Understanding Digital Privacy

Sometimes our common sense fails us. We’re so wired for instant gratification that we risk digital privacy in favor of convenience. 

  • Ever skip over Terms of Service and click “Accept” regardless of what the apps are collecting? 
  • Do you keep Alexa on in the background 24/7 or wear a Fitbit device? 
  • Do you hop onto any public WiFi network without using a VPN? 
  • Do you generally trust that the websites you land on are probably safe? 

Why do we rarely worry about the long-term consequences of our online activity? Especially when the collection of personally identifiable information (PII) has become unsettling at best, unsafe at worst.

Most people don’t even know what is happening when they’re online. A lot of people think of “online privacy” as something you do to dodge hackers. But it goes way beyond that. Sure, someone cracking your password is a threat, but the issue of trading privacy for convenience is deeper than a hacker stealing your password to commit online fraud. 

The Emperor’s New Clothes 

Although cybercrime is serious, what about the less obvious invasions of privacy? Who’s keeping a record on you? Do you even know what is being tracked and analyzed about who you are, where you shop, and how you think?

The “emperor’s new clothes” has become a metaphor for questioning something, even when everyone else thinks it’s ok. People are often afraid to criticize something when everyone else is doing it, right? Take, for example, Alexa. Is it just a virtual assistant or is it gathering your data? Does it make you uncool if you balk at the idea of having one in your home? 

Imagine if every store you visited at the mall collected information about your identity every time you walked into their store. Imagine if there was a record of exactly when you went in to browse, how long you lingered, when you touched specific items, and/or how you paid for every transaction. 

Would it alarm you to know this isn’t a far-fetched idea but actually happening through smartphone location tracking and Bluetooth beacons? It happens not only through a store’s own mobile app but also through less-obvious tech, like weather and news apps.

According to the New York Times, “these beacons are small, inobtrusive electronic devices that are hidden throughout the grocery store; an app on your phone that communicates with them informed the company not only that you had entered the building, but that you had lingered for two minutes in front of the low-fat Chobanis.”

The goal of this post is to help you understand who can see what you’re doing — where, when, and how. Perhaps more importantly, who wants to access your data and why? The next few sections will empower you to become an advocate and get the online privacy you deserve. 

Why Does Privacy Matter?

It’s no secret that online privacy has become something of an oxymoron: we’re being tracked everywhere online with almost no accountability in America (more on regulations below). Google and Facebook may know you better than you know yourself. 

In a recent Ghostery user survey, 78% of respondents said they weren’t okay giving companies their personal information even if it resulted in a product that’s personalized just for them. We also asked our users about their primary reasons for using the Ghostery Browser Extension: the majority cited blocking annoying ads and popups (71%) while online privacy protection (65%) and safeguarding against data leaks (39%) came in second and third, respectively. 


Yet the individual concept of “privacy” varies widely. Some people might think they have nothing to hide, so why does privacy even matter? If you think you have nothing to hide, then you’re letting tech companies determine when, how, and to what extent your information is sold. 

The Business of Selling Users

It’s been said that “if you’re not paying for the product, then you are the product…” Social media platforms compete for your attention. Their business model is to keep people engaged. Moreover, so-called free services are paid for by advertisers. They pay in exchange for showing their ads to consumers with hopes of influencing you in some way.

In order to be successful, free services need a lot of data. And internet companies profit by being in the marketplace of human activity. Everything done online is being measured. Every single action is recorded. Data is being used to make predictions about you — companies build models that predict your actions and then tailor what kind of information and ads to show you.

Why is that so bad? We could name several reasons why digital surveillance is a bad idea, but let’s start by reviewing how many federal laws currently protect your online privacy (hint: if you’re American, the answer is zero).

Digital Law and Order

While the European Union’s General Data Protection Regulation (GDPR) has created a privacy culture that protects the identity of European citizens, the United States presently has no federal law protecting what companies track, store, and sell about you.   

More than 3 in 4 Americans agree that ownership of their personal data should be a constitutional right

In our recent Consumer Privacy Bill of Rights survey, 77% said ownership of their personal data (i.e., internet browsing history, email content, location data) should be a constitutional right. But even businesses that attempt to communicate their consumer privacy practices (from search engine giants to e-commerce sites) don’t have a law actually holding them accountable. 

It would seem that the California Consumer Privacy Act (CCPA) is a step in the right direction. It’s the first and only U.S. law of its kind (effective January 1, 2020) and requires that any company that does business in California must implement security practices to protect consumer data. It mandates that companies:

  • Post their digital privacy notices in an accessible format.
  • Honor users’ Do Not Track privacy settings.
  • Clearly explain what types of information will be collected and how the information will be shared.
  • Offer a global opt-out option (to allow consumers to opt out of all sales of personal information).

But the CCPA is far less stringent than GDPR, which covers all personal data for European citizens, regardless of source; CCPA only considers data that was provided by a consumer and only helps California residents. Plus, GDPR imposes fines of up to €20 million vs. CCPA’s smaller fines of up to $7,500 per violation.

As you can see, no one else is really working to protect your privacy. And inaction can cost you. Did you know that your “online reputation score” can affect your employment, housing, insurance, and access to credit?

Consequences of Inaction 

It’s been said that when you know better, you do better. When you know the risks, you can better protect yourself and your family. (For example, do you really need all of those apps on your phone — and have you stopped to consider what data they collect?)

While others may be apathetic, those who take steps to limit what data is collected about them may fare better in several areas.

All Data is Credit Data 

Imagine you’re applying for a mortgage in the not-too-distant future. But instead of looking at your paycheck stubs, on-time payment history, and overall creditworthiness, perhaps the mortgage gods review your total online footprint. (Think Yelp reviews, Uber rating, Facebook comments, Goodreads reviews, online receipts, and the like.) 

In its State of Alternative Data report, Experian looked at whether banks, credit unions, and online lenders can look at social media profiles when making loan decisions. 

The short answer is that someone’s online or social media activity isn’t yet a factor in creditworthiness. But Experian admits this will almost certainly change as more data sources emerge for determining credit scores and “financial institutions are still grappling with how it can be predictive of credit behavior over time.” 

In an academic study about alternative credit and “social scoring,” researchers noted that financial institutions now attempt to factor a range of alternative data, including “non-financial payment streams, academic records, behavioral signals gleaned from online or social media footprints and results generated via digitized psychometric testing – and by assessing that data in relation to models of risk assessment based on the analysis of big data.”

Banks might eventually turn to your online history to verify your creditworthiness. But how intimate will this actually get and how far back will they go? Might this “enhanced” credit score factor in your activity on high- or low-risk sites over the last 10-20 years, your “likes” across social media, your long-forgotten comments and reviews, or all the content you’ve consumed? 

Modern AdTech Threats

According to the Electronic Frontier Foundation, a nonprofit organization that advocates for consumer online privacy, the adtech ecosystem as a whole is broken. It points to a third-party advertising company called MoPub, owned by Twitter, that was collecting PII from users across apps where consumers freely share their personal information (including dating and lifestyle apps). The EFF says “MoPub operates in the vast, convoluted, opaque ecosystem of personal data collection and sharing that powers modern adtech.”   

As previously discussed, there are currently no laws that tell users what happens to their data or even simple ways to minimize what data is stored and processed. While the EFF has built an opt-out tool to minimize data sharing, until there are enforceable laws in place, privacy-invasive practices will continue.

Good Internet Hygiene 

In the last few sections, we’ve explained why you must treat your identity as your most valuable asset. It goes beyond fears of a hacker stealing your data and takes into consideration that “trustworthy” tech companies are tracking and selling your online activity. 

Good internet hygiene involves asking yourself some security planning basics: what do you want to protect and what are the consequences of inaction? 

You should become more cognizant of what you’re downloading or accessing. Consider adding an anti-tracking tool such as Ghostery to ensure that no PII is sent to third parties while browsing. Remember, when your personal data is sold to the highest bidder, it also increases the chances of your PII falling into the wrong hands. 

The Cost of Security Breaches 

According to Accenture, the frequency and cost of security breaches will increase as more technologies move to the cloud. Malware was the most expensive type of attack to fix because it can steal credentials, cookies, and sensitive data, plus take unauthorized screenshots. 

[Figure: The Most Costly Cyber Attacks (average annual cost of cybercrime by type of attack). Source: Accenture]

In addition to malware, Accenture’s data shows that “social engineering attacks” have increased. The trouble with things like phishing emails is that they often look legitimate and prey on either your short attention span, your fears, or both! 

So, we recommend that you always: 

  1. Input a website’s URL. When possible, input domain names yourself versus clicking on an ad or link. Domain spoofing is a common form of phishing in which an attacker appears to use a company’s domain to impersonate a company. Thankfully, Ghostery’s Privacy Browser has a built-in anti-phishing security feature and detects up to four times more phishing attempts than Google Safe Browsing.
  2. Use a tool to shield your personal data across your entire computer and apps. For example, Ghostery Midnight offers device-level security for email clients, creative software, task apps, entertainment and music platforms, and more.
  3. Use a VPN. A VPN keeps your activities secure and hides your IP address, making it difficult to be tracked online. One of the coolest features about Ghostery Midnight is that it has a built-in VPN. This provides a more secure digital experience, protecting you from data collection on both browsers and apps. 
  4. Disable geotagging on photos. If your smartphone has geotagging enabled as a default setting, consider disabling it because it will become part of your PII. 
  5. Protect your passwords. Many of us use the same log-in credentials to access multiple accounts, which is risky. Each one should be strong and unique.
  6. Double-check attachments. Think before you click on links, since ransomware can infect your device and steal your information. Always review the message for glaring misspellings or bad grammar that seem atypical. 
  7. Turn on auto-updates. Up-to-date antivirus software can definitely halt the spread of malware — use it on your personal computer, smartphone, and tablets.
  8. Delete extraneous apps and turn off location services when not needed. To avoid those retail-spying beacons mentioned above, consider deleting any apps that may be spying on you — including apps from retailers.

Final Thoughts

As we wrap up, we hope you’ve learned some new ways to secure your privacy. After all, our mission at Ghostery is to protect, educate, and empower users to take back control of their online experiences! 

The Ghostery Browser Extension makes your web browsing experience safer by detecting and blocking thousands of third-party data-tracking technologies. You can also download a free 7-day trial of Ghostery Midnight (please reach out if you need any support). 

We’d also love for you to subscribe to our blog and new podcast for more information about privacy, security, and other related topics.