Change Your Online Habits
The topic of "changing your online habits" is a big one, but as I said in the introduction, this chapter of the site/book is dedicated to teaching you how to fish - that is, rather than giving you a to-do list, it's about teaching you to recognize things and make your own informed decisions.
Phishing & Clicking Links
Speaking of fishing, let's start there. Phishing historically has been and remains one of the top ways to gain unauthorized access to a specific machine, account, or network. Phishing occurs when a person clicks on a link and either enters information or downloads a payload that gives a malicious actor access to an account or device, which they can use to access the data on that machine or the network the machine is connected to. Typically this link-clicking occurs in the form of an email that appears to be legitimate, such as an email that appears to be from your bank asking you to confirm account details. Those details are actually logged by a hacker who now has your bank login information. Or it could be a text seemingly from your mother saying "here's a link to some old pictures I found" and it's actually a virus.
Phishing could also come in the form of a link on a website that appears to be legitimate. This is why ad-blockers are so important. In the early days of the internet, it was common to search for a specific piece of software (such as a codec to play a certain type of video) and stumble on a website with an ad that says "click here to download your codec!" when in reality the true link was further down the page. This is called "malvertising," or "malicious advertising," and using an ad-blocker is a critical part of preventing this type of deception.
In the case of direct messages, there are a lot of ways actors pretend to be someone they're not. Many of them are easy to see through. The email may say it's from "Chase Bank," but looking at the actual email address quickly reveals that it's from "email@example.com," clearly not your actual bank.
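The display-name check described above can be automated over an exported inbox. This is an added example, not part of the original text; the `KNOWN_SENDERS` table, the function names and the sample headers are assumptions made for illustration.

```python
from email.header import decode_header, make_header
from email.utils import parseaddr

# Assumption: names you recognize, mapped to the domains they really send from.
# "chase.com" is illustrative; fill in the domains your own providers use.
KNOWN_SENDERS = {"chase": {"chase.com"}}


def domain_allowed(domain, allowed):
    """True for an exact match or a genuine subdomain of an allowed domain."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def check_from(raw_from):
    """Classify a From: header value as 'ok', 'mismatch' or 'unknown'."""
    display, address = parseaddr(raw_from)
    # Display names may be RFC 2047 encoded (=?utf-8?q?...?=), so decode first.
    display = str(make_header(decode_header(display))).lower()
    domain = address.rpartition("@")[2]
    for name, allowed in KNOWN_SENDERS.items():
        if name in display:
            return "ok" if domain_allowed(domain, allowed) else "mismatch"
    return "unknown"  # no recognized name is claimed, so the check says nothing


# Constructed sample headers, not taken from real mail.
SAMPLES = [
    "Chase Bank <email@example.com>",                          # the case above
    "=?utf-8?q?Chase_Bank?= <alerts@chase.com.example.net>",   # lookalike domain
    "Chase Bank <alerts@secure.chase.com>",                    # real subdomain
    "Aunt Carol <carol@example.org>",                          # no bank claimed
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{check_from(header):9} {header}")
```

An "ok" result only means the name and the address agree; a message sent from a genuinely compromised account passes this check.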
Sometimes a technique may be more complex: a hacker may have gained access to a relative's account (usually through phishing) and then send an email from them, appearing totally legitimate in every way. In cases like this, your best defense is to be cautious. If something seems out of character, contact the person and ask about it. If your notoriously serious aunt sends you a funny video, ask her if that was actually her. If your bank sends an email requiring confirmation of something, ignore the email and go straight to their website. If it's legitimate, the same warning will pop up when you log in or be waiting in your messages. If you're still not sure, contact their support team and ask.
Another important digital habit to change is the handing out of information. I'm not opposed to sharing your life or picture online. I have a personal Mastodon account where I share my day-to-day and I even have a selfie as my profile picture. But think about what you're sharing and what it reveals. Back in the early days of social media, it was common that people would publicly share that they were going on vacation for a week, so criminals in the area would find their house and rob it while they were gone. That exact crime may or may not live on, but the principle still does. One woman had a stalker find her because she took a selfie where the street sign was visible. Again, I'm not saying don't share things online, but be mindful of what information is visible in the photo, such as a company logo on your shirt or financial information in your screenshot.
Sharing Information (Continued)
Additionally, when I say "handing out of information," that includes actual information. Try this experiment: next time you sign up for a website or pay for something online, try submitting as little as possible. Try filling out just your email address and password. It will likely stop you from moving on and ask for some more information, but you might be surprised exactly what information is optional. It may not need a last name, or maybe the phone number is optional. You should view every website as a data breach waiting to happen, and anything that isn't a password or card number is probably not encrypted, so the less personal information you hand over the better.
When it comes to handing over that information, have false information ready to go. I have three important caveats to that: first, don't commit fraud. Don't give your bank a fake address when applying for a loan. Second, don't screw someone else. Don't use an actual home address where some poor person you've never met is going to get your spam mail. Third, don't be stupid. Don't give your doctor a fake phone number; they need to actually be able to contact you. But when someone asks you for information, ask yourself "do they really need this piece of information?" If the answer is no, use a fake phone number (your area code plus 867-5309 works in a lot of situations). For an address, I recommend using an apartment search site to find a large complex and then using that address without an apartment number. They already get tons of spam and mail from previous residents, so it would go unnoticed. Ideally you would just not hand anything over, but sometimes the information is required in order to continue even though it's not actually needed. In those cases, use your fake information to continue.
While I am opposed to mainstream social media services for a number of reasons, I understand that sometimes you have no choice in using them. My recommendation would be to not use the apps whenever possible, post as little as possible, and make your profile as private as possible.
If you feel the need to have social media, try checking out the decentralized and more privacy-respecting Fediverse. This is a volunteer-run, peer-to-peer social networking system, and one of the coolest things about it (in my opinion) is the way it interacts universally. Imagine if you had a Twitter account but wanted to follow someone on Instagram. In mainstream social media, you have to sign up for Instagram. On the Fediverse, you can follow them from your own platform even without having an account with that service. For Twitter fans, I recommend Mastodon. For Instagram fans, PixelFed. Facebook users might feel more comfortable on Friendica and YouTube users might find new content on PeerTube.
Delete any and all unused accounts. This includes old Myspace accounts, old emails, and services you signed up for once and never used again. If you can't delete an account for whatever reason, change its password to a secure one and hold onto it somewhere safe.
Mindful Digital Correspondence
Also remember that even with encryption, no online communication method should be considered secure for a variety of reasons. You never know if the person is going to print it out and share it or leave their messages open while they step away from their device briefly. Be careful what you send digitally, even if it is properly encrypted. There is always a risk.