Conversations about privacy and security often focus on technology and give scant attention to the human, non-technological factors that affect personal privacy. This post covers a range of concrete steps we can all take to regain control over what, when, and with whom we share. Some of the things we discuss will involve technology, and some of them won't. The majority of the suggestions we make involve tools or practices that are freely available. The vast majority of things we suggest are also designed to be accessible without a large amount of technical knowledge. The steps we outline here are intended as a solid starting point, and not a comprehensive solution, but with that said, the steps we define here minimize or eliminate many common issues.
- Assessing Risk
- In Person/Face-to-Face
- Privacy and Filter Bubbles
- General Maintenance When Online
- Using Sites Where You Have an Account
- Third-Party Tracking
- Blocking Trackers, the Long Way
- Blocking Trackers, the Short Way
- News and Search
- Secure Online File Storage
- Virtual Private Networks (VPNs)
- Increased Anonymity and Tracking Protection
- Password Managers
- Two-Factor Authentication
- Phone/Tablet and Apps
- Simple Steps
- Licensing Information
When we think about protecting our privacy, we generally start with these questions:
- What are you trying to keep private?
- From whom are you trying to keep it private?
- What are the consequences if the protections fail?
- Do the consequences change or shift over time (short-, medium-, long-term)?
These factors can help determine our priorities: What information is most important to protect? Why? How much effort should be put into protecting something?
The answers to these questions will vary widely based on personal circumstances. By making some explicit decisions about what we want to protect and how much effort we're willing to spend protecting it, we can come up with a plan and a strategy that are realistic for us and tailored to our individual needs.
Using these questions to structure our decisions should also take into account how easy or hard something is to do. In the conversations below, we will highlight how easy or hard some changes are to make.
There are a range of ways people can access information if they're physically close to you. In this section, we will highlight ways to minimize the risk of people seeing information they don't need to see.
At the outset, I want to highlight that going into a public space means you will be caught up in some form of observation. This can be as benign and accidental as being in the background of someone's photo in a public place, or it could be as focused as having your license plate scanned as part of passive data collection by law enforcement. It's also worth remembering that many public places (most stores, malls, supermarkets, gas stations, Walmart, and the like) are covered by closed-circuit television cameras.
One of the most common ways that people can get information about you is by watching your screen as you work. This hallmark of the perpetually nosy -- also known as "shoulder surfing" -- can range from simply annoying to potentially dangerous, depending on what you're doing. It's not difficult to imagine web searches where we wouldn't want some stranger, sibling, uncle, or other person reading over our shoulder.
Fortunately, a privacy screen will block shoulder surfing. For other people who work in public spaces -- from coffee shops to offices and libraries -- the following steps can minimize your risk:
- If you're working and you leave your computer, lock your screen with your password or power it down. If you leave a computer when you're still logged in, anyone can sit down and access your computer and use all the information it has.
- Encrypt your hard drive on your computer. If your computer is lost or stolen, having an encrypted hard drive will prevent unauthorized access to any information on it. It's worth noting that encrypting your hard drive will not mean much if you have a weak password for your login.
- Encrypt your phone or tablet. If you're using a newer iPhone or iPad, then your device is likely already encrypted by default. Most newer Android phones support encryption. Encrypting your phone or tablet prevents access to information stored on the device in case of loss or theft. It's worth noting that encrypting your phone will not mean much if you use fingerprint unlock or a weak password.
- Be careful with using external storage such as USB flash drives.
- Use a password manager. At first blush, this doesn't seem to make a lot of sense for inclusion in a section on potential risks from someone being in the same physical space as you, but using password managers solves one common problem: writing usernames and passwords on paper where they can be read, photographed, or used by unauthorized people. (Fact: I have seen usernames and passwords written on a whiteboard get included in promotional videos.) Password managers are covered in more detail later in this blog series.
There are other steps you can take to minimize risks that arise from physical access, but using a privacy screen, encrypting devices, not leaving devices logged in while they're unattended, and being careful with external storage devices can eliminate many common issues. Privacy screens cost between $15 and $60, and the other options discussed today are free. As we stated at the outset, eliminating all risk is impossible, but these steps can reduce risks to which we're all commonly exposed.
Privacy and Filter Bubbles
An additional benefit of freeing ourselves from pervasive tracking is the ability to move outside our filter bubbles. We cover this in more detail in various sections, but good privacy practice is also good information-literacy practice. Steps we take to increase our privacy also increase our awareness of how information is presented to us and the different forms of bias embedded in that presentation.
Good privacy practice improves our ability to retrieve information short-term and long-term. They feed each other. Conversely, bad privacy practice limits our options, and these limits get reinforced over time. The steps we outline in this post help us reach beyond our filter bubbles and see a more complete picture.
General Maintenance When Online
Part of maintaining our privacy involves making sure that our device or computer software is up to date. When fine-tuning our privacy and security protections, we need to ensure our device is not compromised before we start. Check for malware and viruses. Uninstall and delete any software or apps that are not needed, as unused applications are often a source of security issues. If Flash is not required, disable it and delete it -- many ugly security issues target Flash, and having it enabled can leave you exposed. When in doubt, a clean reinstallation of the operating system is often the safest starting point. Using a service like Malwarebytes to scan for malware and protect you from it is definitely recommended.
Going online exposes us to the wonderfulness of the internet, but that wonderfulness also brings the fetid practice of tracking and behavioral-advertising technology. Due to the ongoing and well-documented overlap between malware and adtech, we document protections against tracking as an effective defense against exposure to various forms of malware.
As with all the sections in this post and in this series, the options described are not intended to be comprehensive. The full suite of options for securing computers running Windows, Mac OS X, or Linux are outside the scope of this post. However, checking for malware and installing updates regularly can help avoid some common problems. The sections that follow detail different areas that we need to think about when protecting our privacy.
Using Sites Where You Have an Account
When we visit any website, we generally are tracked by various methods. In this post, we lump different tracking methods and technologies into a blob that we will call "trackers." Technical differences exist between different types of trackers, but a thorough description of them all is outside the scope of this post.
It's also worth noting that when we go to a site where we have an account (or use an app on our phone that connects us to an account), our use of the service is generally tracked because we willingly identify ourselves to the site. For example, when I log into Google to check email or to Twitter to post 140 characters, I am identifying myself and my activities to these sites. Choosing to log into a site generally means that we are agreeing to be tracked by that site. The privacy policies of these sites describe how they use the data they collect from you. (Note: Most commercial sites can use and share your information with few restrictions, including sharing it with unnamed "partners" and combining it with data from other sources to create detailed tracking profiles.) It is possible to minimize tracking by browsing these sites without logging in whenever possible and only logging in when absolutely necessary.
When using social media, clicking on things such as quizzes can expose huge amounts of personal data to trackers or provide answers to your password-reset security questions. In some cases, the companies behind the quizzes use the data to compile personality profiles that are used in political campaigns. Even seemingly simple things like the "like" button or responding via emoji can allow for fairly precise tracking. Fortunately, avoiding this form of tracking is simple: Stop taking the quizzes, and stop using emoji-based reactions (people have experimented along these lines in the past).
We are also seeing more hackers looking for ways to exploit bugs or flaws on social media sites. While the patterns of different attacks may vary, many attacks can be thwarted by not opening files that you haven't explicitly downloaded from a trusted source. Deleting the contents of your "download" directory can help prevent the risk of accidentally opening a file that contains malware or ransomware.
But in general, when we create an account on any site, that site will track our behavior or how we use that site to some extent. The best way to avoid this type of tracking is to use sites without logging in whenever possible and to clear your cookies and browser cache frequently. Later in this post, we will cover how to clear cookies and other methods of minimizing tracking.
Sites that require people to create accounts also use and allow for a range of third-party trackers that monitor activity. This means that, on sites where we create accounts and log in, we are tracked by the sites we log into (for example, Facebook, Instagram, Twitter, WhatsApp, Evernote, Pinterest, Google, and so on), by the vendor themselves, and by the third parties they allow on their sites. In addition, sites that allow apps (for example, Facebook, Edmodo, Google Apps for Education, and so on) all expose us to tracking via any of the third-party apps we choose to enable.
Third-party tracking is pervasive on the web. Several thousand tracking companies exist, and in most cases, people browsing the web are never told which trackers are in use, what information they gather, or how that information can be used. Data collected by third-party trackers are often sold to data brokers, who combine data from multiple sources (a process known as "data enhancement" or "data recombination") and then sell access to that data. Some news sites, such as the Huffington Post, place upwards of 100 trackers when you visit their site. Trackers can also get information based on searches; in some cases, this can lead to searches for sensitive information -- such as searches for health information -- getting shared with data brokers.
To minimize the impact of tracking, we have a few tools at our disposal. These tools can help protect us from tracking by advertisers, political campaigns, and other undisclosed parties who can use our personal information without notifying us or without obtaining our informed consent. Some of the steps outlined in this section can also help disrupt filter bubbles and protect others from accessing our browsing history.
Blocking Trackers, the Long Way
The tools here focus on browsing the web using either Firefox or Chrome as our browser. We focus on these browsers because they are freely available and supported on Windows, Mac OS X, and Linux. While both Chrome and Firefox offer an option to create an account to sync settings across machines, we recommend not using this option and storing your preferences locally.
To get a sense of what trackers are placed on a site, use Lightbeam, a Firefox-only add on. Lightbeam allows you to create a list and a visualization of trackers that are placed by sites. While Lightbeam also supports blocking trackers, we use it primarily for research to get a sense of which trackers are placed by which sites.
To block trackers and other services that collect and use our information without notification or consent, use the combination of Privacy Badger and uBlock Origin. Privacy Badger does a good job of picking up most third-party trackers, and uBlock Origin catches trackers that Privacy Badger might miss. Both of these browser extensions have versions for Chrome and Firefox.
Firefox also has an add-on named Self-destructing Cookies that will destroy cookies automatically after a tab is closed or after the browser is closed. This can help prevent tracking, and it can also protect against someone accessing your computer and being able to access sites where you have logged in.
HTTPS Everywhere protects against connecting to websites via an unencrypted connection. This browser extension, supported in both Chrome and Firefox, doesn't protect against third-party tracking. However, for people who travel and use internet connections in hotels, coffee shops, conferences, or other public spaces, HTTPS Everywhere can protect against people snooping and looking at traffic on the network.
In addition to these steps, disabling and removing unused browser plug-ins is strongly recommended. In some instances, advertising companies have bought moderately popular extensions and used them to push trackers and malware. Disabling and deleting unused browser extensions minimizes this risk (read our instructions for Chrome and Firefox).
A final note here involves the use of so-called "private" or incognito browsing. Avoid it. If you want private browsing for everyday activities, use the steps outlined in this section. If you want truly private browsing, use Tor, as described in the next section.
Blocking Trackers, the Short Way
Use Tor. Tor protects against tracking and in some situations allows people to approach being anonymous online (we say "approach" because true anonymity does not exist). Tor was designed to provide protection for journalists and dissidents in repressive countries and helps protect against everything from tracking protection to, potentially, having traffic intercepted by governments and other organizations. While Tor is the most accessible option out there for blocking tracking and preserving a semblance of anonymity, it can't be overstated that even Tor has vulnerabilities.
We will discuss this in more detail later in this post, but using Tor to search for sensitive information provides a good level of protection for most people.
News and Search
For many of us, if we have Gmail accounts (either a personal or work account, or both) and we use Google for search, we almost always search when we are logged in to Google. This gives Google a very complete view of what we search for, which allows them to "personalize" searches to what Google thinks we want to see (if you want to see a small subset of what Google knows about you, visit https://myactivity.google.com/myactivity when logged into a Google account. While this is only a fraction of what Google knows about you, a quick scan through your search history is often illustrative and petrifying). "Personalization" ensures that two people searching for the same topic won't get the same results. However, when results are invisibly tailored "for" us, bias can appear in the results. There have also been substantial charges that Google has abused its position as a leader in search.
However, the same mechanisms that target ads to us also target search results and news to us, and this can create what some people call a filter bubble. Accordingly, all the steps outlined above to protect against ad tracking also help us receive less biased search results. We can expand the reach of what we see online by using different search services. These three services provide protections for privacy that are not as accessible with other search engines:
- Duck Duck Go
- StartPage (Schools can use https://startpage.info for an education-specific version.)
Additionally, if you set your browser's default search option to something other than Google, you will reduce the chance that you will accidentally provide Google with additional data. This allows you to make a deliberate choice around using Google relative to other search options.
Finally, when reading news sites, make a point of visiting sites that are counter to your usual sources of information. If you usually visit Huffington Post, head over to the Daily Caller. If you're a dedicated USAToday.com reader, head over to Time.com. Drop by Alternet or Yahoo! News. (In addition to getting the cookies from these sites stored on your browser, you will also read opinions outside your bubble or circle. You don't have to agree with them, but knowing what they're saying can be useful.)
When searching for sensitive information that you don't want shared, the best approach is to use Tor and search via Duck Duck Go, StartPage, or Disconnect.me. Adding in a VPN, which we discuss in tomorrow's post, is an additional layer of protection. Using this strategy helps protect you from having your personal data collected by data brokers while searching for information.
Email is one of the more convenient ways for bad things to happen to good people. While these steps won't solve all the problems with email, they can help address some of the more common issues. The risks in emails that are delivered to your inbox generally come from aggressive advertising or people trying to steal information, compromise your account, or even install ransomware.
Of course, there is always the low risk of your uncle or cousin sending you that hilarious chain email, but protection from that is beyond the scope of this post.
Be wary of links and downloads coming to you via email, even if they appear to come from friends. When you're sending links or files via email, describe what you're sending. This helps the recipients of anything you send know why you're sending it. When you receive a file or a link, look for that context. If all the email says is, "Hey! You gotta check this out!," you should probably avoid the link (and this advice is true for text messages as well).
To avoid a potentially malicious link, review the base URL and verify that it makes sense (mouse over any links before you click on them so you can review the URL that's displayed). People trying to steal your information will create website domains that look "right" but are actually fake (for example, "citibank.co" instead of "citibank.com").
Expand shortened links before you click on them. People trying to steal your information will often use shortened URLs to obscure where they're sending you.
Use extreme caution when downloading files, especially files that are compressed (for example, they end with ".zip," ".gz," ".7z," and the like). Bad downloads are a common way of spreading malware and ransomware. Also, avoid files sent via email that are executable, meaning they can install software on your computer (for example, they end with ".exe" for Windows or ".dmg" or ".app" for Mac OS X).
The advice about using links and being suspicious of file downloads applies directly to using social media as well. Be very wary about expanding links sent via direct or private messages from acquaintances you follow. This is a common attack strategy: Compromise one account, then send malware to all the "friends" of that account.
Set your email client to strip or not display images. Marketers will often embed tracking technology called a "tracking pixel" in emails; by stripping or not displaying images, you can prevent the effectiveness of this tracking method.
Don't hesitate to ask for confirmation from someone about whether or not a message is legitimate. It's better to send a quick email response asking for confirmation than for your system to get compromised.
If you want an encrypted email account, use a service like Protonmail. However, when using an encrypted email account, keep in mind that both the sender and receiver of the email need to use an encrypted email service. If you send an email from a Protonmail account to a Yahoo or Gmail account, your email and information will be accessible to the ad scanning in those services.
One of the advantages of a large email provider such as Gmail is they provide solid spam, phishing, and malware protection as a part of their service. For regular consumer accounts with Gmail (not educational accounts), you pay for that protection by allowing Google to scan all your email message content, and you allow Google to use that information to create an advertising profile and market services to you; but if your main concern is avoiding malware and phishing scams, then Gmail offers some benefits.
One "advantage" of both email and cloud-based file storage (discussed below) is that they offer a large amount of "invisible" storage. The more data we retain, the more data that can be compromised or accessed by people for whom that information was never intended. If you have important emails that you need to retain over time, archive them and store them offline and then delete the original emails from your email provider. Deleting old emails minimizes the risk to us and to the people we communicate with. It's good data hygiene.
On a practical level, in some instances email can be used in criminal cases or civil lawsuits. Deleting unneeded emails, and deleting older emails, provides a level of protection against frivolous legal action.
A final note about email: It is only as secure as the person you're sending it to, and the "security" of the message should be assessed against the sensitivity and value of the message. If you're using an encrypted email service and you're sending messages to a person using a personal Gmail account, that email is getting scanned by Google. We generally advise people to consider email an insecure service. Accordingly, sending information about a surprise party is probably pretty safe, whereas sending information about a Dark Family Secret is something you might want to save for an in-person conversation.
Secure Online File Storage
For better or worse, we live in a time of plentiful cheap online storage. However, out of this embarrassment of riches, few options offer the ideal blend of ease of access and security. For people who want as close to a guarantee as possible that their information can only be accessed with their consent, most of the common storage options -- Google Drive, Dropbox, and iCloud -- are not useful. While these companies encrypt data at rest, they have a level of access to the data and can be compelled to provide access to that data in response to a legal request. Additionally, these companies often store metadata about how users store files, and this metadata (details such as time and location of access, IP addresses, filenames, and so on) can be informative even without the underlying files. In some cases, using services like iCloud can undercut security and privacy protections we have in place.
For a secure cloud-file-storage solution, we recommend Spider Oak. The differentiating feature of Spider Oak is that it allows us to set a private encryption key that only we can access. This renders our data stored on Spider Oak unreadable. This both supports our security and streamlines the business operations for Spider Oak; if they're ever asked to provide access to a user's data, they are in the enviable position of having nothing useful to share.
As with email, delete any files that are not immediately useful. Files can always be archived offline on an encrypted removable drive. This is a good step for personal organization, and it is also helpful to ensure that sensitive information isn't left exposed accidentally. As with many steps we can take to protect our privacy, taking small steps to reduce risk can help minimize risk. No individual step will magically solve everything, but incremental risk reduction adds layers of protection.
Virtual Private Networks (VPNs)
For people who access the internet from outside their home or office, using a virtual private network (or VPN) can provide different levels of protection from a nosy kid playing at hacker on the coffee shop Wi-Fi network or from a person trying to steal private information as part of an attempt at identity theft. VPNs can also obscure which sites a person visits, thus hiding their browsing histories from people who might attempt to access it. Additionally, VPNs hide your IP address, which can make it appear as if you're in a different geographic location, which blocks location-based targeting.
While there are free VPN options, we do not recommend using them, as many of the free VPNs actually track and share your online behavior. If you're going to use a VPN, you will need to research an option that works for you based on your needs. If obscuring your browsing and connection history is essential, make sure you use a VPN that does not store any access logs. These two guides provide a list of things to consider, along with recommendations.
Most VPN services offer plans that can be used on computers, phones, and tablets.
Many companies provide VPNs for their employees. While these VPNs protect against people outside the company seeing traffic, people using a company-provided VPN should know and expect that their company's IT department can see all their online browsing activity and that in many cases that activity is logged.
Increased Anonymity and Tracking Protection
For people who work from multiple computers, or who for whatever reason don't want to use their computer or phone to browse privately, Tails allows you to boot from a USB key and use Tor to browse the web without leaving any trace of your activity on your host computer.
Because Tails can be treated as a throwaway operating system, it offers a level of flexibility other options might not have. Tails can also be useful as a tool to access the internet securely when connecting from places where we might not trust the security of the internet connection.
Tails is a specialized tool that isn't needed by everyone, but it can be useful for people who need to communicate privately from a system that will be difficult to trace, and its preconfigured privacy protections allow people to get started quickly.
Our advice on password managers is straightforward: Use one. LastPass, Password Gorilla, 1Password, KeePass, and Dashlane all are solid options.
While no single solution is perfect, password managers eliminate the problems of reusing the same password across multiple sites and using passwords that are too short or too simple. Password managers also generate passwords that are truly random and un-guessable. Additionally, many password managers have a mechanism wherein you can create secure notes to save important information.
To state the obvious, putting all this information in a single location is also a risk; this is why the password manager must also be protected by a strong password and a second factor of authentication, such as your mobile phone. While writing passwords down is almost never a good idea, writing down only the password to your password manager and your primary device (i.e., computer or mobile phone), and then storing these passwords in a safe location, allows you to have a suitably strong password protecting these key services while eliminating the risk that you will forget the passwords. This post contains tips on creating both secure and memorable passwords.
This study looks at four leading password managers and provides some good information on evaluating them.
While both Firefox and Chrome offer the ability to store passwords, avoid using this feature. It is not as secure as a password manager.
Two-factor authentication -- also called 2FA, or MFA (multi-factor authentication) -- is based on the idea that we can be more secure if we expand authentication to include two (or more) of the following criteria:
- something we know (such as a username and password or a security question);
- something we have (such as a phone, access to an email account, or a USB key); or
- something we are (such as a fingerprint, an iris scan, a typing pattern on a keyboard, or other biometric indicators).
The most commonly used form of two-factor authentication involves the provider sending a text message to our mobile phone, in a process that works like this:
- We log into a web site with our username and password;
- a successful login forwards us to a screen that asks us for a second confirmation code;
- we receive a text message with a one-time use code; and
- we enter that code on the screen, and we are fully logged in.
However, there are three main issues with using a text message to support two-factor authentication. First, if one of our concerns is tracking by corporations, this form of two-factor authentication provides a direct connection among us, a mobile phone number, and our account - in other words, when we give Facebook or Twitter our mobile phone number to support two factor authentication, we have told them a phone number that we rely on, which can then be used to track us further.
Second, two-factor authentication can be tricky for people who travel to or live in locations with unpredictable cell phone reception. If our phone can't get an adequately strong signal to receive the text, we're out of luck.
Third, hackers have started to use a technique called SIM hijacking to actually take over a phone and have texts forwarded to a different phone. While this technique is more complicated and requires a reasonably skilled and determined person to pull off, SIM hijacking appears to be occurring more frequently.
Services such as Authy address some of these issues but still involve sharing data with a third-party company. However, if our primary risk is getting hacked, and corporate or ad tracking is secondary, two-factor authentication via text or via a service provides an additional level of protection.
An additional option that has some advantages over using text or a service is to use a special USB key, such as the one offered by Yubico. These keys don't have the same privacy risks from tracking as other forms of two-factor authentication, which makes them an effective protection against hackers without them compromising other privacy concerns. Yubico keys can also be used to provide two-factor authentication when you're logging into a computer, which is most effective when the hard drive is encrypted. Keys sold by Yubico currently cost between $18 and $50 for individuals.
But to summarize, any form of two-factor authentication adds a level of protection against unauthorized access. Using a USB key also protects against hackers and doesn't leak information to the other companies that will use personal information -- such as a phone number tied to an email address and other personal information -- to track us.
Phone/Tablet and Apps
The tips in this section assume that you have evaluated the apps you have installed on their phones. For Android-based systems, you can review the permissions of apps in the Play store or on your phone. For iOS-based systems, you need to review the privacy settings on your phone, which allow you to control which apps can use tools such as location, contacts, and so on.
The advice given above about searching online and using a VPN while browsing the web applies to phone and tablet use as well. However, the use of apps on phones -- and the data they collect and share -- raises additional issues that need to be addressed for us to take control of our privacy.
One of the easiest things you can do to protect your privacy when using your phone is to install Signal. Signal is an encrypted text and voice app. Other texting apps (WhatsApp, Telegram, iMessage, Allo, and so on) all have greater or smaller issues that compromise privacy.
Using Signal on your phone also protects you from having the information in your texts logged and stored by your mobile phone carriers. As with email and file storage, deleting old text threads can protect against these threads being accessed.
While browsing the web, using a VPN will protect your communication, especially if you're connected to free wireless in a store or a coffee shop (wireless use is covered later in this post). Just as you would when using your browser on your computer, you should also clear cookies on your mobile browser (Safari and Chrome). For people using iPhones, you can also use the recently launched Firefox Focus. While there are also tracker-blocking tools for Android, we are not making any explicit recommendations because some of the apps that are marketed as ad blockers are actually trackers. Before installing any blocking apps in Android, be sure to read through the permissions they require.
Mobile phones contain multiple tools that have privacy implications. Applications can use your phone's location services, wireless connection, and Bluetooth connection to track your location. This data is collected and stored and often shared with data brokers and advertisers. The process of delivering ads based on a person's location is called "geofencing." At times, however, this technique has been used to compromise the privacy of people seeking health care.
Fortunately, this type of tracking can be minimized by turning off your phone's location services, Bluetooth connection, and wireless connection. If you turn these services off -- and then enable them only when you need them -- you minimize the amount of data you share and when you share it. Credit card companies have been using the locations where we shop as a means to adjust our credit scores for years. The next frontier of this type of tracking appears to be our location as we move throughout our day. Minimizing the amount of location data we share, and with whom we share it, allows us a degree of control over this aspect of our privacy.
Of course, turning off your phone or tablet minimizes the risk of tracking from most sources. For those of us who want to ensure a higher level of privacy protection but want to be able to selectively use a phone or tablet, you can also use a Faraday Bag to block wireless signals and any potential tracking.
Wireless internet or "hot spots" are now widely offered in many public places. As with anything that is free, the offers often come with strings. Be selective with free wireless. It is generally a tracking tool. The risks of using publicly available wireless can be mitigated by using a virtual private network (VPN) and/or Tor.
Free wireless internet with no password is the highest level of risk for wireless. If you're using a wireless connection that has no password, it's very easy for anyone to join that network and eavesdrop on your activity on the network. In many cases, stores that offer free wireless can use the information they collect about you when you're using their free wireless connection to track and target advertising to you, even while you're still in the store. Free wireless with a password is better, but not by much, and quality and safety will vary widely.
Institutional or organizational wireless is theoretically easier to secure, but the actual security will vary widely. In very general terms, the security within an organizational network will be set up to protect organizational assets first, personal privacy second. Institutional wireless often incorporates tracking, which is an appropriate security measure for the organization, but that can interfere with personal privacy. Additionally, if an organization leaves its wireless passwords unchanged for a significant amount of time, this erodes the value of security protections in place on this network.
Home wireless networks are as secure as the wireless encryption protocol and the passwords used to access the settings on the routers and the passwords or security on any connected devices. For most of us, home wireless networks are relatively safe. Generally, an attack on a home network would be part of a focused attempt against an individual.
It's also worth remembering that our devices will automatically connect to "recognized" wireless connections. This can be exploited by hackers who can create illicit networks in public places. Common names such as "attwifi," "xfinity," or "linksys" can easily be spoofed -- and once you connect to a wireless access point, the person who controls that access point has the ability to see and control your online activity. A VPN mitigates this risk, as does turning off wireless on your phone when you go out. You can also minimize risk by deleting wireless networks that are outside your regular locations.
Conversations about privacy and security often focus on technology and give scant attention to the human, non-technological factors that affect personal privacy. In this brief post, we will cover some of the personal choices we can make and technical options we can use to take control over what we share and with whom we share it. This post is not comprehensive, but it provides some clear steps we all can take. We also attempt to ground the choices and options we recommend with additional context. When we talk about protecting our privacy, we need to consider what we're protecting -- and from whom we're protecting it.
When we discuss privacy, we often become too focused on the tools rather than on the behavioral shifts required to use the tools well. At the same time, when discussing how to improve privacy and security, we often get stuck in the details and fail to acknowledge that we all can do simple things to increase the control we have over our privacy. This post goes into detail well beyond these simple steps, but using these steps as a starting point would be a marked improvement for most of us.
Easy, free steps to protect our privacy start with using these browser add-ons when you browse the web:
- uBlock Origin (blocks ad trackers)
- Privacy Badger (blocks ad trackers)
- HTTPS Everywhere (forces the browser to use an encrypted connection if one is available on the current site)
Use alternatives to Google for search: Use Duck Duck Go, StartPage, and/or Disconnect.me. These search engines minimize tracking and, when used in conjunction with add-on tracking blockers, help sidestep issues related to filter bubbles.
Whenever possible, set up two-factor authentication to protect accounts.
When using your phone or tablet, these free steps can increase your control over your privacy:
- Use Signal to send texts and make voice calls.
- Turn off wireless, Bluetooth, and location services when you leave your home. Only turn them on when you need them.
- If you use an iOS-based device, use Firefox Focus to block tracking.
Take these steps that are slightly more complex and still free:
- Use Tor when browsing for sensitive information.
- Delete cookies from your browser.
Try three additional options that add privacy protection but are not free:
- Use a virtual private network, or VPN, when browsing the internet from your computer, phone, or tablet.
- Use a privacy screen. This will help prevent people from reading over your shoulder.
- Use Spider Oak for encrypted cloud-based file storage.
A final step we all can take involves cleaning up the old files we have in our online file storage and deleting old emails we have stored online. No one needs to be a data hoarder. Setting up a time each month to delete emails and files we no longer need, and to archive items we don't have an immediate need for, helps minimize the risk of old information becoming compromised.
It's easy to feel powerless when it comes to protecting our privacy. Companies, political organizations, and governments have a head start, and the fight to regain our privacy is often marked by distinct information asymmetry, where the organizations collecting, sharing, and storing our data know more about us than we know about them. However, as the Five Days of Privacy demonstrate, we have options. There are a broad range of concrete steps we can take now, and most of these steps are free and pretty low-tech.
As we continue to reclaim our rights to privacy, part of our work is normalizing behavior that protects privacy. If one person out of a thousand uses a VPN, that individual will stand out. If 200 people out of a thousand use a VPN, we begin to get some safety in numbers. Additionally, as more people use more privacy-protecting behaviors, we reduce the value of the data that is collected. If we pair privacy-protecting behavior with studying the companies that want to collect and use our information, we reduce the current state of information asymmetry. Reclaiming privacy is a choice. Sometimes it's not a convenient choice, but flossing, exercise, and eating well aren't always easy either. But when we make protecting our privacy a choice as an individual, we make it easier to protect ourselves and our communities.
This work is licensed under a Creative Commons Attribution Share-Alike License. The lead authors of this work are Bill Fitzgerald and Audrey Watters.