Digital Security and Privacy
Most people have a good understanding of the need for physical security. We take steps to protect our family and home from attack or intrusion, using tactics, techniques, and tools to help us:
- We build fences and put locks on our doors
- We put up motion lights and security cameras
- We install smoke and alarm systems
- We get a dog to alert us of trouble
In other words, we build a buffer of security around what we want to protect.
We also change our habits and create behavior and procedures to prevent loss.
- When we go places, we hold up our heads and pay attention to the people around us.
- We do fire drills.
- We have our keys in hand before we get to the door and then lock the door behind us.
- We take self-defense and firearms classes
- We train ourselves to be more situationally aware.
- We avoid “stupid people” in “stupid places” doing “stupid things”.
There is no one-size-fits-all solution, so we consider each security situation individually.
For example, you protect your baby differently from your financial papers. Both are important, but how you protect them can be very different. These same principles also apply to our digital security and privacy.
Privacy vs Anonymity
Digital Security protects your digital and online identity (your online accounts and information) and helps protect your Privacy (the information and activities about you that you want to keep to yourself or family).
It’s been noted that every culture has carved out private spaces, even in oppressive regimes where people have no right to privacy. This suggests that humans not only want but need privacy.
Anonymity is the other side of the coin: you want the information to be known but your identity kept secret. This is important to whistle-blowers who expose corruption in government or business, and to citizens who report crime tips. They have a legitimate fear of retaliation.
Protecting your anonymity is quite different than protecting your privacy and must be planned differently.
There is a flawed argument that says, “If you don’t commit crimes, then you don’t have anything to hide.” That same person will protest if you try to get their bank password or rifle through their financial papers.
Your natural right of privacy is not negated because of someone else’s presumption of your behavior.
The Risk and Consequences of Losing Privacy
We have industry rules that protect credit card data (PCI DSS), laws that protect health information (HIPAA), and the European Union has its data privacy law (GDPR). California’s new privacy law (CCPA) is now in effect as well.
However, laws do not stop data breaches (e.g. breaches at Yahoo, Facebook, LinkedIn, various federal and state agencies, Equifax, or Marriott).
These are now everyday occurrences. You cannot stop a third party from being breached; what you can control is how much of your data they hold in the first place.
Laws also don’t stop criminals who intend to steal from you. A television can be replaced if it is stolen, but if someone steals your identity, it may take years or even decades and thousands of dollars to fix. The emotional and financial damage will be very difficult for your family. Surveys regularly report that a large share of small businesses close within a year of a data breach.
A loss of privacy or anonymity can also open up the possibility of physical harm if you are part of an oppressed group, are in witness protection, have a stalker, or are a whistle-blower.
Evaluating your Threat
The first step to secure your digital life is to do a “Threat Modeling” assessment.
The Electronic Frontier Foundation recommends asking these questions:
- What do you want to protect?
- Who do you want to protect it from?
- How likely is it that you will need to protect it?
- How bad are the consequences if you fail?
- How much trouble are you willing to go through in order to try to prevent consequences?
Answering these questions can help you systematically apply digital security tools, privacy procedures, and legal tools that you need to use to protect you and your family.
- If you want to protect yourself from identity thieves and data breaches, then you may only need some basic tools and procedures. (see Appendix A below)
- If you are a law-enforcement officer protecting your family, want to protect yourself from a stalker, or want to stop corporations from collecting and selling your data, then you need to add more advanced tools and procedures.
- If you are a victim of abuse, or you are an investigator or a journalist in a freedom-restricted country, then you need to take more radical steps.
Typically, the security and privacy you maintain will require inconveniences in your everyday life. You have to decide your balance of privacy, security, and convenience.
What actually needs protection?
Below are items in your personal life that need protection:
- Home Address
- Mobile phone number (this is the new identifier for public data)
- Your likeness
- Financial and medical account information (medical records are reported to sell for many times the price of financial data on criminal markets, because they cannot be cancelled and reissued the way a card can)
- Online account logins and passwords (including email, entertainment, etc.)
- Other general Information: Location, purchasing habits, websites visited, etc.
Reduce Your Attack Surface
Your mobile phone number, email addresses, and home address all are places where criminals and other bad actors can start their activities against you.
They will attempt to phish, spoof, attack, crack, or social engineer their way past your physical or digital defenses to get what they want. If they do not have those starting points, they cannot even begin.
This “Attack Surface” can be minimized by:
- Reducing the publicly available information about yourself by opting out of collection, by removing what information you can, and by legal misdirection.
- Compartmentalizing available information so you remove the ability for your information to be combined and matched from different sources.
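The “combined and matched from different sources” problem is record linkage, and it is worth seeing how little it takes. The following is an added example, not code from the original page: it joins records from several constructed sources on any shared identifier (a phone number or e-mail address), the way a data broker or a doxer builds a dossier, and then shows that giving each context its own number and alias breaks the join. Every name, number, site and alias below is invented.

```python
"""Added example (not from the original page): record linkage, the way data
brokers and doxers build a dossier by joining fragments that share any
identifier. All records below are constructed; the people, numbers, sites and
aliases are invented."""

LINK_FIELDS = ("phone", "email")  # identifiers matched across sources


def _norm(field, value):
    """Normalize so '(555) 010-0142' matches '5550100142' and e-mail
    comparison is case-insensitive."""
    if field == "phone":
        return "".join(c for c in value if c.isdigit())
    return value.strip().lower()


def link_records(records):
    """Cluster records that share any identifier, transitively (union-find).

    Two records merge if they share a phone OR an e-mail, so one reused
    identifier is enough to chain otherwise unrelated sources together.
    Returns a list of merged profiles; each keeps the first value seen for a
    field plus the list of sources that contributed."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    first_seen = {}  # (field, normalized value) -> index of first record with it
    for i, rec in enumerate(records):
        for field in LINK_FIELDS:
            if field in rec:
                key = (field, _norm(field, rec[field]))
                if key in first_seen:
                    parent[find(i)] = find(first_seen[key])
                else:
                    first_seen[key] = i

    clusters = {}
    for i, rec in enumerate(records):
        merged = clusters.setdefault(find(i), {"sources": []})
        merged["sources"].append(rec["source"])
        for field, value in rec.items():
            if field != "source":
                merged.setdefault(field, value)
    return list(clusters.values())


def profile_containing(profiles, field, value):
    """Return the merged profile that holds the given field value, or None."""
    for profile in profiles:
        if field in profile and _norm(field, profile[field]) == _norm(field, value):
            return profile
    return None


# Constructed: a gym's member list, a people-search site, and a breached forum.
# No single source maps the person's name to a home address or a breached login.
REUSED = [
    {"source": "gym", "name": "J. Doe", "phone": "(555) 010-0142",
     "email": "jdoe@example.org"},
    {"source": "people-search", "phone": "5550100142", "address": "12 Oak St"},
    {"source": "forum-breach", "email": "JDoe@example.org",
     "password_hash": "constructed-hash"},
]

# Same person, but each context was given its own number and e-mail alias
# (the pattern this page recommends with MySudo and Abine Blur).
COMPARTMENTED = [
    {"source": "gym", "name": "J. Doe", "phone": "(555) 010-0777",
     "email": "gym.x1@alias.example"},
    {"source": "people-search", "phone": "5550100142", "address": "12 Oak St"},
    {"source": "forum-breach", "email": "forum.q9@alias.example",
     "password_hash": "constructed-hash"},
]

if __name__ == "__main__":
    print(profile_containing(link_records(REUSED), "name", "J. Doe"))
    print(profile_containing(link_records(COMPARTMENTED), "name", "J. Doe"))
```

With the reused identifiers, one profile ends up holding the name, the home address and the breached forum login; with per-context numbers and aliases, the name attaches only to what the gym itself knew. Note that the people-search record still exists in the second case; compartmentalizing does not remove data, it stops it from being chained.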
Pro Tip – Never give false information to banks or government officials. Using an alias or withholding your information for non-criminal purposes is generally legal, but check the rules that apply where you live.
Free Stuff for All
One of the more concerning Privacy issues is that we are trained to compromise our own privacy to get free stuff or services. Your data is very valuable to others.
If the product or service is free, then you are the product. – Michael Bazzell, Privacy Consultant
Google and Facebook (which also owns Instagram) are among the largest companies that profit from our data. See the documentary The Creepy Line and the Breitbart town hall ‘Masters of the Universe’. Many companies (your credit card company, gym, union, grocery store, etc.) sell their customer information. Your employer, your city, and your state have sold data about you. The California DMV has made over 50 million dollars from the sale of its data.
Publicly gathered and shared data is also problematic. This data has been gathered, indexed, sold, and resold for everyone to see. According to some recent high-profile news reports, people have had information dug up from 10-40 years ago and this information is now jeopardizing their careers.
Just because you don’t have a good reason for privacy today does not mean you won’t have a good reason tomorrow.
- What if you were involved in an incident and the media started camping out at your home and digging into your life? Or, finding out where all your family members live?
- What if someone wanted to Dox you for sport or revenge? (“Doxing” is the purposeful release of your private and public information by others in a public forum with the intent to harm or intimidate you)
- What if someone wanted to SWAT you? (“Swatting” is someone impersonating you and creating a hoax, such as a report that you are holding hostages. When the SWAT team breaks into your house, you may get shot.)
- What if someone wanted to temporarily steal your phone number by “SIM swapping” and then take over your online accounts through SMS-based password resets? (This is relatively easy.)
- What if you came across political or business corruption by organized crime and wanted to report it?
Do you go purchase a fire extinguisher when your house is on fire? Or is that something to do before you need it?
You should start today to build your privacy “safe house” before you are a victim of identity theft or doxing. If you don’t protect your family with basic steps, then when something happens, it will be too late to fix things.
- Basic privacy and digital security techniques can be done immediately.
- More advanced and follow-up privacy techniques should then be applied over the next few months and years.
- Review your threat model and privacy effectiveness on a regular basis.
How do I Start?
Below are suggestions for how you can start your privacy and digital security over the next month. (You can also listen to podcast #58 starting at 20:30) https://inteltechniques.com/podcast.html
- Lock down your social media – It’s not as private as you think! Delete old content and comments. Reduce the amount you share. Consider deleting all content, then after a few months delete the accounts. Google, Facebook, and Instagram are the three worst social media platforms for privacy.
- Use a Password Manager – You need an encrypted way to record information and to generate strong, unique passwords for each account. Start to create unique logins.
- Implement two-factor authentication (2FA) on all accounts – SMS codes to verify your login are better than nothing but are vulnerable to SIM swapping. A generated one-time password from an authenticator app (better), or a physical security key like a YubiKey (best), greatly increases your account security. Store each account’s backup/recovery codes in your password manager so losing the phone or key does not lock you out.
- Do a digital account review, cleanup, and then migration to encrypted platforms – Delete unneeded data. For accounts that you do not need anymore, randomize the account information, then delete the account. Move from less secure and less private services (Yahoo, Hotmail, OneDrive, Evernote, etc.) to encrypted and privacy-focused services such as Protonmail, Tutanota, etc. Look for ones that are “zero knowledge”, meaning your stored data is encrypted with a key the provider does not hold. Even these providers still see who you correspond with and when.
- Purchase a PO Box and CMRA (Commercial Mail Receiving Agency) address – Do not associate your name with your home address. Start sending mail and packages to these services. Try to get the PO Box or CMRA address on your driver’s license (the rules for this vary by state).
- Secure your data in motion – The sites you visit (through DNS lookups and connection metadata), your SMS texts, and your phone call metadata are all visible to your ISP or phone provider, and that information is sold. HTTPS hides the content of a page but not which site you connected to. Use encrypted communications, and use a recommended VPN provider on your devices and home router so that your ISP sees only the VPN tunnel.
- Protect your phone number – SIM swapping, where a criminal steals your phone number to get access to your accounts, is on the rise, so do not give out your real phone number; use an alternative number from Google Voice or MySudo. You should have three or four (or more) phone numbers to segregate the parts of your life. Marketers treat your mobile number as a more useful identifier than your social security number, because it is freely shared and can legally be used to link records about you.
- Protect your email address – Do not give out your real email address; give out a unique alias email address from Abine Blur or 33Mail. I quickly generate a new email forwarding address for each new website I create an account with. Banks get a real email address.
- Opt out of all data collection – Opt out when you can. Remove online records where you can. Your data is collected and then resold many times over, so you have to be prudent and search for this data several times a year. Get the free workbook at http://inteltechniques.com to help you with this process over the next few months.
- Implement a Credit Freeze for every member of your household – A Credit Freeze is now free for all adults and children. Identity theft of minors is a growing problem because discovery of problems can take years.
- Lock down all your devices – mobile, laptop, desktop, and routers. Make sure your devices have all the necessary security updates. Remove applications you do not need. Be suspicious of every app, because many free apps have spyware capabilities. Lock down privacy settings and review them after OS updates. See the 30-day security challenge below.
Appendix A – Tools to Get Started Quickly
LastPass – https://www.lastpass.com (Password Manager – Beginner)
- Free – Create and store strong passwords for websites and other information such as credit card numbers, passport scans, software licenses, secure notes, etc. LastPass is encrypted and cloud based. It has apps for iPhone, Android, and different web browsers.
- Paid – LastPass for Families lets you share password folders with your family or business.
When you are new to LastPass or any other password manager, you will find there is a learning curve to using it effectively. Start with a few accounts that you use on a regular basis and have LastPass generate strong passwords of 15 or more characters for them. When you are more comfortable, go back through every online account and have LastPass generate a new, unique, strong password for each. Then start making your usernames random as well.
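Why “15+ characters” is the guidance: a password manager does not pick memorable strings, it picks uniformly random ones, and the strength of such a string is purely a matter of length and alphabet size. The following is an added example, not code from the page or from LastPass, showing the kind of generator a password manager uses (built on the OS random source) together with the entropy arithmetic and a worst-case cracking-time estimate. The symbol set and the guess rate of 10^12 per second are assumptions chosen for illustration.

```python
"""Added example (not from the original page or LastPass): how a password
manager's generator works and the arithmetic behind '15+ characters'. The
symbol set and the guess rate below are assumptions for illustration."""
import math
import secrets
import string

SYMBOLS = "!#$%&*+-=?@^_"  # assumption: a symbol set most sites accept
ALPHABET = string.ascii_letters + string.digits + SYMBOLS  # 75 characters
MIN_LENGTH = 15  # the page's guidance for generated passwords


def generate_password(length=20, alphabet=ALPHABET):
    """Uniformly random password from the OS CSPRNG (secrets, never random)."""
    if length < MIN_LENGTH:
        raise ValueError(f"generated passwords should be {MIN_LENGTH}+ characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_username(length=12):
    """Random lowercase username so the login itself is not guessable either."""
    return "".join(secrets.choice(string.ascii_lowercase + string.digits)
                   for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string: length * log2(alphabet size).
    Only valid for generated strings; human-chosen passwords have far less."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second=1e12):
    """Worst-case time to try every possibility at the given offline rate
    (1e12 guesses/s is an assumed figure for a well-funded cracking rig)."""
    return (2 ** bits) / guesses_per_second / (365.25 * 24 * 3600)


def strong_enough(length, alphabet_size=len(ALPHABET), minimum_bits=80):
    """Policy check: reject anything under `minimum_bits` of generated entropy."""
    return entropy_bits(length, alphabet_size) >= minimum_bits


if __name__ == "__main__":
    pw = generate_password()
    print(pw, round(entropy_bits(len(pw), len(ALPHABET)), 1), "bits")
    for n in (8, 15, 20):
        bits = entropy_bits(n, len(ALPHABET))
        print(f"{n} chars: {bits:.1f} bits, {years_to_exhaust(bits):.2e} years")
```

With this 75-character alphabet, 8 random characters is about 50 bits and falls to an offline attack in minutes, while 15 characters is about 93 bits and is out of reach for any realistic attacker; the gain from each extra character is the same 6.2 bits. The usernames matter too: a random username means an attacker who buys a breach dump cannot even find your account to attack.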
KeePass – https://keepass.info/download.html (Password Manager – For Experts)
- Free, open source – This password manager stores all passwords locally in a database file secured with a master password and/or a key file. Because nothing is synced for you, back up your KeePass database (and the key file, separately) yourself; you have more control and more responsibility.
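Since KeePass leaves backups entirely to you, a backup that is copied but never verified is a common failure. The following is an added example, not code from the page or the KeePass project: a small routine that copies the .kdbx file to a timestamped backup, verifies the copy by hash before trusting it, and prunes old copies. The database file is encrypted at rest, so it is safe to copy anywhere; the key file, if you use one, should be backed up separately from the database. The paths and the demo contents are assumptions.

```python
"""Added example (not from the original page or the KeePass project): a
verified, rotated backup of a KeePass .kdbx file. The database is encrypted
at rest, so copying it is safe; what you must not lose is the file itself
(and any key file, which belongs in a separate backup). Paths and the demo
contents are assumptions."""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path):
    """Stream the file through SHA-256 so large databases do not load into RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_database(db_path, backup_dir, keep=10, now=None):
    """Copy db_path to backup_dir/<name>-<UTC stamp>.kdbx, verify the copy's
    SHA-256 matches the source, then prune to the `keep` newest copies.
    Returns the new backup's Path; raises (and removes the copy) on mismatch."""
    if keep < 1:
        raise ValueError("keep must be at least 1")
    db_path, backup_dir = Path(db_path), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(now))
    target = backup_dir / f"{db_path.stem}-{stamp}{db_path.suffix}"
    shutil.copy2(db_path, target)  # copy2 keeps the source mtime
    if sha256_of(target) != sha256_of(db_path):
        target.unlink()
        raise IOError(f"backup {target} did not verify against {db_path}")
    # Timestamped names sort chronologically, so the oldest come first.
    backups = sorted(backup_dir.glob(f"{db_path.stem}-*{db_path.suffix}"))
    for old in backups[:-keep]:
        old.unlink()
    return target


def demo(keep=2):
    """Self-contained run against a constructed file in a temp directory.
    Returns (backups remaining, oldest still present?, newest verifies?)."""
    root = Path(tempfile.mkdtemp())
    db = root / "vault.kdbx"
    db.write_bytes(b"constructed placeholder bytes, not a real database")
    made = [backup_database(db, root / "backups", keep=keep, now=1_600_000_000 + i)
            for i in range(keep + 1)]
    remaining = list((root / "backups").glob("vault-*.kdbx"))
    return len(remaining), made[0].exists(), sha256_of(made[-1]) == sha256_of(db)


if __name__ == "__main__":
    print(demo())
```

Run it from a scheduled task pointed at your real database and a backup folder on a second disk or in your own encrypted cloud storage. Keeping several generations matters because a corrupted database overwrites a single backup silently; a verified copy from last week is what saves you.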
LastPass Authenticator – https://lastpass.com/auth (One Time Token Generator)
- Free – This creates one-time password (OTP) tokens for two-factor authentication (2FA). This authenticator can be set to back up into LastPass, so if you replace your phone you can recover all your entries.
Authy – https://authy.com/ (One Time Token Generator)
- Free – This creates one-time password (OTP) “tokens” for two-factor authentication (2FA). This authenticator can be set to back up to the cloud, so if you replace your phone you can recover all your entries. That backup holds the secrets behind every code, so protect it with a strong backup password.
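What an authenticator app actually does, and why it is not exposed to SIM swapping, is easier to see from the algorithm than from the marketing. The following is an added example, not code from the page, LastPass, or Authy: the TOTP algorithm (RFC 6238, built on RFC 4226 HOTP) as these apps implement it, plus the server-side verification with a clock-drift window and a constant-time comparison. The code depends only on a shared secret and the clock, so no phone number or SMS channel is involved. The only secret used is the RFC’s own published test-vector secret; `secret_from_base32` and the other names are this example’s, not any vendor’s API.

```python
"""Added example (not from the original page, LastPass, or Authy): the TOTP
algorithm (RFC 6238, built on RFC 4226 HOTP) that authenticator apps run.
The code depends only on a shared secret and the clock, which is why it is
not exposed to SIM swapping the way an SMS code is. The only secret used is
the RFC's own published test-vector secret."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / 6238 test-vector secret: the ASCII string "12345678901234567890".
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: dynamically truncate HMAC(secret, counter) to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6, digestmod=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits, digestmod)


def verify_totp(secret, candidate, at=None, window=1, step=30, digits=6):
    """Server-side check: accept the current code or `window` steps either
    side (clock drift), comparing in constant time. A real server must also
    remember codes it has accepted so a stolen code cannot be replayed."""
    at = time.time() if at is None else at
    for skew in range(-window, window + 1):
        expected = totp(secret, at + skew * step, step=step, digits=digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def secret_to_base32(raw):
    """Encode a raw secret the way a provisioning (otpauth://) URI shows it."""
    return base64.b32encode(raw).decode().rstrip("=")


def secret_from_base32(b32):
    """Authenticator apps receive the secret as base32 from the QR payload,
    often shown unpadded and with spaces; decode it back to raw bytes."""
    cleaned = b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    print(totp(RFC_SECRET, at=59, digits=8))  # RFC 6238 test vector: 94287082
    print(totp(RFC_SECRET))                   # what the app would show right now
```

Two practical points follow from the code. The base32 string in the enrolment QR code is the whole secret: anyone who photographs it, or who reads an unencrypted authenticator backup, can generate your codes forever, which is why that backup needs its own strong password. And because the server accepts a small window of codes, a phished code is usable for about a minute; a hardware key (the “best” option above) closes that gap because it signs a challenge bound to the real site.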
Signal – https://signal.org (Messaging App – for Beginners)
- Free/Donation – Signal is end-to-end encrypted instant messaging and voice/video calls. Use this instead of texting or using your voice line on your mobile phone, as the phone company keeps a copy of SMS texts and keeps location and call metadata for 5+ years. You will need to share your mobile number to register.
Threema – https://threema.ch/en/ (Messaging App)
- Paid – Threema got high praise from Steve Gibson of the Security Now! podcast. You pay once for the app. Use this instead of texting or using your voice line on your mobile phone, as the phone company keeps a copy of SMS texts and keeps location and call metadata for 5+ years. You don’t need to share any personal information with Threema.
Wire – https://wire.com/en/ (Messaging App)
- Free/Paid – Wire is free for consumers and paid for businesses or organizations that need team features. Use this instead of texting or using your voice line on your mobile phone, as the phone company keeps a copy of SMS texts and keeps location and call metadata for 5+ years. You don’t need to share any personal information with Wire.
Protonmail – https://protonmail.com (Encrypted and Secure Email)
- Free – This is a “zero knowledge” email account: mail stored in your mailbox is encrypted with keys Protonmail does not hold, and mail to other Protonmail users is encrypted end-to-end. Email to outside addresses is not encrypted unless the recipient has PGP set up. Subject lines and sender/recipient addresses are not end-to-end encrypted, so the provider still sees who you write to. Protonmail replaces Yahoo, Hotmail, Gmail, etc.
- Premium – (recommended) It has more email space and five email aliases
- Premium Package – Protonmail and ProtonVPN (see below)
Tutanota – https://tutanota.com (Encrypted and Secure Email)
- Free – This is a fully encrypted “zero knowledge” email account and is encrypted end-to-end with other Tutanota users. It replaces Yahoo, Hotmail, Gmail, etc.
- Premium – (recommended) It has more email space and email aliases
ProtonVPN – https://protonvpn.com (Virtual Private Network)
- Free – ProtonVPN has a limited free tier. Do not use other free VPN apps: many log or sell your traffic, and some are outright malware.
- Paid – Allows more devices and faster speed
Use a paid VPN to secure your mobile devices/computers on public Wi-Fi or to keep your ISP from selling your browsing data. A VPN moves that visibility from your ISP to the VPN provider; it does not make you anonymous to the sites you log in to.
My Sudo – https://mysudo.com (Virtual Mobile Numbers)
- Free – Lets you create 3 email “personalities” but can only communicate with other MySudo users. Encrypted.
- Premium – It creates 1, 3 or 9 “personalities” on your phone with email addresses and phone numbers. It separates out family, friends, work, dating, Craigslist contacts, etc. Then, you never have to give out your real phone number. It is good to protect you from “sim-swappers” who temporarily steal your phone number to steal your online account with a password reset. Calling/Texting/Emailing other MySudo users is encrypted, but Calling/Texting/Emailing non-MySudo contacts is not encrypted.
Abine Blur – https://dnt.abine.com (Virtual Email Addresses/Virtual Credit Cards)
- Free – It masks email addresses. You create unique random email addresses to forward to your real email account. This way you don’t ever have to give out your real email address anymore. I use this for every new non-critical website that I create an account on.
- Premium – It masks credit card numbers and creates single-use or single-vendor credit cards, so your real credit card number isn’t stored on a website. I don’t use this feature much.
33mail – https://33mail.com (Virtual Email addresses)
- Free/Premium – This creates a masked email subdomain that forwards any email to your real email address. I don’t use this as much as Abine Blur.
Privacy.com – https://privacy.com (Virtual debit cards)
- Free – It masks debit card numbers. It creates single-use or vendor locked debit card numbers, so your real debit card number isn’t stored on a website. You can use a fictitious billing name and address.
- Paid – Create more Privacy cards per month. Can get 1% back on each charge.
The free tier has no cost to you because Privacy.com is paid from the merchant interchange fee. It does need an access token for your checking or savings account (PayPal works the same way), so you are trusting Privacy.com with that connection.
Credit Freeze and Data Removal Workbook – https://inteltechniques.com/data/workbook.pdf
This is updated every month. Do the public data removal and then the credit freeze procedure. It will take a few weeks or months to start being effective. In addition, you will have to revisit this on a quarterly or semiannual basis.
Social Security Administration – https://secure.ssa.gov
Secure and review your Social Security account on a regular basis.
Secure your Mobile Devices – https://operational-security.com/thirty-day-security-challenge/
Apple iPhones are easier to lock down for privacy than Android devices, so consider purchasing one for your next mobile device. Use the device encryption. It is recommended to do security updates on a weekly basis. Don’t use iCloud for backup: standard iCloud backups are not end-to-end encrypted, so Apple (and anyone who can compel Apple) can read them.
Start using privacy-oriented apps –
Most mobile “utility apps” are not needed and some are malware. Remove social media and unused apps. Be very cautious of “free” apps. Review your device’s privacy and security settings monthly and again after updates.
Desktop/Laptops – https://operational-security.com/thirty-day-security-challenge/
Windows 10 is horrible on privacy. Consider a Macintosh (better) or a Linux (best) computer, with the Intel Management Engine disabled where the hardware allows it, for your next laptop or desktop. Freshly reinstall the operating system. Use whole-disk encryption. Run as a regular user (not as Administrator) for daily work. Apply recommended security updates on a weekly basis.
Use privacy-oriented software –
Remove unused apps. Run any suspicious or problematic software inside a virtual machine or software sandbox.
More Privacy Resources
- https://www.securemessagingapps.com/ (not updated but still valuable)