During the first week of lockdown, Singapore, a country known to embrace the latest and greatest in technology, banned teachers from using the video conferencing application Zoom. What pushed government officials to act was hackers snooping around in virtual classrooms, projecting obscene imagery on shared screens of teenagers.
Of the world’s eight billion people, never before did such a large portion of the population work from home. Watercooler banter now takes place on the collaboration app Slack, meetings open in apps like Zoom, and even classic end-of-week drinks are now virtual.
While on the one hand this will give a sizable boost to all remote-working technologies (and to the valuations of the companies behind them), on the other hand this forced shift to a digital-first way of working compels us, with a heavy hand, to reckon with our privacy skills. For modern-day privacy does require skill. The skill to realise that expanding online activity dramatically expands the potential attack surface, as Zoom demonstrated. The skill to prevent unwelcome snooping in your accounts and files. The skill to make sure sensitive information is properly encrypted, protecting your clients, colleagues, and loved ones. This article shows four easy ways to hone your privacy skills across connectivity (VPN), communications (encryption), access (passwords), and settings (cyberaudit).
1. Connectivity: VPN
Why it matters:
- Using the internet securely starts with the entry point. Vulnerabilities at the connectivity level extend to everything communicated across that connectivity infrastructure.
- A VPN (Virtual Private Network) is basically a private extension of a public network. VPNs are nested in your browser toolbar, set up to provide a higher degree of anonymity (by hiding your IP address) as well as a private encrypted lane for your traffic while browsing (a secure connection).
What you should pay attention to:
- Do not connect to unprotected networks (like the ones in coffee bars, remember those). You never know who owns them (e.g. whether "Starbucks_Wifi" is actually owned by Starbucks) or whether they have been compromised.
- Rogue/Dubious VPNs do exist. The now-deactivated “Facebook Research” app paid participants aged between 15 and 35 years $20 per month to install a VPN on their mobile devices in order to obtain near limitless access. Next to recording all phone and web activity, the app also captured biometric data and extracted sensitive information from third parties such as period cycles.
- Good VPNs are not free (£2-£10 per month).
What you can do now:
- Set a desired encryption level on a company-wide basis, and select a VPN accordingly.
- Install a reputable VPN: NordVPN, ExpressVPN. Refresh your VPN host regularly (e.g. if you stay connected to the same server for 6 months, hiding your IP address is of limited value).
2. Communication: Encryption
Why it matters:
- Encryption is generally defined as a mathematical method of reversibly transforming information; the two most important kinds are encryption-in-transit and end-to-end encryption.
- Most likely, you have already used encryption-in-transit, as it is commonly used in Internet browsers today. The (green) web browser prefix “HTTPS” denotes encryption between the service (e.g. a website) and you, the user. Encryption-in-transit has two main benefits. The first benefit seems obvious: the content is encrypted, and thus private. The second benefit is less obvious: once encrypted, the content of the data package being transferred cannot be edited or otherwise altered in transit without the tampering being detected. In other words, the integrity of the message is protected.
- Yet, although most web traffic now flows using HTTPS, the majority of email, chat and audio messages do not. This is what sets the second kind of encryption, end-to-end encryption, apart. Only the users that are communicating with each other can read the messages.
What you should pay attention to:
- What type of encryption is needed? WhatsApp, for example, uses a combination of public and private keys. Signal, another messaging app, uses a new symmetric key for each message, providing a feature cryptographers call “forward secrecy”: decrypting one message does not decrypt the rest.
- What type of encryption is really used? Tempers flared among cryptographers when news broke that Zoom, contrary to its own insistence on end-to-end encryption, had in fact retained the ability to decrypt calls on its platform. This matters because Zoom-the-company, as well as anyone who has gained access illegally (hackers) or legally (subpoenas), consequently retains the power to reveal the contents of calls on its platform. NASA and SpaceX immediately suspended their use of the app.
What you can do now:
- Make encryption-in-transit the default. Download the extension HTTPS Everywhere from the Electronic Frontier Foundation.
- Do your own due diligence. The takeaway here is that if you are a CEO, do not assume you are in the clear just because marketing materials contain the word “encryption”. Let the IT team do their own due diligence to assess exposure to risk, just as you would enlist the finance team to research M&A deals.
3. Access: Passwords
Why it matters:
- Poor password management is expensive: the class-action lawsuit details that the consumer credit reporting agency Equifax, hacked in 2017, used the username “admin” and the password “admin”. Two years later Equifax agreed to pay a stunning $700 million fine, of which $300 million was set aside for the victims.
- Watch out for vulnerabilities by association: unlike a password or account name, you cannot change your fingerprint or face once they have been exposed.
What you should pay attention to:
- Update regularly. Even a high-complexity password is pointless when it is reused across every service. LinkedIn was hacked in 2012, and what initially seemed to be a theft of 6.5 million passwords turned out to be a breach of 117 million. This “minor” detail was only confirmed in 2016, four years after the fact.
- Randomise passwords. Use a combination of letters, numbers and symbols at least 8 characters long.
What you can do now:
- Download a password manager: Dashlane, LastPass, 1Password.
- Do not reuse your master password anywhere else.
4. Settings: Cyberaudit
Why it matters:
- On average, people have up to 90 online accounts. To a hacker, that’s 90 different ways to gain access to your information.
What you should pay attention to:
- What are your privacy settings? What information is shared per account? What information does the service require to function?
- What are your access settings? Passwords can be strengthened via 2FA. Two-factor authentication (2FA) is a security tool that requires a user’s password as well as an additional form of authorisation. It combines something you know (your password) with something you have (such as your phone).
What you can do now:
- Make an inventory of damage to date. Check on the website Have I Been Pwned what personal information has already been exposed.
- Enable 2FA in your privacy settings.
- Update your privacy settings at least once per 6 months.
- Install an ad blocker to keep digital trash out: uBlock Origin, Ghostery, Privacy Badger.
- Companies should provide cyberaudit training, so their employees can safely work from home.
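As an added example that is not part of the article, the block below ties together the password advice in section 3 (random letters, numbers and symbols, at least 8 characters long) and the Have I Been Pwned check in section 4. Have I Been Pwned's Pwned Passwords range lookup only ever receives the first five characters of the password's SHA-1 hash, so the password itself never leaves your machine; the range reply used here is a constructed sample so the code runs offline, and `offline_range_lookup` stands in for the real HTTP call.

```python
import hashlib
import secrets
import string

# Constructed sample of a Pwned Passwords "range" reply for the SHA-1 prefix
# 5BAA6 (the prefix of the password "password"). The real endpoint is
# https://api.pwnedpasswords.com/range/<prefix>; the counts here are made up.
SAMPLE_RANGE_REPLY = """\
1E2D86EF7A3A1C7B0E1D2B5E5F6A7B8C9D0:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E5F0A9B8C7D6E5F4A3B2C1D0E9F8A7B6C5:17
"""


def hash_split(password: str):
    """Upper-case SHA-1 of the password, split into the 5-character prefix that
    is sent to the service and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_reply(text: str) -> dict:
    """Turn the 'SUFFIX:COUNT' lines of a range reply into a suffix -> count map."""
    counts = {}
    for line in text.splitlines():
        suffix, _, count = line.strip().partition(":")
        if suffix and count.isdigit():
            counts[suffix] = int(count)
    return counts


def offline_range_lookup(prefix: str) -> str:
    """Stand-in for the HTTP call (hypothetical); knows only the sample prefix."""
    return SAMPLE_RANGE_REPLY if prefix == "5BAA6" else ""


def pwned_count(password: str, lookup=offline_range_lookup) -> int:
    """Number of breach appearances of the password; 0 means not found.
    Only the 5-character prefix reaches `lookup` (k-anonymity)."""
    prefix, suffix = hash_split(password)
    return parse_range_reply(lookup(prefix)).get(suffix, 0)


ALPHABET = string.ascii_letters + string.digits + string.punctuation


def make_password(length: int = 16) -> str:
    """Random password mixing letters, digits and symbols (article minimum: 8)."""
    if length < 8:
        raise ValueError("use at least 8 characters")
    while True:  # resample until every character class is present
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate
```

Swapping `offline_range_lookup` for a function that fetches `https://api.pwnedpasswords.com/range/<prefix>` turns this into a live check while still disclosing only the hash prefix.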
The Internet Is Not Bullet-Proof
The internet is not a bullet-proof bunker for our data, and we should not treat it as such. Connecting everybody includes the bad people. Just as the Singaporean government proactively protected its teachers and their students from rogue actors in the online classroom, companies have an opportunity to usher in a safe digital-first working culture. One where we commute less, love the planet a little more, and transform the time saved into quality time with our loved ones. As COVID-19 forces us to adapt to this new, new normal, let’s embrace it as a chance to make the internet a little bit safer for everyone.
Arwen Smit specialises in technology ethics and its intended and unintended consequences on society. Smit is the author of Identity Reboot, a book examining how the break-down of personal data privacy is being exploited from profit and power perspectives, arguing that human behaviour is being devalued to an optimisation game, and that we are providing the data that will be optimised for. Smit is a mentor at the Web 3.0 accelerator Outlier Ventures and an expert advisor to the European Commission.