My Personal Information Was Stolen

1.3 What Can We Do to Prevent This?

We all need to take steps to protect our data from prying eyes. Let's hear from an expert on their top tips for keeping your information safe.

 

Transcript

Davis: Welcome back, everybody. In our last video, we heard a lot about hacking and who’s behind it, and how our data is getting stolen and shared on the dark web. And in this video, let’s talk a little bit about prevention. My name is Davis. I’m joined here by Erin, and my first question for this video for you, Erin, is: what is your number one tip to help people prevent this from happening to them?

Erin: Thanks, Davis. I think my number one tip is actually to practice something called data minimization. So this is really just us being selective about what data we give out and where we give it out and all of that. And so a good example, for me, would be signing up for a loyalty card program. Do you want to give over your actual phone number or email or your real name and birthday?

I think everyone’s got to do their threat assessment for themselves to determine what level of information are they comfortable sharing. So what I would do is, every time you’re getting ready to share a piece of personal information, just ask yourself, am I okay with this information being sold on the dark web? Because it might be and that might be okay, but you need to just be conscious about what you’re sharing, who you’re sharing it with, and if you’re comfortable with sharing it.

Davis: Thank you very much. I think it’s true that people’s risk assessments for themselves are very different, and I also want to just flag here that marginalized communities often suffer greater consequences from data breaches and all that stuff that’s happening. So as you’re working with patrons, that’s a good thing to be aware of, I think.

I also think that, much like other large-scale social issues — climate change, capitalism — oftentimes it falls on the shoulders of individuals to take precautions where these things are happening on a collective level. So I wondered, is anything being done on that collective level that you can share with us that could sort of provide us with some hope?

Erin: I don’t know how much hope I can share and provide. I mean, there are lots of organizations and lawmakers, you know, out there trying to do this work and trying to improve online security and privacy. The amount that they’re successful in that is debatable. I think the Electronic Frontier Foundation — EFF — is really a fantastic organization. They do a lot of lobbying and fighting for changes to the legal system. In the E.U., they passed a few years ago GDPR, which is a really sweeping privacy regulation.

Now the United States, though, doesn’t have any online privacy laws that impact everybody. There are some that are specific for minors and students, but instead here in the U.S., we have this piecemeal system where various states keep on adopting their own laws. But none of these laws are really fantastic. They help, but they have a lot of good intentions and the outcomes of those aren’t always fantastic.

So, for instance, you may have seen in the last year or so these cookie banners that pop up all over every single website. And that’s to be in compliance with GDPR and some of the other privacy laws that are out there. But, you know, the companies designed them to be pretty confusing. They pop up on every site and most of them you have to click like four times to turn off the cookies. And then even then you’re not sure if you actually turn them off or turn them on. I’ve talked to multiple people who work in the privacy realm within libraries, and all of us are pretty probably like you, which is just frustrated by it and so we just give up and don’t do anything. And that’s kind of the whole point. It’s this illusion of control, but again it puts that burden on you as the user to change that.

Ultimately the online world is paid by advertising, and the only way that that advertising has any value is if your data is freely given over. There are organizations working on it and creating laws, but it seems like as fast as they create laws, these businesses are also creating ways to kind of follow the letter of the law, but not really change their practices very much as far as how your data is collected. That’s at least what I’m seeing out there.

Davis: Yeah, that sadly makes a lot of sense. I’m going to just make a little sneak preview and say that in a future series, we’ll be talking about advertising and how and why those ads follow us along the web and what it means for our data, and what it reveals about our data. So it sounds like, in the absence of any collective response, we do as individuals need to keep plugging away at these things. So I wondered if you could just share more tips with us while we’ve got you here.

Erin: Yeah, for sure. I think my next tip would be to have good password hygiene. The best way to do this is to utilize a password manager. I think if you’re not using one already, there are several good companies out there. I highly recommend doing that. That allows you to actually utilize the random password feature. None of us can be expected to remember all of our passwords that we have out there. And because of that, it leads us to creating really simple passwords, and those are really vulnerable to these like brute force attacks, where there’s a password cracker and it’s just going in to guess those really easy passwords. If you set up a password manager, it takes some time and patience to get it set up, but it’s really worth it at the end.

I was able to take my mom and go from her deck of index cards that had all of her passwords on it to getting her set up in a password manager. I have access to her master password so I can help with that. And so there are pathways to help people get set up with something like that, which is a much more secure system.

I also recommend setting up multi-factor authentication. This is especially important for any accounts that you have that have sensitive information. Multi-factor authentication means that just your password alone isn’t enough to gain access. Oftentimes, you’ll log into your email, for example, but then you also have to have your fingerprint, a biometric, or your face, or it’ll send you a text and then you have to enter a code. It usually means like you have to have your phone unlocked in addition to having just your email password, so if someone gains access to that password they still can’t gain access to your account.

I recommend using that for your email, your banks, your social media accounts, so that nobody will actually be able to gain access fully to your account even if you have your data breached.

And the last is to really understand what phishing and smishing is all about and how to avoid falling victim to it.

Davis: Thank you, and, yeah, we’ll be talking about smishing and phishing in a future video series as well. So stay tuned for that. So, unfortunately a lot of us already have our information out there on the web, so in our next video we’ll be talking about what happens if your data’s been stolen and you find out about it. Say, your bank contacts you, or you notice that there’s been nefarious activity on your social media profiles. So we’ll be back for an episode on that, so stay tuned.

Further Reading

Relevant Terms

  • Data minimization

    The practice of sharing or collecting only the amount of personal information that is necessary to complete a specified purpose.

  • Threat Assessment

    The practice of determining the likelihood and seriousness of a potential threat, as well as the probability that the threat will become a reality.

  • Dark Web

    The part of the World Wide Web that is only accessible by means of special software, allowing users and website operators to remain anonymous or untraceable.

  • Password Manager

    A computer program that allows users to create, store, and manage their passwords.

  • Multi-factor Authentication

    A method used by online services in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. These systems often rely on an item that is known (e.g. a password) and something the user has (e.g. their phone).

  • Phishing

    The fraudulent practice of sending emails purporting to be from reputable companies in order to persuade individuals to reveal personal information like passwords and credit card numbers.

  • Smishing

    The fraudulent practice of sending text messages purporting to be from a reputable company with the purpose of inducing individuals to reveal personal information like passwords or credit card numbers.

Contributor Bios

  • This project is funded by the Mayor’s Office of the Chief Technology Officer, and produced in collaboration with Brooklyn Public Library, The New York Public Library, and Queens Public Library.