安全なデジタルライフのために

First, if you’re not at home, you should always lock your device before you put it down, no exceptions. Your phone should be locked with the most secure method you’re comfortable with—as long as it’s not a 4-digit PIN, which isn’t exactly useless but is definitely adjacent to uselessness. For better security, use a password or a passcode that’s at least six characters long—and preferably longer. If you’re using facial recognition or a fingerprint unlock on your phone, this shouldn’t be too inconvenient.

Second, set your device to require a password immediately after it’s been locked. Delays mean someone who snatches your phone can get to your data if they bring up the screen in time.

Additionally, make sure your device is set to erase its contents after 10 bad password attempts at maximum. This is especially important if you haven’t set a longer passcode.

Also, regularly back up your phone. The safest way to back up data if you’re concerned about privacy is an encrypted backup to your personal computer; however, most iOS device owners can back up their data to iCloud with confidence that it is end-to-end encrypted (as long as they have iOS 13 or later).

Along the same lines, make sure you have installed the most recent version of the phone OS available to prevent someone from taking advantage of known security bypasses.

Side-loaded apps can also lead to security issues. Never side-load an app from an untrusted source or allow an iOS app that requires a “profile” to be installed on your device if the app isn’t one you’ve created or one provided to you by your employer’s mobile device management (MDM) platform.

To mitigate such vulnerabilities via apps, regularly review the permissions that applications request from the device. […] Avoid apps with sketchy permission asks, and deny anything that seems like overreach—like when Facebook Messenger asks to be your SMS client and then logs all your phone calls to your Facebook account so it can find “friends” for you more efficiently. (Also, for the love of God, don’t use Facebook Messenger.) And if there are apps that you don’t use, delete them.

Besides issues that arise from questionable app behavior, mobile devices can be vulnerable through normal functions like Wi-Fi or Bluetooth. Consider turning off Wi-Fi when you’re away from home. Your device may otherwise be constantly polling for the network SSIDs in its history to reconnect automatically or to connect to anything that looks like a carrier’s Wi-Fi network. When this happens, your device gives away information about networks you’ve seen and might allow a hostile network access point to connect. Also, your phone’s Wi-Fi MAC address could be used to fingerprint your device and track it. (Apple randomizes the MAC address of its iOS devices’ Wi-Fi adapters while scanning for networks—but if your home Wi-Fi network’s name is particularly memorable, that may not matter.) When your phone tells you to turn on Wi-Fi to improve location accuracy, ignore it.

The same goes for Bluetooth. If your device has Bluetooth turned on, it’s broadcasting information that could identify it—and you. (I have demonstrated this to journalism classes by calling out students’ names that I picked out from the default names of their iPhones.)

I have found several common themes when things go wrong; the biggest is that malware protection is frequently not up to date or, worse, is disabled. Even allowing Windows Defender to run in the background provides a significant bump in protection over nothing, and disabling it without a very good reason is a very bad idea.

The basic fixes for these threats are straightforward but require some behavior modification. And one of the easiest behaviors to modify is how we browse the web. We need to treat this the same way we would a walk home in the dark—with extra, active attention to our surroundings.

Another helpful trick for keeping laptops safe is using a privacy browser plugin such as the EFF’s Privacy Badger and being very selective about which sites are allowed to use tracking cookies. This will reduce the threat of malicious ads.

Another easy way to minimize threats to your PC, first and foremost, is running the most recent fully updated version of the operating system of your choice. I’m not going to advocate for any particular flavor of operating system here, but if you’re on an older release of any OS and connected to the Internet, you’re increasing your risk of compromise. Turn on automatic updates and leave them on. When an update is pending, stop what you’re doing and install it immediately. Yes, this can often be inconvenient. Welcome to the modern world of malware. Suck it up and install your updates or risk compromise. (This applies to your web browser, too—stop putting off that Chrome update prompt and do it right now.)

Just as a phone’s solid unlock password prevents data theft, the same is true of enabling password or PIN protection on your notebook computer for sleep mode. When traveling in high-risk areas like airports, power-down your computer when it’s not in use so that the risk of someone playing “Evil Maid” or surreptitiously gaining access in some other physical way is reduced.

And, finally, use a password manager. An easy-to-guess password renders all other security efforts moot. Whether it’s a password built into your web browser of choice or a standalone program, use one. Chrome, Firefox, and Safari all have reasonably secure password managers, and you can replicate passwords for web accounts across devices. If you don’t like the idea of a password manager because you’re one of those folks who just uses letmein123! as your password everywhere, you need to decide if the convenience is worth the price you’ll eventually pay when you’re compromised. (Spoiler alert: it’s not.)

Or, instead of trying to follow all these suggestions, you could mitigate this entire category of risks by never using social media again.

But for everyday Internetting, you just don’t need VPNs that much anymore. Transport Layer Security now encrypts a vast majority of Internet traffic, and it’s unlikely that someone is going to grab your credit card data or other personal information off a public Wi-Fi network.

The same is true of the Tor protocol for anonymizing Internet traffic—odds are you won’t need it daily, but there are times when it’s good to have. Tor and VPNs are most useful when you’re outside of your home and on a potentially hostile network (or on the Internet in a potentially hostile country).

You’ll also want Tor or a VPN in situations where you’re on a network that has a TLS proxy that breaks traditional HTTPS encryption by using proxy certificates to decrypt traffic in the middle. At least in those scenarios, the worst that can happen is you can’t get an outbound connection.

For encrypted and verified communications with another specific person, Signal is the current standard—it’s cross-platform and doesn’t even have an option for unencrypted storage or transmission of text and voice. Lesser-known platforms such as Keybase and Wire offer encrypted text communications as well, but a full discussion of encrypted voice and text communications is a subject for another time.