deborah: The management regrets that it was unable to find a Gnomic Utterance that was suitably irrelevant. (gnomic)
deborah ([personal profile] deborah) wrote2016-11-17 11:55 am
Entry tags:

Protecting ourselves online in a hostile age

I'm seeing a lot of people post about how, in light of current political shifts, everyone should increase online security. A few points on this:

  • Yes.
  • This is always true.
  • Most of the advice going around is a mix of good, reasonable, difficult, and bad. (eg. One list going around says Gmail is totally safe because it won't get hacked. Google (and Facebook, and Apple, and others) explicitly cooperates with the CIA, the NSA, and other governments around the world.
  • There is a conflation of different concepts of online security: protecting your data from theft, protecting your data from government abuse, protecting your accounts from hacking. There's no point in getting paranoid about Internet security if you don't know which of these dangers is most important to you, how much you can assess risk, and what measures specifically apply to that danger.

Don't take the advice of activists about security. Take the advice of professional Internet security experts (I am not one). Start with Brian Krebs ([ profile] briankrebs) and Bruce Schneier ([ profile] schneierblog). A lot of what they have to say is aimed at security experts and you can ignore it; focus on the pieces that are obviously relevant to you, such as Brian Krebs' Tools for a safer PC. If you are the kind of person who likes to look for the work of women and people of color when you are looking for expert opinions, don't hold your breath when you are looking in research for computer security. That is not to say that there are not security experts who aren't white men, but infosec has notoriously always been so misogynist and such a cultural cesspool that it appalls even the rest of the tech industry.

When it comes to protecting your accounts and your own devices from hackers, the tips you get from experts are only somewhat inconvenient and a great place to start.

However, when it comes to protecting your information from the panopticon, whether corporate or government, I've got some bad news for you:

If the advice sounds easy or socially convenient, it's false.

  • Cloud services put you at risk. (Twitter, Gmail, Facebook, and technically Dreamwidth, though the scale of Dreamwidth allows many of us to have a relationship of trust with the site.)
  • Credit cards put you at risk, whether or not you have ever purchased something online in your life.
  • Using an email address in multiple places put you are risk.
  • Having ever given your telephone number, email address, or Social Security number to a business puts you at risk.
  • Having friends who know your email address or your phone number puts you at risk.
  • Not knowing the underlying tech infrastructure of the online services you use puts you at risk.
  • Browsing the web puts you at risk.

If you are going to be engaging in the kind of activism that will put you in a government's crosshairs, and you have a sincere, evidence-based belief that you are going to be targeted by a government because of your activities, and you want to protect yourself, you need to do some serious, hard-core curation of your available information online. You are not going to fix your problems by installing Tor and using two-factor authentication on your Gmail account. You are not going to fix your problems by any tip sheet that is currently being circulated around Twitter. And you are not going to fix your problems easily. It is difficult to address this kind of situation without a major life change. For most of us, resources would be better spent on lobbying the companies we do business with to mitigate the damage from these kind of practices writ large. That is to say, not necessarily helping ourselves, but trying to diminish the surveillance state as a whole.

Here's a very brief summation of the problem. Most companies of any size you've done business with have probably sold a fair amount of your Personally Identifiable Information (PII) to information brokers such as Acxiom. These information brokers collate all of the information they have purchased from their myriad contributors until they have a massive database. That means that if one site knows your email address and phone number, another knows your phone number and date of birth, and a third knows your date of birth and your hometown, the information brokers know all of it. These information brokers, far from being zealous guardians of your privacy, are literally in the business of selling your information to any potential customers.

It gets worse.

If you use a browser without ghostery or some other tracker blocker set on some fairly restrictive settings (you'll know if they are strict enough, because they will be annoying to you and disrupt your browsing experience), then information brokers and social media services are keeping a log of every site you visit, every online purchase you make, every link you follow. They are building a profile of you which is incomprehensibly detailed. These are not sites you are visiting; these are the vendors which allow the sites that you do visit to monetize themselves, by hiding invisible code on the pages that you never see, which allow those third-party sites (think ads, Google analytics, media players, social media buttons, as well as random tracking code with no obvious purpose for you) to gather information about everything you do on the page. If you do use a tracker blocker, sites you visit can still build a relatively accurate profile of you based on unique browser + device fingerprinting.

What you post on social media gets scraped, so who you retweet, what posts you like, what hashtags you use, what communities you join on Facebook: all of this is affiliated with your other personally identifiable information, sold to the highest bidder, happily given in response to any government subpoena.

Don't use social media? That's okay, you're still at risk. Your friends use social media, and at least some of them have absentmindedly uploaded their contact lists onto social media services. So you,, are known to be friends of,, and Researchers have already shown that they can determine a ridiculous amount about you simply by doing network analysis of who knows you. In fact, even if you trust your friends, multiple companies including Twitter and Snapchat have been found to be uploading contact lists without user permission.

Do any acquaintances ever upload pictures of you on to Facebook or Twitter, with or without your permission? Facebook is experimenting with facial recognition technology, and researchers have shown that they have reasonable odds of figuring out so much personal information about you based on facial recognition and social network connections that they can determine your Social Security number.

You trust all the services you use online? Fantastic. Do you happen to know if they are using off-site servers, off-site disk storage, contracted web analytics? Do you know the privacy and data sharing and subpoena-response policies of all of those services?

How about your ISP? What information do they promise not to sell? Do they delete unnecessary information so that they don't have to give it to law enforcement officers if it's requested?

Do you use location services or any GPS-enabled services on a smart phone? Hell, do you use a cell phone at all? The cell towers know where you are when making calls even with the least smart of smart phones. The more GPS-enabled services you use, the more you are giving various third-party vendors information about your location. If you play Pokemon Go, you are basically telling a game company where you are at all times. Do you know if these services have been issued government subpoenas? Fitbit location data has already been successfully used in court cases to prove that people were not where they claim they were.

Oh, you're one of the very careful people? You don't use a credit card, you don't use any Google services, you don't use any social media that you don't or your trusted friends don't host themselves? Awesome--assuming you also don't ever email, call, or text people who aren't just as careful as you. Because if you do, then their vendors know you have called them,, texted them, emailed them. When you email, do you know for a fact that they aren't forwarding to Gmail? Gmail, which according to their own privacy policy scrapes data from sent and received emails, and which we know cooperates with the NSA's intelligence gathering program? When you text your security-conscious friend, are you sure that they aren't using an inexpensive cell phone that siphons text messages and call records off to servers in China?


If you are seriously worried and have good reason to be exceptionally careful:

  • Encrypt everything.
  • Only use cloud services where you explicitly trust the host and know their policy about government requests for information, third-party vendors, and their third-party vendors' similar policies.
  • Only use throwaway cell phone numbers, email addresses, and credit card numbers to do business.
  • Never, ever use social media.

For the rest of us, well. Here's what we can do.

  • Take a deep breath and acknowledge that any reasonably competent government and sufficiently well-off corporation already knows anything about us that it wants to.
  • Protect our devices and our accounts from explicit hacking.
  • Lobby for institutional change in the surveillance state and the industrial panopticon.
  • Stop panicking.

And seriously, folks. Install 1Password, KeePass, or some other locally hosted password manager, and switch to unique and difficult passwords for every account you have. And then install Ghostery on your browsers.

And don't panic about this. Be concerned, and be careful, but panicking is counterproductive; the cat is so far out of the bag for most of us that there is not even cat hair left. We have a lot more to panic about than whether the government can find us.