To some, encryption sounds nefarious. Recent ransomware attacks may have given the word a bad rap. Encryption is the process of converting information into code to prevent unauthorized access. While it can be used by bad actors to keep you from your data (ransomware is an excellent reason to keep frequent backups), encryption can also be used by you to keep bad actors from snooping on your data. It is also useful to verify trust, most commonly seen in TLS certificates. Knowing that you are actually communicating with your home server or online banking server rather than some bad server dressed in sheep's clothing is certainly very important. The web is now encrypted by default thanks to efforts such as Let's Encrypt. HTTPS also provides for faster transmission via HTTP/2, so there is little reason to not encrypt web traffic. HTTPS ensures that you are talking to the website you think you are and that sensitive data you send such as your login password is sent encrypted end-to-end. Today, any digital citizen should have some concern about ensuring their data does not fall into the wrong hands.
The argument that one who has "nothing to hide" should not be concerned about encryption is a red herring. As we have seen recently, even companies we previously trusted (I'm looking at you, Facebook) are irresponsible with the data we freely provide to them. Perhaps these recent data scandals will be enough to convince people to be conscious of their digital footprints. We already know data companies such as Facebook can infer "private" information such as annual income from the things we like and the demographic data we freely share. Facebook probably already has your exact street address if you uploaded photos with GPS metadata (i.e. photos taken by a smartphone). Windows collects information and shares it with the Microsoft mothership (there's a keylogger included, by the way). Most software applications send "usage data."
People didn't even bat an eye when Gmail parsed and read through our emails to sell relevant ads. Retailers track you while you shop with your cell phone's MAC address. Thank you for the free WiFi.
That last one may sound shocking but online retail giants have been doing essentially the same thing for years. Cookies and now digital fingerprints are used to keep track of your every interest across websites.
I do not mean to sound alarmist. It is true that a lot of this data collection is beyond our control. It is also true that these same tools that track us do actually provide value. Tracking cookies, for instance, allow advertisers to send us advertisements that are targeted to our unique interests. Nevertheless, people should be aware of their threat model and take simple steps to stay safe. For example, switching to a secure messaging platform such as Signal, or even to face-to-face conversation, is a solid first step. Using iMessage is also a good second option because messages are encrypted end-to-end by default. It is completely transparent and convenient. But it also requires that you trust Apple with the encryption key (not a big leap), and there is the fact that your messages are stored unencrypted on iCloud, where they are available for search warrants and skilled hackers. Still, this is much better than email, where messages are mostly not encrypted at all (Gmail does provide TLS encryption if you have a business account, but Google still has the key).
- Use Signal or another secure messaging app (skip WhatsApp, as it is owned by Facebook, which has a bad security reputation).
- Don't overexpose yourself by posting "I'm off on vacation for the next two weeks!" on social media (translation: "Calling all burglars! My home is available!").
- Disable Windows 10 telemetry - or at least what you can.
- Keep up with software security updates. Stop using Windows XP.
- Use a VPN (no need to spend money here; you can connect back to your home or office connection) when using public WiFi, hotel WiFi, Airbnb, etc.
- Switch to Firefox or Safari. Use the Firefox Container tabs and HTTPS Everywhere extensions.
- Proxy all of your Google searches (see Startpage) except where doing so doesn't make sense (such as local and Maps results) or use DuckDuckGo if you are extra paranoid.
- Use 2-factor authentication for your important accounts. Avoid SMS as a second factor. Use a U2F key for extra security or Google Authenticator.
- If you want to step it up, you can use the full-disk encryption offered by your operating system. This ensures no one will have access to the data without the password (including you). At the very least, encrypt your phone as this is the device that is most likely to be lost or stolen. Many iPhones and Android phones now do this by default. You could also encrypt your computer as long as you are not the type of person who forgets passwords.
So, Facebook betrayed your trust by sharing your data with third parties. Did we all give up and abandon the social media giant? No. Should we? Probably not. We are social beings. For many people, Facebook is their only online presence and only source of news. Small businesses still depend on the platform for promotion despite its rising ad prices.
Yes, our friends betrayed us (although unwittingly). They shared our profile information with third parties because they just had to find out which Hogwarts character they were most like.
So what should be done? Well, first, not everything has to be or should be posted. Second, consider auditing what data you've chosen to share with Facebook. Third, delete old posts. We know that Facebook doesn't actually delete anything. They still keep deleted posts for their algorithms and to package as a consumer profile that can then be sold to Facebook advertisers. This is why the first point is important. Removing old posts does ensure that data won't be seen by web scrapers and by people looking to build profiles of their own. Regularly deleting old posts is a lot less drastic than deleting your account and disappearing from social media. Is it important that everyone be able to access all your conversations from three years ago? Probably not.
Encryption should become the norm. Even if you still believe you have "nothing to hide", encrypting your online communications helps make the internet more secure and actually helps those who are in danger of surveillance, such as journalists. If you live in a mass surveillance state such as the United States, you may be shocked to find that Trump's CIA director thinks encryption "may itself be a red flag". If encryption becomes the norm, as it should, your use of encryption will help those at risk by obfuscating that apparent red flag. The more people who employ good security, the safer everyone becomes.