Facebook Backdoor Gives Clues To Private Email Addresses

by Adam Tanner, Contributor

If you forget your Facebook profile name, you can enter your name, email or phone number into a page called Find Your Account to find your Facebook profile and some alternative email addresses, which are partially obscured such as j*******s@yahoo.com.

The same technique works if you type in other people’s details. Then Facebook can act as a Caller ID and produce a photo, name or clues about a private email. That could help if someone telephones but does not leave a message, or if you want to find a private email address from a company email.

As a test I looked up Gary King, one of two dozen who hold Harvard’s prestigious title of University Professor. His email address is listed on his public webpage. A search of Find Your Account leads to his Facebook profile photo and revealing clues to his alternative email addresses.

I repeated the process for several other people. It did not find everyone– perhaps the telephone numbers or email addresses were not linked with Facebook — but in many cases it did, including for a well-known private detective in Las Vegas whose photo I was able to see.

“This is an interesting case where a feature aimed at giving users a better service actually exposes their private data,” said Michael Bar-Sinai, a software engineer at Harvard’s Institute for Quantitative Social Science where King serves as director.

He pointed out his privacy settings allowed only friends of friends – not everyone – to look him up with his email address or his phone number. Yet a search finds his photo, name and partial email addresses.

In many cases, “Find Your Address” would not reveal any startling information. However, often a little bit of personal information here and there allows outsiders to gain a far 


more intimate portrait of us than we imagine. One chapter in my upcoming book tries to find a woman whose thumbnail-size image is posted on a Yelppage. Tiny clues in obscure places help reveal her double life on the steamier side of the Internet.

Asked about the information shown by Find Your Account, a Facebook spokesman who did not want to be named said: “Certain information on Facebook—such as your name, profile photo, and networks (if you choose to add any)—is treated as public because it plays a crucial role in helping your friends and family connect with you. In this case, showing a profile photo helps people avoid accidentally initiating a password reset for the wrong account.”

This page describes what Facebook considers public information. Users can adjust their privacy settings with details given here to mask the name and photo from being visible in the password recovery process.

“If you use the password recovery feature to search for someone who has modified these settings such that you can’t look them up using this information, you will see only ‘Facebook User’ and will not be able to view their name, profile photo, or networks,” the spokesman said.

Still, the partial email address remains visible. So using his phone number, I looked up the spokesman via Find Your Account. His name and photo were not given, but I could easily guess what his private Gmail address is from the partially masked information. It showed the first letter of his first name, stars, and the last letter of his uncommon surname followed by @gmail.com.

“We show obscured email addresses in the password reset flow because our experience with helping many people recover their accounts over the years suggests that this information is important for helping people find the account recovery message we send,” he said. “Many people have multiple email addresses and don’t always remember which one is registered with Facebook.”

In the case of Professor King, his photo is available elsewhere and he posts his university email on his web page. His private email addresses – for which Facebook provided some clues — would be harder to locate. But he is relaxed about this information being visible.

King cited outgoing Microsoft CEO Steve Ballmer as someone who has made his email address public and referred to that fact in interviews. Ballmer “said he does the same and has no problems.  I get a lot of email, but just like he said, people tend to be respectful,” King said. “I sign out of every automated mailing, which cuts things down some.”

full story: http://www.forbes.com/sites/adamtanner/2014/01/17/facebook-backdoor-gives-clues-to-private-email-addresses/

NSA collects millions of text messages daily in ‘untargeted’ global sweep

• NSA extracts location, contacts and financial transactions
• ‘Dishfire’ program sweeps up ‘pretty much everything it can’
• GCHQ using database to search metadata from UK numbers

by  in New York

Texting on BlackBerry mobile phone

The NSA has made extensive use of its text message database to extract information on people under no suspicion of illegal activity. Photograph: Dave Thompson/PA

The National Security Agency has collected almost 200 million text messages a day from across the globe, using them to extract data including location, contact networks and credit card details, according to top-secret documents.

The untargeted collection and storage of SMS messages – including their contacts – is revealed in a joint investigation between the Guardian and the UK’s Channel 4 News based on material provided by NSA whistleblower Edward Snowden.

The documents also reveal the UK spy agency GCHQ has made use of the NSA database to search the metadata of “untargeted and unwarranted” communications belonging to people in the UK.

The NSA program, codenamed Dishfire, collects “pretty much everything it can”, according to GCHQ documents, rather than merely storing the communications of existing surveillance targets.

The NSA has made extensive use of its vast text message database to extract information on people’s travel plans, contact books, financial transactions and more – including of individuals under no suspicion of illegal activity.

An agency presentation from 2011 – subtitled “SMS Text Messages: A Goldmine to Exploit” – reveals the program collected an average of 194 million text messages a day in April of that year. In addition to storing the messages themselves, a further program known as “Prefer” conducted automated analysis on the untargeted communications.


An NSA presentation from 2011 on the agency’s Dishfire program to collect millions of text messages daily. Photograph: Guardian

The Prefer program uses automated text messages such as missed call alerts or texts sent with international roaming charges to extract information, which the agency describes as “content-derived metadata”, and explains that “such gems are not in current metadata stores and would enhance current analytics”.

On average, each day the NSA was able to extract:

• More than 5 million missed-call alerts, for use in contact-chaining analysis (working out someone’s social network from who they contact and when)

• Details of 1.6 million border crossings a day, from network roaming alerts

• More than 110,000 names, from electronic business cards, which also included the ability to extract and save images.

• Over 800,000 financial transactions, either through text-to-text payments or linking credit cards to phone users

The agency was also able to extract geolocation data from more than 76,000 text messages a day, including from “requests by people for route info” and “setting up meetings”. Other travel information was obtained from itinerary texts sent by travel companies, even including cancellations and delays to travel plans.


A slide on the Dishfire program describes the ‘analytic gems’ of collected metadata. Photograph: Guardian

Communications from US phone numbers, the documents suggest, were removed (or “minimized”) from the database – but those of other countries, including the UK, were retained.

The revelation the NSA is collecting and extracting personal information from hundreds of millions of global text messages a day is likely to intensify international pressure on US president Barack Obama, who on Friday is set to give his response to the report of his NSA review panel.

While US attention has focused on whether the NSA’s controversial phone metadata program will be discontinued, the panel also suggested US spy agencies should pay more consideration to the privacy rights of foreigners, and reconsider spying efforts against allied heads of state and diplomats.

In a statement to the Guardian, a spokeswoman for the NSA said any implication that the agency’s collection was “arbitrary and unconstrained is false”. The agency’s capabilities were directed only against “valid foreign intelligence targets” and were subject to stringent legal safeguards, she said.

The ways in which the UK spy agency GCHQ has made use of the NSA Dishfire database also seems likely to raise questions on the scope of its powers.

While GCHQ is not allowed to search through the content of messages without a warrant – though the contents are stored rather than deleted or “minimized” from the database – the agency’s lawyers decided analysts were able to see who UK phone numbers had been texting, and search for them in the database.

The GCHQ memo sets out in clear terms what the agency’s access to Dishfire allows it to do, before handling how UK communications should be treated. The unique property of Dishfire, it states, is how much untargeted or unselected information it stores.

“In contrast to [most] GCHQ equivalents, DISHFIRE contains a large volume of unselected SMS traffic,” it states (emphasis original). “This makes it particularly useful for the development of new targets, since it is possible to examine the content of messages sent months or even years before the target was known to be of interest.”

It later explains in plain terms how useful this capability can be. Comparing Dishfire favourably to a GCHQ counterpart which only collects against phone numbers that have specifically been targeted, it states “Dishfire collects pretty much everything it can, so you can see SMS from a selector which is not targeted”.

The document also states the database allows for broad, bulk searches of keywords which could result in a high number of hits, rather than just narrow searches against particular phone numbers: “It is also possible to search against the content in bulk (e.g. for a name or home telephone number) if the target’s mobile phone number is not known.”

Analysts are warned to be careful when searching content for terms relating to UK citizens or people currently residing in the UK, as these searches could be successful but would not be legal without a warrant or similar targeting authority.

However, a note from GCHQ’s operational legalities team, dated May 2008, states agents can search Dishfire for “events” data relating to UK numbers – who is contacting who, and when.

“You may run a search of UK numbers in DISHFIRE in order to retrieve only events data,” the note states, before setting out how an analyst can prevent himself seeing the content of messages when he searches – by toggling a single setting on the search tool.

Once this is done, the document continues, “this will now enable you to run a search without displaying the content of the SMS, especially useful for untargeted and unwarranted UK numbers.”

A separate document gives a sense of how large-scale each Dishfire search can be, asking analysts to restrain their searches to no more than 1,800 phone numbers at a time.


An NSA slide on the ‘Prefer’ program reveals the program collected an average of 194 million text messages a day in April 2011. Photograph: Guardian

The note warns analysts they must be careful to make sure they use the form’s toggle before searching, as otherwise the database will return the content of the UK messages – which would, without a warrant, cause the analyst to “unlawfully be seeing the content of the SMS”.

The note also adds that the NSA automatically removes all “US-related SMS” from the database, so it is not available for searching.

A GCHQ spokesman refused to comment on any particular matters, but said all its intelligence activities were in compliance with UK law and oversight.

But Vodafone, one of the world’s largest mobile phone companies with operations in 25 countries including Britain, greeted the latest revelations with shock.

“It’s the first we’ve heard about it and naturally we’re shocked and surprised,” the group’s privacy officer and head of legal for privacy, security and content standards told Channel 4 News.

“What you’re describing sounds concerning to us because the regime that we are required to comply with is very clear and we will only disclose information to governments where we are legally compelled to do so, won’t go beyond the law and comply with due process.

“But what you’re describing is something that sounds as if that’s been circumvented. And for us as a business this is anathema because our whole business is founded on protecting privacy as a fundamental imperative.”

He said the company would be challenging the UK government over this. “From our perspective, the law is there to protect our customers and it doesn’t sound as if that is what is necessarily happening.”

The NSA’s access to, and storage of, the content of communications of UK citizens may also be contentious in the light of earlier Guardian revelations that the agency was drafting policies to facilitate spying on the citizens of its allies, including the UK and Australia, which would – if enacted – enable the agency to search its databases for UK citizens without informing GCHQ or UK politicians.

The documents seen by the Guardian were from an internal Wikipedia-style guide to the NSA program provided for GCHQ analysts, and noted the Dishfire program was “operational” at the time the site was accessed, in 2012.

The documents do not, however, state whether any rules were subsequently changed, or give estimates of how many UK text messages are collected or stored in the Dishfire system, or from where they are being intercepted.

In the statement, the NSA spokeswoman said: “As we have previously stated, the implication that NSA’s collection is arbitrary and unconstrained is false.

“NSA’s activities are focused and specifically deployed against – and only against – valid foreign intelligence targets in response to intelligence requirements.

“Dishfire is a system that processes and stores lawfully collected SMS data. Because some SMS data of US persons may at times be incidentally collected in NSA’s lawful foreign intelligence mission, privacy protections for US persons exist across the entire process concerning the use, handling, retention, and dissemination of SMS data in Dishfire.

“In addition, NSA actively works to remove extraneous data, to include that of innocent foreign citizens, as early as possible in the process.”

The agency draws a distinction between the bulk collection of communications and the use of that data to monitor or find specific targets.

A spokesman for GCHQ refused to respond to any specific queries regarding Dishfire, but said the agency complied with UK law and regulators.

“It is a longstanding policy that we do not comment on intelligence matters,” he said. “Furthermore, all of GCHQ’s work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Parliamentary Intelligence and Security Committee.”

GCHQ also directed the Guardian towards a statement made to the House of Commons in June 2013 by foreign secretary William Hague, in response to revelations of the agency’s use of the Prism program.

“Any data obtained by us from the US involving UK nationals is subject to proper UK statutory controls and safeguards, including the relevant sections of the Intelligence Services Act, the Human Rights Act and the Regulation of Investigatory Powers Act,” Hague told MPs.

full story: http://www.theguardian.com/world/2014/jan/16/nsa-collects-millions-text-messages-daily-untargeted-global-sweep

Privacy concerns raised as Google+ makes it possible to send email via name search

Questions raised as new automatically enabled feature in Google+ lets people send emails to strangers without knowing their email address


Salesforce: Google Plus logo and website screen close up

Google Plus logo and website screen close up Photograph: Alamy

Google is integrating its Gmail service and Google+ social tracking network so that people without your Gmail address can send you emails by a name search.

The move has raised questions about its privacy implications, after similar moves with Gmail and its then-new Google Buzz social network in 2010 led to a row over alleged privacy invasion. Those in turn led to Google being bound to a 20-year privacy oversight by the US Federal Trade Commission.

Google has also made the change opt-out, so that users will have to change their settings to prevent unknown people emailing them. The senders will not see the email address of the person they are sending the message to unless the recipient replies.

Announcing the move in a blogpost, Google product manager David Nachum wrote:

Have you ever started typing an email to someone only to realize halfway through the draft that you haven’t actually exchanged email addresses? If you are nodding your head ‘yes’ and already have a Google+ profile, then you’re in luck, because now it’s easier for people using Gmail and Google+ to connect over email.

Marc Rotenberg, the executive director of non-profit Electronic Privacy Information Center, told Reuters that the new feature was “troubling” and added: “There is a strong echo of the Google Buzz snafu”.

Buzz created an uproar because it tried to create a social network built out from the email contacts that people had. One woman who had separated from her abusive ex-husband said that it revealed the identity of her new boyfriend to him, potentially endangering her and him. Google’s executive chairman Eric Schmidt later said “nobody was harmed” by the moves.

Google says that Google+, set up in June 2011, has 540m “active” users, but has been vague about how it counts activity. Analysts have suggested that Google+ is not a social network aiming to compete with Facebook, but instead a system for collecting more information about people’s web use. The number of “active” users will have increased since Google made it obligatory in November 2013 to use Google+ to leave a comment on YouTube.

Google has recently faced criticism for over-tight integration of Google+ into products after one transgender user of an early version of its newest version of Android discovered that Google+ had been integrated into its chat system, and sent a message to somone under the woman’s name they were adopting rather than the man’s name the intended recipient was used to. The woman had not expected the system to search Google+ for a contact name – but it did.

Facebook also allows people to send messages through a name search, but does not reveal any information such as emails if the person replies.

Google says it will be rolling out the system over the next few weeks and will automatically email all Gmail users telling them of the changes. It is not possible to create a Gmail account without having a Google+ account.

full story: http://www.theguardian.com/technology/2014/jan/10/privacy-concerns-raised-as-google-makes-it-possible-to-send-email-via-name-search

With Great Computing Power Comes Great Surveillance

The dark side of Moore’s Law


If an algorithm somehow lands you on a no-fly list, it can be a nightmare to get off. (Reuters)

Nearly 50 years ago, Gordon Moore suggested that the number of transistors that could be placed on a silicon chip would continue to double at regular intervals for the foreseeable future. Known as Moore’s law, the truth of that observation has made computers cheap and ubiquitous. Cellphones are so inexpensive there are now more than six billion of themalmost one for every person on the planet.

Moore’s Law has also made mass automated surveillance dirt cheap. Government surveillance that used to cost millions of dollars can now be carried out for a fraction of that.

We have yet to fully grasp the implications of cheap surveillance. The only thing that is certain is that we will be seeing a great deal more surveillance—of ordinary citizens, potential terrorists, and heads of state—and that it will have major consequences.

In the past, surveillance was labor intensive. Twice as much surveillance required twice as many people and cost twice as much. But when surveillance became automated, its cost declined exponentially.

To understand the economics of surveillance, it is worth looking more closely at Moore’s Law.

In 1965 Gordon Moore observed that the number of transistors on a single chiphad doubled every year since the invention of the integrated circuit in 1958. Since that time, his Law has been modified. The increase in transistor count has slowed to around 40 percent per year. A number of similar predictions have been made about exponential rates of increase in network capacity, pixels, and magnetic storage. Many of those predictions have proven true.

These technologies are the building blocks for surveillance systems. If you combine a number of technologies that are improving at the rate of 40 percent a year in a system, you can end up with systems whose performance is increasing even faster. Consider computer systems.

Computers combine integrated circuit technology, semiconductor storage, magnetic storage, and network performance into a single system. As a result in the 1990s, while the transistor counts were increasing at a 40 percent rate,system processing power was growing at an 80 percent rate.

Something growing at the rate of 80 percent a year increases by a factor of more than 300 in ten years. If the capability of surveillance systems were to increase at this rate, in ten years a dollars’ worth of today’s surveillance could be bought for fractions of a penny. Applications that were not feasible at a dollar suddenly are practical. These types of advances made the NSA collection of metadata feasible.

And if the capability of surveillance systems continues to increase at this rate, technologies that, say, identify people’s faces when they enter a store or board a plane are suddenly practical.

To my mind, there are two broad classes of automated surveillance— participatory and involuntary, and the line that separates them is fuzzy. Participatory surveillance arrived with the widespread use of the Internet. During this period users were actively involved in exposing their information over the Internet when they provided personal information in the course of purchasing products, searching for information, or interacting on social networking sites.

People were voluntary participants in the surveillance process even if they did not fully understand its implications. When they granted companies the right to use their information, they got services of great value in return.

Consciously or not, users were monetizing their privacy. That is, they traded information about themselves and access in virtual space and got free services in exchange. Amazon captured customer information and in return provided better selection and service, like one click shopping.

Google, founded in 1998, provided valuable free search in return for serving up targeted ads to users. Facebook provided communities, timelines, and “walls” for people wanting to network. Facebook users—now numbering more than a billion—received these services free in return for allowing Facebook to use their information.

Involuntary surveillance on a large scale—driven by Moore’s Law—arrived shortly thereafter. Its primary instruments are cellphones, smartphones, GPS, and inexpensive cameras. When these devices are employed, there is no need for users to be actively involved in creating information about their activities. They get little or nothing in return for involuntarily providing valuable information about themselves. The NSA does not provide services of any kind to cell-phone users in return for their metadata.

Nobody knows how quickly the cost of mass surveillance is declining or at what rate it is growing. What we do know is that existing participatory and involuntary surveillance technologies are proliferating and new ones are being introduced and becoming more effective every day. As costs drop, new frontiers in surveillance open up. Low-cost facial recognition will let the government and retail establishments track us with our cellphones turned off and our loyalty cards left behind.

As the cost of automated surveillance continues to drop, there will be a rapid increase in surveillance applications. Disparate pieces of our personal puzzle will be brought together in monstrously large databases. Big data analysis tools will combine the bits and pieces to create a full picture of who we are, where we go, what we read and watch, what we do, and what we like. There will be files of facts about us such as our addresses, phone numbers, the calls we placed on our cellphones and where we were when we placed them, and the Internet sites we visited. But there will also be algorithmic predictions about our tastes, behavior, plans, opinions, thoughts, and health. Almost everything about us will be known or predicted. Those predictions may well become the self-fulfilling prophecies that determine our future.

While much of the world’s concern has been focused on NSA spying, I believe the greatest threat to my freedom will result from my being placed in a virtual algorithmic prison. Those algorithmic predictions could land me on no-fly lists or target me for government audits. They could be used to deny me loans and credit, screen my job applications and scan LinkedIn to determine my suitability for a job. They could be used by potential employers to get a picture of my health. They could predict whether I will commit a crime or am likely to use addictive substances, and determine my eligibility for automobile and life insurance. They could be used by retirement communities to determine if I will be a profitable resident, and employed by colleges as part of the admissions process.

Especially disturbing is the notion that once you become an algorithmic prisoner, it is very difficult to get pardoned. Ask anyone who has tried to get off a no-fly list or correct a mistake on a credit report.

Businesses are supporters of both participatory and involuntary surveillance. They want to use surveillance intelligence to market to customers, identify the most desirable ones, and employ location-based marketing. Involuntary surveillance is extremely appealing to government agencies that want to make our airports safe and protect us from crime and terror attacks. The average Internet user seems unconcerned about participatory surveillance. He is prepared to give up his privacy to get valuable service for free. As a result there is little or no organized resistance to automated mass surveillance.

My advice: Live your life with your eyes wide open, because Moore’s Law of Mass Surveillance is here to stay.

full story: http://www.theatlantic.com/technology/archive/2014/01/with-great-computing-power-comes-great-surveillance/282933/

Why hackers want your phone number

Lessons from the data breach at Snapchat

By Quentin Fottrell

Though most people wouldn’t give their phone number to a stranger on the street, they’re happy to share their digits with Google GOOG -0.73%  , FacebookFB -0.28%  , and other sites. But as millions of young Snapchat users just learned, phone numbers are valuable information to hackers.

On Wednesday, Snapchat became the first company to have its data hacked in 2014 when 4.6 million account usernames and partial phone numbers were posted online as a warning to those using the photo messaging service. “Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed,” the alleged hackers told tech site TheVerge.com . A spokeswoman for Snapchat declined to comment, but the company released a blog postsaying it’s added counter-measures “to combat spam and abuse.”

Consumers should be wary about sharing their mobile numbers, security experts say. “Phone numbers are unique identifiers that tend to last for a long time,” says Michael Fertik, CEO at Reputation.com, a site that helps consumers protect their privacy online. “You change your phone number much less often than your IP address and probably even your home address.” While Snapchat users have fake usernames, many people use the same I.D. across a range of social networks, says Graham Cluley, a U.K. security blogger and technology consultant. “Use a different user I.D. than the one you use publicly on Facebook and Twitter,” he says. What’s more, typing just a mobile number into Facebook will reveal the profiles of the owner if he or she added it to their account information.

Snapchat’s alleged data breach is also a misstep for a company founded on the principle of preserving your online anonymity. Launched in September 2011, social networkers can send “Snaps”—photos or videos—that last between 1 and 10 seconds, depending on the time limit set by the sender. The service—which reportedly spurned a $3 billion offer from Facebook last November—has over 100 million users and shares 400 million snaps daily. “It’s embarrassing for Snapchat,” Cluley says, but could be more embarrassing for its users. After all, photos can be saved by recipients who “screen-grab” them in time. “These photos and mobile numbers could potentially be used for cyber-bullying and blackmail,” he says, especially if they’re connected to a real name.

Hackers can also fake a caller I.D. by using your number to sidestep a security step, says Bo Holland, founder and CEO of AllClear ID, an identity protection firm. Even without a real name, however, consumers can be spammed with text messages—known as “smishing”—asking people to click on links that contain malware—a virus that can retrieve data stored there: photos, contact lists, emails and passwords. “Phone numbers are a building block for hackers,” says Adam Levin, co-founder of online security company Identity Theft 911. Some 37.3 million Internet users faced phishing attacks in 2013, an 87% rise over the last three years, according to a survey from online security company Kaspersky Lab. “Smartphones are not just communication devices,” Levin says. “They are data storage devices.”

So why do companies want your mobile number? “It’s is a necessary and useful part of e-commerce,” Fertik says, “but you should not give it without a specific reason.” For those waiting for a package or taking a flight, for example, it helps to receive a text message about delays. Plus, mobile numbers can be a useful two-factor authentication, says e-commerce consultant Bryan Eisenberg. Step 1: input your username and password to your email, social networking or bank account. Step 2: receive a text message to validate any changes. This can also be done with a secondary email address or Google Voice number that redirects calls and texts to your cell; for that reason, Eisenberg has given his mobile number to Google, but hasn’t given it to Facebook. He doesn’t have a Snapchat account.

full story: http://www.marketwatch.com/story/why-hackers-want-your-phone-number-2014-01-03


Hack-proof your life: A guide to Internet privacy in 2014

by Keith Wagstaff NBC News

hours ago

James Braund / Getty Images When it comes to the Internet, you can never be too careful.

When it comes to the Internet, you can never be too careful.

It’s no secret that 2013 wasn’t a great year for Internet privacy.

Former National Security Agency contractor Edward Snowden leaked thousands of classified documents that revealed the depths of the agency’s electronic surveillance program. Users had their information stolen en masse from private databases, including a security breach in November that reportedly resulted in 42 million unencrypted passwords being stolenfrom Australian-based Cupid Media, which was followed by a massive hack of Target credit and debit card information.

So, what’s a concerned netizen to do in 2014? Turns out there are plenty of ways to keep your data safe without breaking your Internet addiction.

Take two steps towards better security
Even if you aren’t worried about NSA agents reading your email, you should still be concerned about hackers taking a peek at your sensitive bank information or your “50 Shades of Grey” fan fiction.

That is why it’s a good idea to take advantage of two-step verification, something thatGoogleFacebookMicrosoftTwitter and other companies have been pushing more often lately as big password leaks have hit the news.

Basically, not only will the service ask you for your password, but it will provide you with a code via a text message or an authentication app that will verify your identity.

“People should take the extra step because it’s incredibly effective in making it hard for someone to break into your account,” Yan Zhu, technologist for the Electronic Frontier Foundation, an advocate for Internet privacy, told NBC News. “They not only need access to something you know — which is your password — but they need access to something you own, which is your phone or another secondary device.”

Check your URL
Every website you visit should have “https” before the URL in the browser, instead of just “http, to ensure Web traffic is encrypted for a more secure connection — especially in spaces with public Wi-Fi like airports and cafes. What do you do if that extra “s” is missing? You might want to install HTTPS Everywhere, a browser plug-in for Chrome, Firefox and Opera that rewrites requests to websites to keep you protected.

Change your terrible password
The top three passwords in a November security breach that reportedly affected 38 million Adobe customer accounts:

  • 123456
  • 123456789
  • password

Not exactly impenetrable. And password cracking software — much of it freely available — isonly getting more advanced. So how can you protect yourself?

“Use long passwords, at least eight characters, but the longer the better,” Maxim Weinstein, security advisor at Sophos, wrote to NBC News. “Avoid words (including names) and predictable patterns like adding a number to the end of a word. One trick is to choose a phrase or song lyric and use the first letter of each word (e.g., “Oh, say can you see, by the dawn’s early light” equals “oscysbtdel”), perhaps making some substitutions to make it more complex.”

Don’t use the same password for everything
You should also have a different password for every site, so that a hacker who gets your dating website password won’t all of a sudden have access to your Gmail account. Weinstein also recommended using a password manager like 1Password or LastPass to keep track of all of them, or, at the very least, creating three different passwords for your work email, personal email and websites that you visit.

DuckDuckGo DuckDuckGo CEO and founder Gabriel Weinberg.

Browse without being tracked

Normally, when you search for something on the Internet, the site can see what search term you used, not to mention your IP address, which can be used to identify you. Switching from your current search engine to one like DuckDuckGo is one step you can take to protect your identity.

“When you visit anything on the Internet, your computer is sending information about itself over the Net that can be used to tie things back to you. Most services store this information, which then can be used by these government programs and other things to identify you,” Gabriel Weinberg, the site’s founder and CEO, told NBC News. “DuckDuckGo, on the other hand, does not store any personally identifiable information, so we literally have nothing to tie your searches to you.”

When you are using Google, you can browse inIncognito mode. It doesn’t mask your searches or IP address, but it does have some added privacy benefits, like not recording your search history and deleting new cookies after you close your browser windows.

Consider the power of Tor
For the strictest level anonymity, you can download Tor, a software network that bounces Internet traffic around thousands of relays around the world to mask what sites you have visited and where you have visited them from. (Although, as the recent arrest of a Harvard student who allegedly used Tor while sending a fake bomb threat shows, it doesn’t guarantee you will be completely anonymous).

Encrypt your email
While free Webmail services like Gmail, Microsoft’s Outlook and Yahoo Mail have upped their encryption standards over recent years, you might still want the added protection of end-to-end encryption. It basically cuts out the middleman and sends email messages directly to the recipient, who can only read it if he or she has two encryption keys, one public and the other private.

“I really hope end-to-end encryption becomes more popular over the next year,” Zhu said. “One of the great things about it is that because it happens on the user’s computer, they have full control over it. They don’t have to trust a third party to keep their data safe.”

The downside? It’s not very easy to implement. Even Glenn Greenwald, the former Guardian reporter who broke the Edward Snowden story, had trouble with it. You’ll need to download encryption software called PGP (Pretty Good Privacy), or the open-source GPG (GnuPG), and start using an email client like Thunderbird. (The Press Freedom Foundationhas a good explainer on how to set everything up). It’s all not very attractive or user-friendly — something that Mailpile, which raised $163,192 this year on Indiegogo, is hoping to change by developing a more Gmail-esque interface.

Protect your chats and cloud storage
Email isn’t the only personal data you should be worried about. Plenty of services store chat logs, and while cloud-storage services usually have strong protections, your information could still be at risk from hackers or anyone who has your username and password.

Some good solutions: Programs like Cryptocat or Pidgin with the OTR plug-in, for encrypted chats, and Cloudfogger or BoxCryptor for storing sensitive documents on services like Google Drive or Dropbox.

Of course, the reason people pick passwords like 123456 is because it’s easier than the alternative. If you want complete privacy and security in 2014, you’re going to have to work for it.

Keith Wagstaff writes about technology for NBC News. He previously covered technology for TIME’s Techland and wrote about politics as a staff writer at TheWeek.com. You can follow him on Twitter at @kwagstaff and reach him by email at: Keith.Wagstaff@nbcuni.com

full story: http://www.nbcnews.com/technology/how-protect-your-internet-privacy-2014-2D11762947