Creating a private website with WordPress

When we became parents in 2015, Kelly and I talked about where and how we wanted to share the initial photos and stories of that experience with a small group of our family and friends. In case you haven't noticed, I feel pretty strongly about the principle of owning our digital homes. So I felt resistance to throwing everything up on Facebook in hopes that we'd always be able to make their evolving privacy and sharing settings and policies work for us, while also trusting that every single Facebook friend would honor our wishes about re-sharing that information.

I took some time to explore tools available for creating a private website that would be relatively easy for our users to access, relatively easy to maintain, and still limited in how accessible the content would be to the wider world. (I tend to assume that all information connected to the Internet will eventually become public, so I try to avoid ever thinking in terms of absolute privacy when it comes to websites of any kind.)

I thought about using WordPress.com, which offers the ability to quickly create a site that is private and viewable only by invited users while maintaining full ownership and control of the content. I passed on this idea in part because it didn't allow quite the level of feature customization that I wanted, and partly because it's a service of my employer, Automattic. While I fully trust my colleagues to be careful and sensitive to semi-private info stored there, it felt a little strange to think of creating something a bit vulnerable and intended for a small group of people within that context. I would still highly recommend the WordPress.com option for anyone looking for a simple, free/low-cost solution to get started.

Here are the WordPress tools I ended up using, with a few notes on my customizations:

Basic WordPress Configuration

For the basic WordPress installation and configuration, I made the following setup choices:

  • I put the site on a private, dedicated server so that I had control over the management and maintenance of the site software (as opposed to a shared server where my content, files or database may be accessible to others).
  • I used a Let's Encrypt SSL certificate and forced all traffic to the SSL version of the site, to ensure all communication and access would be encrypted.
  • I set up a child theme of a default WordPress theme so I could add a few customizations that would survive future parent theme updates.
  • I set "Membership" so that "Anyone can register" in the role of Subscriber (see more below on why this is okay).
  • For Search Engine Visibility I set "Discourage search engines from indexing this site".
  • For discussion I set "

Continue reading Creating a private website with WordPress

Cloud email, contacts & calendars without Google

I like Google and a lot of the things it does in the world. When people ask me what free mail, calendaring and contact syncing tools they should use, I usually include Google's services in my answer. But I always explain that they're trading some privacy and ownership of their information for the "free" part of that deal. "You're the product, not the customer" and all that.

For me, I've always tried to avoid having my own data and online activities become the product in someone else's business model. There are plenty of places where I can't or don't do that, and I mostly make those tradeoffs willingly. But so far, I've been able to avoid using Google (and Apple and Microsoft) for managing my personal email, calendaring and contact syncing.

Here's how.

Continue reading Cloud email, contacts & calendars without Google

Chrome extensions to manage online privacy

There are a couple of extensions for Chrome that I've been using for a while now to try to maintain or improve my privacy online. Some have been helpful, others haven't. Some mini-reviews:

Terms of Service, Didn't Read

Most every modern website has a "Terms of Service" that governs your interactions with it. The document usually lays out how and when the site will use any data it collects about you - helpful, right? The document is also usually many pages long and would potentially take hours to fully absorb and understand. Terms of Service, Didn't Read is an extension that tries to give you a high-level view of the Terms of Service of the site you're on, based on their team's reading and interpretation of those documents on your behalf. If there are particular concerns related to privacy and personal data use, the extension will flag that when you arrive.

I used this extension for several months, finding it interesting at first to see how the sites I visited regularly measured up to TOSDR's evaluation. But after the initial curiosity wore off, I realized that for the most part, the information here wasn't changing my behavior. If TOSDR flagged something like "The copyright license is broader than necessary" or "This service tracks you on other websites," I'd still have to do some more digging to figure out exactly what that meant, and whether or not I was comfortable with it. So, the information provided by TOSDR is helpful, but not always conveniently actionable when it comes to protecting privacy. (There's a theme in all this: protecting privacy is rarely convenient.)

Continue reading Chrome extensions to manage online privacy

Use the cloud, keep control of your data

After ranting recently about the choices we make to give "big data" companies access to our private information in ways that might be abused or exploited by government eavesdroppers, I thought it would be worth sharing some of the options I've found for using "the cloud" while also retaining a reasonable level of control over access to the data stored there.

This post has information about tools and software you can deploy yourself to approximate some of the functionality that third-party services might provide, but that might also expose you to privacy and security vulnerabilities. It's based on my experiences designing and implementing solutions for my own company, so it's mostly applicable to the interests of businesses and organizations, but may also be useful for personal projects.

A few important disclaimers: any time you make your personal or corporate data available on Internet-connected devices, you're creating a potential privacy and security vulnerability; if you need to keep something truly protected from unauthorized access, think hard first about whether it belongs online at all. Also, the tools and services I'm listing here are harder to set up and configure than just signing up for one of the more well-known third-party services, and may require ongoing maintenance and updates that take time and specialized knowledge. In some cases, it requires advanced technical skills to deploy these tools at all, which is the reason most people don't or can't go this route. Hosting and maintaining your own tools can often have a higher initial and/or ongoing cost, depending on what financial value you assign to data privacy. Sometimes the privacy and security tradeoffs that come with using a third-party service are well worth it.

Still interested in options for using the cloud without giving up control over your data?  Read on.

Email and Calendar Sharing

Need a powerful, free email account?  Need robust calendar management and sharing capabilities? Everybody uses Gmail and Google Calendar, so just sign up for an account there, right?  Unless you don't want Google having access to all of your email communications and usage patterns, and potentially sharing that information with advertisers, government agencies or other entities.

Continue reading Use the cloud, keep control of your data

I have read and agree to the terms of service

As revelations continue about the US Government capturing and monitoring online activities and communications, I'm glad (and, ok, only a little bit smug) to see that more conversations are happening about just what privacy expectations we should give up by using modern Internet tools and services.

Most of the mainstream conversation has been focused on what information "big data" companies like Google, Twitter, Facebook and Apple do or don't hand over to the government and under what circumstances, and debating where those lines should be.

The built-in assumption here is that it's inevitable that these are the companies that will continue to have access to our private information and communications. I grant that it's a pretty safe assumption - I don't foresee a mass exodus from Facebook or a global boycott on iPhones - but I do think it's important to note that this is a choice we are making as users and consumers of these services.  We are the ones who click through the "terms of service" and "privacy policy" documents without reading them so we can get our hands on cool free stuff, we are the ones who are glad to entrust our intimate exchanges to technology we don't understand.

A certain amount of naiveté about the security and privacy implications of the tools we use is understandable here.  When I've given presentations on email privacy and security issues, some attendees are legitimately gasping at the new understanding that their e-mail messages are traversing the open internet as plain text messages that can potentially be read by any number of parties involved in the management of those servers and networks.  The average user probably assumes that the Internet was designed from the ground up to be a robust and secure way of conducting financial transactions and sending suggestive photos of themselves to amorous contacts.

Continue reading I have read and agree to the terms of service

The Torn-up Credit Card Application

Some people think I'm paranoid when I shred certain documents, or when I lock my doors, or when I dart erratically down the street to avoid giving the snipers a clear line of sight.  But if you've ever needed convincing that a little paranoia is good for you, especially when it comes to how you dispose of those annoying credit card applications you get in the mail, here's a great story from the folks at cockeyed.com: The Torn-Up Credit Card Application.

Basically, the guy took an application ("pre-approved credit line - just sign here and return!"), cut it up into many pieces, reassembled it with tape, filled it out with a change of address and change of phone number, mailed it in, and got the approved, ready-to-use credit card back in the mail at the new address.

Most people probably don't tear those things up, let alone shred, incinerate and bury them like I prefer to.  And while I don't want anyone constantly living in fear that their identity will be stolen, there are some reasonable precautions to take.  After all, it's not paranoia if they're really after you.

Security FAIL

Two stories of security failure for this blustery day:

1) Apparently, all you have to do to throw off the facial recognition software that protects us from identity theft or worse, is smile:

The Indiana Bureau of Motor Vehicles is restricting glasses, hats, scarves -- and even smiles -- in driver's license photographs. The new rules imposed last month were deemed necessary so that facial recognition software can spot fraudulent license applications, said BMV spokesman Dennis Rosebrough.

And then he had the gall to spin it as an improvement, since it would be horrible to admit that humans had done a better job:

The new technology represents an advancement of what the BMV already was doing, Rosebrough said. BMV employees always have looked at the old photo of a person to see if it looked like the person seeking a new license.

FAIL.

2) I was at a local video store yesterday, trying to rent a video using Anna Lisa's account. I gave the cashier her phone number and name, and he said he'd have to call her to verify that it was okay for me to rent on her account. When she didn't pick up, I offered to call her on my cell phone (in case she wasn't picking up the call from an unknown number), and the cashier said, "okay, yeah, just ask her if it's okay and then you can tell me what she said."

FAIL.

Can the President of the U.S. use e-mail?

The Times has a nice little article today about why Barack Obama will probably have to give up the use of his Blackberry - and e-mail altogether - when he becomes President:

As his team prepares a final judgment on whether he can keep using e-mail, perhaps even in a read-only fashion, several authorities in presidential communication said they believed it was highly unlikely that he would be able to do so.

Diana Owen, who leads the American Studies program at Georgetown University, said presidents were not advised to use e-mail because of security risks and fear that messages could be intercepted.

“They could come up with some bulletproof way of protecting his e-mail and digital correspondence, but anything can be hacked,” said Ms. Owen, who has studied how presidents communicate in the Internet era. “The nature of the president’s job is that others can use e-mail for him.”

Surely there's some middle ground to keep a President as tech-savvy as Barack Obama from being forced off of e-mail altogether? I mean, this is the guy who announced his VP pick by SMS text message, for crying out loud.

Here are some scenarios to explore:

Continue reading Can the President of the U.S. use e-mail?

Total Information Awareness

People sometimes ask me how much I think "The Government" is really listening in on our phone calls, e-mail messages, web browsing, text messages, and other forms of communication. I still apparently surprise people with my answer: for the purposes of my day-to-day life, I assume that every communication I send or receive using an electronic medium is monitored and recorded by someone else. And I'm not just talking about watching some rough meta-information go by and trying to deduce what we're up to - I'm talking about full access to the content of every single communication, in real time.

Recent media reports, including a March 10th article in the Wall Street Journal, show us how much information spy agencies are allowed to legally collect and monitor:

  • Recipient and sender address, subject line, timestamp of e-mail messages
  • Internet sites visited and searches conducted
  • Incoming and outgoing numbers dialed on cell and regular phones, length of calls, where you physically were when a cell phone call happened
  • Pretty much everything about your financial transactions

Makes you wonder what's actually happening beyond the law's provisions. Again, I'll generally assume the worst.

Watching the watchers

Sometimes people forget how much information is being collected about them when they visit a website. It's actually not all that much - what IP address you're visiting from, what kind of operating system and web browser you're running, and perhaps what other website you came from in your visit. The real fun starts when you learn how to interpret the trends in that information, and start to drill down to what it might mean about a visitor.

For example, earlier this week, a user visited my website without any referring URL information. This means they probably entered the address directly in their browser's location bar, but it could also mean they followed a bookmark, or are actively trying to hide where they came from. As soon as they got to my site, they started searching for the word "congress" in my content. When I traced the IP address, it went back to a location in McLean, Virginia, which is the home of the Central Intelligence Agency.

So what can we conclude from this? Obviously, a CIA operative was investigating my website because in my ramblings about politics and the government, I've clearly come too close to the truth about a cover-up related to U.S. energy policy and the War on Terra, and now they're coming to take me away, ha-ha.

Continue reading Watching the watchers