The Five Days of Privacy -- Day 3: Email, File Storage, and Virtual Private Networks

Encrypted email, encrypted file storage, and VPNs all add levels of privacy protection.

December 16, 2016
Bill Fitzgerald Director, Privacy Initiative


Today's post is the third in our series the Five Days of Privacy. In the series, we are looking at accessible steps people can take to improve their personal privacy and security. In our first post, we covered how to assess risk and some steps we can take to improve privacy issues that can come up when we share space with other people. In our second post, we discussed ways we can protect ourselves from online tracking, both for reasons related to privacy and to escaping filter bubbles. Today, we will look at ways we can use email and store files more securely, and we'll look at when a virtual private network (VPN) or anonymous web browsing can be useful.

As always, the recommendations in these posts carry the assumption that we have identified our risks and the steps we are willing to take to address them.

Email

Email is one of the more convenient ways for bad things to happen to good people. While these steps won't solve all the problems with email, they can help address some of the more common issues. The risks in emails that are delivered to your inbox generally come from aggressive advertising or people trying to steal information, compromise your account, or even install ransomware.

Of course, there is always the low risk of your uncle or cousin sending you that hilarious chain email, but protection from that is beyond the scope of this post.

Be wary of links and downloads coming to you via email, even if they appear to come from friends. When you're sending links or files via email, describe what you're sending. This helps the recipients of anything you send know why you're sending it. When you receive a file or a link, look for that context. If all the email says is, "Hey! You gotta check this out!," you should probably avoid the link (and this advice is true for text messages as well).

To avoid a potentially malicious link, review the base URL and verify that it makes sense (mouse over any links before you click on them so you can review the URL that's displayed). People trying to steal your information will create website domains that look "right" but are actually fake (for example, "citibank.co" instead of "citibank.com").

Expand shortened links before you click on them. People trying to steal your information will often use shortened URLs to obscure where they're sending you.
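The two link checks above (read the base URL, and treat shortened links as unknown until expanded) can be written down as a small triage function. This is an added example, not part of the original post; the list of known domains, the list of shorteners, and the edit-distance threshold of 2 are assumptions chosen for the sketch.

```python
from urllib.parse import urlsplit

# Assumptions for this sketch: the domains you actually do business with,
# and a few well-known link-shortening services.
KNOWN_DOMAINS = {"citibank.com", "example.org"}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def base_domain(url: str) -> str:
    """Host the browser will really contact, reduced to its last two labels.

    urlsplit() sets aside any "user@" prefix, so
    "https://citibank.com@evil.test/" yields "evil.test". Keeping two labels
    is a simplification that is wrong for suffixes such as "co.uk"; a real
    tool would consult the Public Suffix List.
    """
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed URL
        return ""
    return ".".join(host.rstrip(".").lower().split(".")[-2:])


def triage_link(url: str) -> str:
    domain = base_domain(url)
    if not domain:
        return "unparseable"
    if domain in SHORTENERS:
        return "shortened: expand before clicking"
    if domain in KNOWN_DOMAINS:
        return "known"
    for good in KNOWN_DOMAINS:
        if edit_distance(domain, good) <= 2:
            return f"lookalike of {good}"
    return "unknown"
```

A result of "unknown" is not a verdict of safety; it only means the link matched none of the patterns checked here.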

Use extreme caution when downloading files, especially files that are compressed (for example, they end with ".zip," ".gz," ".7z," and the like). Bad downloads are a common way of spreading malware and ransomware. Also, avoid files sent via email that are executable, meaning they can install software on your computer (for example, they end with ".exe" for Windows or ".dmg" or ".app" for Mac OS X).

The advice about using links and being suspicious of file downloads applies directly to using social media as well. Be very wary about expanding links sent via direct or private messages from acquaintances you follow. This is a common attack strategy: Compromise one account, then send malware to all the "friends" of that account.

Set your email client to strip or not display images. Marketers will often embed tracking technology called a "tracking pixel" in emails; by stripping or not displaying images, you can defeat this tracking method.

Don't hesitate to ask for confirmation from someone about whether or not a message is legitimate. It's better to send a quick email response asking for confirmation than for your system to get compromised.

If you want an encrypted email account, use a service like Protonmail. However, when using an encrypted email account, keep in mind that both the sender and receiver of the email need to use an encrypted email service. If you send an email from a Protonmail account to a Yahoo or Gmail account, your email and information will be accessible to the ad scanning in those services.

One of the advantages of a large email provider such as Gmail is they provide solid spam, phishing, and malware protection as a part of their service. For regular consumer accounts with Gmail (not educational accounts), you pay for that protection by allowing Google to scan all your email message content, and you allow Google to use that information to create an advertising profile and market services to you; but if your main concern is avoiding malware and phishing scams, then Gmail offers some benefits.

One "advantage" of both email and cloud-based file storage (discussed below) is that they offer a large amount of "invisible" storage. The more data we retain, the more data that can be compromised or accessed by people for whom that information was never intended. If you have important emails that you need to retain over time, archive them and store them offline and then delete the original emails from your email provider. Deleting old emails minimizes the risk to us and to the people we communicate with. It's good data hygiene.

On a practical level, in some instances email can be used in criminal cases or civil lawsuits. Deleting unneeded emails, and deleting older emails, provides a level of protection against frivolous legal action.

A final note about email: It is only as secure as the person you're sending it to, and the "security" of the message should be assessed against the sensitivity and value of the message. If you're using an encrypted email service and you're sending messages to a person using a personal Gmail account, that email is getting scanned by Google. We generally advise people to consider email an insecure service. Accordingly, sending information about a surprise party is probably pretty safe, whereas sending information about a Dark Family Secret is something you might want to save for an in-person conversation.

Secure Online File Storage

For better or worse, we live in a time of plentiful cheap online storage. However, out of this embarrassment of riches, few options offer the ideal blend of ease of access and security. For people who want as close to a guarantee as possible that their information can only be accessed with their consent, most of the common storage options -- Google Drive, Dropbox, and iCloud -- are not useful. While these companies encrypt data at rest, they have a level of access to the data and can be compelled to provide access to that data in response to a legal request. Additionally, these companies often store metadata about how users store files, and this metadata (details such as time and location of access, IP addresses, filenames, and so on) can be informative even without the underlying files. In some cases, using services like iCloud can undercut security and privacy protections we have in place.

For a secure cloud-file-storage solution, we recommend Spider Oak. The differentiating feature of Spider Oak is that it allows us to set a private encryption key that only we can access. This renders our data stored on Spider Oak unreadable to anyone without that key. This both supports our security and streamlines the business operations for Spider Oak; if they're ever asked to provide access to a user's data, they are in the enviable position of having nothing useful to share.

As with email, delete any files that are not immediately useful. Files can always be archived offline on an encrypted removable drive. This is a good step for personal organization, and it also helps ensure that sensitive information isn't left exposed accidentally. As with many of the steps we can take to protect our privacy, small reductions in risk add up. No individual step will magically solve everything, but incremental risk reduction adds layers of protection.

Virtual Private Networks (VPNs)

For people who access the internet from outside their home or office, using a virtual private network (or VPN) can provide different levels of protection from a nosy kid playing at hacker on the coffee shop Wi-Fi network or from a person trying to steal private information as part of an attempt at identity theft. VPNs can also obscure which sites a person visits, thus hiding their browsing history from people who might attempt to access it. Additionally, VPNs hide your IP address, which can make it appear as if you're in a different geographic location, which blocks location-based targeting.

While there are free VPN options, we do not recommend using them, as many of the free VPNs actually track and share your online behavior. If you're going to use a VPN, you will need to research an option that works for you based on your needs. If obscuring your browsing and connection history is essential, make sure you use a VPN that does not store any access logs. These two guides provide a list of things to consider, along with recommendations.

Most VPN services offer plans that can be used on computers, phones, and tablets.

Many companies provide VPNs for their employees. While these VPNs protect against people outside the company seeing traffic, people using a company-provided VPN should know and expect that their company's IT department can see all their online browsing activity and that in many cases that activity is logged.

Increased Anonymity and Tracking Protection

For people who work from multiple computers, or who for whatever reason don't want to use their computer or phone to browse privately, Tails allows you to boot from a USB key and use Tor to browse the web without leaving any trace of your activity on your host computer.

Because Tails can be treated as a throwaway operating system, it offers a level of flexibility other options might not have. Tails can also be useful as a tool to access the internet securely when connecting from places where we might not trust the security of the internet connection.

Tails is a specialized tool that isn't needed by everyone, but it can be useful for people who need to communicate privately from a system that will be difficult to trace, and its preconfigured privacy protections allow people to get started quickly.

Conclusion

While many people won't have an immediate need for the anonymous browsing offered by Tails, the flexibility of a secure and portable browsing and storage tool can be useful in its own right. However, most of us need email as a regular part of our daily work, and the tips outlined in this post can help us use email in a way that minimizes privacy risks.

In our next post, we look at ways of managing passwords and protecting our logins and using public wireless securely. We also dig into some free and easy ways to use our phones and tablets more securely.

