Regaining Your Online Privacy

For years I’ve advocated the user of numerous tools and/or services individuals and households can use to bolster their online privacy, but I’ve never written about them. I’ve heard a lot of people saying “We live in a post-Snowden era”, which is true. But what does that mean and how do we regain even the tiniest bit of privacy?  Earth’s reaction to the Snowden revelation varied. Many individuals already believed this type of state sponsored surveillance had been in place for many years, and this only confirmed their suspicions. Some were truly shocked. Others still live in a state of denial. One of the many things to come from the leaked information was an increase in the number of services designed to block ads, encrypt your connections to websites or services, and not log where you’ve been.

Let’s go over a few of them!

Note: Under no circumstances am I an expert in cryptography, network security, nor am I advocating the use of any security/privacy service mentioned in this post, this blog, or anywhere else on the internet to conceal your illegal activities on the internet.

vpn-mod

VPN Services

Probably the most ubiquitous privacy service these days is a VPN. Not all VPN services are created equally though. Having recently changed VPN service providers, I can speak first hand how tedious pouring over the copious amount of providers can be. If you aren’t familiar with a VPN service, let’s go over what they are designed to do.

VPN, or Virtual Private Networking, is a type of technology that creates a secured connection between your device, be it a computer, mobile phone, or tablet, over the Internet. Many corporations use VPNs to allow their employees to connect securely from home, a coffee shop, convention/trade show, hotel room, etc. However, the purpose of a VPN service in the context of privacy and this post is to create a secure connection between you and a VPN server so you can browse the internet securely. Unfortunately, many ISPs use a technology called DPI (Deep Packet Inspection) which can inspect the traffic between your device and the internet and possibly see what you are doing, which websites you’re visiting, maybe even which e-mail provider you use. A VPN service would most likely prevent this type of inspection, to some degree.

Modern VPN services also allow you to appear as though you are in another location as the services often have multiple locations available for use. This can be quite handy! Let’s say you’re on holiday in Germany and want to watch something from your DVR or streaming movie service. They’ll likely block you initially because the IP address you’ll be using is German, not one from your home country. With a VPN, you could connect to a VPN server in your home country and trick the system into thinking you’re at home. While there are legitimate uses for this, it’s been a point of contention for major streaming media companies and the movie/tv studios, and while some services are trying to block VPNs, it’s nearly impossible to do.

Why do I need a VPN?

Excluding corporate reasons, the primary reason you need a VPN is security and privacy. If you’ve ever connected to a public WiFi network, such as one at a  hotel, theme park, coffee shop, mall, or supermarket, you’ve inadvertently exposed sensitive data. That doesn’t necessarily mean someone has snooped, of course, it just means that your phone, tablet, or laptop, has likely connected over the public wifi network to which you are connected to a server/service on the Internet. Through these connections, others on the same network as you could be running software/tools to capture your traffic and eavesdrop.

Yes, your phone or tablet is likely configured to use an encrypted connection, such as SSL or TLS, when sending/receiving e-mail, or synchronizing things like your calendar and contacts or when you purchase apps. That said, your hedging your bets there as the certificate on the server to which you are connecting to could be expired or compromised, opening a connection you believed to be secure to the entire hotel and convention center (for example). A VPN would isolate your traffic and prevent them from doing this. Think of it as a system of rings, the outermost of which is the internet, followed by your VPN, followed by the traffic you’re doing. Without the VPN, you only have the outer ring and your device. The VPN insulates you.

What is the ‘best’ VPN service?

In network security we are taught the best security is something you can see and touch. I.e. a system over which you have full control. Unless you’re operating your own internet service provider and not peering with anyone in transit on the internet, this isn’t possible with a VPN. Your traffic, though encrypted, will pass through an untold amount of networks, most of which even your VPN provider, their data center provider, and their upstream providers, have little control over. In short, there is no “best” VPN, and don’t let the verbiage used on any VPN providers website say otherwise.

The best VPN provider is the one that meets your requirements and works well for you. This is why almost all providers offer a free or low-cost trial and money back guarantee. One website which really helped me choose a VPN which works well for me was That One Privacy Site. I stumbled on the site when Ars Technica posted an article on The impossible task of creating a “Best VPNs” list today. .

If you’re looking for a VPN service for whatever reason, I strongly advise reading the Ars Technica article and looking over the spreadsheet on That One Privacy Site. If you aren’t sure what something means, research it. There are many resources you can use to decipher complicated tech lingo and ask for opinions. Wikipedia maintains an excellent database on network protocols and technology, as well as encryption methodologies, and Reddit has a great community on privacy and privacy tools at /r/privacy and /r/privacytoolsIO. The community is engaging and helpful, and it’s also a great place to spot new methods for maintaining privacy.

Despite my advise above, to save you some time, here is a list of VPN providers worth their salt (as of this writing and in no particular order):

These providers use excellent cryptography, have good support, and easy to understand privacy/payment/terms of use policies. That being said, use their trial periods and test them thoroughly on your computers and mobile devices. Also, open tickets with the providers and ask questions specific to your needs. The quality of their replies should be a factor in your decision making process.

DNS Services

Perhaps the most elusive and overlooked aspect of online privacy is DNS. To understand why, let’s look at what DNS is and how it works.

DNS stands for Domain Name System. Domain names are things like disobeyers.com or microsoft.com. There are a variety of TLD, gTLD, or ccTLDs, like .co.uk, .com.au, .xyz, and .me for example. Each of these “extensions” and the part before the ‘ . ‘ comprise a domain name. The primary function of DNS is to translate www.google.com into 216.58.198.46 (or whatever IP address is used in your area. Without DNS, we’d all have to remember these IP addresses, just like we had to remember phone numbers or have an address book 30 years ago.

Almost every internet service provider in the world runs their own DNS servers. You can find their IP addresses in my post here. However, it’s not always best to use the DNS provided by your ISP. Why? Well, for starters, they aren’t always reliable. For example, the largest ISP in America – Comcast, has an entire website and Twitter account dedicated to providing the status on their DNS infrastructure. It’s existence speaks for itself. Uptime of your ISPs DNS servers shouldn’t be your only concern. Privacy should be.

Each time you go somewhere on the internet, especially if it’s somewhere you’ve never been, your computer queries a DNS server for the requested website’s IP address. Chances are high if you’re using your ISPs DNS servers (or a few other well known DNS providers, like Google an OpenDNS), this information is being logged. This type of information is unprecedented and can lead to targeted advertising from your ISP or Telco. Additionally, in the event, however rare you may believe it to be, a government entity requests this information, they will be able to see your entire browsing history without ever touching your computer. Creepy, isn’t it? So what are the alternatives?

Well, as mentioned before, almost all ISPs log DNS queries for technical reasons (auditing, errors, capacity oversight) and legal reasons (illegal activity, surveillance, etc) but so do other DNS providers… namely: Google Public DNS and OpenDNS.

It’s no secret I loathe Google. I avoid their services at all costs. Google makes money on advertising based on information they’ve learned about you and your online habits. In theory, having access to your DNS queries fuels the fire as their statisticians can analyze the data and target more ads to you while you search for stuff on google.com. Are you a gmail user? Great, they have more information on you by scanning your e-mails looking for targeted keywords. If you’re a user of Google Fiber, then you’re really in for a world of monitoring by the big G.

OpenDNS is no different, though their privacy policy says they don’t sell your DNS queries to third parties, they still have them, and thus, your internet habits are subject to subpoena at any time, or subject to the nosiness of an OpenDNS employee, at the very least.

Over the years, a few reputable “no log” DNS providers have popped up. It’s quite easy to change the DNS resolvers your router, computer, or mobile device uses. All of the below services offer clear instructions on how to do so. Once you’ve configured them, it’s something you don’t think about anymore since it doesn’t require any maintenance.

Two of the most well known ‘no log’ DNS providers are:

Both provide secure, private, no log DNS resolver services for your home and office. These services are free, they aren’t ad supported, and from what I’ve been able to gather, are exceptionally reliable. I’ve been alternating between DNS Watch and FreeDNS for a few weeks now and have been pleasantly surprised with the responsiveness of their infrastructure.

There are additional services out there, however. DNS services that block ads and malware at the DNS level, before it’s even sent back to your computer. These are called Smart DNS services. The only free ones I am aware of are:

  • Alternate DNS
  • VPN.AC also has a Smart DNS in beta, if you happen to subscribe to their VPN service, be sure to request access to the system.

With either service, you may encounter some sites that don’t want to load and will not work. This is because the Smart DNS system is blocking relevant content on the site that is required for the page to display properly. It would be something you’d want to contact the provider about to see if they can unblock it. For example, with VPN.ac’s DNS service, I was unable to use my TiVo (even in my own home), and also PlayStation Network did not work. Not their fault at all. Their system just isn’t designed to run services like that over the Smart DNS platform. Something you will want to check with before using a Smart DNS tool.

If you can prefer, you can also host your own VPN server using OpenVPN (or similar). This may require a higher out of pocket cost, but would give you greater control over logging features, security, and the server itself.

Private E-mail Services

Free services always have a hidden cost. For most, by using free e-mail, like Gmail, you allow Google to scan the contents of your e-mail so they can serve you ads relating to the e-mail message. Now, you might say, “I have an ad blocker, so I don’t see their ads!”. Right, you don’t see them, but that doesn’t stop Google or another free e-mail service from scanning the content of your e-mail.

In August 2013, uncovered court document revealed Google stated in a court filing Gmail users had no expectation of privacy. See below:

“… all users of email must necessarily expect that their emails will be subject to automated processing … Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use web-based email today cannot be surprised if their communications are processed by the recipient’s ECS [electronic communications service] provider in the course of delivery.” 

Via: https://www.theguardian.com/technology/2013/aug/14/google-gmail-users-privacy-email-lawsuit

When Microsoft launched the new Outlook.com service in 2013, a outspoken advertising campaigned, “Don’t Get Scroogled By Gmail” debuted as well. Their advertisements highlighted Google’s lack of respect for e-mail privacy and pointed out a fairly well known but perhaps not taken seriously secret – they read your e-mail.

 

Of course Microsoft is merely playing devil’s advocate here, as they have their own naughty secrets. In 2013 when the NSA PRISM program was revealed to the world, documents detailing how Microsoft bypassed their own internal encryption to feed the NSA direct copies of messages sent on the Hotmail/Outlook platform became available to the public.

In response to these revelations, several companies have launched their own encrypted e-mail services. Perhaps most notably is Proton Mail. Engineered by many of CERNs people, it offers some of the strongest security measures:

  • End to End Encryption. Messages in transit and at rest are encrypted.
  • Zero Access by Staff. Their own staff are unable to access your e-mail account due to the segregated authentication and decryption systems. Essentially, your account has a password to login, and your mailbox has another password to decrypt. This two stage authentication prevents Proton Mail from accessing your data, and consequently recovering it if you forget your login information. If you forget your mailbox password, you can reset it, but everything inside of the mailbox will be deleted.
  • Open Source Cryptography – FOSS, or Free and Open Source Software allows anyone to audit code and contribute changes. Microsoft and Gmail, for example, don’t allow you to see the code behind their mail service. The use of open source cryptography allows Proton Mail to remain transparent and creates a wall of trust, given you can be assured there are no backdoors or secret systems siphoning your data for analysis.
  • More privacy features are detailed on their Security page.

Of course, Proton Mail also has a cost. Personally, I think their plans are overpriced and/or under equipped. A bit like a Honda Accord…. under equipped to begin with, but start adding things and it becomes costly for it’s class. Proton Mail basic accounts are free, and you get 500 MB of storage and a 150 message per day limit. If you need more storage, 5 GB will cost you $5.00 per month, and 20 GB will run about $30.00 per month, as of this writing. The $30.00 is where the Honda really begins to lose worth given it’s a lot to pay for 20 GB of mail. Especially if you are a single user.

Before you e-mail me and say “But Proton Mail allows the a la carte purchase of storage, domains, and addresses… why didn’t you mention that?” I would… but it’s overpriced, has no calendar feature, and can be cumbersome for the average user who’s not a tech expert but isn’t computer illiterate.

Cost aside, if you place an extremely high value on you privacy, or that of your families or business, Proton Mail is one of the most secure e-mail platforms on the planet.

What if Proton Mail isn’t for me?

Fear not weary traveler, you’ve come to the right area of this post! I have 3 excellent recommendations for you!

First and foremost, introducing the service I’ve been using for the last few weeks: Mailfence. No, Mailfence isn’t in Switzerland, they are from Belgium. However, they have laws nearly as strict with regard to government surveillance and eavesdropping. They also have the most complete product (and best webmail) I’ve found in the quest for secure e-mail. Plus, it’s less expensive than Proton Mail.

In contrast to Proton Mail, Mailfence has IMAP, SMTP, POP3 and Exchange ActiveSync support, as well as a calendar and contacts app. Exchange ActiveSync was important to me as I am fond of keeping my calendar, contacts, and e-mail in sync across my various devices. Their software also allows you to send (not receive) faxes from within the mail area, and has a documents storage feature as well with it’s own separate storage limits.

Also, Mailfence is not open source, unlike one of the options below (if not both). Their parent company, ContactOffice.com sells their groupware to Universities and Corporations. They do say they are open to software audits and have hardened the software on the Mailfence.com brand quite a bit more than what is being used at ContactOffice.com, from my understanding.

Alternatively, the following services have excellent offerings:

  • Tutanota
  • Kolab Now  – It is worth noting, Kolab Now uses Roundcube as their webmail, and they are the largest contributor to the project.

As with VPN services, I recommend using any trial periods available, or free accounts, to see if you enjoy using the service and would consider a switch. It’s something you don’t rush into.

Search Engines

Modern search engines tend to store a history of your quests on the internet, even when you use InPrivate or Incognito windows. They log it by your IP address and shape the results of your search to your habits. In theory, this isn’t a bad idea, but inevitably, services like Google and Bing are ad driven, and just like your mail, they base their ads on your search queries. In this age of increased government surveillance, it’s conceivable they may be feeding government authorities your search history, as well. There are reports of people who were shopping for pressure cookers online being visited by the FBI shortly after the Boston bombing from 2013, this speaks volumes for the privacy of one’s online search habits.

If you are looking for something that offers a little more anonymity, I suggest checking out one of the two search engines:

  • DuckDuckGo – DuckDuckGo pulls results from Yahoo! via their partnership, but the requests are anonymized. Also, search results for “bottled water” (for example) would be the same for everyone using the service, not tailored based on past search history. They also have unique !bang features which take you immediately to the results from a website, like !w will show Wikipedia entries/pages. I love the idea but didn’t care for the search results, and that’s from someone who’s been using Bing for the last 5 years.
  • StartPage – billed as the most private search engine in the world, their system facilitates proxy searches on Google, so you get Google results, but Google never has your IP address. I have found the results to be more favorable than DDG and have been using it for a few weeks now. In my trial period of using StartPage, I’ve had a few family members convert and they have been pleased with the quality of results also.

If you know of any other search alternatives, send me a note!

Ad Blockers

Preface: There’s a lot of companies out there who’s sites depend on ad revenue, so use this tool sparingly.

Ad blockers are fairly ubiquitous these days. However, for me, the only one worth it’s weight in gold is Ublock Origin. Available for Firefox and Chrome, the plugin has a light memory footprint, which is great for system resource usages overall. Also, the filter lists allow you to enable Disconnect filters, from Disconnect.me, which bolster the do not track features of Ublock origin, without having to add the Disconnect.me plugins.

Phone Calls / SMS

Encrypted phone services are fairly new to this world, surprisingly. A few companies offer them, Silent Circle being one of the most notable. However, their service, though great, does have a cost. But, there’s an open source alternative: Signal, from Open Whisper Systems.

Signal allows for end to end encrypted chats and calls, as well as group messaging. Signal is available on iOS and Android, as well as in Chrome. If you need to communicate securely, this app does the job. One of my favorites and most frequently used!

Conclusion

So there you have it, an excellent guide to regaining some of your online privacy, tools and services you can use, together, or individually, piecing them together like a puzzle. If you have any questions, suggestions, or criticisms, as always, drop me a line!