If you have been online for more than ten years, most of the mistakes in terms of leaking your digital footprint to Big Tech and other lesser organisations have already been made. We all remember the infamous "2012 LinkedIn hack" where 6.5 million accounts and their passwords were hacked and sold. It happens all the time. Not too long back, I had a reminder from LinkedIn to set up a mobile number to increase my online protection. "Okay, so you allowed your platform to get hacked whereby personal data was stolen. Now you want me to expose myself to that risk whilst also handing out my mobile number?" Now, there has been an alleged breach in June 2021.
At Info Rhino, we have zero interest in our users using passwords to access our website. Where passwords are essential due to legacy software, other steps should be taken.
If you have been online for less time, start taking the steps now to secure yourself online. Whilst not a bulletproof article, we hope that some of these steps will help your online experience to be a little safer.
Talk to us at Info Rhino about this
Finally, Info Rhino cannot be held accountable for issues you encounter in following this advice.
Before getting into the meat of the article, we must address "the elephant in the room": businesses want to know more about their customers. We can then move on to helping users and businesses think about their online presence and security.
Whether you are a business or an individual, we hope this article provides valuable insights into how we view online privacy and security. We have tried to not speak too technically.
This article is very much aimed at the individual thinking about protecting themselves online, so it will be very interesting for many people to see some of the ideas around this. Potential clients will read this and think: why is a company involved in data and information trying to help users to remain harder to identify online? Instead we should be asking: why do we want to identify users online? What is the benefit of identifying users online? A simple example will suffice.
Currently, when buying products and services online, we hand over all of our card details every time. We don't know where these card details go, there are multiple gateways between you and your bank, and whilst it is encrypted and we are unlikely to see fraud, it happens a lot. There is a growing online solution: already we are seeing the growth of cryptocurrencies to replace this precarious card payment system. The need to keep revealing yourself and risking your information being taken and you being defrauded is becoming a less common occurrence.
The reason companies wish to understand more about their customers is the increased benefit from using machine learning and artificial intelligence to try and understand the persona of a customer. If we can understand more about what a customer is interested in, we can tailor our services more specifically to what they require, or recommend products that they may wish to buy. This can be a great benefit to a customer or a great irritation. Social media platforms try to maximise this by presenting a range of items they think their customers can benefit from.
Another reason companies wish to keep in contact with their users is that they can keep sending them things they may be interested in. There is nothing wrong with this. However, do we need to know everything about a person? Do we wish to risk doxing them to other third parties? How serious is reputational loss to our business?
Where we may need to think about who our users are is when our website has a community. Is it appropriate to just have a website featuring anonymous users? Don't we care more about the actual content that is being shared? Should that not be our focus?
Do we need our websites to feature passwords? Do we really think we're providing our users with a better and safer online experience by storing their passwords within our platform?
We must appreciate that users want to achieve an objective. Once we understand that, we can move forwards.
So, how can I protect myself from online threats?
When thinking of ways to protect ourselves online, we are often advised to do things like:
Not use the same password across different websites
Update your software and operating system frequently
Use two factor or three factor authentication
Not revealing too much information online about you which is personal or sensitive
Using a VPN when accessing websites and online content
Ensuring the connection to the website shows a padlock and is secure
The above are all good ways to protect yourself online. The problem is they leak out information about you, continually doxing yourself, and revealing too much information about your digital footprint online. Sometimes, this can't be helped.
Often, what we are told protects us, like cookie policies, is really old hat. Browsers can use hardware detection to uniquely identify a user. This information won't be ubiquitous across websites but, rest assured, companies will be using this approach.
As a data person who builds reporting systems and analytics, and who has built website scraping engines to connect content from different websites, I find it remarkable how, when you collect small fragments of information, these can be connected to other information to build a much more powerful picture. Just think about a postcode: what does it tell people about your surroundings? From that single piece of data, we can figure out the age demographics of your area, know the population, know how many entertainment venues are nearby, what towns are near you, what the crime rates are in these areas, and what the general health conditions of the population are. Someone could look up local news items and feign being local to build up your trust.
An even better anchor is an email address. The majority of individuals use one single email address to go about their business. The idea of having many email addresses is too much to contemplate for most people. If your main email address is over 10 years old, it's probable that you will have used it for online shopping, booking holidays, ordering medication and communicating with friends. Worse, it is likely this email address will be tied to your Facebook account, your Twitter account and perhaps your YouTube account; you probably have your Google account linked to this address too. It is likely your mobile number is attached to it. Your bank account will be tied to this email address, and it is likely you will have set up any cryptocurrency account linked to it as well.
The good news: even where we have this kind of common link, it is still incredibly hard for artificial intelligence and analytics to process data to accurately understand a person. What is likely to happen is that these types of media will be analysed and monitored for signals or keywords; these triggers would be the potential cue to investigate the accounts in more detail to see if anything of interest is appearing on them. More worrying is the Minority Report type scenario; this is a real risk. With advances in machine learning and artificial intelligence, we can already find patterns in seemingly unrelated data to help us potentially identify particular groups of activities and individuals.
A theoretical and genuine example, which may seem implausible, is a child attending a nursery where a digital fingerprint scanner is used for entry to the premises. These scanners didn't work that well. If we think about what a fingerprint actually is, it is a 2D projection with a series of lines which can be mapped onto a chart or into an array of vectors; the software then tries to see whether a new image matches this array. Of course, this data should be encrypted or hashed to prevent people reusing it for other purposes. It can be hard to know who the company developing the software was, and how the data is stored. For the average person that should be quite hard to uncover. Given that we often put our photos online on social media, this may seem a little bit paranoid, but we have to think about who has access to the data and in what context that access takes place. Whilst not advisable, if we put a photograph of us at a venue having fun on Facebook, we know or think that this information is at least protected and shown only to friends and potentially friends of friends. We don't imagine our employer or child's school has access to all the children's parents' Facebook accounts to see what they get up to. What immediately concerns us is the following. Could a fingerprint be mapped to indicators to determine IQ? Temperament? Imagine if this information could be used to determine what level of attainment a child should be taught at.
We should remain aware that whenever we write and post content online, our written text is also a unique fingerprint. Undertaking this kind of analysis isn't a trivial task; often, trying to identify people's online presence across different platforms will be more trouble than it is worth. We still must not underestimate the future potential for this technology to track all manner of information.
Another important consideration is the right to protest, the right to have a voice. Most employers place conditions on their employees to maintain a certain level of conduct in their non-professional capacity. This often means people can't voice opinions openly. A real challenge to this is that some opinions can be considered hateful. Even opinions on seemingly non-contentious issues can be misused. Every time you put something online, you place yourself in the court of public opinion. What is okay to say today may not be okay to say in the future. April 2022 - Elon Musk has put in a takeover bid for the control of Twitter at a time when it seemed the freedom of speech question was only heading in one direction. Does this mean we shouldn't concern ourselves with protecting our digital footprint? Not at all.
Anonymity
Proximity
Fragmentation
Temporality
Obfuscation
We often hear cries of "I've nothing to hide". Everybody has something to hide, even if it has no potential for harm. Even where it isn't criminal, and we know that law shouldn't be retrospective in most cases, there are risks to leaving too much about your identity online. Being anonymous online offers some degree of protection for an individual.
In our earlier, seemingly far-fetched example of the fingerprint scanner at a school, the problem we have is proximity. A fingerprint scanner in itself may not be a big deal; it is that it is directly linked to the educational establishment, and the distance between that information and using it for different purposes within the context of the educational establishment is quite narrow.
The more places where our information is spread, the harder it is to link. If our information is all in one place, it is far easier for somebody to find out anything about you.
This is a very esoteric point to consider with regards to data. We may think that having access to a person's emails, interactions on social media, purchasing habits and dating preferences is going to be an easy thing to put together. It isn't. Developing effective Change Data Capture systems is vital if we are to be able to connect up information.
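The effect of a single email address as an anchor, and of fragmentation as the counter to it, can be checked on a list of your own accounts with record linkage. This is an added example, not code from Info Rhino; the records, addresses, phone numbers and the `link_records` function are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (all values made up): what four services hold
# about one person who uses a single address, and about one who fragments.
SINGLE_ANCHOR = [
    {"source": "shop", "email": "pat@example.com", "postcode": "AB1 2CD"},
    {"source": "social", "email": "Pat@Example.com", "phone": "07000000001"},
    {"source": "bank", "email": "pat@example.com", "phone": "07000000001"},
    {"source": "estate_agent", "email": "pat@example.com", "postcode": "AB1 2CD"},
]
FRAGMENTED = [
    {"source": "shop", "email": "shop-7f3@example.net", "postcode": "AB1 2CD"},
    {"source": "social", "email": "handle42@example.org", "phone": "07000000002"},
    {"source": "bank", "email": "pat@example.com", "phone": "07000000001"},
    {"source": "estate_agent", "email": "lets-a1@example.net", "postcode": "AB1 2CD"},
]


def link_records(records, keys=("email", "phone")):
    """Cluster records that share any identifier value; return sets of sources."""
    parent = list(range(len(records)))

    def find(i):  # union-find root lookup with path halving
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_seen = {}  # (key, normalised value) -> first record carrying it
    for idx, rec in enumerate(records):
        for key in keys:
            if rec.get(key) is None:
                continue
            ident = (key, rec[key].strip().lower())
            parent[find(idx)] = find(first_seen.setdefault(ident, idx))

    clusters = defaultdict(set)
    for idx, rec in enumerate(records):
        clusters[find(idx)].add(rec["source"])
    return sorted(clusters.values(), key=lambda s: (-len(s), sorted(s)))


if __name__ == "__main__":
    print(link_records(SINGLE_ANCHOR))   # one profile spanning all four services
    print(link_records(FRAGMENTED))      # four unconnected records
    # A shared postcode is a weaker link, but it still joins two of them.
    print(link_records(FRAGMENTED, keys=("email", "phone", "postcode")))
```

A postcode is shared by many households, so it is left out of the default keys; adding it shows how a weaker identifier can still join records that separate email addresses had kept apart.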
We take information which we understand and convert it into unintelligible information which is hard for others to understand.
Taking data and applying an algorithm using a key to protect it from being read without that key. A simple example: take "This needs protecting", apply an encryption key of "hello" and an encryption algorithm, and it becomes something unintelligible such as "vbhwert%$_)".
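The "This needs protecting" / "hello" example above, carried through in working code. This is an added example, not code from Info Rhino: it uses only the Python standard library (PBKDF2 to stretch the passphrase, HMAC-SHA256 as keystream and integrity tag), a teaching construction rather than a vetted cipher; the function names and the iteration count are assumptions.

```python
import hashlib
import hmac
import secrets


def _keys(passphrase: str, salt: bytes):
    # A passphrase such as "hello" is not a key: stretch it with PBKDF2 so each
    # guess is costly, then split the output into an encryption and a MAC key.
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 600_000, dklen=64)
    return material[:32], material[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 over nonce + counter, used as a pseudo-random byte stream.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(plaintext: str, passphrase: str) -> bytes:
    # Fresh salt and nonce every time, so the same text never encrypts alike.
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _keys(passphrase, salt)
    data = plaintext.encode()
    body = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, salt + nonce + body, hashlib.sha256).digest()
    return salt + nonce + body + tag


def decrypt(blob: bytes, passphrase: str) -> str:
    salt, nonce, body, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + body, hashlib.sha256).digest()
    # Check the tag before decrypting: a wrong key or altered data is rejected.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body)))).decode()


if __name__ == "__main__":
    blob = encrypt("This needs protecting", "hello")
    print(blob.hex())               # unintelligible without the key
    print(decrypt(blob, "hello"))   # the original text again
```

A short word like "hello" remains guessable however it is stretched, which is why the key itself should be long and random, for example one generated and stored by a password manager.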
Providing a means by which a central authority cannot assume control of your account. There are many reasons why this is a big deal.
When one account of an individual is hacked, this should not allow another account belonging to this individual to be hacked
To take back the choice as to when you wish to remain anonymous
To only provide information that is genuinely needed
To retain access to your information without third party interference
We will present some examples where we can take actions to protect ourselves online. You must keep an open mind when thinking these through. These are not designed to allow people to become deceptive, or to become malicious and abusive online with impunity. This is not the purpose of this discussion. Some strategies appear to be slightly hacky, but we have to balance out protecting the individual vs just playing by the rules, to avoid easier identification and assimilation of our digital footprint.
Remember, there are times when you do want to be identified online. This isn't secret police state stuff. It just makes sense to take back your digital identity.
Especially on social media platforms, we really want to avoid using a genuine mobile number. Unless we've broken that barrier whereby we don't need a job or genuinely don't care about our perception by others, we will find ourselves compromising ourselves. Opinions that may have been acceptable 10 years ago are, due to changes in social scenarios, no longer acceptable. If you wish to keep a personal account, by all means tie this to your mobile number. Instead, you can consider buying a separate mobile number, paying for an online mobile account whereby you can receive messages, or using the free online gateways whereby you can receive activation codes for different social media accounts.
Nothing is impenetrable, but there are benefits to using a password manager. As a software developer I need to know tens of accounts. Often there is two-factor authentication to handle too. It can be tempting to simply use the same password across different websites. Instead, for any website we join, simply create a new account entry in the password manager, generate a strong password and save it. This does have one potential downside: if there is no access to the password manager, you will be shut out. Most online accounts allow for password resets through an email verification. A password manager is particularly useful for work scenarios. If we have multiple clients and need to retain their settings, storing these details in a password manager is a good idea. Another benefit is that you can store files in them, in an encrypted format. It is recommended to save these in a central shareable location only you can access. Remember, what you're trying to do is to not use passwords in your essential accounts and make other access to online activity a more trivial process.
Without saying which email addresses I own, I have accounts on many different platforms. Email addresses I set up more recently use non-personal mobile numbers. This information is saved in a password manager, meaning I am very confident that I will not lose access to these accounts. Another point: I don't really need to care if I lose access to an account, as I can just set up another one. Does an estate agent need to know the same email address which might be used for your online banking or a dating website? You can even purchase your own website/email domain and hosting if you wish.
Do you need to use your name? Do you need to provide a date of birth? Just add or subtract a year and a bit, or use a slightly modified date. Something simple.
If you have more than one bank account, and are lucky enough to have quite a lot of money in an account, don't use a bank account that has lots of money in there.
I closed both my Facebook and Twitter social media accounts years ago. Information I publish online I'm starting to move to different platforms which remain anonymous, unless there is a clear commercial benefit to using my own personal information. Do be mindful of identity theft though.
Whilst not always true - the more convenient something is, the less secure it tends to be.
Start using non-personal email addresses for corporate work. There will be those occasions where you have made the mistake of joining websites that could compromise your integrity in a more professional capacity.
Info Rhino has built a powerful protocol-based authentication system into our Web Data Platform. It is a more versatile form of two-factor authentication. The current implementation permits one or more email addresses to be used as part of the registration process. We could have an email account from one provider on our phone and an email account from another on our desktop. Both email providers could know you have a presence on a website but wouldn't have access to the other email account.
A great example could be where an employee uses a corporate account to access external web services but wants to add an extra degree of control over access to this. We may say that a compromise could damage the reputation of the business. It could also damage the reputation of an individual. How would this individual know that the organisation's email accounts wouldn't get hacked, with these services then being accessed by impersonators?
https://www.ncsc.gov.uk/blog-post/linkedin-2012-hack-what-you-need-know
https://twitter.com/elonmusk/status/1514564966564651008