
THE DIGITAL SPIES ARE WATCHING YOU—MARKETERS, THE NSA, IDENTITY THIEVES, ALL KINDS OF SNOOPS. BUT THE BATTLE’S NOT OVER. HERE ARE SEVEN BIG CATEGORIES OF PERSONAL TECH, AND HOW YOU CAN SECURE THEM.

IT’S TIME TO FIGHT FOR YOUR

PRIVACY, WE SAY, is about to come roaring back. No, it’s not too late. Yes, we know that Google monetizes both our emails and our search histories. It’s true that data brokers market our personal dossiers, listing everything from our favorite blogs to our old parking tickets (identity thieves must love it). And NSA leaker Edward Snowden really did prove the paranoids right: The United States government spies on everyone. Now, we agree that security agencies have a vital responsibility to track terrorists, but that mission can’t require all citizens to live in a surveillance state. Feel you have nothing to hide? That assumes the data will always be used to defeat terrorists, not to monitor activists, let alone to stalk ex-girlfriends—yes, NSA employees have done that. Here’s the other side to the privacy-is-dead argument. You can fight the privacy erosion that technology has enabled using tools that technology provides. And when you protect your data—using encryption and other tools—you incidentally bolster the argument that security is the norm. At least it should be. Privacy is not dead but simply suffering from neglect. It’s your job to revive it.

BY DAVEY ALBA
PHOTOGRAPH BY TERU ONISHI. PROP STYLING BY SARAH GUIDO. TYPOGRAPHY BY SINELAB. ILLUSTRATIONS BY AMANDA LANZONE.
POPULARMECHANICS.COM / FEBRUARY 2014

TECH: WEB BROWSERS
TO DO: DEFEAT TRACKING SOFTWARE

Web browsers work in two directions: You use them to learn about the world, and snoops use them to learn about you. The sheer number of identifying files, or cookies, downloaded onto our computers can surprise even jaded digital natives. Many cookies are helpful—keeping you logged in to a service, for instance—but others exist purely to help marketers target their sales pitches. An online tool maintained by the Network Advertising Initiative can reveal who is collecting information on you; a browser we tested was being tracked by 82 firms, with names such as AppNexus, Criteo, and Datalogix.

Cookies can be cleared, but new methods for tracking online use will be harder to circumvent. For instance, some companies use browser fingerprinting, which looks for distinctive patterns of computer settings, such as installed fonts and time-zone details, to home in on a user’s identity. Google and Microsoft are also working on a new form of cookie-less identification: unique IDs with tracking that reaches beyond the desktop and into the user’s browsing activities on smartphones and tablets. Google’s system potentially could be used to tie together data across all its products—Gmail, the Chrome browser, and Android phones.

In addition to tech firms, the U.S. government can monitor your digital trail through your browser. Among last year’s revelations: The NSA has tapped into the fiber-optic cables that make up the Internet’s backbone, and, through the Marina metadata application, the agency can track an individual’s browsing history, social connections, and, in some cases, physical locations.

Routine fix: To practice good browser hygiene, regularly clear your cookies and your browser cache. There are a number of browser add-ons that can shrink the deluge as it pours in. For instance, AdBlock Edge blocks ads and third-party trackers. The Disconnect add-on lets you see and prevent otherwise invisible tracking of your browsing history. (Both add-ons work with Firefox and Chrome; Firefox is preferable because it’s an open-source browser.)

Extreme fix: Organizing resistance to a totalitarian state and need real anonymity? Download the Tor Browser Bundle. Tor has become famous as a secure way for activists, journalists, and, yes, some criminals to browse the Web. Tor bundles your data into encrypted packets and directs it through a worldwide volunteer network of more than 3000 servers, hiding your location and making your data more difficult to read along the way.

There are two downsides to Tor: First, it’s slow, because your data is sent through at least three relays, with each relay donating different amounts of bandwidth to Tor users. Second, merely downloading it can draw government scrutiny. The NSA has reportedly developed a system called FoxAcid to insert eavesdropping applications into the machines of Tor users. However, the agency admitted in a leaked Snowden document, “We will never be able to de-anonymize all Tor users all the time.” A virtual private network (VPN) adds a different kind of protection by encrypting all outbound computer communications. Combine Tor with a VPN and you’ve got even tighter security.

TECH: SOCIAL NETWORKS
TO DO: RAMP UP PRIVACY SETTINGS

In 2011 an Austrian law student named Max Schrems asked Facebook to provide all the data it had collected on him, taking advantage of an obscure provision in a European data-protection law passed in 1995. Schrems initially received only a fraction of his data. He protested, and eventually a CD showed up at his door that held a 1222-page PDF, which included employment information, relationship statuses, pokes, old chat conversations, and geotagged photos—most of it information that Schrems thought he had deleted. Such data is being monetized by tech companies in increasingly invasive ways. Google’s Shared Endorsements feature, for instance, allows the company to include a Google Plus user’s name and photo alongside ads being shown to his social contacts, if the original user had indicated some interest in the product. And potentially such data could also be pored over by recruiters, cybercriminals, and stalkers.

Routine fix: Use strong privacy settings on each of your social networks, placing limits on who can see your posts. To block tracking software associated with the Share buttons on many websites, install Disconnect, an extension that disables such widgets. Also, log out of social networks when you’re finished, and routinely clear cookies.

Extreme fix: Opt out of social media—invite your friends to a barbecue.

PRIVACY MAKEOVER
HOW POPMECH TECH EDITOR DAVEY ALBA TRIED FOR TOTAL DIGITAL SECURITY.

PROUD TECHNOPHILE—that’s how I’d describe myself. I’ve built a 3D printer from mail-order parts. I once tracked down an iPhone thief using sneaky digital tools. My smartphone, at last count, has 303 apps. But testing seemingly every digital product released has a downside: It means I have bigger privacy vulnerabilities than most people. And for all the attention I pay to technology, I’ve never worked particularly hard at protecting my data—I always used default privacy settings and the same, sloppy online tools most people choose. No longer. After interviewing dozens of computer science researchers, cryptographers, and security professionals and learning how easily digital snoops can access personal data, I decided to change my ways.

Every expert’s top suggestion: Use open-source software, because the NSA works with tech companies to weaken encryption in proprietary software. “It’s much harder to build in back doors in open-source,” Matthew Green, a computer security expert at Johns Hopkins University, told me. “The eyeballs are on it.” I switched to Mozilla Firefox, and I jettisoned my Googling habit in favor of a new search engine, DuckDuckGo. I downloaded Tor, an anonymizing browser bundle that hides your identity—it’s slow but worth using if you’re on an open Wi-Fi network. Right now I am locked in to an iPhone contract, but next time I’ll go with Android, which is open-source. So far, so easy.

Next, I set about installing on my laptop and phone. Honestly, I’d never even heard of some of the tools my sources recommended—with names like Cryptocat, Autistici/Inventati, and GNU Privacy Guard. Downloading a secure instant-messaging client was a cinch. So was adding plug-ins to my browser to block tracking by ad companies. However, it took me an afternoon to wrestle PGP (Pretty Good Privacy) encryption into my email, partly because I insisted on learning how to encrypt my Facebook messages too. I started using a password manager, then promptly forgot the long master password I’d created. But I worked through the mishaps and felt much more secure once I was done.

But there was a rub: Privacy is a lonely world. I had an encrypted phone service and text messaging—and no one to talk to. The first time I fired up my secure texting app, Silent Text, I had exactly one contact on my list: Bruce Schneier, the cryptographer who’d recommended it. But rather than give up, I started cajoling my friends into enabling encryption on their own systems so that we could communicate. (I probably have lots of invisible new friends too. The NSA reportedly flags people who download encryption software—I imagine I’m now on the agency’s radar.)

Is increased security worth the trouble? I say yes. Realistically, it may be hard to adopt some of these tools, the ones that require your friends to sign up as well. But if there’s ever been a time to advocate for privacy technology, this is it. Downloading encryption tools sends a clear message that you’re not okay with digital snooping. All kinds of organizations are spying on us, with minimal permission or oversight. We don’t have to make it easy for them.

DIGITAL SAFETY ZONES

Where do you land along the privacy spectrum? Side with the easy-going online libertines and you’ll never have to remember another password—but everyone from spam-bots to NSA spooks will have their way with you. Join the Luddite camp, avoiding all digital entanglements, and you’ll be safer but isolated. Most of us will be happiest somewhere in the middle. Choose wisely, digital dweller.

The Man With No Secrets—at All
Security level: 1
Profile: You’re a digital exhibitionist—and an identity thief’s perfect target.
Digital tech: One password to rule them all (last four of your Social Security number should do it); unsecured Wi-Fi; phone Password Lock set to Off.
Social networks: Facebook, Snapchat, Pinterest, Twitter, Instagram—you name it. Privacy settings? What are those?
Commerce: The more retail loyalty programs you can join, the better you like it.

You Floss Nightly—and Clear Your Web Cache
Security level: 2
Profile: Sure, you know the NSA and Target are both listening in. Creepy? Sort of. You’ll take precautions—but you’re not giving up Scramble With Friends just to make a point.
Digital tech: For Web browsing, privacy add-ons (e.g., HTTPS Everywhere, Disconnect); for email, two-step verification and strong passwords; WPA-encrypted Wi-Fi.
Social networks: All networks, but with strong privacy settings and a password manager.
Commerce: Amazon Prime, baby . . . You can’t give up everything.

Paranoid? No, Realistic
Security level: 3
Profile: They laughed at your talk of government surveillance, but that was before Edward Snowden. Who’s paranoid now?
Digital tech: VPN (virtual private network), OTR (Off The Record) instant messaging for laptops, and for mobile phone calls; PGP (Pretty Good Privacy) email encryption.
Social networks: Offline only—you meet your buddies at the Def Con Hacking Conference.
Commerce: No loyalty cards; you give “Jenny’s Number” (XXX-867-5309) to store clerks to look up “your” account.

Welcome To the Encrypted Zone
Security level: 4
Profile: You’re a CIA agent or democracy activist in a totalitarian state. Or maybe you just think like one. Welcome to the privacy rabbit hole.
Digital tech: Air-gapped computers (meaning no Web connection) for sensitive files; burner phones; the Tor bundle with VPN. Open-source technology.
Social networks: Offline only. Immediate family, trusted members of your doomsday-prepper network.
Commerce: Cash, barter in MREs . . . or bitcoins.

Living Off the Grid, Under A Rock
Security level: 5
Profile: You don’t want to worry about digital snooping—ever. So you’ve gone offline.
Digital tech: Does finger painting count? Absolutely no computers.
Social network: Other woodland creatures, your reclusive aunt.
Commerce: Cash, foraging for edible roots.

TECH: AUTOMOBILES
TO DO: GET USED TO IT

Photo caption: E-ZPass tags capture a car’s location data at toll plazas. The information can be used in civil court cases, such as divorces. Tag readers can also be used to monitor traffic flow along any road. (PHOTOGRAPH BY ASSOCIATED PRESS)

In early 2012 a tinkerer with the Internet alias Puking Monkey hacked a plastic “moo cow” toy to sound an alarm every time his E-ZPass was read. This RFID-enabled device is used to pay bridge and highway tolls throughout much of the East. But during a test drive in July 2013 the cow lit up and wailed in Manhattan, even when the car was nowhere near a toll plaza. The unseen E-ZPass readers had been installed to help monitor traffic flow—but that didn’t pacify the hacker. “If nontoll tracking is benign,” asks Puking Monkey in an email, “why is it not disclosed when you sign up for an E-ZPass?”

There are ways to avoid that kind of tracking. But you can’t really do too much about the big guns of automotive surveillance: the tens of thousands of automatic license-plate scanners deployed across the country. In Grapevine, Texas, to give one example, 14,547 vehicles were photographed in one day, and up to 2 million plates are currently stored in a database. Most law enforcement agencies can still set their own policies on the use and retention of the data (it varies by state); many
have no policy at all. In addition to all this, cars are themselves data-sharing devices—electric cars can upload data to their manufacturers, and connected services such as GM’s OnStar and the Ford SYNC infotainment system send information to the cloud. But the most widespread in-car device is the event data recorder (EDR), which tracks seatbelt use, speed, steering, and braking, among other bits of vehicle data. This data comes into play during accident investigations. Ninety-six percent of cars built in 2013 have the devices; they will be required in all new cars starting next September.

Routine fix: You can store RFID devices such as an E-ZPass in a read-prevention holder until you get to a tollbooth. Or simply pay cash—though that option is going away on some roadways. There’s a lot of chatter about techniques to defeat license-plate cameras, but it’s unclear whether these are legal or even effective.

Extreme fix: When it comes to black boxes in cars, the best approach is to know your legal rights—or, better yet, just to drive safely. Really hate being watched? Buy an old car that predates black boxes.

Photo caption: License-plate readers (left), mounted atop patrol cars and along city streets, scan up to 1800 license plates per minute—keeping track of virtually every car on the road.

TECH: INSTANT MESSAGING
TO DO: CLEAR OLD CHATS

Instant messages seem fleeting, but they’re not. The messages are stored, at least briefly, on the IM service provider’s servers, and, unless you delete them, on your machine and your partner’s. And unencrypted messages are vulnerable to interception as they travel from your device through your ISP’s network to your IM service provider (Google, AOL, Yahoo, Microsoft, or whomever) and then out to your friend’s computer. But does anyone actually snoop on IM conversations? Well, the U.S. government does, for one. Snowden leaks reported in July 2013 revealed the existence of XKeyscore, an NSA program run in cooperation with security agencies in New Zealand and Australia that, among other things, lets agents surveil IM correspondence, often in real time.

Routine fix: Delete your chat records, in case anyone gets hold of your phone or laptop. You can stop recording future chats by changing the settings in your IM client.

Extreme fix: The gold standard in IM encryption is OTR, or Off The Record (not to be confused with Google’s proprietary Off The Record chat feature, which isn’t secure). OTR uses “perfect forward secrecy,” which means a fresh set of encryption keys is created every time one partner in the chat sends a new batch of messages. Note: Even participants in the chat won’t be able to review old messages. As Ian Goldberg and Nikita Borisov, the designers of the OTR protocol, explained in an email, “The only record of the conversation is your memories.”

TECH: EMAIL
TO DO: TURN ON OPTIONAL SECURITY TOOLS

The content of your emails can be less revealing than the metadata—the record of which contacts you correspond with and how often. Through a program called Stellar Wind, the NSA logged metadata on email communications for 10 years, and from 2007 to 2011 the data included bulk information on Americans. In a separate effort, the government agency has been scooping up hundreds of millions of contact lists from around the world, at a rate of 250 million people a year.

One piece of fallout from that spying has been the shuttering of two services that until recently offered a high level of protection—not just against the United States government but also against repressive regimes and criminal organizations. Ladar Levison, the owner of Lavabit, a Texas-based secure email service, closed down operations in August after he was asked to hand over the encryption keys that protected his site to the FBI, which would have given the government access to all user data. The FBI said it was just interested in Lavabit’s most famous user, Edward Snowden—but refused Levison’s offer to provide access to that account only. A few hours later the encrypted communications company Silent Circle announced that it, too, was closing its email operations because, while the messages sent through its service were encrypted, email protocols—SMTP, POP3, and IMAP—leave user metadata open to spying. “We decided that our email service was too much of a risk for us and our customers,” Silent Circle’s Jon Callas says. “While it might have been a good idea six months before, it wasn’t a good idea in a post-Snowden world.” The companies have since teamed up to develop a new service, called Dark Mail, meant to secure both the content of an email and its metadata—the encryption will only work among Dark Mail users.

Routine fix: Ordinary email protocols make it impossible to hide metadata information, but there are ways to secure the content of your messages. Check that you’re using the common Internet security protocols, SSL and TLS, when you’re on webmail. (The browser’s address line will start with https, and a small padlock appears.) If you’re using a desktop mail client, make sure you’re connected via SSL/TLS over IMAP or POP; otherwise your emails are being sent in cleartext and can be read by outsiders. Also, turn on two-factor authentication, a security feature offered by the three big email services, Gmail, Yahoo, and Outlook (see “5 Email Myths Debunked,” p. 82, for additional routine email-security measures).

Extreme fix: People who truly need to guard their communications use PGP (Pretty Good Privacy) when they email each other. Every user has a pair of cryptographic keys, a public encryption key, and a private decryption one. The public key is widely distributed, while the private key is kept by the owner. A sender encrypts his or her note with the recipient’s public key, transforming it into gibberish. Since only the sender and receiver hold the keys, no one in the middle—including the email service provider—can decode the message. PGP doesn’t hide the metadata, though, and everyone you communicate with has to be using PGP for it to work.

“TOO OFTEN THE DISCUSSION ABOUT PRIVACY DIGRESSES FROM THE ISSUE OF CONTROL. PEOPLE DESERVE THE POWER TO KNOW WHAT’S GOING ON, AND TO SAY NO OR SET LIMITS ON WHO CAN USE THEIR DATA. MAKING SURE GOOD CHECKS ARE IN PLACE IS SOMETHING THAT WE, AS BOTH CITIZENS AND CONSUMERS, CAN AND SHOULD FIGHT FOR.”
ADI KAMDAR, ELECTRONIC FRONTIER FOUNDATION

TECH: MOBILE DEVICES
TO DO: DELETE OLD APPS

There’s no need to invent the ultimate citizen-surveillance device: It already exists, and it’s called the smartphone. Police departments have been investing in IMSI catchers (that’s short for International Mobile Subscriber Identity). These devices insert themselves between mobile devices and cell towers—the technology can be used to identify participants at a demonstration and even access their conversations. Hackers can build or buy the devices, as well. Additionally, law enforcement agencies can easily subpoena third-party companies for user data; in 2011 cellphone carriers responded to an astonishing 1.3 million demands for subscriber information. The companies handed over text messages, caller locations, and other information, in most cases without the knowledge of the user. Brick-and-mortar retailers are also making use of cellphone-location data: Some chains have started experimenting with using phones to track individual shoppers as they move through the store. And many mobile phone apps can transmit location data, contact lists, and calendar information back to their developers. Lose an unlocked phone and, of course, you give up access to your contact lists, emails, chats, and everything else that resides on your phone.

Routine fix: First, delete the apps you don’t use—fewer apps means fewer robotic spies.

Extreme fix: Silent Phone can encrypt phone calls ($10/month, iOS and Android)—both parties need to be subscribers. There are also secure apps for IM chats and Web browsing. Prepaid, or burner, phones are relatively safe from snooping because they aren’t tied to an account. And if you’re worried about IMSI catchers at your next political rally, just leave your phone at home.

Photo caption: Burner phones, prepaid devices that aren’t tied to a specific account and allow people to switch numbers frequently, can be useful tools for the highly cautious.

TECH: WI-FI
TO DO: USE ENCRYPTION

We all know that browsing on an unsecured network is just asking for someone armed with cheap network-analyzing software to tune in by vacuuming the 802.11 data packets flying between your machine and the Wi-Fi router. That can happen in Starbucks—or in your home. Last September a federal appeals court ruled that Google could be held liable for civil damages for eavesdropping on homeowners’ Wi-Fi networks while using the company’s camera-carrying Street View cars. Google says it was all a misunderstanding: The Wi-Fi data was being used to pinpoint precise locations where GPS signals were spotty.

Routine fix: Most wireless Internet access points come with WEP (Wired Equivalent Privacy) or WPA (Wi-Fi Protected Access) to let you encrypt the messages between your computer and your access point. Use WPA if possible; it’s the stronger technology. In addition to protecting your data, turning on encryption gives you legal protection against hackers under the Wiretap Act, which Congress passed in 1968 and last amended in 1986 through the Electronic Communications Privacy Act (ECPA). If you don’t make any attempt to secure your data transmissions, the law assumes that your intention is to run a public network.

Extreme fix: Combine a virtual private network with the Tor bundle and you’re as safe as you can be—well, almost. Want even better security? Don’t use Wi-Fi at all.

PHOTOGRAPHS BY ASSOCIATED PRESS (CAMERA), PHILIP FRIEDMAN (PHONE)
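
An added example, not part of the original article: the browser-fingerprinting point from the Web Browsers section, run over a constructed population of six browsers to show how many users share each combination of settings and that clearing cookies leaves the fingerprint unchanged. The field names, sample values and the `normalize` mitigation are assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter

# Settings a page script can read with no cookie involved. Names and values
# are constructed for illustration.
FIELDS = ("user_agent", "timezone", "screen", "fonts")

# Constructed sample population of six browsers (not measured data).
VISITORS = [
    {"cookie": "c-101", "user_agent": "Firefox/26.0", "timezone": "UTC-05:00",
     "screen": "1366x768", "fonts": ["Arial", "Calibri", "Verdana"]},
    {"cookie": "c-102", "user_agent": "Firefox/26.0", "timezone": "UTC-05:00",
     "screen": "1366x768", "fonts": ["Arial", "Calibri", "Verdana"]},
    {"cookie": "c-103", "user_agent": "Firefox/26.0", "timezone": "UTC-05:00",
     "screen": "1366x768", "fonts": ["Arial", "Calibri", "Verdana", "Futura"]},
    {"cookie": "c-104", "user_agent": "Firefox/26.0", "timezone": "UTC+01:00",
     "screen": "1366x768", "fonts": ["Arial", "Calibri", "Verdana"]},
    {"cookie": "c-105", "user_agent": "Chrome/32.0", "timezone": "UTC-08:00",
     "screen": "1920x1080", "fonts": ["Arial", "Helvetica"]},
    {"cookie": "c-106", "user_agent": "Chrome/32.0", "timezone": "UTC-08:00",
     "screen": "1920x1080", "fonts": ["Arial", "Helvetica"]},
]


def fingerprint(visitor, fields=FIELDS):
    """Hash the chosen settings into a stable identifier; the cookie is never used."""
    parts = []
    for name in fields:
        value = visitor[name]
        if isinstance(value, (list, tuple)):
            value = ",".join(sorted(value))  # font order must not matter
        parts.append(f"{name}={value}")
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]


def anonymity_report(population, fields=FIELDS):
    """For each visitor: how many browsers share its fingerprint, and the
    identifying information in bits (log2 of population / set size)."""
    prints = [fingerprint(v, fields) for v in population]
    sizes = Counter(prints)
    total = len(population)
    return [(sizes[p], round(math.log2(total / sizes[p]), 2)) for p in prints]


def clear_cookies(visitor):
    """Model the routine fix: the cookie is replaced, the settings are not."""
    fresh = dict(visitor)
    fresh["cookie"] = "c-new"
    return fresh


def normalize(visitor):
    """Assumed mitigation: report one common time zone and a fixed font list,
    so these two settings stop distinguishing users."""
    same = dict(visitor)
    same["timezone"] = "UTC+00:00"
    same["fonts"] = ["Arial"]
    return same


if __name__ == "__main__":
    for visitor, (size, bits) in zip(VISITORS, anonymity_report(VISITORS)):
        print(visitor["cookie"], fingerprint(visitor), f"shared by {size}", f"{bits} bits")
    unique = VISITORS[2]
    print("same after clearing cookies:",
          fingerprint(unique) == fingerprint(clear_cookies(unique)))
    print("after normalizing:", anonymity_report([normalize(v) for v in VISITORS]))
```

A single extra font or a different time zone is enough to make a browser unique in this sample; once those two settings are normalized, the four Firefox users become indistinguishable from one another.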