An aerial image of the Government Communications Headquarters (GCHQ) in Cheltenham, Gloucestershire.
Photographer: GCHQ/Crown Copyright. CC BY-SA 2.0
Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say.
Edward Snowden, 2015 (source)
I get asked now and then how to improve one's personal privacy, digitally speaking. It's unsurprising that such questions are directed my way given privacy is a core objective of the hi:project, and yet I seemed to have attracted more than the usual number of questions since my last post – Introducing Google Assistant, the Surveillance Interface.
You might want to stop commercial entities intruding – it's difficult to sum up in a sentence or two how egregious the state of commercial surveillance is today. You might want to help head off the realisation of a surveillance state if only because you've read somewhere that such things don't end well. You might simply want to have less data about your movements and purchases and media habits and general proclivities out there because it's not a case of if the corresponding databases are hacked but when.
Importantly, I write this post the very week the UK has passed the most extreme surveillance law ever passed in a democracy. The so-called Snoopers' Charter is disgusting, distressing and, in good part, stupid.
Why stupid?
Well here's some information about how I protect my privacy. It takes just a little tech savvy and a little money. I have both, as will very many of the people the surveillance state supposedly exists to fight, leaving only the masses – the innocent, technically less literate and/or poor and/or couldn't care – the subject of Orwellian intrusion and risk. The chilling impact on the vibrancy of our society effects everyone.
Virtual private network
Subscribe to a VPN now and always use it – on your phones, tablets, computers.
I use Private Internet Access. For the monthly price of a flat white (disclosing my metropolitan proclivities there), my broadband ISP and mobile phone operator can't see what I'm doing – my web browsing is invisible to them, immediately undermining one of the major thrusts of the new UK law.
It also hides my IP address so commercial surveillance cannot use that unique identifier to attribute and connect up my various activities.
Importantly, Private Internet Access logs nothing so there is nothing that might be subpoenaed. Whichever VPN service you choose, make sure this is the case.
Added bonus – if you've ever wanted to access some media but have been prevented from doing so because you're outside a specific country (eg, the BBC while abroad, or some US content while you're in the UK), you can just change the endpoint of the VPN to that country in a click and you're sorted.
Do not track
Turn on Do Not Track (DNT) in every browser on every device you use. There is no legal requirement for any company to obey your request not to be tracked, but at least the more ethically minded listen. And use Firefox – the only browser that only has your best interests at heart.
DNT instructions for:
By the way, if you're still using Internet Explorer (IE), you should know this browser is no longer maintained by Microsoft. You should stop using it immediately and chose one of the above instead.
Secure web surfing
You should make sure that your browser establishes a secure connection to the website or web service you're visiting whenever that facility is available. Use HTTPS Everywhere.
Anonymous search
Use DuckDuckGo. As good as Google and Bing 90% of the time. And seriously, do you really want to look up that sexual disease or 'not normal' thing and have the search provider add it to your profile?
In appropriate instances, just use Wikipedia and follow the links from there.
Blockers
There are a variety of browser add-ons available to frustrate commercial surveillance. They stop the trackers embedded into websites from doing their thing. I use Privacy Badger. Not all blockers are created equal ... check out Better for Safari, where you'll also be able to read more on that topic.
Google Analytics
When those running a website want to understand how others use it, they configure some web analytics capability. The Google Analytics service is the market leader. Opt out here.
This one is tricky. Configuring your own email service isn't going to suit very many people. So right here I'm going to recommend gmail as the most secure / private of all the major email services. Of course, as soon as you let Google into your life, you're now relying on the services of the proprietor of the world's largest digital advertising business and therefore the most prolific tracker.
For the more adventurous: Hushmail and ProtonMail.
Messaging
If you're serious about privacy, you don't text / use SMS – that's entirely unencrypted – you use a messaging service. And if you're serious about messaging privacy, you check two things:
- that it employs so-called end-to-end encryption, and
- nothing goes via or gets logged with the service provider.
Last I checked, the second of these excludes anything from Facebook, Google, and Microsoft. Recent revelations also throw doubt on Apple's services too. Without hesitation, I recommend Signal.
Voice
Calls from your landline and mobile phone are unencrypted and they are being recorded. Use Signal.
Transactions
Use cash. Yes. I often find it's the payment choice for software engineers. What more validation do you need?!
Or Apple Pay ... "protects your personal information, transaction data, and credit, debit, and prepaid card information with industry-leading security."
Where you only have a choice of electronic methods, use the most niche. For example, I always use Oyster (dedicated payment method for London public transport services) rather than a bank card contactless payment.
Location
Prevent Android apps from tracking your movements.
Stop your Apple devices from tracking your movements.
The blockers (above) will frustrate Facebook from building the most detailed digital profile of you that you might imagine. (The profile would take hundreds of pages to print.) But perhaps the best method here is too much for you ... leave Facebook.
###
If you think I've missed anything, or worse have anything wrong, please do leave a comment accordingly. Thanks.
More reading
- Amnesty International – Urgent: Stop the new Snooper’s Charter annihilating our rights
- Open Democracy – The UK’s Investigatory Powers Bill is about to become law – here's why that should terrify us
- Gizmodo – Investigatory Powers Bill: A Closer Look at the Plans to Monitor Your Online History
- The Independent – Investigatory Powers Bill: 'Snoopers Charter 2' to pass into law, giving Government sweeping spying powers
- Liberty’s briefing on the Investigatory Powers Bill for Report Stage in the House of Lords
Traceless (@traceless_me) says:
Nice short writeup :) Few comments:
Just blocking all trackers should be the better choice than using DoNotTrack. A lot of companies don't care about that setting as it is not enforced, thus it is pointless to use it and you just make your browser profile more unique from others as a lot of people have DNT disabled.
Same goes for Google Analytics, no need to opt out, just block it completely.
As for paying one could refer to Bitcoind and other cryptocurrencies. It's also possible to get virtual and physical Debit cards now that can be filled via Bitcoin and co which makes paying a bit more private.
22 November 2016 — 3:49 pm
Philip says:
Thanks Traceless. You make some good points, and I'll explain further if I may.
Some pundits have labelled the past year or so the Ad-block-alypse! And with the rise of the use of adblockers, those owners of websites that rely on ad revenues have resorted to blocking access to anyone using a blocker, which in turn has led to the development of adblock-blocker-blockers! This arms race cannot continue to everyone's satisfaction.
DoNotTrack is a polite request not to be tracked, and it gives website owners the opportunity to respect that. It's not anti-ads per se, just anti-surveillance – the subject of my post here. We must continue to signal politely, as indeed this proposal from Don Marti, April 2016, encompasses.
Ditto GA. If Google politely offers the possibility, it is only polite and therefore productive to use it.
I am keenly interested in the world of cryto-currencies ... Zcash is getting my attention right now. But this post is for family and friends, and their families, the vast majority of whom would be lost by today's crytocurrency user experience. I wanted to leave readers with something they felt they can act on rather than some sort of masterclass. Although, perhaps such a thing would make for a lovely piece of marketing content if you fancy sponsoring it :-)
Finally, thanks again for dropping by. I did not know of Traceless before now, so will be sure to check it out.
22 November 2016 — 4:54 pm
DanThornton says:
Really interesting and useful article - I've had an interest in online privacy for a while, but it'll make a good, readable guide for friends and family who may not have heard of a VPN before...
One thing I do wonder is about the Google Analytics Opt Out Add On - reading the Google docs, it doesn't seem to explain exactly what data you're opting out of sharing, or if you basically vanish completely...
I ask partly because if the second case it likely, you'll probably see an increasingly number of website owners installing secondary analytics software, and because it's an interesting dilemma as someone who wants to respect privacy settings but also wanting to bootstrap multiple websites into sustainable businesses - the loss of anonymous keyword data has already proven to be a massive pain in terms of better serving visitors, when it's harder to pull together data on what they're looking for. And for anything relying not just on advertising, but also sponsored posts etc, it could lead to a big case of under-reporting audience numbers...
(I'm not expecting a complete solution, but just wondered as I read up on the Hi Project etc if this is something that has been broached at all? It's something I've wrestled with for quite some time, as someone who has spent his whole life split between media and tech....)
30 November 2016 — 11:51 pm
Philip says:
Good question Dan. I've assumed (although realising one can make the wrong assumptions) that Google interprets "opt out" as "opt out completely". In other words, no behaviours are tracked. No cookies are planted. No cross-domain analysis is possible.
Losing keyword data from Google Analytics upset the apple cart for webmasters. I recall one of my clients being less than complimentary about the move!
But here's the nub of the matter as far as I see it. People don't mind advertising (well, so long as it doesn't take up the entire page!), it's just an increasing proportion of them don't like to be surveilled by commercial entities, and it's a shock to many to find out they've been surveilled in this manner for many years. In other words, marketing technologists took the piss! Rather than limiting themselves to what would have been quid pro quo, they went all out to take whatever they could without asking. Remember browser history sniffing?!
It is then unsurprising that the backlash is as far the other way now that web users have better understanding and more options. Ultimately, this oscillation, this arms race in the context of blockers, will settle down to an equilibrium whereby both parties are happy. If a firm's marketers ask rather than ride roughshod, share rather than take, engender trust rather mistrust, then that firm may find more people are willing to maintain and grow a relationship, eventually volunteering the kind of data you're already missing on behalf of your clients.
FYI, I explored this and related dynamics in Attenzi – a social business story.
P.S. Love "the way of the web" :-)
1 December 2016 — 8:20 am