Resources for everyday folks on internet privacy and security

I’ve had several friends from non-computing fields ask me for advice about tools for better privacy and security online. Some of this is in reaction to recently repealed FCC privacy rules that prevented Internet Service Providers (ISPs) from selling their customers’ private browsing information. Some of it is concern about an increasingly invasive surveillance state, and breaches by hacking groups with state funding.

I’ve been looking to improve my own digital security as well, and have found most of the resources out there to be hard to digest and turn into an action plan that doesn’t start with years of learning. So I’m putting my short notes on what I think matters most here, as well as some links for those who want to learn more. This is by no means a definitive or infallible guide, and if you have specific concerns, you should get individualized advice on this stuff.

Contents:

The 3 Major Web Security Technologies and What They Protect

  1. HTTPS is a secure way to connect to a remote website without anyone being able to read what gets sent or received. More and more websites are supporting or defaulting to HTTPS these days. (This is what we said “look for the lock icon in the address bar!” about in the ’90s.) Importantly, HTTPS does not prevent your ISP or Big Brother from knowing what site you’re visiting. And it doesn’t keep you anonymous from the servers running the site you’re visiting – anyone with their server or access logs knows about your visit, and if they get hacked or subpoenaed, you have exposure to threats here. But HTTPS is great! You should avoid ever using a login or password on sites that don’t use HTTPS (Ask sites without HTTPS why they aren’t protecting their users!) If you use the Chrome or Firefox browsers on your PC or Mac, I recommend installing the HTTPS Everywhere browser extension, which tries to use HTTPS connections to sites whenever possible. (Be advised that every once in a while, HTTPS Everywhere can cause issues if a site has not set up HTTPS properly. The extension can be disabled on a site-by-site basis in these instances.)
  2. A VPN (virtual private network) will encrypt your entire internet connection between your device and the VPN’s server. (Your apps are covered too! However, some services, especially from financial institutions and outgoing mail servers, are often blocked over VPN.) This makes for good protection against unsecured public Wi-Fi networks, snooping ISPs, network censorship, and can route around corporate or government surveillance before the VPN server (but only if you’re connecting to a server beyond those surveillance tools). But on the VPN server side, your traffic still comes out unprotected. Think of it like a secure pipeline or signal repeater to access the Internet from the VPN server’s location, instead of your own. Trust is important here – a VPN provider is just as capable of bad actions as your local ISP. (In fact, the majority of free VPNs are super malicious. I currently do not recommend any free-to-the-public VPN. Even that cool one you heard about from a trusted brand.) It’s also important to know what information the VPN provider is logging about you.
  3. Tor is a tool which tries to fully anonymize your identity and browsing information from everyone. (HTTPS and VPNs protect part of your browsing information during part of a browsing session.) It requires you to use their modified version of the Firefox browser, and disables functionality present in other browsers that can be used to reveal your identity or communications. They also have some important warnings which need to be heeded to keep you protected.

Choosing a VPN service

This is a complicated and personal decision. I suggest keeping the following in mind:

  • Who do you want to shield your internet data from? Your neighbors at the café? The tech staff at your work or school? Your ISP? Your government or one you’re visiting?
  • What devices do you want to protect? If you just connect your PC to a VPN, your phone is still exposed. Some VPNs have a limit on how many devices can connect at once.
  • What kind of logging do you care about the VPN doing? Some log everything. Some log as little as possible.
  • Do you need something that’s easy to use? Sometimes the best VPN on paper turns out to be difficult to set up or use.

I used two different guides to VPNs in my research:

  • PCMag.com reviewed several VPN services on their quality of service and ease of use, but paid almost no attention to the privacy or logging side of things.
  • That One Privacy Site has a detailed guide to many VPN services which focuses on their quantitative specs (with a strong emphasis on their security against government surveillance), and has very little about their usability or quality.

I decided that I want to use a VPN to protect my browsing information from corporations who would like to sell it for their own purposes, possibly to my detriment. I will use other technologies to add security for more sensitive situations.

I chose to use Private Internet Access on my iOS, macOS, and Windows devices. They claim to log very little about what their customers access, allow a good number of devices connected at once, have a lot of available servers, and are a great deal at $40/year. Installation was very easy, and it automatically connects to their VPN whenever I turn any device on. On my mobile devices, it seamlessly handles any transitions between cellular and wi-fi networks, and maintains a permanent connection. I did have my Windows PC completely crash a couple of times, though I haven’t yet narrowed that down to an incompatibility with a certain driver. Everything works very well.

My biggest caveat for Private Internet Access: they’re under United States jurisdiction, and they aren’t very transparent about who runs or owns the business. (Their corporate address is a coworking space just next to Union Station in Denver, so points for a Colorado business, perhaps?) I would probably advise something else for activists or people more concerned about a snooping government than a snooping ISP.

Let’s talk about your e-mail and messaging apps.

All email is inherently insecure. Treat it like a postcard that could be read by anyone between the writer and intended recipient. Don’t use it for sensitive information about you or anyone else. Unless you want to learn how to do PGP-encrypted email. (You don’t want to learn how to do PGP-encrypted email.)

SMS messaging and most internet messaging apps are also particularly vulnerable. Don’t talk about anything that could be damaging to yourself or any vulnerable third parties over them. Even if you think you’re having a private conversation. But I do recommend using Signal for private, encrypted messaging and calls. (Install: iOSAndroidChrome) Others have said WhatsApp (owned by Facebook) is secure, but since the UK Snooper’s Charter became law, we can no longer be sure of this.

Other things you should be doing

  • It’s long past time to actually start using different, strong passwords for every account you have. No excuses! You will get burned if you don’t. And possibly embarrassed publicly. You can check to see where your login information has already been compromised at “Have I Been Pwned?”
  • Use a password manager to generate and store all those different passwords you have. The two I can vouch for are LastPass (which I use, and like for their features and pricing, though sometimes they have some usability and design issues) and 1Password (which also works well and has better design but costs more). Nowadays these managers can be unlocked on your phone with a fingerprint, which makes them faster than remembering any password. Seriously, come on in. The water’s fine. I don’t remember any of my passwords any more.
  • Enable two-factor authentication on any service that supports it. This protects you in case someone does get a hold of your password. Here’s more on how 2FA works, and here’s a list of who supports 2FA with links to each provider’s own 2FA instructions.
  • Worried about other Internet companies like Facebook, Google, and Amazon tracking you? I recommend the following:
    • Change your default search engine to DuckDuckGo, which works very well and doesn’t track you. This is an available search engine in iOS as well.
    • There is a browser extension for Firefox and Chrome called Privacy Badger that is meant to block tracking stuff outright. I don’t use it but it sounds great.
    • Only allow cookies from the actual site you’re visiting (block third party cookies that usually are for ads):
      • Safari 10.1 (macOS): Preferences > Privacy > Cookies and website data: “Allow from current website only”
      • Firefox 52: Preferences/Settings  > Privacy > History > Use custom settings for history > Accept cookies from sites > Accept third-party cookies: Never
      • Chrome 57 desktop: Preferences/Settings > Show advanced settings > Privacy > Content settings > Block third-party cookies and site data
      • iOS 10: Settings > Safari > Block Cookies > Allow from Current Website Only
      • Chrome 57 Android: Settings > Site Settings > Cookies > Block third-party cookies

Educational resources

The best place to learn more about this stuff for yourself is the Electronic Frontier Foundation’s Surveillance Self-Defense Guide. I particularly recommend “An Introduction to Threat Modeling,” which covers the kind of different security risks to keep in mind before you set about a plan to improve your operational security.