
How much of your personal information is available online?

When you think of hackers and criminals operating online, you might think of the so-called ‘dark-web’. But scammers and criminals don’t need to delve this deep to steal your information. Faye Lipson explains more…

The ‘dark web’ is seen as a nefarious internet underworld where whole identities are traded for a few pounds each; but in truth, it’s simply a part of the internet which can’t be accessed by conventional browsers such as Internet Explorer, Chrome, Firefox or Safari. Instead, you must use a specialist browser called Tor (short for ‘The Onion Router’) which has been modified to keep its users anonymous.

Many of us fear what the dark web knows about us, though we have precious little control over it and would struggle to access it safely without expert help.

Yet what we should really worry about is actually how most of us use the web on a day-to-day basis: the strength of our passwords and the amount of personal information we freely make available on easily accessible websites.

A decade of us being overgenerous with our personal data, and of companies failing to secure it, has made the ‘everyday’ web a paradise for fraudsters and hackers.

Information security expert Troy Hunt famously founded haveibeenpwned.com – a directory of major data breaches that victims can search using their email address – and said that ‘almost every single record [on the site] came off the clear web’.

Staying safe online

With this in mind, we set out to discover the damage that can be wrought by criminals using only the public internet.

Working with expert cybersecurity firm SureCloud, we recruited 14 volunteers as ‘targets’ and combed social media sites, forums, shopping sites, digitised public records and large deposits of information stolen in company data breaches to build as comprehensive a picture of their lives and personal information as we could.

The results were shocking. We were able to discover passwords and password hints, email and postal addresses, dates of birth, phone numbers, middle names and even signatures. We also uncovered a wealth of ‘softer’ information on people’s interests, hobbies, religion and political preferences.

The information could have been used to perpetrate a wide range of frauds, from applying for a bank account in someone’s name to taking over their existing mobile number and bank account, or ‘socially engineering’ them into divulging online banking details.

And passwords stolen in particular company data breaches could easily give you the keys to victims’ accounts on other sites as many people reuse passwords. For more on this investigation see our news story.
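As an added example (not from the article or from Which?): a way to act on the warning above by checking whether a password already appears in the haveibeenpwned breach corpus, using the site’s Pwned Passwords range query, which sends only the first five hex characters of the password’s SHA-1 hash. The range response below is constructed for offline use, and the function names are my own.

```python
import hashlib
import urllib.request

# Pwned Passwords range-query API (k-anonymity): the client sends only the
# first 5 hex characters of the password's SHA-1 and receives every suffix
# seen in breach data under that prefix, each with an occurrence count.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response for prefix 5BAA6. The first line is
# the real suffix of SHA-1("password"); the other lines and all counts are
# made up for this offline example, not real HIBP data.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2\n"
        "00A1B2C3D4E5F60718293A4B5C6D7E8F9A0:17\n"
    ),
}


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of a password into (prefix5, suffix35)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines into a dict; malformed lines are skipped."""
    counts = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def offline_fetch_range(prefix):
    """Offline stand-in for the HTTP fetch, backed by the constructed sample."""
    return SAMPLE_RANGES.get(prefix, "")


def http_fetch_range(prefix, timeout=10):
    """Real fetch of one range from the public API (needs network; not run here)."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "breach-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch_range=offline_fetch_range):
    """Return how often the password appears in breach data (0 = not seen).

    Only the 5-character prefix leaves the machine; the suffix match is local.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def reused_passwords(credentials):
    """Given {site: password}, return {password: [sites]} for any password
    used on more than one site, the reuse the article warns about."""
    by_password = {}
    for site, pw in credentials.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sorted(s) for pw, s in by_password.items() if len(s) > 1}


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", breach_count(pw))
    print(reused_passwords({"shop": "password", "bank": "password", "forum": "x"}))
```

To query the live service instead, pass `http_fetch_range` as the `fetch_range` argument; the password itself is never transmitted either way.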

Seizing your digital destiny

If you’re feeling alarmed about your own online security, the good news is that there are steps you can take to make yourself safer:

Follow our tips on how to create and store strong, unique passwords for every site.

Delve into your social media settings and make sure fraudster-friendly personal details such as your birthday, middle name and contact details aren’t visible to the public.

Opt out of the open electoral roll, make your landline number ex-directory and ask to be deleted from online directories.

Your mother’s maiden name is a matter of public record. If asked to use it for a security question, make up a completely fake decoy answer (providing you can remember it).

A new data law has just strengthened your right to find out what organisations know about you and control how it’s used – brush up on your new rights.

Do you feel truly in control of your digital identity, or do you fear you’ve exposed too much of your data online? Are you doing anything differently in light of recent stories such as the Cambridge Analytica scandal?


I know “everybody” knows my data as I always use my real name, but as I never click on any rogue emails like the one from “BT Mail” (nice try) today, secrecy in that aspect doesn’t bother me, but tracking for profit certainly does; I resent it intensely. Many don’t, but that is their choice. BT, why did your US email service let that malware email through while my Russian one with good AI and virus control blocked it? I agree with the basics of this convo, but even as we speak I have been notified that Facebook has perpetrated a type of fraud in its presentation of its GDPR email to its users, and already complaints have been filed with the European Centre for Digital Rights by a Facebook user against “Facebook Ireland LTD” (Eire to be exact – tax dodging) by requiring the user to agree to the entire privacy policy and new terms in one document, including a clause that allows Facebook to provide TARGETED ads, thus EMPOWERING (remember that legal definition) as it applies to many of those emails – the company to process personal data as necessary to fulfil its “contractual obligations” – not making it clear they don’t have to agree and can delete their account, only giving you a big I AGREE to click on, other options hidden, blocking accounts if they don’t agree at 25-5-2018. Leaving fake “red dots” to try to make you think you have messages. With all this happening to you by a massive US social network conglomerate, taking “safeguards” elsewhere has to be put into perspective.

I sometimes wonder how we came to allow the social minefield called Facebook to take over our lives and put our security in jeopardy. I have never been there but most people have and I know many who wish they could rewind and rewrite their history. It must be one of the most phenomenal lifestyle experiments in social history and I cannot make up my mind whether Zuckerberg and the others saw its full potential at the outset [pure genius if so] or whether they astonished themselves at how it exploded way beyond its ‘innocent’ origins and expectations into the all-pervading monster it has become.

Patrick Taylor says:
31 May 2018

Agree JW.

I do wonder how much leverage through a content hungry media allows some ideas to escape beyond the original concept. Looking at AirBnB which was for people to let spare rooms we now have a monster where landlords buy and operate portfolios of properties in major cities whilst avoiding H&S and other regulations. Not to mention taking out of use flats for local people.

Perhaps there is a lack of critical evaluation at the early stages by those entrusted to govern on the significant downsides that could follow in the wake of very well-financed and connected ventures.

In case you would like some insight into the way it evolved and the serious money invested ..

Basic e. mail is useful for sending messages quicker than through a post box. One is likely to get a reply sooner too. After that, any other social media seems irrelevant. I have no desire to make instant comments on the world or what I had for breakfast, and, as you may have noticed, I don’t particularly like restricting what I write to a set number of words, just to twit to someone, or even tweet. Since an American began doing that it has debased the currency somewhat. Facebook does allow you to send photos when E. mails crash when overloaded. However all their likes and dislikes put me off. I seem to be able to communicate with relatives fast enough without it, and important photos go on a stick in a jiffy bag with a stamp on it. Anyone with enough time and effort could go through all I’ve put on here over the years and build a pretty good picture of my life and interests. However, I don’t keep any active passwords on here, so they would have to get them from careless sites I communicate with. Not much I can do to stop that. My other safeguard is to do as little as possible financial electronically. If it isn’t on the computer, it can’t be hacked. I also back up files so that they are available if the computer is compromised in any way, or it just breaks down. I appreciate that others have a greater need to use the internet for serious data transfer and the more they do, the more they must find ways of protecting themselves. Ultimately it is a battle between those who wish us harm and those who try and protect us. While the criminals have a free rein and are not caught in significant numbers, they have the edge and the tools to do some serious hacking. We can just hope we aren’t interesting enough to get their time and attention. It’s an unpleasant electronic world and it has been spoiled by those with evil intent. We’re back to Adam, Eden, the serpent and the apple. Eve got hacked.

Phone messaging also works well for me.

I don’t know if the public really takes this seriously or bothers about it until they get phone calls telling them all their personal details or emails, and are hit by adverts knowing their age, nationality, sex, income, location etc., and letters if over 50 with death policies/insurance etc. To help with this I have a USA website that states at length but in plain English the extent of the information gathering and the means of doing it, by the Markkula Center for Applied Ethics, titled Unauthorized Transmission and Use of Personal Data, via Santa Clara University: https://www.scu.edu/ethics/focus-areas/internet-ethics/resources/unauthorized-and-use-of-personal-data/ Read it all, no speed reading please. Sorry if you get a 404; I was able to get it with a small Linux-type browser.

I can’t get that link to work, Duncan, but here is a document on the same site: https://www.scu.edu/ethics/focus-areas/internet-ethics/resources/unauthorized-transmission-and-use-of-personal-data/

Same one, Wavechange, but WHY doesn’t my link work when it’s identical to yours? Which controls things here.

Your link does not contain ‘transmission’. Did you not use copy & paste?

You’re right, Wavechange, no I didn’t use copy + paste. I am beginning to worry about myself now (“senior moment”?).

I don’t think I can teach you much about computers but I contribute Ctrl+c to copy and Ctrl+v to paste. 🙂

Control+a to copy all. Control+x to copy and delete the original. I find when you become senior your brain gets full much more quickly. Don’t worry, Duncan; what’s in your head is very valuable to us all. 🙂

Thanks to both of you. I really do worry about such things; “losing my mind” isn’t something I could live with.

Not much sign of that yet, Duncan, but the way that our regulars constantly go off-topic might suggest we are starting to lose the plot a bit.

I use Facebook to help promote a charity that I’m involved with, for example by publicising events. I don’t put any personal information on FB and I have no Facebook Friends. If someone asks a question I’m happy to provide an answer but usually someone gets there before me. It never fails to amaze me how quickly some people read and respond to posts of FB, often replying with supportive comments.

It’s interesting to see what people post on Which? Conversation.

Sometimes contributors have the same username on this and other sites. At one extreme it’s a way of getting round the Terms & Conditions, for example to help make readers aware of a pressure group or a company.

Years ago, one of our former contributors mentioned in different posts the city where he lived and that he was involved in the NGS open garden scheme. In one or maybe more post he gave his full name. It was easy to find his address, phone number and email address. Now there is a personal website describing his interests, so I suspect that the intention was to encourage other contributors to get in touch.

One website I am a member of sent me an email with the latest Facebook/Android/Twitter data gathering. Read in detail, as I still think people aren’t appreciating the depth of the data gathering; maybe this will start to open a few eyes instead of posts of “I don’t believe you”: https://www.hackread.com/android-apps-chrome-extensions-collect-facebook-data/. By the way, thank you again Wavechange and Malcolm. I used the copy and paste built into Arch Linux to transfer the URL in two quick moves. I think I am “mentally lazy” and just don’t bother making life easier for myself.

Derek/Wavechange – heard of Thermanator? It steals passwords by reading thermal residue on keyboards. Yes, it’s backed by THREE scientists and at least one of them is a Professor. https://www.bleepingcomputer.com/news/security/thermanator-attack-steals-passwords-by-reading-thermal-residue-on-keyboards/ This allows recovering a BANKING PIN, or PASSWORD. Dated 4-7-2018.

Interesting, but it relies on a thermal camera being in exactly the right place over a keyboard and presumably some way of identifying the individual who last pressed the keys. Although the keys that had been pressed could be identified after the event by the thermal camera I couldn’t see how it knew in which order they were pressed. Without a bank card in the slot, or knowledge of it or of the cardholder, the PIN or password is useless, surely?

Well, you are right, John, but if the person doing it is in the house at the same time as the card holder it makes it easier to steal his wallet and use his card, a thing done frequently in the USA. A party – a “friend” says, “John (after nabbing your card), I am going out to buy more drink, back to the party soon”, does the transaction, returns to the house, replaces the card.

This is more to do with offices, I think. An app on an iPhone could accomplish it pretty quickly and easily, but there are far easier ways of getting passwords. Loggers, for one.

I am not saying such a scenario could not occur, Duncan, but it’s pretty unlikely and people must always keep their bank cards in secure places; if they don’t then they haven’t got a leg to stand on. Things must be very slack and casual in some parts of America or among certain sections of the population. Perhaps they get what they deserve.

It seems there is no let-up in information gathering. I have been informed that an Israeli spy company supplying governments with a device app to easily hack and control iPhones all over the world has caught a disgruntled ex-employee trying to sell the source code. At the same time apps are available to spy on your spouse if you use an Android phone; it got headlines when a section of the UK police force had an “employee” buy one for – yes, what? The organisation that told me tried to get some action but was refused, and no action was taken against them or the “employee”. While this app can be bought, it’s highly illegal here. You will notice I have not named any company nor the government “service” as I don’t want any trouble; what I am trying to put is that all your mobile devices aren’t as secure as you might think. Having said that, is anyone who uses an Android phone wanting an app I approve of that will monitor ALL outgoing data and display it for you? I have known the US company for years – above board, not run by a US conglomerate, open, good website; its app is used on PCs/laptops etc. and now can be used on Macs, big display in colour showing you actual outgoing data and naming it, well proven, and there is a free version – block individuals/all/etc. Keeps a watch on your outgoing data and NO, it doesn’t “phone home”.

GDPR – there seems to be some confusion on this going by replies to my posts on it. For a start the Regulations state it applies to EU CITIZENS ONLY – so Brexit? Second, even applying it there are ways round it, as shown by this commercially aimed “How will GDPR affect Cold-calling”. I intend to also post this in the aggravating cold calls convo: http://www.outboundworks.com/how-will-gdpr-affect-cold-calling/ Don’t read half of it; read the lot before replying.

As I understand it, since the General Data Protection Regulation has been incorporated into UK law and is therefore a UK Statutory Instrument, it will endure after we leave the EU. Lots of other EU directives and regulations have similarly been transposed. After Brexit the government can then see which ones to modify or rescind.

As the US government has allowed “open house” on third parties obtaining data from you via recent legislation, many there are now using VPNs. There is some bad news: most of the FREE VPNs admit they collect data for third parties. QUOTE – While many VPN service providers would want you to believe that they have charitable aims in offering VPN access for free, the reality is that most free VPN services are glorified data farms. I will know because I specialize in testing and reviewing VPNs. In a recent study my organization conducted, analyzing the most popular free VPN services, we discovered that pretty much every popular free VPN service is a glorified data farm or abuses access to user data and resources in some form. Hotspot Shield, in particular, is a major culprit. While Hotspot Shield boasts over 600 million users, an increasing percentage of these in the U.S., very few of these users know that Hotspot Shield intentionally allows third parties to gather data from users of their VPN service. Hear it straight from their privacy policy page: “Our ad partners may also receive information independently from you or your device.” What data Hotspot Shield ad partners are allowed to gather may include your device advertising ID, IMEI, MAC address, and wireless carrier information. So much for privacy protection! There is also Hola, another popular free VPN service that has managed to position itself as a free VPN service that helps users unblock and stream restricted content on streaming websites such as Netflix and Hulu. Hola boasts over 160 million users on its homepage at the time of this writing, yet it has been accused of abusing its access to user computers, including turning them into botnets. END of QUOTE. There is more but it gets technical and I get criticised for “being technical”. Free mobile VPN is no better.
The author is a software test/design engineer. I also have a university research paper from Australia – the Commonwealth Scientific & Industrial Research Organisation (CSIRO) – for disbelievers. The legalising of the ability of ISPs to sell user data without user permission, the repeal of net neutrality, and the metadata retention scheme in Australia etc.

DerekP says:
26 September 2018

Duncan – thanks – that looks like useful advice for anyone gullible enough to think that “free to access” internet services are only ever funded by rich benevolent billionaires and honest charitable foundations.

I guess your source was: “#1230534: Almost Every Major Free VPN Service is a Glorified Data Farm” on brica.de – i.e. some zero cost bannerware/hurt-and-rescue marketing from a subscription based internet security consultancy.

Like to add to my above post on VPNs: just been handed new info that proves even PAID VPNs aren’t secure from info gathering. QUOTE – When Lin subscribed to PureVPN, the VPN service claimed to store no logs of users’ activity on its servers and as a result has nothing to offer should law enforcement come knocking. Color Lin surprised, however, when he was arrested by the FBI thanks to the logs of his usage of PureVPN service that PureVPN turned over to the FBI. Now, what Ryan Lin did is purely despicable, and he deserves every day he spends in jail. However, for every criminal like Lin using a VPN to perform criminal activities, there are a lot of innocent people who simply want to prevent anybody (including the government) from ever being able to track or eavesdrop on their activity. So when VPNs like PureVPN claim to keep no logs but actually have something to turn over when the government comes knocking at their door, they put real people at risk. I’ve spent a huge part of my life working in cybersecurity, and I’ve reviewed pretty much every major VPN service that exists. Want to know what I think? Don’t ever sign up for a VPN simply based on claims they are making on their site (that’s called marketing speak, and almost anybody will make any claim just to get new users). Instead, pay very careful attention to the following five things: Perhaps the most important thing you should pay attention to before signing up to use any VPN service is the jurisdiction of the VPN service provider. The jurisdiction of a VPN service provider is more important than any claim of not keeping logs.

As far as jurisdiction is concerned, there are three key factors that matter:

A: Your own location and laws surrounding the use of VPNs.
B: The physical location of the VPN service provider you plan to use.
C: The server locations of the VPN service provider you plan to use.

You want to pay particular attention to the physical location of the VPN service provider you want to use as well as the server location of the VPN service, and you want to pay special attention to whether it is located in a Five Eyes jurisdiction, a Nine Eyes jurisdiction, or a 14 Eyes jurisdiction. In Five Eyes countries, the law empowers intelligence agencies to access and share electronic data with other member nations depending on the circumstances. Five Eyes countries can force organizations to disclose any data and also demand that they don’t disclose this fact through gag orders. They are also generally some of the worst abusers of user privacy. In Nine Eyes countries, member nations can work together and access and share data with one another without regard for privacy laws in individual member countries; this is practically an extension of Five Eyes, and practices are similar. 14 Eyes is an extension of Nine Eyes and with similar practices. So essentially, you will be safer if you use a VPN that isn’t in a Five Eyes, Nine Eyes, or 14 Eyes jurisdiction. For example, while popular VPN service Private Internet Access is located in a Five Eyes member country (the U.S.), competitor NordVPN is not located in any Five Eyes, Nine Eyes, or 14 Eyes country. As a result, based on jurisdiction information, NordVPN could be said to be much safer than Private Internet Access. Another piece of information you want to pay special attention to when using a VPN service is the access and permissions required by the VPN service you are using. This is particularly important for mobile VPNs. It goes on, but that is the end of that QUOTE.

Next, DNS leaks – One area very few VPN users pay attention to that can make a whole lot of difference is the area of DNS leaks. If you are using a VPN service that leaks your DNS information, consider yourself not using a VPN at all, because tracing you will be as easy as ABC. Not surprisingly, just a little extra research would have revealed the fact that the VPN service that turned over Ryan Lin’s data to the government has very lax privacy measures in place. For years they have been leaking DNS data, yet users not sensitive to this fact keep using them. Written by the founder of a renowned VPN company and author of many website guides on VPN and internet safety.

GDPR has been brought up and debated, but I have been sent info from a European rights group who have delved into the small print of the ePrivacy Regulation legislation – quote –

It’s been six hundred and fifty-two days since the European Commission launched its proposal for an ePrivacy Regulation. The European Parliament took a strong stance towards the proposal when it adopted its position a year ago, but the Council of the European Union is still only taking baby steps towards finding its position.
In their latest proposal, the Austrian Presidency of the Council continues, unfortunately, the trend of presenting the Council with suggestions that lower privacy protections that were proposed by the Commission and strengthened by the Parliament. In the latest working document, which was published on 19 October 2018, it becomes apparent that we are far from having reached the bottom of what the Council sees as acceptable in treating our personal data as a commodity.

Probably the gravest change to the text is to allow the storing of tracking technologies on the individual’s computer without consent for websites that partly or wholly finance themselves through advertisement, provided they have informed the user of the existence and use of such processing and the user has accepted this use (Recital 21). The acceptance of such identifiers by the user as suggested is far from being the informed consent that the General Data Protection Regulation (GDPR) established as a standard in the EU. The Austrian Presidency text will put cookies which are necessary for regular use (such as language preferences and the contents of a shopping basket) on the same level as the very invasive tracking technologies which are being pushed by the Google/Facebook duopoly in the current commercial surveillance framework. This opens Pandora’s box for more and more sharing, merging and reselling of citizens’ data in huge online commercial surveillance networks, and micro-targeting them with commercial and political manipulation, without the knowledge of the person whose private information is being shared with a large number of unknown third parties.

You can be assured I will be checking out any storage of this sort on my PC.
Already Yandex has a data storage file, but it’s in Temp, as Arch doesn’t trust Yandex now it has shifted to Chrome with its closed system. I could remove it, but it would also remove blockers I have on it.
While I have easy access to all folders and files if I make myself root, I don’t run in that mode for safety reasons, but some systems make it hard to locate hidden files.

By the way, as regards the web storing your info: many years ago I had Win 7 Prof; today I had an email asking me to upgrade a long disused/forgotten email service that only works in Windows. Nothing is lost on the web – is it?

On a positive note Proton Mail has emailed me with info on additional free security apps making it harder for the NSA/GCHQ/ISP to decipher.