It’s Cryptoparty time again! I’ll be leading UMW’s Digital Knowledge Fellows through a series of crash courses and tutorials relating to digital privacy this week. To support our efforts, I’ve created (and laminated!) a few one-sheets, getting folks started with a variety of tools for secure browsing, texting, email, and website hosting. If you’re interested in securing your digital content and protecting your digital identity online, check out these tools and take them for a spin.
And feel free to print (and laminate!) these one-sheets for your own use — even your own Cryptoparty!
- Secure Communications
- Secure Browsing
- A Secure Domain of One’s Own (a.k.a., encrypting your site’s traffic with https)
Activists and other privacy-conscious individuals need a way to communicate digitally that is also secure from surveillance and hackers. The same is true for those who simply don’t want every web-based advertising company knowing (and serving up ads based on) their private business.
Here are some tools and services that are (mostly) easy to use that will help keep your communications privy only to you and the people whom you choose.
Signal is a text messaging app for iOS and Android that encrypts communications end-to-end (meaning that Signal’s programmers cannot access your data, even under a subpoena or pressure from law enforcement). It is easy to use, easy to install, and on Android it can become your only text messaging app – with Signal sending encrypted messages to other Signal users, and regular text messages to everyone else.
Protonmail secures your email similarly to Signal. Protonmail was developed by (and for) scientists at CERN, and it uses end-to-end encryption for messages between Protonmail users. Emails to other users are stored on a secure server in privacy-conscious Switzerland. When needed, Protonmail also allows you to send one-time encrypted messages to non-Protonmail users, provided you send them a password via another channel (like text message). Free and paid accounts are available for different users’ needs. Software is open-source and subjected to regular public security audits.
Tutanota, Latin for “secure letter,” functions similarly to Protonmail. Data is housed in Germany, away from US and UK government surveillance apparatuses, and both free and paid accounts are available. Software is open-source and subjected to regular public security audits.
GPG is more involved to set up, but provides the same kind of encryption for “regular” email, by encrypting message content inside a Gmail, Yahoo, or Outlook message. Like Protonmail and Tutanota, both sender and receiver must have GPG set up for secure communications. GPG also supports single-file encryption on the desktop, and can be installed for Mac, Windows, or Linux.
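The two GPG uses described above, as an added example that is not part of the original one-sheet: an email-style exchange showing why the receiver must have GPG set up first, and single-file encryption with a passphrase. It assumes GnuPG 2.1 or later is installed; the keyrings are throwaway, and the names, addresses, passphrase and messages are constructed for the demo.

```shell
#!/usr/bin/env bash
set -eu
# Helper: run gpg non-interactively against one throwaway keyring directory.
G() { local home=$1; shift; gpg --homedir "$home" --batch --quiet --pinentry-mode loopback "$@"; }
cleanup() {
  local work=$1 h; shift
  for h in "$@"; do gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true; done
  rm -rf "$work"
}

email_roundtrip() {
  local work bob alice
  work=$(mktemp -d); bob="$work/bob"; alice="$work/alice"
  mkdir -m 700 "$bob" "$alice"
  # Receiver (Bob): create a key pair and export only the public half.
  # The empty passphrase is for the demo; protect a real key with a strong one.
  G "$bob" --passphrase '' --quick-generate-key 'Bob Example <bob@example.org>' default default never
  G "$bob" --armor --export bob@example.org > "$work/bob.pub.asc"
  # Sender (Alice): import Bob's public key, then encrypt to it. The armored
  # output is plain text that can be pasted into any webmail message body.
  # (--trust-model always skips fingerprint verification; verify it in real use.)
  G "$alice" --import "$work/bob.pub.asc"
  printf 'meet at noon\n' > "$work/msg.txt"
  G "$alice" --trust-model always --armor --recipient bob@example.org \
    --output "$work/msg.asc" --encrypt "$work/msg.txt"
  # Alice holds no matching secret key, so even she cannot read it back.
  if G "$alice" --decrypt "$work/msg.asc" >/dev/null 2>&1; then
    echo 'unexpected: sender decrypted' >&2; return 1
  fi
  # Only Bob's secret key opens the message.
  G "$bob" --passphrase '' --decrypt "$work/msg.asc" 2>/dev/null
  cleanup "$work" "$bob" "$alice"
}

file_roundtrip() {
  local work home pass='constructed-demo-passphrase'
  work=$(mktemp -d); home="$work/home"; mkdir -m 700 "$home"
  printf 'draft budget\n' > "$work/notes.txt"
  # Single-file mode: one passphrase, no key pair. (Interactively, omit
  # --passphrase and let gpg prompt so it stays out of the process list.)
  G "$home" --passphrase "$pass" --cipher-algo AES256 \
    --output "$work/notes.txt.gpg" --symmetric "$work/notes.txt"
  G "$home" --passphrase "$pass" --decrypt "$work/notes.txt.gpg" 2>/dev/null
  cleanup "$work" "$home"
}

email_roundtrip
file_roundtrip
```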
Browsing activity is vulnerable to surveillance from internet service providers (ISPs), the government, the administrator of a network (like UMW’s), other users on the network, and the owners of any cookies (bits of code left on your computer from sites you’ve visited and/or logged into) on your computer.
The tools below are generally easy to install and use, and protect you from surveillance and unwanted third-party data sharing.
Tor Browser (inaccessible on the UMW network) is a private browser, developed by the US military, that encrypts data and passes it through a chain of “relay” servers to obscure both the source and the destination of the data. It also deletes all history, cache, and cookies every time you close the app. While imperfect, it goes a looong way to secure and obscure your web activity. (You can also install and run the Tor service, which will do so for other apps that access the web.) However, it does slow things down, and some sites block Tor users.
Onion Browser is one of the better iOS instances of Tor, as is Orbot for Android.
Search engines collect a lot of user data in order to “personalize” search results (and boost their advertising-based business model). In addition to search history, companies like Google also provide (and collect data through) advertisements on a variety of websites – from health to shopping to religious to political to personal sites.
Search engines like DuckDuckGo.com and Disconnect.me offer up quality search results (if less “personalized”) while anonymizing the data sent to Google (Disconnect.me) – or simply providing their own search results without collecting personal user data (DuckDuckGo). You can change your browser’s default search engine to either DuckDuckGo or Disconnect.me. You can also install the Disconnect.me browser plugin.
AdBlock Plus is a must. It blocks not only advertisements but a lot of third-party data-mining tools as well. It is available for a variety of browsers.
Privacy Badger, from the Electronic Frontier Foundation, blocks unseen trackers and spying ads that adblockers often miss. It allows a great deal of customization and flexibility, to ensure that it doesn’t “break” the sites that you visit frequently.
Ghostery both blocks ads and trackers, and provides information about the companies that own them. While it doesn’t always catch things some of the other blockers do, it helps you understand just how much of your web traffic is routed through the data stores of the same small number of companies.
Lightbeam (for Firefox only) visualizes those relationships even more. By creating a network graph of both the sites you visit and the sites they share your data with, you can see just how connected your data is on the scary, wonderful thing we call the internet. Again, it doesn’t catch everything, but it catches enough to create an insightful, if frightening, image of the paths your data takes across the web.
A Secure Domain of One’s Own
Domain of One’s Own already increases user privacy by decentralizing the way we find and distribute information. But one simple step can increase our readers’ privacy without diminishing their experience or site performance. This is especially important on sites that engage controversial and/or activist issues, and whose audiences are surveilled, oppressed, or marginalized.
“As our dependency on the internet has grown, the risk to users’ privacy and safety has grown along with it. Every unencrypted HTTP request reveals information about a user’s behavior, and the interception and tracking of unencrypted browsing has become commonplace. Today, there is no such thing as non-sensitive web traffic, and public services should not depend on the benevolence of network operators. When properly configured, HTTPS can provide a fast, secure connection that offers the level of privacy and reliability that users should expect from government web services. … By using private connections by default, changed expectations make everyone safer.” – CIO.GOV
Though the content of your website is public, not every visitor wants everyone knowing what they’ve been reading. Perhaps even more relevant for Domain of One’s Own users, the content of your website is not the only information that is transmitted when someone visits your site. And it is easier to eavesdrop on those transmissions than many people realize.
Establishing an encrypted connection on your website is easy, and it protects your visitors from a variety of privacy invasions.
How to Encrypt?
Visit umw.domains/setting-up-encrypted-access for detailed directions on how to enhance your domain with a secure, encrypted connection.
Be sure to add HTTPS encryption for every domain and subdomain you have.