Wednesday, February 22, 2012

Protect your privacy: how to keep personal information secure whenever you go online.

The CEO of a major technology company once famously opined that, in the Internet Age, "You have zero privacy. Get over it."

Some of us would rather not. We'd like to keep our personal information--whether it be what we share with friends on Facebook or our credit card and Social Security numbers--under some control. We'd prefer not to let such details out into the wild, where they can be bought and sold and, often, used against us.

If you, too, are a privacy traditionalist, take heart: There are things you can do to make browsing, shopping, socializing, and other online activities less of a threat. That CEO was doubtless right in some ways: We probably can't keep all of our private information private. But we can certainly make it harder for those who'd like to make it public.

Web Browsing

Ad networks, search engines, Internet service providers, and social networks track, analyze, and sell almost everything you do online.

Advertising Networks

The Risk Ad networks such as DoubleClick, Quantcast, and others track the sites you visit and the ads you respond to, and then target ads at you.

How to Protect Yourself To opt out of the major tracking networks, go to the Network Advertising Initiative's opt-out page (macworld.com/6930). It checks your system for tracking cookies from participating ad networks, and allows you to opt out of receiving them.

Next, you can block cookies from third-party and advertising sites. In Safari, go to Preferences > Security > Accept Cookies and set the option to Only From Sites I Visit. In Firefox's preferences, click the Privacy tab; from the Firefox Will drop-down menu, select Use Custom Settings For History; then deselect Accept Third-Party Cookies.

To really browse under the radar, you'll need some plug-ins. AdBlock for Safari (payment requested; safariadblock.com) and AdBlock Plus for Firefox (payment requested; adblockplus.org) block most ads and embedded tracking; Ghostery (free; www.ghostery.com) blocks tracking by more than 200 companies.

For complete browser control, try NoScript (free; noscript.net) for Firefox and the Plugin Customs extension (free; extensions.apple.com/#productivity) for Safari, but be warned: Both disrupt how sites work.

As a final stopgap, use a privacy tool like MacScan (free; macscan.securemac.com) to sweep your system for any lingering tracking information (as well as malicious spyware and Trojan horses).

Flash Cookies

The Risk Local Shared Objects (LSOs) are small text files saved by Adobe Flash that function much like cookies yet evade most standard privacy tools. These kinds of files are extremely common on major Websites and are frequently used for tracking visitors.

How to Protect Yourself Go to the Adobe Flash online-settings manager (macworld.com/6931) to restrict how Flash stores LSOs. In the Global Storage Settings panel on that page, deselect the Allow Third-Party Flash Content To Store Data On Your Computer option (doing so will get rid of tracking). Setting the allowed storage space to zero will let you manually approve any requests for a new LSO.

For additional control in Firefox, I recommend the BetterPrivacy plug-in (free; macworld.com/6932). This will delete all LSOs when you exit your browser or after a specified period of time. Note that if you do a lot of Flash gaming, you will want to allow LSOs for those sites. --RICH MOGULL

Shopping

Most shoppers focus on guarding the privacy of their credit card data, and that's important. But it's not the only privacy concern you should have when shopping online.

Identity Theft

The Risk Any time you use your credit card online, your identity is at risk. Criminals can harvest thousands or even millions of credit cards at a time. That's a problem for two reasons.

First, of course, your card can be used to buy all kinds of goods in places you've never been. Second, an attacker can combine your credit card number with other personal data to steal your identity and secure credit in your name.

How to Protect Yourself Follow your instincts: Does an online merchant feel legit? Next, do your homework. Check out merchants via the Better Business Bureau (www.bbb.org/us) or the Internet Retailer Top 500 Guide (www.internetretailer.com/top500). Look for feedback on opinion sites like Epinions.com (macworld.com/6927) and Bizrate (macworld.com/6928).

Make sure you're actually on the site you think you're on. Phishing or network-redirection attacks can link you from an e-mail message or a Web page to a fake site that looks like the real thing. One Firefox plug-in, LocationBar2 (free; macworld.com/6929) can help: It makes clear what Website you're using.

Attackers will go to great lengths to make their domains look plausible--http://amazon.com.itakeyourmoney.ru may look like the real Amazon at first glance if you don't check the full URL. (And the fake URLs are rarely this obvious.)
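
What "check the full URL" means in practice, as an added example that is not part of the original article: the owner of a hostname is decided by its rightmost labels, so the check compares the registrable domain of a link against the merchant you expect. The function names and the short suffix list are assumptions made for this sketch; a real check needs the full Public Suffix List.

```javascript
// Added example, not from the original article.
// Constructed subset of the Public Suffix List; real checks need the full list.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "ru", "co.uk", "com.au"]);

// Registrable domain = the public suffix plus exactly one label to its left.
// Returns null for a bare suffix or a suffix missing from the subset above.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  // Try the longest candidate first so a multi-label suffix such as "co.uk"
  // is matched whole.
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Compare where a link really leads with the merchant the reader expects.
function checkLink(link, expectedDomain) {
  let url;
  try {
    url = new URL(link);
  } catch (err) {
    return { verdict: "invalid", actual: null, reasons: ["unparseable-url"] };
  }
  const host = url.hostname;
  const actual = registrableDomain(host);
  const reasons = [];
  if (url.protocol !== "https:") reasons.push("not-https");
  if (actual !== expectedDomain) {
    // The trusted name is present, but only as labels to the left of the
    // domain that actually owns the host.
    if (`.${host}.`.includes(`.${expectedDomain}.`)) {
      reasons.push("brand-as-subdomain");
    }
    return { verdict: "mismatch", actual, reasons };
  }
  return { verdict: reasons.length ? "caution" : "match", actual, reasons };
}

// Sample links: the first is the article's own example, the rest are constructed.
const SAMPLE_LINKS = [
  "http://amazon.com.itakeyourmoney.ru",
  "https://www.amazon.com/gp/cart",
  "http://www.amazon.com/",
];
for (const link of SAMPLE_LINKS) {
  console.log(link, JSON.stringify(checkLink(link, "amazon.com")));
}
```
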

When you're on the real site, check the vendor's privacy policy. It should specify what the vendor will and won't do with your data. Search for terms like third-party, e-mail address, or personally identifiable information.

Regardless of your best efforts, your personal information may still be compromised. That's why it's also important to monitor your identity through services such as Debix ($10 per month; www.debix.com), Citi Identity-Monitor ($13 per month; www.identitymonitor.citi.com), and Experian ($13 per month; www.experiandirect.com). They will alert you when any new requests for credit appear in your file. Get into the habit of checking your credit card and banking accounts frequently to make sure there are no unauthorized charges.

Spying

The Risk You may find it convenient when your favorite online merchants e-mail you offers for products you were thinking about buying. But wait--how did they know what you're interested in? Well, it's not a secret. You told them what you like to buy and when, or perhaps you told Google, as you were browsing Web pages for similar products.

With the advent of tracking technologies and sophisticated analytics, many Web merchants know exactly who you are and what you are most likely to buy (see "Web Browsing"). They know because you tell them through your buying and surfing patterns. This is valuable data, and merchants can (and do) sell it to each other.

How to Protect Yourself As mentioned above, reputable retailers spell out how they use your information in their privacy policies. Check to see if your favorites sell your information to other merchants. If they do, then see if you can opt out of offers from third parties.

Consider connecting to the Internet through a VPN or private proxy, which will obscure your IP address and therefore your location (see "Networking"). This is effective only when browsing; once you decide to buy, your identity will be exposed.

Finally, if you're really paranoid, shop at a variety of sites to limit the depth of knowledge about you that any one retailer can acquire. This has its risks, however; buying from a merchant who may be shady just for the sake of variety is counterproductive. --MIKE ROTHMAN

Social Networking

Maintaining privacy on social networks is like hanging your dirty laundry on a highway billboard and asking only your friends to look. While you can maintain some degree of privacy on social networks, it takes a lot of effort and is often contrary to the goals of the services. Remember, these services are free because they're selling access to you.

Your Private Profile

The Risk Since the entire goal of social networking is to help you connect and communicate with other people, the privacy settings on most social networks default to Wide Open. They often stay that way, because many users don't know how to adjust them.

How to Protect Yourself The ease with which you can customize privacy settings varies by service. Twitter has just one option: On your Settings page, you can select your Tweet Privacy to protect your tweets (meaning that only people you approve can see them). At the other end of the spectrum are services like LinkedIn, which scatters its privacy settings across nine screens, and Facebook, whose supposedly simplified privacy settings span menus up to four layers deep.

No matter which service you use, it's incumbent on you to find out where these settings live (Google is your friend in that regard). Once you find them, the most important settings to look for concern:

* Who can read your profile

* Who can see your posts and activities

* What information is shared with external sites and businesses

* Which applications can access your data

* What information your friends can share about you

* Who can see your pictures and/or location

* Which sites integrate with your social network (for example, those that link with Facebook's Like feature)

Most services allow you to adjust privacy settings in these categories: friends (or immediate contacts); friends of friends (or second-degree contacts); third parties; or everyone in the world. On Facebook, be sure to control what your friends can share about you (under the hard-to-find Account > Privacy Settings > Apps And Websites > Info Accessible Through Your Friends), because that could override other settings. Also, keep an eye out for changes in the service's privacy policies, and adjust your settings accordingly.

Finally, consider what you put in your profile in the first place. There's no rule that you have to provide all the information for which there's a field. If you don't want everyone to know how old you are, don't fill in that birthday field. It's possible to provide virtually no private information yet still use the service.

Public Profile

The Risk Most services show the world a public profile, one that's different from the one your network can see. But that public profile can still include some pretty private information.

How to Protect Yourself Review your profile and see what information is public. Check your settings, then log out and look at your profile. Have a friend check from his or her account.

External Applications

The Risk With your approval, most social networks allow access from external applications, third-party games, and third-party sites such as Twitter. Some of these apps require complete access to your account, including ongoing access to all of your activities, perhaps even your friends' information.

How to Protect Yourself Depending on the service and application, you may be able to control what such applications can access. Do you really need to give that snowball app access to all your photos and posts?

Your Friends and You

The Risk You and your friends can be the biggest threat to your privacy. You may accidentally reveal too much about yourself by tweeting, posting, or updating without considering the consequences.

How to Protect Yourself The first rule of social networking: Assume that everything you post is public and accessible to anyone forever. These networks are great for sharing and connecting, not so great for private communication. So think before you post. Leave Twitter alone when you're skipping work for a happy hour that the boss wasn't invited to. --RM

What Happens to Your Data?

When a criminal obtains your e-mail address, credit card, or Social Security number, your information enters an underground economy where it's sold, bought, and (perhaps) eventually used in a crime.

However it's acquired, stolen personal information is aggregated and sold in online criminal marketplaces that function much like eBay. For example, the ShadowCrew site that was busted by the U.S. Secret Service in 2004 had an estimated 4000 members and up to 8 million credit card numbers. Another site, carders.cc, was itself hacked twice in 2010, but is still operating.

Different kinds of data have different value: A credit card number may be worth as little as a few cents; that same number with your name, address, and Social Security number could be worth $30. The extra data can be used to perpetrate identity theft, which can be much more lucrative than simple credit card fraud.

Credit Cards

A carder who buys financial data on the underground market can convert it to cash through a money mule. Mules are usually recruited through work-at-home job offers that claim to be hiring "payment transfer agents"; often, they don't know they are committing crimes. Credit cards are used to purchase goods or gift cards, which are then shipped to the crime boss.

Other mules know exactly what they are doing. For example, they might use stolen credit cards to purchase large numbers of gift cards, and then use those gift cards or sell them online. Stolen card numbers are usually tested ahead of time with small ($1 or less) donations to charities--that's something to keep an eye on.

Bank Account Fraud

As the monitoring of credit card fraud improves, criminals are turning more toward bank accounts that lack the same kinds of automated protection systems. Access to online bank accounts is now one of the most valuable items in the criminal underground.

In bank account fraud, the bad guys log in to your account and transfer funds directly to a mule (smuggler); the mule then uses a money transfer service to immediately transfer the funds again. (Doing it quickly reduces the chances the transaction will be reversed.) Small businesses, whose bank accounts often lack the protections of consumer accounts, are currently hot targets; such a company can be decimated if it can't recover the funds.

In one of the most brazen online crimes in history, criminals hacked into the servers of RBS WorldPay, gaining access to debit card accounts. The attackers raised the limits on 44 of those accounts to as high as $500,000, and then issued functional cards to accomplices around the world. More than $9.5 million was stolen in 12 hours by using over 2000 ATMs. (The RBS attackers were later caught and convicted.) --RM

E-mail

Despite the rise of social networks and Twitter, e-mail is still the way many of us communicate. But it can put a tremendous amount of your private data at risk.

Compromised Accounts

The Risk If you're like most people, your e-mail account contains old bank statements (or links to them), addresses, information about other accounts, and even credit card numbers or passwords: It's a treasure trove for identity thieves. And if attackers gain control of your e-mail account, they can also gain access to (and reset the passwords of) your other accounts. Finally, attackers can harvest your friends' e-mails for spam or phishing attacks.

How to Protect Yourself Don't use e-mail to send critical data. And make sure you use encrypted connections. That means using SSL (look for the lock icon in the upper left of Safari's window) for Webmail and a secure protocol (usually IMAP or POP3 over SSL) for other accounts. (In Mail, for example, go to the Accounts preference pane, choose an account, open the Advanced tab, and select Use SSL.) Do that on your portable devices and on your Macs.

Use very strong passwords for your e-mail accounts. Password utilities like 1Password (**** [1/2]; 5; macworld.com/6722) and Mac OS X's own Password Assistant utility can help you generate and manage them.

Compromised Address

The Risk Your e-mail address alone is worth money to spammers, scammers, and other thieves, and is therefore worth safeguarding.

How to Protect Yourself Use one-time e-mail addresses for different online accounts and services. Many ISPs will provide such addresses for free; MobileMe, for example, provides up to five such aliases (Mail > Preferences > Addresses). If that e-mail address starts getting spammed, you can cut it off without changing your primary address.

Some spammers still crawl Web pages looking for text strings that look like e-mail addresses. So make sure your e-mail address doesn't show up in online forums or blog comments, much less any Websites you control. Or use a simple obfuscation technique, such as username (at) domainname (dot) com to make the address harder to recognize. --MR

Networking

It's all well and good to take precautions when you're browsing, e-mailing, or using a social network. But if you're doing all that over an insecure network, your privacy could still be at risk.

Sniffers

The Risk Any time you use a public network, someone else could be listening in: Nearby miscreants could be sniffing your network traffic or snooping on your visits to sites like Facebook to hijack your login.

How to Protect Yourself First, don't use a public Wi-Fi network you don't absolutely trust. Second, think long and hard about the applications and sites you use on a public network; don't, for example, do any online banking.

Encrypt your network traffic via SSL whenever possible. It's fairly easy to do in e-mail clients (see "Compromised Accounts"). It's easy to do in Safari, too: Safari defaults to SSL on sites that support it. (Again, you'll know SSL is in effect by the closed padlock in the browser window.) For Firefox, try the HTTPS Everywhere plug-in (free; macworld.com/6993), which forces SSL sessions for services that support it. Absent that, replacing http:// with https:// works on some sites.

You can also use a VPN (virtual private network) or Internet proxy service when connecting via public networks; either will make your traffic unsnoopable. Anonymizer ($80 a year; www.anonymizer.com); StrongVPN (about $5 a month; strongvpn.com); and PersonalVPN ($5 a month; www.witopia.net) are good ones.

ISP and Network Tracking

The Risk Internet service providers, or whoever manages the network you're using to connect to the Internet, can see all of your traffic. A number of ISPs now track their customers' browsing and sell aggregated information to market analysis firms. As with some other privacy violations, this is more creepy than dangerous.

How to Protect Yourself If your ISP tracks your online whereabouts, you might be able to opt out on its Website. As with ad networks, opting out of ISP tracking means setting a cookie in your browser telling the ISP to ignore your traffic. If you clear that cookie, the ISP will resume tracking. However, you can't always fully opt out of the monitoring.

If you're worried about your ISP or network provider sniffing your traffic, the only way to protect yourself is to encrypt the traffic (by using the same techniques described above for preventing snooping), or to use an anonymization service such as Tor (free; www.torproject.org). Tor encrypts your connection and routes it through a number of random servers on the Internet. Your traffic is still visible at the exit node, but it can't be tracked back to you on your local network or by your ISP. Unfortunately, Tor can significantly slow down browsing and other activities. --MR

ILLUSTRATIONS BY ASAF HANUKA

Rich Mogull has worked in the security world for 17 years. He writes for TidBits (tidbits.com) and is a security analyst with Securosis.com. Mike Rothman is an analyst at Securosis.com and author of The Pragmatic CSO (www.pragmaticcso.com).
