VPNs aren’t going to save you



Well now that the Trump administration has sold you out (surprised?), here are some things you should know and do:


A VPN is crucial, but it’s not going to fully protect you.

A VPN is a network that you connect to before communicating with the wider internet. Your communication with the VPN is encrypted, meaning that no one between you and the VPN (your ISP included) can see what you are sending to and from it.  The VPN still needs to connect to the wider internet though, so it forwards your requests and returns the responses to you over the same encrypted link.  If the VPN does not keep records of your account access or IP address (and this is one of the main things you want to look for), then there is no way to link your web searches with your computer.  This is good, and will go a long way to protect against some of the potential damage that S.J. Res. 34 will cause.

However, this doesn’t do anything if you are logged into services like Google, Facebook, etc.  While your searches and online activity are now protected from outside snooping (and this is important), the companies you use to navigate the internet are still collecting your data and can sell it. And they do.  For a recent example, see the US election.

Instead of Google, why not try DuckDuckGo – a great search engine that doesn’t track your searches. It can also act as an intermediary to Google, letting you run Google searches without Google tracking you.

You really need to encrypt your e-mails

You know that all the stuff you type into gmail is stored, analyzed, and now can be easily sold, right?  Even if you don’t send the e-mail, it’s saved as a draft and it can be analyzed.  And over a large enough dataset it doesn’t take much effort to extract simple insights – I wrote a while ago about metadata and freedom, and about why you really should be encrypting everything you send out.

Sending an e-mail across the internet is the equivalent of shouting it out in a football stadium.  Sure, it’s loud and there are so many other conversations happening that it seems unlikely that yours will be listened to, but it’s not impossible – and the reality is that security services no longer listen to individual conversations: they record all of them, then go back later and search if they feel the need to.
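To make the metadata point concrete, here is an added example (mine, not from the original post) that parses two constructed messages the way a collector sitting on the path would. The PGP ciphertext in the first message is a placeholder, not a real PGP block, and the addresses are made up. What it shows is that encrypting the body hides the text but leaves sender, recipient, subject, date and message size fully readable, and that a stored collection can still be searched for who talked to whom.

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"strings"
)

// Two constructed sample messages. The first has a PGP-encrypted body (the
// ciphertext is a placeholder, not a real PGP block); the second is plaintext.
const encryptedMessage = `From: alice@example.org
To: bob@example.net
Subject: Draft of the report
Date: Tue, 28 Mar 2017 09:15:00 -0400
Message-ID: <constructed-0001@example.org>

-----BEGIN PGP MESSAGE-----

hQEMA3x3placeholderCiphertextConstructedForThisExample==
-----END PGP MESSAGE-----
`

const plaintextMessage = `From: alice@example.org
To: carol@example.com
Subject: Lunch?
Date: Tue, 28 Mar 2017 12:05:00 -0400
Message-ID: <constructed-0002@example.org>

Same place as last week, 12:30.
`

// Observation is what a passive collector can store for one message without
// holding any key: the envelope and header metadata, plus the body only if it
// was sent in the clear.
type Observation struct {
	Sender, Recipient, Subject, Date, MessageID string
	BodyEncrypted                              bool
	BodyBytes                                  int
	ReadableBody                               string
}

// Observe parses a raw message the way a collector on the path would. PGP
// encrypts the body only, so every header field is recorded as-is.
func Observe(raw string) (Observation, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return Observation{}, err
	}
	bodyBytes, err := io.ReadAll(msg.Body)
	if err != nil {
		return Observation{}, err
	}
	body := string(bodyBytes)
	obs := Observation{
		Sender:        msg.Header.Get("From"),
		Recipient:     msg.Header.Get("To"),
		Subject:       msg.Header.Get("Subject"),
		Date:          msg.Header.Get("Date"),
		MessageID:     msg.Header.Get("Message-ID"),
		BodyEncrypted: strings.Contains(body, "-----BEGIN PGP MESSAGE-----"),
		BodyBytes:     len(body),
	}
	if !obs.BodyEncrypted {
		obs.ReadableBody = strings.TrimSpace(body)
	}
	return obs, nil
}

// Correspondents returns every address that exchanged mail with addr in the
// stored observations. This is the "record everything, search later" query:
// it works identically whether or not the bodies were encrypted.
func Correspondents(store []Observation, addr string) []string {
	seen := map[string]bool{}
	var out []string
	for _, o := range store {
		other := ""
		if o.Sender == addr {
			other = o.Recipient
		} else if o.Recipient == addr {
			other = o.Sender
		}
		if other == "" || seen[other] {
			continue
		}
		seen[other] = true
		out = append(out, other)
	}
	return out
}

func main() {
	var store []Observation
	for _, raw := range []string{encryptedMessage, plaintextMessage} {
		o, err := Observe(raw)
		if err != nil {
			panic(err)
		}
		store = append(store, o)
		fmt.Printf("%s -> %s | subject %q | encrypted=%v | readable=%q\n",
			o.Sender, o.Recipient, o.Subject, o.BodyEncrypted, o.ReadableBody)
	}
	fmt.Println("alice talked to:", Correspondents(store, "alice@example.org"))
}
```

The practical consequence: encrypt the body, but also keep subject lines bland, because the subject is a header and travels in the clear with everything else.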

If you’re going to yell in a crowded room, better to yell gibberish.  Here is an excellent simple tutorial to get started.

Please feel free to send me an encrypted test e-mail.

You should probably be wary of WhatsApp and Facebook Messenger

Both of these programs offer end-to-end encryption, but it is not in the parent company’s interests to keep this data private.  In short, while I trust that this information is encrypted when it is sent across the internet, I do not trust that Facebook (who owns WhatsApp) is not keeping records of the encryption keys – it simply is not in their self-interest to do so.

Instead, I highly recommend the Signal app – they developed the tech that Facebook uses, and they have no interest in gaining access to your communications.

Use a fucking password manager

If all of your passwords across all of your accounts are the same, then you are screwed the moment one gets compromised. Instead, have different passwords for everything. “But this is too hard,” is no excuse – use a password manager that will remember the passwords for you. I use 1password and it is brilliant. There are many others.  Don’t be lazy.

Create multiple fake accounts for the services you use

In addition to different passwords, you want to have different accounts as well.  Why? Well it’s all about the metadata.  If you use “steve@holt.com” as your login for Facebook, Twitter, Instagram, Tinder, Reddit, and YouTube, then if someone buys data from all of these places, they can link it all together.  In relational database terms, this login would be the primary key – join the datasets on it, and you get a whole lot of information.

Even worse is if you have the same password across all of these accounts, but you don’t because you use a password manager now, right?
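Here is an added example (mine, not from the original post) of the join described above, run over three small constructed datasets standing in for data bought from a social network, a dating app and a video site. The addresses and facts are made up. One person reused a single login everywhere; the other used a different address per service. Joining on the login, exactly as a buyer would join tables on a primary key, reconstructs the first person completely and gets nothing beyond single isolated rows for the second.

```go
package main

import (
	"fmt"
	"sort"
)

// Record is one row of a "purchased" dataset: the login identifier the user
// gave that service, plus whatever that service learned. All rows below are
// constructed for this example.
type Record struct {
	Login string
	Facts map[string]string
}

// Profile is the merged result for one login after joining the datasets.
type Profile struct {
	Sources int
	Facts   map[string]string
}

// steve used one address everywhere; anna used a different address per service.
var socialNetwork = []Record{
	{"steve@holt.com", map[string]string{"city": "Newport Beach"}},
	{"anna@example.net", map[string]string{"city": "Lisbon"}},
}

var datingApp = []Record{
	{"steve@holt.com", map[string]string{"age": "31"}},
	{"anna.dating@example.net", map[string]string{"age": "28"}},
}

var videoSite = []Record{
	{"steve@holt.com", map[string]string{"watched": "home security cameras"}},
	{"anna.video@example.net", map[string]string{"watched": "sourdough tutorials"}},
}

// Link joins every dataset on Login, which is exactly a join on a shared
// primary key: rows with the same login collapse into one profile and their
// facts accumulate.
func Link(datasets ...[]Record) map[string]Profile {
	profiles := map[string]Profile{}
	for _, ds := range datasets {
		for _, r := range ds {
			p, ok := profiles[r.Login]
			if !ok {
				p = Profile{Facts: map[string]string{}}
			}
			p.Sources++
			for k, v := range r.Facts {
				p.Facts[k] = v
			}
			profiles[r.Login] = p
		}
	}
	return profiles
}

// Linked reports the logins that tie together more than one dataset: the
// identities a buyer can reconstruct across services.
func Linked(profiles map[string]Profile) []string {
	var out []string
	for login, p := range profiles {
		if p.Sources > 1 {
			out = append(out, login)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	profiles := Link(socialNetwork, datingApp, videoSite)
	for _, login := range Linked(profiles) {
		fmt.Printf("%s: %d sources, %v\n", login, profiles[login].Sources, profiles[login].Facts)
	}
	fmt.Println("distinct logins seen:", len(profiles))
}
```

Nothing here is clever: a broker needs no machine learning to do this, just a shared column. Separate addresses remove the column.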

One thing you can do for those services that require an e-mail confirmation, but that you don’t want to be linked to you, is to use a temporary e-mail account – try 10minutemail.com – it will generate an e-mail address that will disappear after 10 minutes.  Long enough to confirm your account and get started, with no trail. There are other anonymous e-mail address services as well; do a quick search to find them.

If you are truly committed or doing sensitive work, you can set up an unlinked Gmail account. This requires you to pay cash for a SIM card that is used to confirm your Gmail account, and then it requires vigilance to keep this e-mail separate from other aspects of your life.  A lot more work, but could be worth the peace of mind.

Encrypt sensitive material before it syncs to Dropbox

If you use Dropbox or any other cloud service, then your data is already in someone else’s hands.  I recommend setting up a service that encrypts data before you send it to Dropbox, like Boxcryptor, at least for your most sensitive data.
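What a tool like Boxcryptor does, stripped to its core, is shown in this added example (mine, not Boxcryptor's or Dropbox's code, and not from the original post). It encrypts a file's contents with AES-256-GCM under a key that never leaves your machine, so only the resulting blob lands in the synced folder; the sample document is constructed. The GCM tag also means a copy altered on the server fails to decrypt rather than quietly opening as garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh random 256-bit key. The key is the one thing that
// must stay out of the synced folder (a password manager or OS keychain is
// the usual home); without it the uploaded files are just noise.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one file's contents with AES-256-GCM and returns
// nonce || ciphertext || tag. This blob is what gets written into the Dropbox
// folder; the provider sees its size but none of its content.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per file is mandatory: reusing one under the same
	// key breaks both confidentiality and authentication in GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. The authentication tag means a blob that was modified
// server-side (or by anyone with access to the account) fails to decrypt
// instead of silently yielding garbage.
func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n+gcm.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	doc := []byte("constructed sample: 2016 tax return, account numbers, etc.")
	blob, err := Seal(key, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("blob to sync (%d bytes): %x...\n", len(blob), blob[:16])
	back, err := Open(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("restored:", string(back))
	blob[len(blob)-1] ^= 0x01 // simulate a modified copy coming back from the cloud
	if _, err := Open(key, blob); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

The file name and size still leak to the provider, so name sensitive files blandly; a real tool also encrypts names, which this example omits.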

Use TOR and Tails

Most people don’t need to do this, but if you are researching militias or North Korea, or you find yourself needing to get data out of a country unnoticed, then it’s worth looking closely at The Onion Router (Tor) and Tails – both of which will help keep you anonymous.

Other things

Just a reminder of other simple protections you can take.  Don’t use fingerprint IDs on your phones. Cover your computer camera with a sticker when not in use. Set up a strong password on your computer and phone. Use https everywhere. Browse in private mode. Wear tinfoil on your head. You know, the basics.

This stuff takes a little bit of work

But not much.  We are so used to everything being so goddamned simple, and this is how we got into this mess.  Don’t be lazy.  Click “connect to VPN,” spend three seconds to encrypt your e-mail, don’t give apps access to all of your personal information, be aware of what you are doing, and spend some time learning about how to protect yourself.  It’s not that complicated, and at the end of the day, not only do you protect your own data from snooping, but you also create a larger mass of people using encryption – and that protects others who are using it from being targeted due to their behaviours.

At the end of the day, VPNs, proxies, and other tools aren’t the answer. The answer is for citizens to be hyper-vigilant about their privacy, for people to get acquainted with the threats and the abilities governments, companies, and hackers have, and for individuals to stand up to short-sighted profit-driven decisions made by regulatory bodies.