Safer Internet: Develop a Privacy Strategy

Summary | Policy/Law | Planning | Behavior | Technology |
References: General | Policy/Law | Plan | Behavior | Technology

Summary

• This course will provide both... "be-aware" and "software" advice, with upgrades for human and device operating system.
• Parts of a possible strategy:
• Policy & Law, e.g., read privacy policies, lobby government representatives
• Planning, e.g., important services/features vs. privacy & security? tradeoffs; cost? risks?
• Behavior, e.g., strong passwords; backup; update; think before you click or post (or signup)
• Technology, e.g., password manager, encryption
• (References)

Policy / Law

• "Relying on the government to protect your privacy is like... asking a peeping tom to install your window blinds." ~John Perry Barlow, co-founder EFF.org
• "Privacy policies" specify how your information will be used / shared -- no guarantee of protection or enforcement;
  if you have some time, peruse -- rather than blindly accept
• Privacy policies and settings may protect you against other users, but not against misuse or carelessness by the company itself or its advertising/business partners
• Most companies do not provide details about robustness of their security practices (because they're clueless, embarassed?)
• Terms & Conditions and Privacy Policies can change without notice, usually not for the benefit of users
• e.g., Linkedin: User Agreement (T&C), Privacy Policy; also: Ad Choices; Community Guidelines; Cookie Policy; Copyright Policy
• My Data Request summarizes/links to privacy policies at over 100 different companies
• Government regulations & laws usually lag the technology;
  if they exist, they often favor corporate donors, lobbyists and surveillance agencies over consumers

Planning

• "Anything that can go wrong,... will go wrong." ~Murphy's Law; other Murphy laws
• from EFF: Assessing Your Risks: Threat Modeling:
  
• "What do you want to protect?"
• "Who do you want to protect it from?"
• "How likely is it that you will need to protect it?"
• "How bad are the consequences if you fail?"
• "How much trouble are you willing to go through in order to try to prevent those?"
• Consider risks & needs by:
• location: home, school, work, vacation
• task: banking, searching, communicating, entertainment
• device: phone, tablet, computer, etc.
• type of information: required, optional, sensitive, personal
• convenience: all mail, calendar, search, payments, passwords with one trusted provider, or different places?
• What is the business product model of companies you use?
• e.g., Facebook, Google (advertising) vs. Apple (hardware)
• How "free" are their services? Do they track you, and sell/share your info?
• How does company respond to mistakes? Do you trust them?
• Will they admit and fix a problem, or deny and repeat?
• If their privacy settings don't protect your data, delete account and/or switch providers?
• Cost of your time & attention: would you rather be doing something else with your life vs. fake news/gossip, cute videos, tweaking settings, ...?

Behavior

• "The only people who like change... are wet babies."
• "Just because you can't do everything... doesn't mean you shouldn't do anything." -- don't despair: take small, constant steps!
• "Hoaxes use weaknesses in human behavior... to ensure they are replicated and distributed. In other words, hoaxes prey on the Human Operating System." ~Stewart Kirkpatrick
• "We are all robots when... uncritically involved with our technologies." ~Marshall McLuhan
• "Denial... Is Not a River in Egypt." ~anon?
• Accept that some changes are necessary; to get the most out of this class, some homework is required.
• Invest attention and energy upfront to be proactive before problems occur.
• Since it would overwhelming to do everything that we'll discuss immediately, be selective and phase in gradually over months
  -- maybe even take the class again next year!
• Learn good habits, such as backing up regularly, updating software, choosing strong passwords, storing passwords securely,
  logging out when not using your computer; connecting to known, encrypted WiFi networks, etc.
• TV / movies often unrealistic when portraying security threats / practices
• Consider eliminating certain sites altogether, e.g., social media
• Before: minimize personal information that you provide / volunteer, e.g., Facebook
• After: inspect companies' data about you -- see What, e.g., Apple, Facebook, Google
• [2] After: purge info from data brokers
• Avoid installing malware inadvertently, e.g., clicking on links in suspicious emails, panicking & responding to scary popups
• "Social Engineering" can often defeat many otherwise secure systems -- especially if request comes from harried "boss",
  desperate "friend", incarcerated "grandchild", irate "customer", e.g., phishing, fake sites
• Quiz: What's Your Privacy Personality? Are You a Believer, Realist or Shrugger? (scroll to bottom)
• PICNIC: "Problem In Chair, Not In Computer",
  or
  PEBKAC: "Problem Exists Between Keyboard And Chair"

  the "Pledge": don't do anything stupid! {TCYOP-4: 48-50; TCYOP-3: 36-38;}

• [3] Cyberinsurance? Hire Security Consultant? Pray?

Technology

• "If you think technology can solve your security problems,...
  then you don't understand the problems
  and you don't understand the technology." ~Bruce Schneier
• "Technology is... anything invented after you were born." ~Alan Kay;
  Alan also said: "The best way to predict the future is to invent it."
• "1) Everything that's already in the world when you're born is just normal;...
  
  2) Anything that gets invented between then and before you turn thirty is incredibly exciting exciting and creative and with any luck you can make a career out of it;
  
  3) Anything that gets invented after you're thirty is against the natural order of things and the beginning of the end of civilisation as we know it until it's been around for about ten years when it gradually turns out to be alright really." ~Douglas Adams
• "1) When a distinguished but elderly scientist states that something is possible,... he is almost certainly right.
  
  2) When he states that something is impossible, he is very probably wrong. The only way of discovering the limits of the possible is to venture a little way past them into the impossible.
  
  3) Any sufficiently advanced technology is indistinguishable from magic." ~Arthur C. Clarke's 3 Laws of Prediction
• A single technology fix may not be adequate: multiple technologies and/or behavior changes may be needed.
• Start by making one-time changes, such as more secure passwords, system & browser settings, privacy options on social networking sites, etc.
• Advice & tools change over time -- security is akin to game of "whack-a-mole"
• Ongoing: check vendor sites for updates; refer back here to course summaries & reference articles

References

• {TCYOP-4: 29-50; TCYOP-3: 29-38}
• see also course section: Intro: Topics: To Do / Check Lists
• sections: Refs: Policy/Law; Plan; Behavior; Technology
• topics: data brokers, security prompts & fatigue, social engineering, threat modeling
• Vendor sites for privacy and security information, e.g.,
• Apple: How We Protect Your Privacy We protect your information on our products. We can create personalized experiences without using personal information. We give developers tools to meet our strict guidelines
• Apple: Security macOS; Software Updates; Gatekeeper; FileVault 2; Privacy Controls; Password Generator; iCloud Keychain; Sandboxing; Runtime protections; Antiphishing; Find My Mac
• Apple: Manage Your Privacy Secure your Devices: passcode; Touch ID, Find My;
  Secure your Apple ID: password, security questions, 2-step verification;
  Stay secure: phishing, passwords, notifications;
  Sharing: iCloud settings, location data, apps, ads, private browsing, children's privacy, diagnostic data
• Apple: iOS Security iOS10 white paper: System Security; Encryption and Data Protection; App Security; Network Security; Apple Pay; Internet Services; Device Controls; Privacy Controls; Apple Security Bounty; 3/2017
• Apple: Privacy Built-in; Government Information Requests; Privacy Policy
• TakeControl: Are Your Bits Flipped? trust; excerpt of e-book
• EFF: Surveillance Self-Defense TOC copied: 12/1/2016
• Playlists: Academic researcher? Activist or protester? Human rights defender? Journalism student? Journalist on the move? LGBTQ Youth? Mac user? Online security veteran? Want a security starter pack?
• Overviews: An Introduction to Threat Modeling; Choosing Your Tools; Creating Strong Passwords; Keeping Your Data Safe; Seven Steps To Digital Security; What Is Encryption? Why Metadata Matters
• Animated Overviews: How Strong Encryption Can Help Avoid Online Surveillance; How to Make a Super-Secure Password Using Dice; Protecting Your Device From Hackers; Using Password Managers to Stay Safe Online
• Tutorials: How to: Avoid Phishing Attacks; Circumvent Online Censorship; Delete your Data Securely on Linux, Mac OS X, Windows; Enable Two-factor Authentication; Encrypt Your iPhone, Your Windows Device; Install and Use ChatSecure; Use KeePassX; Use OTR for Mac, Windows, Linux; Use PGP for Linux, Mac OS X, Windows; Use Signal for Android, iOS; Use Tor for Windows, Mac OS X; Use WhatsApp on Android; Use WhatsApp on iOS
• Briefings: An Introduction to Public Key Cryptography and PGP; Attending Protests (Intl., USA); Choosing the VPN That's Right for You; Communicating with Others; How Do I Protect Myself Against Malware? Key Verification; Protecting Yourself on Social Networks; The Problem with Mobile Phones; Things to Consider When Crossing the US Border
• Passcode: Modern field guide to security and privacy CS Monitor; cybersecurity news and analysis
• How to Declutter Your Digital World NYT; 9/15/2020
• Total digital privacy is impossible, but obfuscation, the intentional shrouding of identity with useless information, can be a compromise MIT; 9/27/2019
• What We've Learned From Our Privacy Project (So Far) Surveillance Tools Are Readily Available; We Don't Know Enough About What Happens to Our Data; Privacy Violations Affect Us in Tangible Ways; Sacrificing Your Privacy Might Sometimes Be Worthwhile; 7/16/2019

Policy/Law

• Wikipedia: privacy policy
• A look at the bipartisan American Data Privacy and Protection Act, which privacy experts say might finally give the US a strong federal data protection law Wired; 7/21/2022
• The Messy Progress on Data Privacy NYT; 5/12/2022
• NSA report: This is how you should be securing your network ZD; 3/4/2022
• Companies Use 'Dark Patterns' to Mislead Users About Privacy Law, Study Shows MB; 1/13/2020
• Everything You Wanted to Know about Apple Security but Were Afraid to Ask Apple Platform Security; TB; 12/20/2019
• I Invented the World Wide Web. Here’s How We Can Fix It. Sir Tim Berners-Lee launches Contract for the Web, backed by 150+ organizations including Microsoft, Google, Facebook, and EFF to safeguard the web from abuse; NYT; 11/24/2019
• This AI reads privacy policies so you don't have to -- and it's actually pretty good TNW; 9/24/2019
• We Read 150 Privacy Policies. They Were an Incomprehensible Disaster. NYT; 6/12/2019
• The People Screaming for Blood Have No Idea How Tech Actually Works suddenly regulators' guns are blazing, but it looks thoughtless and is likely to prove pointless; NYT; 6/4/2019
• Your Privacy Is Our Business NYT; 4/27/2019
• How The Times Thinks About Privacy We're examining our policies and practices around data, too; NYT; 4/10/2019
• We're Not Going to Take It Anymore we've given up too much control over our digital lives. We need a law to take some of it back; NYT; 4/10/2019
• What Women Know About the Internet The digital world is not designed to keep women safe. New regulations should be; NYT; 4/10/2019
• Fix It Already: Nine Steps That Companies Should Take To Protect You
  Android should let users deny and revoke apps' Internet permissions.
  Apple should let users encrypt their iCloud backups.
  Facebook should leave your phone number where you put it.
  Slack should give free workspace administrators control over data retention.
  Twitter should end-to-end encrypt direct messages.
  Venmo should let users hide their friends lists.
  Verizon should stop pre-installing spyware on its users’ phones.
  WhatsApp should get your consent before you’re added to a group.
  Windows 10 should let users keep their disk encryption keys to themselves; EFF; 2/28/2019
• Most Online 'Terms of Service' Are Incomprehensible to Adults, Study Finds reading the terms and conditions of online consumer contracts requires, on average, more than 14 years of education; MB; 2/12/2019
• How Silicon Valley Puts the 'Con' in Consent If no one reads the terms and conditions, how can they continue to be the legal backbone of the internet? NYT 2/2/2019

Plan

• EFF: How to Create Your Security Plan
• Security Planner improve your online safety with advice from experts; from Citizen Lab
• Big Companies Thought Insurance Covered a Cyberattack. They May Be Wrong. war exemption; NYT; 4/15/2019

Behavior

• A Paranoid Person's Guide to Preparing for Digital Danger NYT; 3/5/2022
• IT and security professionals think normal people are just the worst 'the well-meaning but negligent end user'; ZD; 4/2/2019
• Internet entrepreneur Arianna Huffington on the next big thing in tech: Disconnecting from it it is time to reevaluate our relationship with technology. If individuals want to thrive in a future dominated by AI and intelligent machines, they will need to create more time and space for human relationships that foster creativity. Less time on smartphones and apps, even disconnecting, will be key; CNBC; 2/9/2019
• Gavin de Becker, Bezos' Security Chief, Is a Guardian to the Stars peace of mind for celebrities, politicians; NYT; 2/7/2019

Technology

• EFF: Security Tips and Tutorials; Security Tool Guides
• Ethical.net: Alternatives & Resources: Browsers; Search engines; Email services; Analytics; Web hosting; Team collaboration; Messaging; Office; File sharing; Video hosting; Tools; Mobile apps; Blogging; Streaming services; Game stores; Social media; Browser extensions; Smartphones; Accommodation & Maps; Organisations; Conferences & Meetups; Magazines; Podcasts; Books; Films & Talks
• Website privacy options are often valid and relevant — but good luck finding them TNW; 11/6/2019
• Taking Steps to Maximize Privacy While Covering the Lack of It investigative reporter Jennifer Valentino-DeVries; NYT; 5/22/2019
• [2] The security threats of neural networks and deep learning algorithms
  History shows that cybersecurity threats evolve along with new technological advances. Relational databases brought SQL injection attacks, web scripting programming languages spurred cross-site scripting attacks, IoT devices ushered in new ways to create botnets, and the internet in general opened a Pandora's box of digital security ills. Social media created new ways to manipulate people through micro-targeted content delivery and made it easier to gather information for phishing attacks. And bitcoin enabled the delivery of crypto-ransowmare attacks.
  
  Deep learning and neural networks can be used to amplify or enhance some types of cyberattacks that already exist,e.g., replicate a target's writing style in phishing scams, automate the finding and exploitation of system vulnerabilities. They are overly reliant on data, which means they are as good (or bad) as the data they are trained with. They are opaque, which means we don't know how they function (or fail).
  
  Adversarial examples, inputs that cause neural networks to make irrational mistakes, accentuate the differences between the functions of AI algorithms and the human mind, e.g., computer vision, voice recognition. Data poisoning creates problematic behavior in deep learning algorithms by exploiting their over-reliance on data. Deep learning algorithms have no notion of moral, commonsense and the discrimination that the human mind has. TNW; 1/19/2019