I fiercely defend the privacy of my personal life. And I’ve increasingly grown worried about attaining the same, ever since Mr. Edward Snowden shocked the world with his revelations of mass, uncontrolled, often illegal spying by the National Security Agency, an intelligence agency of the USA.
Recently, I have tried out many services, both online and offline, in order to more fiercely lock down my privacy. On account of the experience I had, let me share some of it with you.
Of course, I have left out the (often bitter) experiences and not-so-pleasant moments I’ve encountered.
Mr. Snowden himself said that encryption is the best bet against snooping. But before that, there are some fundamental basics that need to be understood.
The human is always the weakest link in the whole chain. Remember, the “vulnerabilities” in most cases arise out of the ignorance of the user.
I hardly need to emphasise the need for a strong, yet effective password. In case you’re wondering how to go about setting up a strong yet easy-to-remember password, perhaps this comic strip from Xkcd will speak wisdom.
Now that we’re done with the fundamentals, let’s get to the more advanced ones. Over here, I am making a (terrible) assumption that you are aware of the fundamental security safeguards, such as:
- Proper Password
- Using an antivirus software
- Use of a Firewall
- Using Incognito Mode in Chrome
- Clearing browsing history, cache and cookies on exit
- Getting rid of temporary files on your PC
Having said so, let’s move on. Here is a list of some tools I use.
Ghostery is the probably the beginning of wisdom an aspiring person wishing to be anonymous on the web. On the Internet, every website has certain scripts running, which track various details about you, such as:
- Your IP Address
- Location in the world
- Browsing History
- System Date and Time
This can potentially reveal a lot about you and your identity to third parties. Very often, they are done with good intentions, but there is no guarantee that they won’t be used for cross-purposes.
Shut them down. The scripts. Ghostery, the virtual ghost, will do that for you. It is available as an add-on for both Google Chrome and Mozilla Firefox.
By default, Ghostery blocks all scripts, trackers, beacons and widgets. This may be inconvenient in certain cases, therefore you can always set exceptions: things which Ghostery would not block.
Added Advantage: Ghostery displays the list of trackers, scripts, beacons and widgets it has blocked for a few seconds after a page has loaded completely, along with those it has allowed.
Disconnect is all the punch in a single package. It has a suite of three separate software, that is the ultimate holy grail of anonymizing software in your web browser.
Private Browsing: When you go to a certain webpage, a host of trackers and other webpages request a share on some information gathered from you. This not only exposes your data to third parties, but also consumes bandwidth and time. Disconnect blocks all of them by default, and you can manually set the exclusions.
Private Search: This second add-on allows you to search on the web while staying anonymous. Typical search engines can record your search terms, and store your IP address. There are also people like ISPs, law enforcement, and intelligence agencies collecting your search terms in the name of “homeland security”, thus risking your privacy.
Disconnect Private Search is basically acting as a router that submits your search term to the search engine of your choice, without revealing personally identifiable information and search terms from being brokered.
All these are available separately as plugins for Google Chrome and Mozilla Firefox.
This is the ultimate step: getting the Tor Browser Bundle. This is a product of the Tor Project, an organisation whose products defend you from “network analysis”.
Ghostery and Disconnect will block scripts, trackers, widgets and beacons. What they woefully fail to do is stop network analysis. They are browser-based applications, they can only block the extra services that attempt to execute on your web browser upon loading a page.
ISPs, law enforcement and intelligence agencies are far from being dumbasses. They know their job, and how to go about it. You blocked trackers, you blocked widgets, you blocked beacons, you blocked scripts. You blocked data requests. So what?
Network traffic to and from your PC still passes through the communication networks on the country, in most cases, unencrypted. They can and do monitor that traffic, and perform analysis on it (network analysis). That can woefully ruin your privacy, more so since you have no way you determining that your network traffic is on their radar.
The Tor Network is an innovative approach past that.
To connect to the Internet using the Tor Browser, your communications are routed through the Tor Network, using a networking principle known as onion routing. I won’t go into the details, but here’s the basic principle.
When you connect to the Tor Network, a Tor Circuit is established. The communication from your computer is encrypted, and channelled through several computers across the world, known as nodes. At the last node, the connection is decrypted, and then your information is relayed to the server you’re trying to access. The data from the servers enters the last node and is encrypted, and is relayed back to your PC, where is again decrypted.
It is like that classic maxim in criminology. Take a complicated route that make your steps more difficult to trace. In this case, it is virtually impossible.
Advantages of using Tor
- Allows you access the Internet, uncensored.
- Allows you to evade filtering and network control by local agencies.
- You can research on sensitive topics (sensitive in your area), without the fear of anyone prowling on you.
- Human Rights Journalists and social activists use it to evade government backlash and surveillance.
- Confidentiality is maintained.
- Secrets Service Agents on the field, police informers, law enforcement on sting operations; all use Tor for confidentiality.
- You will remain anonymous.
Of course, majority of the people using Tor are not anti-State actors. They just want to keep some information away from prying eyes for their own good interests.
That’s much talk. You can head over to the Tor Project website to learn more. I strongly advise you to go through all the documentation, before using Tor.
According to a kiosk of the Railway Protection Force in Sealdah Station, a central railway terminus in Kolkata:
“Ignorance is not a choice, it is a sin.”
4. OpenPGP Encryption
I must admit, nothing’s better than encryption when it comes to privacy. That is because the encryption standards used today are so powerful, that it is not feasible to crack an encrypted message.
Mind you, it’s not impossible, but it would take an invariably large amount of time. So long that it would be better to use other methods, or the process will bore you out.
If you have to use encryption, use it for everything. Security experts, including Mr. Snowden, have repeatedly stated that using encryption is your best bet against snooping.
The OpenPGP encryption standard uses two keys, which are the equivalent of passwords: the public key, and the private key. With your public key, all files can be encrypted such that only you, with your private key, can decrypt the file and read it.
Quite understandably, you share the public key with the world, so that they can use it to encrypt whatever they send to you. So that only you can see it.
But the problem is, both the private and public keys are computer files, and they can be stolen. If your private key is stolen, you’re finished. Well, actually you’re not. To prevent it from being used by the wrong people, the private key is further encrypted with a passphrase, and that passphrase should ideally be stored nowhere but your brain.
If you used a Linux-based OS, the GNU Privacy Guard is a software available for using OpenPGP Encryption on your PC.
If you’re a Windows user, you unfortunately cannot use GnuPG. Sorry guys, but encryption is native to Linux. Nevertheless, you need not despair.
An equivalent of GnuPG, Gpg4win, is available for using OpenPGP Encryption on Windows. Gpg4win comes loaded with a pretty little PDF tutorial on encryption and how to use it, for novices.
Note that Gpg4win is a software suite, and contains a range of supporting applications that enable you to smoothly use OpenPGP Encryption on your PC and in your email service.
For a complete introductory tutorial to encryption, OpenPGP encryption in particular, refer to this blog: http://zacharyvoase.com/2009/08/20/openpgp/
Yes, that was my guru.
5. Encrypting Messages
GnuPG or Gpg4win would allow to encrypt and decrypt files on your computer. So, you protected yourself, huh? The very next thing you might want to do is communicate encrypted with your contacts. In fact, you should seriously consider doing that.
Although there are plugins available for email, the best bet is to use the Clipboard of Gnu Privacy Assistant. GPA too comes bundled with Gpg4win, for those using Windows-based systems.
You just compose your message in GPA, and then you can sign and encrypt it. You then copy the cipher-text to whatever medium of communication you want to use: chat, email, messenger…… whatever. Just anything.
That’s what makes GPA special. It is platform-independent, which is a huge boost in terms of logistics.
Whenever you receive a message from someone encrypted for you with your public key, you simply paste it into this Clipboard of GPA, and click Decrypt. Job done, mate. You can also verify the signature (explained below).
6. Checking Hashes
So you now know how to prevent your communications from being spied upon by spying eyes, huh? How do you possibly ascertain that the stuff which has reached you is exactly as the content author intended it to be?
To do that, we use a hash.
Suppose that you have written a message in binary on a piece of paper. You tear up this piece of paper, and crumple the individual pieces into a paper ball.
That’s the hash of the message.
There is no way anyone can possibly get back the original message from a hash. So, how does this help? The hash of every message is unique.
Well, the sender calculates the hash of a message using a hash algorithm. He then sends the message to you, and the hash of that message he calculated separately. You use the same hash algorithm to calculate the hash of the message you have received.
If the two hashes match, it means that the message is as it embarked on a journey to you from the sender.
If the hashes do not match, it means that the message has been tampered with or modified on the way. It works on that basic principle: every message has a unique hash, which is unreproducible.
If a message is tampered with, or modified, it has to have a different hash.
If you want to check hashes manually, then there is a tiny programme to help you do just that. Often, digital signatures (equivalent to hashes) come embedded with encrypted messages, which can automatically be verified by GPA (mentioned earlier).
7. Do Not Use Tails
Among many suggestions on privacy, you would come across advice to use a particular, specialized OS known as Tails, that leaves no trace of its use on your computer system. Well, although Mr. Snowden used it, I would advise you not to.
To say the truth, Tails is an obscure OS.
Being obscure, many security loopholes in the OS go unnoticed for long. Probably many would have been discovered if the OS had a wider developer community.
A wooden door is better than a steel door with a hole in it. It doesn’t make sense using a loopholed OS: you might be putting yourself in more violations of privacy rather than against it.
It is better not to use all of these tools on a daily basis. As I said, appropriate authorities are always on the lookout for suspicious activities, and you may attract their attention by (over)using these anonymizing tools.
They are just doing their job: maintaining national security. They have to follow all leads, to wherever they lead.
Well then, why not stop over-using them, and create a better living situation for both? There is really no reason why you should use these tools unless necessary.
So, as an example, here’s what I do:
- Regular (Daily Use): Ghostery, Disconnect Private Browsing, Disconnect Privacy Icons. That should satisfy you enough.
- Disconnect Private Search: There is really no reason why you should use it unless what you are searching is to be absolutely private (it rarely is).
- File Encryption: I have my important documents and photographs signed and encrypted, to prevent tampering. Encrypt only what is absolutely important.
- Communication Encryption: I very rarely use this. It should only be used when what you are exchanging is only for private eyes, viz. health reports, sting operation reports, revelations, diseases, personal and national security, etc.
- Tor Browser: There is absolutely no reason why you should use this unless you want to evade network analysis, viz. during sting operations, online raids, counter-terrorism, etc.
I think that this routine should be good enough for every Tom, Dick, and Harry. Why risk your privacy, and the logistics of national authorities, when both get nothing out of it?