Archives for May 2024

This is the first in a series of posts I’m entitling: Going Digitally Green (Reducing your Digital Exhaust)–Privacy in an Age of Pervasive Surveillance.

Digital exhaust is data on the Internet about you. You create some of it directly. Some is created as a by-product of your activity on the net. Some is created by others. Third-parties exploit your data, often without your knowledge or informed consent. Some uses of your data are benign. Other uses are much less so.

In these posts I provide recommendations on actions you can take to reduce your digital exhaust. Following this guidance should provide protection against digital surveillance and reduce your “threat surface.” Most of this guidance is easy to implement at low or no cost. And while there is no perfect protection, don’t let perfect become the enemy of the good. Small steps add up.

I’ve deliberately limited these posts to the minimum amount of information required to understand my recommendations, and move forward with those you find worthy. I’ve not included step-by-step implementation guides. The details change too quickly and there’s plenty of step-by-step guidance out there. I seldom recommend more than two products in any one area. Too many choices lead to inaction.

I include references to further information that I think might be helpful, but I encourage you to focus on taking action and not merely becoming better informed. There’s a world of information out there and it’s easy to fall down the rabbit hole.

And I’ve tried to keep it light-hearted, but accurate—a tough balance to maintain.

I’m hosting this blog on my author website because I have one with a blog, and I’m already paying for it. If you enjoy comic science fiction, give the book a look. It’s a collector’s item! (It sure ain’t a best seller.) But it is funny. At least I think so.

Why should you listen to me? I’m the recently retired CTO and Chief Engineer of a multi-billion-dollar health IT business. I have over forty years of experience designing and deploying large-scale command and control, intelligence, logistics, transportation and health IT systems. These systems have stringent cybersecurity requirements. I’m a Certified Information Systems Security Professional (CISSP). And most importantly, I’m paranoid. Although I’m told you’re not paranoid if they’re really out to get you.

I have no business or personal relationships with any of the products or services I recommend in these posts. I recommend products I have confidence in and value and follow the recommendations of fellow professionals. It’s not impossible that we are all deceived, however, the alternative to not trusting anyone is doing it all yourself. No one has that breadth of knowledge and competence. I surely don’t. I encourage you not to let uncertainty paralyze you. Most of what I recommend is straight-forward and low risk. I encourage the more technically adept among you to assist those who might struggle a bit. Think of it as “social networking.”

I’ve enabled comments on the blog site. If you wish to comment, please restrict your comments to the topic at hand and be respectful. I’ve also enabled spam filtering and comment moderation. Your comments may take a little time to post. And if they trigger a filter, I’ll never see them. On-topic comments should post just fine.

The following five posts address some preliminaries, and then we’ll dive into the recommendations. You may navigate among the posts most easily by selecting the Sitemap at the bottom of every page.

But before we start, my attorney colleagues recommended I include a disclaimer for these posts. I offered, “If you follow any of the guidance in these posts and die a horrible death, don’t come crying to me.” They gently suggested something a little more formal, so here it is.

DISCLAIMER:

The views, thoughts, statements of fact, and opinions expressed in these posts belong solely to the author. The author makes no warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information or process disclosed in these posts. This material is for educational purposes only and is not a substitute for independent professional advice from a subject matter expert. The author has no business, professional or personal relationship with any of the recommended products and services. There are other excellent products and services. You are advised to do your own evaluation.

Let’s start with a few caveats.

Following this guidance will not protect you if you are personally targeted by law enforcement or a foreign national intelligence agency. If it’s law enforcement, don’t even think about it. If it’s a foreign intelligence agency, don’t make it too easy.

I’ve written these posts from the perspective of a U.S. citizen, but the guidance broadly applies. Outside of the U.S., law and regulation may constrain implementation of some of this guidance. It’s up to you to stay within the law in the locality where you live.

Read the privacy statements for products and services that you use. Yes, it’s painful. Read them anyway. And consider opting-out of further data sharing by the service. This is often possible.

The information in these posts should be current as of the date of the post. Things change, but a web search should take you to the most current information.

Take one step at a time. Don’t change everything at once. Work with a new product or process until you get used to it, and before you make another significant change. You may find it useful to write down what you changed just in case you decide to return to a prior configuration.

In some instances, reducing threats to your privacy also reduces the convenience of using a product or service. Ultimately, you must choose the balance of privacy and convenience that’s right for you.

Information provided in this post is subject to the disclaimer in the first post of this series.

I have no desire to scare the pants off of you, so I won’t belabor the threat too much. However, thousands of companies use digital tracking to monitor, analyze, and influence the lives of billions of people. They continuously share and trade digital profiles about you. This occurs in the background and is invisible to you.

Much can be inferred about you from web searches, browsing histories, video viewing behaviors, social media activities, and purchases. This includes sensitive personal attributes such as ethnicity, religious and political views, relationship status, sexual orientation, and alcohol, cigarette, and drug use. Data collectors can predict personality traits such as emotional stability, life satisfaction, depression, and sensationalist interest. Exploitation of your data directly affects your available choices in highly consequential areas such as finance, insurance, and health care. And the data collected or inferred about you may be just plain wrong. It’s often impossible to locate, review and correct bad data.

The U.S. Federal Government purchases your data from commercial companies, bypassing restrictions in privacy law and regulation.

Foreign governments are increasing influence operations activities. The Rand Corporation defines influence operations as “the collection of tactical information about an adversary as well as the dissemination of propaganda in pursuit of a competitive advantage over an opponent.” In the minds of some foreign intelligence agencies, you are a citizen of an adversary and a target to be influenced to their advantage.

Given these threats, you must take deliberate action to protect your privacy or you will lose it.

If you wish to explore these threats further, a great deal of information is available on digital surveillance. The Great Courses are an excellent source of information. I recommend “Taking Control of Your Personal Data” by Jennifer Golbeck, “Privacy, Property, and Free Speech: Law and the Constitution” by Jeffrey Rosen, and “The Surveillance State: Big Data, Freedom, and You” by Paul Rosenzweig.

https://www.thegreatcourses.com/

Bruce Schneier is a public-interest technologist, a Harvard Kennedy School fellow and lecturer, and a member of the board of the Electronic Freedom Foundation (EFF). He has written extensively on security and privacy. I recommend “Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World.” Mr. Schneier has an excellent blog and a monthly newsletter that I’ve followed for years. His website is:

https://www.schneier.com/

The Electronic Frontier Foundation (EFF) is a leading nonprofit organization defending civil liberties in the digital world. Founded in 1990, the EFF champions user privacy, free expression, and innovation through impact litigation, policy analysis, grassroots activism, and technology development. Their website has a lot of good information. You will find it at:

https://www.eff.org/

As we begin our journey together, while I encourage you to become more informed, I caution you not to focus too much on the threat. It’s easy to feel overwhelmed and powerless. This can lead to inaction. Instead, use this knowledge to motivate yourself to take action. Control what is within your power to control. And having first taken action to improve your own privacy and security posture, then add your voice to those advocating for law and regulation that better protects your privacy rights and those of your fellow citizens.

Information provided in this post is subject to the disclaimer in the first post of this series.

So what exactly is privacy and how does it differ from security? Privacy rights are the right of a person to be free from intrusion into, or publicity concerning, personal matters. Privacy is about controlling your personal information and its usage. Security protects the confidentiality, integrity, and availability of your personal information. There’s no privacy without security.

And what are your privacy rights? The Fair Information Practices, paraphrased below, provide a reasonable summary.

Collection Limitation Principle. There should be limits to the lawful collection of your personal data and, where appropriate, your personal data should only be collected with your knowledge and consent.

Data Quality Principle. Your personal data held by a third party should be accurate, complete and up-to-date.

Purpose Specification Principle. The purposes for which your personal data is collected should be specified not later than the time of collection.

Use Limitation Principle. Using your personal data for purposes other than those specified at the time of collection should only be done with your consent or by the authority of law.

Security Safeguards Principle. Reasonable security safeguards should be employed to protect your personal data against loss or unauthorized access, destruction, use, modification or disclosure.

Openness Principle. Data holders should disclose how they will manage your personal data, including who they are, that they hold your data, and how they intend to use it.

Individual Participation Principle. You have the right to know what personal data is being kept and by whom, to review your data or told why your review is being denied, to challenge retention of your data and if successful, to have your data erased, or amended.

Accountability Principle. A third party that holds your personal data should be accountable for complying with the principles stated above.

Question: Do you believe your privacy rights as articulated in the Fair Information Practices are being honored? Should they be? If not, what actions might you take? Hint: Start by following some or all of the recommendations in this blog.

We often trade privacy for convenience. But it’s fair to ask, must we do so? Is this a real or a false dilemma? I’ll explore this question further in the posts that follow.

But before we go on to the next topic, it’s also fair to ask—what about the bad guys? Do they have a right to privacy? Will these tools protect the bad guys from the good guys?

There’s a balance to be struck between personal privacy and the common good. This is a vigorous and complex debate. I focus this blog on taking simple and practical actions that protect your privacy, and will not enter into this debate here. If you wish to better understand the legal and philosophical foundations of the debate, I recommend “Nothing to Hide: The False Tradeoff between Privacy and Security” and “Understanding Privacy”, both by Daniel Solove. With this information under your belt, you will be better prepared to tackle the many specific issues raised.

Information provided in this post is subject to the disclaimer in the first post of this series.

The 1996 film, Jerry Maguire, launched the Internet meme, “Show me the money!” Products and services that protect your privacy cost money to create, maintain and operate. And those doing the work deserve a fair wage. While many of the products I recommend come at no or low cost, some do cost money. But if all products and services cost money, why are some of them free or nearly so? How can that be? And why are others more expensive? These are important questions. Let’s think through them together.

If a product or service is provided by a commercial company, expect to pay for it. Commercial companies are in business to make money. Marketplace competition sets the price. And while there may be a free basic offering, you can bet that it’s offered in the hope that you will upgrade to a paid service.

Free products and services also have a business model. Dedicated volunteers and contributions sustain many fine open source products. Advertising revenue supports others. I strongly recommend that you research and understand the business model of free products and services that you use. “Show me the money!” Because if the business model does not make sense, you are the product.

For the products and services I recommend in these posts, I’ve done the work for you and believe the underlying business model is sound. If you choose other offerings, what things might you consider?

The first question is what sort of infrastructure and/or ongoing development does the offering require? Virtual Private Networks (VPNs) require substantial worldwide computing infrastructure to provide a viable service. This is expensive and you should expect to pay for it. The same is true, to a lesser extent, for secure cloud backup services. Antivirus products must be continually updated to keep pace with constantly changing threats. Bad actors are quite innovative. This also costs money. Expect to pay for it. These services may be bundled. Antivirus products often also offer a VPN, cloud backup, a password manager, and fraud detection monitoring. Such offerings can be good value for money. But you are paying for it. You should very carefully evaluate free services that have substantial ongoing costs.

Other services have smaller ongoing costs and may be sustained by modest annual fees or donations. These include secure email, secure browsers and text messaging. Privacy preserving contextual advertising may provide income for secure web search and browsers. Contextual advertising shows you ads based only on your search criteria or the web page you are actively viewing. If you search on fly fishing, you may see ads for fly rods. This seems fair. If instead you see an ad for the new wide screen TV you searched for last month, you are being profiled by data brokers. Not so good.

Informational web sites may generate revenue through affiliate programs. If the site recommends a product and provides a link, they receive a small payment if you click through, at no cost to you. This also seems fair. Note that I do not take part in any affiliate programs on this site.

The open source community maintains excellent open source products that don’t require physical infrastructure or continual software updates. Donations are normally welcome. These products include password managers, file and disk encryption, and other niche products.

The message to take away is: the business model matters. It pays to understand it. If it makes little sense, you are the product. Your privacy will not be respected.

And if you use a free product, please consider making a contribution. Every little bit helps, and fair is fair.

Information provided in this post is subject to the disclaimer in the first post of this series.

“Danger! Danger, Will Robinson!”

In the 1960s TV serial “Lost in Space”, there was always at least one moment per episode where the rotund robot, mechanical arms flailing, uttered these immortal words. I mention them now, early in these posts, because as you move forward to improve your privacy and security, you may explore free and open-source software not discussed here.

CAUTION: Please be sensitive to the risk of using lesser-known open source products. Some of them contain malware. This includes backup, password management and anti-malware tools. Yes, you heard it here. Some open-source anti-malware tools contain malware. Do your homework. Research open source tools thoroughly.

It’s a jungle out there, so go armed (with information).

Other than avoiding products and services provided by Dr. Evil, what additional criteria might you consider?

Prefer products and services from companies based in a good privacy jurisdiction: countries with strong privacy laws and regulations. The European Union (EU) and Switzerland are good choices. Your data is better protected from government intrusion and commercial exploitation in these countries. I regret to say that the U.S. is not a good privacy jurisdiction. All major operating systems are U.S. based and there are few practical alternatives. The same is true of many strong antivirus products. It is, however, a consideration when choosing VPN, secure email and secure web browsing services.

Prefer products and services whose features and claims have been verified by a reputable third party audit. This increases your assurance that the claims are legitimate.

Prefer services that maintain little or no logs of customer access or usage. This reduces the possibility that personal information might be exposed through a security breach or legal action. This is particularly important for VPN services.

Prefer services with strong encryption that encrypt all your private information with a key that you control. This is a must for secure email, secure messaging and password managers. The term of art is “end-to-end zero knowledge encryption.” Encryption and decryption are only performed on your device (end-to-end), and the service provider has no access to the keys and therefore, no access to your data (zero knowledge).

And as stated in the prior post, “Show Me the Money,” prefer services with a business model that encourages good behavior: up-front or annual payments, contextual advertising, affiliate programs and donations. Otherwise, you are the product.

Information provided in this post is subject to the disclaimer in the first post of this series.

In the posts that follow, I strive to be Virgil to your Dante, guiding you through the dark wood of fear, uncertainty, and doubt; making a straight way past the three beasts of pervasive surveillance, pernicious malware, and catastrophic hardware failure, leading you onward to privacy paradise. You may note that I’ve skipped over hell and purgatory in this overwrought allusion, but they’re boring and it’s not really that hard.

As for the roadmap, I’ve organized the posts that follow into three sections: device security, Internet access, and other things to think about.

The first order of business is to secure your digital devices, including desktops, laptops, tablets and mobile phones. The operating systems on these devices are not secure out-of-the-box and don’t protect your privacy. Common operating systems include Microsoft Windows, macOS, iOS, and Android. Devices with Linux installed can be readily configured to be both private and secure. If you use Linux as your operating system, I assume you’re highly technical and don’t need my help.

To secure your digital devices, I walk you through four important topics: backup and recovery, password management, virus and malware protection, and full disk encryption. I follow these discussions with some additional considerations to include keeping your operating system and applications up-to-date, managing device privacy permissions, and secure file deletion.

Next, I talk about five products that preserve your privacy while accessing the Internet: virtual private networks (VPNs), private web browsers, web search, text messaging, and email.

Other things to think about include freezing your credit, avoiding scams, social networking, tracking a lost device, locking your phone account, the Internet of things (IoT), the Phone Company, and related topics. I sprinkle these in among the prior two topics as Interludes.

For each of these topics, I discuss a variety of approaches and products. Where I recommend products, I usually present only two options to keep things simple. My recommendations reflect my personal assessment. In most cases, they also reflect the judgment of the broader privacy and security community. That said, there are other good products. I include evaluation criteria for most product categories to assist you in your search.

Most of my recommendations are just that, recommendations. Perhaps strong recommendations, or very strong recommendations, but in the end, recommendations. Occasionally I use the word “MUST.” When I say must, I mean MUST. Should disaster strike, no amount of wailing or gnashing of teeth will avail you if you ignore a must. I’ve received more than a few calls in the middle of the night where I could not be helpful because someone ignored a must.

To reiterate a caveat in Post 2—take one step at a time. Don’t change everything at once. Work with a new product or process until you get used to it, and before you make another significant change. Write down what you change just in case you want to return to a prior configuration.

On to backup and recovery.

Information provided in this post is subject to the disclaimer in the first post of this series.

There’s an old saying, “A stitch in time saves nine.” A little work done now will save a lot of work later. Of all the things we discuss on our journey together, this is most true of backing up your devices: desktops, laptops, tablets and phones. This recommendation is a MUST. You MUST backup the contents of your digital devices.

If your device is damaged or lost, or your files are inadvertently or intentionally corrupted, overwritten or deleted, there is little that can be done to recover them in the absence of a backup copy. The files that are lost could be inconsequential—last week’s shopping list perhaps, or irreplaceable—precious family photos that are not stored elsewhere. Take no chances, backup your files.

Backups containing sensitive data MUST be encrypted, ideally with an encryption key that you control. If you can’t conveniently select an encryption key, keep sensitive data in a virtual encrypted disk and backup the file containing the disk. I explain how to create virtual encrypted disks in the next post. Unencrypted backups are easy targets for hackers and other ne’er-do-wells.

Your encryption keys MUST be kept in a safe place. Password managers, discussed in a later post, are great locations to store encryption keys. Post-it notes stuck to your keyboard are not.

I strongly recommend that you validate the integrity of your backups. Different tools provide different means to accomplish this. A simple way to validate a backup is to recover a file and view it to make sure that it’s not been corrupted.

Backup and recovery is a little more involved than other topics in these posts, so we’ll take it a step at a time. We’ll start with strategy and end with some examples. Ultimately, you must decide how important your data is to you, and what steps you are willing to take to protect it.

For files you don’t wish to lose, I recommend you follow the “3-2-1 Rule.” Keep three (3) copies of your files: the original, a copy of the original, and a second copy of the original. Keep two (2) copies locally: the original and a copy of the original. Store one (1) copy remotely for disaster recovery. It’s common to save the remote copy online in secure cloud storage, and the local copy offline in an encrypted external drive.

For Windows desktops and laptops, it pays to keep two other types of backup: a recovery drive and a disk image. A recovery drive enables you to start your computer if the operating system on the internal drive is corrupted. This makes the process of recovery easier. A disk image is a copy of the entire internal drive, which enables you to restore the system to a known state if the disk fails. Should this occur, you can restore the disk image to a new drive, and add file changes since the last image backup. This is much easier than the alternative, which requires reinstallation and reconfiguration of the operating system, reinstallation and reconfiguration of all software products, and restoration of all files. A stitch in time saves nine. That said, many people lack the technical knowledge, and the desire, to recover a damaged PC. Don’t overthink this step. You’re making these backups for others to use. Put them in a safe place and, with luck, you’ll never have to use them.

For macOS, making a clone (a complete copy) of the internal disk drive supports recovery if the internal drive completely fails. This combines the recovery drive and disk image discussed above for Windows PCs. Making a disk clone requires third-party software, which I’ll discuss in a later post.

How often should you create backups? For files, that depends on how concerned you are about losing changes or new files. We’ll discuss this further in a later post, but daily is a good answer. Continuously is a better answer. Third-party products discussed in a later post make continuous backup painless.

You should update the recovery drive after major operating system updates (which happen infrequently). I recommend updating Windows disk image backups and macOS clones semi-annually. I put it on my calendar so I won’t forget.

In summary, you MUST backup your desktops, laptops, tablets and phones. Backups containing sensitive data MUST be encrypted. Your encryption keys MUST be kept in a safe place. Validate your backups to make sure they’ll work when you need them. For file backups, follow the 3-2-1 rule. For Windows desktops and laptops, create a recovery drive and a disk image. Create a disk clone for macOS. Run file backups at least daily. Update the Windows recovery drive after major operating system updates. Update the Windows disk image and macOS clone semi-annually.

Onward to the details.

Information provided in this post is subject to the disclaimer in the first post of this series.

Oops, before we get to the details, let’s talk about encrypting sensitive backup data.

If you’re backing up your data locally to an external drive, here are two options. You can create a virtual encrypted disk within a file on the external drive, mount it (give it a drive letter on your laptop) and point the backup software at the virtual disk. Or you can purchase an encrypted external drive that unlocks using a password or a keypad on the drive, and backup directly to the drive.

To create a virtual encrypted disk, I recommend the free and open source software (FOSS), VeraCrypt. You can download it from:

https://www.veracrypt.fr/en/Home.html

VeraCrypt has been around for a long time and is reliable. It runs on Windows and macOS. It’s a little clunky but easy enough once you get used to it. There’s documentation on the website. You can purchase a 128 GB USB stick for less than $20. I suggest you size the virtual encrypted disk to fill the entire USB stick. You can’t resize it after you create it. This is the least expensive approach.

A multi-terabyte external drive costs less than $100. I recommend Seagate external drives. External drives normally come with encryption software built in, so you don’t need VeraCrypt to protect your data. A password is required to access data on the drive. This is a middle-of-the-road approach.

Or you can purchase an encrypted external drive with a keypad. The Kingston IronKey and the Apricorn Aegis Padlock are two examples. They’re easier to use but more expensive and can cost $200 or more. Unlock the drive with a PIN using the keypad and go.

If you’re backing up your data remotely to the cloud, and can’t choose your own encryption key, I recommend creating a virtual encrypted disk on your internal drive, using VeraCrypt, and storing sensitive data there. Sensitive data might include financial and healthcare information as well as those humiliating love letters you wrote as a teenager. The file containing the virtual encrypted disk will backup to the cloud like any other file, but your data will not be exposed.

If you use VeraCrypt to protect data that will be uploaded to the cloud, there are a few technical details to note. To ensure the “Date Modified” for the file containing the encrypted disk changes when the disk is dismounted, select “Settings/Preferences” in the VeraCrypt menu and uncheck “Preserve modification Timestamp of containers.” Otherwise, cloud backup services will not recognize that the contents changed and will not backup the file. Also consider creating several virtual encrypted disks. If the contents change, the entire file containing the virtual disk gets uploaded to the cloud. This can take time if the file is too large.

Which ever option you chose, make sure you save passwords and PINs safely in your password manager.

And if you use VeraCrypt, please consider a donation.

Now, on to the details.

Information provided in this post is subject to the disclaimer in the first post of this series.

In the words of famed inventor Thomas Edison, “Strategy without execution is hallucination.” We now have a strategy. Let’s talk about executing it. In this post, I discuss backup and recovery options for the four primary operating systems using tools they provide at no or low cost.

There’s a lot of variation among products and approaches, as well as additional “free” offerings. To keep things as simple as possible, I’m deliberately ignoring these differences and focusing just on basic backup. And while I don’t include step-by-step instructions, I provide links with further information.

Brief Windows instructions:

• To create a recovery drive: Enter “Create a recovery drive” into Windows Search and follow the instructions. Creating the drive may take some time. The recovery drive should be unencrypted. Verify the recovery drive by restarting your PC with the drive inserted. It should start in recovery mode (this will be obvious). If it starts up normally (not in recovery mode), you need to change the boot sequence in your BIOS. If this statement makes sense, carry on. If it does not, skip the verification step.
• To create a disk image, follow the instructions found at: https://answers.microsoft.com/en-us/windows/forum/all/how-to-create-a-system-image-in-windows-11-and/036110b8-66bb-4cc7-b9e2-2d66df27d236 . The backup will take some time. Make sure the backup drive is encrypted and large enough to store the disk image. In the File Explorer, if you right-click on the drive you are imaging, “C:” for instance, and click on “Properties,” look for “Used Space.” Size the drive to at least this value plus 10%.
• To create a local file backup, follow the instructions found at: https://www.computerworld.com/article/1621193/how-to-use-file-history-windows-10-windows-11.html . Make sure the backup drive is encrypted. Once enabled, File History will take a snapshot of files in common directories on a schedule that you set. It defaults to hourly. And also set “Keep saved versions” to “Until space is needed.” Otherwise, you will rapidly overflow the drive.
• To create a file backup in the cloud, use Microsoft OneDrive. One Drive provides 5 GB of free cloud storage. Additional storage is available for purchase. Note that only the Desktop, Documents and Pictures directories can be configured to backup automatically. Other files can be backed up manually. And you cannot choose your own encryption key, so consider storing sensitive data in a virtual encrypted disk. More information may be found at: https://support.microsoft.com/en-us/windows/back-up-your-windows-pc-87a81f8a-78fa-456e-b521-ac0560e32338#ID0EBF=Windows_10

Brief macOS instructions:

• To create a local disk clone, purchase Carbon Copy Cloner at https://bombich.com . It cost $49.95 the last time I looked. Make sure the backup drive is encrypted.
• To create a local file backup, follow the instructions found at: https://support.apple.com/en-us/104984 . Make sure the backup drive is encrypted.
• To create a file backup in the cloud, use Apple iCloud. iCloud provides 5 GB of free cloud storage. Additional storage is available for purchase. Enable Advanced Data Protection for iCloud to provide end-to-end encryption for your data. More information may be found at: https://support.apple.com/en-us/109344

Brief iOS instructions:

• To create a local file backup, use iTunes on a PC or a Mac. A copy on your laptop is a reasonable approach to maintaining a local backup of your iPhone. If you back up to a USB drive, make sure the backup disk is encrypted.
• To create a file backup in the cloud, use Apple iCloud. iCloud provides 5 GB of free cloud storage. Additional storage is available for purchase. Enable Advanced Data Protection for iCloud to provide end-to-end encryption for your data.
• iPhone backup instructions may be found at: https://support.apple.com/en-us/108771

Brief Android Instructions:

• To create a local file backup to your PC, there are options. Review the information at: https://www.lifewire.com/how-to-backup-android-phone-to-pc-4769775
• To create a file backup in the cloud, use Google Drive. Google Drive provides 15 GB of free cloud storage. Additional storage is available for purchase. Further information may be found at: https://support.google.com/android/answer/2819582?hl=en

In the next post, I review third party options that are more feature-rich, easy to use and convenient—but a little more expensive.

Information provided in this post is subject to the disclaimer in the first post of this series.