It’s time to use a virtual private network

The Thinker by Rodin

As a tech guy, it’s rare for me to find technology and politics intersecting. Both are my passions. Last week though it did and at the suggestion of my wife (actually her friend) we subscribed to a virtual private network service.

Why? Well, if you live in the United States it’s hard to miss the news that Congress passed and on Monday Trump signed into law a bill that allows Internet Service Providers (ISPs) to sell your Internet usage data. The law prohibits the Federal Communications Commission (FCC) from implementing a rule planned for later this year. That Obama FCC rule would have prohibited ISPs from selling your Internet access information without your explicit consent. With the new law, ISPs don’t need your consent. So in addition to paying companies like Comcast $100 a month for your Internet service they now have government sanction to do whatever they want with your Internet access information and without your consent too. You would think they would at least give you a kickback depending on the value of the information.

Being money grubbing, profit-making corporations of course ISPs will try to sell your information for as much as the market will allow. There are likely to be plenty of buyers because what they have to sell is likely plenty valuable. Think about your Internet life. Perhaps it is quite G-rated, as mine is most of the time. But even if you lead a G-rated life your browser history will still be tracked and analyzed, and sold to companies that will want to sell you stuff. Of course it’s much easier to sell you stuff when they already suspect you have an interest in what they are promoting, which is why it will likely generate a lot of profits for ISPs. In the sales business, this is called prospecting. It used to be done door-to-door and now it’s done electronically and you have no say in the matter because it’s like leaving your front door open for marketers to roam around in at any hour of the day to observe your behavior.

This practice isn’t news. You probably get targeted ads that follow you online, as I do. It’s probably not Comcast (yet) selling this information, although in the past they were not legally prohibited from selling it. (Most of these are site owners sharing information they collect about your access on their site, principally your IP address, to others.) The issue was murky so ISPs appeared to be refraining from doing it. That’s not the case now and really if you complain what are you going to do? Most of us don’t have the option of choosing another ISP. I sure don’t here in Massachusetts where Comcast holds the monopoly. My only choice is to give up the Internet altogether or access it from public libraries. Obviously this is not a viable solution today. Google and Facebook of course make lots of money selling targeted ads. However, you don’t have to use Google or Facebook, and they don’t charge you for the privilege. Using it is a choice.

With no constraints on what ISPs can do with information it collects about you while using its network, pretty much anything about your Internet usage is now available potentially to anyone with the money. ISPs could even give it away for free. Perhaps you don’t mind getting targeted ads so you think, okay, I’m in. If I have to have ads thrown at me online all day, maybe they can at least be relevant. But consider some of the other ways this information could be misused:

  • The government could pay ISPs to collect all this information and store a copy in its own servers. You could even make a case for it. If the NSA is looking for potential terrorists, knowing you keep going to an al Qaeda website sure would be good to know. Of course while they are in there they could also learn that you frequent PornHub.com or regularly contribute to the American Communist Party. If you want to create a police state, this is a pretty efficient way to get one started.
  • Political parties could use it not just to find new voters, but also to target voters they don’t want voting because they suspect you will vote against their interests. This is similar to what the Russian government is accused of doing in our last election through fake news sites and sophisticated web robots that promoted false stories that it believed we were likely to fall for. It’s quite likely that Hillary Clinton lost the election through the promotion of fake news stories about her email server or actions on Benghazi while Secretary of State.
  • It would make it much easier for the Russians to affect future elections. Now they have to hunt to find gullible people. Buying the information up front is so much easier and allows a broader scope. Russia need not be the only state actor. Any nation with the cash (like China) could play.
  • Your spouse can find out that you frequent ashleymadison.com or gay porn sites.
  • Your Googling of medical conditions might suggest to health insurers that you are a bad bet and they might deny you a policy or cancel an existing one.
  • You may have related confidential family information, maybe about your kid’s run in with the law, or a son’s ADHD, or a sister with Alzheimer’s Disease, stuff that is your business, but not some stranger’s business.
  • Political enemies could discover you and target you, perhaps with a brick through your window because you gave to the ACLU and Planned Parenthood. (I am guilty of both.)

In short this should be very alarming. In more reasonable places, like most of Europe, laws prohibit this stuff. It doesn’t generate controversy because no one would consider an idea as radical as the bill Trump signed on Monday. Ah, but here in the USA we’re all about extreme capitalism. Those with the money make the rules and that appears to be Republicans since they moved this law, and very quickly too.

What can you do about it? I don’t intend to get into the many ways to safeguard your privacy on the web that have been around for years. In this case though you are being mined and recorded without your consent. Your Internet address is stored, geolocation information too along with a host of other information, like your web browser, the page you were viewing and the page that referred you to the page. It can all be logged and put into vast data warehouses and there is nothing you can do about it.

Okay, there is one thing: use a virtual private network (VPN). It’s hardly a perfect solution but it’s the next step. Unfortunately, a VPN service is rarely free, which means that if you value your privacy like everything else you will probably pay a cost, most likely in money, but perhaps just in your time. A VPN is a secure tunnel that your ISP cannot read, aside from knowing that you are connecting to a VPN site. Your web requests essentially are proxied through the VPN provider you choose.

(A side note: Congress is also considering legislation to do away with “net neutrality”. If passed, ISPs could use this is an excuse to block VPN sites or to charge them extra for the privilege, costs which would trickle down to you. This is just another reason that I think net neutrality is essential.)

We took the plunge last week and bought a year of VPN service from Private Internet Access. It’s a pretty good deal. ($40 a year for up to 5 simultaneous devices, if you pay for a year in advance.) I am not endorsing the company as we have just started using it. Of course you have no idea if the VPN service is reselling your information just like Comcast. You have to trust them. Private Internet Access’s terms of service suggest that if you are doing illegal things they can detect it and might report it. I’m quite confident that if they get a search warrant they can turn on logging easily enough. Of course they would not be in business long if they were engaged in these sorts of activities routinely. Private Internet Access, like most VPNs, says they don’t keep logs of your access. If true, it’s reasonably private.

So if you are shopping for a VPN, by all means shop around. This recent PC World article reviewed a bunch of VPNs so it’s a good place to get unbiased advice. (Private Internet Access is one of their Editor’s Choice winners.) Some, like one built into the Opera browser, are free. Most cost money. As you might expect the quality of the service you get depends principally on how much you are willing to pay. With Private Internet Access so far I have noticed:

  • I could not access Craigslist until I pointed it to use a connection point within the United States
  • I could not use it at the same time with another VPN. Since I teach at a local community college, I use its VPN from time to time. I could not use it until I first turned off the Private Internet Access VPN.
  • Content streaming is not noticeably slower but it is probably slower in general because there is an extra server between me and the content I want

Hopefully in time we’ll get a Congress and president again that will respect our privacy. Like with the Citizens United decision, Americans are overwhelmingly against this law, and that includes Republicans. So it’s likely Republicans will eventually pay a price for this heavy handedness. In the meantime if you value your privacy, you probably need to get a VPN.

It’s not paranoia if they really are out to spy on you

The Thinker by Rodin

President Obama says that no one is reading your email. Maybe not in my case because most of my email is not particularly interesting, but I sure as heck don’t like that the government is collecting huge amounts of metadata about me. Metadata (data about data) is really equally as interesting, if not more so, than actual emails and Facebook posts that you make.

Supposedly a secret court oversees all this. But it’s not a good omen when this court rejects only a handful of requests a year, and approves thousands of others. It’s not comforting to know that Big Brother is indeed watching me to keep me safer and that President Obama is as complicit in this mess as everyone else. Most of Congress has little idea what is going on, and those that do are sworn to secrecy. Being vested members of the system, they will have a natural tendency to think that government’s security needs will trump your right to privacy in your daily affairs.

I could possibly be okay with non-US citizens being monitored by the government but not me, no way, not without my explicit consent. I am a citizen, and I have freedoms and an inherent right to privacy. It’s in the Bill of Rights: freedom from unreasonable searches and seizures, a.k.a the Fourth Amendment. Any Supreme Court worth its salt would reject Project Prism, identified in leaks by Edward Snowden, as wholly unconstitutional. But it is clear that the NSA is sniffing pretty much every packet of data it can get its hands on, not to mention telephone records, and putting all the metadata into huge hosting centers, and maybe your data as well. It’s not even clear that even with a legal prohibition they would actually stop.

Like many Americans I will be working to enact laws to get the government out of the proactive data collection business of U.S. citizens altogether. I have to admit that the probability of my success is rather low, but it would help dear reader if like me you holler like hell at your elected officials. They need to understand that this is not acceptable at all. And if you are cool with the government reading your email and tracking your online behavior then by all means give them permission to do so. I never did.

There have been a number of depressing articles recently about just how easily the government can collect information about us. Of course, it is not just the government. We are already deeply in bed with services like Google that make fabulous search engines and great email in the cloud products, while developing uncannily eerie portfolios of our behavior more valuable than years of babbling to a clinical psychologist.

If like me you are fed up, you might try a few ways of fighting back. Here are some I know about from reading, my experience and that very useful course I took on networking in graduate school.

First off: email. I am guilty of using Gmail. It sure is convenient to have a decade or so of email in the cloud, accessible anywhere I go. However, if you really want private email, you are going to have to pay for it. More importantly, you need an email host not located in the United States. This way when they get a subpoena from a U.S. court they can just laugh. You pay them so they don’t start serving you advertisements and developing their own psychological profile of you. There is no completely risk free solution, but you need to avoid all the cloud email services and that includes GMail, Yahoo Mail, MSN, Hotmail and the like. Here’s one to try: hushmail.com. They are located in Canada and all email is sent via Secure Socket Layer (https). You can use their free web email but if you prefer secure POP or IMAP access, you got to pay them. Their premium package is $34.99 a year. It’s money well invested. Of course they do have some limitations. You can’t use it for sending out spam or for any illegal purpose, at least for any illegal purpose applicable in British Columbia. And for their free web mail, if you don’t log in at least every three weeks, they’ll remove your account. If you do have a hushmail.com or similar type of account, don’t advertise it on your web site or business cards. You don’t want the NSA to associate you with it.

Like to instant message? Don’t particularly like having the NSA able to listen in? What you need to do is nag your chat partners to use encryption. Of course many providers already provide that, but if they can decode it on their servers when sending it between parties then you are vulnerable. You need a chat client with OTR (“off the record”) functionality. Basically you and your recipient exchange cryptographic keys each of you generate and trade them using the protocol. It takes a little bit of effort and you may have to convince your friend to use Adium (Mac) or Pidgin (PC and other operating systems), and then show them how to use OTR. It’s a relatively painless one-time thing between two parties. Your instant messaging provider won’t be able to decrypt it, and neither will the NSA.

Who doesn’t like surfing the web? You may not like it as much if you can’t use your favorite browser, but if you can deal with Firefox you can install TOR, a browser endorsed by Edward Snowden himself. TOR is a customized version of Firefox with privacy enhancements, so it is built on top of an open-source browser. Essentially it proxies traffic between frequently changing servers, making it hard if not impossible for your browsing to be associated with your address on the Internet. I tested it yesterday. I admit it is a bit slower working through a proxy and some of the security features are annoying (it doesn’t want to retain links or easily import bookmarks). But used religiously and you will seem a G-rated person to the NSA even if you live an R-rated life.

Like your cellular phone service but want it secure? Look into Silent Circle. You can also use it for secure messaging, video chats and email. Also look at Redphone software. Curiously, Redphone was developed with your tax money.

What else can you do? If you don’t like turning over private aspects of yourself you could be very brave and delete your Google, Yahoo and other cloud-based accounts. Remember, the government could request these services to give you all their metadata. I’ll grant you that deleting these accounts is hard because they are so convenient. So save those services for the truly vanilla stuff you wouldn’t mind putting on a postcard.

On my list of things to do is getting rid of accounts on sites that provide specialized services. I mentioned mint.com earlier this year. It’s a neat site but it knows too much about me, including all my account numbers and passwords. It’s going to get deleted soon. I’ll keep my financial stuff in Quicken on my home computer. I’ll backup my files to a spare external hard disk, which is easy enough using my Mac and TimeMachine.

Six years ago I mentioned TrueCrypt. It’s a great way to encrypt your whole hard drive, so even the NSA can’t read it. With many operating systems you can do this with a simple command or two. Look into it.

Mobile devices have all sorts of security issues. At a minimum you can try to use secure socket layer when communicating. Many of the solutions I mention above have mobile equivalents. Use them if you can or keep your mobile life boring and G-rated.

Thanks to Edward Snowden, our worst fears have been confirmed. There is no reason to let the government know more about you than your spouse, but that potential is there. You are being sniffed, cataloged, indexed and, perhaps without a court order, having your digital content analyzed for subversive behavior or anything the government wants to learn about you. Join me in yelling like hell but don’t be a patsy either. Do what you can to keep the government out of your digital life.

TrueCrypt puts the personal in PC

The Thinker by Rodin

Your computer is somewhat like a post card. Although you may be able to restrict who gets onto your machine, in general the data stored on your computer is stored as plain text and is thus easily compromised.

If you are like me, one of the reasons you own a PC is because you want not just a computer, but a personal computer. “Personal” means more than the freedom to change your screensavers. A personal computer should make your sensitive data available only to you.

Unless you take the time to password protect your documents, your computer is a treasure trove of information about you that you may not want shared. Many applications allow your data to be password protected, but that does not necessarily mean that the data itself is encrypted. Even if it is, that does not mean the vendor’s encryption algorithm is good. Ideally, you would like your private data to be only accessible by you as well as stored and encrypted in a transparent manner. You might even want the NSA to throw up their hands if they were ordered to decrypt your files.

If you feel this way, you want the terrorists to win. No wait, I am parroting our president. Actually, if you feel this way: congratulations. Your personal computer should not be amenable to electronic snooping. The problem is not with your need for privacy, which is entirely natural, but with those elements in society that figure anything is fair game, including your hard disk.

I have been experimenting with a free open source software solution that is fighting back. It is called TrueCrypt. For those of you in the Microsoft Windows world, it can ensure that data on your hard disk or other devices (like your flash drive) is stored in an encrypted format. Once you create your virtual disk (which is some portion of your actual hard disk), it behaves just like any other drive. You can move files in and out of it using tools like Windows Explorer. However, everything stored on this virtual drive is encrypted.

There is not a whole lot of data I want to keep truly private, but there is some. My Quicken data files are an obvious example. While Quicken allows you to save your data in an encrypted format there is the annoying password I have to provide each time I start it and the latency from starting and using the program. Moreover, I suspect their encryption scheme is rudimentary. Of course if you have an encrypted virtual drive you can store anything you want inside of it that you consider private, from letters from old boyfriends, to your electronic diary to your favorite porn.

If you decide to buy Windows Vista Ultimate, you can pay money for this level of protection. Of course, most of us will not want to spend extra money. In addition, most of us Windows users are still in the Windows XP world where the Windows “experience” does not include this kind of transparent file encryption. Moreover, call me paranoid, but I have a hard time trusting my hard disk to Microsoft in the first place. I would much rather trust my privacy to an open source product like TrueCrypt than to Microsoft.

After installing Truecrypt, to store private files you must first create a virtual disk. It can be as small or big as you want. From the perspective of Microsoft Windows, it is just another file on your machine. (TrueCrypt can also format entire disk partitions or devices.) If you want to make a very big virtual disk, it may take some minutes to format it. Here is Truecrypt’s downside: you must start Truecrypt, enter your password, point it to the location of your encrypted volume and then assign it to a drive letter. This is called mounting and it can take 15-30 seconds. Once the volume is mounted, it is then accessible. So if you do not dismount it before walking away from your computer, data on it could be accessible to someone else. Since it is just another drive from the Windows perspective, if you are a sloppy person who cannot be bothered to install a firewall, virus protection software and anti-spyware software, it is still possible for others to get at your private data. If you use Google Desktop Search, you will want to make sure it does not search your encrypted drives.

While not a perfect solution, Truecrypt is the good enough 90% solution at a price that is impossible to beat. While you cannot hide the space it consumes on your hard disk, you can give each virtual drive a boring looking file name. One you have your virtual disk, you can even hide a volume inside it. This way even if you were forced to divulge your password, the person would not necessarily see your stored files, since the hidden volume would not be shown.

My next computer will likely be an iMac. I assume Apple is smart enough to include features like this by default. While I wait for a financial justification to replace my PC, solutions like Truecrypt help me believe that for the first time I really do have a personal computer.