How do You Protect Your Online Privacy?

P asks: "In the light of the recent discussions about on-line privacy: What can one do to protect his/her on-line privacy, while still having a enjoyable web experience? For example, are you using PGP for all your emails and Zfone for all your VOIP traffic? Or are there better ways of protecting oneself? Share your tips and tricks."

Easy.

I don't use the internet.

Forget it

seriously, if "They" want your data, They will go through your trash, subpoena your pay records and phone records, and tap your phone line. "They" will know more about you than you can imagine, regardless of whether you use encrypted VoIP or not.

Want to feel safe on line? Write your Congressman, tell your friends about IP and privacy issues, affect a cultural change. As long as 51% of your friends are willing to trade freedom (theirs and yours) for security (mostly theirs), you're fscked.

Re:Forget it

Back in 1998 I was raided by the Australia Federal Police. They were looking for evidence on computer crimes allegedly committed by people I had allegedly spoken to on IRC. They weren't after me, but I was still thankful that my harddrive was encrypted and there we no laws, at the time, that could be used to force me to give up my encryption keys. Had there been evidence on my harddrive that I had committed a crime (there wasn't, unless I'm committing crimes and I'm not aware of it) I would have been facing jail time, even though the AFP did not have any justification to search that computer because of anything I had done.

Easy!

[x] Post Anonymously

GPG and Thunderbird

I was using GPG in Thunderbird, linked to my gmail account. This was just for signing though, so it was more to protect my identity than my privacy. I believe GPG does encryption too. It was seamless once it was setup, but I use gmail from too many places. It just wasn't worth it. Here's hoping Google adds support for this sort of thing to Gmail.

built-in security?

This isn't a direct answer, but it's directly related. I've always wondered why network applications don't use encryption by default. For practically everything, from web servers to instant message apps, you have to go out of your way to set it up with any decent level of security.

Why aren't all connections passed over ssl or ssh? I know it's a bit of overhead, but it's not that significant for modern desktops.

Why isn't it the norm to see web servers running SSL? Why is SSL reserved for only financial transactions? For high-traffic web sites, this will slow the server down a little, but isn't that a valid tradeoff?

People seem concerned about the NSA wiretapping scandal, but this would be largely moot if the traffic they were snooping were encrypted. I can't be the only person who wishes encryption was the standard rather than the exception.

tor

well, personally, if i'm doing something that i don't want traced, i'll fire up tor (http://tor.eff.org/ [eff.org])tor

i currently don't really worry about my email security (if someone wants to read my aunt's cookie recipes, thats fine by me). if i happened to be doing something important, i'd likely use some form of encryption, likely PGP or maybe something stronger.

The flaw in only using GPG for "important" stuff:

i currently don't really worry about my email security (if someone wants to read my aunt's cookie recipes, thats fine by me). if i happened to be doing something important, i'd likely use some form of encryption
 

This reminds me of a joke that takes place in a courtroom:

Prosecutor: Did you see this woman in New York?
Defendant: I refuse to answer that question!
Prosecutor: Did you see this woman in Chicago?
Defendant: I refuse to answer that question!
Prosecutor: Did you see this woman in Atlanta?
Defendant: What!? Atlanta?? I never saw her in Atlanta!

Moral of the story: if you don't pay attention to your email security except when you really need to, then when you do pay attention, someone else would also know to pay attention!

If someone wants to read my aunt's cookie recipes, that is not fine by me. Eat my {/dev/random}-XOR'd dust.

this is easy...

i surf slashdot. they talk about all the bad things on the intarweb.

Disable Cookies

About all I use online is a web browser. For this, I of course use Mozilla Firefox, but disable cookies (except for sites that I know really need them, like online banking) and disable certain javascript features (opening windows, removing location bar, etc.).

I also use adblock to disable tracking sites. You know, hitbox.com and the like which use included URLs to track you by your IP address.

Re:Disable Cookies

the NoScript extension is also a MUST HAVE

From /.'s homepage :

<script src="//images.slashdot.org/prototype.js?T_2_5_0_11 1a" type="text/javascript">

<script src="//images.slashdot.org/common.js?T_2_5_0_111a" type="text/javascript">

<script type="text/javascript" src="http://a.as-us.falkag.net/dat/dlv/aslmain.js" >

<script type="text/javascript" src="http://an.tacoda.net/an/11711/slf.js">

<script type="text/javascript" src="http://a.as-us.falkag.net/dat/njf/104/slashdo t/mainpage_p2_top_right_skyscraper.js">

<script src="http://www.google-analytics.com/urchin.js" type="text/javascript">
<script type="text/javascript">
        _uacct = "UA-32013-5";
        urchinTracker();
</script>

Simple

It's simple. Don't ask stupid questions on a forum populated by a good chunk of people who consider BOHF to be non-fiction (and a training manual, to boot).

My easy solution

I have the best method of protecting my privacy online... I use a computer belonging to someone else. The internet connection used by that computer is actually being mooched off of someone else (read: gotta love those unsecured wifi access points). I never use online commerce sites, nor do I maintain an email account.

Also, when anyone asks for my name, I tell them that my name is "Bob".

(btw... my post is supposed to be a joke)

Who wants Tinfoil ?

Seriously, who are your opponents? You cannot do any security planning without threat scenarios. If the NSA wants you, they pwn j00 d00d! But fortunately, they're seldom interested , and even more reluctant to disgorge their capabilities by revealing info.

So you have to decide what is cost effective. For me, for most things, no security at all the the perferred option. I _want_ people to read my postings and email. I'm far more concerned with my msgs not being received/read than unauthorized people reading them.

The ULTIMATE Solution

Lie. Lie about everything. Writing an email to your friend? Lie about it. Lie about everything that happened to you. Lie about who you are. IT DOESN'T MATTER. Signing up for some new service? Lie. Lie about your name, age, race, sex, address, credit card, whatever. Actually need to recieve the package? Send it to your neighbor and pick it up at the FedEx office with a fake ID that goes with your fake personality. Sometimes if you lie enough to a girl, you even get to sleep with her. Then, if you get herpes you can just lie to everyone else and say you don't have it! IT'S THE SAME THING IF YOU USE WINDOWS AND GET A VIRUS!! HOORAH! The lies will set you free.

I don't

I just simply do not enter valid information. If they wanted valid information, there are enough ways of getting it. The more information a site asks for, the more I make sure that the responses I give are false. If a site only wants say, my date of birth, I might give my real date. If it wants my postal address, telephone number, yada yada without just cause...I will give them wrong info. Its my way of discouraging the use of such techniques. Maybe if enough people do it, then the next time they upgrade their site they will ask only for information that they absolutely need to have instead of every little detail.

The only was is to browse the web anonymously...

The only way would be to browse the internet from a completely anonymous place like a public library.

Here it is take it!

John Smith
1234 Anystreet
Anytown, CA
90210
(123)456-7890

DOB: 1/1/1900
email: aolsux@aol.com
Mothers maiden name: mommy

Easy to remember on any site I visit.
the moral of the story, NEVER give out true information to ANY online site.
You make exceptions on an as-needed basis.
(eg. bank, 1 or 2 trustworthy sites to shop from.)

Protection

I think the biggest thing is keep your mouth shut about internet stuff to others because you never know who is listening. Only give that kind of information out to those who know it. Also i think that you should only use fake stuff if you have had experience in things going missing like money etc. I also only put my name when signing up for e-mail accounts etc. because that information they do need. Also I believe another way of dealing with good security is make usernames that are unique and not simple like jdoe, or johndoe or doej234 and crap like that use something people wouldn't use to try and figure out who you are. When I pick any type of usernames etc. I try and make it be something that relates to me but doesn't give personal information or flag any.

How do I protect my identity?

Easy, I just use someone elses!

Whois records

I once received an abusive e-mail from some guy who was receiving loads of spam from a source using a rotation of from addresses. My address happened to appear on the mail he received and it he snapped, firing back at me. His mail address was from his family business, looked up the whois information which was correctly filled in. Phone number, address etc, simple google of the domain name showed me forums in which members of the family had posted in, different topics, cars, real-estate. From there I could build quite a profile of this person, his family, where they lived, google earth supplied satellite images of their house. I knew what kind of cars they owned, how much their house cost and when they bought it (purchasing records of individual houses was available online as part of the council areas statistics).

I sent him a mail explaining that it wasn't me sending the spam, and he wrote back apologising, then I explained to him all the information that I'd found including the google earth picture and he couldn't believe what I'd come up with by just roaming around the net.

My 8 years of internet usage..

I almost never put my real name on the net, I use my "nick" extensively (it _really) cuts down on phishing attacks and makes them much easier to spot), If I have to put my name down for anything other than CC purchases I put my initials in only.

Out of site out of mind and common sense is the only way to survive.

Using a variety of tools...

Firstly, tor [eff.org] with Privoxy and a Firefox plugin that makes it easy to switch between it and a direct connection. Others may use FreeNet [sourceforge.net], but I personally don't bother.

For IRC, connect using SSL (If you trust the network admins. Even if you don't, still better than nothing) and perhaps through Tor as well. For email, anything PGP-ish.

Also, for protecting my files, I use TrueCrypt [truecrypt.org].

Cookies

Do you remove your browser's cookies on a regular schedule? If you don't, your favourite search engine has a nice track record of all of your searches. If you happen to enjoy your search engine's webmail offering, too, they may very well be able to associate your search habits to your real name, know who your contacts are, and by parsing the mail's contents, in order to place matching ads, they know what you talk about.

While Google promises to do no evil - which can be true or not, I'm not judging them - they are collecting an enormous amount of data about their users. Currently a prospective employer may google up some information about you. But what happens when Google, in some more or less distant future, is no longer guided by their noble motto and instead starts to sell their records as an alternative form of revenue? Your email conversations, your "talk" conversations, and for a small additional fee your full search records?

Paranoid? I don't know. Oh, and Google is just one example, maybe the the most famous. I'm not saying they're out to harm you either, it's just that they have the technical possibility.

Easy

Use your neighbors open wireless connection.

Another approach that works 100% of the time

...Just don't put shit on the Internet you want to keep secret. You never enter it in, it never gets out. AE

The best...

The best answer is to talk with your kids, and encourage them to make good decisions. The internet is full of plenty of content easily-accessed that you probably don't want your kids to see. Either the computer is kept in a public place, or you have to educate your kids and trust them. Software programs are too easily bypassed.

Cross platform tools

Some cross platform tools I use both under Linux and Windows:

• Firefox with PermitCookies extension (to easily enable cookies on trusted websites) and BugMeNot extension (to avoid compulsory registration at popular websites)
• When really needed (since it's pretty slow) Tor + Privoxy to surf anonymously
• Thunderbird + Enigmail for email
• Gaim + gaim-encryption plugin for IM
• Truecrypt for disk encryption (latest version runs great under Linux too, although there is no GUI yet)
• Throw-away email accounts like mailinator.com

But most importantly: /dev/brain

If you care about your privacy, don't give away your data to everyone!

Important step

Be careful of the steady leak of information that most people go through. After registering on a few forums and stuff like that, it's amazing how much information you can release in a short space of time. After that, your data is only a small search [google.co.uk] away. Even though I've only used this URL and alias for a short while, it already leads to a Frappr map of users of ##slackware on freenode, with my general location and a photo... someone who really knew what they were doing could whois my site [domaintools.com] and then they'd have my full name, mobile phone number and my soon to be ex-address.

Sometimes I worry that so much of my data is so freely available, but then I always remember that people routinely provide even more when advertising their business or service. But even so, what do you guys think? Should I take some of that data off the net?

P works for CIA? FBI? NSA? SecSer? Homeland?

Asking Slashdot: Now THAT's a cheap way to perform methodical analysis for a government agency. No, I will not share any wisdom about how I do protect my online privacy.

Email filtering.

This'll be suck eggs for many, but new to others.

I, like many of you have the ability to have anything@mydomain email addresses that i can use/create on the fly. So what I do is, whenever I register on a website or give my email address out to a third party, I enter/provide a unique address. my email address at slashdot is 'slashdot@mydomain', at amazon it's amazon@mydomain and for any business contact it's my companyname@mydomain - anyway you get the idea.

The instant I get spam sent to an address, I immediately kill the address, and (if I can) shout at the person who leaked the address to spamlists.

It's my small way of (trying) to keep my inbox spam free, and to protect my privacy by not having a global email address that any tom dick or harriet can hassle me on.

-Jar

PS. As a side note. Does ANYONE know how to get Outlook to auto-file emails based on recipient smtp address, including auto creating the folders?

Technologies to use...

First off, use Linux. If your OS isn't reasonably secure, all bets are off, and Windows is just too difficult to keep secure for a casual user. With a good linux distro you're much better off so long as you keep it updated.

Secondly use encrypted filesystems for data you want to keep private. I can recomend encfs for Linux http://arg0.net/wiki/encfs [arg0.net]... it's easy to use and can be installed with yum in Fedora. It uses file-level encryption which makes possible incremental backups which retain the encryption.

If you want protection from being forced by a court to give up your key, take a look at http://www.truecrypt.org/ [truecrypt.org] . This is a filesystem that lets you keep multiple levels of data encrypted with different keys, and if you give up one key noone can know that there's more data hidden with another key.

For web browsing use Tor, http://tor.eff.or/ [tor.eff.or]. Tor is still under development and may not be secure against a focused attack on you specifically, but at least your ISP won't be able to easily spy on you and your IPSs logs (which as we know are being mass-analyzed by the NSA) won't show anything about your activity. Also tor is /very/ easy to install and use, especially with Firefox and the FF tor extension. Also you can use it in combination with privoxy http://www.privoxy.org/ [privoxy.org] for some protection against malicious cookies and other tricks used by the sites you access.

Plus, here's a good trick for ensuring that your web browser cache, history, etc., can't be easily searched by someone who gets access to your computer... put them on an encrypted filesystem, as follows. Make a script that mounts an encrypted filesystem (asking for the passphrase), sets your HOME env var to the newly mounted fs, then starts Firefox (which now places its cache there because that's HOME), and unmounts the encrypted fs after Firefox exits. You should do this even if your entire home dir is also on an encrypted fs, because your normal home dir is likely to stay mounted for longer periods of time, so this way you separate the risk levels. And it's easy. An additional little-known trick for this: set the LOGNAME env var to something other than your username to let you run a second copy of Firefox on the same X display (so you can have an "insecure" and a "secure" one running at the same time).

Of course use GnuPG for secure email. The Thunderbird Enigmail extension makes it painless.

You should also give money to the EFF and run a Tor server if you can, to help maintain our ability to have some privacy.

Finally, if you are a hardcore libertarian and/or think we should have a truly free Internet, experiment with FreeNet http://freenetproject.org/ [freenetproject.org] and consider donating to its development. This project ran into some dead ends with scalability but the developers have taken a fresh approach and the new 0.7 dev version looks like it might be the start of something that could get big. They have a full-time programmer working on it paid by donations (and he's so dedicated to the ideal that his salary is the bare minimum he needs to live), so consider donating. (Btw., I'm not a libertarian in the political sense, but I think we need a strong counter-balance to the marching forces of fascism, so I donate to the Freenet project.)

:j

GnuPG and TOR

GnuPG/GPG (http://www.gnupg.org/) for encrypting e-mails and TOR (http://tor.eff.org/) for anonymous Internet communication.

Many people say "I will encrypt if I am sending/recieing something important/strange". It sounds reasonable, but this his way they (the ones who, legaly or illegaly, oversee) know when you send/recieve something (that you think is) "special" and to who. It's worse than not encrypting at all. They know that you have things to hide other than casual things (aunt's cookie recipe).

The point is that even the aunt's cookie recipe, or the photograph of me in my backyard is something I want to choose who will see.

So if we want privacy, we must use encryption in every single message we send/recieve. The problem is what happens when you need to communicate with someone who doesn't know to use GPG or is not willing to learn. Well, in that case you must choose, either privacy or communication.

It's easy.

I just go to China. The real Internet can't touch me there.

Why should VoIP need a server, anyway?!?

FTP doesn't need any more than my client & the source's server... ie, no intermediary...

So, why should VoIP be any different... ie, after a directory lookup leads to a connection
between caller and callee?

(We're talking about the simple case of a 2-party conversation...)

Maybe Im getting old...

and my eyes arent what they used to be, but when I first saw the headline I saw "How to protect your piracy". I thought "Finally a useful article on Slashdot", but lo.

FF extensions and tor

I use some select FF extensions, and will soon be setting up a tor node, along with common sense.

The FF extensions I use are:

• NoScript (http://www.noscript.net/ [noscript.net]). I allow very few sites to run scripts, and the vast majority of sites work fine without JS. Even if JS is needed, it is easily enabled for good with noscript, or just for that browser session (and I use this feature more). Like flash and animated gifs, JS has been hijacked by marketters as a method to peddle their wares and they have spoilt it for everyone else. A fantastic side effect of running without JS is many sites use JS almost as a crude DRM.... There's some sites about that make you click an "I agree" button to download stuff, and often the EULA is in an HTML form textbox. The more stupid web devs protect the text of the EULA with JS to stop it being changed, even though text in boxes can be "readonly" just with HTML from 10 years ago.... then you agree to your new contract :)
• RefControl (http://www.stardrifter.org/refcontrol/ [stardrifter.org]). A referer blocker. I block all referers as it's simply a way to provide less info to a website. A website doesn't need to know where I have come from, and what will they do with that knowledge if they have it? Probably nothing that can harm me, but it could be useful for targetted adverts. Very few sites need referers to work, and they are mostly pr0n and warez/crack sites that use referers to stop leaching. That reminds me, must whitelist fosi again :)
• Adblock. (http://adblock.mozdev.org/ [mozdev.org]). Everyone will be familiar with this. I use filterset.g too, and also add agressive filters for sites that are blatently tracking/trending domains. For example, one filter I have is http*.google-analytics.com/* . I have seen one tracking domain serving web bugs (those 1x1 images) by https, so my filters these days allow for that too...
• Extended Cookie Manager. (http://xcm.defector.de/ [defector.de]). I basically accept all cookies on a session basis, and then whitelist the sites that need permament cookies, or at least the sites I use that I trust not to track me (more than is necessary for the operation of the website), or that I don't want to have to log into every time.

  If anyone can answer this I'd be chuffed though: Can FF be made to automatically try to use HTTPS for all surfing? For example, you type in a URL and it'll try the HTTPS site, you click on a link on a website and the browser will go to the https if it exists?.

  As I said above I'm going to be setting up a tor node too on a spare machine, and will use this for searches and any communication with governmental sites, and sites where I may disclose personal info.

  I can, if I want to, renew my car tax online for example. The UK government has demonstrated it's obsession with data collection with the the ID cards etc., and sooner or later they will realise really how powerful datamining is. I don't feel they need to ever be given my name/address and IP. If they ever want to determine users from IPs (eg IndyMedia servers) they can get a fucking court order and get the ISP to hand over the info. Even that's horrific, but there's not much I can directly do about that, apart from a Tor node. An extension for FF to automatically use a proxy for certain domains would be cool.

  Of course common sense too protects your privacy. Always use fake details if registering for somewhere that doesn't need your details, and never use the same fake person at a bunch of sites, or even all the time. Make up names on the spot, or just munge keys. Some sites want valid info, or even check postal codes exist... We all know about 90210 for America, and the British postal code system can be abused too. I tend to use B1 1AA when a site wants a post code, or I'll

Protecting one's net.privacy.

TOR and PGP/GPG.. enough people have mentioned them that I will only touch on them in passing. No sense in beating a dead horse. Encrypt whatever traffic you can. If you can set up SSH tunnels to connect to a proxy server that connects to the TOR network or FreeNet, do so. Just remember that not all of the ingress/egress points you will contact will be friendly. Use webmail sites to set up disposable e-mail addresses. Hushmail [hushmail.com] is good for encrypted webmail, unless you don't mind writing all of your e-mails offline, encrypting them, and attaching them to webmail messages. Don't leave any sensitive information laying around on your computers' hard drives (who on Slashdot has only one computer?) that isnt' encrypted. PGP or GPG are good for encryption.. encrypted filesystems are useful, too. Set up encrypted swap partitions if you are able to so that sensitive data can't be written to disk for possible retrieval. Consider removable storage: Encrypt files and move them to a USB key, compact flash card, or something else to get them off the Net entirely. Use secure erase programmes (like shred) to erase the originals. Consider filling up the file systems of your hard drives with junk (copy a big file from the OS, like the kernel image until the filesystem is full, erase the copies, do it again) to scramble the latent data in slack space. Don't let your web browser accept every cookie it's offered. It doesn't take much time to look at a popup window when you go to Foomail.com, see that the cookie would be from drax.bar.com, and hit "Don't set cookie for this site ever." Set up another user account on the computer you do all of your web browsing on and browse from there. Write a little script that securely erases the contents of that user's home directory every time you log off or power down the machine. Erase your cookies and browser history periodically. Less scrupulous folks might want to consider using the world's largest wireless hotspot (ESSID 'LINKSYS') for their less savory activities. Remember that this is probably illegal in your area. Or go to a library or a local coffee shop that offers free wireless.

Use a nym

Use a nym, like CmdrTaco, but don't let anybody associate your nym with your RL persona, like Rob Malda did.

I tell them my name is Cliff

Seriously, I give false information and scrub cookies regularly, and avoid suspect sites. Oh, one more way, I don't use M$IE. Firefox rules, at least for now.