How to stay safe online: Personal Information
A REPORT into the positive economic impact of universal digital inclusion by Doteveryone [pdf], highlighted the pressing need to support people not just in getting online but in gaining the computer literacy levels needed to effectively make use of online services.
As the Government continue with their "digital by default" strategy, the report explains how helping people acquire these skills is "important not just for individuals but also for the wider economy" and that "the government, businesses, and individuals are at risk of losing out substantially" if people remain digitally excluded.
- Filling out online application forms
- Making a booking or purchase
- Access online services
- Register on and use a social website
So in this section we'll look at the situations when we might be entering personal information into websites and how to make sure we're doing this safely.
Protecting your information
One of the best ways to stay safe is to be prepared, and often that means knowing what we're likely to come up against before it happens.
In terms of protecting our information online, there are three main things to be really aware of:
- Where we could be entering your information into an unsafe website
- Where an otherwise safe website could pass on our information
- Where an otherwise safe website could expose our information to others
Let's look at those three in more detail.
Entering information into unsafe websites
As is the case with scam emails, replica and fake websites may seem to sell goods or services - but rather than selling us a product they simply collect our information to use or to sell on for fraud.
This is a pretty opaque tactic and the best way to avoid it is to only shop with websites we know and trust.
Stick to big names like Amazon, Tesco, Marks and Spencer or Debenhams for example - and access them either by typing their addresses directly into the browser, or by finding them on a reputable search engine and clicking through from there.
As well as helping prevent the risks that may come from using small retailers or online outfits that we don't really know anything about, it'll help cut down on exposure to replica site scams in which fraudsters exploit our trust of those safer big name brands to harvest our details.
Many scammers now use adverts on social media sites like Facebook and Instagram to lure us in, and while the Internet is full of "good buys" and "discounts", if something sounds too good to be true it probably is and we're better off avoiding it.
If we do feel the need to investigate, clicking away or opening another browser window and going directly to the site ourselves may seem like additional hassle, but it's worth it to avoid the potential risk.
What help is available
HTTPS and the padlock
Legitimate websites know people are wary about shopping online and will use security certificates to help ensure consumer confidence.
While VeriSign is probably the most well known provider of such certificates, there are plenty of others which all work more or less the same way.
When we head to a shopping website's checkout, we should be transferred to an encrypted connection. We'll know this has happened because the web address in our browser will change from "http" to "https", and we should also see a padlock appear somewhere near the address bar.
HTTPS means that any information we enter will be sent encrypted, so hackers can't intercept the data transfer and access our information.
Make sure to look for the "padlock", and don't be afraid to check the security certificate of any site you buy goods or services from is valid - click on the padlock, which should bring up a window like that shown above.
Credit card fraud liability
The majority of credit card providers subscribe to an industry guideline called the Lending Code.
The Lending Code sets out maximum liabilities for cardholders who fall victim to fraud, whether online or otherwise.
The guidelines state that where fraud is committed without a cardholder's knowledge or consent, they cannot be held liable for more than £50.
Some credit card providers go even further than this, by offering "Internet fraud guarantees" with zero liability when the fraud takes place online.
The result is that it's usually safer to pay by credit card when shopping online if we possibly can.
Section 75, a piece of consumer credit law, is another good reason to use a credit card when we can. If we buy something online and it fails to turn up, arrives damaged or is not as described, the credit card provider is held equally liable with the supplier for the full purchase price.
Whether paying online by credit or debit card, the "3D secure" services provided by Visa and MasterCard offer some further protection against fraud online.
They're not foolproof: in fact, all they protect against is unauthorised use of our cards with participating merchants.
But they do provide an extra level of protection, in the form of a request for a preset password in addition to our other credit or debit card details when shopping online with particular retailers.
PayPal buyer protection
It's worth being aware, however, that using PayPal removes our Section 75 consumer protection, even though we may well be paying PayPal with a credit card. That's because we're adding a third party into the supplier > credit card provider chain, and Section 75 only applies to direct purchases.
However, PayPal often comes into its own when shopping on smaller sites and, of course, eBay.
The main benefit of PayPal is that it hides our payment details from the company or person we're buying from, which means our personal information stays safe.
PayPal also offer their own "buyer protection", which guarantees our money back if we run into problems such as those mentioned under the Section 75 protections.
What you need to do
As we've covered, safe browsing often means visiting sites we know and trust.
As mentioned above, the best way to do this is by manually entering the web addresses of sites we want to visit into our browser; if we don't know the address, use well known search engines like Google, Yahoo! or Bing and search for the company name.
It's not unheard of for some bad websites to slip through the net, but generally speaking search engines are pretty good at detecting spam sites and hosted malware, and Google will flag up suspected sites.
Using some of the tools we've mentioned in part two on browsing, such as Norton Safe Search - a search engine powered by Ask.com - will help to protect us further.
Double check the web address
It's also worth double-checking the domain name - is it what we could expect it to be? Is it spelt correctly? Make sure you're on "amazon.co.uk" and not "amazona.co.uk" or "amazon.a.com" for example.
Like email phishing scams, we can also come across replica sites occasionally just by browsing in the wrong places too. Sites can be made that replicate trusted online shops, such as Amazon, as well as banks.
Secure your wireless network
Before we start doing next year's Christmas shopping in the sales, it's also worth double-checking that our wireless network - if we're using one - is secure too.
Wireless networks can be hacked into and the information we send and receive whilst online can be intercepted if our network is left open (something worth bearing in mind when using public wi-fi to connect a mobile device as well).
Find out more about how to prevent this in our guide to securing a wireless network.
Where a website could pass on your information
Then there are the websites that seem completely above board but do things with our information that we might not like. This is a tricky one to spot and can require a bit of digging around on any site asking for our data.
Of course, fake and scam websites probably won't stick to the law, but checking privacy policies is the way to be sure about what happens to our information on sites that fall into the middle ground - say, legally operating companies that are on the borders of being unscrupulous, unethical or just not very consumer friendly.
These websites may well provide a good service, but then sell on or otherwise distribute our information to partner companies, who may begin to contact us with advertising offers, or in worse case scenarios signing us up to paid services on the quiet.
There's a good example of this from 2007, when Interflora passed on customer details to a company that automatically signed them up to a shopping discount program charging £8 a month for membership.
Many customers were completely unaware of this until they noticed the money being taken from their accounts.
"If you are a new or existing customer, and where you permit selected third parties (such as Webloyalty, as described below) to use your Personal Information, we (or they) will contact you by e-mail, mail, telephone, SMS or other means."
So far, so good.
Interflora then set out the terms of consent for this information to be passed on. This involved not much more than agreeing to permitting "select third parties" to access personal information, as mentioned above, then clicking on a button offering details of a discount voucher.
At this point, the following applied:
Basically, the online equivalent of looking at the money off coupon that came with the receipt tied people into whatever Webloyalty wanted.
What you need to do
That includes any one or more of the following:
- Our name
- Email address
- Mobile number
- Home address
- Home phone number
- Payment details (like our credit or debit card number)
Most sites will have a couple of check boxes near the boxes for our contact or payment details, asking us to opt in or out (usually out) of the company's marketing campaigns, and one allowing them to pass our details to other companies.
Frustratingly, these aren't consistent: some will ask us to opt in to one or both, others to opt out, and some particularly annoying sites will ask us to opt in to theirs but to opt out of their third party list.
Read the information by the checkboxes carefully before ticking or not.
Where a website could expose your information
The first time we register and create a profile with Facebook anything we post will not only become visible to anyone with a Facebook account, but our profile will be made accessible to public search engines.
A study carried out by Get Safe Online for 2016's Safer Internet Day found that 23% of social media users have never updated their privacy settings, with 58% of those users saying they didn't know how to.
In fact, research carried out by Consumer Reports in June 2012 revealed that 28% of users were sharing almost all of their posts with more than just their connected friends.
That could of course mean that people are simply sharing posts with friends of friends - but there are also those sharing with thousands of people they've probably never met.
Since we first wrote this article, Facebook have updated their stance on privacy to make the options for users much clearer - but we're still not sure why the site doesn't lock more down by default - surely for a "personal" profile, the opt-in should be on publication, not privacy.
Indeed, a research paper written in February 2014 [pdf] highlighted that there were 17 different settings to consider, making it difficult for users to get a handle on exactly how private their profile and posts would actually be.
Additionally, research from GetSafeOnline found that only 50% of UK Facebook users had secured their personal information using the highest available settings, and just 25% had done so on Twitter.
So when using social media sites two of the most important things to constantly keep in mind are, "who can see this information I'm entering?" and "am I going to be sharing this information with people I don't want to?"
There are plenty of guides online as to how to set Facebook privacy settings, as well as Facebook's own dedicated safety centre and privacy settings page.
So we won't go into how to set each setting in this guide.
Instead we'll look at a few examples that highlight the importance of learning and using privacy settings in Facebook, as well as simply being aware of the importance of considering what information you are sharing or even publishing in the public domain.
One potential danger of inadvertently exposing too much information on social media sites or personal blogs is identity theft.
A 2013 article by The Independent highlighted the need for social media users to become more "information vigilant" in light of the hacking of 250,000 Twitter accounts.
The article pointed out that when such hackers gained access to social media accounts, they also accessed enough information to commit identity theft and fraud.
James Jones from credit reference agency Experian was quoted as saying "Criminals typically need just three pieces of data to commit ID fraud so any unauthorised access to an online account is bad news."
Neil Monroe from Equifax was also quoted in the article:
"Many people would be shocked to know how little information criminals need to be able to steal an identity."
It's not difficult then to imagine how a public or unprotected social media account is putting its owner at risk of exposing too much personal information.
It's not just children who are vulnerable to personal security online; criminals, fraudsters and predators can target a whole range of vulnerable or simply unsuspecting adults using the Internet socially.
Don't reveal your location
Hitting the headlines in April 2012 was a new iPhone app called "Girls Around Me".
The App combined information from FourSquare - a social location-based review site - and Facebook accounts.
The premise of the application was that it "scans your surroundings and helps you find out where girls or guys are hanging out. You can also see the ratio of girls to guys in different places around you."
Even more worrying, it also claimed "In the mood for love, or just after a one-night stand? Girls Around Me puts you in control!"
Unsurprisingly the app came in for a lot of criticism over privacy and personal safety, and FourSquare blocked the app from accessing its location data.
While this is a somewhat extreme example, and it was taken offline by the data providers almost as soon as it was launched, it does highlight the danger of revealing our location on social media sites.
Or that you're going away
Burglars are another good reason not to give away our whereabouts.
Not revealing online when we're out of town, or planning to go on holiday, has been one of the most crucial safety tips since the dawn of the Internet, and before.
Nowadays, even posting photos of our house or tagging its location are Internet safety no-nos.
Do you know who you're talking to?
It's not just revealing where we are in real life that poses a danger though. Simply communicating with people we don't know online poses a personal safety risk too.
The 2010 "Facebook film" Catfish became popular for highlighting just how little we really know about the people we meet online.
What you need to do
Set Social Media privacy settings
The moment we register for an account with Facebook or Twitter, we need to check and set up our security and privacy settings - before posting any information or photos.
In Facebook, that starts by hiding our profile from search engines. This means it will only be possible to find our profile via Facebook itself, not Google or Yahoo!
Then look for the setting allowing us to hide the information we enter from all but people we confirm as friends. Again, this setting isn't on by default, so it's worth spending some time making sure our profiles are only visible to people we know and trust.
There are a few other privacy settings to be aware of on Facebook, and some on Twitter too - so it's best to check out a dedicated guide.
Here are some options:
- Facebook's security centre: here
- Facebook's privacy page: here
- Twitter's privacy page: here
- Sophos best practices for identity protection on social media: here
Are they your friend in real life?
Despite increased awareness of the risks involved, in 2016 researchers in Auckland, New Zealand found that 61% [pdf] of Facebook users would accept friend requests from strangers.
As we've seen, it can be difficult to know if the people we meet online are who they say they are, and adding people we don't know to our social media accounts can mean we're sharing personal information with people who might take advantage of it.
It might sound nanny-ish, but stay safe by only connecting with people you know in real life.
Facebook does allow people to share different amounts of information with different groups of people. We can choose to share more with close family than with the people we went to school with, for example.
That said, even when we know someone we should still be careful about what we share with them: when we comment on another user's posts, for example, it's their privacy settings that dictate who can see our response.
That means that even if our own profile is locked down, we may still be leaving a trail of information via our interactions with less guarded individuals and companies - which we should consider carefully when contacting companies and brands via their Facebook pages.
There's no benefit in having the most "friends" or connections on Facebook, and lots of people have chosen to leave the site all together with many citing privacy concerns or feeling over-exposed.
Be careful about what you post
Aside from not being rude or setting out to offend people, there are certain other things we shouldn't do on Facebook, which include not giving away:
- Our location
- When we're going to be away from home
- If we're at home alone
- Our full birthday
- Our email and home address
- Where our children or grandchildren go to school
- Photos of our home
- Photos of our possessions
- The same or other personal information about friends and family
In 2009, a poll from Sophos found that nearly 100% of users post their email address, 89% of users in their 20s gave out their full birthday, and between 30% and 40% of users published data about their family and friends.
As we've seen criminals only need three pieces of information to steal an identity, so a combination of just a few of the details listed above can make our identity and financial details vulnerable.
Also be careful when it comes to giving away information that could reveal clues about passwords or other security information, such as questions used to confirm identity with our bank or other companies.
High up on the list here are things like our mother's maiden name, a first pet's name, and the street we grew up on, among others.
Choose a strong password
Choose a different strong password to go with each account you create online.
Strong passwords typically consist of a mixture of upper and lower case letters, numbers, and even punctuation where allowed.
It's difficult to remember multiple passwords, especially if they're genuinely strong (read: difficult to crack), and to come up with fresh ones for every account, but there are secure programs available that can help.
Mac OSX has a built in Keychain Access utility, which can remember usernames and passwords for websites and programs and enters them automatically for us. Passwords stored are protected by our main Mac login.
Windows users will have to download a separate program, but there are free options available, such as KeePass.
Each year SplashData publish a list of the most commonly used - and therefore the worst - passwords from the past 12 months.
Here's 2016's top ten:
The list remains remarkably constant from year to year, showing that many people still haven't got the message about strong password protection.
Lastly, if we ever experience online harassment on the Internet, through social media or otherwise, the most important thing we can do is tell someone, and try to block any further contact if we can.
It may be painful, but it's also important to keep a record of the communication in case we need to escalate the problem to a mobile or Internet provider, or the police.