How to Check if a Website is safe

It’s natural that as the internet has grown in size and complexity, so too have the scams and tricks that criminals play to try and steal your information for insidious purposes.

This guide aims to show you what to look out for when visiting websites and how to spot the dodgy ones.

Unsafe websites

Broadly, unsafe websites are websites designed to extract information – either personal or financial – from unsuspecting victims through some sort of scam or trick. 

Some unsafe websites will look like poor copies of genuine websites they’re trying to mimic. Many use reputable brands to try and convey legitimacy to their victims. Other unsafe sites go for original designs but include things like ‘trust badges’. These badges make up the little banner of credit card symbols you often see before paying. 

[Image: ‘Guaranteed self checkout’ trust badge. Source: https://trustlock.co/free-website-trust-badges-trust-seals-to-help-boost-sales/]

As you can see, it’s pretty easy to get a hold of these online, and it’s not like you have to prove your check out is safe, in this instance, to get the badge. It’s a good reminder that you can’t just trust a name because you’ve heard of it previously. 

How to check if a website is safe?

The important thing to remember with the below tips is that most of them don’t provide full certainty a website is safe, but rather good indicators that one is.

This means they should be taken as mutually supportive; in other words, you should be using them in combination with one another rather than relying solely on a single method or criterion. 

  1. Check for the ‘S’ on the end of HTTPS 

    One indication that a site is probably safe is whether it uses the secure scheme (https://), now often symbolized with a green padlock in the address bar, which shows that the site has an SSL certificate. However, the operative word in the previous sentence is, unfortunately, ‘probably’ – we can no longer say with assurance that this definitely means a site is safe.

    The APWG (Anti-Phishing Working Group) revealed that SSL was used by 77.6% of the phishing sites they detected in the second quarter of 2020, a number that rose to 80% in the third quarter. The padlock on its own is no longer a good criterion for determining the authenticity of any given website.

    According to the report, approximately 40% of phishing sites have a free SSL certificate from the certificate authority Let’s Encrypt. The long and the short of this situation is that now, it’s more likely than not that a given phishing website will have a green padlock/HTTPS URL. However, it’s still advisable to stay away from sites without this certification – and you can tell because it’ll say ‘not secure’ in the address bar.

  2. Check the URL 

    Some scammers bank on unsuspecting users misspelling the web addresses of genuine, popular websites. They take over website domains that might be just one letter or symbol different from the URL of a widely-visited site. So if you do suddenly find yourself on a suspicious-looking site, definitely have a look to see if you made an error in the address bar. 

    If you are going through a link on another site or in the body of an email, hovering over the link with your mouse can often reveal where the link is going to take you. If it looks suspicious – including having a spelling error, for example – then just don’t click it!

    You can also run the URL through a website safety checker. There are some nifty free sites out there that will scan URLs you plug into their page for viruses and malware. VirusTotal is recommended by several cybersecurity firms. However, if there’s little information available about a site, a free checker may struggle. To learn more about how to read URLs, check out our how to spot a fake website guide.

  3. Google it

    Again, this is simply another indicator, rather than a foolproof method of knowing, but googling whether a website is legitimate is certainly a savvy move if you suspect it might not be. There are a number of reputable websites set up to provide precisely this service, one notable one being TrustPilot.

    Asking Google or any other search engine whether a website URL is legitimate may return limited information – that’s a big red flag, especially if the website claims to be an appendage of a reputable, well-known company. 

    Another thing you can do is simply google the website’s URL (in the search bar of a search engine, not the address bar of your browser) followed by the word ‘scam’. This may get you an answer pretty quickly if it’s been particularly successful and hit a lot of victims. 

  4. Check the contact information 

    Check to see whether the contact information listed on a website is legitimate. Do emails to the email address actually send? When you search for the company address (providing it is real) does the location look plausible? You could even ring their phone number – whether (or how) they answer will give you a good indication of their legitimacy. 

    If you are using this method to check whether a website is safe and you do get an answer, never give out any personal information over the phone. Remember, you’re using this call to help you to determine whether the website or operation is a scam – you aren’t phoning up to buy their product or hand over any money. Remain skeptical throughout and don’t take a good conversation as proof the business is legitimate. 

  5. Adjust your browser’s safety options

    Every browser you use will have slightly different safety settings that will likely need adjusting to suit your needs. These settings can be a good tool to help you decide whether a website is safe.

    [Image: Google Chrome’s ‘Enhanced protection’ setting]
    These are not always the default settings either – as you can see above in Google Chrome, for example, you can turn on the enhanced protection version of the Safe Browsing tool, which checks website URLs for you and gives you advance warning of dangerous activity.

  6. Download and install antivirus software

    Like browsers, antivirus software will have features that will help you to determine whether a website is in fact safe to visit. Many will provide you with warnings about websites either on search result pages or when you click on the site link itself, whilst others will bar you from entering without bypassing a warning screen that highlights the dangers associated with your imminent visit.

    Some antivirus software will be more useful than others – check to see if your provider has an anti-phishing certificate, for example, because this will really help you out if it does. 

  7. Check the spelling

    Another indication that a website is safe is flawless spelling and grammar. Legitimate businesses will want to look as professional as possible for customers, so most will have spell-checked the text that appears on their website thoroughly.

    This is so crucial to success that a real business will usually pay a professional copywriter to write their website copy and seek a lawyer or legal advisor to help them construct their privacy policy.

    If you’re spotting error after error, it’s highly unlikely anyone with any level of relevant training or skill has looked at the site – which suggests it might belong to something other than a real business that has a reputation to uphold. 

Other types of ‘safety’

Some websites might be perfectly legitimate, yet still clash with user conceptions of ‘safety’. Some users will consider sites unsafe if they have shady practices when it comes to data. Control over private information is, for many people, intimately linked to safety.

A website’s privacy policy should, in theory, inform you how the data you hand over and your browsing activity will be used, and what other companies or sites it might be shared with. This should be somewhere at the bottom of the page – no visible link to a privacy policy is not a good sign. 

Spotting fake websites

One easy way to protect yourself and confirm a website is safe is to become familiar with what scam websites tend to look like and the features they often share.

Remember, the vast majority of scammers do not have the time, resources, or technical know-how to create sites that are exact replicas of legitimate ones, especially if they’re trying to target victims from countries where they don’t speak the language. It’s also important to remember that scammers’ targets are primarily people who aren’t the most clued up with computers and technology – so knowing what to look for, in a way, is one of the best defenses. Bearing this in mind, you should leave a site immediately if it:

  • Has so many pop-ups you can’t smoothly navigate the website.
  • Redirects you to a completely different website.
  • Provokes warnings from your search engine. 
  • Immediately slows down your mouse movement. 
  • Keeps refreshing itself without instruction. 
  • Is claiming to be a legit brand’s site but has spelling errors en masse.
  • Has countdown timers and threats of service revocation. 
  • Asks for unusual payment methods, like paying in Google Play gift cards.

Other red flags

Other signs that may be indicators of shady activity and should lead to browsing with extreme caution include:

  • Ridiculously low prices, or free offers on expensive products.
  • Weird uses of caps/exclamation marks to inject urgency.
  • A lack of user reviews, or blatantly fake ones from bots.
  • No privacy policy or terms of service.
  • Pop-ups with pornographic imagery/adverts of a sexual nature. 
  • Poor design/odd color and font combinations.
  • Looking more like a site from the early 2000s than 2021.

Conclusion: use your common sense

Legitimate websites will never ask for your personal information unless they really need it. They won’t ask you to input it into a flashing pop-up, demand you enter it before a timer runs out to avoid punishment, or ask for your financial information when there’s nothing to pay for.

If you’re being threatened with arrest, service revocation, or a fine, you wouldn’t find out through a spontaneous website visit, through clicking on a link in an email riddled with spelling errors or a phone call you’ve had to make because a pop up has frozen your computer. Remember, that’s not how legitimate businesses communicate with their customers.

Genuine companies will be more than happy to go to great lengths to show you they’re the real deal, both in correspondence and on their website. I know, for example, when an email is really from my bank because they prove who they are by showing me information only they could know. 

You likely visit hundreds of legitimate websites every month, so you do know what one looks and feels like through experience, and you know what legitimate correspondence is like too. Always ask yourself ‘would a legitimate company do this, and have legitimate websites asked me to do this before?’ If the answer isn’t a definite ‘yes’, it’s time to leave.

Is Amazon Sidewalk Private? – Do you want to live in Amazon’s neighborhood?

In late 2019, at a fall hardware event, Amazon unveiled Sidewalk – a “new way to stay connected”, according to the company itself.

With Amazon Sidewalk, customers who own smart lights, pet trackers, motion detectors and other internet-enabled devices will be able to keep them connected to the net even if they’re out of range of the household router.

Now that it’s 2021, Sidewalk is readily available to customers in the US with compatible devices – and this includes Echo speakers and Ring cameras.

However, this impressive functionality raises an old question – how much trust should we place in Amazon? Do the benefits of Sidewalk’s range-boosting network outweigh the privacy concerns, or the slew of security breaches and leaks that have beset the company in recent years?

Ultimately, Sidewalk creates a number of small mesh networks to extend the range of compatible devices. It also uses a bit of your home Wi-Fi to relay 900 MHz and low-energy Bluetooth signals to the gadgets around your home. So, if you have smart lights or a camera tucked away at the end of the garden, Sidewalk makes it possible to keep these devices functioning like any other.

It’s also possible to pair a Tile tracker with Sidewalk, and extend the range of the device so long as you’re within half a mile of another! This comes in handy if anything goes missing beyond the reach of your usual Wi-Fi signal.

For those interested in Sidewalk, there’s no need to rush out and purchase any shiny new hardware – it can simply be enabled on existing devices. Additionally, Sidewalk is free for all users, provided that they have the applicable hardware.

However, these factors have nothing to do with why Sidewalk has been raising eyebrows for a while, now. Sidewalk actually shares a small part of your internet bandwidth with your neighbors – and vice versa.

“Customers with a Sidewalk Bridge can contribute a small portion of their internet bandwidth, which is pooled together to create a shared network that benefits all Sidewalk-enabled devices in a community” says Amazon on its Sidewalk page.

In practical terms, this means that if your internet drops or is often unreliable, you’ll still be able to use your Ring camera and smart lights without interruptions. If they’re set up with Sidewalk, they’ll simply borrow the bandwidth they need from a neighbor in order to keep sending alerts – and the reverse is true, too. Sidewalk is programmed to lend a helping hand to any nearby devices that need it.

It’s easy to see how Sidewalk might become popular, and as such, we could see entire networks and neighborhoods of Sidewalk-enabled devices, all borrowing and lending from one another. In fact, the more people who use Sidewalk, the stronger that network becomes.

Sharing data of any kind is a tricky thing in the digital world, and Sidewalk has drawn due concern, with skeptics questioning how Amazon plans to keep user data safe. Amazon authored a white paper to address the issue directly.

It claims that the amount of bandwidth used by Sidewalk-enabled devices is pretty minimal. Each network has a maximum bandwidth of 80 Kbps – that’s about 1/40th of the bandwidth needed to stream in HD! Data allowance is also capped at 500 MB per month which, again, works out about the same as watching 10 minutes of high definition video.

Elsewhere in the white paper, Amazon insists that it makes use of a number of cryptographic algorithms, one-way hashing keys, rotating device IDs, and three levels of encryption. All these measures work to keep data private and protected from snooping – the next-door neighbor won’t be able to take control of the smart lights or speakers, and Amazon itself will be unable to collect or read user data. As a final cherry on top, Amazon also asserts that it deletes the information that routes data packets every 24 hours.

“Preserving customer privacy and security is foundational to how we’ve built Amazon Sidewalk. Sidewalk is designed with multiple layers of privacy and security to secure data traveling on the network and to keep customers safe and in control,” Amazon said in its white paper.

So, prospective users have a conundrum to consider.

Is it worth extending the range of the household smart devices if it means sharing data with Amazon’s servers? Amazon has already admitted that it may choose to share data with third parties in the future! Of course, Sidewalk’s functionality can’t be overstated, but there are more than 100m Alexa-enabled devices in homes across the world. That’s an awful lot of cameras and microphones, and potentially a lot of neighborhood networks that Amazon would have access to.

It’d be remiss of us not to remind you of the vulnerabilities that were detected in Alexa devices in late 2020. Hackers were able to check out user information and conversations, as well as delete apps, all without the owners knowing – and all it took was one malicious, hand-crafted link. Amazon has patched the flaw since then, but the company also had to address a leak caused by an employee. Customer details, like email addresses, were disclosed to a third-party in 2020.

Customer details were leaked in 2019, too, when a data breach was caused by a “technical issue”. This issue resulted in customer names and addresses being posted to the site. And in 2017, Amazon came under fire for not stating that humans can potentially listen to the recordings collected by Echo devices.

As was uncovered by a Bloomberg investigation, Amazon uses its staff and contractors to listen to voice-activated requests to improve the service. Of course, the average user might not know that this is happening – and might not believe you if you told them.

Most insidious of all, perhaps, is Ring’s relationship with the authorities. This is no secret, and Amazon makes a habit of passing user data on to the police – and isn’t that troubling? Amazon has put itself in a position where it can facilitate how the police and regular citizens communicate! But Amazon has no qualms about this invasive level of surveillance, and is actually coaching police on how to acquire security camera footage from its customers. Amazon has also been denounced by civil rights organizations for cutting secret deals with police departments.

So, it might be a good idea to pass on Amazon Sidewalk – the company’s checkered history of privacy scandals and leaks, as well as its contribution to a growing surveillance state, should be enough to convince you to be wary.

And if you do decide you’d rather have no part in Sidewalk, you’ll need to opt-out manually. Luckily, it’s pretty easy to do so:

  1. Open the Alexa app
  2. Head into More, then Settings, Account Settings, and finally Amazon Sidewalk
  3. Then, toggle the switch

What is 2fa – Two-factor authentication definition and advantages

Two-factor authentication (also known as 2FA or two-step verification) requires users to verify their identity by providing two different types of information before accessing an account or application.

Generally considered more robust than traditional username and password combinations, two-factor authentication acts as an additional layer of security, and prevents unauthorized access to sensitive details and resources. But why is 2FA necessary, and how does it work? Keep reading to find out!

What is 2FA?

You’ll often be required to verify your identity before you log in to an account or application, connect to a network, or access resources. Services with simple authentication may only require a password from you, but others might insist that you provide additional evidence before gaining access.

Two-factor authentication simply means that two pieces of evidence are necessary to verify your identity.

In this way, users can confirm that they are who they say they are when attempting to access an account, and anyone else – hackers or cybercriminals – won’t be able to take a peek at sensitive information without the additional requisite evidence, as it’s incredibly unlikely that they have it!

Even if you’re unfamiliar with the inner workings of two-factor authentication, you’ve almost certainly used it before. An ATM, for example, requires two pieces of evidence before it allows you to make transactions – namely your bank card and PIN!

Types of two-factor authentication

So, now that we’re familiar with what two-factor authentication (2FA) is, and the reason it comes in handy, let’s take a look at how it’s implemented.

Two-factor authentication requires the user to present two or more pieces of evidence before they’re allowed to access a certain resource – like a website, application, or network. This evidence is also known as a factor, and they tend to fall into one of the following categories:

  • Something the user knows – by far the most popular factor, it refers to a password, a PIN, or any other piece of knowledge that can be proved by the user. Security questions (like the classic “What is your mother’s maiden name?”) technically fall into this category, too, but are considered incredibly insecure, seeing as hackers could intuit these answers with social engineering techniques.
  • Something the user has – think of a key and a lock, and you’ll understand this factor in an instant! The user will need to keep this special item on their person at all times, and it could be a key, a bank card, or a USB. Whatever it is, it’ll need to connect to the computer to access secure accounts. It’s becoming increasingly more popular to use smartphones as that special something a user “has”, now, given that we’re glued to them!
  • Something the user is – this factor might seem a little sci-fi, considering it deals with fingerprint scans as well as iris and facial recognition, but it actually only leverages the technology already available in most modern phones! Behavioral biometrics use the individual themselves as the factor.

There are all sorts of two-factor authentication methods in use today, and some are much stronger than others. However, regardless of its form, 2FA is bound to be more secure than relying on a password. We’ll take a closer look at passwords a bit later, but for now let’s examine some of the more prevalent types of 2FA.

SMS

Nowadays, if a service offers two-factor authentication, they probably offer it via SMS. SMS 2FA directly interacts with the individual’s phone, and once they’ve input a username and password, texts them a unique one-time passcode. In order to access the application or account, the individual simply needs to enter that one-time passcode into the site!

These ever-changing passcodes provide better security than static passwords, and there’s no need to worry about the whereabouts of an additional physical token like a key fob.

SMS 2FA does come with a few concerns, however. Phones are handy, given that we’re always using them, but they can be compromised, and hackers can still employ phishing attacks to try and collect a user’s one-time passcode, as well as their password.

Hardware Tokens

Although this form of 2FA has become a little dated in recent years, it’s still a popular method, and utilizes physical tokens and generated numeric codes to secure private accounts and networks. So, if a user wanted to access a secure computer, they’d need to look at their key fob and input the code it displayed into the computer.

Creating these little tokens is expensive work, however, and it’s all too easy to misplace them – further driving up distribution costs.

Push Notifications

Push notification 2FA eliminates the need for bulky tokens and takes advantage of the ubiquitous nature of phones, and sends the user a notification when there’s an authentication attempt happening. Then, the user takes a look at the details, and verifies the attempt with a tap.

Because there are no passwords needed here, push notification 2FA puts a stop to phishing scams, and even man-in-the-middle attacks. It simply establishes a direct connection from the application to the 2FA service.

However, this method does require internet access, and necessitates a device that can install apps.

Are passwords secure?

Passwords are certainly still today’s secure standard when it comes to keeping our accounts safe, but there’s some doubt as to whether they should be. Countless breaches have compromised vast swathes of passwords (and even put them up for sale with their email counterparts on the dark web), and users do themselves a disservice by using weak phrases, or by reusing passwords across different sites and services. It’s a hacker’s dream, seeing as they can just input these known password and email combinations into websites and check out which ones work.

Secure passwords can be difficult to remember, and this is why we recommend using a password manager. Check out our best password manager page for a list of the best services and tips on keeping passwords safe and secure.

So, if you’re relying on a password to protect your devices, the hurdle for hackers to overcome is pretty small. For this reason, more and more folks are taking advantage of two-factor authentication.

The Best call blocking apps in 2021

It feels as if spam calls have been part and parcel of owning a mobile phone since the technology came into existence. 

Nowadays, however, there’s a multitude of apps that can help mitigate this problem – but many of them have problematic privacy policies and checkered pasts when it comes to user data. In this article, we list the best call blocking apps in 2021 and list some you should avoid.

The best call blocking apps in 2021

Here’s a quick look at the best call blocker apps you can find on the Google Play and Apple App Store. A much more detailed analysis can be found further down in this article, but here’s a brief rundown of our top picks:


  1. Should I Answer?

    – The best call blocking app around. It’s an effective, privacy-conscious alternative to the most popular call blockers.

  2. WideProtect

    – An excellent call blocking app that is easy to use and doesn’t collect any personalised data.

The best call blocking apps | In-depth analysis

All the providers in this article have been chosen because they pledge to protect their users’ privacy whilst still providing a useful service, standing in stark contrast to some of the most popular call blockers available. 

Should I Answer? is the best call blocking app around. It’s our top pick because it genuinely prioritises user privacy in a market that is notorious for the opposite.

  • Free option: Yes

Should I Answer? is a great pick if you want a privacy-conscious call blocker. Not only does it block spam calls consistently, but it also lets users categorize them, which is a pretty unique feature in this space. Although their database isn’t the biggest on this list, they’re rapidly expanding and adding over 30,000 number reports a day. Should I Answer? unblocks numbers from other countries as well as hidden numbers, and the service is completely free to use. This does mean it runs adverts, but this is only on their webpage, which you might use for reviews or a database update. The ad networks they use and why they use them are actually mentioned in the privacy policy. 

What sets Should I Answer? apart from many of the call blockers discussed in this article is their approach to privacy – they don’t need your phone number or phone contacts for their service to work, and the app confirms that your number and contacts will never be sent to their servers. They just require an email address, like many apps and websites, and this is only so you can write reviews of numbers and share them with the rest of the community. You can write reviews of spam numbers that are publicly available to others, but their privacy policy clearly states they have no interest in receiving reviews or information regarding personal numbers and implores you not to write them. If someone puts your number on their review database for whatever reason, you can request its immediate deletion.

WideProtect is an excellent call blocking app that is only interested in blocking spam calls and doesn’t need your data, making it another good alternative to the big names.

  • Pricing: From $2.99

WideProtect is an app made by independent developer Valerii Andrusyk, who designed it such that it never extracts personal data from your device – in fact, it doesn’t collect any at all. There is no user registration and the app only works locally on mobile phones. Unpersonalised data like the device model is collected, but this is just for WideProtect’s analytics system and cannot be used to identify you. We contacted Valerii to confirm the app’s privacy credentials, and he told ProPrivacy that the app does not even require customers’ phone numbers to function.

WideProtect can block up to 70 million numbers and offers SMS filtering capabilities, and you can even purchase extra call blocker extensions within the app. The interface is really user-friendly and the developer responded quickly and helpfully to questions about the app, which is a great sign. It’s presently only available for iPhone users, so if you own one, check it out – it’s only $2.99 to download.

Is Hiya safe to use?

Hiya is one of the most popular call blockers around and has a number of impressive features as well as a large database. AT&T, and T-Mobile all use Hiya’s call-blocking infrastructure and database and they have a partnership with Samsung. Although the app has thousands upon thousands of positive reviews, The NCC’s Dan Hastings revealed around 18 months ago that Hiya sent data about users to analytics companies before a privacy agreement was even displayed to them. When these claims were made by Cnet and TechCrunch in 2019, the company said: 

“While it is true that Hiya currently sends some basic device data to third-party services upon opening the app (a standard industry practice in compliance with Apple’s guidelines), that does not and has never included phone numbers or any Personally Identifiable Information (PII).”

– Hiya

They went on to say that they would submit their apps to the app store to ensure information was not sent without user consent and issued this response to the articles. In their privacy policy at present, Hiya says that information shared for marketing and advertising is ‘de-identified’. However, some studies have suggested that de-identified data can often be re-identified with just a small amount of extra information.

Hiya’s privacy policy also says they can process your personal data if it “has been provided to us by one of our users. This means that our user granted us access to your personal data, for example, data that was stored or otherwise available on his/her device.” It’s unclear how this would be ‘provided’, and exactly what sort of personal data they’re referring to.

Is Whoscall safe to use?

Whoscall has the largest spam call database in East Asia and over 80 million worldwide downloads. Whoscall says it will never share unencrypted data and has been independently reviewed and awarded ISO 20071 security certification, one of the most widely-used standards for information security.

It does collect your user data and makes you upload your contact list, but claims to use ‘de-identification technology’ to convert it into non-identifiable information, and informs customers it employs two layers of encryption because Whoscall is ‘liable for the security of all user data’. However, similarly to Hiya, they also say information is de-identified, but as was covered, this isn’t an irreversible process. Any suggestions that your data can be ‘de-identified’ should be treated with caution, regardless of the company making them. 

Is PrivacyStar safe to use?

PrivacyStar is made by First Orion, a scam protection and call management software company with hundreds of employees. PrivacyStar has a number of features, including the ability to assign Caller IDs to unknown numbers and perform a reverse lookup on those dialing into your phone. There’s also a pretty unique tool called CallerYD (Android only), which not only tells you who is calling, but why. 

PrivacyStar’s privacy policy states that the app does “collect identifying information in the form of your phone number”, but it also says that it “do[es] not use any information from your contacts for any other purpose” besides dynamically creating spam contacts (which are then deleted), which is its way of showing you who is calling. The policy also states that First Orion “does not sell any personal information collected in connection with PrivacyStar”. However, other parts of the privacy policy are vague and confusing. 

For example, PrivacyStar’s privacy policy also states, just after its pledge to not sell any personal information, that they “do sell names for phone numbers you look up in the App that come from carriers and other public and private sources” and advises that if you want to “remove your name from this sale, go to privacy.firstorion.com”. This link appears to no longer work. 

Furthermore, it seems like a lot of previously satisfied customers on the Google Play Store have had some issues with a recent update, although PrivacyStar’s customer support team has responded politely to the negative comments, asking users to detail their problems in emails and assuring customers that they are currently working to fix the issues.

Is Call Control safe to use?

Call Control, like many of the call blockers, uses a community-based feedback mechanism to identify spam numbers and reliably block them for its more than 12 million users. Along with blocking incoming spam calls, the app prevents fraudsters from leaving irritating voicemail messages and lets you create your own personal blacklist. Call Control can be customized to block specific area codes, something it can also do for foreign numbers.

Call Control claims that uploading your contacts is totally optional but also states in its privacy policy that “the use of the Service may result in your personal information such as contacts, messages, emails, or other forms of personal information to be transmitted to our servers. Examples of this use are backing up your block or allow lists within Call Control or sending support requests from within Call Control.” ‘Examples’ are provided, but not an exhaustive list.

Call Control also says that, when you use the service, its “servers automatically record certain information that your web browser sends whenever you visit any website” which includes, amongst other things, “web requests”, “pages viewed” and “the amount of time spent on certain pages” tracked by “one or more cookies that may uniquely identify your browser.” 

Spam calls and scam calls 

Every day, millions of cold calls are made by salespeople, technicians, and scammers across the world, each operator with their own pathway to profit. 

Spam calls are usually defined as unprompted and unwanted communications from salespeople and marketers looking to sell you some sort of product or service. They shoot from the hip; it doesn’t matter how poor the product or service they’re offering is, the more individuals they manage to contact, the more likely that they will make a sale. Although irritating – especially when it’s a robotic voice – the product and sales process is legitimate. They could even be from a company you’ve previously done business with. 

Scam calls, on the other hand, involve malicious actors intentionally looking to con you out of your money or sensitive, personal information via a phone call. Over the phone, this usually involves the fraudster trying to sell products to those who pick up – but these sorts of calls can also involve made-up threats of fines, arrest, and imprisonment to intimidate victims. 

The call-pocalypse 

Call blocker app Truecaller analyzed 145 billion calls in 2020 and found that spam calls rose globally by around 159%. This is likely due to the fact that spammers are looking to take advantage of the uncertainties plaguing almost every nation on earth. 

Brazil seems to be a hotspot for spam callers, with a 9% rise on last year’s total and the overall highest number of spam calls, over half of which are outright scams. 

The US, on the other hand, saw a 56% increase on last year’s numbers – and 55% of recipients of spam calls got one that was Covid-related. Between April 2019 and April 2020, US citizens lost upwards of $19.7 billion to fraudsters via scam calls, a cruel illustration of the financial impact the practice is responsible for. 

There has also been a huge increase in Europe – countries like the UK, Spain, Ukraine, Greece, Belgium, and several others have entered the ‘top 20’ countries for spam calls despite being nowhere near it last year. 

Call blocker apps are a privacy minefield

Call blocker apps do exactly what they say on the tin: they block calls from unfamiliar or unusual numbers and allow you to take back control of your mobile phone and who exactly can come into your space. As you can probably imagine, this sort of app isn’t just handy when it comes to blocking spam and scam calls, but any unwanted correspondence at all from your personal life.

However, the problem with many call blocker apps – including some of the most widely downloaded ones – is that they crowdsource their databases for their service to work, something which often requires customers’ contacts to be uploaded to servers. Where your contacts – or indeed your phone number and other personal information – end up is not always clear. The privacy policies of some of the most widely used call blockers have worried security experts: 

I carefully read through these policies, and it was disheartening, if not entirely surprising. Even products specifically designed to prevent spam invade user privacy.

Dan Hastings, Senior Security Consultant at the NCC Group

Many call blockers available on the Apple and Google Play stores rely on advertising to get by; many are free. A lot of others claim to use third-party entities to deliver certain app functions. This leads to a data-sharing relationship with third-party organizations that makes some users uncomfortable, particularly those searching for a call-blocking app who likely feel their privacy is already at risk. However, this is how many apps, call blockers and others, make their money whilst remaining free to download. 

Call blocker apps you should probably avoid

Although call blocker apps can be a powerful tool to help you reclaim your privacy, not all of them operate with customer security in mind. Some of the most recognizable names in the industry have been exposed for having incredibly poor data practices. We cannot recommend these providers in good faith due to either how they operate or their recent history of data practices. 

Truecaller, in terms of blocking calls, is a real sector leader and produces detailed reports on the state of the spam call landscape regularly. This is made possible by its huge database of numbers collected from over 10 billion processed calls; you can even check through it to see exactly which company is attempting to get a hold of you. Truecaller has tens of thousands of reviews online and over 200 million active users.

However, Truecaller has to access your phone contacts to work. The company claims they ‘do not upload phonebooks to make them searchable to the public’, and instead get their numbers from community suggestions and ‘partnerships with various phone directory providers’. Truecaller is one of those call blocking apps that relies on a crowdsourcing technique to build its database. There have been several reports that they upload entire phonebooks to their servers, but Truecaller says this only happens when Enhanced Search is enabled. Either way, it seems like you end up with people on Truecaller’s books who haven’t been asked if they want to be. Speaking on Apple and Google’s policies that bar apps from uploading phonebooks to servers three years ago, their then marketing director said: 

We are 100% compliant with these policies. We do not upload the phone book from users who download the app from Google Play Store and Apple App Store

Mana Shah, Truecaller Marketing Director (2018)

However, since then, there have been reports Truecaller has allegedly jeopardized the work and welfare of journalists, whilst India’s Economic Times, the second-most read business paper in the world, reported in 2019 that Truecaller user data was found for sale on internet forums.

Trapcall is, similarly, another call blocker app that looks useful on the face of it but is actually not the best choice in the world for blocking calls. Trapcall uses patented technology to force all callers to reveal their IDs. You can just decline the call, and Trapcall will reroute it back to you with an ID attached. The app uses a spam call database to weed out all the regular offenders as well as a ‘number disconnected’ voicemail tone. In 2019, however, it was found to be sharing data with three analytics companies, something which wasn’t initially stated in the app’s privacy policy but has since been added. 

Although Trapcall has since suggested this is only to ‘power internal analytics’, the fact this wasn’t previously stated isn’t reassuring. In response, Trapcall said in a statement that it “only shares phone numbers with service providers who power our internal analytics and app messaging platforms. Additionally, service providers are prohibited from using TrapCall data for their own or any other purpose.”

Built-in call blockers

The majority of Apple and Android devices that have the capacity to receive calls afford users the ability to add numbers to a blocked list and have modes that can bar calls from everyone except a select few contacts. Further, Apple has a setting you can turn on that reroutes all calls from non-contacts straight to voicemail. 

However, this might actually be too stringent for some people; if you’re waiting to hear back from a prospective employer or the doctors, you probably don’t want all calls blocked. But then again, you could always temporarily modify these settings. 

Well-designed call blocker apps are often better at location-sensitive blocking and have larger dedicated spam directories – but as has been discussed, these often come alongside an unpalatable compromise of user privacy. They do tend to be more feature-rich and more customizable than a built-in call blocker, but this isn’t necessarily worth it.

Are ‘do not dial’ registers obsolete?

Years ago, the general rule of thumb for those who wanted to avoid unwarranted spam calls was to sign up to a given country or region’s ‘do not dial’ register, which businesses that incorporate cold calling into their sales strategies sign up to. 

In the US this is called the ‘Do Not Call Registry’ whereas in the UK the organization that compiles the list is called the Telephone Preference Service. Other nations will have different names for their register. 

But the world has changed. A lot of spam calls now come from outside of the country that the recipients reside in, and the spammers are thus not beholden to any of the domestic laws enforced by the government of the people they’re calling. Depending on where you live, your country’s do not dial register might not stop: 

  • Calls from companies you’ve done business with 
  • Political advertisements and other similar content 
  • Charity cold-calling and other third-sector calls 
  • Calls that are classified as ‘informational’

Besides, what if one of the companies using a ‘do not dial’ database has weak security? One data breach could mean the list is compromised and you could actually end up receiving more calls. 

All things considered, it’s now better to take responsibility for protecting yourself from spammers rather than handing your phone number over to a registry that can no longer guarantee to be that helpful. 

Conclusion

If you want the most robust defense possible when it comes to unwanted calls without compromising your privacy, then a third-party call blocker app recommended in this article is the best way to go. Although the two suggested have slightly different features, they’re both there to give you maximal control over your incoming calls.

Remember, there are spam and scam messages designed to reach users across all sorts of mediums – be that email, websites, or phone calls – so make sure you check out the services designed to give you more control over other mediums of communication. But we’d never advise compromising your own privacy to block a few calls, so be sure to check service privacy policies before signing up. Here’s a final reminder of the services featured here today: 


  1. Should I Answer?

    – The best call blocking app around. It’s an effective, privacy-conscious alternative to the most popular call blockers.

  2. WideProtect

    – An excellent call blocking app that is easy to use and doesn’t collect any personalised data.

EU and UK move towards frictionless digital trade and transfers

The European Union has provisionally confirmed that the United Kingdom is set to join the list of countries with which they transfer data in a free and unfettered manner. 

The decision is in the ‘draft’ stage at present but is likely to be adopted soon after it’s put to the EU’s 27 member states. 

What is the EU granting the UK?

The EU has decided to push forward with a decision to grant the UK something called ‘adequacy’ status. A draft of this decision was released on February 19. 

Adequacy status for the UK means that the bloc considers the privacy laws and rules enforced in the country’s territories to be of a sufficient standard for information to move to and from it freely, safe in the knowledge that the data won’t be abused or misused for want of equivalent protections. 

Previous recipients of adequacy status include New Zealand, Canada, Uruguay, Argentina, Israel, and Japan. Smaller, non-EU European nations like Andorra and the Faroe Islands have also been afforded unfettered access in terms of data, and talks are apparently ongoing with South Korea to forge a similar deal. 

Brexit bridges 

When the UK officially withdrew from the European Union in January 2020, many aspects of the relationship between the two parties continued to be governed by transition-period protocols as a post-Brexit trade deal was fleshed out. 

They were essential, too – it took until Christmas Eve for the UK and EU to agree on a deal, just days before the end of the transition period on December 31, 2020. In a dramatic illustration of how down to the wire negotiations became, the House of Commons only ratified the agreement on December 30. The EU is yet to ratify the trade agreement. 

Within this deal, a ‘bridge period’ of four to six months was agreed to continue to allow flows of data to pass between the two entities whilst the EU mulled over its adequacy decision. 

A smooth transition?

The Commission arrived at its decision to push forward with the adoption of this decree after its assessment determined that the UK ensures virtually the same protections and privileges as the EU’s GDPR and Law Enforcement Directive do. 

Another factor in the Commission’s decision is the fact the UK has remained party to the European Convention on Human Rights as well as Convention 108 of the Council of Europe, which the EU dubs “the only binding multilateral instrument on data protection” and which is one of the first pieces of legislation that seeks to prevent individuals from experiencing harms born out of data abuse.

One thing making this process smoother – and a likely signal that the adequacy status will be adopted – is that UK data and privacy policy has been sculpted around EU legislation for several decades now. The hope is that, once the decision has been firmed up, digital trade will continue in a frictionless fashion.

UK GDPR vs EU GDPR

However, it’s important to remember there will still be two separate sets of legislation: UK GDPR and EU GDPR. Since the first day of 2021, companies or organizations that handle data in both regions are now subject to both.

In terms of immediate change, companies may now need to appoint two different representatives to handle proceedings in the UK and EU, and also decide which one they will take as their ‘lead authority’. 

The ICO details that UK GDPR will have all the existing EU adequacy decisions and other data transfer mechanisms like Standard Contractual Clauses (SCCs). However, the ICO says the UK will not recognize any new transfer mechanisms approved by the EU from now on, and will have to introduce its own SCCs. 

Another change they detail is that UK GDPR will apply to ‘processing for national security purposes’ whereas the EU GDPR never applied to this, and the UK had to use an ‘applied GDPR’ for such processing previously. 

What have EU officials said?

Věra Jourová, EU Vice-President for Values and Transparency, said that despite Brexit, the bloc still considers the United Kingdom a close partner on data-related issues:

Ensuring free and safe flow of personal data is crucial for businesses and citizens on both sides of the Channel. The UK has left the EU, but not the European privacy family.

Věra Jourová, VP for Values and Transparency

However, she also emphasised the importance of reviewing and monitoring the situation, highlighting the “strict mechanisms” that have been installed in order to tackle any “problematic developments” of the UK system that would lead to regulatory incongruence. 

And the UK government?

Downing Street is equally keen to push ahead with proceedings but did not pass up the chance to throw a jibe in the EU’s direction for its purportedly sluggish approach, claiming the UK made its representations to the EU in a “timely manner” and it was in fact the Commission’s decision not to finalize draft decisions in time that has drawn this out beyond the transition period. 

The UK’s Secretary of State for Digital was equally anxious to get the ruling over the line but echoed the government line on the EU’s apparent lack of urgency:

Although the EU’s progress in this area has been slower than we would have wished, I am glad we have now reached this significant milestone following months of constructive talks in which we have set out our robust data protection framework.

Oliver Dowden, Secretary of State for Digital, Culture, Media and Sport

Dowden also called on the EU to confirm their decision as quickly as possible, so as not to disrupt the flow of data and trade between the two entities now under distinct yet similar data regimes. 

What happens next?

The EU still has to vote on adopting the adequacy status, which will have to be agreed upon by the 27 remaining nation-states that make up the bloc.

Before that, however, the decision has to be put to the European Data Protection Board, which offers a ‘non-binding opinion’ on the subject matter. The bloc’s Commissioner for Justice said:

A flow of secure data between the EU and the UK is crucial to maintain close trade ties and cooperate effectively in the fight against crime. Today we launch the process to achieve that. We have thoroughly checked the privacy system that applies in the UK after it has left the EU. Now European data protection authorities will thoroughly examine the draft texts. EU citizens’ fundamental right to data protection must never be compromised when personal data travel across the Channel.

Didier Reynders, Commissioner for Justice

The UK has also agreed to maintain a data-sharing relationship with the countries that the EU has adequacy agreements with, so performing such processes with places like Japan and Uruguay is scheduled to continue.

If the vote goes against the adequacy decision – which at this stage looks extremely unlikely – this could cause major problems for UK businesses.

HMA changes its logging policy – Now a no logs VPN

As of May 5th, HideMyAss finally became a no logs VPN – a massively encouraging step for a VPN that’s had its fair share of troubles, including acquisitions in 2015 and 2016 and some concerning press coverage.

But, being a veteran of the VPN market and rekindling an innate desire to facilitate a secure and borderless online experience has provoked real change. HMA began when Jack Cator wrote a proxy to circumvent a school firewall – and this is very much the spirit HMA has recaptured with its no logs announcement.

HMA goes no logs – how and why?

HMA has been a longstanding staple of the VPN scene and a consistently popular choice for streamers thanks to the fact it has little trouble accessing streaming sites across the globe, but its privacy concerns left other users wary.

However, with its v5 launch, HMA has turned over a new leaf and has been singing it from the rooftops.

We’ve updated our privacy policy, we’ve revamped our legal mumbo-jumbo, and now we can, one more time, proudly declare that we are a no-log VPN. It’s true. But we don’t expect you to take our word for it: we’re in the process of getting our infrastructure audited by an independent security company.

HMA

The commitment should reassure anyone side-eyeing the VPN after its involvement in criminal cases in 2011 (wherein a LulzSec member was accused of hacking Sony Pictures) and 2017 (where a Galveston County judge was arrested for harassing his ex-girlfriend), where HMA logs and connection timestamps were used to convict. Now, HMA has done away entirely with its practice of retaining some connection logs for 30 days.

We should note at this point that activities that are illegal without a VPN are just as illegal with one, and we don’t advocate for lawbreaking – only the privacy of everyone who uses the web.

Existing and prospective HMA users will be able to enjoy the internet without surrendering identifying information. What’s more, HMA’s shiny new no logs policy is going to be subject to a third-party audit by VerSprite.

Which logs has HMA ditched?

As of its v5 launch, HMA VPN no longer stores the following data:

  • Your original IP address
  • Any DNS queries
  • Your connection timestamps
  • Your online activity
  • How much data you’ve transferred

Plenty of VPNs already play by these rules, and whilst this doesn’t detract from HMA’s improved stance, it should be treated as a baseline for all VPNs.

Does HMA keep any logs now?

It does, but none of the data can be traced back to you or identify what you were up to when connected to the service. Here’s the bare minimum:

  • General connection dates – these are used for customer service inquiries and are kept purposefully non-specific, only identifying whether you connected in the morning or evening
  • The subnet of your originating IP – the final octet will always be anonymized, and this data is held onto in order to plan network demand and capacity
  • The IP of the HMA server you’re using – again, used exclusively for customer service troubleshooting and to identify demand
  • A general estimate of your data usage – the exact amount is never recorded, being floored to the first digit, and HMA won’t ever know what the data is, exactly, or tie it to you permanently
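To make the list above concrete, here is an added sketch (not HMA's code, and not taken from the original article) of reducing a session record to those four coarse fields at write time, and of counting how many raw sessions end up sharing one stored record. The noon boundary between "morning" and "evening", the megabyte unit, the field names and the sample sessions are all assumptions made for illustration.

```python
import ipaddress
from collections import Counter
from datetime import datetime


def coarse_connection_time(ts):
    """Keep the date and half of the day only (noon split is an assumption)."""
    half = "morning" if ts.hour < 12 else "evening"
    return f"{ts.date().isoformat()} {half}"


def subnet_only(ip):
    """Drop the final octet of an IPv4 address, leaving its /24 subnet."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 is covered: the list speaks of the final octet")
    return str(ipaddress.ip_network(f"{addr}/24", strict=False))


def floor_to_first_digit(amount):
    """Floor a non-negative integer to its leading digit: 4832 -> 4000."""
    if amount < 0:
        raise ValueError("usage cannot be negative")
    if amount < 10:
        return amount
    magnitude = 10 ** (len(str(amount)) - 1)
    return (amount // magnitude) * magnitude


def minimise(raw):
    """Build the record that is stored; the raw values are never written."""
    return {
        "connected": coarse_connection_time(raw["connected_at"]),
        "client_subnet": subnet_only(raw["client_ip"]),
        "vpn_server_ip": raw["vpn_server_ip"],
        "data_mb_approx": floor_to_first_digit(raw["data_mb"]),
    }


def anonymity_sets(sessions):
    """Count how many raw sessions collapse onto each stored record."""
    return Counter(tuple(minimise(s).values()) for s in sessions)


# Constructed sample sessions using documentation address ranges.
SAMPLE_SESSIONS = [
    {"client_ip": "203.0.113.57", "connected_at": datetime(2020, 5, 6, 8, 14, 9),
     "vpn_server_ip": "198.51.100.10", "data_mb": 4832},
    {"client_ip": "203.0.113.201", "connected_at": datetime(2020, 5, 6, 11, 47, 30),
     "vpn_server_ip": "198.51.100.10", "data_mb": 4100},
    {"client_ip": "203.0.113.57", "connected_at": datetime(2020, 5, 6, 21, 3, 0),
     "vpn_server_ip": "198.51.100.10", "data_mb": 950},
]

if __name__ == "__main__":
    for record, count in anonymity_sets(SAMPLE_SESSIONS).items():
        print(count, record)
```

The first two sessions come from different addresses at different times with different usage, yet they produce the same stored record, which is the property a minimal log is meant to have.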

Seal of approval

As HMA say themselves, it’s all well and good to go around claiming that you have a no-logs policy – but having this proved through an independent audit is one of the surefire ways to make sure that guarantee is cast-iron. Recently that’s exactly what they’ve done, roping in the highly reputable cybersecurity firm VerSprite to verify that they’re keeping their promises.

The good news for both HMA users and prospective customers is that they passed! This is great news for the provider but also for anyone that cares about privacy; the more VPNs that request an independent audit by security companies, the more likely it is to morph into a universal industry standard. HMA said of the audit: 

The introduction of the no-logging policy in May this year was phase one of our privacy champion initiative. This stamp of approval from VerSprite completes phase two, and moving forward we will also be introducing new privacy features, connection protocols, and improvements to our infrastructure so we can better protect user privacy

HMA

Overall, this is a really encouraging move to see from HMA, and shows they’re serious about keeping their users safe. Exactly like a VPN should do. 

No logs and more: the rest of the HMA update

Besides its no logs policy, HMA has introduced several other features in its v5 upgrade, including:

  • An app redesign – driven by user feedback, HMA has decluttered its interface and made even its more advanced features a cinch to use.
  • IP refresh – a handy feature if you’ve been blocked, giving you a new IP in the same location.
  • Kill switch – no VPN is totally infallible, and a kill switch keeps you protected even if your server connection drops.
  • Split tunneling – a useful tool that routes selected data through your VPN and the rest of your apps’ traffic over your local connection, for Android only.
  • Speed test – Mac and Windows users can check out their speeds in a few clicks.
  • Faster server speeds – HMA is rolling out 20Gbps servers across its infrastructure.

All in all, with the promise of updates to come and more news on the way, it’s certainly an exciting time to follow HMA’s development as it steps back up to the mantle of a real champion of its users’ right to privacy. If you want any more information about their service, check out our HMA review.

Analysts: Email spy pixels have become 'endemic'

Analysts at the Hey messaging service revealed that a staggering two-thirds of the emails sent to its users’ email accounts contained a ‘spy pixel’ – a minuscule, effectively invisible image file embedded into the body of an email that can expose certain information about the email recipient, even their location. Proponents of spy pixels argue the practice is nothing out of the ordinary and a conventional tactic used by marketers to track email marketing campaigns. Digital privacy advocates, however, are quick to point out the alarming privacy implications of the practice.

At the BBC’s request this week, analysts at Hey reviewed its email traffic and disclosed its findings that the majority of emails sent to its users’ accounts contained spy pixels. And that is not including spam emails. The findings suggest that the prevalence of the furtive marketing tactic is arguably far greater than most people would have imagined it to be, if they even realized that the practice existed in the first place.

Indeed, the practice of embedding spy pixels into marketing email messages is widespread and employed by some of the largest companies doing business in the UK. The BBC’s report named British Airways, TalkTalk, Vodafone, Sainsbury’s, Tesco, HSBC, Marks & Spencer, Asos, and Unilever as some of the more prominent organizations in the UK that are actively deploying spy pixels in the marketing emails they are sending to consumers. The widespread and pervasive use of spy pixels by large organizations like these and others has led to the practice being labeled ‘endemic’ by analysts at Hey. And the privacy implications of the practice are highly concerning – concerning enough that Hey co-founder David Heinemeier Hansson has labeled the stealthy tactic a “grotesque invasion of privacy”.

Essentially, spy pixels, also known as beacons or pixel tags, are tiny image files – commonly in .gif or .png format – embedded into an email’s header, footer, or body. These pixels can be as small as 1×1 and are typically designed to be deliberately transparent, blending into the email message and rendering them virtually impossible to detect visually. Email recipients would literally have no idea that they’re even there. Nor would they typically be aware of what spy pixels are capable of tracking: things like precisely when and how many times the user opened the email, information regarding the user’s device and operating system, and even the recipient’s location through their IP address.

Equally concerning is that no action whatsoever from the email recipient beyond opening the email is necessary for the spy pixel to activate and broadcast this information to the sender. This is because the pixel is automatically downloaded when the recipient opens the email and the recipient’s data is logged and sent to a server operated by the sender for analysis.
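As an added illustration (not part of the original article or of any email provider's code), the sketch below shows how a mail filter could flag the kind of image described above before anything is downloaded: it reads the HTML part of a message and reports remote images that are 1×1 or smaller, or hidden with CSS. The sample message, its domains and the function names are constructed for this example.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; shop.example and tracker.example are placeholders.
SAMPLE_EML = """\
From: News <news@shop.example>
To: reader@mail.example
Subject: Spring offers
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Spring offers are here.

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="https://shop.example/img/banner.png" width="600" height="200" alt="Spring offers">
<p>Spring offers are here.</p>
<img src="https://tracker.example/o.gif?uid=constructed-123" width="1" height="1" alt="">
<img src="https://tracker.example/p.png?c=42" style="display:none">
<img src="cid:logo@shop.example" width="1" height="1">
</body></html>

--b1--
"""

_TINY = re.compile(r"^\s*[01](?:\.0+)?\s*(?:px)?\s*$", re.I)
_STYLE_DIM = re.compile(r"(?:^|;)\s*(width|height)\s*:\s*([^;]+)", re.I)
_STYLE_HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({name: (value or "") for name, value in attrs})


def pixel_reasons(attrs):
    """Return the reasons an <img> looks like a tracking pixel, if any."""
    src = attrs.get("src", "")
    if urlparse(src).scheme not in ("http", "https"):
        return []  # cid:/data: images travel inside the message; nothing is fetched
    style = attrs.get("style", "")
    dims = {"width": attrs.get("width", ""), "height": attrs.get("height", "")}
    for name, value in _STYLE_DIM.findall(style):
        dims[name.lower()] = value  # inline CSS overrides the HTML attributes
    reasons = []
    if _TINY.match(dims["width"]) and _TINY.match(dims["height"]):
        reasons.append("1x1-or-smaller")
    if _STYLE_HIDDEN.search(style):
        reasons.append("hidden-by-css")
    return reasons


def find_tracking_pixels(raw_message):
    """List suspicious remote images in the HTML part of an RFC 5322 message."""
    msg = message_from_string(raw_message, policy=default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []  # a plain-text-only message cannot carry an image beacon
    collector = _ImgCollector()
    collector.feed(body.get_content())
    findings = []
    for attrs in collector.images:
        reasons = pixel_reasons(attrs)
        if reasons:
            findings.append({"host": urlparse(attrs["src"]).hostname,
                             "src": attrs["src"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_tracking_pixels(SAMPLE_EML):
        print(finding["host"], finding["reasons"], finding["src"])
```

Size and visibility are heuristics: a tracker can also ride on a normally sized image, which is why not loading remote images at all remains the stronger setting.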

Businesses that deploy spy pixels justify their use by maintaining that the practice is merely a commonly used, industry-standard marketing tool and that the pixels are designed to be tiny and transparent so as to be as unobtrusive as possible.

Never will these businesses (publicly) concede that the practice is in any way an intrusion on the privacy of the email recipient.

Companies also rationalize their use because they notify consumers of the pixels’ presence in their privacy policies. That may indeed be the case, but any such notice is typically buried somewhere in a voluminous and at times impenetrable privacy policy that consumers typically do not bother reading, anyway.

Consider the following three examples from the privacy policies of a few of the companies explicitly mentioned by the BBC as employing spy pixels in their email marketing communications: 

Vodafone UK: “We use cookies (small text files stored in your browser) and other techniques such as web beacons (small, clear picture files used to follow your movements on our website).”

Tesco: “We and our partners use cookies and similar technologies, such as tags and pixels (“cookies”), to personalize and improve your customer experience as you use our Websites and Mobile Apps and to provide you with relevant online advertising.”

Marks & Spencer: “Our website uses cookies, and similar technologies such as pixels and beacons, to collect information. This includes information about browsing and purchasing behavior by people who access our websites. It also includes information about pages viewed, products purchased, the customer journey around our websites and whether marketing communications are opened”.

In the examples above, the language may be clear and straightforward enough for any English-speaking individual to comprehend, but the information presented is not nearly as comprehensive as it could be. Nowhere is it mentioned that these beacons are exposing the recipient’s device information and location to the sender; and rarely is it mentioned that the sender is able to see when and how many times the email was opened. Nor is it communicated to consumers that the spy pixels are intentionally made invisible so as to entirely conceal their presence from the recipient.

The language that companies use to “inform” consumers of the practice is deliberately vague. But by mentioning their use of beacons in their privacy policies, these companies are largely able to insulate themselves from the reach of privacy legislation. By using the website and receiving the marketing emails, consumers have agreed to abide by what is spelled out in the privacy policy.

Some email services may include a feature that warns users any time a spy pixel is detected, but users are otherwise left on their own when it comes to protecting their privacy against the practice. Email users can either install a plugin into their email client to block the pixels, read their emails strictly in plain text, or manually set their email client to not automatically load images.

Alternatively, users can connect to a VPN to conceal their true IP address and effectively hide their physical location when opening an email. Doing this will only prevent the email sender from knowing the email recipient’s true location, however. When and how many times the email was opened as well as the recipient’s device information could still be logged and divulged to the sender.

Although companies will undoubtedly continue to employ sneaky methods to collect consumer data surreptitiously, consumers still have certain options at their disposal to counteract such tactics.

Best encrypted cloud backup services in 2021

Cloud backup services are the best way to protect your data against device malfunction, loss, or theft. Most cloud backups have apps for all platforms, and the features you need to schedule backups. However, not all services back up your data completely privately.

In this article, we have pinpointed the best encrypted cloud backup services with a zero-knowledge framework. Our recommendations provide end-to-end-encryption (E2EE) so that you can back up and restore your data while retaining complete control over the encryption keys for your files.

What are the best encrypted backup services?

Below we have included a list of the best 5 encrypted cloud backup services. If you need more information, simply scroll down for full in-depth summaries about each provider.


  1. Sync.com – is the best encrypted cloud backup service. It leaves you in charge of your data 100% of the time – at an extremely reasonable cost.
  2. IDrive – an excellent cloud storage platform that offers strong end-to-end encryption so you can upload data in a fully encrypted state.
  3. MEGA – a well-known encrypted cloud backup from New Zealand that offers secure end-to-end encryption and a generous free plan.
  4. NordLocker – a secure service with end-to-end encryption that you can use to back up your data and share it privately.
  5. ElephantDrive – a reliable encrypted cloud backup that works with all popular platforms including Windows, mobile, and Linux.

To ensure you get the best services we have chosen encrypted cloud backups with the following features:

  • Strong encryption
  • Great apps for Windows, Mac, iOS, and Android
  • Enough storage for photos, videos, and large documents

An in-depth look at the 5 Best Encrypted Cloud Backups

We take a closer look at the best encrypted cloud backup services below. If you require further details about any of our recommendations, please check out our cloud backup reviews.

Sync.com is the best encrypted cloud backup. It is a highly secure cloud backup service with E2EE, apps for all platforms, superb cross-platform synchronization and fully-featured mobile apps.

  • Pricing: From $5.00 – $15.00

Sync.com offers outstanding value for money without sacrificing any important features. It is a zero-knowledge service that provides watertight end-to-end encryption for your backups. And it implements two-factor authentication to further improve the security of your account. 

With Sync you get custom apps for Windows, macOS, Android, and iOS. However, this service does not work to back up NAS or FTP, and Linux users will also need to shop elsewhere. The good news is that Sync has a free 5 GB plan, which never expires. That means you can test the service yourself to see whether you enjoy using its apps on your devices.

If you do need to upgrade and get more storage, you get plenty of options because it is highly scalable depending on your needs. Best of all, the basic plan provides 2 TB of storage that can be accessed and backed up to from an unlimited number of devices. This sets Sync apart from some of its competitors, which set limitations on the number of devices you can connect to the storage space.

Finally, we love that this backup service has secure file sharing, and file versioning to ensure you can backtrack to previous versions of files if you need to. You can even preview files before downloading them (though, unfortunately, you can’t listen to music or view video files directly from Sync’s storage).

A great all-rounder that is well worth considering if you need secure cloud storage with end-to-end-encryption.

IDrive is a super-secure cloud backup service. It is a reliable and secure cloud backup for Windows, Mac, iOS, and Android and you can try it for free!

  • Pricing: From $17.38 – $72.62

IDrive is a popular cloud storage service that provides watertight end-to-end encryption for its users. This means that you can opt to upload your data in a fully encrypted state if you want to. However, to appeal to all kinds of consumers, the service makes control of your own encryption key optional. So please remember you will need to opt for the secure cloud storage option if you want to utilize it.

IDrive has apps for all popular platforms, and it is extremely easy to use. This makes it suitable for beginners in need of cloud backup for a mobile device, or power users needing to back up from desktop machines as well. And this service is suitable for those who want to back up from NAS devices. On the other hand, if you do want to back up from FTP, you will need to look elsewhere.

During testing, we enjoyed using IDrive across all our devices. And we were impressed by its fully-featured service. Users can easily sync data across devices and access their account via a web portal on any machine. Plus, this service has secure file sharing and file versioning for up to 30 previous versions of files. This service also has a 5 GB free plan and upgrading to more storage starts from as little as $52 per year for 5 TB of storage on an unlimited number of devices. 

MEGA is a superb encrypted cloud storage service that you can use to back up data from mobile devices and computers. It offers users 50 GB of free space too!

  • Free option: Yes

MEGA is a secure cloud storage service based in Auckland, New Zealand. It is an incredible service that provides secure end-to-end-encryption for your data by default. This makes the service ideal for consumers who want to retain full control of their data. 

MEGA is a service that is oriented primarily at consumers and individuals. That said, it has a secure sharing facility and even comes with a private messaging platform (that all users get access to for free). We love that anybody can get 50 GB of storage space for free, which sets this service apart from most of its competitors. And you can scale up and get extra storage space at a very reasonable cost.

You can schedule when you want to transfer your files to the cloud for safekeeping, and you can share files via a secure link feature. You also get file versioning and syncing. And this service even works for backing up NAS devices. Overall, we think this is an excellent cloud backup for anybody wanting to store important files online. And it even allows you to play your music directly from your storage without downloading the tracks to save space, using the MPlayer. 

NordLocker offers a fast cloud storage service with strong encryption. It has excellent apps for Windows and Mac and also offers a free 3 GB plan.

  • Pricing: From $3.99 – $7.99

NordLocker 2.0 is the latest version of the encryption backup tool developed by the much-respected VPN company NordVPN. It is an easy-to-use cloud backup for desktop users that provides watertight end-to-end encryption. As a result, you can use it to back up your data from Windows or macOS without fear that anybody might intercept it or access it while it is stored at rest.

Admittedly, NordLocker is a relatively new service, and it is missing many of the bells and whistles you get with other services. However, the service can be trialed for free thanks to its 3 GB free plan. And its apps provide super-easy drag-and-drop saving that you can use to back up your entire disk if you want to. Plus, this service has automatic, scheduled backups and secure file sharing – which means you do get the most important cloud backup features.

We do hope to see NordLocker roll out mobile apps at some point too. And, again, we urge you to remember that this service is not for backing up from external drives, NAS, or FTP. However, if simple cloud storage for a desktop machine is what you need – this reputable company is definitely worth considering.

ElephantDrive provides a cloud backup with end-to-end encryption and superb NAS compatibility (QNAP, Netgear, Synology, Western Digital, Drobo, D-Link Vault, Thecus, Seagate).

  • Pricing: From $10.00 – $20.00

Elephant Drive is a US-based cloud backup platform that provides a zero-knowledge service. And it is one of the few secure cloud backup services that has apps for Windows, macOS, Android, iOS, Linux, and NAS devices. In fact, it is one of the most comprehensive services we have ever encountered for backing up NAS to the cloud. 

With Elephant Drive you get file versioning, secure file and folder sharing, syncing across devices, backup scheduling, and many other advanced features. This makes it perfect for power users who want to back up from a wide choice of devices. Unfortunately, this provider does not have a free plan, and getting a paid account starts at $10 per month, which is quite pricey. However, you can still try the service because it has a 30-day free trial. 

All things considered, Elephant Drive is a highly professional cloud backup service with strong encryption for your data, which means it will be of interest to some users (and is definitely worthy of a place in our best 5).

What kind of encrypted cloud backup service is secure?

Secure cloud backup services store your data on their servers in an encrypted state. However, some of those services keep control over the encryption keys on your behalf. This allows the cloud storage company to provide you with access to your data if you forget your password.

This type of security is called server-side encryption, and it is problematic because it theoretically means that the cloud backup company can access your data if it wants to. As a result, your data is potentially vulnerable in the following ways:

  • The cloud company could snoop on your data to perform data analysis
  • A rogue employee could access your data 
  • The cloud storage company could make a mistake and accidentally leak your data
  • A hacker could steal the encryption keys to your data from the cloud storage company to access your vault
  • The government could serve the cloud storage company with a warrant to access your data using the encryption key

End-to-end-encryption for cloud backups

This type of encryption ensures that only the account holder is in control of the encryption key to their data. With this kind of backup service, the end-user encrypts their data themselves before uploading it, so that it always passes over the internet (and is stored at rest) in a completely secure state.

Most importantly, the end-user retains exclusive control over the encryption key for their data. This ensures that even if the cloud company wants to, they can access none of the files and folders you have backed up.

This kind of encryption is the only way to guarantee strong data privacy and security for your backups. The only downside is that the user must protect the key to their vault at all times because if they lose it, they cannot regain access to their data.

Because the cloud backup company does not have a copy of your encryption key, you can never do a password reset to regain access to your data.

This will put some users off, and, depending on your needs (and whether you are prone to losing passwords), you may be better off sticking with a backup with server-side encryption.

That said, if you have important business data, sensitive R&D information, intellectual property, or any other sensitive information that you need to keep safe, we recommend you stick to a cloud backup with E2EE.

Conclusion

If you require secure cloud backups that only you can access via a private encryption key, it is essential that you stick to a zero-knowledge service. In this guide, we have explained why our recommended services are the best options for backing up data with complete privacy and security. 

All our recommendations provide backups for many platforms and devices. However, if you require backups for more specialist devices such as FTP or NAS, we recommend you check with the provider before subscribing.


How to use a VPN on Kodi

If you are a fan of Kodi, you probably know about the use of VPNs to stream extra content. In this guide, we discuss how to set up a VPN on Kodi so that you can enjoy a wide array of the best addons.

With a VPN, any Kodi user can quickly pretend to be in a different region to stream more content. A VPN can also let you access exclusive Kodi addons that show live sports, live TV, box sets, and movies – without fear that your ISP might track you.

The easiest way to use a VPN with your Kodi is to install the VPN’s custom VPN client. This allows you to enjoy the VPN connection on Kodi with no manual setup or technical knowledge. However, we will also explain how to use VPN add-ons like Zomboided for Kodi to set up a manual VPN connection if you want to.

What is the easiest way to use a VPN with Kodi?

The best and easiest way to use a VPN on Kodi is to install a VPN provider’s custom VPN app onto the device you run Kodi on. Consumer-facing VPNs have apps for Windows and Mac computers, which means you can easily install the VPN and begin using it with Kodi without needing to do anything else.

Some VPN providers even have VPN apps for Android TVs and set-top boxes, as well as VPN apps for Firesticks. This means you can install the VPN directly onto your Smart TV or Android Box. As a result, the VPN will encrypt your data and allow you to spoof your location, without the need for any in-depth knowledge or technical wizardry.

Alternatively, you could set up a VPN connection on your Wi-Fi router, so that every device in your home (including whichever device you run Kodi on) connects to the internet via the remote VPN server location automatically.

If you are a regular home user, we strongly recommend setting up your VPN in one of these two ways. And, if you are interested in the router method (but don’t want to set up the VPN on your router yourself) you have the option to purchase a pre-setup VPN router that comes ready out-of-the-box.

Setting up a VPN on Kodi with Zomboided VPN manager

If you still prefer to set up your VPN connection manually by using a VPN add-on, a good option is to use Zomboided VPN Manager.

Perhaps you are one of the few people who has set up your own VPN server, or maybe you want to connect to your VPN provider from within Kodi for some other reason. If this is you, the following walkthrough will help!

What is Zomboided?

Zomboided VPN Manager is an addon for Kodi that supports over 30 VPN services. This makes it a highly versatile add-on that can be used to connect to a variety of consumer-facing VPN providers. The addon can be set up on Kodi running on the following systems:

  • OpenElec (v5 onwards)
  • LibreElec (v7 onwards)
  • Linux (OSMC, Raspbian etc)
  • Windows (v7 onwards)

Unfortunately, Zomboided is not compatible with Android devices. 

How to set up a VPN with Zomboided on Kodi Leia 

Below we have described how to install Zomboided on Leia (Kodi version 18.5). If you have a different version, the menu system may look slightly different but the steps will be the same. 

  1. The first thing that you must do is to subscribe to a VPN provider. Without a VPN subscription, you cannot set up your VPN using the Zomboided VPN manager addon.
  2. Now, install OpenVPN GUI onto your device. It is available for download at openvpn.net. (Bear in mind that OpenElec 5 and 7 come with OpenVPN pre-installed. If you are using either of these platforms, simply install the Zomboided VPN Manager add-on using the instructions from step 4 onwards).
  3. You will now need to set up OpenVPN GUI using the .ovpn files for the VPN server you wish to connect to. Your VPN provider will provide the configuration files for its servers in the member’s areas of its website. Your VPN provider will also have a guide for setting up the .ovpn file in the OpenVPN GUI application.
  4. With that done, you must download the Zomboided repository to your Kodi device. (Clicking the link will start the download in .zip format.)
  5. Now, launch Kodi and navigate to Addons > Install from zip file. Here, locate the Zomboided repository in your downloads folder and select it.

  6. You will now get an “Addon enabled” notification with the Zomboided logo, which means it has installed.
  7. Next, head back to your Kodi system menu, hover over Add-ons in the menu and select Install from repository on the right.

  8. Now, choose the Zomboided repository from the menu and select Services > VPN Manager for OpenVPN. Click Install.

  9. Zomboided VPN Manager will now have installed. When prompted choose Settings.

  10. Another window will now open. Choose VPN Configuration on the left, and select the VPN Provider that you want to set up. (You will need to have subscribed to a VPN prior to this stage, to see the best VPNs for Kodi click here.) For the purposes of this guide we opted to set up ExpressVPN:

  11. Now fill out the User name and Password fields for connecting to your VPN. (You will have gained these details when you took out the VPN subscription.)
  12. Next click on VPN Connections on the left-hand menu (it is under the VPN Configuration tab you just used).
  13. Click on First VPN Connection (used to auto connect at start up)
  14. Now, choose the server location you wish to connect to.
  15. You can add more VPN connections by entering each server (maximum 10 default servers permitted)
  16. Click OK to finish setting up your VPN connection

If you encounter an error after following these installation instructions, it is probable that you have not installed OpenVPN GUI and set it up with your VPN’s .ovpn files. You must do this in order to allow Zomboided to leverage it to establish the connection. 

How to install an OpenELEC VPN add-on for Kodi

A few VPN providers have a custom VPN add-on that you can install on Kodi running on OpenELEC (and prior builds such as Isengard 15.0 and onward). If your VPN provides a custom add-on of this kind, you can install it using the steps below:

  1. Launch Kodi and navigate to Settings > File Manager
  2. Double click Add Source
  3. A box will appear, click on None and enter the URL provided by your VPN for its Kodi addon. Now, click Done and give the addon a custom name (for this example, we will use the name Kodiaddon). Now click Done and then click Ok.
  4. Go back to the Kodi home screen
  5. Click on Add-ons > Add-on Browser (the package box icon located at the top left corner) > Install from zip file > Kodi-addon. Select the .zip file for your VPN’s Kodi add-on.
  6. Wait for the repository to install (it may take a few minutes)
  7. Once the add-on is installed, go to Program Add-ons and select the add on for your VPN provider. Click on it and select Add-on Settings
  8. A box will appear, enter the username and password for your VPN account
  9. To change the server location, click on Change or disconnect VPN connection 

Pros and Cons of Kodi VPN Addons

So, what are the pros of using a Kodi addon like Zomboided? The main benefit is that a VPN addon can allow you to control the VPN from inside of Kodi itself. It can also allow you to connect to the VPN automatically when you launch Kodi, which will prevent you from using Kodi without a VPN connection.

In addition, it can be useful for techy users who want to connect to a VPN server they have created themselves on a Virtual Private Server.

Of course, the con is that a VPN addon for Kodi is much trickier to set up, meaning that it is only really for hardened tech-heads. Another drawback is that a manually set up VPN connection may not be as secure, and will have fewer features.

Thus, market-leading VPN clients are not only easier to use, but they are designed to give you robust data privacy and security with added functions:

As a result, custom VPN apps can be trusted to provide you with the privacy and data security you need to use Kodi without being tracked. (As long as you stick to a trustworthy and reliable VPN provider for Kodi in the first place.)

Do you need a VPN for Kodi?

Many people use a VPN for Kodi to make the most out of their Kodi media player. By using a VPN, you can access more content and prevent anybody from monitoring what you are streaming. Below we have included all the benefits of a Kodi VPN:

Can I Use Kodi Without A VPN?

Yes. You can watch plenty of content available where you live on Kodi – without using a VPN. However, if you want to make the most out of your Kodi to stream content from all over the world, you will need a VPN for Kodi.

What is the best way to use a VPN with Kodi?

Although we have described how to install a VPN manager for Kodi in this guide, we still strongly recommend users not to use this method to use a VPN with Kodi. Setting up a VPN connection manually using Zomboided is tricky, and users often encounter problems. For this reason, it is far better to follow the steps below:

  1. Subscribe to a VPN for Kodi
  2. Download the VPN software and install it on your Kodi device (Our recommended VPNs for Kodi have software for Windows, macOS, Android, and iOS)
  3. Login to the VPN app using your credentials
  4. Pick a VPN server location from the list (in the location where you need it) and click Connect.
  5. As soon as the VPN connection is established, launch Kodi on your PC or mobile device and use it as you usually would. It will now work as if you were located in the location of the VPN server, and you will have complete privacy thanks to your VPN connection. 

The best VPNs for Kodi:

  1. ExpressVPN – The best VPN for Kodi. It’s super fast, secure, has great apps for all popular devices including Firestick, and has a smart DNS included.
  2. NordVPN – An excellent VPN for Kodi. It’s secure and great at unblocking streaming services from around the world.
  3. Surfshark – A cheap VPN for Kodi. But, although it’s cheap, it has excellent features and matches up with more expensive services.
  4. IPVanish – A fast VPN for Kodi. It unblocks everything and has great apps for Windows, Mac, iOS, Android, and Firestick.
  5. VyprVPN – A great all-round VPN. It has great apps, unblocks almost anything, and has been audited by a third party to prove it’s secure.

EFF appeals to court to uphold student speech rights

The Electronic Frontier Foundation (EFF) has filed an amicus brief in the U.S. Court of Appeals for the First Circuit, asking the court to uphold students’ right to freedom of speech while off-campus. 

According to EFF, students have rights that are protected under the First Amendment and should be able to express opinions and beliefs freely while outside of school – without fear of repercussions. As a result, EFF concludes that schools are overstepping the mark by punishing students for actions that occurred outside of their jurisdiction.

To back up its claims, EFF provides historical context that draws on a student free-speech decision from 1969. EFF points out that the Tinker v. Des Moines Independent Community School District case upheld students’ right to express free speech as long as it did not:

  1. Cause a substantial disruption on school premises.
  2. Have the potential to cause a substantial disruption on school premises.
  3. Infringe on the rights of other students. 

Wrong decision

In its brief to the Court of Appeals, EFF explains that the federal judge made an “erroneous” decision in the case of Doe v. Hopkinton when he declared that “it does not matter whether any message was sent from an on- or off-campus location.” 

EFF contends that schools have no right to police social media messages made by students on Snapchat or other platforms while off-campus, as long as those posts do not directly affect the three clauses mentioned above.

In a blog post that dissects its decision to file an amicus brief, EFF states that while the Tinker decision only technically applied to freedom of speech on school campuses, we should still take it as evidence that students have a right to express themselves elsewhere without fear of repercussions:

“At the time, it may have seemed obvious that students can publish op-eds or attend protests outside of school, and that the school has no authority to punish students for that speech even if it’s highly controversial and even if other students talk about it in school the next day.”

Online habits

The digital rights group has warned that in the age of social media, schools have punished students for actions taken off-campus increasingly regularly. EFF believes this raises serious concerns for students because of how the internet has altered the way in which students engage in self-expression, political speech, and activism. 

“In the social media age, the line between off- and on-campus has been blurred. Students frequently engage in speech on the Internet outside of school, and that speech is then brought into school by students on their smartphones and other mobile devices.”

EFF hopes it can persuade the US Court of Appeals to uphold student rights to express freedom of speech outside of schools. For example, EFF refers to the case of B.L. v. Mahanoy Area School District when the court upheld a high school cheerleader’s rights after she was unfairly prevented from participating in the junior varsity cheer squad because of comments she made while off-campus. 

That high school student made a comment online to express her dissatisfaction at not being picked to advance from junior varsity to the varsity cheerleading squad. On that occasion, it was decided that the high school student should not have been excluded from ongoing cheerleading activities for expressing her feelings. 

EFF rightly asserts that similar cases occur regularly across the US and that it is imperative for the court to “reaffirm the free speech rights of public-school students and draw clear limits on schools’ ability to police students’ private lives”.

“It is essential that courts draw a bright line prohibiting schools from policing off-campus speech so that students can exercise their constitutional rights outside of school without fear that they might be punished for it come Monday morning.”