We now live in a pervasive cyber world where most people use their smart devices in all aspects of life. Although this pervasive computing facilitates our work and life activities, it is important to know how to secure our data and preserve our privacy. In the Privacy Flag project, we surveyed the cyber-activities that users commonly perform with their computers and smart devices to identify possible privacy leaks and to recommend trusted tools that mitigate or prevent these leaks. The survey covered a wide range of cyber-activities, from surfing the Internet and sending instant messages to securely managing user credentials.
Here, we provide best practices for the most common cyber-activities to increase public awareness of security and privacy, and we recommend trusted tools that help users follow these best practices and preserve their security and privacy.
Web Browsing
While users browse the web, they leave footprints behind them, both locally on their machines (history, cache, cookies) and remotely on web servers (IP address, browser characteristics, requests to third-party trackers). The following tips mitigate this problem:
A. Private Browser Window
Most web browsers support a private browsing mode that deletes all data related to the user session once the last private window is closed: browsing history, form entries, cached media and the cookies set during the session. Note what it does not do: the visited websites, the network operator and the ISP still see the user's IP address and requests, and bookmarks or downloaded files are kept.
B. Useful Add-ons
There are many browser add-ons that claim to improve user privacy. However, not all of them really do so, or do it correctly. We list here the most popular add-ons that are recommended and offered by authentic sources.
- uBlock Origin (Firefox/Chrome) is an efficient wide-spectrum ad blocker that uses little memory while supporting more filter lists than other popular blockers. It is completely open source, has no monetization strategy, and does not allow so-called “acceptable ads”, as AdBlock Plus does.
- Self-Destructing Cookies (Firefox) automatically removes cookies as soon as the tabs that use them are closed.
- Click&Clean (Firefox/Chrome) deletes browsing and download history, temporary files and cache, and removes cookies, including Flash local shared objects (LSOs).
- Disconnect (Firefox/Chrome) is an open source add-on that visualizes and blocks the invisible websites that track the user. It blocks third-party tracking cookies and gives the user control over all site scripts.
- Privacy Badger (Firefox/Chrome), from the EFF, stops advertisers and other third-party trackers from secretly tracking the user. If a third-party domain appears to track the user across multiple websites without permission, Privacy Badger automatically blocks it from loading any further content in the browser.
- HTTPS Everywhere (Firefox/Chrome) rewrites requests to many major websites to use HTTPS instead of HTTP, so that the connection is encrypted wherever the site supports it. This add-on is a collaboration between The Tor Project and the Electronic Frontier Foundation (EFF).
- Decentraleyes (Firefox/Chrome) emulates Content Delivery Networks (CDNs) locally: it intercepts requests for common JavaScript libraries, serves a bundled copy of the resource and injects it into the page, so the CDN operator never sees the request. This happens instantaneously, automatically, and without prior configuration.
- uMatrix (Firefox/Chrome): Many websites integrate features that let other websites track you, such as Facebook Like buttons or Google Analytics. uMatrix gives the user control over the requests that websites make to other websites, which provides much more fine-grained control over the information the user leaks online.
C. Harmful Add-ons
On the other side, there are some popular add-ons that are supposed to protect user privacy but in fact sell user data to third parties:
- Ghostery gives the user control of the personal data that can be shared with the trackers on the visited websites. It can also block the offending trackers and significantly speed up browsing. However, MIT Technology Review reported that the company behind it helps advertising companies improve their use of tracking code by selling them data collected from Ghostery users who have enabled the tool's data-sharing feature.
- Web of Trust (WOT) uses crowdsourcing to rate sites for trustworthiness and child safety. It turns out that it also collects a great deal of data about the user's browsing habits. According to a report by the German television channel NDR, WOT sold user data to various third-party companies without proper anonymization, which made it easy to re-identify individual users.
D. Tor Browser
When users really care about their anonymity, they are advised to use the Tor Browser. The Tor network is a group of volunteer-operated servers that allows people to improve their privacy and security on the Internet. Tor users connect through a series of encrypted tunnels (a circuit of three relays) rather than making a direct connection to the destination, so no single relay sees both who the user is and what the user visits. Along the same lines, Tor is an effective censorship circumvention tool, allowing its users to reach otherwise blocked destinations or content. Tor can also be used as a building block for software developers to create new communication tools with built-in privacy features. The Privacy Flag add-on and smartphone app enablers use this feature and route the Privacy Flag traffic through Tor if the user installs and enables Tor.
Since the Tor network only provides anonymity at the transport layer, the Tor Project created the Tor Browser Bundle (TBB), which consists of a modified Mozilla Firefox web browser, the Torbutton, TorLauncher, NoScript and HTTPS Everywhere extensions, and the Tor proxy. The Tor Browser automatically starts the Tor background process and routes all browser traffic through the Tor network. When a session ends, the browser deletes privacy-sensitive data such as HTTP cookies and the browsing history. Pointing an ordinary browser at Tor as a proxy is not equivalent: that browser would still be identifiable through its fingerprint and plugins.
Virtual Private Network (VPN)
A Virtual Private Network (VPN) extends a private network across a public network, typically the Internet. It enables users to send and receive data across shared or public networks as if their devices were directly connected to the private network. Businesses employ VPNs to connect remote datacenters and remote workers, and individuals can use VPNs to reach network resources when they are not physically on the same local area network (LAN), or as a method for encrypting their communications when they use an untrusted public network (e.g., open WiFi). To connect, the user usually launches a VPN client, logs in with his/her credentials, and the client authenticates the remote VPN server (typically by its certificate) and negotiates session keys with it. Once both sides have authenticated each other, all of the user's traffic to the VPN server is encrypted and protected from eavesdropping on the local network.
VPN services are now commonly used to browse the Internet securely and anonymously. However, not all VPN providers are anonymous even if they declare themselves so: some log the IP addresses and activities of their users, and in any case the provider itself sees all the traffic the ISP used to see. Thus a VPN should not be considered an anonymity tool but a security layer that protects user traffic from being easily monitored or censored by intermediate parties. Nevertheless, we recognize privacy-friendly VPN providers by the following criteria: they support OpenVPN, do not require personal information to register, adopt a no-logging policy and offer protection against DNS leaks (name lookups that bypass the tunnel and reveal the visited sites to the local network). Some examples are TorGuard, NordVPN, EarthVPN, and Proxy.sh.
Email service and client
Google has clarified its email scanning practices in a “terms of service” update, informing users that incoming and outgoing emails are analyzed by automated software. The revisions explicitly state that Google's system scans the content of emails stored on Google's servers as well as those being sent and received by any Google email account. This is possible because the mail is readable by the provider once it reaches the servers: the TLS encryption used in transit protects the message only on the wire, and any encryption at rest uses keys the provider holds. The same applies to other popular free email providers.
Thus, to overcome this serious privacy leak, users are advised to use secure email services such as ProtonMail. Messages are transmitted and stored on ProtonMail servers in encrypted form, with keys derived on the client, which means the provider does not have the technical ability to decrypt user messages and, as a result, cannot hand the content over to third parties. ProtonMail also does not save tracking information such as the IP addresses used to log in, and it does not require any personally identifiable information to register. Note that this end-to-end protection applies between ProtonMail users; a message to an external address is encrypted end to end only if the sender uses the password-protected message option or PGP, and subject lines and recipients remain visible to the provider in any case.
When a corporate email service has to be used, users are advised to use Pretty Good Privacy (PGP) to encrypt and sign their messages. To send a message confidentially, PGP combines symmetric-key and public-key encryption. The message body is encrypted with a symmetric algorithm under a fresh, randomly generated key that is used only once, the session key. The session key must reach the receiver so that the message can be decrypted, so it is itself encrypted with the receiver's public key and sent along with the message; only the receiver's private key can recover it. PGP also supports message authentication and integrity checking through digital signatures: integrity means detecting whether the message has been altered since it was completed, and authentication means determining whether it was really sent by the claimed sender. The sender creates the signature with RSA or DSA by computing a hash (message digest) of the plaintext and signing that hash with the sender's private key; the receiver verifies it with the sender's public key. Encryption alone does not guarantee integrity, so the signature (and, in modern OpenPGP, the modification detection code) is what tells the receiver that the content arrived unchanged. Several add-ons bring PGP to different mail clients, such as Enigmail for Mozilla Thunderbird and SeaMonkey.
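As an added illustration (not code from the Privacy Flag project or from any PGP implementation), the following Go program carries out the same hybrid scheme with standard-library primitives: a one-time session key wrapped to the recipient with RSA-OAEP, the body encrypted under that key with AES-GCM, and an RSA-PSS signature over the plaintext hash. The envelope layout, the names Seal and Open and the sample message are assumptions made for this example; real OpenPGP uses its own packet syntax and places the signature inside the encrypted body.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope mirrors the layout of a PGP encrypted-and-signed message
// (illustrative structure chosen for this example, not OpenPGP packet syntax).
type Envelope struct {
	WrappedKey []byte // session key, RSA-OAEP encrypted to the recipient
	Nonce      []byte // AES-GCM nonce, fresh per message
	Ciphertext []byte // AES-GCM output, authentication tag included
	Signature  []byte // RSA-PSS over SHA-256(plaintext), made by the sender
}

// Seal encrypts plain for recipient and signs it with sender's private key.
func Seal(plain []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) (*Envelope, error) {
	// 1. Fresh 256-bit session key: used for this message only, never reused.
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	// 2. Symmetric encryption of the body (AES-256-GCM).
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plain, nil)
	// 3. Wrap the session key so that only the recipient's private key opens it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	// 4. Hash the plaintext and sign the digest with the sender's private key.
	digest := sha256.Sum256(plain)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct, Signature: sig}, nil
}

// Open reverses Seal: unwrap the session key, decrypt, then verify the
// signature under the sender's public key. Any failure yields no plaintext.
func Open(env *Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("session key is not addressed to this recipient")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("body modified in transit or wrong key")
	}
	digest := sha256.Sum256(plain)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, errors.New("signature does not verify under the claimed sender's key")
	}
	return plain, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048) // sender
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)   // recipient
	msg := []byte("constructed sample message")     // constructed input

	env, err := Seal(msg, alice, &bob.PublicKey)
	if err != nil {
		panic(err)
	}
	got, err := Open(env, bob, &alice.PublicKey)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(got, msg))

	env.Ciphertext[0] ^= 0x01 // one flipped bit: rejected by the GCM tag check
	_, err = Open(env, bob, &alice.PublicKey)
	fmt.Println("tampered body:", err)
	env.Ciphertext[0] ^= 0x01

	_, err = Open(env, bob, &bob.PublicKey) // decrypts fine, but wrong signer
	fmt.Println("wrong signer:", err)
}
```

Running the program shows the three outcomes a PGP client distinguishes: a correct message, a message altered in transit (rejected by the authenticated cipher before the signature is even consulted) and a message whose signature does not verify under the claimed sender's key.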
Search Engines
Search engines (like Google and Yahoo) use the queries issued by users to deliver more personalized results. This may appear to be a good feature, but to enable it the search engine stores each query together with its timestamp and the user's IP address, builds a profile of the user and infers his/her interests. Parts of this information also reach the sites the user clicks on (for example, search terms passed in the Referer header), which threatens user privacy. Personalization also narrows what the user sees: instead of results from the whole Internet, only things the engine believes interest the user are shown.
On the bright side, there are private search engines such as DuckDuckGo, which does not track users or collect personal information. Startpage fetches results from Google on behalf of the user without recording his/her IP address or logging anything about his/her behaviour. Similarly, searx is an open source meta-search engine that aggregates the results of other search engines while storing no information about its users.
Instant Messaging (IM) and VoIP Software
Instant messengers (like Skype, WhatsApp, Viber and Facebook Messenger) are used by almost everyone nowadays to send text messages and place voice and video calls. A few of these popular messengers, such as WhatsApp and Viber, have recently started to support end-to-end (E2E) encryption, which keeps the content of conversations secret even from the provider's servers. Facebook Messenger supports E2E encryption only on mobile devices and only for text messages, and it is not enabled by default. Even when an app supports this feature, user privacy is still not fully protected, because metadata (who talks to whom, when, and from which device) remains visible to the provider. In August 2016, WhatsApp announced that it would start sharing user data with its parent company Facebook in order to bring adverts to the platform, and that third-party companies would be able to send targeted messages directly to WhatsApp users.
To keep messages safe and private, users are advised to use privacy-friendly open source IM services. Signal is a free and open source mobile app that provides end-to-end encrypted instant messaging and voice calls (video calls were recently added in beta), as well as encrypted group chats. Wire offers similar features and is available for desktop, web and mobile platforms. For desktop or laptop machines, Ricochet is another alternative: it uses the Tor network to reach the user's contacts without relying on any messaging server. Ricochet starts a Tor hidden service locally on the user's computer and communicates only with other Ricochet users who run their own Ricochet-created hidden services, so Ricochet traffic never leaves the Tor network. A screen name (e.g., ricochet:hslmfsg47dmcqctb) is generated automatically the first time Ricochet starts; the first half is the word “ricochet” and the second half is the address of the user's Tor hidden service, which is derived from the service's key. Before two Ricochet users can talk, at least one of them must share his/her screen name privately or publicly in some way.
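The screen name is self-authenticating because the hidden-service address is a hash of the service's public key. As an added example (not Ricochet's or Tor's own code), the following Go program derives a version 2 onion address the way Tor did, namely the first 80 bits of SHA-1 over the DER-encoded PKCS#1 RSA public key in lower-case base32, assembles the ricochet: screen name from it, and checks the shape of a screen name received from a contact. The function names are chosen for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"encoding/base32"
	"fmt"
	"strings"
)

// OnionAddressV2 derives the legacy (version 2) hidden-service address from
// the service's RSA public key as Tor did: SHA-1 over the DER-encoded PKCS#1
// RSAPublicKey, keep the first 80 bits, base32-encode in lower case.
// 80 bits is exactly 16 base32 characters, so no padding appears.
func OnionAddressV2(pub *rsa.PublicKey) string {
	der := x509.MarshalPKCS1PublicKey(pub)
	sum := sha1.Sum(der)
	return strings.ToLower(base32.StdEncoding.EncodeToString(sum[:10]))
}

// RicochetID builds the screen name: the word "ricochet", a colon, and the
// hidden-service address. Because the address is a hash of the key, the name
// identifies the peer cryptographically: only the holder of the matching
// private key can run the hidden service the name points at.
func RicochetID(pub *rsa.PublicKey) string {
	return "ricochet:" + OnionAddressV2(pub)
}

// ParseRicochetID checks the shape of a shared screen name and returns the
// onion address part: 16 characters from the lower-case base32 alphabet.
func ParseRicochetID(id string) (string, bool) {
	const prefix = "ricochet:"
	if !strings.HasPrefix(id, prefix) {
		return "", false
	}
	addr := id[len(prefix):]
	if len(addr) != 16 {
		return "", false
	}
	for _, c := range addr {
		if !((c >= 'a' && c <= 'z') || (c >= '2' && c <= '7')) {
			return "", false
		}
	}
	return addr, true
}

func main() {
	// 1024-bit RSA was the key size of version 2 hidden services.
	key, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		panic(err)
	}
	id := RicochetID(&key.PublicKey)
	fmt.Println("screen name:", id)
	addr, ok := ParseRicochetID(id)
	fmt.Println("parsed:", addr, ok)
	fmt.Println("stable across calls:", OnionAddressV2(&key.PublicKey) == addr)
}
```

Because the name is bound to the key, a contact who reaches ricochet:hslmfsg47dmcqctb knows that only the holder of the matching private key can be answering; no directory or account server is involved. Version 2 addresses (16 characters, RSA-1024, SHA-1) have since been retired by Tor in favour of version 3 (56 characters, Ed25519), which Ricochet Refresh uses.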
Encrypted Cloud Storage
Cloud storage (like Dropbox, OneDrive and Google Drive) has become an essential tool for sharing files and media among a user's devices or contacts. Although all cloud services promise security, they hold the user's files in a form they can read: any encryption applied on their servers uses keys the provider controls. This means that the provider's technical staff, or a government with a legal request, can access personal files without notice, and if the servers are compromised, the attackers have full access to the user's files.
There are several secure alternatives for cloud storage, such as Sync, Seafile and SpiderOak. Sync is a zero-knowledge cloud service, which means that files are encrypted on the user's machine before they are synced with the cloud servers. Sync.com encrypts files with 256-bit AES and locks the file keys with a 2048-bit RSA key pair held by the user. Passwords are never transmitted to Sync, and Sync does not store passwords or password hashes during account creation or login. Seafile offers another model: users can host their files on their own servers, or have Seafile host them either in Germany or on Amazon Web Services in the US.
Disk and File Encryption
Disk encryption software protects the confidentiality of data stored on computer media (e.g., a hard disk, floppy disk, or USB device). Operating systems usually enforce access controls where each user account has specific rights on each file and directory. However, disk encryption protects data confidentiality even when the OS is not active, for example if data is read directly from the hardware or by a different OS. Disk encryption generally refers to complete encryption of an entire volume, mostly transparently to the user, the system and applications. This is distinguished from file-level encryption, which the user applies to a single file or group of files. Disk encryption usually covers all aspects of the disk, including directories, so that an attacker cannot determine the content, name or size of any file. It is well suited to portable devices such as laptop computers and external drives, which are particularly susceptible to being lost or stolen. If used properly, someone finding a lost device cannot read the data, or even know what files might be present. The protection only holds while the volume is locked: once the user has unlocked it, the OS and any malware running on it can read the files as usual, so a device left unattended should be powered off rather than merely suspended.
One example of a disk encryption tool is VeraCrypt, which can create and maintain an on-the-fly-encrypted volume, either on a whole partition or drive or inside an ordinary file that serves as a container. On-the-fly encryption (OTFE) means that data is automatically encrypted right before it is saved and decrypted right after it is loaded, without any user intervention. No data stored on an encrypted volume can be read (decrypted) without the correct password or keyfile(s), or the correct encryption keys. On-the-fly encryption does not mean that a whole file must be held in RAM before it can be encrypted or decrypted; there are no extra memory (RAM) requirements. For encrypting individual files, GnuPG is a simple option that is open source and supported on all desktop operating systems (Windows, Linux and macOS).
Password Managers
Good security practice requires users to use a different password for each website and service. For accounts of any significance, those also need to be strong passwords. Combining the two requirements (one password per site and strong passwords) quickly becomes too complex to manage from memory. To handle this complexity there are many password managers, but only a few of them are really secure. Master Password is based on a password generation algorithm that guarantees the passwords can never be lost: they are not stored anywhere but generated on demand from the user name, the site name and the master password, so no syncing, backups or Internet access are needed. The flip side is that the master password protects every account at once, and replacing a single site's password requires a per-site counter. KeePass is a free open source traditional password manager that stores all passwords in one database locked with a master key and/or a key file; the database is encrypted with well-established algorithms (AES or Twofish).
Two-Factor Authentication (2FA)
After the numerous account breaches of recent years, even at giant service providers (such as LinkedIn, Dropbox, Yahoo and Myspace), many providers started to support two-factor authentication to protect their users from the consequences of such leaks. Two-factor or two-step authentication adds a second level of authentication to an account login. When the user only has to enter a username and password to log in, that is single-factor authentication. 2FA requires the user to present an additional secret (or verification code) tied to something the user possesses rather than knows. This additional factor is typically the user's phone, or it can be a biometric feature such as a fingerprint. For example, the verification code can be sent by SMS or generated by a dedicated mobile app that stores a secret (such as Google Authenticator, Duo Mobile or the Facebook app). 2FA therefore offers greater account security by authenticating the identity by more than one method: even if someone got hold of the user's password, they could not access the account unless they also had the mobile phone or another secondary means of authentication. Codes generated by an app are preferable to codes sent by SMS, which can be intercepted or redirected, for instance by persuading the carrier to move the number to another SIM.
The 2FA process goes by different names from one service to another. Facebook calls it “login approvals,” Twitter calls it “login verification,” and Google calls it “2-step verification.” Extensive lists of services supporting 2FA are maintained online.
Since security and privacy threats and their countermeasures are continuously evolving, we provide here links to trusted online resources that offer up-to-date tips, tools and best practices for safer and more private communication. In fact, we mainly used these resources, among others, to compile this guide.
- The Surveillance Self-Defense guide by The Electronic Frontier Foundation (EFF) provides best practices and step-by-step tutorials that help users of all levels of expertise defend themselves against surveillance by using secure technology.
- PrivacyTools is a socially motivated website that provides information about tools for protecting data security and privacy. If the website is down or compromised, users can access it on GitHub.
- The Guardian Project provides open source mobile security software to help end users communicate freely and protect themselves from intrusion and monitoring.
- Prism Break is a crowdsourced portal for privacy-aware, generally open source, alternatives to the most popular applications.
- BestVPN is an excellent privacy guide written by the creators of the bestVPN.com website.
- The Privacy Test portal is a diverse and comprehensive list of online privacy tests that help users find out what kind of information programs and services reveal about them and their devices.