Things We Can Do

Ok, between privacy issues and cyber security issues what can individuals do? This is an area that is rapidly changing, and other entities are tracking specific aspects more closely that I am, so let me try to point you towards those, and then also identify my take on some of the options

Sources for current recommendations, insight and such (hopefully more current than my take here)

  • Consumer Reports Privacy protection - tool suggestions (browser, search, etc.) and links to related articles/recommendations

  • EFF (electronic Freedom Foundation) -- Privacy topics (lots, also tools & articles) -- Security topics (lots)

  • AARP online security suggestions

Jim's take on a few considerations:

Let me start with an insight provided to me by a security expert a few decades ago -- "the key to security is to make the cost of breaking in higher than the value of the data being protected." Since then the "motive" of the bad-guy affects this equation. Ransomware, encrypting your data on your computer and charging you to recover it, has become a criminal and nation-state game with fairly low cost (using known flaws in operating systems, browsers, applications, etc.) to attack random sites (criminals) or specific sites (others), and hold the data hostage. Identity theft is also a broad based target for financial gains. If you are an employee of a "target of interest", then the value of hacking your accounts goes up (N. Korea going after Sony, Iran/China/Russia going after utilities (gas, electric, refinery, etc.) and trade secrets (military, computational, just about anything). So evaluating the value you hold for any of these types of villains requires some introspection.

  • Keep your software up-to-date --- with likely thousands of zero-day attacks possible, the least you can do is install updates in a timely way. Many of the updates are fixes to known operating system or application flaws. Many of the painful attacks succeed because folks (individuals, corporations, agencies, hospitals, etc.) did not stay current on updates (a non-trivial IT management problem I will add -- an update here can break an application there.) For individuals, "Just Do It".

  • Use multi-phase authentication (phone message, email, whatever) -- if someone is really after you, personally, they can work around this (so really important persons take notice) -- but for most of us, the added layer of protection is worth the extra hassle. In most cases, once your "device" is known, you won't need to re-confirm on that device.

  • Think about passwords and use them as appropriate. Finance, health, and email (think two phase confirmation) warrant difficult, unique passwords that make it harder to crack. I'm far more skeptical about the need to protect things like your Netflix account (what will some one do if they break in? -- view movies you don't like? pay your bill for you?) Of course the companies where you subscribe would like you to protect their interests, and those where you are required to "log in" are often just doing that to be able to track your and potentially compromise your privacy via their "trusted business partners". This includes passwords on things like your router, or other devices provided by your internet supplier. And increasingly will be a concern for the Internet of Things -- protecting you baby-monitor seems odd, but then do you want other folks listening in, or perhaps talking to your child?

  • Minimize your digital footprints -- (the references above have strong suggestions here) -- setting privacy options "everywhere" is one key -- your browser, your social media sites, you cell phone, your camera (which often includes GPS coordinates on every picture), and no doubt any "Internet of Things" device you add to your collection. (Smart speakers, cars, etc, etc.) -- I make sure "third party cookies" are disabled, "do not track" is turned on (as if the companies care). I use Firefox browser with Containers, and Privacy Badger (EFF) to reduce tracking. It's just me against the largest, most profitable, most technologically advanced companies in the world (who are tracking each of us) so I don't expect a lot from my efforts, but security and privacy go together, so these steps typically protect my systems security as well.

  • BE SKEPTICAL -- who is that email/message really from?? Some zero day attacks use PDF files, MP3/4 files, directing you to infectious web sites, spoofing sites you do visit (is that really your bank? -- if not, your log-in credentials are being compromised even as you appear to have successfully logged-in) .... Don't open questionable emails at all (don't just look at the name of the sender, look at their apparent email address, j.Doe@stealingYourData.bad is probably not the same Jane Doe you know.) Does the message make sense from that person (hint, none of your friends will ask you to buy gift cards for them, if they do, they are not real friends anyway.) Just a link in the email ... trash it -- and if you expect your friends to open the neat items you send them, add some explanatory text that explains why you are sharing it (not just "I thought you would find this interesting") ... And of course don't re-send/tweet/post/whatever content that you have not vetted --- this reduces (computer) viral infections, as well as misinformation infections. If you are responsible for sending out a newsletter, don't just send me an email "see attached newsletter" -- it wastes my time deciding if it has content of interest, and is not distinguishable from a phishing attack -- give me the key headline topics I can expect to see addressed in the newsletter as part of the initial message.

  • More to come (I suspect)