This is a case where I’d argue, all cleverness aside, you’re not paranoid if they really are out to get you. Last night we watched The Great Hack on Netflix, which walks you through the Cambridge Analytica debacle. Even if you’re not at all techy, if you’re using the internet and have email you really need to watch this film. Whatever your thoughts on this scandal and the morality, I find it hard to believe the idea that people with unknown agendas have 500+ data points on you personally and the ability to make custom messages directed exclusively to you won’t freak people out. (Ignorance may be bliss, but it never works out in the long haul as a protective measure.) I’m also slowly working my way through Shoshana Zuboff’s The Age of Surveillance Capitalism (too scary to read straight through–and I knocked out Helter Skelter in two days). So other than being somewhat stressed at the level of carelessness I’ve inadvertently displayed all over the internet for nearly three decades, what did I really learn that can help us all?
Two years ago I wrote a post with practical info on what to do if you’ve been part of a serious data breach. I think it’s still a good start post-hack, but that those tips are a bit like treating measles when you hit the hospital to try and stave off encephalitis (absolutely necessary if you’ve been infected) and I’m a big believer in vaccines (easier to never catch the virus).
Let’s start with what we know to be true. Data brokers collect information on each person in the world. They use as many different sources as they can access to aggregate that data. None of us are reading the terms and conditions but they are universally written to favor the business, not the consumer. Understandably, businesses don’t want to be bothered by nuisance lawsuits. Lawyers are expensive and time-consuming, so if they can make it very hard for you to sue up front, they do. And if they are breaking new ground where the laws don’t extend, they’ve got even more room to block. If you have no rights in a new space, like data, then there’s nothing to stop exploitation in future use cases that emerge as a business grows. There’s not a separate set of terms for nice people like us who would never file a nuisance suit. And government information, like who owns your house, has always been public if someone went down to the right office and paid any small fees required. The internet just means that there are now businesses that aggregate that info and make it profitable. See Zillow and put in your childhood address and you’ll see what your parents paid and what the current owner’s property taxes are.
Nothing to Hide?
Why would we care about all this data being public? Well, Google Maps knows where you went and when, Instagram knows what you ate there when you photographed it, Facebook knows who you were with when you were tagged in a friend’s post, anyone with your home address knows what you paid and when, and all the entities involved in your banking chain know how much you spent last month. From that, over a month, it’s not too hard to determine your religion (if any), vegetarian/vegan, country/rock, credit rating, work address, profession, pets, Uber/Lyft/car owner, and basically everything else. A data aggregator or broker scoops up all this information, as well as public info (leases, property taxes, loans, phone numbers, emails), and can also choose to purchase credit reports. All this gets linked up into your data profile so if they want to look for single, female, vegetarian dog-owners renting in your neighborhood, they can end up with the actual name, address, phone number, and email of each and every one.
Bio Data Privacy Considerations
A quick thought on your bio data, too. I’m personally much more comfortable with all my bio data being out in the world but there are two reasons why that’s okay for me, but might not be for you. I volunteer to be a control in a lot of medical studies, living near several big research institutions. My entire genome was run along with a comprehensive family medical history for research use (and I was curious), my blood is in several studies at nearby research organizations and I’m in the long-term WISDOM study to help figure out at what age individual women should have mammograms. This year I had my brain scanned in fMRI as a control for cognitive decline. I really believe that by volunteering I can help save scientists time recruiting volunteers, so they can find answers faster. This is part of my moral view of the world—I should share this data. The other reason is that when is started doing this, my financial life was established and planned. When I give my DNA now, they can tell me about a few red flag genes, which a life, disability, or long-term care insurer might require me to disclose. But I’m already insured, so that’s not going to be a problem for me in making financial plans. As long as the pre-existing condition rules in the American ACA are held up by the courts, I can get health insurance. As it happens, I don’t have any of the red-flag genes. There’s a big hidden risk though. There’s a lot scientists don’t yet know about our genes, so there’s a chance that somewhere in my fully-shared DNA there is a red-flag gene that no one has yet discovered. When they do find out that gene combo is bad news, it’s going to suddenly become apparent that I am a bigger risk than was previously determined. So that’s the risk of bio data being out there in the world. Plan accordingly. And, yeah, I thought it was fun and did my sons’ genetic testing, too, so we have to hope for the best on this front.
Easier Privacy Fixes
There’s still a lot you can do to fix your personal data exposure, even now. Let’s start with the free things and small behaviors you can change. You can do any or all, it’s a mix and match set of choices, minimizing duplication.
- Reconsider your default web browser choice. Chrome is tracking you and odds are you already use GMail, and Google Maps. Do you need to give one company everything? I use Firefox as a backup to Brave now.
- Stop saving passwords, even super strong ones in your browser, and delete the ones they have saved. (See 7 below for the free fix).
- Switch to a search engine like Duck Duck Go that doesn’t track you, easy to add once you’ve switched browsers (or if you didn’t).
- Login to your social media accounts and confirm your privacy settings. In the heat of wanting to post, it’s easy to loosen these up, so setting a reminder to go back every month or three months to tighten them up would be the smart move. (Alternatively, download the app Jumbo which can clean many of these up with minimal effort on your part. I am loving the auto-clean of Tweets older than a month.)
- Never use public WiFi. The only WiFi I ever use are the networks I set up at home and at work, and sometimes my mom’s house where mobile coverage is nonexistent. (Turn off AirDrop on your iPhone as much as you can, definitely at a public event like a conference or concert.)
- Consider having a junk email for one-off shopping uses, so your real email is used in limited places.
- Login directly on a bookmarked page for anything important. Stop clicking on links in emails as much as you can, but definitely for anything from a financial institution.
- Double-check the web address anytime you click on a link. Make sure that’s the real site. (URLs can add “dot-word-dot” in front of the main address, but only “slash-wordnumber-slash” after .com. So your bank might have offer.bankx.com or bankx.com/paymybill, but they won’t ever have bankx.securitycheck.com. On that URL you are really on a site named securitycheck.com, which may be a scam, if you clicked on a link from a bank email. Not all phishing schemes are ridiculous stories full of typos, so be careful.
- Download Abine Blur. The free version lets you create masked emails (throwaway emails that forward straight to your real email), secure passwords (so you can stop saving them in your browser).
- Check out an app like Burner, which lets you make temporary phone numbers. You can buy credits and have these for a short period. Might be nice for a project or to get multiple bids, say for planning a wedding, a move, selling gear, renting an apartment, or a home remodel. (Paid Blur will do this, too. One reviewer cleverly used a Blur number as their family home number and anyone who abused it was blocked.)
- See if your credit card company has an app or other way to make temporary, virtual credit card numbers for online purchases.
- Put your credit card and bank phone numbers in your contacts (the ones on the back of the card or on your statement. If they call you, the Caller ID should match. If you ever get a fraud call tell them you’ll call back, then call the number in your contacts. You’ll have some level of panic or annoyance or be in a rush when you get the call, so prep now and make it easy on your future self.
Harder Privacy Fixes
Then there are the things you can do that are a little more painful. They take either time or a little money, so you have to decide what’s reasonable for your situation.
- Upgrade Abine Blur to the premium version, particularly if your credit card company doesn’t do virtual card numbers (See 9, above)
- Abine’s DeleteMe, $129 annually (auto-renew). They continually work all year to delete your info from online databases. (Search for “public records” and pick a site, then search for yourself. Decide if you want all that free info out there, much less someone able to buy more.)
- Hire a student designer or illustrator and get a custom avatar for your profiles—so it’s identifiable as you, and feels personal and welcoming, but it’s not your real photo.
- Turn off email tracking by stopping automatic image downloading. There are invisible, single pixel images in emails that report back whether you opened or read an email. (I can also report back a happy bonus to this is you are much less tempted by sales pitches from your favorite stores.) One click within the mail app and you can see the full content of any email you do want to see.
- Buy Disconnect Premium for three devices and run your phone, tablet and laptop on VPNs. I found it broke a lot of desktop websites, but between work and family, I’m on a lot of password-protected sites that should see the VPN as questionable. It’s been bulletproof on my iPhone.
- Use a password manager. They all cost money but if you simply can’t otherwise give up saving them in your browser, this is money well spent. You can get by with the free version of Blur, noted above. Once you have one of these, it’s super easy to have unique, complicated passwords for everything.
- Use two-factor authentication. It’s free, but it is a bit of hassle if, like me, you spend most of your work day on password-protected sites. I’ve never forgotten my phone at home. If I did, I’d have to go home and get it just to get through the day. My compromise on this is to let the browser save the passwords that really don’t matter—where the data isn’t a big deal and a fraudulent purchase would be my credit card company’s problem to solve. If someone gets my laptop and can surf over to a stock-music site or jcrew, they can’t do much damage to me. However, Netflix, YouTube, WeTransfer, or our company website, they could do a lot of malicious damage or see client work in progress, so I don’t let the browser remember those passwords.
Finally there’s a whole set of things you can do that are probably really smart, but likely most of us aren’t willing to suffer the related inconveniences. For example, you could run a private email server, cancel your social media accounts, keep your credit cards and devices in signal blocking envelopes, bags, wallets, even wear a mask. I’ll let you know if I fall that far down the rabbit hole.
Here’s my most advanced hack: wildcard email aliases.
You can buy a personal domain name from Google’s domain name server (e.g., hellosusan.com) and then set up a wild card email alias so that @example.com will be forwarded to my real email address. This way, for example, Chase bank has email@example.com on file for me and won’t know my real email address, and if Chase ever sells my information to some spammers, I would be able to see that they sent it to firstname.lastname@example.org and therefore trace the leak.