How to Protect your Privacy -- Personal, Financial, Digital

Or the cost of lobbying against any reform on liability for data storage/handling parties becomes prohibitive.

In some large companies (Google for example) the penalty to mitigate your information from being sold or shared must be in the multi millions. This is the information age. You can do things proactively to minimize your exposure but the reality is every websearch you do, every credit card you use, anywhere you go with a smart phone or any picture you post to facebook can potentially track you; the things you buy, the places you go to, the things you do. As more data becomes compiled across many companies it’s even more susceptible to hacker or data breach. There’s really nothing we as a consumer of society can really do.

Most people don’t care. Data analytics and data capturing is the future and it will be a billion dollar industry. Choose to live off the grid or recognize there will be a lot of data you truly can’t protect and no company is guaranteed to protect it (no bank accounts, smart phone, and cash only purchases anyone? Better stock up on your guns & ammo and food stuffs). Even then it’s only a matter of time before facial recognition software begins to advertise to you walking into a store. You have all seen the sci fi movies and netflix films of the last decade, right?

Edit: I appreciate the OP is about minimizing spam mail, etc, and perhaps this is a de-rail/rant. However, it’s imprtant to recognize the trend for the future. Political play and regulation of some sort must come into the picture eventually, but how many years did it finally take to start taxing internet sales? It’s even farther behind on any kind of legislative enforcement.

We haven’t talked much about online privacy other than email and online ads. There are a few things you can do. Maybe I’ll add it to the wiki.

• Go to Google Privacy settings and opt out of web, search, and location history. Better yet, walk through all the privacy settings of all your online accounts and turn off everything you don’t like.
• Change camera settings to not embed GPS info into photos/videos (and don’t give the camera app permission to access location service). Unless you need an alibi, that is.
• If you want full web privacy, use VPN with a non-fingerprintable browser (with all the javascript and ad blocking).
• Don’t post your face online, don’t let friends tag you, don’t use your real name (and educate your friends).
• Use application firewalls on all devices (zonealarm, no-root-firewall/droidwall, etc) to prevent offline apps from going online.
• Windows10 is a huge piece of shit with built-in tracking and telemetry that’s difficult to disable completely. Disable or avoid if you can. I’m seriously considering finally switching to Linux (especially now that there’s a huge effort to make Windows games playable on Linux).

Not all of those steps will stop all tracking all the time, but they are steps in the right direction.

Not much we can do about Mastercard selling us out, but I believe it is still possible (but not trivial) to disconnect our online presence from our real world identity and render the data useless.

That’s best case scenario. Worst is Enemy of the State and Minority Report.

Also, Gattaca – for the love of the Flying Spaghetti Monster, do not do a DNA test on yourself if you can’t do it anonymously.

Yep, apathy is a huge problem. Ignorance too.

Well said. All my computers remain on Windows 7 which is a wonderful OS. However, 2020 looms. And Windows 10 sucks.

I actually started, back circa 2000, with Linux. I even have Linus’s book, Just for Fun, and enough Linux manuals to choke a horse.

Perhaps, as you suggest, it will soon be time to return home.

Better yet, delete your Google account and use an email provider where you are paying for the product instead of being the product. I use FastMail.

Little Snitch on macOS.

For the same reason, use iOS mobile devices.

A reasonable alternative for non-technical people.

I was contemplating another benefit of using email forwarders (aliases) recently. I realized that most people probably have only one email address, and not only do they use it for their personal email, but also as their User ID / logon for all kinds of accounts, including social media and banking. The User ID should really be treated as a secret the same way as password and secondary backup questions & answers. If you advertise your email address to the world, you’re giving away half of the information required to logon to your other online accounts. You’re also giving someone half of what’s required to get into your inbox, which can cause all kinds of havoc if you use one email address for everything. It would allow the hacker to bypass any multi-factor authentication that sends an email with one-time codes for password resets or for logins from new devices.

Using separate email addresses for all online User IDs and using them exclusively can keep them secret. Even better if those addresses are not fully fledged email accounts, but are forwarders / aliases that just forward the email to another, completely secret address. Even if a hacker obtained your forwarder, they couldn’t login to your email.

The best way to do this is to get your own domain ($10-$15/yr) and web hosting ($3-$10/mo) with unlimited email accounts and forwarders. It’s not easy though.

Agreed. I have my own domain (via Gandi) with email hosted by FastMail. I can create aliases @mydomain or @any of FastMail’s domains. Most of mine are on my domain, but I use aliases @FastMail’s domains for anonymity in some cases.

Also, use U2F 2FA whenever available and disable SMS fallback. FastMail, Google, and Gandi support it. (That’s not meant to be an exhaustive listing.)

If email hosting is the primary purpose, I would definitely suggest using a proper email provider rather than some random shared web host that includes email as a feature (but really just a checkbox on the feature list), unless their email service is actually a G Suite signup (as I recall some hosts doing in the past).

Wiki’d (new word?!) the info from my earlier post on general online privacy.

I read their pricing and it seemed like it was $3-$5/mo per account, so if you have to pay for aliases it’s not very cost effective. Unless an alias isn’t an account and is free…

Wiki’d!

I suppose the following are too obvious for the wiki:

• don’t write your password on a post-it note and stick it on your monitor
• don’t write your PIN on your debit card
• don’t keep your U2F key with your backup key or the devices that need it!

It isn’t really clear from their pricing page, but aliases are not user accounts and are free (up to 600 aliases per account + 15 per user). Aliases are associated with one user account; user accounts are actual separate logins.

• don’t use ‘password’ as your password

I’ll add to the wiki that YubiKeys are the most widely used keys, sort of the industry standard right now. There are others (U2F is a standard, though YubiKeys aren’t just U2F keys), but I’d be cautious.

Quite well thought out … or maybe I think that because I’ve got them covered.
I am not aware of a non-fingerprintable browers. My browser is FF 5x esr (Noscripted) which randomly masquerades as IE, various versions of FF and Netscape. Yet, when I check my fingerprint:

without Javascript - supposedly un-fingerprintable, yet 13.5 bits of info (1 in 12000)
with Javascript - 21 bits of info and 1 in 2.1 million.

Can you share the name of a non-fingerprintable browser?

Thanks.

Along the same vein, I use one browser for surfing places that have non-identifiable or false data. I use a completely separate pc with a different OS and browser for all $ related items. Thus, they may easily fingerprint me, but I’ve already given them the info.

Nope, doesn’t exist. This is more of a wish and an awareness campaign . I hear the Tor Browser actively tries to defend, and the latest version of the most popular browser (Chrome) on the most popular OS (latest Windows) maybe with a common monitor resolution and no custom fonts may result in a very common (i.e. useless) fingerprint.

Apple is trying, though I would be surprised if they actually manage to stop all fingerprinting on the first few tries. (I speak favorably about Apple in this area because this is a case where their business interests align with our privacy interests. Apple realized awhile ago that they weren’t very good at hosted services and the related advertising business model; the pro-privacy stance is their way of differentiating themselves in the market.)

I feel this is a bit of a simplification of the issue of why people are not proactive about all of those things.

First, there is a huge tech awareness/skill barrier. You cannot teach this stuff to my mom. You also cannot set it up for people who don’t get it since a lot of the measures required are on-going diligence (setting up new email addresses for each new user ID online). I’ll admit that I’m in the middle of the pack for tech skills. I’ll change browser settings, I use a VPN, I don’t tag people on social media and ask others to remove my tags when I’m alerted, I use 2FA for important logins, and have separated email accounts into categories (Family account, personal account, serious business account, regular shopping account, work account, associations account (church, PTO, sport clubs, etc), school account, and 3 different junk-spam accounts that I mostly don’t monitor at all. But some stuff like setting up your own domain and webhosting, setting up aliases and forwarders, etc… is beyond me.

Then there is also the scale of the issue. If you have a family of 5 each with email addresses for each of their activities, controlling the privacy settings of the 4 other individuals linked with you increases dramatically the workload of the information “gatekeeper”. You can educate all of them but if only one of them doesn’t care because it’s inconvenient, it’s a bit like the “castle is as strong as its weakest wall” issue.

Also there are direct costs to the privacy (domain+webhosting, VPN) to the privacy protection and many people do not really gauge as directly the costs of NOT preserving their privacy. Plus there are opportunity costs as well to factor in which are even less obvious. Most of my (limited) inbox spam is actually stuff I somewhat requested for the occasional discount or promo that it’ll bring me that I wouldn’t know otherwise. It’s a bit like targeted credit card promo offers. Yes I can save my mailbox from those but now and then, there is a targeted promo that will benefit me that I wouldn’t be able to get if I did not allow them to send me those mailers.

Finally, the benefits are still pretty obscure to most people. If the worst that happens to them is being served somewhat relevant ads, many will be fine with it.

So for a lot of people, there are low-lying fruits that do not take much expertise or effort to setup. There’s really few excuses for not taking those easy steps (aside from the completely tech inept maybe).

But beyond the simple steps, the benefits of extreme privacy settings are not an easy sell compared to the obvious cost in $, expertise, and effort of taking the extra steps. That’s why you don’t see 2FA being more widespread. Even for those people who know that 2FA is better, it’s either costly (using say YubiKeys) or simply it’s inconvenient to have to wait 10 sec for a SMS, then copy and paste that into your login, after you’ve entered login and password. And they just don’t see the benefits because not many have been very badly financially affected by identity theft (yet).

The fingerprinting info is very eye-opening.

I am unique. In all of my browsers. Terrible.

Great test here:

Middle of the pack? You are in the top 1-2% of people if you are using all those security measures.

I remember when you only needed an 8 character password to log in to a website. Now you need a 12 character password with an upper and lowercase letter, number, and punctuation mark plus a one-time-use nine digit code send to you via e-mail or SMS. Tomorrow, you’ll need all that plus a signed letter from your great-great-grandmother and a stool sample. Where does it stop?

I was just looking at the financial websites I regularly log in to and absolutely zero offer the use of a open standard hard or soft token for 2FA. I bet a majority of us are caring around a smartphone with a fingerprint scanner. Logging into a website today really should be just as easy as picking up your smartphone, but it isn’t.

So what are merchants, financial institutions, and their business partners doing to protect customer data besides having us jump through hoops? Hackers are not going to waste their time on us when it is so easy to hack into a database and grab sensitive data on multiple people at once. How do you prevent that?

Privacy and security requires a trade-off between risk, convenience, and cost. I try to balance the importance, complexity, and cost when organizing the bullet points in the wiki.

True, so you just do what you can. Disabling IE in favor of Firefox (or Chrome) with ABP with ad and tracking filters is a must in my book.

Your practices are already very advanced, so I’m sure it’s not beyond your ability. It just may be unnecessarily complex. One advantage I just thought of for rolling your own or paying for email service is that it won’t expire as long as you keep paying. If you have 3 junk-spam accounts that you don’t monitor at some free provider, they could expire (6-9 months is common). Obviously it’s not important for junk, but if you have other accounts that you use as forwarders and never login to them directly, it could be a problem.

Don’t forget the cost of sifting through and deleting / shredding spam. I find that the occasional discount/promo is not worth the time I’d spend looking at the rest. Also in my experience targeted offers are rarely better than other offers I can find online.

Funny, but the tech industry is aware of this problem (it probably affects everyone in the industry more than the general public). Hopefully it stops with hardware tokens like the YubiKey.

It’s a valid point, but I think fingerprint scanners aren’t that common, only present on the more expensive flagship phones. I have a small problem with biometric scanning in general. Cause, you know, the basic fingerprint scanner doesn’t check the finger temperature… (and AFAIK none can check the consciousness of the finger owner). Also fingerprint fingerprinting is worse than browser fingerprinting .

As others have said, you’re not anywhere near the middle of the pack. As for 2FA, it is far from perfect. Brian Krebs has written of several 2FA failures. They were generally high dollar accounts, and partially involved phone company employees, but I can see this becoming more common until the phone companies get a better handle on it.

You’d be amazed at how many people leave the default user/pass combo on their internet facing router. It is only because most routers don’t automatically enable external configuration that tons more of them aren’t compromised.