It's quite frequent that I see a blog post on "How to remain anonymous online" or something similar. To me, however, some of these posts seem to be pushing a VPN or similar product in your face for a referral click or due to sponsorship and don't really do much to help you/provide resources.
As you, a reader of this blog, may know, I do not post referrals, nor do I push products because they sponsor me or whatever (though I may recommend one). So, here's my take to help you protect your privacy. This will be a lengthy post. Grab coffee or something to keep you up. ;)
What This Post Isn't
This post isn't a guide to 100% protect yourself. Only you can do that. This post is also not a guide for evading law enforcement or to be used for hiding illicit activity.
What This Post Is
This post is a guide for curious individuals or those who wish to better control their privacy and aren't very familiar with some basic concepts. As previously mentioned, this will not 100% protect your privacy. That is an effort only you can make.
Lastly, I am going to be working on keeping this post up to date with information/tools/services.
Being aware of how your privacy is handled is among the most important steps to protecting it; sort of an RTFM thing. The other takeaway is to simply be careful about what you say and to whom. Posting when you go places and the like allows someone to build a timeline of your day.
Browsing the net? You're being tracked. Why? Mostly it's for advertising networks and other miscellaneous analytics. Again...why?! Generally, ad networks want to serve you ads which they deem relevant to you. Don't get me wrong, there are several websites which maintain their revenue stream thanks to ad networks. The problem, however, is that you are trusting that ad networks aren't compromised or serving malicious ads (malvertising).
Here are a few examples:
- http://www.forbes.com/sites/thomasbrewster/2015/09/22/forbes-website-served-malware/#220c34e03748 (ironic link is ironic)
Sure, your government is probably tracking you too.
How can you limit tracking, analytics, and ads? There are a few useful ways:
- Browser plugins (no specific order; don't install all of these at once unless you want to REALLY break stuff):
  - uBlock Origin (has been pretty solid for me)
  - Adblock Plus (has gotten some bad rap for allowing "vetted" networks through)
  - Ghostery (can be a bit much for your average user; however, an effective tool)
  - Privacy Badger (project by the EFF)
  - Blur (tracker blocker + many other useful features that I will talk about)
- DNS blackhole on your network (may be intimidating to a basic user):
  - Pi-hole (free DNS blackhole that takes minutes to set up. A Raspberry Pi is cheap; a big plus. Personally tested to be pretty effective)
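To show what a DNS blackhole actually does with a query, here is an added example (not Pi-hole's own code) that loads a constructed hosts-format blocklist, the format most public ad/tracker lists use, and decides whether a queried name should be answered with a sinkhole address or forwarded to the real resolver. It goes one step beyond exact hosts-file matching by also blocking subdomains of a listed name; that generalization is my assumption, not Pi-hole's default.

```python
from __future__ import annotations

SINKHOLE = "0.0.0.0"  # address returned instead of the real one for blocked names

# Constructed sample blocklist; real lists run to tens of thousands of lines.
SAMPLE_BLOCKLIST = """\
# Sample ad/tracker blocklist (hosts format)
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # trailing comments are common
127.0.0.1 localhost
::1 localhost
0.0.0.0 telemetry.example.com analytics.example.com
"""

# Names that every hosts file carries for the local machine; never sinkhole these.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost", "ip6-localhost"}


def normalize(name: str) -> str:
    """Lowercase and drop the trailing dot so 'Ads.Example.NET.' equals 'ads.example.net'."""
    return name.strip().rstrip(".").lower()


def load_blocklist(text: str) -> set[str]:
    """Parse hosts-format lines '<ip> <name> [<name> ...]', ignoring '#' comments."""
    blocked: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue  # blank, comment-only, or malformed line with no hostname
        for name in fields[1:]:
            name = normalize(name)
            if name not in LOCAL_NAMES:
                blocked.add(name)
    return blocked


def resolve_decision(qname: str, blocked: set[str]) -> str | None:
    """Return SINKHOLE if qname or any parent domain is listed, else None (forward upstream)."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocked:
            return SINKHOLE
    return None


if __name__ == "__main__":
    blocked = load_blocklist(SAMPLE_BLOCKLIST)
    for q in ["ads.example.net", "cdn.ads.example.net", "example.net", "localhost"]:
        print(f"{q:25} -> {resolve_decision(q, blocked) or 'forward upstream'}")
```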
If evading censorship is what you're looking for, Tor Browser is a good thing to look into. It is incredibly important to understand that Tor and Tor Browser are not perfect (https://www.torproject.org/about/overview.html.en#stayinganonymous). There have been several instances where governments and researchers have "de-anonymized" Tor users. If you're looking for a similar alternative, check out I2P. I2P even has a comparison chart for I2P vs Tor: https://geti2p.net/en/comparison/tor
Besides limiting ads, trackers, and potentially other malicious content, it is also recommended to use SSL/TLS whenever possible. Yes, there are attack avenues against SSL/TLS; however, almost anything is better than plaintext. If you want to use SSL/TLS wherever a site offers it, check out HTTPS Everywhere by the EFF: https://www.eff.org/https-everywhere
Accounts & Passwords
Consistently using the same username and/or email is convenient and means less to remember when logging in to a service. The problem, however, is that breaches happen, you could get targeted, and your email ends up in yet another database. One can turn to services such as 10minutemail for a temporary email when signing up. The drawback of this approach is exactly that: the address is only temporary.
In comes Blur by Abine again (I know, it seems like I'm shoving this product in your face...I promise that I do not mean for it to seem that way). Blur lets you create randomly generated emails which then forward to your actual email; useful if you need an email to remain active. One must remember that your emails are handled by Abine, so they technically pass through Abine's servers.
Have a service that supports two-factor authentication (2FA)? Enable it. 2FA provides a second layer to protect your account, should an attacker find themselves in possession of your credentials. Many services that offer 2FA can rely on your phone as the token. For a community-driven list of sites that support 2FA, check out https://twofactorauth.org/ (some content is not up to date).
Personally, I like password managers. Why? They work. They only work, however, if you take the necessary precautions and understand the risk(s) they can introduce; it's a keys-to-the-kingdom situation. If you use a password manager, ensure you use a very strong master passphrase to unlock it. Also, I'd advise you to stay away from the "convenient" password managers that sync everything for you on their servers; this just causes more unnecessary exposure. If you do elect to use a password manager that syncs to the creator's server, research how they handle the data, i.e. how the data is transmitted and how it is stored.
In short, there are a few ways to help protect your accounts:
- Don't repeat usernames unless you absolutely want to (track where you've repeated usernames)
- Limit how much identifiable info you put on a profile
- Alternate emails (generate them if possible)
- Set strong passwords (randomly generated, 16 characters if you can)
- Enable 2FA if possible
- Routinely change passwords
- Check out if a password manager is right for you
Let's face it, communicating with others is human nature. Thankfully, many crypto people are also humans and have been working on ways for people to communicate securely. You don't need to be a criminal, haxor, terrorist, or general "bad guy" to want encrypted communications. It irks me when officials and the like allude that only bad guys encrypt communications because they have something to hide. This, however, is not always the case. We general users have many reasons to encrypt our communications.
Attackers can come in many forms and can be on who knows what network. Not to mention that you are trusting that no authorized person is abusing their power over a network. Of course, there's also the potential of a man-in-the-middle attack, where an attacker simply intercepts your communication.
The largest downfall of many encrypted messengers/platforms, and something you should note, is that in most cases both parties must be using the same messenger/platform. This does not sound like a complicated matter until you realize that there is a flood of "secure" or "encrypted" or "private" messengers/platforms. Here are some of the ones out there:
- Tutanota (free or paid, offers mobile app)
- ProtonMail (free or paid, offers mobile app)
- Signal (recently had a favourable audit, easy integration)
- Wickr (yes, the one seen in Mr. Robot....)
- Wire (feature rich)
- Threema (haven't had a whole lot of time messing with this one. Worth noting that it isn't free.)
- Phone calls (note that most messengers allow for encrypted calls):
  - RedPhone (now part of Signal)
  - Silent Phone (Silent Circle also has an encrypted messenger and phone if you're interested. Is not free)
Again, the trick with encrypted communications is that not everyone uses the same messenger/platform. Not to mention that you are relying on the other person to not be already compromised.
Probably the most commonly searched-for privacy guard, the usage of VPNs has exploded over the last couple of years. With so many bloggers being paid to write about them or getting referrals, it is hard to trust a source. Luckily, you can see privacy concerns/issues with many VPN providers here:
I'm leaving it up to you to find one that suits your needs...there are simply too many providers.
It is worth noting that when you are on a VPN, you are trusting the word of the company. And if IRC has taught us anything, it's that someone is always logging. Remember, when you are on a VPN, you are on someone else's network. Should they be compromised, the ramifications would presumably be large (I could be wrong).
If you are a privacy-conscious person or are considering a subscription to a VPN service, please be careful. I recommend:
- Identify why you need a VPN
- Check the aforementioned privacy site to see if the provider is listed (no harm in checking)
- Pay in alternative currencies, e.g. Bitcoin (remember, Bitcoin isn't 100% anonymous and can be traced)
- Be wary of entering any personally identifiable information (public or private)
- Assume that somewhere something is being logged (trust no one)
- Trust no one
- Remember that they will know your originating IP
- Avoid L2TP/IPsec (some providers readily distribute their pre-shared key (PSK))
Let's not forget that you can always host your own. There are plenty of guides online on how to host/create your own VPN. Just be sure to use strong cipher suites and current protocol versions.
This guide on DigitalOcean by https://twitter.com/jmellingwood is decent:
Know When To Turn It Off
Are you that person who lazily leaves WiFi and/or Bluetooth enabled? Don't be. It is too easy for someone to set up a rogue wireless access point or play with Bluetooth. If you walk out of your trusted area, simply turn off unnecessary wireless tech unless you absolutely need it.
This should go without saying..."Don't connect to public WiFi" (unless you ABSOLUTELY need to)
Other than safe browsing, safe passwords, VPNs, and Tor, it is also important to note that your computer itself is a general risk to your privacy. What can you do?
- Get a camera cover or tape over it
- Disable IPv6, unless you need it
- Ensure your computer's firewall is enabled:
  - Enable/get one if not
- Don't run as local admin (use a secondary non-privileged account)
- Disable guest accounts
- Ensure disk encryption is in use (prevents thieves from easily obtaining your data. After all, we use computers for a lot of personal data nowadays)
- Spoof MAC addresses if possible (a bit extreme for general users)
- Use strong local passwords (surprised that not all guides state this, even though it may seem obvious)
- Disable local searches from querying the Internet, e.g. Spotlight search, Cortana, etc...
Aside from those general items, if you are a Windows 10 user, you should REALLY review your privacy settings:
If you are a MacOS user, I highly recommend that you check out some of the tools provided for free by Objective See (https://objective-see.com/).
Information About You - USA Readers
Your data is always being collected by third parties. If you are in the U.S.A., have you ever gone through a credit check and now, because you are prescreened, you receive a ton of credit offers? This is a perfect example of how data brokers work; your information is passed around to buyers or even given away for free.
Limit mail and calls:
Additionally, in the US, there are various data broker sites online that people can search you on. These sites all distribute your data to each other. Thankfully, you can send opt-out requests to each one. In some cases, you need to prove your identity to remove the listing. Be warned, however, that most of the time the data can come back within days. There are, however, some services which promise to routinely monitor and send opt-out requests on your behalf:
- Privacy Pro by Reputation Defender ($10/month, $99/year, $179/2year)
- DeleteMe by Abine ($129/year, $209/2year)
- If you don't want to pay, Abine provides opt-out how-tos: https://abine.com/optouts.php
Keeping tabs on yourself and ensuring that you are being safe can seem quite overwhelming; it is a process that requires continual effort. It is like they say, "practice makes perfect." Keep practicing and you will achieve the desired result.
If you have any additional tools, services, or recommendations, feel free to mention me. https://twitter.com/protoxin_