Understanding digital privacy and safeguarding your personal data against unwanted appropriation and distribution are key skills in the new digital world. While the Office of Digital Scholarship and Scholarly Communications generally advocates for openness, we believe that sharing information should emerge from deliberate choice rather than the tacit interventions of third parties. Indeed, some forms of scholarly communication can only take place over secure channels because the data being exchanged is politically or personally sensitive, or because it might harm the interests of others. For these reasons, the Office of Digital Scholarship and Communications regularly teaches patrons how to protect their personal data online as well as how to exchange information securely with scholars around the world.
Passwords that are long and consist of various kinds of characters are hard to hack, and passwords that are shorter and consist of only alphabetic characters are easier to figure out. It’s a good idea for passwords to be at least 8 characters long and consist of a combination of upper- and lower-case letters, numbers, and special symbols (although some accounts place limits on the symbols that can be used). It is a terrible idea to use passwords that consist of your name (or parts of it), your username, “password”, sequences of numbers like “12345”, etc. Passwords that are essentially random are the best, but can be difficult to remember, especially if they are not reused.
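The rules in the paragraph above can be checked mechanically. The following Python sketch is an added example, not part of the original guide: the symbol set and the short list of weak fragments are assumptions, and the function names are hypothetical.

```python
import math
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"         # assumed symbol set; sites differ
WEAK_PARTS = ("password", "12345", "qwerty")  # constructed short list

def check_password(password, username="", full_name=""):
    """Return the rules from the paragraph that `password` breaks ([] = none)."""
    problems = []
    lowered = password.lower()
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    has_all_classes = (
        any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )
    if not has_all_classes:
        problems.append("missing upper, lower, digit or symbol")
    personal = [username] + full_name.split()
    if any(len(p) >= 3 and p.lower() in lowered for p in personal):
        problems.append("contains your name or username")
    if any(part in lowered for part in WEAK_PARTS):
        problems.append("contains a common word or sequence")
    return problems

def random_password(length=16):
    """Draw characters from the OS CSPRNG until the result passes the checks."""
    if length < 8:
        raise ValueError("length must be at least 8")
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate

def entropy_bits(length, alphabet_size):
    """Bits of entropy of a uniformly random password: length * log2(size)."""
    return length * math.log2(alphabet_size)
```

Eight random lowercase letters give about 37.6 bits, while sixteen characters drawn from the 85-character alphabet used here give just over 100, which is why length and variety both matter.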
It’s a really bad idea to reuse passwords between online accounts, since if one account gets hacked, your reused password can be used to gain access to the other accounts. Because secure passwords are by their nature hard to remember, you might consider using a password manager app on your phone. One good option that is free is LastPass. It syncs data across platforms and is available for iOS devices and PC.
One thing to consider carefully if you use a password manager is what you will do if you lose your phone. First, you need to make sure that you have an alternate way to access your passwords without the missing phone. Second, you need to make sure that your phone is secure, so that a nefarious finder or thief cannot get into it and use the password manager to access all of your accounts.
With the advent of iOS 13, Apple is offering a “sign in with Apple” feature that has some advantages over Facebook and Google logins, and perhaps even over password managers. For more information, see this Wall Street Journal article (subscription required, free subscriptions for Vanderbilt people thanks to your friendly Libraries).
Depending on the app you use for messaging, your messages may or may not be encrypted or subject to being hacked or searched at a later time. Perhaps the most recognized secure messaging app is Signal, which is available for iPhone, Android, or desktop use. Signal can be used to send messages as well as voice and video calls. Messages can also be set to disappear after a set interval. It is free and open source.
Keybase is a less well-known service that provides encrypted messaging as well as other services, such as 250 GB of free, encrypted cloud storage and private/public keys that can be used with other services. It is available for Mac and Windows operating systems and for mobile devices.
Although most browsers have “incognito” or “private” browsing modes that delete browsing history and cookies, they do not actually protect you from online data harvesting or monitoring of your browsing activities. The Tor Browser enables real anonymous and private browsing through a number of technologies that encrypt your browsing and send your traffic through a network of volunteer-run Tor Relay servers. It also isolates each website you visit and aims to make all users look the same so that you can’t be “fingerprinted”.
Because of the way the Tor browser uses the network, it operates more slowly than other browsers. Because its whole purpose is to make you anonymous, you won’t be able to use settings that are shared across devices, saved passwords, etc.
By default, the Tor browser uses DuckDuckGo, a search engine that does not track you.
These suggestions apply most directly to iPhones, but some of them apply to smartphones in general.
Use two-factor authentication (2FA)! If you’re running iOS 12 or later, go ahead and sign up for 2FA on websites you visit. Those sites will send you a confirmation text when you sign in, and your iPhone will automatically copy that confirmation code into your web browser, making 2FA a breeze.
Don’t re-use passwords! Go to Settings > Passwords & Accounts > Website & App Passwords. You’ll see all the passwords your iPhone has saved to your Keychain. Any password with an exclamation mark in a triangle next to it is used on more than one site. You should make these unique! Tap to change that password.
Use strong passwords! When you use your iPhone to generate a password for a website, tap “Use Strong Password” to make a better password. iOS will automatically save it in your keychain, so you don’t have to remember it. Stronger passwords mean that if a website gets its database hacked, you’ll be safer.
Use Safari! By default, it will stop advertisers from tracking you around the web, slow down Facebook and Google, and stop websites from requesting your device’s unique digital signature.
Audit and block apps that have access to your camera, microphone, and location! Go to Settings > Privacy to see a list of these things, then tap on a category to see which of your apps have access. For apps that don’t really need access to, say, your location or your microphone, cut them off!
Search using DuckDuckGo! Their business model doesn’t rely on collecting data about you, and so they don’t. Go to Settings > Safari > Search Engine and tap on DuckDuckGo. Their results are just as good as Google’s.
Be ready to turn off Touch ID and Face ID! Thanks to the Fifth Amendment, law enforcement can’t compel you to give up your passcode. But they can compel you to unlock your phone using Touch ID or Face ID. Go to Settings > Emergency SOS and turn on “Call with Side Button.” Now, when you press your iPhone’s side button five times, only your passcode will open your phone.
Delete lock screen widgets that display personal info! Swipe to the right and see what widgets are available to anyone who picks up your phone. If there are any that display personal info (like your calendar), scroll down to tap “Edit” and remove them. Similarly, go to Settings > Touch ID & Passcode and look for “Allow Access When Locked.” Disable any feature you don’t want strangers to access.
Don’t show strangers your messages! Go to Settings > Notifications > Messages > Show Previews, then select “When Unlocked.” Otherwise, incoming messages are readable on your lock screen to anyone holding your phone.
Enable Find My iPhone? Go to Settings > Apple ID > iCloud > Find My iPhone. Enable this if you’d like the ability to wipe your phone remotely, if it gets stolen. Disable this if you’re more worried about Apple knowing where your phone is.
For information on “geofencing” (using location services on your phone to identify you and your habits) and how to prevent it, see this Wall Street Journal article. A subscription is required, but Vanderbilt community members can get a free subscription through the library. Visit https://www.library.vanderbilt.edu/pdf/wsj-vu-registration.pdf for more information.
Keep your operating system up to date. Yes, those nagging reminders are annoying, but don’t put off doing the updates. If you have a PC and aren’t running Windows 10, take special precautions. Most viruses are targeted towards PCs, so Windows users need to be careful.
Use extreme caution when installing software. Macs make it difficult to download software from unapproved developers. On PCs, software from commercial vendors is relatively safe. On both platforms, do not install software unless you trust the developers and have retrieved the software from a reliable download site. Some “free software” websites that provide legitimate software are nevertheless designed to trick you into clicking on the wrong thing and downloading legal adware that you didn’t intend to install.
Don’t click on links in emails. It is very easy to impersonate a sender and to make an email look like it came from your bank or some other trusted sender (a phishing scam). It’s better to log in to banks and commercial websites via a bookmark or by typing in the URL. If you do click on links in emails, always mouse over the link and make sure that the URL shown is the actual website you want to go to. At Vanderbilt, Outlook scans links in emails to block unsafe sites. However, this system makes it difficult to know the actual URL of the link.
Back up your computer. The best protection against ransomware (which makes your data unavailable by encrypting it) is to back up your computer to the cloud or removable media. This will protect you against hard drive crashes as well!
Avoid sketchy websites. You are unlikely to get a virus from visiting reputable websites, such as Wikipedia, well-known news sites, YouTube, Facebook, Amazon, etc.
Change default passwords to strong passwords. Many people use devices like WiFi routers, security devices, etc. without changing the default passwords, making them vulnerable.
Don’t share memory sticks. Viruses can be spread through flash drives so avoid putting yours in someone else’s computer or using someone else’s flash drive in your computer. This method of spreading viruses has become less common as more files are stored on the cloud.
Frequently asked questions:
Can Macs get viruses? Yes, they can, although there are a lot of built-in features that make it less likely than on Windows. Nevertheless, be sure to pay attention to any warnings you see when you download files or install software.
Do I need to download virus scanning software? If you are running one of the current operating systems (Mac OS 10 or Windows 10), you probably don’t. On Windows 10, Windows Defender is now built into the operating system and should automatically update virus signatures. The Mac OS has a built-in scanning tool (XProtect) that works automatically in the background. Windows operating systems prior to Windows 8 are vulnerable and shouldn’t be used without running anti-virus software.
How can I know if I have malware? Windows Defender scans your computer periodically and reports suspicious files that it finds. You may discover that your computer is infected when an unusual window pops up. When computers are infected to mine Bitcoin, you might notice your computer running very slowly, getting unusually hot, or the cooling fan running more frequently than normal.
What should I do if I think my computer is infected? The best thing to do is to get help immediately. If you are connected to the network by a cable, unplug the cable. If your laptop has a hardware WiFi switch, turn it off. Advice varies as to whether you should turn the computer off. Vanderbilt IT advises leaving it on.
If you are affiliated with Vanderbilt:
If you are not at Vanderbilt:
malware handout in PDF form (2019-03-14) http://bit.ly/2F53VGr
For an informative and somewhat chilling report on how web browsers, phone apps, and smart speakers are tracking you, listen to this July 2019 interview of Washington Post tech columnist Geoffrey Fowler. See also his posts “I found your data. It’s for sale”, “Goodbye, Chrome: Google’s Web browser has become spy software”, “It’s the middle of the night. Do you know who your iPhone is talking to?”, “Alexa has been eavesdropping on you this whole time”, and others on his website.
There are many other important topics you can research, including: file and hard drive encryption and the Tails safe and anonymous operating system.
Security in a Box has links to many useful tools.
privy.sh link shortener provides a service that does not track clickthroughs (no cookies saved).