My data belong to me!

Why data security is important and how to achieve it

Not everyone can protect his data as extensively as Edward Snowden did when he brought documents from the NSA to light. But as the documents show, today everyone is more or less affected by surveillance via the Internet. Where to start if you want to better protect your own data? E-mails and hard drives can be encrypted, data traces on the web minimized.

alt=""Data is the currency of the 21. Century" says Sandra Hoferichter in an interview. In fact, the apps we use are more likely to trade data than we are to trade ourselves." width="620" height="413" /> Hopefully well protected along the way. (icannphotos) License: cc by-sa/2.0/en

Surveillance is not a problem for which there is a technical solution. What degree of surveillance a society allows, what means citizens have to protect themselves, must be politically negotiated and determined. The sovereign determines which financial and legal means are given to the secret services, to which control they are subjected – or not.

The sovereign, that is in democracy all of us. Technical resistance can be at most a part of the answer. This is the part we want to deal with here. As we have learned from the documents given to the media by Edward Snowden, the intelligence agencies are extremely well equipped technically. In addition, they have such far-reaching powers, or presume to have them, that hardly anyone who comes into their sights and is to be spied on directly will succeed in completely hiding their communications from their eyes and ears. The reason for this is that communication takes place between at least two parties and they must have the same level of expertise to protect their communication. As long as communication technologies are not "off the shelf", security is not guaranteed secure and encrypted, this remains a challenge.

However, we can still assume that most people are not targets of direct intelligence surveillance. For them, it’s all about protecting their communications so that as little content as possible ends up in the dragnet of the NSA, the British intelligence agency GCHQ or the German BND. Because all the billions of pieces of data that the services siphon off are either searched for specific signal terms or patterns, and then examined more closely when in doubt. Or they are stored for decades and only analyzed when they turn up in contexts that are of interest to the intelligence services.

This means that any ordinary citizen can now become a target for intelligence agencies to spy on – even if it’s just through contact with certain other people. To understand how to protect yourself, you need to distinguish between two types of data:

One type are the Content of communications, The text of an e-mail, the wording of a telephone call, or the contents of a file on a USB stick, for example. This content can be protected by encrypting emails and data carriers.

The other kind of data are so called Meta data, in other words, data about data: Who you talked to on the phone and when, who sent whom an e-mail and when, who called up which website and when? This data may seem harmless, but it can be just as revealing as the content of the communication. Meta-data always accumulates in digital communication, but it can be disguised to a certain extent, for example by tools for more anonymity.

None of these techniques and technologies can guarantee security. On the contrary: some of them are complex and tempt to make mistakes. All need to be tried, practiced and used regularly. But even if comprehensive security is not possible against highly armed secret services such as the NSA, it is by no means a waste of time to provide more data security. Common precautions offer protection not least from common criminals on the net. They are also always on the lookout for security vulnerabilities and poorly secured communications that they can use, for example, to steal identities. Likewise, if security vulnerabilities are kept secret so that they can be used for surveillance, this has a negative impact on the security of all citizens

Useful links:

  • The Privacy Handbook: Much more detailed than would be possible here, this handbook describes in more than 300 pages what users can do to protect their privacy. It is a collaborative manual maintained by privacy activists and available in different versions on the web. A current version can be found at privacy-handbook.de (PDF).
  • The U.S. civil liberties organization Electronic Frontier Foundation runs the continuously updated guide website Surveillance Self-Defense, with lots of guidance and simple explanations of basic data security concepts. The papers are available in English, Spanish and Arabic.

1. E-mail encryption

Those who send unencrypted e-mails are sending the electronic equivalent of postcards. This has been said and written many times, but many people are surprised when they learn that mails travel practically unprotected through the net. Mails are stored several times on their way from the sender to the recipient, for example at the Internet providers at the sender and recipient, but also further times in between. On the way, the mails can be read by those who have access to the network. The Snowden revelations show that masses of mails are being "trawled" monitored and evaluated. They are automatically scanned for certain keywords to see if they might be of interest to intelligence agencies. If this is the case, they will be looked at more closely. But even if there is no current reason, it can be assumed that mails are simply stored at least by the NSA, so that they can be examined also in the future.

If you want to avoid having your mails scrutinized in this way, you must use end-to-end encryption. This means that the mail is encrypted at one end by the sender and decrypted at the other end by the recipient. This way, the content never travels unencrypted through networks to which others have access.

PGP: Ingenious idea, but not easy to understand at first

GnuPG Logo

A common solution that is suitable for normal users – those who do not have the support of specialists – for this purpose is PGP. The abbreviation stands for "pretty good privacy", so "quite good privacy". The slightly joking name indicates that PGP inventor Phil Zimmermann does not believe that the method can provide complete security, but rather good security. And although Zimmermann developed PGP already in the 1990s, this assessment is still valid today: PGP is still the most secure mail encryption method. There are different ways to use it. Usually you need an extension for an email client – the program you use to read and write emails. If, on the other hand, e-mail is only used via a web browser, there are also extensions, but most experts do not consider them mature yet. The multitude of different abbreviations can be somewhat confusing: "Open PGP" is the name of the underlying encryption standard, which is supported by various programs. This includes the now commercial program PGP as well as the free variant called "GNU Privacy Guard", GnuPG or GPG for short. For simplicity, all these developments are often grouped under the term PGP, as in this article. The method on which PGP is based is called "public-key cryptography" called and in German "asymmetric cryptosystem" translated – easier to understand would be the translation "public key encryption". The idea behind this is ingenious, but at first not easy to understand. In a symmetric method, two people share a common key. The problem is: How can the key be exchanged securely?? It cannot be attached to the message, because then it could be decrypted by an attacker who intercepts the message. You can transmit the key separately from the message, but even then it could be intercepted. Who has it can then decrypt the messages. To be sure, they would have to exchange the key directly, for example by meeting each other.

In asymmetric encryption, on the other hand, each user has a public and a private key. Together they form a key pair. As the name suggests, one part is public and can be passed on carelessly: by mail, via a website, on a USB stick or in a chat. If a message is encrypted with this public key, it can only be decrypted again with the private key. An attacker who intercepts the message can’t decrypt it because he doesn’t know the private key. Also the sender can not decrypt the message at the receiver, because he also knows only the public key, not the private key. Calculating the private key from the public key – which is known to everyone – is so difficult and time-consuming that experts currently consider the system to be secure under certain conditions (long key and secure password).

Select suitable program, create key pair

To use PGP, you need the appropriate software. The programs are manifold and are offered for almost all operating systems, also for smartphones. Since they all work and are set up differently, we refer in the links to instructions. What has to be done in any case: You have to create a key pair. It is extremely important that the private key has a key length of at least 2.048 bit and is protected with a good password. You can set the key length when you generate the key. Put simply, it affects how many possible keys an attacker would have to try through to accidentally get the right one if he were to copy every conceivable key. 1.024-bit keys are now considered insecure; if you want to be on the safe side, choose a 4-bit key right away.096-bit keys. This makes it possible to encrypt large mails, e.g., e-mails.B. with attached files, even on fast computers, however, take a long time.

The public key should be uploaded to a so-called key server. Since it is associated with an e-mail address, others can find it even if they have never been in contact with the owner of the e-mail address. Many programs offer to upload the key directly to such a server.

Useful links

  • Instructions on how to set up email encryption are available on the website "Consumers safe online" compiled for different operating systems and programs. This includes the extension Enigmail and the "GNU Privacy Guard", encryption with Mozilla Thunderbird on Windows, Mac OS as well as Linux& Co. enables. For Mac systems, there are also instructions for the GPG Suite/GPG Tools package for Apple’s mail program. For Windows, you can also set up GnuPG and Claws Mail, GpgOE for Outlook Express or GnuPG/ WinPT for The Bat mail program.
  • Instructions on how to exchange public keys and upload them to a key server can be found in the "GPG Suite" example also at "Consumers safe online.
  • Advice on secure passwords is available from the German Federal Office for Information Security (BSI); if you want to be even more secure, follow the tips from Jurgen Schmidt in the Heise article "Password protection for everyone".

Again and again it is said about e-mail encryption that it is easy to use it. This is not true, because in practice there are many pitfalls, which is why the first steps are often frustrating even for experienced users. As with all complex procedures: practice makes perfect. The best thing to do is to find someone to try out and test the programs with.

Some known problems from practice:

  • You encrypt the mails you send to others, receive encrypted mails from others, but store the mails unencrypted on your own computer. For example, if the laptop is stolen and a stranger can gain access, he can read the mails.
  • You forget your password and have not created a so-called revocation certificate, which can be used to declare the key invalid. Then you can create a new key with a new password, but the old key is still available. Others may send encrypted mails that you can’t decrypt, and you have to ask them to use a new key.
  • the hard disk breaks down and there is no backup copy of the private key. All mails that have been encrypted are unreadable.
  • Encrypted e-mails can no longer be easily searched, depending on the program and the settings chosen, and they usually can’t be viewed via webmail service either.

2. Encrypt hard disks and mobile data media

On an unencrypted data carrier, all data is exposed. With a portable device like an external hard drive or USB memory stick, it’s also immediately obvious why this can be a problem: They can be lost or stolen. The same applies to laptops. But even a desktop computer can fall into the wrong hands, through a break-in or because a disfavored colleague is too curious.

Password protection is not encryption: if computers are protected with an access password, this is good in principle, but does not help if an attacker has the device in his possession. Such a password prevents him from starting and using the system, but if he can remove the hard disk, he can still access the data on it. With a USB stick or other portable data medium this is the case anyway.

Encryption, on the other hand, means that all the data that is to be protected is converted into a form that, for someone who does not know the key, is nothing but data salad, i.e. a meaningless collection of characters. Means: Only if the data are securely encrypted, they are protected from the access of an attacker.

On-board tools practical, but open source programs more recommendable

But how does? Many operating systems offer on-board tools to encrypt files, the user folder or entire hard disks. They have two decisive disadvantages: On the one hand, the Snowden revelations lead to the suspicion that very many companies keep so-called backdoors open for the secret services. This means that the encryption technology may have intentional vulnerabilities that can be exploited by NSA and Co. can be used to get at the data.

On the other hand, there is the problem that, for example, a USB stick encrypted with Apple software cannot be decrypted with a Windows program. For greater compatibility, a program is recommended that firstly can be used on as many operating systems as possible, and secondly whose program code is transparent, so that it is at least possible to check whether security gaps and backdoors exist. In the case of the on-board tools offered by Microsoft and Apple "Bitlocker or. "Device encryption" as well as "File Vault/ File Vault 2" this is not the case. The on-board tools often used on Linux systems, such as LUKS and DM-Crypt, can be publicly checked, but they are also not easily compatible with other operating systems.

General-purpose tool Truecrypt discontinued, alternatives only partially available

Truecrypt logo

Truecrypt Logo

For many years the program Truecrypt was the first choice here, because it fulfilled both requirements and is versatile: To create encrypted folders (called containers), which are used like a drive; but also to encrypt complete data media or the system hard drive. The encrypted parts can also be hidden in such a way that their existence remains undetected. However, the anonymous developers stopped working on the project in May 2014. Since they did not give any really clear information on the reasons for this, there are different assessments as to whether the program should continue to be used.

  • Organizations like the American Committee to Protect Journalists think that at least existing installations of the last full 7.1a can still be used securely. They refer to the fact that security researchers in an independent investigation of the program code have not discovered any serious security vulnerabilities so far. The last full version is still offered for free in various places on the net, for example on the website Security in a box, a project of the NGOs Tactical Tech and Front Line Defenders. A guide for all the different functions has been created by Marco Kratzenberg.
  • Others have now withdrawn their recommendations for Truecrypt, such as the German Federal Office for Information Security; also the developers of the secure operating system "Tails" Have removed the program. One of the core problems is that security updates will no longer be available.

In order to provide security, such encryption programs must of course also be used correctly and their limits should be known. Some familiar problems from the field:

  • A folder that is encrypted but open is unprotected. If you go on a coffee break and leave it open, you undermine your own good intentions.
  • Some programs automatically store versions of files in places that are not encrypted, such as temporary folders. If, for example, the computer crashes, they might stay the same.
  • If the password is lost, the data is gone. All. Forever.
  • If an attacker has the means to spy out the password, he can get to all data. This is possible, for example, with programs that log keystrokes (keyloggers). Of course, if you don’t use encryption at all, attackers can get at data more easily, but it can also create a situation where you’re overconfident.

3. Surf anonymously with browser extensions and Tor

The Tor Logo

The goal logo license: cc by/3.0/en (gate)

If you surf the web, you leave data traces behind. Websites log about the IP address of the computer from which you access them. If one logs into a web service with a real identity, be it Facebook, Google Drive or GMX, that IP address can be assigned to a person; law enforcement can determine who is behind a particular IP address anyway by asking the provider. This is actually designed to help prosecute certain well-defined crimes, but you now have to assume that these links will be made in other cases as well.

Website providers use tracking to try to find out which paths their visitors take on the Internet, so that they can provide them with customized advertising. You know this, for example, when you search for "Weather Mallorca" and later flights and hotels appear in advertising. A classic means of doing this is cookies, which are small files on your hard drive, but the techniques are constantly evolving. Many of these data shadows can still be avoided. The old principle of data economy ultimately also serves data security, because data that is not collected in the first place cannot be misused.

Useful links

  • Browser extensions like HTTPS everywhere, Adblock Edge, Disconnect, Do Not Track Plus or Noscript can already reduce data traces. Of course, a website operator registers when his website is called up, but you can prevent dozens of third parties from looking over your shoulder when you call up your website, such as advertising networks. A simple guide to common browser extensions for Firefox has been created by journalist Boris Kartheuser.
  • Anyone who uses Tor to access a web service like Facebook or Gmail that requires a login naturally undermines anonymization.
  • Other programs running on the machine will only use Tor if they are specifically set up to do so. For example, if you surf via Tor, but use a chat or mail program on the side that does not use Tor, you are not anonymous in the process.
  • Programs in the browser like Flash or Java should be deactivated. Likewise, quite a few browser extensions can pass on information that makes identification possible.
  • Tor does not replace encrypted connections such as "HTTPS". Once the traffic leaves the Tor network, it is again unencrypted and can be intercepted there if no other precautions are taken.
  • Simply installing and activating Tor does not increase security. To actually gain anonymity, most will have to change some typical behaviors on the computer and deal with setting up their entire system. Used carelessly, you may even increase the security risk. Intelligence agencies such as the NSA are reportedly interested not only in the operators of the Tor network, but in anyone who downloads the program, for example by trying to log their downloads.
  • It is advisable to use the Tor Browser. This package includes all the programs that are needed, including a Firefox browser in which common problematic settings are already corrected. This package can also be started from a USB stick, so that it can also be used in Internet cafes or at work.
  • A general German-language installation guide is available from the portal "Verbraucher sicher online, maybe it is additionally necessary to consult more up-to-date instructions for one’s own operating system. The Tor software is available for Windows, Mac OS, Linux& Co. As well as Android offered, but not for Apple’s mobile devices.

As already mentioned at the beginning: Data security is a process that needs to be learned and practiced. It can be tedious. But on the one hand, there have never been more urgent reasons to start with. On the other hand, thanks to Edward Snowden, a dynamic has emerged which could ensure that many tools become better or are developed in the first place. Staying idle now out of a – well-founded – feeling of helplessness about not being able to provide your own perfect protection would be the biggest favor you could do to the surveillance state.

This text is available under a Creative Commons License "CC BY 3.0 DE – Attribution 3.0 Germany" published. Author: David Pachali Matthias Spielkamp for bpb.de

You may use the text under mention of the license CC BY 3.0 DE and the author(s) share.
Copyright information on images / graphics / videos can be found directly with the images.

Like this post? Please share to your friends:
Leave a Reply

;-) :| :x :twisted: :smile: :shock: :sad: :roll: :razz: :oops: :o :mrgreen: :lol: :idea: :grin: :evil: :cry: :cool: :arrow: :???: :?: :!: