Archives for July 2024

“Senno ecto gammat!” Translation: “Never without my permission!” Leeloo in The Fifth Element.

In the next posts we’ll review how to manage privacy permissions on Windows, macOS, iOS and Android devices. We’ll discuss controlling access to your device, user account management, deleting unnecessary applications, and managing privacy permissions. The first three are straightforward. The last is more involved. Take one step at a time.

Job one is to control access to your Windows computer. A password, PIN or biometric should be required to sign in to your computer. I recommend using a PIN or a password. A PIN should be 8 characters or more. Instead of a password, consider using a passphrase. It’s easier to type and you’ll be typing it a lot.

But what about a biometric? Windows supports Face ID and fingerprints.

Opinions vary.

I prefer using a PIN or passphrase for three reasons. First, I can change them if they are compromised. I can’t change my fingerprints or my face in any way I wish to contemplate.

Second, my face is publicly available. I wear it every time I step out the door. I’ve traveled internationally and Face ID is used to board international flights and in customs and border control. It’s in pictures on the Internet. My fingerprints exist in several places. I’ve had security clearances. I’ve used CLEAR at the airport. A skilled hacker could lift my fingerprints from anything that I’ve touched. Since my fingerprints and face are stored in multiple places that could be breached, there’s a possibility that my biometrics could be compromised.

Third, while the law is evolving, law enforcement generally can’t compel me to provide something I know, a password or PIN, but they can compel me to provide a fingerprint or use my face to unlock a device. Use your own judgment.

I recommend configuring your computer to go to “Sleep” if it’s been idle for a period of time. Perhaps you went to make a cup of coffee, or to enjoy a walk in the countryside, and left your computer unattended. And make sure you require a sign-in when your computer wakes up. This is easy to do:

• Windows 10: Go to “Settings > System > Power & Sleep,” and adjust the timing you see there. Five to 15 minutes are reasonable values. Then go to “Settings > Accounts > Sign-in options,” scroll down to “Require sign-in,” and set it to “When PC wakes up from sleep.”
• Windows 11: Go to “Settings > System > Power & Sleep,” scroll down to “Screen and sleep,” and adjust the timing there. Then go to “Settings > Accounts > Sign-in options,” scroll down to “Additional setting,” and set “If you’ve been away, when should Windows require you to sign in again?” to ”Every time.”
• Note that your computer will go to sleep if you close the lid.

You should always control access to your desktops and laptops by requiring a PIN, password or biometric to sign-in, and after it wakes up from sleep. This is basic computer hygiene, much like brushing your teeth.

On to user account management.

Information provided in this post is subject to the disclaimer in the first post of this series.

“A computer, by definition, cannot be held accountable for anything because there is no mechanism to hold it to account … Only humans can be accountable.” Mark Walpole.

You may not be able to hold your PC accountable, but you do need an account on your PC. They come in two varieties. When you install Windows for the first time, you choose between using a local or a Microsoft account. Unless you’re starting out with a new computer, you’ve already made that decision. Let’s talk about the difference between the two.

A local account is more private. It applies to one computer. A local account does not share any user settings or preferences with Microsoft. Your account settings are not synchronized across your Microsoft accounts that might include Outlook.com or other devices hosting Windows. You don’t have ready access to the Microsoft store. You don’t have access to free storage on OneDrive.

A Microsoft account offers the features above that a local account does not. In addition, it’s required to enable “Find my device,” which I discuss in a later post. You can store your Bitlocker recovery key with Microsoft in the cloud (although I would store it in my Password Manager instead). Microsoft also stores your license keys. So a Microsoft account is more convenient. It’s also less private. You’re sharing a lot of data with Microsoft. It’s also arguably less secure. If your account is hacked in one place, it’s hacked everywhere it’s used. If your account gets locked, it’s locked everywhere.

How can you tell what kind of account you have? In both Windows 10 and 11, go to “Settings > Account > Your info.” If you see “Sign in with a Microsoft account instead,” you’re using a local account. If you see “Sign in with a local account instead,” you’re using a Microsoft account. You can toggle between the two by clicking the link that you see. If you change to a local account and see a warning to backup your Bitlocker recovery key, don’t ignore it. Capture the recovery key and store it in your password manager if you have not already done so.

Which type of account you select is a choice between more convenience or more privacy. Choose the option that’s best for you. I would note, however, that if you’ve been using a Microsoft account, you’ve already shared a great deal of data. Switching to a local account will not put that horse back in the barn.

One other bit of computer hygiene before we address privacy permissions. PCs often come with applications you never plan to use. Applications they are trying to sell to you. People refer to these unasked for applications as “bloatware.” And over time, you may accumulate applications you installed to try out and then stopped using. I recommend you uninstall these applications. They’re clogging up your system and may pose a security risk. Briefly:

• Windows 10: Go to “Settings > Apps,” and you’ll see a list of all the apps installed on your computer. Click on any app you wish to remove, and select “Uninstall.”
• Windows 11: Go to “Settings > Apps > Installed Apps.” Click on the three dots to the right of any app you wish to remove, and select “Uninstall.”

Don’t go crazy here. If you don’t know what an app is for, research it before you remove it. Or perhaps leave it alone. If it’s obviously bloatware, uninstall it.

Information provided in this post is subject to the disclaimer in the first post of this series.

“It’s easier to ask forgiveness than it is to get permission.” Rear Admiral Grace Hopper.

Whether you know it or not, you’ve already given permission to Microsoft to collect an extraordinary amount of data about you—how you use your computer and your online activities. If Microsoft requires any forgiveness, it’s because it’s so hard to figure this out, and it’s so hard to manage your privacy permissions to your comfort level.

To make this as simple as possible, I recommend you download a free privacy management tool called O&O Shutup10++. The name says it all. It also works on Windows 11, but they chose not to change the name. You can find it at: https://www.oo-software.com/en/shutup10. To establish basic privacy permissions, do the following:

• The program does not need to be installed. Store it in a directory, double-click the program, and proceed.
• The program has two tabs: “Current User” and “Local Machine”. Take a quick look through both. There are a lot of settings. Each setting restricts some data collection activity or process. If you click on the text of a setting, more information about the setting will be displayed.
• To the right of the text of each setting, under the column heading “Recommended”, you’ll see “Yes,” “Limited,” or “No,” with green, yellow and red dots respectively. These recommendations reflect the level of risk associated with enabling the settings. Settings with a “Yes” recommendation are low risk.
• If you’re highly motivated, I would spend some time reviewing and understanding the settings.
  The settings are grouped by category. “Privacy” and “Activity History and Clipboard” are two examples. Settings that are enabled are toggled “Green”. Otherwise, they’re “Red.” You can ignore the current settings, we will change them.
• Click on “Actions” in the menu bar and select “Apply only recommended settings.” A pop-up will appear asking “Do you want to create a system restore point?” Click “Yes.” All the Recommended (Yes) settings should now be enabled (Green), and the other settings (Limited and No) should be disabled (Red).
• Scroll through all the settings in both tabs. Make sure they look right to you. And there are a few things you may wish to change. On the “Local Machine” tab:
  • If you use Cortana (Personal Assistant), disable all the settings. Note that I recommend against using Cortana. It’s collecting more data about you than you know.
  • If you intend to turn on “Find my device,” which I discuss in a later post, under “Location,” disable the setting “Disable functionality to locate system.”
• Select “File” in the menu bar and then “Exit.” Start the program again and review the settings to ensure your changes are all there.

As you become more comfortable managing your privacy permission, you may wish to enable some of the “Limited” settings. And you should review all your settings after operating system updates. Updates may change some settings.

Technical Note: You can manage some settings in “Settings > Privacy” in Windows 10 and “Settings > Privacy & Security” in Windows 11. If you do so after configuring settings with O&O Shutup10++, you may see a message that says “Some of these settings are hidden or managed by your organization.” The setting will be locked. This is because O&O Shutup10++ runs as Administrator and made the change in the Registry. If you wish to change the locked setting, go back to O&O Shutup10++ and make the change there.

Next, we’ll review the same privacy permissions for macOS.

Information provided in this post is subject to the disclaimer in the first post of this series.

“You don’t know how much you appreciate your privacy until you don’t have it.” Morgan Freeman.

If you read the posts on Windows, you’ll note that I’m repeating some text I had there, modified for macOS. If you have a Mac and not a Windows PC, you may have skipped those posts. So here goes.

It’s essential to control access to your Mac. Modern versions of macOS require a password to login. Some Macs support login with a fingerprint. I recommend using a password. And you might consider using a passphrase instead. It’s easier to type and you’ll be typing it a lot.

But what about a fingerprint? Some Macs support Touch ID to login with a fingerprint.

Opinions vary.

I prefer using a passphrase for three reasons. First, I can change it if it’s compromised. I can’t change my fingerprints in any way I wish to contemplate. Second, my fingerprints exist in several places. I’ve had security clearances. I’ve used CLEAR at the airport. A skilled hacker could lift my fingerprints from anything that I’ve touched. Since my fingerprints are stored in multiple places that could be breached, there’s the possibility that my fingerprints could be compromised. Third, while the law is evolving, law enforcement generally can’t compel me to provide something I know, like a password, but they can compel me to provide a fingerprint to unlock a device. Use your own judgment.

I recommend you configure your Mac to go to “Sleep” if it’s been idle for a period of time. Perhaps you went to make a cup of coffee, or to enjoy a walk in the countryside, and left your Mac unattended. And make sure you require a login when your computer wakes up. This is easy to do:

• Click the Apple icon on the top left and select “System Settings >Lock Screen.” Set the following four options: “Start Screen Saver when inactive,” “Turn display off on battery when inactive,”
• “Turn display off on power adapter when inactive,” and “Require password after screen saver begins or display is turned off.”

Note that your Mac will go to sleep if you close the lid.

You should always control access to your Mac by requiring password to login and after it wakes up from sleep. This is basic computer hygiene, much like brushing your teeth.

On to user account management.

Information provided in this post is subject to the disclaimer in the first post of this series.

While it’s possible to have an account on your Mac without an Apple ID that links it back to Apple, it significantly diminishes the experience and prevents you from getting automatic software updates, which is a serious security risk. As discussed in prior posts, protect your account with a strong password or passphrase, use two-factor authentication to access your account in the cloud, and enable automatic updates for macOS and applications you purchased from the App Store. You’re sharing data with Apple, but there’s little that can practically be done to prevent it.

One other bit of computer hygiene before we address privacy permissions. Macs may come with applications you never plan to use. People refer to these unasked for applications as “bloatware.” And over time, you may accumulate applications you installed to try out and then stopped using. I recommend you uninstall these applications. They’re clogging up your system and may pose a security risk.

This link provides instructions: https://support.apple.com/en-us/102610

To tighten up your privacy permissions, go to “System Settings > Privacy and Security.” Review the options there. I recommend special attention to:

• Reviewing which apps use “Location Services,” and disabling access to the service if you don’t believe they require it.
• Reviewing which apps use your “Contacts,” “Photos,” “Microphone,” “Camera,” and “Screen & System Audio Recording.” Apps that use these services for surveillance can be particularly invasive.
• Turning off all options under “Analytics & Improvements,” and “Apple Advertising.”

For more information, see: https://support.apple.com/guide/mac-help/change-privacy-security-settings-on-mac-mchl211c911f/mac

Next will discuss privacy permissions for iOS.

Information provided in this post is subject to the disclaimer in the first post of this series.

“In the digital era, privacy must be a priority. Is it just me, or is secret blanket surveillance obscenely outrageous?” Al Gore.

If you read the posts on Windows or macOS, you’ll note that I’m repeating some text I had there, appropriately modified for iOS. If you don’t have a Mac or a Windows PC, you may have skipped those posts. Off we go.

Controlling access to your iPhone is a must. Set a passcode to control access to your phone. It should be 8 characters or more. But what about a biometric? iPhones support Face ID.

Opinions vary.

I prefer using a passcode for three reasons. First, I can change it if it’s compromised. I can’t change my face in any way I wish to contemplate. Second, my face is publicly available. I wear it every time I step out the door. I’ve traveled internationally and Face ID is used to board international flights and in customs and border control. It’s in pictures on the Internet. Since my face is stored in multiple places that could be breached, there’s the possibility that my biometric could be compromised. Third, while the law is evolving, law enforcement generally can’t compel me to provide something I know, like a password, but they can compel me to unlock a device using my face. Use your own judgment.

I recommend you configure your iPhone to auto lock if it’s been idle for a period of time. And make sure you require a passcode to unlock it. This is easy to do:

• Go to “Settings > Face ID & Passcode.” You must enter your passcode to proceed, if one is enabled. Scroll down and “Turn Passcode On,” if it’s off. This will require you to enter a passcode. If your current passcode is short, select “Change Passcode” to change it to 8 characters or more. Set “Require Passcode” to “Immediately.”
• Scroll down to “Allow Access When Locked” and review the settings. Limit access to your comfort level.
• Scroll down to the bottom and consider enabling “Erase Data.” This will erase all data on the iPhone after 10 failed passcode attempts.
• Under “Settings > [Your Name] > Sign-in & Security,” enable “Two-Factor Authentication.”

You should always control access to your iPhone by requiring passcode to login and after it wakes up from sleep. This is basic computer hygiene, much like brushing your teeth.

On to user account management.

Information provided in this post is subject to the disclaimer in the first post of this series.

While it’s possible to use your iPhone without an Apple ID that links it back to Apple, it significantly diminishes the experience and prevents you from getting automatic software updates, which is a serious security risk. As discussed in prior posts, protect your Apple ID account with a strong password. Use two-factor authentication to access your account in the cloud, and enable automatic updates for iOS and applications you downloaded from the App Store. You’re sharing data with Apple, but there’s little that can practically be done to prevent it.

One other bit of computer hygiene before we address privacy permissions. And over time, you may accumulate apps you installed to try out and then stopped using. I recommend you uninstall these apps. They’re clogging up your system and may pose a security risk. To remove an app, press on the app icon on the screen and the click “Remove App.” You should delete all associated data as well.

To tighten up your privacy permissions, do the following:

• Go to “Settings > Privacy & Security > Location Services.” Review which apps use this service and set to “Never” those which you believe do not require it. For those that do, change the settings to “While Using.”
• Under “Settings > Privacy & Security > Location Services > System Services,” turn off “Significant Locations.”
• Go to “Settings > Privacy & Security > Tracking.” Disable “Allow Apps to Request to Track.”
• Under “Settings > Privacy & Security,” review and limit which apps use your “Contacts,” “Photos,” “Microphone,” and “Camera.” Apps that use these services for surveillance can be particularly invasive.
• Under “Settings > Privacy & Security,” turn off all options under “Analytics & Improvements,” and “Apple Advertising.”
• Consider disabling Siri. It’s collecting more data about you than you know. If you choose to do so, go to “Settings > Siri & Search,” and turn off all options.
• Don’t jailbreak your phone. This creates significant security vulnerabilities.

Next will discuss privacy permissions for Android.

Information provided in this post is subject to the disclaimer in the first post of this series.