Internet Privacy : Is this even possible?!

I’ll be clear from the outset here: anonymity is not my aim, but my privacy is. I am happy to be held accountable for my actions, for my bank to know my purchases and to have a presence on LinkedIn and other such sites.

My aim, however, is simple: I don’t want “various companies” (such as Facebook) mining my data and/or sharing it and, in effect, using it to target me with products and services or to “profile” me. At the very least, I’d like to make it harder for them to do this.

I’ll state, for the record, I am in no way affiliated with any company listed within this article – there is no sponsorship or similar going on here.

Be aware, much of “the solution” involves you changing how you consume Internet-based services. Start thinking about one thing: when a service or product is free, consider how you might actually be paying for it – in some cases the provider is privacy aware and has a robust privacy policy in place; in other cases this is simply not true, and in fact flies against the commercial model of the product or service.

Contents

  • Protecting Your Connection
    • VPN or Tor, or Both?
    • Devices, Everywhere and Anywhere!
    • Protecting Your Network
    • Confirm Your VPN is Working
    • VPN Gotchas
  • Changing Your Behaviour
    • Wave Goodbye to Chrome
      • Browser Add-Ins
      • All Set? Now Test Your Browser Setup
    • Internet-based Services and Account Privacy
      • Google Account
      • Facebook Account
      • Microsoft Account
      • Skype Account
      • LinkedIn Account
    • Operating Systems
      • Desktop
      • Mobile
        • Mobile Messaging Apps
  • Other Useful Resources

Protecting Your Connection

Let’s start with the basics. In the UK at least, those companies that are snooping on you today include your Internet Service Provider (ISP) and your Mobile Phone Provider – i.e. the very access point you have to the Internet. For details around some of the snooping that is going on here take a look at this article. The fact is that this snooping is a legal requirement.

Snooped information can be and in fact is shared with third parties and thus, can be used to target you with personalised adverts for products and services. That’s a best-case scenario on how that data could be used.

VPN or Tor, or Both?

How do you stop this snooping? Well, there are a couple of options here:

  • Use a Virtual Private Network or “VPN”
  • Use The Onion Router or “TOR”

In my opinion, provided you’re aiming for data privacy and not anonymity, a VPN is an easier and more consumable solution for day-to-day Internet access and service consumption. You can, if so desired, choose a VPN provider that enables you to use Tor over their VPN.

Choosing a VPN provider is like walking through a minefield, full of compromise and false hope. Believe me, I have been through this myself.

The best resources I came across when making my decision were That One Privacy Site and privacytools.io. There are many, many more sites that recommend different providers – beware many of them are affiliated with a specific provider.

For me, the main considerations were as below:

  • Service location / base of operations
  • Device / access-interface support (OpenVPN is pretty-much universal)
  • Data logging / retention policy
  • Data privacy policy
  • Server locations

Devices, Everywhere and Anywhere!

Be sure you can protect every device “of interest” – for me this meant Android phones, Windows PCs and a variety of Android and iOS tablet devices; on all of these devices I would be accessing services, websites and personal data. I was not concerned with my Set Top Box / IP TV, nor was I concerned about my Xbox One.

In terms of devices you access services / personal data on, it has to be an all or nothing approach – otherwise any unprotected device undermines the value of any devices with protection.

In the end, for devices in the home I opted for a router (a recent Asus device, running Merlin firmware) on which I could configure a VPN directly, enabling every device in my house to be routed through the VPN. I then simply excluded the devices above. For devices out of the home, the OpenVPN Connect client was installed/configured as per the VPN provider’s requirements. I also used Automate for Android to set up a flow to automatically disconnect the VPN on mobile devices when at home (based on SSID – see this community flow).

If you don’t want to use Automate, just ensure that when you leave the house, or a VPN-protected wireless network, you connect to your VPN service.

Confirm Your VPN is Working

  • Check you are not leaking DNS queries once you think your setup is complete: https://www.dnsleaktest.com/ – if you are, review your DNS configuration as per the VPN provider’s recommendation.
  • Check you are not leaking IPv6 addresses: http://ipv6leak.com/ – if you are, disable IPv6, as your chosen VPN provider may not protect you from this. (On Windows 10, set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters\DisabledComponents to 0xFF)
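
A local pre-check to run alongside the IPv6 leak test on Linux (an added example, not part of the original article): it reads the kernel's /proc/net/if_inet6 table and lists routable IPv6 addresses bound to interfaces other than the VPN tunnel. The tunnel name prefixes and the sample table are assumptions constructed for illustration.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")  # unique local addresses, not Internet-routable
SCOPE_GLOBAL = 0x00  # scope value the kernel reports for global addresses

def parse_if_inet6(text):
    """Yield (device, IPv6Address, scope) for each row of /proc/net/if_inet6."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        addr_hex, _ifindex, _prefixlen, scope, _flags, dev = fields
        yield dev, ipaddress.IPv6Address(int(addr_hex, 16)), int(scope, 16)

def ipv6_leak_candidates(text, tunnel_prefixes=("tun", "tap", "wg")):
    """Return (device, address) pairs that are routable and sit outside the tunnel."""
    hits = []
    for dev, addr, scope in parse_if_inet6(text):
        if scope != SCOPE_GLOBAL or addr in ULA:
            continue  # loopback, link-local and unique-local cannot reach the Internet
        if dev.startswith(tunnel_prefixes):
            continue  # address belongs to the VPN interface itself (assumed naming)
        hits.append((dev, str(addr)))
    return hits

# Constructed sample table; addresses use the 2001:db8::/32 documentation range.
SAMPLE = """\
00000000000000000000000000000001 01 80 10 80       lo
fe80000000000000021122fffe334455 02 40 20 80     eth0
20010db8000a000b021122fffe334455 02 40 00 00     eth0
fd00000000000000000000000000beef 02 40 00 00     eth0
20010db800ff00000000000000000002 05 40 00 80     tun0
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for dev, addr in ipv6_leak_candidates(text):
        print(f"{dev}: {addr} is routable outside the VPN tunnel")
```

Pass /proc/net/if_inet6 as the argument to check a live machine; any address it lists is one to confirm against the online leak test.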

VPN Gotchas

  • In the UK, I had issues with BBC iPlayer working. I had to add an exception to the VPN config, on the router, to push all traffic destined for iPlayer straight through the WAN, bypassing the VPN (for those interested, the subnet I targeted was 212.58.224.0/19).
  • You’ll likely have issues when trying to pay for things using Mastercard / Visa. Simply put, they block all VPN-based purchases and access to online banking – I guess I can understand some of the potential concerns here.

Protecting Your Network

Your home network is your private cul-de-sac or gated community, away from the Internet. Like me (until recently), you likely allow friends and family alike to connect to that network using whatever devices they need an Internet connection for. I’m not saying those friends and family have malicious intentions, but their device might, should it be compromised by malware.

Consider how you might separate personal devices and their data from “external” devices over which you have no control. The simplest solution for me was to set up a guest network / SSID on my wireless router. Now I have two networks that cannot “talk” to each other:

  • PRIVATE_SSID – WPA2 PSK protected, hidden SSID with MAC filtering
  • GUEST_SSID – WPA2 PSK protected, broadcast SSID, no MAC filtering

You can see I have also hidden the SSID of my private network and enabled MAC filtering. These are some rudimentary obfuscations that make malicious users less inclined to try (though, for the dedicated hacker these are both easily overcome).

Finally, disable WPS on your router – it is a known attack vector against wireless routers.

Changing Your Behaviour

This is going to hurt… trust me.

Wave Goodbye to Chrome

I said this would hurt. You can review the Chrome Privacy Policy here, but essentially we’re going to disable some of the features that can be used to help build an understanding of your consumer habits and target specific services and products at you.

Use Firefox on your mobile devices as well.

First things first: download and install Firefox. You then need to create two files to lock down privacy-related settings. Approaching it this way means these settings cannot be changed by any plug-in or future update. For more information about the specific settings check out https://www.privacytools.io/#about_config.

mozilla.cfg

// The first line of mozilla.cfg is ignored by Firefox, so it must remain a comment.
lockPref("privacy.trackingprotection.enabled", true);
lockPref("geo.enabled", false);
lockPref("browser.safebrowsing.enabled", false);
lockPref("browser.safebrowsing.malware.enabled", false);
lockPref("browser.safebrowsing.downloads.enabled", false);
lockPref("dom.event.clipboardevents.enabled", false);
lockPref("network.cookie.cookieBehavior", 1);
lockPref("network.cookie.lifetimePolicy", 2);
lockPref("browser.cache.offline.enable", false);
lockPref("browser.send_pings", false);
lockPref("webgl.disabled",true);
lockPref("dom.battery.enabled", false);
lockPref("browser.sessionstore.max_tabs_undo", 0);
lockPref("media.peerconnection.enabled", false);
lockPref("media.peerconnection.turn.disable", true);
lockPref("media.peerconnection.use_document_iceservers", false);
lockPref("media.peerconnection.video.enabled", false);
lockPref("media.peerconnection.identity.timeout", 1);
lockPref("browser.search.suggest.enabled", false);
lockPref("datareporting.healthreport.service.enabled", false);
lockPref("datareporting.healthreport.uploadEnabled", false);
lockPref("signon.rememberSignons", false);

local-settings.js

pref("general.config.obscure_value", 0);
pref("general.config.filename", "mozilla.cfg");

On Windows copy the files as follows:

copy mozilla.cfg "C:\Program Files (x86)\Mozilla Firefox"
copy local-settings.js "C:\Program Files (x86)\Mozilla Firefox\defaults\pref"

On Linux (Debian 8, Jessie specifically):

cp mozilla.cfg /usr/lib/firefox-esr/
cp local-settings.js /usr/lib/firefox-esr/defaults/pref/

If you think I am missing something here, leave a comment and I’ll update the list accordingly.
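
One way to confirm that a deployed mozilla.cfg still locks the settings you expect, as an added example that is not part of the original article. The function names, the EXPECTED subset and SAMPLE_CFG are assumptions constructed for illustration.

```python
import re

# Matches calls such as: lockPref("geo.enabled", false);
PREF_RE = re.compile(r'^\s*(lockPref|defaultPref|pref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_value(raw):
    """Turn the JavaScript literal used in the file into a Python value."""
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw.strip('"')

def parse_prefs(text):
    """Return {pref name: (function used, value)} for every pref call in text."""
    matches = (PREF_RE.match(line) for line in text.splitlines())
    return {m.group(2): (m.group(1), parse_value(m.group(3))) for m in matches if m}

def audit(cfg_text, expected):
    """List the ways cfg_text fails to lock each expected pref to its value."""
    findings = []
    lines = cfg_text.splitlines()
    # Firefox skips the first line of the cfg file, so a pref placed there is lost.
    if not lines or not lines[0].lstrip().startswith("//"):
        findings.append("first line is not a comment")
    prefs = parse_prefs("\n".join(lines[1:]))
    for name, want in expected.items():
        if name not in prefs:
            findings.append(f"{name}: missing")
            continue
        func, got = prefs[name]
        if func != "lockPref":
            findings.append(f"{name}: set with {func}(), not locked")
        if type(got) is not type(want) or got != want:
            findings.append(f"{name}: is {got!r}, expected {want!r}")
    return findings

# Expected values: a subset of the mozilla.cfg above. SAMPLE_CFG is constructed.
EXPECTED = {"geo.enabled": False, "network.cookie.cookieBehavior": 1,
            "media.peerconnection.enabled": False, "webgl.disabled": True}
SAMPLE_CFG = """//
lockPref("geo.enabled", false);
pref("network.cookie.cookieBehavior", 1);
lockPref("media.peerconnection.enabled", true);
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CFG, EXPECTED)))
```

parse_prefs() reads local-settings.js as well, so the same script can confirm that general.config.filename still points at mozilla.cfg.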

Browser Add-Ins

With Firefox installed and hardened, we now need to look at add-ins that can also help to reduce tracking. As per privacytools.io, and other sites, I would suggest the below as having minimal impact on your browsing experience:

  • uBlock Origin :: no specific config
  • Disconnect :: no specific config
  • Decentraleyes :: no specific config
  • Flash Control :: no specific config
  • HTTPS Everywhere :: no specific config
  • Self-Destructing Cookies :: no specific config

The following add-ins WILL impact your experience somewhat or, in the case of NoScript, significantly:

  • Random Agent Spoofer :: config below
  • NoScript :: no specific config, but beware, this will significantly impact your browsing experience.

Again, if you think I am missing something here, leave a comment and I’ll update the list accordingly.

All Set? Now Test Your Browser Setup

Use the various tests available at Browser Leaks to ensure you’re set up properly.

Also consider your browser fingerprint. If you are using the Random Agent Spoofer you will appear to be unique, but remember that every X minutes (as you have defined) your fingerprint will change massively – making this a non-issue.

Internet-based Services and Account Privacy

First and foremost, use a strong, unique password for every service – if you really need to ask why, see if an account associated with your email address (and thus any related passwords) has been compromised here: https://haveibeenpwned.com/ – consider a password manager to help with this.

Secondly, ensure you have enabled multi-factor authentication (MFA) or two-factor authentication on any account / service that you can.

Below we’ll target some of the big services, but in essence we’ll disable targeted advertising, reset advertising IDs and hide as much information as possible from people we do not know (as this could be used to get into your accounts for other services).

Google Account

Run through the Google “Privacy Check-Up” – the information Google has been collecting about you is “surprising,” especially the location history and app usage on your Android device… a privacy enthusiast’s nightmare!

Facebook Account

No surprises these guys have amassed a significant amount of information on you.

Microsoft Account

Skype Account

LinkedIn Account

Operating Systems

The basics here, irrespective of desktop or mobile Operating System / platform, are: keep your OS up-to-date, run real-time Anti-Virus software, and run regular scans.

Desktop

Many of you reading this will be running a Windows device – a few of you may not be. If you happen to be running Windows 10 you need to check out the Win10_Privacy tool, available here: http://www.winprivacy.de/ – there are several reasons why Windows 10’s information gathering has generated a lot of noise online – this tool deals with the majority of this noise.

If you are “flexible” with your Operating System then consider Debian Linux (perhaps running in a VM?) or any other options presented here. Ubuntu is not recommended due to some privacy concerns – namely around ads and search tracking.

Mobile

Mobile OS may be easier, depending on your device. Google’s Android and Apple’s iOS are proprietary: either closed source or gathering your information – see the device history that Google gathers, which includes when you open apps, how long you used them for, etc.

Android devices can benefit hugely in terms of privacy by installing a Cyanogenmod ROM – namely because of Privacy Guard. Even if you are running Cyanogenmod you should still configure as below:

  • Settings | Google | Ads
    • Reset Advertising ID
    • Enable Opt Out of Ads Personalisation
  • Settings | Security
    • Apps with Usage Access > Disable ALL of them

iOS users should review the options within the Settings | Privacy menu.

As before, regardless of platform (sorry Windows Phone users) use Firefox to improve your privacy.

Mobile Messaging Apps

SMS and Phone Calls are inherently insecure, although there are plenty of alternatives that are better (to varying degrees) – see the EFF scorecard on messaging apps for more detail.

I went with Signal in the end, but the choice is yours. Wondering why this is important? Check out this story for more information.

Other Useful Resources

My go-to places for Privacy-related information / updates and suggestions include: