Events since the inauguration have underscored how critical it is for any activist to protect your data privacy in this emerging brave new world. If you had any hope the new administration would appreciate or respect your privacy rights, consider these developments:
- The president has appointed Rudy Giuliani — yes, the guy who ignored advice not to house New York City’s emergency command center in the World Trade towers — to head U.S. cybersecurity efforts. The Web site of Giuliani’s security firm has been offline since shortly after the announcement, when independent experts found the site to be ridiculously insecure. Additionally, Giuliani’s own account password was hacked and published online. An incompetent White House cybersecurity effort will leave us all more vulnerable as hackers gain ever more sophistication and the government goes the opposite direction.
- Even conservatives are alarmed by the privacy views of Cabinet members selected by the new president. CIA director-designate Mike Pompeo favors lifting nearly all restrictions on government spying on the citizenry, favoring a Big Brother type of monitoring system. Conservative Review quotes Pompeo: “Congress should pass a law re-establishing collection of all metadata [who we contact and when], and combining it with publicly available financial and lifestyle information into a comprehensive, searchable database. Legal and bureaucratic impediments to surveillance should be removed.”
- The executive order regarding refugees that has sparked such an uproar contains a lesser-known provision that attempts to strip all privacy rights from people who aren’t U.S. citizens or lawful permanent residents.
- The White House is considering requiring anyone visiting the United States to divulge Web sites they visit, including social media, as well as their contact lists. Experts point out that bad actors will simply lie or hide their tracks, while honest individuals will have their privacy destroyed. If this doesn’t persuade you of the administration’s utter contempt for Constitutional privacy rights, consider the next point:
- It’s disturbing enough — even to some leading Republicans — that the president appointed white nationalist Steve Bannon to the National Security Council (NSC). But less noticed: At the same time, he demoted the Director of National Intelligence and the Chair of the Joint Chiefs of Staff — i.e., the nation’s top intelligence and military officials. Those two will attend meetings of the NSC Principals Committee only when "issues pertaining to their responsibilities and expertise are to be discussed," according to a memorandum issued by the president on January 28. So, how might one define “national security” in such a way that it may not “pertain to the responsibilities” of the top intelligence and military officials, but would require the president’s Alt-Right-hand man? Suppression of domestic opposition, perhaps?
We Can Secure Our Own Privacy
So, we cannot count on the federal government to protect our security or privacy online. To the contrary, the government may become an enemy of privacy, snooping on citizens in an unprecedented way. It is not a stretch to think that a government that has already branded the news media as “the opposition” and said it should “shut up” will also consider citizens enemies for exercising our Constitutional rights to oppose its policies. But that doesn’t leave us defenseless: There are ways we can “harden” our online presence to protect ourselves and those with whom we communicate.
Consider carefully that last phrase. Even if you feel you have nothing to hide and you aren’t concerned about government intrusion into your privacy, what about the people who communicate with you? Their texts and e-mails are on your smartphone, too.
Fortunately, there are ways we can secure our information, currently. This may not last into the far future, as new technologies make it easier to “crack” encryption (scrambling of data), but presently, most cybersecurity experts believe it’s quite possible for the average person to protect her/his data.
Here are a few steps that will get you started. The first few tips are not time-consuming adjustments, but rather best practices to avoid the most obvious traps.
Simple but Important Cybersecurity Practices
The first, and perhaps easiest, way to secure yourself is to simply avoid falling for tricks that get you to give up your data. Some ways to do that:
- Don’t get phished. Data thieves set up fake Web sites that resemble e-mail log-in pages, bank Web sites, and other places where you would expect to enter your password. Then they send an official-looking e-mail that tells you to log in to update your records. It may say your e-mail is full and you need to request more space, or that a bank transaction failed, or something else that seems like a normal, legitimate request. (Reportedly, this is how the e-mail of Democratic National Committee chairperson John Podesta was hacked.) This is called “phishing.” What to do: Whenever you receive a legitimate-looking message asking you to log in to an account, do not click a link in that e-mail to do so. Instead, type the address of that account’s Web site in your browser yourself. If Podesta had simply typed “www.google.com” into his browser himself instead of clicking the link in the phishing e-mail, he would have been updating his password on the real Google site, not the fake one created by the hackers (apparently the Russian government).
- Use secure (not guessable) passwords. Really, any password that contains words, phrases, or names (whether related to your life or not) is guessable, as are short passwords and passwords constructed by typing patterns on a keyboard (like 1qaz, the leftmost key in each row on a standard QWERTY keyboard). Hackers can use hundreds or thousands of computers (individuals’ private machines that are infected with the hackers’ malicious software) to keep guessing your password until they get it right (in what’s called a brute-force attack). The strongest passwords contain a combination of upper- and lowercase letters, numbers, and special characters in a random pattern, and are 12 or more characters long. Of course, these are also harder to remember. A good, inexpensive password vault program can solve that problem: It stores all your passwords in a secure, encrypted file, so you need remember only the password that accesses that file (and that had better be a strong password). For example, PC Magazine rates LastPass highly; it’s among the least expensive; it has versions for Mac OS, iOS, Android, Windows, and other platforms; it will automatically fill in passwords on log-in pages once set up on your device; it will generate secure passwords for you (though you may want to change the default setting to make them stronger); you can also install it on all of your devices (tablets, smartphones) and it will automatically keep the list of passwords coordinated on all devices (enter a password on one device, and it’s available on all of them). The free version has most of the features of the premium version. You’ll need the premium version (just $12/year) to coordinate passwords among different types of devices (laptops and smartphones, for example) and for some other functions, but you can always start with the free version and upgrade later.
- Use unique passwords. Don’t use the same password for more than one site. Literally billions of passwords have been stolen by hacking into various online services in the past year alone. For example, suppose someone steals your Yahoo! account log-in. Once in, a hacker can look through your e-mail and, for example, find a message that refers to the name of your bank. If your banking password is the same as the Yahoo! password the hacker already stole, there goes your money. Remembering all those different passwords, or storing them securely, can be a challenge; see the previous paragraph for information about password vaults that will store your passwords for you.
- Use two-factor authentication (a/k/a two-step authentication). Some services (including Google, Yahoo, and Facebook) offer this option, which most commonly means that when you log in, the service will send you a text or automated call with a code you’ll need to enter to continue logging in. This makes it nearly impossible for someone to log in who doesn’t have access to your phone, even if they get your password. To find out how to turn this on, search the Web for “two-factor authentication” plus the name of the service (e.g., two-factor authentication Google).
- Know your WiFi. Planning to check your bank balance using the WiFi hotspot at your favorite café or airport? First make sure it really is their network; thieves sometimes set up networks that look like they are legit, but aren’t. Once you log in to those fake networks, they can record all your Internet traffic (including passwords) as you surf. Say you stop in at The Corner Café and you see that there’s a WiFi network called TheCornerCafe. Before logging in, ask the staff whether that network really belongs to the café. Even if it does, it’s pretty risky to use if it isn’t password-protected; someone nearby could still intercept your communications. Consumer Reports has some tips to avoid getting scammed by an “evil twin” hotspot.
- Avoid logging in to unsecured Web sites. Any time you are asked to log in on a Web page, its address should begin with “https” — the “s” stands for “secure.” If not, your password and other data are being transmitted insecurely (not encrypted) and could be intercepted. Some low-security functions may be okay to use without the “s,” but make sure the password for that log-in is not the same as, or similar to, any other account’s password.
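The password advice in the bullets above (dictionary words and keyboard patterns versus random 12-or-more-character strings), worked through as an added example that is not from the original post. The word list is a constructed stand-in, and the dictionary size and guess rate are assumed figures used only to make the comparison concrete.

```python
import secrets
import string

# Constructed stand-in for an attacker's dictionary; real lists hold millions
# of entries, so the guess count below uses an assumed size rather than len().
COMMON_WORDS = {"password", "letmein", "sunshine", "dragon", "welcome"}
ASSUMED_DICTIONARY_SIZE = 10_000_000

# Keyboard walks such as "1qaz" (leftmost key in each QWERTY row) form a small
# catalogue that an attacker tries before any real brute force.
KEYBOARD_WALKS = ("1qaz", "2wsx", "qwerty", "asdf", "zxcv", "12345", "abcdef")

# Assumed guess rate for a botnet of infected machines working offline.
GUESSES_PER_SECOND = 1e11
ALL_CLASSES = (string.ascii_lowercase + string.ascii_uppercase
               + string.digits + string.punctuation)


def charset_size(pw: str) -> int:
    """Alphabet an attacker must cover to brute-force pw (more classes, bigger)."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(c in string.punctuation for c in pw): size += len(string.punctuation)
    return size


def estimated_guesses(pw: str) -> float:
    """Guesses needed under the cheapest attack that applies to pw."""
    lowered = pw.lower()
    base = lowered.rstrip(string.digits + "!")  # the common "word + year!" habit
    if base in COMMON_WORDS:
        return ASSUMED_DICTIONARY_SIZE * 10.0 ** (len(lowered) - len(base))
    if any(walk in lowered for walk in KEYBOARD_WALKS):
        return 1e6  # patterns are enumerated from a fixed catalogue
    return float(charset_size(pw) ** len(pw))  # nothing cheaper: brute force


def years_to_crack(pw: str) -> float:
    return estimated_guesses(pw) / GUESSES_PER_SECOND / (365.25 * 86400)


def generate_password(length: int = 16) -> str:
    """Random password drawing on all four classes, as a vault's generator does."""
    while True:
        pw = "".join(secrets.choice(ALL_CLASSES) for _ in range(length))
        if charset_size(pw) == len(ALL_CLASSES):
            return pw
```

Running `years_to_crack` on "Sunshine2017!" and on "1qaz2wsx" gives a fraction of a second each, while a 12-character output of `generate_password(12)` comes out at over a hundred thousand years under the same assumed guess rate.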
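The link checks behind the phishing and "https" bullets above (does the link really go to the service's own domain, and is it encrypted?), as an added example that is not from the original post. The `check_login_link` and `scan_message` functions and the sample links are constructed for illustration; the `.example` hosts are placeholders, not real sites.

```python
from urllib.parse import urlsplit


def check_login_link(url: str, expected_domain: str):
    """Decide whether a login link leads to expected_domain over HTTPS.

    Returns (ok, reason). Anything other than (True, "ok") is the cue the post
    gives: ignore the link and type the site's address into the browser yourself.
    """
    parts = urlsplit(url.strip())
    # .hostname drops "user:pass@" and ":port" and lowercases, so a link such as
    # https://accounts.google.com@evil.example/ resolves to evil.example, which
    # is where the browser would actually connect.
    host = parts.hostname or ""
    expected = expected_domain.lower().strip(".")

    if parts.scheme != "https":
        return False, f"not https: credentials would travel unencrypted ({parts.scheme or 'no scheme'})"
    if host == expected or host.endswith("." + expected):
        return True, "ok"
    if expected in host:
        # e.g. www.google.com.account-verify.example: the familiar name is only a
        # prefix; the rightmost labels decide who owns the site.
        return False, f"lookalike host: '{host}' is not under {expected}"
    return False, f"host '{host}' is unrelated to {expected}"


def scan_message(links, expected_domain: str):
    """Return the links in a message that fail the check, for manual review."""
    return [u for u in links if not check_login_link(u, expected_domain)[0]]


# Constructed sample links, the kind a "please update your password" e-mail
# might carry; only the first one is genuine.
SAMPLE_LINKS = [
    "https://accounts.google.com/signin",
    "http://accounts.google.com/signin",
    "https://accounts.google.com@mail-security-check.example/signin",
    "https://www.google.com.account-verify.example/reset",
    "https://g00gle-login.example/reset",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        ok, reason = check_login_link(link, "google.com")
        print(("PASS " if ok else "FAIL ") + link + "  (" + reason + ")")
```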
As mentioned above, I am recommending setting aside perhaps an hour each week for the next few weeks to tighten up your own information security.
For your first Data Security Hour, you may want to obtain and set up a password-vault program (such as those reviewed by PC Magazine), and as you enter passwords, change those that are weak (most vault apps will tell you how strong each password is) or that are duplicated across different accounts (you want each account to have its own unique password, now that you’re using a vault to remember them all for you). Then, if you have any time left at the end of your Hour, review the other recommendations in this blog post.
Yeah, it’s a pain, but at least it’s a one-time pain. If you find your motivation flagging or you keep putting this off, take another glance at the bulleted list near the top of this post. Even if you are never targeted by the government or by nongovernmental hackers, you’ll have more peace of mind knowing your own information is more secure, as frightening headlines about data snooping continue to emerge. And they will.
In subsequent blog posts, we’ll cover ways to secure your devices themselves (computers, iPads/tablets, smartphones, etc.), privacy settings for your social-media and e-mail accounts, and securing your data in “the cloud” (online backups, file services like Dropbox and Google Drive, etc.). Don’t want to wait? Read the in-depth data-privacy guide for activists published by the Electronic Frontier Foundation.
In the comments below, please let us know if you have questions about this topic or additional suggestions to share.
Support this blog — help make it possible for us to continue sharing tips for progressive activism, securing your data against government snooping, etc.