The opt-out steps for ChatGPT, Claude, Gemini, and Adobe — I’d published those. Readers could action them. And based on the response, a lot of you did. Good.

But I had kept researching while I was writing, and I knew the published piece only covered the four tools with the cleanest story. I hadn’t yet worked through Canva. Or Copilot. Or Notion. Or Runway. And I couldn’t publish those sections without running through every setting myself, verifying every path, taking every screenshot.

So I kept going. What I found turned the article into something bigger than an article.

Canva can record your screen.

Not your uploaded images. Your screen. While you work.

It’s buried in Settings under Privacy Controls. The toggle is called “Allow your sessions to be recorded.” The stated purpose is product discovery and improvement. The recordings are deleted after three months — which means they exist for three months.

I want you to sit with what that means for a working photographer or videographer.

You’re in Canva building a client-facing proposal. You’ve got their brief open in another tab. You’ve got pricing information. A contract draft. And Canva has the option, if you’ve never been to that settings page, to record everything you’re doing on screen.

The toggle is opt-in — which means you’d have to have turned it on deliberately to be recorded. But how many people scroll to the bottom of every privacy settings page they’ve never heard of? The only way to know for certain you’re not being recorded is to go find the setting.

So I went and found it. And I put the exact path in the guide.

Copilot is designed to watch your screen and listen for its name.

There’s a feature in Microsoft Copilot on Windows 11 called Copilot Vision. When it’s on, Copilot continuously views your screen — not a screenshot, a live feed — to provide contextual help. There’s also a Voice Mode setting that keeps Copilot listening for the phrase “Hey Copilot” at all times.

Neither of these is on by default. But they’re also not where you’d think to look. Copilot on macOS has different menus than Copilot on Windows. Copilot running inside Edge has a third set of settings entirely. The guide covers all three — with screenshots — because the tool behaves differently depending on how you access it.

For artists who use Microsoft 365, Copilot is already threaded through your workflow whether you use it intentionally or not. Knowing where all the privacy controls are — not just the obvious ones — is the whole point.

One tool is actually doing it right.

Here’s something I didn’t expect to write: Notion AI’s training program — called AI Leap — is opt-in only. Verified April 2026. You have to actively sign up for Notion to use your content for training. If you haven’t done that, you’re not in it.

I want to give credit where it’s due. Opt-in should be the standard. It isn’t. Notion is one of the few tools in this space where the default protects you rather than exposes you. I documented it in the guide for that reason — both to show you what “good” looks like, and because it’s worth knowing your Notion content is actually protected without you having to find the off switch.

And then there’s Runway.

If you edit video and you use AI tools to do it, Runway is in your world. Video artists have a very specific exposure problem: the content you’re processing through Runway often belongs to clients. It’s not a brainstormed prompt. It’s finished footage.

WARNING: No Opt-Out on Consumer Plans On Runway’s Free, Standard, Pro, and Unlimited plans, your inputs and outputs — including the videos you generate — are used to train Runway’s models. Runway claims perpetual rights to use this content for training. There is no setting to change this. The only alternative is an Enterprise plan.

The part that changed how I think about this.

By the time I had all nine tools documented, I realized the individual opt-outs were only part of what an artist actually needs. You could do the ChatGPT opt-out today and forget about it. You could miss the Canva session recording entirely because you never knew it existed. You could opt out of Gemini training and not realize you still haven’t touched the “Improve Services” toggle.

What you actually need is a way to see your full picture. Know which tools you’ve locked down, which ones you’ve left open, and which ones change their policies without announcement.

So the guide includes an AI Privacy Scorecard — a pre-filled reference table comparing all nine tools on the same criteria — and a personal audit worksheet where you log your own settings.

Work through it once and you’re not guessing anymore. Set a reminder to re-audit in six months, because these companies update their policies quietly.

That’s why this became a guide instead of a second article. An article tells you about the problem. The guide gives you a completed audit of nine tools, a worksheet for your own settings, and a checklist that doesn’t let you miss Copilot Vision.

PAID subscribers can immediately download the guide below.

Not ready to become a PAID subscriber? You can check out the guide here.

Subscribe now

Read more

One reused password. One unencrypted hard drive. One bad download.

That’s all it takes.

I’ve spent thirty years auditing cybersecurity for some of the largest companies in the country. I’ve seen exactly how the bad guys get in. And I’ve watched creative professionals ~ photographers, videographers, podcasters, musicians ~ run the same three mistakes over and over because nobody ever translated this into plain language for them.

I’m also an amateur photographer. I have a photography Substack. I have client files. I have years of work sitting on hard drives right now. So when I say this is personal, I mean it.

Image by Lucas Bieri from Pixabay

Here’s what I know from thirty years of doing this professionally: most of the harm that lands on a creative’s machine is preventable. Not with expensive software. Not with an IT department. With the right ten steps, in the right order.

The bad guys are not sophisticated. They are patient. They look for easy, soft targets. They are buying lists of stolen email-and-password pairs for pennies and feeding them into automated tools that try your credentials on every major service ~ your cloud storage, your email, your bank ~ until something opens.

Your Lightroom catalog won’t get them excited. Your PayPal or Stripe account will.

I built this guide because I got tired of watching artists get hurt by things that are entirely preventable. It covers every layer of macOS Tahoe security ~ passwords, hard drive encryption, two-factor authentication, antivirus, firewall, VPN, safe download habits ~ with the exact menu paths and the exact reasoning behind each step. I wrote it the way I’d explain it to a fellow photographer, not the way I’d write it for a corporate audit.

At the end is a printable master checklist. Work through it, check every box, and your Mac is hardened.

If you are not ready to choose a paid subscription yet, you can check out the guide here. It’s less than a shoot day’s worth of memory cards, and it protects everything on them.

Subscribe now

Have you ever had something go wrong on your Mac ~ a sketchy download, a suspicious email, anything that made you think “that could have been bad”? Tell me what happened. I read every response.

PAID Subscribers can download the guide below and put it to work immediately.

Read more

Have you checked your AI tools’ privacy settings lately?

Not the settings you chose when you signed up weeks or months ago. The settings that exist now, after the companies rewrote their policies, mostly without making headlines about it.

I went through them. What I found wasn’t surprising. It was worse than that -- it was boring. Routine corporate behavior dressed up in privacy-policy language designed to be skipped. The default in almost every tool is the same: your conversations, your prompts, your images go to the company and stay there. They improve their products with your work.

You can stop it. But you have to know where to look.

This is where to look …

What These Tools Are Actually Doing

Every major AI tool you use has a data collection policy. Most of them changed those policies in 2025. Most of the changes moved in the same direction: from “we don’t use your data for training” to “we do, unless you tell us not to.”

Here’s what the tools artists are most likely using are actually doing right now.

ChatGPT (OpenAI)

By default, ChatGPT uses your conversations to train its models. OpenAI gives you a way out, a toggle in your account settings, but you have to find it. If you haven’t touched this setting, you are contributing your prompts, your questions, your project descriptions, and your image uploads to OpenAI’s next model whether you intended to or not.

There’s a catch even if you opt out: OpenAI retains your conversations for 30 days regardless, citing “safety and abuse monitoring.” Zero is not on the menu.

Claude (Anthropic)

In August 2025, Anthropic announced that Claude would begin using conversations for training. Before that, it didn’t. The new policy gave users a choice: opt in or opt out; but the framing mattered: if you didn’t respond to the policy change, your silence was treated as consent. Anthropic began collecting data in October 2025.

Claude Free, Pro, Max consumer account plans:

If you opt out: 30-day retention, same as before.

If you stay opted in (or missed the window): five-year retention.

That’s not a typo. Five (5!!) years. Ugh!

Gemini (Google)

Gemini saves your conversations for 18 months by default. That’s adjustable down to three months or up to three years, but the 18-month default is where you start if you’ve never changed it. Google also notes that human reviewers may examine conversations as part of product improvement. This is a major reason I don’t use Gemini. You must make your own decision here.

There’s a newer feature worth knowing about: Temporary Chats. These disappear after 72 hours and are not used for training. If you’re working on something sensitive, a project pitch, client-facing creative work, anything you wouldn’t want Google to keep, Temporary Chat is the right mode.

Adobe / Lightroom / Firefly

This one matters most for photographers and visual artists, so it gets more space.

Adobe allows content analysis of files processed or stored through Creative Cloud and Document Cloud apps. The company says this analysis is used for product improvement, understanding how features are being used, what’s working, what isn’t. You can opt out at the account level.

What Adobe doesn’t advertise loudly: Firefly, Adobe’s generative AI image tool marketed as “ethically trained” and “commercially safe,” was partially trained on AI-generated images from competitors including Midjourney. This came out in a Bloomberg investigation in 2024. Adobe acknowledged that approximately 5% of Firefly’s training data came from AI-generated images produced by rival platforms.

For artists who chose Adobe precisely because of the ethical-training promise, that disclosure matters. It does appear Adobe’s exposure after the investigation may have influenced its emphasis on “commercially safe” model training and tighter integration within its own ecosystem. Looks like yet another giant company acting without permission and asking for forgiveness later.

The Settings: Here’s the Off Switch

This is the part that matters. The opt-outs are real. They work. They take less than five minutes per tool. Here’s exactly where to find them.

ChatGPT

1. Log in at chat.openai.com

2. Click your profile icon (top right corner)

3. Select Settings

4. Click Data Controls

5. Find “Improve the model for everyone”

6. Toggle it off

Done. New conversations from that point forward are not used for training. The setting applies to your entire account, on every device.

Note: This does not delete past conversations. If you want those gone, you’ll need to delete your chat history separately through the same Data Controls menu.

Claude

Desktop / Browser:

1. Click your name or profile icon

2. Select Settings

3. Click Privacy

4. Find “Help Improve Claude“

5. Toggle it off

Mobile:

Same path ‚ your name‚ Settings‚ Privacy ‚ Help Improve Claude ‚ off.

Once the toggle is off, new conversations are not used for future model training. Already-stored conversations and anything already in training pipelines may still be used, Anthropic’s policy is explicit about that. You’re changing what happens going forward, not erasing the past.

Gemini

To stop data collection going forward:

1. Go to gemini.google.com and sign in

2. Click the Activity icon (clock with arrow, top of left sidebar)

3. Find Gemini Apps Activity

4. Toggle it off

To use conversations that disappear automatically:

Look for the dotted chat icon next to the New Chat button. This starts a Temporary Chat, conversations in this mode expire after 72 hours and are excluded from training data by default.

For sensitive creative work, Temporary Chat is worth making a habit.

Adobe Creative Cloud - Personal Account

To opt out of content analysis:

1. Go to account.adobe.com/privacy and sign in

2. Find the content analysis option (listed under machine learning / product improvement)

3. Deselect or toggle off the permission

Adobe’s opt-out does not affect:

• Content you’ve submitted to Adobe Stock

• Any content analysis you’ve already consented to

The Honest Part

I want to be straight with you, because there’s a version of this piece that isn’t.

Opting out of training is not the same as opting out of data collection. These companies still retain your conversations after you opt out, for 30 days (OpenAI and Anthropic) or up to 72 hours for Temporary Chats (Google). The data passes through their servers regardless. The opt-outs tell them not to use your conversations to build future models. They don’t promise your data never touches their infrastructure.

If you want zero data collection, there’s only one answer: don’t send your data to their servers at all. Tools like Ollama, LM Studio, and Jan.ai run AI models locally on your machine, with no external connection unless you configure one. Nothing leaves your computer. No retention policy matters because there’s nothing to retain.

The trade-off is real. Local models are improving fast, but they are not ChatGPT. They require more setup. They require a machine with enough processing power to run them. For most artists, a local model is the wrong tool for everyday work, it’s a specialist choice for specific situations.

But for sensitive work, contract negotiations, client communications, business strategy, knowing the local option exists is worth something.

Midjourney, the exception worth naming

One tool I haven’t given you opt-out steps for: Midjourney. That’s not an oversight.

Midjourney has no opt-out for prompt training. When you type a prompt into Midjourney, that prompt goes into their training pipeline. There is no setting to change that. If you use Midjourney, your prompts train their model. That’s the product’s terms of service.

Midjourney earned a privacy rating of D+ (38 out of 100) from Common Sense Privacy Watchdog. I’m citing that number so you know it came from somewhere, not because I think grades tell the whole story. The story is: if prompt privacy matters to you, Midjourney is the wrong tool.

Where I Landed

I use AI tools every day: Claude, CoPilot, Brave Leo, NotebookLM. I’ve been a Google Gmail subscriber for over 20 years. I have written about reducing Google surveillance before and have locked down my personal account as tight as a snare drum. I am fully aware that using Google’s AI tools (and others) exposes me to their surveillance. My personal process is to minimize my footprint when using online tools as much as possible.

The only way we can eliminate surveillance of our activity online is to reduce our own online activity. Therefore, when I need an AI tool, my first choice is to find one that runs locally on my Mac or Windows 11 PC. I have sufficient expertise and time to tinker under the hood of my systems to make sure things work safely and securely. If you have similar expertise, this is the path forward. If not, stay tuned for more guides like this to help you in the future.

Which of these tools surprised you most and have you found a setting I missed? Tell me in the comments.

And if you want this kind of analysis in your inbox every two weeks — cybersecurity, AI tools, privacy, and the tech industry’s fine print translated into plain English for creative professionals — hit the Subscribe button.

Subscribe now

Keep those online Nosey Neighbors guessing about what we are doing, because it’s none of their bee’s wax!

You spent six hours last Tuesday editing a 45-minute podcast episode. Four of those hours were you staring at a waveform, hunting for the exact moment your guest said “um” for the forty-seventh time. One hour was actually creative work. The other hour was you questioning your life choices. Meanwhile, AI tools exist right now that could have handled the um-hunting, the noise reduction, the level balancing, and the transcript — all before your coffee got cold.

Every tech company with a microphone icon in their logo wants your recordings. They want them to train their AI +models, improve their products, and quietly turn your unreleased works into someone else’s competitive advantage — all buried in page 47 of an obfuscated terms-of-service document written by lawyers who were paid to make it not readable by mere mortals.

Here’s the thing they don’t want you to know:

The most powerful AI audio tools available today don’t need to keep your files. They run on your machine, offline, and they’re free.

This is the guide the SaaS industry hoped you’d never find.

The best privacy protection for your recordings is for them and your audio processing to never leave your machine. That’s what “runs locally” means: recordings, edits, special effects, stay put on your device. Period. An added benefit is improved tool performance due to reduced wait time for network activity (latency) when using a cloud service.

This is not to say that online cloud services can’t do the job. There are many quite capable services out there that protect your recordings to various degrees, two of which I’ll cover after local tools are discussed. Before using the cloud for your audio processing, you must make an informed decision about specific cloud service trustworthiness.

Key question to answer:

Will the cloud service respect your data & intellectual property (IP) rights and not convert your recordings into their AI training materials or other unauthorized use?

There may be a case where a cloud service offers a feature or function that is vital to your operation. In that situation, you should invest some time to read their terms of service to determine what intellectual property rights and data you relinquish, if any, when agreeing to use the service.

IP and Data Safety: 3 tools that run locally on your machine

Ultimate Vocal Remover (UVR) with Demucs

Best for: Musicians, audio engineers, music producers

UVR is a free, open-source desktop app that wraps Meta’s Demucs AI model in a point-and-click interface — no command line required. It separates any mixed audio into individual stems: vocals, drums, bass, guitar, piano, and other instruments. Once the models are downloaded, it works entirely offline. Your source recordings never go anywhere.

Use cases: isolating a guitar part to learn a riff, creating instrumental tracks for practice, remixing, or studying how a favorite record was produced.

Honest caveat: The original Demucs GitHub repo is no longer actively maintained (the lead researcher left Meta). UVR’s maintained community wraps the last stable version and keeps it working. It’s not a concern for normal use, but worth knowing.

Tutorial: Aleksandr Hovhannisyan, a developer and musician, wrote a step-by-step guide with screenshots specifically for setting up UVR with Demucs models. It’s practical, no-fluff, and written for people who aren’t programmers. Check it out at https://www.aleksandrhovhannisyan.com/notes/stem-separation/

MacWhisper (Mac) / Whisper via Audacity (Windows/Linux)

Best for: Podcasters, audio recordists, interviewers

MacWhisper is a native macOS app built on OpenAI’s open-source Whisper model. It runs fully offline on Apple Silicon and transcribes audio to text with over 100 languages supported, batch processing, and speaker identification. One-time purchase is available along with standard Apple AppStore subscription options. The developer is Jordi Bruin, a well-regarded indie Mac developer with a track record of privacy-respecting apps.

For Windows/Linux users, Whisper can be integrated into Audacity (free, open-source), giving them the same local transcription capability in a familiar audio editing environment. Please be aware that Audacity itself has some controversy: it was acquired by Muse Group in 2021; there was some embroilment after the acquisition regarding data privacy—particularly a privacy policy clause mentioning that personal data might occasionally be shared with “our main office in Russia“. Also, its terms of service and data protection became murkier.

Honest caveat: MacWhisper Pro features (batch transcription, global dictation mode) require a paid upgrade. The free tier handles single-file transcription, which is enough to evaluate it then you can make an informed decision.

Tutorial: MacWhisper has official documentation at https://macwhisper.com. For the Audacity + Whisper integration on Windows, have a look at https://businessoddcast.com/free-audio-to-text-transcription-guide-using-audacity/ for a step-by-step guide. Check the MacWhisper Community on Reddit - https://www.reddit.com/r/MacWhisper/ for current issues and use cases.

FYI:

• If you want to open m4a files (macOS/iPhone audio) you will need to install the ffmpeg for Audacity library from https://lame.buanzo.org/FFmpeg_5.0.0_for_Audacity_on_Windows_x86_64.exe

• In the Windows instructions above ~ OpenVINO AI Effects are found under the Audacity Effect menu item

Magenta Studio (Google) — Ableton Live Plugin

Best for: Musicians using Ableton Live

Google’s open-source Magenta project ships a set of AI plugins that run inside Ableton Live. The tools assist with melody continuation, drum pattern generation, and harmonic interpolation. Once installed, they run locally against downloaded models. No cloud calls during use.

Honest caveat #1: This one has a steeper learning curve — it requires Ableton Live (not free: $99, $439, $749) and some setup. It’s for the serious musician audience, not podcasters or recordists. Worth including because it’s the most musically sophisticated local tool available, and it’s developed by Google Brain researchers, not a SaaS startup with a training-data business model.

Honest caveat #2: Magenta Studio is viewed more as a research/experimental instrument than a polished production tool, since it was developed by a Google Brain research group rather than a product team. This likely explains the lack of serious critical reviews — it’s positioned as an academic/creative experiment rather than a commercial plugin. For more hands-on opinions, browsing the r/ableton or r/WeAreTheMusicMakers subreddits would yield the most honest user feedback.

Tutorial: The Magenta team maintains official tutorials and demo videos at https://magenta.tensorflow.org/studio.

CLOUD TOOLS

Upload required, but contractually protected (or not)

When considering using a cloud service, remember that you are uploading your recordings to someone else’s server over which you have no control. The question: do the service’s contractual protections and data practices give you reasonable confidence that your recordings are protected. That’s where I actually found meaningful differences. A well written law mandating data protection (EU GDPR) is preferable to impenetrable corporate Terms of Service agreements that can radically change on a whim.

You must make a decision weighing that the features, functions, and outcome of the service sufficiently justifies you relinquishing some, most, or all of your data protection.

Auphonic

Best for: Podcasters, broadcast audio producers

Auphonic is an Austrian company operating under EU GDPR. It automates the most tedious post-production tasks: noise reduction, adaptive level balancing, loudness normalization to platform standards (Spotify, Apple Podcasts, YouTube), silence trimming, and transcript generation. Two hours of processing free per month.

Why this cloud service earns some trust: A third-party service called CleanCut VO explicitly documents in their terms about Auphonic (Audio Processing Partner) “No data is used for AI training or external analysis.“ Auphonic deletes processed files on a roughly 21-day cycle. The company is GDPR-bound — meaning EU data protection law, not just a self-written privacy policy that can be summarily modified on impulse. They also added two-factor authentication in September 2025.

Honest caveat: You are still uploading your recordings to someone else’s server that you do not control. If your recording contains something you’d never want on a server in Austria, use a local tool instead. The privacy protection here is contractual and legal, with sharp teeth, not architectural.

Tutorial: The Auphonic blog and documentation is written by founder Georg Holzmann, an audio researcher who built the algorithms. The official tutorial library is at https://auphonic.com/blog and covers every feature with technical depth.

Descript

Best for: Podcasters who want text-based audio editing

Descript lets you edit audio by editing a transcript — delete a word in the text and the audio cut happens automatically. It’s genuinely one of the most effective time-saving tools in podcasting. Studio Sound cleans up room noise and phone-recorded audio automatically.

The honest privacy picture: Descript is a US-based cloud service. The Freedom of the Press Foundation studied Descript and noted the company has the technical ability to access uploaded audio.

From Freedom of the Press article:

Behind the scenes, Descript is using a small handful of services to process transcripts. Descript uses Google Cloud Speech-to-Text to provide automatic transcription. Google says it deletes your data from its servers after the transcription is completed. According to its documentation, Descript also uses Rev to provide automatic or human transcription. Descript says, “If you request a White Glove transcription, we will share your audio files with Rev, which has strict confidentiality agreements with all of its employees.”

The “Overdub” feature explicitly uses your recordings train AI:

Descript offers a powerful feature called Overdub, which allows users to insert realistic computer-generated voices into the transcript. To accomplish this, Descript uses Google Cloud to process and reproduce your voice. Descript will generate “nondefamatory” samples of your voice, and human reviewers on Amazon’s Mechanical Turk will listen to this sample audio to confirm the resulting voice sounds accurate. The company is clear that if you use Overdub, “We train and host your artificial voice using Google Cloud. Also, we use the audio that you shared as ‘Training Audio’ to improve our service.” Descript says its employees may also review the uploaded audio, as well as computer-generated output audio for quality assurance.

Descript does not offer two-factor authentication for standard accounts (only enterprise accounts with SSO). This is a concern for independent reporters, podcasters, and activists who publish controversial or political topics. Your only source of protection here is by using an anonymous email address and a very long and complex password created by your local password manager. Not ideal, but usable.

Tutorial: Descript maintains an official YouTube channel with professional tutorial videos. Podcasting educator Pat Flynn (Smart Passive Income, 5+ million podcast downloads) has published workflow guides using Descript that are practical and beginner-accessible.

Your Path Forward

You got into music, podcasting, or audio recording because you love music, lively conversations, and strive to make the world a better place. You did not sign up to become an unpaid data laborer for a Silicon Valley company’s AI training pipeline. And yet — here we are.

The good news: you don’t have to choose between powerful AI tools and keeping your recordings off someone else’s server. Ultimate Vocal Remover, MacWhisper, and Magenta Studio run entirely on your machine. No uploads. No terms-of-service gymnastics. No lawyer-written surprises on page 47.

If you need cloud features, Auphonic earns a cautious green light under EU GDPR. Descript is genuinely powerful — just go in with your eyes open about what it does with your voice if you use Overdub.

Five tools. One decision framework. Zero excuses to spend another Sunday afternoon hunting for the forty-seventh “um.”

If this breakdown saved you time, spared you a bad decision, or just made you feel slightly less alone in your production suffering — share it with a musician, podcaster, reporter, or audio recordist who needs it. They’re out there right now, staring at a waveform, questioning their life choices.

And if you want this kind of analysis in your inbox every two weeks — cybersecurity, AI tools, privacy, and the tech industry’s fine print translated into plain English for creative professionals — hit the Subscribe button. Your recordings will thank you.

Let’s make something worth protecting.

Subscribe now

You’ve heard the arguments. AI is coming for artists. It’s going to replace photographers, devalue videographers, and turn every person with a phone into a creative professional. If you’ve been skeptical, I don’t blame you. Some of that skepticism is well earned.

But here’s what most of the breathless AI coverage gets wrong: the most useful AI tools for visual artists aren’t the ones generating images from text prompts. They’re the ones that handle the tedious, repetitive production work you’ve been doing manually for years — the hours of noise cleanup, masking, color matching, and reformatting that eat your weekends while contributing nothing to your creative vision.

The eye is yours. The composition is yours. The story you’re telling is yours. AI can’t replace any of that. What it can do is carry the grunt work so you can spend more time behind the camera and less time hunched over a screen pushing sliders.

Let me show you what I mean.

The Craft vs. The Grind

Every visual artist knows there are two sides to the work. There’s the craft — choosing the angle, reading the light, timing the shot, framing the story. That’s the part you trained for. That’s the part that makes your work yours.

Then there’s the grind — batch editing noise out of two hundred event photos, manually masking a sky in every landscape shot, color matching clips from three different cameras, reformatting a horizontal video into six different aspect ratios for six different platforms. That’s not creative work. That’s production labor. And it’s exactly where AI earns its keep.

The distinction matters because the AI tools worth your attention aren’t trying to be the artist. They’re trying to be a really good assistant — one that handles the mechanical tasks so you can focus on the decisions that actually require a human eye.

Practical Example: Photography

The scenario: You shot an outdoor portrait session at golden hour, but the light faded faster than expected. Your last thirty frames were captured at ISO 3200 and above. The shots are beautifully composed — great expressions, perfect timing — but they’re noisy, and the sky behind your subject has gone flat.

The old way: You’d spend an hour or more in Lightroom manually brushing masks around your subject’s hair, adjusting noise reduction frame by frame, then separately selecting and enhancing the sky in each image. For thirty photos, that’s an entire evening.

The AI way: Two tools can cut that time dramatically.

First, Adobe Lightroom’s AI Masking can automatically detect and select your subject, sky, and background with a single click. Select Subject isolates the person. Select Sky grabs just the sky. You make your adjustments — boost the sky’s warmth and saturation, brighten the subject’s exposure — and the AI-generated mask handles the edges, including flyaway hair and complex silhouettes that would take fifteen minutes to brush by hand. Apply those masks across all thirty images, and you’ve just saved hours.

Second, Topaz Photo AI can tackle the noise. Load your high-ISO raw files, and its Autopilot feature analyzes each image individually, selecting the right noise reduction model and strength. It distinguishes between noise and genuine detail — preserving texture in skin, fabric, and hair while smoothing the grain in shadow areas. Wildlife photographer Kate Scott, writing for Fstoppers, described how the tool changed her entire approach to low-light shooting because she no longer has to worry about pushing her ISO.

Step-by-step tutorials to get started:

• Adobe’s official guide to AI Masking in Lightroom Classic (https://helpx.adobe.com/lightroom-classic/help/masking.html)

• Fstoppers’ complete three-part guide to Lightroom Masking by Ryan Mense (Part 1) (https://fstoppers.com/lightroom/complete-guide-mastering-lightroom-masking-part-1-658761)

• Michael Breitung’s walkthrough of Topaz Photo AI (Fstoppers) (https://fstoppers.com/post-production/how-unlock-full-potential-your-photos-topaz-photo-ai-626509)

Practical Example: Video

The scenario: You filmed a short promotional video for a local gallery using two different cameras — your main camera and a backup with a different color profile. Now the footage from Camera B looks warmer and slightly overexposed compared to Camera A. You also need vertical versions of the final cut for Instagram Reels and TikTok.

The old way: You’d manually color grade each Camera B clip to match Camera A, adjusting white balance, exposure, and saturation shot by shot. Then you’d go back through the entire timeline and manually reposition every clip for a 9:16 crop, keyframing the position to keep your subject centered as they move.

The AI way: DaVinci Resolve — the industry-standard color grading software that also happens to have a powerful free version — includes AI tools that handle both tasks.

For color matching, the Color page’s Shot Match feature lets you select a reference clip from Camera A, then automatically match Camera B’s color and exposure to it. The AI analyzes lighting conditions, skin tones, and scene context, then applies a grade that gets you 80–90% of the way there in seconds. You refine from there instead of starting from scratch.

For reformatting, Smart Reframe (available in the Studio version) uses AI to track your subject and automatically reframe your 16:9 footage for vertical or square output. It generates the position keyframes for you, keeping the subject centered as they move through the frame. What used to take an hour of manual keyframing now takes a few clicks.

Step-by-step tutorials to get started:

• Larry Jordan’s walkthrough of automated color matching in DaVinci Resolve 20 (https://larryjordan.com/articles/how-to-color-match-clips-in-davinci-resolve-20/)

• Salik Waquas (FilmmakingElements) on three practical color matching methods (https://filmmakingelements.com/color-match-in-davinci-resolve/)

• Envato Tuts+ AI-assisted DaVinci Resolve workflow (https://photography.tutsplus.com/articles/davinci-resolve-ai--cms-109186)

• Blackmagic Design’s Beginner’s Guide to DaVinci Resolve 20 (PDF) (https://documents.blackmagicdesign.com/UserManuals/DaVinci-Resolve-20-Beginners-Guide.pdf)

Before You Upload: The Security Sidebar

Here’s where I put on my cybersecurity hat, because this part matters.

Before you feed your original images or footage into any AI tool, ask yourself three questions:

Where do my files go? Some AI tools process everything locally on your computer. Others upload your work to cloud servers. Topaz Photo AI and DaVinci Resolve both process locally by default — your files stay on your machine. Cloud-based AI tools are convenient, but you should know whether your original files are being stored, used for training, or shared before you hand them over.

What do the terms of service say about my work? Some platforms grant themselves broad licenses to use uploaded content. Read the fine print. If the terms say they can use your uploads “to improve their services,” that may mean your images end up in a training dataset.

Am I uploading client work? If you’re processing images or video for a paying client, you may have contractual obligations about how that work is handled and stored. Uploading client work to a third-party cloud service without their knowledge could create liability issues you don’t want.

The tools I’ve described in this article were chosen partly because they respect your files. But the landscape changes fast, and new tools appear every week with flashy promises. A healthy habit: before you try any new AI service, spend two minutes checking whether it processes locally or in the cloud, and what rights you’re granting when you click “agree.”

You Don’t Have to Love AI

You don’t have to be an AI enthusiast to benefit from these tools. You don’t have to change your artistic philosophy or embrace every new platform that launches. You just need to know what AI can carry so you can focus on what only you can see.

The composition, the timing, the emotion in the frame — that’s still entirely yours. AI can’t replace your eye. But it can give you your weekends back.

P.S. If you found this useful, consider subscribing to Essential Risk Management. I write about the places where creativity and cybersecurity collide — which, it turns out, is basically everywhere now. Free subscribers get the articles. Paid subscribers get the peace of mind that comes from knowing a paranoid cybersecurity professional is watching the internet so they don’t have to. That’s cheaper than therapy.

Subscribe now

Subscribe now

The King is DEAD! Long live the King!

Linux is the new King.

Windows 10 support expired 10/14/25. Keeping Windows 10 after that date, with no further updates, is a major security risk I’m not willing to accept. What to do? Reincarnation: install Linux Mint.

My Windows 10 hardware was purchased in 2015. It has an Intel i5 processor ~ medium powered CPU for word processing, email, and web browsing. I installed 32Gb of RAM to give multiple applications elbow room to coexist during a session. I added a 1Tb SSD for fast and vast storage. The hardware is still in good condition, quite usable and I’m unwilling to part with it. Hence, installation of Linux Mint is a no brainer for me.

Linux Mint was chosen after days of research into a viable Linux alternative to Widows 10. Why Linux? Free, as in zero cash outlay. Works “out of the box” on my ancient “Legacy Hardware”, including my existing Logitech webcam, Zoom Technologies USB-C audio interface, and Logitech wireless keyboard & mouse combo. Hardware upgrades are not needed. It just works.

Another major consideration for my choice of Linux is familiarity: I’ve been working with UNIX-like operating systems as an IT professional for over 30 years and I know how to “tinker with the twiddly bits” under the hood when needed. However, after a long day at work, I have no desire to mess with stuff under the hood, thus my main desktop and laptop are Apple Macintosh machines. Point-and-click is my preferred mode of operation. The Mac platform operates in that mode flawlessly and does not unexpectedly crash like Windows. I also have a pair of Windows 11 virtual machines on my Mac’s I use for Windows-specific applications, such as Visio, a Microsoft diagramming tool used extensively in enterprise networking. I wanted a Linux environment where I had no need to tinker under the hood and I could point-and-click with little fuss, therefore Linux Mint is my choice.

One obstacle to overcome is how to access my years of data stored in the Microsoft ecosystem: OneDrive cloud storage, MS Office - especially OneNote that I use extensively, Outlook for enterprise email/calendar/contacts, and video & photo editing. As I have ready access to those tools on my Mac and Windows virtual machines, I’ve decided to table that issue for now and focus my efforts on a gradual move over time to non-Microsoft tools that are acceptable alternatives.

The remainder of this article provides an overview of what it took to get Linux Mint up and running on my legacy hardware.

My funeral ritual commenced as follows:

1. Download Linux Mint; Create an Installation Flash Drive

Go the Mint download site at https://linuxmint.com/download.php and choose your edition. I selected the “standard Cinnamon” desktop edition. It is a 3Gb software image with easy to follow Linux Mint Installation Guide.

2. Verify Your ISO Image

From the Linux Mint Installation Guide:

It is important to verify the integrity and authenticity of your ISO image.

The integrity check confirms that your ISO image was properly downloaded and that your local file is an exact copy of the file present on the download servers. An error during the download could result in a corrupted file and trigger random issues during the installation.

The authenticity check confirms that the ISO image you downloaded was signed by Linux Mint, and thus that it isn’t a modified or malicious copy made by somebody else.

I was still running Windows 10 and the instructions were a bit different for me ~ I found easy to follow verification instructions at https://forums.linuxmint.com/viewtopic.php?f=42&t=291093.

I created a folder on my Desktop, put the ISO image and two verification files in the same folder, ran the verification program, and the output showed my files were intact and official. I could now create a bootable installation flash drive.

3. Install Etcher and Create a Bootable Installation Flash Drive

Etcher is a wonderful tiny software program used to copy ISO images onto flash drive media. You will need a flash drive with at least 4Gb capacity. I had a 16Gb flash drive available, which worked fine. A 4GB DVD disk will function just as well and will be slower due to the limited DVD drive playback speeds.

I downloaded and installed Etcher from https://etcher.balena.io/#download-etcher, choosing the Etcher for Windows (x86|x64) (Installer) Download option. I saved the download and ran the installer.

Copying the ISO image to the flash drive is a snap:

• Start Etcher

• Select the ISO image from where you saved the file

• Select the flash drive - be sure it’s the smallest disk size on the menu or you may inadvertently erase another hard disk! Oops!

• Start the Flash copy ~ Etcher provides percent status as it goes

• Done!

Exit Etcher and I’m ready for installation of Linux Mint!

4. Boot Linux Mint

What should have been a very simple process became a typical Microsoft Windows “pull my hair out” experience.

Under “normal” circumstances, all I should have to do is:

• Power off my machine

• Power on and immediately hit the Escape or Delete key to enter my machine BIOS and set the USB flash drive as the boot device

• Reboot

But NO! Microsoft has to go and mess with this process!

An hour of power off, Escape or Delete, blank screens, and boot back into Windows 10 was frustrating. I had no idea that Windows 10 uses a “Secure Boot” process that prevents access to the native machine BIOS. Sigh.

Microsoft’s security requirements do not obscure the native BIOS directly but enforce a shift to UEFI mode, which disables Legacy BIOS functionality and makes certain settings inaccessible. This is a deliberate design to enhance system security, not a hidden or obstructive feature. Sigh, again.

In my research, I stumbled across this solution at https://support.microsoft.com/en-us/windows/reset-your-pc-0ef73740-b927-549b-b7c9-e6f2b48d275e. I scrolled the page down to “Reset your PC from Settings” and chose “Remove everything” option. This process took about 30 minutes to complete. When done, I was finally able to use the Delete key on machine power up to get into my AMI branded BIOS, tab to the Boot section, and select the USB flash drive as the boot device.

Eeee-gads, what a pain in the ass that was!

5. Install Linux Mint

Reboot from flash and I use the instructions at https://linuxmint-installation-guide.readthedocs.io/en/latest/boot.html to start Mint.

Mint starts into a “Live” sessions, meaning its fully running from the USB flash drive. To install Mint on my hardware, I saw a disk ISO icon in the upper left of the screen, double-clicked that icon, and installation started.

As my hardware was already connected to the Internet with Windows 10, I followed the screen prompts and Mint installation proceeded.

Upon completion, I clicked the “Restart Now” button, removed the USB flash drive. Hit Enter, and my machine rebooted into a newly installed Linux Mint on my legacy hardware.

I logged in with the username and password set during the installation prompts and, presto! ~ my legacy hardware has a new lease on life. Until some irreplaceable piece of hardware fails, like an out of production power supply, I have an up to date machine fully supported with security updates that I can use for various and sundry tasks.

6. Explore Linux & Mint

There are software tools available immediately in Linux Mint that can be used to be productive:

The Cinnamon desktop environment, which is the default on Linux Mint, includes a Start menu, system tray, and a panel that closely resembles the Windows 10 interface, making navigation intuitive for new users. For accessing storage devices, users can click on “Computer” in the Start menu, which functions similarly to the “This PC” feature in Windows 10. This can also be enabled as a desktop icon through System Settings under Desktop preferences.

Additionally, Linux Mint provides the Disks utility, accessible via Menu > Preferences > Disks, which allows users to manage and view all storage devices, including SSDs, offering a centralized tool for disk management. The operating system is designed to run efficiently on older hardware, often outperforming Windows 10 on systems with limited RAM and processing power. Tools like Wine and PlayOnLinux are also available, enabling the execution of some Windows applications, further easing the transition from Windows 10.

Libre Office - a “Free” alternative to Microsoft Office

Libre Office is included in the default installation on Mint. It has a word processor, spreadsheet, presentation, drawing, database, formula, and charting software that can read and write Microsoft Office documents.

Many European municipalities, states, and countries are moving to this suite of tools and away from Microsoft to enable local control and data sovereignty ~ they no longer trust U.S.-based Microsoft with their data and the native file formats adhere to international standards for document portability. A powerful endorsement.

Explore Linux Software

There exists a large body of software in Linux that perform the same functions as those in Windows 10/11. Have a look at Linux software equivalent to Windows software to get inspired to try some.

A Requiem

My Linux Mint installation has delayed my legacy hardware from the fate of the recycle pile. I’ll get good use of the machine to manage my home network and server lab. While it does not have the latest and greatest technology, it turns out I do not need that for a humble interactive management machine. There is no need for me to tinker under the hood as well. I do enough of that at work. Windows 10 was a faithful sidekick for a long time. I bid it farewell and look forward to many hours of enjoyment of a fully supported and updated operating system on my legacy hardware once again.

Data stolen impacting 4 million people: names, SSN's, dates of birth, billing addresses, email addresses, phone numbers, and customer support messages.

How you are affected:

• TransUnion has sent notification letters for those affected by the data breach.

• The credit bureau is offering two years of free credit monitoring services (provided by Cyberscout) to those impacted, according to the letter.

• Not all affected people may have received notification

• Contact TransUnion directly by calling its fraud assistance line at 1-800-516-4700. The call center is open Monday through Friday, 8 a.m. to 8 p.m. Eastern time.

Date of Breach: July 28, 2025. As of this posting, the incident is till under investigation.

Breach entry point: part of larger wave of cyberattacks linked to a major SalesForce.com data breach impacting multiple organizations.

Data Breach Notice Postings:

Maine - https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/3dcd9b7c-bce3-4685-bffd-f728ce96e2fd.html

Texas - https://www.documentcloud.org/documents/26078139-transunion-breach-texas/

News articles:

• Money - https://money.com/transunion-data-breach/

• CNET - https://www.cnet.com/tech/services-and-software/credit-bureau-transunion-hit-with-data-breach-affecting-4-4-million-people/

• Reuters - https://www.reuters.com/markets/europe/transunion-says-44-million-consumers-data-compromised-hack-2025-08-28/

• Techradar - https://www.techradar.com/pro/security/transunion-data-breach-may-have-affected-4-4-million-users-heres-what-we-know-and-how-to-stay-safe

Reduce Your Risk with These Actions:

• Call or login to the three major credit bureaus and FREEZE your credit account and place a FRAUD ALERT on your credit files

  • Equifax - https://equifax.com 1-888-548-7878

  • Experian - https://experian.com 1-800-493-1058

  • Transunion - https://transunion.com 1-800-916-8800

• Obtain a FREE CREDIT REPORT at www.annualcreditreport.com | 1-877-322-8228

• If you are offered Credit Monitoring Service in a letter notifying you of a data breach, sign up for it. Make note of the day your coverage starts and add and end date in your electronic calendar, as an All Day event reminder

• Change your password at the company effected by the data breach

• Sign up for 2-Step Authentication using an Authenticator app on your phone

• Do not use text messaging for 2-Step Authentication

• Use a Password Manager to generate and store a long and complex password

• If a stored credit or debit card was compromised, cancel the card and get a replacement. Update any recurring payments associated with the new card

• Monitor you card and bank statements for unauthorized charges. Look for out of area charges or small amount charges at unfamiliar merchants.

• File disputes with your card issuers to recover funds

• Ensure your browsers, email apps, social media apps, computers, and phones have the latest updates installed

• Delete old accounts with services you no longer use or are inactive

Subscribe now

🎨 Browser Privacy: Your Digital Studio Needs Better Locks 🔒

July 2025 Browser Privacy Roundup: The cybersecurity world has been buzzing about secure browsers that truly protect your privacy. For creative professionals juggling multiple client projects, your browser choice matters more than your coffee brand (and that's saying something).

Actionable Steps:

1. Switch to Privacy-First Browsers: My Favorite browser Brave, with privacy settings tweaked and security add-ons installed, is among the best private browser solutions with great Chrome extension compatibility. For the extra paranoid (we're looking at you, photographers who've had work stolen), Brave provides very fast browser experience with built-in ad and tracker blocking, including annoying YouTube ads.

2. Essential Browser Extensions: Ghostery blocks a variety of trackers, including cookies and scripts, and provides a report about all the trackers present on each website you visit. Think of it as your personal bouncer for the internet.

3. Disable Autofill Features: If you lose your phone, autofill could hand over your PII to anyone with access. Turn off autofill in Safari, Chrome, and other laptop and phone browsers - your future self will thank you when your device is stolen at that coffee shop photoshoot.

Sources:

• 13 Most Secure Browsers for Privacy in 2025 | NordVPN

• 15 Best Browser Extensions for Security and Privacy in 2025

📱Mobile Device Security: Your Phone Isn't Just for Instagram or Substack anymore!

July 2025 Mobile Security Alerts: With mobile phones becoming essential for everything from healthcare to government services, securing your mobile device is no longer optional, especially when you're managing client communications and storing high-res portfolio images.

Actionable Steps:

1. Lock Down Your Device: Set up six-digit passcodes that you enter every time you unlock your phones. Yes, even if Touch ID/Face ID usually works - technology fails at the worst moments.

2. Disable Risky Features: Turn off Bluetooth and file sharing when not in use, as open protocols can be exploited in crowded environments. That coffee shop Wi-Fi might be convenient, but joining public Wi-Fi networks without a VPN isn't safe, as your web activity and IP address are exposed.

3. App Permissions Audit: Be especially wary of apps requesting SMS access, call logs, or system-level permissions. Does that photography filter app really need access to your contacts? Probably not.

Sources:

• Top 10 Mobile Security Tips for 2025

• The Best 10 Ways to Protect Mobile Devices in 2025

Creative Applications Security: Adobe's Privacy Plot Twist 🎭

The Big Adobe Drama of 2024-2025: Adobe caused quite the stir with changes to terms of service that grant Adobe the option to spy on a user's work, even works protected by confidentiality agreements. While Adobe later clarified their position, the incident highlighted important privacy concerns for creatives.

Actionable Steps:

1. Review Your AI Settings: When you use Creative Cloud and Document Cloud apps, Adobe may analyze your content using machine learning to improve their products - but you can opt out of content analysis at any time.

2. Understand What You're Agreeing To: Adobe's updated terms potentially allow them to scan and use any part of any design a user has in Creative Cloud to see how it was made. Read those terms of service - yes, all of them.

3. Backup Alternatives: Consider maintaining copies of critical work outside cloud-based creative platforms, especially for client work under NDAs.

Sources:

• Adobe's ToS Changes Could Be an AI Overreach

• What Do Adobe's New Privacy Rules Mean for Creatives?

AI Privacy Settings & Controversies: The Plot Thickens 🤖

July 2025 AI Security Developments: The AI landscape continues evolving rapidly. This month, an AI company made news after their AI went "rogue" and ignored explicit instructions, deleting a live production database containing data on over 1,200 executives. Yes, AI can have bad days too.

Actionable Steps:

1. Content Credentials: Adobe is launching its Content Authenticity web app in beta, allowing creators to apply content credentials to their work using digital fingerprinting and invisible watermarking. It's like a digital birth certificate for your artwork.

2. AI Training Opt-Outs: Review the privacy settings of AI tools you use. Many now offer options to prevent your work from being used in future AI training.

3. Watermark Your Work: Even if it seems obvious, visible watermarks remain one of the simplest deterrents against unauthorized use.

Sources:

• An AI-powered coding tool wiped out a software company’s database, then apologized for a ‘catastrophic failure on my part’

• AI coding tool wipes production database, fabricates 4,000 users, and lies to cover its tracks

• Best Watermark Tools for Digital Artwork

General Security Hygiene: The Basics That Save Careers 🧼

Password Management: Create a password that has meaning for you, one that even empowers your art practice, containing a creative mixture of letters and symbols to make it secure. Think "MyArt2025IsAmazing!" instead of "password123."

Backup Strategy: Put a system in place to back up your computer regularly, whether it's a physical backup weekly or a third-party application to continuously back up your data to the cloud. Lost portfolio files are career-ending disasters waiting to happen.

Email Security: Email encryption ensures that only the intended recipient can view the content, even if it's intercepted during transmission. For client communications involving confidential projects, encryption isn't paranoia - it's professionalism.

Sources:

• The best password managers in 2025

• The best cloud backup services in 2025

• The Best Email Encryption Services for 2025

July 2025 Security Headlines You Should Know 📰

Major Incidents in July 2025:

• Microsoft released patches for two severe zero-day vulnerabilities in SharePoint, with over 75 confirmed compromises spanning banks, universities, hospitals, and corporate enterprises

• Multiple printer vulnerabilities discovered, with organizations patching only 36% of printer firmware promptly (Yes, even your studio printer can be a security risk!).

• Use your WiFi router settings to block your printers from accessing the Internet. These settings can also be described as "Parental Controls". Ground those juvenile printers by restricting their access until they are better behaved. This also prevents stealthy updates that can reduce printer functionality by greedy manufacturers (we're thinking of you, HP).

Sources:

• July 2025 Cybersecurity News Recap | SWK Technologies

• 18 Cybersecurity News Summarised – July 2025

• Should You Upgrade Printer Firmware? Read Before You Regret!

The Bottom Line for Creative Professionals 🎯

Your creative work is your livelihood, and in a world where collaboration tools are increasingly digital, every email attachment, shared design file, or collaborative document is a potential target for hackers. The good news? Artists and creative professionals don't have to spend through the nose to achieve a stronger security posture.

Start with the basics: strong passwords, regular backups, and browser security. Then layer on mobile device protection and review your cloud service privacy settings. Remember, our motto for information security is "progress, not perfection" - you don't need to implement everything at once. Beware of "security guru's" that relentlessly post "Get it done". Acting like a grumpy Drill Sergeant likely will not motivate a Creative like you into action.

Stay secure out there, and may your only crashes be creative breakthroughs!

P.S. - If you're still using "password123" for anything, please change it before reading another article. Your future self will send thank-you cards.

Subscribe now

Android phones have just been proven to be vulnerable to having all web browsing safety features bypassed. The fundamental architecture of Android is vulnerable to this specific security bypass, converting the phone or other Android device into a complete user surveillance platform, which cannot be fixed.

The unfixable Android vulnerability is known as "Localhost Access" where the internal communications software creates a virtual local network on the phone. This functionality was originally designed and used for network software development, software inter-process communication, and network testing in the early days of the web when the assumption was localhost access was inherently trusted. That trust has now been broken. Companies abuse this trust to bypass all standard web security settings to unmask your identity at virtually every web site you visit. They collect and sell data about your specific browsing activity.

You can reduce the risk of the vulnerability by disabling Google Chrome on your Android phone then installing:

1. the Brave browser on your phone

• set it to be your default web browser

• use the "localhost permission system" set to deny access to "

https://localhost

• • " or "

https://127.0.0.1

• this could impair functionality of some applications (Facebook, Instagram, Threads)

deny localhost access for applications you do not trust or have a reputation for surveillance (Facebook, Instagram, or Threads)

2. GrapheneOS - another phone operating system that can run on the physical device, which places similar localhost access controls as the Brave web browser into your hands

The options above do not remove the vulnerability, they place access controls for localhost into your hands. If such access controls are not implemented, due to lack of expertise as an example, then the vulnerability remains active. There are no technical means to prevent other applications on the Android phone from silently misusing access to localhost.

If complete elimination of the vulnerability is desired, only one option is available: abandon the Android platform altogether and replace it with

• a "feature phone", a mobile phone with basic functionalities, as opposed to more advanced and modern smartphones

• an Apple iPhone, which does not implement the vulnerable localhost architecture

Meta (Facebook, Instagram, Threads) and Yandex (Russian browser and search engine) have been discovered to be exploiting this vulnerability by researchers.

When the research was published in June 2025, Meta and Yandex abruptly ceased their exploitations, knowing full well their activity violated the Google PlayStore Terms of Service. Such violation could have their exploitive applications removed from the PlayStore, which in turn eliminates distribution of their applications.

The vulnerability and exploit operate without user knowledge, consent, or acknowledgement, in the background, when visiting any web site with Meta's or Yandex's server-side scripts installed. Web sites voluntarily install scripts that communicate with Android localhost and receive highly detailed user analytics from Meta and Yandex, including specific user identifiers.

Here is how the localhost access vulnerability works, for those with technical understanding of network software, from the Register article:

The researchers describe Meta's approach thus:

1. The user opens the native Facebook or Instagram app, which eventually is sent to the background and creates a background service to listen for incoming traffic on a TCP port (12387 or 12388) and a UDP port (the first unoccupied port in 12580-12585). Users must be logged-in with their credentials on the apps.

2. The user opens their browser and visits a website integrating the Meta Pixel.

3. At this stage, websites may ask for consent depending on the website's and visitor's locations.

4. The Meta Pixel script sends the _fbp cookie to the native Instagram or Facebook app via WebRTC (STUN) SDP Munging.

5. The Meta Pixel script also sends the _fbp value in a request to https://www.facebook.com/tr along with other parameters such as page URL (dl), website and browser metadata, and the event type (ev) (e.g., PageView, AddToCart, Donate, Purchase).

6. The Facebook or Instagram apps receive the _fbp cookie from the Meta Pixel JavaScript running on the browser. The apps transmit _fbp as a GraphQL mutation to (https://graph[.]facebook[.]com/graphql) along with other persistent user identifiers, linking users' fbp ID (web visit) with their Facebook or Instagram account.

Now that the Android localhost vulnerability and exploit have been published, other unscrupulous app makers will likely take advantage of the steps above to create their own user unmasking and surveillance tools for user data collection. We could also foresee malware being developed that not only observes user behavior, but can cause damage or financial loss for the device user. A sobering thought.

Some questions to consider:

• Are you a high risk phone user: journalist or high-profile individual communicating controversial issues?

• Are you involved in political activities that may be contrary to your country's government actions or stated policies?

• Are online privacy and security major concerns in your daily activities?

• Is online surveillance without your consent an issue that concerns you?

• Is there a possibility you can trade-in your Android phone for a "Feature Phone" or iPhone without a fundamentally vulnerable software architecture?

Only you can decide if a phone change is right course of action now. Many of the apps available in the Google PlayStore are available in the Apple AppStore.

How will you protect your phone and yourself from further undisclosed surveillance and exploitation?

Browser Fingerprinting

Google has created your permanent trackable browsing identity during your daily use of the web. That identity follows you to each site you visit. Every. Single. Day.

Like it or not, Google has implemented digital fingerprinting as of February 16, 2025. This means that your browser has been uniquely identified, stored in a Google database, and sold to advertisers. You can now be identified by each web site that uses Google's platforms and analytics tools to have advertisements specifically targeted to you. If you are logged in to an Amazon, Facebook, Google, or Microsoft account with your identified browser, your logged-in account data is also tied to that unique browser.

Search for doughnuts? You'll see more ads for doughnuts in search results and many other web sites. Search for medicines or medical conditions? Receive ads for drugs or treatments. Click on an item while online window shopping, receive ads for that or similar items at other retail sites or in search results.

While the database is usually used for ads, it is potentially a nightmare for political activists and journalists. The government can currently subpoena your Google Account and search history. Now data can be specifically tied to the browser and you as part of the subpoena. What could go wrong?

Google is not the only storage location for your browser fingerprint and identity. There is a vast Data Surveillance Industrial Complex that has grown out of the online advertising industry whose sole purpose is to track, categorize, and package groups of similar identities to sell to advertisers, governments, corporations, and anyone else willing to pay their fees. The U.S. Government routinely purchases data and profiles for intelligence gathering and law enforcement. Profile databases are also gold mines for those organizations attempting to shape public opinion and, combined with voter registration records, are used to promote political outcomes, as was the case with Facebook and Cambridge Analytica.

Google Chrome's tracking and fingerprinting capability generates a vast array of user behavior and insights. Customer online behavior has become so important that some sites are designed to collect the maximum tracking data available within Chrome. Those sites will present reduced functionality or may not function at all when using an alternative browser. If the site provides important product or service desired, you must then make an informed decision to use Chrome to purchase those products or services instead of a web browser that defends against online tracking.

Google reCAPTCHA

Have you ever been prompted by a web site with a visual puzzle to identify all the squares with a bicycle in them prior to being allowed access? This is Google reCAPTCHA, which stands for "repeated Completely Automated Public Turing test to tell Computers and Humans Apart". Your browser and human behavior are being fingerprinted.

Here is how Google reCAPTCHA works:

• in your local browser local storage, a small file is delivered, known as a cookie. The cookie identifies you and your specific device.

• Pixel-by-pixel fingerprinting: reCAPTCHA takes a pixel-by-pixel snapshot of your browser window, capturing information such as:

  • Your network address

  • Browser type and version

  • Screen resolution and size

  • Operating system and version

  • Language and locale settings

  • Browser plugins and extensions

  • Mouse and keyboard behavior

• Risk analysis engine: reCAPTCHA uses a risk analysis engine to evaluate your behavior and device characteristics. This engine assesses the likelihood of you being a human or a bot.

• Score-based verification: reCAPTCHA returns a score to the website, indicating the risk level of your interaction. If the score is above a certain threshold, you are considered human and are allowed to proceed.

• It's worth noting that reCAPTCHA also uses other methods to verify human users, such as:

  • Account verification: If you are currently logged in to your Amazon, Meta/Facebook/Instagram, Google or Microsoft account, reCAPTCHA uses this information to verify your identity by reading their cookies in your browser's local storage. There is no easy or practical way to prevent other sites from reading any of the other cookies in local browser storage.

  • Behavior analysis: reCAPTCHA analyzes your behavior, such as mouse movements and click patterns, to determine if you are a human or a bot.

  After having your browser fingerprint stored, the cookie dropped into your browser identifies and connects you and your browser with that fingerprint. You can return to the site and, if your browser cookie and fingerprint matches the ones stored online, you are allowed access without solving the puzzle again. The fingerprint and cookie lookups take mere milliseconds, short enough to be imperceptible to humans.

How can you protect your privacy?

Clear Browser Cookies

The first way to protect your privacy is to adjust your browser settings to forget all cookies upon session and browser exit. This does not erase your fingerprint and you will likely be required to solve the visual reCAPTCHA puzzle at next login to any sites using them.

Disrupt Fingerprint Databases

We cannot prevent browser fingerprinting but we can make those profile databases less reliable to advertisers and data brokers. We do this by switching from Google Chrome to a browser with built-in fingerprint resistance. Microsoft Edge has some fingerprint resistance, however, it does store browser behavior information in Microsoft's databases.

• The objective of fingerprint resistance is to disrupt fingerprint databases by presenting a unique browser fingerprint to each web site encountered, thereby filling databases across the web with unreliable data. The result: Garbage in, garbage out. How many web sites do you visit in a week? With a fingerprint resistant browser, each of those sites thinks you are a unique user again, and again, and again. This makes it much more difficult to track your daily browsing activity across the web resulting in fewer "relevant" advertisements and less reliable data collected by data brokers.

  Several browsers and extensions have been developed that are specifically designed to present random fingerprints to sites, also known as fingerprint resistant or fingerprint defenders. Examples of fingerprint resistant browsers are Firefox, Brave, Opera, and several others.

Choosing a Fingerprint Resistant Browser

Google Chrome is an open source browser. Google allows anyone to download and modify its Chrome source code for free. This has led to a plethora of Chrome-based browsers that have removed Google's tracking code and substituted fingerprint resistance. The public benefits from modified browsers retaining the ability to access and use a wide array of Chrome extensions available in the Chrome Web Store. Chrome extensions are used to "extend" browser functionality beyond what is provided by Google and software developers. Examples of common extension plug-ins are password managers, privacy enhancements, disabling automatic playing of audio and video, screen capture, and a host of other capabilities.

A Note on the Firefox Browser

Mozilla Foundation's Firefox browser has held second place market share for several years, well behind market leading Google Chrome. Firefox's major attraction has been its focus on privacy and security. Firefox has well developed fingerprint resistance. Mozilla operates as a nonprofit organization and funding has been challenging. In late February 2025, Mozilla created a public relations nightmare by walking back its promise to not share user browsing data. Many people are abandoning Firefox for Chrome-based browsers and Firefox's reputation has been damaged.

• LibreWolf: LibreWolf is a privacy-focused fork of Firefox, which can be used with the Chrome engine. It includes a feature called "ResistFingerprinting" which aims to prevent fingerprinting by standardizing certain browser characteristics.

• Firefox has faced reputation issues primarily due to its historical performance compared to Chrome. When Chrome was first introduced, Firefox was perceived as slower, contributing to Chrome's rapid rise in popularity. Additionally, some users remember Firefox from its earlier days when it was part of Netscape, which may influence their perception negatively.

• Another factor affecting Firefox's reputation is that many modern websites are optimized for Chrome, leading to impaired performance and reduced functionality issues when accessed with Firefox. This problem persists even if Firefox's speed and security remain competitive on other web sites.

Fingerprint Resistant Chrome-Based Browsers

Here are some Chrome-based browsers that offer fingerprint-resistant features:

• Brave Browser: Brave is a popular Chrome-based browser that offers fingerprint-resistant features, including a fingerprint randomizer and tracker blocker.

• SRWare Iron: SRWare Iron is a Chrome-based browser that offers fingerprint-resistant features, including a fingerprint blocker and tracker blocker.

• Comodo Dragon: Comodo Dragon is a Chrome-based browser that offers fingerprint-resistant features, including a fingerprint blocker and tracker blocker.

• Tor Browser (with Chrome engine): The Tor Browser is a privacy-focused browser that uses a modified version of the Chrome engine. It includes fingerprint-resistant features, including a fingerprint randomizer and tracker blocker.

• There are several more available not included in this write-up.

Brave Browser Option

I gave up Firefox years ago due to reputation issues and web site optimizations for Chrome noted above. After reviewing various Chrome-based browser comparisons, my choice has become the Brave browser.

Browser Profiles

One useful feature of most browsers is the concept of user profiles. Profiles allow different browser configurations for different purposes. For example, profiles can be configured for:

• Online financial services

• Shopping

• Bill payments

• Children's activities

• School or work

• Gardening

• Entertainment

• Health & Wellness

• Hobbies

The degree of separation of internal functionality differs between each browser. Google Chrome itself wants to be logged in to a single account on a single site. Brave browser developers have adjusted Chrome internals and fingerprint resistance to allow multiple logins to one site, each with a different site account, and remain internally separated within each profile.

For example, I have two Substack publications, each with a different associated email address: Paul's Visual Arts and Essential Risk Management. I set up a Brave profile for each account with different bookmarks and extensions. I use 1Password password manager and Malwarebytes Browser Guard in both profiles. I can then login to Substack with each profile using the appropriate account email address. Brave's internal separation makes its presence known to Substack as two different browsers, without any internal session overlap. In this scenario, standard Google Chrome is unable to present as two separate browsers due to its internal tracking mechanisms.

My use case for being logged in to Substack with two separate accounts is to enable me to apply some automation using the Scheduled Notes Extension for Google Chrome, from software developer , in my Brave browser. I can write several Notes in advance, for each account, then schedule posting them throughout the day or week. This frees me to work on more pressing issues.

Setting Up Brave Profiles

Brave Profiles for Techies

To create Brave profiles, follow these steps:

• Open Brave and click on your avatar in the top-right corner, click "Settings", click "Profile name and icon", then select "Get started"

• Click on "Profile name and icon" in the window to create a new profile.

• Name your profile

• Pick themes and colors

• Done

Each profile maintains separate bookmarks, extensions, and browsing data like cookies and history, allowing you to compartmentalize your browsing for privacy. Add the bookmarks, extensions, and themes that work for the new profile. Switch profiles by clicking on your avatar in the top-right corner, then select you desired profile.

Brave Profiles for the Non-Technical

There are many amazing and brilliant people, just like you, who will read this article. Words, Cooking, The Arts, or Body/Mind/Spirit are your expertise, for example. Your encounters with technology are avoided when possible, yet necessary for daily life. You implement the steps above, then feel lost or want a helping hand to get your profiles up and configured properly.

• Do you find that tinkering with technology settings is more akin to a root canal?

• Are you frustrated with how much data is collected about your web browsing?

• Does making informed choices about how much browsing data to give up in order to purchase a product or service make you feel like a stronger consumer?

• How would it feel to play your part, however small, in disrupting the Data Surveillance Industrial Complex every day?

If you found this information helpful, you're not alone! Many people rely on our community for expert advice on staying safe online. To take your protection to the next level, consider becoming a PAID subscriber to Essential Risk Management.

For just a small fee, you'll get access to an exclusive tool, included below with this post, that will give you and your loved ones even more peace of mind when browsing the web. We're grateful for your support and look forward to helping you stay safe online.

If you’re not yet ready for a paid subscription, please consider getting a copy of the guide here.

Read more

I saw an Associated Press article on April 30, 2025 that piqued my interest regarding Visa encouraging giving my credit card to an AI Agent so it can go shopping for me.

My first reaction was "No F*&#ing Way! What could possibly go wrong?"

It took me a while to come up with a response to the article. I have 20 years experience, specifically in credit card data security, and this new position of Visa appears to go against all the data security controls for which they have advocated this entire century.

In the early 2000's, electronic commerce was new. Banks wanted to capitalize on the new trend and began exposing their internal account databases to the Internet. On one hand, this enabled credit card transactions to be accomplished over the Internet instead of their highly controlled and secure internal networks. On the other hand, the rush to Internet connectivity revealed that bank security processes were unprepared for attacks and theft of millions of payment cards that resulted.

To combat theft of credit card numbers in bulk from banks, merchants, and payment processors, Visa created the Cardholder Data Security Program (CDSP), which required any company that stored, processed, or transmitted payment card data to implement a specific set of security controls. Visa also required those companies to undergo an annual audit of those controls by independent third parties and prove the prescribed controls were implemented. The results of those audits were sent to Visa for review and approval.

Visa receives copies of audit reports from large merchants and companies authorized to process payment transactions and perform payment management functions. Those companies were known as Service Providers. In the same department, Visa had staff developing and executing training for the auditors to ensure its CDSP requirements were evaluated uniformly by the Qualified Data Security Professional companies (QDSP) who were performing the audits. The CDSP/QDSP programs were intended to apply basic security controls across its payment card ecosystem. In 2005, I worked in the Visa department reviewing audit reports for Service Providers. I also assisted in training the QDSP technology professionals.

Around the same time, the other payment card companies developed their own security programs similar to Visa's CDSP. American Express, Discover, Mastercard, and Japan Commerce Bank created similar programs. Each program was intended to secure payment card data but each had different controls. This caused confusion in the marketplace and a demand for uniform standards was demanded.

The five payment card companies got together and formed a nonprofit, independent organization to develop and promulgate payment card data security standards, payment software security standards, vulnerability scanning standards, and training qualified technology professionals to audit those standards. In 2004, the Payment Card Industry Security Standards Council was born and it released the first industry-wide standard: the Payment Card Industry Data Security Standard, Version 1.0 (PCI DSS v1.0). This satisfied the need for uniformity in the protection of payment card date.

All five of the payment brands adopted PCI DSS 1.0. They required its controls be implemented along with annual audits proving to the newly trained Qualified Security Assessors (QSA)'s PCI DSS 1.0 controls were implemented. The controls covered all aspects of Internet technology: firewalls, servers, databases of stored card data, antivirus, secure software development, controlled access, user controls, physical facility controls, incident response, audit trails, security testing, company security policies, to name a few. I worked as a QSA for 15 years.

PCI DSS 1.0 was a start to a long process of protecting payment card data. The standard evolved every 2-3 years and included additional controls. Each payment brand maintained its own fraud detection and response teams. Those teams would bring attack information to PCI SCC and work on placing mitigating controls into the standard. The makeup of PCI SSC was representatives from American Express, Discover, Mastercard, Japan Commerce Bank, and Visa. They were competitors trying to tackle a common problem. This made unanimous consensus imperative to include an issue in the next standard. It also explains why, even today, the perception is the standard sometimes does not do enough to protect cardholder data. Technology moves at light speed and consensus usually moves at a snails pace.

In 2025, we are now at PCI DSS 4.0. We can look in hindsight to say that PCI DSS has been successful in drastically reducing theft of payment card data in bulk from banks, merchants, and their Service Providers. There is rarely a news article where those companies are broken into and data stolen. When there are news reports of payment card data theft, its usually incidental and part of a larger phishing or ransomware attack and rarely the main target. PCI SSC, PCI DSS and related standards have shown the payments ecosystem can work together to solve a common problem; it just takes a long time and consensus to get changes implemented.

With all of that mind numbing background, we arrive at a new precipice in the land of payment card data protection: Autonomous AI Agents going shopping and executing payment transactions on behalf of consumers. This is uncharted territory at best, science fiction at worst.

The pitch: "Set a budget and some preferences and these AI agents — successors to ChatGPT and its chatbot peers — could find and buy you a sweater, weekly groceries or an airplane ticket."

From the AP Article:

Visa announced April 30, 2025, it is partnering with a group of leading AI chatbot developers — among them U.S. companies Anthropic, Microsoft, OpenAI and Perplexity, and France’s Mistral — to connect their AI systems to Visa’s payments network. Visa is also working with IBM, online payment company Stripe and phone-maker Samsung on the initiative. Pilot projects begin Wednesday, ahead of more widespread usage expected next year.

“The early incarnations of agent-based commerce are starting to do a really good job on the shopping and discovery dimension of the problem, but they are having tremendous trouble on payments,” Forestell said. “You get to this point where the agents literally just turn it back around and say, ‘OK, you go buy it.’

Visa sees itself as having a key role in giving AI agents easier and trusted access to the cash they need to make purchases.

“The payments problem is not something the AI platforms can solve by themselves,” Forestell said. “That’s why we started working with them.”

Multiple questions come to mind when considering to give my credit card to an AI Agent:

• How do I know I can trust the agent and developer?

• What proof is there that my card data is protected when stored or transmitted by the agent?

• What recourse do I have if the agent has an error in execution and buys a something that inadvertently max's out my credit limit?

• What protections prevent the agent from getting hijacked by another agent or autonomous process?

• How do I know my payment card data is not being copied and stored elsewhere without me or the developer knowing? What if the developer knows and does not tell me?

• How do I know the agent software was developed securely and is free from vulnerabilities?

• What audit trails are available to me so I know what the agent did, when, where, and how an action was performed?

• How do I know may payment card data was securely deleted when requested at account closure or payment method modification?

• What payment card data protection standards must AI Agent developers be required to implement? Will they be required to undergo audits to prove compliance?

Until these and many more questions are answered and new payment card data protection standards are defined, promulgated, implemented, and audited …

While researching my previous post “Slamming the Door on Google Account Surveillance”, I uploaded multiple source documents to Google’s NotebokkLM AI tool.The AI was helpful in providing me a braod view of online surveillance.

A sampling of the online surveillance sources I uploaded:

• Alice Marwick, UNC Chapel Hil, Surveillance & Society

• American Civil Liberties Union

• Amnesty International

• Brennan Center for Justice

• Federation of American Scientists

• Middle East Research and Information Project

• United Nations

• Surveillance Technology Oversight Project

A fascinating option presently available in NotebookLM is the capability to generate audio in a podcast format. The tool has the ability to accept a specific prompt on what to cover in the podcast and it generates a pair of AI voices discussing the topic as if real people were interacting with each other. The results are impressive!

I downloaded stock images and videos from Pixabay.com to use as illustration for the audio and included a smattering of text titles for emphasis during playback. I’m quite pleased with the discussion and and found it helpful to cement the concepts for me.

Listen carefully to the voices and speaking patterns. They are quite human and believable. I have encountered at least one other writer on Substack attempting to pass off NotebookLM audio as their own. If you hear these same voices, rest assured that Google’s NotebookLM was used to create it. If the author trys to claim the work as their own original audio, you can be assured the claim is entirely without merit.

Have a listen and let me know how I can improve the video in the comments.

Leave a comment

When online services are free, the product becomes us, the users! Who are the actual customers if we are the product? Online advertisers and data brokers are the actual customers of Google, Facebook/Meta, and other major platforms. Google has built such a ubiquitous online advertising empire, that the U.S. Department of Justice brought an antitrust lawsuit against them resulting in a judgement on August 5, 2024 declaring that "The court reaches the following conclusion: Google is a monopolist, and it has acted as one to maintain its monopoly,"

How did Google accomplish this? One of several ways by surveilling user activity of its plethora of "free" services. Every user of Google services agrees to surveillance in its convoluted Terms of Service pages prior to acquiring access to a particular service. Google has added software sensors in its accounts and services which aggregate those inputs to build exhaustively intrusive profiles of each of us for sale within is advertising network. The process has become so successful, that Google has found a way to print money in perpetuity.

Google's Chrome web browser extensive surveillance has been covered in my previous post detailing the user data collected and recommendations to switch to alternative privacy-focused browsers.

My standard web browser is Brave, which has Leo AI built-in. I asked Leo for a definitive list of free Google services, including a numeric count, and it returned 30 services. Microsoft CoPilot AI returned 36 free Google services. The common denominator in all these services is your Google Account and its privacy settings. Therefore, your first step in reducing Google surveillance is using the settings available to disable as many Google Account sensor settings as possible, resulting in less of your usage activity being recorded into your Google profile.

Here is the checklist I use to regularly review my Google Account settings. My recommendation is to review these settings quarterly, as Google makes new services available, upgrades existing services from time to time, or as you sign up for new Google services. This review should be a regular part of your own periodic online security and privacy review processes.

Google Account Settings Review

1. Review Activity History

• Log in to your Google Account

• Go to My Activity

• Turn off data collection for Web & App activity, Location history, and YouTube history

• If keeping history, set auto-delete to 3 months

2. Disable Ad Personalization

• Visit Google My Ad Center

• Turn off ad personalization to prevent tracking-based ads

3. Turn Off Shared Endorsements

• Find this setting under “People & Sharing” in Google Account

• Disable endorsements to prevent Google from using your profile in ads

4. Check Location Sharing

• Review who has access to your location

• Disable unnecessary location sharing

5. Secure Calendar Settings

• Go to Calendar settings

• Restrict access to only trusted individuals

6. Manage Google Family Group

• Review members and adjust sharing settings as needed

7. Review 3rd Party App Connections

• Navigate to “Connections” in Google Account

• Remove apps that no longer need access to your data

8. Turn Off Additional Tracking

• Access “Other Activity” in My Activity

• Disable tracking for YouTube interactions, Google Photos facial recognition, and more

9. Check Google Fit Data Sharing

• Adjust privacy settings to restrict unnecessary data sharing

10. Audit Your Google Services

• Review all active Google services at least quarterly

• Remove or disable unused services

Prioritizing Google Account Settings

To determine which steps are most important for your Google privacy settings, consider these factors:

1. Data Sensitivity – If a setting involves highly personal data, such as location history or search activity, it's a higher priority.

2. Exposure Risk – Some settings, like shared endorsements or third-party app access, expose your data to others. These should be reviewed first.

3. Usage Patterns – If you rarely use a Google service, you may not need extensive personalization settings turned on.

4. Privacy vs. Convenience – Some restrictions may limit Google features. Prioritize the settings that maximize privacy without disrupting your workflow.

5. Default Risks – Certain Google settings collect data by default. Turning off unnecessary collection is a top priority.

Top-Priority Privacy Settings Adjustments

1. Adjust My Google Activity

• Most critical: Turn off --> Web & App Activity, Location History, and YouTube History

• If keeping history, enable auto-delete every 3 months

• Delete existing history under “Delete Activity By”

2. Disable Personalized Ads

• Go to Google My Ad Center

• Turn off ad personalization to stop targeted ads

3. Limit 3rd-Party App Access

• Check "Connections" in Google Account settings

• Remove apps that don’t need access to your data

4. Manage Location Sharing

• Ensure no unintended location sharing is enabled

Medium-Priority Settings

5. Turn Off Shared Endorsements

• Located under “People & Sharing” in Google Account

• Prevent Google from using your profile in ads

6. Restrict Google Family Group Access

• Review members & what’s shared with them

7. Secure Google Calendar

• Limit access to only trusted individuals

8. Disable Extra Tracking in Google Services

• Review "Other Activity" settings in My Google Activity

• Turn off tracking for YouTube, Google Photos, Google Pay, etc.

Lower-Priority But Useful Settings

9. Check Google Fit Data Sharing

• Adjust privacy settings to restrict unnecessary data sharing

10. Audit Your Google Services Usage

• Review all active Google services and remove unused ones

There is no way to completely disable Google Account surveillance other than closing the account and removing your legacy stored data. I've used Gmail for 20 years, so there is no way I will delete all that activity and those memories. This situation is an illustration of "vendor lock-in". There are many of us in this predicament. All we can do is toggle the available account switches to reduce the data collected about us.

I’ve created a comprehensive guide for review of your Google Account Settings here.

Adjust your Google Account settings today so you can reclaim your privacy while using Google Services.

Alert: Data Breach at Hertz Corporation

"On February 10, 2025, we confirmed that Hertz data was acquired by an unauthorized third party that we understand exploited zero-day vulnerabilities within Cleo's platform in October 2024 and December 2024,"

Number of people impacted: Not disclosed

Locations affected: Not disclosed

Data exposed:

"… customers' names, contact information, date of birth, credit card information, driver's license information, and information related to workers' compensation claims.

"A very small number of individuals may have had their Social Security or other government identification numbers, passport information, Medicare or Medicaid ID (associated with workers' compensation claims), or injury-related information associated with vehicle accident claims impacted by the event,"

Date of Breach: October 2024 and December 2024, confirmed February 10, 2025

Attacker: Not disclosed

Breach entry point: Cleo Communications US, LLC (“Cleo”), a vendor of Hertz, https://www.cleo.com/

Data Breach Notice Posting:

https://www.hertz.com/content/dam/hertz/global/resources/Notice_of_Data_Incident-United_States.pdf

News article:

https://www.bleepingcomputer.com/news/security/hertz-confirms-customer-info-drivers-licenses-stolen-in-data-breach/

Reduce Your Risk with These Actions:

• Call or login to the three major credit bureaus and FREEZE your credit account and place a FRAUD ALERT on your credit files

  • Equifax - https://equifax.com | 1-888-548-7878

  • Experian - https://experian.com | 1-800-493-1058

  • Transunion - https://transunion.com | 1-800-916-8800

• Obtain a FREE CREDIT REPORT at www.annualcreditreport.com | 1-877-322-8228

• Hertz is offering two (2) years of Credit Monitoring Service - sign up for it. Make note of the day your coverage starts and add and end date in your electronic calendar, as an All Day event reminder

• Change your password at the company effected by the data breach

• Sign up for 2-Step Authentication using an Authenticator app on your phone

• Do not use text messaging for 2-Step Authentication

• Use a Password Manager to generate and store a long and complex password

• If a stored credit or debit card was compromised, cancel the card and get a replacement. Update any recurring payments associated with the new card

• Monitor you card and bank statements for unauthorized charges. Look for out of area charges or small amount charges at unfamiliar merchants.

• File disputes with your card issuers to recover funds

• Ensure your browsers, email apps, social media apps, computers, and phones have the latest updates installed

Creative Artisans

Creative works flow from somewhere deep within you then burst like confetti into your consciousness. Sometimes you struggle to set inspiration free into your chosen media or form. Other times you are compelled to drop everything and focus on creation right now: jot some notes to capture ideas in the fleeting moment, then proceed to give the ideas shape in the present. You labor, adjust, and tweak, until your creation is manifested and ready for presentation to the world.

• If your work is a physical object, you must photograph it so it can be presented to the world.

• If your work is music or the spoken word, your clips, compositions, demo's, recordings, and Midi files are your stock-in-trade.

• If you are a visual artist, photographs and/or videos become your presentation medium.

• If you are a writer or poet, your words become captured into digital form somewhere in your process.

The common denominator is creating a digital repository for your works used in distributing, marketing and selling your creations. That repository is your livelihood, your critical asset.

Cybersecurity Threats

Cybercriminals on the Web are laying traps for you so they can snare your money, health records, government identifications, and credit data to use for their own profit.

• Artificial intelligence is being used to increase the likelihood you will fall into one of their traps.

• Ransomware is a constant and pernicious predator waiting for you to click on the wrong link, encrypting your entire computer, and extorting you for hefty fees for promise of recovery.

• There is no guarantee paying a ransom fee will return your data whole.

How much of your data can you afford to lose and still meet your commitments? This is your Recovery Point Objective (RPO).

How long can you be without that repository before your operation is severely impacted or required to cease altogether? This is your Recovery Time Objective (RTO).

Threat Reduction

There is technology available to help reduce online threats. The problem is we have various devices that store our critical data without a uniform way to protect them. Most Creatives are familiar with and have installed antivirus on desktop and laptop computers.

• How many Creatives have installed antivirus for their phones, tablets, or WiFi routers?

• How many Creatives understand that their web browsers can be used against them by cybercriminals and malicious web sites?

• There are browser "extensions" that can be installed in to flag and prevent browser attacks.

• How any Creatives install these protective and detective extensions?

The days of online privacy are over, at least in the U.S. The General Data Protection Regulation (GDPR) helps somewhat in the European Union.

The Google Chrome browser has become an invasive user surveillance tool.

• Marketers and advertisers can observe your daily activity across the Web.

• Your activity is then sold to other companies who slice and dice you into a profile.

• Profiles are then sold to retailers, other marketers, and government agencies.

Do Creatives know how to reduce their surveillance profile and browser fingerprints while enhancing online privacy?

Cybersecurity as Transformation

Integrating cybersecurity into your life can be a transformative experience for Creatives. It can help you develop a new perspective on the digital world and the importance of protecting your sensitive information on your various devices. Self-learning is the key for protecting your critical data. What happens when you harmonize cybersecurity into your Creative life? You improve your

• Understanding the of risks and threats in the digital landscape which helps Creatives become more deliberant and vigilant when navigating online.

• Knowledge of cybersecurity best practices empowers Creatives to make informed decisions about online activities, such as choosing strong passwords, using two-factor authentication, and avoiding suspicious links.

• Learning cybersecurity encourages Creatives to think critically about the potential consequences of actions and where malicious actors can deploy various types of attacks.

• Understanding cybersecurity best practices can help Creatives protect personal data, critical production files, finances, and online identities from various cyber threats.

• Learning about cybersecurity, Creatives can better navigate the online world, avoiding phishing scams, malware, and other cyber threats.

• Learning about the importance of cybersecurity, you may feel a sense of responsibility to protect not only yourself but also your families, organizations, communities, and the broader digital ecosystem wherever you recognize a potential threat.

Protecting Critical Assets

How much of your critical data can you afford to lose and still meet your commitments? This is your Recovery Point Objective (RPO). Only YOU can decide this.

How long can you be without your data repositories before you are severely impacted or required to cease operations altogether? This is your Recovery Time Objective (RTO). Only YOU can decide this.

To adequately protect your critical assets, you must build incident response and recovery processes that meet both your RPO and RTO.

Challenge of Learning Cybersecurity

Fortunately there are a plethora of courses, dozens and dozens of tools to use, processes and procedures to learn and implement. The questions then become:

• To whom do you turn to when a guiding hand is needed?

• Who can you trust to provide clear, actionable advice that fits your Creative needs?

• Can your family techie help?

• Friends or work acquaintances can sometimes help each other out with solutions to tech problems but that assistance has its own limits.

There are many cybersecurity courses available at online education platforms, but choosing one or more becomes a daunting task in itself.

• How do you know it’s the right one?

• When will it cover the topics you need covered?

• Are there prerequisite courses or knowledge needed?

• Will it make sense to a nontechnical person?

Look for a Cybersecurity Expert and Fellow Creative

My twenty-five years of cybersecurity experience, while supporting my photography habit, will be shared with fellow Creatives to protect your critical data.

I will armor you with:

• Knowledge you need to be safer online.

• Written in a way that is understandable and accessible.

• Gaining the knowledge and confidence to make informed decisions about your online privacy and security that easily integrate into your life.

• Achieving more confidence to protect not only yourself but also your families, organizations, communities.

• Workable solutions that help protect the broader digital ecosystem wherever you recognize a potential threat.

I am a fellow Creative:

• Have a look at Paul's Visual Arts SubStack

• I display my photography, multimedia creation works

• Link to my online photo store.

Become a Subscriber

As a free subscriber you will

• Receive data breach news reports that affect Creatives credit card data, Social Security Numbers, email and physical addresses, health insurance breaches, and other privacy compromises.

• Improve your own Cybersecurity process from periodic CYBERSECURITY FOR CREATIVES TIDBITS via SubStack Notes.

Become an Annual Paid Subscriber

Most people dislike monthly subscriptions. I find annual subscriptions much easier to add to my calendar reminder and allocate funds every year. Maybe you are the same? If so, annual subscriptions are discounted more than 20% from monthly!

Paid subscribers will learn to integrate cybersecurity processes into their daily lives with:

• Everything free subscribers receive

• Defeating malicious web sites using tools and processes

• Adjust privacy and security settings on your devices: PC, Mac, Phones, Tablets, WiFi routers to increase your confidentiality and privacy

• Safer public WiFi usage at coffee shops, transportation, and retailers

• Understand current and emerging cyberthreats along with protections for Creatives

• Exploring new security and privacy tools that enhance confidentiality, integrity, and availability of Creatives business or production activities and processes

• Chat to share experiences and solutions unique to Creatives

• Discounts on Cybersecurity Intelligent Response ^TM knowledge, tools, and training produced specifically for Creatives that make you safer and increase confidence in daily online activities

• Supporting a fellow Creative and giving back to our community

How will you feel having a Trusted Cybersecurity Advisor with actionable recommendations to help protect yourself online?

Now, it is up to YOU. Become an Annual Paid Subscriber now.

Subscribe now

Alert: Data Breach at Pennsylvania Education Association (PSEA)

Data stolen impacting 517,487 people:

State IDs, Social Security numbers, financial account numbers, payment card information, passport numbers, taxpayer IDs, health insurance information.

Locations affected:

Residents of Iowa, Maine, Maryland, Massachusetts, New Hampshire, New Mexico, New York, North Carolina, Oregon, Pennsylvania , Rhode Island, Washington D.C., current and former members of PSEA.

News article:

"PSEA represents more than 177,000 teachers, school nurses, bus drivers, cafeteria workers and others in roles across Pennsylvania’s public schools. The organization bargains compensation and benefits on behalf of school workers and has existed since 1852."

-- The Record Media, March 19, 2025. https://therecord.media/half-a-million-impacted-pennsylvania-education-data-breach

Date of Breach:

July, 6 2024

Attacker:

The attack on PSEA was claimed by the Rhysida ransomware gang in September 2024.

Breach entry point:

PSEA network environment. No further specifics provided.

Data Breach Notice Posting(s):

• Maine - https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/e44266ce-8099-4d3c-8635-2c5cdb41f24a.html

• Massachusetts - https://www.mass.gov/doc/2025-493-pennsylvania-state-education-association/download

• New Hampshire - https://mm.nh.gov/files/uploads/doj/remote-docs/pennsylvania-state-education-association-20250318.pdf

• Pennsylvania - https://www.psea.org/pages-without-a-home/notice-of-data-security-incident/

Reduce Your Risk with These Actions:

• Call or login to the three major credit bureaus and FREEZE your credit account and place a FRAUD ALERT on your credit files

  • Equifax - https://equifax.com | 1-888-548-7878

  • Experian - https://experian.com | 1-800-493-1058

  • Transunion - https://transunion.com | 1-800-916-8800

• Obtain a FREE CREDIT REPORT every twelve (12) months at www.annualcreditreport.com | 1-877-322-8228

• If you are offered Credit Monitoring Service in a letter notifying you of a data breach, sign up for it. Make note of the day your coverage start and end dates in your electronic calendar, as an All Day event reminder

• Change your password at the company effected by the data breach

• Sign up for 2-Step Authentication using an Authenticator app on your phone

• Do not use text messaging for 2-Step Authentication

• Use a Password Manager to generate and store a long and complex password

• If a stored credit or debit card was compromised, cancel the card and get a replacement. Update any recurring payments associated with the new card

• Monitor your card and bank statements for unauthorized charges. Look for out of area charges or small amount charges at unfamiliar merchants.

• File disputes with your card issuers to recover funds

• Ensure your browsers, email apps, social media apps, computers, and phones have the latest updates installed

Does your child, grandchild, sibling, or relative attend Riverdale Country School in Bronx, NY? If so, the school incurred a data breach and ransomware attack by RansomHub. The school did not pay the requested ransom. The nonpayment led to the leak of 42Gb of student data.

• Riverdale Country School (Pre-K to 11)

• Location: Bronx, NY

• Data breached: biographical info, contact info, personal medical information

• Data exposed or stolen: Feb 20, 2025

• Links to news & disclosure: https://www.bxtimes.com/hackers-leak-sensitive-data-from-elite-bronx-private-school-after-ransomware-attack/

Reduce Your Risk with These Actions:

If your child's data was compromised in the Riverdale Country School data breach, here are some steps you can take:

1. Contact the school: Reach out to Riverdale Country School's administration to report the breach and express your concerns. They may provide more information on the affected data and the steps they are taking to mitigate the situation.

2. Report the breach to the relevant authorities: File a complaint with the Federal Trade Commission (FTC) and the New York State Attorney General's Office, as they oversee data protection laws.

3. Monitor your child's credit report: If you child has a Social Security Numner, they likely have a credit report. Request a copy of your child's credit report from the three major credit bureaus (Experian, TransUnion, and Equifax) to ensure there are no unexpected changes or accounts opened in their name.

4. Seek assistance from a credit monitoring service: Consider enrolling your child in a credit monitoring service to detect any potential identity theft or financial misuse.

5. Consult with a data protection attorney: If you believe your child's data was mishandled or if you're unsure about your next steps, consider consulting with a data protection attorney who can guide you through the process.

Additional resources:

• Federal Trade Commission (FTC) Complaint Assistant: https://www.ftc.gov/complaint

• New York State Attorney General's Office: https://ag.ny.gov/

• Credit monitoring services: Consider services like LifeLock or IdentityForce to monitor your child's credit report and detect potential identity theft.

• Data protection attorneys: Look for attorneys specializing in data protection and identity theft cases in your area.

I was in my easy chair late last night reading news and one social media post alarmed me to believe yet another social contract I've relied upon for the last few years was jeopardized.

The Social Security Administration has updated their web site Terms of Service to disclaim any responsibility for "the improper disclosure of any information that the Social Security Administration has provided to me or any information that is on or from my computer or other device, whether due to my negligence or the wrongful acts of others."

Several questions immediately came to mind:

• Can I no longer trust the information the Social Security Administration has provided to me?

• Can the Social Security Administration now read information on my computer without my consent when I login?

• Can the Social Security Administration now collect and disseminate information from my computer without my consent?

• Is the Social Security Administration now anticipating others will be provided my information or access to my computer or data without my consent and disclaiming responsibility?

I think it's time to get involved and call my Congressional Representatives and Senators to report this blatant abuse of our ow devices and personal information.

I'll also notify my local chapter of http://ACLU.org to get them into gear as well.

This. Must. Stop.

Article link: https://www.dailykos.com/stories/2025/3/4/2307754/-A-curious-clause-in-the-Social-Security-Administration-website-s-Terms-of-Service-Is-this-new

Beatles song for the moment: https://www.youtube.com/watch?v=BGLGzRXY5Bw

Myth: Mac's are safe, Mac's don't get viruses or malware!

Reality: Mac's are vulnerable to malware and viruses!

There are two main reasons why Mac's are thought to be safe from malware and viruses. First, fewer of them are in the marketplace compared to Windows machines. As of early 2025, Windows holds a significant lead in the desktop and laptop market with a 73% share, while MacOS accounts for about 14%. Windows remains the dominant operating system for personal computers, whereas MacOS is popular among creative professionals, education, and those within the Apple ecosystem (iPhone, iPad, AppleTV, Mac users).

Second, Apple has done a very good job of building secure settings into their products. Apple has also done an excellent job of creating the perception their products protect privacy and security using big budget marketing programs to differentiate brand awareness in their favor.

One of the byproducts of Apple marketing their high-ticket products is many web sites have begun to use your browser's Operating System parameter, sent when you connect to any site, to charge Apple users higher fees for products and services. The assumption being, if you can afford an Apple product, you can pay a higher fee. Also, Apple's market share is steadily growing in both personal and corporate environments. I've worked in several corporations where being provided a company MacBook was a huge perk and created considerable employee loyalty.

Updated MacOS Attacks

Cybercriminals have taken notice of MacOS as an "untapped resource" and have begun to focus more of their efforts on MacOS users with:

Advanced Malware: Newer and more sophisticated malware variants, such as XCSSET and Poseidon, are being developed to exploit MacOS vulnerabilities. These malware types can steal sensitive data, including passwords and cryptocurrency wallets.

AI-Powered Attacks: Cybercriminals are using AI to create more advanced and stealthy attacks. AI tools can automate compromise of tasks like network monitoring and vulnerability patching, making it easier for attackers to scale their operations.

Malware-as-a-Service (MaaS): The rise of MaaS has made it easier for inexperienced individuals to launch MacOS-focused campaigns. These services provide tools and instructions for bypassing MacOS defenses, lowering the barrier to entry for cybercriminals.

Social Engineering: Cybercriminals are leveraging social engineering tactics to trick users into bypassing MacOS’s security measures. This includes guiding victims through the process of manually bypassing Gatekeeper, Apple’s security feature.

Remember: These malware tools attack your built-in human preference to trust what is placed in front of you while online. While malware uses technology to coerce the receiver to take an action that infiltrates and extracts information and funds, fundamentally the attack is targeted at the weakest link in the chain: the Human! Beware of your own reactions, especially when the message is designed to create urgency to click or download something immediately.

Best Practices for Securing MacOS

Use Strong Passwords:

Strong passwords are hard to guess and help protect your accounts from unauthorized access. Using a password manager ensures that you can use complex and unique passwords without needing to remember them all. If you have used the same password on more than one web site, remember to login and change that password to a newly generated complex password created by the password manager. Enable Two-Factor authentication on every web site that allows it (more info below).

Enable MacOS FileVault:

FileVault encrypts your entire Mac internal hard drive, making it difficult for anyone to access your data without the correct password. This is essential if your laptop is lost or stolen. Create a pass phrase that is easy to remember when enabling File Vault. I use a phrase from a favorite song, which is easy to remember and is at least 20 characters long. This make it very difficult for a thief to guess your password if your machine is stolen. Store the pass phrase in your password manager tool for future reference.

Keep Software Updated:

Regular updates patch known vulnerabilities in the operating system and installed applications. Keeping everything up-to-date reduces the risk of malware exploiting these vulnerabilities. Remember to have your Mac install MacOS updates automatically. This is the easiest way to stay up to date. Also, be sure to run backups after the update has completed so you can recover to an updated state, if needed.

Use Antivirus Software:

Apple uses built-in technologies like XD (execute disable), ASLR (address space layout randomization), and SIP (system integrity protection) to make it difficult for malware to do harm. This is a good start. Advanced malware can get past these technologies, so the concept of "defense in depth" should be implemented.

Defense in Depth means there are more than one defense technologies deployed to protect against malware. Antivirus software provides an additional layer of protection by detecting and removing malware that might slip through existing defenses. It helps ensure your system stays clean. I use Malwarebytes on my Mac Mini desktop and MacBook Air laptop machines as my second line of malware defense.

Enable MacOS Firewall:

The built-in firewall blocks unauthorized network connections to your system by monitoring incoming and outgoing network traffic. It acts as a barrier between your Mac and potential threats. A quick YouTube video tutorial explains MacOS firewall settings here. Having your firewall enabled is critical for laptops used at coffee shops, airports, or other public WiFi locations. More on WiFi below.

Limit Administrative Privileges:

Granting administrative privileges only to trusted users minimizes the risk of unauthorized changes to system settings and installations. Using standard user accounts for daily activities reduces the chance of accidental malware installation. This is important if more than one person uses your Mac. If so, each person should have their own standard login account. You, as the owner, will automatically have administrative privileges that allows changes to the entire system. No one else should have that privilege. One exception would be a repair shop or Apple technician, if your machine must go in for hands-on servicing.

Backup Your Data with Apple Time Machine:

Regular backups ensure that you can recover your data in case of an attack or hardware failure. Backups provide peace of mind, knowing that your important files are safe. You will need an external USB drive with capacity that is at least 2X the size of your internal hard drive to start. If you have additional external drives you want to backup, you will need to increase the size of your backup disk to include those as well. These instructions and video will get you started.

Once your backups are operating normally, another best practice is to disconnect the USB drive and reconnect periodically and after system updates. Disconnected drives ensure your data remains safe and out of reach in the event your machine is attacked by malware, also known as an Air Gap. This establishes your Recovery Point Objective (RPO), which is the point of last recoverable data.

You must determine for yourself how much data you can allow to be lost between backups (RPO) and connect the backup USB drive to match that frequency. For example, if you can only lose two days of data, then reconnect your USB drive every other day to stay up to date.

Saving your important documents to a cloud drive service, such as Google Drive, Microsoft OneDrive, Box.com or Dropbox, can reduce your frequency of connecting your backup USB drive, as those files are backup up to their cloud hosts in minutes. You also must understand that a malware infection may be included in a recent backup and, with a good backup, a tech professional will be able to assist you in restoring to an earlier uninfected backup date, if needed.

When running your backup, ensure there are no other applications or browsers running that make outgoing connections. You might consider shutting down the network entirely by disabling WiFi, Bluetooth, and unplugging any network cables attached to USB ports. This eliminates the risk of an application allowing an undesired outbound network connection that could trigger a malware event. I usually try to start the backup process with a network disconnected machine before going to bed at night and it is done the next morning when I start my day.

Be Cautious with Downloads:

Downloading software from trusted sources helps avoid malicious programs that can harm your system. When downloading files, it's essential to be cautious because of:

Malware Risk: Files can contain viruses, spyware, ransomware, or other malicious software that can harm your device and compromise your data.

Phishing: Some downloads might trick you into revealing personal information, like passwords or credit card numbers.

Copyright Infringement: Downloading copyrighted material without permission can lead to legal issues.

Data Breaches: Malicious files can be used to gain unauthorized access to your personal or financial information.

Unreliable Sources: Not all websites or links are trustworthy. Downloading from dubious sources increases the risk of getting infected files.

By keeping your antivirus software updated and ensuring you download files only from reputable websites, you can mitigate these risks. Always double-check the source before hitting the "download" button!

Be especially careful when download links are included in unsolicited email messages, also known as Phishing Emails. If you are not expecting a download link from recently purchased software, the surprise download may be malware than can cause catastrophic loss for you. By the way, never click on a download link in your email Spam of Junk folder. Your email provider has likely already analyzed and flagged the message as suspicious. Better safe than sorry.

Use Two-Factor Authentication:

Two-factor authentication adds an extra layer of security by requiring a second form of verification (e.g., a code sent to your phone) in addition to your password. This makes it harder for attackers to gain access to your accounts. This second factor can come from one of the following categories:

Something you know: This is you password or PIN.

Something you have: This might be a smartphone, hardware token, or an authenticator app that generates a time-sensitive code.

Something you are: This includes biometric factors like facial recognition (iPhone/iPad), fingerprints (Mac laptops), retinal scans, hand geometry scans, or voice recognition.

• Using two of the same factors does not satisfy Two-Factor Authentication, i.e. using two different passwords is not Two-Factor Authentication.

CNET provides a simple explanation of Two-Factor Authentication:

"Instead of entering only your password to access an account, you need to enter your password -- the first verification factor -- and then a code sent via SMS or a prompt through an authentication app -- the second factor. This means a hacker would need to steal both your password and your phone to break into your account."

Authentication is controlled by the site to which you login. They elect which type of Two-Factor authentication to implement: none, SMS, or both SMS and App as options. If none, you should ask yourself if the risk is acceptable that the company may not take seriously the protection of your account and data. You might consider an alternative company that has more secure login options but that may not always be an option.

Issues with SMS

SMS is a text message to your phone with a six to eight digit code for you to enter into their web page before login is granted. SMS is not very secure. Again CNET describes as follows:

"… receiving 2FA codes via SMS is less secure than using an authentication app. Hackers have been able to trick carriers into porting a phone number to a new device in a move called a SIM swap. It could be as easy as knowing your phone number and the last four digits of your Social Security number, data that tends to get leaked (in data breaches, ed.) from time to time from banks and corporations. Once a hacker has redirected your phone number, they no longer need your physical phone in order to gain access to your 2FA codes."

Safer Two-Factor Authentication

The more secure way is to use an Authenticator app, such as Google Authenticator, Microsoft Authenticator, or Authy. I personally use Authy because Google & Microsoft have too much of my personal data already. Grrr! You download the app to your phone, scan a QR code presented by the web site with your phone camera, the app registers the site, then generates codes every thirty seconds that can be verified by the web site. If codes match, login is allowed to the site. Very simple and safe.

Also note that when you are changing very sensitive settings in MacOS, Apple will generate a six digit authentication code, send it to your iPhone screen display, and have you enter that same code on your Mac prior to allowing setting change.

Secure Your Home Wi-Fi:

Using a strong Wi-Fi password prevents unauthorized users from accessing your home network.

Public WiFi spots are favorite locations for laptops to be snooped upon or broken into because many people ignore security advice and use their machines in an unprotected state. Be sure to enable MacOS firewall "Stealth Mode" so your laptop appears invisible on a public WiFi network.

Another setting to enable is iCloud Private Relay. iCloud Private Relay is designed to protect your privacy by ensuring that when you browse the web in Safari, no single party — not even Apple — can see both who you are and what sites you're visiting. You can find out how to set that up here.

Use a VPN (Virtual Private Network)

A VPN adds an extra layer of security by encrypting your internet connection, especially on public WiFi networks. VPN's on the internet offer several benefits:

• Enhanced Privacy: A VPN encrypts your internet traffic, making it difficult for anyone to monitor your online activities. This is especially useful for preventing your ISP (Internet Service Provider) from tracking your browsing habits.

• Security on Public Wi-Fi: Public Wi-Fi networks, like those in coffee shops or airports, are often less secure. A VPN protects your data from potential hackers on these networks by creating a secure, encrypted connection.

• Access to Restricted Content: Some websites and services are geo-restricted, meaning they are only available in certain countries. A VPN can help you bypass these restrictions by masking your IP address and making it appear as though you are browsing from a different location.

• Avoiding Censorship: In some regions, to certain websites and services is restricted by the government. A VPN can help you access these blocked sites by routing your traffic through servers in other countries.

• Improved Anonymity: While a VPN doesn't make you completely anonymous, it does add a layer of anonymity by masking your IP address and encrypting your data, making it harder for websites and advertisers to track you.

By following these best practices, you can significantly reduce the risk of cyber threats and keep your MacOS device secure.

Disclosure: I may earn a fee if you purchase some of the items from my affiliate links. You can support my work by doing so and I'll be able to buy some afternoon tea ☕ and a cupcake. 🧁