Simple Digital Privacy in a Complex Digital Age

Raleigh, NC (TFC) – A note before the article proper from the author:

Greetings, readers.  I am a new writer for TFC, so any flak you may have for my work is possibly attributable to my lack of familiarity with user feedback.  However, let it be known that I will not suddenly yield my positions on the topics I write about simply because some people online hold worldviews very contrary to my own.  I, as a writer, will either disappear due to lack of reader approval or will continue writing on with some dedicated support from readers.  That being said, I am not an immovable object, position-wise, and academic and healthy discussion might spur a worldview change in me.  But I prefer that flame wars and rumination dialogues be kept to social media, which I will link at the bottom of this article.  Thank you.

INTRO/SUMMARY/ABSTRACT

In an age where a Google search can reveal horrible or embarrassing content about anyone, the global Justice-Intelligence Complex stores everything it can on all individuals at all times, and private companies deploy secretive, aggressive tracking technologies while hiding them from public knowledge in the depths of discombobulating Terms of Service agreements, one can indeed feel less free and more fearful, even if no one actually took away one’s freedoms.  The state of fear, caused by the more baleful possibilities this passive data storage enables and worsened by the inherent weakness in so many ‘secure’ technologies, can inhibit one’s ability to perform normal tasks involving online technologies.  This, for some, is as crippling to freedom as physical bullies, ex-girlfriends and ex-boyfriends, or municipal bureaucrats are.  Fortunately, there are a few actions one can take to reduce visibility in the digital realm in case that is a concern (which, for me personally, it is).

The Internet Search or Protection against Individuals

The first and easiest (at least, according to me on account of my experiences in researching the methods behind this article) privacy task anyone can do is reduce their visibility in search engines, namely Google.  Note that this particular tactic is only practical if you are not a particularly public figure, as it is beyond the scope of this article to assist public figures in their disappearance from public view.  This is meant for non-public individuals.  Chances are, you have heard people say, ‘Google it!’  An article published to Cision emphasizes the widespread significance of this powerful phrase.  Although the author discusses how to achieve top results in a Google search, that knowledge is useful in determining how to hide results of pages that you made about yourself on the web, or to at least hide these results from Google and other search engines.  If you have EU citizenship and would like to take this a step further, you could research the ‘Right to Be Forgotten,’ though it should be noted that this only applies to EU citizens on EU versions of search engines and can lead to what can be interpreted as censorship; that discussion is for another time.

Now, a rudimentary understanding of search engines is quite beneficial in one’s hunt to hide personally-posted, public content online.  Search engines operate by using what are called web crawler programs, the name of which is probably of little relevance to this article.  These crawler programs provide the Google results you see by periodically finding publicly available, standard-format content about anything on the internet.  This information is then analyzed automatically and, in many cases, a copy of it is kept on Google.  Some of that information might pertain to you negatively or positively, but regardless, for every bit of information that a crawler can find, link, and read, it places a link or sometimes a copy of that information onto Google’s servers for anyone to find.  Understanding this process is how one can render a more effective search for data to hide.

These facts are necessary premises to communicate the next point, which will include screenshots.  To hide content that you posted a while back from Google or other search engines, you can complete one or more of several tasks:

  • A proof-of-concept, personally tested method: Make the data non-existent, at least in the published form on a particular website’s server. If you happen to have a webpage or post that you made that you would like removed, contact that website’s management and request that that specific page be taken down.  Usually there will be either a contact form asking for a name, an email address to contact you by, and a box to enter your message, or an email address to send inquiries to.  Be courteous, state your request (and include the precise link or links) and leave an email address they can contact you by and, in my experience, management usually responds within 48 hours. Either the page will have been successfully taken down or the management may ask you for verification of information of some sort, usually an email address, and in rare cases, a photo ID picture (from which you can blot out the sensitive information).  In the images below, I detail what I mean by using Wunderground.com, where I actually requested that my account be removed from their servers last week, and received a successful response within 10 minutes!

  • In case the non-existent page results still appear in search results and do not update after a few days, it may be time to ask Google to remove the result for at least 90 days from its search results. The page for that should look like the image below, minus the obvious edits.
  • If you do not want to eliminate the content, update the content so that it is private. If this involves social media posts or pages, for example, simply change some settings on your account so that your account and posts are private.  To take this a step further, use an alias for your accounts online, as I do for my Twitter page.
  • If you do not want to eliminate your content and still want it to be publicly accessible, you can move the content into non-standard file formats that web crawlers cannot read or onto pages that are not linked from other webpages. Web crawlers do not watch videos and they often are unable to explore onion links.
  • Oftentimes, public records are available publicly online and display discomforting amounts of information about individuals in searchable formats. While this is usually unsearchable by search engines, a first and last name is all one needs to get vast amounts of other information about an individual.  My only recommendation here is to simply not register oneself into voter databases and the like.

While it might seem like I am a spokesman for Google or other companies here (or that this writing is condescending), know that the internet is operated by private companies and so practical advice will involve at least some of these names, especially when one, like myself, cannot code.  Also, some of these names are about to come under heavy criticism.

Stealth against Private Companies and Governmental Organizations

Since at least the Edward Snowden leaks of mid-2013, the USIC, the Five Eyes Network, and local, state, regional and federal law enforcement agencies have sought to rapidly extend their surveillance reach to everyone and to compromise every single network communication they can collect, store, and analyze.  They have billions of dollars in funding and a vast array of employees.  So what can one do?

First, one must understand how communications are stored, how one is targeted and by whom.  If you chat or send text messages, it’s safe to assume that the company providing this service and the middle companies transferring the data are storing your communications or metadata about your communications in some form.  After you log in, you notice your chat history is still there—clear evidence of storage.  This storage is indeed convenient and many individuals do want their communications stored for this reason, but it’s how that chat history is used afterwards that can be spooky.  It may be encrypted or unencrypted, but even many encrypted services have built-in weaknesses called backdoors that were intentionally designed for exploitation by government organizations, especially the Five Eyes Network organizations.  Something you communicated, created, or searched a while ago could come back to trouble you legally, even if you were not involved in the illicit actions you were chatting about.  For instance, with today’s private-government alliances, The Guardian and other sources reported that a woman had her house searched by police after a family member’s search history that involved pressure cooker explosives and backpacks prompted the former employer to notify police about their online activities.  And even if the consequence of the searches does not manifest itself in the form of a visit from armed bureaucrats, it could still land you on one of many watch lists.  More often than not, certain keywords in posts or internet searches that are often completely benign in nature may result in increased DHS surveillance of your online activities using the ‘Desktop Binder.’  This document was only released to the public via the arduous legal efforts of EPIC (Electronic Privacy Information Center), though with some redaction as a sort of taunt to the public.  The digital aggression, however, is evident even in the unsealed elements of the document.

Imagine the sheer amount of harmless communications that these agencies capture and then pursue without a justifiable reason.  What a waste of effort and what a horrifying thought.  And the DHS would not be the first agency to experience this ‘needle in an artificial haystack’ problem.  An NSA document titled ‘Too Many Choices’ provided to The Intercept discusses the problem of scale within intelligence agencies in general, especially for SIGINT (SIGnals INTelligence): expanding the haystacks of communications captured in the surveillance machine will increase the difficulty of finding the needles.

But the ability to retroactively look at everything a person said online in the past, metadata or not, public and private, is far too tempting to let go of, apparently.  US President Barack Obama pushed for an extension of key surveillance provisions in the Patriot Act under the USA ‘Freedom Act.’  The only difference, at least officially, is that private companies will be required to collect and store in bulk all the information that the NSA was authorized to collect under the expired provisions of the Patriot Act.  So now, Verizon, AT&T, Facebook, Google, and other major telecommunication companies will collect all that invasive metadata that, under Smith v. Maryland, is not protected under the Fourth Amendment of the US Constitution.

Let’s face it—every single person has something to hide.  The next time you see an anti-privacy advocate, politely ask them for their house key and for their online account information, on the grounds that they should not possess anything they are hiding.  Usually their reaction should provide you with all the verification you need to substantiate that claim.  As an example, according to page 171 of No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State, investigative journalist Glenn Greenwald reports that Mark Zuckerberg, the CEO of Facebook, purchased four adjacent homes around his property in Palo Alto with costs in the millions of dollars—all to ensure his own personal privacy.  The fact that he is such a public figure and generates revenue based on Facebook users’ willingness to share information about themselves is not the point—the point is that even he has something he does not want others seeing.  I imagine that other internet company CEOs have similar dilemmas, but enough about them and their dilemmas, as they are not relevant to low-cost privacy tactics.

The first weapon in the battle against passive, mass surveillance is encryption.  Yes, I am fully aware that Facebook, Apple, Google and other companies encrypt your communications—but the systems automatically read through your posts and messages.  That is why you have targeted ads related to your online activities displayed on the sides of unrelated webpages.  Also, the keys to your encrypted conversations are stored on the host servers, so if company employees decide they have reason to search your conversations, your conversations will be exposed and can be handed over to authorities, should you happen to discuss pressure cookers and backpacks.  A Reuters article from 2012 describes how a man who allegedly solicited a minor was flagged by Facebook’s software and reported to authorities and subsequently arrested.  A Facebook page created by Facebook staff for law enforcement sheds some more light on the nature of this surveillance. This is an example of the more passive surveillance that ultimately may lead to exposure of conversations once thought to be totally private.  In my own experience, Google, Facebook, Twitter, and perhaps other companies offer you the option of downloading your data archive if you so choose.  The archive is the minimum amount of data these companies store on you—chats, emails, posts, photos, videos, friends, apps, et cetera.  What the archives likely may not include is the metadata associated with that content, which is conditionally more invasive than content itself.  To demonstrate the feasibility of this claim, let me show you a redacted screenshot of a data archive that I had to fight a certain company to obtain about my own data.  Take a look: the data stored that they gave me included the times when messages were sent to and from that account, to whom the messages were sent (identified by phone number), and the messages themselves.

I happened to be sent a set of Excel files, which is why I have an image of the archive I requested in Excel.  That is the minimum amount of data this company stores about me and my messages that I had to obtain via legal consent forms from the law enforcement team at this particular company.

While it does present some metadata, it is likely that the law enforcement team decided to not include more metadata such as MAC addresses, network identifiers, device operating systems, ISP information, login data, and, with further coordination with service providers, location data with an accuracy of centimeters.  Now, granted, some of these companies will not care about this data very much and will actually overwrite your data periodically and may actually use it for benign purposes.  If you want to use location services to locate yourself on a map, you need to give some information to that service so that it locates you.  These are very valuable services—when controlled, known, and consensual.  But because the capabilities of these services are often buried deep in Terms of Service agreements, patents, or trade secrets that may change without notice, are sometimes difficult to find, and are often incomprehensible without a justice degree, I think it is fairly reasonable to suspect that my phone may be locatable whenever it is on and within range of a cell tower.  Here, in the US, virtually everywhere is within range of a cell tower.  Ultimately, with all of this in consideration, and with the rights to your own content owned almost entirely by the services whose terms you indifferently click “I accept” to, do not be surprised if the information you shared about yourself grants you an online stalker, an investigation by your two-hop association to others, an embarrassing advertisement using your photos on social media, new spam emails, or new spam snail mail.  Any of these things may be more than the desired amount of nuisance online, so if you do not want to risk any of this, be extra careful about the content you post online, as you never know how companies are using your data.
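What the time and recipient columns of an archive like the one described above give away without a single message body being read, shown as an added example (not part of the original article or of any company's export tooling). The CSV layout, column names and phone numbers are constructed for illustration.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample export (not real data): time, direction and counterparty
# only. Message bodies are left out on purpose. Column names are an assumption.
SAMPLE_EXPORT = """\
timestamp,direction,counterparty
2015-11-02 07:58:10,out,+1-555-0101
2015-11-02 07:59:44,in,+1-555-0101
2015-11-02 23:41:02,out,+1-555-0188
2015-11-03 00:12:30,in,+1-555-0188
2015-11-03 12:15:00,out,+1-555-0142
2015-11-04 07:55:21,out,+1-555-0101
2015-11-04 23:50:09,out,+1-555-0188
2015-11-05 01:05:47,in,+1-555-0188
2015-11-09 08:01:13,out,+1-555-0101
2015-11-10 23:58:55,in,+1-555-0188
"""

NIGHT_HOURS = set(range(22, 24)) | set(range(0, 5))  # 22:00 to 04:59


def load_rows(text):
    """Parse the CSV export into (datetime, direction, counterparty) tuples."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(rec["timestamp"], "%Y-%m-%d %H:%M:%S")
        rows.append((when, rec["direction"], rec["counterparty"]))
    return rows


def profile_contacts(rows):
    """Summarise each counterparty using metadata alone."""
    by_contact = defaultdict(list)
    for when, direction, who in rows:
        by_contact[who].append((when, direction))

    profile = {}
    for who, events in by_contact.items():
        times = [when for when, _ in events]
        hours = Counter(t.hour for t in times)
        night = sum(1 for t in times if t.hour in NIGHT_HOURS)
        profile[who] = {
            "messages": len(times),
            "sent": sum(1 for _, d in events if d == "out"),
            "active_days": len({t.date() for t in times}),
            "usual_hour": hours.most_common(1)[0][0],
            "night_share": night / len(times),
        }
    return profile


def likely_close_contacts(profile, min_messages=3, min_night_share=0.5):
    """Contacts whose traffic is frequent and mostly late at night."""
    return sorted(
        who for who, p in profile.items()
        if p["messages"] >= min_messages and p["night_share"] >= min_night_share
    )


if __name__ == "__main__":
    prof = profile_contacts(load_rows(SAMPLE_EXPORT))
    for who, p in sorted(prof.items(), key=lambda kv: -kv[1]["messages"]):
        print(who, p)
    print("likely close contacts:", likely_close_contacts(prof))
```

Running the same functions over your own data archive shows how much of your routine is readable from the timestamps and recipients alone.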

Fortunately, solutions are freely available online.  Micah Lee, one of the first people Snowden contacted regarding the 2013 revelations, wrote a 30-page whitepaper titled ‘Encryption Works,’ detailing methods of free, secure, open-source encryption that exist because of the voluntary generosity of small groups of individuals working to defend privacy online.  Since 30 pages may be too boring or time-consuming for most readers (and I do not write that in a demeaning way), I will highlight the important points.

1)  On pages 10 and 11, Lee discusses OTR client programs. For Windows and GNU/Linux users, Pidgin will be the program of choice.  For Mac OS X users, Adium will be the program of choice.  OTR programs allow you to utilize the full strength of end-to-end encryption, usually with AES-256, for individual sessions.  Each conversation has its own key, though you will need to validate one another’s digital fingerprints via other means that require more work to attack, such as Twitter.  In my case, I utilize Adium, displayed below.

Create a digital fingerprint for yourself and share it via Lee’s recommended methods.

2)  On pages 16 through 23 of the document, Micah Lee discusses Pretty Good Privacy, or PGP for short.  PGP is excellent in that it allows you to add a verifiable digital signature to whatever you encrypt, should you so choose.  It also allows you to encrypt multiple files at once.  You can store all your keys here, and export them, if you wish, though I only recommend exporting them via flash drive and not the internet to reduce the possibility of interception. In the case of OS X, ensure that you can encrypt text, images, emails and files by confirming that your shortcuts in the Settings app are checked off and that your Thunderbird mail signatures are set up with the GPG keys you have created.

The green setting in the top right corner of the menu allows you to decide whether you want this particular email to be sent in encrypted form or not.  This guide from GPGTools should explain what you need to know before you use this secure encryption method.

3)  Use Tor (the onion router).  Tor redirects encrypted traffic via multiple random computers to make potential surveillance very difficult.  Since the endpoints do not know which machines made the original requests, this is a great way to conceal your identity online.  Because using only Tor is not foolproof, do not send communications that could identify you via Tor, including unique web searches for pressure cookers at the same time from the same node on the same search engine.  To understand why this is, look over the Tor Project’s overview of Tor.

4)  Use a read-only virtual machine.  While Micah Lee specifically recommends Tails, successful installation of it requires a proper flash drive, and all of my attempted installations of Tails were unsuccessful.  As far as a tested OS, I recommend installing Whonix on a flash drive along with VirtualBox on your computer.  Of course, you do not need to install it on a flash drive.  Whonix OS is a Linux-based read-only operating system which has Tor built in.  In case Whonix is hijacked, you can quickly quit the application without exposing your identity or details about your host machine.  This is important because it allows many key details about your internet traffic to be hidden, and those details are the first clues governments and companies utilize to identify you.  An installation guide is available here.  Using it should not be too difficult.  I made a video that explains how to use it once you have installed it.  Check it out: https://www.youtube.com/watch?v=0l4_EABV3Fk

5)  Use a free, no-limit VPN.  Be cautious when browsing the web, however.  There is a chance your location is discoverable even with the VPN if you are not running the browser add-on NoScript, especially on video sites.

6)  Use an end-to-end encrypted email service.  Edward Snowden used Lavabit while it still was in operation, for example.  I understand that most of these services are premium-only, but there are a few free ones out there that work very well.  One that comes to mind is ShazzleMail.  ShazzleMail emails are stored locally on your computer or mobile device, not on ShazzleMail servers.  It also conceals metadata, which further secures the transmission of user data.  Additionally, it offers free and prompt user support as well as premium services, should you deem them fit.  ShazzleMail also offers the same services for mobile devices.
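The fingerprint validation from item 1, as an added example that is not from the original article or from Lee's whitepaper: OTR clients show the SHA-1 hash of a contact's public key as five groups of eight hex digits, and the check only means something when the complete value matches a copy obtained over a second channel. The key bytes and function names are constructed for illustration; the comparison helper also accepts the 40-hex-digit fingerprints that PGP tools display.

```python
import hashlib
import re

# Constructed byte strings standing in for serialized public keys (assumption:
# a real client hashes the key material it received during key exchange).
CONTACT_KEY = b"constructed-public-key-of-the-real-contact"
SUBSTITUTED_KEY = b"constructed-public-key-of-someone-in-the-middle"


def display_fingerprint(public_key_bytes):
    """SHA-1 of the key bytes, shown as five groups of eight hex digits."""
    digest = hashlib.sha1(public_key_bytes).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def normalize(fingerprint):
    """Drop spacing, colons, dashes and case; insist on all 40 hex digits.

    Rejecting short input matters: matching only the first or last few
    characters is far weaker than matching the whole fingerprint.
    """
    cleaned = re.sub(r"[\s:-]", "", fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", cleaned):
        raise ValueError("expected a complete 40-hex-digit fingerprint")
    return cleaned


def verify_contact(shown_by_client, published_elsewhere):
    """True only if the complete fingerprints from both channels are identical."""
    return normalize(shown_by_client) == normalize(published_elsewhere)


if __name__ == "__main__":
    # The contact publishes their fingerprint elsewhere, formatted differently.
    published = display_fingerprint(CONTACT_KEY).replace(" ", ":").lower()

    # Key the chat client actually received: the real one, then a substitute.
    print(verify_contact(display_fingerprint(CONTACT_KEY), published))
    print(verify_contact(display_fingerprint(SUBSTITUTED_KEY), published))
```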

And there you have it.  Using this knowledge and these tactics, you should be able to boost your digital stealth in the age of general data mining.  I have not delved into the morality of the surveillance machine, as that is out of the scope of this article, though I may write another article on that should that be requested.  Ultimately though, the point is: if you do not want others seeing it, do not communicate it online.

End Note

This article is not intended to be a promotion or demotion of any products or services.  It is simply intended to be a guide for increased privacy in the digital world which is only possible because of individuals voluntarily working to create products, services and methods that make this possible.  Any views or opinions expressed in this article are solely the author’s and do not necessarily reflect the views or opinions of The Fifth Column.  For any questions or comments, you may contact the author on Twitter @VanthusPrime.  For sharing this article, the author does not believe in gun-backed intellectual property rights, so organizations and individuals are free to share this article if The Fifth Column approves.  The author only asks that you retain whom it was authored by, and a link to the original source of content that is shared.

References

Just “Google It” – What the Power of This Phrase Means for Businesses Today. (2013, June 27). Cision. Retrieved from http://tinyurl.com/py9yhzu.

Hern, Alex (2015, December 29). Wikipedia swears to fight ‘censorship’ of ‘right to be forgotten’ ruling. The Guardian. Retrieved from http://tinyurl.com/kaallxo.

Khandelwal, Swati (2015, December 28). 191 Million US Voters’ Personal Info Exposed by Misconfigured Database. The Hacker News. Retrieved from http://tinyurl.com/z9jvf63

DNI.gov. (2015). Retrieved December 29, 2015, from http://tinyurl.com/gns8gqg.

Privacy International. Retrieved December 29, 2015, from http://tinyurl.com/plnvjmo.

National Information Standards Organization. (2004). Retrieved December 29, 2015, from http://tinyurl.com/y99olov.

New York woman visited by police after researching pressure cookers online. (2013, August 1). The Guardian. Retrieved from http://tinyurl.com/m2jj3of.

Department of Homeland Security, National Operations Center. (2011). Analyst’s Desktop Binder. Retrieved December 29, 2015, from Andrea Stone, website: http://tinyurl.com/7swpoqk.

Electronic Privacy Information Center. (2012). Retrieved December 29, 2015, from http://tinyurl.com/78logk4.

Inside NSA, Officials Privately Criticize “Collect It All” Surveillance. (2015, May 28). The Intercept. Retrieved from http://tinyurl.com/hyofr89.

Joseph D. Mornin, NSA Metadata Collection and the Fourth Amendment, 29 Berkeley Tech. L.J. (2014). Available at: http://scholarship.law.berkeley.edu/cgi/viewcontent.cgi?article=2042&context=btlj

Social networks scan for sexual predators, with uneven results. (2012, July 12). Reuters. Retrieved from http://tinyurl.com/jcpxlpv.

[Facebook] Safety Center. Information for Law Enforcement Authorities. Retrieved December 29, 2015, from http://tinyurl.com/a6whlbz.

Logan, J (2014, May 20). THE BANALITY OF TERMS OF SERVICE AGREEMENTS [Web log post]. Retrieved December 29, 2015, from http://tinyurl.com/z9px4hs.

NSA warned to rein in surveillance as agency reveals even greater scope. (2013, July 17). The Guardian. Retrieved from http://tinyurl.com/jwgtgow.

Encryption Works: How to Protect Your Privacy in the Age of NSA Surveillance. (2013, July 24). Freedom of the Press Foundation, p. 10-11, 16-23. Retrieved from http://tinyurl.com/hjdh34s.

GPGTools. (2014, August 28). GPGTools – OpenPGP on OS X (Introduction to GPG Suite) [Video file]. Retrieved December 29, 2015, from https://www.youtube.com/watch?v=P7xQVZN1S6Q.

Tor: Overview. Tor Project. Retrieved from https://www.torproject.org/about/overview.

Whonix.org. Retrieved December 29, 2015, from https://www.whonix.org/wiki/VirtualBox.