A work-in-progress post on how to protect your data and privacy online

privacy.md

Work-in-progress

How to protect your data and privacy online for the average user

Table of Contents

1. Introduction and Motivation 1a. About me
2. Ad profiling: What can be tracked
3. Government tracking: What can be tracked
4. Low-effort
5. Medium-effort
6. High-effort
7. Thanks

Introduction and Motivation

Today, it is extremely hard to protect our data online. Even if we don't volunteer it, companies still collect it, monetize it, resell it, and aggregate it in ways that can't be traced all the way to the end. Governments listen to it and make conclusions about whether people are dangerous to the government.

Many articles these days focus on the idea of data as "the new oil.", and, like oil, there are both plenty of positives and negatives about collected data. When used correctly, data can detect heart attacks before they happen, help us understand the history of the internet, and help us connect with other people.

But data is also a very powerful weapon that can be used against you. It can find things out about you that you want to be private. It can be used to manipulate your emotions.. It can be breached by hackers.. It can be aggregated to reveal who you are to the world. It can, in a word, destroy you.

A single piece of data about you is like a grain of rice among thousands of identical ones: once it's out there, it's very hard to delete it, for a number of technical reasons.

The only way to absolutely make sure that your data is not compromised is to never post it online, which is impossible for 99.9% of the population. The other .1% is Richard Stallman, who is so paranoid that he's devised an entire system of reading the entire internet through email. The other end of the spectrum, of course, is Mark Zuckerberg, who in spite of preferring an extremely private life for himself, wants the entire world's data to be default-open.

There is no way to make 100% sure that your data is not being compromised. Ultimately, you have to trust something or someone with your privacy. But there are numerous ways to make yourself at least a bit more safer. The goal of this guide to let you decide for yourself what you value and where on this spectrum you'd like to fall in terms of protecting your data.

The two main important categories in data safety today are safety from advertisers and safety from hackers or government entities listening in to your private conversations. It's important to understand is that every action you take online is a choice on the spectrum between convenience and privacy. If you want convenience, you can't have privacy: easy means your data is compromised. If you want privacy, it will take some effort on your part. You might not have to read your internet through your email, but you may have to make some tradeoffs if you decide privacy is more important than accessibility.

About me:

I'm a data scientist, so I understand the movement of data and the implications of data collection. But, I'm not a security expert, and I don't play one on the internet. I'm just someone who doesn't want to be tracked, and I've done some research into what's available for the average internet user in the United States.

So, please feel free to email me, add a comment to this gist, or do a pull request on it. I'd love to have others add resources and clarifications.

I've organized everything here from least effort to most effort.

Ad profiling: What can be tracked

A good first place to start is by understand what is tracked about you online. The Consumerist has a good general article about online tracking. The main thing to understand is that the way the internet works today is mainly fueled by the ad-tech industry which makes money by tracking people and selling their data.

Here's a very good explainer on what happens in detail.

What this technology is really good at doing is following you from site to site, tracking your actions, and compiling them into a database, usually not by real name, but by a pseudonymous numerical identifier,” says Narayanan, “Nevertheless, it knows when you come back, and it knows to look you up, and based on what it has profiled about you in the past, it will treat you accordingly and decide which advertisements to give you, sometimes how to personalize content to you, and so on.”

The main companies most consumers need to worry about are the big, oligopolistic friendly giants operating mainly on advertising revenue that control our internet experience: Google and Facebook. The other important ones are Microsoft, Amazon through Echo, and Apple. Twitter used to default to open,but recently it's also started to get in on the ad/data game.

I've written specifically about Facebook. And here are two good articles about Google. If you have an iPhone, Apple also tracks you and sells that information to advertisers.

So from the minute you open a browser window, you're being tracked. A good place to start is the FTC's site on tracking, which covers cookies and device fingerprinting, the main way that sites track you. Once you log into a site, such as Facebook or Google, and give them your information, they can get even better at setting up a profile about you and understanding everything you do, both on their sites and off. Google has your entire search history and every place you've been through Google Maps, and Facebook has data about your entire social network and all of your likes, dislikes, political opinions, and moods.

Government tracking: What can be tracked

It is in the interest of every government entity to track its population. An excellent resource on this to start with is the 1967 book "Privacy and Freedom," which is considered the seminal work on the topic, and goes into why people need privacy and how governments violate it. Governments have kept track since at least the Old Testament, in which King Solomon counts all the foreigners in Israel “Then Solomon took a census of all the aliens who were residing in the land of Israel, after the census that his father David had taken; and there were found to be one hundred fifty-three thousand six hundred.” (2 Chronicles 2:17-2:17)", and this has become much easier for them with the advent of technologies like counting machines, and most recently, telecommunications.

The recent revelations have shown that, at the very least, the United States government keeps track of at least email messages, chat data, file transfers, and phone calls of most US citizens, and many international targets, as well. It gets most of this data from companies such as Google and Facebook.

What can be done about all of this? The first step is to understand how security experts think about these threats.

Electronic Frontier Foundation's Surveillance Self-Defense Site is a good resource starting point. There is a LOT there, and most of it is related to private communications, focusing on what happens if a hacker or the government intercepts your conversation online. Start with reading the section on threat modeling. Here's another good article laying out the implications of the government having access to all the same data that adtech companies collect.

Low-effort

1. Install adblockers. uBlock Origin. Don't use Adblock Plus.
2. Install Ghostery.
3. Install NoScript.
4. Log out of Facebook and Google when you browse. (Although that won't always help, since Facebook tracks you even outside of sessions.)
5. Sign out of Chrome. Don't set up a Chrome profile to begin with.
6. Use Firefox and switch to do not track mode.
7. Use an anonymous browser window for sensitive searches (i.e. medical, sex-related, geographical, private questions.)
8. Don't do geographic check-ins either on services like Facebook, Twitter, Yelp, Foursquare, etc.
9. Disable Google Maps Timeline.
10. Don't tag people in Facebook photos without their consent, especially children or people not on Facebook.
11. Don't give applications your real information unless they absolutely need it. Don't give away your birthdate, email, phone number, or other private information.
12. Use HTTPS Everywhere.

Medium-effort

1. Use a VPN client. My favorite is Private Internet Access.
2. Don't use Google - switch to Duck Duck Go.
3. Don't use the Facebook mobile app or Messenger. - use the mobile site online. You can get Messenger by requesting desktop site on mobile.
4. Don't use any applications owned by Facebook for private communications, including Instagram, and Whatsapp. All data entered there is sold and correlated to Facebook profiles, and if it's not yet, it will be in the future.
5. Don't use cloud services like Google Docs or particularly DropBox.
6. Download Signal and use that for chat, and encourage all friends to, as well. Telegram is another, similar alternative, but there has been some debate about how secure it is.
7. Use iOS.
8. Create good passwords and store them in password managers. Here's an excellent post on why most password creation systems are not so great.

High-effort

1. Use your own site instead of Facebook or Twitter to post updates. Own your content.
2. Use Tor.
3. Get off GMail.
4. Research companies you're signing up for. Unrollme is the latest case of this.
5. Keep up with privacy news to understand changes. Bruce Schneier is considered the best in the field and blogs pretty frequently. There's also Matthew Green.
6. Run your own VPN. For expert users only. Here are some reasons why you may want to.
7. Use pgp/encryption on all of your emails.

Thanks

Thanks to Fernando and Artem for offering technical feedback.

Add dropbox hack information.

Here’s a few more things to consider:

1. Application permissions on iOS/Android. The rule of thumb: if it’s not immediately obvious why an app asks for a certain permission, default to “No”. Nothing bad can happen if you do so: for example, Skype and Telegram will work fine without access to your contacts or camera.
2. OAuth. Don’t use your Facebook/Twitter/etc. to login to other websites. If you do, carefully read requested permissions and make sure to review connected apps regularly. Could be useful to provide links to "authorized apps" pages on popular services.
3. If you use Google search or any of their services, be sure to visit https://myactivity.google.com/myactivity (just doing that could be enough motivation to switch to DuckDuckGo) and disable all tracking.
4. Disable browser autofill.
5. Do not sit on OS security updates for days, install them as soon as possible.
6. Beware of browser extensions, esp. Grammar.ly.
7. Never give apps access to your email inbox (LinkedIn used to do (still does?) some scary stuff around this).
8. Use OTP-based two-step verification for critical services (a bit controversial, but generally accepted).

Additional comments: I would add something about antivirus since that often offers some basic privacy protection.

[7:44]
Also, I like to get people thinking about levels of privacy as it applies to information. For example, if I am talking with my friends in the front yard and a neighbor walks by, my expected privacy of my conversation is zero; bad time to share my SSN with everyone. Conversely, if I want to talk finances with my partner, doing so in a train car at rush hour might not be the best choice.

[7:45]
Applying different privacy standards based on the data allows one to leverage services that might otherwise be ignored in a strict privacy approach.

Include DDG Privacy guides: https://spreadprivacy.com/mac-privacy-tips-13395592a9b4

Hi @veekaybee. We just chatted on Twitter. A couple of resources I'd recommend are:

• https://www.reddit.com/r/privacy/ - For a subreddit it's surprisingly open to newbie questions with easy-to-understand content.
• https://thatoneprivacysite.net - I keep referring people to the VPN info in particular. Gets a bit technical but super helpful for choosing a service you can hopefully trust.

Under Medium Effort, adding a section about Secure DNS http://www.computerworld.com/article/2872700/6-dns-services-protect-against-malware-and-other-unwanted-content.html may apply. Basically, setting your home Internet to use a secure DNS provider versus the automatic DNS from the provider adds a layer of malware protection for the entire house and by inference an additional layer of obfuscation of the Internet habits for the entire household. Of course, the secure DNS provider may be reviewing meta metrics but your consumer provided IP address only translates into a provider's IP address pool.

Update 1-2-19: In 2018 IBM opened Quad 9 (9.9.9.9) as an open DNS alternative which also blocks known malware sites. Cloudflare also opened a new public DNS at 1.1.1.1 and emphasizes security and privacy.