Yellow poster with cookie

A few easy tips to up your privacy game: David Sherry

How can you can improve your privacy in your everyday use of web browsers, email, text messaging and other apps?


David Sherry
David Sherry

Our guest is David Sherry, the chief information security officer here at Princeton. He’s responsible for shoring up security at this Ivy League campus of more than 15,000 people. He has 20 years of experience in information security management. He can — and often does — speak publicly about how he manages to herd all those cats to make Princeton safer for technology. But today, he’s agreed to provide tips that anyone can use to improve their privacy in their own digital lives.

Links:

Duck Duck Go search engine

Tor Project and browser.

Eli Pariser interview about book “Filter Bubble.”

The Best VPN Services for 2021,” PC Magazine, August 9, 2021.

Signal messaging service

Proton Mail and Mailvelope email services

Transcript:

Aaron Nathans:
From the Princeton University School of Engineering and Applied Science, this is Cookies, a podcast about technology privacy and security. I’m Aaron Nathans. On this podcast, we’ll discuss how technology has transformed our lives, from the way we connect with each other, to the way we shop, work and consume entertainment. And we’ll discuss some of the hidden trade-offs we make as we take advantage of these new tools. Cookies, as you know, can be a tasty snack, but they can also be something that takes your data.

Aaron Nathans:
On today’s episode, we’ll talk nuts and bolts about how you can improve your privacy and your everyday use of web browsers, email, text messaging, and other apps. Our guest is David Sherry, the Chief Information Security Officer here at Princeton. He’s responsible for shoring up security at an Ivy League campus, both for those on campus and remote with nearly 1,300 faculty members, more than 5,000 undergrads, nearly 3,000 grad students, roughly 7,000 staff members and more. He has 20 years of experience in information security management. He can and often does speak publicly about how he manages to herd all those cats to make Princeton safer for technology. But today he’s going to do something different. He’s agreed to provide tips that anyone can use to improve their privacy in their own digital lives. Let’s get started. David, welcome to the podcast.

David Sherry:
Thank you, Aaron. Happy to be here.

Aaron Nathans:
All right. What exactly is the concept of privacy? Is it just your name, your address and social security number or does it encompass more?

David Sherry:
Hmm, well, concept is an interesting term to use for privacy. I think you have to go back really to what would be a definition of privacy. If you look up any of the encyclopedias or any dictionaries, they would say probably three things about privacy. One is the quality or state of being apart from company or observation. That’s probably what most people think about. It’s the state of being concealed or hidden when you make something private. And the third one is freedom from unauthorized intrusion, and that’s really part of my job every day is that aspect of privacy, the freedom of unauthorized intrusion.

David Sherry:
And certainly I think it’s a lot more than just your name and your address and your Social Security number, so much more than that now. Privacy, in this day and age, 2021, maybe even like the last 10 years, it includes your shopping habits, driving records, medical diagnosis, maybe your work history, your financial history, credit scores, password ID combination, something I take to heart. It can be your likes and dislikes on social media. You can lose your privacy, donating to a charity, visiting a doctor, surfing the web, joining a gym, paying your mortgage, going through a toll booth, walking with your phone, driving through an intersection. I could go on and on. Making an online purchase. There’s just so many things and not just that, it can be lost through third parties and databases and connections and selling and buying.

David Sherry:
So I think really the concept of privacy now is really about people taking control. There was a book written in 1967 called Privacy and Freedom, 1967, think about that. And it says privacy is a claim of an individual, a group or an institution to determine for themselves when, how and to what extent information about them as communicated to others. So I think if you’re talking concepts, I really think this is about taking control. What’s yours is yours. People have different levels of privacy aspects, but it’s about taking control. Some people call it a basic human impulse. Some people want it to be a basic human right. I think it’s a combination of both of them, but at the end of the day, it’s much more than name, address and social security number. And it’s something that we all need to be conscious of.

Aaron Nathans:
So, what’s changed in the realm of privacy over the last 25 years?

David Sherry:
Wow. A lot has happened in 25 years. Think about what the maelstrom or the tsunami of changes in technology we’ve seen. Email would probably be in its infancy 25 years ago. The rise of personal computers, certainly just the global explosion of the public internet, but social media, GPS systems, identity theft, identity crime, identity syndicates, the internet of things. Alexa and Siri and thinking about connecting your car and your coffee pot and your light switches to the internet all brings privacy aspects. And then just breaches. That’s been a big impact on privacy recently, almost every adult in the United States and many abroad got Equifax many years ago. And that brought privacy to the forefront as well. So it’s not just what we do. It’s what others do to handle our privacy that can have an impact. And certainly that’s been one of the big things in the last 25 years.

Aaron Nathans:
Sure. I mean, so with all of these new digital tools that we have to make our lives better, few of us have any doubts that we’re paying for these tools with our private information. I mean, after all, we can see the customized ads and the email lists that we didn’t sign up for. To all those folks who say, and I know a lot of people like this who say, I know my privacy is being invaded and that’s just the price of admission. What do you say to that?

David Sherry:
Once again, I come back to this taking control and people just need to pay a little bit more attention to that because saying it’s just the price of admission or, I love the one that I hear a lot, Aaron, is I’ve got nothing to hide. You know, it doesn’t really matter, that one just drives me crazy.

Aaron Nathans:
Why is that?

David Sherry:
Because everyone, it’s not that we’re worried about someone, if you don’t have a criminal record or if you haven’t declared bankruptcy, but just having the basic building blocks of an identity can be used against other people. So even though you have nothing to hide, knowing pets’ names, knowing dates of birth, knowing where you live, knowing what you do for work, knowing what your likes or dislikes, my religious affiliation, your political affiliation. That puts enough of a group of items together that you could be at risk.

David Sherry:
So I don’t like the combination of people saying, ah, it’s just the price of living now and I really have nothing to hide. I mean, is it really? When you look, especially on a cell phone, you’re downloading an app on a cell phone, something that is so easy, everyone does it. And as you go through it, there’s a little thing that pops up that says “this application will have access to.” It’s a very shortened version of the old end user license agreements, EULAs that you used to get when you buy a piece of software. And it was a read me text that was 30 pages long.

David Sherry:
But it’s so easy to read this control. And a perfect example is a few years ago, the Olympics were going on and my family and I really enjoy following medal counts. And I’ve said, well, I’m just going to look for an app that would just give me a up to date list of who has the medals by country. So I found this one that was free. And when I went to download it, it says you supply this app with access to your photos, your location, your contacts and to read your text messages.

David Sherry:
Now, if I was not a crazy person about privacy and security, like I am, I might’ve just said, oh, what the heck. And now this app that I have no idea who wrote it, where it was written, how secure it is, who owns it, has access to all of my text messages and my phone calls and my pictures. To me, that’s crazy. I took control at that time. And I said, nope, I’m just, I’m going to go on. I ended up buying an app that was 7.99 for the use of two weeks, because it didn’t have access to anything on my phone.

Aaron Nathans:
You knew what to look for in the fine print though. Most folks don’t.

David Sherry:
Yeah, but an app. Once again, I’m not going back to those crazy end user license agreements that even I read those things too, because they’re fascinating to me. But it’s so easy. It’s one screen on your iPhone or your Android device, or it even pops up and says, do you allow this to have access to your camera? Do you allow this to have access to your text messages? And people just-

Aaron Nathans:
Really, it says it just like that?

David Sherry:
They can just pop up depending on what application, what operating system you’re using. It makes it really easy. It’s not anything that’s behind. Just reading before you download it, before you click install, it usually says what it has access to. People, just take a second and think that through. Everyone, be a little bit more safer on this thing that we know now is the internet.

Aaron Nathans:
So, something I run into a lot here at Princeton, a lot of the savviest folks in this area avoid social media entirely. How much more privacy does that buy you by doing that? I mean, is there a way to use social media in a more private way or is once you open that door, do you encounter all the trade-offs?

David Sherry:
So yes and no on that. Certainly it can buy you more privacy. It buys you a lot of privacy if you avoid it entirely. It’s not totally being private because there are other ways on the internet that can grab your information. But social media, we’re just regurgitating stuff on social media. We do a class at Princeton about handling online presence and one of the things we say is just don’t share as much. Does everyone really have to know that you went to Taco Bell for lunch or you’re going on such and such a vacation. So just sharing less information is a big part of that. There is no rule that says you have to use factual information on this. Some people use assumed names and an assumed picture just to be able to… I have a friend who, I don’t have a Facebook account. My wife has a Facebook account with five people on it, her mom and dad and our three adult children. And we use that just to get pictures of our grandchildren in an easy and quick way.

David Sherry:
I have a neighbor that says the same exact thing and assumed name with an assumed picture has no other friends except just a few family members. So that’s certainly a way to be able to use the power of social media without giving away private information. And then there are the real zealots up for it that want to use it but all they do is consume. They just consume, consume, consume. They use it for their news digest. They use it to see what other people are doing and they absolutely don’t post anything. They’re just a consumer and not adding to it.

David Sherry:
So there are ways to do it. Once again, it’s balance. Everyone has a different level of security. Some people are comfortable talking about their salary. Some people aren’t. Some people leave their houses unlocked. Some people don’t. Some people put their blinds down. Some people don’t. Some people don’t want to go through the scanners at the TSA. Some people don’t. It’s all about a level of privacy. Everyone has a different level and has to find their own sweet spot.

Aaron Nathans:
Once you enter social media, do they then have the ability to just grab everything of yours and or is it what you volunteer?

David Sherry:
Hmm. So they certainly can start connecting dots. If you’re using similar email addresses, sooner or later, those email addresses are going to get matched up together. If you’re using browsers that may not have the right protections they can match up. So technology people at technology companies are very savvy and they start putting the building blocks together and building almost like a digital dossier on someone saying, oh, well, this browser did that and this account did this, but then I saw Aaron do this and I saw David do that. So Aaron and David might be the same person because they have enough things connecting to each other that we can make an assumption that, yeah, this is really the same person. So, that can be done.

Aaron Nathans:
Hmm. That’s scary.

David Sherry:
It is.

Aaron Nathans:
So what is a web browser?

David Sherry:
Okay. By definition, it’s just a piece of software that you run on a computer or any other device, a laptop or a handheld, that allows you to get access to internet websites. Instead of going to a Barnes and Noble many years ago and browsing the bookshelves, you’re using this piece of software known as a browser to find things on the internet.

Aaron Nathans:
So if I go to Barnes and Noble, other than maybe the security camera, nobody’s going to know what I picked up and leafed through. If I go to barnesandnoble.com, maybe not.

David Sherry:
Different story.

Aaron Nathans:
When you’re using one of the more popular web browsers, who knows about what you’re browsing? Who sees that information?

David Sherry:
Mmm. So the browser captures a lot of things right off the bat. And there are a lot of browsers. Everyone knows Chrome. Everyone knows Firefox. But we come across Edge, Safari, Opera, Google has one, Bing. There’s all sorts of different browsers. There’s private browsing now that we are getting more and more questions about, which I’m really happy about.

David Sherry:
But when you’re searching the internet, your browser, just the browser itself knows your IP address, your internet protocol address, so where you’re from. It knows that you’re sitting in New Jersey or Philadelphia or Rhode Island or New York, just by your IP address. It knows your geo location because it can usually attach that IP address to a certain block of numbers that maybe your internet provider knows about. It knows your mouse clicks. It knows when you’re hovering over a photo, it knows the hardware and the software that you have installed. It knows whether you have a social media account that’s running in that browser or even in a different page. It knows your browsing history. It knows your image data. It knows your fonts. It knows your language. It grabs all this stuff from your operating system. So even if you’re not logged in as David Sherry or a pseudonym, it knows all that about the person who’s sitting in front of the keyboard at that time.

Aaron Nathans:
So what are some ways to improve your privacy when you’re using a web browser? I mean, on some phones, there’s private mode, on some laptops there’s incognito mode. And how effective are those tools alone in improving your privacy?

David Sherry:
Yeah. So, that’s a great question. They improve your privacy. They don’t totally give you a hundred percent privacy, but they certainly improve it. What that does is it keeps certain aspects of your browsing, private. It’s telling your browser when you’re in either private or incognito, not to store data, not to register cookies, not to register if you typed in a credit card number, any form fields you put in, any IDs and password, you have in. Your browser is not saving it.

David Sherry:
But that’s just the browser aspect of it. Google will still know about it. If you’re connected to Google at the time, it knows the sites that you visit. Your employer would know if you’re using private or incognito browsing from your work computer. Your employer still knows about it. If you’re at home, your ISP will still know about it. It’s just your browser that’s not collecting it and sharing it with the browsing company. And when you close it down, it all goes away.

Aaron Nathans:
All right. You’re listening to Cookies, a podcast about technology security and privacy. We’re speaking with David Sherry, the Chief Information Security Officer here at Princeton University. On our next episode, we’ll talk with Mihir Kshirsagar. He’s a Clinical Lead at the Center for Information Technology Policy at Princeton and a lecturer in computer science. He’s a coauthor of a recent paper that spells out, in startling detail, everything you wondered about but didn’t want to know about how online platforms are allowing students to have their personal data exploited as the students use them for online learning.

Aaron Nathans:
It’s the hundredth anniversary of Princeton School of Engineering and Applied Science. To celebrate, we’re providing 100 facts about our past, our present and future, including some quiz questions to test your knowledge about the people, places and discoveries who have made us who we are. Join the conversation by following us on Instagram at E Princeton. That’s the letter E Princeton. But for now, back to our conversation with David Sherry. David, I’m guessing you’re not on Instagram?

David Sherry:
I am not on Instagram. I am not on Facebook. I do have a professional account on Twitter, CISO at Princeton, where I share privacy and security with the Princeton community. And I’m on LinkedIn, of course, with my basic resume.

Aaron Nathans:
I often find that people who are in computer science who limit their social media to one or two platforms, tend to choose Twitter.

David Sherry:
Hm-mm (affirmative).

Aaron Nathans:
That’s interesting.

David Sherry:
Yeah. And I choose to do it, Aaron, as a professional. So every time I comment or forward or do something, I do it from my lens as the CSO at Princeton. I think if I had a private account, I’d be talking more about sports and religion and politics and books and that’s where I think I’d get myself in trouble. So knowing I just have that professional one and I’m representing Princeton University, my tweets are very different.

Aaron Nathans:
That’s right. I know that feeling.

David Sherry:
Yes.

Aaron Nathans:
I run the Engineering Twitter account and it’s a very different voice.

David Sherry:
That’s right.

Aaron Nathans:
Okay. Well, let’s talk about DuckDuckGo.

David Sherry:
Okay.

Aaron Nathans:
What is DuckDuckGo? How can it improve your privacy and what are the trade-offs?

David Sherry:
Yeah, wow. So I like DuckDuckGo. I’ve been a fan of DuckDuckGo since it started. Legend has it, it started in some guy’s garage in Newton, Massachusetts, I believe. I don’t really know if that’s true, but all I know is I’m thankful that whoever had started it, put the work into it to keep it going. DuckDuckGo is an internet search engine. Just like Google, just like Yahoo, just like Bing, but it’s built for privacy. It stops you from being tracked. You know, as we just talked about, browsers are keeping tabs on what you’re up to. Things like the website, you visit the items you purchase, the videos you watch. With DuckDuckGo, what you’re searching is your business. They’re very good about privacy. They’re very good about openness about what they collect and what they don’t collect. And it’s just a way of not allowing all that other stuff that your browser has collected in anything that Google or Yahoo would collect, that they can serve up ads with. You don’t get that on DuckDuckGo. And there’s positives and negatives to it. But for most people, the positives way outweigh the negatives.

Aaron Nathans:
I mean, is it as intuitive a search engine? Usually people say I’m Googling something and that tends to be because Google has been the go-to browser. I’m sorry, forgive me, the go-to search engine.

David Sherry:
Correct.

Aaron Nathans:
Do you lose any functionality, any intuitiveness with DuckDuckGo?

David Sherry:
So 15 years ago, the search would not have been as deep and as robust as Google. I would say it’s on par or at least in the 90/95 percentile. The great thing about DuckDuckGo is, first of all, it doesn’t use pages. It’s continuous streaming. You know how people say, I only look at the first two pages of Google. Well, DuckDuckGo, you could go on forever because it’s just one continuous feed. It’s really an algorithm that’s based on the relevance to what you’re looking for and the perceived popularity of the internet about who has used it and how long they stay there. And the other great thing is if you’re, our listeners, don’t realize it, Aaron, if you put something into Google in a Google search engine and I put the exact same phrase in, our results are going to be different because Google uses what’s called filter bubbles, and it knows everything it can about you from your past searching, your past web browsing, your past purchasing habits, what you’ve watched on YouTube, what is coming in and out of your email and your habits would be very different from my habits. And what they try to give you is what they think you want to see.

David Sherry:
In this heightened political arena that we’re in now, if it’s a person that’s constantly looking at left-leaning materials, the web results are going to give left leaning results. And if it’s a person that’s right leaning, you’re going to get right leaning results. I find that to be disheartening. I don’t want my browser to tell me what it thinks I want to know. I want to be challenged and do my own homework and find alternative viewpoints and make my own decisions. There’s a great book by Eli Pariser, who’s a fellow I believe currently Princeton, or was at least before the pandemic. And he wrote a great book called Filter Bubbles that talks about how Google gathers all this and tells us what we want to know, or it thinks it wants to know. DuckDuckGo doesn’t do that. If you typed in a phrase, looking for something, and I typed the phrase looking for something 99 percent of the time, it’s going to come out exactly the same.

Aaron Nathans:
So let’s talk about Tor. How is Tor different from DuckDuckGo and what do you gain or lose by using it?

David Sherry:
Mm, well, Tor is a browser, but it’s really an ecosystem, more than just a browser that you could use on any one of your operating systems. It started back actually in the mid ’90s. The U.S. Navy was looking for a way to communicate sensitive information privately. And the Naval Research Lab came up with something called onion routing. Now picture the old analogy about peeling back the onion, that’s where this comes into play. It was a kind of technology that would protect your internet traffic with layers of privacy. And by 2003, it became what was known as the onion routing project or easily acronymed as Tor and was available for the public.

David Sherry:
And at its core, Tor is really used to anonymize your data. It’s a browser that can be installed that makes it difficult, if not impossible, for any snoops to see your web mail, your search history, your social media posts, your online activity. And of course, because of this Tor has somewhat of a bad reputation on the dark web because the bad aspects, the bad guys use it for their traffic and money laundering, drug running, whatever. We could go on and on and have a whole podcast on that because of its anonymity. But it’s open to the public. It’s in use on every college campus. I’ll tell you that. And it’s a good product.

Aaron Nathans:
So what’s a VPN? I know we use one at work, but how difficult and expensive is it to use one at home?

David Sherry:
Yeah, so very easy to use. When at home VPN stands for virtual private network and all it does is create an encrypted tunnel or encrypted traffic from your device that you have it installed on to whatever device you’re going to. From a work environment, we use it so that when Princeton people are at home and everybody at Princeton was at home since March of 2020, it makes their home computer or even their Princeton device, look like it’s on the Princeton network.

David Sherry:
If you did not have a VPN installed and you tried to get to campus resources that require you to be on campus, you can’t get there. When you start the virtual private network for Princeton, it connects your device to the Princeton network and you can be anywhere around the globe and look like you’re there. From a home perspective, you can run it on your phone, you can run out on your home device, all it does is gives you that privacy and anonymity of encrypting your traffic going back and forth. So your ISP doesn’t know about it. Your browser doesn’t know about it. And it can make it very difficult to be snooped or stolen by a criminal at that time.

Aaron Nathans:
You were speaking before about how Google collects all this information about you coming from all sorts of different areas. Would a VPN help fight that?

David Sherry:
A VPN does help fight that because it hides your traffic and it hides your IP address. So it would still collect other areas, but it reduces it greatly, it reduces it greatly. And it keeps the real private, the emails and the traffic that’s going back and forth, the real private pieces. Maybe, you’re okay saying no I’m using a Windows operating system that needs to be patched and that’s okay if somebody knows that, but if you’re sending an email to something about a job offer or to buy a house, you want to keep that private and a VPN is a good solution for that.

Aaron Nathans:
So how does a VPN work with a phone? When I think of a VPN, I think of the computer that I’m talking to you on now. How do you do that?

David Sherry:
Same thing. You have to install a VPN client on your phone. You can find those. We do not, as the information security office, we find it very hard not to recommend products, but we tell people, you go to PC magazine, you search top 10 VPNs, or top 10 email clients, or top 10 whatever, and choose the one that’s best for you. But it installs on your phone, I have one on my phone and when I need to do private communications, certainly back to the university, I fire up my VPN. That way then my traffic from my phone to the wireless tower, located up the street to how many other wireless towers it gets to Verizon before it connects back into the University is all encrypted and the data cannot be looked at.

Aaron Nathans:
In the absence of a VPN is a phone inherently any less secure than a laptop?

David Sherry:
So it all depends on the connection that you’re making. If your phone is connected to the 5G network there is some security built into that. Not 100 percent security. Just like if you took your laptop into the local coffee shop and hit their wireless. You have no privacy on that, unless you fire up a VPN, that wireless access point in that coffee shop is going to be looking at all your traffic. So same thing with a phone. 5G is better than your phone connecting to the wireless, once again, of the local coffee shop or your neighbor across the street, or any other wireless access point that’s wide open.

Aaron Nathans:
When I’m using my phone and I send a text message, how private is that communication? Is anybody seeing that other than the person I’m intending to send it to?

David Sherry:
Well, I don’t think anybody is sitting at the other end, Aaron, wondering what you’re texting your friends, but it’s certainly is available to the company of the messaging system that you have in the phone system that you’re using. They have access to those messages. Texting is not the most secure mode of communication that you can think of. Those are being stored somewhere and somebody could have access to it if they wanted to.

Aaron Nathans:
So, I mean, I hear about a texting services like Signal or Telegram. I mean, is that really only important if you’re a high level government official or a spy? Why would you want to secure your texting service?

David Sherry:
Sure. Once again, it’s just that different levels of people’s personal preference about their privacy. I wouldn’t want Verizon or the chat program that I use on my phone to know the things that I’m chatting up with my wife or my children, or private Signal, private chat rooms with my staff when we’re talking about incidents that are going on. So Signal gives me, that we use Signal because that gives me that sense of protection and sense of privacy. Signal is all of the messages are encrypted by default. So it’s always on. You can shut it off, but it would be why you use it if you’re at that point. So we know we have encryption. The data is stored encrypted on the device. Most people use it on their phone. Some people have it on the desktop as well, so that’s all encrypted.

David Sherry:
So if the device is ever lost or stolen, it’s just gobbledygook for the person. And the only thing that’s stored on the Signal servers for each account is the phone number that you registered with, the date and the time that you joined the service and the date that you last logged in. That’s all they know about you. The information they keep is very small and very private. And you know, it’s recommended by some of the greatest security thinkers in the world today, which is a pretty good recommendation, that if they use it, I would say, why doesn’t everybody use it?

Aaron Nathans:
So email’s been around for decades. When I first started using email, it just felt like, like I’m sending a letter to somebody only I’m typing it on my gigantic computer. At what point did email become a privacy risk and why?

David Sherry:
Can I say that the day the first one was sent, it became a privacy risk?

Aaron Nathans:
Really?

David Sherry:
Yeah.

Aaron Nathans:
So on that gigantic computer, there were privacy concerns too?

David Sherry:
There was probably not a lot of security built into it, whether someone was actually trying to sniff that traffic or trying to find the original ones. There’s a lot of things that have evolved since computing really exploded, ’60s, ’70s, ’80s, that security wasn’t built in. Security was an afterthought. Even when they internet was being built, security was an afterthought, which is job security for those of us that are in it and something that we have to keep up with every day.

David Sherry:
But no, overall, email, especially Gmail and Yahoo, if we’ll go back to AOL and CompuServe and BBN Planet and all those, those were never built for security. The traffic was not encrypted, so it could be sniffed or they could have a man in the middle attack. It was never encrypted at the front end, the back end, so whatever server that was on the administrators had access to it. We’ve always said, when you’re sending an email, it’s almost like sending a postcard. And when you send a postcard, everyone in the US Postal Service has the ability or the capability of reading the back of that about your recent trip to Paris or something. I’m a former postal employee. I can tell you that that very rarely happens, but the capability is there because of the writings right in front of it. But you take that postcard and you put it in an envelope and you lick it and you seal it. Now, it makes it a lot more difficult.

David Sherry:
Email is kind of like a postcard. It travels all over the place and anyone who’s in that location has the capability of reading it. So encrypted email and private email is the way to go. Certainly corporate email, like at Princeton, we have a lot more privacy built into it and we build it for security and we build it for privacy. But my comments before were mainly on the public ones like Gmail and Yahoo and other things that we do get for free.

Aaron Nathans:
So who’s seeing that those private emails?

David Sherry:
So once again, it’s not somebody sitting there approving it and fixing your typos and spell checking before it goes onto the next person. It’s just if I am sending an email to a person, let’s say in Western Canada, how many servers does that have to go through before it gets there and how many touch points and how many of those copies are saved and who has access to it?

David Sherry:
So every system administrator, at any enterprise, has escalated privileges and the power and the authority to read things like that. They’re not supposed to, we signed confidentiality agreements and if you’re a certified security professional, you take an ethics oath every year not to do that, but it still has the capability of being read because it’s not encrypted, it’s there in clear text at every one of the stops. So that’s what makes email not as private and not as secure as a lot of other mediums that you could use to send data.

Aaron Nathans:
Is that more of a hypothetical risk that people can have their email looked at? Or is it, is there a lot of documented cases of people’s emails being hacked into?

David Sherry:
So certainly the there’s less and less because it’s easier to find out things, phishing emails, just going in and getting the person’s ID and password and go and reading them that way is the easiest way. But in the early days of email and wireless, remember wireless wasn’t ubiquitous. You had to really find it. I recall a time I was walking through New York City with my niece and I stopped and I was looking at the foundation of a building and she said, what are you looking at? And I was looking at the marks and I said this gives me enough information that I can get free wireless access here. I can read through this cryptography and say, if I sat here with my laptop and opened up, I got enough information that I can use the wireless in this building. And that’s because you can find wireless in a lot of places, it was called warchalking.

David Sherry:
And you could walk around New York City, if you could understand the code that was written, you could get free wireless. Now, all of a sudden wireless shows up at coffee shops and at restaurants and attackers know that people sit there and want to do their shopping. So they start sniffing the traffic. They look for emails, they look for credit cards going by, it’s getting less and less because there are other ways for the criminals to do this, but hypothetically, yes. Does it happen? Less and less, but still can be done. The bottom line is email is really not a secure platform. At Princeton, we say we cannot send restricted or confidential information by email. We have other options to doing that because it’s just not protected.

Aaron Nathans:
Are there more secure email services than the most popular ones?

David Sherry:
Certainly. Just off the top of my head, ProtonMail, Mailvelope, MailPile… SCRYPTmail, GMX, FastMail. There’s a whole host of them if you start going through it. WeEncrypt, FairEmail, FlowCrypt. Okay? I think that’s enough.

Aaron Nathans:
What they all have in common?

David Sherry:
They all have in common that they’re built for security. If we could take one of the most popular ones, ProtonMail, another thing that’s used by a lot of security thinkers. So that’s a good recommendation for it. That was developed by scientists at MIT in CERN. It’s based in Switzerland, which has huge privacy and security laws. It’s completely open source, so you can check it out. And basically that offers end to end encryption plus a lot of other security features that keep the communications private. Even the company that’s hosting your mail does not have the message texts, it just has the message headers of who, when and where and why. So, that’s just the way to go. If you want your mail to be kept private, you don’t want to be using the public ones like Gmail and Yahoo. You want to be using something like ProtonMail or Mailvelope.

Aaron Nathans:
So finally, we’ve spoken about a lot of different ways to secure your online activity, but it’s a lot of work to do all of them. People can pick and choose among them. How do we know which of these steps are warranted? And which of these are better suited to again, a spy or a high level government official? I mean, how do we strike a balance between doing the right thing and still being functional?

David Sherry:
Sure. Yeah. The great thing is you can be functional with all these things. With the free one or the paid versions, you certainly can be functional. Like anything else, there’s a trade-off. We use two factor authentication now to get into a lot of our systems, both personally and professionally. That’s a trade off to get that extra level of security, you have to click that thing on your phone to say, yes, this is me. So you have to strike a balance.

David Sherry:
So I talked at the beginning, Aaron, about everyone’s privacy level is a little different. Yours would be different than mine. It’d be different from the next two people that we talk to. So you have to say, how far do I have to go to protect my privacy. As a security professional, I take it kind of seriously and I will take all these steps. But sometimes it takes a negative event for people to jump on the bandwagon they say, oh this will never happen, this will never happen to me. And the next thing you know, maybe their bank account has been drained and they trace it back to a phishing email that they had or a hacked website that they a credit card stored.

David Sherry:
I don’t store credit cards on any browser because I just don’t… Browsers aren’t built for that and I don’t know the security posture of the people who are protecting it. I use a password manager to protect all my passwords. So they’re all long, crazy, strong. I don’t even know half of my passwords, maybe three quarters of my passwords anymore, but I don’t keep the password to my financial, my retirement in there, because that’s the level of privacy that I choose, that I want to keep that in a safe in my home. But you know, my login for Home Depot or websites I visit, I keep that in a password manager. So it’s really a personal choice as to what level of privacy, what level of security, and then the effort that takes to do that.

Aaron Nathans:
Well, we’ve been speaking with David Sherry, the Chief Information Security Officer here at Princeton University. David, thank you for taking the time to speak with us today. This has been really interesting.

David Sherry:
Right. I really enjoyed the conversation, Aaron. I’m real thankful that you asked me to speak.

Aaron Nathans:
I want to thank David as well as our recording engineer, Dan Kearns. Thanks as well to Emily Lawrence, Molly Sharlach, Neil Adelantar and Steven Schultz. Cookies is a production of the Princeton University School of Engineering and Applied Science. This podcast is available on iTunes, Spotify, Stitcher, and other platforms. Show notes and an audio recording of this podcast are available at our website, engineering.princeton.edu. If you get a chance, please leave a review. It helps.

Aaron Nathans:
The views expressed on this podcast do not necessarily reflect those of Princeton University. I’m Aaron Nathans, Digital Media Editor at Princeton Engineering. Watch your feed for another episode of Cookies soon. Peace.