Honest Citizen's Guide to Digital Privacy - In Dark Times

If you haven’t done so already, now might be a good time for you to protect the privacy of your digital life. There have been quite a few how to articles on digital privacy published online since Donald J. Trump became President-elect of the United States. I’ve shared a collection of links to those articles below, and I’ve also offered my own list of things you might do as well. Before we dive in, however, it’s probably worthwhile to take a moment to consider why protecting your privacy is a wise course of action.

Why It’s Smart to Protect Your Digital Privacy

Protecting your digital privacy is admittedly a bit of a hassle. It’s certainly understandable for an honest, ordinary, law-abiding citizen in a democratic republic to conclude that it’s hardly worth the trouble.  Perhaps you are such a person.

You might argue that it would be quite different if you were a journalist reporting from within some repressive authoritarian regime—or even from London or Washington DC. You’d probably have sources to protect, information that people with power and resources would rather you not share, an exclusive story you don’t want a competitor to steal, and all of that sort of cloak and dagger business. But that probably isn’t you. Maybe you’re not doing anything more controversial than sharing cat videos on social media. You’re certainly not doing anything illegal. What’s there to worry about?

Innocence Doesn’t Matter and Institutions Won’t Protect You

If you’re an American citizen you might even say, “Hey, doesn’t the Fourth Amendment to the Constitution guarantee my right to privacy already?” The answer is no. A right to privacy is merely alluded to in the Fourth Amendment. It’s implied by all of that business about unreasonable searches and seizures, the likes of which are now largely ‘legal’ thanks to provisions of the USA Patriot Act instituted after 9/11 by President George W. Bush (and a legislature more than happy to trade rights for security), and extended by President Barack Obama (thanks Obama!).

No one really cares or not if you’re doing anything wrong or illegal. That kind of care would entail respect for civil rights and due process of the law, which is precisely what the USA Patriot Act is designed to circumvent. And remember, honest, law-abiding citizen, that this is the situation today—right now. Should an autocrat succeed in overthrowing the republic, a prospect that suddenly doesn’t seem so far-fetched, then it is probable that many more people are going to find themselves confronting state power in various unpleasant ways, not just political activists, journalists, and vulnerable minorities.

No one really cares or not if you’re doing anything wrong or illegal. That kind of care would entail respect for civil rights and due process of the law, which is precisely what the USA Patriot Act is designed to circumvent.

But in fact it doesn’t even have to come to this. Even while the republic stands there is a wave of nativist, nationalist sentiment growing in the United States and Europe. Those who embrace this wave of sentiment will target people who don’t look like them, who don’t believe the same things they believe, and who don’t live the same kind of lives they live. They’ll attack using both political and extra-political means. If you’re a target, then protecting your digital privacy is an important part of an overall strategy to defend yourself and those you care about. If you’re not a target but are nevertheless still a decent person, then you’re obligated to help the vulnerable. That will make you a target as well.

 Measures You Can Take to Protect Your Digital Privacy

Here are a few relatively easy things you can do to protect your digital privacy. They don’t require an inordinate amount of tech savvy, and they’re not that expensive. In fact, most of them are free.

Encrypt Your Text Messages and Phone Conversations

Install and use Open Whisper Systems’ Signal messaging app for text messaging and phone calls. It provides end-to-end encryption, and it’s free. It’s even endorsed by NSA whistle-blower extraordinaire, Edward Snowden. Bear in mind, however, that to be fully encrypted, you need to convince your friends and family to install and use it as well. There are simple download and installation instructions on Open Whisper Systems’ website.

You could also use WhatsApp, which also uses Open Whisper Systems’ end-to-end encryption.

Encrypt Your Phone Data

Both iOS and Android have native encryption. You just need to turn it on. For iOS 8 and above, all you have to do is set an access password and it’ll encrypt automatically. Some newer Android phones are already encrypted, but most require taking some steps. First you set up a password. Then you have to activate encryption (which is fairly simple, but does take some steps). Here is an article from Redmond Pie that shows you how to do it.

Once encrypted, the data on your phone is digital scrambled eggs without the password. Remember in early 2016 when the FBI asked Apple to unlock the iPhone to obtain data on one of the San Bernardino terrorists? That’s because there was no way the FBI was going to read that encrypted data. Apple (thankfully) refused to build a security-compromising back door for the government. Eventually the FBI got the data by using software to hack the access password.

Encrypt Your Hard Drive

Both MacOS and Windows come with native hard drive encryption. You simply have to turn it on. See instructions in the provided links.

Use a VPN

A VPN is a Virtual Private Network. If you have a company-issued laptop where you work, you probably log into a VPN to securely access your email and work network when you use the laptop at home or when traveling. You can purchase and install your own personal VPN as well. I recommend you do so.

A VPN allows you to create a private, secure connection to another network even when you’re accessing the internet via a public network. For example, perhaps you’re using free wifi in a coffee shop (which is notoriously insecure). Your computer exchanges trusted keys with a faraway server and encrypts the data connection. This makes you invisible to anyone eavesdropping on the wifi connection in the coffee shop. They can’t harvest your data.

A VPN can also mask your physical location to the websites you visit. If you live in San Francisco, and your VPN connection is to a server in Amsterdam, it appears you’re using the internet from Amsterdam. That provides all kinds of advantages to people who live under authoritarian regimes. Want more detail? Check out this article from LifeHacker.

Use the TOR Browser and the DuckDuckGo Search Engine

The TOR browser allows you to browse the internet anonymously. It bounces your communications around a network of relays run by volunteers (you can volunteer to help if you are so inclined). Like a VPN it keeps the sites you visit from knowing your physical location, and it allows you to access sites that are blocked (e.g., if you live in a country ruled by a regime that censors parts of the internet).

TOR is built on the Mozilla platform, so it functions like the Firefox browser. It’s available for your computer and your smartphone. To remain secure, be sure not to install any plug ins or extensions (they may gather data). Also, be sure not to open files you download while you’re connected to the internet.

By default, TOR uses the DuckDuckGo search engine. It doesn’t gather data or use cookies like Google does.

Use 2-Factor Authentication

Given an infinite amount of time, a roomful of monkeys typing on keyboards will eventually guess the password to your email account, online banking account, laptop computer, etc. Password cracking software might be able to do it in under an hour. However, if entering that password prompts a code to be sent to your phone via SMS, and you have to then enter that code as well as the password, and the monkey is in Russia and doesn’t have access to your phone, then the monkey doesn’t get in. That’s how 2-Factor Authentication works. Set it up wherever you can and use it. For example, here is how to do so to secure a Gmail account.

Use Strong Passwords

The days of abc123 and password are long over. There are some tips about creating strong passwords that you may already know, but that certainly bear repeating:

  1. Don’t use the same password on multiple accounts. To do so gives a hacker access to your entire digital kingdom rather than to a single account.
  2. Longer passwords are better. Each time you increase the password length you exponentially increase the number of possible correct passwords. The greater the number of possible passwords, the harder it is to guess yours.
  3. A combination of upper case, lower case, numbers, and special characters is better than just alphabetical text. Doing so increases the possible number of characters used at each keystroke, which exponentially increases the number of possible correct passwords.
  4. Don’t reuse old passwords. There are just too many large-scale data breeches that may have harvested your old password for this to be safe. For example, in 2014 a hacker published the passwords to nearly 5 million hacked email accounts. If you were one of those 5 million people, you’ve hopefully changed your email password since then. Now image that you recently signed up for online banking with your bank and you recycled that old email password. If a hacker had those published passwords and wanted to break into your online banking account, you can bet that that hacker would give your old password a try.

Consider Using a Password Manager

A password manager assigns a random, complicated, hard to memorize password to each of your digital accounts. It stores them in an encrypted file. The software then logs you into your accounts. You don’t even have to know your passwords.

You protect the password manager and its collection of passwords with a master password. This master password is the only one you have to memorize, and it needs to be super strong.

The advantages are great. You have maximally complex passwords in place and you don’t have to memorize them or even know them. It’s far more secure than the sloppy but easy to recall passwords most of us use.

The downside of a password manager is that it’s a single point of failure. If someone is able to access your master password and your password manager, then they have everything. Of course, 2-Factor Authentication can help mitigate this risk. To learn more, check out this article from How to Geek.

Use Passphrases Rather than Passwords When Possible

If someone really wants your data, there are robots that can hammer away and crack a 10 digit password eventually. Passphrases, however, are much more difficult, if not impossible, to hack.

What’s the difference? A password is typically a 10 digit combination of numbers, letters, and special characters (e.g., F3kn$8@pL7). A passphrase is a sentence with spaces. For example: I know 12 cats with long tales.

A passphrase doesn’t have to be grammatical (better if it’s not), and you can easily implement upper case, lower case, number, and special character requirements. It shouldn’t be guessable based upon what people know about you (e.g., you’re an Abraham Lincoln scholar and you’re using 4 score and 7 years ago).

Some credentialing systems won’t allow long strings of characters. Also, long passphrases are a bit unwieldy to type into a smartphone. However, they’re ideal for a laptop or desktop computer. All major operating systems (Windows, Mac, Linux) allow passphrases up to 127 characters. Passphrases are bomber! Check out this article from Password Dragon for more detail.

Provide False Answers to Security Challenge Questions

When you forget your password, you can often reset your password after you answer a Challenge Question. Factually correct answers to these questions are a vulnerability. For instance, a quick check of your Facebook profile may reveal the name of the city you were born in or the name of your pet. To be extra safe, provide false answers that only you could know to challenge questions. If you were born in Minneapolis, answer New Orleans. Of course, you have to remember you answered New Orleans.

Install Quality Virus and Malware Protection and Keep It Updated

If you accidentally infect your computer with key-logging malware, you’re toast. The malware records the keystrokes you use to enter your user name and  password, and that’s it. You’re compromised. Even a sophisticated password or passphrase isn’t going to help (however 2-factor authentication will help!).

A List of Digital Privacy “How To” Articles

As promised earlier, here is a collection of articles detailing how to protect your digital privacy. Some of them cover material I don’t, so you might want to take a look at them.