Almost every week, it seems that there is some kind of major security breach. Whether celebrity nudes, the social security numbers of the majority of Americans, or a Bitcoin heist, it seems that our private data is under constant attack.
The Internet and your co-workers are full of advice: put a sticker over your webcam, disable Flash/Java in your browser, encrypt your drives, delete your Facebook account, cover your hand while using the ATM, get a burner phone, pay for everything with cash, start wearing a tinfoil hat to protect against the NSA’s spy rays, etc.
The reality is that as more and more of our lives become digital, information security becomes increasingly important. Many bad things can happen when your privacy is breached: from finding out that you have a boat loan that you didn’t know about to having your naked photos all over the web to being thrown in jail because the government doesn’t approve what you have to say. It’s important to take appropriate measures to protect yourself, but what is appropriate for you really depends on the kind of secrets you have to keep and the kinds of threats you need to protect against.
Let’s consider three people who care about their privacy, and steps they should take to keep their stuff private:
Lisa Monroe lives in Madison, Wisconsin. She is a college student with a part-time job. She just got her first credit card, and just started going steady with a boyfriend.
To keep her private photos private, Lisa only sends them using Snapchat. Lisa doesn’t have many secrets to keep, but she is worried about fraud to her credit and debit cards and the naughty pics she trades with her boyfriend Brad.
To keep her finances secure, Lisa signed up with the free app WalletHub to keep track of her credit score and uses Clarity Money to monitor her spending and make sure there are no unauthorized charges.
To keep her private photos private, Lisa only sends them using Snapchat, which prevents photos from being saved and notifies her if someone takes a screenshot. She also has enabled a passcode on her iPhone, which she knows is automatically encrypted, so that thieves can’t access her information if it’s lost.
Lisa also uses a password manager, LastPass, which generates a random unique password for every account she keeps so that when the buggy website her college uses is hacked, the stolen passwords can’t be used to login to her bank account.
To keep his Bitcoin stash secure, Andrew stashes it on a Trezor. Andrew Stephens lives in a penthouse facing Central Park in a Manhattan high rise. Andrew was a construction worker when he purchased 1,000 Bitcoins on a whim in 2012. They are now worth $7.2 million, allowing Andrew to massively upgrade his lifestyle. Andrew is obviously worried about the security of his Bitcoin stash, but he’s also concerned about unauthorized transactions on his American Express Platinum card from that club he gets bottle service at. He likes to go diving in Cabo San Lucas and doesn’t want his wealth to leak out, lest he is held for ransom.
Like Lisa, Andrew uses WalletHub, LastPass, and has a security code on his iPhone.
To keep his Bitcoin stash secure, Andrew stashes it on a Trezor. He encrypts all MacBook and Time Machine files using FileVault. He uses multi-factor authentication with LastPass Authenticator to sign in to his email and bank accounts. To monitor his financial status, he uses Personal Capital, where he tracks spending on all his accounts. He uses a YubiKey physical security token to log into his MacBook and lock it when he steps away, so that criminals cannot install a keylogger on it when he leaves it at home or in a hotel room.
Andrew is investing in a Hong Kong startup making an ASIC cryptocurrency miner. When he goes to China, he uses a phone and cheap laptop that he keeps just for travel to protect against both Chinese industrial espionage and the TSA. He wipes the phone and laptop clean just before boarding his flight back to the USA.
Andrew’s home is protected by a home security system with remote cameras he can access anytime.
Zhao’s web browser has the extensions HTTPS Everywhere, AdBlock, and ScriptSafe to protect against malicious websites hijacking her computer. Zhao Gong Li lives in Beijing, China. She works as a lawyer who represents people defending themselves against government-backed property development companies who try to take their family plots without proper compensation. She is worried about the local police ransacking her home to find or plant incriminating evidence as well as spying on her Internet activity to spy on her communications with her clients. Zhao is helping a European NGO to produce a documentary about illegal land seizures in China and does not want the government to find out about her involvement. She also needs to access the Internet outside China’s firewall for her research.
Zhao’s router is an RT-AC86U router running the Asuswrt-Merlin custom firmware. Whenever she wants to go online, she firsts connects her router to a private VPN service that she pays for with Bitcoin. Zhao keeps all her data on an external hard drive that she encrypts with VeraCrypt. She copies the hard drive at her friend’s apartment once a month in case it is confiscated, and keeps it in her purse at all times. Zhao has a Windows laptop, but the operating system on it is just a decoy used for personal entertainment. She has a tiny encrypted Ubuntu Linux USB flash drive in her makeup case that is her work operating system.
Zhao’s web browser has the extensions HTTPS Everywhere, AdBlock, and ScriptSafe to protect against malicious websites hijacking her computer. She covers up her webcam and the microphone port on her computer. When she visits her clients, she turns off her smartphone and uses a burner phone with an anonymous sim card she replaces monthly from a street vendor. Like Andrew and Edward Snowden, Zhao uses the Signal for messaging.
As you can see, your security needs depend on the threats you need to protect against. Find a balance between security and convenience that is appropriate for your life. Trying to implement too many security measures will create a lot of extra work and frustration and tempt you (or your kids or employees) to bypass the protections entirely. Nevertheless, there are some common steps that apply to everyone. Use a device that is encrypted by default (such as the iPhone) with a long passcode. Use a password manager to avoid reusing passwords. Don’t share confidential information (or photos) with people who you don’t trust. Monitor your financial status. A few simple steps will protect from becoming yet another victim of the most common online security threats.