The Borders of Privacy

In my previous post, I defined privacy piracy. My focus was on for-profit companies pirating personal information. Here I want to mention that governments are increasingly restricting our right to electronic privacy as well.

As an example, U.S. border officials can seize and search laptops, smartphones and other electronic devices for any reason. The ACLU is suing, with the stated goal that "...the government has to have some shred of evidence they can point to that may turn up some evidence of wrongdoing" before such searches can be performed. The American Civil Liberties Union cites government figures and estimates that 6,500 persons have had their electronic devices searched at the U.S. border since October 2008. No mention of how many terrorists were caught.

So what can the average computer geek do to protect his privacy?

One solution is encryption. TrueCrypt is free, open-source software that can encrypt individual files, whole partitions, and even a laptop's entire operating system. There are versions for both Windows and Linux, although complete OS encryption is available for Windows only. See the complete documentation here. I have used the software to encrypt Windows operating systems, partitions on Linux systems, and numerous files on both operating systems. TrueCrypt performed without error and did not seem to affect performance adversely. (I noticed my CPU utilization went up a bit, but my CPU had no difficulty keeping up with the hard disk: a CPU can encrypt and decrypt data faster than the hard drive can read or write it.) Just be sure to follow their password recommendations. IMHO, the algorithms used by TrueCrypt should be quite robust against even the most sophisticated decryption efforts that nefarious governments can mount.

It is possible to observe that a file has been encrypted: the entire file consists of completely random-looking data. Recent U.S. case law suggests that government agents, during a laptop search, could notice an encrypted file and then compel one to divulge one's password for it (Fifth Amendment protections notwithstanding). They could then use the password to decrypt and gain access to the data contained in the file.
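As an added illustration, not part of the original post, of why an encrypted file stands out to an observer: the script below measures the Shannon entropy of a file's bytes. The sample inputs are constructed, with chained SHA-256 output standing in for a TrueCrypt volume (whose header is itself encrypted, so nothing in the file is recognizable). Compressed archives and images also score close to 8 bits per byte, so a high reading is a flag for a closer look, not proof of encryption.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for a
    perfectly uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(data: bytes, threshold: float = 7.9) -> bool:
    """Heuristic used by file-scanning tools: a file whose entropy is
    near 8 bits/byte over its whole length looks like ciphertext (or
    compressed data), since ordinary documents sit well below that."""
    return shannon_entropy(data) >= threshold


def pseudo_ciphertext(size: int, seed: bytes = b"constructed-sample") -> bytes:
    """Constructed stand-in for an encrypted volume: SHA-256 digests chained
    over a counter give deterministic but statistically uniform bytes."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:size])


# Constructed plaintext: the kind of document a thief or inspector would read.
PLAINTEXT = b"Dear bank, please find attached my statement for March. " * 2000


def classify(samples: dict) -> dict:
    """Return {name: (entropy, flagged)} for each sample buffer."""
    return {name: (round(shannon_entropy(buf), 3), looks_encrypted(buf))
            for name, buf in samples.items()}


if __name__ == "__main__":
    report = classify({"statement.txt": PLAINTEXT,
                       "volume.tc": pseudo_ciphertext(64 * 1024)})
    for name, (entropy, flagged) in report.items():
        print(f"{name}: {entropy} bits/byte, looks encrypted: {flagged}")
```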

To deal with this privacy commandeering, TrueCrypt has a couple of plausible-deniability tricks. One trick is to hide an encrypted volume within an encrypted volume, each having a separate password. The inner volume is undetectable; which volume is accessed depends on which password is used. This trick allows a person to reveal the password of the outer encrypted file but "forget" to mention the inner encrypted volume. Another trick is the ability to hide an entire operating system (Windows only) behind a decoy encrypted operating system.

However, like most people, although I like to rant against nefarious governments, my real concern is having my laptop stolen. A web search revealed inconsistent statistics, but I would guess anywhere from 100,000 to 500,000 laptops are stolen each year. So my bigger worry is that some thief gets his hands on my private and financial data. This includes not only bank statements and brokerage account information, but related data in my operating environment such as cookies and the contents of my swap file.

Again, what to do?

I create a virtual machine that I use exclusively for my online financial transactions and private communications. I then store the virtual machine on a TrueCrypt volume on my laptop. Therefore, if my laptop is ever stolen, the thieves will be able to find out all about my web surfing habits, but nothing truly sensitive or potentially damaging, since that is stored on the virtual machine.

BTW, I haven't overlooked that smartphones contain a lot of private data too. I'll address smartphone encryption in a later post.

1 comment:

  1. BTW, this Wired Magazine article describes how recently established guidelines "to keep a search warrant for computer data from turning into a license for a fishing expedition" have just been "gutted" by an appeals court.