


Contributing writer

8 tips to enhance your online privacy

Jul 24, 2013 | 8 mins
Application Security, Data and Information Security, Government

Everybody wants a measure of privacy. As some experts on the topic have pointed out, even those who declare they have “nothing to hide” generally have curtains on the windows of their homes and don’t invite everybody over to have a look at their credit card statements.

But in light of recent revelations from Edward Snowden, the former Booz Allen Hamilton employee who leaked top-secret documents about the extent of National Security Agency (NSA) data collection, and more recent news about government monitoring even snail mail, there are serious questions about whether privacy -- particularly online and telephone -- is possible at any level any more.

The answer from a number of experts is a qualified yes -- as in possible, but not likely. As Kevin McAleavey, cofounder and chief architect of the KNOS Project noted, “even Booz Allen Hamilton (and by extension the NSA) can’t keep their stuff private. If the ‘experts’ can’t keep their stuff under wraps, what possible chance does Judy Consumer have?”

Privacy experts say there are two ways to keep government monitors out of your life. One is to withdraw as much as possible from the wired world. That would mean ditching your smartphone or, if you have to use one for your job, turning it off and removing the battery when you don’t need it, since otherwise it will broadcast your location.

That also includes conducting no business online, and not ever sending an email or posting anything on social media that you don’t want collected and stored by the government.

It is a bit like the political advice that the public policy think tank Pioneer Institute attributes to Martin Lomasney, an old Boston political boss: “Never write if you can speak; never speak if you can nod; never nod if you can wink.” The disgraced former governor of New York, Eliot Spitzer, gave it an update on his Wikipedia page: “Never put it in email.”

The Electronic Frontier Foundation (EFF), in a list of privacy recommendations, includes this: “Unless you take specific technical measures to protect your communications against wiretapping or traffic analysis -- such as using encryption to scramble your messages -- your best defense is to use the communications methods that possess the strongest and clearest legal protections: face-to-face conversations, postal mail and landline telephones.”

Even nation-states are taking the Luddite approach in some cases. Just recently, it was reported that the Russian equivalent of the U.S. Secret Service is using typewriters again, to avoid generating digital copies of highly sensitive documents.

But experts say there are ways both individuals and businesses can remain in the wired world and at least make it difficult for anyone, including the government, to monitor their activities. Those who are really serious about it will have to take some time-consuming and in some cases complicated steps to do so. The following list includes some of the more common recommendations:

1.) Be sure your computer(s) have whole-disk encryption and are password protected. PGP (Pretty Good Privacy) Desktop is, according to Rebecca Herold, CEO of The Privacy Professor, “still a great tool, and comparatively easy to use. There are also steganography solutions, but I anticipate the NSA would crack those fairly quickly,” she said.

2.) Encrypt your email with S/MIME (Secure/Multipurpose Internet Mail Extensions). Experts are unanimous that end-to-end encryption is essential. Users also should not use any nickname in an email account that could identify them. Amie Stepanovich, director of domestic surveillance at the Electronic Privacy Information Center (EPIC), said it is crucial for the user, not a third-party vendor, to hold the encryption keys.

The documents from Snowden about Microsoft allowing the NSA access to its encryption keys mean any system that trusts an intermediary carrier is worthless.


“It’s like you’re renting an apartment and the landlord still has a set of keys and can let anyone into your personal space anytime they want to,” Herold said. “If the user owns them, government could still seek access to the encryption keys, but to get them, it would have to come to that user.”

Even that is not foolproof, however, McAleavey said.

“The bottom line is that ‘end-to-end encryption’ is only any good if the spooks never saw it before. Otherwise, they don’t need the keys -- like any good car thief, they have jimmy sticks and sequencing key fobs.”

3.) Use features like ad block, Ghostery and HTTPS to remain as anonymous as possible.

“I always go incognito when using Facebook,” Herold said. “I use other types of browsers where I cannot effectively use sites while incognito.” EFF calls HTTPS, “the most common web encryption standard.”

4.) Consider running the OS off of a live-boot DVD with all the necessary programs to ensure viruses cannot infect it. Have it auto-mount the encrypted drive, perhaps with a different password than the login password.

5.) Use Tor (free software that uses onion routing to enable users to communicate anonymously on the Internet) and configure it to have multiple SOCKS ports available so that email, web browsing and other activities can use separate circuits.

6.) Have a separately installed OS (or second OS live-boot disk) for any activity you don’t want associated with another activity.

Herold says this is “a great idea, but, most folks who really need such protection simply will not take the time to do it. We need protections built in and transparent,” she said. “The problem now is that we will always be wondering if Apple or Microsoft will go ahead and give the government access anyway.”

7.) Use an RF-proof bag for your smartphone when you’re not using it.

“They’re made all over the planet and they’re dirt cheap,” McAleavey said. “They’re made of fine copper mesh woven into fabric. The really good ones have very good RF attenuation, which completely blocks all signals when the device is in the bag. GPS won’t work, it can’t talk to the cell towers and it definitely can’t talk or watch what you’re doing. Your phone also will not ring, you can’t make calls and nobody knows where that phone is -- until you take it out of the bag.”

8.) Use Virtual Private Networks (VPNs) -- EFF describes them as, “a potent encryption tool that allows you to ‘tunnel’ communications securely over the Internet.”
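
As an added illustration of tip 5 (not from the article or its sources), here is a torrc fragment that opens several SOCKS listeners so that each application gets its own circuits. The port numbers and the application assigned to each port are assumptions chosen for the example.

```conf
# torrc fragment (constructed example; ports and application mapping are arbitrary)
#
# Each SocksPort line opens a separate listener. By default Tor does not let
# streams that arrive on different listeners share a circuit, so traffic from
# the applications below is not carried over the same exit path.

# Web browser: set its SOCKS5 proxy to 127.0.0.1:9050
SocksPort 127.0.0.1:9050

# Mail client: set its SOCKS5 proxy to 127.0.0.1:9052
# (9051 is skipped because it is the port commonly used for Tor's ControlPort)
SocksPort 127.0.0.1:9052

# Other tools: additionally use a separate circuit per destination address
SocksPort 127.0.0.1:9053 IsolateDestAddr

# Binding to 127.0.0.1 keeps the listeners reachable only from the local machine.
```

Separate listeners keep the activities on different circuits, but an application that leaks identifying data inside its own traffic (account names, cookies) is still linkable at the destination.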

Those recommendations don’t end the debate over privacy, however. EPIC’s Stepanovich argues that people shouldn’t have to go to extreme lengths to guard their privacy in a wired world.

“It’s not true that there has to be a trade off between privacy and security. You don’t have to give up one to get the other,” she said.

While EPIC does not oppose all surveillance, she said, “it should be targeted. An individual should be in mind because of a showing. Maybe with widespread surveillance, you’ll catch a couple of bad people. But it is not in line with the foundation principles of this country.”

On the other side, Randy Sabett, an attorney with ZwillGen and information security/privacy expert, said he believes that Americans should be concerned about privacy, “but I think the question should be: Can privacy from government surveillance be balanced against the security needs of our country?”

Sabett said there is, “a big difference between surveillance and collection, and I think we need a dialogue to try to find the balance.”

He said he believes there is some over-classification of information and that data collected about citizens should probably be destroyed after a certain number of months or years.

“But government needs some ability to track down bad guys, and you have to grant them some level of secrecy,” he said.

About the Snowden revelations on government surveillance, he said, “The bad guys will read that like a cook book -- they will know what to avoid. Do we really want that?”