Over the holidays, I had a lot of conversations with friends and family about internet privacy. With data breaches happening nearly every day, mobile advertising getting downright creepy, and Facebook constantly on trial (literally and figuratively) for repeated scandals, people want to know how to protect themselves. Internet privacy concerns are no longer the domain of hackers and conspiracy theorists!
To that end, I thought I’d write out the same recommendations I give to my friends and family. A little while back, we published a Personal Information Security Guide for Family and Friends. All of that advice is still excellent and relevant — use two-factor authentication (please!), create strong passwords, and take steps to avoid being caught by phishing scams. In this article, though, we’ll take a super practical look at privacy concerns and how to protect yourself.
“Nothing to Hide” Isn’t Good Enough
Whenever I talk to someone about internet privacy, the most common response I get is, “Well, I’ve got nothing to hide. Why does it matter?” I love the answer to this on the Reddit r/privacy wiki:
If you wear clothes, use passwords, close doors, use envelopes, or sometimes speak softly, then you do have something to hide.
Everyone wants some degree of privacy. You don’t have to be smuggling drugs to want your online life to be private too. What if your email venting to your best friend gets taken out of context and sent to your boss? What if your Google search for “heart medication” finds its way to your insurance company? That’s not even mentioning all of the serious data breaches that happen regularly these days that include sensitive data like passport information, credit card numbers, and home addresses. Nor does it address more ominous issues like government surveillance.
There are more reasons than ever to take at least minimal steps to keep your online activity private. You don’t have to go full tinfoil hat. In fact, it’s better to slowly incorporate small changes into your life so that they become habitual. As the Electronic Frontier Foundation, a privacy advocacy organization that’s going to come up a lot in this article, says: “Privacy is a process, not a purchase.” These small changes should reflect the degree to which you need privacy. You don’t need to lock down your entire life unless you’re an investigative journalist in a war zone. You should, however, reflect on how much you want your activity and data tracked and stored, especially if it were to get into the wrong hands. Those “wrong hands” could be personal, corporate, or governmental.
Two Truths to Remember
There are two axioms to remember in your journey to internet privacy.
First, there’s a tradeoff between privacy and convenience. Sometimes that convenience tradeoff is minor, like opening a different app on your phone or seeing slightly less personalized search results. Other times it’s major, like switching away from a tool that all of your social network use. You have to evaluate that tradeoff in each case. For me, a major example is Google Docs. I know that Google is scanning all of my documents. Who knows what they are doing with all of that data? But, for me, the cost of moving to a private alternative has not been worth the tradeoff when every single person in my life uses Google Docs as well. This isn’t helped by the fact that, so far, there is really no private alternative that holds a candle to the collaborative features of Google Docs (I’ve tried all of them).
So, with all of these steps, you’ll have to evaluate the tradeoff based on what you value and what the risks are. Some tradeoffs are more important than others. For example, password security is of utmost importance. Do whatever it takes to strengthen this area.
Second, with most free or ad-supported software, you are the product. Your usage, your profile, and your purchasing habits are all used for marketing purposes. This isn’t inherently a bad thing. There have been tons of advances in technology as a result of this. Just look at the continuous innovation of companies like Netflix or the fact that our phones become more useful every year. However, it is important to know this truth so that you can be back in control of this. Decide for yourself which companies can have your data and then cut out the ones that don’t matter to you. This also may require spending a bit of money on privacy-conscious software like secure email providers. Personally, I see that as a worthwhile investment instead of seeing ads all the time or wondering where my data is going.
With those two things in mind, let’s look at some practical steps you can take to make your online life more private.
Practical Steps (that Don’t Include Switching to a Typewriter)
I’ve tried to make the following list a good way to “dip your toes” into the privacy waters. Hardcore privacy folks will no doubt take issue with several of my suggestions, but my goal here isn’t to turn you into a walking Fort Knox of Privacy. I’m here to awaken you to the need for privacy and give you some simple ways to get started.
In that same spirit, don’t try to make all of these changes in one day. When I was first learning about internet privacy, I went way too deep right away. My eyes glazed over, I got completely overwhelmed, and I shut my laptop and did nothing (at first). To avoid this, pick an area in which you’re the most vulnerable and do that first. For example, you might discuss a lot of private stuff in your emails about which you’d really rather not be seeing ads, nor do you want that information scanned and used for building your “profile.” You might decide migrating to a secure email service should be your top priority. Do that and then move to the next most important vulnerability.
Okay, let’s get to the steps.
Shred Your Password Sticky Notes
Most people reuse the same password for nearly every site and app. It’s usually something easy to remember and thus easy to hack. Don’t be like most people! You want to create different passwords for each site, but you also need them to be secure: avoid dictionary words and use special characters, numbers, and mixed cases.
Keeping track of hundreds of secure passwords is an absolute nightmare, though. That’s where password managers come in. Password managers can create new secure passwords for you, store them, and then automatically fill them in for you when you visit a site or use an app. You just have to remember a master password that only you know. The two most popular and easiest to use password managers are 1Password and LastPass. Both of them are great tools. Pick one, sign up for it, install the app or extension, and shred all those sticky notes cluttering up your desk.
If you only do one thing from this article, make it this one!
Make Google Less Invasive
You may know that Google tracks just about everything you do, both on your computer and on your phone. They also scan every document you create and every photo you upload to their cloud. This information is used to build a profile on you to advertise to you more effectively, tailor your search results, and train some of the machine learning used by Google products.
If you really want to scare yourself, take a look at this incredible thread about just how much information Google and Facebook store about you:
Want to freak yourself out? I'm gonna show just how much of your information the likes of Facebook and Google store about you without you even realising it
— Dylan Curran (@iamdylancurran) March 24, 2018
A lot of people don’t know that you can actually turn off a lot of Google’s tracking and delete previous information, though. Again, this comes at a cost of convenience (some Google apps may not be as helpful as you’re used to), but you should try to turn off as much tracking as possible.
To do this, go to the Data & Personalization section of your Google account settings. You can start by doing the Privacy Checkup that appears at the top of the page. Click “Get Started” and walk through the step-by-step wizard. You’ll be able to opt out of things like location history, search history, and YouTube watch history.
Other parts of the Data & Personalization page include being able to see and delete past activity, turn off ad personalization, and download your data.
You can read more about privacy controls at the Google Safety Center.
Block Ads and Ad Trackers
When you browse, many websites keep a record of your activity and other information about you. This is called tracking. It’s not all bad — tracking helps with personalization and site analytics, not just advertising — but it is what causes your search for “mattresses” to lead to seeing mattress ads on your Facebook feed.
Luckily, there are ways to stop or at least reduce this tracking. One way is by installing browser extensions that can block both trackers and ads. There are many good ones out there, but here are a few that are both effective and easy to use:
- First, uBlock Origin is a wide-spectrum blocker that blocks ads, trackers, and malware sites. It’s available on Chrome and Firefox. You can also disable uBlock on a per-site basis if you’re finding it’s breaking something.
- Next, I am a huge fan of Privacy Badger from the EFF. Privacy Badger automatically learns to block invisible trackers. What I really like is the individual control over each tracking site on a page. For example, often videos hosted on the popular platform Wistia get blocked by default, and I can just turn that off.
- While we’re talking about browser extensions from the EFF, I should also mention HTTPS Everywhere. Created in collaboration with The Tor Project, HTTPS Everywhere isn’t a blocker, but it’s still important. This extension forces traffic to use HTTPS encryption whenever possible. It can’t create a secure connection if a site doesn’t support it, but it will be sure to enforce ones that do support HTTPS. HTTPS Everywhere is available on Chrome, Firefox, and Opera.
- Finally, the privacy-conscious search engine DuckDuckGo has released their own privacy suite that is kind of a combination of Privacy Badger and HTTPS Everywhere. The suite is available as both a browser extension and a mobile app and has features like site security grades, forced encryption, and tracker blocking.
If you really want bonus points, switch to a privacy-minded browser like Firefox or Brave. These browsers don’t sell your data to anyone and have a lot of privacy features built right in. Brave even has built-in ad and tracker blocking. I like to switch back and forth between browsers because I still like Chrome’s debugging experience for development best.
Get Out of the Filtered Search Bubble
We’ve talked about limiting what data Google tracks, but what if you could avoid generating some of that data entirely? Switching to a new search engine will help with that. It will also help you break out of the “filter bubble” of Google’s search results. When two people search Google at the same time, they don’t see the same results. Those results are tailored to their personal profiles, search history, and other factors — even in private browsing mode. While this might seem cool or harmless at first, it actually reinforces your own echo chamber and skews your sense of what else is out there. You can read more about that in this fascinating study by DuckDuckGo.
Here are the three best alternatives to Google right now:
- First, we've already mentioned DuckDuckGo, which doesn’t track you, doesn’t store information about you, and doesn’t advertise to you.
- Second, Startpage.com, which is actually an anonymized, de-tracked Google. I really like Startpage.com because I can still get the benefit of Google’s search algorithms without all the other nonsense.
- Finally, there’s searX, which is a metasearch engine. Searx aggregates the results of other search engines but doesn’t store any information about you. It’s also open source. When code is open source, it means anyone can look at the code online to be sure that nothing malicious is happening.
While all three of those are great options, I won’t lie to you. The personalized Google search results are often the best. Personally, I’ve decided to use personalized Google only for local searches. It can be incredibly helpful to have that location information, especially while traveling, even if it is a bit creepy. When I’m just doing regular searching or anything sensitive, I use one of the three I mentioned.
Get Facebook Off Your Phone
Perhaps the biggest culprits of creepy advertising and tracking are social media apps on phones. Apps on your phone have access to things like your location, your microphone, and your camera. While some of these permissions are necessary for the app to work, others can be used to track your location and spending habits and serve up targeted ads by reading through your conversations. Facebook Messenger has been especially notorious for requiring a suspicious number of permissions.
The best solution is to stop using the native apps for as many social media sites as possible, especially Facebook and Facebook Messenger. (Okay, really the best solution is to #DeleteFacebook altogether, but that’s another conversation.) You can just use your phone’s browser (preferably Firefox or Brave) to visit the mobile sites for Facebook, Twitter, and others. In addition to better privacy, you’ll also find yourself spending less time in the “infinite scroll loop” of social media.
Make Your Messages Private
If you and your friends are using Facebook Messenger, I strongly recommend moving to Signal. Signal is free, super secure, open source, and supports voice and video calls. It’s also available on multiple platforms. Signal has also continually stood up to governments and corporations for their belief in privacy. Note that WhatsApp, though it does have end-to-end encryption, is owned by Facebook, so there’s no guarantee that it is truly secure. Of course, eliminating WhatsApp from your life may be difficult or impossible depending on what part of the world you’re in. Try to use Signal where you can as an alternative to SMS texting, WhatsApp, Facebook Messenger, or other insecure messaging apps.
You might be thinking, “Why should I secure my messages? Who really cares about the endless stream of gifs and cat puns my friends send to each other?” I’d actually argue that you probably talk about more private stuff in texts or group chats than in any other medium. Think about it: when was the last time you made a phone call? I’m in so many Slack groups, WhatsApp threads, group Hangouts, and more that I simply can’t keep track. Between communicating with friends, families, relationships, and coworkers, your text-based communication may be the most critical thing for you to secure.
"Protecting your text communication with something like @signalapp is one of the most important ways you can guard your privacy."
Make Your Email Private
Okay, I’ve saved the most difficult for last: email.
Email is another scenario in which you are the product. Any ad-supported email service may be reading your emails for advertising purposes or may be subject to government scrutiny. Unless otherwise stated, you should assume that any free email service you’re using isn’t private.
The best two privacy-focused alternatives right now are ProtonMail and Tutanota. Both of these options are encrypted, anonymous, and open source. They both offer a free tier, but most people will need one of the paid tiers for more than light use.
Switching email providers is a lot of work. The privacy vs. convenience tradeoff is a big one. I’ve got about a decade invested into Gmail, so I’ve decided to migrate sensitive emails like financial transactions to a secure email provider first. Then, I'll gradually migrate the rest of my email, however long it takes.
The biggest downside for me is that neither ProtonMail nor Tutanota has a calendar feature yet. I basically live and die by my personal and work Gmail calendars, so that’s a big problem. However, I still want to gradually make the transition to encrypted email that’s not being scanned by machine learning for advertising.
The Balance of Privacy (and Where to Go From Here)
We’ve covered a lot of ground here, but I hope you leave this article feeling equipped and educated, not overwhelmed. Finding comprehensive privacy online is an extremely difficult task that requires a lot of sacrifices. Like most things in life, you need to take a balanced approach instead in order to build new sustainable habits. Start by knocking out big ones like deleting Facebook from your phone and installing a password manager. Then gradually try out other alternatives like a new browser or email provider. Don’t expect perfection and certainly don’t beat yourself up over not achieving some mythical level of hacker anonymity.
To learn more about why privacy matters, see the following:
- Why Privacy Matters by Privacy International, featuring various security experts
- Why Privacy Matters, Glenn Greenwald’s 2014 TED Talk
- Why ‘I Have Nothing to Hide’ Is the Wrong Way to Think About Surveillance, Wired article by Moxie Marlinspike, the creator of Signal
To go deeper down the rabbit hole of learning about privacy tools, check out the following resources (don’t say I didn’t warn you):
- The EFF's Security Self-Defense series, which includes guides on how to use Signal on Android and iOS
- PRISM Break
Finally, supporting privacy-focused organizations financially is the best way to ensure that privacy tools get the features you want while also showing governments and corporations that privacy is important to you. If you’re in a country like the United States, you’re lucky to have some basic rights to privacy and a very high standard of living. Some parts of the world don’t have those and these tools can actually be life-saving. So, pay for that secure email service, donate to EFF, Mozilla Foundation, and other organizations, and spread the word.
Auth0 by Okta takes a modern approach to customer identity and enables organizations to provide secure access to any application, for any user. Auth0 is a highly customizable platform that is as simple as development teams want, and as flexible as they need. Safeguarding billions of login transactions each month, Auth0 delivers convenience, privacy, and security so customers can focus on innovation. For more information, visit https://auth0.com.