Is Online Privacy Dead?
In today’s interview with privacy expert Paul Rosenberg, you’ll discover how to protect your information from online hackers, nosy businesses and intrusive government. Essential reading for all who use the Internet and especially for those who have internationalized and use the Internet as a way to manage their affairs across borders.
International Man: Tell us a little bit about yourself and how you got into the privacy business.
Paul Rosenberg: I have a construction industry background and am originally from Chicago. I’m a long-time “freedom advocate”, for a lack of a better word.
I got into this business in kind of a cool way. In 2002, I wrote a novel called The Lodging of Wayfaring Men, which was a big hit with the crypto guys [computer professionals who study cryptography and related topics]. One of them turned out to be a very special guy. He contacted me in a roundabout way and said he wanted to get to know me. We happened to be living not too far apart at that time, so we ended up getting together and taking a long road trip. Somewhere towards the end of the trip he said, “Okay, here is what I want to do, and here is why it has to be done. This needs to be done and I want you to do it with me.” I said “yes” and that become Cryptohippie.
IM: Great stuff. Now, before we get into some of the nitty, gritty details, can you take us on a brief private internet history lesson? How did we get to the point that we are today?
PR: That’s a really good question.
Privacy wasn’t really built in to the original Internet. It’s also important to remember that the worldwide use of the Internet was a surprise to everybody. One or two sci-fi guys and a few other people saw it coming, but very few.
As soon as the Net became popular worldwide in the mid-90s, the threats started popping up.
The first one was the usual criminal problem—people trying to scam other people to get something out of them. Because the Internet is nothing except information, they began to learn how to steal information and how to use information against people.
The other problem was the State. The Internet was a surprise to almost all of them. The ability to encrypt data, which I’ll talk about that a bit later, slipped out. Encryption makes it possible for people to hide whatever they want from anybody else, including income. So the State, for a variety of reasons but certainly one of them being income, had to try to bring this thing under control. Over the years, they’ve been steadily working on it. However, because the Internet is inherently decentralized (though not as much as people think), controlling it is very difficult.
So they have done the next best thing. They started surveilling everything and trying to identify every user of the Internet. If they can’t control the Net itself, they’ll try and control the users. It seems they prefer the driver’s license model and every now and then some of their people try to introduce a new program like that. They have all sorts of names for it such as “Computer Health Certificate” but it’s all a variation on the same theme. But some sort of universal Internet ID is essentially the model.
Such programs would allow them to “get in” and basically access anything they would want about anyone. That brings up encryption.
There’s a great story there about a gentleman named Phil Zimmerman. The US government tried very hard to keep encryption out of our hands and Phil, heroically, got it to us [you can read the story here]. And since then they’ve been trying to just get their hands around the internet in any way they could.
A lot of the original Internet surveillance systems grew out of an old system designed to grab every phone call in the world. That program was called Echelon. It was problematic though because in some countries (certainly in the US and a few others), it’s illegal for the spooks to spy on their own people. To get around this, the spy guys came up with a cute idea—the US spied on the Brits, the Brits on the Americans, the Canadians on somebody else, and somebody else spied on somebody else… and then they shared the information amongst themselves.
And that’s what they did for quite a while. They had a very big station in Northern England, among other places. You can look that up, it’s not that secret.
At the same time, the guys with the information tended to share commercial details with some of their corporate pals, some of which made it into the news… The French, in particular, were very teed off at one point because the Americans, if I remember correctly, sent commercial information about Airbus to some of the American companies. It was a big event about in the early part of the century.
Today, the big dog in this game is the NSA [US National Security Agency]. The CIA, the Brits and the other people are all involved, but the NSA is the big one. They get almost every piece of information in and through North America. We could call it the North American Surveillance Agency. And it’s a big deal because most of the world’s internet traffic passes through North America.
In fact, they have offices in communications facilities that are dedicated to tracking the net. Wired Magazine did an expose five years ago or so. There is an office in several of the AT&T buildings where the NSA it is set up to copy all the data travelling through the AT&T servers in that location. They take the whole darn thing.
Their headquarters is outside of DC, but they’re building new facilities. I’m not sure about the details, but I know they have one in Utah that’s in the process of construction now and fairly well along. By our calculations, it’s capable of storing and searching ten years’ worth of Internet traffic – just from that one facility.
That’s what they do. And they’re getting very good at it.
You know, people think of keywords that they are looking for in emails. But they are way beyond that now…
They can read and search context. They keep track of who communicates with whom—two, three and four levels deep.
One of the big things that made it all work was what I call the “free stuff model.” People got free services – whatever it was – Google, Facebook, Hotmail, whatever. And consumers didn’t ask any more questions. “Hey, it’s free!” It has turned out to be a real issue…
I like to explain it this way: Who are Google’s customer? It’s not you. You’re not giving them money. The customer is the person who is paying Google. So what does this make you? Well, you’re the product, and that’s the truth. On all of these free services, you are the product. They are providing you to advertisers or whomever else. So, that model stuck and people want everything for free, and in return, they give away their information. It’s an old scam.
IM: That’s pretty frightening stuff but let’s put a box around this… If you could kind of summarize today’s situation in regards to privacy, how would you do so? The world in 30 seconds…
PR: Unless you specifically protect your communication, almost all of it is in the hands of other people that you don’t know. This is certainly true if you are in North America or, for that matter, Europe. It’s a little less true if you’re in South America and Asia is pretty questionable. But, for those of your readers in the Western world, it’s important to remember that almost every email – almost everything you send is stored and saved in other people’s computers…and they are starting to get good at searching through them.
IM: I think at this point it would be good to point out that this is not fear-mongering and this is not for the sake of selling services. This is the reality of it and statements can be verified. Indeed, the processing power and the political will is there to be able to track and catalogue all these things. All in the name of “drug wars”, “terrorism” and the like.
PR: Absolutely. It’s just the way it is.
We used to put out a report called the “Electronic Police State.” And we put it out every year. We tracked 51 or 52 nations—how they were doing with what we call the “Electronic Police State.” You know, everything is held against you and it’s essentially stored forensically. In other words, it can more or less be used as evidence.
But we eventually stopped publishing because the people who wanted to know, knew, and most people who didn’t know, didn’t want to know. They just thought that we were trying to stir things up because we had a kettle of fish to sell.
But what I shared was and is the truth. It’s the way it is.
I didn’t get into this business because I wanted to make a quick million bucks. We did it because we thought it mattered. Of course we want to make money too. But what I’ve talked about really is going on – it’s the world we live in.
IM: Not too many of our readers know that I come from a technical background – I was on the Internet first in the mid-90s, just after it started to commercialize. I developed and built websites through the late nineties into the early 2000s. So I got to see a lot of this develop. I still have a pretty good idea of how the network infrastructure works.
A few months ago, I pulled up an old tool that “traces” the path from my computer to a server that hosts a particular web site.
It was amazing to me to discover that virtually every site I visited, no matter where it was located, bounced through the US. I found it both comical and disturbing to find that connecting from my home base in Western Canada to a server in Toronto required the signal to bounce through Chicago, NY and I think it even went through Texas.
And of course, when the signal enters the US, it can legally be recorded – it’s their jurisdiction.
Let’s talk a little bit more about the government… We’ve talked about the fact that realistically they have the power, they have the money and they have the political will to track as much as possible. Can you tell us a little bit about some of the things we can do to protect ourselves from the so-called “digital hand” of government?
PR: The trick is to make yourself invisible. To do it right, though, requires either a lot of time or payment. One or the other.
There are two real ways to do this. And I suppose I should back up and say that it’s not only email, it’s every website you visit that gathers all sorts of information on you… where you are, what you’re looking at, why you’re looking at it – all sorts of things.
But you can make yourself invisible. Actually, “unknown” is probably a better way to say it. There are a couple of different ways of doing it—and they both require something of you. It’s always easiest to do nothing, which is the problem.
The first option is to use a free technology called “Tor”, which is something very fancy called an “onion router.” It’s a fine technology, but it requires you stay on your toes and know what traps to avoid; to make sure you’re using the extra encryption at all the right times, and so on. It’s a complex thing and requires a fair understanding of technical matters. Tor nodes can also be compromised, set up by malicious parties to steal your information.
IM: Can you explain what a “node” is?
PR: A node is just one computer, one server, one computer that is cooperating in this system.
With Tor, anyone can become a “node” in the system, which can and has created a few problems in the past. The technology itself is fine and in fact, it has some very nice capabilities. One in particular is called “multiple hops” – in other words your signal jumps from computer to computer to computer to computer in a random way that is very hard to trace. Tor handles that very nicely.
But, because it’s complex and the already mentioned potential security issues, it is really best for professionals. If you’re a guy who has a regular job and just wants to be protected quick and easy, then you need something else.
The other option is to buy an anonymity service like ours. We have multiple hops in multiple jurisdictions… we rotate IP addresses… we pad the traffic so it can’t be tracked easily… we do all sorts of fancy technical things that helps make you appear “unknown”.
But, you have to pay for it. Some services are cheap but the best are not. But you tend to get what you pay for.
If you were there in the 90s, you must remember the free proxies, which were fun. Simple proxies are still around, and they are very cheap. But the problem is they are really not sufficient to the threat anymore. They are single hops, which might trick a site like hulu.com to thinking you’re located in the US when you’re actually in Canada. But it’s really no good as a way to protect yourself from prying eyes.
IM: Without going too much off topic and keeping in mind that the majority of our readers aren’t “techy people”, can you comment or give suggestions on some of the characteristics you would look for in an ideal service that can protect you as best as possible?
PR: There are a few things to look for.
One is that the service is multi-jurisdictional. In other words, it’s not just one server in one country that you connect to and that’s it. You want a service where you, let’s say, connect to them in Canada and your signal will bounce through their network and will come out in, let’s say, Germany. That sort of thing. You don’t want just one spot, because that spot will be watched, and you’ll be exposed quite quickly. Without getting too technical, you want your signal to bounce around as much as possible as it makes you harder to track.
You’ll want a service that has some sort of reputation. This is actually difficult to find because everyone, including service providers, is trying to stay somewhat anonymous. But, ideally you want a company with some reputation.
You want a company that is based outside the US. Being US based is a problem. I hate to keep talking about my company but for example, our network is operated out of Panama. We do have a US sales office, but we even made that a different corporation, so that the network itself is not US based.
With all the “anti-privacy” laws in the US, it’s just a matter of time. Your machines can be taken in a moment. Almost no serious protection service is based in the US anymore. It’s a shame but it’s true.
Lastly, you’ll want to look for a service with good customer service so if you’ve got a question or a problem, you can find a human being to help you out.
So those are the things you really should look at.
IM: Is it fair to say that when you use an “anonymiser service” that you’re bullet-proof against the government? Or, is there still a way they can track you down even with the best system in the world?
PR: Technically yes. There is nothing that is perfectly private.
Let’s say you’re America’s Most Wanted bad guy and they really want you. There are still ways that they can do it with massive computer power. With enough time and enough money, any system can be broken into. There is no security that can provide 100% protection. No one can. Not that I know of.
But for any practical person who just wants to be responsible with his data, that’s where such a service is invaluable. We protect a lot of doctors, lawyers, accountants, investment guys, people that handle other people’s money and people who just want to communicate without anybody listening in over their shoulder.
Real serious international bad guys, well, we certainly don’t want them as customers.
IM: If I were to summarize, the key lesson to take away here is that you need to take the best steps you can to protect yourself. While nothing is 100% perfect, being proactive even a little will set you way ahead of most other people on the Net and make you much less of a target.
Let’s talk a bit about identity theft now, which is something that is dramatically on the increase in the Western world. Can you take us through a little bit about how thieves get our information, and what we can do to protect ourselves, if anything?
PR: The thieves get information in a whole lot of ways. There is the usual way that people suspect – hacking computers – but that doesn’t happen very often nowadays. Now, they put out things like viruses and worms that get into computers (which users get by downloading software), and have them “phone home” and send information. That happens a lot.
It’s important to mention that the real identity theft threat is organized crime. And they are very serious about what they do.
According to some reports a few years ago — pretty credible people put out the reports — data theft and identity theft as a whole provided more profit than illegal drugs. How do you determine that? I don't know, but that’s what some pretty reliable groups are saying.
There is a lot of money in it, so these guys are serious. Usually they just get users to download viruses (in the guise of something free), or sometimes they just buy information on customers and “crunch” the date. Oddly enough, most of personal data is gathered legally. So much for personal privacy! Let me tell you a quick story here to show you how this goes…
I had a friend call me up with a problem. He said he was on a big online broker site and had to change some account settings, which required a call so they could confirm his identity.
“Okay, that’s fairly common, nothing unusual about that”, I said. “Yeah”, he said, “but they had questions that freaked me out.” And I said, “like what?” “Like what is your brother’s address? How do they even know that I had a brother, and they had his name right! They knew my brother’s name, they knew one of my sister’s names. And they knew my parents’ names. I got freaked out and I said,’ how the heck did you get this information?’ And they got defensive and they said, ‘well, it’s all publicly gathered, Sir. It’s all gathered legally, it’s not a problem, Sir.’”
This big online broker was using my friend’s personal information for security questions – information that he had never given to them.
Such information is constantly bought and sold. It’s all gathered by a variety of means. When it comes to getting government information, criminal groups are very good at stealing laptops and things like that.
For example, they find some guy who is an auditor for some agency, and they know that he stops at a coffee place on such a corner at such a time every morning. And if they have enough time, they just copy the data and nobody even knows that it’s missing. If not, they just steal the laptop, and then it shows up a couple of days later with no harm done. And meanwhile all the data has been copied.
You couldn't make this stuff up.
Once they have the data, they send it to “refineries”. This is where they crosslink massive databases to create entire profiles on a particular person. So, they may get a name from the stolen file, an address from a shopping site you visited, a social security number from a third place and put it together into one file… Then, the criminals use this data for all sorts of credit card, banking or other scams. I can’t even keep up with all the various things that they do.
The point is, once they have the identity, they “got ya.”
There is a real fast, cheap way to limit your chances of having your identity stolen. But like most things that work, it’s illegal of course! It’s anonymous digital cash. If it’s just cash and it’s anonymous, nothing you do with it can be traced to you. So you’re not leaving information all over the place on who you are, and how much money you have, and what your social security number is. Because you’re spending cash. It’s just the electronic version of spending paper.
It’s illegal because it makes it harder for the government to track your income. If they can’t track your income, how can they prove your paying your due taxes?
So there’s a really easy cure for identity theft, but it’s quite unlikely that it’s going to be allowed in any wide usage.
IM: Are there any such services around?
PR: Oh yeah, there are different kinds. One called “Bitcoin” has come out in the last year or two and is becoming more popular. It’s not perfectly anonymous but is better than the other payment methods. Of course, now that it has been getting some publicity, several US senators have been going around saying it’s empowering drug deals and such things. So they’ll probably kill that off very soon.
The politicians will never admit the real reason. They are going to blame whoever the big boogeyman that day is. Drugs, terrorists or whatever it may be. They’ll evoke that name. But they can’t allow it to exist.
IM: It’s good to mention at this point, that while you personally have no control over an auditor carrying information about you on his laptop, consumers do “leak” a lot of their own personal information themselves such as when they buy stuff online or sign up for free services.
That actually leads to my next question. A lot of our readers travel a lot and, at least from my experience, on every airport and every plane we’re leaving pieces of our information everywhere. When we log in at an internet café, tap into an open network at the airport, whatever. Can you give us some of the tips and tricks to traveling and still protecting our privacy as much as possible?
PR: First of all, you have to have some sort of protection means, whether Tor or a paid service. Certainly in any internet café, airport or other public place. It’s very easy for people to steal information when you’re not connected to your home (and hopefully somewhat secure) network.
You definitely also will not want to use somebody else’s computer in an internet café, because they can save everything, like keystrokes, to log into your email accounts. I especially don’t recommend logging into your bank account from an internet café. If you do, guess who just got your information to log into your account? If you do need to access your accounts in a foreign place, make sure you’re using your own laptop and have some sort of encryption.
Airports are brilliant places for thieves to grab information because you get all the guys who just finished a business meeting and then call back to the office to tell them how it went and what they are doing. There is a lot of money that can be made with certain information.
Probably the best place to get information that could be turned into fast easy money would be lower Manhattan, where the stock exchanges are. Indeed, it turns out that exactly this has been going on for quite some time.
In fact, two years ago or so, Wikileaks published all of the pager traffic from lower Manhattan that had occurred on the morning of September 11th, 2001. Whoever collected it decided to release all this information because it matters a little bit for historical purposes. The point is, somebody — and we don’t know who — had the ability to gather all the traffic that morning and store it.
Such things go on every day.
That’s why we don’t want to use public networks like Internet cafes for anything that is important to us. You never know who is keeping track of what. As well, assuming you are using your own laptop, you’ll want to protect yourself as much as possible. One of the easy things that you can and should do is limit “Javascript” and certain cookies. It can be done really easily by using the Firefox browser and installing two extensions, one is called “No Script” and the other is called “Better Privacy”. They are really easy to install and run, and they protect you from a couple of the nastier little attacks. So I definitely recommend those.
IM: Can you quickly explain why you need to limit the amount of Javascript on your computer… because it seems like every website uses them.
PR: Javascript is a program that is very nice from the webhosting guy’s side. It does and can communicate some of your computer’s direct information – like an IP address and things like that – to the web site. Even if you are using other products to protect yourself. How much Javascript is used maliciously, I don’t know, but it can be.
So the nice thing about the “No Script” extension in Firefox is that it makes it easy to turn Javascript, Java and other “executable content” on intentionally when you want it – which you need for things like accessing your online banking system and online memberships to certain sites like Facebook.
IM: So that’s some of the considerations our readers need to be aware of. Before we conclude, are there any last minute words of wisdom or stories that you’d like to share?
PR: I guess it sounds too self-serving to say protect yourself. But that really is the one piece of information that people need. No one else is going to do it.
IM: Are there any other companies people can do research on if they are looking for a solution. Obviously Cryptohippie is one, and it’s the one I use and I’m very happy with. But what are some of the other ones that are on the market, so people can check out to find what fits what they’re looking for?
PR: Good question. The only other one that I know that used to do multiple hops was a company called Xerobank. I don’t know what their current offerings are, but a couple of years ago they had a fairly good system. They are very much US based, which I consider to be a problem. Other than that, I really don’t know much else about them.
IM: Thanks Paul, that’s very helpful.
Cryptohippie – Free Trial Offer
Note from IM's Managing Director: I first became a customer of Paul's Cryptohippie service a few years ago – it is arguably the most sophisticated VPN solution I've ever used. While there are definitely other options out there, most are quite complex and if setup incorrectly, can actually cause more problems than they solve. On the other hand, you can use a system like Paul's – it's just not free. However, we've been able to arrange a 7-day free trial if you want to check it out before making any commitment. Click here for more info.