SECURITY LOCKDOWN

9 min read · Mar 31, 2015

A LAY PERSON’S GUIDE TO BASELINE PRIVACY

Inflammatory articles about a divisive tech culture critic were written and broadcast this past January. They marked the beginning of a shit-storm that included the publication of sensitive information about the critic (doxxing), SWAT being called on her family (swatting), and a bewildering to-do about her sex life that was bent on shaming and discrediting her. Historical mistakes were surfaced and referred to by people on both sides of the line, contributing to an unsavory pall of retribution. It was sordid business that made me feel sorry to be a human being.

This episode led me to ruminate on how dehumanizing the Internet can be, how deeply socialized gender is, and how elusive privacy has become.

I think that privacy and its decline is a particular problem for women given societal and cultural burdens (how we should look, behave, speak) which, if shunned, create disproportionate risk to professional and financial advancement, general security, and freedom of expression. At a minimum, it’s hard to speak out when we feel unsafe. The victim in the aforementioned attack specifically warned sympathizers to refrain from supporting her publicly due to the danger of getting doxxed themselves.

After the attack, the critic went dark for a week or two. I was disturbed and felt compelled to look more closely at my own behavior, habits, and tools that degrade or safeguard my privacy. It started out as an exercise for peace of mind, but the process made me recognize that many people, especially those who are not as savvy as the folks in the Bay Area tech scene (and even some in that demographic), are not aware of how poorly protected their personal information is.

There’s a ton of material already out there but, as an expert I interviewed said: “redundancy is not always bad. Saying the same thing in different ways reaches different people, and that’s good for all of us.”

In that spirit I thought I’d organize what I consider good habits and practices into a three-tier approach to better protecting your digital self. My target audience is the technically comfortable lay person who normally takes privacy for granted. My hope though is that even the savvy will find some of this information useful, and that unique value will surface in the strategies that I proffer.

My goals are to lay out an approachable baseline, increase awareness about the illusion of privacy today, and to contribute, in however small a way, to people feeling legitimately safer about having a public voice.

This article is the culmination of casual yet long-winded research, including conversations with industry experts, victims of abuse, and OG gamers. Online security and privacy come at the cost of convenience, so the more robust the protection you seek, the more time and effort it requires. Of course, whom you want protection from (government? harassers? telemarketers?) and what you want to protect (your contact information? your digital data?) will call for different strategies and priorities.

FIRST, SOME FOOD FOR THOUGHT

  1. Private browsing is neither private nor a priority.
  2. We are broadly tracked without consent or choice.
  3. Your 16-character password can be cracked in less than an hour.
  4. Signing out of Facebook doesn’t mean you’re not being tracked.
  5. Popular tools like Evernote do not provide encryption for data at rest.
  6. The Electronic Communications Privacy Act (ECPA) is from 1986, before the Internet.
  7. Public record laws haven’t evolved with digitalization. What goodies come up with your name?
  8. Bits of meta-data say a lot about you, especially in aggregate.
  9. See if your mobile carrier is tracking the websites you visit on your phone.
  10. Citizen Four is a good film. Watch it. Twice.

THE RECOMMENDATIONS

The following recommendations are presented in three levels, each balancing convenience and security in a commensurate manner. Together they address a mix of threats from various anticipated sources.

Level one recommends what anyone who regularly uses the Internet and popular online services should do to begin protecting their information.

Level two looks at additional measures one could take, trading time and effort for more security.

Level three is for individuals who require more security than the average person, and are willing to take on extra hassle for robust protection.

Last caveats: privacy maintenance takes time and, to be truly effective, ongoing effort. User interfaces change and references to them become outdated rapidly. These suggestions address a mix of different threats, but they are not exhaustive. They’re organized in a subjective manner and are by, and for, the non-expert. However, as previously stated, I’ve tried to do due diligence by consulting with industry experts as much as possible throughout the process.

LEVEL ONE

These tip in favor of convenience. They are big-bang-for-the-buck tasks that, in many cases, only need to be done once, or very infrequently, to help establish a security baseline.

PROTECT YOUR DEVICES

  1. Turn on pass codes for all of your devices.
  2. Encrypt your laptop. (On a Mac, do this by turning on FileVault. If it gets stuck, try this.)
  3. Cover all of your iSight cameras to prevent being filmed without your knowledge.
  4. Review and fix your laptop’s security & privacy settings.
    - For example: turn off iCloud photo syncing and Spotlight suggestions on your Mac.
  5. Review and fix your devices’ security & privacy settings:
    - For example: turn off location and cloud services for some apps, or turn them to “while using” on iPhone. (On Android, unfortunately, you can’t turn off location on a per-app basis.)
    - For example: turn off ad tracking on your device. (e.g., on the iPhone go to Settings, General, Privacy, Advertising.)
  6. Turn off devices when going through customs or airport security in case the machine is confiscated.
  7. Back everything up locally and regularly. Just in case.

USE STRONG PASSWORDS TO DEFEND AGAINST HACKING

  1. Get a password manager.
  2. Create a strong master password of at least 16 characters. Do not write it down anywhere. It should contain a mix of symbols, numbers, and upper- and lower-case letters, and should not be semantic; if you do this, you don’t need to change it often. Here’s a way to memorize hard-to-guess passphrases.
  3. Use a strong-password generator (1Password offers this feature) to create non-semantic passwords that are 20+ characters long for everything.
  4. Install a password manager extension in your browser so that you can access these passwords easily without having to remember them.
  5. Store sensitive information such as credit card numbers with a service (like your password manager) that doesn’t know your master password and provides encryption for data at rest.
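As an added illustration (not part of the original article): the two numbers that matter for a generated password are its length and the size of the character set it draws from, because a uniformly random password of n characters over an alphabet of k symbols has n·log2(k) bits of entropy. This Python example, using only the standard library, generates passwords the way a password manager does (from the operating system’s CSPRNG) and reports that figure; the 16-character floor and the 20+ character target come from the list above, and the formula is only an upper bound for a semantic password, since it assumes every character was chosen at random.

```python
import math
import secrets
import string

# Upper, lower, digits and symbols, as the checklist recommends (94 characters).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 16  # the article's floor for a master password


def generate_password(length: int = 20) -> str:
    """Draw `length` characters uniformly from ALPHABET using the OS CSPRNG.

    `secrets` is the right module here; `random` is predictable and unsuitable.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"use at least {MIN_LENGTH} characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def has_all_classes(password: str) -> bool:
    """True when upper, lower, digit and symbol characters are all present."""
    classes = (str.isupper, str.islower, str.isdigit,
               lambda c: c in string.punctuation)
    return all(any(test(c) for c in password) for test in classes)


def generate_mixed_password(length: int = 20) -> str:
    """Regenerate until every character class appears (rarely more than a try or two)."""
    while True:
        candidate = generate_password(length)
        if has_all_classes(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet_size).

    For a semantic password (words, names, dates) this is only an upper bound;
    the real guess space is the dictionary it was built from, which is far smaller.
    """
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_mixed_password(20)
    print(pw, f"{entropy_bits(len(pw), len(ALPHABET)):.1f} bits")
    # A 16-character lowercase-only string, even a random one, is weaker than that:
    print(f"16 lowercase letters: {entropy_bits(16, 26):.1f} bits")
```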

CONTROL WHAT APPS & SERVICES SHARE ABOUT YOU

  1. Review and fix the privacy settings in all apps and services you use. With Google, you can opt-out of some ad tracking permanently.
  2. With Facebook, monitor your privacy and ads settings (this article is helpful in opting out of more interest-based advertising).
  3. On Twitter, you can turn off location permanently or per Tweet.

LEVEL TWO

These are additional things that you can do for increased privacy and security. Some of them, like using two-factor authentication (2FA), can feel like a hassle at first. But you’ll get used to it, and it should eventually become second nature.

MAKE IT HARDER TO ACCESS YOUR DATA

  1. Turn on 2FA for everything, and have a backup plan in case you lose your method of authentication, such as your phone.
  2. Encrypt any sensitive images that you sync to the cloud if you must sync them (for instance, in Evernote). Dropbox has encryption for data at rest, but beware that they maintain the encryption key.
  3. Encrypt any text that you sync to the cloud, if you must sync it. In Evernote, select the text then right click to choose “Encrypt selected text…” but, as mentioned earlier, this isn’t really the place to store sensitive information.
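Why the backup plan in item 1 matters, as an added example that is not from the article: the codes an authenticator app shows are never stored anywhere; they are recomputed every 30 seconds from a secret shared with the service at enrollment (TOTP, RFC 6238, built on HOTP, RFC 4226). The Python below, standard library only, reproduces that computation and the drift-tolerant check a server performs; the only sample input is the test secret published in those RFCs, so losing the phone means losing the secret, and the enrollment seed or the service’s recovery codes are what a backup must preserve.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30  # seconds per code, the default authenticator apps use


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a single counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current 30 s window."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // STEP, digits)


def decode_enrollment_secret(b32: str) -> bytes:
    """Decode the Base32 seed shown at enrollment (spaces and lowercase tolerated).

    This string, or the service's recovery codes, is the backup: a new phone can
    be enrolled from it, but nothing can be recovered from the 6-digit codes.
    """
    cleaned = b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Server-side check that tolerates `window` steps of clock drift either way."""
    return any(
        hmac.compare_digest(totp(secret, at + k * STEP), code)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Sample input: the test secret published in RFC 4226/6238, not a real account.
    seed = decode_enrollment_secret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    print("current code:", totp(seed))
```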

MAKE BROWSING YOUR BUSINESS

  1. Use multiple browsers and/or profiles.
  2. Have one profile for signed-in activity (Google, Facebook, Twitter)…
  3. …and another profile for casual browsing, so your identity is not linked to your browsing activity.
  4. Automatically clear your history when you close the secondary profile. In Chrome, click the profile name in the upper-right corner of the window and choose “Go incognito.” You can verify which profile you’re in by opening Settings from the incognito window and seeing which profile is highlighted as “current.”
  5. In the secondary profile, you can additionally make a non-biased search engine (that doesn’t track your IP address, like DuckDuckGo) your omnibar default. In Chrome:
    - Go to Settings, Search, Manage search engines
    - Add DuckDuckGo, keyword duck (or whatever), URL https://duckduckgo.com/?q=%s&search_plus_one=form&iac=1
    - Hover over this entry and click “Make default”
  6. Install AdBlock+ for desktop browsers to help prevent downloading something malicious or unintended:
    - Subscribe to the easylist filter.
    - Uncheck “allow some non-intrusive.” This also stops many tracking cookies.
    - Turn on “Do Not Track” in all browsers (both laptop and devices) to signal that you want to opt out of tracking by analytics services, advertising networks, and more. It is usually under Settings > Advanced or Settings > Privacy.
  7. Consider using additional extensions in your browser to monitor tracking and make browsing even more secure:
    - Disconnect.me
    - Ghostery anti-tracking tool
    - HTTPS Everywhere
    - Referer Control (this breaks content sometimes, unfortunately)
    - Firefox Lightbeam
    - Netograph

CONTROL YOUR PUBLIC RECORDS

  1. Opt out:
    - List of leading data aggregators
    - List of web services
    - National Do Not Call Registry
    - Stop receiving unwanted mail: DMA Choice and Catalog Choice
    - Look into opt-out options at your banks or financial service institutions
  2. Lie or say less when filling out information online. This makes it harder for third parties to surface accurate, sensitive information about you:
    - If you have the option not to enter a last name, gender, etc., don’t.
    - Use false or truncated information where you can, and then lock those fields to be visible only to you (hometown and age on your Facebook profile are good examples).
    - Get a secondary email address and phone number (Google Voice) for, say, signing up for services, or filling out surveys online.
    - You can also mask things like your email and credit card numbers by using a tool like Blur while shopping online or filling out forms.
  3. Don’t submit your name to public records if you can help it:
    - Don’t buy property in your name. Use a trust instead.
    - Use a P.O. box for driver’s license and voter registration.

LEVEL THREE

Journalists, activists, or highly visible women who are likely to be under targeted surveillance from governments or online harassers may find this section more useful.

BE PARANOID

  1. Change non-master passwords every 3 months. Password manager Dashlane now offers a feature to auto update all of your passwords at once!
  2. Install a browser like Tor Browser that isn’t as slick or standard as mainstream browsers (sites may not render as prettily) but provides extra features for anonymity. Do this on your devices as well as on your laptop.
  3. Disable access to camera and microphone from your browser to prevent them being used to secretly record you.
  4. Purchase devices in a physical store rather than via an online order, to avoid interception and tampering. (This isn’t as far-fetched as you might think; it happened recently to an activist I know.)
  5. Turn off Wi-Fi and Bluetooth while in transit.

ENCRYPT ONLINE COMMUNICATION

  1. Messaging:
    - TextSecure on Android
    - Signal on iOS
    - ChatSecure on multiple platforms
  2. Chat:
    - Use OTR (off-the-record) for chat on Adium.
    - Disable logging for OTR chats in general settings (logs have been the downfall of whistleblowers like Manning).
  3. Email:
    - Use PGP.
    - Mailvelope and GPGTools seem worth looking at in this vein.

LEVERAGE RESOURCES ONCE COMPROMISED

  1. Tools exist on platforms like Twitter, such as Block Together, to help you block many attackers at once.
  2. Crash Override appears to be a great support network and resource for victims of online harassment.
  3. If you’re doxxed, call local businesses and police to get on a “call first” list to prevent fraudulent reservations, reports, and requests.
  4. Contact credit bureaus to request a credit freeze. It’s a free service if you prove that you’ve been a victim of fraud. This does come with some inconveniences, and it takes time for a freeze to “thaw” if you decide to reverse it.

HUGE THANKS to experts at EFF, Twitter, Research Action and Design, the Women’s Media Center, victims of doxxing, and friends who graciously gave hours of their time, reviewed this document, and provided valuable feedback.

FURTHER READING & RESOURCES

This content is under a Creative Commons Attribution-NonCommercial-NoDerivatives license.

Written by Coleen Baik

Independent product designer, artist, advisor. @Twitter & @Wellesley alumna, the-line-between.com
