Sat Nam! This Winter Solstice time has been filled with profound stillness and deep joy. As we emerge into the new year, the seeds we have planted in our own consciousness at the most sacred time of the year begin to germinate, take root and expand. As the year begins, I write about Online Privacy, a subject which seems to be front and center in daily headlines and a hot topic of controversy.
You've probably seen the confusing, contradictory headlines: There was a rule that was set to go into effect by the end of 2017 that would require ISPs to get our approval before they used or sold our usage history, location information and browsing history. There are rules permitting ISPs to use and sell our Social Security numbers. Breaking! ISPs indicate that they already give us the option to opt in or out of the information they collect! Privacy as a user perk - or right - is becoming big news.
Given the changes and the improved disclosure that Windows 10 Creators Update is bringing to privacy options, it's clear that it's not just the ISPs that need to be more transparent with what they do with their collected data. We all want our vendors to tell us what they are doing and what they are collecting.
I disagree with the articles and headlines that imply that ISPs can sell our Social Security numbers. In the United States, Social Security numbers and credit card numbers are considered PII, or Personally Identifiable Information. This is normally an item that is legally protected, and safeguarding that data should be considered good business. If any business used, abused, or exposed PII data on a regular basis, it would probably not be in business for too long.
Also, be aware of how the basic building block of Internet security, the SSL certificate, protects your information from your ISP's prying eyes. When your browser makes a secure connection to another Web site, it is protected by an SSL "handshake" that encrypts the connection between your computer and that server. Your ISP cannot see the exact details of the transaction you make in that SSL encrypted tunnel. Your ISP can see when you are going to a site, but not what you do on that site.
Are We Really Private?
I was reminded of a 2014 radio story called "Project Eavesdrop: An Experiment At Monitoring My Home Office." A journalist from NPR, Steve Henn, joined forces with Sean Gallagher, a reporter at the technology site Ars Technica, and Dave Porcello, a computer security expert at Pwnie Express. Henn purposely allowed them to intercept all of his internet traffic and see what they could tell him about himself. They used an eavesdropping device to review what was transferred to and from his computer and cell phone. The device, called "Pwn Plug," was connected to his home network connection.
Listening to the program, I was reminded of all of the information that our devices send back to device vendors as well as to the ISPs that provide us with Internet connectivity. As noted in the program, the journalist's iPhone showcased a treasure trove of information, including sending "my location data as unencrypted text [to Yahoo]. The phone connected to NPR for email. It pinged Apple, then Google." Using that data they could also review the subject of his Google searches, but not the exact content. As the story indicated, there were many times that older computers and servers were used and were not as protected as they should have been. As a consumer of many different websites and servers, you often have no control over the protection and privacy these remote computers give your information.
Steps You Can Take
We want to be safe and secure on the Internet but often don't do what we should do. We should pick better passwords. We should pick multiple passwords and we don't. We should review privacy policies of all of our vendors. And we should push our vendors to be more transparent about what they collect from us and how they use it. The website Privacy Paradox has a multi-day newsletter and podcast to educate and remind us of how our privacy is under attack.
Some of the steps the Privacy Paradox site recommends include the following:
- Change your privacy settings on your browser and in social media. Check out the steps for Chrome, Firefox, Twitter, and Facebook.
- Create strong, unique passwords.
- Use encrypted apps.
- Turn on two-factor authentication for your key accounts (like email). It's a simple additional layer of protection against hacking.
They further recommend even more steps to keep your information private:
- Write a letter and put a stamp on it.
- Use a password manager for all your super-strong passwords.
- Try DuckDuckGo, a secure search engine.
- Take the Tor browser for a test drive.
- Learn to guard against phishing and malware.
- Install the HTTPS Everywhere plugin for your browser, to minimize what data gets sent without encryption.
- Learn how to encrypt all your Internet traffic.
- Use Privacy.net's privacy analyzer tool to show you exactly what data is being exposed by your web browser.
Is the Internet an Option?
Recently U.S. House Representative Jim Sensenbrenner (R-WI) got into hot water by implying that the Internet was not a right, saying that "nobody's got to use the Internet" and that we could choose to walk away from this privacy battle by not going online in the first place. I am starting to find that more and more, not having some sort of online presence is a detriment, and in fact, it's quite difficult to not have Internet access. Many pension and retirement companies now require an email address and the ability to receive payments online to a bank account in order to process payouts. Schools, healthcare and businesses are starting to mandate that people go online to access services and information.
Use a VPN?
You may have seen several articles online recommending the use of VPN services as a means to protect your online surfing. But review the privacy policies of the VPN provider as well. Make sure you are not swapping the privacy policies of your ISP for lesser privacy policies of a VPN provider. I’ve been through several VPN services and finally settled on ExpressVPN which works on all phones and computers.
I would also be wary of "free" VPN services, as companies have to make their income in some fashion and you may be the item they use to increase their revenue. Anytime you see anything advertised for free, you should remember the old adage that nothing in life is free, and if it is, then you are the product being sold.
Bottom line: Take the time to step back from the headlines and understand that even if this proposed FCC law was going to take effect, we shouldn't rely merely on our government or laws to keep us private. We should take action and add software and solutions to take back control of our privacy and not depend on others to do it for us.
You can help make this column better by sharing your topic suggestions, tips or experiences you have had with your own tech with the Sangat through this column in our Ashram newsletter. Email me and tell me your story, and keep sending me your suggestions for column topics, along with your own favorite smartphone app recommendations and reviews so I can share them here. Just email them to me at [email protected]