Episode 18: Stop. Giving. Away. Your. Data.
How Websites Seek to Capture Your Data and What You Can Do To Counter
|David Koff||Oct 2, 2019|
Hi folks and welcome to Episode #18. If it looks like I skipped a number, I didn’t. :) Our paid subscribers got to read Episode #17, something that my free subscribers didn’t get in email and don’t have access to via the TechTalk archives. Episode #17 is about the safe methods to use when upgrading/updating the software on your smartphones, tablets, computers or connected devices. To gain access to all of my posts via email and via the TechTalk archives, consider clicking this button right here. For the cost of one Starbucks latte per month, you can help support quality technology writing and (even better) make yourself safer online.
This episode is all about the traps — usually hiding in plain sight — that tech companies use to help us part with more of our privacy and security than we should. We often overlook these seemingly benign requests, so let’s learn how to better identify them so that we can start saying “No!” when we see these requests, OK?
Let’s jump right in…
The “Give Us Your Phone Number” Method
Websites — especially “free” social media and networking sites — rely on generating their profit by selling your data to advertisers. It’s a very lucrative business, something I talked about at length in Episode 15. That episode was focused on how the Google ecosystem works. I also talked about this concept in Episode 17, which detailed how the beanie-wearing CEO of Twitter had his own Twitter account hijacked.
What It Looks Like
Companys have gotten very clever at selling you on why they need access to your phone number. Here are two of the more common reasons provided: security & notifications…
There! Do you see? If you just give us your cellphone number then we can “keep your account secure” or “reset your password easily”.
How It Works
When you willingly give any website your actual cellphone number, the company owning that website now has extra capabilities and data about you that they don’t need and shouldn’t have:
The ability to message or call you. If a company has your phone number, then it’s only a matter of time before they use it.
The ability to target ads to you based on your area code. If your cellphone area code is 212, then either you live in New York City or you once did. That information is important to companies who wish to advertise to you.
The knowledge of which company provides your cellphone service. If you give me your cellphone number, this website can identify your cell service provider. If I know that, I’m one step closer to attempt SIM swapping your account. This is the same trick that malicious hackers used in August of 2019 to take control of the twitter account of the CEO of Twitter, Jack Dorsey.
Access to any public information linked to your number. Ever enter your cellphone number into Google, Yahoo, Bing, SmartPage or DuckDuckGo? It’s worth seeing just how much information is available about you all because you’ve willingly given your cellphone number to a website or other company.
If that sounds like it’s a lot of extra power and data that you’d rather not wish others to have: friend, I don’t blame you. Fortunately, there’s something we can do about it.
The Actual Truth
The truth is that you can reset your password and have a VERY secure account without giving any company or website your personal cellphone number. There is no company on the planet that needs your personal cellphone number to maintain your security or safety. Literally: none. Therefore, there’s no need to willingly provide that information to any company. Literally: none.
What to Do
Start thinking of yourself as a spy. No: I’m not joking. I want you to classify yourself! Never give out your actual cellphone number to anyone: websites, banks, the PTA, government organizations, co-workers or, obviously, strangers. Instead, if you absolutely MUST provide a phone number on certain occasions, only provide those individuals or companies with a secondary phone number. You can obtain one of those for free from either of these providers:
Google Voice works on all computers and Chromebooks, and on any mobile device running iOS or Android. The service is easy to use, integrates seamlessly into Google’s ecosystem, and offers some of the same powerful features that Google pioneered, including a powerful search engine and effective spam filtering for your phone calls.
Pinger Textfree is 100 percent free and available for iOS, Android, and over the web on any computer. The free version is funded by ads that display in various parts of the app when you’re texting and calling. There is, of course, a paid version without ads ($2.99/month) or with a reserved number ($4.99/month), but honestly, why bother for a burner number? Texting is totally free, but placing calls will cost you credits.
“But, David,” you ask, “If I’m using a Google product, won’t they just harvest more data from me?”. Good question. Yes, they will. But again, you’re only giving out your secondary phone number to non-essential companies or people. You can still provide your actual cell phone number to those who are in your “inner circle” of trust. What Google captures with the other calls is, essentially, secondary information, not your most trusted data.
The “Just Use Facebook” or “Just Use Google” Method
Some websites offer “convenience” instead of security. There’s nothing wrong with that if the website is upfront with you about it that, but most aren’t. To me, “security” means taking responsibility for guarding your log-in information: your username & password.
What It Looks Like
As a “convenience”, many websites offer you the ability to log into their systems using your Facebook or Google Account to sign in. Here are two examples:
How It Works
While it’s a convenience to not have to remember another user name and password, it’s also a liability. Giving Facebook & Google permission to log us into other websites opens all of us to a variety of consequences & trade-offs:
Giving Facebook & Google more information about you, in general. Remember, social media websites sites collect as much data about you as you allow them to. That’s their business. Giving them permission to log you into various websites provides them with much more data about who you are.
Giving Facebook & Google more information about you, in specific. We all have stories and information about ourselves that we guard more carefully. For example, are you a recovering alcoholic? Do you belong to a MeetUp group for recovering alcoholics? If you log into the MeetUp website using Facebook or Google, are you 100% sure about which data you’re sharing with those companies?
Facebook & Google can target you more specifically. With the extra data you willingly provide, Google and Facebook can then target you with even more precise ads for products, political issues & political candidates. Those ads have proven to create a more divisive political atmosphere and, in some cases, allowed foreign governments to influence our last major election cycle.
You open yourself to security vulnerabilities. If the websites you log in to hand off the security of your account to Facebook & Google, then those social media companies are now responsible for safeguarding your data. Only, they don’t. Facebook, in particular, is fucking awful at keeping their site secure. Last year, a study associated with Princeton's Center for Information Technology Policy found many security vulnerabilities with the Facebook login mechanism. Those security vulnerabilities can allow for malicious websites or hackers to capture even more additional information about you.
“The researchers found that sometimes when users grant permission for a website to access their Facebook profile, third-party trackers embedded on the site are getting that data, too. That can include a user's name, email address, age, birthday, and other information, depending on what info the original site requested to access.” — from the WIRED article on the same study.
Oh, and that doesn’t also count the 30 million Facebook users who had their account info compromised due to a security breach.
The Actual Truth
There is no reason that you need to use Facebook or Google to login into non-Facebook or non-Google websites. Literally: none. Doing so means that you are willingly providing those companies with extra information about you that they don’t need. Don’t help them.
What To Do
Instead of logging in with social media accounts, use a well-respected, well-reviewed password manager. If possible, choose an application that’s built entirely on “open source” software, so named because its source code is open for anyone — anyone!! — to view. The security community considers open-source software to be safer than traditional, commercial software precisely because anyone can see it and suggest code improvements.
In my opinion, the best open-source password manager available is Bit Warden. It’s 100% free, and available for every major operating system and browser. After using LastPass for nearly a decade, I’ve been using BitWarden for the past three months on my computer and smartphone and I like how well it works in most (but not all) cases, compared to LastPass. Grab it and use it to manage all of your user names and passwords so you don’t have to rely on your brain or on Facebook to do it for you.
At their most recent keynote address, Apple announced that they, too, would be offering a simplified, convenient log-on button to help consumers. It’s called, simply “ Sign-in with Apple” and it will look like this:
Apple’s claiming to be putting both convenience and privacy forward for consumers with their offering saying that they won’t track what apps you're using or where you have accounts. Developers (and supposedly Apple) do not see any of your data that you don't agree to provide and the company is making it very easy to hide your personal email address so others won’t have access to it:
Sounds like an interesting option. In fact, it’s worth watching the Wall Street Journal video below for a deeper dive on how Facebook, Google, & Apple’s system will work:
If Apple has done its work correctly — and the longterm reviews are yet to be seen —consumers will get a convenient login but with deeper security and privacy than either Google or Faceturd can provide. For me, that’s worth exploring. To see how the process works on iOS 13, MacRumors has an excellent write up (with pictures!!) to help make things nice ‘n easy.
Until Apple’s new system is proven to be a game-changer, I’ll share what I use:
My Favorite Email Tool
I spoke at length about these folks back in Episode #3. The company is called 33mail and they offer unlimited, free, customizable email addresses. Even better, their system and interface is simple and has helped me to nearly halt spam instantly. In fact, after using their free plan for months, I decided to sign up for the company's premium service for $1/month. It was worth it. That tier provided me with: no advertisements in forwarded emails, use of my own customized domain, and a higher monthly data cap so I could send/receive more emails using their system. Here’s how it works…
Not bad for a free service. Not bad at all…
And… that’s a wrap for today’s episode, my friends. Thank you all, once again, for reading and for being a subscriber. Let me know your thoughts in the comments section or by email.
As always… surf safe.
Links to More Great Techtalk Posts
Click here for my guide on how to choose a privacy-focused VPN.
If you’re looking to set up a VERY secure iPhone, click here.
For a super cool way to NOT give your personal email address to everyone, click here.
Click here for a crash course on how to keep your devices updated.