“I have nothing to hide” was once a typical response to surveillance programs utilizing cameras, border checks, and questioning by law enforcement.
But now, the sheer volume of devices and technology-based “innovations” used to track us has changed the conversation. Every piece of technology in our lives — from internet browsers and mobile devices to smart energy meters — collects data on us, which can then be sold to third parties or used to create profiles suitable for targeted advertising.
Privacy used to be considered a concept generally respected in many countries, with a few changes to rules and regulations here and there, often made only in the name of the common good.
Things have changed, and not for the better.
Government-led surveillance, censorship at the ISP level, bulk data collection, legislative battles declared against encryption, and let’s not forget the cyberattacks constantly assaulting us and the organizations that hold our data are all making it increasingly difficult to keep privacy as a right of the many, rather than a luxury of the few.
Modern services and products can potentially erode our privacy and personal security, and you can’t depend on vendors, their security hygiene, or ever-changing surveillance rules to keep them intact.
Having “nothing to hide” doesn’t cut it anymore. We must all do whatever we can to safeguard our personal privacy not only from agencies and companies but also from each other.
Taking the steps outlined below can not only give you some sanctuary from spreading surveillance tactics but also help keep you safe from cyberattackers, scam artists, online stalking, and more.
What is Personally Identifiable Information (PII) and why should I care?
Personally identifiable information (PII) can include your name, physical home address, email address, telephone numbers, date of birth, marital status, Social Security numbers (US), and other government IDs. PII can also include medical records and information about your family members, children, and employment status.
All this data, whether lost in different data breaches or stolen piecemeal through phishing campaigns, can provide attackers with enough information to conduct identity theft. This means you could be impersonated in social engineering attacks, you could lose access to your online accounts, or, in the worst cases, you could become vulnerable to financial fraud.
With enough information, for example, a cybercriminal could make fraudulent transactions or take out loans in your name.
In the wrong hands, this information can also prove to be a gold mine for advertisers lacking a moral backbone.
Why does paying attention to browsing activities and website visits matter?
Internet activity is monitored by an Internet Service Provider (ISP) and can be hijacked. While there is little consumers can do about attacks at the ISP level, the web pages you visit can also be tracked by cookies, which are small bits of text that are downloaded and stored by your browser. Browser plugins may also track your activity across multiple websites.
Cookies are used to personalize internet experiences and this can include tailored advertising. However, such tracking can go too far, as shown when the unique identifiers added to a cookie are then used across different services and on various marketing platforms. Such practices are often considered intrusive.
Have you ever casually searched for a product — say, a sofa — and then, suddenly, you’re bombarded with sofa advertisements? That’s targeting at play.
Why does protecting messages and email content matter?
Our email accounts are often the pathway that can provide a link to all our other valuable accounts, as well as a record of our communication with friends, families, and colleagues. Hackers may try to obtain our email passwords through credential stuffing, social engineering, or phishing scams in order to jump to other services.
If an email account acts as a singular hub for other services, a single compromise can snowball into the hijack of many accounts and services. For example, if you have tied an online account for your mobile phone provider or favorite store to your primary email account, an attacker could potentially change your password or grab the verification code necessary to log in.
Why does protecting phone numbers matter?
In targeted attacks, fraudsters use social engineering techniques to impersonate their victims in calls to telephone service providers. They do this in order to transfer a number away from a handset — even if only for a short period of time — and they then “own” the number for the time it takes to grab two-factor authentication (2FA) codes sent to the number.
Once 2FA codes have been purloined, attackers can access a target account, whether this is banking, email, or a cryptocurrency wallet. Such attacks are known as SIM-swapping.
If your phone number ends up outside of your control, this means that 2FA codes can be stolen and any online account linked to this number is at risk of being hijacked.
Why does protecting online purchases and financial information matter?
When you conduct a transaction online, this information may include credentials for financial services such as PayPal, or credit card information including card numbers, expiration dates, and security codes.
Sometimes, vulnerable e-commerce websites are targeted, with code injected into payment portals to skim and steal card data input by customers. Unfortunately, you are likely to be completely unaware that your information has been exfiltrated and sent to criminals.
Cybercriminals who steal financial services credentials through phishing and fraudulent websites, who eavesdrop on your transactions through Man-in-The-Middle attacks, or who utilize card-skimming malware, can steal these details when they are not secured.
Once this information has been obtained, unauthorized transactions can be made, clone cards may be created, or this data may also be sold to others on the dark web.
Once valid card numbers are out of your hands, this can lead to fraudulent purchases made in your name. If you see any suspicious transactions or a sudden influx of small test payments, it’s better to be safe than sorry — contact your bank, freeze your card, and check your credit report.
Why does protecting medical records and DNA profiles matter?
Hospitals are now transitioning to electronic records and home DNA services have proven popular. Genetic information belonging to consumers can be stored, or individually collected and submitted for health-related queries or for tracing family histories.
The loss of medical information, which is deeply personal, can be upsetting and result in disastrous consequences for everyone involved.
When it comes to DNA, however, the choice is ours whether to release this information — outside of law enforcement demands. Privacy concerns relating to DNA searches can be valid since you’re giving the imprint of your biological makeup to a private company.
How is my information protected?
Businesses that handle data belonging to customers are being scrutinized more and more with the arrival of new regulatory pressures and changes. Mandates such as the EU’s General Data Protection Regulation are designed to enforce adequate security measures to protect consumer data.
Lagging behind the EU, the US maintains a hodgepodge of different data protection laws surrounding tech, healthcare, finance, and government-held information, such as HIPAA. There is a lack of cohesion between different states, although some have adopted laws similar to GDPR in recent years.
Companies will often encrypt your information in an effort to maintain data fidelity and security. Encryption is a way to encode information so that it is unreadable by unauthorized parties.
One way this is achieved is by using SSL and TLS certificates that support encryption on website domains. End-to-end encryption is also popular. This form of encryption prevents anyone except the parties communicating from accessing or reading the content of messages, including service vendors themselves.
End-to-end encryption has been widely adopted by many online communication services. Privacy advocates may cheer, but governments and law enforcement agencies are not rejoicing. A political battlefield has emerged between tech vendors and governments that have attempted to enforce the inclusion of deliberate backdoors into encrypted systems, and, in recent times, have demonstrated impossible thinking concerning breaking end-to-end encryption “for the good of all.”
As it stands, you should always use end-to-end encryption when possible.
How can I make my browser more secure?
As Internet browsers are the gateways we use to access online services, it is imperative we select browsers with reasonable security.
The most commonly used browsers are Google Chrome, Apple Safari, Microsoft Edge, and Mozilla Firefox. Here are ways to improve your security without implementing major changes to your surfing habits.
Cookies: Clearing out your cookie caches and browser histories can prevent ad networks from collecting too much information about you. The easiest way to do so is to clear the cache (Firefox, Chrome, Opera, Safari, Edge, Brave).
You can also set your preferences to prevent websites from storing cookies at all. In order to do so, you can refer to these guides for each of the major browsers: Firefox, Chrome, Opera, Safari, Edge, and Brave.
HTTP v. HTTPS: When you visit a website address, you will be met with either Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS). The latter option uses a layer of encryption to enable secure communication between a browser and a server.
HTTPS is best used by default in general browsing. When it comes to online shopping, HTTPS is crucial for protecting your payment details from eavesdropping and theft.
To find out whether HTTPS is enabled, look in the address bar for “https://.” Many browsers also show a closed padlock. If a retailer or e-commerce site does not appear to have HTTPS enabled, consider shopping elsewhere.
Additionally, you should consider using Tor and other secure browsers if you want to truly keep your browsing as private as possible.
Tor: The non-profit Tor Project is an organization supported by thousands of volunteers worldwide who maintain the proxy servers that protect your identity. The Tor Browser uses layers of encryption to strengthen your anonymity.
Brave: Brave is one of ZDNET’s top browsers for privacy and security. The Chromium-based Brave browser blocks ads, fingerprinting, and ad trackers by default, and is used by millions of individuals worldwide.
Search engines: Google’s search engine, alongside other major options such as Yahoo! and Bing, uses algorithms based on your data to provide “personalized” experiences. However, browsing histories and search queries can be used to create crossover user profiles detailing our histories, clicks, interests, and more, and may become invasive over time.
Have you ever bought a toaster only to see an uptick of toaster-related ads? There’s a reason for that.
To prevent such data from being logged, consider using an alternative that does not record your search history and blocks advertising trackers. These options include DuckDuckGo.
DuckDuckGo is one of ZDNET’s favorite browsers for securing your privacy. Counting tens of millions of users worldwide, this search engine does not track you or profit from selling your information.
As a free service, you may be wondering, how does DuckDuckGo make money? The answer is this: Ads are displayed based on your search queries, rather than tracked data harvested from targeted users.
DuckDuckGo and its related extensions are available on iOS, Android, Firefox, Chrome, Edge, and Safari.
What are the best browser plugins for enhanced security?
Disconnect: Disconnect provides a visual guide to websites that are tracking your activity. Invisible trackers that monitor you and may also expose you to malicious content can be blocked. Disconnect is available for Chrome, Firefox, Safari, and Opera.
Facebook Container: Mozilla’s Firefox Facebook Container application is a worthwhile plugin to download if you are worried about the social media network tracking your visits to other websites. The plugin isolates your Facebook profile and creates a form of browser-based container to prevent third-party advertisers and Facebook tracking outside of the network.
Privacy Badger: Privacy Badger is focused on preventing ad networks from tracking you. The software monitors third parties that attempt to track users through cookies and digital fingerprinting and will automatically block those that use multiple tracking techniques.
AdBlock: AdBlock is a useful extension for blocking ads while you’re surfing the web. The extension can block ads, trackers, video banners, and pop-ups, thereby cleaning up pages. You can also whitelist websites when you want such content to be displayed.
You should monitor your extensions and plugin lists. Check them often to ensure there is nothing installed you were previously unaware of.
Is public Wi-Fi safe to use?
Public Wi-Fi hotspots are convenient, especially when many of us work outside of the office. However, you may risk your privacy and security if you use one while on the move without the right precautions.
The problem with them is simple: You have easy access to them, and so do cyber attackers — and this gives them the opportunity to perform what is known as Man-in-The-Middle attacks to eavesdrop on your activities and steal your information, or send you to malicious websites.
Hackers may be able to access the information you are sending through the Wi-Fi hotspot, including — but not limited to — emails, financial information, and account credentials.
It is best not to use a public, unsecured Wi-Fi connection at all. Do not use open Wi-Fi to access anything valuable, such as online banking services. An alternative and far more secure method is always to use a mobile cellular-based connection whenever possible.
If you need an internet connection for a device other than your smartphone, set up your mobile device as a mobile Wi-Fi hotspot. You can usually find this option in your main scroller menu, or under settings. You can connect your devices through the temporary hotspot by checking the name and using the password your smartphone generates for you.
One of the most important layers of security to implement when accessing a public Wi-Fi hotspot is a virtual private network (VPN) — and the use of a trustworthy VPN should be implemented across all your devices, no matter your connection type.
What are VPNs and how can they provide security?
A virtual private network is a way to create a secure tunnel between browsers and web servers. Data packets are encrypted before they are sent to a destination server, which results in IP addresses and your location becoming hidden. Many VPNs will also include a “kill switch” that cuts off your internet access temporarily if a connection drops to keep your online activity secure.
While many users adopt VPNs to access geolocation-blocked content — such as websites and apps banned in select countries — VPNs are also popular with activists or those in countries ruled by censorship. (Note that VPNs are banned in some countries.)
VPNs are not a silver bullet for security, but they can help mask your online presence. You should consider using a VPN to maintain secure connections and prevent monitoring and tracking.
Premium, paid services are often more trustworthy than free VPNs, which are often slower and offer limited bandwidth capacity. VPNs cost money to run so providers of free services may sell your data.
Remember, when you are using a free service, whether it’s a VPN or Facebook, you are the product and not the customer.
The most important element to consider when deciding on a VPN is trust. Using a VPN requires all your traffic to go through a third party. If a third-party VPN is unsecured or uses this information for nefarious reasons, this defeats the purpose of using a VPN in the first place.
Conflicts of interest, VPN providers being hosted in countries where governments can demand their data, and sometimes less-than-transparent business practices can all make finding a trustworthy option a complex and convoluted journey. To make it easier, check out our guides:
How do passwords and vaults protect my security?
Using complex passwords is the first line of defense you have to secure your online accounts.
Many vendors now actively prevent you from using simple combinations that are easy to break, such as QWERTY12345. It can be difficult to remember complicated combinations when you are using multiple online services, and this is where password vaults come in.
Password managers securely record the credentials required to access your online services. Rather than being required to remember each set of credentials, these systems keep everything in one place, accessed through one master password, and they will use security measures such as AES-256 encryption to prevent exposure.
Vaults may also generate strong and complex passwords on your behalf, as well as proactively change old and weak ones.
It is true that password managers and vaults may have vulnerable design elements that can be exploited on already-compromised machines, but when you balance risk, it is still recommended to use one.
Do I need two-factor authentication (2FA)?
Two-factor authentication (2FA), also known as two-step verification or multi-factor authentication, is a widely implemented method of adding an extra layer of security to your accounts and services after you have submitted a password.
The most common methods are via an SMS message, a biometric marker such as a fingerprint or iris scan, a PIN, a pattern, or a physical fob. Using 2FA creates an additional step to access your accounts and data, and while not foolproof, it helps protect your accounts.
Here’s how to enable 2FA on several popular sites: Facebook | Instagram | Snapchat | Apple | Google | Microsoft
For an in-depth guide to implementing 2FA, check out Ed Bott’s explainer, Multi-factor authentication: How to enable 2FA and boost your security
What is SIM hijacking?
2FA is a strong security standard, but if you are unlucky enough to become a victim of SIM hijacking, this layer of security means very little. SIM-swapping occurs when a cybercriminal poses as you to a service provider, such as AT&T, using social engineering techniques and information gathered about you to fool employees into transferring ownership of your mobile number.
Once in control of your phone number, attackers can hijack your accounts and intercept 2FA codes.
This type of fraud is difficult to protect against. However, you could connect 2FA telephone numbers to a secondary number that is not publicly known or ask your provider to reject transfer requests. Better yet, consider a physical security key (see below).
Are physical security keys a good idea?
Security keys provide hardware-based authentication and an additional layer of security that cannot be circumvented unless a cybercriminal has physical access to the key.
Even if a cybercriminal has managed to steal a username and password combination for one of your online accounts, or has even compromised your mobile device — enabling them to potentially grab 2FA passcodes — breaking into your account becomes far more difficult.
Security keys are now very affordable and user-friendly. For a full explainer of the benefits of security keys, check out: The best security keys to protect yourself and your business.
How do I secure my mobile devices?
Mobile devices can act as a secondary means of protection for your online accounts via 2FA, but these endpoints can also be the weak link that completely breaks down your privacy and security.
For a comprehensive guide on the top threats facing your mobile security today, see our piece on the top phone security threats and how to avoid them.
In the meantime, these are the critical points:
What other privacy settings should I know about?
iPhone: A handy security feature for the iPhone is USB Restricted Mode, which prevents USB accessories from automatically being able to connect to an iPhone if an hour has elapsed since the last time the handset was unlocked. In order to enable it, go to Settings > Touch ID/Face ID > USB Accessories.
Android: Be sure to disable the option to enable unknown developers/apps. If there have been apps you had to install outside of Google Play, make sure the “Unknown Sources” or “Install Unknown Apps” option is not left open afterward. Sideloading isn’t necessarily a problem on occasion but leaving this avenue open could result in malicious APKs making their way onto your smartphone. To disable it, select Settings > Security > Unknown Sources. On the later Android models, the option is usually found in Settings > Apps > Top-right corner > Special access.
Smartphone encryption: Depending on your smartphone’s model, you may have to enable device encryption; some phones will be encrypted by default once a password, PIN, or lock screen option is in place. If you have such a device, you can generally encrypt your smartphone through Settings > Security > Encrypt Device.
Some smartphone models do not have this option as encryption is enabled by default but you can choose to encrypt accompanying SD cards by going to Settings > Security > Encrypt SD card.
You can also choose to enable the Secure Folder option in the same settings area to protect individual folders and files.
A note on jailbreaking: Rooting your device to allow the installation of software that has not been verified by vendors or made available in official app stores has security ramifications. You may not only invalidate your warranty but also open up your device to malware, malicious apps, and data theft.
How can I encrypt my messages?
These are some of the encrypted messaging applications available to secure your online communications:
Signal: Signal is widely regarded as one of the most accessible, secure messaging services. The free app — developed by Open Whisper Systems — implements end-to-end encryption and no data is stored by the company’s servers.
WhatsApp: WhatsApp is an end-to-end encrypted messaging app. The messaging app is a simple and secure means to conduct chats between either a single recipient or a group. To tighten things up, make sure you visit the Chat Backup option in “Chats” and turn it off.
iMessage: Apple’s iMessage, a communications platform that comes with Mac and iOS products, is another option if you want to secure and protect your digital communications. Messages are encrypted on your devices via a private key and cannot be accessed without a passcode.
Facebook Messenger: Facebook Messenger is not encrypted by default. The chat service does, however, have a feature called “Secret Conversations” on iOS and Android that is end-to-end encrypted. In order to start a secret conversation, go to the chat bubble, tap the “write” icon, tap “Secret,” and select who you want to message.
Telegram: Telegram is another popular chat application. Telegram has a “Secret Chat” option that is end-to-end encrypted and kept away from the Telegram cloud. These particular chats are device-specific and include a self-destruct option.
How do I keep my mobile apps secure?
No matter which mobile operating system you have adopted — Android or iOS — downloading apps from verified, trusted sources such as Google Play and Apple’s App Store is always the best option to maintain your security and privacy.
However, the permissions you give an installed app are also important.
Apps can request a variety of permissions including sensor data, call logs, camera and microphone access, location, storage, and contact lists. While many legitimate apps do require access to certain features, you should always make sure you are aware of which apps can access what data to prevent unnecessary security risks or information leaks.
To be on the safe side, when you no longer need an application, you should uninstall it.
Is mobile malware a threat?
Mobile malware is not as ubiquitous as the malicious software that targets desktop systems, but these mobile variants can still infect Android and iOS smartphones and sometimes even make their way into official app repositories.
A common technique used by malware developers is to submit a mobile application that appears to be legitimate, and then upload malicious functions after a user base has been established, such as in the case of an Android app containing the Cerberus Trojan that infiltrated the Google Play store.
The types of malware that can hit your mobile device are varied, from Trojans and backdoors to malicious code that focuses on the theft of valuable information, such as online banking credentials.
The most common way such malware can infiltrate your smartphone is through the installation of apps that are actually malware, spyware, or adware in disguise.
It’s recommended that you download and install an antivirus software solution for your mobile device. You shouldn’t jailbreak your phone, and APKs should only be downloaded from trusted sources, rather than third-party repositories.
What is the most secure email?
Many email providers now encrypt email in transit using TLS, but there are few email services, if any, that you can truly consider 100% “secure” due to government laws, law enforcement powers, and the difficulty of truly implementing strong encryption in email inboxes.
However, ProtonMail is worth considering. The open-source email system is based in Switzerland and, therefore, protected by that nation’s strict data protection laws. Emails are end-to-end encrypted, which prevents ProtonMail — or law enforcement — from reading them. In addition, no personal information is required to open an account.
Another way to send emails without tracking is to use a temporary, throwaway email address. These can be generated through services including Temp Mail and EmailOnDeck.
How can I reduce my online footprint?
Now that you’re taking control of your devices, it’s time to consider what data is floating around the internet that belongs to you — and what you can do to prevent future leaks.
One of the first places to travel to is Troy Hunt’s Have I Been Pwned service. This free search engine can be used to check your email accounts, phone numbers, and linked online services for the exposure of credentials caused by data leaks. If you find you have been “pwned,” stop using all the password combinations involved immediately — not only in the case of the compromised account but across the board.
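As an added example that is not part of the original article, the Python below shows how a breached-password lookup of the kind Have I Been Pwned offers through its Pwned Passwords range API can be done without the password ever leaving your machine: the client sends only the first five hex characters of the password’s SHA-1 hash and matches the remaining suffix locally against the returned list. The HTTP fetch is pluggable, and the response body used here is constructed so the code runs offline.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Pwned Passwords range endpoint (k-anonymity API). Only a 5-character hash
# prefix is ever sent; the full password and full hash never leave the client.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix) of the uppercase hex SHA-1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates CRLF and blank lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the breach list (0 if absent)."""
    prefix, suffix = sha1_prefix_suffix(password)
    body = fetch_range(prefix)
    return parse_range_response(body).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real network lookup, for use outside the offline demonstration."""
    import urllib.request
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed response body (not real API output). It includes the genuine
# SHA-1 suffix of "password" (full hash 5BAA61E4...) so the offline demo
# exercises a hit; the other suffixes and all counts are made up.
CONSTRUCTED_RANGE_BODY = (
    "0123456789ABCDEF0123456789ABCDEF012:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "\r\n"
    "FEDCBA9876543210FEDCBA9876543210FED:1\r\n"
)


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the HTTP call: serves the constructed body for prefix 5BAA6."""
    return CONSTRUCTED_RANGE_BODY if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, fetch_range_offline)
        print(f"{pw!r}: seen {n} time(s) in the constructed breach list")
```

Swap `fetch_range_offline` for `fetch_range_live` to query the real service; a non-zero count means the password should be retired everywhere it is used, as the paragraph above advises.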
What is Google Privacy Check-Up?
If you are a user of Google services, the Privacy Check-up function can be used to stop Google from saving your search results, YouTube histories, device information, location check-ins and for you to decide whether you are happy for the tech giant to tailor advertising based on your data.
Ensure you also look at your main Google Account to review security settings and privacy measures. The Security Check-up page also shows which third-party apps have access to your account and you can revoke access as necessary.
An important feature on this page is activated if you are saving passwords in the Google Chrome browser. Google will check to see if these passwords have been compromised in a data breach, and — if so — Google will alert you and urge you to change them immediately. To make this easier, each alert will link to the impacted domain or service so you can quickly log in and change your details.
How can I stay safe on social networks?
Social networks can be valuable communication tools but they can also be major sources of data leaks. It is not just friends and family who might be stalking you across social media — prospective employers or shady characters may be following you, too. Therefore, it is important for you to lock down your accounts to make sure that only the information you want to be public, is public.
TikTok, given its popularity with young audiences, has several security settings of note:
Family accounts and Restricted Mode: You can enable Restricted Mode on an account to filter out content that might only be suitable for adult audiences. You can also filter out select keywords, create a screen time limit, and more.
Private and public accounts: You can elect to make an account public or private. Public account profiles and videos can be viewed by anyone on or off TikTok, whereas private accounts limit interaction to users you approve. It is recommended that private settings should be enabled for accounts belonging to users under the age of 18.
To begin locking down your Facebook account, go to the top-right corner, click the downward arrow, and choose “Settings and privacy” to see most of your privacy and account safety options.
Password and security: Under this tab, you can choose to enable 2FA protection, view devices your account is logged in to, and choose alert options for unrecognized attempts to log in. You can also run a privacy checkup to check the strength of your password.
Activity Log: Here, you can review your activity: posts published, messages posted in other timelines, likes, and event management. If you want to wipe your older timeline, you can use the “edit” button to allow, hide, or delete posts.
Download data: Under this tab, you can choose to download all the data that Facebook holds on you.
Privacy, profiles, and tagging: Here, you can choose who can see your future posts. For the sake of privacy, it’s best to set this to friends only, unless you’re comfortable with the default public option.
How people can find and contact you: You can tighten up your account by limiting who can send you friend requests, see your friends, and whether people can use your email address or phone number to find your profile. You can also turn off the ability for search engines outside of Facebook to link to your profile.
Ad Preferences: Here, you can manage personalized ad settings — at least, to a point. You can review what Facebook believes are your interests and the advertisers potentially connected to you.
About Me: In the “About Me” tab in the main account menu, you can choose to make your personal information public or private.
To give your Instagram account a privacy boost, there are a few changes you can implement.
By default, anyone can view the photos and videos on your Instagram account. By going to Settings and then Account Privacy, you can change this to ensure only those you approve of can see your content.
If your account is public, then anyone can view and comment on your images and videos. However, you can block people you would rather not interact with.
On X (formerly Twitter), under the “Settings and account access” tab there are several options and changes you should implement to improve the security of your account — although some are now unavailable to free accounts following Elon Musk’s acquisition of the site.
Additional password protection: Enabling this setting requires additional information to reset your password, being either a phone number or email address associated with your account.
Two-factor authentication: 2FA, including text messages, using authenticator apps, or physical keys, is available only to paid subscribers.
Privacy and safety: Under this tab, you can change what information you allow others to see, who can message you, ad preferences, and more.
How can I secure my Internet of Things?
The Internet of Things (IoT) started off with mobile devices, including smartphones, tablets, and smartwatches. Now, IoT encompasses everything from smart lights to voice-controlled smart speakers and home hubs, such as Google Home and the Amazon Echo.
To improve your security on such devices, check out our guide:
Are tracking devices a security risk?
Products such as Tile and Apple’s AirTag are convenient ways to monitor your pets, luggage, keys, and other belongings – but the Bluetooth technology and networks that facilitate this useful service can also be abused.
There have been reports potentially linking tracker devices to everything from stalking to car theft. As these products are small and can easily be slipped into a bag, clothing, or hidden in a vehicle, they may not be detected by a victim – and even if they are, if you can’t find the device, what can you do?
Solutions are still being tested and rolled out. Apple iOS users (14.5+) are already alerted to their presence via notifications and sound. You can also download the Tracker Detect app if you are an Android user.
Who is responsible for protecting my privacy?
The threats to our privacy and security are ever-evolving and within a few short years, things can change for the better or for worse. It’s a constant game of push-and-pull between governments and technology giants when the conversation turns to encryption; cyber attackers are inventing and evolving new ways to exploit us daily, and some countries would rather suppress the idea of individual privacy than protect it.
In a world where many of us have been asked to rapidly change our working practices and to do our jobs from home, research suggests cyber incidents are on the rise with many of us “oblivious” to security best practices, and if we don’t take basic precautions, we may be risking not only our personal devices but also company systems.
Thankfully, the threat to our privacy has now been acknowledged by technology companies. Many organizations, both for-profit and non-profit, have taken it upon themselves to develop tools for users to improve our personal security — and it is now up to us to use them.