what we suspected and our paranoid friends have always told us eventually turned out to be true – and even worse than thought. Edward Snowden’s brave revelations were shocking, but not shocking enough to make the normal citizen take consequences in his or her online life. we’re very quick in accusations and blaming politics about the lack of privacy and security of our online data – but in the end it’s our own fault and our own responsibility.
enjoying the convenient and easy to use services of google, facebook, and other corporations for FREE did not make us think about why they offer them for free. they are in fact not. we pay them what’s way more worth than money: our information. of course it was just a matter of time that not only corporations used and abused the info we voluntarily gave them – but also governments and secret services took the logical opportunity to tap into this priceless collection of our private lives. i’ll not go into detail about what this means, i am sure there are zillions of other posts and articles about it all over the net.
eventually i am trying to take this responsibility about my data serious and i want to give some hints and advice about my attempts to gain more privacy and security of my data.
local data encryption
first of all, my offline data. as most people nowadays i own a portable computer. my whole life is on there and it getting stolen would be quite a disaster. in this case i would not want all my personal information like stored emails, photos, bank account and business data, crucial files, private journals and all these things get into the hands of someone else.
i tried different free tools to encrypt a dedicated partition on my hard drive as a vault for my personal data. the first one i tried was TrueCrypt. It’s available for Windows, Linux and MacOS X and quite straight forward to use. You can create a fixed size virtual drive that exists as a file in your filesystem, and you can even create a hidden virtual drive, or you encrypt a dedicated partition on your drive. TrueCrypt has nice features, like auto-mounting your secure drive on system startup, and so on.
a good alternative is EncFS that is also available for all major operating systems and even for Android. It’s quite convenient to encrypt your cloud drive (Dropbox, …) because it does’t work as a virtual file system, but encrypts the single files within every existing file system which allows it to be flexible in size and you can have your encrypted files synced on your Android device.
i found TrueCrypt a bit slow and unstable and a friend also pointed me to this paranoid article that suspects TrueCrypt not to be safe, because it is based on proprietary code, not open source (can’t be checked for backdoors), created by dubious anonymous coders and might even have a backdoor – nobody can verify the claims, but to be fully sure the only way is to not use it, right?
i really liked EncFS because of it’s ability to grow flexibly and to sync it to my Android phone, but on my Windows machine it was terribly slow and my Thunderbird email client constantly lost it’s account data because crucial config files residing in my encrypted folder could not be loaded and even got lost – i need reliability and EncFS did not provide it.
eventually i ended up using DiskCryptor that is based on TrueCrypt and made for encrypting physical partitions. not using virtual partitions seems to make it work faster than the alternatives and you can even encrypt your system drive because it can load on boot time before the operating system comes up. It’s fully open source and runs rock solid, but only available for Windows machines.
covering my tracks
not only national and international secret services and other dubious state authorities want to know when i am browsing which webpage, but mainly the big five (Apple, Microsoft, Google, Facebook, Amazon) want to know everything about you, your friends, the friends of your friends, where you or they are and what you do and potentially want to buy from them. i am not going to get into details about cookies and scripts tracking you, adwords and so on. it will take you not more than 10 minutes to equip your browser with some plugins that will give you 80% more privacy on the web.
HTTPS Everywhere – ensures that the communication between you and the webpage you visit will always be SSL encrypted
Disconnect – visualizes and blocks all the websites that constantly try to track you and makes your browsing experience not only more private, but also a tick faster
AdBlock – blocks those omnipresent Ads from showing up on the websites you browse
don’t use google as your main search engine, even if it provides the best search results. Make the open DuckGoGo your standard browser search engine of choice, or use StartPage or IxQuick if you want the Google results without ads and being tracked.
if you want even more privacy and not reveal your real IP address, try the Tor/Onion Router network. It’s very straight forward to use if you just download the whole Tor Browser Bundle pack and start surfing privately. it will make everything a bit slower since all your internet traffic gets re-routed via several Tor user proxies, but it’s acceptable. it will confuse the hell out of your gmail and facebook who constantly warn you about all the unknown locations “someone” attempted to login to “your” account – but using privacy measures on a Google page or a social network is not really the point anyway, right?
for Windows i prefer Advanced Onion Router over the official Tor Bundle because it provides socks 4 and 5 proxies for all your applications that can use a manually configured proxy connection. Tor/Onion Router works fine for browsing the web and email communication, but it’s way too slow if you want to download large files with a decent speed. For this scenario it’s a good idea to register at some VPN proxy provider that give you high speed VPN tunnels with various international exit points that cover your private IP address. i chose proxy.sh (based on the Seychelles) because it’s reliable, fast and comes with their own little connection tool so you don’t have to bother with setting up VPN connections in your system. you can even pay for their services in BitCoins in case you’re into that.
so now we got our local data encrypted and our online tracks covered. but what about our means of communication like email and instant messaging, where it’s not crucial to stay anonymous but have the stuff we talk about with others kept private?
for email encryption there are two common encryption methods. the most popular one is PGP or GPG where you create a private key for yourself and a public key for everyone who wants to send you emails and make sure only you can read them. read about PGP on the net if you want more details. in practice i recommend the Enigmail add-on for Thunderbird email client, or if you are a Gmail webmail user, you should check out the Mailvelope add-on that allows PGP encryption within the webmail interface in your browser.
the other encryption method mainly used in corporate email setups is called S/MIME which is supported out of the box by most email clients. You just need to get or create yourself an SSL certificate and load it up into your client. Everything else is almost automatically handled in the background by your email client.
one general problem with email providers like Gmail, Yahoomail, Hotmail, … is that our emails are saved on their servers, so they can read your mails too and potentially third parties also, whether it’s to find out your consumer behaviour or if you have something to hide doesn’t matter. fact is that they do. if you don’t like that idea, encrypt your emails or use a mail provider that does that for you, like
lavabit, silent circle, neomailbox or the very promising looking StartMail coming up soon. they all cost a little money, but they make sure, your email is safe and that nobody will get access to them.
for our instant blabbering clients (AIM, ichat, Jabber, ICQ, …) there are methods of encryption too. you can use PGP/GPG like with your emails, or more commonly used is OTR (Off-The-Record) encryption. both are available for the cross platform open source messenger client Pidgin wich i really recommend.
i recommend it even for Facebook and Gtalk chats, because under the hood these messengers are nothing else than normal XMPP protocol based messengers and you can easily use any XMPP/Jabber client to speak to your Gtalk/FB friends.
on your mobile phone, WhatsApp is a disaster concerning privacy and security and SMS text messages are also not the safest thing to send, because all state authorities can easily decypher them. for Android (possibly also available for iOS) i really recommend the following apps to make your mobile messaging more private:
TextSecure – saves all incoming and outgoing normal SMS encrypted on your phone and if the other person also has it you can even send fully encrypted SMS. simple interface, everything works nicely in the background.
Threema and myEnigma – two swiss products that ensure highly encrypted messaging with people who have the same app. highly recommended.
Gibberbot – provids OTR encryption for all Jabber/XMPP based messenger services
K-9 Mail – the best email client out there for Android devices, fully supports PGP/GPG encryption (needs AGP)
DJIGZO – provides S/MIME encryption for all your Android mail clients
if you also want to hide your mobile IP address, there is a nice tool called Orbot that routes all your traffic through the Tor/Onion router network.
i hope you enjoyed my roundup of the last months of research, trial and errors to reclaim at least part of my privacy. to sum it up: don’t trust them to respect your privacy, it’s your own responsibility. use it!