TL;DR (short version for those who don’t want to read the whole thing)
- Use encryption wherever possible, which is almost everywhere. Encryption works. Use full disk encryption like Truecrypt on all your hard drives and all external drives and thumbdrives, except any used for temporary storage and sharing of files. Encrypt your emails wherever possible using open source email technology like GnuPG. This means Mailvelope with Gmail and other webmail services, GPGTools with Mac Mail, GPG4Win and Enigmail with Thunderbird on Windows, or Enigmail with Thunderbird on Linux. Admittedly, encrypting email is a bit of a pain, but it works. Luckily, other encrypted messaging is much easier to use. On your phone, use an encrypted SMS replacement like TextSecure, Threema, Wickr, or Silent Circle. You can even encrypt cell phone calls with RedPhone or Silent Circle. Encrypt chats using crypto.cat, or OTR (“off the record”) plugins for Adium and Pidgin, or Gibberbot on Android and ChatSecure on iOS.
- Do not rely exclusively on encryption. Understand what it can and cannot do. The mathematical foundations of encryption are the strongest link in the security chain, but the weaker links in the security chain are the bigger problems: your crappy passwords; poor implementations of encryption; buggy, out of date, or unpatched software and operating systems; malware; insecure browsing habits; untrustworthy friends; stupidity or forgetfulness; the physical insecurity of the “endpoints” (i.e. your devices, your workplace, and your home). In other words, don’t assume that you have actually achieved total privacy, security, or anonymity: you are reducing, not eliminating, your footprint. Yet this is still a substantial gain in the battle for privacy and against bulk surveillance.
- Learn what a strong password is. At this stage, to future proof your passwords, you probably need at least an 18 character purely random string of big and small letters, numbers, and symbols generated by a random password generator like LastPass, 1Password, or https://grc.com/passwords. No really: at least 18 truly random characters. 20 or more is better. Any system you have come up with to devise your own passwords that is not properly random and high entropy is easily broken. Your idea of random is not random. Anything you think is clever that is not purely random is also thought clever by millions of others and well known to people who spend their time making password cracking machines.
- Be clear about what you are trying to protect against and calibrate your actions accordingly. If you are happy being a subject of total surveillance, at least be clear about that. But don’t endanger anyone else just because you’re not worried.
- Understand the difference between privacy, security, and anonymity, and what each entails.
- Do your best to learn and maintain good security practices: install only the software you really need; avoid dubious or illicit software; keep your software, computer, and mobile devices fully up to date; secure your browser. Enable two-factor authentication on LastPass, Gmail, Facebook, Twitter, and anywhere else it is available to you. Here is an example of a good guide to basic Windows security.
- Do not keep, send, or travel with written passwords to encrypted devices and drives in proximity to each other (note: Glenn Greenwald has stated that UK police lied, and that his partner was not actually travelling with any written passwords). Do not send, store, or travel with any passwords written in the clear, or in the “same channel” as the encrypted content. If physically mailing or travelling with an encrypted device, use something like LastPass or PGP to send the password in encrypted form.
How to think about security: Threat models and the spectrum of paranoia
Before going too far, it is important to think about the “threat model”. What kind of actor are you protecting against, and against what type of activity? Are you being targeted directly, or protecting against passive, bulk surveillance and opportunistic threats (like eavesdroppers at an open wifi hotspot, or people who find your lost laptop)? Is the potential adversary a large entity with vast resources and global reach, like a government, multinational, or large criminal organization? A petty criminal? Or people in your life? Does the adversary have physical access, or is the threat remote? What are the costs and consequences of a failure of privacy and security? All of these are factors indicating the level of caution you might adopt. In general, the following should be kept in mind:
- It is very difficult for an ordinary person to defend against an adversary who can gain physical access to devices.
- If a large organized entity targets you, protecting yourself will require extreme vigilance, discipline, and skill beyond most people’s capacities.
- It is fairly easy to achieve a level of privacy and security from passive and opportunistic threats, like petty criminals, passive eavesdroppers, relatives who aren’t tech savvy, and people who might find a lost device or hard drive.
- It is relatively easy to protect the content of your communications from bulk surveillance.
- It is difficult or impossible to protect metadata about your email and telephone communications from surveillance, and in some cases, the metadata is not really different from “content”: for example, when you phone an abortion clinic, a psychiatrist, or an investigative journalist.
The inevitability of trust
Short of becoming a hermit and eschewing all technology, we have no choice but to trust innumerable people and technologies all through our daily lives. We trust the people who make and sell our food and medicine, the workers who made our car, our bus driver, our fellow travellers, our devices, and innumerable other people and things. We cannot check that the computer made from hardware manufactured in many different places around the world does not contain embedded backdoors at a deep level in its silicon chips. Nor can we build our own computers from raw elements up, or compile and examine the internals of every piece of software we must rely on--even if we are qualified to. Further, if we communicate with others, at some point we are going to trust them. How much trust is reasonable is an assessment that balances security with necessity and convenience, and the realities of daily life.
Privacy, security, anonymity: related but distinct goals
Broadly, we can say there are three related but distinct goals in protecting yourself and your information from surveillance or criminal threats: privacy, security and anonymity. (Related to these but beyond the scope of this article are the ideas of identity, authentication, and trust, which are fundamental problems on the internet with as yet no great solution.)
Privacy is about your ability to decide what information you will share, and who you will share it with. On the internet, conversations and correspondence you expect to be private should not be surveilled, and neither should your browsing or purchasing habits. In a world of perfect trust, we could rely on others to respect our wishes. In the world we live in, we need to take measures to protect our privacy. A reasonable level of privacy is easier to achieve than anonymity. The primary means to protect the privacy of your data are encryption and appropriate security measures and access controls. Other measures to protect your privacy include measures to prevent corporations and governments from tracking your browsing or purchasing and building up profiles of you.
Privacy of your computer, devices, and hard drives
All your hard drives, computers, and devices should be encrypted by default, as well as any USB keys that you might use to store personal files. Encryption protects this information from being seen, and also from tampering. This is now very easy to do on Windows, OS-X, Linux, and Android. On OS-X, use the system’s FileVault option in system preferences. On Windows, use the system’s “BitLocker” whole disk encryption if available, or download the cross-platform open-source program Truecrypt and enable whole disk encryption. Truecrypt is generally more trusted than BitLocker and FileVault, especially after revelations of corporate collusion with the NSA, because it is completely open source and well vetted, whereas BitLocker and FileVault are closed source and require you to trust Microsoft and Apple. On Linux, at install time, most distributions allow you to choose to encrypt the system, and also choose the option to encrypt your home directory for good measure, which protects your personal data even if the system is on while you are logged off. In Android, encrypting the phone is an option in Settings → Security.
Limitations: Remember, encrypted hard drives are only protected when they are unmounted or powered off. The encryption only protects “data at rest”. If they are on and mounted, the encryption keys are held in memory, where they need to be available for decryption, and an attacker can siphon them if they have physical access to your computer. Encryption of hard drives is now so easy and transparent to the user that there is no reason why all hard drives should not be encrypted by default.
Protecting your data in the cloud
If you use a cloud service like Dropbox, Google Drive, or Amazon Cloud, remember that your data is only encrypted in transit (which can be intercepted). Otherwise you are trusting the company not to examine or turn over your data. In order to fully protect your data, you need to encrypt it on your computer before you send it to the cloud. There are many good tools for the job. On the Mac, Arq is a great tool that will encrypt your backups to Amazon’s S3 and Glacier services (be sure you understand Amazon’s pricing structures before using the service). Boxcryptor is a product that will work on Mac, Windows, or Linux, and allow you to store encrypted data on any cloud service. Savvy users can also use Truecrypt or the open source EncFS to create their own encrypted volumes and store them in the cloud.
Alternatively, you might try the new tool BitTorrent Sync, which allows you to sync files and folders between all your computers and mobile devices without relying on a cloud host, and uses strong encryption for transport. However, the tool is still new and hasn’t been fully vetted for its security yet.
Privacy of your email
In the 1990s, Phil Zimmermann wrote the email encryption program PGP for anti-nuclear peace activists to use. Subsequently, a free and open source version called GnuPG (GNU Privacy Guard) has become available for use on OS-X, Windows, and Linux. Once it is installed on Windows or Linux (installed in Linux by default), it is easy to use it with your regular email account in Thunderbird using the Enigmail extension. On OS-X, MacGPG comes with a great plugin for Mac Mail that also makes it very easy to use. There is also an extension for Chrome and Firefox called Mailvelope that allows you to use PGP with Gmail, Hotmail, and Yahoo! Mail. There is a learning curve involved in using email encryption, but it is not that steep and anyone can master it.
Email encryption relies on public key cryptography. Each user has a private key and a public key, and shares the public key with their correspondents. Emails are encrypted using the recipient’s public key and decrypted with the recipient’s private key. The public key encryption used in PGP relies on the difficulty of some mathematical problems, particularly the factoring of large numbers and the discrete logarithm problem. A newer kind of public key cryptography (which the NSA recommends that you use) is called elliptic curve cryptography, and involves a different mathematical difficulty. Although it is newer, faster, and uses smaller keys for the same strength of encryption, it is not yet widely implemented, and there are doubts about its security because of the NSA’s role in the development of some of its standards.
One thing to remember: the recipient of an encrypted email or chat can always forward the message onwards in unencrypted form, breaking the security chain. Therefore, you must trust your recipient and make explicit your expectations of privacy.
Some new projects are being developed in response to the NSA scandals that hope to bring user-friendly secure email to the masses, notably the promising Scramble.io and Mailpile, which are both currently in limited beta and under development.
Geek tips for encrypted email: choose the longest key length when generating your key that the program allows. In GnuPG, this is generally 4096 bits. If there is an advanced settings dialog, choose AES256 as the preferred symmetric cipher and SHA256 or SHA512 as the preferred message digest algorithm. Other public keys can be searched at public keyservers, such as pgp.mit.edu. Make sure that you know who you are writing to, and that the key you are encrypting to really belongs to them. The best way to do this is in person, or by exchanging key fingerprints over a separate channel, such as SMS or phone.
Protecting your chat privacy online and on your phone
One of the problems with email is that because of the way the protocol is designed, it is impossible to encrypt metadata like senders, recipients, and subject lines. This makes complete privacy very difficult to achieve except through hard to use services like the now defunct TorMail. Luckily, there are now some very robust solutions for online chat that do offer benefits that email encryption does not. The best known is OTR (Off The Record), a secure chat protocol developed by Canadian cypherpunk and math professor Ian Goldberg. It does not protect your metadata if you use it with your Gmail address, for example, but it does offer Perfect Forward Secrecy. It is available as a plugin for the popular Pidgin and Adium chat clients, which you can use with your Gmail account. It is also available as the Gibberbot and ChatSecure apps on Android and iOS. Remember, it is important to verify the fingerprint of the person you are chatting with on another channel besides the OTR chat (for example, text message or phone call), otherwise you are vulnerable to a “man-in-the-middle attack”. OTR is also the technology behind Crypto.cat, which offers user-friendly Chrome and Firefox apps that allow you to chat securely without needing to log in using a username and password. Note, only the 2 person chats use OTR; group chats use a less proven technology that I wouldn’t trust yet.
On your cellphone, there are now a range of pretty good options. There are PGP implementations like IPGMail for email, and there are secure instant messaging platforms like TextSecure for Android, Threema for Android and iOS, Wickr, the commercial service Silent Circle by the inventor of PGP, and the soon to be released heml.is. Note that some of these services, like Threema, make it very easy for the recipient to forward the chat over email, which breaks the security chain.
How encryption fails: In all cases, remember your password and the “security of the endpoints,” i.e. your computers, are probably going to be the weakest links. If you use the industry-standard AES256 cipher to encrypt your data, in order for the password to be as strong as the encryption used, you would need a completely random 39-character string using upper and lower case, numbers, and the full ASCII symbol set. A 20-character random password will provide you with 128 bits of entropy, which is probably sufficient. Anything shorter than 18 characters is not advised.
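The length figures above can be checked, and a password of the required strength generated, with a few lines of Python. This is an added example, not part of the original article; the alphabet definitions and function names are assumptions made here, and the 39-character figure only holds when the space is counted as one of the symbols.

```python
import math
import secrets
import string

# Alphabets (assumed definitions for this example).
# 52 letters + 10 digits + 32 punctuation marks = 94 symbols; adding the
# space gives the 95 printable ASCII characters.
NO_SPACE = string.ascii_letters + string.digits + string.punctuation
FULL_ASCII = NO_SPACE + " "
ALNUM = string.ascii_letters + string.digits


def bits_per_char(alphabet):
    """Entropy of one character drawn uniformly from the alphabet."""
    return math.log2(len(set(alphabet)))


def entropy_bits(length, alphabet):
    """Entropy of a password of `length` independent uniform characters."""
    return length * bits_per_char(alphabet)


def min_length(target_bits, alphabet):
    """Shortest random password that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / bits_per_char(alphabet))


def generate(length, alphabet=NO_SPACE):
    """Draw a password from the OS CSPRNG via the secrets module.

    The entropy figures only apply to output like this: every character
    chosen independently and uniformly, never picked by a human.
    The default alphabet omits the space because some login forms trim
    leading or trailing whitespace.
    """
    symbols = sorted(set(alphabet))
    if len(symbols) < 2:
        raise ValueError("alphabet needs at least two distinct symbols")
    return "".join(secrets.choice(symbols) for _ in range(length))


def length_table(targets=(128, 256)):
    """Minimum lengths for each alphabet and target strength."""
    alphabets = {"95 printable": FULL_ASCII, "94 no space": NO_SPACE,
                 "62 alphanumeric": ALNUM}
    return {(name, bits): min_length(bits, chars)
            for name, chars in alphabets.items() for bits in targets}


if __name__ == "__main__":
    for (name, bits), length in sorted(length_table().items()):
        print(f"{name:16} {bits:3}-bit target -> {length} characters")
    pw = generate(20)
    print(f"sample: {pw!r} ({entropy_bits(20, NO_SPACE):.1f} bits)")
```

Dropping the space costs one extra character at the 256-bit level, and restricting the password to letters and digits costs two extra characters at the 128-bit level.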
Encryption can also fail because of poor implementations, mathematical breakthroughs, untrustworthy people you have trusted, or someone breaking into your computer systems. Therefore it’s important to understand the limitations of the technology and the concept of future-proofing: choosing a system that will likely remain secure for many years to come.
If at all possible, avoid use of 1024 bit keys, elliptic curve cryptography based on NIST curves (Curve25519 is suggested instead, as implemented in NaCl), and avoid use of RC4 as a stream cipher if you know how to avoid it. Recent advances mean RC4 and 1024 bit public keys must be presumed compromised at this point, while there are many doubts about the security of elliptic curve cryptography based on NIST curves because of the influence of the NSA on selection of the constants.
In addition to encrypting your data, it is important to protect your general privacy online, which is violated by shadowy companies like Acxiom that track your identity and behaviour and sell the information onwards (including to governments). A good place to start is the Electronic Frontier Foundation’s 4 Simple changes to protect your privacy online. In addition to the four steps recommended there, I recommend installing the tracking prevention tools from the good people at Disconnect.me, as well as the tools Collusion for Chrome and Firefox. One other thing you should do is take control of your Facebook privacy settings.
You can also use a virtual private network (VPN) service like ProXPN or PrivateTunnel to prevent your internet service provider from spying on you. These also allow you to use the internet safely on open wifi hotspots. Make sure that your VPN provider supports OpenVPN, which is the strongest VPN protocol and now the standard.
Security is broadly about protecting the integrity of your computer and information systems, just as you also protect the integrity of your home and your person by taking appropriate precautions. Along with crappy passwords, poor security is probably your biggest vulnerability. Unfortunately, computer systems are complex and require a lot of vigilance and knowledge to maintain at a high level of security, so even people who know how often don’t bother, because it’s inconvenient. While there are very few things you can do to protect your computer from an adversary who has physical access to it, there are a few simple things that almost anyone can do to be much more secure from remote threats online.
For Windows users, Brian Krebs has a useful guide to the basics that is also generally useful for Mac and Linux users. The most common security problems are: software that is out of date; dodgy software; browser based exploits which can be hidden on websites you visit, or the ads they host. Luckily, it’s easy to mitigate these risks.
Stay up to date on all software, especially high risk software like the system and internet-facing programs like the browser, Flash, Acrobat, and email clients, as well as Microsoft Office. Most operating systems allow you to enable automatic updating. On Windows, it is a pain because each program’s updater runs separately and all of them together tend to slow down the system. That’s why Secunia’s Personal Software Inspector is such a great tool for Windows users. Linux, Android, and iOS are the easiest platforms to update. Windows and OS-X may require you to update each program independently, but it’s still important to do so.
Only install trustable software and only software you need; avoid pirated software and software from obscure or dodgy sources on the internet. If you don’t need it, don’t install it. If you no longer need it, remove it.
Use a password manager like LastPass, 1Password, KeePass or PasswordSafe to generate secure, random passwords for all your accounts and to store them. Most of them have the ability to store notes and other files, and allow you to securely share these with others. You must use a secure, long password that you can remember as your master password, which will be the only password you need.
Browse the internet using a secure platform. One solution is to use separate platforms for your sensitive browsing, such as banking, and your open browsing on the internet. Some suggest using a Live CD or USB stick - basically a CD-ROM or USB stick with a full read-only Linux operating system on it that will reboot in pristine state every time you start up from it. Most Linux distributions can be burned to a CD or DVD and run as live systems. Ubuntu is probably the most user-friendly. Some, like Tails, are designed to be secure, anonymous, and booted from a USB key. Google’s Chromebooks are probably the most secure consumer computers on the market, and they are perfect for anything that you can do in a browser or with a Chrome app. They are very secure by design, update automatically, and if the firmware detects changes in the system on bootup, it will automatically repair any damage. Chromebooks will protect you from attacks by criminals and random hackers, but won’t do anything to protect your data if Google is legally compelled to provide it.
Enable two-factor authentication wherever you can. I use YubiKey with my LastPass account, and Google Authenticator with Gmail, Dropbox, Outlook.com, and any other service that supports it. YubiKey is a very small and highly tamper-resistant USB device that sends a cryptographic token to a web service to authenticate the bearer. Google Authenticator runs on your phone and generates time-based passwords from a shared secret. Facebook and Twitter also have their own second-factor systems. Although not a foolproof system, it greatly increases your overall security and means password breaches alone will not give an attacker access.
Secure your wifi router by disabling WPS, changing the default admin password to something random and secure, making sure the wireless security type is WPA2 and that you are using a long random password, and turning off UPnP unless you know you need it. The very security conscious may want to put their own router with custom firmware like DD-WRT with OpenVPN support between their network and their ISP’s router, since there is very little transparency about how ISPs use the privileged access their proprietary routers provide to home networks.
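How a time-based password is derived from a shared secret, and how the service checks it, is shown below as an added example that is not part of the original article. It follows the public TOTP standard (RFC 6238, built on HOTP from RFC 4226) with the common defaults of SHA-1, a 30-second step and 6 digits; the key is the RFC's published test key, and the function names are chosen here.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 published test key, not a real secret.
RFC_TEST_KEY = b"12345678901234567890"


def decode_secret(b32_text):
    """Authenticator apps show the shared secret as base32, often in
    lowercase groups separated by spaces; normalise and decode it."""
    cleaned = b32_text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped padding
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC the 8-byte counter, then dynamically truncate."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key, at=None, step=30, digits=6):
    """RFC 6238: the HOTP counter is the number of steps since the epoch."""
    at = time.time() if at is None else at
    return hotp(key, int(at) // step, digits)


def verify(key, submitted, at=None, step=30, digits=6, window=1):
    """Server-side check. Accepts codes from `window` steps either side
    of now to tolerate clock drift, and compares in constant time so the
    response time does not leak how many digits matched."""
    at = time.time() if at is None else at
    counter = int(at) // step
    ok = False
    for drift in range(-window, window + 1):
        if counter + drift < 0:
            continue
        expected = hotp(key, counter + drift, digits)
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            ok = True  # keep looping so every call does the same work
    return ok


if __name__ == "__main__":
    key = decode_secret("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    print("code now:", totp(key))
    print("RFC vector at t=59:", totp(key, at=59, digits=8))
```

Because both sides hold the same secret, the service must store it in recoverable form, so a breach of the service's secret store exposes the second factor in a way a breach of password hashes does not.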
Some more esoteric measures to protect yourself. EMET is a tool from Microsoft that prevents certain kinds of exploits on Windows. You have to enable it for each application that is not supported by default, but this doesn’t take much time. Windows power users should also explore and learn how to use the Local Security Policy editor. One of the best ways to secure your Windows system is application whitelisting using AppLocker. There are other things the paranoid can do, for example, tightening up controls on USB using the Local Security Policy editor so that programs can’t be run from a USB key; whitelisting USB devices so that only trusted devices can be used - this prevents attacks by malicious devices pretending to be keyboards. OS-X users should set a firmware password to prevent attacks siphoning passwords from memory over FireWire and other ports with direct memory access. Linux users should use some type of mandatory access control system like AppArmor, grsecurity or SELinux if you trust it (SELinux was developed by the NSA). Finally, you can change the default DNS settings on your router to use OpenDNS or Google’s DNS servers, so your ISP is not logging all your internet address lookups. Better yet, use an encrypted DNS lookup tool like DNSCrypt, which prevents snooping of your internet lookups.
If you are doing anything really sensitive - like Glenn Greenwald or Bruce Schneier, or activists living under repressive regimes - you might need to use a separate computer for some functions, one that is “air-gapped”, that is, never ever connected to the internet. Of course, such a computer will also require you to ensure a level of physical security that is not practical for most people.
Anonymity obscures identifying information about you: who you are, where you are located, and so on.
Who may need anonymity: whistleblowers, leakers, activists, artists, and journalists living under repressive regimes (which may also include liberal democracies).
How to achieve it: Measures to achieve anonymity online typically focus on hiding your network location (your IP address), and the primary technology used for this is the Tor network. This is a network originally designed by the US military that bounces your information from one randomly selected relay to another before sending it to the final destination. The routing information and data being sent are encrypted in envelopes or layers like an onion (“Tor” is an acronym for “The Onion Router”). Each layer is decrypted by a node before it passes the other envelopes onwards. Only the final Tor node in the circuit, the “exit node”, actually knows the real destination of the data. It can also see any data that has not been end-to-end encrypted by you (e.g. using https in the browser or PGP in email). The destination server (the site you are trying to visit) only sees the Tor exit node as the source of the data and does not know your location. Only the very first node knows your location, but it does not know the content of your data or the final destination. Tor can also be used to run “hidden servers” that are inaccessible on the ordinary internet, and can only be accessed via the Tor network.
How to use it: By far the easiest and most common way to use it is to use the Tor Browser Bundle. This comes installed with useful plugins like NoScript, which you should be sure to immediately change to block all scripts by default (and selectively allow scripting only when you need it). As always, be sure that your software, including the Tor Browser, is completely up to date. There are bespoke implementations of Tor, such as Strongbox, which is the New Yorker’s system for whistleblowers and sources to submit information anonymously. Tails is a system on a thumb drive that is preconfigured to use Tor securely.
Remember, your hardware can also be used to identify you if information about it leaks to the internet. If you bought it online or at a major box store, or if you also use it in non-anonymized mode, it may be possible to associate your “anonymous” usage with you.
Anonymity is probably the very hardest thing to achieve on the internet. (I myself have never used Tor, except to experiment with it.) We are not only tracked online, but through our credit card and loyalty card purchases and other financial information, not to speak of CCTVs and ubiquitous “citizen surveillance”. If you went to the extreme to achieve online anonymity, you would have to buy a cheap commodity computer with cash from a small store you had never shopped at, a store without sophisticated inventory tracking, and in an area you do not frequent. You would never use it for anything but Tor activity, and you might only use it a few times, or in the extreme, once. You would not use it for more than one “contextual identity” because two or more can be correlated and identify you. Even then, there might be unknown software flaws that can be exploited to expose you, or you might make a mistake and expose your true identity or location on the internet. Anonymity online is very difficult to achieve, and in general the technology to achieve it imposes a performance burden on online activity that most people will not be able to put up with (Tor is slower than non-anonymized internet traffic, partly by design: it introduces jitter to thwart traffic analysis). However, for some people - for example, activists living under repressive, authoritarian regimes - it is still much better to take measures towards anonymity than not.
Tor, along with widely available and easy to use VPN services like ProXPN, StrongVPN, or PrivateTunnel, can also be used to circumvent censorship.
Useful Resources to Stay Informed
Bruce Schneier’s blog is one of the best sources on computer security and privacy on the internet. Schneier is a respected cryptographer and independent thinker who is also passionately principled.
Brian Krebs’ blog is a good source of information on criminal hackers and malware threats.
Wired’s Threatlevel is a good source of news on security, privacy, and surveillance issues.
The Electronic Frontier Foundation is at the forefront of defending individual and social rights online and always has useful information and tools.
Boing Boing is a blog that features the writings of well known privacy and openness advocate Cory Doctorow and others.
Security Now! is a podcast by well known security expert Steve Gibson that digests the week’s security news and breaks down important security topics, usually in a fairly accessible way.
Democracy Now! is one of the few news outlets that has always covered surveillance issues in depth.