Digital privacy may be on life support, but Nico Sell plans to resuscitate it.
Nearly a year before Edward Snowden revealed a flurry of dystopian truths about digital surveillance, Sell had already cofounded an app called Wickr, which sends encrypted, anonymous, and self-destructing smartphone messages. Sell understood that online privacy is an illusion well before the rest of us, a prescience she attributes to a lifetime of working with hackers, she told the Daily Dot. She doesn’t have a Twitter or Facebook account, and keeps her smartphone tucked away in a Faraday cage when it’s not in use, so that it’s impossible to track. She’s only ever photographed wearing dark sunglasses, to confound facial identification software. “Nico Sell” may or may not be her real name.
Two years ago, these measures might have been snidely downplayed as the extreme circumspection of a tinfoil hat-wearer, but in a post-Snowden world, they’re downright rational. There’s safety in anonymity, we now know—and Sell is much, much safer than the rest of us.
By now, it’s accepted fact that the vast majority of digital services want to know as much about us as possible. They traffic in our data, selling our personal details and preferences to advertisers for profit—and because search engines and social networks are now as essential as they are inescapable, business is booming.
But unlike Facebook, which makes no secret of collecting and selling your data (or manipulating your News Feed), or Snapchat, which falsely promised safe, self-destructing messaging, Wickr appears to be truly secure. User names and phone identification numbers are hashed and salted several times, making them untraceable. The app never stores messages or phone numbers on its servers, and the founders hold no master set of encryption keys. Users can set a timer for messages to self-destruct. And any metadata is erased from the app’s memory, making it impossible for hackers or law enforcement to piece back together.
Even if a government agency were to petition the app to obtain a user’s communication records, Wickr simply wouldn’t have any data to hand over.
The next step, Sell said, is to make Wickr’s technology the new normal, integrating it into as many digital services as possible—servers, routers, smartphones, financial services, even video games.
Sell’s privacy pedigree is extensive; by her own calculation, she’s founded more than 20 successful security companies. She’s a longtime organizer for the Def Con hacker convention in Las Vegas, which is fast approaching in August. (Last year, after Snowden publicized the NSA’s digital spying, Def Con’s founder strongly encouraged federal bodies like the NSA, FBI, and CIA to sit the convention out.) Sell has also worked as an adviser to CrowdStrike, a security technology provider that helps companies detect flaws in their security systems, and founded R00tz Asylum, a nonprofit that teaches children and teens the joys of white-hat hacking.
So when Sell gives privacy advice, you’d better believe it’s solid. Most important is to keep fighting the good fight against Big Data, she said. “The feeling that it’s futile, ‘it’s too late for me,’ that’s what Big Brother is trying to convince you of,” she said. “It’s not true. It’s about decreasing your digital footprint and moving forward every day being aware of it. That’s a step you can take right now.”
Herein, Sell shares six simple ways to stay safe online:
1) Spread misinformation
Social networking sites, like Facebook, often won’t let you join without revealing your birth date. But who says you have to share your real birthday? That information anchors almost all of your most sensitive data—your bank records and credit history, even your social security number. But chances are you’ve given out that information to a host of websites, from social networks to online retailers, without a second thought.
“If I know your birth date and your birth location, I have a 90 percent chance of being able to steal your financial information,” said Sell. “Here’s what you can do instead: Put misinformation out there, like the wrong birth date, the wrong birth place. I do searches on random things when I’m bored. You’re trying to feed [Google] a bunch of misinformation so it doesn’t have an accurate description of you.”
So if your birthday’s in August, tell Twitter it’s in November. If you were born in Louisville, tell Facebook you’re from Omaha, or better yet, Tanzania. Don’t let anyone wish you happy birthday on Facebook. Search Google Maps for directions from Brooklyn to Times Square, even if you live in Boston.
To avoid attack, Sell said, “you need to be tougher to get than everyone else.”
2) Think about what data you’re giving out, and to whom
By the same token, why should you have to share personal information like your birth date with every website you log onto? Does the New York Times really need to know your home address just because you’ve signed up for a digital subscription?
“For me, the most exciting competition that happens at Def Con every year is the social engineering contest,” said Sell. Social engineering is when hackers use a target’s public personal information—easily available on social networking sites or through a quick Google search—to pose as a friend, or as the target themselves, in order to obtain sensitive (and sellable) information like bank accounts and social security numbers. At Def Con, “they get 100 percent of their targets, 100 percent of the time,” Sell said. “You need to be really aware of people [or sites] asking for your information. Why do you need my social security number, why do you need my address? Put in your wrong social security number, put in your wrong address.”
Simply keeping in mind that most of these sites don’t need your data—and have no right to ask you for it—will make you more privacy-conscious in the future, and will remind you to opt out of providing personal information whenever possible, Sell said.
3) Kill geolocation
Apps like Twitter and Instagram give you the option of tagging your posts with a precise location; some, like Foursquare, are entirely built around the feature. Most even make geotagging the default, so that you’re forced to dig through the app’s settings to opt out. And, Sell added, every time an app updates, the settings may revert to the default.
Sell’s daughter once posted a photo of the family dog on Instagram, and by default it was geotagged to their home, she said. “My daughter’s not the only one making this mistake.” It seems innocent enough, after all; what harm is there in letting your friends know you’re at your favorite neighborhood coffee shop? But tagging posts from your neighborhood, and especially from your apartment, makes it incredibly easy for hackers (or garden-variety stalkers) to build a profile of your migration patterns and obtain your home address. This, in turn, can be used to obtain personal information through social engineering, or even determine when to burglarize your home. After all, that’s how the Bling Ring pilfered from the likes of Paris Hilton and Lindsay Lohan.
4) Cover your cameras
Whenever she’s speaking at a security event, or just talking up Wickr on the street, Sell hands out small vinyl stickers and tells people to run home and cover their front-facing cameras. “Last year, we taught the kids [at r00tz] how to turn on the inner-facing camera on your smart TV,” said Sell. “It’s an easy hack that people all over the world use to blackmail people. It’s not even illegal, depending on where they come from.”
Any camera that looks into your home, whether it’s from your smartphone, your laptop, or your television set, can easily be activated by a hacker and used to pull details from your personal life, track your daily movements and online habits, or blackmail you with a lurid photograph.
“Whenever I see an inner-facing camera, I feel like there’s an eyeball on me,” she said. “This is a widespread attack, and it’s happening often.”
5) Read those ridiculously long privacy agreements
Facebook’s latest experiment in emotional manipulation is a reminder that those privacy policies you mindlessly accept—which Sell thinks should be termed “ownership policies,” in the name of transparency—contain some pretty wacky built-in clauses, like, say, implicitly consenting to participate in behavioral studies. When you accept one of these policies, “you’re agreeing to a free, worldwide, transferable license for eternity, for everything you put into that service,” she said.
6) Don’t trust Fitbit (or any other app, for that matter)
Most fledgling apps haven’t taken the time to identify and plug security holes, as evidenced by the recent Yo hack. “These are startups with a small budget,” said Sell. “They’re going for Minimum Viable Product,” pushing out the app’s core functions as quickly as possible, with little time for extensive testing and development, “and they’re collecting lots of information on us. All the health apps and health devices out there, they really scare me.”
It goes back to thinking about who really needs your data, and why. Are the enhanced analytic features of Fitbit really better than an old-fashioned pedometer, once you take into account the amount of hackable data the fitness tracker is collecting?
“I think the companies that will thrive and survive over the next decade will be companies that take this seriously,” Sell said. “Yo put out the Minimum Viable Product, and it can’t survive in today’s world. The threats are too great.”
Illustration by Jason Reed