Internet privacy has been a hot topic of conversation in the last year. From Edward Snowden, to high-profile credit card hacks, to conversations about wearable technology like Google Glass. These are conversations that are not going away anytime soon, either.
There’s a saying: “What you don’t know can’t hurt you.” But when it comes to internet privacy, nothing could be further from the truth. The new book Dragnet Nation has gotten some attention lately, with author Julia Angwin appearing on quite a few media outlets, including a recent 60 Minutes feature. I gave it a read, and honestly, it scared the pants off me a little bit.
The Edward Snowden/NSA stuff is pretty common knowledge at this point. And unfortunately, there isn’t a whole lot we can do as citizens on that front. In fact, in some cases, the more we do to protect ourselves, the more attention we’ll garner from the NSA for the mere fact that we’re trying to protect ourselves.
What was more surprising to me was learning about the vast ad networks and identity thieves that are buying and selling my personal information as if it was a can of beans on a grocery shelf. One quick example that floored me: You know all those coupons and ads you get when you move to a new place? That happens because the US Postal Service is selling that information to advertisers. Do we get asked if we’re okay with that? Certainly not. This kind of thing happens all over in our world, and no place moreso than online.
While Google has certainly changed our world for the better in many regards, it’s also the king of personal information storage. A look at one day of your search history will be more revealing than you would have possibly thought:
What can we learn about Jeremy Anderberg from this small snapshot of searches over the course of about 18 hours on February 26-27, 2014? First, I was finding out if The Bachelor was available through Comcast on-demand (for my wife, I swear!). I was then doing some research for a post on Frankenstein that I was writing up. Then I was doing some bachelor party planning for a friend in Minnesota. I followed that with some quick research into Swiss vacation packages (a guy can dream…). Finally, I was looking at some cigar reviews before making a Groupon purchase of a sampler pack. While that information is random, if put together with other random pieces of information, you get quite a detailed picture about the daily life of Jeremy Anderberg. I found years worth of this information, without really having to dig.
I wasn’t too pleased with Google, and therefore possibly hundreds of other companies having all that information about me. I also knew that my passwords (I use the plural – but really it was just one password for everything) were long overdue for changing. So, I started doing some research on how to go about better protecting myself.
It’s a little bit frustrating, honestly, because you can never really escape the internet. And heck, this website relies on advertising, so how do we reconcile making a living with protecting ourselves? It’s a complicated issue. So over the last few months I’ve tried various techniques of internet protection to varying degrees, and finally found the ones that stick. While I still have privacy vulnerabilities, at a certain point you just have to compromise and say that you’re doing the best you can for the time being. I’m certainly better off than I was a few months ago.
In this article, what I really want to do is give the very basics to protecting yourself online. Taking the few steps below will save you from the majority of internet privacy issues. I also give a couple tips for some more intermediate steps you can take if you’d like to take additional, but admittedly more inconvenient precautions.
The reality is that we’ll never truly escape the watchful eyes of the government without hunkering down into a hole and totally disconnecting our lives from every electronic device and transaction. That’s not realistic for the majority of people, or desirable. We’ll just have to live with that piece of it for now. What I’m trying to do is take small steps to protect myself from would-be identify thieves, as well as offer a small bit of protest to our own government, and the mega-corporations that are buying and selling my personal information like it’s a commodity.
While we may not be able to control the entirety of our online lives, we can do something, which is always better than nothing.
Note: I don’t cover mobile phone/tablet security here, because that can be a whole other ballgame, and is largely related to your device vs the internet. This article is about internet privacy. We may do something about mobile security later on.
Why Privacy Online Matters
If you’re like I was just a few months ago, you may not really care much about internet privacy. I’m not a criminal, so who cares if the NSA sees what I’m doing? Sure, advertisers may have my info, but so do phone books, and it’s not impacting my life in any real way. Websites are getting more secure, so I don’t have to worry as much about hackers trying to steal my identity, right?
Let’s take a look at just a few reasons why your privacy online matters.
1. Websites are more secure, but hackers are smarter than ever before. In 2005, there were 1.6 million identity theft incidents reported; in 2012, there were 16.6 million such incidents, which amounts to 7% of the entire US population over the age of 16. With recent reports from Target, Michaels, and other retailers, it’s actually more important than ever to protect yourself from hackers. Even if there isn’t significant financial loss, identify theft can result in poor credit, needing to open brand new accounts, and of course undue stress.
2. Your private information in the hands of corporations/governments can cost you. First, you may not have noticed yet, but depending on your online profile (the information a particular company has collected on you), you could be getting charged different prices than your neighbor on products you buy online. Do you have a higher income? Do you frequently shop online? Have you proven in the past to buy goods at full price? While companies say they are “personalizing” and “customizing” your buying experience, the reality is that price discrimination based on your browsing profile is happening more and more.
Second, your information can cost you in more than just your wallet. Have you participated in any medical forums like WebMD? When applying for health insurance, that information can be found and used against you. Have you searched for illegal topics online (we’re all curious how bombs are made…)? You can be put on a government watchlist. Did you have a phase in college you aren’t proud of, and your browsing history includes a bunch of porn and illegally downloaded music and movies? Future employers could get their hands on that information and prevent you from getting a job. You may not think your information online matters all that much, but it can impact you in very real ways that are only getting more intrusive.
3. Your privacy is a constitutional right.
“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” –Fourth Amendment to the US Constitution
Honestly, this didn’t matter much to me until I read a little bit of backstory on the 4th Amendment. In the mid-1700s, as tensions began to rise between Great Britain and colonial America, the king issued orders that colonists’ homes and possessions could be searched basically without cause to find smuggled goods. Nobody was exempt, regardless of proof or suspicion.
So when independence was won in 1776, privacy from the search and seizure of personal possessions was so important to the new country it was written into our very constitution. Our government and mega-corporations are getting their hands on our personal information, and it’s sometimes used against us without any probable cause. Now, is information the same as a personal possession? It sure seems like it. To take measures to protect your privacy is to offer a small bit of protest to the unlawful measures that our government has been proven to use in gathering information about the American people.
What To Do To Protect Yourself Online From Hackers
Change your passwords. Yesterday.
This is easily the biggest fault of most internet users. I thought this was a bit of a myth, but honest to goodness, the most commonly used password is “password.” Come on, people. Forty percent of all passwords are in the list of 100 most commonly used passwords, and seventy percent are in the top 500. That makes almost ¾ of all internet users extremely vulnerable to hacking.
First, you need to check how strong your password actually is. Use this link to test them – simply type in your passwords, and it will tell you how long it would take would-be hackers to crack your code. You’ll be amazed at how short it really is. Before I changed my passwords, the one that I used could be hacked in 15 days. Now, the “crack time” says “centuries.” It’s quite comforting, actually. (Don’t worry, the tool is encrypted, and anything you enter is deleted immediately after being tested.)
After you’ve tested your passwords and failed miserably, use Diceware to create new passwords for yourself. There are all sorts of strategies out there for how to create uncrackable passwords. The safest password is a set of 4-6 truly random words from the dictionary. Phrases, acronyms, etc., are more vulnerable to hacking than something truly random. Diceware is a system where you roll a die five times to get a 5-digit number. That 5-digit number corresponds to a random dictionary word. Once you have a single word, repeat the process 4-5 times, and you end up with a nearly unbreakable password. I didn’t do this for all my passwords (because it takes a while and I’m lazy), but I did for what I consider to be the most important – email, banking, any e-commerce site that has my info stored, etc.
When you get your passwords changed, write them in a notebook with no identifying information. It can just be a list of seemingly random words on a sheet of paper. This is what I did, and you’ll come to recognize which passwords belong to which accounts pretty quickly. My passwords are long, and I haven’t actually yet even memorized most of them, but I’m fine with that. I’d rather be safe than sorry. You may have heard to not write your passwords down, but it’s actually safer than storing passwords anywhere else digitally, especially if it’s in a safe place like a locked file cabinet or safe. And I keep my list out on my desk with me during the day, so it’s not a huge hassle.
Also make sure you don’t let your browser store your passwords – you can do this in the settings of any browser you use. It’s a pain, but you will feel safer.
I’ll also briefly mention password management software like LastPass and 1Password — while they are certainly more secure than using one simple password for all your online accounts, they’re still aren’t as secure as the method mentioned above. Many experts recommend using these for less important account like social media, but not using them for your most important banking and ecommerce accounts.
If you do nothing else from this list, please please please change your passwords. It’s the biggest single step you can take to keep yourself from being hacked.
Enable two-step authentication.
This is pretty darn easy, and should be one of the first things you do after changing your passwords. What this does is create a second step for logging in to your various internet accounts. Instead of just inputting a password, you may also get a unique code texted to your phone that has to also be entered. As the name implies, it’s just a second layer of protection should your password(s) be compromised. Sites that you can use two-step authentication with include, but are not limited to:
- Google accounts (Gmail, YouTube, etc.)
- Apple accounts (email, iTunes, etc.)
- Microsoft accounts (Outlook, Hotmail, OneDrive, etc.)
- Most social media: Facebook, Twitter, LinkedIn
- Some banks – I use Wells Fargo, and for logging in to my accounts, they don’t have two-step authentication. I know there are some banks that do, though, so you’ll have to check with your institution.
It may seem like a hassle at times (which it can be), but on most of these platforms you can set it up so that you only have to enter that second step (the texted code) when your account is being accessed from new devices. So if you have one main computer, you can tell Google to remember you, and it won’t always ask for the second step. But if you head to the library, and try to access your account, you’ll need to go through the two-step authentication process.
Be wary of public wifi.
You can hop online from virtually anywhere these days, from airports, to coffee shops, and even fast food joints. It’s obviously incredibly convenient when we’re on the go, but it can make our private information vulnerable to hackers. Without getting into technical information, hackers use these typically unsecured networks to gain easy access to passwords, banking information, etc. via “man in the middle” attacks. One website likened it to your mail being intercepted by a third party before being picked up by the post office.
First, always make sure you’re connecting to the real wifi network that’s been set up by the establishment. Hackers will often go to places and set up fake networks such as “Free Starbucks Wifi” to easily get people’s information. Always double check the network you’re joining — this most often simply means going up to the counter and asking what their wifi network and password is.
Second, make it a rule to never access sensitive information from public wifi – banking, e-commerce, even social media and email. Learn a few more advanced techniques to protect yourself when using public wifi.
What To Do To Protect Yourself From Advertisers
Pry yourself from Google’s claws. If you can.
The previous two security measures are related more to hacking than just privacy in general. The following steps are based on your privacy from advertisers. You should have to give explicit permission to give info to advertisers, but in our internet world, you do so implicitly just by using certain services. Primarily, because you’re using Google for everything.
Disconnecting from this particular tech giant is a toughie because Google is so embedded in so many of our lives. But, it’s worth it. There are a few steps here that are Google-related and will keep the largest chunks of your info from them.
Delete your search history. Your Google search history is just about the most valuable information that Google has on you. From where you’ve been, to what you’re buying, to any embarrassing secrets you’re trying to rid yourself of (“How to get rid of weird rash…”), it’s a treasure trove of information – and a very valuable one to advertisers.
So your first step is to delete all your past Google history, and keep them from tracking any future searches. Follow the steps laid out here and you’ll be set, but know that your searches are still logged in Google servers somewhere in the world. They just aren’t going to be sold or used by advertisers anymore.
Disconnect your account from Chrome. Google’s Chrome browser is only second in worldwide usage to Internet Explorer. When you use Chrome, and you’re logged in to your account, you’re giving Google unlimited access to your entire browsing history, not just your search history. So, if you disconnect your personal Google account under “settings,” you’ll no longer be logged by name. Your information will still be connected to an IP (we’ll talk below about how to solve that problem), but theoretically no identifying personal information.
Consider dropping Google altogether. I really wish this was easier to do than it is. I’d love to drop email, but there aren’t really any good, truly secure email services out there without getting very technical. I have, for the most part, stopped using Google search (see below for how I did this). But even that is tough, because it simply provides the best results. If you have the discipline, get rid of Google altogether, and know that you’re free from their prying robot eyes.
Use DuckDuckGo as your search engine. As the subject of internet privacy has gotten steam, so has the cry for a search engine that doesn’t track your every move. DuckDuckGo is the best answer to that plea. Launched in 2008, this service has gained serious steam in the last couple years. It prides itself on giving all users the same search results for the same searches – meaning that search results are totally de-personalized. If you search “restaurants” in Google, you’ll get listings based on your location. If you search in DuckDuckGo, you’ll get nationwide results that lead you to Zagat, Trip Advisor, and the like.
To step it up a notch (which I have, and heartily recommend), install the DuckDuckGo Plus plugin. It makes all your default search bars DuckDuckGo, and connects you to HTTPS sites wherever possible — meaning you have more secure browsing, period. The plugin makes it way easier to ditch Google because you don’t have to go to the site to search…how many of us really go to google.com to search for things nowadays?
If you’re extra concerned, use the Tor browser. The Tor browser was once just a fledgling, buggy browser for paranoid geeks. Now, it’s a full-fledged program that is a great option for anonymous web browsing for even the most casual and concerned internet user. What it does is re-route your IP address all over the world so that you’re totally anonymous. Even with Chrome or other browsers, if there isn’t any personally identifying info, there’s still your IP address. If you don’t even want that tracked, Tor is your best option, even according to the NSA.
The issue is that using Tor automatically puts you onto intelligence service radar, because as you can imagine, with a truly anonymous browsing experience, there’s a lot of illicit activity happening through Tor. If you’re willing to take that risk, go for it. I don’t care quite enough, so I stick with using the classic browsers with the DuckDuckGo plugin. Tor is also a little bit slower, since you are routing your traffic through remote corners of the world.
What about ad blockers?
Some of you may ask about using ad blockers. It’s a legitimate question, because they do block ad code and keep you from being tracked across the web. The issue is that advertising is how many websites (including ours) make money. There is a common misconception that websites only make money if you actually click on the ads, and thus using ad block doesn’t hurt sites because you wouldn’t have clicked on the ads anyway. But this isn’t the case; nearly all ad revenue is based on impressions – from readers simply visiting the different pages on the site. If you use ad blockers while visiting a website, you increase that site’s server costs, which can be quite expensive (thousands of dollars for a large blog), without chipping in to help cover those costs. So if a site like AoM didn’t have ads, we’d have to charge you, our dear and loyal readers, for our content. And we don’t want to do that. So, IF you use an ad blocker, make sure to whitelist your favorite websites (this means allowing ads on certain websites – an easy process for most ad blockers) so you can support their livelihood. Advertising, as lame as it sometimes may be, is an important part of our media economy.
If your privacy concerns run so deep that you’re not willing to even whitelist your favorite sites, consider donating to them, whether directly through a donate button or indirectly by annually purchasing one of their paid products.
In Conclusion: Privacy vs. Convenience
In all my various testing, the constant question that came up for me was how I would balance privacy concerns with convenience.
Using DuckDuckGo vs Google is sometimes a pain, and every once in a while I do need to use Google. You have to change your search habits, you’ll come to realize, because Google is quite smart. You won’t get suggested results, or personalized results, so you have to be smarter than your search engine.
Having to type in passwords for all my accounts every time I open them is a pain. Especially when I don’t actually remember my passwords and need to look them up.
Using two-step authentication is a pain when I’m in a hurry to access information.
Convenience is absolutely sacrificed when you take steps to increase your privacy and security online. There’s no doubt about that. And these steps outlined above are truly baby steps compared to what one could do (and what Julia Angwin did in her research for Dragnet Nation).
What you need to do is experiment with these measures to find your own acceptable balance of privacy vs convenience. Again, it’s unlikely that this balance will ever be ideal. But taking the simple steps outlined above will keep you much safer and protected than the vast majority of internet users out there.
What have you done to protect your online security and privacy? Any other tips for me?