Your Guide to Online Privacy

No foil hat or thermal-image-cloaking hoodie required.
Photograph by Daniel Scott for Bloomberg Businessweek

Should you tape over your webcam? Is it OK to use your computer’s operating system, or do you have to run Tails? And what the hell is Tails? Unless you’re a high-profile target—and you’re probably not—you can take some simple steps to block hackers. Etc. asked one of Bloomberg’s cybersecurity reporters to outline your options below on a scale from “sane” to, with apologies to the former National Security Agency contractor, “Snowden,” who recently and perhaps understandably took tweezers to his phone.

Try Two-Factor Authentication: “Factor” No. 1 is your normal password. No. 2 is a one-time code that’s texted to you. All major internet-based services—e.g., Google (google.com/landing/2step), Twitter (support.twitter.com), and Facebook (facebook.com/help)—offer this feature. It’s the most basic step you can take to protect yourself.

The importance of two-factor authentication got Silicon Valley’s attention when journalist Mat Honan, who didn’t use the technology, was hacked in 2012 and wrote about the experience. Honan’s attackers posted racist and homophobic messages from his Twitter account, took over his Gmail, and commandeered his iCloud account, deleting everything from his Apple devices.

Download an Authentication App: Google Authenticator (support.google.com) bypasses the need for a code to be texted to you. The app syncs with Google’s servers and generates a code that exists only there and on your phone—nothing is sent that can be intercepted. Another app, Duo Security (duo.com), is free for consumers and starts at $1 per month for businesses. Facebook and Twitter have in-app authenticators; Snapchat uses Google’s and Duo’s.

Put a Security Code on Your Cell Phone Account: Two-factor authentication makes it hard for hackers to hit most people. But it has a flaw: If hackers call your cell phone provider and trick a representative into changing your SIM card number to one in a phone they control, they can capture those authentication codes and lock you out. Major cell-service providers will let you add a PIN code or password to your account, which anyone would need to make changes.

This happened last month to Black Lives Matter activist DeRay McKesson, whose Twitter account was hijacked by hackers who used it to endorse Donald Trump and “confess” to McKesson’s almost 400,000 followers that he wasn’t black.

Clear Your Cookies: Browser cookies don’t just enable the creepy ads that follow you around the internet; hackers can intercept them, too. Documents from Edward Snowden’s cache showed that the National Security Agency has even used cookies to identify and track its targets. Clearing cookies resets this process and forces snoops to restart. Look for the option in your browser’s settings menu. Go a step further and clear your entire browsing history, which will get rid of cookies and any stored files.

Beware Public Wi-Fi: Before you’re even online, your laptop is talking to the Wi-Fi network, and that dialogue is vulnerable to attack, says Nico Sell, co-founder of encrypted-message app Wickr. That goes for encrypted sites, too: Just because you see “https” in a web page address bar doesn’t mean you’re safe. Yong-Gon Chon, chief executive officer of consulting firm Cyber Risk Management, says using public Wi-Fi is “like your computer having a one-night stand—you don’t know what you’re going to walk away with.”

Subscribe to an Identity Theft Monitoring Service: Protection services used to be glorified fraud alerts, which you can get for free. Now services like AllClear ID ($14.95 per month; allclearid.com) and LifeLock (from $9.99; lifelock.com) look for your personal info on hacker forums and monitor for false insurance claims filed in your name.

Message on an End-to-End Encryption App: Many messaging apps provide end-to-end encryption, so anyone intercepting traffic (including the app’s maker) sees or hears only gibberish. Try WhatsApp (whatsapp.com), Signal (whispersystems.org), or Wickr (wickr.com). WhatsApp and Signal can be compelled by law enforcement to produce information about who’s talking to whom. Wickr can’t; it runs on a type of network that prevents the company from keeping those records.

Tape Over Your Webcam: In June, Mark Zuckerberg posted a photo of himself at his desk on Facebook in celebration of Instagram’s reaching 500 million active monthly users. Later, someone pointed out on Twitter that Zuck’s MacBook had tape over its camera and mic jack. Security experts have long urged potential targets to do this to prevent adversaries from secretly recording every move and sound. There aren’t many known cases of this, but GQ reported that young women have been filmed naked or having sex, and then extorted.

Invest in an Audio Jammer: These are white-noise machines on steroids, calibrated to project speechlike garble in the same spectrum as a person’s voice to foil eavesdropping devices. The Rabbler Noise Generator ($365; brickhousesecurity.com) is a good choice.

Go All Cash: Bank and credit card statements provide a vivid record of spending and travel habits; retailers send price, location, and time information to financial institutions. The good news is debit and credit transactions are processed so quickly that stores don’t share more than they have to. They jealously guard the more granular information they collect—specifically, the products you buy—in the hope of monetizing it someday. So at some point in the future, those statements will be even more vivid.

Run Tails: You can boot up Tails, a free, open source operating system (tails.boum.org), on a PC or a Mac. It routes browser and e-mail communication via the Tor network, which anonymizes it to defend against traffic analysis. If a program tries to connect to the internet directly, and not through Tor, it’s blocked.

Wear Sunglasses: Wickr’s Sell, who wears sunglasses for public appearances, says, “There are no pictures of my eyes on the internet—but even if one slips, one picture of my eyes is better than 1,000.” Sell wants to give profiling algorithms as little data as possible; she says there’s a lot of it in the distance between our eyes.

Buy a Bug Scanner: Bug scanners seem like something out of a spy movie, but with surveillance equipment getting tinier and tinier—fitting into car keys and electrical outlets, Snowden says—real security pros use them. If you’re concerned that your home, foreign hotel room, or office is being monitored, check out the pen-style radio-frequency bug detector from KJB Security Products ($245; limited quantities at walmart.com).

Fly Like a Security Pro: The best way to ensure that your luggage isn’t tampered with might be to pack a gun in it, says a security expert who goes by the name Deviant Ollam. He explains how a quirk in air-travel regulations requires that when you fly with a firearm, it must be checked in a bag that no one else can access. This differs from regular luggage, which must use Transportation Security Administration-compliant locks that agents can open. Ollam says he declares the gun at check-in and shows it isn’t loaded; rarely, he adds, does anyone inspect it or the other contents of his luggage—and when they do, he’s present, which is the point.

Dismantle Your Smartphone: In his Vice News interview in May, Snowden showed how to make a smartphone “go black” using tweezers to pluck out cameras and mics. His decision was not unreasonable, considering his predicament, but it might be more aggressive than you need to be. Still, going full-Snowden would be a great conversation starter, one you could be confident no one else would listen in on.

Tip: Save Your Money
Many of the most provocative antisurveillance measures have little practical use

All kinds of accessories and clothing—wallets, coats, purses, pants—promise to block radio-frequency identification (RFID) signals. These products make people feel good, because they prevent hackers from scanning the airwaves and snatching the codes associated with driver’s licenses or passports. But there are limitations to what a hacker can do with that information. An RFID code alone typically doesn’t tell a hacker much; he would need to associate it with another data set (say, the names of passport holders to whom the codes correspond) for the keys to be useful. Some types of credit cards can be cloned through the airwaves, but there’s little point in buying a new wardrobe to protect such information.

You also don’t need a face mask or “invisibility” glasses that use infrared to blind surveillance cameras at night: They do block night-vision cameras from capturing your image, but they’re the opposite of discreet, replacing your head on film with a ball of white light. People sell hijabs and hoodies, too, that they claim block drones’ thermal-imaging equipment. Intelligence services use a range of data points to target drone strikes, however, from cell phone signals to human sources—not just heat signatures.

(Corrects Deviant Ollam's area of expertise in the 17th paragraph.)