Showing posts with label Security and Permissions. Show all posts

What happens to your blog if your Google account becomes inactive?

This article describes Google's Inactive Account Manager, a new tool that gives you control over what happens to your Google account if you don't log on to it for a period of time.



Ages ago, I read a thought-provoking article on ProBlogger about making a "blogging will". His main aim was to ensure that his family could access his business assets (ie his blogs etc) if something untoward happened to him.

Now, Google's Data Liberation Front have announced a new tool called the Inactive Account Manager, which lets Google account owners say what should happen if they ever stop using their account.

This tool lets you decide
  1. If and when your account should be treated as inactive
  2. What happens with your data if it becomes inactive, and
  3. Who else is notified, and what is said to them.

At the moment, it covers these Google tools - which are attached to your Google account:
  • +1s
  • Blogger
  • Contacts and Circles
  • Drive (which I guess means Docs too)
  • Gmail
  • Google+ Profiles, Pages and Streams
  • Picasa Web Albums
  • Google Voice
  • YouTube.

AdSense is a notable exception: I don't know what happens to your outstanding balance and income if your AdSense account becomes inactive.   But I suspect that it might be managed in the same way as a bank account or book royalties - and because each country will have different laws about managing estates and the like, it's not possible to let you "opt-out" in the same way as it is for regular data.


What situations is this for

There are a few scenarios that the IAM ("Inactive Account Manager" is such a mouthful) might be useful for.

Death / Serious illness or injury

The most obvious thing that you could use the IAM to provide for is if you unexpectedly die, or become so sick/injured that you cannot log in any more.

In this case, if your blog and other Google content (eg YouTube videos) is personal, you may or may not want family or friends to access it - and you may or may not want it to be deleted.

But if your blog belongs to an organisation or a business, it's quite a different scenario:   you will almost certainly want someone else to have access.

And if it contains material about a hobby or public interest topic, you may well want to have it transferred to some kind of "data steward" - or you may want your estate to manage it as an asset, if it is profitable.

Losing access to your account

Some people lose access to their Google account because they:
  1. Set them up with an external email address
  2. Lose access to that email address
  3. Forget the Google account password
  4. Cannot remember enough details to regain access via the forgotten-password wizard.
The IAM will only help these people if they have set it up, and if they (or a friend) still have access to the alternative email address they entered.   So it's not a universal cure for this problem, but may help a little.

Losing interest in your account

People's lives and priorities change over time.   The blog that was all-important ten years ago may now be a distant memory.   In this case, if IAM is set up, people will at least get a chance to think about whether they want to maintain what was there, or not.

The best approach?

There is no "one right way" to use the IAM to look after your blog when you stop updating it.   It's a very private decision, and depends on what risks you think you want to cover off, and how you are using your Google account.

Personally, I don't think that losing interest or losing access are likely to happen.    So I've set up my IAM information to cover the first case, ie death or incapacity, and used it to send messages to carefully selected friends and relatives.  I could do more, eg include details about selling a couple of blogs that would be "assets" in the right hands, and send messages to the firm who would be looking after my affairs.   But it's a start - and as with so many "death and taxes" type of issues making a start is half the battle.


How to set up your inactive account information


Once you have thought about what sort of situations you want to deal with, then setting up your inactive-account information is pretty easy.

To start with, go to the Account Management option on your Google account settings page.   Once you're there, there is an easy set-up wizard, which covers the following points.

Warning that you're in danger of becoming inactive

Google doesn't want your account to suddenly become inactive.   So they collect details that are used to warn you, by sending a text message to your cellphone and an email to an alternative address, saying that your account is close to becoming inactive. The current definition of "close" is one month. Basically, this is your chance to stop the account becoming inactive by logging in.

They ask for:
  • A mobile phone number (which needs to be verified - so it must be one that you can access now)
  • An alternative email address (which isn't verified - yet!)

Setting the timeout period

You need to choose how much time needs to go by without you logging in before your account is considered to be inactive. The default is three months, and other options are six, nine and 12 months.

Who else to tell

You can nominate one or more trusted contacts - ie email addresses that receive notification (and, if you choose, access to your data) once your account actually becomes inactive.



For each trusted contact, you need to give some message-text and also say which specific Google products they should get access to.



You can also set up an auto-reply to messages to your Gmail account, which is sent in response to all incoming messages after your account becomes inactive - or at most once every 4 days if one account sends you lots of messages.


What happens to your account:

Finally, you choose whether to delete your data once your account is inactive - the default value is "no", but you should change it to "yes" if you want to be sure that your blog etc are removed.


Confirmation

After you have saved your settings, you will get an email confirming what you entered.    (In my case, this message took several days to arrive - possibly because I set up my IAM settings fairly shortly after it had been introduced.   Hopefully it's got quicker now.)


Limitations of the IAM

At the moment, IAM lets you set thresholds, notifications and actions for a whole Google account - there is no way to say that some blogs should be kept, and some deleted.

And there are still lots of things that we don't know about how IAM will work in practice.
  • Do you get only one reminder - or one every time you reach the inactive-account threshold again  (ie every 3, 6, 9 or 12 months)?
  • What happens if you're one administrator of a team blog, and your account becomes inactive with instructions to delete it - but there are other members or administrators who are still actively contributing?   (I would hope that the presence of these people means that your "delete" instruction is ignored, at least for the blog.   But I suspect that this won't be an easy scenario to provide for - and it's possible that Google haven't worked through all the options here.)

    Ditto other shared resources (YouTube Channels, Shared folder/documents in Drive, etc)?  The dimensions will be different in each product, but the underlying problem is the same.


So while I think that IAM is a great idea, I'm also a little nervous about what problems it could cause if people choose to delete things without thinking through all the consequences.

And if you are going to set it up for your own personal blogs, then maybe now is a good time to transfer ownership of blogs that you made for clubs / societies / organisations / businesses to generic accounts being managed for them.





The "Single-Slash Double-Dot" rule for identifying spam links in phishing emails

This article is about email phishing, and spam-links in emails: how you can recognize them and what to do about them.


Understanding Spam vs Phishing


Most people know what regular spam is. Phishing is a more sophisticated type of spam, which combines information that the spammer knows (or guesses) with conventional spam techniques. Often phishing emails are addressed directly to you, and offer a "product" or "service" that you might realistically want. For example, they may offer to fix a security problem with your on-line banking (just as soon as you have gone to their website and given them your real on-line banking details).

Bloggers are particularly susceptible to phishing emails, because we write websites where we share information about ourselves. For example, anyone who reads Are-You-Blogger should have no trouble guessing that I use both Amazon Associates and Chitika, and that I have a domain hosted with DomainDiscount24.  It's not much harder to work out that I'm interested in folk-music, and know a lot about public transport in my city. And even though I don't display my email address on the blog, it isn't that hard to guess from some of the screen-shots I use, or by subscribing to my RSS feed.    And you might be even more vulnerable if you link your blog to your Facebook profile instead of a Page.


Protecting yourself from Phishers

ISPs and email services detect and delete most regular spam emails before they are delivered. But this is harder to do with phishing emails, because they often look genuine. So you need to protect yourself against phishing.

The best way to do this is to be curious-and-cautious about any email you receive. There are lots of suggestions below about what this means, and what characteristics to look for. None of them can give a 100% certain answer about whether a message or offer is dodgy. But being aware of the sort of things you need to check, and in particular the "single-slash-double-dot" rule for checking links, is an excellent start.


How to spot phishing emails

An email message may be a phishing attempt if some of the following are true:
  • You were not expecting the message, or any contact from the organisation it apparently comes from.
  • You've never heard of the organisation or company that it comes from - or you don't have any dealings with them.
    (That said, sometimes unknown organisations do contact you - try to establish their legitimate website or phone number from another source, to check if they're "for real" or not).
  • The message asks you to confirm account details by giving some personal information: no reputable company will ever want you to do this by email. Intelligent reputable companies will not expect you to do so by clicking on links in their website.
  • The message tries to make you respond quickly, to stop something bad from happening. (Basically, they're trying to stop you from thinking about the message before you respond to it.)
  • An email doesn't have your address in the To field - or it has your address and many others which you don't know.
  • The message-body doesn't start with your name (eg if it says "Dear Customer" instead of "Dear Joe Soap")
  • The from address, or the name at the bottom of the message (like the "signature" in a paper-based letter) is missing, or seems strange given where the message came from.
  • Bad spelling. Bad grammar. Poor formatting. Odd looking graphics / pictures / logos. Strange sentence structures (either to try to trick you, or because the author doesn't know your language well).

None of those features guarantee that a message is dodgy. But any of them should be enough to make you a little suspicious.

But there are some features that are more of a give-away:
  • The URL / hyperlink in the message isn't the right one for the company (eg it's from www.ebay.org instead of www.ebay.com)
  • The message contains a link which doesn't match the website shown when you hover the mouse over it eg www.amazon.com - notice that it's linked back to Blogger-HAT instead of to the real Amazon.
    NB Even if a link looks like a link, ALWAYS check where it goes to by hovering your mouse over and seeing what the "tool tip" text is.
  • The message uses a URL shortening service (eg tinyurl.com, bit.ly, goo.gl) which stops you from checking where the link really goes.
    (This is a good reason why you shouldn't use link shortening services yourself:  they make it look like you have something to hide. Whenever I tweet about a post, I always put in the full URL: even though Twitter doesn't display all the characters in the message, they are available to anyone who hovers over the link).


A simple rule for evaluating links:

The last three points are the most helpful - but they rely on you being able to look at a website-link and know if it's spammy or not.

And spammers know that it's easy to confuse people by showing them long, complicated links that superficially look like real ones.  For example, consider
www.cnn.com.newslist.2013-01.headlines.trouble.com/headline-listing/xx03/index.html
Lots of people will look at this, see the "cnn.com" and think "ahh, that's a reliable news site, it must be fine."   But that's not actually true.

Fortunately there's a simple rule that you can use to find the real website that a link points to. It is
Single-Slash, Double-Dot

To use it, look at where the link really goes (by hovering the mouse above it) and:
  • Find the first single forward slash
  • Look at the words between the two or three dots just before the slash
  • Decide if the link is genuine, based on these words.

The Single-Slash Double-Dot rule explained


In the example above, the first single forward slash is actually half-way through the link:
www.cnn.com.newslist.2013-01.headlines.trouble.com/headline-listing/xx03/index.html

So the website that it is pointing to is actually trouble.com - which might not be a place that you want to visit.  Compare this with
http://www.bbc.com/future/story/20130129-blue-heart-of-the-planet
where the first single-slash is quite near the start, just before the very genuine www.bbc.com.

In summary, the website name between these two or three dots should match the one that is shown in the email, and should be the right one for the company. For example, one of these points to the real TradeMe, and one doesn't:
TradeMe 
TradeMe
(Yes they look the same:  remember you need to start by hovering your mouse over the links, to find out where they really point to.)


Two vs three dots?

You sometimes have to check back three dots because some countries have two-level internet addresses. For example, instead of .com you will find
  • .co.uk - in the United Kingdom (two level, so you need to check three dots)
  • .com.au - in Australia (again, two level, so you need to check three dots)
  • .ie - in Ireland, (single-level, so you only need to check two dots).

So, like many internet security issues, there are still judgements you need to make, and knowledge you need to apply.   But still, it's fair to say that you can ...
Use the single-slash-double-dot rule to work out where the link in an email message really goes to.
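
The rule can also be written down as a short program. This is an added example, not part of the original article: the function names and the sample links marked "constructed" are assumptions, and the two-level list holds only the two endings named above, where a real checker would load the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Only the two-level endings named in the article; an assumption for this
# example. A real checker would use the full Public Suffix List instead.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au"}


def real_site(link):
    """Apply single-slash-double-dot: return the site a link really goes to."""
    # urlsplit only finds the host after "//", so give bare links a scheme.
    if "://" not in link:
        link = "http://" + link
    # Everything before the first single slash, minus any port number.
    host = (urlsplit(link).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    # Check back three dots for two-level endings (.co.uk), otherwise two.
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def link_is_suspicious(shown_text, href, expected_site):
    """True if the hover target, or the visible text, is not the expected site."""
    if real_site(href) != expected_site:
        return True
    # If the visible text is itself a web address, it has to agree as well.
    shown = shown_text.strip()
    if "." in shown and " " not in shown:
        return real_site(shown) != expected_site
    return False


if __name__ == "__main__":
    samples = [
        # The two links discussed in the article.
        "www.cnn.com.newslist.2013-01.headlines.trouble.com/headline-listing/xx03/index.html",
        "http://www.bbc.com/future/story/20130129-blue-heart-of-the-planet",
        # Constructed sample with a two-level ending.
        "https://www.example.co.uk/login",
    ]
    for link in samples:
        print(real_site(link), "<-", link)
    # Constructed sample: text says amazon.com, hover target is somewhere else.
    print(link_is_suspicious("www.amazon.com", "http://shop.example.net/deal", "amazon.com"))
```
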


What to do if an email or link is suspicious

With old-fashioned spam, the rule was always to delete the message, no questions asked.

With suspected phishing emails, it's a little harder.   You need to make a judgement:
  • What are the chances that this is genuine?
  • What are the consequences if it is genuine, but I ignore it?
  • Is there some other way that I can check this out, without clicking on the link in the email? For instance by going directly to the bank's website by typing in the address myself - or by phoning the person to ask if they really did email me.

You need to weigh up these three factors, and based on them decide whether to investigate further (eg by going to the website directly, or emailing the sender for more information), whether to trust the email message, or to just delete it.


TL/DR:

Phishing emails use information about you to personalize spam.

Apply common sense and intuition to every email that you receive. Check that links go where they are supposed to - and don't click them if they don't.

Use the single-slash-double-dot rule to work out where the link in an email message really goes to.





