Computer Security and Privacy.
Online Privacy section
Privacy In General section
Online Security section
Theft recovery software section
Miscellaneous section
Terms:
Ways to protect your privacy online:
Paul Bischoff's "75+ free tools to protect your privacy online"
Fried's "The Ultimate Guide to Online Privacy"
Noah Kelley's "A DIY Guide to Feminist Cybersecurity"
Privacy Alert's "Internet and software privacy"
Privacy Alert's "Data broker opt-out"
xkcd's "Security"
Smartphones: Android, iPhone, etc
Facebook:
How do companies justify selling your information ?
Why should I care about privacy ? I have nothing to hide.
From HFTI:
Suppose you do some searches about cancer, or diabetes, or alcoholism. Do you want that info popping up the next time you apply for health insurance or car insurance or a job ? Even if you don't have cancer, diabetes, or an alcohol problem ? Easiest for the company to just deny you the insurance or the job, rather than investigate or take a risk.
Dilbert
Suppose you're a woman with an abusive ex-husband, or a creepy ex-boyfriend ? Do you want them to be able to track your location in real-time, or track you even if you move to another city ? Or to know where your new job is, or who many of your friends are ?
Suppose some of your friends or family care much more about their privacy than you do about your privacy. Exposing your info to the world could expose some of their info to the world. It even could affect future generations of your family: suppose you post about some genetic disease you have, and years or decades later this affects your descendants ability to get medical insurance ?
Some people do depend on privacy for their profession, or their life. They work in journalism or activism or investigations. Maybe they live under oppressive regimes, or investigate regimes which have a history of retaliation against opponents, or work in the justice system (where criminals might retaliate against them). If the rest of us don't value our privacy, there will be fewer tools to protect them, too.
From noir_lord on reddit:
Some people (including myself) are not comfortable with a faceless corporation knowing
Now each of those on its own is somewhat unsettling, but when you combine all that together and then you don't really know how your data is handled now and how it might be handled in the future, then it starts to get really unsettling.
The thing with all this data is that it just accumulates, and over time the companies can really build up an accurate profile of you, and that is just f***ing creepy.
From Daniel J. Solove's "Why Privacy Matters Even if You Have 'Nothing to Hide'":
Some responses to the "I've got nothing to hide; you have something to hide only if you're doing something wrong" argument:
... the nothing-to-hide argument stems from a faulty "premise that privacy is about hiding a wrong." Surveillance, for example, can inhibit such lawful activities as free speech, free association, and other First Amendment rights essential for democracy.
...
Another potential problem ... is one I call exclusion. Exclusion occurs when people are prevented from having knowledge about how information about them is being used, and when they are barred from accessing and correcting errors in that data.
...
Yet another problem ... is distortion. Although personal information can reveal quite a lot about people's personalities and activities, it often fails to reflect the whole person. It can paint a distorted picture [and that can have consequences].
...
What if the government mistakenly determines that based on your pattern of activities, you're likely to engage in a criminal act? What if it denies you the right to fly? What if the government thinks your financial transactions look odd - even if you've done nothing wrong - and freezes your accounts? What if the government doesn't protect your information with adequate security, and an identity thief obtains it and uses it to defraud you? Even if you have nothing to hide, the government can cause you a lot of harm.
Reasons someone might want to attack you:
Srikrishna Sekhar's "Why worry about privacy?"
Ruth Coustick-Deal's "Responding to 'Nothing to hide, Nothing to fear'"
Patrick Allan's "Why Your Privacy Matters, Even If You're Not 'Doing Anything Wrong'"
New Yorker cartoon
Another way to look at it: will anyone ever develop a grudge against you, and look for ammunition against you ? Ways to embarrass you, or harass you ? Perhaps you'll get involved in a divorce, get in a dispute with a neighbor, get in a feud with a coworker. Or some idiot on the internet might come after you. How much information do you want to make available to them ?
From someone on reddit 1/2014:
As an employer I run every name and email address I am given by a potential hire through Google and Facebook. I look at everything public to make sure there isn't something completely f**king insane.
Things I don't do: I don't hold what their friends say against them. I don't Friend them or try to look at things that are private. I don't hold it against them if they don't have an account or I can't find it.
I do look at public photos and statuses. I don't care if they go to parties. I do care if they skip work to do so or because of it.
So far I'd say 80% of the applicants are fine. But in that other 20% I have found obvious racists, people who actively hate gays, people who play games every working minute (while at work).
Funniest was someone who had set their account to public and constantly complains about being at work FROM work and asked friends to come by and visit and talk, at a job where that was not appropriate.
For people who apply as interns, I let their school know to have them remind the student to lock down their account. For people who apply for real jobs, I don't say a word.
Some people say: Innocent people have nothing to fear from government spying.
I'd certainly feel uncomfortable and creeped-out if someone followed me around all day, videotaping everything I did, documenting every place I went and everything I did, watching me. Should it be okay for the govt to do this ?
Why was protection from unreasonable search put in the Bill of Rights (4th Amendment) ? It fits this situation exactly: govt is supposed to have a good reason for invading your privacy.
Some huge government investigations have targeted and ruined the lives of innocent people: the McCarthy hearings, the Atlanta Olympics bombing (Richard Jewell was innocent), and the anthrax attacks (Steven Hatfill was innocent) come to mind.
Government powers have been used to target people with unpopular views, or journalists reporting news that politicians didn't want reported: FBI under Hoover, Nixon's enemies list.
Wikipedia's "COINTELPRO"
My response to someone who asked "Why is this NSA scandal such a big deal ? I'm not doing anything illegal.":
Some reasons:
1- NSA scandal is just one symptom of a bigger issue: govt checks and balances have broken down. Intelligence spending and activities are out of control, military spending is out of control, citizens got panicked by 9/11 and let govt take major new powers and now govt is out of our control.
2- NSA is just one point along a spectrum of threats to you. It is the least likely but most powerful threat. It points out that you are vulnerable to scammers, stalkers, eavesdroppers, online criminals, etc. It reveals that our online security and privacy tools and laws are weak.
3- Technology, and the threats from it, will only get more powerful and more invasive in the future. Insurance companies and advertisers and your wacky neighbor will all get more powerful tools to threaten your privacy.
4- Things you do that aren't illegal still may be private. Why do you have curtains on your windows ? Why do you close the door when you go to the bathroom ? Would you mind if someone published your tax returns, your salary and net worth numbers, your credit-card statements, your bank account statements, your medical records ? Why ? You're not doing anything illegal.
Future threats to privacy will be greater:
From Intelensprotient on reddit:
More about the future: new technologies such as Google Glass and face-recognition and license-plate-recognition and CCTV will connect your "real" life and your online life more tightly, and in real-time. Facebook, law enforcement, even big retail stores are starting to do facial recognition. Things you do in public without giving your name, or giving fake data, and using cash, may still be connected back to your personal info. What you do online won't stay only online; what you do offline won't stay only offline.
Michelle Starr's "Facial recognition app matches strangers to online profiles"
George Dvorsky's "How Your Body's Unique Biosignatures Are Used for Surveillance"
In the future, CCTV and consumer cameras only will get better and better. In public, or through your window, cameras may be able to read the screen on your phone, hear your conversation from a distance, photograph you in infrared at night. One of the first users of this is the police force that brought us "stop and frisk": Joe Coscarelli's "The NYPD's Domain Awareness System Is Watching You".
And "The Internet Of Things" is coming: your own devices (car, house, refrigerator, toilet, etc) will make more and more data available, and some of that could be used to reveal your activities.
Another hint about where tech may go in the future: scanning your face and posture and movements to diagnose your health: Ben Amirault's "Diagnosing depression with facial recognition technology". Maybe a good thing in a doctor's office. Maybe a bad thing when a retailer is doing it and selling the data to insurance companies.
Some ideas gleaned mostly from lifehacker's "How You're Unknowingly Embarrassing Yourself Online (and How to Stop)":
Will Oremus's "Of Course Colleges Are Reading Kids' Tweets and Facebook Posts"
Katie Lobosco's "Facebook friends could change your credit score"
Karl Bode's "Banks Now Eyeing Cell Phone Metadata To Determine Your Loan Risk"
Ralph Nader's "Corporate espionage undermines democracy"
Yasha Levine's "What Surveillance Valley knows about you"
Justin Jouvenal's "The new way police are surveilling you: Calculating your threat 'score'"
Brett Thomas's "Online Porn Could Be The Next Big Privacy Scandal"
Grady Johnson's "With New Medical Technologies, Opting Out May No Longer Be an Option"
David Auerbach's "We Can't Control What Big Data Knows About Us. Big Data Can't Control It Either."
Cindy Cohn and Trevor Timm's "Busting Eight Common Excuses for NSA Mass Surveillance"
Ben Amirault's "Diagnosing depression with facial recognition technology"
Thor Benson's "We Need to Regulate Technology That Can Detect Your Emotions"
Yaniv J Turgeman and Eric Alm and Carlo Ratti's "Smart toilets and sewer sensors are coming"
Brendan I. Koerne's "Your Relative's DNA Could Turn You Into a Suspect"
Rick Falkvinge's "What's Privacy Good For, Anyway?"
Neil J. Rubenking's "5 Ways Identity Theft Can Ruin Your Life"
Some societal nuances to privacy:
My response to an article saying "Google and Facebook and Twitter have not created new products that stand alone like a car or a new house; they have created things that invade every other aspect of the economy and our culture. That is a different level of power.":
I think this is overblown. I could stop using Facebook and Google and Twitter tomorrow, with some effects but not big effects on my life. I can give them false info, give them minimal info, use alternatives to them, do without them.
Government and military and police have the potential to have unavoidable, huge effects on my life. They take some of my money (and give me services) without much choice on my part. Sometimes they cause other people to attack our country. They have access to my tax information, credit info, bank account info, phone records, etc.
Some companies have large physical effects on my life and my health. Fossil-fuel power companies, and other companies that put who-knows-what into the air I breathe and the food and drink I consume.
Other companies have pervasive effects throughout our economy and/or culture. TV networks. Phone companies. Walmart. Exxon.
The two political parties control much of what happens in the government and culture and economy.
Super-rich people could destroy me with lawsuits, or buy laws that affect me severely.
No, I think Facebook and Google and Twitter are pretty low on the list of powerful entities to worry about.
Companies that could have large access to your activities:
Some ways technology is stretching old notions of privacy:
Key data you might want to keep private:
Jay Stanley's "Plenty to Hide"
John C. Dvorak's "On Privacy: It's Not What I'm Hiding (Or Not Hiding) That Matters"
Evgeny Morozov's "Your Social Networking Credit Score"
The Economist's "Lenders are turning to social media to assess borrowers"
Sarah Kessler's "Think You Can Live Offline Without Being Tracked? Here's What It Takes"
This Modern World's "Sensible Thinkers Think About Leaks"
Kashmir Hill's "10 Incredibly Simple Things You Should Be Doing To Protect Your Privacy"
Dave Greenbaum's "New Tax Fraud Scam Reminds Us: Protect Your Social Security Number"
Wired How-To Wiki's "Protect Your Data During U.S. Border Searches"
EFF's "Digital Privacy at the U.S. Border: Protecting the Data On Your Devices and In the Cloud"
Evan Dashevsky's "Admit It, You Don't Care About Digital Privacy"
The law (in USA):
[Mostly from Daniel Zwerdling's "Your Digital Trail: Does The Fourth Amendment Protect Us?"]
Two legal ways the govt or others can get your data:
But location of your data matters:
But there are other standards. For example, once NSA collects masses of phone-metadata, it isn't supposed to search within it and use pieces of it without a "reasonable, articulable suspicion" (RAS) that it is related to terrorism. [from Ryan Lizza's "State of Deception"]
And your cell-phone data may get swept up with that of criminals, with each phone company applying its own rules about what data is given to police. [from David Kravets's "Cops and Feds Routinely 'Dump' Cell Towers to Track Everyone Nearby"]
Kashmir Hill's "10 Incredibly Simple Things You Should Be Doing To Protect Your Privacy"
Andrew Cunningham's "A beginner's guide to beefing up your privacy and security online"
Haelan Man's "Digital Wellness? How I Found Peace of Mind in My Digital Life."
Kashmir Hill's "Journalist Invited Hackers To Hack Him. Learn From The Mistakes."
Adam Clark Estes' "How to Encrypt Everything"
Justin Carroll's "Thirty-Day Security Challenge"
Filippo Valsorda's "I'm throwing in the towel on PGP, and I work in security"
Fried's "The Ultimate Guide to Online Privacy"
Andy Greenberg's "How To Bust Your Boss Or Loved One For Installing Spyware On Your Phone"
Products:
One note: if someone (a hacker or ex-spouse) finds out your theft-recovery password, they might be able to tell the software to delete all of your data, even though your device hasn't been stolen !
Password / login issues:
All of these theft-recovery products work by your computer sending "here I am" messages over the internet to a central site. But a computer running Windows 7 Home can't access the internet until the user has logged in to Windows. So the thief has to be able to get past the BIOS/firmware password prompt and the Windows password prompt.
There are three ways this could happen:
1- you always use your laptop with no passwords set, or
2- you have passwords set, but the thief resets the BIOS password and OS password (it can be done), and then logs in, or
3- you have passwords set, but the thief resets the BIOS password (it can be done), reformats the hard disk, installs a new OS, and then logs in.
In case (1) or (2), obviously a thief or casual snoop can log in right away, and read all of your files. Unacceptable.
Under Windows 7 Home Premium, there is no way to have a Guest account that can log in but then be unable to read files.
In case (3), a few of these theft-recovery products can survive the reformat/re-install and be capable of reporting their location when the thief eventually logs in and connects to the internet.
Case (2) or (3) represents a sophisticated thief; they could just pull out the hard disk and attach it to another PC, so they could read your files that way. Unless you're using some special full-disk-encryption product.
And case (2) or (3), the sophisticated thief, probably would be aware of the existence of theft-recovery products.
So it seems to me that this is a Catch-22 situation: these theft-recovery products work best in case (1), but that's the case where you've left your data most vulnerable to a naive thief or casual snoop. And in case (2) or (3), nothing protects you very much from a sophisticated thief.
I believe Linux and Mac systems are slightly better than Windows in that: once the OS password prompt is displayed, the machine can connect to the internet, even though the thief hasn't logged in to the OS. The thief would still have to get past the BIOS password to get to this point. So for Linux and Mac, if you set no BIOS password but do have an OS password, the laptop might report its location while the thief is sitting there trying to guess your OS password.
Let's look at fundamentals:
What is important to you ?
What are you trying to protect or prevent ?
Privacy Alert's "Computer hardware privacy"
Mobile phone security:
[Do I have this right ?]
Three things to protect: your data, your device, and access to the service(ability of thief to make calls and run up bills on your account).
Recovery issues:
What "location" information do you get once the thief has logged in and connected to the internet ?
You'd get the IP address. Maybe also the Wi-Fi or Ethernet network name ? If your stolen device had a GPS in it, you could get latitude/longitude. If your stolen device connects via cellular data-modem, you could get approximate latitude/longitude. Software could use the list of visible Wi-Fi networks to calculate approximate latitude/longitude.
From the IP address, you could find the ISP's info, and contact them.
If the IP address is specific to a person or house, the identity of the thief is fairly clear.
But if the IP address maps to a public Wi-Fi spot (such as provided by a school or library or McDonald's or Starbucks), or a private house that's running an open Wi-Fi signal, the identity of the thief is unclear.
Most products can use the laptop's webcam to take a picture of the thief, which helps.
The companies selling the commercial theft-recovery products may assist in the tracking and recovery process, helping you follow the IP address, contact law-enforcement, etc.
Some users who had devices stolen report great cooperation from law-enforcement in recovering their property; others report that police were uninterested in helping them. Probably varies from town to town and country to country, and also depends on how much info you can give to the police.
Whitson Gordon's "Can I Track My Laptop or Smartphone After It's Been Stolen?"
Lincoln Spector's "Protect your Android phone from loss or theft"
Hitesh Raj Bhagat & Karan Bajaj's "How to track & recover stolen or lost gadgets"
Patricia Laurie's "How to avoid buying a stolen laptop"
Stolen-property.com
Get Safe Online's "Report a lost or stolen computer"
Max Eddy's "What To Do When Your iPhone is Stolen"
Neil J. Rubenking's "What to Do When You've Been Hacked"
Lincoln Spector's "You've fallen for a scam! Now what?"
Patrick Allan's "What to Do When Someone Gets Unauthorized Access to Your Computer"
Nicholas Tufnell's "Naked selfies extracted from 'factory reset' phones"
Melanie Pinola's "What Should I Do If My Credit Card Gets Hacked?"
Alan Henry's "What To Do If Your Social Security Number Has Been Stolen in a Hack"
FTC's "IdentityTheft.gov" (what to do in case of identity theft)
TL;DR about computer privacy, security and safety:
Anticipate problems:
Maintain a secondary email account, preferably on a different provider from your primary email. If something happens to your primary, you can use the secondary to send critical messages until you fix the primary.
Don't ignore the account-recovery settings on your accounts, or put bad data in there. Sure, you'd rather not let Google or Yahoo or Facebook know your phone number or your second email address. But that information can save you if their security triggers get pulled for some reason. You travel, you try to access your email, you get "hey, we see a login attempt from a known-dangerous country, we're turning off account access until you give us the code we're SMSing to your phone or emailing to your other account". Better hope you've kept the account-recovery options up-to-date.
From DrStephenPoop on reddit:
> BACK UP YOUR DATA
And not just what's on your hard drive.
Do not trust the cloud!
Google recently ended my account for an unidentified TOS violation. I am not sure what I did. I just logged into gmail one day and instead of an inbox I saw a message saying my account had been disabled. I lost:
8 years of email contacts
6 years of favorited YouTube videos
About a dozen videos I made with my brother that were uploaded to YouTube.
All my Drive/Doc files including original writing.
My passwords to several sites, including banking and insurance sites.
Three albums I had purchased from Google Play.
Here's the kicker: I was a google believer. I am one of the 5 or so non-developers who actually owns a first generation Chromebook. I believed in the cloud!
Use and enjoy Google's services, but do NOT rely on them. Even though you buy their computers and purchase music from them, you are STILL not the consumer with google. You are the product (sold to advertisers). So when you are shut out from their garden, you have no customer service to appeal to, or to even find out why you got tossed. You might as well be staring at an angel with a flaming sword, wondering where your pants are.
> Didn't you contact Support ?
When you get the "your account has been disabled" screen, they give you a link to voice your grievance. After submitting, you get a message that says something to the effect of: "If we find we have reason to contact you, we will contact you."
You can also go the community forums and plead for help. Sometimes someone associated with google will actually say: "I'll have people take a look at this." In all my pleas, I never got a response. That is as far as support goes. You are not a customer. You are the product, and you are merely a commodity. Have you ever heard of "commodity support"?Tienlon Ho's "Can You Live Without Google?"
From someone on reddit:
A few days ago my Facebook account was disabled suddenly and without warning. I've gone through what I thought was a fairly routine appeals process - filled in the form they link you to when you try to log in and included a scan of my photo ID as they requested to prove I'm a real person etc. However, I just received an email from Facebook saying the following:
> ... Upon investigation, we have determined that you
> are ineligible to use Facebook. ... Unfortunately, for
> safety and security reasons, we cannot provide
> additional information as to why your account
> was disabled. This decision is final. ...
This is really bizarre and quite upsetting - it's easy to forget just how much we rely on this service. If I can't get my account reactivated, that's six years of content (and memories) lost, and a huge blow to my ability to keep in contact with some friends and family.
The only possible reason I can think of for my account being disabled is what I was doing at the time - sending some photos to someone through the private messaging system. Some of the photos were (mildly) adult in nature (at her request!) which could be deemed a breach of the Community Standards if you look at it in strict black and white terms ("Facebook has a strict policy against the sharing of pornographic content"). However I can't bring myself to believe that there is someone monitoring private message attachments and instantly banning people if they see boobs. Beyond that, I genuinely can't conceive of a reason as to why my account was singled out for anything.
Any advice would be appreciated as to what I should do next - I am not yet willing to just give up and lose all of that content. I have replied to the email, though I doubt anyone will read it, but beyond that there's really no other contact options I can see, and Googling this problem does not produce much beyond more horror stories like this.
From sugarbreach on reddit:
I am writing this to warn Google users to back up their data, and to realize that everything you take for granted can be taken away in an instant.
About a week ago I attempted to log into my Gmail account and was greeted with a page saying my account was disabled. It says that it was disabled due to a perceived violation of the terms of service and product specific polices. I have read and reread the google terms of service, and I know I haven't done anything to violate them. The only possibility I can think of is that someone may have hacked into my account. I have been an enthusiastic gmail user since it first came out in beta, and you had to be invited to get an account. I have relied on google apps to make my life easier. I have filled in their account recovery form, and even tried calling members of the Gmail team, but have had no luck. I also have posted on the gmail help forum, but an expert there said he contacted google and there was nothing he could do and google wouldn't tell him anything "for privacy reasons".
This has created the ultimate real-life nightmare, and has turned my life upside down, a few examples of which are listed below.
All of my contacts were linked to this account. I now do not have access to emails, phone numbers, addresses, etc.
My google voice telephone number is no longer working. I had this phone number on my business cards and email signature, and now when someone dials the number, they are given an error recording. "We could not complete your call, please try again".
My youtube account with many videos I cherished of my children are now gone.
I have all of my photos backed up to the account for nearly my entire life, as I thought this was the safest place to keep them (the cloud!) I have photos of my beloved grandparents who have since passed away, and the thought that I can no longer access these photos makes me sick. I also have thousands of pictures from vacations and of my children that I fear are gone forever.
A nice chromebook that I purchased to access all of the google apps is now almost useless since my account has been disabled.
I have multiple documents in my google drive that I have spent hours of work on, and can no longer access them.
I placed an enormous amount of faith and trust into google's products and services, as millions of people have worldwide. It is a shame that something this important in someone's life cannot even warrant a response from a live person at Google.
I have been very depressed because my entire life was encased in google's products, and now everything is gone.
Again, I am writing this to warn others that this can happen to anyone at any time, so it would be wise to back up treasured items in your google account. Ironically, google provides the means to do this through their "takeout" app, which I did not learn about until after my account was disabled. If there is anyone out there reading this that can offer any guidance for getting my account reinstated, I would sure appreciate it!
If you lose a cloud account, you can lose stored data, remaining time on a subscription, any accumulated credit or gift cards, network link that makes some device (such as Amazon Echo) work.
Maybe some people don't consider their email to be "cloud data", but it is. If you're saving 10 years of past emails in GMail or Hotmail or something, it may be valuable to you, and it may be used by a hacker if your account gets hacked. It's also hard to back up. I'm a big believer in keeping your email account as close to empty as feasible. Clean it out !
Jon Christian's "Deleting the Family Tree"
DanDeals' "PSA: Don't Mess With The Google!"
Alex Hern's "Pixel phone resellers banned from using Google accounts"
Eric Griffith's "Back Up Your Cloud: How to Download All Your Data"
Adam Dachis's "How to Protect Your Data in the Event of a Webapp Shutdown"
And of course back up your local data, not just your cloud data.
How-To Geek's "What's the Best Way to Back Up My Computer?"
Eric Griffith's "The Beginner's Guide to PC Backup"
/r/techsupport's "backuptools wiki"
From someone on reddit:
The basic methods of "hacking" accounts are:
General security and privacy issues:
Threats:
[Generally from most likely to least likely:]
And some people say "trust no one !". Well, I think it is reasonable to trust the CPU chip vendors, and the compiler-writers. I don't see how useful "backdoors" could be built into those things (and I have BS and MS degrees in Computer Science). Trusting the OS vendors is a little more dubious; I guess I trust the basic OS, but maybe not all of the standard apps and services supplied with them. Same for trusting browser vendors.
Of course, if you trust no one, you'll never be able to get anything done. Can't drive my car, because I shouldn't trust the manufacturer. Better not eat anything, because I shouldn't trust the food companies or stores.
Some people say "it's all over, we've lost our privacy, it's done". No, it's an arms race, and right now consumers don't have very good weapons. We need to get convenient, good, routine encryption. We need more sites, applications, and protocols designed with security and privacy as priorities from the foundation up. Maybe "mesh" networking, peer-to-peer systems, distributed systems (SCG's "6 Anti-NSA Technological innovations that May Just Change the World"). We in USA need better regulation of spy agencies, via FISA and Congress. It's not over. You're generating new private data every day; you can protect that. And you can create fake data.
A worrisome trend: intelligence agencies being pressed to use their powers for non-intelligence purposes.
From Alex Hern's "David Cameron: GCHQ will be brought in to tackle child abuse images": "GCHQ [the British intelligence agency] will be brought in to tackle the problem of child abuse material being shared on peer-to-peer networks."
From NSA spokesman quoted in Barton Gellman and Ashkan Soltani's "NSA collects millions of e-mail address books globally": "[The NSA] is focused on discovering and developing intelligence about valid foreign intelligence targets like terrorists, human traffickers and drug smugglers."
Eric Boehm's "Reuters: Law enforcement use info from NSA phone database to go after common criminals"
Conor Friedersdorf's "The NSA's Porn-Surveillance Program: Not Safe for Democracy"
Costs of counter-measures:
Patrick Howell O'Neill's "Dealing with the digital afterlife of a hacker"
General counter-measures:
How to attack cryptography:
[From hardest to easiest:]
Low-tech solutions:
Things that may not increase security and privacy:
Operating systems and environments:
Testing your privacy and security:
New things we need to increase our privacy or security:
Privacy In General section
Online Security section
Theft recovery software section
Miscellaneous section
Terms:
- Preservation: prevent loss of your data.
- Security: prevent someone from reading or modifying your data.
- Privacy: prevent unauthorized use or reading of your sensitive data.
- Anonymity: prevent someone from connecting your activities to your identity.
Online Privacy
Ways to protect your privacy online:
- Don't put really private stuff online. At all.
Naked pictures of yourself or your spouse ? Personal embarrassments ? Dark secrets ? Something illegal ? Just don't put it online, or transmit it over the internet. Maybe don't even put it on your computer or phone or camera. - Give "them" as little data as possible.
Don't fill in all of those "profile" fields. Why tell Facebook where you've worked, where you went to school, who your family members are ? - Give them fake data.
Don't give them your real birthday, or real mailing address, or real phone number. Misspell your name slightly.
[But: if Facebook or whoever later challenges you to produce real ID to verify your account, and your info doesn't match, you'll lose the account.]
Similar when installing an OS, or using a brand-new PC for the first time. Give your PC a generic name like "laptopJ", create a user account with a generic name like "userK", instead of using your real full name. Those names will appear on networks and other places.
Email address:
Credit-card info:
Maybe in the future we'll get "decoy" tools or services: something that posts fake info online to make it harder for others to figure out your true info. Fake pictures of you, fake address, fake postings, etc.
Some people carry a fake ID, to show to businesses that demand photo ID. I think it's legal as long as it's not a fake of a government ID, and you're not committing fraud. A fake corporate employee ID card from a fake corporation, maybe. Maybe add this fake person as an authorized user to your real credit card ? - Maybe use login/password info from elsewhere, instead of using your own.
BugMeNot
login2.me - Use "blockers".
Several ways to do this:- Extensions / plug-ins / add-ons in your browser.
Adblock Plus (and then go to stop tracking and stop social-media tracking)
Do Not Track Plus
Facebook Disconnect
FacebookBlocker
Wallflower (similar to FacebookBlocker ?)
Privacy Badger
TrackerBlock
Disconnect (prevents tracking by Facebook, Google, Twitter)
Priv3 (affects Facebook, Google +1, Twitter, LinkedIn)
EasyPrivacy addition to Adblock Plus
"Stop Tracking Me on Reddit"
Add-on to control or delete "referer" information in HTTP requests; in browser, do a "Get Add-ons" and search for "referer"
Fighting the System's "Hardening Firefox to Protect Privacy"
Decentraleyes (loads JS libraries locally; Firefox only)
More complex tools:
CsFire
Ghostery
Privoxy - Hosts file modifications.
Advantage: affects all browsers and all applications, from one place.
uBlock Origin (get from here ?)
HostsMan
MVPS Hosts file - In your network router.
Advantage: affects all devices and all browsers and all applications, from one place. - For Android smartphone:
Non-rooted: AdGuard, Netguard, Dns66, AdClear, Block This, Cygery AdSkip.
Rooted: AdAway, MinMinGuard Xposed. - General OS controls.
Spybot Anti-Beacon (prevents Windows sending info to Microsoft)
- Extensions / plug-ins / add-ons in your browser.
- Set the "do not track" option in your browser to (maybe) stop "ad tracking".
In FireFox 10, it's: Options - Options - Privacy - Tell websites I do not want to be tracked.
But: Jon Brodkin's "Yahoo is the latest company ignoring Web users' requests for privacy" - Use the privacy controls in the ISP and social networks and sites you use.
Very important: Log on to the web site for your ISP and find any privacy settings they have for your account.
Facebook lets you control the access that Apps and external sites get to your data: go to Account - Privacy Settings - Apps and Websites - Edit your settings.
Melanie Pinola's "The 'Nuclear' Option for Total Facebook App Privacy"
Turn off your Google search history: here
YouTube: profile - Video Manager - History - Clear All Viewing History, and then History - Pause Viewing History, and then Search History and do the same clear-and-pause.
See and turn off data aggregating by BlueKai: here
Handy central places to start:
MyPermissions
Stay Safe Online's "Check Your Privacy Settings" - Apparently, "opting out" via NAI stops targeted ads, but does not stop companies from tracking your activities.
- Delete most cookies every now and then.
CCleaner
Or delete all cookies every time you close the browser:
Ian Paul's "How to automatically delete your cookies every time you close your browser"
But if you do this, you'll probably want to be using a password manager, because you'll be logging in to sites a lot. - Don't always use the same IP address or network, or hide your IP via a proxy or VPN.
And some people say you shouldn't use Google's DNS.
My attempt to understand VPN vs no-VPN:
If you're doing illegal things, don't expect a VPN or proxy company and their ISP to shield you if they're served with a court order. They may be forced to log your activity and trace you and give the data to law enforcement.
Jason Fitzpatrick's "What's the Difference Between a VPN and a Proxy?"
Hide My Ass! (free proxy server)
DNS:
Mac Makeup can change your MAC address. - Stay logged out of Google and Facebook et al as much as possible, as you browse other sites.
- Don't use everything from one company.
If you use Google Apps, Google Docs, Google Sites, Chrome browser, GMail, Google search, Google Maps, and Google+, then of course Google is going to know a lot about you. Instead, spread it around: Yahoo Mail, Facebook, some free web hosting service, Firefox browser, Google search, etc. - You can delete your accounts on various services, although often they make it hard to find out how to do that.
justdelete.me
AccountKiller
Some people say: instead of just deleting an account, first go in and delete as much of your data as you can, and change as much of the rest as you can to fake data. Maybe let it sit in that state for a couple of weeks. Then delete your account.
Dibya Chakravorty's "How to clean your digital identity" - Put tape over the webcam on your laptop.
Or software:
Kioskea's "Windows 8.1 - Prevent apps from using your webcam or microphone?" - Turn off the microphone on your laptop or smartphone.
Maybe put a dummy plug into the external microphone jack.
Tape over the built-in microphone opening doesn't really work.
Or software:
Alan Henry's "How to Stop Web Sites from Potentially Listening to Your Microphone" (Chrome only)
Jignesh Padhiyar's "How to Find and Prevent Apps from Accessing Your iPhone's Microphone in iOS 7"
Kioskea's "Windows 8.1 - Prevent apps from using your webcam or microphone?" - Know the features of your devices.
Does your TV have a microphone, a camera, Wi-Fi, a wired internet connection ? Does your printer do Wi-Fi ? What connectivity does your car have ? Is your phone sharing photos to your Google or Apple account ? What EXIF data is in the photos your phone creates ? - Turn off features you don't use.
Don't use Bluetooth, NFC, infrared, Cortana, Siri, location/GPS services ? Turn them off completely, at the OS level. Don't use some old applications ? Uninstall them, or turn off their update background services. - Deleting browser history really does nothing for your privacy, unless someone steals your computer and looks at your history.
Bracelet - Anything you store on a server may reduce your privacy. Your contact list in email, buddy list on instant messaging, Friends list on Facebook, etc. Any emails in your Inbox, or saved long-term in a "folder" within your email service. Okay, email or IM or Facebook won't function without those contact lists. But maybe you shouldn't use your email as a data store.
- You have few rights to anything you store on or do with company computers or networks. Don't use them for private things.
Kashmir Hill's "How To Tell If Your Boss Is Spying On You" - Maybe turn off location-monitoring services and apps in your smart-phone and browser. But your cell-phone company will always know where your phone is, if it's turned on, or maybe even if it just has a battery in it.
- There are more-aggressive things you can do, but I think the cost/inconvenience is too high for the benefit, in most cases. (And some of them require your friends to use the same applications, or adapt to your behavior.) Tor browser, run Linux (because you don't trust Microsoft or Apple), multiple throwaway email accounts, proxy servers, encryption everywhere, prepaid throwaway phones, email and VoIP services and social networks specifically designed to be more private, run your own email server, etc.
Peter Bright and Dan Goodin's "Encrypted e-mail: How much annoyance will you tolerate to keep the NSA away?"
Jody Ribton's "The Hostile Email Landscape" - Your friends and relatives are a threat to your privacy. They may post about you on social networks, put pictures of you online, mention you in emails.
- There is no such thing as total privacy, or perfect security. If the government or a spy agency or law enforcement really wants to get your data, they can get it.
Paul Bischoff's "75+ free tools to protect your privacy online"
Fried's "The Ultimate Guide to Online Privacy"
Noah Kelley's "A DIY Guide to Feminist Cybersecurity"
Privacy Alert's "Internet and software privacy"
Privacy Alert's "Data broker opt-out"
xkcd's "Security"
Smartphones: Android, iPhone, etc
- Many apps harvest data from your Contacts list. Maybe keep only essential contacts in there, not everybody. And for those contacts, keep only essential data (name and phone number) in there.
- Some apps demand a huge list of permissions, to everything in your phone. Maybe don't install those apps; access the services through a browser instead. For example, use m.facebook.com or mbasic.facebook.com through a browser instead of the Facebook app.
- Permission-controlling add-on: XPrivacy
- Privacy blocker for your Android smart-phone, to control what info other apps can see: xeudoxus.
- There are claims that some apps may listen to you through the phone's microphone, even when you're not using the app.
- Similarly, I would keep the phone's camera pointed at something uninteresting when you're not using the phone.
- Older versions of Android give less control over app permissions. So upgrade the version (which may require getting a new phone, or rooting your phone).
Facebook:
Facebook is a special case, because they know so much about you, and they have code on many other web sites, and they buy data about you from other services.
- On phones, the Facebook app requires a huge set of permissions, and certainly harvests your Contacts list. Use m.facebook.com or mbasic.facebook.com through a browser instead of installing the Facebook app.
- Don't fill in all of those "profile" fields. Why tell Facebook where you've worked, where you went to school, who your family members are ?
- In the browser, use blockers such as:
Facebook Disconnect
FacebookBlocker
Wallflower (similar to FacebookBlocker ?)
How do companies justify selling your information ?
- They are giving you a great free service, and they need to make money to keep it going.
- With more info, they can give you more relevant ads and news items and pointers to new Friends.
- They give you lots of ways to control the privacy/selling of your info.
[But sometimes have been caught cheating on this.] - You agreed to it when you signed up for the service. And you could stop using their service and close your account.
- They sell your info in general/aggregate, not your specific name, address, phone number, etc.
Privacy In General
Why should I care about privacy ? I have nothing to hide.
From HFTI:
Privacy isn't about hiding something. It's about being able to control how we present ourselves to the world. It is the right to keep things to yourself. It's about personal dignity.
Suppose you do some searches about cancer, or diabetes, or alcoholism. Do you want that info popping up the next time you apply for health insurance or car insurance or a job ? Even if you don't have cancer, diabetes, or an alcohol problem ? Easiest for the company to just deny you the insurance or the job, rather than investigate or take a risk.
Dilbert
Suppose you're a woman with an abusive ex-husband, or a creepy ex-boyfriend ? Do you want them to be able to track your location in real-time, or track you even if you move to another city ? Or to know where your new job is, or who many of your friends are ?
Suppose some of your friends or family care much more about their privacy than you do about your privacy. Exposing your info to the world could expose some of their info to the world. It even could affect future generations of your family: suppose you post about some genetic disease you have, and years or decades later this affects your descendants ability to get medical insurance ?
Some people do depend on privacy for their profession, or their life. They work in journalism or activism or investigations. Maybe they live under oppressive regimes, or investigate regimes which have a history of retaliation against opponents, or work in the justice system (where criminals might retaliate against them). If the rest of us don't value our privacy, there will be fewer tools to protect them, too.
From noir_lord on reddit:
Some people (including myself) are not comfortable with a faceless corporation knowing
- What medical problems I have (ever googled a medical problem for yourself or someone else?).
- Who my contacts are (if you use their webmail) and what we are discussing.
- Tracking just about every page you visit.
- Build up a remarkably accurate profile of who you are and your life.
- What videos you watch.
- What topics you are interested in.
Now each of those on its own is somewhat unsettling, but when you combine all that together and then you don't really know how your data is handled now and how it might be handled in the future, then it starts to get really unsettling.
The thing with all this data is that it just accumulates, and over time the companies can really build up an accurate profile of you, and that is just f***ing creepy.
From Daniel J. Solove's "Why Privacy Matters Even if You Have 'Nothing to Hide'":
Some responses to the "I've got nothing to hide; you have something to hide only if you're doing something wrong" argument:
- Do you have curtains ? Why ?
- Can I see your credit-card bills for the last year ? Why not ?
- I don't need to justify my position. You need to justify yours. Come back with a warrant.
- I don't have anything to hide. But I don't have anything I feel like showing you, either.
- If you have nothing to hide, then you don't have a life.
- It's not about having anything to hide, it's about things not being anyone else's business.
- You are willing to let me photograph you naked ?
... the nothing-to-hide argument stems from a faulty "premise that privacy is about hiding a wrong." Surveillance, for example, can inhibit such lawful activities as free speech, free association, and other First Amendment rights essential for democracy.
...
Another potential problem ... is one I call exclusion. Exclusion occurs when people are prevented from having knowledge about how information about them is being used, and when they are barred from accessing and correcting errors in that data.
...
Yet another problem ... is distortion. Although personal information can reveal quite a lot about people's personalities and activities, it often fails to reflect the whole person. It can paint a distorted picture [and that can have consequences].
...
What if the government mistakenly determines that based on your pattern of activities, you're likely to engage in a criminal act? What if it denies you the right to fly? What if the government thinks your financial transactions look odd - even if you've done nothing wrong - and freezes your accounts? What if the government doesn't protect your information with adequate security, and an identity thief obtains it and uses it to defraud you? Even if you have nothing to hide, the government can cause you a lot of harm.
Reasons someone might want to attack you:
- Your info (personal data, credit card info, etc) can be sold for money.
- Your internet-connected computer can be used as an agent in a bot-net (to send spam or attack other computers).
Srikrishna Sekhar's "Why worry about privacy?"
Ruth Coustick-Deal's "Responding to 'Nothing to hide, Nothing to fear'"
Patrick Allan's "Why Your Privacy Matters, Even If You're Not 'Doing Anything Wrong'"
New Yorker cartoon
Another way to look at it: will anyone ever develop a grudge against you, and look for ammunition against you ? Ways to embarrass you, or harass you ? Perhaps you'll get involved in a divorce, get in a dispute with a neighbor, get in a feud with a coworker. Or some idiot on the internet might come after you. How much information do you want to make available to them ?
From someone on reddit 1/2014:
As an employer I run every name and email address I am given by a potential hire through Google and Facebook. I look at everything public to make sure there isn't something completely f**king insane.
Things I don't do: I don't hold what their friends say against them. I don't Friend them or try to look at things that are private. I don't hold it against them if they don't have an account or I can't find it.
I do look at public photos and statuses. I don't care if they go to parties. I do care if they skip work to do so or because of it.
So far I'd say 80% of the applicants are fine. But in that other 20% I have found obvious racists, people who actively hate gays, people who play games every working minute (while at work).
Funniest was someone who had set their account to public and constantly complains about being at work FROM work and asked friends to come by and visit and talk, at a job where that was not appropriate.
For people who apply as interns, I let their school know to have them remind the student to lock down their account. For people who apply for real jobs, I don't say a word.
Some people say: Innocent people have nothing to fear from government spying.
I'd certainly feel uncomfortable and creeped-out if someone followed me around all day, videotaping everything I did, documenting every place I went and everything I did, watching me. Should it be okay for the govt to do this ?
Why was protection from unreasonable search put in the Bill of Rights (4th Amendment) ? It fits this situation exactly: govt is supposed to have a good reason for invading your privacy.
Some huge government investigations have targeted and ruined the lives of innocent people: the McCarthy hearings, the Atlanta Olympics bombing (Richard Jewell was innocent), and the anthrax attacks (Steven Hatfill was innocent) come to mind.
Government powers have been used to target people with unpopular views, or journalists reporting news that politicians didn't want reported: FBI under Hoover, Nixon's enemies list.
Wikipedia's "COINTELPRO"
My response to someone who asked "Why is this NSA scandal such a big deal ? I'm not doing anything illegal.":
Some reasons:
1- NSA scandal is just one symptom of a bigger issue: govt checks and balances have broken down. Intelligence spending and activities are out of control, military spending is out of control, citizens got panicked by 9/11 and let govt take major new powers and now govt is out of our control.
2- NSA is just one point along a spectrum of threats to you. It is the least likely but most powerful threat. It points out that you are vulnerable to scammers, stalkers, eavesdroppers, online criminals, etc. It reveals that our online security and privacy tools and laws are weak.
3- Technology, and the threats from it, will only get more powerful and more invasive in the future. Insurance companies and advertisers and your wacky neighbor will all get more powerful tools to threaten your privacy.
4- Things you do that aren't illegal still may be private. Why do you have curtains on your windows ? Why do you close the door when you go to the bathroom ? Would you mind if someone published your tax returns, your salary and net worth numbers, your credit-card statements, your bank account statements, your medical records ? Why ? You're not doing anything illegal.
Future threats to privacy will be greater:
From Intelensprotient on reddit:
... you do not need to be registered with Facebook for them to make a profile for you. Once you have visited any page that is affiliated with them, they will create a file about you and collect each and every visit to every site that has a "Like" button or a Facebook plugin. The amount of data collected this way can be tremendous, which few people realize. Google is even more extreme, as they collect data from every place that has AdSense, Analytics and similar services, which basically covers almost everything the average person visits. Those services may not always be as obvious as a "Like" button - for instance, some are implemented by displaying a single transparent pixel image.
...
You cannot know what kind of surveillance methods and laws will be implemented in the future. Already, biometric information gathering such as the identification of people from video recordings is becoming more and more successful, even prompting for the EU to begin implementing a system that can link people in public places to their Facebook pages and other photographs. Similar plans are implemented by the US. Other technologies include public voice surveillance, supervision of vehicle movement or behavioral analysis in public spaces. All this data can and will be linked and combined with what is collected about you online.
...
...
You cannot know what kind of surveillance methods and laws will be implemented in the future. Already, biometric information gathering such as the identification of people from video recordings is becoming more and more successful, even prompting for the EU to begin implementing a system that can link people in public places to their Facebook pages and other photographs. Similar plans are implemented by the US. Other technologies include public voice surveillance, supervision of vehicle movement or behavioral analysis in public spaces. All this data can and will be linked and combined with what is collected about you online.
...
More about the future: new technologies such as Google Glass and face-recognition and license-plate-recognition and CCTV will connect your "real" life and your online life more tightly, and in real-time. Facebook, law enforcement, even big retail stores are starting to do facial recognition. Things you do in public without giving your name, or giving fake data, and using cash, may still be connected back to your personal info. What you do online won't stay only online; what you do offline won't stay only offline.
Michelle Starr's "Facial recognition app matches strangers to online profiles"
George Dvorsky's "How Your Body's Unique Biosignatures Are Used for Surveillance"
In the future, CCTV and consumer cameras only will get better and better. In public, or through your window, cameras may be able to read the screen on your phone, hear your conversation from a distance, photograph you in infrared at night. One of the first users of this is the police force that brought us "stop and frisk": Joe Coscarelli's "The NYPD's Domain Awareness System Is Watching You".
And "The Internet Of Things" is coming: your own devices (car, house, refrigerator, toilet, etc) will make more and more data available, and some of that could be used to reveal your activities.
Another hint about where tech may go in the future: scanning your face and posture and movements to diagnose your health: Ben Amirault's "Diagnosing depression with facial recognition technology". Maybe a good thing in a doctor's office. Maybe a bad thing when a retailer is doing it and selling the data to insurance companies.
Some ideas gleaned mostly from lifehacker's "How You're Unknowingly Embarrassing Yourself Online (and How to Stop)":
- Many things people post about may be technically illegal. They may be rarely caught or prosecuted. But bragging about them online creates a permanent record, and who knows what authority might see them someday and decide to act ? Posting about downloading movies or music for free, about how drunk you were when you drove home last night, about how you got back at your Ex by doing some nasty prank.
- Someone researching you in the future may not like what they find. A potential employer, a potential mate, an insurance company. How will they react when they see you complaining bitterly about your current boss, bragging about how many one-night stands you have, how much you drank or smoked last weekend ? And they may not distinguish between 18-year-old you and 28-year-old you.
- People who have sensitive jobs, or may ever find themselves in sensitive jobs, have to be especially careful. Teacher, politician, priest, banker, reporter, law enforcement, any bonded job (bank guard, cashier, treasurer, etc). Teachers have been fired for online pictures of them doing things that are deemed bad examples to students.
- All of the online world carries risks; it's not just a problem with social networks such as Facebook. If you comment on YouTube or newspaper sites or blogs, you might be identifiable. Using pseudonyms can help avoid this, but may not avoid it completely.
- Risks come from your friends and their behavior, too. If a friend or someone else at the same party posts a party-video or party-pictures, and you're tagged on it, or identifiable in it, you may have a problem. Suppose one of your friends Photoshops your face onto a picture of someone doing something obscene, and the resulting image gets out into public ?
- Some posts can violate rules at your current job, or even violate SEC regulations. Or just massively irritate your boss or coworkers.
Will Oremus's "Of Course Colleges Are Reading Kids' Tweets and Facebook Posts"
Katie Lobosco's "Facebook friends could change your credit score"
Karl Bode's "Banks Now Eyeing Cell Phone Metadata To Determine Your Loan Risk"
Ralph Nader's "Corporate espionage undermines democracy"
Yasha Levine's "What Surveillance Valley knows about you"
Justin Jouvenal's "The new way police are surveilling you: Calculating your threat 'score'"
Brett Thomas's "Online Porn Could Be The Next Big Privacy Scandal"
Grady Johnson's "With New Medical Technologies, Opting Out May No Longer Be an Option"
David Auerbach's "We Can't Control What Big Data Knows About Us. Big Data Can't Control It Either."
Cindy Cohn and Trevor Timm's "Busting Eight Common Excuses for NSA Mass Surveillance"
Ben Amirault's "Diagnosing depression with facial recognition technology"
Thor Benson's "We Need to Regulate Technology That Can Detect Your Emotions"
Yaniv J Turgeman and Eric Alm and Carlo Ratti's "Smart toilets and sewer sensors are coming"
Brendan I. Koerne's "Your Relative's DNA Could Turn You Into a Suspect"
Rick Falkvinge's "What's Privacy Good For, Anyway?"
Neil J. Rubenking's "5 Ways Identity Theft Can Ruin Your Life"
Some societal nuances to privacy:
- Our goal as a society shouldn't be total privacy for citizens. Should your neighbor be guaranteed total privacy as he abuses his wife and children, or brews up anthrax or meth in his garage ?
- Of course the government needs to spy, on foreign citizens and foreign leaders and domestic citizens. It helps prevent wars and terrorist attacks, and helps defend against espionage from foreign sources. In some cases, it may defend against crime and commercial espionage. Sure, often the effectiveness is exaggerated and the costs (in money, and to our privacy) are not examined. And today in USA we don't have proper controls and transparency. We need to find the appropriate balance. But the spying has always happened and there are good reasons for it.
A technical issue: it's not clear that NSA can separate "domestic" and "foreign" any more, even if it wanted to. It is estimated that 90% of all internet traffic passes through US servers. US companies have servers all over the world. There are plenty of foreign visitors, temporary residents, and illegal aliens or illegal immigrants inside the USA at all times. Many US citizens routinely reside or travel overseas. US citizens or residents have traveled to foreign countries to join terrorist groups or be trained by them. US citizens or residents have sent money or information to foreign terrorists. US citizens have committed terrorist acts inside USA, motivated by foreign or domestic agendas.
Some say that the costs of the spying outweigh the costs of terrorism. I agree that the costs of spying (our privacy, our rights, money, reputation) are large. But the cost of terrorism shouldn't be judged solely by past events, bad as they were. The future of top-level terrorism is in bio-technology. A major bio-attack could kill hundreds of millions of people. I don't know if it will happen, or when it will happen, but you can't judge costs just by the past. Better arguments: spying usually doesn't stop terrorism, other risks (homicide, drunk driving, disease) are greater, perhaps we should address the causes of terrorism.
Spirit of the law
The Onion's "President Curbing NSA Spying" - Even if we develop tools to give each person total control over their private data, this may not result in "total privacy". Each individual may find it in their self-interest to give away some of that data to Facebook, Google, and other companies in exchange for services. And in fact that is what happens today in many cases: we voluntarily give away some measure of our data, to get benefits. But there are other cases where our data is taken against our will, or without our knowledge. Better tools and laws can address that issue.
- There is societal pressure to reduce your privacy. If all of your family and friends are on Facebook, they will ask "Why aren't you on Facebook too ?" They will make announcements or post pictures only on Facebook, and if you aren't on there, you will miss out. If you refuse to provide certain info that everyone else provides, insurance companies or others may refuse to deal with you. If you refuse to answer police questions that most people answer routinely, you may find yourself given extra scrutiny.
My response to an article saying "Google and Facebook and Twitter have not created new products that stand alone like a car or a new house; they have created things that invade every other aspect of the economy and our culture. That is a different level of power.":
I think this is overblown. I could stop using Facebook and Google and Twitter tomorrow, with some effects but not big effects on my life. I can give them false info, give them minimal info, use alternatives to them, do without them.
Government and military and police have the potential to have unavoidable, huge effects on my life. They take some of my money (and give me services) without much choice on my part. Sometimes they cause other people to attack our country. They have access to my tax information, credit info, bank account info, phone records, etc.
Some companies have large physical effects on my life and my health. Fossil-fuel power companies, and other companies that put who-knows-what into the air I breathe and the food and drink I consume.
Other companies have pervasive effects throughout our economy and/or culture. TV networks. Phone companies. Walmart. Exxon.
The two political parties control much of what happens in the government and culture and economy.
Super-rich people could destroy me with lawsuits, or buy laws that affect me severely.
No, I think Facebook and Google and Twitter are pretty low on the list of powerful entities to worry about.
Companies that could have large access to your activities:
- Your OS vendor (especially if they do "telemetry", or server-based voice command processing).
- Your anti-virus vendor.
- Your browser vendor.
- Your browser add-on vendors.
- Your search engine vendor (especially if they do "search suggestions").
- Advertising networks/brokers (if you don't run an ad-blocker).
- Other vendors who have code/data on many different web sites, such as Facebook "Like" button, or Flash add-on (if you don't run blockers).
- Your router vendor.
- Your ISP (Internet Service Provider).
- Your DNS (Domain Name Service) provider.
- Your email provider.
- Your phone service provider.
- Your phone OS provider.
- On older versions of Android, vendor for any of your installed phone apps.
Some ways technology is stretching old notions of privacy:
Technology makes possible:
- Constant, multimedia surveillance of people.
- Connecting together various flows of information about a person.
- Publishing that information globally.
- Storing that information publicly forever.
Key data you might want to keep private:
- Your name.
- Your physical address.
- Your email address.
- Your credit card info.
- Your phone number.
- Your picture.
- Your activity.
Jay Stanley's "Plenty to Hide"
John C. Dvorak's "On Privacy: It's Not What I'm Hiding (Or Not Hiding) That Matters"
Evgeny Morozov's "Your Social Networking Credit Score"
The Economist's "Lenders are turning to social media to assess borrowers"
Sarah Kessler's "Think You Can Live Offline Without Being Tracked? Here's What It Takes"
This Modern World's "Sensible Thinkers Think About Leaks"
Kashmir Hill's "10 Incredibly Simple Things You Should Be Doing To Protect Your Privacy"
Dave Greenbaum's "New Tax Fraud Scam Reminds Us: Protect Your Social Security Number"
Wired How-To Wiki's "Protect Your Data During U.S. Border Searches"
EFF's "Digital Privacy at the U.S. Border: Protecting the Data On Your Devices and In the Cloud"
Evan Dashevsky's "Admit It, You Don't Care About Digital Privacy"
The law (in USA):
[Mostly from Daniel Zwerdling's "Your Digital Trail: Does The Fourth Amendment Protect Us?"]
Two legal ways the govt or others can get your data:
- Warrant: requires "probable cause"; has to be signed by a judge.
- Subpoena: requires "relevant to an investigation"; can be signed by a prosecutor, some other govt agents, in some states even by a lawyer (such as in divorce case).
But location of your data matters:
- In your home: requires a warrant.
- If it's shared with someone else (web company, phone company, your bank, your credit-card company, etc): either subpoena or warrant. There may be even lower standards if the data has been on there more than 6 months, so is considered "abandoned" by the law (1986 Electronic Communications Privacy Act).
But there are other standards. For example, once NSA collects masses of phone-metadata, it isn't supposed to search within it and use pieces of it without a "reasonable, articulable suspicion" (RAS) that it is related to terrorism. [from Ryan Lizza's "State of Deception"]
And your cell-phone data may get swept up with that of criminals, with each phone company applying its own rules about what data is given to police. [from David Kravets's "Cops and Feds Routinely 'Dump' Cell Towers to Track Everyone Nearby"]
Online Security
- Connection security:
Use encryption on your connection: encrypted Wi-Fi, HTTPS web sites, VPN.
EFF's "HTTPS Everywhere" browser extension
UIC-ACCC's "How can I secure my internet connection?"
Alan Henry's "Why You Should Start Using a VPN (and How to Choose the Best One for Your Needs)"
That One Privacy Site (VPN and email comparisons)
wikiHow's "How to Secure Your Wireless Home Network"
Eric Griffith's "12 Ways to Secure Your Wi-Fi Network"
Lifehacker's "Top 10 Ways to Stay Safe On Public Wi-Fi Networks"
Smart Home Gear Guide's "17 Lockdown Strategies To Secure Your WiFi Network From Hackers"
Who's On My Wifi (free app to scan your network)
But: Nick Mediati's "The EFF wants to improve your privacy by making your Wi-Fi public" - Password security:
Use the password and security features of your device and software; many people don't even bother to set a password !
Use a password manager:
Don't let Windows store passwords and apply them automatically. If someone cracked your Windows password, they would get automatic access to those things. I set my backup application to not "remember" me, so I have to log in to it manually every time I run it. If you have an encrypted external hard disk, don't let Windows hold the password and apply it automatically (auto-unlock); you should type it in manually each time you plug in the disk drive.
Passwords, from article by Jacob Bernstein in The New York Times, June 24 2012:
... it is less clear to cybersecurity experts that having a password with extra numbers or special characters actually makes customers safer.
"People's choice of passwords is not the real problem today", said Dr. Joseph Bonneau, a University of Cambridge researcher who studies cyber security. "The real problem is typing in passwords to the wrong Web site, which is stealing them."
So why are Web sites suddenly requiring users to add special characters or numbers ? "It's security theater", Dr. Bonneau said. "So people feel safe. It makes the Web sites seem like they're taking things more seriously, when in fact most of them have no control if you have malware. In absence of a way to tackle bigger problems, it's easy to add restrictions. They don't want to seem less secure than competitors."
Two-factor authentication:
Dan Goodin's "'Severe' password manager attacks steal digital keys and data en masse"
Martin Vigo's "Even the LastPass Will be Stolen, Deal with It!" - Use fake data as answers to the "security questions".
If you give fake data as your mother's maiden name, town where you were born, etc, no attacker can look that up somewhere and know what answer to give. Of course, you have to write down those answers yourself. - Computer security:
Run the newest or newest-but-one version of your operating system, and turn on auto-updating. - Anti-virus software:
Install it, set it to update automatically, run a full scan every now and then.
Things that loosely fall into this category:- Anti-virus protection.
- Malware removal (such as Malwarebytes, Spybot ).
- Firewall.
- Crapware or bloatware removal (such as PC Decrapifier, Should I Remove It?, Slim Computer, AdwCleaner ).
- Slow-down diagnostics (such as Soluto ).
I use AVG (free) and Malwarebytes (free).
If you use Adblock Plus, you can then install a malware site filter.
Aurelian Neagu's "10 Warning Signs That Your Computer is Malware Infected"
/r/techsupport's "Official Malware Removal Guide" - Browser:
Set your browser to update automatically; browsers contain security features that should be kept up to date.
Enable security features in your browser: IE's "SmartScreen Filter", Firefox's Options/Security tab, Chrome's "Enable phishing and malware protection", Opera's "Enable Fraud Prevention". - Use an "ad-blocker" add-on in your browser to protect against ads that contain malware (malvertising).
uBlock Origin (get from here ?)
Adblock Plus - Turn off the computer:
When not using the computer, turn it off, so attacks can't get in.
Maybe put critical data on a thumb-drive or external drive, and only mount that drive for brief periods when you need to use that data. - Application-level encryption:
For communication apps, person at other end has to use same software.
Browser add-ons:
Encrypted Communication (Firefox only; encrypt/decrypt blocks of text in web pages or docs)
SafeGmail (GMail only; Chrome only)
Encipher.it (Chrome add-on, or client app; encrypt/decrypt blocks of text in any web page)
Other solutions require you (and person at other end) to change email providers or use different applications. Not feasible, in my opinion.
We need transparent encryption of email:
Secure messaging (text, chat, voice, video): - Keep account security info up-to-date:
If your bank or credit card company sends you a security alert, but they send it to your old email address or old postal address, it doesn't do any good.
If you never receive routine communications or verifications from your account at some company, figure out why and fix it, don't let it slide. - Monitor your accounts for evidence of problems:
Check the activity in your credit card and bank accounts every week or two. Check your credit record annually (free), or use a credit-monitoring service. Maybe use an identity-theft warning service. Maybe freeze your credit (a "credit freeze" or "security freeze"; usually free to apply and $5 to remove) or institute a fraud alert (free, but not as good).
Kristin Wong's "Keep Your Identity Secure With a Credit Freeze or Fraud Alert"
FTC's "Credit Freeze FAQs" - Be smart:
Be aware of security threats, and don't fall for them. Know how to recognize spam, scams, phishing attempts. False alerts that say "something is wrong with your computer, better run this scanning software right away !". Be especially careful when downloading and installing software.
Max Eddy's "How To Protect Yourself From Social Engineering"
Alan Henry's "Why Social Engineering Should Be Your Biggest Security Concern"
IC3's "Internet Crime Prevention Tips"
If someone says "I got a strange email from you, your account must be hacked !":This does not necessarily mean someone has been "hacked". Perhaps some software scanned Facebook, found that A and B are Friends, and found A's email address in A's Facebook profile. Then a scammer sends an email to A, claiming to be from B.
One way to check: A's email client may have a "show details" button or link, where you can see the actual email address the email originated from. It probably isn't B's email address, even though the displayed "from" name is "B".
And of course scams are not just online, they also can come via phone or snail-mail or in person.
Alan Henry's "Five Common Scams Directed at Seniors (and How to Avoid Them)"
But this is a major problem for Android smartphones: on older phones, you can't update the OS to a later version, maybe unless you "install a custom ROM". Android's update mechanism is somewhat broken, because phone vendors have no incentive to test and provide updates.
Kashmir Hill's "10 Incredibly Simple Things You Should Be Doing To Protect Your Privacy"
Andrew Cunningham's "A beginner's guide to beefing up your privacy and security online"
Haelan Man's "Digital Wellness? How I Found Peace of Mind in My Digital Life."
Kashmir Hill's "Journalist Invited Hackers To Hack Him. Learn From The Mistakes."
Adam Clark Estes' "How to Encrypt Everything"
Justin Carroll's "Thirty-Day Security Challenge"
Filippo Valsorda's "I'm throwing in the towel on PGP, and I work in security"
Fried's "The Ultimate Guide to Online Privacy"
Andy Greenberg's "How To Bust Your Boss Or Loved One For Installing Spyware On Your Phone"
Theft recovery software
Products:
- Prey:
Free.
Will not survive a reformat-and-OS-reinstall by a thief. - LoJack / Absolute / Computrace:
$20 to $40 per year.
Will survive a reformat-and-OS-reinstall by a thief, if they re-install the same kind of OS you were using. If you're using Windows and the thief installs Linux, LoJack won't work. - GadgetTrak:
$20 per year.
Will not survive a reformat-and-OS-reinstall by a thief. [Have to confirm this.] - LocateMyLaptop:
Windows-only.
Free if just using location-display feature; $33/year or $3/month if using data-delete, multiple laptops, recovery assistance service.
Will not survive a reformat-and-OS-reinstall by a thief. - Undercover:
Mac-only.
Can't find the price on their web site. - Smart-phone apps:
iPhone has tracking/wiping features via Apple's "cloud": "Find My iPhone" app(also see Max Eddy's "What To Do When Your iPhone is Stolen").
Android has apps AndroidLost and Cerberus, and new Android Device Manager from Google (also see Max Eddy's "What To Do When Your Android Phone is Stolen" and Lincoln Spector's "Protect your Android phone from loss or theft" ).
Lookout is available for both Android and iPhone.
One note: if someone (a hacker or ex-spouse) finds out your theft-recovery password, they might be able to tell the software to delete all of your data, even though your device hasn't been stolen !
Password / login issues:
All of these theft-recovery products work by your computer sending "here I am" messages over the internet to a central site. But a computer running Windows 7 Home can't access the internet until the user has logged in to Windows. So the thief has to be able to get past the BIOS/firmware password prompt and the Windows password prompt.
There are three ways this could happen:
1- you always use your laptop with no passwords set, or
2- you have passwords set, but the thief resets the BIOS password and OS password (it can be done), and then logs in, or
3- you have passwords set, but the thief resets the BIOS password (it can be done), reformats the hard disk, installs a new OS, and then logs in.
In case (1) or (2), obviously a thief or casual snoop can log in right away, and read all of your files. Unacceptable.
Under Windows 7 Home Premium, there is no way to have a Guest account that can log in but then be unable to read files.
In case (3), a few of these theft-recovery products can survive the reformat/re-install and be capable of reporting their location when the thief eventually logs in and connects to the internet.
Case (2) or (3) represents a sophisticated thief; they could just pull out the hard disk and attach it to another PC, so they could read your files that way. Unless you're using some special full-disk-encryption product.
And case (2) or (3), the sophisticated thief, probably would be aware of the existence of theft-recovery products.
So it seems to me that this is a Catch-22 situation: these theft-recovery products work best in case (1), but that's the case where you've left your data most vulnerable to a naive thief or casual snoop. And in case (2) or (3), nothing protects you very much from a sophisticated thief.
I believe Linux and Mac systems are slightly better than Windows in that: once the OS password prompt is displayed, the machine can connect to the internet, even though the thief hasn't logged in to the OS. The thief would still have to get past the BIOS password to get to this point. So for Linux and Mac, if you set no BIOS password but do have an OS password, the laptop might report its location while the thief is sitting there trying to guess your OS password.
Let's look at fundamentals:
What is important to you ?
What are you trying to protect or prevent ?
- Prevent your device from being stolen.
Solution: physical security (locks, cables, lock-box, etc). - Prevent a thief from reading your data.
Best solution: full-disk encryption, either via hardware (built into the hard drive) or software (such as TrueCrypt or FreeOTFE or PGPdisk or DiskCryptor;Wikipedia's "Comparison of disk encryption software", Martin Brinkmann's "List of TrueCrypt encryption alternatives", Lifehacker's "How to Encrypt and Hide Your Entire Operating System from Prying Eyes", Micah Lee's "Encrypting Your Laptop Like You Mean It", Chris Hoffman's "Why a Windows Password Doesn't Protect Your Data"). The software approach offers several alternatives and gets a bit confusing; hardware encryption is the wave of the future.
But see Dan Goodin's "Western Digital self-encrypting hard drives riddled with security flaws" and Joseph Cox's "Some Popular 'Self Encrypting' Hard Drives Have Really Bad Encryption".
A more limited solution: keep your most critical data in an encrypted text file (perhaps by using NotepadCrypt or something similar). Bitlocker, 7-Zip, AxCrypt also can encrypt individual files or sets of files.
How-To Geek's "How to Encrypt Your Android Phone and Why You Might Want To"
Eric Ravenscraft's "The Essential Android Security Features You Should Enable Right Now"
I encrypted my Android 5 phone via Settings->Security, everything works fine, but it made me change from a 4-numeric PIN to a 6-8-alphanumeric passcode.
On iPhone, just set a passcode and everything gets encrypted automatically ?
Apparently, some smartphones must be jail-broken if you want to encrypt just specific folders, not encrypt or password-protect the whole phone.
Password-lock your device, unless you're using a theft-recovery product that prevents this.
Most of the theft-recovery products listed on this web page give you a "delete" or "shred" capability: when the thief connects to the internet, a command comes from the central site and all data on the hard disk is deleted. This prevents the thief from reading your data. But it works only if the thief connects to internet before trying to read your data, and if they haven't disabled the theft-recovery software somehow.
Whitson Gordon's "How to Break Into a Windows PC (and Prevent It from Happening to You)" - Avoid losing your data.
Best solution: back up your data frequently, and don't keep the backups next to the laptop.
/r/techsupport's "backuptools wiki" - Avoid future losses.
If your device contains account and password info, identity info, info about your family and friends, after a theft you'd have to take steps to avoid further damage. You'd have to change passwords, put out monitoring or alerts to prevent identity theft, contact other people at risk, etc. What else is on the stolen device ? Apps with registration codes or passwords stored in them, email in-box with account and password data, bookmarks ditto, cookies, any data files you use to record accounts and passwords, any BAT or CMD files with account/password in them.
Perhaps now, before any theft, you should evaluate your device. Does it contain sensitive data that really doesn't need to be on there ? Or should that data be encrypted ? Does the browser contain cookies that will give instant access to your email and Facebook accounts ?
After a phone or smart-phone is stolen, if you don't want to try theft-recovery, immediately report the theft to your carrier, to avoid huge call charges. Do it immediately; you are liable for calls made until the time you report the theft, and some gangs will make thousands of dollars of calls as quickly as they can after stealing the phone. Double-check with your carrier to make sure they received and recorded the report of the theft; probably a good idea to call them again and confirm it (article). Maybe report it online, and then call to confirm ? Ask them to send an email confirmation to you. A handset PIN doesn't protect you if the thief moves the SIM to another device. - Get your device back.
Solutions: etch your contact info onto the case of the device, inside and outside. Use the theft-recovery software listed on this web page. Keep a record of make, model, color, and serial numbers. Probably a good idea to have digital pictures of the device, front and back, to give to police.
Display your contact info on the lock screen or login screen or physical label, so if a Good Samaritan finds your device, they can return it to you.
After a theft, report the theft to police, and report the theft to the manufacturer (they'll probably require a copy of the police report). Maybe report it to online databases, such as Stolen-property.com. Put up fliers in the area where it was stolen, offering a reward for return ? Look for it on Craigslist or EBay, maybe in the section for your local area.
Privacy Alert's "Computer hardware privacy"
Mobile phone security:
[Do I have this right ?]
Three things to protect: your data, your device, and access to the service(ability of thief to make calls and run up bills on your account).
- Data:
- If your data is stored on SD card, there's no protection, thief just pops it out and reads it on another device.
[Except some OS versions allow full encryption of data, which would prevent this.
Patrick Nelson's "How to turn on Android encryption today"
iOS: Understanding data protection
Cyrus Farivar's "Apple expands data encryption under iOS 8" ] - If your data is stored in phone's internal memory, having a passcode/PIN set will prevent thief from accessing your data.
[Except there are tools that can unlock a phone and extract data via USB cable ? But some OS versions allow full encryption of data, which would prevent this ?]
- If your data is stored on SD card, there's no protection, thief just pops it out and reads it on another device.
- Device:
Having a passcode/PIN set prevents thief from using your phone, even with another SIM inserted.
[But is there a hardware reset that wipes everything and sets back to defaults ?] - Service:
- If phone has a SIM card, disabling service after the theft is your only protection on access to the service. Having a passcode/PIN set on the device doesn't stop thief from popping out the SIM card and using it in another phone.
But: some SIM cards do have a separate PIN for the card itself. - If phone has no SIM card, having a passcode/PIN set will prevent thief from using the service.
- If phone has a SIM card, disabling service after the theft is your only protection on access to the service. Having a passcode/PIN set on the device doesn't stop thief from popping out the SIM card and using it in another phone.
Recovery issues:
What "location" information do you get once the thief has logged in and connected to the internet ?
You'd get the IP address. Maybe also the Wi-Fi or Ethernet network name ? If your stolen device had a GPS in it, you could get latitude/longitude. If your stolen device connects via cellular data-modem, you could get approximate latitude/longitude. Software could use the list of visible Wi-Fi networks to calculate approximate latitude/longitude.
From the IP address, you could find the ISP's info, and contact them.
If the IP address is specific to a person or house, the identity of the thief is fairly clear.
But if the IP address maps to a public Wi-Fi spot (such as provided by a school or library or McDonald's or Starbucks), or a private house that's running an open Wi-Fi signal, the identity of the thief is unclear.
Most products can use the laptop's webcam to take a picture of the thief, which helps.
The companies selling the commercial theft-recovery products may assist in the tracking and recovery process, helping you follow the IP address, contact law-enforcement, etc.
Some users who had devices stolen report great cooperation from law-enforcement in recovering their property; others report that police were uninterested in helping them. Probably varies from town to town and country to country, and also depends on how much info you can give to the police.
Whitson Gordon's "Can I Track My Laptop or Smartphone After It's Been Stolen?"
Lincoln Spector's "Protect your Android phone from loss or theft"
Hitesh Raj Bhagat & Karan Bajaj's "How to track & recover stolen or lost gadgets"
Patricia Laurie's "How to avoid buying a stolen laptop"
Stolen-property.com
Get Safe Online's "Report a lost or stolen computer"
Max Eddy's "What To Do When Your iPhone is Stolen"
Neil J. Rubenking's "What to Do When You've Been Hacked"
Lincoln Spector's "You've fallen for a scam! Now what?"
Patrick Allan's "What to Do When Someone Gets Unauthorized Access to Your Computer"
Nicholas Tufnell's "Naked selfies extracted from 'factory reset' phones"
Melanie Pinola's "What Should I Do If My Credit Card Gets Hacked?"
Alan Henry's "What To Do If Your Social Security Number Has Been Stolen in a Hack"
FTC's "IdentityTheft.gov" (what to do in case of identity theft)
Miscellaneous
TL;DR about computer privacy, security and safety:
- Set passwords on your devices. Even the same 4-digit PIN on all of your devices; some password is better than no password.
- Write email address on outsides of your devices, so if they're lost, someone can return them to you.
- Make backups of your important data. Maybe using an encrypted external disk drive (such as WD 1 TB hard drive ($60 on Amazon
)) or a free cloud service (such as IDrive).
- Keep your software updated. Turn on auto-update where possible.
- Install an anti-virus program (such as AVG).
- Don't put really private stuff on electronic devices or on the internet.
- Use a password manager (such as KeePass) so you can use strong passwords without having to memorize all of them.
- Don't worry about the NSA or the Russians spying on you. Worry about you accidentally deleting something important, or your hard disk crashing, or you losing your phone, or someone stealing it.
Anticipate problems:
Maintain a secondary email account, preferably on a different provider from your primary email. If something happens to your primary, you can use the secondary to send critical messages until you fix the primary.
Don't ignore the account-recovery settings on your accounts, or put bad data in there. Sure, you'd rather not let Google or Yahoo or Facebook know your phone number or your second email address. But that information can save you if their security triggers get pulled for some reason. You travel, you try to access your email, you get "hey, we see a login attempt from a known-dangerous country, we're turning off account access until you give us the code we're SMSing to your phone or emailing to your other account". Better hope you've kept the account-recovery options up-to-date.
From DrStephenPoop on reddit:
> BACK UP YOUR DATA
And not just what's on your hard drive.
Do not trust the cloud!
Google recently ended my account for an unidentified TOS violation. I am not sure what I did. I just logged into gmail one day and instead of an inbox I saw a message saying my account had been disabled. I lost:
8 years of email contacts
6 years of favorited YouTube videos
About a dozen videos I made with my brother that were uploaded to YouTube.
All my Drive/Doc files including original writing.
My passwords to several sites, including banking and insurance sites.
Three albums I had purchased from Google Play.
Here's the kicker: I was a google believer. I am one of the 5 or so non-developers who actually owns a first generation Chromebook. I believed in the cloud!
Use and enjoy Google's services, but do NOT rely on them. Even though you buy their computers and purchase music from them, you are STILL not the consumer with google. You are the product (sold to advertisers). So when you are shut out from their garden, you have no customer service to appeal to, or to even find out why you got tossed. You might as well be staring at an angel with a flaming sword, wondering where your pants are.
> Didn't you contact Support ?
When you get the "your account has been disabled" screen, they give you a link to voice your grievance. After submitting, you get a message that says something to the effect of: "If we find we have reason to contact you, we will contact you."
You can also go the community forums and plead for help. Sometimes someone associated with google will actually say: "I'll have people take a look at this." In all my pleas, I never got a response. That is as far as support goes. You are not a customer. You are the product, and you are merely a commodity. Have you ever heard of "commodity support"?
From someone on reddit:
A few days ago my Facebook account was disabled suddenly and without warning. I've gone through what I thought was a fairly routine appeals process - filled in the form they link you to when you try to log in and included a scan of my photo ID as they requested to prove I'm a real person etc. However, I just received an email from Facebook saying the following:
> ... Upon investigation, we have determined that you
> are ineligible to use Facebook. ... Unfortunately, for
> safety and security reasons, we cannot provide
> additional information as to why your account
> was disabled. This decision is final. ...
This is really bizarre and quite upsetting - it's easy to forget just how much we rely on this service. If I can't get my account reactivated, that's six years of content (and memories) lost, and a huge blow to my ability to keep in contact with some friends and family.
The only possible reason I can think of for my account being disabled is what I was doing at the time - sending some photos to someone through the private messaging system. Some of the photos were (mildly) adult in nature (at her request!) which could be deemed a breach of the Community Standards if you look at it in strict black and white terms ("Facebook has a strict policy against the sharing of pornographic content"). However I can't bring myself to believe that there is someone monitoring private message attachments and instantly banning people if they see boobs. Beyond that, I genuinely can't conceive of a reason as to why my account was singled out for anything.
Any advice would be appreciated as to what I should do next - I am not yet willing to just give up and lose all of that content. I have replied to the email, though I doubt anyone will read it, but beyond that there's really no other contact options I can see, and Googling this problem does not produce much beyond more horror stories like this.
From sugarbreach on reddit:
I am writing this to warn Google users to back up their data, and to realize that everything you take for granted can be taken away in an instant.
About a week ago I attempted to log into my Gmail account and was greeted with a page saying my account was disabled. It says that it was disabled due to a perceived violation of the terms of service and product specific polices. I have read and reread the google terms of service, and I know I haven't done anything to violate them. The only possibility I can think of is that someone may have hacked into my account. I have been an enthusiastic gmail user since it first came out in beta, and you had to be invited to get an account. I have relied on google apps to make my life easier. I have filled in their account recovery form, and even tried calling members of the Gmail team, but have had no luck. I also have posted on the gmail help forum, but an expert there said he contacted google and there was nothing he could do and google wouldn't tell him anything "for privacy reasons".
This has created the ultimate real-life nightmare, and has turned my life upside down, a few examples of which are listed below.
All of my contacts were linked to this account. I now do not have access to emails, phone numbers, addresses, etc.
My google voice telephone number is no longer working. I had this phone number on my business cards and email signature, and now when someone dials the number, they are given an error recording. "We could not complete your call, please try again".
My youtube account with many videos I cherished of my children are now gone.
I have all of my photos backed up to the account for nearly my entire life, as I thought this was the safest place to keep them (the cloud!) I have photos of my beloved grandparents who have since passed away, and the thought that I can no longer access these photos makes me sick. I also have thousands of pictures from vacations and of my children that I fear are gone forever.
A nice chromebook that I purchased to access all of the google apps is now almost useless since my account has been disabled.
I have multiple documents in my google drive that I have spent hours of work on, and can no longer access them.
I placed an enormous amount of faith and trust into google's products and services, as millions of people have worldwide. It is a shame that something this important in someone's life cannot even warrant a response from a live person at Google.
I have been very depressed because my entire life was encased in google's products, and now everything is gone.
Again, I am writing this to warn others that this can happen to anyone at any time, so it would be wise to back up treasured items in your google account. Ironically, google provides the means to do this through their "takeout" app, which I did not learn about until after my account was disabled. If there is anyone out there reading this that can offer any guidance for getting my account reinstated, I would sure appreciate it!
If you lose a cloud account, you can lose stored data, remaining time on a subscription, any accumulated credit or gift cards, network link that makes some device (such as Amazon Echo) work.
Maybe some people don't consider their email to be "cloud data", but it is. If you're saving 10 years of past emails in GMail or Hotmail or something, it may be valuable to you, and it may be used by a hacker if your account gets hacked. It's also hard to back up. I'm a big believer in keeping your email account as close to empty as feasible. Clean it out !
Jon Christian's "Deleting the Family Tree"
DanDeals' "PSA: Don't Mess With The Google!"
Alex Hern's "Pixel phone resellers banned from using Google accounts"
Eric Griffith's "Back Up Your Cloud: How to Download All Your Data"
Adam Dachis's "How to Protect Your Data in the Event of a Webapp Shutdown"
And of course back up your local data, not just your cloud data.
How-To Geek's "What's the Best Way to Back Up My Computer?"
Eric Griffith's "The Beginner's Guide to PC Backup"
/r/techsupport's "backuptools wiki"
From someone on reddit:
The basic methods of "hacking" accounts are:
- You forgot to log out.
- Guess the password. Many people have incredibly simple passwords and guessing can work. Many websites have some kind of measure against repeated guessing (e.g. captchas). I think Facebook's countermeasures are good enough that pure guessing can rarely work on that specific site.
- Find your password in a list of leaked username and passwords. Often when there is a breach of a huge database the list ends up on the Internet and people who want to hack you can search for your name, e-mail and common usernames to see if your password has ever been leaked. If it has they can try that password and it will often work, or sometimes a simple change to your password will work.
- Guessing your secret questions. Often the answers can be learned from just searching your Facebook or other social media accounts, or at least it can be narrowed down to a small list.
- Tricking you into entering your username and Facebook on their website. Maybe they send you an e-mail that claims to be from Facebook and gives you a link that looks to be from facebook where they want you to log in. For example they may say that your account was compromised and that they need you to log in to verify your details. Another common one is that they claim that you've won something, but you just need to log in with your facebook credentials to verify it.
- Calling customer support claiming to be you and asking for a password reset saying that you have lost access to your account and e-mail. This is especially useful if they can find a lot of information about you online so it seems like they're really you. Often a lot of what they ask about has already been leaked in another breach. This can sometimes even get around two-factor authorization.
General security and privacy issues:
Threats:
[Generally from most likely to least likely:]
- Your own actions. (The biggest threat of all. You accidentally post something private in the wrong place, expose a password, mis-configure your device or account, lose your device, accidentally delete your data, trust a scammer.)
- Your family, friends, associates. (They post about you, snoop on you, accidentally leave your house or car unlocked, mis-configure their device, accidentally delete your data, trust a scammer. They expose their Contacts list, which contains your name and email and address and phone number and birthday. They tag you in Facebook photographs, or mention that you were with them at some wild party.)
Your browser history - Your ex-spouse, former friends who now are enemies, former coworkers who you fired or angered. (They may be highly motivated, but probably don't have access or skill to cause high-tech harm. Unless you forgot to change the passwords they know. But they may have private info they could post.
Cyrus Farivar's "If you're a revenge porn victim, consider this free, helpful legal guide") - Your software. Some application or web site you use may be sending your data to somewhere else that you don't know about (some apps harvest your email address book or phone contact list or Friends list). Or storing your data in an unsafe way in a server.
- Corporations selling your meta-data or data to advertisers.
- Corporations reading your data to enforce their contract rights (terms of service) and maybe look for criminal activity.
- Organizations accidentally exposing data you've entrusted to them, through careless practices or by getting hacked.
- Data criminals and hackers. (Identity thieves, credit-card thieves, blackmailers, ransomware, etc. Hackers who want to use your device as part of a botnet. And you may be a special target if you have something valuable on your computer:)Laura Shin's "Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers"
Alex Hernandez's "Chase eATM user has mobile app hacked and loses $3,000" - Casual snoops or thieves. (Although with snooping software, "casual" capabilities are increasing.)
- Law enforcement (recording everyone's activity, such as cell-phone locations and car license plates).
- Internet vigilantes or lynch mobs or public shaming. (E.g. someone decides a picture shows you abusing your dog, and whips up a mob to punish you.)
- Reporters.
- Private investigators and lawyers. (They have some access to government databases and powers.)
- Law enforcement (specifically targeting you).
Jonathan Zdziarski's "Protecting Your Data at a Border Crossing"
Andy Greenber's "A Guide to Getting Past Customs With Your Digital Privacy Intact"
EFF's "Digital Privacy at the U.S. Border: Protecting the Data On Your Devices and In the Cloud" - Foreign government intelligence agency. (Highest technical ability, but no legal authority.)
- Government intelligence agency. (NSA, DHS, etc. Highest technical ability, PLUS legal authority.)
And some people say "trust no one !". Well, I think it is reasonable to trust the CPU chip vendors, and the compiler-writers. I don't see how useful "backdoors" could be built into those things (and I have BS and MS degrees in Computer Science). Trusting the OS vendors is a little more dubious; I guess I trust the basic OS, but maybe not all of the standard apps and services supplied with them. Same for trusting browser vendors.
Of course, if you trust no one, you'll never be able to get anything done. Can't drive my car, because I shouldn't trust the manufacturer. Better not eat anything, because I shouldn't trust the food companies or stores.
Some people say "it's all over, we've lost our privacy, it's done". No, it's an arms race, and right now consumers don't have very good weapons. We need to get convenient, good, routine encryption. We need more sites, applications, and protocols designed with security and privacy as priorities from the foundation up. Maybe "mesh" networking, peer-to-peer systems, distributed systems (SCG's "6 Anti-NSA Technological innovations that May Just Change the World"). We in USA need better regulation of spy agencies, via FISA and Congress. It's not over. You're generating new private data every day; you can protect that. And you can create fake data.
A worrisome trend: intelligence agencies being pressed to use their powers for non-intelligence purposes.
From Alex Hern's "David Cameron: GCHQ will be brought in to tackle child abuse images": "GCHQ [the British intelligence agency] will be brought in to tackle the problem of child abuse material being shared on peer-to-peer networks."
From NSA spokesman quoted in Barton Gellman and Ashkan Soltani's "NSA collects millions of e-mail address books globally": "[The NSA] is focused on discovering and developing intelligence about valid foreign intelligence targets like terrorists, human traffickers and drug smugglers."
Eric Boehm's "Reuters: Law enforcement use info from NSA phone database to go after common criminals"
Conor Friedersdorf's "The NSA's Porn-Surveillance Program: Not Safe for Democracy"
Costs of counter-measures:
- Makes system harder to use. (Extra steps to do things, more software to install and update, etc.)
- Performance penalty. (Encryption takes cycles. Tor and VPNs impose multiple hops.)
- Worse results. (Such as worse search-engine results if you use something other than Google Search.)
- Have to get other people to use it, too. (Biggest problem with using encryption on email, or using a social network optimized for privacy.)
- Can't use some features. (To use Tor browser for best privacy, I think you're advised to disable Flash, Javascript, ads: Seth Rosenblatt's "NSA tracks Google ads to find Tor users". If you turn off location-tracking on your phone, you lose some features.)
- Reduced reliability or recoverability. (If your disk is encrypted, and some key sectors go bad, the whole thing may be toast. There are many recovery tools for non-encrypted disks.)
- Greater dependence on fewer vendors. (If your encryption vendor or encrypted-email service goes bankrupt, what happens ? And if you demand good encryption or privacy above all else, maybe you can't use the most popular and best services.)
- Money and time costs. (For example, some people say you should run your own domain and email server. Sounds like a lot of work.)
Patrick Howell O'Neill's "Dealing with the digital afterlife of a hacker"
General counter-measures:
- Best to do encryption/decryption at the extreme ends of a transaction, not on short segments in the middle. (But even that can be defeated by a keylogger.)
- Peer-to-peer architecture better than central-server architecture. (So no one can grab all of your data by going to one place.)
- Don't put really private or valuable stuff on electronic devices, or on internet. (There is no such thing as total privacy or perfect security.)
How to attack cryptography:
[From hardest to easiest:]
- Find a flaw in the mathematics (extremely unlikely).
- Find a flaw in the algorithm.
- Find a flaw in the crypto software.
- Brute-force password-guessing.
- Find or create a flaw in the surrounding software (operating system, networking, key-logger, etc).
- Find a flaw in the configuration (software not updated, password not set, place where data is not encrypted, etc).
- Human problems (password exposed or easily guessed, social engineering, etc).
- Legal tools (warrant or subpoena to get encryption keys or tap traffic).
Low-tech solutions:
- Put tape over cameras when you're not using them, or have the phone camera facing down onto a desktop.
- Turn off devices when you're not using them.
- Maybe put your phone in a "Faraday bag" when you don't need to receive incoming calls and messages, and don't want the cell company to track you.
- Use encrypted external drives to store really sensitive data, and unplug them when not using them.
- Don't put really critical stuff on networked devices if you don't have to.
- Don't have very sensitive conversations in front of devices with microphones.
- Pay cash for things when possible.
- Shred any trash that has your name, address, phone number, email address, and/or account number on it.
Things that may not increase security and privacy:
- Private browsing in your browser.
This just prevents your activity from being recorded in the History in your browser, so the next person who sits down at your computer and uses your browser won't see a record of your activity. It does nothing to prevent spying on your activity as it travels across the internet. - Full-disk encryption.
This prevents someone from stealing your computer and reading your disk. But once you sit down at your computer and enter the password for the encrypted disk, the decrypted contents of the disk are available to all of the software on your computer. So a virus or malware could access the data on the disk, send it out over the internet, encrypt it for ransom, etc. If you get up and someone else sits down at your computer, they have full access to your data.
Operating systems and environments:
- Windows: large closed-source system with tons of features and modifications, popular target, frequent OS updates.
- IOS and Apple: closed-source system with more closed design, less-popular target, frequent OS updates.
- Linux: open-source system with modifications, less-popular target, less-frequent OS updates.
- Android: closed-source system, popular target, mostly broken OS update system.
Testing your privacy and security:
- Sites such as IPleak.com, BrowserLeaks.com, MAXA's "Privacy Test"
- Have a friend try to find your address, your email address, your Facebook info, etc online.
- Pay a company to test your privacy and security.
New things we need to increase our privacy or security:
- To use when someone (law enforcement) is forcing you to surrender your password:
- Dummy access password: a special password that you enter, and the device or account gives access to only a special "dummy" version of the data.
Known as "plausible deniability encryption" ? Maybe Veracrypt provides something like this on desktop OS's ? Maybe smartphone app "Protect My Privacy" does this ? - Self-destruct password: a special password that you enter, and the device or account wipes itself clean.
(Note: factory reset probably doesn't overwrite all data, just removes pointers to it.) - Limited self-destruct OS password: a special OS login password, and browser cookies and selected files get deleted as you get logged in.
Quincy Larson's "I'll never bring my phone on an international flight again. Neither should you." - Dummy access password: a special password that you enter, and the device or account gives access to only a special "dummy" version of the data.
- End-to-end encryption, running on the client machines, so the service companies (Facebook, email service, etc) can't read our data and can't surrender it to law enforcement.
- A "privacy noise-generator": At random intervals, it would do random searches, page-hits, chats, VOIP calls, pings. Millions of people would run it routinely, and generate traffic that would obscure the patterns of real activity. A government or company trying to analyze our traffic would have a more difficult time separating the real and false data.
[A browser add-on that does a little of this is TrackMeNot. One that clicks all ads (also can be configured to not click): AdNauseam. Also Ruin My Search History.]Thorin Klosowski's "Generating a Bunch Of 'Internet Noise' Isn't Going to Hide Your Browsing Habits"