Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

Manage Your Mobile Privacy

Everything I’ve discussed so far about online privacy applies when you’re using a computer to access the internet. Your smartphone or tablet is also a computer that can connect to the internet, and I’ve called out a number of issues that affect mobile devices as much as their desktop counterparts (including private web browsing and email access) But mobile devices pose additional, unique challenges:

Smartphones—along with some tablets and smartwatches—connect to cellular data networks, which increase your privacy in limited respects but put you at greater risk in other ways. I discuss these issues in Cellular Data Considerations.
Because your mobile device is much more likely than your computer to be with you all the time, the fact that it (and, by extension, other entities on the internet) can determine your physical location can become a problem. See Location Awareness.
Your mobile device is also a camera! In fact, it may be your main camera. If you take photos or videos of anything, ahem, sensitive in nature, you now have to think about whether or under what circumstances they might be automatically uploaded to the cloud. I talk about that in Photos and Videos.
Do you back up the data on your mobile device? I hope so! But some methods of backup could inadvertently expose your private data to hackers. Read Mobile Backups for details.
If you’re traveling across international borders, all your electronics—but especially your mobile devices—may be subject to scrutiny, putting your privacy at risk. See the sidebar Privacy and International Travel to learn more.

Cellular Data Considerations

When your smartphone or tablet happens to be connected to a Wi-Fi network, the same rules apply as for any other device—barring the availability of WPA3 encryption, you should use a VPN to connect to the internet (see Prevent Snooping). But when you’re using your carrier’s cellular network (LTE, 4G, or whatever), you have to worry about some additional problems.

Your SIM Card

First, consider your device’s SIM card, which specifies its phone number, carrier preference, and so on. A report published in February 2015 revealed that Gemalto, the world’s largest SIM card supplier, had been hacked and its SIM card encryption keys stolen, with the result that security agencies in the United States and Britain might have the capability to decrypt any information—phone calls, text messages, or data—sent or received by any of countless millions of mobile users (see GCHQ and NSA Collaborate to Steal the Keys to Your Cellphone). The company conducted an investigation, and the resulting report makes the situation look considerably less dire than initially feared. In the worst case (if Gemalto’s claims are correct), attackers could have the capability to compromise 2G connections, but not 3G or later.

Nevertheless, I mention this story to point out that numerous factors influence your privacy—including things entirely out of your control like the security of the company that manufactured your phone’s SIM card. Assuming, however, that your SIM card’s encryption key was not in fact compromised, the content of most of your cellular communication is almost certainly much more secure than data transferred over an open Wi-Fi connection.

If you don’t think that’s a safe assumption, you can download apps that use their own encryption for voice calls—but the person on the other end of the conversation will need a compatible app too. I mentioned Silent Circle and Signal earlier; you can also use apps that provide their own encryption for text messages (such as Apple’s Messages when used with Apple ID accounts). And you can use a VPN on your mobile device to protect data transfers. But all these things will make your phone harder to use for everyday activities.

Supercookies

In 2014 the public learned that two large mobile carriers in the United States—AT&T and Verizon Wireless—had been using a technology nicknamed supercookies to track all the websites users visited while using their mobile phones on cellular networks and sell that data to advertisers. Unlike regular cookies, supercookies can’t be blocked or deleted, because the carrier inserts these unique identifiers between the time a request for a page leaves your device and the time it’s sent to the server.

Almost as soon as this news broke, AT&T claimed it had only tested the feature briefly and was no longer using it. However, whether using that specific technology or not, AT&T still, by default, collects “Customer Proprietary Network Information” (CPNI) and uses it for marketing purposes; it’s opt-out only. (For details, read What is my CPNI and Why Does AT&T Want to Share it?.)

Verizon, meanwhile, tried to spin supercookies as a beneficial feature, but under public pressure, finally agreed to let its customers opt out. You can read more about the controversy, and the steps to opt out if you use Verizon, in How to Say “No Thanks” to Verizon’s Supercookie, by Josh Centers at TidBITS. (Several months later, Verizon announced it was using supercookies to provide targeted advertising via AOL’s ad network. You can still opt out, but Verizon doesn’t make it easy.)

Even so, there’s no guarantee that other carriers aren’t using technology like supercookies, and the nature of these tracking mechanisms makes it nearly impossible for an ordinary user to figure out whether it’s happening. In addition, there’s nothing special about mobile carriers in this regard; any internet provider could use a mechanism like this to track its users. Unfortunately, this lack of transparency means there’s nothing you can do to protect yourself preemptively, but if you discover that a provider you use is employing something like supercookies, you’ll know to opt out immediately.

Proximity-Based Logins

If you own an Apple Watch and a recent Mac running macOS 10.12 Sierra or later, you can configure your devices such that your Mac unlocks automatically when you come near it while wearing your Watch. Because this trick stops working if you remove your Watch from your wrist, it’s reasonably secure. But comparable capabilities offered by third-party apps for your iPhone or Apple Watch could potentially betray your privacy by unlocking your Mac without a password. Here are a few examples of such apps:

Knock is a pair of apps—one runs on your iPhone (with an optional Apple Watch component) and the other runs on your Mac. After you set it up, as long as your phone is within a few meters of your Mac, you can unlock your Mac (except when you initially turn it on) and respond to administrator password requests by merely knocking twice on your phone.
MacID also uses an app on your iPhone (also with an optional Apple Watch component) and a companion app on your Mac. Unlike Knock, the iPhone app requires you to use Touch ID to unlock your Mac, which makes it more secure than systems like Knock. It can also automatically lock your Mac when you move away.
Sesame 2 combines a Mac app with a keychain fob. Whenever you bring the fob into proximity with your Mac, it unlocks—no iPhone (or knocking) required. Sesame 2 also locks your Mac when you move away from it, regardless of your sleep/screen saver settings.

All these apps require a 2012 or newer Mac with Bluetooth 4.0 LE support. Knock and Sesame 2 assume that their respective proximity sensors (your iPhone or key fob) will remain safely on your person at all times. That’s their biggest weakness—anyone who got hold of the object that serves as a key could unlock your Mac and thereby have access to all your data.

So, Knock or Sesame 2 might be worth considering if you have little or no sensitive data to protect, and MacID (if properly configured) could possibly be helpful even for people with a slightly higher risk. But think carefully before using any of these products, because their added convenience can also increase your vulnerability.

Granting Apps Access Permission

Third-party apps on your mobile device may ask for permission to access your contacts, calendars, and other private information for various reasons. In most cases, such requests are legitimate—for example, if you’re using an VoIP or instant messaging app, you may want it to be able to look up your contacts’ phone numbers or email addresses. However, apps have been known to overreach, requesting access to data that’s truly none of their business. (In one recent example, mobile games were found to be using devices’ microphones to determine what TV shows the users were watching—even when the games weren’t being played.) And, once an app has your data, there’s nothing stopping it, in principle, from sending that data to the developer, to advertisers, or to other parties.

My advice, as always, is to be suspicious. Your default response, when an app asks you for permission to access private data, should be to say no; if that causes problems later, you can always change your mind. If you’re unsure which apps can currently access what, it doesn’t hurt to check. (On an iOS device, go to Settings > Privacy and then tap a category, such as Contacts or Calendars, to specify which apps can access that type of data. For Android devices, see Control your app permissions on Android 6.0 and up.)

Location Awareness

Mobile phones and other devices that use wireless data are constantly connected to cellular networks—even when you’re not using them. So, the mere act of carrying a mobile phone or other device that uses cellular data networks reveals your approximate physical location to the carrier, because the carrier knows which cellular tower(s) your device connected to. Depending on the circumstances, more exact details (including GPS coordinates) might be transmitted. Location awareness is part of the very nature of cellular communication: cellular networks can’t operate without it, and if you use a cell phone, you can’t avoid it.

That wouldn’t be terrible if cellular providers guarded your location data carefully. They don’t—in fact, the three biggest carriers in the United States sell location data pretty freely. The ease with which someone can obtain that data is shocking. (And, as I write this, U.S. carriers are supposedly starting to clamp down on this practice.)

Realistically, though, most people have little to fear from that location data, except perhaps for a greater number of location-sensitive ads. A much bigger privacy concern, in my opinion, comes from your mobile apps, many of which will ask your mobile device for its location in order to provide maps, driving directions, traffic reports, real estate listings, weather reports, or any of countless other pieces of information. The photos and videos you take are almost certainly geotagged with your location when you took them. There are also the Find My Friends and Find My iPhone features of iOS devices (and comparable features on other platforms), which let you track your own device or someone else’s (with their permission) in near-real time. And the list goes on.

All these things are useful, and most people have no reason to turn them all off en masse. But you can’t know for certain what happens to that location data. Maybe the app developer uses it for something sinister, maybe they resell it, or maybe it falls into the wrong hands through hacking or other means, and someone discovers your location who has no business knowing it.

So consider curtailing apps’ privileges to know your location if:

You need to keep your location secret for personal or professional reasons.
You think you might be individually targeted for a crime (including property crimes when someone can tell you’re away from home).
You find location-based advertising creepy and intrusive.
You can’t think of any valid reason a particular app should know where you are.

The exact procedure for restricting apps’ access to your location data varies by operating system and version. On an iOS device, go to Settings > Privacy > Location Services. There, you can either turn off Location Services entirely or restrict it on an app-by-app basis. You can also tap Share My Location to control whether and with whom Find My Friends shares your data. For Android devices, see How to Turn Off Google Location Awareness on Android Mobile.

Another aspect of location awareness involves your device’s Wi-Fi MAC (media access control) address, which is continually broadcast when Wi-Fi is enabled. Because this address is unique to your device, any receiver within Wi-Fi range could know when your device is nearby (and, depending on your actions or what information has been collected previously, could associate that address with you personally). Even though recent versions of iOS and Android use a technique called MAC address randomization to change this address regularly (which should reduce the possibility that you’ll be personally identified), that feature is significantly broken and exploitable on both platforms. The only way to be certain no one can identify you is to turn off Wi-Fi completely (which I don’t recommend because of the significant inconvenience that would cause).

Photos and Videos

I already mentioned that your mobile device most likely geotags your photos and videos, which can tell you (or anyone else who has the files) where you were when the photos or videos were taken. Although that can sometimes be a privacy issue, a more common problem is controlling who gets to see your photos in the first place.

It’s increasingly common for mobile camera apps to offer instant syncing of your photos to the cloud. That’s tremendously convenient and useful, as it eliminates tedious manual steps, gives you an automatic backup, and makes sharing simpler. However, the fact that your images are stored in the cloud means that anyone with your username and password could potentially download all your photos and videos too. It has happened to celebrities, and it could happen to you, too. In fact, even without your credentials, there’s always the possibility that a clever hacker could access your data somehow, or that your cloud hosting company suffers a security breach.

Of course, no one else should have your username and password. You can make it much more difficult for someone to guess it by choosing a long, strong, random password (I offer more detailed advice in Take Control of Your Passwords). You can also turn on two-factor authentication or two-step verification (see the sidebar About Two-Factor Authentication) if your cloud provider offers it.

Nevertheless, if you take photos or videos of an intimate nature—you know what I’m talking about here—it’s not worth taking chances, and I suggest that you turn off all automatic photo syncing features.

iOS devices have two distinct built-in features that sync photos to iCloud and from there, to your other devices: My Photo Stream (which stores up to the last 1,000 photos you’ve taken) and iCloud Photo Library, which syncs all your photos from the Photos app. To stop using them, go to Settings > iCloud > Photos and turn off everything you see there. But note that third-party photo apps may have their own syncing settings. For example, the Dropbox app can grab photos from your camera’s photo library and upload them to Dropbox. So look through your apps for all such features and turn them off if you’re concerned about keeping your photos private.

For other mobile platforms, the story varies from one device or app to the next. On an Android device, look in the settings for your photo-syncing app(s) (such as Amazon Photos or Google Photos).

Mobile Backups

Even if you disable cloud syncing of photos and videos from your mobile device, those images—along with your calendars, contacts, email, documents, and other data—may be backed up to the cloud. In general, that’s a good thing. I’m a huge proponent of backups, and for a mobile device, automatic, wireless backups to the cloud are by far the easiest way to get the job done. However, just as someone with your credentials (or someone who has hacked into a server) could download your synced photos, someone could download a backup of your data, restore it to a new device, and have full access to everything.

As with other aspects of mobile security, making sure your password is strong is an absolute necessity, and using two-factor authentication can only help. If the data on your phone is extremely sensitive, however, you might choose to forgo cloud backups and instead back up directly to your own computer.

If you have an iOS device, you can turn off Settings > Your Name > iCloud > iCloud Backup > iCloud Backup to stop backing up to iCloud. The alternative is to back up your data to your Mac or PC (via USB or Wi-Fi) using iTunes as a conduit. That requires more manual effort, and proximity to your computer, but it avoids storing a backup copy of potentially sensitive data in the cloud. In iTunes, select your device, and in the Backups portion of the window, select This Computer under Automatically Back Up. (It’s a good idea to select Encrypt Device Backup, too, and enter a good password.) For Android devices, see Back up or restore data on your Android device.

Privacy and International Travel

International borders pose significant challenges for travelers with electronic devices such as laptops and smartphones that may contain private data (in other words, pretty much everyone). When entering the United States, for example, customs agents are permitted to examine electronic devices for any reason or no reason. If your device is encrypted (as it should be!), the agents may ask for your password, and if you don’t supply it (which you should not) they may impound your device temporarily for forensic examination, even if they have no grounds to prevent you from entering the country.

Appallingly, some travelers have also been asked for the passwords to their social media accounts at the border as a way of checking whether they’re the “right” sort of person to enter the country. So, with or without access to the data on your devices, your online privacy may be at risk when you cross the border.

Whether or not such behavior is legal or justifiable, it happens—and you, as the traveler stuck in the customs line, have little recourse. Although I can’t offer any solutions to this problem, I can mention some ways people have chosen to address this situation:

If you use 1Password, enable Travel Mode to remove passwords from your devices before you reach the border.
Encrypt the data on all devices and then turn them off before you get to the customs checkpoint; that way, they’re less vulnerable to exploits that might examine their active RAM, and can’t be unlocked with just a fingerprint or face scan. Decline requests for passwords, even if they mean giving up your devices temporarily.
Securely erase all the data from your devices and then reinstall virgin operating systems before traveling. That way, a customs agent can examine an unlocked device, but there will be nothing to find. Data can later be restored from a backup or cloud storage.
Use a “burner” phone and a cheap laptop when traveling, so that they can be erased or ditched without major consequences.

For further discussion of this problem, see A Guide to Getting Past Customs With Your Digital Privacy Intact at Wired, Can Border Agents Search Your Electronic Devices? It’s Complicated. at the ACLU, or Getting Your Devices and Data Over the U.S. Border by Geoff Duncan (who edited this book) at TidBITS.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for Manage Your Mobile Privacy

Create new playlist

Sign In

Sign Up