So how are we now in a world where doing day-to-day menial tasks, where even trying to buy a bag of oranges, compromises our basic rights to privacy and safety?

Let's set the scene a little...

Essential vs Non-Essential

Covid has had a massive impact on the lives we take. Before, you could nip to your local shop to buy your bag of oranges. Now, though, we live amongst a virus that can, and has, cause serious harm to a large population. It reached a point where even walking outside can be a death sentence for you, or your loved ones.

The local shop is no longer equipped to provide essential goods to the population.

This firmly places various online services into the role of being an Essential Service, effectively making them non-optional for day-to-day living going forward.

Privacy

Privacy is, somehow, a touchy subject. One side says "no privacy, catch the undesirables". The other, a strong proponent for the right to be forgotten + anonymity, with the masses not understanding the implications, or recognising that privacy is not black and white.

The Right to Privacy is about choosing how you present yourself to the outside. My personal life has nothing to do with anyone but myself. I choose to share my professional life; not for gain, but because I find what I do professionally very interesting, and others get enjoyment out of what I provide. Many others make this choice too, notably the faceless from Youtube; Real Civil Engineer, Lock Picking Lawyer, Bosnian Bill to name a few.

Undesirables

Originally, I wrote "unlawful", however that implies that everyone is honest, and that all laws are just. It also implies that only Law Enforcement is watching. There's been enough said on this matter over the past decade. At a fundamental level, nothing has changed where it matters. Technology has progressed, but the politicians haven't. Unfortunately, it's the politicians that make decisions still.

Welcome to the Internet

The Internet can be a dangerous place, and is not inherently safe. Having everything "Secure by Design" is some wild fantasy an idealist dreamt up, so individuals have to take safety into their own hands.

Sorry State of Enterprise

In the UK, Enterprises can get certificates to say they're "secure", though the Cyber Essentials Scheme. Having implemented their guidelines multiple times, rest assured that it is a meaningless certificate in the sense that if you don't adhere to it, you have well and truly failed already, and you will get compromised. The bulk of the implementation amounts to "encrypt your devices, enable UAC, do updates, have an anti-virus where applicable". Needless to say, most reputable business laptop providers do this out of the box. The one thing of note is the lack of guidelines around "what if you do get compromised". And if you are compromised, there's some pretty steep fines to go with it. You get compromised and don't report it (be it neglect or malicious), you get even more fines. So you'd best be able to identify a compromise within 48 hours. More on this in future articles!

Basically, enterprises in the UK are largely insecure at the most basic levels. If you can't trust a company to protect their own interests, how can you trust them to protect yours?

Pretty worrying when you consider the rise in Startups in regulated spaces (the regulations generally have little bearing on technology).

Then I'm at their mercy?

Well, yes and no. There's a lot of ways to compromise a company. They could break into the app/database. They could get an employee to share details (Phishing). They could launch a Monster-in-the-Middle (MitM) attack.

Something to remember, though.. Your engagement with a company is not directly with that company. There's:

• the companies that made the network equipment. Rest easy that all wireless access points are maintained, and secure.. Right? It was definitely someone knowledgeable that setup the hotel WiFi...
• Internet service providers have never been immoral. They've never looked at your data. They wouldn't tamper your data for their own self-interests..
• Internet Service Providers... Saying it twice, many would assume that the name on the bill is their service provider. However, much of the Internet is built on shared infrastructure for a reduction of costs. BT Openreach comes to mind here.
• someone in the corner, drinking a Mocha, eating tea biscuits, tapping away at a keyboard. I bet you missed them the first glance around the café. You're using the WiFi. It must be secure, it has a password! I'd post a packet dump, but I think that's a little too in the grey area.

And what are they after? Data. All of it. Though usually something more tangible, like a credit card number, or a password. Knives have been swapped for keyboards in the mugging game.

protecting yourself

OK, you've been exposed to some of the minor dangers out there. Dangers that you encounter on a daily basis without realising. Maybe you've been affected. Maybe you know you were affected, and managed to reset your cards + passwords afterwards.

A common practice (and one I employ for personal + professional use) is to use a VPN. That's right, the tool you use to bypass Streaming restrictions can also be used to protect you and those around you.

The aim of using a VPN is to limit the involved actors from everyone down to 3; you, the company you're engaging, and your chosen VPN Service Provider. A VPN sets up a tunnel to send your Internet through, with a much smaller attack surface than a request going to a website. Basically, 1 very strongly protected connection, as apposed to thousands of "probably alright 20 years ago" connections. Most attacks happen during the start of a connection (handshake). By reducing how many connections you start, you drastically reduce the opportunity the Mocha drinker has to get your data. The VPN also encrypts the traffic; so if you go to a website that isn't 'https', you're still safe from the Mocha.

Buy your Oranges already, dammit!

Fine, fine. We've established how to make you a little more secure online. Let's open the online shop we all know but shall not name.

Except, it doesn't open. Everything else is working fine, let's try the other VPNs. Still a no go.

What we're beginning to see is websites blocking real, human originated traffic; simply for the fact that we value our Safety and Privacy.

There are a few interpretations of this; but the answer they'll provide tomorrow will be along the lines of "we're so sorry you feel this way, we value you being a member", to which the can will be kicked down the road.

reasons for compromising the safety of an individual

The 2 common arguments are around Bot detection (hello, CAPTCHA), and preventing an individual from ordering goods not in their region (weak argument when you provide primarily physical goods).

legitamite reasons

404 - Not Found

so, no Bag of Oranges?

It seems that way. To order everyday-essential goods from an online shop positioned as the saving grace of Covid, we must now compromise the safety of ourselves and our loved ones by disabling our VPNs.

While you may say "guess that's a condition of the service", remember that these are essential goods; items that we can't live reasonably live without. Given the current climate, we cannot afford to compromise our online safety; and so, I must call for others to join in the banning of VPN blocking, for the good of society.

Let us buy our Oranges, without giving a piece to the Mocha drinker