6 Jan, 2014, by Bobby, in Software Security

It’s not a conspiracy theory anymore: we live in a surveillance state. The latest bout of evidence shows that our own governments have been snooping on our internet activities for years. It doesn’t matter who you are. They like watching you.


So what can we do? The good news is that we’re not entirely helpless. You just have to use the right services. Not all of the self-proclaimed “secure” services are really all that secure or private, not even when your activity is encrypted: if the company holds the keys, encryption only keeps outsiders out, not the company itself.

What we’re looking for are services that make it impossible for anyone but you to see your data once it’s online, including the company’s own employees. That way, if they’re ever subpoenaed for your data, they can comply with the request and your data still stays private, because only you hold the keys that decrypt it.

That type of privacy, coined Trust No One (TNO), is rarer than you might think. The services that can boast they use TNO are in the minority. But they do exist, and here I’ve compiled a shortlist of my favorites.

File Synchronization: SpiderOak

Cost: 2GB free – pay monthly fee for more


Services like Dropbox and Google Drive do a decent job of protecting your files from hackers. But the issue isn’t in their security practices; it’s that they hold the keys to your files, and their terms of service agreements spell out what they’ll do with that access.

Most file sync services reserve the right to view your data and even to hand it over if compelled by law enforcement. It doesn’t matter if you have nothing to hide. They’ve stated their willingness to give your data away without your consent. Period.

SpiderOak stands out because they’ve been on the TNO boat for a long time. It’s a more complicated file sync service than most, but it’s also the most versatile and private. I highly recommend it. Check out my SpiderOak tutorial for a thorough guide.

Secondary mention: Keep your eye on BitTorrent Sync. It’s still in beta as of this writing and they haven’t fully disclosed their methods of encryption. But it could prove to be one of the safest syncing services out there when it’s finished.

VPN provider: ProXPN

Cost: Monthly or yearly pricing plans


VPN services give you an encrypted “tunnel” to their server before your data exits onto the internet. This prevents anyone in between (like your ISP or the hacker in the coffee shop) from snooping on your connection. It also gives you a basic level of anonymity by hiding your real IP address and physical location from the sites you visit.

The weakness in a VPN lies at the far end of the connection, at the server where your traffic exits onto the internet. It leaves that server exactly as your computer would have sent it: anything the application didn’t encrypt itself (plain HTTP, for example) is readable there, and even for HTTPS the provider can see which sites you contact. The company providing the VPN can see everything that passes through, which makes them prime targets for government agencies trying to collect data.

ProXPN is my favorite VPN service, and I use it all the time. For one, they’re based in Thailand with their offices in the Netherlands, outside the reach of the most offending state governments. Second, they have stated very plainly in their terms of service that they will never give away your information to anyone, ever.

Furthermore, they keep no logs of any user activity whatsoever. As soon as you disconnect from their service, it’s like you were never there. This is a crucially important feature that any VPN service advertising privacy should have. (This was a recent change. Before mid-2015 they did keep logs for two weeks before deleting them. Their policy has changed.)

They’ve also been very reliable. And as a bonus, they have a free option with limited bandwidth. That way you can try them out before buying.


Secondary mention: PrivateInternetAccess seems like another good option, but I’ve never used it, so I can’t attest to its service. It looks like one of the better choices for VPN because they don’t retain your data or any logs of your activity, period. What’s more, they go the extra length of putting many users behind shared IP addresses, which makes tying any one IP address back to a single user much harder.

Online Backup: SpiderOak

Cost: 2GB free – pay monthly fee for more


SpiderOak makes it on the list again. This company doesn’t come up very often when people talk about online backup services like Carbonite or Crashplan. But online backup is already included when you sign up for any SpiderOak account.

What sets SpiderOak apart from other online backup services is that it does TNO encryption by default and you can’t turn it off. As far as I’ve looked, none of their competitors do this. Most of the other top services do offer TNO privacy, but only as an option you have to configure manually. SpiderOak doesn’t even give you the chance to screw it up. I like that.

But beware, as with every other TNO backup service, that if you access your files through their website or a mobile device, it voids the TNO privacy: to decrypt your files for you there, their servers have to receive your password, so at that moment they can technically see your data if they want to. Stick to accessing your files through the desktop software they provide and you’ll be fine.

Password Manager: LastPass

Cost: Free, premium account available


Password managers are more popular than ever. Cutting down password clutter is something we’ve all been pining for since the dawn of the login screen. For the most secure solution, there’s one that stands head and shoulders above the crowd.

LastPass not only uses very good technical security practices to sync your passwords, but it also employs TNO to keep them private: your vault is encrypted on your own device with a key derived from your master password, and neither the master password nor that key is ever sent to them, so even the employees of LastPass can’t see your passwords. LastPass has also been thoroughly vetted and recommended by security expert Steve Gibson.

Email: OpenPGP

Cost: Free, open source


Email was not originally designed to be secure or private, and it still isn’t, by a long shot. The only real way to encrypt email end-to-end is to set up and manage the keys yourself. That can be a tedious and nerdy process; it’s not easy for most users, so very few people do it. Unfortunately, that also means you can only exchange encrypted email with someone who has set up the same encryption capabilities, so its use remains very limited.

But if that sounds like something you want to do, the OpenPGP standard is the way to go. There’s no single standard piece of software, so you have many implementations to choose from. For web-based email like Gmail or Yahoo, try the Mailvelope plugin.

If you use an email client you’ll need a different solution. For Outlook, try the Outlook Privacy Plugin with Gpg4win. For Thunderbird, try Enigmail with GnuPG.

Instant Messaging: Cryptocat

Cost: Free, open source


Instant messaging has always been a big privacy risk. But Cryptocat has bucked this trend with very good TNO encryption to prevent anyone besides the intended recipient from reading your messages. It does not protect your location, however. You are not anonymized.

For ultimate privacy and anonymization I would recommend Bitmessage instead of Cryptocat. However, Bitmessage is highly geeky and even requires you to compile the source code before you can use it. Keep an eye on it, however, because someday it may become more usable and would definitely be my recommendation for the best private IMing.

Mobile Messaging: Threema

Cost: $1.99


Texting on your mobile phone cannot be considered private. Carriers have the capability to read and store your texts if they want to, even though they’re not obligated by law to do so (but rest assured, someone is still reading them). The best thing we can do is use a secure third-party app to make sure no one in the middle can eavesdrop on our conversations.

For messaging on iOS and Android, Threema does it right. Following the pattern of every other company on this list, Threema does very good TNO encryption. But it includes another feature that’s unique among messaging apps: the ability to authenticate your contacts by scanning a QR code in person. The code carries a fingerprint of your contact’s public key, so if the key you received through the server doesn’t match it, you know someone else has slipped their own key, and their own device, into the conversation. Checked once, it means that even continents apart you’re still texting the right person.

But of course, for Threema to work, both parties must be using it.

Internet Browsing: Tor

Cost: Free, open source


If you want even more anonymity than a VPN service can provide, your only real choice is Tor. Tor is an acronym for “The Onion Router.” It wraps your data in layers of encryption (like an onion) and routes it through a chain of volunteer-run relays around the world; each relay strips one layer and learns only which relay handed it the traffic and which one to pass it to next. The first relay sees your address but not your destination, the last sees your destination but not your address, and by the time your traffic comes out the other end no single point on the path can tell where it came from.

This anonymity comes at a price, however. Your bandwidth will be greatly reduced which makes it less suitable for watching videos and downloading large files. It also has the drawback of making you very interesting to the same government agencies you’re trying to avoid. They like to watch Tor traffic very closely. They really don’t like it.

For a great read on using Tor, check out this Lifehacker article.

How Far Should My Trust Go?

You would do well to avoid any delusions of complete privacy. We can’t assume anything. Technology has holes and it always will. Untrustworthy companies and governments exist and they always will. We can only allow our trust to go so far.

The services I list here are the better ones, though none of them can claim to be perfectly secure or private. That would require, in addition to perfect security practices, 100% transparency. Admittedly not all of them have this. Not all of the software in this list is open source, so it can never really be scrutinized on the level we’d like. But as far as trust goes, these guys deserve it more than most.