Robert Anton Wilson and Robert Shea. Blog, Internet resources, online reading groups, articles and interviews, Illuminatus! info.

Sunday, May 18, 2014

Protecting your privacy online [UPDATED]

Julia Angwin (photo by Deborah Kopaken Cogen)

UPDATE: TrueCrypt is no longer recommended; see this article.]

[This is a reprint of an article on ProPublica by Julia Angwin, author of the new book Dragnet Nation.  Her advice on how to protect your privacy online is so good and so succinct I wanted you to see it. Please notice that I am not "pirating" the article; ProPublica allows anyone to reprint its articles if you meet its terms and conditions. -- The Mgt.]

Privacy Tools: Encrypt What You Can

Here are some techniques that anybody can use to protect their privacy online.
by Julia Angwin
ProPublica, May 6, 2014

In the course of writing my book, Dragnet Nation, I tried various strategies to protect my privacy. In this series of book excerpts and adaptations, I distill the lessons from my privacy experiments into tips for readers.

Ever since Edward Snowden revealed the inner secrets of the NSA, he has been urging Americans to use encryption to protect themselves from rampant spying.

"Encryption does work," Snowden said, via a remote connection at the SXSW tech conference. "It is a defense against the dark arts for the digital realm."

ProPublica has written about the NSA's attempts to break encryption, but we don't know for sure how successful the spy agency has been, and security experts still recommend using these techniques.

And besides, who doesn't want to defend against the dark arts? But getting started with encryption can be daunting. Here are a few techniques that most people can use.

Encrypt the data you store. This protects your data from being read by people with access to your computer.

• Encrypt your hard drive so that if you lose your computer or you get hacked, your information will be safe. Most recent Apple Macintosh computers contain a built-in encryption system called FileVault that is simple to use. Some versions of Microsoft's Windows 7 also contain a built-in encryption system called BitLocker. Another popular solution is the free, open-source program TrueCrypt, which can either encrypt individual files or entire partitions of your computer or an external hard drive.

[Since this article was written, TrueCrypt has abruptly shut down. See this BoingBoing report.]

• Encrypt your smartphone's hard drive. Yes -- your smartphone has a hard drive much like your computer does. In fact, your phone probably contains as much --or more -- sensitive information about you as your computer does. Apple doesn't let you encrypt your smart phone's hard drive or the files on it, though the operating system will encrypt passwords and some other files if you use a passcode on your device. Apple will also let you encrypt your phone's backup files on iTunes or iCloud. You can also use Find my iPhone to remotely "wipe," or delete the data on your iPhone or iPad if it is lost or stolen. Google's Android operating system lets you encrypt your phone hard drive.

• Encrypt the data you store in the cloud. I use the SpiderOak encrypted cloud service. If an encrypted cloud service were somehow forced to hand over their servers, your data would still be safe, because it's encrypted using a key stored only on your computer. However, this also means that if you lose your password, they can't help you. The encrypted data would be unrecoverable.

Encrypt the data you transmit. The Snowden revelations have revealed that U.S. and British spy agencies are grabbing as much unencrypted data as they can find as it passes over the Internet. Encrypting your data in transit can protect it against spy agencies, as well as commercial data gatherers.

• Install HTTPS Everywhere on your Web browser. This encrypts your Web browsing sessions, protecting you from hackers and spy agencies that scoop up unencrypted traffic across the Internet. Not every site works properly with HTTPS Everywhere, though an increasing number do.

• Use encrypted texting apps with friends who install the same apps on their phones. On the iPhone, Silent Circle and Wickr offer apps for encrypted texting. On Android, the TextSecure app encrypts texts in transit and when they are stored on your device.

• Use the Off-the-Record Messaging protocol to encrypt your instant messaging conversations. You can still use your favorite instant-messaging service, such as Gchat or AIM, though you'll need to use a software client that supports the Off-the-Record protocol. On Macs, free software called Adium can enable OTR chats, and on Windows, you can use Pidgin. Once you've set up OTR and gone through a simple verification step, you can IM as you usually do. Both parties have to use OTR for the encryption to work.

• Use Gnu Privacy Guard to encrypt your email conversations. Like OTR, if you're using GPG you'll need the people you email with to use it as well in order to encrypt your conversations. I use free software called GPG Tools with Enigmail and Postbox. GPG Tools also works directly with Apple's built-in Mail program. [Using Thunderbird as your email client with the Enigmail add-on is an easy way to use GPG with any platform -- I use it with my Macintosh work computer and Ubuntu Linux home computer. In Julia Angwin's excellent book, which you should all read, she admits that she needed help to get GPG working with Postbox. I believe if she had used Thunderbird she would have figured it out herself. -- The Mgt.]

GPG has some shortcomings — it's difficult-to-impossible to use it with the mail program built into most smartphones, and you can't use it easily with webmail like Gmail.  [Gmail works well with Thunderbird -- see the previous paragraph -- The Mgt.] (Although there are some new web-based mail programs that use GPG called Mailvelope and StartMail that I haven't had a chance to try yet.)

The most difficult part of GPG is that, unlike the encrypted texting and instant messaging programs, you have to generate a secret key and keep it somewhere secure (usually on your computer or on a USB stick). This often means you can only send GPG mail when you have your key with you. Even so, it is incredibly satisfying once you send your first message and watch it transform into a block of numbers and letters when you click "encrypt."

Clarification (May 7, 2014): This post was clarified to specify that Apple's iOS encrypts some files automatically.


gacord said...

3 cheers for this one, Tom! RE: the encrypted mail on the phone. I use an app on my iPhone called iPGPMail to encrypt/decrypt emails. It _is_ more cumbersome than the automatic activity I get from GPG Tools because I have to move over to a separate app and then type in my private key to read an encrypted email (reverse that process to send.) But hey, what's a few extra keystrokes... even if it's only for a little OM?

As I see it, Julia nails it here. Encryption is relatively easy. If you'd be pissed about the mail carrier reading your bills and junk mail (does anyone get letters anymore? I do, but they're rare.) Then why let them read your electronic mail? (texting, messaging, chatting all counts as mail to me as it's traveling beyond the face-to-face chat).

John said...
This comment has been removed by the author.