Thursday 14 March 2019

Online Security

Online security is not something to take lightly. Fortunately, I have been aware of the risks for a long time. The one foremost in my mind is the risk of identity theft: someone uses my name, picture, and a few details to impersonate me. I can be used as a vector to spread a digital virus, or even have my false identity used to commit serious crimes [theft, fraud, hate crimes, and so on]. I also remember watching Sandra Bullock in The Net [1995], as a computer programmer who puts her entire life on the then-nascent internet, and puts her life in danger.
Not taking care of your online security can potentially put other people at risk, too. In this experiment, some ABC journalists shared the digital footprint left behind by their mobile phones over a weekend. In the case of one young man, the wider public were then able to correctly guess when he was moving house, where that new house was, the mobile phone number of his live-in significant other, and that of his mother!
While that kind of revelation is easily shocking, I’m not as overly protective about my data as some people. For example, if I want a mapping application to show me directions around an unfamiliar location, then my mobile will need to transmit data about my location to its server. Given that I have also worked in freedom of information, I am also aware of privacy law, and the regulations around it. So here are a few handy lessons which I’ve learned.
  1. Artificial intelligence is still really stupid. Despite how much data I have given to Facebook, over more than ten years, I have had to literally LOL at some of the recommendations it’s made to me. Even while I mostly access it on my mobile, with the aforementioned location signal broadcast, it still seems to have a vague idea of where I am [to within ~100 km]. Google Maps and WhereIs – with all the data in the white pages, no less – sometimes can’t even find a street address where I have been before. Just as ridiculous are the suggested contacts provided by LinkedIn, including people I have never met, from completely different industries and countries, with no common connections or interests. Then of course there is the controversy over how easy it is for a picture to be banned for “offensive content” which includes “female-presenting nipples”, but not images of rape or torture. If the machine is so easily fooled, I don’t believe that I am at risk.

  2. Mess with the machines. Perhaps one reason why Facebook and Google are so easily fooled is that I lie to them sometimes. Facebook and Google+ are broadcast media; your profile is available indiscriminately to basically anyone and everyone. I do have real pictures of myself on my profile, but my main profile picture is not one of them. Images which I have used previously include:
    1. Gordon Freeman, from video-game series Half Life;
    2. Gordon Tracy A.K.A. #6, from the Thunderbirds T.V. programme;
    3. Coran, from the new Voltron T.V. programme;
    4. Gordon Brown, former British Prime Minister;
    5. A random mural on a wall in inner Melbourne.
What all of them have in common is that they mostly look like me, but are images cleverly sourced from elsewhere on the internet. [I also did this for a joke about how Gordon is a relatively uncommon name.]
Additionally, I don’t put my home address into a navigation app when I’m going home from somewhere unfamiliar. Instead, I’d use a nearby landmark, and I would never put it on a publicly-available digital profile.
Because my main image and location are not the first things immediately broadcast about myself, putting my name into a search engine doesn’t find me, which brings me to the next point.
  1. Be a small target. Who would want to be me? Specifically, of all the billions of identities available to steal – and infinitely more which you could just make up – why would you choose to be a mature-aged Caucasoid student in Australia? Writing “Gordon Douglas + Australia” into Google turns up at least a dozen separate identities on the first three pages. These include an ANZAC, a corporate Director, a criminal, a visual artist, and even dead writers and filmmakers. The Director, artists, and the news website that reported on the cases of child abuse all have a vested interest in ensuring that their search results rank highly; I do not [yet]. If you wanted to cheat people out of serious money, wouldn’t you try pretending to be them instead? Since most giant search engines are for-profit causes, they can easily be manipulated by money. That brings me to my next point.

  2. Remember legal responsibilities. Despite what Facebook might say, Australians legally own their personal data. This is the foundation of our privacy law, which they and all others must obey. If you believe that your data is being misused, or inadequately protected, there are State and Federal Government agencies responsible for enforcing your rights. At the extreme end, someone who successfully steals your identity could be sued, and even imprisoned for fraud. I can also tell you that the Victorian Information Commissioner would put more time and effort into scrutinising your complaints than Facebook would.

    Related to this, some credit should be given to digital giants now having internal complaints and review procedures, which they didn’t have at the start. Anyone dealing with big volumes of personal data now realises that they need multiple checks and balances in place, and it’s best when they are automatic. My bank doesn’t know my PIN, or my online password, and doesn’t even track my keystrokes when I’m entering that in, just in case. When dealing with Centrelink or the Tax Office, you have to enter a digital password, then wait for another code sent to the email address or mobile phone number you’ve previously provided, making it effectively a three-stage identity screen, which no one at the client organisations can access.

  3. On that note, it also helps if I don't know my own online passwords. That might not make any sense, so hear me out: I was introduced to the 1Password application, which creates randomised passwords, of any length. I generally make them ~36 characters long, which means that I can't even remember them. The probability of someone being able to guess this string – keeping in mind that lower- and upper-case letters are recognised as different characters – is extremely reassuring. If you really wanted to, you could then change to a different, long, random, complex password every so often.

  4. Analogue data is sometimes best. I still remember when 9MSN messenger chat windows all had a helpful tip written down the bottom: “never give out your passwords or credit number in a chat message”. Part of this is that records of your online chats are easy to save for later use; they were never intended for secure communications. When a friend writes a chat message asking me to lend them some money, for example, I ask them to give me a phone call to pass on their bank account details for a transfer, which I then write down on a piece of paper, so that I can tear it up and bury it once I’m done. [Either that, or we arrange a time and place to physically hand over the money.] It would be much more effort to hack every stage of that process, just to take the small amount of money available, than to hack into a single, random chat session. Similarly, at a business like a legal firm or insurer, personal information is destroyed once it is used for its intended purpose. That means that document shredding and recycling has become a serious business.

  5. The medium is the message. This is a quote from Andy Warhol which I enjoy using. I also like a quote from Chris Rock, saying “you won’t break the law if you just use common sense” [which is a lot like the anti-piracy advertising, “you wouldn’t steal a car…”]. Likewise, your digital footprint won’t be compromised if you don’t put details online that you wouldn’t want someone overhearing in a casual conversation.

    Following the earlier example of Will Ockenden from the ABC, you would likely tell your co-workers that you were about to move on the weekend. You probably would not tell them the origin and destination, and what time you planned to leave, or which vehicle you would be using to transport all your stuff.
    Sending your data on an encrypted website is like sending it in an armoured truck. You could, of course, be suspicious of the people in the armoured truck. In that case, you still have analogue options, as above.
