SAN FRANCISCO — Let’s be clear. Your personal information online is not always yours to control.
Thieves could grab a Social Security number stored unencrypted in a doctor’s computer; the National Security Agency could order an e-mail provider to unlock correspondence; even the phone company could supply the police with a map of your whereabouts for the last several months.
For now, short of living in a cave without a cellphone, there are no fail-proof technological tricks to avoid this exposure. But there are a variety of tools to minimize your digital footprint.
Some of these tools cost money, making digital privacy something of a luxury for those who can afford it. Others are free. But all of them take effort and awareness.
“A lot of people say, ‘I don’t have anything to hide,’ ” said Mike Janke, chief executive of Silent Circle, a company outside Washington that markets a private communications tool to individuals and businesses. “I say, ‘Tell me the last time you had a private conversation — or thought you did.’ ”
PROTECTING PASSWORDS Experts say never to use the same password on multiple sites. Reality says that following that advice is nearly impossible.
But keeping strong and safe passwords, which means keeping multiple passwords, is crucial to protecting accounts. A relatively safe bet is to use a password manager, which generates random passwords and stores them in an encrypted safe, to which only you have the key, usually in the form of a master password. Several are available, including Dashlane, LastPass and RoboForm; some work better than others on mobile devices. Apple’s new operating system, iOS 7, includes a so-called Password Generator that can produce “a unique, hard-to-guess password” as well as “remember it for you.”
Two-step authentication is another worthwhile safeguard. Many large Web companies, including Google and Yahoo, along with recently breached services like LinkedIn, now offer this option. If you turn on two-step authentication, entering a user name and password sends a code to your phone by voice mail or text message. The service then requires that you enter the sent code. It takes extra time to set up and use the system, but far less than it would take to clean up a thief’s mess.
TRICKING THE TRACKERS Whether it is to avoid peeping criminals or advertising networks, there are several options for keeping your browser history to yourself.
Tracker blocking tools let you see the companies tracking your activities on the Web and block them if you wish. Some of the popular blocking tools include Ghostery, Disconnect and Abine. To the dismay of advertisers, some browser makers now offer consumers a way to block so-called third-party cookies, tiny pieces of code that track where you go on the Web.
Forrester Research estimates that 27 percent of Web users have used an ad blocking tool, a sharp increase from recent years.
It is possible to take much stronger steps, too, and Tor is one of the most popular options. Originally developed for the Navy, and used by agents for the Federal Bureau of Investigation, Tor’s browser prevents Web sites from knowing who you are by rerouting Web traffic through a series of other points. Using Tor with your e-mail service, for instance, would most likely prevent a government agency from detecting your Internet Protocol address, though not from compelling a service provider to turn over your messages.
Orbot offers an equivalent for the Android operating system; there is nothing for iOS.
A virtual private network, or VPN, can also help blur your tracks. It creates an encrypted tunnel between your computer and the VPN’s server, obscuring your Web browsing to others, including your Internet service provider. But some VPNs log your Internet traffic, compiling a rich history of your Web travels. HTTPS Everywhere, a browser extension, takes you to secure, encrypted versions of Web sites wherever possible, protecting you from eavesdroppers, for instance, when you are using public Wi-Fi.
If you do not want Google or Bing (the two main search engines) to compile your search history data, there is the upstart search engine called DuckDuckGo.
Its founder, Gabriel Weinberg, says his company has no interest in saving user search history. The company makes money by serving advertisements based on the keywords searched, right then and there, and discards the search history. So if the government asks for user information (that hasn’t happened yet, he said), it will not get much. “If the data doesn’t exist, there’s nothing to hand over,” he said.
TRUSTING THE CLOUD Lawyers sometimes like to say that the digital cloud has fundamentally changed the relationship between citizens and their governments. If the police wanted to inspect your work files in the past, a search warrant was required to enter your office. Now, the police can turn to the cloud service you use to store work files.
But when SpiderOak, of San Francisco, receives these inquiries, it cannot offer anything legible. Not only are its customers’ files encrypted, but users’ plain text passwords are not transmitted to the company.
“Most companies ask you to trust them,” said Ethan Oberman, its chief executive. “Our theory is you don’t have to trust us.” The service costs $10 a month for 100 gigabytes of storage.
KEEPING CONVERSATIONS PRIVATE An e-mail is like a postcard — it can be easy for others to read. And an e-mail provider’s promise of encryption provides little comfort. For starters, when a message is sent from a Gmail user to a Yahoo user, for example, it travels on the wide open highway of the Internet, vulnerable to theft. And a government can order an e-mail provider to unlock the correspondence — whether through a search warrant from police agencies or a National Security Letter from an intelligence agency.
Moxie Marlinspike, a security researcher, uses the analogy of an offline lock and key. “Let’s say the door to my house is locked, but I keep the key Scotch-taped next to it,” he said. Anyone who can grab the key can get in.
P.G.P., or Pretty Good Privacy, is one system to encrypt e-mail communications, but it is relatively complicated to use. The brains behind that tool have now come together to form Silent Circle, the company run by Mr. Janke. In addition to encrypted e-mail — which Mr. Janke admits is the company’s least secure product — Silent Circle also offers encrypted phone, text messaging, file transfer and video chat services. The user gets a 10-digit phone number that works on Android or Apple devices.
The company does not keep a log of phone calls, which means that a law enforcement request even for so-called metadata is likely to be futile. A decryption key is produced for a phone call, video chat or text message made using its service; once the message is received, the key is deleted. But there is a serious hitch: the extra protection works only if both parties are using Silent Circle. The service costs $10 a month.
Mr. Marlinspike has also developed an encrypted text messaging app, TextSecure, now available on Android. Off the Record is another encrypted instant message service. RedPhone, built by Mr. Marlinspike, encrypts calls from end to end, and keeps no data itself, meaning that no telephone carrier can keep a record of those you talk to or comply with a wiretap order to monitor your phone calls.
KoolSpan, a Bethesda, Md., company, offers its encrypted phone and data service to law firms, which are especially interested in safeguarding their client communications from hackers; former Attorney General John Ashcroft’s firm, the Ashcroft Group, is a client.
REMEMBERING THE BASICS Even the most advanced privacy tools might not work, though, if the basics are ignored. And perhaps the most basic safeguard of all — the equivalent of hand-washing in digital hygiene — is to keep software updated. A host of known security bugs are often fixed with each release, and ignoring those sometimes annoying calls to update is done at your peril.