Surveillance is everywhere and ingrained in our society. While privacy is a human right, we live in an era of Operational Security (OPSEC) and privacy fatigue. The technologies we use everyday collect more and more information, making many people feel hopeless about having control over their information. From painful opt-out processes to the integration of artificial intelligence (AI) that can be used to collect keystrokes, people can feel overwhelmed when they try to protect their information.
In an attempt to protect data, many of us take steps like using proxy servers, virtual private networks (VPNs), or hardening our devices. Unfortunately, even taking these precautions may not be enough. A proxy server may not be better than a VPN if you don’t know who owns it. A VPN can have a vulnerability that compromises your ability to protect yourself, so you need to stay aware and, possibly, shift tooling over time. Hardening your own devices may only protect you. Even if you opt out from having your data collected, most companies remove what they collected rather than altering their data collection strategies.
None of these precautions are guaranteed to work. The current environment cultivates this sense of no longer controlling your own information. However, the people who care about data protection need to keep on fighting and educating others because we do have control when we take the necessary steps.
1. What are some ways to stay anonymous online?
No single bulletproof tool exists to help you stay anonymous online. Downloading a privacy-focused browser can help, but when someone else owns your entry or exit nodes, privacy becomes more complicated. For example, many people think that The Onion Router (Tor) is the most anonymous browser to use since it routes internet traffic through multiple volunteer-run servers to mask people’s IP addresses. However, Tor can be compromised on an exit node.
While the Tor browser is known for its ability to anonymize traffic, you want to take a layered approach to privacy which includes finding different technologies that align with your threat profile, including:
- Browsers: Know how they collect and store data
- Email apps: Decide whether you’re ok with the provider scanning your emails to use artificial intelligence (AI) purposes
- Operating system: Understand the malware, ransomware, and encryption capabilities
- Domain Name Server (DNS): Learn about their capabilities blocking or allowing websites and services
2. What are some steps for protecting my Wi-Fi network from public discovery?
Every Wi-Fi network has a service set identifier (SSID), a unique, assigned name. Whether you change this from random numbers to something personalized like “My Iron Throne,” an app like WiGLE can compromise your privacy. For example, WiGLE is an application that takes user-submitted observations to show the different wireless networks in a given geographic location.
Tools like WiGLE only connect a Wi-Fi’s name with a geographic location. However, if you use the same SSID across multiple locations, a unique SSID increases your risk of being tracked. If you have a generic SSID like “home” compared to “My Iron Throne,” your SSID becomes more anonymous because it’s less creative. With all the different people who use “home” as an SSID, you have a name that makes pinpointing you more difficult since an app like WiGLE would have many more with that name.
You may be using a unique SSID for a specific reason, but you should be able to explain your “why.” If your reason is “a unique SSID is more secure,” you want to focus more on having a strong password. If you want to mitigate exposure to being tracked as you travel, then having a generic SSID is likely a better option.
3. How can I reduce risk from metadata stored in photos that I take?
Most cameras – whether they’re on a smartphone or a standalone camera – include metadata in the photo files that include the longitude and latitude of where you took the picture. If you’re taking photos and uploading them to a social media site without removing this information, then someone can find your exact location which can be important if you want to protect your physical security and privacy.
The good news is that you can find apps that strip the metadata from the photos. One of the better apps I’ve found for metadata resistance is Session Messenger, a decentralized way to deliver messages. While Session is really good at stripping metadata to make sure that no one can use it against you to locate you, you should remember that metadata is a part of your data ecosystem. If you have a metadata leak, then someone can find you by tracking it or build a profile against you.
4. Should I use a proprietary or DIY solution for OPSEC?
Choosing between a proprietary solution like Apple or Windows and a DIY approach relies on two things:
- Your threat profile
- Your technical capabilities
Integrate the world’s easiest to use and most comprehensive cybercrime database into your security program in 30 minutes.
For example, if you use Apple devices and install the Proton email application, you’re using proprietary solutions. These are easy to set up, but they can have negative OPSEC consequences. If a government agency asks for the data, the company could – and should by law – provide the information. Proton mail uses end-to-end encryption, meaning that they never have unencrypted access to any of your information. While you can set this up quickly, you still have some risk from unencrypted information in iCloud or other Apple owned storage locations.
If you take a DIY approach, you have control over data because you’re configuring and managing the technology. However, now you have to manage your own email server which is a nightmare of its own. It is extremely complicated since you need to manage reputation, sending emails, and making sure you backup everything. These challenges often mean that the privacy end doesn’t justify the work and time it takes.
5. What are the differences between enterprise and personal emails, like Gmail and Outlook?
When we talk about enterprise and personal email applications, we really need to look at two different types of protections:
- Protecting your information from the email provider, like Gmail using it for AI integrations
- Protecting your information from the enterprise that owns a corporate email account
Protecting from the Email Provider
When you want to protect your information from an email provider, you need to start with the username. Usernames are a great way for someone to connect you to multiple accounts across different websites. For example, tools like Linkook can look up a username and all the different permutations of it to track all your accounts online. These types of tools mean that someone who starts connecting your username to different accounts could trace things back to personal information, like a seemingly anonymous Bluesky account connected with a LinkedIn account that has your name and general location.
Next, someone could hunt through passwords to figure out who you are. In this case, if you use the same password everywhere, which we don’t recommend, they can tie it back to a username and, ultimately, your identity.
You can reinforce good password hygiene by using a password manager, like Bitwarden, Keepass, or 1Password. If you’re evaluating different password managers to see which one fits best with your threat profile, you should be asking:
- Are they using encryption?
- What are they integrated into?
While a complex password is one step, multi-factor authentication (MFA) is better. With MFA, the application sends you a challenge question to make sure you are who you say you are. Some options for MFA can be via:
- Text message (SMS)
- One-time password (OTP), sent as an email or text
- Authentication application, like Google Authenticator or Microsoft Authenticator, that provides a short-term, one use number to validate you
While a lot of debate can happen around best MFA options, an OTP can be a more secure option if you know the email address you’re using hasn’t been compromised. While you can use a text message to receive an OTP, this is less secure since someone can spoof and trick the recipient more easily.
Flare Academy and OPSEC
Want to know more about OPSEC? We covered this topic in our Flare Academy training: “Deep Privacy in the Age of the Panopticon: OPSEC Fundamentals.” Join the Flare Academy Discord Community for access to the training recording and slides.
The Discord community is an educational hub designed to democratize cybersecurity knowledge with free, online training models led by subject matter experts.
You can also check out our upcoming Flare Academy trainings and register for them here.
