Encryption, security, privacyPublished Wednesday, 14th August, 2019
Over the past few months I've become increasingly more security and privacy conscious. This has led me to upgrade the tools I use on a daily basis to ones that support my ethos and make some kind of further statement about the world I would like to live in. In this post, I write about the tools I now use and share some thoughts on the society in which I use them. If you're just after the recommendations, you can skip to those by clicking here.
US Attorney General William Barr claims that 'making our virtual world more secure should not come at the expense of making us more vulnerable in the real world', failing to recognise that the virtual and real world are the same thing. Contrary to the popular retort, claiming back my privacy and caring about security is not about 'having something to hide', it's about having something worth protecting: everything. If you had told someone at the dawn of the world wide web that almost every mode of interaction would be mediated by it, they'd probably have called you crazy. It is specifically because they encompass everything we do that security around our digital lives is of paramount importance.
If you doubt that our digital lives have much of a bearing on the real-world, give somebody the password to your email inbox and watch them take control of almost everything you own. Email shouldn't be – but is treated like – identification. I can log into my bank account with it, I can reset passwords, I can email technical support who will, by pure dint of the fact I am using the email address registered to an account, hand over sensitive security information.
We live in an unprecedented era of surveillance where corporations are joining the State as a privacy and security adversary. These companies are eager to jigsaw the minuscule breadcrumbs of your life in order to sell your data and attention to advertisers. We've seen companies abusing their power or being so lackadaisical with the data they gather – frequently with only de-facto consent – that it ends up in the hands of others who are happy to abuse it. Given enough time, becoming the subject of a data breach is almost a given. How severely it impacts you depends on how well you protected your other assets.
We cannot expect governments, corporations, or other large, faceless organizations to grant us privacy out of their beneficence. [...] We must defend our own privacy if we expect to have any. – A Cypherpunk's Manifesto
A lot of the things I’ve done to improve my privacy and security are far beyond what is really required. It's also worth noting that some of this comes at both a financial and convenience cost and that there's always a cost-benefit analysis to be done when deciding which of these tools to implement yourself. Historically there has always been a trade-off between security and convenience (as there continues to be between financing tools with our data and financing tools with our money) but as people become more aware of how their data is held and has the potential to be used against them, developers begin to create tools to maximise privacy and minimise the time and effort spent achieving it.
As with everything on this domain, I am not paid nor do I get commission or anything for free by recommending these companies to you. This is an impartial list of the tools I use in my daily life to claw back my privacy and make things more secure. I encourage you to do your own research and work out what tools suit your needs.
I have moved from...
- Microsoft's OneDrive to the end-to-end encrypted, zero-knowledge cloud-host, Tresorit
- Adobe Lightroom CC to Apple Photos – which still isn't brilliant. If you have any suggestions for a full-featured privacy-enhanced photo management tool, please do let me know!
- Apple Notes to Standard Notes, which has a powerful longevity statement and privacy manifesto – I've purchased their five year license
- WhatsApp, which faces some questions around the efficacy of its encryption, and Messenger, mainly because it's another Facebook company, to Signal and iMessage
- Roundcube, hosted by my domain registrar, to the inexpensive, encrypted, zero-knowledge email host ProtonMail
I have adopted use of...
- KeePassXC as my password manager, stored in Tresorit, reading the database with Strongbox on my portable devices
- Two-factor authentication for everything that will allow me to turn it on, secured in Authy
- A physical security USB key for the things that need the most protection
- Nord VPN, always-on on my iPhone, iMac, and MacBook
- DuckDuckGo as my search engine
- Brave for as my desktop browser with a range of tweaked settings including DNS-over-HTTPS and fingerprint obfuscation
- Trezor, a hardware wallet for cryptocurrencies like Bitcoin
I have turned on...
- Email notifications for HaveIBeenPwned
- FileVault for my iMac and MacBook Air, as well as firmware passwords for them both.
- Encryption for all external hard drives, with extra-sensitive documents further encrypted via NordLocker
- Alphanumeric passcodes for my other Apple devices
- Encryption keys for my cloud backup platform, Backblaze
I have turned off...
- Access to things like my contacts, camera roll, and location for the apps that don't require access to those things for the app to be functionally useful
- iCloud iPhone backups, which are encrypted with keys owned by Apple and not by me – instead, I back up manually to my MacBook with an encryption key I own
Removing stray profiles is something I've been doing over the past few months too. Consolidating and reducing my footprint whilst securing everything that remains means there's less to compromise. I learned this the hard way when HaveIBeenPwned told me an account I hadn't used since 2012 was part of a data breach in 2018...
If your interest has been piqued, I've created a Twitter list that curates the messages of my favourite tools. Feel free to subscribe to it and dig around to find tools that work for you or to email me with suggestions, tips, or to chat further about this topic. I'd love to hear what you think.
For privacy to be widespread it must be part of a social contract. People must come and together deploy these systems for the common good. – A Cypherpunk's Manifesto