tim: Tim with short hair, smiling, wearing a black jacket over a white T-shirt (Default)
This article about applying harm reduction to your secure use of the Internet has been going around. I can't share it in good conscience without adding a few things to it. I work for Google, but the following is my personal opinion.

If you're concerned about your data being collected (and I understand that you may be concerned about Google retaining your data not because you think Google will use it inappropriately, but because you fear that the federal government will require them to surrender it), use Chrome without being logged in. People disagree on how safe Tor really is, but my odds are on "not." If you don't have the level of technical expertise necessary to read the source code for yourself, you probably shouldn't be risking your life on it. It doesn't guarantee full anonymity. The reasons why are fairly complicated, which is a good sign you might want to avoid being lulled into a false sense of security.

For email, I wouldn't really recommend riseup. The author alludes to this, but: any widely used anarchist/radical site has been compromised already. Having a low volume of data makes you an easier target.

A friend I trust has confirmed that Signal is trustworthy. I agree with this article that regular SMS is not secure.

Passwords: use a password manager, turn on 2-factor wherever you can. Pretty much what they say.

Google: Don't log in when searching if you're worried (use multiple browser windows). As an insider, I can say Google takes user trust and privacy extremely seriously. I can't share everything that backs up that belief, but I will vouch for them.

It was pointed out to me that: "Turning off geolocation on a cell phone doesn't do much; the government can and will subpoena cell phone tower records which provide enough geolocation information."

If you would like to see how Google works with government requests for data, watch this official video on how Google responds to search warrants.

I don't trust Duck Duck Go any further than I can throw them, honestly. I would say the same thing about any other small service. They may be trying to do the right thing, but there are lots and lots of ways to retain more data than you intend to, and it takes a huge amount of human resources to not do that.

tl;dr: Only big companies have the resources to actually protect your privacy. Whether they want to do that is a different story. I'm confident that Google does want to do that, because without user trust, Google has no business.

Pretty much nothing is resistant to the government coercing you or your friend with the email server or Google into giving up data, because coercion is how the government works.

Use non-discoverable media when possible. Talk in person.

Whatever you're doing, think about what security people call your "threat model": what are you trying to defend against? What concrete risks do you face if your data gets into the wrong hands? What are the benefits of using a communication mechanism that's subject to surveillance? An example of threat modeling is your bicycle lock: if you have a nice bike and you ride in a major city, you might want to carry a heavy-duty Kryptonite U-lock at all times, plus extra locks for the wheels. That's because you can infer, based on information that you have, that your bike is attractive to thieves, there are many thieves, and they will try hard to steal your bike. If you have a rusty bike and live in a small town, you might be OK with a cable lock because the benefit of not having several pounds of metal to carry around outweighs the risk of theft, and a good U-lock costs more than your bike did. You can think about analogous trade-offs as they apply to your use of networked communication technologies.

This is one post where it's perfectly fine to well-actually me if you have security or systems expertise.
tim: Tim with short hair, smiling, wearing a black jacket over a white T-shirt (Default)
The scene: Midway Airport, about 1:20 PM on Independence Day 2009.

I walk up to the TSA worker in the "Expert Traveler" line and show my driver's license and boarding pass. She shines the little purple light on it that presumably lights up with the letters "tErRoRiSt" at appropriate times. She hesitates.

She calls one of her colleagues over and they turn away from me, holding my ID and boarding pass and whispering.

I know what it's about. It's never happened to me before, but for a year and a half, my license has said "Chevalier, Timothy Jan" underneath the picture and "F" underneath where it says "sex". It was just a matter of time. I hear one of them whispering to the other "it's one of the things they tell us to look for..." and the other says "...but we're not allowed to ask them..."

She asks me to step over to the desk on the side. A third guy comes up and asks me whether I prefer "Mr." or "Mrs." Choosing for now not to point out the incompleteness of his list, I said "Mr." He looks almost as if he's expecting me to explain, but I don't think I need to explain anything. "But it says here..." I may have cocked an eyebrow at this point. "Is it an error?" "No." [pause] "It's my legal sex." (In retrospect, I shouldn't even have volunteered that.)

"Do you have a previous name you used?" he asks me. I was on the verge of answering, and then the voice in my head said, "Fuck, you don't have to answer that question." I asked "Are you allowed to ask that question?" He said they had to verify my ID. I asked if there was a supervisor I could talk to. He said he was the supervisor -- wrong answer.

After asking me how I say my middle name, he asked me to sit on the window ledge while they waited for a fourth person to come. He asked me if I had another ID. I gave him my Portland State ID.

Fourth person came. "Is it an error?" "It's not an error." "Well, because it says 'F' but you said you prefer 'Mister'..." (Well, what? I think.) I didn't say anything. She and the "supervisor" looked at each other. She said "I think it's okay" and shrugged. She walked away.

The "supervisor" gave me back my IDs. He asked me whether I'd ever had a problem before. I said "no", truthfully. He said "well, you should have that error corrected." (I'd said it wasn't an error, twice.) I said that legally, it was impossible for me to change it. I'm not sure what he thought. He let me go through security.

I was lying when I said it was impossible -- in Oregon, your driver's license can have whatever gender marker you like (as long as it's "M" or "F") as long as you get a letter from a DMV-approved therapist affirming that your gender is really what you think it is.

Read that again: "DMV-approved therapist".

I don't want to give my tacit approval to a system that says it's the state (and its approved therapists), not me, that knows what sex my brain expects my body to be. If I don't change my mind about that, I'd better start budgeting an extra half an hour when I go to the airport.

I think it's important to stand up for your rights. I like an opportunity to kick ass and take names as much as any other guy does. That doesn't mean I relish the threat of public humiliation. I was shaking when I got to the place for taking my boots off and my laptop out.

I have multiple friends (some who are trans, some who are cis) who've been strip-searched for less.

I'm going to Europe in two months. Getting the gender marker on your passport changed is more difficult than getting an Oregon driver's license changed. To change it, I would have to submit a letter that says that I have "completed sex reassignment surgery". Many cissexual women have breast reduction surgery; the surgery that I just had is substantially similar to breast reduction. It's unclear whether the US Passport administration would consider my surgery "sex reassignment surgery", and there are no clear published guidelines that suggest either that they would, or that they wouldn't. Passport change evaluation is opaque.

This is what my boarding pass looked like after the four TSA workers got done with it. I guess the initials "AS" mean "we checked this person's gender and determined they weren't a terrorist based on that."

If you travel by air, do you feel safer after reading this story?

Profile

tim: Tim with short hair, smiling, wearing a black jacket over a white T-shirt (Default)
Tim Chevalier

March 2017

S M T W T F S
   1234
5 678910 11
12131415161718
19202122232425
262728293031 

Syndicate

RSS Atom

Most Popular Tags

Style Credit

Expand Cut Tags

No cut tags