Security and Privacy are frequently confused. They are not similar, although they do overlap.
In very simple terms, a system is secure if a hacker who targets the system cannot gain control of it. But a secure system doesn’t necessarily respect your privacy. If you buy a mainstream mobile phone, correctly use all the security features and follow good security practices, then it will likely be secure. But there will still be organisations (unnamed in this blog) who harvest your data and use it to build a profile about you (for example, to target ads at you). Some mainstream phone manufacturers push you to store your data (photos, messages, etc.) in a cloud which is controlled by the company rather than on your own local device. While this can offer advantages (e.g. restoring your old settings when you get a new phone), I object to the PRIVACY (not security) risks associated with it.
Most of the software running on mainstream commercial devices is closed source. Windows, macOS, iPhone and much of the commercial versions of Android are proprietary, or closed source. This means the code cannot be seen. If the code cannot be seen, it cannot be audited. No one can know with certainty what this code actually does.
Open source code, often called “FOSS” or “Free as in Freedom”, is visible for anyone to read. Thus, those with coding knowledge can review the code. It makes it impossible for anyone to make false claims about what code does or doesn’t do, since others could review the code to confirm. The privacy benefit of this is obvious: broadly speaking, any app or software can claim to not harvest my data, but I only trust this claim if the code is “open source”. But many argue that there are also security benefits: being able to review the code makes it easier to find security vulnerabilities, which may sound like a catch-22, but ultimately means these vulnerabilities are closed more quickly.
Now remember, I am not an expert. I personally cannot review the code. I value open source code because I take comfort in knowing that others can review the code.
The next feature of trustworthy software is local control only. Software cannot spy on me if it doesn’t have an internet connection (even if it learns stuff about me, who would it tell?). Now go to an app store of your choice, look for a flashlight app and see how many of them request network access. Weird, hey? Clearly they are doing something more than turning your camera’s light on and off, i.e. they spy on you.
Still, some software needs internet. In fact, some software needs to store stuff in the cloud! It might be backup software whose job is to store a backup of your files in the cloud, for example. That’s okay if it’s encrypted, right? Well… not necessarily. Encryption protects your files from being read by anyone who doesn’t hold the encryption keys. So you always need to ask (or think about) who holds the encryption keys. If it is you, and only you, then great. But if you read a simple claim from an online storage company that says “we store your files encrypted”, it may sound nice, but if that online company is also the one who holds the encryption keys then they can read your files. This encryption might protect your files from someone who tries to hack your cloud provider, but it does not give you privacy from the cloud provider itself. Once you know this it is easy to fix: you can simply encrypt the files yourself on your own local machine before you even give them to any cloud provider, and the best ways to do this will be the topic of another post.
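To make the “who holds the keys” point concrete, here is an added example (not from the original post) of encrypting a file locally so the provider only ever stores ciphertext. It assumes Python with the third-party `cryptography` package; the function names, sample passphrase and file name are made up for illustration.

```python
import hashlib
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

SALT_LEN, NONCE_LEN = 16, 12  # bytes; stored in the clear next to the ciphertext


def derive_key(passphrase: str, salt: bytes) -> bytes:
    # The key is derived on the local machine from a passphrase only you know.
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1,
                          maxmem=64 * 2**20, dklen=32)


def encrypt_for_upload(plaintext: bytes, passphrase: str, name: str) -> bytes:
    # Fresh salt and nonce per file; the file name is bound in as associated
    # data so a blob cannot be silently swapped for another file's blob.
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    sealed = AESGCM(derive_key(passphrase, salt)).encrypt(nonce, plaintext, name.encode())
    return salt + nonce + sealed  # this blob is all the provider ever receives


def decrypt_after_download(blob: bytes, passphrase: str, name: str) -> bytes:
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    sealed = blob[SALT_LEN + NONCE_LEN:]
    # Raises InvalidTag if the passphrase is wrong or the blob was modified.
    return AESGCM(derive_key(passphrase, salt)).decrypt(nonce, sealed, name.encode())


def can_decrypt(blob: bytes, passphrase: str, name: str) -> bool:
    # What anyone without your passphrase (the provider included) runs into.
    try:
        decrypt_after_download(blob, passphrase, name)
        return True
    except InvalidTag:
        return False


if __name__ == "__main__":
    secret = "correct horse battery staple"        # constructed sample passphrase
    blob = encrypt_for_upload(b"holiday photo bytes", secret, "photo.jpg")
    print("provider stores", len(blob), "opaque bytes")
    print("owner can read:", can_decrypt(blob, secret, "photo.jpg"))
    print("provider guessing can read:", can_decrypt(blob, "password123", "photo.jpg"))
```

If the passphrase is lost, the files are lost too: nobody else holds a copy of the key, which is exactly the property that gives you privacy from the provider.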
So in summary, I chose to trust software which is:
- Open source and claims to respect my privacy; or
- Doesn’t have an internet connection; or
And I do not trust software which:
- Is closed source (because it is impossible to verify any claims they make anyway)
- Puts data into the cloud without me encrypting it first, and without me being the only one who holds the keys