Hacker knows best: Privacy tips from Kevin Mitnick

This security expert knows all the tricks for stealing your personal information. His new book tells you how to keep your data safe.

Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
5 min read
Enlarge Image

Kevin Mitnick, author of "The Art of Invisibility," wants to teach you how to protect your digital privacy.

Jari Tomminen

Kevin Mitnick knows all the ways your privacy could be violated through your phone, computer and tablet.

An incorrigible hacker since he was a teenager, Mitnick eventually spent almost five years in prison for computer crimes. Now on the right side of the law, Mitnick works as a consultant who turns his skills on paying customers who want to know where their vulnerabilities lie.

Usually, he can find a way to get to a business' crown jewels, whether that be its intellectual property or the personal data of their customers. But you're vulnerable, too, he says.

Mitnick's new book aims to help everyone -- from the everyday internet users to the hardcore paranoid -- do a better job of keeping personal information private. "The Art of Invisibility," released Tuesday, covers a range of topics that some readers might find overwhelming. From creating secure passwords to sending encrypted email, there's no dearth of ways you can try to keep your data to yourself.

There's even a section on protecting your data from Customs and Border Patrol when you enter the United States.

But Mitnick said he wanted to let readers pick the solutions that work for them. There's no "medium" solution that works for everyone, and oftentimes the solution that's a little easier to use is also a little less secure. So he includes all the options.

"My whole vision for the book was to teach people how to find the best technology to protect their privacy, rather than just have me say hey, use Signal," Mitnick said, referring to an encrypted messaging service.

Mitnick and I spoke at the annual RSA cybersecurity conference happening this week in San Francisco, where experts gather to discuss the latest hacking threats and how to better defend computer systems. Here's an edited transcript of our conversation.

You know many of the techniques for accessing someone's digital life from personal experience, with your history as a convicted hacker. But your book is geared toward regular people. How do you think like someone who isn't a hacker, and how do you get them to think like you?
Sometimes that's challenging. When I teamed up with my first co-author, he couldn't wrap his head around having a need to protect his privacy, because he's not doing anything wrong. I had to have a long discussion with him. Well hey, it's important to protect your privacy because once you give up those privacy rights, you don't get them back.

I give people a short list of things to do that raise the bar this much, and make it much, much harder [for others to get their data]. So using a password manager, like LastPass, is easy and simple. If you use LastPass, can I still hack you? Yes, using sophisticated methods. But will it raise the bar from the general adversary out there? Yes. There's no silver bullet.

What do you tell people who say they have nothing to hide?
I say cool, unlock your phone for me. Cool, can I check your emails and texts? "Oh no." Well why not? You have nothing to hide. Then it becomes, "Oh shit, I'm not going to do that."

When you're having personal phone calls at home, do you want somebody on the extension listening to you? It's uncomfortable, it changes your behavior, it's something that violates your fundamental right to being private. You have a right to speak your mind, think how you want to think, socialize with the people you want to socialize with in a private way.

You yourself are a target for hackers, and you were once hiding from the federal government. Who should the rest of us be worried about invading our privacy?
Maybe your kids might want to get into your phone, maybe your parents. Maybe your instructors in school. Maybe your employer. Employers can now legally monitor a lot of your work, by the way, [which] people don't know about. And criminals, they want to steal your identity, they want your credit information, they want to become you.

The question of whether customs and border officials can access your accounts and devices has come up, with US Department of Homeland Security chief John Kelly floating the idea that CBP agents could demand passwords. What would you tell people to keep in mind in this situation?
There was a JPL guy [Sidd Bikkannavar], he was forced to give up the password to his phone [at the border]. I would never have done it, because I'm a US citizen. They can't say, you can't come in. I mean if ICE wants to take my computers, so be it. I'm not giving up my credentials at all, ever.

If I take an iPhone across [the border], and I have TouchID enabled for example, a court in the US can force you to put your thumb against the device, to open it up. They can't force you to reveal your password -- at this point in time. Who knows what shift might happen?

Try to take minimal data across [the border]. Use a cloud service that can encrypt the data. What I normally do -- and it's crazy -- I basically encrypt a complete backup of my system, I Fedex it or UPS it to a friend, and I don't fly back home until that's received. The only thing they can do is take my hardware.

But that requires you to refuse to give up your passwords.
Normally the average person will not even want to be detained an hour, or two or three. I'm different, I'm more of a rebel. I just won't do it. I've done nothing wrong. You have no right. The law is on my side.

What would be the ideal system to defend people's privacy?
Everything is secure, but you don't even know about it. You don't have to enable anything. Maybe when you buy something, if it's as a security product, you hit a button, "Oh, I paid for that." And it's done.

What needs to be happen to make this reality?
Innovation, demand by the market, and manufacturers like Apple, Dell, HP, and Samsung building and acquiring these products. And making it part of [their devices] so you don't have to think about it.

Tech Enabled: CNET chronicles tech's role in providing new kinds of accessibility.

It's Complicated: This is dating in the age of apps. Having fun yet? These stories get to the heart of the matter.