May 22 2020
 

Maybe you don’t care whether or not your movements on the Internet are being watched because you’re “not doing anything wrong”. If so, I won’t pick a quarrel with you. After all, why should you draw your curtains at night? Haven’t they seen a naked man/woman before?

Or maybe you will agree that the idea of being watched while sitting on the toilet is disagreeable, but if that is what it takes to put a few drug dealers behind bars, it’s an idea you can live with, even though you realise that if there’s one thing drug barons can do better than just about anybody else except other big-time criminals, it’s to protect their privacy. After all, they can buy all the expertise they need.

So, no, I won’t argue with you. You will hear more than you can bear about privacy in months to come. Covid has unleashed an army of young talented developers who are now all clicking away at their keyboards to satisfy governments’ and industry’s vast demand for ways and means to monitor our actions and influence our attitudes. If that’s fine with you, I repeat, I won’t argue… except to remind you of one thing:

There are investigative journalists out there, sticking their necks out to dig up the dirt we need to know about so that we don’t go off and elect the likes of Trump and Bolsonaro again and again and again. There are tens of thousands of human rights activists and their lawyers and honest judges who risk being stuffed into jails without trials or killed for defending their co-citizens. These people’s privacy must be protected at all cost! How can we help? By defending our own privacy so that their defended privacy doesn’t stick out like a row of sore thumbs.

I’m so very far from being an expert in this field that I would urge you to leave this page at once to go and read somebody else’s advice. But I haven’t found any comprehensive self-help guidance to direct you to. The Privacy Rights Clearing House, for instance, provides very sound insight at the general level, but the bottom line there, as I understand it, is that we should all stay away from the Internet in any way, shape, or form.

True, you can find valuable practical snippets on sites like this one from Kaspersky, but bear in mind that here Kaspersky is also trying to sell us its own products.

So I will do my best to indicate how we can protect our privacy from various kinds of intrusion. Of course, if you run a business, you should probably invest in professional services not only to protect your data but also to minimise your vulnerability to malware.

Your device’s location gets shared

The good news is that your device’s GPS is not telling anybody where you are.

The bad news is that the apps that have access to your GPS might do just that. And commercial use is made of the information.

So you should disable location access for the apps on your phone, and you should disable location storage in your Google or Apple account. PCMag outlines how to do so.

You should consider whether you absolutely need to use Facebook, and if you really do, you’d better hone your privacy settings there. Kaspersky tells you how.

Websites you visit share more information about you

You prevent this if you use a VPN service.

Doing so not only hides your IP address; it encrypts the re-routing of your internet traffic. So whatever information the websites or ISPs have stored will be illegible to them.

There are many free VPN services, and even more websites that compare them. Take a look.

“Free” always comes at a cost:

  • You don’t want “speed throttling”.
  • You want a large data allowance.
  • You want to cover all the devices you use.
  • For normal privacy protection, you don’t need access to many countries.

So as not to exceed my data allowance, I try to remember to turn off VPN when video streaming (legally).

Another advantage of VPN is that it also protects you against hackers when you are away from home. But if you yourself are engaged in serious criminal activity, the web service can hand over your identity to law-enforcement.

Many repressive regimes consider political opposition “terrorism” and some unnamed countries penalise whistle blowing. If you are from or living in such a country you might opt for a VPN service in a country that is not likely to pander to, for instance, the Saudi or Israeli governments.

You do not need to use a VPN to block cookies and adverts. There are other ways of doing that. Some browsers do so and there are plugins or “extensions”, such as Ghostery.

Your browser

If you use VPN, your browser isn’t a big issue. But if you turn off VPN …

I would not use Chrome or Safari, and Opera has been sold to a Chinese group.

On Android devices I currently recommend Brave. For computers, consult e.g. Wired or Digital Trends. If you use Firefox, you should at least learn how to fine-tune the browser’s security and privacy settings.

Messaging

WhatsApp is owned by Facebook and its main source of income is based on users’ contact lists. I put to you that Facebook’s track record is less than respectable. Signal is widely recommended and is pretty impressive in terms of privacy.

Contacts, calendars and email are our weakest point!

If you, like me, let Google or Apple manage your contacts and calendar, not to mention your email, you really have a problem. We have a problem. Or rather, our contacts have a problem. A lot of other apps on our phones will have access to the contacts, not least Facebook. Yes, Google and Apple encrypt our email, but not end-to-end.

Oh dear, oh dear.

There is no way I am going to take my contacts and calendar back to a paper notebook. The blessing of having all my devices synchronised cannot be exaggerated. But what if I regularly meet with political refugees from, say, Saudi Arabia or with Russian political activists opposed to Putin… Yes, what then? If the Saudi or Russian authorities are seriously tracking them, my writing in my calendar that I’ll be having lunch with them at so and so time/place and their phone numbers in my contact list may endanger them.

How do I know what Google hands over to state prosecutors who may or may not be hounding people from minority groups and other disadvantaged areas?

What I need is an email service (and local client) that provides end-to-end encryption and that also stores and synchronises a contact list and a calendar.

I googled “privacy alternative to gmail and contacts” (without the quotes). You’d be surprised by the number of hits. Three of the top five, including two from VPN service providers (and they should know) all coincided pretty well in their conclusions. (NordVPN, RestorePrivacy and PureVPN).

As far as I can judge, only one of the email clients they recommend also provides a contact list and calendar: Tutanota. Now, I don’t much like the name, but I do like the look of it. The hitch is, of course, that all email sent from this email service gets encrypted. So you won’t want to use it to ask your dentist for an appointment. But you could use it to communicate with Saudi refugees and with good friends, not to mention if one of them is a married colleague with whom you are having an affair. You would, in other words, leave your dentist’s number on your visible contact list and move your shrink to your private list, using only Signal to communicate with him/her.

So this is as far as I get without using PGP, which many email clients do allow, but which is a little too cumbersome for most of us – and it still leaves us with an unprotected contact list and calendar.

The last word has not yet been written, never will be. But for the moment, if you really make an effort, you can still communicate pretty safely online.

Dec 18 2016
 

To me, the word “encryption” sounded sinister until very recently, when I realised I’d have to take the consequences of what we are seeing these days. And guess what: digital protection – even encryption – isn’t difficult at all. There are programs that do it all for us. I believe that what I am proposing in this and the following post need not even make a dent in anybody’s wallet.

In view of the medieval state of race relations in the US, and bearing in mind Mr Trump’s penchant for decisive action, I think we should not place too much trust in the rule of law in the US, for instance. It’s a good idea to be prepared.

In general, in a world that is increasingly being governed by individuals who label political opponents as “criminals” or even “terrorists”, we should think of the consequences of such labels, not necessarily for ourselves – at least not yet – but for reasons that I will return to a few paragraphs further down.

Many of our rulers are willing to resort to what we in the west recently (i.e. pre-Snowden) considered “the unthinkable”, to stay in power and, in many cases, to improve their financial leverage.

There is also a rising number of people who are learning the tricks of cybercrime. For all you know, your next-door neighbour might be one of them, in which case he or she may be particularly interested in your WIFI network.

Most of us are not terrorists or criminals, although we might be leftist or Moslem or environmentalist or black or even Mexican. We might, however, be deeply dissatisfied with our rulers, and we might even be organised, say in an activist civil rights group. Organised opposition has always been regarded as a threat, or at least a nuisance, by the powers that be, and is now becoming increasingly risky. In many countries, of course, it has always been deadly dangerous. What’s new is that the number and potency of tools to penetrate people’s private (digital) worlds have grown exponentially over the past years.

What’s new, too, is that year by year, in all countries, law enforcement and secret services are being given wider powers to use these tools. This is quite understandable because, after all, there is a real threat of terrorism, and there is a real and growing threat of serious cybercrime.

Meanwhile, political improvement is contingent on our all understanding as much as possible of what goes on. Some journalists, social scientists and whistle blowers are putting their necks out to protect us by uncovering the crooked acts of cynical rulers and magnates. By doing so, they risk their lives in many countries, and in others, including mine, they risk finding themselves without a job.

We need them. We desperately need them! Only by knowing what is actually going on, by being able to dismiss false rumours, libel and “post-truth” propaganda (see Oxford Dictionaries’ Word of the Year), do we have any chance of improving the world we live in. They – the journalists and social scientists – hopefully know how to protect themselves, but by doing so, they will inevitably seem suspicious: “Why is NN encrypting his stuff? Why is that woman using a VPN server? Are they terrorists?”

Since they are trying to protect us, the least we can do is to try to protect them, in essence by protecting ourselves.

If only to protect our bank account information, password lists, copies of passport and driving licence, intimate letters and pictures etc., we should start thinking about digital personal protection. When we started using email, in my case in the late eighties, it seemed very difficult. We had to put a lot of effort into it. These days, it’s all so easy that kids are social media experts before they can add and subtract. Did we think this was the way it would always be? If so, our thinking was flawed: Sic transit gloria mundi.

Sooner or later, the alternative to using only pen-and-paper may well be to encrypt everything; computers, phone calls, email, social networking – the lot!

Meanwhile, there are a few very basic steps we should take, apart from everything we hear every day (e.g. being wary of links in emails and on websites). The measures cost us a few extra seconds, but then again – let us not forget how very, very much more time-consuming everything was, just ten years ago.

  • Text messaging encryption. Thanks to Edward Snowden, Signal has become quite a hit. It’s so seamless that once you’ve installed it, you won’t notice you are no longer using your phone’s stock SMS app, except that it’s faster and doesn’t hang.
  • Wifi router protection
    Wifi routers must be new enough to yield so-called WPA2 protection (at least).
  • “Anti-virus” software
    You should not rely entirely on Defender, if you are using Windows. There are several excellent and powerful anti-virus protection schemes that are free.
  • VPN (Virtual Private Network)
    If privacy protection is an issue for you, and to my mind it should be, if only for the reasons given above, conceal your IP address. This is probably one of the most important steps to take if you are a fact-hunting dissident. Many services provide access to VPN servers in various countries, and competition is fierce. Most of the best services are not entirely free, though, or rather, those that are tend to plague you with ads or restrict your bandwidth. On the bright side, most of them now require no technical know-how, just that you press a button. There are numerous lists of “best VPN” services, free and non-free.
  • Storage on external drives
    Store as little as possible on computers, tablets and smartphones. (Plug in your external drive and move private stuff to it, then remove the external drive at once.) If you don’t use cloud storage, this should do (assuming your computer doesn’t have digital parasites lodged in its entrails, your external hard drive is securely stored and never leaves the house, and the house never burns down).

Cloud storage

Most people use cloud services these days, if only to transfer files. Besides, people are often more or less unwittingly constantly connected to their operating systems’ “Store”, storage spaces, sharing services, etc. and to social services.

  • TLS/SSL protocol
    Respectable cloud storage services use a TLS/SSL protocol for data transfer (HTTPS://). That isn’t much, but better than nothing.
  • Encryption
    Some services encrypt your stuff already before it leaves your computer. They say that you risk nothing and that they have “zero-knowledge” (about you and your stuff). This sort of service is used by companies. But why not do your own encryption before uploading anything to your cloud? With good software, it’s a cinch! So:

     

    • What is good software? Since good encryption depends not on your software, but on the algorithm used by the software, the software you want will depend on whether it is easy to use, can relate to your operating system and serves your needs in other respects. Leading encryption programs all use basically the same algorithms, the best known of which is AES (developed some 20 years ago).
    • Veracrypt is one such (free) cross-platform program (i.e. for Mac, Windows, Linux, but not for mobile systems). I am mentioning it not least as it is the program used in the following link which I am including to demonstrate how very easy it is to encrypt whatever files you want to keep out of any private or public eye: encouraging demonstration
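The do-it-yourself encryption suggested above, as an added example that is not part of the original post and is not how VeraCrypt works: it uses the OpenSSL command-line tool (version 1.1.1 or newer assumed, a tool the post does not mention) to encrypt a single file with AES-256 before upload. The variable name CLOUD_PASS, the function names and the sample file are constructed for the illustration.

```shell
#!/bin/sh
# Added example: encrypt a file locally with AES-256 before it goes to cloud storage.
# Assumes the OpenSSL 1.1.1+ CLI; CLOUD_PASS is a hypothetical variable name.

# encrypt_for_cloud IN OUT
# The passphrase is read from $CLOUD_PASS rather than from the command line,
# so it does not appear in the process list. -salt plus -pbkdf2 turn the
# passphrase into a fresh AES key for every file.
# Note: CBC mode gives confidentiality only; it does not detect tampering.
encrypt_for_cloud() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 600000 -md sha256 \
        -pass env:CLOUD_PASS -in "$1" -out "$2"
}

# decrypt_from_cloud IN OUT (same parameters as encryption, plus -d)
decrypt_from_cloud() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 -md sha256 \
        -pass env:CLOUD_PASS -in "$1" -out "$2"
}

# roundtrip_ok: returns 0 if a constructed sample file survives
# encrypt + decrypt unchanged and its text is not readable in the ciphertext.
roundtrip_ok() {
    dir=$(mktemp -d) || return 1
    printf 'passport scan: CONSTRUCTED-SAMPLE-0001\n' > "$dir/plain.txt"
    encrypt_for_cloud "$dir/plain.txt" "$dir/plain.txt.enc" &&
    decrypt_from_cloud "$dir/plain.txt.enc" "$dir/back.txt" &&
    cmp -s "$dir/plain.txt" "$dir/back.txt" &&
    ! grep -q 'CONSTRUCTED-SAMPLE' "$dir/plain.txt.enc"
    rc=$?
    rm -rf "$dir"
    return $rc
}

CLOUD_PASS='constructed example passphrase'
export CLOUD_PASS
roundtrip_ok && echo "only the .enc file needs to leave the machine"
```

Anyone who loses the passphrase loses the file: the cloud provider only ever holds the `.enc` copy and cannot recover it.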

Phones and tablets

Being an open system, Android is more vulnerable to malware attacks than are iOS devices. Over the past two years or so Android has been rocked by some pretty serious security issues, e.g. “Stagefright”. So serious were they, in fact, that phones that come with Marshmallow (or newer) installed are supposedly encrypted by default (!) Yes, you read correctly, by default. In other words, Android is not taking any chances, nor should you, so encrypt!

  • Encryption
    Older phones, with Android versions from Gingerbread up, can optionally be encrypted. Details about how to do this may vary depending on your phone and version, but this guide gives an idea.
    iOS phones have been encrypted by default for a while. Older phones can also easily be encrypted.

Flash drives

Some people will want to encrypt their entire computer. If so, they will probably have used their operating system’s tools for doing this (BitLocker on Windows, and FileVault on Macs). Encrypting flash drives is, if anything, all the more important since they tend to get lost or forgotten.

  • The same tools as for computers
    BitLocker (Windows), FileVault (Mac) and, again, Veracrypt, can encrypt flash drives (USB sticks).
    Here is one of many guides.

In my next post I shall touch upon sharing (most importantly by email) with PGP.