The no-nonsense guide to digital privacy (Part 3: Case studies)
In part one of this three-part series on privacy, I walked through the changing privacy landscape and the various risks worth considering. In part two, I recommended many methodologies and tactics to reduce those risks. In this final installment, I’ll tie it all together by exploring a range of everyday behaviors in which many people engage - posting to Facebook, sending a text, making an online purchase, etc. This collection of case studies will provide you with a clear mental model for how to balance the convenience and connectivity of modern life with the privacy risks.
But first:
Some key assumptions
If you are the average citizen of a Western country, then when it comes to privacy you tend to think and act as follows:
When performing a public action:
It’s nothing that you wouldn’t want the government, a business, an employer, a friend, or even a stalker to observe
You think about it as a one-off event, but do not think about the story it tells about you when combined with other sources of information
When performing an action that seems like it should be private:
You only expect connections you’ve authorized very explicitly to be able to observe it
You expect any company facilitating it to keep your data safe, not overshare it, and to honor any privacy settings available to you
Below we’ll look at some real-world case studies and discover how they stack up.
Case studies
Posting a photo to social media platforms
Some people don’t realize that Instagram is public by default. Facebook, meanwhile, is only semi-private. Profile photos, for example, are public by default. Your mileage will vary with other services, but they tend to follow similar patterns. The stream of photos that end up on these services pose a number risks: creating bias against you, opening avenues for shaming and stalking, and of course government surveillance.
I recommend following the advice in the second installment of this series to ensure your photos are completely private. Moreover, though, check your private followers and ensure that you’re comfortable sharing the photos you post with all of those people. This will de-risk things significantly by cutting off avenues for most bias, shaming, and stalking.
Government tracking will remain a risk and it’s one you must accept by using a third party to communicate with large groups. Meanwhile, you can always actively work on a civil level to fight for less surveillance.
Reacting to photos, posts, and brands
It seems innocuous. You like something, you click a button to react, and you move on. But when you like a public profile (like a business or a celebrity), then by default, your friends and followers will be told so when that page shows them advertisements. And if you react to a photo or post that seems private, your reaction will not actually be private if the person who posted it did so publicly or shared with people who are not part of your network. These conditions do vary a bit by social network, but tend to follow along these lines.
Reactions can be disastrous in terms of creating bias and shame. So think twice about what you want your connections to be able to observe. Go into your privacy settings and limit how your reactions are broadcast. Also be sure to disable any aggressive ad targeting based on your reactions.
Sending a text
Text messages seem private. But standard text messaging - SMS - was first introduced in the early 90s. The technology is crude, insecure, and surveillance-prone. Because texts are routed through phone company’s networks unencrypted, it is trivial for those companies, the government, or even private hackers to intercept and store those messages.
If you intend for communication to be truly private and secure, opt for messaging services that are designed from the ground up to accomplish as much. Apple’s iMessage service, for example, is end-to-end encrypted. This means that if you a contact, for example, both have iPhones and use the default messaging service on those phones, your conversations are orders of magnitude more private than another pair of folks using different manufacturers’ phones, most of which still utilize SMS. For non-iPhone users, there are other options, such as the Signal messaging app which works across platforms.
Making a retail purchase
Again, this is an action that seems private. However, if you dig deep into the terms you agree to - with social networks, your credit card company, and other entities - you will find that it is well within their rights to share your data with each other. This means that whether you make a purchase in a store or online, it is commonplace for the retailer you engage with - or the credit card company you pay with - to tell various social media and ad networks what you’re buying, where you’re buying it, and when.
This is a tough one to avoid, but you can go a long way by not giving the companies in that chain much to share in the first place. For example, if you’re purchasing in the store and want the convenience of digital payment, use gift cards or credit cards produced by companies with strong privacy guarantees. Apple’s new credit card has strong terms promising no sale of your data for marketing or advertising purposes. If you’re purchasing online, consider using an incognito browser window and a virtual credit card service. And either way, try your best to avoid loyalty programs and profiles that can easily identify you. It may be tempting to save a few bucks here and there, but make no mistake - you are not saving that money in exchange for your loyalty; you are selling your data, and in the process, your right for your actions to remain private.
Using a VPN service
Whenever you use the internet, your traffic is routed through your Internet Service Provider (ISP) and multiple other computers / networks until it reaches its final destination. Then a similar return trip ensues. This means that any traffic that is not encrypted can very easily be intercepted and even logged by your ISP, the government, or a malicious private actor. For this reason, many have recommended using VPNs as a way to maintain your security and privacy when using the internet.
But let’s be clear about how a VPN works: A VPN establishes an encrypted connection between the VPN service and your device, which means that rather than trusting your ISP and all of the computers / networks in the middle of you and your destination to not intercept, log, or share your private data, you instead just have to trust your VPN service not to do that. And make no mistake - this is a lot of trust you’re placing in one service. First decide if this is a choice you even want to make. And if so, then when choosing the VPN company that best addresses your concerns, consider factors like the company’s geography, regulatory obligations, business model, and privacy guarantees. On the last point, to take a VPN company seriously it must at minimum:
Have its information security and privacy policies audited annually against well recognized standards such as SOC 2 or ISO 27001
Contractually promise not to ever log or share your data with third parties except when legally obligated
Have no known incidents or press indicating a breach in any of the above
Privacy is your right, but also your responsibility
There is a lot that has been said about government and corporate overreach when it comes to privacy. And make no mistake - more public scrutiny and regulation is crucial in this fight for privacy.
However, it ultimately has to be up to everyday people to learn the basics and make educated decisions for themselves. At the end of the day, even better regulations won’t save people from willingly engaging in risky behavior.
I truly hope this series has helped you to better understand the landscape of privacy risks and the options you have at your disposal to reduce them. Stay safe out there. And please, reach out to me with any questions, concerns, or opportunities to advance this conversation.