• I use Ghostery, HTTPS Everywhere and Chrome browser on my laptop. I also use Chrome at work so the extensions follow me there. Some of the other tools like Certbot were great to read about as I have no server-side experience at all. Tor browser is on my laptop but honestly I haven’t opened it in a while. One thing that was cool was when I tried to expand a tab in Tor, it prompted to suggest that doing so could relay to an observer what kind of computer I’m using. How seemingly insignificant pieces of info about our device might shape a threat in real time was interesting.
• I do library catalog trainings for 8th through 12th grade students and where there was time I’d introduce DuckDuckGo as an alternative to Google to a class who might use a search engine as part of their research process. Having an audience already sitting in front of a computer is an opportunity that shouldn’t be passed up and going forward I am going to budget in time during these trainings to talk about small bits like HTTPS Everywhere. Adding this extension is fairly straightforward and it only takes a few minutes to demonstrate.
• One of the challenges with teens I’ve mentioned before is that they’re likely not to swap out apps as it will disrupt their routine; however, showing them ‘one weird trick’ like turning off ‘significant locations’ services as per the Data Detox is totally doable in a short period of time and definitely reduces the amount of info flowing out of our devices.
I’m fairly to very familiar with most of the tools on the list, some I use some I just have cursory knowledge of. I don’t use a password manager. I’ve cut down on how many accounts I need to log into to under 10 so I can usually manage to remember them, if not, it’s never an emergency so I just reset it to a new diceware password.
When I teach I mostly focus on passwords and threat modeling. I talk about extensions like Privacy Badger and I mention password managers, but my crowd is usually older so implementing these tools is sometimes a bit beyond them. I mention PGP but just as an example of the lengths you can go to protect yourself. I haven’t set up a cryptoparty for teens/adults yet, but it’s on my to-do list. Show people how to make keys so they can have true e2e encryption.
I’ve been working on the data detox for a while now but have yet to fold it into a class. I think it would be more of an online idea like TT uses rather than an actual class. Though it is an excellent handout.
I’m always looking for new ways to spice things up.
These days, I usually use Firefox (and sometimes Chrome at work) with Privacy Badger to deter tracking and DuckDuckGo as the default search engine. I used to use the Firefox extensions AdNauseam (which baffles ad tracking by clicking everything) and TrackMeNot (which constantly sends random search queries from different search engines). Conceptually, I like the idea of creating white noise around tracking, making it pointless/inaccurate, but with the risk of “malvertising,” and the fact that these kinds of extensions can end up slowing things down, it’s probably not the best solution for most people.
I use Signal for texting…and LastPass for passwords. I have a Riseup account, but only use it occasionally and end up using my personal Gmail or work Microsoft account much more often. I’ve used Tor browser, but it can be a little frustrating when things won’t load–I’m looking forward to learning more about it.
As far as what was new to me, I’d heard of YubiKey, but never understood exactly what it was, so I’m kind of excited about spreading that idea. I wish they weren’t so expensive–if they were cheap, I might be able to get the library to invest in some as giveaways for folks attending digital literacy/privacy classes. I’m also glad to learn about Certbot for folks that run websites.
Reflecting on my own practices and also conversations I’ve had with others on this topic, I really resonate with the concept of friction–I feel like I’ve thought about this stuff more than the average person, and I still rely on google services way more than I’d like, because they are just SO convenient. I’m really interested in figuring out how to reduce friction for the average person so that defaulting to using tools that protect our privacy is just easy.
I wanted to share a new report from Pew about broadband adoption and mobile devices. There are some interesting implications here for libraries, particularly in the way we talk about privacy with our patrons.
A few stats here jump out:
• 37 percent of adults mostly use a smartphone to access the internet
• The growth in smartphone preference is being observed across all age groups–58 percent of 18-29 year olds and 47 percent of 30 to 49 year olds.
Even as smartphone ownership increases across all demographic groups, broadband adoption rates are more varied w/r/t income, educational attainment, and race and ethnicity. That’s digital divide 101, but what I found interesting was that the primary reason given for not subscribing to broadband at home isn’t cost (dropping from 43 percent to 27 percent from 2015), but that the smartphone can do everything one needs (doubled since 2015 to 23 percent!).
This gives me pause for a few reasons. There’s so much that is hard to do on a smartphone, like completing a job application, accessing government services, or doing school work or research. Implementing the privacy tools we talked about this week can be hard as well, or requires a different set of strategies. As we talk about privacy tools to teach our patrons, I think we should be prepared for this increasing preference for smartphones. I’ve usually taught a smartphone security class as an add-on or cap to a series, but I wonder if it makes more sense to weave it throughout?
Familiar with most of these, and personally using LastPass (w/ a diceware passphrase) / Privacy Badger.
In our public classes, we show Lightbeam as a way for patrons to conceptualize third party tracking and cookies. In our e-mail classes we also talk about ProtonMail as an alternative to Gmail. We have a class on Google Takeout as well, where we talk through various Google alternatives (DDG for search, Open Office for Suite, so on).
As Ellie and TJ both touched on, some of these interventions present too much friction for our patrons. Threat modeling is useful here–what am I trying to protect, how valuable is it, how much time and effort and $ am I willing to put in to protect it? ProtonMail is great, but Google gives users 30 times the amount of storage for the free account. We try to educate patrons on the general risks, and give them a range of tools that increase in friction up to VPNs and a very basic overview of Tor.
I love my YubiKey though I do understand they are a bit pricey if you aren’t going to use it all the time. My laptop, for instance, has a 26 character password, but I hate typing it all in, so my yubikey unlocks my laptop for me. It’s a great physical backup.
Now if only yubikey would sponsor a library event so we could give them away!
While I was familiar with some of these tools, there are quite a few that are new to me. I plan to explore and integrate the Data Detox, Lightbeam, and Privacy Badger into my courses. I do talk about ad tracking in the course, but I don’t currently recommend any specific blockers, so I plan to add a few from the third party tracking blocker list. In general, students in my class seem to be open to using browser extensions, so it also might be a fun activity to have them install Lightbeam and share their experience (e.g. what third parties are tracking them). Overall though, I plan to use some of these listed tools to create a list of resources that students can refer to throughout the semester.
In my course, I do cover DuckDuckGo as an alternative to Google. I have my students compare and discuss the pros and cons of various search engines. I think this is where I can add in elements of threat modelling to further explore why and what extent they are willing to safeguard their privacy. It might mean trading a better search experience (e.g. more relevant results) for privacy. I really wish that DuckDuckGo could compete with Google in terms of search experience. It’s really difficult to convince students to at least consider something other than Google. However, at least they explore the possibility in my search engine forum/activity.
I also provide some resources to explore on Tor when we cover the dark web portion in my course. I’d like to learn more about Tor and be able to advise on ways for it to be more feasible to use. Some students that have experimented with using Tor complain of how slow everything loads, so that is one challenge of using this tool.
One thing that we hadn’t discussed that I would be interested in hearing more about is VPNs. I had previously been under the impression that they were very useful tools for privacy – specifically in regard to protecting your browsing from your internet service provider – but recently I have been hearing (via infosec ppl on Twitter) that they may not be as useful for privacy as they say. I’ve heard claims along the lines of “despite what any company says, they are logging your sessions.”
I have been using a good portion of tools on this list; in the workplace and at home personally. On public technology that I have administered – particularly on mobile devices – I have installed 1 Blocker X, Firefox (Focus), Onion, on both Android & iOS tablets in an effort to promote safer browsing. I have installed across our Chromebooks, Macs & Windows machines Tor and Firefox (in addition to Chrome, & Edge [Safari only on Macs]); all web browsing search defaults to DuckDuckGo; Safari uses 1Blocker, Edge uses Ghostery and the remaining browsers are using HTTPS Everywhere & Privacy Badger. I had to opt for different tools because not each browser and/or extension is available on every one of these browsers and being consistent is important for me when configuring public access machines. Generally, library patrons have not commented and/or suspected ill-intent on the installation of these extensions – I suppose the most challenging part of all of this is not having enough time to work with everyone every day every time someone accesses technology (staffing realities – 20 machines vs 1-2 library staff members on the Reference Desk, etc).
Some of these tools are alternatives to tools/brands that have been around – getting people to move away from widely known email providers and/or adopting a different set of productivity tools can be overwhelming and/or confusing. Some of the alternative tools may be just as effective but lack the same level of advertising which gets in the way of discoverability and/or trust – people tend to accept what they’ve heard of and/or think is widely used.
Tools that are included on this week’s list that I would like to personally adopt more include secure password managers (I tend to write things down… but, password managers can actually be leveraged to support tougher passwords and improve security!) and…to actually break up with Gmail. I do not particularly care that I would have to change my email address and I am exploring adopting ProtonMail and digging deeper into the AntiDoxing list that you provided (I’ve used and referred people to accountkiller.com's directory when talking about internet safety and/or how to start undoing).
I was aware of most of the tools discussed in Data Detox on some level. Some I have been using for years, some I used to use & stopped for one reason or another, & others I hadn’t heard of/didn’t do much research on because: laziness. Most of the ones I quit, I stopped using because they were getting a bit buggy & clunky (AdBlock Plus, etc.).
I recently downloaded Signal & I absolutely love it so far. The only person I’ve managed to get switched to it is my partner. I will get my mother on there next time I see her in person & I have time to set it up for her. Hopefully, I can get my sister & her family on it eventually. It would be nice to know that our family discussions are a bit more secure with all the photos we send to one another of pets, kids, etc. But we do use iMessage 99% of the time, so I guess that can be good enough since it is end to end encryption.
I’ve been using Startpage & DuckDuckGo for the most part for quite some time now. I am an avid backup queen because losing all my music, photos, & files terrifies me (& I do not have faith in the cloud!). Browsers & email are harder for me to break up with since I am a fan of Apple’s UI (I also worked at an Apple Store in my younger years). Firefox tweaked for privacy is my primary browser for most things, but I do still use Safari on my phone. I will have to get unlazy & fix that soon. I just signed up for a Tutanota account, so we shall see if I am able to de-Googlise my life sooner than later. You all have also FINALLY convinced me to do a password manager as well.
We shall see how well I stick with all these things. Let the detox games begin.
Thanks for sharing this study and also bringing up the facts about how different strategies are needed in order to combat tracking and surveillance on smartphones. It’s a whole different “beast” and one I’m way less comfortable speaking about with patrons due to how layered and complex the type of information being sent out to ISP, cellphone towers, etc. is.
I was already familiar with a lot of these tools but had not taken the leap and started integrating them in my daily use. So far I’ve started using LastPass, WhatsApp, and Privacy Badger and I’ve gotten back into my backup schedule. I’m still slowly working through the Data Detox Kit and trying to take note of where I’m finding friction. My next step is to work on convincing my husband to take the leap and walking him through the steps as a trial run of teaching these tools.
The biggest challenge that I am seeing is that the community I serve will find the number of options overwhelming. I want to find the balance for providing resources effectively in a limited period of time.
We will cover Tor in depth in NYC! I hope you will find it to be faster and more usable than when you last used it.
Exactly! The low friction, set-it-and-forget-it tools are perfect for this kind of environment.
I would LOVE to see a privacy class designed for teens called ONE WEIRD TRICK that’s just ALL WEIRD TRICKS.
Totally – I use it for most things and it certainly is not frictionless. But I do think it’s getting better. Looking forward to exploring it with you all in NYC.
Yeah, agree. I wonder if we might be able to convince YubiKey to do some kind of bulk discount for librarians? We should certainly use our clout.
It’s been a years-long process for me as well, and I still default back to the convenient options sometimes. That’s why a harm reduction framework has been useful for me. Small steps matter, and privacy is a long-term goal.
Yeah, I usually weave it throughout too. We will have a week just dedicated to talking about the unique problems with mobile devices, but I think the best classes combine desktop/mobile concerns.
Should I try to get someone who works on DuckDuckGo to come and speak to us about the challenges they face making their search engine as robust as Google’s?
That’s right! It’s complicated. I think I will do another week where we talk about VPNs, email, and maybe whatever related to Tor that we don’t get to in NYC.
Yup, which is one area we can be influential on – helping increase trust!
I find it to be a pretty good gateway privacy app because at this point it is fairly low friction.
We will talk more about teaching strategies later in the course, but I usually stick with teaching 3 things in one class. Maximum of five. Sometimes even as little as one thing (passwords usually). Lots of people appreciate this pace.
I would also be interested in that! Any time we can hear from someone at the source, it’s so much more memorable. I’d also like to hear what their plans are for the long-term. As we encourage more people to use these tools, it would be good to know if they have sustainability or growth in mind.
If I’m just on twitter all the time there isn’t time for any other services.
But seriously, there just isn’t that much online I need to use a real account for access to. Couple vendors, couple banks, couple emails, but I do try to limit who I buy things from and the frequency in which I do. I think about my average day and logins and it’s pretty much this:
Twitter, Email, LFI, maybe check my CC or bank statement. That’s it. I don’t really use apps all that much so I’ve drastically limited the services I’ve subscribed to. Wasn’t easy, but it’s easy now.
I think one of the biggest challenges for introducing these tools in a library environment (and I’m thinking specifically a public library environment) is the complexity that comes with more options. When I used to teach a lot of intro topics, my focus was on how to simplify while helping patrons maintain their privacy at the same time which can be a difficult balance. I also think it can be a challenge to help patrons who are already frustrated or scared of using tech by bringing up other security issues they never thought about when introducing some of these tools. Like Jeff mentioned though, looking at this through the lens of threat modeling is helpful.
Another challenge is getting your institution to support this kind of instruction. Some library admins will tell you that their patrons aren’t interested in that kind of thing and don’t give their front-line workers the flexibility to develop new programming.