Slashdot Mirror
Snowden's Tough Advice For Guarding Privacy
While urging policy reform as more important than per-person safeguards, Edward Snowden had a few pieces of advice on maintaining online privacy for attendees at Saturday's New Yorker Festival. As reported by TechCrunch, Snowden's ideas for avoiding online intrusions (delivered via video link) sound simple enough, but may not be easy for anyone who relies on Google, Facebook, or Dropbox, since those are three companies he names as ones to drop. A small slice: He also suggested that while Facebook and Google have improved their security, they remain “dangerous services” that people should avoid. (Somewhat amusingly, anyone watching the interview via Google Hangout or YouTube saw a Google logo above Snowden’s face as he said this.) His final piece of advice on this front: Don’t send unencrypted text messages, but instead use services like RedPhone and Silent Circle. Earlier in the interview, Snowden dismissed claims that increased encryption on iOS will hurt crime-fighting efforts. Even with that encryption, he said law enforcement officials can still ask for warrants that will give them complete access to a suspect’s phone, which will include the key to the encrypted data. Plus, companies like Apple, AT&T, and Verizon can be subpoenaed for their data.
Google and Facebook make our lives easier in many ways. Just understand that what you say is not truly private and use common sense about what you post there.
Google analytics and ads are everywhere so even if you don't directly use their services like Search and GMail, you are still being tracked by them.
Also, your browser sends referrer headers which tells whatever site you're visiting where you came from. Your browser + browser plugin profile can be used to narrow down who you are even behind Tor. Browser plugins like Adobe Flash save their own set of cookies separate from regular browser cookies.
If you use the Internet, you're being tracked. You may be able to help yourself be tracked _less_ by taking some precautions, but that's about it, I think, for the average person.
I used FB for years before finally closing my account down. No doubt that data will stay in their system forever. Like a drug, better to not start at all than to have to quit.
Basically it boils down to: law enforcement are going to do what they're going to do. I know I'm being tracked, I try and keep my nose clean, and whatever happens happens. I'm not going to live my life all paranoid.
Simply avoiding Facebook, Google and the rest isn't going to serve much. Because that makes you stand out, too. Use them. Fill them with enough goody-two-shoes garbage that you're uninteresting enough. Invent some innocent hobby or two for you to have so you can fill that page with something. Invite friends (whoever you run across will do, just make sure that they're not in some way "odd").
The important bit is just to keep your real life apart from your official one. And yes, before you ask, your work belongs on the "official" side. Along with your official family and everything else that can easily be connected to you with existing data. Don't try to hide what can be proven to belong to you.
And yes, 10 years ago I would have agreed that doing something like this means your tinfoil hat is sitting too tight. Today, I ain't so sure anymore...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Here is the rub:
A company breaks up a key into pieces and says that no single division or part can decrypt data.
However, with the proper "encouragement" via a government (similar to how India "encouraged" RIM to give them access to BIS servers), the data can still be obtained. iPhones are quite closed devices, and in theory (mind you, this is theory), Apple could push some code to the phone belonging to a person of interest that would either install a backup key, pull the key out, or download data in the background.
Android, similar... but with Android, there are so many different ROMs, phones, and configurations out there that it would take some doing and not just typing an IMEI number, click "spy", and be done with it. It is quite possible, but not as easy.
Do I trust Apple? There are other big companies who have started to play policeman and actively sift through their subscriber data and hand things over without being told to do so. Apple doesn't actively do the virtual equivalent of going through one's belongings with a fine tooth comb, then bringing in the police if something illegal is found under a couch. There is already enough fighting to keep government powers at bay. Having private companies act as another police force is unacceptable, no matter how noble their aim.
Would I stay at a hotel knowing that my stuff there will be sifted through for anything illegal, and my phone calls taped and actively listened to for any activity? Nope. I'm sure the "do you have anything to hide" argument will be brought to bear, but if the company storing my data is now someone actively trying to find a way to cause me legal issues, I'll take my business to another place that doesn't do that. I feel that Apple hasn't tossed anyone to the wolves, so they are probably a lesser evil in this department, although who knows where their data ends up, as their devices are made in China, and the Chinese government has just as much say in what goes into them as Tim Cook does.
Don't forget -- "illegal" applies globally. The US has extradition agreements with Saudi Arabia and Turkey, so technically, a US citizen can be extradited to KSA for something anti-Islamic (giving a church flyer to a Muslim), and then beheaded even though the person never set foot outside the US. So, what may be something one doesn't worry about now may be something (and their families) that one might be killed over in a few years.
Another example is Thailand's lese majeste laws. A US citizen who poked fun at Thailand's leaders can be deported there, even though the person never was in the country. Having a private company look for these types of things, items that people never thought of, then they get arrested and shipped overseas to stand trial in a country they never even seen is something that is inevitable. Someone may be a 100% law abiding person in the US and have nothing to hide... but with extradition treaties, they might be breaking laws in a country they never have heard from and can be hauled off for that (Kim Dotcom, anyone?). So, privacy is a must.
Do I trust Facebook? Rule 1 of the Net. Don't put it up unless you want the local DA, Feds, and your worst enemies seeing it. With that in mind, plus common sense partitioning (run your FB Web browser in a sandbox or container separate from everything else), FB is tamable. It is a must these days (I've been turned down for jobs because I didn't have a FB ID, as an IT worker without a FB or Twitter account is considered a "fossil".)
Do I trust Google? I use their services, and have found that Android is well written. Even the disk encryption is decent, especially if you separate the dm-crypt partition passphrase from your unlock PIN, making your /data partition extremely tough to brute force open. I'm not really worried, as they are not any worse or any better than other places.
Do I trust Dropbox? Similar to above. Neither worse or better. However, I do pack my own parachute and use Boxcryptor (not 10
Mainly to make the authorities go through the front door, you know, as the constitution says they should.
They hate having to follow that old rag's commandments though.
they need a warrant, and have to go through proper legal channels.
I take it you've been living under a rock for the past decade.
You need to take Apple at their word for most of those. There's proprietary hardware and binaries in the mix. There's no independent outside audit. Your level of trust is disturbingly naive in an era where corporations and governments lying to citizens is the norm.
Apple may well be telling the truth about all of them. But to put actual trust in it is fanboiism itself. Right now, you can't trust much of anything. In short, we're stuck between a rock and a hard place. We need to get work done, to interact with others, to be productive in general--but the best options available to us are lousy.
Trust comes at a high premium and isn't given lightly.
His advice is so stupid that I'm really beginning to wonder whether he is still working for the NSA. It's not only inconvenient, it actually puts you at a greater risk.
Computer security is really not that different from physical security: locking up everything from everybody is a lot of work, inconvenient, and expensive.
For most things, Google and Facebook are perfectly fine. Hysterical avoidance of them is not only inconvenient, but switching to supposedly more secure services will either make you appear suspicious, or you may simply be running into the open arms of some intelligence service that is using those services as a front.
Information you don't want to fall into the hands of criminals, you should encrypt; online storage may be fine for some if you are good about encryption and it's not that critical. For really critical information, use local USB drives or paper.
Is there information you don't want to fall into the hands of government? Yes, even if you are law-abiding. You want to avoid being a false positive on some witch hunt for terrorists or drug offenders, and you don't want to give corrupt prosecutors the ability to blackmail or pressure you into admitting things you didn't do. So, keep your Magic Pony gay porn collection off the Internet and encrypt it, keep your medical information on paper, and purchase your fertilizer and cold medication with cash when you can.
But i know, that there are people working with the source code. An obvious backdoor would have been found i.e. by the cyanogenmod people, so it needs at least to be more subtle.
Is this where "the man" dangles a puppet in front of your eyes so you forget about everything else? Say I never used facebook, dropbox and google and steer clear. Now "they" only have phones, credit cards, bank statements, anything I get shipped, plane stubs, hotel reservations, car license plates, cell- and/or smartphones and a bazillion other things to know exactly what I ate last Tuesday and to violate my privacy which, judging by the attention wh**ing online, nobody cares all that much about anyway it seems.
"Only one thing is impossible for God: To find any sense in any copyright law on the planet." - Mark Twain
Of course government can read my e-mail. All they have to be is waterboard me.
Wrong.
I can't understand why people are so confused about this. It has nothing to do with government needing to resort to extreme measures to get its way.
All it takes is a warrant. People have been getting warrants for close to a thousand years. Getting a warrant is not hard. Getting a warrant is a routine part of professional law enforcement. Nowadays getting the warrant is actually easier than all the theatrics they're doing instead. All these efforts to circumvent constitution guarantees (in multiple countries) are about making the political statement that the government is above the law. It is intimidation with no constructive purpose. Citizens are worse off not just because it violates their rights, but also because it encourages sloppy police work.