Cybersecurity for the Trumped

11. Carrying devices and data across borders

Thu, 16 Feb 2017 21:06:04 GMT

This is not an article. That's because I haven't written the article yet. It may be the hardest thing for me to write about so far, because things are changing so rapidly and so much is currently unknown. What is known, however, is that crossing the US border in either direction can result in unprecedented attacks on your privacy.

US border agents get to ask you a lot of things. You get to refuse to answer. But then they get to detain you for an unlimited time, or simply block you from crossing the border. They may ask you to give the names of your social media accounts; they may also ask you for the passwords. They can ask you to unlock your phone or computer so they can look through it. And they have software that can extract a whole lot of data in a short time.
In other words, they can get a very intimate snapshot of your contacts, your conversations, your interests, your friends, your job, your love life, your past... in short, your life. They can also get a lot of information about the people you know, who aren't even present.

I've not written the article but I've started gathering information. And this is too important to wait. So I'll just go ahead and give you the links I've found so far, and add more as I find it.

New, and probably the most reliable information out there:

Digital Privacy at the U.S Border: A New How-To Guide from EFF

Updated with more links on February 25, 2017.
Added the new EFF guide on March 9.

Back to Index

comments

10. Instant messaging and chat

Wed, 08 Feb 2017 14:54:26 GMT

Many of us like to stay in touch with others in real time. For that purpose, we have a lot of tools that we can use. Some of them are safer than others. Let's look at some popular ones...

Twitter is very popular and not private/secure in any way. Assume that anything you tweet is public.
IRC has been around for a long time. It's still used by many. It's not secure unless you use OTR (Off The Record).
Facebook Messenger... well, it's Facebook. Not secure in any way.
WhatsApp is encrypted, but the metadata is still logged, and says more than the actual conversations; also, it's owned by Facebook.
Google+, Google Hangouts, Gchat... it's Google. Avoid.
ICQ and Yahoo chat? Not secure.
Skype is popular for voice and video chat. But it's owned by Microsoft nowadays. The calls are encrypted, but there's that pesky metadata thing again. So it's not really secure.
SMS (text messages) are not secure at all.

So what are the better options?

Signal is well-known for being recommended by Snowden. It does voice chat as well as instant messaging. Can be used on smartphones and desktops.
Telegram is a cloud-based mobile and desktop messaging app with a focus on security and speed. It works on many platforms and also in your browser. I like this one.
Hoccer is a privacy-conscious messaging and file sharing app for smartphones.
Confide is a messaging app for smartphones and Windows and OSX computers; it's hyped to be very secure (messages cannot be kept). But it's closed source, so who knows, and some experts say it's not great.
Tox is another good option that works for messaging, voice and video chat. There are clients (= software) available for all platforms.
Ring serves a similar function. It also allows group chats (teleconferencing)
Linphone: same same.
And if you do not want to download or install anything or get an account, there is always Talky video chat which can simply be used on the web. Set up a 'room' by choosing a room name, send the other person the URL for your room, and you're off.

So which one do I use?

The one you can get your friends or family to use.

A note on the technical side of all of this

We need to distinguish between two things when talking about chat/messaging software: there's the software and there's the protocol.
Just like PDF documents can be opened with Adobe Reader, and many people assume that this is the only option... but in reality, there are lots of different programs that can open PDFs. Likewise, there are different programs that can handle different protocols, and even programs that can handle a whole lot of them!
For example, I use IRC, ICQ and Telegram, but I don't want three programs running on my laptop all the time. So I use multi-protocol messenger software, that can handle all three of these and more.

Some good multi-protocol programs are:
Pidgin (for Linux, Windows, OSX)
Miranda IM (for Windows)
Adium (for OSX)
These are mainly meant for laptops and desktop computers. On a smartphone, a dedicated app is generally the better option.

Some instant messaging protocols are:
ICQ, IRC, Gadugadu, AIM, AOL, XMPP, Bonjour, Telegram (has OTR feature built in).

If you want secure instant messaging on a protocol that's not inherently encrypted, look into adding an OTR plugin.

Further reading (and even more apps) in this article in the New York Times.

Back to Index

comments

FamilytreeNow: doxxing made easy

Mon, 16 Jan 2017 19:58:33 GMT

A reader of my other blog (thank you!) recently brought this article to my attention:
You’ve probably never heard of this creepy genealogy site. But it knows a lot about you. I'll just chill here for a while and give you the time to read it...
...
...
...
...
... Done? Good. Creepy, isn't it? I'd say so. As the article points out, the FamilytreeNow website lists information that's already public, but it makes it a whole lot easier to access; it effectively makes it child's play to doxx someone. Doxing or doxxing means to make information, especially about someone's true identity, home address, phone number and so on, available against that person's wishes, so that they are now more vulnerable to harassment, violence and other nasty stuff.

This site only seems to have records about people who live in the US. If you do, you are probably listed. This is an inherent risk to your privacy and personal safety. So my advice is: go to the site and find your own listing, and once you do, opt out. This is where you go to do that.

This is not the only site of its kind but it's unique in that anyone can look up anyone's info without even registering. But if you find similar sites, let me know so I can add their links too.

Back to Index

comments

Some good articles on cybersecurity (in progress)

Fri, 06 Jan 2017 14:06:27 GMT

Here are some good and relevant articles that I found. In fact, for now it's just one but I'll be adding more.

Salim Virani: Get your loved ones off Facebook

Back to Index

comments

9. VPNs

Thu, 22 Dec 2016 13:29:15 GMT

Time to write about VPNs. VPN means Virtual Private Network. Using a VPN is one of the best ways to improve your online privacy and security. There are many tutorials out there on how to get started with that, but most of them are trying to steer you towards a certain provider; there are also good and neutral articles. I will provide links to them later.
But first, since I'm writing this for people like my mother, who is plenty smart but not super well versed in technical stuff (hi mom!), I will explain how VPNs do what they do.

How it works

Let's imagine the internet like a village. It has streets, houses and stores. Just like in any village, people in your neighbourhood can see what goes on there.
Let's say that one fine day, I want to go out for a stroll and visit the sex shop at the other end of the village. This is something I probably don't want everyone to know! Because when I return with a big bag of none of your business, printed in bold bright letters that say 'Ye Olde Sexy Shoppe', my neighbours will probably see me.

One of them is the janitor (my ISP), who, when asked, reports my comings and goings to the mayor... who may very well have strong opinions on what the villagers should and should not be buying.
Another is a store owner, who would probably start shouting at me: "Wouldn't you like a bottle of wine to go with that? Maybe these candles, or some chocolate? How about these flowers? Perfume? Lingerie?"
A third one might be a burglar, who notes down where and when I shop, in order to mug me or rob my house later.

So I sign up with the VPN store. I pay them, and they dig a tunnel from my house to their store. I leave my house through the tunnel. This is great! The neighbours can't see who is walking there. I'm strolling along through the tunnel without a care. The only problem is, I'm underground and I want to visit stores that are on street level. So I need to come up.

For that reason, I walk straight to the VPN store. The greeter says: "Welcome! You gave me the secret handshake, so I know that you are one of our customers. Here's a coat. Right this way, please!"
I enter the store and put the coat on. I walk out the back door onto the street and to the sex shop, and to all the other places in the village where I may want to go! No one, not even the janitor, saw me leave my house: I popped up from out of nowhere behind the VPN store, and I'm wearing a coat with my VPN provider's name printed on it, so I have more privacy. You'd have to take my fingerprints to recognise me. The greeter doesn't care what I do, and ideally does not keep a log.

When I walk back home, I go back through the tunnel, for the distance from the VPN store to my house, carrying all my bags full of none of your business. (I should probably draw some pictures of all of this, it won't make things clearer, but it might be fun.)

Translated back to the internet, this means:

Your VPN service accepts encrypted traffic from your computer to their servers (we call them endpoint), because you're their customer. You'll need some kind of software in order to do this encryption; they will generally provide this and make it easy to use.
Your connection to the internet will then go through their servers and be shielded.
This is especially great when you are using public WiFi, because in that case you may not even know who is acting as your ISP by providing you with internet access. Using a VPN here is a big deal and makes your browsing much more secure!

What it does... and doesn't do

Using a VPN does not make you fully anonymous. Of course, when you log in somewhere, you are then known by that identity. But your system can also be recognised by its fingerprint. Still, a VPN does hide your IP address and also your physical location and this adds a layer of privacy and security to your browsing.
Using a VPN does not protect you from fake websites or malware. But it does protect you from man-in-the-middle attacks that happen 'in your neighbourhood': if you are connecting to a free WiFi that's not actually run by who you think is running it, or if someone is listening in on your WiFi connection, they get only encrypted data from you.
Using a VPN can make it possible to use websites that are otherwise blocked to you because of your location (geoblocking). If that's what you're after, choose a provider that has endpoints in the location where you wish to access content, or at least a 'friendly' location that has this access.

How to get started

You get started by picking a provider. They'll tell you what to do. They want to make this stuff easy for you, because they want you as a customer.

How to choose a VPN

Most VPNs are probably better than none at all. Still, you usually get what you pay for. While there are some free VPN providers, they are generally not reliable. And since it's not easy to check how well they do what they say they do, it's probably better to pay a few dollars and have more peace of mind. Some things to look out for:

Make sure they offer support for the OS(ses) that you are using! Don't forget your mobile devices.
Make sure they do not keep logs. Read their statements on this.
Make sure they are using up-to-date technology. Find out whether they support OpenVPN. This is software that runs on your end and handles the encryption, and it's open source and probably the best option that is currently available. It runs on multiple platforms.

Here are some articles to help you choose.

EFF makes no recommendations but has a great outline on the basics. I would start here.
Choosing the best VPN for you goes into great detail... for some of us, too much detail. But it's good stuff, so give it a try.
How To Geek is very thorough on this, as well.
PC Mag has a nice table and a decent looking article.
Torrentfreak: Which VPN providers take your anonimity seriously?
If you're really picky (and why shouldn't you be?) check out this list on privacytools.io

This blog post was edited on December 23 based on feedback from savvy friends. Thank you, KdB and Stoneshop!

Back to Index

comments

8. Smartphones

Thu, 08 Dec 2016 21:20:14 GMT

I'm about the least likely person to write about this, because I do not own a smartphone. But someone has to do it, so I'll go ahead and do it. I'll be doing research as I go along, and cite my sources for you to peruse if you want to. As always, keep in mind that corrections and additions are welcomed.

So. Smartphones. Almost everyone in the industrialized world now carries one of these palm-sized computers with them. And they are a great way to keep track of people. It's a lot like Orwell's vision of the surveillance state of the future, with one big difference: we don't have to be forced to wear a tracking device. We do it by ourselves, because it's convenient and fun and offers a lot of options that we really want. Here's what your smartphone can reveal about you.

What kind of information is being collected? By who?

Your telecom provider is, at the very least, keeping tabs on the following:

Incoming and outgoing calls: the phone numbers you call, the numbers that you receive calls from, and the duration of the call;
Incoming and outgoing text messages: the phone numbers you send texts to and receive texts from;
How often you check your e-mail or access the Internet;
Your location.

Not all providers keep your data for the same amount of time. Check this article. Oh, and if you're not excited about the Trump presidency, T-Mobile may not be your provider of choice.
Other parties who may be privvy to your information:

Retailers can nowadays follow you through cameras, using face recognition, and combine that information with the MAC address of your smartphone which can, in many cases, be linked to a specific individual. The difference between Bluetooth-tracking beacons and Wi-Fi tracking systems is that the modern smartphone leaves Wi-Fi on, even when manually switched off for data connectivity, as a way of pinpointing its location. Source.
If you're using the Facebook app, Facebook has access to:
- Your contacts, including modification and adding or changing calendar events. They know who is in your phone and can contact them.
- Your exact location. They know where you are at any time.
- Your camera, including taking pictures and videos at any time, as well as recording from the microphone. They can get at anything you’re saying or looking at.
- Your text messages, your calls, and can call phone numbers. They can see who you’ve contacted recently.
- Your internal storage, including permission to delete anything. They can see the files on your phone.
- Full Internet access anytime, changing your wallpaper, opening up over other apps, and downloading files. They can make little tweaks without your knowledge.
- When posting a status, the app can determine what song you’re listening to or what TV show is on in the background, and tag your status with this information. Source.
Many different apps send location information and other data to third parties. That includes things like games and flashlight apps.
If you're using Chrome as your mobile browser, Google has access to your browser history, open tabs, passwords and more.

Settings

Lock down your phone's security settings. Here's how.

Apps

Apps are what makes a smartphone a smartphone: it can run software, programs, applications, in one word: apps. These apps need permissions to do things; a browser, for example, needs permission to use the internet. Permissions are the only layer of defense between your phone and an app. If an application has malicious intent, all you have to do is allow it on your phone with invasive permissions to create problems.
Never give permissions to an app without at least reading what they are, and thinking about what that means. Try to understand the permissions required by the app: is there some legitimate reason or is something malicious happening in the background? To give an example, a calculator or torchlight application shouldn’t be requesting access to your contacts. Likewise, many applications shouldn’t be requesting your GPS location: it could potentially give away when you’re not currently at home (useful information for anyone breaking into your house). If you’re not comfortable with the permissions being requested, it’s always best to cancel the installation. Source.
Here's a guide for Android. Here's one for iPhone.

The risks of free WiFi

Using public WiFi isn't unlike having a conversation in a public place: Others can overhear you. If you don't take precautions, information your devices send over a public WiFi network goes out in clear text — and anyone else on the network could easily take a look at what you're doing with just a few simple software tools.
Someone spying could easily pick up your passwords or other private information. If you use the same password on multiple sites, that could be a big problem. (But you should not be doing that anyway.)
The next potential problem is what is called a honeypot. Thieves might set up their own WiFi hotspot with an unassuming name like "Public WiFi" to tempt you to connect so they can grab up any data you send. These are easy to set up without any kind of special equipment — it could be done just using a laptop or smartphone — so you could run into them anywhere.
Finally, using public WiFi puts you at risk for session hijacking, in which a malicious hacker who's monitoring your WiFi traffic attempts to take over an open session you have with an online service (like a social media site or an email client) by stealing the browser cookies the service uses to recognize who you are. Once hackers have that cookie, they can pretend to be you on these sites or even find your login and password information stored inside the cookie. Source.

When you're using a public WiFi:

Make sure you know that you are connecting to the right WiFi hotspot and not one that has a similar or generic-sounding name. And read the terms and conditions.
Check that you are using HTTPS by looking at the URL of the site you are connecting to. Also check the spelling of the URL itself.
it’s better to use a mobile browser than an app, because browsers are more fussy when it comes to checking and verifying these HTTPS connections. Essentially, apps can be accepting bogus security credentials without your knowledge, and that’s a problem if you’re doing something important like online banking or buying stuff online. Source.
Use a VPN. More about that here.
Use two-factor authentication wherever possible.
If you want to be extra careful, avoid doing anything over public WiFi that needs you to enter a password.

Avoid the Facebook app

From a viewpoint of privacy, Facebook is one of the worst offenders. The Facebook app, doubly so. So if you cannot live without Facebook, at least don't use it through the app; instead, view it inside your browser of choice. Or for a nice compromise: use a wrapper app like Tinfoil or Metal (Android).

Messenger apps

Whatsapp is a very popular messenger app for smartphones. The good news is that it's lately been made to use encryption; the bad news is that it's owned by Facebook, who of course still gets the metadata (who are you talking to, when and how often?)
A good alternative that's been getting a lot of attention is Signal. And another good option is Telegram. Both of these offer encryption and are free, as well as ad-free!

Going off-grid

If it makes you uncomfortable to be tracked so closely all the time, go off-grid now and then. It's a good idea to switch your smartphone off when you're not using it; unfortunately, that's not always enough anymore. Modern smartphones never turn off completely and you can't always take the battery out anymore, either. A good way to cut off all information to and from the device is to put inside a signal blocking pouch! Complete how-to here.

It's also a smart option to split your phone use off from your smartphone use. You could get an old-fashioned 'dumbphone' and use that to make calls, while reserving your smartphone for browsing on the go. Compartimentalization again. Non-smartphones are often sold as prepaid phones in bigger electronics stores; make sure you are getting a simlockfree phone. Bonus: many of them have really long standby times!

Phones and OSses

Which smartphones are the most private and secure? Read more here.
It seems pretty clear that Androids are the least secure, since you're always giving a lot of data to Google and cheaper Chinese Androids may also send data home to the manufacturer. Older versions of Android are worse than up to date ones.
iPhones may be slightly better since Apple is mostly in the hardware business, advertising: not so much. iPhones are also fairly hard to hack.
Windows phones are not too bad either, for similar reasons.
Alternative OSses are probably a step up: Firefox OS (but as a phone OS, that project is dead in the water), Sailfish, Cyanogenmod if you like to tinker. If you're really, really serious about all of this, get a Blackphone.

Back to Index

comments

7. Facebook

Thu, 24 Nov 2016 11:24:11 GMT

Facebook is a problem. Privacy-wise, it's riddled with concerns, but it's so embedded in many people's lives that it's hard to uproot. I have never used Facebook, so everything I'm going to write below is second-hand; please correct me where needed.

Why worry about Facebook?

Here are some reasons why many people feel that Facebook should not be trusted with the details of your daily life.

First off: Mark Zuckerberg is a jerk. He does not respect his users; their privacy, even less so. He's called his users 'dumb fucks' for trusting him. Does that offend you? It probably should.

Secondly, privacy settings on Facebook change all the time. They can't be relied upon. If there is something you're not ready to share with the entire world (under your real name,no less), you should not be sharing it with anyone through Facebook.

Facebook is not designed to show you what you want to see. It's designed to keep you clicking around within the Facebook walled garden for as long as possible. It is, in fact, designed to be addictive. That shouldn't be a surprise, since many websites are.

Facebook tinkers with your emotions in ways that aren't good for you. It actively makes people unhappier.

Facebook stores ridiculous amounts of data about its users and probably never deletes it, even after you close your account.

Facebook builds a very detailed profile of you, based on your behaviour both on the site itself and on other sites, and uses that for targeted advertising. It also sells this information.

That's right: Facebook tracks your surfing even when you're not on Facebook. If you click a 'like' button anywhere on the web, that is of course recorded; if you don't click it, that's fine too. The fact that it's shown in your browser at all is enough to track your online behaviour.

Facebook gets information from Google searches that lead you to specific companies' websites. Those companies don't just know you visited their website, they know what you searched for that led you there. And now they can follow up with you on Facebook. All for your own convenience, mind you.

Facebook is keylogging your status updates as you type them. So even if you decide never to post them, they're being stored.

All this data is in the hands of a US based company. The US government, or any random cybercriminal, can certainly gain access to it. If you don't want to be spied on, don't use Facebook, not even if you're in Europe. EU laws don't protect you.

Getting away

So if you don't want to use Facebook, what other options are there? No worries, it's a wide, wide Web out there. Here are some options, depending on what you use Facebook for. Whether these options work for you, also depends on why you want to get away from Facebook. Always check who owns the platform you're considering joining. This can change rapidly and dramatically!

Part of this information comes from here.

LinkedIn: A professional social networking site with approximately 347 million users worldwide. Good for maintaining professional contacts with colleagues, clients, and others, LinkedIn can also be used for finding jobs and recruiting employees. Now owned by Microsoft.

Twitter: While smaller and more narrow in focus, Twitter is hardly an also-ran. At last count, it boasted over 284 million active users and 500 million tweets a day. It is growing at least as fast as Facebook and is causing quite a lot of waves with a well-publicised role in revolutionary movements in Egypt, Iran, and other countries. Here is information about staying safe as an activist on Twitter.

Pinterest: This platform revolves around the concept of "pinning" interesting photos, web pages, articles, and other content onto virtual noticeboards, then sharing them with people. You can create different pinboards for different interests, events, collections, or whatever you want. You can view things on other people's pinboards and repin them on your own. Pinterest has over 72.8 million users and is growing rapidly.

Instagram: This isn't just a social network, but it is being used as one by many. It's an online mobile photo-sharing, video-sharing, and social networking service that lets users to share images, videos, and words. Instagram says 300 million people use its photo app every month, with 70% of them coming from outside the US.

Tumblr: Tumblr is part blog and part social networking site. Users can create their own blogs and follow others' in a similar way to social networks. Last I checked, it had 420 million users, probably 30-50 of which are active, and 217 million blogs.

MySpace: Originally the big name in social networking, it is most popular with young people and has 50.6 million monthly active members. Following a re-branding, it is now a music-orientated site targeted at young people.

Tagged: A social networking site with approximately 100 million users (but no clear data on how many are active), it is now also known as if(we). It was the subject of significant controversy in 2009 for allegedly using member's email accounts to repeatedly send invites to all of their email contacts.

LiveJournal: Used to be a very popular blogging/networking site, that is still used by many groups in fandom. Currently in Russian hands, and not advertising-free. Faded glory, but still quite usable. But: hosted in Moscow, so don't consider it private or safe.

DreamWidth: Forked from LiveJournal years ago, and the better alternative if you ask me. Popular with fandom, but also good for keeping an online diary that can be as public or restricted as you want it to be. Ad-free, free to use and founded in high ideals.

Diaspora: This is a nonprofit, user-owned and distributed social network that gives you full ownership and control of all the data, photos, writing, etc. that you post. This is in direct contrast to Facebook, whose policy is to use your data and posts however it likes.

Ello: Created by a small group of artists who'd grown tired of clutter, negativity, data mining, and ads. You won't be forced to watch videos or see ads. Instead of being the intended facebook killer, it found its niche as a thriving, supportive portfolio service for digital artists.

Path: A social network that limits you to 50 friends. The idea of this is to allow you to interact with and share your photos, thoughts, and your life, really, with only the people you are closest to.

MetaFilter: Metafilter is a weblog that anyone can contribute a link or a comment to. This website exists to break down the barriers between people, to extend a weblog beyond just one person, and to foster discussion among its members. Also has subsites like AskMefi and FanFare (discussion of popular media like films and books). Good moderation. Good place to find activists.

Reddit: A social news aggregation, web content rating, and discussion website. Reddit's registered community members can submit content, such as text posts or direct links. Registered users can then vote submissions up or down to organize the posts and determine their position on the site's pages. Beware of the dark corners, not all of this site is safe/pleasant.

Medium: in its own words, a place where everyone has a story to share and the best ones are delivered right to you. Every day, thousands of people turn to Medium to publish their ideas and perspectives. Leaders. Artists. Thinkers. And ordinary citizens who have a story to tell.

BookCrossing: a worldwide community of book lovers, who want to make the world into a library by leaving books behind in public places, for others to find.

Sticking around

If you feel that Facebook is something you can't do without, there are still ways to cut down on the tracking and the data gathering. As always, the more of these you can do, the better it is. But even doing just one of them is already an inprovement.

Go through your privacy settings with a fine-toothed comb. Some tips here, here and especially here.

Harden your browser. Install NoScript (or a different blocker) and disallow Facebook scripts.

Have a separate browser (or browser profile) for all your Facebook activity. Allow Facebook scripts only in that one.

Don't use the Facebook app on your phone. If you must use Facebook on your phone, do it through a browser. The app is notorious for spying on you. Keep in mind that your smartphone knows exactly where you are

Follow the guidelines posted here.

Bonus link!

This browser add-on probably doesn't make Facebook safer, as such, but it seems like it could make it more pleasant and at least better for your mental health: FB Purity.

Back to Index

comments

6. Getting away from Google

Tue, 22 Nov 2016 13:32:05 GMT

Why?

First of all, why would you want to avoid Google? Well, there are several reasons...

Google offers a lot of services, so they collect a lot of different data from different sources.
Google connects all the data from these services into a very detailed profile, meant to advertise at you with more precision. This is their whole business model and they're very good at it.
Google is quite willing to share this profile with the US government. They only need to ask.
Google has been known to break promises about privacy and data retaining policy. Here's the most recent case.
They also are known never to delete any data.

Need more reasons? I sure don't.

How?

How can you get away from Google? There are lots of things you can do. Any of the items listed below will decrease the stream of data that flows from you to Google. The more you can do, the smaller it gets.
Most of their services have decent alternatives; some are so good you'll be happy you jumped ship. But before you do, clean out all that you can.

Check to see if your web history has been recorded by Google. If so, you need to wipe all of it. Do the same with your location, which Google very kindly keeps a record of just for us.
Next up: YouTube. Go to YouTube and click both Clear all watch history, and Pause watch history. From now on, when watching YouTube, do it when logged out of Google, as with all your browsing. If you need to log into your Google account for some reason, do that in a separate browser, and log out after use.

Stop using Google for searches

This is easy. Start using a different search engine, and set your browser to use the new one as the default. Google listens in on your searches, doubly so when you are logged into a Google account (so don't do that in your normal browser). Here are some privacy-conscious search engines.

DuckDuckGo
StartPage <--- my personal favourite
Ixquick
Qwant
Blekko

Stop using Google Docs

Google Docs is pretty great, which makes it seem like it's hard to quit. But here are some alternatives. Some of them are hosted outside of the US: always a plus.
What we're looking for: online collaborative document editing and sharing, with the possibility of keeping documents hidden from those who aren't logged in. It needs to have some formatting options, and to have some kind of protection against data loss through accidental simultaneous editing. It would be great if it were something that can be viewed and used inside a webbrowser. It would be nice if it were free!
Etherpad is great for quick editing of simple documents in groups, in real time and with no editing conflicts.
Here's Zoho. Here's Evernote. Here's ThinkFree.
Mailfence is in Belgium, privacy-oriented, and may be your one stop shop for docs and email.
You could also possibly make do with LibreOffice documents saved in Dropbox or elsewhere.

Stop using Google Maps

Easy-peasy. Use Here, Mapquest, or another one of several sites and apps. Plenty of options here!

Stop using Google Talk

Google Talk is Google's instant messenger. We have to make the distinction between the service (the protocol) and the software here. Google Talk is generally used through your browser, so many people do not use any specific software when they are using this service (and Google's servers). There are other protocols, as well as other software; some well-known services are ICQ (remember? It still exists), MSN, Facebook messenger, Jabber, and nowadays Signal and Telegram. Most services offer their own software but can also be used through third-party software.

There are a lot of options out there. The world is full of options for instant messengers. Signal is said to be great for privacy; Telegram is good too. These can be used on your desktop, laptop and smartphone. I'll write more about chat and messengers later.

The hard part with this one: getting your friends and other contacts to join you on a different service. Usually, users of one service cannot talk to users on another one. If this is a problem for now, you could start using Gtalk through a third-party application for now, so you don't have to log in into your Google account in your browser. There's that compartimentalizing thing again!
Good clients for desktops and laptops include Miranda IM for Windows, Pidgin for Linux and Adium for OS X.
Franz is multi-platform, and in fact so is Pidgin. But there are others out there.

Stop using Google Translate

This is tough. Google is probably just the best option here.Try Bing, or install some translation software.
Then again, they are certainly storing the content of the text that you are translating, but probably not a whole lot else, as long as you're logged out of any Google accounts. You're logged out, right?

Stop using Blogger

Move your Blogger blog over to a different service. Yes, it'll hurt a bit. But there are tons of good options. You could clear it out and leave a link to your new home behind, if you want people to be able to find it easily. You may lose some readers and commenters, but you'll gain new ones.

Stop using Google+

Just stop. No need for a replacement.

Stop using Google Chrome

Start using a different browser. If you're a creature of habit, Chromium is for you.
Install it, and let it import your bookmarks. Then, in Chrome, go to Settings > Advanced Settings > Privacy > Clear Browsing Data. Tick all the boxes, so it all gets deleted.
Finally, delete your Google Chrome profile from your computer. In Windows it's generally stored in C:/Users/[yourusername]/AppData/Local/Google/Chrome/User Data.

Stop using Google Mail

I know this is a big step! It's fine not to do this straight away. It is a step that has a lot of positive impact on your privacy, so it's a great thing to do, but save it for last if you're finding it scary.
Before you switch to another email provider, which is something I strongly recommend, go into your Gmail account and clean out all email that you don't care about; then set up Thunderbird (or a different email client of your choice) and download all the email you want to keep. Here's how. Also download your address book: here's how.
Go back into your Gmail account and delete everything. All emails and all addresses. We don't know how deleted they really are. But it may help.
Now you're ready to sign up with a non-US email provider that offers encryption. Congratulations!

Now, the ultimate step is to delete your Google account. If and when you're ready.

Further reading on getting away from Google:
Going Google-Free: The Best Alternatives to Google Services on the Web
How To De-Google-ify Your Life: The Complete Guide To Leaving Google
The Best Google Alternatives For Email, Search, Docs and Everything Else

As always: if I'm in the wrong, please set me straight and steer me to decent sources. Thank you!

Back to Index

comments

5. Password policy

Tue, 22 Nov 2016 13:26:07 GMT

Passwords are the keys to our online lives. With our passwords, people can read our email, post on our social media accounts, see our banking data... and lock us out of our own accounts. So it's important to treat them with great care. But how? Here are a few hints on a good password policy.

Do not reuse passwords, ever. Reusing passwords means that breaking into one of your accounts also compromises others. At the very least, add some letters that differ for each site.

Switch to two-factor authentication wherever you can.

Do not keep the same passwords forever. It's good practice to change them every year, especially the important ones.

Do not use passwords such as your date of birth, partner's first name, or pet's name. People can find those easily by looking at social media or even talking to you or your friends.

Do not rely too much on often-used substitutions of letters by numbers. A zero instead of the letter o is not exactly hard to guess.

If you have trouble remembering your passwords, use a password manager. Read more about that here.

It's not a horrible solution to write important passwords down, as long as you make sure you're not leaving them in places where others can find them.

An option could be to create them in the form of fake 'people', stored in an address book (either digital or physical), whose made-up names help you remember what they belong to, and whose address or telephone numbers are the password. If you saw 'Amalia 035-3445899' written down in my little black book, would you think that was a password hint for my Amazon password? It's not, but it could have been.

Another way to make a decent password that's easy to remember is to make a sentence that's meaningful to you, and use the first letters of each word to form your password. For example: the sentence 'My old aunt Emmy has 3 pretty cute Greyhounds' stands for the password MoaEh3pcG but is a lot easier to remember, especially if you use it for your account on the website where you buy your dog food, or the social network where your aunt always posts pictures of her dogs.

If it's allowed, you could also use four (or more) random words that you can easily remember by drawing a picture of them in your mind, instead of a hard to remember and much shorter 'normal' password. Let XKCD guide you here (just do not reuse his example).

Further reading on good password practices:
Cnet
HowToGeek

Back to Index

comments

4. Browser hardening

Tue, 22 Nov 2016 13:22:49 GMT

As we've established, we're not going to give up the internet. It's informative and it's full of cats. But we do want to be safer while doing it, and less trackable. So how can we make this happen? Let's take a good look at the tool we use to look at the web: our browser.

Browsers help us view a lot of information. But the information stream goes both ways. Websites that we visit gather a lot of information about us, if we let them. For example, the fact that we've visited a website is generally logged. But also whether or not an individual picture has been shown in our browser, and that picture may very well be hosted on a different server (so we don't even know who is getting that information). Previous browsing history is collected, too. Our searches are logged, and also specific information about our computer (such as installed fonts and plugins) and location. All of this makes it quite possible to pinpoint a specific computer user, and follow them around from one website to another. Here and here is some information on how that works.

Browsers

There are more browsers than you can shake a stick at, even if you're very good at shaking sticks.
I would recommend not using anything made by or in cooperation with any of the big corporations: Google, Microsoft, Apple. So that means: it's best to avoid Chrome, Internet Explorer / Edge, and Safari. Here are some options:

Firefox. A good old standard that used to be innovative. Has a LOT of good privacy enhancing add-ons available. Win, Linux, OS X, Android.
Seamonkey. My personal favourite. Classic looks, robust features. Comes as a suite, bundled with (good!) software for email, HTML editing and IRC (= Internet Relay Chat). Win, Linux, OS X.
Pale Moon. A Firefox fork. Like Firefox before they got the Chrome-like interface. Win, Linux.
Chromium. Like Chrome, but not linked to Google. Open source. Win, Linux, OS X, Android.
Iron. Based on Chromium, but the makers claim it's fully anonymized. Win, Linux, OS X, Android.
SlimJet. Another Chromium fork. A newcomer. I heard good things, seems pretty privacy-centered. Win, Linux.
Vivaldi. Technically similar to Chrome. A newcomer. Win, Linux, OS X.
Opera. Now uses the same rendering engine as Chrome. Win, Linux, OS X, Android.

This list is by no means exhaustive. Some others are listed here.
Browsers are a personal preference. Pick your favourite... then pick another one and another one. Why? Because:

- Not all browsers are compatible with all websites.
- It's good to have separate browsers for specific activities. Google and Facebook come to mind. If you need to use these, and especially if you use them in such a way that requires you to log in, then it's a whole lot safer to run them in a browser that's just for those activities. Compartimentalize!

Add-ons

Add-ons are small pieces of helper software that add functionality to your browser. There are a lot of add-ons that can increase privacy and security. Most of them can be installed through a feature inside the browser (add-on manager) or on a specific webpage that lists all of them for your specific browser. Here are some good ones.

Adblockers:
AdBlock Plus used to be good. Nowadays it's not the best option anymore. Will allow some 'non-intrusive' ads unless you tell it not to; if you're running this, check the settings carefully.
UBlock Origin is a better replacement for AdBlock Plus. Blocks adds really well and can hide stuff you don't want to see.

Tracker blockers:
Ghostery used to be very good, but now needs it settings checked carefully, and a user account in order to see full tracker info.
Disconnect does much the same thing and is said to be good.
Privacy Badger protects your privacy by blocking spying ads and invisible trackers.

Other:
DecentralEyes protects you against tracking through "free", centralized, content delivery. It prevents a lot of requests from reaching networks like Google Hosted Libraries, and serves local files to keep sites from breaking. Complements regular content blockers.
Selfdestructing Cookies allows you to accept cookies, and then gets rid of them automatically when you're done with them.
NoScript keeps sites from executing Javascript on a case by case basis. Lets you whitelist and blacklist sites.

My advice would be:
- For starters: run an adblocker because it makes the web so much safer, faster and more pleasant.
- Add a way to deal with cookies. Can be a browser setting or an add-on. Accept them selectively or accept them but do not keep them.
- Add DecentralEyes just because you can, if you can.
- Finally add NoScript. It's a bit of a pain but it works very well. You can allow Facebook-scripts in your dedicated FB-browser and not anywhere else. Same with Google.
You'll have to adjust this recipe for your OS, browser and personal preferences.

Search engines

Step away from the Google. Google is not your friend. Google listens in on your searches, doubly so when you are logged into a Google account (so don't do that). Here are some privacy-conscious search engines.

DuckDuckGo
StartPage <--- my personal favourite
Ixquick
Qwant
Blekko

What about Private Browsing /Incognito Mode?

That only limits what gets saved to your own computer. It has no influence on what gets sent to others.

'Safe' Browsing

Mozilla-based browsers (Firefox, SeaMonkey, and others but apparently not Pale Moon), and also Chrome and Safari, have an option called Safe Browsing. If that is switched on, pages get checked against a blacklist hosted by... Google. It's a useful feature in principle, but it means that Google gets to keep tabs on your browsing, which is one of the things we're trying to avoid!
Once you have add-ons installed that block ads, scripts and other potential security risks, it's better for your privacy to switch the Safe Browsing feature off. More information here.

Another way to compartimentalize (slightly more advanced)

If you really really really like Firefox (for example), and can't get to grips with any other browser, there's another way to make separate 'sandboxes' for things like Facebook and Google: you can set up different profiles, and make icons on your desktop that start an instance of Firefox working in each of these profiles. Name them after what you're going to use them for and set the settings accordingly in each of them.
Hey presto, separate browser profiles for your different activities. That means data from your surfing behaviour in one instance will not bleed over into the Facebook usage in another instance, even when they're running at the same time.

Bonus!

Firefox settings, including tracking prevention settings, made easy: FF Profile Maker.

If you want to go further...

Want more anonymity? There's the Tor browser, a modified Firefox with extra security features for fully anonymous surfing. I don't use it, but you might want to, so here's a how-to or two.

Back to Index

comments

3. Email providers

Tue, 22 Nov 2016 12:12:55 GMT

Let's start off with something fairly easy: getting your email off of US soil. If you're using a Europe based provider, they can't be subpoenaed into handing over your data. That is exactly the result we are after. A US company, like Google, can be forced to hand over your data even if that data is not stored in the US, according to this article. Just another reason to avoid them like the plague.

Here are some good and mostly free options; keep in mind that a good, reliable and secure email provider is in my view well worth a few dollars. Most of the free providers also offer a paid option with more features, more storage, and so on.
These providers generally offer an English-language interface; one less thing to worry about.

All of those listed below offer built-in encryption, that you don't have to know anything about in order to use. You may feel that you do not actually need that, but it's a valuable layer of security. Then again, if your goal is just to get away from Google and/or get your email into a place where the US government can't easily reach, you have a lot more options (see links below).

OpenMailbox (FR)	Free	Encryption, POPmail, IMAP	1 GB storage
ProtonMail (CH)	Free	Encryption, webmail	0.5 GB storage
Tutanota (DE)	Free	Encryption, webmail	1 GB storage
Mailfence (BE)	Free	Encryption, webmail, POPmail, IMAP	0.2 GB storage
StartMail (NL)	€ 49,50/year	Encryption, webmail, IMAP	10 GB storage

You'll find more options listed here and here. These lists also show providers that do not offer built-in encryption.

Some of you are probably familiar with Lavabit. That is a privacy-concious provider whom the US government tried to force into giving up their data (and its encryption keys) in 2013 because they had an account that belonged to Snowden. The owner responded by pulling the plug and did not give up the data. Now they are (soon to be) back. I would trust these people but their service is on the geeky/techy side. They are preparing to offer 5GB of storage for $30 a year and they are quite serious about security. Not bad!

If you have your own domain name, another option to get e-mail service is by using the service offered by your domain hosting provider, if they offer that; of course, they may be using servers in the US, so you'd need to check that first. But for some of us, that's a good option, with the added advantage that your email address never needs to change for the rest of your life if you don't want it to.

Bonus!

Need a free throwaway email address for one hour only, with no records kept? Here you go.

Protection level and limitations

How much does having a EU provider protect you? That's hard to say. If you have a provider that you trust, the chance that they will hand your data over to the US government is definitely smaller, because they can't be forced to do that as easily as a US-based company can. So that is a certain level of security.

However, there are some reasons why 'they' can still get your data:
- The receiver may use a US provider, who may be forced to hand its data over.

This would of course give them only a access to segment of your sent emails. Sure, they can probably puzzle all your email traffic together this way, but it's harder and more expensive than just asking Gmail to give them the whole batch.

- Data has to travel somehow. It needs to travel through US servers to reach you, and can be read on the way.

If your provider uses secure POP, secure IMAP and secure SMTP (usually done through something called TLS) then your data is encrypted on the way from your computer to your email provider's server and back. That helps, for sure. Pay attention to whether your provider of choice offers TLS or its predecessor, SSL. You don't need to know how they work, just make sure that they offer them so you can use them. It's generally a server setting in your email program.
Webmail is generally protected by the HTTPS protocol (S for Secure).

It's good to realise that you are by definition leaving a trail when you're sending email. Anything you can do to obfuscate that trail helps keep you a little bit more secure. But using a non-US email provider is not a panacaea.
End-to-end encryption offers a lot more protection, but for most of us, that's just not feasible, at least not all the time. If you're interested, Enigmail combined with PGP (Pretty Good Privacy) is a good option for POP and IMAP, and runs as an add-on in Thunderbird and SeaMonkey Mail.

What are POPmail, IMAP and webmail?

Webmail is email that you read and write on a webpage, as shown by your browser of choice (such as Firefox). Can be useful to those who want to use email on the go, on computers that aren't their own. No e-mail software is needed.
POPmail is email that you download into your own computer, using e-mail software such as Thunderbird (or Outlook, but let's not go there). Can be useful to those who want to keep control over their stored emails. Be sure to make backups now and then.
IMAP is email that you view through e-mail software but that lives on your provider's server, not yours. Can be useful to those who use several computers for their email and want to keep things synched, yet prefer email software over webmail.

Using e-mail software (also called an e-mail client) has the advantage that you can add a digital signature as well as encryption.

This blog post has been edited on November 13 and 16, based on feedback from readers. Thank you!
New links have been added on December 3.
More links added on February 8 2017.

Back to Index

comments

2. A list of things you can do

Tue, 22 Nov 2016 11:52:42 GMT

A lot of people are worried about their level of online privacy and safety lately, for reasons that shouldn't be too hard to understand. The big thing here is that US companies collect data, and the US government can grab hold of that data if they feel there's a need; if you are now under a government that you distrust, it makes sense to reduce the amount of data that you hand over to US-based companies.
Here's a list of things you can do. Some are easy and some are hard, but every one of them can help. Even if you can only do one of these things, it's worth doing.

Here's the hardest one, for many of you: Get off of Facebook. Facebook collects a LOT of data, even when you're not on it. It's not just what you post on Facebook, it's also about your surfing habits on other sites, and a lot more. All this data is under the control of a man who called his users 'dumb fucks' for trusting him. If that offends you, good! It should. If you feel you cannot do without Facebook, consider abandoning your account and setting up a new one, using an altered version of your name, and reconnecting with your friends on that. Changes like that help obfuscate your digital trail.

Get away from Google. I will post in more details about this later, because Google is an ecosystem that consists of a lot of services. Most of them have good replacements! The very fact that Google has all these services is also why it's so potentially dangerous: they collect a LOT of different data from all those sources and combine it all into a very detailed profile. Need a good search engine? Try StartPage.

Get your e-mail off of US soil. Use an e-mail provider that's hosted in Europe and offers encryption. There are plenty of them and some of the good ones are free. More information on that is now posted here.

Compartimentalize. Use different browsers for different purposes. Use different providers for different services, so that your data is split up and therefore less meaningful. Keep your profiles on social media and other websites separate. (I know, I don't always do that either. But I do have a few online hangouts that you probably don't know about.)

Here's another hard one. Don't use a smartphone. If you must, be very wary of the apps you install. Review and think about the permissions your apps ask to use. Can they also operate with less? Switch it off when it's not in use. If you can make do with a nonsmart cellphone, or use that for phone calls and use your smartphone for data only, do that. That's compartimentalizing too.

Here's some easy stuff! Use adblockers and other browser add-ons that improve privacy. Your surfing experience will be safer and faster and the sites you visit will look nicer! This is another good topic for a separate post, but for now I'll throw out some names: UBlock Origin, Ghostery, BetterPrivacy, PrivacyBadger, DecentralEyes, SelfDestructing Cookies. If you use Ghostery, be sure to check the settings carefully, as the default is not great.

Also easy: if a service you are using offers two-factor authentication, set that up. It makes your accounts a lot harder to break into. This is especially important for webmail accounts, since they are often the key to a lot of other things, because many services use email to reset passwords.

Another fairly easy one, and we should all be doing this already: use good, strong passwords and be smart about using them. Read more on that here.

Learn to use an e-mail client that supports encryption. You may not need it now, but it's a good option to have. Thunderbird is just fine for this; with the add-ons Enigmail and GPG installed, it works well. It's also an all-around good e-mail program. And if more people use encryption, those who use it won't stand out anymore. Remember when mail used to be private? E-mail should be private, too.

If you haven't yet, consider getting away from Apple and Microsoft. Linux isn't just for geeks anymore. There are several good looking, easy to use Linux based OSses nowadays, they can run on most of the hardware that you are using, and they are free. Ask your friendly local nerd or cybersmart cousin to show you Linux Mint. Bonus: your computer will probably run faster, and will not need to be replaced as rapidly!

One of the best things you could do would be to attend a cryptoparty: an interactive workshop about cybersecurity, often aimed at beginners. Find out here when and where they are happening. A good place to ask about this would also be your local hackerspace; hackerspaces are physical spaces (as in, buildings/rooms) where people get together to tinker and to share knowledge about many things, cybersecurity being one of them. Don't worry about the bad reputations of hackers; there are good reasons why malicious hackers generally stay away from hackerspaces (they don't need them, they aren't welcome, and they don't want the extra visibility).

Back to Index

comments

1. Some general notes

Tue, 22 Nov 2016 11:27:21 GMT

The tradeoff

Cybersecurity always comes at a price: most often, the price is convenience. This is no coincidence. The parties who want your data need to bribe you into handing it over, and convenience is one of the best things they have to offer. So they make all these nifty tools, that make your life so much easier; who wouldn't want that? And the easiest, most default mode is always, always the mode in which you end up exposing yourself more.

Yes, it's inconvenient to avoid Google (more on that later!), to stay off of Facebook and Twitter, to use more different providers to keep your stuff compartimentalized. It's mighty convenient to just use your Google or Facebook login everywhere, to stay logged in to all these services, and not to have to enter passwords all the time. And it's just so convenient to reuse the same password everywhere, and not change it ever.

But convenience, too, comes at a price. All these nifty free tools and services aren't free: you pay with your data. You might say that you don't care and they can have it, and who is interested in you anyway? You are not that important after all. (And out comes the dreaded 'I don't have anything to hide'. But more about that later.)
But you are important. You're oh so very important and interesting. Because you are a consumer, and you buy stuff; building a profile of you that's as detailed as possible allows you to be advertised at in a very precise way. Now you are probably thinking: But I don't respond to advertising, I never buy the stuff I see in ads. I'm afraid that's probably not true. We all respond to advertising; it can't be helped.

You might also say: cool, so they have a profile of me for targeted advertising. That's not so bad, is it? It means I'll see less ads for stuff that I don't care about.
Well, of course that is up to you. But who has access to your profile? You don't know that. It's certainly not you: you don't get to see it. But your government might. Your employer, or a potential future employer, might. Your insurance provider might. Other parties might, and they might not have your best interest in mind. Data can be sold, and it can be stolen. Who gets access to your information, now or in a year or in ten years?

What we can do

So if that makes us uncomfortable, what can we do? Some people say: Nothing. You're on the internet, stop worrying about it because there is nothing you can do. They already know all there is to know about you. But I don't buy that, and here's why.
1) It's fatalistic and we don't know whether it's actually true. Why pick the most depressing option if you have a choice?
2) There is actually a lot that the internet doesn't know about me and I'm sure the same goes for you. I intend to keep it that way if I can help it.
3) Data rots. It gets outdated. We don't stay the same all of our lives; not even our bodies stay the same. We grow thinner, fatter, older, sicker, healthier. Some of us get pregnant, some of us gain disabilities, some of us get surgery of all kinds. We all change all the time and so the best data is fresh data. Even if they knew all about you right now, it would still make sense to stop leaking data now.
4) It's not a matter of all or nothing. There is a whole spectrum between a wide open empty doorframe and a solid steel vault door with ten different locks on it. Just because we can't hide everything from view, that's no reason to give up and not attempt to keep anything to ourselves. Even if there are conveniences we don't want to give up on, there are probably things we can do that make a difference.

So what can we do? Here's a thing we can't do: we can't make ourselves invisible on the internet, not if we intend to keep using it (which I do, and you probably do too). It's not about vanishing from the web. It's about making your tracks vaguer, fewer, more fragmented and harder to follow. And harder to follow means: more expensive to follow. Investigating people is, after all, not free: there are costs involved. There is a limited budget reserved for following us non-notorious folks; what we're trying to do here is becoming more expensive to track. We want to strain the budget, making it impossible to follow everyone, and make ourselves less worth the trouble (= money).

What we'll get in return

As we've seen, there is always a price to be paid, generally a larger or smaller loss of convenience. I feel better about this when I think about it as a choice: a small price that I'm gladly paying in exchange for personal freedom. That's s small mind hack that not everyone may be able to pull off, but it's worth a try.
An example... Since I dumped Windows and switched to Linux, I need to enter my password every time I download updates for my computer. Newcomers to Linux often find this unnecessary and annoying, and ask in the forums how they can get around that. But it's such a small thing really. And it's not that hard to see it as a good thing: I'm entering my password because that helps keep my computer safe. Yay password that keeps my system safe and happy!

The problem with this kind of thing is that there is no tangible reward. Google will never knock on your door saying 'What happened? We never hear from you anymore.' Bill Gates isn't going to send you a Hallmark card that says 'I miss you, let's get back together'.
So that can be frustrating. If we want to improve our cybersecurity, we'll be giving up on certain things that are convenient or fun, and we'll never get any feedback. That's not entirely true because there are some tests you can run... but that's about it.

What we can gain in the short term is peace of mind, and not much else. So if you're not worried, there's not a lot of reason for you to be reading this. But if you are, keep reading, because there's a lot more coming up. And in the long term, you may be saving your own ass.

Back to Index

comments

Index

Tue, 22 Nov 2016 11:15:27 GMT

Index

Part 1 is about cybersecurity in general.
Part 2 is a list of things you can do.
Part 3 is about e-mail providers.
Part 4 is about browsers.
Part 5 deals with password policy.
Part 6 is about getting away from Google.
Part 7 is about Facebook.
Part 8 deals with smartphones.
Part 9 is about VPNs.
Part 10 is about Instant Messaging and Chat.
Part 11: Carrying data and devices across US borders <--- in progress

Other stuff:

A warning about the FamilyTree website.

Upcoming subjects

Making the switch to Linux

What's this? What is it for? Who is it for? Who is it by?

( Click to read... )

Clicking this icon at the bottom of every post will always take you back here:

Back to Index

comments