ONLINE PRIVACY CANNOT BE PROTECTED OFFLINE
This website is for all Internet users. We can hardly imagine our lives without the Internet – nor do we want to. We believe that it gives us knowledge and freedom each one of us should have equal access to. It is our common task and interest to preserve and exploit the value of the Internet. It has the potential for endless possibilities but almost as many dangers.
Nearly all of us are exposed to these lurking dangers, but the members of a small group are even more exposed. Political and social activists, legal defenders, whistleblowers and journalists perform a special role. The causes they fight for may require keeping their data and communication much safer than average. This website was not created specifically for them, but we took their situations into consideration while choosing the applications, and we are sure that they can find the most adequate tools for their demands.
It is vital to understand that every single person’s privacy and personal information are valuable. Just as we lock our doors, we should also protect our online valuables from unauthorized persons. Not all violators are alike; their tools and purposes may differ and can cause different kinds of damage. A lot of them are interested in gaining control of our personal data. People living under the oppression of dictatorships fear governments might infringe on their privacy. In contrast, the citizens of Western countries trust the state more than they trust private companies. In the Digital Age we must realize that the success of various enterprises are reliant on huge databases and the sale of personal data. One of the lessons of the surveillance scandal is that it is becoming increasingly difficult to separate the dangers caused by the public and private sectors. The assessment of these dangers and the role they play are no longer black-and-white. The American surveillance scandal also proves that due to the nature of the state and the market there are numerous violations, even in democracies. It follows that our fear of surveillance, even within the framework of a constitutional government, cannot be exaggerated.
This website has been created to support a life without imminent fear that our online activities are exposed in order to be misused. The Snowden revelations have shown that government surveillance is far more extensive than we had previously thought. This website intends to provide average Internet users with the knowledge and self-confidence necessary to regain control over their personal information, without having to give up their favorite Internet activities.
The protection of privacy and personal information in the digital age presents us not only with technological challenges, but also raises legal difficulties as well. The website was not created with this problem in mind, but it can point us towards where we should start. The team of the HCLU is naturally at anyone’s disposal should further questions arise.
WHAT IS ONLINE PRVACY?
The protection of privacy is a fundamental right guaranteed by international law and also by Hungarian regulations. The basis for this protection is different around the world, but still, we do not have to explain to anyone why it is forbidden to place cameras in bathrooms. Our lives are made up of a lot of tiny pieces of data and information: our names, dates of birth, illnesses, favorite soft drinks, holiday destinations, messages from loved ones, etc. Taken in themselves, this information can be extremely important and confidential but also quite insignificant. Taken together, however, they give a clear picture of our everyday habits, our work and our secrets. We call this information personal information. They are, in connection with privacy, specified and protected by law.
The unstoppable development of the Internet has made it, or rather online services like Google and Facebook, the decisive space of our privacy, and we typically store our data on computers as well. For most people, the concept of privacy and the notion of home have come to entail the idea of having a computer and being able to access online correspondence and photos. In our everyday lives we experience the advantages of technological development. Ranging from Internet banking and web stores to messaging applications, services are becoming more and more comfortable and indispensable. Our intentionally or unintentionally shared private data are extremely valuable, and not just for us. Certain companies make huge profits from using and organizing this information while some governments have unlimited access to the most private aspects of our lives. The agents of both the private and government sectors often circumvent the regulations intended to protect private data and privacy and gravely abuse their unlimited information power. We believe that governments and agents of the private sector have to respect the rights of people, and that it is they who have to comply with the law. On the other hand, the law is sometimes unable to provide satisfactory protection, as it lags behind technology. We created this website to provide adequate technological responses to existing dangers, and also to make these technologies easy to learn.
It is a commonplace today that if you do not have to pay for a service, it means that you yourself are the commodity. In the case of the Internet, this means that although Facebook seems to be free, in reality users pays with countless pieces of personal information. Research has shown that many people would be willing to pay for certain services that would better protect their personal information. In other words, they would pay to improve their privacy settings. We cannot agree with this position. It cannot be a question of money whose fundamental human rights companies or governments respect. For this reason we only show methods and applications on this website that are available for free, although we do not contest that there are some good solutions available for purchase.
SECURITY IS A PROCESS, NOT A PRODUCT
We believe the protection and security of personal information should be a process and not a single task to be checked off. First, we have to recognize why it is important to use technologies that strengthen privacy and what inconveniences they can help prevent. The next step is to strive to attain this goal and not lose heart because of the current situation. In addition, we have to prioritize the security of our data and activities and choose that which best suits our goals.
Our objective was to make this process attractive and as easy as possible for all Internet users. None of the programs or applications should be considered a single, final and perfect solution. The technological devices we have chosen will not be relevant forever. This is why the site will continuously be refreshed and maintained. We will indicate how up-to-date each device is, and make suggestions as to what they can or can’t be used for.
We not only receive information in a passive manner while we browse the Internet, clicking from article to article, blog posts or cat pictures, but also provide data about ourselves. When we buy a book, register to a website or write about the events of the past few days, we give away large amounts of personal information: name, e-mail address, credit card and bank account details, birthdate, phone number, home address, password details of our personal lives and personal thoughts.
Communication sent to websites is transmitted through many devices. The process is the same when we retrieve a webpage or send data:
- We type the address of the website in the browser/fill in an online form. Let the example be a registration form to blog.com.
- The request is transferred via intermediary devices until it reaches the one which finally finds its recipient and transmits the request
- The recipient computer processes the data and sends the response, for example that the form data was saved and the registration was successful.
- The response, just as the initial request, is transferred to the initiating computer by hopping through routers.
- The initiating computer displays the response.
(For a visualization of how a data packet gets to a server located in the US, click here http://www.yougetsignal.com/tools/visual-tracert)
When browsing the Internet we usually access website using a technology which transmits data in a non secure, non encrypted way. This allows the data to be easily intercepted and read by others over an unprotected wireless network or on any device it travels through.
Secure HTTP connection, HTTPS was devised to overcome this vulnerability. When using HTTPS, data is transferred in a secure way between our browser and the computers hosting the websites. This way if someone intercepts the message, they will not be able to break the encryption to access the message content.
It is typical for banks and shopping portals to secure data transfer with HTTPS. Major websites such as Google and Facebook usually also enable it.
In the mentioned systems, encryption is achieved using a key pair consisting of public and a private key. To receive data encrypted, the receiving party generates a public-private keypair. Anyone can use the public key to encrypt data but it can only be decrypted with the private key, kept secretly by the receiving party. The private key practically cannot be inferred from the public one.
We need a way to make sure we use the recipient’s public key for encryption. It is easy to commit an attack (a so called man-in-the-middle attack) by publishing a public key in the name of the recipient. If we use this key to encrypt the message, only the attacker will be able to decrypt it.
Digital certificates serve to prevent such attacks. These are issued by certification authorities who authenticate the issuer of the public key and certify that the public key is created by them.
We can check if a digital certificate was issued for a certain site for its HTTPS connection: a locker icon appears in the address bar.
The same problem occurs with e-mailing: messages are sent as plain text, so anyone having access to it can read its contents. One of the most widely used encryption method, PGP (which stands for Pretty Good Privacy) also uses for secure communication a public key and a certificate attesting the authenticity of the key.
We reveal a lot of information about ourselves simply by visiting site or clicking ads. What can be known about us based on these activities and who can have access to this knowledge?
It is easy to follow this process through ads as an example. If we buy a ceramic knife set in an online shop, we may realize soon that we get bombarded by ceramic knife ads throughout Facebook, Youtube or news portals.
Online behavioural tracking and using this data for advertising is labelled behavioural advertising. The advertisers are aiming to collect data about customers so that they are able to show them tailored, targeted ads online.
This is not necessarily a problem for everyone, many Internet users are willing to accept this trade-off so that they see advertisement of products they are really interested in. But advertisers don’t only know our habits related to purchasing of knives, but they may know about our interests, political convictions, sexual orientation or health issues based on what sites we visit, how often, for how long. As online behavioural data represent significant business value, many companies specialize in collecting, selling and using this data.
Data can be collected in many ways, one of the most prevalent methods is through cookies. A cookie is a plain text file sent by server of the visited website to browser which then stores is. When we visit the website next time, our browser sends the cookie back to the site along. The server uses the browser’s unique identifier to identify us, looks for the file storing information about our previous visits and appends new data – for example this time how much time we spent on the site, what our IP address is (which generally reveals our approximate location) or which subpages we visited.
Using this method enables websites to keep us logged in having once typed our username and password, or stay connected after closing the browser window, keep the items in our shopping basket, or have our individual settings on the site at each visit. If we open the site from a different browser or clear the cookies, the site will treat us as new visitors.
Websites typically only store the browser’s unique identifier in the cookie, but in some cases personal data may also be stored such as online form data. These are usually, but not always, stored encrypted. Cookies have differing lifespans, some are automatically deleted when we close the browser, and most have a preset lifetime – this may range from a few hours to decades. A study conducted in September 2014 found cookies which remain active for 7984 years.)
As long as a website’s cookie is stored in the browser, information on the server about one’s visits to the site are extended by each visit.
First-party cookies are the cookies set by the visited website and they store information about our using the site. However many other cookies are kept in our browser from websites we have never visited.
When we open a website, say example.com, we not only see content coming directly from example.com. Our browser receives content from different servers which together build up the website: it gets adverts from ad servers, Facebook “Like” buttons from facebook.com etc. These third parties can also set cookies in our browser which sends the cookies back to their servers each time it requests an ad from the same ad server or displays a button from Facebook. The browser also lets these servers know which website we are visiting.
Sizeable ad servers display ads on many sites which enables them to track our browsing through sites by linking the browser’s requests from different site through its unique identifier and combining the information into a comprehensive profile. Facebook or Google have the same tools to track our online activities. Moreover, if we are logged in to account, they are able to link browsing information to our personal profile. Depending on the lifespan of cookies, they are able to collect browsing information for months or years. The aforementioned study revealed that out of the sampled 16000 cookies 70% was from a third party.
In order for companies to track our browsing habits they don’t even need to place visible content on websites. Many websites allow ad networks and tracking companies to set tiny, 1×1 pixel images, web bugs on them thus enabling cookie transfer. Marketing firms specialised in tracking use this method to cover the most visited pages throughout the Internet. It is thus very likely that they are able to follow a significant portion of our browsing.
Data rarely remain only at the company which collected it as many of them, notably the ones offering free services rely on revenue from selling collected data to marketing firms.