Privacy, Security, and Encryption
Let's talk about privacy, security, and encryption.
Privacy
Everybody needs privacy. Whether you're protecting your health records, a credit card transaction, a business plan, or a private journal, most people feel that everyone has some right to privacy.
In a post-9/11 world, the concept of privacy has gotten a bad reputation in some circles. "If you haven't done anything wrong, what do you have to hide?" some people say.
And yet we absolutely have a need for secrecy.
- Your credit card wouldn't last long if there weren't some sort of safeguards protecting it while you do your online shopping.
- You don't want someone else posting on your Instagram account.
- Most of us have some sense that our health records should not be shared with the world.
- Our financial information shouldn't be widely shared, should it?
- Is it okay to have your gender identity, sexuality, or romantic partners shared without your consent?
- Would you be comfortable having your browsing history shared with others?
- Would you be comfortable installing an app on your phone that lets your auto insurance company monitor your driving?
Interesting analysis from the New York Times.
Security
In order to maintain one's digital privacy, we rely on various types of security mechanisms. Passwords, encryption, secure browsing via https, onion routing, and ssh keys are among the many ways that we attempt to ensure that only authorized users have access to private information. A full treatment of all the different strategies one can employ is well beyond the scope of this single page, although we can certainly discuss some of them, and try to identify what current best practices are.
Just as it's your responsibility to lock your car and your house before you leave, it's your responsibility to be smart about using some common-sense strategies and tools to keep yourself "digitally secure."
Passwords
On a computer, the most common way people have of protecting their information is by using a userID (either an email address or a user-supplied name) along with an accompanying password. While an email address may be easily identified and is not usually a secret, a secret password is what protects the security of an account. If your password is too easy to guess or hack, your account and the information it controls are no longer secure.
The security of any given password is directly related to its entropy, or disorder: the harder it is for a person or computer to guess a password, the more secure it is. Thus, longer and more complex passwords are better than short, easy-to-remember passwords. Also, because passwords may be stolen from a website, a different password should be used for each different site, website, or context so that a password stolen from one site is not able to be used on another.
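The relationship between length, character variety, and entropy described above can be made concrete. The following is an added example, not part of the original page; the guess rate and the 7776-word list size (the Diceware list size) are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Character classes used to estimate the pool a random password draws from.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]


def pool_size(password):
    """Size of the alphabet implied by the character classes present."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))


def random_password_bits(password):
    """Upper bound on entropy in bits. It is only reached when every
    character was chosen uniformly at random; a dictionary word such as
    'sunshine' is far easier to guess than this number suggests."""
    size = pool_size(password)
    return len(password) * math.log2(size) if size else 0.0


def passphrase_bits(word_count, wordlist_size=7776):
    """Entropy of words drawn at random from a list of the given size."""
    return word_count * math.log2(wordlist_size)


def years_to_search(bits, guesses_per_second=1e10):
    """Years to try every candidate at an assumed (hypothetical) guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def generate_password(target_bits=80):
    """Random password over all 94 printable symbols, long enough to
    carry at least target_bits of entropy."""
    alphabet = "".join(CLASSES)
    length = math.ceil(target_bits / math.log2(len(alphabet)))
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for pw in ["sunshine", "Sunshine1", "k#9Tq!vR2m@Lx7Pd", generate_password()]:
        bits = random_password_bits(pw)
        print(f"{pw!r:24} {bits:6.1f} bits  ~{years_to_search(bits):.2e} years")
    print(f"6-word random passphrase: {passphrase_bits(6):.1f} bits")
```
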
Has your identity been hacked?
You've certainly heard about some high-profile businesses that have had their servers hacked—servers that might store your name, email, credit card information, password, etc.
Check to see if your email address was listed on a business that was hacked by going to haveibeenpwned.com. Enter your email address, and see what pops up!
If you find that your email has been found on a server that was hacked—or even if it hasn't—make sure that you use a system that allows you to use different passwords on different websites. If your email and password were hacked, and that same email and password are used on a different site, it's possible for your account to be compromised on that site as well.
Password Managers
There are a number of strategies for managing the creation and use of high-entropy passwords on your own. You can also take advantage of password-services that will manage your passwords for you, with access controlled by a single master password that you use to access them all.
Take a moment to examine these three well-known companies to find out which solution might work for you.
The author of this webpage currently uses Bitwarden on laptops and a smartphone. LastPass was considered very good, and may still be, although there have been concerns about their transparency in reporting a recent breach.
Two-factor authentication (2FA)
Having a strong password is helpful for securing your information, but even better is a second means of verification. This "second factor" is, like the password, a way of trying to ensure that you are you, and not someone else trying to use the account. Most often the second factor that you'll use is your cellphone, on which you will receive a text message, or an email message with a code that you can use.
If you have an Apple ID (you probably do), check out Two-factor authentication for Apple ID.
If you use Google services (you do), check out Google 2-Step Verification.
Two-factor authentication, when available, is an important step in helping to secure your accounts. You should use it.
The future of authentication
There are additional strategies for demonstrating that you are authorized to access an account, some of them more useful than others:
- Biometric authentication
- Token authentication
You can learn more about these online.
Encryption
Encryption refers to the coding and decoding of information during storage or transmission. Encrypted files may be stored or transmitted so that only a user with the appropriate credentials can view the information contained within.
Encryption on the Internet
The Internet was designed with "openness" in mind, in the sense that files are typically transmitted over networks "in the clear." The problem with this is that it's possible for anyone observing traffic on the network—wireless or wired—to observe your information in transit. If you log onto a non-secure connection, I can watch your password being sent wirelessly, whereas if you log onto a secure connection, your password and other information is encrypted before being sent.
To use the Internet securely, ideally you would want to only use websites with an https:// address. For email you can use Pretty Good Privacy (PGP) or Gnu Privacy Guard (GPG) to encrypt and decrypt emails sent to other users who are using that same system.
"Tracking" on the Internet
Even if you're using https: to protect your web traffic, there are ways that businesses can subvert your attempts to protect your privacy.
In order to make browsing a website more convenient, many websites install a small bit of text onto your computer—a "cookie"—that identifies you as a user on their website. This text allows them to remember that you've logged in, among other things. Although you can set up your computer to refuse these cookies, many commercial websites won't function without them.
The cost for this convenience is the fact that online businesses often share information with each other. If you've ever done a search for something on Amazon and then seen an advertisement for that very same thing pop up on Facebook, you know exactly what I'm talking about. Unless you explicitly choose to opt out of Amazon's "Personalized Ads," they're going to share your shopping information with other companies.
Targeted Advertising: Service or Threat?
Some people like the idea of being served ads based on their personal preferences—why would they want to have to look at an ad that isn't of the slightest interest to them?
Other people prefer that businesses not have access to what they consider personal information. They think of targeted advertising as "creepy."
What do you think?
For the ultimate in targeted advertising, see this clip from the movie adaptation of Philip K. Dick's short story, Minority Report. In the first half of the clip, Tom Cruise's character, John Anderton, is being identified by biometric data: retina scans. In the second half, after receiving a new pair of eyes from an organ donor, his new eyes identify him as "Mr. Yakamoto."
Secure browsing
Is there any way to avoid being tracked on the Internet? You can do a lot to mitigate the information collected by your browsing history. Here are some strategies, in increasing order of complexity.
- Only visit https: sites to protect your information in transit.
- Use Private mode on your browser (no cookies collected, no history recorded).
- Use a Virtual Private Network (VPN) to obscure the IP address of your computer.
- Use the Tor network to traverse a series of nodes that make it hard to identify your location.
- Use a "Live" OS installation (Kali Linux and others) that keeps no records of your activity.
Of course, it does you no good to use the Internet "securely" if you're just logging on to Facebook and identifying yourself there anyway. And you won't be able to do much on the Internet aside from view websites, unless you're interacting with the Dark Web, and that's well beyond the scope of this article.
Browsing Anonymously
Are you comfortable with various websites monitoring your browsing activity? Do you prefer having customized ads displayed for you, or would you rather have random ads that may not apply to you at all?
Would you be comfortable with the federal government monitoring your browsing?
Let's consider it from another perspective.
The Fourth Amendment
The Fourth Amendment to the U.S. Constitution includes federal prohibitions against "unreasonable search" on the part of the government, and this has been interpreted to include many forms of surveillance.
Is it acceptable for the federal government to override these prohibitions, say, in an effort to prevent domestic terrorism?
Would you be comfortable allowing federal agents to search your home without a warrant?
Would you be comfortable allowing technology companies to search your information (say, your email), without explicit permission?
Have you ever been surprised by the way a technology company has used your personal information? What were the circumstances?
Encryption on your computer
For millennia, people have been using encryption of one sort or another to keep information private. Computers have made it more difficult for people to keep things secret: the very first electronic computer, Great Britain's Colossus, was developed for that very purpose. At the same time, computers—and particularly software running on our computers—have made it relatively easy for people to take advantage of world-class encryption. Your email, the secret plans for your evil lair and world domination, and even your entire hard disk can be effectively impossible for anyone to discover.
openssl
- Public/Private Key Encryption
- Pretty Good Privacy (PGP), and Gnu Privacy Guard (GPG)