We want Privacy – the 2017 edition

This started out as an email to a concerned friend, so it may not be complete or a bit unfocused. Please discuss, I welcome your thoughts and input on this.

A note to start. Privacy and security intersect so much on the internet that it is quite hard to see if a problem is more one or more the other. With the current state of things the biggest threat to the average user does not come from the state but rather from big corporations analyzing our data 1. The second biggest threat is not for our privacy but security … being hacked is much more likely to hurt us in some way than the [insert your favorite spook agency here].

So in my opinion one cannot ignore one or the other. They go hand in hand.

It helps to be aware of all the data you have, and that you want to protect and to know what you care to keep secret from whoever it may not concern. A possible list could include: passwords, emails, chats, contacts, calendars, photos …

  • To get started you may want to check out: privacytools.io
  • Also: The Electronic Frontier Foundation (EFF)
  • Another good starter is to read the Cory Doctorow book Little Brother and its sequel. He explains quite a few concepts much better than I ever could.
  • Don’t buy into privacy snakeoil, easy solutions or cheap VPNs are just as likely to hurt you as they are to help you
  • Never follow advice blindly – even this!
  • Open source software is often better to use because people (may!) have looked at the code and vouched for it, but OSS is not per definition secure or private
  • Don’t put all your eggs in one basket is a good strategy. It may seem tempting to use one service to rule them all … but don’t, just like you shouldn’t use the same password everywhere, diversification helps to protect you.

A few easy fixes:

  • Firefox is better at privacy than Chrome
  • Use a plugin like Https Everywhere
    • Link
    • there is also one for Chrome
  • There are other search engines, google is not the only one
    • Check out DuckDuckGo as search engine before defaulting to google:
      • Link
      • not saying you shouldn’t use google at all, just saying: mix it up
  • Install addons that try to prevent tracking. I currently have
    • Decentraleyes,
    • Disconnect,
    • uBlock Origin
    • Privacy Badger
    • One of those is probably enough
  • Most tracking is done with cookies: install self-destructing cookies which deletesall but white-listed cookies after you leave a website and as such disables a lot of tracking all by itself link
    • whitelist only a few sites that you trust not to track you everywhere
    • do not whitelist facebook, they are the masters of tracking

What takes a bit more of an effort:

  • Use a password manager
    • http://keepass.info/ is what I use
    • I like it better than lastpass because you don’t have to trust lastpass servers
    • Keefox → accompanying browser plugin
    • mobile: Keepass2
    • there is also a good ios implementation
    • it really helps with the self destructing cookies
    • be aware that keepass – like everything else is not perfect, it could be target of a hack in the future, don’t leave your files lying around, update regularly
  • Use Two-Factor-Authentication where ever possible →
    • 2-factor requires additional authentication with onetime-passwords either via sms or a generator like Google Authenticator (https://alternativeto.net/software/google-authenticator/ -> I have switched to FreeOTP and have also looked at Authy both look ok. FreeOTP has no backup however as far as I can see making it dangerous if you lose your phone, and I am not sure it will easily migrate to a new one even if you have it. Authy has a server for backup meaning you have to trust them not to mess up their server’s security. Google Auth easily migrated from my old to my new phone last time)
    • Many big sites have it
      • google
      • evernote
      • steam
      • paypal (their version sucks …)
      • amazon (not a very good implementation either)
      • netflix
      • banks have been doing this basically forever with their TAN systems
      • … there are more all the time
    • It’s additional hassle but after you evaluate the “worth” of your accounts by the amount of damage it would do to your peace-of-mind/wallet if someone got hold of it. → enable 2-factor auth on everything that might hurt you when lost. 2 factor makes it way more unlikely2 someone can get into your account

Expensive / most effort:

  • buy yourself a NAS (not NSA but NAS)
    • don’t buy some fancy kickstarter/indiegogo device
    • we have one of these: Synology
      • safe, secure and private file storage at home
      • some provide calendaring and contacts sharing
      • some have included dyndns features
  • for your remaining files on cloud file sharing places like Google Drive / Dropbox consider using BoxCryptor
    • Link
    • developed in Germany
    • like so many things it doesn’t work quite as expected all the time but it does give me a bit more peace of mind when putting stuff on there even though it’s additional hassle
    • but the free version only covers 2 devices and 1 cloud service -.-
  • use services that are hosted in countries with better privacy laws (EU, Switzerland) for:
  • encrypt private communication to make it truly private
    • pgp or s/mime for emails
    • otr / omemo for chats
    • most nerds I know never bother to encrypt their emails
      • technology is there but hard to use, it’s worth several pages of discussion by itself to analyze why that is
    • but most nerds I know at least try to use encrypted messaging services (more on this below …)

Most effort, most difficult … probably not necessary – at least not at this point:

  • use a vpn (I don’t because unless you host it yourself you need to trust those who host the vpn quite a bit)
  • use tor (for the extremely paranoid and savy users)
  • I use neither although I did play around with Tor post-Snowden for a little bit

Messaging Services

So around here people are using 5 messaging services (and of course I use them all)

  • hangouts – for the lazy because it just works everywhere at the same time it is the worst solution because it’s Google and we know nothing about it’s privacy or encryption meaning there is none!
  • Whatsapp – it became one of the most popular messaging services over here a while ago and due to lots of user protest they are now using the same end2end encryption from Openwhispersystems that is used by Signal (see below)
    • App
    • but they still belong to facebook
    • and they still get your meta-data (who your friends are and who you talk to when)
    • they store stuff on their servers and if there ever were a backdoor … oops
    • apparently they have a web-interface which I haven’t used
    • my family “gets” whatsapp, and I only use it because somehow our whole family has it
  • Threema – swiss based messaging app (android and ios), the encryption is state of the art, however the webinterface is a bit of a hassle to use
    • App
    • the app costs a one-time a few euros
    • Threema’s business model is selling custom setups to companies → which is good to know because it makes it more unlikely they want to sell our data … of which they have very little.
    • for some reason our semi-paranoid nerd friends have started using this
    • but but but … there is always a few who don’t have it and that makes it a hassle yet again because like all these services in this list: they do not communicate across their garden walls with other services
    • for some reason the app refuses to run on more than one mobile device with the same identity and since identity is pretty central of a concept I do not have it on my tablet → another hurdle
    • The German Green Party is using it during election year to coordinate 🙂
  • Signal is a messaging app that is originally an sms app made by OpenWhisperSystems to showcase their encryption technology and comes with recommendations from the ultimate paranoid person on the planet: Edward Snowden
    • App
    • it’s free
    • but I’ve only a few people in my contact list who have it
    • the feature set is rather basic
    • since it can switch between sms and messaging we had trouble on our last trip when we were both without data access and forgot to switch back to sms … I was waiting for a message and he was waiting and neither phone told us the messages weren’t being sent -.-
  • Jabber is based on the xmpp protocol and it is the oldest of all of these, hangouts actually uses the protocol. Jabber is a great de-centralized service (which is of course the reasons all the big-ass companies are not using it they want their walled gardens where they can grab our data). Jabber has a bunch of problems
    • only recently a decent mobile client arrived “Conversations” (it’s not free however: App )
    • a semi-decent mobile client is: ChatSecure (also recommended by Snowden and the Guardian: App )
    • there are a bunch of good stand-alone clients
    • several of the best encryption technologies work with jabber (OTR or OMEMO) with very little hassle
    • but no web-client (we need a web client while at work)
    • jabber is the only one of these tools that can be used completely free of corporate data snooping
    • but again: no decent web-client (I am working on that)

1 Although since such analyzed data was used by the campaign of Donald Trump, and Brexit and most likely the upcoming elections in France and Germany one can argue that at long last it’s all one and the same …

2The forever caveat is “more unlikely” … nothing is perfect, if someone were specifically to target me for some reason they wouldn’t find it too difficult to get at my digital self. What we want is protecting from mass hacks, random sweeps etc. and that can be achieved for the most part

Updated 28/04/2017: info about alternatives to Google Authenticator I have tested. Added a few more words of general advice at the beginning

One Reply to “We want Privacy – the 2017 edition”

Comments are closed.