Consumer Federation of California

Enjoying online privacy can happen only if you know how to shield your online activity from outside predators that want to use your information primarily for financial gain.

And there are plenty of criminal predators that are active online. They include identity thieves and hackers that can take over your computer. Turning away hackers takes awareness and effort, and it can be a tough proposition since hackers tend to be ahead of suggested security measures.

The solution lies in taking a multi-level approach of preventing, detecting and responding effectively to a variety of cyber attacks. The biggest risks to you computer’s security include:

• Viruses, or malicious software than can corrupt you entire system
• A hacker that breaks into your computer and alters files
• Someone taking over your computer to attack others
• A thief that steals your computer and accesses your personal information

Even having the best precautions in place can be inadequate to keeping your computer’s information secure. Still, if you do all you can to minimize risks to your computer and its sensitive information, you greatly limit the chances of having a problem.

Keys to safe Internet use

• Update your software

Updates to your software often include ‘patches’ that address any vulnerabilities hackers have exposed in it. Most software will automatically send you a message when an update is available, so it’s a good idea to agree to be notified of them. Only download software upgrades from websites you trust. Stay away from any that are sent via a link in an email message, they are often viruses.

For Windows users, who are more vulnerable to hackers than Apple’s, mainly because hackers like the bigger numbers of PC users, there are ways to keep your software updated. A free software program, called Secunia Personal Software Inspector. It will delete programs that are outdated and subject to hackers.

• Make passwords effective

When you create a password, make sure it’s a strong one that will be all but impossible for a hacker to crack to get to your personal information. First, don’t use the same password for different sites. Use the site’s recommended combinations of numbers and letters, upper and lower case. And answer security questions that aren’t easily answered. Many sites will rate the strength of your password. Get the strongest rating possible.

• Delete spam

You will receive at some point harmless emails that solicit business, and malicious ones trying to get your personal information, such as bank account numbers. The key is to use a spam filter in your email program.  But if you get an email that looks even slightly suspicious from unknown persons, don’t open it, just delete it. Sometimes the return address looks like it could be from someone you know, but scammers can ‘spoof’ return addresses, so check with the senders before you open the message.

Also avoid clicking on links embedded in email messages. This is a technique called ‘phishing’ in which scammers set up a seemingly trustworthy banking site, for instance, in an attempt to get passwords to your account numbers. You’ll know if it’s a phishing scam if you type in an incorrect password and it accepts it.

Also avoid pitches to install malware to detect viruses, since they can compromise your computer and get personal information.

• Careful file-sharing

Only share files with parties you trust to avoid mistakenly downloading a virus, malware, spyware or helping a data security breach. Many email programs scan files for you and will alert you to a suspicious file. Meanwhile, don’t download free screensavers, wallpaper, games or toolbars, unless they come from a reputable site. And don’t open hacker sites, sexually explicit sites, or those known for piracy, since they’re known for having malware.

• Turn off your computer

This will reduce the chance a malicious remote computer will take over your computer when you’re not using it.

• Back up your data

To keep it simple, back up your important data on encrypted USB flash drives, external hard drives or disc imaging software programs. Keep your backup media in a secured location. And encrypt any sensitive information files on your computer or laptop, so that if your machine is stolen, the thief can’t get any private information out of it.

• Wi-Fi awareness

To keep someone from driving by and getting your computer information via you home wireless network, it should be at minimum secured with WPA2 encryption. And because most public Wi-Fi hotspots are unsecured, never conduct secure transactions while using them. You can also set up a ‘virtual private network’ which encrypts your Wi-Fi connection. Also when using email, you can often add an ‘s’ after ‘http’ on the address to the mail website to get encrypted login information and messages.

Other secure Wi-Fi hotspot use tips

• Keep your computer from automatically connecting to the nearest available Wi-Fi access point, since it could get a connection to a hacker’s computer.
• Disable file sharing on your computer settings to keep hackers from accessing your files.
• Install a firewall on your computer and keep it enabled while using Wi-Fi.
• Keep your computer software updated to plug any security holes.

General online privacy tips

• Use a different email provider than one provided by your search engine by using, for instance, Yahoo for email and Google for search. That limits the amount of information collected by any one site. You can also clear your browser’s cookies, or stored searches, before new searches to keep your browsing unconnected to your email address.

• Disable automatic sign-ins

• Heed e-mail system messages that block images with URLs embedded in them. They give you the message that portions of the email have not been downloaded. The reason is that they likely contain Web bugs, so going forward and downloading them anyway is not advisable.

• If you want to opt out of tracking cookies that record your search behavior, visit www.privacychoice.org to opt out such cookies.

• Be fully aware of the pros and cons of cloud computing, which provides offsite program applications and data storage instead of those tasks being handled by a person’s computer. Read the provider’s privacy policy and terms of service of the host company to know your rights.

Smartphones

Smartphones contain a lot of personal data such as photos, emails, possible banking links, and access to social networks such as Facebook, Twitter and LinkedIn. Here are some tips on protecting your smartphone data:

• Password protect your phone with a strong password. Look in the settings area of your phone
• Don’t let your smartphone automatically remember login passwords to email, virtual personal networks or other accounts
• Use your smartphone’s lockout feature, and set it to automatically lock after specified amount of time not in use
• Install security software to allow you to remotely lock your phone and wipe the data. Never leave your phone unattended
• Check your cell carrier’s privacy policy online to learn what it shares with third parties and what you can opt out of
• Disable your photo location identification on your phone by choosing the appropriate setting
• Research phone apps before downloading them. Don’t download an app asking for more data than it needs to function. Look for privacy policies and terms of service
• Don’t do mobile banking using a Wi-Fi network, and connect only to public networks you trust. And trust the source when clicking on links, downloading files and downloading apps
• Contact the Federal Trade Commission with consumer suggestions for mobile data practices. Write Congressional representatives to update existing privacy law to keep pace with changing technology. Write to companies like Apple and Google to request better safeguards from apps to protect your data from being share with third parties

Social Media

Tips for protecting your information from hackers on social media sites when registering for an account:

• Use a strong password
• Use answers to security questions only you would know
• Never provide a work-associated email address to a social network
• Consider not using your real name, especially your last name
• Read the privacy policy before signing up
• Have strong anti-virus and spyware protection on your computer
• Provide only information you feel comfortable providing
• Don’t provide your email account password if asked for
• Set your privacy settings to ‘friends only,’ on sites like Facebook
• If you share your birthday, keep it to the month and day, but leave the year out, since it can help hackers trace your information
• Keep up on a social network’s changes to its privacy policy and terms of service
• Beware of shortened links and popups claiming viruses have been detected on your computer. Instead, run your spyware and virus protection software
• Delete cookies, including flash cookies, every time you leave a social networking site
• Don’t post any photos or comments you wouldn’t want a stranger, your mother or your boss to see. Untag photos of yourself, if you feel a need to, and ask to have content removed when necessary
• Don’t publicize vacation plans, especially the dates you’ll be traveling, since burglars can use this information. Same for routine places you visit at certain times
• If you post your address, phone number or email on a social network, use privacy settings to restrict the approved contacts
• If possible, avoid third party applications, or research them before using
• Verify requests to connect by somebody you know before accepting. If it’s a stranger, either reject it or use the privacy settings to limit the information available to the person
• Beware of requests for money, even if it comes from a trusted contact. Scam artists sometime compromise accounts to defraud for money
• If your social networking account is compromised, report it to the site immediately and alert your contacts. Do no online banking until your computer security has been ensured, since malware, including key-logging software, may have been installed on your computer.
• Delete from your ‘friends’ list regularly to keep familiar whom you’re sharing information with
• If your social network offers video chatting, see if the light on your computer is on, indicating whether your webcam is in use. This will help you avoid being caught by accident on camera
• Log off of social networking sites when not using to reduce tracking of your web surfing and to help prevent your account from being hacked

Online Shopping

Here are tips to keep your bank account information safe while online shopping:

• Never use a debit card, also know as a check card, online. This can enable access to your bank account if the card information is compromised. If you are missing funds from your account, report it promptly. A bank can legally take up to two weeks to return funds to your account.
• Consider using a single use, or virtual credit card for online purchases
• Only shop at secure sites. Look at its address for the ‘s’ in https:// which shows the vendor encrypts transaction information
• Read the merchant’s privacy policy about sharing your information with third parties and whether your email will be used to send you spam. Look for seal of approval programs regarding privacy such as TRUSTe, Verisign, or BBB Accredited Business Seal
• Provide only information required to process your order, and NEVER give out your Social Security number.
• Use a unique online user name and password for a retailer’s site. Make sure it is strong and different from those for financial accounts
• Sign up for credit card alerts for payments due or posted transactions. Watch for charges you didn’t make, and make sure you know the alerts are legitimate to avoid hackers after your account information
• Print, save or take a screen picture of your order confirmation, which should include the cost, discounts applied and shipping and handling charges when applied. It should have your customer information, product information and your confirmation number. Save any emailed confirmation messages
• Know company policy regarding personal use of company computers. Online shopping while at work may be against company policy

State/national mobile privacy legislation update

On Feb. 1, the Federal Trade Commission suggested new guidelines to protect the privacy of consumers using smartphones and tablet computers. They want a ‘do-not-track’ option for users of mobile software and apps, and other actions to further safeguard personal information.

The report, however, is not binding. But it shows that the FTC is focusing more on mobile privacy.

The FTC’s guidelines are aimed at companies like Apple, Google, Microsoft, Amazon and Blackberry, as well as app developers.

• The federal guidelines closely followed ‘best practices’ proposed to mobile app developers, their advertising partners and their host platforms in January by California Atty. Gen. Kamala Harris. The recommendations, which go beyond state and federal requirements, are unenforceable.

But Harris suggested the industry make privacy policies readable and clear, that they refrain from collecting data not needed for the app to function, and to alert users when third parties are collecting their data for uses including advertising. In December she sued Delta Airlines for failing to tell users how its mobile app used the personal data it collected.

• Last October, Gov. Jerry Brown signed two privacy laws protecting employees and students from bosses and universities getting access through asked-for user names and passwords to snoop on their Facebook, Twitter and other social media accounts. The law also prohibits retaliation, by firing, disciplining or threatening to do so, by bosses and schools against employees or students for not turning over access to their social media accounts.

• In December 2012, Assembly member Nora Campos (D-San Luis Obispo) introduced AB25, which seeks to extend coverage of the law as signed by Gov. Brown. That law applied to private employers and universities. This bill would apply the same provisions to public employers.

• In December 2012, Sen. Ellen Corbett, (D-San Leandro), introduced SB46, which expands the definition of personal data that if compromised by a business, must be reported as a security breach. It adds information in the definition that is part of an account, such as the user’s name along with their social security number, driver’s license, account number, credit or debit card number in combination of with any security code, access code or password that would give access to the individual’s financial account. It also would add medical information and health insurance information to the definition.

Children’s Online Privacy

Many children have grown up using computers, and know how to navigate the Internet with ease. While it opens up a vast world of games, images and places to explore, it has danger zones for children. Websites mine data from children when they register with sites for kids’ clubs, contests or questionnaires, then customer lists of names, addresses and favorite activities are compiled and sold off to brokers and businesses.

Parents can’t always be around to supervise and protect their kids from harmful or objectionable web content that can contain pornography, profanity or hate speech.

Here are some privacy tips to help keep children away from dangerous online content:

• Read the privacy policies on web sites visited by your children, and teach older children to do the same. Find out what information is collected, what is done with it and how to choose whether or not the child’s information can be collected.
• Decide on whether you want to give consent for information to be collected for your child under age 13.
• Look for a privacy seal of approval on the first page of the site, such as TRUSTe. Sites with such seals agree to post their privacy policies and submit to audits of their privacy practices. Seal programs also provide dispute resolution services.
• Write up a contract with your child. Encourage them, especially if they are teens, to agree about what limits to observe in surfing the Internet, and set up family rules for online computer use. Watch for excessive online use late at night, it could be an indicator of a problem. Make it a family activity by keeping the computer in a family room rather than in the child’s bedroom.

Suggested guidelines for children’s online use:

• Tell your children not to give out identifying information, such as name, address, school name, or phone number while in chat rooms or when visiting websites. Tell them to send no photos without permission, and to use ‘screen names’ that aren’t theirs when in chat rooms.
• Explain that passwords should never be given out.
• Get to know your child’s online friends and never allow a face-to-face meeting with another computer user without your attending at least the first meeting.
• Explain that people online may different than how they’re portraying themselves. Someone could be a 45-year-old man, and not the 10-year-old girl as claimed. And that everything they read on the Internet isn’t true, even ‘too good to be true’ claims, which typically aren’t.

Legislative Update

The Federal Trade Commission on February 1, 2013 fined San Francisco-based Path, a two-year-old social networking app, $800,000, charging the company violated federal privacy protections for children by collecting personal information on underage users and nearly everyone in their address books.

In December 2012, the FTC also adopted final amendments to the Children’s Online Protection Rule, which gives parents greater control over the personal information that websites and online services may collect from children under 13.