Thank you to everyone who was able to join us for our online privacy and security workshop at Birmingham Open Media last Wednesday. We’re pleased to be able to share with you some resources from the evening so that you can take some simple steps to improve your online privacy and security.
The workshop was hosted by myself (Francis Clarke), who established Open Rights Group Birmingham in 2015 and Leo Francisco, who has made a contribution since joining ORG Birmingham just before Christmas.
Close to 30 people came along to Birmingham Open Media (BOM) for the meetup. For many, it was the first time they’d attended an Open Rights Group event. I’m pleased to say reaction to the event and BOM’s wonderful venue was overwhelmingly positive.
Why you should care about online privacy
I kicked off the evening with an introduction to Open Rights Group’s mission to protect and promote human rights as our society goes digital before going on to explain why we as a society must care about protecting online privacy and reject the ‘nothing to hide, nothing to fear’ argument.
Leo presented a more detailed look at the threats to our privacy, including the mass surveillance regimes Edward Snowden revealed and the UK government’s plans to introduce even more surveillance through the much-criticised Investigatory Powers Bill.
We were also fortunate enough to hear from respected journalist Paul Bradshaw, who explained how pervasive surveillance, particularly in the workplace, is making it harder for whistleblowers to alert the public to corruption and misconduct.
Leo has kindly shared slides from the evening here.
Practical help to reclaim your online privacy
With so much doom, gloom and political point-scoring surrounding the privacy debate, it’s easy to feel overwhelmed and pessimistic. For this reason, we spent the rest of the evening showing guests some simple things we can all take to improve our own privacy and security and help society, too.
1. Keep your device’s software up-to-date
Privacy and security are closely related. Keeping your desktop, laptop, tablet or smartphone’s software up-to-date makes it more difficult for criminals to access to your device and steal personal information such as your online banking login details.
The precise method for updating your device’s software will vary depending on the hardware and software you’re running. Both Microsoft Windows and Mac OS X will regularly prompt you to install updates. Don’t ignore these messages! If you are an iPhone or iPad user, you will also receive similar messages. Sadly, updates for Android phones and tablets are released less frequently but you should still keep an eye out for them.
As well as saying yes to update prompts, you can also manually check for available updates. Here are instructions for different systems.
Updates for Android phones and tablets vary by manufacturer. Generally, look in your Settings menu for an ‘About your Phone’ option. Here you will see an option to check if updates are available for your phone. Some manufacturers are better than others at issuing updates. Generally, Google Nexus phones and tablets receive updates faster than Samsung, HTC and other phone makes.
Remember to keep an eye out for other opportunities to keep your software up-to-date. Modern web browsers such as Firefox and Chrome regularly search for updates but, depending on your device’s settings, you may still need to approve the changes.
If you’re a Windows user and you’re still using Microsoft Internet Explorer, it’s worth switching over to Firefox and Chrome, both of which offer much better security and privacy options.
2. Choose strong and unique passwords
Be honest, have you ever used the same password for more than one service? Most of us have done this at one time or another, making it easier for a criminal who has accessed our social media accounts to gain access to our private email conversations.
To make matters worse, we often choose passwords which are easy for criminals to guess from the information we post online about ourselves, such as the names of our family members, fondly remembered pets or the place we grew up in.
Choosing strong and unique passwords for our online services reduces the chances of us having our personal information compromised.
One good way of choosing a strong password is to select four random words from the dictionary. A password consisting of ‘correct horse battery staple’ is easier to remember than one made up of random letters and numbers.
3. Use a Password manager
A password manager can help you get round the problem of having to remember all your various passwords. Instead, all you have to do is remember one strong ‘master password’. The rest of your passwords will be securely stored in your personal password vault, which only you can access.
There are many different password managers out there. Two options to try out are:
– KeePassX. A free, open source password manager that works across multiple systems and comes with a strong security pedigree.
Open source means anyone is free to inspect how the software works and make improvements. Public inspection is probably the most important why of ensuring security flaws are spotted quickly and fixed.
– LastPasss. A popular commercial password manager with a strong emphasis on working seamlessly across multiple devices.
Depending on your level of computer confidence, you may find KeePassX quite technical and hard to set up. If so, you might prefer LastPass. LastPass is ‘freemium’, which means it provides both a free version as well as a more advanced, paid-for option.
With any password manager you use there is always a risk of ‘putting all your eggs in one basket’, i.e. if someone discovers your master password, they could go on to access all your other services. However, this risk must be weighed up against the benefits that come from being able to easily create and remember multiple strong and unique passwords.
4. Use Two factor authentication
Even if you use strong and unique passwords, there is a chance someone could discover your password and go on to access your personal information. That’s where two factor authentication comes in.
With two factor authentication, your online service will prompt you for a second unique piece of information before granting you access. For example, should you try to access your Gmail from a friend’s laptop, Google will send a verification code to your mobile phone via text message. you assigned to your account. Only when you have entered this information will you be able to access your emails.
As well as text message alerts, services increasingly give you the option of receiving notifications via a dedicated smartphone app. This can be handy when you are abroad or your mobile reception is patchy.
5. Encryption and Signal Private Messenger
Encryption is the process of encoding a message or information in such a way that only authorised parties can read it.
If you’ve been following the news lately, chances are you’ve heard about encryption and not in a good way. Politicians and public officials have been claiming that encryption is preventing them from tackling terrorism and other serious crime. For the latest round in this debate, see the stand-off between Apple and the FBI.
You’re far less likely to hear how strong encryption is essential to modern day life, allowing us to access online banking, complete our tax return online and securely and exchange private information securely.
Next time you’re browsing online, look for the green padlock icon in your web address. That symbol, together with the letters https, tell you that your connection to the website you are visiting is protected by encryption, which prevents criminals from getting between you and the website to steal your personal information.
Up until a few years ago, your options for encrypting your personal communications were fairly limited. You could set up an encrypted email system but it was (and still is) technically complex, with lots of room for error.
Following Edward Snowden’s revelations of mass surveillance, companies started to take customer privacy more seriously and offer smartphone-based encrypted messaging services. Both iMessage and WhatsApp, for example, allow you to send messages in encrypted form, which is a big improvement over traditional SMS text messages, which people can easily intercept and read.
While iMessage and WhatsApp are very good services, they still require you to trust the companies operating the service with your privacy. For that reason, privacy and security experts recommend you use the Signal Private Messenger app, which is available as a free download for both iPhone and Android.
Without going overboard on the strengths and weaknesses of different messaging systems (more of which can be found over on the EFF Messaging Scorecard), the main advantages of Signal are:
– Encryption is end to end and your access key is not shared with the company. This means nobody but you and the person you are sending the message to can access the content.
– Signal is open source, meaning anyone can examine the code and report security issues. This is seen as the best way of maintaining a secure system. By contrast, iMessage and WhatsApp are closed source, which means we have to trust the app makers that they have spotted and fixed all known problems.
– Signal is free to download and developed by a not-for-profit company. This means they do not have the same commercial pressure as other messaging providers, which can result in providers acting in a way that runs contrary to user privacy.
– It’s a really well-made app and stands up very favourably to WhatsApp, which should make it easier for you to persuade friends and family to install the app.
6. Privacy and security boosting web browser extensions
With the Investigatory Powers Bill and Apple versus the FBI cases in the news, a lot of attention has rightly focused on government threats to your online privacy. However, as an everyday user of the internet, you should not overlook the significant role commercial organisations play in undermining online privacy through commercial surveillance.
Commercial surveillance most often takes the form of companies tracking how you use the web (what you search for, the sites you visit, the links you click on) so that they can build a detailed profile about you, which is then used for targeted advertising and even to adjust the price you see for products online.
Online tracking is a huge topic. To find out more about what tracking is and how it affects you everyday, go to the excellent Do Not Track interactive documentary.
Adjust your browser’s privacy settings
The first thing to do to take control of your online privacy is to adjust your web browser’s privacy settings and into the Do Not Track request. This was an attempt to get advertisers to respect people’s right not to be tracked online but sadly many operators have chosen to ignore user requests and carry on tracking. It’s still worth switching on Do Not Track, however, as it gives a signal of support for online privacy.
The steps for doing this will vary depending on your web browser. The EFF organisation have produced a how to guide for mot browsers.
Installing Browser Extensions or Add Ons
Most modern browsers allow users to install extensions or add ons to the standard browser. Extensions or add ons can provide a wide range of extra features which enhance your web experience.
For example, if you are designer you can install a colour picker tool, similar to one you would find in a photo editor, which allows you to identify the precise colour of red used in a logo so that you can match colours like a pro.
In our case, we’re going to focus on extensions which give a helping hand to online security and privacy.
Every browser implements extensions slightly differently and not all of the extensions listed below will be available for every browser so you will have to experiment in order to arrive at a setup which works for you. For example, it’s possible to run extensions using the Safari browser on iPhone but not on the mobile version of the Chrome browser. If you wish to run extensions on your phone or tablet, Firefox is generally your best bet.
As the name of this name suggests, this extension tries its best to allow you to use HTTPS on every site you visit. Often, websites offer a secure version of their website but do not make it easy for you to access it. HTTPS Everywhere does its best to select for you the secure version of the website and force other elements, including advertising networks, to at least encrypt the data they are gathering about you.
For example, as standard The Guardian website is insecure, meaning anyone sharing the same WiFi network as you could look at your browsing and see you’re reading that trashy article about pets. With HTTPS everywhere, your connection is at least partially encrypted, meaning the most someone on your network would know is you are visiting a reputable bastion of liberal news and current affairs.
Ad blocking extensions
The adverts you see online are a well known source of malware/viruses and can infect your computer, even without you clicking on them. For that reason, people often choose to run an ad blocking extension in their browser.
Not only will an ad blocker stop you seeing annoying adverts when you’re online, they also make it more difficult for companies to gather information about your online browsing habits, which they sell on to other advertisers and marketers. Plus, if you’re on a smartphone, you’ll notice pages load more quickly and consume less data because more often than not it’s the adverts not the content that make up the bulk of the page.
There are lots of different ad blockers out there. Each will implement ad blocking slightly differently. Unlock Origin is growing in popularity and has received very positive feedback for its effectiveness and for not slowing down your device. Adblock Plus is probably the most popular blocker but its Acceptable Ads Programme has been a source of controversy.
Adblock Plus (universal website leads you to extension for your browser)
It’s worth trying out different ad blockers to see which one works for you.
Privacy Badger: a more ethical alternative to ad blocking?
Whilst online advertising presents privacy and security risks, many websites rely on the money they make from advertising to operate. Therefore, using an ad blocker can present an ethical dilemma.
Should you feel uncomfortable using a regular ad blocker, you may wish to try the Privacy Badger extension instead. This extension operates on a trust model, only blocking adverts and other trackers once it has established they are tracking you without your consent. Privacy badger allows adverts which promise to respect your right not to be tracked online.
For me personally, I am more comfortable using Privacy Badger over conventional ad blockers. Unfortunately, as of writing (Feb 2016) Privacy badger is not available for smartphones, only desktop/laptops but hopefully that will change soon.
Privacy Badger (universal website leads you to extension for your browser)
7. Use Tor to stay anonymous online
Even if you apply all the privacy and security settings listed above, your online privacy cannot be guaranteed. For example, when you visit a website, it is still possible for its operator, your internet service provider and other determined individuals/organisations could obtain a range of information about you, including:
– The Internet Protocol address you used to access the site (at home this is usually shared by everyone who uses your broadband but at work your IP address can be tied to a single machine)
– Whereabouts in the world you are accessing the internet from. For example, someone could tell that you accessed openrightsgroupbirmingingham.wordpress.com from Birmingham
– Other identifying characteristics such as the type of device you used to access the internet
Tor, or to give use its full name The Onion Router, is designed to get around these problems and stay anonymous online. The Tor project, which develops the software, is focused on helping people who need anonymity, such as human rights defenders operating in repressive countries and people with special safety requirements. For example, the high profile Everyday Sexism project recommends people use Tor to protect their identity and stay safe when reporting their experiences of sexism.
You can read find out more over on the About Tor page and by watching the video below.
To use Tor, you will need to install a separate Tor web browser, which is a super-secure version of Firefox. Please click on the link below for installation instructions.