Think Like CDT: How to Protect Your Privacy

How much privacy do you want?

This isn’t a trick question–people have different preferences and interests in sharing or obscuring their personal information. January 28th is Data Privacy Day [WATCH HERE], a day that, “commemorates the 1981 signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection.” While privacy goes hand-in-hand with important values like personal autonomy and free expression, privacy itself is a poorly defined concept.

Often, folks think about privacy as akin to keeping secrets or another’s confidence. For us at CDT, we think about privacy in the context of how we’re able to control what information is collected about us, how it’s used, and with whom it might be shared. Giving individuals control over their digital selves gives offers flexibility and legitimizes different points of view on a nuanced issue, but it also places the obligation to protect our privacy on each and every one of us, which can be a confusing and onerous task.

Government regulators and advocates have long called for companies to provide users with choices about how data is used, and companies have responded with a tremendous number of tools to manage information. Most major tech companies offer a suite of preference-setting tools, there are third parties that offer extensions you can install on your computer or phone, and the original decisions about what devices you buy and which products you use determine how your data is managed. But how do you know how to use these tools? And can you trust the results?

Taking control of our personal data is often easier said than done. It can be overwhelming to think about how much data we generate each day, whether at work or just living our lives, and sharing some of this information is a non-negotiable part of modern life. Attempting to stop, let alone control this process, can feel daunting or hopeless, even for people in the privacy weeds.

It is a fool’s errand to come up with a standard set of tips for how best to protect your privacy. Even among people working at CDT, we each care about our privacy in different ways and manage our digital lives quite differently as a result. But in the spirit of Data Privacy Day, the staff at CDT wanted to offer a list of ideas for where to start, based on what we personally do to protect our privacy.

Embrace tools and technological solutions.

Use two factor authentication, use two factor authentication, use two factor authentication.

— Tim Hoagland, Digital Strategist, Communications Team

Use a VPN when connecting to public WiFi. When I’m doing work at a coffee shop with free wifi, I use a VPN service I’m subscribed to, called PureVPN, when I browse the internet. The VPN creates an encrypted tunnel that shields all my internet traffic from lookers-on. Additionally, using a VPN to browse the internet associates my traffic with the IP address, location, etc. of my VPN provider, thereby providing an additional layer of anonymity.

— Vijay Kasschau, Privacy, Data & Technology Fellow

Consider using browser extensions. I use Ghostery and Disconnect.me. These programs interrupt tracking technologies that power the ad ecosystem, increasing my privacy and hiding ads while I’m browsing.

— Ali Lange, Senior Policy Analyst, Privacy & Data Project

Audit app settings on your phone. You’d be surprised what apps may be tracking your location, even when you don’t think they need to. Reviewing app permissions can help you regain control of what data you’re providing to companies through your apps. I tend to turn off sharing my location information by default so that I know where my location data is being sent. I don’t mind the inconvenience of having to type in a zip code rather than having my phone automatically relay my exact location.

— Vijay Kasschau, Privacy, Data & Technology Fellow

Use TorBrowser. We all need to think about the signals we leave behind us as we navigate cyberspace. Everyone should download the latest version of the TorBrowser. This is an anonymous browser that bounces your web traffic through three different nodes around the world to make your visits to sensitive web pages anonymous. You may not think you need strong anonymity, but there are very typical uses for these kinds of tools. For example, when poking around a potential hire’s website, you don’t want them to see just how much you are interested in them and what pages you particularly loaded from their site.

— Joseph Lorenzo Hall, Chief Technologist

I use a password manager. KeePassX is an open source password safe where I can encrypt and lockup a list of my passwords for all my accounts. Instead of having to remember a fleet of passwords, each with different length and character requirements, I can remember a single strong password and retrieve the others when necessary. Every password manager has security flaws, but being an open source platform, the code can be analyzed so we don’t have to put all our faith in the product without being able to examine it.

— Vijay Kasschau, Privacy, Data & Technology Fellow

I use the long-and-nonsensical phrase approach to passwords (though I should use a password manager).

— Gabe Rottman, Deputy Director, Freedom, Security & Technology Project

Use Signal. Signal is an end-to-end encrypted chat app that ensures no data is available to snoopers, overzealous governments, or organized criminals. There are many many messenger applications to choose from, and the best use the underlying signal protocol (WhatsApp, Google Allo’s Incognito chats, Facebook Messenger’s secret conversations). I recommend using the Signal app itself, as that is the most pure (and security conscious) instantiation of the underlying Signal protocol.

— Joseph Lorenzo Hall, Chief Technologist

Think before you share.

Facebook and other social media platforms ask you a lot of personal questions for your profile–but you don’t have to answer them all! Social media platforms are designed to maximize sharing, because the more information you provide, the more money the platform and third parties can make through targeted advertising. Don’t get tricked into sharing more than you normally would. Share selectively, and check your default sharing settings.

— Natasha Duarte, Plesser Fellow

Don’t give out your zip code or phone number (or SSN!!) to retailers. They often ask for more information than they need for marketing purposes and it’s ok to say no. The less information they have about you, the less likely your information will fall into the wrong hands. Data breaches have hit retailers hard, and when your data is a part of a breach, you have a 1-in-3 chance of having your identity stolen. You can use haveibeenpwned.com to see if your username and passwords have been a part of a breach.

— Michelle De Mooy, Director, Privacy & Data Project

I minimize my social media footprint, to the extent possible, and am vigilant with respect to phishing and other social engineering attacks.

— Gabe Rottman, Deputy Director, Freedom, Security & Technology Project

 

Don’t Instagram a picture of your new passport or driver’s license, no matter how good you look in the picture. In fact, go ahead and delete from your phone any pictures of documents or ID that could be used for identity theft.

— Natasha Duarte, Plesser Fellow

Lie. Just because someone on the Internet asks you a question, doesn’t mean you have to answer it. There are obvious exceptions–for example you have to give Amazon your true address if you want to receive that package. But does your utility provider need to know your mother’s real maiden name? Often, as long as you can remember the answer you gave, you don’t need to tell the truth.

— Ali Lange, Senior Policy Analyst, Privacy & Data Project

Instead of opening a new tab, open a new browser.

I primarily use one browser where I’m logged out of all services, and reserve another for staying logged in to Gmail, Twitter, and other services. I also have several privacy plug-ins on the logged-out browser (NoScript, Disconnect.Me, Privacy Badger), and can pop a URL into the definitely-being-tracked browser if all of the privacy-blockers render the page unusable.  

— Emma Llansó, Free Expression Director

Many social media platforms nowadays offer the ability to link personal and professional accounts . . . and most often require that organizational/brand accounts be linked to and maintained by individual accounts. So that means, digital marketers, that your personal account security is equal to your company or organization’s account security.

— Tim Hoagland, Digital Strategist, Communications Team

Cross-device tracking has become a major marketing trend, and one easy way for companies to follow our activities from computer to phone to television is through universal logins. I try to limit where I sign into various services. For a long time, for example, I only ever accessed or signed into Facebook on Internet Explorer on my work computer.

— Joseph Jerome, Policy Counsel

Monitor your money.

Pay in cash. While credit cards and mobile payment options can offer considerable convenience, we’re also giving up a tremendous amount of control over our financial information and our purchase history. Using credit cards to pay for things like counseling, lottery tickets, or yes, porn can make you look like a bad credit risk, too. Paying with cash can protect your privacy, and you’re likely to spend less money, too!

— Joseph Jerome, Policy Counsel

I’ve been skimmed before at an ATM, so I’m careful which machines I use to get cash.

— Gabe Rottman, Deputy Director, Freedom, Security & Technology Project

Monitor your bank account regularly, if not daily. After stealing a debit or credit card number, thieves will often make small purchases to both stay under the radar of a bank’s fraud algorithm and to see how closely the account holder is paying attention. You can forestall a lot of paperwork and headaches by identifying unknown or suspicious charges to your bank as soon as they happen, so the bank can block the card number and issue you a new one.

— Michelle De Mooy, Director, Privacy & Data Project

Consider others’ privacy, too.

Give the privacy of your friends and family a thought, too! It’s one thing to overshare about ourselves online, but we also need to do a better job not oversharing about others. We all know friends who post about their children’s potty-training habits on Facebook, or otherwise break big news on social media without thinking how that could affect others’ privacy or their reputation down the road.

— Joseph Jerome, Policy Counsel

Talk about digital privacy and why it matters with your kids. Technology is infused in so many parts of their lives but there is little to no education in schools about the importance of data privacy and steps kids can take to protect their privacy. Data about kids is being gathered and collected on an unprecedented level through EdTech, social media, and apps, and kids are even more likely than adults to be victims of identity theft. Walk the walk, too: ask your kids whether it’s ok to post photos of them online.

— Michelle De Mooy, Director, Privacy & Data Project

Sometimes a “dumb” approach can protect privacy.

I have a detachable privacy screen that I take with me to conferences or meetings and on planes. A lot of times, the privacy risk that’s most relevant to me is the nosey over-the-shoulder one.

— Emma Llansó, Free Expression Director

Think twice before you buy your next “smart” device. The Internet of Things is exploding, and companies are rushing to connect everything to the internet–from ovens, to dolls, to toilets. But each connected device you bring into your home makes you more vulnerable to hacks and data breaches. Next time you consider buying a smart device, ask yourself if the object really needs an internet connection.

— Natasha Duarte, Plesser Fellow

And put a piece of tape over your webcam lens (hey, if it’s good enough for the FBI Director…).

— Michelle De Mooy, Director, Privacy & Data Project