Tag Archives: Calvin Pappas

What can Bitcoin teach us about privacy?

By now you’ve probably heard a little about Bitcoin or one of the other virtual currencies. You’ve probably heard about the price fluctuations, maybe about the connections with illegal activities, or maybe even new companies starting to accept them as payments. These are all great ways to start learning about Bitcoin, but what interests me the most is the potential positive impact on privacy.

Bitcoin has been around for over five years now and many are still trying to really get a good grasp on what it is. The best way to describe Bitcoin is that it is a protocol, similar to what powers your email or phone number, which uses a public ledger to record every transaction. So when I purchase a new computer with Bitcoin or even just give some to a friend, anybody in the world can see it happen in near real time if they are looking at the ledger. This makes the world a much more public place, but still gives us more privacy through pseudo-anonymous addresses and a decentralized system.

 

Pseudo-Anonymity

The biggest case for privacy in Bitcoin is the pseudo-anonymous transactions. When looking at the public ledger we can see transactions occurring every second, the exact amount in each address, any notes attached to transactions, and what address each transaction is going to. While everything is very public in the ledger, the addresses themselves are all random strings of letters and numbers to allow the owner of each address to remain private.

These random strings allow us to be anonymous, if we wish, as long as we make sure nobody knows what our address is. These addresses are something you can generate yourself without any need to connect with an email address or real name. You can then make payments or send Bitcoin to other people without ever having to give over personal information.

Some people may wish to publicize one of their Bitcoin addresses to allow others to send Bitcoin their way. This might be posted on a website, in an email, or even on social media so that others can see. For this reason it’s easy to generate multiple addresses that don’t need to be tied together in any manner so that you can remain pseudo-anonymous while still providing some public information.

 

Decentralized System

One of the most common themes seen in today’s technology news is breaches or hacks around credit cards. Most of the time there is a central company or website that has a collection of credit cards, names and addresses associated with them, and sometimes even the PINs to the cards. This presents hackers with a treasure chest of information to attempt to get their hands on. Using Bitcoin, all of the information remains in your hands, and any attempts to alter the transaction records and forge payments are instantly broadcast and seen by everybody.

There are many “wallets” for Bitcoin online, which allow users to quickly set up addresses and start using Bitcoin, but it’s important to make sure you utilize all of Bitcoin’s security and privacy settings by keeping things in your own hands. With any amount of Bitcoin it would be smart to send it to an “offline wallet”, or to addresses for which only you have access to the private key, which is similar to a PIN for a debit card. With an offline wallet it’s important to keep a backup of the private key and, if it is stored on a computer, to encrypt it so that nobody else can access it. The recommendation, however, is to print it and save it offline in a secure location like a bank or safe.

 

Bitcoin may be interesting to watch because of the investment opportunity and the stories of those who have become rich off of it, but the protocol itself opens up a lot of doors for privacy and security in the payment industry. By being able to anonymously send Bitcoin to anybody in the world, audit the entire system at any time, and keep the keys in your own hands, people should be able to feel more trust in a world full of breaches and hacks.

What does iOS 8 mean for privacy?

Apple just released the next version of its mobile operating system, iOS 8, to the world for all devices from the iPhone 4S and newer. iOS 8 introduces many new bells and whistles including mobile payments on the iPhone 6 and 6 Plus, health data, and many other features. While it will take a little while to get used to and notice everything new, we wanted to let you know of the improvements in privacy and security being made in this new mobile OS.

With a big push into wearable computing and health information on your devices, the need for improved privacy and security may be at an all-time high. The three main areas of concern we look at to see how well Apple is keeping up their privacy and security standards would be Apple Pay, device settings, and general data protection.
 

Apple Pay

Apple Pay may be the biggest news outside of the Apple Watch to be released in quite a while for Apple. Not only are they now enabling every new smart phone user to pay at over 220,000 brick and mortar stores with their phone, but they hope to do so in a much more secure manner.

With Apple Pay, you are enabling your phone to act as a payment service that connects to your credit card or bank account. Apple Pay actually takes this a step further and never stores your credit card information on the devices or servers, but rather generates one-time tokens that connect to your account each time you pay. This means that you’re never actually providing your real credit card details at the point of purchase, helping protect you from fraud.

 

Device Settings

Device settings have been mostly minor updates from one version of iOS to the next, and although the changes may seem small they can help put the privacy control back in consumers’ hands. In iOS 8, there are three updates that users should be aware of in the settings: default search engine, location data, and your contact list.

Apple is introducing a new option for default searches to satisfy the privacy-conscious crowd, using DuckDuckGo. DuckDuckGo is a privacy-oriented search engine that doesn’t collect information on your search terms or build a profile to target advertisements at you. In fact, the search engine doesn’t even keep track of what websites you visit through your searches. This enables DuckDuckGo to provide the most private search in a consumer-friendly manner. The one downside to DuckDuckGo is that your searches will not be tailored to you, so finding what you want may take a little bit longer.

Location data has always been one of two options prior to iOS 8, either always on or always off. With the introduction of iOS 8 however, there is now a new option to allow apps to only access your location while the app is running. This could prevent rogue apps from collecting and storing data about your location at any time of the day. This setting is configurable through the Location tab in the Privacy section of the settings app, although it does require apps to accept this as an option.

Finally, your contact list contains some of the most personal and private data you might have on your phone. There have been many examples of apps uploading and saving your contacts to their servers, and this was in part due to an all-or-nothing model for accessing contacts.

Contact information is necessary for sharing with friends, finding people to connect with, and other useful tools on your device, but it’s definitely not always needed in its entirety. For this reason Apple is now introducing better developer controls so that apps can request only certain parts of your contact list, such as just email addresses, or even search and get a single contact at a time. This benefits the user as they won’t need to hand over all of their data to every app, but rather only give away the information that is needed.
 

Data Protection

iOS 8 brings a large push towards health data and wearable computing to your devices. While these are great new tools, they also generate a lot of sensitive, personal information about you. To help keep this data safe, Apple is creating a protected, centralized location that requires specific access before apps can read the data. This allows you to control who you share it with.

Outside of data that devices are tracking on us, Apple has also taken steps to prevent third parties from tracking you based on your device. One of the most common ways companies would put together a profile on users was to associate behaviors, such as apps used or websites visited, with a MAC address, which is a unique string that each device has. This address acted as the key that put all the pieces of data together. Starting in iOS 8, your MAC address will become randomized whenever you are connecting to new Wi-Fi spots or apps are requesting your information. This should help make sure you stay more anonymous in the online ad tracking world.

Apple has made a great start protecting your data from hackers, trackers, and government agencies, but we need to remember that much of the control is in our own hands. It is highly recommended to set a unique password for each service you use, enable 2-factor authentication when you can, and pick obscure and hard to discover security questions to back up your account. One of the biggest vulnerabilities to our privacy is ourselves.

 

Check out our Twitter account at @AVGFree or follow us on Facebook at facebook.com/AVG to stay up to date with all the latest privacy and security news around Apple and other popular companies. If there is anything in particular you want to see more of, leave us a comment below or at one of our social media accounts.

Is it time you used two-factor authentication?

Two-factor authentication is an additional security measure that you can add to your online accounts to help keep them safe from attack and fraud.

“Two-factor” simply means that you need something other than your password in order to access your account. This normally comes in the form of a code generated by an app or sent to you in a text or email. Two-factor authentication means that should your password be compromised, your accounts are still protected.

You may be familiar with two-factor authentication for online banking, where it has been used for a long time to validate logins and safely set up transactions. Given its security benefits, many of the leading websites and services have enabled two-factor authentication for users. Google, for example, implemented the extra layer of security in early 2011, but many users still don’t realize that it is available.

While logging into accounts with two-factor authentication does require a little extra effort on behalf of the user, the extra layer of security does make it well worthwhile.

How to Set Up Two-Factor Authentication

In this example I will be setting up two-factor authentication on a Google account but similar instructions can be found for most popular sites such as Amazon, Dropbox and Facebook.

Before setting up two-factor authentication you need to make sure you have two things available. The first is a secure password, something you should already be using, on whichever services you use (although you should have a different password for each service for greater security). The second would be a device or application that can receive a code, most commonly a smartphone.

  1. Go to: www.google.com/settings/security
  2. Click “Set Up” under the 2-step verification menu
  3. Choose how you would like to receive your codes: SMS or codes
  4. Download Google’s Authenticator app for Android or iOS.
  5. Link your Authenticator app or device to your Google account using the code provided


Once you are set up for two-factor authentication it’s ready to go in the wild. The next time a new device or browser tries to access your account it will need your username and password like before, but then you will need to enter an access code PIN that is either texted to you or synced to the authenticator app. Once the username, password, and PIN are all entered correctly you are logged in.

Two-factor authentication is one of the settings we believe strongly in to help mitigate password hacking, because even if somebody does know your password they still can’t get into your account. It is important to remember, however, that there are other methods to get access to your information, so using this helps secure your password login but won’t guarantee all information is secure. This is a great step forward to better security and privacy of your data, and we highly recommend all users activate two-factor authentication wherever they can.

What does the future hold for our privacy?

Nothing is ever certain about our future, but when it comes to privacy, we can take a look at current trends and make some educated guesses as to what we will see tomorrow, next year, or even in 10 years’ time…

Looking at those trends, it’s clear that no matter how people’s privacy is violated and taken away, there will always be new tools to help protect it, combat those violations and, most important of all, keep people in control of their own privacy.

Innovation helps both sides of the spectrum and will lead to many games of cat and mouse moving forward into the future. To be more specific though I see two primary areas where privacy will be influenced the most in the future: anonymity and user owned data.

 

Anonymity

Being anonymous is one of the hardest things to do, if not impossible, in this day and age. With the prevalence of online tracking, government surveillance, and login systems everywhere it is very difficult to keep things to yourself unless you are willing to forgo the online world. While there are many services that start to offer “anonymous” services such as Secret and Telegram, there is always something that is connecting your device to the posts you do or the interactions you make. That’s why I see a future where pseudo-anonymity is commonplace.

Pseudo-anonymity would allow people to be anonymous to others and possibly to the application they are interacting with, but still be able to put together a profile and have an account. Adopting a pseudo-anonymous system has potential far beyond simple messaging apps and in something like Bitcoin, has the potential to really change the world.

In Bitcoin, everyone has a public address where you can see where Bitcoins are being sent to and from, and follow transactions very publicly, but you can’t actually identify the person that has the addresses unless they specifically tell you. This form of pseudo-anonymity is regarded as a positive step for privacy as it allows for direct audits and transparency of information while still letting individuals control their identifiable data.

Bitcoin is just one example of pseudo-anonymous technology, while even Facebook is taking steps to allow for Facebook login where apps cannot access your identity but rather just verify you are a person. It’s important, I think, to separate out the task of verifying users as real people from that of learning their identities. That way we can have quality services supported by real users but without them having to sacrifice their privacy. Pseudo-anonymity is a good bridge for these two things.

 

User Owned Data

Right now as you browse the web there are dozens of companies that are collecting information about what you search for, what pages you visit, what you watch, and more. These companies make inferences about you such as your gender, income bracket, and marital status. They then sell this information to advertisers who will try to serve you with more relevant ads so that you are more inclined to click on them. This is the current status quo but it relies heavily on inferences and guesswork, which means there is a limit to how accurate the information can be.

Currently many companies have tried to bring user control to this aspect of online data collection, but nobody has truly succeeded. To get users to willingly hand over their data to companies, there needs to be a high enough value proposition for the users. Facebook and Google do a great job of this currently by providing free services that we use every day in return for data to be used for advertising. Other companies are still trying to crack the code on what would be valuable enough to these users. Online advertising is still in a high growth phase though and has a strong outlook to expand and grow into the future. Once advertising matures enough, it may become worth enough for other companies to be able to provide proper incentives to users in return for access to their data.

While nobody can predict the future we can help build the future we want to be a part of. The next time you sign up for a site or enter a competition in exchange for your email address and phone number, consider what information you are really giving up, who is getting access to it, and how it will be used. If we want a future where we are all more in control of our privacy we must start to take better care of our data.

 

If you have any ideas of what would be ideal in your future for privacy, let us know in the comments or drop us a line on our Facebook page at https://www.facebook.com/AVG.