This article is a pre-release chapter in the upcoming “Take Control of Security for Mac Users,” by Joe Kissell, scheduled for public release later in 2015. Apart from Chapter 1: Introducing Mac Security, and Chapter 2: Learn Security Basics, these chapters are available only to TidBITS members; see “Take Control of Security for Mac Users” Streaming in TidBITS for details.
Chapter 11: Keep Personal Data Private
As we’ve seen, security and privacy have a complex relationship, but improving your Mac’s security can often increase your privacy—and in fact, keeping your data private is one of the most important reasons to take security measures. Some of the steps that lead to greater privacy don’t involve security in the strictest sense, but they’re no less important just because they fall on one side of that conceptual line. This chapter explores several of those borderline topics.
First, I talk briefly about the implications of sharing a Mac with other people (such that each person has an individual login account). To what extent do separate accounts keep each person’s data safe, and how do file ownership and permission settings affect your privacy?
Next, I explore a few of the key concepts from my book Take Control of Your Online Privacy, pointing out who might want your private data and why, what privacy risks you may face when using the Internet, and some key steps you can take to protect yourself—in particular, using encrypted email.
I wrap up the chapter with an overview of OS X’s main built-in privacy settings, explaining what they do and why they may or may not be of interest to you.
Keep Your Data Safe from Other Local Users
If you’re the only person who ever uses your Mac, there’s nothing to see here—skip ahead to Learn about Online Privacy. But if you share your Mac with others, you should know a few things about what sorts of access they may have to your data.
First, if everyone shares the same account—that is, anyone can use the Mac without having to log in with a separate username and password—all bets are off. Whatever’s available to you is available to everyone else. (So, I’m not a fan of that arrangement. Every human who uses your Mac should have a unique username and password. See Improve Users & Groups Security in Chapter 4 for details.)
But let’s say each person does have a separate account and password, and each one diligently logs out (or shuts down the Mac) after every session before the next person logs in. Then what?
OS X, as a variety of Unix, relies on the properties of ownership and permissions for each file. To oversimplify a bit, each file and folder has a designated owner—usually one of the individual account holders or the system itself—and a series of settings that specify what operations (such as reading and writing) various users can perform on the file. For example, perhaps the owner has full authority to read, write, or otherwise modify a certain file, while others can only read but not make changes. For another file, maybe no one but the owner is permitted even to read it.
Users (and groups of users), ownership, and permissions can get vastly more complicated than this, but the central point for our purposes is that by default, all the files in a user’s home folder (/Users/username) are owned by that user, and only that user has permission to read them. In practice, this means that if you try to view the contents of someone else’s home folder in the Finder, you won’t be able to see inside any of the folders except the one called Public. For day-to-day segregation of one person’s data from another, this system provides a reasonable barrier.
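To see how that default layout looks on a given Mac, here is an added shell check (not from the book) that lists the top-level folders inside a home directory whose permissions let other local users read them; on a default account only Public should appear. It assumes a POSIX shell and takes the home directory path as its argument.

```shell
# Added example (not from the book): list the top-level folders inside a home
# directory that any other local user is permitted to read. On a default OS X
# account, only "Public" should be printed; anything else deserves a look.
# Usage: audit_home_readable /Users/username
audit_home_readable() {
  home_dir="$1"
  for d in "$home_dir"/*/; do
    [ -d "$d" ] || continue
    # ls -ld prints a mode string such as drwxr-xr-x; characters 8-10 are
    # the permission bits that apply to "other" (everyone who is neither
    # the owner nor a member of the folder's group).
    other=$(ls -ld "$d" | cut -c8-10)
    case "$other" in
      r*) basename "$d" ;;
    esac
  done
}

# Convenience wrapper that just counts the readable folders, handy in scripts.
count_home_readable() {
  audit_home_readable "$1" | wc -l | tr -d ' '
}
```

Hidden folders (names starting with a dot) are skipped by the glob; run it against your own home folder, or against another user's to confirm that only Public shows up.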
However, there’s more than one way to skin a cat. If someone else wanted to see your files, there are several ways that could happen:
- Your password: Anyone who knows or can guess your login password can log in as you and access all your files. Of course, you have a terrific password that you’ve kept completely safe from everyone else, right? Fine, but there are still other problems.
- Administrator access: Anyone with an administrator account and working knowledge of the Unix command line can access everyone else’s files by opening the Terminal app (found in
sudo -s, and supplying the administrator account’s password.
- Another startup volume: If your Mac’s disk is used as a secondary disk—not a startup volume—for another Mac, anyone signed in as an administrator on that other Mac can freely access your files. For example, someone could start your Mac in Target Disk Mode and attach it to another Mac via Thunderbolt or FireWire, so that your Mac functioned as an external hard drive. Or, if your Mac has a removable disk, another person could take it out and attach it to another Mac.
In addition, someone else with access to backups of your files can likely open them all from the backup, without file ownership and permission getting in the way.
For all these reasons, the only safe assumption is that anyone else who has an account on your Mac and physical access to it could conceivably access your files. Although your data is fairly safe from casual access by nontechnical users, you should not think of ownership and permissions as a significant roadblock.
Moral of the story: If you have files you absolutely must keep private from other users of your Mac, you should encrypt them. In this situation, FileVault won’t help you, because once it’s unlocked for one user, it’s unlocked for everyone. An encrypted disk image or third-party encryption app should do the trick—see Other Encryption Options in Chapter 10.
Learn about Online Privacy
As I’ve mentioned, I have another whole book—Take Control of Your Online Privacy—that explores privacy issues on the Internet. But I still want to share some key concepts about online privacy here that also have security implications.
Understand Privacy Threats
My first rule of online privacy is: What happens on the Internet, stays on the Internet. In other words…
- Once you expose any data to the Internet—whether by sending it in an email message, typing it in a Web form, backing up your iPhone’s camera, or whatever—the potential exists for it to fall into the hands of someone you didn’t intend to see it.
- Information spreads quite readily on the Internet. It’s easy to make copies, and thus extremely difficult (or even impossible) to fully and permanently eradicate any piece of data once it has been online.
- You can never know for sure who, if anyone, has seen or stored a certain piece of information or when it might pop up again.
The best way to avoid having unwanted information spread itself around the Internet is not to put it online in the first place. Sometimes that’s possible, but not always. After all, the mere act of browsing the Web can reveal tons of personal information about you to people you’ve never met.
Who exactly is trying to find out personal information about you, and what do they want to know? Here are some examples:
- Advertisers want to know as much about you as possible—your location, what you search for, what you buy, what sites you visit, your tastes, preferences, and more—to better target ads at you. And it’s not just individual advertisers either, but also data brokers, who make money by selling your information to other advertisers, whether or not they also use it themselves.
- Local “villains” such as a jealous ex, a troublesome neighbor, or a prospective employer may want to know who you’ve been hanging out with, where you’ve been going, and what your habits are. What they learn about you online could affect your safety, your reputation, or whether you get hired (among other things).
- Hackers out to make a quick buck by selling credit card and social security numbers (and other data that could help someone steal your money or identity) are always looking for easy victims.
- Big Media such as record labels, broadcasters, and motion picture studios want to make sure no one is pirating their products.
- Big Money—banks, credit card providers, insurance companies, and the like—want to see whether you’re a good risk for credit or insurance based on what they can learn about you online.
- Big Data is how I refer to gigantic companies such as Google, Facebook, and Twitter, whose entire business models depend on you voluntarily giving them as much data about yourself as possible. Some of that is merely to show you ads, but once the data is out there, someone could tap into it for more sinister purposes.
- Big Brother is watching and listening. No, seriously—you’ve seen it on the news a hundred times. Government agencies all over the world, but especially the NSA (National Security Agency) in the United States, routinely monitor and record Internet traffic of all kinds in the name of preventing terrorism and solving crimes. But all too often, innocent bystanders get swept up in the process. (Government agencies also collect massive amounts of data for much more mundane reasons—think of the Centers for Disease Control and Prevention, the Census Bureau, the Social Security Administration, and the Internal Revenue Service, for example—making them another variety of “big data.”)
In most cases, it’s not that someone is monitoring you specifically, but rather that all these entities are sucking up as much data as possible—yours likely included—to accomplish their particular goals.
You’ve already taken measures to protect your privacy online, such as using strong passwords (see Chapter 5: Improve Your Passwords), securing your Internet connection (see Chapter 6: Improve Your Network Security), and using a firewall to prevent remote break-ins (see Chapter 7: Fortify Your Mac’s Defenses), and later in this chapter you’ll learn how to Configure Your Mac’s Privacy Settings. But there are a couple of other important privacy options you should know about (whether or not you choose to use them): encrypting your email and sharing files privately.
Encrypt Your Email
The only way to keep your email private all the way from sender to recipient is to secure it using encryption. Even if your email client uses SSL/TLS to encrypt the connection with your own email server, messages are unencrypted while they sit on various email servers, and often for their journey from one server to another. Encryption compensates for those vulnerabilities.
Encrypting email is a great idea, and in an ideal world, all messages would be encrypted all the time. In a moment I’ll mention a few ways you can go about encrypting messages if you choose to. But even though I personally like to encrypt email when possible, encrypting email is a less-than-optimal solution for most people, most of the time. Here’s why:
- Once the recipient has decrypted your email message, anything could happen to it, and it’s entirely out of your control. A message may stay private all the way to Mr. X, but if he’s not careful (or if his computer or phone is stolen or hacked), your message could still get out.
- Configuring an email client to encrypt messages can be (depending on the platform and software) a cumbersome process. Once you’ve done that, encrypting individual messages is usually simple, but requires that your recipients use the same type of encryption, and set up everything correctly on the other end. Even then, in some cases you must go through extra steps to obtain a public key or certificate from the other person before you can send secure email; in other cases, both parties must find some way other than email to swap passwords. You wouldn’t want to go through this bother for everyone with whom you correspond.
- Although encryption protects the contents of your messages, it doesn’t protect their headers, which means that someone with access to your encrypted email while in transit or on a server could still see the message subject, sender and recipient’s email addresses, date and time, and other information that may itself be private.
- As things currently stand in the United States, the NSA can retain indefinitely any encrypted email messages it happens upon, presumably to help the agency learn how to break that encryption. Unfortunately, the very fact that you encrypt messages—regardless of their content—may mark you as a suspicious person subject to more in-depth monitoring. Encrypting email messages not only draws attention to yourself but could mean that any messages that are intercepted will be kept until the NSA can figure out what they say or decides it’s not worth knowing.
In other words, encrypting your email might end up being a lot of inconvenience for relatively little reward. Paradoxically, it might make you feel safer than you really are—and perhaps even give your communications unwanted government attention.
What’s the alternative? Using FaceTime or the iMessage protocol in Messages (the default when you sign in with an iCloud account) gives you end-to-end encryption that’s far easier to set up and use without looking suspicious, although neither one solves the problem of someone seeing a decrypted message on the other end. Those apps aren’t appropriate for every type of communication—and they won’t give you end-to-end encryption if the other person isn’t also an Apple user—but if you have only an occasional need for encrypted communication, they may be better choices.
Those disclaimers aside, encrypted email still has many excellent applications, and if you’d like to try it, there are three main techniques you might use:
- S/MIME: Almost all modern email clients, including Apple Mail on OS X and iOS, Outlook, and Thunderbird, support an industry standard called S/MIME (Secure/Multipurpose Internet Mail Extensions). S/MIME uses a form of public-key cryptography: you give me a public key (in the form of a file called a certificate) that I use to encrypt a message I send you, and then only you can decrypt it with your corresponding private key. To reply to me, you reverse the process, encrypting a message with my public key; I decrypt it with my corresponding private key.
Before you can use S/MIME, you must obtain the necessary certificates and install them on your device; it’s a tedious and non-obvious process. (I describe how to do this in Apple Mail—for both OS X and iOS—in Take Control of Apple Mail.) Your correspondents must also use S/MIME, and you’ll need their public certificates to send them encrypted messages.
- PGP/GnuPG: The commercial PGP (Pretty Good Privacy), owned by Symantec, and the compatible, open-source GnuPG (GNU Privacy Guard, also known as GPG) represent another flavor of public-key cryptography. Conceptually, PGP/GnuPG is roughly comparable to S/MIME (in fact, newer versions of GnuPG also support S/MIME), although the implementation is different.
You’ll need to install extra software on your device to use PGP or GnuPG—for Macs, I recommend GPGTools (free, but soon to begin charging for its encrypted email component, GPGMail). However, the process of obtaining public/private key pairs is simpler than with S/MIME, and both systems optionally use keyservers, which let you obtain someone else’s public key by looking up a name or email address rather than having to contact that person first. Although it’s rare for webmail services to offer encryption, a service called Hushmail does support PGP.
- Encrypted attachments: A somewhat simpler, lower-tech approach is to send an ordinary email message containing an attachment that’s encrypted; inside the attachment is the private content you want to transmit. One good tool you can use to do this is BetterZip 2, which creates encrypted Zip archives that can be opened on almost any platform. If you and the recipient are both Mac users, you can also use Disk Utility to create an encrypted disk image.
This approach is great for one-shot communications, such as when you need to send someone a Social Security number, credit card number, or some other isolated piece of sensitive information but don’t need whole email messages to be encrypted regularly. There’s just one catch: the recipient needs the password, and you can’t send that by email! You’ll need to convey the password by other means, such as iMessage (better than an SMS message!) or a phone call.
Share Files Privately
Most privacy concerns with file sharing fall into one of the following categories:
- You want to share files with a specific person or group without letting anyone else know what you were sharing or with whom.
- You want to share files publicly, but without anyone knowing you were the person who uploaded or downloaded them.
Most methods of sharing files—including OS X’s built-in file sharing (see Share Resources Securely in Chapter 4)—offer neither sort of privacy protection, which is why you may want to use extra precautions.
And what are the risks if you don’t? That all depends on what you’re sharing. Perhaps a competitor sneaks a look at trade secrets in confidential business files you’re sharing with your employees, clients, or contractors. Maybe the public gets early access to the top-secret new album, software, or game that you were previewing for your agent or investors. Or the other side in a legal dispute sees potentially damaging information in a file you intended for your lawyer’s eyes alone. And, if you’re sharing copyrighted media (which, of course, I strongly advise against), the copyright holder can rain all sorts of legal trouble on you.
Encrypt Transfers, Files, or Both
One danger when sharing files is that their contents could be intercepted in transit between your computer and the recipient’s computer. You can reduce the risk of eavesdropping if you Use Encrypted Wi-Fi, or Use VPNs and Similar Measures (both in Chapter 6), but these steps protect data only for part of its journey. To protect the entire path against eavesdropping, the connection between your computer and the remote computer must be encrypted using a file transfer method such as SFTP (SSH File Transfer Protocol) or WebDAV over HTTPS. However, such transfer methods aren’t always an option, and even when they are, they solve only part of the problem. If a file is going to be sitting on a server somewhere, and if you want to restrict access to trusted parties, you should encrypt it as well.
In Encrypt Your Email, I mentioned that you might use a program such as BetterZip 2 to encrypt files, or, to transfer files solely between Mac users, create an encrypted disk image in Disk Utility. The same advice holds for files you share with other methods—whether you upload to a public server or use any of numerous file sharing services such as Dropbox, Google Drive, SugarSync, or SpiderOak.
But wait! Don’t these and most of the other cloud storage and syncing services already encrypt files you upload? Yes! Sort of!
I’ll take Dropbox as an example, because it’s the most common of these (and because I wrote a book about it, Take Control of Dropbox). All the files you put in your Dropbox are indeed encrypted, but Dropbox holds the encryption key, so the company could decrypt your files if it had to (for example, in response to a subpoena). Even if that’s not a worry, Dropbox has two different methods of sharing files:
- Share a link: Dropbox generates a link to a file or folder you’ve stored online, and you can do whatever you want with that link—post it on a Web site or send it by email, say. Anyone who follows the link gets the contents of the file or folder—unencrypted. In other words, once you’ve shared a link, the only thing protecting it is the URL’s obscurity. If anyone learns that URL, Dropbox’s encryption is moot.
- Invite someone to a folder: You can share a folder in such a way that only people you invite can share it, and those people must all be Dropbox users too. This method enables the files to stay encrypted on the server all the time, although of course you can’t control what any of the other participants in the folder may do with your files.
So, for Dropbox, if you’re sharing a link and you want to ensure that a file stays private, you should encrypt the file before putting it in Dropbox in the first place. Then you can share the password with the recipient.
Other services have their own methods, but the general rule is that if you’re sharing a link in such a way that the link is the only thing someone needs to access the file, the service’s encryption is irrelevant—you should instead encrypt the file yourself first.
Use Peer-to-Peer File Sharing
Another type of file sharing relies on peer-to-peer (or P2P) file sharing networks, of which the best known is BitTorrent. Peer-to-peer file sharing has many perfectly valid, legal uses, including distributing large files without incurring massive storage and bandwidth fees. Sometimes you’ll even see musicians and movie studios using P2P networks to distribute media to the public. But P2P is often associated with illicit sharing of copyrighted materials—fair warning.
In a P2P network, someone makes a file available for others to download, but as soon as a recipient downloads a portion of the file, that person’s computer also turns into a server, making that portion available to other downloaders. Thereafter, anyone trying to download the same file may connect to multiple computers at once, fetching only small pieces of the file from each one; the client software reassembles all the pieces at the end. This makes file transfers more efficient, but (slightly) harder to track than conventional client-server transfers.
However, BitTorrent and other P2P apps aren’t always the easiest programs to use—they typically expect users to have a bit of geek mojo, and value functionality over simplicity.
Create a Personal Cloud
What if you could combine the simplicity of Dropbox with the security of a friend-to-friend network and the assurance that all the data and hardware is safely under your control? And what if, in the bargain, you got up to 3 TB of file storage that you can access from any computer or iOS device, with no monthly fees? If you have a lot of data to share privately, you may be interested in a device called the Transporter.
Transporter is a small gadget containing a hard drive and a network interface, much like a NAS (network-attached storage) device. (A version called Transporter Sync omits the internal hard drive and works with any external USB hard drive you have.) The difference is its software, which makes it function very much like Dropbox. All transfers to and from your Transporter are encrypted, and if you have two or more of them, they can automatically sync any or all of their files with each other, regardless of where they’re physically located. So, merely by connecting a Transporter or two to the Internet, you effectively create a personal cloud for file sharing.
I’ve had a Transporter for a couple of years, and although it’s not ideal for most of my needs (see my TidBITS article Bypassing the Cloud with Transporter), I like the fact that it has none of the complications of peer-to-peer networks. And I have used it in place of Dropbox for sharing book manuscripts with my editor as I work on them—including this one!
Transporter isn’t the only device in this class. A number of other NAS devices (such as Synology’s DiskStation products and TonidoPlug) also offer private sharing over the Internet, but Transporter stands out for its size, cost, and simplicity.
It’s also possible to create a personal, Dropbox-like system for syncing and sharing files using only software—for example, with the free BitTorrent Sync. But because this runs on your computer(s), you’ll have to leave at least one computer turned on, awake, and connected to the Internet at all times to maintain access to your data from other devices. I wrote about how to set this up in my Macworld article How to Create a Personal Cloud with BitTorrent Sync.
Configure Your Mac’s Privacy Settings
Although we’ve covered many of OS X’s built-in security settings, we’ve touched on only a few privacy settings as such. There are quite a few more, and although they’re mostly self-explanatory, I want to review where you can find them and what they do.
The largest concentration of privacy settings can be found in System Preferences > Security & Privacy > Privacy. Once there, click the lock icon in the lower left of the window and enter your username and password. Then you can modify the following settings:
- Location Services: Select the main Enable Location Services checkbox to turn on location services generally, which enables OS X to determine your physical location using information about nearby Wi-Fi networks (Figure 1). Then select the checkbox next to each app you want to be able to use that data (such as Maps and Weather). You can avoid broadcasting any location information by turning off Location Services and Spotlight Suggestions (in System Preferences > Spotlight > Search Results), but that will disable certain features you may want, such as Find My Mac.
- Contacts, Calendars, Reminders: Some apps want access to the data in your Contacts, Calendars, and Reminders apps in order to accomplish what they need to do. For example, Pages might use your contacts when printing envelopes or labels, and LaunchBar wants access to your calendar so you can use it to create new events. But some apps may ask for access to your contacts, calendars, or reminders without an apparent good reason, and if you aren’t sure it’s necessary, deselect the app’s checkbox.
- Twitter, LinkedIn, Facebook: If you have accounts set up for any of these services (in System Preferences > Internet Accounts), other apps may ask to access their data. For example, a third-party Twitter client may want access to your Twitter account to save you the bother of entering your credentials separately. As always, if you have any doubts, leave items in these categories unchecked.
- Accessibility: Some apps need to be able to use accessibility features in OS X in order to accomplish tasks like altering keyboard shortcuts, running scripts, or sending commands to other apps. Most of these uses are entirely legitimate—utilities such as Keyboard Maestro, LaunchBar, and TextExpander would be useless without these capabilities. But because granting an app accessibility access gives it more power to see into other apps and control them, you should deselect this feature for any app you don’t trust.
- Diagnostics & Usage: Yosemite can automatically send diagnostic and usage data to Apple and/or third-party developers to help them track down the causes of crashes and other bugs you may encounter. This information is anonymous and doesn’t contain personal information. If you want to send this troubleshooting data in the event that a problem occurs, select Send Diagnostics & Usage Data to Apple. With that selected, you may also select Share Crash Data with App Developers. (You can’t share crash data with app developers unless you also share diagnostic data with Apple.)
In addition to those preferences, I want to call your attention to three other places in OS X with significant privacy settings:
- Spotlight: Go to System Preferences > Spotlight > Privacy to exclude any folder or volume from Spotlight indexing. You might do this if, for example, you have private files that might show up when another user of your Mac is performing a Spotlight search. To prevent your location information and address from being sent to Apple and its partners, go to System Preferences > Spotlight > Search Results and uncheck Spotlight Suggestions.
- Extensions: New in Yosemite, Extensions are plug-ins that let apps extend their capabilities in interesting ways, including adding widgets to the Today view of Notification Center and destinations to the Share Menu. Some utilities that need to modify the behavior of the Finder (Dropbox, Transporter Desktop) or other apps can also do so by way of extensions. But because an extension could conceivably access personal data within an app, you can disable any you’re unsure about by going to System Preferences > Extensions, selecting a category, and deselecting the app’s checkbox (Figure 2).
- Safari: In Safari > Preferences > Privacy (Figure 3), you’ll find settings for Cookies and Website Data (I recommend Allow From Websites I Visit), Website Use of Location Services (I recommend Prompt for Each Website Once Each Day), and Website Tracking (I recommend checking Ask Websites Not to Track Me).