technology

Is Clubhouse safe?

Despite its sudden success, the Clubhouse app appears to be missing some basic privacy and security features. Can you trust Clubhouse with your data? Let’s find out.

What is Clubhouse?
Clubhouse is an invite-only audio chat room app. Users can listen to live audio streams from virtual chat rooms and even join in discussions if the moderator allows it. At just over a year old and with 2 million users, including some of the world’s greatest minds, it’s easy to get caught up in the excitement. However, the app hasn’t managed to seduce privacy and security experts in quite the same way.

From Chinese servers to contact sharing, we dissect Clubhouse’s security misdemeanors to help keep you safe.

Data spillage
A month after the app’s release, a user was discovered streaming audio feeds and metadata from multiple rooms to another website. Admitting the “data spillage” in an interview with Bloomberg, Clubhouse said that this violated its terms of service, banned the user, and added safeguards to stop this from happening again. How safe those safeguards are is impossible to say at this stage.

Does Clubhouse access your contacts?
Clubhouse is invite-only. Once you manage to join, you can invite two other people. But there’s a catch. You have to give Clubhouse access to all your contacts to invite others.

Not everyone in your contact list is a trusted friend. It could include your previous boss, a bad ex, your hairdresser, business associates, or, if you’re a journalist, confidential sources. When you give an app access to a contact, not only are you telling the app that you’re connected to them, but you’re also telling the app that they are connected to you.

While granting an app access to your contacts isn’t big news, it poses some privacy issues:

Awkwardness: As soon as someone from your contacts joins Clubhouse, you’ll receive a “walk them in” notification. Tapping on it immediately throws you both into a private room, along with other Clubhouse users who also had them in their contacts. Wonderful if you get to reconnect with some old school friends. Weird if you get shoved in a private room with your ex and their new partner.
Blind consent: If you want to invite others, Clubhouse will pull up a list of your contacts who haven’t yet joined. Here’s the non-consensual part: Clubhouse ranks each contact based on how many people they already know on Clubhouse. This undermines people who haven’t agreed to have anything to do with Clubhouse. It’s also non-consensual if your Clubhouse contacts are revealed to someone you’ve blocked or are trying to get away from.

Government snooping
When you hear the words “plaintext” and “data” in one sentence, it’s rarely a good thing. Combine that with certain governments that prosecute citizens for opposing speech, and you have a recipe for disaster. Clubhouse audio messages leave no public record after the speech occurs, but the Stanford Internet Observatory (SIO) discovered that users’ unique Clubhouse ID numbers and chat room IDs are transmitted in plaintext (unencrypted) to servers operated by Agora, a China-based company. What does this mean?

The Chinese government could access Clubhouse data.
Agora provides the “real-time voice engagement” part of Clubhouse. It transmits user data via Chinese servers to the rest of the world. Agora acknowledged that it would be required to support PRC law, including the oath to protect national security and aid criminal investigations by supplying user data. Since Agora claims they don’t store any user audio or metadata (except to monitor network quality), users are reassured. Partially. Given that SIO observed unencrypted room metadata being relayed to servers hosted and managed by China, the Chinese government can collect this information without even accessing Agora’s networks.

Clubhouse could violate your privacy and aid unnecessary data harvesting.
Researchers have discovered a flaw within Clubhouse’s backend infrastructure that could let hackers extract audio chat from the Agora API without having to use the Clubhouse app. Agora does not mix the audio from speakers into one track — each speaker is assigned an audio track containing metadata like their unique user ID. It’s also likely that Clubhouse IDs can be connected to user profiles, which means that your data could be harvested, including your phone number, the subjects you’re interested in, and who you’re talking to – not ideal in countries where certain speech is punishable.

Is your data safe on Clubhouse?
Is your audio data safe with Clubhouse? That depends on where it’s stored, how long it’s stored for, and whether your voice ever gets cloned.

How long is Clubhouse audio data stored for?

Clubhouse temporarily stores user audio for the purpose of trust and safety investigations (e.g. terrorist threats, hate speech, threats to children, etc.). But how long “temporarily” is remains unknown. We are informed, however, that if no trust or safety report is filed, the audio is deleted.

Where is Clubhouse data stored?

To add fuel to the fire, Clubhouse’s privacy policy does not mention Agora or any other China-based data sub-processors. So, we don’t know where audio data is stored. If audio data is stored in the US, a federal law would prohibit the disclosure of information requested by the Chinese government. If Agora has access to Clubhouse’s raw audio traffic (which is deemed likely by SIO investigations), it could be intercepted and transcribed if the data is not end-to-end encrypted.

Can your voice be cloned from Clubhouse?

Adobe’s audio manipulator, Voco, can clone anyone’s voice in seconds by inspecting audio waves. The results are frighteningly realistic: you’d have a hard time telling an audio deepfake apart from someone’s actual words. Great as a silly joke between friends — not so great if you’re the president of a country.

Final thoughts
Voice notes are overtaking text, podcasts have the same demand as video, and forums like Reddit and comment sections are blowing up. Clubhouse is the natural next step for social media and a refreshing reprieve from a society soaked in images.

Now, you can drop into a live conversation about a new medical insight or talk to a researcher who is one of the best minds in their field. It’s great to hear that Clubhouse is operating a bug bounty program with HackerOne to weed out security holes. But what we also need from Clubhouse is a better managed outlet for discussion with tighter privacy controls. Clubhouse is still in beta mode, which is why we should demand privacy now instead of boycotting it later.

DATA OF 1.3 MILLION USERS LEAKED IN CLUBHOUSE SECURITY BREACH.

It was only a week ago that hackers were able to gather personal information from billions of Facebook and LinkedIn accounts, which was then put up for sale on the internet. It now seems as if Clubhouse has fallen prey to a similar attack. The audio-only chatting platform saw the records of more than 1.3 million users stolen and posted online on a popular hacker forum.

This means that consumers had all the data from their Clubhouse profiles leaked which consisted of their:

Full Names
User ID and username
Number of followers and followings
Other social media account handles
Account creation dates
Invites sent and who they were invited by on the app

Is Clubhouse’s API Susceptible to Allowing Mass Scrapes of User Data?
Clubhouse later came forward with a statement regarding the issue, claiming that they did not observe any form of a security breach in their systems. They went on to state that the leaked data was already public information available to anyone and easily accessible through their API (Application Programming Interface).

These comments did little to ease the general public’s concerns and their user base, as this event showcased the position of Clubhouse with regards to their privacy policy. Public information was obtainable for a large number of accounts through Clubhouse’s API, which can have severe ramifications for user privacy.

Mantas Sasnauskas, a senior information security researcher at CyberNews, called this policy into question, stating that the platform allowed anyone with a token or an API to collect the entire library of public profile information from the Clubhouse app without an expiration period in place for said token.

He further added that despite Clubhouse having a privacy policy in place which does not permit unauthorized data mining and data scraping, they should take measures to make it difficult for anyone to scrape user data, rather than just writing a few sentences against it in their policy.
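
The two measures that criticism points to, tokens that expire and a cap on how many distinct profiles one token can read, shown here as an added Python example. It is not Clubhouse's code or part of the original article; the function names, the one-hour lifetime and the quota of 30 profiles per minute are assumptions chosen for illustration.

```python
import hashlib
import hmac
from collections import defaultdict, deque

SECRET = b"constructed-demo-key"   # placeholder; a real service loads this from a secret store
TOKEN_TTL = 3600                   # assumed policy: tokens are valid for one hour
WINDOW = 60                        # sliding window length in seconds
MAX_PROFILES_PER_WINDOW = 30       # assumed quota: distinct profiles one token may read per window


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id: int, now: float) -> str:
    """Return 'user_id.expiry.signature'; the expiry is covered by the signature."""
    expiry = int(now) + TOKEN_TTL
    payload = f"{user_id}.{expiry}"
    return f"{payload}.{_sign(payload)}"


def verify_token(token: str, now: float):
    """Return the user id for an authentic, unexpired token, otherwise None."""
    try:
        user_id, expiry, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(f"{user_id}.{expiry}")):
            return None            # forged or modified token
        if now >= int(expiry):
            return None            # token has outlived its lifetime
        return int(user_id)
    except (ValueError, TypeError):
        return None                # malformed token


class ProfileGate:
    """Decides whether a profile lookup is served, per token holder."""

    def __init__(self):
        # user_id -> deque of (timestamp, profile_id) for recently served lookups
        self._served = defaultdict(deque)

    def check(self, token: str, profile_id: int, now: float) -> str:
        user_id = verify_token(token, now)
        if user_id is None:
            return "401 invalid or expired token"
        recent = self._served[user_id]
        while recent and recent[0][0] <= now - WINDOW:
            recent.popleft()       # forget lookups that left the window
        distinct = {pid for _, pid in recent}
        # Re-reading a profile already seen is normal use; walking through
        # many *different* profiles in a short time is what a scrape looks like.
        if profile_id not in distinct and len(distinct) >= MAX_PROFILES_PER_WINDOW:
            return "429 profile lookup quota exceeded"
        recent.append((now, profile_id))
        return "200 ok"


def simulate():
    """Run constructed traffic through the gate and summarise the outcome."""
    gate = ProfileGate()
    t0 = 1_700_000_000.0           # constructed timestamp

    # Constructed bulk reader: 100 sequential profile ids in ten seconds.
    bulk = issue_token(42, t0)
    bulk_results = [gate.check(bulk, pid, t0 + i * 0.1)
                    for i, pid in enumerate(range(1, 101))]

    # Constructed ordinary client: revisits the same five profiles.
    normal = issue_token(7, t0)
    normal_results = [gate.check(normal, i % 5, t0 + i) for i in range(40)]

    # The bulk reader's token presented again after its lifetime has passed.
    late = gate.check(bulk, 1, t0 + TOKEN_TTL)

    return (bulk_results.count("200 ok"),
            sum(r.startswith("429") for r in bulk_results),
            normal_results.count("200 ok"),
            late)


if __name__ == "__main__":
    print(simulate())
```

A quota on distinct profiles only slows a single token; a service would pair it with limits on account creation and with monitoring for many tokens reading adjacent ID ranges.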

How Can This Impact Users?
The consequence of the public data being leaked online is that cybercriminals can use it to carry out attacks such as phishing and social engineering attacks. On the hacker forum mentioned above, the SQL database posted revealed only public Clubhouse profile information. There were no signs of sensitive data, such as credit card information, present for any user. However, for certain cybercriminals, this basic public information is sufficient and useful in their efforts to commit heinous acts against innocent individuals using these apps.

These individuals are able to compare information found in the leaked SQL database with other data breaches through which they create comprehensive profiles of their targets. This sets a platform for them to conduct identity theft against the people whose information they can find readily available on the hacker forum.

Next Steps
There are a few necessary steps that you must undertake if you are fearful that your Clubhouse profile information has been leaked and published online. These include:

Avoid accepting Clubhouse connection requests from dodgy people who you do not know.
Going forward, create strong passwords and use a password manager tool to help you remember them.
Begin enabling two-factor authentication for all your accounts.
Be wary of suspicious emails and messages you receive online, as these can contain links that may lead to your privacy being compromised.

Over 1 lakh Fake Nudes Made Using Deepfake Bots on Telegram

The menace of deepfake pictures and videos is getting bigger and more worrying. The latest revelation by an international cybersecurity firm will leave you shocked. Sensity’s researchers have found a “deepfake ecosystem” on the encrypted messaging app Telegram, which is centered around AI-powered bots that can generate fake nudes on request.

The security firm claims that over one lakh women have been targeted and their personal “stripped” images have been shared publicly by the end of July 2020.

According to cyber experts, these stripped images can be misused by sharing them in private or public channels beyond Telegram as part of public shaming or extortion-based attacks.
Researchers say that people are mainly using these bots to create nudes of women they know. They copy images of their targets from social media and, after converting them into nudes, share and trade them with one another in various Telegram channels. The software used to generate these images is known as DeepNude.

Explained: How Deepfake bots on Telegram work.
To “strip” an image, a user simply needs to upload a photo of a target to the bot and receive the processed image after a short generation process.
There are various other similar underground tools, but what is worrying about this bot service is that it is easy to use and accessible. It comes with a simple user interface that functions on mobile phones as well as computers.

These bots are free to use, but they create fake nudes with watermarks or only partial nudity. However, users can pay more to “uncover” the pictures completely.
“The number of these images grew by 198% in the last three months until July. Self-reporting by the bot’s users indicated that 70% of targets are private individuals whose photos are either taken from social media accounts or private material,” Sensity said in its key findings.

The findings also show that the bot and its affiliated channels have so far gathered over a lakh members worldwide. A maximum of 70 per cent are from Russia and ex-USSR countries.
The misuse of deepfakes is becoming a big concern, as it allows visual and audio content on the internet to be manipulated or fabricated so that it seems very real. This software is quite similar to the face animation techniques used in movies.

Beware! These 7 Google Pay and PhonePe scams will let hackers steal your money.

HIGHLIGHTS:

Requesting money, taking remote access of the phone, and vishing are some popular UPI scams
SIM cloning and SMS forward scams have also cost people lakhs of rupees
Other common methods include fake helpline numbers and counterfeit UPI apps that trick users into giving them money.

Online payment services like Google Pay, Paytm, and PhonePe have grown in popularity over the past few years thanks to the government’s ‘Digital India’ push. UPI (or Unified Payments Interface) has made it easy for users to transfer money, and our dependence on these services may have even increased during the ongoing coronavirus lockdown as people are forced to stay at home and make payments online instead of paying in person with cash. This is the time to be extra vigilant about UPI scams: scammers are always on the lookout to trick users into giving them money directly from their bank accounts, and UPI is a great tool for them to do so. In fact, several people have lost thousands and lakhs of rupees in these UPI scams. Here are a few popular UPI scams through which fraudsters are able to scam people using apps such as Google Pay and PhonePe.

  1. Request Money scam
    One of the most common UPI scams is the ‘Request Money’ scam. This happens when a user receives a request to pay money instead of getting a payment, and isn’t paying enough attention to the transaction. OLX and Quikr are well-known hunting grounds for fraudsters using this scam. On apps like Google Pay, PhonePe, BHIM, etc., there is an option to request money from another person, which is something fraudsters take advantage of. Say you’re expecting a payment from a person for a product you want to sell, but instead of paying you the amount, the person sends a payment request for that amount. You receive the request and, unsuspectingly, enter your UPI M-PIN. As soon as you enter the PIN, you have validated the transaction and the money gets transferred from your bank account to the fraudster’s account.

Example:

I Just got a call from +91 9064342853. Saying I hv got 3999 from @PhonePe_ as reward. The guy is still on call on 8:49. He even tried requesting me rs 3999 through phone pe. Please look into this number. I’m attaching some screenshots. @phonepe_safety @PhonePeSupport pic.twitter.com/7z2syFA4jj

— 🇮🇳SHIVAM KUMAR (@_EKANSH11) MAY 5, 2020

  2. Cashback/refund scam
    This is a variation of the Request Money scam, wherein the scammer will call and pose as an agent of the bank or a major retail chain. She/he says the user has been awarded some cashback and asks them to accept it via any UPI app of their choice. Many scammers even keep an eye on Twitter and Facebook for complaints shared by users on the platform; they then call posing as executives of such companies and promise to process a refund. Within seconds, the user gets a message mentioning the said amount on their UPI app; in a rush to encash the cashback, many users enter their PIN. However, this will be a payment request — UPI apps do not require users to enter a PIN to accept a payment. This means they authorised a UPI payment from their phone instead of accepting money from the caller. This is a fairly common scam and many have fallen for it.
  3. Remote access/Vishing
    UPI has a simple four-digit PIN to authorise transactions. The simplicity of this process also makes it easy for hackers to transfer funds from your bank to their accounts once they discover your PIN. One of the ways hackers can do this is by accessing your phone remotely using apps like AnyDesk. This is a remote desktop software that can allow hackers to gain access to your phone and all the OTPs it receives.

In such a scam, you can get a call from a fraudster pretending to be a bank representative calling regarding an issue with your account. They will then try to establish a conversation, asking for personal details such as your date of birth, name, and mobile number. They will then ask you to download an app like AnyDesk or ScreenShare or TeamViewer from Google Play Store. The fraudster will then ask for an OTP that is generated when setting up the app. They will also ask you to grant all the necessary permissions in the app. Once this is done, the hacker will have full control of your phone and can make transactions using your UPI account.

In such a case it is important to understand that a bank representative will never ask for your credentials such as passwords or OTPs. They will also never ask you to download a third-party app. If anyone asks you to do any of these over the phone, they are most likely trying to scam you. Notably, apps like Paytm will not work if you have a screen-sharing app installed in order to protect your confidential data.

  4. SIM cloning
    Another way fraudsters have been able to hack someone’s bank account is by cloning their SIM card without their knowledge. By cloning the number, the fraudster can receive OTPs, allowing them to change the victim’s UPI PIN and access banking apps and payments services like Google Pay, Paytm, and so on. The process for SIM swapping or cloning is not easy, which is why it’s not popular even among scammers. Even so, SIM swap fraud has been steadily increasing in India in recent times. Last year, a person reportedly lost Rs 25 lakh due to SIM cloning.

Notably, this method comes after some of the previous scams we mentioned, such as phishing and fraudsters pretending to be bank representatives. Once they obtain enough personal information from the victim, they can call the mobile operator and convince them to block the victim’s SIM number. They will then obtain a new SIM and access the victim’s banking accounts via SMSs and OTPs.

  5. SMS forwarding scam
    This is a relatively elaborate scam in which the scammer will ask you to send an SMS from your phone in order to authenticate an order or to process a refund, etc. However, this SMS actually contains an alphanumeric identifier for your smartphone — this alphanumeric identifier tells UPI that the request to register a UPI account was made from the user’s registered phone number. When you send the requisite SMS to the scammer, they will get this alphanumeric identifier too, which allows them to register for a UPI account from your phone number. Then they will be able to steal money from your account. This usually involves the fraudster guessing the UPI PIN based on the personal info they have of the user. However, there have been cases where the scammer convinced the user to give their PIN in order to process refunds etc.
  6. Fake helpline numbers
    This is a fast-growing UPI scam these days. When you search for something innocuous, like the phone number of a courier service or a local restaurant, Google may show a listing that is unverified and actually belongs to a scammer. The scammer achieves this by optimising the website for social media as well as by registering as a business on multiple platforms to convince users (and Google) of its authenticity. When you call that number, the person on the other end will ask you for details of your package or take your order, then will request partial or even full payment to confirm the order via UPI. After this, money will be deducted from your account and the phone number will become unresponsive.
  7. Counterfeit UPI apps
    Counterfeit UPI apps are available by the hundreds on the Google Play Store, with names that try to trick the user into downloading them. These include and are pretty easy to spot due to poor ratings and few downloads. Nonetheless, if someone does end up downloading such an app, they can not only give away their phone number in the registration process but also their debit card PIN and access to their bank account. In many cases related to these fake banking apps, the OTP the user receives and then enters in the app is used to authenticate a payment/ transaction by the scammer.

Your Cat Videos May be Giving Away Sensitive Data to Hackers, and You Didn’t Even Know it.

According to a new security report, scammers and cyber attackers worldwide are scraping social media posts for data that may seem irrelevant, but are actually key personal identifiers.

Using social engineering and scraping information off the open web, hackers are targeting unsuspecting users
These include personally identifiable information posted casually by users on social media
Such tactics are being used by cyber criminals to send targeted mails with malware payloads

Your personal cat videos, stay at home birthday party photos and casual snaps of yet another day spent under Covid-19 restrictions may not just be what meets the eye.

Casual social media posts made by many of us staying at home appear to be leaking key identifiers on to the open cyber space. While such things, such as you celebrating your birthday party, sharing your adoration for the puppy whom you rescued, or even something as trivial as a mid-work snap to break the boredom may not have anything sensitive at all, such data can be put together by cyber attackers, scammers and hackers to form a pool of identifiable data, all linked to you. This, in turn, is helping threat actors create targeted cyber advances and dupe individuals, in a spree of advanced online scams that no longer remain simple.

How trivial is trivial data?

“Scams are a preferred form of attack for many criminals. They are often simple to launch and, if well-executed, can have relatively good success rates. As we have become more aware of scams, criminals have had to become more cunning. One way they have sought to boost success rates is to personalise scams – think spear phishing-type attacks. No longer do we see “Dear user”, but rather “Dear [your name]”. And, scams now even use your old passwords within their messages to you,”

Such incidents aren’t particularly unprecedented – cyber crime has always evolved to keep pace with what’s topical, and in today’s world, this has a far greater reflection. For instance, numerous reports highlighted the now-well documented surge in Covid-19 related scams and spear phishing efforts during the early months of the global pandemic. As the times evolved, attackers adapted to target the Covid-19 contact tracing and vaccine efforts, and subsequently, more advanced tasks too.

But as it turns out, one of the key signifiers of advanced cyber threats was born out of casual social media posts, including very basic stuff such as a photo of your first Zoom meeting. Thanks to AI image resurrection tools, even compressed images shared on social media could be refurbished to reveal details – sometimes highly sensitive in nature. Such social media posts, as the Sophos report claims, have included personal details under popular hashtags. As it states, “Photos tagged with WorkFromHome, WorkingFromHome, HomeOffice have also revealed birthday parties (celebrated on Zoom or Teams), thereby exposing birth dates; home addresses through photos revealing addresses on Amazon parcels or postal mail; and names of family members, children and pets.”

The risks that they represent.

To put things in perspective, such identifiable data can be stitched together by attackers to contact you via email, pretending to be a work acquaintance – or from social engineering, a friend whom you have not been in touch with for a while. These attacks can, in one of the methods, include emails with attachments that directly address you. All it takes is to pique a target’s interest, enough to make them download the attachment sent via email. Once downloaded, the attachments can use one of the thousands of malware available for nominal cost, thereby handing attackers a direct route to access your files on your work PC.

For example, an attacker may contact an employee under the guise of a known supplier, drawing on information gathered from an email. Or, they may get in touch with the employee, pretending to be from the IT department and with a request that the staff member update key software that only internal employees would (should!) be aware of.

“In both cases, employees may be tricked into providing more sensitive files or data, directed to download malware, or exploited through a range of other attacks. There have been similar issues with numerous data breaches in the past where unsecured corporate servers online have leaked data, including millions of business and customer records.

The perils of casual social media posts.

While such risks may not be apparent at first, this establishes the latest favourite tactic used by cyber attackers on the open internet – social engineering. Such processes can help malicious users to create a digital map of you by using your social media posts, and use this data to gain your trust and trick you into downloading ransomware, malware and stalkerware payloads. In extreme cases, such tactics are being used to target celebrities and personalities to infect them with spyware.

As general security advice, users are urged to not download any attachment from emails where they are not personally confident of the sender. For video conferences, users are advised to use virtual or neutral backgrounds that do not have identifiable details, and in general, social media posts are better kept to the least possible.

How To Protect Yourself From Online Violence:

A Guide For Women In India.

India has the highest number of Facebook and TikTok users in the world and the eighth highest on Twitter. Our country has one of the largest and fastest growing presences on various social media platforms. With such a large population accessing the internet and social media platforms, there is a likelihood of online abuse and harassment. As indicated by the most recent National Crime Records Bureau data, the number of cyber-crimes has been steadily increasing each year, with 2018 seeing 27,248 cyber-crimes. The curfew and lockdown measures imposed by the government during the COVID-19 pandemic have further increased the dependency of people on the internet for work, entertainment and information, putting many vulnerable groups including women further at risk.

In January 2020, Amnesty International India published Troll Patrol India, exposing the online abuse that women face on a daily basis in India. While the social media platforms and the government are primarily responsible for ensuring safe spaces for women, it is important to know not only how you can protect yourself online but also how you can be a more responsible netizen. Here is what you need to know:

What is online violence/online abuse?
Online violence or online abuse is not specifically defined under Indian law. There are several kinds of harassment and abuse that people face on the internet. Online violence and abuse can take many forms. This issue has a profound impact on the fundamental human rights of people, especially the right to equality, right to life and right to freedom of expression.

The following are some forms of online violence:

Threats of violence: Direct and indirect threats of physical or sexual violence.
Violations of privacy: Sharing of sexual and private images without consent, and ‘doxxing’ (revealing personal or identifying details without consent, with the aim to cause distress).
Discrimination: Targeted content that is sexist, racist, homophobic or related to an individual’s identity that aims to belittle, humiliate or undermine them.
Online harassment: Sustained or repeated communications involving one or more people working together to target an individual, using abusive comments or images online, over a short or coordinated period of time, with the aim of humiliating or otherwise distressing them.

It is important to remember that online settings where such violence can occur include but are not limited to social media platforms like Twitter, Facebook and Instagram. They also include emails; messaging apps like WhatsApp and Viber; blog sites such as WordPress and Blogger; and even comments sections of different websites like news sites and YouTube.

Online violence and abuse is experienced by Internet users of all genders. However, women’s experiences online often mirror the discrimination, sexism and violence that women experience offline.

How do I report online harassment?
A complaint can be filed anywhere, as cybercrimes don’t have any jurisdiction. To report online harassment, the following options are available to you:

Reporting on social media websites: Most social media platforms have the option of reporting online harassment. You can check the reporting guidelines by clicking on a particular platform and accordingly report:
Facebook
Twitter
Instagram
TikTok
WhatsApp
YouTube
Cyber cells: They have been established especially to deal with victims of cybercrime. They come under the purview of the crime investigation department. Here are the Nodal Cyber Cell Officers for each state. You can also file a complaint at http://www.cybercrime.gov.in. The National Cyber Crime Reporting Portal also has a manual on reporting cyber-crimes to help guide you through the process.
Local Police Station: You can also file an F.I.R. at a local police station. Remember: It is compulsory for a police station to register an F.I.R.; you have the right to this redressal if you choose it.
Ministry of Women and Child Development: A specific email account has been established by the Ministry which is dedicated to complaints related to abusive behaviour, harassment or hateful conduct on social media. You can email at: complaint-mwcd@gov.in
The National Commission for Women: In the case of women, the National Commission for Women can take cognizance and enquire into cases of online harassment against women. You can either make a complaint online, email at: complaintcell-ncw@nic.in; or call the NCW at: +91-11-26944880.

Do I need to give any proof when I report?
While it may be appealing to delete evidence of abusive/harassing interactions that you have faced online, it is important not to delete the evidence. Consider keeping screenshots as well as print-outs of photos, emails, or any other information sent by the perpetrator; this will make it easier for the concerned authorities to trace evidence in the virtual world.

What are other ways I can keep myself safe online?
Keep personal identifying information private. This includes your location, date of birth, address, and any identity documentation.
Be an active bystander. Do not allow cyber bullying to go unchecked. If you see someone else being harassed online, report it to the website. Help your friends.
Be cautious of those you meet online. Do not trust everyone who approaches you online. If you are meeting someone who you have only interacted with online, ensure that a trusted friend or family member knows where you are.
Trust your instincts. Ask yourself whether the interactions you are having feel right? Ask yourself, if your friends and family knew what was being shown and said, would you be embarrassed?
Stop the chain. Do not forward, copy, download content that you think is inappropriate. If necessary, contact the Cyber Cell to report the spread of inappropriate content.
The National Cyber Crime Reporting Portal has more tips on online safety and how to protect yourself on social media platforms.

technology

Cyber Prox

Get regular updates on the go about our Facebook page and WhatsApp and recent technological and legal advances in order to keep safe.

Cyber crime consultation.

We are here to help in any way possible to keep you away from the menace of cyber crime and to help you technically or legally in case you are a victim.

Internet safety for parents.

The Internet can be wonderful for kids. They can use it to research school reports, communicate with teachers and other kids, and play interactive games.

But online access also comes with risks, like inappropriate content, cyberbullying, and online predators. Using apps and websites where kids interact, predators may pose as a child or teen looking to make a new friend. They might prod the child to exchange personal information, such as address and phone number, or encourage kids to call them, seeing their phone number via caller ID.

Parents should be aware of what their kids see and hear on the Internet, who they meet, and what they share about themselves. Talk with your kids, use tools to protect them, and keep an eye on their activities.

Internet Safety Laws
A federal law, the Children’s Online Privacy Protection Act (COPPA), helps protect kids younger than 13 when they’re online. It’s designed to keep anyone from getting a child’s personal information without a parent knowing about it and agreeing to it first.

COPPA requires websites to explain their privacy policies and get parental consent before collecting or using a child’s personal information, such as a name, address, phone number, or Social Security number. The law also prohibits a site from requiring a child to provide more personal information than necessary to play a game or enter a contest.

Online Protection Tools
Online tools let you control your kids’ access to adult material and help protect them from Internet predators. Many Internet service providers (ISPs) provide parent-control options. You can also get software that helps block access to sites and restricts personal information from being sent online. Other programs can monitor and track online activity.

Getting Involved in Kids’ Online Activities
More important than blocking objectionable material is teaching your kids safe and responsible online behavior, and keeping an eye on their Internet use.

Basic guidelines to share with your kids for safe online use:

Follow the family rules, and those set by the Internet service provider.
Never post or trade personal pictures.
Never reveal personal information, such as address, phone number, or school name or location.
Use only a screen name and don’t share passwords (other than with parents).
Never agree to get together in person with anyone met online without parent approval and/or supervision.
Never respond to a threatening email, message, post, or text.
Always tell a parent or other trusted adult about any communication or conversation that was scary or hurtful.

Basic guidelines for parental supervision:

Spend time online together to teach your kids appropriate online behavior.
Keep the computer in a common area where you can watch and monitor its use, not in individual bedrooms. Monitor any time spent on smartphones or tablets.
Bookmark kids’ favorite sites for easy access.
Check your credit card and phone bills for unfamiliar account charges.
Find out what, if any, online protection is offered by your child’s school, after-school center, friends’ homes, or any place where kids could use a computer without your supervision.
Take your child seriously if he or she reports an uncomfortable online exchange.
Call the National Center for Missing and Exploited Children at (800) 843-5678 if you’re aware of the sending, use, or viewing of child pornography online. Contact your local law enforcement agency or the FBI if your child has received child pornography via the Internet.

Watch for warning signs of a child being targeted by an online predator. These can include:

spending long hours online, especially at night
phone calls from people you don’t know
unsolicited gifts arriving in the mail
your child suddenly turning off the computer when you walk into the room
withdrawal from family life and reluctance to discuss online activities

Talk to your kids! Keep an open line of communication and make sure that they feel comfortable turning to you when they have problems online.

The Internet and Teens
As kids get older, it gets a little trickier to monitor their time spent online. They may carry a smartphone with them at all times. They probably want — and need — some privacy. This is healthy and normal, as they’re becoming more independent from their parents. The Internet can provide a safe “virtual” environment for exploring some newfound freedom if precautions are taken.

Talk about the sites and apps teens use and their online experiences. Discuss the dangers of interacting with strangers online and remind them that people online don’t always tell the truth. Explain that passwords are there to protect against things like identity theft. They should never share them with anyone, even a boyfriend, girlfriend, or best friend.

Taking an active role in your kids’ Internet activities helps ensure that they benefit from them without being exposed to the potential dangers.