DigiSafe Coaching

Straightforward, actionable tips to strengthen your digital privacy and security.

2024-09-30

I was recently asked: what are the risks of using Skype for sensitive conversations?

The short of it is that by default, Skype (and Microsoft, which owns Skype) can listen to everything you're talking about, read every message, and access every file you share.

But Skype does offer a "Private Conversations" feature. In a Private Conversation, messages, voice calls, and file-sharing are all end-to-end encrypted...

1/2
#privacy #encryption #cybersecurity

Screenshot of a "new chat" button and the context menu that opens when we click it, with the options: new group chat, new moderated group, new chat, new private conversation
2024-09-30

...This means that nobody, including people working at Skype, can access any of the content of those conversations.

However, even if it cannot eavesdrop on your conversations, Skype will still know who you're talking to and when. If this is a concern, Signal remains the best option out there!

2/2

2024-09-29

In the news: In a marketing presentation, media giant Cox Media Group says it can target adverts based on what people said out loud near device microphones.

What you can do: It's unclear whether the presentation was truthful or marketing bogus, but it's a good idea to regularly check your phone's permissions to make sure only apps that need it have access to your microphone. And if you are particularly wary, "smart" devices like Google Home or Amazon Alexa are a no-go!

#privacy #cybersecurity

Screenshot of a Sept 4th by Isaiah Richard article with the headline "Cox Media Group Reveals Its 'Active Listening' Software Spies on User Convos, Clients Include Meta, Google" and the subheading "Your conversations may not be safe on Facebook and Google because of Cox Media."
2024-09-28

If you share a document, chances are you are exposing some of this information. So automatically removing this metadata is a great privacy measure for those who want to be extra-safe with those documents. To enable it, download the latest version of LibreOffice, go to Settings > Security > Security Options and Warnings, and enable "remove personal information on saving".

2/2

2024-09-28

In the news: In a recent update, LibreOffice (which offers open-source, free alternatives to Microsoft Word, Excel, etc) added a major new privacy feature: automatic removal of personal data from documents.

Why that matters: documents like text files or spreadsheets often contain a ton of information (called metadata) that users aren't even aware of: who created the doc and when, who last edited it, who left comments and what those comments were, etc.

1/2
#privacy #cybersecurity

2024-09-27

In the news: a research firm found that 30% of 7 to 9 year olds have a Twitter/X account.

What you can do: Since it changed ownership, X has become a cesspool of misogynist, neo-nazi, and conspiracist content, with little to no moderation. To protect your child, you may want to block X on shared family devices or in parental control apps.

#privacy #SocialMedia

Screenshot of an article with the title "A surprising number of ‘iPad Kids’ are on X, study finds"
2024-09-26

Some #privacy good news! Google will start deleting everything it knows about users’ previously visited locations.

What it means for you: Any piece of personal information that a company deletes is good news, as it's a piece of personal information that cannot be leaked or sold. To take advantage of this change, make sure the "Timeline" feature, which keeps track of your location, is off in your Google account's settings > Data and privacy > Timeline.

Screenshot of an article with the title "Google to start permanently deleting users’ location history" and the subheading "Tech firm earlier committed to storing less data about individuals in response to privacy concerns"
2024-08-31

In the news:
For the first time ever, Android malware uses a device's NFC reader in a way that basically clones the card so it can be used at ATMs or for purchases.

What you can do:
The malware was installed on users' devices using standard phishing techniques: the attacker messaged victims and encouraged them to install an app from websites impersonating official bank websites. Be mindful of people contacting you out of the blue, and never download apps outside of official app stores.

#Privacy

Screenshot of an ArsTechnica article by Dan Goodin with the title "Android malware steals payment card data using previously unseen technique" and the subheadline "Attacker then emulates the card and makes withdrawals or payments from victim's account."
2024-08-30

In the news:
The Singaporean police found most scams and cybercrimes start on messaging platforms, with WhatsApp and Telegram making up the overwhelming majority of cases.

What you can do:
These numbers focused on Singapore but the trend is true across the world: more and more phishing and scamming attacks take place on instant messengers. Always be cautious when you get a message from someone you don't know; don't click on suspicious-looking links, and don't download attachments!

#Privacy

Screenshot of a Zdnet article written by Eileen Yu on Aug. 23, 2024 with the headline "Scammers are increasingly using messaging and social media apps to attack" and the subheadline "Meta platforms, alongside Telegram, are among the growing number of sites used as a form of contact in 45% of scams."
2024-08-29

In the news:
New malware targets Mac users and steals system information, iCloud Keychain passwords, browser cookies, and Telegram account information.

What you can do:
We often feel like Mac users are safe from malware. There is less malware on Mac than Windows, but it doesn't mean we shouldn't be cautious. On Mac, as on other systems, always download software from trusted sources and stay away from unverified apps. And always keep your computer up-to-date!

#Privacy #DigitalSecurity

Screenshot of an article by Sead Fadilpašić with the headline "A new macOS data stealer is going after Apple users" and the text "Cybersecurity experts from Cado Security have uncovered a new information-stealing malware, targeting Apple macOS endpoints."
2024-08-28

Incredible project that maps out the funders, partners, and subsidiaries of the surveillance companies that invade our privacy and, in the case of activists and journalists, threaten lives.

This is the most extensive list I've seen and it's beautifully presented. Check it out: buff.ly/3XjQJa9

#Privacy #HumanRights

Screenshot of a website called "Surveillance Watch" saying "They know who you are. It's time to uncover who they are." and "Surveillance Watch is an interactive map revealing the intricate connections between surveillance companies, their funding sources and affiliations."
DigiSafe Coaching boosted:
2024-08-28

A Consumer Reports study found that some of the paid services to remove our personal info from data brokers are completely useless. Doing the work yourself (by directly requesting these websites to remove your information) actually yields better results.

If you're willing to take the time to do it yourself, the most accurate and up-to-date list of people-search sites is this: buff.ly/3mbBkDU . If you'd rather pay, the study finds that EasyOptOuts and Optery yield decent results.

#Privacy

Screenshot of the cover page of a report with the title "Evaluating People-Search Site Removal Services" by Yael Grauer, Victoria Kauffman, and Leigh Honeywell, dated August 8, 2024
2024-08-27

In the news:
Google is facing a class action lawsuit for collecting users’ data through Chrome without their consent, including browsing history, IP addresses, persistent cookie identifiers, and unique browser identifiers.

What you can do:
It's not the first time Google Chrome is caught red-handed collecting users' data without their consent. For better privacy, use a more trustworthy web browser like Mozilla Firefox, DuckDuckGo Browser, or Brave.

#Privacy #DigitalSecurity #CyberSecurity

Screenshot of an August 20th article by Emma Roth in The Verge with the headline "Google has to face a class action lawsuit over Chrome’s data collection" and the subheading "A lawsuit claiming Google’s Chrome sync collected user information without consent has been revived."
DigiSafe Coaching boosted:
2024-08-27

2.9 billion records have been leaked from a company that runs background checks. If you are in the US, your social security number is likely in the leak.

Our best option to protect ourselves against identity theft is a 'credit freeze': contact credit score companies (Equifax, Experian, and TransUnion) and ask them to freeze your credit. This prevents creditors from viewing your credit report during a credit application process and from opening new accounts in your name.

#Privacy #CyberSecurity

Screenshot of a The Verge article dated August 17, 2024 by Umar Shakir with the title "National Public Data admits it leaked Social Security numbers in a massive data breach" and the subheading "A background-checking company has confirmed it suffered a data breach, months after hackers started advertising stolen files with billions of lines of personal information."
2024-08-26

On Saturday, Pavel Durov, founder and CEO of Telegram, was arrested in Paris. A lot of people, including in the media, are writing a lot of inaccurate things about Durov and Telegram, so this is a good opportunity to clarify some things:

- Telegram is often described as an "encrypted messenger". Actually, Telegram is not any more encrypted than Skype: both Skype and Telegram are, by default, *not* encrypted from end-to-end. This means that the Telegram team can read/listen to all the conversations you have on Telegram, and can give access to these conversations to anyone they wish. And like Skype, Telegram offers a "secret chat", which *is* end-to-end encrypted, but most users don't even know about the feature. In fact, Skype uses an encryption algorithm that is far more trusted by cryptographers… So if you're looking for privacy, Telegram is just not it. Signal is the gold standard when it comes to private communications, but even Skype is a better option than Telegram.

- It is not Telegram's "encrypted" :eye-roll: features that led to Durov's arrest. None of the encrypted messaging apps out there face similar charges as Telegram (though for example WhatsApp has many more users and is end-to-end encrypted by default). Durov was arrested because Telegram is, in addition to a messaging app, a social network. It offers "channels" that can be followed by millions and "super groups" that can have hundreds of thousands of members. Telegram's social networking features have no moderation. This means that Telegram has become a cesspool of conspiracy theories and incitement to violence. But like all social networks, it is bound by laws around moderation to prevent harassment, cyberbullying, violence, and spread of fake news. So the arrest may be unexpected but it makes sense.

We'll see what the case on content moderation brings, but this is an opportunity to remember that even when it comes to privacy, Telegram is a terrible company: it's not just terribly insecure, it has also misled millions of people into thinking their communications were private while they're just using a better-looking and less secure version of Skype.

#Privacy #CyberSecurity #DigitalSecurity

2024-08-26

In the news:
Attackers convinced mobile users to install Progressive Web Apps, a type of website that looks like regular apps. These looked exactly like the users' banking apps.

What you can do:
Never install apps from outside the official app stores. Not all apps on app stores are trustworthy, but official app stores offer a basic level of security you don't get if you install apps from other channels.

#Privacy #CyberSecurity #DigitalSecurity

Screenshot of an article with the headline "Czech Mobile Users Targeted in New Banking Credential Theft Scheme"
2024-08-25

In case you missed it, Proton released this summer a private alternative to Google Docs: Proton Docs. It has all the features you expect from a collaborative document, but no one other than your team (not even Proton themselves) can access your docs.

If you're interested in leveling up your team's privacy, it's worth checking it out! buff.ly/3X8QZZa

#Privacy #DigitalSecurity #CyberSecurity

DigiSafe Coaching boosted:
2024-08-25

A sophisticated phishing campaign against Eastern European organizations reminds us that:
- emails coming from @protonprivacy can also be impersonated
- you should be cautious of emails sent by people you know
- attackers can be SMART. In this case, they asked recipients to review a document but "forgot" to attach it to the email, to make it more realistic.

Phishing is one of the biggest threats. Shira.app is a good way to get better at detecting attacks.

#Privacy #PrivacyMatters

Screenshot of an article with the title "Rivers of Phish" and the subheading "Sophisticated Phishing Targets Russia’s Perceived Enemies Around the Globe", By John Scott-Railton, Rebekah Brown, Ksenia Ermoshina, and Ron Deibert
2024-08-24

A new report on phishing found that .top was one of the most common suffixes in phishing websites over the past year (second only to .com). So if you see a suspicious email coming from a .top email address, or a link in an email that leads to a .top URL, you know what to do: don't click!

And to practice your skills in identifying and defeating phishing attacks, check out shira.app

#Privacy #DigitalSecurity #CyberSecurity

Screenshot of a report cover page by Interisle Consulting Group dated 23 July 2024 with the title "Phishing Landscape 2024" and the subheading "A Study of the Scope and Distribution of Phishing"
2024-08-23

@Walker oh cool, thanks for sharing!
