Below is an attempt at developing guiding principles for having a secure and private digital life.
What principles will ensure you make decisions that keep you and your online data secure and private?
Some things are better stored as a physical copy and others digitally.
A physical copy can be misplaced and lost. It can be destroyed by water or fire, or crushed under heavy weight. It cannot easily be encrypted (though it can be by hand). It can only be accessed in person.
However, physical copies cannot be hacked remotely. They can be hidden anywhere in the world. They cannot be duplicated or distributed as easily as digital data.
Digital data can be easily encrypted for secure transfer and storage. And if it is online, it can be accessed anywhere you have a computer and internet connection.
But digital data can be hacked, leaked, duplicated, and shared in perpetuity.
Don’t default to storing valuable things digitally or online unless you benefit from the upside enough to justify the downsides.
You don’t need to be targeted to have your data compromised.
Companies screw up all of the time. Facebook. Dropbox. Evernote. If these big players can’t keep your data safe, it’s only reasonable to assume that eventually the other services you use will screw up too.
“On a long enough timeline, the survival rate for everyone drops to zero.”
Takeaway one: use end-to-end encrypted services. If the service doesn’t support end-to-end encryption, then at least ensure your data is encrypted at rest on the company’s servers.
Takeaway two: if the service does not support any encryption, do not upload what you would not want made public.
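The difference between the two takeaways above comes down to who holds the key. As an added illustration (not code from the original post), the Go program below models a hypothetical storage service in both configurations: "encrypted at rest", where the client sends plaintext and the service encrypts it with a key the service owns, and end-to-end, where the client encrypts with a key that never leaves the device. The `Service` type, its methods and the sample note are all constructed for this example; the cipher is standard-library AES-256-GCM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// seal encrypts plaintext under key with AES-256-GCM and prepends the
// random nonce so the caller only has to keep one blob.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal. GCM's authentication tag means a wrong key or a
// tampered blob fails outright instead of yielding garbage.
func open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// newKey returns a fresh random 256-bit key.
func newKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// Service is a hypothetical storage provider (constructed for this example).
// It holds whatever blob was uploaded plus its own server-side key.
type Service struct {
	serverKey []byte
	stored    []byte
}

// UploadAtRest models "encrypted at rest": the client hands over plaintext
// and the service encrypts it with a key the service controls.
func (s *Service) UploadAtRest(note []byte) error {
	blob, err := seal(s.serverKey, note)
	if err != nil {
		return err
	}
	s.stored = blob
	return nil
}

// UploadE2E models end-to-end encryption: the client encrypts with a key
// that never leaves the device, so the service only ever sees ciphertext.
func (s *Service) UploadE2E(clientKey, note []byte) error {
	blob, err := seal(clientKey, note)
	if err != nil {
		return err
	}
	s.stored = blob
	return nil
}

// ServiceCanRead reports whether the service can recover the stored note
// using only what it holds: its own key. A breach of the service (or a
// subpoena to it) exposes exactly what this function can see.
func (s *Service) ServiceCanRead() bool {
	_, err := open(s.serverKey, s.stored)
	return err == nil
}

func main() {
	note := []byte("constructed sample note: nothing I would want public")
	svc := &Service{serverKey: newKey()}

	_ = svc.UploadAtRest(note)
	fmt.Println("encrypted at rest, service can read:", svc.ServiceCanRead())

	deviceKey := newKey() // exists only on the user's device
	_ = svc.UploadE2E(deviceKey, note)
	fmt.Println("end-to-end, service can read:", svc.ServiceCanRead())
	pt, _ := open(deviceKey, svc.stored)
	fmt.Println("user with device key can read:", string(pt) == string(note))
}
```

The at-rest model still protects against someone walking off with a disk, which is why it is the fallback in takeaway one; it does nothing against a compromise of the service itself, because the service can decrypt everything it stores. In the end-to-end model, a breach yields only ciphertext, which is the property that makes takeaway two unnecessary.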
Security is how easily someone can break in.
Privacy is what the service knows about you and whether it can access your data.
Security without privacy is a glass castle surrounded by a giant moat. It’s easy to see in, but not to break in. Privacy without security is a shower curtain. It provides privacy but can be easily opened.
Use products that both have a good security record and respect the privacy of your data. If the product doesn’t check both boxes, then at least ensure the company has a good security record.
Evernote is not secure or private. Google accounts are secure, but not private. ProtonMail, MEGASync, and DayOne are both secure and private.
Every new account is an additional point of failure.
The more accounts you have, the more companies you are trusting with your data and the more accounts you have to keep secure.
Takeaway one: when creating a new online account, consider what data you’ll be sharing with that company, their security record, and whether they allow you to wipe your data and delete your account.
If you’ve been on the internet since you were a kid, chances are that you have dozens – if not hundreds – of accounts.
Takeaway two: investing time in finding and deleting old accounts is a worthwhile exercise. Try to remember the highest-value accounts you have. Old social accounts with your name on them, email addresses, and apps holding sensitive data (health or note apps, for example) are good candidates. Delete as many as possible.
Having fewer accounts enables you to have better security hygiene with each.
Another option is to keep certain things offline. Not everything needs to be solved with an online tool. Online apps greatly increase your attack surface. Physical items, however, require a break-in and a search to be compromised.
Different kinds of accounts pose different types of risk.
A service like Dropbox stores personal files. A hack would mean that files previously accessible only by you and those you authorize are now in the hands of a potentially malicious party and anyone they choose to share with.
Social media accounts, blogs, and personal websites are different. A compromise here enables the other party to impersonate you on the internet.
The larger your audience, the bigger the downside of such an exploit. Even for us average folks who use social media to connect with family, friends, and colleagues, someone else posting content under your name can be a huge risk and embarrassment.
Takeaway: be careful which online accounts have your name on them. If you don’t use it or need it, then delete it.
There’s a class of products that add a social layer on top of a simple service. Strava, Goodreads, and Letterboxd are good examples of these. They provide a useful function (tracking your runs, books, or movies), but add a social layer and may share information publicly. They tend to have complicated sharing settings and often default to sharing information publicly.
For these, consider: does what you’re using need to be social and public? Is the trade-off between tracking and sharing worth it? (Perhaps you are tracking for the explicit purpose of sharing, in which case this doesn’t apply. But maybe you don’t want your friends or employer to know that you gave five stars to a book titled The Way of the Superior Man.)
If someone was deliberately trying to sabotage you specifically, what would your weak spots be?
Do your phone and laptop auto-lock themselves if unattended? Is your passcode easy to guess? Is your password written on a post-it? Is it a combination of your dog’s name and mother’s birthday? Do you use the same password across multiple accounts?
The previous principles mostly deal with being picky about the tools you use. But this principle is about being picky with your own security hygiene.
Even the bare minimum security hygiene practices can be difficult to keep up with.
The benefit of acting as though you are a target is that it forces you to clean up your act.
I previously wrote a far more prescriptive list of security measures. It was very in-the-weeds and needed to be frequently updated to remain useful. My goal here is to devise high-level principles that can be applied even as the specifics evolve.
As always, feedback and comments are appreciated. I’m on Twitter @adilmajid.