(Photo via Sean MacEntee)
I’ve decided to come up with a privacy plan for myself. After hearing about the NSA’s surveillance scandals and now the details about Edward Snowden, the whistleblower behind the NSA surveillance revelations, I’ve been kicked into action.
These events has got me (and several million other people) spooked by who is capturing information about me, how they are capturing information about me and what are they are doing with that information.
It’s always been an issue, I just didn’t care.
The interview with Edward Snowden is especially interesting / frightening / thought-provoking, so I suggest you read that right now if you haven’t already. In the interview, Snowden says that “The greatest fear I have…is that nothing will change.”
My privacy plan is an attempt to take some action about this, as an exercise in getting a little privacy back in my online life, to better understand the issues for myself and to show Snowden that his actions have made a change (at an individual level at least).
Below is my initial privacy plan, that I will work through in the next few weeks. Many are taken from this excellent Security Stack Exchange Question: What are the implications of NSA surveillance on the average internet user?
(Interestingly, Edward Snowden himself when asked “Is it possible to put security in place to protect against state surveillance?” said the following: “You are not even aware of what is possible. The extent of their capabilities is horrifying. We can plant bugs in machines. Once you go on the network, I can identify your machine. You will never be safe whatever protections you put in place.” This may make this privacy plan futile at best.)
I’ve divided each action by Difficulty (easy, medium or hard) and Time (short, medium, long) to give an indication of how long I expect the action to take.
I’ll also add to this privacy plan as I find other useful suggestions or more suggestions are made to me, so please leave extra ideas and tips in the comments below.
Key: Action (Difficulty, Time).
1. Sign up to relevant pressure groups (easy, short)
If you live in the UK, you can support the Open Rights Group, who work to protect your privacy and voice your feelings on the matter to your local representatives. If you are a US citizen, you can support the Electronic Frontier Foundation, who are based in San Francisco and do similar work over there. Even just signing up to their mailing lists or reading around their sites to understand the issues is important.
2. Install HTTPS Everywhere (easy, short)
Produced as a collaboration between The Tor Project and the Electronic Frontier Foundation, HTTPS Everywhere is a Firefox and Chrome extension that encrypts your communications with many major websites, making your browsing more secure.
3. Install Adblock Plus (easy, short)
With every browsing session, there are multiple companies tracking your online activity and browsing history. There are hundreds of ad agencies tracking your every move, but with Adblock Plus you can easily disable all tracking, and browse the web truly anonymously. It has a pretty good data and privacy policy too.
4. Review my browser use (easy, short)
According to the EFF Surveillance Self Defense Guide, the web browser is a security hole that needs to be plugged. You need to take regular steps to clear out all the stuff it’s been storing, such as a history of the web sites you’ve visited and the files you’ve downloaded, cached copies of web pages, and cookies from the web sites you visit. In particular, it’s a bad idea to have the browser save your passwords for web sites, and it’s a bad idea to have it save the data you’ve entered into web forms. If your computer is seized or stolen, that information will be compromised.
5. Review web services I use and switch if necessary (hard, medium)
Of those services that were detailed in the NSA surveillance scandal, many of them are the web services and apps I and many other people use every day, hence going in the hard category for Difficulty. Google, Facebook, YouTube, Skype and Apple being the most notable. It’s going to take time to move over to new services that better protect my privacy, but there are a host of them out there for most of what I do online. For example, duckduckgo.com can replace google search, PGP can help with encryption, TorMail for personal email (I use Gmail at work – one other thing to consider).
6. Download and Use Tor (medium, short)
For information like a web search history, you can prevent that information from being linked back to you personally by confusing the point of origin. Using an onion routing service like Tor will help with this.
7. Use the Onion Browser on my mobile (easy, short)
As an extension to using Tor, Onion Browser is a minimal web browser that encrypts and tunnels web traffic through the Tor onion router network and provides other tools to help browse the internet while maintaining privacy.
8. Run “host-proof” Web applications (difficult, long)
The server holds only encrypted data, and the client does encryption and decryption to read and write to the server. For example, if there’s some persistent information (i.e., a document) you don’t want a government to see, don’t let your service provider see it either. That means either use a service you absolutely trust (e.g., an installation of FengOffice or EtherPad that’s running off your SheevaPlug) or use encryption at rest, e.g., encrypt your documents with AES before you send them to Google Drive.
—
I’ll add to this privacy plan as more suggestions are made, so please leave extra ideas and tips in the comments below.
Update: There’s also some further discussion and advice around this post over on Hacker News.
Update #2: I’ve written a follow-up post on the politics of a privacy plan here.
https://www.tarsnap.com is a good “host-proof” application.
Thanks – will take a look.
As for Adblock there’s a much simpler solution.
Install this hosts file, and every tracking server will resolve to localhost.
http://someonewhocares.org/hosts/
Ah, thanks for the tip (and the tweet) Jimmy. Will look to update the post with your suggestion.
Personal Cloud Tonido can replace Google Drive, Dropbox for you. It will also serve your file, photo sharing needs.
A 3rd party analysis of Tonido service:
http://www.amendpc.ca/blog/2013/05/tonido-personal-cloud/
Thanks for the writeup!
I would add MEGA (https://mega.co.nz) as a good choice of cloud storage featuring end to end encryption.
GLA on your privacy plans – everybody should have one.
Thanks Henrik! Good point about Mega, but has it been proven secure (as a relatively new service)?
Firefox and Chrome (and hopefully others) will soon have a WebCrypto API which will allow cloud services to only accept encrypted data that was encrypted locally in your web browser before touching the Internet: http://www.w3.org/TR/WebCryptoAPI/
There is a polyfill to experiment with the API and build applications for it. http://polycrypt.net/
Thanks, Kumar. Will have a look at WebCrypto when I make the switch to Firefox.
Other alternatives to Google, that I actually like more, are https://startpage.com or https://ixquick.com. For email I recommend https://countermail.com. And I recommend the browser add-on https://disconnect.me that works in many browsers, but I would recommend sticking to a totally open-source browser, like Firefox (if you love Chrome and can’t give it up, then use Chromium).
Also, this needs to become a way of life. Remember that having your email stored outside of the US and safely encrypted doesn’t do much good if you’re constantly emailing people in the US that keep their email unencrypted on GMail. Get the word out, help your friends, family, and colleagues to move over to secure communications and services.
We have to make it clear in no uncertain terms that this kind of spying is unacceptable, but whether or not the government changes, we have to change our habits.
Thanks for the input, Mike. Switching to Firefox from Chrome is one of the first actions on my list, so will look at that plugin and the other services you mention.
Freedom Box built a nice list of “leaving the cloud” services http://wiki.debian.org/FreedomBox/LeavingTheCloud
You might also be interested in their FOSDEM talk, the first 15 minutes with Eben Moglen. or so covers why we need privacy tools. The second part is a staus report on their project.
https://fosdem.org/2013/schedule/event/freedombox/
For sharing I’ve been looking into git-annex
http://git-annex.branchable.com/
Thanks, Diane. Great suggestions. Will definitely take a look at the Freedom Box list.
Hello Ben, thanks a lot for the great explanation and compilation of tools.
Do you care if I translate it to spanish and share it in my blog?
Thanks again!
¡Por serpuesto, Hernan! Just a link back to my original post would be appreciated.
Why would you trust Tormail? Because it has the word “Tor” in it? It is not affiliated with the Tor-project in any way. There is no guarantee that it isn’t just a elaborate honeypot service for the gullible. There are much better privacy “aware” email providers if you search for them.
Thanks for the heads up. TorMail was recommended in the Security Stack Exchange thread, but will take a look at other suggestions and update the post with a more suitable service.
Ben, thanks for writing such a helpful article.
Private Internet Access is an easy VPN to set up too – details are here https://www.privateinternetaccess.com/
You’re welcome Anne! Will make sure to look at that service too and will update the post later today.
buenos dias que es un tor? o que significa la palabra tor en una pagina web?
Thanks for all the comments and ideas. I’ve written a follow up post, looking at the political aspects of a privacy plan.
Read more here: https://benrmatthews.com/2013/06/learning-about-the-politics-of-a-privacy-plan/