One day, B.J. Mendelson was playing Roblox with his school-aged nieces when suddenly, he heard a stranger’s voice come out of one of their iPads. A longtime digital security buff, he was pretty creeped out. He knew how to keep himself secure online, but the incident brought home just how many opportunities for privacy breaches there are lurking in everyday devices. Most people, including his own brother and sister-in-law, operate them without a playbook.
That’s why this fall, he decided to start a podcast miniseries with the goal of making digital privacy more accessible. Sexy, even. The result is Stupid Sexy Privacy, a show in which he and co-host Rosie Tran give listeners bite-size, actionable tips on dealing with basic tech stuff like password management, not letting your car harvest your data, and whatever Elon Musk is doing to Twitter. Mendelson was kind enough to share some of these pearls of privacy wisdom with Slate, though you should probably get a VPN before you read them.
This interview has been condensed and edited from two conversations for clarity.
Heather Schwedel: Let’s consider the hypothetical person who knows absolutely nothing about privacy—what are some things they can do to improve their security, like, right this second?
B.J. Mendelson: Use the right browser and get a forwarding email address. I use DuckDuckGo and an @duck email address. These days, most marketing emails have trackers in them that collect data about you. The @duck forwarding address strips away the tracker and forwards it to your real email so you can get messages without companies collecting your information.
You can also use ClamAV to look for malicious software, and use Signal for messaging. Signal is great—it’s not sophisticated, it has a lot of fun features, there’s a group chat option, and it lets you chat securely with your friends and family without worrying whether someone can access your messages. If I can get people reading this to just switch to Signal, I’ve already done a large part of my job.
Also, get a VPN (virtual private network.) It disguises your web activity and limits the data your internet service provider can collect about you.
I thought a VPN was for like, watching streaming services from other countries and buying dark-web drugs. Do I, an average person, really need one?
If you’re at home, then you don’t have to worry about it. But if you’re out and using public Wi-Fi, you absolutely do. Something like 90 percent of Gen Z and millennials own a smartphone. [Actually, it’s roughly 98 percent for Gen Z and 94 percent for millennials.] We’re all out and about using and connecting to different Wi-Fis that are probably not secure. That’s a serious thing. That’s why I use tools like Proton VPN, which has an app. You fire it up, and then off you go.
Can you tell me about some of the biggest takeaways from the recent episode you did about protecting yourself after a breakup?
If you’re going through a breakup, and you’ve shared your device with that partner, you absolutely need a new device. It’s the only way to guarantee that there’s not a keylogger—which lets the person who installed it monitor every single thing you enter on your keyboard, including passwords, emails, etc.—or some other kind of spyware that they’ve put on there.
When I heard that tip, I balked at the idea that it was easy. First of all, you recommend getting a new Mac, which is expensive!
You’re right, it is expensive. And it sucks. And I wish that there was an alternative. But for most people, that is the easiest, most basic way for them to protect themselves.
It also struck me as a little extreme to get a new computer every time you go through a breakup. In a lot of cases, you were with a decent person and it just didn’t work out—should you really be afraid of them?
That’s always the question, right? In the privacy space, they talk about threat vectors, which is really just a nice way of asking what the probability is that someone’s going to do something shitty to you. But, it’s easy to be evil today. Revenge porn is unfortunately a huge thing. That’s why we talk about this stuff.
But you’re right. I have a couple of ex-girlfriends who’ve had access to my stuff. Am I concerned that they’re spying on me? No. But is the possibility there? The possibility is always there.
These costs must start to add up. How much money do you personally spend on privacy stuff annually?
Signal is free. DuckDuckGo is free. The DuckDuckGo forwarding email address is free. ClamAV is free. Proton VPN is one regular expense, which is about $100 a year. Again, the nice thing about privacy is that a lot of this stuff is open-source , which means it’s freely available, and the incentive is usually to protect users rather than turn a profit. There are services like 1Password that I also pay for.
DeleteMe, the other service that I think everyone needs, is also unfortunately expensive. It’s a tool that removes personal data captured by data brokers. If you’ve got two weeks’ worth of free time, you can go to all 600 of those data brokers yourself and fill out a form on their individual websites, which is often buried under a bunch of legalese. In doing so, you might even create more data that then go back to them. So what DeleteMe does is constantly look for your information and then scrub it again, which saves you time. I paid about $250 for it.
All told, I spend about $300 or $350 a year on privacy stuff. And I want to be clear: That sucks. I should not have to pay for this. Something like DeleteMe should be something that’s government-funded so that everyone can use it.
What’s the dumbest infosec mistake you see people make?
Clicking on suspicious links in emails and texts. We all fall for it. I’ve fallen for it. My dad recently fell for it. Just understand that not everything you get is safe, especially in email. There’s a company that I do some work with, and we constantly get phishing emails that look like they’re from the CEO. Everything looks so legit and sophisticated that people click on it. And so that’s been the most common thing.
People need to look for typos and spelling errors in these emails. And to check if the domain from the sender was correct. What does the website look like when you do click through? And if you do click, please, for the love of God, do it using Tor. Any time that you’re suspicious of a link, if you’re on a desktop, you can just download Tor and then pop the link in there. That’s a secure way to look at a link without having to worry about it hijacking your system.
Your first book about privacy came out a few years ago, and you’re working on a new one now. What would you say have been the biggest changes in this landscape since the last book came out?
Definitely this thing that’s going on with Twitter. But before that, it was the scope and scale of Russia’s hacking of the DNC [Democratic National Committee]. We didn’t know how deep it was. But I think the level of sophistication is something that people should be aware of.
Here’s the scary thing: The tools and tactics that Russia used have now been co-opted by Republican operatives, fascists, and other weirdos to harass people, dox them, and spread misinformation. Things like trying to smear people with old tweets or things that have been taken out of context have also become so much more common and aggressive for the day-to-day person. When I first wrote the book, we were talking about governments, journalists, and big organizations being hit with these attacks, but now we’re all dealing with it.
I definitely want to talk about Twitter. What should people do about Twitter right now?
If you’re going to stay, the first thing you want to do is protect your tweets by going into your settings, then the Privacy and Safety tab, then clicking Audience and Tagging. That makes them private, so only the people who follow you can see them. This matters, because what’s going to happen when Musk rolls out the new Twitter Blue? If you look at the ad for Twitter Blue, it says, “Rocket straight to the top of @-messages and DMs.” If I were a bad actor, I could purchase Twitter Blue and just start harassing people in a way that’s harder to ignore. Protecting your tweets can help.
The second thing is to use a YubiKey, Google Authenticator, or Authy. Google Authenticator and Authy are two-factor authentication apps that are more secure than SMS. But the most secure option is a YubiKey, which is a physical key that plugs into your USB drive or phone that you need to have with you to log in to Twitter.
The third thing, and this gets into legal territory, is to delete your DMs in case someone breaks into your account. The response that I’ve gotten to this is, “Well, that doesn’t delete them from Twitter servers.” Two things to say about that: First, you should delete all your past and future Twitter DMs just in case someone breaks into your account and finds information that could be used to break into your other accounts.
Secondly, if Twitter employees access your DMs, the company is liable under the Stored Communications Act. Corporate employees of companies like Facebook and Google can face criminal charges for accessing this sort of private information and using it in certain ways.
I think there is a real risk that if you’re the average person using Twitter, you can still be hacked. Plus, privacy is a thing that we need to do together. Not only are you protecting yourself, but you’re also protecting other people whom you’ve had conversations with.
Another idea I’ve always been suspicious of is that I need to put a sticker on my laptop camera.
Again, it’s a crime of opportunity. Let’s say you’re at work, and there’s a breach in the company server. If that happens, people can find a way to get on to your laptop, and it’s entirely possible they could activate your microphone and your video camera without you knowing. For a long time, I was telling people to just put a Post-it note over the camera. I know it sounds silly, but it’s a legit concern.
Just talking about hidden cameras for a second, that’s a global epidemic around the world that adversely affects women. And so, getting an RF detector—a small device that detects hidden cameras—can go a long way to keeping yourself and your privacy secure. You can also get a mic blocker to disable mic access so no apps on your phone can listen to you.
OK, one more question. What is the sexiest thing about privacy?
There’s nothing sexier than being able to share images and videos with your partner, especially during times like a pandemic, and not having to worry about, “Oh my God, this is gonna wind up on some guy’s hard drive or website?”
I think intimacy with the knowledge of security is very sexy.
Source: VPN, phone security tips: How to avoid phishing, identity theft
New Phishing Campaign Impersonates Flipper Zero to Target Cyber Professionals