How to stay safe online: Personal Information

By Lyndsey Burton

A REPORT into digital exclusion by the Low Incomes Tax Reform Group in 2012 [pdf] highlighted the pressing need to support people not just in getting online but in reaching the computer literacy levels needed to make effective use of online services.

As Government continues with its "digital by default" strategy, the LITRG report shows that "significant numbers of citizens are being left behind as a result of government policy and are in danger of falling even further behind in the future".

Amongst sending and receiving email, and finding information online, Go ON UK noted sharing personal information as a basic online skill, particularly in relation to these four activities:

So in this section we'll look at the situations when you might be entering personal information into websites and how to make sure you're doing this safely.

Protecting your information

One of the best ways to stay safe is to be prepared, and often that means knowing what you're likely to come up against before it happens.

In terms of protecting your information online, there are three main things to be really aware of:

  1. Where you could be entering your information into an unsafe website
  2. Where an otherwise safe website could pass on your information
  3. Where an otherwise safe website could expose your information to others

Let's look at those three in more detail.

Entering your information into unsafe websites

As is the case with scam emails, replica and fake websites may seem to sell goods or services - but rather than selling you a product they simply collect your information to use or to sell on for fraud.

This is a pretty opaque tactic and the best way to avoid it is to only shop with websites you know and trust.

Stick to big names like Amazon, Tesco, Marks and Spencer or Debenhams for example. This means you're not taking the risk with small retailers or online outfits that you don't really know anything about.

While the Internet is full of "good buys" and "discounts", it's often the case that the hassle and potential risk just isn't worth it. Plus, most of the best prices can still be found on big name websites like Amazon - and of course Tesco is just as cheap online as it is in store.

Like with scam emails, if something sounds too good to be true it probably is, and you're better off avoiding it, however tempting it may seem.

What help is available

HTTPS and the padlock

Legitimate websites know people are wary about shopping online and will use security certificates to help ensure consumer confidence.

While VeriSign is probably the most well known provider of such certificates, there are plenty of others which all work more or less the same way.

When you head to the check out of a shopping website, you should be transferred to an encrypted connection. You'll know this has happened because the web address in your browser will change from "http" to "https". You should also see a padlock appear somewhere near the address bar too.

marks and spencer secure checkout

HTTPS means that any information you enter is sent encrypted, so hackers who intercept the data transfer can't read your information. It protects the connection rather than vouching for the shop itself, so treat it as one check among several.

Make sure to look for the "padlock" and don't be afraid to check that the security certificate of any site you buy goods or services from is valid. You can do this by clicking on the padlock, which should bring up a window like that shown above.

Credit card fraud liability

The majority of credit card providers subscribe to an industry guideline called the Lending Code.

The Lending Code sets out maximum liabilities for cardholders who fall victim to fraud, whether online or otherwise.

The guidelines state that where fraud is committed without a cardholder's knowledge or consent, they cannot be held liable for more than £50.

Some credit card providers go even further than this, by offering "Internet fraud guarantees" with zero liability when the fraud takes place online.

The result is that it's usually safer to pay by credit card when shopping online if you possibly can.

Purchase Protection
Section 75, a piece of consumer credit law, is another good reason to use your credit card when you can. If you buy something online and it fails to turn up, arrives damaged or is not as described, the credit card provider is held equally liable with the supplier for the full purchase price.

3D Secure

Whether you're paying online by credit or debit card, the fairly recent addition of "3D Secure" services by Visa and MasterCard offers some further protection against fraud online.

They're not foolproof: in fact, all they protect against is unauthorised use of your card with participating merchants.

But they do provide an extra level of protection, in the form of a request for a preset password as well as your other credit or debit card details when shopping online with particular retailers.

PayPal buyer protection

It's worth being aware, however, that using PayPal will remove your Section 75 consumer protection, even though you may well be paying PayPal with your credit card. That's because you're adding a third party into the supplier > credit card provider chain, and Section 75 only applies to direct purchases.

However, PayPal often comes into its own when shopping on smaller sites and, of course, eBay.

The main benefit of PayPal is that it hides your payment details from the company or person you're buying from, which means your personal information stays safe.

PayPal also offers its own "buyer protection", which guarantees your money back if you run into problems such as those mentioned under the Section 75 protections.

What you need to do

Safe browsing

As we've covered, safe browsing often means visiting sites you know and trust.

The easiest way to do this is to type the web addresses of sites you want to visit into your browser yourself. If you don't know the address, use a well-known search engine like Google, Yahoo! or Bing and search for the company name.

It's not unheard of for some bad websites to slip through the net, but generally speaking search engines are pretty good at detecting spam sites and hosted malware, and Google for example will flag up suspected sites.

Using some of the tools we've mentioned in part two on browsing, such as Norton Safe Search - a search engine powered by - will help to protect you further.

Double check the web address

It's also worth double-checking the domain name - is it what you expect it to be? Is it spelt correctly? Make sure you're on "" and not "" or "" for example.

Like email phishing scams, you can also come across replica sites occasionally just by browsing in the wrong places too. Sites can be made that replicate trusted online shops, such as Amazon, as well as banks.
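The address check described above can also be automated. The following is an added example, not part of the original article: the trusted list, the sample addresses and the two-character threshold are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumption: a short personal list of shop domains you already know and trust.
TRUSTED = ("amazon.co.uk", "tesco.com", "marksandspencer.com")

# Constructed sample addresses, for illustration only.
SAMPLES = (
    "https://www.amazon.co.uk/basket",
    "http://www.tesco.com/checkout",
    "https://www.amaz0n.co.uk/",
    "https://amazon.co.uk.orders.example/",
    "https://www.debenhams.com/",
)


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_address(url):
    """Classify a web address against the trusted list."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    # Exact match, or a genuine subdomain of a trusted name.
    for good in TRUSTED:
        if host == good or host.endswith("." + good):
            return "trusted" if parts.scheme == "https" else "trusted name, not https"
    for good in TRUSTED:
        # The trusted name buried inside a different domain.
        if good in host:
            return "lookalike of " + good
        # A misspelling within two characters of a trusted name (assumed threshold).
        if edit_distance(host, good) <= 2:
            return "lookalike of " + good
    return "unknown site"


if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url:40} {check_address(url)}")
```

An "unknown site" result is not a verdict either way; it just means the address isn't on your own list and deserves the checks covered in this section.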

Secure your wireless network

Before you start doing next year's Christmas shopping in the sales, it's also worth double-checking that your wireless network - if you're using one - is secure too.

Wireless networks can be hacked into and the information you send and receive whilst online can be intercepted if your network is left open.

Find out more about how to do this in this guide to securing a wireless network.

Where a website could pass on your information

Then there are the websites that seem completely above board but do things with your information that you might not like. This is a tricky one to spot and can require a bit of digging around on any site asking for your data.

On the brighter side though, you only have to look in one place: the Privacy Policy.

The Privacy Policy is a document that websites must provide by law, in which they set out the way they'll store and use any information they collect about you or that you provide.

Of course, fake and scam websites probably won't stick to the law, but checking privacy policies is the way to be sure about what happens to your information on sites that fall into the middle ground - say, legally operating companies that are on the borders of being unscrupulous, unethical or just not very consumer friendly.

These websites may well provide a good service, but then sell on or otherwise distribute your information to partner companies, who may begin to contact you with advertising offers or, in worst-case scenarios, sign you up to paid services on the quiet.

There's a good example of this from 2007, when Interflora passed on customer details to a company that automatically signed them up to a shopping discount program charging £8 a month for membership.

Many customers were completely unaware of this until they noticed the money being taken from their accounts.

It turned out that hidden in Interflora's privacy policy was a clause permitting them to pass on customer details to a company called Webloyalty. They in turn could basically do as they wished with that information.

At the time, Interflora's privacy policy read:

"If you are a new or existing customer, and where you permit selected third parties (such as Webloyalty, as described below) to use your Personal Information, we (or they) will contact you by e-mail, mail, telephone, SMS or other means."

So far, so good.

Interflora then set out the terms of consent for this information to be passed on. This involved not much more than agreeing to permit "select third parties" to access personal information, as mentioned above, then clicking on a button offering details of a discount voucher.

At this point, the following applied:

"If you do consent to your Personal Information being disclosed by us to Webloyalty... your Personal Information will be held by Webloyalty for the purposes set out in Webloyalty's privacy policy. Therefore, you are strongly advised to read Webloyalty's privacy policy and satisfy yourself as to the purposes for which Webloyalty will use your Personal Information before agreeing to Webloyalty's terms and conditions. We have no responsibility for the uses to which Webloyalty International Limited puts your personal information."

Basically, the online equivalent of looking at the money off coupon that came with the receipt tied people into whatever Webloyalty wanted.

What you need to do

Check the privacy policy

Check the website/retailer privacy policy before entering any personal information and make sure they say they won't share your details with anyone else.

Personal information we're talking about here includes any one or more of the following:

As mentioned above, Interflora's privacy policy allowed them to do this as long as customers agreed to their information being passed to "selected third parties".

Most sites will have a couple of check boxes near the boxes for your contact or payment details, asking you to opt in or out (usually out) of the company's marketing campaigns, and one allowing them to pass your details to other companies.

Frustratingly, these aren't consistent: some will ask you to opt in to one or both, others to opt out, and some particularly annoying sites will ask you to opt in to theirs but to opt out of their third party list.

Read the information by the checkboxes carefully before ticking or not.

Where a website could expose your information

The first time you register and create a profile with Facebook anything you post will not only become visible to anyone with a Facebook account, but your profile will be accessible for public search engines to list too.

Writing for Get Safe Online, Trend Micro's Shannon McCarty-Caplan says a third of Facebook users have never set their privacy settings - and half of those users were unaware there were privacy settings.

In fact, research carried out by Consumer Reports in June 2012 revealed that 28% of users were sharing almost all of their posts with more than just their connected friends.

That could of course mean that people are simply sharing posts with friends of friends - but there are also those sharing with thousands of people they've probably never met.

Since we first wrote this article, Facebook has updated its stance on privacy to make the options for users much clearer - but we're still not sure why the site doesn't lock more down by default - surely for a "personal" profile, the opt-in should be on publication, not privacy.

Indeed, a research paper written in February 2014 [pdf] highlighted that there were 17 different settings to consider, making it difficult for users to get a handle on exactly how private their profile and posts would actually be.

Additionally, research from GetSafeOnline found that only 50% of UK Facebook users had secured their personal information using the highest available settings, and just 25% had done so on Twitter.

So when using social media sites two of the most important things to constantly keep in mind are, "who can see this information I'm entering?" and "am I going to be sharing this information with people I don't want to?"

There are plenty of guides online as to how to set Facebook privacy settings, as well as Facebook's own dedicated safety centre and privacy settings page.

So we won't go into how to set each setting in this guide.

Instead we'll look at a few examples that highlight the importance of learning and using privacy settings in Facebook, as well as simply being aware of the importance of considering what information you are sharing or even publishing in the public domain.

Identity theft

One potential danger of inadvertently exposing too much information on social media sites or personal blogs is identity theft.

A 2013 article by The Independent highlighted the need for social media users to become more "information vigilant" in light of the hacking of 250,000 Twitter accounts.

The article pointed out that when such hackers gained access to social media accounts, they also accessed enough information to commit identity theft and fraud.

James Jones from credit reference agency Experian was quoted as saying "Criminals typically need just three pieces of data to commit ID fraud so any unauthorised access to an online account is bad news."

Neil Monroe from Equifax was also quoted in the article:

"Many people would be shocked to know how little information criminals need to be able to steal an identity."

It's not difficult then to imagine how a public or unprotected social media account is putting its owner at risk of exposing too much personal information.

Personal security

It's not just children whose personal security is at risk online; criminals, fraudsters and predators can target a whole range of vulnerable or simply unsuspecting adults using the Internet socially.

Don't reveal your location
Hitting the headlines in April 2012 was a new iPhone app called "Girls Around Me".

The app combined information from FourSquare - a social location-based review site - and Facebook accounts.

The premise of the application was that it "scans your surroundings and helps you find out where girls or guys are hanging out. You can also see the ratio of girls to guys in different places around you."

Even more worrying, it also claimed "In the mood for love, or just after a one-night stand? Girls Around Me puts you in control!"

Unsurprisingly the app came in for a lot of criticism over privacy and personal safety, and FourSquare blocked the app from accessing its location data.

While this is a somewhat extreme example, and it was taken offline by the data providers almost as soon as it was launched, it does highlight the danger of revealing your location on social media sites.

Or that you're going away
Burglars are another good reason not to give away your whereabouts.

Not revealing online when you're out of town, or planning to go on holiday, has been one of the most crucial safety tips since the dawn of the Internet, and before.

Nowadays, even posting photos of your house or tagging its location are Internet safety no-nos.

Do you know who you're talking to?
It's not just revealing where you are in real life that poses a danger though. Simply communicating with people you don't know or are meeting whilst online poses a personal safety risk too.

The 2010 "Facebook film" Catfish became popular for highlighting just how little we really know about the people we meet online.

What you need to do

Set Social Media privacy settings

As soon as you've registered for an account with Facebook or Twitter, check and set up your security and privacy settings - before you start posting any information or photos.

In Facebook, start by hiding your profile from search engines. This means it will only be possible to find your profile via Facebook itself, not Google or Yahoo!

Then look for the setting allowing you to hide the information you enter from all but people you've confirmed as friends. Again, this setting isn't on by default, so it's worth spending some time making sure your social media profile is only visible to people you know and trust.

There are a few other privacy settings to be aware of on Facebook, and some on Twitter too - so it's best to check out a dedicated guide.

Here are some options:

Are they your friend in real life?

In 2009 Sophos conducted a poll that found that 46% of Facebook users accepted friend requests from strangers.

As we've seen, it can be difficult to know if the people we meet online are who they say they are, and adding people we don't know to our social media accounts can mean we're sharing personal information with people who might take advantage of it.

It might sound nanny-ish, but stay safe by only connecting with people you know in real life.

There's no benefit in having the most "friends" on Facebook, and lots of people have chosen to leave Facebook, many citing privacy concerns or feeling over-exposed.

However, Facebook does allow people to share different amounts of information with different groups of people. You can choose to share more with close family than with the people you went to school with, for example.

Be careful about what you post

Aside from not being rude or setting out to offend people, there are certain other things you shouldn't do on Facebook, which include not giving away:

The same poll from Sophos found that nearly 100% of users post their email address, 89% of users in their 20s give out their full birthday, and between 30% and 40% of users publish data about their family and friends.

As we've seen, criminals only need three pieces of information to steal an identity, so a combination of just a few of the details listed above can make you, your identity, and your financial details vulnerable.

Also be careful when it comes to giving away information that could reveal clues about your passwords or other security information such as questions used to confirm your identity with your bank or other companies.

High up on the list here are things like your mother's maiden name, the name of your first pet and the street you grew up on, among others.

Choose a strong password

Make sure you choose a strong password whenever creating accounts online.

Strong passwords typically consist of a mixture of upper and lower case letters, numbers, and even punctuation where allowed.

If you're worried about forgetting passwords, or having to create multiple different passwords in order to remain safe, there are secure programs available that can help manage passwords.

Mac OS X has a built-in Keychain Access utility, which can remember usernames and passwords for websites and programs and enter them automatically for you. Stored passwords are protected by your main Mac login.

Windows users will have to download a separate program, but there are free options available, such as KeePass.

Another handy free tool is one provided by Microsoft, available here. It's a password strength-checking tool, which will help when having to think up another new password: because of course, each password you use is much more secure when it's unique.

Each year SplashData publish a list of the most commonly used - and therefore the worst - passwords from the past 12 months.

Here's 2014's top ten:

  1. 123456
  2. password
  3. 12345
  4. 12345678
  5. qwerty
  6. 123456789
  7. 1234
  8. baseball
  9. dragon
  10. football

The list remains remarkably constant from year to year, showing that many people still haven't got the message about strong password protection.
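The advice in this section can be combined into one check, shown here as an added example that is not part of the original article or any tool it mentions. It shows why the character-mix rule alone is not enough: a dressed-up version of a password from the list above passes the mix rule and is still a poor choice. The substitution table and function names are assumptions made for illustration.

```python
import string

# The 2014 top ten quoted in the article.
WORST_2014 = (
    "123456", "password", "12345", "12345678", "qwerty",
    "123456789", "1234", "baseball", "dragon", "football",
)

# Assumption: a small table of common look-alike character swaps to undo.
UNSWAP = str.maketrans("013457@$!", "oieastasi")


def normalise(password):
    """Lower-case, drop digits/punctuation tacked on the ends, undo swaps."""
    core = password.lower().strip(string.digits + string.punctuation)
    return core.translate(UNSWAP)


def review(password, already_used=()):
    """Return a list of problems; an empty list means no problem was found."""
    problems = []
    if password.lower() in WORST_2014 or normalise(password) in WORST_2014:
        problems.append("variant of a common password")
    # The article's mix: upper case, lower case, numbers and punctuation.
    classes = (
        ("upper case letter", string.ascii_uppercase),
        ("lower case letter", string.ascii_lowercase),
        ("number", string.digits),
        ("punctuation", string.punctuation),
    )
    for name, chars in classes:
        if not any(c in chars for c in password):
            problems.append("no " + name)
    # Each password should be unique to one account.
    if password in already_used:
        problems.append("already used on another account")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for candidate in ("dragon", "P@ssw0rd1!", "Vq7#mTz!e2Lp"):
        print(f"{candidate:14} {review(candidate) or 'no problems found'}")
```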

Online harassment

Lastly, if you ever experience online harassment on the Internet, through social media or otherwise, start by blocking contact if you can, tell someone (this is probably the most important thing to do), and keep a record of the communication in case you have to escalate the problem to a mobile or Internet provider or the police.