Using the internet in a non-private world

I am an internet technologist and a bit of a privacy nut, both of which combine to make most of my days a conflicting struggle. I don’t see any version of myself that is not a heavy internet user, but I am also painfully aware of how I am personally exploited every single day by the products I use. Every app on my phone and every website I visit is doing its utmost to scrape as much data about me as it can. Every time I tap the screen or click a link, I know I’ve set in motion another attack against my privacy. The attacker wants my location, my age, my income, my relationship status, my car model, my medical history, my financial portfolio and everything else it can get without regard to its ability to use or need that data. Given that I view the internet as the most pervasive attack vector ever deployed, how is it that I can continue to use it?

The answer to that is partially philosophical and partly technical. Let me explain.

I believe in ninjas

For philosophical peace of mind I turn to a phrase I once heard on a podcast. The name of that show is lost to memory now, but I remember that it featured a reporter inviting a white-hat hacker to see how easily the reporter could be exploited. It took just a few days for the hacker to completely pwn the reporter and exfiltrate personal data that would be very useful to the other type of hacker. The reporter was aghast and asked “knowing what I know now, how do I get up in the morning and continue to use the internet?”

The hacker said something like “Well, I am sure you are aware that there are ninja assassins in the world, correct?” The reporter nods. The hacker finished by saying “Ok, now think about how much you realistically fear being murdered by a ninja.”

The point being made is that if you’re nobody special, you’re not likely to attract the kind of specialized spear-phishing tactics that the white hatter used to obtain the reporter’s data. The point I take away from this is that I have to be vigilant, but not completely paralyzed by fear. The ninjas will get me if they want me, but I still have to get on with my life regardless.

I know how things work

In my daily job, I deal with an extraordinary number of paranoid people. However, over the years I’ve noticed there are two types of paranoid people. There are paranoid people who know how things like cryptography and social engineering work and there are paranoid people who don’t know how any of that works. The latter group spend every waking moment in a complete panic because they fear the magical powers of the internet will steal their very soul out from under them by completely unpreventable means. The former group understand the risks involved with internet behaviour and can take reasonable precautions to prevent it.

A colleague at work put this concept very succinctly: “You can’t be paranoid if you don’t know how things work” and he’s right.

If you are worried about what a certain website, or a certain app may do to your privacy, research it. Use StartPage (not Google, more on that later) to see what actual security-minded people and security researchers are saying about the issue. I understand that one person can’t know everything, but certainly all of us know everything. Once you gain an understanding of how the internet works and what safeguards exist, you can start making good decisions on how to lock down your connected life.

I don’t trust the companies that form the foundation of the internet

In my view, Google and Facebook are the most predatory companies on the internet today. The reason for this is because they have no product at all. They make their money by cajoling us into providing as much personal data as they can, and then they sell that data. The two companies go about their evil deeds in very different ways, but their aim is the same: eviscerate your personal space into a series of data points that can be sold on the open market.

How can companies that exist solely to steal and sell your data be trusted to do so in a measured way? Both companies are publicly traded and therefore have an obligation to monetize as much as possible. Given that they are both well on their way to becoming the first companies with A TRILLION dollar market cap, fines and sanctions for breaking privacy laws are essentially meaningless to them. There is no compelling reason for either company to curb their wholesale data collection machines.

I prefer companies with actual products

This point deals mostly with the Android vs Apple debate. The hacker in me loves Android. I like my tools with thousands of knobs and levers and dials. Apple phones are a great disappointment to me in that regard but they shine in a few other areas.

First; Apple makes its money by creating things I like and selling them to me. On the Google side, the Android mobile OS was created as an attack vector to get more of your data into the Google ecosystem. With very few exceptions, Google doesn’t even make phones because it doesn’t really want to sell you a phone. It wants your data and it gets that regardless of who makes your Android phone.

Second; Apple has been pretty good at handling U.S. government overreach requests in a pragmatic way. It offers help but also says no to ridiculous requests such as back doors.

Lastly; the Apple App Store is better curated than the Google Play store. While both stores have had malware discovered in them, the rate of incident is much higher in the Play store.

I’m not saying Apple is 100% trustworthy either, but at least it has motives in line with mine – sell me stuff I like.

I don’t store passwords online or let my browser access them

Knowing what we know now, it is simply inexcusable to reuse passwords among sites. Password managers are a must for everyone but the way in which password managers have evolved is not good.

I use KeePass which is a password manager like Lastpass or 1Password. It stores my passwords and generates random passwords for me to use when I need. That part is great and every password manager does that.

What’s not great is that for some reason most password managers have convinced us that we need our passwords to be stored on the internet. I understand that password managers encrypt passwords but that encryption is only as strong as your encryption password. That you type in a lot. Like daily at least. So how strong did you really make that password, anyhow?

If someone stole my password database from the cloud I probably would not know for weeks or months or however long it took my password manager service to notice and tell me. How long has the bad guy been hacking away at it trying to guess my password? I don’t have a lot of confidence that any password I choose can’t eventually be discovered therefore I don’t store my passwords online to begin with.

Is it inconvenient to copy my password database from my computer to my phone and laptop periodically? No. It’s really not. I’ve been doing this for years and have never accidentally found myself locked out of something because of it.

The second bad thing that password managers encourage is the use of browser plugins. Your password manager can easily be tricked into divulging your username and password for any site on the internet. They mostly use poor fuzzing techniques to figure out what site you’re on and then offer up any matching credentials they have. If you think this isn’t a big problem, search for Tavis Ormandy and read about every password plugin vulnerability he’s found on the Google Project Zero site.
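
To make the site-matching problem concrete, here is an added illustration (not part of the original post and not any password manager's actual code) that compares a loose substring match with a strict parsed-origin match. The function names and every URL are constructed for the example, and the loose matcher is a hypothetical stand-in for the weak matching described above.

```javascript
// Added illustration: all names and URLs here are constructed.

// Loose: offers credentials if the saved host appears anywhere in the URL.
function naiveMatch(savedHost, pageUrl) {
  return pageUrl.includes(savedHost);
}

// Strict: parse both sides, require https and an exact host (and port) match.
function strictMatch(savedOrigin, pageUrl) {
  let saved, page;
  try {
    saved = new URL(savedOrigin);
    page = new URL(pageUrl);
  } catch (e) {
    return false; // unparseable input never gets credentials
  }
  return page.protocol === "https:" &&
         saved.protocol === page.protocol &&
         saved.host === page.host;
}

const SAVED_ORIGIN = "https://bank.example"; // constructed saved entry
const SAMPLE_PAGES = [
  "https://bank.example/login",                        // the genuine site
  "https://bank.example.lookalike.test/login",         // saved host as a subdomain label
  "https://lookalike.test/?next=https://bank.example", // saved host only in the query
  "http://bank.example/login",                         // right host, unencrypted scheme
];

// Returns one row per page showing what each matcher would decide.
function compare(savedOrigin, pages) {
  const savedHost = new URL(savedOrigin).host;
  return pages.map((url) => ({
    url,
    naive: naiveMatch(savedHost, url),
    strict: strictMatch(savedOrigin, url),
  }));
}

console.table(compare(SAVED_ORIGIN, SAMPLE_PAGES));
```

The loose matcher offers the saved credentials on all four pages; the strict one offers them only on the first.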

Final thoughts

There’s no sense expending energy attempting to maintain the privacy standards we had pre-internet. It’s simply not possible to use the internet AND remain completely anonymous and private. Your data will leak out, and it will be scooped up by both evil-minded companies and evil-minded people. That genie ain’t going back in the bottle so the challenge now is to figure out how to operate in the current world.

Legislation is part of the solution and places like the European Union have been leading the space on privacy-centric internet law. However, legislation is slow, frequently not drawn up correctly, and hard to enforce. We lock our car doors even though it is against the law to steal a car. We do that because we know we cannot solely rely on police officers to prevent our car from being stolen. We also know that even if the perpetrators are later caught, they may destroy the car.

Internet privacy must be viewed in the same manner. It is up to each of us to protect ourselves as much as possible instead of hoping that the issue can be regulated away.