

My Privacy Plan - benrmatthews
http://benrmatthews.com/2013/06/my-privacy-plan/

======
frisco
I feel like this is a rather porous plan for privacy.

> 1\. Sign up to relevant pressure groups

Ok, I like this one. No reason not to. Support the EFF.

> 2\. Install HTTPS Everywhere

Since I believe that the NSA likely already have all of the relevant private
keys, I'm not sure about this one. HTTPS is still better than no HTTPS, but
don't overestimate it.

> 3\. Install Adblock Plus

Yep ok. Making it harder to be tracked across the internet is good.

> 4\. Review my browser use

Sure. Use Chrome + best practices.

> 5\. Review web services I use and switch if necessary

Suddenly this appears: a catch-all "change everything I do on the internet".
Stop using Facebook, Skype, Gmail, etc. Probably not going to happen. I'll
come back to this in a second.

> 6\. Download and Use Tor

Given my belief that the government is probably running enough nodes to
reconstruct Tor identities, I'm not convinced that this helps much.

> 7\. Use the Onion Browser on my mobile

See #6.

> 8\. Run "host-proof" Web applications

This is an extension of #5. I like the idea, but this is hard. Startups like
Ciphercloud and Social Fortress are ostensibly working on it; I look forward
to when they're available. I imagine that if any significant percentage of
people start using, say, Social Fortress on Facebook, Facebook will make it
against the TOS.

I do think that the NSA has probably broken RSA. It's notable that they
haven't approved it for securing classified data, despite the fact that it
would significantly simplify the DOD's current pains around key distribution.
This, of course, takes SSL with it, but importantly takes PGP, too. Running
GPGMail on a desktop isn't enough.

###

My privacy plan will involve learning more about politics. Who are our
representatives? What districts play disproportionate roles here? How are the
oversight committees formed? Who's on them and why? What can we do to be
involved? This is a much longer timescale play -- it's a lifetime of being
involved, rather than a quick technological fix now. I'm not confusing a
personal interest here with having influence -- I'm just one person, and not a
high-profile one, and alone I won't have much impact. But, I don't believe
that there's any substitute for a politically engaged constituency.

I don't believe that Washington is fundamentally corrupt or irreversibly
damaged. In the Snowden video he spoke about how these decisions are viewed as
policy and not law -- so a future president may decide to go off the deep end
into despotism. But since it's still policy, there are systems for this. It's
not ok to simply complain that the system will defend itself and there's
nothing you can do. Apply the same mindset that drives you through the
multiple brick walls that are a startup to changing Washington.

~~~
iuguy
> 5\. Review web services I use and switch if necessary > Suddenly this
> appears: a catch-all "change everything I do on the internet". Stop using
> Facebook, Skype, Gmail, etc. Probably not going to happen. I'll come back to
> this in a second.

You say that, but having switched to DuckDuckGo[1] for the past few weeks I'm
slowly but surely losing my reliance on Google for personal stuff. Sure, it's
not as good as Google in terms of finding relevant results or having the rest
of the ecosystem, but it's no worse than using the web a few years ago, which
to me is good enough (and I make some pretty esoteric searches).

I'm looking further into moving away from the traditional Internet to
something a bit more self-hosted and it looks possible.

~~~
yk
The trick about using DDG is their !bang [1] notation, which you can use to
pipe searches directly into the search of another site. ( At least for many
large sites.) Especially, if you prefix your search with !g you will get the
Google result page for that search. This is of course a privacy vs usability
trade off, but Google still sees only a few searches. With this, I actually
think that DDG beats Google as search engine, since quite often I want to just
search Wikipedia (!w) or Stackexchange (!se) and in this cases DDG takes me
directly to these sites.

[1][https://duckduckgo.com/bang.html](https://duckduckgo.com/bang.html)

------
u2328
Well, I don't think I've ever felt so paranoid. Thanks President Obama, this
is the exact opposite thing we wanted you to do when we voted for you.

~~~
pvdm
I think people are beginning to realize that the demorepublican party is two
sides of the same coin. Tails you lose, heads they win.

~~~
u2328
Ha, no. Save possibly Rand Paul, I still think the Republicans are _way_
worse.

~~~
tzs
Would that be the Rand Paul who said this?

"I’m not for profiling people on the color of their skin, or on their
religion, but I would take into account where they’ve been traveling and
perhaps, you might have to indirectly take into account whether or not they’ve
been going to radical political speeches by religious leaders. It wouldn’t be
that they are Islamic. But if someone is attending speeches from someone who
is promoting the violent overthrow of our government, that’s really an offense
that we should be going after — they should be deported or put in prison".

[http://articles.baltimoresun.com/2011-06-08/entertainment/ba...](http://articles.baltimoresun.com/2011-06-08/entertainment/bal-20110608_1_rand-
paul-speeches-comments)

~~~
u2328
I realize the consequence of throwing support behind Rand Paul, because as an
Obama supporter, there's clearly a lot I would disagree with him on. But,
enough with the cult of personalities; if he's going to make waves on this
issue in Congress, then I support him on it. That does not mean I suddenly
agree with all of his policy positions. This is politics, not football. I care
about the issues, not the teams.

------
dkokelley
There is a fundamental problem with being truly secure online. That flaw is
that the sites and services we use are compromised. In order to me to write
this comment, I'm relying on the free wifi at Starbucks to not log my actions.
I'm relying on their ISP to not log the traffic to HN's servers. I'm relying
on Google's Chrome browser to correctly recognize HN's certificate and encrypt
my packets properly, and I'm relying on Entrust Certification Authority to
correctly assert that I am actually sending my data to HN and not an
intermediary. Then I'm relying on HN to receive my data and store it securely
(well, as secure as I should expect a public forum to be, but the scenario
applies just as well to banks and email providers). Finally, I'm relying on
all software installed on my laptop (including the operating system) to
respect my privacy by not logging keystrokes.

Any 3-letter agency that wanted to track my internet usage only needs to
collude with one of these services to compromise my privacy. I think the
solution to privacy is a combination between government transparency and
accountability, and our own due diligence to carefully vet the programs and
services we use.

~~~
eurleif
>In order to me to write this comment, I'm relying on the free wifi at
Starbucks to not log my actions.

No, you aren't. Hacker News is HTTPS-exclusive.

~~~
dkokelley
They still know where to send my packets, and it's possible that they are
proxying the SSL (although that requires a secondary breach in Chrome's CA
list and/or Entrust).

------
RexRollman
In today's environment, the most secure person computing set-up might be
Richard Stallman's. I don't think I could do it though, as it is too
restrictive.

[http://stallman.org/stallman-computing.html](http://stallman.org/stallman-
computing.html)

------
lake99
There's one more thing all Tor users with good bandwidth should consider:
start relaying.

I relay when I can, which is not very often because I am mostly behind a NAT
which I have no control over.

------
jd007
If everyone uses Adblock, it could be detrimental to a lot of free web
services that are supported solely on ad revenue. I am not sure if there is a
good solution here...

------
mtct
This is a good start, but in the end the NSA can bypass any of these measure
if needed (even the cryptography). The only think that really can change this
situation is a protest versus your political representatives.

~~~
jiggy2011
You think NSA has a way to break AES/RSA?

~~~
mtct
[https://sslimgs.xkcd.com/comics/security.png](https://sslimgs.xkcd.com/comics/security.png)

~~~
dageshi
I don't think that scales very well...

~~~
UVB-76
Alas, the NSA can afford a million dollar cluster to crack your password...

~~~
jiggy2011
A million dollar cluster won't make a dent in cracking an AES key of a proper
size. Not unless the NSA have managed to solve some pretty baffling math
problems and keep it secret.

~~~
IanChiles
The NSA is currently the largest employer of mathematicians in the US. To
think they haven't found anything of use would be naive at best.
[http://www.nsa.gov/research/tech_transfer/advanced_math/](http://www.nsa.gov/research/tech_transfer/advanced_math/)

~~~
riquito
AES is a specification of the U.S. National Institute of Standards and
Technology (NIST). USA use it to encrypt the most sensitive informations. It's
hard to think that they would use a broken cryptographyc algorithm themselves

------
noerps
Learn and understand crypto, develop and follow procedure to embrace secure
end-to-end communications with your peers.

------
yekko
Move out of the US.

~~~
sneak
I did that five years ago after coming to the conclusion that the US didn't
care about any of these abuses and that decades of surveillance state would go
by without any improvement. I implored everyone that would listen to leave; I
thought that was the end of it.

After Snowden proved me absolutely and indelibly wrong, I decided this week to
come back.

These people operate in secret because they can't justify their actions in a
free and open debate. The secrecy has now been lifted.

There's a war coming. It's time to fight.

------
Hyrum_Graff
Here's what I did. [http://www.battle-school.co.uk/Blog/2013/06/08/its-our-
own-f...](http://www.battle-school.co.uk/Blog/2013/06/08/its-our-own-fault-
deal-with-it/) Got rid of every cloud based service I use.

~~~
jafaku
I use Dropbox with encfs. But now I'm wondering if the client could have a
backdoor, since it's a binary.

