Friday, May 11, 2018

Which browser and search engine are the best for privacy?

I get this question all the time. As a privacy advocate I appreciate that most users want to avoid having every interaction on the Internet being tracked and recorded. The truth is that if you really want to avoid all the tracking technology, you will need to take additional steps beyond changing your browser and search engine. Even so, it is an excellent and easy start. The less trail of cookie crumbs that lead back to us the better. 

Here are my suggestions:


The browser built for privacy is the TOR browser. Because all of your web surfing traffic is encrypted and anonymized, it can be slower than other browsers. Your IP address can be used to identify you, and this browser does address that concern. Even so, you may discover websites that block you from viewing them when using the TOR browser. Chances are you will need to use another browser besides TOR from time to time.

Firefox is a non-profit that creates the browser that TOR uses as its base. If TOR is not for you, then use Firefox. Install add-ons such as HTTP Everywhere, UblockOrigin, Noscript, and Disconnect. These add-ons will make web surfing with Firefox even more private and secure. Unlike TOR, with Firefox your IP address will not be anonymized.

If you love Chrome but want privacy, then you must stop using Chrome and switch to Iridium. Chrome is actually an open source project fork from the Chromium browser but both are funded by Google. That means that Chrome and Chromium track your Internet activity and send the telemetry back to Google. The Iridium browser starts as Chromium but all of the Google tracking is stripped out and what is left is a "Chrome" like browser without Google spying. Like Firefox, your IP address will not be anonymized.

Configuring Firefox and Iridium is also critical. You want to avoid third party cookies and as much browsing history as possible. Go through the settings and allow only those cookies you absolutely need and configure the history to be erased upon closing the browser.

Search Engine

DuckDuckGo and Startpage are both excellent choices for search engines. Neither maintain records of your search requests. They both encrypt your connection so your ISP can't view your inquiries either.

Next Step
When you are ready the next step in your journey to better privacy is using a VPN and changing your DNS provider. I will cover that in a future post.

Tuesday, March 20, 2018

Europe Is Far Ahead of US In Data Protection

   On May 25th of this year a shift in data protection practices and policies will be required throughout the business world as the European Parliament regulation known as General Data Protection Regulation becomes enforceable law.  Even businesses operating outside of Europe will be affected if they have customers who live in Europe.  This kind of law has been long overdue in the US.  If businesses in the United States wish to remain competitive they should heed the principals of the General Data Protection Regulation or GDPR.
   In the United States, the ramifications of Supreme Court decisions have severely limited privacy protection. When considering the vast troves of information held by corporations and government, such limited protection means almost nothing is confidential.  Legally, within the United States information has no privacy protection when provided to a third party like Facebook, Google, Yahoo, telephone company and even your bank. There are exceptions for a limited and specific type of information such as Social Security Numbers, Credit Card account numbers, and medical information. Outside those narrow parameters, all other data can be shared with others without requiring your consent.  It doesn’t matter if that breaks the social protocol of confidentiality; it is legal and can be done. What’s more, private information, such as medical conditions, has been determined by someone’s shopping habits, location information, and phone call logs. Internet users lack of awareness of the aforementioned does not mean those users condone having their information, which was provided in confidence, shared with anyone and everyone indiscriminately.
   With a millennium of social protocol, people assume that information shared with an individual or organization means that the receiving party will respect the privacy of the giver of that information.  The collectors of our Internet activities are no longer benign advertisers interrupting our viewing or listening with advertisements.  Our information has been thrown into the oven of massive databases where our activities are analyzed.  That analysis eventually leads to conclusions.  From conclusions come decisions upon which action is taken. There is always a danger when analysis, conclusions, and decisions are done in the dark by mostly large institutions that have power and profit as a motive.
    The openness that is the notable characteristic of the Internet is being subverted by opportunists using that very openness to promote their own interests in secret using expropriated information as a means of control, manipulation, and exploitation, which is at odds with the very reason users are drawn to the Internet. What people know about criminals breaking into databases is just the tip of the iceberg. The privacy invaders that have emerged could be characterized as Virtual Peeping Toms, Cyber Criminals, Spys For Hire, Blackmailers, Data Snatchers, Bait and Snitch Data Sellers, Black Market Data Brokers, and Surveillance Spooks.  They all view information in whatever form - be it text, database, video, audio - as a means to an end.  They collect it, sell it, broker it, and most definitely use it.
   The information that is used always benefits the user of the information, and most notably at the expense of privacy and an individual’s self-determination. Internet users have difficulty imagining how their personal information could be used other than to provide a service. They have no clue as to the multiple uses of information beyond its original intended use.  Some may be devastated to find out the re-purposing of their data by unknown third parties has very real consequences impacting their lives in subtle ways. Others understand that misuse and abuse of information will lead to real harm.  This is why 93% of adults say that being in control of who can get information about them is important according to a Pew Research poll.
  One method to prevent harm is to restrict access to information to only those you trust.  However, in the United States of wild west of data protection common sense has been brushed aside.  The computer security experts tasked with protecting data are often plagued with conflicts of interest. In the parlance of information security, the acronym CIA has been the CYA for computer technicians for decades.  For clarification for the uninitiated, CIA does not stand for the Central Intelligence Agency which admittedly is the more infamous “CIA”.  The acronym is known as the triad of information security: Confidentiality, Integrity, and Availability.  For too long computer security technicians have focused on data integrity and system availability as the CYA for their job security.  After all, end users do notice when systems are down or data is incorrect.  But, violation of confidentiality may only be known when private information falls into the wrong hands, and that information is abused or misused.  Since data is simply copied when an information breach occurs there is no service disruption.  It lacks the immediacy of a system crash and therefore has been treated with a lower priority.
   Given the current political climate in the United States, it appears that the GDPR is our best hope to improve the dismal state of data protection.

Wednesday, July 12, 2017

Don’t Take Away My Netflix and Hulu! Why “Net Neutrality” Means Consumer Choice and Freedom of Expression

Without Net Neutrality sites like You Tube, Netflix, Hulu and Spotify may not even exist today. Cable companies like Comcast would prefer to choose what websites you could access by implementing censorship or slowing down the access to the point you would never visit the website. AT&T, Comcast, Verizon and other Internet Providers want to dismantle “Net Neutrality” so they can play middleman in order to make more money. They will find ways to charge you more for getting the same Internet service that you get right now.

  • According to Fight For The Future…Cable and phone companies like Comcast would be able to: 
  • Slow video streaming sites, causing your videos start and stop unexpectedly. 
  • Add new fees to your Internet bill. Imagine paying extra for YouTube! 
  • Censor videos or content they don’t agree with, like political blogs. 
  • Throttle any new sites or apps they don’t own or invest in. 
  • Make your connection painfully slow, and charge you more to make it work again. 
  • Force streaming sites like Spotify, Netflix, or Hulu into a slow lane, causing them to buffer constantly. 
  • Slow online gaming. Call of Duty would lag and glitch without paying more to your ISP. 
  • Charge big sites special “prioritization fees” and slow down everyone else. 
  • Take you out of the driver’s seat, and control what you see and hear online. Make the Internet look a lot more like cable TV. 
  • And, worst of all, become the first gatekeepers of the Internet in US history. 

Net neutrality says we get the *entire* web without interference – no gatekeepers, no tollbooths, no slowlanes. This is why it is considered the First Amendment of the Internet. It protects our free speech in the digital age.

Let the Federal Communications Commission know that you support Net Neutrality. Visit the website and submit a comment in favor of Net Neutrality.

Friday, September 16, 2016

How Easy is it to crack an iPhone password?

Our smartphones increasingly contain a wealth of information about us. We make phone calls, send emails, visit websites, send texts, take photos, connect with Facebook friends, and share files. They have become mini-computers. Our smartphones go where ever we go, unlike our desktop computer that rests on a table top safely in our home. That means access to the phone is just a moment of physical theft or loss away.

How safe are the contents of your smartphone anyway? Take the iPhone, which has been in the news lately, with FBI wanting Apple's help to access the contents of an iPhone. Apparently, the FBI is having some difficulty getting into that iPhone. Does that mean that the iPhone is impenetrable? Not exactly. The answer is that it depends.

First of all you need to password protect the phone. With iOS 9 Apple has created some impressive security to prevent repeated guesses of the password. After five wrong guesses, the phone's software makes the hacker wait one minute before guessing again. After nine wrong guesses, one will have to wait an hour. And depending on how the phone was set up, it might delete all its data after ten wrong tries. Even if the aforementioned security measures were disabled, Apple has another security feature that makes automated password guessing difficult. When you enter a passcode into your iPhone, the processor makes a calculation to check if your code is correct. What Apple has done is make the math so complicated that it takes about 1/12 of a second for the phone to crunch the numbers. That may not seem like a long time to humans, but to a computer it is an exceedingly long wait. “This means it would take more than 5 ½ years to try all combinations of a six-character alphanumeric passcode with lowercase letters and numbers,” according to Apple security guide.

The iPhone security is impressive, but can be rendered useless if you choose a weak password. Six lowercase letters and numerical digits can be arranged in 2.17 billion combinations. A six digit alpha and numeric password at about 12 attempts a second, will take an encryption cracking tool five and a half years to go through all combinations. Compare this to a six digit, numbers only, password. Six numerical digits can be arranged in only one million ways. Such a simple six-number passcode can be cracked within just 22 hours.

The lesson here is that complexity of a password is essential. Secondly, the longer the password the harder it is to crack. On iPhones with only a four-digit numeric passcode, there are only 10,000 combinations. It would only take 13 minutes for the FBI to try all the different possible passwords. Compare that to a six character passcode where you mixed in capital letters in addition to lowercase letters, and numerical digits. Then there would be 56.8 billion possibilities, instead of 2.1 billion. Instead of 5.5 years, it would now take 144 years to crack such a passcode!

Thursday, March 24, 2016

The Easiest Way To Avoid Being Hacked

For decades we have been told by security professionals that the best way to stop from being hacked is to be careful when opening e-mail attachments, to install anti-virus software, and use a firewall. That has been the security mantra since the 1990s. If you’ll notice, we are not in the 1990s anymore. Hackers have had over 20 years to poke holes in those defenses, and have largely been successful. It is time for a new approach.

At a recent security conference, Avecto, a security product manufacturer, conducted an analysis of Microsoft Security Bulletins from 2015, focusing only on the security vulnerabilities labeled “Critical”. What they discovered is that 85% of the vulnerabilities exploited to hack a computer, can be mitigated by removing administrator privileges from the current user. In other words, if you use a "standard" user account as opposed to an "administrator" user account, malware could be stopped from being installed on your computer 85% of the time. What is the difference between "standard" and "administrator" user accounts? A "standard" user account cannot install software or make configuration changes to your computer. Only an "administrator" account can do that.

When you create your user account in Windows, you have a choice whether to create a "standard" or "administrator" user. You can also change the account type by going to Control Panel > User Accounts > Change Your Account Type. There has to be at least one “administrator” user on a computer. That means you will need to create two user accounts; one “standard” and one “administrator”. You use the “standard” one for your everyday activities and the “administrator” account just for making changes or installing software.

So, why don't most people use standard user accounts? The answer is convenience. They want the immediate gratification of installing software or making changes on the fly. Most users are not aware that Microsoft has already made it more convenient to user a standard user account. Since, Windows 7 you can now operate in your standard user account and install software by right clicking on the installation file and selecting from the menu "Run as Administrator". You will then be prompted to enter your administrator username and password. That means you can still stay logged in your standard user account, but invoke the administrator account when you need to without logging off and switching accounts.

Working in a standard user account is essential for keeping the hackers from invading your computer. Consider these other findings:

● Of the 251 vulnerabilities in 2015 with a Critical rating, 85% were concluded to be mitigated by removing administrator rights ● 86% of Critical vulnerabilities affecting Windows, can be mitigated by removing administrator rights ● 99.5% of all vulnerabilities in Internet Explorer, can be mitigated by removing administrator rights ● 82% of vulnerabilities affecting Microsoft Office, can be mitigated by removing administrator rights ● 85% of Remote Code Execution vulnerabilities, can be mitigated by removing administrator rights ● 82% Critical vulnerabilities affecting Windows 10, can be mitigated by removing administrator rights ● 63% of all Microsoft vulnerabilities reported in 2015, can be mitigated by removing administrator rights.

Saturday, January 30, 2016

Best Privacy Policy Statement Ever

Being a privacy advocate, I am one of the few people who actually read the privacy policy of a website.  Most privacy policies are so convoluted with legalese that the average person can't make any sense of it.  I was pleasantly surprised when I came across a privacy policy statement that was simple, easy to understand, and clearly states the privacy protection principles of the business. The privacy policy statement below belongs to  (Why I was looking for a gong is a whole other story, which may be an entertaining story, yet irrelevant to discussing privacy policies. So, I will do the reader a favor and not digress.) Like all good privacy policies this one states what information the company collects and if they share that information with a third party.  What makes this one stand apart is the personable language that plainly states why they believe in protecting their client's privacy. Admittedly, I also like the emphatic and irreverent tone spiced with just the right amount of humor.  Read it below for yourself....


Everyone at Gongs Unlimited treasures their privacy and we trust that our customers treasure their privacy as well.  If you are anything like the 15 year old daughter of the Head Mallethead here, you really really treasure your privacy.  Because we are just a retail store. You come in and buy a gong. That's all we want to know.

We will never give your email address or any other information you used to purchase a gong to any third party. And not any fourth or fifth parties either.  Screw them! If you wanted Spam, you'd go to Hawaii and order some with eggs!

If you bought a gong at a local mall, you wouldn’t expect to be hounded by salespeople from other stores chasing you to your car, calling you and yelling into your phone, or filling your mailbox with garbage. We believe that you shouldn’t have to experience that in your computer when you buy a Gong either.

Friday, October 16, 2015

Data Breach: Vacaville Housing Authority

When and Who
Organization Name: Vacaville Housing Authority (VHS)
Date(s) of Breach (if known): Monday, August 24, 2015
Date(s) of Discovery of Breach: Tuesday, August 25, 2015

What Happened
This data breach is an example how one innocent mistake can expose personal identifying information.  A VHS employee sent an email with a file attachment, that included Social Security Number information, accidentally to the wrong recipient.  Fortunately, when the recipient viewed the email she notified VHS and deleted it from her inbox.  As required VHS did report the incident to the local police, California's Attorney General's Office and to HUD.  The local police did confirm that the recipient deleted the email. 

One lesson that can be drawn from this incident is to be careful to review who you are sending an email to in order to avoid this kind of mistake.  After all, not all recipients may be as conscientious as the recipient in this data breach.  In all fairness, mistakes do happen, and it is better to have a process in place that takes into account potential mistakes.  For example, using file encryption that requires the recipient to enter a password to view the file could have prevented this incident.   

What Kind of Data Was Breached 
Social Security Numbers

Who Is Affected
Number of those affected were not mentioned in notification of breach by the organization to those affected.