Today is the official Data Privacy Day. Since I was supposed to be teaching my class yesterday, I wanted to take a few minutes and tell my fledgling trans-humans about privacy. You see, as they offload more and more of their consciousness into the cloud based systems, social media and services, they become more vulnerable. As their personas extend into the cyberspace, and as they rely more and more on mobile hardware to stay connected they give potential attackers a much larger surface area across which they may execute attacks. Unfortunately the weather and traffic conspired to stretch my 20 minute commute into a 2.5 hour ordeal making me completely miss my class.
So I figured I might as well post some of the things I wanted to talk about in class here. Here is a very simple scenario: you leave your cell phone unattended for a few minutes and someone swipes it. Whoever has it, can now be you – at least for a while. He has your entire contact list, so he can freely message any of your friends under the guise of your identity. He also likely has access to your email and all your social networks, since cell-phone apps commonly save authentication information so that you don’t have to log in every time you use them. What’s worse, he can now attempt to lock you out of all your accounts by changing the passwords on all of them.
Of course, you can always try to tell me that some random dude getting access to your email and facebook is not the end of the world. After all, these things are not that important. You can always create new accounts, and the friends who care about you will figure out how to contact you. You of course would be correct. Losing Facebook account to a phone thief is small potatos. But consider this: your phone is a treasure trove for identity mining.
Depending on how much detail you have put in your Facebook profile, the potential thief can usually get your full name, your cell phone number, your date of birth, the schools you went to, your home town, your current town, names of your parents/siblings and more. Going through your email may reveal even more information. For example, a recent Amazon shipment notification may yield your full address and a partial credit card number.
Even worse, since the attacker now has access to your email, he go around and submit “I forgot my password” requests to all online stores and accounts he can find looking at notifications and alerts in your email. Some of these accounts may store your credit card numbers, or even more sensitive information. Losing your smart phone is a huge privacy risk and may lead to identity theft.
What can you do in terms of damage control when it happens? Not much… You can try changing passwords on your email and social network sites to prevent the thief from abusing the password recovery systems. Unfortunately, chances are that if you haven’t noticed your phone missing right away, but only realized it was gone several hours later, you might already be locked out. You can phone your cell company and immediately disconnect the device but a lot of the email and social network data will still be cached there, and can still be mined for sensitive information. It is a very sticky situation.
But you can prevent it. You can stop all of that from happening by a little of forward thinking: just password protect your phone. Yes, it is a little bit of hassle to unlock it every time you want to use it, but think of the trouble you will save yourself when it is lost or stolen. A built in password protection will thwart all but most determined and skilled thieves because it will usually be faster and easier for them to just wipe and resell the device than try to break into it.
Just a word of advice: don’t use that finger swipe pattern thingy. Every time someone gave me their phone protected by it I was able to figure out the pattern in 3-5 attempts. Mostly because people are not very creative when it comes to their lock codes – they stick to the edges and diagonals almost exclusively.
But that’s just one line of attack. We should also make sure our young ones know that nothing ever dies on the internet. Anything you ever post online can and will return to hunt you in the future. This includes your drunken party pictures, as well as any personal information you may reveal intentionally or unintentionally. This is especially important to emphasize that the sphere of influence of a network-connected trans human is much greater than that of a traditional old-style person. For example, rooting for your home town sports team on twitter or uploading pictures taken by identifiable landmarks near where you live to some public photo-stream, can give a potential internet stalkers a good way to pin-point your location. Doing anything public on the internet can be risky. One day you are making a silly youtube video for a friend, next day like half of 4chan is outside your house shouting memes hoping you come out and play. How did they find you from just the video? Via the ephemeral electronic trail we all leave as we do stuff on the internet. Defunct social sites, throw-away posts on forums, picture sites, online games, etc… All of us have dozens of online accounts, half of which we can’t even remember – all of which could potentially be pooled for information. On one forum you could have mentioned your high school mascot. On another you might have ranted about a bus or train line you hate. Yet another may have a your defunct AIM account that could be linked to an old Webshots account with a treasure trove of old pictures that could be used for identity mining. That’s you “internet detective” someone out. It is almost impossible to keep track all the stuff you might have posted online in the past – but it is there, indexed by search engines, cached, mirrored and preserved. The only way to avoid leaving such trail is to be ever vigilant about what you post online, and always take few seconds to scan for potential privacy issues before you hit that submit button.
Of course your average future-shocked grandpa will try to tell the young people to get off facebook, stop doing anything online, throw out their smart phone and etc. This is silly and counter-productive though. Young people will continue using internet enabled phones and social networks. In fact, they will become more and more connected as the time goes by. They will find new emergent ways to use these tools – stuff we didn’t even think about.
So this is my message to the younger generations:
Keep your private affairs private, even if they extend out to the network. Use privacy features to limit access for anyone outside your inner circle of friends. Be extremely careful of what you post in public. Be especially careful with these geo-locating services like foursquare. They can be fun to explore with friends, but remember that you might also be giving random strangers the ability to track all your movements on a map. Think about what that implies. Password protect everything – especially your phone. Have a low-tech fallback plan in case you get disconnected or separated from your hardware. You need to know how to disconnect your phone at a moments notice. Finally, learn about encryption and use the shit out of it.
Happy data privacy day folks!
Also change your passwords regularly and try to avoid using the same word for every single account you own, stay away from easy guesses like birthdates, maiden names and so on. None of this should be news to your students. It’s not like the dangers of sharing private information should be unknown to them, it’s pretty often depicted in movie, TV shows, books and I’ve rarely met anyone who hasn’t had problems with it at some point, or doesn’t know someone who has.
Yet I see more and more private information on Facebook and Twitter pages of people I know. Amazon doesn’t let me to purchase something without saving my credit card information, which I have to delete manually after the transaction each time. Something’s wrong…
Most people I know have some sort of code or another to enter when the phone’s turned on, but since it’s usually always on I don’t see the point. I’ve never seen anyone password protect their phone. I assume you do, but when exactly does it kick in ? When you’re waking the phone from standby, trying to answer a call, access the internet, send login information ? Do you have to type a real password or just a 4 character numerical code ?
@ Zel:
Right now I have a blackberry and the password kicks in every time I holster it. It also kicks in after like 5-10 minutes of inactivity, or if I push the lock button on purpose.
The way I have it set up right now, I can place and receive calls when the phone is locked but texting, email and apps are locked. So a potential attacker could still browse through my phone book and call long distance but I could disable that too only allowing incoming calls. It was a pain though – for example, having to type in a password just to make a quick call while driving (with a bluetooth headset) was too inconvenient.
And yes – you are right, people are sort of aware of privacy issues but in most cases it is compartmentalized. For example, they know to make their Facebook private to keep stalkers and potential employers out of their business, but they usually don’t realize how seemingly innocent pieces of information can be connected to build a profile on them. For example, listing an email address or aim username on your public profile can be innocent but it can help someone to connect the seemingly anonymous twitter, four square and flicker accounts to you.
So the internet is now even on computers?
I’d love to regularly change my passwords and such. But it’s nigh impossible to do. I think I’ve got accounts on over a hundred websites (forums, blogs, news websites, whatever).
Changing those would mean thinking of a new password system and changing those 100+ old passwords to adhere to said system.
Facebook login and such provide a solution for this, but creeps me out.
Having 1 master login account for every single thing you do online just removes the biggest hurdle for potential attackers: Piecing hundreds of different bits of information together to form 1 personality.
Maybe you could highlight that topic as well?