For non-financial data, this is a totally subjective decision based on weighing the pros (someday you might want to write your autobiography or look back fondly at that lost love) vs. the cons (you’re running for office and somebody finds a politically incorrect rant in your old files). The main thing is to think about data retention in an organized way, and of course, wipe clean (or physically destroy) any digital media before it leaves your home or office for the trash or the recycling depot.
Build yourself a sandbox.
For years, software developers have isolated test and production systems so that their inevitable mistakes won’t bring something like an airline reservation crashing down around them. You can find software (e.g. VMware and Sandboxie) to create an isolated environment on your own computer. Another approach is to just wipe everything off a soon-to-be-retired machine and re-purpose it as your “sketchy machine.” Use it for anything you think might cause security problems, after having loaded it up with virus checkers and other anti-malware software. Don’t use it for anything important or sensitive, and be ready to wipe and “re-image” it. The downside of this approach is that you might have an infected machine on your network for a period of time.
Guard Your Digital Persona Like a Hawk and Cover Your Digital Tracks.
In the 1950s, some parents would send their children down to the corner store for a jug of milk and a loaf of bread with instructions to “put it on our account.” Don’t try that today! Instead of your family’s reputation, your identity and ability to function in society is now tied to an impersonal, automated, and, it appears, quite vulnerable system of numbers and codes.
No matter where you shop, from Target to Neiman Marcus, you run the risk of hackers getting access to your credit or debit card data and other information. Both of those retailers, and countless others, have been the victims of hacker penetrations. That type of activity is beyond your control, but there are some commonsense tips you can use:
Prefer credit over debit cards.
You are definitely safer using a credit card than a debit card because, at the time of purchase, you are spending the card issuer’s money. They are keenly interested in protecting that, and have elaborate anti-fraud measures. In most cases, you’ll have zero liability for unauthorized credit card transactions. If your debit card is hacked, you run the risk of your bank account being emptied, and a protracted fight with your bank to prove it wasn’t you who did it.
You could pay cash (or Bitcoin).
Sure, there’s a risk that you’ll be robbed in the street, and you will miss out on credit card perks like frequent flyer miles and extended warranties. But immunity from hacking and protection from credit card fraud may outweigh these benefits. Then again, cash may be on its way out. Just try to use it to buy a drink on an airplane, or even to pay your telephone bill.352 Even Canada’s Passport Office now refuses to accept cash. As for Bitcoins, and other digital currencies, great idea—but good luck checking into a hotel or renting a car with them.
Monitor your accounts online regularly.
Almost all financial institutions provide the option of online access to your account, and that has major advantages. Printed statements in your mailbox or your unshredded trash can be a gold mine for identity thieves. In fact, if you are not 100% confident about the security of your postal mail, you might consider having the physical credit cards shipped to you care of your bank branch. That little extra effort could pay off in increased security.
Assuming you have set up online access, it’s possible to check your accounts regularly, and you definitely should. The earlier you catch something amiss and report it to the financial institution, the safer you are going to be. During the 2013 scandal over hacker penetration of retail giant Target, one CNN security expert urged everyone who had shopped there to cancel each of their credit cards and request a new one because “you’ll have it in two or three days.” Of course, if forty million or so customers actually took his advice, it would be more like two or three months. Still, if you have any suspicion that your card is being misused, it is better to be safe than sorry.
Set up a Google Alert on your name.
You can use the power of Google to keep a close watch on what is being said about you online. Just go to google.com/alerts and put in your name (and any variants) in quotation marks. Sure, you’ll get some false hits. I know far too much about a musician and a golfer who share the name “Tom Keenan.” Still, if someone is ranting about you online, this might bring it to your attention.
Use a privacy-friendly search engine.
The business model of major search engines, and certainly Google, is to serve up advertising to you, preferably for things you might want to buy. Advertisers pay for the privilege, and your eyeballs are even more valuable if you have been profiled and can be targeted.
Simply typing terms into the box of a search engine can have serious consequences. An accused killer’s admission that he did a Google search for “how to dissolve a body” certainly didn’t win him any friends in a courtroom.353
Perhaps the best known search engine that promises not to track you is duckduckgo.com. The folks behind it give a fascinating illustration of how search engines leak personal information about you based on your searches on www.donttrack.us. They illustrate how a Google Search for “herpes” is sent to Google along with your browser and location, which may be used to identify you.354 This can influence the kind of ads you are shown, as this information follows you around online. Just as you start that big business presentation—ads for herpes treatments appear.
Creepy tracking by search engines is not just a theoretical vulnerability. Real people have complained about having their privacy invaded in creepy and disturbing ways.
A man in Canada searched on Google for “CPAP” (continuous positive pressure airway machines, which are used for sleep disorders). In a later surfing session, he was looking at a comic strip that had nothing to do with the medical device and was creeped out to see ads for CPAP devices displayed by Google.
He filed a complaint with Canada’s Privacy Commissioner who ruled that “Google’s online advertising service used sensitive information about individuals’ online activities to target them with health-related advertisements, contrary to Canadian privacy law.” Google promised to mend its ways.355
Check your environment for things that should not be there.
Earlier in Technocreep, we learned about CreepyDOL, an unobtrusive $57 snooping device that someone could plug into the wall at your favorite coffee shop, airport terminal, or public library. The odds are good it would sit unnoticed there for weeks, intercepting everyone’s Wi-Fi traffic. While you may not have the technical expertise to sweep for bugs, there’s nothing wrong with asking “what’s that?”—whether it’s a box plugged into an outlet or some new icon on your smartphone.
Be Info-Stingy.
Many stores routinely ask for your postal code, telephone number, or some other piece of identifying information at the checkout. Savvy Canadians give out H0H 0H0, a valid postal code that happens to belong to Mr. and Mrs. Claus. Americans, of course, tend to rattle off 90210 as their fake zip code. A California woman successfully sued retailer Williams-Sonoma, Inc. for demanding her zip code, then using it to locate her home address.356 The main reason to “just say no” to that checkout clerk is to continuously remind yourself to be very stingy in giving out any personal details.
Your refusal here is, however, largely symbolic. Yes, you are throwing a small wrench into the store’s data gathering system. However, if they want more information about you, they can go to data brokers who are happy to sell your details. Or, as Target clearly did in the case described earlier in Technocreep, the retailer can simply build its own profile of you, adding data to it every time you use a debit or credit card, subscribe to a mailing list, or redeem an offer of some sort. In the future, if society allows it, stores might use facial recognition or even a TouchDNA test to figure out your identity and
track you.
Here are some ways to be properly parsimonious with your information:
Give out any phone number but your own.
Actually, it’s probably best to have a small list of bogus numbers memorized so you don’t find yourself at a store trying to return something and struggling to remember what phone number you gave when you made the purchase.
How to pick your fun number? You might want to think like a movie scriptwriter, and give out a number with the 555 prefix. Since the 1960s, the film and TV industries have been encouraged to avoid inadvertently showing a real subscriber’s number. The numeric range 555-0100 to 555-0199 is officially reserved for fictitious numbers in most North American area codes.
Or you could be a little cheeky in your choice of fake phone number.
For a while I passed out the direct private line of a government minister who was in charge of protecting consumer privacy but who didn’t seem very interested in doing that. The adult approach, of course, is to ask “why do you need that?” but who wants to argue with a cashier when you are in a hurry?
But wait, I just might want to receive a phone call from those people.
It’s hard to imagine why you would actually welcome a marketing call, but if you do feel that way, there is a simple procedure that still protects your privacy. First, create a brand new Google Account. Then (currently this will only work for users in the U.S.) create a free Google Voice number linked to it. You can then check it periodically for voicemail, or if you really want the calls, forward it to a real telephone number. You will still have the option to undo this at any point in the future, sparing you an eternity of pesky calls from telemarketers.
Telemarketers.
Many countries have “do not call lists” that often fail to work properly and are even used by spammers in faraway places as lists of people to call.
Having little faith in Do Not Call Lists, I created a script for having a little harmless fun with telemarketers. It was vaguely inspired by the legendary “Angel of Death prank call” in which the person called tells a cemetery plot telemarketer that he’s been “thinking of taking my life, and your call is the sign I’ve been praying for.” In his version comedian Tom Mabe even asks the hapless marketer if they offer financing for the plot, though of course he plans to need it right away.357
After ascertaining that a caller wants to paint my house, remotely diagnose (and hack) my computer, or clean my furnace, I express great interest but remind him or her that “You have called a premium number.” Often they will persist with their script so I repeat this until I have their attention. I patiently explain that “we charge for incoming telephone calls. It’s $75 for the first ten minutes and we take Visa, Mastercard, and American Express.” Once I did have some poor woman offer me her Mastercard number but I wouldn’t accept it. Usually they hang up, probably flagging the number in their database as “crazy person” or something like that.
If a marketer asks for you by name, don’t say you are deceased, tempting as that might sometimes be. One woman did that and her credit card company canceled her card. Do not be abusive to the telemarketers; they are only doing their job. Also, it has been reported that annoyed call center agents sometimes retaliate for rudeness by passing your number around the room for everyone to call.358
There are also various hardware devices that claim to cut down on unwanted inbound phone calls. Perhaps the most famous, the TeleZapper, plays an “intercept tone” to tell the bad guys that your phone is disconnected. Of course, this can have its own unintended consequences. One customer who reviewed the device on Amazon.com said that his credit card company called to say his payment had not gone through, but got the “disconnected tone.” This “landed me in some hot water” he reported. The TeleZapper had other quirks, like playing an annoying tone on every call, and anyway telemarkers soon figured out ways to defeat it. Likewise for devices that require friends and family to have a PIN code to make your phone ring. They sound good in principle but are pesky in reality.
I’d like to be the President of the United States.
Well, I can’t help you with that, except to mention that the official phone number of the White House is (202) 456-1111 and it’s trivially easy to make a call that looks like it is coming from there. Sites like www.spoofcard.com disguise your caller ID and even allow you to change your voice. The main lesson is that someone can do this to you. So just because the caller ID shows the name of your bank, it is not necessarily your banker on the phone.
How old would you like to be?.
Some teenagers are masters at constructing bogus birthdates for everything from joining websites with a minimum age to buying cigarettes and lottery tickets. While you may not want to adjust your age by decades in either direction, who is to say you can’t move it a few months in the interest of privacy?
Here’s an interesting experiment. Look up someone you know personally who is notable enough to be on Wikipedia. Chances are good you’ll find their full birth date listed. However, if that person is a computer security or privacy expert, like several I checked, the date is quite likely to be a fake one. One expert even asked me not to mention his name in conjunction with this point because “it will just provoke somebody to try to find the real date and change my entry.”
Is it OK to fib to Wikipedia? The site’s “biography of living persons” privacy policy states that they will show the exact birth date if it has been “widely published by reliable sources” and notes that if the person objects then just the year should be used. Even if you’re not Wikipedia-worthy yet, it’s a wise move to have a bogus birth date handy for non-official purposes. Your government and bank will still demand the real one, but for most other uses any reasonable date will do. It’s amazing how many online “happy birthdays” I get at the wrong time of each year because of this policy. The same goes for your address, mother’s maiden name, and email address.
Keep your body pure.
There’s emerging evidence that tattoos are a cancer risk, and not just because they can mask moles and other skin lesions. New research shows that tattoo inks, which are largely unregulated, can contain nanoparticles which may accumulate in the kidneys and other organs.359 So, as explained earlier in Technocreep, if your boss comes after you with a tattoo gun to apply your new password tattoo, you might want to head for the door.
However, the biggest risk of “body art” may be to your privacy. Databases of arrest records routinely describe “identifying marks” and it is best to have as few as possible. As far back as 1959, according to a news report, there was a file with over “200,000 people arrested each year by the Los Angeles Police Department, 90,000 of which are tattooed. Each person is indexed with identifying information including a description of his or her tattoos and location on their body.”360 In an interesting twist, according to the LAPD’s current webpage, sporting visible tattoos can disqualify you from becoming a member of that force.
Fast forward to 2012, when the FBI announced plans to add “scars, marks and tattoos” to its Integrated Automated Fingerprint Identification System (IAFIS), which they proudly describe as “the largest biometric database in the world.”361 Law enforcement agencies won’t just be matching and tracking tattoos, they’re going to try to understand their meaning “to help establish whether an individual is associated with a particular gang, terrorist organization, or extremist group.”
Try to Control Postings of Your Face (and Other Distinctive Features).
Of course your face is your most identifiable feature and it is pretty hard to completely control where photos of it are posted. Friends can tag you on Facebook; police can take booking photos that wind up on mugshot sites. Earlier in Technocreep I described countermeasures like tagging inanimate objects with your name to throw people off your digital scent. You might also tag lots of random people as yourself, making it hard for someone to guess which is the real you. Of course, this is moot if you have a perfect headshot of yourself as your prof
ile photo and lax privacy settings on Facebook.
The reality is that, unless you are willing to eschew all forms of social media communication, keeping your face private is going to be an uphill and ultimately futile battle. The best you can do is avoid posting photos that might come back to haunt you. That session of doing tequila shots from lab glassware in high school chem lab might cost you a lab assistant’s job later on in college. Those racy office party pictures probably belong on a USB stick in your desk drawer. There are countless websites where you can watch other people behaving inappropriately—there’s no need to add to the supply.
Posting photos of your body, and heaven forbid, sex tapes, is another no-no. Let’s just say that image recognition technology is not limited to your face—other parts of your body can also compromise your identity. A number of court cases, including the famous one involving Michael Jackson, have hinged on non-facial identification.362
Tell your devices to be less promiscuous.
No matter how diligent you are in protecting yourself, your laptop computer, smartphone, and other tech toys may subvert your privacy efforts by automatically connecting to rogue hotspots, nearby Bluetooth connections, and NFC (near field communication) devices.363 Sure, they’re trying to be helpful by reaching out, but it’s far wiser to turn off the automated connections and make your devices “non-discoverable.” Then just connect manually when you really want to share something. Turn off location services except when you really need them, and periodically wipe out all those airport and hotel networks that you no longer need to access.
Create another you ... or many!
Earlier, I described how some shoppers have posted the barcode from their Safeway loyalty card online so that people could use it to obtain the benefits like price discounts without giving up any of their own personal information.
One Internet rebel who did this, Rob Cockerham, added to his already considerable fame on the net and even managed to profit modestly from his prank. After posting his barcode online, and encouraging others to copy and use it, he sold his now-famous physical “Mint Safeway Card” on eBay for $21.53.364
Technocreep Page 22