It's been a while since part 8 of this series on how I've improved protection of my privacy in the face of massive human rights violations against my freedom and privacy by a number of security organizations around the world as revealed by Edward Snowden. I've said goodbye to public instant messaging providers and have installed my own server for family internal communication together with secure end-to-end encryption. Certificate Patrol in the browser protects me from rogue SSL certificates, I've installed GnuPG for email encryption but found it unusable in practice, I've become a regular user of TOR, my browser automatically deletes cookies when I exit it and most importantly, Owncloud keeps my files, calendar and address book in my own domain. For details on all those things click on the "Privacy" link at the end of this post to see the previous parts of this series. Despite all of this, however, I still feel there are a number of open flanks that need to be addressed:
- Email: As a means of communication, email is completely broken and even encrypting the content will not make this form of communication secure. This is because there always needs to be a server somewhere on the Internet to store and forward messages and even if the content is encrypted, the subject, sender and receiver are not. So apart from encryption, the only thing that could at least make communication between my family members secure and private is to host my own email server at home and have all devices receive and send email via that server at home. This way at least the email and content we send between each other would be secure as that would never end up on an external server.
- My RSS aggregator leaves trails: Not mentioned above is Selfoss, my self-hosted RSS aggregator that I installed after Google decided to shut down its Reader cloud service. It's been a tremendous enabler so I'm quite happy Google shut down the only service apart from search that I used to use from them. One thing I'd really like to do when I have a bit of time is to TORify all aggregator web requests to keep information about which web sites I read private. That might be a bit on the paranoid side, but it's really nobody's business which web sites I'm interested in. Period.
- Voice and Video calling: I still have to find a good replacement for Skype for communication between family members as a central server farm controlled by Microsoft knows about every call and every message I send over the Skype client. This is probably the most pressing issue that I have to address in the near future.
- Metadata: One thing I can do little about is the metadata my communication creates. Phone companies record who calls me and whom I call, anyone observing my IP packets knows what websites I'm interested in, which bank I am a customer of, etc. etc.
While I can still close a number of holes in my privacy armor, especially the metadata issue clearly shows that raising the shields is just treating the symptoms but is definitely not a cure for secret service agencies in many countries trampling on our human rights of freedom and privacy by collecting all data they can get hold of. I recently heard a pretty interesting analogy: Security agencies are like the immune system of the body, which detects and protects us from harm attacking our body. Without an immune system the body would not survive. But then there are autoimmune diseases where the immune system attacks the body, which is ultimately fatal. And that's just what is happening right now and we have to do everything to ensure that security agencies act as a proper immune system and not like an autoimmune disease. In other words, treating the symptoms by raising the shields is not enough, it's very important to treat the illness as well.
As far as the email part above, it’s not correct to say that hosting your own mail server will protect the email headers. All of that data is sniffed in flight at various points throughout the internet. It does not have to actually reside on a mail server for someone to be able to read the mail headers. So hosting an email server in your house is only going to do you any good if you only send email to other computers inside your house on your local subnet. Once those packets go to your service provider, consider them sniffed.
And if you are only going to send email to family members in your house, it’s probably a lot safer to just get up and tell them yourself…
Hi Dan,
hosting my own email server at home will help a lot for privacy because we travel a lot and often send files between household members via email. When you set the email clients to deliver to the email server at home (with SSL) that then only forwards those emails externally that are not for the same domain, then everything is encrypted. That's a lot better than only using an external provider today. Sure, a MITM is still possible because as far as I know Thunderbird does not alert when the SSL certificate changes… But better than a fully hosted solution…
Cheers,
Martin