The Five Days of Privacy -- Day 4: Logging In, Phones, and Wireless

December 20, 2016
Bill Fitzgerald Director, Privacy Initiative

CATEGORIES Privacy Evaluation Initiative

As we head into Day Four of the Five Days of Privacy, we have already covered topics that include in-person privacy protections, filter bubbles and online tracking, and strategic use of email, file storage, and virtual private networks. Today, we will continue our journey into various ways of protecting our privacy by looking at password managers, two-factor authentication, some tips for phones and tablets, and an overview on using public wireless.

Password Manager

Our advice on password managers is straightforward: Use one. LastPass, Password Gorilla, 1Password, KeePass, and Dashlane all are solid options.

While no single solution is perfect, password managers eliminate the problems of reusing the same password across multiple sites and using passwords that are too short or too simple. Password managers also generate passwords that are truly random and un-guessable. Additionally, many password managers have a mechanism wherein you can create secure notes to save important information.

To state the obvious, putting all this information in a single location is also a risk; this is why the password manager must also be protected by a strong password and a second factor of authentication, such as your mobile phone. While writing passwords down is almost never a good idea, writing down only the password to your password manager and your primary device (i.e., computer or mobile phone), and then storing these passwords in a safe location, allows you to have a suitably strong password protecting these key services while eliminating the risk that you will forget the passwords. This post contains tips on creating both secure and memorable passwords.

This study looks at four leading password managers and provides some good information on evaluating them.

While both Firefox and Chrome offer the ability to store passwords, avoid using this feature. It is not as secure as a password manager.

Two-Factor Authentication

Two-factor authentication -- also called 2FA, or MFA (multi-factor authentication) -- is based on the idea that we can be more secure if we expand authentication to include two (or more) of the following criteria:

  • something we know (such as a username and password or a security question);
  • something we have (such as a phone, access to an email account, or a USB key); or
  • something we are (such as a fingerprint, an iris scan, a typing pattern on a keyboard, or other biometric indicators).

The most commonly used form of two-factor authentication involves the provider sending a text message to our mobile phone, in a process that works like this:

  • We log into a web site with our username and password;
  • a successful login forwards us to a screen that asks us for a second confirmation code;
  • we receive a text message with a one-time use code; and
  • we enter that code on the screen, and we are fully logged in.

However, there are three main issues with using a text message to support two-factor authentication. First, if one of our concerns is tracking by corporations, this form of two-factor authentication provides a direct connection among us, a mobile phone number, and our account. This information can then be used to track us further.

Second, two-factor authentication can be tricky for people who travel to or live in locations with unpredictable cell phone reception. If our phone can't get an adequately strong signal to receive the text, we're out of luck.

Third, hackers have started to use a technique called SIM hijacking to actually take over a phone and have texts forwarded to a different phone. While this technique is more complicated and requires a reasonably skilled and determined person to pull off, SIM hijacking appears to be occurring more frequently.

Services such as Authy address some of these issues but still involve sharing data with a third-party company. However, if our primary risk is getting hacked, and corporate or ad tracking is secondary, two-factor authentication via text or via a service provides an additional level of protection.

An additional option that has some advantages over using text or a service is to use a special USB key, such as the one offered by Yubico. These keys don't have the same privacy risks from tracking as other forms of two-factor authentication, which makes them an effective protection against hackers without them compromising other privacy concerns. Yubico keys can also be used to provide two-factor authentication when you're logging into a computer, which is most effective when the hard drive is encrypted. Keys sold by Yubico currently cost between $18 and $50 for individuals.

But to summarize, any form of two-factor authentication adds a level of protection against unauthorized access. Using a USB key also protects against hackers and doesn't leak information to the other companies that will use personal information -- such as a phone number tied to an email address and other personal information -- to track us.

Phone/Tablet and Apps

The tips in this section assume that you have evaluated the apps you have installed on their phones. For Android-based systems, you can review the permissions of apps in the Play store or on your phone. For iOS-based systems, you need to review the privacy settings on your phone, which allow you to control which apps can use tools such as location, contacts, and so on.

The advice given above about searching online and using a VPN while browsing the web applies to phone and tablet use as well. However, the use of apps on phones -- and the data they collect and share -- raises additional issues that need to be addressed for us to take control of our privacy.

One of the easiest things you can do to protect your privacy when using your phone is to install Signal. Signal is an encrypted text and voice app. Other texting apps (WhatsApp, Telegram, iMessage, Allo, and so on) all have greater or smaller issues that compromise privacy.

Using Signal on your phone also protects you from having the information in your texts logged and stored by your mobile phone carriers. As with email and file storage, deleting old text threads can protect against these threads being accessed.

While browsing the web, using a VPN will protect your communication, especially if you're connected to free wireless in a store or a coffee shop (wireless use is covered later in this post). Just as you would when using your browser on your computer, you should also clear cookies on your mobile browser (Safari and Chrome). For people using iPhones, you can also use the recently launched Firefox Focus. While there are also tracker-blocking tools for Android, we are not making any explicit recommendations because some of the apps that are marketed as ad blockers are actually trackers. Before installing any blocking apps in Android, be sure to read through the permissions they require.

Mobile phones contain multiple tools that have privacy implications. Applications can use your phone's location services, wireless connection, and Bluetooth connection to track your location. This data is collected and stored and often shared with data brokers and advertisers. The process of delivering ads based on a person's location is called "geofencing." At times, however, this technique has been used to compromise the privacy of people seeking health care.

Fortunately, this type of tracking can be minimized by turning off your phone's location services, Bluetooth connection, and wireless connection. If you turn these services off -- and then enable them only when you need them -- you minimize the amount of data you share and when you share it. Credit card companies have been using the locations where we shop as a means to adjust our credit scores for years. The next frontier of this type of tracking appears to be our location as we move throughout our day. Minimizing the amount of location data we share, and with whom we share it, allows us a degree of control over this aspect of our privacy.

Of course, turning off your phone or tablet minimizes the risk of tracking from most sources. For those of us who want to ensure a higher level of privacy protection but want to be able to selectively use a phone or tablet, you can also use a Faraday Bag to block wireless signals and any potential tracking.

Wireless

Wireless internet or "hot spots" are now widely offered in many public places. As with anything that is free, the offers often come with strings. Be selective with free wireless. It is generally a tracking tool. The risks of using publicly available wireless can be mitigated by using a virtual private network (VPN) and/or Tor.

Free wireless internet with no password is the highest level of risk for wireless. If you're using a wireless connection that has no password, it's very easy for anyone to join that network and eavesdrop on your activity on the network. In many cases, stores that offer free wireless can use the information they collect about you when you're using their free wireless connection to track and target advertising to you, even while you're still in the store. Free wireless with a password is better, but not by much, and quality and safety will vary widely.

Institutional or organizational wireless is theoretically easier to secure, but the actual security will vary widely. In very general terms, the security within an organizational network will be set up to protect organizational assets first, personal privacy second. Institutional wireless often incorporates tracking, which is an appropriate security measure for the organization, but that can interfere with personal privacy. Additionally, if an organization leaves its wireless passwords unchanged for a significant amount of time, this erodes the value of security protections in place on this network.

Home wireless networks are as secure as the wireless-encryption protocol and the passwords used to access the settings on the routers and the passwords or security on any connected devices. For most of us, home wireless networks are relatively safe.

It's also worth remembering that our devices will automatically connect to "recognized" wireless connections. This can be exploited by hackers who can create illicit networks in public places. Common names such as "attwifi," "xfinity," or "linksys" can easily be spoofed -- and once you connect to a wireless access point, the person who controls that access point has the ability to see and control your online activity. A VPN mitigates this risk, as does turning off wireless on your phone when you go out. You can also minimize risk by deleting wireless networks that are outside your regular locations.

Conclusion

Protecting our logins via a strong password is an essential step toward protecting our information online. Using a password manager simplifies this work. Two-factor authentication can help minimize the risk of one of our accounts being compromised, and using a USB key-based solution can provide some additional privacy protections. When going out into the world with your phone, turning off your location services, Bluetooth, and wireless can protect you from leaking information. Finally, avoiding free wireless and using a VPN on your phone can help you use the web more securely.

On Thursday, the final day of the series, we will wrap up the Five Days of Privacy by summarizing simple steps we can all take that will have an outsized impact. See you then!


Share your thoughts