Privacy and Data Security for the Normal Person

[7/15 – Updated Item 9 to include link to July 14 NYT story.]

On April 17, 2013, the UN special envoy on free expression warned that advances in technology have made governments’ effectiveness in conducting surveillance virtually unlimited in scale or duration – http://www.ohchr.org/Documents/HRBodies/HRCouncil/RegularSession/Session23/A.HRC.23.40_EN.pdf.

Two days later, disclosures about the NSA’s phone records grab and the secret PRISM program supported the envoy’s point: sweeping secret surveillance by the government in the name of protecting us from terrorism is not a conspiracy theory but a reality. The government personnel doing this are doing it in the full belief that they are doing what’s right and necessary to protect America, but, as the sayings go:

“The road to hell is paved with good intentions.”

“We have met the enemy and he is us.”

For an entertaining look at how the kind of analysis the NSA is doing could’ve impacted the American Revolution, see http://kieranhealy.org/blog/archives/2013/06/09/using-metadata-to-find-paul-revere/. If you use Gmail, a group at MIT has developed a tool that lets you visualize your connections using only the metadata available in the To: and From: lines. That tool is available here – https://immersion.media.mit.edu/viz. (When you’re done, follow the directions to log out and delete your data, then click the link to revoke access to your Gmail account information. While you’re looking at that, see what other programs have access to your Gmail account data.)

The government monitoring is made possible, in large part, by the degree to which companies track our activities. However, tools to circumvent government and corporate monitoring exist and are freely available. It’s up to us to learn how to use them.

Some History and Why You Need to Be Concerned

In 1999, Scott McNealy, the former head of Sun MicroSystems, is reported to have said, “You have zero privacy anyway….Get over it.” In 2009, McNealy’s assessment was confirmed by Google’s CEO, Eric Schmidt. In an interview on NBC, he said, “If you have something that you don’t want anyone to know maybe you shouldn’t be doing it in the first place.”

Today McNealy’s words have taken on a far more sinister significance than he probably intended. They are increasingly becoming the operating assumption of the digital economy, and as the recent revelations about the NSA’s activities are concerned, the government is watching, too.

Not so long ago, a letter or a personal telephone conversation was considered a private, protected communication. Those days are over. Whether going online, using a PC, smartphone, tablet or digital TV, you can no longer assume that you have any privacy. In fact, you should assume you have absolutely no privacy unless you take steps to protect it.

For a frightening (but not unrealistic) look at where things might be heading see http://www.guardian.co.uk/technology/2012/sep/24/facebook-generation-y and http://www.guardian.co.uk/world/2013/feb/10/software-tracks-social-media-defence.

From a corporate perspective, your personal information is currency online. Criminals are trying to get access to your personal financial information to steal your money. Online businesses are trying to get access to your personal information so they can promise their advertisers that the targets of their ads will be more interested.

Companies like Facebook and Google argue that their data gathering is simply so they can better serve their users – by more precisely tracking a user’s inputs they can more efficiently target-market their advertising offerings. It’s important to remember that “if you’re not paying for something, you’re not the customer; you’re the product being sold.” The point of all this data collection and advertising optimization is to make the advertising more efficient and make it more likely that you’ll buy. This graphic shows what some of the larger social media services know about you – http://mashable.com/2012/07/20/social-network-data/.

To give you an idea how valuable your personal information is, an online privacy company called Abine developed a quiz that estimates your dollar value to Facebook based on the information provided in Facebook’s IPO filings and the current value of Facebook shares. You can take the quiz here – https://goprivate.abine.com/
Given that everyone is after your information, here are some things a normal person can do to protect your privacy and security online (in rough order of technical complexity). You don’t need to do all of them, but the more you do, the more secure you’ll be and the more control you will have over what everyone else knows about you:

1) Use Privacy Protecting Search Services like DuckDuckGo.com and Ixquick.com. When you use Google or Microsoft’s Bing (or any of the other major search tools), when you click on any of the links that come back, the search words you used are sent to that site automatically, along with information about your browser and your computer, which can be enough to uniquely identify you (this doesn’t mean they automatically get your name and address, but, rather, this collection of information is unique and other things can then be tied to it). Those sites you go to usually have ads placed by third parties, and those third parties build profiles about “you” (i.e., that uniquely identified computer user), and those ads can follow you from site to site. That profile becomes very precise – See http://prospect.org/article/meet-stalkers.

2) Use a Mac (for now). Apple computers and computers that run Microsoft Windows have very fundamental differences in the way they operate (the basic software that runs the computer, called the “operating system”). The majority of computers use Microsoft Windows. That means the odds favor the attacker who writes a virus or other malicious piece of software designed to infect Microsoft Windows, so those who write computer viruses focus their efforts there.

There are millions of viruses that have been written to try to infect the Windows environment, and hundreds (maybe thousands) that have been written to try to infect the Mac environment. However, this is changing as Macs become more popular, so this distinction may not last. Also, many of us have Windows computers, and much of the following advice is relevant for both Windows and Mac.

(*If you respond to this by saying, “But I run Linux,” you should already know everything in this list – but don’t be cocky. You can get fooled by a well-crafted phishing attack, too.)

3) Drop Facebook. If you don’t drop Facebook, then for Facebook’s latest privacy tools (as of 21 Dec. 2012) Gizmodo provides this privacy guide:http://gizmodo.com/5970373/facebooks-new-privacy-settings-are-here-this-is-what-you-need-to-do-right-now. and this article provides a way to make it harder for unauthorized people to hijack your Facebook account – http://wiredpen.com/2013/02/02/beefing-up-facebook-security-how-to-set-up-two-step-verification/

Be careful about the games you play/apps you download via social media. Be careful about messages you receive claiming to be from Facebook. If you have a Facebook account and you get a message notifying you of something about your Facebook account, don’t click the link or download an attachment – sign on to your Facebook account and check it there. When you’re in Facebook, go to https://apps.facebook.com/privacyscoreapps/ for an app that rates the privacy practices of the various Facebook apps BEFORE you load that app. The FBI has put together this guidance for parents and teens on how to be safer using social media – http://www.fbi.gov/about-us/investigate/vc_majorthefts/innocent/social-networking-sites.

When dealing with Facebook, Twitter, Pinterest and other social media services, read this article – http://www.bloomberg.com/news/2012-05-16/spammers-invade-pinterest-era-social-media-avoid-e-mail.html to see how spammers and other fraudsters are using social media, and then there’s this article from Australia about how criminals are using social media to decide which houses to rob – http://m.heraldsun.com.au/news/law-order/burglars-targeting-empty-homes-through-facebook-search/story-fnat7jnn-1226551332286. Finally, take a look at this article http://news.discovery.com/tech/facebook-felons-violent-crimes-using-social-media-20130607.htm about how criminals are using Facebook to get victims to come to them.

If you must attach your phone number to your Facebook account, see this – http://thenextweb.com/facebook/2012/10/11/how-to-protect-your-phone-number-on-facebook-three-options-you-and-your-friends-need-to-know-about/

With Facebook you have to keep on your toes, because things change frequently and Facebook forces you to make the changes necessary to protect your privacy. For example, if you use Instagram, read this article to see how people now have access to all of your Instagram photos – http://gizmodo.com/5958633/creepy-danger-alert-lock-your-instagram-if-you-dont-want-strangers-looking-at-everything.

And, as of today (July 8, 2013), Facebook will begin rolling out its new Graph Search product to all users. Graph Search replaces the old Facebook search bar with one that lets you look up a wide variety of information about your connections. As far as privacy goes, Graph Search can only display information to people you originally shared it with. So, for example, if you made your relationship status public, anyone will be able to search for that. But if you only shared with your Facebook friends that your guilty pleasure is reruns of My Little Pony, then only your friends will be able to search for it. Business Insider has put together directions for how to update your Facebook privacy settings to deal with Graph Search – http://www.businessinsider.com/facebook-privacy-graph-search-settings-2013-7#the-first-thing-you-should-tweak-is-who-can-see-the-information-about-you-thats-in-your-profile-start-by-heading-to-your-timeline-and-click-into-your-about-section-1

Finally, if you (and your teenage children) insist on using Facebook, read:

– this article about what your Facebook profile might reveal about you at work (http://www.businessnewsdaily.com/2702-personal-secrets-facebook.html);

– this one about how teens are dealing with the possibility that colleges might look at their Facebook profiles – http://nation.time.com/2012/11/15/when-colleges-look-up-applicants-on-facebook-the-unspoken-new-admissions-test/;

– this one about how a drunken mistake almost ruined a young woman’s life – http://www.nerve.com/love-sex/true-stories/my-ex-posted-revenge-porn-photos-of-me.

3) Do not click random links: Do not click any link that you can’t verify. To avoid viruses spread via email or instant messaging (IM), think before you click; if you receive a message out of the blue, with nothing more than a link and/or general text, do not click it. Like Facebook, right now, there is a rash of fake messages claiming to be from LinkedIn with invitations from people to connect. These messages include a link that downloads malicious software onto your computer. If you get an invitation to connect from LinkedIn, sign-on to LinkedIn and check your account. If the invitation is there and you want to accept it, accept it directly via your LinkedIn account. And see this article about a virus pretending to notify you that you’ve been tagged in a picture on Facebook – http://www.telegraph.co.uk/technology/facebook/9411069/Facebook-photo-virus-spreads-via-email.html.

4) Beware of email or attachments from unknown people, or with a strange subject line. ESPECIALLY DURING TAX SEASON, beware of emails claiming to be from the IRS, or Intuit or other financial/tax preparation/assistance services. Remember the simple rule – TANSTAAFL (There Ain’t No Such Thing as a Free Lunch). Similarly, right after big disasters (like earthquakes, tsunamis, etc.), look out for emails claiming to be collecting donations. Go directly to the Red Cross website to make your donation. In general, it is highly unlikely that you have won a foreign lottery that you did not enter. It is also highly unlikely that a random person in another country has contacted you via an internet search to assist them with some business or money transfer, especially one that involves minimal effort on your part for an unusually large payoff. Check out this website – http://www.crimes-of-persuasion.com/ for a database of different kinds of online scams and this slideshow from Chief Security Officer Online – http://www.csoonline.com/slideshow/detail/52935/15-social-media-scams. Many criminals use a tactic called “phishing” to try to get you to give them information about yourself or your accounts. Read this article – http://blog.eset.com/?p=15628 – to learn about phishing, and then test your ability to spot phishing emails at http://www.sonicwall.com/furl/phishing/

5) In general, be conscious of the choices you are making when you give out information. When someone or something (e.g., a form) asks you for a piece of information (in real life or online), ask why they need that information for the transaction you are requesting. Only provide the information that is absolutely necessary for the provider to do what you are requesting. For example, many online forms have certain fields that are required, and some that are not. Sometimes forms ask you for your birthday, street address or phone number, even though you’re doing an online transaction that shouldn’t require anything more than your email address (if that). There is generally no reason to fill in the un-required fields.

6) Do not download unfamiliar software off the Internet: Lots of programs available online appear to have useful and legitimate functions (and they have helpful sounding names like “AntiVirus 2012”, “CoolWebSearch,” or “Simplicity Personal Organizer®”). However, most of this software is (or contains) spyware that could damage your operating system installation, waste resources, generate pop-up ads, and report your personal information back to the company that provides the software. Recently, a new piece of malware disguised as a security tool for Android devices (and called “Android Security Suite Premium”) has been making the rounds. See this article – http://www.csoonline.com/article/708654/new-android-malware-disguised-as-security-app?source=CSONLE_nlt_update_2012-06-19_testB – to learn more about it. Before you download that cool/helpful sounding piece of software, do a little research. See Illinois University’s What is spyware or adware, and how can I remove it? Use the tool SpyBot Search and Destroy, available at http://www.safer-networking.org/index2.html . Finally, Actiance maintains a searchable spyware database here – http://www.spywareguide.com/. Check it before you download.

If you travel or use a mobile device in hotels, coffee shops, etc., avoid updating software while you’re using networks that are untrusted and public, whether they are wired or wireless. If you’re going to be traveling for business or will be using a work device when you travel – especially if you’re going outside the US – see the advice at http://blog.eset.com/2012/05/11/11-tips-for-protecting-your-data-when-you-travel.

7) Use Firefox or Google Chrome instead of Internet Explorer as your web browser. This is similar to the Use a Mac suggestion in #1. Internet Explorer, which is made by Microsoft, is still the dominant browser out there, so the odds favor attackers attempting to exploit security vulnerabilities in the Internet Explorer browser. This page – http://www.cert.org/tech_tips/securing_browser/ – from the Computer Emergency Response Team (CERT) at Carnegie Mellon University has tips and moderately easy directions for securing various browsers.

8) Select the Do Not Track option in your browser and use “private browsing”. In Firefox, you get to the Do Not Track function via Tools -> Options, and click “Tell websites I do not want to be tracked.” However, even if you’re telling other websites you don’t want to be tracked, as you browse the web, your own browser remembers lots of information for you: sites you’ve visited, files you’ve downloaded, and more. There may be times, however, when you don’t want other users on your computer to see this information, such as when shopping for a birthday present. In Firefox you turn private browsing on and off using CTRL+SHIFT+P. The “private browsing” mode allows you to browse the Internet without your browser saving any information about which sites and pages you’ve visited. Warning: Private Browsing doesn’t make you anonymous on the Internet. Your Internet service provider, employer, or the sites themselves can still track what pages you visit. Private Browsing also doesn’t protect you from keyloggers or spyware that may be installed on your computer.

9) Turn off “Location Services” on your mobile device unless you need it. Your smartphone is a homing beacon that would’ve made James Bond happy. When you have Location Services turned on, your current location is available to the applications running on your smartphone. However, unless you might unexpectedly need to be rescued from the clutches of SPECTRE, there’s no need to send out that information all the time. When I need a map or something that requires my location on my smartphone, I turn that function on. When I’m done, I turn it off, again.

In 2009, a German politician sued the German telephone company Deutsche Telekom and forced them to hand over over six months of his mobile phone data. He combined the geolocation data in those phone records with information relating to his life as a politician, such as Twitter feeds, blog entries and websites (all of which is all freely available on the internet) to generate the detailed history of his life that is available here – http://www.zeit.de/datenschutz/malte-spitz-data-retention.

The hot new thing in apps for your smartphone is called “ambient social networking” – these are apps that use your location to let other people know where you are in real time. I don’t use them. This is a good article about the privacy issues associated with these new apps – https://www.eff.org/deeplinks/2012/03/highlighting-privacy-problems-apps-need-respect-user-rights-start. And if you’re concerned about someone following you, check out this piece of research on using location services on your mobile device to predict where you’ll be tomorrow – http://news.discovery.com/tech/phone-predicts-where-youre-going-120712.html. And if you use your phone to take pictures, take a look at this article about a new service that uses location information automatically inserted into your pictures (unless you’ve turned off location services) to link your pictures with Google’s Street View – http://gizmodo.com/5972425/this-instagram+street-view-mash+up-is-a-stalkers-wet-dream.

Even beyond location tracking, brick-and-mortar retailers are getting into the act, too. See http://www.itworld.com/it-management/336828/attention-shoppers-retailers-can-follow-you-around-mall-way-web-trackers-do-onl?page=0,0 for a description of systems that use your phones wireless signal to track you around the store and around the mall. So, if you don’t like that idea, turn off your wireless connectivity before going in. Be aware, however, that stores are using cameras to try to do the same thing – see http://www.nytimes.com/2013/07/15/business/attention-shopper-stores-are-tracking-your-cell.html

And for a really frightening look at how James Bond might use a smart phone in the not-to-distant future, see this article – http://www.vanityfair.com/culture/2012/12/microcomputers-weapons-smartphone?src=longreads&buffer_share=aff5f&utm_source=buffer.

10) Get privacy-protecting add-ons for your browser. In Firefox you get there via Tools -> Add-ons. I use and recommend: HTTPS Everywhere, from the Electronic Frontier Foundation and available at https://www.eff.org/https-everywhere; AdBlock Plus, ShareMeNot, Ghostery, and, for more technically advanced (and patient) users, a tool called NoScript.

11) Use current, up-to-date anti-virus software. In addition to having the standard ones from companies like Symantec, I recommend also installing (a) Windows Defender available from Microsoft at http://www.microsoft.com/download/en/details.aspx?id=17; (b) Malwarebytes available at http://www.malwarebytes.org (the free version is usually sufficient); and (c) Avast Antivirus available for Windows at http://download.cnet.com/Avast-Free-Antivirus/3000-2239_4-10019223.html and for Mac at http://download.cnet.com/Avast-Free-Antivirus/3000-2239_4-75451160.html?part=dl-&tag=lang_en&lang=en (the free version is usually sufficient). I also recommend regularly (monthly or so) using the online virus checker from Trend Micro available at http://housecall.trendmicro.com/. It’s usually best to run it overnight as it can take a few hours to run. Trend Micro also has a tool for scanning Android mobile devices at http://housecall.trendmicro.com/mobile/

12) Use Email Encryption. Read this excellent basic article from Ars Technica about encryption – arstechnica.com/information-technology/2013/01/keep-it-secret-keep-it-safe-a-beginners-guide-to-web-safety/ , as well as this article about why you should consider encrypting your communications (http://netsecurity.about.com/cs/emailsecurity/a/aa051004.htm). Armed with all that knowledge, read this article about various email encryption tools – http://www.brighthub.com/computing/smb-security/articles/38933.aspx

13) Set up a separate “Administrator” account. – Note, this is the most technical item in this list. Your Windows computer has two types of users – “low” rights users and “high” rights (or “Administrator”) users. The difference is similar to the difference between the building manager who has a master key to a building and the workers in the building who have individual keys to specific offices. The account with “high” rights, or the “administrator” account can do things like install new software and make other significant changes to the computer, while the account with “low” rights can only use the software already on the computer and can’t make those changes. If you use a “low” rights account when you’re online, it’s much harder for some of the nasty things online to get access to your computer. The key idea is to only use your “high” rights account when you actually need administrator-level powers, such as when adding new hardware and software. For instant messaging, email, Web browsing and other daily computer use, use your “low” rights account. If you don’t know whether you’re using an administrator account right now, odds are that you are unless you have a tech savvy family member/friend that installs software for you on a frequent basis. Different versions of Windows require different steps to set up “low” rights accounts. This page – http://www.mechbgon.com/build/Limited.html#setup – provides good, step-by-step directions for setting up an administrator account and converting your daily use account to a “low” rights account. NOTE – Don’t do this if you’re using a work-issued computer. It will make your IT folks angry. Ask them to do it for you.
===========================

And if all of this makes you want to run for the hills and become a survivalist, here’s a set of instructions for how to remove yourself (as much as possible) from the internet completely – http://lifehacker.com/5958801/how-to-commit-internet-suicide-and-disappear-from-the-web-forever.

These tips were primarily intended to protect you from disclosing your personal information to companies and criminals, and to keep you safe online. If you want to encrypted your communications to protect them from government surveillance, you’ll need to use additional tools like those described in this article – http://www.slate.com/blogs/future_tense/2013/06/07/how_to_secure_and_encrypt_your_email_and_other_communications_from_prism.html

===============================
Got a tip for the average user that’s not covered here? Please post it in the comments!

Advertisements

About John Nicholson

I'm a transactional attorney who focuses on structuring and negotiating large outsourcing transactions (both on and offshore). As part of my work, I've specialized in: - Structuring and negotiating large outsourcing transactions (both on and offshore) including IT outsourcing and various BPOs (including HRO, Facilities Management, Procurement, Finance and Accounting), large systems development and implementations; - Assisting with development of RFPs, proposal evaluation, down select, and negotiation; - US and European privacy laws, including US Safe Harbor, and state privacy and data breach notification laws; and - Privacy, security, legal and contractual issues associated with cloud computing. I'm a frequent speaker on outsourcing, privacy and security issues. Before becoming a lawyer, I was the acting IT director for a mid-size company prior to hiring the CIO and project manager for the company's Oracle Financials implementation.
This entry was posted in cybersecurity, mobile apps, privacy, social media and tagged , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s