If 2013 was the year of the whistle-blower waking the world up to vast state surveillance, then 2014 should be the year of encryption and privacy. Here are a few ways to avoid being spied on, aside from throwing your computer off a building.
On March 12 of last year, Senator Ron Wyden asked Director of National Intelligence James Clapper point blank if the NSA collected bulk data on Americans. In front of a Senate Intelligence committee, Clapper replied, “No, sir… not wittingly.” Roughly three months later, Edward Snowden took a flight to Hong Kong and dumped a shitload of NSA secrets, simultaneously proving Clapper a liar and pushing the word "Orwellian" closer toward redundancy.
Despite the critical mass of outrage since then, nothing has changed—NSA surveillance has gone on unabated, and will continue to do so at least until the end of March. So if you believe that your data is now safe on your laptop or smartphone thanks to Glenn Greenwald's editorial crusade, you are wrong. It is not. As Anton Kapela, a security expert at world-leading data storage company 5NINES, said, the only real privacy is in disconnecting. “There is a way to be private and secure, but at substantial cost and limited practicality,” Kapela says. “Minimize all use of the internet on laptop, desktop, and mobile, because you're 100 percent fucked.”
Kapela should know. In 2008, at the hacking conference DEF CON, he and colleague Alex Pilosov presented a hack that exploited a basic internet protocol called Border Gateway Protocol (BGP). The hack would allow an eavesdropper—any eavesdropper—to monitor the unencrypted traffic flowing to and from your computer. As WIRED reported at the time, “The method conceivably could be used for corporate espionage, nation-state spying or even by intelligence agencies looking to mine internet data without needing the cooperation of ISPs.”
But cyberspace doesn't have to be so bleak. If 2013 was the year of the whistle-blower waking the world up to vast state surveillance, then 2014 should be the year of encryption and privacy. After Edward Snowden's NSA revelations, several tools aiming to help you privatize your online life popped up, from Lockbox’s encrypted cloud to Crypstagram, which allows you to upload images that contain encrypted messages. Elsewhere, Wickr is utilizing the spy film/Snapchat method—providing a service that allows you to send private messages that self-destruct—while just last month, Instagram tried to capture the privacy zeitgeist with its Instagram Direct private messaging tool.
Until the next generation of privacy apps arrives, there are a few things you can do to duck the Orwellian gaze of government, tech companies, and advertisers. We asked a few security and internet experts for tips on how you can make your online life more private in 2014. They responded with a range of tactics that anyone could implement with moderate ease. Here they are.
Encrypt Your Web Browsing
The simple act of browsing, whether on a computer or mobile device, opens a whole can of privacy worms. By default, search engines and browsers amass user data—everything from cookies and searches to passwords and download history is fair game. Even if this cache of information is regularly deleted, hackers, NSA agents, Google, Bing, and their fleet of advertisers will have access to everything. The moment you enter a search term, it's out in the world and it’s not coming back. This reality needs to be understood before anything else.
And so free internet advocate Elizabeth Stark, creator of the recently launched Kickstarter-meets-XPRIZE platform called Threshold, believes everyone should be using HTTPS Everywhere. A collaboration between the Tor Project and the Electronic Frontier Foundation, HTTPS Everywhere encrypts your communications over the web, transforming every standard HTTP page into a more secure HTTPS page. This means greater privacy and security when you're browsing the web.
As the Electronic Frontier Foundation notes, many sites have limited support for HTTPS, and those that do often make it difficult to use. Some sites, for example, might support HTTPS but fill the site's page with links that sneakily take you back to the plain-old unencrypted HTTP site. The HTTPS Everywhere extension can be downloaded for Chrome, Firefox, and Opera browsers, allowing you to get one over on those companies and organizations whose websites couldn't give a fuck about your web security.
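The behaviour described above, as an added example that is not HTTPS Everywhere's own code: it audits a page's markup for links and resources that drop back to plain HTTP and rewrites the ones whose host is known to serve HTTPS. The allowlist, host names and sample markup are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Hypothetical allowlist: hosts assumed to serve the same content over HTTPS.
HTTPS_CAPABLE = {"example.org", "www.example.org", "cdn.example.org"}

class LinkAudit(HTMLParser):
    """Collect every href/src/action URL on a page with the tag that carries it."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.found.append((tag, value))

def upgrade(url):
    """Return the https:// form of url, or None if the host is not allowlisted."""
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname not in HTTPS_CAPABLE:
        return None
    if parts.port not in (None, 80):
        return None  # non-default port: no basis for guessing an HTTPS equivalent
    return urlunsplit(("https", parts.hostname, parts.path, parts.query, parts.fragment))

def audit(html):
    """Split a page's plain-HTTP URLs into upgradable ones and ones left exposed."""
    parser = LinkAudit()
    parser.feed(html)
    upgraded, exposed = [], []
    for tag, url in parser.found:
        if urlsplit(url).scheme != "http":
            continue  # already https, relative, or not a web URL
        target = upgrade(url)
        (upgraded if target else exposed).append((tag, url, target))
    return upgraded, exposed

# Constructed sample: markup from an HTTPS page that links back to plain HTTP.
SAMPLE = """
<a href="https://example.org/account">Account</a>
<a href="http://example.org/login?next=/inbox">Log in</a>
<script src="http://cdn.example.org:80/app.js"></script>
<img src="http://ads.example.net/pixel.gif">
<a href="/about">About</a>
"""
```

Anything returned in the second list stays unencrypted no matter what the browser does, because the host itself offers no HTTPS endpoint to rewrite to.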
Get Yourself Some Anti-Tracking Plugins
Seeing how data is processed is also important in enhancing privacy. Mozilla's Lightbeam is a privacy extension that allows its users to see the first- and third-party sites they interact with on the web. Activate the extension, and you'll be presented with a real-time visualization of all the third parties that are active on that page in three graphic representations: Graph, List, and Clock. While Lightbeam isn’t going to stop user tracking, it’s a good first step in learning how you're tracked on the web.
For those of you looking to stop tracking, enable the "Do Not Track" option on web browsers like Chrome and Firefox. Using an anonymous search engine like DuckDuckGo is a wise choice as well. Its purpose is the exact opposite of Google’s, which is to collect as much information as possible about every Google user on the planet. Regardless of how emotionally stimulating their Doodles can be, avoiding the tech giant as much as possible is vital in securing privacy.
Stop Over-Sharing, Duh
Compared to Facebook, Google is a model citizen. Facebook’s one true goal is to add or tweak features so that users will gleefully offer up treasure troves of private information. They want real, three-dimensional life mirrored online in very precise detail. Facebook owns everything its users post, forever, also reserving the right to hand this data over to the government without notification. The best option for users would be to shutter their accounts, but in an age where social media is just an extension of a social life, this isn't exactly realistic.
If you can't make the break, Stark advises you to check Facebook's privacy settings, which are purposefully labyrinthine. Though you might manage to go publicly incognito, Facebook will still have access to your data, selling it to advertisers and possibly handing it over to the NSA in bulk or via warrants. The same goes for Twitter with its recently announced private photo tool. These “private” photos may be hidden from public view, but Twitter will have access to the photo’s geo-data and content.
“The internet has a long memory,” cautioned Kevin Mahaffey, who is the founder of an app called Lookout that protects your data from cybercrime. “Never put anything on a social network that you don't want your grandchildren to read or a History Channel special on your life to mention.”
Mahaffey believes that the biggest privacy issue facing most people is their willful volunteering of private information on an actively tell-all scale. Facebook, Twitter, Instagram, and various other social media platforms are gold mines of personal data. These services acquire as much data as possible, for which advertisers pay top dollar and governments lobby for secret access. These social media outlets have many different privacy policies, so the best thing to do is to browse them and enable as many privacy protection settings as possible.
Password-Protect Your Shit
On the mobile front, one of the best and easiest moves smartphone users can make is to password-protect their phone's screen lock. If anyone gets their hands on a lost or stolen smartphone, they won't be able to check its contents unless they have a hacking tool that can mount a brute-force attack. That goes for law enforcement as well, who cannot compel you to hand over your password without a warrant. Users should also encrypt data stored on a smartphone—this will require a longer, more random password, but will be more effective at safeguarding your private information.
Pay Attention to Your Apps—Especially the Healthcare Ones
After password-protecting a smartphone, you should become conscious of your device's apps and data, and the interaction between the two. “Beware of health apps and other apps you download,” advised Sell, who noted that health app makers can mine physical data generated by your body and sell it to pharmaceuticals or other for-profit companies in the healthcare industry.
“Also, use Lookout to protect your phone from apps and yourself,” said Sell, noting that people should use anonymous search engines like Blekko—with Super Privacy enabled—for medical and other searches. For added privacy, Sell said people should pay for healthcare (and non-healthcare) products in cash instead of credit or debit, which leave digital paper trails. As any decent cop drama should have told you by now, no one can follow the cash.
Stop Telling Tech Companies Where You Are All the Time
Sell encourages more seasoned internet users to feed Google Maps misinformation, so that its algorithms cannot piece together precise patterns. She also advises you to keep smartphones in a Faraday cage, which blocks all wireless signals from entering or exiting the phone. These cages also stop phones from waking up from an off state and transmitting cellular, WiFi, and GPS electrical signals. One of the most notable is Off Pocket, which was successfully crowd-funded into existence earlier this year.
Geotags, or geolocation data, are also a privacy concern. Photo-sharing apps like Instagram embed this information in the image file, permitting the company and advertisers to learn more about your real-world movements through your mobile devices. This allows advertisers to better target ads at you. “Delete geolocation data from media you post online, and don't post kids' photos on Facebook, Google, Twitter, etc,” said Sell, who added that using Skype for private communications is ill-advised, given that Microsoft collects Skype data.
Shred All Your Browsing Data
Smartphones have a "Do Not Track" setting, which, once enabled, blocks first and third parties from collecting internet browsing data. The only catch is that access to certain websites might be blocked in turn, disrupting the browsing experience. A few weeks back, app maker MoboTap dropped Dolphin Zero, a stripped down version of its celebrated Dolphin browser, which shreds all data when users close the app. Default mobile browsers don't function like this right out of the gate, so it's worth getting ahold of some software that will.
Protect Your Contacts
Contacts both on computers and smartphones should also be kept private. “Don't upload your contact books to eVite, WhatsApp, Snapchat, and Facebook,” added Sell. “Respect your contacts and expect others to do the same.”
Of course, giving fake names to important contacts in order to confuse digital peeping Toms is one option. Remembering actual numbers instead of saving them is another. But, if your terrible memory won't permit you to pursue either of these options, be sure to research apps that protect contact lists, such as Mobile Vault, to maintain a modicum of contact privacy. Another app that does the trick is My Secret Contacts by Synapsis Research, which saves contacts behind a password-protected wall, among other things.
Step Up Your Password Game
Kevin Mahaffey also emphasizes that whether you're a digital native or not, you should pay special attention to your primary email account. Use a unique password and never spread it across other accounts. Also, never use a word or phrase that can be gleaned from a Twitter or Facebook feed. Randomise passwords and change them often. If need be, write passwords down in case they are forgotten. Store the password on a piece of paper, then place it in a wallet or in a drawer.
If the wallet is lost, change the password, which should be done semi-regularly anyway for security and privacy purposes. And, if possible, use two-step or other multi-factor login authentication. This makes it far more difficult for a hacker to access an email account. Google offers two-step verification for Gmail that is incredibly easy to set up. Mozilla Thunderbird is also a successfully private email service, which can be made more secure with extensions, including PGP or GPG encryption (private keys that make messages secret). Expect new encrypted email services to emerge soon enough and replace the now defunct Lavabit, Tor Mail, and Silent Circle options.
Start Talking to People IRL
Of course, traditional person-to-person communication is still an option. The ease of the internet and mobile communication has tricked people into believing that information has to be exchanged on this digital matrix. If privacy is a major concern, make a point of having proper, real-life conversations. Unless you’re in the actual mob, it’s unlikely you’re being bugged.
Ultimately, there is one truism of the digital age: good and bad hackers alike are constantly trying to find system vulnerabilities. We might never be truly secure from malicious hacking and government intrusion. If we simply can’t bear unplugging ourselves from the matrix, then there are tools and apps that grant us a greater degree of privacy. But, it’s important to remember, even these tools are vulnerable.
Beyond that, privacy in this surveillance age is a matter of education. People need to understand why privacy matters and what can be done to better ensure it. Experts stay informed about the latest privacy and encryption apps, tools, and subversions, but average users are rarely, if ever, proactive. The best we can do is to share with our friends and relatives the best tactics against corporate and state surveillance. And, as Kapela suggests, stay the fuck off the internet, or at least severely reduce our usage. Do that, and we'll all be surprised at how private our lives can become.
Follow DJ on Twitter: @djpangburn