As a cybersecurity consultant, I help companies protect themselves from cyber threats that range from commodity malware to highly targeted attacks from professional criminals and nation-state actors. My clients are often entrusted with the financial or medical data of millions of users, so it makes sense for them to devote millions of dollars every year to protect against cyber threats. Even as an individual without a million-dollar cybersecurity budget, however, there are plenty of ways to protect your digital privacy and identity without forgoing the conveniences of living in a connected world. Here are some of the things I do for my own privacy and security online:
#1: Use a password manager
Use a password manager like LastPass (FREE) to generate and save unique passwords. Most of us know that we should make unique, strong passwords for every website we have an account with, but doing so is nearly impossible given how many different online services the average person uses today. LastPass and other password managers provide a way to create, save, sync and auto-fill unique passwords across all your devices and websites. All these passwords are protected by a single master password and are stored in an encrypted format so that even LastPass itself cannot view your passwords. While this may seem like a “single point of failure” for all your passwords, the truth is that it’s better to entrust your passwords to a password manager which is constantly tested for security vulnerabilities than it is to attempt to manage your passwords yourself.
#2: Use two-factor authentication
Use Authy (FREE) for two-factor authentication across multiple devices: Two-factor authentication gives you a much higher degree of security for online services by requiring a second way to verify your identity (usually through a text message or randomly generated code on a device you own). With two-factor authentication, even if your password is compromised, an attacker will also need access to your phone or other device to log in. If you happen to lose or factory reset your phone, however, this security feature may quickly become a headache. Authy allows your two-factor tokens to sync across multiple devices (such as a laptop) so that you’re much less likely to be locked out of your own accounts. Authy is compatible with the vast majority of websites using two-factor authentication. If a website offers Google two-factor authentication, then it is also compatible with Authy.
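How those codes are produced, as an added example (not part of the original article, and not Authy's or Google's code): assuming the website uses standard time-based one-time passwords (TOTP, RFC 6238) with the common SHA-1, 30-second, 6-digit settings, every device holding the same enrolled secret derives the same code, which is why tokens can sync across devices and work in more than one authenticator app. The secret is the published RFC 6238 test key, and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid for (common default; an assumption)
DIGITS = 6   # code length shown by most authenticator apps


def totp(secret_b32: str, unix_time: int, digits: int = DIGITS) -> str:
    """Compute an RFC 6238 TOTP code (HMAC-SHA1) from a base32 shared secret."""
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = struct.pack(">Q", unix_time // STEP)       # time step as 8-byte big-endian
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32: str, submitted: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Server-side check that tolerates clock drift of +/- drift_steps time steps."""
    matched = False
    for step in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, unix_time + step * STEP)
        # Constant-time comparison; keep looping so timing does not reveal which step matched.
        matched |= hmac.compare_digest(expected.encode(), submitted.encode())
    return matched


# Constructed sample: the published RFC 6238 test key ("12345678901234567890"), base32-encoded.
ENROLLED_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def demo(now: int = 1111111109) -> dict:
    """Two devices enrolled with the same secret show the same code at the same time."""
    phone_code = totp(ENROLLED_SECRET, now)
    laptop_code = totp(ENROLLED_SECRET, now)
    return {
        "phone": phone_code,
        "laptop": laptop_code,
        "accepted_now": verify(ENROLLED_SECRET, phone_code, now),
        "accepted_next_step": verify(ENROLLED_SECRET, phone_code, now + 2),
        "accepted_without_drift": verify(ENROLLED_SECRET, phone_code, now + 2, drift_steps=0),
    }


if __name__ == "__main__":
    print(demo())
```

The code that was valid at the end of one 30-second window is still accepted two seconds later only because the verifier allows one step of drift; with `drift_steps=0` it is rejected.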
#3: Use a VPN
Use a trusted VPN service (approx. $10 a month) to protect your Internet traffic and hide your IP address: A virtual private network (VPN) is a paid service that encrypts your Internet traffic to and from a VPN server, so that the websites and online services you visit will see your traffic coming from the IP address of the VPN server rather than your own network. (This is also useful if you want to get around region-specific blocks, like using the US version of Netflix when you’re out of the country.) The privacy benefit of VPN services is less about hiding your IP, however, and more about preventing middle-men from snooping on your web browsing. Without a VPN, your ISP (Internet Service Provider) can track the websites you visit (even ones with the HTTPS lock icon) and sell that information to third parties. For in-depth reviews of the many VPN services available, check out the website restoreprivacy.com to find the best one for your needs.
#4: Use a privacy-enhanced browser
Use a privacy-enhanced browser such as Brave (FREE): Every time you visit a website there are likely hundreds of tracking services working in the background to “fingerprint” your browser. Your public IP address only identifies the network you’re on, for example, your home network or your work network, both of which may have many active users. To track individual users, web trackers use a variety of clever tactics, including requesting seemingly innocuous things such as which fonts are installed and how well your browser renders an image. Brave is a browser based on Google Chrome that integrates privacy-enhancing features such as blocking most browser fingerprinting by returning false data to such requests. If you’ve ever been creeped out by ads that seem like they’ve “overheard your conversations” (which is a myth), give Brave a try – it will likely throw off the ad-trackers.
#5: Use a virtual debit card
Use a virtual debit card such as the service from Privacy.com for online purchases (FREE): Perhaps the hardest thing for individuals to protect is our personal financial information: every bank is required by law to verify your identity when opening an account, and furthermore credit-card companies sell your purchase history to third parties to build a “consumer profile” of you. Such profiles are then data-mined to create sometimes uncomfortably accurate predictions of your personal life, like a famous case in 2012 when Target predicted a high schooler was pregnant before her own father found out. Now, your purchase history is added to your web-browsing activity to create an even better understanding of you as a consumer: Google alone announced in 2017 it had access to 70% of all credit and debit card transactions (not just online transactions, but also in-store) across the US. Fully protecting your personal transaction information from banks, advertisers, tech giants, and the government would be way outside the scope of this article, but a good first step is to use a virtual debit card service like Privacy.com, which gives you a single-use debit card number for online purchases you may not want added to your consumer profile and data-mined. Privacy.com promises to never sell your information to third parties because it makes money off of the fees merchants pay to accept debit cards.
I hope these tips will help get you started on the journey to reclaiming your online privacy. This article just covered the basics of securing your privacy online, but there are many other areas such as mobile device security, computer security, network security, cloud security, email privacy and financial anonymity that I did not cover. For more advanced guidelines, stay tuned for future articles on the Freedom in Tech Alliance blog.
Andrew Chang-Gu is a Freedom in Tech Alliance Contributor and a Strategic Security Consultant at Mandiant, a FireEye company. The views and opinions expressed herein are his own and do not reflect those of FireEye, Inc. or any previous employer.