Tag Archives: privacy

Tomorrow is ‘The Day We Fight Back’ against mass surveillance

In Matt Damon’s AMA on Reddit last week, he was asked:

Hey Matt, your amazing monologue about the NSA in Good Will Hunting is probably more relevant today than it was when the film was first released. How did you come up with that scene, and are you at all surprised by the revelations on the NSA from the information released by Snowden? 

Here is the clip from Good Will Hunting:

Matt’s reply:

“Well, the first thing to that monologue is it’s safe to say that is the hardest that Ben and I have ever laughed while writing something. We were in our old house in Hollywood, in the basement of this house writing this thing and we were literally in tears because this monologue kept building on itself. We wrote it in one night and kept performing it back and forth, and pissing ourselves laughing.

You know, I was unaware, as I think everyone was, that they had that capacity. Snowden is literally changing policy. These are conversations we have to have about our security, and civil liberties, and we have to decide what we are willing to accept, and he’s provided a huge service kickstarting that debate…”

If you haven’t yet heard, tomorrow is one of those conversations about our security, civil liberties, and what we’re willing to accept – it’s called The Day We Fight Back.


“Together we will push back against powers that seek to observe, collect, and analyze our every digital action. Together, we will make it clear that such behavior is not compatible with democratic governance. Together, if we persist, we will win this fight.”

HOW YOU CAN PARTICIPATE:

WHAT HAPPENS ON FEBRUARY 11th:

In the U.S.: Thousands of websites will host banners urging people to call and email Congress. Ask legislators to oppose the FISA Improvements Act, support the USA Freedom Act, and enact protections for non-Americans.

Outside the U.S.: Visitors will be asked to urge appropriate targets to institute privacy protections.

Global events: Events are planned in cities worldwide, including in San Francisco, Los Angeles, Chicago, Copenhagen, Stockholm and more. Find an event near you.

Add the banner to your site now: Grab the banner code on thedaywefightback.org. They’ve built special plugins for WordPress and CloudFlare users and also have a special version of the banner that pushes people to call over email.

Will you join us? 

Guest Post: Can you trust a VPN to protect your privacy?

Privacy by policy vs. privacy by design: At SpiderOak we always preach privacy by design: we don’t *choose* to not see your data, we just *can’t*.

Sadly, a lot of online services cannot take on that philosophy, simply because of how the internet works right now. This is the case with VPNs. VPNs are a great service, but depending on what you want or need, they might have some drawbacks, as we discussed in our VPN, privacy and anonymity post.

If, after understanding the contents of that post, you still want to use a VPN, you will want one that is run by a person or company that is trustworthy, because they will *choose* to protect your privacy. We believe IVPN is a really good example of how this kind of service should be run, so without further ado, we continue this post with a few words from Nick from IVPN.  - Tomas

———–

This article was written by IVPN’s Nick Pearson. IVPN is a privacy-orientated VPN platform, an Electronic Frontier Foundation member, dedicated to protecting online privacy.

For many years commercial Virtual Private Network companies have promised customers freedom from online surveillance and data retention practices. But with the government seemingly waging war on online privacy, is it really possible for a VPN company to protect its users – and how do you know which VPNs actually take online privacy seriously?

 How secure is a VPN?

 Firstly, any individual who has a critical need to avoid surveillance, such as political dissidents or anyone whose life may be at risk, should not rely on a single privacy tool to protect them – whether it’s a VPN, a free tool like The Onion Router, or I2P. In such scenarios, advanced set-ups, involving compartmentalization and isolation via a combination of virtual machines, VPNs and Tor, would be required (you can check out IVPN’s guide to advanced privacy solutions here). It’s also worth noting that even highly sophisticated set-ups probably won’t protect you from targeted surveillance by global-scale intelligence agencies, which can marshal a level of resources and expertise far beyond any individual or company.

 However, generally speaking, most potential VPN customers simply want to avoid data retention at the ISP level and circumvent internet censorship. In this case a VPN service would be sufficient. But only if the company running the VPN actually takes privacy seriously in the first place.

 Privacy policies

 For instance, most VPN companies shield users from data retention by allowing them to circumvent their ISP’s ability to log their IP address and connections to other websites. When you use a VPN, your ISP can only see that you’re connected to the VPN’s servers and not the website that you’re browsing. But for this system to work, the user has to trust the VPN company not to log IP addresses and connections itself.

 The sad fact is many VPN companies – and indeed some of the most popular VPNs on the market – do in fact log and store customers’ data. Some VPNs will even retain this data longer than many ISPs. Perhaps even worse is that some VPNs are not upfront about their data retention practices and do not state in their privacy policies exactly what data they store and for how long (some VPNs don’t even have privacy policies).

 A VPN company should wipe its data logs regularly, ideally within hours of them being created, so that any requests for the data cannot be met. However, even if a VPN doesn’t store data, users’ privacy can still be compromised. Any company could be subpoenaed by local authorities and forced into recording data on a particular user. There are precedents for this, such as the Lulzsec fiasco, which saw a US-based VPN forced into logging data by the FBI. It’s therefore good to know what jurisdiction your VPN operates within, so you can get an idea of how local authorities behave toward them. This is a grey area, as there are no countries (that we’re aware of) that will protect a VPN’s right to not log data. All you can do is try to avoid those countries whose authorities have a track record in zealous online surveillance.

 What questions do you need to ask?

 So if you’re thinking of signing up to a VPN service, what questions should you ask in order to determine whether or not they take privacy seriously? Here are a few suggestions.

 Do they have a privacy policy? This sounds like a no-brainer, but you’d be surprised to discover some VPNs don’t even have a privacy policy, let alone one that’s up to scratch. If they don’t bother telling you their approach to privacy, steer clear.

 How long do they retain logs? The vast majority of VPNs will log data for network troubleshooting purposes. However, there’s no reason to store data longer than a few days, unless the company is eager to comply with requests from authorities or from other third parties such as copyright holders. Ideally, a VPN should be wiping logs within hours. If the VPN doesn’t say how long it retains data then ask them directly. A good place to start is this list of VPNs that don’t log data.

 What country is the VPN registered in? Knowing what country the VPN is registered in will let you research the country’s laws pertaining to online privacy. As mentioned above, there are no countries that offer complete sanctuary for VPNs who don’t want to log data, but some are better than others.

 What other personal data will the company retain? It’s important to know whether a VPN can link your account to a real identity. Does the VPN require an address, or credit card information? Can you use a more anonymous form of payment such as Bitcoin?

 What will the VPN do if laws change? With governments around the world cracking down on online freedoms, it’s quite possible that VPNs could come under scrutiny. It’s therefore important that a VPN company notify its customers of any change in local laws, which may affect its ability to protect user privacy.

VPN, privacy and anonymity

There is a common misconception when it comes to anonymity and privacy for users and VPNs that we felt we should try to clarify.

When a user’s goal is to keep everything as private as possible, or to be completely anonymous, the most (seemingly) harmless little detail can make a tremendous difference and compromise every effort made.

So given this fragile balance, let’s start with the very first thing that needs to be clear: what does it mean to be anonymous online, and what does it mean to have privacy?

Anonymity

If you are one of those readers who note every subtle use of words (I am not) you may have noticed that I said “be anonymous” and “have privacy”. That’s the first and one of the most important details: anonymity is not retroactive. If you know what you are doing, you become anonymous from a certain point in time, and that “property” of your identity is valid only from that point on. Before that point in time, you might as well have streamed a live recording of your whole life.

Being anonymous basically works as follows: certain countries assign an ID number to all their citizens, so every person born there can be reduced on paper to that number. If we remove that ID, we are left with all the other details (hair color, height, etc.) that aren’t unique on their own, but combine them and you’ll have what we might call a pseudo-ID, which is quite close to being as good as the actual ID number. So being anonymous online implies that your pseudo-ID, or identifying characteristics, make you no different from a big enough group.

It’s basically like saying that you are called John Smith, and 90% of the John Smiths of the world have a certain skin color, hair color and so on, and you are one of those. If you are a John Smith with a hair color from the other 10%, you could dye your hair and you’ll become anonymous from that point on (i.e. indistinguishable from the other billion John Smiths).

Being anonymous online basically means becoming a part of an even bigger group of “John Smiths”, so once you are anonymous you should be really hard to locate in the world. But that state is also a lot harder to reach.

You might use all the software in the world for anonymity, but at some point you might behave in a certain way (use one word more than another, or type at a certain speed, or always appear online in the same time frame) and you will be blowing the cover that you created.
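The pseudo-ID idea above can be measured: count how many people share the same combination of attributes. This is an added example, not code from the original post; the population, attribute names and function names are constructed for illustration.

```python
from collections import Counter
from itertools import combinations

ATTRS = ("name", "hair", "height", "city")

# Constructed sample population (not real data).
POPULATION = [dict(zip(ATTRS, row)) for row in [
    ("John Smith", "brown", "tall", "Leeds"),
    ("John Smith", "brown", "tall", "Leeds"),
    ("John Smith", "brown", "short", "Leeds"),
    ("John Smith", "brown", "tall", "York"),
    ("John Smith", "red", "tall", "Leeds"),    # index 4: "our" John
    ("Mary Jones", "red", "tall", "Leeds"),
    ("Mary Jones", "brown", "short", "York"),
    ("Mary Jones", "red", "short", "York"),
    ("John Smith", "brown", "short", "York"),
    ("Mary Jones", "brown", "tall", "Leeds"),
]]
JOHN = 4


def key(person, attrs):
    """The pseudo-ID: the person's values for the chosen attributes."""
    return tuple(person[a] for a in attrs)


def anonymity_sets(population, attrs):
    """Map each pseudo-ID to the number of people who share it."""
    return Counter(key(p, attrs) for p in population)


def set_size(person, population, attrs):
    """How many people (including this one) look identical on attrs."""
    return anonymity_sets(population, attrs)[key(person, attrs)]


def unique_count(population, attrs=ATTRS):
    """Number of people whose pseudo-ID singles them out."""
    return sum(1 for n in anonymity_sets(population, attrs).values() if n == 1)


def smallest_identifying_subset(person, population, attrs=ATTRS):
    """Fewest attributes that make this person unique, or None if no
    combination does (the person is hidden in a group)."""
    for r in range(1, len(attrs) + 1):
        for subset in combinations(attrs, r):
            if set_size(person, population, subset) == 1:
                return subset
    return None


def with_change(population, index, **changes):
    """Copy of the population with one person's attributes changed."""
    updated = [dict(p) for p in population]
    updated[index].update(changes)
    return updated


if __name__ == "__main__":
    john = POPULATION[JOHN]
    for attr in ATTRS:
        print(f"{attr:7} alone -> group of", set_size(john, POPULATION, (attr,)))
    print("identifying combination:", smallest_identifying_subset(john, POPULATION))
    dyed = with_change(POPULATION, JOHN, hair="brown")
    print("after dyeing, group on all attributes:",
          set_size(dyed[JOHN], dyed, ATTRS))
```

No single attribute identifies this John, but name plus hair color does; after the change he shares every attribute with two other people.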

Privacy

Privacy works a little differently: you can “enable” and “disable” privacy as you wish (if you know what you’re doing and you’re being careful). An eavesdropper will know you are you, but you can choose whether to let that person see what you are doing or not (hint: choosing between HTTPS and HTTP is one such switch).

Privacy is the concealing of data from people other than you. This data might be a file, or it might be what you are sending and receiving through your WiFi connection every second. Privacy is the door you close when you go to the bathroom, or rather, the door you choose to close. The main problem with privacy though, is knowing where those doors are and knowing how to close them properly.

The main argument against wanting privacy I’ve heard is “I have nothing to hide”. To which I say: do you let other people watch and record you while you’re in the bathroom?

So it’s a matter of boundaries and knowing that those boundaries cannot be broken. It’s knowing that even if you are being recorded while in your bathroom, that camera won’t be capturing anything worthwhile, i.e. the video will be all static. It doesn’t matter which camera you use, it’s not possible for you to see me where I don’t want to be seen. That’s “privacy by design”, but we’ll talk about it more in another post.

How do VPNs work?

So now we get to this VPN thing. VPN stands for Virtual Private Network. The idea behind it is not really complex: when you open your browser, enter a URL like https://google.com and hit the return key, your computer starts sending “network packets” to some other computer, which in turn sends them to some other computer, which in turn… well, and so on, until they reach one of the computers behind the URL you want to access. There, the request reaches the content you asked for, and the response goes all the way back to your home computer, jumping from host to host in the middle.

Now say you are in a cafe and they have WiFi. If you connect to it and start doing internet things, your “network packets” will go first to the WiFi router and then to the big chain of computers we discussed. So if someone is “standing” in the WiFi router, they can see what you are doing (or part of it). “Oh! Mary is accessing her GMail account”.

Connecting to a web server without VPN

If you use a VPN, what you are doing is basically presetting the first computer your “network packet” will reach once it goes out of yours. That’s not exactly right, but the VPN server will be the first computer that will understand what you want to do. So now the person standing in the router can only say “Oh! Mary is accessing this computer” (which will be the VPN server), and that’s all they will be able to see.

Connecting to a web server with VPN

If someone is “standing” in the VPN server, they will have the same power the person standing in the router in the non-VPN scenario has. But maybe the only person standing there is you, because it’s your computer at home acting as a VPN server, or the computer of someone you trust. Which is great, right? You don’t have to trust all the random coffee lovers that might sit right next to you on that particular day in that particular coffee shop.

What does a VPN give its users?

So VPNs sound really neat, and indeed they are. You can control an important portion of how you are being seen by the outside world. But be careful! “Outside world” in this case means something along the lines of “random people in the same coffee shop as you”, not “everyone in the whole wide world”.

VPNs give you the chance of taking a shower where only your husband or wife can open that bathroom door, and that’s ok, because you truly trust that person; you chose him or her.

What does a VPN NOT give its users?

Well, what if your significant other lets somebody else inside? That would be an enormous betrayal of your trust! But it is possible, is it not?

VPNs work kind of in the same way: the people behind the VPN server are the ones in control. If you play your cards right (i.e. use HTTPS all the time), they won’t have complete control, but they will still have some.

Privacy and anonymity do NOT go hand in hand with VPNs, and that’s the end of the story. If you are looking for those two particular words, you must not trust a VPN. If someone tells you “you will be completely anonymous, you’ll have VPN running all the time”, that’s a lie. You’ll have this really neat and handy service called VPN running, and it’ll “save” you from a lot of things, but it won’t anonymize you, it will just give you some privacy, SOME.
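The cafe scenario above can be modelled as nested envelopes, where each observer reads only the layers it holds the key for. This is an added example, not code from the original post; it is a model, not real encryption, and the host names and function names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed names for the parties in the cafe scenario.
MARY, WIFI = "mary-laptop", "cafe-wifi-router"
VPN, WEB = "vpn.example", "mail.example"
REQUEST = "GET /inbox"


@dataclass(frozen=True)
class Sealed:
    """Stands in for encryption: only key_owner can read `inner`."""
    key_owner: str
    inner: object


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: object  # cleartext str, a Sealed layer, or a nested Packet


def build_packet(use_vpn, use_https):
    """The packet as it leaves Mary's laptop."""
    body = Sealed(WEB, REQUEST) if use_https else REQUEST
    inner = Packet(MARY, WEB, body)
    if not use_vpn:
        return inner
    # The whole original packet travels inside the tunnel to the VPN server.
    return Packet(MARY, VPN, Sealed(VPN, inner))


def view(packet, observer):
    """What `observer` learns from a packet passing through it."""
    destination, content, layer = packet.dst, None, packet.payload
    while layer is not None:
        if isinstance(layer, Sealed):
            # Opaque unless the observer holds the key for this layer.
            layer = layer.inner if layer.key_owner == observer else None
        elif isinstance(layer, Packet):
            # A readable inner header reveals the real destination.
            destination, layer = layer.dst, layer.payload
        else:
            content, layer = layer, None
    return {"who": packet.src, "destination": destination, "content": content}


def report():
    """Every combination of VPN/HTTPS as seen from both vantage points."""
    rows = []
    for use_vpn in (False, True):
        for use_https in (False, True):
            pkt = build_packet(use_vpn, use_https)
            observers = (WIFI, VPN) if use_vpn else (WIFI,)
            for obs in observers:
                rows.append((use_vpn, use_https, obs, view(pkt, obs)))
    return rows


if __name__ == "__main__":
    for use_vpn, use_https, obs, seen in report():
        print(f"vpn={use_vpn!s:5} https={use_https!s:5} {obs:17} {seen}")
```

With the VPN on, the WiFi router sees only the VPN server, while the VPN server sees exactly what the router saw without the VPN; HTTPS hides the content from both but not the destination.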

The problem with privacy is that it’s not a binary state, it’s not an ON/OFF switch. It has different scales of ON and OFF. So what do you want to protect? Ask yourself that multiple times, answer it carefully, and then and only then decide whether VPNs give you the privacy you want or not.

This is too much information, just tell me how to maintain my anonymity and privacy!

Well, I’ve got bad news for you: being truly anonymous might even be called an art. It’s really hard, and it has a lot of layers. So if you want to be truly anonymous, I suggest you start reading about all the ways you can compromise your anonymity. Read about how to attack anonymity so you’ll know how to defend yourself. But first things first! What do you want to protect?

For privacy, things are a bit easier. You just need to be careful what software you use and how. Pick software or services that have privacy as their main goal. Always maintain your paranoid alarms at a healthy level. Do not give your trust away easily. You’ll want to use services that use cryptography in some way; they might be using it wrong, but that’s a good start at least. You don’t want to use a service whose only privacy-related feature is its privacy policy.

So, what do you want to protect?

And Now: a SpiderOak Video Singalong (12 Days of Privacy)

“On the 12th Day of Privacy, SpiderOak gave to me….”

For those of you who would like to see a slightly embarrassing and quite silly compilation of SpiderOakers singing what we’ve deemed The 12 Days of Privacy*, then this is for you! We have more than 50 employees all over the world, and this is but a selection of them – from our developers, to customer support, to sales and marketing folks, and yes – even our co-founders. (If you make it through all four minutes – you deserve an award.)

But seriously, thanks for watching! We had fun.

Meanwhile, for the rest of December, you CAN in fact nab 25% off all yearly plans. Here’s how.

What lyrics would you include in the “12 Days of Privacy”?

Happy Holidays! 

*Disclaimer: We do know the 12 Days of Privacy typically begins on Christmas, but we chose to celebrate it before the holidays.


Privacy: The Year and the Word

You can imagine how tickled we were yesterday when Dictionary.com named ‘Privacy’ the word of the year. They wrote, “The discussion of privacy – what it is and what it isn’t – embodies the preeminent concerns of 2013.”

Not to toot our own horn but at the beginning of this year, our executives, marketing team and PR firm sat around a table and got very clear on our message. As a result, we released this on January 28th, calling 2013 The Year of Privacy.

Of course we couldn’t predict the Snowden disclosures about the NSA surveillance, the Google Glass release, all the changes in privacy policies that got users in a tizzy, or the Snapchat snafu, but what we have known for some time now is that privacy is the best form of security.

Check out this cool info-graphic on The Year in Privacy.

Privacy in a digital world is not easy and it certainly poses some interesting challenges and contradictions. Look no further than the immediate criticism Dictionary.com received due to naming ‘Privacy’ the word of the year…

“Today, just visiting the homepage of Dictionary.com sets 90 cookies and replicating the method from the Wall Street Journal investigation (including reading the blogpost on ‘privacy’ being the word of the day) yields 198 cookies, according to The Washington Post’s research.” — Click here to read more.

As we look to 2014, it is our mission to continue protecting our users’ privacy, developing more ‘Zero-Knowledge’ cloud technologies, and pushing privacy further and further into the web.

Happy holidays and cheers to privacy!

12 Days of Privacy: 25% Off!


On the fifth day of Privacy

SpiderOak gave to me:

25% off!!

On December 13, we introduced the 12 Days of Privacy* – sung to the tune of the 12 Days of Christmas. We hope to share with you what the 12 Days of Privacy means to us with this little holiday spin off.

Today is the 5th day of our 12 Days of Privacy which means you can enjoy “Twenty-fiiiiiive percent off!” all yearly plans!

Current Users:

  1. Login to your account online.
  2. Go to your ‘Account‘ tab at the top
  3. Click ‘Buy More Space,’ and then choose ‘Upgrade My Plan.’
  4. Plug in the promo code 12DaysofPrivacy, and choose which plan you want under Yearly Billing.

New Users (Welcome!):

  1. Sign up here
  2. Download and install the client
  3. Click ‘Buy More Space’ in the client itself, or via the web portal (which will then take you to a new screen, where you need to choose ‘Upgrade My Plan.‘)
  4. Use the promo code 12DaysofPrivacy and choose which plan you want under Yearly Billing.

What do you think the 6th Day of Privacy will bring?

*We do know that the original 12 days of Christmas begins on Christmas day, but we wanted to do our own spin off before the holidays. 

12 Days of Privacy: 4 ‘Zero-Knowledge’

 

 


On the fourth day of Privacy

SpiderOak gave to me:

4 ‘Zero-Knowledge’ 

On December 13, we introduced the 12 Days of Privacy* – sung to the tune of the 12 Days of Christmas. We hope to share with you what the 12 Days of Privacy means to us with this little holiday spin off.

You can join in too!

We don’t want to have all the fun so we invite you to submit your own lyrics. Share them with us on Facebook, Twitter, or in the comments section, and we’ll promote them throughout the week! We can’t wait to see what the 12 Days of Privacy means to you. To find out what the SpiderOak staff and fans come up with, follow #12DaysOfPrivacy.

Tis the season of Privacy!

*We do know that the original 12 days of Christmas begins on Christmas day, but we wanted to do our own spin off before the holidays. 

The Crypto-Think & The 12 Days of Privacy

At the beginning of the year, we predicted that 2013 was going to be “The Year of Privacy.” It’s been amazing to watch privacy take the forefront in national and international debates as well as have growing attention and importance in the online world. As the new year approaches, we can only hope 2014 brings increased efforts to fight for the right to privacy across the globe.

Today, Dec. 13, we will be holding The CRYPTO-THINK – our very first Web Privacy Think Tank – in San Francisco at our SpiderOak headquarters. SpiderOak and the ‘Zero-Knowledge’ Privacy Foundation have invited a diverse group of developers from around the country to an open discussion around the good, the bad, and the ugly truth of privacy. “One small step for Javascript, one giant leap for browser privacy.”

We hope this is the first of many events and hackathons that will help improve and change web privacy as we know it. Will you help chart a course to the unthinkable?

The CRYPTO-THINK


 12 Days of Privacy


On the first day of Privacy

SpiderOak gave to me:

A public/private RSA key!

Starting today – the first day of privacy – we will be sharing over the next 12 days what that means to us as a company. Our version of the song is called the 12 Days of Privacy*, sung to the same tune as the 12 Days of Christmas. Stay tuned via Twitter, Facebook or this blog to see what we’ve come up with and submit your own lyrics for a chance to win free GBs.

Tis the season of Privacy!


*We do know that the original 12 days of Christmas begins on Christmas day, but we wanted to do our own spin off before the holidays. 

Join SpiderOak and Thousands of Others to Demand ECPA Reform

Today, SpiderOak is joining a nationwide day of action calling for reform of the Electronic Communications Privacy Act (ECPA), the law that says the government can access your email and documents in the cloud without a warrant.

ECPA is one of the Internet’s most outdated laws – it was enacted in 1986, before most people had access to a home computer or email. While the public has been rightfully outraged over reports that the NSA accesses communications without a warrant, ECPA says that hundreds of other government agencies—like the IRS, FBI, and DEA, as well as state and local law enforcement agencies—can access many of our stored emails, private social media messages, and documents in the cloud without getting a warrant from a judge. The law flies directly in the face of our Fourth Amendment values.

Bills to reform ECPA have gained huge support in recent months from both parties in Congress. However, legislation is now being blocked by a power grab from the Securities and Exchange Commission, which is pushing for a special carve-out for regulatory agencies to get your documents from online providers without a warrant. The SEC carve-out would neuter ECPA reform.

That’s why we’re calling on the White House to break its silence and stand up for ECPA reform. We need President Obama to tell the SEC to back down in its demands for troubling new powers and make clear that the time for ECPA reform is now.

Today we ask you join us by signing this petition to the White House. It’s time for the President to join hundreds of tech companies, startups, advocates, and Members of Congress by supporting this commonsense, long overdue reform to ensure our privacy rights online.

No Knowing November

No matter where you consume the news, there is no escaping the revelations continually coming out of PRISM and MUSCULAR and their impact around the globe. At its root, it uncovered a dangerous problem – privacy online is indeed threatened at every level.

Since its inception in 2007, SpiderOak has been focused on preserving our users’ privacy through the implementation of ‘Zero-Knowledge’ technologies – the privacy-first orientation that ensures the server never knows what data it is storing. How is this accomplished? By never storing the encryption keys and therefore never having plaintext access to the data. Ultimately, this is the only way to give ownership and control back to the user and – thus – ensure privacy throughout the process.

Back in January – when everyone was talking about the importance of security – we had the foresight to call 2013 the Year of Privacy. As we have seen, security only solves half of the problem. When a company retains the keys to the data, it also maintains the ability to access it. That access can then be used in a number of damaging ways, as was exposed back in June.

Help us make this month NO KNOWING NOVEMBER by sharing this critical message on privacy through ‘No Knowing!’

WANT TO SHARE?

  • Promote privacy through #NoKnowing
  • Use any of our ‘No Knowing’ images