VPN, phone security tips: How to avoid phishing and identity theft

With his Stupid Sexy Privacy podcast miniseries, B.J. Mendelson’s mission is to get people to do the bare minimum of work to protect their privacy and data. He shares his tips below.

One day B.J. Mendelson was playing Roblox with his school-age nieces when he suddenly heard a stranger’s voice coming through one of their iPads. As a longtime digital security fanatic, he was quite intimidated. He knew how to protect himself online, but the incident highlighted just how many opportunities for data breaches lurk in everyday devices. Most people, including his own brother and sister-in-law, run them without a playbook.

So this fall he decided to start a podcast miniseries with the goal of making digital privacy more accessible. Even sexy. The result is Stupid Sexy Privacy, a show in which he and his co-host Rosie Tran give listeners bite-sized, actionable tips on how to handle basic tech stuff like password management, keeping your car from tapping your data, and all things Elon Musk does admit to Twitter. Mendelson was kind enough to share some of this privacy wisdom with Slate, though you should probably get a VPN before reading it.

This interview has been condensed and edited for clarity from two interviews.

Heather Schwedel: Consider the hypothetical person who knows absolutely nothing about privacy – what can they do to improve their security, right now?

BJ Mendelson: Use the right browser and get a forwarding email address. I use DuckDuckGo and an @duck email address. Today, most marketing emails contain trackers that collect data about you. The @duck forwarding address removes the tracker and forwards it to your real email address, allowing you to receive messages without companies collecting your information.

You can also use ClamAV to scan for malicious software and use Signal for messages. Signal is great – it’s not demanding, it has a lot of fun features, there’s a group chat option, and you can securely chat with your friends and family without worrying about someone being able to access your messages. If I can get people reading this to just switch over to Signal, I’ve already done a lot of the work.

Also, get a VPN (Virtual Private Network). It obfuscates your web activity and limits the data your internet service provider can collect about you.

I thought a VPN was for watching streaming services from other countries and buying dark web drugs. As an average person, do I really need one?

If you are at home, you don’t have to worry. But if you’re on the go and using public Wi-Fi, by all means do it. About 90 percent of Gen Z and Millennials own a smartphone. [Actually, it’s about 98 percent for Gen Z and 94 percent for Millennials.] We’re all on the go, using and connecting to different Wi-Fis that are probably not secure. This is serious business. That’s why I use tools like Proton VPN, which has an app. You light it up and then you go.

Can you tell me about some of the biggest takeaways from the last episode, about protecting yourself after a breakup?

If you’re going through a breakup and have shared your device with this partner, you absolutely need a new device. This is the only way to guarantee that there is no keylogger – which allows the person who installed it to monitor everything you type on your keyboard, including passwords, emails, etc. – or any other type of spyware, which they installed there.

When I heard this tip, I balked at the idea that it was easy. First of all, they recommend getting a new Mac, which is expensive!

You’re right, it’s expensive. And it sucks. And I wish there was an alternative. But for most people, this is the easiest and most basic way to protect yourself.

It also seemed a little extreme to me to get a new computer every time you go through a breakup. In many cases you’ve been with a decent person and it just didn’t work out – should you really be afraid of them?

That’s always the question, isn’t it? In the privacy space, they talk about threat vectors, which is really just a nice way of asking how likely it is that someone will do some shit to you. But today it’s easy to be evil. Unfortunately, revenge porn is a huge thing. That’s why we’re talking about this stuff.

But you are right. I have a few ex-girlfriends who had access to my stuff. Am I afraid they will spy on me? No. But is it possible? The possibility is always there.

These costs must add up. How much money do you personally spend on data protection every year?

Signal is free. DuckDuckGo is free. DuckDuckGo forwarding email address is free. ClamAV is free. Proton VPN is a regular expense that is around $100 per year. Again, the beauty of privacy is that a lot of these things are open source, meaning they’re freely available, and the incentive is usually to protect users rather than make a profit. There are services like 1Password that I also pay for.

Unfortunately, DeleteMe, the other service that I think everyone needs, is also expensive. It is a tool that removes personally identifiable information collected by data brokers. If you have two weeks of free time, you can visit all 600 of these data brokers yourself and fill out a form on their individual websites, often buried under a bunch of lawyers. This may allow you to create even more data that then goes back to them. So, DeleteMe constantly searches for your information and then deletes it again, saving you time. I paid about $250 for it.

All in all, I spend about $300 or $350 a year on data protection. And I want to be clear: this sucks. I shouldn’t have to pay for this. Something like DeleteMe should be government funded for everyone to use.

What’s the dumbest infosec mistake people make?

Clicking on suspicious links in emails and text messages. We all fall for it. I fell for it. My dad fell for it recently. Just understand that not everything you receive is secure, especially in email. There’s a company I work with and we keep getting phishing emails that look like they’re from the CEO. Everything looks so real and sophisticated that people click on it. And that was the most common.

People have to look for typos and misspellings in these emails. And check whether the sender’s domain is correct. What does the site look like when you click through? And when you click, please do so with Tor, for heaven’s sake. Anytime you find a link suspicious, on a desktop you can just download Tor and paste the link there. This way, you can safely view a link without worrying about it hijacking your system.

Your first book on data protection was published a few years ago and you are currently working on a new one. In your opinion, what have been the biggest changes in this landscape since the last book was published?

Definitely that thing that’s going on with Twitter. But before that, it was the scope and scale of Russia’s hacking of the DNC [Democratic National Committee]. We didn’t know how deep it was. But I think the level of sophistication is something people should be aware of.

Here’s the scary thing: The tools and tactics that Russia used have now been co-opted by republican activists, fascists, and other maniacs to harass, punish, and spread misinformation. Things like trying to smear people with old tweets or things taken out of context have also become so much more common and aggressive for the everyday person. When I first wrote the book we talked about governments, journalists and big organizations being affected by these attacks, but now we all have to deal with it.

I definitely want to talk about Twitter. What should people do now in relation to Twitter?

If you’re staying, the first thing you should do is protect your tweets by going to your settings, then going to the “Privacy & Security” tab, then clicking “Audience and Tagging.” This makes them private so only the people who follow you can see them. That’s important, because what will happen when Musk releases the new Twitter Blue? If you look at the ad for Twitter Blue, it says, “Push right to the top of @messages and DMs.” If I were a bad actor, I could buy Twitter Blue and just start harassing people in a way which is harder to ignore. Protecting your tweets can help.

The second thing is using a YubiKey, Google Authenticator, or Authy. Google Authenticator and Authy are two-factor authentication apps that are more secure than SMS. However, the most secure option is a YubiKey, a physical key that plugs into your USB drive or phone and that you must have with you to log into Twitter.

The third thing, and this goes into the legal realm, is deleting your DMs in case someone breaks into your account. The response I got to this is, “Well, that doesn’t delete them from the Twitter servers.” Two things on that: First, you should delete all your past and future Twitter DMs, just in case someone breaks into your account and finds information that could be used to break into your other accounts. Second, if Twitter employees access your DMs, the company is liable under the Stored Communications Act. Employees of companies like Facebook and Google can be prosecuted for accessing this type of private information and using it in certain ways.

I think there is a real risk that if you are the average person using Twitter you can still be hacked. Also, privacy is something we need to do together. Not only do you protect yourself, you also protect other people you have had conversations with.

Another idea I’ve always been suspicious of is that I need to put a sticker on my laptop camera.

This is also a crime of opportunity. Let’s say you are at work and there is a security breach in the company server. When that happens, people can find a way to access your laptop, and there’s a good chance they’ll activate your microphone and video camera without you knowing. For a long time I told people to just stick a post-it note over the camera. I know it sounds silly, but it’s a valid concern.

Just talking about hidden cameras for a second, this is a global epidemic across the world that is adversely affecting women. Therefore, getting an RF detector — a small device that detects hidden cameras — can go a long way in protecting you and your privacy. You can also get a microphone blocker to disable microphone access so no apps on your phone can hear you.

OK, one more question. What’s the sexiest thing about privacy?

There’s nothing sexier than sharing pictures and videos with your partner, especially during times like a pandemic, and not having to worry, “Oh my god, is that going to end up on a man’s hard drive or website?”

I find the intimacy with the knowledge of security very sexy.
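The sender checks from the phishing answer above (a CEO-looking sender, a domain that is slightly misspelled), sketched as an added example that is not part of the original interview. The trusted domain, the executive name and the three sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "example.com"   # assumption: the organisation's real mail domain
EXECUTIVES = {"dana reyes"}      # assumption: display names an impersonator would borrow

# Constructed sample messages (not real mail).
SAMPLES = {
    "genuine": "From: Dana Reyes <dana.reyes@example.com>\nSubject: Q3\n\nSee attached.\n",
    "lookalike": "From: Dana Reyes <dana.reyes@examp1e.com>\n"
                 "Reply-To: dana@mail-desk.test\nSubject: Urgent\n\nPlease handle today.\n",
    "freemail": 'From: "Dana Reyes" <ceo.office@mailbox.test>\nSubject: Favor\n\nAt your desk?\n',
}

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Lower-cased domain of the address in a From/Reply-To header ('' if absent)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def sender_findings(raw_message):
    """Return the list of reasons the sender headers look suspicious."""
    msg = message_from_string(raw_message)
    name = parseaddr(msg.get("From", ""))[0].strip().lower()
    from_dom = domain_of(msg.get("From"))
    findings = []
    if from_dom != TRUSTED_DOMAIN:
        if name in EXECUTIVES:
            findings.append("executive display name on outside domain")
        if 0 < edit_distance(from_dom, TRUSTED_DOMAIN) <= 2:
            findings.append("lookalike of trusted domain")
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append("Reply-To domain differs from From domain")
    return findings
```

A message that forges the exact trusted domain in its From header passes these checks; catching that case depends on the SPF, DKIM and DMARC results recorded by the receiving mail server.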

What are the top 10 ways to protect your identity online?

How can I protect my identity online?

  • Protect your computer and smartphone with strong, up-to-date security software. …
  • Learn how to spot spam and scams. …
  • Use strong passwords. …
  • Monitor your credit score. …
  • Check your credit score. …
  • Block your balance. …
  • Only use reputable websites when purchasing. …
  • Stay alert.

What is the first step in dealing with identity theft?

Security freeze: A freeze prevents identity thieves from opening fraudulent accounts in your name. It also means that you cannot easily open a new account or apply for a loan yourself while it is in place. You must contact each of the credit bureaus to freeze your credit report.

What is the first step in identity theft?

Step 1: Collecting personal information. The first step in identity theft is for thieves to steal your personal information. This can be done in a variety of ways including hacking, fraud and scams, phishing scams, email stealing, and data breaches.

What Are the 5 Most Common Types of Identity Theft?

Driver’s License Identity Theft. Mail Identity Theft. Online shopping scam. Social security number identity theft.

What 2 things should you do if your identity is stolen?

Explain that someone has stolen your identity and ask them to close or freeze the compromised account. Contact any of the three credit bureaus and ask for a free fraud alert to be included on your credit report. Also, ask for a free credit report.

What 4 steps should you take if your identity has been stolen?

Contact your local police station. Place a fraud alert on your credit reports. Block your balance. Sign up for a credit monitoring service.

What is step two if someone steals your identity?

2. Notify companies of your stolen identity. Don’t wait to notify companies where fraudulent transactions or accounts have taken place. Call them right away to make them aware of the problem.