Many of us are, unfortunately, quite ignorant of our privacy, especially when we browse the web. For those of you interested, for whatever (good and legitimate, I hope) reason, here is a set of tools to keep you and your data safe and private online.
The Human is the Weakest Link: Get Your Basics Right
The human is always the weakest link in the whole chain. Remember, the “vulnerabilities” in most cases arise out of the ignorance of the user.
I hardly need to emphasise the need for a strong, yet effective password. In case you’re wondering how to go about setting up a strong yet easy-to-remember password, perhaps this comic strip from xkcd will speak wisdom.
Now that we’re done with the fundamentals, let’s get to the more advanced ones. Over here, I am making a (terrible) assumption that you are aware of the fundamental security safeguards, such as:
- Proper Password
- Using antivirus software
- Use of a Firewall
- Using Incognito Mode in Chrome
- Clearing browsing history, cache and cookies on exit
- Getting rid of temporary files on your PC
- Regularly checking for and installing patches and security updates
Having said so, let’s move on. Here is a list of some tools I use.
Ghostery is probably the beginning of wisdom for anyone aspiring to be anonymous on the web.
On the Internet, every website has certain scripts running, which track various details about you, such as your IP address, where in the world you are, your browsing history, system date and time, cookies, etc.
This can potentially reveal a lot about you and your identity to third parties. Very often, they are done with good intentions, but if you wish to shut them down, there’s a way.
Ghostery, the virtual ghost, will do that for you. It is available as an add-on for both Google Chrome and Mozilla Firefox.
By default, Ghostery blocks all scripts, trackers, beacons and widgets. This may be inconvenient in certain cases, therefore you can always set exceptions: things which Ghostery would not block.
Added Advantage: Ghostery displays the list of trackers, scripts, beacons and widgets it has blocked for a few seconds after a page has loaded completely, along with those it has allowed.
Disconnect is all the punch in a single package. It is a suite of three separate pieces of software, the ultimate holy grail of anonymizing software in your web browser.
When you go to a certain webpage, a host of trackers and other webpages request a share of the information gathered from you. This not only exposes your data to third parties, but also consumes bandwidth and time. Disconnect blocks all of them by default, and you can manually set the exclusions.
This second add-on allows you to search on the web while staying anonymous. Typical search engines can record your search terms, and store your IP address. There are also people like ISPs, law enforcement, and intelligence agencies collecting your search terms in the name of “homeland security”, thus risking your privacy.
Disconnect Private Search basically acts as a router that submits your search term to the search engine of your choice without revealing personally identifiable information, and keeps your search terms from being brokered.
All these are available separately as plugins for Google Chrome and Mozilla Firefox. But of course, you’d prefer to use all of them as a suite, wouldn’t you?
This is the ultimate step: getting the Tor Browser Bundle. This is a product of the Tor Project, an organisation whose products defend you from “network analysis”.
Ghostery and Disconnect will block scripts, trackers, widgets and beacons. What they woefully fail to do is stop network analysis. They are browser-based applications; they can only block the extra services that attempt to execute in your web browser upon loading a page.
ISPs, law enforcement and intelligence agencies are far from being dumbasses. They know their job, and how to go about it. You blocked trackers, you blocked widgets, you blocked beacons, you blocked scripts. You blocked data requests. So what?
Network traffic to and from your PC still passes through the communication networks of the country, in most cases unencrypted. They can and do monitor that traffic, and perform analysis on it (network analysis). That can woefully ruin your privacy, more so since you have no way of determining that your network traffic is on their radar.
If you wish to bypass it, for all practical purposes, the Tor Network is an innovative approach past that (know that the Tor Network has its own set of rare limitations though).
When you connect to the Internet using the Tor Browser, your communications are routed through the Tor Network, using a networking principle known as onion routing. I won’t go into the details, but here’s the basic principle.
When you connect to the Tor Network, a Tor Circuit is established. The communication from your computer is encrypted, and channelled through several computers across the world, known as nodes. At the last node, the connection is decrypted, and then your information is relayed to the server you’re trying to access. The data from the server enters the last node and is encrypted, and is relayed back to your PC, where it is again decrypted.
It is like that classic maxim in criminology. Take a complicated route that makes your steps more difficult to trace. In this case, it is virtually impossible.
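The layering behind the circuit described above, as an added example that is not part of the original post and not the Tor Project's code. It assumes the sender already shares one key with each node, uses a toy SHA-256 keystream cipher as a stand-in for real cryptography, and the node names, keys and request are constructed.

```python
import hashlib
import json

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 keystream. Illustration only, NOT secure.
    Applying it twice with the same key undoes it."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)

def wrap(message: bytes, destination: str, circuit):
    """Build the onion from the inside out; circuit is [(node, key), ...] in path order."""
    payload, next_hop = message, destination
    for node, key in reversed(circuit):
        layer = json.dumps({"next": next_hop, "data": payload.hex()}).encode()
        payload, next_hop = toy_cipher(key, layer), node
    return next_hop, payload  # first node to contact, fully wrapped onion

def peel(key: bytes, onion: bytes):
    """What one node does: remove its own layer, learn only the next hop."""
    layer = json.loads(toy_cipher(key, onion))
    return layer["next"], bytes.fromhex(layer["data"])

def route(message: bytes, destination: str, circuit):
    """Pass the onion along the circuit and record what each node could see."""
    keys = dict(circuit)
    hop, onion = wrap(message, destination, circuit)
    seen = []
    while hop in keys:
        next_hop, inner = peel(keys[hop], onion)
        # (node, where it forwards to, whether the plaintext is visible to it)
        seen.append((hop, next_hop, message in inner))
        hop, onion = next_hop, inner
    return hop, onion, seen

# Constructed sample circuit and request (hypothetical names and keys).
CIRCUIT = [("entry", b"key-1"), ("middle", b"key-2"), ("exit", b"key-3")]
REQUEST = b"GET /sensitive-topic HTTP/1.1"

if __name__ == "__main__":
    final_hop, delivered, seen = route(REQUEST, "example.org", CIRCUIT)
    for node, next_hop, sees_plaintext in seen:
        print(f"{node:6} -> {next_hop:12} sees plaintext: {sees_plaintext}")
```

Only the last node handles the request in the clear, which is the "decrypted at the last node" step in the paragraph above; the earlier nodes learn nothing but the next hop.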
Advantages of Using Tor
- Allows you to access the Internet, uncensored.
- Allows you to evade filtering and network control by local agencies.
- You can research sensitive topics (sensitive in your area), without the fear of anyone prowling on you.
- Human rights journalists and social activists use it to evade government backlash and surveillance.
- Confidentiality is maintained.
- Secret Service agents in the field, police informers, law enforcement on sting operations; all use Tor for confidentiality.
- You will remain anonymous.
Of course, the majority of people using Tor are not anti-State actors. They just want to keep some information away from prying eyes for their own good interests.
That’s enough talk. You can head over to the Tor Project website to learn more. I strongly advise you to go through all the documentation before using Tor.
According to a kiosk of the Railway Protection Force in Sealdah Station, a central railway terminus in Kolkata:
“Ignorance is not a choice, it is a sin.”
4. OpenPGP Encryption
I must admit, nothing’s better than encryption when it comes to privacy. That is because the encryption standards used today are so powerful that, for all practical purposes, it is not feasible to crack an encrypted message.
Mind you, it’s not impossible, but it would take an inordinately large amount of time. So long that it would be better to use other methods, or the process will bore you out.
If you have to use encryption, use it for whatever you wish to keep confidential to the highest level. Lawyers, companies, everyone with legitimate (and illegitimate) secrets to keep uses it. Security experts, including Mr. Snowden, have repeatedly stated that using encryption is your best bet against snooping.
The OpenPGP encryption standard uses two keys, which are the equivalent of passwords: the public key, and the private key. With your public key, all files can be encrypted such that only you, with your private key, can decrypt the file and read it.
Quite understandably, you share the public key with the world, so that they can use it to encrypt whatever they send to you, and only you can see it.
But the problem is, both the private and public keys are computer files, and they can be stolen. If your private key is stolen, you’re finished. Well, actually you’re not. To prevent it from being used by the wrong people, the private key is further encrypted with a passphrase, and that passphrase should ideally be stored nowhere but your brain.
If you use a Linux-based OS, GNU Privacy Guard (GnuPG) is the software available for using OpenPGP Encryption on your PC.
If you’re a Windows user, you unfortunately cannot use GnuPG. Sorry guys, but encryption is native to Linux. Nevertheless, you need not despair.
An equivalent of GnuPG, Gpg4win, is available for using OpenPGP Encryption on Windows. Gpg4win comes loaded with a pretty little PDF tutorial on encryption and how to use it, for novices.
Note that Gpg4win is a software suite, and contains a range of supporting applications that enable you to smoothly use OpenPGP Encryption on your PC and in your email service.
For a complete introductory tutorial to encryption (which I highly recommend), OpenPGP encryption in particular, refer to this blog: http://zacharyvoase.com/2009/08/20/openpgp/
Yes, that was my guru.
5. Encrypting Messages
GnuPG or Gpg4win allows you to encrypt and decrypt files on your computer. So, you protected yourself, huh? The very next thing you might want to do is communicate with your contacts in encrypted form. In fact, you should seriously consider doing that.
Although there are plugins available for email, the best bet is to use the Clipboard of Gnu Privacy Assistant. GPA too comes bundled with Gpg4win, for those using Windows-based systems.
You just compose your message in GPA, and then you can sign and encrypt it. You then copy the ciphertext to whatever medium of communication you want to use: chat, email, messenger... whatever. Just anything.
That’s what makes GPA special. It is platform-independent, which is a huge boost in terms of logistics.
Whenever you receive a message from someone encrypted for you with your public key, you simply paste it into this Clipboard of GPA, and click Decrypt. Job done, mate. You can also verify the signature (explained below).
6. Checking Hashes
So you now know how to prevent your communications from being spied upon by spying eyes, huh? How do you possibly ascertain that the stuff which has reached you is exactly as the content author intended it to be?
To do that, we use a hash.
Suppose that you have written a message in binary on a piece of paper. You tear up this piece of paper, and crumple the individual pieces into a paper ball.
That’s the hash of the message.
There is no way anyone can possibly get back the original message from a hash. So, how does this help? The hash of every message is unique.
Well, the sender calculates the hash of a message using a hash algorithm. He then sends the message to you, and the hash of that message he calculated separately. You use the same hash algorithm to calculate the hash of the message you have received.
If the two hashes match, it means that the message is exactly as it was when it left the sender on its journey to you.
If the hashes do not match, it means that the message has been tampered with or modified on the way. It works on that basic principle: every message has a unique hash, which is unreproducible.
If a message is tampered with, or modified, it has to have a different hash.
If you want to check hashes manually, then there is a tiny programme to help you do just that. Often, digital signatures (equivalent to hashes) come embedded with encrypted messages, which can automatically be verified by GPA (mentioned earlier).
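The sender-and-receiver check described above, as an added example that is not part of the original post. The post names no hash algorithm, so SHA-256 and the "HEX  filename" line layout printed by sha256sum are assumptions, and the message and file name are constructed.

```python
import hashlib
import hmac
import os
import string
import tempfile

def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so a large download need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_checksum_line(line):
    """Split a published 'HEX  filename' line and reject anything malformed."""
    expected, _, name = line.strip().partition(" ")
    if len(expected) != 64 or not all(c in string.hexdigits for c in expected):
        raise ValueError("not a SHA-256 checksum line")
    return expected.lower(), name.lstrip(" *")

def verify(path, checksum_line):
    """Receiver's side: recompute the hash and compare it with the published one."""
    expected, _name = parse_checksum_line(checksum_line)
    return hmac.compare_digest(sha256_file(path), expected)

def demo():
    """Constructed sample: the sender publishes a hash, then one word changes in transit."""
    message = b"Meet at the station at nine.\n"
    published = hashlib.sha256(message).hexdigest() + "  message.txt"
    received = {"intact": message, "tampered": message.replace(b"nine", b"noon")}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "message.txt")
        for label, body in received.items():
            with open(path, "wb") as fh:
                fh.write(body)
            results[label] = verify(path, published)
    return results

if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the channel the published hash arrived on, which is why the post has the sender deliver it separately from the message.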
7. Do Not Use Tails
Among many suggestions on privacy, you would come across advice to use a particular, specialized OS known as Tails, that leaves no trace of its use on your computer system. Well, although Mr. Snowden used it, I would advise you not to.
To tell the truth, Tails is an obscure OS.
Being obscure, many security loopholes in the OS go unnoticed for long. Probably many would have been discovered if the OS had a wider developer community.
A wooden door is better than a steel door with a hole in it. It doesn’t make sense to use a loopholed OS: you might be exposing yourself to more violations of privacy rather than guarding against them.
There is a reason why these tools are not commonly used: they are indeed a hassle to use, in many ways. Unfortunately, that is the ground reality.
Before you use any or all of these, be sure to do a mental cost-benefit analysis. There is really no reason for you to encrypt a copy of your profile picture when you email that to a friend. But if it’s a copy of, say, your birth certificate, there might be legitimate reason for taking those steps.
Or maybe not. It all depends on you, and what you prefer.
Of course, there is something I will never be able to teach anyone: that every one of us has a responsibility to use these tools responsibly.
These are the tools. Use them wisely, and responsibly. Do remember, knowledge + character = good citizen.