Most of you know by now that I am a huge proponent of self-sufficiency. Getting to this place is much more of a marathon than it is a sprint. It is truly about taking small steps at appropriate times, to get you to a place where you have control over your life. I know that once you have control, you will be able to teach the rest of your family and those for whom you have responsibility, similar lessons.
There are big parts of me that struggled with whether or not to write these articles about how to truly stay private. Certainly some of these abilities would be better left unsaid as criminals may use them for purposes, which, I would not agree with. Knowing this could be the case, I felt it more important to empower regular people like me and you with tools that will keep your identity safe, your private things private, and give you a measure of solitude when it comes to that information.
Today I’m going to talk to you about basic settings in your android phone or in your IOS phone. I’ll also discuss mobile payments and operating in the “cloud.” We’ll discuss briefly TOR, VPN’s and finish with operating systems which are more focused on privacy.
BASIC PRIVACY-PROTECTING SETTINGS FOR ANDROID AND iPHONE
Android devices are highly fragmented, with different versions of operating system and different manufacturers adding something on top of Google’s stock OS. However, there are some basic settings that will help you reduce tracking, profiling and snooping.
- Encrypt your Android device. Go to Settings → Security → Encrypt Device → follow prompts. Some older devices do not support encryption, though.
- Protect it with a strong passcode or password. Go to Settings → Security → Screen Lock → choose either a more digits for PIN, or alphanumeric password for better protection. Be wary of fingerprint locks – they can be hacked; some states legally compel you to unlock a fingerprint-locked device; in case of a physical assault using your finger to unlock a device is easier than brute-forcing a strong password; you can always change your password and make it more complicated – you can never change your fingerprint.
- Disable cloud-based backup to your Google account. This will keep your photos, contacts and Calendar events stored locally on your device. It means you won’t be able to sync it across devices, but it also means Google does not have it. To make up for the loss of sync functionality, do a manual backup to local SD card, or computer. Yes, it requires more input on the user part, but who said you could have your privacy without breaking a sweat? To turn off cloud backup, go to Settings → Backup and Reset → disable Back up my data.
- Disable location tracking. Settings → Location → disable. And Settings → Accounts → Google → Location Services → disable recent location requests and location services of Google location History.
- Disable stock bloatware. Do you use all apps pre-installed on your device? If not, you can’t uninstall them anyway, but still they remain active, often in the background, sending tracking data to the manufacturer or Google servers. You can’t uninstall them, but you can disable them. Go to Settings → Application Manager → go through the list of apps and tap Disable or Turn off for the ones you don’t plan to use. This is how you can successfully disable the pre-installed Google Drive, Dropbox, Com2uSPoker, Hangouts, Maps, Picasa Uploader, Street View, Yahoo bloatware, and such.
- Log in to your Google account and take a closer look at the following settings – Location history, search history, YouTube history. Disable.
- Google settings → Smart Lock for Passwords → disable. This will not upload your password to Google.
- Google app → Google settings → Ads → Opt out of interest-based ads. Rather self-explanatory measure, isn’t it?
- Google settings → Search & now → Voice → OK Google Detection → from the Google app. This will limit the use of Google Now personal assistant feature to the ones who can unlock the device. Or, disable the feature altogether by going to Search & Now → Accounts & Privacy → Google Account – sign out. Did you know Google keeps a creepy history of your voice searches?
- Make sure your device locks itself when it enters the sleep mode. Go to Settings → Security → Automatically Lock → Immediately.
- If you have a password or pin code enabled for your lock screen, you can also enable a self-erase function for your device in case the password or passcode is entered incorrectly ten times. You can enable this feature from Settings → Security → turn on Automatically Wipe. Note: this feature won’t be available until you enable the password or passcode lock screen.
- Use firewall apps, such as NoRoot Firewall. It’s free, easy-to-use and blocks all apps from accessing the Internet unless you authorize them to do so. With a firewall app in place, you are in control of the apps and games trying to access the Internet behind your back. You can create rules, and change your permissions on the fly. Apps like this one give a lot of peace of mind and save some device resources by cutting short the background activity that consumes your bandwidth.
- Make sure you have the latest security patches installed, that is if your device’s manufacturer is kind enough to release them. Go to Settings → About phone/About tablet → System Updates → enable Auto update and check the Update Now to see if there are any pending updates.
Unfortunately, very few manufacturers release security patches for devices older than their newest flagships. Among the ones that receive the updates are Google’s own Nexus, some Samsung and some LG devices.
- Install an ad-blocker. Choose whatever you like from Google Play store, or take a look at Block-This.
IOS 9 (IPhone):
iOS devices are significantly less fragmented, but if your device runs an earlier version of the operating system, just see which options apply to it, and additionally browse for “privacy and security settings for iOS your version.”
- Set a complex passcode, choose 6 digits over the regular 4. Settings → Touch ID & passcode → enter your current passcode or Turn passcode On → Passcode Options → choose the more complex alphanumeric or numeric code.
- Location tracking – this needs to be turned off by default, but your iPhone is configured to track wherever you go literally. To stop it, go to Settings → Privacy → Location Services → System Services → Frequent Locations → turn it off. To ensure better privacy protection, tap the Clear History button, too.
- iOS requires apps and games to notify you the first time they want to upload your personal data. This may include the data you wish to keep private. Go to Settings → Privacy → select an app (Contacts, Calendar, Email, Photos) and toggle the On/Off bar if you wish to revoke the permission to upload your data.
If this setting was previously enabled, disabling it won’t erase the previously uploaded data.
- Deny or limit some apps from tracking your location in the background, and some of them access your location even when you’re not using these apps. When you see pop-up messages from apps wanting to use your location, you can choose Don’t Allow, or limit it from your device’s settings.
- Enable two-factor authentication. This will send a code to your device whenever someone tries to access your data in the cloud from a different device, even if they have your login and password. This measure was introduced after a horrendous iCloud celebrity hack, when a dozen female celebrities had the contents of their iCloud uploaded to public forums, including explicit selfies.
- Set the expiration date for your video and voice iMessages as opposed to keeping them on your device indefinitely. You can do this from Settings → Messages/ or Audio Messages or Video Messages → Keep Messages → select the time.
- Don’t leave default settings in anything that is related to privacy and security. Among other things, change your default WiFi hotspot password. Make it alphanumeric.
- iPhone location-based tracking services are system-level, iOS native, and not only drain your battery but track your location heavily. These could use a little tweaking, too. Settings → Privacy → Location Services → System Services → disable the services you do not plan to use.
- Install an ad blocker from the iTunes app store to prevent the tracking ad cookies from tracking your online activities. There are many of them, some commonly recommended are Crystal and Blockr. You can see your list of ad blockers by going to Settings → Safari → Content Blockers. Here, you can enable or disable them.
- Block ad cookies and trackers in Safari settings. Go to Settings → Privacy → Advertising → toggle on Limit Ad Tracking. Also, tap Reset Advertising Identifier feature to enable your new preferences.
- Another nifty thing you can do is enable DuckDuckGo as your preferred search engine, instead of Google. To do so, go to Settings → Safari → Search Engine → select DuckDuckGo as your default option for Safari, Siri, and other apps.
Privacy and security are pressing concerns in the mobile ecosystem as such, but mobile payments make a standalone case. In late-2015, a global cybersecurity association ISACA released a 2015 Mobile Payment Security Study, which surveyed more than 900 cybersecurity experts on the safety of mobile payments.
- 89% said cash was the most secure form of payment, but only 9% prefer to use it.
- 47% believe mobile payments are not secure.
- 87% expect to see an increase in mobile payment data breaches and hacks in 2016.
- 23% believe mobile payments are secure.
Among the greatest privacy and security vulnerabilities of mobile payments are:
- 26% use of public Wi-Fi
- 18% phishing/shmishing and other social engineering techniques
- 21% lost or stolen devices
- 13% weak passwords
“People using mobile payments need to educate themselves so they are making informed choices. You need to know your options, choose an acceptable level of risk, and put a value on your personal information,” said Christos Dimitriadis, ISACA International President and group director of information security for INTRALOT. “The best tactic is awareness. Embrace and educate yourself about new services and technologies.”
Cybersecurity experts recommend two-factor authentication as the most effective way to increase the security of your mobile payments. Installing an antivirus solution on the mobile device is also a good precaution.
MOBILE AND THE CLOUD:
Do not store private data in the cloud that comes bundled with your device when you buy it. Normally that’s Google drive, Dropbox or iCloud simply because these services offer no privacy.
OF CLOUD STORAGE – SAY NO TO MAINSTREAM PROVIDERS. CHOOSE ALTERNATIVES
Microsoft, Google, and Dropbox offer cloud storage with many perks – sharing, syncing, collaboration, online web versions of popular file formats you can use on the go from your smartphones and tablets, expandable storage, and whatnot. Convenience, affordability, accessibility, ease of use, cross-platform availability, all of which go down to better performance and productivity on a personal and professional level. However, privacy is not a part of the equation.
We may access or disclose information about you, including the content of your communications, in order to: (a) comply with the law or respond to lawful requests or legal process; (b) protect the rights or property of Microsoft or our customers, including the enforcement of our agreements or policies governing your use of the services; or (c) act on a good faith belief that such access or disclosure is necessary to protect the personal safety of Microsoft employees, customers or the public.
We’ve discussed open-source vs proprietary solutions already – there is no independent audit that can confirm no backdoors or vulnerabilities are siphoning your data. The fact that these companies are not zero-knowledge means they store your passwords, meaning they can have the access to your account at any given moment. Worse yet, all these factors create a huge window of opportunities for hackers.
Your best bet would be to migrate to an alternative service, which offers the luxury of keeping your files private, even from its own employees.
PRIVATE BROWSERS and BROWSER SETTINGS, ADD-ONS, ALTERNATIVE SEARCH ENGINES
Your entire life is in the browsers, and trackers, audio beacons, and cookies send this data to third parties. How it may backfire at you at some point is a hypothetical question, but chances are it might.
Google has monopolized the Internet, and your searches, preferences, contents of your emails and passwords are collected, stored and sold to advertisers. To stop that, use alternative browsers and search engines.
Add-ons and plug-ins (the following are for Mozilla Forefox, but many have versions for other browsers, too):
Firefox → Options → Privacy →
Use Tracking Protection in Private Windows/Do Not Track – On
Always Use Private Browsing Mode – On
Accept Third-party Cookies – Never
Firefox → Options → Search →
Default Search Engine → DuckDuckGo
ADVANCED SETTINGS FROM SOURCE: PRIVACYTOOLS.IO:
Enter “about:config” in the firefox address bar and press enter.
Press the button “I’ll be careful, I promise!” and toggle the following criteria to:
privacy.trackingprotection.enabled = true
This is Mozilla’s new built in tracking protection.
geo.enabled = false
dom.event.clipboardevents.enabled = false
Disable that websites can get notifications if you copy, paste, or cut something from a web page, and it lets them know which part of the page had been selected.
network.cookie.cookieBehavior = 1
1 = Only accept from the originating site (block third party cookies)
network.cookie.lifetimePolicy = 2
cookies are deleted at the end of the session
2 = Accept for current session only
browser.cache.offline.enable = false
Disables offline cache.
browser.send_pings = false
The attribute would be useful for letting websites track visitors’ clicks.
webgl.disabled = true
WebGL is a potential security risk.
dom.battery.enabled = false
Website owners can track the battery status of your device.
browser.sessionstore.max_tabs_undo = 0
Even with Firefox set to not remember history, your closed tabs are stored temporarily at Menu -> History -> Recently Closed Tabs.
Fix your browser leaking your real IP, even if you’re using a VPN – online tool with instructions.
Tor is the go-to browser when it comes to privacy and anonymity online. It is free, open-source, and helps you defend yourself from data mining, traffic analysis and even overcome state-imposed bans on certain websites aka Internet filters (for example, if you live under oppressive regimes).
Technically, this is the kind of software that might turn off a newcomer, but if you go through the setup process once you will be able to enjoy anonymity, which is a step ahead of privacy.
Things you should keep in mind when using Tor in order not to compromise your own anonymity:
- Do not torrent over Tor – torrent applications ignore proxy settings and compromise your real IP address.
- Do not install browser plugins in Tor – the browser is configured to provide anonymity, and so it blocks Flash, Quicktime, RealPlayer, which can reveal your IP.
- Use HTTPS versions of sites.
- Do not use other browsers simultaneously when using Tor.
- Don’t open files downloaded through Tor while you are online, especially DOC and PDF since these can contain Internet resources that come bundled with the files and the program you use to open them will reveal your real IP address.
- Use bridges – this will take a little reading, but it’s important if you think your ISP (or anyone else) is monitoring your traffic. While Tor prevents them from knowing which websites you visit, they will still know you’re using Tor. Tor Bridge Relay will help you reduce that risk.
Below are some basic criteria to take into account when choosing a VPN service provider:
- Choose a non-US based provider – this is a common tendency to avoid US and UK based services in general, not just VPN providers, mainly due to the Five-Eye surveillance agreements between these countries (US, UK, New Zealand, Canada and Australia). For more information on why read about PRISM surveillance program revealed by Edward Snowden.
- That said, study the provider’s jurisdiction carefully. This will tell you a lot about what they might be legally compelled to reveal about you.
- Choose a provider that does not require your real credentials when creating an account – no names, addresses. Just the username, password and a valid email address.
- If you aim to protect your identity when paying for your VPN, you might want to check if the provider accepts Bitcoin, cash, cash cards or debit cards.
- Beware of paid reviews – derive your conclusions about VPN service providers comparison and reviews on independent forums and privacy-related websites only.
Some VPN service providers you might want to check out (no affiliation) – most offer free trial:
ALTERNATIVE, PRIVACY-FOCUSED OPERATING SYSTEMS:
Debian – Linux distribution, open-source, free.
Trisquel – Linux-based OS derived from Ubuntu.
Qubes OS – endorsed by Edward Snowden, open-source, based on Xen, the X Window System and Linux.
Whonix – Debian GNU/Linux based security-focused Linux distribution, consists of two virtual machines – workstation and a Tor gateway. Secure, anonymous, private.
Tails – pretty universal since you can use any machine to run it, even old PCs – it starts from a bootable USB or disk or SD card. Uses Tor, leaves no trace on your computer, encrypts files, messages and emails.
KNOPPIX – based on Debian, runs from USB flash drive or CD/DVD.
Puppy Linux – lightweight Linux distribution, easy to use, light on resources and RAM.
Next week we’ll talk about bringing and using your own device at work, Windows 10 and 0 privacy, we’ll wrap next week up with social networks and how to maintain your privacy while using them. In the final part of this 5 part series, we’ll discuss METADATA, various “Smart” devices (locks, cars, thermostats, TV’s, fridges, etc). I’ll give you some common sense tips and a handful of very useful links.
Until next week, take one step in your self-sufficiency. I believe in you and know you can do it!
Another link to a great article on cybercrime written by the people at Cloudwards: https://www.cloudwards.net/cybercrime-5-things-you-need-to-know