Tag Archives: privacy

Increasing Transparency Alongside Privacy – 2014 Report

As we’ve stated in Transparency Reports since 2012, privacy continues to be at the root of all we do at SpiderOak. Every new product and feature is designed to fit tightly alongside our Zero-Knowledge privacy commitment. And we continue to understand how transparency plays a role in overall privacy.

Unlike overall trends, SpiderOak has enjoyed a fairly private year. Below, please find our latest Transparency Report for all activity over the last calendar year – from January 2014 through December of 2014. The report is as follows:

2014_transparency_chart

We are proud to stand behind our commitment in keeping our users informed of any and all activities involving their data and the constant protection of their privacy. Our relationship with the privacy advocates and other organizations will always improve our outreach and understanding so that our supporters will benefit from a fully transparent and open environment. As always, we greatly value your thoughts and feedback so please don’t hesitate to send further thoughts or questions anytime.

ANNOUNCEMENT: NEW SPIDEROAK PRICING FOR 2015

At the end of last year, the Pew Research Center canvassed thousands of experts on their predictions on privacy. When asked whether they believed there would be a widely accepted privacy infrastructure by 2025, many said no, stating that privacy is destined to become a ‘luxury.’ Kate Crawford, a professor and research scientist, had this to say,

“In the next 10 years, I would expect to see the development of more encryption technologies and boutique services for people prepared to pay a premium for greater control over their data. This is the creation of privacy as a luxury good. It also has the unfortunate effect of establishing a new divide: the privacy rich and the privacy poor.”

Read the full report.

SpiderOak believes privacy matters. It’s a right, not a luxury good, and therefore should be available to more than just the affluent. We are committed to bringing affordable privacy solutions to the cloud.

NEW SPIDEROAK PRICING

This leads us to announce the first pricing change we’ve ever made since we started (2007). Now get more space for less money with these three new storage plans.

new-pricing-image

To learn more about this change, how to sign up or switch plans, check out the FAQs below.

With Zero-Knowledge,
The Team at SpiderOak


=== FAQs ===

Q: This is awesome. I’d like to switch from my current plan to a new plan. How do I do so?

A: Just follow these steps:

(1) Log into the desktop application and choose ‘Buy More Space’. Alternatively, you can go to your Account page and select ‘Upgrade Plan’.
(2) Select plan size, frequency, and then click ‘Next.’
(3) Once you’ve reviewed the change, ‘Submit Order’ will complete the switch.

NOTE: You will be billed a prorated amount immediately. By switching to a new plan, you are purchasing an additional year or month of storage starting the date you make the switch which is why you are being billed immediately.

Q: Cool! I’ve been waiting for a more affordable plan to become a paid SpiderOak user. How do I sign up?

A: Welcome! We’re happy to have you join our community. You will be given 2 GB of free storage when you create your account. To upgrade to one of the larger plans, click the ‘Buy More Space’ button to choose the plan you’d like and enter your payment information.

Q: Actually, I’d rather stay on the plan I currently have. Do I have to switch?

A: If you’re happy, we’re happy. If you are a current user, you can stay on your existing plan.

Q: My current plan is more expensive so I’d like to switch. Will I receive a refund for the difference?

A: Your renewal date becomes the date you switched plans. When you move to one of the new plans, you will either be prorated or not charged at all for the first year. Refunds will not be issued.

Q: Oh no! I just signed up last week. Can I move to a better plan?

A: Yes, please see the first Q/A listed.

Q: I’m on an Unlimited (or any other discounted) plan. Do I have to switch?

A: No. You are welcome to stay on your current plan.

Q: Will you still offer an education discount?

A: We now offer a 25% discount for all .edu accounts. We also now offer a 25% discount for .org and .mil accounts.

Q: I have a .edu / .org / .mil account. How do I get 25% off?

A: If you create your account with a corresponding email address, you will automatically be able to choose the discounted plans on the ‘Buy More Space’ page. If you did not use this email address when creating your account, you can edit the address associated with your account. Once this change goes through, you’ll be able to see the new plans.

Q: Will you still run other promotions?

A: We are really excited about our new pricing but there will be promotions in the future as we’ve always done.

Q: Can I sign up from my mobile device?

A: You must sign up – or make any adjustments to your account – through the desktop application.

10 NOTABLE PRIVACY & SECURITY BREACHES OF 2014 + TIPS TO PROTECT YOUR PERSONAL DATA

Personal InformationBelow is a list of 10 notable breaches that left hundreds of millions of people and their personal information at risk this year.

===BUSINESS===

SNAPCHATJanuary 2014 – The supposedly private photo and video messaging app was hacked near the first of the year resulting in phone numbers and usernames of up to 4.6 million accounts being posted to public forums like Reddit.com and downloaded by a website called SnapchatDB.info. The security gap was due to user data being stored in plain text and the lack of the basic security measure of rate limiting. Later in the year, a third party vendor, Snapsaved.com, announced their servers were hacked which resulted in a breach of over 200,000 accounts and thousands of photos and videos made public.

eBAYMay 2014 – In late February or early March, more than 145 million users login credentials and postal addresses were exposed due to a cyberattack on eBay’s database earlier in the spring. The corporate network was breached when hackers compromised employee credentials that were reportedly encrypted with presumedly a weak algorithm or stolen decryption keys. Though initially confused, the company later confirmed that no financial or credit card information was compromised. Criticized for not responding appropriately or in a timely manner, the company slowly urged users to change their password and to not reuse their old password across other sites.

HOME DEPOTSeptember 2014 – Though the Department of Homeland Security warned retailers of their systems potentially being compromised, Home Depot didn’t become aware of their attack until September when 109 million records were leaked, including 56 million credit and debit cards and 53 million email addresses. Hackers gained access to in-store payment systems and stole data off the company registers during point of sale. The stolen financial information was sold on underground cybercrime sites. Facing 44 civil lawsuits in the U.S. and Canada, Home Depot has offered twelve months of credit monitoring to its customers. This attack came after a series of earlier security breaches by Home Depot employees who allegedly stole personal information of some 30,000 individuals.

iCLOUDSeptember 2014 – Backed up nude photos of Hollywood celebrities and many others were leaked due to a “brute force” access of targeted iCloud and Find my iPhone accounts. The hack, popularly known as “Celebgate,” included the posting of photos on 4chan which quickly spread throughout the internet. Though Apple denied the breach, reports of it knowing about the security hole as early as March were released.

SONYNovember 2014 – Sony’s systems were hijacked in late November with initial threats of releasing secrets if monetary demands weren’t met. Warnings were made against the release of “The Interview.” Days later, it was reported that personal and financial information of over 47,000 celebrities, freelancers, company executives, and current and former employees was leaked. Some of the information obtained was from an Excel file without any password protection. The damage also led to the postponement of showing “The Interview.” Now confronted with a class action lawsuit for not securing its computer network and protecting confidential information, Michael Lynton, CEO, said the company has not given in to the demands of the hackers.

===FINANCIAL===

JPMORGANSeptember 2014 – Over the summer, hackers gained access to data on more than 76 million account holders. Names, addresses, phone numbers and emails of customers who use the company’s online financial services were obtained. Information on an additional 7 million small businesses was also accessed. Security experts have reported that breach could have been avoided by a fix to a server that was apparently overlooked.

===EDUCATION===

UNIVERSITY OF MARYLANDFebruary 2014 – One of the University of Maryland’s records database suffered a “sophisticated” attack at the first of the year with names, Social Security numbers, birth dates, and university ID numbers stolen from over 309,000 students, staff, and alumni. No records were altered but a copy of the information was made. A year of free credit monitoring was offered by the University.

===GOVERNMENT===

USISAugust 2014 – US Investigation Services, a U.S. Homeland Security contractor that is responsible for more than 21,000 background checks per month for government employees suffered leak of personal information that affected more than 25,000 employees of the Department of Homeland Security, U.S. Immigration and Customs Enforcement, and U.S. Customs and Border Protection units. This was also the same firm that vetted former NSA contractor, Edward Snowden, and Navy Yard shooter Aaron Alexis. Exposed information included birth dates, family names and addresses, Social Security numbers, as well as health, education and criminal history.

USPSSeptember 2014 – More than two-dozen servers at the U.S. Postal Service came under cyber attack with blame being placed on state-sponsored Chinese hackers. More than 800,000 employees and 2.9 million customers were left vulnerable. Names, birth dates, Social Security numbers, addresses, dates of employment were some of the information obtained. It took two months to develop a response and mitigation strategy before shutting down the threat.

NATIONAL OCEANIC AND ATMOSPHERIC ADMINISTRATION (NOAA) – September 2014 – The U.S. weather service’s satellite network critical to forecasts, warnings, and disaster planning was hacked by the Chinese. Though cybersecurity teams responded immediately, officials did not notify authorities until late October. It’s unknown as to whether classified information was accessed.The system was deemed vulnerable due to a serious lack in security measures. Around the same time, systems at the U.S. Department of State and the White House were also hit.


More and more people are giving away their personal information for the enjoyment of smart devices or even without realizing it. SpiderOak urges you to take privacy seriously. Here are several tips to protect your data:

Password Management

  • Make sure your passwords are strong (no personal information, common words or sequences, make them long, use special characters when possible).
  • Do not use the same password for multiple accounts.
  • Password protect all your devices.
  • Consider a password manager.
  • Use two-factor authentication when available.

Encryption

  • Use WPA2 encryption when setting up or using Wi-Fi.
  • Use whole-partition or whole-disk encryption on your devices.
  • Encrypt sensitive information before storing or sending.

Mobile

  • Use security lockout feature.
  • Consider installing remote wipe.
  • Only download apps from reputable vendors (Windows Phone Store, Apple Store) to reduce the risk of receiving a malware-laden version.
  • Turn off location services, GPS, Bluetooth, and Wi-Fi until you need these services.

Privacy Policies & The Web

  • Know what information you are giving access to. If it’s not information critical to the function of the app or service, consider passing.
  • Since much of user information is sold for advertising, use social networks at your own risk.
  • Disable 3rd party cookies.

Credit Monitoring

  • Consider monitoring your credit year round.
  • Restrict access to your credit report if you are at risk of identity theft.

 

Supporting Reset the Net & Free Software for End-to-End Encryption

SpiderOak Supports Reset the Net and free software for end-to-end-encryption June 5Today, June 5, just a year after one of the most significant leaks in U.S. history by Edward Snowden, SpiderOak joins Reset the Net and hundreds of thousands of others to protect our privacy and freedom from government mass surveillance.

Our CEO, Ethan Oberman, had this to say about Snowden and the campaign:

The Snowden revelations not only raised the level of awareness around privacy but also intrinsically changed the way people think about their online presence. It is wonderful that there is more awareness around this issue and even more wonderful to see the advancements that companies have made in the past year, especially around data encryption. The Reset the Net campaign will help drive the dialogue forward, leading to a future in which we are able to set new, higher standards for privacy. We are proud to support this campaign and honored to participate in the worldwide movement toward a more free and secure Internet.

Here are some ways to better protect yourself against mass surveillance…

SUPER-EASY ENCRYPTION TOOLS:

These free tools let you talk, chat, and text with privacy.

  • Adium & Pidgin for private (OTR) chat over Gtalk, Facebook, Yahoo, MSN, XMPP / Duck Duck Go and others
  • Textsecure and Redphone for Android and iPhone (we hope), for private SMS and voice calls
  • HTTPS Everywhere for browsers
  • GPGtools and Enigmail (as a bonus for more sophisticated users)
  • TOR (as a bonus for sophisticated users or those with anonymity needs)

(One important note on the inclusion of Pidgin, Adium, and OTR: if you believe you may be the specific target of surveillance, these aren’t the tools for you. Pidgin has had a large number of remotely exploitable vulnerabilities recently, and auditors looking at the code believe there are likely to be many more. Still, these tools are effective against passive mass surveillance, and they’re unusually easy to use.)

THIS OFFER EXPIRED ON JULY 6, 2014.

5 FREE GBS
  • If you’re already a SpiderOak user (free or paid), get your additional 5GBs by sending an email toerin[at]spideroak.com with the subject ‘Reset the Net 5GB’. You MUST include your username in the message. (I will collect usernames and apply your 5GB in July, no later than July 11). 
  • If you don’t have a SpiderOak account, sign up for a new SpiderOak account and enter the promo code resetthenet. You should have 5 free GBs! If you have any issues, send us a note at support@spideroak.com.
TO GET 33% OFF
  • If you’re a completely new SpiderOak user, sign up for a new SpiderOak account and after you download the client, choose ‘BUY MORE SPACE.’ Then choose ‘UPGRADE PLAN’ and select the plan you want. Enter the promo code resetthenet for your 33% off! Enjoy.
INSTRUCTIONS FOR EXISTING USERS:
  1. In the client choose ‘BUY MORE SPACE’, or in the web login, go to your Account page and select “Upgrade Plan”
  2. Choose YEARLY and type in promotional code resetthenet
  3. Finally, select “Next” and “Submit Order”
  4. Congrats! Enjoy your 33% off.

*If you already have a paid account, you will have to complete this payment process. However, your account will pro-rate. PayPal users will need to cancel their existing subscription and create a new one.

DEVELOPERS

We need you to build privacy into your apps! It’s the only way to make privacy scale. Check out Crypton. It’s the first application framework that provides a foundation for building ‘Zero-Knowledge’ cloud products. It allows developers to provide customers a truly private storage and collaboration environment with no access to unencrypted customer data, without having to rely on 3rd party security layers or post development hacks.

Finally, we encourage you to watch this video to learn more about Reset the Net. Support the movement on social media by sharing calls for greater privacy and security under the campaign hashtag #ResetTheNet.

EFF Recognizes SpiderOak For Having Your Back

The Electronic Frontier Foundation (EFF) just released it’s annual “Who Has Your Back?” report honoring our efforts – and others – on the legal and privacy front of protecting our users.

Of the six criteria used to assess a company’s practices and polices, SpiderOak received five of the six. According to the EFF, “SpiderOak earns 5 stars in this year’s report. It has demonstrated a strong commitment to transparency around government data requests and respect for its users’ privacy. Specifically, SpiderOak requires a warrant for access to content, gives notice to users when their data is sought by the government, publishes a transparency report detailing government data requests, and publishes its law enforcement guides. In addition, it has publicly opposed mass surveillance.”

It goes on to say, “While SpiderOak does not receive a star for fighting for user privacy in courts, this does not reflect badly on the company: Many companies do not have an opportunity to challenge an overbroad government demand or may be barred from discussing their legal challenges.”

Who has your back 2014

We have not had the occasion to defend any of our users’ rights in court. We have not been bound by secrecy of gag orders, nor imposed by court orders. In any of these cases, we would comply with the law. As our users know however, we do not have access to our users’ plaintext data. Furthermore, should we ever get the opportunity to fight for our users’ privacy in court, we would – without hesitation – do so.

Here is the complete report.

Router Security In the Cloud: Enterprises Seek Data Protection for Remote Workers

As router security becomes an increasing concern, companies with remote workers are seeking data protection in the cloud.
Image Source: Flickr User Cisco Hardware at Router-switch.com

For many enterprises, security has become a chief concern in the light of hacking, the spread of malware, and international cyber wars. The latest in the litany of worries over data safety comes from news of 300,000 compromised routers. While many enterprises operate on a much bigger scale than the small office and home office (SOHO) routers that were recently attacked, the growing popularity of enabling mobile workforce and work from home policies jeopardizes sensitive company data, due to the relative insecurity of such commonly used routers. Instead of scaling back worker mobility, enterprises can still take advantage of on-the-go work and work from home solutions by securing important corporate and consumer data in a private cloud service.

Continue reading

Generational Risk: Millennials & Data Security

IT, Finance, & The Threat to Data Safety.
Image Source: Softchoice

Millennials are typically seen as the go-to generation for all things tech-related. So it may come as a big surprise that recent surveys indicate that lax generational views toward data security could jeopardize the safety of your enterprise’s data. This flies in the face of the recent trend of reverse mentoring, in which younger workers share their tech habits to older workers. When it comes to bad habits, such practices could cause entire organizations to adopt unsafe data storage and syncing techniques, leaving sensitive corporate information open to attack or leakage.

The best way to protect such data is through strong internal systems and the adoption of secure storage and sync services. A recent survey put out by Softchoice is changing the way enterprises view their Millennial workers. According to the research, 28.5% of 20-somethings have their passwords kept in plain sight. This is in comparison with 10.8% of Baby Boomers. So it’s clear that the common wisdom that younger generations are inherently more data-secure falls flat on its face. The survey also found that the lack of secure password storage went hand in hand with syncing sensitive files to unprotected devices for the convenience of working from home. As Millennials are more likely than other generations to push for mobile or work-from-home options, companies need to find secure solutions to handle this trend without putting their data at risk.

Continue reading

Tomorrow is ‘The Day We Fight Back’ against mass surveillance

In Matt’s Damon’s AMA on Reddit last week, he was asked:

Hey Matt, your amazing monologue about the NSA in Good Will Hunting is probably more relevant today than it was when the film was first released. How did you come up with that scene, and are you at all surprised by the revelations on the NSA from the information released by Snowden? 

Here is the clip from Good Will Hunting:

Matt’s reply:

“Well, the first thing to that monologue is it’s safe to say that is the hardest that Ben and I have ever laughed while writing something. We were in our old house in Hollywood, in the basement of this house writing this thing and we were literally in tears because this monologue kept building on itself. We wrote it it one night and kept performing it back and forth, and pissing ourselves laughing.

You know, I was unaware, as I think everyone was, that they had that capacity. Snowden is literally changing policy. These are conversations we have to have about our security, and civil liberties, and we have to decide what we are willing to accept, and he’s provided a huge service kickstarting that debate…”

If you haven’t yet heard, tomorrow one of those conversations about our security, civil liberties, and what we’re willing to accept – it’s called The Day We Fight Back.

Thedaywefightback.org screen shot

“Together we will push back against powers that seek to observe, collect, and analyze our every digital action. Together, we will make it clear that such behavior is not compatible with democratic governance. Together, if we persist, we will win this fight.”

HOW YOU CAN PARTICIPATE:

WHAT HAPPENS ON FEBRUARY 11th:

In the U.S.: Thousands of websites will host banners urging people to call and email Congress. Ask legislators to oppose the FISA Improvements Act, support the USA Freedom Act, and enact protections for non-Americans.

Outside the U.S.: Visitors will be asked to urge appropriate targets to institute privacy protections.

Global events: Events are planned in cities worldwide, including in San Francisco, Los Angeles, Chicago, Copenhagen, Stockholm and more. Find an event near you.

Add the banner to your site now: Grab the banner code on thedaywefightback.org. They’ve built special plugins for WordPress and CloudFlare users and also have a special version of the banner that pushes people to call over email.

Will you join us? 

Guest Post: Can you trust a VPN to protect your privacy?

Privacy by policy vs. privacy by design: At SpiderOak we always preach privacy by design, we don’t *choose* to not see your data, we just *can’t*.

Sadly, a lot of online services cannot take on that philosophy, simply because of how the internet works right now. This is the case of VPN. VPNs are a great service, but depending on what you want or need, they might have some drawbacks, as we commented on our VPN, privacy and anonymity post.

If after understanding the contents of that post, you still want to use VPN, you will want to use one that is run by someone or some company that is trustworthy, because they will *choose* to protect your privacy. We believe IVPN is a really good example of how this kind of services should be run, so without further ado, we continue this post with a few words from Nick from IVPN.  – Tomas

———–

This article was written by IVPN’s Nick Pearson. IVPN is a privacy-orientated VPN platform, an Electronic Frontier Foundation member, dedicated to protecting online privacy.

For many years commercial Virtual Private Network companies have promised customers freedom from online surveillance and data retention practices. But with the government seemingly waging war on online privacy, is it really possible for a VPN company to protect its users – and how do you know which VPNs actually take online privacy seriously?

 How secure is a VPN?

 Firstly, any individual who has a critical need to avoid surveillance, such as political dissidents or anyone whose life may be at risk, should not rely on a single privacy tool to protect them – whether it’s a VPN, a free tool like The Onion Router, or I2P. In such scenarios, advanced set-ups, involving compartmentalization and isolation via a combination of virtual machines, VPNs and Tor, would be required (you can check out IVPN’s guide to advanced privacy solutions here). It’s also worth noting that even highly sophisticated set-ups probably won’t protect you from targeted surveillance by global-scale intelligence agencies, which can marshal a level of resources and expertise far beyond any individual or company.

 However, generally speaking, most potential VPN customers simply want to avoid data retention at the ISP level and circumvent internet censorship. In this case a VPN service would be sufficient. But only if the company running the VPN actually takes privacy seriously in the first place.

 Privacy policies

 For instance, most VPN companies shield users from data retention by allowing them to circumvent their ISPs ability to log their IP address and connections to other websites. By using a VPN your ISP can only see that your connected to the VPN’s servers and not the website that you’re browsing. But for this system to work, the user has to trust the VPN company not to log IP addresses and connections itself.

 The sad fact is many VPN companies – and indeed some of the most popular VPNs on the market – do in fact log and store customers’ data. Some VPNs will even retain this data longer than many ISPs. Perhaps even worse is that some VPNs are not upfront about their data retention practices and do not state in their privacy policies exactly what data they store and for how long (some VPNs don’t even have privacy policies).

 A VPN company should wipe its data logs regularly, ideally within hours of them being created, so that any requests for the data cannot be met. However, even if a VPN doesn’t store data, users’ privacy can still be compromised. Any company could be subpeoned by local authorities and forced into recording data on particular user. There are precedents for this, such as the Lulzsec fiasco, which saw a US-based VPN forced into logging data by the FBI. It’s therefore good to know what jurisdiction your VPN operates within, so you can get an idea of how local authorities behave toward them. This is a grey area, as there are no countries (that we’re aware of) that will protect a VPN’s right to not log data. All you can do is try to avoid those countries whose authorities have a track record in zealous online surveillance.

 What questions do you need to ask?

 So if you’re thinking of signing-up to a VPN service what questions should you ask in order to determine whether or not they take privacy seriously. Here’s a few suggestions.

 Do they have a privacy policy? This sounds like a no-brainer, but you’d be surprised to discover some VPNs don’t even have a privacy policy, let alone one that’s up to scratch. If they don’t bother telling you their approach to privacy, steer clear.

 How long do they retain logs? The vast majority of VPNs will log data for network troubleshooting purposes. However, there’s no reason to store data longer than a few days, unless the company is eager to comply with requests from authorities or from other third parties such as copyright holders. Ideally, a VPN should be wiping logs within hours. If the VPN doesn’t say how long it retains data then ask them directly. A good place to start is this list of VPNs that don’t log data.

 What country is the VPN registered in? Knowing what country the VPN is registered in will let you research the country’s laws pertaining to online privacy. As mentioned above, there are no countries that offer complete sanctuary for VPNs who don’t want to log data, but some are better than others.

 What other personal data will the company retain? It’s important to know whether a VPN can link your account to a real identity. Does the VPN require an address, or credit card information? Can you use a more anonymous form of payment such as Bitcoin?

 What will the VPN do if laws change? With governments around the world cracking down on online freedoms, it’s quite possible that VPNs could come under scrutiny. It’s therefore important that a VPN company notify its customers of any change in local laws, which may affect its ability to protect user privacy.

VPN, privacy and anonymity

There is a common misconception when it comes to anonymity and privacy for users and VPNs that we felt we should try to clarify.

When the goal for a user is to handle all their things as private as possible, or be completely anonymous, the most (seemingly) harmless little detail can make a tremendous difference and compromise every effort made.

So given this fragile balance of everything, lets start by the very first thing that needs to be clear, what does it mean to be anonymous online and what does it mean to have privacy.

Anonymity

If you are one of those readers who note every subtle use of words (I am not) you may have noticed that I said “be anonymous” and “have privacy”. That’s the first and one of the most important details: anonymity is not retroactive. Which means, if you know what you are doing, you are going to become anonymous from one point and only from that point that “property” of your identity will be valid. Before that point in time, you might as well have streamed a live recording of your whole life.

Being anonymous basically works as follows: there are certain countries that assign an ID number to all its citizens, so every person born in it can be reduced on paper to that number. If we remove that ID, we are left with all the other details (hair color, height, etc) that aren’t unique, but combine them and you’ll have what we might call a pseudo-ID. Which is quite close to be as good as the actual ID number. So being anonymous online implies that your pseudo-ID or identifying characteristics make you no different than a big enough group.

It’s basically like saying that you are called John Smith, and 90% of the John Smiths of the world have a certain skin color, hair color and so on, and you are one of those. If you are a John Smith with a hair color from the other 10%, you could dye your hair and you’ll be becoming anonymous from that point on (i.e. unrecognizable from the other billion John Smiths).

Being anonymous online basically means becoming a part of an even bigger group of “John Smiths”, so once you are anonymous you should be really complicated to locate in the world. But it’s also a lot harder to become.

You might use all the software in the world for anonymity, but at some point you might behave in a certain way (write a word more than another, or type at a certain velocity, or always appear online in the same time frame) and you will be blowing away the cover that you created.

Privacy

Privacy works a little different, you can “enable” and “disable” privacy as you wish (if you know what you’re doing and you’re being careful). An eavesdropper will know you are you, but you can choose whether to let that person see what you are doing or not (hint: use HTTPS or HTTP).

Privacy is the concealing of data from people other than you. This data might be a file, or it might be what you are sending and receiving through your WiFi connection every second. Privacy is the door you close when you go to the bathroom, or rather, the door you choose to close. The main problem with privacy though, is knowing where those doors are and knowing how to close them properly.

The main argument against wanting privacy I’ve heard is “I have nothing to hide”. To which I say: do you let other people watch and record you while you’re in the bathroom?

So it’s a matter of boundaries and knowing that those boundaries cannot be broken. It’s knowing that even if you are being recorded in while your bathroom, that camera won’t be capturing anything worthwhile, i.e. the video will be all static. It doesn’t matter which camera you use, it’s not possible for you to see me where I don’t want to be seen. That’s “privacy by design”, but we’ll talk about it more in another post.

How do VPNs work?

VPN stands for Virtual Private Network. The idea behind it is not really complex: when you open your browser and enter an URL like https://google.com and hit the return key, your computer starts sending “network packets” to some other computer, which in turn sends them to some other computer, which in turn… well, and so on, until it reaches one of the computers behind the URL you want to access. There, it reaches the content you asked for and goes all the way back to your home computer. Jumping from host to host in the middle.

Now say you are in a cafe and they have WiFi, if you connect to it and start doing internet things, your “network packets” will go first to the WiFi router and then to the big chain of computers we discussed. So if someone is “standing” in the WiFi router, they can see what you are doing (or part of it). “Oh! Mary is accessing her GMail account”.

Connecting to a web server without VPN

If you use a VPN, what you are doing is basically presetting the first computer your “network packet” will reach once it goes out of yours. Well, not exactly right, but the VPN server will be the first computer that will understand what you want to do. So now the person standing in the router can only say “Oh! Mary is accessing this computer” (which will be the VPN server), and that’s all they will be able to see.

Connecting to a web server with VPN

If someone is “standing” in the VPN server, they will have the same power the person standing in the router in the non-VPN scenario has. But may be the only person standing there is you, because it’s your computer at home acting as a VPN server, or the computer of someone you trust. Which is great! right? You don’t have to trust all the random coffee lovers that might sit right next to you in that particular day in that particular coffee shop.

What does a VPN give its users?

So VPNs sound really neat, and indeed they are. You can control an important portion of how you are being seen by the outside world. But be careful! “outside world” in this case means something along the lines of “random people in the same coffee shop as you”, not “everyone in the whole wide world”.

VPNs are like ensuring that when you take a shower, only your husband or wife can open that bathroom door, and that’s ok, because you truly trust that person – you choose him or her.

What does a VPN NOT give its users?

Well, what if your significant other lets somebody else inside? That would be an enormous betrayal of your trust!, but it is possible, is it not?

VPNs work kind of in the same way, the people behind the VPN server are the ones in control. If you play your cards right (i.e. use HTTPS all the time), they won’t have complete control, but they will still have some.

Privacy and anonymity do NOT go hand in hand with VPNs, and that’s the end of the story. If you are looking for those two particular words, you must not trust a VPN. If someone tells you “you will be completely anonymous, you’ll have VPN running all the time”, that’s a lie. You’ll have this really neat and handy service called VPN running, and it’ll “save” you from a lot of thing, but it won’t anonymize you, it will just give you some privacy, SOME.

The problem with privacy is that it’s not a binary state, it’s not an ON/OFF switch. It has different scales of ON and OFF. So what do you want to protect? Ask yourself that multiple times, answer it carefully, and then and only then decide whether VPNs give you the privacy you want or not.

This is too much information, just tell me how to maintain my anonymity and privacy!

Well I’ve got bad news for you, being truly anonymous might even be called an art. It’s really hard, it has a lot of layers. So if you want to be truly anonymous, I suggest you start reading about all the ways you can compromise your anonymity. Read about how to attack anonymity so you’ll know how to defend yourself. But first things first! What do you want to protect?

For privacy, things are a bit easier. You just need to be careful what software you use and how. Pick software or services that have privacy as their main goal. Always maintain your paranoid alarms in a healthy level. Do not give your trust away easily. You’ll want to use services that use cryptography in some way, they might be using it wrong, but that’s a good start at least. You don’t want to use a service that the only privacy related thing they have is the privacy policy.

So, what do you want to protect?