I recently had a friendly debate on IRC about how much privacy you really need for it to be considered “enough.” Arguably, the answer is “there is never enough.” And still, there are plenty of people who would be perfectly content having no privacy at all.
Many argue that the key to privacy is actually transparency. If we use open source software, we can all audit it to be sure it is free of backdoors and bugs which may leak information. Perhaps this is why increasingly many users (but unfortunately still less than 2% overall) now prefer Linux to proprietary operating systems. But even among Linux users, there is not much knowledge about how deep the privacy rabbit hole goes.
Before I return to the debate about how much privacy is really sufficient, I’d like to give a quick overview of some of the tools one can use to preserve their privacy. I will discuss four levels of privacy: network, OS, firmware, and hardware.
Tor is by now the best-known anonymity network. Your client builds a circuit through (by default) three relays and wraps each cell of data in one layer of encryption per relay. Each relay can strip only its own layer, and learns only the hop before it and the hop after it: the entry relay sees your IP address but not where the data is going, the exit relay sees the destination but not who you are, and no single relay sees both. Traffic leaving the exit relay is only as protected as the application protocol you run over Tor, so a plain HTTP request is readable by the exit relay (and by anyone watching it), which makes exits a natural place for an adversary to sit.
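To make the "each relay removes one layer" idea concrete, here is a toy onion-routing simulation. It is an added example, not Tor's code or protocol: a SHA-256 counter-mode keystream with an HMAC tag stands in for the AES and key agreement Tor really uses, and the relay names, keys, destination and payload are all made up for the demonstration.

```python
"""Toy onion routing: each relay peels exactly one encryption layer.

Added illustration, not Tor's code. The cipher is a toy (SHA-256 counter
keystream + HMAC tag); relay names, keys, destination and payload are made up.
"""
import hashlib
import hmac
import json
import os

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from (key, nonce) by hashing a counter."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || HMAC tag; only the holder of `key` can open it."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered cell")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def build_onion(circuit, destination: str, payload: bytes) -> bytes:
    """circuit: [(relay_name, key_shared_with_that_relay), ...], entry relay first.

    Each layer names only the next hop: the exit's layer names the real
    destination, the entry's layer names the middle relay, and the client's
    own address appears nowhere. Layers are wrapped exit-first so that the
    entry relay's layer ends up outermost.
    """
    names = [name for name, _ in circuit]
    next_hops = names[1:] + [destination]
    blob = payload
    for (_, key), nxt in reversed(list(zip(circuit, next_hops))):
        layer = json.dumps({"next": nxt, "body": blob.hex()}).encode()
        blob = encrypt(key, layer)
    return blob


def peel(key: bytes, blob: bytes):
    """What one relay does: strip its own layer, read the next hop, forward the rest."""
    layer = json.loads(decrypt(key, blob))
    return layer["next"], bytes.fromhex(layer["body"])


def run_circuit(circuit, destination: str, payload: bytes):
    """Simulate the relays in order; return what each learned and what the exit emits."""
    blob = build_onion(circuit, destination, payload)
    learned = {}
    for name, key in circuit:
        nxt, blob = peel(key, blob)
        learned[name] = nxt
    return learned, blob


def demo():
    circuit = [(n, os.urandom(32)) for n in ("entry", "middle", "exit")]
    destination = "example.com:443"  # made-up destination
    payload = b"GET / HTTP/1.1"       # made-up payload
    learned, delivered = run_circuit(circuit, destination, payload)
    # A relay holding the wrong key cannot open even the outer layer.
    try:
        peel(os.urandom(32), build_onion(circuit, destination, payload))
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    return learned, delivered, wrong_key_rejected


if __name__ == "__main__":
    learned, delivered, rejected = demo()
    for relay, nxt in learned.items():
        print(f"{relay:6} learned next hop = {nxt}")
    print("exit delivered:", delivered, "| wrong key rejected:", rejected)
```

Run it and note what each relay learns: the entry only ever sees "middle", the middle only "exit", and only the exit sees the destination together with the payload. That is also why the exit's view of plaintext matters, as noted above.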
One alternative to Tor is JonDonym, which similarly wraps traffic in several layers of encryption. It is weaker, though: its network is much smaller, and traffic follows fixed cascades of a few operator-run mixes rather than circuits chosen at random from thousands of relays, so there is far less crowd to hide in. In exchange it is usually faster than Tor, which may be acceptable if you are less concerned about anonymity.
Even though Tor has become the de facto standard for Internet privacy, some privacy advocates and security researchers have asserted that it isn't strong enough. The usual examples are the 2013 arrest of Ross Ulbricht, the so-called "Internet drug kingpin" Dread Pirate Roberts, despite his use of Tor, and the more recent controversy over the FBI allegedly paying academic researchers large sums to help identify Tor users. It is worth being precise about what these cases show. Neither involved breaking Tor's encryption: Ulbricht was traced through operational mistakes that linked his real identity to his site, and the academic attack was run from relays the researchers themselves operated, confirming traffic patterns rather than decrypting anything. Tor's threat model explicitly excludes an adversary who can watch both ends of a connection, so these are limits of low-latency onion routing in general, not bugs a patch could fix.
In response to concerns about Tor-like designs, new privacy-centric protocols have been proposed. One particularly notable one is Vuvuzela, which sets out to hide metadata (who is talking to whom, and when) rather than just message content. It does this by fixing what an observer can see: every client sends exactly one fixed-size message every round whether or not it has anything to say, idle clients send dummies to random dead drops, and the servers add dummy messages of their own, so the traffic pattern looks the same no matter who is actually communicating. While many complain that browsing the Internet through Tor is too slow, browsing through Vuvuzela is out of the question: its design accepts end-to-end latencies on the order of a minute in exchange for those guarantees. It is, however, perfectly suitable for sending sensitive email or other not-quite-instant messages.
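The following simulation shows why the cover traffic described above defeats a network observer. It is an added example in the style of Vuvuzela's dead-drop rounds, not the project's code: it keeps a single server, omits the onion layers and server-side noise that the real system adds, and the client names, shared secret and message text are made up.

```python
"""Dead-drop rounds with constant-rate cover traffic, in the style of Vuvuzela.

Added illustration, not Vuvuzela's code: one server, no onion encryption,
no server-side noise. Client names, shared secret and messages are made up.
"""
import hashlib
import os

MSG_BYTES = 32  # every message is padded to this size (assumption for the demo)


def dead_drop(shared_secret: bytes, round_no: int) -> str:
    """Two partners derive the same dead-drop id for a round from their secret."""
    return hashlib.sha256(shared_secret + round_no.to_bytes(8, "big")).hexdigest()[:16]


def pad(msg: bytes) -> bytes:
    if len(msg) > MSG_BYTES:
        raise ValueError("message too long for one round")
    return msg + b"\x00" * (MSG_BYTES - len(msg))


def client_submission(name: str, partners: dict, round_no: int, outgoing: dict) -> dict:
    """Every client sends exactly one fixed-size message per round.

    A client in a conversation sends to the dead drop shared with its partner
    (an empty payload if it has nothing to say). An idle client sends a dummy
    to a random dead drop that, with overwhelming probability, nobody else uses.
    """
    if name in partners:
        drop = dead_drop(partners[name], round_no)
        payload = pad(outgoing.get(name, b""))
    else:
        drop = os.urandom(8).hex()
        payload = pad(b"")
    return {"from": name, "drop": drop, "payload": payload}


def server_round(submissions: list) -> dict:
    """Swap the payloads of the two messages sharing a dead drop; return a lone
    message to its sender unchanged. Either way every sender gets one reply."""
    by_drop = {}
    for s in submissions:
        by_drop.setdefault(s["drop"], []).append(s)
    replies = {}
    for msgs in by_drop.values():
        if len(msgs) == 2:
            a, b = msgs
            replies[a["from"]] = b["payload"]
            replies[b["from"]] = a["payload"]
        else:
            for m in msgs:
                replies[m["from"]] = m["payload"]
    return replies


def observer_view(submissions: list, replies: dict):
    """What a network observer sees: (sender, size) in and out, nothing more."""
    inbound = sorted((s["from"], len(s["payload"])) for s in submissions)
    outbound = sorted((who, len(p)) for who, p in replies.items())
    return inbound, outbound


def run_round(round_no: int, clients, partners: dict, outgoing: dict):
    subs = [client_submission(c, partners, round_no, outgoing) for c in clients]
    replies = server_round(subs)
    return replies, observer_view(subs, replies)


def demo():
    secret = os.urandom(32)                      # alice and bob's shared secret (made up)
    clients = ["alice", "bob", "carol"]
    partners = {"alice": secret, "bob": secret}  # carol is idle all along
    # Round 1: alice talks to bob. Round 2: nobody has anything to say.
    talking = run_round(1, clients, partners, {"alice": b"hi bob"})
    quiet = run_round(2, clients, partners, {})
    return talking, quiet


if __name__ == "__main__":
    (replies, seen_talking), (_, seen_quiet) = demo()
    print("bob received:", replies["bob"].rstrip(b"\x00"))
    print("observer, talking round:", seen_talking)
    print("observer, quiet round:  ", seen_quiet)
    print("indistinguishable:", seen_talking == seen_quiet)
```

The observer's view of the round in which alice speaks is byte-for-byte the same as the view of the round in which nobody does; the price is that every client must send and receive a full-size message every round, which is the bandwidth and latency cost the paragraph above describes.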
Privacy-centric operating systems
The Linux-based operating system Tails became widely known in 2013 as the operating system Edward Snowden used to preserve his privacy while in exile. Tails is entirely open source, ships with a bundle of privacy-oriented software and current cryptographic tools, and forces all network traffic through Tor, blocking anything that tries to bypass it. Perhaps most notably, it runs as a live system from a DVD or USB stick, keeps its working state in RAM, and writes nothing to the host's disk unless you deliberately set up its encrypted persistent volume. Therefore no identifying or compromising files are left behind on the disk, and Tails overwrites memory at shutdown to make cold-boot recovery harder as well.
Though Tails is certainly the most popular, there are other privacy-oriented OSes out there. Some other notable distributions include:
- BlackArch: Based on Arch Linux, this distro is targeted primarily at pentesters and security researchers. Nonetheless, it ships with many of the same cryptographic and privacy-preserving utilities that are included with Tails.
- Parrot Security OS: This rolling-release Debian-based distro is similar to BlackArch in that it is aimed primarily at security researchers but still gives you all the utilities you need to ensure your privacy and security.
- JonDo: JonDo is more like Tails in that its main goal is to protect the user’s privacy. In addition to Tor, it includes clients for the JonDo anonymity network.
- Qubes OS: Qubes is unique in that it provides security by enforcing compartmentalization. Applications run inside separate Xen virtual machines ("qubes") that you assign by trust domain, for example work, personal and untrusted, and networking and USB handling live in VMs of their own, so a compromise of one domain has little chance of reaching the data in another. The project is also notable in that its team is deeply involved in the security research community.
Open source firmware
Recently, the NSA has been accused of infecting computers with persistent spyware that survives even reinstalling the operating system. Such an implant persists by writing itself into the computer's firmware, e.g. the BIOS/UEFI image or the firmware of a peripheral such as a hard-drive controller. Detecting these threats is very difficult, since the infected firmware runs beneath the operating system and can lie to any tool that asks it to report on itself; the only reliable check is to dump the flash chip's contents (with a tool such as flashrom, or an external programmer) and compare them against an image known to be good, which presupposes that you captured such an image before anything went wrong. Mitigation is sometimes impossible: updating firmware is difficult, and many vendors never release updates at all. In response, there have been recent efforts to make computer boot firmware open source.
The most popular free/open-source firmware projects are coreboot and libreboot. The two are intimately related: libreboot is a distribution of coreboot (in the way that Debian is a distribution of Linux) with every proprietary binary blob removed, so that what you flash is entirely auditable. These projects aim to make transparency of the full software stack possible for the average user, but this is still an ongoing endeavor.
As of now, libreboot supports few hardware platforms, and the reason is instructive: on most Intel hardware since roughly 2009 the chipset will not boot without the proprietary Management Engine firmware, so a blob-free image is only possible on older boards, and the supported list is dominated by older ThinkPads and a handful of desktop mainboards. Installation can also be arduous, because vendor firmware often write-protects the flash chip, so the first flash has to be done externally with a clip and a small programmer board; once libreboot is in place, later updates can be flashed from software. Fortunately, support for open-source firmware is growing, so hopefully it will be more accessible in the near future.
Open source hardware
Though it may now be possible to run 100% open source code on your computer, from the firmware up to application software, it is still difficult to gain full control over your hardware. As a result, the Open Source Hardware Association (OSHWA) and the Free Software Foundation (FSF) have initiated efforts to promote open hardware and certify compliant devices. Only with open hardware does complete trust in a computer become possible, because only then is every detail of the design available for inspection. Openness is a precondition for that trust rather than a guarantee of it: an open design lets you audit for privacy holes and backdoors, but it still has to be manufactured by a fab you do not control, and somebody still has to do the audit.
While several embedded devices and hobby platforms (e.g., Arduino) embrace the open-source hardware philosophy, it is still difficult to find a general-purpose computer that is completely open. The FSF's certification program, "Respects Your Freedom" (which certifies that a device runs entirely on free software and firmware, not that its schematics are published), has only certified a handful of devices since its launch. This is somewhat understandable, since only a small niche of users care enough about their privacy to go this far, so there is not much motivation for hardware vendors to make their products open and get them certified. However, one can rejoice in the fact that it is indeed feasible to obtain a completely open-source machine.
How much is too much?
Personally, I believe that everyone should be entitled to privacy online. However, I’m not going to go out of my way to make all of my communications 100% airtight from the prying eyes of determined state actors.
There is certainly a tradeoff between privacy and convenience. Not many people would take the time to find an open-source hardware platform with open-source firmware, then install a locked-down, privacy-aware OS, and route all of their Internet traffic through Vuvuzela. It is certainly possible to go to such an extent, and it will enhance your privacy. But I wouldn’t do it.
I am not a fan of the “nothing to hide, nothing to fear” argument. It is completely fallacious and does not justify surveillance. Nobody should feel guilty for valuing their privacy. Even so, you would have to be really determined to go to such extreme lengths for privacy.
I’m perfectly content using TLS to transmit private data, and using a VPN if I’m connected to a network that isn’t trustworthy. But my hard disk isn’t encrypted, I don’t use Tor, and I don’t use open-source firmware, so I’m certainly not what anyone would call paranoid.
I think that being paranoid usually isn’t worth it. For example, the average hacker isn’t capable of breaking your SSL session. A government can, but (with high probability) they would have to target you specifically. And if you’ve become the specific target of an actor with nation-state scales of resources, then you can never be 100% safe. There will always be some vulnerability that can be exploited.