Best Practices for Keeping Your Personal Data Safe Online
The concept of online privacy is coming under attack from all angles. The recent PRISM revelation proved what everyone already suspected: the NSA has a secret back door to the biggest online services on the web, enabling it to spy on users without any judicial oversight whatsoever. This scandal comes as governments around the western world draft a range of surveillance laws in an effort to keep up with the rapid spread of new communication tools. Simultaneously, many online businesses have embraced highly targeted advertising, while new generations of children grow up in an online environment that has normalized the sharing of personal data via social networks. The phrase “there’s no privacy online” has never appeared truer. But is it possible to reclaim online privacy (if it ever existed in the first place)? In this article I am going to briefly explore some of the tools and best practices available that can help get closer to such a goal.
Starting at the IP
State surveillance is getting more and more scary, from the spectre of data retention, which has already fully enveloped Europe, to government agencies acting in secret to spy on citizens. If we want to protect our privacy online then the first thing we must consider is how to effectively anonymize our IP address.
The Onion Router
If you have even a passing interest in online privacy, you’ve probably heard of The Onion Router (TOR). TOR is open source, completely free-to-use, and perhaps the most common method of masking your IP address. TOR is a highly secure way of surfing the web while anonymizing your traffic. But it’s not perfect. The biggest problem is that anyone can set up and monitor an exit node, through which your traffic flows. TOR hides your identity and location, but you may still be identifiable via traffic confirmation (end-to-end correlation of traffic).
I2P
Another popular anonymising tool is I2P, which is essentially a computer network layer, allowing users to transmit messages to each other pseudo-anonymously. This provides many of the benefits that TOR offers, such as layered encryption and P2P-esque routing, but I2P is a very different beast. While TOR is designed to surf the web in a usual fashion, I2P is more like a network within the internet, with traffic staying within its borders. As such it’s a great tool to share data between users, as there are plenty of applications designed for this, but it’s not so suited to browsing the web.
Commercial VPNs
There’s no shortage of commercial Virtual Private Networks out there offering privacy services (full disclosure: I work for the commercial VPN service, IVPN). Different VPNs use different methods to anonymise your internet traffic, but generally speaking a VPN sends encrypted traffic over the public internet as if it were over a private network. VPNs are therefore pretty secure platforms in terms of online privacy. But they also carry risks. Firstly, your source and destination IP address cannot be encrypted, which means your ISP will always know you’re using a VPN service. Secondly, you have to trust that the VPN you’re using is actually protecting your data. This is the biggest risk, as many VPN services are no better than ISPs when it comes to retaining your online data and their privacy policies are either incredibly vague or hostile to the concept of online privacy.
Controlling personal data
While protecting your IP address is vital to prevent surveillance, this protection needs to be complemented by taking control of your personal data. The PRISM revelation demonstrated that data stored with online services is not safe from government spying. So if you’re concerned about such surveillance you need to either stop using popular web services entirely, or limit your use so that you do not reveal too much personal information. There are no hard and fast rules. What is “too much personal information” for one person is different for another. Nevertheless, here are some best practices you can consider.
Social networks
While there are social networks that have been built with user privacy in mind, they all suffer from a lack of uptake. But with concerns over online privacy growing, we may see open source social platforms such as Diaspora growing in popularity (though don’t hold your breath). If you do choose to use popular platforms such as Facebook and Twitter, it goes without saying that you should turn privacy settings to private, remove yourself from public search results and refrain from posting anything that you would be uncomfortable with the whole world seeing. Beyond that, how you use social networks, and how you balance this with protecting your private data, is really a decision only you can make.
Email services
When it comes to privacy-centric email services, you’re a lot better served than with social networks. HushMail, Guerrilla Mail and Rediff all claim to offer secure and encrypted services (also take a look at EPIC’s round-up of secure email services). As Yahoo, Microsoft and Google are implicated in PRISM, you should probably treat their respective email services with suspicion. If you do use them, make sure you’re aware the content of emails could be under surveillance. But remember, if you send an email to a Gmail user then that mail is on Google’s servers and is subject to the same surveillance risks as if you were using Gmail.
Search tools
Google has shown time and time again that it cannot be trusted with user data, from the Street View fiasco, to violating Safari’s privacy standards, and – most recently – its participation in PRISM. Thankfully there is a pretty decent alternative in the form of DuckDuckGo, which promises not to store user data nor create personalized search results. Also, consider using a tool that blocks cookies from being stored on your computer and tracked by compromised companies such as Google. You can use browser extensions such as Ghostery and the Do Not Track option built into browsers to easily achieve this.
Using common sense
Even if you combine TOR with your VPN (security in depth) and switch to more ethical search engines and email services, it still pays to exercise caution while browsing the web. We’re essentially reliant on the integrity of companies in the face of surveillance attempts from the government – any platform can potentially be compromised. But it’s much more likely for a smaller entity to notify customers of government surveillance efforts than a big multi-national, which relies on government co-operation for so much of its business. It also must be said that while some of the biggest tech companies, such as Google and Facebook, took part in PRISM, there are some notable exceptions such as Twitter, which has a decent track record in notifying users of surveillance attempts.
So to sum up, find a tool or combination of tools to anonymize your IP address. Avoid social networks, search and email services that have proven to be compromised, or if you can’t do this, at least be aware that your data is not private. Lastly, be aware that there are only degrees of privacy and while following the above may keep your data safe 99% of the time, there’s still that one percent.
About the Author
Nick Pearson is the founder and CEO of IVPN. He has 15 years of experience in information security, with experience across the telecommunications and government sectors. With an MSc in Information Security, Nick’s areas of interest include enterprise risk assessment, penetration testing and information security awareness. IVPN is a VPN privacy service and member of the Electronic Frontier Foundation.