Martin van der Kroon
Unfortunately, digital security is becoming increasingly important in an increasingly connected world that also spawns a great variety of threats. Digital security is not a partisan issue; it’s for everyone. It’s not intended to instill fear, but to help us be prepared. It’s not very sexy, but it is vital. It’s not a very futuristic topic, but it is a very future-oriented one, and one that has to start NOW!
But first, let’s quickly clarify what is understood as security versus privacy, as these often get mixed up or conflated. Digital security is the ease or difficulty with which someone can get access to your devices, accounts, and information. Privacy, on the other hand, is about what information is known about you, or what information is made available to the (limited) public by you or others.
Security and privacy can cross paths, of course; someone who can breach your security could consequently also breach your privacy.
Let’s tackle the twenty-first-century digital elephant in the room: “I have nothing to hide so I don’t care about security or privacy.”
That’s hard to believe, and Glenn Greenwald has an excellent TED-Talk on why privacy matters, but let’s accept this statement as true. This premise very much comes from an individualistic worldview, a free-standing house with a low-quality door lock.
There is, however, a fatal flaw in this statement – namely, none of us live in a digital free-standing house, but rather we all live in a digital housing community, a housing community that overlaps with other housing communities. Each of us has friends, colleagues, acquaintances, hobby-groups, and so on.
Security is much more an ‘us’-problem than a ‘me’-problem. Let’s go through a small thought-exercise to illustrate. Let’s assume someone has weak passwords or no passwords for everything on a phone. Say LinkedIn gets hacked. It had a simple password, and now the hacker can try this password on Facebook, Twitter, and the linked email address. Then the hacker can pose as this person, and send messages to contacts asking for money or containing a malicious link. The malicious actor could encourage those contacts to install an app on their smartphone that tracks them, or that steals banking information and money from bank accounts or credit cards. All of this is possible because one person doesn’t care about their security. An easy hack with some impersonation and social engineering can do a lot of damage.
A small personal example: I bought a smart device from a friend that came with an app. My friend gave me the login-email and password. Some time later we were talking about security, and I jokingly said to him, ‘Please tell me you don’t use [password] for your email address?’ He was surprised, and asked how I knew his password, as he’d forgotten about the app-login. Although I didn’t ask, I can reasonably guess that he used that password for other accounts, like social media, too.
How about you? How many of YOUR accounts use the same password?
It can get much worse though. A good example of this is Stuxnet, a worm, allegedly created by the US and Israel to break an Iranian nuclear centrifuge. Whether this was a good or bad thing is beside the point. Stuxnet was released into the wild to hopefully make its way into the facility. The Iranian centrifuge was not connected to the internet. The worm found its way onto a USB drive brought in by an unsuspecting employee and infected the facility. This particular attack was of course highly sophisticated and specific. It tells us something important: we may not be interesting to a malicious actor ourselves, but we may be important as a way to get to another target.
“But I don’t know anyone important, all my connections are average Joes and Janes.” I think calling these Janes and Joes average would do them a disservice, but even if so, they might know someone ‘not average’ or even ‘important’. And here we get to the ‘Six Degrees of Separation’. According to this theory, every human being is connected to every other through six or fewer connections. As this theory was posited at the advent of the internet, it might be even fewer now with our increasing interconnectedness.
In short, each of us could be an important link in the chain for a hacker to get access to a military facility, power stations, research institutes, government departments, hospitals, telecommunication companies, and so on. Hacking the Pentagon directly, for example, might be (I hope so) hard, but going through a few individuals to get to a high-ranking official might be easier. The same can happen for utility companies. If you look around you, you’ll realize how dependent we are on electricity, or perhaps you’ve experienced the inconvenience or direness of not having electricity.
Hence, personal security is in actuality as much personal, as it is community or even national security.
Let’s backtrack a bit. Say you don’t care much about community or national security. Maybe you even think digital personal security is not important. Yet most people will feel anxiety when an account is hacked, money is siphoned off a bank account, or Amazon delivers products they didn’t order. It would be worse if someone could easily purchase weapons or materials for a terrorist attack using someone else’s bank or shopping accounts. Even for those who don’t care about the potential victims, it would at least be very inconvenient to get visits from authorities with a lot of questions, taking up personal time. Of course, such a scenario is not likely, but neither is, statistically, a plane getting hijacked, and yet we have lots of security features for that. Annoying and time-consuming as they might be, we generally and begrudgingly consider them “OK” to prevent a disaster. Similarly, digital security might bring some inconvenience, and yet many take an approach of “what could go wrong?”, not unlike the pre-9/11 airplane attitude.
People might think that what is digital isn’t real, and since one often doesn’t have to pay, it thus doesn’t have value like money, jewelry, a car, or a house. Until your house actually gets stolen using just your information. (It is unclear whether the thief used physical or digital personal information, but it doesn’t alter the fundamental point.)
Hackers and hacker groups might be after our money, or want to sell our information to others, like nation-states. Some nation-states want our information at any cost, to know and control what we say about them. Saying something that is ‘undesirable’ about another country might lead to blackmail, coercion, intimidation, and even physical harassment in one’s own country. The target might be you, a contact who is a critical journalist, or a researcher or military officer blackmailed into handing over important documents. This is also a good example of where privacy and security overlap. One person’s lackluster security could lead to a privacy breach that could jeopardize someone else’s digital or physical security, or that of their loved ones. Make no mistake, mafia-tactics of blackmailing you with the safety or security of loved ones are not off-limits to some malicious actors with a the-end-justifies-any-means mindset.
Imagine that research into longevity or genetics to improve the human condition gets stolen or handed over through blackmail, and is then used for military purposes, weaponized to have the opposite effect on human improvement or longevity, or simply deleted, erasing years or decades of research. Then imagine finding out that, along the entire digital chain of people the malicious actors followed, no one cared enough about personal security to think about the big-picture consequences it could have.
Of course, security doesn’t fall on us alone. Institutions, governments, corporations, and the public sector all bear responsibility for their security as well. Any and all of these also ought to improve on their ends. Ransomware attacks have skyrocketed, on companies, hospitals, utilities, and individuals alike. Among the most prominent examples was the attack on the Colonial Pipeline.
The topic of security is now a much more complex conversation than ‘me’; security has become an ‘us’-problem – whether this is for your safety, the health of people in a hospital, your city’s power-grid, driver safety in connected vehicles, for journalists, for research or trade secrets, or your country’s military ability to protect the country.
Perhaps an example from a future where we don’t value security: ‘BREAKING NEWS: “750.000 cryo-stasis pods deactivated by [Insert: anti-Transhuman hacker group, ‘nation’ to silence dissidents, unpaid ransomware], all patients dead”.’ Or ‘BREAKING NEWS: “CloudMind’s servers suffered a FATAL power-surge, all digitized inhabitants lost”.’
As a society, locally, nationally, and internationally we ought to realize that we can no longer afford to only consider the individualistic worldview as the sole way to stand in this world. Your poor digital security can affect thousands or even millions of people. Whether we like it or not, we are interconnected; we’re in this together.
General Digital Security
So, what can we do? Well, some very obvious things, that likely most people will have heard or read before, but also some important but easy lesser-known steps. I’ll add some security and privacy focused website links below, too.
Close accounts on websites and services you don’t use. This lowers the number of possible attack vectors and decreases your digital footprint in one go.
Check if your accounts have been the subject of a breach, as many companies will not notify users, downplay it, or only reluctantly admit it long after the fact. On Have I Been Pwned you can check if you’ve been pwned. If so, change your passwords immediately, and follow the next step.
Use unique, strong, and long passwords. This is probably the most often heard recommendation, and least implemented by people. 8-character passwords just don’t cut it; 12 characters are not even sufficient anymore. We need to think of 20 characters as a minimum. Security.org has a password strength tool to test how strong your passwords are. Since no one wants to memorize dozens of long passwords, follow the next step.
Use a password manager. Bitwarden is Free and Open-Source Software (FOSS), but there are also good commercial password managers, like 1Password for example. Password managers often also have password generators built in to help you create very strong passwords.
Don’t save passwords in your browser. Malicious actors have found ways to extract passwords from browsers.
Use Two-Factor Authentication (2FA). Preferably avoid SMS 2FA, as it’s easy to intercept. An authenticator app on your phone is much more secure, or even better, use a hardware token, like a YubiKey. (Just make sure you have a duplicate in case you lose it, or you won’t be able to access your own accounts.)
Change your browser. Chrome and Edge are quite popular, but because of their popularity also more prone to attacks, and not very secure out-of-the-box. Instead try Mozilla Firefox or Brave Browser.
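As an added illustration (not part of the original article): a short Python check that applies two of the recommendations above, unique passwords and the 20-character minimum, to a password-manager CSV export. The column names (name, username, password) and the sample entries are constructed assumptions; adjust them to your own manager's export format.

```python
import csv
import hashlib
import io
from collections import defaultdict

MIN_LENGTH = 20  # the minimum length this article recommends

# Constructed sample export (hypothetical columns: name, username, password).
SAMPLE_EXPORT = """name,username,password
LinkedIn,jane@example.com,Summer2019!
Facebook,jane@example.com,Summer2019!
Email,jane@example.com,Summer2019!
Bank,jane@example.com,correct-horse-battery-staple-42
Forum,jane_d,tr0ub4dor&3
"""


def audit_vault(export_text, min_length=MIN_LENGTH):
    """Return (reused, too_short) for a CSV password export.

    reused    -- list of sorted account-name lists that share one password
    too_short -- sorted account names whose password is under min_length
    """
    by_password = defaultdict(list)
    too_short = []
    for row in csv.DictReader(io.StringIO(export_text)):
        password = row["password"]
        # Group on a digest so the plaintext is never used as a dict key
        # or carried into any report built from the result.
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        by_password[digest].append(row["name"])
        if len(password) < min_length:
            too_short.append(row["name"])
    reused = sorted(sorted(names) for names in by_password.values() if len(names) > 1)
    return reused, sorted(too_short)


if __name__ == "__main__":
    reused, too_short = audit_vault(SAMPLE_EXPORT)
    for group in reused:
        print("Same password on:", ", ".join(group))
    print("Shorter than", MIN_LENGTH, "characters:", ", ".join(too_short))
```

Run it only on a local copy of the export and delete that file afterwards, since an export holds every password in plaintext.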
Security For Your Devices
Use strong passwords. For your phone you can use fingerprint or facial recognition login on top of that for easier login.
Use hardware encryption on your phone and computer if available, like BitLocker on Windows for example.
Update your software regularly. Often updates come with vulnerability fixes.
Don’t install apps you don’t know or haven’t researched, and uninstall apps and software you don’t use. This results in a smaller attack surface, and a decrease in privacy risks.
Don’t use online backups for services or apps unless you know they store it encrypted. WhatsApp and iCloud for example store your data unencrypted. So even if you have strong passwords, and are careful, if the companies get breached/hacked, malicious actors can still have your data.
Regard as suspicious any message or email that makes an urgent request or demands immediate action, with negative consequences attached if no action is taken. Offers too good to be true should also be considered suspicious. Take your time to read the message carefully, even if it is supposedly from loved ones. Check the sender information, look for spelling mistakes, etc. When in doubt, search for a phrase from the message in a search engine to see if others got a similar message. Contact the person by phone to confirm the message.
Use fake names and addresses for websites / services you only use for online content and that really don’t need to have your information. Even better is to use a special junk-email account for such services, so if it is breached, hackers don’t have your personal or business email account.
All Things Secured – A YouTube Channel with practical and easy-to-understand privacy and security information, and reviews of services.
TechLore – A YouTube Channel with much more in-depth security and privacy information, including a multi-video guide to privacy and security. It also has weekly security and privacy news episodes.
Privacy Tools – A privacy- and security-focused website that provides recommendations on tools, software, and services to use.
Privacy Guides – Another privacy- and security-focused website providing recommended tools, software, and services.
Disclaimer: Some of the examples given could be considered instances of a slippery-slope fallacy, but they all fall within the realm of what is possible, or even already utilized now in some form.
Martin van der Kroon is a member of the U.S. Transhumanist Party and previously served as its Director of Recruitment in 2017.