Online Privacy Guide Overview
Updated January 30th, 2016.
As technology advances, it is important to take a moment to consider how is our privacy affected by the prominent role that internet is playing in our lives. The popularity of social media websites has made showed us that many people are willing to openly share information that used to be private. However, even if you are not interested in disclosing certain aspects about yourself online, your privacy is still under threat. Over the last few years, information that shows the extend of the risks that our privacy faces online, has come to light. The revelations continue and each of them proves that internet is no longer the safe, anonymous and free place that we once thought.
While the NSA and the GCHQ are the flagship names for online monitoring, government organizations around the world are advancing in their plans to establish regulations that give them a stronger control over Internet and telecommunications. These regulations would enable them to monitor and keep details of every email, chat. text or phone call. Under these circumstances, the possibility of a surveillance state where everything we do or say is monitored, would no longer be something that only happens in a fictional world.
The Guardian has published a nine page document outlining the NSA’s procedures regarding mass data collection and retention of U.S. citizens. Essentially, the agency collects and scans massive amounts of data, but only retains what may contain suspect content. Encrypted data is treated as very important, and gets archived until they find a way around the encryption. Warrants are not required for these activities to remain legal under current rules.
For over a decade, internet service and software providers have either been forced to comply with mass data collection or even had their security breached by surveillance agencies, eventually earning them the title of Internet Villains of 2014 at the ISPA yearly awards.
Thankfully there is hope for privacy and we have options to ensure that out online activity is not intercepted. In this guide, we will take a look at the different aspects of online privacy and what we can do to protect it.
Encryption provides a secure option to keep your online activities private. However, its use will get you the attention from the government, which may determine that you could have something to hide and therefore, they will try to take a closer look at what you do. For instance, as mentioned above, in the United States, data is collected from all citizens and if considered irrelevant it is then discarded. In the case of encrypted data, the information is deemed as important and it is stored until it is possible to decrypt it. Unfortunately, merely searching about online privacy can warrant attention.
Encryption key length can determine how long it will take to break a cypher because it represents the code (number of ones and zeros) used in a cypher. An attack on a cypher is called exhaustive key search or brute force attack, it entails attempting every possible combination until the right one is discovered. Breaking encryption cyphers is not impossible but it is very difficult and would take a long time. The success of exhaustive key search relies on different factors and will require specialized resources.
Is Encryption Truly Secure?
Just to give you an idea of how challenging it is to break a cypher with brute force, keep in mind that even for the most advanced supercomputer in the world today, it could take around a third of a billion years to crack 128-bit AES key. Furthermore, increasing to a 256-bit key increases the required computing capacity by to achieve such a feat. The previous reigning supercomputer dating from 2011 named Fujitsu K, has about a third of the power. Even if supercomputers grew exponentially in processing power every year, double that of the actual current Moore’s Law observation, by the year 2025 it would still require roughly over one hundred and sixty thousand years to brute force a 128-bit key.
Impressive as it sounds, we can no longer assume that AES encryption will remain secure for that long a period of time. Leaked documents from Edward Snowden shed light on a 10-year NSA program that made a breakthrough in back 2010 in successfully cracking older encryption algorithms. Additional revelations indicate that millions of dollars are used to lobby tech companies into secretly creating back doors or weakening security specifically for the agencies.
In light of all of it, security experts no longer fully trust existing protocols both presently and for the future, leaving an urgent need to upgrade encryption systems and cipher key algorithms. The way encryption technology works, it will always be possible to create strong mathematical algorithms, and if developed under ethical and transparent circumstances, we can count on encryption to keep us safe. Although large surveillance organizations have incredible amounts of resources, low level encryption is often enough to stop cyber criminals dead in their tracks, and even if remaining private from unwarranted mass surveillance is still possible by applying the best end-to-end security protocols in place.
Encryption key length is the amount of raw numbers but cyphers are the mathematics implemented to use encryption. If encryption is cracked, it is often due to the algorithms used in the cypher not being strong enough, instead of an issue with the key length. The most common cyphers are Blowfish and AES, which work with OpenVPN. RSA is used to encrypt and decrypt cypher keys, and to authenticate the data, SHA-1/ SHA-2 are used. AES is usually considered as the safest cypher to use and since it is used by the US government to protect its information, the perception is that it is the most reliable option. But not everyone trusts the organization that developed and maintains AES encryption.
The NIST is the United States National Institute of Standards and Technology, and organizations that collaborates closely with the NSA and creates its cyphers. AES, RSA, SHA-1 and SHA-2 were developed/certified by the NIST. NIST has actively stated that they would not deliberately make a cryptographic standard weak and has deployed public initiatives related to encryption standards, ethics, and advancements since coming under fire. However, given their association with the NSA, the trustworthiness of their algorithms remains under question. We have seen more initiative in the industry and abroad for better encryption, but is there is not enough being done to see prominent change.
One of the major blows to the reliability of the NIST, was the confirmation that its certified cryptographic standard, the Dual Elliptic Curve algorithm, had been weakened twice by the NSA. Although it was known to be continuously flawed for years, only recently at the end of 2013 did it become public that the NSA had paid 10 million to RSA in a secret deal in order to create a back door. With further accusations of budgeting millions into weakening encryption, trust in NIST quickly dissipated, regardless of their claims indicating that they have never deliberately weakened the security and integrity of their protocols. Multiple early reports and warnings surfaced from various researchers including some Microsoft engineers, it is not initially clear why this organization has never been dropped by major tech giants.
The unfortunate truth is that all major industries have continued to follow the standards put in place by the NIST due to complience requirements by the U.S. government. Without putting NIST encryption standards in place, industries are not in code and cannot operate legally. The fact that the certified cryptographic standards from the NIST are used worldwide at a large scale is worrying, considering that many companies trust in the reliability and privacy of its algorithms. The world is highly dependent on NIST standards due to all major corporations still implementing them. Only a handful of services have been able to address the issue by moving away from them.
Lavabit, Edward Snowden’s past email service provider, made headlines when the FBI pressured them to hand over their SSL encryption keys, but the company founder chose to close down in order to avoid undermining the privacy of all their users. Silent Circle followed suite by shutting down Silent Mail in order to avoid spying. Both Lavabit and Silent Circle email services used NIST standard encryption protocols, but have now joined forces to develop Dark Mail, and promising a new way to email with secure end-to-end encryption.
RSA & VPN Encryption Vulnerabilities
The information leaked by Edward Snowden revealed that there were programs intended to singling out encryption keys (certificates) that could be broken by supercomputers from the GCHQ. The fact that these certificates can be singled out indicates that 1024-bit RSA encryption, which is usually employed to protect certificate keys is more vulnerable than it was previously believed and that it can be decrypted in a shorter amount of time. It is not hard to imagine that organizations like the NSA and the GHCQ count with the necessary resources to achieve this. When a certificate key has been decrypted, all data transferred is compromised unless ephemeral (temporary) key exchange is in place. In light of these revelations, it can be assumed that many forms of encryptions that rely on certificates and non ephemeral keys, can be and have been broken. This includes SSL and TLS certificates, which has a severe repercussion for all HTTPS traffic.
It is safe to sa at this point that PPTP over VPN can be decrypted by these organizations. It is hard to say how fast or easily it is done, but with all the previously mentioned reports, including old ones such as Microsoft advising back in 2012, that MS-CHAP v2 (PPTP) Authentication was vulnerable. Regardless, PPTP remains a popularly used VPN protocol. If security and privacy is not the biggest concern, PPTP can still have its merit. It is still preferable to use PPTP encryption on a public Wi-Fi connection if that is your only option, some encryption is always better than none.
Even the updated and robust L2TP/IPSec protocol has also been scrutinized when a report published by EFF founding member John Gilmore, disclosed how NSA employees had leading roles in the IPSEC standards committee, and various ways in which the security standard may have been sabotaged.
Once it was revealed that the GHCQ and the NSA have the capacity to break 1028-bit RSA encryption, many VPN services boosted their key encryption to 2048-bits and some even to 4096-bits. Another part to take into consideration when it comes to encryption is PFS (Perfect Forward Secrecy). This is a system in which a new and individual private encryption key is generated for every session. This helps to address the vulnerability issues for SSL and TLS connections. A few companies have already started using ephemeral keys, which keep them in large part protected from the Heartbleed Bug.
Fortunately, OpenVPN should not be impacted as it uses ephemeral key exchanges. Since ephemeral key exchanges generate a new key for every exchange, they do not rely on certificates to create trust. If an eavesdropper manages to get the private key of a certificate, they would not be able to decrypt the data. If the private key has been compromised, an interceptor or man in the middle attack, could still target an OpenVPN connection. However, this would have to be an attack that has been specifically targeted. It should be noted that OpenVPN utilizes OpenSSL library, and when discussing older versions, it may be vulnerable to the Heartbleed Bug which is covered in detail a little further down this guide. In conclusion, OpenVPN remains the most secure option available at this time, and should always be chosen as a first option. The open-sourced platform can continuously be improved and keep security vulnerabilities at bay.
When end-to-end encryption (E2EE) data is used, all data, including communications is encrypted at your end and it is only de-crypted at the intended recipient’s end. This ensures that no one can intercept the data or act as a middle man, that can access your un-encrypted data. Any attempt to intervene in the transferring of data should be seen as threat to privacy and security and for this reason, end-to-end encryption is indispensable. Avoid any services that encrypt your data on their servers, instead of allowing you to encrypt it on your own computer.
The end goal is to make it so that no one else but you or the targeted recipient holds the key to decrypt the data, and this is what end-to-end encryption allows you to achieve. Any service provider encrypting your data for you can be suspect, and if they are located in the U.S. or U.K., it is even more likely that they hold the keys to your data, including VPN services.
It is important to keep in mind that encryption may not always sufficiently protect privacy due to metadata collection. Although encryption makes a conversation unreadable for third parties, this does not mean that they cannot gather data about the date, location, recipients and regularity of these communications. Still, technologies such as Tor and of course, VPNs, can make the collection of metadata more difficult for any third party. With a VPN, all that others would be able to recognize is that you are using a VPN server but details such as your location and what you are doing online, would not be accessible to them.
In spite of the issues with NIST certification, AES remains to be (to this date) secure for the most part. While it is not immune to attacks, OpenVPN can also offer a strong level of security. Overall, it can be said that even though encryption is not entirely safe and the ability of powerful governmental organizations to break it should not be underestimated, it still is the strongest way to protect our data from invasion. Furthermore, it is worth remembering that our information is not only exposed to surveillance from government organizations that count with advanced technology and resources. We are also exposed to attacks from cyber-criminals and our privacy could be compromised by large companies as well. These don’t count with the power and ability to circumvent encryption that the NSA or the GCHQ have. Therefore, using encryption remains to be the best option for anyone that wants to protect not only their online privacy, but also a multitude of fraud and identity theft crimes.
The disastrous Heartbleed Bug mentioned previously, made it to the headlines in 2014 resulting in hundreds of service providers asking users to reset their passwords. It had possibly been exploited for a long time prior to being publicly discovered. An error in the open source code of OpenSSL affecting versions 1.01 to 1.01f had been vulnerable. It represents the most devastating threat to online security to date, specially considering that OpenSSL is by far the most popular cryptographic library on the internet and it is used by banks, online storage services, as well as VPN providers. The scale of the impact was such that it was estimated that over tow thirds of the internet was affected by the bug, which was not noticed for nearly one year and a half. The main problem was that even if a system was affected by the Bug, it was not possible to know about it.
As to be expected, speculations that the NSA knew about the bug quickly surfaced, and Bloomberg subsequently published a report from two undisclosed sources claiming the agency was indeed aware of it for a minimum of two year prior.
An attacker that exploits the bug, would be able to take over users’ accounts, access passwords, as well as SLL keys. The implications of this are devastating and millions of users were prompted to change all their passwords. By now, most websites and services using the affected versions of OpenSSL should have updated their libraries to address the vulnerability. They also re-issued their SSL certificates as they may have compromised. However, it is important to keep in mind that not all services and websites completed the update and most of the solution lies on their hands because the issue has to be fixed from the server’s side. Still, for users it is important to change their passwords once the issue has been addressed. Finally, it should be noted that any websites that have implemented Perfect Forward Secrecy are largely immune to the Heartbleed Bug, even if their were used one of the OpenSSL versions affected.
How to Increase Privacy and Security
By now, we have established that there is not a method that can guarantee that your privacy is 100% protected and private when we consider metadata and all the other possible exploitable avenues. However, protecting yourself against identity theft and cyber crime is enough to consider taking the necessary amount of action to better secure your privacy and data both off and online.
Free Open Source Software
As exposed previously, the NSA has deliberately compromised the strength of common international encryption standards, leaving the reliability of proprietary software in ruins. It has been demonstrated that the NSA and GCHQ has collaborated, paid or forced hundreds of technology companies into adding backdoors in their programs or weakening the security of their programs to make them accessible to them. The major suspects are software manufacturers in the US and the UK but this does not mean that other companies across the world, have not accepted to comply with the NSA’s requests.
A similar secret program named PRISM is said to have given the NSA, FBI and UK surveillance backdoor access to user data across nine of the largest U.S. service providers: AOL, Apple, Facebook, Google, Microsoft, PalTalk, Skype, Yahoo, and YouTube. As reported by The Guardian and The Washington Post, PRISM was used in collaboration between U.S. and U.K. surveillance in order to make it possible to circumvent current laws protecting citizens from being unlawfully spied on by their own government. By simply having each country willfully spy on each other instead, they could legally exchange data with no restrictions. Said to be in existence since 2007 with the advent of President Bush’s US surveillance law, it has been used to collect personal emails, photos, videos, chat conversations and more. All of the major service providers have denied any prior knowledge of such a program and claim that any type of mass data collection would have been done without their involvement, but evidence from the leaked documents certainly point the other way.
Unfortunately, these types of mass privacy breaches have also been reported to exist years prior. Back in 1999, Heiss reported a discovery by security researchers regarding a coding mistake by Microsoft engineers, which allowed the NSA to secretly build a backdoor to all Windows 95 systems. The same year, Lotus was accused of deliberately disabling security and creating a back door access in Notes software specifically for the NSA. Today, the challenges are even bigger with the latest operating systems wanting to collect data from every stroke and click. For those who have already migrated to Microsoft’s latest OS, we have compiled a tutorial on how to stop Windows 10 from collecting your data.
Proprietary software presents diverse issues such as the fact that as unique developers, it is easy that companies are approached directly by the NSA. Another concern is that the source code is kept secret, which makes it easier to keep any modifications or backdoors implemented, hidden from public attention.
That is why free open source software (FOSS) presents a better option. It is often developed by multiple individuals that are not associated to each other and that collaborate in the improvement of the source code. The source code is available for open scrutiny, which reduces the chances that it has been corrupted. In order to minimize the chance of a backdoor being included, FOSS should ideally be compatible with other implementations. Given the collaborative, open nature of FOSS, it is not hard to imagine that NSA agents have infiltrated its development groups with the intention of tampering with it.
Unfortunately, there is a large amount of code in every open source project and many of the people that collaborate in these projects, do not have enough experience or cannot work on the development of this code full time. This makes it very difficult to fully review all the code to find possible issues. Even though it has its shortcomings, reports show FOSS still being the most reliable software available and it is the best option to ensure that your privacy is protected.
Advantages of Using Linux
Open source software, as we mentioned is less likely to be infiltrated by organizations like the NSA. This is why Linux offers a more secure alternative to proprietary operating systems like Windows or OSX. While that does not meant that Linux is entirely secure and immune to surveillance, it does offer a more reliable option. The downside of Linux is that it is more difficult to use than Windows and OSX, which is why it hasn’t reached the anywhere near the levels of popularity of its competitors, even for popular and user friendly builds such as Ubuntu. However, if you want to enhance your privacy, Linux is the best technology to choose when it comes to your OS of choice. If you’re a techie, you may certainly enjoy it and plenty of VPN services have easy setup guides using OpenVPN on Linux.
Use Anonymous Payment Methods
The first thing that you can do to enhance your privacy is to use anonymous payment methods. If you order physical goods online, you still need to provide a delivery address but if you want to pay for services, you have options to protect your identity. Bitcoin is the most popular solution but some services would even accept cash posted anonymously
What is Bitcoin?
Bitcoin is a decentralized virtual currency that work in peer-to-peer manners, similarly to BitTorrent. The idea is ground-breaking as it does not entail an intermediate body to regulate it. For many, Bitcoins represent a good investment opportunity, while others regard them as a high risk option, due to the fact that they are not regulated so the value can increase of decrease dramatically at any time. Bitcoin acts as an anonymous currency that can be purchased, exchanged, invested and used to pay for goods and services, so it can move freely through the market, as any other currency. Even though, Bitcoin is not as widely accepted as regular currencies, it is becoming more and more popular, particularly when it comes to online services, such as VPN that aim to help users to protect their anonymity. Vice-versa, you can pay for a VPN service using Bitcoin in order to keep your purchase anonymous.
It is important to keep in mind that Bitcoin on its own is not anonymous but it can be used in an anonymous way, if you follow some recommendations when acquiring them. You can use anonymous, temporary email addresses when buying Bitcoins and use a different Bitcoin wallet/address for each purchase. Also, make sure that you never use personal information such as your real name, your address or phone number.
Additionally, you can look for a local Bitcoin seller and pay for them in cash by using a seller locating website like LocalBitcoins.com. You can contact them an arrange to meet them to make the transaction. Keep in mind that the prices may be higher and it is important that you check for feedback for the seller you have chosen, to make sure that it is legit.
Pre-Paid Credit Cards
This method is not available everywhere but in certain locations, you can use pre-paid cards that can be acquired through shops. By purchasing a pre-paid credit card with cash money at a retailer, you effectively remove a paper trail for that initial purchase. To increase anonymity, you can use the card to buy Bitcoins anonymously if you use a disposable email address to complete the transaction.
How to Make Your Internet Use Anonymous
Using a VPN service or connecting through Tor are the most popular, convenient and effective ways to keep your online activity anonymous and to protect your data. Both options can hide your actual IP address and encrypt you internet traffic. Proxies are other alternatives to access content that is not available in your area and disguise your IP address. However, they cannot offer security for your data. We will take a look at VPN services and Tor, which are the best methods to improve your privacy online.
VPN can help you to ensure that your privacy remains intact by creating a secure connection between your device and a remote server. Without a VPN, your online traffic goes from your computer through your Internet Service Provider and then internet. If you use a VPN, your traffic goes from your device, to your ISP and is routed through a VPN server to internet. When data enters the VPN tunnel, it is encrypted so its is not accessible for anyone, including your ISP. The data can only be accessed by the computers at each end of the VPN tunnel. This is far superior to a Proxy or Smart DNS intermediary server in terms of security and privacy.
The majority of VPN providers promise to keep no logs, but using a U.K. or U.S. based service can pose a risk that rules can be bent if pressured by authorities. IronSocket, AirVPN, or NordVPN are only some of the international logless VPN services available, but it is not to say that no U.S. provider has been trustworthy thus far, unless US law enforcement officials request to start looking at your data, US providers such as Private Internet Access and ExpressVPN remain very good, if not better choices, as they have been able to keep a clean slate thus far.
Assuming that you are using a provider that does not keep logs, the benefits of using a VPN connection include security and anonymity for your internet activity no matter where you may be. It enables you to establish a secure connection when you are using public Wi-Fi hot spots, which are otherwise completely unsafe and a haven for cyber criminals. With a VPN, you can bypass geo-location restrictions to access online content and evade firewalls implemented in certain countries to censor internet content. By changing your server location to the country of your choice, you can access content that would otherwise be restricted to local use, such as Netflix, or various other streaming services. Using a VPN is considerably faster than using Tor and it is an ideal option for P2P filesharing.
There are some downsides to using a VPN, one being that you must put your faith that your VPN service is trustworthy. Another issue is that your ISP and surveillance agencies can still recognize that you are using a VPN service simply by identifying the traffic as being encrypted, which is why it is of utmost importance to use OpenVPN or equivalently secure protocols to ensure the data remains encrypted and private. Finally, another very important downside to mention is bandwidth speed loss due to encryption and server location. As mentioned, you can technically connect anywhere in the world and access local services, but the further away you are from that location, the slower the connection may get. Some speed loss is always to be expected. If quick transfer speeds fit into your needs, short routes and fast VPN services are a must.
Depending on your needs, various other factors can also come into play when selecting a service, jump to our VPN service reviews for detailed information on pricing, global coverage, hardware, and software support. Or you may also opt for our ranked Top 10 VPN services page.
Originally known as The Onion Network, Tor is a network run by volunteers that offers free software which allows you to surf internet anonymously. When you use Tor, you connect through at least three relay points or nodes that are selected randomly. These volunteer node computers serve the purpose of masking the traffic, making it impossible for the website to know who is really visiting, while hiding what website was visited to the ISP. The data in encrypted every time, meaning that even though each node can only recognize the source of the data and where it is going but it cannot trace the whole route. One of the main weaknesses of Tor is the final node, the one that establishes the connection to internet. The volunteers running the exit nodes may face prosecution for the activity of another Tor users that have accessed the network for illegal purposes, since the IP address of the offenders can be traced to the exit node’s IP address.
This is the reason why the number of public exit nodes available is limited, which has enabled China to restrict access to them once identified and blacklisted. While there are still nodes to connect to, many Tor users would need to reconnect multiple times and try different nodes before finding one that has not been blocked. Since the data is routed through a variety of servers located around the world before connecting to internet, Tor is usually very slow, which means that it is not ideal for P2P downloading or content streaming. Furthermore, many websites can recognize that you are using Tor and may not allow you access. However it also offers great benefits, including security and anonymity and the fact that it is free. It also enables you to access public Wi-Fi hotspot securely and bypass firewalls and geo-location restrictions. You can learn more on our Tor FAQ and Guide here, or by visiting the official website: TorProject.org
The Importance of Securing Your Browser
When you connect to internet, you are not only exposed to surveillance from government organizations but also to corporations that want to access your data for their own benefit. Advertisers are capable of using devious techniques to follow your activities online in order to identify your habits. Companies can use this data to sell you goods and services or can sell information about your interests to others that want to use this information to make money. Anyone that is concerned about privacy must know about HTTP cookies and the importance of clearing them . You also need to keep in mind that the majority of browsers are currently offering a Private Browsing mode that ensures that your online history is saved and that also blocks HTTP cookies. It is advisable to always use Private Browsing when you are surfing internet but keep in mind that this is not all you need to ensure that your activities are being tracked online, as there are other traces that can be followed.
DNS cache is the information that remains after your browser caches the IP address it gets from your default DNS server, with the aim of speeding up your internet access. Windows users can find the DNS information that has been cached by entering “ipconfig/displaydns” at the command prompt (cmd.exe). This cache can be cleared in Windows by opening the command prompt and typing the following: “ipconfig/flushdns” and hit enter. OSX users (up to 10.4) need to open Terminal and enter: “lookup-flushcache” and those using OSX 10.5 and above can enter: “dscacheutil – flashcache”.
Flash cookies are also widely used to track your online activity. They are not always blocked when cookies are disabled in your browser and they can keep track in the same manner as regular cookies. You can find them and remove them manually in Windows by going to this directory: C:\Users\username\AppData\Local|Macromedia\Flash Player\#SharedObjects. For OSX users (10.4 and below), the option to locate them is to go to User directory, then Library, Preferences/Macromedia/Flash Player\#SharedObjects. Users of higher OSX versions should go to User directory, then Library/Preferences/Macromedia/Flash Player/macromedia.com/support/flashplayer/sys/.
A more effective way to ensure that you are safe from Flash cookies is to use the CCleaner utility, which is available for Windows and OSX. It does not only removes Flash cookies but also everything else that can be slowing down your computer and enabling others to follow your activities online. It is important to make sure that CCleaner is properly configured to complete this task efficiently. The use of Flash cookies has decreased, since nowadays, more users are aware of them and related issues like zombie cookies, which are bits of persistent Flash code that regenerate regular cookies when they are altered or deleted. However, this does not mean that they are no longer a risk for privacy.
Browser Add-ons / Extensions
Since companies are eager to obtain information that can be commercially exploited, they are willing to employ any methods available or even invest into developing new ways to track online user activity down to the finest details. Other forms of web tracking include Browser Fingerprinting, which is the way to identify your browser, based in its unique features. Details of your Operating System and browser configuration, enable third parties to identify your browser accurately. Ironically, when more plugins are used, more likely your browser is to be tracked. However, there are options available to avoid this, including the recently released Privacy Badger browser add-on from the EFF (Electronic Frontier Foundation), a group that campaigns in favor of online privacy. This technology promises to offer protection from fingerprinting.
Another web tracking technology used is HTML web storage, which is built into HTML5. It is a technology more powerful than cookies and it allows to store data in web browser but it is more persistent and has a larger storage capacity. Furthermore, it cannot be identified or monitored and it cannot be selectively removed for your browser. Web storage is used in all browsers by default but it can be disabled in Firefox and IE. Firefox also allows its users to configure add-ons such as Click&Clean and BetterPivacy, which allows to remove web storage regularly. Chrome users can also use Click&Clean, as well as the Google NotScripts extension (revision: NotScripts was abandoned by its developer in 2014, and subsequently removed from the Google Store). It is important to keep in mind as previously mentioned that using these browsers, increases the chances of your browser being fingerprinted.
ETags are markers that part of HTTP, the Word Wide Web protocol and they are used by your browser to keep track of resource changes at a particular URL. Websites can compare the changes in these markers an create a fingerprint to track you. They can also regenerate HTTP and HTML5 cookies and when they are implemented in a website, they are used by associate companies to monitor your online habits. The main issues is that this type of cache tracking is very difficult to detect, which makes reliable prevention a challenge. You can clear your cache after visiting each website, as well as turning off your cache completely/ However, these methods are not practical and will not allow you to enjoy your browsing experience.
An even more worrying tracking technology that is used nowadays is History stealing or history snooping, which allows a website you visit to get access to your previous browsing history. This data can be mixed with social network profiling to find our personal information about you and it is practically impossible to avoid. Fortunately, using a VPN or connecting to internet with Tor, will allow you to disguise your IP address, which will help you to protect your identity online.
There are also useful extension that you can get to enhance your privacy online. One of the best browser extensions to protect your privacy is AdBlock Plus, which is available for Firefox, Chrome, Opera and Android. This is an indispensable extension that allows you to block all kinds of ads, even in social media and online streaming sites like Facebook and YouTube. It also notifies you when you are visiting hosting websites known for malware and removes third party cookies and scripts. It is very advanced and also easy to use.
There is also BetterPrivacy, an extension that can block Flask cookies in Firefox. It is also good to know that nowadays, most browsers have a Do Not Track function that instructs websites to turn off tracking when you visit them. This is a useful option but it is important to be aware that for it to work, website owners would be the option implemented on their site.
A more compatible option is Disconnect, an anti-tracking and anti-cookie extension, available for Firefox, Chrome, Internet Explorer and Safari. It counts with an updated database of tracking cookies, as well as features such as secure Wi-Fi encryption, analytics tools and page load optimization. With this extension, you can control all the elements of a website and block third party tracking cookies, preventing social media websites to track you and gather information when you are online. The paid version includes a VPN, but we cannot attest to quality.
Other effective solutions include HTTPS Everywhere, an extension created by the EFF that can be used with Chrome and Firefox. It ensures that you always access a website using secure HTTPS connection, whenever possible.
Since mobile devices have become so popular and they offer a convenient way to connect to internet from anywhere you are, it is crucial that you ensure that your browser is also protected there. Securing your mobile browser can be more challenging but there are options that you can implement. AdBlock Plus is one of them. Private Browsing and Do Not Track are also becoming standard options available for mobile browsers.
Flash Player Settings
In spite of its popularity, Flash Player can be highly insecure and vulnerable to attacks. It is important that you check its settings and by default keep as many options possible turned off as part of better securing your online browsing. Most security plugins disable Flash by default, in order to protect you. However, if you want to access Flash content, make sure that you only use it on trusted websites. You can access the Flash Player Settings by right-clicking on any Flash content and selecting “Global Settings.
Use a Private Search Engine
Google is without a doubt the most popular search engine in the world. However, it is known for storing information from its users such as search history, terms searched and IP address. This data is normally transferred to the requested website and those who run advertising batters that appear on that website. This information is collected to target you with ads that may be relevant to your interests, based in a profile created using your browsing activity. Furthermore, Google and other search engines provide this data to the government whenever required. Below is a recent snapshot of disclosed requests for the past few years directly from Google’s transparency report, which indicate an upwards trend:
Delete Your Google Search History
In order to stop Google from profiling you, you should clear your search history. Even though this will not avoid government organizations or anyone who is spying on you to collect information based in previous searches, it will help you to prevent the company from gathering details about you to create a profile. You can clear your Google History by signing up into your Google account and visiting www.google.com/history. There you will see a list of your recent searches, which you can remove selectively. You can also use the checkbox at the top of the page to remove all items. Click on the gear icon on the top right side of the screen and select Settings to turn off Search History.
If you are concerned about Google or other recognized search engines accessing or sharing any embarrassing search queries, you can opt for a search engine that does not track you. There are now more than a few available private search engines that respect your privacy.
One of the most predominant choices is DuckDuckGo, which promises not to collect any data from its users. They operate by deleting data and IPs related to search queries, without using any artificial identifiers to attach queries to. Pretty much nothing is left to track. With DuckDuckGo, you can enjoy anonymous searches and no tracking.
An interesting option is StartPage, which pledges not to track users or store/share any data and uses proxies to privately search on Google for you. Similar to previously existing Scroogle, if you prefer Google search results, this is your choice.
Ixquick is from the same company as StartPage, and runs the same using proxies, with the exception that it pulls queries from multiple search engines at once. It is also notable that both options include video search options, often lacking in private search sites.
Gibiru also allows you to perform online searches securely because it doesn’t associate your query to your IP address. This is possible thanks to the use of proxy servers. Additionally, Gibiru deletes all records instantly so they do not keep any data.
Finally, YaCy appears as a decentralized engine that works with P2P technology.
Improve Email Security
While the majority of emails offer a secure SSL encrypted connection from the sender’s side to the email servers and from email servers to the recipient, this does not guarantee that your emails remain private. Many email providers, particularly the most popular ones, are likely to hand your information to third parties, specially to government surveillance organizations. The best option to protect the privacy of your emails is using end-to-end encryption, which ensures that the content is only available for the sender and the intended recipient. It is important to note that an encrypted email system can only work if all the parties involved have implemented it. This means that all your contacts, senders and recipients, must use this type of encryption.
Another issue with email encryption is that it only secures the content of a message. Information such as the email addresses, subject, time and date of sending are not encrypted, meaning that you are still subject to the collection of metadata. Using email encryption is more likely to catch the attention of government organizations that will store your emails to try to decrypt them. Still, if you want to protect the information, including attachments sent or received via email, there are some end-to-end email encryption solutions that you can implement such as GNU Privacy Guard, which is the open source alternative to Symantec’s PGP or Pretty Good Privacy. GNU PrivacyGuard or GnuPG/GPG is free and it can be used with Windows, Linux and OSX. There is also a version available for Android users.
Opting to use an encrypted webmail service, preferably end-to-end, is a convenient alternative to protect the privacy of your emails. However, it should be noted that the company would also hand data to law enforcement, whenever applicable. Hushmail was a prime example back in 2007 when some emails had been captured for Canadian Court warrants against suspected criminals.
In addition, it is possible to encrypt Gmail using a free Firefox extension called Encrypted Communication, which is simple to use and offers 256-bit AES end-to-end encryption. Your recipient must also have the extension installed and the content of the email will be protected by a password, which you should exchange in person (if possible) or through another encrypted messaging system. Mailvelope is a browser extension for Firefox and Chrome that offers another option to encrypt your email communications. It allows you to apply full-end-to-end encryption over Hotmail, Gmail and other email services.
Privacy of Your Online Conversations
Not only your emails can be compromised, it is also important to ensure that other channels of communication that you use on internet are also protected. These include VoIP and Instant Messaging or mobile SMS text services. VoIP stands for Voice over Internet Protocol and it refers to a service that allows you to make phone calls to any place in the world and to send instant messages online. Skype is one of the most recognized names in this area. However, it is vulnerable to eavesdropping and government surveillance, as it has been reported that part of the PRISM program, Skype video and audio conversations had been collected by the NSA. In order to protect the privacy of your voice conversations online, it is important to use VoIP with end-to-end encryption. Using a VPN in conjunction with a secure VoIP app is also very effective. There are multiple options that allow you to enjoy the features that you get with Skype but in a secure manner.
Secure Skype & Messaging Alternatives
Linphone – Android, iOS, Windows Phone, Windows OS, Mac, Linux
With a wide compatibility range, Linphone is a free open source Skype clone that allows for audio and video calls with advanced conferencing and call waiting options. Chat, file sharing and a variety of configurable settings also available. Mobile apps are properly supported for smartphone and tablet formats. Security wise, Linphone provides secure protocol options of zRTP, TLS, and SRTP.
Telegram – Android, iOS, Windows Phone, Windows OS, Mac, Linux, Web Platform
Another great highly secure Skype alternative is Telegram. We have discussed how Facebook and WhatsApp have most likely felt threatened by Telegram’s presence. Available across all major platforms including online, the service operates on a cloud platform with API support, secure encryption and self destruct options. Telegram stands behind their encryption by offering a $200,000 BTC reward to anyone that cracks it.
Jitsi – Windows OS, Mac, Linux, Android
Jitsi is a free and open source software that can encrypt all your conversations and file transfers using ZRTP and OTR. The encryption is implemented with a padlock and the service (available for OSX, Windows, Linux and Android) is easy to use. Video and voice calls with conferencing, along with chat and file sharing options are all available. A very good Skype replacement with solid layered padlock encryption.
Silent Phone – Android, iOS
Silent Circle, makers of the previously mentioned Silent Mail that was shut down in the wake of possible privacy vulnerabilities, is a very popular and secure VoIP service. It offers services for iOS, OSX, Android and Windows. Silent Phone allows for voice, video and text communications, as well as file transfers up to 100MB in size. Scheduled message history deletion. A paid version is available with extra functionality.
Signal – Previously RedPhone – Android, iOS
Android and iOS users can opt for Signal, previously known as RedPhone by Open Whisper Systems, another free and open source application that allows you to use your usual phone number and gives you the option to encrypt your calls and SMS text messages, also replacing their now defunct TextSecure. What is notably different about Signal is that it uses your actual phone and number but with end-to-end encryption for callers using the app, essentially making it a caller encryption service and not a VoIP app, but fully supports video messages without extra fees.
Pidgin has gained a large amount of users on Windows by providing an open source service that combines all your IM accounts into one. All your various accounts and contacts can be combined from AIM, MSN, AOL, ICQ, IRC and many more. Linux users can also use Pidgin but pre-built packages are not available. OTR – Off The Record, is a plugin that can be used in combination with Pidgin to make it secure. It applies layered protection with AES encryption, SHA-1 hash function and perfect forward secrecy to ensure top shelf security. This does require some configuration, but we have a step-by-step guide on setting up Pidgin with OTR encryption to help you get started.
Addium – Pidgin Clone – Mac, iOS
If you happen to be on a Mac OSX platform, Addium, considered Pidgin’s sister app is an OSX and iOS compatible open source option that comes with OTR already available, removing the need to configure anything.
ChatSecure – Android, iOS
ChatSecure is another mobile option that also uses OTR and perfect forward secrecy along with strong encryption measures. You can connect Facebook and Google accounts as well as create new accounts on XMPP servers with Tor, or even opt to use your own server. ChatSecure can be used in conjunction with other OTR services.
Using a secure password may seem like an obvious recommendation, but many people still are overlooking the importance of setting up strong passwords. When we discuss the use of all these various accounts and emails, weak passwords are just as prone to be exploited and easily provide a wealth of private details to cyber criminals, increasing the risk of identity theft.
There are multiple tips to follow in order to enhance the security of your password and protect your information from being compromised. The first tip is to use different passwords for all your sensitive accounts. As far as passwords go, the easiest option to increase strength is to add a punctuation, exclamation mark or a random space somewhere in your password.
Probably the best method is to use a phrase as your password. This will add length and complexity to your password, making it even more secure than lengthy random characters. You can also opt for password management programs such as KeePass, Sticky Password or Firefox password manager, which encrypt your passwords, but also help by remembering and managing them all for you.
Computer and Device Security
You can opt to locally encrypt your data as an extra layer of protection for your local sensitive information. This will protect in case of theft, but there are additional steps to take as well. Adding a password to both your BIOS/UEFI and OS account can help deter a thief from accessing your device. If you carry a laptop or tablet around besides your smartphone, some general guidelines can be helpful to remember and regularly practice. Windows system administrators may be interested in Enhanced Mitigation Experience Toolkit (EMET), a Microsoft tool used to prevent attacks on their software. The list goes on but some basic software tools remain strong options for better system security.
Viruses remain an online threat and a solid anti-virus is the first step to keeping your system in healthy state. In general, both paid and free options are sufficient. Paid services come with better customer support and communication channels if ever needed. While many exclusive features are also reserved for the paid options, there are plenty of free anti-virus apps that do a great job on their own. Our two favorites are:
Avira – Windows, Mac, iOS, Android
Avaast – Windows, Mac, iOS, Android
Often overlooked and unbeknownst to the general public, anti-malware software should be used in conjunction with an anti-virus. Malware and viruses are essentially the same. A virus is part of the malware family, but other malicious code such as spyware, trojans, ransomware and more, fall under malware. This also includes adware which can not only track you with cookies, but also terribly slow down your system. The software is designed to catch suspicious code that could otherwise escape an anti-virus and vice-versa, and greatly improve system performance. As with anti-virus apps, free versions are sufficient. Our favorite tools to use are listed below. An overkill but effective solution is to use two or three of these in separate scans to achieve an ultimate level of malware detection.
RKill – Windows, Mac, Linux
ComboFix – Windows, Mac, Linux
AdwCleaner – Windows, Mac, Linux
MalwareBytes – Windows, Mac, Android
CCleaner – Windows, Mac *Previously mentioned tool for cleaning Flash Cookies
Another great layer of security to a server or personal machine is a firewall that will monitor all in and outbound traffic and block packets accordingly to how it is configured. It can be highly flexible but also extremely complicated and troublesome. It is often a long process to allow and disallow various software programs from having external network access, but once properly configured, a firewall can protect against external attacks, as well as internally by blocking apps from accessing the web when they shouldn’t be in the first place.
You can improve further your security by accessing internet using a Virtual Machine. Virtual Machines are software programs that act like a hard drive in which an OS like Linux or Windows is installed. This enables the virtual machine to function like a regular computer in software, using your regular operating system. With a VM, all files are self-contained, meaning that the actual computer that you are using to run the software is not exposed to viruses that may attack the virtual machine. You can also encrypt a Virtual Machine to enhance your privacy. Some Virtual Machine options are VMware Player and VirtualBox which supports Whonix: An anonymous OS that operates inside the VM with highly secure features such as DNS leak protection, Tor network gateway, as well as an isolated network.
Secure Cloud Storage
The popularity of cloud storage services continues growing and thanks to faster internet speeds, these services have become more accessible and affordable and somewhat indispensable for some industries, and even personal use. Given the multiple options we have to access internet and the high demand for content online, it is clear that we need more space to keep our files and more practical ways to access them from various locations or devices. The issues is that the privacy and security of the files stored in the cloud can be compromised. The largest cloud storage services have been infiltrated by the NSA and are likely to scrutinize your files and release information whenever required. The good news is that there are steps that you can take in order to secure your files. The options include encrypting your files manually before uploading them to the cloud and also to utilize a secure encrypted cloud storage service to start with.
Protect the Privacy of the Files You Store in the Cloud
Encrypting your files manually is a convenient method that allows you to ensure that your files are protected, regardless of the Cloud storage service that you use. You can easily sync files on your desktop, since it is possible to add your encrypted folder to your Cloud storage folder. However, you would not be able to access your files on the go. The alternative to manual file encryption is to choose a cloud service that encrypts files automatically. Services like SpiderOak encrypt your files before uploading them to the Cloud. The downside with these services is that they store your password on their servers temporarily in order to verify your identity and grant you access to you to your files. Once you finish a session, the password is deleted from the log. Another downside is that most cloud service providers are not open source, but SpiderOak plans to eventually become so.
While it is not a cloud storage service as such and it is currently in its experimental phase, BitTorrent Sync is an option that allows you to synchronize files and folders across your devices, without storing them in the Cloud. It is free, easy to use and it is available for OSX, Linux, Android, Windows and soon for iOS as well. Simply choose a folder that you want to share and BitTorrent Sync will set a password or secret that you will need to access it. Then you can link the folder that you want to share with a folder on another device that also has BitTorrent installed. You can add other folders in the same way and all the files will be transferred using P2P protocol with 256-bit encryption.
Online Services Based in US and UK
An additional recommendation that you should consider is that US and UK companies are more vulnerable to infiltration from the NSA and the GCHQ and in many cases, these corporations collaborate with these organizations willingly. Other times, US companies are forced to hand over user data from any subscriber regardless of location of the user or data.
Edward Snowden’s revelations exposed the large scale of the spying programs implemented by these agencies and in light of those revelations, it is not absurd to think that US and UK-based companies are actively involved in these surveillance efforts. At least, they are more likely to be monitored by these government organizations. In general, they try and collect as much data as possible. As such, if privacy is your main concern, you may want to be more careful when dealing with them, and possibly opting for other international providers instead.
Under the current Foreign Intelligence Surveillance Act and Patriot Act, anyone using a US based service provider is at risk. Given that UK’s GHCQ works closely with the NSA, both locations should be considered questionable.
Social Media Privacy
Nowadays, social networking sites enjoy a huge popularity and are the scenario in which we can share everything about our lives. While a large part of the information is provided voluntarily by users, these sites may also use invasive methods to obtain more details about you. Facebook is not only a famous social network site, but it is also recognized for its role as privacy foe that is willing to profit from your information, by selling it to advertisers. Not to mention that they will hand your data to government organizations without thinking it twice. Of course, Facebook is not the only social networking site that is guilty of putting your privacy at risk. Social media sites thrive by getting access to your information and exploiting it for their own benefit.
Keep Your Information Safe on Social Network Sites
When it comes to social media websites, privacy concerned users should steer clear of them. However, in many cases this is not the most practical solution because in spite of their issues, social network websites are a very convenient way to stay in touch with friends and family. They also allow us to stay updated with what is going on in the world and are a great source of entertainment. Businesses also rely on them to connect with their audience and build their brands online. There are more secure alternatives such Diaspora, a non-profit and open source social network that is owned by its users. If you are not ready to leave Facebook, Twitter or your favorite social networking site, there are a few things that you should keep in mind to improve your privacy when you use them.
Aliases – Don’t Use Your Real Name
Facebook insists that users sign up with their real name but you can opt for an alias instead. This is the best way to avoid other people accessing your Facebook profile without your knowledge. When creating or editing your Facebook or Twitter profile, it is also a good idea to avoid including accurate data about your location or interests. In other words, make it difficult for others to spy on you or to find out everything about you with only a few click.
Check Your Privacy Settings Regularly
Facebook is known for updating their privacy settings and policy very often. Their policies are anything but transparent, making it difficult for users to have control of what is shared without them being aware of it. Make sure that you keep a close look at the privacy settings of all the social network websites that you use and that you adjust them to keep your information as protected as possible. This will ensure that your photos, posts and any other details that you don’t want to share with the world, are kept hidden
Be Careful With What You Share
It sounds simple but if you have a look at social media profiles and posts, you will see that they are filled with private information. Many people seem to have forgotten that there are details about their life that should not be made public. Anything that you post on a social media website will be available for many people to see. Even if you delete it later, it will haunt you for a long time, if anyone was quick enough to share it with others or take a screenshot. Furthermore, it is important to keep in mind that the government monitors these websites and a simple joke could land you into big trouble.
Maintain the Privacy of Your Conversations
There is such a thing as too much information and you should avoid making an spectacle of yourself on social media sites. This is specially important when it comes to your interactions with friends and family. There are details that you should not discuss in public and too often, Twitter and Facebook are used as a platform for personal rows. Stick to private messages and DMs when you are having a conversation with someone. While this may not protect you from government surveillance of advertisers monitoring, it will save you from public embarrassment.
It cannot be denied that we have benefited greatly from internet and it has made things simple and convenient. At the same time, by accessing more information about us, technology has been able to evolve and become more efficient in addressing our needs. What we need to take a moment to think how far are we willing to go in the search for comfort and we should ask ourselves if it is worth sacrificing our privacy. However, it is important to consider that just as technology offers the tools that enable the invasion to our privacy, it also gives us the solutions that allow us to protect it. The advance of technology cannot and should not be stopped but it is necessary to keep in mind its impact on privacy.
The ability to interact not only with our close friends and family, but also with people around the world is one of the benefits of using internet. However, it has also made us more vulnerable to surveillance as the information we share has a greater visibility. While many people are unaware of the fact that their data is monitored or may not care, the reality is that if we all took a more careful approach when using internet and if we give privacy the importance it deserves, we may be able to ensure that a world in which we do not have the freedom to think or say what we want, is not the future that awaits us.
We have described the options available to improve our privacy online. While there is no method that can guarantee complete safety and any technology is subject to weaknesses, the tools and advice that we presented in this guide can help you to defend your right to protect the information that you want to maintain private.