Posts Tagged security

Privacy and social engagement

Posted on Wednesday, 28 August, 2013

On the heels of last week’s post about the fear of saying the wrong thing, there’s another fear that also prevents some people from engaging in social media: privacy.

Privacy and security fears have been noted as the number one fear for anyone who spends time online. For some of these people, those fears and concerns about privacy are also preventing them from engaging in social business. While I will go on in a moment to help address some concerns and outline a few ways to tighten things down, I’ll say this first and up front: privacy on the internet is a myth. If you are engaging in any social medium, you are doing so knowing that you can be identified by the information you share and have hopefully consciously made the choice to accept that you will not have complete privacy.

Social business thrives on the building of your own digital eminence, which can’t be done anonymously. Social business transcends the digital realm and connects us to the physical world as well. Make no mistake, when we play on social sharing sites, we do so either with pseudo-anonymity or we compromise how much factual data we reveal about ourselves.

That said, the question becomes “how can I maintain some level of privacy and still be relevant on social media?”  Simply said, using your real name, but maintaining minimal other profile information will let you build your reputation based on what knowledge you share without providing any more identifying information than your name. This allows you to connect your professional career and online presences to build digital eminence and grow your career.

Most sites require very little to be in your social profiles. Typically this profile information consists of your display name, real name, and possibly location. Some may require an image, though that is easily and often addressed with a non-personal photo. Both of these can be addressed with obfuscation to help bolster your privacy; both approaches, however, go against best practices for building your own online reputation. So, at the minimum, your name will be visible. That alone can make some people uncomfortable, but that is the starting point for playing in social business: people should know who you are, as that builds trust across your network.

Beyond your name, and preferably a photo, any other bits of information you provide should be shared with the knowledge that they will likely be publicly accessible. Even if you have multiple disconnected accounts, if there are common names or usernames between them, people can begin to connect those dots. Unless you have a VERY common name, the concept of security through obscurity is no longer relevant. While not meant to scare you, this is a big consideration and something to think about every time you share a link or write a post: that content will follow you. Here is a great article on a social engineering hack just published yesterday that allowed access to accounts based on shared or publicly available content.

One way to help improve some levels of privacy would be to maintain separate digital personas for personal and professional use. While I don’t necessarily recommend this approach as noted in my previous blog post on the topic, I do understand why some individuals would prefer the multiple account strategy. My recommendation for those who do adopt this method is to use your real name in your professional account only, and not for any personal account. This will help disconnect the personal content from your professional content. Likewise, only share information and content related to your professional expertise, as this will help grow your eminence but also helps protect your personal privacy if only professional content is shared.

In cases where your real name is required for a personal account (as is the case for Google+ and common practice on Facebook), you have the ability to lock down those accounts to reduce the potential for search indexing to occur and connect content from your personal and professional accounts which share the same real name.

Following are a few great articles on how you can improve privacy settings on Facebook, GooglePlus, LinkedIn, Twitter (with a tumblr bonus), and Pinterest:

Of course, there are also some simple things you can do that don’t require any configuration of preferences or settings:

  • Understand that anything you say/ post online will stay online. The internet remembers everything.
  • Manually approve or disapprove follow requests. Approve only those you know, ignore or block those you don’t. If unsure, ask who they are via DM or private message.
  • Remember that it is possible to inadvertently reveal identifying information through status updates, photographs, comments in friends’ networks, community or group membership, and other non-direct means.
  • Some may seem overtly obvious, but every day I hear of how this information has been posted and then misused, so don’t publish your date of birth, phone number, email address, or physical address. And especially not your social security, credit card, or driver’s license numbers.
  • Remember that what you post can be seen and shared by others even in a small controlled group. Always think about what you say and what photos you post, as they could be reshared by someone in your network or otherwise be seen by people not in the intended audience.
  • Don’t publicize future vacation plans, especially the time you’ll be traveling.
  • Don’t use location-based services when posting to social networks.
  • Actively manage your friends lists, circles, or following/followers to ensure your own comfort level with your network.
  • Ok I kind of lied, this is a preference/setting bullet, but it is important! Check your privacy settings often. Many social sites roll out new features and new privacy settings without widespread announcements.

For more tips, check out the page at PrivacyRights.org which discusses cyber stalking and steps to take to mitigate potential issues: https://www.privacyrights.org/fs/fs14-stk.htm#3

Please note that this is not a comprehensive security/privacy post, but one intended to help get you thinking about how you can manage your own privacy to the level that is right for you.

And, as always, my dear friends, #StayVigilant!

Protect yourselves, stay vigilant

Posted on Wednesday, 25 April, 2012

On Monday, I ran across a story on a local news station regarding a security breach of some DNS servers, how the FBI put a temporary safety net in place, and now how the servers will be shut down in July. This prompted a larger scale informational campaign to help computer users determine if their own systems were ‘infected’ and are using the DNS servers which are slated to go offline (when that happens, if your system isn’t using good DNS servers, your internet connection will be gone).

I posted this article to Facebook with the intent of spreading the word and helping people check their own systems to be sure we are all using good DNS servers. But as I went through my personal validation process to be sure that the information I am passing on is genuine, I realized there’s a lot of stuff I just do and never really explain how/why. So in the spirit of knowledge sharing, here are some tips to help you stay safe on the internet, avoid malware, and do more to protect your own privacy:

First and foremost: Lock down your privacy settings anywhere you may have an account so you can identify with whom you are sharing information. Take some time whenever you create new accounts to research and set privacy controls before doing anything else on a website.

Here’s a great write-up which explains some of the Facebook behaviours which may affect privacy, and what you can do to control it to some extent: http://www.hanselman.com/blog/FacebooksPrivacySettingsAreTooComplexForANYONEToUseChangeTheseSettingsToday.aspx

Think you’re safe if you only touch Facebook settings? Think again. Google tracks a plethora of information too. You can stop Google from tracking your history (which is tied to your Google account) and opt out of the Google ads with these three links:

  • https://www.google.com/history
    “Pause” will stop the tracking of your Google web history (searches and which links you followed from the results), while “Remove” will clear out the selected history.
  • https://www.google.com/settings/ads/
    After opting out, you’ll still see ads, but Google won’t use your personal information to target those ads specifically to you. Be sure to opt out for both Search/Gmail and ads on the web.

 

Now that I’ve touched on the two ‘biggies’, let’s focus in a bit more generally with some catch-all solutions:

I’ve personally had success with all three of these, though your mileage may vary depending on your preferences and system setup.

 

But you know what? Tools and settings aren’t enough. Sometimes it all comes down to what I called “wetware” when I was working for a content filtering company: your brain. Tools and options just don’t protect us from ourselves, which is why we need to be able to think critically and be ever vigilant (bordering on paranoid) as we surf the web.

Did a Facebook friend just read a really provocative looking article? Are you sure they did? Is that the kind of article you think your friend would spend time reading and “Like” on Facebook? Do yourself a favour and don’t click the link, it’s likely a phishing attempt to get you to allow an application access to your Facebook profile and post on your behalf; your friend is likely the latest in a long line of victims.

Before clicking links, stop and hover over them. If a link goes to a known server, is relatively ‘clean’ of characters like ? or &, and doesn’t end in an active file extension (like .pl, .js, .exe, etcetera), it is most likely a good link. But you need to be careful of embedded links which point somewhere other than the link text, as well as shortened links which don’t expand to show the full URL.
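The hover checks described above can be written down as a small script. This is an added example, not part of the original post: the trusted-host list, the shortener list, the warning names and the sample HTML are constructed assumptions, and a link that passes is only "nothing flagged", not proven safe.

```python
import posixpath
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a personal allowlist of servers the reader already trusts.
TRUSTED_HOSTS = {"fbi.gov", "dcwg.org"}
# A few well-known URL shorteners; the destination is hidden until expanded.
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com"}
# "Active" file extensions of the kind the post warns about.
ACTIVE_EXTENSIONS = {".pl", ".js", ".exe"}
# Finds something that looks like a hostname inside the visible link text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def base_host(host):
    """Lower-case a hostname and drop a leading 'www.' for comparison."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def check_link(href, text=""):
    """Return the warnings for one link (an empty list means nothing flagged)."""
    try:
        parts = urlsplit(href)
        host = base_host(parts.hostname)
    except ValueError:
        return ["unparseable"]
    if parts.scheme not in ("http", "https") or not host:
        return ["not-a-web-link"]
    warnings = []
    if host in SHORTENERS:
        warnings.append("shortened")
    elif not any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS):
        warnings.append("unknown-host")
    if parts.query:  # the '?' and '&' characters the post mentions
        warnings.append("query-string")
    if posixpath.splitext(parts.path)[1].lower() in ACTIVE_EXTENSIONS:
        warnings.append("active-extension")
    shown = HOST_IN_TEXT.search(text)
    if shown and base_host(shown.group(1)) != host:
        warnings.append("text-host-mismatch")  # text names a different server
    return warnings

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit(html):
    """Map each link in an HTML fragment to its list of warnings."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    return {href: check_link(href, text) for href, text in collector.links}

# Constructed sample: one link to a trusted server, one embedded link whose
# text names a different server than its target, and one shortened link.
SAMPLE_HTML = """
<a href="http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf">FBI guide</a>
<a href="http://updates.example.net/fix.exe?id=7">www.fbi.gov</a>
<a href="http://bit.ly/abc123">Shocking video</a>
"""

if __name__ == "__main__":
    for href, warnings in audit(SAMPLE_HTML).items():
        print(href, "->", warnings or "nothing flagged")
```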

Which gets me closer to the point: don’t trust links. Unless you absolutely trust the source posting the link, and the server for the link itself, don’t click it, just run a quick search instead and find the info outside of Facebook (here’s a GREAT Oatmeal cartoon which explains this without raising the spectre of malware as the reason for searching).

 

Let’s take the above article about the FBI and DNS servers as an example:

I originally saw the story posted by KPTV News on Facebook. Since I trust this account, and the story/link was consistent with other news they post, I clicked the link into the story. From there, however, I stopped trusting. Specifically, the story describes an FBI business partner in this case, and links to their site to ‘check’ your system to see if you are using the wrong DNS servers.

At this point small alarm bells start ringing in my head, but I head over to http://www.dcwg.org/ to check it out. Alarm bells are ringing even more since this site asks you to click a button to run a check, something you should never do unless you trust the source completely. Plus, I am a bit more dubious as the site runs WordPress as the engine. I should note here that while I adore WordPress as a platform, the fact that dcwg.org uses it made me immediately skeptical about the authenticity since anyone can build a WordPress site like that. Heck, I run 5 of my own WP installations, including this one; I KNOW anyone can do it!

That all said, I’ll give credit to dcwg.org for acknowledging the need for trust and helping people validate the authenticity as well by pointing to FBI.gov hosted materials.

Rather than using the automated link in the original article (which was down due to heavy traffic anyway, but also because you should never trust sites that ‘fix’ your computer without doing your research), I used the following PDF from FBI.gov which outlines exactly how to check your system for this issue: http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf

Since I trust the fbi.gov servers and PDF files to not auto-run malware on my system, I knew I’d be able to validate the issue by virtue of understanding the solution through text. I can happily say that I was indeed able to validate the authenticity of the problem, solution, and third-party business partner as trustworthy, but only after doing a little research beforehand. (Now, you should all review the PDF file as well to understand how to correct your system, or at the very least, what the dcwg.org “fix” button will do to your system to correct the problem.)

While the above turned out to be a perfectly safe example, it really is the perfect scenario to explain how and why you need to check before you click, as similar tactics are exactly what caused people to click buttons and modify their DNS server settings in the first place.

Want to take privacy and protection to an even greater level? Check out the fine folks over at https://priv.ly/

This is a new tool being designed and developed by Oregon State scientists working on changing the paradigm of content sharing. Priv.ly is intended to take control away from the content hosts like Facebook and Twitter and put that control right back to the user, where it belongs. This works to remove companies’ rights to control and sell your data, putting your data privacy in your hands. If you are concerned with privacy you need to check these people out.

Stay vigilant, my friends. Protect yourself. No one else will.

Why you should care about online activity tracking

Posted on Friday, 30 September, 2011
My friend, Augustine von Freiburg, recently put out a call over on G+ asking to “Convince me that I should care that [insert name of all-powerful social network here] is tracking me.” The conversation continued for a bit noting that the likely only real issue is that now advertisements can be targeted to you.
Since I am one of those people who has recently been sharing a good amount of information under the auspices of “Staying Vigilant” when it comes to knowing what’s going on with your information on social sites, I felt compelled to think more deeply as to what the issues at hand here really are. So I began collating some ideas as the conversation continued on (I’d noted I had thoughts on the matter, but wasn’t able to accurately or intelligently voice them at the time, but would come back to it later… now is obviously later). Over the course of the other comments, some good items were brought forward, items which should be acknowledged, but still left me feeling like the right answer was still eluding me.
There was a point made regarding police states and tracking. A very good point, and one which we shouldn’t ignore especially with the recent Carnegie Mellon application specific to connecting individual information with a picture via facial recognition. The source story from The Atlantic can be found here. Connecting offline lives and information with the online persona and information can indeed be a damaging prospect for many people. The same arguments regarding Google’s “Real Name” policy can be made here as well, since the veil of anonymity is even more readily lifted with technology like this. Visions of 1984’s Big Brother are quite cliché, but still accurate within this context.
But imagine you aren’t a revolutionary or progressive fighting against a totalitarian regime, does it really matter to you? Likely you can brush off police state fears as irrelevant to your own life of privilege as a middle class American; the likelihood is still an issue of the future, not the present. It is simply tough to identify with the fear and feelings of living in a police state where information tracking has actual, tangible consequences if you are living the right life. So how is online activity tracking a relevant concern to the “every day middle-class American”?
There are the obvious employment concerns of potentially exposing behaviours which employers may deem unsuitable for their employees to engage in. We have all, of course, seen examples of this in the media over the past few years, and know that employers make it a habit these days to use social sites as research tools when hiring both to weed out the bad as well as bubble up the good; a double-edged sword there to be sure, all depending on who you are and the relative conservatism of the employer. The issue here, of course, isn’t the tracking of your online activities per se, but rather the potential exposure of such activities.
When sites like Facebook begin changing how information is displayed, bringing some information to higher visibility than previously shown, the social code is broken. I’m not saying FB changed their security (they didn’t), but rather that when they shifted how the site functions, users who had once felt safe under the blanket of ‘security through obscurity’ were all of a sudden left cold as their activities were now up in the forefront, exposed not just to people who went looking for it, but to anyone who has logged in and noticed the ticker. Again, the issue here is the exposure of the information made possible by both direct user actions as well as tracking. The information has been there for a long time, but it was now exposed in a much more visible fashion.
This brings up the idea here that this isn’t even about ‘privacy’, as nothing on the internet is really “private”, but rather about owning my information and being able to mitigate the potential exposure (understanding that removing the risk entirely is not possible, even if you delete all your data and account and logout for good… the internet remembers everything). So, the problems begin when Terms Of Service change to allow companies to cast wider nets, and new settings are implemented in an opt-out rather than opt-in fashion. Had the ticker on Facebook been rolled out as an opt-in feature, I doubt anyone would have complained; it wouldn’t have had a great adoption rate either, but the ‘privacy’ concerns wouldn’t have been founded.
Is there a real, tangible concern with social sites just tracking your information as they please? Not from my perspective. The issues begin when they expose that information at their will and without the individual’s explicit confirmation. Yes, we’ve all agreed to the terms of service in order to play on these sites, and have likely not thought of all the potential consequences of clicking Agree. Without knowing the full text of the Facebook TOS agreement, I’ll set up a small example: say there is a line in there which binds the user in agreement to allow FB to share the user’s data with 3rd party entities. When you clicked ‘agree’, there were likely only one or two companies to which FB was actually providing data, and they were likely advertising or some other benign company. But now, FB has your agreement and now brings in another company, one like “BigBrotherMedical” or some such insurance provider, and now your data can be shared with them potentially impacting your eligibility for medical insurance since you buy your cigarettes and booze on-line, increasing risk factors for health problems, which are now tracked, thanks to a silly little cookie in your browser. I am sure you can build out a slew of your own ‘what-if’ scenarios here on your own….
It is these unforeseen changes to the service, and the default opt-in, which are of concern. They remove control of the individual’s information and place that control in the hands of the social site, giving the user a false sense of security by providing some basic ‘privacy controls’ or options. This is one of the reasons why I am vocal about exposing the underlying workings of what Facebook has been doing recently. It behooves every user to be aware of what changes are happening and what consequences those changes could have down the line. I am not warning people to quit FB, logout and never come back, but rather to be aware of what they are agreeing to. A choice is not a choice if one is not informed properly… which is why I tag many of my posts highlighting these ‘issues’ as “Stay Vigilant”; simply said, every user needs to make their own choice about what they are comfortable sharing on a site, as well as making the choice as to how comfortable they are with having their activity tracked beyond the spectre of just targeted advertising purposes.
But all that fear is indeed just a healthy dose of paranoia and speculation. So let us talk about an even more dangerous issue surrounding the use of the information being tracked today. An issue which has actually been building for a few years now and one which has already had consequences. I’ve been referring to it as “social homogenization” in different contexts (surrounding how we tend to surround ourselves with like-minded individuals on social sites and tend to have less interactions with people of dissenting opinions with whom we are directly connected). This “social homogenization”, however, has been going on behind the scenes as well.
Google, Facebook, and many of the other smaller companies have been doing this for years now, under the guise of ‘personalization’, where content is filtered for you by algorithms and internet robots watching your every click. A great TED Talk (available on YouTube here; go watch it now, I’ll wait….) was recently shared by another acquaintance on G+ regarding this exact behaviour and presented in such a way that it really shows the dangers inherent with personalization: filter bubbles. These filter bubbles, controlled by algorithms with no ethical balance, begin working to insulate us from information they think we don’t want, based directly on our online activity tracking. The result is that we are provided only the information the algorithms think we do want. This is likely the most dangerous aspect in the present, as it has immediate and direct impacts on the information available to us right now.
In the TED talk linked above, you will see a real world example in which this personalization based on activity tracking resulted in no mention of the Egyptian revolution on the first page of a Google query on “Egypt” for one user, while it flooded the first page result set for another user. The difference between the two users was (from what I can glean from the video) mainly location. Even then, the speaker regales the audience at the beginning with the anecdotal evidence he personally encountered on Facebook, where he was seeing far less of his conservative friends’ posts, and much more of his liberal/progressive friends’ posts, based on the algorithms which indicated he was clicking on the links shared by his liberal friends far more than those shared by his conservative friends.
At a base level, this scares me more than anything else about how tracking my online activities can be used in an ostensibly benign fashion couched as ‘personalization’, but have much more insidious effects in keeping relevant and important information from being surfaced in my news feeds or Google query results. As the speaker noted, these algorithms have no built-in ethics as the gatekeepers of knowledge, and because of that, there is no real editorial review; information is passed on not because it NEEDS to be seen, but only because the algorithm thinks I want to see it. A very, very dangerous behaviour if you ask me, and truly the reason why I will continue providing warnings and information about how social sites are tracking and using your personal data.