First rule: anything online is vulnerable, no matter who secures it. It follows that any computer/device connected online is also vulnerable.
Second rule: Public WiFi is hackable, and doing so is not that difficult. Someone just has to want to. Using it for playing games could make you vulnerable, and using it to access your financial information (banks, brokers, etc.) is stoopid.
Third rule: Anything you do electronically is forever. Any tweet, Snapchat, Facebook post, cell phone text or conversation, email, web post, browsing activity, and anything else may be saved by someone. Some of those are harder to get than others: browsing activity takes a snooper on the data line, or a court order to set a snooper up at your ISP. For instance, all cell phone activity is now saved by the NSA, including where the phone was when. No, no one looks at it, not until they have a reason to research a person, perhaps years later. ‘Smart’ TVs can record you in your own home, without your knowledge, unless you take steps to stop it (electrical tape over cameras/microphones is a start, but still not enough).
Fourth rule: Any public activity can be recorded today. Besides CCD cameras everywhere and license plate readers on many roads, facial metrics can track you in most urban and many rural areas. Even going into the desert or mountains could be spotted via satellite, should the motivation be enough to look your way.
So don’t leave your computer connected to the Internet 24/7 (a power strip that stops electricity from reaching the computer helps cut connectivity when ‘off’), do nullify the ability of other devices to spy on you in your home, and never say anything electronically you do not want going public. Use complex passwords, and never the same for multiple sites. Password safes are better than written notes (and Apple Notes are silly to use for this.) How much you protect yourself depends on your level of paranoia.
Do you have something to hide? A secret you would rather not be made public? Do not document it electronically! Or use the method below.
Now, how to be safe with electronic information: Place it exclusively on an air-gapped (no network connection at all) computer. Place that computer in a heavy steel safe. Encase that safe in concrete, take it out to a deep ocean trench, and drop it overboard. Forget the coordinates where you dropped it.
The point is, nothing is fool-proof.
You can take steps to lower the probability that your information gets out, but even using paper and quill pen was only as good as the physical security the document was placed under. Learn some simple steps and you will remove yourself from the radar of most predators. People are careless, apathetic, and just plain dumb, so anything you do helps keep you safer.
I keep such information in a secure, encrypted flash drive that is not stored in a computer USB slot. Could someone break the encryption, should they find the drive and wish to spend the effort? Sure. But if they want me that badly they will get me, one way or another. Why would they? I do not have any deep dark secrets or hidden crimes in my past. Even so, why should my business be available to anyone just to browse through?
Your mileage may vary, but doing nothing is unethical in my responsibilities to my family.
Excellent information, slickwilly. But even if one takes all of these precautions, going to the point of not having an internet connection or even using a computer, there remains a vulnerability. The vulnerability is private information being put on the internet pretty much every time one accesses any form of healthcare.
All of the health insurance companies and healthcare providers by nature of their business have huge databases. In 2015, 4.5 million records of the UCLA hospital system were hacked. Estimates are that more than 150 million records have been exposed since 2009. Healthcare providers were rushed into adopting Electronic Health Records even though they didn’t have adequate cyber security in place. Having your sensitive medical or mental health history exposed is the least of your worries. Medical records sell for hundreds of dollars because they provide a complete dossier of personal information–SSAN, address, date of birth, driver’s license number, credit card numbers and much more. Having your credit card number stolen is nothing compared to this.
If you manage to avoid having your records stolen, you are not out of the woods. Hospitals are regularly being attacked by ransomware, sometimes completely shutting down operations until the ransom is paid. The system is usually infected by someone opening a phishing email or other social engineering attack such as scattering infected USB sticks and waiting for someone to put one in a computer on the network thereby installing the malware.
OK, all of the above attack vectors have been secured and now you’re safe. Wrong. A plethora of medical devices from respirators, pacemakers, and infusion pumps up to MRI scanners and lab analyzers are running embedded programs and connected to the hospital network. If you are lucky, they will only hack the device to get on the network and steal records or plant ransomware. If you are unlucky, they can kill you. But looking on the bright side, a medical record is more valuable to them than your death.
What can you personally do about it? Very little as far as I can see. You can try going to doctors who don’t use EHRs but they are getting harder and harder to find and anyway sooner or later you will need to go to the hospital and they all use them. Besides, you probably have health insurance and there is plenty in those records. This is a huge problem and I think Congress needs to stop worrying about just protecting browser histories and start worrying about protecting all the health information that is out there and continuing to increase exponentially.
What is being reported is wrong, but I think even if you take the most optimistic view you’re taking a stance that is not considering all the consequences of ISPs collecting all the data.
(For background, I think the Obama rule was wrong and oppose net neutrality as proposed. I might get behind regulating ISPs as utilities, but only because currently they enjoy monopoly status because local jurisdictions prevent competitors from entering the market.)
First, the way the data is collected it is not necessarily anonymized. Actually for some types of data (say, you visit a site that distributes “cracked” software or even certain security related ones) the ISP will flag your account and send you a letter. So they are keeping your non-anonymized history. Even if they didn’t, matching a set of grouped anonymized searches to a real person is a relatively easy exercise. I know what are the four sites I visit every day and on some of them I leave comments that can be easily traced to my real identity. Anybody watching my traffic – or an anonymized collection of my website visits – can find out everything about me in minutes.
Second, the ISPs are actually storing the raw data (not the content of the pages you visit, but the full URLs). Not aggregates, not statistics. Storage is cheap these days, and whatever they can gain from that extra tenth of a cent will be saved for future use. They already have the infrastructure, so doing it is almost free.
Third, the data is stored forever, or a very long time at least, and it’s barely secured at all. There are no internal controls and they can’t even confirm if there have been external breaches. A legitimate court order can ask them for all the data they have logged on you, based on your physical location or your IP address. I don’t want law enforcement knowing that I bought “The Machinery of Freedom” and have downloaded “The Anarchist’s Cookbook”, and yet they can trivially know that by asking Comcast for it politely.
Fourth, you only know you’ve been targeted when you’re told, but there is no way to know that I have not been the subject of one of these fishing expeditions that turned up nothing. I do not know if anyone has looked at my internet history.
Fifth, your ISP has no incentive to protect you. In many places you can’t go to a competitor, and where you can they have the same policies. The best you can do is take your $50/month away; the government can make their lives comfortable or miserable for years. Guess who they’re going to side with.
What can you do to protect yourself?
– Encrypt everything. That’s not on us but on website operators. Now your ISP only has the domain instead of the full URL. An improvement, but they can still figure out if you visit unsavory places like “how to start a revolution dot com” or “ethics alarms dot com”.
– The VPN solution being suggested by some pundits is stupid. You give more money to someone else who is under the exact same position as your current ISP.
– Use TOR. I use it sparingly, and in the past have run a relay node at my IP address. Unfortunately it is so uncommon that it just brings more attention to yourself. Besides if everything went through TOR traffic the network load would slow things down noticeably.
In the end I can only think of using privacy-friendly services (e.g. DuckDuckGo for your search engine), having the ability to protect your traffic when needed (TOR, but routinely use it to make it “the new normal”) and supporting those developing the technology to protect privacy (e.g. the EFF). The current incentives are not in your favor, and Congress has demonstrated an absolute inability to do anything about it. This will be a long and upward battle; I don’t expect to see any gains on the individual’s side for decades.
PS: Read this essay by Bruce Schneier: https://www.schneier.com/blog/archives/2016/03/data_is_a_toxic.html I generally oppose government regulation to solve these problems, but the “toxic waste” analogy makes a very strong point.