Online Self Defense
Slides for this class can be found here.
Defeating Online Surveillance
Why Care about privacy?
"Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say” – Edward Snowden
You suffer when information breaches occur
Linkedin, Target, Anthem, etc. All of these companies had lots of your data, and they all had major data breaches. By limiting the amount of data that companies have about you, you limit the damage that their carelessness can do. Remeber, any time that you put information online, it is now out of your control.
Privacy protects those who need it
There are many vulnerable populations that need privacy to avoid persecution. Depending on where you are in the world, this populations may include domestic abuse victims, members of the LGBT community, human rights workers and many others. Privacy also protects everyday people. Privacy allows a safe space to explore new ideas and ways of thinking without judgement. These ideas can literally change the world. When Thomas Paine wrote Common Sense, he published it anonymously. If his work had been under strict surveillance, he could not have possibly published a pamphlet so contrary to the views of those in power. Librarians refer to this freedom to explore ideas as intellectual freedom and it is impossible without privacy.
Who wants to surveil you?
Criminals / Hackers
Your information is valuable. If they can gain access to some of it, they can often get access to much more. A social security number can get you a credit card, or let you file a fradulent tax return. Your email contacts can give them information to do a targeted "spear phishing" attack which might get them banking information. Even just your name and email address is worth something to them. By limiting the information that is available about you, you limit your exposure to this kind of exploitation.
Information is the currency of the internet. Companies like Google and Facebook would never exist as free services without some way to monetize the service. That way is by selling your information to advertisers. The more comprehensive the profile they have of you, the more targeted ads can become. Some may argue that this is the bargain you make when you sign up for these free services, and in some ways it is true. However, these companies are far from transparent about what information they have, and what they can do with that information. If you have any doubt, try reading their privacy policies and see how transparent they are. You may be willing to trade information for access to a service. However with the use of third party cookies, and super cookies that can track you across multiple websites, many companies are collecting far more information than people realize. Even if we are ok with this, we are still trusting that these companies maintain good security for our information. The history of major data breaches should cause us to question that trust. Finally, we must continue to worry about the advertisers that these companies are selling our information to. There have been many cases recently of malvertising (advertising that results in malware) being shown on many reputable websites. In their quest to maximize profits, companies do not always provide adequate screening of their advertisers. This allows for abuse of the users while the company profits.
No rational person would argue that governments should not be able to gather information on adversaries. We expect our governemnts to provide for the common defense, and this means knowing who is a threat. However, this does not give a government agency carte blanche to collect any information on anybody they wish. It is quite a stretch to claim that the mass surveillance practices that have been revealed do not exceed the limitations set on these agencies. One reason that these agencies are able to maintain mass surviellance on the population as a whole is that technology has made it so cheap and easy to access lots of information. By enhancing privacy, we make this more expensive and ensure that the government spends its resources surveilling those who are actual threats rather than simply watching everyone.
What you can do to make surveillance more difficult
- Use HTTPS - this encrypts your connection between websites and your computer. It doesn't prevent someone watching you from knowing which website you connect to or how long you were there, but it does mean that they can't see exactly what was transferred between you and the website. It also helps to ensure that what you are seeing is what the website is sending. This prevents a Man In The Middle (MitM) attack.
- Disable Third Party Cookies in your browser - Cookies are needed for browsing the internet today, but you can ensure that the only cookies that a site is allowed to set are from that site.
- Log out of sites when done - Logging out of a site destroys the session cookie for that site. This keeps other sites from reading the session cookie and learning information about other services that you use.
- Compartmentalize web browsing - Maintaing seperate identities (or even completely seperate web browsers) for different tasks prevents sites from gathering information about you that they shouldn't have access to.
- Use privacy enhancing plugins for your browser. Three that are useful are:
- HTTPS Everywhere - This forces websites to use the encrypted version if one is available
- Privacy Badger - This prevents a lot of snooping on your web sessions by third parties
- uBlock Origin - This is a very good, light weight ad blocker. It will prevent malicious advertising and lower your bandwidth usage resulting in faster, more secure browsing.
Better Privacy - Proxies and VPN's
Web proxies forward your traffic, keeping the website from knowing where the connection originates. They do not provide encryption however, and provide no defense against someone snooping on your traffic.
VPN's are similiar to proxies except that they create an encrypted tunnel to the VPN server. This protects your privacy when on an insecure internet connection such as at a coffee shop or airport. Both VPN's and Proxies can be found on https://proxy.org. Note that some VPN's keep logs of who connects to them and where the traffic goes from their. Others do no logging. These are called anonymous VPN's and are far better for privacy.
Even Better than that - the Tor Browser Bundle
TOR is a strong anonymity tool that was originally developed by the navy. It bounces traffic through three voluntarily hosted relays located around the world while wrapping the traffic in three layers of encryption. This ensures strong protection against someone on the recieving end being able to trace the IP address of the sender. Although it isn't the end all, be all for privacy, it is a very strong tool. The Tor browser bundle can be downloaded from https://torproject.org. It works on all platforms including mobile phones.
Best protection - Secure Operating systems
For the best possible protection for your privacy, you can use a secure operating system. These operating systems are designed to replace current operating systems (such as Windows or OSX). They have privacy and security baked in from the ground up and are much more secure than most systems that people are more familiar with.
TAILS - https://tails.boum.org/
The Amnesiac Incognito Live System is an operating system that is designed to be run from a USB drive. It leaves no trace on the computer that it was run on when it is removed. It forces all interenet traffic through the TOR network and is excellent for preventing many of the deanonymizing attacks that have been used against TOR users in the past.
Qubes - https://www.qubes-os.org/
Qubes is a very interesting project that is under heavy development. It enforces the concept of segregating identities by using a seperate virtual machine for each role. This allows you to effectively do all of your banking from one computer, while having a second for casual web browsing, a third for work related email, a fourth for downloading music, etc. This provides excellent security, but takes a fair bit of resources to run well. It isn't recommended for older hardware.
Subgraph OS - https://subgraph.com/sgos/index.en.html
Subgraph OS is only available as an alpha release (early testing) right now, so it probably isn't suitable to use on a daily basis, but it looks very promising. It is designed to be installed on a computer and act as your primary operating system while having some of the best security features that TAILS has. If you are daring, try it out! If not, keep an eye on this project because it shows a lot of promise.
Our online self defense course is designed to teach online security to everyday users. It starts with basics like anti-virus and good passwords and progresses all the way to using the TOR browser. We are currently working on getting all of the information from our classes online.