Today is Data Privacy Day, and we would like to mention a few techniques and applications you should consider using to protect your privacy online, especially in this environment of growing policy and corporate monitoring of our activities online. Everyone knows to be careful about what information you share on Facebook, but simply by being on the network you provide a lot more information than you might think.
Account and password management
I use unique, strong passwords for each and every online account I have. In addition, I occasionally use unique usernames for sites to make it more difficult to to cross-link my identities across multiple sites. To generate unique random usernames, you can use MyUsernameGenerator. There are several alternatives for password management; my preference is to use KeePass to generate long, strong passwords. KeePass stores usernames in an encrypted file, which I store in DropBox to ensure it is synced between all of my computers and mobile devices automatically. Just make sure you have a good passphrase on your KeePass database. Clients exist for Windows, Mac, and Linux, as well as iOS and Android. In addition to slowing down data mining, using unique usernames protects your accounts on various sites if one site you visit has a security breach.
Use 2-factor authentication when possible
Two-factor authentication is significantly stronger than just a password; it involves both “something you know” (the password) and “something you have” – in this case, usually a key that generates very short duration time-based passwords. Google is the only major service provide – as far as I know – who currently offers this, and if you have a Google account I strongly suggest you turn it on. The way it works with Google is they provide an application that you install on your phone to act as the password-generating token. Then, to log on to a new computer, you need both your normal password and the code generated by the token. If someone steals your password, they still cannot login without the token (your phone).
Use application-specific passwords
Putting your Google password into an application to log into your Google account is dangerous. If the app is compromised, or malicious, it now has full access to your Google account. (Some websites will authenticate against another account management site – Facebook does this, for example – which is different and does not put your account credentials at risk. Most sites that do this allow per-site management, such as Google.) Google allows you to generate unique passwords to supply to an application which allows you to both limit the application’s access to particular features of your account, and allows you to revoke that access in the future, should you learn the application is compromised. I do this for my chat clients, both on my laptop and on my phone. Other account providers may provide similar capabilities, but as far as I know Google is the only one so far.
Encrypt your email
Encryption online is problematic, because it requires effort on both ends of the communication to work – and most people do not do anything in this area. However, PGP and GPG provide the ability to sign and/or encrypt your emails so that they can be identified by the receiver as authentic and free of manipulation, and if encrypted the contents are guaranteed to be private. This is important because email is transmitted and stored in plain text – and any computer in the path of the email transmission can trivially read the contents. Additionally, it is trivial to forge email headers, meaning that I can make it appear as if I am anyone else that I wish to be. If someone has your email address, they can send email that appears to come from you – with enough sophistication that most users would never know it wasn’t (spammers do this often). And, do you trust your service provider with all of the information in your email?
Encrypt your chat
Chat protocols are a bit newer, and a bit less naive than email when it comes to authentication. Still, unencrypted communications are subject to relatively trivial snooping by anyone else on the network – meaning that when chatting online while on the wireless at the coffee shop, that skeezy looking guy in the corner could be reading the entire conversation. And, of course, the communications are all subject to logging and monitoring by your service provider (and potentially an overreaching police state). Much like email, chat encryption requires users at both ends to take action in order to work, but it also can bolt on top of existing messaging networks. Clients also exist for computers and mobile devices. I use the OTR protocol (“Off The Record”), which allows users with OTR-capable clients to communicate with each other securely across existing chat networks, such as Facebook or Google Talk. I use Adium (MacOS) on my laptop, and Gibberbot on my Android, to provide OTR secured chat. (Clients exist for most platforms: Jitsi, ChatSecure, Pidgin, for example.) Why should Facebook be allowed to see all the details of what you intend to be private communications with your friends?
Encrypt your video chat
Encryption for video and voice calls over existing networks is a newer area, as voice and video chat are less mature technologies. Still, secure alternatives to Skype exist. Much like email and chat, they require compatible clients at both ends of the connection, but Jitsi is an application that supports OTR chats (as mentioned above), and also encrypted audio and video chats. This is accomplished by using the SRTP and ZRTP protocols over existing networks. So, just like with chat encryption, you can still use these clients to communicate with people on your normal network who are not using encryption. No need to switch to a separate application, on a separate network. Best of all, you can configure these clients to attempt to auto-negotiate encrypted comms (and they will tell you whether or not the communication is secure – so you know if it is safe to give the security code to your home alarm to your housesitting friend or not).
Encrypt your cell phone calls
Do you really not trust your cell service provider? You can actually encrypt your cellular calls, too. I use an app called RedPhone on my Android. This is a very new area, as the application is still in “beta”, but the technology is the same as the video chat – using SRTP and ZRTP. When you attempt a call, the application will detect if the person on the other end has registered their phone in the RedPhone network, and offer the option of a encrypted call over VoIP.
Encrypt your text messages
The same folks who made RedPhone also make TextSecure, which allows optionally encrypted text messages – and communication with users who don’t support encryption just like normal. These applications are virtually all Open Source, as well, which allows the community to review the code and verify that it behaves in a “good” way.
Mask your web activity
Most people are aware that your web browser will record various bits of information about your activities on the local computer – and that most web browsers now support “incognito” mode (or something similarly named) that will provide some protection. I would suggest, any time you sit down at a computer that isn’t yours to browse the web, you open an incognito window immediately to ensure cookies and web history is discarded, so that the next person to come along can’t access your Facebook account, if you accidentally clicked “keep me logged in”. Most people are also aware that HTTPS traffic is encrypted, ensuring that the data being sent cannot be read between the browser and the server, such as your bank’s website. However, regular HTTP traffic is visible to anyone on the network, and even the fact that you are conducting HTTPS access to your bank is visible. Your ISP knows everything you do online. It is possible to obfuscate your activities from your ISP (or hackers attempting to access their logs, or sniff network traffic) by using a technology called Tor. Tor allows you to browse the network completely anonymously – anyone monitoring your activity would be able to discern that you were on Tor, but would have no information at all about what sites you were visiting, which can be on the Tor network, or on the regular internet. (Some activity, such as using plugins, is unsafe and can reveal your real identity – IP address – to the remote host – such as YouTube.) Clients exist for mobile devices, such as Orbot for Android.
As you can see, there are a lot of things you can do to enhance your data privacy on the internet, and most of it involves protecting that data from being stored by third parties in the first place. Some of this may seem like overkill, but many of these techniques were used by folks in Egypt during the Arab Spring to hide organizing efforts from those who would wish to squelch them. While the risks to us on a daily basis are far less dire, that doesn’t mean we should willingly grant third parties unrestricted access to private communications. I would suggest you learn how to do all of this, and evangelize to your friends, but at the bare minimum start using strong, unique passwords at every site you have an account at, and even better start using unique usernames at all of them. This will at least contain the damage of a hacked site to just that site.
Like most rights, unless we exercise them, they are subject to erosion. Exercise your right to privacy.