Becoming Digitally Invisible: An Interview with Michael Bazzell & Justin Carroll
Michael Bazzell and Justin Carroll are two of the world’s leading privacy experts, Michael coming from an 18-year career with the FBI as a computer crime investigator, and Justin having 18 years of Marine and government contract experience. Both have trained and taught in the academic, private and armed forces sectors in their respective areas of expertise. The two recently joined forces to write the 2016 book The Complete Privacy & Security Desk Reference. We had the chance to catch up with the two of them and see what their experience has to tell us.
How did the two of you become interested in the privacy world?
Michael – Investigating cyber criminals can take quite a toll on a person. I became interested in privacy around 2002 when I discovered that any cyber sleuth could look up my home address in public online records. I immediately sought books such as How to be Invisible by JJ Luna and devoured every tactic I could find. I began experimenting with my own privacy techniques around 2004.
Justin – From 2002 to 2010, I was deploying to some pretty unsavory places, and each of these trips seemed to bring a new, eye-opening experience. Having OSINT used against me at SERE school, being asked for my home address on an Afghani visa application, having my credit card information stolen at Charles de Gaulle airport – all of these experiences primed me to be protective of my information. Maintaining my privacy and security eventually became a part of my daily life and has been a constant evolution ever since.
You both do privacy training. Is there a particular part of the world you think is more privacy conscious?
Michael – Mostly outside of America. We seem to be willing to give away every detail of our life to any company that will motivate us with free stuff. These companies then often release that data, sometimes unknowingly, to government entities and partner companies. Eventually, much of it gets released in the wild.
Justin – I think some countries really “get it” on a national level. I might disagree with Michael a bit – free email, Facebook, and equivalent services are worldwide phenomena and people everywhere like free stuff and connecting with others. The countries that do get it and do a better job tend to focus on limiting the corporate or government entities doing the collection. A couple of good examples are Switzerland and Germany.
Since you have begun privacy training in the civilian world, in your opinion has it become more difficult to protect yourself because of advances in hacking and spying technology, or easier because of advances in privacy technology?
Michael – Much more difficult. For every privacy and security tactic that becomes mainstream, dozens of tracking technologies are introduced into the digital world. This is why we must use non-conventional methods to protect our privacy.
Justin – That’s really hard to gauge accurately. There are more security tools out there than ever, but also more breaches and bad news on a daily basis than ever. It’s a constant evolution and a constant arms race. I’m not sure if it’s really harder today, or we just have more awareness of the threats.
Do you feel that a VPN is enough to protect yourself online? Is it best to use it in conjunction with TOR browser?
Michael – I believe that a VPN is a solid and vital piece of online protection, but not the whole story. So many other proper digital hygiene habits must also be practiced consistently. Tor is very valuable in some situations, but much of my investigative work gets blocked within the Tor browser due to the services that block it.
Justin – To echo what Michael said, a VPN is only part of a bigger picture. A VPN protects you from certain classes of privacy and security threats but does nothing to address others. You have to take a holistic approach – there’s no such thing as “silver bullet security”. Tor is appropriate in some contexts, against some threat models and if it’s really worth using, it’s probably worth using in conjunction with a VPN. Tor has the potential to offer a great deal of privacy and security if used correctly, but it has its own set of inherent risks and limitations. It also significantly elevates your profile.
I noticed that you recommend Private Internet Access VPN. What factors do you consider when choosing a VPN? What makes PIA so good?
Michael – For me, I must realize that the VPN I recommend must be affordable and easy to use. While these are not the priorities for my personal use, I must think about the attendees of my courses. They are new to the idea, and need simplicity. I have found PIA to be easy to use, and cheap. I also appreciate their popularity, and being a smaller needle in a larger haystack never hurts.
Justin – Private Internet Access has quite a few things going for it. First, it works extremely well with iOS devices in maintaining an “always on” connection. It is also really easy to understand and simple to implement, so it’s a great “starter” VPN. PIA also has a good array of options for the more technically inclined (just not on iOS). PIA is also US-based, so it’s a great option for US persons that don’t want to take their traffic overseas and lose the legal protections US persons have. Finally, a ton of people use PIA, making it easier to blend into the herd than with more expensive or obscure VPNs.
Justin, I noticed you created an iOS version of Your Ultimate Security Guide, but not yet an Android version. Are you more vulnerable on iOS than on an Android platform?
Justin – I strongly believe that iOS is more private and secure than Android and I think it’s hard to argue otherwise. That said, there are still meaningful measures you can take to improve Android privacy and security. The absence of the book actually stems more from the diversity of the Android environment; it would be hard to write one book that would adequately cover the settings on all – or even most – Android devices.
You have both worked in the government/armed forces and both now work in the private world (and now in Hollywood for you, Michael). Do you enjoy one over the other? What aspects do you enjoy about working in the private world as opposed to government?
Michael – I get the best of both worlds now. I am still heavily involved with GOV contracts, and I am allowed to extend that into private sector. Personally, I enjoy the balance between the two. The variety keeps it interesting.
Justin – The majority of my work is still with the government sector, and I really enjoy it. Government clients usually have an immediate need, and the students are extremely motivated to learn. I probably don’t get to work with the civilian sector as much as I’d like because of government demand, but I enjoy both. Both have their own priorities and challenges, and I always end up learning something from both.
What was it like investigating computer crimes 15 years ago as opposed to now when technology has changed so drastically?
Michael – Night and day difference. A forensic examination could take as little as two hours. Today, one can never be sure that every piece of valuable data has been located. Years ago, encrypted files and communication were an extreme rarity. Today, it is almost the “norm”.
Where do you see the security world heading in the next 5-10 years?
Michael – In ten years, personal computers will be eliminated. Everything will be a service, and the underlying OS’s will be out of our control. I will live in northern Montana out of the reach of wall-to-wall embedded devices.
Justin – The IoT as we know it now will no longer exist. The new, improved IoT will be integrated into nearly everything, and escaping some form of digital surveillance, even momentarily, will be an impossibility. The best we can hope for is that our laws catch up to the digital world and we have some legal protection from ubiquitous monitoring.
Michael, of course the obligatory Mr. Robot question… Do you think this show has given people insight into how the hacking world works, being that it is so true-to-life? Are you proud that you have a way to share your extensive experience with the public?
Michael – I believe that Mr. Robot has proven that the depiction of accurate hacking is desired by the growing technical audience. Hopefully, it has set the standard, and viewers will demand the same from any new hacking shows that emerge. It was an honor to work on a show that finally gives a glimpse to the reality of hackers’ lives.
Learn more about Justin Carroll on his website.
Learn more about Michael Bazzell on his website.
Additionally, you can see a preview of their book The Complete Privacy & Security Desk Reference, as well as purchase it, here on Amazon.com.