At Ferret gatherings internet privacy often comes up as a source of concern among our members, even the ones who are not journalists or activists.
So now that the UK is about to bring in “the most extreme surveillance law in our history,” what can you do about it?
The truth is that if they want to get your stuff, they probably will, and there is no 100% guaranteed way to make sure anything with an internet connection is secure.
But there are practical things you can do to make it harder for third parties to access your data, and to reduce the chances of your stuff being scooped up and linked to you in the first place.
This is not an exhaustive list, and these tools may not be suitable for people with specific security needs, but they are ones that we’ve tried and know to be practical to use on an everyday basis.
Encrypt your web traffic
Possibly one of the most insidious aspects of the IP Bill is the requirement placed upon internet service providers to keep 12-month logs of all their customers’ usage.
One way that you can reduce the amount of metadata that your ISP saves on you is to invest in a Virtual Private Network (VPN) service.
These encrypt your internet traffic from your computer to their server, where it then exits onto the wider network. This makes it harder for third parties to identify and log your traffic.
There are a ton of VPN service providers to choose from, and although some are free, to a large extent you get what you pay for, so it’s worth having a look around.
Things to look for in a VPN provider:
Can you use the same service across multiple computers and on your mobile devices?
Is it easy to use?
Does it have apps that will allow you to use it on your mobile devices too?
You may also want to think about making it easy for people to use in your home, or office. It’s possible to buy a Wi-Fi router that will push all the traffic from all the devices that connect to it through a VPN connection. A good practical set-up that might work at home is a dual-router set-up - one Wi-Fi network is secure, the other is for things like streaming the BBC iPlayer, which might be tricky if you seem to be connecting from a foreign country.
Encrypt your drives
If you can, you may want to consider encrypting all or part of the hard drives on your computer, which you can then use to store sensitive information. VeraCrypt is a free, open source tool for doing this.
If you have an Apple phone, data stored on your phone is already encrypted, but if you have an Android phone, you may have to explicitly alter some settings to make sure your phone storage is encrypted.
Encrypt your SMS and mobile messages
There are a number of phone apps you can switch to, in order to make it harder for people to snoop on your SMS and mobile messages.
Signal is probably one of the easiest to use - it can replace your SMS messaging app on many phones, so that all your texts become more secure, especially if you can persuade all your friends and family to use it too.
That said, WhatsApp is also pretty good when it comes to privacy, although some people may well be worried about the link with Facebook. The upside is most of your contacts are probably already using it.
If you have both apps on your phone, you can message almost anyone securely.
There’s a huge number of messaging apps out there - the Electronic Frontier Foundation are currently working on a comprehensive assessment of them.
What about email?
Email is inherently insecure, but there are some services that are trying to make it safer - whilst also preserving an element of usability.
ProtonMail offers cloud-based encrypted email, with usable mobile apps. Unlike many popular, free email services, the firm promises that it can’t read your email, even if it wanted to, let alone pass much information along to any state agency.
Another similar service you may wish to check out is Tutanota.
After using both email services, I can report that the one practical downside of these services for people who don’t practice zero inbox filing is that their email search functions are far more limited - precisely because they can’t read your email!
Storing stuff in the cloud
If you worry about the security of the likes of Google Drive, there are cloud storage companies that also promise “zero knowledge” services, so they can’t read your files.
You could consider Sync, which offers 5GB for free. SpiderOak One is a more sophisticated paid alternative.
Lastly, even if you do adopt many of these services, it’s possible that you could be tracked across the internet by third parties because of your “browser fingerprint.”
Arguably, Firefox is the best browser to use if you are really concerned about this, but most key browser add-ons are available for other popular browsers too.
You can find out how easy it is for third-party services to track your browser by testing it using the Panopticlick website.
Here are some browser tips and addons that can help tackle this:
uBlock Origin blocks most ads and is pretty light on system resources. An alternative is Adblock Plus.
Disconnect blocks trackers and other privacy-invading technologies. It also offers a paid-for full system service that includes a VPN and private search. You could also try Ghostery.
HTTPS Everywhere makes sure that if a website offers an encrypted connection, then it gets used.
Even with all this, some websites will still try to “fingerprint” your browser in a bid to identify you. It’s very hard to protect against this, but if you use Firefox, you could also consider the Random Agent Spoofer add-on. This alters the data your browser sends to other websites, making it harder to track repeat visits to the same site - or identify you across sites using the same tools. Firefox users can also guard against battery fingerprinting techniques by altering their settings.
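To see why changing one piece of browser data may not be enough on its own, here is an added example (not part of the original article) that measures how identifying a browser is, in bits, the same kind of figure the Panopticlick test reports. The eight browsers, the attribute names and the function names are all constructed for illustration.

```javascript
// Constructed sample: attributes a site could read from 8 visiting browsers.
const ATTRS = ["userAgent", "timezone", "screen", "fonts"];
const population = [
  ["Firefox 50 / Windows 10", "UTC+0", "1920x1080", "win-default"],
  ["Firefox 50 / Windows 10", "UTC+0", "1920x1080", "win-default"],
  ["Chrome 54 / Windows 10",  "UTC+0", "1920x1080", "win-default"],
  ["Chrome 54 / Windows 10",  "UTC+0", "1366x768",  "win-default"],
  ["Chrome 54 / Windows 10",  "UTC+1", "1366x768",  "win-default"],
  ["Chrome 54 / Windows 10",  "UTC+0", "1920x1080", "win-default"],
  ["Safari 10 / macOS",       "UTC+0", "1440x900",  "mac-default"],
  ["Firefox 50 / Linux",      "UTC+0", "1920x1080", "linux+custom"],
].map(row => Object.fromEntries(row.map((v, i) => [ATTRS[i], v])));

// Number of browsers in the sample sharing `browser`'s values for `attrs`.
function anonymitySet(sample, browser, attrs = ATTRS) {
  return sample.filter(b => attrs.every(a => b[a] === browser[a])).length;
}

// Identifying information in bits: -log2(share of the sample that looks the same).
function bits(sample, browser, attrs = ATTRS) {
  const same = anonymitySet(sample, browser, attrs);
  return same === 0 ? Infinity : -Math.log2(same / sample.length);
}

// Crowd size left when one attribute is randomised on every visit, so a
// site can only compare the attributes that stayed the same.
function crowdAfterSpoofing(sample, browser, spoofedAttr) {
  return anonymitySet(sample, browser, ATTRS.filter(a => a !== spoofedAttr));
}

const common = population[0]; // stock Firefox on Windows
const rare = population[7];   // Linux with extra fonts installed
for (const [name, b] of [["common", common], ["rare", rare]]) {
  console.log(name,
    "bits:", bits(population, b).toFixed(2),
    "crowd:", anonymitySet(population, b),
    "crowd with spoofed user agent:", crowdAfterSpoofing(population, b, "userAgent"));
}
```

The stock browser hides in a crowd of four once its user agent is randomised, while the customised one is still alone in the sample because of its font list, so keeping the rest of the browser close to default matters as much as the spoofing add-on.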
Tor is another service you can use to help you browse anonymously, especially if you use it in conjunction with a VPN. It is not infallible and can slow your browsing down further. Some sites may restrict access to people using Tor, so you may find you only want to use it for specific jobs where you feel anonymity is important.
The easiest way to get started is by downloading the Tor Browser.
Anonymous file sharing
Want to send someone, like a Ferret journalist, a file, but don’t want to be linked to it?
Try using OnionShare.
Passwords are a fact of life, and needed for everything. However, re-using a simple password across lots of services is asking to get hacked.
The only practical way to make sure you have complex, unique passwords for every service you use is to use a password manager. There are lots of password managers out there, but you should probably use a “Zero Knowledge” password manager if you can.
Keeper is a paid-for service that you can use on pretty much any device and browser. An alternative is Encryptr. A load of other password management services have been reviewed here.
Did you really mean to share all that forever?
If you’re considering the things in this post seriously, it’s also worth thinking about the cumulative impact of the information you have already chosen to share about yourself. After all, do you really benefit from those 8-year-old status updates, or are they just more fodder for profiling algorithms and hackers?
Try reviewing your Facebook privacy settings, and considering exactly what is public on your profile. You can set lots of things on your profile so that “only you” can view them. There are also tools out there that will systematically delete all or some of your historic likes, comments and photos, all the way back to the beginning of your time on the social network. Try the Chrome browser extension, Facebook Post Manager.
If you have a Twitter account, it’s harder to delete your historical tweets, but easier to delete your old tweets on a rolling basis. A service like Tweet Delete will delete your tweets for you after a time period you specify.
On Google, you can delete your search history, location history and records of various other interactions you might have had with the company. If you value services like Google Now, then you might want to think about the effect deleting a lot of your personal info from Google might have on these services.
Stepping it up
If you believe you need a higher level of security, then you may want to consider using Tails in conjunction with a 4G mobile dongle that you pay for using cash only.
Is there something we’ve missed? Is there a better service that you’ve tried? Got any other useful tips? Let us know in this thread.