There is a summary at the end of this post for anyone who struggles with the full text, although on this one I’m not sure it will be of much use.
Note: Knowing absolutely nothing about Apple products, I have omitted them from this post. Other than strictly online stuff, you’re on your own.
After a conversation with Jules Clarke on twitter over the measures that I have employed to protect personal data, control my digital footprint, and generally be more secure online, it came to my attention that a couple of the things I do are not especially common or at least aren’t something your average user considers.
After a recent resurfacing of a stalker who is mostly interested in digging up my personal history (thankfully it’s that rather than wishing to cause physical harm), I’d like to share just a few of the basic things that I have used to help limit my own spread of data around the web and prevent anyone from being able to explore my life through any trails I’ve left.
This is not a comprehensive list and some of the suggestions are simply about making you more secure than your average user rather than completely locking everything down so no one can ever find you.
I’ve attempted to format it in a way that you can jump to your area of interest, especially given that I have managed to make it so bloated with my chatty style of writing. My apologies for that! Regardless of the enormous amount of text, I do hope it can help some of you perhaps pick up some things you previously weren’t aware of.
I do kindly ask that people do not message me on twitter or elsewhere with their take on online privacy. I do understand this is something you may have an interest in, and you may disagree if your approach to these things differs, but as with anything in technology it tends to lead to a barrage of information or lecturing on things I already know.
If you have anything you wish to add to this list, however, you are welcome to add it in the comments below and if I feel like discussing it I will.
1) Use the Ghostery app/browser plugin. This prevents trackers on websites, right down to Google Analytics. You have the option to completely block all trackers on all sites, pause tracking if you wish for it to be temporarily disabled, or selectively choose which ones you wish to have blocked. You can find it on their website here.
2) Use a VPN. What a VPN does is mask your IP address. Every website you visit and every service you use online is handed your IP address, which is a unique identifier. It can also be used to narrow down your location to a certain country and, with some ISPs, the area in which you live.
By using a VPN, you connect to the IP address of a server designed expressly for the purpose of hiding your own. Your web browsing continues as normal without interruption, but instead of giving away your IP, you give away that of the server you’ve chosen. This means that if someone sets up a malicious website intended to get your IP address, they’re unable to. If you use Internet Relay Chat (IRC) – a place where things such as Distributed Denial of Service attacks aren’t uncommon at all if you piss someone off – it can prevent your internet connection from being clogged up with enormous amounts of data sent to your IP to take you offline. This is especially a problem if you have data limits or are on an IP address you cannot change.
You can still get viruses and malware as everything you do is still directed to your own computer so be aware of that.
For IRC you can also purchase products such as a bouncer (BNC), which does the same thing, only expressly for IRC.
3) Keep an inventory. I have a spreadsheet that’s kept on a USB stick encrypted with PGP that contains the name of every website I have ever opened an account with as well as the usernames (note: not the passwords or security questions), email addresses and phone numbers that have been associated with the account (including what the back up address is). I also keep track of all my email addresses as well as any account that I have since closed, and how it was closed.
For example, recently I went through the list and closed around 60 accounts. Some of these accounts could, according to the companies, not be closed in a way that involves full deletion (this is bullshit but whether you start quoting the data protection act at them depends on your patience because fucking hell they run around in circles sometimes). If a lack of deletion is an issue, mark it down. I leave a note saying that I have removed all personal/identifying information I can from the account and deactivated it, or that I have hidden all of the contents but not closed it as I don’t wish to lose it.
I’ve put together a template inventory, 2 pages long. It contains example accounts, both email and websites, and column suggestions for each.
Example of an inventory of online accounts
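As an added example (this is not the post's own template, which is an image, nor anything from a particular product), here is a small Python script that keeps the kind of inventory described above as a CSV file and answers the questions you actually need it for: which open accounts still hang off an email address you are about to abandon, which have no recovery route at all, and which a provider refused to delete outright. The column layout and the sample rows are assumptions constructed for the example; the sites and addresses are placeholders, not real accounts.

```python
import csv
import io
from datetime import date

# Column layout, an assumption modelled on the post's description of its spreadsheet.
COLUMNS = ["site", "username", "email", "backup_email", "phone",
           "status", "closed_on", "closure_note"]

# Constructed sample inventory (placeholder sites and addresses, not real accounts).
SAMPLE_CSV = """\
site,username,email,backup_email,phone,status,closed_on,closure_note
example-shop.test,jsmith84,old@example.test,me@example.test,+44 7700 900000,open,,
forum.example.test,js_forum,old@example.test,,,closed,2014-03-02,deleted in full
social.example.test,jane.s,me@example.test,old@example.test,+44 7700 900000,open,,
games.example.test,jsmithy,old@example.test,,,open,,
news.example.test,jsmith,old@example.test,,,deactivated,2014-03-05,"no full deletion offered; profile stripped of personal info and deactivated"
"""


def load_inventory(text):
    """Parse the CSV inventory into a list of row dicts, checking the columns exist."""
    reader = csv.DictReader(io.StringIO(text))
    rows = list(reader)
    missing = set(COLUMNS) - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"inventory is missing columns: {sorted(missing)}")
    return rows


def accounts_using_email(rows, email, include_closed=False):
    """Sites where the address is the login or the backup address.
    Run this before abandoning an address so nothing ends up locked out."""
    hits = []
    for r in rows:
        if not include_closed and r["status"] != "open":
            continue
        if email in (r["email"], r["backup_email"]):
            hits.append(r["site"])
    return sorted(hits)


def open_accounts_without_backup(rows):
    """Open accounts with neither a backup address nor a phone number on file."""
    return sorted(r["site"] for r in rows
                  if r["status"] == "open" and not r["backup_email"] and not r["phone"])


def not_fully_deleted(rows):
    """Accounts the provider would only deactivate rather than delete."""
    return sorted(r["site"] for r in rows if r["status"] == "deactivated")


def record_closure(rows, site, note, status="closed", closed_on=None):
    """Mark an account closed (or deactivated) and record how it was closed."""
    for r in rows:
        if r["site"] == site:
            r["status"] = status
            r["closed_on"] = (closed_on or date.today()).isoformat()
            r["closure_note"] = note
            return r
    raise KeyError(site)


if __name__ == "__main__":
    inv = load_inventory(SAMPLE_CSV)
    print("still tied to old@example.test:", accounts_using_email(inv, "old@example.test"))
    print("open with no recovery route:", open_accounts_without_backup(inv))
    print("not fully deleted:", not_fully_deleted(inv))
```

The file itself should live somewhere encrypted, as the post does with its PGP-encrypted USB stick; the script only reads and updates the rows.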
4) Use a password management system. While it can be argued there’s a risk keeping everything in the same place, services handling such sensitive data pile large amounts of money into securing it. There are a few of these around such as Dashlane, LastPass, Roboform and others. Many password managers charge for some services, but there are some out there that are reasonably priced and easy to use.
They will keep track of passwords for you, which makes it easier for you to use insanely complicated passwords. They tend to have a secure password generator built in, generating such things as lH^e63nm9CpfjADA@)*&J* (though you can remove special chars). You simply install the app or browser add-on, create an account and start saving.
With a password manager, you can use your account across any number of computers without having to remember details. Needless to say, you should keep the login information very private and use a good password for it. A full sentence is usually a good one, for example.
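To show what the built-in generator is doing, and to put a number on the "full sentence" advice for the master password, here is an added Python example (not code from any password manager or from the post). It draws passwords from the operating system's cryptographic random source via the `secrets` module, optionally without special characters, and works out the entropy of a generated password against that of a randomly chosen word passphrase. The character set and the 7776-word vocabulary are assumptions for the example.

```python
import math
import secrets
import string

SPECIALS = "!@#$%^&*()-_=+[]{};:,.<>?"   # assumed set; managers differ


def generate_password(length=22, specials=True):
    """Random password from the OS CSPRNG (secrets, never random.random).
    Re-draws until every enabled character class appears, so no draw is all-lowercase."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    alphabet = string.ascii_letters + string.digits + (SPECIALS if specials else "")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and (not specials or any(c in SPECIALS for c in pw))):
            return pw


def password_entropy_bits(length, specials=True):
    """Entropy in bits of a uniformly random password of this length."""
    size = 26 + 26 + 10 + (len(SPECIALS) if specials else 0)
    return length * math.log2(size)


def passphrase_entropy_bits(words, vocabulary=7776):
    """Entropy of N words picked at random from a vocabulary (7776 = a Diceware-style list).
    A sentence you make up yourself has less than this, because real sentences are not
    uniformly random; the figure is an upper bound for the word-count, not a guarantee."""
    return words * math.log2(vocabulary)


if __name__ == "__main__":
    print(generate_password())
    print(generate_password(specials=False))
    print(f"22 chars with specials: {password_entropy_bits(22):.1f} bits")
    print(f"22 chars without:       {password_entropy_bits(22, False):.1f} bits")
    print(f"6 random words:         {passphrase_entropy_bits(6):.1f} bits")
```

The point of the last two functions is that a 22-character generated password is far stronger than most sentences, so the manager's vault is only as safe as the one password you still have to remember; make that one long.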
5) Email management. For any sensitive data you may get over email, use IMAP (is POP3 still a thing?) and ensure SSL is enabled. They’re options that every email provider should be able to support and, if they don’t, you should consider not using them.
If you are particularly concerned about the safety of something you are sending and the person on the other end is willing to take part in the handshake, use encryption methods such as PGP. There are a few options you can find on Google, along with how to use them.
If you have a custom email address on your own domain (or someone else’s), it’s worth looking into just how secure it is. Over the years I have seen some terribly shoddy practices from domain providers where breaches of customer data have been a problem. A way that a lot of the risk can be taken away in this is by using something like Mozilla Thunderbird or Microsoft Outlook (ew). Set your email up so that once it has downloaded to your device it’s deleted from the server. Responsibility for backing up and storing your emails is then placed squarely on your own shoulders, so any loss of data is on you.
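As an added illustration of the two settings points above (IMAP with SSL enabled, and not leaving mail on a server you don't trust), here is a Python checker, written for this post and not taken from Thunderbird or any other client, that compares a weak account configuration with a hardened one. The settings dict shape is an assumption modelled on the fields mail clients expose; the port pairings are the standard IANA assignments.

```python
# Mail account settings as a dict (assumed shape, modelled on what Thunderbird-style clients expose).
WEAK_SETTINGS = {
    "protocol": "pop3",
    "host": "mail.example.test",
    "port": 110,
    "connection_security": "none",   # plaintext: password and mail readable on the wire
    "leave_on_server": True,
}

HARDENED_SETTINGS = {
    "protocol": "imap",
    "host": "mail.example.test",
    "port": 993,
    "connection_security": "ssl/tls",
    "leave_on_server": False,        # download-then-delete, as the post suggests for a host you don't trust
}

# Standard port for each protocol/security pairing (IANA assignments).
EXPECTED_PORTS = {
    ("imap", "ssl/tls"): 993,
    ("imap", "starttls"): 143,
    ("pop3", "ssl/tls"): 995,
    ("pop3", "starttls"): 110,
}


def check_mail_settings(cfg, distrust_host=False):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    proto = cfg["protocol"].lower()
    sec = cfg["connection_security"].lower()
    if sec == "none":
        findings.append("connection is unencrypted: enable SSL/TLS (or STARTTLS)")
    else:
        expected = EXPECTED_PORTS.get((proto, sec))
        if expected is not None and cfg["port"] != expected:
            findings.append(f"port {cfg['port']} is unusual for {proto} with {sec}; expected {expected}")
    if proto == "pop3":
        findings.append("POP3 in use: IMAP keeps folders and read/unread state in sync across devices")
    if distrust_host and cfg["leave_on_server"]:
        findings.append("mail is left on a server you do not trust: download, delete from server, back up locally")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(name, check_mail_settings(cfg, distrust_host=True) or "ok")
```

An odd port with encryption selected is worth flagging on its own: it usually means the account was set up by hand and the security drop-down never got changed from whatever the client defaulted to.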
6) Use a good firewall. At the very least, use a firewall. Any at all. You may find your router already has one, it’s worth logging in to it and looking under the ‘Security’ tab if it has one. Check the settings are allowing outgoing data while blocking incoming. You should also be able to set up blocked websites (bye-bye Daily Mail, if only I barely knew thee) and any particular rules for certain addresses and IPs.
If you’d prefer to use a software one for any reason, be it Microsoft’s inbuilt one if you’re using Windows or some third party software, I’m afraid I have no recommendations now that Deerfield’s VisNetic has gone. Frankly that was a masterpiece of a firewall but sadly even the archive is now gone.
For years now I’ve been using a Firebox (a ridiculously over the top bit of kit for a home user). There are, however, an awful lot of reviews out there that can give you an idea of what’s available, both ones with fees and free. I would offer to rule a few out but given I’ve not used them for some time, they may well have changed. Beware of anything too bloated. It shouldn’t make your computer act like a kitten attempting to drag a row of terraced houses up a hill.
7) Use an anti-virus program. AVG and avast! are, for the most part, alright for home users if you don’t want to deal with fees. For complete coverage Kaspersky and BitDefender are probably the ones I would recommend if cost isn’t an issue, although I’m sure others would disagree with me as tends to be the case with anything. Symantec’s and McAfee’s products are ones I wish had a physical manifestation so I could throw them off a cliff, pick them up, and then throw them under an articulated lorry. That’s something I know I’m not alone in. They are the bane of many an IT professional’s lives.
Trend Micro also have some pretty good products that are worth checking out. HijackThis is a neat little tool that I used regularly before the switch to GNU. It scans everything from start-up applications to browser add-ons and, if there’s anything suss your antivirus may not pick up as it’s not technically a threat, HijackThis will. It can take some time if you’re unsure of what each thing in the list is, but Google is your friend for that. If you’re a techie it’d be no problem.
Malwarebytes is also reasonably good and I know a couple of IT management companies that use it when viruses become a problem on individual computers.
If you’re on any Linux/GNU system I probably don’t have to recommend anything at all, you’re likely on top of it, but look at ClamAV etc etc.
8) Restrict information. Use, say, the birthday of your mother when you open accounts rather than your own, your favourite musician’s last name instead of that of your mother or grandmother, and the name of the nearest major hospital instead of the one where you were born (or the next nearest if you were born local to where you are). While I wouldn’t really recommend writing down security information, you can keep track of what details you are using by writing things like “Mum’s <month>”, “<name of hospital>” and so on. It would tip you off if you struggle to remember.
I know this seems ridiculous, but there are a lot of ‘phishing’ games that go around which ask you to use your Mother’s maiden name for this, your pet’s name for that. A good example is the ‘find your porn name using x’. It leads you to give up information which makes up a lot of security questions, and if you answer a few it’s possible some of the services you use could be compromised.
9) Social media. This is a long one given the enormous part it plays in our lives and some recent (and distant) experiences so please bear with me.
This is technically something that falls under the last point: restrict your data. As anyone following my new Twitter account will know, and as I mentioned at the top of this post, I have a stalker. To illustrate the lengths that some people will go to, I’ll explain what it is he has done and the measures I can take to restrict his access. Much like the odd troll on there, he sets up scripts to search through account archives where possible as well as trying to break into accounts when he finds them. Being lax on both data and passwords, I had left myself very open to him and I was very lucky to notice his return so I could begin to fix my mistakes.
I had a lot of tweets on my old account which makes for a goldmine of information. It gives away details of every part of my life if pieced together, and with the right phrasing and buzzwords it could mean he finds some very painful information to confront and mock me with.
While it is easy to say ‘just delete your old tweets’, to do so can actually be a lot harder than you would expect. Twitter’s API only allows for the deletion of the first 3200 tweets through apps, and while tools like Twitter Archive Eraser are capable of going over it again and again, it can take a hell of a lot of time. It’s probably obvious and as I’ve explained, this is why I deleted my old account.
What I’ve done on my new account is set up Tweet Delete. It’s an application which automatically deletes your tweets after a set amount of time, meaning your archive never becomes that kind of mine of everything you share of your life.
On Facebook you’re a little more stuck as it’s up to your friends how information you share with them (i.e. tags, comments on their posts) is managed. If you put a comment on a public post, there is no way that you can limit it. You also need to be careful of the information apps you use collect on you; rarely are these things truly free. There is a pay off.
You can, however, limit a lot of other things. Who is able to add you as a friend can be changed to friends of friends if your social circle is not particularly wide and unrelated. If you go through the account settings you can also restrict how you are found; make it that no one can find you via your email address or phone number. If you go into your ‘about’ tab you can also restrict that information so others aren’t capable of seeing it, including things like your birthday, website, and other things you may have put on there. So that you don’t end up with your friends list showing to all and sundry you can open the ‘friends’ tab, click the ‘manage’ (little pencil in the top corner of the list) button and change the privacy.
One of your biggest friends on Facebook is easily the ‘Limit the audience of past posts’ option. Anything that was previously public or shared with friends of friends is automatically reeled in so that no one outside of your friends list can see it. This is right down to being unable to see the full image or comments on your public profile photo. It does not affect posts you have kept to yourself or limited to a custom audience. You can also set it up to stop automatic tags, both on others’ posts and on yours. It gives you the option to review all tags before they’re applied, so you can be kept out of others’ posts or prevent friends from letting strangers see your content.
Facebook keeps things such as things or people you have searched for, and while packed with so much stuff it’s a little confusing, the Facebook activity log holds the answer. Go to ‘View Activity Log’ on the top of your profile, and click ‘More’ underneath Photos, Likes, and Comments. Towards the bottom of the list you will see ‘Search’. At the top of the page is the option to clear it. You can’t turn logging of search off, but it’s something (I’ve included an image as I know some have struggled to find it before.)
Screenshot of where to find the search history on Facebook
The activity log is generally handy to filter through and figure out what you’ve shared in the past, making it easier to delete where you feel it necessary. Of course, if they’re things you want to keep and otherwise don’t have copies of, you can download your Facebook archive.
A lot of social media and other accounts do also allow you to be notified every time someone logs in, the IP address that they use, and their location. If you are worried someone may be accessing your account this is definitely worth employing in the arsenal of things you can use.
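Those login notifications are only useful if you actually read them, so as an added example (written for this post, not taken from any service) here is a Python function that does the reading for you over a batch of them. It walks login events in order and flags any whose IP address or country has not been seen for that account before, and separately flags a login from a different country within a few hours of the previous one, which is a cheaper way to spot someone else using your account than eyeballing each email. The event tuples and the six-hour window are assumptions constructed for the example; the IP addresses are documentation ranges, not real hosts.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login-notification events: (timestamp, account, source IP, country the service reported).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, so these are not real hosts.
LOGIN_EVENTS = [
    ("2014-03-01T08:12:00", "me@example.test", "203.0.113.10", "GB"),
    ("2014-03-02T19:40:00", "me@example.test", "203.0.113.10", "GB"),
    ("2014-03-03T07:55:00", "me@example.test", "203.0.113.44", "GB"),
    ("2014-03-03T08:02:00", "me@example.test", "198.51.100.7", "RO"),
    ("2014-03-04T21:30:00", "me@example.test", "203.0.113.10", "GB"),
]


def flag_unfamiliar_logins(events, known_ips=(), known_countries=(),
                           max_travel_gap=timedelta(hours=6)):
    """Return (timestamp, ip, country, reasons) for each login worth a second look.

    A login is flagged when its IP or country is new for that account (seeded with
    whatever you already know is yours), or when the country changed within
    max_travel_gap of the previous login, which no single person can do."""
    seen_ips = defaultdict(set)
    seen_countries = defaultdict(set)
    last = {}                      # account -> (datetime, country) of the previous login
    flagged = []
    for ts, account, ip, country in events:
        t = datetime.fromisoformat(ts)
        reasons = []
        if ip not in seen_ips[account] and ip not in known_ips:
            reasons.append("new IP")
        if country not in seen_countries[account] and country not in known_countries:
            reasons.append("new country")
        prev = last.get(account)
        if prev and prev[1] != country and t - prev[0] < max_travel_gap:
            mins = int((t - prev[0]).total_seconds() // 60)
            reasons.append(f"country changed {mins} minutes after a login from {prev[1]}")
        seen_ips[account].add(ip)
        seen_countries[account].add(country)
        last[account] = (t, country)
        if reasons:
            flagged.append((ts, ip, country, ", ".join(reasons)))
    return flagged


if __name__ == "__main__":
    for hit in flag_unfamiliar_logins(LOGIN_EVENTS, known_ips=("203.0.113.10",), known_countries=("GB",)):
        print(hit)
```

Seeding with your own home IP and country keeps your normal logins out of the output; without the seed the very first event is flagged simply because nothing has been seen yet.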
Though for a lot of people it’s certainly over the top, going over posts every few weeks to delete ones over a certain age can stop it from becoming an overwhelming task later on.
10) Make sure you have a back up for account access. Although this wouldn’t be necessary if you keep an inventory and use a password manager, it’s not uncommon to abandon email addresses that are associated with any number of accounts. Over time passwords and security questions are forgotten and, if that email address is among them, it can leave you completely locked out of any number of accounts, unable to do anything about it. You can stop this from happening with a second email address and phone number.
Most email accounts, and sometimes others such as social media accounts, now ask that you put a phone number or secondary email address in your settings so that if you’re locked out it can be used to verify who you are and give you back your access.
Online pharmacies are relevant as recently one or two got in trouble for their handling of NHS prescription data (presumably in raw format, mind), although in fairness, anonymised data is also handled badly by the NHS under their care.data scheme. You can learn how to opt out of that here but it’s obviously a whole other barrel of ferrets.
11) Two-step verification. This is another obvious one, I know, but also a very, very handy one providing you’re able to get a mobile phone signal or access your email account. You enter your password, and the service will send a code which you have to enter before you are given access. Not all services allow for this to be done through email, a mobile phone number may be required.
If you live out in the sticks, as mentioned, getting a signal can be impossible, which can make this difficult or impossible for some services.
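To show what happens on the service's side of "we've sent you a code", here is an added Python example (illustrative code written for this post, not any provider's implementation). It issues a short numeric code, keeps only a keyed hash of it, lets it expire after five minutes, allows a handful of wrong guesses before throwing the code away, and compares in constant time. The code length, lifetime and attempt limit are assumptions for the example; sending the code by SMS or email is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6           # assumed: six digits, as most services use
CODE_TTL_SECONDS = 300    # assumed: five-minute lifetime
MAX_ATTEMPTS = 5          # assumed: guesses allowed before the code is discarded


class OneTimeCodeStore:
    """Service-side half of a 'we sent you a code' second step (example, not a real provider's)."""

    def __init__(self, clock=time.time):
        self.clock = clock                      # injectable for testing expiry
        self.secret = secrets.token_bytes(32)   # keyed-hash key; a real service keeps it out of the database
        self.pending = {}                       # user -> (code_hash, expires_at, attempts_left)

    def _hash(self, user, code):
        # HMAC rather than a bare hash so a leaked table cannot be brute-forced over a million codes
        return hmac.new(self.secret, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user):
        """Create a fresh code for the user. The caller sends it by SMS/email; only its hash is kept."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[user] = (self._hash(user, code), self.clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        return code

    def verify(self, user, code):
        """True exactly once for the right code; wrong, expired or over-tried codes fail and are consumed."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        code_hash, expires_at, attempts_left = entry
        if self.clock() > expires_at:
            del self.pending[user]
            return False
        if hmac.compare_digest(code_hash, self._hash(user, code)):
            del self.pending[user]              # single use
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self.pending[user]              # too many guesses: force a new code
        else:
            self.pending[user] = (code_hash, expires_at, attempts_left)
        return False


if __name__ == "__main__":
    store = OneTimeCodeStore()
    sent = store.issue("me@example.test")      # in practice this goes out by SMS or email
    print("wrong guess accepted?", store.verify("me@example.test", "000000" if sent != "000000" else "000001"))
    print("right code accepted?", store.verify("me@example.test", sent))
    print("replay accepted?", store.verify("me@example.test", sent))
```

The attempt limit is what makes a six-digit code acceptable at all: without it, a million guesses is nothing, and the "not much use without a phone signal" problem in the text is the price of the code travelling over a channel the attacker doesn't have.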
12) Clear your browser on closing. Go to the settings in your browser and search for the options to clear your history. Somewhere there should be the option to delete your history every time you close the browser.
13) Clear and turn off your browser history in Google. This is quite simple but an option that a lot of people are completely unaware of. In fact, a lot of people have no idea that their Google account even keeps their search history, which can make things just a little bit awkward if somehow someone gets ahold of it given the kind of things we all search for. I imagine a lot of people would be confused if they found I was looking up eating nasal mucus for sexual gratification and shitting dicknipples (I don’t recommend that one). Don’t worry though, there is a way you can stop this being an issue and Google has a nice little run through of how here.
14) Do not click any links you do not recognise. Again, this does seem obvious, but with the way we share links around now you can end up accidentally having a problem from clicking something from a person you trust.
This goes for shortened links and unfamiliar, suss-looking domains too. If the link is from someone you know and it looks legitimate but you’re unsure, search Google for it. It can give you some idea of what it is you’re going to be looking at, and any virus checkers on your browser should alert you to issues.
A lot of link compilers that are used on Twitter to collect the day’s news stories a person has looked at (and then shared via that same system) include malware. While I’ve managed to offend a person by refusing to look at one before because of this, it can even cause problems right down to an influx of spam accounts as clicking has alerted them to your presence. It’s better someone’s annoyed you won’t look at something than deal with that.
When receiving emails, even if it looks like it’s perfectly legitimate and from a company you recognise and not caught by a spam filter, it’s better not to click any links but instead go to the website in question manually to do it. Some look quite sophisticated and mask what they are well. It’s better to be safe than potentially hand your IP, password, and other information over to someone with malicious intent.
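As an added example covering the last three paragraphs (written for this post, not taken from any browser or mail client), here is a Python link inspector that does the checks a cautious reader does by hand before clicking: is it a shortener that hides the destination, a bare IP address, a punycode hostname that may be using look-alike characters, a URL with a `user@` part in front of the real host, a host that merely contains a trusted name (`example.com.something-else.test`), or an email link whose visible text shows one domain while the `href` goes to another. The shortener list and the "last two labels" domain rule are simplifying assumptions for the example; a production checker would use the public suffix list.

```python
import ipaddress
from urllib.parse import urlparse

# A partial list of well-known shorteners, assumed for this example.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}


def registrable_domain(host):
    """Crude 'last two labels' domain (example.com from www.example.com).
    A real checker would use the public suffix list to handle co.uk and friends."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _host_of(text):
    """Hostname of a URL or bare domain string, or None if it does not parse."""
    try:
        return urlparse(text if "://" in text else "http://" + text).hostname
    except ValueError:
        return None


def inspect_link(href, link_text=None, trusted_domains=()):
    """Return the reasons to treat the link with suspicion; an empty list means nothing was flagged."""
    findings = []
    try:
        url = urlparse(href if "://" in href else "http://" + href)
    except ValueError:
        return ["unparseable URL"]
    host = (url.hostname or "").lower()
    if not host:
        return ["no host in URL"]
    if url.scheme not in ("http", "https"):
        findings.append(f"unexpected scheme {url.scheme!r}")
    if host in SHORTENERS:
        findings.append("shortened link: destination is hidden")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address")
    except ValueError:
        pass
    if "xn--" in host:
        findings.append("internationalised (punycode) hostname: check for look-alike characters")
    if "@" in url.netloc:
        findings.append("userinfo before '@' in URL: the real host is what follows it")
    dom = registrable_domain(host)
    for trusted in trusted_domains:
        if dom != trusted and trusted.split(".")[0] in host:
            findings.append(f"host mentions {trusted!r} but the actual domain is {dom!r}")
    if link_text:
        shown = _host_of(link_text)
        if shown and "." in shown and registrable_domain(shown) != dom:
            findings.append(f"link text shows {registrable_domain(shown)!r} but goes to {dom!r}")
    return findings


if __name__ == "__main__":
    samples = [
        ("https://www.example.com/account", None),
        ("http://bit.ly/abc123", None),
        ("http://example.com.login-verify.test/reset", None),
        ("https://secure-bank.test/login", "https://www.example.com/login"),
    ]
    for href, text in samples:
        print(href, "->", inspect_link(href, text, trusted_domains=("example.com",)) or "nothing flagged")
```

The last check is the one that matters most for email: the text you see in the message is just a label, and the only thing that decides where you land is the `href`, which is why the post's advice to type the address in yourself is the simplest defence.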
Summary: Unfortunately I am unable to walk you through the steps in so few words, but I’ve made it so that hopefully you can get the gist if you look over the bold areas of the post and explore the ones that interest you. From two-step verification to keeping an inventory of accounts, they’re just some largely basic things that can help keep you a lot more secure than your average home user and generally keep you more in control of your footprint.
Edit: Some things I have not mentioned here that are useful.
- TRUSTe’s opt-out removes you from many major targeted advertisers (the notifications for their website is hilarious in Ghostery).
- Ad-Aware by Lavasoft, which blocks pop-ups (which your browser should anyway) and the majority of adverts across all websites; they also do all sorts of other security products.
- DuckDuckGo, a search engine that has privacy in mind; for example, they don’t track you the way that Google do. I personally don’t find it to be as good as Google and it can be glitchy as hell. I find most home users won’t go near it with a barge pole, but it depends how far you wish to go. As long as you turn Google’s tracking and history collection off, I find most people carry on using it.