Windows 10 is a Spying Machine
Windows 10 is neither a secure nor a private operating system, nor can it be made so. Here's why. If you're truly concerned about privacy or security, you should rule out Microsoft's products.
Windows is neither a secure nor a private operating system platform.
I couldn't recommend it to anyone concerned about the security of their computing platform or the confidentiality of their personal private information (PPI).
It cannot be hardened or made secure so long as it is connected to the public Internet.
If you use it, you are unwittingly transmitting PPI, location data, and system data to Microsoft, even if you attempt to harden the o/s through enabling its privacy settings.
Out of the box, Windows 10 violates your privacy and transmits information to Microsoft.
Curious about what Windows collects about you? Here's an analysis.
Windows 10 transmits confidential information to Microsoft over 5,500 times a day.
Windows 10 search features keep transmitting PPI even if disabled.
Even when instructed not to transmit data to Microsoft, the o/s does so.
Extensive telemetry data cannot be prevented from being transmitted to Microsoft.
When you encrypt the drive with Bitlocker, the decryption key is sent to Microsoft.
The EFF continues to hound Microsoft to address their behaviors without response; Microsoft continues to disregard user choice and violate their privacy.
Google felt compelled to publicly disclose a Windows 10 vulnerability before Microsoft did, because Microsoft refused to take action; Google did it to protect their users while Microsoft stalled.
Microsoft's operating system is constantly susceptible to zero-day flaws and attacks; famously, a Russian-created zero-day attack mounted by Russian intelligence services was used to attack the DNC.
If you're concerned about security or privacy, you cannot honestly look at Microsoft's offerings and consider them a serious option.
R
Teaching Others About Digital Security and Privacy
Mickler & Associates, Inc. wants to help community leaders and small businesses use technology securely. We will offer consulting, training, seminars, and content on improving your digital privacy and security.
Nearly everything we do is digital: our banking and commerce; our interactivity and socialization; our education and information exchange; our entertainment; our politics and our dissent. So much of our lives has an electric footprint.
Therefore, it's in the interest of everyone to better manage the risks of digital media. In the spirit of teaching others how to do something rather than simply doing it for them, Mickler & Associates, Inc. is joining forces with the Electronic Frontier Foundation (EFF) to help train, educate, and show others how to manage their data securely and confidentially.
The Electronic Frontier Alliance (EFA) is a network of grassroots groups taking action in their own local communities to promote digital rights.
As an EFA member organization, we believe that technology should support the intellectual freedom at the heart of a democratic society. In the digital age, that entails advancing:
Free Expression
People should be able to speak their minds to whoever will listen.
Security
Technology should be trustworthy and answer to its users.
Privacy
Technology should allow private and anonymous speech, and allow users to set their own parameters about what to share with whom.
Creativity
Technology should promote progress by allowing people to build on the ideas, creations, and inventions of others.
Access to Knowledge
Curiosity should be rewarded, not stifled.
We uphold these principles by fighting for transparency and freedom in culture, code, and law. Locally, Mickler & Associates, Inc. will be promoting these ideals by:
Holding online and on-ground seminars about digital security and privacy.
Creating training videos and other digital assets that could be shared and disseminated.
Commercial and non-commercial training.
Private consultations and service engagements.
Corporate events.
Offering up training for students and to community activists.
Donating our time and experience to non-profits.
Want to know more, or, how we could lend a hand to you or your local organization? Contact us. We can chit-chat about the possibilities and see where Mickler & Associates, Inc. could add value. Thanks.
R
Gmail Encryption and Confidentiality
Google encrypts your mail and data all the time. Here's a run-down on how they do it.
How does Google secure your data and ensure its confidentiality?
1. The Google Cloud Platform encrypts data at rest on their servers. That means that your stuff, while it sits idle on the cloud platform, is wrapped in encryption. This is done without your intervention. The Google Cloud Platform even allows users to declare their own cryptographic keys if desired for extra layers of security.
2. Google Data is distributed and wrapped in key-chunks throughout their data centers. That means your stuff is broken into pieces - so not all of your eggs are in one basket. Your data is spread among data centers to provide extra redundancy, security, and disaster recovery, and encrypted using Google's Key Management Service. This is also done without your intervention.
3. Data is encrypted at the storage level using AES128 or AES256 encryption. This is a bit nuanced, but let's say that Google's physical hardware is also set to use encryption.
4. Google uses Perfect Forward Secrecy (PFS) with its APIs. Data that travels between their services is encrypted. It also uses Keyczar to implement encryption of your data between all of their products.
5. Google employs TLS/SSL security in transit. While your data is on the move between their servers and your device it is encrypted.
6. Gmail's web interface forces all client connections to use HTTPS (RSA/SSL) encryption and has done so since 2014. While you're using Gmail on the web, your session is secure.
7. Gmail has client-side controls within the web interface to notify the user of security failures or questions. While you're using Gmail, it informs the user if there are questionable aspects of the sender that could put you at risk.
8. Google is actively attempting to deprecate legacy mail clients that use older forms of email challenge/verification. Google refers to these mail solutions as "less secure clients" and the user must flip a switch for them to be used. This often forces the user to upgrade their mail client software to versions that support more modern and secure access tokens.
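The at-rest design in items 1 to 3 (data split into chunks, each chunk encrypted with AES, keys managed by a key service) is commonly called envelope encryption. The following is an added example, not Google's code and not part of the original post; the function names, the AES-256-GCM mode, the nonce/tag layout and the sample message are assumptions, and `kek` stands in for a key a key management service would hold.

```javascript
const nodeCrypto = require('node:crypto');

// seal: AES-256-GCM (mode is this example's choice); output = nonce(12) || tag(16) || ciphertext.
function seal(key, plain) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([c.update(plain), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

// open reverses seal and throws if the key is wrong or the bytes were modified.
function open(key, sealed) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, sealed.subarray(0, 12));
  d.setAuthTag(sealed.subarray(12, 28));
  return Buffer.concat([d.update(sealed.subarray(28)), d.final()]);
}

// storeChunks splits data into size-byte chunks, encrypts each under its own
// fresh data key, and stores that key only in wrapped form, encrypted under
// kek (an assumed stand-in for the key a key management service would hold).
function storeChunks(kek, data, size) {
  if (!Number.isInteger(size) || size < 1) throw new RangeError('size must be >= 1');
  const chunks = [];
  for (let i = 0; i < data.length; i += size) {
    const dataKey = nodeCrypto.randomBytes(32);
    chunks.push({
      wrappedKey: seal(kek, dataKey),
      body: seal(dataKey, data.subarray(i, i + size)),
    });
  }
  return chunks;
}

// loadChunks unwraps each chunk key with kek, then decrypts and rejoins the chunks.
function loadChunks(kek, chunks) {
  return Buffer.concat(chunks.map((c) => open(open(kek, c.wrappedKey), c.body)));
}

// Constructed sample: round-trip a made-up message through 16-byte chunks.
function demo() {
  const kek = nodeCrypto.randomBytes(32);
  const message = Buffer.from('Constructed sample: quarterly report attached, see page 3.');
  const stored = storeChunks(kek, message, 16);
  return { count: stored.length, text: loadChunks(kek, stored).toString() };
}
console.log(demo());
```

A stored chunk is unreadable without `kek`, and any modified byte makes `open` throw instead of returning altered data.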
Now, all of this is well and good but it's not the end of the conversation. Your data may be encrypted at rest and in transit with Google, but is it confidential?
1. If you own a non-commercial Gmail account, you have no promise of confidentiality. That is because the service is offered in exchange for Google being able to read your email and market services to you. This aspect of Gmail would fail all best practice confidentiality requirements as Google expressly says in its EULA that the data is theirs and can be used to "token and stem" - a big-data practice of creating logical relationships between ideas - so as to market to you. That's why it's free.
2. If you own a commercial Gmail account - if you pay for G-Suite - you are a commercial subscriber to the Google Cloud Platform. The EULA there says that Google does not read your data and Google considers it a private, sealed container. It's your data.
3. Caveat: both the non-commercial and commercial aspects of the Google Cloud Platform are subject to US Law and Regulation. That is, if Google receives a warrant to access data under your account, they will work with federal officials to retrieve that data and surrender it to authorities. This aspect of Google's operations - for some - presents a hazard that has folks turning to Proton Mail, for example: a free encrypted mail service that is presumed outside US jurisdiction, or, Signal, from Open Whisper Systems, an encrypted messaging platform.
Okay, but I use a thick mail client like Apple Mail or MsOutlook or Thunderbird. What about the security of my client software, o/s, or hardware platform?
This isn't recommended. Using a thick mail client makes you responsible for the care-taking of your data and some aspects of filtration (spam filters, AV filters, keyword and black list filters, etc.), even when using G-Suite, which centralizes some of this management.
Still, if you don't use the web for accessing email and insist on using a thick mail client:
1. Once the data is delivered to a software mail client (e.g., Apple Mail, MsOutlook, Eudora, etc.), it is up to the client to secure the messages. Example: if your Windows laptop was stolen, the data stored in MsOutlook's PST file is an open container - it is not encrypted unless you encrypt it - and is therefore vulnerable. You must take steps to encrypt that data.
2. The platform must provide encryption. At the o/s and hardware level, there are tools to encrypt the contents of your drive. You must take steps to encrypt the drive system (enable Filevault 2 on a Mac, or, Bitlocker on a PC).
3. You may not think the o/s level encryption is good enough, so you may be convinced to implement your own hardware level encryption. That's something you'd have to do, too.
4. Some iOS platforms are secured through hardware-level encryption; some are not. Generally, receiving mail to Apple Mail on an iPhone 6 or iPhone 7 is secure. Android phones must be specifically configured to provide o/s layer security; each vendor has their own policy on hardware level encryption, and that's variable based on product.
Best Practice:
Are you concerned about the best way to keep your data secure on Gmail/G-Suite?
1. Follow my list of advice on how to Avoid Gmail Hacks.
2. Don't use a thick mail client. Stick to using the web interface.
3. Avoid using Microsoft Windows computing platforms. Using a ChromeBox, Linux machine, or Apple product is far superior in terms of o/s security.
4. Use the latest iOS and Apple devices for the best security possible.
5. Avoid using unaltered Android platforms. Have a professional help you configure Android to be secure; and/or purchase specific OEM products like Google's Pixel or the Blackphone from Silent Circle to make it secure.
6. If you're concerned about HIPAA, only the G-Suite product can offer a Business Associate Agreement (BAA) for protecting that data, and there are specific restrictions over Google's service offerings. Not all data on the Google Cloud Platform is considered compliant. Careful.
7. If you're concerned about FERPA or COPPA, G-Suite for Education is compliant there. PCI-DSS 3.0 compliance is also a feature of the Google Cloud Platform.
And finally, how do you know that Google is actually doing what they're promising? Like, how can you trust Google?
Don't take my word for it: Google is audited annually to specific information system standards. Independent agencies routinely compare what Google says to what Google does. Still, Google isn't perfect - in 2015, the EFF rated Google poorly on being transparent with publishing government requests and data access. We hope that Google will make progress there.
There we go. A reasonable accounting of how well your data is secured and confidentiality managed on the Google (G-Suite) Cloud Platform. Questions?
R