Maintaining online privacy


August 4, 2017 by quirkyuncle@gmail.com

Photo by William Iven on Unsplash

Securing our digital privacy has become even more important now that our service providers have been given free rein to collect and sell our personal data.


In reality, repeal of the FCC privacy rules leaves us as exposed as we have ever been. This legislative change does, however, shine a spotlight on the issue of digital privacy and should motivate us to reassess how we go about our online activities.


Why the sudden concern about digital privacy?

Everything that we do online is handled by a number of organizations starting with an Internet Service Provider (ISP), such as Spectrum, CenturyLink, or Google Fiber. There are other online services we all use: email (Outlook, Hotmail, Gmail, your ISP-provided email), search engines (Google, Bing, or Ask), and free social media (Facebook, Twitter, Instagram, etc.). Many of the businesses providing these services, some of which we pay for, are interested in profiting from the treasure trove of valuable personal information that passes through their networks and equipment.

The fear that digital service providers might monetize our personal data for profit has always been a concern. Before the FCC privacy rules were enacted, no rules were in place relating to the privacy of data being transferred, and it was unclear what expectations, if any, there were for service providers to protect our privacy. Bearing in mind that customers were paying for many of these services, providers were unsure about what information they were allowed to collect and sell and how much it might cost them if they were sued for exposing our personal information. This uncertainty caused digital service providers to take a more protective stance.

Once the FCC drafted rules to protect our privacy, service providers understood their limits and backed down. Even though the rules were yet to become law, the legislative stance was clear: unless authorized, service providers could not collect and sell your personal information without your consent.

It’s all in the fine print

All those long and boring user agreements that you seldom read and eventually accept when signing up for online services give the provider permission to sell whatever information passes through their hands. Yes, you are willingly agreeing to give away your personal information when you click OK.

A few years ago, the FCC drafted regulations that forced digital service providers to inform customers if they were collecting and selling their personal information, get their consent, and allow customers to opt out of the data collection process. The recent repeal of the FCC rules reverses these regulations, giving digital service providers the green light to collect and sell our personal information.

What personal information can they collect and sell?

Short answer: everything.

Any data sent via an unsecured connection can be read by your ISP. Connect to a free wifi network at a hotel or coffee shop (or anywhere else), and the folks providing the free connection have access to all of the data being transferred, as does their ISP. Your levels of exposure are like the layers of an onion.

Make an online purchase? Your credit card info is exposed.

Read your medical records online? Your social security number and the medical records that you access could be exposed.

The list goes on… If the website you’re connecting to does not provide a secure connection, you’re potentially at risk. (Secure websites have https: instead of http: at the beginning of their full web address.)

But wait, there’s more…

There are additional digital services where your assumed-secure data can be scanned and sold: email, search engines, and social media.

Not so free email

Most free email providers, and those free email accounts that are included with other online services such as your ISP, scan and read the content of all email messages that you send, looking for information about you that they can sell. This information is typically sold to advertisers, so you can be targeted with ads for items that you might be interested in. That’s not so bad, I guess, but they can also sell this information to whomever else wants to buy it. Your private information is up for sale to the highest bidder!

The government also looks into what you might be saying in your email, in the interest of national security. It’s a process called deep packet inspection which is something that is as creepy as it sounds.

Your text messages get looked at, too, so don’t think you’re safe there.

What you search for reveals much about you

Most search engines make their money by selling your search queries to advertisers, along with information that identifies you. Ever notice how you do some searches about something and suddenly see advertisements for that type of thing magically appearing on the web pages you visit for the next few weeks? Now you know why.

Social media: tell your friends, tell the world

I’m not going to say much about social media, since safe social media habits are already widely discussed. Still, in spite of all the warnings, people willingly post all sorts of private information.

Keep in mind that even if you have set stringent privacy settings for your social media content, the social media service provider owns whatever you post and can do with it as they please – this is how they make their money and you did agree to it. It’s all right there in the fine print of the service and privacy agreements that you accepted when you signed up.

Since social media is a known public forum, exposure of social media content is implied, whereas email and search engines are more private by nature and assumed by many to be secure.

What can I do to protect myself?

There are different ways to help protect your privacy in each of the areas of exposure. These are discussed in the following sections:

Securing social media

Loose lips sink ships.

Protecting your privacy on social media is mostly under your control. Privacy settings in each program provide a measure of security over who can see your profile and postings. Since many of these services are free of charge, it is understood that, for the most part, you are relinquishing ownership of whatever you might post. Social media services are a very lucrative business and are not helping you connect with your friends and relatives out of the goodness of their hearts.

The best advice I can give is to think before you post. Consider that whatever you put out there is no longer private and can come back to haunt you in the future. There is no such thing as a deleted post – you might hide things from view, but they are being stored out there forever and being sold for profit.

Securing email

If the U.S. Postal Service started opening and reading all of our correspondence, there would be total pandemonium! Why is it okay for email?

Only one of the major free email services provides secure email storage and transfer while seamlessly integrating with the mail client on your computer or device. It allows you to connect and use your standard mail application the same way you use it now, without the risk of having the content of your email messages scanned and sold.

iCloud mail, a free service provided to people who have an Apple ID, has promised to safeguard your communications and keep them secure, not selling your personal information for profit. As of this posting, the iCloud mail privacy policy says:

… Our business model is very straightforward: We sell great products. We don’t build a profile based on your email content or web browsing habits to sell to advertisers. We don’t “monetize” the information you store on your iPhone or in iCloud. And we don’t read your email or your messages to get information to market to you. Our software and services are designed to make our devices better. Plain and simple. …

You can read all about the Apple privacy policy at: https://www.apple.com/privacy/.

Anyone who has purchased an Apple product – computer, laptop, iPhone, iPad, Apple Watch, iPod, Apple TV, Apple Music subscription, etc. – was set up with an Apple account and email as part of the product registration process. To log in to your iCloud account or to set one up, go here: https://www.icloud.com/. As far as I can tell, ownership of an Apple device is not required.

Need even more email security?

If you want totally secure email, you can go with an encrypted email service. These services require their own dedicated email application, for security purposes, meaning that you can’t integrate it with the email client already installed on your computer or device. Some of these secure email services are free, with limited capability, or have a paid subscription.

If you do use a secure email service you can still send encrypted messages to non-secure recipients using a feature called symmetric encryption. This is a process where the recipient receives a link to the encrypted message via email and a message-specific passcode from you that allows them to unlock and access it.

Very James Bond, if you require this level of security.

There are a number of secure email services available. Based on my research, ProtonMail would be the one I’d try first, if I felt the need for greater email security than what is provided by iCloud Mail.

Securing search engines

What you search for and which search results you access tells a lot about you. It’s nobody’s business.

As of this writing, there is only one search engine that has pledged to protect your search queries and not sell your search information: DuckDuckGo.

I’ve been using DuckDuckGo for several months and the results it returns are generally on par with Google or other popular search engines. The biggest difference I see between DuckDuckGo and Google is the formatting of returned results. If you use anything for an extended period of time, you get used to its look and feel, and it takes a bit of time to adjust to the changes.

A cool thing about DuckDuckGo is that it supports something called BANG! commands. These commands, starting with an !, perform special search functions, such as searching within a specific website or performing a search constrained by a particular subject or timeframe. You can see the full list of BANG! commands here: https://duckduckgo.com/bang.

As a new DuckDuckGo user migrating from Google, the most useful BANG! command I’ve found is !g, which allows you to perform anonymous Google searches. It’s the perfect remedy for Google search withdrawal. If you precede your search string with a !g, DuckDuckGo will submit your search to Google and return your results without Google knowing who you are.

For example, to search for articles by the Quirky Uncle in Google using DuckDuckGo, you’d type
!g quirkyuncle.

Pretty cool! You can get your Google search results, keep your search history private, and prevent being tracked and pestered with annoying ads.

You can access DuckDuckGo at the following web address: https://duckduckgo.com/. You can also set up DuckDuckGo as the default search engine for your web browser.

DuckDuckGo also provides a dedicated search application for iOS and Android mobile devices. Information about the DuckDuckGo application is here: https://duckduckgo.com/app.

Securing internet connection (ISP or public wifi)

Wait, you want to monitor everywhere I go, everything I watch or listen to, everything I read, and everything I say? That’s insane! (And in our digital lives, it’s already happening.)

You can use a Virtual Private Network (VPN) to secure your internet or wifi connection. A VPN encrypts all of the incoming and outgoing data transmissions from your computer or mobile device so it can’t be read by anyone monitoring your data traffic, protecting your information from prying eyes.

VPNs are complex to understand and deserve a detailed explanation.

Most companies with remote workers use VPNs to allow their employees to connect securely to the company networks and services when they are working outside the office. Data services and assets that a VPN protects include email, internal networks, website access, searches, and streaming media – pretty much everything that can flow through any internet-based connection. VPNs protect data whether the connection is wired, wifi, or made via a cellular data network. Most companies rely upon VPNs as the foundation of connection security.

The only places that can see your data during a VPN protected transfer are at the VPN itself, which decrypts/encrypts data sent from/to your device, and the services where the VPN sends/receives unencrypted data anonymously on your behalf. VPNs protect the connection between your device and the rest of the world.

Any service, such as a public wifi network or your ISP, that is transferring data between your device and the VPN won’t be able to see anything other than the quantity of data that you are transferring and the web address of the VPN – any content being transferred is scrambled and they can’t see into it. (Internet and wifi providers absolutely hate this.)

Finally, a way to get a secure data connection at your favorite coffee shop!

It should be noted that data transfer between the VPN and the service you are communicating with is only as secure as that service’s data connection. The safety factor here is that, unless someone can read the data being transferred during this stage of the journey and determine information about you from within its content, the information can’t be traced back to you, due to the anonymity provided by the VPN on your behalf.

An interesting aspect of using a VPN is your ability to fool service providers about your physical location. When using a VPN, the location exposed is based on the VPN connection point that you choose. These connection points are typically regional, so you can choose a connection point that is closest to your physical location. By choosing a connection point in a different region or country, content that is restricted to a specific region can potentially be accessed outside of that area. For example, if you were in the U.S. and wanted to access a streaming sport event only available in Europe, you might be able to see it by choosing a VPN connection point in Europe.

All VPNs are not created equal

There are a number of VPN alternatives; some are free and some require paid subscriptions.

Short answer: choose a paid VPN. With an income stream from subscribers, a paid service has greater ability to expand their infrastructure to keep up with increased demand. Also, if the VPN is making their money from your subscription, there is less incentive for them to generate revenue by selling your information.

When choosing a VPN service:

  • Review their ratings and see what other people have to say about their stability, performance, and customer support.
  • Sign up for a trial period to see if the service works as you expect.
  • Consider where the VPN is located. If they are US-based, they are subject to search and seizure warrants from U.S. government agencies. If they are offshore, they are not compelled to comply with these requests. Some US-based VPN providers indicate that they will go offline and delete any customer data if they are presented with a search warrant, so that does provide you with a measure of security.
  • Some VPNs cache user data, while others erase it immediately. VPNs that retain cached data pose a greater risk.
  • Read the fine print. The devil is always in the details!


Paid VPN services I considered and my choice

I did a lot of research before signing up with a VPN service. In the end, my list had two finalists: PIA (Private Internet Access) and NordVPN.

Both services were comparable with minor differences and both are similarly priced. PIA had greater market share.

When I signed up, NordVPN offered a free one-month trial. PIA had a one-month subscription for $7.

I tried PIA, as it seemed to better meet my personal needs. It worked well, so I signed up with PIA for 2 years at $3/month. I have no regrets.

Open source vs dedicated VPN applications

While most VPNs provide their own applications to install on your computer or device to manage your VPN connection, open source alternatives are also available. Open source applications are typically free of charge and developed by professional software engineers who volunteer their free time. Open source applications are well crafted and can exceed the performance of paid applications.

For VPNs, you run the open source application and input your VPN login information to establish the connection.

I am currently running open source applications for VPN management on my phone (OpenVPN) and computers (Tunnelblick). I am experiencing improved connection with the open source applications, but the connection seems to time out more often (this is likely a setting that needs to be adjusted). Open source programs often give you greater control over specific settings, allowing you to customize their performance to best meet your needs.

Things to keep in mind when using a VPN

I’ve encountered the following items while using a VPN that are good to know. (Check back for updates.)

Choosing a VPN connection point
Your VPN will give you a number of possible connection points. Typically, you connect to the one that is closest to your physical location, the idea being that less distance yields greater speed. This holds true unless there is more traffic at your connection point than the VPN anticipated. If you detect a degradation of your internet speed, try connecting to one of the other connection points that your VPN provides. (You can also use a different connection point to make it look like you are in a different location, for connecting to geography-dependent services.) See Reading wifi and internet connection speeds for a free tool to measure your internet connection speed.

Connection speed
Because of the additional encryption/decryption and data transfer operations a VPN performs, connection can be a bit slower than when using a standard non-encrypted connection. It is also possible that you could see an increase in connection speed when using a VPN due to compression that can take place during encryption, making the transfer packets smaller. I have experienced both cases.

I have noted a decrease in connection speeds lately as VPN use has been increasing. With more revenue, I’m hoping that my VPN invests in more equipment to keep pace with the greater number of new subscribers. See Reading wifi and internet connection speeds for a free tool to measure your internet connection speed.

Battery life
We’ve experienced no noticeable degradation in device battery life during normal daily VPN use. The only battery related issue we’ve had was when using a phone-based GPS service via the VPN connection on long (500 mile) road trips. We’ve not seen any unusual battery drain when using the GPS-via-VPN when navigating locally.

Our VPN provider, GPS application developer, and cellular provider are all at odds to explain why our cellphone battery is draining so fast on long trips. We plan to disable the VPN for our next trip and see what happens.

Connection timeout and unexpected disconnect
A VPN is a service whose primary goal is keeping your data transfer secure. As such, it will disconnect if it senses any threat to its operation. The VPN will also disconnect after extended periods of inactivity to save battery life. While the VPN seems good at maintaining connection when moving between connection points in a network and when transferring between wifi and cellular connection, there can be a lag. Reconnection cannot be assumed and you need to pay attention to the VPN status indication on your computer, smart phone, or tablet screen. An example of the active VPN connection indicator for an iPhone is shown below.

iOS VPN indicator

Some VPN applications or VPN clients can be set up to block all data transfer for the device if the VPN loses connection. You need to pay attention when using a VPN to make sure it is active and protecting you.
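If you run a Linux machine, you can check for yourself whether your traffic is really going through the VPN instead of trusting the status icon. The following is an added example, not something from my VPN provider or from the OpenVPN project: it reads routing table text in the format printed by the `ip route` command and reports which network interface would carry traffic to a couple of test addresses. The sample routing tables, the interface names (wlan0, tun0) and the list of tunnel name prefixes are assumptions made up for the illustration.

```python
import ipaddress

# Constructed `ip route` output (Linux format) for illustration; the addresses
# and the interface names wlan0/tun0 are assumptions, not taken from the post.
# The two /1 routes are the style OpenVPN's "redirect-gateway def1" installs:
# together they cover every address and beat the ordinary default route.
ROUTES_VPN_UP = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""
ROUTES_VPN_DOWN = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""

TUNNEL_PREFIXES = ("tun", "tap", "wg", "ppp")  # assumed tunnel interface names


def parse_routes(text):
    """Return a list of (network, device) pairs from `ip route` style lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields[:-1]:      # skip blank or unusable lines
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:                # e.g. "unreachable ..." entries
            continue
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes


def device_for(routes, address):
    """Pick the device by longest-prefix match (route metrics are ignored)."""
    addr = ipaddress.ip_address(address)
    matches = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(matches)[1] if matches else None


def vpn_covers_internet(route_text, probes=("8.8.8.8", "192.0.2.1")):
    """True only if every probe address would leave through a tunnel device.

    The probes are never contacted; one sits in each half of the IPv4 space
    so that both /1 routes are exercised.
    """
    routes = parse_routes(route_text)
    report = {p: device_for(routes, p) for p in probes}
    covered = all(dev is not None and dev.startswith(TUNNEL_PREFIXES)
                  for dev in report.values())
    return covered, report


if __name__ == "__main__":
    for label, table in (("VPN up", ROUTES_VPN_UP), ("VPN down", ROUTES_VPN_DOWN)):
        print(label, vpn_covers_internet(table))
    # The VPN server itself is reached outside the tunnel, which is why the
    # ISP still sees the address of the VPN and the amount of data.
    print(device_for(parse_routes(ROUTES_VPN_UP), "203.0.113.10"))
```

On a real machine you would pass in the output of `ip route` instead of the sample text. IPv6 routes are listed separately (`ip -6 route`) and are not covered by this check.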

No VPN in a VPN
You can’t establish a second VPN connection through another VPN connection. If, instead of configuring the VPN client on your device, you set up your router as the VPN gateway and use a VPN for making connections for your job when working from home, your work VPN connection will fail. (This condition is rare, but I thought that I’d mention it.)

Secure HTTPS connections
Some websites that use secure HTTPS connections, where the full web address starts with https:// instead of http://, will block connections made via a VPN, including those made via an embedded application (like the application provided by your bank for online services). This is because these institutions can’t pinpoint exactly where you are coming from due to the VPN-provided anonymity and want to be sure you are not hacking their system.

We have only run into this issue with banks and other financial institutions – shopping websites and other websites that use HTTPS work just fine.

Since HTTPS websites are already encrypting your data, you can shut down the VPN while making these connections knowing that your data is secure (all that is being exposed to your ISP is the web address of the website you are connecting to). The only caveat is that you do remain exposed to some level of hacking on public wifi networks when disabling your VPN.

Ultimate total online security

If you really want to digitally disappear without completely disconnecting and living in a hut under a bridge, you can use something like Tor. In simple terms, Tor bounces your data traffic all over the place so nobody can figure out who you are and where you are. This is real cloak and dagger spy stuff! Using something like Tor slows your connection down significantly, but if extreme security is your main concern, it’s worth it.

The internet is a wild place. There is more internet hidden from view than you can normally access. It’s called the Dark Web – a very scary place where all sorts of nasty stuff happens (weapons trading, drug deals, human trafficking… the ugly underbelly of humanity). You can bet the folks involved are using Tor or something like it.

Stay safe and secure out there, my friends! Have fun, but be careful.
