The Paranoid's survival guide: Protect your privacy on social, mobile
The paranoid's survival guide, part 2: Protect your privacy on social, mobile and more
by ROBERT L. MITCHELL
Is privacy dead? Not by a long shot. While you can't control everything that's out there about you, there's quite a bit you can do to reduce your data footprint -- or at least avoid adding to it. For this series, Computerworld asked nine privacy experts for tips and tricks they use for keeping their own personal data profiles on the down low.
Whether your goal is avoiding tracking by marketers, ensuring your personal safety or protecting yourself from government surveillance, there are steps you can take to minimize your exposure both online and off, these professionals say.
Part 1 of this series covered how to maintain your online privacy and surf the Web without leaving a data trail. Here, in part 2, we offer advice on how to approach social media, messaging and some general rules you should follow when using mobile apps. Part 3 covers how to minimize your offline data footprint, and where to go to opt out. (For more tips, also see our "60-minute security makeover: Prevent your own epic hack.")
3 ways to shape up your social media
Don't sign up for a new service using Facebook or another social networking account
When a website tells you it's easier to register for its service using your Facebook account, what they really mean is that it's easier for them to pull all available information about you from that site and use it to build a profile on you, says Rob Shavell, co-founder and CEO at privacy software vendor Abine. Always choose the "sign up with email" option, and don't use the same email address you use for Facebook or other social media accounts.
Lock down those social network privacy settings
Review and set the privacy settings for every online service you use, and revisit those policies regularly to update them, as the services tend to change their policies frequently, says Jules Polonetsky, executive director of the Future of Privacy Forum. "Make sure you lock down the settings in every social media profile, and test it to see what others can see about you," he suggests.
Think before you post
On social networks nothing is truly private. "Be aware when you post with whom you are sharing," says Sid Stamm, senior engineering manager for security and privacy at Mozilla. What you post can be used against you, either now or in the future -- by snooping government agencies, political operatives, potential employers or online marketers that want to serve up interest-based advertising.
Even when you delete a post it's likely to persist. Your "friends" can copy/paste anything visible to them into other sites or email messages. And with Twitter your posts are part of the public data feed that's routinely captured by data brokers and others interested in analyzing that data. "The act of deleting just means removing the visibility on Twitter," says Robert Hansen, a security researcher and director of product management at the website-security vendor WhiteHat Security. But every data broker or other organization that has consumed your Twitter feed between the time you posted and the time you deleted the message still has the data.
Don't post photos of your kids, your interests or when you'll be going on vacation, he adds. "If it's something I even briefly pause about, I don't put it on social networks. Treat everything in social networks as adversarial, and then you don't have to worry about it."
Online job sites and online dating sites are the two areas where people give up way too much information about themselves, says Casey Oppenheim, co-CEO at anti-tracking software vendor Disconnect. "Your name, address, where you went to school -- all of that information about you can be used to answer challenge questions," he says. Online dating sites may use questionnaires to collect extensive psychological and demographic data in an effort to build very detailed profiles that may be retained even after you close your account.
Manage your messaging
Secure your email
Be sure to enable HTTPS encryption for all email communications in transit. As for email data in your inbox, a hosted private email service that you pay for, from a company such as Rackspace, offers more privacy than does a free, public Webmail service such as Gmail, while hosting your own email server on premises offers the most privacy of all.
There are many exploits out there for compromising Webmail services, says Hansen. What's more, the content of email hosted on free Webmail services may be used to allow advertisers to send interest-based advertising. Also, government agencies can access your data on Webmail or hosted email systems at any time by simply presenting a subpoena -- and the provider may be prohibited from telling you about it. With an internally hosted server, a search warrant would be required, and you would be aware of the action.
Use a privacy-oriented email service
Popular Webmail services such as Gmail and Yahoo Mail offer a free account in exchange for collecting data about you and analyzing your email activity for marketing purposes. If that bothers you, consider a free service not supported by advertising, such as Zoho Mail, or use an email account provided by your ISP.
For even greater protection, use a secure email service that's dedicated to protecting your privacy, such as Riseup or MyKolab. Services like MyKolab, which hosts your email data offshore and out of reach of the Patriot Act, may make your data less prone to U.S. government snooping.
Use a self-destructing text/chat service
Instant messaging/texting services that encrypt your communications and don't retain your chat history have gained critical mass among young people, and for good reason, says Polonetsky. "No one records [verbal] chit-chat, but when I have that conversation online it's somehow part of the national archives. It shouldn't be. It's the kind of communication that should work as a shout out and be fleeting," he says.
Polonetsky uses Frankly Chat, which he calls "Snapchat for adults," but says other popular services including Snapchat itself or Whisper also work well. Whisper is an anonymous social network, and Snapchat allows users to set time limits for how long their posts will appear.
Oppenheim recommends Silent Text and TextSecure. The downside of these services is that the person you want to message must have the same app installed and running before you can connect. So, depending on which service your friends use, you might need to keep more than one app running.
Limit tracking on your mobile phone
Mobile phones offer more limited options for minimizing your online footprint, says Justin Brookman, director, consumer privacy at the Center for Democracy & Technology. Your carrier knows your location, the calls you make, the sites you visit, the texts you've sent and received and the apps you use. Unless you turn off your phone, your carrier will always know where you are, he says. And while you can't opt out of all data collection, your carrier may offer options that let you limit how it uses and shares that data.
Password-protect your smartphones, tablets and other personal computing devices, and configure the "find me" feature or app for mobile devices. "The first thing to do is to make sure that if you ever lost the device you can get it back and lock it down. This is half security, half privacy," says Chris Babel, CEO at security vendor Truste.
Use a password manager and two-factor authentication
Password managers not only keep track of your online user names and passwords and generate strong passwords, Babel says, but most also have an auto-fill feature that protects your account credentials from key logger malware that may be watching you. (It's especially important to use a strong password for your email account, since it contains a trove of personal information about you, and most online accounts use your email address to allow you to reset forgotten passwords.)
If you already use a password manager -- either on your desktop as a standalone app or in your browser -- check to see if it has a mobile component. Many do.
For additional protection, consider a password manager such as LastPass that supports two-factor authentication. Even if someone guesses your master password they still won't be able to get at your password database without physical access to your device.
Don't share your location information
"You can control who you give location permission to on most mobile devices, but you can't control" which other apps are given that data. "So choose carefully," says Brookman. Social media updates that include location data also tell people where you are -- and where you aren't. Do you really want everyone on Twitter, or all of your Facebook friends -- and friends of friends -- to know? "Don't turn on location services unless you really need it," says Oppenheim. And turn it off when you're done.
Turn off your Wi-Fi and Bluetooth to avoid retail tracking
Today you walk into a store and the retailer doesn't know much about you. "But stores are installing listening devices to detect mobile phones with Wi-Fi turned on that are actively looking for access points," says Brookman. Before long, it won't just be your mobile carrier and mobile apps that know where you are at all times. Retailers and other businesses want to use the combination of Bluetooth and Wi-Fi signals emanating from your smartphone to track you when you enter a store or other place of business.
"When I walk into the mall they will know I've entered because my device is pinging Wi-Fi. And with Bluetooth they can track me within 30 to 50 feet. They know where I'm walking," says Babel. When your phone queries the store's wireless router to search for connectivity options, the business captures the unique MAC address associated with your phone's Wi-Fi hardware. If you then make a purchase, your MAC address can be combined with other information the store has to identify you. Some consumers might want to announce themselves, Babel says, because they're hoping to receive special offers on their smartphones. But if you're paranoid, says Brookman, turning off Wi-Fi and Bluetooth solves the problem.
If you can't be bothered to toggle those services off every time you leave your home or office, anti-virus software vendor AVG recently rolled out a service called PrivacyFix that automatically turns off your mobile Wi-Fi if the network you're passing by isn't on your whitelist. Mobile apps like Tasker for Android can be configured to use a technique called "geofencing" to turn off Wi-Fi when you leave your home or office and turn it back on when you return.
Soon you may have another option: The Future of Privacy Forum is in the process of creating a service called Do Not Track My Mac -- to be hosted at smartstoreprivacy.org -- that will let users opt out of tracking by retailers that want to capture your smartphone's Ethernet MAC address.
The companies agree not to capture your name or link your information to your MAC address unless you opt in, says Polonetsky. However, they can still track your MAC address anonymously unless you opt out. The data is used for general analysis purposes, such as to determine the average wait time in cashier lines, for example, or to study how traffic moves through the store. So far, 10 companies have signed on, Polonetsky says.