Those of us who have chosen to safeguard our privacy and take digital security to another level know that it requires changing our habits and being more situationally aware. This awareness extends from the digital world into the physical world as well. Operational security is a constant assessment of your threat model, and can be quite challenging and also fun. While this blog focuses mainly on the “digital” aspects of protecting our personal information, a person who is learning these skills should also educate themselves on ways to be safer from a physical security standpoint. The two disciplines work hand in hand to give you the highest level of awareness and protection.
During live training on these topics I am often asked to describe what steps or methods can be used day to day by a person when they are living “under the radar”. What does this actually look like? What modern conveniences are given up, if any, and what do you need to compromise on for a higher degree of privacy and security? Everyone has different needs and skill sets. Your threat model and the time you devote to learning about ways to protect yourself are entirely up to you and your situation. In this post I will attempt to describe my daily workflow and give suggestions on some of the methods I use. Some things will be described in a general sense (for OpSec reasons) but hopefully it will provide some insight on the day-to-day methods that have worked their way into my routine.
Overnight my computer is turned off and not connected to my home Wi-Fi network. When I turn the computer on, I enter my password at boot, which gives me access to the hard drive, which is encrypted with the standard OS X full disk encryption. My VPN (Virtual Private Network) of choice is Private Internet Access (PIA), which I have written about in past blogs. PIA loads as my computer boots and connects automatically to give me an encrypted connection to the Internet.
You may know what a VPN, or Virtual Private Network, is; but you may not be using one yet. You really should be using a VPN, and even if you don’t think so now, at some point in the future you may consider it as important as your internet connection. The most important thing you need to know about a VPN: It secures your computer’s internet connection to guarantee that all of the data you’re sending and receiving is encrypted and secured from prying eyes. There are many to choose from, but I recommend using a paid VPN service due to enhanced privacy features, speed, and reliability.
For further information and reviews on VPN services, see the following links: https://www.privateinternetaccess.com | https://www.bestvpn.com/private-internet-access-review-2016 | http://www.digitaltrends.com/computing/what-is-a-vpn
The browser I primarily use is the latest version of Mozilla Firefox with several customized add-ons that aid in keeping the browser as private and secure as possible. A good place to learn more about browser add-ons is https://www.privacytools.io/
Each day I go online and search for new information about technology and online search methods (OSINT). This is my passion and is also used in my work life. I visit many of the websites listed in the Resources section of this site to stay current with what is being discussed in the community. There will always be new things to learn about and new information to pass on to others who enjoy these topics. There are a few websites that I check daily without fail and I will list them here for you.
In addition to my daily online research, I take the opportunity to search for myself online. As more and more information about me has been removed over the years I do this less often; however, I still make a habit of using myself as the search target on a regular basis. I use Michael Bazzell’s custom people search tool to automate this process, which can be found HERE. I also search for my address, phone number and email addresses in a similar manner to identify anywhere they may be listed online. Every now and again I find a piece of information I want to target for removal; however, most of the results are forms of disinformation which I choose to leave alone. I encourage my close friends and family to also search for me online because everyone has a different method and sometimes new information can be found that I had not yet discovered. Hiring a private investigator to find you is also a great exercise to see how well your personal information is hidden.
My computer, a MacBook Pro, also has several Linux and OS X virtual machines which enable me to do online research in an even more private manner. The Complete Privacy & Security Desk Reference covers this topic well and using these techniques will open the door for a lot of new things to learn and experiment with. If you are adventurous, I recommend learning more about VMs and bootable USB operating systems to enhance your privacy and security.
I have well over 100 online accounts, but the majority of those are in alias names and are not tied to any real information about me. Some are used for covert investigations, some for online shopping, and others are just services that have no need to know anything real. Each one has a unique username and password, and those passwords are managed by a password manager, naturally. There are many password managers to choose from and I have used a few over the years. Currently I am using LastPass and experimenting with KeePass as well. Dashlane and 1Password are others that I have used and would recommend. For a variety of reasons I have chosen LastPass to manage my current setup. If you are not currently using a password manager, please check out this recent blog post from Michael where he discusses their use: https://inteltechniques.com/wp/?p=185. Bottom line, you need to have a strong, unique password at every website you have an account with. Password managers make this a simple thing to do and your digital security will benefit tremendously by doing so.
For email communications, I use ProtonMail. I pay for their premium service, which allows me to compartmentalize my email strategy to a large extent. Compartmentalization is an important security-related topic that I plan to cover in more detail down the road (HERE). Basically, I use a pseudorandomly generated username as my main login username for ProtonMail and have several addresses available to use under that same account. The random main username is never given out and is unknown to the world except for ProtonMail. I use these addresses for different purposes. In some cases I can give out an actual ProtonMail address. For services like my bank or Blur, I don’t want to use an email forwarding service. First, that gives an additional party access to my data. Second, if the forwarding service ever goes down, I risk locking myself out. I can also set up one ProtonMail Premium address for use with Blur Masked Emails, and another for use with 33Mail. I use these with less sensitive services. With both I have control over the forwarding addresses and can shut them down at will, and in none of these cases have I given out a real ProtonMail address. I believe this is an excellent strategy for security and you already know from previous posts that I love ProtonMail in general. For more on email from a previous post go HERE.
In time I hope to share more about my cell phone strategy on this blog. Secure and anonymous communications via cell phones is a truly fascinating topic, and also a tough one to figure out. It can be accomplished to a large extent, but would require more than the scope of this particular post to explain. UPDATE: Read about my strategy for more private communications with a cell phone HERE.
What I have discussed here does not require much of an investment, only some careful consideration into how you can implement your strategy. Mostly it comes down to a willingness to learn and explore topics related to privacy and security. Most people will never do some of the simple things I discussed, like use a password manager or a VPN. Most will not care enough to safeguard their personal information in ways that we discuss here or remove their information from databases. If you do, you will be in a very elite group, living a safer, more secure life, and being much harder to compromise.
Short Term Goals – In the short term, say over the next year, you should aim to drastically reduce the amount of information that is available about you online. As you check your work by searching for yourself online, you find nothing, or very little. Anything left over will be obscured by a well-executed disinformation campaign. The effort you put in will also improve your personal safety and security because you will have changed your habits in important ways. You are no longer sharing personal details about yourself with every company that asks for them. Your communications (email & phone) are more secure, private, compartmentalized, and anonymous. You use a password manager and every account has a unique password. You operate online using a VPN, your home network is secure, and your browser add-ons have been customized to eliminate tracking and improve your anonymity and security. The important data on your computer is safe, backed up regularly, and encrypted. You are also sharing your knowledge with others.
Long Term Goals – Looking into the future, you have the resources and knowledge to keep up with changes in technology and privacy matters that affect your life. You are a respectful, law-abiding, productive citizen, and you stand up when the National Anthem is played. When you move or retire later in life, you can execute some of the more advanced privacy strategies you have learned…and you will disappear. How much fun will that be!