Before the month is over: countersurveillance/anti-stalking tips

I’ve really missed the target on the number of posts I wanted to make for National Stalking Awareness Month, though actually I’ve not made that many posts to this blog period (and I am way behind on my other blog, with a post I need to finish before I can post one that has to be scheduled behind it, but that’s another story).

It’s not that I’ve forgotten, just that blogging has taken a back seat to a few other things lately. So, before the month is over, here are a few basic countersurveillance/anti-stalking tips:

  1. Be very leery of an intimate partner (boyfriend/girlfriend) asking to borrow your phone, your vehicle, etc. “all of a sudden.” It’s one thing to offer a ride, it’s another to just lend the car outright. (It’s the same with phone calls.) Sometimes this is a ploy to install tracking devices (vehicle) or software (phones/computer/tablet).
  2. If something feels wrong, it probably is. If there’s any doubt about a situation that you’re not comfortable with, get out of it.
  3. If you think you are being followed in a vehicle, make a series of turns in the same direction. Ideally, these should be turns that do not have to cross oncoming traffic, i.e. right turns in the US, Canada, and other countries that drive on the right. If you are in the UK or Japan, these will be left turns. You can also try driving much slower than the flow of traffic. If you are still being followed, find a populated and well-lit area (if at night) and call the police.
  4. Know the anti-stalking law in your country, state, or province, and what the legal definition of stalking is. It may not be what you think it is. In Texas, for example, stalking (Penal Code 42.072) is for the most part defined as multiple instances of harassment (Penal Code 42.07) with some additional qualifiers and a couple of criteria which broaden it to conduct which isn’t necessarily against 42.07 per se. There’s also a civil anti-stalking law (Civil Practice and Remedies Code Chapter 85) which is a bit wider than the criminal law. There’s also a federal anti-stalking law but that usually only comes into play when a stalker follows you across state lines.
  5. Running any operating system besides Windows on a PC will do a lot to improve security, if you possibly can stand to make the change. The vast majority of spyware/malware is written for Windows, to the point where it practically does not exist in the wild for anything else. Ubuntu is easy to set up, and there are other GNU/Linux distributions and freely available operating systems focused on user friendliness. It may be worth having two computers: one with Windows to run the bare minimum of proprietary Windows programs, and one running a GNU/Linux distribution (or whatever) for general purpose browsing, email, Facebook, Twitter, etc. (I’m writing this on a used laptop purchased for $200, which I’ve since had to put a $75 solid-state drive in to replace the original failing hard drive. Sure, it had the former user’s Windows install on it, but that was easy to take care of.) If there’s demand for a more in-depth post or series of posts on this, let me know and I’ll write them.
  6. If you don’t need to keep data, get rid of it. Overwrite sensitive data, don’t just delete it using a normal delete command (which only removes a pointer to the data, not the data itself).

I’ll try to come up with something else before Tuesday night. Stay safe out there.

Could you get spied on and ratted out by your computer repair shop?

This post was inspired by the recent widely publicized incident where a Best Buy customer in California was charged with child pornography-related crimes after he dropped his computer off at the local store and it was shipped to the Geek Squad center in Kentucky for the actual repairs. There’s also a tie-in with National Stalking Awareness Month related to privacy and security when it comes to electronic data which I will get to later in the post.

A representative sample of articles about the incident:

I’m not really going to go into quotes of any of the articles here, but simply restate what appear to be the facts in my own words. A Geek Squad staffer was running a data recovery (“file carving”) tool on this particular PC. Part of the assigned work was data recovery, so on its face it would appear to be a valid reason. However, the Geek Squad staffer’s job was just to get the PC running, not recover data. It turns out that he was a paid FBI informant who got $500 for each instance of apparent child porn he found.

To its credit, Best Buy issued this statement (quoted from the Network World article):

“Best Buy and Geek Squad have no relationship with the FBI. From time to time, our repair agents discover material that may be child pornography and we have a legal and moral obligation to turn that material over to law enforcement. We are proud of our policy and share it with our customers before we begin any repair.

“Any circumstances in which an employee received payment from the FBI is the result of extremely poor individual judgment, is not something we tolerate and is certainly not a part of our normal business behavior.

“To be clear, our agents unintentionally find child pornography as they try to make the repairs the customer is paying for. They are not looking for it. Our policies prohibit agents from doing anything other than what is necessary to solve the customer’s problem so that we can maintain their privacy and keep up with the volume of repairs.”

My first reaction to reading this was “looks like more spin than a Steve Mizerak massé”. I have a lot of respect for PR as a profession, but this smacks of trying to close the barn door after the horse has already bolted. Depending on the circumstances, I would even question that there is a moral obligation, even if a legal one is there. That they would be proud of this policy, especially if it goes over and above what the law actually requires (despite what they say), is a bit concerning from a privacy standpoint.

The law in Texas appears to have such a requirement. Without quoting the entire law here, the computer technician has to “view the image” “in the course and scope of employment or business” in order for the reporting requirement to kick in. There’s a criminal penalty of a class B misdemeanor ($4,000 fine and/or 180 days county jail as of this writing) as well as possible civil liability. For the terminally curious, it’s Section 110 of the Business and Commerce Code.

Anyway, whether your threat model is a Best Buy technician, or an intimate partner who may have turned to stalking you, the basic ways to protect yourself are pretty much the same. First, realize that without taking any other steps, “deleted” files aren’t really deleted. Whether one empties the Recycle Bin in Windows, or runs the rm command from a GNU/Linux command line, the only thing that is actually removed is the pointer to the data, not the data itself.

If the true intent is to erase a file, one needs to actually erase it, not just remove the pointer to it. BleachBit contains options for wiping the data in the free space of a hard drive (which I would recommend doing at least once per month, if not more often), as well as overwriting file contents or an entire directory’s contents prior to deletion. There is also the shred command for GNU and related systems if working from the command line. This mainly pertains to mechanical hard drives, as a properly configured solid state drive (SSD) should effectively do this for you: enable TRIM on Windows, or mount with the “discard” option on GNU/Linux (yes, it may affect performance but it’s a small price to pay for knowing that deleted files are actually gone and not just floating around). In fact, not only should one not need to overwrite files on a solid state drive, doing so can shorten the drive’s lifespan.
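The overwrite-then-delete approach described above (and in tip 6 of the earlier post), as an added example that is not from the original post: it overwrites a file in place, checks that a known marker string is gone, and only then removes the name, while skipping the overwrite when the disk is reported as an SSD. The function names are made up for this example, and the flag file argument assumes the Linux sysfs location `/sys/block/<disk>/queue/rotational`.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are made up here.

# is_ssd FLAGFILE: true only if the kernel's rotational flag reads 0.
# On Linux the flag is /sys/block/<disk>/queue/rotational (1 = HDD, 0 = SSD).
# An unreadable or missing flag counts as "not known to be an SSD".
is_ssd() {
    [ -r "$1" ] && [ "$(cat "$1")" = "0" ]
}

# overwrite_in_place FILE: replace FILE's bytes with random data in the same
# blocks. shred is used when present; otherwise dd with conv=notrunc, which
# writes over the existing data instead of truncating and reallocating.
overwrite_in_place() {
    size=$(wc -c < "$1") || return 1
    [ "$size" -gt 0 ] || return 0
    if command -v shred >/dev/null 2>&1; then
        shred -n 1 -- "$1"
    else
        head -c "$size" /dev/urandom | dd of="$1" conv=notrunc 2>/dev/null
        sync
    fi
}

# wipe_file FILE MARKER [FLAGFILE]
#   MARKER   a string known to be in FILE, used to verify the overwrite
#   FLAGFILE optional rotational flag; if it says SSD, skip the overwrite
# Prints "overwritten" or "unlinked-only" to say which path was taken.
wipe_file() {
    [ -f "$1" ] || { echo "not a regular file: $1" >&2; return 2; }
    if [ -n "${3:-}" ] && is_ssd "$3"; then
        rm -f -- "$1" && echo "unlinked-only"   # SSD: leave it to TRIM/discard
        return
    fi
    overwrite_in_place "$1" || return 1
    if grep -q -F -- "$2" "$1"; then
        echo "marker still present, keeping $1" >&2
        return 1
    fi
    rm -f -- "$1" && echo "overwritten"
}
```

On journaling or copy-on-write filesystems, and wherever snapshots or backups exist, older copies of the data can survive an in-place overwrite.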

Second, consider using encryption to keep your data private. There is a reason most websites (including this blog) use HTTPS (encrypted HTTP) now, and why it’s been recommended since the beginning of the World Wide Web to never submit credit card or banking information over unencrypted plain HTTP. Anyone can read plain HTTP while it’s in transit. It’s the electronic equivalent of writing information on a postcard and mailing it–something most people reserve for the most innocuous of communications. Similarly, data encrypted in storage won’t be readable without a decryption key, usually a passphrase (don’t just use a simple word).

Third, consider keeping particularly sensitive data on external storage devices such as USB hard drives, so that the data is not on the computer if it needs to be repaired. This would also reduce the chance of important data on the internal drive getting “accidentally” erased for whatever reason during a repair–though if it’s important, it should be backed up anyway (see below).

Fourth, don’t keep data that you don’t need. If you don’t need your web browsing history from some months ago, get rid of it. Firefox sorts history by calendar month and lumps sites visited over 6 months ago into their own list; unfortunately, clearing out old history has to be done manually every so often (again, I would recommend monthly). For stuff that should never go into the history to begin with, Chrome has an “incognito” mode and Firefox has a “private browsing” mode. Firefox, at least, also lets one completely disable keeping browsing history if appropriate for one’s situation (Preferences / Privacy / History then select “Never remember history”) and also includes a “Forget” toolbar button for quickly “disappearing” the last 5 minutes, 2 hours, or day’s worth of history.

Finally, don’t forget to keep adequate backups. Remember, if the main copy of the data is encrypted, it only makes sense for the backups to be encrypted as well (and often the backup copies should be encrypted even if the originals are not). The more important something is, the more backup copies of it should exist (either onsite or offsite).