Linux Security Fundamentals. David Higby Clinton
Can Escaped Genies Be Forced Back into Their Bottles?
Well, let me ask you this: have you ever successfully returned a genie to its bottle? I thought so. Unfortunately, it would probably be just as impractical to even try to find and delete all copies of stolen data that’s been spread across an unknown number of sites, including some on the dark web.
Even getting private references removed from search engine results can involve a long, uphill struggle with no guarantee of success. Thanks to the GDPR, European residents can request help from Google using the Personal Information Removal Request Form. But you can never be sure how that will turn out, and sometimes submitting your request can make things worse. Considering taking down an offending website? Are you sure you even know how to find all the copies? Are you aware, for instance, that the Internet Archive project (https://archive.org/web/), as of this writing, hosts historical versions of more than 376 billion web pages? I’ve actually used the project to recover lost data from 15-year-old iterations of my own sites.
What Can I Do as a User?
Here’s a good place to start: think carefully before posting anything on an online platform. Are you revealing too much about yourself? Will you be comfortable having your future employers and grandchildren read this 10 or 20 years from now? Try to anticipate the places your content might end up and what value it might have for people you’ve never met—people unconstrained by ethical concerns who care only about making money.
Be realistic about your data. Don’t assume that the contacts with whom you share files and information will be the only ones to see them. Even if your own accounts will remain secure, their accounts might not. And who says those friends or colleagues will respect your privacy preferences indefinitely?
Never assume the file storage or sharing platform you’re relying on won’t change its privacy rules at some point in the future—or, even better, that it’ll never decide to sell your data to someone else.
Finally, here’s one that makes a ton of sense and is absolutely obvious. But not only am I sure you’ve never done it, I’m confident that you probably never will. Remember those check boxes you’re required to click before you can open a new online account? You know, the ones that say something like this:
“I have read and accept the terms of the privacy policy.”
Well, have you ever actually read through one of those documents before clicking? Me neither. I mean, Google’s Privacy and Terms document (https://policies.google.com/privacy?hl=en) is around the same length as this chapter (and not nearly as much fun). Who’s got the time? On the other hand, reading it from start to finish would probably give you important insights into the real-world consequences of using Google services. It might even convince you to change the way you use its products. And reading the privacy documents for all the platforms you use would undoubtedly make you a better and safer consumer.
But we all know that’s not happening, right?
Establishing Authenticity
You’ve got a strong and active interest in distinguishing between what’s real and what’s fake in your digital life. Considering how much unreliable content is out there, making such distinctions might not be so simple. Many of the choices you make about your money, property, and attitudes will at least partly rely on information you encounter online, and you certainly don’t want to choose badly. So here’s where we’ll talk about ways you can test and validate content to avoid being a victim.
Think About the Source
Always carefully consider the source of the information you want to use. Be aware that businesses—both legitimate and not—will often populate web pages with content designed to channel readers toward a transaction of some kind. The kind of page content that’ll inspire the most transactions is not necessarily the same as content that will provide honest and accurate information. That’s not to say that private business websites are always inaccurate—or that nonprofit organizations always produce reliable content—but that you should take the source into account.
With that in mind, I suggest that you’re more likely to get accurate and helpful health information, for example, from the website of a well-known government agency like the UK’s Department of Health and Social Care or an academic health provider like the Mayo Clinic (https://www.mayoclinic.org/) than from a site called CheapCureZone.com (a fictitious name but representative of hundreds of real sites).
Similarly, you should consider the context of information you’re consuming. Did it come in an email message from someone you know? Were you expecting the email? Did you get to a particular web page based on a link in a different site? Do you trust that site?
By the way, I personally consider Wikipedia to be a mostly accurate and reliable information site that generally includes useful links to source material. Biased or flat-out wrong information will sometimes turn up on pages, but it’s rare, and, more often than not, problematic pages will contain warnings indicating that the content in its current state is being contested. And if you do find errors? Fix ’em yourself.
Be Aware of Common Threat Categories
Spam—unsolicited messages sent to your email address or phone—is a major problem. Besides the fact that the billions of spam messages transmitted daily consume a fortune in network bandwidth, they also carry thousands of varieties of dangerous malware and just plain waste our time.
Your first line of defense against spam is to make sure your email service’s spam filter is active. Your next step: educate yourself about the ways spammers use social engineering as part of their strategy.
Spoofing involves email messages that misrepresent the sender’s address and identity. You probably wouldn’t respond to an email from [email protected], but if he presented himself as [email protected], you might reconsider. At the least, recognize that email and web addresses can be faked. DomainKeys Identified Mail (DKIM) lets a sending domain cryptographically sign its outgoing messages so that a receiving mail server can verify that a message really was sent on behalf of that domain and wasn’t altered in transit. Note that a valid DKIM signature only proves who signed the message, not that the signer is trustworthy: a criminal can sign mail from a domain he controls. Spoofing of the visible From address is defeated only when the receiver also checks that the signing domain matches the From domain, which is what a DMARC policy (together with SPF) enforces.
Phishing attacks, which are often packaged with spoofed emails, involve criminals claiming to represent legitimate organizations like banks. A phishing email might contain a link to a website that looks like it belongs to, perhaps, your bank, but doesn’t. When you enter your credentials to log in, those credentials are captured by the website backend and then used to authenticate to the actual banking or service site using your identity. I don’t have to tell you how that can end.
Always carefully read the actual web address you’re following before clicking—or at the least, before providing authentication details. Spelling counts: gmall.com is not the same as gmail.com. Consider using multifactor authentication (MFA)
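The following Python script is an added example, not code from the book, that automates the three checks just described on a raw email: whether the DKIM signing domain (the d= tag) aligns with the visible From domain, whether the host shown in a link’s text differs from the host the browser would actually open, and whether any of those hosts is a lookalike of a trusted domain (gmall.com versus gmail.com). The message, the domains gmall.com and mailer.gmall.com, and the trusted-domain list are all constructed for the demonstration. The script does not verify the DKIM signature itself, which would require fetching the selector’s public key from DNS; it only checks alignment, which is exactly the point where DKIM alone falls short.

```python
"""Triage checks for a suspicious email: DKIM/From alignment, link text
versus link target, and lookalike domains. Added example; the message
and domains below are constructed, not a real phishing sample."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message with hypothetical domains.
RAW_EMAIL = """From: Gmail Support <security@gmall.com>
To: victim@example.net
Subject: Unusual sign-in activity
DKIM-Signature: v=1; a=rsa-sha256; d=mailer.gmall.com; s=sel1;
 h=from:to:subject; bh=abc=; b=def=
Content-Type: text/html

<html><body>
<p>We noticed a new sign-in. Please verify your account at
<a href="http://accounts.gmall.com/login">https://accounts.google.com</a>.</p>
</body></html>
"""

# Domains the user actually deals with (assumed list for the example).
TRUSTED_DOMAINS = ["gmail.com", "google.com"]

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


def org_domain(host):
    """Crude organizational domain: the last two labels (no public-suffix list)."""
    parts = host.lower().strip().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def dkim_tags(header):
    """Parse the tag=value; list of a DKIM-Signature header into a dict."""
    tags = {}
    for item in header.replace("\r", "").replace("\n", "").split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def check_dkim_alignment(msg):
    """DMARC-style relaxed alignment: the d= domain must share the
    organizational domain of the From: address. This does NOT validate
    the signature; that needs the selector's public key from DNS."""
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    sig = msg.get("DKIM-Signature")
    if not sig:
        return from_domain, None, False
    signing_domain = dkim_tags(sig).get("d", "").lower()
    return from_domain, signing_domain, org_domain(signing_domain) == org_domain(from_domain)


def edit_distance(a, b):
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(host):
    """Fold common homoglyph tricks (rn->m, vv->w, 0->o, 1->l) before comparing."""
    h = host.lower()
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        h = h.replace(bad, good)
    return h


def lookalike(host, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `host` imitates, or None. A registered
    domain within edit distance 2 of a trusted one (but not that domain or a
    subdomain of it) is reported as a lookalike."""
    registered = org_domain(host)
    if registered in trusted:
        return None
    for t in trusted:
        if edit_distance(normalize(registered), normalize(t)) <= 2:
            return t
    return None


def check_links(html):
    """Compare the host the reader sees in each link's text with the host
    the browser would actually open, and flag lookalike targets."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        target = (urlparse(href).hostname or "").lower()
        shown_match = HOST_RE.match(text.strip())
        shown = shown_match.group(1).lower() if shown_match else ""
        findings.append({
            "href_host": target,
            "shown_host": shown,
            "mismatch": bool(shown) and org_domain(shown) != org_domain(target),
            "lookalike_of": lookalike(target),
        })
    return findings


def triage(raw):
    """Run all checks on a raw RFC 5322 message and return the findings."""
    msg = message_from_string(raw)
    from_domain, signing_domain, aligned = check_dkim_alignment(msg)
    body = msg.get_payload() if not msg.is_multipart() else ""
    return {
        "from_domain": from_domain,
        "dkim_domain": signing_domain,
        "dkim_aligned": aligned,
        "from_lookalike_of": lookalike(from_domain),
        "links": check_links(body),
    }


if __name__ == "__main__":
    for key, value in triage(RAW_EMAIL).items():
        print(f"{key}: {value}")
```

On the sample message the DKIM domain aligns with the From domain, because the attacker signs mail from a domain he owns, yet the From domain is flagged as a lookalike of gmail.com and the link text (accounts.google.com) does not match the link target (accounts.gmall.com). That is the combination to train yourself to notice: a signature check passing tells you nothing about whether the signer deserves your credentials.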