I cover a lot regarding your personal information security on my Privacy page — for your interest, shared-learnings, and transparency in how I respect and protect anything you share with me.
I’ll publish more articles on this subject too because, although you may not have had any bad experiences yet, it is of increasing importance in a connected world.
The internet has enabled, and somewhat inspired, a global reach for bad actors and overzealous organisations — so good people need to know how they work, to stay safe from exploitation and protect everyone’s right to privacy.
Below are some of the things I use and recommend, to make a habit for security-by-design, and make our setups safer and worry-free by default.
For a start, you should be viewing this page with
https, a 🔒 padlock icon in the address bar, and only on the URL https://www.marcusquinn.com (or possibly a translator URL if you use one).
Https means our connection, and data being transferred, is encrypted. The data you see being transferred is only (practicably) visible to me and you.
Secure connections are a start, but not the whole story for data security — and can be a false sense of security. So, I shall endeavour to cover some other helpful security measures, both for this website and many of your common online safety needs.
Often websites will say they are secure, based or referring only to this aspect of connection — which is almost default nowadays, very easy to offer as most platform and hosting setups will configure this anyway, and it’s usually a one-time setup — it’s the absolute minimum of security acknowledgements you should expect.
For your reassurance, this website is only available on a secure connection, and any messages or email addresses, names and details submitted here will only be received over that same secure connection.
I actively avoid using any 3rd-party hosted services that would otherwise be able to see, and therefore store, readable copies of your data. They can’t use what they don’t have, and we know that data is so cheap to store it can be kept indefinitely, and used far beyond our imagination and memory for what we share where.
Think of this principle and choice being similar to that between laminated toughened safety-glass, and untreated standard glass — they can both be broken with an amount of force. If you have a choice, avoiding breakage is the first preference in lowering the risk of potential harm. The safest environment in the event of any breakage is one that does not have scattered shards, and is largely quick to recover.
Self-hosted software (your computers, devices or virtual private server), is the first preference to have in avoiding 3rd-party duplications of your data — this is lamination to contain your data fragments with your immediate reach.
Open-source, peer-reviewed software is toughened by design — because, as is often said; obscurity is not security, and ignorance is not a protection.
I also prefer and recommend separating your use of products and services that engage in data-driven marketing from those that you use to store data. This I hope will become common-sense for more people over time, and ideally become a regulatory requirement — for separation of responsibilities in companies that are still operating as one with these conflicting multi-faceted and data-mining funded services.
This is a common one; we assume, or perhaps are educated to be naturally biased in thinking we are insignificant in the grand scheme of things, with safety in a crowd. This is just not true now. You have value, your time, and money, is typically finite — and some seek more value from others than they offer in return. Exploitation of this innocence can yield significant profits quite nicely. This is done by playing the numbers game in specifically targeting crowds arbitrarily — otherwise known as audiences or users — and even more creepy when you hear a talking-head refer to people as our users, like a drug pusher.
So! I have written here on this subject specifically to offer verbose and transparent explanation in the areas of security. All the legal pages on this site are for both your reassurance, and onward awareness to question a little more those sites, services, and people that may not offer similar with their services. Certainly, all security information should be written in a frank and open way that you can read, understand, and any layperson should be able to make reasonable decisions and choices based upon knowing.
We will assume nothing and start from there. I offer my insight, you choose what, if anything, to share of your own. If we can help each other with comfort in this knowledge, then we have a more secure relationship than anywhere you might not be so sure if the balance of information is equitable.
Data protection & policy transparency
There’s still quite a lot more you need to know and trust about your data recipients, concerning their security competencies and data-handling. This, of course, is a big part of the inspiration for the recent, and now synonymous, European GDRP data-protection and transparency regulations.
We are well-advised to learn more about data protection because the search engine technology can already recognise; at least your site’s acknowledgement of GDPR compliance, and over time will be able to recognise if your actual processes are compliant with the total and accurate transparency spirit of it too.
The simplest possible summary of GDPR and its objective, is that anything that is considered personally identifiable information, and that data being stored, should be optional, or opt-in — as opposed to opt-out. Hence, all those Accept or Reject pop-ups that plague us, and there’s a large school of though that suggests this should be a global browser setting to save us all that interruption and bandwidth.
Encryption at rest
The real question, differentiator, and much harder thing to do with data that you should be looking for, is an assurance of what we call encryption-at-rest.
This is not a default setup for most platforms or devices, and is challenging and costly enough. Encryption has further considerations in backup, searching, and restoration — so much so, that probably still only a small percentage of people, organisations, and devices do this.
There is one family of devices that now comes with this by default though, in their advocacy and promotion of their user privacy protections, and is familiar and easy enough for everyone to use, and that is any Apple device. Apple’s latest operating systems, macOS and iOS, use what they call FileVault — and specifically FileVault 2.
Thankfully, privacy has now become a feature, and although Apple isn’t perfect by a long stretch of the imagination, their direction, and defaults are generally a good baseline for what you should aim for with any alternative platforms too.
Anything stored on a cloud service will typically not use encryption-at-rest by default. It is up to you to assess the value and security expectations for that data, and preferably use at least private keys stored in your password manager, two-factor authentication, and ideally open-source and peer-reviewed encryption wrapping mechanisms, such as Cryptomator. It’s up to you to assess the value of your data privacy to you, but an awareness of these things and options to protect is necessary to minimise your chances of any accidental or malicious leakage.
If you don’t already use a password manager, you really, really should!
Browser default password managers are pretty basic and the minimum possible protection, only in that they make it easier to use different passwords on all websites without remembering them. A dedicated application and browser extension will always be better — they will sync across devices and different browsers, and you can update your device to use these instead for handy autofill, too.
Two/multifactor authentication (2FA/MFA)
Again, I’ve written more on this subject for business on the same subject, and it’s highly recommended reading to include in your awareness of the same in the Password Security Policy 2FA/MFA section at Brandlight.org.
2FA is a time-cost and faff for even us techies — but you can make it faster and easier by using a Password Manager that has a
TOTP field for saving the 2FA key alongside your user/password. This makes it quicker to save and enter into login pages all through one application or extension, and the data is easily portable if you later want to change password manager for any reason.
If you don’t already know, here’s a handy tip for tracking your email address usage with a little habit I encourage when subscribing to any website — add a
+ to your email address and identifiable tag.
We’ll use my website email as an example: .
We need to add
hello and before
And it can be anything, for example: .
I'll only use that email address on this page, so if you email it, I'll get it — with no additional setup on my side than creating that link here — and I'll know where you found it.
It doesn't matter what you add, you should still receive the email, as most modern systems support this syntax. The difference being because it is unique, you can both; easily create email filter rules to handle those emails specifically for filing or ignoring or whatever, and wherever you use
+somethingunique you will know where you submitted that email address to!
If you start receiving emails from an unexpected source to this
+somethingunique address, you know it was shared, or otherwise somehow leaked. If that then causes you any nuisance, you can contact the original recipient of that unique email address to complain — or just block emails to that only address, without losing any others.
Spammers are of-course aware of this too, and might strip it out, but most probably don't, since that's effort and they are usually spamming with minimal effort for maximum attempts.
You could also mitigate this kind of data-harvesting and spamming by always using a
+something in your email address, and having filter rules to mark anything without
+ i the
To: field as unimportant, or moved to a folder called
Unknown or similar.
You've probably been using your email address for a while. This could be undesirable, but it is an option. It would be a reasonable habit you can to start now, and it is certainly a good habit to have if you create a new email account to give your inbox a fresh start.
This is largely an option for home users. Handy if you travel a bit and use public (or commercial) Wi-Fi or are away from your home country. It isn't an unjustifiable cost or inconvenience if you feel you may be targeted in some way by scammers, exploitation profit-seekers or unscrupulous snoopers.
Money, and the pursuit of it, can do funny things to people. Privacy for your potential value to these sorts of targeting is a little more protection because your internet traffic is invisible to your local internet service provider. Often the weakest link in security is the integrity of those that have privileged access.
The latest iteration in this technology for security and speed is called WireGuard, and their website explains that in more detail.
WireGuard is an open-source technology development, but doesn't offer the service directly. You can search for "WireGuard VPN" in your favourite search engine to find providers.
In my research in this area for businesses, I like the features and declarations of security and privacy by AzireVPN — but there are many others if you are shopping around. Just be aware, they can vary significantly in price, speed, policies, and reliability. Not all online reviews are unbiased, especially when VPN is a common area for professional affiliate marketing, with a financial interest in your research leading to a subscription regardless of their objectivity.
DNS (Domain Name Servers)
This sounds techie, like something only website people might need to know, but every computer and router needs a DNS service to find other places on the web. Yours is likely to, also, for the current state of the internet at-least.
Your computer, phone, and router all have a settings page for DNS, and will usually have what looks like a random number in with this 123.456.789.000 format.
Do no evil
Of course, this phrase was (amusingly at the time, and perhaps more ironically now) included in Google's original founding mission statement. It has now become both infamous, and somewhat increasingly difficult to ensure, as their organisation has grown far beyond the comprehensions of any single person or principle.
It is also a principle we must all live by for a happy and meaningful life.
If you intentionally do wrong, you might not get caught or called-out straight away, or ever, but you will know — and responsibility will always be with you. Hence, I respect and live by my hard-working parents' good guidance in this area, and always advise anyone, in any decision-junction or optionality, that you always consider ethics in your choices and commitments.
Using ethics as your primary decision-making criteria will almost always yield you the smartest, reliable and most enjoyable products, services and partnerships.
Start with ethics as a prerequisite. If you can't find what you're looking for with ethical providers, you trust, then it may still not be the time to decide. It's always OK to just wait and see because behind every missed opportunity is often a better one, anyway.
With good intentions, respect for others and proactive protection of human rights, we can all do and create great things without causing harm or conflict. The best way to do make any decision is with transparency, dedication to principles of doing the right thing. Working to make sure we guide and perfect all we do to be good, lawful, and sustainable for the long term.
It is much harder to be 99% honest than it is 100% because that 1% takes a lot of additional effort to hide or repair — whereas a 100% transparent work ethic is relatively easy. It frees our focus for doing the good work that we can without distraction. So, as a promoter and dedicated enthusiast for efficiency, I can thoroughly recommend ethics as a guiding principle for an easier and more productive life anyway.
Ultimately, we all need trust to get anything done without analysis-paralysis, and I offer my trust, in our common social-exchange and contract, for expecting the same.
With all that, if you do wish to subscribe to my personal blog, I hope you can now do so with confidence in my guardianship of your personal and private data in our correspondence. Let's learn more on these subjects — for your needs, and onward sharing, to help others protect their good names, emails, personal security and right to privacy.
This is a free & open-source document ♎️
Copyright © 2020 marcusquinn.com. Permission is granted to copy, distribute and/or modify this article or parts thereof of under the terms of the GNU Free Documentation Licence, Version 1.3 or any later version published by the Free Software Foundation. A copy of the full licence is included in the link below, entitled "GNU Free Documentation License".
To follow my online adventures — with commentary on; creative technology, building a brand, ethical business, copywriting, ecommerce, blogging, SEO, data protection, privacy, and online security — find me on X.com…