The Snowden leak is a game changer. User angst over privacy and anonymity is at an all-time high. 61% of US net users want to do more to protect their privacy.
It takes time for consumers and market players to absorb the full impact of game-changing events such as the Snowden leak. When the news broke in June of last year, the first Pew poll showed that 56% of Americans found the NSA’s mass surveillance acceptable. After more than a year of drip-fed additional revelations from Snowden’s enormous cache of material, people have begun to realise the full extent of the security state’s spying. A Pew poll from June this year found that support for the NSA’s spying had fallen to 42% and 74% thought Americans should not have to sacrifice privacy for safety from terrorism. Another Pew poll found that 86% of US Internet users have taken steps online to remove their digital footprint. A Harris poll from March 2014 showed that 47% of US users have changed their online behaviour after the NSA revelations. 26% said they are doing less online banking and online shopping, and in the 18-34 age group the figure is 33%. A new study from Pew last week shows that awareness and concern are rising even more among Americans. 90% of the respondents agreed that users have no control over their online information and 80% are concerned about the way advertisers take advantage of information on social media. 87% had heard something about government surveillance and only 36% of users support the government’s online snooping. Most important of all, 61% of users said they wanted to do more to protect their privacy. These negative sentiments are most likely even more pronounced outside the US. In another survey, conducted in April by ComputerWeekly among 10,000 people in nine countries, 75% expressed concern about their privacy online.
Awareness is the first step, the next is taking action. Once users begin to educate themselves they will realise that the potential for intrusions is much greater than they initially thought. As a test, I spent a few hours educating myself about privacy and anonymity for browsing with Firefox on a PC. This is what I found:
Basic advice about anti-virus programs, firewalls, avoiding obvious passwords, and deleting cookies is far from enough.
The most intrusive tracking and surveillance is done by advertisers and analytics firms. Government surveillance is ubiquitous yet invisible to the average user in most cases. However, advertisers’ tracking is actually quite obvious. We know that advertisers can easily create an approximate profile of where you live, your gender, age, interests and income. They can even match your real name and address with your browser surfing patterns if you fill in your customer data on a website that sells this information to the tracking companies. Considering all the revelations from the Snowden leak, it would be reasonable for users to also suspect that the government surveillance agencies are buying advertisers’ tracking profiles.
Deleting cookies is not enough. Flash has its own supercookies (Local Shared Objects, LSOs), and HTML5 has a cookie-like function called web storage (DOM storage). These can be blocked by installing the BetterPrivacy plugin in your browser.
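As an added illustration (not part of the original article), the following script lists Flash LSO files grouped by the domain that stored them, which shows that they sit on disk outside the browser's cookie store and so are untouched by a cookie wipe. The storage paths and the `<profile>/<domain>/...` layout are the commonly documented Flash Player defaults and are treated as assumptions here; the function names and the sample tree are constructed for the example.

```python
import os
import tempfile
from collections import defaultdict
from pathlib import Path

def default_lso_roots():
    """Commonly documented per-user Flash storage locations (assumed paths)."""
    home = Path.home()
    roots = [
        home / ".macromedia/Flash_Player/#SharedObjects",                     # Linux
        home / "Library/Preferences/Macromedia/Flash Player/#SharedObjects",  # macOS
    ]
    appdata = os.environ.get("APPDATA")
    if appdata:
        roots.append(Path(appdata) / "Macromedia/Flash Player/#SharedObjects")  # Windows
    return [r for r in roots if r.is_dir()]

def find_lsos(root):
    """Map each storing domain to its .sol files as (relative path, size in bytes)."""
    root = Path(root)
    by_domain = defaultdict(list)
    for sol in sorted(root.rglob("*.sol")):
        parts = sol.relative_to(root).parts
        # Assumed layout: <random profile dir>/<domain>/.../<name>.sol
        if len(parts) < 3:
            continue
        by_domain[parts[1]].append(("/".join(parts[2:]), sol.stat().st_size))
    return dict(by_domain)

def build_sample_tree(base):
    """Constructed sample data: two made-up tracker domains, three LSO files."""
    root = Path(base) / "#SharedObjects" / "AB12CD34"
    samples = {
        "tracker.example/player/id.sol": b"\x00" * 64,
        "tracker.example/prefs.sol": b"\x00" * 16,
        "ads.example/uid.sol": b"\x00" * 32,
    }
    for rel, data in samples.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root.parent

if __name__ == "__main__":
    roots = default_lso_roots()
    if not roots:  # no Flash storage on this machine: fall back to the sample
        roots = [build_sample_tree(tempfile.mkdtemp())]
    for r in roots:
        for domain, files in find_lsos(r).items():
            print(domain, len(files), "file(s),", sum(s for _, s in files), "bytes")
```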
Another privacy browser plugin is Ghostery which blocks trackers. The HTTPS Everywhere plugin forces encryption between the browser and server when possible. The NoScript plugin provides protection from malicious scripts on untrusted websites. NoScript blocks all untrusted scripts and gives the user full control over enabling or disabling each script. For every visited webpage, NoScript provides a list of all scripts used on that page. However, the best plugin of all is Adblock Plus which blocks almost all ads. Adblock Plus has over 300 million downloads.
Enabling all these plugins will degrade the browsing experience on some websites and can slow down Firefox. For example, if NoScript is installed, users will have to open the list of scripts manually to enable them. This can be an inconvenience. On the other hand, webpages often load faster, in particular if all ads are blocked with Adblock Plus.
Webpages load even faster if Flash is disabled. Flash is potentially a huge security hole and a common recommendation is to disable Flash in the browser and only enable it temporarily when really needed.
An additional security measure is to use a VPN. Subscribing to a VPN will hide your IP address. A VPN creates an encrypted tunnel from your computer to one of the VPN provider’s servers, where your surfing traffic will enter the open internet. The servers can be located in another country, which enables users to stream TV or video that is normally blocked for users from other countries (for example BBC and Netflix USA).
Selecting the best antivirus program and firewall is also important. Bitdefender gets top test results, but aggressive antivirus programs can sometimes slow down the computer.
When it comes to search engines, users can reject Google in favour of DuckDuckGo or Startpage, which do not track users’ search patterns.
Many cybersecurity experts even recommend putting a piece of black tape over the webcam in order to prevent it from being used as a spying device. For those who want to achieve an even higher level of privacy and security there are more challenges, such as avoiding browser fingerprinting and WiFi security breaches. For the advanced user there are additional technologies such as Tor, Bitcoin, Tails, IceDragon, Ubuntu/VirtualBox, PGP, ProtonMail, Comodo, and Online Armor.
It is unlikely that mainstream consumers will utilise all of these security measures, but installing the browser plugins is fairly easy and there are “How To” guides that explain how it’s done. Once in place, these users are a permanent loss for the advertisers. And it will be the active, well-educated, high-income users who go first; the most valuable targets for advertisers.
When the mainstream market begins to embrace anonymity and encryption the effects will be wide-reaching. Ad-financed websites and advertising networks will be hit first. Social media sites where real names are used such as Facebook are also at risk.
Users will probably also be increasingly suspicious of cloud service providers such as Dropbox. The concern here is not intrusive advertisers but NSA spying on stored data and the risk of hacked accounts. Companies that have dumped their own IT infrastructure and moved everything to the cloud will also have a hard time proving that their customers’ data is secure and has not been scooped up by the NSA somewhere inside the cloud.
But this development is also a business opportunity for cybersecurity providers, anonymisers and VPN providers. For example, ProtonMail is a startup offering encrypted email. The company and servers are located in Switzerland, which has very strict laws regarding data protection. All stored emails are encrypted before leaving the customer’s computer and ProtonMail does not have the decryption keys.
Another example is SpiderOak, a competitor to Dropbox that offers cloud backup. Encryption makes it impossible even for SpiderOak’s own staff to view their customers’ data. For Android smartphones there is the app RedPhone for encrypted voice calls. TextSecure is an app for encrypted messaging for iOS and Android. Silent Circle offers a suite of services for encrypted communication.
Yet another indicator of the strength of this trend is the rapidly growing demand for NSA-secured cryptophones. Several small companies have developed bespoke smartphones, often based on hardened versions of Android. With prices up to $3,500, they are becoming the new status symbols for business executives. Some of the brands are: GSMK Cryptophone, Blackphone, Teopad, Hoox m2, In Confidence, and Secusmart.
And the smartphone giants Apple and Google are also offering better encryption to protect their users’ privacy and security. iPhone 6 and iOS 8 have integrated new encryption on the devices which Apple can’t bypass even if they are required to do so by the authorities. Google is working on a similar solution for the new Android 5.0 release, Lollipop.
It is unclear how far the various segments of the user base will go in order to protect their anonymity and privacy. But this trend has the potential to be very disruptive, even if only 40% of users take action. Ignore it at your own risk.