It seems like you can barely sneeze these days without reading about another large company losing our sensitive data, our credit card information, or compromising our online privacy. So if huge companies like Target and Home Depot have trouble keeping information private, is there any hope for us as individuals to do so?
Before we can answer that, let’s define the scope of privacy we’re talking about by getting some big, ugly, hairy questions out of the way:
Can my boss really read my work emails, monitor the Web sites I visit, view my desktop, etc.?
Absolutely. Technically all this – and more – is possible without you even knowing. However, you have likely agreed to being ok with it as part of the terms and policies you agreed to when you started working for your company. You should not, in any way, consider a work PC your machine, nor should you consider messages you send and receive your email. When I was taking journalism classes, I remember a professor putting it this way: “Don’t visit a Web site, write an email, or make a phone call that you wouldn’t be able to immediately justify in front of your boss.” In other words, just about everything that happens on your machine can be monitored, recorded, logged, and audited later if need be.
What about visiting secure sites and doing encrypted chat – isn’t that safe?
Not necessarily. Without going too deep into the details, it is possible for your employer to be a “man in the middle” and still be able to figure out which sites you are visiting or chat messages you are sending. When I was working as a network engineer a few years ago, my company was quite successful at selling network appliances that were designed to monitor employee Internet usage. Every night the boss would be emailed a PDF containing a breakdown of sites employees visited, how long they remained on each site, and what kind of bandwidth some applications such as Yahoo Messenger, MSN Messenger, Facebook games and Dropbox were eating up on the network. It was fascinating – and a little scary – to see how granular these devices could be at picking apart and disseminating this data. In general, it would probably be safer to assume that any communications to and from your company’s network can be monitored.
How about at home using my Comcast or CenturyLink connection – they can’t see what I do, right?
Unfortunately, this is a false assumption as well. As your computer tries to connect to sites like www.facebook.com or use programs like Dropbox, there are all kinds of network traffic being sent from your computer. Before that data reaches the public Internet, it first goes through your ISP’s network equipment, which can inspect and monitor at least some of that traffic in order to figure out what site you are trying to visit. Traffic to any sites you visit securely (i.e. with https in front of the address) would be encrypted and therefore more difficult for your provider to see. However, any unencrypted traffic – which could include casual Web browsing on non-secured sites or even the emails you send and receive – could be snooped on.
So there is the tough truth: it is not incredibly difficult for your employer or your ISP to keep tabs on much of your online activity.
How to handle your (lack of) online privacy
One way you can get a little more privacy and security is to “secure the line.” In other words, encrypt and/or anonymize the traffic on its way out to the Internet so it can’t be snooped on along the way. To illustrate this, check out the picture below (and please pardon my terrible whiteboard art skills):
In the bottom image, Internet traffic is safe from prying eyes because the PC is setting up a secure, encrypted connection to a VPN or anonymizing service, which is used as a “jumping off” point to the rest of the Internet.
OK I probably lost some of you on the last paragraph. Here’s another way to envision it: Think about the people who come in and out of your house – family members, friends, pets, etc. Your neighbors nearby can see and identify who is going in and out of your house.
Now think about building an enormous pipe with one end at the front door of your house, and the other end a few miles away. And now anyone who wanted to visit you would have to enter and exit using the pipe. Now, your neighbors would have no idea who is coming in and out because the visitors are “hidden” inside the pipe. So to sum up what might be a horrible analogy:
- House = your computer
- Visitors = Internet traffic (the sites you visit)
- Neighbors = boss or ISP
- Pipe = VPN/anonymizing service
The private pipe
So how do you create this private “pipe?” Do a Google search for “surf anonymously” and you will see plenty of products and services that will provide this solution. One that I have played with off and on the last few years is called ProXPN (www.proxpn.com). Whenever I am at a public wifi hotspot or just want to surf the Web anonymously, I fire up the software client and let it connect to one of ProXPN’s servers. As you can see from the screenshot below, I can funnel my network traffic through several points around the US, and even other countries:
Once I’m connected, anything I do online is encrypted before it is sent through ProXPN’s servers and eventually out to the Internet. In other words, I have established a secure “tunnel” between my computer and ProXPN’s servers, which keeps all my online activity private and unreadable from my boss or ISP.
One feature I really like is called VPN Guard. When turned on, VPN Guard will kill a list of applications if for some reason the ProXPN connection goes down. For example, if I want Dropbox and Evernote to shut down, I could configure the ProXPN program like so:
“Wait a second!” you might say. “If I use one of these VPN services, have I really gained any privacy if they can see everything I do?” Great question, and you’re absolutely right. If you use an anonymizing service, you are feeding it some pretty deep insight into what you do online. So you need to read the terms of service closely, and make sure you fully understand what level of privacy you can expect from using the service. In ProXPN’s case, they claim to encrypt connections in such a way that your network traffic is totally unreadable to them. Also, they claim to only keep logs of when users connect, and those logs are kept for two weeks and then deleted. Do I believe all that? Well, I’m a security guy so the answer is, of course, maybe :).
Yes, the sad truth is that true online privacy is almost a myth. But there are a few things you can do to keep your online activities at least a little bit more private.
If you have questions about online privacy or want to discuss it further, I would welcome the chance to talk with you. I can be reached at 952-467-6385 or at email@example.com.
Coming up next
In November, we will discuss patching as it relates to your workstations, servers, and network equipment. Yes, it will get a bit geeky, but I’ll do my best to ensure the topics are covered in a way that’s easy to digest.
In December, we will ring in the holiday month by sharing some online shopping tips to keep your credit card and other sensitive information as safe as possible.