(Photo via Sean MacEntee)
I’ve decided to come up with a privacy plan for myself. After hearing about the NSA’s surveillance scandals and now the details about Edward Snowden, the whistleblower behind the NSA surveillance revelations, I’ve been kicked into action.
These events have got me (and several million other people) spooked by who is capturing information about me, how they are capturing information about me and what they are doing with that information.
It’s always been an issue, I just didn’t care.
The interview with Edward Snowden is especially interesting / frightening / thought-provoking, so I suggest you read that right now if you haven’t already. In the interview, Snowden says that “The greatest fear I have…is that nothing will change.”
My privacy plan is an attempt to take some action about this, as an exercise in getting a little privacy back in my online life, to better understand the issues for myself and to show Snowden that his actions have made a change (at an individual level at least).
Below is my initial privacy plan, which I will work through in the next few weeks. Many of the actions are taken from this excellent Security Stack Exchange question: What are the implications of NSA surveillance on the average internet user?
(Interestingly, Edward Snowden himself when asked “Is it possible to put security in place to protect against state surveillance?” said the following: “You are not even aware of what is possible. The extent of their capabilities is horrifying. We can plant bugs in machines. Once you go on the network, I can identify your machine. You will never be safe whatever protections you put in place.” This may make this privacy plan futile at best.)
I’ve divided each action by Difficulty (easy, medium or hard) and Time (short, medium, long) to give an indication of how long I expect the action to take.
I’ll also add to this privacy plan as I find other useful suggestions or more suggestions are made to me, so please leave extra ideas and tips in the comments below.
Key: Action (Difficulty, Time).
1. Sign up to relevant pressure groups (easy, short)
If you live in the UK, you can support the Open Rights Group, who work to protect your privacy and voice your feelings on the matter to your local representatives. If you are a US citizen, you can support the Electronic Frontier Foundation, who are based in San Francisco and do similar work over there. Even just signing up to their mailing lists or reading around their sites to understand the issues is important.
2. Install HTTPS Everywhere (easy, short)
Produced as a collaboration between The Tor Project and the Electronic Frontier Foundation, HTTPS Everywhere is a Firefox and Chrome extension that encrypts your communications with many major websites, making your browsing more secure.
3. Install Adblock Plus (easy, short)
4. Review my browser use (easy, short)
According to the EFF Surveillance Self Defense Guide, the web browser is a security hole that needs to be plugged. You need to take regular steps to clear out all the stuff it’s been storing, such as a history of the web sites you’ve visited and the files you’ve downloaded, cached copies of web pages, and cookies from the web sites you visit. In particular, it’s a bad idea to have the browser save your passwords for web sites, and it’s a bad idea to have it save the data you’ve entered into web forms. If your computer is seized or stolen, that information will be compromised.
5. Review web services I use and switch if necessary (hard, medium)
Many of the services detailed in the NSA surveillance scandal are the web services and apps that I and many other people use every day, which is why this goes in the hard category for Difficulty. Google, Facebook, YouTube, Skype and Apple are the most notable. It’s going to take time to move over to new services that better protect my privacy, but there are a host of them out there for most of what I do online. For example, duckduckgo.com can replace Google search, PGP can help with encryption, and TorMail can handle personal email (I use Gmail at work, which is one other thing to consider).
6. Download and Use Tor (medium, short)
For information like a web search history, you can prevent that information from being linked back to you personally by confusing the point of origin. Using an onion routing service like Tor will help with this.
7. Use the Onion Browser on my mobile (easy, short)
As an extension to using Tor, Onion Browser is a minimal web browser that encrypts and tunnels web traffic through the Tor onion router network and provides other tools to help browse the internet while maintaining privacy.
8. Run “host-proof” Web applications (hard, long)
In a host-proof application, the server holds only encrypted data, and the client does the encryption and decryption needed to read and write to the server. For example, if there’s some persistent information (e.g., a document) you don’t want a government to see, don’t let your service provider see it either. That means either using a service you absolutely trust (e.g., an installation of FengOffice or EtherPad that’s running off your SheevaPlug) or using encryption at rest, e.g., encrypting your documents with AES before you send them to Google Drive.
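To make the "encrypt before you upload" idea concrete, here is an added example (not part of the original post) using Node's built-in `crypto` module: the document is sealed on the client with AES-256-GCM under a key derived from a passphrase, and the storage provider only ever receives the resulting blob. The function names, the `salt || iv || tag || ciphertext` layout, the in-memory `server` stand-in and the choice of scrypt and GCM are assumptions made for illustration; the post itself only says "AES".

```javascript
// Added example: client-side ("host-proof") encryption before upload.
// Names and blob layout are illustrative assumptions, not from the post.
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require("node:crypto");

const SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16;

// Derive a 256-bit key from a passphrase; the salt is stored next to the ciphertext.
function deriveKey(passphrase, salt) {
  return scryptSync(passphrase, salt, 32); // Node's default scrypt cost parameters
}

// Runs on the client. Returns salt || iv || tag || ciphertext: the only bytes the server sees.
function sealDocument(plaintext, passphrase) {
  const salt = randomBytes(SALT_LEN);
  const iv = randomBytes(IV_LEN); // must be fresh for every encryption under the same key
  const cipher = createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
  const body = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]);
}

// Runs on the client after download. Throws if the passphrase is wrong
// or if the stored blob was modified in any way.
function openDocument(blob, passphrase) {
  if (blob.length < SALT_LEN + IV_LEN + TAG_LEN) throw new Error("blob too short");
  const salt = blob.subarray(0, SALT_LEN);
  const iv = blob.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = blob.subarray(SALT_LEN + IV_LEN, SALT_LEN + IV_LEN + TAG_LEN);
  const body = blob.subarray(SALT_LEN + IV_LEN + TAG_LEN);
  const decipher = createDecipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(body), decipher.final()]).toString("utf8");
}

// Stand-in for the storage provider: it keeps whatever bytes it is handed.
const server = new Map();

// Constructed sample document and passphrase.
const doc = "Meeting notes: draft, not for sharing";
server.set("notes.txt.enc", sealDocument(doc, "correct horse battery staple"));

const stored = server.get("notes.txt.enc");
console.log("server holds plaintext?", stored.includes(Buffer.from("Meeting notes")));
console.log("round trip:", openDocument(stored, "correct horse battery staple"));
```

The provider can still see the file name, size and upload time, so this protects the content of a document rather than the fact that it exists.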
I’ll add to this privacy plan as more suggestions are made, so please leave extra ideas and tips in the comments below.
Update: There’s also some further discussion and advice around this post over on Hacker News.
Update #2: I’ve written a follow-up post on the politics of a privacy plan here.