Privacy

So why do privacy and security matter?

On May 22, 2006, an employee for the US Department of Veteran Affairs discovered that his laptop had been stolen (Stout). On the hard drive was the personal health data of 26.5 million veterans (Stout). Although the laptop and disk were recovered by the FBI and the data never leaked, the event highlighted the possibility of catastrophic breaches.

Although you may think that you have nothing to hide, almost everyone has some online data that they want to keep secure. Without proper protection, your browser history, text messages, direct messages, emails, camera roll, files, and other digital assets are vulnerable. Beyond that, you probably want to avoid being tracked by large companies across all of your online activity. Corporations like Google and Meta have built their businesses on collecting user data in order to display relevant ads. This is often done by tracking users across different websites using cookies and fingerprinting. When websites display ads, they load code from the servers of ad providers and run it on their websites. This code can be used to collect information on the website and the user running it and send that information back to the servers. A similar technique is fingerprinting, which involves testing specific aspects of your hardware, operating system, and browser in order to develop a unique fingerprint of your device and track you across different websites.

The consequences of bad or inadequate security are more obvious. If an attacker gains access to your email account, for example, they could reset your passwords for other services, impersonate you, and potentially gain access to high-value data like your bank account or social security number. These attacks aren't all that common, but when they do happen they can be catastrophic for the victim.

Privacy is a Right

Privacy is a human right. You have the right to keep your personal data secure in the same way that you have the right to keep random people out of your bedroom. The United Nation's Universal Declaration of Human Rights guarantees everyone the right not to be "subjected to arbitrary interference with [their] privacy". For the reasons described above, you should excercise your right to privacy and encourage others to do so as well. Security, while very important in other respects, is critical for protecting your privacy. The right to protect your privacy is being challenged by laws targeting encryption, and we must do what we can to ensure that this right is not taken away. The main things that you can do to help achieve this are to vote and to excercise your rights by using secure and private technologies.

Browser Fingerprinting

Another way that advertisers and other services track people across websites is using a technique known as browser or device fingerprinting. Browser fingerprinting analyzes unique attributes about your browser, such as permissions, audio and video capabilities, 3D rendering capabilities and performance, and settings to build a unique profile on you. Fingerprinting scripts are often loaded unknowingly by websites that use third-party advertising services or even fonts or images. Fingerprinting is highly effective — the popular FingerprintJS library is able to construct uniquely identifiable IDs for over 99% of users. Several studies have found similar rates of effectiveness for browser fingerprinting (Eckersley). Moreover, fingerprinting is widespread. 30% of the top 1,000 most popular websites use fingerprinting (Iqbal). Fingerprinting is another highly accurate and effective tool in advertisers' tracking toolbox.

Location Tracking

Google's terms of service gives them the right to collect, use, and share information about users' precise locations. Many other services, including Netflix, Hulu, Ubisoft, and Yahoo have similar policies. Recently, the FBI publicly admitted to buying location data collected from American's phones. Other government agencies also buy location data collected on mobile devices. Although this presumably improves the user experience somewhat with more relevant results, it is also pretty creepy.

Cross-Site Cookies

Cross-site cookies are the most common tracking method. They are frequently used by advertisers to gather data on users and improve relevance of ads.

An animation displaying the third-party cookie tracking process described below

When your web browser loads a webpage, it sends a request to the server for the data that encodes the page. The page may also request data from an advertiser to display ads. When it does this, the advertiser can send back a cookie along with the ad that will then be sent on all other requests to the advertiser. This allows the advertiser to see what websites that display their ads a specific user is visiting.

Protecting your privacy and security

Although protecting yourself online can seem overwhelming, there are some simple techniques that will vastly improve your privacy and security.

Strong Passwords

The most common recommendation for creating strong passwords is that they should be at least 14 characters, avoid common words, and include capital letters, numbers, and symbols. Unfortunately, this information is not correct. The best way to make a strong password is to make a long password. Pick 3-4 random words and add one or two numbers or symbols in the middle of a word. Avoid replacing a letter with a number/symbol, like "p@ssword", as this is common and easily broken by password crackers.

As shown in this demonstration, symbols and numbers are less important than length for creating a strong password. The crack times shown are for attacks where a bot is trying to log in to your account over the internet. If the database of the service has been breached, the crack times will be anywhere between 1,000 and 1 billion times faster.

This demonstration does not store or transmit any input. It is safe to enter real passwords into it.

Password Managers

The best way to keep track of your passwords is with a password manager. Password managers store all of your accounts and passwords in one central database, allowing you to use long and randomly-generated passwords, like this one:

This password generator uses cryptographically secure random data. Passwords generated with it are safe to use.

All of your passwords are secured by one master password, which you have to remember. Although this may seem insecure, password managers are designed so that even if the password manager's database is breached, your passwords will still be inaccessible without the master password. Although the master password is a single point of failure, it is still vastly more secure than using weak passwords or reusing passwords. With 2-factor authentication, it is even more secure.

I personally use Bitwarden, and I also recommend 1Password. I would not recommend LastPass, as it has a history of security breaches.

Ad and Tracker Blocking

Blocking ads and trackers is very easy and can be done with browser extensions. The best ad and tracker-blocking extension is uBlock Origin. Unfortunately, using browser extensions on mobile devices can be difficult or impossible. In February of 2023, Google released an update to Chrome's extension API called Manifest v3 that removed many features used by adblockers. This means that adblockers will be considerably less effective on Chromium- based browsers, including Chrome, Chromium, Edge, Brave, Opera, and Vivaldi. Firefox and Safari are not based on Chromium. I recommend Firefox, since Safari is only available on Apple devices and does not support many important web standards.

Preventing Fingerprinting

Unfortunately, device fingerprinting is very challenging to prevent. The only 100% effective way to do so is to disable Javascript with an extension like NoScript, which breaks most websites. You probably don't want to do that. Some browser extensions reduce the effectiveness of certain fingerprinting methods, such as CanvasBlocker.

Virtual Private Networks (VPNs)

VPNs are one of the most commonly-used privacy devices, after adblockers. There has been a recent influx of advertising for VPNS on many platforms, including Youtube. These ads and sponsorships use scare tactics to try to get people to use VPNs. I want to quickly debunk some misconceptions that might result from this. First, no one can read data that is sent over the network as long as the site uses HTTPS. Passwords, credit card numbers, and other sensitive information are safe. However, it is trivial to figure out which pages on a website someone is visiting if they are not using a VPN. The best VPN available for privacy is Mullvad VPN.