Complacency with privacy invasion has become our 6th sense. Handing over the intimate details of our lives to corporate and government stooges has become a virtue and civic duty. It should come as no surprise that, even for a society dripping with tech-savviness, the average person would rather their government act than to take action themselves. According to Pew Research:
Six-in-ten Americans (61%) have said they would like to do more to protect their privacy. Additionally, two-thirds have said current laws are not good enough in protecting people’s privacy, and 64% support more regulation of advertisers.
In an effort to get you off the sideline, here is a list of basic tools that involve little-to-no effort and are either free or extremely affordable.
By no means is any tool 100% full-proof in keeping prying eyes out (it is very likely nothing ever will be), but rather, make it extremely difficult, time-consuming and costly for those seeking to molest your privacy.
Turn Off Mobile Device Biometric Security — Facial or Fingerprint Scanning
Apple’s Face & Touch ID were revolutionary for mobile identity authentication. It’s tough to beat, but not impossible. To the average person, these features are more about convenience than a̶ ̶f̶a̶l̶s̶e̶ ̶s̶e̶n̶s̶e̶ ̶o̶f̶ security.
Even still, there’s one fatal flaw to biometric security: they are routinely included in warrants, making it simple for police to access the contents of your phone. This is exactly the permissions the DEA requested for those alleged to have satiated rapper Mac Miller’s appetite for drugs.
FBI report detailing text messages between Mac Miller (McCormick) and his alleged drug dealer, Cameron Pettit.
WHAT TO DO INSTEAD
You should be using an alphanumeric passcode. Better yet, use a passphrase. By default, most devices have you choose 4 or 6 numbers. As Johns Hopkins Professor of Cryptography Matthew Green would tell you, that's pretty easy to crack.
By using a passcode or passphrase rather than a biometric authentication, you are free to invoke the 5th amendment… or a strange case of amnesia.
HOW TO DO IT
Signal — Encrypted Text Messaging
When Edward Snowden revealed the massive data collection campaign by the NSA, 87% of Americans had knowledge of the program, and yet a massive majority did not alter their use of technology.
Signal is an open source communication tool for your phone and computer that allows you to send encrypted messages. Being open source, the software’s code has been peer-reviewed and audited for gaping security holes or government backdoors. In fact, Signal was issued a federal subpoena and, because the company keeps minimal logs and does not own or see your encryption keys, they weren’t able to produce much. The same can’t be said for WhatsApp, a popular, Facebook-owned s̶e̶c̶u̶r̶e̶ messaging app.
There is one catch, though — whoever you are messaging also has be using the Signal app. Make sure to spread the word to your friends, family and/or drug dealing mistress.
ProtonMail — Encrypted Email
Email still remains one of the most dominant forms of communication, in particular for businesses, and so it is constantly being attacked through ever-evolving holes. Other times, users just open up the front door.
Protonmail.com
ProtonMail takes the security of AES, RSA and OpenPGP encryption and makes it accessible to the non-techie. Based in Switzerland, who happens to have some of the strongest privacy protection laws in the world, ProtonMail’s servers are stored under 1,000 meters of solid rock. So take comfort in knowing that nuclear bomb won’t stop your email from reaching Grandma.
Keep in mind that this is still a centralized solution and thus, you are trusting a 3rd party to transmit/store your data, even if they may not be able to access it; it may be worthwhile to read ProtonMail’s response.
Full-Disk Encryption
Encryption and cryptography are complicated topics to comprehend and even harder to explain. In it’s simplest form, think of it like this: using a password to protect unencrypted data on your computer is like relying only on your home’s door locks to keep intruders out — they could still kick the door in, break a window, etc. If they did manage to get into your home and you were using encryption, the entire contents of your house would appear invisible unless they knew the special password to make it visible (decrypt) again.
Townsendsecurity.com
iPhones have had hardware-level 256-bit AES encryption built-in since the iPhone 3GS. Since iOS 8, if you have a passcode, even Apple itself can’t unlock your phone. Google has taken similar steps in Android.
- Apple’s FileVault is off by default on Mac computers, but is simple to turn on.
- For Windows or Linux (or Mac), I recommend Veracrypt.
Virtual Private Networks
A Virtual Private Network (VPN) is a simple concept that has been around for decades. They can be purchased for cheap monthly or annual fees. You’ll see VPN services offered for free, but it’s better to avoid these since they’re often slower than paid services.
Many of these companies are set up in countries with strong privacy/data protection laws (Germany, Switzerland, etc.). And while it is a secure method, it isn’t without flaws. One of the key things to look for when selecting a VPN is reputation and whether or not the company keeps activity logs. Most will claim that they do not maintain user information or activity, but that’s clearly a sham.
That isn’t to say you shouldn’t use a VPN, but do not let it give you a false sense of security. Your data is encrypted and it helps keep out prying eyes, but remember, you are still relying on a 3rd party. A good review of many VPNs is available.
Password Managers
Password managers are essentially an encrypted bucket for you to store all your most important details inside of. One simple, yet effective way hackers access your accounts is by exploiting a flaw of the human brain — poor memory.
Most people reuse the same few, memorable passwords across all their accounts. Unfortunately, these are usually insecure things like Password123 or Pen15Club. You can ignore how easy these are to brute-force because all it takes is you to have an account at one company that experiences a data breach. Banking on the fact that you’ll likely use the same password elsewhere, hackers simply go try those credentials on various other platforms like your bank account.
Password managers allow you generate random passwords for each site you use to prevent the above scenario. It then stores all these credentials behind your encryption key. You might be asking yourself, well isn’t that like putting all my eggs in one basket? Sort of. You need to create a strong master passphrase that is long and memorable.
sit chapel slaying degree
Something like the above passphrase would take approximately 6,000,126 centuries to brute-force crack. However, you should use something with at least 6 words. Longer is always better, but not to the point it risks your ability to recall it.
HOW TO DO IT
- 1 Password (Windows, Mac, iOS, Android)
- LastPass (iOS, Android; Chrome plugin works on Windows, Mac, Linux)
- KeePass (Linux, Windows, Mac, Android)
For the truly paranoid, you can even use what is called Diceware. It works like this:
A long list of words are assigned to 5 digit strings.
EXAMPLE
16664 cleat
16665 cleft
16666 clerk
21111 cliche
21112 click
- Roll your die 5 times, writing down the resulting number for each roll.
- Lookup the resulting combination in the list from step 1 and write it down.
- Repeat 5 more times.
- The result is your new 6-word passphrase truly generated at random.
Two-Factor Authentication
A 2FA device that has been used for decades in the corporate world.
Two-Factor Authentication, or 2FA, is an additional layer that protects your online accounts. After enabling 2FA and logging in to your account, a code is generated and sent to a secondary device you own, most commonly a text message to your phone. This code acts as an additional measure that you’re the person you are claiming to be. Obviously, the main security concern here is what happens if your phone is stolen? Well, hopefully you followed the rest of the advice above…
More and more websites are supporting 2FA and even with its limitations, enabling 2FA is more secure than not using it. A list of websites/services that support 2FA is readily available.
If you want want to take a non-SMS (text message) route, apps like Authy generate something called a Time-based One-Time Passcode (TOTP). This is the software-based equivalent of the RSA SecurID pictured above.
Other Tools
There are plenty of other ways to protect your privacy. Here are a few:
- Tools from the Electronic Frontier Foundation
- Ad/tracking blockers for your browser
- Host your own cloud server like a Dropbox
- A directory of direct links to delete your account from web services
- Stop Facebook from your tracking you around the web
- Disposable email or masked/alias email
Stay safe out there and please, if you have other tools or corrections, please leave them in the comments!