
Vulnerable Points on the Path to Privacy

Privacy and security are more important, and under greater threat, than ever before. We manage an ever-increasing amount of sensitive information and tasks, while the number of ways our information can be exposed seems to be exploding.

There are five major areas in which your security and privacy can be both exposed and protected:

  1. Your computer, including all the software on it, and the hardware itself.
  2. Your network, the vital link that connects your computers to each other and to the internet, and a potential point of major exposure.
  3. Your ISP, the provider of that vital link, wielding more power and subject to more scrutiny than most realize.
  4. Your online services: they hold your data, but do they know what they’re doing, and will they defend your privacy if needed?
  5. Your friends and acquaintances: often the weakest link in the chain. Do the people you interact with value (or understand) privacy and security as much as you do?

Let’s review each of these points of risk, exposing the technological hazards we (perhaps unknowingly) face every day.


1. Your computer

Privacy and security start at home (or in your pocket).

Software

For every piece of software we run, we trust that the right decisions have been made in terms of maintaining our privacy and security. We also trust that the vendors themselves have our best interests in mind. This is true not only for our desktop and mobile computers and phones, but for the surprising number of network-connected devices in our lives, including televisions, cars, security cameras, and even baby monitors.

The operating system

Be it Windows, Linux, Mac OS, or something else, most of our technology runs some form of base operating system software, or “OS”. Even those devices we consider to be single purpose, like a baby monitor, often run a “general purpose” operating system (typically, a Linux variant).

When Windows 10 changed its approach to privacy, it became shockingly clear how much we rely on Windows for privacy and security. Many felt Microsoft had crossed a line, collecting excessive amounts of information in ways outside our control. Exactly what was being shared was unclear, and there were no trustworthy, easy-to-use solutions to avoid it. While Microsoft appears to be adding more privacy controls to more recent versions, the fact remains that for many, trust was irrevocably breached.

The most important take-away, however, is not that Microsoft may or may not be trustworthy; it’s that every operating-system vendor has the power to do any or all of this, with or without letting us know. The amount of trust we place in any OS vendor to properly manage our privacy and security is enormous.

Aside from being vigilant, managing the privacy and security options that are available, and paying attention to reliable, objective news sources, there’s little we can do if our trust is misplaced, other than switching to a more trustworthy alternative.

Applications

Everything I’ve just said about operating systems applies to every piece of software running on your computer, phone, or other device – including security software.

The average computer user has dozens, if not hundreds, of apps and applications installed across various devices, from nearly as many different vendors – and each vendor has its own approach to privacy and security.

That’s a lot of trust spread across a lot of different companies. Besides trusting that they’re competent at whatever it is we use their software for, we’re also assuming they’re competent at keeping our information safe and secure, and that they’re not, themselves, malicious. We give them much more access to our information than we might realize.

The best defense here is twofold:

Malware

When people think about privacy and security on their own computers, the first thing they think of is malware: malicious software that somehow makes it onto their computer and proceeds to steal information (or worse).

I’ve placed it last in the software category, because by now, most people understand malware and the concepts behind it. More importantly, we know how to combat it. It’s something that makes the news almost every day. And while protecting yourself from malware is terribly important, it’s a topic already well understood.

You know how to combat malware. You know how to avoid malware. You know how to be skeptical. It’s something this industry talks about every day, so I won’t belabor it here.

Hardware

An often-overlooked aspect of security is what I refer to as “physical security”. One of my frequent statements is, “If it’s not physically secure, it’s not secure.” If someone untrustworthy can touch your hardware, they can do amazing amounts of damage.

Physical access

If someone can walk up to your computer (or phone, or router, or many other networked devices) and start using it, that’s a privacy and security hole bigger than anything I’ve listed so far. If someone malicious has access to your device, they can do anything.

Most of the time, our concern is theft. The good news here is that most thieves are unsophisticated. They’re just looking to turn around the hardware for some quick cash – they don’t really care what you have stored on it. However, that data is certainly accessible to them – or the person they sell it to – should either of them have a little technical expertise.

More commonly, the risks are closer to home: spouses, co-workers, children, and friends. Be they malicious or nosy, the people around us often have the greatest incidental access to our things. It’s one thing to go snooping around our medicine cabinet, but something else entirely to poke around in our email, spreadsheets, or other personal data.

How much of a problem this is varies, of course. At one extreme, you may not feel the need to take much action. At the other, a combination of encryption, software locks, and perhaps even hardware locks might be appropriate.

Hardware compromise

We usually trust that the hardware we use hasn’t been compromised. That may not be a safe assumption when using devices in public.

A good example is a hardware key-logger inserted between the computer and keyboard. Undetectable to any software on the machine, and hidden behind the computer itself, it can passively collect massive amounts of information until the perpetrator comes along to pick it up and act on the data.

While it’s significantly less common than other forms of compromise, hardware hacking can take many forms. It’s one reason I never use a public computer for anything remotely sensitive.

2. Your network

Much of the risk we encounter every day is due to being inter-connected, or networked. It’s also what enables so many of the features, functionality, and rich experience we enjoy with technology. Your network is how your computers are connected to each other and to the world.

Router

The first device the internet reaches on entering your home or workplace is, typically, a single router. Its job is to allow your multitude of devices to share a single internet connection. As a side effect, it also acts as a security device itself: routers are great firewalls, protecting your network from many of the threats out on the internet.

Routers are powerful devices. In fact, they’re powerful computers. They’re often based on general purpose operating systems. Before even plugging the device in, we’re trusting that the router vendor is competent and has factored in appropriate measures to protect our privacy and security.

Even then, routers are interesting to hackers, because by compromising a router, they can compromise all the devices connected to it, or misdirect people into visiting malicious sites or downloading malware.

Beyond getting a reputable device from a reputable vendor, the single most important solution in your control is to secure your router. Every router comes with default settings that may or may not be the most secure configuration for you.

Wireless connections

Wireless connections are often controlled by your router but deserve additional attention. They’re an easy point of compromise, particularly in public.

Because the range of a wireless connection is a function of both the wireless access point and the computer attempting to connect, it’s possible to connect from a distance further than most people might realize. Particularly if someone is dedicated to the effort and trying to connect to a relatively close access point, it’s unwise to rely on distance alone as a security measure.

The most important thing you can do in your home and business is to never have an open Wi-Fi hotspot; always use a WPA2 key or password for the connection.

The most important thing you can do when traveling is to know how to use an open Wi-Fi hotspot safely.

Other computers

I mentioned earlier that your router protects you from many of the threats coming from the internet. What if the threat is more local?

Many people fail to realize that their computers and networks are often set up to give locally connected machines – machines on the same side of the router – a high level of trust. Sometimes, that trust is unwarranted.

Consider your child’s computer. He or she may not have the sophistication to know not to download and run malware, and a lack of adequate protection could infect other machines connected to the same local network. The same could be true of a visitor, or even a less-than-tech-savvy spouse. Sometimes, the threats come from within.

Solutions involve making sure your computer has its own defenses set properly, including its own firewall. Today these are on by default for most devices. More extreme might be segmenting your network into trusted and untrusted zones, using an additional router or a router that provides this functionality natively.

Other devices

In recent months, there’s been much made of the so-called “internet of things”, or IoT. I alluded to this earlier when I discussed devices we would consider dedicated to a single task – such as your refrigerator – that, nonetheless, run general purpose operating systems.

It turns out neither privacy nor security was at the top of many IoT vendors’ feature lists.

The good news is that their negligence has (thus far) mostly been limited to those devices becoming part of botnets used to cause havoc elsewhere. Other than using their owner’s internet bandwidth, little damage was done at home. Unfortunately, the potential still exists for more localized damage, should hackers ever decide to focus their attentions on it.

The bad news is that, aside from avoiding these devices completely, there’s little in our control. Once again, we’re limited to using information sources we trust to provide us with reviews and recommendations, now with an eye to privacy and security – an odd concept to consider when looking at an internet-connected television or kitchen appliance.

3. Your ISP

ISP: Internet Service Provider. Depending on where you live (or how you travel), you may have several options, or very few. Regardless of which you choose, you place a tremendous amount of faith in your ISP.

Home internet connection

Connecting to the internet at home has become one of the fundamental utilities folks rely on. Your ISP provides your digital lifeline – your connection to the internet.

Here’s the catch: your ISP can monitor your traffic. All of it. Unless you take additional steps, just about anything that travels over your ISP-provided connection can be examined – often in detail – or even recorded by the technicians operating the equipment.

Normally, that’s not much of an issue. Your ISP is too busy just keeping the lights on, so to speak, to pay attention to your emails or web browsing. Of greater concern are those situations when your ISP can be compelled to disclose your location and web usage by government demands or court orders.

The average computer user probably doesn’t need to be concerned. I know I’m not. But if you are, then the steps you can take generally revolve around encrypting the data that travels between your computer and your ISP.

  • https encrypts the connection between websites that support it and your computer. Your ISP can still see that you connected to askleo.com, for example, but they can’t see what it is you asked about or looked at.
  • VPN encrypts all traffic between your computer and the VPN service. Your ISP only sees that you’ve connected to the VPN, but can see nothing beyond that.
  • TOR – The Onion Router – is a web proxy (most securely used with a dedicated TOR browser) that encrypts all your web activity, and routes your traffic in such a way that the server to which you are connecting has no idea who you are, unless you explicitly tell them. Once again, your ISP can see that you’re using TOR; they just can’t see what you’re using it for.

One of the most overlooked aspects of this topic is the very literal nature of the term “ISP”. Anyone who provides you with a connection to the internet is your ISP. Be it at home, in a hotel, at a coffee shop, or at work (which I’ll discuss next), anyone who provides you with an internet connection can examine what you’re up to.

Work internet connection

When you’re at work, a separate set of rules often apply. Thus, there are several other aspects related to your privacy and security to consider.

  • If you’re using employer-provided equipment, everything I said about hardware compromise could be at play. It’s possible, and possibly quite legal[1], for an employer to install either hardware, software, or both, to monitor your activities at any level of detail they wish.
  • If you’re using employer-provided internet, then in addition to being your ISP, with all the power that entails, they may be legally allowed to monitor your traffic, even to the point of using techniques to intercept encrypted https traffic.
  • When at your place of employment, your private equipment may or may not be subject to your employer’s rules and abilities.
  • Regardless of whether or not the company cares to monitor what you do, or even compromise your security, you’ll still be required to abide by the company’s rules.

The best advice I can give here is to have a clear understanding of your workplace’s rules and capabilities and follow them to the letter. Then, depending on your level of trust, take care to isolate anything personal from their network, equipment, and possibly even facilities.

Coffee shops and public locations

Open Wi-Fi at coffee houses is rife with well-known security and privacy issues. You likely already know what to do to stay safe using open Wi-Fi.

It’s important to realize that those steps may not protect you from the owner of the coffee shop, or Wi-Fi provider. When using their internet, they are your ISP, and as such may have access to all the abilities I mentioned above.

To avoid the issues surrounding wireless connections, many people choose to use a wired connection instead. Unfortunately, the provider of that connection still has all the capabilities of an ISP, and could compromise your privacy and security. In the worst case, they could also be slightly incompetent, and expose your connection to other network users, making it just as vulnerable as open Wi-Fi.

Remember to treat any internet connection from an unknown or untrusted source with skepticism.

Shared connections

One scenario I often hear is what I’ll simply call a “shared” connection. Sharing can take just about any form the name implies:

  • Using (with or without permission) the internet connection belonging to a neighbor.
  • Using the internet connection belonging to your host when visiting friends or family.
  • Using the internet connection provided by a landlord.
  • Etc.

Unfortunately, many people don’t realize that each one of these situations, and many others like them, place the owner of the internet connection in the role of internet provider. In other words, they’re the ISP, and once again have all the capabilities associated with that.

Keep this in mind: when visiting a friend, your ISP is not their ISP; your ISP is your friend.

4. Your online services

When we talk about privacy, many people immediately think of online services. Given the regular news reports we hear of breaches at major providers, it’s important to keep the online services we use in mind.

But the topic is both deeper and wider than that. We often fail to consider all of the online services we use. On top of that, we fail to recognize that these services are themselves subject to various laws and regulations that can further put our privacy and security at risk.

Email

Email is a lifeline that almost everyone online relies on[2]. It’s been around for decades, and represents what might be considered the first cloud service, before “the cloud” was even a thing. We regularly share our lives, our stories, and of late, our private information with friends, family, businesses, and more, all via email.

For the most part, email is all unencrypted. Our email provider can read it all. In fact, anyone with access to the servers between our email interface and our message’s destination can access it as it passes through.

The good news is that there is so much email that, once again, we’d need to be pretty interesting for anyone to bother paying attention to what we have to say. Chances are, we’re not.

I’d love to be able to provide a simple, easy solution, but I don’t have one. Encryption is key, but email encryption is a mess. There are techniques, but they’re often cumbersome and not universally compatible.

Most important to your privacy and security is to simply be aware of the limitations of “plain old email”.

Social Media

Overshare much? When it comes to social media – meaning services like Facebook, Twitter, Instagram, and others – we are often our own worst enemies. Not understanding the ramifications of such visibility, people often share more than they should. This isn’t just about pictures of the drunken party that come back to bite someone when they apply for a job; it runs a range from unexpected embarrassment to online harassment.

Social media providers have a wide variety of terms and conditions that allow them to do pretty much whatever they want with the information you post. Most aren’t interested in doing anything, but be it accidental or under legal pressure, providers have been known to take action that unexpectedly exposed more than the user intended.

The key things to remember when it comes to social media are:

  • You’re probably sharing more than you think.
  • You’re almost definitely sharing to more people than you think.
  • The provider can be compelled to provide your access logs and what you post to the authorities.
  • There is no “undo”. Once you post something, it’s stored somewhere, for much longer than you think.

Share wisely.

Storage

Cloud storage is awesome. It really is. As backing up is one of the themes I beat to death regularly, the number of additional options that online storage created is wonderful. There’s little excuse these days to lose more than a few minutes of work, even in the worst of disasters.

With that convenience come privacy and security issues.

The single biggest issue with cloud storage is that the provider of the storage service has access to your data. When you think about it, they must have access to provide the service. That, then, exposes two risks:

  • The service provider (or its employees) can peek at your stuff.
  • The service provider can be compelled to provide your stuff to the authorities.

One of the themes you might recognize here is the solution: encryption. For example, using a utility like BoxCryptor to transparently encrypt the files you store online ensures those files are accessible only to you.

Connectivity services

One of the solutions for many types of network risk is the use of a VPN, or Virtual Private Network. This is often a fine and appropriate solution. It ensures that your entire internet conversation, from your computer to the VPN service itself, is encrypted and hidden from prying eyes. It’s a solution often recommended for people who travel a lot, who might need to make use of questionable internet services.

What most don’t realize, however, is that using a VPN simply replaces one set of risks with another.

In a very real sense, the VPN service becomes your ISP. They provide a private, encrypted connection between you and their service. From that point, your connection continues onto the public internet.

The VPN has provided your connection to the internet, and like any ISP, that implies they can see what you’re up to.

Many people focus on speed when choosing a VPN provider. VPNs add additional processing and latency to your online communications, and can slow it down – sometimes significantly – depending on the provider.

More important, I would assert, is choosing a VPN service you can trust. Not only do you need to trust their implementation of VPN technology, but also that they’re not accessing, or otherwise allowing others to access, your data. Realize, too, many VPNs are based in other countries, or have a presence in other countries, which means they may be subject to the laws of countries other than your own.

Professional services

The banking industry frustrates me. In fact, I’ll just say that I find the whole financial sector frustrating at times. While there are some good players out there who really understand privacy and security and manage it well, there are many who aren’t quite as on top of things as they should be. Everything from sending out legitimate mail that looks like spam, to outdated password requirements that are fundamentally unsecure, much of the industry is still playing “catch up” compared to many others.

My feeling is, it’s no real coincidence that many of the major hacks we hear about are in financial services.

Fortunately, your money is generally protected in the banking world. With other professional services, such as online bookkeeping, bill paying, financial reporting, and more, things are more haphazard.

When choosing an online professional service, or whether to use one provided by your bank or someone else, I’d recommend looking for a few things:

  • The ability to use arbitrary-length passwords, including spaces.
  • The availability of two-factor authentication.
  • Telephone support that gets you to real people who speak your native language.
  • If applicable, the availability of real-time transaction alerts.
  • And of course, https, and only https, on every related website and page.

Online services can be used safely. I use them myself regularly. But here more than anywhere else, privacy and security is a partnership between a service that knows what it’s doing, and you, making appropriate security-related choices.

Account management

Once again, you may be your own worst enemy.

In my experience, most incidents of account hacking, theft, and loss are completely preventable. I see people making mistakes every day that eventually lead to account compromise. The service involved isn’t at fault, and the hackers are simply taking advantage of those mistakes.

Ultimately, privacy, and most assuredly security, is your responsibility. You may feel like it’s someone else’s – the service, the software, or the coffee shop – but ultimately, you choose which services, software, and coffee shops to use, and you choose whether or not to use them in a secure manner.

Sometimes I wonder if people want to get hacked, because I see them neglecting the basics of safe account management:

  • Choose appropriate passwords.
  • Manage passwords appropriately to keep them private.
  • Set up account recovery, especially two-factor authentication, and don’t let such options expire.

5. Your friends and acquaintances

One of the odder yet relatively common questions I get is whether video chat can be intercepted and recorded. The short answer is, as long as you’re using a reputable service, it’s highly unlikely.

But there’s a bigger risk that most of the folks asking seem to overlook: the person at the other end. They can record it. It’s a common method of extortion: someone is lured into a salacious online chat, which is recorded by the person at the other end, who threatens to release the video unless payment is made.

This highlights one of the greatest risks we face: the person at the other end.

I’m not saying they have malicious intent. But when you communicate with someone, your information is flowing across their network and devices as well as your own. Ultimately, we’re assuming this other person is not being spied on, and knows how to keep his or her system and environment secure.

In addition, we’re trusting they don’t actually have malicious intent. Everything we send, every picture we share – even with a limited audience – they can in turn share with whomever they please, including the entire world.

Your Responsibility

At first glance, privacy and security issues may seem overwhelming and disheartening. It’s easy to feel beleaguered, and even annoyed, that the digital world isn’t a safer place.

Personally, I feel the privilege of playing and working on the internet, and the multitude of opportunities it presents, makes it worth staying on top of what I need to do to use it safely.

That includes learning who to trust, and taking the steps I need to take to keep my identity, reputation, data, and devices protected.


Footnotes & references

1: Caveat: I’m no lawyer and this is in no way legal advice. Since laws vary dramatically around the world, consult an appropriate attorney for any advice relating to your specific situation and location.

2: Or will when they enter the workforce. :-)

9 comments on “Vulnerable Points on the Path to Privacy”

  1. “A VPN encrypts all traffic between your computer and the VPN service. Your ISP only sees that you’ve connected to the VPN, but can see nothing beyond that.” – It should be noted that, when using a VPN, the provider can see what your ISP would otherwise have been able to see – and, for the most part, your ISP is probably the more trustworthy of the two.

  2. Leo says: “While it’s significantly less common than other forms of compromise, hardware hacking can take many forms. It’s one reason I never use a public computer for anything remotely sensitive.”

    Unfortunately any time you are accessing an account using a Username and Password you are using it for something sensitive. Your email account is one very sensitive possession. It’s a life line, and in addition to the sensitive information it holds, it can be a way of gaining access to other accounts. The problem is that people who don’t have their own internet access rely on public access internet in libraries or internet cafes. In cases like that, I’d rely on my smart phone, tablet or portable computer and use the free Wi-Fi provided by the library or coffee shop. Most email websites or IMAP access use SSL (https in browsers) and the interaction between you and the email service provider is encrypted end-to-end. Check if any website you are going to which requires a login uses httpS.

    One way to mitigate this issue is to use two factor authentication (2FA).

  3. Another thing to watch out for. A few years back I was checking my email at a public library (I know, this goes against what I mentioned in my previous comment, but sometimes it’s unavoidable). While I was logged in and looking at my email, my internet session ran out. I asked the attendant at the desk if that would log me out of my email account. He said no and let me log on long enough to log out of my email account. So watch out for your time on line, and if you are automatically logged off the internet, ask them to let you get back on so you can log off from your email (or other logged in) account. And change your email password as soon as you can.

  4. Your section on hardware security really hit home. After 911, someone used my work computer to send a Taliban joke to 20 managers of the company. I could not prove that I didn’t do it and I was suspended then fired – although I apologized to all of them and explained that I didn’t do it. At subsequent jobs, I never left my desk without password protecting or shutting down my computer.

  5. A big THANK YOU for this article. What a treasure trove of information all in one place. This article should be required reading for all PC users.

    Mark Jacobs’ comment about email being sensitive is dead on. Too many people treat email and access to their email in a frivolous or cavalier manner. One of my banks will send a new password to me via email. (That bank has some problems, but that is another story). If you lose access to an email account, frequently you can use another email account to re-gain access to the first email account. I treat all my email accounts seriously.
