Online Privacy — Cost and Myths

By vivek keshore
Published in Nerd For Tech
18 min read · Aug 20, 2021

It is often said that online privacy is a myth. Is it really so difficult to maintain online privacy? Why should you maintain online privacy at all? Is it true that your personal data is the most valuable asset you possess? Are tech companies really spending billions just to collect your personal information while offering you free products? Free emails, free games, free search engines, free apps, free storage, free services, and much more: are they really free? Are you really not paying any cost?

Let’s do one small exercise. Pick up and unlock your phone, count the total number of apps on it, and then count the number of apps you are paying for (or paid for once).

Most probably you have apps like Netflix, Amazon Prime or perhaps LinkedIn (premium account), for which you paid once or pay a periodic subscription fee. The remaining almost 90% of all the apps are free. Absolutely Free. Free. Free. Free. No Money. No Charge. No Subscription. All Free. Free. Free. Free.

The same is the case if you browse web services or web applications. Facebook, Instagram, Quora, Reddit, Gmail, Twitter, etc. are all free to use.

Have you ever wondered why, when you are chatting on WhatsApp with a friend and casually mention that your shoes are old and you are planning to buy new ones, from the very next moment every website starts showing advertisements from Adidas, Nike and other brands? WhatsApp is end-to-end encrypted, but the information gets leaked from the keyboard which you use to type, like the default Android Google keyboard.

Real Problem — I don’t have anything to hide!

Most often people think that they are not doing any illegal activity online, so they don’t have anything to hide. So, let me clear up this myth: it’s not and never was about illegal activities. It’s about what you share online and how it is being used by corporations, governments, and hackers.

Let’s do a small exercise. Take a pen and paper, and try to write down some unique bullet points about yourself. As many points as possible. Any information about you, like your name, your location, where you went for vacation, your average spending on groceries, the costliest item you purchased, etc. Any information about you or something you did over the internet. How many such points can you write? Maybe 100 points or 500 points. Cambridge Analytica has more than 5000 unique data points about each American, and probably each individual across the globe. Let that sink in: 5000 unique data points about each individual. We all know how this information was used (misused) to manipulate the 2016 elections in the USA. Another company called IPAC in India does almost the same thing in assembly or general elections in India.

You and your data are far more valuable than you can imagine in your wildest dreams. Your email, name, birthday, postal address, IP address, phone number, social security number or Aadhaar number, bank account details, credit/debit card details, your purchase history, your social life (when you were at which place — check-ins), and even your passwords, are all either publicly available or available for sale.

Imagine how much damage could be done if someone who wanted to harm you got hold of all this data. Your IP or postal address reveals your physical location. Your email, name, social security number and birthday can be used to steal your identity online. Bank or card details can be used to make illegal purchases in your name, or for any other monetary fraud. Your social check-ins can easily be used to draw a timeline of your life, and give a free window to intrude into your personal life. Any bit of your personal information exposes not only you, but also your loved ones and your children.

There are cases where online personal data is even used to draw a pattern of personal life, which helped the criminals to plan the killings and kidnappings.

How does my info get leaked?

Information can get leaked in many ways, and most of the time you hand over your information freely without a second thought.

  1. Every time you open any website.
  2. Every time you send an email.
  3. Every time you log in or sign up to any app or website.
  4. Every time you make an online purchase or even browse a product page.
  5. Data breaches
  6. Presence of spyware, malware, adware, virus, Trojans, etc in your device

If you would like to know how much information you leak just by browsing the internet, click on the following link.

Checkpoint 1 https://ipleak.net/

A simple click on the above link reveals how much info is being leaked to every website you browse or visit. All this info can be used against you in many ways, for example:

  • OS and browser info can tell the attacker which types of vulnerabilities can be exploited.
  • Cookie information and cookie theft reveal your browsing history, and in some cases usernames, passwords, tokens, and other personal info.
  • Screen size can reveal what type of device you use, so attacks can be customized accordingly.

My own information was captured from ipleak.net, revealing the OS, browser, IP, Location, Cookie, Screen size, etc.

Ever wondered how your most personal info like email, phone, passwords, address, etc. gets leaked? Most people keep the same or a similar password for every app or online service. Thus, if information or a password from one website is leaked, it makes all your other online accounts vulnerable to attack. And if the email password is also the same, then the attacker will change the passwords of all the online accounts, including bank accounts, and thus steal your online presence completely. Click on the link below to know what personal information has been leaked through breaches and is available to attackers.

Checkpoint 2 — https://haveibeenpwned.com/

When I checked whether my data had ever been compromised, it was surprising to me that my email, name, phone, address, password, pin, etc. are all compromised in multiple data breaches, and that too data breaches of popular companies like Bigbasket, Dominos, Adobe, LinkedIn, Yatra, etc. Following is the screenshot showing data breaches from a few websites.

In the above-mentioned and other breaches, my personal data like my name, email, phone number, pin, physical address, purchase history, DOB, and even password got compromised. Any attacker with this much info can easily create a fake identity in my name and do whatever the attacker wants. If I had kept the same password for each service, then I would have lost all my online accounts on every website, including my email and bank accounts.

In 2015, India was fighting for Net Neutrality and against Facebook’s internet.org. More than 1 million netizens filed an online petition to TRAI (Governing body in India) to support net neutrality. TRAI put all those 1 million emails and mobile phone numbers on their website. It was very easy for anyone to download or scrape those details. Any marketing company would happily pay millions of rupees to anyone who can provide 1 million active emails and phone numbers.

It’s not wrong to say that data is the new gold, and personal data is the gold mine.

Let’s Protect Privacy

1. Web Browser

We use a browser to browse various websites. We may compromise our data if we visit a vulnerable website, but what if your browser itself breaches your privacy even when you are not visiting any website?

Each browser collects some data and sends it to the company that developed the browser. The most popular web browser, Chrome, transfers tons of data to its parent company Google. That’s why such a wonderful browser is available free of cost: you are paying the price with your personal data.

There is a very popular study done by Douglas J Leith from Trinity College Dublin, who tested 6 popular web browsers, and analyzed what data these browsers share with their parent companies. The study involved Chrome, Firefox, Edge, Safari, Brave and Yandex Browser. Link to the paper — https://www.scss.tcd.ie/Doug.Leith/pubs/browser_privacy.pdf

The shared data included the IP and MAC address, and in some cases even the browsing history and page content were transferred. Based on the study, the web browsers were grouped into three categories from the privacy perspective.

  • Worst — Edge and Yandex (shares IP, hardware serial number, MAC address)
  • Average — Chrome, Safari and Firefox (client identifier, no hardware identifier. Firefox and Safari slightly better than Chrome)
  • Best — Brave (Most private web browser. No identifiers sent.)
  • Honorary Mention — TOR Browser (Completely Anonymous, but opens up the portal to darkweb too)

Conclusion — If you are a privacy-conscious user then Chrome shouldn’t be your choice of browser at all. Either use Firefox with extensions or privacy-focused browsers like Brave and Tor.

2. Search Engine
The search engine market is completely monopolized. More than 90% of the market share belongs to Google. The next closest competitor is Bing, which has a market share in single digits. These search engines not only capture your private information, but also censor or modify the search results. The search results are not neutral, and you are also compromising personal data. Here are some of the private search engines, which provide you unbiased search results without tracking your IP, cookies or any other personal information.

If you are using Mozilla Firefox or Google Chrome, you can still use DuckDuckGo as the default search engine. Just go to settings, search for “default search engine”, and change the search engine from Google to DuckDuckGo.

3. Passwords

The best defense mechanism against compromised data and breaches is the use of a unique password for each service or website. We all know that a strong password must be at least 10 chars long and must contain small and capital characters along with numbers and special chars. Often people form the password as a combination of their name, birthday date, or the names of their loved ones. That’s a really bad practice, and gives the attacker an upper hand in guessing your password using a dictionary attack.
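The rules in the paragraph above can be checked mechanically before a password is ever used. The following is an added example, not code from the original article; the function names, the birthday formats and the substitution table are assumptions, and the sample inputs are constructed.

```python
import re
from datetime import date

# Common character substitutions, undone before looking for names,
# so that "Pr1y@" is still recognised as "priya".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

def personal_tokens(names, birthdays):
    """Build the strings a guesser would try first: name parts and date forms."""
    tokens = set()
    for name in names:
        for part in re.split(r"\W+", name.lower()):
            if len(part) >= 3:          # ignore initials and very short parts
                tokens.add(part)
    for d in birthdays:
        dd, mm, yyyy = f"{d.day:02d}", f"{d.month:02d}", f"{d.year:04d}"
        tokens.update({yyyy, dd + mm, mm + dd, dd + mm + yyyy, mm + dd + yyyy,
                       yyyy + mm + dd, dd + mm + yyyy[2:], mm + dd + yyyy[2:]})
    return tokens

def audit_password(password, names=(), birthdays=()):
    """Return a list of findings; an empty list means no rule was violated."""
    findings = []
    if len(password) < 10:
        findings.append("shorter than 10 characters")
    for label, pattern in (("lowercase letter", r"[a-z]"),
                           ("uppercase letter", r"[A-Z]"),
                           ("digit", r"\d"),
                           ("special character", r"[^A-Za-z0-9]")):
        if not re.search(pattern, password):
            findings.append(f"no {label}")
    lowered = password.lower()
    unleeted = lowered.translate(LEET)
    for token in sorted(personal_tokens(names, birthdays)):
        if token in lowered or token in unleeted:
            findings.append(f"contains personal detail '{token}'")
    return findings

if __name__ == "__main__":
    # Constructed sample: passes every character rule, yet is built from
    # a first name and a day/month of birth.
    for finding in audit_password("Priya1508!", ["Priya Sharma"],
                                  [date(1990, 8, 15)]):
        print(finding)
```

A password can satisfy the length and character rules and still be flagged, which is the case the paragraph describes.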

Every first Thursday of May is celebrated as World Password Day globally. It’s a reminder to each netizen to reflect on their poor passwords, and take their online security seriously.

So, always create and use a unique, complex password for each website and service. One good technique to create a complex password manually is the diceware technique.
https://theworld.com/~reinhold/diceware.html

You can visit the following link and check the strength of any random password. I would not recommend entering your real password, but you can enter something similar to check its strength. https://howsecureismypassword.net/

It’s not easy for a normal human to remember hundreds of unique and complex passwords. I would recommend using commercially available password managers. These are not free tools or software, and require a subscription fee. Remember, if you are not paying for a product, then you are the product.

Password Manager
Password managers make life easy by managing unique passwords for each service or online account. They are an effective way to secure all your online accounts. Some of the well-known password managers are as follows:

  • LastPass
    It works as a web browser extension, is cloud based, and a mobile app is also available. Data gets encrypted locally before being stored in the LastPass cloud.
  • 1Password
    It works as a web browser extension, a desktop app (Windows and Mac) and a mobile app. It stores passwords, payment card info and notes locally, but also syncs with the cloud periodically.
  • Enpass
    Stores passwords and other information locally, and provides an option to sync with the cloud on demand. No account or subscription is needed for desktop use, though it charges for mobile devices. Available as a browser extension for desktop.
  • KeePass and KeePassXC (community edition)
    It is one of the oldest password managers, and stores data locally. An option is available to sync the encrypted data with any popular cloud. KeePass doesn’t require any account creation, it’s open source, and it is available for all platforms.
  • Dashlane
    Similar to other password managers, Dashlane also stores data locally but allows cloud sync. It requires an account, and offers both free and paid plans. It alerts you as soon as any online account is compromised in a breach.
  • BitWarden
    BitWarden is an open source password manager, but it is commercial. It requires an account, and is available for all platforms. Stores data locally but allows cloud sync.
  • Master Password
    This password manager is very different from other password managers, because it doesn’t store your password information anywhere. It generates the same password every time by using a complex algorithm that takes the username, website and master password as seed values. It is an open source tool.
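
The stateless approach described for Master Password (nothing stored, the same password recomputed from username, website and master password) can be sketched as follows. This is an added example, not code from the article and not the tool's actual algorithm: the salt string, scrypt parameters, character sets and function names are all assumptions.

```python
import hashlib
import hmac

# Assumed character classes; a real tool defines its own output templates.
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
DIGIT = "0123456789"
SYMBOL = "!@#$%^&*-_=+"
ALL = LOWER + UPPER + DIGIT + SYMBOL

def _field(value: str) -> bytes:
    """Length-prefix a field so ("ab", "c") and ("a", "bc") never collide."""
    raw = value.encode("utf-8")
    return len(raw).to_bytes(4, "big") + raw

def master_key(username: str, master_password: str) -> bytes:
    """Slow, memory-hard step: makes guessing the master password expensive."""
    salt = b"example-stateless-pm" + _field(username)   # assumed salt prefix
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=2**14, r=8, p=1,
                          maxmem=64 * 1024 * 1024, dklen=64)

def site_password(key: bytes, site: str, counter: int = 1, length: int = 16) -> str:
    """Fast per-site step: same inputs always give the same password."""
    if not 4 <= length <= 63:
        raise ValueError("length must be between 4 and 63")
    msg = _field(site) + counter.to_bytes(4, "big")
    stream = hmac.new(key, msg, hashlib.sha512).digest()   # 64 bytes
    # One character from each class, the rest from the full alphabet.
    # byte % len() has a slight bias, acceptable for a sketch.
    classes = [UPPER, LOWER, DIGIT, SYMBOL] + [ALL] * (length - 4)
    chars = [cls[stream[i] % len(cls)] for i, cls in enumerate(classes)]
    # Rotate so the forced classes do not always sit in the first positions.
    k = stream[63] % length
    return "".join(chars[k:] + chars[:k])

if __name__ == "__main__":
    # Constructed sample inputs.
    key = master_key("alice", "correct horse battery staple")
    print(site_password(key, "example.com"))
    print(site_password(key, "example.com", counter=2))  # rotated password
```

Raising the counter gives a new password for one site after a breach without changing the master password; the trade-off is that anyone who learns the master password can recompute every site password.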

Autofill, an offline random password generator of desired length, payment card info, encrypted notes, and alerts for old and weak passwords are some of the good features available in almost all of the above password managers. Using any password manager is still better than writing passwords on sticky notes or saving them in browsers like Chrome or Firefox. These password managers offer paid subscriptions ranging from $2 to $5 per month for the whole family. Privacy is priceless, and 2 dollars per month is a very cheap price to protect it.

My personal favorites are Dashlane and KeePass.

4. Browser Extension for Privacy

  • uBlock Origin
    Better than Adblock Plus. It is a universal content blocker, thus it eliminates the need to install multiple add-ons.
  • NoScript (Firefox) & ScriptSafe (Chrome)
    These are script blockers which block JavaScript code from malicious websites.
  • Privacy Badger
    This is an intelligent blocker which learns over time about those websites that are trying to track or fetch user information, and blocks them.
  • HTTPS Everywhere
    This extension makes sure that you are always visiting the https version of a website, and thus makes sure your data is encrypted.
  • Disconnect
    This extension blocks trackers and offers private search. This add-on also provides a VPN service.
  • Self Destructing Cookies
    This is a very useful extension because it automatically destroys a website’s cookies once the browser tab is closed. This extension provides whitelisting in case you want to retain active logins.
  • BetterPrivacy
    This extension deletes super cookies. Super cookies are different from normal cookies because they don’t get deleted even if you clear the entire browser history. These cookies are almost always used to track the user.
  • Decentraleyes
    CDNs, or Content Delivery Networks, are used widely nowadays because they speed up loading time. The issue is that almost all websites use a handful of CDNs, so it becomes easy for these CDNs to track users across different websites. Decentraleyes blocks connections to these CDNs.
    It would require another article to talk about CDNs in more detail.

5. Maintain Anonymity
It is easier to maintain anonymity than to protect privacy. Anonymity can be maintained using various techniques and some fake data. You are interested in using the web application or visiting the website, so it’s not necessary to always provide your real personal information. Here are some tools and techniques to maintain anonymity without compromising your interests.

  • Disposable Emails
    There are many disposable email services available for free. Why give your real email ID if the website doesn’t allow you to proceed without signing up for its newsletter? Use trash emails as much as possible to log in and register yourself. Some of the popular trash email services are:
    https://10minutemail [.] com
    https://maildrop.cc
    https://www.guerrillamail.com/ (my personal favorite)
  • BugMeNot
    Why create a new account on any website, if there are already a lot of publicly shared accounts available for use? This is an ideal solution where websites don’t allow you to access their content without signing in.
    http://bugmenot.com/
  • Fake Name Generator
    Fake Name Generator generates a fake profile for you to fill in online. It even provides a fake phone number, address, payment card, vehicle details, website, email, etc.: everything that you would need to create an account on any random website. This website doesn’t support Indian names or addresses, but isn’t the very idea of anonymity that you don’t provide your real data? So wear an American or Chinese or Brazilian or Icelandic or any other identity.
    https://www.fakenamegenerator.com/
  • Private Emails
    Public email services like Gmail are good, but not private. Your emails can be used to track your personal information and also the content of emails can be read to target content specific advertisements.
    Use a private email service, that may be free with limited space or may cost very little.
    https://protonmail.com/
    https://mailbox.org/en/
    https://posteo.de/en
  • VPN
    A very popular, tried and tested way to maintain anonymity online is by using a VPN or proxy server. Your content gets encrypted, so even your internet service provider cannot track your activities. Like I mentioned several times above, do not go for a free product (FOSS is an exception), because if a product is free, then you are the product. The same goes for VPNs. Nowadays VPNs have become very affordable and cost very little. Connect to a VPN and see how much information you are leaking at https://ipleak.net/
    There is a good amount of information available about various VPN providers, along with a comparison chart, at https://www.safetydetectives.com/best-vpns/
    https://protonvpn.com/
    https://www.expressvpn.com
    https://nordvpn.com/
  • DNS Server
    If you use a VPN but do not change the public DNS server, then the ISP can still track your web traffic. It is important to change from a public to a private DNS server to maintain anonymity.
    https://1.1.1.1/ (it’s an actual website about a free and private DNS server by CloudFlare)
  • Cloud Drive — File Encryption
    There are multiple cloud storage providers like Google Drive, Dropbox, box, etc. You can encrypt your files using the following open source tools when storing them on public cloud storage.
    https://cryptomator.org
    https://www.axcrypt.net

Beyond the tools mentioned so far, if you want to know more about other privacy tools, add-ons, extensions, browsers, VPN, DNS, email providers, social networks, hosting services, software, etc., then go to the following link to see a categorized list of everything you would need to maintain your online privacy.
https://www.privacytools.io/

6. Operating System

Edward Snowden is a well-known name, a former employee at the NSA, USA. Edward revealed a lot of confidential information, and exposed the extent to which governments are spying on everyone. You can follow Edward’s recommended tools or software that he mentions in his online public posts. The most often overlooked piece of software from a privacy perspective is the operating system.

Mac OS is considered a better and more private OS, but since it is closed source and under the jurisdiction of the US Govt, we can never be 100% sure that there is no infringement of privacy through back doors.

Linux distributions like Fedora, Ubuntu, Mint, Debian, etc. are a step forward towards a more private OS, because these are open source, but still these are not completely secure.

In the past, Edward Snowden has used an OS called Tails. Tails is designed to be booted as a live DVD or flash drive, and leaves no trace behind. Of course this OS cannot be used as a replacement for a permanent OS, but it can definitely be used for some sensitive tasks. Tails is a private and portable OS. The best advantage is that you can carry the OS and your encrypted personal files along with you, and open them again on anyone’s computer.

Later, Edward recommended another OS called QubesOS. This OS can be used as a permanent OS. The main idea behind Qubes is “security by isolation”. All programs like the browser, office suite, email client, etc. are executed in a local virtualised environment, thus isolating programs from each other, and it also uses sandboxing to isolate the storage and networking components. The cherry on top is that Qubes is also compatible with software made for Windows. Even the browser tabs are opened in their own isolated containers, thus restricting the sharing of cookies and other details. Of course a small trade-off is required to get this enhanced privacy and security, and the trade-off is with respect to hardware capacity. It requires more RAM and CPU processing power.

https://www.qubes-os.org/intro/

7. Other Important Steps

  • Use of virtual phone numbers
    Virtual phone numbers are freely available and can be used on top of your actual number. These can be easily discarded in case of breach without compromising your actual number.
  • Use of post boxes
    Post offices and other providers provide a service to get a post box that acts as your permanent address. You don’t have to reveal your actual permanent residence address to strangers or websites online.
  • Remove personal information
    It’s possible to remove any search result that is linked to your personal information. You can request Google or Bing to remove search results.
    https://support.google.com/websearch/troubleshooter/3111061?hl=en
  • Use of Virtual ID
    Very few people know that you can use a virtual ID instead of your Aadhaar number everywhere.
    https://resident.uidai.gov.in/vid-generation
  • Use multi factor authentication
    Use multi factor authentication based on physical USB keys or apps like authenticator. MFA is a good mechanism to save your online accounts even if the password gets compromised.
  • No nick names or pseudo names
    Some users do use separate email addresses for multiple services or websites, but often they keep same pseudo name or nick name. It’s very easy to search based on pseudo name and find out all the accounts even if separate email addresses are used.
    Imagine a hateful or racist post which you wrote on social media 5 years back out of rage or on the spur of the moment, and that post coming in the way of your new employment during the background check. Nowadays all major corporations check your social media posts, likes and endorsements during the background check in order to make a psychological profile and see if you will be a fit for the organization. We all know how a social media post by a public figure can be used against them years later.

8. Incognito is a myth
It is a misconception among many that the use of incognito mode protects them from everything, that they cannot be tracked and that no personal information is leaked if incognito mode is used. This is a myth and a completely wrong perception.
Incognito mode just avoids storing any cookies or browsing history on your local system. It offers no protection such as hiding your IP or your web traffic, or preventing tracking and personal info leakage. It’s better to use a VPN with private DNS rather than incognito mode in order to truly protect yourself.

Delete Me

If you want to rectify all your past mistakes which might have compromised your privacy, then fortunately there are some services available that remove your personal data from the internet, and thus make your life more secure.

Delete Me is a service that offers to delete your digital footprints and personal information from the internet. They charge a very minimal amount for their hard work, and they also offer a DIY guide in case you want to do it yourself and don’t want to pay.

Website — https://joindeleteme.com/
Delete me example report — https://joindeleteme.com/example-report.pdf
Delete me DIY guide — https://joindeleteme.com/help/diy-free-opt-out-guide/
Delete me tips to maintain privacy — https://joindeleteme.com/help/deleteme-help-topics/privacy-tips/

Conclusion

Privacy impacts you, your loved ones, your society and your country. This is a serious matter, far more serious than we can think and imagine. We hardly think about the repercussions at personal, national and international levels. The personal privacy or collective privacy of each of us impacts every one of us indirectly or directly.

The most common example is the 2016 elections, where your personal data was used to monopolize elections, thus causing a chain reaction which resulted in riots, warfare and global political tension.

Another recent example of the privacy impact is the case where the Indian man returned from a Saudi prison after 20 months. He was imprisoned for a blasphemous post made from his Facebook account. The investigation revealed that the post was made from his compromised account. No one can return those 20 months back to the man and his family. https://www.aninews.in/news/national/general-news/man-held-in-saudi-arabia-jail-for-facebook-posting-he-did-not-make-returns-to-india-after-20-months20210819132827/

We do not need privacy only against hackers or attackers but also against big corporations, government institutions and agencies.

I didn't even discuss the backdoors, or how the use of the microphone in your mobile phone or smart assistant devices like Alexa or Google Home is breaching privacy, which is far more serious than whatever is discussed above.

Protecting privacy online is an ongoing process, and it’s not about not giving information but more about protecting the information. If a random person asks for your phone number you will ask 10 questions and still won’t share the details, but online you provide the same data without a second thought.

I would highly recommend restricting or minimizing the use of platforms like Facebook, Instagram and Twitter, and instead using free and open source social media alternatives which do not track your information.
https://itsfoss.com/mainstream-social-media-alternaives/

Let’s rethink the importance of Privacy and try to keep it Private.
