Back to the Basics
This week, nothing particularly explosive happened in the privacy or cybersecurity world. Governments and major service providers continued to be hit with malware, data brokers continued to scoop up people’s personal information without so much as a blink from the law, and people continued to feel as if they have no choice but to submit to the abuses of surveillance media like Facebook and Twitter (news flash: humanity existed just fine before Facebook, you can go back to not having it. But that’s a rant for another day).
So I’ve decided this week is a great opportunity to take advantage of the calm and remind ourselves of some basic habits. In the military, troops are continually trained on basic stuff like how to handle and shoot a weapon, how to build and guard a temporary encampment, how to conduct patrols, and more. This is because any skill – when left unpracticed – gets forgotten and rusty. It’s never enough to say “oh, I learned this basic, day-one, 101-type skill, I’m good.” You have to keep coming back to it and keep it sharp, make it a habit. So this week, let’s go back to some of the basic stuff and make sure we’ve got our fundamentals tight.
As some of my readers probably noticed, I tend to take a more security-focused approach on my website. I view privacy as an important part of your security model, as well as a fundamental human right, but while some resources say “it’s most important that you use encrypted messaging to prevent your cell carrier from reading your messages,” I say “it’s most important to prevent identity or account theft.” So with that focus in mind, I’ll start our refresher with best security practices.
First off, any American reading this should freeze their credit. In my time promoting this to people (especially parents with children), I’ve learned that a “credit freeze” is actually a misnomer. Many people assume based on the name that freezing your credit means that nobody, not even you, can access your credit. That would be disastrous for people who are trying to get out of debt, build their wealth, boost their credit scores, or otherwise still in the process of actually using their credit. However, that’s not the case. Rather, a credit freeze is like adding two-factor authentication to your credit file. Nobody can open any new accounts without the PIN they issue you upon freezing your credit, but changes can still be made such as updates to accounts, debts paid off, or changed addresses or scores. (Friendly reminder from personal experience: don’t lose the PIN they send you. It can be replaced but it’s a nightmare process.)
On the topic of two-factor authentication, literally every online account you use that offers two-factor authentication should be using it. Fortunately, in recent years, 2FA has become more widely accepted and many places offer some form of it (even if it’s only a weak, privacy-violating form such as email or SMS). Honestly, if you use two-factor correctly, you can get away with having a weak password. I don’t think you should, but you can. That’s how important it is.
For privacy, I would argue that the most basic, important thing you can do is to look at the settings on your phone and pay attention to them. While phones are virtually impossible to make private by nature of what they do and how they work, you can dramatically reduce the amount of data that they leak and that the apps themselves collect. You can change a variety of settings to restrict apps to only having access to the things they actually need and to collect less data by default. Additionally, you should remove any apps you don’t actually need or use regularly. Apps are the biggest attack vector for malware and other security and privacy breaches on mobile devices. My general rule is if you can wait and do it on a desktop where you have better security and more control, you should. On that note, be sure to examine the settings on your desktop machine as well.
It’s important to know that privacy and security aren’t just a bunch of apps or products you buy, they’re also habits you develop. In the classic TV show “Seinfeld,” there’s an episode where the titular character’s apartment gets robbed while he’s away because his friend Kramer had failed to close the door. When Kramer asks Seinfeld if he has insurance to cover the losses, Seinfeld’s incredulous retort to Kramer has stuck with me since childhood: “I spent my money on the Clapgo D. 29, it's the most impenetrable lock on the market today...it has only one design flaw: the door...[shuts the door] must be CLOSED.”
You can invest in all the best tools, hardware, and services, but if you don’t use them correctly it’s all for naught. In the studio audio world, there’s a saying that a good recording is the result of a hundred tiny good decisions. Good privacy and security are the continual result of a bunch of tiny decisions. Just as with dieting, it’s not about running ten miles every day and eating salads. It’s about switching to diet sodas instead of regular, or passing on the fries with the burger. With privacy and security fundamentals, it’s important to make habits. Fortunately, all of the stuff I listed here is pretty passive – you uninstall an app and you never think about it, or you enable 2FA and it works. But there are other effective basics, like considering metadata or using good internet practices. There is general agreement among the cybersecurity community that the NSA – elite, well funded, and advanced as they are – probably uses common tactics like credential stuffing or phishing more often than not to access a target’s accounts. It makes sense. Even as we near 2021, people are still falling for this stuff. So while you’re taking the time to examine your basic steps, don’t forget to check your habits and make sure that you’re not undoing all your hard work with bad habits that make the good steps you took meaningless.