I have some unfortunate news for you: your data isn't safe. You don't have to panic or rip the Wi-Fi card out of your laptop, but you should know that not only is it not safe, but the fact that your data is potentially insecure isn't even surprising.
By its very nature, the act of getting online is a risky affair. It's easy for us to forget that because we often use the internet from the safety of our own homes, and we'll even warn people about the danger of using "public" access points instead of your definitely safe home network. However, even when you're dealing with big, security-minded companies, it's worth remembering that nothing makes it impossible for bad things to happen. And, in fact, depending on your definition, bad things are already happening.
Governments Are Spying on You
Ever since we first heard about the NSA's massive surveillance database, conflicting reports and statements have emerged and it's hard to pin down exactly what happens with any level of certainty (as you might expect from a top secret surveillance program). How much data is stored, how easy it is to pull it up, how often a human being interacts with your specific name and, perhaps most important of all, how much private companies voluntarily hand data over instead of fulfilling legal requirements are all things that we have trouble knowing for sure.
Here's what we can safely assume: some information either about or created by you is probably stored somewhere. According to the deputy director of the NSA, speaking to a House judiciary committee, the NSA is able to perform a "second or third hop query" to acquire information on a suspected terrorist. This means that in addition to requesting data from a suspect, the agency is able to pull data from everyone that suspect has communicated with, everyone those people have communicated with, and then everyone those people have communicated with.
If you'd like to get a sense of what that kind of scale looks like, take a look at this tool from The Guardian. Using an average number of Facebook friends as a metric, it can show how many people you can interact with by proxy up to three hops. For a single person with the average number of Facebook friends, a three hop query could potentially include over five million people. Multiply that by the number of suspected terrorists and your chances of staying off a server somewhere are probably pretty slim.
Whether or not your data is actually on a government server somewhere is a bit irrelevant. You can't know for certain, you can't press a button and erase it, and the only recourse you have for changing this fact is a political shift. I'm not here to tell you what you need to believe on the subject. That's up to you. What's not up to you is that — for now at least — once you step on to the internet, some data of yours is probably getting swept up. Even if you use burner phones and encrypt everything, there's still not much you can do to stop this. It's ok to be outraged by this, but after years of shady policies and leaked practices, it shouldn't be a surprise anymore.
Websites Get Hacked
Of course, the main reason that the last section hasn't convinced us all to drop off the face of the internet is because most of us don't tend to find ourselves looking down the barrel of a full-scale investigation. It's a very serious concern in principle (and in reality for a minority of people), but largely, we quietly accept it until election time and life goes on. What about something more tangible though?
Even if you're OK with government agencies collecting massive amounts of data for surveillance purposes, you probably don't want some random internet hacker to have access to your login information for major websites.
On that note, here's an incomplete list of major websites who have been hacked and had login information leaked over the last 18 months:
- Adobe was hacked and 150 million user account IDs and passwords were leaked.
- Dropbox was hacked leaving an undisclosed number of email addresses visible (and subsequently spammed).
- LivingSocial was hacked and 50 million names, email addresses and encrypted passwords were leaked.
- Cupid Media was hacked, leaving 42 million names, addresses, birthdays and plaintext passwords out in the open.
- LinkedIn was hacked and over 6.5 million hashed passwords were published. While the corresponding email addresses were reportedly not released, some of the hashed passwords were converted to plain text.
- Yahoo! Mail couldn't stop getting hacked for a period of a few months.
Now, in some cases, this isn't that big of a deal. Adobe immediately reset the passwords for everyone affected, and many of these hacks involve hashed passwords that are unlikely to be read anyway. However — and this is the important part — you'll never know which service you signed up with is going to get hacked next, nor do you know what security measures they use. Maybe when your account password leaks, it will be encrypted and reset immediately. Maybe it will be in plain text. Maybe you'll never hear about it at all. The one thing you can be pretty sure of is that even if nothing bad happens, if you're online long enough, some of your data will be accessible by people you don't want having access to it.
Of course, the potential damage is compounded if you use a common password, or re-use passwords on different accounts. We've talked before about how to use a password manager to help avoid the latter issue, yet easy-to-guess passwords still remain some of the most widely used. This actually means that if you practice good security habits, you might just be secure enough to not get eaten by that bear. However, as with the last section, it's not going to be a surprise the next time that you find a service you use got hacked. In fact, it will be a bigger surprise if, over the next decade, some piece of data belonging to you isn't leaked in a major hack.
Your Biggest Threats are Close to Home
Just like your house probably isn't going to get robbed by an elite team of international jewel thieves, chances are that most people aren't going to be interested in breaking into your Twitter account. Unless they know you, of course. If the person trying to get access to your data doesn't know you personally (and you're not a high-profile person like a famous business executive or a celebrity), then there are only so many motivators they can have for wanting to get into your accounts, and money is probably the biggest one.
However, for people you know personally? Well, the sky's the limit on why they'd want to see what's behind your password. Insecurity, jealousy, revenge, mischief, curiosity, thrill. There's a whole host of motivators for someone to sneak a peek at the Facebook account you left logged in or go through your text messages. Security is so often aimed at preventing the big bad hacker from getting access to your encrypted hard drive that we forget that something like 44% of people don't even bother using a PIN lock on their phone.
There's also the matter of data you send to others. Apps like Snapchat promise to make your data more secure by destroying it as soon as it's viewed or after a pre-determined time period. There's just one problem: it doesn't work. For casual use, it can be a nice way to ensure there aren't extensive records of everything you ever say, but at the end of the day, the old adage stays true: locks only keep out the honest.
Your Digital Life Will Go On
OK, so we've more or less established that your data isn't entirely safe in the hands of governments, corporations, friends or family. Wonderful. There has to be some good news here, right? As a matter of fact, there is. Your data is not now, never has been and never will be perfectly safe. And that's ok.
For starters, you can get by just fine without all of the internet services you use being 100 per cent bulletproof, much in the same way you can drive a car every day while accidents still exist. However, in the event that you absolutely have to make sure that some piece of data is safe, there is one person you can trust with your data: yourself.
We've talked before about how to build your own servers, create secure offline backups, lock down that sensitive information and hide special data you want to keep. The common thread among these techniques is that you maintain as much control over your data as you can and assume that any link in the chain that can be broken will be.
You'll never be 100 per cent safe as long as you're on the internet. You can, however, reach a point where you're as safe as you reasonably need to be. While it's tempting to get worried or scared when you hear about a looming conspiracy or a company that got hacked, just remember that online security isn't just about having the strongest lock. It's about using the right tools for the job and knowing when to take your data offline. And, above all else, don't panic when you hear that some scary policy is in effect, or some company screwed up with your data. It's not good when that happens, but it's not new either. Yet the internet lives on.