Monthly Archives: January 2014

Privacy Tools: Opting Out from Data Brokers

In the course of writing my book, Dragnet Nation, I tried various strategies to protect my privacy. In this series of blog posts, I try to distill the lessons from my privacy experiments into a series of useful tips for readers.

Data brokers have been around forever, selling mailing lists to companies that send junk mail. But in today’s data-saturated economy, data brokers know more information than ever about us, with sometimes disturbing results.

Earlier this month, OfficeMax sent a letter to a grieving father addressed to “daughter killed in car crash.” And in December, privacy expert Pam Dixon testified in Congress that she had found data brokers selling lists with titles such as “Rape Sufferers” and “Erectile Dysfunction sufferers.” And retailers are increasingly using this type of data to make from decisions about what credit card to offer people or how much to charge individuals for a stapler.

During my book research, I sought to obtain the data that brokers held about me. At first, I was excited to be reminded of the address of my dorm room and my old phone numbers. But thrill quickly wore off as the reports rolled in. I was equally irked by the reports that were wrong—data brokers who thought I was a single mother with no education—as I was by the ones that were correct—is it necessary for someone to track that I recently bought underwear online? So I decided to opt out from the commercial data brokers.

It wasn’t easy. There is no law requiring data brokers to offer opt-outs. Of the 212 data brokers that I managed to identify, less than half—92—accepted opt-outs. Of those, a majority—65—required me to submit some form of identification, such as a driver’s license to opt out. Twenty-four sites required the opt-out forms to be sent by mail or fax. In some cases, I decided not to opt-out because the service seemed so sketchy that I didn’t want to send in any additional information.

Still, I achieve some minor successes: A search for my name on some of the largest people-search Web sites, such as Intelius and Spokeo, yields no relevant results.

So, for those who want to try my strategy, here are the two spreadsheets I put together with the names of companies that track your information, links to their privacy pages, and instructions on how to opt out, in the cases where they offered them.

The first spreadsheet below is a list of data brokers who will give you copies of your data. (You can scroll around inside the box below, and you can also download your own copy of the spreadsheet, in Excel format, or as a CSV file.) The second is the list of data brokers from whom I sought to opt-out, with the ones that allowed opt-outs highlighted. (Download that one as Excel or CSV.)

Good luck!

Companies that let you download your data:

All of the companies I tried to opt out of:

Privacy Tools: How to Build Better Passwords

Dragnet Nation cover artIn the course of writing my book, Dragnet Nation, I tried various strategies to protect my privacy. In this series of book excerpts and adaptations, I distill the lessons from my privacy experiments into tips for readers.

Passwords are the first line of defense between your private data and an attacker – whether it is a criminal hacker or a spy agency.

But most of the conventional wisdom about building passwords is terrible. People are often told they should change their passwords every three months; that their passwords should be made strong with multiple symbols and letters; and the passwords should not be written down anywhere.

Computer scientist Ross Anderson has summed up this terrible advice as “Choose a password you can’t remember, and don’t write it down.” Faced with that impossible task, most people use passwords that are easy to remember – the most popular password is still 123456 – and use it for every single account.

It’s actually better advice to choose a more secure password and write it down somewhere in a safe place. After all, it’s much less likely that someone will break into your house and steal your master password list than it is that someone will hack into your account from afar through a weak password.

However, even if you write down your passwords, you still face the difficult task of dreaming up the dozens of passwords that seem to be required for modern life. At first, I tried to make up my own passwords, but after I stumbled on this password-strength estimator, I realized that many of my homegrown passwords were still easy to crack. So, after much searching for a perfect password strategy, I came up with a two-tiered solution for building strong passwords:

• For less important passwords – such as for my frequent flier and online shopping accounts – I used password management software called 1Password to generate and store passwords. Like its competitors, LastPass and KeePass, 1Password generates strong passwords from strings of letters, numbers and symbols and stores them on my machine in an encrypted file.

• For more important passwords – such as the password to my 1Password vault, my e-mail and online bank accounts – I used a simple, low-tech passphrase-generating system called Diceware. It works like this: roll a six-sided die five times, then take the numbers you roll and match them up to the Diceware word list, which contains 7,776 short words. Repeat this five times and you will end up with a five-word passphrase that is hard for attackers to crack, but easy to remember. [UPDATE 3/27/14: Diceware creator Arnold Reinhard is now recommending that people use six words.]

This XKCD comic nicely sums up the beauty of the Diceware approach.

 

Privacy Tools: How to Safely Browse the Web

Dragnet Nation cover artIn the course of writing my book, Dragnet Nation, I tried various strategies to protect my privacy. In this series of book excerpts and adaptations, I distill the lessons from my privacy experiments into tips for readers.

One of the easiest and simplest things you can do to protect your privacy is to be a smarter Web browser.

This is surprisingly difficult because most popular Web browsing software is set up to allow users to be tracked by default. The reason is simple economics – you don’t pay for Web browsing software, so the companies that make it have to find other ways to make money.

The most egregious example of this conflict came in 2008 when Microsoft’s advertising executives helped quash a plan by the engineers to build better privacy protections into the Internet Explorer 8 Web browser. Microsoft has since added additional protections – but they are not turned on by default.  The situation is no better at Google, whose Chrome Web browser has “buried and discouraged” the “Do Not Track” button, and is pioneering the use of new tracking technology that cannot be blocked. And it’s worth noting that the other big Web browser maker, Mozilla Corp., receives 85 percent of its revenues (PDF) from its agreement to make Google the default search engine on Firefox. 

Even worse, many of the tools that Web browsers offer to protect privacy are not effective. Tracking companies have refused to honor the “Do Not Track” button. And Google Chrome’s “Incognito” mode and Internet Explorer’s “InPrivate Browsing” mode won’t protect you from being tracked. Those settings simply prevent other people who use your Web browser after you to see where you’ve been online.

And so, in order to prevent the most common types of tracking, I ended up loading up my Web browser – Mozilla’s Firefox – with a bunch of extra software. It sounds like a lot of work, but most of this software can be installed in a few minutes. Here’s what I used:

• I installed “HTTPS Everywhere,” created by the Electronic Frontier Foundation and the Tor Project. This tool forces your Web browser to use encrypted Internet connections to any website that will allow it. This prevents hackers – and the National Security Agency – from eavesdropping on your Internet connections.

• I also installed Disconnect, a program created by former Google engineer Brian Kennish, which blocks advertisers and social networks, such as Facebook and Twitter, from tracking which websites you visit.

• And finally I set my default search engine to be DuckDuckGo, a search engine that doesn’t store any of the information that is automatically transmitted by your computer — the IP address and other digital footprints — so DuckDuckGo has no way to link your search queries to you. That means DuckDuckGo won’t auto-complete your search queries based on your previous searches or based on your physical location, as Google does. So you’ll have to be a little smarter about your searches, and remember to bookmark the pages that you visit often, to save time.

After browsing with my ungainly setup for nearly a year, I found a Web browser that had all the features I wanted built in — called WhiteHat Aviator. It has built-in HTTPS Everywhere, it doesn’t retain or sell your online activity, and it uses Disconnect to block trackers from advertisers and social media companies. Its default search engine is DuckDuckGo.

It’s built by a computer security firm called WhiteHat Security, but it hasn’t been audited by any computer security experts yet, as far as I can tell. So use it at your own risk (and currently you can only use it on the Mac OSX operating system). But I’ve been using it for a few months, and after some bugginess in the beginning, I’ve started to enjoy the unusual feeling of having privacy as a default setting.