The documents leaked by NSA whistle-blower Edward Snowden illustrated the startling reach of the West’s biggest intelligence agencies, and one revelation in particular sticks out. We learned that the agencies collaborated with technology companies to deliberately weaken widely used security tools, making it easier to spy on the public.
That’s big. From email to online banking, it’s simply no longer safe to assume anything about the security of your data – except that you’re probably not the only one who has access to it. Whether or not you’re on their radar, your activity may be sucked up indiscriminately by intelligence services, who have made it their right to know what you know – for your own good, of course.
One consequence of such invasion is that average users are increasingly turning to open-source privacy tools. Much more transparent and often independently audited, they can’t be subverted as easily as a proprietary tool, making them the best means of retaining a bit of privacy in your online activities.
Stay private online: Encryption
We know the NSA and GCHQ have collaborated with technology companies to install backdoors into security products, so it’s fairly safe to assume any proprietary encryption solution is compromised.
That means no more BitLocker, even though it’s highly convenient as it comes with some versions of Windows. Instead, we recommend you use the open-source TrueCrypt to encrypt your data.
It’s a powerful tool, offering volume, partition and drive encryption, as well as the ability to set up additional hidden volumes or even an entire hidden OS. That means if you’re compelled to reveal your main encryption password for whatever reason, any hidden volume will remain safely encrypted and undetectable inside the visible volume. Think of it as a saferoom within a saferoom.
You can download TrueCrypt from www.truecrypt.org and install it to your PC. To set up an encrypted area in which to store your most important files, first launch TrueCrypt, then click Create Volume and choose “Create an encrypted file container”.
You’ll be offered the option of making a hidden volume; these must be created inside an existing standard TrueCrypt volume, so for now just choose Standard.
Click Select File and choose a location and a file name for your new TrueCrypt container; don’t use a file name that already exists, or it will be overwritten by the new container. Choose your encryption and hash algorithm – novices can safely stick to the defaults – then choose the size of your container and a suitably strong password. The final step is important: when prompted, randomly move your mouse around the TrueCrypt window for at least 30 seconds – the longer you move, the stronger the encryption – and that’s your container created.
To use it, go back to the TrueCrypt home screen, choose any spare drive letter and select your container file from the Volume dropdown, then click Mount. Enter your password, and the volume will appear in Windows Explorer like any other drive. Drag a file into it and it will be automatically encrypted and added to the container; open an encrypted file and it will be decrypted temporarily in your PC’s RAM. When you’re done with your container, just click Dismount and it will disappear, safely locked from prying eyes.
There’s lots more you can do from there. You could create a hidden volume inside your standard volume, and you can encrypt a partition or full OS using similar steps to creating a container. It’s all well documented both in the software and on the TrueCrypt website.
Stay private online: Web browsing
Tor is a free and open virtual network that bounces communications around the world to prevent sites from learning your physical location. It forms the basis of a range of security applications, the most common of which is the increasingly popular Tor browser. It’s based on a modified Firefox release, so it’s easy to get to grips with, and if you follow some simple precautions it will grant you a level of anonymity while you browse.
To set it up, just go to www.torproject.org and download the Tor Browser Bundle, which contains all the required tools. Run the downloaded file, choose an extraction location, then open the folder and click Start Tor Browser. That’s it. The Vidalia Control Panel will automatically handle the randomised network setup and, when Tor is ready, the browser will open; just close it again to disconnect from the network.
It won’t quite be browsing as usual, as the Tor browser is necessarily stripped of many of Firefox’s modern trimmings. Plugins, such as Flash and QuickTime, are blocked by default as they can reveal your non-Tor IP address, as can opening any downloaded document that’s handled by an external application such as Word. The makers strongly advise against using BitTorrent over Tor as well. Don’t go switching to Chrome, though: Tor is not protecting your PC’s internet traffic, only the traffic that goes via the Tor Browser, so it’s no good just having Tor running in the background. It isn’t a VPN client.
Because of these restrictions, not to mention the reduced speed of browsing as data flies around the world en route to your PC, it’s really not practical to use Tor for everything online. It’s fine to keep using your current browser for everyday online activities – if you want to make it a bit more private, search with DuckDuckGo.com instead of Google – but try to at least get into the habit of switching to Tor when it’s time to do your banking, shopping or any other sensitive tasks.
Stay private online: Messaging
Public key cryptography is no longer only for IT experts, as more and more people are using tools based on OpenPGP (the open standard that grew out of PGP, Pretty Good Privacy) to keep their communications, such as emails and file transfers, private.
To explain it in very simple terms, with PGP you generate two unique keys. Your public key is what you give to others, and they can use it to encrypt any messages meant for your attention. Your private key is what you keep secret and safe, as it is the only key that can unlock the messages that were encrypted with your public key. The public key alone can never decrypt a message, which means you’re safe to hand it out even to people you’ve never met.
The most popular implementation of OpenPGP is the GNU Project’s free GnuPG. Unless you’re skilled with the command line, scroll down to the Binaries section on the Downloads page to find the special setup files for each operating system. Note that both sender and recipient need the software installed.
For Windows that’s Gpg4win, a suite which contains GnuPG plus a few other useful tools and extensions, as well as a PDF of the excellent Gpg4win Compendium. The “For Novices” chapter is a great place to start learning about PGP.
Gpg4win includes everything you need: there are plugins for Outlook 2003 and 2007, and a standalone email client called Claws Mail that works with the keys you generate in Kleopatra.
To generate your own pair of keys, run Kleopatra (it’s installed with Gpg4win), then click File | New Certificate. Choose the first option that pops up, enter your name and email, and click Create Key. Your chosen passphrase is very important, as its strength determines the strength of your encryption; try to use a phrase at least four or five words long, but be sure you’ll remember it. Back up your newly created key pair if you want to, and then Export the certificate to a suitable folder on your PC. Opening that certificate file will give you your public key in text form.
That’s the very basic setup, but of course there’s an awful lot more to it. The Gpg4win Compendium document has walkthroughs for everything, so the best thing you can do is work through the examples until you’re confident enough to start using OpenPGP with your friends, relatives and colleagues.
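An added example, not from the article or from the GnuPG project, showing the same key-pair workflow the Kleopatra steps describe (generate a pair, export the public key as text, encrypt to it, decrypt with the private key) done with GnuPG on the command line. It assumes gpg and gpgconf (GnuPG 2.x) are installed, works in throwaway keyrings so your own is never touched, and the name, address, passphrase and message are placeholders.

```shell
#!/bin/sh
# Added example: the Kleopatra key-pair workflow with GnuPG 2.x on the
# command line. Assumes gpg and gpgconf are installed. Uses throwaway
# GNUPGHOME directories; the name, address, passphrase and message are
# placeholders, not real values.

pgp_roundtrip() {
    uid="Alice Example <alice@example.invalid>"
    email="alice@example.invalid"
    pass="correct horse battery staple"   # placeholder: use your own long phrase
    alice=$(mktemp -d) && bob=$(mktemp -d)
    chmod 700 "$alice" "$bob"

    # 1. Alice generates her key pair (Kleopatra's "Create Key" step).
    GNUPGHOME="$alice" gpg --batch --quiet --pinentry-mode loopback \
        --passphrase "$pass" --quick-generate-key "$uid" default default never

    # 2. She exports only the public half as ASCII text: the "certificate"
    #    she can hand to anyone, including people she has never met.
    GNUPGHOME="$alice" gpg --batch --armor --export "$email" > "$alice/alice.pub.asc"

    # 3. Bob's keyring holds nothing but Alice's public key, yet that is
    #    enough for him to encrypt a message meant for her.
    GNUPGHOME="$bob" gpg --batch --quiet --import "$alice/alice.pub.asc"
    printf 'meet at noon\n' > "$bob/msg.txt"
    GNUPGHOME="$bob" gpg --batch --quiet --trust-model always \
        --recipient "$email" --output "$bob/msg.gpg" --encrypt "$bob/msg.txt"

    # 4. The public key alone cannot decrypt: Bob's own attempt must fail.
    if GNUPGHOME="$bob" gpg --batch --decrypt "$bob/msg.gpg" >/dev/null 2>&1; then
        echo "public key decrypted the message: something is wrong" >&2
        return 1
    fi

    # 5. Alice, holding the private key and its passphrase, reads it.
    GNUPGHOME="$alice" gpg --batch --quiet --pinentry-mode loopback \
        --passphrase "$pass" --decrypt "$bob/msg.gpg"

    # Stop the agents gpg started and remove the temporary keyrings.
    GNUPGHOME="$alice" gpgconf --kill gpg-agent
    GNUPGHOME="$bob" gpgconf --kill gpg-agent
    rm -rf "$alice" "$bob"
}
```

Running `pgp_roundtrip` prints the recovered plaintext from Alice's side only; step 4 is the practical meaning of "the public key alone can never decrypt a message".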
One area of messaging that Gpg4win doesn’t cover is instant messaging. Skype – one of the most popular video calling apps and IM services – uses industry-standard encryption to keep your conversations private. However, if you don’t want to put your trust in a mainstream app, you might like to try Off-the-Record (OTR) Messaging.
This encryption toolkit works with Pidgin (an IM client for Windows, Linux and Mac OS), which you can download from www.pidgin.im.
Stay private online: Disk cleaning
The final tool in your privacy arsenal is a vital one: a good disk cleaner. BleachBit is a simple piece of software that can shred files to prevent recovery, and overwrite free disk space to hide traces of old files. That might sound like something you won’t use very often, but it also automatically hunts down and deletes unnecessary files anywhere on your hard disk, from caches and cookies to the temporary folders of thousands of applications. If your backups keep growing, or if you want to compress a disk image, BleachBit is a simple means of keeping the size manageable.
Download the software from bleachbit.sourceforge.net, install it to your PC and run it. The interface will show you any supported applications you have installed down the left, along with information on what will be deleted for each on the right. Just tick what you want to clean, leave anything you’re unsure of, and click Preview to see how much room you’ll free up. Then tap Clean to finish the job.
The extra privacy tools are all in the File dropdown menu. Shred Files and Shred Folders will delete and overwrite your selected data. Wipe Free Space will go through a drive or partition and overwrite files previously deleted by any software, so they can’t be easily recovered. After doing this, BleachBit will also attempt to wipe metadata about those files by filling Windows’ Master File Table.
Stay private online: Tails
We’ve covered some good individual tools, but if you want a bit of everything in one pocket-sized package, try Tails. It’s a live Debian-based operating system that you can run on any PC from a DVD or USB drive, and as it only uses the host system’s RAM it leaves no trace when you switch off and disconnect. You can rock up at an internet café or use the PC in your hotel lobby without worrying about viruses and spyware on the host OS, and you can also use Tails to circumvent regional locks and internet censorship.
Bear in mind, though, that you’ll need to be able to boot from a disc or external drive, so you won’t be able to run Tails on any PC with a locked-down BIOS that’s set to only boot from the internal hard drive.
Download the Tails ISO image, and follow the clear instructions on the download page to verify the image. To install onto a USB drive, first go to www.pendrivelinux.com and download and run the Universal USB Installer. Choose Tails from its dropdown list and click Browse to select your downloaded ISO image, then select the drive letter of your connected USB stick. Finally, click Create to build your own bootable Tails OS drive.
Tails includes a range of tools, all of which are pre-configured to connect to the internet through the Tor network – it blocks any attempts by applications to access the internet directly. To be fully anonymous and private online, be sure to read the documentation on the Tails site for lots more information on combining the included services to maximum effect.