Your Digital Footprint Looks A Lot Like You
Technology has brought incredible conveniences to our civilization. It allows us to keep in touch with friends on the other side of the world, and make new ones just across town. We can purchase groceries, pay our bills and perform our jobs from the comfort of our homes or at a tray table on a plane. Computers have changed the way humans live, and the internet is the thread that ties it all together. Garage door openers, streaming devices, e-readers, speakers, thermostats, cameras and even kitchen utensils are all now internet-capable and can be controlled from our phones. Again, all very cool and convenient feats for mankind. But, because our devices connect us and our private lives to the rest of the world, have you ever stopped to think about the potential dangers bundled into all of these things? Everyone knows a family member or a coworker that covers up the camera on their laptop, merely at the speculation that our devices could be compromised. People cringe at the idea of a stranger having undetected access to our intimate lives yet, without venturing down that rabbit hole (spoiler), people overlook the little bits of details about themselves they sprinkle on computers all over the world. Our so-called “digital footprint”, the accumulated traces of you left yourself, can be compiled to build a clear picture of who you are.
“I have read the terms and conditions” is probably the biggest lie on the internet. Anytime we sign up for a new service we’re greeted with a wall of tiny text. Our time is precious and we really want to be able upload pictures of our dinner for our friends to see, and so we scroll to the bottom and check the box. Our account is created and we add yet another app to check while sitting on the toilet at work to our collection. Everyone is doing it and it’s free, so we might as well jump on board to stay current. The problem with these free services though is that, if you’re not paying for the service, generally you are the service. A quick review of some popular companies’ privacy policies reveal this:
We collect information to provide better services to all our users — from figuring out basic stuff like which language you speak, to more complex things like which ads you’ll find most useful
we store the information we collect with unique identifiers tied to the browser, application, or device you’re using. When you’re signed in, we also collect information that we store with your Google Account, which we treat as personal information.
Facebook: We collect the content, communications and other information you provide when you use our Products.
This can include information in or about the content you provide (like metadata), such as the location of a photo. We also collect contact information if you choose to upload, sync or import it from a device (such as an address book or call log or SMS log history).
If you use our Products for purchases or other financial transactions… we collect information about the purchase or transaction. This includes payment information, such as your credit or debit card number and other card information; other account and authentication information; and billing, shipping and contact details.
We also receive and analyze content, communications and information that other people provide when they use our Products. This can include information about you, such as when others import your contact information.
We use information collected about your use of our Products on your phone to better personalize the content (including ads)
Information such as...IP address, connection speed and, in some cases, information about other devices that are nearby or on your network
Advertisers, app developers, and publishers can send us information. For example, a game developer could use our API to tell us what games you play, or a business could tell us about a purchase you made in its store. We also receive information about your online and offline actions and purchases from third-party data providers who have the rights to provide us with your information.
When you share your content with family and friends using Apple products, send gift certificates and products, or invite others to participate in Apple services or forums, Apple may collect the information you provide about those people
Apple shares personal information with companies who provide services such as information processing, extending credit, fulfilling customer orders, delivering products to you, managing and enhancing customer data, providing customer service, assessing your interest in our products and services, and conducting customer research or satisfaction surveys.
We collect personal data from you when you provide, post or upload it to our Services, such as when you fill out a form, (e.g., with demographic data or salary), respond to a survey, or submit a resume
You don’t have to post or upload personal data; though if you don’t, it may limit your ability to grow and engage with your network over our Services.
We receive personal data (including contact information) about you when others import or sync their contacts or calendar with our Services
We receive personal data about you when you use the services of our customers and partners,
If you use our Services from a mobile device, that device will send us data about your location
We collect information about you when you send, receive, or engage with messages in connection with our Services.
Our Services are dynamic, and we often introduce new features, which may require the collection of new information.
We target (and measure the performance of) ads to Members, Visitors and others both on and off our Services
We use your data (including your communications) if we think it’s necessary for security purposes
We implement security safeguards designed to protect your data, such as HTTPS. We regularly monitor our systems for possible vulnerabilities and attacks. However, we cannot warrant the security of any information that you send us.
When you interact with our services, we collect the information that you choose to share with us. Of course, you’ll also provide us whatever information you send through our services, such as Snaps and Chats to your friends.
Snapchat servers are designed to automatically delete all Snaps after they’ve been viewed by all recipients
Snapchat servers are designed to automatically delete all unopened Snaps after 30 days.
Snapchat servers are designed to automatically delete unopened Snaps sent to a Group Chat after 24 hours.
We provide and improve ad targeting and measurement, including through the use of your precise location information
The above provides only five examples of such terms and conditions, and already there should be major sources of frustration. For starters, all of these services use information you provide and information they collect to share with other entities, and to target ads based on your usage. They are collecting your credit card information, your contacts, your messages, your pictures, your exact location, and information others provide about you. Even if you don’t have an account with some of these services, they may be obtaining your private info from providers you do use, “who have the rights to provide your information.” Facebook is collecting information, not just about the device you access it from, but other devices on the same network. Snapchat, while confirming they delete messages once opened by recipients, will maintain any and all pictures you send for at least 30 days until they’re opened. Not to mention, there is a serious difference between deleting files and destroying them. And the icing on the cake goes to the fact that any of these “cannot warrant the security of any information.”
This statement is very honest, and we have to give credit to those who release similar disclaimers. The truth about information security is that there is no such thing as a secure system, only varying degrees of insecurity. Much like the door to your home, it doesn’t matter how many locks you reinforce it with, somebody who is determined enough and maintains the correct knowledge will eventually find a way in. Furthermore, users need to be aware of the fact that uploading documents to Apple iCloud or Microsoft OneDrive is no different in essence than placing the information on a hard drive and mailing it to the vendor. All of your data is now just sitting on someone else’s server – one that you don’t maintain and have no control over. There are perfectly legitimate reasons for using online services, whether cloud storage or social media, but awareness is absolutely key here:
If the information isn’t on a computer you own, you no longer own the information. If the vendor closes their doors today, your data is gone.
The team that manages the service has unwarranted access to your information in its raw form. While it’s unlikely that Snapchat system administrators are looking at your lewd pictures from the back end, the possibility of this is still technically feasible.
Just because you delete something doesn’t mean it’s actually gone. You don’t know what data retention policies and backup solutions the provider has in place. If you send your grandma your social security number through a Facebook message, but later delete the message, it still may live on for years just waiting to be discovered.
Our generation is plagued by privacy issues, and companies like Google are living proof of that. These issues aren’t isolated to the private industry either. Thanks to legislation like the Patriot Act, the US government aggregates your personal information much like Facebook or LinkedIn, and shares it with other political entities. The age old mentality of “if you have nothing to hide, you have nothing to fear” simply doesn’t translate well into the 21st century where everything you do can be watched. And this is only part of the issue – the overall point to be made here is that your information is available to anyone who is able to get their hands on it, legitimately or not. Cyber attacks continue to increase in occurrences and sophistication while companies like Uber attempt to cover data breaches up. You simply cannot trust anyone or anything with your data. Before you submit anything over the internet you need to ask yourself a simple question: “Am I willing to lose this information?” And stop filling out social media surveys. If you haven’t noticed, these are gold mines for figuring out your security questions.
Even though ten locks won’t keep a cyber criminal out, it may be enough to deter them and so we must fortify where possible. The weakest point of any computer system is the human firewall. That is to say your actions are the easiest and most probable way you’ll find yourself a victim of credit card fraud or identity theft. If you configure a firewall with a single DENY ANY ANY rule, it will deny all incoming traffic using any service from any source. Hackers maintain the fundamental technical knowledge behind these things, and understand it’s much easier to get you to open an email titled TeN AwseOME NeW IDEAs For THE New YEAr even though it’s coming from email@example.com. We have to educate ourselves if we are to keep up with the looming cyber threat.
Computer exploits are made possible by a variety of things, but mostly poorly configured systems and outdated software. Unless you’re running web servers or something similar on your home network, you’ll never need to worry about properly configuring firewall rules or IDS policies. But you are responsible for keeping things up-to-date. While it’s much easier to click “remind me later” for six years, or complain about how software upgrades slow down your system, updates often include security patches and are absolutely mandatory for keeping yourself safe online. Security researchers and hackers spend their time trying to break popular software and release so-called “zero-day” exploits into the wild. Once it is available to the public, you are immediately at risk until you apply the appropriate patches from your vendor. An attacker needs only one hole to compromise your device, and outdated technology provides an easy way in. This ties back to the Ten Locks concept from earlier. Don’t let yourself become low-hanging fruit.
Complex password policies are inconvenient, but that is the nature of security. Understanding the characteristics of a strong password boils down to knowing how password cracking works. Password cracking is not some fat Russian teenager continuously typing username and password combinations into a login portal, but rather millions or even billions of mathematical equations launched against an offline password file. In an example where your Facebook password is ‘Chocolate1’, it’s important to know that this password is not stored with your username in a database as you would type it in. Rather, computer systems apply a random algorithm against it to turn it into a hash. Therefore your password Chocolate1 may actually be stored as the SHA2 hash ab6546bc3d63439a205dbc1cd5074e7225beba7de060cc37428afb76. When these databases are breached and obtained by hackers, they go to work cracking these hashes using various tools and methodologies. These password files are generally sold online, and give hackers further insight into the mental processes used by humans to create passwords. Once they know your username and password, they can try using the same combination to get into other accounts, such as Amazon or Bank of America. The bad guys also know that, just because Chocolate1 doesn’t get them in, you haven’t fooled them out of considering other variations like Chocolate2 or Chocolate!. With that said, there are several types of password attacks, which extend beyond the scope of this article. As a short synopsis, a long, completely random password unique to each individual account is ideal. If you’re unwilling to switch to a password manager, such as LastPass that can handle this for you, just know that longer passwords are better than complex ones. “I love chocolate and so does my dog1” is literally quindecillion times stronger than Ch0c0l@t31. This concept can be demonstrated by howsecureismypassword. I plan on touching on the technical aspects of password cracking in future articles, but this video does an excellent job of giving you an idea of how it all works. Also keep in mind that companies that enforce specific password policies, such as only allowing passwords 8-16 characters in length with restricted special character usage, are likely running legacy systems and don’t have security best-practices in mind. The shorter a password is, the fewer guesses a computer has to make in order to crack it.
Even if your Chocolate1 password is stolen, and now all of your accounts can be compromised, you don’t have to let yourself become a victim. Implementing two-factor authentication is an additional lock you can install on your door to keep intruders out. Once putting in the correct username and password, a hacker would then be met by a screen asking for a unique, one-time token that has been emailed or texted directly to you. Without access to the receiving device or account, the attacker will be unable to get in. This is a crucial security control you should have activated on all your critical accounts, such as anything financial-related. Know that there are three variations of authentication:
Something you know, such as a password or a PIN
Something you have, like a cellphone that receives one-time tokens
Something you are, like a fingerprint or retina scanner
Mandating that a PIN be entered after punching in your password is not two-factor or multi-factor authentication, and does not necessarily make you more secure.
Something else to be aware of are strains of malware known as keyloggers. These can actually be software or hardware-based, but both share the same goal of logging everything your keyboard types and quietly sending it home to the attacker. If you download some music or a piece of commercial software from a pirating or otherwise illegitimate site, your free goodies may be laced with unwanted byproducts. One way to ensure that attackers never get your personal information is by using the On Screen Keyboard on Windows devices. This can by opened by pressing Win + R on your keyboard and typing in ‘osk’. This allows you to use your mouse to type rather than your keyboard. If you suspect your computer is running a malicious piece of software, check out my malware removal guide.
There are a lot of things we can do or look for in order to avoid becoming a victim in the first place. Before anything else, we can head to haveibeenpwned to punch in our email address and determine whether or not we’ve been affected by known data breaches. If it comes back positive, you can assume someone somewhere knows of your username/password combination for the affected sites. This is why it’s absolutely imperative you don’t use the same password for multiple accounts. In this scenario, you want to change your passwords using the advice above. After choosing appropriate passwords, the next thing we want to pay attention to are attachments, downloads and links. Viruses don’t just magically float through the internet and land on your machine as some people believe, but are rather usually installed by you yourself. Spoofed emails containing malware is one of the most common ways an attacker can gain a foothold in your network. Free email providers, like AOL, don’t dump a ton of money into their spam filter and therefore allow a lot of junk mail through. Before ever following a link or opening an attachment from a suspicious sender we want to verify a number of things, all of which can usually be done by simply hovering over (not clicking) them:
The sender is who they say they are
The links are taking us to a legitimate site
The attachment does not contain any malware (this actually requires us to download it, but I’ll address that later).
Anything that comes after the ‘@’ is called the domain name. If you were exchanging emails with a customer representative at Chase, the format would be someone@(maybesomething).chase.com. Whatever comes last before .com, .net etc is the real deal. I know the above address is safe because I can open a web browser and go to chase.com and be welcomed by their actual site. Now, if the roles were reversed and the address had the format firstname.lastname@example.org, this is a cheap attempt to trick you and you need to delete the email. Safety is the best policy here, and the general rule of thumb is that, if you weren’t expecting it, it’s spam. When in doubt, throw it out. This concept extends further than emails as well. If you’re on a website that includes links, hover over it and make sure it’s taking you to where it says it is before pulling the trigger.
Say you download or receive a file from a backwater site or an email you believe to be legitimate; before opening it you can run it through a website like Virustotal to ensure it’s trustworthiness. Virustotal will run the file against a number of antivirus engines to look for any foul play. You may not be familiar with any of these solutions, and that’s fine. The best anti-malware software I’ve used in my professional career is Cylance, which uses AI and comparative analysis over definitions to reach a verdict on file statuses. Cylance confirming a file is safe is generally good enough for me.
Virustotal and similar sites, such as Webroot BrightCloud can also perform reputation lookups to determine whether or a not a website itself is safe. Web servers running popular sites can become compromised and serve the will of its attacker. As such, performing a reputation lookup will let you know if a site is distributing malware, for example.
Just as we would want to determine the legitimacy of a file, we also want to make sure a website in its entirety is who it says it is. At some point you may have been surfing the web and been met by a page claiming YOUR CONNECTION IS NOT PRIVATE.
While often a false alarm, there are ways we can verify this claim. If you’ve ever paid attention to the part of your browser where you type in the URL, you’ve often noticed a green lock symbol. All this tells you is that the website is using HTTPS (a secure version of the HTTP protocol), and is using a valid SSL certificate. At a very high, non-technical level, here’s how SSL certificates work:
Your browser receives a request from you to go to a website.
Your browser quickly checks the site to ensure it is using a valid SSL certificate. It makes sure the certificate is 1.) not expired, 2.) registered to the website actually using the certificate, and 3.) licensed by a valid Certificate Authority (CA), such as GoDaddy or Comodo, as opposed to a self-signed certificate.
As a real-life comparison, your web browser is acting as a police officer. It pulls over the website and verifies the legitimacy of it’s SSL certificate. If any of the three factors above don’t match up with what the browser knows, you receive the warning. You can view the certificate to any site yourself by clicking on the lock icon. If you believe the warning to be a false positive, you can create an exception in your browser and proceed. If any website is not using HTTPS, you need to be aware that anything you send through the browser can be captured and read in plain text by an attacker.
As a final approach to internet safety, browser extensions exist that empower you to allow or deny any and all requests made by your browser. When you visit a recipe website to learn how to make a fancy meal for your in-laws, there’s a lot going on behind the scenes that you don’t notice. All sorts of ad services and APIs, allowed by the website owner, rush your browser to gain a lot of the information covered at the beginning of this article. Browser extensions like uMatrix allow you to not only see these requests in action, but stop them entirely.
Rushing to the frontlines to combat the dangers of a digital future are many organizations and technologies. A large portion of people believe privacy is a fundamental human right, and movements to protect and promote this ideology have begun. As an individual living in the digital age, there are many things you deserve to be aware of. As you begin your own search for privacy solutions, keep in mind that “free software” should extend much further than just price. Open source software is free monetarily, but has also released it’s code to the public for review.
One of the best ways to protect yourself from data theft is through the employment of encryption. Similar to how hashing turns plain text passwords into random data, encryption turns the contents of your hard drive into gibberish. I could take an unencrypted hard drive out of a stolen laptop, slave it into my computer, and read the contents essentially like a flash drive. Encryption takes this possibility away from criminals as modern-day ciphers are incredibly difficult to break. As demonstrated in the Kurzgesagt video linked earlier, law enforcement agencies may push to have vendors like Apple program “back doors” into their software so that they can be accessed on a per need basis. Doing so opens up the floodgates for the next generation of privacy violations, and encryption is the lock that keeps them at bay. Many computers and phones have encryption options out of the box at no additional cost, like Microsoft’s Bitlocker, while free solutions such as VeraCrypt exist for external drives. The Founding Fathers used encryption, making this concept as American as apple pie.
Google’s terms and conditions apply to all of its products, not just its search engine. Whether you’re using Gmail, Chrome, YouTube or the latest Pixel, your privacy is at risk. Though not perfect in design, Brave browser implements a number of privacy features and offers a safe alternative to Chrome. Likewise, Duck Duck Go looks and feels similar to Google’s search engine, but does not compile all of your search data. Protonmail is an email solution based in Switzerland offering end-to-end encryption, password-protected emails, and customizable expiration dates for all communications. Wickr offers a secure messaging app on Android and iOS platforms where the contents of your communications are never stored. The exceptionally paranoid could also look into the TOR Project and VPN services for further internet anonymity.
We’ve traversed a lot of information and some very extreme scenarios in this article. The underlying message behind all of this is that the internet remembers everything. You will never be 100% safe sitting behind your free Malwarebytes subscription, and so it’s your responsibility to be aware of the dangers that lurk out there. During the tail end of my military career it was often discussed that the next war would by fought in cyber space, yet many professionals maintain the belief that a war in which we’re all a part of has already begun. While I don’t advocate you cut your cable line and throw out your toaster, I do suggest exploring safer alternatives to popular services, thinking before you click and, please, with tears in my eyes, no longer filling out those social media surveys.