A prudent man conceals knowledge (Proverbs 12:23)
When faced with the great threat to our privacy we currently experience, most of us take the knee-jerk response of “Well, I don’t have anything to hide.” But if we stop and think for a moment, we will realize that we all have things to hide, and that hiding things is often wise. Of course, hiding sin is never wise For God will bring every deed into judgment, with every secret thing (Ecc 12:14) and on the last day God will judge the secret hearts of men by Christ Jesus (Rom 2:16). But there are times when it is wise to conceal information. Sometimes information may hurt someone or hinder reconciliation, or cause any number of other problems. We do not (and should not) say everything that is on our mind to everyone we meet (Prov 13:3; 15:28). There are secrets we are supposed to keep (Prov 25:9-10). And there are things we are supposed to do in secret without anyone knowing (Matt 6:4; Prov 21:14).
The issue is prudence. We must choose when to reveal information and when to keep it secret (like our debit card PIN). To not be discerning in exercising our control over who and when we give information is foolish. The point of this post is to give you the tools to choose who you want to share information with so that you can be discerning and wise, not careless and foolish.
The Snooping State
A year ago I posted Who’s Afraid of the Surveillance State? noting that fighting surveillance is actually boring an inconvenient… so we’re not likely to do it. That was mostly about conducting full privacy and anonymity more along the lines of Edward Snowden’s daily habits – which are unreasonable for the rest of us.
But aside from the direct power of the NSA, the state also works in unison with private companies you voluntarily collaborate with (like Google, Facebook, and Dropbox) to collect data and monitor your activity. These companies are often interconnected and tend to centralize information about everything you do online. Previously, I was inclined to trust these companies because, after all, I’m a capitalist and every capitalist knows that companies ultimately serve the interests of their customers. But then I realized that’s only true in a free market, and we don’t have one of those. Once a company becomes successful enough in America, they become wed to the state if they want to remain successful. As lifehacker.com notes “Who’s More Dangerous? The Government or Businesses? The short answer is that there’s no real difference between the two.”
Furthermore, a bill called the Cybersecurity Information Sharing Act was recently passed. It streamlines that data sharing process with the NSA and all other government agencies in real-time while also providing immunity to companies for violating user privacy laws (telling you they’re not collecting certain information, when in fact they are. Yes, that’s called lying). See also CISA: the dirty deal between Google and the NSA that no one is talking about and CISA Surveillance Law has passed, here’s what we can do.
While hiding everything from the state requires a great deal of effort that, frankly, most of us can’t manage to accomplish, here are some fairly easy steps we can take to make it much more difficult for them to amass a personal database on us and to conduct “untargeted dragnet surveillance.” At the very least these steps should require any surveillance done on you to be more intentional/targeted and difficult (rather than automated and easy).
Writing this post has taken me down a bit of a rabbit-hole. It’s information I’ve been wanting to figure out for a while. Hopefully it is helpful.
1. Opt-Out of the Digital Advertising Alliance Network?
Many online companies are members of ad networks, and each ad network puts a bit of code called a “cookie” on your computer. When you visit one of the member sites, the site recognizes the cookie and lets the ad network know where you are so it can send you ads.
Even worse, the member sites share what you do on their sites to build a database of what you like and don’t like, or even specific items you looked at…
Facebook and 120 or so other major companies, including Amazon and eBay, are part of the Digital Advertising Alliance. You can use a tool on the DAA’s website to opt out of “online behavioral advertising.”
Opt-out at the DAA’s Consumer Choice page. You need to do it on each device you use (it stores a cookie in your browser to enable the opt-out). However, the above quoted article “One way to stop Facebook from tracking you” is quite misleading. The opt-out (voluntarily offered by the behavior database consortium) does not stop companies from tracking your behavior and does not to stop them from sharing it in a common database. It only stops them from displaying ads on your browser using that data. It’s clearly a ploy to assuage the conscience of those concerned about privacy, without actually doing anything to protect that privacy.
2. Stop Using Chrome
Since Google can’t be trusted (more below), stop using their browser (even though it’s great). The browser itself can embed a limited amount of data to track and uniquely identify you. Use open source Firefox instead.
3. Install an Anti-Tracking Browser Extension
Install Disconnect (free). This prevents data collection of your online behavior across sites (which is where the real value/information lies).
Lifehacker surveys other anti-tracking alternatives like Adblock Plus (though beware) and the Electronic Frontier Foundation’s Privacy Badger. Consider uBlock Origin as well, which does many things and has the ability to load Disconnect’s tracking list to block as well.
4. Use a Search Engine That Doesn’t Track You
I use DuckDuckGo (note button at bottom of page to make it your default search engine), which doesn’t track your searches and store them in a database. It’s not as good as Google, but it works for everyday use. If I’m in research mode and really trying to track something down I’ll switch over to Google.
I just found out about Disconnect Search which is a free browser extension that lets you use any popular search engine without tracking. It sends your search request through Disconnect’s servers so that the request looks like it comes from them, thereby avoiding tracking. It has an option to use Disconnect Search whenever you type in a search in your address bar (my default way of searching). Looks like I’ll be using it instead of DuckDuckGo from now on.
Once you switch, make sure you delete your history on Google. Go to https://history.google.com/history/ and click the three vertical dots button in the top right corner, then select “Delete Options”, select Advanced, then All Time. Then click the three dots again, go to Settings, click the switch on the right to “pause” future collection of your search and browsing activity. Click Show More Controls to pause other tracking. Dig around the left panel to find more privacy settings.
5. Install HTTPS Everywhere
HTTPS Everywhere is another browser extension. It forces pages to use a secure connection whenever it’s possibly available. Long story short, it makes eavesdropping more cumbersome.
6. Use a VPN
Virtual Private Networks are commonly used by schools and businesses to give students and employees access to their private school or business network when they’re away from the school or business (like at home or at a coffee shop). This process involves adding encryption to your data connection.
When you connect to a VPN, you usually launch a VPN client on your computer (or click a link on a special website), log in with your credentials, and your computer exchanges trusted keys with a far away server. Once both computers have verified each other as authentic, all of your internet communication is encrypted and secured from eavesdropping.
However, you can use a VPN for your everyday browsing in order to encrypt everything you do online. This has two main benefits:
- If you’re at Starbucks or the airport or any public wi-fi location, it protects your data by encrypting it so that any data leaving your laptop or phone can’t be seen by the person sitting next to you using hacking software to eavesdrop on the entire Starbucks location. There are free VPN options to add this level of encryption for using public Wi-Fi spots. Find a free one and have it ready to go next time you find yourself needing to use public Wi-Fi.
2. It adds a level of anonymity to your browsing (complete anonymity requires much more). Your ISP knows who you are (your address, phone, credit card, etc). Your ISP gives you a unique identifier to browse the web with, called an IP address, each time you connect. Websites log what IP addresses visit their site. The state very frequently sends National Security Letters (NSL) to ISPs demanding they turn over the identity of any given IP address they choose (and any other data your ISP has collected, such as logging what sites you visit). They also gag the ISPs, making it illegal for the ISPs to tell you this has happened.
VPNs can (depending on how they are setup) short-circuit this process. A VPN encrypts all of your network traffic on your computer, before it leaves your computer. That means when it reaches your ISP, it’s encrypted and your ISP can’t see it. They can’t tell what website you’re viewing or anything else that’s going on. It’s just a bunch of 0101010101110101010. This potentially just pushes things back a step so that the state sends an NSL to your VPN instead. However, some VPNs are specifically designed/marketed to secure your privacy. The way they do that is by not logging your activity (so if the state demands they turn over a history of your activity, there is nothing to turn over) and by not recording your IP address (though they will have your cc on file and any email address you give them, so many accept bitcoin). This is a tricky issue, so you have to research your VPN carefully and choose one that really is committed to privacy. This feature requires you to pay for the VPN (free ones won’t offer this service), which is usually around $5/month.
TorGuard, Private Internet Access, and Disconnect Premium look like good options for privacy & security, however, only TorGuard is based outside the U.S., which means it is much more secure. Read Privacytools.io to understand why location matters. TorrentFreak also has a list of the best anonymous VPN providers. Compare it to Privacytools.io’s list of privacy VPNs, which seems to be the most reliable list (they point out that some of the VPNs listed in the TorrentFreak article are sponsored). Make sure to read lifehacker’s Why You Should Start Using a VPN (and How to Choose the Best One for Your Needs).
7. Stop Using Gmail
Would you use an email address assigned to you by the state and monitored in its entirety in a searchable database, even if it was free and convenient? Since Google is part of the state, why are you using Gmail? I was an early adopter and, like most people, have used it extensively. It allowed you to archive emails instead of deleting them, which was very convenient. It also provided the absolute best free spam filtering (even better than a lot of paid filtering), making all that annoying spam email a thing of the past for most of us.
And more than 900 million users use Statemail around the world.
Now that I’ve been using it for so long, it would be a pain to change my email address. So I haven’t bothered. Until now.
There are two levels of Gmail alternatives: ones that are similar, just not associated with Google, and ones that actually provide privacy. Either are better than Gmail, but you want the latter.
- Non-Encrypted Gmail Alternatives
Gmail is set apart from other standard email providers in that they scan all of your emails automatically, searching for keywords (which they then use to provide targeted ads within Gmail, or send to the state). It is also part of the Behemoth GoogleState system (which includes Google Maps tracking everywhere you go, knowing who your contacts are and where they are, and with all the data collection “we can more or less guess what you’re thinking about“).
2. End-to-End Encrypted Email
But given everything you write in your emails, it is really worth choosing an email provider that uses end-to-end encryption.
Kolab Now looks like the best alternative to Gmail with great privacy, for about $5/month. Because of end-to-end encryption, your email is encrypted before it leaves your computer, so they can’t read it on their server. They note
We offer secure collaboration and email accounts. All data is stored exclusively in Switzerland and protected by a unique combination of terms of services, law, operational principles and technology. Kolab Now will never put you under surveillance to sell your data or profile and there will be no advertisements.
Cabe Atwell notes “What makes the data content so secure is actually Switzerland’s privacy laws, which makes it illegal for other nations (such as the United States and UK) to access secure data.” Read Privacytools.io explanation on why location matters.
Also, for those opposed to Intellectual Property, Kolab Now is also built entirely on Open Source software, which means the code can be checked by anyone for backdoor features granting the state or others access to your data.
ProtonMail was created by Harvard and MIT students to combat rampant spying by making special email encryption available to everyone easily, for free. Like a VPN, the service encrypts your email on your computer before it sends it. Once sent, it is stored on their servers, like any other email service, but it is stored in an encrypted format. That means they can’t read it, and more importantly, they can’t hand it over to the state. They also use Open Source encryption. It’s free.
Interesting to note, though it was started by Americans, it is now headquartered in Switzerland like Kolab Now. Read the story of Lavabit, a former US-based secure email service used by Snowden, to understand why ProtonMail isn’t US-based.
Something very interesting happened 2 months ago. They were hit by a DDOS attack by a hacker group (Armada Collective) demanding a meager $6,000 ransom (DDOS floods a server with data, making it unresponsive until the attack stops). They paid the ransom, but the attack continued. Armada Collective said they had stopped.
Officials from ProtonMail claim they’ve been working with GovCERT, the Swiss Governmental Computer Emergency Response Team, and CYCO, the Cybercrime Coordination Unit of Switzerland in the wake of the attack. After conferring with another group, MELANI, the information assurance division of the Swiss government, ProtonMail notes that there were really two attacks, one on its IP addresses, and another, separate group of attackers targeting specific weaknesses in its infrastructure.
See more at: ProtonMail Back Online Following Six-Day DDoS Attack https://wp.me/p3AjUX-tZJ
Natasha Lomas notes that ProtonMail’s anti-spying
goal puts ProtonMail at odds with powerful forces. End-to-end encryption has been under sustained rhetorical assault from government intelligence agencies in countries such as the U.S. and the U.K. ever since NSA whistleblower Edward Snowden disclosed the extent and scope of their mass surveillance programs — including efforts to compromise or circumvent encryption.
Whether such political heat has anything to do with the current DDoS attack on ProtonMail is unclear. But only last week the U.K. government introduced proposed new surveillance legislation that contains clauses which appear to suggest there will be a legal requirement for companies to be able to decrypt data when issued with a warrant by the security services.
Where that would leave services like ProtonMail, which offer end-to-end encryption — and therefore have no with no ability to hand over decrypted data — remains to be seen.
Yesterday Yen didn’t have time for a phone call to discuss the DDoS attack in detail, not least because it was still ongoing, but he responded to a few of TechCrunch’s questions via email…
You say the DDOS attack became “unprecedented in terms of sophistication”. Can you explain in more detail what exactly makes this attack so damaging?
Usually, a DDoS tries to just take a site offline. This one was different because it went after an entire datacenter and ISP, hitting nodes in multiple countries just to get to us. The attackers systematically probed the entire infrastructure of the ISP and then launched a coordinated assault on multiple sites.
After the attack was stopped, ProtonMail explained
It has now been one week since the first attack was launched against ProtonMail. Since then, we have been subject to the largest and most extensive cyberattack in Switzerland, with hundreds of other companies also hit as collateral damage. In addition to hitting ProtonMail, the attackers also took down the datacenter housing our servers and attacked several upstream ISPs, causing serious damage…
ProtonMail was attacked by at least two separate groups. The first attacker, the Armada Collective, demanded a ransom, more on this can be found in the previous posts copied below. The Armada Collective has contacted us to deny responsibility for the second attack.
The second group caused the vast majority of the damage, including the downing of the datacenter and crippling of upstream ISPs, exhibiting capabilities more commonly possessed by state-sponsored actors. They never contacted us or made any ransom demands. Their sole objective was to take ProtonMail offline, at any cost, with no regards for collateral damage, and to keep us offline for as long as possible. They have still not been identified.
It was not until the 3rd day of attack that we realised there were two separate attackers. Given the sophistication of the attack used by the second group, we believe they may have been preparing their attack against us for some time. After seeing the first attack, they chose to strike immediately afterwards in the hopes that they would not be discovered as being a separate attacker.
Note C.Jay’s recent post about the U.S. government’s hacking exploits.
ProtonMail is a new company, so some of its features are still in development, and some of those future features may be part of a paid version. Read ProtonMail’s blog for lots of interesting privacy news and analysis.
I haven’t picked one yet. I’ll update the post once I do. Once you pick one, you’ll need to migrate to your new address, export your massive archive of emails from Gmail for backup to the cloud (see below) and possibly import into your new email, and then delete all those emails from Gmail (which hopefully deletes them from Google servers… eventually).
8. Use a “Zero-Knowledge” Cloud Backup Solution instead of Dropbox
Edward Snowden has warned against the cloud storage service Dropbox which he says is “hostile to privacy”, and called for more services to offer the ‘zero knowledge’ which have no decrypted access to user data.
Snowden pointed out that Dropbox had appointed former Secretary of State Condoleezza Rice to its board in April 2014.
“Dropbox is a targeted you know wannabe PRISM partner,” he told the Guardian.“They just put … Condoleezza Rice on their board… who is probably the most anti-privacy official you can imagine. She’s one of the ones who oversaw Stellar Wind and thought it was a great idea. So they’re very hostile to privacy.”
Cloud companies need to pursue the zero knowledge system, he said, where they host and process content on behalf of customers without having access to it themselves.
9. Phone Calls
This one is much less practical, but if you don’t want your calls monitored (all your calls are automatically monitored) then you can use various services to make private calls. The catch is that both ends have to use the service. The good news is there are free options that integrate into your phone and contacts automatically, like Signal. Here are some other options.
Thankfully, Apple’s iMessage system (on iPhones and Apple computers) does use end-to-end encryption.
Apple has been involved in a dispute with the U.S. Department of Justice regarding iMessage encryption, with the DOJ demanding that Apple give them plaintext copies of iMessages in real time, pursuant to a wiretap order. Because iMessage uses end-to-end encryption, where only the users hold the keys, Apple is unable to comply with such an order unless it compromises its system and implements a backdoor for the U.S. government. This would compromise the security of every iMessage user, something that Apple has steadfastly refused to do.
However, if you enable backup storage of your message history to iCloud, that backed up copy is not encrypted.
I was initially skeptical of Apple’s claim that they have never given the U.S. backdoor access, but I found the claim credible after reading what lengths the state has gone to to try and crack Apple’s encryption. That said, independent researchers have demonstrated that it would be technically possible for Apple to make a few changes on their end (without anyone knowing) that would give them the ability to read messages (though note the interesting sidenote at the end here).
If you don’t use iMessage consider various other options using EFF’s Secure Messaging Scorecard. Signal seems to be a go-to option for mobile use. Pidgin is a good Windows option and Adium is a good Mac option – both are apps that allow you to add various accounts (Facebook, Google, etc – but not iMessage accounts) and then encrypts the conversation (at least on your end). Here’s a great explanation. Note that the encryption only extends to the weakest link. So if you’re chatting with someone using insecure software, what you say is openly visible on their end to prying eyes.
Use a password manager program. See Privacytools.io’s list and note their recommendation not to use 1Password, LastPass, Roboform, or iCloud Keychain. Consider SpiderOak Encrypter (securely syncs password database to the cloud) or Master Password (unique design requires no syncing).
12. Covenant Eyes
Since biblical discernment about your privacy means having the humility not to trust your secret behavior, but instead to wisely choose someone to share your online behavior information with, consider using Covenant Eyes.
13. Trust in God
“Therefore I tell you, do not be anxious about your life” (Matt 6:25). “The Lord is on my side; I will not fear. What can man do to me?…It is better to take refuge in the LORD than to trust in man.” (118:6,8). “And do not fear those who kill the body but cannot kill the soul. Rather fear him who can destroyboth soul and body in hell.” (Matthew 10:28)
Remember, the point of this post is to take steps that everyone should implement in their daily internet use. If you are specifically targeted by the state, these measures won’t suffice (see the Clandestine Reporters Working Group in that case). You’ll have to dig deeper. It becomes a cat and mouse game and the state is dumping tons of resources into breaking every known encryption system. But these measures should stop their ability to automatically record and categorize everything you do and say online to anyone.
Hopefully this article also made you aware of the increasingly important role of encryption in our everyday use of the internet.
Under current U.S. regulations, law enforcement agencies can get a court order to access communications channeled through major tech companies and wireless providers. But if those communications are encrypted through a process not accessible by any involved company, the data is essentially meaningless, garbled gibberish. “In a world in which data is encrypted, and the providers don’t have the keys, suddenly, there is no one to go to when they have a warrant,” says Soghoian. “That is, even if they get a court order, it doesn’t help them. That is what is freaking them out.”
In my research for this post, it’s also become very clear that many security-minded tech companies are fleeing the U.S. like the plague.
Green, the Johns Hopkins professor, argues that U.S. government attacks against the products of American companies will not just threaten privacy, but will ultimately harm the U.S. economy. “U.S. tech companies have already suffered overseas due to foreign concerns about our products’ security,” he says. “The last thing any of us need is for the U.S. government to actively undermine our own technology industry.”
You don’t have to accept the status quo. People in other countries aren’t.
- EFF’s Surveillance Self-Defense (excellent introduction and guide)
- Plenty to Hide
- Security Manual Reveals the OPSEC Advice ISIS Gives Recruits
- Encrypted Messaging Apps Face New Scrutiny Over Possible Role in Paris Attacks
- Citizen Four
- Ultimate Privacy Guide
- Turtl end-to-end encryption alternative to Evernote
- Mass v. Targeted Surveillance (Clandestine Reporters Working Group)