The steady stream of news stories detailing security breaches of online services & databases, combined with the increasingly intrusive surveillance legislation in the UK (represented most recently by the Investigatory Powers Act 2016 – or “snooper’s charter”), has meant I’ve been doing a lot of reading around protecting my security and privacy when online (i.e. most of the time!).
The response from many people when discussing online surveillance is “I have nothing to hide, why should I care?”
Aside from the havoc that identity theft can wreak on one’s life and finances, new laws such as the IPA set a baseline or ‘norm’ in which this level of surveillance of a general population is seen as normal for a democratic (and peaceful) society; surely some pushback against that idea is to be welcomed? Glenn Greenwald’s TED talk on why privacy matters is an excellent primer on why this affects everyone.
As part of its excellent summary of VPNs, The Wirecutter explains why a VPN service is suitable for most people; it’s well worth a read.
What do I do?
I’m concerned with a number of identifiable threats and have set these out below, together with my current approach to each.
A starting point
I’m assuming most people know:
* to check they’re using SSL (“https”) versions of websites, particularly when sending/receiving anything sensitive (HTTPS Everywhere from the Electronic Frontier Foundation is excellent for this);
* which wifi networks to trust (Cloak VPN is helpful when you’re not sure);
* how to avoid common phishing attempts;
* how to enable multi-factor authentication wherever possible; and
* how to practice good password security (1Password is your friend here).
Targeted invasive advertising and preference-tracking
Google’s ad preferences (inc. Gmail and Search) and Facebook’s persistent cookies
Browsing: 1Blocker – Blocks ads and tracking scripts in Safari
Snooping over public wifi
Via my BT Broadband service, I have access to BT’s public wifi hotspots, and my office provides a “Bring Your Own Device” wifi network, which is supposedly limited access. I don’t control the security parameters of either of these services, but they’re exceedingly useful.
Cloak may not be the ‘best’ or strongest VPN in terms of a clear no-logging policy and its jurisdiction, but for day-to-day protection for your internet access on iOS, it’s superb. For stronger VPN protection, see below and the Further Reading links.
Personal VPN: For anyone wanting to roll their own, Streisand is a fascinating project which creates your own private suite of security tools on a VM with providers such as DigitalOcean, Amazon EC2, Linode, Rackspace and similar. In 15 minutes I fired up a small droplet with DigitalOcean in their London DC and created an OpenVPN-enabled VPN tunnel and Tor bridge relay to which I can connect my MacBook Pro, iPad and iPhone. Speeds are excellent, it costs me $5 a month and I can share the automatically-created configuration file with family members should I wish.
Geo-blocking and localised websites
I’m travelling to Germany for the day for business, but want to listen to BBC Radio 4 (I do see some of the commercial rationale for geoblocking/geolocation but not in the above example!)
ISP logging of website visits
One of the more eye-catching provisions in the new UK legislation is that ISPs will be required to log each website (the site, but not each page) that their customers visit. Aside from the logistical nightmare for the ISPs and the attractive target those databases will be to hackers, what stands out is the surprisingly long list of public authorities that in theory will have access to those logs. (Food Standards Agency? Welsh Ambulance Services National Health Service Trust?)
The most obvious way to avoid your ISP logging website visits is to use a VPN (see links below under Further Reading) but do note that VPNs can sometimes play havoc with your browsing (they can upset my online banking and media streaming services if my IP is deemed unusual) so you may find yourself toggling them on and off when needed.
Depending on your motivations, you may wish to choose a non-UK incorporated/domiciled VPN which does not log anything and takes anonymous payment. For all the VPN information you may ever need (and more), That One Privacy Site | Detailed VPN Comparison Chart is useful, as are the links below in Further Reading.
Further steps to harden security
I’m pretty comfortable with the above suite of tools; after all, I’m not doing anything that GCHQ will take a serious interest in and the above tools will deter all but the most persistent hacker who, if they had a targeted and specific interest in me, would be able to circumvent most protections I’d put in place.
What the above does do is, I believe, deter opportunistic hackers on public wifi, blur/disrupt my online profile from companies looking to build a targeted advertising profile of me, and protect my devices and the information they transmit when in public.
If I wanted to go further, I’d look into the following services:
Further reading:
The Best Anonymous VPN Services of 2016.
iOS – Platforms – PRISM Break
Most VPN Services are Terrible · GitHub
How to encrypt your entire life in less than an hour
How can I protect myself from government snoopers? | Technology | The Guardian
How to setup your own VPN on AWS in 10 minutes
The Privacy Paper