Mobile privacy: lots of Big Brothers, little clarity
In this issue
- BONUS: The ultimate reference for Windows Phone 7
- INTRODUCTION: Protecting your personal information online
- MOBILITY: Mobile privacy: lots of Big Brothers, little clarity
- SECURITY BASELINE: Parental controls for online safety at home
- WACKY WEB WEEK: Arming yourself against fresh fruit
- LANGALIST PLUS: Readers' best personal-privacy tips
- SECURITY BASELINE: Protect your finances from online threats
- KNOWN ISSUES: Re-examining Facebook personal privacy
The ultimate reference for Windows Phone 7
If you’re thinking about extending your Windows experience to your smartphone, Windows Phone 7 Secrets by veteran technology writer Paul Thurrott is a must-read. This encyclopedic guide gives you everything you need to tap the power of Windows Phone 7, from pre-purchase considerations to integrating Windows Phone 7 with PCs and the Web. There are chapters on taking digital images, gaming, playing music and videos, and — oh yeah — getting work done with Office Mobile. The book is chock-full of insider perspectives that only a technical expert such as Thurrott can provide.
Thanks to our friends at Wiley, all Windows Secrets subscribers can download Chapter 1, “Pre-Flight Checklist: What to Do Before You Get Your Windows Phone.” This chapter starts with a detailed discussion of Windows Live and why it’s an important component of a Windows Phone system. It also covers key information you’ll want to know before heading to the local phone store.
If you want to download this free excerpt, simply visit your preferences page, save any changes, and a download link will appear.
Protecting your personal information online
By Tracey Capen
All those things we have connected to the Internet, from our cell phones to our desktop PCs (and even possibly our kids), are ratting on us to online marketers and hackers.
Our second theme issue of 2011 tackles the thorny topic of personal privacy and security on the Internet and provides a wealth of tips on how to protect your children and yourself.
The topic of personal privacy in the Internet age is sufficiently scary to make a Franciscan monk paranoid. Not only do we face direct threats from cyber criminals who are out to steal our identities and money, but we now know that our clever mobile devices — such as the much-loved iPhone — are recording where we go and what we do. It’s enough to make us look a bit fondly on the days of rotary phones and padlocked file cabinets.
Well, not really. I, for one, would hate to live without my smartphone, notebook computer, and iPad.
As difficult and tedious as managing our personal data is, it’s crucial. The penalties for ignoring this responsibility are just too high. And it’s only going to get more complicated as we move more and more of our information onto the Web. So I hope you find this issue useful. Feel free to send us your thoughts on the subject to editor@windowssecrets.com, or post your questions and tips in the Windows Secrets Lounge.
Thanks for your continuing support.
— Tracey Capen, editor in chief
Mobile privacy: lots of Big Brothers, little clarity
By Yardena Arar
What do you call software that collects and sends information about you to its developers, advertisers, and others? On a desktop, we’re likely to name it spyware.
But on a cell phone, tablet, or other mobile device we call it an app — never realizing that it might be operating much like spyware.
As difficult as the issues surrounding privacy on a desktop computer can be, they’re virtually child’s play compared to the issues that arise with mobile devices — which, at the very least, must identify themselves to gain access to public Wi-Fi or cellular networks. Cellular devices do this through a unique identification number attached to every voice call or data request — an ID that networks store as long as your device is turned on, whether it’s in use or not.
The closest equivalents in the desktop space are tracking cookies, which we have the freedom to delete. “With mobile device identifiers, there’s no ability to delete or opt out,” says Ashkan Soltani, an online privacy consultant who recently testified (PDF file) about mobile privacy issues before the U.S. Senate Judiciary Subcommittee on Privacy, Technology and the Law.
These unique identifiers give service providers — and many others — a powerful tool for tracking and recording your whereabouts. And although that history may be attached only to a number (not necessarily your name or other personal identification), Soltani said, a good researcher might be able to figure out your identity by cross-checking frequently visited locations — homes and workplaces, for example — against information in other databases. This information might then be used to send highly targeted marketing pitches, or it could be used for far more undesirable purposes.
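What that cross-checking looks like in practice, as an added example that is not part of Soltani's testimony or of this article: the Python below takes a location trace that carries only a device ID (the form in which a location provider or aggregator holds it), finds where the device rests overnight and where it sits during weekday office hours, and matches those two anchors against a directory of home and work addresses. Every name, coordinate, timestamp and directory entry is constructed for the example; no real data is involved.

```python
"""Re-identifying a 'pseudonymous' location trace from its home and work anchors.

Added example, not from the article: the trace is keyed only by a device ID,
exactly as a location provider or aggregator would hold it, yet the two places
a device rests at night and sits on weekdays are enough to pick one person out
of a directory.  All coordinates, names and timestamps below are constructed.
"""
import math
from datetime import datetime

# Constructed "true" places for the target device (Boston / Cambridge area).
HOME = (42.3601, -71.0589)
WORK = (42.3736, -71.1097)
LUNCH = (42.3655, -71.1040)


def _build_trace():
    """Five weekdays (2011-05-02 is a Monday) of coarse fixes: two at home overnight,
    two at work, one at lunch, each nudged by a few tens of metres as Wi-Fi/cell fixes are."""
    jitter = [(0.0, 0.0), (0.0003, -0.0002), (-0.0002, 0.0003),
              (0.0001, 0.0001), (-0.0003, -0.0001)]
    trace = []
    for day, (dlat, dlon) in enumerate(jitter):
        date = f"2011-05-{2 + day:02d}"
        for clock, (lat, lon) in (("23:30", HOME), ("05:00", HOME), ("10:15", WORK),
                                  ("12:30", LUNCH), ("14:45", WORK)):
            trace.append((f"{date}T{clock}:00", lat + dlat, lon + dlon))
    return trace


# [(iso_timestamp, lat, lon), ...] for one device ID; nothing here names a person.
TRACE = _build_trace()

# Constructed directory an attacker might cross-check against (public records,
# marketing lists, employee lists): name, home coords, work coords.
DIRECTORY = [
    ("A. Neighbour", (42.3601, -71.0589), (42.3505, -71.0645)),   # same building, different job
    ("B. Target",    (42.3602, -71.0590), (42.3737, -71.1095)),   # same home and workplace
    ("C. Coworker",  (42.3467, -71.0972), (42.3736, -71.1097)),   # same office, lives elsewhere
]


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    r = 6_371_000.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(h))


def _medoid(points, radius_m=100.0):
    """The fix with the most other fixes within radius_m: a crude but robust cluster centre
    that outliers (the lunch spot) cannot drag around the way they drag a plain centroid."""
    best, best_n = None, -1
    for p in points:
        n = sum(1 for q in points if haversine_m(p, q) <= radius_m)
        if n > best_n:
            best, best_n = p, n
    return best


def infer_anchors(trace):
    """Night fixes (22:00-06:00) cluster at home; weekday office-hour fixes cluster at work."""
    night, day = [], []
    for ts, lat, lon in trace:
        t = datetime.fromisoformat(ts)
        if t.hour >= 22 or t.hour < 6:
            night.append((lat, lon))
        elif t.weekday() < 5 and 9 <= t.hour < 17:
            day.append((lat, lon))
    return {"home": _medoid(night), "work": _medoid(day)}


def reidentify(trace, directory, radius_m=200.0):
    """Names whose listed home / work fall within radius_m of the inferred anchors.
    'both' is the intersection: one matching place is ambiguous, two usually are not."""
    anchors = infer_anchors(trace)
    home_hits = [n for n, h, _ in directory if haversine_m(anchors["home"], h) <= radius_m]
    work_hits = [n for n, _, w in directory if haversine_m(anchors["work"], w) <= radius_m]
    return {"home": home_hits, "work": work_hits,
            "both": [n for n in home_hits if n in work_hits]}


if __name__ == "__main__":
    print(infer_anchors(TRACE))
    print(reidentify(TRACE, DIRECTORY))
```

Run it and the home anchor alone matches two directory entries (the target and a neighbour in the same building), the work anchor alone matches two (the target and a coworker), and the pair matches exactly one. The medoid step is what keeps the anchors honest: a plain centroid of the daytime fixes would be pulled toward the lunch spot, and snapping fixes to a fixed latitude/longitude grid splits a cluster that straddles a cell boundary, so the example instead keeps the fix with the most neighbours within 100 m.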
How services use mobile devices to track you
You’ve probably seen those cop shows where suspects are tracked down by their cell’s proximity to cellular towers (or through GPS data on GPS-equipped devices). But geolocation technology doesn’t stop there. In his testimony, Soltani identified two additional means of pinpointing a mobile device’s whereabouts — both of which depend on databases maintained by little-known entities that also store information transmitted by the device.
The first relies on location providers — services that use sophisticated databases to correlate cell-tower, GPS, Wi-Fi–hotspot, and IP-address information with physical locations. By querying these services, mobile devices can determine their own whereabouts faster and/or more accurately than if they had to rely on GPS and cellular triangulation. Although this can improve and speed up location-based services (such as finding the nearest coffee shop), it also allows the location providers to track and record a mobile device’s current location at any given moment.
Not surprisingly, the developers of mobile-device operating systems — Apple, Google, Microsoft, and their competitors — are the most prominent location providers. Operating systems installed on their devices frequently query provider databases. That information is maintained on the device, but it’s also kept on the companies’ servers — and sometimes elsewhere, as we all learned recently. News reports disclosed that the iPhone operating system had been caching up to a year’s worth of geolocation data (including time stamps) in an unencrypted file on the phone, and that iTunes copied the file to the user’s computer as part of its backups, where anyone with access to that computer could read it unless the user had turned on encrypted backups.
Apple stated that it collected the information only to help improve location-based services. But it also released an iOS update that reduces the amount of data retained, stops iTunes from backing up the cache, and deletes the cache completely when users turn off location services. (The fix doesn’t apply to older 2G and 3G iPhones, which can’t run the update.)
Mobile devices typically let you opt out of location-based services, but Soltani questions whether consumers are all that well informed. Also, by default, mobile devices often collect location data anyway — even if their users never authorized any installed app to use it. You have to turn off location support at the device level.
The second geolocation tool, Soltani said, involves what he calls location aggregators. Aggregators get geolocation information directly from wireless carriers, so they don’t need an app running on your phone (or location services enabled) to track your whereabouts; the carrier already knows which towers your phone is talking to. These services typically sell their data to third parties, who can in turn cross-reference it against other databases for a variety of marketing uses.
How data is shared among data services
So who gets all this location information, and what can they do with it? Apple, Google, and Microsoft all say that they anonymize the data they collect; in other words, they strip out any personal-identification information. (In the wake of the Apple iOS brouhaha, Microsoft patched Windows Phones to stop sending a unique device identifier to its geolocation servers.) Their data servers are also typically well secured, so the chances of personal information leaking from them are probably small. The caveat is the one Soltani raised above: a location history with the name stripped off is still a record of where one device sleeps and works, and that is often enough to put the name back on it.
With your permission, the mobile OSes might also allow third-party, location-based services such as Foursquare (track your friends) and Yelp (find a good restaurant or spa nearby) access to your location data. You grant the app permission to access geolocation services provided by the phone’s OS when you install it. These apps typically make money from advertising, and geolocation information helps them deliver targeted ads.
Google and Apple also use UDID-related behavioral tracking to deliver targeted ads through their ad networks (AdSense and AdMob with Google, iAd for Apple). But they allow users to opt out of the tracking; you still get ads, but they won’t be as personalized. Moreover, Android and iOS devices will still provide the data to other ad networks that don’t offer these privacy options.
On iOS and Android phones, you can turn off AdSense and AdMob behavior tracking in the Google app’s settings. (For example, on iOS devices, look for Ad Preferences and work through the various screens.) To disable Apple’s iAd behavior tracking on iOS 4 devices, type http://oo.apple.com in Safari’s address window. You should get a notification that you’ve successfully opted out.
What might surprise you, however, is that apps you don’t usually associate with locations — mobile browsers, screen savers, and even games — sell geolocation information to advertisers. Most ask you specifically for your consent to collect the data, but in some cases you might not realize you’ve given consent because it was buried deep in a lengthy license agreement.
Also, Soltani points out, some apps access more than just geolocation info; some tap into your address book, browser history, and other data. And most of these apps don’t let you opt out of individual data services: if you refuse any permission they ask for, you often can’t run the app at all.
Safeguards differ among mobile platforms
Apple and Google, the largest mobile-platform creators, take very different approaches to policing the privacy practices of app developers to prevent them from misusing your personal data by, for example, passing it along to third parties without your consent.
To get into the iTunes App Store, an application must be approved by Apple, which suggests that some scrutiny has gone into the application developer’s work. To the extent that this keeps the sleaziest developers out of the iPhone ecosystem, this is good news. But, Soltani points out, Apple also has a vested interest in helping applications make money because it typically gets a piece of the action. This practice sets up a conflict-of-interest situation: it might not always be in Apple’s economic interests to rigorously police how an app makes money.
The same issue appears to exist with Microsoft’s Windows Phone 7 series. You can acquire apps only through the Windows Phone Marketplace, which holds developers to guidelines that include privacy safeguards. (However, the upcoming update to the OS, code-named Mango, will reportedly allow developers to privately distribute applications via e-mailed links.) Microsoft also takes a cut of any ad revenue developers obtain from the ads they place in apps using Microsoft’s SDK.
Google’s Android, in contrast, is an open system. Anyone can write and market an Android app without any vetting by Google. So you’re on your own — you must do your own investigation into what an app does with your data.
As usual, technology has moved far faster than federal and state regulations. Privacy threats to mobile data are so new that the laws needed to protect consumers are still being written. And it’s far from clear whether existing laws governing privacy of phone calls (which regulate carriers) apply to mobile data, says Soltani.
Ultimately, privacy protection may depend on both legislation and technology. “You want guidelines to outline the principles, and you want technology to deliver those guidelines,” Soltani says. In the meantime, concerned consumers should at least stay informed about how their mobile device platforms and applications deal with their information.
Remember that, in addition to all the mobile-privacy issues just mentioned, mobile browsers have the same potential privacy vulnerabilities as their desktop counterparts. You may, for example, want to clear your cookie cache from time to time.
Apple’s gated-community approach probably keeps the worst offenders out; but to be fully informed, you have to take the tedious step of scrutinizing license agreements for details about how your data will be used. Pay particular attention to any clauses that relate to sharing of data with third parties.
You can also check which apps are using your location data by going into the Location Services section of the settings, which lists them all. It’s here that you can turn off location services completely for the iPhone or iPad. Similarly, Windows Phone 7 settings also include switches for both OS and application location–based services. (Note that you’ll find some location switches under generic settings — that is, you must look for Web searches as opposed to the name of the application.) But as with the iPhone OS, it behooves you to read license agreements carefully, perhaps simply scanning for a clause on location or other data services.
Google does not vet applications before they go on sale in the Android Market. The Android OS does, however, list the permissions an app is requesting before you install it, making its activities more transparent; if that list is out of proportion to what the app does (a wallpaper app that wants your contacts and your location, for example), don’t install it.
As for the apps themselves, the larger and more reputable the application developer, the more likely it is to have a privacy policy and the means to enforce it (secure servers, for example). If you run an application from an obscure developer in a country beyond the reach of U.S. or E.U. laws, you have little recourse if it uses your data in ways you never authorized.
Feedback welcome: Have a question or comment about this story? Post your thoughts, praise, or constructive criticisms in the WS Columns forum.
WS contributing editor Yardena Arar has written about technology for the New York Times, the Canadian Press, the Associated Press, and the Los Angeles Daily News. She was an editor of PC World magazine from 1996 to 2009.
Parental controls for online safety at home
By Katherine Murray
It’s a new era in terms of risk on the Web: from scams to spam to predatory practices, you have more reasons than ever to be proactive about protecting your kids while they’re surfing online. Fortunately, Windows 7 gives you a robust set of built-in parental controls.
Lots of convenient, but risky, Internet access
So how many computers are there in your house? If you’re like most people, just a few years ago you had one computer that everybody shared (sometimes not so peacefully). Then came the advent of laptops and now netbooks and mobile devices galore. Chances are that several — if not all — of the folks in your house have their own computers. And maybe some of you have more than one computer of your own!
When everyone used one home computer, it was fairly simple to use antivirus software to keep the computer healthy and to view the browser’s history to see who visited which websites (and decide whether some safe-surfing reminders were in order). But with more devices and more decentralized online activities, it’s considerably harder to monitor it all.
New and more sophisticated threats also make it easier for kids to be scammed, bullied, or stalked online — and if they naively disclose personal information, they could be tricked into having their identities stolen. By sharing the wrong kinds of information online, they could even open you or your family to other types of abuse — such as financial fraud, identity theft, or even physical risk.
Being able to communicate the need for safety online is an important part of enforcing parental controls at home. At first, your kids may resist the idea of being controlled online, but if you approach the topic with safety as the focus, they are more likely to see that good Web practices are one way they can help protect the family. Sitting down with your kids and showing them the parental controls you’re using can also help them understand that your objective really is safe surfing — not just another dastardly attempt to curtail their freedoms.
The newest operating systems provide tools known as parental controls to give parents the ability to manage their kids’ Internet use. In Windows 7, you’ll find these tools in the Control Panel’s User Accounts and Family Safety area. (See Figure 1.) Click Set up parental controls for any user to get started. Note that these settings are stored per computer and are not shared through a homegroup, so if you have multiple computers in your house you need to repeat the setup on each one your kids can use.
Figure 1. Set up parental controls in the User Accounts and Family Safety area (circled in yellow) of the Windows 7 Control Panel.
What can you do with parental controls?
Windows 7’s parental controls make managing your kids’ use of the computer easy. You can set limits on when they can sign in, which sites they can visit, and which games and programs they can use.
The first step in putting parental controls in place is to create a standard (non-administrator) user account for each kid. Do this by clicking Add or Remove User Accounts in the User Accounts and Family Safety area in the Control Panel. You will also be prompted to add a password to your own user account, because now you’re the administrator of the kids’ accounts and want to restrict who can change settings. Treat that prompt as mandatory: parental controls apply only to standard accounts, and every administrator account on the machine needs a real password, or a child can simply sign in as the administrator and switch the controls off.
When you’re ready to choose the Parental Controls settings, click Set up parental controls for any user in the User Accounts and Family Safety area of the Control Panel. Click the user account you want to control, select On, enforce current settings, and then click the links for Time limits, Games, and Allow and block specific programs. For example, clicking Time limits displays a weekly grid in which you block the hours your child is not allowed to use the computer. (See Figure 2.)
Figure 2. Click to set the hours that you don’t want your child to be allowed online.
The Game settings allow you to select the game-rating level you’ll allow your child to play — such as Early Childhood, Everyone, Everyone 10+, Teen, Mature, or Adults Only. You can also block specific kinds of content in games, ranging from profanity to crude humor, drug references, and sexual and violent content. You can also block or allow specific games installed on your computer. This helps ensure that your pre-teens aren’t playing the more mature games you allow your teens to play.
Finally, you can use the Parental Controls settings to determine which programs on your computer your kids can use. When you click Allow and block specific programs and select the option that restricts program use, Windows 7 scans the computer for installed programs and displays them in a list. You can then select the checkbox for each program your child has permission to use (anything left unchecked is blocked) and click OK to save your changes.
You can change any setting at any time by returning to the Parental Controls page in the Control Panel and clicking the user account you want to change.
Add protection with Windows Live Family Safety
Microsoft also offers a free online safety tool as part of Windows Live Essentials. Windows Live Family Safety (info/download page) adds another level of protection by letting you see who your kids are talking to online and letting you set additional Web restrictions; you can even get reports of online activity.
Windows Live Family Safety works seamlessly with Windows’ built-in Parental Controls tool. It does require a Windows Live sign-in, and it accesses the Web for activity and filtering updates. A feature called SafeSearch is automatically turned on for Bing, Google, and Yahoo Search engines; you can set up safeguards for your children’s e-mail and instant messaging interactions as well. You can also turn on and change settings remotely from the Family Safety website, which means you can monitor what your kids are doing online from any device you use to get online.
The added functions of Windows Live Family Safety are great if you’re super-concerned about what your kids are doing online. The reporting feature might appeal to some parents who want to keep track of their kids’ activities. As I evaluated the product, I could see the benefit but was bugged by the continual pull back to the website. Part of Web security in my household means having control over when I choose to use the Web, and Windows Live Family Safety pulled me online a little more often than I like.
Parental controls and parental goals
Parents’ expectations for acceptable child behavior can vary widely. As a relatively open-minded mom, I’m sensitive to the concept of control. When our children are young, it makes perfect sense to me to set parameters so they can’t inadvertently get into trouble online.
But as kids get older (usually in their upper teens), we want them to be well informed about online risks, so that over time, they’re making more of their own decisions. Our kids will eventually have to rely completely on their own assessments of online risk, so they need to understand why certain sites or ads or groups are worth staying away from.
Toward that end, parents need to make sure their kids understand why the controls are in place; they must be willing to renegotiate at some point to let the kids have increasing freedom and responsibility.
Ultimately, we want our kids to be smart, independent, and responsible for their actions — whether or not we enforce parental controls on our computers.
Katherine Murray is the author of Microsoft Office 2010 Plain & Simple (Microsoft Press, 2010), Microsoft Word 2010 Plain & Simple (Microsoft Press, 2010), and Microsoft Word 2010 Inside Out (Microsoft Press, 2010).
Arming yourself against fresh fruit
By Revia Romberg
We hope that, after reading this special issue on personal privacy, you’re fully prepared to defend yourself from Internet threats. Now for something more difficult: defending yourself from fresh fruit. In this 1969 classic, a drill sergeant coaches his reluctant squad in the art of defending against enemies armed with bananas and raspberries. Who could guess the variety of defensive strategies from which you might choose? Play the video
Readers' best personal-privacy tips
By Fred Langa
When asked, “What do you do to protect your personal privacy?” you answered! The e-mails poured in for this special issue, and here are some of the very best privacy-related tips, techniques, and tools recommended by your fellow readers.
But first, thanks to everyone who wrote in! The tips were wonderfully diverse. Some were full of detail. Others were just a line or two of core information. But all were worth reading!
In fact, there were more great tips than can fit into one issue. That’s no problem: reader e-mails are always the heart of this column, and more of these tips will appear in future issues.
Although this is a special issue, all normal advice and cautions still apply: make a backup before doing system maintenance, select tips that match your level of knowledge and expertise, and so on. The opinions and recommendations expressed by the contributors are, of course, their own.
To save space in the text, I linked product names to the appropriate informational pages on the software publishers’ sites. For your safety, none of the links below directly initiates a software download or an install.
Ten tips for better browser privacy
This special issue meshed perfectly with a massive online-privacy project undertaken by reader Bob Primak.
- “Hi, Fred! Strange that you should ask about privacy tips. I was just researching a presentation for a local computer-user group. Here are a few privacy tips for Chrome 11, Firefox 4, and Internet Explorer 9.
“1. Use limited, non-admin user accounts. Spying programs and Web attacks cannot do as much damage from these types of accounts.
“2. Clear browser data, especially cookies, when closing browser windows or tabs.
“3. Use browser privacy add-ons; examples include the Firefox extensions NoScript and BetterPrivacy, Abine’s privacy add-ons for all three major browsers, and opt-out options for all browsers except Chrome. For Chrome, the ChromeBlock extension can help. Keep My Opt-Outs allows Chrome to retain opt-out cookies when cleaning other data. A Google Analytics opt-out extension is available for many browser versions. Click&Clean is available for all Big Three browsers and can do almost as good a job as CCleaner each time the browser is closed.
“4. Clean up everything personal with CCleaner when closing up shop for the day — more frequently, if you do a lot of banking or shopping where your credit card number was used.
“5. Do not store passwords in unencrypted files, and do not use the same password at different sites. Use RoboForm or a similar password manager to keep passwords where they cannot be easily accessed or seen.
“6. And of course, there’s the usual advice on changing router passwords; not broadcasting IP addresses, SSIDs, and MAC addresses; avoiding Public Networks; etc. [Editor’s note: See Becky Waring’s May 5 article, ‘Big-time Wi-Fi security for the small office.’]
“7. More adventurous users can edit the browser configuration files to turn off geolocation. Be aware that this will render useless any apps and websites that find nearby businesses or service providers. [Editor’s note: See the makeuseof.com article, ‘How to disable or fake your location in Firefox, Internet Explorer & Chrome.’]
“8. Webcams and microphones should be disabled when not in use. Wi-Fi should be turned off at the notification area or the keyboard when Internet access is not needed. Be aware of Flash Player and other apps that can be used by website operators to activate your webcam and microphone, and go to the settings pages to disable these default options.
“9. Know which of your programs and drivers (and helper objects) are phoning home without your permission. Be aware of outgoing Internet activity on your computer and your router. There are free programs that can help monitor these activities. [Editor’s note: For examples, see the Oct. 21, 2010, LangaList article, “What’s using your Internet connection?”] Even Process Explorer can be used to find out which programs are phoning home. Closing ports on your router can help a lot in reducing unwanted traffic.
“10. Do periodic file-level antispyware security scans, just in case something slips through. Use two or three scanners from different publishers.
“Online privacy often comes down to one thing: common sense. Be aware of what you are clicking on. Don’t just give away personal information when someone asks. Make sure you know who is asking and why they need to know; when in doubt, just disconnect and think it over — especially when responding at social media sites.”
Great letter, Bob. Thanks!
Bob mentioned NoScript, as did many other readers. In the same vein, many readers also recommended Flash-blocking tools such as FlashBlock for Firefox or the separate, but related, FlashBlock for Chrome. In IE8 and 9, you can control Flash with the Manage Add-ons dialog box in Internet Explorer, by setting a “kill bit” in the registry, via white-listing, or by other means. For examples, see this WinHelpOnline.com article.
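Bob’s tip 9 (know which programs are phoning home) can be checked from the command line rather than by eyeballing a monitor. The Python below is an added example, not Bob’s or this column’s code: it parses the text that `netstat -ano` prints on Windows, keeps the connections whose remote end is a public Internet address, and groups them by process. Both the netstat output and the PID-to-program table are constructed for the example; on a real machine you would paste in the output of `netstat -ano` and build the table from `tasklist`.

```python
"""Which programs are talking to the Internet?  A parser for `netstat -ano` output.

Added example, not from the column: it reads the text Windows' `netstat -ano`
prints, keeps the connections whose remote end is a public address, and groups
them by process.  The netstat lines and the PID-to-name table are constructed
for the example; on a real machine feed it the command's output and `tasklist`.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (Windows layout: proto, local, remote, state, PID).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    127.0.0.1:49200        127.0.0.1:49201        ESTABLISHED     3120
  TCP    192.168.1.12:49310     93.184.216.34:443      ESTABLISHED     4468
  TCP    192.168.1.12:49322     45.33.32.156:80        ESTABLISHED     2776
  TCP    192.168.1.12:49340     192.168.1.1:445        ESTABLISHED     4
  TCP    [::1]:49400            [::1]:49401            ESTABLISHED     3120
  UDP    0.0.0.0:5353           *:*                                    2020
  UDP    192.168.1.12:51000     *:*                                    4468
"""

# Constructed PID -> image-name map, as `tasklist` would report it.
SAMPLE_TASKLIST = {4: "System", 812: "svchost.exe", 2020: "mDNSResponder.exe",
                   2776: "weatherwidget.exe", 3120: "iTunesHelper.exe", 4468: "firefox.exe"}

# Endpoints look like 1.2.3.4:80, [::1]:443 or *:*.
_ENDPOINT = re.compile(r"^\[?(?P<host>[^\]]+?)\]?:(?P<port>\d+|\*)$")


def split_endpoint(token):
    """'93.184.216.34:443' -> ('93.184.216.34', 443); '*:*' -> ('*', None)."""
    m = _ENDPOINT.match(token)
    if not m:
        return token, None
    port = m.group("port")
    return m.group("host"), (None if port == "*" else int(port))


def parse_netstat(text):
    """Yield one dict per connection line; header and blank lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        # TCP lines carry a state column, UDP lines do not: the PID is always last.
        state = parts[3] if proto == "TCP" and len(parts) == 5 else ""
        pid = int(parts[-1])
        rhost, rport = split_endpoint(remote)
        yield {"proto": proto, "local": local, "remote_host": rhost,
               "remote_port": rport, "state": state, "pid": pid}


def is_public(host):
    """True for a routable Internet address; False for loopback, private, link-local or '*'."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:           # '*' wildcards or a hostname rather than an address
        return False


def phoning_home(netstat_text, pid_names):
    """Map process name -> sorted 'host:port' list of live connections to public addresses."""
    out = defaultdict(set)
    for c in parse_netstat(netstat_text):
        if c["proto"] == "TCP" and c["state"] != "ESTABLISHED":
            continue                          # LISTENING, TIME_WAIT etc. are not live traffic
        if is_public(c["remote_host"]):
            name = pid_names.get(c["pid"], f"pid {c['pid']}")
            out[name].add(f"{c['remote_host']}:{c['remote_port']}")
    return {name: sorted(eps) for name, eps in sorted(out.items())}


if __name__ == "__main__":
    for name, endpoints in phoning_home(SAMPLE_NETSTAT, SAMPLE_TASKLIST).items():
        print(f"{name:24s} {', '.join(endpoints)}")
```

Loopback, private (192.168.x.x and friends) and link-local peers are dropped, as are sockets that are merely listening; whatever survives is a program with a live connection to the outside world, which is exactly the list to compare against what you think you are running. In the constructed sample that leaves the browser and a weather widget, and the widget is the one worth asking questions about.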
A collection of hard-drive data-privacy tips
Charlie Cohen is serious about keeping hard-drive data really private:
- “Create an encrypted ‘drive’ on your system. I use TrueCrypt to create a 4GB virtual hard drive. When unmounted, it just looks like a plain, large file. Name it something innocuous (but without a file extension), because viruses that steal data usually look for types of files like .doc, .xls, and so on. Use a really good password to secure the encrypted volume. Put all of your sensitive files (TurboTax, financial documents, passwords, and so on) onto this volume. Mount the volume only when you want to use a file inside it; otherwise, leave it unmounted. Nothing, including malware, can see the files when the volume is unmounted.
“Don’t keep any sensitive data in your e-mail system. Save anything sensitive to your encrypted area, then ‘double delete’ from your e-mail — i.e., delete the file, then go to the Deleted folder and delete it from there. Forensic analysis can still retrieve the deleted data, so periodically clean and compress your inbox, however it’s done with your e-mail client.
“Back up the encrypted volume to a CD/DVD or thumb drive that you can keep in a safe place. Keep a copy in your bank safe deposit box, if you have one.
“For some reason, the advice columns never mention the most obvious and sure method of removing viruses, rootkits, and so on. Pull the hard drive and attach it as a secondary (nonboot) drive on an unaffected system; then scan it. This way, it’s not possible for the virus or rootkit to be active while you are trying to remove it. I once removed 23 viruses from a friend’s laptop this way — he thought he had only one.
“Keep your hard drive clean. It’s laughably easy to recover deleted files, even on a severely corrupted partition, so periodically empty the recycle bin and securely ‘wipe’ unused disk space. Do this even if you’re keeping sensitive data in the encrypted space, because some sensitive data may still periodically transit the unencrypted portion of your hard drive.”
Thank you, Charlie. You’ve obviously thought about this a lot!
Hardware and software password managers/keepers
Many readers (including Bob, in the first letter above) discussed using tools such as IronKey and RoboForm to generate, store, and manage highly secure passwords. Here are a few of the letters touching on this topic.
- “Do not save passwords for websites inside Firefox or Internet Explorer, especially not banking passwords. Use separate, task-specific software to do this if you need to.
“I keep all my passwords on an IronKey hardware-encrypted drive. That’s where I can look if I forget a password.
“I use IronKey’s private VPN and servers for anything needing passwords whenever I’m not using one of my own machines. It is a good deal for what you get.” — Randy Brook
- “Use a tool like RoboForm2Go (RTG) when traveling. I just used this method while traveling in Europe with a laptop and felt much better about personal-data security.
“All personal information of any sort is stored and encrypted inside RTG. This includes all sign-in names and passwords. In the Comments section, I also had any other sign-in info such as secret words or other retrieval info, bank-account numbers, credit-card numbers, passport numbers, and so on.
“Should someone steal everything, he would still have to know my RoboForm master password before he could get at the data inside.” — Don Piller
You can also use a free tool such as the open-source 7-Zip to encrypt (and compress) just about any file or folder — among which might be a text file containing all your passwords and account numbers, scans of passports or other documents, and so on. Two settings matter when you do: pick AES-256 rather than the older and weak ZipCrypto method, and use the 7z format with the Encrypt file names option turned on, because a password-protected .zip archive still lists its file names in the clear. 7-Zip is free for all uses, including commercial.
Thanks again to all who wrote in. Stay tuned for more privacy pointers in upcoming issues.
And keep those tips coming!
Readers Bob Primak, Charlie Cohen, Randy Brook, and Don Piller will each receive a gift certificate for a book, CD, or DVD of their choice for sending the tips we printed above. Send us your tips via the Windows Secrets contact page.
Fred Langa is a senior editor of the Windows Secrets Newsletter. He was formerly editor of Byte Magazine (1987–91), editorial director of CMP Media (1991–97), and editor of the LangaList e-mail newsletter from its origin in 1997 until its merger with Windows Secrets in November 2006.
Protect your finances from online threats
By Lincoln Spector
Keeping your personal financial information safe from cyber thieves doesn’t require a ban on online shopping and banking — it just requires care. Follow these tips and you should be okay — even if you take the riskier path of banking by cell phone.
Financial security starts at your home PC
The Internet is a wonderfully safe place for handling financial business — as long as you’re a criminal. Compared to robbing a bank or mugging a citizen, your chances of getting caught are minuscule.
Honest citizens, on the other hand, must take precautions when they transact business online. While the hazards are real, it doesn’t mean giving up shopping on Amazon (or managing your bank account online to cover those purchases). But it does require vigilance — and a holistic approach to security, as detailed in the following tips.
Make sure you’re malware-free. Yes, yes, we talk about malware endlessly, but most of the online attacks these days aren’t initiated as a prank by some teenaged hacker; they’re sophisticated apps launched with the express purpose of separating you from your money. For the hundredth time, keep your security software up-to-date and regularly scan your hard drive with an on-demand AV product, such as Malwarebytes’ Anti-Malware.
Make sure you have a secure connection. You don’t want your personal information traveling across the Internet unencrypted. If a website doesn’t offer an encrypted (SSL/TLS) connection, never send it account numbers, Social Security numbers, passwords, or any other sensitive data.
How do you recognize an encrypted connection? Look at the address bar at the top of the browser window: the site’s URL should begin with https:// rather than http:// (as circled in Figure 1). Many sites encrypt only the sign-in page and the checkout cart, so you have to keep an eye out for the “s” on every page that asks for sensitive data. Keep in mind what https does and doesn’t tell you: the connection to that site is encrypted, but the site is not necessarily the one you think it is. A phishing site can use https too.
For additional assurance, your browser may also display a padlock icon and a color-coded site-identification button (shown in Figure 1). If the button is green, the site is using an extended-validation certificate. You can click the button for certificate information. (A Firefox page has a nice, concise explanation of its Site Identity Button and the meaning of the color codes. For IE9, see the Microsoft Help & How-to page, “Tips for making secure online transactions in Internet Explorer 9.”)
Figure 1. Secure webpages will have “https://” at the beginning of the URL and may display a green security-certificate button (circled in yellow).
Protect the information on your PC. You can’t assume that your home computer will never fall into the wrong hands. If someone breaks into your house, you don’t want to lose all your personal information along with the hardware.
Start by password-protecting the system, and then consider encrypting sensitive data. You don’t have to encrypt the entire hard drive — just those files that contain financial and security information.
My philosophy on data encryption is summed up in the title of my blog post, “Avoid Windows encryption.” I recommend using a third-party product such as TrueCrypt (info) instead. (TrueCrypt’s developers abandoned the project in 2014; VeraCrypt is its maintained successor.)
Build and protect strong passwords/phrases
In his Dec. 23, 2010, Top Story, “Check whether you’ve been Gawkered — now!,” Woody Leonhard noted Duo Security’s site, which lists the 250 most common cracked Gawker passwords. The top two are (as Woody put it) the “insanely simple” “123456” and “password,” followed by the equally imaginative “12345678.” That simply defies understanding.
New, more sophisticated malware is making it easier for criminals not just to steal passwords but to guess them. With the right password, cyber thieves can easily transfer money out of your bank account or go on a shopping spree with your online accounts. (Susan Bradley discussed just such an occurrence in her July 8, 2010, story, “iTunes account theft strikes close to home.”)
The best passwords are random strings of upper- and lower-case letters, numbers and (where the site allows them) symbols, as long as the site permits. Very secure, but hard to remember; more on that in a minute.
Your passwords should be unique — i.e., don’t use the same password for two different sites. If someone figures out your Amazon.com password, you don’t want them to have your banking password, too.
Also, don’t let your browser’s autofill feature memorize these passwords — especially on a notebook PC. Don’t assume that only you will have access to your browser. It’s fine to let the browser save some passwords, such as to your online news and gaming sites, but not the ones that could leave you open to identity theft.
Back to those random strings of numbers and letters for passwords. I won’t suggest you memorize dozens of random characters — they’ll just end up in a .txt file on your desktop.
Use a good, encrypted password manager to store them. That way, you’ll have to memorize only one password (an especially strong one). My favorite manager? Password Safe — it’s free, it’s easy, and it’s secure. It can also create completely random passwords for you, so you don’t have to make them up yourself. (For passwords that you do have to create and remember, such as the one for Password Safe — create them from uncommon, but meaningful, words and phrases.)
As an added precaution, don’t store your encrypted password file in the cloud. Keep it on your hard drive.
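As an added example, not from Lincoln Spector’s article and not Password Safe’s own code, here is what a password manager’s generator and strength check do under the hood, in Python: passwords drawn from the operating system’s cryptographic random source, a Diceware-style passphrase for the one password you must memorize, and a guessing-work estimate that explains why “123456” is hopeless. The symbol set, the tiny word list and the three-entry common-password list are constructed for the demo and stand in for the real rules and lists a manager would ship.

```python
import math
import secrets
import string

# Constructed stand-in for a breached-password list: the three entries the
# article quotes from the Gawker dump. Real checks use lists of millions.
COMMON_PASSWORDS = {"123456", "password", "12345678"}

# Character classes a site may allow. The symbol set is an assumption; check
# each site's own rules, since some reject particular symbols.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!#$%&*+-=?@^_",
}
ALL_CLASSES = ("lower", "upper", "digits", "symbols")

# Constructed word list so the demo runs offline. A real list (Diceware has
# 7776 words) gives about 12.9 bits per word; this one gives only 3.
WORDLIST = ["copper", "lantern", "quarry", "velvet",
            "mosaic", "tundra", "saffron", "pylon"]


def generate_password(length, classes=ALL_CLASSES):
    """Random password of exactly `length` characters drawn from the OS CSPRNG
    (`secrets`, never `random`), redrawn until every requested class appears
    at least once, which is what most site rules demand."""
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CLASSES[c] for ch in candidate) for c in classes):
            return candidate


def generate_passphrase(words=6, wordlist=WORDLIST):
    """Master-password style passphrase: random words joined by spaces. Unlike
    a sentence you make up yourself, each word is an independent uniform draw,
    so its strength is exactly words * log2(len(wordlist)) bits."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(length, alphabet_size):
    """log2 of the number of possible strings: the work an attacker faces when
    the string really is uniformly random. 16 chars over 75 symbols is ~100 bits,
    a 6-digit PIN is ~20."""
    return length * math.log2(alphabet_size)


def audit(password):
    """What a site-side or manager-side strength check can say about a
    candidate password without knowing how it was produced."""
    classes_used = [c for c in ALL_CLASSES
                    if any(ch in CLASSES[c] for ch in password)]
    alphabet_size = sum(len(CLASSES[c]) for c in classes_used)
    return {
        "length": len(password),
        "common": password.lower() in COMMON_PASSWORDS,
        "classes": classes_used,
        # Bits *if* it were random over the classes it uses. A dictionary word
        # or keyboard walk is guessed far sooner, so treat this as a ceiling.
        "max_entropy_bits": (entropy_bits(len(password), alphabet_size)
                             if alphabet_size else 0.0),
    }


if __name__ == "__main__":
    print("site password :", generate_password(20))
    print("master phrase :", generate_passphrase())
    for pw in ("123456", "password", generate_password(16)):
        print(pw, audit(pw))
```

The rejection loop matters: simply appending one character of each class to a random string would make the password non-uniform and slightly easier to guess. The passphrase generator is the right tool for the Password Safe master password the article says you must remember; the strength comes from the list size and the word count, not from the words being obscure.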
E-mail is like sending an unsealed letter
When you seal that check in an envelope, stick a stamp on it, and drop it into a mailbox, you can reasonably assume that no one will see it before it reaches its destination. You can’t make any such assumption about e-mail, which goes out in a virtual open-envelope and may pass through multiple servers before it arrives in the recipient’s inbox.
Simply put, don’t include any sensitive information in an e-mail. That includes credit-card numbers, bank-account numbers, social-security numbers, and even the number on your driver’s license. If you absolutely must send that information to someone over the Internet, encrypt it. See my blog post, “Send secure info over the Internet,” or Susan’s story, “Tips for transferring sensitive information,” for some ways to do it.
Don’t get caught on a phisherman’s hook. You’ve probably received e-mail frantically warning that your access to your bank account is about to expire and that you’d better enter all of your account numbers fast to save it. Funny thing: you don’t even have an account with that bank.
Most, but not all, phishing e-mails are easy to spot. Some purport to be from your bank and look like the real thing. You click a link, and up comes what looks just like your bank’s home page. You enter your sign-in name and password, and you go immediately and properly to your account.
One problem: That sign-in page was counterfeit, and a criminal now has your sign-in name and password.
It’s easy to avoid this mistake: never click a link in an e-mail that appears to come from a financial institution, no matter how legitimate it looks. Instead, go to the bank’s website yourself, by typing its address or using a bookmark you created earlier.
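An added example, not from the article, showing how a mail filter or a cautious reader can check the links in such a message automatically, in Python. It extracts every anchor from the message body and flags links that aren’t https, links whose host isn’t under the bank’s real domain (the “examplebank.com.account-verify.example.net” trick, where the bank’s name appears but the registered domain is someone else’s), and links whose visible text names one site while the href goes to another. The e-mail body and the bank domain are constructed for the demo; the two-label “registered domain” rule is a simplification that a real filter would replace with the Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed phishing-style e-mail body for the demo (not a real message).
SAMPLE_EMAIL = """\
<p>Dear customer, your online access expires today. Sign in now to keep it:</p>
<p><a href="http://www.examplebank.com.account-verify.example.net/login">https://www.examplebank.com/</a></p>
<p>Or use our secure portal: <a href="https://www.examplebank.com/">examplebank.com</a></p>
<p><a href="https://examplebank-secure.example.org/">Click here</a> if the links above do not work.</p>
"""

# Visible anchor text that looks like a URL or host name, e.g. "examplebank.com".
HOST_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a host name: www.examplebank.com -> examplebank.com.
    Simplification for the demo; use the Public Suffix List for names like .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_links(html, bank_domain):
    """Return one finding per link with the reasons (if any) it looks like phishing."""
    extractor = LinkExtractor()
    extractor.feed(html)
    findings = []
    for href, text in extractor.links:
        parts = urlsplit(href)
        host = parts.hostname or ""
        reasons = []
        if parts.scheme.lower() != "https":
            reasons.append("not https")
        if registered_domain(host) != bank_domain.lower():
            reasons.append(f"host {host} is not under {bank_domain}")
        # The text the reader sees may name the bank while the href goes elsewhere.
        if HOST_LIKE.fullmatch(text):
            shown = text if "://" in text else "//" + text
            shown_host = urlsplit(shown).hostname or ""
            if registered_domain(shown_host) != registered_domain(host):
                reasons.append(f"text shows {shown_host} but link goes to {host}")
        findings.append({"href": href, "text": text,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


def suspicious_links(html, bank_domain):
    """Just the hrefs that failed at least one check."""
    return [f["href"] for f in analyze_links(html, bank_domain) if f["suspicious"]]


if __name__ == "__main__":
    for f in analyze_links(SAMPLE_EMAIL, "examplebank.com"):
        print("SUSPICIOUS" if f["suspicious"] else "ok        ", f["href"], f["reasons"])
```

The second link passes every check and is exactly what a genuine bank message would contain, which is the point of the article’s advice: a reader can’t reliably tell the first link from the second by eye, so the safe habit is to ignore all of them and navigate to the bank yourself.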
Don’t send sensitive information over public networks. The public Wi-Fi at a library or café is a great place to open up your laptop, check your e-mail, and browse the Web. But it’s no place for contacting your bank or making an online purchase by credit card, because you don’t know who’s eavesdropping on you. (See Woody Leonhard’s Nov. 4, 2010, Top Story, “Cloak your connection to foil Firesheep snoopers,” for tips on making a more secure Wi-Fi connection.)
If you’re visiting a financial site or making a purchase, do it at home, using a secure Wi-Fi network or, better yet, Ethernet.
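What a Firesheep-style snooper on open Wi-Fi actually captures is your session cookie, and whether it can is decided by a single attribute the website sets. This added Python example, not from the article or from Woody’s Firesheep story, audits a set of constructed Set-Cookie headers of the kind a site sends after you sign in: any cookie that lacks the Secure attribute is transmitted in clear text on every http:// request to that site, even if the sign-in itself happened over https, and a snooper who copies it can replay your logged-in session. The headers are made up for the demo and are not from any real site.

```python
# Constructed Set-Cookie headers, modelled on a site that logs you in over https
# but serves ordinary pages over http. Not captured from any real site.
SAMPLE_HEADERS = [
    "Set-Cookie: sessionid=3f9a1c77e0b4; Path=/; HttpOnly",
    "Set-Cookie: auth_token=8d2e4b6a; Path=/; Secure; HttpOnly",
    "Set-Cookie: theme=dark; Path=/",
    "Content-Type: text/html",
]


def parse_set_cookie(value):
    """Split 'name=value; Attr; Attr=val' into a name, a value and a dict of
    lower-cased attributes (flag attributes such as Secure map to True)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, attr_val = part.partition("=")
        attrs[key.strip().lower()] = attr_val.strip() if attr_val else True
    return {"name": name.strip(), "value": val.strip(), "attrs": attrs}


def audit_cookies(headers):
    """For each cookie, report whether a passive eavesdropper on the same open
    network could read it (no Secure attribute: the browser sends it on plain
    http:// requests) and whether page scripts can read it (no HttpOnly)."""
    report = []
    for line in headers:
        header, _, value = line.partition(":")
        if header.strip().lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        report.append({
            "name": cookie["name"],
            "sniffable_over_http": "secure" not in cookie["attrs"],
            "readable_by_script": "httponly" not in cookie["attrs"],
        })
    return report


def exposed_cookies(headers):
    """Names of the cookies a Wi-Fi snooper could capture and replay."""
    return [c["name"] for c in audit_cookies(headers) if c["sniffable_over_http"]]


if __name__ == "__main__":
    for c in audit_cookies(SAMPLE_HEADERS):
        print(c)
    print("capturable on open Wi-Fi:", exposed_cookies(SAMPLE_HEADERS))
```

Here sessionid is the dangerous one: HttpOnly stops a script from reading it, but without Secure the browser still sends it in the clear the moment you open any http:// page of the site. Only the site can fix that by adding Secure (and serving everything over https); as a user on a café network your only defence is the article’s advice, not to sign in there at all, or a VPN as Woody’s story describes.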
Mobile devices pose the biggest threat
More and more people today are banking on their smartphones, which adds yet another layer of risk. After all, it’s one more network that you’re going through, and you’re far more likely to lose your cell phone than your computer.
If you choose to do so (and I don’t), follow the advice I gave in the preceding paragraphs as well as these additional rules:
Check with your bank first. See what its policy is, and use only the app (such as the one in Figure 2) it provides for your mobile OS. If your bank doesn’t provide an app, don’t bank from your phone’s browser.
Figure 2. For secure mobile banking, use the app provided by your bank.
Lock, or password-protect, your phone. Yes, it’s a hassle to enter a PIN or password every time you want to make a call, but it also keeps anyone who steals your phone from walking off with your information as well. Android users: don’t use pattern lock. Yes, it’s fast and it looks cool, but it’s not as secure as a real password, and the finger smudges it leaves on the screen can give the pattern away.
Prepare for the day your phone vanishes. Several smartphone security apps can help should your phone disappear. By contacting the phone from another phone or a computer, you can find out its physical location, send a message to whoever has found it (in case it’s someone honest), or do a remote wipe, deleting everything on the phone. (For more on this topic, see Susan Bradley’s April 21 Top Story, “Keep your data safe while on the road.”)
Most of these apps cost money, but there are some exceptions, such as Android Lost (info) and Find My iPhone (info).
Whether you do it on your computer or your phone, banking online is a bit like driving. There’s no guarantee of absolute safety, but that doesn’t mean you shouldn’t buckle your seat belt.
Lincoln Spector writes about computers, home theater, and film and maintains two blogs: Answer Line at PCWorld.com and Bayflicks.net. His articles have appeared in CNET, InfoWorld, The New York Times, The Washington Post, and other publications.
Re-examining Facebook personal privacy
By Scott Mace
A year after I first looked at Facebook privacy for Windows Secrets, some safeguards of user privacy have improved slightly. But by other measures, user privacy on Facebook is worse — here’s what’s changed.
Proliferating hacker attacks on FB users
When I first wrote about Facebook privacy settings in the May 20, 2010, Top Story, “Tighten your Facebook privacy settings,” personal privacy threats on the world’s leading social-networking site were limited mostly to overexposure — revealing personal information to people you never intended to see it. Soon after that story, Facebook made some improvements to its privacy settings (I wish I could take the credit), but new threats arose in the form of social-engineering hacks perpetrated on Facebook users.
So many of these Facebook hacks now exist that security-software companies have webpages dedicated to Facebook security (Sophos’s “Facebook security best practices” page, for example), in addition to the Facebook pages that Sophos, McAfee, and Symantec themselves maintain. In a recent Seattle Post-Intelligencer blog, Nick Eaton quoted Microsoft Malware Protection Center program manager Jeff Williams’s statement that “the company has seen a 1,200-percent increase in the presence of phishing via social networks” in the second half of 2010, versus the first half.
But the biggest threat to your Facebook security/privacy remains rogue applications that also use social-engineering tricks. Facebook users are fooled into giving these apps access to personal profiles, and links to the apps get posted on both the users’ and their friends’ walls.
Almost every week, my Facebook wall is tagged by a link to a rogue application. If the app is cleverly done, the Facebook user clicks on it before thinking much about it. Sometimes, the prestige of a compromised Facebook friend gives the link credibility. Some mighty tech-savvy people have been fooled into perpetuating the latest scam, whether it be the bogus Facebook unlike button or a purported video of Osama bin Laden’s end. (The “unlike” scam displayed a link that would “Enable Dislike Button” on Facebook. But there’s no such button! Clicking the link might also have run JavaScript in your browser, inviting future compromises.)
Once you’ve taken the bait, it’s left to you to tell your Facebook friends you’ve been had. Facebook should (but doesn’t) make it easy for you to send out that alert.
Grouped and tagged: the beleaguered user
Unfortunately, maximizing your privacy on Facebook got harder last fall when Facebook updated its Groups feature. Groups is a handy way to keep track of specific friends all at once. (Facebook promotes it as a way for friends to keep in closer touch.) But a firestorm of criticism erupted this past October when, suddenly, any of your Facebook friends could enroll you in a Facebook group without getting your consent. (You can immediately opt out of any group you don’t want to belong to.) Because many apps can access your profile information, it might be permanently noted somewhere that you were (however briefly) a member of a group.
Despite the criticism, Facebook made only slight adjustments to Groups privacy settings. You can now hide group updates from appearing on your wall. (This isn’t so much a privacy setting as an information-flow setting.)
There’s one more nasty bit of business. Facebook lets any of your friends identify you in a photo — again, without asking for your permission first. Once the ID is posted, Facebook alerts you to this change and lets you delete the tag — but it’s after the fact. And if some app out there is mining for photo-ID data, the miner might pick up that little fact before it goes away.
All of this publicity has caught the attention of lawmakers. A growing number of them are promoting legislation that will force Facebook to strengthen personal privacy. Recently, California State Senate Majority Leader Ellen Corbett introduced SB242 (detailed in a Data Privacy Monitor story), which establishes privacy guidelines for social-networking sites.
Under this law, sites would have to set defaults to private. It would also require that users establish their privacy settings at the time they register — not after a site has already set up the new member’s accounts and profiles. Under this law, parents could also request that social networks remove images or text from their children’s social-networking pages — a requirement Facebook and others particularly oppose, according to a May 16 TechCrunch story.
New tools for a Facebook-privacy defense
Some good news: The tools that show you what you’re sharing on Facebook are getting better. This past fall saw the debut of isharedwhat.com, a site that displays the information Facebook Connect and Facebook apps share with other companies or organizations. Except for your Facebook ID, no personal information leaves your browser when you use the site.
Like no tool before it, I Shared What?!? shows precisely what’s shared, such as your Facebook friends’ names; the activities you like; your favorite music, books, and movies; everything you’ve ever “liked”; and any links you’ve shared (see Figure 1). It’s a vivid reminder of just how much information you publish when you install a Facebook app and give sharing permissions. (I Shared What?!? is supported by the donations of visitors to the website.)
Figure 1. The I Shared What?!? site reports what personal information is shared through Facebook Connect and Facebook Apps.
I recently met I Shared What?!?’s creator, Joe Andrieu, at the Internet Identity Workshop, where he announced his latest website, showmefirst.info. This new site lets you preview what you’re about to share via Facebook Connect or a Facebook app. If you don’t like what you see, you can decline the app and/or go back and tighten up your Facebook privacy settings.
Show Me First! asks that you install a small extension to your browser; as with I Shared What?!?, the only information that leaves your browser is your Facebook ID. The extension is available for Firefox, Chrome, and Safari but not Internet Explorer.
Better tools and same rules for strong privacy
Facebook has simplified those privacy settings since I last wrote about them, but the basic advice I gave a year ago still applies: if your privacy matters, restrict sharing settings to Friends Only. Facebook’s revamped privacy settings pages let you zero in on your settings for installed apps, games, and websites. But be aware: those same apps, games, and websites typically still have access to your list of friends.
Many of the new settings let you prevent apps, games, and websites from accessing posts in your news feed, and they deny apps access to your data any time you aren’t using the app. It’s also easier to simply remove apps from the Apps You Use settings page (see Figure 2) if you aren’t happy with the information the app requires you to share.
Figure 2. Many Facebook apps require that you let them access personal information; the alternative is simply to delete those apps using the Remove app link (circled in yellow).
Maybe we all need some common signal among Facebook friends that we want to give permission before we’re joined to groups or identified in photos. Or am I being an old fuddy-duddy? Group hug, anyone?
Scott Mace is a tech and healthcare journalist based in Berkeley, California. He hosts the IT Conversations podcast “Opening Move” and writes a blog at CalendarSwamp.com.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody LLC. All other marks are the trademarks or service marks of their respective owners.
Copyright © 2025 AskWoody LLC, All rights reserved.