I’ve changed browsers


Periodically I go on a tear about Internet security. I take a look at everything — the browser I’m using, the browser’s security plug-ins, my Mac’s firewall, and pretty much everything I can think of. I check to see if there’s anything new that might help.

The Brave browser is pretty new. Version 1.0 of the browser was released last year. The browser code is based on Google’s Chrome. Brave claims that it is faster and more secure than Chrome. Brave even internally supports the Tor secure-browser network. You can open a Tor window in Brave.

In the browser business, there are no saints, and there never have been. Netscape, Microsoft’s Internet Explorer, Mozilla, Firefox, Opera … I’ve used them all at one time or another, and all have had their failings and foibles. Brave is no different. A few months ago Brave was caught trying to steer web traffic toward its money-making sites, which have something to do with encrypted currency. Brave apologized, though, and cleaned up their act.

I took a fresh look at Firefox, and I was appalled. Firefox was slow and was full of memory leaks. But Brave has been running nice and clean for a week now. Fewer security plug-ins are needed with Brave, because Brave takes care of many security issues by default, no plug-ins needed. Switching to Brave is easy if you’re a Chrome user, because it is compatible with Chrome. I easily moved my bookmarks and saved passwords to Brave.

Like it or not, Chrome is the most advanced browser, not least because it’s based on Google’s Chromium open-source software project. That’s how Brave is able to make use of the Chromium code base. But Google, being Google, is evil, and I’ve always distrusted Chrome, knowing that Google makes software decisions based on what makes people money on the web, not on what provides the best security for browser users.

I continue to use Safari, but only for Facebook. I detest and distrust Facebook, but I’ve not yet quit it. I keep Facebook running in a separate browser to keep it more isolated. And, as I mentioned in an earlier post, I’m now using OpenVPN, with the VPN server running on my own virtual private server.

Apple sticks it to Facebook and Google


For years, Facebook and Google have been running a racket for tracking people on the Internet — “Sign in with Facebook,” and “Sign in with Google.” I have never fallen for this, and I hope you haven’t either. If you use these things, you’re practically handing Facebook and Google a detailed dossier on where you go on the Internet and everything you do.

Now that Apple is coming out with “Sign in with Apple,” one wonders why they didn’t do this a long time ago. Do I trust Apple’s policies on privacy? Yes. Do I trust Facebook and Google? Never in a million years.

One nice feature of Apple sign-in is that, if you use it to create a new account somewhere, you don’t have to give your real email address. Instead, Apple lets you hide your real email address by randomly generating a virtual email address for that account.

Before I upgraded my iPhone to an iPhone XR about six months ago, I would have imagined that “Face ID” was a minor frill of no great value. With Face ID, you sign in to your iPhone (and to many apps on the iPhone) just by letting the phone’s camera have a look at your face. But I have found that Face ID saves a huge amount of time and aggravation, not only because I don’t have to poke in a password with my fingers, but also because I have fewer passwords to remember. When devices can securely remember your passwords for you and you don’t have to key them in, you can have longer, more random, more secure passwords.

The ability of Apple sign-in to hide your email address also is a welcome feature. The reason we all get spam is because dark players on the Internet “harvest” email addresses and sell them. I have an email address that I’ve used for more than 20 years. It gets lots of spam. I also have an Apple email address that I use only for people (and a very few companies) that I trust. The Apple email address has never received any spam, and I have used it since 2012.

What the world is still waiting for is secure email, in which email is always encrypted and always signed with a security certificate. The technology for doing this has long existed, but no one has turned it into a system that is easy to use, because Internet companies all want to bombard us with email. I dream that Apple will do that someday. (For now, there is OpenPGP, but I doubt that anyone other than nerds would want to use it.)

Slate has a pretty good piece about Apple sign-in. Slate’s angle is that Apple actually is regulating Facebook and Google (since the U.S. government won’t). The Slate article also mentions other matters of security that I need not go into here (such as reminding people that, if you have a Gmail account, Google can read all your mail). The article is “Apple Is a Tech Regulator.”

Apple says that Apple sign-in will be available later this year.

Why does this feel familiar?



One of the creepiest Zuckerberg photos of all time, which he himself cluelessly posted on Facebook


The sound of derisive laughter from the entire civilized world almost drowned out the din of the Washington circus. Mark Zuckerberg said that Facebook will “pivot to privacy.” Yes, and pigs will pivot to flying.

We veterans of the Apple-Microsoft wars, which went on for years, have been there before. Apple is still in the game, but Facebook is the new Microsoft. Facebook’s evil-empire strategy really is the same as Microsoft’s. The strategy is not about giving people what they want and treating customers with respect. Rather, it’s about domination and control, trapping one’s customers rather than delighting them.

As Slate and other publications have pointed out, what Zuckerberg’s “pivot to privacy” is really about is domination. Apple owns that high ground at present, with its smooth-as-silk iMessage ecosystem. And as Consumer Reports points out, encrypted messaging is already here and has been for a long time. Apple’s iMessage has had encryption all along. And even old-fashioned SMS phone-to-phone texting is secure, as long as the cellular carriers keep their promises not to snoop.

I sometimes wonder if Apple’s messaging system didn’t lead — or at least feed — the trend away from actually talking on our phones versus using our phones for texting. Millennials, and the coasts, have led the way. According to Forbes, some companies are eliminating voice mail, because so many employees don’t want it and don’t use it.

I am right on the edge of changing the answer message on both my phone lines to say that I never answer the phone, but that if it’s really important and you leave a message, I might call you back someday. More than half the time when my phone rings, it’s a spam call. The rest of the time it’s somebody that I don’t want to talk to, because my friends (as well as most of my political associates) text me or email me.

So Zuckerberg has accurately noticed that texting is now the future and that people are disgusted with Facebook (and with social media in general). It took about 10 years for people to realize that social media, despite its early thrill, would inevitably rot because of the drag and corruption exerted by the lowest common denominator. There is even a precedent for this rot, though latecomers to the Internet would not be aware of it. It was called Usenet. Usenet started around 1979. All the early Internet computers had it. During the 1980s, Usenet was a marvel of elite communication. All the universities had it. But after Usenet reached a certain size, it became useless because of the spam, the trolls, too many people, and those who tried to bilk it for promotion and advertising. This is now happening to Facebook. Consequently Zuckerberg is desperate for new terrain to dominate and control.

I predict that Mark Zuckerberg and Facebook, like Microsoft and Bill Gates before him, will fail. That’s because Facebook will continue to build traps. Apple will compete by building better and better stuff.

Free VPN that seems to work (so far)


When I first started shopping for VPN services some years ago, there was a sleaziness involved. VPN providers seemed to be located in countries that we don’t trust, the kind of countries that Internet scammers work out of. The targeted customers for VPN service seemed to be criminal types with a great deal to hide, as opposed to law-abiding but security-conscious computer users like me. Two or three years ago, I signed up with a U.S.-based VPN provider. But about eight months ago, after I started using HughesNet’s satellite service as my Internet provider, I had to stop using VPN. For some reason, satellite latency makes VPN protocols so slow that they become unusable.

Recently I discovered a new VPN provider, Windscribe. It’s a Canadian company. If we can’t trust Canadians, then whom can we trust?

Windscribe offers two types of VPN. One is a VPN tunnel that encrypts all traffic through your computer. Unfortunately, that’s as slow and useless as any other VPN service on a satellite connection like mine. But Windscribe also has browser plug-ins for Chrome, Firefox, and Opera. I’m using the Firefox plug-in, and it is acceptably fast. The browser plug-ins encrypt and anonymize only the traffic through your web browser, which is enough for me.

You can get either type of VPN service free from Windscribe if you don’t use much data. If you give them an email address, then you get 10 GB free per month. If you don’t give them an email address, then you get only 2 GB per month. The paid service, which is unlimited data billed annually, is reasonably priced. I may upgrade to that after I’ve tried out the free service a bit longer.

Everyone should use a VPN service! Here’s a recent article on why.

The Equifax cyberattack: Odds are, you were affected



Update: According to the Washington Post, some security experts think there may be something fishy about Equifax requesting six, rather than four, digits of Social Security numbers. Also, Equifax may have whipped up a “terms of service” agreement that tricks you into forfeiting your right to participate in a class-action lawsuit. For now, it might be best to avoid Equifax’s EquifaxSecurity2017.com web site, though a credit freeze would still be appropriate, as far as I know, for those who want to do that.

Here’s a link to the Washington Post story: Equifax asks consumers for personal info, even after massive data breach

It would appear that Equifax is bungling their response to this.


You probably know by now about the huge data breach at Equifax, one of the three American credit-reporting agencies. According to the New York Times, since data for 143 million people was stolen, the odds are greater than 50 percent that you were affected.

Equifax set up a web page where you can enter your last name and six digits of your Social Security number to see whether you were affected. I was.

I can testify that even a minor case of identity theft is a pain in the neck that is very difficult to straighten out. When I lived in San Francisco, someone used my name and Social Security number to get a telephone in San Jose. They didn’t pay the bill, of course, and Pacific Bell came after me. I was shocked to learn that, under California law, it was up to me to prove that I did not open the account, rather than for Pacific Bell to prove that I did. Can that be constitutional? The burden to undo the damage was entirely on me. It took several months to resolve the whole thing, following an irritating process defined by the California Public Utilities Commission.

After the California problem, I put a fraud alert on my records. A fraud alert lasts for seven years. That has now expired, of course.

After some Googling, it seemed that the smartest thing for me to do after the Equifax cyberattack was to freeze my credit. This is a pain in the neck. You have to set up a freeze at all three credit-reporting agencies — Equifax, Experian, and TransUnion. However, this can be done online. It’s very rare for me to open new accounts, so dealing with the freeze process won’t be too great a burden. But a total credit freeze (which can be overridden by a PIN number you’re assigned when the freeze becomes active) might be too inconvenient for some people.

[Update: Avoid this link until more is known about how Equifax is handling this.] Here’s the Equifax link with which you can determine whether you were affected: Equifax2017

This article includes links on how to set up a credit freeze online: How to do a credit freeze

Here is a credit freeze FAQ from the Federal Trade Commission: FAQ

It’s really pretty terrifying how dangerous a place the Internet is. My guess is that the fallout from this data breach will go on for a long time. Whoever stole the data probably will break it into chunks and retail it all over the world.

Conversion to SSL


The change should be transparent, but this blog has switched over to SSL, or “secure sockets layer,” protocol. You might have noticed that your URL window now says “https:” rather than “http:”. Depending on the browser you use, you may also see a padlock icon with the URL.

SSL uses encryption to improve the security of web sites. Though encryption is not really critical for blogs, since no private information is involved, nevertheless encryption is never a bad idea. Also, Google ranks sites higher when they use SSL encryption.

Why I went back to Firefox


Unwanted video was the last straw. Few things are more irksome than going to a web site and having a grating and useless video start playing. It’s increasingly common. Unwanted video slows everything down. And if you’re on a cellular or satellite connection, unwanted video eats up your data faster than anything.

As far as I could determine, with Google Chrome there was no way to block aggressive video. There are a couple of Chrome plug-ins that are supposed to suppress unwanted video, but they didn’t work. I’m hardly the only person who despises unwanted video. In techie forums where this is discussed, the consensus seems to be that Google sided with the devil — advertisers and rude web sites — and gave the money people what they want at the expense of what we little people want. It’s Google after all. So it’s not surprising.

Part of the problem with unwanted video is not only stopping it from automatically playing, but also stopping it from being automatically “preloaded” and wasting data. A Firefox extension named “Disable HTML5 Autoplay,” though it is in an early version, seems to work. Using that extension with Firefox was the only way I’ve been able to block the extremely aggressive video that Huffington Post pushes at you.

You might ask why anyone would even go to Huffington Post anymore, now that it’s in a tailspin of click bait headlines and cheap content. The reason is that, though Huffington Post rarely anymore has anything fit to read, I do want to see how they’re playing the news. Huffington Post emphasizes leftwing anger items the same way Drudge Report emphasizes rightwing anger items. They’re useful as gauges of the propaganda du jour and what is being fed to the masses.

Firefox clearly is working hard to position itself as the anti-corporate, pro-privacy web browser. Chrome’s dominance will be hard to break, but I suspect that we will increasingly see some migration toward Firefox.

The new pop-ups and how to defeat them


Remember pop-ups and how obnoxious they were? Then we all got pop-up blockers. But the war wasn’t over.

Using JavaScript, the anti-social brats who code web pages came up with a new way to assert domination over us: “overlays,” also called “modal windows.”

With an overlay, a new window opens up, everything behind it turns gray, and you’re stuck until you interact with the new window. Odds are, you’re still putting up with that.

But there is a way to defeat it. If you’re using the Google Chrome web browser, check out an extension named “Auto Overlay Remover.” There may be similar extensions for other browsers, but I’ve not looked into that.

The attitude of web programmers, of course, is “This is my web site, and I’ll control what you do here.” But the attitude of the rest of us is, “This is my browser, your web site is open to the public, and no you won’t tell me what to do.”

Everyday security and the criminal economy


Once upon a time, if a thug wanted to take your money, he pretty much had to be close enough to hold a gun on you. Not anymore. These days, somebody halfway around the world can steal from you. Estimates of the size of the global criminal economy approach $1 trillion a year, or roughly 1.5 percent of global GDP. There are a lot of people in the world who make their livings from crime. If we’re not careful, we’ll end up as their victims.

A couple of recent scrapes with the criminal economy have reminded me of just how vulnerable all of us are, assuming that we have a computer, a cell phone, a bank account, and credit cards or debit cards. Don’t we all?

Increasingly, criminals try to reach you through your cell phone. Long ago I stopped answering calls from unknown callers outside my area code. Just yesterday a scammer with an 855 area code left this voice mail:

“Hello, I’m calling in regards to a formal complaint that’s been filed against [name of friend in California]. If you have any information that can lead to the whereabouts of this individual, please contact us at 855-207-2381. Again, 855-207-2381 or press any key on your dial pad to be connected immediately. Our next step will be filing the necessary paperwork with the local county court. Thank you for your cooperation.”

I had heard of this scam before, so all I did was alert my friend in California. His mother and sister had received similar calls. How did the scammer get my telephone number? I’ll never know. One possibility is that malware on my friend’s computer or cell phone compromised his address list. But what’s troubling about this particular scam is that it generally targets people who have had previous minor scrapes with the law, so it’s easy to believe that that person is in trouble again. I suspect that the scammers are scouring public records. About 12 years ago, I had posted bail for this person after he was arrested for an unwise altercation with a parking lot attendant. My name would appear in the court documents, which are public record. The scam, I understand, is to try to get someone to send them money to drop a charge, though there is no charge.

A few months ago, I took responsibility for maintaining the web site for the Democratic Party in my county. The web site had been hacked a few months earlier and needed to be cleaned up. I did the cleanup work, rebuilt the web site, and went through the onerous process of getting Google to remove the dreaded “This site may be hacked” line in Google searches. About two months later, in spite of some extra security precautions, the web site was hacked again. I cleaned it up again. That very night, it was hacked a third time. Criminals use this kind of web site hacking to build their “bot” networks. Hijacked web sites can be used to distribute malware, to send spam, to market illegal products, or even to host illegal forms of porn.

I certainly am not boasting, but this web site and blog have never been hacked. Though I have taken every precaution I know how to take to secure this web site against hackers, constant vigilance is required. That takes time. The security logs for this blog show that it is regularly under attack. I recently added the ability to block access to this blog to most countries outside North America and Europe. Until I started that country blocking, most of the hacker probes came from Russia, Ukraine, and Asia.

There are three categories of global crime to which most of us are vulnerable: identity theft, online risks such as malware, and credit card fraud.

I’m no stranger to identity theft. Some years ago when I was living in San Francisco, someone using my name and Social Security number got a telephone in San Jose and ran up a bill that they never paid. Believe it or not, the law required that I prove to the telephone company that I didn’t do it, as opposed to the telephone company having to prove that I did. You can imagine how much time and aggravation that cost.

Secure banking

If you’re concerned about identity theft, online security risks, and Internet privacy (we all should be), then I’d recommend that you do some Googling and reading on precautions that you can take. A good place to start is the Electronic Frontier Foundation: https://ssd.eff.org/

However, I do want to talk a bit about secure banking.

For 25 years, I have been using the same account with Bank of America. When I opened the account, I had just moved to San Francisco, and Bank of America was a San Francisco hometown bank. Some years later, after an ugly buyout, Bank of America moved its headquarters to Charlotte. It’s now a big bank, and a mean one. But I have kept my Bank of America account because the bank has never been mean to me personally and has never charged me a cent. Bank of America also has some of the best security of any bank. Twice in the past, someone has made fraudulent charges using my debit card number. In both cases, the bank immediately detected the fraud, alerted me with phone calls and text messages, cleared the fraudulent charges, and sent me a new debit card.

For years, I’ve paid my bills online using Bank of America. Almost all my spending went through my debit card. I carry very little cash. Though I did not need a credit card, Bank of America kept tempting me with a credit card with “cash back” benefits. You get 1 percent on all purchases, 2 percent at grocery stores and wholesale stores, and 3 percent at gas stations. That would add up to a few hundred dollars a year for me. But what really sold me was a feature that was not available with my debit card. It’s the ability to create temporary “virtual” credit card numbers for online purchases. You assign enough money to the virtual card to cover the purchase. The virtual card expires in a month or two. And the online merchant never knows your real credit card number. I now use virtual credit cards for all online transactions, and I “locked” my debit card, which I still have, to block transactions. I can “unlock” the debit card any time from my computer or cell phone. Another free benefit that came with the credit card is a free monthly credit report. All in all, I think this is a pretty good deal. Bank of America is giving customers the ability to protect themselves, which also protects the bank. And as long as you pay your bill in full at the end of the month, there are no charges for the card, and you get “cash back.”

Don’t lose things!

A couple of months ago, on a trip to Asheville, I thought I had lost my wallet. It turned out that I had not lost it. Rather, while riding in a friend’s vehicle, my wallet had fallen through the crack between the seat and the console when I had awkwardly gotten my wallet out to pay us out of a parking deck. But in the three-hour period in which I thought my wallet was lost, I realized what a pain in the neck it would be to lose it. That would be an invitation to identity theft, and all one’s cards would have to be quickly canceled and replaced. Precaution: Make a copy of everything important that you carry with you so that you know whom to call and what has to be replaced.

Where is law enforcement?

As far as I can tell, almost no one ever gets arrested and prosecuted for online crime. Criminals now routinely ignore do-not-call lists, etc., and they get away with it. We spend untold billions of dollars on the low-level threats (more rare than lightning strikes) that are hyped in the media, such as the threat of terrorism. The political class have been worse than useless in taking a rational approach. Instead, for political gain, they hype non-existent threats such as transsexuals in bathrooms and do next to nothing to defend us against these new forms of global crime. We’re on our own.

Living off the grid and leaving no digital trail is a wonderful fantasy, but almost no one can pull it off. Corporations and governments know a heck of a lot about us. All we can do is try to prevent information about us from falling into the hands of the criminal economy.

New leak tells us what we already knew: Google is evil

From an NSA presentation leaked by Edward Snowden

Bloggers at the Washington Post have reported on an important new leak by Edward Snowden. This one reveals that the National Security Agency uses Google cookies to identify and target computers on the Internet. This should surprise no one, but we need all the information we can get on how elites snoop on us.

What the leak reveals is that the NSA uses Google’s PREFID cookies to identify and track computers on the Internet. So what is a PREFID cookie and how does it work?

When you sign in to any Google service (such as Google mail), Google knows who you are. They assign your browser a PREFID cookie. This cookie reveals your identity to any site on the Internet that references the cookie and wants to track you. This tracking is not anonymous. Google knows who you are, and there is nothing to stop them from sharing your information.

How much does Google know about you? What did you tell them when you signed up for Google mail? You probably also gave them your cell phone number, right? In addition to the personal information you’ve given Google when you filled out their sign-up forms, Google has tracked you and captured and stored your Internet browsing history, which they have mapped to your real name and real identity. The Snowden leak does not reveal whether Google shares its identifying information with the NSA, but we’d be fools not to assume that they do.

It shocks me sometimes how revelations like this don’t disturb a lot of people. I think the assumption is that, because they’re doing nothing wrong or illegal, all this tracking doesn’t matter. But remember, this information is saved in Google’s (and the NSA’s) vast databases. Like a credit history, it will be used against you for years, perhaps for your entire life. When this secret information about you is sold or shared, you won’t know about it. Unlike credit histories, there are no laws that permit you to know what information about you is kept in these databases or that would permit you to challenge errors. There is nothing stopping a company like Google from selling this information about you to anyone who wants it — a potential employer, for example, or to private investigators. If you’re ever involved in a lawsuit or a legal scrape, you can be sure that they’ll check your Internet history.

So what can you do? Don’t use Google mail! Don’t use Yahoo mail either. If you insist on using any of Google’s or Yahoo’s services that require you to sign in, then don’t stay signed in, and work out a means of keeping your cookies cleared. One solution, if you insist on using Google mail, would be to have two browsers on your computer. Use Firefox, say, for email only. Use a second browser, Chrome maybe, for all your browsing, and don’t sign in anywhere in this browser. Load up Chrome with all the essential privacy extensions — Ghostery, DoNotTrackMe, Flashblock, Referer Control, Facebook Disconnect, AdBlock, etc. Yes, some of these extensions will make your browser less convenient, but that’s the cost of greater privacy and security.

It’s ironic that Google Chrome, as far as I can determine at present, can be configured as the most secure browser. This is not a Google virtue, it’s that there are a lot of good privacy extensions available for Chrome. Here’s a DuckDuckGo link to get you started.