Cryptoparty Resources

Here are some guides for secure browsing, communicating, website hosting, and life online.


It’s Cryptoparty time! I'll be leading a couple workshops for educators this summer on digital literacies, including privacy. To support our efforts, here are some guides to getting started with a variety of tools for secure browsing, communicating, website hosting, and life online. If you’re interested in securing your digital content and protecting your digital identity online, check out these tools and take them for a spin.


Secure Communications

Activists, investigative journalists, and other privacy-conscious individuals need a way to communicate digitally that is also secure from surveillance and hackers. The same is true for those who simply don’t want every web-based advertising company knowing (and serving up ads based on) their private business.

Here are some tools and services that are (mostly) easy to use that will help keep your communications privy only to you and the people whom you choose.

Text messaging

Signal is a text messaging app for iOS and Android that encrypts communications end-to-end (meaning that Signal’s programmers cannot access your data, even under a subpoena or pressure from law enforcement). It is easy to use, easy to install, and on Android it can become your only text messaging app – with Signal sending encrypted messages to other Signal users, and regular text messages to other users. You can also make secure (and international) audio calls for free over your data connection.

Email

Protonmail secures your email similarly to Signal. Protonmail was developed by (and for) scientists at CERN, and it uses end-to-end encryption for messages between Protonmail users. Emails to other users are stored on a secure server in privacy-conscious Switzerland. When needed, Protonmail also allows you to send one-time encrypted messages to non-Protonmail users, provided you send them a password via another channel (like text message). Free and paid accounts are available for different users’ needs. Software is open-source and subjected to regular public security audits.

Tutanota, Latin for “secure letter,” functions similarly to Protonmail. Data is housed in Germany, away from the US and UK government surveillance apparatus, and both free and paid accounts are available. Software is open-source and subjected to regular public security audits.

GPG is more involved to set up, but provides the same kind of encryption for “regular” email, by encrypting the message content inside a Gmail, Yahoo, or Outlook message. Like Protonmail and Tutanota, both sender and receiver must have GPG set up for secure communications. GPG also supports single-file encryption on the desktop, and can be installed on Mac, Windows, or Linux.


Secure Browsing

Browsing activity is vulnerable to surveillance from internet service providers (ISPs), the government, the administrator of a network, other users on the network, and the owners of any cookies (bits of code left on your computer from sites you’ve visited and/or logged into) on your computer.

The tools below are generally easy to install and use, and protect you from some aspects of surveillance and unwanted third-party data sharing.

Private Browsers

Tor Browser is a private browser, developed by the US military, that encrypts data and passes it through a chain of “relay” servers to obscure both the source and the destination of the data. It also deletes all history, cache, and cookies every time you close the app. While imperfect, it goes a long way to secure and obscure your web activity. (You can also install and run the Tor service, which will do so for other apps that access the web.) However, it does slow things down, and some sites block Tor users.

Onion Browser is one of the better Tor implementations for iOS; Orbot fills the same role on Android.

Search engines collect a lot of user data in order to “personalize” search results (and boost their advertising-based business model). In addition to search history, companies like Google also provide (and collect data through) advertisements on a variety of websites – from health to shopping to religious to political to personal sites.

Search engines like DuckDuckGo.com and Disconnect.me offer up quality search results (if less “personalized”): Disconnect.me anonymizes the query it forwards to Google, while DuckDuckGo provides its own search results without collecting personal user data. You can set either DuckDuckGo or Disconnect.me as your browser’s default search engine, and you can also install the Disconnect.me browser plugin.

Browser Plugins

AdBlock Plus is a must. It blocks not only advertisements but also many third-party data-mining tools. It is available for a variety of browsers.

Privacy Badger, from the Electronic Frontier Foundation, blocks unseen trackers and spying ads that adblockers often miss. It allows a great deal of customization and flexibility, to ensure that it doesn’t “break” the sites that you visit frequently.

Ghostery blocks ads and trackers and also provides information about the companies that own them. While it doesn’t always catch things some of the other blockers do, it helps you understand just how much of your web traffic is routed through the data stores of the same small number of companies.

Lightbeam (for Firefox only) goes further in visualizing those relationships. By building a network graph of both the sites you visit and the sites they share your data with, it shows just how connected your data is on the scary, wonderful thing we call the internet. Again, it doesn’t catch everything, but it catches enough to create an insightful, if frightening, picture of the paths your data takes across the web.


Password managers

Perhaps the biggest vulnerability on the web is bad passwords. And the biggest thing that makes a password bad is reusing it across services. Eventually, almost every service will be compromised. And when it is, any username and password on the compromised system can be used to gain access to other services where the password is reused. Of course, we all have so many accounts out there that it is impossible to have a different, secure, memorable password for each one. That's where password managers come in.

A password manager is an app that keeps all of your usernames and passwords secure and locked behind a single password. You remember that password, log in to your password manager, and with a click or two you can access all of your accounts with ease. This allows you to have unique, secure (i.e., looooooooong and random) passwords for each service, but you only have to remember one of them. Just make it a secure one.

Two reputable and widely used password managers are 1password and LastPass. Both offer desktop and mobile apps and/or browser plugins.


Two-factor authentication

Passwords can be guessed (including by code), stolen, hacked, or otherwise compromised. Passwords can also be bypassed by clicking "I lost my password" and providing the answers to "security" questions, which are usually publicly available — like mother's maiden name, city of birth, etc. To protect yourself from compromised access, set up two-factor authentication (2FA) on every account you can. (And get rid of as many accounts without 2FA as you can afford to.)

2FA requires two factors to access your account, one of which typically involves access to something physical. The most common form sends a text message with a second code to your phone after you have entered your password in the app or website. If you are also worried about your phone or text-message service being compromised, a USB security key is a great option. (Just don't get one manufactured in China. Security researchers have found some of them to come pre-compromised. YubiKey is likely the most common and trusted brand in the U.S.)


Social-media privacy settings

A lot of personal information can be inadvertently leaked through your social-media profile if your privacy settings are improperly set — or if the platform added new "features" that require a refresh of your privacy settings. Facebook is notorious for having the most byzantine privacy settings, as well as for making changes in the past that have exposed information unexpectedly without notifying users. But LinkedIn is probably the most public in unexpected ways by default. It is important to walk through every social account's security settings thoroughly, and revisit them on a regular basis.


Digital KonMari (a.k.a., deleting stuff)

Digital minimalism is an approach to curating your digital identity that is deliberate about including the things that you value most, and eliminating the things that distract from (or potentially compromise) the things you value. Perhaps you already know some things that you could do without, but for most people, some soul-searching and deliberate decision-making is necessary. Several authors have written books or articles about digital minimalism or digital KonMari recently. I recommend:


A Secure Domain of One’s Own

Domain of One’s Own already increases user privacy by decentralizing the way we find and distribute information. But one simple step can increase our readers’ privacy without diminishing their experience or site performance. This is especially important on sites that engage controversial and/or activist issues, and whose audiences are surveilled, oppressed, or marginalized.

Why Encrypt?

“As our dependency on the internet has grown, the risk to users’ privacy and safety has grown along with it. Every unencrypted HTTP request reveals information about a user’s behavior, and the interception and tracking of unencrypted browsing has become commonplace. Today, there is no such thing as non-sensitive web traffic, and public services should not depend on the benevolence of network operators. When properly configured, HTTPS can provide a fast, secure connection that offers the level of privacy and reliability that users should expect from government web services. … By using private connections by default, changed expectations make everyone safer.” – CIO.GOV

Though the content of your website is public, not every visitor wants everyone knowing what they’ve been reading. Perhaps even more relevant for Domain of One’s Own users, the content of your website is not the only information that is transmitted when someone visits your site. And it is easier to eavesdrop on those transmissions than many people realize.

Establishing an encrypted connection on your website is easy, and it protects your visitors from a variety of privacy invasions.

How to Encrypt?

Visit umw.domains/setting-up-encrypted-access for detailed directions on how to enhance your domain with a secure, encrypted connection.

Be sure to add HTTPS encryption for every domain and subdomain you have.
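One way to confirm that last step once your certificates are in place, as an added example that is not from the original post or from Domain of One's Own: a small Python checker that contacts each hostname over plain HTTP and verifies it redirects to https:// on the same host. The hostnames and responses in SAMPLE are constructed; replace them with your own domains and subdomains to run it live.

```python
import http.client
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 307, 308}

def fetch_http_head(host, timeout=5):
    """One plain-HTTP HEAD request to `host`; returns (status, lowercase headers)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("HEAD", "/", headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()

def check_upgrade(host, status, headers):
    """Return (ok, reason). ok means plain HTTP is redirected to https:// on the
    same host, so a visitor typing the bare domain lands on the encrypted connection."""
    if status not in REDIRECT_CODES:
        return False, f"served content over plain HTTP (status {status})"
    location = headers.get("location", "")
    parts = urlsplit(location)
    if parts.scheme.lower() != "https":
        return False, f"redirect is not https: {location or '(no Location header)'}"
    if parts.hostname and parts.hostname != host.lower():
        return False, f"redirect leaves the site for {parts.hostname}"
    return True, f"{status} -> {location}"

def audit(hosts, fetch=fetch_http_head):
    """Check every hostname; `fetch` is injectable so the logic can run offline."""
    results = {}
    for host in hosts:
        try:
            status, headers = fetch(host)
        except OSError as exc:  # DNS failure, refused connection, timeout
            results[host] = (False, f"connection failed: {exc}")
            continue
        results[host] = check_upgrade(host, status, headers)
    return results

# Constructed sample responses (not real measurements) for an offline run.
SAMPLE = {
    "example.org": (301, {"location": "https://example.org/"}),
    "blog.example.org": (200, {"content-type": "text/html"}),
    "old.example.org": (302, {"location": "http://old.example.org/"}),
}

if __name__ == "__main__":
    for host, (ok, why) in audit(SAMPLE, fetch=SAMPLE.__getitem__).items():
        print("OK  " if ok else "FAIL", host, why)
```

A subdomain that answers 200 over plain HTTP, or that redirects back to http://, shows up as FAIL and still needs its certificate and redirect configured.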