I cover a lot with regard to your personal information security on my Privacy page — for your interest, shared-learnings and transparency in how I respect and protect anything you share with me.
I'll publish more articles on this subject too because, although you may not have had any bad experiences yet, it is of increasing importance in a connected world.
The internet has enabled, and somewhat inspired, a global reach for bad actors and overzealous organisations — so good people need to know how they work, to stay safe from exploitation and protect everyone's right to privacy.
Below are some of the things I use and recommend, to make a habit for security-by-design, and make our setups safer and worry-free by default.
For a start, you should be viewing this page with
https, a 🔒 padlock icon in the address bar, and only on the URL http://marcusquinn.com (or possibly a translator URL if you use one).
Https means mean our connection, and data being transferred, is encrypted. The data you see being transferred is only (practicably) visible to me and you.
Secure connections are a start, but not the whole story with regard to data security — and can be a false sense of security. So, I shall endeavour to cover some other helpful security measures, both for this website and many of your common online safety needs.
Often websites will say they are secure, based or referring only to this aspect of connection — which is almost default nowadays, very easy to offer as most platform and hosting setups will configure this anyway, and it's usually a one-time setup — it's the absolute minimum of security acknowledgements you should expect.
For your reassurance, this website is only available with a secure connection, and any messages or email addresses, names and details submitted here will only be received over that same secure connection.
I actively avoid using any 3rd-party hosted services that would otherwise be able to see, and therefore store, readable copies of your data. They can't use what they don't have, and we know that data is so cheap to store it can be kept indefinitely, and used far beyond our imagination and memory for what we share where.
Think of this principle and choice being similar to that between laminated toughened safety-glass, and untreated standard glass - they can both broken with an amount of force. If you have a choice, avoiding breakage is the first preference to lowers the risk of potential harm — but the safest environment in the event of any breakage is one that does not have scattered shards, and is largely quick to recover.
Self-hosted software (your computers, devices or virtual private server), is the first preference to have in avoiding 3rd-party duplications of your data - this is lamination to contain your data fragments with your immediate reach.
Open-source, peer-reviewed software is toughened by design — because, as is often said; obscurity is not security, and ignorance is not a protection.
I also prefer and recommend separating your use of products and services that engage in data-driven marketing from those that you use to store data. This I hope will become common-sense for more people over time, and ideally become a regulatory requirement — for separation of responsibilities in companies that are still operating as one with these conflicting multi-faceted and data-mining funded services.
This is a common one; we assume, or perhaps are educated to be naturally biased in thinking we are insignificant in the grand scheme of things, with safety in a crowd. This is just not true now. You have value, your time and money is typically finite, and some seek more value from others than they offer in return. Exploitation of this innocence can yield significant profits quite nicely, and is done by playing the numbers game in specifically targeting crowds arbitrarily - otherwise known as audiences, users - and even more creepy when you hear a talking-head refer to people as our users, like a drug pusher.
So! I have written here on this subject specifically to offer verbose and transparent explanation in the areas of security, and all the legal pages on this site, for both your reassurance, and onward awareness to question a little more those sites, services and people that may not offer similar with their services. Certainly all security information should be written in a frank and open way that you can read, understand and any layperson should be able to make reasonable decisions and choices based upon knowing.
We will assume nothing and start from there — I offer my insight, you choose what, if anything, to share of your own — and if we can help each other with comfort in this knowledge, then we have a more secure relationship than any where you might not be so sure if the balance of information is equitable.
Data protection & policy transparency
There's still quite a lot more you need to know and trust about your data recipients, in regard to their security competencies and data-handling, which of course is a big part of the inspiration for the recent, and now synonymous, European GDRP data-protection and transparency regulations.
We are well-advised to learn more about data protection because the search engine technology is already able to recognise; at least your site's acknowledgement of GDPR compliance, and over time will be able to recognise if your actual processes are compliant with the total and accurate transparency spirit of it too.
The simplest possible summary of GDPR and it's objective, is that anything that is considered personally identifiable information, and that data being stored, should be optional, or opt-in — as opposed to opt-out. Hence all those Accept or Reject pop-ups that plague us, and there's a large school of though that suggests this should be a global browser setting to save us all that interruption and bandwidth.
Encryption at rest
The real question, differentiator, and much harder thing to do with data that you should be looking for, is an assurance of what we call encryption-at-rest.
This is not a default setup for most platforms or devices, and is challenging and costly enough — with it's own considerations in backup, searching and restoration — so much so, that probably still only a small percentage of people, organisations and devices do this.
There is one family of devices that now comes with this by default though, in their advocacy and promotion of their user privacy protections, and is familiar and easy enough for everyone to use, and that is any Apple device. Apple's latest operating systems, MacOS and iOS use what they call FileVault — and specifically FileVault 2.
Thankfully, privacy has now become a feature, and although Apple isn't perfect by a long stretch of the imagination, their direction and defaults are generally a good baseline for what you should aim for with and alternative platforms too.
Anything stored on a cloud service will generally not use encryption-at-rest by default, so it is up to you to assess the value and security expectations for that data, and preferably use at least private keys stored in your password manager, two-factor authentication, and ideally open-source and peer-reviewed encryption wrapping mechanisms, such as Cryptomator. It's up to you to assess the value of your data privacy to you, but an awareness of these things and options to protect is necessary to minimise your chances of any accidental or malicious leakage.
If you don't already use a password manager, you really, really should!
Browser default password managers are pretty basic and the minimum possible protection ,only in that they make it easier to use different passwords on all websites without remembering them - but a dedicated application and browser extension will always be better — they will sync across devices and different browsers, and you can update your device to use these instead for handy auto-fill too.
Two/multi-factor authentication (2FA/MFA)
Again, I've written more on this subject for business on the same subject, and it's highly recommended reading to include in your awareness of the same in the Password Security Policy 2FA/MFA section at Brandlight.org.
2FA is a time-cost and faff for even us techies - but you can make it faster and easier by using a Password Manager that has a
TOTP field for saving the 2FA key alongside your user/password. This makes it quicker to save and enter into login pages all through one application or extension, and the data is easily portable if you later want to change password manager for any reason.
If you don't already know, here's a handy tip for tracking your email address usage with a little habit I encourage when subscribing to any website — add a
+ in your email address and identifiable tag.
We'll use my website email as an example: [email protected].
We need to add
hello and before
And it can be anything, so `[email protected] for example.
I'll only use that email address on this page, so if you email it, I'll get it — with no additional setup my side than creating that link here — and I'll know where you found it.
It doesn't matter what you add, you should still receive the email, as most modern systems support this syntax. The difference being, because it is unique you can both; easily create email filter rules to handle those emails specifically for filing or ignoring or whatever, and wherever you use
+somethingunique you will know where you submitted that email address to!
If you start receiving emails from an unexpected source to this
+somethingunique address, you know it was shared, or otherwise somehow leaked. If that then causes you any nuisance, you can contact the original recipient of that unique email address to complain — or just block emails to that only address, without losing any others.
Spammers are of-course aware of this too, and might strip it out, but most probably don't, since that's effort and they are usually spamming with minimal effort for maximum attempts.
You could also mitigate this kind of data-harvesting and spamming by always using a
+something in your email address, and having filter rules to mark anything without
+ i the
To: field as unimportant, or moved to a folder called
Unknown or similar.
You've probably been using your email address for a while, so that could be undesirable but it is an option, it would be a reasonable habit you can to start now, and it is certainly a good habit to have if you create a new email account to give your inbox a fresh start.
This is largely option for home users but handy if you travel a bit and use public (or commercial) wifi or are away from your home country, and not an unjustifiable cost or inconvenience if you feel you may be targeted in some way by scammers, exploitation profit-seekers or unscrupulous snoopers.
Money, and the pursuit of it, can do funny things to people, so privacy for your potential value to these sorts of targeting is a little more protection because your internet traffic is invisible to your local internet service provider, where often the weakest link in security is the integrity of those that may have privileged access.
The latest iteration in this technology for security and speed is called WireGuard, and their website explains that in more detail.
WireGuard is an open-source technology development but doesn't offer the service directly. You can search for "wireguard vpn" in your favourite search engine to find providers.
In my own research in this area for businesses, I like the features and declarations of security and privacy by AzireVPN — but there are many others if you are shopping around. Just be aware, they can vary significantly in price, speed, policies and reliability, and not all online reviews are unbiased, especially when VPN is a common area for professional affiliate marketing, with a financial interest in your research leading to a subscription regardless of their objectivity.
DNS (Domain Name Servers)
This sounds techie, like something only website people might need to know, but every computer and router needs a DNS service to find other places on the web and yours is likely to also, for the current state of the internet at-least.
Your computer, phone and router all have a settings page for DNS, and will usually have what looks like a random number in with this 123.456.789.000 format.
Do no evil
Of course, this phrase was (amusingly at the time, and perhaps more ironically now) included in Google's original founding missions statement — and has now become both infamous and somewhat increasingly difficult to ensure, as their organisation has grown far beyond the comprehensions of any single person or principle.
It is also a principle we must all live by for a happy and meaningful life.
If you intentionally do wrong, you might not get caught or called-out straight away, or ever, but you will know — and responsibility will always be with you. Hence, I respect and live by my hard-working parents good guidance in this area, and always advise anyone, in any decision-junction or optionality, that you always consider ethics in your own choices and commitments.
Using ethics as your primary decision-making criteria will almost always yield you the smartest, reliable and most enjoyable products, services and partnerships. Start with ethics as a prerequisit, and if you can't find what you're looking for with ethical providers you trust, then it may still not yet be the time to decide — it's always OK to just wait and see, because behind every missed opportunity is often a better one anyway.
With good intentions, respect for others and proactive protection of human rights, we can all do and create great things without causing harm or conflict. The best way to do make any decision is with transparency, dedication to principles of doing the right thing, and working to make sure we guide and perfect all we do to be good, lawful and sustainable for the long-term.
It is much harder to be 98% honest than it is 100% because that 2% takes a lot of additional effort to hide or repair — whereas a 100% transparent work ethic is relatively easy. It frees our focus for doing the good work that we can without distraction. So, as a promoter and dedicated enthusiast for efficiency, I can thoroughly recommend ethics as a guiding principle for an easier and more productive life anyway.
Ultimately, we all need trust to get anything done without analysis-paralysis, and I offer my trust, in our common social-exchange and contract, for expecting the same.
With all that, if you do wish to subscribe to my personal blog, I hope you can now do so with confidence in my own guardianship of your personal and private data on our correspondence, and learn more on these subjects for your own needs and onward sharing to help others protect their good names, emails, personal security and right to privacy.
This is a free & open-source document ♎️
Copyright © 2020 marcusquinn.com. Permission is granted to copy, distribute and/or modify this article or parts thereof of under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation. A copy of the full license is included in the link below entitled "GNU Free Documentation License".
To follow my online adventures, with advice on creative technology, building a brand, ethical business, ecommerce and online security, find me on Twitter...