Online Hygiene

As an online learner, you are probably well versed in maintaining good online hygiene.

Nonetheless, in this section we summarize important practices as a reminder to remain vigilant in protecting your privacy and security online. If you are unsure about good security practices, there is a wealth of online resources you can (and should) consult.


Privacy

Your privacy is fragile, easy to lose instantaneously, and difficult to retrieve in an environment that requires so much online interaction.

Never put your social security number, your birthday, your mother’s maiden name, or any other personal facts, anywhere online. Everyone on the Internet will be able to access this information.

Always assume that anything you write online (including email) can, and probably will, eventually leak. Keep your email address private to avoid receiving spam. If your email address is published in plain form anywhere online, even if it is part of an archived email list, spammers will “harvest” it for their databases.

Spam email – at least half of all email being sent – is an unfortunate fact of our modern lives. If you must publish your email address online, consider creating a “sacrificial” email address, or one you only use to publish online. You can create an email “alias,” which you can set to automatically forward to your primary email, and easily disable if your spam volume increases.

Another approach is to avoid publishing the email address as something like myname@somewebdomain.net. Instead, you might use more confusing text, such as myname-at-somewebdomain-net. Some websites support these types of obfuscation, but the spammers who "scrape" email addresses from websites to populate their spam databases use increasingly sophisticated methods to defeat them. Basically, avoid publishing the email addresses you value online to decrease the amount of spam you receive.

Passwords

What about passwords? Many people have just one, or maybe a few. Given the number of websites and web services which require password-based authentication, this is not good enough to avoid an identity disaster.

The problem with having only a few passwords is that even resource-rich and security-critical organizations have suffered massive leaks. If even one of them suffers a data leak, identity thieves will obtain your password and try to use it on other websites. It is easy for them to do this using computer technologies.

Other ways someone can get your password include:

  1. Sniffing traffic when you log into a non-secure website that uses http:// rather than https:// – the “s” stands for secure because your data transmission is encrypted. Look for the lock icon in your address bar.
  2. Sniffing emails – your email, unless encrypted, is not secure. Never send a login and password along with the web address of a service (similarly, don’t send credit card numbers).
  3. Phishing attacks – where someone sends you an email that looks like it is from a trusted sender, such as from a friend, your bank, an online store you frequent, or a government agency, and they ask you to enter your password to confirm it. No one should ever ask you to enter your password via email.
    Always check the web address (hover over the link) to make sure it corresponds to the right place, or call the sender to confirm the request over the phone.
  4. Brute force – hackers often use computers to guess your password, beginning with a list of common passwords, and try different combinations until they get it right, or until the system locks them out for trying too many times.
  5. “How secure is my password” sites – you should avoid these sites and never type your password into a website or email response that is not appropriate, especially when you know the sender also knows your email.

Once your email and any password combination are known, identity thieves will try to use them at various websites, because they know most people only use a few passwords. A thief who discovers a password you created for a website you rarely use will try to compromise the security of a website that is important to you – such as your email system, your workplace, social media accounts, or bank account.

There are services you can use to check if your email is part of a leaked password data set. So, what can you do to protect yourself?

Password Managers

Get a password manager. They are incredibly helpful and convenient now that many of us use several computers and mobile devices. Password managers help you manage your passwords.

When you choose a password manager, make sure you create one strong password, such as a full sentence with some numbers and special characters. This is all you need to remember – the password manager remembers the others. This ensures you generate a different, fully-random password for each website you use that requires a password.
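One way to check that every site really has its own password is to audit an export from your password manager for reuse. The script below is an added example, not part of the original page; the CSV column names (site, username, password) and the sample rows are constructed assumptions, not any real product's export format.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export; the column layout is an assumption for illustration.
SAMPLE_EXPORT = """site,username,password
mail.example,alice@example.org,correct-horse-7!
bank.example,alice,Vq8#rT2p!mZx4LwK
forum.example,alice,correct-horse-7!
shop.example,alice@example.org,t9$Lw2#Qe7!xPz4B
"""


def find_reused_passwords(export_text):
    """Return sorted groups of sites that share exactly the same password."""
    groups = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        # Group by digest so plaintext passwords are not kept as dictionary keys.
        digest = hashlib.sha256(row["password"].encode("utf-8")).hexdigest()
        groups[digest].add(row["site"])
    return sorted(sorted(sites) for sites in groups.values() if len(sites) > 1)


def exposure_if_leaked(export_text, leaked_site):
    """Return the other sites put at risk if leaked_site's password leaks."""
    for group in find_reused_passwords(export_text):
        if leaked_site in group:
            return [site for site in group if site != leaked_site]
    return []


if __name__ == "__main__":
    for group in find_reused_passwords(SAMPLE_EXPORT):
        print("Same password used on:", ", ".join(group))
    print("If forum.example leaks, also change:",
          exposure_if_leaked(SAMPLE_EXPORT, "forum.example"))
```

Delete the export file as soon as the audit is done, since it holds every password in plain text.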

Good password managers only ever store your details in an encrypted form, where even the company that stores it cannot see your passwords. To access your passwords, you log into the password manager service using your single, strong password (via a secure web link – usually the default, but always check!).

There are many password manager options. Some widely used proprietary options include LastPass and 1Password. Open source options also exist. Sadly, some of the most popular password managers have suffered from software bugs that have exposed user passwords.

Good Messaging Hygiene

Always assume that anyone can and will read anything you write in an email. Email is not a secure form of communication. Few people encrypt their email, because it is an extra step that even the most technically-inclined users are reluctant to take. Both sender and recipient have to be technically proficient.

Text messages and instant messaging, such as Facebook messenger, are also insecure. Anyone, including government officials and the organization that runs the service, such as Facebook employees, can read them.

Secure your Own Privacy

Never send any sensitive data, such as your social security number, credit card number, password, or other personal information via email or text. Call the person to provide this information over the phone.

You can use a secure, encrypted text message service, such as Signal, if necessary. It is available at no cost, works on most platforms, and encrypts text messages on your phone. If you text someone else with Signal installed, the entire transaction is encrypted.

Secure the Privacy of Others

Another element of good digital hygiene is to protect the identity of others. For example, never send group emails using To: or CC: (carbon copy) for each email address. You will reveal the email addresses for everyone on your list. This is especially problematic if you or another person saves the email message and displays it on the web, such as in a mailing list archive. This makes it easy for spammers and hackers to access and download all of those email addresses.

Use BCC: (blind carbon copy), to hide the email addresses from your recipients, to protect everyone’s privacy. Use your own email address, and BCC the rest of the recipients, if your email software requires you to insert an email address into the To: box.
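The difference between To: and BCC: comes down to where the addresses travel: in the message headers every recipient can read, or only in the delivery envelope. The script below is an added example, not part of the original page, that builds a group email both ways and checks which addresses appear in the message text; all addresses and function names are constructed for illustration.

```python
from email.message import EmailMessage


def build_exposed_email(sender, recipients, subject, body):
    """The mistake: every recipient is written into the To: header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_private_email(sender, recipients, subject, body):
    """The BCC approach: own address in To:, recipients only in the envelope."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    # The envelope list is what the mail server delivers to; it is never
    # written into the message that recipients see.
    envelope = [sender] + [r for r in recipients if r != sender]
    return msg, envelope


def visible_addresses(msg, recipients):
    """Return the recipient addresses readable in the message as sent."""
    wire = msg.as_string()
    return [r for r in recipients if r in wire]


if __name__ == "__main__":
    people = ["ana@example.org", "ben@example.net"]   # constructed addresses
    exposed = build_exposed_email("me@example.org", people, "Meeting", "See you at 10.")
    private, envelope = build_private_email("me@example.org", people, "Meeting", "See you at 10.")
    print("To: version reveals:", visible_addresses(exposed, people))
    print("BCC version reveals:", visible_addresses(private, people))
    # To send: smtplib.SMTP(host).send_message(private, to_addrs=envelope)
```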

When using an email mailing list, where you send messages to a list of people through a single email address, never CC: someone else in the same message. This will compromise the privacy of every CC’d recipient and the privacy of the list. Always check with the people on the list to ensure you are not taking unacceptable liberties.

If someone asks you to share an email address of a friend or colleague, you should ask permission to share their email address, and state why the third party is requesting their email.

Be a Thoughtful Sceptic

So how can we protect ourselves if new threats are emerging all the time?

  • Be conscious of where you put information that is “private” to you.
  • Beware of the terms of service of social media providers, such as Facebook. Use a service like “TOSDR” to help identify risky, overreaching services. You may be able to use certain privacy settings to protect your information.
  • Always check the identity of a website before you enter any passwords or personal information. Secure certificates are generally trustworthy, but be sure to check the names and details.
  • Always ask whether you should trust a provider or a government agency. Always ask “who benefits when I do this?” What are their incentives?
  • Protect your own data and be even more protective of others’ private information. For example, be cautious before posting information about yourself or someone else. Be especially cautious when posting pictures or videos of their children.

Remember, complacency and unwarranted trust are your biggest enemies. A healthy paranoia is good for your digital health. Think about the great amount of time and effort it will take to regain your identity (and credit rating) if your information is compromised.

Last modified: Thursday, January 31, 2019, 10:25 AM