In light of Edward Snowden’s recent disclosure of the PRISM surveillance program, it is becoming clear that Western democratic governments are heading towards an ever-increasing level of control over online traffic, at the expense of privacy. Tools like deep-packet inspection (which allows advanced content monitoring and filtering), corporate willingness to give away customer data, and international agreements make it increasingly difficult to maintain a modicum of anonymity and confidentiality online. But the major threat to privacy is not there – it is in our own complacency and lack of technical ability to do anything about it. We disclose so much information online, and so carelessly, that, while it does not excuse the snooping behavior of states and businesses, it certainly makes their job a lot easier. Here are four things you can and should do to improve your privacy online – and that does not include the obvious step of securing your Facebook profile!
1. Use a VPN (or at least a proxy)
Virtual Private Networks (VPNs) are a way for your computer to communicate securely (using encryption) with a remote server, through which all your traffic (Web browsing, email, etc.) is then routed to the general Internet. Most large companies, in fact, rely on VPNs to protect the data of their on-the-road employees. This serves a dual privacy purpose: it prevents your ISP, government or local cybercafe Wi-Fi hacker from monitoring your traffic between your location and the remote server (confidentiality), and from the Internet’s perspective it makes your traffic originate from the remote server, which can be located in a foreign country (anonymity). So, to snooping ears close to home, your data will be gibberish; and to distant snooping ears, your IP address (which is tied to your name) will not show.
There are limitations though: good VPNs (in terms of bandwidth and latency) are usually a bit expensive; you have to somewhat trust the VPN provider and their government not to spy on your traffic; and they will usually disclose your identity if required by law (i.e. they do not provide protection if you partake in illegal activities online).
Given these pros and cons, it can be considered good practice to always run a VPN on your computer. Don’t use it only for sending sensitive info – it’s better to clutter the VPN traffic with as much trivial data as possible, to reduce the signal-to-noise ratio for snooping ears. An “always-on” VPN is best, and if you can afford it, having two or three VPN providers in different countries (and cycling daily between them) is even better. Also, once set up, make sure to route all your traffic through the VPN – not just your web browsing; this is usually available in your operating system’s VPN configuration settings.
It is difficult to recommend VPN providers, since no one can vouch for their integrity or technical capability at protecting your data. However, a few providers are considered mainstream players:
- iPREDator, based in Sweden, originated from The Pirate Bay and is now run by Portlane Networks, which also operates the anonymizing services Anonine and Relakks. The name sounds scary but comes in response to the European Union’s Intellectual Property Rights Enforcement Directive (IPRED), which ensures that member states enforce speedy investigation and prosecution of digital copyright infringements. The cost is about 23 USD / 17 EUR for three months. It accepts PayPal (which somewhat defeats the purpose, since PayPal’s parent company Google is a willing participant in the PRISM program), as well as credit cards (through a third party, so iPREDator doesn’t keep your transaction on record) and, yes, Bitcoins for the more anonymous-minded.
- StrongVPN offers an interesting array of countries to route your connection through, including Hong Kong, Norway and Russia. The parent company is located in the US, however, and therefore is more likely to give up your data easily. The cost is about 21 USD for three months using a US server, or USD 20 for one month for international locations. StrongVPN does not offer anonymous payment methods – it’s either PayPal, credit card, wire transfer or Western Union.
- Private Internet Access is a UK-based VPN provider owned by London Trust Media, on whom little information is available. While this offers little guarantee (the UK and US share information under the UKUSA Security Agreement), it is the cheapest of the three for those who just seek to secure their connection from local hackers, or preserve their anonymity from visited websites.
Alternatively, for a thin varnish of confidentiality and anonymity, free alternatives exist – such as HotSpot Shield or OpenVPN’s PrivateTunnel. These might not provide as strong a guarantee that your data is safe with them, but at least it will be safe from your ISP and local threats. They are also sufficient to just bypass websites or services that may be blocked in your country.
If all you care about is anonymity, not confidentiality, then a simple solution that does not require any setup is to use a public web proxy. A web proxy is a “middleman website” which pretends to be you as you browse. This anonymity does not resist government investigations, though, as your IP address is likely to be recorded by the proxy itself. A good up-to-date list of web proxies is available here.
2. Get your browser(s) set up right
However, there are times when you do not want to be identified – on search engines, controversial websites, etc. Disallowing cookies is not really an option – for example, rejecting the Google cookie also locks you out of Gmail, YouTube, PayPal, etc. The recommended workaround is to actually use two browsers – e.g. Chrome for all your unconcealed activities (your “white” browser), and Firefox (with maximum privacy settings on) for everything else (your “black” browser). If you switch between the two, remember to also toggle your VPN connection – otherwise you will be accessing Google from the same IP address, which would give away your identity.
In your “black” browser, make sure to set the privacy settings to use the “do not track” feature (although it is weakly implemented), to reject all cookies, to “never remember history” and to not keep any local cache. Activate the “private browsing mode” (Firefox), “private browsing” (Safari) or “incognito window” (Chrome) feature at all times.
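One way to verify these settings on a Firefox profile is to audit its `prefs.js` / `user.js` file. This is an added example, not part of the original post: the mapping from the settings above to `about:config` preference names is an assumption of the example (names can change between Firefox versions), and the sample file is constructed.

```python
import re

# Settings from the paragraph above as Firefox preference names
# (assumed mapping; check about:config in your Firefox version).
REQUIRED = {
    "privacy.donottrackheader.enabled": True,   # send "Do Not Track"
    "network.cookie.cookieBehavior": 2,         # 2 = reject all cookies
    "places.history.enabled": False,            # never remember history
    "browser.cache.disk.enable": False,         # no local disk cache
    "browser.privatebrowsing.autostart": True,  # always private browsing
}

# Constructed sample of a partially hardened prefs.js.
SAMPLE_PREFS = """\
// Mozilla User Preferences
user_pref("browser.cache.disk.enable", false);
user_pref("network.cookie.cookieBehavior", 0);
user_pref("privacy.donottrackheader.enabled", true);
user_pref("browser.startup.homepage", "about:blank");
"""

PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')


def parse_prefs(text):
    """Parse user_pref("name", value); lines into a {name: value} dict."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments and blank lines
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs


def audit(text):
    """Return {pref: current value} for every required pref that is unset
    (None, meaning the Firefox default applies) or set to another value."""
    prefs = parse_prefs(text)
    return {
        name: prefs.get(name)
        for name, want in REQUIRED.items()
        if type(prefs.get(name)) is not type(want) or prefs.get(name) != want
    }


if __name__ == "__main__":
    for name, value in audit(SAMPLE_PREFS).items():
        print(f"{name}: found {value!r}, want {REQUIRED[name]!r}")
```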
3. Secure your search
It is amazing how much can be inferred about someone using the keywords they have looked up online. You may have casually googled names of individuals, symptoms of diseases, address locations, topics of interest to you, and perhaps even less admissible things that you would not be comfortable seeing revealed. Yet, you have trusted your search engine provider with this daily influx of insight into your lifestyle and preferences. From there, it is likely that a firm like Google is able to infer your gender, sexual orientation, age, marital status, level of income, personal wealth, health situation, job situation, career plans, travels, hobbies, interests, friends, acquaintances, romantic partners, down to which pet and car you own. And this is without looking up your social profiles – just through the keywords you willingly provided in your searches.
What can you do about it? At least a few things, without trading too much convenience for privacy:
- Think before you do an online search, and be smart and responsible about it. It sounds trivial, but it is the difference between looking up a term in a paper encyclopaedia (which is inconsequential) and asking a particularly knowledgeable entity, who keeps track of all your queries forever. What has been asked cannot be unasked. Would you be comfortable if your search history was leaked tomorrow?
- Use a VPN or a proxy (see section 1). This will at least conceal your originating IP and make it more difficult for the search engine to correlate this search with your previous ones.
- Use a different browser (with maximum privacy settings) to do your search on. Do not log into any account (especially Google, Yahoo!, etc.) on that browser. See the “2. Get your browser(s) set up right” section above to figure out the best configuration.
- Use atypical search engines. DuckDuckGo is fast, reliable, and neither tracks you nor encases you in the infamous filter bubble that Bing and Google use. It has garnered tremendous public interest since Edward Snowden’s revelations about the PRISM surveillance program. Yandex.ru is also an alternative – of course, its homepage is in Russian, and the Kremlin might be snooping in, but they are likely to care less about your searches if you live outside Russia (isn’t it ironic that Americans would look to Russia to protect their privacy?). Just add %hl=en at the end of your search URL to get only results in English. Altavista (remember?) is owned by Yahoo!, so the same caveats apply as for Google if you are also using Yahoo’s mail services. Do not trust a single provider with too many aspects of your online activities.
This advice also applies to your mobile devices. Privacy browsers (such as AtomicWeb for iPad/iPhone) and DuckDuckGo mobile are available. If you are the owner of a jailbroken iDevice, you have more control over your privacy and can set DuckDuckGo as your default search provider.
4. Use TOR
The Third-gen Onion Routing project, better known as TOR, was first devised by the US Naval Research Laboratory. Ironically, it might be one of the best tools for protecting privacy against governmental meddling into your personal affairs. It is not for the faint of heart, and setting it up right requires a little bit of discipline and dedication; the tradeoff is also reduced browsing speed. However, the upside is that it virtually guarantees anonymity (not confidentiality) on the net by routing your connection through a collection of other volunteer TOR users (so no one controls the network). It is also free and open source. With the advent of packaged solutions such as the TOR Browser, which requires virtually no setup, there is little excuse not to use TOR for your online activities that require extra privacy.
Providing the steps on setting up TOR goes beyond the scope of this post, but the documentation page is easy to follow.
Dear reader, do you have recommendations of your own on what to do to give away less of our privacy online?