Protecting Your Privacy
Saturday, May 14, 2016
- Why Privacy is Important
- Steps I've Taken
- Tin Foil Hat Considerations
- Steps You Can Take
Why Privacy is Important
Privacy is a very hot topic right now with advertisers trying to deliver relevant ads and the potential for businesses or governments trying to peek into your personal doings for more information.
While I could go down a deep rabbit hole of government spying concerns, I'm going to keep this focused on businesses and advertisers whose business model depends on your information. For more information on what I mean, check out the Interactive Do Not Track Documentary, an awesome project showing how your data makes people money.
If you feel that you have nothing to hide and this doesn't impact you, please email me with your bank accounts and complete internet browser history. It's never been about having something that needs to be hidden; it's the fact that it's none of my business which websites you browsed on Friday evening or how you spent your last paycheck.
Steps I've Taken
I've taken a few steps to make privacy easier for my visitors. Keep in mind that while I'm privacy conscious, many websites aren't.
Google Analytics Deletion
I recently decided to disable Google Analytics. While it provided me with some great insight into the visitors of my website, I made the conscious decision that my visitors' privacy was not worth my curiosity factor.
I have not replaced the functionality of Google Analytics with another tool (like Piwik or others), but it's worth mentioning that AWS CloudFront is collecting some of this information (see the Tin Foil Hat section below).
HTTPS Addition and Automatic Redirection
I have moved my website hosting away from GitHub Pages because of its lack of TLS support. With the advent of free and automated certificate authorities like Let's Encrypt and AWS Certificate Manager, there is no reason not to add TLS onto websites and support end-to-end encryption for all browsing.
Assets Moved to Personal Domain
In an effort to keep my codebase small, I've been reluctant to add assets (photos, videos, etc) to it. This required me to host assets elsewhere, preferably for free or cheap. I previously used the following websites for asset hosting:
- Google Fonts for fonts
- Imgur for images
- MaxCDN for the FontAwesome iconic font
- SoundCloud for audio files
- YouTube for video files
Each location I hosted a file was another external request that a visitor would be required to make, and thus another opportunity for tracking to occur. It's possible that one of the hosts correlates visitors across multiple source domains by inspecting the requests.
All my assets have been moved to assets.mide.io, another domain under my control. My visitors no longer need to send requests to third party domains to view my content. This has the added bonus of reducing my dependencies on external sources.
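To check a page for the kind of automatic third party requests described above, the following added example (not code from this site) lists every host other than the first party that a page's markup makes the browser contact without a click. The sample markup, the page URL and the function names are constructed for illustration.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# (tag, attribute) pairs the browser fetches on page load. <a href> is left
# out on purpose: a link is only requested when the visitor clicks it.
# <link href> is counted for every rel value, so rel=canonical is over-reported.
AUTO_FETCH = {
    ("script", "src"), ("img", "src"), ("iframe", "src"), ("link", "href"),
    ("audio", "src"), ("video", "src"), ("source", "src"), ("embed", "src"),
}

class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and (tag, name) in AUTO_FETCH:
                self.urls.append((tag, value))

def third_party_requests(html, page_url, first_party_suffixes):
    """Map each third party host to the tags that trigger a request to it."""
    collector = _Collector()
    collector.feed(html)
    found = defaultdict(list)
    for tag, raw in collector.urls:
        # Resolve relative and protocol-relative URLs against the page URL.
        host = urlparse(urljoin(page_url, raw)).hostname
        if host is None:
            continue  # data: URIs and similar make no network request
        if any(host == s or host.endswith("." + s) for s in first_party_suffixes):
            continue
        found[host].append(tag)
    return dict(found)

# Constructed sample page, not the real markup of any site.
SAMPLE = """
<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Lato">
<link rel="stylesheet" href="/css/site.css">
<img src="https://i.imgur.com/example.png">
<img src="https://assets.mide.io/img/photo.jpg">
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<a href="https://www.youtube.com/watch?v=VIDEO_ID">Watch on YouTube</a>
"""

if __name__ == "__main__":
    print(third_party_requests(SAMPLE, "https://www.mide.io/blog/", ["mide.io"]))
```

The embedded iframe is reported while the plain link to the same video is not, which is the difference between embedding content and requiring a click.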
Embedded Content Removed
I previously embedded YouTube videos and SoundCloud sound clips into my blog entries to make things easier and more active for my viewers. However, I realized just how many assets each of these additions was pulling in.
Even if the embedded content didn't set any cookies or run any scripts, it still performed a request to fetch the content from a different source. I want my visitors to know explicitly when they're viewing content from a site other than my own, and I have achieved that by requiring a click of a link.
Tin Foil Hat Considerations
HTTP to HTTPS Redirection
I do not control the servers that perform HTTP to HTTPS redirection. It is possible that the HTTP server performs tracking based on requests. It is also true that third parties (like employers or internet providers) are able to see the initial HTTP request to http://www.mide.io and could perform tracking based on that.
Some websites employ HTTP Strict Transport Security (HSTS), a mechanism by which a server instructs clients to communicate with it only over secure channels for some length of time. Once a browser has stored this policy, it performs the HTTP to HTTPS redirection itself, before requesting any content from the server, making man-in-the-middle attacks much more difficult. I do not currently have this enabled for this domain.
If this is a concern of yours, always make sure you type in https:// for the website you're visiting or use a browser addon like HTTPS Everywhere.
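The HSTS policy mentioned above travels in a Strict-Transport-Security response header. The following added example (not code from this site) parses that header following RFC 6797 and reports what a browser would do with it, including the case where it arrives over plain HTTP and is discarded. The function names and result strings are illustrative.

```python
def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value (RFC 6797); None if invalid."""
    max_age, include_sub, seen = None, False, set()
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in seen:
            return None  # a directive may appear only once
        seen.add(name)
        value = value.strip().strip('"')  # values may be quoted strings
        if name == "max-age":
            if not (value.isascii() and value.isdigit()):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        # Unknown directives are ignored, as the RFC requires.
    if max_age is None:
        return None  # max-age is the one mandatory directive
    return {"max_age": max_age, "include_subdomains": include_sub}

def assess(scheme, headers):
    """Describe what a browser does with this response's HSTS header."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return "no policy: the next http:// visit goes out in cleartext"
    if scheme != "https":
        return "ignored: browsers discard HSTS received over plain HTTP"
    policy = parse_hsts(value)
    if policy is None:
        return "ignored: header is malformed"
    if policy["max_age"] == 0:
        return "policy removed: max-age=0 deletes any stored entry"
    scope = "host and subdomains" if policy["include_subdomains"] else "host only"
    return "enforced for %d seconds (%s)" % (policy["max_age"], scope)

if __name__ == "__main__":
    # Constructed response headers, not captured from a real server.
    print(assess("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
    print(assess("http", {"Strict-Transport-Security": "max-age=31536000"}))
    print(assess("https", {"Content-Type": "text/html"}))
```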
Lack of Control over TLS Certificate and Key
I do not have control over the TLS private key; it's stored within Amazon's services. Amazon is the entity performing the decryption and the serving of content; they could be logging and gathering metrics on requests. In fact, CloudFront does collect some information from visitors, as can be seen from their Viewers Report.
In an ideal situation, I'd be the only one with access to the private key and the server would be physically and digitally under my control. But this isn't cost effective for me, so this is a compromise that I have to make for now.
DNS Lookup Privacy Leaks
When you type www.google.com into your web browser, it will perform a DNS lookup to translate that name into an IP address, 184.108.40.206 (for example). This lookup occurs in plaintext and is answered by your DNS server.
Whoever your DNS provider is (Google, OpenDNS, your provider, or others), they are able to see the DNS lookup for the website you're visiting. The DNS query doesn't reveal any content, but it does reveal that you're visiting that website. For example, if you visit my website, mide.io, your provider will know that you're visiting mide.io because you performed a DNS query for the domain in cleartext.
Domain Name System Security Extensions (DNSSEC) solve some authenticity issues, but do not provide any confidentiality in queries.
Steps You Can Take
- Disable Third Party Cookies - Third party cookies are pieces of information that are set by a website other than the one you're on. For example, if you visit a website and it includes embedded YouTube videos, YouTube could set cookies even though you're not on YouTube. By disabling third party cookies, you allow cookies to be set only by the website you're visiting.
- Enable Do Not Track (DNT) - The browser option "Do Not Track" will set a new request header, DNT=1. This tells websites you visit that you would not like to be tracked. Because of the nature of the internet, only the good websites will respect this flag so while it's great to turn on, the DNT option should not be your only line of defense.
- Enable Click-To-Play Plugins - Some browser plugins, like Adobe Flash, can run code in your browser. In some cases, this code is less limited than the rest of the internet since it has the ability to run native code on your computer. By requiring "click to play", you opt into each plugin, rather than having them present without your knowledge.
- You may also want to check your browser related settings. Sometimes there are "features" that could compromise your privacy. (Mozilla Firefox, Google Chrome)
- HTTPS Everywhere - A browser extension that tries to use HTTPS by default on many websites.
- Privacy Badger - A browser extension that blocks known trackers.
- Duck Duck Go - A search engine that promises not to track you.
- Panopticlick - An online test to see how unique your browser fingerprint is.
- Tor Browser - The Tor Project and its web browser have been cast in a negative light in recent years, but the browser does a good job at the problem it solves. It bounces your web traffic around the world to provide anonymity on the internet. Be sure to verify that using Tor does not break your local laws before use.
Review Local Laws
Some jurisdictions prohibit the use of strong encryption or anonymizing software. Consult your laws before taking any actions. I am not responsible if you get in trouble for advice you read on the internet.
- The Electronic Frontier Foundation
- Surveillance Self-Defense Guide from the EFF
- The Free Software Foundation
- The curly fry conundrum: Why social media "likes" say more than you might think by Jennifer Golbeck
- United Nations: The Universal Declaration of Human Rights (See Article 12)
Privacy isn't a switch you can turn on; it's a whole lifestyle of decisions. But don't fret, for there are helpful actions you can take at every level. Just remember, once something is public, it's public for good.