The recent article by Brian Krebs on using VPNs for securing personal internet traffic comes on the heels of fresh and continued government action to strip individual privacy rights and further corporate profit interests. I’ve switched over to using a VPN service almost full time. There are a number of guides on how to increase your personal privacy and I encourage all readers to survey these how-to documents as even technically savvy folks can use a refresher on the current options and threat models. Rather than attempt to compile an extensive field guide, in this post I’ll document a few of my personal choices and some of the reasoning behind those choices.

VPNs

I initially signed up for a VPN service to help with my security research needs. When looking at potentially malicious or suspect sites, I needed a way to obscure my true geographic and organizational locations. In recent months, I’ve gone to running my VPN client full time. I happen to use AirVPN with its extensive collection of US and non-US end points. With clients on my desktop, laptop, and iPhone, my traffic is obscured from my local ISP fairly consistently – though I do run naked (virtually, not physically, thank you very much) on those occasions where I’m doing online gaming. AirVPN gives me a choice of domestic and foreign connection options that allow me to view content from different geopolitical regions and hide my traffic details from my local ISP. There are concerns posted about some astroturfing of AirVPN’s reviews, though I’ve had good results with the service. Based on the OpenVPN software, I can use the same client to access AirVPN’s infrastructure as I use to hit my own personal and client-hosted endpoints for work purposes.

Browsing

My use of Firefox (configured with a fairly restrictive set of privacy settings) goes way back to the Netscape Navigator days and, indirectly, back further to NCSA Mosaic. This is practically iconoclastic with the rise of Chrome, but my former fanboy devotion to Google started to rapidly fade around the time of the great Google Reader disaster. Google’s “Don’t Be Evil” mantra has been increasingly consumed by the hunger of advertising-driven rent-seeking activity. There are some excellent people at Google, and I still use a number of Google products, but each one is done with a personal risk calculation of how much control and information I’m willing to cede in the name of convenience.

Within Firefox I run Ghostery, uBlock (and Purify within iOS), and NoScript. This combination keeps most of the worst of the ads, web beacons, and other tracking technologies at bay. For sites that I wish to support, I do buy subscriptions to offset the ad revenue loss. NoScript is the most potentially disruptive add-on for normal web users. I run with fairly strict settings in NoScript, which breaks most sites upon initial load, choosing to enable JavaScript only on a case-by-case basis. Again, that’s a personal decision and there are settings within NoScript that can make the default experience much smoother. For searches, I run DuckDuckGo and am largely happy with its non-logged search results as compared to Google’s, where every search query is inevitably linked to my Google ID as a source for further data mining.

Operating System

Though I have a beard and love my fedora, I don’t run MacOS and am still a Windows user. I run Windows 10 on my primary computing platforms. I do keep the installed software footprint on these systems to a small set, with cloud and local virtual machine resources stepping in for many of my computing needs. Microsoft has introduced more privacy-compromising features and outright advertising in Windows 10 than any previous version, but it’s still possible to disable most of these defects and return the OS to an acceptable level. My use of configuration management tools helps ensure that these settings are documented and consistently deployed.

Social Media

I don’t participate in Zuckerberg’s privacy slurping machine. While I do have accounts on a number of other social media sites and do use a consistent alias across them (allowing easy correlations across sites), I’m currently not participating in any social media for a variety of mostly non-privacy reasons.

On Risk

This is far from an extensive document on my personal choices and further still from a recommendation on what others should use. While I’m comfortable with breaking large parts of the modern web on first load, that’s probably not a decision with which others would agree. Similarly, I use cloud-based services of various sorts, including storing large amounts of sensitive information. There are those who are much more cautious than I for whom any sort of cloud storage is anathema. It’s difficult to evaluate each technology choice and setting as a potential commercial and political act, yet that is the burden of mindfulness that seems to be needed.