Keeping Your Habits Private In A Connected World
Earlier this month, President Trump signed Senate Joint Resolution 34 into law, rolling back rules put into place by the Federal Communications Commission during the Obama administration. Those rules, which had not yet gone into effect, would have blocked internet service providers from selling users’ browsing data. Blocking those rules means that ISPs can now legally mine data about the sites people visit online and sell that information to advertisers and others. ProPublica senior reporter Julia Angwin and cybersecurity expert Eva Galperin of the Electronic Frontier Foundation join Ira to talk about practical methods to shield your online communications, including tools like Tor and VPNs, secure messaging programs like Signal, and encrypted email services such as ProtonMail.
Julia Angwin is author of Dragnet Nation: A Quest for Privacy, Security, and Freedom in a World of Relentless Surveillance (Times Books, 2014) and senior reporter for ProPublica in New York, New York.
Eva Galperin is Director of Cybersecurity for the Electronic Frontier Foundation in San Francisco, California.
IRA FLATOW: This is Science Friday. I’m Ira Flatow. Earlier this month, President Trump signed legislation rolling back FCC rules issued last year on internet privacy, blocking those privacy rules before they could even take effect. Under the law, internet service providers are now allowed to sell your browsing data, your record of what sites you visited online.
What if you don’t want them to? What tools can help you keep your data and your browsing habits private? And what about messaging your friends? How can you keep those conversations away from prying eyes?
Joining me to talk about practical tips for privacy are Julia Angwin, she’s a senior reporter at ProPublica and has written extensively about security and privacy. She’s the author of Dragnet Nation: A Quest for Privacy, Security, and Freedom in a World of Relentless Surveillance. She’s in our New York studios. Welcome back.
JULIA ANGWIN: It’s great to be here.
IRA FLATOW: Also, Eva Galperin is director of cyber security for the Electronic Frontier Foundation and helped create their surveillance self-defense guide. And she’s at KQED in San Francisco. We’ll get to her in a minute. Welcome to Science Friday, Eva.
EVA GALPERIN: Thanks, I’m happy to be here.
IRA FLATOW: And nice to have you. Julia, how much does this new law actually change things?
JULIA ANGWIN: Well, unfortunately, this new law actually just sort of codifies the status quo, which is that internet service providers, the companies that you pay for internet service whether it’s on your phone or on your home internet connection, have been desperate to get into the business that Google and Facebook have of creating dossiers about people and getting advertisers to pay for that access.
So they’ve been coming up with new products to sell to advertisers for years now. And the SEC effort last year to put in these privacy rules was actually because they were concerned about the intrusiveness of the actions the ISPs were taking. And it was meant to curtail some of that. But now this new administration and Congress have said, actually go wild, have fun, and enter this new era of access to personal data.
IRA FLATOW: So what kind of data are we talking about? What are they able to see?
JULIA ANGWIN: So basically, your ISP sees everything. So you connect to the internet through them and then basically the rest of the internet as you access it, they can see it unless you’re using some kind of masking technique.
Generally if you’re using– most email providers at this point– their back end, the part that goes over the ISP, is encrypted. So they mostly can’t read your email, but that’s still not true of all of them. Same thing with instant messaging or chats. So theoretically, they can see almost everything unless the service you’re using has taken steps to encrypt it.
IRA FLATOW: And Eva Galperin, is there anything a person can do?
EVA GALPERIN: Well, there are a couple of different things that you can do. The first is to think about using a VPN when you connect online. And not all VPNs are created equal. And I would be very suspicious of free VPNs, or VPNs that are very cheap because usually if you don’t understand who is paying for the product, you are probably the service.
IRA FLATOW: So how much should you pay, reasonably pay, for a VPN, a virtual private network?
EVA GALPERIN: I think it really depends. But if it is free or if it is, say, $20 for a lifetime membership, you should be strongly suspicious that they are making money by selling your browser data.
IRA FLATOW: Yeah, so maybe $3.00, $4.00, or $5.00 a month or something like that is a good price?
EVA GALPERIN: That’s not unreasonable.
IRA FLATOW: And how do you decide what you need to include in the mix of your protections?
EVA GALPERIN: Well again, you might want to consider using a VPN. But you might also want to make sure that you’re using a browser extension called HTTPS Everywhere, which is written by EFF, and which we make available for free. You can use it on either your Chrome or your Firefox browser. And it will make sure that if the site that you’re visiting supports HTTPS that it will do so by default.
So HTTPS is the encryption that Julia was talking about, which means that your ISP can see sort of what web site you’re going to but they can’t see what you’re doing on the web site and they can’t see what part of the web site they’re going to.
So if you go to say KQED.org, they can see that you went to KQED.org, but they can’t see that you went to KQED.org/sciencefriday.
IRA FLATOW: So people like to talk about the NSA or hackers as being something they were really afraid of, but you’re saying probably a bigger threat is the ISP, your service provider.
EVA GALPERIN: I think everybody’s threat model is a little bit different. And some people are genuinely concerned about being spied on by law enforcement. But that doesn’t mean that being spied on by your ISP or by corporations is not also deeply worrying for some people. And they should be able to protect themselves against it.
IRA FLATOW: Julia, what else do you do to shield yourself?
JULIA ANGWIN: Well, I don’t think a fan of the Tor web browser. So it’s a web browser you download just like any other one, but it anonymizes your traffic. So what your ISP would see is that you’re going through Tor, but it wouldn’t know what websites you’re visiting. And it’s probably, in my opinion, the best protection we have in this situation that we’re in, where the ISPs have been given carte blanche to look at everything that we’re doing online.
And so there’s little lag time because Tor bounces your traffic around the world. So it goes to Amsterdam or Germany or wherever, in order to evade, you know, being seen. And so you have to put up with a little bit of slowness, but I keep it open most of the time and try to use it for the searches that I don’t want anyone to see.
IRA FLATOW: Don’t the browsers, or some of the web browsers, have it built right in, some of the VPNs and Tor built in or you have to add that on?
JULIA ANGWIN: Usually you download it yourself. I would definitely prefer people to download it directly from Tor because there also are, unfortunately, people who try to market fake Tor processors. So it’s best to get it directly from the source.
IRA FLATOW: Eva, you wanted to jump in there?
EVA GALPERIN: One thing to keep in mind– one thing to keep in mind if you’re using Tor browser for all of your browsing is that you will frequently get a lot of requests to fill out captchas and prove that you are not a bot. And one of the reasons for this is because a lot of abuse to web sites happens via Tor. And so they need to make sure that you are not in fact being abusive, that you are just like regular people surfing the internet. So it slows you down a little bit, and it’s a little bit annoying, but it is free and it’s certainly worthwhile.
IRA FLATOW: And what about text messaging? What’s the best way to feel like you’re secure in text messaging?
EVA GALPERIN: Well, the first thing that you should know is that if you’re sending just regular straight up SMS text messages to someone from your phone to their phone, it is extremely easy to spy on those messages. Not just the metadata, who you’re talking to, but the content of your messages is really easy to pick up. Not just for your cell phone provider, but for anyone who can make a new radio to spy on your text messaging for, honestly, not a lot of money.
So text messages are not very secure. There are several excellent replacements for text messaging that work quite well. One of them is Signal from Open Whisper Systems, which is both free and open source. And it works as a pretty good way of sending messages to your friends.
The same crypto is used in WhatsApp. The only concern about WhatsApp is that WhatsApp is owned by Facebook. And so Facebook takes their knowledge of who you’re sending messages to and combines that with the things they know about you from Facebook. Which, if you’re worried about corporate spying, could be pretty distressing.
I also recommend Wire, which is also a free app.
IRA FLATOW: Isn’t the Apple system, the text message system, encrypted end to end?
EVA GALPERIN: Yes, if you’re sending messages to other people who have iPhones.
IRA FLATOW: Ah ha. So it has to have– so if you send somebody who is on Google, or some other system, Android, then it’s only going to be encrypted on your end, but not the other end.
EVA GALPERIN: It will in fact not be encrypted at all.
IRA FLATOW: At all?
EVA GALPERIN: Nope.
IRA FLATOW: Wow, I didn’t know that. Julia, what about internet companies that aren’t ISPs, like Facebooks and the Googles. I mean, shouldn’t we just assume that they– that you give them permission to go and see everything that you have?
JULIA ANGWIN: I mean yes. If you bother to read that very long terms of service that no one ever reads, you have agreed to give them everything. And they are using that to make a lot of money off of you. And basically what’s happening is that the ISPs are just jealous. They want that same amount of money even though they already charge you for their services. So they want sort of a double dip on that.
And I think that we have to think about this as a problem overall for the internet, right? This is troubling that the ISPs have got this special pass, but we’ve also built a system where we’ve allowed everyone, kind of, total surveillance of us. And we don’t have a lot of options as consumers for a better way unless you want to do like I do, which is to use Tor, but as Eva, said it’s extremely annoying to use.
IRA FLATOW: With the new regulations, or the non-implementation of the old regulation, allowing people to sell your data about where you’re surfing, how granular can that get? Can they actually– do companies who are buying it really want to know the exact person on the other end or do they want to know when a general rule about who–?
JULIA ANGWIN: That’s a good question because actually, some of the ISPs have come out and said, we don’t sell. We’re not going to sell your browsing data. And there’s a little bit of a semantic game that’s going on right now because most companies don’t sell it, like, here’s where Ira went today, and here is a list of the URLs. It’s actually much more about, I want to reach somebody who’s really into science and has a radio show on Fridays and can you follow that person around the web?
And so they put people into categories, and they sell those categories. And that allows them to say that they’re selling your individual data, that it’s more sort of compiled or an analysis. But in reality, there may well just be only one person who fits that criteria.
IRA FLATOW: So let’s go to the phones. Let’s go to Mike in New Britain, Connecticut. Hi Mike.
MIKE: Yeah, hey. I love your show, great topic.
IRA FLATOW: Thank you.
MIKE: I heard about what happened– you’re welcome. I heard about what happened with Congress. And I just wanted to call in. I actually purchased a VPN service. It was recommended for two years by PC Magazine, and they’re having a 72% off deal for two years right now. So if anyone’s out there and they’re looking for it, it’s NordVPN, which is truly outstanding.
One other thing with the VPN services is some of them will save your data. And actually, there can be a way that, even though they’re protecting you while you’re surfing, the data is saved, and people can get at it. Some don’t save the data. So there’s really no way anyone can get at your information, your personal information, or your browsing history or anything like that.
So I just want to chime in with that, that there’s this great product, NordVPN. I don’t work for them, and they’re having a sale right now.
IRA FLATOW: All right, thanks for that. Now Eva, what do you think?
EVA GALPERIN: Well, I do think it’s very important when you’re choosing a VPN to see whether or not they have a policy of logging your browsing data. If you are concerned about your ISP having a great big log of all of your browsing data and possibly selling it, then that concern also extends to your VPN provider. You’re essentially just sort of moving the nexus of trust.
One of the things that I recommend doing is actually looking for a VPN provider in a country like Sweden or Finland, where logging is illegal.
IRA FLATOW: Oh, Switzerland. That fits. So search for one that’s out of the country. Well, do your homework and find out where the countries most respect your privacy, and go look for VPN there. And they’re available quite easily if you Google it?
EVA GALPERIN: Yes. Yes, they are.
IRA FLATOW: Are we– is this the new normal now, Julia? I mean, is this is it the spy versus spy like we used to say in Mad Magazine? I mean, are we– who’s one step ahead of you, or are you one step ahead of them?
JULIA ANGWIN: I mean that is unfortunately the new normal, and I wish it wasn’t. Because the truth is that as citizens we’re always going to be out-gunned by the corporations that are trying to watch us and make money off of surveilling us. And so yes, we can try to do all this.
And I use a VPN and use Tor and use Signal, and I use all those things. But in the end, I’m up against people who have just much greater resources. And I would really love it if at some point we were able to re-balance this equation slightly more in favor of the citizen.
IRA FLATOW: I’m Ira Flatow. This is Science Friday from PRI, Public Radio International. Talking about your internet security with Eva Galperin. She’s director of cyber security for the Electronic Frontier Foundation. And also with us is Julia Angwin, senior reporter at ProPublica.
Let’s talk in the few minutes we have remaining about encrypting your email. Is that a good idea or is your email really so easy to get a hold of?
EVA GALPERIN: Well, there are sort of two aspects to encryption here. And this is actually something that confuses people a lot when they talk about encryption. They’re trying to choose tools, and they’re trying to decide, what do I do in order to protect myself? People say, well, why don’t we just sprinkle some encryption on that? Everything’s fine. And frequently, it’s not clear whether they mean encrypting your data at rest or encrypting your data in transit, which are two different things.
Right now, most email providers will encrypt your data in transit, which means that if you go to the URL bar on your browser, it will– your URL will be starting with HTTPS rather than HTTP. And that means that the data is encrypted while it is going across the internet.
And this is very good. This is something that we’ve actually been pushing for at EFF for many years. And about half of the internet is currently using HTTPS. So we think that’s really great. But the other question is your data at rest, which is to say that when the email is on your computer, is it encrypted then?
And for that you often need to use additional tools, such as PGP.
IRA FLATOW: Pretty good privacy, as they used to call it.
EVA GALPERIN: Pretty good privacy.
IRA FLATOW: And is it free like it used to be? Or do you pay for something?
EVA GALPERIN: Yes. It is in fact free to PGP encrypt your email. And you can do this using some browser extensions, such as Mailvelope, that are compatible with your web-based email. So if you want to do that, you can do it. I usually caution people against the use of PGP because it is so easy to get it wrong. And when it fails, it fails unencrypted. So if you–
IRA FLATOW: Wait a minute, you told us to use it. So what should you use instead?
EVA GALPERIN: It is extremely important that you do it right. If it is important to you to send messages back and forth with someone and you would like to make it more difficult for you to screw up, I would recommend a tool more like Signal or WhatsApp, depending on your feelings about the metadata issue. Because that stuff will always be end-to-end encrypted. Your data will always be encrypted both in transit and at rest. And you can’t screw it up.
IRA FLATOW: Yeah, making things less easy to screw up is always the preferred situation. Certainly for people working high-tech stuff on the internet.
I want to thank both of you for taking time to be with us today. Eva Galperin is director of cyber security for the Electronic Frontier Foundation. And she helped create their surveillance self-defense guide. And Julia Angwin, senior reporter at ProPublica, author of Dragnet Nation: A Quest for Privacy, Security, and Freedom in a World of Relentless Surveillance. Thanks to both of you for being with us today.