Learning in a digital age/LiDA102/Digital environments/Online hygiene

As an online learner, you are probably well versed in maintaining good online hygiene.

Nonetheless, in this section we summarise important practices as a reminder to remain vigilant in protecting your privacy and security online. If you are unsure about good security practices, there are a wealth of online resources you can (and should) consult.

Privacy
Your privacy is a fragile thing. Like a reputation, you've got it until you've lost it, and it can happen instantaneously.

"Identity theft" happens, frequently.

Never put your birthday or your mum's maiden name online, or any other personal facts, anywhere online. The Internet never forgets, so anything you write online (including email) can, and probably will, eventually leak. Your email address is also pretty important to keep private - if you don't, you'll start to get spam very rapidly - if your email is published in a plain form anywhere on line, even if it's part of an email list with archives online, it will be "harvested" by spammers for their databases.

Spam email - at least half of all email being sent - is just an unfortunate fact of our modern lives. If you must publish an email address online, it's best to find either a "sacrificial" email (one which you use only for the purpose of publishing it online - it's easy to acquire an email "alias" which can be forwarded to your primary email, but which you can disable when spam volumes increase). Another approach is to avoid publishing the email address as something like myname@somewebdomain.net... Instead you can use text obfuscation like: myname-at-somewebdomain-net... some websites support using other obfuscation methods, but sadly the evil folks who scrape email addresses from websites to populate their spam databases are employing ever more sophisticated methods to defeat that obfuscation. Ultimately, you spam volumes will be lower if you avoid publishing any email addresses you value.

Passwords
What about passwords? Most people have just one, or maybe a few. Given the number of websites and web services for which the average person requires password-based authentication these days, this is not good enough if you want to avoid an identity disaster.

The problem with having only a few passwords is that even resource rich and security-critical organisations have suffered massive leaks. If even one of them suffers a data leak, identity thieves will get them.

Other ways someone can get your password include:


 * 1) sniffing traffic when you log into a non-secure website (using http:// rather than https:// - the "s" stands for secure because your data transmission's encrypted - look for the [[image:Lock_icon.png|16px]] in your address bar)
 * 2) sniffing emails - your email, unless encrypted, is not secure. Never send a login and password along with the web address of a service (similarly, don't send  credit card numbers).
 * 3) "phishing" attacks - where someone sends you an email that looks like it's from, say, your bank, and they want you to enter your password to confirm it... No one should ever ask you via email to enter your password. As a matter of principle, though, always check the web address (hover over the link) to make sure it corresponds to the right place.
 * 4) brute force - if someone wants to crack your account on some service, they can simply get a computer to guess your password (usually starting with a list of common passwords) and try exhaustively until they get it (or until the system, hopefully, locks them out for trying too many times).
 * 5) "how secure is my password"-type sites - never type your password into anything that isn't the appropriate place. Especially if the place you're typing it also knows your email.

Once your email and any password combination are known, identity thieves will try them all over, because they know most people only use a few - it could mean that the compromise of some fly-by-night service you're using escalates to the compromise of something very important to you - like your email system, your social media accounts, or your bank accounts.

There are services you can check to see if your email is known to be in a leaked password data set. So what can you do to protect yourself?

Password managers
Get a password manager. They are incredibly helpful, and convenient now that computer users tend to have many digital services they want or need to access, each of which requires a login and password, and many have multiple computers and mobile devices from which they want to be able to access to those password details. Password managers help you achieve that.

When you select one, make sure to create one strong password for your manager - probably a full sentence with some numbers and punctuation thrown in - this is all you need to remember - the password manager remembers the others. And make sure you generate a different fully random password for each thing that needs a password. This is crucial because it means that if any one of your passwords is compromised, it does not automatically allow whoever has taken it to access all your other secure services, as would be the case if you use a single password (or a small set of passwords) across all of your digital services.

Good password managers only ever store your details in an encrypted form, where even those storing it (if it's a company) can't see them. Normally, to get your passwords, you log into the password manager service using that strong password (via a secure web link - usually the default, but always check!), download all your passwords in encrypted form, and only decrypt them on the device (in its memory, not saved in a decrypted form) on which you're looking at them.

There are many password manager options. Some widely used proprietary options include Lastpass and 1password. There are also open source options if you prefer. Here at the OER Foundation, we use a self-hosted instance of BitWarden, our favourite password manager that also happens to be open source.

Good messaging hygiene
Always assume that anything you write in an email could be read by anyone. Email is not a secure form of communication. Technically advanced folks have ways of encrypting email, but very few people use it because it's not straightforward - both the sender and the recipient have to be technically proficient.

Text messages and instant messaging like Facebook messenger are also insecure - anyone in your government (or at least the US government) or at Facebook (or whatever company manages the messaging) can read it.

Your own
Never send sensitive data, like your credit card number or a password to something important in an email. Ring someone and tell it to them over the phone.

Use a secure (encrypted) text message service like Signal... It's available at no cost, works on most platforms, and it encrypts your texts on your phone, and if you text someone else with Signal installed, the whole transaction is encrypted.

On behalf of others
Another element of good digital hygiene is protecting the identity of others! One key practice: never send group emails in which you use To: or CC: ("Carbon Copy" - a very quaint concept in this digital era) for each email address. Doing that has the effect of revealing the email address of everyone on the list to everyone else on the list. This is especially problematic if the email is saved and shown on the web (like in an mailing list archive). It is then easy for spammers and crackers to get all those email addresses. To protect other recipient's privacy use BCC: (which stands for "Blind Carbon Copy") which hides the email addresses from other recipients. If your email software requires a To: address to allow you to send, use your own with the rest of the recipients using BCC.

With regard to email mailing lists, where you send messages to a single email address to go out to a list of people, make sure you never CC: someone else in the same message - doing this can compromise both the privacy of the CC'd recipient(s) as well as the privacy of the list - always check with the list first to ensure that you're not taking unacceptable liberties.

If someone asks you to share an email address of a friend or colleague, the ethical practice is to first request permission to share their email address, stating reasons why the third party is requesting the email.

Be a thoughtful sceptic
Technology changes at a breathtaking pace, beyond what most people can manage. So how can we protect ourselves if new threats are emerging all the time?


 * Be very conscious of what is "private" information to you, and where you put it.
 * Consider the terms of service of social media providers like Facebook. Beware. Use a service like "TOSDR" to help identify risky, overreaching services.
 * Make sure you always check the identity of websites before you enter passwords or personal information. Secure certificates are generally trustworthy, but to be sure check the names and details.
 * Always question the wisdom of trusting a provider, or a government - always ask "who benefits from me doing this?" Think about their incentives.
 * Apply all your care not only to your own data, but even more protectively to others' private information. Be very cautious posting information about, or pictures or video of your (or someone else's) children for instance.

Remember, complacency and unwarranted trust are your biggest enemies. Healthy paranoia is, well, good for your digital health.