To contact me using encrypted e-mail, please use my GPG public key below. This key allows you to encrypt messages to me. You need your own key, as well, to encrypt and decrypt messages. For Mac users, GPGTools software can help set you up on GPG. For Windows users, there is a program called GPG4Win.

GPG Key C664D201

Before sending an encrypted message, it’s important to verify that you have the right key by comparing the key fingerprint that you downloaded with another verifiable fingerprint. My public key fingerprint is: F292 E93A 86B3 1713 05A6  FE9F 85C9 09BB C664 D201

In the course of writing my book, Dragnet Nation, I tried various strategies to protect my privacy. In this series of book excerpts and adaptations, I distill the lessons from my privacy experiments into tips for readers.

Ever since Edward Snowden revealed the inner secrets of the NSA, he has been urging Americans to use encryption to protect themselves from rampant spying.

“Encryption does work,” Snowden said, via a remote connection at the SXSW tech conference. “It is a defense against the dark arts for the digital realm.”

ProPublica has written about the NSA’s attempts to break encryption, but we don’t know for sure how successful the spy agency has been, and security experts still recommend using these techniques.

And besides, who doesn’t want to defend against the dark arts? But getting started with encryption can be daunting. Here are a few techniques that most people can use.

Encrypt the data you store. This protects your data from being read by people with access to your computer.

• Encrypt your hard drive so that if you lose your computer or you get hacked, your information will be safe. Most recent Apple Macintosh computers contain a built-in encryption system called FileVault that is simple to use. Some versions of Microsoft’s Windows 7 also contain a built-in encryption system called BitLocker. Another popular solution is the free, open-source program TrueCrypt, which can either encrypt individual files or entire partitions of your computer or an external hard drive.

•  Encrypt the data you store in the cloud. I use the SpiderOak encrypted cloud service. If an encrypted cloud service were somehow forced to hand over their servers, your data would still be safe, because it’s encrypted using a key stored only on your computer. However, this also means that if you lose your password, they can’t help you. The encrypted data would be unrecoverable.

Encrypt the data you transmit. The Snowden revelations have revealed that U.S. and British spy agencies are grabbing as much unencrypted data as they can find as it passes over the Internet. Encrypting your data in transit can protect it against spy agencies, as well as commercial data gatherers.

• Install HTTPS Everywhere on your Web browser. This encrypts your Web browsing sessions, protecting you from hackers and spy agencies that scoop up unencrypted traffic across the Internet. Not every site works properly with HTTPS Everywhere, though an increasing number do.

• Use the Off-the-Record Messaging protocol to encrypt your instant messaging conversations. You can still use your favorite instant-messaging service, such as Gchat or AIM, though you’ll need to use a software client that supports the Off-the-Record protocol. On Macs, free software called Adium can enable OTR chats, and on Windows, you can use Pidgin. Once you’ve set up OTR and gone through a simple verification step, you can IM as you usually do. Both parties have to use OTR for the encryption to work.

• Use Gnu Privacy Guard to encrypt your email conversations. Like OTR, if you’re using GPG you’ll need the people you email with to use it as well in order to encrypt your conversations. I use free software called GPG Tools with Enigmail and Postbox. GPG Tools also works directly with Apple’s built-in Mail program.GPG has some shortcomings — it’s difficult-to-impossible to use it with the mail program built into most smartphones, and you can’t use it easily with webmail like Gmail. (Although there are some new web-based mail programs that use GPG called Mailvelope and StartMail that I haven’t had a chance to try yet.)The most difficult part of GPG is that, unlike the encrypted texting and instant messaging programs, you have to generate a secret key and keep it somewhere secure (usually on your computer or on a USB stick). This often means you can only send GPG mail when you have your key with you. Even so, it is incredibly satisfying once you send your first message and watch it transform into a block of numbers and letters when you click “encrypt.”

In the course of writing my book, Dragnet Nation, I tried various strategies to protect my privacy. In this series of book excerpts and adaptations, I distill the lessons from my privacy experiments into tips for readers.

“Where R U?” There’s a reason that is among the most common text messages of the modern age.

Location is one of the most revealing pieces of information about us. In 2013, researchers found that four instances of a person’s location at a given point in time were enough to uniquely identify 95 percent of the individuals they examined. “Human mobility traces are highly unique,” the researchers wrote. “Mobility data is among the most sensitive data currently being collected.”

Location is also predictive. In another study, researchers at Microsoft were able to use location data to predict where people would be in the future. Wednesdays were the easiest to predict, and weekends the hardest. “While your location in the distant future is in general highly independent of your recent location,” the researchers wrote, “it is likely to be a good predictor of your location exactly one week from now.”

To mask my location I took several steps:

1)   When browsing the Web, I tried to use  the Tor Browser as often as possible.  Tor anonymizes the location – known as the IP Address — that you computer transmits automatically to every website you visit. It’s amazing to see how revealing your IP address can be –this site pinpoints my location exactly.

Tor bounces your Internet traffic around the world so that your computer’s location is masked. However, because your traffic is bouncing around the world, using Tor can slow down your Web browsing. Click the Tor button on this graphic to see how Tor protects your location from potential eavesdroppers.

2)   Masking my location when using my cellphone was more difficult. I turned off ‘location services’ for my apps. And I tried to opt out from companies that track cellphone users via the Wi-Fi signal emitted by their phone.

I identified 58 companies that appeared to be in the mobile location tracking business—ranging from advertisers to wireless carriers. Of those, only 11 offered opt-outs—which I attempted to complete. Here is the chart of the folks I found that offered opt outs.

The Future of Privacy Forum has also built a location opt-out site, which as of today, offers opt-outs from 11 location tracking companies.

Ultimately, I decided that turning off my Wi-Fi signal was a more effective opt-out.

3)   When I really do not want my location to be tracked, I throw my phone into a Faraday cage – a bag that blocks it from transmitting signals to Wi-Fi or the cellphone tower. I use this one from OffPocket, but any Faraday cage will do.

Of course, this also means that I can’t use my phone. So, like most of my privacy fixes, it is a highly imperfect solution.

In the course of writing my book, Dragnet Nation, I tried various strategies to protect my privacy. In this series of book excerpts and adaptations, I distill the lessons from my privacy experiments into tips for readers.

The following excerpt appeared on Time.com on February 24, 2014.

I think it was the search for “pink glitter tiny toms” that finally prompted me to quit Google.

I had long been worried that Google knew too much about me — after all, like most people, I used Google Search, Google Maps, Google Docs and Gmail on a daily basis. Not to mention the Google ads that tracked me across the web.

But I didn’t quite realize how much Google knew until I dug deep into my Gmail account settings and found the section where Google had been logging my search queries dating back to when I opened my account in 2006.

There, I found that Google had been carefully cataloging the 26,000 searches that I apparently conducted every month, by date and by category (maps, travel, books, etc.).

My searches were a horrifying insight into what Buddhists call the “monkey mind,” leaping from place to place restlessly. Consider Nov. 30, 2010: I started the day by reading some technology news. Then, suddenly, I was searching for “pink glitter tiny toms” for shoes I was considering purchasing for my daughter. Then I was off to the thesaurus to look up a word for an article I was writing, then to OpenTable to book a restaurant reservation, and then to Congress‘s site to download the text of privacy legislation. Phew.

This was more intimate than a diary. It was a window into my thoughts each day — in their messiest, rawest form — as I jumped from serious work topics to online shopping for my kids. My searches are among the most sensitive information about me. If I’m planning a trip to Berlin, all my searches are about Berlin. If I’m researching an article about facial-recognition technology, all my searches are about facial-recognition technology. Basically, my searches are a fairly accurate prediction of my future actions.

This was something I didn’t want anybody to see — not my boss, my friends or my husband. And even more desperately I did not want my information fed into some algorithm that will reveal that people who considered buying pink glitter shoes and recently visited Berlin are poor credit risks, or some such thing that will likely arise in the future world of Big Data.

And I couldn’t expect the company to keep all my data secret. Google has a history of abusing users’ trust. In 2010, it launched a social-networking tool called Buzz that automatically listed people as “followers” of people with whom they frequently emailed or chatted on Gmail. Users who clicked on the button “Sweet! Check Out Buzz” were not adequately informed that the identity of their closest Gmail contacts would be made public. Google later agreed to settle the Federal Trade Commission’s charges that Buzz was deceptive and paid $8.5 million to settle a Buzz-related class action.

Google was also caught bypassing the privacy settings of Safari, used by millions of iPhone and other Apple users, with a special computer code to trick the browser into allowing Google tracking. Google later paid a $22.5 million fine related to that violation. And, of course, Google violated people’s privacy when its Street View cars inadvertently collected personal information from wi-fi networks.

And then there is the data that Google hands over to the government. Google gets legal requests from the U.S. government for information about tens of thousands of accounts per year — and it complies with most of them. This is partly due to the outdated privacy laws that make it easier for law enforcement to legally read people’s email than to open their postal mail. Most mail can only be opened with a search warrant, but “stored” email can be obtained without a warrant.

The leading Internet companies, including Google, Apple and Facebook, have joined a coalition that is pushing to amend the Electronic Communications Privacy Act to require search warrants for email and cell phone location records. So far its efforts to reform the law have not been successful.

If that wasn’t enough, we have learned from the top-secret documents obtained by Edward Snowden that the National Security Agency has been hacking into Google’s data centers.

So I decided I needed to go on a Google data diet. I started by quitting Google Search.

I found a tiny search engine called DuckDuckGo that has a zero-data-retention policy. It doesn’t store any of the information that is automatically transmitted by my computer — the IP address and other digital footprints. As a result, DuckDuckGo has no way to link my search queries to me. “When you access DuckDuckGo (or any website), your web browser automatically sends information about your computer,” the company’s privacy policy states. “Because this information could be used to link you to your searches, we do not log (store) it at all. This is a very unusual practice, but we feel it is an important step to protect your privacy.”

As soon as I switched, I realized how dependent on Google I had become. Without Google’s suggested searches and perfect memory of what I usually search for, each search required more work from me. For instance, DuckDuckGo doesn’t know that I live in New York City, so when I mistyped “Naturaly History Museum,” it brought up the Natural History Museum of Los Angeles. For a comparison, I checked Google — and sure enough, it corrected my spelling and guessed I was in New York, listing the American Museum of Natural History in Manhattan at the top of my search results.

DuckDuckGo’s lack of knowledge about me forced me to be smarter in my searches. For instance, I noticed I had become so lazy that I had been typing URLs — like CNN.com — into the Google Search bar instead of the navigation bar, even though I knew exactly where I was going. So I began typing the addresses into the correct spot on my web browser.

The next thing I noticed: I had been Googling web pages that I visit regularly — such as my kids’ schools and my yoga-studio schedule — instead of just bookmarking them. And so I began bookmarking them.

In fact, I had gotten so accustomed to letting Google do my work that I found it a bit jarring to have to finish typing an entire word without Google’s finishing it for me. Without Google’s suggestions, however, I found that I was less distracted to search for things I didn’t need. No more typing in the letter a and having Google suggest “amazon,” and then suddenly remembering that I needed to order something from Amazon.com.

With DuckDuckGo, I usually found what I wanted, although sometimes it was strange to be confronted with just three results. I was so conditioned to seeing millions of results for everything on Google.

But DuckDuckGo had some black holes. I desperately missed Google Maps and couldn’t find any other online maps that I liked as much. And I missed the Google News section.

Before going to a friend’s dinner party, I searched to remind myself of the promotion he had just landed at Columbia University. There had been some recent news about it, but all my searches on his name, Sree Sreenivasan, and his name and Columbia, turned up nothing. Finally, I tried “Sree, Columbia and News” and an article popped up. The news was there. I just had to retrain myself to use DuckDuckGo’s structure for news searches.

It dawned on me that I had attuned myself to Google. I had always thought of Google as a clean sheet of paper — possibly because of its nice white interface — but in fact I had molded my questions to adjust to how Google likes to answer questions.

Now I was attuning myself to a different service, DuckDuckGo, which had different ways of answering questions. It was like a new relationship: I was discovering my new partner’s quirks and foibles. And it was empowering. I was attuning myself to a partner that didn’t have a hidden agenda of building a file on me for advertising purposes.

I had broken free from Google, and the world was still on its axis. I had mastered another service and could still find the information I needed. The whole experience reminded me of a quote from Marc Andreessen, the man who created Netscape, the first web-browsing software, back in 1994. “The spread of computers and the Internet will put jobs in two categories,” he said in a 2012 interview. “People who tell computers what to do, and people who are told by computers what to do.”

Mastering my switch to DuckDuckGo made me feel like I had a better chance of being in the category of people who tell computers what to do.

In the course of writing my book, Dragnet Nation, I tried various strategies to protect my privacy. In this series of book excerpts and adaptations, I distill the lessons from my privacy experiments into tips for readers.

The following excerpt appeared in The Wall Street Journal on February 21, 2014.

If you search for my kids online, you’ll find barely a trace of them. Not only do I not post any information or photos of them, I have also taught them to erase their own digital footprints.

My children, whom I will call Woody and Harriet, are 6 and 9. They use fake names online—always. They use software to block online tracking, and instead of Googling homework assignments, they use a search engine that doesn’t store any data about their queries. They have stickers that cover their computer cameras. Harriet, my older child, uses an encryption program to scramble her calls and texts to my cellphone, using passwords that are 20 characters long.

Why go to such extremes at such a young age? Because if I don’t do anything to help my children learn to protect themselves, all their data will be swept up into giant databases, and their identity will be forever shaped by that information.

They won’t have the freedom I had as a child to transform myself. In junior high school, for example, I wore only pink and turquoise. But when I moved across town for high school, I changed my wardrobe entirely and wore only preppy clothes with penny loafers. Nobody knew about my transformation because I left no trail, except a few dusty photographs in a shoebox in my parents’ closet. Try that in the age of Facebook.

Even worse, if my children leave their data lying around, they will face all the risks of what I call our “dragnet nation,” in which increased computing power and cheap data storage have fueled a new type of surveillance: suspicionless, computerized, impersonal and vast in scope. Criminals could use my kids’ data to impersonate them for financial fraud. Extortionists could seize control of their computers’ Web cameras and blackmail them with nude photos. And most terrifyingly, their innocent online inquiries would be forever stored in databases that could later place them under suspicion or be used to manipulate them financially.

Persuading my kids to care about privacy wasn’t easy. To them, “privacy” was just a word that meant “no.” Privacy was the reason they couldn’t post videos on YouTube or sign up for kids’ social networks. Privacy is the reason I complained to their teachers about posting pictures of them on a blog that wasn’t password-protected. So I began my family privacy project by explaining to my daughter how strong passwords would let her keep secrets from me—and her nosy younger brother.

We began by using a password methodology known as Diceware, which produces passwords that are easy to remember but hard for hackers to crack. Diceware is deceptively simple: You roll a six-sided die five times and use the results to pick five random words from the Diceware word list, which contains 7,776 short English words. The resulting passwords look something like this: “alger klm curry blond puck.”

Harriet loved building strong passwords. Soon I began paying her to build passwords for me too. Eventually she branched out and started selling strong passwords to friends and family members for $1 each.

Excited by her successful business venture, Harriet soon became curious about some of the other experiments I’ve tried to reclaim my online privacy. She loved the fake identity that I created for some of my online accounts (“Ida Tarbell,” borrowing the name of a turn-of-the-century, muckraking journalist) and decided to use a fake name for her online accounts as well.

Harriet was also entranced by the encryption tools I used to turn my text messages and emails from plain text into huge blocks of code that could only be read by the intended recipient. So I set up an encryption app called Silent Circle so that she and “Ida” could exchange encrypted texts and phone calls.

Harriet also got interested in a program called Ghostery that I use to block online tracking. She particularly liked Ghostery’s logo—a cute little blue ghost that sits at the top right corner of her Web browser. So I installed Ghostery on her own computer, an old netbook that we got free when setting up our high-speed Internet connection. She began to view Ghostery as a videogame, with the goal being to find websites with the most trackers. “Mommy, I found one with 41 trackers!” she crowed, running into my room toting her computer.

Harriet even started to like DuckDuckGo, a privacy-protecting search engine whose logo is a cheerful duck in a bow tie. I set it up as her default search engine, and she happily showed the duck off to her friends.

To keep outside snoops away from the family iPad, we found an app from Brian Kennish, a former Google engineer who quit to build privacy-protecting software. His powerful Disconnect Kids app captured all the traffic leaving our iPad and blocked any contact with a list of known mobile tracking companies. I thought the app’s invisible whirring was quite clever, but Harriet was disappointed that it lacked a videogame aspect: She couldn’t see how many trackers it was blocking.

After Harriet had used Disconnect Kids for a while without breaking any of her other apps, I decided to install Disconnect Kids on my own iPhone. Sure, it was a kids’ app, but I had been struggling to block ad tracking on my phone—and this was the best solution I’d seen yet.

Now, whenever I glance at Disconnect Kids’ dancing green robot on my iPhone, I remember that my kids and I face the same online challenges. After all, what’s the difference between privacy-protecting software for kids and adults when all of our data is being swept up equally indiscriminately?

In the course of writing my book, Dragnet Nation, I tried various strategies to protect my privacy. In this series of blog posts, I try to distill the lessons from my privacy experiments into a series of useful tips for readers.

Data brokers have been around forever, selling mailing lists to companies that send junk mail. But in today’s data-saturated economy, data brokers know more information than ever about us, with sometimes disturbing results.

Earlier this month, OfficeMax sent a letter to a grieving father addressed to “daughter killed in car crash.” And in December, privacy expert Pam Dixon testified in Congress that she had found data brokers selling lists with titles such as “Rape Sufferers” and “Erectile Dysfunction sufferers.” And retailers are increasingly using this type of data to make from decisions about what credit card to offer people or how much to charge individuals for a stapler.

During my book research, I sought to obtain the data that brokers held about me. At first, I was excited to be reminded of the address of my dorm room and my old phone numbers. But thrill quickly wore off as the reports rolled in. I was equally irked by the reports that were wrong—data brokers who thought I was a single mother with no education—as I was by the ones that were correct—is it necessary for someone to track that I recently bought underwear online? So I decided to opt out from the commercial data brokers.

It wasn’t easy. There is no law requiring data brokers to offer opt-outs. Of the 212 data brokers that I managed to identify, less than half—92—accepted opt-outs. Of those, a majority—65—required me to submit some form of identification, such as a driver’s license to opt out. Twenty-four sites required the opt-out forms to be sent by mail or fax. In some cases, I decided not to opt-out because the service seemed so sketchy that I didn’t want to send in any additional information.

Still, I achieve some minor successes: A search for my name on some of the largest people-search Web sites, such as Intelius and Spokeo, yields no relevant results.

So, for those who want to try my strategy, here are the two spreadsheets I put together with the names of companies that track your information, links to their privacy pages, and instructions on how to opt out, in the cases where they offered them.

The first spreadsheet below is a list of data brokers who will give you copies of your data. (You can scroll around inside the box below, and you can also download your own copy of the spreadsheet, in Excel format, or as a CSV file.) The second is the list of data brokers from whom I sought to opt-out, with the ones that allowed opt-outs highlighted. (Download that one as Excel or CSV.)

Good luck!

Companies that let you download your data:

All of the companies I tried to opt out of:

In the course of writing my book, Dragnet Nation, I tried various strategies to protect my privacy. In this series of book excerpts and adaptations, I distill the lessons from my privacy experiments into tips for readers.

Passwords are the first line of defense between your private data and an attacker – whether it is a criminal hacker or a spy agency.

But most of the conventional wisdom about building passwords is terrible. People are often told they should change their passwords every three months; that their passwords should be made strong with multiple symbols and letters; and the passwords should not be written down anywhere.

Computer scientist Ross Anderson has summed up this terrible advice as “Choose a password you can’t remember, and don’t write it down.” Faced with that impossible task, most people use passwords that are easy to remember – the most popular password is still 123456 – and use it for every single account.

It’s actually better advice to choose a more secure password and write it down somewhere in a safe place. After all, it’s much less likely that someone will break into your house and steal your master password list than it is that someone will hack into your account from afar through a weak password.

However, even if you write down your passwords, you still face the difficult task of dreaming up the dozens of passwords that seem to be required for modern life. At first, I tried to make up my own passwords, but after I stumbled on this password-strength estimator, I realized that many of my homegrown passwords were still easy to crack. So, after much searching for a perfect password strategy, I came up with a two-tiered solution for building strong passwords:

• For less important passwords – such as for my frequent flier and online shopping accounts – I used password management software called 1Password to generate and store passwords. Like its competitors, LastPass and KeePass, 1Password generates strong passwords from strings of letters, numbers and symbols and stores them on my machine in an encrypted file.

• For more important passwords – such as the password to my 1Password vault, my e-mail and online bank accounts – I used a simple, low-tech passphrase-generating system called Diceware. It works like this: roll a six-sided die five times, then take the numbers you roll and match them up to the Diceware word list, which contains 7,776 short words. Repeat this five times and you will end up with a five-word passphrase that is hard for attackers to crack, but easy to remember. [UPDATE 3/27/14: Diceware creator Arnold Reinhard is now recommending that people use six words.]

This XKCD comic nicely sums up the beauty of the Diceware approach.

In the course of writing my book, Dragnet Nation, I tried various strategies to protect my privacy. In this series of book excerpts and adaptations, I distill the lessons from my privacy experiments into tips for readers.

One of the easiest and simplest things you can do to protect your privacy is to be a smarter Web browser.

This is surprisingly difficult because most popular Web browsing software is set up to allow users to be tracked by default. The reason is simple economics – you don’t pay for Web browsing software, so the companies that make it have to find other ways to make money.

The most egregious example of this conflict came in 2008 when Microsoft’s advertising executives helped quash a plan by the engineers to build better privacy protections into the Internet Explorer 8 Web browser. Microsoft has since added additional protections – but they are not turned on by default.  The situation is no better at Google, whose Chrome Web browser has “buried and discouraged” the “Do Not Track” button, and is pioneering the use of new tracking technology that cannot be blocked. And it’s worth noting that the other big Web browser maker, Mozilla Corp., receives 85 percent of its revenues (PDF) from its agreement to make Google the default search engine on Firefox. 

Even worse, many of the tools that Web browsers offer to protect privacy are not effective. Tracking companies have refused to honor the “Do Not Track” button. And Google Chrome’s “Incognito” mode and Internet Explorer’s “InPrivate Browsing” mode won’t protect you from being tracked. Those settings simply prevent other people who use your Web browser after you to see where you’ve been online.

And so, in order to prevent the most common types of tracking, I ended up loading up my Web browser – Mozilla’s Firefox – with a bunch of extra software. It sounds like a lot of work, but most of this software can be installed in a few minutes. Here’s what I used:

• I installed “HTTPS Everywhere,” created by the Electronic Frontier Foundation and the Tor Project. This tool forces your Web browser to use encrypted Internet connections to any website that will allow it. This prevents hackers – and the National Security Agency – from eavesdropping on your Internet connections.

• I also installed Disconnect, a program created by former Google engineer Brian Kennish, which blocks advertisers and social networks, such as Facebook and Twitter, from tracking which websites you visit.

• And finally I set my default search engine to be DuckDuckGo, a search engine that doesn’t store any of the information that is automatically transmitted by your computer — the IP address and other digital footprints — so DuckDuckGo has no way to link your search queries to you. That means DuckDuckGo won’t auto-complete your search queries based on your previous searches or based on your physical location, as Google does. So you’ll have to be a little smarter about your searches, and remember to bookmark the pages that you visit often, to save time.

After browsing with my ungainly setup for nearly a year, I found a Web browser that had all the features I wanted built in — called WhiteHat Aviator. It has built-in HTTPS Everywhere, it doesn’t retain or sell your online activity, and it uses Disconnect to block trackers from advertisers and social media companies. Its default search engine is DuckDuckGo.

It’s built by a computer security firm called WhiteHat Security, but it hasn’t been audited by any computer security experts yet, as far as I can tell. So use it at your own risk (and currently you can only use it on the Mac OSX operating system). But I’ve been using it for a few months, and after some bugginess in the beginning, I’ve started to enjoy the unusual feeling of having privacy as a default setting.