pood.re/blog

It's the pood.re blog. Cool. You'll find me talking about things I did, or things I want to do, or things I like, or things I don't like. Let's say you'll find me talking about things. Topics include: computing & computers, gender/sexuality/diversity and politics. Sensitive topics will be warned about.

Privacy and security on the Internet: the "no financial incentive" version

2020-07-07

This guide was written by someone who does not have any sort of stake in privacy or security companies.

The goal of this guide is to provide common-sense privacy and security tips for people who aren't technically-minded or don't know much about how software and the Internet can violate your privacy and security if you're not careful.

1. Security

A drawing of a person with a shirt saying 'Hacker' looking at a computer screen with green lines. The person says 'I'm in.'
A typical hacker as they go about their hacking stuff

Security is the "hacker stuff". It's about keeping your computer safe in general, not necessarily your data. Think of it as protecting yourself against burglars: it will help in protecting your privacy, but it is not the only thing it does, nor is it the only thing you need to have good privacy.

1.1. Updating

The first and most important step for good security is simply to update your operating system and software. New security issues are discovered in many pieces of software every day, and they usually get patched in security updates only a few days later. Some of these security issues allow for automated mass exploitation, so fixing them as fast as possible is very important. Check for new updates every day, especially for internet-facing software like web browsers and your operating system.

1.2. Untrusted software

Be careful about running software you don't know. Even unprivileged software with no administration rights can do serious damage to your computer, so you always have to trust what you run. Download software from the publisher's website rather than from download portal websites.

1.3. Backups

You need backups. Even though your data has little chance of getting stolen or deleted, making backups is essential for the rare cases when it does. If that never happens, you'll still be glad to have your data safe in case of a drive failure or a lost device.

1.4. Password managers

Another useful thing you can do for completely free is to use a password manager. Computers are better than you at coming up with and remembering passwords, so you should let yours do it. I recommend KeePassXC for computers and KeePassDX for Android devices. For other devices, search for an application which can read KeePass .kdbx files.
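As an added illustration of why a computer is better than you at picking passwords, here is a small Python example (mine, not the author's and not KeePass code) that generates passwords and passphrases from the operating system's cryptographic random source and reports how many bits of guessing work a uniformly generated secret carries. The word list is a constructed eight-word stand-in; a real manager ships a list of thousands of words.

```python
import math
import secrets
import string

# Character classes a password manager typically draws from (94 printable ASCII symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed mini word list; a real manager ships thousands of words (e.g. diceware lists).
WORDS = ["apple", "river", "candle", "orbit", "meadow", "puzzle", "velvet", "anchor"]


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Pick each character uniformly at random from the OS CSPRNG (secrets), never random.random."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(count: int = 6, words=WORDS, sep: str = "-") -> str:
    """Pick `count` words uniformly at random; easier to type when you must enter it by hand."""
    if count < 1:
        raise ValueError("count must be at least 1")
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(choices: int, pool_size: int) -> float:
    """Entropy of `choices` independent uniform picks from a pool of `pool_size` items.

    This is the guessing work an attacker faces *only if the picks are truly uniform*;
    a human-chosen password of the same length has far less because it follows patterns.
    """
    if choices < 1 or pool_size < 2:
        raise ValueError("need at least one pick from a pool of at least two items")
    return choices * math.log2(pool_size)


def password_entropy(password: str, alphabet: str = ALPHABET) -> float:
    """Upper bound on the entropy of a generated password (assumes uniform generation)."""
    return entropy_bits(len(password), len(alphabet))


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"{password_entropy(pw):.1f} bits")
    pp = generate_passphrase(6)
    print(pp, f"{entropy_bits(6, len(WORDS)):.1f} bits (tiny word list, hence only 18 bits)")
```

The `entropy_bits` figure is why the word list matters: six words from eight give 18 bits, six words from a 7776-word diceware list give about 77 bits, and a 20-character password from the 94-symbol alphabet gives about 131 bits. None of that applies to a password you made up yourself, however long it is.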

1.5. Other recommendations

For syncing important user files such as password databases or pictures, I recommend Syncthing, a self-hosted alternative to Dropbox and the like, which means the files stay on your devices and never sit on some private company's servers.

You will notice that I'm consistently recommending open-source and self-hosted software (KeePass instead of LastPass, Syncthing instead of Dropbox), and I will continue to do so. One of the reasons is that sadly your devices are not the only ones vulnerable to security issues. Private companies' software also gets broken and hacked into.

  • There is much less financial incentive for someone to break into your device compared to, say, Google's servers, which contain lots more exploitable information.
  • Even when it is trivially easy for a hacker to get into your device because of a devastating security breach (which happens once in a while), the security exposure of "all my devices" is still smaller than "all my devices + a bunch of cloud servers".

Another reason for choosing open-source free or "libre" software is that it is often more ethical, but more on that in the next section.

2. Privacy

Privacy online is just like privacy in real life. You don't want anybody to snoop around in your digital personal life, just like your real personal life, especially since those overlap so much nowadays. So what's the solution for privacy online? It's a bit more complicated.

2.1. The precious, precious data

The data that companies are after is: anything they can get about you. They want to know your browsing history, what ads you click on, what things you buy, what your name is, how old you are, what your age is, where you live, where you are at any moment, your religion, your sexual orientation, your friends, your political convictions, what you say in front of a microphone, any pictures you take. Everything is up for sale. Anything that gets them more data about you, that lets them squeeze these few fractions of cents of ad revenue out of you.

2.1.1. Your Internet fingerprint

Any piece of information about you or the device you're using will be used to build a profile of you. The more information you give, voluntarily or not, the better they will know you. It is possible to cross-reference the different pieces of data you give away on the Internet in an attempt to identify you uniquely. This is often referred to as "fingerprinting": the more specific the information, the more confident they can be that they are tracking you, and you specifically.

One useful tool to know how easily identifiable you are based on the information your browser gives off about you by default is Panopticlick.

2.1.2. Who wants your data?

Most commonly, private companies specialized in showing ads to you or targeting products to you. There is an extensive network of companies trading data back and forth about millions of people. It's a lucrative business. You can read up on one such company that made the news in quite a big way: Cambridge Analytica.

Private companies are not the only ones to enjoy collecting people's data: governments love it too. That's why, in many countries, it is completely legal for your Internet Service Provider to be tapped by the government. Imagine the scandal if they could tap your physical mail.

The tips I'm giving here are useful for the common person, but less so for someone who is actively being watched, like an investigative journalist or a whistleblower, who will need to be much more paranoid and not settle for good enough.

2.2. Trustworthy software

Applications that want to collect your data will collect your data. Some of them allow you to disable personalization of your content and ads using your data, but they will collect the data anyway; they just pinky promise they won't use it. The same goes for websites that ask you to allow them to collect cookies: if you don't allow them, you often can't even use the website.

2.2.1. Open, libre, free, community-led, and ethical software

Firstly, you can use an alternative, open-source, community-owned application. Having the software community-owned allows you to better trust that the decisions made by the developers are only motivated by popular request and not driven by greed. Having the software open-source allows other developers to look through the software to make it better, fix issues with it, and of course make sure it respects the user's privacy.

But in the case of apps that use a remote privately-owned service, using an alternative client is only part of the answer. However much better a YouTube app is compared to the official one, it will still be obligated to connect to the remote service, even if it does not send as much data. The only way to completely escape the data collection is to use an alternative to the service. Twitter might get replaced by Mastodon, Instagram by Pixelfed, etc.

Be wary of alternatives offered by other private companies instead of individuals and communities: it's nice to break up your data sending across different companies as it makes it more difficult to get profiled by a single one, but the best way to not get profiled is to not send data to any companies. A good website to find ethical alternatives is switching.software.

The Firefox browser logo.
The only major browser that is committed to your privacy. Image © Mozilla Corporation

This is a very deep topic that definitely needs more attention from people. If there's only one thing you end up doing after reading this, you should research what software you're using and think about who's behind it and whether you're OK with it. Use Firefox.

2.3. Blocking ads

The uBlock Origin logo.
uBlock Origin, my and many people's favorite ad blocker. Image © Raymond Hill

One of the easiest things you can do to improve your privacy is to block ads. Everywhere. It's not just a matter of annoyance, it's a matter of dozens of different companies not spying on you. Some ad blockers will allow some ads to slip through because they are so-called "acceptable". Use independent, community-managed ad blockers instead, as they do not botch their job in exchange for money from big advertising companies. For web browsers, uBlock Origin is probably the best bet.

Ad blockers do even more than blocking ads, because they also include general privacy-protecting blocking. Many big companies provide tools for site owners to track activity on their websites, and in exchange the companies get to keep all the data too. It's completely invisible and undetectable for the common person, and does not add any value to your browsing experience. These trackers are blocked automatically by ad blockers, just as visible ads are.

2.4. Encryption over the Internet

The Firefox web browser showing a website encrypted using HTTPS.
HTTPS encrypts most of the web, including these very words! HTTPS lock Firefox by Reseletti is licensed under CC0 1.0

Most of the traffic you send across the Internet is already encrypted using military-grade protocols and ciphers. Any time you use an app or a website which uses HTTPS, you are almost guaranteed that only you and the website can know exactly what you're doing there. That doesn't mean that your data is safe, but rather that only the website and its partners have to be trusted, not the people who carry your traffic across (like your Internet Service Provider).

HTTPS is the encrypted version of HTTP, the Internet protocol for the web; the encryption layer it uses is a protocol called TLS.

But there is some information that your computer still gives out about what you're doing, despite the democratization of encryption on the web.

2.4.1. Old protocols for a new age

Nowadays everything is encrypted because it is easy, cheap and transparent for a programmer to set up. But there was a time when encryption was considered too expensive or not useful enough to be baked into protocols, including protocols which are still used nowadays.

Some phone book listings.
DNS is often compared to a phone book for computers on the Internet. "The Phone Book Listings" by herzogbr is licensed under CC BY-NC-SA 2.0

One such protocol is DNS. DNS is the protocol that your computer uses to translate addresses like "pood.re" to a special number called an IP address, used to refer to the computer at pood.re. Think of it like a way to translate your physical mail address to GPS coordinates. That protocol is not encrypted by default! That means that by default, all the websites your computer wants to talk to are shouted out loud over the Internet.
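To show what "shouted out loud" means in bytes, here is an added Python example (mine, not from the post) that builds a plain DNS query for "pood.re" in the standard wire format and then reads the hostname back out of the raw packet the way any passive observer on the path (your ISP, the café Wi-Fi, a government tap) could. The query bytes are constructed locally; nothing is sent over the network.

```python
import struct

# Constructed example: the hostname this blog lives at, as used in the text.
EXAMPLE_NAME = "pood.re"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard DNS A query for `name` in RFC 1035 wire format (the UDP payload)."""
    # Header: id, flags (RD=1: "please recurse"), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME: each label is length-prefixed and the name ends with a zero byte.
    # The bytes are the ASCII letters of the hostname: no encryption, no obfuscation.
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.rstrip(".").split(".")
    ) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A (IPv4 address), QCLASS=IN
    return header + question


def observer_view(packet: bytes) -> dict:
    """What anyone on the path reads out of the raw bytes, without any key or cooperation."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    pos = 12  # the question section starts right after the fixed 12-byte header
    labels = []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointer; not valid in a question name
            raise ValueError("unexpected compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return {
        "txid": txid,
        "recursion_desired": bool(flags & 0x0100),
        "questions": qdcount,
        "name": ".".join(labels),
        "qtype": qtype,
        "qclass": qclass,
    }


def name_visible_in_cleartext(packet: bytes, name: str) -> bool:
    """True when the hostname can be pulled straight out of the packet by a passive observer."""
    return observer_view(packet)["name"] == name.rstrip(".")


if __name__ == "__main__":
    pkt = build_query(EXAMPLE_NAME)
    print(pkt.hex())        # "pood" and "re" are readable even in the hex dump
    print(observer_view(pkt))
```

Running it prints the 25-byte packet, in which `04 70 6f 6f 64 02 72 65 00` is literally "pood.re" with length prefixes. DNS over HTTPS or TLS, mentioned below, wraps this same packet inside an encrypted connection, so the observer sees only that you talked to a resolver, not which name you asked about.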

There are efforts to encrypt DNS traffic: DNSCrypt, DoH and DoT. There are discussions on which is better for privacy and security, but generally, they're better than nothing. Microsoft and Apple are planning to implement encrypted DNS, and it's already an option on recent Android devices. Firefox is starting to roll out encrypted DNS for their users.

Of course, as usual, make sure you trust the DNS provider that you use. By default, you are probably using the one provided by your Internet Service Provider; if you switch, make sure you trust the alternative provider just as much. A handy list of alternative DNS providers is available here.

2.5. Optional: Re-routing your traffic

One of the pieces of data you are forced to give out when using the Internet is your Internet Protocol address, or IP address, which is just a number that your Internet Service Provider assigned to you and sometimes to a few other people. Your ISP got it from one of several Internet authorities, depending on where you live. So when you connect to a website, your computer sends a message that tells the website who you are (your address) along with what you want (the page URL). In order to send the content back to you, the website has to read your address.

Most companies will not be able to personally identify you with just your IP address, but it's enough to guess which country, state, and city you're connecting from, usually with pretty good accuracy. Only your ISP will be able to know which IP address is associated with which people, but in many countries the government is allowed to access that information too. Private companies will however probably not be able to guess your name or physical address by your IP address alone.

But since you're most commonly using the Internet from one or a few IP addresses, a website will be able to use your IP address, along with other info, to identify you uniquely. Sure, there can be dozens of people using IP address X, but how many people use IP address X, with that one browser, with this specific screen size, watching videos about cats? Your IP address has a very big role in identifying you. This is why, for security purposes, some websites like Google will warn you if someone logged into your account from a previously-unseen IP address, because it's likely not you.

Note that an IP address is assigned to you by your ISP, but doesn't stick around forever and often gets assigned to other people after a while, typically during a router reboot. For mobile Internet, your IP address will change probably even more often.
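The "how many people use IP address X, with that browser, with that screen size" question from this section, and the fingerprinting idea from section 2.1.1, can be made concrete with a little arithmetic. The following Python example is added here (it is mine, not the author's and not Panopticlick's code); it runs over a constructed log of eight visitors sharing two IP addresses and computes, for any visitor, how many others share a given set of attributes, how many bits of identifying information those attributes reveal, and the smallest set of attributes that singles the visitor out. The IP addresses are from the documentation ranges and the visitors are invented.

```python
import math
from collections import Counter
from itertools import combinations

# Constructed sample of what a site might log for eight visits (two shared IP addresses).
PROFILES = [
    {"ip": "198.51.100.7", "browser": "Firefox", "screen": "1920x1080", "lang": "en-US"},
    {"ip": "198.51.100.7", "browser": "Chrome", "screen": "1920x1080", "lang": "en-US"},
    {"ip": "198.51.100.7", "browser": "Chrome", "screen": "1366x768", "lang": "fr-FR"},
    {"ip": "198.51.100.7", "browser": "Safari", "screen": "2560x1440", "lang": "en-US"},
    {"ip": "203.0.113.42", "browser": "Firefox", "screen": "1920x1080", "lang": "en-US"},
    {"ip": "203.0.113.42", "browser": "Chrome", "screen": "1920x1080", "lang": "en-US"},
    {"ip": "203.0.113.42", "browser": "Chrome", "screen": "1920x1080", "lang": "de-DE"},
    {"ip": "203.0.113.42", "browser": "Firefox", "screen": "1366x768", "lang": "en-US"},
]


def anonymity_set(profiles, visitor, attrs):
    """Number of visitors (including `visitor`) whose values for `attrs` all match."""
    key = tuple(visitor[a] for a in attrs)
    return sum(1 for p in profiles if tuple(p[a] for a in attrs) == key)


def identifying_bits(profiles, visitor, attrs):
    """Surprisal in bits: log2(population / size of the group sharing these values).

    log2(N) bits means the visitor is unique in the population; 0 bits means everyone matches.
    """
    return math.log2(len(profiles) / anonymity_set(profiles, visitor, attrs))


def attribute_entropy(profiles, attr):
    """Shannon entropy of one attribute over the population (the per-attribute figure
    Panopticlick reports): how much an observer learns on average from seeing it."""
    counts = Counter(p[attr] for p in profiles)
    n = len(profiles)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def smallest_identifying_set(profiles, visitor):
    """Fewest attributes (first found) that single out `visitor`, or None if never unique."""
    attrs = list(visitor)
    for size in range(1, len(attrs) + 1):
        for combo in combinations(attrs, size):
            if anonymity_set(profiles, visitor, combo) == 1:
                return combo
    return None


if __name__ == "__main__":
    me = PROFILES[1]  # Chrome, 1920x1080, en-US, on the first shared address
    for attrs in [("ip",), ("ip", "browser"), ("ip", "browser", "screen")]:
        print(attrs, "shared with", anonymity_set(PROFILES, me, attrs),
              "visitors =", round(identifying_bits(PROFILES, me, attrs), 2), "bits")
    print("smallest identifying set:", smallest_identifying_set(PROFILES, me))
    for attr in me:
        print(attr, "entropy:", round(attribute_entropy(PROFILES, attr), 2), "bits")
```

For the second visitor the IP address alone is shared with three others (1 bit out of the 3 needed to pick one of eight), adding the browser still leaves a pair, and adding the screen size makes them unique; the smallest identifying set is exactly IP address plus browser plus screen size. Rotating the IP address (a VPN, Tor, or just a router reboot) shrinks that contribution, but the remaining attributes keep contributing bits, which is why it only makes profiling harder, not impossible.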

2.5.1. VPNs

A stock photo titled "VPN blue".
This stock photo has nothing to do with how a VPN works. I just think it's funny. Install your blue shift key now for super security! "VPN blue" by Infosec Images is licensed under CC BY 2.0

So how do you solve this? Imagine the real-world equivalent: if you didn't want to let people know your address but still wanted to receive mail, you'd use a P.O. Box. The equivalent of a P.O. Box is another computer, that has a different address and sends and receives the messages for you. You send it the message, and it will act as a middle person between you and the website. The website then only knows that computer's address. Genius! That is a VPN.

But whether you use one IP address or another to connect to the website, it doesn't matter, right? The website will still be able to tell someone is watching cat videos, they might just not be able to know where you are really connecting from.

And yes, that is the first advantage of routing your traffic through another computer: you can fake being from another country, which is useful when you want to see geo-blocked content (say BBC iPlayer outside of the UK for example). Of course the VPN company will have to own a computer in that country for you to connect to it.

The real privacy gain comes if you regularly switch IP addresses. That will, indeed, make it harder for companies to build a precise profile of you. The key word here is harder. Not impossible, just harder.

This is where most VPN marketing gets kind of misleading: some commercial VPNs sell themselves as a perfect privacy solution, whereas a VPN is only part of what you can do to improve your privacy. Plus, of course, VPN services are sold to you by a company, which means you can only trust them as much as you trust said company. In many countries, VPN companies are required by law to let the government watch the traffic going through their computers, just like Internet Service Providers.

So in the end, should you subscribe to a VPN service? Well, maybe. If you like the security improvement and the geo-blocking bypass, it might be useful. If you're doing it because you want more privacy online, there are many other ways to achieve that which are cheaper and less risky. Nothing is an all-in-one solution; you will also have to change your Internet usage in other ways. Expect slightly higher delays for loading things, because your messages will bounce around for longer before reaching their destination.

2.5.2. Tor

The Tor Project logo.
Tor is probably the best around for almost total privacy online. Image © The Tor Project

Tor uses a different architecture to achieve a similar result to VPNs. Instead of sending all your Internet traffic to a computer that then forwards it to wherever you want it to, Tor is a network of volunteer computers that bounce around your Internet traffic along a specific route, starting with an "entry node" and ending with an "exit node". The nice thing about Tor is that each node only knows about the previous node and the next node in the route, so that even if an intermediary node is compromised, it cannot both know who you are and read your traffic, and most often it can't know anything at all.
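The "each node only knows the previous and the next node" property comes from layered encryption: the client wraps the request in one layer per relay, and each relay can remove only its own. The following Python simulation is an added example (mine, not Tor Project code) of that layering with a three-hop route. It uses a deliberately toy XOR stream cipher derived from SHA-256 as a stand-in for the real per-hop ciphers and TLS links, so it shows the structure, not Tor's actual cryptography; the relay names, keys and the request are all constructed.

```python
import hashlib
import json
import secrets


def _keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || counter). NOT secure (no authentication); demo only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Apply (or remove, it is the same XOR) one encryption layer with `key`."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def make_keys(route):
    """One fresh key per relay, as if negotiated with each hop when the circuit was built."""
    return {node: secrets.token_bytes(32) for node in route}


def wrap_onion(route, keys, destination: str, request: bytes) -> bytes:
    """Client side: innermost layer (for the exit) names the destination and carries the
    request; every outer layer names only the next relay and carries an opaque blob."""
    layer = json.dumps({"next": destination, "data": request.hex()}).encode()
    blob = xor_crypt(keys[route[-1]], layer)
    for i in range(len(route) - 2, -1, -1):
        layer = json.dumps({"next": route[i + 1], "data": blob.hex()}).encode()
        blob = xor_crypt(keys[route[i]], layer)
    return blob


def peel(node: str, keys, blob: bytes):
    """Relay side: remove exactly one layer and learn only the next hop plus an opaque blob."""
    layer = json.loads(xor_crypt(keys[node], blob))
    return layer["next"], bytes.fromhex(layer["data"])


def can_peel(node: str, keys, blob: bytes) -> bool:
    """Whether `node`'s key opens the outermost layer (a wrong key yields undecodable bytes)."""
    try:
        peel(node, keys, blob)
        return True
    except (ValueError, TypeError, KeyError):  # bad UTF-8, bad JSON, bad hex, wrong shape
        return False


def traverse(route, keys, blob: bytes, client: str = "client"):
    """Simulate the circuit and record what each relay could observe about the traffic."""
    views = []
    prev = client
    for node in route:
        next_hop, blob = peel(node, keys, blob)
        views.append({
            "node": node,
            "sees_from": prev,
            "sees_to": next_hop,
            "reads_request": next_hop not in keys,  # only the exit ends up with cleartext
        })
        prev = node
    return next_hop, blob, views


if __name__ == "__main__":
    route = ["entry", "middle", "exit"]
    keys = make_keys(route)
    onion = wrap_onion(route, keys, "pood.re", b"GET / HTTP/1.1")
    destination, request, views = traverse(route, keys, onion)
    for view in views:
        print(view)
    print("exit forwards", request, "to", destination)
```

The entry relay sees the client and the middle relay but only an encrypted blob; the middle relay sees two relays and nothing else; the exit sees the request and the destination but not the client. `can_peel` shows the other half of the guarantee: the middle relay's key does not open the outer layer, so a compromised relay cannot skip ahead. Real Tor adds what this toy omits, notably authenticated ciphers and key exchange per hop, and the exit still sees the request in cleartext unless it is itself HTTPS.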

Tor often comes packaged with the Tor Browser, a complete privacy suite which allows you to browse the web anonymously. It's a modified Firefox with extra security and privacy features. This is most likely how you will interact with Tor. It comes with JavaScript blocking as well as fingerprinting reduction by default.

2.5.3. Other anonymizing networks

Other projects like I2P try to achieve the same kind of goals as Tor using different approaches. Although more diversity in software is nice, only Tor is considered stable and secure right now, as it has been thoroughly reviewed by independent security researchers.

2.6. Optional: JavaScript

JavaScript is a programming language that runs in the pages you visit on your web browser. It was originally designed to serve as a way to make pages more interactive and dynamic. But JavaScript is a very versatile language and it can do many things that regular software on a computer does, without having to be installed. People have even made entire video games in JavaScript!

But because of that power, JavaScript can be used for nefarious purposes. Browsers let pages run JavaScript by default, and many people have scripts on their websites that they didn't write themselves. A very common piece of JavaScript code found in web pages is Google Analytics, which reports the pages you're visiting, how long you're spending on them, and where you click, directly to Google.

While a good ad blocker will most probably block Google Analytics and consorts, it can only block known dangerous scripts; any script with the same kind of dangerous behavior that has not explicitly been blacklisted by the ad blocker will pass right through.

The solution here is to block scripts by default, and only allow them on websites you trust, or at least only allow them when you can afford to give off a bit of information about you. Many websites will however be completely useless without JavaScript enabled. It's a trade-off. If you decide to go this way, uBlock Origin can do it.

3. Conclusion

As a conclusion, here is a to-do list of things you can do to make your device and your data more secure.

  1. Update your software frequently
  2. Use trustworthy software: open-source, libre, free and community-owned. See switching.software or alternativeto.net to find alternatives.
  3. Consider making regular backups of your most important data.
  4. Consider using a password manager to remember passwords for you.
  5. Block ads online, for example using uBlock Origin on your web browser.
  6. Consider researching how to enable encrypted DNS in your device.
  7. If you feel like it's worth it, use Tor for browsing the web more anonymously.

Happy browsing!