Conversations about life & privacy in the digital age

Get Up to Date on Your Privacy

“If there is no right to privacy, there can be no true freedom of expression and opinion, and therefore no effective democracy.” - Dilma Rousseff

We eat, drink, and sleep privacy. This blog remains dedicated to company updates, developer musings and special promotions (like No Knowing November - check it out!), while our daily articles at the Privacy Post stay in stride with the news. We wanted to curate some of their recent posts in case you hadn’t made your way over there yet:

We want to hear from you – what other topics are you interested in? What do you want to know more about?

We also wanted to share this TEDx Brussels talk, How the NSA betrayed the world’s trust — time to act – where Mikko Hypponen calls George Orwell an optimist compared to the realities of today. “Privacy is non-negotiable and should be built into all the systems we use,” he said. At the end, he calls for trust to be built through open source software. We couldn’t agree more, which is why we have been building Crypton, to bring privacy to the internet.


No Knowing November

No matter where you consume the news, there is no escaping the revelations continually coming out of PRISM and MUSCULAR and their impact around the globe. At its root, it uncovered a dangerous problem – privacy online is indeed threatened at every level.

Since its inception in 2007, SpiderOak has been focused on preserving our users’ privacy through the implementation of ‘Zero-Knowledge’ technologies – the privacy-first orientation that ensures the server never knows what data it is storing. How is this accomplished? By never storing the encryption keys and therefore never having plaintext access to the data. Ultimately, this is the only way to give ownership and control back to the user and – thus – ensure privacy throughout the process.

Back in January – when everyone was talking about the importance of security - we had the foresight to call 2013 the Year of Privacy. As we have seen, security only solves half of the problem. When a company retains the keys to the data, it also maintains the ability to access it. That access can then be used in a number of damaging ways, as was exposed back in June.


Help us make this month NO KNOWING NOVEMBER by sharing this critical message on privacy through ‘No Knowing!’

WANT TO SHARE?

  • Promote privacy through #NoKnowing
  • Use any of our ‘No Knowing’ images

Giving Privacy to the Internet: Developers Meet Crypton

We believe privacy doesn’t have to be a pain. So we’ve been working hard on Crypton. Now, anyone can easily build cryptographically secure cloud applications with Crypton, a Zero-knowledge framework for JavaScript.

Last week in The New Yorker, our CEO Ethan Oberman talked to cyberculture journalist Joshua Kopstein about Crypton’s potential:

“I can tell you from firsthand experience that privacy is now at the forefront of how all these companies are thinking about their strategies moving forward,” Ethan Oberman, the C.E.O. of SpiderOak, told me. His company is one of many whose notoriety has spiked since the Snowden leaks. Its latest project, Crypton, is an open-source framework for “zero knowledge” privacy systems—that is, systems where user data is encrypted locally before traveling to cloud servers, leaving the company with nothing to hand over to authorities but jumbled ciphertext and a few pieces of metadata. “It makes it so that users don’t have to trust the company in the middle,” said Higgins. “In the long run, that leads to a better relationship with that company, and, ultimately, I think it does lead to trust.”

“Both Higgins and Oberman said that demanding transparency is an important first step in a much longer process, and they admit that many companies may not be willing to go the extra mile just yet. But Oberman said that once transparency measures are in place, users can start to make more informed decisions about how much they value their privacy and what information is important to them. He predicts that this could create an incentive for services to offer multiple levels of privacy, storing sensitive data in secure containers while allowing less-sensitive bits to be available for ad-targeting purposes. “We’re engaged with a lot of companies that are starting to think about data along those terms,” he said. “I think they’re all now taking a deep breath and considering what they can do to rebuild trust.”

Bringing Privacy to the Internet with Crypton

SpiderOak just hired David Dahl to supercharge Crypton development. David is a veteran software privacy engineer with more than 15 years at Mozilla Corporation, and is also one of the founding members of the W3C Web Cryptography Working Group. On Monday, he wrote on our blog about how he will be pushing Crypton forward, and details on how you can join weekly Crypton calls.

Companies can also leverage Crypton and give privacy back to their users.

Here are the basics on this first ever privacy-first platform:

BUILT BY DEVELOPERS FOR DEVELOPERS

Crypton is for developers who want to build privacy into their apps. Crypton allows developers to provide customers a truly private storage and collaboration environment with no access to unencrypted customer data, without having to rely on 3rd party security layers or post development hacks.

EASILY DEVELOP ZERO-KNOWLEDGE APPS

More people are becoming “privacy aware.” Enterprises refuse to adopt solutions where the developer and service provider can access critical internal data. Crypton is the first application framework that provides a foundation for building zero-knowledge cloud products.

BUILT TO SCALE WITH YOUR APP

Built on PostgreSQL and node.js, Crypton was built with the intention of being horizontally scalable. Privacy doesn’t have to be a pain.

View the developer guide, and get started.

Please share with the developers you know. Let’s give privacy to the internet, together.


Pushing on the Open-Source Crypton Effort

After 5 years working on Firefox at Mozilla, last week I began a new adventure at SpiderOak. And whereas I will be working on a wide range of projects, my main focus will be directing the Crypton open-source project.

Earlier this year I read about Crypton, SpiderOak’s open-source web framework that makes scalable, privacy-centered web applications much easier to produce. As a founder and sometime-editor of the W3C’s Web Cryptography Working Group, I knew there would eventually emerge a “jQuery for web crypto.” Crypton seemed to be that and then some - a complete solution, including the server and storage mechanism. I was hooked. I have been tinkering in this space for a few years, producing a couple Firefox extensions including DOMCrypt and Nulltxt. These extensions model what I thought made sense for crypto APIs hanging off of each web page, as well as web applications to go along with these APIs. I implemented window.crypto.getRandomValues in Firefox and worked on the team that maintains and improves Firefox security.

With the idea that the Web Crypto API is now forthcoming and the recent media attention on ever-present Internet surveillance, I want to do something more tangible about it now. SpiderOak has been building privacy-oriented products that uphold its ‘Zero-Knowledge’ concept for almost a decade, which makes this move for me a natural fit. I am excited to play a role in making Crypton the standard for web crypto as well as providing an easy way for developers to easily build meaningful, useful ‘Zero-Knowledge’ applications.

As of September 26, 2013, SpiderOak is hosting a weekly development teleconference to discuss the latest developments, features, milestones, bugs and anything else Crypton users or developers would like to discuss. The details are on our Github wiki.

If you have any questions or ideas about Crypton, feel free to contact me via our many channels of communication or email me directly at ddahl[at]spideroak.com.

SpiderOak Calls to Reform the Electronic Communications Privacy Act (ECPA)

We all know the Fourth Amendment gives us a right to privacy – making it so the government can only search our home if they have a good reason, and – except in emergencies – a warrant from a judge. Since technology has advanced faster than court decisions and statutes, our right to privacy is suffering.

The Electronic Communications Privacy Act (ECPA) was enacted to extend restrictions on the government’s ability to intercept certain electronic communications. It was signed into law in 1986. 1986! Think: Peter Gabriel’s hit “In Your Eyes,” the Iran-Contra affair, Top Gun, the appearance of Halley’s Comet, and $89,430 was the average cost of a new home in the U.S. The ECPA is now one of the Internet’s most outdated laws and desperately needs reform.

Instead of storing our private letters, photos, documents in a shoebox or file in our bedroom closet, most of us have them stored in the cloud. Under the current ECPA however, government agencies don’t need a warrant to search our private stuff stored in the cloud like they would if we stored these items in our home. We think this should change and better reflect this day and age.

The ECPA Reform Bill prohibits Internet companies from divulging contents of communications to the government without a warrant. It won’t solve everything, but it’s a good start and definitely part of the solution. It is bipartisan and has wide support from the tech community and advocacy groups. It’s time for Congress to give the public the same level of protection of privacy that our email and online documents deserve.

If you agree, visit VanishingRights.com and tell your Representative to support ECPA reform.

State of Online Privacy Survey Results & Discounted GBs

The results are in!

We’d like to send a big thanks to the 7,883 respondents of our 2013 State of Privacy survey. We were thrilled to get such a great response.

Participants spoke loud and clear. The National Security Agency’s spying program has made users feel less secure. They consider the government the biggest threat to their online privacy. Corporations such as Google, Facebook and Apple came in second.

Nearly 90% said companies should prioritize privacy in their offerings. We agree!

To read the full report of our findings, click here.

To promote more privacy, share and take advantage of this unique offer that runs for the next four days only.

25GBs for $30
- or -
50GBs for $60

Use the code privacyfirst before October.

Typically, the smallest amount of storage you can buy with SpiderOak is 100GB for $100 a year but we recognize not everyone needs or wants that much space. This is why for the end of September, we’re happy to offer 25 or 50 GBs at a discounted rate.

SpiderOak Users:

Log in to your account online. Once you’re in, go into your ‘Account’ tab at the top, and then click ‘Buy More Space,’ and then choose ‘Upgrade My Plan.’ Plug in the promo code privacyfirst, and choose which plan you want under Yearly Billing. There you go!

New User to-be:

Quickly 1) sign up here, 2) download and install the client, then 3) click ‘Buy More Space’ in the client itself, or via the web portal (which will then take you to a new screen, where you need to choose ‘Upgrade My Plan’). Simply use the promo code privacyfirst and choose which plan you want under Yearly Billing.

Be sure to let your friends know about this deal so they can put privacy first too.

Also, survey winners of the iPad, iPod Touch, 100GBs and 50GBs accounts are currently being notified. Let us know if you have any questions!

Thank you again to everyone who participated and validated the importance of privacy.

 

AMA: Interview with International Privacy Consultant JJ Luna

After our popular interview with cryptographer and computer security expert Jon Callas earlier this summer, we wanted to talk to more experts who were publicly passionate about privacy.

Meet JJ Luna – an international privacy consultant and author of the best-selling book How to Be Invisible. He’s spent more than five decades living off the grid, and helps his clients on topics such as home security, senior self defense, making money and living a truly private life. If you’re interested, you can read specific examples of his consulting work and the kinds of people he has helped here.

We were honored to have JJ Luna (aka Jack) answer a few questions about why he had to live a double life and protect his identity and his family’s safety, his views on U.S. current events regarding privacy and security, and his advice for average citizens.

How did you come to care so much about privacy? What put you on this path? Have you always valued privacy, or was there an incident that led you to become so knowledgeable and immersed in privacy?

JJL: Under the direction of an international Bible and Tract Society, I volunteered to move overseas. In 1959, therefore I moved to Spain’s Canary Islands with my wife and small children via a Norwegian freighter. At this time Spain was ruled by the dictator Francisco Franco and Catholicism was the state religion. All others were illegal. For that reason I had to live a double life. Openly, I was a commercial photographer. Secretly, under another name, I helped hold illegal meetings in private homes and VERY illegal assemblies deep in pine forests. Eleven years later, Franco was pressured into allowing other religions in Spain, so I was then free to come in from the cold. However, I had gotten to enjoy hiding information so I continued, to a large extent, to stay private.

What are some simple precautions you would encourage the average US citizen to take (and why), for those who might not know a lot about privacy and why it is important?

JJL: It is not “simple.” I wrote an entire book on that subject, How to be Invisible. The theme is basically to hide your home address. That way, if for any reason someone decides to go after you (this happens all the time!), they will have a hard time finding you. The benefit? You sleep well at night!

But essentially:

  1. Stop using credit cards. Pay cash.
  2. Never borrow money. Rent if you cannot buy.
  3. Never use a driver’s license for ID–use only a passport.
  4. If you are wealthy, hide that fact!*

For many of us, privacy is important because of what we own, where we live, and what we do – this is no one else’s business. Further, anyone can sue anyone in the [Canary Islands]. The ones chosen to be sued have “deep pockets.” Why advertise that fact?

*For more on hiding your wealth, you can buy JJ’s ebook, Invisible Money, Hidden Assets, Secret Accounts. Special SpiderOakian offer – get 75% off the Premium ebook with code: Jack15. You will receive $15 off, for a net of $4.99. This code will only work for 15 days after this post is published. If you have any trouble, please email JJ Luna directly at jack[at]jjluna[dot]com. (Unfortunately the Kindle price cannot be discounted.)

As an expert in this area, how have you seen the public conversation and awareness around privacy change over the past few decades? How has it also physically changed for you, with technology, etc.

JJL: Since 9/11, there is an increasing desire for privacy but it is harder and harder to accomplish. I find it increasingly difficult to keep information about me out of the internet.

Would you weigh in on the current Snowden/NSA/Prism situation and the ‘state of the nation’ in general, where it pertains to online and offline privacy?

JJL: Snowden? Mixed emotions. The government does need to know what the enemy is doing. I doubt that WWII could have been won without the allies reading both German and Japanese communications. However, I do not trust this present administration in any way, shape or form. In many ways, life under Franco was better than this!

What is something that surprises you, or that you continue to learn, in your line of work and its role in our world?

JJL: I am increasingly surprised that nothing can remain secret from the United States government. The government keeps secrets but the citizens are not allowed to do so?

A huge thanks to Jack for sharing his time and expertise with us. Stay up to date by following his blog and tweets. And you can learn How to Be Invisible (which has been read and enjoyed by many people within SpiderOak) too.

 

Top 5 Reasons to Care About Privacy

There has been a lot of discussion around our right to privacy and we at SpiderOak couldn’t be happier. We’ve been talking about it for years! Based on some recent conversations, we thought we’d give you five reasons to care about privacy.

(1)  It’s Your Identity

You may shrug your shoulders and think, who cares if someone knows my demographics, where I shop, what I read, or what I say – they don’t really know it’s me. Online anonymity is becoming a thing of the past. The fact is, some companies may not keep your personally identifiable information (PII) but that doesn’t mean the information collected can’t or won’t be resold to other parties who are building an identifiable profile on you. Once you’ve released information into the wild, there is no getting it back – and you no longer have control over or any rights to it.

(2)  Your Information Is Worth Money – And You Don’t Want It Used Against You

Companies are paying for your information which means it’s worth cold hard cash. If you are generating something of value, why not treat it as any other asset you own? Furthermore, consider the idea that you could be discriminated against based on this information. For example, a company could charge you more for a product or service and who thinks that is a good idea? Click here to learn how this is already happening.

(3)  You Deserve It, Until You’ve Done Something Wrong

In this country, you are allowed to operate freely – which also means, privately – until you’ve done something wrong. Or at least until you’ve done something to raise the suspicions of the powers that be. Our government isn’t allowed to look over our shoulders unless they have a legitimate reason to do so. This principle was built into the founding of our country.

(4)  A Responsibility to Protect Those More At Risk

Perhaps you’ll decide keeping your data private is not a battle you care to fight but it’s still worth protecting the ability to make that choice. Stand up for the choice so others can also make it. Privacy may not be a big deal to you but it is to others, like children, teenagers, individuals who are pregnant, those dealing with health challenges, victims of abuse, activists, government and public figures, along with many more. It’s our responsibility to protect those who need help protecting themselves.

(5)  Room To Grow

Privacy allows you the space to try on something new, explore ideas, or think through decisions without lasting consequences. Having this freedom is critical to our ability to thrive as individuals and as a society.

Restore the Fourth: Secure Your Privacy with 4GBs Free(dom)

This week we are supporting Restore the Fourth’s online efforts to drive awareness and action against unconstitutional digital surveillance. Be sure to join the conversation on Reddit and Twitter via #restorethe4th.

In solidarity, we are offering 4GBs free to new users and 25% off annual plans for existing users. Embrace our zero-knowledge privacy this week as you safely, privately and securely back up the data that is most important to you. See below for more information on how to take advantage of this limited-time deal.

THE FOURTH AMENDMENT

The Fourth Amendment was carefully written for the express purpose of limiting the government’s ability to violate the deserved privacy of its law-abiding constituents. We celebrate our freedom this week by asking the government to acknowledge privacy with respect to digital communications data.

Another way you can take action is by visiting stopwatching.us and signing a letter that demands the U.S. Congress reveal the full extent of the NSA’s spying programs.

TAKE ADVANTAGE OF 4GBS FREE(DOM) OR 25% OFF

If you are a new user, sign up for 4GBs free for life when you sign up HERE.

If you already use and love SpiderOak, use the code restorethe4th when you upgrade your yearly plan to receive 25% off – that means only $75 per year, or $6.25 a month, for 100GBs. Here’s how:

  • Open your ‘account’ through the accounts tab in the SpiderOak client or click the ‘Buy more space’ button.
  • On the Account Details page, select “Upgrade My Plan” to the right.
  • On this page, you will see a “Promotional Code” box.
  • Type “restorethe4th” in this box and select “Update”
  • You will see the discount 4GB free option as well as the 25% discount to yearly plans.
  • Choose your promotion and continue the ‘checkout’ process.

Note: The ‘4 GB FREE’ offer is intended for new users. Selecting this promotion as a current user will replace your existing storage with 4 GBs.

Offer ends July 4th at 11:59 PM CDT.

Enjoy, and thank you again for your continued patronage and support.

Securing Your Mail From Site to Site

Many of you know how to secure your email between your mail client and your computer. But if you run your own mail server, did you know you can secure email between servers? Many servers support TLS encryption for outgoing connections, which will protect your mail between your server and the next one. For my favorite mail server, Postfix, add this to your main.cf:

smtp_tls_security_level = may

This will enable “opportunistic” TLS for outbound connections, meaning it will use encryption if the remote server supports it; otherwise it will transmit the mail unencrypted. If you’re really paranoid and don’t want to talk to servers that don’t support encryption, you can change may to verify or secure to ensure that the remote end uses encryption.

To ensure that your server listens for TLS requests, add this:

smtpd_tls_security_level = may
smtpd_tls_cert_file = ...
smtpd_tls_key_file = ...

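Note the small difference between smtp_... and smtpd_...: the smtp_ parameters govern outbound deliveries, while the smtpd_ parameters govern the server that accepts incoming mail. The cert and key parameters point to your SSL certificate and its private key. You can also use encrypt here instead of may to force encryption for clients, but this isn’t recommended for a public Internet server.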
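
An offline check of the Postfix settings above, as an added example that is not part of the original post: it parses main.cf text and reports whether outbound mail can fall back to cleartext, whether the inbound certificate is set, and whether it was typed under the smtp_ prefix by mistake. The sample configurations, file paths and finding codes are constructed, and an unset level is assumed to mean no TLS.

```python
# Added example: offline audit of the Postfix TLS parameters discussed above.
OUTBOUND_MANDATORY = {"encrypt", "verify", "secure"}

def parse_main_cf(text):
    """Parse main.cf text into {name: value}; the last assignment wins."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments carry no settings
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()  # leading whitespace continues a value
        else:
            logical.append(raw.strip())
    params = {}
    for line in logical:
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def audit(text):
    """Return a list of (code, message) findings for the TLS settings."""
    p = parse_main_cf(text)
    findings = []
    # Outbound side: smtp_ (no "d") is the client that delivers to other servers.
    # Assumption: an unset level is treated as "none"; legacy parameters ignored.
    out = p.get("smtp_tls_security_level") or "none"
    if out == "none":
        findings.append(("OUT_CLEARTEXT", "outbound mail is never encrypted"))
    elif out == "may":
        findings.append(("OUT_OPPORTUNISTIC",
                         "outbound falls back to cleartext if the peer lacks TLS"))
    elif out not in OUTBOUND_MANDATORY:
        findings.append(("OUT_UNKNOWN", "level %r is not handled here" % out))
    # Inbound side: smtpd_ is the daemon that accepts mail.
    inb = p.get("smtpd_tls_security_level") or "none"
    if inb == "none":
        findings.append(("IN_NO_STARTTLS", "server does not offer STARTTLS"))
        return findings
    if p.get("smtpd_tls_cert_file", "") in ("", "..."):
        if "smtp_tls_cert_file" in p:
            findings.append(("IN_CERT_WRONG_PREFIX",
                             "certificate set under smtp_, not smtpd_"))
        else:
            findings.append(("IN_CERT_MISSING", "smtpd_tls_cert_file is not set"))
    if inb == "encrypt":
        findings.append(("IN_FORCED", "senders without TLS will be refused"))
    return findings

# Constructed sample: the page's settings, with the cert typed under smtp_.
SAMPLE_MISTYPED = """\
# outbound
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_cert_file = /etc/postfix/example.pem
smtpd_tls_key_file =
    /etc/postfix/example.key
"""

# Constructed sample: mandatory outbound TLS, forced inbound TLS.
SAMPLE_STRICT = """\
smtp_tls_security_level = may
smtp_tls_security_level = verify
smtpd_tls_security_level = encrypt
smtpd_tls_cert_file = /etc/postfix/example.pem
smtpd_tls_key_file = /etc/postfix/example.key
"""

if __name__ == "__main__":
    for name, sample in (("mistyped", SAMPLE_MISTYPED), ("strict", SAMPLE_STRICT)):
        for code, message in audit(sample):
            print(name, code, message)
```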

By default, if Exim is compiled with TLS support, it will attempt TLS for outbound connections. If you want it to accept TLS, though, you’ll have to set:

tls_advertise_hosts = *
tls_certificate = ...
tls_privatekey = ...

It’s important to note that even with these configurations, you can’t guarantee that your mail is completely encrypted in transit, since your mail could be transmitted between several servers. It also doesn’t prevent eavesdropping on the servers themselves. If you want to ensure that only the recipient can read your mail, you should use something like PGP.

I’ll leave other mail servers as an exercise to the reader. Feel free to post further configuration or notes in the comments!