5 Fatal Misconceptions about Digital Privacy

I apologize for the click-bait article title; by now you’ve probably become desensitized to overly alarmist digital privacy stories. News outlets warn of shadow corporations that operate like the Stasi but answer to public shareholders. Journalists claim the NSA knows your intentions before you do and will kick your door in à la Minority Report. You’d think we should all wrap tin foil around our heads to keep the brain waves in.

Now I can understand the paranoia — after all we live in a post-PRISM world where every man, woman, and child carries around an Orwellian telescreen in the form of an iPhone. But privacy issues are still intangible and confusing for the average person, and the media is scaremongering without prescribing solutions. That leaves many readers frozen with fear yet clueless about what steps to take next. Although anxiety is still preferable to naivety.

To make the whole internet privacy nebula more concrete, we’ll debunk five common privacy misconceptions that are very real for the majority of internet users, support explanations with real-world examples, and conclude with pragmatic advice you can use to protect yourself (no tin foil helmets required).

Misconception #1: “My browser’s incognito or private mode lets me surf the web anonymously.”

Reality: Unfortunately, digital anonymity is not a cakewalk. These modes only prevent local storage of your cookies and browsing history — meaning neither will be saved on your computer. While that might insulate your significant other from the horrors of your porn history, it does little to protect you from the outside world. Your ISP still records metadata (sites you connect to, what time that connection occurred, how long it lasted, and how much data was sent). Services you log into, like Facebook and Twitter, obviously still know who you are and what you’ve done on their domains. Websites you don’t log into use a variety of advanced tracking techniques that still work in private/incognito modes to monitor your movement across other sites (e.g. canvas fingerprinting, supplemental object caches). In short, turning on incognito is like slapping duct tape on the side of the Titanic: you get points for effort, but you aren’t fixing the problem.

Real Example: AT&T, an industry-leading ISP and MSP serving 126.4 million subscribers in the United States, recently announced that its customers would have to pay an additional $44 to $66 per month if they didn’t want their digital activity reviewed by the company and used for targeted advertising. AT&T sees exactly the same activity whether or not you’re using incognito mode.

Misconception #2: “Online tracking is only used for targeted advertising, which I don’t even mind. No one is actually manipulating what page content I see.”

Reality: You have no control over the criteria on which you’re being selected, but those criteria decide both what advertisements you see and, in some cases, the actual content of webpages. It’d be nice if your fairy godmother emailed you a coupon for glass slippers just in time for the ball, but in reality advertisers rarely have your best interest in mind. Ever seen Predator? That’s what targeted advertising looks like. And you’re not Arnold Schwarzenegger. You’re one of the cannon-fodder peons that dies first.

Real Content Example: Orbitz, a popular online travel service, showed significantly more expensive travel options to users visiting the site on Apple computers — believing that the brand is associated with wealthier potential customers.

Real Advertising Example: A research project by Carnegie Mellon University and the International Computer Science Institute found that Google was more likely to serve ads for high-paying executive jobs to male web users than to female web users with identical online activity.

Misconception #3: “If I delete my cookies I’ll stop seeing advertisements based on my search history.”

Reality: That won’t be enough to give yourself a blank slate, just like transferring high schools won’t give you a fresh start and the opportunity to be the popular kid. People are going to find out. “Evercookies” create backups of themselves in alternate local storage locations, some of which are inaccessible to the browser. Next time you open your browser, cookies you previously deleted may be restored from these hidden backups. Back to square one. Moreover, a background process known as “Cookie Syncing” allows multiple websites to match you to an identifier and then begin exchanging information about your activity, including your browsing history. Even though this back-end data sync is invisible to you, it means a record of your prior activity is being maintained by someone so it can later be linked back to you. Santa Claus isn’t real, and clearing your browser’s cache won’t erase years of Google searches you don’t want anyone to know about.

Real Example: A peer-reviewed research paper published by the University of Pennsylvania concluded that “nearly nine in ten websites leak user data to parties of which the user is likely unaware of; over six in ten websites spawn third-party cookies; and over eight in ten websites load Javascript code from external parties onto users’ computers. Sites which leak user data contact an average of nine external domains, indicating users may be tracked by multiple entities in tandem…”
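To make the cookie syncing described above concrete, here is one way to spot it in a log of browser requests, as an added example that is not part of the original article. The domains, cookie names, and identifiers are constructed, and the function name `findCookieSyncs` is hypothetical.

```javascript
// Constructed sample traffic: each entry is one request the browser made,
// together with the cookies it sent. All domains and IDs are made up.
const requests = [
  { url: "https://news.example/article", cookies: {} },
  { url: "https://ads-a.example/pixel.gif", cookies: { uid: "a91f3c7e22d04b58" } },
  { url: "https://ads-b.example/sync?partner=ads-a&puid=a91f3c7e22d04b58",
    cookies: { bid: "7700c2e19f3a4d61" } },
  { url: "https://cdn.example/lib.js?v=3", cookies: {} },
  { url: "https://ads-c.example/match?x=7700c2e19f3a4d61&lang=en", cookies: {} },
];

// Treat only long, opaque values as identifiers; short values such as
// "en" or "3" would otherwise produce false matches.
const looksLikeId = (v) => /^[A-Za-z0-9_-]{10,}$/.test(v);

function findCookieSyncs(log) {
  // Pass 1: remember which host first sent each identifier-like cookie value.
  const owner = new Map();
  for (const { url, cookies } of log) {
    const host = new URL(url).hostname;
    for (const value of Object.values(cookies)) {
      if (looksLikeId(value) && !owner.has(value)) owner.set(value, host);
    }
  }
  // Pass 2: flag requests whose query string carries an identifier owned by
  // a different host, i.e. an ID handed from one party to another.
  // Simplification: hosts are compared exactly, not by registrable domain.
  const syncs = [];
  for (const { url } of log) {
    const u = new URL(url);
    for (const value of u.searchParams.values()) {
      const from = owner.get(value);
      if (from && from !== u.hostname) syncs.push({ from, to: u.hostname, id: value });
    }
  }
  return syncs;
}

console.log(findCookieSyncs(requests));
```

On the sample log this reports two hand-offs, ads-a to ads-b and ads-b to ads-c, which is how a single identifier ends up shared across parties you never visited directly.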

Misconception #4: “Webpages taking a long time to load are normal, it’s necessary to wait for all the page content.”

Reality: For many popular websites, a significant portion of the wait time you experience is the result of 3rd party advertisements and invasive trackers being downloaded onto your machine. These are about as necessary as an engine replacement recommended by a shady mechanic — the majority of the time ads and trackers do nothing for the functionality of a webpage. In fact, most people find that removing advertisements makes online articles easier to read and that blocking both trackers and advertisements greatly speeds up page loads. It’s truly a win-win situation.

Real Examples: One comparison of ad blocking extensions showed that webpages could be loaded in about half the time with blocking enabled. In my own testing up to 70% of HTTP requests and responses were used for tracking purposes and are unrelated to site content. A review of an iOS content blocking app showed pages loading in a mere fraction of the time.

Misconception #5: “I don’t make purchasing decisions based on online ads, so no one is actually making money off of me.”

Reality: You don’t have to make a single purchase to be profitable to someone; your digital data is constantly being harvested and sold. There’s a reason why so many of your favorite services are free — just as cows at a dairy farm get free food and housing. To quote Andrew Lewis, “If you are not paying for it, you’re not the customer; you’re the product being sold”.

Real Example: Acxiom Corporation, a leading data broker, collects 1,500 data points per person for 700 million people worldwide, including 71% of Americans. Demographic information, like age or gender, can only be sold for a fraction of a penny. But a list of people with specific health conditions or taking certain prescriptions costs $0.26 per person. And they are free to sell each data point multiple times to multiple customers — in fact they process over 50 trillion such sale transactions per year. In 2012 that added up to $1.13 billion in sales revenue for Acxiom.

At this point you should be experiencing some concern about your own privacy — hopefully a healthy level justified by the examples above. Maybe you’re even starting to get a feel for how tracking mechanisms work on a technical level. No? That’s OK — you don’t need to be a Mr. Robot-worthy cyber-vigilante to take control of your online identity. The neck beard and terminal screen crowd has already done the hard part for you by creating usable, effective privacy tools. All you have to do is download a couple of the good ones! Many are even offered free of charge.

Tracking mechanisms include browser and canvas fingerprinting, web beacons, evercookies, and cookie syncing.

Here are three steps you can take to keep big brother off your back:

1. Download a Tracker Blocking Browser Extension

These bad boys are the reverse-bouncers of the internet. Instead of only allowing A-list VIPs into a club, they keep any tracker on their definition list out of your browser. If it’s something used to spy on you, they stop the download: 3rd party cookies, evercookies, web beacons, suspicious Javascript, etc. And you can enjoy faster page loads! Rejoice!
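A simplified model of the definition-list check described above, as an added example that is not taken from any real extension. The list entries, URLs, and the function names `shouldBlock` and `summarize` are constructed, and it assumes that only third-party requests are candidates for blocking.

```javascript
// Constructed definition list; real extensions ship lists with thousands of entries.
const BLOCKLIST = ["tracker.example", "ads.example"];

// Constructed page load: the page itself plus the requests it triggers.
const PAGE = "https://www.news.example/story";
const REQUESTS = [
  "https://static.news.example/app.js",   // first-party asset
  "https://px.tracker.example/beacon.gif", // subdomain of a listed tracker
  "https://ads.example/banner.js",         // listed domain itself
  "https://nottracker.example/widget.js",  // similar name, not on the list
  "https://cdn.example/font.woff2",        // unlisted third party
];

// True when host is the listed domain or a subdomain of it. The leading dot
// keeps "nottracker.example" from matching the entry "tracker.example".
const matches = (host, entry) => host === entry || host.endsWith("." + entry);

// Simplification: treat the last two labels as the "site". Production code
// would consult the Public Suffix List to handle suffixes like co.uk.
const site = (host) => host.split(".").slice(-2).join(".");

function shouldBlock(requestUrl, pageUrl) {
  const reqHost = new URL(requestUrl).hostname;
  const pageHost = new URL(pageUrl).hostname;
  // Never block the site's own resources, even if its domain is listed.
  const thirdParty = site(reqHost) !== site(pageHost);
  return thirdParty && BLOCKLIST.some((entry) => matches(reqHost, entry));
}

// Count how much of a page load the list removes.
function summarize(pageUrl, urls) {
  const blockedUrls = urls.filter((u) => shouldBlock(u, pageUrl));
  return { total: urls.length, blocked: blockedUrls.length, blockedUrls };
}

console.log(summarize(PAGE, REQUESTS));
```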

Your choices include:

2. Sign Up for a VPN Service

Completely theoretical example not adapted from my day-to-day life: say you’ve already had two pumpkin spice lattes today and you desperately need a third. But the barista already knows your face and you don’t want her judgmental gaze or another Starbucks purchase showing up on your credit card statement. First world problems. So what do you do? Send the office intern on your behalf and give them the corporate credit card, of course!

A VPN service works in much the same way. Except your intern is replaced with a server that makes requests to the internet on your computer’s behalf. That server could be anywhere in the world, but websites think it’s you — the VPN gives you a brand new IP address that can’t be tied to your real geo-location. Better yet, that IP address is like the corporate card: it’s used by hundreds of other people. Your activity becomes anonymous — lost in a sea of miscellaneous page requests that most VPN providers don’t even log. And websites aren’t the only ones who can’t keep tabs on you (pun intended): the encrypted VPN tunnel ensures that even your own ISP can’t tell what you’ve been doing.

Reputable VPN providers include:

3. Use Privacy-friendly Tools for Your Day-to-Day Needs

While the online world is filled with boogeymen, not everyone is out to get you. There are privacy enhancing alternatives to your favorite tools and services, and many are just as easy-to-use as their mainstream counterparts. Don’t think of them as nerdy, these substitutes are hipster and chic — like tweed jackets, artisan coffee, and obscure bands. Feel free to brag about them at parties.

Popular options include:

TL;DR

Even if you’ve got nothing to hide and you’re not doing anything wrong, there are entities out there who have a vested interest in your personal information and possess sophisticated acquisition methods. They manipulate what you see online, slow down your page loads with invasive analytics/identification technologies, and sell your personal information. Incognito mode and cookie clearing won’t stop them. But all hope is not lost! You don’t need to be a l33t_h4x0r to protect yourself any more than Batman needs superpowers to kick ass. The trick is to have the right tools in your cyber utility belt. So download a tracker blocking extension, sign up for a VPN service, and start using privacy-friendly services!

Disclaimer: I work at RedMorph, a digital privacy startup whose products I’ve mentioned in this article. We strive to build effective, intuitive tools for non-technical internet users — including parents and children. Feel free to try our products or the competing solutions offered by other companies mentioned above.