Jackie Ferrentino for NPR
Before I became a reporter at NPR, I worked for a few years at tech companies.
One of the companies was in the marketing technology business — the industry that’s devoted in part to tracking people and merging their information, so they can be advertised to more effectively.
That tracking happens in multiple senses: Physical tracking, because we carry our phones everywhere we go. And virtual tracking, of all the places we go online.
The more I understood how my information was being collected, shared and sold, the more I wanted to protect my privacy. But it’s still hard to know which of my efforts are actually effective and which are a waste of time.
So I reached out to experts in digital security and privacy to find out what they do to protect their stuff – and what they recommend most to us regular folks.
Here’s what they told me.
1. To protect your accounts, practice good security hygiene.
There are some steps that make sense for almost all of us, says Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation. Those include using strong passwords, two-factor authentication, and downloading the latest security updates.
She and other experts make a distinction between privacy and security when it comes to your data. Security generally refers to protecting against someone trying to access your stuff — like stealing your credit card number or hacking your accounts. Privacy is more often used to talk about keeping your movements from being tracked for purposes of advertising or surveillance.
It turns out that the steps to protect your security are more clear-cut than those for privacy — but we’ll come back to that.
Use strong passwords or passphrases for your accounts. A passphrase is longer than a password, and it should be strong and unique for each site. Don’t use 1234. Bring some randomness and special characters into it. And don’t reuse the same password across different websites: you don’t want all your accounts compromised just because one of them gets hacked.
Use a password manager in order to keep track of your passwords, Galperin says — then all you have to do is remember the passphrase for your password manager.
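To make the advice above concrete, here is an added example (my own illustration, not code from the article or from EFF) that generates passphrases and passwords with Python's `secrets` module and compares their entropy. The miniature `WORDLIST` is constructed for the demo; real passphrase lists such as the EFF long list have 7,776 entries, and the comparison shows why the list size matters.

```python
import math
import secrets
import string

# Constructed miniature wordlist for illustration only. Real passphrase lists
# (for example the EFF long wordlist) have 7,776 entries, so each word
# chosen from them adds about 12.9 bits of entropy.
WORDLIST = ["anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden",
            "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nectar",
            "orbit", "pepper", "quartz", "river", "saddle", "timber"]

# 94 printable ASCII characters: letters, digits and punctuation.
SYMBOLS = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(choices_per_symbol, length):
    """Bits of entropy for `length` symbols each drawn uniformly at random.
    For a human-chosen value like '1234' this is only an upper bound."""
    return length * math.log2(choices_per_symbol)


def generate_passphrase(num_words, wordlist=WORDLIST, sep="-"):
    """Pick words with secrets.choice (a CSPRNG), never with random.choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(num_words))


def generate_password(length, alphabet=SYMBOLS):
    """Random password of the kind a password manager would store for you."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_strength():
    """Entropy of a few choices: the PIN the article warns against, a 12-char
    random password, and a 6-word passphrase from lists of two sizes."""
    return {
        "4-digit PIN": round(entropy_bits(10, 4), 1),
        "12 random chars": round(entropy_bits(len(SYMBOLS), 12), 1),
        "6 words, 20-word list": round(entropy_bits(len(WORDLIST), 6), 1),
        "6 words, 7776-word list": round(entropy_bits(7776, 6), 1),
    }


if __name__ == "__main__":
    print("passphrase:", generate_passphrase(6))
    print("password:  ", generate_password(12))
    for label, bits in compare_strength().items():
        print(f"{label:>24}: {bits} bits")
```

The takeaway: six words from a full-size list are about as strong as twelve random printable characters, while being far easier to remember, which is why a long passphrase is a good choice for the one secret you must memorize, the master passphrase of your password manager.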
Turn on two-factor authentication for your important accounts. You’ve seen this: Usually you’re asked to put in your mobile number so that you can receive a text with an additional number you input before you can log in.
That’s the most common type of two-factor authentication — but it’s not the strongest, Galperin says, because SMS messages can be intercepted by your internet provider, law enforcement, or the government.
If you want to go a step further, Galperin recommends using an authenticator app on your phone, like Authy or Google Authenticator, to generate the second factor, as these are harder to intercept. (Full disclosure here: NPR receives funding from Google and Facebook.) You can also use a physical key you carry with you that plugs into your computer’s USB port and serves as the second factor.
Download the latest security updates.
Those nudges you get from your computer or phone to install the latest security update? You should download those.
“Most applications, when they’re compromised, are not compromised by scary zero-day bugs that nobody knows about,” Galperin says. “They are compromised by problems that everybody knows exist that have been publicly reported, and that the company has fixed and they have issued a patch in their security update. But if you do not take the security update, you do not get the benefit of the work of the security engineers at that company.”
2. Beware of phishing.
Not all attacks on our security come through malware or hackers invisibly breaking into your account. It’s very common that we’re tricked into handing over our passwords or personal information to bad actors.
These attempts can happen via email, text message, or a phone call. Generally they’re trying to get your username and password, or perhaps your Social Security number. But there are often signs that these messages aren’t legit: spelling or grammar errors, links that point to a website other than the one they claim to, or an email coming from a strange domain.
If it feels fishy, it might be phishing.
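Two of the signs above (a link that points somewhere other than where it claims to, and a sender on an odd domain) can be checked mechanically, which is what mail filters do. Here is an added example in Python's standard library that does so over two constructed messages; it is my illustration, not code from the article or any expert quoted in it. The domain `yourbank.example` and both sample emails are made up for the demo, and `registrable()` is a deliberately crude "last two labels" approximation of a registrable domain (real tooling consults the Public Suffix List).

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude approximation: the last two DNS labels. Good enough for .com-style
    names; a real filter would use the Public Suffix List (co.uk and friends)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


# Visible link text that itself looks like a URL or bare hostname.
_HOSTLIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#].*)?$")


def host_in_text(text):
    m = _HOSTLIKE.match(text.strip())
    return m.group(1).lower() if m else None


def phishing_signals(raw_message, expected_domain):
    """Return (signal, detail) pairs for a raw RFC 5322 message that claims to
    come from `expected_domain`. An empty list means none of these checks fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    signals = []

    # Sign 1: the sender address is on a domain other than the brand's own.
    _, sender = email.utils.parseaddr(str(msg["From"] or ""))
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    if registrable(sender_domain) != expected_domain:
        signals.append(("sender-domain", sender_domain))

    # Sign 2: links lead somewhere other than the brand, or the text shown
    # to the reader names one domain while the href goes to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    collector = _LinkCollector()
    collector.feed(html)
    for href, visible in collector.links:
        href_host = (urlparse(href).hostname or "").lower()
        if registrable(href_host) != expected_domain:
            signals.append(("link-domain", href_host))
        shown = host_in_text(visible)
        if shown and registrable(shown) != registrable(href_host):
            signals.append(("link-text-mismatch", f"{shown} -> {href_host}"))
    return signals


# Constructed sample messages (no real bank, sender or URL).
PHISHY_MESSAGE = """\
From: "Your Bank" <alerts@yourbank-secure-login.example>
To: me@example.com
Subject: Please verify you're account
Content-Type: text/html; charset="utf-8"

<p>Please click <a href="http://yourbank.example.attacker.example/login">https://yourbank.example/login</a>
to confirm your details.</p>
"""

LEGIT_MESSAGE = """\
From: "Your Bank" <alerts@yourbank.example>
To: me@example.com
Subject: Your statement is ready
Content-Type: text/html; charset="utf-8"

<p>Your monthly statement is available: <a href="https://yourbank.example/statements">View your statement</a></p>
"""

if __name__ == "__main__":
    for name, raw in (("phishy", PHISHY_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(name, phishing_signals(raw, "yourbank.example"))
```

Note what the checks cannot do: a message from a compromised account on the genuine domain, or a link to a lookalike domain registered by the attacker, passes the sender check, so the human signals the article lists (odd spelling, an unexpected request) still matter; the code flags the structural mismatches that are easy to miss by eye, especially on a phone where the real destination of a link is hidden.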
3. Protect what matters most.
Depending on your situation, you might want to take additional precautions to safeguard your privacy and security.
To figure out what steps people should take to safeguard their stuff, Galperin suggests you make a security plan. The Electronic Frontier Foundation has a guide to doing this, which starts by asking yourself these questions:
- What do I want to protect?
- Who do I want to protect it from?
- How bad are the consequences if I don’t?
- How likely is it to need protecting?
- And how much trouble am I willing to go through to try to protect it?
You can use the answers to those questions to focus your efforts on securing the things that matter most to you.
4. Delete some apps from your phone. Use a browser instead.
Matt Mitchell is a tech fellow at the Ford Foundation, and the founder of CryptoHarlem, an organization that teaches people to protect their privacy, including from surveillance.
Apps can learn a lot about you because of all the different types of data they can access via your phone. Seemingly harmless apps – like, say, a flashlight app — could be selling the data they gather from you.
That’s why Mitchell recommends “Marie Kondo-ing” your apps: take a look at your smartphone, and delete all the apps you don’t really need. For many tasks, you can use a browser on your phone instead of an app.
Privacy-wise, browsers are preferable, because they can’t access as much of your information as an app can.
I mentioned to Mitchell that even though I use Facebook and Twitter, I don’t have those apps on my phone — partly so that I’ll use them less, and partly for privacy reasons. I wanted to know — did I actually accomplish anything by not having those apps on my phone?
“You’ve accomplished a lot,” he says. He compares it to oil companies turning crude into petrol: your data can be turned into profit for these companies. “Every time you don’t use an app, you’re giving them less data, which is less money.”
Mitchell says that’s true even if you’ve been on Facebook a long time, and it feels like the company already knows everything about you. He compares it to smoking: it’s never too late to cut back or quit — you’ll still benefit by giving it less data to harvest.
5. To protect your chats, use an encrypted app for messaging.
If you want the contents of your messages to be secure, it’s best to use an app that has end-to-end encryption, like Signal or WhatsApp. That means only you and the recipient can read the messages you send, and no one in the middle can.
But even though the contents of your messages are protected by encryption in apps like Signal and WhatsApp, your metadata isn’t — and someone could learn a lot about you from your metadata, Galperin warns. She compares it to what you can learn just by looking at the outside of an envelope in the mail: who sent it to whom, when and where it was sent from.
And WhatsApp is owned by Facebook — so when you share your contacts with WhatsApp, Facebook is getting that info, though they can’t read the contents of your messages.
If you’re on an iPhone, iMessages are encrypted when you’re messaging another iOS device — but not when you’re messaging an Android phone. Signal offers encrypted messaging on both Android and iPhone.
What about Facebook Messenger? Jen King, Director of Privacy at Stanford Law School’s Center for Internet and Society, advises against using the Messenger app.
The app “has access to far more info on your phone than using Facebook through a browser,” she says, recommending something like WhatsApp or regular SMS texting instead.
And if encryption matters to you, be careful about backing up your chats to the cloud. If you back up your WhatsApp messages to iCloud or Google Drive, for example, they’re no longer encrypted.
“That backup is just a database. And that database is easy for someone to open and read,” Mitchell says, if they were able to access your cloud account. To keep your messages from prying eyes, turn off cloud backups and delete existing WhatsApp backups from iCloud or Google Drive.
6. Turn off ad personalization.
Whenever possible, Mitchell recommends going into your settings and turning off ad personalization, which often gives companies permission to do invasive tracking.
Google and Android
Here’s a link to limit ad personalization on Google and Android.
This page shows you how to opt out of ad personalization on Apple. As of this writing, it hasn’t been updated for iOS 14. If you have updated to iOS 14, go to Settings > Privacy > Apple Advertising > turn off Personalized Ads.
- On this page, you can go to the Ad Settings tab and toggle the settings to Not Allowed.
- This page has steps to disconnect your off-Facebook activity that other apps and websites share with Facebook, and to clear that history.
- On the Off-Facebook activity page, under What You Can Do, you can click on More Options > Manage Future Activity > and toggle it to off. (This page has those steps.)
This page explains how to opt out of ad personalization.
He also recommends going to myactivity.google.com and deleting everything you can. On the left, there’s a tab that says “Delete activity by.” Select “All time.” On your My Google Activity page, you can turn off Web & App Activity, Location History, and YouTube History.
“It will show you every search term and everything you’ve ever done, every YouTube video you’ve ever looked at, all that stuff,” he says. “It’ll say, are you sure you want to delete this? ‘Cause if you delete this, it might affect some stuff.” Mitchell says: Delete it.
7. It’s difficult to protect your privacy online if there aren’t laws to protect your privacy online.
Tighter privacy settings only get you so far without laws that protect your privacy, says Ashkan Soltani, the former Chief Technologist for the Federal Trade Commission and one of the architects of the 2018 California Consumer Privacy Act.
There are laws around health information and credit and financial information, he explains, and some states have internet privacy-related laws.
But nationally, the U.S. doesn’t have a universal data privacy law safeguarding everyday online privacy.
Soltani says he rarely recommends steps like using ad blockers or VPNs for most people. They require too much attention and persistence in order to actually deliver on privacy, and even then they are limited in their effectiveness.
“The incentives are so high on the other side,” Soltani says, “to uniquely identify people and track them that [users] will never have enough motivation and incentive to do it to the degree of this multi-billion dollar ad tech industry.”
So how do you protect your privacy? Get involved and call your Congressperson, he says — tell the policymakers that you care about online privacy.
8. Start small and take it one step at a time.
Faced with this landscape, getting a tighter hold on your digital privacy and security can feel daunting. But Galperin has this sound advice: Just do a little bit at a time.
You don’t need to make a list of all of your accounts to integrate into a password manager — you can just do each account as you log into it.
Even just doing the basics — strengthening your passwords, turning on two-factor authentication, and watching out for scammers — can make your accounts a lot more secure. Then keep going: there are a lot of other steps you might want to take, depending on your needs.
We’re going to be on the internet for a long time. The more each of us understands how our data is collected and used — and how to keep private what we want to keep private — the better, safer and healthier our digital lives will be.
The podcast portion of this episode was produced by Audrey Nguyen. She also contributed research.