‘I have nothing to hide’ is probably the most dangerous phrase you will hear in a liberal democracy.
If you really believe this phrase, then we can do nothing but admire your:
- Trust in big business;
- Trust in big government;
- Failure to appreciate the recent history of almost all modern liberal democracies; and
- Complete lack of empathy for the billions of people who currently live without any prospect of civil freedom.
But if you find these five words as scary as we do, and you consider your privacy something worth investing in, then you might want to spend some time investigating some useful tools and strategies we employ as a firm, and highly recommend to you:
Duck Duck Go
Google is the big-bad-daddy of big-data. What Google doesn’t know about you is probably not worth knowing (and they can probably put a price on that). Searching through your email is one thing, but having real-time insight into what you are looking for is how Google really makes its money.
Take back your search privacy and switch to the equally effective but entirely private alternative – DuckDuckGo! “The search engine that doesn’t track you.”
We have been using this for well over a year and can attest that it is as accurate and easy to use as Google.
It is easy to set DuckDuckGo as your default search engine in your browser settings.
Have you had that strange feeling that someone is following you after a Facebook search? That’s because they are.
You would be amazed at how much stuff most websites dump on your hard drive when you visit, so that they can track where you go in the future (yes, well after you have left their site). That’s where Privacy Badger comes in. This utility “blocks spying ads and invisible trackers”.
It’s one thing to find what you are looking for using Duck Duck Go, it’s another thing to ensure that Google doesn’t pick up your scent again when you arrive on the page you have found.
You can easily install this utility as a Chrome add-in.
But the fun doesn’t end with Privacy Badger; you can double your defences with Ghostery. This utility makes your browsing “faster, safer, and smarter… Ghostery helps you browse smarter by giving you control over ads and tracking technologies to speed up page loads, eliminate clutter, and protect your data.”
Have you heard of Facebook Pixel? It’s the latest thing in tracking. Basically, Facebook encourages people to link their website pages with Facebook via this digital marketing service. When someone visits a page it creates a ‘curated list’ of people that Facebook knows have visited that page. When the same person then goes to Facebook, Facebook can target content to them based on the issues associated with that page. Facebook owns all of this data – so they can use it for whatever they want. They get this data by giving some ‘re-targeting’ capability to the website owner who buried the Pixel in their site, but this is just the tip of the iceberg of what Facebook can then do with the data. This is what Ghostery tells me when I visit a page…
You can easily install this utility as a Chrome add-in.
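To make the tracker-blocking idea concrete, here is an added example (our own illustration, not code from Privacy Badger or Ghostery) of the heuristic Privacy Badger is known for: a third-party domain that shows up on three or more unrelated sites you visit is treated as a tracker. The page loads below are constructed sample data, and the domain matching is a deliberately naive “last two labels” rule that ignores suffixes like co.uk.

```python
from collections import defaultdict
from urllib.parse import urlparse

BLOCK_THRESHOLD = 3  # Privacy Badger's rule of thumb: seen on 3+ distinct sites


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def base_domain(host: str) -> str:
    # Naive eTLD+1 (assumption: no public-suffix list, so "bbc.co.uk" -> "co.uk").
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def is_third_party(page_url: str, resource_url: str) -> bool:
    return base_domain(host_of(page_url)) != base_domain(host_of(resource_url))


def third_party_sightings(page_loads):
    """Map each third-party domain to the set of first-party sites it was loaded on.

    page_loads: iterable of (page_url, [resource_url, ...]) pairs.
    """
    seen = defaultdict(set)
    for page_url, resources in page_loads:
        site = base_domain(host_of(page_url))
        for res in resources:
            if is_third_party(page_url, res):
                seen[base_domain(host_of(res))].add(site)
    return dict(seen)


def block_list(page_loads, threshold: int = BLOCK_THRESHOLD):
    """Third-party domains that appear across `threshold` or more sites."""
    sightings = third_party_sightings(page_loads)
    return sorted(d for d, sites in sightings.items() if len(sites) >= threshold)


# Constructed sample: the same social-media pixel script on three unrelated sites,
# plus a CDN that only one site uses (first-party assets are ignored entirely).
SAMPLE_LOADS = [
    ("https://news.example/story", ["https://news.example/app.js",
                                     "https://connect.social-pixel.example/events.js"]),
    ("https://shop.example/cart", ["https://cdn.shop-assets.example/style.css",
                                   "https://connect.social-pixel.example/events.js"]),
    ("https://blog.example/post", ["https://connect.social-pixel.example/events.js"]),
]

if __name__ == "__main__":
    print(block_list(SAMPLE_LOADS))  # ['social-pixel.example']
```

Real Privacy Badger also checks that the third party actually tracks (cookies, supercookies, fingerprinting) before blocking, so this is the cross-site half of the logic only.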
Use Chrome as your browser
After all that Google-bashing this is going to sound a bit hypocritical, but if you are going to browse the internet then you should use either Chrome, Safari or Firefox. (We think Firefox is best, but it does have some issues with some sites.) They are the most W3C compliant, and easily integrate with the other privacy tools we talk about here (bit ironic).
However, our recommendation to use Chrome comes with a caveat – don’t sign in with your gmail account. Chrome will pester the living daylights out of you to ‘sign in’ to Chrome. Why? Because it will then track EVERYTHING you do, not just your Google searches. So your online life is now in the hands of dear old Google – you’re basically playing in their sandbox. Why do you think they have spent a small fortune trying to ‘own’ the browser market? Charity? No. They now have a front row seat to your entire online life, not just when you make a search. (The same applies for why they have spent a small fortune ‘giving away’ the Android operating system for mobile phones – once again, not charity…)
What’s worse than disclosing to the world what you are looking for (Google Search or signing into Google Chrome)? Answer: also disclosing why (information easily found among your deepest darkest email secrets). Google Mail (or gmail) is almost ubiquitous. But why is it given away for free? Read Google’s fine print – it explicitly states that its service analyses all of your emails (although it has watered this down a little since the backlash started to mount).
Unfortunately, taking back control of your email is much, much harder than protecting your search and browsing history. This is because Google has integrated with everything, and makes communication a breeze. Really, Gmail is amazing! However, there are alternatives. The most secure that we have so far come across is ProtonMail. Now you can not only hide your money in Switzerland, but also your email:
‘ProtonMail is an end-to-end encrypted email service founded in 2014 at the CERN research facility by Dr. Andy Yen, Jason Stockman and Wei Sun. ProtonMail uses client-side encryption to protect email content and user data before they are sent to ProtonMail servers, in contrast to other common email providers.’
Of course, your email is only as secure as the other parties you are communicating with – and you can pretty much expect that everyone else is going to remain a weak link in the chain.
We haven’t completely adopted ProtonMail, mainly because of the integration issues, and the fact that it does not have the super helpful Google Calendar (which also tells Google exactly where you are at least 12 hours every day – with Google Maps filling in any blanks…)
So if you can’t stop Google (or Microsoft) looking at your hosted email, the next best thing is to use a third-party add-in to encrypt your email before it passes through the public pipe. These can be a bit tricky to install and set up, but are getting easier (much easier).
We personally use GPGSuite (because we’re Mac lovers, but there are plenty of equivalents for PCs): https://gpgtools.org/.
You will need to get your head around public and private keys, but it isn’t as hard as it first sounds. If you are running a business, you may find your clients actually appreciate your efforts and get on board with facilitating the receipt of encrypted email at the other end.
Password-protect your PDFs
This is an easy one. Did you know that you can lock your PDFs with a password? So if you send them to the wrong person, or someone steals your data, they still won’t be able to read your stuff, because they won’t know the password.
Ask your accountant to send you your Tax Assessment as a locked PDF – and avoid your secretary (or anyone else you have delegated email privileges to) knowing what you earn.
Password protecting your PDFs may require you to upgrade to a professional version of Adobe Acrobat or equivalent, but the recipient of your PDFs can open them with the free version of Acrobat.
The way the internet works is that your computer spits out a string of ASCII characters over a public network. Anyone with access to the pipe (which is pretty much everyone who wants it) can intercept the stream of characters and re-create your message. It is really that simple – that’s what makes the internet protocol so useful and ubiquitous, but also inherently unsafe.
Using a VPN is like pulling a shutter down on your window, or spray painting the pipe through which your messages are running. It creates your own walled garden on the web. (That’s probably enough metaphors…)
If you are using the web for work and have multiple offices, or regularly work from Starbucks (or CIBO) or hotels, then a VPN is an absolute MUST HAVE. This is because public ‘free’ Wi-Fi is provided in return for being able to read all of your traffic – why else would Westfield care!? A VPN is easy to set up and you can configure a dedicated and secure ‘pipe’ between your laptop (or desktop in the office) and your server and other work related machines.
We use Nord VPN which is relatively affordable and easy to use. It also runs on our mobile phones and tablets.
All this paranoia is not worth much if someone can pick up your keys and open all the locks.
We don’t know about you, but when our password spreadsheet extended to over 250 lines, we knew it was time to find a better solution. Post-it notes can only get you so far. (By the way, the number of people who keep ALL their passwords on a Google Sheet is amazing. Can you believe that?!)
What you need is a ‘password manager’. There are plenty to choose from, and it can feel a little strange when you first enter the keys to your bank account into a third-party cloud software service. But really you have no choice in this day and age.
It is important that the service you use encrypts the data on your machine before it is sent to the cloud, so if their servers are compromised, all the hacker sees is a lot of encrypted data.
We have gone with LastPass, which is great. But like all these services, it is constantly under cyber attack, so keep an eye on news and always use 2-factor authentication (see below).
If you use online banking, then chances are you know about 2-factor authentication. When you enter your password to log on to a service, it will send a second random confirmation number or request to a nominated service, such as an email or text message to your phone. When you enter the second confirmation it will let you in or process your transaction. Banks go a little further, and issue you with a physical ‘dongle’ that generates random numbers every few seconds that must be entered to confirm a transaction. When we think about it, our bank has about 5-factor authentication…
This is all good, unless one of two things happens – someone hacks your email or steals your phone (or both!). With a little browsing through your historical emails, they will soon pick up the fact that you are using a particular service (or bank), and then by entering your email address (i.e. ID) into the service, and clicking ‘Lost my password’, they will soon have everything they need to 2-factor authenticate – your ID, your recovery email and your phone.
So this is why it is so important to secure your phone (I’m talking 6-digit code, fingerprint, face recognition, etc – and all of the above!) and not let too many people have access to your email. Also, you need a plan that you can quickly implement if you lose your phone or your email is hacked. I mean – shut down everything in minutes. Do you have a plan?? Probably not. Make one.
Another trick is to have an email address just for 2-factor authentication. So if you need to process a transaction or recover a service, you log in to that account. Otherwise you log in to your normal account. This will keep things separate, and make it harder for anyone to put the 3 things together they need to steal your ID.
Use an iPhone
One thing people get very defensive about is their choice of mobile phone. All you Android users out there are going to hate us for this, but if you really care about your privacy (and cybersecurity), then you should be using an iPhone. Even US government employees use iPhones (having traded in their CrackBerries).
Funnily enough, Apple iPhones and Android phones are probably equally as secure – it is just that Apple won’t let ‘user error’ allow people in. The bottom line is that Apple’s locked-down hardware and software ecosystem is such that not much gets in other than what Apple knows about (and is making money from). The NSA probably still has a direct pipe into your phone (but no more direct than their pipe into your Android). But as for other cyber-snoopers, chances are that they have hit the proverbial Apple-fan on their way in.
Encrypt your hard drive data
Apple makes this super easy with FileVault which is built into their operating system, but similar services are available for Windows and other operating systems.
I heard a great story of a Fortune 500 company in the US that thought they had the absolute best digital security in the world. They challenged a digital security consultancy to ‘hack’ their defences – and offered them a huge amount of money if they could. So what did the consultancy do? They hired a really good looking guy to impersonate an air-conditioning repairman. He turned up at their offices, chatted-up the receptionist who let him into the server room to repair the air-conditioning, and he walked out with a server full of unencrypted data saying it was a part he needed to replace…! Bingo.
If you use a data encryption utility on your server and other hardware, then if someone breaks into your office and steals your laptops, desktops or server, all they will get is the hardware, and not all of your data, (which of course you will have already backed up offsite or in the cloud).
With modern computing power, and services to backup your passwords, there is no excuse for not using real-time encryption of your hard drive – particularly for your laptops.
Don’t use Dropbox (Google Drive, OneDrive, iCloud…) for anything important
Come on guys, I know it’s really handy to have all those files on hand, everywhere. But does it not spook you a little that everything in your Dropbox account is immediately searchable? All Word, Excel, pictures, audio, video, PDFs, etc. – immediately searchable.
By all means use Dropbox for the current versions of your latest Broadway play, or blockbuster manuscript, but leave work files on secure and encrypted work servers. It’s not really that hard or expensive – and you can easily set up a fast VPN to access them from anywhere.
If you love the convenience of cloud access, then set your own up. We use an in-house Synology rack server to handle our files. It is easy to set up and maintain, it has RAID redundancy, it backs up to cold storage or encrypted cloud services, you can access it over the web via a VPN, you can encrypt all data on it in real time, and it costs less than a couple of grand for an enterprise-grade version with multi-terabytes of storage.
Use crypto-currencies to buy your mushrooms
If you have read some of our other material, you will know that we are crypto-sceptics. However, not 100%. We believe that distributed blockchains and crypto-trust services may just save privacy after all.
While a deep discussion of cryptography and distributed ledgers is beyond this article, we strongly encourage you to keep up to date with where this technology is heading. A great starting point is this podcast with Kevin Rose.
Don’t spend your life on Facebook, Instagram, Messenger (all owned by Facebook), Youtube (owned by Google), and especially not LinkedIn (owned by Microsoft)
This should be obvious. But it appears that it’s not – from the 2.13 billion users Facebook has.
Who would tell the world who all their friends and business acquaintances are – and then expose all of their deepest and darkest thoughts, emotions and images to boot?? What a high price we are paying to feel ‘connected’. Seriously.
There is not a lot more we can actually say here that has not been said a thousand times (and probably by you to your kids on several occasions recently).
The people who own these services do not use them, and certainly do not let their kids anywhere near them, so why should you?
Privacy and cybersecurity go hand in hand. The ‘good guys’ are just mining your data for legitimate billions. However, the ‘bad guys’ are out there to take over your identity. Sometimes it’s hard to know who’s who…
Cybersecurity warrants an entire article of its own. However, just note that a criminal cyber attack will cost you a small fortune when it hits you, and most of the above privacy tips will help you prevent it happening to you.
If you want to explore this topic further, we suggest you read some of Marc Goodman’s stuff.
How long will all this take to set up?
With a little help, you should be able to get most of this going in an hour or two. A fantastic investment of time, in our view…