Tag: privacy

  • Improving your online privacy: An update

    Ten years ago, after it became clear to almost everyone that all our online activity was being tracked and stored, I wrote a blog post about simple steps a person could take to improve their privacy online.

    Essentially, it contains a few recommendations that everyone could follow to reduce their fingerprint without much effort. It wasn’t meant to be exhaustive, and it wasn’t meant to make you invisible online. If your personal situation needs more, you have a lot more ground to cover, which was totally out of the scope of that post.

    The target audience was the average Joe who doesn’t like to be spied on, especially by commercial companies that just want to show you ads, sell you stuff or use your habits against you.

    Many things have changed in the last 10 years, while others remained the same. With this in mind, I think it is time for an update to my suggestions, keeping in mind that no specialized knowledge should be required and the maximum amount of effort should not surpass 30 minutes.

    1. Pick an ethical browser

    For regular users on any computer or operating system, the main window to the outside world is the browser. Nowadays, this app is of the utmost importance.

    My initial suggestion remains valid these days: you should install and use Firefox.

    There are other browsers that could also do the trick, such as Brave or Safari, but my preference still goes to Mozilla’s browser.

    No matter your choice, you should avoid Chrome and Edge. If you want a more detailed comparison, you can check this website.

    Expected effort: 5 minutes

    2. Install important extensions

    Unfortunately, the default configuration of a good browser is not enough, even considering it already includes many protections enabled from the start.

    For a minimal setup, I consider 2 extensions indispensable:

    These will ensure that most spyware, included in a huge number of websites, isn’t loaded and does not leak your private information to third-parties. They will also block ads and other junk that make the web slow and waste your bandwidth.

    Expected effort: 2 minutes

    3. Opt out of any data collection

    This topic is especially problematic for Microsoft Windows users. However, it is becoming an increasingly prevalent practice among all software vendors.

    They will tell you they are collecting anonymous data to improve their products and services, while often the data is not that anonymous and/or the purposes are far wider than the ones they make you believe initially.

    Nowadays, Windows is an enormous data collection machine, so to minimize the damage, you should disable as much of this as possible. If this is your operating system, you can find a step-by-step tutorial of the main things to disable here (note: you should evaluate if the last 3 steps make sense for your case).

    If you use a different operating system, you should do some research into what data the vendor collects.

    The next action is to do the same on your browser. In this case, in Firefox you should paste about:preferences#privacy in the URL bar, look for Firefox Data Collection and Use and then disable all options.

    Expected effort: 2–8 minutes

    4. Use a better DNS resolver

    This suggestion is a bit more technical, but important enough that I decided to include it in this guide that only covers the basics.

    With the new configuration that we set up in points 2 and 3, in theory, we are well protected against these forms of tracking. However, there are 2 big holes:

    • Are you sure the operating system settings are being respected?
    • Trackers on the browser are being blocked, but what about the other installed applications? Are they spying on you?

    To address the 2 points above, you can change your default DNS server to one that blocks any queries to sites tracking your activity. Two examples are Mullvad DNS and Next DNS, but there are others.

    Changing your DNS server can also help you block tracking on other devices over which you have less control, such as your phone or TV.

    The links contain detailed guides on how to proceed.
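    Once the resolver is changed, it is worth confirming that applications outside the browser really get filtered answers. The script below is an added example, not part of the original post or of either provider's tooling; the host names are supplied by you, and the set of "blocked" answers is an assumption, since what a filtering resolver returns depends on the provider and its settings.

```python
import socket
import sys

# Addresses a filtering resolver may return instead of the real one
# (assumption: the exact blocked answer varies by provider and settings).
SINKHOLES = {"0.0.0.0", "::", "127.0.0.1", "::1"}


def os_resolve(host):
    """Ask the operating system's resolver, as any non-browser app would."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []  # no such name, or no address records
    return sorted({info[4][0] for info in infos})


def classify(addresses):
    """'blocked' for an empty or sinkhole-only answer, else 'resolved'."""
    if not addresses or set(addresses) <= SINKHOLES:
        return "blocked"
    return "resolved"


def audit(should_block, should_resolve, resolve=os_resolve):
    """Return a list of problems; an empty list means the filter behaves."""
    problems = []
    # Controls first: if ordinary names fail too, DNS is down or the
    # filter over-blocks, and "blocked" results prove nothing.
    for host in should_resolve:
        if classify(resolve(host)) != "resolved":
            problems.append(f"control {host} did not resolve")
    for host in should_block:
        if classify(resolve(host)) == "resolved":
            problems.append(f"{host} still resolves: filter not in effect")
    return problems


if __name__ == "__main__":
    # Usage: python dns_check.py CONTROL_HOST TRACKER_HOST [TRACKER_HOST ...]
    if len(sys.argv) < 3:
        sys.exit("usage: dns_check.py CONTROL_HOST TRACKER_HOST...")
    found = audit(sys.argv[2:], [sys.argv[1]])
    print("\n".join(found) if found else "resolver filters as expected")
```

    This goes through the operating system's resolver, so it reflects what other installed applications see; a browser configured with its own DNS-over-HTTPS server is not covered by it.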

    Expected effort: 4–10 minutes

    5. Segregate your activity

    This step is more related to your behavior and browsing habits than to any tools that you need to install and configure.

    The goal here is to clean up any data that websites leave behind to track you across visits and sites over time.

    You should configure your browser to delete all cookies and website related data at the end of each session, and by this, I mean when you close your browser.

    In Firefox, you should again go to about:preferences#privacy, search for “Cookies and Site Data” and check the option “Delete cookies and site data when Firefox is closed”.

    Sometimes this is impractical because it will force you to log in to websites and apps all the time. A good compromise is to use “Multi-Account Containers”, which allow you to segregate your activity into multiple isolated containers, so you can limit any tracking capabilities.

    Expected effort: 3 minutes

    6. Prefer privacy preserving tools and services

    Most online services that common folk use go to huge lengths to track your activities. For most of them, this is their business model.

    Luckily, there are drop-in replacements for common tools that will provide you with similar or better service:

    The above are just a few examples; these choices will depend on your own needs. At first, you might find them strange, but experience tells me that soon enough you will get used to them and discover they are superior in many ways.

    Expected effort: 3–5 minutes

    7. Adopt better habits

    I’m already a few minutes over budget, but hey, privacy is hard to achieve nowadays.

    For this last point, the lesson is that you must be careful with the information you share and make use of GDPR to control when someone is overstepping.

    Here are a few tips, just for you to get an idea:

    • Don’t provide your personal data just because they ask (input random data if you think it will not be necessary).
    • Always reject cookies and disable data collection when websites show those annoying pop-ups. Look for the “reject all” button; they usually hide it.
    • Even if websites don’t prompt you about privacy settings, go to your account preferences and disable all data collection.
    • Use fake profiles / identities.
    • When too much information is needed, and you don’t see the point, search for other alternatives.

    The main message is: Be cautious and strict with all the information you share online.

    Concluding

    If you followed along up to this point, you have already made some good progress. However, this is the bare minimum and I only covered what to do on your personal computer, even though some of these suggestions will also work on your other devices (phone, tablet, etc.).

    I avoided suggesting tools, services and practices that would imply monetary costs for the reader, but depending on your needs they might be necessary.

    Nowadays, it is very hard not to be followed around by a “thousand companies and other entities”, especially when we carry a tracking device in our pockets, attached to our wrists, or move around inside one of them.

    In case you want to dig deeper, there are many sources online with more detailed guides on how to go a few steps further. As an example, you can check “Privacy Guides”.

    Now, to end my post with a question (so I could also learn something new), what would you recommend differently? Would you add, remove or replace any of these suggestions? Don’t forget about the 30-minute rule.

  • Lenovo and men in the middle

    Another week, another scandal. The general public might pass by without noticing the recent news about Lenovo computers, but the tech community on the Internet is incredulous. What we witnessed was serious and a betrayal of customer confidence, so in this post I will try to briefly cover everything that I’ve read about the issue and point out how this affects those who bought a Lenovo computer in the last 6 months.

    What happened

    Basically, the computers were sold with a piece of very intrusive ad-ware (that could be called malware since it is not that different). This software supposedly stands in the middle of every Internet connection that the computer makes (even secure ones) and tries to inspect its contents and inject advertisements into the websites that the user visits [source] [proof].

    On the technical level, this software was able to avoid the security measures and alerts implemented by browsers by adding its own self-signed root certificate to the list of Trusted Certificate Authorities. This way, issuing certificates when needed, it was able to trick the browser into thinking that it was connected to the valid website, when in fact the browser was talking to the ad-ware (SuperFish) and the secure connection to the website was being made by the ad-ware instead [source].

    What are the consequences

    Besides users being spied on and secure connections (for example, with bank websites) being compromised by the hardware vendor, as many have already stated, this leaves a huge security hole that can be exploited by people with bad intentions. [source]

    In fact, as we can see in this tweet, once this issue was uncovered people started digging into the subject and have already uncovered the private key, which gives anyone the ability to sign certificates, tricking the affected users into believing they are visiting the correct website when in reality they are on a malicious one. According to some articles, it was relatively easy and the password is the same for every machine. [source]

    What can be done

    Thankfully, given the enormous pressure on the Internet and the media attention, the company tried some excuses and provided some tools to remove the software. But (there is always a but) the less alert users might not know they are vulnerable, and it seems the certificate problem still persists (probably the worst issue). Fortunately, Microsoft stepped in, and its Windows Defender tool that comes bundled with the operating system will automatically clear the software and reset all certificates. [source]

    For the most suspicious users, some people created tools to check if the machines are still vulnerable (here and here).
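    The core of such a check is looking for the ad-ware's self-signed root among the trusted certificate authorities. The sketch below is an added example, not one of the linked tools and not code from the original post; the watchlist string comes from the name used in this post, and the sample entries are constructed in the shape Python's `ssl` module returns.

```python
import ssl

# Name fragments to look for (taken from this post; extend as needed).
WATCHLIST = ("superfish",)


def flatten(name):
    """Turn the nested tuples ssl uses for X.509 names into one string."""
    return ", ".join(f"{key}={value}" for rdn in name for key, value in rdn)


def suspicious_roots(ca_certs, watchlist=WATCHLIST):
    """Return subjects of self-signed CAs whose name matches the watchlist."""
    hits = []
    for cert in ca_certs:
        subject = cert.get("subject", ())
        if subject != cert.get("issuer", ()):
            continue  # issued by someone else: an intermediate, not a root
        text = flatten(subject)
        if any(word in text.lower() for word in watchlist):
            hits.append(text)
    return hits


def load_system_cas():
    """CA certificates Python loaded from the platform's default trust store."""
    return ssl.create_default_context().get_ca_certs()


# Constructed sample entries (not read from a real machine).
ROGUE = ((("organizationName", "Superfish, Inc."),),
         (("commonName", "Superfish, Inc."),))
LEGIT = ((("organizationName", "Example Trust"),),
         (("commonName", "Example Root CA"),))
LEAF_ISSUER = ((("commonName", "Some Other CA"),),)
SAMPLE = [
    {"subject": LEGIT, "issuer": LEGIT},
    {"subject": ROGUE, "issuer": ROGUE},
    {"subject": ROGUE, "issuer": LEAF_ISSUER},  # same name, not self-signed
]

if __name__ == "__main__":
    found = suspicious_roots(load_system_cas())
    print("\n".join(found) if found else "no watchlisted root CA found")
```

    On Windows, `ssl.create_default_context()` loads the system certificate store, which is the list described above; Firefox keeps its own certificate store, which this script does not read.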

    Summing up, this serves as a reminder to be careful with the software that you install on your computer. If possible, when acquiring a new machine, the first step is to clean the disk and install everything yourself; I recommend using a Linux-based operating system.

    P.S.: Digging into the root of the issue and knowing who crafted the problematic software.

  • “Nothing to hide” is not a good argument

    When talking about privacy and online surveillance (a topic that has been in the spotlight over the last year) with friends, colleagues and people that haven’t given much thought to these issues, the most common answer I hear is (as you’ve already guessed) “I’ve nothing to hide”, which is a fallacious argument. Arguing with someone that has this mindset is really difficult because most of the time (in my experience) it means one of 4 things:

    1. I don’t care.
    2. I don’t know the quantity and/or quality of information that can be gathered.
    3. I don’t believe small pieces of unrelated information leaked in different places will be added up to build a more complete profile.
    4. I’m not really aware of what the implications of surveillance are.

    Trying to convince this person that privacy in the age of the Internet is a topic worth discussing is really hard (it got a little easier after last year’s events).

    Today I’ve read an essay that really sums up some of the arguments I would use to show someone that privacy matters. It is a long read but it is worth the time spent:

    Why Privacy Matters Even if You Have ‘Nothing to Hide’