The Transparency Project

Note: If the length of this post seems intimidating, skip the regular text and go straight to what’s bolded.

This guide is designed to help you minimize your profile on the Internet. Buckle up, it will be a long journey. You may not think that this is something you need to do. “I’ve got nothing to hide,” you might say. This may be true. However, I have several questions for you:

What could you have to hide, and who decides what that is?

Who would you be hiding from if you did, and what would happen if they found out?

If you suddenly had something to hide, how well would you be able to do that?

Do you think that the only information that can be used against you is that which implicates you in criminal wrongdoing?

These are rhetorical questions, of course, meant to make you think, not to be answered. In lieu of an answer, let me tell you about an Internet phenomenon called “doxxing.” Doxxing is where all of the information that can be found about a person is collected in a single place and made publicly accessible. This includes real names, photographs, your home address, places of work, phone numbers, et cetera. It is the publishing of all of a person’s “docs,” or documents.

It is almost always done with malicious intent, usually by people who want to encourage real world retaliation against a person for perceived wrongdoing on the Internet. Doxxing is entirely legal as long as the published docs contain only information that is publicly available on the Internet. Have you ever gotten in a fight with someone on the Internet? Imagine if they responded by dumping all of your personal information on their blog and encouraged others to send nasty emails to your boss or school, keep your phone ringing 24/7, and mail you threatening letters and packages. We think that we can walk away from cyberbullying, but if you are doxxed, you cannot simply turn off the computer and walk away. There is no escape, and no way to unpublish the information. What about stalkers? One person creepy and dedicated enough could uncover everything about you if you leave it in the open.

So there is one compelling reason why you should try to preserve your privacy, even if you do not mistrust the government, or even do not care about having your information sold to advertisers. Here is another: When you tie your online identity to your real name, everything you do is preserved forever. In real life, if you say or do something stupid, people will forget it. Anyone new you meet won’t know about it. On the Internet, it will likely be archived forever, freely accessible by anyone, and haunt you for the rest of your life. This is the reality of the new digital era. The only thing you can do to protect yourself from your own mistakes is to make sure that, when you leave them behind, there is no way for them to be traced back to you. If there is anything you do on the Internet that you would be embarrassed to show everyone you have ever known, you should be sure that your privacy is protected. The term “Internet detective” exists for a reason. This is especially important as employers begin to demand more and more access to your online presence, even extorting passwords for social media accounts. The best way to stop them from doing so is to simply not have them.

Now that you hopefully understand the importance of privacy, let’s begin deconstructing your digital presence. By the end of this process, your profile on the Internet should be minimal enough that you cannot be harassed, stalked, traced, doxxed, or researched. Please be advised that this will involve giving up comfort for security. This is a conscious choice made and continued by you alone, to sacrifice convenience in the name of privacy. There are many things you may take for granted that compromise your Internet security, like autofill passwords, or Facebook logins on websites. Cutting these things out is not easy, but it is worth it.

With this in mind, follow as many of these steps as you feel comfortable doing. Any at all will ensure you are safer than you were before. Even if you are not entirely rigorous in their execution, they will help.

1. Shut down your Facebook. This cannot be emphasized enough. Facebook’s owner, Mark Zuckerburg, believes that privacy is a thing of the past. Facebook makes its profit by monetizing your information. Your Facebook profile is a collection of anything anyone could ever want to know about you all in one place, and when you use Facebook to log in to another website, you tie that website back to that collection, and create a thread for someone to follow that will lead to that treasure trove of personal information. Shut down your Facebook. You do not need it. There are safer alternatives. When it is gone, you will wonder why you ever used it in the first place.

Shutting down your Facebook will not be easy because, again, Facebook makes money by selling you. If you try to delete yourself from their website, they will lose money. This website provides detailed information on how to delete your Facebook profile, but as it suggests, it is possible the information you put on there will never truly disappear. While Facebook claims it does not, the technology is there to record even the information you do not publish, and Facebook says it is within the terms of service. Also, Facebook’s app listens to everything you say. In truth, you should never have made a Facebook to begin with, but this way you are minimizing the damage done.

You’ve done that, or never had one to begin with? Good. Make sure you scrub any personally identifying information off Twitter, Tumblr, et al. as well. Next step.

2. Uninstall Skype. This will likely be a hard one, but chin up. If you’re like most people, you’ve complained at how steadily shittier Skype has gotten for a while now. What you probably didn’t know is that it’s entirely possible that it’s reading your IMs. And it’s entirely possible that others can too. Skype is considered unsecure by privacy advocates. It’s simply exploitable. You should not trust Microsoft to handle your data. It’s time to give Skype the axe. If you have ooVoo, drop it too.

Don’t worry, there are plenty of IM clients on the web. We’ll get to those in a moment, but first, while Skype offers no simple way to delete your account, here is some information on how to go about removing your personal information from it. If you want to straight-up delete your account, you will need to contact Skype staff.

For an alternative to Skype, I recommend RetroShare. It can do everything Skype can do except video chat, and it can do a lot more. The major downside to the software is that few people use it, and you will likely have a hard time convincing others to adopt it… but the only way to change that is to start using it. If that’s not your thing, just pick up Pidgin. You can connect it to IRC, AIM, Google Talk, and more. In particular, you will want the Off-The-Record plugin. This will allow you to hold secure, encrypted chats with other users. Also, there’s plenty of VoIP clients like TeamSpeak or Mumble or Ventrilo that don’t intrude on you.

Increasing your privacy doesn’t have to mean leaving friends behind, but it can. If people do not care enough about you to follow you out, you probably did not really lose anything of value. You can still communicate with those who don’t bother reducing their e-footprint through email and instant messaging.

3. Adopt a pseudonym (or several). This may sound weird, but it is what Internet users have been doing for decades. “XxXWeedGoku69XxX” is, itself, a pseudonym. All usernames are pseudonyms, because they are names that are used to refer to you that are not your real names. You cannot exist on the Internet completely anonymously, for better or for worse. You are going to have to go by something.

You probably already have a username, so if it’s not already tied to your real name in any way, keep using it. Additionally, start using different usernames on different websites. That way, nobody can look up your username on a search engine after seeing you on one website and find you on another. Additionally, I recommend you adopt a different name for online use, so if your real name is “Joe Smith,” if anybody or any website wants to know online, you tell them it’s “Jack Baker,” or perhaps something more unique. This is for more professional use, not professional enough that you have to use your real name, but enough that you would want to put your real name on it if you were less privacy savvy. It’s the same as a pen name, or “nom de plume.” Websites don’t need to know your real name. They only ask so they can “personalize” for you, ha ha ha.

4. Get a private email account. Yahoo! Mail? Gmail? Hotmail? Not anymore. Phase those accounts out of use and close them as soon as you can. It’s time to get an email address at Autistici. It’s free, by request. Just tell them you want an email address to protect your privacy and they will give you one. While you’re at it, donate. They are an incredibly worthy cause. Once you have an email address, register a MailNull account. While you’re at it, donate. He provides an extremely valuable service.

With your new MailNull account, you can create an unlimited number of throwaway email addresses, which all redirect to your Autistici account. Whenever an email address becomes burdensome, simply cancel it and you will never receive anything from it ever again. Some websites don’t accept MailNull (jerks), which is fine, because Autistici also allows you to create alternate identities that forward to your main account. I have yet to encounter a website that blocks Autistici. It’s not perfectly untraceable, since all your MailNull accounts begin with a common identity, but it’s a significant improvement. Make sure that you set your email addresses as hidden from the public wherever possible. You can communicate with people via your Autistici address or one of your alternate identities.

If you have a different private email account, that’s fine too. Even the fine folks at Autistici emphasize that you should not trust them — just because someone says that they’re concerned with protecting your privacy doesn’t mean they are. Only trust yourself with your personal information. So just because I recommend Autistici+MailNull doesn’t mean you have to use them, as long as you’re using something along the same lines.

5. Make multiple memorable passwords. If one of your accounts is compromised, it’s incredibly important to have several passwords used across all of them, otherwise none of your accounts are safe. And websites do not protect your password equally. If you use the same login on NeoGAF as you do on the Common App or your bank’s website, anyone who compromises the former can impersonate you on the latter. Surely you’ve seen forums get hacked. For this reason I recommend that you come up with several “tiers” of passwords, at least three — one that you use for top-level stuff like your bank account and your computer and so on, things that could ruin your life if someone got access to them. They should be long, at least 8 to 10 characters, and have capital letters, numbers, and symbols (like * or &) mixed in. You should also have a mid-level password you use for things that are important to you but not actually that important, like, I don’t know, Tumblr, or your Dropbox account. Finally, come up with a low-level password that you use when you’re making what is essentially a throwaway account, or a new account on a service, or anywhere you don’t trust. Places you might not come back to that often. Making an account on that MMO? That’s low-level. (At least until you put your credit card info on there.)

Here’s a simple and easy way to come up with memorable passwords:

Think of a word or phrase, like “settle the score.”

Replace part of it with a symbol, and some more with numbers, and capitalize at least one letter.

Hey presto, now you have: 53TtL3Th3#

Now repeat it twice: 53TtL3Th3#53TtL3Th3#

HSIMP tells us that this new password would take “425 quintillion years” to brute force with a desktop PC. The only way anyone could ever get this password would be if they compromised the software storing it. Nothing you can do about that. It would be a good top-level password.

You can make it even safer by repeating it more than two times. You can even make your tiers out of the same base by repeating it two-three-four times for each tier. The only way this would be dangerous to you is if a human being got ahold of one or two and recognized the pattern. Computers aren’t that smart.

Don’t ever use this password, obviously. It’s been posted in a public place. But hopefully it gives you some ideas for your own.

Ideally, you would have a separate password for everything that is in any way tied to your real life identity. Remember, multiple accounts with the same password are dominoes waiting to happen. And you shouldn’t write down your password, anywhere, unless you are sure you won’t be able to remember it (though in that case you might want to make a new password). Typing in these new passwords may seem awkward and clunky at first, but the more you do it, the more natural it will seem, and eventually it will just be muscle memory. I memorized a 22 character hexadecimal string for one password years ago, and my fingers still remember it even when I can’t say it out loud.

6. Switch to Firefox. I know, it’s missing some stuff that Chrome’s got, it’s not perfect. But Chrome is developed by one of the largest tech corporations in the world (I think you know of whom I speak), and Mozilla (the group behind Firefox and Thunderbird) is entirely non-profit and most of its code is done by volunteers. Google makes more of an effort towards protecting the open web than most big corporations, but they don’t care nearly as much as Mozilla. Mozilla was specifically founded on an open source open web. Google has done some skeezy stuff of late. And frankly, the Windows Firefox browser isn’t that bad. Sometimes it doesn’t display pages right, but for average day-to-day browsing, you’ll do fine by it. Anyway, you’ll need it for these addons.

7. Download some simple privacy and security addons: AdBlock Plus + EasyList, TrackMeNot, KeyScrambler. Ghostery is also an option, but I found it to break things more often than AdBlock and generally not be as high quality. It’s made mostly redundant by ABP anyway.

You may already have AdBlock Plus. If you don’t, get it. It’s very simple to get, and free. Once you have it, download the EasyList and EasyPrivacy subscriptions for it. Then get Fanboy Annoyances List. These lists should be enough to make browsing the web a breeze, and you’ll be safe from another danger: viruses installed onto your computer by malicious ads. They can slip through anywhere, and infect thousands of people before they’re removed. Only allow advertisements on websites you trust and want to support. Even then, you’re better off just donating.

Also get TrackMeNot. All it does is occasionally send random Markov gibberish to search engines, Horse_eBooks style. This helps stop them from collecting your searches and selling them, because nobody wants to buy garbage, and they especially don’t want to have to pick through it for the good stuff. Especially if you don’t want to follow the next step, get TrackMeNot.

KeyScrambler is a program that encrypts your keystrokes as you type, preventing keyloggers from recording them. If you don’t have this, and you get infected, then everything you type can be recorded. Account names and passwords, private messages, etc. Keyloggers aren’t illegal unless they’re used illegally, so anyone can download one of these babies and stick it on your computer. When I was in high school a kid put a keylogger on the teacher’s computer from his USB under the guise of printing something, and stole her gradebook login. (I actually happened across it accidentally, but assumed that it was something the district placed on there intentionally to monitor us. Big Brother is its own downfall.) That could happen to you. KeyScrambler prevents it, and it lets you know when it’s working, though unobtrusively.

8. Switch to DuckDuckGo. Remember what I said about trusting people just because they say they care? Companies don’t care. Google doesn’t care. People who work at Google might care. Google does not. Google has been in all sorts of trouble about privacy violations, some of which they didn’t even intentionally do. Google records stuff. Google monitors things. Google wants to centralize your web presence, and that is a very bad thing. If there’s one thing I’d hope you’ve gleaned from this guide by now, it’s that decentralization is key to lowering your web profile and protecting yourself from attacks. You do not want one account across all Google services, because that means that anyone who wants in only has to compromise one account. But Google simply doesn’t care about your security. Google is trying to appeal to you with comfort, so you’ll use their services, so that they can make their money the way they always do — advertising to you.

Yeah, I know, whatever. Just switch to DuckDuckGo, alright? You can keep using YouTube or Drive or whatever you like, but it’s better to have one less thing on your Google account to compromise. Also make it your default Firefox search engine to help you use it. They even have an image search now. You can always go back to Google if DDG can’t help you find something — but only for that one thing.

9. Get Thunderbird and Enigmail. Here’s Thunderbird. Here’s Enigmail. Here’s how to connect your Autistici email address to Thunderbird. Simple. Autistici recommends you never log in to their website if you can help it, and set Thunderbird to delete emails off their servers once it downloads them.

10. Proxy up. Not gonna lie to you — proxies might slow down your browsing speed, and if you don’t pay for them, you may have to replace them occasionally. But they are basically the safest way to browse the web. There’s two ways you can go about it: Get FoxyProxy and head to HideMyAss’s free proxy list. They offer a paid VPN which you could use also. Or, download Tor, though expect to get proxy IPs that are blocked from many places. Free anonymity can make people do terrible things.

Most Internet companies that charge you money for a service are trustworthy, because the only thing they need to keep operating at a profit is for you to pay them for their service, and to get more customers. Companies that survive off ad profits make their living off selling you to advertisers. That’s why they can’t be trusted. Here’s how the typical advertisement model works:

At the top are the advertising agencies, like Google and Project Wonderful. They create advertising packages which they sell to people or companies that want to advertise. That is how they make their money — up front. It’s very profitable. It covers a certain number of pageviews or clickthroughs, or perhaps a certain time period, for a single ad up to a group of ads. The more ads you buy the more people you reach.

In the middle are websites, sometimes run by people like you and me, who voluntarily take code from advertising agencies and put it on our website. This code then displays the advertisements created by the companies or people that paid for the advertising packages. Usually, the people who run the websites are paid by the advertising agencies each time an advertisement is clicked on, or else every time a certain number of pageviews is reached (like 1000). It is not very profitable. You have to have a lot of traffic to make enough money to even support your website this way. But besides donations, it’s the only way some websites that offer content for free can stay afloat. They’re not just trying to get your pity when they say that. They really have no other source of income.

And finally, at the tail end, are the companies or people who bought the advertising packages. They make their money when you click their advertisements, go to their websites, and pay for their products. Of course, sometimes people advertise free content too (in which case they have their own ads on their website, or a store to buy merchandise at, probably). But the key point is that they only make money if the advertisements they pay for reach people who are interested in what they’re advertising.

Why is this a problem? Because it puts pressure on advertisers to ensure that ads reach those target demographics, so that those who pay for ads are satisfied with their purchase, and feel it was worth the money. How do they do this? By profiling you. By collecting information on you. By creating an image of you, trying to guess what interests you, what you’re likely to spend money on, and then sending you the relevant advertisements so that the agencies’ customers will get their money’s worth.

That’s why Google and Facebook and Microsoft collect your information. That’s why Gmail reads your emails. That’s why Google tracks your search history. That’s why Facebook records everything you say or do. That’s why Skype reads your conversations. Advertising agencies want to know about you so they can sell you to their customers, if those customers are looking to advertise to people like you. Websites will collect information on you to sell to advertisers, because they will pay top dollar for you. In the advertising industry, you are a commodity. Their money is made by the invasion of your privacy and sharing of your information. The government also wants to know about this stuff so that they can determine if you’re a threat, or a criminal, or likely to become one, and so on. Individual people might want it if they have an interest in you. You know all this by now. All of this is dangerous, to you, and you can’t let it go on.

Tumblr likes movies and shit, right? Remember Captain America: The Winter Soldier? “Don’t trust anyone.” Remember Project Insight? There are no superheroes in real life to protect you from something like that. Protect yourself.

Gates talked about his foundation’s work improving and distributing vaccines across the world. But he says making advances in education is the foundation’s hardest challenge.

"You name it, we have been passed by," Gates said of the country’s math and science programs.

New technology to engage students holds some promise, but Gates says it tends to only benefit those who are motivated.

President Barack Obama has officially announced his plan to reform the National Security Agency’s collection of phone records. Under his new proposal, the agency would no longer keep a database holding a large percentage of all American call records. Instead, phone companies like AT&T and Verizon would keep them for the same length of time they do now, and the government would submit requests for individual numbers after getting approval from the Foreign Intelligence Surveillance Court. Phone companies, for their part, would have to provide “technical assistance” in order to make sure that the government could easily search for and collect information, which could include the numbers that had been in communication with a particular subscriber, the duration of calls, and similar information from within two degrees of separation (or “hops”) from a target.

THE CURRENT PROGRAM WILL CONTINUE FOR AT LEAST 90 DAYS

Today, a report from the Homeland Security and Governmental Affairs Minority Committee offered an overview of the fed’s current state of cybersecurity. And how is the government with which we entrust our most sensitive and private information looking? In short—bad. Very, very bad. It’s no secret that the federal government isn’t exactly what you might call competent when it comes to, well, anything having to do with technology. But according to the new report, the full extent to which we really have no idea what the hell we’re doing is more than a little concerning.

According to The Washington Post:

The report draws on previous work by agency inspectors general and the Government Accountability Office to paint a broader picture of chronic dysfunction, citing repeated failures by federal officials to perform the unglamorous work of information security. That includes installing security patches, updating anti-virus software, communicating on secure networks and requiring strong passwords. A common password on federal systems, the report found, is “password.”

So just how bad is it? We’ve picked out some of the more troubling revelations here, but you can read the report in its entirety down below. Brace yourself—it ain’t pretty.

1. Shitty passwords

Over at the Department of Homeland Security, FEMA’s Enterprise Data Warehouse boasts “accounts protected by ‘default’ passwords, and improperly configured password controls.”

The IRS isn’t doing much better, either:

In March 2013, GAO [Government Accountability Office] reported that IRS allowed its employees to use passwords that “could be easily guessed.” Examples of easily-guessed passwords are a person’s username or real name, the word “password,” the agency’s name, or simple keyboard patterns (e.g., “qwerty”), according to the National Institute of Standards and Technology.

2. Physically writing down those passwords on furniture

Particularly painful is the Department of Homeland Security’s mishandling—to put it lightly—of sensitive information:

Independent auditors physically inspected offices and found passwords written down on desks, sensitive information left exposed, unlocked laptops, even credit card information. To take just one example, weaknesses found in the office of the Chief Information Officer for ICE included 10 passwords written down, 15 FOUO (For Official Use Only) documents left out, three keys, six unlocked laptops — even two credit cards left out.

3. Out-of-date antivirus software

Twelve of the 14 computers that controlled physical access to the Department of Homeland Security had “anti-virus definitions most recently updated in August 2011.”

4. Government employees “going rogue” to avoid inept IT guys

Apparently, the Nuclear Regulatory Commission’s IT department has such a “perceived ineptitude” that “NRC offices have effectively gone rogue – by buying and deploying their own computers and networks without the knowledge or involvement of the department’s so-called IT experts.” And these independents systems can, of course, make the problem even worse when officials don’t actually know what the system is running on, leading to…

5. Inability to keep track of computers

Since employees are avoiding the IT department by running their own hardware, the Nuclear Regulatory Commission can’t track of which laptops are accessing sensitive information.

6. Failure to encrypt sensitive data

Surely all that financial data of yours running through IRS computers is in safe hands, right? Apparently not! According to the report, the IRS either routinely fails to encrypt its data or just does such a horrible job of it that it can be easily decoded. Which, as we unfortunately know, hackers have no problem doing.

7. Refusing to install crucial software updates and patches

In March 2012, the IRS found that it had around 7,300 “potential vulnerabilities on its computers.” In 2011, about a third of all computers at the IRS were carrying software with unpatched, critical vulnerabilities. The IRS said it would have all the patches installed in 72 hours—it actually took about 55 days.

Just as recently as last September, the IRS still had yet to implement “a process to ensure timely and secure installation of software patches,” according to the Treasury Inspector General for Tax Administration.

8. Minimal, if any, server protection

If you’re looking to access the Department of Education’s computer system—which “holds and manages $948 billion in student loans made to more than 30 million borrowers”—you won’t find too much standing in your way. In 2011, 2012, and 2013, auditors were able to connect a “rogue” computer to the Education Department’s network without being detected, no hacking necessary. What’s more, in 2013, the same test gave auditors access to sensitive data “stored in the department’s networked printers.”

So yeah, it’s pretty grim out there, made all the worse by recent revelations of just how much of your information the government has on hand. Check below to read the full, sobering account:

#EditorialCartoon #Obamacare by Adam Zyglis

We’re fixing the website and cancellations. Now, please give 30 million uninsured a chance at health care. pic.twitter.com/6PMrbCECsn