5 Ways to Improve Your Privacy Online
In this post-PRISM era, it's only natural to assume your Internet activity is an open book -- and you may just be right. "Always assume anything you put into a computer can be read by someone else and act accordingly," said John Simpson, privacy project director at Consumer WatchDog. How to reclaim some of that lost privacy? Start with these five steps.
Jul 30, 2013 5:00 AM PT
It wasn't long after the Internet came into widespread use that online privacy became a growing concern. After all, anytime people are connected through their computers and sharing resources online, there's the potential for prying and abuse.
Such concerns were compounded with the arrival of social networks, online banking and, of course, malware -- among other points of potential weakness. Then -- just last month -- PRISM happened.
Today, it's only natural to wonder just how much of your Internet activity is truly private -- or to suspect that none of it really is.
Fundamentally, all data on the Internet falls into two broad categories: private and encrypted, or nonencrypted, publicly readable clear text.
Those two simple classes of data are continually shuttling around the Internet, either streaming in real-time or being persistently stored in archives as document and image files or in database records.
The reality is, without some method of strong encryption, anyone with access to your personal store of data can read your clear text documents, emails and files, in addition to seeing any other intermingled binary objects like photographs.
When you sign onto Facebook or Google, for example, you give both implicit and explicit permission to the respective Internet service provider to use part or all of the data associated with your activities in the manner specified by their Privacy Statement and Terms of Service agreement. Each ISP has them. Read them and determine if they are acceptable.
In the case of Google, your data won't be shared, but it will be parsed by Google (computer-speak for scanning keywords and lexical expressions for interpretation) in order to "intelligently" position personalized advertisements in your data stream for you to see while navigating their Web portal sites such as Google.com, Google Plus and Gmail.
Yet, even if your ISP says it won't share your data directly with third parties, how can you trust, much less verify, that such isn't being done?
The sad truth is, you probably can't -- nor should you. You also can't you verify that your data isn't being passed around the Internet.
Even if Google were deemed 100 percent trustworthy and maintained an impeccable record on privacy with stringent security, should one hacker succeed in cracking your Gmail account's password, for example, that personal data -- if stored in nonencrypted, public form -- is then directly readable by the hacker.
"Always assume anything you put into a computer can be read by someone else and act accordingly," John Simpson, privacy project director at Consumer WatchDog, told TechNewsWorld.
Act accordingly indeed. In that regard, approach how you conduct yourself the same way you do in the physical world in public places.
The degree to which privacy is possible today is a matter of debate, but the bottom line is that all of your Internet activity is up for grabs unless locked away using encryption. That doesn't mean, however, that there aren't steps you can take to protect yourself at least to some extent.
1) Browser Settings
There are some easy things that can be done to configure a browser for better security and privacy. Among the basics, "go into your Web browser's preference settings and set the browser not to accept 'cookies' from sites you haven't visited, also known as third-party cookies," Simpson suggested. "Generally, you'll want to accept cookies from the sites you visit.
"Apple's Safari blocks third-party cookies by default; Mozilla intends to make this the default setting soon in Firefox, but for now you'll need to opt for the setting," he added. "You have to choose these settings in Microsoft's Internet Explorer and Google's Chrome."
Also, the newest versions of Internet Explorer, Mozilla Firefox, Google Chrome and several others offer settings for "Do Not Track," a proposed header field that requests that a Web application disable its site and/or cross-site tracking of user activity.
"Consider setting your browser preferences to automatically clear cookies when you close the browser," Simpson recommended.
Installing Adblock Plus is one -- Adblock is a popular plug-in for Firefox and Chrome that strips out unwanted Javscript and HTML from Web pages on the fly to ensure that exploits and advertisements can't run in your browser. Selectively, the user can mark a website as whitelisted so that blocks aren't performed. The default behavior of Adblock is to block on any new site it encounters, and whitelisting is one click away.
Also recommended by the EFF are changing your cookie settings, as noted by Simpson, and turning off referers. Referer data may contain personally sensitive information from the preceding site you were on; installing plug-in Referer Control will strip this referer information out of the header.
The EFF's own HTTPS Everywhere plug-in, meanwhile, ensures maximal secure socket layer connectivity. If it detects that the site to which you connect using HTTP supports SSL, it will automatically try to establish a tunnel-encrypted SSL connection with it. With a tunnel-encrypted connection between your endpoint PC and the Web server, all traffic is shielded from view and privacy is assured.
2) Cloud Storage Encryption
Storage of anything private and personal in the cloud should use the strongest form of encryption possible. Strengths of encryption come in various standards. RSA 2048-bit key encryption provides the best possible strength when used with public key infrastructure. The chance of cracking an RSA 2048-bit private key is not nil, but it would take so long that attempting it is not practicable using today's raw computing power.
A strong cipher is the most important consideration. Close behind, however, are the questions of where you should use encryption and with what method.
If you have any data stored on the Internet that you would like to ensure never gets seen by anyone other than yourself, then this is a good candidate for encryption.
The strongest and safest method today for encryption of cloud data is Zero Knowledge. Zero knowledge means that your cloud ISP will have no knowledge of what is being stored on their site. The private key to unlock your data will be created by you on your local drive. Thus only you will have the ability to unlock the data -- not even the cloud ISP will be able to do so.
SpiderOak and Wuala are two examples of ISP Software as a Service sites that offer ZK data encryption.
There are now quite a few SaaS encryption vendors from which to choose, but those that support Zero Knowledge are the safest bet for those with privacy in mind.
3) Two-Factor Authentication
The use of hack-prone password-based access is being gradually replaced by technologies like fingerprint scan, keyfob-generated keys and two-factor authentication methods.
If your ISP uses password-based access, make sure you maintain strong passwords. A password's strength is measured by its ability to avoid being guessed. Many ISPs and portals will test the strength of your password as you create it. Pay attention and be sure that the test returns "strong."
"Do not use the same password for multiple accounts," Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse, told TechNewsWorld.
Instead, use strong passwords that are unique to each account, Stephens urged -- and that's particularly important for your most sensitive online accounts, such as for banking, email and social networks, he added.
Two-factor authentication is another method that's growing in popularity. Google Gmail now offers a free two-step authentication service. The goal is to avoid having your login stream (which includes your password) from being intercepted by a "man-in-the-middle" attack. Criminals equipped with programs called packet analyzers (also known as "sniffers") can see your streaming data and steal your password.
With two-factor authentication, in addition to entering a password, the system will send to your phone a unique ID number that must be input for authentication as well. Using such a method means the "man-in-the-middle" cannot and will not know what is on your personal phone and so cannot intercept such information.
If your ISP offers two-step authentication, you'd be wise to use it.
At the same time, "it's a good idea to avoid using the same website for both your Web-based email and as your search engine," Stephens cautioned. " Web email accounts will always require some type of a login, so if you use the same site as your search engine, your searches can be connected to your email account.
"By using different websites, you can help limit the total amount of information retained by any one site," he explained.
4) Encryption for Chat and Email
With Google Talk and Google Hangouts, one can set the chat session to "off the record" to ensure that the chat session is never permanently stored on Google's chat servers.
Also, installing Pidgin for both Windows and Linux -- it's a popular multiprotocol messaging software application -- along with its "off the record" plugin will ensure that your chat session will remain encrypted and private. This ensures that an additional encryption layer is added to the stream using OTR, regardless of what the underlying protocol provides.
The same encrypted vs. nonencrypted concept applies to email. If you don't want your email read, then it is imperative that you encrypt it. The good news is that encrypting email is technically feasible using GnuPG, PGP or S/MIME standards, for example. The bad news is that few software applications are in circulation that make preparing and sending encrypted email "drop-dead" simple and foolproof in terms of usability by the general public.
5) Surf the Internet Anonymously
Finally, if you really feel strongly about keeping your Internet surfing habits anonymous, you may consider using a proxy for your Internet surfing -- though even that won't guarantee complete anonymity.
A more difficult-to-trace method for surfing the Web is called Tor. Essentially, when you install Tor software, you log onto a peer-to-peer (P2P) network representing millions of people, much in the way BitTorrent works. It is encrypted and fully decentralized, meaning not only that it is self-sustainable but also that there is no central server which, if shut down, will stop its Internet activities.
What happens in the Tor scenario is that your IP travels in a random path along the Tor encrypted tunnel and reaches a random endpoint, where your traffic then jumps on the Internet using one of the P2P computing devices as its proxy. That endpoint proxy could be a node anywhere in the world.
If you do try Tor, just go to Google and note which country shows. It will vary from minute to minute -- an indication of Tor's anonymity at work.
Nothing will happen to advance the cause for Internet privacy unless a federal mandate is established, and to the extent that the Internet operates as a borderless complex network, its global reach spans and ignores the laws and treaties of countries using it. In the meantime, however, the technology for achieving true privacy with applied encryption methods is technically feasible -- it's up to you to choose the approach you like best.