Description
Summary of the feedback up top; the whole email is included below.
IoT:
- Agrees with our recommendations, thinks we appropriately represent how terrifying they are.
Routers:
- Most people get their routers from their ISP and so should change their SSID along with their password and security key.
- Some routers from ISPs put a public SSID out for people who are on that ISP to plug into. Turn that off.
Both of these work for me.
VPN:
- He thinks that VPNs are worth it for anonymity and uses one continually. "HTTPS encrypts traffic on the wire, but doesn't hide endpoint info."
I think our guidance is good enough here and that we shouldn't switch recommendations.
Browsers:
- He says we don't mention Edge (but we do). He recommends Brave for tracking protection.
I'm okay mentioning it - a lot of people at 1P use it, for example - but I have heard some hinky stuff about Brave, especially with BAT and how that gets distributed. I still think Firefox should be our rec.
Webcams:
- Getting a privacy cover for a webcam.
Personally I think that this is overblown if you have a webcam that has an LED indicator, but it's probably not bad to mention. Personally I would put it in a Paranoia Alert section.
EULAs:
- They're scary and contain a lot of stuff you might not expect about how your data gets used! You should probably be aware of that.
His points are valid. I don't know if there should be a big deal about it, but it might be worth talking about going over TOS/EULAs/Privacy Policies near our "consolidate your services" guidance.
Bernie's feedback in whole:
Harold,
I think this is well written and well thought out. I agree with all the recommendations I saw, especially the ones about smart (IoT) devices. I'm frankly terrified by the potential abuse of them. Dana lectures about this; IoT devices are a stalker's best friend. Most people don't secure them and even if they do, IoT security is pretty lacking (to be generous). I got a really nice fancy IoT thermostat (essentially free from PSE&G), but I'm kind of reluctant to install it.
I'd add a few things to this paper:
In the section on routers: Many/most people get their routers from their ISP if they have a broadband connection (e.g. you and I get ours from Comcast). They come pre-configured to work out of the box and usually have a pre-assigned SSID and password (which you need to get started).
You should change these settings to your own SSID (often they have a startup that facilitates this for you) and password. You should also change the administrator login/password and the admin password should be different from your wifi password.
Some routers allow multiple SSIDs and some come pre-configured with 'public' ones. Comcast does this. Your router will also have an Xfinity wifi SSID unless you turn it off. This is how Comcast (or Verizon or RCN or Cablevision or whoever) can make the claim they have a gazillion 'public' access points. They do - and your house is one of them! Usually these require an ISP account (such as with Comcast), but often you can get into another ISP's network (e.g. Spectrum) using your Comcast credentials (they often turn off the credentials requirement during disasters). They share somewhat. Which is nice for us users, but a foreign entity is now inside your private network device. When I'm out and about I can often access Xfinity wifi in stores on my phone. No need to manually log in; iPhone does it all and I've got free wifi access without the store's knowledge.
Not as big a deal where we live, but in high density populations (e.g. high rise apartment building) bigger exposure.
On VPNs: everything they said is good, but I think if you value privacy and anonymity, they're worthwhile. HTTPS encrypts traffic on the wire, but doesn't hide endpoint info; a VPN makes you look like you're in LA or London or Paris (which can be useful for some things, amusing for others. Like getting Amazon prices in Euros). I use one on my main computer almost continually.
On Browsers: They're correct about Chrome, but don't mention Edge, which comes standard with every Win 10 PC. It's essentially the Microsoft version of Chrome. Really. Full of tracking, too.
If you want higher security and no #$%^ ads or tracking, the browser of choice now is Brave. I often use Brave with my VPN turned on and - voila! - no ads, no tracking. If I go to a commercial website, I don't suddenly see ads from them in my email sidebar. Bonus: it's faster.
On Webcams: This used to be commonly publicized, but in the Zoom/Covid era seems not. Get a privacy cover for your webcam and cover it when you're not using it. Late model laptops often have one built in, most external webcams have some sort of cover. You can buy stick-on sliding ones for older devices for a few $ online. Worth it.
On EULAs: They don't mention this, and it might freak people out, but the terms of service for most everything these days, the End User License Agreement, pretty much gives every vendor the right to look at all the bits that go through their apps in any way (sometimes more). So Google can read all Gmail messages, for instance. And they really do. It's bots, but they're still doing it. Virtually all free email systems do this as well as many other apps. It's all fodder for big data analysis for advertising. Or propaganda. In some cases, you can opt out of some areas (like sharing your data with their partners), but they don't make it easy and often an update will reset this. There really isn't much more you can do, especially given lax US law in this area (EU is a bit better. Asia mostly worse.)
If you want the convenience and utility of these apps (of course you do!) you're pretty much stuck. But better to be aware even if you tolerate it.
Enjoyed reading this. Always appreciate having my opinions and prejudices independently confirmed. :-)
Bernie