8 tips to enhance your online privacy

There are ways both individuals and businesses can remain in the wired world and make it difficult for anyone, including the government, to monitor their activities

Everybody wants a measure of privacy. As some experts on the topic have pointed out, even those who declare they have "nothing to hide" generally have curtains on the windows of their homes and don't invite everybody over to have a look at their credit card statements.

But in light of recent revelations from Edward Snowden, the former Booz Allen Hamilton employee who leaked top-secret documents about the extent of National Security Agency (NSA) data collection, and more recent news about government monitoring even snail mail, there are serious questions about whether privacy -- particularly online and telephone -- is possible at any level any more.

The answer from a number of experts is a qualified yes -- as in possible, but not likely. As Kevin McAleavey, cofounder and chief architect of the KNOS Project, noted, "even Booz Allen Hamilton (and by extension the NSA) can't keep their stuff private. If the 'experts' can't keep their stuff under wraps, what possible chance does Judy Consumer have?"

Privacy experts say there are two ways to keep government monitors out of your life. One is to withdraw as much as possible from the wired world. That would mean ditching your smartphone or, if you have to use one for your job, turning it off and removing the battery when you don't need it, since otherwise it will broadcast your location.

That also includes conducting no business online, and not ever sending an email or posting anything on social media that you don't want collected and stored by the government.

It is a bit like the political advice that the public policy think tank Pioneer Institute attributes to Martin Lomasney, an old Boston political boss: "Never write if you can speak; never speak if you can nod; never nod if you can wink." The disgraced former governor of New York, Eliot Spitzer, gave it an update on his Wikipedia page: "Never put it in email."

The Electronic Frontier Foundation (EFF), in a list of privacy recommendations, includes this: "Unless you take specific technical measures to protect your communications against wiretapping or traffic analysis -- such as using encryption to scramble your messages -- your best defense is to use the communications methods that possess the strongest and clearest legal protections: face-to-face conversations, postal mail and landline telephones."

Even nation-states are taking the Luddite approach in some cases. Just recently, it was reported that the Russian equivalent of the U.S. Secret Service is using typewriters again, to avoid generating digital copies of highly sensitive documents.

But experts say there are ways both individuals and businesses can remain in the wired world and at least make it difficult for anyone, including the government, to monitor their activities. Those who are really serious about it will have to take some time-consuming and in some cases complicated steps to do so. The following list includes some of the more common recommendations:

1.) Be sure your computer(s) have whole-disk encryption and are password protected. PGP (Pretty Good Privacy) Desktop is, according to Rebecca Herold, CEO of The Privacy Professor, "still a great tool, and comparatively easy to use. There are also steganography solutions, but I anticipate the NSA would crack those fairly quickly," she said.

2.) Encrypt your email with S/MIME (Secure/Multipurpose Internet Mail Extensions). Experts are unanimous that end-to-end encryption is essential. Users also should not use any nickname in an email account that could identify them. Amie Stepanovich, director of domestic surveillance at the Electronic Privacy Information Center (EPIC), said it is crucial for the user, not a third-party vendor, to hold the encryption keys.

The documents from Snowden about Microsoft allowing the NSA access to its encryption keys mean any system that trusts an intermediary carrier is worthless.

"It's like you're renting an apartment and the landlord still has a set of keys and can let anyone into your personal space anytime they want to," Herold said. "If the user owns them, government could still seek access to the encryption keys, but to get them, it would have to come to that user."

Even that is not foolproof, however, McAleavey said.

"The bottom line is that 'end-to-end encryption' is only any good if the spooks never saw it before. Otherwise, they don't need the keys -- like any good car thief, they have jimmy sticks and sequencing key fobs."

3.) Use features like ad block, Ghostery and HTTPS to remain as anonymous as possible.

"I always go incognito when using Facebook," Herold said. "I use other types of browsers where I cannot effectively use sites while incognito." EFF calls HTTPS, "the most common web encryption standard."

4.) Consider running the OS off of a live-boot DVD with all the necessary programs to ensure viruses cannot infect it. Have it auto-mount the encrypted drive, perhaps with a different password than the login password.

5.) Use Tor (free software that uses onion routing to enable users to communicate anonymously on the Internet) and configure it to have multiple SOCKS ports available so that email, web browsing and other activities can use separate circuits.

6.) Have a separately installed OS (or second OS live-boot disk) for any activity you don't want associated with another activity.

Herold says this is "a great idea, but, most folks who really need such protection simply will not take the time to do it. We need protections built in and transparent," she said. "The problem now is that we will always be wondering if Apple or Microsoft will go ahead and give the government access anyway."

7.) Use an RF-proof bag for your smartphone when you're not using it.

"They're made all over the planet and they're dirt cheap," McAleavey said. "They're made of fine copper mesh woven into fabric. The really good ones have very good RF attenuation, which completely blocks all signals when the device is in the bag. GPS won't work, it can't talk to the cell towers and it definitely can't talk or watch what you're doing. Your phone also will not ring, you can't make calls and nobody knows where that phone is -- until you take it out of the bag."

8.) Use Virtual Private Networks (VPNs) -- EFF describes them as, "a potent encryption tool that allows you to 'tunnel' communications securely over the Internet."
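For tip 5, Tor keeps streams that arrive on different `SocksPort` listeners on separate circuits, so the setup only works if each activity really has its own listener and none of them is reachable from the network. The following is an added example, not part of the original article: a small audit over a constructed torrc, where the port numbers and the activity-to-port mapping are assumptions.

```python
# Added example: audit a torrc for per-activity SOCKS listeners (tip 5).
import ipaddress

# Constructed sample torrc. SocksPort and the IsolateDestAddr flag are real Tor
# options; the port numbers and the activity mapping below are assumptions.
SAMPLE_TORRC = """\
# one listener per activity
SocksPort 127.0.0.1:9050                  # web browsing
SocksPort 127.0.0.1:9052 IsolateDestAddr  # email
SocksPort 9053                            # chat
"""

# Hypothetical mapping of activities to the SOCKS port each client is set to use.
ACTIVITY_PORTS = {"browser": 9050, "email": 9052, "chat": 9053}


def parse_socks_ports(torrc_text):
    """Return {port: (bind_address, [flags])} for every SocksPort line."""
    listeners = {}
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2 or parts[0].lower() != "socksport":
            continue
        addr, _, port = parts[1].rpartition(":")
        if not port.isdigit() or int(port) == 0:   # "auto", unix sockets, disabled
            continue
        # Tor binds to localhost when only a port number is given.
        listeners[int(port)] = (addr.strip("[]") or "127.0.0.1", parts[2:])
    return listeners


def audit(torrc_text, activity_ports):
    """List problems that would defeat the separate-circuit setup."""
    listeners = parse_socks_ports(torrc_text)
    findings = []
    seen = {}
    for activity, port in sorted(activity_ports.items()):
        if port not in listeners:
            findings.append(f"{activity}: port {port} has no SocksPort line")
        if port in seen:
            findings.append(f"{activity}: shares port {port} with {seen[port]}")
        seen.setdefault(port, activity)
    for port, (addr, _flags) in sorted(listeners.items()):
        if addr != "localhost" and not ipaddress.ip_address(addr).is_loopback:
            findings.append(f"port {port}: bound to non-loopback address {addr}")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_TORRC, ACTIVITY_PORTS) or "no findings")
```
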

Those recommendations don't end the debate over privacy, however. EPIC's Stepanovich argues that people shouldn't have to go to extreme lengths to guard their privacy in the wired world.

"It's not true that there has to be a trade off between privacy and security. You don't have to give up one to get the other," she said.

While EPIC does not oppose all surveillance, she said, "it should be targeted. An individual should be in mind because of a showing. Maybe with widespread surveillance, you'll catch a couple of bad people. But it is not in line with the foundation principles of this country."

On the other side, Randy Sabett, an attorney with ZwillGen and information security/privacy expert, said he believes that Americans should be concerned about privacy, "but I think the question should be: Can privacy from government surveillance be balanced against the security needs of our country?"

Sabett said there is, "a big difference between surveillance and collection, and I think we need a dialogue to try to find the balance."

He said he believes there is some over-classification of information and that data collected about citizens should probably be destroyed after a certain number of months or years.

"But government needs some ability to track down bad guys, and you have to grant them some level of secrecy," he said.

About the Snowden revelations on government surveillance, he said, "The bad guys will read that like a cook book -- they will know what to avoid. Do we really want that?"


Stories by Taylor Armerding
