photo by Roman Akhmerov
There are legitimate reasons to want to avoid being tracked and spied-on while you're online. But aside from that, doesn't it feel creepy knowing you're probably being watched every moment that you're online and that information about where you go and what you do could potentially be sold to anyone at any time--to advertisers, your health insurance company, a future employer, the government, even a snoopy neighbor? Wouldn't you feel better not having to worry about that on top of everything else you have to worry about every day?
First, let me start out by giving you the bad news: there is no such thing as perfect online privacy. We'll assume for the purposes of this article that online privacy and anonymity mean roughly the same thing. No matter what anyone tells you, online privacy (and anonymity) just doesn't exist. The fight for online privacy is like warfare. Every time one side gets an advantage, the other side figures out how to get around it. That means your level of online privacy is dependent on how much effort you are willing to continually put into making yourself invisible. Let's face it, if the NSA wants to spy on you and is willing to put more time and money into singling you out than you are willing to spend being anonymous, then you will be spied on.
The good news is that there are things you can do to be less surveillable--and they won't cost you anything. Remember the old story about the two friends in the woods who came across a bear. One says to the other, "We'll never outrun this bear." The other smiles and says, "That's OK. I only have to outrun you." That isn't exactly a perfect analogy, because any trace that you leave behind on the internet could be used against you at some later date. But it's still better to leave less behind than the next guy. Make it too expensive for "Them" to surveil everyone to the level that they would need to get much on you--at least for the time being.
The most anyone can possibly do to avoid online surveillance is to use a different computer every time he goes online--one that has never been on the internet before and cannot be traced to him. Then, after a single use, he will dispose of it where it can never be found by anyone. Further, he will wear gloves, a ski mask, and dark glasses and go to some public wifi hot spot with hundreds of people using it in a town far away from where he lives (a different town each time). Then he will avoid sites he has frequented in the past and never log on to any site with a password. And he will leave no fingerprints or DNS evidence behind... So, obviously, no one is going to actually do this--unless he is in some really, really deep trouble. But, barring that, no sane person is going to put out this level of effort to be anonymous every time he goes on the internet.
So, what level of effort is reasonable? Well, it depends on what you are trying to accomplish. But let's assume you are not doing anything illegal. You just want to access your email and surf the internet, maybe buy something on Amazon. In other words, you are the average consumer. Well, there's some more bad news. Given a reasonable level of effort, you can't be anonymous on any website where you enter a password. Once you type your password, you have identified yourself. That's the point of a password. So, some level of anonymity can only be achieved when you don't enter a password during the period of time that you're logged on to the internet. I know that's probably not what you were hoping to hear. But unless you are someone like Edward Snowden fleeing from the NSA, or on the FBI's ten-most-wanted list, you'll probably not be willing to expend the amount of effort I spelled out above to get the level of online privacy that it would take to keep yourself really, really anonymous.
Given that you are willing to make an effort to achieve a reasonable level of anonymity, how do you go about it? The first thing you need to do is to understand who "They" are and how they are watching you. The first group that is watching you is the companies who are hoping to make a buck off of you or off of information about what you are doing online. These are companies like your internet service provider, Google, Google Analytics, Microsoft, Facebook, WordPress, Squarespace, their competitors, and every website that uses web development software written by these companies or their competitors. The problem is that their software is used on just about every website these days. So, chances are extremely good that if you visit a website that sponsors advertisements, tracks the number of hits it receives, or allows you to make comments or fill out any kind of a form, you are being identified and tracked online. (By the way, this website, The Cheapskate's Guide to Computers and the Internet, only uses open-source software and does not attempt to identify or track you in any way.) If you are using an internet browser or operating system written by Google, like Chrome or Android, you are also being identified and tracked. If you are using Windows 10, you are being identified and tracked online. That covers just about everyone who accesses the internet.
The next group that is watching you works for a government. These are the NSA and possibly the CIA and FBI and other US government agencies (there are 17 government intelligence agencies in the US) and their foreign equivalents. For the time being, all the US government agencies want is to make sure that you are not a criminal or a terrorist--and to make sure they know where you are at all times, in case you ever decide to commit a crime or become a terrorist. In the future, who knows? Governments of some countries make it a crime to speak out against them, so you can probably figure out why they may want to watch their citizens. And the British government seems to want to spy on its people ... well apparently it just likes spying on its people. I don't know how else to account for the level of surveillance in Britain.
The next group that is watching you is composed of thieves. These are people who want your passwords, so they can empty out your bank accounts. Or they may want to use your online accounts, so they can hide while they steal from others. They may also want to convince you that they are actually a Nigerian prince who has no other place to keep his money safe except in your trustworthy hands.
The next group that is watching you is the hackers who are not thieves. Mostly, they just want to snoop and to practice snooping so as to improve their ability to snoop. They want to know everything about everyone, especially governments and large corporations. And sometimes they want to get notoriety for revealing that information. Maybe some want to fix the broken systems that we all live under to make the world a better place.
Reasonable questions for you, the average consumer, to ask are, which groups, if any, can you protect yourself from, and how hard should you be trying? In order to be able to answer these questions, let's look at a few things. In the three lists which follow, I've assumed that the governments to which I am referring are Western "democratic" governments. The first list is a probable ranking of the above groups from most to least difficult to protect yourself from:
Taken together, the three lists above suggest the following. First, you shouldn't be worried about hackers, because they probably aren't spying on you. But even if they are, you can't do anything about it. And you really don't have much to fear from them, even if they are spying on you. Second, you should definitely be trying to protect yourself from thieves, because you have the most to fear from them, there is a reasonable likelihood that they are trying to spy on you, and they are the easiest group to protect yourself from. Next, corporations probably aren't going to do you much damage by spying on you, even though they are certainly spying on you, although you have a chance, with vigilance on your part, of protecting yourself from them. So, whether you want to try to protect yourself from corporations is a judgment call that you'll have to make. And, lastly, governments are spying on you. And you have nearly as much reason to fear them as to fear thieves. However, governments are the hardest to protect yourself from. So, though you may be tempted to give up on trying to protect yourself from governments, due to the difficulty of doing so, you should probably be looking for ways to protect yourself from them. By the way, it makes sense that you have nearly as much to fear from governments spying on you as from thieves, since according to Paul Kennedy, who wrote The Rise and Fall of the Great Powers, governments are nothing more than institutionalized thievery. One more thing to note about government spying is that the number of people they are spying on is at least in the millions--if not a very significant portion of everyone on the planet, judging by what we know about the NSA. Also, see this and this.
So, now that we have established that we need to fear thieves, governments, and corporations, in that order, let's talk about what we can do about each. Thieves' main method of attack is social engineering. Social engineering works mainly through phone calls, offers on web sites, and email. A thief may call you on the phone or send you an email to try to scam you by saying they are someone else who has a legitimate need for your information. For example, they may pretend to be the IRS and ask for your tax information, including your banking information and social security number. A thief may have a website with a message that pops up saying that your computer is infected with a virus and telling you to call a phone number. This is never legitimate. To avoid being scammed through email, many people advise you not to open emails from people you don't know. That's like never answering your phone unless you recognize the person calling. You may miss legitimate calls. But it is safer than talking to every caller. Avoid clicking on links in emails or opening attachments, because they may execute malware programs or take you to fake websites. Two-factor authentication is another layer of protection against thieves. By the way, you cannot protect yourself from thieves who steal your information out of companies' computers; however, the one exception is that you can encrypt your data before giving it to online services like Dropbox or sending it in emails. Often thieves will hide malware in software that looks legitimate. Don't load software onto your phone or computer from any sources that you don't trust, which is just about every source on the internet except for official Microsoft and Google websites and Linux distribution repositories. With any other software, including web browser add-ons, you are risking your privacy and security. If you have to load software from another source, some of the less risky sources can be found here.
One way of telling if you may have malware on your computer that is transmitting information to a thief is to see what ports you have open. You can do this using the ShieldsUP test. You should not see any ports open while you are online. If you want even more online security, my personal recommendations are to not bank online and to consider using my three-USB stick method. Also, since threats, threat prevention software, and threat prevention techniques change continuously, it is important to keep yourself aware of the latest information.
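A local complement to an outside scan such as ShieldsUP, as an added example (not from the original article): this Python script lists the TCP ports a Linux machine is listening on by decoding /proc/net/tcp, and separates loopback-only listeners from network-facing ones. The sample table and the expected-port set {22} are constructed for illustration.

```python
import ipaddress
import os
import socket
import struct

LISTEN = "0A"  # Linux kernel code for the TCP LISTEN state

# Constructed sample in /proc/net/tcp layout (not captured from a real machine).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20002
   2: 00000000:2328 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20003
   3: 0A00A8C0:C350 2A00A8C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 20004
"""


def decode_endpoint(field):
    """Turn '0100007F:0277' into ('127.0.0.1', 631).

    Assumes a little-endian host (x86, most ARM), where the kernel prints
    the IPv4 address as a byte-swapped 32-bit hex number.
    """
    addr_hex, port_hex = field.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def listening_sockets(proc_text):
    """Return (address, port) for every socket in the LISTEN state."""
    found = []
    for line in proc_text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) >= 4 and cols[3] == LISTEN:
            found.append(decode_endpoint(cols[1]))
    return found


def exposed_ports(proc_text, expected=()):
    """Ports listening on a non-loopback address that you did not expect."""
    exposed = set()
    for addr, port in listening_sockets(proc_text):
        if not ipaddress.ip_address(addr).is_loopback and port not in expected:
            exposed.add(port)
    return sorted(exposed)


if __name__ == "__main__":
    path = "/proc/net/tcp"  # IPv4 only; IPv6 listeners are in /proc/net/tcp6
    text = open(path).read() if os.path.exists(path) else SAMPLE
    for addr, port in listening_sockets(text):
        scope = "local only" if ipaddress.ip_address(addr).is_loopback else "network-facing"
        print(f"{addr}:{port}  {scope}")
    print("unexpected network-facing ports:", exposed_ports(text, expected={22}))
```

A port listed here as network-facing may still be blocked by a router or firewall, which is what an outside scan tells you.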
Protecting yourself from corporate spying requires even more effort. It also requires even more knowledge. No gadget out there will do the work for you. Every time I've seen someone offer consumers a gadget, I've seen someone else explain why it's not very effective--at least, not so far. That leaves software. First, your Internet Service Provider (ISP) can see everything you do online. You probably can't do anything to completely change that; however, you can make it a little harder for them. First, use another DNS server, not your ISP's. This will make it slightly harder for them to see which websites you visit. It is also possible to encrypt your DNS traffic. This prevents your ISP from seeing which websites you're visiting by examining the DNS headers in individual packets coming across its servers. Then, take full advantage of the built-in encryption on the internet by only using HTTPS websites, where possible. Many people suggest using a VPN service. However, studies have shown that most VPN services don't actually work when it comes to hiding your activities from your ISP. Note that HTTPS and VPNs can no longer protect you from government surveillance.
The next thing to be aware of is that corporations have methods other than tracking to spy on you. There is a saying that if a corporation is offering you their product for free, you are their product. This means that corporations that offer you free services are selling the data they collect from you in order to be able to provide you with these services. So, chances are that companies that provide you with free email are reading your email. We know that, in addition to tracking you, Facebook reads your posts and knows who your friends are, and that is just the beginning of Facebook's spying methods. Free online surveys are just ways of collecting more data from you. Companies also monitor your credit card transactions and sell your online dating profiles. If you have a Samsung TV that is connected to the internet, it's probably recording what you watch and may even be listening to your private conversations in your home. In fact, anything that you have in your home that is connected to the internet may be spying on you, right down to your internet-connected light bulb. With a few exceptions, online search engines monitor and log your searches. One of the exceptions is the ixquick.com search engine, which is headquartered in Europe. The steps to counter the nearly ubiquitous activities of free service providers would be to pay for services you receive online, read website privacy agreements, and not buy products that are known to be spying on you. However, the only way to be really secure from corporations using the internet to spy on you is to never connect to the internet or buy any internet-connected appliances. Welcome back to the 1980's.
Protecting yourself from government spying while you are on the internet is the hardest and requires the most knowledge. The biggest problem is that unless a whistle-blower like Edward Snowden tells us, we have no way of knowing how governments may potentially be spying on us. That means that we have no way of protecting ourselves 100% of the time from government spying. Some things whistle-blowers have revealed are that the US government logs the metadata from all phone calls (who calls who and when), secretly forces internet service providers and providers of other services to allow it to "listen in on" and record all traffic going through their servers, reads nearly all email sent from everywhere in the world, and tracks the locations of all cell phones (even when they're turned off). And, although I am not aware of any specific whistle-blower revelations on this, there is every reason to believe that the US government (and perhaps others, including China's) has backdoors built into all computer hardware and operating system software for monitoring everything we do on our cell phones, tablets, laptops, desktop computers, and routers. See also this. Because Lenovo computers are manufactured in China, the US government has issued warnings to all US government agencies and subcontractors to strongly discourage them from using Lenovo computers. And the US government probably has backdoors into all commercially-available encryption software, with the possible exception of TrueCrypt version 7.1a. I hope you are understanding now the magnitude of the lengths that governments are going to (using your tax money) to spy on you. In truth, we are now approaching the level of government spying that George Orwell warned about in his book, 1984.
So what can we practically do to protect ourselves from government spying? Seriously, there isn't much, if we want to use cell phones, credit cards, and the internet. About all we can do, if we absolutely need to have a private conversation, is to have a face-to-face meeting without any electronics within microphone range. That includes cell phones, Samsung TVs, video cameras, computers, or land-line telephones. And don't travel to the meeting place using long-distance commercial transportation. Sending a letter through the US mail is the next best, although it is known that the outsides of all mail sent through the US mail are photographed, and the pictures are stored. So, don't put your return address on the envelope. As far as surfing the internet is concerned, begin with all the precautions that I outlined above to protect yourself from corporate spying (except HTTPS and VPNs). Then, add the TAILS operating system on a USB stick. As I said, TAILS will not prevent you from being identified and tracked via the fingerprinting method. And who can be sure whether the government has a backdoor in TAILS? As far as I know, the super-paranoid, hoody and sunglasses method I outlined above is the next step.
Some people recommend using ProtonMail to send private emails (and then, only to other ProtonMail users). In order for this to work, ProtonMail would have to provide both the sender and the receiver with software that runs on their computers to encrypt and decrypt the contents of their emails before they are sent over the government-monitored internet lines. Or you could encrypt the contents yourself with a prearranged password (from that face-to-face meeting you had). Be sure to use an extremely secure password! The real benefit of ProtonMail is not its encryption (because it's more secure to do that yourself), but the fact that the emails are stored in Switzerland, where the US government can't get them. But, if the government has a backdoor into either the encryption software that you used or that ProtonMail used to encrypt your email, then encryption does you no good if the US government ever manages to get their hands on your emails. (See this, this, and this.) All we know is that Snowden provided evidence in 2014 that the NSA had not cracked TrueCrypt. Whether that is still the case today is unknown.
Be aware that simply the use of methods of avoiding government spying techniques may make you a target. This includes the use of encryption and TAILS. However, if millions and millions of law-abiding people begin to actively use these methods, then the NSA cannot put them under significantly more scrutiny than that to which it is already subjecting the rest of the world. This alone is an argument for their use.
To finally wrap up this long article, let me reiterate that the more you know, the more you will be able to protect yourself on the internet from hackers, thieves, corporations, and the government. So, find out everything you can. Then take a deep breath, or ten, and begin doing what you can to protect yourself to any level that you consider reasonable. Tailor your approach to the actual threats that you are facing. And where you can't protect yourself online, find a way that does not involve the internet. You can still use the old methods of communication: the US mail, telephone, fax, etc., just as you always have.
Copyright © 2018-2019 The Cheapskate's Guide to Computers and the Internet. All rights reserved.