The recent scandal involving the former Director of the CIA is tragic on many levels, and we won’t be talking about any of that here.  However, it is a perfect occasion to discuss fundamental issues of security and privacy:  Against whom are you trying to secure your communications and what is the best way to accomplish that end?  This is hugely relevant for a broad array of executives, professionals, lawyers, journalists, and many others as they conduct their professional on-line existence.  When you are not on your corporate network, what counts as safe?  We know from history that simply having a shared Gmail account does not come close to cutting it.

First, know who you are attempting to secure your communications against.  Is it the teenager next door or is it well-funded actors, a foreign government, or the agents of state-sponsored industrial espionage?  Second, do your homework.  Before you use a particular security-enhancing piece of software, see what the independent researchers and academics—not media commentators—say about its effectiveness and performance characteristics.

Two basic things to remember are to ensure security of identity (anonymity) and the content of communications (confidentiality).

Anonymity.

It’s actually a good deal more difficult on the web to remain anonymous than most people think.  Your device’s routing address on the Internet (IP address), physical hardware address (“MAC” address), device fingerprint, as well as persistent identifiers used by websites and web applications (HTTP cookies, local shared objects, and other local storage), can all be leveraged to identify you on the Internet—even when you are trying to remain anonymous.
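How such identifiers combine, as an added example that is not part of the original post: a site that logs IP address, cookie and device fingerprint can link any visits that share even one of them. The visit records, field names and fingerprint attributes below are constructed for illustration, and the MAC address is left out because a remote website does not normally see it.

```python
import hashlib

def fingerprint(user_agent, language, screen, timezone):
    """Hash attributes a site can read from the browser into one identifier."""
    raw = "|".join([user_agent, language, screen, timezone])
    return hashlib.sha256(raw.encode()).hexdigest()[:16]

def link_visits(visits):
    """Group visits that share any identifier (IP, cookie or fingerprint)."""
    parent = {v["id"]: v["id"] for v in visits}

    def find(x):  # union-find root lookup
        while parent[x] != x:
            x = parent[x]
        return x

    first_seen = {}  # (kind, value) -> id of the first visit carrying it
    for v in visits:
        for kind in ("ip", "cookie", "fp"):
            if v[kind] is None:
                continue
            owner = first_seen.setdefault((kind, v[kind]), v["id"])
            parent[find(v["id"])] = find(owner)  # merge the two groups

    groups = {}
    for v in visits:
        groups.setdefault(find(v["id"]), set()).add(v["id"])
    return sorted(groups.values(), key=sorted)

# Constructed sample data: one laptop seen four times, plus an unrelated visitor.
FP_LAPTOP = fingerprint("Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0",
                        "en-US", "1920x1080", "UTC-5")
FP_OTHER = fingerprint("Mozilla/5.0 (Macintosh) Safari/605.1.15",
                       "fr-FR", "2560x1440", "UTC+1")
VISITS = [
    {"id": "home",     "ip": "203.0.113.5",  "cookie": "c1", "fp": FP_LAPTOP},
    {"id": "cafe",     "ip": "198.51.100.7", "cookie": "c1", "fp": FP_LAPTOP},  # new network
    {"id": "cleared",  "ip": "198.51.100.7", "cookie": None, "fp": FP_LAPTOP},  # cookies wiped
    {"id": "stranger", "ip": "192.0.2.44",   "cookie": "c9", "fp": FP_OTHER},
    {"id": "proxy",    "ip": "192.0.2.99",   "cookie": None, "fp": FP_LAPTOP},  # new IP, no cookie
]

if __name__ == "__main__":
    for group in link_visits(VISITS):
        print(sorted(group))
```

The "proxy" visit changes its IP address and drops its cookie, yet still falls into the same group as "home" because the fingerprint is unchanged.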

If anonymity is critical, then using TOR—a multi-step go-between, known as “The Onion Router” and originally developed from a project at the U.S. Naval Research Laboratory—is a must.  TOR is designed to make it extremely difficult for the website you are visiting—say Gmail—to know the IP address of the router that your computer is using to access the Internet.  There are ways of using TOR that make it effective, and there are common mistakes that undermine it.  The TOR website contains a wealth of information, has excellent engineers and computer scientists affiliated with it, and is a great resource on issues relating to anonymity and security generally.

Confidentiality.

In addition to TOR, it’s important that the content of the communications themselves be encrypted between the two end-points (the two end-points being your device and the website, web application, or computer on the other end).  A good starting point for further thought on encryption and confidentiality is the relevant sections of the CryptoParty handbook.

What were once obscure tools for hackers and security specialists have now become, in our increasingly networked world, simply essential.