Privacy Settings Checkup
UTHSC IT SECURITY TEAM
What portable computers do you own?
• MacBook
• PC Laptop
• ChromeBook
Which Smartphone/Tablets do you own?
• iPhone
• iPad
• Android Phone
• Android Tablet
• Windows Tablet
• Kindle (Fire) Tablet
Which online applications do you log into?
• Facebook
• Twitter
• YikYak
• Tumblr
• LinkedIN
• Dating Sites
• SnapChat
• Instagram
• Youtube
• Pinterest
When was the last time you checked the privacy settings
on both your device(s) and online application(s)?
Website Privacy
• In the 90's, websites were little more than digital brochures, and "interactivity"
meant signing up to receive a monthly e-newsletter.
• Modern websites have evolved into complex and powerful information
platforms, collecting, processing and sharing data at blinding speed on a
massive scale.
• When we share personal data with these online platforms it is often passed on
to numerous third parties, such as advertisers, vendors, and partners.
• Protecting privacy in this spider web of data flows is no easy task: it's easy to see how
personal information can be compromised, either accidentally or intentionally.
• Fortunately, many websites, from social networks to eCommerce sites,
provide Internet users with privacy-enhancing options:
Privacy Controls
• While websites today share more information, they also provide their users with great specificity and
control over these sharing activities.
• On many websites you'll find that you can define your audience when you share personal information or
content, whether it's an audience of one or the entire public.
• YouTube, for example, allows users to upload “Private” videos visible only to people whom the author
specifically authorizes via email or make videos available to their millions of monthly visitors (learn more
on YouTube Private videos here).
• Facebook also offers the same selective sharing ability to its more than 400 million users.
A Facebook user can, for example, choose to make a photo album visible only to their immediate family (learn more about
Facebook's privacy options here). These are just two examples of privacy controls available on modern websites.
• You can often find privacy controls on a site by navigating to a control panel or settings menu. Sometimes websites will
draw attention to privacy controls, while in other cases they will group them under broader categories like "Account
Settings".
• Privacy controls may also be offered during the sign-up process for a new online service or account. To
best protect your privacy you should explore and understand privacy controls available to you on a given
website/platform before you share personal information on or with the site.
Privacy Policies
• Privacy policies communicate a site's privacy practices to its visitors.
These policies can be lengthy documents, filled with language only
readily comprehensible to lawyers.
• Given an increasing focus on privacy, however, major sites are
experimenting with ways to make privacy notices more consumer
friendly and actionable.
• Taking the time to read a privacy policy, in part or in whole, to
understand the data relationships that exist on the site will help
you make informed decisions when using the privacy controls
available on a site.
The public/private distinction
• For a number of websites today making information public and open is the name of the game.
It's important to understand when signing-up for a new online service or account what model
the site defaults to and how its users share information on the site.
• Twitter, for example, is an online service where the default is public: unless you
specifically opt in to protecting your account, the messages you post on Twitter are
available to the general public.
• Some websites straddle the line between public and private, while some websites that have
traditionally been private are moving toward a more public model. When signing up for a new
online service or account, take the time to understand the information-sharing defaults on the
service and the site's general information model: are they trying to keep information private,
or are they pushing to make it public and interconnected with the greater Web?
• Blindly signing up for an online account or service without understanding and appreciating the
site's public/private model can lead to privacy disasters.
Email Privacy
• Email has remained largely unchanged in the last decade. Methods
of exploiting email, however, have evolved significantly and
protecting personal information in email environments has become
more challenging.
• In the past decade hacking has become more effective and phishing
techniques, more elaborate.
Here are some strategies for
protecting your privacy when
using email:
Use a secondary, “spam” email address
• Signing up for new accounts and services or making purchases
online usually requires you to share your email address.
• If you do not trust a website it's helpful to have a secondary email
address you can use in these cases.
• This way, if the website shares your email address with marketers or
other third parties without your permission you will not be
inundated with spam or potentially malicious emails at your
personal email account.
Use email service providers with strong security and spam
filters
• Does your email service provider offer message encryption? Do
they have robust spam filters?
• These are questions to ask before signing up for a new email
account. Three of the world's most popular email services,
Microsoft Outlook, Yahoo Mail, and Gmail, encrypt the connection
between you and the provider (and, where the receiving server
supports it, between providers), which prevents third parties on
the network from intercepting messages in transit. It does not hide
the message from the provider itself or from whoever controls the
recipient's mailbox.
• If you need the message content itself protected from everyone
but the recipient, or your provider does not offer built-in
encryption, you can use a free end-to-end standard such as
OpenPGP, which encrypts the message on your device so that only
the holder of the recipient's private key can read it.
Exercise caution when opening emails
• Be especially wary of emails sent from individuals or businesses you do not recognize.
Never download attachments from unrecognized senders: they may contain viruses or
other malicious software that can take over your computer and/or harvest your
personal information.
• Another malicious email practice, known as "phishing", uses elaborate ruses to
trick a recipient into handing over personal information or money.
Sometimes "phishers" will claim they have a large sum of money that they need your
help transferring or depositing and will reimburse you in exchange. Others will claim
they need you to "verify your account" or "confirm your billing information" by
providing the requested personal details. A good rule of thumb for
email is that if it sounds too good to be true or seems potentially fraudulent, it probably
is, and you should not download the attachment or respond. Check the sender's actual
address, not just the display name, and if the message claims to come from your bank or
from UTHSC, go to that organization's website or phone number yourself rather than using
the link or number in the email.
• Even emails sent from acquaintances or from allegedly legitimate businesses or
entities can be malicious. Malware, for example, can take over your friend's email
account and automatically distribute malicious messages to your friend's email
contacts.
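The red flags above (a display name that does not match the sender's domain, replies routed elsewhere, "verify your account" wording, executable attachments) turned into a check that can be run over a saved message. This is an added example and not part of the original slides; it uses only Python's standard email library. The organisation domain uthsc.edu is taken from the page, while the lure-phrase list, the attachment-extension list and both sample messages are constructed assumptions for the example.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Assumptions for this added example: the organisation whose mail we vet is
# uthsc.edu (from the page); phrase and extension lists are illustrative.
ORG_DOMAIN = "uthsc.edu"
ORG_NAMES = ("uthsc", "help desk", "it security")
LURE_PHRASES = ("verify your account", "confirm your billing",
                "help transferring", "suspended", "within 24 hours")
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".zip", ".docm", ".xlsm", ".htm", ".html")


def domain_of(addr: str) -> str:
    """Mail domain of an address, lower-cased ('' if it has no @)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw_message: str) -> list:
    """Return human-readable red flags found in one RFC 5322 message.

    None of these is proof on its own; together they are what a reader
    should notice before opening an attachment or replying.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Display name claims to be the organisation, address domain is not.
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    in_org = from_dom == ORG_DOMAIN or from_dom.endswith("." + ORG_DOMAIN)
    if any(n in name.lower() for n in ORG_NAMES) and not in_org:
        findings.append(f"display name '{name}' impersonates {ORG_DOMAIN} "
                        f"but sender domain is {from_dom}")

    # 2. Look-alike sender domain (org name embedded in a foreign domain).
    if not in_org and ORG_DOMAIN.split(".")[0] in from_dom:
        findings.append(f"look-alike sender domain {from_dom}")

    # 3. Replies would go somewhere other than the apparent sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply)} differs from "
                        f"From domain {from_dom}")

    # 4. Classic lure wording in subject or body.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()
    hits = [p for p in LURE_PHRASES if p in text]
    if hits:
        findings.append("lure phrases: " + ", ".join(hits))

    # 5. Attachment types that execute or carry macros/scripts.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXT):
            findings.append(f"risky attachment: {filename}")

    return findings


# Constructed sample messages for this example (not real mail).
SAMPLE_PHISH = """\
From: "UTHSC Help Desk" <helpdesk@uthsc-support.example>
Reply-To: account.services@webmail.example
To: student@uthsc.edu
Subject: Urgent: verify your account within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your mailbox will be suspended. Open the attached form to confirm your billing information.
--b1
Content-Type: application/octet-stream; name="form.exe"
Content-Disposition: attachment; filename="form.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

SAMPLE_BENIGN = """\
From: Jane Doe <jane@uthsc.edu>
To: student@uthsc.edu
Subject: Lunch on Friday
Content-Type: text/plain; charset="utf-8"

See you at noon in the cafe.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

The phishing sample trips all five checks; the benign one trips none. Treat the output as a prompt to verify the message out of band, not as a verdict: a real sender who uses a personal Reply-To is not an attacker, and a well-crafted phish can avoid every phrase on the list.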
Recognize that email is evolving towards openness and
interconnectivity
• While the basic function of email – sending and receiving messages and content via a
private channel - has remained largely unchanged in the last decade, recently we've
seen a push to make email more open with embedded features that mirror the
functionality of social networks.
• Both Yahoo and Google made changes in this direction to their respective email
services with the introduction of Google Buzz and Yahoo! Pulse. Email service
providers are increasingly moving toward models that publicize and interconnect the
data in your account. For email this includes information like your contacts and
communication habits, and, in some cases, even the contents of your emails.
• If you don't want to participate in this evolution toward openness you should set your
privacy controls appropriately.
Use strong passwords and remember to sign-out
• Setting a strong password is an important part of email privacy. Length
matters most: a long passphrase of several unrelated words resists guessing
better than a short password with a few symbols swapped in. Mixing letters and
numbers, upper and lower case, and characters such as exclamation points and
dollar signs helps, but not at the expense of length. Never reuse your email
password on another site: whoever controls your mailbox can reset the
passwords of every account registered to it.
• Microsoft provides a helpful guide on setting strong passwords available
here and a secure password strength checker, available here.
• Also, remember to sign out of an online service or account when you are
finished with your session, especially if you are using a public or shared
computer. This will prevent others from being able to access your
account, which can still be open and signed in even after you have closed
the browser.
Mobile Privacy
• 1. On mobile devices your personal information is more likely to be compromised through device theft or loss, so take appropriate precautions.
• Because they are smaller and more portable, mobile devices are more likely to be stolen or lost than
your desktop computer or even your laptop, yet they can store amounts of data comparable to a desktop
or laptop. Consider using encryption, and enable options that let you remotely wipe data on the
device in the event of loss or theft. For users of Apple's popular iPhone, Apple's "Mobile Me" product
allows iPhone users to remotely wipe data on a lost or stolen phone (learn more here).
• 2. Your mobile device may be aware of your location and may share that data with applications and
advertisers.
• Mobile devices with GPS capabilities are fast becoming the norm. Location-aware mobile applications can
use GPS data to help you navigate, alert you to events, friends and deals in the area, and serve you
location-specific advertisements. For example, Fandango's mobile applications for Blackberry, iPhone, Palm
and Android devices let users identify nearby movie theaters and buy movie tickets (learn more
here). Most mobile platforms let you turn off this location feature, and some offer
application-specific location controls. If you feel that location-aware applications are invading
your privacy, take appropriate action with your privacy controls.
Check your native DEVICE settings
• Settings Option
• Privacy
• Photo Sharing
• Location Settings (turn off when not in navigation mode)
Application – Website Privacy Settings
Facebook Privacy Checkup Tool
(http://www.cnet.com/news/facebook-launches-its-privacycheckup/)
Google+ Privacy Checkup Tool
(https://www.google.com/search?q=Google%2B+Privacy+Checkup+T
ool&ie=utf-8&oe=utf-8)
Common Application Website Settings
• LinkedIN – Settings/My Profile
• Twitter – Settings/My Profile
• General Email - Settings
• Yik Yak - Settings
• Snap Chat - Settings
• Instagram - Settings
Prevention is KEY!
BEST ONLINE PRIVACY PRACTICES
Minimize personal information sharing
• Often you will see a laundry list of data fields to enter various bits
of personal information when signing up for a new online service or
account.
• Typically, only certain pieces of personal information are required to
register, sometimes noted with an asterisk (*).
• If you don't trust the website with your personal information, there
is no need to enter more than is required to use the service or
sign up for an account.
Look for trustmarks on websites and verify their authenticity
• The TRUSTe TRUSTed Websites seal is the leading online privacy trustmark,
but there are other types of trustmarks that provide consumers with
online assurances about a business's integrity or practices.
• Security trustmarks, like those offered by Verisign and McAfee, are meant to
show that a website uses technological measures like encryption to protect
your data. Remember that the seal itself is just an image that any site can
copy; the padlock and "https://" in your browser's address bar are what tell
you the connection is encrypted.
• Reputation trustmarks, like those provided by the Better Business
Bureau, verify a business's legitimacy and legal status. To verify a
seal's authenticity, click on it and check that the verification page is
hosted by the respective company and names the site you are visiting.
• For example, if you click on a TRUSTe seal, the page that opens must be
served over https and its host name must be exactly "www.truste.com". Check
the host, not just the start of the address: a link such as
"https://www.truste.com.example.net/" begins with the same characters but
belongs to a different site, and one built as
"https://www.truste.com@example.net/" actually goes to example.net.
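A host check for a seal's verification link, as an added example that is not part of the original slides. It contrasts the "begins with" rule with a check on the parsed host name, using only Python's standard urllib. The expected host www.truste.com comes from the slide; the sample links are constructed for the example and are not real seal targets.

```python
from urllib.parse import urlsplit

# Assumption for this added example: the host the trustmark vendor publishes
# for its verification pages (taken from the slide).
EXPECTED_SEAL_HOST = "www.truste.com"


def naive_seal_check(url: str, prefix: str = "https://www.truste.com") -> bool:
    """The 'begins with' rule. Kept only to show why it is not enough:
    a string prefix says nothing about which host the link really targets."""
    return url.startswith(prefix)


def seal_url_is_genuine(url: str, expected_host: str = EXPECTED_SEAL_HOST) -> bool:
    """True only if the link is HTTPS and its parsed host is exactly expected_host.

    urlsplit() isolates the real host, so 'www.truste.com.evil.example'
    (look-alike subdomain) and 'www.truste.com@evil.example' (user-info
    trick) both fail even though both start with the expected prefix.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False
    host = (parts.hostname or "").rstrip(".")   # .hostname is already lower-cased
    return host == expected_host.lower()


def audit_seal_links(urls) -> dict:
    """Map each seal link to a verdict plus the host the browser would contact."""
    report = {}
    for url in urls:
        host = urlsplit(url).hostname or "(none)"
        verdict = "genuine" if seal_url_is_genuine(url) else "FAKE"
        report[url] = f"{verdict} (host={host})"
    return report


# Constructed sample links for this example, not real seal targets.
SAMPLE_LINKS = [
    "https://www.truste.com/privacy/validate?site=example",
    "https://www.truste.com.evil.example/validate",
    "https://www.truste.com@evil.example/validate",
    "http://www.truste.com/privacy/validate",
]

if __name__ == "__main__":
    for link, verdict in audit_seal_links(SAMPLE_LINKS).items():
        print(f"{verdict:38s} naive={naive_seal_check(link)}  {link}")
```

Two of the three "https://www.truste.com..." links pass the naive prefix test and fail the host test. Passing the host test is still only half the check: the verification page must also name the site you were visiting, otherwise a copied seal can simply link to the vendor's page for some other, legitimately certified site.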
Consider temporary credit card numbers when shopping
online
• Many credit card companies offer their customers the ability to
activate temporary credit card numbers for online shopping use
that are linked to their financial account, but are valid only for
single or limited transactions.
• This technique protects a cardholder's actual credit card account
from fraud and theft. Examples of this service include Bank of
America's ShopSafe ® program, Citibank's Virtual Account Numbers
and Discover's Secure Online Account Numbers.
Use strong passwords and remember to sign-out
• Setting a strong password is an important part of online privacy. As a
rule of thumb, a longer password is a stronger one: a passphrase of
several unrelated words beats a short password with a few symbols added.
• Your password can also include letters and numbers, upper and lower
case, and characters such as exclamation points and dollar signs, and
it should be different for every site.
Use anti-virus and anti-spyware protection
• When browsing online you may intentionally download any number
of files, such as desktop applications and songs, and unintentionally
pick up tracking cookies and other files, some of which can be malicious.
• Ensuring your computer has up-to-date anti-virus and anti-spyware
software is an important part of protecting your personal
information online.
• Trojans and keystroke logging software can steal personal
information from your computer when you use the Internet.
Take advantage of browser privacy enhancing capabilities
and options
• Update your Web browser (Internet Explorer, Firefox, Safari etc.) to
ensure that it's the most recent version so you can take full
advantage of the included privacy features like ‘private browsing
mode'.
Summary…
• Check your device's native privacy and location settings daily.
• Only turn on your location settings when you are using a navigation system; you can turn them off when you arrive at your
destination.
• Conduct a weekly Privacy Checkup on all of your apps and online social networking sites like Facebook,
Instagram, and Twitter.
• Be aware that some apps, such as Yik Yak and Shopkick, must have access to your location in order to work.
• Where an app only needs a rough location, enter the closest zip code instead of granting it access to your location.
• Always read and review Privacy Statements and other information before downloading an app or signing up for a
site. Some applications may be able to access information stored or cached on your device, like your credit card
number or other private data.
• Lastly, when in doubt, contact your UTHSC Information Security Team at (901) 448-1579 or itsecurity@uthsc.edu.
Let’s Check Some Devices and
Applications!!!
THANKS!
UTHSC Information Security Team
Frank Davison
Jessica McMorris
L. Kevin Watson
Ammar Ammar
fdavison@uthsc.edu
jmcmorr1@uthsc.edu
lwatso20@uthsc.edu
aammar@uthsc.edu
(901) 448-1260
(901) 448-1579
(901) 448-7010
(901) 448-2163
Information Security Email: itsecurity@uthsc.edu
Website: security.uthsc.edu
To report phishing and spam email forward it to abuse@uthsc.edu
UTHSC Help Desk: (901) 448-2222 ext. 1 or helpdesk@uthsc.edu