Online and offline privacy basics



As technological innovation creates new opportunities to collect, process and transfer personal information, the privacy risks associated with it grow. Privacy can be seen as an aspect of security.
This article shows you some technical approaches to increasing your privacy on your local machine as well as on the Internet. I will describe some aspects of encryption, secure protocols, Linux distros, privacy software, e-mail privacy, VPNs, etc., to give you an idea of where you can improve your privacy.
This article does not cover organizational aspects, user behavior or privacy law.

Encryption

Encryption is the translation of data into a secret code. It is two-way: encrypted data can be decrypted to recover the original data. To read encrypted data you must have access to a secret key or password that enables you to decrypt it. Encryption is the most effective way to exchange secured data.
Encryption can be provided by hardware, by software or as an option of a program.

Hardware

Hardware-based encryption uses the device’s on-board security to perform encryption and decryption. It is self-contained and does not require the help of any additional software. Therefore, it is essentially free from the possibility of contamination, malicious code infection or vulnerability.

A hardware-based solution is most advisable when protecting sensitive data on a portable device such as a laptop or a USB flash drive; it is also effective when protecting data at rest.

Hardware-based full disk encryption systems can encrypt the entire boot disk, including the MBR.

There are also routers with hardware encryption engines.

Software

Software encryption programs are more prevalent than hardware solutions today. Software encryption is available for all major operating systems and can protect data at rest, in transit and stored on different devices. The protection granted by these solutions, however, is only as strong as the security of the device’s operating system. Performance degradation is a notable problem with this type of encryption.

Encryption software encrypts and decrypts data, usually in the form of files, directories or partitions on hard drives. It also works on removable media, on e-mail messages and on (data) packets sent over networks.

Examples :
– VeraCrypt
– PGP (Pretty Good Privacy)

See more about encryption in my article : Data encryption made easy

Local privacy

Local privacy means protecting the data on your machine from being read by unwanted persons. This also concerns deleted files, the metadata attached to your files, as well as LSOs and DOM storage.
If you transmit files over the Internet, you probably do not want to be exposed by their metadata.

File / directory encryption

File / directory encryption is a form of disk encryption where individual files or directories are encrypted by the file system itself. Access control lets you give individual access rights to a single file/directory or to a group of them.

Disk encryption

Full disk encryption (or whole disk encryption) is a kind of disk encryption software which encrypts every bit of data that goes on a disk or disk volume. The term “full disk encryption” is often used to indicate that everything on the disk is encrypted, including the programs that perform the encryption. These programs must, however, leave the master boot record (MBR), and thus a part of the disk, unencrypted.

Secure file wiping

When you issue the command to delete a file, the file is in fact not deleted at all. Usually the file’s name is removed from the disk’s index and the space occupied by the file is marked as available for new data. However, as long as no new data is written to those locations, the ‘deleted’ file can still be recovered.
A popular standard states that you should wipe a file at least three times: with zeros, with ones and then with a random pattern. This should even erase the magnetic remains of your data, which can still be detected after the data has been overwritten only once.

The swapfile poses a special challenge. This file is used by the operating system to temporarily store data that is used by active programs. That data may contain passwords the user just entered or other sensitive data. However, the swapfile cannot be wiped, as it is constantly in use by the operating system.

Another difficulty occurs with so-called journaling filesystems (JFS) or log-structured filesystems (LFS). Such filesystems store data in a different way, so that it can always be recovered after a crash.

Wiping the MBR is sometimes also necessary!

Bad sectors can also contain sensitive data; they have to be wiped too.

Wipe possibilities :
– Shredder utility
– Live CD + shredder utility: this allows you to wipe the swap file and the JFS.
– Low-level formatting tools from the hard disk manufacturer wipe everything: swap, JFS, MBR and bad sectors
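The three-pass overwrite described above (zeros, ones, random), as an added example that is not code from the original article: a small shredder utility that overwrites the file in place, forces each pass to disk, shrinks the file, hides its name and then unlinks it. The function name and file names are my own choices; the caveat in the docstring restates the swap, journaling and bad-sector limits noted in the text.

```python
import os
import secrets

# Overwrite passes in the order the article describes: zeros, ones, then a random pattern.
PATTERNS = (b"\x00", b"\xff", None)   # None means fresh random bytes for every block


def wipe_file(path, block_size=64 * 1024):
    """Overwrite a file in place with each pattern, sync each pass to disk, then unlink it.

    Returns the number of completed overwrite passes.
    Caveat: journaling filesystems, SSD wear-levelling, swap and remapped bad sectors
    can hold copies that an in-place overwrite never reaches (see the text above).
    """
    size = os.path.getsize(path)
    passes = 0
    with open(path, "r+b") as f:
        for pattern in PATTERNS:
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(block_size, remaining)
                f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())        # force the pass onto the disk, not just the page cache
            passes += 1
        f.truncate(0)                   # do not leave the original length behind either
        os.fsync(f.fileno())
    # Rename to a random name before unlinking so the directory entry no longer reveals the name.
    anonymous = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.replace(path, anonymous)
    os.remove(anonymous)
    return passes


if __name__ == "__main__":
    demo = "wipe_demo.txt"            # constructed sample file
    with open(demo, "wb") as fh:
        fh.write(b"secret draft\n" * 1000)
    print("passes:", wipe_file(demo), "still exists:", os.path.exists(demo))
```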

Metadata removal

Metadata can be found in many types of files such as documents, spreadsheets, presentations, images and audio files. It can include information such as details on the file authors, file creation and modification dates, document revision history and comments.

A metadata removal tool protects privacy by removing potentially compromising metadata from files before they are shared with others.
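What such a tool does for one common format, as an added example that is not from the original article: a PNG is a sequence of chunks, and author, comment and timestamp information lives in ancillary chunks (tEXt, zTXt, iTXt, tIME, eXIf) that can be dropped without touching the image data. The helper names and the 1x1 sample image are my own constructions.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Ancillary chunks that carry descriptive metadata: text fields, timestamps, embedded EXIF.
METADATA_CHUNKS = {b"tEXt", b"zTXt", b"iTXt", b"tIME", b"eXIf"}

def _chunk(ctype, data):
    """Serialise one chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def iter_chunks(png):
    """Yield (type, data) for every chunk, checking the signature and each CRC."""
    if png[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    pos = 8
    while pos < len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError("corrupt chunk %r" % ctype)
        yield ctype, data
        pos += 12 + length

def strip_png_metadata(png):
    """Return (cleaned PNG, list of removed chunk types); image data is kept byte for byte."""
    out, removed = bytearray(PNG_SIGNATURE), []
    for ctype, data in iter_chunks(png):
        if ctype in METADATA_CHUNKS:
            removed.append(ctype.decode())
        else:
            out += _chunk(ctype, data)
    return bytes(out), removed

def text_keywords(png):
    """Keywords of all tEXt chunks (e.g. 'Author'), to show what a recipient could read."""
    return [d.split(b"\x00", 1)[0].decode() for t, d in iter_chunks(png) if t == b"tEXt"]

def make_sample_png():
    """Constructed 1x1 greyscale PNG with an Author field and a timestamp (not a real photo)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)      # width, height, depth, grey
    idat = zlib.compress(b"\x00\x80")                          # filter byte + one pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"tEXt", b"Author\x00Jane Doe")
            + _chunk(b"tIME", struct.pack(">HBBBBB", 2019, 5, 1, 12, 0, 0))
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))
```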

LSO

LSO stands for Local Shared Objects; they are also called flash cookies, super cookies or simply flash content. Even if you regularly clean out your browser cookies, flash videos and other objects leave all kinds of traces on your machine. LSO files are typically stored with a “.SOL” extension.

With Firefox you can use, for example, the “Better Privacy” add-on to delete LSOs.

If you want to block Flash content from Macromedia, use the “Flashblock” add-on for Firefox.

You can increase the privacy of the Macromedia player by modifying the settings here.

DOM

DOM stands for Document Object Model; DOM storage is also called Web storage.

DOM is the specification for how objects in a Web page (text, images, headers, links, etc.) are represented. The DOM defines what attributes are associated with each object and how the objects and attributes can be manipulated. Dynamic HTML (DHTML) relies on the DOM to dynamically change the appearance of Web pages after they have been downloaded to a user’s browser.

DOM storage supports persistent data storage, similar to cookies but with a greatly enhanced capacity. There are two main DOM storage types: local storage and session storage, behaving similarly to persistent cookies and session cookies respectively.

You can delete DOM storage by changing the browser’s default preferences or by using a browser add-on like “Click&Clean”.

Internet privacy introduction

Privacy on the Internet commonly refers to what information is shared with the visited site, how that information is used, with whom it is shared and whether it is used to track users.

The challenge in Internet privacy is to share data while protecting personally identifiable information. Having control (access) over personal data sent to service providers as well as the possibility to correct or delete personal data are important keys in Internet privacy.

There are many reasons to hide your real identity when you use the Internet. You might want to protect yourself against an oppressive government or post personal messages to a Usenet newsgroup without identifying yourself to the whole world as the poster.

Secure Internet protocols

Secure Internet protocols transport your data over the Internet in encrypted form, so that it is transmitted in a secure way.

TLS

Means Transport Layer Security.

TLS’s predecessor is the Secure Sockets Layer (SSL).
TLS commonly uses port 563 to connect your computer to a secure server on the Internet. TLS is most often used for transmitting credit card, tax, banking or personal information to a business server.

SSL

Means Secure Sockets Layer.

SSL encrypts data with two keys: a public key and a private key. The public key is used in issuing a certificate to confirm your identity. The information you provide is then put in the private key, which is used to allow you to interact with the server. Banking websites often use SSL as well as many email servers.

HTTPS

Means Hypertext Transfer Protocol Secure.

HTTPS is a combination of the Hypertext Transfer Protocol with the TLS/SSL protocol to provide encryption and secure identification of the server. HTTPS connections are often used for payment transactions on the World Wide Web and for sensitive transactions in corporate information systems. HTTPS should not be confused with Secure HTTP (S-HTTP), see below.

S-HTTP

Means Secure Hypertext Transfer Protocol.

Secure Hypertext Transfer Protocol is a little-used alternative to the HTTPS URI scheme for encrypting web communications carried over HTTP. For sensitive transactions such as e-commerce or online access to financial accounts, the browser and server must encrypt this information.
HTTPS and S-HTTP were both defined in the mid-1990s to address this need. Netscape and Microsoft supported HTTPS rather than S-HTTP, which led to HTTPS becoming the de facto standard mechanism for securing web communications.

SSH

Means Secure SHell.

SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices. Used primarily on Linux and Unix based systems to access shell accounts, SSH was designed as a replacement for Telnet and other insecure remote shells.

SSH commonly uses port 22. It is most often used by network administrators as a remote login / remote control way to manage their servers.

Linux distros for privacy

These distros allow you to surf the Internet anonymously, in a manner that even your ISP cannot track your browsing behavior. Encryption may also be involved.

Tails

Tails is a live operating system that you can start from a USB stick or a DVD.

It aims at preserving your privacy and anonymity and helps you to:
– use the Internet anonymously and circumvent censorship: all connections to the Internet are forced to go through the Tor network
– leave no trace on the computer you are using unless you ask it explicitly
– use state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging

Discreete Linux

Discreete Linux is the new name for Ubuntu Privacy Remix which has been around since 2008.

Discreete Linux provides an isolated, local working environment that is not accessible to spyware (Trojan software). Therefore, sensitive data can be processed, encrypted and stored securely and is protected against such surveillance and espionage attacks.

A clever feature is that kernel modules can only be installed if they’ve been digitally signed by the Discreete Linux team. This prevents hackers from trying to sneak in malware.

Whonix

Whonix is a desktop operating system designed for advanced security and privacy.
Whonix is neither a live system nor an installable setup; it runs in a virtual machine on top of your OS.
Whonix ensures that you remain completely isolated, so DNS leaks are practically impossible. This makes sure that even malware with root privileges is unable to find a user’s real IP.

Privacy software

Privacy software (installed on your machine) basically hides your IP address and encrypts your data. Standalone software solutions as well as browser plugins are available.

Tor (The Onion Router)

Tor works by routing Internet traffic through several “onion” servers, obscuring the originating IP address. Tor prevents somebody watching your Internet connection from learning what Websites you visit and it prevents the Websites you visit from detecting your physical location.

Privoxy (privacy enhancing proxy)

Privoxy is a web proxy program. It has filtering capabilities for protecting privacy, modifying web page data, managing cookies, controlling access and selectively removing content such as ads, banners and pop-ups.

I2P

I2P is an anonymous network, exposing a simple layer that applications can use to anonymously and securely send messages to each other. All communication is end to end encrypted and even the end points (“destinations”) are cryptographic identifiers (IP hiding). Sender and recipient are unidentifiable to each other as well as to third parties.

HTTPS Everywhere (Firefox add-on)

This add-on makes the browser use HTTPS, the more secure web-browsing protocol, which encrypts all of the web data transmitted between the server and your browser using SSL/TLS. So even if someone intercepts your connection, they won’t be able to read the data.

NoScript (Firefox add-on)

Unpatched JavaScript exploits could potentially be used to trick your browser into delivering identifying information. If you want to be truly anonymous, you’re going to need to disable JavaScript.

E-mail privacy

E-mail privacy means the protection of electronic mail from unauthorized access and inspection.
E-mail can potentially be accessed on the mail server, the local machine and when sending and receiving the e-mail.

One simple solution is to use Gmail with your browser only. You don’t have the e-mails on your local machine, and the transport is secured by HTTPS.

If you are looking for more privacy, choose one of the secure e-mail services like :
– Runbox
– Mailfence
– ProtonMail
– Posteo.de
– Tutanota

Anonymous remailer

An anonymous remailer is a server computer which receives messages with embedded instructions about where to send them next. It forwards them without revealing where they originally came from.

Peer-to-peer filesharing

Peer-to-peer file sharing is the distribution and sharing of digital media using peer-to-peer (P2P) networking technology. The anonymity of participants is usually achieved by special routing overlay networks that hide the physical location of each node from other participants.

Client examples :

– BitTorrent
– eMule
– Gnutella

Anonymous proxy

An anonymizer or anonymous proxy makes your browser’s activity on the Internet untraceable by hiding your public IP address. It is a proxy server that acts as an intermediary and privacy shield between your computer (browser) and the rest of the Internet.

When using a proxy, it is important to realize that the proxy you’re using could keep a log of visitors. This means if someone really wants to find you, it could still be possible. Finally, keep in mind that you will not know who is controlling the proxy. If you’re entering sensitive data such as usernames, passwords, credit card information or reading your e-mail – be aware that the person in control of the proxy could capture and read that information!

Examples of anonymous proxy servers :

– Zend2
– Hidester

VPN

A VPN basically allows all applications to communicate in a secure/private manner over the Internet.

From Wikipedia :
“A virtual private network (VPN) extends a private network across a public network. It enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Applications running across the VPN may therefore benefit from the functionality, security and management of the private network.”

VPNs are also used to securely connect geographically separated offices of an organization, creating one cohesive network.

A VPN is created by establishing a virtual point-to-point connection through the use of dedicated connections, virtual tunneling protocols or traffic encryption.

VPN Examples :

– OpenVPN
– Openswan

Virtual private network (VPN) technology is based on the idea of tunneling.

VPN tunneling essentially involves establishing and maintaining a secured network connection in which packets, constructed in a specific VPN protocol format, are encapsulated within some other base or carrier protocol (example: TCP/IP).
The packets are then transmitted between the VPN client and server and finally de-encapsulated on the receiving side.
The tunnel is the logical path or connection through which the encapsulated packets travel across the transit network (example: the Internet).
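The encapsulate / transmit / de-encapsulate cycle just described, as an added example that is not code from the original article and not the format of OpenVPN, Openswan or any real VPN protocol: a hypothetical tunnel frame (magic, sequence number, encrypted inner packet, MAC) that rides as the payload of an ordinary carrier packet. The HMAC-SHA256 counter-mode keystream is a stand-in for a real cipher such as AES-GCM and is here only to keep the example dependency-free; the keys and inner packet are constructed demo values.

```python
import hashlib
import hmac
import struct

# Hypothetical tunnel frame layout (an illustration, not OpenVPN's or any real VPN format):
#   magic(2) | seq(4) | encrypted inner packet | tag(32)
# The whole frame then travels as the payload of an ordinary carrier packet (e.g. UDP over IP).
MAGIC = b"VT"
TAG_LEN = 32

def _keystream(key, seq, n):
    # Illustrative only: HMAC-SHA256 in counter mode stands in for a real cipher such as AES-GCM.
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack(">IQ", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:n]

def encapsulate(enc_key, mac_key, seq, inner_packet):
    """Client side: encrypt the inner packet, add the header, append a MAC over header+ciphertext."""
    ks = _keystream(enc_key, seq, len(inner_packet))
    body = MAGIC + struct.pack(">I", seq) + bytes(a ^ b for a, b in zip(inner_packet, ks))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def decapsulate(enc_key, mac_key, frame, last_seq):
    """Server side: verify the MAC first, reject replays, then decrypt and return (seq, inner)."""
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        raise ValueError("bad MAC: frame forged or corrupted in transit")
    if body[:2] != MAGIC:
        raise ValueError("not a tunnel frame")
    (seq,) = struct.unpack(">I", body[2:6])
    if seq <= last_seq:
        raise ValueError("replayed or out-of-order frame")
    ks = _keystream(enc_key, seq, len(body) - 6)
    return seq, bytes(a ^ b for a, b in zip(body[6:], ks))

if __name__ == "__main__":
    enc_key, mac_key = b"e" * 32, b"m" * 32                  # constructed demo keys
    inner = b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"      # constructed inner packet
    frame = encapsulate(enc_key, mac_key, 1, inner)
    print("inner packet readable on the wire?", inner in frame)
    print("decapsulated:", decapsulate(enc_key, mac_key, frame, 0))
```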

Minimalistic tips

Technical level :

– Before you start installing privacy tools on your system, install the necessary security elements!

– Disable the WiFi on your router or use at least the highest security settings

– Use HTTPS, this encrypts data coming from the server to your computer

User level :

– Do not disclose any private information unless absolutely required

– In some cases e.g. when your last name is required, only fill in partial information such as your last initial

– Don’t disclose private information in e-mail
