The Internet provides a convenient way for governments and corporations to monitor – and control – everything everyone is doing online. There are big money and power in your private data. Governments use it to manipulate the public opinion; corporations use it to serve you ads. Data is the new currency that beats gold and oil. It comes as no surprise then that no entity is motivated to protect your privacy.
If you want to have privacy online, you’re going to have to claim it, and here's how.
Privacy and encryption go hand in hand because encryption is an effective, accessible, and increasingly mainstream privacy tool.
Its efficiency has made encryption a prime target for the NSA and the likes of it. While governments forge laws that compel tech companies to create backdoors in their encrypted products, the Snowden files reveal spy agencies are actively working on decryption technologies.
The NSA is sifting through data of all US and non-US citizens. Whereas the data it deems uninteresting is discarded, encrypted data is stored permanently until the agency can decrypt it. They want a master key for all things encrypted, but until quantum computers help them build it, they break encryption protocols one at a time. That’s why not all encryption is made equal.
128-bit and 256-bit are the two most frequently used encryption keys. In terms of the key strength, the longer the key, the longer it takes to brute-force a cipher. Brute-forcing involves trying out every possible combination until attackers find the correct one. Humans don’t do this manually – computers do.
But how long does it take for a computer to break encryption keys? In 2016, NUDT Tianhe-2 supercomputer in China was known to need a third of a billion years to crack a 128-bit AES key and 13.5 billion years or so to break a 256-bit cipher.
Before 2013, cryptographers used to predict it would take NSA another 100 years to develop a crack to 128-bit cipher. But the Snowden files have revealed the scale of resources the NSA and allies are investing in the endeavor, shaking up everyone’s optimism and estimates.
What we know for sure is that when quantum computers are here, current encryption ciphers will become useless. But until then, use them to remain secure and protect your privacy.
NSA and NIST
The US government is known to use the 256-bit AES encryption for sensitive and 128-bit for routine needs. The US National Institute of Standards and Technology (NIST) is the entity that develops and/or certifies these and other encryption ciphers and standards. For companies seeking government contracts, compliance with NIST standards is a must.
As a result, the standards have become ubiquitous throughout mainstream products implementing encryption for consumers and businesses. Because who doesn’t want a “military-grade” encryption endorsed and used by spy agencies?
The problem here is NIST works closely with the NSA in developing the ciphers and standards. In the past few years, some of the NIST-certified algorithms have been found to bundle NSA-developed backdoors.
Perfect Forward Secrecy
Despite the apparent conflict of interests behind the NIST standards, legislators are not interested in fixing the problem.
Thankfully, security experts have come up with a solution that circumvents NSA efforts to compromise encryption keys – Perfect Forward Secrecy (PFS) for SSL/TSL connections.
PFS, also known as an ephemeral key exchange, is a system that creates new and unique private encryption keys for each session. With PFS, the keys are refreshed during connections, which means brute-forcing them is so resource- and time-consuming it’s virtually impossible even for the NSA.
Without PFS, if one private encryption key is compromised, the attacker gains access to all encrypted data.
OpenVPN is the current golden standard for Virtual Private Network providers because it allows for granular control over the connection and the use of Perfect Forward Secrecy. OpenVPN connections without PFS are vulnerable to brute-force attacks.
End-to-end encryption means your data is encrypted:
- On your device
- In transit, as it travels to and from your device to its destination (i.e., cloud storage, email, chat)
- In the cloud (email, chat or collaboration platform)
Without end-to-end encryption, your provider encrypts your data only when it reaches its platform and holds the encryption keys. Such is the case with Microsoft’s OneDrive. The company holds your encryption keys and can access your emails and contents of your cloud storage when it deems necessary.
Without end-to-end encryption, your data is also vulnerable to Man-in-the-Middle (MITM) attacks.
In an industry where trust is an issue, some privacy tools providers build their solutions on a zero-knowledge principle, whereby only you have the encryption keys, not the service provider.
The weakness here is if you lose your keys, your data is as good as lost. The advantage is your service provider, be it a VPN, cloud storage or encrypted email service, can’t access your encoded data or hand it over to an adversary.
Always check the icon in the left corner of your browser’s address bar. A locked padlock stands for HTTP Secure, or HTTP over SSL/TLS. Sites have been using HTTPS for end-to-end encryption for decades now. Otherwise, online shopping and banking would have been compromised for millions of users worldwide.
Without HTTP, your data is unencrypted, and anyone interested can see what you’re up to while visiting a website, and steal your data, including your financial information.
With HTTPS, it’s possible to track which websites you visit, but not the internal pages you view or the data you transfer.
The concept of metadata is easy to grasp. Imagine the contents of your communication as all the books in the Library of Congress. That’s a lot of information to process even for the NSA.
But metadata is the index of all those books. It tells everything about who you talk to, how often, from where, who’s in your friends’ contact list, where and when your photos have been taken, using which camera make and model, who’s in the picture, and more.
Metadata is, therefore, more valuable to spy agencies and data brokers than the contents of your traffic and communication.
Important: even though WhatsApp is encrypted, Facebook still knows who you’re talking to, and how often. Facebook stores your metadata and shares it liberally. And with WhatsApp being a closed-source app, no independent audit is allowed to check the app for backdoors.
How do you hide your metadata then? VPNs and Tor can help you hide not only your browsing activity but also your metadata from your ISP. Also, don’t forget to purge metadata from files you share online.
Tip: you can remove metadata from your photos by using free, open-source image editors like XNView. Just convert your images to PNG, which automatically strips metadata.
When possible, choose open-source software rather than proprietary solutions. The terrifying scale of state intrusion trying to embed backdoors into every mainstream technology suggests closed-source solutions might not be as secure as advertised. If there’s a state-sponsored backdoor in technology, it can be discovered and abused by hackers.
Open-source solutions may lack polish and sleek looks sometimes, but they are open for independent audits. If it’s a popular open-source project, security experts take the time to review, test it and submit reports of security holes and flaws to the developers.
Open-source solutions have the transparency and accountability closed-source projects don’t. That’s why security holes often get patched quicker in open-source software than in proprietary apps, which can go on for ages with unpatched vulnerabilities.
There’s a chance NSA agents might infiltrate some open-source development teams. But for now, open-source remains more reliable and tamper-proof than closed-source apps.
Some encryption programs allow you to hide files, partitions, and entire operating systems. Here’s how it works – first you create an encrypted folder visible to the system and easy to find. That’s the one you’d give up if ever compelled.
At the same time, you create a hidden encrypted volume. You can only access it when you know where to look. It can be a simple 15 Kb TXT file, but you can hide Gigabytes of encrypted data behind it.
Should you ever be compelled to hand over your data, you can deny a hidden encrypted volume exists in the first place – plausible deniability.
Summing up, when choosing data encryption tools and using the Internet, look for the following features:
- 256-bit AES encryption
- Perfect Forward Secrecy
- End-to-end encryption
- Zero knowledge providers
- HTTPS (when using websites)
- OpenVPN (for VPN connections)
- Open-source software
- Mind your metadata
Things You Can – and Should – Encrypt
The bad news is no one comprehensive app can encrypt your everything. The good news is encryption tools and services have become mainstream and easy-to-use. Some are free and open-source, others are paid but offer zero-knowledge solutions.
Encrypt Your Traffic
Virtual Private Networks, or VPNs, are the most popular tools among modern denizens looking for privacy online.
Benefits of Using a VPN:
- Hide your online activity from your ISP, state, copyright trolls and hackers
- Bypass local, state, school, or employer-imposed censorship
- Circumvent geo-blocks when accessing sites and services
- Torrent safely
- Protect your device when browsing from public WiFi
- Protect your identity from the sites you visit
How to Choose a Reliable VPN Provider:
- Choose a company that’s not under the Five Eyes umbrella
- Providers that respect user privacy don’t require your real name and address at sign-up
- Some VPNs now accept Bitcoin, gift cards, and cash to anonymize payments
- A robust VPN implements OpenVPN, 265-bit encryption, and PFS
- Beware of sponsored review sites – there’s unhealthy competition in the VPN industry
Encrypt Your Email
There is one caveat about email encryption that can undermine all your efforts to secure your private communications – reciprocity.
You can enjoy the benefits of the encrypted email only if your contacts do the same. Unless your recipient uses email encryption, your email communication is not all that private. If the majority of your contacts use Gmail, expect Google to scan your emails even if you aren’t a Gmail user yourself.
Not helping is the fact that Google hands over its users data to the NSA, and so do most mainstream tech services.
There are three ways you can encrypt your email:
- PGP – although Pretty Good Privacy is one of the most secure ways to protect your email, it’s not user-friendly. As a result, it’s mostly used by tech-savvy geeks. Once open-source, PGP is now the property of Symantec. Besides, PGP doesn’t encrypt the email header, recipient, and other important metadata. Tip: perhaps, the easiest way to use PGP is with the Mailvelope browser extension that allows you to deploy end-to-end PGP encryption with your Gmail or Hotmail.
- GPG – GNU Privacy Guard is a free, open-source PGP alternative available for Windows, Linux, and OSX. It comes as a basic command-line UI or more sophisticated programs, as well as addon functionality embedded in some email clients, such as Thunderbird, SeaMonkey or K-9 Mail for Android and iPGMail for iOS.
Encrypt Your VoIP Conversations and Chats
Many free and paid Voice over the Internet Protocol apps allow you to make voice and video calls, group calls, and send instant messages. Some implement end-to-end encryption, and that’s what you need to protect your privacy.
Skype is not an option if you want privacy because Microsoft shares your data with the NSA and a bunch of other state entities. Likewise, WhatsApp isn’t private because it’s a Facebook service that retains your metadata.
Tip: encrypted voice and video calls may lag because encryption consumes time and bandwidth, while text messages get delivered faster. Some apps go as far as offering self-destructing messages.
Encrypt Your Cloud Storage
To be a functional human being these days, you need cloud storage. The problem is mainstream providers have persistently refused to make your cloud-stored files truly private. Pretty much all major cloud storage providers are in bed with the NSA – take some time to read your provider’s privacy policies.
Here’s how you can make your cloud-stored files and folders private:
- Encrypt them locally before uploading to the cloud – programs like VeraCrypt, BestCrypt or PeaZip let you encrypt your files locally and decrypt them on a different device, including smartphones.
- Use an encrypted cloud storage service – SpiderOak, TeamDrive, and Tresorit are end-to-end encrypted cloud storage services. SpiderOak is particularly popular because it’s zero-knowledge and robust with 256-bit AES encryption.
Tip: if you don’t want to use any third-party provider, try Synchting. It’s a peer-to-peer file synchronization program that lets you share a file or folder with your devices on your local network or over the Internet. It’s encrypted, cross-platform and intuitive. And it eliminates the middleman from the equation.
Encrypt Your Data Locally
Encrypting your files – or drives – is an essential step toward ensuring your digital privacy. Your best bet would be to encrypt your files locally and encrypt them before attaching to emails or uploading to the cloud.
VeraCrypt is an heir to TrueCrypt, one of the most popular encryption programs that helped promote encryption among non-tech-savvy consumers. VeraCrypt is open-source and lets you encrypt files, folders and full disks, as well as hide an entire drive or operating system, providing you with the advantage of plausible deniability.
Encrypt Your Mobile Device
The recent iOS and some Android devices ship with full-disk encryption by default. If your device is not encrypted, you can do so manually by going to Settings → Security → Encrypt device → and following prompts.
Android Privacy Tips:
- Use a strong passcode or password, add extra digits to your PIN.
- Be wary of fingerprint locks – they are hackable, and some states can legally compel you to unlock a fingerprint-locked device. And if you are ever assaulted, unlocking your device is much simpler than brute-forcing a password.
- Disable backup to your Google account to keep your photos, contacts, and calendar events locally, if you don’t want Google snooping on you.
- Disable location tracking.
- Only enable GPS when you specifically need it (to use Uber, for instance).
- Disable or uninstall stock bloatware you don’t use.
- Review your Google account settings - search history, location history, etc. Disable.
- Use firewall such as NoRoot Firewall to block apps from accessing the Internet without your authorization.
iOS Privacy Tips:
- Use a six-digit passcode rather than the regular four-digit one.
- Disable location tracking in Settings → Privacy → Location services → System services → Frequent locations → Off. Just in case, tap the Clear History button, too.
- To revoke permission to upload your data online for specific apps, go to Settings → Privacy → choose an app you wish to ban from uploading your data online → Off. You can grant it permission at a later point if necessary.
- Set the expiration date for your iMessages.
- Change your default WiFi hotspot password to an alphanumeric one.
- Use two-factor authentication for your iCloud
Encrypt Your Passwords Database
The importance of strong passwords clashes with the mind-numbing task of creating and memorizing them. You could try a memory training technique, or you could use a password manager that bundles a password generator and encrypts your password database.
KeePass, for instance, is free, open-source, and cross-platform. A multitude of its optional plugins allows you to expand its functionality – integrate it with your browser, use a different cipher other than the default AES, and more.
There are many excellent password managers, including Dashlane, LastPass, Keeper, LogMeOnce, Encryptr, Password Boss, Sticky Password, and more. Finding the one that meets your needs shouldn’t be a problem.
Chances are your browser knows things your parents don’t know about you. But guess what – Google knows what your browser knows. So do ad agencies, data brokers, Facebook, and your Internet Service Provider (ISP).
If you want to beef up your browser privacy, use alternative browsers, privacy-protecting browser extensions, and search engines that respect your privacy.
Tor, free and open-source, is one of the most popular and efficient anonymity tools. The browser comes with privacy embedded by design and by default, which means some features are intentionally disabled (i.e., Flash, Quicktime, RealPlayer) to avoid compromising your identity.
- Your connection routes through volunteer-powered random nodes across the world.
- Your data is encrypted each time it passes through a different node.
- Each node only knows the IP address of one node behind it and one node after it, but never the IP addresses of all the nodes in your connection.
- Even if one of the nodes were compromised, the adversary would only know the two IP addresses of the preceding and succeeding nodes and not the entire path between your computer and your destination site.
Tips for Using Tor:
- Don’t torrent over Tor because P2P apps ignore Tor’s proxy settings and disclose your real IP.
- Don’t install browser plugins in Tor to bypass its limitations. There’s a reason why Flash and Quicktime are disabled – they can reveal your IP address.
- Only use HTTPS versions of sites.
- Close all other browsers before launching Tor.
- When downloading files through Tor, don’t open them while Tor is still running, especially the .docx and .pdf. They can contain Internet sources, and the program you use to open them can reveal your real IP address.
- You can use Tor and VPN together for improved privacy and security. Some VPNs go as far as embedding the Tor-through-VPN configuration in their clients.
How to Avoid Getting Tagged for Using Tor
Tor is an efficient tool for censorship and surveillance evasion, although at some point news broke that the very use of Tor flags users for NSA scrutiny. Even though Tor prevents your ISP from tracking which sites you visit, your ISP still knows you’re using Tor.
Tip: use Bridge Relay to reduce the risk of getting flagged by your ISP for using Tor.
Alternative Browsers That Don’t Track You
Instead of mainstream Firefox, Opera, and Chrome, try the following builds that strip things like telemetry and tracking:
Search Engines That Don’t Track You
Google, Bing, Yahoo, and other mainstream search engines track and store:
- Your IP address
- Your query search terms, time, and date
- Cookie ID, which identifies your computer and lets a search engine trace your query back to your computer
Google transmits this information to:
- The requested site you visit from the search engine results page (SERP)
- Advertisers whose banners are placed on the sites you visit from the SERP
- Law enforcement and spy agencies, when legally compelled
Based on this data, sites and advertisers build a profile of you. They use it to display ads and content relevant to what they think interests you.
In response to the highly invasive practices, private search engines are becoming increasingly popular. These include:
- DuckDuckGo makes each query anonymous. The search engine doesn’t track you or create a profile of you. Unfortunately, its search results aren’t as good as Google’s.
- StartPage is a Dutch project that anonymizes your queries and sends them to Google. As a result, you get Google search results without compromising your privacy.
- Ixquick comes from the StartPage developers, but instead of Google, Ixquick queries other search engines and anonymizes your queries.
- WolframAlpha makes dynamic calculations based on sophisticated algorithms to deliver expert-level answers on queries about such topics as people, mathematics, music, movies, medicines, health, finances, and more.
- Yacy is a P2P-based decentralized search engine you have to install. Although it hasn’t gained enough traction so far, it has immense potential and is worth a look.
- Disconnect queries Google and other major search engines but doesn’t track your searches, activities, or IP address. It also lets you search by location and get results relevant to the location of your choice rather than your current location.
Browser Privacy Tips
- When possible, use Private Browsing or Incognito mode to block cookies and erase your browsing history after the session ends.
- Clear cached DNS. DNS Flusher is a great addon that does the trick for you on Firefox and Waterfox. To flush DNS manually:
- Windows: open the command prompt → type ipconfig /flushdns → enter.
- OSX: open Terminal → type dscacheutil -flushcache → enter.
- Purge Flash cookies:
- Windows: C:User\AppDataLocal\MacromediaFlash Player #SharedObjects
- OSX: [User directory] /Library/Preferences/Macromedia/Flash Player/#SharedObjects
or [User directory] /Library/Preferences/Macromedia/Flash Player/macromedia.com/support/flashplayer/sys/
- Enable a Do Not Track option in your browser settings.
- Discover the perks of a free utility Revo Uninstaller (Windows, Android). Its Tools tab lets you purge cookies, temporary files, Index.dat files, address bar history, and visited sites history for all your browsers at once, or selectively.
- Steer clear of utilities like CCleaner unless you understand what it does and how. The utility is only mildly useful but bundles a wealth of tools that, when used by inexperienced folks, can break things rather than help your computer run like new.
- Have a look at PrivacyTools.io’s list of Firefox tweaks in about:config.
Browser Extensions for Privacy
First of all, go easy on extensions. Too many will hog your browser instead of boosting it.
Also, be mindful of browser fingerprinting – a tracking technology that recognizes your browser from a myriad of others based on many factors, including the set of extensions installed. The more addons you use, the more unique is your browser.
The following list is a selection of privacy-focused extensions, some of which do the same thing. You don’t need to install all of them. Your best bet would be to choose the ones that are compatible with your browser and easy to use:
- Terms of Service Didn’t Read It – adds a nifty button in the right corner of your URL bar. Click it to get a quick insight into the current site’s ToS and privacy policies.
- HTTPS Everywhere by EFF – ensures you always use the HTTPS connection, whenever available.
- Privacy Badger by EFF, AdBlocker Plus, uBlock Origin and Ghostery – block ads and trackers.
- Decentraleyes – blocks third-party trackers by preventing a lot of requests from reaching Google Hosted Libraries without breaking how sites are displayed.
- NoScript – great for the tech-savvy because it lets you tweak which scripts can run on your browser. It can break some sites, too, so caution is advised.
- Self-Destructing Cookies purges cookies that are not currently in use. You can whitelists sites you want to recognize you when you return. It also protects your browser from Flash cookies and ETags.
Mobile Browser Privacy
Mobile browsers need even more protection than your desktop browsers because significantly fewer privacy extensions work on mobile.
- Fix some of your mobile browsing privacy leaks following these simple steps:
- Use Firefox Focus, Waterfox or Brave for private browsing
- Use Private Browsing in Chrome, Firefox or Opera
- Enable Do Not Track in your mobile browsers
- Install compatible addons:
- uBlock Origin
- Self-destructing Cookies
- HTTPS Everywhere
Understanding Tracking Technologies
Had tech giants and data brokers invested the money they throw at web tracking technologies into space exploration instead, we’d be terraforming Mars by now. But web tracking gets more sophisticated by the day while space exploration has stalled since men landed on Moon.
Here’s a quick overview of web tracking technologies and what they do:
- Browser fingerprinting identifies you with a high degree of accuracy based on your browser and OS configuration. Ironically, the more tweaks you implement to protect your browser, the more unique it looks to the trackers.
- Audio beacons in TV and YouTube commercials trigger specific apps and games (cheers Angry Birds lovers) on your smartphones and computers to ping back to advertisers’ servers to identify a user and devices used in a household.
- HTML5 web storage, aka Document Object Model or DOM, is data storage embedded in your browser that’s much more persistent than cookies and has larger storage capacity. You can disable it in various browsers via about:config settings.
- Etag, or an entity tag, is an HTTP header your browser uses to validate Web cache and process requests for resources from sites. Etags use persistent identification elements, PIE, that tag your browser, and help cookies respawn after you delete them. There’s no easy way of circumventing the plague. Either you clear cache between each and every site you visit, or you disable cache altogether. Both methods make web browsing a pain.
- History snooping technology allows sites you visit to access your past browsing history. Facebook, for instance, combines your social profile with your browsing history. As a mildly effective remedy, you can go to Digital Advertising Alliance and opt out of all browser tracking campaigns from participating companies. Alternatively, use a Private Mode at all times, or use it to access your Facebook account.
With a little research and learning, you can pay for many digital goods and services without exposing your identity. Paying anonymously helps you steer clear of mass surveillance and corporate profiling, as well as prevent identity theft since hackers try to intercept your credentials at checkout or by hacking databases of online stores.
Fortunately, many services now accept anonymous payments, including cash and Bitcoin. Let’s see how you can pay anonymously online.
Abine.com’s Blur masked cards allow you to buy digital goods legally by using a fictitious name. Simply sign up for Blur online and add your credit card to mask, then choose your fake identity, and use your alias and masked card for online purchases.
- A masked card can’t be charged automatically without your approval
- It masks your identity and address
- It masks how your transactions are shown to your credit card provider
- It’s legal
- It leaves no traces of your credit card in online databases
- You can’t spend more than $500 with one masked card
- You can’t use them for recurring payments
You can get a prepaid card pretty much anywhere from supermarkets to toy stores – it’s basically a gift card you buy for cash. You can get one online, but in this case, you’d have to submit your personal information at checkout, which beats the purpose of getting it anonymously.
- Untraceable if you buy it with cash
- Available in many stores
- Great for one-time anonymous payment
- Has a minimum limit of $20
Bitcoin is a decentralized virtual currency that relies on peer-to-peer technology and eliminates state- or corporation-controlled middleman from your transactions. That’s why governments and banks are so eager to regulate or ban it. For a detailed look at the benefits and caveats of Bitcoin, read my Bitcoin Basics guide.
Just as you use any currency, you can use Bitcoin to shop online if a company accepts Bitcoin payments. It’s not ubiquitous just yet, but many privacy-focused service providers (VPNs, encryption suites) now accept Bitcoin or are planning to support it soon.
Bitcoin is designed with transparency in mind, so it’s not anonymous per se, but there are tips and tricks you can use to make your Bitcoin payments anonymous:
- Use anonymous disposable emails
- Never disclose your real identity, address, or phone number during a purchase
- Create a new Bitcoin wallet for each purchase
- Clean your Bitcoins with a mixer service
If you buy Bitcoin from a local Bitcoin exchange, such as CoinBase, you have to submit your real credentials. A mixer service such as Blockchain.info lets you share-send your Bitcoins for a 0.5% fee. In layman terms, the platform mixes your coins with those of other users, making it highly improbable for anyone to untangle the chain back to you. This is not to say it’s impossible, but it’s rather time- and resource-consuming.
- You can use prepaid cards to buy Bitcoin online anonymously.
- You can also find local Bitcoin sellers in your area via LocalBitcoins.com and buy your coins with cash.
- Fairly anonymous when done properly
- Well-accepted by many online retailers
- May get highly technical
- Steep learning curve for beginners
- Anonymity comes at a price since local sellers and mixer services charge extra
- Most providers don’t provide refunds for payments made with Bitcoins
Not many online services accept cash, which makes those that do stand out from the crowd. Mullvad, for example, is a VPN service provider that accepts cash payments you send by mail. Just put the money and a note with your user code in an envelope, and use the service anonymously.
- 100% anonymous
- Few online service providers bother to accept cash
Miscellaneous Privacy Tips
Companies developing commercial software and major operating systems can’t be trusted not to be in bed with the NSA.
Ditch Win 10
Windows OS, especially 10, is known to send extensive logs on user activity to Microsoft servers even if you disable telemetry. Each new update chops off of your freedom to disable features you deem invasive. After the Anniversary Update, for instance, you can no longer disable the ever-listening Cortana.
Apple’s populist fight for encryption created more media buzz than advancement on the privacy front. After the infamous celebrity iCloud hack, the company needed something to patch its reputation – business as usual.
Use Alternative Operating Systems
Alternative operating systems give you a better chance of protecting your privacy than any of the mainstream OS’.
Linux is free and open-source, although some builds of it are closed-source. Experts assure Linux is less likely to be compromised than Win or Mac OS.
TAILS, endorsed by Edward Snowden, is a popular Linux distro that bundles a fully-featured suite of apps complete with Tor-powered IceWeasel secure browser and a private chat app Pidgin. All connections are forced through the Tor network, while encryption of files, emails, and chats is implemented by default.
- You can run it from a Live CD or a flash drive
- Secure and private
- Leaves no traces in your computer once unmounted
- Free, open-source
- Setup is somewhat technical
- Not apt to completely replace Win or MacOS for productivity
More Linux Flavors for privacy Wonks:
- Ubuntu – uber-popular, easy-to-use, and has a buzzing community, so you can always ask for help.
- Mint is more Windows-like than its siblings, and therefore makes for a great starting point as you begin exploring Linux.
- Debian is more advanced than Mint but also requires more tech skills to manage.
- Trisquel – a free open-source distro of the GNU OS with the Linux-libre kernel ready for home and office use. It has many programs, accessibility features, and plenty of manuals.
- KNOPPIX – a bootable Live system you can run from CD, DVD or USB flash drive on pretty much any computer. It’s apt for productivity, education, and software demos because the Live CD can have up to 2 GB of executable software installed.
- Puppy Linux – lightweight, easy to use, and fast. You can recover lost data from destroyed PCs and remove malware from Windows with its help. It even boots on a PC with a broken hard drive.
- Qubes OS is based on Xen, the X Window System, and Linux. Dubbed as “reasonably secure OS,” Qubes is free, open-source, and implements security by compartmentalization. It means you can compartmentalize various parts of your digital life into isolated “qubes,” some of which can be disposable.
- Whonix is a Debian GNU/Linux distro that consists of two virtual machines. One is a Tor gateway, and the other is a workstation. Both are completely isolated from your host OS. Whonix provides a high level of security and anonymity, where DNS leaks are impossible.
Set Up a Virtual Machine
If you can’t ditch Windows, consider setting up a virtual machine (VirtualBox, VMWare Player). A VM lets you install a secondary OS inside your host OS. It can be Linux, Windows, or Android, but Mac OS is finicky with VMs.
- All the files and folders in your VM are isolated from your host OS
- Even if your VM gets compromised, your host system is not affected
- Works great to set up secure P2P
- You can encrypt and hide it using VeraCrypt
- VMs are resource-hungry and can clog your computer’s memory and processing power
- Setup is technical
Pro Tips for Protecting Privacy when Using Commercial OS
- Set a password for your BIOS to prevent intruders from starting up and modifying your BIOS settings.
- Prevent boot from devices other than your hard drive.
- Disable Flash in your browsers or at least set it to “Ask to Activate” as it’s highly insecure and use it from a browser you don’t use for private dealings.
- Change DNS – by default all your queries go through your ISP’s DNS servers to ensure the provider knows every step you make online. You can change your DNS servers to use the free OpenDNS and Comodo Secure DNS or your VPN provider’s DNS servers to circumvent your ISP snooping.
- When using a VPN, always check for DNS leaks before performing sensitive tasks through VPN.
- Purge your Google history and disable its tracking for all Google products by logging into your Google account → My Activity → Delete → All time. In Activity Controls, you can disable history tracking for each Google product separately.
- Steer clear of security services and apps from the Five Eyes countries (the US, the UK, Australia, New Zealand, Canada surveillance alliance). This includes VPNs, secure email platforms, and encryption suites. Be wary of security suites coming from the Fourteen Eyes countries.
Online Privacy Issues
The major online privacy issue is there is no privacy online. To claim it, you must equip your devices with privacy tools, ditch Google, Facebook, Windows, GPS navigators, IoT devices, and smartphones.
But you need them to be a functional human. As a result, you end up paying with your data for supposedly free services. Ironically, paid services have the audacity to double-charge you by collecting and selling your information, too.
From surveillance agencies to ISPs, tech giants, and hackers, the digital realm is infested with parasites feeding off of your private data.
Did you know Google and Facebook account for more than 80% of online ads? They know how to serve you relevant ads because they know what makes you tick. On their servers is a detailed and comprehensive profile of your digital identity. They analyze it, sell it, and share it with spy agencies.Tech monopolies have an enormous concentration of power and money. No smaller provider can challenge them, let alone consumers.
When you use Google, Facebook, and Twitter, you probably think you have the full picture on a topic in all its multiplicity and variety. Wrong.
Mainstream search engines, social networks, and Big Data analytical centers profile you based on your search queries and liked content. When you search for a topic, they return results that agree with your point of view or can lead your opinion in the direction they need. Some take it a step further – a recent study reveals some news organizations go as far as doxxing their commenters.
You don’t get an unbiased look at alternative viewpoints because your search engine and social networks downgrade, troll, and ridicule them. You are locked in a matrix that filters the information you consume and manipulates your opinions.
With no laws to penalize Internet providers for blocking sites they disagree with, corporate-imposed censorship becomes the norm. Not only the government but also private companies censor all kinds of information, stifling innovation and making fair competition impossible.
The Five Eyes and the Fourteen Eyes alliances allow their member states to share intelligence evading domestic laws that prohibit them from spying on their own citizens. Hence, most security experts advise against using privacy tools from the companies based in the Fourteen Eyes countries.
It’s unfair because the bad fame of the spy alliances hampers US companies. But there’s no way of knowing which companies are NSA honeypots, and which are honest and transparent.Suggested visual content: Infographic on the Five Eyes
The biggest threat to online privacy is, ironically, the user. According to the Association for Computer Machinery, online shoppers fail to live up to their self-reported online privacy concerns and routinely disclose their personal information.
Remember the Cambridge Analytica scandal? Marketing experts say, “Users will forget, and then it will be business as usual.”
When online privacy makes the headlines, consumers worry about it. But when it’s no longer news, users move on without changing their digital habits. Snowden made the headlines in 2013, Equifax in 2017, Facebook and Cambridge Analytica in 2018. But all the progress to protect online privacy on the legal front has stalled because public backlash has been consistently insignificant.
Identity Theft, Hacking, and Defamation
A grave privacy issue is data trading on the Dark Web, where hacking is a commodity just about anyone can buy. Opportunist hackers routinely trade ID and SSN databases stolen from sites that collect personally identifiable information but never bother to protect it adequately.
At the same time, identity theft, revenge porn, doxxing, and phishing proliferate. It’s become possible to destroy someone’s career, credit score, and reputation through targeted social engineering and MITM attacks.
Online Gaming Privacy Issues
Any online activity has the potential to compromise your privacy, especially gaming because it’s a highly competitive field where players focus on anything but privacy.
As you climb the leaderboards, coordinate teamwork and chat with your buddies, you run the risk of becoming a target of:
- Unethical rivals
- Hackers looking to steal your identity
- Mentally unstable users
In many cases, your IP address is all an adversary needs to launch a fully-fledged attack against you.
Gaming chat rooms aren’t secure at all. If your IP address isn’t protected, cheat-happy rivals can discover it and forge a DDoS attack on you during a match. A DDoS attack clogs your connection, and you get locked out of the game during the most crucial moments.
Some obsessive players go the extra mile and call your local police department to report gunfire in your house. Your PD is then obliged to dispatch a SWAT team to your place.
Swatting is highly damaging not only to your property but also reputation. As you scramble through broken furniture trying to persuade law enforcement of your innocence, your neighbors may turn their back on you.
With your IP address exposed, your enemies can identify your physical address, full name, and your social networking accounts. Beyond that, there are public records of voter registration and property ownership, and massive databases of financial records amassed by credit-rating agencies.
Doxxing is when someone puts these pieces together and publishes online a comprehensive dossier on you. What follows can be embarrassing, infuriating, or downright dangerous.
Phishing, Spyware, and Malware
If you expose your email and IP address in gaming communities, social engineering-savvy hackers can forge a pretty convincing phishing attack. And if you indulge in gaming cheats, you run the risk of installing ransomware at some point.
With your IP address exposed, mentally unstable gamers can hack your webcam. What can ensue is blackmail or revenge porn. If you haven’t plastered non-transparent duct tape over your webcam yet, it’s about time you followed Zuck’s best privacy practices.
Online Dating Privacy Issues
With your IP address exposed, mentally unstable gamers can hack your webcam. What can ensue is blackmail or revenge porn. If you haven’t plastered non-transparent duct tape over your webcam yet, it’s about time you followed Zuck’s best privacy practices.
The architecture of dating services forces users to disclose sensitive information. Tinder requires your Facebook account name, while OKCupid wants your photo if you’re going to see other users’ pics. You end up disclosing your:
- First name (sometimes your last name, too)
- Sexual history or preferences
- Political opinions
- Sensitive photos
Considering at least 15% of Americans and nearly 300 million people worldwide use online dating, there’s a lot of privacy for hackers, stalkers, and employers to see.
Dating Sites and Apps Are Hackable
Online dating sites get hacked regularly. In 2017, Kaspersky Lab found significant security holes in Tinder, Bumble, Badoo, Mamba, Happn, WeChat. Paktor and OKCupid. The flaws exposed usernames, locations, message histories, and login information.
Due to security flaws in these apps, hackers can identify:
- Who you are on social media.
- Where you are – most dating apps indicate the distance between you and your potential date. By moving around and logging the distance, it’s easy to determine your exact location.
- Your private messages – some dating apps don’t encrypt your app data transfers, so it’s possible to not only intercept but also modify it (and request money from your date).
- Your photos, videos, GPS data, device info – many dating apps upload your media files and transfer your device info and location unencrypted.
Most dating apps are highly vulnerable to MITM attacks and can facilitate your Facebook account hijacking.
A cybersecurity company Checkmarx identified two more security issues with Tinder and other dating apps, which let hackers see what photos users are looking at and how they swipe in response.
In the Ashley Madison, PositiveSingles, and HZone hacks, dozens of millions of users had their last names, usernames, passwords, emails, addresses, phone numbers, and credit card transactions exposed. Worse yet, association with those sites revealed that users:
- Had considered an affair
- Had an STD
- Had HIV
Data breaches and users sharing information and screenshots usually contribute to unanticipated disclosure. A recent survey revealed that 81% of users saw dating profiles of someone they knew offline, while 33% had seen a coworker’s profile.
People presenting themselves as someone else, or catfishing, proliferates in online dating more than anywhere else.
To make sure you’re not talking to a scammer, you could have a meaningful conversation with them, which could reveal your sensitive information prematurely. But meeting a stranger just to make sure you’re not being scammed is a serious safety risk.
All sorts of creepy people hang around on dating sites. When they get angry, it takes very little for them to find the information they can use to stalk or blackmail you. Finding your Facebook, LinkedIn, YouTube videos, and blogs is not rocket science when they have your dating profile.
For example, when an iMessage was sent from a user’s email instead of phone number, a stalker used it to find her Twitter account, which lead him to her personal blog. So even if you take reasonable privacy precautions in your dating app, other apps may leak the data you wish to keep private.
Employment and Business
Employers can use information from your dating profile to make an employment decision. How you appear on your dating profile may have very little to do with your work ethic, but you have no control over how employers feel about it.
Also, most users report negative impressions of coworkers, public workers, and businesses after viewing their dating profiles. Something about human nature suggests that private things should remain private and well away from coworkers’ eyes.
Online Shopping Privacy Issues
Online shopping is one of the most convenient things modern technology has given us. No queues, no fuss, and with mobile payments you can shop from pretty much anywhere, anytime.
While you enjoy picking the best deals online, your financial information could be compromised. With a myriad of online shops, it’s increasingly hard to tell a legitimate merchant from fraud. Ideally, you should be securing your credit card information, but it’s not the only privacy issue with online shopping.
Lack of control
When you shop online:
- Does the merchant explain what personal information it collects?
- Do you have a say in how it’s used?
- Can you verify if this information is accurate?
- Is your information secured?
- Is the merchant liable for not securing your data or failing to disclose its privacy policies?
- Does the merchant honor its privacy policies?
Unfortunately, for most consumers the answer is “No” on every account as they feel powerless about how companies collect and share their data. According to recent researches, shoppers are increasingly concerned about their privacy, while lack of trust and control over how their data is handled keeps them from shopping online.
Information Online Merchants Access and Collect:
- Your web activity, browser information, search terms, viewed products, and online forms data.
- The time you spend on the site, your clicks, and purchases through tracking cookies.
- Your feedback – all your information from your reviews, comments, and chat with retailer’s support.
- Mobile usage and apps – when buying from a smartphone, be aware that many retailers track your WiFi signal in real time. They know which departments you visit, how much time you spend there, and what mobile apps you use.
- Health and fitness apps data – Apple, for example, monitors your Health App to know your lifestyle and pitch relevant products.
- Payment information – retailers make use of your debit or credit card info to analyze where else you shop, and what you buy from competitors.
- Your social media accounts – your likes and shares give retailers a better idea of how they can sell you more goods.
- The location of your smartphone and its unique identifier when your WiFi, GPS or Bluetooth are enabled.
Behavior tracking through browser cookies and history stealing allow stores to track you without your consent secretly. The extent of behavioral targeting is a well-kept secret in the industry since disclosing it can lead to a major consumer backlash.
Facebook’s facial recognition algorithm is one of the best in the industry. When your online retailer has your Facebook account, they know your demographic.
The moment you share your data through a loyalty program, it gets shared with dozens of other companies.
Plenti, for example, is a loyalty program with dozens of participating retailers, such as Macy’s, RiteAid, Exxon-Mobil, AT&T, and others. Each participant gets access to the shared pool of consumer data. Do they bother to protect the data on their end?Suggested visual content: this infographic is old, but something similar and up-to-date would add value
Bogus Online Surveys and Freebies
Hackers often fake online surveys to make them look like they’re coming from your retailers to steal your personal information for identity theft.
Fake freebie offers requiring your credit card information often lead to recurring charges you can’t kill or, again, identity theft. Offers of free mobile apps and entertainment content – if coming from malicious parties – can be used to hack your device.
Phishing is one of the most widespread forms of fooling consumers into feeding their private information to cyber crooks.
Popup links, emails requesting to clarify personal details, or links asking you to confirm a recent transaction are definite phishing scams.
Google Online Privacy Issues
According to Princeton, 76% of websites contain Google trackers. And despite the alleged transparency, the tech giant doesn’t want you to know the full extent of its data collection.
Google’s Bread and Butter
There’s big money in your data. Otherwise, Google’s parent company Alphabet wouldn’t have a market cap of $712 billion. In 2017 alone, the company’s revenue was $95.38 billion.
Seven of Google products have at least 1 billion users each, while the company holds an estimated 15 exabytes of data.
Google Analytics places a super-cookie that respawns in your computer every time you delete it. It identifies you to all Google products you use and Google trackers on the sites you visit. This allows Google to track your every move.
Things Google Knows about You:
- Maps – with location services enabled in your smartphone, Google knows where you’ve been, how long it took you to get there, and how long you spent there. It also stores every location you’ve ever searched for or clicked on.
- Browser history – Google knows your browsing path and every news or term you’ve ever searched for or read.
- Deleted items – Google keeps everything you’ve erased from your Google products across your devices, Google Drive included.
- Advertisement profile – your age, gender, career, relationship status, hobbies, weight, allergies, phobias, interests, and income. Google also stores every ad you’ve ever viewed and clicked on.
- Apps activity – apps you search for, install and uninstall, and how often, where, and when you use them. It also knows with whom you interact with their help, and where they are.
- YouTube history – and everything it can tell about you. That’s probably your political opinions, religion, health issues, or whether you have pets or kids.
- Events you attend – depending on how much you rely on Google Calendar to schedule events and store their details and locations, Google knows what you’ve been up to, where, with whom, and when, or if you’ve missed some scheduled events.
- Health – using Google Fit? Then Google knows your workout routine.
- Photos – years of pics including metadata about the location where each photo was taken, date and time, and device make and model.
- Emails – including deleted emails and spam.
- Voice – every voice search you’ve ever made, even if you’ve deleted them.
Note: you can request your Google profile.
Imagine someone gaining access to your Google account with the entire timeline of your digital life – the whole kit and caboodle. I’ll leave it to you to figure out how damaging this information can be in the wrong hands.In fact, it is in the wrong hands, as Google handles your data the way it sees fit, selling and sharing it with spy agencies.
Google, NSA, and CIA
The NSA refuses to confirm – or deny – its ties with Google, saying the disclosure would put the US Government IT systems at risk.
In the meantime, the CIA funds Google and its hi-tech acquisitions like Keyhole and Recorded Future through In-Q-Tel.
Privacy Issues in Online Business
The past few years have been ripe with business data breaches. The consumers’ outcry sent a clear message – organizations must be held accountable for failing to protect their data.
The European Union stepped up to protect its residents’ privacy with GDPR, making companies liable for a fine of up to 4% of their global turnover.
In the meantime, the US consumers are increasingly wary of dealing with online businesses out of fear their information might be stolen.
Not helping is the poor fame that follows the American tech companies after the Snowden revelations. The thought of a digital product that comes with the NSA-embedded backdoors haunts consumers.
As cybersecurity experts advise against using any US-made digital products, the world – especially Europe – increasingly prefers products and services developed locally. Users now care where their software is designed and where their merchant stores their data.
With the Congress allowing ISPs to gather and sell sensitive customer information, online businesses need to think carefully about how they handle online privacy.
Customers Care about Online Privacy
With the risks of identity theft growing, consumers are becoming increasingly reluctant to share their data with online businesses. According to a recent survey, 95% of Americans aren’t okay with companies collecting and selling their information without permission.
When your customers use your apps, browse your site, and buy goods or services from you, they take their time to research how your protect their data.
Brand Reputation Depends on How You Handle Online Privacy Issues
Most businesses, especially in e-commerce, work with numerous third parties – email marketing services, webstore developers, and affiliates. Your partners may have different ways of dealing with your customers’ information. The more third parties have access to your customers’ data, the more it’s exposed to unnecessary risks.
Your brand reputation depends on online privacy you afford your customers. A breach can cause significant, if not devastating damage, especially to SMBs.
According to Deloitte, customers’ privacy is not just your typical risk management issue. It’s a potential competitive edge and a cornerstone of your corporate reputation. Protecting your user privacy will gain you more customers while mishandling it can ruin you.
Privacy and Security of Your Business Data
Hackers eagerly go after poorly protected corporate data. Phishing scams and other social engineering techniques, poor cybersecurity practices, and lack of employee awareness regularly land businesses in trouble.
Protecting corporate information and personal information of your employees is also a privacy issue for online businesses.
Online businesses track and store a lot of sensitive user information – buying history, what users look at and for how long, their referring sites, browser history, time and date of their visits, their IP, and physical address, and more.
PWC found that 77% of respondents said that disclosure of personal information was a barrier to online shopping. 48% don’t shop online because they don’t trust online retailers. Consumers voted with their feet and lawmakers had to respond.
As a result, online businesses now have a slew of laws that make them liable for breaching the online privacy of their consumers, such as the FTC Act, COPPA, ECPA, and GDPR for any company dealing with the data of EU residents.
Privacy issues in online education
According to a study by EdTech Strategies, state and local education websites lack essential security and privacy protections for both students, and educators.
- Most education sites don’t support secure browsing.
- Virtually every online education site has partnered with online advertising companies. They deploy sophisticated user tracking and surveillance and don’t disclose the fact.
- Students don’t have a way of opting out of the extensive data collection and sharing.
- Online education services that disclose these practices often do it in misleading ways and make false statements.
Online Education – Not Even Close to Private
Google Analytics tracking is pervasive across online education sites. The study identified well over 40 unique tracking services, with Facebook and Twitter being the most widespread after Google Analytics.
More troubling is the fact that very few providers were found “to be approaching compliance” with Google Terms of Service, which require disclosure of privacy-related practices. In fact, 90% of sites violated Google’s ToS.
In other words, the vast majority of education agency websites do a poor job of protecting the online privacy of students.
Online education risks
In online education, the risks of identity theft, data manipulation, breach of confidentiality and hacking are high. Both students and educators run the risk of becoming a target of:
- MITM attacks
- IP spoofing
- Brute-force attacks
- Cross-site scripting (XSS)
- SQL injections
- Session hijacking and session predictions
There’s no way online education users and providers can ensure online privacy without deploying cybersecurity best practices:
- Implementing security management
- Improving authentication, and confidentiality
- Ensuring transparency and accountability
- Using end-to-end data encryption and digital right management
- Training security professionals
Unfortunately, the industry isn’t moving in the right direction, and its leaders are the first to violate students online privacy.
Case Study: Summit Basecamp
Facebook and its for-profit LLC Chan Zuckerberg Initiative (CZI) develop and oversee an online education platform Summit Basecamp. Online education benefits aside, the provider downright ignores privacy issues and numerous requests for clarification from concerned families.
The online education platform unilaterally claimed the right to access, data-mine and re-disclose students’ personal data:
- Students’ full names, addresses, usernames and passwords, and emails
- Students demographic data (race, ethnicity, economic status)
- Coursework video, audio, images, and text files
- Course progress, scores, test results, and grades
- Everything students write, including their communication with teachers
- Student attendance, teacher curriculums, notes, and feedback
- Outcomes (college acceptance, employment, etc.)
Never mind that Summit violates a good deal of state and federal laws. The fact that CZI has launched a massive PR campaign to expand the Summit program and the lack of the provider’s accountability suggests privacy issues in online education are going to get bigger and scarier.
Privacy Issues in Social Media
A recent Princeton study found that 24% of sites contained hidden Facebook trackers and 76% Google trackers. Facebook monitors you not only when you use it, but when you visit other sites. There’s more– Facebook also tracks non-users who’ve never granted it consent to do so.Tip: if you’re wondering what personal information Facebook stores on you, you can download your profile and see it for yourself.
- Your login locations, times, dates, and devices
- Posts, shares, likes, stickers, polls, and games
- PMs sent and received
- All the contacts in your phone
- Audio messages
- Topics of interest discussed with your friends
- All apps connected to your Facebook account (Tinder, anyone?), as well as when you use them, and what for
- Your location
- You date of birth
Moreover, Facebook can access your webcam and mic at any time, as well as your:
- Social circles
- Call history
- Downloaded files
- Photos, videos, games, music
- Search and browsing history
- Radio stations
- Closed groups (AAA, STD)
Both Facebook and Twitter also keep all the unpublished drafts you’ve deleted, so forget about self-censorship – you’re busted anyway.
63% of online ads are served by Google and Facebook – the unethical duopoly that’s amassed terrifying volumes of individual data profiles.
Ads aside, the duo uses your data to build sophisticated AI algorithms that put you in a filter bubble. It controls what you see online based on what their AI thinks you’re most likely to click on. They create echo chambers that distort users’ reality, increasing societal polarization.
The Cambridge Analytica (CA) precedent provides a glimpse at Facebook’s data sharing and selling activity the company keeps under wraps. That’s only one disclosed case, but it reveals 87 million Facebook users’ data was sold to CA. The company used it to build psychological profiles of US voters and, allegedly, interfere with the 2016 elections (again, through filter bubbles and targeted ads).
Things you share with WhatsApp, Twitter, Facebook, Google+, YouTube, Snapchat, and a myriad of other social networks are sold and resold. And you have no control over it.
Lack of Meaningful Protection
Employers, insurance companies, and ID thieves can easily find highly sensitive information on you. For example, Facebook’s closed groups for people with health issues and addictions are supposed to keep users anonymous. But a recent investigation by Sky News revealed:
- Groups are easily searchable
- Membership lists are accessible
- No one is anonymized on Facebook
How you treat your privacy on social networks is one thing. But how your friends and their friends treat it is something else entirely. Again, you have little to no control over it.
Hacking, Stalking and Blackmailing
Now imagine someone hacking your social networking accounts. The goldmine of data an adversary obtains makes everything possible from identity theft to impersonation, stalking, blackmailing and even compelling you to spy on your employer.
Social networks do what they ought to do to stay wealthy and powerful. But your worst enemy that discloses your personal data and compromises your online privacy is you.
Oversharing on social networks should be classified as an addiction some day. It can damage your personal life, put your children’s safety at risk, and hamper your career.
Privacy Issues in Online Marketing
Tracking cookies, user profiling, browser history stealing, beacons, canvas fingerprinting and other online marketing techniques border on privacy invasion. The fact didn’t escape consumers.
Privacy Concerns Urge Consumers to Employ Ad Blockers
Users often switch devices, so keeping track of all the touch points is getting increasingly challenging. As a result, marketing tools are becoming more and more sophisticated, leveraging Big Data, IoT, and AI. And even more privacy issues arise.
Users react to invasive technologies by installing ad blockers and opting out of tracking whenever they can. According to a PaigeFair report, 11% of internet users employ ad blockers. That’s 600 million web-enabled devices.
Users Would Rather Abandon a Site Than Disable Their Ad Blocker
To counter ad blockers, some sites use walls that disallow ad block-powered browsers from accessing their content.
Ironically, the request to disable their ad blocker urges 74% of users to abandon the site rather than disable the addon. People hate online ads that much.
Profiling Doesn’t Make User Experience Better
63% of respondents in a recent poll believe deep data mining and user profiling doesn’t lead to a better, more personalized online experience. At all.
Consumer perceptions of online ads are echoed by companies like P&G. The giant went ahead and cut $100 million in online advertising in one quarter, and discovered it had no impact on sales.
It’s not that profiling doesn’t help target your audience. It’s that Facebook and Google algorithms drive traffic to sensationalist clickbait sites away from quality publishers, says Bob Hoffman, a former ad executive at McDonald's, Toyota, and PepsiCo among others.
But consumers keep developing strong animus against tracking and profiling technology, and that’s something marketers need to address.
Privacy Issues and Lack of Trust Slow Down Sales
Lack of trust, fear of identity theft, malware, and tracking hamper online marketing campaigns and slow down sales by up to 17 weeks.
While scary headlines of privacy breaches add to the hype, the immediate response is that only 3% of users trust Facebook and 4% trust Google. The two companies suddenly landed among the companies we trust the least. And it inevitably affects how consumers view online marketing.
Some Marketers Believe People Will Forget about Privacy
Despite the apparent concern, people still do very little to protect their data online, especially if doing so involves compromising on convenience and time. Most download apps without reading their ToS and keep an app that tracks their location in the background.Some marketing experts say, "Americans complain about intrusive ads until they see the next 'Star Wars' trailer."
Privacy Issues and legal consequences
The above statement is overly optimistic. As Facebook is forced to respond to Cambridge Analytica scandal, algorithms driving ad buys will change. Privacy protection will change; legislators will have to step up. Europe now has GDPR, and online marketing will have to take privacy into account sooner or later.
Effective Marketing or Privacy Intrusion?
Targeted marketing can be ethical if it’s transparent and empowers the consumer with knowledge about:
- What types of data you collect
- How you store and share it
- The process of reviewing/rectifying their data
- Your disclosure policies, and whether you share their data with law enforcement
- Your location
When users have an opportunity to opt out of certain data collection and sharing practices, they are more likely to develop trust in your brand. In fact, people are willing to pay up for services from providers they consider privacy-protective.
Privacy Issues in Online Banking
Online banking is pretty secure. Otherwise, no one would use it. Let’s say it’s secure enough to use it, but it’s not without issues. Here are some things that might have been bothering you about online banking.
Banks Keep You in the Dark
Banks don’t like to disclose data breaches. Hacks can severely damage the reputation of any financial institution, so banks keep their sore spots under wraps.
Europe is addressing that with GDPR, which can penalize banks for failing to notify their customers of a data breach. The US is trailing behind, leaving millions of consumers vulnerable to identity theft just because banks aren’t legally compelled to let them know their data could be compromised.
Online Banking Apps Aren’t as Secure as They Should Be
Security flaws and privacy-invasive features in online banking apps and smartphones, combined, cause significant concerns. Reverse-engineering mobile apps allows hackers to insert malicious code into legitimate apps and re-upload them to the app stores. At the same time, a banking app can be secure, but other apps can compromise its data or intercept traffic.
Banking Sites Flanked Security Tests
The non-profit Online Trust Alliance (OTA) recently audited more than 1,000 banking and federal sites for their privacy practices, site, and email security. The results are disheartening – many banking sites drop the ball when it comes to responsible privacy handling and security. The country’s largest banks and the government had the worst grades among all studied categories.
Only 27% of the US 100 largest banks scored high due to increased breaches, low privacy scores, and poor email security.
In 2017, each e-banking system audited in 2017 had, on average, seven vulnerabilities. Only a third of online banking systems didn’t have critical vulnerabilities. 75% of sites had cross-site scripting flaws, 69% didn’t properly protect from data interception, 63% had poor authorization protection, 50% were vulnerable to sensitive data disclosure. Many were susceptible to brute-force attacks.
Users Do a Great Job of Compromising Their Data, too
Reused credentials and weak passwords are still a problem affecting many industries; online banking is not an exception.
Top that off with doing online banking from public WiFi without a VPN, and you don’t need banks to mess up user privacy – users can handle the task on their own.
And if you don’t use any credit monitoring service – paid or free – you have no way of identifying a possible identity theft or a credit card fraud in your name before it’s too late.
Privacy Issues and Remote Workers
According to Strategic Analytics, the global mobile workforce will reach 1.75 billion by 2020 accounting for 42% of all workforce. And according to Citrix, 61% of workers already work outside the office at least part of the time.
But privacy issues and remote work go hand in hand, affecting both remote workers and employers.
Is Your Privacy at Risk When Working Remotely?
Yes. By design, remote work suggests that most of your activities happen online and rely on cloud services. You have a big digital footprint that combines your work and personal life.
Understanding where your privacy risks are coming from (or connecting via a secure remote access point) helps you prevent – or minimize – them.
Using Public WiFi
Irrespective of whether you take one day a week to work outside the office, or you’re a digital nomad, you probably use public WiFi quite often. But while home connections are relatively secure, public WiFi is a security nightmare.
Opportunist hackers tend to launch MITM attacks and set up honeypots on unprotected public networks to intercept users data.
This is not to say you should never use public WiFi. But you definitely shouldn’t use it without a reliable VPN.
Failing to Keep Your Work and Private Data Separate
When working remotely, your work computer and smartphone are probably your personal devices. That means you check personal and work email, use personal and work social media accounts, and do your personal and work research from the same devices.
Keeping your work and private life separate takes a lot of discipline and focus. And when you post a Facebook update after a long workday, your attention may drift. Disclosing details of your private life on company social accounts, and vice versa, posting work-related information on your personal timeline is a serious blunder.
As a remote worker, you must treat your company data from the perspective of “don’t share it unless explicitly specified otherwise.”
At the same time, using corporate email or cloud storage for personal photos and files means your employer can access them at any time.
The sheer number of work and personal accounts a remote worker uses makes using complex passwords a mind-numbing endeavor. Unfortunately, users willingly compromise security when following its best practices hampers usability and convenience. Reused credentials and poor passwords leave your data and your company information vulnerable.
Also, keep in mind that your employer’s IT admins can view your password for corporate systems. Using the same password for your personal social media accounts and email is inviting trouble.
This information can be used to forge a sophisticated social engineering attack, such as phishing, to trick you into disclosing sensitive company data or make payments your company never authorized.
Over-zealous time tracking is not only privacy-invasive but can also hamper productivity as workers get so self-conscious they struggle to focus. Screenshots of workers’ desktops may contain highly sensitive information on the one hand, and may not always provide a fair insight into the time and effort your remote employees are investing in work.
Carefully vet time-tracking software to ensure it comes from a reputable provider with transparent and strict privacy-protection policies.
Online Privacy Tools
Online Privacy Laws
There’s no single, comprehensive federal law regulating the collection and use of personal data in the US. Instead, there’s a complex patchwork of state and federal laws that sometimes overlap, dovetail or even contradict one another. Also, there are industry-specific guidelines complete with accountability and enforcement components developed by governmental agencies and industry regulators.
Some of the most prominent federal privacy laws are:
The Federal Trade Commission Act:
A consumer protection law prohibits deceptive or unfair practices in online privacy and security policies. The FTC regularly penalizes companies in violation of their own privacy policies. The FTC Act, however, doesn’t give consumers the right of legal action against sites in violation of their privacy policies.
It applies to online marketing agencies, too, and can punish them big time for deceptive ads and misleading marketing messages.
The Children’s Online Privacy Protection Act (COPPA):
Applies to sites targeting or collecting data from children under 12 years. Such sites must post privacy policies describing what data it collects, and how it handles it. The site must also get a “verifiable parental consent” before collecting or disclosing information about a minor.
The Electronic Communications Privacy Act (ECPA):
Prohibits sites from intercepting or disclosing electronic communications. ECPA applies to email service providers, chat rooms, and forums.
At the same time, it allows the government to access, with a subpoena, emails, texts, GPS tracking data, and cloud storage of US citizens. No warrant is required. ECPA was previously used in a class-action complaint against ISPs intercepting customers data through deep packet inspection.
Since then, net neutrality regulation (the FCC Privacy Rule) has been repealed, granting ISPs the right to collect and sell customers data without customer consent.
The Computer Fraud and Abuse Act (CFAA):
Makes it a crime to access and share protected information.
Cyber Intelligence Sharing and Protection Act (CISPA):
Regulates how companies should share information on potential cyber threats with the federal government. EFF criticized the act for “inadequate privacy protections” considering broad cyber threat definitions.
Prohibits companies from using misleading information in email headers, subject lines, as well as obliges them to tag ads as ads, disclose their location, provide consumers with opt-outs from future emails, and monitor activities of any third parties that do email marketing on their behalf.
The Judicial Redress Act:
Gives citizens of EU member states the right to seek redress in US courts for privacy violations. It applies to cases when their personal information is shared with US law enforcement agencies.