Privacy Tools We Should All Be Using

There are two types of encryption: one that will prevent your sister from reading your diary and one that will prevent your government.

-Bruce Schneier

Its no secret, we have an important decision ahead of us. The world that tinfoil hat privacy advocates have been preaching is slowly becoming a reality. However, publicly available tools exist for the average citizen to begin taking appropriate steps to protect themselves from prying eyes. Its up to us to use the tools and take out privacy and security into our own hands.

I've compiled a list (by no means is it exhaustive) of software and tools every person should know about and use. Some are accessible to the technological layperson, some aren't. That's why its important for those who can use the more complex tools to educate those who can't.

You can protect your privacy (and your personal information) from three different fronts. Encrypting your data locally (on your computer and devices) will protect you from those with physical access to your machine. Masking and encrypting your network traffic protects you from those in a position to eavesdrop on your connection. Finally, you can encrypt the data stored on remote servers so the people running the services you're supposed to trust don't actually see what they're storing.

Local Encryption

One of the best options for protecting your local data is to utilize full disk encryption. Native solutions exist for OSX and most Linux distributions and are usually very easy to set up. Windows users can use Bitlocker, a disk encryption tool made by Microsoft, but some have voiced security concerns that there may be a silent backdoor in the software. Because of this, Windows users are advised to use a tool like TrueCrypt for their system encryption needs.

However, full disk encryption is not fool-proof. An attacker can access encryption keys if they have access to a running computer by using a vulnerability known as a cold boot attack. If the machine isn't running, it is still possible to get the keys by exploiting the pre-boot authentication system.

In addition to encrypting your hard drive, you can use TrueCrypt to create secure virtual disk within a file on your computer. The disk could hold sensitive information such as passwords, banking info and contacts.

Network Encryption and Anonymity

Once your data leaves your computer its vulnerable from a whole slew of different snooping vectors.

The first step to securing your online communications is to connect to websites using the HTTPS protocol, instead of the unencrypted HTTP one. The caveat is that the website you're connecting to must have an SSL certificate set up to use the protocol -- some of which don't. You're best option is to install the HTTPS Everywhere plugin for your browser (thanks to the EFF and Tor people for it). This plugin will check each connection you make and attempt to recreate it using HTTPS if it already isn't. If you use a website that doesn't support HTTPS, try looking for an alternative or contact their support staff to inquire if they have plans of implementing it.

In addition to HTTPS, you can use Tor to protect your anonymity while browsing. Tor routes your traffic through a huge network of other tor servers (known as the tor network) effectively masking your origin (ip address) from everyone along the way (except for the end point of the connection). The tor bundle is available for all major platforms (OSX, Linux and Windows) and is very simple to use.

For an easy to understand infographic about the technologies presented above, see the EFF's Tor and HTTPS page.

There are other tools currently under development that take the above to a whole new level. Projects are being worked on to create peer-driven mesh networks that are completely decentralized. While these efforts are still in their infancy, recent events will surely drive new talent to the communities.

Remote Encryption

The final destination of your data is the website or service you're connecting to. Protecting your data in this environment is much harder and relies on trust between you and the owners of the website. If you can't trust a website with your personal information, don't use it. This is the most powerful method available to protect your privacy.

If you rely on a cloud service (storage, for example) that doesn't respect your privacy, find one that does, or move to use only zero-knowledge web applications. If you are technologically able, host your own cloud service and get your family and friends using it. Companies should be storing your data in an encrypted state such that they would never be able to decrypt it without you (they don't hold the keys). You can use tools to encrypt your data locally before uploading them to the cloud as a last resort. Online email services are of a particular interest to data miners and eavesdroppers. I would recommend using Hushmail or running a local mail server at home.

Assume that any information you post online is being tracked and analyzed by anyone and everyone. We have the tools to improve our privacy online -- we just need to use them.

We Have A Very Important Decision Ahead Of Us

Recent leaks have revealed that the NSA has been collecting live data (emails, voice messages and most online activity for starters) on millions of people since 2007 in a program called PRISM). This widespread disregard of basic privacy rights does not just affect US citizens, but encompasses information from all foreign visitors to the big American tech companies (Google, Microsoft, Skype and Yahoo to name a few).

In the days following the leak, the internet has exploded with discussions regarding the ethics of this program. Some internet giants have published official statements denying their participation in PRISM and accusing news outlets of exaggerating and confusing the facts.

Regardless of the truth behind all these stories, it is clear that we are approaching a critical moment in internet and telecommunication privacy. We are currently losing a tug-of-war battle with world governments, and our freedoms are on the line.

We have a very important decision ahead of us.

Will we live in an Orwellian future where our opinions, communications and thoughts are monitored for our "well being"? Will we trust our governments with our precious freedoms under the guise of our own security? Only if we let it come to that. There is an immense body of open source, privacy-focused tools at our disposal -- all we have to do is use them.

Encrypting your communications isn't for the tinfoil hat wearing computer geeks anymore. These tools are accessible to the general public.If you're a developer, create open source encryption software. If you're an entrepreneur, make this your new market. If you care about privacy, let other people know.

Relevant (and slightly overused) quote from the movie Network (1976):

We know things are bad — worse than bad. They're crazy. It's like everything everywhere is going crazy, so we don't go out anymore. We sit in the house, and slowly the world we are living in is getting smaller, and all we say is: 'Please, at least leave us alone in our living rooms. Let me have my toaster and my TV and my steel-belted radials and I won't say anything. Just leave us alone.'

Well, I'm not gonna leave you alone. I want you to get mad! I don't want you to protest. I don't want you to riot — I don't want you to write to your congressman, because I wouldn't know what to tell you to write. I don't know what to do about the depression and the inflation and the Russians and the crime in the street. All I know is that first you've got to get mad. You've got to say: 'I'm a human being, god-dammit! My life has value!'

Share your thoughts with me via email. You can find my public key here

The Turing Oath: The Promise to Develop Ethical Software

In light of some recent unethical behaviour in software development, and after a user on Hacker News suggested that software developers have their own "version" of a Hippocratic Oath, I figured I'd try my hand at drafting an initial attempt.

The oath deals with user privacy and ethical handling of their personal information. This primarily caters to web applications which hold the personal information of users. It's named after Alan Turing because he was a remarkable person who advanced computer science by great leaps.

The oath is hosted on Github and I encourage people to fork it and edit its contents. Add what you think ethical software development is.

The Turing Oath

  1. I swear to respect the privacy of the user. All user information kept on web servers should be properly protected, encrypted and secured.

  2. I swear to not invade the private space of the user. Users will not be spammed, contacted needlessly or have their personal information used without their knowledge.

  3. I swear to be transparent in the information I keep on the user. Users should always know all the information that is currently kept on them and have access to it at all times.

  4. I swear to release and remove user information at the user's request. Users should be allowed to leave a service or uninstall a product and have all stored personal information on them removed.

We Need More Violence

I've never been a big fan of the news, whether it be in print or televised. As a recent article on Hacker News pointed out, there's nothing much to gain by consuming report after report. In fact, modern news sickens me.

Society seems to have an unsatisfied craving for violence and hate, which news outlets keep pouring out to keep the general audience's attention. The Boston bombings were a horrible act of hate, in-humanism and cowardice, but seeing images of victims with severed limbs and giant pools of blood in the streets is not my preferred method of getting information about the incident. Don't get me wrong. I'm against censorship and I don't think news outlets are the bad guys for wanting to publish these graphic images. I think that people, us, have come to expect such levels of violence as regular occurrences.

Why is that? Publishing images like the ones hitting the press in the past couple of days would have been unheard of a couple years back. This is not a rant, but an open ended question:

(Why) Do we need more violence?

Dear StackExchange: Thank You

I've been a frequent user of the StackExchange (SE) network for about 2 years now. It started when I had difficult programming questions and was redirected to StackOverflow, and continued to grow until I had accounts on 41 different SE sites. I've never come across a better interactive learning tool in my life, I owe a lot to the communities that drive the SE sites.

Being a huge Linux fan, I was overjoyed to discover Unix&Linux.SE (U&L). I quickly started asking and answering questions and over time became very attached to the community and the great people behind it.

On March 2nd, Rebecca Chernoff (SE employee) announced that every user on U&L who appeared on the first two user pages (sorted by total reputation) would be receiving a complimentary "thank you" care package from the SE team for helping to build a great Linux and Unix community site. The kit was said to include a U&L t-shirt, some U&L stickers, and a nice SE pen and sharpie. I was excited and happy that the administration recognized the huge contributions that users bring to their network.

I got the package in the mail about 2-3 weeks later, and was surprised to see a hand-signed letter from Joel Spolsky (the CEO of StackExchange). The letter was typed up and most likely contained a generic message (my username was never mentioned), but the fact that they would send a hand-signed (no photocopy crap here) letter like that on top of all the other swag was amazing. They WOW'ed me and exceeded my expectations ... again.

I think Joel and the whole StackExchange team deserves this post. Thank you very much, you make the internet a better place.

Comments (HN)