A secret US government data collection program called “PRISM” has been in the news recently, and I thought this might be a good time to post my thoughts on options available for those who would like to keep their data private and secure. I’m definitely not a security expert, but I have read some of the recommendations they have made, and I’ve put a little bit of thought into how I can make them work in my situation as a researcher and teacher.
What Should You Put Online?
I think it is safe to assume that nothing kept online is completely safe. We know, for example, that data can be:
- legally accessed in the US
- illegally accessed from outside the US
- opened up to access without your authorization
With these risks in mind, before putting something online (remember, even emailing data is putting it online), especially if it isn’t yours (student data, grades, etc.), I recommend asking yourself if it really needs to leave your device.
Although there is certainly a powerful allure to having everything available anytime on any device, there are also security tradeoffs involved. There are various measures to keep your stuff safe and secure offline ranging from easily implemented solutions to extreme and cumbersome ones, depending on how serious you are about locking down your data.
Some Best Practices for Working Online
For the data you put online, here are some best practices that will help you reasonably safe without much effort. It might seem troublesome, but once you have your system set up, it pretty much runs itself. In fact, I find the password manager to be a lot more convenient than the old days of typing in passwords.
- Don’t share personal information indiscriminately. Hackers are pretty clever about using social engineering to gain access to your data. In relation to this, it’s also a good idea to provide incorrect data when you set up password recovery security questions. If you have a hundred photos of your dog Spot on your Facebook page, it won’t be very difficult for hackers to figure out what your pet’s name is for the security question. Use random character strings instead of real answers, put those in your password manager (see below), and you’ll be a lot better off.
- Use long, random, unique, and regularly changed passwords. Using “8FpXjZzRbDdRKm4k7Yu” on one site and “2Ny3g5HN9ZHkbuUSYn8” on another is a whole lot more secure than “1234Mayo” on both. It looks like a painful thing to do, and it is, unless you use a password manager like LastPass or RoboForm to help keep it all straight.
- Use two-factor or two-step authentication whenever possible. Many sites make this available nowadays. In combination with this, you might also want to set up Touch ID on your phone (if you have iOS).
- Use a unique email account for financial institutions. Create an email account (use a random string of letters and numbers for the name) that you have never used before, change the email at all of your financial institutions to this, and you can avoid phishing attacks or email account hacks. No one will have this email in their contact list, so it is off the radar, and is unlikely to be discovered. Make sure not to put it into your contact list either when you set it up with your email service (Outlook, Thunderbird, etc.).
- Encrypt sensitive data before uploading it. It’s actually not that difficult, because these days encryption is available on a lot of applications, and if you are using one of those password managers, you can keep track of your encryption keys there. In terms of notetaking, DevonThink, nvALT, and VoodooPad all enable you to encrypt your database. Evernote has limited capabilities that will allow you to encrypt passages of text in your notes (you can add password-protected attachments to a note, of course).
- Consider a “zero-knowledge” service like SpiderOak. Only you have the password (the company does not store it), all of your data is encrypted (no one at the company can read it), and even in the event of a government request or security breach, it is very unlikely that anyone will be able to read your data (perhaps not impossible, though).
Secure Your Computer
It won’t do you a whole lot of good to keep your data secure online if you haven’t secured your computer offline. Obviously, you shouldn’t leave your laptop unattended on the table in the library, but you should also put the display to sleep anytime you are step away from your computer (I use a hot corner to make this as easy as a quick swipe) along with a strong password for the login. In addition, I recommend you encrypt your hard drive (easily done with File Vault on the Mac), keep an encrypted backup (easily done with Time Machine on the Mac), and have copies of this backup in multiple physical locations. In case of fire, theft, or zombie apocalypse, you want to know that your data is safe somewhere.
Put on Your Tinfoil Hat!
Personally, I prefer to work offline as much as possible, because I value my privacy, and I am uncomfortable with the unfettered access that governments and corporations all over the world have to our data. The worst part of this is that governments can actually compel companies not to tell you if they have provided access to your data. If you’d like to read more about this, see Winston Maxwell and Christopher Wolf’s “A Global Reality: Governmental Access to Data in the Cloud.” At least we (sometimes) receive notification if a hacker gets a hold of our data! I am happy to say that it is still possible to work almost exclusively offline, but it will take a little more work on your part.
Mixing Offline and Online Notetaking
For note-taking, a popular service among students and teachers in higher education is Evernote. Although it is a cloud-based application, it has a little-known feature called “local notebooks” that will allow you to keep the data from being uploaded to Evernote servers. You won’t be able to enjoy the advantages of syncing across devices or their automatic OCR (optical character recognition) of your content, but it is convenient to be able to use the same app for your offline and online content. If you don’t mind separating sensitive notes from their less sensitive brethren and sequestering them in a local notebook (I wish that we had “local tags”) then this is probably the most attractive option for the general user.
One problem with working offline is that mobile devices assume cloud access these days. In particular, Apple devices do not have file systems, and so you cannot always move data from your computer to your iDevice. Software developers have to code some kind of direct access into their apps, and many of them don’t do it. PDF readers? No problem. Notetaking apps? Not so easy.
Moving Data onto Your iDevice
Some of the notetaking apps, like PlainText, will let you move text files in and out of the app, but it is clumsy, and you’ll have to do it all manually. For a handful of notes, this isn’t a big deal, but with 10,000 or 20,000 notes, it can be quite time consuming. Other apps, like notesy or Evernote, do not even give you access to the app through iTunes. Unfortunately, if you want to use nvALT on your Mac, you are probably going to have to accept that you’ll need Dropbox to sync with notesy (or any other note-taking app in iOS), and if you use Evernote, you’ll have to sync through their servers to get your data onto your iPhone or iPad.
The Most Secure Notetaking for Mobile
Ideally, for complete security, you would want to avoid the cloud entirely. As far as I know, there are only a few notetaking apps on the iPad that will let you sync your data through your home wifi network, or move your data through a simple drag and drop of the entire database, and none of them appear to work reliably.
As of now (July 12, 2015), VoodooPad still has a lot of promise, but it is languishing these days. It used to be run single-handedly by Gus Mueller at Flying Meat, but he has handed the project off to Plausible Labs, who have been slow to push out updates. However, the developers now say they are working on a new version. Hopefully, this wonderful app will get the overhaul it needs.
Yojimbo is a wonderful app on the Mac, but in iOS it apparently (I have not purchased it) only works on the iPad, and does not allow you to create new entries. In other words, it is a read-only app. On top of that, it is rarely updated; the last one was in January of last year.
As of now (July 12, 2015), DevonThink To Go, which is the iPad/iPhone version of DevonThink on the Mac, works OK. You have to be a little persistent, be alright with a relatively primitive interface (compared to other apps), and be prepared for times when it syncs just fine in the morning but cannot find your computer in the afternoon. I think it is worth the hassle, because the desktop version has established itself as a phenomenal tool for historians and other researchers. The mobile app costs a hefty amount ($15), especially considering it is years out of date and a little unreliable, but an update is in the works (no promises about when it will be delivered), and the upgrade will be free for existing users.