While many people are pretty vigilant about their personal security, be it financial, physical, mental, or otherwise, most of us internet users are far less motivated, and much less educated, when it comes to the security of our data. And even those internet users with a general awareness of internet privacy gaps—even those who have browsed one of the internet’s many useful guides to digital security—have surely felt daunted by the task of protecting themselves from hackers.
“Something just isn’t right with the state of digital security advice,” says John Scott-Railton, a senior researcher at Citizen Lab, a research group at the University of Toronto focused on digital rights and privacy. This week, the group launched its attempt at a solution: the website Security Planner, a custom, peer-reviewed digital security tool that’s centered around basic questions about a user’s current needs (“I’m concerned about online harassment”; “I want to know more about how governments are accessing my data”) and offers clear, personalized action plans for data protection.
Bruce Schneier, a noted cryptographer and digital security specialist who serves on the project’s advisory board, points to a handful of good existing resources on internet security, including EFF’s Surveillance Self-Defense, Front Line Defenders’ Digital Protection, and Motherboard‘s recently published guide to not getting hacked. Security Planner isn’t meant to replace these guides, Schneier says: instead, it’s for users who want to improve their online security immediately without getting too deep into the intricacies of an ever-evolving set of technologies.
“It’s a quick bang for your buck, a quick return,” says Schneier, who provided input as part of the project’s peer review. “[Some] advice is too complex and doesn’t meet your needs, and [the guides] often don’t get updated. And last year’s advice is sometimes the wrong advice.”
To gather recommendations, Citizen Lab is managing a peer review group of security professionals, including Dr. Angela Sasse of University College London and Jamie Tomasello of Duo Security, as well as activist organizations like the Guardian Project and the Tibet Action Institute. Scott-Railton says Citizen Lab sought to couple their expertise with user testing and consumer surveys, so that the final language feels accessible for average users, rather than technical or esoteric.
“I bet most of us would agree that there is a digital security literacy gap,” he says. “Most users really don’t know where to start. This is not for lack of online ‘digital security advice.’ There is a ton of such advice. It is often contradictory, arbitrary, confusing, out of date, not clear about use cases, and so on. This is not to say that there aren’t some good, well-thought-out guides out there,” he adds, “but for the most part their intended audience is high-risk users.”
Scott-Railton is well acquainted with those users: Citizen Lab has built its reputation on investigating some of the world’s most sophisticated commercial and government-made spyware and its use against activists and political dissidents. Security Planner is for them, but it’s also for the rest of us.
“Average users are not technologically savvy, and it’s a very unfair competition to pitch the average user against the best,” Schneier says. “So what I like about [Security Planner] is that it’s not going to make you perfect, but here are some things you can do now to even the odds.”
Apart from personalized tips, Security Planner also lets users see all of its recommendations for browsing, computers, online accounts, smartphones, and internet connections, among other areas of interest. For more secure browsing, for instance, Security Planner recommends installing HTTPS Everywhere, which switches a user’s connection to the encrypted HTTPS version of thousands of websites for secure surfing.
The site also recommends the privacy-focused Tor Browser and the plug-in Privacy Badger, which prevents advertisers and others from tracking users across the web. Citizen Lab also suggests using Google Chrome and Mozilla Firefox because “they are available across platforms, support the browser extensions and apps that we recommend, and have many advanced security features.” (The tool has received funding from Consumers Union, which publishes Consumer Reports, as well as from Jigsaw, the Alphabet social good incubator, whose parent company makes the Chrome browser.)
For securing phone data, Security Planner recommends Whisper Systems’ Signal, which allows users to call and text privately via encryption. Security Planner also walks users through the setup of built-in encryption for iOS and Android phones, as well as guiding users on how to properly back up their phone’s data. It also offers recommendations for more high-risk users (activists, journalists, and the like) as well as guidance for dealing with online harassment.
One glaring omission from Security Planner: encrypted email recommendations. In the experts’ analysis, there is “no effective, accessible option in this category… research shows that it is really hard for people to use encrypted e-mail without making mistakes.”
Scott-Railton says that Citizen Lab is committed to updating the tool as needed, and is working on localized releases of Security Planner in several languages, starting with French and Spanish. And, appropriately, while no personal information is stored by the site itself, he says the lab also wants to further reduce and anonymize any data the tool collects.
No matter how it’s updated, however, the tool won’t be able to defend against the most sophisticated attackers and exploits, Schneier warns.
“Most commercial spyware, built by the cyberweapons manufacturers, as I call them, relies on basic vulnerabilities and simple tricks, so Security Planner will do better than the average user against this type of attacker,” he says. State-sponsored attackers are a different story. “If the Russians want into your computer, they’re into your computer. If the NSA wants into your computer, they’re in,” says Schneier. But Security Planner “fills a needed niche, and that’s what I like about it.”