Tuesday 23 July 2013

How to stop the online snoops

It's been more than a month since the Post exclusively interviewed surveillance whistle-blower Edward Snowden, but the fallout from his revelations about the US PRISM cyber-snooping program continues. Among the revelations were claims that US authorities have hacked Chinese mobile phone companies to access millions of private text messages, while Tsinghua University in Beijing appears to have been targeted, too.
It has brought attention to just how public our personal web browsing, online chat, file transfer, voice-over IP calls, cloud storage and e-mail really are. But is there anything we can do to stay safe from the snoops?
There are multiple ways of "digital shredding", encrypting data and staying anonymous, but before we explore the options, it's worth asking why you want to operate in secret. Also, if you encrypt your data, does that make you more suspicious to government snoopers?
Kevin Curran, a senior member of the Institute of Electrical and Electronics Engineers, reckons anyone making such arguments is living in the past. He says we've moved on from a time when the only people using encryption were paranoid geeks, terrorists and law enforcement agencies. Forget the Big Brother angle and think of it this way: is locking your house at night suspicious behaviour, or having a PIN code on your smartphone?
Keeping your private data secure is good practice for individuals and is becoming a necessity for businesses.
But there is no silver bullet that will keep all of your data and online behaviour safe.
"What you need to do to hide from online snoops depends in large part on what sort of snoops you want to hide from, and how valuable your information is to those snoops," says Lysa Myers, virus hunter at security software company Intego.
Its Identity Scrubber software - aimed at frequent travellers - digitally shreds sensitive data on a Mac. "It's quite difficult to hide yourself, if someone pursuing your information is sufficiently determined," says Myers, who recommends we take many small steps to protect privacy rather than attempt to erase all traces of ourselves online.
Aside from letting politicians know your stance on cybercrime laws and the government's ability to search people's data, she recommends going through the privacy and security options already built into most software, including the operating system, which you've likely ignored so far.
"Encrypting data at rest on a local device is best practice," agrees Curran, who says that anything held behind a firewall is likely to be encrypted.
"All data prior to being sent to a service like Dropbox should be encrypted before uploading to the cloud service," he adds.
People with the Ultimate or Enterprise version of Windows 7 or Windows 8 can use the built-in BitLocker software to encrypt the drive, while other options include TrueCrypt, DiskCryptor and CloudFrogger.
Anonymising web proxies are another way to protect yourself by completely obscuring your IP address, and thus your identity. Two examples are Proxify and hidemyass.com which let users visit websites from within a closed-off, encrypted Virtual Private Network (VPN), although using either is as easy as visiting a webpage. Anyone snooping around will see only scrambled, encrypted data.
"By connecting to the internet via a VPN, any data transmitted is encrypted and cannot be read by snoopers," says Danvers Baillieu, chief operating officer at Privax, which owns Hide My Ass. "Decrypting VPN traffic is theoretically possible, but would require a huge amount of time and processing power."
Many firms provide VPNs for staff to connect to base when working remotely, Baillieu adds. "The main reason to use a VPN is as an extra layer of security from hackers and snoopers - not necessarily government."
VPNs scatter your data to proxy servers around the globe for it to be encrypted before its journey into the wider internet, but there are downsides.
"They can be slow and practically unusable when it comes to streaming video or other bandwidth intensive applications," Curran says, a problem that stems from the constant redirection of data to multiple proxy servers. "They have also been subject to law enforcement subpoenas to release data on user IP addresses, so the professionals steer clear."
But encryption technology is just one of several approaches taken by professional anti-snoopers. Disconnect.me, an anti-tracking browser extension that takes seconds to download and install, is a bit of an eye-opener. It reveals exactly which websites (probably hundreds) are covertly tracking your every move around the internet with their "cookies", and it can block 2,000 websites from doing so.
Cookies are also the enemy of a service called Ghostery, which is available as a free Chrome plug-in. Those worried their Mac is being accessed by snoopers and rogue applications are assuaged by Little Snitch, a firewall that acts as a guard; you can deny or permit every single incoming and outgoing internet communication.
Secure search engines are, at last, making the headlines, too. "When you search on DuckDuckGo you are truly anonymous," says Zac Pappis, chief operating officer at DuckDuckGo.com, which has broken all of its traffic records since the PRISM story broke.
"People are being drawn to us because of our strong privacy policy. They are staying because they're getting a better search experience, including less spam, clutter, ads and better instant answers," Pappis says.
DuckDuckGo, which doesn't gather user information or profile its users, is now handling over three million direct searches daily, as are rivals like Ixquick and StartPage.
The most famous "anonymiser" is Tor, which is in the category of steganography: the art of writing hidden messages. It's definitely one for the geeks, using a network of volunteers worldwide to forward encrypted traffic anonymously between multiple routers to hide IP addresses and other identifying data.
"Tor is the gold standard for remaining anonymous online," says Curran. "To the best of any security expert's knowledge, Tor is completely anonymous." That means websites whose location is impossible to identify, invisible browsing habits and instant messaging that can't be eavesdropped on. In something of a privacy landmark for the internet, the latest version of Tor allows for users to advertise public services online without the need to reveal a public IP address.
"This is completely new for such a high profile service, and now stops others from gaining any knowledge of where such a service is physically located in the world," says Curran, who underlines how the use of Tor prevents websites from being shut down by governments: "How do you shut down a site which is hosted by a million-plus users?" In fact, much of the anti-snooping technology that exists is used by investigative journalists, political activists and whistle-blowers - like Snowden - and, of course, by government agencies.
Tor might be going a bit too far for some, but it's easy enough to protect your online chat conversations, all of which are stored by Google, Microsoft and Yahoo. The likes of TorChat, ChatSecure and Off-the-Record Messaging all encrypt your conversations, and keep them private within compatible messaging software, one of which is Pidgin. If you can't avoid using Gmail chat or other "big brands" of chat, consider disabling the logging of past conversations, which is usually a default setting.
For those who rely on a smartphone for instant messaging, the Wickr and Gliph apps do a similar job, although only between users.
Anonymous e-mail is easier than you might think. Those worried about Google, Microsoft or other US-based companies accessing their e-mail histories can use anonymous e-mail service providers such as Tor Mail, or secure cryptographic software such as Pretty Good Privacy or the free GNU Privacy Guard. Tor Mail uses anonymous servers that retain no e-mails or logs. "It doesn't matter if they are seized, or shut down or if the law enforcement agencies attempt to seize identifying information on users of the service," says Curran.
But what about online phone conversations? With Skype now known to have been targeted by US snoopers, open source and snooper-proof software like Silent Circle and RedPhone could become popular.
Perhaps the ultimate anonymiser is Burner Phone, which totally prevents telephone communications from being targeted by third parties. "Each phone has a hardware identification number called IMEI," explains entrepreneur-programmer Randall Degges of Burner Phone.
"When you place a phone call with a normal phone, your IMEI number is broadcast along with your call, making it easy to track your phone usage even if you switch SIM cards, or get a new phone number. Our Burners ensure you get a new IMEI with each order, making it impossible to associate a hardware phone with a specific person."
Each Burner comes with a SIM card that must be activated before use, and is assigned a random phone number.
If that seems ideal for criminals, you'd be right. "Our product is intended to help people maintain private communications, which is why we take a 'no questions asked' policy," says Degges. "What people do with this technology is up to them."
