The biggest development in cybersecurity in 2017 was not a
hack. The Trump Administration has authorized Customs and Border Protection
(CBP) to demand access to electronic devices from all incoming arrivals –
citizens as well as permanent residents and foreigners. Incredibly, CBP has
also been authorized to demand social media log-in information, IDs and
passwords, so they can access your social media accounts from inside. If you
were concerned about warrantless search and seizure by the NSA as revealed by Edward
Snowden then this development should really concern you. As an aside Section
702 of what used to be called the Patriot Act also looks like it will be
extended, possibly indefinitely of some have their way.
The CBP Social Media policy is not codified in statute. The
4th Amendment is restricted at the border for routine searches. That
allows border control to conduct deeper searches of incoming passengers without
having to meet a federal warrant standard involving making a case for probably
cause. Neither Congress or the Courts have adjudicated whether this rule
applies to logging in to your social media accounts. Does it include Turbo Tax
as a social media account? Bank apps? Encrypted chat apps? Etc.
So for now, id you travel internationally and you don’t want
the federal government inside your phone and thus inside your personal
finances, taxes, private chats with your spouse or kids, either leave your
phone at home or get a burner for travel and do not leave anything on it before
you cross the border. That’s a lot of hassle but a lot cheaper than being the
test case that takes a decade to wend its way to the Supreme Court. Think of
the legal fees!
The 702 issue and the Manafort/Flynn revelations show that
the NSA remains vigilant when ot comes to communications with foreign targets.
Media suggests that 702 applies to as many as 100,000 targets. Under 702 the
NSA does not need a warrant to surveil these foreign targets even in cases
where that communication is with a US person or travels via communication links
on US territory. Section 702 needs periodic review and can fail to be renewed
if Congress does not act in time. Evidentially the deadline in Jan 2018 may be
covered by some of the language in a related law that sets the 702 cycle in
April 2018.
You might think there is no way 702 can touch you. Perhaps,
but 100,000 targets is a serious number. They are not all ISIS. They clearly
include diplomatic representation to the US, foreign governments, financial and
business leaders overseas, and so on. Maybe this does not matter to you, but MI
knows many of its readers are national security personnel and higher end
business people, this may touch you. For the record, in order to surveil a US
person as the target (not the collateral damage in targeting a foreign
communication) in their communications across the international border, the
government still needs to get a FISA warrant. To surveil you domestically, a
court issued warrant based on probable cause is required.
This background is important to know but it also the setting
for the suggestions made below. Disclaimer: MI is not a legal advice
organization, and these are suggestions that readers are free to ignore based
on their judgement. MI has no responsibility for how you conduct your personal
communications or travels. These are helpful suggestions not business
recommendations. Just don’t sue us, ok?
As the fallout from the San Bernardino terrorist attack
shows, it is not easy for federal law enforcement (FLE) to access encrypted
devices. They say they got into the terrorist’s iPhone without Apple’s help;
that may or may not have happened. Post Snowden Apple and others know that its
business model will fail to grow unless it puts people and not FLE first
(although its policies in China suggests that if the market is attractive
enough Apple’s principles may be a little softer than in a mature market). So
has MI become paranoid? Looking at the threat board too hard all year and
unnecessarily freaking out? Surely all of these measures are for criminals and spies
– they don’t apply to little ole me going about my day? What could possibly go
wrong? I don’t break the law, I help enforce it.
Crime is an old canard to prevent you from protecting
yourself – ironic really. Good digital security and privacy practices are
essential and here’s why:
1. Common
sense. The Five give you their platforms for free, right? You don’t pay for
Gmail or YouTube. It’s great! Yet if that’s true, why are The Five the most
valuable companies in the world? Where does that money come from? YOU. The Five
(and others) see you as a mine of data that they use to position their own
services that do cost money and to sell to their advertisers to pinpoint your
interest in 18th C Austrian stamps. Marketing on TV is wasteful,
especially for specialized items. The cutting edge in marketing is personalized
tailored focus on individual interests. Now instead of buying ad time on TV –
very costly and basically useless for stamp collectors - highly specialized ads
can be sent very cheaply to everyone on earth who is interested in 18th
C Austrian stamps.
So you pay for these ‘free services’ of Facebook, Google,
Amazon, and so on. The fee? Your privacy. What’s that really worth to you?
2. Life
Happens. You might become incapacitated and you have always been t6he one who
does all of the administration for the family. Incapacitation or sudden death
vastly complicates managing your affairs, The set up suggested below will
enable someone you trust to pick up exactly where you left off and operate your
life when you can’t. It should be a central part of any good estate planning.
But as argued, can be there for life events or even getting stuck overseas with
a lost phone, etc. The settings below
have you backed up and secure so you (or your trusted person) can keep driving
and paying bills and not getting behind.
3. Your
obligation to protect the country. Most of MIs readership ace national security
professionals. They know that weak security of their home, person or digital
footprint can help bad actors gain situational awareness and/or actual data and
access with which they can threaten national security directly or indirectly.
The USG has broken this professional and social contract with its unacceptable
laxness in protecting SF-86 Data that resided with OPM. Nevertheless, we all
need to work together and this is a case where protecting yourself and your
family will also maintain your sacred obligation to protect America.
4. “But MI –
The Costs of All These Services!” See point one – your digital world is not free.
In fact, you have been commodified. This should annoy you. It annoys the crap
out of us. Your spouse and your children are commodities to be traded. Ever
wondered why little Suzie gets credit card offers at age 6? It’s not because
she is a rock star shopper (even if she is, our commiserationsJ) It’s because Suzie’s
very existence has been sold to someone who wants to sell to her (they just
don’t know she’s a wee tot, as they say in Scotland).
All of the systems and services we suggest below charge fees.
If they don’t, then that’s the first hint that they may not be the best
solution to your digital fingerprint and footprint privacy. Most cost tens or a
few hundred a year. All up, even with the most high end services an individual
or family might want, you are looking at around $500 a year. That’s peanuts for
what you get for that sum.
Do you really think your name, address and social are safe?
*2013 3 billion yahoo accounts hacked
*2015 ALL OPM SF-86s hacked
*2017 143 Million credit profiles hacked at Equifax
*2017 198 Million US
voter records hacked
And you call MI paranoid J
Companies like Target and a bunch of others have all been hacked too. It’s not
going to end, it’s going to accelerate and deepen. The US election was hacked
in the sense that social media was completely manipulated to pervert the course
of the election. It goes on and on.
It’s time to get real. It’s time to protect yourself, your
family, and your country.
Here are our tips for 2018:
1.
Encrypt
everything. Phones, computers, hard
drives, thumb drives. There are now plenty of options to do this. MI recommends
picking one option across all hardware platforms. There are easy to use
software programs now that can do this. The other option is using the features
on the laptop during set up. Apple now offers this. Remember the number of
different systems you use will require remembering a lot of log-ins.
2.
Password
gatekeeper. This is a MUST. Again, as with hardware encryption options, there
are a lot to choose from – the type of program MI has in mind is 1Password and
the like. Each has different pros and cons. What they do is simple – they
create impossible to hack passwords for all the sites you use to bank, do
taxes, communicate with people, social media, etc. anything you log into – they
protect. The software conjures up long complex passwords with or without
symbols (&%$₵#), numbers, etc. It then stores these with your log-in
IDs against the relevant URLs. To access your bank, you don’t have to google
and find the bank, you simply press the bank’s icon and the password program
automatically logs you in with the long/complex password. It’s easy and
incredibly secure. The weakest link – the password you use to access the app.
3.
Log-in
IDs and email IDs. The days of using David.Smith@gmail.com are gone. Why
make it easy for the bad guys to target you. As above, you can now use password
apps to create unique log-in IDs, MI recommends random jumbles of letters,
numbers, and symbols, just like a password – so they are unintelligible to
whoever may be trying to find ‘David Smith’. MI recommends different IDs for
high impact accounts like banks and maybe a common one for low impact stuff
like Hulu. Note: Facebook is NOT low impact!
4.
Social
Media. OK, this is going to hurt. Are you sitting down? Get off Facebook.
Guess what? You can’t get off Facebook! Try it and see. It owns you. To the
extent that your data, your most private data is you, it owns you. If you load
it onto Facebook, they now own it; whether it’s a picture, your religious,
political, sexual, social, or other habits, preferences, views, etc., Facebook
owns it. This is not a rhetorical point, it is a legal fact. Remember the long
Terms of service in tiny print? Don’t worry, no one else reads it either. It’s
in there. As a matter of law, anything you put on Facebook is their property.
It’s in there. As a matter of law, anything you put on Facebook is their
property.
Why is this important? Because Facebook is the greatest human intelligence gathering platform ever devised. In the old days the following information had to be either interrogated out of you or was the fruit of weeks if not months of resource-heavy surveillance: your full name, date of birth, addresses of home and work, your up-to-the-minute location (from their geo-location settings as well as posting from your favorite café), your network of contacts from all aspects of your life, the books, magazines, websites, blogs, and tweets you read, your opinion on political social, international, gender, sexual orientation issues; digital records both still and video of you, members of your network, locations you visit, places you vacation, your home and vehicles and so on. Facebook owns that catalog of your identity. They sell that information and the patterns it depicts – pretty much anything can be known about you which helps companies market to you, but it also helps people find you and know what you are thinking and who you are associating with. If a foreign intelligence agent asked you 5% of this kind of data you’d be down to the SSO’s office to report a foreign intelligence collection operation in US soil.
Now, you are broadcasting all that highly personal and valuable data to anyone who wants to look. And if you think Facebook privacy settings are going to protect you, then… well, enjoy the ride.
How to delete your Facebook account. As noted above, you actually can’t do this. The best thing you can do is the following: Go back through all of the sub-headings that list your preferences and delete them one-by-one. This applies to any data or pictures you want removed. It will take a long time and be tedious. But at least at that point you have some control over content. FB keeps the original but this way you minimize what can be discovered if the account is hacked and just maybe FB’s record is minimized. Then, go to “delete this account”, it will explain that the best it can do for you is turn it off the web but it does not delete the files and you can go back and reactivate at any time.
Before you do this, however, send out a note to all your FB connections advising them that you are deleting your account and that you are NOT UNFRIENDING them. Account deletion can appear to friends as unfriending, leading to awkward conversations, or worse, no conversations and the appearance of a major social slight when none was intended. Put that message up once a week for a month so your key friends catch it… then follow the steps above.
Why is this important? Because Facebook is the greatest human intelligence gathering platform ever devised. In the old days the following information had to be either interrogated out of you or was the fruit of weeks if not months of resource-heavy surveillance: your full name, date of birth, addresses of home and work, your up-to-the-minute location (from their geo-location settings as well as posting from your favorite café), your network of contacts from all aspects of your life, the books, magazines, websites, blogs, and tweets you read, your opinion on political social, international, gender, sexual orientation issues; digital records both still and video of you, members of your network, locations you visit, places you vacation, your home and vehicles and so on. Facebook owns that catalog of your identity. They sell that information and the patterns it depicts – pretty much anything can be known about you which helps companies market to you, but it also helps people find you and know what you are thinking and who you are associating with. If a foreign intelligence agent asked you 5% of this kind of data you’d be down to the SSO’s office to report a foreign intelligence collection operation in US soil.
Now, you are broadcasting all that highly personal and valuable data to anyone who wants to look. And if you think Facebook privacy settings are going to protect you, then… well, enjoy the ride.
How to delete your Facebook account. As noted above, you actually can’t do this. The best thing you can do is the following: Go back through all of the sub-headings that list your preferences and delete them one-by-one. This applies to any data or pictures you want removed. It will take a long time and be tedious. But at least at that point you have some control over content. FB keeps the original but this way you minimize what can be discovered if the account is hacked and just maybe FB’s record is minimized. Then, go to “delete this account”, it will explain that the best it can do for you is turn it off the web but it does not delete the files and you can go back and reactivate at any time.
Before you do this, however, send out a note to all your FB connections advising them that you are deleting your account and that you are NOT UNFRIENDING them. Account deletion can appear to friends as unfriending, leading to awkward conversations, or worse, no conversations and the appearance of a major social slight when none was intended. Put that message up once a week for a month so your key friends catch it… then follow the steps above.
5.
Google.
Yep, them too, and not just their social media efforts. Let’s just start with
Gmail and YouTube. One of the many dorty little secrets of The Five as the
companies that run the world are known, is they are surveilling you all the
time. Have you ever wondered why the ads you get seem targeted to your interest
in skiing? Because they scan your emails looking for key words that can be used
to market products to you. Likewise, all your YouTube searches – like all of
your Google searches –are logged with the company. In the past the FBI and CIA
got into a lot of trouble for warrantless searches of people’s library
borrowing habits – check out the Church Commission that followed some major
espionage leaks, not of foreign threats but Uncle Sam monitoring citizens. You
can delete search histories from your browser, along with cookies, do you
honestly think that will do anything other than make you feel secure? They
already have the data, you are just deleting your record of it, not theirs!
(Still, it’s worth doing, BTW).
The Fix: as with Facebook, manually delete everything, then delete the account. This is possible with Gmail and YouTube. BUT FIRST, there are some steps you need to make. First, you need to move your emails from the Google servers onto your own hard drive(and/or cloud – more about the cloud below). The smartest way is a hard drive first and then the cloud – again, more below. There are a number if apps that will move all your emails in their folders from the Gmail system onto a hard drive of your own, so you have a complete record (assuming you need to keep the receipt from the Apple store where you just bought a new laptop for $2k, for example). Then Gmail has a global delete function – it save you going file to file and page to page. You can delete it all in one step. THEN make sure you empty the trash! Make sure SENT mails are collected and deleted too. Once you are satisfied that the complete record has been erased, then shut down the account.
The Cloud. Yes, both the company offering the cloud and the government can access search, harvest and sell all that data too. Google Drive, Dropbox, etc. There are cases in the courts right now where the government is forcing US cloud companies to divulge data that is not even resident on US cloud servers. All US providers use cloud servers here and overseas, Because the law never imagined needing to access an American safe in Ireland, there is no law covering accessing a US cyber safe in Ireland. MI anticipates the courts will force US cloud service providers to cough up data regardless if where it rests. Certainly US LE and the courts seem to have no regard for the domestic laws of the countries in which those servers reside (unless they are forced to, see below). Thus if you use an American cloud you are wide open.
This issue goes to the heart of the Apple v FBI situation following San Bernardino. Apple feared losing customers id the public saw them roll over to the FBI. So they took a stand (after years if secret collusion – the exposure of which embarrassed The Five – see the Snowden issue). Just to note, this impacts all The Five, not just Apple. MI welcomes the stance they have taken post-Snowden and acknowledges it’s in their economic best interests to protect the masses over the occasional bad actor who might benefit from their services (more about the crime argument below).
The Fix: back up all of your cloud files to a hard drive in your possession. This is good practice anyway. Then encrypt that drive.
Find a foreign end-to-end encrypted cloud service. Preferably this will be in a country that has strong privacy laws (any EU country has much stronger laws than the US, and some have even more stringent requirements than those mandated by the EU, such as Switzerland). Alternatively, a cloud service in a country that is not beholden to US pressure. The key is being in a non-US jurisdiction, one that has strong privacy rules, and the use of end-to-end encryption - which means that the content of the data is invisible except on the sending and receiving computers.
The Fix: as with Facebook, manually delete everything, then delete the account. This is possible with Gmail and YouTube. BUT FIRST, there are some steps you need to make. First, you need to move your emails from the Google servers onto your own hard drive(and/or cloud – more about the cloud below). The smartest way is a hard drive first and then the cloud – again, more below. There are a number if apps that will move all your emails in their folders from the Gmail system onto a hard drive of your own, so you have a complete record (assuming you need to keep the receipt from the Apple store where you just bought a new laptop for $2k, for example). Then Gmail has a global delete function – it save you going file to file and page to page. You can delete it all in one step. THEN make sure you empty the trash! Make sure SENT mails are collected and deleted too. Once you are satisfied that the complete record has been erased, then shut down the account.
The Cloud. Yes, both the company offering the cloud and the government can access search, harvest and sell all that data too. Google Drive, Dropbox, etc. There are cases in the courts right now where the government is forcing US cloud companies to divulge data that is not even resident on US cloud servers. All US providers use cloud servers here and overseas, Because the law never imagined needing to access an American safe in Ireland, there is no law covering accessing a US cyber safe in Ireland. MI anticipates the courts will force US cloud service providers to cough up data regardless if where it rests. Certainly US LE and the courts seem to have no regard for the domestic laws of the countries in which those servers reside (unless they are forced to, see below). Thus if you use an American cloud you are wide open.
This issue goes to the heart of the Apple v FBI situation following San Bernardino. Apple feared losing customers id the public saw them roll over to the FBI. So they took a stand (after years if secret collusion – the exposure of which embarrassed The Five – see the Snowden issue). Just to note, this impacts all The Five, not just Apple. MI welcomes the stance they have taken post-Snowden and acknowledges it’s in their economic best interests to protect the masses over the occasional bad actor who might benefit from their services (more about the crime argument below).
The Fix: back up all of your cloud files to a hard drive in your possession. This is good practice anyway. Then encrypt that drive.
Find a foreign end-to-end encrypted cloud service. Preferably this will be in a country that has strong privacy laws (any EU country has much stronger laws than the US, and some have even more stringent requirements than those mandated by the EU, such as Switzerland). Alternatively, a cloud service in a country that is not beholden to US pressure. The key is being in a non-US jurisdiction, one that has strong privacy rules, and the use of end-to-end encryption - which means that the content of the data is invisible except on the sending and receiving computers.
6.
Opening a
new email account. Follow the same principles as the cloud – foreign
jurisdiction, foreign company providing the service, and end-to-end encryption.
Open at least 2 accounts. One for your private conversations with friends and
colleagues and one for Administration. MI recommends also opening one for low
impact activity like TV online accounts and newspapers and the like. Things
that if you lost them would not matter to you.
You’ll be amazed at the sudden death of junk mail and ads and all the rubbish that comes with American ‘service’ providers, which should be more accurately, described as personal data wholesalers. MI hates to appear to be critical of American firms, but in fairness, they have gotten us into this situation. You are truly on your own when it comes to privacy and security. Most national security professionals know this (MIs key demographic) but it’s important to be reminded, especially when long term deep maintenance of one’s electronic fingerprint and indeed footprint takes so much work. We get that. But you owe it to yourself, your kids, and even the country to protect your data. With the politicization of national security staff these days and all the investigations, you don’t have to be a bad actor to get swept up in all if this and for CNN to run your tweets or texts to your girlfriend as headlines, to decide some protection is not a bad idea.
You’ll be amazed at the sudden death of junk mail and ads and all the rubbish that comes with American ‘service’ providers, which should be more accurately, described as personal data wholesalers. MI hates to appear to be critical of American firms, but in fairness, they have gotten us into this situation. You are truly on your own when it comes to privacy and security. Most national security professionals know this (MIs key demographic) but it’s important to be reminded, especially when long term deep maintenance of one’s electronic fingerprint and indeed footprint takes so much work. We get that. But you owe it to yourself, your kids, and even the country to protect your data. With the politicization of national security staff these days and all the investigations, you don’t have to be a bad actor to get swept up in all if this and for CNN to run your tweets or texts to your girlfriend as headlines, to decide some protection is not a bad idea.
7.
Extended
Security Questions and Dual Factor Authentication. When you change
locations (either physically or via a VPN) most email companies, banks, etc.
will ask for additional security questions to verify the right person is
accessing the account. MI suggests using a bank of standard ‘answers’ that are
mini passwords– they are not actual answers to ‘who was your childhood friend’ they
are Password Gatekeeper generated (and remembered) strings that you can use in this circumstance. So
that when you are asked ‘who was your childhood friend’ the answer is not Fred,
it’s ‘*nYss₵43$’.
Dual factor authentication particularly using cell phones can be hacked, it turns out. The bad guys can run off with the phone or cyber into it. Look for work-arounds. Password gatekeepers alone are best, a high end thumb drive is an alternate to consider based on your needs.
Dual factor authentication particularly using cell phones can be hacked, it turns out. The bad guys can run off with the phone or cyber into it. Look for work-arounds. Password gatekeepers alone are best, a high end thumb drive is an alternate to consider based on your needs.
8.
Messenger
Services. IMing is becoming more popular than emails. The state of the art
for privacy right now is Signal. It’s end-to-end encrypted, and can be set to
auto-delete chats after a period of time. But look out – one of the Five will
try to buy it for billions in order to access the data. That’s why Facebook
paid ca 15 billion for Whatsapp – Facebook’s engineers can build an IM platform
in their sleep. They wanted the data, the identities, the patterns – the key to
the money.
9.
Virtual
Private Networks – VPNs. Get one, set it on a high-privacy foreign
jurisdiction (see above discussion about the cloud/email) and use it
religiously. A VPN hides your IP address. It also places all your digital
activity inside the high-privacy jurisdiction of the country you choose. Each
time you log-in to a VPN you can pick which country you will appear to be
operating out of. MI recommends moving that location to other safe locations
periodically. VPNs are available for both fixed and mobile platforms.
10.
Alexa and
the other women in your life. Don’t let them into your home! Get off your
ass and turn off the light yourself. Sheesh. Alexa and Siri and the girls are
always listening and sending back all your requests to the mothership. Alexa
has already been taken to court, or the recordings made passively (ie., not
following a command to take action) during a murder. If you do not intend to
say “Alexa give The Five all the conversations between me and my spouse and
between us and our kids and between us and anyone on the phone who calls us
etc. etc.etc.” then as delightful and ‘helpful’ as these wonderful ladies are,
don’t let them into your abode – your castle. In 1984 the TV on the wall of
your house was the interface for Big Brother – now you bring BB into your home
on your cell phone, laptop, and increasingly on anything that can transmit…
same goes for wherever you go…you Re taking a complete suite of surveillance
tools with you, which you then turn against yourself 24/7. Not smart, people.
11.
Crossing
Borders. The fix: Get a burner and don’t register it under your name! Or
use your own phone and completely wipe it – before crossing any border. If
America is forcing you to give up your log-ins, just imagine what China is up
to! First, back it up to your new foreign cloud, then wipe it by choosing to
reinstall the system software. Some shadow data will survive but a routine
border check will not go that far. Then, once on the other side, use a secure
connection and VPN to upload the phone from the cloud. It’s best to delete all
texts, IMs, and conversations from all apps as well.
12.
Physical
Mail Security. Get a UPS store account for all your physical mail. Your
mail box at home is a sitting duck, filled with personal information and is
completely open for anyone to access. Such access is a federal crime but
proving someone stole your credit card statement from your mailbox might be
hard. Avoid it by getting a street address based alternate mailbox. Sadly, USPS
does not do street addresses, thus conceding the territory to UPS and others
(no wonder they can’t compete). UPS can then forward on your mail or you can
collect on your way home. Happy in the knowledge that it is secure and
monitored by a human being and under considerable lock and key after hours.
Remember in hacking, social engineering is often the easiest way in – mailbox
jumping is old school and works just fine. Further point on mail. Given the
legalities, if you need to send something really secure, consider the post.
13.
Cyber
Hygiene Best Practices. Keep system software updated, Use anti-virus [just
not Kapersky (Google it and DHS)] – and turn off geo-location on all hardware
and software. This will make GPS maps useless – just consider cost/benefit for
your situation. Again, a burner smart phone might be a solution. Small cloth ‘Faraday Cages’ are a super
convenient way to stop the phone transmitting your locations. No need to take
out the battery and SIMs etc…just turn it off and slip it into the soft cover –
if it’s on, it will drain the battery looking for a signal.
MI hopes you and those special to you enjoy this Christmas
present from us. Here’s to a safe, secure, private and prosperous 2018.