I’m not about to suggest tinfoil hats, new sneakers, or special Kool-Aid, and I won’t suggest deleting your Facebook profile, trading your iPhone for a flip phone, or wearing a Guy Fawkes mask when you run out to check the mail. Instead, I’m going to propose a few easy-to-implement strategies that you can use to safeguard your online info. You lock your car and you lock your home – locking up your data is just as important.
There are three broad threat models you should be aware of:
1. Government surveillance. Avoiding this type of surveillance would likely require a substantial lifestyle change and is beyond the scope of this post. Just be aware that this isn’t Jerry Fletcher Conspiracy Theory type stuff anymore – sources like the Guardian, the New York Times, and the Washington Post have confirmed that this type of surveillance really exists and is pervasive.
2. Criminal activity. Every scrap of personal info you have online is of interest to criminals. The big prizes are things like financial details or medical information but “trivial” stuff like email accounts, social media profiles, and logins to fan/sport/professional/etc sites are still targets. A savvy criminal can leverage details gleaned from those “lesser” accounts to gain access to more critical personal information.
3. Pranksters with too much time on their hands are constantly poking around technology’s edges, trying to find a weak spot in how your data is handled. Their goal is humiliation (Hello Jennifer Lawrence!) as opposed to instigating financial ruin. These jerks would love nothing more than to post your private, personal, embarrassing details online.
Focusing on groups 2 and 3, how do you start to safeguard your digital life? You’re going to use strong passwords and implement some default encryption.
Passwords need to be either long strings of random characters or pass phrases. If you’re using an eight-character password or a single dictionary word, it can be compromised in less than a minute. Twelve random characters (uppercase, lowercase, numbers, and symbols) is the bare minimum but if you can use 20 or 30 characters, do that. Visit www.howsecureismypassword.net to test how long it would take to crack your existing password.
Passwords also need to be unique. You can’t use the same password for every account.
You’re going to need to keep track of dozens or even hundreds of unique passwords and it’s going to be a nightmare, right? Fortunately, there are password managers you can use to protect yourself. You pick one hard-to-guess but easy-to-remember master password and the manager will create and organize random passwords for all your accounts.
There are dozens of managers to choose from but I recommend LastPass. It’s free, it works on major browsers, and it works on all operating systems. There’s a paid version ($12/yr) that syncs your details between all your devices.
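To make the length advice above concrete, here is an added example (not from the original post and not any password manager's actual code) that generates random passwords and pass phrases the way a manager does and computes how many bits of entropy each length provides. The function names and the sample word list are assumptions made up for this illustration.

```python
import math
import secrets
import string

# The four character classes the post names: uppercase, lowercase, numbers, symbols.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 94 printable ASCII characters

# Constructed sample word list, for illustration only. A real passphrase list
# (diceware-style) has thousands of words; 7776 is the classic size.
SAMPLE_WORDS = ["anchor", "bramble", "copper", "dune", "ember", "fjord",
                "granite", "harbor", "ivory", "juniper", "kettle", "lantern",
                "meadow", "nectar", "orchid", "pebble"]


def generate_password(length=20):
    """Random password with at least one character from each class."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    while True:
        # secrets draws from the OS CSPRNG; the random module must not be used here.
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def generate_passphrase(wordlist, words=6, sep="-"):
    """Passphrase of independently chosen random words."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of `length` symbols chosen uniformly at random.

    Only valid for machine-generated secrets; a human-chosen password of the
    same length is far more predictable than this figure suggests.
    """
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(generate_password(20))
    print(generate_passphrase(SAMPLE_WORDS))
    for n in (8, 12, 20, 30):
        print(f"{n:2d} random characters: {entropy_bits(n):6.1f} bits")
    print(f" 6 words from 7776:   {entropy_bits(6, 7776):6.1f} bits")
```

Six random words from a 7776-word list come out at about 77.5 bits, roughly the same strength as the twelve-random-character minimum, which is why a pass phrase is a reasonable choice for the master password you have to remember.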
When you send unencrypted information back and forth on the internet, it’s susceptible to interception and if someone captures it, they’ll have complete access to whatever info is contained within. You’re especially vulnerable when using public WiFi (on either your phone or laptop).
The easiest way to protect your data while it’s being transmitted is to do your best to encrypt it.
Encryption is essentially a mathematical formula used to encode data. The formula is so complex that it would take decades to guess the encryption key. As it currently sits, encrypting your data is the easiest, most effective way to protect it. It’s also dead easy to use.
Visit the Electronic Frontier Foundation’s website and install its HTTPS Everywhere browser plugin. The website should help you install the appropriate plugin for your browser and once installed, it will offer an encrypted connection whenever possible. All you do is install it and forget it.
Mobile – Facebook
Facebook’s mobile app skims a TON of data from your phone. If you’ve got an Android phone, I suggest using Tinfoil for Facebook; it’ll minimize some of what’s shared. To my knowledge, there’s not an equivalent app for iOS.
Mobile – text messages
You should also encrypt your text messages. Using one of the following apps will encrypt text and picture messages. TextSecure, RedPhone, and Signal are all made by the same developer and they’re all free to use.
If you’re on Android, install TextSecure from the Play Store. It’ll send encrypted messages to other TextSecure/Signal users. To everyone else, it’ll send plain old unencrypted messages. You’ll know your message is encrypted by the closed padlock that appears in your sent message bubble.
If you’re using an iPhone, your messages to other iPhone users are already encrypted. However, if you text someone who uses an Android phone, your message won’t be encrypted. The way to cure this is to install Signal Private Messenger. It’s made by the same people that make TextSecure so messages between TextSecure and Signal users will be encrypted.
Mobile – phone calls
Encrypting phone calls may be overkill to make a dinner reservation but if you’re discussing financial, medical, or other sensitive topics, it may be a good precaution to take.
If you’re on Android, installing RedPhone will give you the option to encrypt phone calls to other RedPhone/Signal users.
If you’ve got an iPhone and have already installed Signal, it’ll also encrypt your phone calls. You can use Signal for an encrypted phone call to RedPhone and vice versa.
Email is by far the worst offender. We include all kinds of personal info in emails and these are the easiest messages to intercept or compromise.
To lock down your email, use a strong password (see above) and – if available – two-factor authentication. That will help stop a third party from accessing your account.
To secure your messages while in transit, you’re going to need to encrypt them. Encrypting email used to be a not-so-straightforward process but luckily, there are providers that have found a good compromise between security and usability. One of them is Tutanota.
www.tutanota.com provides free email accounts that offer default encryption. They also have Android and iPhone apps. Anytime you send a message to someone, you’ll be given the option to encrypt your email with a password. The recipient enters the password and can read your email message. You’re also able to send a plain, unencrypted email to anyone at any time.
I’d suggest not emailing the password to the recipient. If other secure ways of communicating are available (TextSecure, for example), you can share the password in that fashion or you could pick a password the recipient should intrinsically know. You could even send the recipient an olde-timey letter with the password prior to ever emailing them.