Protecting your personal data online

Scott Curtiss 8 May 2019

Your personally identifiable information is online for anyone to see, but here’s how you can get it under control

In this post we’re sharing information on why you need to protect your personal data online, how that data is collected, and what you can do to minimize its collection. We’re not talking about intimate photos — if you put those online, you’re just being silly. We’re talking about the personal details that are used by advertisers and others to target you and, more importantly, that are used by cybercriminals to send phishing scams, conduct identity theft, and commit bank fraud in your name.

How your data is used, and why you need to protect it

Personal and confidential information usually goes by the American epithet PII, or personally identifiable information; in Europe it is known as personal data. This encompasses things like your social security number, credit card numbers, email addresses, phone numbers, date of birth, etc. It also refers to behavioral data, such as which websites you visit and which social media platforms you follow. The first thing to understand is that the criminal dark web, and advertisers’ databases, are awash with your personal information. It is out there. The second thing to understand is that these details tell them far more about you than you realize.

This is partly due to the growing power of artificial intelligence, which is used not only by the “good guys” to keep you safe, but also by their adversaries — the criminals who attempt to break through security and steal your personal information to use in malicious ways.

AI is also used by major platforms to develop algorithms to predict what you might want to buy and thus know what advertisements to put in front of you.  One example of the power and accuracy of intelligent algorithms can be seen in the 2013 study at Cambridge University regarding user analysis based on Facebook ‘likes’. Analyzing just ten Facebook ‘likes’ enabled the researchers to understand the person better than his colleagues understood him. The more ‘likes’ that are analyzed, the greater the knowledge acquired. At 300 likes, the algorithm understood the subject better than the subject’s partner or spouse. And algorithms have improved consistently since 2013.

Ways in which your data is gathered

Before we look at ways to protect your personal identity, we need to understand how your data is gathered. We’ll examine five primary methods:

1. Cookies

Cookies are tiny files placed on your computer via your browser when you visit websites. There are two basic types: session and persistent. Session cookies are good. They enable us to move from one part of a website (say, a product page) to another (say, a checkout page) without having to continually re-log in for every page. Session cookies last only as long as your current session, and should automatically be removed when you log out of the website or close your browser. Persistent cookies can be good or bad, depending on how you look at it. They are placed on your computer and they stay on your computer. They are primarily used by marketing firms to track your browsing history. For example, if you keep visiting shoe stores, you will soon be followed by ads for shoes regardless of the site you visit. In some cases this can be intrusive, while in others it may be welcome because the ads are relevant to you.

2. Browser fingerprinting

When you visit a website, the site’s web server can send a JavaScript code snippet to your browser, which executes it locally. This JavaScript code can collect browser and operating system properties such as user agent, a list of installed extensions, browser type and name, time zone, screen resolution, adblock presence, list of available fonts, WebGL rendering data, computer hardware, and much more. The JavaScript creates a hash of the collected data (this is what we call your “browser fingerprint”) and sends it back to the website’s web server, where it is typically stored in a database with other data.

Provided that the fingerprint is unique to you, or at least unique to a very small group of users of that site, you can be tracked when you re-enter the site. You can also be tracked across sites if multiple sites share their lists of fingerprints. Because a website does not need to create and store cookies in the browser to do this, browser fingerprints are also called ‘cookieless monsters’. This means that even if you don’t allow cookies in your browser (most browsers will have a settings option for cookie control, which allows you to enable or disable cookies), you can still be tracked, and nothing in those cookie settings prevents it.

In addition, a website’s web server can also see your IP address. When you use a VPN, your actual IP address is masked, but that changes only one of the many data points now known via your ‘browser fingerprint’. This means you can still be tracked, and the VPN alone does not prevent it.
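The following added example (not code from the original post) models the three paragraphs above: the fingerprint is a hash of browser and operating system properties only, so visits stay linkable after cookies are cleared or the IP address changes. The attribute names, the sample values and the FNV-1a hash are assumptions chosen for illustration.

```javascript
// Added illustration; all names and sample values below are constructed.

// FNV-1a (32-bit): a small non-cryptographic hash, used here as a stand-in
// for whatever hash a fingerprinting script applies to the collected data.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Only browser/OS properties feed the hash. Cookies and IP are not inputs.
function fingerprint(visit) {
  const keys = Object.keys(visit.browser).sort(); // stable property order
  return fnv1a(keys.map(k => `${k}=${JSON.stringify(visit.browser[k])}`).join("|"));
}

// What the site's database can link: visits grouped by identical fingerprint.
function linkVisits(visits) {
  const groups = new Map();
  for (const v of visits) {
    const fp = fingerprint(v);
    if (!groups.has(fp)) groups.set(fp, []);
    groups.get(fp).push(v.label);
  }
  return groups;
}

const browserA = {
  userAgent: "ExampleBrowser/1.0 (ExampleOS 10)", timezone: "Europe/Prague",
  screen: "2560x1440", adblock: true,
  fonts: ["Arial", "Fira Code", "Noto Sans"], webglRenderer: "ExampleGPU 3000",
};
const browserB = { ...browserA, screen: "1920x1080", fonts: ["Arial"] };

const visits = [
  { label: "A: first visit", ip: "203.0.113.10", cookies: { id: "abc" }, browser: browserA },
  { label: "A: cookies cleared", ip: "203.0.113.10", cookies: {}, browser: browserA },
  { label: "A: cookies cleared + VPN", ip: "198.51.100.7", cookies: {}, browser: browserA },
  { label: "B: other machine, same IP", ip: "203.0.113.10", cookies: {}, browser: browserB },
];

// Returns the label groups; the three "A" visits share one fingerprint.
function summarize() {
  return [...linkVisits(visits).values()];
}
console.log(summarize());
```

The output groups all three "A" visits together, which is why changing the browser's exposed properties (or using a browser that standardizes them) matters more against this technique than cookie settings or a VPN.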

3. Malicious Apps

Malicious, or at least dubious, apps (sometimes known as potentially unwanted programs, or PUPs) remain a primary source of personal data tracking. These programs are installed with the consent of the user, but they usually hide some negative aspects of their functionality. For example, an application might promise to prevent ad pop-ups, while it also installs adware on your system. Other apps might steal your contacts, monitor your browsing and chats, or even listen to your phone conversations.

4. Legal collection

There is another category of websites where we fully accept the responsibility and necessity of handing over personally identifiable information. Applying for a job online represents a perfect example, as we willfully enter all sorts of personal info on the application. Buying goods online represents another, as we enter our bank card details to make purchases. Booking a hotel room is yet another, especially if it requires us to surrender passport details.

5. Theft

Hardly a week passes without news of a major data breach. It has become commonplace. Your personal data is only as safe as the institution’s infrastructure that is housing it. Whoever stole the Office of Personnel Management (OPM) database in 2015 now has access to the personal details of more than 20 million past, present, and potential employees of the U.S. government. Whoever stole the Marriott Hotels database in 2018 obtained personal details of hundreds of millions of hotel guests, including several million passport details.

Minimize the collection of your personal data

In today’s connected world, we will never be able to keep all our personal data off the internet, but there are some things we can do to minimize its collection:

  1. The first is always to use a strong and unique password when you need to establish an online account. If it is stolen, provided the website concerned has properly hashed (encrypted) the password, criminals will be less able to crack it, and the password will remain useless to them. You should also change the password immediately if a site you used has been breached.

  2. Limit cookies and fingerprinting. Both make use of your browser, so which browser you use is important. Most browsers will have a settings option for cookie control. Set this to remove all third-party, persistent, or tracking cookies. Fingerprinting is less easy to stop, which again makes your choice of browser important. Some companies provide a ‘safe browser’, which is worth considering. Avast, for example, offers Avast Secure Browser, which is specifically designed to provide privacy and security. It does not record your search history or your browsing history. It gives you easy controls to hide your identity with advanced anti-tracking technology, and even has a built-in ad-blocker.

  3. Remove malicious apps. Malicious apps, and more specifically the PUP variety, should be avoided. The primary rule is to download only from a reputable source — either a developer you know and trust or an official app store. This still won’t guarantee that you avoid them, so you also need a good antivirus product that is not afraid to remove PUPs, such as Avast Free Antivirus.

  4. Pause before you willfully give data. There is little you can do about the legal collection of your data. The principle here is to think of it as a trade, and make sure you are happy with the terms. Ask yourself, is Facebook sufficiently important to me to trade my privacy for its services? Does an online job application form collect info which I deem necessary to apply for a job? If you are not satisfied with the ‘terms’ of the agreement, walk away or find another way to deliver your information.

  5. Use security products on your devices. You can make it less likely that criminals can steal your data directly from your own PC or mobile phone by employing good security practices. Using security products such as Avast Secure Browser, Avast Mobile Security, and antivirus software really does block the bad guys.

  6. Check routinely to see if you have been hacked. Think your data has been stolen from the online services you use? There’s not much you can do about that. If you put the data online, it will likely be stolen sooner or later. The trick is to give away as little as possible and check to see if the hack included you. You can do this with a number of different tools, such as Avast Hack Check.

The bottom line on personal data

The key thing to remember is to put as little personally identifiable information on the internet as you can to avoid it being stolen and misused, and always take measures to protect yourself.
