Cybersecurity for the Trumped

7. Facebook

Thu, 24 Nov 2016 11:24:11 GMT

Facebook is a problem. Privacy-wise, it's riddled with concerns, but it's so embedded in many people's lives that it's hard to uproot. I have never used Facebook, so everything I'm going to write below is second-hand; please correct me where needed.

Why worry about Facebook?

Here are some reasons why many people feel that Facebook should not be trusted with the details of your daily life.

First off: Mark Zuckerberg is a jerk. He does not respect his users; their privacy, even less so. He's called his users 'dumb fucks' for trusting him. Does that offend you? It probably should.

Secondly, privacy settings on Facebook change all the time. They can't be relied upon. If there is something you're not ready to share with the entire world (under your real name,no less), you should not be sharing it with anyone through Facebook.

Facebook is not designed to show you what you want to see. It's designed to keep you clicking around within the Facebook walled garden for as long as possible. It is, in fact, designed to be addictive. That shouldn't be a surprise, since many websites are.

Facebook tinkers with your emotions in ways that aren't good for you. It actively makes people unhappier.

Facebook stores ridiculous amounts of data about its users and probably never deletes it, even after you close your account.

Facebook builds a very detailed profile of you, based on your behaviour both on the site itself and on other sites, and uses that for targeted advertising. It also sells this information.

That's right: Facebook tracks your surfing even when you're not on Facebook. If you click a 'like' button anywhere on the web, that is of course recorded; if you don't click it, that's fine too. The fact that it's shown in your browser at all is enough to track your online behaviour.

Facebook gets information from Google searches that lead you to specific companies' websites. Those companies don't just know you visited their website, they know what you searched for that led you there. And now they can follow up with you on Facebook. All for your own convenience, mind you.

Facebook is keylogging your status updates as you type them. So even if you decide never to post them, they're being stored.

All this data is in the hands of a US based company. The US government, or any random cybercriminal, can certainly gain access to it. If you don't want to be spied on, don't use Facebook, not even if you're in Europe. EU laws don't protect you.

Getting away

So if you don't want to use Facebook, what other options are there? No worries, it's a wide, wide Web out there. Here are some options, depending on what you use Facebook for. Whether these options work for you, also depends on why you want to get away from Facebook. Always check who owns the platform you're considering joining. This can change rapidly and dramatically!

Part of this information comes from here.

LinkedIn: A professional social networking site with approximately 347 million users worldwide. Good for maintaining professional contacts with colleagues, clients, and others, LinkedIn can also be used for finding jobs and recruiting employees. Now owned by Microsoft.

Twitter: While smaller and more narrow in focus, Twitter is hardly an also-ran. At last count, it boasted over 284 million active users and 500 million tweets a day. It is growing at least as fast as Facebook and is causing quite a lot of waves with a well-publicised role in revolutionary movements in Egypt, Iran, and other countries. Here is information about staying safe as an activist on Twitter.

Pinterest: This platform revolves around the concept of "pinning" interesting photos, web pages, articles, and other content onto virtual noticeboards, then sharing them with people. You can create different pinboards for different interests, events, collections, or whatever you want. You can view things on other people's pinboards and repin them on your own. Pinterest has over 72.8 million users and is growing rapidly.

Instagram: This isn't just a social network, but it is being used as one by many. It's an online mobile photo-sharing, video-sharing, and social networking service that lets users to share images, videos, and words. Instagram says 300 million people use its photo app every month, with 70% of them coming from outside the US.

Tumblr: Tumblr is part blog and part social networking site. Users can create their own blogs and follow others' in a similar way to social networks. Last I checked, it had 420 million users, probably 30-50 of which are active, and 217 million blogs.

MySpace: Originally the big name in social networking, it is most popular with young people and has 50.6 million monthly active members. Following a re-branding, it is now a music-orientated site targeted at young people.

Tagged: A social networking site with approximately 100 million users (but no clear data on how many are active), it is now also known as if(we). It was the subject of significant controversy in 2009 for allegedly using member's email accounts to repeatedly send invites to all of their email contacts.

LiveJournal: Used to be a very popular blogging/networking site, that is still used by many groups in fandom. Currently in Russian hands, and not advertising-free. Faded glory, but still quite usable. But: hosted in Moscow, so don't consider it private or safe.

DreamWidth: Forked from LiveJournal years ago, and the better alternative if you ask me. Popular with fandom, but also good for keeping an online diary that can be as public or restricted as you want it to be. Ad-free, free to use and founded in high ideals.

Diaspora: This is a nonprofit, user-owned and distributed social network that gives you full ownership and control of all the data, photos, writing, etc. that you post. This is in direct contrast to Facebook, whose policy is to use your data and posts however it likes.

Ello: Created by a small group of artists who'd grown tired of clutter, negativity, data mining, and ads. You won't be forced to watch videos or see ads. Instead of being the intended facebook killer, it found its niche as a thriving, supportive portfolio service for digital artists.

Path: A social network that limits you to 50 friends. The idea of this is to allow you to interact with and share your photos, thoughts, and your life, really, with only the people you are closest to.

MetaFilter: Metafilter is a weblog that anyone can contribute a link or a comment to. This website exists to break down the barriers between people, to extend a weblog beyond just one person, and to foster discussion among its members. Also has subsites like AskMefi and FanFare (discussion of popular media like films and books). Good moderation. Good place to find activists.

Reddit: A social news aggregation, web content rating, and discussion website. Reddit's registered community members can submit content, such as text posts or direct links. Registered users can then vote submissions up or down to organize the posts and determine their position on the site's pages. Beware of the dark corners, not all of this site is safe/pleasant.

Medium: in its own words, a place where everyone has a story to share and the best ones are delivered right to you. Every day, thousands of people turn to Medium to publish their ideas and perspectives. Leaders. Artists. Thinkers. And ordinary citizens who have a story to tell.

BookCrossing: a worldwide community of book lovers, who want to make the world into a library by leaving books behind in public places, for others to find.

Sticking around

If you feel that Facebook is something you can't do without, there are still ways to cut down on the tracking and the data gathering. As always, the more of these you can do, the better it is. But even doing just one of them is already an inprovement.

Go through your privacy settings with a fine-toothed comb. Some tips here, here and especially here.

Harden your browser. Install NoScript (or a different blocker) and disallow Facebook scripts.

Have a separate browser (or browser profile) for all your Facebook activity. Allow Facebook scripts only in that one.

Don't use the Facebook app on your phone. If you must use Facebook on your phone, do it through a browser. The app is notorious for spying on you. Keep in mind that your smartphone knows exactly where you are

Follow the guidelines posted here.

Bonus link!

This browser add-on probably doesn't make Facebook safer, as such, but it seems like it could make it more pleasant and at least better for your mental health: FB Purity.

Back to Index

comments

4. Browser hardening

Tue, 22 Nov 2016 13:22:49 GMT

As we've established, we're not going to give up the internet. It's informative and it's full of cats. But we do want to be safer while doing it, and less trackable. So how can we make this happen? Let's take a good look at the tool we use to look at the web: our browser.

Browsers help us view a lot of information. But the information stream goes both ways. Websites that we visit gather a lot of information about us, if we let them. For example, the fact that we've visited a website is generally logged. But also whether or not an individual picture has been shown in our browser, and that picture may very well be hosted on a different server (so we don't even know who is getting that information). Previous browsing history is collected, too. Our searches are logged, and also specific information about our computer (such as installed fonts and plugins) and location. All of this makes it quite possible to pinpoint a specific computer user, and follow them around from one website to another. Here and here is some information on how that works.

Browsers

There are more browsers than you can shake a stick at, even if you're very good at shaking sticks.
I would recommend not using anything made by or in cooperation with any of the big corporations: Google, Microsoft, Apple. So that means: it's best to avoid Chrome, Internet Explorer / Edge, and Safari. Here are some options:

Firefox. A good old standard that used to be innovative. Has a LOT of good privacy enhancing add-ons available. Win, Linux, OS X, Android.
Seamonkey. My personal favourite. Classic looks, robust features. Comes as a suite, bundled with (good!) software for email, HTML editing and IRC (= Internet Relay Chat). Win, Linux, OS X.
Pale Moon. A Firefox fork. Like Firefox before they got the Chrome-like interface. Win, Linux.
Chromium. Like Chrome, but not linked to Google. Open source. Win, Linux, OS X, Android.
Iron. Based on Chromium, but the makers claim it's fully anonymized. Win, Linux, OS X, Android.
SlimJet. Another Chromium fork. A newcomer. I heard good things, seems pretty privacy-centered. Win, Linux.
Vivaldi. Technically similar to Chrome. A newcomer. Win, Linux, OS X.
Opera. Now uses the same rendering engine as Chrome. Win, Linux, OS X, Android.

This list is by no means exhaustive. Some others are listed here.
Browsers are a personal preference. Pick your favourite... then pick another one and another one. Why? Because:

- Not all browsers are compatible with all websites.
- It's good to have separate browsers for specific activities. Google and Facebook come to mind. If you need to use these, and especially if you use them in such a way that requires you to log in, then it's a whole lot safer to run them in a browser that's just for those activities. Compartimentalize!

Add-ons

Add-ons are small pieces of helper software that add functionality to your browser. There are a lot of add-ons that can increase privacy and security. Most of them can be installed through a feature inside the browser (add-on manager) or on a specific webpage that lists all of them for your specific browser. Here are some good ones.

Adblockers:
AdBlock Plus used to be good. Nowadays it's not the best option anymore. Will allow some 'non-intrusive' ads unless you tell it not to; if you're running this, check the settings carefully.
UBlock Origin is a better replacement for AdBlock Plus. Blocks adds really well and can hide stuff you don't want to see.

Tracker blockers:
Ghostery used to be very good, but now needs it settings checked carefully, and a user account in order to see full tracker info.
Disconnect does much the same thing and is said to be good.
Privacy Badger protects your privacy by blocking spying ads and invisible trackers.

Other:
DecentralEyes protects you against tracking through "free", centralized, content delivery. It prevents a lot of requests from reaching networks like Google Hosted Libraries, and serves local files to keep sites from breaking. Complements regular content blockers.
Selfdestructing Cookies allows you to accept cookies, and then gets rid of them automatically when you're done with them.
NoScript keeps sites from executing Javascript on a case by case basis. Lets you whitelist and blacklist sites.

My advice would be:
- For starters: run an adblocker because it makes the web so much safer, faster and more pleasant.
- Add a way to deal with cookies. Can be a browser setting or an add-on. Accept them selectively or accept them but do not keep them.
- Add DecentralEyes just because you can, if you can.
- Finally add NoScript. It's a bit of a pain but it works very well. You can allow Facebook-scripts in your dedicated FB-browser and not anywhere else. Same with Google.
You'll have to adjust this recipe for your OS, browser and personal preferences.

Search engines

Step away from the Google. Google is not your friend. Google listens in on your searches, doubly so when you are logged into a Google account (so don't do that). Here are some privacy-conscious search engines.

DuckDuckGo
StartPage <--- my personal favourite
Ixquick
Qwant
Blekko

What about Private Browsing /Incognito Mode?

That only limits what gets saved to your own computer. It has no influence on what gets sent to others.

'Safe' Browsing

Mozilla-based browsers (Firefox, SeaMonkey, and others but apparently not Pale Moon), and also Chrome and Safari, have an option called Safe Browsing. If that is switched on, pages get checked against a blacklist hosted by... Google. It's a useful feature in principle, but it means that Google gets to keep tabs on your browsing, which is one of the things we're trying to avoid!
Once you have add-ons installed that block ads, scripts and other potential security risks, it's better for your privacy to switch the Safe Browsing feature off. More information here.

Another way to compartimentalize (slightly more advanced)

If you really really really like Firefox (for example), and can't get to grips with any other browser, there's another way to make separate 'sandboxes' for things like Facebook and Google: you can set up different profiles, and make icons on your desktop that start an instance of Firefox working in each of these profiles. Name them after what you're going to use them for and set the settings accordingly in each of them.
Hey presto, separate browser profiles for your different activities. That means data from your surfing behaviour in one instance will not bleed over into the Facebook usage in another instance, even when they're running at the same time.

Bonus!

Firefox settings, including tracking prevention settings, made easy: FF Profile Maker.

If you want to go further...

Want more anonymity? There's the Tor browser, a modified Firefox with extra security features for fully anonymous surfing. I don't use it, but you might want to, so here's a how-to or two.

Back to Index

comments

2. A list of things you can do

Tue, 22 Nov 2016 11:52:42 GMT

A lot of people are worried about their level of online privacy and safety lately, for reasons that shouldn't be too hard to understand. The big thing here is that US companies collect data, and the US government can grab hold of that data if they feel there's a need; if you are now under a government that you distrust, it makes sense to reduce the amount of data that you hand over to US-based companies.
Here's a list of things you can do. Some are easy and some are hard, but every one of them can help. Even if you can only do one of these things, it's worth doing.

Here's the hardest one, for many of you: Get off of Facebook. Facebook collects a LOT of data, even when you're not on it. It's not just what you post on Facebook, it's also about your surfing habits on other sites, and a lot more. All this data is under the control of a man who called his users 'dumb fucks' for trusting him. If that offends you, good! It should. If you feel you cannot do without Facebook, consider abandoning your account and setting up a new one, using an altered version of your name, and reconnecting with your friends on that. Changes like that help obfuscate your digital trail.

Get away from Google. I will post in more details about this later, because Google is an ecosystem that consists of a lot of services. Most of them have good replacements! The very fact that Google has all these services is also why it's so potentially dangerous: they collect a LOT of different data from all those sources and combine it all into a very detailed profile. Need a good search engine? Try StartPage.

Get your e-mail off of US soil. Use an e-mail provider that's hosted in Europe and offers encryption. There are plenty of them and some of the good ones are free. More information on that is now posted here.

Compartimentalize. Use different browsers for different purposes. Use different providers for different services, so that your data is split up and therefore less meaningful. Keep your profiles on social media and other websites separate. (I know, I don't always do that either. But I do have a few online hangouts that you probably don't know about.)

Here's another hard one. Don't use a smartphone. If you must, be very wary of the apps you install. Review and think about the permissions your apps ask to use. Can they also operate with less? Switch it off when it's not in use. If you can make do with a nonsmart cellphone, or use that for phone calls and use your smartphone for data only, do that. That's compartimentalizing too.

Here's some easy stuff! Use adblockers and other browser add-ons that improve privacy. Your surfing experience will be safer and faster and the sites you visit will look nicer! This is another good topic for a separate post, but for now I'll throw out some names: UBlock Origin, Ghostery, BetterPrivacy, PrivacyBadger, DecentralEyes, SelfDestructing Cookies. If you use Ghostery, be sure to check the settings carefully, as the default is not great.

Also easy: if a service you are using offers two-factor authentication, set that up. It makes your accounts a lot harder to break into. This is especially important for webmail accounts, since they are often the key to a lot of other things, because many services use email to reset passwords.

Another fairly easy one, and we should all be doing this already: use good, strong passwords and be smart about using them. Read more on that here.

Learn to use an e-mail client that supports encryption. You may not need it now, but it's a good option to have. Thunderbird is just fine for this; with the add-ons Enigmail and GPG installed, it works well. It's also an all-around good e-mail program. And if more people use encryption, those who use it won't stand out anymore. Remember when mail used to be private? E-mail should be private, too.

If you haven't yet, consider getting away from Apple and Microsoft. Linux isn't just for geeks anymore. There are several good looking, easy to use Linux based OSses nowadays, they can run on most of the hardware that you are using, and they are free. Ask your friendly local nerd or cybersmart cousin to show you Linux Mint. Bonus: your computer will probably run faster, and will not need to be replaced as rapidly!

One of the best things you could do would be to attend a cryptoparty: an interactive workshop about cybersecurity, often aimed at beginners. Find out here when and where they are happening. A good place to ask about this would also be your local hackerspace; hackerspaces are physical spaces (as in, buildings/rooms) where people get together to tinker and to share knowledge about many things, cybersecurity being one of them. Don't worry about the bad reputations of hackers; there are good reasons why malicious hackers generally stay away from hackerspaces (they don't need them, they aren't welcome, and they don't want the extra visibility).

Back to Index

comments