<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/"
    xmlns:atom="http://www.w3.org/2005/Atom" xmlns:media="http://search.yahoo.com/mrss/" version="2.0">
    <channel>
        
        <title>
            <![CDATA[ privacy - freeCodeCamp.org ]]>
        </title>
        <description>
            <![CDATA[ Browse thousands of programming tutorials written by experts. Learn Web Development, Data Science, DevOps, Security, and get developer career advice. ]]>
        </description>
        <link>https://www.freecodecamp.org/news/</link>
        <image>
            <url>https://cdn.freecodecamp.org/universal/favicons/favicon.png</url>
            <title>
                <![CDATA[ privacy - freeCodeCamp.org ]]>
            </title>
            <link>https://www.freecodecamp.org/news/</link>
        </image>
        <generator>Eleventy</generator>
        <lastBuildDate>Sun, 07 Jun 2026 22:33:44 +0000</lastBuildDate>
        <atom:link href="https://www.freecodecamp.org/news/tag/privacy/rss.xml" rel="self" type="application/rss+xml" />
        <ttl>60</ttl>
        
            <item>
                <title>
                    <![CDATA[ How to Protect Your Privacy Online in 2026 ]]>
                </title>
                <description>
                    <![CDATA[ Online privacy has never been more talked about, yet it has never been more misunderstood. In 2026, most people believe they are “covered” because they use a VPN, browse in incognito mode, or occasion ]]>
                </description>
                <link>https://www.freecodecamp.org/news/how-to-protect-your-privacy-online-in-2026/</link>
                <guid isPermaLink="false">6a0c88ab88372774116b600b</guid>
                
                    <category>
                        <![CDATA[ privacy ]]>
                    </category>
                
                    <category>
                        <![CDATA[ Security ]]>
                    </category>
                
                    <category>
                        <![CDATA[ cybersecurity ]]>
                    </category>
                
                <dc:creator>
                    <![CDATA[ Manish Shivanandhan ]]>
                </dc:creator>
                <pubDate>Tue, 19 May 2026 15:58:35 +0000</pubDate>
                <media:content url="https://cdn.hashnode.com/uploads/covers/5fc16e412cae9c5b190b6cdd/99ba3119-3b43-45d9-bcef-e3024b92b1a0.png" medium="image" />
                <content:encoded>
                    <![CDATA[ <p>Online privacy has never been more talked about, yet it has never been more misunderstood.</p>
<p>In 2026, most people believe they are “covered” because they use a VPN, browse in incognito mode, or occasionally decline cookies. These actions create a sense of control, but they only address a small part of the problem.</p>
<p>The reality is more complex. Privacy today is not about a single tool or setting. It is about how data flows across systems, how identity is inferred, and how behavior is tracked even when you think you are anonymous.</p>
<blockquote>
<p>“<em>Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say.</em>”<br>Source: <a href="https://www.theguardian.com/us-news/video/2015/may/22/edward-snowden-rights-to-privacy-video">The Guardian</a></p>
</blockquote>
<p>If you want real protection, you need to understand what actually works and what only creates the illusion of safety.</p>
<h2 id="heading-table-of-contents">Table of Contents</h2>
<ul>
<li><p><a href="#heading-privacy-is-no-longer-about-hiding-your-ip">Privacy Is No Longer About Hiding Your IP</a></p>
</li>
<li><p><a href="#heading-the-illusion-of-incognito-mode">The Illusion of Incognito Mode</a></p>
</li>
<li><p><a href="#heading-the-rise-of-first-party-tracking">The Rise of First-Party Tracking</a></p>
</li>
<li><p><a href="#heading-encryption-still-matters-but-it-is-not-enough">Encryption Still Matters, But It Is Not Enough</a></p>
</li>
<li><p><a href="#heading-devices-are-the-new-weak-point">Devices Are the New Weak Point</a></p>
</li>
<li><p><a href="#heading-behavioral-data-is-the-real-commodity">Behavioral Data Is the Real Commodity</a></p>
</li>
<li><p><a href="#heading-where-vpns-actually-fit">Where VPNs Actually Fit</a></p>
</li>
<li><p><a href="#heading-identity-is-the-core-problem">Identity Is the Core Problem</a></p>
</li>
<li><p><a href="#heading-regulation-helps-but-it-has-limits">Regulation Helps, But It Has Limits</a></p>
</li>
<li><p><a href="#heading-what-actually-protects-you">What Actually Protects You</a></p>
</li>
<li><p><a href="#heading-the-trade-offs-are-real">The Trade-Offs Are Real</a></p>
</li>
<li><p><a href="#heading-the-future-of-privacy">The Future of Privacy</a></p>
</li>
<li><p><a href="#heading-closing-perspective">Closing Perspective</a></p>
</li>
</ul>
<h2 id="heading-privacy-is-no-longer-about-hiding-your-ip"><strong>Privacy Is No Longer About Hiding Your IP</strong></h2>
<p>A decade ago, privacy conversations centered on IP addresses. If you could mask your IP, you were considered relatively anonymous. That model is outdated.</p>
<p>Modern tracking systems rely on <a href="https://developer.mozilla.org/en-US/docs/Glossary/Fingerprinting">fingerprinting</a>. Your browser, device type, screen resolution, installed fonts, GPU behaviour, and even how you move your mouse can uniquely identify you. This means that even if your IP changes, your identity can still be reconstructed with high confidence.</p>
<p>Companies no longer need a single identifier. They build probabilistic profiles. These profiles combine dozens of weak signals into one strong identity.</p>
<p>This is why simply using a VPN does not guarantee privacy. It hides where you are connecting from, but it does not hide who you are behaving like.</p>
<h2 id="heading-the-illusion-of-incognito-mode"><strong>The Illusion of Incognito Mode</strong></h2>
<p>Incognito mode is one of the most misunderstood features in modern browsers. It does not make you anonymous. It simply prevents your local browser from saving history, cookies, and form data.</p>
<p>Your internet service provider can still see your activity. Websites can still track you. Third-party scripts can still build profiles. Incognito mode protects you from other users on the same device, not from the internet itself.</p>
<p>In 2026, relying on incognito mode for privacy is like closing your eyes and assuming no one can see you. It changes your local environment, not the external systems observing you.</p>
<h2 id="heading-the-rise-of-first-party-tracking"><strong>The Rise of First-Party Tracking</strong></h2>
<p>One major shift in recent years is the move from third-party tracking to first-party tracking. Browsers and regulators have restricted third-party cookies, but this has not reduced tracking. It has changed who does it.</p>
<p>Large platforms now collect data directly. When you log into services, your activity is tied to your account. This is more accurate than cookie-based tracking and harder to block.</p>
<p>Even when you are not logged in, platforms use techniques like <a href="https://digiday.com/marketing/wtf-link-decoration/">link decoration</a> and server-side tracking. These methods bypass traditional browser protections. As a result, blocking cookies is no longer enough.</p>
<p>Privacy today requires reducing how much data you generate, not just controlling how it is stored.</p>
<h2 id="heading-encryption-still-matters-but-it-is-not-enough"><strong>Encryption Still Matters, But It Is Not Enough</strong></h2>
<p>Encryption remains one of the most important tools in digital privacy. It ensures that data in transit cannot be easily intercepted.</p>
<p>HTTPS is now standard, and end-to-end encryption is widely used in messaging apps.</p>
<p>However, encryption protects content, not metadata.</p>
<p><a href="https://www.ibm.com/think/topics/metadata">Metadata</a> includes who you communicate with, when, how often, and from where. This data can reveal patterns that are often more valuable than the content itself.</p>
<p>For example, knowing that two people communicate regularly at specific times can be enough to infer relationships or activities.</p>
<p>In 2026, sophisticated surveillance systems rely heavily on metadata analysis. This means encryption is necessary, but it is not sufficient.</p>
<h2 id="heading-devices-are-the-new-weak-point"><strong>Devices Are the New Weak Point</strong></h2>
<p>Most privacy discussions focus on networks, but devices have become the primary attack surface. Smartphones, laptops, and even smart home devices continuously collect data.</p>
<p>Operating systems gather <a href="https://www.ibm.com/think/topics/telemetry">telemetry</a>. Apps request permissions that go far beyond their core function. Background processes transmit usage patterns, location data, and behavioral signals.</p>
<p>Even trusted platforms collect large amounts of data. This is often justified as necessary for improving services, but it creates detailed user profiles.</p>
<p>Real privacy requires controlling what your devices share. This includes limiting permissions, reducing app usage, and choosing systems that minimize data collection by design.</p>
<h2 id="heading-behavioral-data-is-the-real-commodity"><strong>Behavioral Data Is the Real Commodity</strong></h2>
<p>In 2026, raw personal data is less valuable than behavioral data. Companies are less interested in who you are and more interested in what you do.</p>
<p>Behavioral data includes browsing habits, purchase patterns, scrolling speed, typing rhythm, and engagement signals. This data feeds machine learning models and AI automation platforms that predict future actions.</p>
<p>These models power everything from targeted advertising to risk scoring. They are also used in fraud detection, hiring systems, and financial services.</p>
<p>As AI increasingly shapes online interactions, understanding how your data is analyzed can be valuable. It is also important to recognize whether content is generated or influenced by AI. AI detection platforms like <a href="https://gptzero.me/">ai checker</a> help users identify AI-generated content while supporting greater transparency in digital environments.</p>
<p>The challenge is that behavioral data is difficult to hide. It is generated passively through normal usage. Protecting privacy means reducing the amount of behavior that can be observed and linked over time.</p>
<h2 id="heading-where-vpns-actually-fit"><strong>Where VPNs Actually Fit</strong></h2>
<p>VPNs still have a role, but it is narrower than most people think. They are useful for securing connections on untrusted networks, such as public Wi-Fi. They can also help bypass geographic restrictions.</p>
<p>However, they do not make you anonymous. They shift trust from your internet provider to the VPN provider. If the provider logs data, your activity is still traceable.</p>
<p>This is where the market has evolved. Users are now looking beyond traditional VPNs such as NordVPN and exploring options that offer stronger privacy guarantees, such as decentralized networks or tools with strict no-logging architectures.</p>
<p>In this context, the idea of traditional VPN alternatives often comes up, not as a rejection of VPNs, but as a recognition that privacy requires a broader approach.</p>
<p>The key is understanding that a VPN is one layer, not a complete solution.</p>
<h2 id="heading-identity-is-the-core-problem"><strong>Identity Is the Core Problem</strong></h2>
<p>At the center of modern privacy is identity. Every system you interact with tries to answer one question: is this the same user as before?</p>
<p>If the answer is yes, your actions can be linked over time. This creates a persistent profile.</p>
<p>Breaking this link is difficult. Logging into accounts, using the same device, and maintaining consistent behavior all reinforce identity. Even small signals can reconnect fragmented data.</p>
<p>True privacy requires disrupting this continuity. This can involve using separate environments for different activities, avoiding unnecessary logins, and limiting cross-platform data sharing.</p>
<p>It is not about being invisible. It is about being harder to correlate.</p>
<h2 id="heading-regulation-helps-but-it-has-limits"><strong>Regulation Helps, But It Has Limits</strong></h2>
<p>Privacy regulations have expanded globally. Laws now require companies to disclose data practices, obtain consent, and provide user controls.</p>
<p>These changes have improved transparency, but they have not fundamentally changed data collection. Consent banners are often designed to nudge users toward acceptance. Privacy policies remain complex and difficult to interpret.</p>
<p>Enforcement is also uneven. Large companies adapt quickly, while smaller players may ignore rules altogether.</p>
<p>Regulation sets boundaries, but it does not eliminate incentives. As long as data drives revenue, companies will find ways to collect it within legal frameworks.</p>
<h2 id="heading-what-actually-protects-you">What Actually Protects You</h2>
<p>Real privacy in 2026 does not come from one app, browser setting, or security tool. Privacy works best as a layered system where several habits work together. Tools help, but behavior matters more. Strong privacy comes from sharing less data, separating identities, reducing tracking signals, and using the right tools carefully.</p>
<p>The first step is to minimize data sharing. Every account signup, app download, connected service, and permission request creates another source of information collection. Share only what is necessary. Use fewer apps and services when possible. Avoid unnecessary integrations between platforms. Review permissions such as location, contacts, microphone access, and background tracking. Less information leaving your control means less information available to collect, sell, or track.</p>
<p>The next step is separating digital identity. Avoid linking every activity to the same account or profile. Use different emails, accounts, or even devices for work, personal use, and anonymous activities. Keeping activities separate makes it harder for systems to build one complete profile about you.</p>
<p>You should also reduce behavioral signals. Modern tracking systems use cookies, tracking pixels, app behavior, and device fingerprinting to identify users. Review app permissions and limit tracking where possible. Fewer signals make profiling harder.</p>
<p>Privacy-focused tools add another layer. Use secure browsers, encrypted messaging apps, secure DNS, and VPNs when needed. Keep them updated and properly configured. Privacy is not about becoming invisible. It is about staying intentional and keeping control over your information.</p>
<h2 id="heading-the-trade-offs-are-real"><strong>The Trade-Offs Are Real</strong></h2>
<p>It is important to acknowledge that privacy comes with trade-offs. More privacy often means less convenience. Personalized services become less accurate. Seamless experiences may require more manual effort.</p>
<p>Most users are not willing to sacrifice convenience entirely. This is why complete privacy is rare. Instead, the goal should be proportional privacy.</p>
<p>Protect what matters most. Accept some level of exposure where the cost of protection is too high.</p>
<h2 id="heading-the-future-of-privacy"><strong>The Future of Privacy</strong></h2>
<p>Looking ahead, privacy will become more integrated into system design. Technologies like on-device processing, differential privacy, and zero-knowledge proofs are gaining traction.</p>
<p>These approaches aim to reduce data collection while still enabling useful services. Instead of sending raw data to servers, computations happen locally or in privacy-preserving ways.</p>
<p>However, adoption will take time. Economic incentives still favor data collection. Until that changes, users remain responsible for their own privacy posture.</p>
<h2 id="heading-closing-perspective"><strong>Closing Perspective</strong></h2>
<p>The biggest misconception about online privacy is that it can be solved with a single tool. In reality, it is a continuous process.</p>
<p>What protects you in 2026 is not just technology, but how you use it. It is the combination of reducing data exposure, understanding tracking mechanisms, and making deliberate choices about your digital behavior.</p>
<p>Privacy is no longer about disappearing. It is about controlling how visible you are, to whom, and under what conditions.</p>
 ]]>
                </content:encoded>
            </item>
        
            <item>
                <title>
                    <![CDATA[ How to Set Up Your Own Google Analytics Alternative Using Umami ]]>
                </title>
                <description>
                    <![CDATA[ Website analytics are crucial for understanding how visitors interact with your content. And while Google Analytics dominates the market, it often raises privacy concerns and can be complex for small projects. If you’re looking for a simpler, open-so... ]]>
                </description>
                <link>https://www.freecodecamp.org/news/how-to-set-up-your-own-google-analytics-alternative-using-umami/</link>
                <guid isPermaLink="false">6913c897ebd9f0fb2ba61c3a</guid>
                
                    <category>
                        <![CDATA[ analytics ]]>
                    </category>
                
                    <category>
                        <![CDATA[ privacy ]]>
                    </category>
                
                <dc:creator>
                    <![CDATA[ Manish Shivanandhan ]]>
                </dc:creator>
                <pubDate>Tue, 11 Nov 2025 23:36:55 +0000</pubDate>
                <media:content url="https://cdn.hashnode.com/res/hashnode/image/upload/v1762904171356/3c714de7-3aa3-4c4f-946f-23cecb747a2a.png" medium="image" />
                <content:encoded>
                    <![CDATA[ <p>Website analytics are crucial for understanding how visitors interact with your content. And while Google Analytics dominates the market, it often raises privacy concerns and can be complex for small projects.</p>
<p>If you’re looking for a simpler, open-source, and privacy-friendly solution, <a target="_blank" href="https://github.com/umami-software/umami">Umami</a> is a great alternative. It’s lightweight, easy to deploy, and doesn’t track personal data, making it compliant with modern privacy laws like GDPR.</p>
<p>In this article, you’ll learn what Umami is, why it’s an excellent Google Analytics alternative, and how to set it up on your own server from scratch using Sevalla.</p>
<h2 id="heading-what-well-cover">What We’ll Cover:</h2>
<ol>
<li><p><a class="post-section-overview" href="#heading-understanding-umami">Understanding Umami</a></p>
</li>
<li><p><a class="post-section-overview" href="#heading-why-choose-umami-over-google-analytics">Why Choose Umami Over Google Analytics</a></p>
</li>
<li><p><a class="post-section-overview" href="#heading-how-to-install-umami">How to Install Umami</a></p>
<ul>
<li><p><a class="post-section-overview" href="#heading-step-1-get-the-source-code">Step 1: Get the Source Code</a></p>
</li>
<li><p><a class="post-section-overview" href="#heading-step-2-configure-the-database">Step 2: Configure the Database</a></p>
</li>
<li><p><a class="post-section-overview" href="#heading-step-3-build-the-application">Step 3: Build the Application</a></p>
</li>
<li><p><a class="post-section-overview" href="#heading-step-4-start-the-server">Step 4: Start the Server</a></p>
</li>
<li><p><a class="post-section-overview" href="#heading-step-5-keeping-umami-updated">Step 5: Keeping Umami Updated</a></p>
</li>
<li><p><a class="post-section-overview" href="#heading-step-6-adding-tracking-to-your-website">Step 6: Adding Tracking to Your Website</a></p>
</li>
<li><p><a class="post-section-overview" href="#heading-step-7-exploring-the-dashboard">Step 7: Exploring the Dashboard</a></p>
</li>
</ul>
</li>
<li><p><a class="post-section-overview" href="#heading-hosting-umami-on-the-cloud-using-sevalla">Hosting Umami on the Cloud using Sevalla</a></p>
</li>
<li><p><a class="post-section-overview" href="#heading-privacy-and-compliance">Privacy and Compliance</a></p>
</li>
<li><p><a class="post-section-overview" href="#heading-conclusion">Conclusion</a></p>
</li>
</ol>
<h2 id="heading-understanding-umami">Understanding Umami</h2>
<p>Umami is an open-source web analytics platform designed to be fast, simple, and privacy-focused.</p>
<p>It collects essential website data like page views, referrals, and device information without storing personally identifiable details. Unlike Google Analytics, Umami doesn’t use cookies or share data with third parties.</p>
<p>The project is actively maintained by the open-source community and has grown into one of the most trusted tools for developers and businesses who want full control over their analytics. It provides a clean dashboard that shows all the key metrics in real time and works across any website or application.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1762526959534/6eb011e3-c2e4-4c22-afbe-278aa7c89847.png" alt="Umami Dashboard" class="image--center mx-auto" width="1000" height="480" loading="lazy"></p>
<p>You can find the project on GitHub at github.com/umami-software/umami and even try a <a target="_blank" href="https://cloud.umami.is/analytics/eu/share/LGazGOecbDtaIwDr">live demo here</a>.</p>
<h2 id="heading-why-choose-umami-over-google-analytics">Why Choose Umami Over Google Analytics</h2>
<p>Google Analytics is powerful but often overwhelming for simple websites. It’s also tied to Google’s data collection ecosystem, which can conflict with privacy-focused organizations.</p>
<p>Umami takes a different approach. It collects only the information you need to make decisions, such as traffic sources and popular pages, and it stores everything on your own infrastructure.</p>
<p>There are no third-party cookies, no user tracking, and no hidden integrations. You get complete ownership of your data and peace of mind knowing that it’s not leaving your server.</p>
<p>Plus, Umami is free under the MIT license, making it suitable for both personal projects and commercial deployments.</p>
<h2 id="heading-how-to-install-umami">How to Install Umami</h2>
<p>Before you begin, make sure you have a few basic tools and requirements ready.</p>
<p>You’ll need a server with Node.js version 18.18 or newer installed. Umami also requires a database to store analytics data. It supports PostgreSQL (version 12.14 or higher), MySQL (version 8.0 or higher), and MariaDB (version 10.5 or higher).</p>
<h3 id="heading-step-1-get-the-source-code">Step 1: Get the Source Code</h3>
<p>The first step is to download the Umami source code from GitHub. Open your terminal and run:</p>
<pre><code class="lang-bash">git clone https://github.com/umami-software/umami.git
</code></pre>
<pre><code class="lang-bash">cd umami
</code></pre>
<pre><code class="lang-bash">pnpm install
</code></pre>
<p>The pnpm install command installs all the necessary dependencies for the application. Make sure you have pnpm installed globally before running this command. You can install it by running <code>npm install -g pnpm</code>.</p>
<h3 id="heading-step-2-configure-the-database">Step 2: Configure the Database</h3>
<p>Next, you need to configure a database connection. Create a new <code>.env</code> file in the root directory of the Umami project. Inside this file, add the following line:</p>
<pre><code class="lang-bash">DATABASE_URL=connection-url
</code></pre>
<p>Replace <code>connection-url</code> with your actual database connection string. Here are two examples depending on your database type:</p>
<p>For PostgreSQL:</p>
<pre><code class="lang-bash">postgresql://username:password@localhost:5432/umami
</code></pre>
<p>For MySQL:</p>
<pre><code class="lang-bash">mysql://username:password@localhost:3306/umami
</code></pre>
<p>This connection string allows Umami to connect to your database and automatically create the necessary tables during the setup.</p>
<h3 id="heading-step-3-build-the-application">Step 3: Build the Application</h3>
<p>Once your configuration is complete, you can build the application by running:</p>
<pre><code class="lang-bash">pnpm run build
</code></pre>
<p>This step compiles the code and prepares it for production. It will also initialize your database with the required tables and create a default admin account.</p>
<p>You can log in with the username <code>admin</code> and password <code>umami</code> after setup. It’s a good idea to change this password immediately once you log in for the first time.</p>
<h3 id="heading-step-4-start-the-server">Step 4: Start the Server</h3>
<p>Now it’s time to start the application. Run the following command:</p>
<pre><code class="lang-bash">pnpm run start
</code></pre>
<p>By default, Umami will start on <a target="_blank" href="http://localhost:3000">http://localhost:3000</a>. You can open this address in your browser to access the analytics dashboard. If you want to make it accessible publicly, you’ll need to configure a reverse proxy using a web server like nginx.</p>
<h3 id="heading-step-5-keeping-umami-updated">Step 5: Keeping Umami Updated</h3>
<p>Like any software, Umami receives regular updates that include new features, security patches, and performance improvements. Keeping your installation up to date is simple.</p>
<p>If you installed from source, navigate to your Umami folder and run:</p>
<pre><code class="lang-bash">git pull
</code></pre>
<pre><code class="lang-bash">pnpm install
</code></pre>
<pre><code class="lang-bash">pnpm run build
</code></pre>
<p>These commands update the source code, install new dependencies, and rebuild the app. If you are using Docker, you can update by pulling the latest images and restarting the containers:</p>
<pre><code class="lang-bash">docker compose pull
</code></pre>
<pre><code class="lang-bash">docker compose up --force-recreate -d
</code></pre>
<p>Regularly updating ensures you have access to the latest analytics features and bug fixes.</p>
<h3 id="heading-step-6-adding-tracking-to-your-website">Step 6: Adding Tracking to Your Website</h3>
<p>After you log in to the dashboard, you’ll see an option to add a new website. Once you create it, Umami will generate a small tracking script.</p>
<p>Copy the script tag and paste it into the <code>&lt;head&gt;</code> section of your website’s HTML pages.</p>
<p>This script is lightweight and won’t slow down your website. Once added, you’ll start seeing traffic data in your dashboard almost instantly.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1762526987669/f1bb73cd-2e04-43e5-95a9-105f16e80f0c.png" alt="Umami Traffic sources" class="image--center mx-auto" width="1000" height="453" loading="lazy"></p>
<p>You can track multiple websites from the same Umami installation, making it ideal for developers managing several projects.</p>
<h3 id="heading-step-7-exploring-the-dashboard">Step 7: Exploring the Dashboard</h3>
<p>The Umami dashboard is clean, modern, and easy to understand. It shows metrics such as page views, referrers, operating systems, and devices. You can filter by date, view live visitors, and export data for reporting.</p>
<p>There are no complicated configuration options or hidden features – just the information you need to make informed decisions about your website traffic. Everything runs fast, even on modest servers.</p>
<h2 id="heading-hosting-umami-on-the-cloud-using-sevalla">Hosting Umami on the Cloud using Sevalla</h2>
<p>When you are ready to move beyond testing, Umami gives you two options. You can self-host it using your own infrastructure or use their managed cloud version at <a target="_blank" href="https://umami.is/">Umami.is</a>.</p>
<p>Self-hosting gives you full control and is usually preferred by technical teams who want to keep sensitive data in-house.</p>
<p>You can choose any cloud provider, such as AWS, DigitalOcean, or others, to set up Umami. In this article I will be using Sevalla.</p>
<p><a target="_blank" href="https://sevalla.com/">Sevalla</a> is a PaaS provider designed for developers and dev teams shipping features and updates constantly in the most efficient way. It offers application hosting, database, object storage, and static site hosting for your projects.</p>
<p>I am using Sevalla for two reasons:</p>
<ul>
<li><p>Every platform will charge you for creating a cloud resource. Sevalla comes with a $50 credit for us to use, so we won’t incur any costs for this example.</p>
</li>
<li><p>Sevalla has a <a target="_blank" href="https://docs.sevalla.com/templates/overview">template for Umami</a>, which removes the manual installation and setup of each resource you will need.</p>
</li>
</ul>
<p><a target="_blank" href="https://app.sevalla.com/login">Log in</a> to Sevalla and click on Templates. You can see Umami as one of the templates.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1762527152703/5fdd384a-bbc0-474a-a977-501ffbcaa906.png" alt="Sevalla Templates" class="image--center mx-auto" width="1000" height="316" loading="lazy"></p>
<p>Click on the “Umami” template. You will see the resources needed to provision the application, such as PostgreSQL and Redis. Click on “Deploy Template”.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1762527179056/93d52be1-813f-41fa-9790-120639602275.png" alt="Sevalla Deployments" class="image--center mx-auto" width="1000" height="421" loading="lazy"></p>
<p>You can see the resources being provisioned. Once they are provisioned, go to your Umami application and click on “Visit app”.</p>
<p>You will get a cloud URL with a login page. Use the default login credentials: <code>admin</code> for the username and <code>umami</code> for the password. You will see the empty dashboard.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1762527213359/63015ae9-8716-4819-80c5-4352a163b87f.png" alt="Umami Dashboard" class="image--center mx-auto" width="1000" height="464" loading="lazy"></p>
<p>You now have a production-grade Umami server running on the cloud. You can use this to set up analytics for your website by clicking on “Settings” and then “Add website”.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1762527254085/e6b53462-8361-47f1-afe0-dc4c23a1734e.png" alt="Umami Website Setup" class="image--center mx-auto" width="1000" height="432" loading="lazy"></p>
<p>You can then click “Edit” to get the tracking code for your website.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1762527330314/e03b25a5-9558-4937-a6dc-5d0fb50a83e3.png" alt="Umami Website Configuration" class="image--center mx-auto" width="1000" height="446" loading="lazy"></p>
<p>Once you add the tracking code for your website, you can start monitoring your traffic and other analytics in your new dashboard.</p>
<h2 id="heading-privacy-and-compliance">Privacy and Compliance</h2>
<p>One of the best reasons to use Umami is its approach to privacy. It sets no cookies, builds no profile of individual users, and sends no data to any third-party service. Unique visitors are counted from a hash of the visitor’s IP address and user agent computed with a salt that rotates daily, so there is no persistent identifier that could follow a person from one day to the next.</p>
<p>All information stays on your server. This makes Umami a good fit for websites that need to comply with privacy laws like GDPR, CCPA, or PECR. Self-hosting does not make you compliant on its own, though: you are still the controller of whatever you collect, so restrict access to the database, serve the dashboard over HTTPS, and write down the retention period you choose.</p>
<p>Since you own the data, you decide how long to keep it, how to analyze it, and who has access.</p>
<h2 id="heading-conclusion">Conclusion</h2>
<p>Setting up your own analytics system might sound complex, but with Umami, it’s surprisingly easy. It gives you everything you need to understand your website traffic without compromising user privacy. You control the data, the infrastructure, and the configuration.</p>
<p>By following these steps, you can deploy Umami on your own server in less than an hour and start monitoring your website visitors right away. Whether you run a personal blog, a SaaS platform, or a client project, Umami offers a transparent, fast, and privacy-friendly alternative to Google Analytics.</p>
<p><em>Hope you enjoyed this article. Find me on</em> <a target="_blank" href="https://linkedin.com/in/manishmshiva"><em>Linkedin</em></a> <em>or</em> <a target="_blank" href="https://manishshivanandhan.com/"><strong><em>visit my website</em></strong></a></p>
 ]]>
                </content:encoded>
            </item>
        
            <item>
                <title>
                    <![CDATA[ How to Improve Your Phone’s Privacy ]]>
                </title>
                <description>
                    <![CDATA[ We use our phones for everything  –  texting, banking, browsing, tracking our health, even unlocking our homes. But with all that convenience comes a lot of risk. Apps are hungry for your data. Hackers are always looking for cracks in your security. ... ]]>
                </description>
                <link>https://www.freecodecamp.org/news/how-to-improve-your-phones-privacy/</link>
                <guid isPermaLink="false">684c50b9c6ec6bf605276b54</guid>
                
                    <category>
                        <![CDATA[ Security ]]>
                    </category>
                
                    <category>
                        <![CDATA[ privacy ]]>
                    </category>
                
                    <category>
                        <![CDATA[ mobile ]]>
                    </category>
                
                <dc:creator>
                    <![CDATA[ Manish Shivanandhan ]]>
                </dc:creator>
                <pubDate>Fri, 13 Jun 2025 16:24:25 +0000</pubDate>
                <media:content url="https://cdn.hashnode.com/res/hashnode/image/upload/v1749831817564/98cdcb42-6e7f-49c3-9a7c-49e8db78fc3f.png" medium="image" />
                <content:encoded>
                    <![CDATA[ <p>We use our phones for everything  –  texting, banking, browsing, tracking our health, even unlocking our homes. But with all that convenience comes a lot of risk.</p>
<p>Apps are hungry for your data. Hackers are always looking for cracks in your security. And sometimes, we accidentally give away more than we realize.</p>
<p>The good news is you don’t need to be an expert to tighten things up. </p>
<p>Here are seven simple changes that can seriously improve your phone’s privacy. Each one takes just a few minutes, and together, they make your phone much harder to track, hack, or snoop on.</p>
<h2 id="heading-control-what-tracks-your-location"><strong>Control What Tracks Your Location</strong></h2>
<p>Let’s start with location tracking. </p>
<p>Most people don’t realize how many apps can access their exact whereabouts. Even seemingly harmless apps like weather or games may collect this info in the background. </p>
<p>Some use it to target ads, others sell it to data brokers, and a few could open doors to more serious threats, like someone building a full profile of your movements.</p>
<p>To reduce the risk, go into your phone’s settings and <a target="_blank" href="https://www.avg.com/en/signal/prevent-your-phone-being-tracked">check which apps can access your location</a>. Both iPhone and Android let you limit access to “While Using” the app, instead of “Always.” This way, apps can’t track you silently in the background. </p>
<p>Also, turn off “Precise Location” for apps that don’t need it. Your phone will still know your city, but it won’t pinpoint your exact house. This one tweak keeps dozens of apps from silently tracking your every move.</p>
<h2 id="heading-make-your-passcode-stronger"><strong>Make Your Passcode Stronger</strong></h2>
<p>Next up is your passcode. It’s your phone’s first line of defense, but far too many people still use weak ones  –  like birthdays, 123456, or just swiping a simple pattern. </p>
<p>If someone grabs your phone, a weak passcode makes it much easier for them to get in, especially if they’ve watched you unlock it a few times.</p>
<p>Switch to at least a six-digit PIN or, even better, an alphanumeric passcode with letters and numbers. Yes, it takes a second longer to type, but it’s far harder to guess. </p>
<p>If your phone supports it, prefer a biometric that uses depth sensing or a dedicated fingerprint sensor over a camera-only face unlock. Camera-only (2D) face unlock on some Android phones can be fooled by a photo or a look-alike; Apple’s Face ID and Android’s “Class 3” biometrics use depth data and are much harder to spoof. Either way, a biometric is a convenience layer on top of your passcode, not a replacement for it: the passcode still unlocks the phone after a restart or after a few failed biometric attempts, so it has to be strong.</p>
<p>You should also consider enabling a setting that erases your data after multiple failed login attempts. This way, if your phone falls into the wrong hands, it won’t just be sitting there, waiting to be cracked.</p>
<h2 id="heading-cut-back-unnecessary-app-permissions"><strong>Cut Back Unnecessary App Permissions</strong></h2>
<p>Many apps ask for permissions they don’t really need. </p>
<p>A flashlight app that wants access to your contacts? A calendar app asking for microphone access? These are red flags. </p>
<p>The more permissions you grant, the more ways your data can leak  –  sometimes to advertisers, other times to third parties you’ve never heard of.</p>
<p>Go through your app permissions and turn off access that doesn’t make sense. Does that casual game really need your location? Does a recipe app need to see your photos? Probably not. This isn’t just about avoiding creepy behavior  –  it’s about reducing the number of ways bad actors can exploit your phone if something goes wrong.</p>
<p>Some malicious apps have been caught using these permissions to record audio, access files, or even track your activity across other apps. A regular permissions check-up can help stop that from happening.</p>
<h2 id="heading-switch-to-esim-for-better-security"><strong>Switch to eSIM for Better Security</strong></h2>
<p>One of the more overlooked privacy upgrades is switching to an <a target="_blank" href="https://saily.com/what-is-esim/">eSIM</a>. That is a SIM profile stored in a secure chip inside the phone rather than on a removable card, and it offers real advantages over a physical SIM. One of them is security.</p>
<p>A physical SIM can be pulled out of a stolen phone and put into another one, where it receives your calls and SMS codes with no lock screen in the way. A separate threat is SIM swapping: attackers convince your carrier to move your number to a SIM they control, giving them your calls, texts, and any two-factor authentication codes sent by SMS. </p>
<p>An eSIM closes the first gap: there is no card to remove, and transferring the profile goes through your carrier’s authentication. It does not stop a SIM swap, which is a social-engineering attack on the carrier and works against an eSIM just as well. For that, ask your carrier for a port-out PIN or “number lock”, set a SIM PIN if you keep a physical card, and move two-factor authentication off SMS to an authenticator app or security key wherever a service allows it.</p>
<p>If your phone supports eSIM – and most modern iPhones, Pixels, and Galaxy devices do –  you can switch by contacting your mobile carrier or using their app. </p>
<p>Once your eSIM is set up, consider removing the physical SIM entirely. It’s one less way someone can try to hijack your phone number.</p>
<h2 id="heading-dont-leave-bluetooth-and-wifi-open"><strong>Don’t Leave Bluetooth and Wi‑Fi Open</strong></h2>
<p>You might not think twice about leaving Bluetooth or Wi-Fi turned on, but doing so can leave your phone exposed. </p>
<p>Even when you’re not connected, your phone keeps probing for networks it knows and advertising itself to nearby Bluetooth devices. Those probe requests and advertisements can give away your location, let trackers follow your device, or give an attacker a way to reach unpatched vulnerabilities.</p>
<p>For instance, there have been real-world attacks like <a target="_blank" href="https://en.wikipedia.org/wiki/BlueBorne_%28security_vulnerability%29">BlueBorne</a>, which let an attacker take over unpatched phones just by being within Bluetooth range, with no pairing and no user interaction required. </p>
<p>Another risk is Wi-Fi spoofing, also called an “evil twin”: someone sets up a fake network with the same name as a public one so your phone connects to it, which puts them in the middle of your traffic.</p>
<p>To protect yourself, get into the habit of turning off Wi-Fi and Bluetooth when you’re not using them. You’ll save battery, too. </p>
<p>If you’re connecting to public networks, avoid auto-connect settings and tell your phone to “forget” the network afterward. This keeps it from reconnecting without your knowledge later.</p>
<h2 id="heading-use-encrypted-messaging-apps"><strong>Use Encrypted Messaging Apps</strong></h2>
<p>Plain text messages (SMS) are easy to intercept. They are not encrypted between you and the recipient: your carrier can read them, and so can anyone who hijacks your number or taps the carrier network. That’s why encrypted messaging apps matter.</p>
<p><a target="_blank" href="https://signal.org/#signal">Signal</a> is one of the best options out there. It uses end-to-end encryption, which means only you and the person you’re chatting with can read your messages. Not even the app company can see them. It’s also open-source, which means experts can inspect the code for flaws.</p>
<p>WhatsApp uses the same Signal protocol to encrypt message content, but it is owned by Meta (formerly Facebook), which collects metadata such as who you message and when, and which has a spottier track record on data privacy. </p>
<p>If you’re serious about protecting private conversations  –  especially with family, coworkers, or anyone handling sensitive info  – make the switch to an encrypted app.</p>
<h2 id="heading-keep-your-software-updated"><strong>Keep Your Software Updated</strong></h2>
<p>The last one is simple, but often ignored: keep your phone and apps updated. Most updates carry security patches for bugs that are, by then, publicly known. </p>
<p>Attackers and malware target devices running old software precisely because those bugs are documented and exploit code often exists. If your phone isn’t set to update automatically, change that now. </p>
<p>Check your app updates regularly too. Updates fix bugs in the apps themselves, and an updated app may ask for new permissions, so review those when they appear rather than approving them on reflex.</p>
<p>Phones with outdated operating systems are more vulnerable to spyware, data theft, and unauthorized access. So even if you’re not excited about the new features, updates are your silent protectors behind the scenes.</p>
<h2 id="heading-conclusion"><strong>Conclusion</strong></h2>
<p>None of these steps will make you invisible –  but they will make your phone a lot harder to compromise. That’s the goal. Privacy isn’t about locking everything down forever. It’s about knowing what you’re sharing, and taking steps to control it.</p>
<p>Hope you enjoyed this article. You can <a target="_blank" href="https://manishshivanandhan.com/">learn more about me</a> or <a target="_blank" href="https://www.linkedin.com/in/manishmshiva/">connect with me on LinkedIn</a>.</p>
 ]]>
                </content:encoded>
            </item>
        
            <item>
                <title>
                    <![CDATA[ How to Improve Your Digital Security and Privacy – Best Practices for Developers ]]>
                </title>
                <description>
                    <![CDATA[ These days, there are many different types of attacks that can jeopardize your digital security and privacy. So it’s a good idea to stay up-to-date with best practices to keep you safe online.  But it can be hard to understand exactly how to do this.... ]]>
                </description>
                <link>https://www.freecodecamp.org/news/how-to-improve-your-digital-security-and-privacy/</link>
                <guid isPermaLink="false">66bae74e18927a8cd306c839</guid>
                
                    <category>
                        <![CDATA[ best practices ]]>
                    </category>
                
                    <category>
                        <![CDATA[ privacy ]]>
                    </category>
                
                    <category>
                        <![CDATA[ Security ]]>
                    </category>
                
                <dc:creator>
                    <![CDATA[ Loki Privacy ]]>
                </dc:creator>
                <pubDate>Tue, 18 Jun 2024 12:05:09 +0000</pubDate>
                <media:content url="https://www.freecodecamp.org/news/content/images/2024/07/pexels-wdnet-101808.jpg" medium="image" />
                <content:encoded>
                    <![CDATA[ <p>These days, there are many different types of attacks that can jeopardize your digital security and privacy. So it’s a good idea to stay up-to-date with best practices to keep you safe online. </p>
<p>But it can be hard to understand exactly how to do this. So I built this tutorial and this <a target="_blank" href="https://loki2100.limesurvey.net/948232?lang=en">personal security/privacy assessment</a>, based on what I've learned building <a target="_blank" href="https://lokiprivacy.com/">Loki Privacy</a>. These resources sum up thousands of hours of practice and research into five impactful (and largely free) steps. </p>
<p>By following these guidelines, you can really increase your digital security and privacy, and perhaps help mitigate a devastating hack of your personal finances or data. </p>
<h2 id="heading-heres-what-well-cover">Here's What We'll Cover:</h2>
<ol>
<li><a class="post-section-overview" href="#heading-1-use-credentials-wisely">Use Credentials Wisely</a></li>
<li><a class="post-section-overview" href="#heading-2-choose-your-browser-wisely">Choose Your Browser Wisely</a></li>
<li><a class="post-section-overview" href="#heading-3-understand-encryption-and-what-it-means">Understand Encryption and What it Means</a></li>
<li><a class="post-section-overview" href="#heading-4-how-you-spend-your-money-digitally-leaves-a-trace">How You Spend Your Money Digitally Leaves a Trace</a></li>
<li><a class="post-section-overview" href="#heading-5-the-devices-you-use-do-matter-for-privacy-and-security">The Devices You Use Do Matter for Privacy and Security</a></li>
</ol>
<h2 id="heading-1-use-credentials-wisely">1: Use Credentials Wisely</h2>
<p>The first step is to properly manage your passwords, and add a layer of security with two-factor authentication.</p>
<p>Nowadays, digital passwords control an immense amount of power and personal information. You might access your bank and/or life savings with them, or critical and personal medical information about yourself. With great power as an Internet user comes great responsibility – and this is true of using modern passwords.</p>
<h3 id="heading-use-a-password-manager">Use a Password Manager</h3>
<p>A password manager is the best system for managing your credentials. It encrypts your vault to prevent undesired access, and it gives your passwords two critical properties. </p>
<ul>
<li>First, it generates a unique random password for each site and fills it in for you. This avoids the cardinal sin of personal security on the web: reusing one password across services. If one service is breached and you reused its password elsewhere, attackers will try that login across the web (credential stuffing), turning one breach into many. </li>
<li>Second, it lets you use far longer and more complex passwords than you could ever memorize.</li>
</ul>
<p>Good options are 1Password and Bitwarden. Bitwarden’s clients and server are open source, and you can self-host a compatible server on your own machine, for example on StartOS <a target="_blank" href="https://github.com/Start9Labs/vaultwarden-startos">with Vaultwarden</a>, an unofficial Bitwarden-compatible server written in Rust.</p>
<h3 id="heading-use-a-strong-password">Use a Strong Password</h3>
<p>The number and type of characters in your password determine how long a brute-force attack takes, that is, a machine trying character combinations until one matches. Strength depends heavily on length. <a target="_blank" href="https://bitwarden.com/blog/how-long-should-my-password-be/">With 14-16 characters</a> or more drawn from the full character set, a brute-force search is out of reach even for a GPU rig; with 6 or fewer characters it can be cracked in seconds. The other decisive factor is outside your control: whether the site stored your password with a slow, salted hash or a fast unsalted one, which is covered under cleartext vs hashed text below. </p>
<p>Adding special characters, mixing upper and lower case, and including digits enlarges the alphabet the attacker has to search. Length matters more, though: each extra character multiplies the search space, while a bigger alphabet only raises the base. </p>
<h4 id="heading-examples-of-strong-passwords">Examples of strong passwords:</h4>
<ul>
<li>32-character strings of random characters, ideally including numbers and special characters</li>
<li>Several random words strung together (a passphrase) with some numbers or special characters, if you need something you can type by hand</li>
</ul>
<h4 id="heading-examples-of-weak-passwords">Examples of weak passwords:</h4>
<ul>
<li>Commonly used and reused word + number combos, like hello12</li>
<li>Short strings like 342yf: the shorter the string, even if it looks random, the easier it is to brute force</li>
<li>Passwords you use across multiple services no matter their strength (if one of the passwords gets leaked, that will be attempted with all of your services). </li>
</ul>
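<p>To make “depends on length” concrete, here is a small cost model, added as an example and not taken from the original article. The guess rates are assumptions for illustration, chosen to contrast an offline attack on unsalted fast hashes, an offline attack on a slow password hash, and an online attack against a rate-limited login form. The entropy figures assume random choice and so are upper bounds for passwords a human picked.</p>

```python
import math

# Added example (not from the original article): a rough brute-force cost
# model. It shows why length dominates character variety and why the
# attacker's guess rate, which depends on how the site hashed the password,
# matters as much as the password itself. All three rates are assumptions.

FAST_HASH_GPU = 1e11      # guesses/s against unsalted MD5/SHA-1 on a GPU rig (assumed)
SLOW_KDF = 1e4            # guesses/s against bcrypt/Argon2 with a high work factor (assumed)
ONLINE_RATE_LIMITED = 10  # guesses/s against a rate-limited live login form (assumed)

SECONDS_PER_YEAR = 365.25 * 24 * 3600
DICEWARE_WORDS = 7776     # size of the standard diceware word list


def charset_size(password: str) -> int:
    """Size of the smallest obvious alphabet that covers the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation and space
    return size


def entropy_bits(password: str) -> float:
    """Bits of entropy if the password were drawn uniformly from its alphabet.
    This is an upper bound: 'hello12' is in every wordlist and falls far faster."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def passphrase_entropy_bits(words: int, list_size: int = DICEWARE_WORDS) -> float:
    """Entropy of `words` words chosen at random from a list of `list_size`."""
    return words * math.log2(list_size)


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the password: on average half the space is searched."""
    return (2 ** bits / 2) / guesses_per_second / SECONDS_PER_YEAR


def report(label: str, bits: float) -> str:
    """One table row: entropy and expected crack time under each attacker model."""
    return "%-24s %6.1f bits  GPU: %.2e y  slow KDF: %.2e y  online: %.2e y" % (
        label, bits,
        years_to_crack(bits, FAST_HASH_GPU),
        years_to_crack(bits, SLOW_KDF),
        years_to_crack(bits, ONLINE_RATE_LIMITED))


if __name__ == "__main__":
    print(report("hello12", entropy_bits("hello12")))
    print(report("342yf", entropy_bits("342yf")))
    print(report("14 lowercase letters", 14 * math.log2(26)))
    print(report("14 chars, full charset", 14 * math.log2(95)))
    print(report("32 random chars", entropy_bits("x7#Qm2!vL9@pZ4&wR1$tK8^nB3*yH6(d")))
    print(report("6 diceware words", passphrase_entropy_bits(6)))
```

<p>Two things fall out of the table it prints. Fourteen characters over the full printable alphabet are out of reach for any attacker, but fourteen lowercase letters against a fast unsalted hash is about a decade of GPU time, not centuries, so length without variety is not the whole story. And a weak password like hello12 falls within weeks even against a slow KDF, which is why the site’s hashing choice protects good passwords but cannot rescue bad ones.</p>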
<h3 id="heading-setup-two-factor-authentication">Setup Two-Factor Authentication</h3>
<p>You should also add two-factor authentication (2FA) to your accounts, ideally the strongest kind each service offers. That way, even if one of your passwords gets cracked, it won’t be enough on its own, because the attacker won’t have the second factor. </p>
<p>Turn on notifications for failed and new logins. If you see one you didn’t make, treat that password as burned and change it everywhere you used it. </p>
<p>The common forms of 2FA are one-time codes (HOTP and TOTP) and hardware security keys. </p>
<p>HOTP and TOTP are the two one-time-password schemes used by authenticator apps such as Aegis, Raivo, or Google Authenticator. You have seen TOTP in action if you copy a six-digit code that changes every 30 seconds into a login form. Both compute an HMAC over a shared secret and a counter (RFC 4226) and truncate the result to a short decimal code. </p>
<p>They differ only in where the counter comes from. HOTP increments it once per use, so a code stays valid until it is consumed, which leaves an attacker a longer window in which to use a captured code. TOTP (RFC 6238) derives the counter from the clock, so a code expires after one 30-second step; servers usually accept one step of drift either side, and must refuse a code that was already accepted. </p>
<p>Both kinds of code are phishable: a fake login page can relay a live code to the real site within the window. Hardware security keys using FIDO2/WebAuthn bind the response to the site’s origin, so a phishing site cannot reuse it, which makes them the strongest option where a service supports them. </p>
<p><strong>Takeaway</strong>: Probably the best things you can do for your digital security right now are: </p>
<ul>
<li>Have a password manager system that allows you to avoid password reuse</li>
<li>Have two-factor authentication either through an app (such as Aegis or Raivo) or, if you’re willing to invest, a hardware security key such as a YubiKey, using FIDO2/WebAuthn where the service supports it. </li>
</ul>
<h2 id="heading-2-choose-your-browser-wisely">2: Choose Your Browser Wisely</h2>
<p>Next, you'll want to think about the browser you’re using and what data you're revealing about yourself.</p>
<h3 id="heading-use-a-security-focused-browser">Use a Security-focused Browser</h3>
<p>The browser you use to access the Internet stores data about you and, through cookies and fingerprinting, lets sites and ad networks learn who you are and what your interests are. Your choice of browser and the extensions you load determine how much ad tracking gets through, and how many third-party cookies get set. </p>
<p>A default installation of Firefox, Chrome, or Safari ships with some tracking protection but still lets plenty through. Extensions such as Privacy Badger and uBlock Origin block trackers and ads. HTTPS Everywhere, long the standard way to force encrypted connections, was retired by the EFF in January 2023 because every major browser now has a built-in HTTPS-only (or HTTPS-first) mode; turn that on instead. </p>
<p>Together these block tracking scripts and ads, and HTTPS-only mode ensures your traffic to each site is encrypted in transit, an important consideration when we get to point 3. </p>
<h3 id="heading-consider-using-a-vpn">Consider using a VPN</h3>
<p>Also consider what the network sees. Without a VPN or Tor, every site you visit sees your public IP address, and your Internet provider sees every host you connect to. </p>
<p>An IP address changes over time but still reveals roughly where you are. IPInfo, for example, shows how an IP address maps <a target="_blank" href="https://ipinfo.io/ip-address-information">to a location</a>, usually at city level with an approximate latitude and longitude, along with the company providing your Internet and perhaps the organization that owns the address block. </p>
<p>Your MAC address is a different matter. It identifies your network hardware, but it is only visible on the local network you are attached to, such as your home router or the Wi-Fi at your local coffee shop, never to the websites you visit, and current iPhones and Android phones randomize it per network by default. A VPN or Tor replaces the IP address that sites see with one belonging to the VPN server or a Tor exit node. A VPN only moves the trust, though: the provider can see every site you visit, so pick one with an independently audited no-logs policy such as Mullvad VPN. </p>
<p><strong>Takeaway</strong>: If you’re concerned about digital privacy and security, use a privacy-focused browser variant on desktop and mobile, for example LibreWolf on desktop and the DuckDuckGo browser on mobile. </p>
<p>Your default search engine should not be Google. It should be DuckDuckGo or a more privacy-focused variant (though note that DuckDuckGo still serves ads through Microsoft’s ad exchange). </p>
<p>You should also understand what your IP address reveals and who can actually see your MAC address. Evaluate whether Tor or a VPN makes sense for you, and choose the VPN carefully. </p>
<h2 id="heading-3-understand-encryption-and-what-it-means">3: Understand Encryption and What it Means</h2>
<p>The term "Encryption" is often bandied about. But you might be wondering how it really matters to you. </p>
<p>Well, when it comes to digital privacy and security, understanding the difference between https:// and http://, cleartext vs. hashed text, and end-to-end encryption matters a lot.</p>
<h3 id="heading-http-vs-https">HTTP vs HTTPS</h3>
<p>Let's start with https:// over http://. Why does it matter what type of site you're browsing? </p>
<p>HTTP powers the web. When you browse, your device makes a series of HTTP requests to the servers you direct it to. With plain http:// traffic, anyone on the path, such as your ISP, the Wi-Fi operator, or another device on the same network, <a target="_blank" href="https://www.cloudflare.com/learning/ssl/why-is-http-not-secure/">can read the text within</a> and can alter it. If you sent passwords, credit card numbers, or other sensitive data over it, intercepting them would be trivial. </p>
<p>HTTPS runs HTTP over <a target="_blank" href="https://www.freecodecamp.org/news/what-is-tls-transport-layer-security-encryption-explained-in-plain-english/">TLS</a>, which encrypts the traffic, detects tampering, and authenticates the server with a certificate, so you know you are talking to the site named in the URL and not an impostor on the path. Browse with your browser’s HTTPS-only mode enabled (the job the HTTPS Everywhere extension used to do) and you are far less likely to leak data to anyone on the network. </p>
<h3 id="heading-cleartext-vs-hashed-text">Cleartext vs Hashed Text</h3>
<p>You’ll often hear about cleartext vs hashed text when a password breach is explained. Cleartext (or plaintext) means the attacker has your password itself. Hashed means the site stored a one-way transform of it: a string of symbols that is not your password and cannot be reversed directly, but that an attacker can test guesses against by hashing each candidate and comparing. How much work that takes depends on how the site hashed. An unsalted fast hash such as MD5, SHA-1, or plain SHA-256 falls to a dictionary attack almost instantly, and one pass over the dictionary covers every user at once. A salted, deliberately slow password hash (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count) forces the attacker to redo expensive work for every guess and every user. </p>
<p>If a website stored your password in plaintext, anyone who gets the database can use it right away, so change that password, and anywhere you reused it, immediately. Even if it was hashed, change it: a weak password is cracked quickly no matter how it was stored. </p>
<p>Services like haveibeenpwned.com show which breaches include your email address; it’s worth checking every once in a while. Its Pwned Passwords service also lets you check whether a password itself has appeared in a breach without revealing it: the client sends only the first five hex characters of the password’s SHA-1 hash and matches the rest locally. Some password managers run this check for you. </p>
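<p>A concrete picture of “with some work, they can get to your password”, as an added example that is not from the original article. The wordlist and the leaked rows are constructed; the point is the asymmetry between unsalted fast hashes, which fall to one pass over a dictionary for all users at once, and a salted slow hash, which forces the attacker to repeat the expensive function for every guess and every user.</p>

```python
import hashlib
import hmac
import os

# Added example (not from the original article): why a leaked table of
# unsalted fast hashes is nearly as bad as cleartext, and what a salted,
# deliberately slow password hash changes for the attacker.
# The wordlist and the "leaked" rows below are constructed for illustration.

WORDLIST = ["password", "hello12", "letmein", "qwerty", "summer2024"]


def fast_unsalted(password: str) -> str:
    """What a careless site stores: a single SHA-256 of the raw password."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(leaked: dict, wordlist) -> dict:
    """Dictionary attack on unsalted hashes. Each candidate is hashed once and
    matched against every user at the same time, because without a salt two
    users with the same password have the same hash."""
    lookup = {fast_unsalted(word): word for word in wordlist}
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}


# Salted, slow hashing with PBKDF2-HMAC-SHA256 from the standard library.
# Argon2id or bcrypt are preferable in production; the shape is the same.
ITERATIONS = 600_000  # OWASP's 2023 minimum for PBKDF2-HMAC-SHA256


def make_hash(password: str, salt: bytes = b"") -> str:
    """Returns a self-describing record: algorithm, iterations, salt, digest.
    A fresh random salt per user means a cracked hash helps with no other user."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())


def check_hash(password: str, stored: str) -> bool:
    """Recomputes with the stored salt and iteration count; constant-time compare."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    leaked = {"alice": fast_unsalted("hello12"),
              "bob": fast_unsalted("qwerty"),
              "carol": fast_unsalted("correct-horse-battery-staple-42")}
    print(crack_unsalted(leaked, WORDLIST))  # alice and bob fall instantly; carol does not
    record = make_hash("hello12")
    print(check_hash("hello12", record), check_hash("hello13", record))
```

<p>Against the salted records the attacker gets no shared lookup table: every guess costs 600,000 HMAC computations, and the work for alice tells them nothing about bob. That is the difference between a breach where most accounts are open within minutes and one where only the weakest passwords are at risk.</p>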
<p>End-to-end encryption sounds complex but delivers a simple promise: only the sender and the recipient hold the keys, so only they can decrypt the message. The service relaying the messages cannot read them, and therefore cannot hand them to anyone else. It does not hide who talked to whom or when; that metadata is still visible to the service. </p>
<p>Services like Signal offer end-to-end encryption by default (including in group chats) and are seen as the gold standard. WhatsApp also offers end-to-end encryption by default, though its association with Meta sometimes gets privacy advocates wary. </p>
<p>Other services offer variants, but you have to trigger them – for example, Telegram has end-to-end encryption for "Secret chats", but not group chats and non-secret private chats. </p>
<p><strong>Takeaway</strong>: Make sure you’re browsing https:// sites by enabling your browser’s HTTPS-only mode (the EFF’s <a target="_blank" href="https://www.eff.org/https-everywhere">HTTPS Everywhere</a> extension did this job until it was retired in 2023). Also, check whether your passwords have been compromised, and how, with <a target="_blank" href="https://haveibeenpwned.com/">HaveIBeenPwned.com</a>. And stick to end-to-end encryption for chat and communications if you want to make sure the people you intend to see your messages are the only ones that do. </p>
<h2 id="heading-4-how-you-spend-your-money-digitally-leaves-a-trace">4: How You Spend Your Money Digitally Leaves a Trace</h2>
<p>Online, one frontier for digital privacy is how you spend and own money. In the analog world, you can spend cash and rest assured that it is unlikely that your transaction will be traced back to you. </p>
<p>In the digital world, however, every credit card or debit card transaction is linked back to your name and address. Online security has been developed to keep those records from leaking (though they still can and have), but there are also newer ways to transact online with a (relatively) privacy-preserving option: Bitcoin and the Lightning Network. </p>
<p>Lightning is a second-layer network built on Bitcoin. Individual payments are routed between nodes off-chain; only channel opens and closes are settled on the Bitcoin chain. This lets you pay quickly and for very small routing fees, without each payment appearing on the public ledger. </p>
<p>Now, the nuances of how to use tools like Lightning Network and Bitcoin in a way that preserves privacy merits a much fuller discussion – but be aware that a tradeoff now exists. </p>
<p>Yes, using Bitcoin will expose you to broadcasting your transactions over a public ledger, one scanned by perhaps millions of people. But it will also allow you to transact with the IP address of your choice, the device of your choice, and the identity of your choice. It's up to you to do the legwork and determine if that's a tradeoff worth having. </p>
<p><strong>Takeaway</strong>: Be aware that there are alternatives to using a credit card or debit card online for all of your payments that are closer to how you might use cash in the analog world. </p>
<h2 id="heading-5-the-devices-you-use-do-matter-for-privacy-and-security">5: The Devices You Use Do Matter for Privacy and Security</h2>
<p>Lastly, the devices you're using do matter for privacy and security. The Internet is a tradeoff: you get access to many different services, but you subject the devices you're using to access these services to giving off and receiving data. </p>
<p>Most commercial laptops and phones have privacy and security features built in. Examples are the hardware hardening that makes recent iPhones more resilient, and frequent security updates for the operating system, whether that is Linux, Windows, macOS, iOS, or Android. </p>
<p>The tradeoff with devices, though, tends to be the expense, cost, and maintenance. In theory, having a second device on both laptop and mobile (for travel purposes, for example, to avoid border seizures) is ideal. And you may want to experiment with different operating systems – for example, the privacy-focused GrapheneOS for mobile, and System76 or Pinebooks for Linux-based laptops. </p>
<p>You might even go further and decide to experiment with home-based servers to run your own services. </p>
<p>Ultimately, the choice is yours: the cost of experimentation here can be high in terms of time and money spent, but can be well-worth it to maintain control over your own devices and data. </p>
<p><strong>Takeaway</strong>: Consider the devices you use. Make sure you're on top of security updates, and determine how and which devices you want to use going forward. </p>
<h2 id="heading-wrapping-up">Wrapping Up</h2>
<p>If you're interested in learning a bit more about how your digital security and privacy stacks up, <a target="_blank" href="https://loki2100.limesurvey.net/948232?lang=en">this assessment will</a> help you determine your level and give you specific recommendations. </p>
<p>The most important thing about digital security and privacy is to be mindful of the tradeoffs, and to consider and often re-evaluate best practices in an actively evolving ecosystem.   </p>
 ]]>
                </content:encoded>
            </item>
        
            <item>
                <title>
                    <![CDATA[ What the iOS Privacy Manifest Means for Developers ]]>
                </title>
                <description>
                    <![CDATA[ At WWDC 2023, Apple introduced us to a new bundle resource that is going to be added to every application and library: the privacy manifest. A lot has been written since then about this subject but without that much clarity. When first announced, App... ]]>
                </description>
                <link>https://www.freecodecamp.org/news/what-the-ios-privacy-manifest-means-for-developers/</link>
                <guid isPermaLink="false">66ba504cf8a814ef73b78bd2</guid>
                
                    <category>
                        <![CDATA[ privacy ]]>
                    </category>
                
                <dc:creator>
                    <![CDATA[ Tomer ]]>
                </dc:creator>
                <pubDate>Fri, 15 Mar 2024 16:56:05 +0000</pubDate>
                <media:content url="https://www.freecodecamp.org/news/content/images/2024/03/pawel-czerwinski-jj4LC7iKA6Q-unsplash.jpg" medium="image" />
                <content:encoded>
                    <![CDATA[ <p><a target="_blank" href="https://developer.apple.com/videos/play/wwdc2023/10060">At WWDC 2023</a>, Apple introduced us to a new bundle resource that is going to be added to every application and library: the privacy manifest. A lot has been written since then about this subject but without that much clarity.</p>
<p>When first announced, Apple stated that in the Spring of 2024 (read – spring is already here), having a privacy manifest is expected and will be part of <a target="_blank" href="https://developer.apple.com/distribute/app-review/">the application review process</a>. Apple also asks application developers, as well as SDK developers, to adopt the privacy manifest.</p>
<p>Fast forward to December 7th, 2023, <a target="_blank" href="https://developer.apple.com/news/?id=r1henawx#:~:text=Third%2Dparty%20SDK%20privacy%20manifest%20and%20signatures.&amp;text=Starting%20in%20spring%202024%2C%20if,used%20as%20a%20binary%20dependency.">Apple announced</a> a list of “commonly used third-party SDKs” that, if included by your application, you have to have a privacy manifest for. No real explanation has been given as to why the third-party SDKs listed are the ones that have been selected, but there has been much speculation about it.</p>
<p>And here we stand after February 29th, 2024 (on a leap day!), when <a target="_blank" href="https://developer.apple.com/news/?id=3d8a9yyh">Apple announced</a> a timeline for enforcing the required reason API section of the privacy manifest.</p>
<p>All of this has led to quite a bit of confusion from developers who are scrambling to understand if their application or SDK falls into a privacy manifest category.</p>
<p>Developers are unsure if they should add a privacy manifest to their SDK, even if it is not listed. The <a target="_blank" href="https://developer.apple.com/documentation/bundleresources/privacy_manifest_files">documentation</a> itself, while being adept at giving an outline of everything, lacks the necessary distinctions and details developers are looking for.</p>
<p>Part of me wants to say that Apple is keeping things vague since the near future has coming changes that privacy manifests will bring. Another part of me says that Apple has always been this vague, and it is just their modus operandi.</p>
<p>In any case, you are reading this article because you want to understand how all of this affects you. So, let’s break things down.</p>
<blockquote>
<p><em>⚠️ Disclaimer: This article won’t deal with explaining what the privacy manifest is or how to add it to your application/library, as that has been covered by Apple's documentation fairly well.</em></p>
</blockquote>
<h2 id="heading-the-four-horsemen">The Four Horsemen</h2>
<p>Privacy manifest is divided into four subjects:</p>
<ul>
<li>NSPrivacyTracking.</li>
<li>NSPrivacyTrackingDomains.</li>
<li>NSPrivacyCollectedDataTypes (nutrition labels).</li>
<li>NSPrivacyAccessedAPITypes (required reason APIs).</li>
</ul>
<p>The first two are tied together and can pose the most substantial changes to your application/library, so we’ll ease into this list by starting with number three.</p>
<h3 id="heading-what-are-nsprivacycollecteddatatypes">What are NSPrivacyCollectedDataTypes?</h3>
<p>This section holds the categories of data collection; if your application or SDK collects data in one of them, you have to declare it.</p>
<p>Each type of data collected must be supplied with the reason for collecting it.</p>
<p>The categories range from contact information about the user (such as email or phone number) to location and purchases.</p>
<p>Inside your privacy manifest file, you will have an array of NSPrivacyCollectedDataTypes, where each item will hold:</p>
<ul>
<li>The type of data collected.</li>
<li>Whether or not this data is linked to the user.</li>
<li>Whether or not this data is used to track the user.</li>
<li>The reason(s) for collecting this data.</li>
</ul>
<p>Let’s do one as an example. Imagine your application collects the precise location of a user in order to track the user’s movement to see if the user is nearby any specific stores. </p>
<p>If the user is nearby such a store, you present a relevant ad to them. Factoring all that you will need to create an entry where:</p>
<ul>
<li>The data type will be NSPrivacyCollectedDataTypePreciseLocation.</li>
<li>Mark true as we are linking the data to the user.</li>
<li>Mark true as we are tracking the user with this data.</li>
<li>Since we are going to display ads to the user, we will choose NSPrivacyCollectedDataTypePurposeThirdPartyAdvertising, NSPrivacyCollectedDataTypePurposeProductPersonalization, and NSPrivacyCollectedDataTypePurposeAppFunctionality as the reasons, since all of those fit the data we collect.</li>
</ul>
<h3 id="heading-what-are-nsprivacyaccessedapitypes">What are NSPrivacyAccessedAPITypes?</h3>
<p>As mentioned, this section is a bit more obscure and a bit more demanding.</p>
<p>Here, Apple lists very specific APIs from different categories; if you happen to use one of them, you need to declare it.</p>
<p>For every API listed, there is a fixed set of reasons, and your use of the API must fall under one of them. Some reasons state clearly that even if you use the API, you cannot send the data received from it to a server (off-device).</p>
<p>If you find that your application or SDK uses one of the listed APIs, then you need to list it with the appropriate reason(s). Continuing the example from the previous section, our application reads and writes data to user defaults that has to do with the user’s location. So, we will need to:</p>
<ul>
<li>List NSPrivacyAccessedAPICategoryUserDefaults as the NSPrivacyAccessedAPIType.</li>
<li>Use CA92.1 inside the NSPrivacyAccessedAPITypeReasons.</li>
</ul>
<p>If you think you don’t see the reason you are using an API for, <a target="_blank" href="https://idmsa.apple.com/IDMSWebAuth/signin.html?path=%2Fcontact%2Frequest%2Fprivacy-manifest-reason%2F&amp;appIdKey=891bd3417a7776362562d2197f89480a8547b108fd934911bcbea0110d07f757&amp;rv=0">you can let Apple know about it</a>.</p>
<blockquote>
<p>🎯 None of the APIs listed can be used for tracking the user.</p>
</blockquote>
<p>At last, we come to the two most problematic categories.</p>
<h3 id="heading-what-are-the-nsprivacytracking-and-nsprivacytrackingdomains">What are the NSPrivacyTracking and NSPrivacyTrackingDomains?</h3>
<p>What is tracking? Do you know? Does anyone know? It really doesn’t matter, because <a target="_blank" href="https://developer.apple.com/app-store/app-privacy-details/#user-tracking">Apple has a definition for it</a>:</p>
<blockquote>
<p><em>“Tracking” refers to linking data collected from your app about a particular end-user or device, such as a user ID, device ID, or profile, with Third-Party Data for targeted advertising or advertising measurement purposes, or sharing data collected from your app about a particular end-user or device with a data broker.</em></p>
</blockquote>
<p>So, if your application or SDK doesn’t fall into that definition, you need to mark false as the value for NSPrivacyTracking and you can exhale. </p>
<p>Because if you have to mark true as the NSPrivacyTracking, then you must supply all the domains your application or SDK uses for the purpose of tracking as part of NSPrivacyTrackingDomains.</p>
<p>By now, you must be asking yourself why I am making such a fuss about this. Well, it has to do with the fact that Apple will block all requests to any domain listed under NSPrivacyTrackingDomains if the user doesn’t allow the application to track them.</p>
<p>Read the paragraph above again.</p>
<p>Get it? You will now need to re-route network requests differently based on whether the user has given consent to be tracked or not. </p>
<p>On the client side (application/library), this might be a small change to handle. But on the server/infrastructure side, this might require some heavy lifting, as new domains (or subdomains) need to be created.</p>
<p>Data that has been aggregated in a certain way now needs to be aggregated from another source. You obviously also need to make sure that no tracking-related data is sent to your newly created domains. You wouldn’t want to end up in a scenario where your application/library stops working entirely.</p>
<p>To assist you in understanding which domains fall into the tracking category, you can use <a target="_blank" href="https://developer.apple.com/documentation/xcode/detecting-when-your-app-contacts-domains-that-may-be-profiling-users">Instruments</a>. Be aware that if your domains do not fall into that category now, it doesn’t mean that they won’t fall into it later.</p>
<h2 id="heading-conclusion">Conclusion</h2>
<p>As with any new regulation or policy, many questions are still left unanswered:</p>
<ul>
<li>If my application has a webview, where some network requests are made, do I have to include those as domains for NSPrivacyTrackingDomains?</li>
<li>Are sub domains good enough or do developers need to create completely different domains?</li>
<li>If my library is not listed as part of the commonly used SDKs, is there a chance that it might be in the future? What are the criteria used for listing such SDKs?</li>
<li>Do I have to include a signature to my SDK even if it is not listed under the commonly used SDKs?</li>
</ul>
<p>Also, looking at the current state of things in the developer community, the picture is much the same. At the time of writing this article, numerous SDKs on Apple’s list still haven’t released a version with a privacy manifest.</p>
<p>As we get closer to the date when a privacy manifest becomes mandatory, hopefully more details and better clarity will emerge. Until then, brace yourselves.</p>
 ]]>
                </content:encoded>
            </item>
        
            <item>
                <title>
                    <![CDATA[ How to Use AWS Cognito for User Authentication ]]>
                </title>
                <description>
                    <![CDATA[ When you're building complex applications, one seemingly simple feature can be difficult to implement: user authentication.  Though some apps don't need it depending on their use case, many do. You might spend a ton of time building an authentication... ]]>
                </description>
                <link>https://www.freecodecamp.org/news/how-to-use-aws-cognito-for-user-authentication/</link>
                <guid isPermaLink="false">66ba10da90067134b63982c5</guid>
                
                    <category>
                        <![CDATA[ authentication ]]>
                    </category>
                
                    <category>
                        <![CDATA[ AWS ]]>
                    </category>
                
                    <category>
                        <![CDATA[ privacy ]]>
                    </category>
                
                <dc:creator>
                    <![CDATA[ Arunachalam B ]]>
                </dc:creator>
                <pubDate>Wed, 31 May 2023 17:01:00 +0000</pubDate>
                <media:content url="https://www.freecodecamp.org/news/content/images/2023/05/AWS-cognito.png" medium="image" />
                <content:encoded>
                    <![CDATA[ <p>When you're building complex applications, one seemingly simple feature can be difficult to implement: user authentication. </p>
<p>Though some apps don't need it depending on their use case, many do. You might spend a ton of time building an authentication module to provide a secure experience to your users and protect their data and privacy. But you can also extract this out into a separate service like AWS Cognito.</p>
<p>According to the <a target="_blank" href="https://aws.amazon.com/cognito/">site</a>,</p>
<blockquote>
<p><em>Amazon Cognito</em> helps you implement customer identity and access management (CIAM) into your web and mobile applications.</p>
</blockquote>
<p>In short, AWS Cognito is designed to simplify the implementation of user authentication and authorization. With Cognito, you can focus on building your application's core functionality, while offloading the complexities of user management to the service.</p>
<p>In this tutorial, we will dive into the world of AWS Cognito by creating an AWS Cognito User Pool for user authentication. You'll see how to read the data from AWS Cognito and display it in a simple NextJS app.</p>
<p>Here is a quick demo of the app that we'll be building. I'll be focusing more on AWS Cognito than on NextJS, because you can port this service with any UI framework you wish. Still, you can get the full source code of the NextJS repo from <a target="_blank" href="https://github.com/5minslearn/aws_cognito">here</a>.</p>
<p><img src="https://www.freecodecamp.org/news/content/images/2023/05/5minslearn.gif" alt="Image" width="600" height="400" loading="lazy">
<em>AWS Cognito integrated with NextJS app</em></p>
<h2 id="heading-what-is-an-aws-cognito-user-pool">What is an AWS Cognito User Pool?</h2>
<p>AWS Cognito User Pools are a fully managed user directory service that allows you to create and manage a pool of users for your application. </p>
<p>User Pools provide a set of features that enable you to handle user registration, sign-in, and account recovery seamlessly.</p>
<h2 id="heading-benefits-of-aws-cognito-user-pools">Benefits of AWS Cognito User Pools</h2>
<h4 id="heading-easy-integration">Easy Integration</h4>
<p>Cognito User Pools seamlessly integrates with various application platforms and frameworks, including web, mobile, and server-side applications, making it versatile for different use cases.</p>
<h4 id="heading-secure-user-authentication">Secure User Authentication</h4>
<p>User Pools supports various authentication methods, including email and password, social sign-in (such as Google, Facebook, or Amazon), and multi-factor authentication. This ensures robust security for user authentication.</p>
<h4 id="heading-user-registration-and-management">User Registration and Management</h4>
<p>User Pools simplifies the user registration process by providing customizable sign-up pages and email verification. It also offers user self-service features like password reset and profile management, reducing the burden on the application backend.</p>
<h4 id="heading-scalability-and-performance">Scalability and Performance</h4>
<p>AWS handles the scalability and performance aspects of the user pool, allowing you to seamlessly handle millions of users without worrying about infrastructure provisioning or performance optimization.</p>
<h2 id="heading-how-to-create-an-aws-cognito-user-pool">How to Create an AWS Cognito User Pool</h2>
<p>Let's dive into the step-by-step process of creating an AWS Cognito User Pool.</p>
<h4 id="heading-sign-in-to-aws-management-console">Sign in to AWS Management Console</h4>
<p>Sign in to your AWS Management Console using your credentials.</p>
<h4 id="heading-aws-cognito-service"><strong>AWS Cognito Service</strong></h4>
<p>Search for "Cognito" in the AWS Management Console search bar and open the Cognito service. You will see a page as shown below:</p>
<p><img src="https://www.freecodecamp.org/news/content/images/2023/05/image-132.png" alt="Image" width="600" height="400" loading="lazy">
<em>AWS Cognito Console</em></p>
<h4 id="heading-create-a-user-pool"><strong>Create a User Pool</strong></h4>
<p>Click on the "Create User Pool" button. You can see two provider types. One is the Cognito user pool which will be selected by default and provides regular email and password authentication. The other one is Federated identity providers which will allow users to log in with their social identity like Facebook, Google, and so on.</p>
<p>To keep it simple, I'm selecting only the Cognito user pool and selecting User name and Email as the sign-in options.</p>
<p><img src="https://www.freecodecamp.org/news/content/images/2023/05/image-133.png" alt="Image" width="600" height="400" loading="lazy">
<em>AWS Cognito - Configure sign-in options</em></p>
<h4 id="heading-configure-security-requirements"><strong>Configure security requirements</strong></h4>
<p>Configure your desired settings, such as password policies, multi-factor authentication, MFA methods, and User account recovery.</p>
<p><img src="https://www.freecodecamp.org/news/content/images/2023/05/image-134.png" alt="Image" width="600" height="400" loading="lazy">
<em>AWS Cognito - Set password policy and MFA</em></p>
<p><img src="https://www.freecodecamp.org/news/content/images/2023/05/image-136.png" alt="Image" width="600" height="400" loading="lazy">
<em>AWS Cognito - Set User account recovery</em></p>
<h4 id="heading-configure-sign-up-experience"><strong>Configure sign-up experience</strong></h4>
<p>Configure the sign-up experience based on your needs. You can set required attributes and custom attributes which will be shown to the user on the Sign-up page. Those data will be stored in the Cognito user pool.</p>
<h4 id="heading-configure-message-delivery"><strong>Configure message delivery</strong></h4>
<p>You'll want to select the email provider as "SES" for production applications. Since this is a demo, I'm selecting the "Send email with Cognito" option.</p>
<p><img src="https://www.freecodecamp.org/news/content/images/2023/05/image-138.png" alt="Image" width="600" height="400" loading="lazy">
<em>AWS Cognito - Configure message delivery</em></p>
<h4 id="heading-integrate-your-app">Integrate your app</h4>
<p>Provide a unique name for your user pool. Check the "Use the Cognito Hosted UI" option to use the UI provided by AWS.</p>
<p><img src="https://www.freecodecamp.org/news/content/images/2023/05/image-139.png" alt="Image" width="600" height="400" loading="lazy">
<em>AWS Cognito - Integrate App</em></p>
<p>Choose your desired domain type. To use a custom domain you must provide a DNS record and AWS Certificate Manager certificate.</p>
<p><img src="https://www.freecodecamp.org/news/content/images/2023/05/image-140.png" alt="Image" width="600" height="400" loading="lazy">
<em>AWS Cognito - Select Domain type</em></p>
<p>The next step is to initialize the app client. This app client represents your application and allows it to interact with the user pool. Configure the app client settings, including the allowed OAuth scopes and callback URLs. In our case here, it'll be http://localhost:3000, as we'll be running only on our local machine.</p>
<p>Enter a user friendly "App client name". You need to provide the callback URL of your site. After authentication, the user will be redirected to this URL.</p>
<p>We have to query the Cognito service to fetch user details. To do so, we need a client secret. Select the "Generate a client secret" option.</p>
<p>Explore all the other options on the page and configure them based on your needs. I hope they're self-explanatory. If you don't understand any of the options, just leave them at the default selection.</p>
<p><img src="https://www.freecodecamp.org/news/content/images/2023/05/image-141.png" alt="Image" width="600" height="400" loading="lazy">
<em>AWS Cognito - Generate a client secret</em></p>
<h4 id="heading-review-and-create">Review and Create</h4>
<p>Finally, a review page will be shown where you can review all your configurations. Click on "Create pool" to create your user pool.</p>
<p>We're half done. We've successfully created the User Pool.</p>
<h2 id="heading-hosted-ui-customization">Hosted UI Customization</h2>
<p>To customize your login page, click on the user pool you just created and click on App Integration tab.</p>
<p><img src="https://www.freecodecamp.org/news/content/images/2023/06/App-Integration-Tab.png" alt="Image" width="600" height="400" loading="lazy">
<em>AWS Cognito - App integration Tab</em></p>
<p>Locate Hosted UI Customization and click the "Edit" button. You can upload your logo and custom CSS and that will be applied on the Signup and Login page.</p>
<p><img src="https://www.freecodecamp.org/news/content/images/2023/06/Hosted-UI-Customization.png" alt="Image" width="600" height="400" loading="lazy">
<em>AWS Cognito - Hosted UI customization</em></p>
<p>You can view the hosted UI with your customization applied by constructing the following URL, with the specifics for your user pool, and typing it into a browser: <code>https://&lt;your_domain&gt;/login?response_type=code&amp;client_id=&lt;your_app_client_id&gt;&amp;redirect_uri=&lt;your_callback_url&gt;</code>. You can pull all the data from the dashboard. </p>
<p>Hit the URL. If you don't see the login page loaded and see an error page instead, don't panic. The changes you made on the dashboard may take a few minutes to be available.</p>
<p><img src="https://www.freecodecamp.org/news/content/images/2023/05/image-144.png" alt="Image" width="600" height="400" loading="lazy">
<em>Sign in page</em></p>
<p>As we don't have any account created, let's try to sign up. AWS Cognito handles all the hassle of sending a verification email, asking the user to set up MFA, and so on.</p>
<p><img src="https://www.freecodecamp.org/news/content/images/2023/05/image-145.png" alt="Image" width="600" height="400" loading="lazy">
<em>Sign up page</em></p>
<p><img src="https://www.freecodecamp.org/news/content/images/2023/05/image-146.png" alt="Image" width="600" height="400" loading="lazy">
<em>AWS Cognito - Email verification</em></p>
<p><img src="https://www.freecodecamp.org/news/content/images/2023/05/image-147.png" alt="Image" width="600" height="400" loading="lazy">
<em>AWS Cognito - MFA</em></p>
<p>Hopefully, on pressing your final "Sign in" button, you'll be taken to an error page. Do you know why? We don't have our client up and running. If you notice the URL, you'll be in <code>http://localhost:3000</code>.</p>
<p>But, this is the right time for us to verify if our integration is correct. Let's open the User pool dashboard and see if our new signed up user is shown there.</p>
<p><img src="https://www.freecodecamp.org/news/content/images/2023/06/User-Pool-Database.png" alt="Image" width="600" height="400" loading="lazy">
<em>AWS Cognito - Users database</em></p>
<p>Great work! Our first user has shown up in the dashboard. Now let's pull the user info from the Cognito using NextJS.</p>
<h2 id="heading-how-to-pull-the-user-info-from-aws-cognito-using-nextjs">How to Pull the User Info from AWS Cognito using NextJS</h2>
<p>To pull the data from Cognito, we are going to use the APIs provided by Cognito. First, we need to get the access token using the <a target="_blank" href="https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html">Token endpoint</a> and use that access token to get the user info using the <a target="_blank" href="https://docs.aws.amazon.com/cognito/latest/developerguide/userinfo-endpoint.html">User Info endpoint</a></p>
<p>To follow along with me you can use this <a target="_blank" href="https://github.com/5minslearn/deploy_nextjs_app">repo</a> which contains the NextJS boilerplate code.</p>
<p>Clone the repo, install the dependencies by entering the <code>yarn install</code> command, and run the app by entering the <code>yarn dev</code> command.</p>
<p>Once you're done, you'll land on this page after hitting <code>http://localhost:3000</code>:</p>
<p><img src="https://www.freecodecamp.org/news/content/images/2023/05/image-149.png" alt="Image" width="600" height="400" loading="lazy"></p>
<p>If you follow the same sign-up / sign-in process as we did above, you'll be redirected to the above page.</p>
<h3 id="heading-post-request-to-aws-cognito-token-endpoint">Post Request to AWS Cognito Token Endpoint</h3>
<p><strong>Sample Request:</strong></p>
<pre><code>POST https://mydomain.auth.us-east-1.amazoncognito.com/oauth2/token
Content-Type: application/x-www-form-urlencoded
Authorization: Basic ZGpjOTh1M2ppZWRtaTI4M2V1OTI4OmFiY2RlZjAxMjM0NTY3ODkw

grant_type=authorization_code&amp;client_id=1example23456789&amp;code=AUTHORIZATION_CODE&amp;redirect_uri=com.myclientapp://myclient/redirect
</code></pre><p>The token endpoint needs the following parameters:</p>
<ol>
<li><strong>Domain name</strong> – Go to the Cognito user pool, and in the App integration tab you can find the Domain name.</li>
<li><strong>Client ID and Client Secret</strong> – At the bottom of the same page, find the app client list and click on the app client you created. You can see the Client ID and Client Secret.</li>
<li><strong>Authorization Code</strong> – this is a code that is available in the URL we're being redirected to. (Refer to the below screenshot)</li>
</ol>
<p><img src="https://www.freecodecamp.org/news/content/images/2023/05/image-150.png" alt="Image" width="600" height="400" loading="lazy">
<em>AWS Cognito - Authorization Code</em></p>
<p>Let's write the code to get the authorization code.</p>
<p>Open the <code>index.tsx</code> file and add the following code:</p>
<pre><code><span class="hljs-keyword">import</span> { useSearchParams } <span class="hljs-keyword">from</span> <span class="hljs-string">"next/navigation"</span>;
...
...
export <span class="hljs-keyword">default</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">Home</span>(<span class="hljs-params"></span>) </span>{
<span class="hljs-keyword">const</span> searchParams = useSearchParams();
<span class="hljs-keyword">const</span> code = searchParams.get(<span class="hljs-string">"code"</span>);
...
</code></pre><p>Create an <code>.env.local</code> file in the project root folder and add the following credentials into it:</p>
<pre><code>NEXT_PUBLIC_COGNITO_CLIENT_ID=&lt;cognito_client_id&gt;
NEXT_PUBLIC_COGNITO_CLIENT_SECRET=&lt;cognito_client_secret&gt;
NEXT_PUBLIC_COGNITO_DOMAIN=&lt;cognito_domain&gt;
</code></pre><p>Now add the <code>useEffect</code> with the following block of code inside it:</p>
<pre><code><span class="hljs-keyword">import</span> axios <span class="hljs-keyword">from</span> <span class="hljs-string">'axios'</span>;

...

export <span class="hljs-keyword">default</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">Home</span>(<span class="hljs-params"></span>) </span>{
  <span class="hljs-keyword">const</span> searchParams = useSearchParams();
  <span class="hljs-keyword">const</span> code = searchParams.get(<span class="hljs-string">"code"</span>);
  <span class="hljs-keyword">const</span> [name, setName] = useState(<span class="hljs-string">""</span>);
  <span class="hljs-keyword">const</span> [email, setEmail] = useState(<span class="hljs-string">""</span>);
  useEffect(<span class="hljs-function">() =&gt;</span> {
    <span class="hljs-keyword">if</span> (!code) <span class="hljs-keyword">return</span>;
    <span class="hljs-keyword">const</span> clientID = process.env.NEXT_PUBLIC_COGNITO_CLIENT_ID || <span class="hljs-string">""</span>;
    <span class="hljs-keyword">const</span> clientSecret = process.env.NEXT_PUBLIC_COGNITO_CLIENT_SECRET || <span class="hljs-string">""</span>;
    <span class="hljs-keyword">const</span> cognitoDomain = process.env.NEXT_PUBLIC_COGNITO_DOMAIN || <span class="hljs-string">""</span>;
    <span class="hljs-keyword">const</span> credentials = <span class="hljs-string">`<span class="hljs-subst">${clientID}</span>:<span class="hljs-subst">${clientSecret}</span>`</span>;
    <span class="hljs-keyword">const</span> base64Credentials = Buffer.from(credentials).toString(<span class="hljs-string">"base64"</span>);
    <span class="hljs-keyword">const</span> basicAuthorization = <span class="hljs-string">`Basic <span class="hljs-subst">${base64Credentials}</span>`</span>;
    <span class="hljs-keyword">const</span> headers = {
      <span class="hljs-string">"Content-Type"</span>: <span class="hljs-string">"application/x-www-form-urlencoded"</span>,
      <span class="hljs-attr">Authorization</span>: basicAuthorization,
    };
    <span class="hljs-keyword">const</span> data = <span class="hljs-keyword">new</span> URLSearchParams();
    <span class="hljs-keyword">let</span> token = <span class="hljs-string">""</span>;
    data.append(<span class="hljs-string">"grant_type"</span>, <span class="hljs-string">"authorization_code"</span>);
    data.append(<span class="hljs-string">"client_id"</span>, clientID);
    data.append(<span class="hljs-string">"code"</span>, code);
    data.append(<span class="hljs-string">"redirect_uri"</span>, <span class="hljs-string">"http://localhost:3000"</span>);
    axios
      .post(
        <span class="hljs-string">`<span class="hljs-subst">${cognitoDomain}</span>/oauth2/token`</span>,
        data,
        { headers }
      )
      .then(<span class="hljs-function">(<span class="hljs-params">res</span>) =&gt;</span> {
        <span class="hljs-keyword">if</span> (res.status != <span class="hljs-number">200</span>) <span class="hljs-keyword">return</span>;
        token = res?.data?.access_token;
        <span class="hljs-keyword">const</span> userInfoHeaders = {
          <span class="hljs-attr">Authorization</span>: <span class="hljs-string">"Bearer "</span> + token,
        };
        axios
          .get(
            <span class="hljs-string">`<span class="hljs-subst">${cognitoDomain}</span>/oauth2/userInfo`</span>,
            { <span class="hljs-attr">headers</span>: userInfoHeaders }
          )
          .then(<span class="hljs-function">(<span class="hljs-params">userInfo</span>) =&gt;</span> {
            <span class="hljs-keyword">if</span> (userInfo.status != <span class="hljs-number">200</span>) <span class="hljs-keyword">return</span>;
            setName(userInfo.data?.username);
            setEmail(userInfo.data?.email);
          });
      });
  }, [code]);

...
...
</code></pre><p>What are we doing in the above code? Let's explore.</p>
<p>We need to get the access token. This token is needed to authorize the user whenever they use the app. </p>
<p>To get that token, we have to make an HTTP POST request to the AWS Cognito service, attaching the Base64 encoding of our client ID and secret in the Authorization header. We also have to pass the code that we received from the URL when the user was redirected.</p>
<p>We'll use this token to get the user's info. We're storing the user info (name and email) in the app's state variable.</p>
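<p>The same two calls (token endpoint, then userInfo endpoint), written as an added example for this article rather than code from the tutorial or from the 5minslearn repo. The difference from the block above is where the exchange runs: here it runs on the server, so the client secret is read from COGNITO_CLIENT_SECRET (an assumed, server-only variable without the NEXT_PUBLIC_ prefix, which Next.js would otherwise inline into the browser bundle) and the tokens never reach the browser. The function and variable names, the pages/api/callback.js path and the constructed fake Cognito endpoints are all assumptions made for the example; it needs only Node 18+ globals (Buffer, URLSearchParams, fetch).</p>

```javascript
// Added example: server-side authorization-code exchange with Cognito.
// Assumed env vars: COGNITO_DOMAIN, COGNITO_CLIENT_ID, COGNITO_CLIENT_SECRET (server-only).

// HTTP Basic value the token endpoint expects: base64("client_id:client_secret").
function basicAuthHeader(clientId, clientSecret) {
  const encoded = Buffer.from(`${clientId}:${clientSecret}`, "utf8").toString("base64");
  return `Basic ${encoded}`;
}

// application/x-www-form-urlencoded body for the authorization_code grant.
function tokenRequestBody(clientId, code, redirectUri) {
  const body = new URLSearchParams();
  body.append("grant_type", "authorization_code");
  body.append("client_id", clientId);
  body.append("code", code);
  body.append("redirect_uri", redirectUri);
  return body.toString();
}

// Exchange the code for tokens, then call /oauth2/userInfo with the access token.
// Only the two fields the page displays are returned; the tokens stay on the server.
// fetchImpl is injectable so the flow can be exercised offline.
async function exchangeCodeForUser(config, code, fetchImpl = fetch) {
  if (typeof code !== "string" || code.length === 0) {
    throw new Error("missing authorization code");
  }
  const tokenRes = await fetchImpl(`${config.domain}/oauth2/token`, {
    method: "POST",
    headers: {
      "Content-Type": "application/x-www-form-urlencoded",
      Authorization: basicAuthHeader(config.clientId, config.clientSecret),
    },
    body: tokenRequestBody(config.clientId, code, config.redirectUri),
  });
  if (!tokenRes.ok) throw new Error(`token endpoint returned ${tokenRes.status}`);
  const tokens = await tokenRes.json();
  if (typeof tokens.access_token !== "string") {
    throw new Error("no access_token in token response");
  }

  const infoRes = await fetchImpl(`${config.domain}/oauth2/userInfo`, {
    headers: { Authorization: `Bearer ${tokens.access_token}` },
  });
  if (!infoRes.ok) throw new Error(`userInfo endpoint returned ${infoRes.status}`);
  const info = await infoRes.json();
  return { username: info.username, email: info.email };
}

// Constructed stand-in for the two Cognito endpoints so the example runs offline.
// Like the real service, it answers 401 when the Basic header or grant body is wrong.
function fakeCognitoFetch(expected) {
  return async (url, init = {}) => {
    const headers = init.headers || {};
    if (url.endsWith("/oauth2/token")) {
      const ok =
        init.method === "POST" &&
        headers.Authorization === basicAuthHeader(expected.clientId, expected.clientSecret) &&
        init.body === tokenRequestBody(expected.clientId, expected.code, expected.redirectUri);
      return ok
        ? { ok: true, status: 200, json: async () => ({ access_token: "constructed-access-token", token_type: "Bearer" }) }
        : { ok: false, status: 401, json: async () => ({ error: "invalid_client" }) };
    }
    if (url.endsWith("/oauth2/userInfo")) {
      const ok = headers.Authorization === "Bearer constructed-access-token";
      return ok
        ? { ok: true, status: 200, json: async () => ({ sub: "constructed-sub", username: "alice", email: "alice@example.com" }) }
        : { ok: false, status: 401, json: async () => ({}) };
    }
    return { ok: false, status: 404, json: async () => ({}) };
  };
}

// In a Next.js pages-router project this would be the default export of
// pages/api/callback.js (assumed path), and the hosted UI's callback URL would point at it.
async function callbackHandler(req, res) {
  const config = {
    domain: process.env.COGNITO_DOMAIN,
    clientId: process.env.COGNITO_CLIENT_ID,
    clientSecret: process.env.COGNITO_CLIENT_SECRET,
    redirectUri: "http://localhost:3000/api/callback", // must match the authorize request
  };
  try {
    const user = await exchangeCodeForUser(config, req.query.code);
    res.status(200).json(user);
  } catch (err) {
    console.error("cognito sign-in failed:", err.message); // details stay in server logs
    res.status(401).json({ error: "sign-in failed" });
  }
}
```

<p>The page component then fetches <code>/api/callback?code=...</code> (or the route sets a session cookie and redirects) instead of holding the secret itself; the same <code>name</code>/<code>email</code> state from the block above can be filled from the JSON this route returns. The redirect URI registered in the app client has to match the one the route sends, which is why it is set explicitly here.</p>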
<p>We got the user's name and email from the above code. Let's display them on the screen.</p>
<pre><code>...
...
&lt;h2 className={inter.className}&gt;Welcome to <span class="hljs-number">5</span>minslearn!&lt;/h2&gt;
      {name &amp;&amp; email ? (
        <span class="xml"><span class="hljs-tag">&lt;&gt;</span>
          <span class="hljs-tag">&lt;<span class="hljs-name">h2</span> <span class="hljs-attr">className</span>=<span class="hljs-string">{inter.className}</span>&gt;</span>{name}<span class="hljs-tag">&lt;/<span class="hljs-name">h2</span>&gt;</span>
          <span class="hljs-tag">&lt;<span class="hljs-name">p</span> <span class="hljs-attr">className</span>=<span class="hljs-string">{inter.className}</span>&gt;</span>{email}<span class="hljs-tag">&lt;/<span class="hljs-name">p</span>&gt;</span>
        <span class="hljs-tag">&lt;/&gt;</span></span>
      ) : (
        <span class="xml"><span class="hljs-tag">&lt;&gt;</span><span class="hljs-tag">&lt;/&gt;</span></span>
      )}
...
...
</code></pre><p>Awesome. Our app is completely ready now.</p>
<p>Once you sign-in from Cognito again, you'll be redirected to your site and you'll be shown a page with your name and email (like the one shown in the below screenshot).</p>
<p><img src="https://www.freecodecamp.org/news/content/images/2023/05/image-151.png" alt="Image" width="600" height="400" loading="lazy">
<em>Get user name and email from AWS Cognito using Next.js</em></p>
<p>Awesome – we successfully pulled the data from AWS Cognito and showed it in our app.</p>
<h2 id="heading-conclusion">Conclusion</h2>
<p>In this tutorial, you learned how to build user authentication by creating a Cognito user pool. You also saw how to pull data from Amazon Cognito using NextJS.</p>
<p>Hope you enjoyed reading this article! Here's the link to the <a target="_blank" href="https://github.com/5minslearn/aws_cognito">repo</a>.</p>
<p>If you wish to learn more about AWS, subscribe to my <a target="_blank" href="https://5minslearn.gogosoon.com/?ref=fcc_aws_cognito">newsletter</a> (<a target="_blank" href="https://5minslearn.gogosoon.com/?ref=fcc_aws_cognito">https://5minslearn.gogosoon.com/</a>) and follow me on social media. </p>
 ]]>
                </content:encoded>
            </item>
        
            <item>
                <title>
                    <![CDATA[ Security and Privacy – What You Should Know to Protect Your Data ]]>
                </title>
                <description>
                    <![CDATA[ I've talked a lot about security and privacy in my "A Beginners Guide to Digital Security" and "What Is Digital Privacy" articles. So why are we flogging this certifiably dead horse now? Because it's not dead. Security and privacy are as or more impo... ]]>
                </description>
                <link>https://www.freecodecamp.org/news/understanding-security-and-privacy-8-10/</link>
                <guid isPermaLink="false">66b9965ac39234149cf0110d</guid>
                
                    <category>
                        <![CDATA[ information security ]]>
                    </category>
                
                    <category>
                        <![CDATA[ privacy ]]>
                    </category>
                
                    <category>
                        <![CDATA[ Security ]]>
                    </category>
                
                <dc:creator>
                    <![CDATA[ David Clinton ]]>
                </dc:creator>
                <pubDate>Wed, 01 Mar 2023 18:36:46 +0000</pubDate>
                <media:content url="https://www.freecodecamp.org/news/content/images/2023/03/pexels-photomix-company-96612.jpg" medium="image" />
                <content:encoded>
                    <![CDATA[ <p>I've talked a lot about security and privacy in my "<a target="_blank" href="https://www.freecodecamp.org/news/understanding-digital-security/">A Beginners Guide to Digital Security</a>" and "<a target="_blank" href="https://www.freecodecamp.org/news/beginners-guide-to-digital-privacy/">What Is Digital Privacy</a>" articles. So why are we flogging this certifiably dead horse now?</p>
<p>Because it's not dead. Security and privacy are at least as important as anything else in IT. Most of us don't think about them enough, but they're something you can't really overdo. </p>
<p>As an outstanding IT professional I once worked with would have said: "Paranoid is only the beginning." And besides, there are still some urgent and fascinating topics we haven't addressed.</p>
<p>So we'll spend some time exploring how the core security tools (like authentication controls and encryption) can be applied to solve a much wider range of security and privacy problems. And we'll also go face to face with a couple of significant threats that exist thanks to the very devices we've come to love.</p>
<p>This chapter was taken from the book, <a target="_blank" href="https://amzn.to/3FXXAfb">Keeping Up: Backgrounders to All the Big Technology Trends You Can't Afford to Ignore</a>. If you'd prefer to watch this chapter as a video, feel free to follow along here:</p>
<div class="embed-wrapper">
        <iframe width="560" height="315" src="https://www.youtube.com/embed/FOlJEp4UEiA" style="aspect-ratio: 16 / 9; width: 100%; height: auto;" title="YouTube video player" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen="" loading="lazy"></iframe></div>
<h1 id="heading-blockchains-and-security">Blockchains and Security</h1>
<p>The new-technology-hype machine just loved blockchains when they first came to public attention. There were frequent gushing articles in the media about how this was <em>it</em>: blockchains were poised to change the world, ushering in a golden age of endless joy and fluffy fairy unicorns. Rejoice! Salvation is come.</p>
<p>But despite all that, blockchain technologies are, in fact, a big deal. Before we go there, though, just what is this stuff all about?</p>
<p>A blockchain is a distributed string of digital records used to record and validate transactions. The goal is to maintain a reliable and incorruptible public "ledger" of transactions to secure and improve the way financial and commodity operations are recorded.</p>
<p>The <em>blocks</em> in <em>blockchains</em> are actually data packets containing some identifying meta information (including a timestamp) and a cryptographic hash. </p>
<p>The hash – which is produced by software running on the computer that generates the block – is derived from the unique contents of the previous block in the chain which, in turn, was based on the block that preceded it.</p>
<p>Because the contents of one block are dependent on the state of others, no single block can be modified without leaving behind some obvious and easily traceable evidence. </p>
<p>This explains why it's called a <em>chain</em>, because if any one link (block) is altered, the entire chain will break. In effect, a chain will never be trusted unless it maintains the clear consensus of the creators of all its blocks.</p>
<p>Generating the hashes for blockchains is compute-intensive and can incur significant costs in compute power and electricity. </p>
<p>This is by design, since it all but forces blockchains into the hands of distributed communities, rather than individuals or small groups. This decentralization makes chains less vulnerable to attack and adds robust reliability to the data that's being managed.</p>
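<p>As an added example (not part of the original chapter), here is a small Python hash chain that builds blocks the way the paragraphs above describe: each block commits to a timestamp, its payload and the previous block's hash, and generating a block costs a proof-of-work search. It then alters one block to show that the chain breaks, and that even redoing the work for that block leaves evidence in the next one. The record contents, timestamps and difficulty target are constructed values.</p>

```python
"""Added example (not from the article): a minimal hash chain showing why
altering one block is detectable and why generating blocks costs compute.
Payloads, timestamps and the difficulty target are constructed values."""
import hashlib
import json
from dataclasses import dataclass

DIFFICULTY_BITS = 12  # constructed: a valid hash must start with 12 zero bits


@dataclass
class Block:
    index: int
    timestamp: int       # constructed fixed values so runs are reproducible
    data: str
    prev_hash: str       # hash of the preceding block: this is the "chain"
    nonce: int = 0
    hash: str = ""

    def header(self) -> dict:
        # Everything the block's hash commits to: identifying metadata,
        # payload, the previous block's hash and the proof-of-work nonce.
        return {"index": self.index, "timestamp": self.timestamp,
                "data": self.data, "prev_hash": self.prev_hash,
                "nonce": self.nonce}

    def compute_hash(self) -> str:
        encoded = json.dumps(self.header(), sort_keys=True).encode()
        return hashlib.sha256(encoded).hexdigest()


def meets_target(digest_hex: str, bits: int = DIFFICULTY_BITS) -> bool:
    """Proof-of-work check: the digest as an integer must be below 2**(256-bits)."""
    return int(digest_hex, 16) < (1 << (256 - bits))


def mine(block: Block, bits: int = DIFFICULTY_BITS) -> Block:
    """Search for a nonce whose hash satisfies the target. About 2**bits
    attempts are needed on average, which is where the compute cost comes from."""
    block.nonce = 0
    while True:
        digest = block.compute_hash()
        if meets_target(digest, bits):
            block.hash = digest
            return block
        block.nonce += 1


def build_chain(records: list, bits: int = DIFFICULTY_BITS) -> list:
    """records: list of (timestamp, payload) pairs; a genesis block is prepended."""
    chain = [mine(Block(0, 1_700_000_000, "genesis", "0" * 64), bits)]
    for i, (ts, payload) in enumerate(records, start=1):
        chain.append(mine(Block(i, ts, payload, chain[-1].hash), bits))
    return chain


def verify_chain(chain: list, bits: int = DIFFICULTY_BITS):
    """Return (ok, first_bad_index). Each block's stored hash must match its
    content and the target, and its prev_hash must match its predecessor."""
    for i, block in enumerate(chain):
        if block.compute_hash() != block.hash or not meets_target(block.hash, bits):
            return False, i
        if i > 0 and block.prev_hash != chain[i - 1].hash:
            return False, i
    return True, None


def tamper_demo(bits: int = DIFFICULTY_BITS):
    """Build a 4-block chain, alter block 1, then re-mine it; return the three
    verification results (before, after the edit, after re-mining)."""
    records = [(1_700_000_060, "alice pays bob 5"),       # constructed payloads
               (1_700_000_120, "bob pays carol 2"),
               (1_700_000_180, "carol pays dave 1")]
    chain = build_chain(records, bits)
    before = verify_chain(chain, bits)          # (True, None)
    chain[1].data = "alice pays bob 500"        # an unauthorized edit
    after = verify_chain(chain, bits)           # (False, 1): hash no longer matches
    mine(chain[1], bits)                        # redo the work for block 1 only...
    remined = verify_chain(chain, bits)         # (False, 2): block 2 still points at the old hash
    return before, after, remined


if __name__ == "__main__":
    print(tamper_demo())
```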
<h2 id="heading-blockchains-and-cryptocurrency">Blockchains and Cryptocurrency</h2>
<p>Like most people, I first heard about blockchains in the context of cryptocurrencies like Bitcoin and Ethereum. Cryptocurrencies are digital assets that can be used as alternatives to fiat money (that is, the kind of virtual and mutually accepted representations of value found in exchange instruments like national currencies).</p>
<p>Using the funds in a cryptocurrency account, I could pay for goods or services while, in many cases, retaining anonymity. Of course, this very anonymity carries significant risks.</p>
<p>Cryptocurrencies have, for instance, been used to support criminal activities. The people behind ransomware attacks will often demand cryptocurrency payments in exchange for the decryption keys that you <em>hope</em> will restore access to your lost data. </p>
<p>And the contents of large cryptocurrency accounts have been effectively lost when controlling servers crashed (or were forced down) or, in at least one case, when the administrator of a currency worth millions of dollars died without sharing his authentication information.</p>
<p>It's worth noting that the relative value of funds in the account itself – when measured against the ability to exchange them for fiat money – has historically been volatile, unpredictably suffering from violent market fluctuations.</p>
<h2 id="heading-blockchains-and-accounting">Blockchains and Accounting</h2>
<p>Blockchains can solve many of the same old problems addressed by traditional accounting practices. Specifically, integrating blockchain verification into a business's financial processes can provide secure transactions and on-demand access to immutable and transparent records. </p>
<p>The ongoing, real-time existence of such records could possibly remove the need for periodic audits and monthly reconciling.</p>
<p>Many of those same features could profoundly change the very nature and value of contracts – a change that could spill over beyond accounting, into the practice of law.</p>
<h2 id="heading-blockchains-and-insurance">Blockchains and Insurance</h2>
<p>The potential security and privacy features of properly designed blockchains can also create efficiencies and value in the insurance industry. </p>
<p>For one example, having a single blockchain where all the insurers within a particular market can reliably share their customer account information can help reduce claims fraud. Suspicious behavior and multiple claims for a single event will be more readily visible within a transparent and highly accessible system that includes data from all participating parties.</p>
<p>Being able to reduce administrative duplication can also greatly streamline the processing of legitimate claims. </p>
<p>You'll appreciate this when you consider how a victim's insurer will often process their customer's claim using similar steps to those used by the insurer you're claiming from. But if both companies are able to openly share their data, the process can be unified and, even better, automated.</p>
<p>Perhaps most significantly, the delivery of healthcare can be enhanced and made more efficient if critical personal records can be safely and instantly accessed. And – you guessed it – blockchains can be helpful here, too.</p>
<p>What kinds of automation are we talking about? Well, going back to accident claims, a "smart contract" is software that regularly checks for changes to the status of associated objects. The simple mouse click approval of an insurance appraiser, for instance, could set into motion all the events necessary to pay a claim, notify all related parties, and update existing records.</p>
<p>Maybe – just maybe – insurance isn't as boring as people think.</p>
<h1 id="heading-what-is-multi-factor-authentication">What is Multi-Factor Authentication?</h1>
<p>Passwords are terrible things. Sure, we can't just leave our devices and online accounts open to anyone. But who decided that asking people to memorize long strings of meaningless text (like <em>sIIkdm^&amp;sv234LKi</em>) was the solution? </p>
<p>Sure, you could choose easy-to-remember passwords like <em>mysecret</em> or this clever variation: <em>mysecret22</em>. But anything that's that easy to remember is equally easy to guess. And double that if you're using the same password for multiple accounts. In other words, that kind of protection is just not worth the effort.</p>
<p>There are, by the way, two ways to improve your passwords:</p>
<ul>
<li>Use a password vault to generate and safely store insanely complex passwords that you won't need to remember: you can just copy and paste them into any login pages you visit.</li>
<li>Use long (15-20 character) passwords that incorporate memorable, but unconnected, words. Something like: <em>house-seventy-warfare-calf</em>.</li>
</ul>
<p>Mathematically speaking, it's highly unlikely that anyone will have the compute power and time needed to crack that one. And it's not so hard to memorize.</p>
<p>But when it comes to particularly sensitive sites – like the ones where you do your banking – even good passwords aren't good enough. For that reason, more and more organizations are incorporating multi-factor authentication (MFA) into their security profiles.</p>
<p>A website or application configured with MFA requires you to present more than one kind of evidence that you are who you claim to be. </p>
<p>One could be based on something you know, and another could be evidence based on something you have. "Something you know" could be a password, while "something you have" could be a standalone MFA device or an app running on your smartphone. </p>
<p>It'll often work by having the application send a short-lived code by text message to a preset phone number. You'll then be expected to enter the code on the authentication login page.</p>
<h1 id="heading-what-are-federated-identities">What Are Federated Identities?</h1>
<p>Once you've got the basics of authentication out of the way, through strong passwords and/or MFA, there's the question of authorization. In other words, what resources your logged-in account will be able to access. </p>
<p>Individual systems will control users through some kind of access controls. Microsoft Windows, for example, uses Active Directory, Linux has object permissions, and cloud providers like Amazon Web Services can apply roles and policies.</p>
<p>But if you want your users to be able to move <em>between</em> services without having to log in to each service individually, or if you would just prefer not to have to manage authentication at all, you can implement a federated identity.</p>
<p>You've probably already experienced federation without even knowing it. Logging in to a third-party web service using your Google account is one form of federation. </p>
<p>The service integrates its authentication system with a federation provider using an identity technology like Security Assertion Markup Language (SAML) or OAuth. </p>
<p>When you accept the terms and log in, the provider will share just enough of your identity information with the third party service to enable an account.</p>
<h1 id="heading-digital-surveillance">Digital Surveillance</h1>
<p>Because it can both protect you from harm and also invade your privacy, surveillance is a two-edged sword. But <em>digital</em> surveillance is a two-edged sword that's a whole lot sharper. Let me explain why that is.</p>
<p>Closed-circuit video cameras have been in use within security systems since at least the 1930s, but they really did only one thing: record images that were usually stored locally and then, after a few days or so, overwritten with new recordings. </p>
<p>That was helpful but, to be useful, you would need to physically get to the tape and then laboriously search through, find, and view any images of interest.</p>
<p>Digital surveillance cameras are certainly cheaper than their analog equivalents, much easier to physically hide, and easy to access through networks. </p>
<p>But there's also a lot more you can do with digital video feeds. You can, for instance, configure email alerts whenever the camera detects motion. Or you can redirect a video stream to cloud services (like Amazon's Kinesis) where it can be integrated with your data analytics and machine learning operations or interpreted in near real-time by an object and face recognition service (like Amazon's Rekognition).</p>
<p>All of those tools can be used in the service of both positive and harmful goals. The fact is that there are now countless millions of such cameras deployed around the world that are, in many cases, connected to large-scale surveillance operations. At the very least you should be aware of the potential as well as the risk that such technologies present.</p>
<h1 id="heading-what-is-a-backdoor">What is a Backdoor?</h1>
<p>A <em>backdoor</em> is a hardware or software-based vulnerability that was intentionally built into a device or the operating system that runs it.</p>
<p>In some cases, the backdoor exists with the full knowledge of the customer, as it was intended to enable remote support or the automated installation of patches and updates. But that's not always the case.</p>
<p>Governments, government-associated companies, and criminal organizations have been caught shipping sensitive compute and networking devices with dangerous backdoors. Such vulnerabilities have been used to bypass encryption protection to monitor communications, steal research data, and harvest authentication information.</p>
<p>Backdoors can take the form of active malware that collects local data and sends it to remote attack servers, or they can passively permit remote logins through insecure network environments.</p>
<p>Protecting yourself from backdoors requires defence on multiple levels, including:</p>
<ul>
<li>Careful vetting of potential hardware vendors (taking into account their home countries and associations)</li>
<li>Regular monitoring of reliable technology information sources for news of new vulnerability discoveries</li>
<li>Careful monitoring of your devices' network activities</li>
<li>Regular patching of your networking and compute systems</li>
<li>Blind, stupid luck in large doses</li>
</ul>
<p>Thanks for reading! Hopefully you now have a better idea of why security and privacy are so important and how to protect your own.</p>
<p><em>YouTube videos of all ten chapters from this book <a target="_blank" href="https://www.youtube.com/playlist?list=PLSiZCpRYoTZ6UWl4xialvwLOKyHYYJUiC">are available here</a>. Lots more tech goodness - in the form of books, courses, and articles - <a target="_blank" href="https://bootstrap-it.com">can be had here</a>. And consider taking my <a target="_blank" href="https://www.udemy.com/user/david-clinton-12/">AWS, security, and container technology courses here</a>.</em></p>
 ]]>
                </content:encoded>
            </item>
        
            <item>
                <title>
                    <![CDATA[ How Does a VPN Work? Tutorial for Beginners ]]>
                </title>
                <description>
                    <![CDATA[ Do you worry about online security while using public Wi-Fi? Or has someone told you that you might get hacked when using an insecure connection and someone will steal all your details? Well, you might have also heard that you should use a VPN to pro... ]]>
                </description>
                <link>https://www.freecodecamp.org/news/how-does-a-vpn-work/</link>
                <guid isPermaLink="false">66ba2a44c346e93df556afea</guid>
                
                    <category>
                        <![CDATA[ encryption ]]>
                    </category>
                
                    <category>
                        <![CDATA[ information security ]]>
                    </category>
                
                    <category>
                        <![CDATA[ privacy ]]>
                    </category>
                
                    <category>
                        <![CDATA[ Security ]]>
                    </category>
                
                    <category>
                        <![CDATA[ vpn ]]>
                    </category>
                
                <dc:creator>
                    <![CDATA[ Tejan Singh ]]>
                </dc:creator>
                <pubDate>Tue, 24 Jan 2023 00:08:44 +0000</pubDate>
                <media:content url="https://www.freecodecamp.org/news/content/images/2023/01/privecstasy-CXlqHmQy3MY-unsplash.jpg" medium="image" />
                <content:encoded>
                    <![CDATA[ <p>Do you worry about online security while using public Wi-Fi? Or has someone told you that you might get hacked when using an insecure connection and someone will steal all your details?</p>
<p>Well, you might have also heard that you should use a VPN to protect your online privacy. But do you have any idea what it is and how it works?</p>
<p>Don’t worry – in this article, we will go through everything you need to know about what a VPN is, when to use one, and when to avoid using it. So, without any further delay, let’s get started.</p>
<h2 id="heading-what-is-a-vpn">What is a VPN?</h2>
<p>VPN stands for Virtual Private Network. It is a type of network you can connect to which will help you protect your online security and privacy.</p>
<p>A VPN acts as a tunnel through which all your data goes from your location to your destination. It's all properly encrypted and secure so that any outside party can’t see what data you are transferring.</p>
<p>There are many advantages to using VPNs, such as:</p>
<ul>
<li>Privacy</li>
<li>Anonymity</li>
<li>Security</li>
<li>Encryption</li>
<li>Masking or changing your original IP address, so others can’t track you</li>
</ul>
<p>We'll discuss these advantages and more further down in this article, but first you need to understand how a VPN works so you can use it properly.</p>
<h2 id="heading-how-does-a-vpn-work">How Does a VPN Work?</h2>
<p><img src="https://www.freecodecamp.org/news/content/images/2023/01/image-223.png" alt="Image" width="600" height="400" loading="lazy">
<em><a target="_blank" href="https://www.cactusvpn.com/beginners-guide-to-vpn/vpn-encryption/">Image source</a></em></p>
<p>A VPN works by routing (forwarding) all your data from your laptop or phone through the VPN to the internet, rather than directly through your ISP. </p>
<p>When you use a VPN, it encrypts all your data on the client side. Then after the data is encrypted, it's passed through a VPN tunnel which others can’t access, and then it reaches the internet.</p>
<p>But before going through the VPN tunnel, the request is first sent to your ISP. Because it's encrypted, your ISP can’t figure out what you are trying to access, so it forwards your request to your VPN server. The VPN server then sends the request on to your desired IP address or website.</p>
<h2 id="heading-advantages-of-using-a-vpn">Advantages of Using a VPN</h2>
<p>Now let's discuss some of the advantages in more detail.</p>
<h3 id="heading-unblock-websites-amp-bypass-filters">Unblock websites &amp; bypass filters</h3>
<p>There might be scenarios where you won’t be able to access certain websites which are blocked by your office or school or college department, but you still want or need to access them. </p>
<p>These websites may include social networking sites, movie downloading websites, or any kind of media streaming websites. </p>
<p>In these cases, a VPN will help you bypass all the blocking filters and let you access the websites that you wish to access without anyone’s help and others will have no idea what you're accessing.</p>
<h3 id="heading-bypass-regional-restrictions">Bypass regional restrictions</h3>
<p>People in certain countries cannot access any websites outside their country like YouTube or Google because their government doesn't want them to use any other websites. </p>
<p>If you're in one of these places and still want to access these blocked websites, then a VPN can help by bypassing all the regional restrictions. You'll be able to access all the restricted or blocked content without letting the government know about your activity.</p>
<h3 id="heading-access-geo-blocked-websites">Access geo-blocked websites</h3>
<p>There are several websites, special offers, and services which are available for specific countries or regions. But what if you also want to take advantage of that opportunity, but it’s not accessible in your region?</p>
<p>A VPN can help you by changing your IP address which will change your location on the internet. Then you will seem to be a user from that country and you can also have all the benefits that people in that particular region are enjoying.</p>
<h3 id="heading-change-your-ip-address">Change your IP address</h3>
<p>Your ISP is tracking your every move on the internet – which websites you are visiting, the amount of time you are spending there, and when you log in and log out from a website. </p>
<p>But sometimes you may need to hide your browsing history/activity from your local network/ISP. In that case, using a VPN can help you keep all your records encrypted, and your ISP will have no idea what you are doing with your internet. All your internet browsing activity will be masked by the VPN.</p>
<h3 id="heading-online-anonymity-and-privacy">Online anonymity and privacy</h3>
<p>Everything on the internet is tracking you. Websites and web servers that you use or visit know your IP address and location. They can use that to their advantage: every time you visit the same website, they will know that it’s you, and they will track your usage and your behavior. This isn't necessarily a good thing, since you are giving them a lot of information without knowing it. </p>
<p>A VPN can help keep your identity anonymous so you don't need to worry about identity leakage or any kind of tracking activity.</p>
<h3 id="heading-enhanced-security">Enhanced security</h3>
<p>As discussed above, using a VPN keeps your identity safe and your data encrypted while you browse the internet. As a result, it enhances security, and the chances that someone will hack you will be lower. </p>
<p>So, using a VPN will keep you safer when you are using public Wi-Fi or browsing websites which are not secure.</p>
<h2 id="heading-disadvantages-of-vpn">Disadvantages of VPN</h2>
<p>There are some downsides to using a VPN as well:</p>
<h3 id="heading-slows-your-connections">Slows your connections</h3>
<p>VPNs tend to slow your internet connection. As the VPN servers might be located far away from you (might be in some other geographic location or country), your data will need to travel farther across the internet and will slow your connection speed.</p>
<h3 id="heading-vpns-log-your-activities">VPNs log your activities</h3>
<p>VPNs keep logs of your activities. You heard right. Regardless of what policies they have, even if they say that they don’t keep any logs, they do. Governments have taken action against VPNs, and the VPN companies tend to deliver all the activity logs of a user in cases of international crime, terrorist activity, or hacking. </p>
<p>So – it goes without saying – make sure you don’t use VPNs for any illegal activities. Use it instead to protect yourself and your identity from malicious hackers.</p>
<h3 id="heading-specific-blockades-of-vpn-services">Specific blockades of VPN services</h3>
<p>There are many websites and streaming services like Netflix which will not allow any unusual VPN users to access their content. So, there might be many cases where your VPN will help, but there are many websites and servers which won't allow you to access them using a VPN.</p>
<h3 id="heading-cost">Cost</h3>
<p>Although there are many free VPN services which you can use, if you are planning to use a VPN on a regular basis then you might need to purchase a paid version. Free VPNs don’t provide good speed, and the amount of data usage is also limited on a daily basis. VPNs cost around $10 to $15 per month for the premium services.</p>
<h2 id="heading-how-a-vpn-can-help-you-protect-your-online-identity">How a VPN Can Help You Protect Your Online Identity</h2>
<p>When you use the internet, any request you send through a web browser to a server (for example, a Google search) travels together with your source IP address (your laptop or mobile) and the destination IP address (for example, Google's), and first reaches your ISP. </p>
<p>The ISP monitors all your activity and then forwards your request to the destination IP address and also gets back the information in the same way.</p>
<p>All your information travels through a middle station, your ISP. They have all your history of using the internet and how you are using the internet. But when you are using a VPN, that's not the case.</p>
<p>Whenever you send any request to any website or server, instead of connecting directly to the server, it first reaches the VPN server. There, all your requests and information are encrypted and then sent forward to your desired website.</p>
<p>Your ISP is still there to monitor things. But if you're using a VPN, the destination of your traffic becomes the VPN server, and the real destination IP address travels hidden inside the encrypted data. This way, your ISP can't read it and sees only requests going to the IP address of the VPN. So it forwards all your requests to the VPN.</p>
<p>When your request or information reaches your VPN, it will be decrypted, and it will forward your request to the website you wish to access. The website or server will get the VPN request and will assume that the request is coming from that VPN server. It will allow the VPN to access the website and you'll be able to visit the website without letting your ISP know.</p>
<p>Similarly, when you download a file, all the traffic or information flows from the web server to the VPN. The VPN encrypts all the information and then forwards it to your ISP – which will still have no idea what’s going on, as the information is encrypted.</p>
<p>Finally, the info gets forwarded to your laptop or mobile. When it reaches your device, it will be decrypted, and you will be able to view the website as it's available to others.</p>
<h2 id="heading-frequently-asked-vpn-questions">Frequently Asked VPN Questions</h2>
<h3 id="heading-is-vpn-traffic-encrypted">Is VPN traffic encrypted?</h3>
<p>YES! As explained above, all the traffic passed through VPN is encrypted through various encryption algorithms like the RSA (Rivest–Shamir–Adleman) algorithm, AES (Advanced Encryption Standard), and others.</p>
<h3 id="heading-what-is-an-always-on-vpn-what-is-a-kill-switch">What is an always-on VPN? What is a kill switch?</h3>
<p>I will try to explain this concept in approachable terms. An always-on VPN is a service that automatically connects you to a VPN whenever you are connected to the internet. These kinds of services are used by companies that don’t want outside users to access their data and only want their employees to access it from a remote location.</p>
<p>Whenever an employee or other user who has access to the resources tries to reach them, they need to enter valid credentials to connect automatically to the VPN. This also allows them to reach all their work and resources inside the company from an outside or remote location.</p>
<p>A VPN kill switch is another major feature offered by VPN service providers. Whenever there is a sudden or accidental loss of a VPN connection, in that case, your information might get exposed.</p>
<p>To deal with that, a VPN kill switch is used to terminate your internet connection when there is no VPN connection. This is a very useful feature for protecting your data from outside users.</p>
<p>So, when the kill switch is ON, your internet connection is cut off whenever the VPN connection drops. When the kill switch is OFF, your internet connection stays up even after the VPN connection is lost.</p>
<h3 id="heading-is-a-vpn-necessary">Is a VPN necessary?</h3>
<p>A VPN is not strictly necessary depending on your needs and activities, but it's useful. </p>
<p>Using VPN helps protect your online security, privacy, and anonymity. It will also protect you from malicious threats and trackers when you are using an unsecured website or using any unknown wi-fi connection which might be public.</p>
<h3 id="heading-is-a-vpn-100-safe">Is a VPN 100% safe?</h3>
<p>Nothing on the internet is 100% secure. There are and will always be ways to expose services like VPNs. But using a VPN will typically help you more than it'll harm you.</p>
<h3 id="heading-is-vpn-legal-in-india">Is VPN legal in India?</h3>
<p>Yes! VPNs are legal in India and can be used freely to access any content on the internet without any restrictions. Just remember that you should not use it for any illegal activity, as there are always ways to track you regardless of what VPN service you use.</p>
<h3 id="heading-do-vpns-log-or-store-my-data">Do VPNs log or store my data?</h3>
<p>VPNs log all your data and store all your information, and they may share it with government authorities. There have been many cases where VPNs claimed to have a no-logs policy but still kept logs of users and shared them with authorities.</p>
<h3 id="heading-what-is-the-main-difference-between-a-firewall-and-a-vpn">What is the main difference between a firewall and a VPN?</h3>
<table>
 <thead>
  <tr>
   <th>Firewall</th>
   <th>VPN</th>
  </tr>
 </thead>
 <tbody>
  <tr>
   <td>Software or hardware device</td>
   <td>Service or server</td>
  </tr>
  <tr>
   <td>Acts as a filter that allows or blocks websites, and allows or blocks users from accessing a particular website</td>
   <td>Encrypts the IP address and information of both source and destination, and allows users to access blocked or restricted websites and even private network information</td>
  </tr>
 </tbody>
</table>

<h2 id="heading-conclusion">Conclusion</h2>
<p>VPNs definitely have their advantages and disadvantages. Organizations use them to protect their private networks and information. You can also use one to access blocked content, and to protect your privacy, anonymity and security. Using a VPN for legal activities is beneficial and adds extra security.</p>
<p>When you are not sure about using or accessing any unknown (public/private) wi-fi or unsecured untrusted website, then you should always use a VPN (free/paid). Although paid VPNs have their advantages, occasionally using free VPNs won’t harm you and will still serve the purpose.</p>
<p>And just remember – don't ever try to use a VPN to perform any illegal activities.</p>
 ]]>
                </content:encoded>
            </item>
        
            <item>
                <title>
                    <![CDATA[ What Is Digital Privacy? A Beginner's Guide to Protecting Your Data ]]>
                </title>
                <description>
                    <![CDATA[ For all the many benefits we enjoy from technology – and particularly the technologies that make up the public internet – there are plenty of costs, too.  Figuring out how you want to balance the benefits against the costs can take some careful think... ]]>
                </description>
                <link>https://www.freecodecamp.org/news/beginners-guide-to-digital-privacy/</link>
                <guid isPermaLink="false">66b995bfa3099de4654e61ac</guid>
                
                    <category>
                        <![CDATA[ information security ]]>
                    </category>
                
                    <category>
                        <![CDATA[ privacy ]]>
                    </category>
                
                <dc:creator>
                    <![CDATA[ David Clinton ]]>
                </dc:creator>
                <pubDate>Tue, 10 Jan 2023 17:45:33 +0000</pubDate>
                <media:content url="https://www.freecodecamp.org/news/content/images/2023/01/pexels-kevin-paster-1901388.jpg" medium="image" />
                <content:encoded>
                    <![CDATA[ <p>For all the many benefits we enjoy from technology – and particularly the technologies that make up the public internet – there are plenty of costs, too. </p>
<p>Figuring out how you want to balance the benefits against the costs can take some careful thinking. Here's a concise and effective way to describe the equation (whose source I've sadly forgotten):</p>
<blockquote>
<p>"Select any two of privacy, security, and convenience. But you can't have all three."</p>
</blockquote>
<p>In other words, if security is a critical value for you, then you'll need to give up on 24/7 instant access to your money, credit, and personal accounts. That's because that kind of access requires exposing your accounts across public networks at a level that won't permit as much data protection as you might want. </p>
<p>Similarly, what if you just can't live without the convenience of getting news updates and social connectivity through sites belonging to third party businesses that collect and use your personal information? Well, you'll need to "pay for it" by giving up a measure of your privacy.</p>
<p>This tutorial was taken from my book, <a target="_blank" href="https://amzn.to/3FXXAfb">Keeping Up: Backgrounders to All the Big Technology Trends You Can't Afford to Ignore</a>. If you'd prefer to watch this chapter as a video, feel free to follow along here:</p>
<div class="embed-wrapper">
        <iframe width="560" height="315" src="https://www.youtube.com/embed/p7PmzNLzUws" style="aspect-ratio: 16 / 9; width: 100%; height: auto;" title="YouTube video player" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen="" loading="lazy"></iframe></div>
<p>Of course, most of us will choose some blend of those three elements based on a practical compromise between competing values and needs. But making a reasonable decision on that blend will require solid information. That's what you'll find through the rest of this article.</p>
<h1 id="heading-how-companies-get-your-data">How Companies Get Your Data</h1>
<p>Curious about what kinds of personal and even private data you may be exposing through the course of a normal day on the internet? </p>
<p>How about using "all kinds" as a starting point? Perhaps the best way to understand the scope and nature of the problem is to break it down by platform.</p>
<h2 id="heading-data-from-financial-transactions">Data from Financial Transactions</h2>
<p>Take a moment to visualize what's involved in a simple online credit card transaction. You probably signed into the merchant's website using your email address as an account identifier and a (hopefully) unique password. </p>
<p>After browsing a few pages, you'll add one or more items to the site's virtual shopping cart. When you've got everything you need, you'll begin the checkout process, entering shipping information, including a street address and your phone number. You might also enter the account number of the loyalty card the merchant sent you and a coupon code you received in an email marketing message.</p>
<p>Of course, the key step involves entering your payment information which, for a credit card, will probably include the card owner's name and address, and the card's number, expiry date, and a security code. </p>
<p>Assuming the merchant infrastructure is compliant with Payment Card Industry Data Security Standard (PCI-DSS) protocols for handling financial information, then it's relatively unlikely that this information will be stolen and sold by criminals. But either way, it will still exist within the merchant's own database.</p>
<p>To flesh all this out a bit, understand that using your loyalty card account and coupon code can communicate a lot of information about your shopping and lifestyle preferences, along with records of some of your previous activities. </p>
<p>Your site account comes with contact information and your home location. All of that information can, at least in theory, be stitched together to create a robust profile of you as a consumer and citizen.</p>
<p>It's for these reasons that I personally prefer using third-party e-commerce payment systems like PayPal, because such transactions leave no record of my specific payment method on the merchant's own databases.</p>
<h2 id="heading-data-from-devices">Data from Devices</h2>
<p>Modern operating systems are built from the ground up to connect to the internet in multiple ways. They'll often automatically query online software repositories for patches and updates and "ask" for remote help when something goes wrong. </p>
<p>Some performance diagnostics data is sent and stored online, where it can contribute to statistical analysis or bug diagnosis and fixes. Individual software packages might connect to remote servers independently of the OS to get their own things done.</p>
<p>All that's fine. Except that you might have a hard time being sure whether <em>all</em> the data coming and going between your device and the internet is stuff you're OK with sharing. </p>
<p>Can you know that private files and personal information aren't being swept in with all the other data? And are you confident that none of your data will ever accidentally find its way into some unexpected application lying beyond your control?</p>
<p>To illustrate the problem, I'd refer you to devices powered by digital assistants like Amazon's Alexa and the Google Assistant ("Ok Google"). Since, by definition, the microphones used by digital assistants are constantly listening for their key word ("Alexa..."), everything anyone says within range of the device is registered. </p>
<p>At least some of those conversations are also recorded and stored online and, as it turns out, some of <em>those</em> have eventually been heard by human beings working for the vendor. In at least one case, an inadvertently-recorded conversation was used to convict a murder suspect.</p>
<p>Amazon, Google, and other players in this space are aware of the issue and are trying to address it. But it's unlikely they'll ever fully solve it. Remember, convenience, security, and privacy don't work well together.</p>
<p>Now if you think the information from computers and tablets that can be tracked and recorded is creepy, wait till you hear about thermostats and light bulbs. </p>
<p>As more and more household appliances and tools are adopted as part of "smart home" systems, more and more streams of performance data will be generated alongside them. </p>
<p>And, as has already been demonstrated in multiple real-world applications, all that data can be programmatically interpreted to reveal significant information about what's going on in a home and who's doing it.</p>
<h2 id="heading-data-from-mobile-devices">Data from Mobile devices</h2>
<p>Have you ever stopped in the middle of a journey, pulled out your smartphone, and checked a digital map for directions? Of course you have. </p>
<p>Well, the map application is using your current location information and sending you valuable information but, at the same time, you're sending some equally valuable information back. What kind of information might that be?</p>
<p>I once read about a mischievous fellow in Germany who borrowed a few dozen smartphones, loaded them up on a kids' wagon, and slowly pulled the wagon down the middle of an empty city street. It wasn't long before Google Maps was reporting a serious traffic jam where there wasn't one.</p>
<p>How does the Google Maps app know more about your local traffic conditions than you do? One important class of data that feeds their system is obtained through constant monitoring of the location, velocity, and direction of movement of every active Android phone they can reach - including your Android phone. </p>
<p>I, for one, appreciate this service and I don't much mind the way my data is used. But I'm also aware that, one day, that data might be used in ways that sharply conflict with my interests. Call it a calculated risk.</p>
<p>Of course, it's not just GPS-based movement information that Google and Apple – the creators of the two most popular mobile operating systems – are getting. They, along with a few other industry players, are also handling the records of all of our search engine activity and the data returned by exercise and health monitoring applications.</p>
<p>In other words, should they decide to, many tech companies could effortlessly compile profiles describing our precise movements, plans, and health status. And from there, it's not a huge leap to imagine the owners of such data predicting what we're likely to do in the coming weeks and months.</p>
<h2 id="heading-data-from-web-browsers">Data from Web browsers</h2>
<p>Most of us use web browsers for most of our daily interactions with the internet. And, all things considered, web browsers are pretty miraculous creations, often acting as an impossibly powerful concierge, bringing us all the riches of humanity without even breaking into a sweat. But, as I'm sure you can already anticipate, all that power comes with a trade-off.</p>
<p>For just a taste of the information your browser freely shares about you, take a look at the Google Analytics page shown in the image below. This dashboard displays a visual summary describing all the visits to my own bootstrap-it.com site over the previous seven days. I can see:</p>
<ul>
<li>Where in the world my visitors are from</li>
<li>When during the day they tend to visit</li>
<li>How long they spent on my site</li>
<li>Which pages they visit</li>
<li>Which site they came from before arriving at my site</li>
<li>How many visitors make repeat visits</li>
<li>What operating systems they're running</li>
<li>What device form factor they're using (that is, desktop, smartphone, or tablet)</li>
<li>The demographic cohorts they belong to (genders, age groups, income groups)</li>
</ul>
<p><img src="https://www.freecodecamp.org/news/content/images/2022/12/figure2-2.png" alt="Image" width="600" height="400" loading="lazy">
<em>The home dashboard of a Google Analytics page displaying visualizations of visitors to a website.</em></p>
<p>Besides all that, a web server's own logs can report detailed information, in particular the specific IP address and precise time associated with each visitor. </p>
<p>This means that, whenever your browser connects to my website (or any other website), it's giving my web server an awful lot of information. Google just collects it and presents it to me in a fancy, easy-to-digest format.</p>
<p>By the way, I'm fully aware that, by having Google collect all this information about my website's users, that I'm part of the problem. And, for the record, I do feel a bit guilty about it.</p>
<p>In addition, web servers are able to "watch" what you're doing in real time and "remember" what you did on your last visit.</p>
<p>To explain, have you ever noticed how on some sites, right before you click to leave the page a "Wait! Before you go!" message pops up? Servers can track your mouse movements and, when they get "too close" to closing the tab or moving to a different tab, they'll display that popup. </p>
<p>Similarly, many sites save small packets of data on your computer called "cookies." Such a cookie could contain session information that might include the previous contents of a shopping cart or even your authentication status. The goal is to provide a convenient and consistent experience across multiple visits. But such tools can be misused.</p>
<p>Finally, like operating systems, browsers will also silently communicate with the vendor that provides them. Getting usage feedback can help providers stay up to date on security and performance problems. But independent tests have shown that, in many cases, far more data is heading back "home" than would seem appropriate.</p>
<h2 id="heading-data-from-website-interactions">Data from Website Interactions</h2>
<p>Although some of this might be covered by previous sections in this article, I should highlight at least a couple of particularly relevant issues. </p>
<p>Like, for instance, the fact that websites love getting you to sign up for extra value services. The newsletters and product updates that they'll send you might be perfectly legitimate and, indeed, provide great value – but they're still coming in exchange for some of your private contact information. As long as you're aware of that, I've done my job.</p>
<p>A perfect example is the data you contribute to social media platforms like Twitter, Facebook, and LinkedIn. You may think you're just communicating with your connections and followers, but it actually goes much further than that.</p>
<p>Take a marvelous – and scary – piece of software called Recon-ng that's used by network security professionals to test for an organization's digital vulnerability. Once you've configured it with some basics about your organization, Recon-ng will head out to the internet and search for any publicly available information that could be used to penetrate your defences or cause you harm.</p>
<p>For instance, are you sure outsiders can't possibly know enough about the software environment your developers work with to do you any damage? Well perhaps you should take a look at the "qualifications" section from some of those job ads you posted on LinkedIn. </p>
<p>Or how about questions (or answers) your developers might have posted to Stack Overflow? Every post tells a story, and there's no shortage of clever people out there who love reading stories.</p>
<p>Software like Recon-ng can help you identify potential threats, but that only underlines your responsibility to avoid leaving your data out there in public in the first place.</p>
<p>The bottom line? Smile. You're being watched.</p>
<h1 id="heading-why-companies-want-your-data">Why Companies Want Your Data</h1>
<p>Data is money. Some of the biggest and most successful tech companies of the past decade or two made their billions from data. Generally, that'd be from your data.</p>
<p>Of course, the value doesn't all move in one direction. Big tech companies do, as a rule, provide useful services. </p>
<p>Health tracking apps do track and report on your health. Social media companies do (on rare occasion) provide for healthy social interactions. And historical performance data does sometimes help improve customer and technical service.</p>
<p>But businesses exist to generate revenue and, as a rule, the more data they own, the more revenue that data can generate. The more potential customers there are who provide their email and social media account coordinates, the easier it'll be to connect to them with new offers. And the easier it would be for other companies working in overlapping industries to connect to a business's customers as well. </p>
<p>The incentive for you to sell your contact list to an interested third party is clear.</p>
<p>Naturally, legal restrictions and user agreements can sometimes stop such sales of data sets. But not every use-case is necessarily covered by such laws, and not every company is necessarily bound by a strong desire to follow the law.</p>
<p>A delicious case in point would be Canada's Do Not Call list from all the way back in 2004. The law prevented telemarketers from contacting anyone who had added themselves to the national list, and it required all telemarketers to remove every number on that list from their own call lists.</p>
<p>The problem was that spammers happily downloaded the Do Not Call lists and, confident that they represented confirmed active accounts, called those specifically. The only law that was effective in this case was the <em>law of unintended consequences</em>.</p>
<p>Your data can also be useful for personalizing the results you get from search engine queries. Of course, you might sometimes enjoy seeing results relating to previous browsing behavior, but don't lose sight of the fact that your behavior is being used as part of a campaign to sell you stuff.</p>
<p>It's not only search engines: smartphone browsing histories are sometimes used by nearby businesses to push customized ads in your direction – sometimes even through automated digital displays on physical billboards and other signage.</p>
<p>Perhaps the biggest value your data can offer is when it's aggregated along with data generated by thousands or millions of other users. </p>
<p>Data scientists can stream and parse huge, dynamic data sets to extract significant insights about subtle but significant trends. In many cases, such data is sanitized to remove any personally identifiable information (PII).</p>
<p>We can nicely sum up the 21st Century web application business model with this popular – and accurate – expression:</p>
<blockquote>
<p>"If you're not paying for the product, you are the product."</p>
</blockquote>
<h1 id="heading-how-to-protect-your-data">How to Protect Your Data</h1>
<p>All that sounds pretty bleak. After all, George Orwell's 1984 was meant to be a warning, not a how-to guide. What can you do to push back?</p>
<h3 id="heading-be-aware-of-your-environment">Be aware of your environment.</h3>
<p>Do you still even notice those terms of service disclosures you "click to sign" before they'll let you use some service or tool? Some of those disclosures are as long as this article – and, if I may say so myself, a whole lot less fun. </p>
<p>But the fact is that they contain information that can have a profound impact on both you and your data.</p>
<p>Many agreements describe what data they're likely to collect and what they're planning to do with it. They'll often also offer assurances that they'll never sell your data to third parties – an assurance that they might sometimes even honor in both the letter and the spirit of the law (although there have been famous cases of companies that did neither).</p>
<p>I've never met anyone who has the time and energy to read through those endless disclosures from end to end. But if an organization pays a bunch of lawyers to write something, you can bet it's a serious business.</p>
<h3 id="heading-be-aware-of-your-rights">Be aware of your rights.</h3>
<p>Beyond your specific agreement with a technology service provider, the use of your data might be regulated by government legislation. </p>
<p>One example is the European Union's General Data Protection Regulation (GDPR), which controls how organizations must treat any personal data they encounter in the course of their operations. </p>
<p>Another example is the US government's Health Insurance Portability and Accountability Act (HIPAA), which regulates the handling of private information in the health insurance and healthcare industries.</p>
<h3 id="heading-be-aware-of-your-alternatives">Be aware of your alternatives.</h3>
<p>Consider adopting privacy-first tools instead of the more heavily commercial services you're using now. For instance, the DuckDuckGo.com search engine, whose home page is shown below, doesn't track your search behavior and will return the same results to a particular query for you as for anyone else. </p>
<p>They are a for-profit business, but they earn much of their income through affiliate links that pay them a commission for sales generated through search links – none of which has any impact on your privacy.</p>
<p><img src="https://www.freecodecamp.org/news/content/images/2022/12/duckduck.png" alt="Image" width="600" height="400" loading="lazy">
<em>The DuckDuckGo browser homepage</em></p>
<p>The Brave browser, as another example, has been shown to send far less undocumented data out to the internet than any other major browser. </p>
<p>To be specific, in early 2020, Douglas Leith of the School of Computer Science &amp; Statistics, Trinity College Dublin, tested six browsers for their risks of revealing unique identifying information about their host computers (scss.tcd.ie/Doug.Leith/pubs/browser_privacy.pdf). He found that Brave clearly offered the greatest privacy protection.</p>
<p>Brave also blocks web page ads by default, which raises a question. Since many web pages earn income exclusively through display ads, does Brave expect content providers to offer their services for free? </p>
<p>The browser provider actually has a business model that includes the content providers: users of the Brave browser can opt to be shown simple and extremely unobtrusive ads from carefully curated advertisers in exchange for micropayments in a cryptocurrency. The users can then choose to make micropayments to website content providers using those funds as a way to pay for their content through the Brave Rewards program (pictured below).</p>
<p><img src="https://www.freecodecamp.org/news/content/images/2022/12/figure2-4.png" alt="Image" width="600" height="400" loading="lazy">
<em>Screenshot of the Brave rewards program</em></p>
<p>Opting for open source applications can also be an effective privacy strategy. OpenStreetMap (openstreetmap.org) is an alternative to Google Maps. It might not have all the bells and whistles and built-in connectivity you may be used to, but it's just that connectivity that powers our reservations, isn't it?</p>
<p>If you're not comfortable with the big mobile operating system players (Android and iOS), you could, instead, buy a phone and install one of a number of experimental mobile Linux variations. </p>
<p>Going down this road will likely be bumpy. Expect to run into unexpected configuration and compatibility challenges, and don't expect to find all the convenient apps that you've come to know and love using the big app stores.</p>
<p>See a hole that needs filling? Why not contribute your own innovation by participating in existing open source projects or adding your own solutions to the community?</p>
<h2 id="heading-thanks-for-reading">Thanks for Reading!</h2>
<p>I hope this article has given you the tools to take good care of your digital privacy.</p>
<p><em>YouTube videos of all ten chapters from this book <a target="_blank" href="https://www.youtube.com/playlist?list=PLSiZCpRYoTZ6UWl4xialvwLOKyHYYJUiC">are available here</a>. Lots more tech goodness - in the form of books, courses, and articles - <a target="_blank" href="https://bootstrap-it.com">can be had here</a>. And consider taking my <a target="_blank" href="https://www.udemy.com/user/david-clinton-12/">AWS, security, and container technology courses here</a>.</em></p>
 ]]>
                </content:encoded>
            </item>
        
            <item>
                <title>
                    <![CDATA[ What is Synthetic Identity Theft and How to Protect Yourself ]]>
                </title>
                <description>
                    <![CDATA[ By Dmitry Dragilev In today’s digital age, cybercriminals have no shortage of methods to steal people's identities and sensitive data. One such method is synthetic identity theft, which is becoming one of the most dangerous and common forms.  In fact... ]]>
                </description>
                <link>https://www.freecodecamp.org/news/synthetic-identity-theft/</link>
                <guid isPermaLink="false">66d45e3e230dff01669057ed</guid>
                
                    <category>
                        <![CDATA[ cybersecurity ]]>
                    </category>
                
                    <category>
                        <![CDATA[ information security ]]>
                    </category>
                
                    <category>
                        <![CDATA[ privacy ]]>
                    </category>
                
                    <category>
                        <![CDATA[ Security ]]>
                    </category>
                
                <dc:creator>
                    <![CDATA[ freeCodeCamp ]]>
                </dc:creator>
                <pubDate>Mon, 09 Jan 2023 18:42:56 +0000</pubDate>
                <media:content url="https://www.freecodecamp.org/news/content/images/2022/12/computer-hacker-mask-hoodie-over-abstract-binary-background-obscured-dark-face-data-thief-internet-fraud-computer-hacker-168781090.jpg" medium="image" />
                <content:encoded>
                    <![CDATA[ <p>By Dmitry Dragilev</p>
<p>In today’s digital age, cybercriminals have no shortage of methods to steal people's identities and sensitive data. One such method is synthetic identity theft, which is becoming one of the most dangerous and common forms. </p>
<p>In fact, according to <a target="_blank" href="https://www.bostonfed.org/news-and-events/news/2022/08/synthetic-identity-fraud-is-not-a-victimless-crime-costs-billions-damages-lives.aspx">figures published by the Federal Reserve Bank of Boston</a> in August of 2022, the losses from synthetic identity theft in the U.S. were estimated to be around $20 billion in 2020, rising from $5 billion five years ago.</p>
<p>But what is synthetic identity theft? And how can you protect yourself from it? Keep on reading till the end to find out.</p>
<p>Here is a quick visual spoiler of how synthetic identity theft works: </p>
<p><img src="https://www.freecodecamp.org/news/content/images/2022/12/synthetic-identity-theft-.jpg" alt="Image" width="600" height="400" loading="lazy">
<em>Image Source: <a target="_blank" href="https://venturebeat.com/security/report-synthetic-fraud-losses-expected-to-double-to-nearly-5b-by-2024/">Socure on VentureBeat</a></em></p>
<p>In this post, we’ll discuss everything a coder/software engineer/developer needs to know about this form of identity theft, such as:</p>
<ul>
<li><a target="_blank" href="https://www.freecodecamp.org/news/synthetic-identity-theft/#what-is-synthetic-id-theft">What is synthetic ID theft?</a></li>
<li><a target="_blank" href="https://www.freecodecamp.org/news/synthetic-identity-theft/#how-does-synthetic-identity-theft-work">How does synthetic identity theft work?</a></li>
<li><a target="_blank" href="https://www.freecodecamp.org/news/synthetic-identity-theft/#two-examples-of-synthetic-id-theft-in-the-news">Real life examples of synthetic identity theft cases</a></li>
<li><a target="_blank" href="https://www.freecodecamp.org/news/synthetic-identity-theft/#who-does-synthetic-id-theft-target-typically">Who does it usually target?</a></li>
<li><a class="post-section-overview" href="#heading-how-do-i-recognize-and-prevent-synthetic-identity-theft">How a developer can recognize and prevent synthetic identity theft</a>  </li>
<li><a target="_blank" href="https://www.freecodecamp.org/news/synthetic-identity-theft/#how-can-a-developer-or-coder-protect-themselves-against-synthetic-id-theft">Technologies you should use to combat synthetic identity theft</a></li>
<li><a target="_blank" href="https://www.freecodecamp.org/news/synthetic-identity-theft/#how-can-a-company-protect-employees-ids-against-synthetic-id-theft">Warning signs of ID theft &amp; how to stop yourself from becoming a victim</a></li>
</ul>
<p>Feel free to click the sections above to jump to any one of them or just scroll to read through each one in order. </p>
<p>Ready? Let's roll...</p>
<h2 id="heading-what-is-synthetic-id-theft">What is Synthetic ID Theft?</h2>
<p>Synthetic identity theft is a type of fraud in which a hacker creates an artificial identity by combining real and fake information. </p>
<p>This includes stealing legitimate identifying documents such as Social Security numbers (SSNs) and then using them to apply for credit cards, loans, or other services that need personal identification.</p>
<p>The thief can then use this new “synthetic” account to buy goods or services. It is called "synthetic" because the identity created is not entirely real or false, but rather a combination of both. </p>
<p>Unlike other forms of fraud, such as credit card fraud and traditional identity theft that involve taking over and using pre-existing accounts, synthetic fraudsters use stolen data to open entirely new accounts.</p>
<p>And what makes it so dangerous is that it’s challenging to detect and prevent, as it often involves many compromised accounts and false identities.</p>
<h2 id="heading-how-does-synthetic-identity-theft-work">How Does Synthetic Identity Theft Work?</h2>
<p>Most cases of synthetic identity theft start with the criminal stealing a real SSN. This can be done in various ways, such as buying stolen SSNs from the dark web or using publicly available information.</p>
<p>Once they have an SSN, criminals will create fabricated details to go along with it, such as names, addresses, and dates of birth. They can also use stolen personal details from other victims of fraud to create “Frankenstein” identities.</p>
<p>The thief can then use this information to apply for credit cards or loans, and buy assets while ultimately leaving the bills unpaid. </p>
<p>Not only does this damage the victim’s credit score, but it also allows the criminal to remain hidden as the accounts are made using another victim’s SSN. </p>
<p>This also makes it difficult for victims to prove that they are innocent and that their stolen data was used to commit fraud and default on payments.</p>
<h2 id="heading-two-examples-of-synthetic-id-theft-in-the-news">Two Examples of Synthetic ID Theft in the News</h2>
<p>There have been many cases in the news recently that have highlighted the growing prevalence of synthetic identity theft. Below are just two notable examples:</p>
<ul>
<li>In 2020, a 43-year-old male named Adam Arena, and 12 other alleged accomplices, were charged in New York on suspicion of attempting to defraud banks of more than <a target="_blank" href="https://www.pewtrusts.org/en/research-and-analysis/blogs/stateline/2022/04/07/thieves-hit-on-a-new-scam-synthetic-identity-fraud">$1 million</a> using synthetic identities they created by merging legitimate SSNs with fake or mismatched names to construct new identities. </li>
<li>In 2013, one of the biggest international credit card fraud schemes took place in the U.S., involving more than 7,000 synthetic identities. The crime ring consisting of 18 individuals was estimated to have stolen north of <a target="_blank" href="https://archives.fbi.gov/archives/newark/press-releases/2013/eighteen-people-charged-in-international-200-million-credit-card-fraud-scam">$200 million</a> before being caught.</li>
</ul>
<h2 id="heading-who-does-synthetic-id-theft-target-typically">Who Does 'Synthetic' ID Theft Target Typically?</h2>
<p>Cybercriminals typically target those who have a lower risk of being detected. Often, these are people who aren’t keeping track of their credit reports or using <a target="_blank" href="https://www.aura.com/learn/best-identity-theft-protection">identity theft protection</a> services.</p>
<p>Some of the most commonly affected targets of synthetic identity theft include:</p>
<ul>
<li>Children</li>
<li>Seniors</li>
<li>New immigrants</li>
<li>Inmates</li>
<li>College students</li>
<li>Military personnel deployed abroad</li>
</ul>
<h2 id="heading-how-common-is-the-synthetic-type-of-id-theft">How Common is the 'Synthetic' Type of ID Theft?</h2>
<p><img src="https://lh5.googleusercontent.com/q3cKQT4vc8MVD1A2-xafcOjbYyyG_ohIi_hgR37IEs6aXvnz_xQ0ghUI_uaMdkBRCgmvnp-xX50IhY1IDAuyo-cIaAgdqA5jvbUyOpedOLL9PqfePoQtsvLudOyTst9GgsrMzt_JcAe3XD6JcVmkVi_fTDLh3ilUPfuE1VLYmkgEJ1MR8BB7VwZ7VSIzCA" alt="Image" width="1024" height="678" loading="lazy">
<em>Source: <a target="_blank" href="https://identitytheft.org/statistics/">IdentityTheft.org</a></em></p>
<p>Synthetic identity theft is evolving and becoming more common, with the <a target="_blank" href="https://www.ftc.gov/sites/default/files/documents/public_comments/credit-report-freezes-534030-00033/534030-00033.pdf">FTC</a> noting that it’s one of the fastest-growing forms of fraud.</p>
<p>In fact, "true-name" identity theft, in which hackers pretend to be you, now makes up only roughly 10-15% of all ID theft cases.</p>
<p>The harsh reality is that in 2021 alone, this form of fraud cost Americans about <a target="_blank" href="https://identitytheft.org/statistics/">$5.8 billion</a>, and this trend is only expected to continue.</p>
<h2 id="heading-why-is-this-type-of-id-theft-becoming-more-common">Why is this Type of ID Theft Becoming More Common?</h2>
<p>Synthetic identity theft has become more common for a few key reasons.</p>
<ul>
<li>This type of fraud can be challenging to detect because it’s often spread out over many accounts and victims, which makes it hard to trace back to one person or group. That, in turn, makes it easier for criminals to remain unknown and keep operating for longer.</li>
<li>Criminals are becoming increasingly aware of the power and amount of data available. Due to data breaches, cybercriminals can easily steal or buy leaked data like your SSN from the dark web for as little as <a target="_blank" href="https://www.privacyaffairs.com/dark-web-price-index-2021/">$2</a>. This allows them to create compelling identities without much effort.</li>
<li>Finally, new technology has also made it easier for criminals to commit this type of fraud in bulk. They can now use bots to apply for different accounts at once or generate fake data, making the process faster and more efficient.</li>
</ul>
<h2 id="heading-how-do-i-recognize-and-prevent-synthetic-identity-theft">How Do I Recognize and Prevent Synthetic Identity Theft?</h2>
<p>The best way to spot and protect yourself from this type of fraud is to be vigilant and watch your personal information online. If you do find something you do not want to be public, there are <a target="_blank" href="https://www.aura.com/learn/how-to-remove-your-personal-information-from-the-internet">several ways to remove personal information</a>.</p>
<p>Remember to always:</p>
<ul>
<li><strong>Avoid using SSNs if possible</strong>. Some websites and services may ask for your SSN as part of the registration process. Never provide this information unless you trust the website or it's necessary, as it can be used to generate a synthetic identity. </li>
<li><strong>Check your credit report regularly</strong>. Look for any suspicious activity, such as unauthorized accounts or suspicious inquiries. Also, make sure you review all bank records, especially if there are any surprise transactions or new loans that don’t match your spending habits. Use a <a target="_blank" href="https://www.aura.com/learn/credit-monitoring-service">credit monitoring service</a> to help you monitor your credit proactively. </li>
<li><strong>Freeze your credit to help avoid identity theft.</strong> Freezing your credit can help to prevent new accounts from being opened in your name, making it more difficult for criminals to commit fraud. So, if you think your information has been stolen, it’s always a good idea to freeze your credit with the major bureaus.</li>
<li><strong>Use identity theft protection software.</strong> Identity theft monitoring services like <a target="_blank" href="https://smallbiz.tools/lifelock-vs-experian/">Experian or Lifelock</a>  can help track your credit report, alert you of suspicious activity, and help to restore your credit if it’s been compromised. </li>
<li><strong>Check the mail for any suspicious enrollment letters or payment letters.</strong> If you receive any enrollment letters or payment notifications that don’t seem to make sense, it may be a warning sign of synthetic identity theft. So be sure to check these regularly and contact the sender if necessary.</li>
</ul>
<h2 id="heading-how-can-a-developer-protect-themselves-against-synthetic-id-theft">How Can a Developer Protect Themselves against Synthetic ID Theft?</h2>
<p>Developers should also take steps to protect themselves and their companies from synthetic identity theft. Some of the measures they can take include:</p>
<ul>
<li><strong>Hashing important data.</strong> <a target="_blank" href="https://www.freecodecamp.org/news/what-is-hashing/">Hashing</a> is an approach used to mask sensitive information by changing it into an unintelligible string of characters. This makes the data harder for criminals to access or use for synthetic identity theft. A popular algorithm for data hashing is MD5, which always produces hashes that are 32 characters long. You can try hashing different texts with MD5 <a target="_blank" href="https://www.md5hashgenerator.com/">here</a>.</li>
<li><strong>Requiring user authentication on each URL page.</strong> A common mistake by website developers is not requiring user authentication on each website page. This may allow copied URLs with personal data, like confirmation pages, to be opened in another session without logging in. This is why requiring authentication on each page of your website or app can help you protect against automated attacks by bots and malicious actors. Using an identity and user management API service such as <a target="_blank" href="https://developer.okta.com/blog/2018/06/08/add-authentication-to-any-web-page-in-10-minutes">Okta Developer</a> makes adding authentication to web pages a much easier process.</li>
<li><strong>Avoid placing secret backdoors.</strong> Backdoors are small pieces of code that can be used to gain access to a system and its data. While backdoors may seem like an easy way for developers to troubleshoot and test the application, it’s important not to leave them in place, as criminals can exploit them for synthetic identity theft.</li>
</ul>
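<p>As an added illustration (not code from the original article), the following Python shows what the MD5 masking described above looks like in practice and, as a hardening step the article does not itself prescribe, how a keyed HMAC-SHA256 mask differs: plain MD5 can be recomputed by anyone, so equal identifiers stay linkable and a leaked table can be checked against guesses, whereas the keyed mask cannot be recomputed without the secret key. The sample record, the SSN value and the function names are constructed for the example.</p>

```python
import hashlib
import hmac
import secrets

# Constructed sample record for the demonstration; the SSN is not a real one.
SAMPLE_RECORD = {"employee_id": "E-000123", "name": "Jane Example", "ssn": "123-45-6789"}


def md5_mask(value: str) -> str:
    """Plain MD5 of the input, as the article describes.

    MD5 produces a 128-bit digest, which hexadecimal encoding renders as
    exactly 32 characters regardless of the input's length.
    """
    return hashlib.md5(value.encode("utf-8")).hexdigest()


def keyed_mask(value: str, key: bytes) -> str:
    """HMAC-SHA256 of the input under a secret key.

    Added hardening beyond the article's plain MD5: without the key nobody can
    recompute the digest for a candidate value, so a leaked table of masked
    identifiers cannot be matched against guesses. Plain MD5 offers no such
    protection because anyone can compute it.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def mask_record(record: dict, key: bytes) -> dict:
    """Return a copy of the record with the raw SSN replaced by its keyed mask.

    The raw value is dropped from what gets stored; only the mask is kept.
    """
    masked = dict(record)
    masked["ssn_mask"] = keyed_mask(masked.pop("ssn"), key)
    return masked


def matches_stored(candidate: str, key: bytes, stored_mask: str) -> bool:
    """Check a presented SSN against the stored mask in constant time.

    hmac.compare_digest avoids the timing side channel of a plain == on digests.
    """
    return hmac.compare_digest(keyed_mask(candidate, key), stored_mask)


if __name__ == "__main__":
    # The key must live outside the database that holds the masks (for example
    # in a secrets manager); here it is generated in memory for the demo.
    key = secrets.token_bytes(32)
    stored = mask_record(SAMPLE_RECORD, key)
    print("MD5 mask (32 hex chars):", md5_mask(SAMPLE_RECORD["ssn"]))
    print("stored record:", stored)
    print("correct SSN matches:", matches_stored("123-45-6789", key, stored["ssn_mask"]))
    print("wrong SSN matches:", matches_stored("123-45-6780", key, stored["ssn_mask"]))
```

<p>The design point is separation: the database holds only masks, the key is held elsewhere, and a stolen copy of the table is useless to anyone who lacks the key. With plain MD5 there is no such separation, because the function is public and the input space of an SSN is small.</p>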
<h2 id="heading-how-can-a-company-protect-employees-ids-against-synthetic-id-theft">How Can a Company Protect Employees' IDs against Synthetic ID Theft?</h2>
<p>DevOps and Security departments at companies need to take a proactive approach to protect their employees' and customers’ identities from hackers. Some of the actions they can take include:</p>
<p><strong>Implementing data security policies.</strong> Organizations should develop and enforce a comprehensive set of <a target="_blank" href="https://portable.io/learn/expanding-on-datavants-guide-to-startup-compliance">data security policies</a> that fall into two categories – people and technology.</p>
<p><strong>People elements include:</strong></p>
<ul>
<li>Establishing an acceptable use policy, which outlines how your company expects users to interact with company resources.</li>
<li>Enforcing a password policy using a password manager tool such as <a target="_blank" href="https://smallbiz.tools/identityforce-vs-lifelock/#vpn">IdentityForce or Lifelock</a>, which generate and encrypt complex passwords.</li>
<li>Defining how employees are to use email services while at work.</li>
<li>Educating and reminding employees <a target="_blank" href="https://nickpatrocky.com/ultravpn-review/">to use a VPN</a> whenever they connect to a public WiFi network at an airport, cafe, restaurant or other public location.</li>
</ul>
<p><strong>Technology elements include:</strong></p>
<ul>
<li>Backing up and restoring server configurations using <a target="_blank" href="https://www.nakivo.com/vmware-backup/">various cloud services</a>.</li>
<li>Segregating corporate mobile devices onto networks with limited access to company intranets.</li>
<li>Encrypting data, so it is unreadable to any third party who gains access to it. Using a procedure such as the <a target="_blank" href="https://www.sealpath.com/zero-trust-security-model-implement-strategy/">Zero-Trust security protocol</a> can help identify data that should be protected.</li>
</ul>
<ul>
<li><strong>Running background and criminal checks on potential new employees.</strong> Background checks provide a way to confirm the details provided by applicants and look for any discrepancies. They’re a great way to ensure that new hires have not been involved in any type of identity theft or fraud.</li>
<li><strong>Restricting access to vital information to only those employees with a business need-to-know.</strong> Companies should ensure that vital data is only accessed by those who need it for business uses. This helps to protect business data from being accessed by malicious actors and used for fraudulent purposes.</li>
<li><strong>Closely managing temporary workers’ activities.</strong> Temporary workers – such as interns or contractors – should also be closely managed to prevent them from accessing or sharing sensitive information without authorization after they part ways with your firm.</li>
<li><strong>Avoid using SSNs to identify employees in the computer systems.</strong> Instead of using SSNs to identify employees in databases, firms should create and use random employee numbers. This makes it more difficult for criminals to access their personal data and use it for synthetic identity fraud.</li>
<li><strong>Train staff with access to personal information about keeping that information secure.</strong> All staff with access to personal data should be trained on how to handle and secure it properly. This includes explaining the importance of keeping confidential information protected, taking steps such as encrypting documents and not sharing passwords or personal data with anyone, and teaching them how to recognize phishing attempts or data breaches.</li>
<li><strong>Keep personal information in locked file cabinets or password-protected systems.</strong> It’s important to store vital information in a secure place, such as locked file cabinets or <a target="_blank" href="https://www.cloudwards.net/how-to-securely-store-passwords-in-the-cloud/">password-protected databases</a>. This helps to reduce the risk of an unauthorized person accessing or leaking it.</li>
</ul>
<h2 id="heading-final-words">Final Words</h2>
<p>Synthetic identity theft is on the rise, but with vigilance and the right measures, you can protect yourself from this type of fraud.</p>
<p>To protect yourself against synthetic identity theft as a consumer, it's important to:</p>
<ul>
<li>Regularly track and check your credit report.</li>
<li>Be aware of the type of information you're sharing online, and never input personal information like your SSN into shady websites.</li>
<li>Use identity theft protection software and services.</li>
<li>Regularly check your inbox for suspicious enrollment or payment emails.</li>
<li>Freeze your credit if you feel like your personal data has been stolen.</li>
</ul>
<p>At an organizational level, companies should take a proactive approach to stop synthetic identity fraud by:</p>
<ul>
<li>Implementing data security policies.</li>
<li>Running background checks on potential new employees.</li>
<li>Restricting access to vital information to only need-to-know employees.</li>
<li>Avoiding the use of SSNs to ID employees in computer databases.</li>
<li>Training staff about how to protect personal information.</li>
<li>Storing sensitive data in secure locations like locked cabinets and passcode-protected databases.</li>
</ul>
<p>With these tips in mind, you can help ensure that your information remains safe and secure.</p>
<p>Remember, prevention is always better than cure. So make sure to take the right steps beforehand to help reduce the risk of you becoming a victim of synthetic identity theft down the line.   </p>
 ]]>
                </content:encoded>
            </item>
        
            <item>
                <title>
                    <![CDATA[ A Beginner's Guide to Digital Security – How to Keep Yourself Safe Online ]]>
                </title>
                <description>
                    <![CDATA[ Whatever your connection to technology, security should play a prominent role in the way you think and act.  Technology, after all, amplifies the impact of everything we do with it. The things we say and write using communication technologies can be ... ]]>
                </description>
                <link>https://www.freecodecamp.org/news/understanding-digital-security/</link>
                <guid isPermaLink="false">66b99655c39234149cf01109</guid>
                
                    <category>
                        <![CDATA[ cybersecurity ]]>
                    </category>
                
                    <category>
                        <![CDATA[ information security ]]>
                    </category>
                
                    <category>
                        <![CDATA[ privacy ]]>
                    </category>
                
                    <category>
                        <![CDATA[ Security ]]>
                    </category>
                
                <dc:creator>
                    <![CDATA[ David Clinton ]]>
                </dc:creator>
                <pubDate>Fri, 06 Jan 2023 18:09:40 +0000</pubDate>
                <media:content url="https://www.freecodecamp.org/news/content/images/2023/01/pexels-pixabay-207580--2-.jpg" medium="image" />
                <content:encoded>
                    <![CDATA[ <p>Whatever your connection to technology, security should play a prominent role in the way you think and act. </p>
<p>Technology, after all, amplifies the impact of everything we do with it. The things we say and write using communication technologies can be read and heard by many, many more people than would be possible without. </p>
<p>The ability to conveniently connect with people and collaborate on projects of all kinds is much greater. </p>
<p>The tasks we can perform are, through the magic of automation, almost limitless. The scope of information we can instantly access through the simplest and least expensive devices towers far beyond anything the greatest scholars could have hoped to see in a lifetime just a few decades ago.</p>
<p>All that means that criminals and other individuals unconstrained by moral conscience will have yet more powerful tools to compromise the data you create and consume, and steal or damage the property you acquire. </p>
<p>So you've got a strong interest in learning how to protect yourself, your property, and that of the people and organizations around you.</p>
<p>This tutorial (taken from my book, <a target="_blank" href="https://amzn.to/3FXXAfb">Keeping Up: Backgrounders to All the Big Technology Trends You Can't Afford to Ignore</a>) will present a brief overview of what's at stake in the technology security domain. </p>
<p>We'll define the kinds of threats we face and discuss the key tools at our disposal for pushing back against those threats.</p>
<p>If you're interested in digging deeper into the topic, my LPI Security Essentials book is entirely devoted to giving you the full picture.</p>
<p>If you'd prefer to watch this chapter as a video, feel free to follow along here:</p>
<div class="embed-wrapper">
        <iframe width="560" height="315" src="https://www.youtube.com/embed/OJf27vq_PTo" style="aspect-ratio: 16 / 9; width: 100%; height: auto;" title="YouTube video player" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen="" loading="lazy"></iframe></div>
<h1 id="heading-hacking-whats-hacking">Hacking? What's Hacking?</h1>
<p>Defining computer hacking in a way that doesn't anger someone, somewhere, is like talking about politics at work. Be prepared for long, awkward silences and possibly violence. </p>
<p>You see, purists might insist that the term hacking should apply exclusively to individuals focused on forcibly re-purposing computer hardware for non-standard purposes. </p>
<p>Others reserve the title for people who bypass authentication controls to break into networks for criminal or political purposes. </p>
<p>And how about those who wear the title as a sign of their practical expertise in all things IT? (And then, of course, there are crackers.)</p>
<p>But this is my book, so I'm going to use the term any way I want. I therefore decree that hacking is all about plans the <em>bad guys</em> have for <em>your</em> digital devices. Specifically, their plans to get in without authorization, get out without being noticed, and (sometimes) take your stuff with them when they leave. </p>
<p>Using the term this way gives us a useful way to organize a discussion of some common and particularly scary threats.</p>
<h2 id="heading-how-hackers-get-in-to-your-system">How Hackers Get In to Your System</h2>
<p>The trick is to find a way through your defenses (like passwords, firewalls, and physical barriers). In most cases, passwords probably provide the weakest protection:</p>
<ul>
<li>Passwords are often short, use a narrow range of characters, and are easy to guess.</li>
<li>If a device came with a simple factory default password (like "admin" or "1234") just meant to get you in for the first time, then the odds are pretty good that many users will never get around to trading it in for something better.</li>
<li>Even strong passwords can be stolen by deceptive phishing email scams ("Click here to login to your bank account..."), social engineering ("Hi, it's Ed from IT. We're having some trouble with your corporate account. Would you mind telling me your password over the phone so I can quickly fix it?"), and keyboard tracking software.</li>
</ul>
<p>We'll talk more about firewalls later in this tutorial. And physical barriers? I think you already know what a locked door looks like. But it's probably worth spending a few moments thinking about other kinds of digital attacks.</p>
<p>The big prize is usually getting to your data and making off with copies. But for some, simply destroying the originals can be just as satisfying.</p>
<p>Obviously, logging into your devices using stolen passwords is the most straightforward approach. But access can also be achieved by intercepting your data as it travels across an insecure network. </p>
<p>One approach that's commonly used here is known as a man-in-the-middle attack. This is where data packets can be intercepted in transit and altered without authorized users at either end knowing anything's wrong. </p>
<p>Properly encrypting your network connections (and avoiding unsafe public networks altogether) is an effective protection against this kind of threat. We'll talk more about encryption a bit later.</p>
<p>If the hardware you're using has an undocumented "back door" built in, then you're pretty much toast whatever you do. We'll talk more about back doors later in the book but, for now, I'll just note that there has been no shortage of factory-supplied laptops, rack servers, and even high-end networking equipment that's been intentionally designed to include serious access vulnerabilities. Be very careful where you purchase your compute devices.</p>
<p>If the attackers find a way into your physical building (sometimes posing as employees of a delivery company), they could quietly plug a tiny listening device into an unused Ethernet jack on your network. That'll give them a nice platform to watch and even influence all your activities from the inside. </p>
<p>Protecting your physical infrastructure and carefully monitoring network activity is your best hope against that kind of intrusion.</p>
<p>Even if your home or office is all fortressed up, there's no guarantee that data moving around on mobile devices (like smartphones or laptops) won't find its way into the wrong hands. </p>
<p>And even if you've been careful to use only the best passwords for those devices, the data drives themselves can still be easily mounted as external partitions on a thief's own machine. Once mounted, your files and account information will now be wide open. </p>
<p>The only way to protect your mobile devices from this kind of threat is to encrypt the entire drive using a strong passphrase.</p>
<h2 id="heading-what-hackers-are-after">What Hackers Are After</h2>
<p>Now that entire economies are run on computers directly connected to public networks, there's money and value to be had through well-planned corporate, academic, or political espionage efforts...and through old-fashioned, traditional theft. </p>
<p>Whether the goal is building up a military or commercial competitive advantage, completely destroying the competition, or just getting your hands on "free" money, illegally accessing other people's data has never been easier.</p>
<p>So what are hackers likely to be after? All the important financial and other sensitive information you'd prefer they didn't have. Including, it should be noted, the kind of information you use to identify yourself to banks, credit card companies, and government agencies. </p>
<p>Once the bad guys have got important data points like your birth date, home address, government-issued ID numbers, and some basic banking details, it's usually not hard to present themselves as though they're you, completely taking over your identity in the process.</p>
<p>Digital attacks can also be used as blackmail to force victims to pay to undo the damage they've done. </p>
<p>That's the objective of most <em>ransomware</em> attacks, where hackers encrypt all the data on a victim's computers and refuse to send the decryption keys needed to restore your rightful access unless you send them lots of money. </p>
<p>Such attacks have already effectively brought down critical infrastructure like the IT systems powering hospitals and cities.</p>
<p>The very best defense against ransomware is to have full and tested backups of your critical data and a reliable system for quickly restoring it to your hardware. That way, if you're ever hit with a ransomware attack, you can simply wipe out your existing software and replace it with fresh copies, populated with your backed up data. </p>
<p>But you should also beef up your general security settings to make it harder for ransomware hackers to get into your system in the first place.</p>
<p>When their primary goal is to prevent you or your organization from going about its business, hackers can remain at a safe distance and launch a distributed denial of service (DDoS) attack against your web infrastructure. </p>
<p>Historical DDoS attacks have used massive swarms of thousands of illegally hijacked network-connected devices to transmit crippling numbers of requests against a single target service. When large enough, DDoS attacks have managed to bring down even huge enterprise-scale companies using sophisticated defenses for hours at a time. </p>
<p>The site hosting one of my favorite online open source collections was hit hard more than a year ago and still hasn't fully recovered.</p>
<h1 id="heading-what-is-encryption">What is Encryption?</h1>
<p>If your data is unreadable, there's a lot less bad stuff that unauthorized individuals will be able to do with it. But if it's unreadable, there's probably not a whole lot you'll be able to do with it either. </p>
<p>Wouldn't it be nice if there was some way to present your data as unreadable in every scenario except where there's a legitimate reason? Well waddaya know? There is, and it's called data encryption.</p>
<h2 id="heading-how-to-encrypt-data-in-transit">How to Encrypt Data in Transit</h2>
<p>Encryption algorithms encode information in a way that makes it hard, or even impossible, to be read. </p>
<p>A simple (and ancient) example is symbol replacement, where every letter "a" in a message would be replaced with, say, the letter three positions on in the alphabet (which would be "d"). Every "b" would become "e" and so on. "Hello world" would be "khoor zruog". People subsequently coming across the message would be unable to understand it.</p>
<p>Of course, it wouldn't take long for a modern computer (or even a smart 8-year-old) to decode that one. But some very clever cryptologists have been working hard over most of the past century to produce much more effective algorithms. </p>
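<p>Here is the shift cipher from the paragraph above as runnable Python, added for this article rather than taken from it. It reproduces the "Hello world" to "khoor zruog" example (lowercasing letters, as the article's output does) and then shows why a computer breaks it instantly: there are only 26 possible shifts, so trying every one and scoring the results against a short, constructed list of common words recovers the key. The function names and the word list are the example's own.</p>

```python
import string

ALPHABET = string.ascii_lowercase

# Constructed mini-dictionary used to recognise a plausible decryption.
COMMON_WORDS = ("the", "and", "hello", "world", "attack", "at", "dawn")


def shift_encrypt(plaintext: str, shift: int = 3) -> str:
    """Replace every letter with the one `shift` positions later in the alphabet.

    Letters are lowercased first, matching the article's "khoor zruog"; anything
    that is not a letter (spaces, punctuation, digits) passes through unchanged.
    """
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, shift: int = 3) -> str:
    """Undo shift_encrypt by shifting the same distance the other way."""
    return shift_encrypt(ciphertext, -shift)


def all_candidate_plaintexts(ciphertext: str) -> dict:
    """Every possible decryption, keyed by shift.

    The whole key space is 26 entries, which is why the scheme offers no
    real secrecy against anyone who can try them all.
    """
    return {k: shift_decrypt(ciphertext, k) for k in range(26)}


def recover_shift(ciphertext: str, words: tuple = COMMON_WORDS) -> int:
    """Return the shift whose decryption contains the most known words.

    Ties keep the lowest shift; with a realistic word list and a message of
    more than a couple of words the correct shift wins clearly.
    """
    best_shift, best_score = 0, -1
    for k, candidate in all_candidate_plaintexts(ciphertext).items():
        score = sum(token in words for token in candidate.split())
        if score > best_score:
            best_shift, best_score = k, score
    return best_shift


if __name__ == "__main__":
    secret = shift_encrypt("Hello world")          # the article's example
    print("ciphertext:", secret)                    # khoor zruog
    guess = recover_shift(secret)
    print("recovered shift:", guess, "->", shift_decrypt(secret, guess))
```

<p>The recovery step is the point: the "key" of a substitution-by-shift scheme is one of 26 values, so no clever attack is needed, only exhaustive trial. Modern ciphers are designed so that the key space is far too large for that approach to be feasible.</p>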
<p>There are some significant variations of modern cryptography. But the general idea is that people can apply an encryption algorithm to their data and then safely transmit the encrypted copy over insecure networks. Then the recipient can apply a decryption key of some sort to the data, restoring the original version.</p>
<p>Encryption is now widely available for many common activities, including sending and receiving emails. You can similarly ensure that the data you request from a website is the same data that's eventually displayed in your browser by checking the lock icon in your browser's address bar. The icon confirms that the website server employs Transport Layer Security (TLS) encryption.</p>
<p>Over the past few years, the Let's Encrypt project (letsencrypt.org) has encouraged millions of new websites to use encryption by providing free encryption certificates and simple-to-use tools to help server administrators install them.</p>
<h2 id="heading-how-to-encrypt-data-at-rest">How to Encrypt Data at Rest</h2>
<p>TLS will protect your data when it's out and about, but what'll keep it safe even when it's relaxing in its comfy storage disk? File and drive encryption, that's what. </p>
<p>All operating systems now offer integrated software for encrypting all or part of a storage disk either at installation time or later. Each time you power up an encrypted disk, you'll be prompted to enter the passphrase you created when you enabled encryption.</p>
<p>The thing is that if you forget your passphrase, you're pretty much permanently locked out of your system and the data is as good as gone forever. </p>
<p>But the other thing is that if you <em>don't</em> encrypt your system then, as we noted earlier, anyone who steals the hardware will have easy and instant access to your private information. It's a tough world out there, isn't it?</p>
<h1 id="heading-what-does-a-firewall-do">What Does a Firewall Do?</h1>
<p>You can think of a firewall as a filter. Just like, say, a water filter is able to block certain impurities, allowing only clean water through, a firewall can inspect every packet of data coming into or leaving your infrastructure, blocking access where appropriate. </p>
<p>Besides not needing to be replaced every few weeks, the big advantage of a firewall over a water filter is that it can be closely configured to permit and refuse entry to exactly match your security and functional needs. Then you can update it later should your needs change.</p>
<h2 id="heading-hardware-firewalls">Hardware Firewalls</h2>
<p>A hardware firewall is a purpose-built physical networking device that's commonly used within enterprise environments. Such firewalls are installed at the edge of a private network and set to block potentially dangerous incoming traffic, redirect other traffic to remote destinations, or permit traffic to access hosts within the local network.</p>
<p>Hardware firewalls are sold by companies like Cisco and Juniper, and general equipment manufacturers like HP and Dell. They can be used to manage traffic for networks comprising many thousands of hosts. </p>
<p>Firewalling appliances tend to be very expensive, often costing many thousands of dollars. They're normally only deployed to manage enterprise infrastructure.</p>
<h2 id="heading-software-firewalls">Software Firewalls</h2>
<p>A software firewall is an application that runs on a regular PC that can perform just about any function that you'd otherwise expect from a hardware firewall. There are two important differences:</p>
<ul>
<li>Firewall software (like the Linux iptables utility) is often free and, while complicated, enjoys the benefits of vast documentation resources. The software can also be installed on any old PC that's just lying around, reducing the overall cost to nearly nothing.</li>
<li>You won't want to use such a firewall within a busy business environment however, since such a PC probably won't have the compute power to manage high volumes of network traffic. Nor, in most such cases, will it be reliable enough to provide mission-critical services 24/7.</li>
</ul>
<p>There's another flavor of software firewall that's used as part of consumer-grade operating systems. Such firewalls allow you to better secure your OS by setting rules for what kind of activities you want to allow. These can be especially useful for mobile devices that frequently move from network to network.</p>
<p>Cloud computing platforms – like Amazon Web Services (AWS) and Microsoft's Azure – provide a firewall-like technology for use with the resources you might deploy within their systems. Firewall policies might exist in objects with names like "security group" or "access control list" that can be applied to whichever resource requires them.</p>
<h1 id="heading-who-does-security-best">Who Does Security Best?</h1>
<p>In the not too distant past, you would often hear IT professionals swearing they would never run their IT operations on infrastructure they didn't physically control. This was common when referring to outsourcing to third party, offsite companies or to cloud computing platforms. </p>
<p>Whether it was because those administrators didn't trust the reliability and security of compute infrastructure run by strangers, or because regulatory restrictions required that sensitive workloads remained local, the sentiment was widely shared. And it made sense.</p>
<p>But the past is a foreign country. Today, it can be forcefully argued, the most secure and reliable environments can be found in the biggest public cloud providers. </p>
<p>Why? They've got the money and incentive to hire the very best engineers, and the money and incentive to build the very best infrastructure. </p>
<p>Beyond that, cloud providers maintain data centers in political jurisdictions around the world, and go to great lengths to ensure their deployments comply with industry and government standards.</p>
<p>Let me illustrate. Remember the DDoS threat we discussed a bit earlier in the chapter? Well, <a target="_blank" href="https://www.zdnet.com/article/aws-said-it-mitigated-a-2-3-tbps-ddos-attack-the-largest-ever">back in the summer of 2020</a>, an unnamed organization deploying resources on AWS was hit with a DDoS attack peaking at 2.3 Tbps. That is, each and every second, requests hit that organization's public-facing service with 2.3 terabytes of data.</p>
<p>What does "2.3 terabytes" actually mean? Well, a megabyte is (approximately) one million bytes of information (a PDF version of this book would probably take up six megabytes or so). A gigabyte is one thousand million bytes of information. A terabyte is one thousand thousand million bytes of information. That would be the equivalent of around 165,000 PDF books. 2.3 terabytes would be the rough equivalent of 380,000 PDF books.</p>
<p>Now try to imagine all the text characters used to fill 380,000 PDF books being thrown at a web service <em>each second.</em></p>
<p>Got that image in your mind? Now here's what happened to that web service: Nothing. It just carried on working as though it hadn't a care in the world. How on earth is that even possible? Amazon's AWS Shield service simply mitigated the attack. The customer didn't have to do a thing.</p>
<p><em>That</em> is why moving your workloads to the public cloud doesn't necessarily involve compromising your standards.</p>
<h2 id="heading-thanks-for-reading">Thanks for reading!</h2>
<p>YouTube videos of all ten chapters from this book are <a target="_blank" href="https://www.youtube.com/playlist?list=PLSiZCpRYoTZ6UWl4xialvwLOKyHYYJUiC">available here</a>. Lots more tech goodness – in the form of books, courses, and articles – <a target="_blank" href="https://bootstrap-it.com">can be had here</a>. And consider enjoying <a target="_blank" href="https://bootstrap-it.com/lpi-essentials/">my LPI Essentials resources here</a>.</p>
 ]]>
                </content:encoded>
            </item>
        
            <item>
                <title>
                    <![CDATA[ How to Protect Your Privacy Online – Five Useful Tools ]]>
                </title>
                <description>
                    <![CDATA[ In today’s growing cyber threat landscape, it is important to learn how to protect yourself. In this article, I'll share my five favorite tools you can use to protect your privacy online. Why Online Privacy is Important Have you ever wondered how val... ]]>
                </description>
                <link>https://www.freecodecamp.org/news/how-to-protect-your-privacy-online/</link>
                <guid isPermaLink="false">66d035e9c1024fe75b758f1e</guid>
                
                    <category>
                        <![CDATA[ cybersecurity ]]>
                    </category>
                
                    <category>
                        <![CDATA[ privacy ]]>
                    </category>
                
                <dc:creator>
                    <![CDATA[ Manish Shivanandhan ]]>
                </dc:creator>
                <pubDate>Mon, 02 Jan 2023 22:33:08 +0000</pubDate>
                <media:content url="https://www.freecodecamp.org/news/content/images/2023/01/security-tools.png" medium="image" />
                <content:encoded>
                    <![CDATA[ <p>In today’s growing cyber threat landscape, it is important to learn how to protect yourself. In this article, I'll share my five favorite tools you can use to protect your privacy online.</p>
<h2 id="heading-why-online-privacy-is-important">Why Online Privacy is Important</h2>
<p>Have you ever wondered how valuable your data is?</p>
<p>Every app, website, and business is fighting to get more information about you. The more they know, the better they can predict what you want. Sometimes even before you do.</p>
<p>Personal privacy protects us from potential harm or unwanted intrusions into our lives. It also allows us to maintain our dignity and autonomy.</p>
<p>Most importantly, personal privacy is our fundamental right. Without it, we are just data points used to train an AI model.</p>
<p>Cynics argue that “personal privacy is a relic of the past”. Not really.</p>
<p>In today’s data-hungry world, it is still possible to protect your privacy and use the great products the internet offers.⁠ Here are five tools that will help you protect your privacy online.</p>
<h2 id="heading-brave-browserhttpsbravecomen-in"><a target="_blank" href="https://brave.com/en-in/">Brave Browser</a></h2>
<p><img src="https://www.freecodecamp.org/news/content/images/2022/12/image-139.png" alt="Image" width="600" height="400" loading="lazy">
<em>Photo by <a target="_blank" href="https://unsplash.com/@rubaitulazad">Rubaitul Azad</a> on <a target="_blank" href="https://unsplash.com">Unsplash</a></em></p>
<p>Brave is a web browser that focuses on privacy and security. It blocks third-party ads and tracking cookies by default. It also allows users to control which ads they see and how their data is used.</p>
<p>Here are a few of the key features that set Brave Browser apart:</p>
<ul>
<li><strong>Privacy:</strong> Brave blocks third-party ads and tracking cookies by default, which helps protect your privacy online.</li>
<li><strong>Security:</strong> Brave automatically upgrades plain HTTP connections to HTTPS wherever the site supports it (originally by bundling the HTTPS Everywhere ruleset into the browser). This keeps page content encrypted in transit, which protects you from man-in-the-middle tampering and from anyone on the network path reading your traffic.</li>
<li><strong>Performance:</strong> Brave uses the same technology as Google Chrome — the Chromium open-source project. This means it is fast, stable, and has support for the latest web standards.</li>
<li><strong>Rewards:</strong> Brave allows users to earn rewards in the form of the <a target="_blank" href="https://www.investopedia.com/terms/b/basic-attention-token.asp">Basic Attention Token (BAT)</a> for viewing privacy-respecting ads. This gives users a way to support the websites they visit and content creators they enjoy, without having to share their data with advertisers.</li>
</ul>
<p>Brave browser offers a combination of privacy, security, and performance. Brave is a safer alternative to Chrome or Edge to protect your privacy.</p>
<h2 id="heading-1passwordhttps1passwordcom"><a target="_blank" href="https://1password.com/">1Password</a></h2>
<p><img src="https://www.freecodecamp.org/news/content/images/2022/12/image-140.png" alt="Image" width="600" height="400" loading="lazy">
<em>CC: PcMag</em></p>
<p>1Password is a password manager and secure digital wallet. It is a software program that allows you to store and manage your passwords, credit card information, and other sensitive data in a secure, encrypted vault.</p>
<p>With 1Password, you only need to remember a single master password (1Password combines it with a randomly generated Secret Key stored on your devices, so a stolen copy of your vault can't be cracked from the password alone). This makes it much easier to use strong, unique passwords for all of your online accounts. </p>
<p>1Password is available on a wide range of devices and platforms, including Windows, Mac, Linux, iOS, and Android.</p>
<p>There are other alternatives to 1Password like LastPass and LogMeOnce. But here are a few reasons why 1Password is a better choice:</p>
<ul>
<li><strong>Security:</strong> 1Password encrypts your vault with AES-256, deriving the key locally from your master password and Secret Key, so the company never holds what it would need to decrypt your data. It has many other security features to help prevent unauthorized access to your vault. This can give you peace of mind that all your information is safe and secure.</li>
<li><strong>Ease of use:</strong> 1Password is easy to use. It has a simple, intuitive interface and support for a wide range of devices and platforms. It also integrates with your web browser, so you can save and fill in passwords as you browse the internet.</li>
<li><strong>Features:</strong> 1Password offers a range of features including the ability to generate strong passwords. 1Password also can store credit card information, and you can choose to share passwords with others if needed.</li>
</ul>
<p>Overall, 1Password offers a combination of security, ease of use, features, and support that make it a popular choice among password manager users.</p>
<h2 id="heading-privacy-badgerhttpschromegooglecomwebstoredetailprivacy-badgerpkehgijcmpdhfbdbbnkijodmdjhbjlgp"><a target="_blank" href="https://chrome.google.com/webstore/detail/privacy-badger/pkehgijcmpdhfbdbbnkijodmdjhbjlgp">Privacy Badger</a></h2>
<p><img src="https://www.freecodecamp.org/news/content/images/2022/12/image-141.png" alt="Image" width="600" height="400" loading="lazy">
<em>CC: Wikipedia</em></p>
<p>Privacy Badger is a free browser extension that helps protect your privacy online. Privacy Badger is a product from The Electronic Frontier Foundation (EFF). EFF is a nonprofit organization that advocates for digital rights and civil liberties.</p>
<p>Privacy Badger works by watching which third-party domains follow you across different websites and blocking the ones that behave like trackers, rather than relying on a fixed blocklist. It originally learned this from your own browsing; since 2020 it ships with a pre-trained list of trackers from EFF's own crawling, with local learning available as an option. Privacy Badger is available for Chrome, Firefox, and Opera web browsers.</p>
<p>Here are a few reasons why Privacy Badger is a great tool:</p>
<ul>
<li><strong>It’s free:</strong> Privacy Badger is a free and open-source browser extension, which means you can use it without paying any money.</li>
<li><strong>It’s simple:</strong> Privacy Badger is easy to use, with a simple interface and no complex settings to configure. You can just install it and let it do its thing.</li>
<li><strong>It’s effective:</strong> Privacy Badger uses behavioral heuristics to detect and block third-party tracking, so it can catch trackers that no blocklist has named yet. This means it can be effective at protecting your privacy without requiring you to do any work.</li>
<li><strong>It’s transparent:</strong> Privacy Badger’s developers are EFF, which is a well-known and trusted organization in the community. EFF regularly publishes reports and updates about Privacy Badger’s development and performance.</li>
</ul>
<p>Privacy Badger offers a simple and effective way to protect your privacy online. With a simple interface and heuristic tracker detection under the hood, Privacy Badger is an essential tool to protect your privacy.</p>
<h2 id="heading-express-vpnhttpswwwexpressvpncom"><a target="_blank" href="https://www.expressvpn.com/">Express VPN</a></h2>
<p><img src="https://www.freecodecamp.org/news/content/images/2022/12/image-142.png" alt="Image" width="600" height="400" loading="lazy">
<em>CC: PcMag</em></p>
<p>ExpressVPN is a virtual private network (VPN) service that lets you access the internet safely.</p>
<p>ExpressVPN encrypts your traffic and routes it through a remote server. This can make it appear as if you are browsing from a different location.</p>
<p>This is useful for many reasons, including protecting your privacy. You can also access restricted content in your region, and bypass internet censorship.</p>
<p>ExpressVPN is one of many companies that offer VPN services, but it is known for its speed and reliability.</p>
<p>Here are a few reasons why ExpressVPN is a great choice:</p>
<ul>
<li><strong>Speed:</strong> ExpressVPN is popular for its fast speeds, which make streaming videos or playing online games easier.</li>
<li><strong>Reliability:</strong> ExpressVPN has a reputation for being a reliable and stable VPN service. ExpressVPN has a large network of servers and a team of engineers working around the clock to maintain the service.</li>
<li><strong>Security:</strong> ExpressVPN uses strong encryption to protect your data. It also offers many security features, such as <a target="_blank" href="https://www.fortinet.com/resources/cyberglossary/dns-leak">DNS leak protection</a>, to help keep you safe online.</li>
<li><strong>Privacy:</strong> ExpressVPN publishes a strict no-logs policy, meaning it says it does not collect or store records of your online activity. Keep in mind that any VPN only moves trust from your ISP or the coffee-shop WiFi to the VPN provider, so a credible no-logs policy matters.</li>
<li><strong>Compatibility:</strong> ExpressVPN is available on a wide range of devices and operating systems. This includes Windows, Mac, Linux, Android, and iOS. It also offers custom VPN apps for routers, gaming consoles, and other devices.</li>
</ul>
<p>ExpressVPN offers a combination of speed, reliability, security, privacy, and compatibility. This makes it a popular choice among VPN users.</p>
<h2 id="heading-haveibeenpawnedhttpshaveibeenpwnedcom"><a target="_blank" href="https://haveibeenpwned.com/">Have I Been Pwned</a></h2>
<p><img src="https://www.freecodecamp.org/news/content/images/2022/12/image-143.png" alt="Image" width="600" height="400" loading="lazy">
<em>CC: Sophos</em></p>
<p>Have I Been Pwned (HIBP) is a website that helps you to check if your personal information has been exposed to a data breach.</p>
<p>Security researcher Troy Hunt created HIBP in 2013. It has since become a widely-used resource for checking compromised personal information.</p>
<p>If HIBP finds that your information is exposed, it will recommend steps you can take to protect yourself. These may include changing passwords, enabling two-factor authentication, and so on.</p>
<p>Here are some features of HIBP:</p>
<ul>
<li><strong>Data breach search:</strong> You can enter your email address or username to see if it has been included in any of the data breaches in the HIBP database.</li>
<li><strong>Notification service:</strong> You can sign up for HIBP’s notification service, which will alert you if your email address appears in a new data breach.</li>
<li><strong>Breached password search:</strong> You can enter a password to see if it has appeared in any data breaches. The password itself never leaves your browser: the site hashes it locally with SHA-1 and sends only the first five characters of the hash, then compares the returned candidates on your machine. This can help you determine if a password is secure or if you should change it.</li>
<li><strong>Pwned Passwords API:</strong> HIBP offers an API that lets developers use the same breached password search in their own applications, using the same five-character hash-prefix (k-anonymity) scheme.</li>
<li><strong>Data breach statistics:</strong> HIBP provides statistics on data breaches. This includes the number of records compromised and the types of data that were exposed.</li>
</ul>
<p>Even if you set a strong password, the applications you use can encounter a data breach. HIBP helps you keep track of these breaches and make sure your data is secure.</p>
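<p>Here is how the breached password search works in code. This is an added example, not code from the article or from HIBP itself: it reproduces the k-anonymity range lookup that the HIBP site and its Pwned Passwords API use (only the first five hex characters of the password's SHA-1 hash are sent; the full comparison happens locally). The range endpoint URL is the real one; the sample response body and its counts are constructed for this example and are not real HIBP data.</p>

```python
"""Added example: a Have I Been Pwned "Pwned Passwords" range lookup.

Only the 5-character SHA-1 prefix is sent to the server; the server returns
every hash suffix it knows for that prefix, and the match is made locally.
SAMPLE_RANGES below is constructed for this example (the counts are made up).
"""
import hashlib
import urllib.request
from typing import Callable

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # documented HIBP endpoint


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Uppercase hex SHA-1, split into the 5-char prefix (sent) and 35-char suffix (kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF-separated).

    When the Add-Padding header is used, the server mixes in dummy suffixes
    whose count is 0; those must never be reported as a breach hit.
    """
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35:
            raise ValueError(f"malformed range line: {line!r}")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_online(prefix: str) -> str:
    """Fetch one range from the real API (network access; not used by the offline check)."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range: Callable[[str], str] = fetch_range_online) -> int:
    """How many times the password appears in the breach corpus; 0 means not found."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


# Constructed sample response for prefix 5BAA6; the counts are invented for this example.
SAMPLE_RANGES = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567\r\n"  # suffix of SHA-1("password")
        "1E2AAA439972480CEC7F16C795BBB429372:0\r\n"        # padding entry, count 0
    ),
}


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the network call that serves the constructed sample above."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", breach_count(pw, fetch_range_offline))
```

<p>To run it against the live service, pass no fetcher (or <code>fetch_range_online</code>) to <code>breach_count</code>. The <code>Add-Padding</code> header asks the API to pad every response to a similar size so that an observer on the network can't infer which prefix was queried from the response length; the parser treats the padding entries (count 0) as "not found".</p>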
<h2 id="heading-summary">Summary</h2>
<p>Online privacy is not a myth. There are great tools that we can use to secure our digital life and use the internet safely. </p>
<p>Use these five tools in addition to standard safety practices like setting strong passwords and enabling two-factor authentication. <a target="_blank" href="https://swisscyberinstitute.com/blog/10-tips-on-how-to-browse-the-internet-safely/">Here are a few more tips on staying safe online</a>.</p>
<p><em>Loved this article? Visit</em> <a target="_blank" href="https://www.stealthsecurity.io/">https://www.stealthsecurity.io/</a> <em>to find more cybersecurity content. You can also</em> <a target="_blank" href="https://www.linkedin.com/in/manishmshiva/"><em>connect with me</em></a> <em>on LinkedIn.</em></p>
 ]]>
                </content:encoded>
            </item>
        
            <item>
                <title>
                    <![CDATA[ How to Build Your Own Wireguard VPN in Five Minutes ]]>
                </title>
                <description>
                    <![CDATA[ You may already understand how important a good VPN can be for maintaining the security and privacy of your mobile communications.  Whether you need to use your phone for banking over a public airport or coffee shop WiFi connection, or you're worried... ]]>
                </description>
                <link>https://www.freecodecamp.org/news/build-your-own-wireguard-vpn-in-five-minutes/</link>
                <guid isPermaLink="false">66b995c2489480391dfe7a0c</guid>
                
                    <category>
                        <![CDATA[ information security ]]>
                    </category>
                
                    <category>
                        <![CDATA[ privacy ]]>
                    </category>
                
                    <category>
                        <![CDATA[ Security ]]>
                    </category>
                
                    <category>
                        <![CDATA[ vpn ]]>
                    </category>
                
                <dc:creator>
                    <![CDATA[ David Clinton ]]>
                </dc:creator>
                <pubDate>Mon, 19 Dec 2022 20:46:15 +0000</pubDate>
                <media:content url="https://www.freecodecamp.org/news/content/images/2022/12/pexels-ibrahim-boran-339814.jpg" medium="image" />
                <content:encoded>
                    <![CDATA[ <p>You may already understand how important a good VPN can be for maintaining the security and privacy of your mobile communications. </p>
<p>Whether you need to use your phone for banking over a public airport or coffee shop WiFi connection, or you're worried about the wrong people listening in on your online interactions, the tunneled encryption a good VPN gives you can be invaluable. </p>
<p>The trick, however, is finding a VPN that really is "good" – and one that's both convenient and affordable.</p>
<p>There are plenty of commercial VPN services out there, and configuring one of those for your phone or laptop is usually simple enough. </p>
<p>But such services come with two potential down-sides: they're often expensive, with payments averaging around $10 monthly, and you can never be quite 100% sure that they aren't (accidentally or on purpose) leaking or misusing your data. </p>
<p>Also, cheaper VPNs often limit your data use and the number of devices you can connect.</p>
<p>If you like watching video versions of tutorials to supplement your learning, feel free to follow along here:</p>
<div class="embed-wrapper">
        <iframe width="560" height="315" src="https://www.youtube.com/embed/kxj8GMvnASE" style="aspect-ratio: 16 / 9; width: 100%; height: auto;" title="YouTube video player" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen="" loading="lazy"></iframe></div>
<h2 id="heading-what-wireguard-delivers">What WireGuard Delivers</h2>
<p>But if you happen to have a cloud-based Linux server running anyway, building a WireGuard VPN can be a simple and free way to add some serious, compromise-free security and privacy to your life. </p>
<p>If you plan to limit the VPN to just devices owned by you and a few friends, you'll probably never even notice any extra resource load on your server. Even if you had to fire up and pay for a dedicated AWS EC2 t2.micro reserved instance, the annual costs should still come out significantly cheaper than most commercial VPNs. And, as a bonus, you'll get complete control over your data.</p>
<p>Right now I'm going to show you how all that would work using the open source WireGuard software on an Ubuntu Linux server. </p>
<p>Why WireGuard? Because it's really easy to use, is designed to be particularly attack resistant, and it's so good at what it does that it was recently incorporated into the Linux kernel itself. </p>
<p>The actual work to make this happen <em>really will</em> take only five minutes - or less. Having said that, planning things out, troubleshooting for unexpected problems and, if necessary, launching a new server might add significant time to the project.</p>
<h2 id="heading-how-to-set-up-your-environment">How to Set Up Your Environment</h2>
<p>First off, you'll need to open the UDP port 51820 in whatever firewall you're using. Here's how that would look for the security group associated with an AWS EC2 instance:</p>
<p><img src="https://www.freecodecamp.org/news/content/images/2022/12/SG_rule-2.png" alt="Image" width="600" height="400" loading="lazy"></p>
<p>Now, on the Linux server, using a sudo shell, we'll begin by installing the WireGuard and resolvconf packages. </p>
<p>Technically, we probably won't need resolvconf here, but since that's what you'd need if you wanted to set up a Linux machine as a WireGuard <em>client</em> I thought I'd throw that in here, too.</p>
<pre><code>apt install wireguard resolvconf
</code></pre><h2 id="heading-how-to-generate-encryption-keys">How to Generate Encryption Keys</h2>
<p>The <code>wg genkey</code> command prints a new private encryption key to standard output; piping it through <code>tee</code> saves it as a file in the /etc/wireguard directory. This directory was automatically created when we installed WireGuard. </p>
<p>The <code>chmod</code> command sets the appropriate restrictive permissions for that private key file. </p>
<p>Like everything in Linux, there are other ways to get this done, but just make sure you do it right.</p>
<pre><code># generate the server's private key and save it (tee also echoes it to the terminal)
wg genkey | sudo tee /etc/wireguard/private.key
# root only: no read, write or execute for group or others
sudo chmod go= /etc/wireguard/private.key
</code></pre><p>Next, we'll use the value of our private key to generate a matching public key – which will also be saved to the /etc/wireguard directory. The goal is to add the server's <em>public</em> key to the WireGuard configuration on all the client devices we'll be using, and then to add those clients' public keys to the server configuration here. </p>
<p>Private keys should never leave the machines for which they're created – and should always be carefully protected.</p>
<pre><code># derive the public key from the private key; the output file name is just a convention
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
</code></pre><h2 id="heading-how-to-configure-the-wireguard-server">How to Configure the WireGuard Server</h2>
<p>We're now ready to create a server configuration file. Following convention, I'll name the file wg0.conf, but you can give it any name you'd like. You can also have multiple configurations (with different filenames) existing at the same time.</p>
<p>Here's what our configuration will look like:</p>
<pre><code>[Interface]
Address = 10.5.5.1/24
ListenPort = 51820
# Use your own private key, from /etc/wireguard/private.key
PrivateKey = your_key

[Peer]
# Workstation public key
PublicKey = your_key
# VPN client's IP address in the VPN
AllowedIPs = 10.5.5.2/32

[Peer]
# laptop public key
PublicKey = your_key
# VPN client's IP address in the VPN
AllowedIPs = 10.5.5.3/32
</code></pre><p>Notice that this file has three sections: an Interface, and two peers. The Interface section defines the private address the server itself will use inside the tunnel (10.5.5.1 on the 10.5.5.0/24 VPN subnet). That's the address the clients will talk to once the tunnel is up – after first reaching the server through its public IP address, of course. </p>
<p>You don't have to follow my addressing, as long as you use a valid private IP range that doesn't overlap on any network blocks being used by either your server or client. </p>
<p>Matching the UDP security group rule I set up earlier in AWS, I'm defining the ListenPort as 51820. I could choose a different port if I wanted to keep the service off the radar of casual port scans, although that adds little real security: WireGuard silently ignores packets that don't come from a configured peer, so an unauthenticated scanner sees nothing either way. </p>
<p>Finally, I would paste the server's private key as the value of <code>PrivateKey</code>. WireGuard uses it to complete the handshake with each peer, so it is also what proves to the clients that they're talking to the real server and not an impostor.</p>
<p>The first <code>peer</code> section contains nothing more than the <em>public</em> key and assigned private IP address of one client. The second <code>peer</code> section does the same for a second client machine. </p>
<p>Getting those public keys from the client is the most manual task involved in this whole setup. But, since this is your own VPN, you can usually find a way to copy and paste directly into your server configuration so you don't need to painfully type the whole thing in.</p>
<p>That should be everything. I'll use the <code>wg-quick</code> command to bring the VPN to life. <code>up</code> tells WireGuard to read the wg0.conf configuration we just made and use it to build a new VPN interface. </p>
<pre><code>wg-quick up wg0
</code></pre><p>Running <code>wg</code> (as root) will show us that it worked: the interface, its listening port, and each configured peer. A peer only shows a "latest handshake" line once a client has actually connected, so that's the check to look for after you bring up a client. Finally, I'll run <code>systemctl enable</code> to tell Linux to load this WireGuard interface automatically each time the server reboots.</p>
<pre><code>systemctl enable wg-quick@wg0
</code></pre><h2 id="heading-how-to-configure-wireguard-clients">How to Configure WireGuard Clients</h2>
<p>That's all we'll need from the server end of things. Getting your client device set up with WireGuard is either going to be much easier or more or less the same. </p>
<p>What does <em>that</em> mean? Well, if you're working with Windows, macOS, Android or iOS, then there are links to GUI apps available from <a target="_blank" href="https://www.wireguard.com/install/">this wireguard.com/install page</a>. Those apps will generate key pairs <em>for</em> you. You'll only need to enter the server's IP address or domain and its public key. You'll then take the client's public key and add it to the server wg0.conf file the way I showed you earlier.</p>
<p>However, if it's a Linux PC or laptop client you want to add, then it's a bit more complicated. You'll basically follow all the steps you saw for the server configuration, including the key generation. You'll even create a configuration file named wg0.conf (if that's the name you like). But here's how that config file should look:</p>
<pre><code>[Interface]
# The address your computer will use on the VPN (must match this peer's AllowedIPs on the server)
Address = 10.5.5.2/32
DNS = 8.8.8.8
# Load your private key from file
PostUp = wg set %i private-key /etc/wireguard/private.key
# Also ping the VPN server to ensure the tunnel is initialized
# (|| true so that a failed ping doesn't make wg-quick tear the interface down again)
PostUp = ping -c1 -W 5 10.5.5.1 || true
[Peer]
# VPN server's wireguard public key
PublicKey = your_key
# Public IP address of your VPN server (USE YOURS!)
Endpoint = 54.160.21.183:51820
# 10.5.5.0/24 is the VPN subnet
AllowedIPs = 10.5.5.0/24
# PersistentKeepalive = 25
</code></pre><p>The <code>Interface</code> section represents the client machine this time, while the <code>Peer</code> section down below refers to the server. Let's begin with <code>Interface</code>. The private IP address should match the address you gave this particular client in the configuration on the server (10.5.5.2 for the workstation in my example). </p>
<p>If you need your client to bypass a local DNS server, you can specify a custom DNS server here. This one is the one provided by Google. Setting <code>DNS</code> is what the resolvconf package we installed earlier is for.</p>
<p>Instead of hard-coding your local private key into your configuration file the way we did on the server, you can tell WireGuard to read the private key file whenever the interface comes up. That keeps the secret out of a file you might later copy or share, and we could just as easily have done it on the server, too. Finally, the configuration tests our connection with the <code>PostUp</code> ping command. Be aware that wg-quick treats a non-zero exit from any <code>PostUp</code> command as a failed bring-up and removes the interface again, so a ping that can't reach the server (say, before this client's public key has been added to the server) would otherwise take the tunnel down with it.</p>
<p>The <code>Peer</code> – or server – configuration requires the server's <em>public</em> key, which is added here. </p>
<p>The <code>Endpoint</code> is where you tell WireGuard where to find the server. Nothing will work without this one! That would require the server's public IP – or its domain name – followed by the port you've chosen. Again, 51820 is the WireGuard default. </p>
<p><code>AllowedIPs</code> does two jobs on a client: it tells wg-quick which destination addresses to route <em>into</em> the tunnel, and it tells WireGuard which source addresses to accept from this peer. With 10.5.5.0/24 here, only traffic for the VPN subnet goes through the tunnel; everything else, including the DNS queries to 8.8.8.8 above, still leaves your laptop directly over the local network. If the point is protecting all of your traffic on public WiFi, set <code>AllowedIPs = 0.0.0.0/0</code> and enable IP forwarding plus NAT (masquerading) on the server so it can pass that traffic on to the internet. The optional <code>PersistentKeepalive</code> sends a packet every 25 seconds, which stops the NAT mapping on a home or coffee-shop router from expiring and silently dropping the connection.</p>
<p>You launch WireGuard on the client exactly the same way you did on the server, using <code>wg-quick up wg0</code>. Again, though, all those steps will only be necessary for Linux clients. You can use the apps for other platforms.</p>
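<p>To tie the key generation and the two configuration files together, here is an added example that is not part of the original tutorial or of the WireGuard project: it shows what <code>wg genkey</code> and <code>wg pubkey</code> actually compute (a Curve25519 key pair, base64-encoded, per RFC 7748), and then generates a server config plus matching client configs with consistent addresses and keys, either split-tunnel as in the article or full-tunnel for the public-WiFi case (which needs forwarding and NAT on the server). The WAN interface name <code>eth0</code>, the 10.5.5.0/24 subnet, the endpoint and the client names are assumptions; the pure-Python ladder is for illustration and is not constant-time, so generate real keys with <code>wg</code>.</p>

```python
"""Added example: what `wg genkey` / `wg pubkey` compute, plus a generator that
writes a matching server config and client configs (split- or full-tunnel).

A WireGuard key pair is a Curve25519 pair: the private key is 32 random bytes,
clamped; the public key is X25519(private, 9); both are base64-encoded.
The ladder below is RFC 7748 section 5, in Python for illustration only:
it is not constant-time, so use the real `wg` tool for production keys.
Assumptions: the WAN interface name, subnet, endpoint and client names.
"""
import base64
import secrets

P = 2**255 - 19   # Curve25519 field prime
A24 = 121665      # (486662 - 2) / 4


def _clamp(k: bytes) -> bytes:
    """Scalar clamping from RFC 7748 (decodeScalar25519); `wg genkey` does the same."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return bytes(k)


def x25519(k: bytes, u: bytes) -> bytes:
    """X25519(k, u): Montgomery ladder over the x-coordinate, RFC 7748 section 5."""
    k_int = int.from_bytes(_clamp(k), "little")
    x1 = int.from_bytes(u[:31] + bytes([u[31] & 127]), "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:  # real implementations do this as a constant-time conditional swap
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def genkey() -> str:
    """Equivalent of `wg genkey`: 32 random bytes, clamped, base64."""
    return base64.b64encode(_clamp(secrets.token_bytes(32))).decode()


def pubkey(private_b64: str) -> str:
    """Equivalent of `wg pubkey`: X25519 of the private key with the base point u = 9."""
    priv = base64.b64decode(private_b64)
    if len(priv) != 32:
        raise ValueError("WireGuard keys are exactly 32 bytes")
    return base64.b64encode(x25519(priv, bytes([9]) + bytes(31))).decode()


def conf_value(conf: str, key: str) -> str:
    """First 'Key = value' entry in a config (enough for the single-peer client files)."""
    for line in conf.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            return value.strip()
    raise KeyError(key)


def make_configs(endpoint: str, clients: list[str], subnet: str = "10.5.5",
                 full_tunnel: bool = False, wan_if: str = "eth0", port: int = 51820):
    """Return (server_conf, {client: client_conf}) with consistent keys and addresses.

    full_tunnel=True is the public-WiFi case: the client routes everything (0.0.0.0/0)
    into the tunnel, so the server must forward and NAT that traffic; the PostUp and
    PostDown hooks add and remove the forwarding and masquerade rules.
    """
    if not 1 <= len(clients) <= 253:
        raise ValueError("a /24 leaves room for the server plus up to 253 clients")
    server_priv = genkey()
    server_pub = pubkey(server_priv)
    server = ["[Interface]", f"Address = {subnet}.1/24", f"ListenPort = {port}",
              f"PrivateKey = {server_priv}"]
    if full_tunnel:
        server += ["PostUp = sysctl -w net.ipv4.ip_forward=1",
                   f"PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o {wan_if} -j MASQUERADE",
                   f"PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o {wan_if} -j MASQUERADE"]
    client_confs = {}
    for n, name in enumerate(clients, start=2):   # .1 is the server
        priv = genkey()
        server += ["", "[Peer]", f"# {name}", f"PublicKey = {pubkey(priv)}",
                   f"AllowedIPs = {subnet}.{n}/32"]   # only source address accepted from this peer
        client = ["[Interface]", f"Address = {subnet}.{n}/32", f"PrivateKey = {priv}"]
        if full_tunnel:
            client.append("DNS = 8.8.8.8")   # only worth setting once DNS also rides the tunnel
        client += ["", "[Peer]", f"PublicKey = {server_pub}", f"Endpoint = {endpoint}:{port}",
                   # on the client, AllowedIPs = which destinations are routed INTO the tunnel
                   f"AllowedIPs = {'0.0.0.0/0' if full_tunnel else subnet + '.0/24'}",
                   "PersistentKeepalive = 25"]   # keeps NAT mappings alive behind home/cafe routers
        client_confs[name] = "\n".join(client) + "\n"
    return "\n".join(server) + "\n", client_confs


if __name__ == "__main__":
    srv, cls = make_configs("203.0.113.10", ["workstation", "laptop"], full_tunnel=True)
    print(srv)
    print(cls["laptop"])
```

<p>The generated server file goes to /etc/wireguard/wg0.conf on the server and each client file to the matching device; the public key that appears in each client's <code>[Peer]</code> section is the server's, and the server's <code>[Peer]</code> entries carry the clients' public keys, which is the cross-wiring the article describes by hand. The full-tunnel hooks assume iptables; on a host that uses nftables natively, write the equivalent <code>nft</code> rules instead.</p>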
<h2 id="heading-wrapping-up">Wrapping Up</h2>
<p>So that's that. Just as I said, a working VPN in around five minutes' work. You've now got one less excuse for not protecting your online privacy and securing your communications.</p>
<p><em>For more technology goodness, please do subscribe to <a target="_blank" href="https://www.youtube.com/@davidbclinton">my YouTube channel</a> and, when you've got a moment, check out the many Linux, security, data analytics, and AWS books and courses available through <a target="_blank" href="https://bootstrap-it.com">my bootstrap-it.com website</a>.</em></p>
 ]]>
                </content:encoded>
            </item>
        
            <item>
                <title>
                    <![CDATA[ How to Improve Your Data Privacy – A Personal Guide to Protecting Your Online Information ]]>
                </title>
                <description>
                    <![CDATA[ By Megan Kaczanowski What's the difference between data privacy and data security? Data security is about protecting your data from unauthorized access (basically ensuring that hackers can't access your data). Data privacy, on the other hand, is abou... ]]>
                </description>
                <link>https://www.freecodecamp.org/news/a-personal-guide-to-data-privacy/</link>
                <guid isPermaLink="false">66d4603f264384a65d5a959c</guid>
                
                    <category>
                        <![CDATA[ cybersecurity ]]>
                    </category>
                
                    <category>
                        <![CDATA[ data ]]>
                    </category>
                
                    <category>
                        <![CDATA[ information security ]]>
                    </category>
                
                    <category>
                        <![CDATA[ privacy ]]>
                    </category>
                
                <dc:creator>
                    <![CDATA[ freeCodeCamp ]]>
                </dc:creator>
                <pubDate>Fri, 09 Dec 2022 18:51:30 +0000</pubDate>
                <media:content url="https://www.freecodecamp.org/news/content/images/2022/12/pexels-antoni-shkraba-5475793.jpg" medium="image" />
                <content:encoded>
                    <![CDATA[ <p>By Megan Kaczanowski</p>
<p>What's the difference between data privacy and data security?</p>
<p>Data security is about protecting your data from unauthorized access (basically ensuring that hackers can't access your data).</p>
<p>Data privacy, on the other hand, is about giving you more granular control over how (and by whom) your data is accessed, used, or shared. </p>
<p>Both are extremely important. </p>
<h2 id="heading-why-is-data-privacy-important">Why is Data Privacy Important?</h2>
<p>There are a couple big reasons you should care about data privacy (in addition to data security). </p>
<h3 id="heading-cybercriminals-and-scammers">Cybercriminals and scammers</h3>
<p>Cybercriminals and scammers leverage personal information in order to better target scams to you. The less data they have on you, the harder it is to target scams to you and the less likely you are to be targeted. </p>
<p>Also, with sensitive information like your social security number (or other government identification number if you're outside the United States), as well as a couple personal details, scammers can try to steal your identity, open credit cards in your name, or otherwise cause financial and reputation harm. </p>
<h3 id="heading-corporations">Corporations</h3>
<p>If companies are collecting and storing your data (often with poor cybersecurity practices) and are later hacked, that leaves you vulnerable to hackers obtaining that data and carrying out scams. </p>
<p>Even if companies aren't losing your data, they're collecting it for a number of reasons, including:</p>
<ul>
<li>Personalized services (and ads)</li>
<li>Better understanding of their customer base (which improves their ability to effectively sell products)</li>
<li>Training data for models</li>
</ul>
<p>Even if you're okay with this, the down side is that often companies are using data to manipulate you in ways that are hard to realize or break out of. </p>
<p>For example, Facebook performed experiments on their users in order to see if they could manipulate their emotions (without their consent) – and found that they could (<a target="_blank" href="https://www.nytimes.com/2014/06/30/technology/facebook-tinkers-with-users-emotions-in-news-feed-experiment-stirring-outcry.html">Source</a>). Additionally, the spread of data collection has been shown to boost disinformation campaigns around the world. (<a target="_blank" href="https://www.brookings.edu/blog/techtank/2022/06/21/data-misuse-and-disinformation-technology-and-the-2022-elections/">Source</a>)</p>
<h3 id="heading-government-agencies">Government agencies</h3>
<p>Often corporations will provide data to law enforcement or other government agencies without a warrant (or the government agencies will collect the data themselves). </p>
<p>This can lead to broad, sweeping surveillance programs, sometimes targeted based on racial or ethnic groups, or by political affiliation. These programs have typically had disproportionate effect on people of color in the United States, and minority groups throughout the world. </p>
<p>Additionally, in the (recent) past, the US government admitted that: </p>
<blockquote>
<p>"the NSA had for years been secretly collecting records about <a target="_blank" href="https://www.aclu.org/blog/national-security/privacy-and-surveillance/why-todays-landmark-court-victory-against-mass?redirect=blog/speak-freely/why-todays-landmark-court-victory-against-mass-surveillance-matters">virtually every American’s phone calls</a> — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline." (<a target="_blank" href="https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward">source</a>) </p>
</blockquote>
<p>Just because you don't have anything to hide right now doesn't mean that you want everyone in your life (or your government) to monitor everything you do every moment of every day. Protecting your information protects you from some of these effects. </p>
<p>Sometimes, I hear folks complain that it's too late – that their data is already out there and there's no point in trying to improve their data privacy. But the best part about data is that you're constantly generating new data as you browse the internet, make purchases, and go about your life. It's never too late to cut back on sharing your data. And the sooner you do so, the less data you're giving up. </p>
<p>It's a little bit like smoking – even if you've been smoking for many years, it's always a good idea to cut back or quit.</p>
<h2 id="heading-how-to-improve-your-digital-privacy">How to Improve Your Digital Privacy</h2>
<p>So, if you want to reduce the amount of information that is tracked about you, here's a quick list of 10 ways you can improve your digital privacy.</p>
<p>First, <strong>improve your digital security</strong>. You can find my quick guide <a target="_blank" href="https://megankaczanowski.com/digital-security/">here</a>. Having strong digital security and making sure that no unauthorized users can access your data is the first step to protecting your privacy.</p>
<p><strong>Switch to using a browser like <a target="_blank" href="https://brave.com/download/">Brave</a> or <a target="_blank" href="https://duckduckgo.com/">DuckDuckGo</a></strong>, which will protect you against trackers and ads that follow you as you search the internet. </p>
<p>If you continue to use a browser like Chrome, use browser extensions like <a target="_blank" href="https://ublockorigin.com/">uBlock Origin</a> or <a target="_blank" href="https://privacybadger.org/#What-is-Privacy-Badger">Privacy Badger</a>, which stop advertisers and other trackers from secretly tracking where you go and what you're looking at on the internet.</p>
<p><strong>Use end-to-end encrypted chat apps</strong> like <a target="_blank" href="https://signal.org/en/download/">Signal</a> or iMessage. While this is also a security measure, using apps which don't track your metadata is a privacy one.</p>
<p>For example, while WhatsApp has encrypted messaging, it is also owned by Meta (Facebook), and Meta uses the metadata (who's calling whom, when the calls are made, how long they last, and so on), which isn't really protecting your privacy, so I don't recommend it. Plus, if you back those messages up to the cloud, the messages may no longer be encrypted. </p>
<p><strong>Opt out of ad personalization</strong>. You can do so for more than 50 companies <a target="_blank" href="https://simpleoptout.com/">here</a>. Opting out will not prevent companies from collecting your data, but will significantly reduce the data they collect. </p>
<p>Apple rolled out a similar option in a new iPhone update, where you now have the option to ask apps 'not to track'. Additionally, opt to delete your user data from sites like <a target="_blank" href="https://support.google.com/accounts/answer/465?hl=en&amp;co=GENIE.Platform%3DDesktop">Google</a>, <a target="_blank" href="https://time.com/5633726/how-to-delete-facebook-data/">Facebook</a>, and <a target="_blank" href="https://www.forbes.com/sites/davidbalaban/2020/12/11/how-to-remove-your-data-from-twitter/?sh=5c5c9745498c">Twitter</a> (and set up a recurring option to clear your cookies and search history regularly from Google).</p>
<p><strong>Clear out data you no longer need</strong>. If you're disposing of a device, make sure you completely wipe the data (and reset to factory settings) before you do so (and make sure you're doing so for every internet connected device). </p>
<p>If you're very paranoid (like me!), look up the instructions for how to 'sanitize' or permanently erase a device before getting rid of it. </p>
<p>At the same time, review your backup settings for your device and your chat apps. Are you keeping information past the time when you still need it? All of that information is at risk of being used by any applications you've given access to or stolen by hackers in a data breach.</p>
<p><strong>Use a tool like <a target="_blank" href="https://privacy.com/">Privacy</a> to protect your credit card information</strong>. They provide a virtual card for the exact amount of the purchase (or a recurring purchase) so you don't have to disclose your actual credit card number (though you will still be giving away your other information like name and address). </p>
<p>Also consider using a credit card that prioritizes your privacy (like the Apple card, which states that they don't know your transaction history, and don't share or sell your transaction information to third parties).</p>
<p><strong>Review your social network privacy settings regularly</strong>. Check to make sure you're not sharing more information than you'd like. Also make sure that you're covering all of your accounts (Facebook/Instagram, Twitter, Google/Gmail, Yahoo, Venmo, TikTok, and so on).</p>
<p><strong>Close old accounts rather than leave them dormant</strong>. That means that your old accounts (and the information they have on you) are less likely to continue being used by old applications or third parties you've given access to, sold by the application/website, or lost in a data breach.</p>
<p><strong>Review the applications on your phone</strong>, and delete the ones which you don't need or are no longer using. In fact, if you can only use the site via a browser instead of downloading the application (or switch to doing so) it will significantly reduce the amount of data you're sharing. </p>
<p>Take this one step further, and don't sign up for accounts you don't need, and avoid downloading additional applications unless you really need them.</p>
<p>Lastly, <strong>contact your congresspeople/local government representatives</strong>. There's a limit to how much you can do as an individual to maintain your privacy, without taking extremely drastic measures (covered in the additional resources section below). The best option for consumers is better, more consistent regulation of data privacy around the world.</p>
<h3 id="heading-looking-for-more-information">Looking for more information?</h3>
<ul>
<li><a target="_blank" href="https://www.amazon.com/Hiding-Internet-Eliminating-Personal-Information/dp/1500397814">This book from Michael Bazzell</a> is the gold standard for internet privacy, if you're looking to erase your online identity.</li>
<li><a target="_blank" href="https://www.amazon.com/Extreme-Privacy-What-Takes-Disappear/dp/B09W78GW2T/ref=pd_lpo_1?pd_rd_w=YBUvo&amp;content-id=amzn1.sym.116f529c-aa4d-4763-b2b6-4d614ec7dc00&amp;pf_rd_p=116f529c-aa4d-4763-b2b6-4d614ec7dc00&amp;pf_rd_r=HMH66VW54QQ6Q0Z7XYBT&amp;pd_rd_wg=VfguC&amp;pd_rd_r=6f70c63c-0c73-43cb-8505-7dbc3d0bde31&amp;pd_rd_i=B09W78GW2T&amp;psc=1#customerReviews">This book from Michael Bazzell</a> is about starting over and re-creating an online presence.</li>
<li><a target="_blank" href="https://www.amazon.com/Art-Invisibility-Worlds-Teaches-Brother/dp/0316380520/ref=pd_lpo_5?pd_rd_w=YBUvo&amp;content-id=amzn1.sym.116f529c-aa4d-4763-b2b6-4d614ec7dc00&amp;pf_rd_p=116f529c-aa4d-4763-b2b6-4d614ec7dc00&amp;pf_rd_r=HMH66VW54QQ6Q0Z7XYBT&amp;pd_rd_wg=VfguC&amp;pd_rd_r=6f70c63c-0c73-43cb-8505-7dbc3d0bde31&amp;pd_rd_i=0316380520&amp;psc=1#customerReviews">This book from Kevin Mitnick</a> gives some high level tips to improve your data security and privacy.</li>
</ul>
 ]]>
                </content:encoded>
            </item>
        
            <item>
                <title>
                    <![CDATA[ How to Authenticate a User with Face Recognition in React.js ]]>
                </title>
                <description>
                    <![CDATA[ By Hrishikesh Pathak With the advent of Web 2.0, authenticating users became a crucial task for developers.  Before Web 2.0, website visitors could only view the content of a web page – there was no interaction. This era of the internet was called We... ]]>
                </description>
                <link>https://www.freecodecamp.org/news/authenticate-with-face-recognition-reactjs/</link>
                <guid isPermaLink="false">66d45f31182810487e0ce1a6</guid>
                
                    <category>
                        <![CDATA[ Artificial Intelligence ]]>
                    </category>
                
                    <category>
                        <![CDATA[ facial recognition ]]>
                    </category>
                
                    <category>
                        <![CDATA[ privacy ]]>
                    </category>
                
                    <category>
                        <![CDATA[ React ]]>
                    </category>
                
                    <category>
                        <![CDATA[ Security ]]>
                    </category>
                
                <dc:creator>
                    <![CDATA[ freeCodeCamp ]]>
                </dc:creator>
                <pubDate>Fri, 29 Jul 2022 13:55:01 +0000</pubDate>
                <media:content url="https://www.freecodecamp.org/news/content/images/2022/07/FaceIO-react--1-.jpg" medium="image" />
                <content:encoded>
                    <![CDATA[ <p>By Hrishikesh Pathak</p>
<p>With the advent of Web 2.0, authenticating users became a crucial task for developers. </p>
<p>Before Web 2.0, website visitors could only view the content of a web page – there was no interaction. This era of the internet was called Web 1.0.</p>
<p>But after Web 2.0, people gained the ability to post their own content on a website. And then content moderation became a never-ending task for website owners. </p>
<p>To reduce spam on these websites, developers introduced user authentication systems. Now website moderators can easily know the source of spam and can prevent those spammers from accessing the website further.</p>
<p>If you want to know how to implement content moderation on your website, you can read my article on <a target="_blank" href="https://betterprogramming.pub/detect-and-blur-human-faces-on-your-website-8c4a2d69a538">How to detect and blur faces in your web applications</a>.</p>
<p>Now let's see what we'll be getting into in this tutorial.</p>
<h2 id="heading-what-youll-learn-in-this-tutorial">What You'll Learn in This Tutorial</h2>
<p>In this tutorial, we will discuss different authentication techniques you can use to authenticate users. These include email-password authentication, phone auth, OAuth, passwordless magic links, and finally facial authentication. </p>
<p>Our primary focus will be on authentication via face recognition techniques in this article.</p>
<p>We'll also build a project that teaches you how to integrate facial recognition-based authentication in your React web application. </p>
<p>In this project, we'll use the FaceIO SaaS (software as a service) platform to integrate facial recognition-based authentication. So, make sure you set up a free <a target="_blank" href="https://faceio.net/getting-started">FaceIO account</a> to follow along.</p>
<p>And finally, we'll take a look at the user privacy aspect and discuss how face recognition doesn't harm your privacy. We'll also talk about whether it's a reliable choice for developers in the future.</p>
<p>This article is packed with information, hands-on projects, and discussions. Grab a cup of coffee and a slice of pizza 🍕 and let's get started.</p>
<p>The final version of this project looks like this. Looks interesting? Let's do it then.</p>
<p><img src="https://www.freecodecamp.org/news/content/images/2022/07/faceIO-final.gif" alt="Image" width="600" height="400" loading="lazy"></p>
<h2 id="heading-different-types-of-user-authentication-systems">Different Types of User Authentication Systems</h2>
<p>There are many user authentication systems out there right now that you can choose to implement in your websites. There are no truly superior or inferior auth techniques; which one fits comes down to using the right tool for the job.</p>
<p>For example, if you are making a simple landing page to collect emails from users, there is no need to use OAuth. But if you are building a social platform, then using OAuth makes more sense than traditional authentication. You can pull the user's details and profile images directly from OAuth.</p>
<p>If your web application is built around any investment-related content or legally binding services, then using phone auth makes more sense. A user can create unlimited email accounts but they'll have limited phone numbers to use.</p>
<p>Let's take a look at some popular authentication systems so we can see their pros and cons.</p>
<h3 id="heading-email-password-based-authentication">Email-password based authentication</h3>
<p>Email-password-based authentication is the oldest technique for verifying a user. The implementation is also very simple and easy to use. </p>
<p>The pro of this system is you don't need to have a third-party account to log in. If you have an email, whether it is self-hosted or from a service (like Gmail, Outlook, and so on), you are good to go. </p>
<p>The primary con of this system is you need to remember all of your passwords. As the number of websites is constantly growing and we need to log in to most sites to access our profiles, remembering passwords for every site becomes a daunting task for us humans. </p>
<p>Coming up with a unique and strong password is also a huge task. Our brains aren't typically capable of memorizing many random strings of letters and numbers. This is the biggest drawback of email-password-based authentication systems.</p>
<h3 id="heading-phone-authentication">Phone authentication</h3>
<p>Phone authentication is generally a very reliable auth technique to verify a user's identity. As a user typically doesn't have more than one phone number, this can be best suited for asset-related websites where user identity is very important. </p>
<p>But the drawback of this system is people don't want to reveal their phone numbers if they don't trust you. A phone number is much more personal than an email. </p>
<p>One more important factor of phone authentication is its cost. The cost of sending a text message to a user with an OTP is high compared to email. So website owners and developers often prefer to stick with email auth.</p>
<h3 id="heading-oauth-based-authentication">OAuth-based authentication</h3>
<p>OAuth is a relatively new technique compared to the previous two. In this technique, an OAuth provider handles user authentication and supplies useful information on behalf of the user. </p>
<p>For example, if the user has an account with Google, they can log in to other sites directly using their Google account. The website gets the user details from Google itself. This means that there's no need to create multiple accounts and remember every password for those accounts. </p>
<p>The major drawback of this system is that you as a developer have to trust the OAuth providers and many people don't want to link all their accounts for privacy reasons. So you'll often see an email-password field in addition to OAuth on most websites.</p>
<h3 id="heading-magic-link-authentication">Magic link authentication</h3>
<p>Magic links solve most of the problems you face in email-password-based authentication. Here you have to provide only your email address and you will receive an email with an auth link. Then you have to open this link in your browser and you are done. No need to remember any passwords. </p>
<p>This type of authentication has gained in popularity these days. It saves a lot of time for the user, and it's also very cheap. And you don't have to trust a third party like in the case of OAuth.</p>
<h3 id="heading-facial-recognition-authentication">Facial recognition authentication</h3>
<p>Facial recognition is one of the latest authentication techniques, and many developers are adopting it these days. Facial recognition reduces the hassle of entering your email-password or any other user credentials to log in to a web application. </p>
<p>The most important thing is that this authentication system is fast and doesn't need any special hardware. You just need a webcam, which almost all devices have nowadays. </p>
<p>Facial recognition technology uses artificial intelligence to map out the unique facial details of a user and store them as a hash (some random numbers and text with no meaning) to reduce privacy-related issues. </p>
<p>Building and deploying an artificial intelligence-based face recognition model from scratch is not easy and can be very costly for indie developers and small startups. So you can use SaaS platforms to do all this heavy lifting for you. FaceIO and AWS Rekognition are examples of these types of services you can use in your projects.</p>
<p>In this hands-on project, we are going to use FaceIO APIs to authenticate a user via facial recognition in a React web application. FaceIO gives you an easy way to integrate the authentication system with their <code>fio.js</code> JavaScript library.</p>
<h2 id="heading-project-setup">Project Setup</h2>
<p>Before starting, make sure to create a FaceIO account and create a new project. Save the public ID of your FaceIO project. We need this ID later in our project.</p>
<p>To make a React.js project, we will use Vite. To start a Vite project, navigate to your desired folder and execute the following command:</p>
<pre><code class="lang-bash">npm create vite@latest
</code></pre>
<p>Then follow the instructions and create a React app using Vite. Navigate inside the folder and run <code>npm install</code> to install all the dependencies for your project.</p>
<p><img src="https://www.freecodecamp.org/news/content/images/2022/07/Screenshot-from-2022-07-27-10-46-05.png" alt="Image" width="600" height="400" loading="lazy"></p>
<p>After following all these steps, your project structure should look like this:</p>
<pre><code class="lang-bash">.
├── index.html
├── package.json
├── package-lock.json
├── public
│   └── vite.svg
├── src
│   ├── App.css
│   ├── App.jsx
│   ├── assets
│   │   └── react.svg
│   └── main.jsx
└── vite.config.js
</code></pre>
<h2 id="heading-how-to-integrate-faceio-into-our-react-rroject">How to Integrate FaceIO into Our React Project</h2>
<p>To integrate FaceIO into our project, we need to add their CDN script in the <code>index.html</code> file. Open the <code>index.html</code> file and add the FaceIO CDN script before the <code>root</code> element. To learn more, check out <a target="_blank" href="https://faceio.net/integration-guide">FaceIO's integration guide</a>.</p>
<pre><code class="lang-html"><span class="hljs-tag">&lt;<span class="hljs-name">body</span>&gt;</span>    
    <span class="hljs-tag">&lt;<span class="hljs-name">script</span> <span class="hljs-attr">src</span>=<span class="hljs-string">"https://cdn.faceio.net/fio.js"</span>&gt;</span><span class="hljs-tag">&lt;/<span class="hljs-name">script</span>&gt;</span>
    <span class="hljs-tag">&lt;<span class="hljs-name">div</span> <span class="hljs-attr">id</span>=<span class="hljs-string">"root"</span>&gt;</span><span class="hljs-tag">&lt;/<span class="hljs-name">div</span>&gt;</span>
    <span class="hljs-tag">&lt;<span class="hljs-name">script</span> <span class="hljs-attr">type</span>=<span class="hljs-string">"module"</span> <span class="hljs-attr">src</span>=<span class="hljs-string">"/src/main.jsx"</span>&gt;</span><span class="hljs-tag">&lt;/<span class="hljs-name">script</span>&gt;</span>
<span class="hljs-tag">&lt;/<span class="hljs-name">body</span>&gt;</span>
</code></pre>
<p>Now remove all the code from the <code>App.jsx</code> file to start from scratch. I've kept this tutorial as minimal as possible. So I've only added a heading and two buttons in the UI to demonstrate how the FaceIO facial authentication process works. </p>
<p>Here, one button works as a sign-in button, and the other one works as a log-in button.</p>
<p>The code inside the <code>App.jsx</code> file looks like this:</p>
<pre><code class="lang-jsx"><span class="hljs-keyword">import</span> <span class="hljs-string">"./App.css"</span>;
<span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">App</span>(<span class="hljs-params"></span>) </span>{
  <span class="hljs-keyword">return</span> (
    <span class="xml"><span class="hljs-tag">&lt;<span class="hljs-name">section</span>&gt;</span>
      <span class="hljs-tag">&lt;<span class="hljs-name">h1</span>&gt;</span>Face Authentication by FaceIO<span class="hljs-tag">&lt;/<span class="hljs-name">h1</span>&gt;</span>
      <span class="hljs-tag">&lt;<span class="hljs-name">button</span>&gt;</span>Sign-in<span class="hljs-tag">&lt;/<span class="hljs-name">button</span>&gt;</span>
      <span class="hljs-tag">&lt;<span class="hljs-name">button</span>&gt;</span>Log-in<span class="hljs-tag">&lt;/<span class="hljs-name">button</span>&gt;</span>
    <span class="hljs-tag">&lt;/<span class="hljs-name">section</span>&gt;</span></span>
  );
}

<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> App;
</code></pre>
<h3 id="heading-how-to-register-a-users-face-using-faceio">How to Register a User's Face using FaceIO</h3>
<p>Working with FaceIO is very fast and easy. As we are using the <code>fio.js</code> library, we have to execute only one helper function to authenticate a user. This <code>fio.js</code> library will do most of the work for us.</p>
<p>To register a user, we initialize our FaceIO object inside a <code>useEffect</code> hook. Otherwise, every time a state changes, it re-runs the components and reinitializes the <code>faceIO</code> object.</p>
<pre><code class="lang-js"><span class="hljs-keyword">let</span> faceio;
useEffect(<span class="hljs-function">() =&gt;</span> {
    faceio = <span class="hljs-keyword">new</span> faceIO(<span class="hljs-string">"Your Public ID goes here"</span>);
}, []);
</code></pre>
<p>Your FaceIO public ID is located on your FaceIO console. Copy the public ID and paste it here to initialize your FaceIO object.</p>
<p>Now, define a function named <code>handleSignIn()</code>. This function contains our user registration logic. </p>
<p>Inside the function, call the <code>enroll</code> method of the <code>faceIO</code> object. This <code>enroll</code> method is equivalent to the sign-up function in a standard password-backed registration system and accepts a <code>payload</code> argument. You can add any user-specific information (for example their name or email address) to this payload. </p>
<p>This payload information will be stored along with the facial authentication data for future reference. To learn about other optional arguments, check out their <a target="_blank" href="https://faceio.net/integration-guide#enroll">API docs</a>.</p>
<p>In our sign-in <code>button</code>, on user click we invoke this <code>handleSignIn()</code> function. The code snippets for user sign-in look like this:</p>
<pre><code class="lang-js"><span class="hljs-keyword">const</span> handleSignIn = <span class="hljs-keyword">async</span> () =&gt; {
    <span class="hljs-keyword">try</span> {
      <span class="hljs-keyword">let</span> response = <span class="hljs-keyword">await</span> faceio.enroll({
        <span class="hljs-attr">locale</span>: <span class="hljs-string">"auto"</span>,
        <span class="hljs-attr">payload</span>: {
          <span class="hljs-attr">email</span>: <span class="hljs-string">"example@gmail.com"</span>,
          <span class="hljs-attr">pin</span>: <span class="hljs-string">"12345"</span>,
        },
      });

      <span class="hljs-built_in">console</span>.log(<span class="hljs-string">` Unique Facial ID: <span class="hljs-subst">${response.facialId}</span>
      Enrollment Date: <span class="hljs-subst">${response.timestamp}</span>
      Gender: <span class="hljs-subst">${response.details.gender}</span>
      Age Approximation: <span class="hljs-subst">${response.details.age}</span>`</span>);
    } <span class="hljs-keyword">catch</span> (error) {
      <span class="hljs-built_in">console</span>.log(error);
    }
  };

<span class="xml"><span class="hljs-tag">&lt;<span class="hljs-name">button</span> <span class="hljs-attr">onClick</span>=<span class="hljs-string">{handleSignIn}</span>&gt;</span>Sign-in<span class="hljs-tag">&lt;/<span class="hljs-name">button</span>&gt;</span></span>
</code></pre>
<p><img src="https://www.freecodecamp.org/news/content/images/2022/07/faceIO-1.png" alt="Image" width="600" height="400" loading="lazy">
<em>FaceIO screen</em></p>
<h3 id="heading-how-to-sign-in-using-face-recognition">How to Sign In using Face Recognition</h3>
<p>After registering the user, you'll need to get the user into the authentication or log-in/sign-in flow. Using the <code>fio.js</code> library also makes it very easy for us to set up a log-in flow using face authentication. </p>
<p>We have to invoke the <code>authenticate</code> method of the <code>faceIO</code> object, which is equivalent to the sign-in function in a standard password-backed registration system. All the critical work is done by the <code>fio.js</code> package.</p>
<p>At first, define a new function named <code>handleLogIn()</code> to handle all the log-in logic in our React app. Inside this function, we invoke the <code>authenticate</code> method of the <code>faceIO</code> object as I mentioned earlier.</p>
<p>This method accepts a <code>locale</code> argument. This is the default language of the interaction of users with FaceIO widgets. If you are not sure, you can assign <code>auto</code> in this field. </p>
<p>The <code>authenticate</code> method also takes more optional arguments like <code>permissionTimeout</code>, <code>idleTimeout</code>, <code>replyTimeout</code> and so on. You can check out their API documentation to know more about optional arguments.</p>
<p>We invoke this <code>handleLogIn()</code> function when someone clicks on the <code>Log-in</code> button:</p>
<pre><code class="lang-js"><span class="hljs-keyword">const</span> handleLogIn = <span class="hljs-keyword">async</span> () =&gt; {
    <span class="hljs-keyword">try</span> {
      <span class="hljs-keyword">let</span> response = <span class="hljs-keyword">await</span> faceio.authenticate({
        <span class="hljs-attr">locale</span>: <span class="hljs-string">"auto"</span>,
      });

      <span class="hljs-built_in">console</span>.log(<span class="hljs-string">` Unique Facial ID: <span class="hljs-subst">${response.facialId}</span>
          PayLoad: <span class="hljs-subst">${response.payload}</span>
          `</span>);
    } <span class="hljs-keyword">catch</span> (error) {
      <span class="hljs-built_in">console</span>.log(error);
    }
  };

<span class="xml"><span class="hljs-tag">&lt;<span class="hljs-name">button</span> <span class="hljs-attr">onClick</span>=<span class="hljs-string">{handleLogIn}</span>&gt;</span>Log-in<span class="hljs-tag">&lt;/<span class="hljs-name">button</span>&gt;</span></span>
</code></pre>
<p>Our user authentication project using FaceIO and React is now complete! You learned how to register and log in a user. You can see the process is fairly simple compared to implementing an <code>email-password</code> based or some other authentication method we discussed earlier in this article.</p>
<p>Now you can style all the <code>jsx</code> elements using CSS. I didn't add CSS here to reduce complexity in this project. If you are curious, you can take a look at my <a target="_blank" href="https://gist.github.com/hrishiksh/bf76c98e05f6e85eb46d7e736bae351d">GitHub gist</a>.</p>
<p>If you want to host this React FaceIO project for free, you can check out this article on <a target="_blank" href="https://hrishikeshpathak.com/blog/deploy-nextjs-cloudflare-pages">how to deploy your React and Next.js project on Cloudflare Pages</a>.</p>
<h2 id="heading-how-to-use-the-faceio-rest-api">How to Use the FaceIO REST API</h2>
<p>Besides providing widgets via the <code>fio.js</code> library, FaceIO also provides <a target="_blank" href="https://faceio.net/rest-api">REST APIs</a> to streamline the authentication process. </p>
<p>Every application in the FaceIO console has an API key. You can use this API key to access the FaceIO REST API endpoints. The base URL for the REST API is <code>https://api.faceio.net/</code>.</p>
<p>The URL schema accepts URL parameters like this <code>https://api.faceio.net/cmd?param=val&amp;param2=val2</code>. Here <code>cmd</code> is an API endpoint and <code>param</code> is an endpoint parameter if it accepts any.</p>
<p>Using the REST API endpoints, you can automate various tasks in your backend.</p>
<ol>
<li>You can delete a face ID on a user's request.</li>
<li>You can attach a payload with a face ID.</li>
<li>You can change the PIN associated with a face ID.</li>
</ol>
<p>This REST API is intended to be used purely on the server side. Make sure you don't expose it to clients. It's important that you read the following Privacy and Security sections to learn more about this.</p>
<h2 id="heading-how-to-use-faceio-webhooks">How to Use FaceIO WebHooks</h2>
<p>Webhooks are event-driven communication systems among servers. You can use this <a target="_blank" href="https://faceio.net/webhooks">webhook feature of FaceIO</a> to update and sync your backend with new events happening in your front-end web application. </p>
<p>The event of this webhook fires on new user enrollment, facial authentication success, facial ID deletion, and so on.</p>
<p>You can set up FaceIO webhooks in your project console. A typical webhook call from FaceIO lasts for 6 seconds. This contains all the information about a specific event in a JSON format and looks like this:</p>
<pre><code class="lang-json">{
  <span class="hljs-attr">"eventName"</span>:<span class="hljs-string">"String - Event Name"</span>,
  <span class="hljs-attr">"facialId"</span>: <span class="hljs-string">"String - Unique Facial ID of the Target User"</span>,
  <span class="hljs-attr">"appId"</span>:    <span class="hljs-string">"String - Application Public ID"</span>,
  <span class="hljs-attr">"clientIp"</span>: <span class="hljs-string">"String - Public IP Address"</span>,
  <span class="hljs-attr">"details"</span>: {
     <span class="hljs-attr">"timestamp"</span>: <span class="hljs-string">"Optional String - Event Timestamp"</span>,
     <span class="hljs-attr">"gender"</span>:    <span class="hljs-string">"Optional String - Gender of the Enrolled User"</span>,
     <span class="hljs-attr">"age"</span>:       <span class="hljs-string">"Optional String - Age of the Enrolled User"</span>
   }
}
</code></pre>
<h2 id="heading-privacy-and-faceio">Privacy and FaceIO</h2>
<p>Privacy is one of the most important concerns for users today. As big corporations use your data for their own benefit, questions arise about whether these face recognition techniques respect user privacy and are legitimate.</p>
<p>FaceIO as a service follows all the privacy guidelines and gets user consent before requesting camera access. Even if the developer wanted it to, FaceIO doesn't scan faces without getting consent. Users can easily opt out of the system and can delete their facial data from the server.</p>
<p>FaceIO is CCPA and GDPR compliant. As a developer, you can release this facial authentication system anywhere in the world without facing privacy issues. You can read more <a target="_blank" href="https://faceio.net/apps-best-practice">about FaceIO privacy best practices</a> in this article.</p>
<h2 id="heading-faceio-security">FaceIO Security</h2>
<p>The security of a web application is an important topic to discuss and consider. As a developer, you are responsible for the security of your site's or application's users.</p>
<p>FaceIO follows some important and serious security guidelines for user data protection. FaceIO hashes all the unique facial data of the user along with the payload we specified earlier, so the stored information is nothing but opaque strings that can't be reverse engineered.</p>
<p>FaceIO outlines some very important <a target="_blank" href="https://faceio.net/security-best-practice">security guidelines</a> for developers. Their security guide focuses on adding a strong PIN code to protect user data. FaceIO also rejects covered faces so that no one can impersonate someone else.</p>
<h2 id="heading-conclusion">Conclusion</h2>
<p>If you've read this far, thank you for your time and effort. Make sure to follow along with the hands-on tutorial so you can fully grasp the topic.</p>
<p>The project should be approachable if you follow all the steps. If you make something out of it, show me on <a target="_blank" href="https://twitter.com/hrishikshpathak">Twitter</a>. If you have any questions, please ask. I will be happy to help you. Till then, have a good day.</p>
 ]]>
                </content:encoded>
            </item>
        
    </channel>
</rss>
