The Startup
Published in

The Startup

Owning Your Digital Footprint | What, Why, and How

Hey there!

In the wake of Instagram’s latest privacy policy update (which Madonna has taken to town), it feels timely to mull over the subject of digital privacy, the phrase which has made this guy a leading contender for Earth’s Most Evil Face.

But this is every other college nerd. Damn!

This post will cover:

  1. What digital privacy is, and why it’s important
  2. How people have been affected by digital privacy issues
  3. What you can do to take back ownership of your digital footprint

What you are about to read from here is heavily hyperlinked. While I would be honoured if this post is taken at face value, I encourage you to go down the rabbit trail and explore the subject in more depth from people who know better.

2013 was the year when terms like ‘online privacy’ and ‘digital footprint’ burst into the public discourse.

That was the year Edward Snowden’s revelations of global mass surveillance hit the world like a speeding freight train, generating polarized reactions. The US government went into PR mode, labelling Snowden a traitor and trying to convince the public that this program was necessary to prevent another 9/11, while numerous supporters of privacy and liberty were outraged by this unconstitutional overreach, demanding that mass surveillance be reigned in.

In the meantime, Big Tech companies were silently building a treasure trove of their own. Unlike the NSA, they didn’t have to resort to unlawful interception and snooping of communications to build a database. In exchange for conveniences like sharing photos and chatting with others, people were willingly handing over their private data to Amazon, Facebook, Google et al.

This led to incidents like the below.

Remember this?
  1. Cambridge Analytica scandal: Data gathered from Facebook without user consent was used for targeted political propaganda and is believed to have played a significant part in deciding the outcome of the 2016 US presidential election and the Brexit referendum.
  2. Zynga 2019 breach: Up to 218 million players of the Facebook-interfaced gaming company were affected, with their Facebook IDs, phone numbers, email addresses and Zynga credentials exposed.
  3. Equifax breach: Personal information of Equifax customers such as names, addresses, dates of birth, social security numbers and driver’s license numbers were exposed. To the best of anyone’s knowledge, these details were not leaked or sold, meaning the attackers’ true goal is unknown.

I’m sure you’ve heard of a few others. Cambridge Analytica aside, it is easy to dismiss most of these as “security incidents” — The companies were ‘hacked’, which is completely their fault, but if they fix that bit, everything’s surely peachy?

Not really.

First, it’s not ‘fine’ so long as they aren’t ‘hacked’. Regardless of how good their data security is, companies whose livelihood depends on selling and/or repurposing your data are the tipping point of a slippery slope, as this post will go on to explain.

Second, a breach is only as damaging as the sensitivity of the data that gets exposed. While you can’t control another organization’s security practices, you can try to control what information these entities are privy to in the first place, particularly entities which share this information with third parties who may not have good data security.

Which brings us to… Online privacy.

Why should anyone care about online privacy?

The misconception that privacy is about “hiding something wrong” is enthusiastically propagated by authoritarian proponents of surveillance. In truth, online privacy serves the same purpose as offline privacy (Think doors and windows, locks and curtains, vaults and safety deposit boxes) — To guard the things you value from nefarious actors. While you may be an upstanding individual with nothing to hide, this doesn’t mean the data you hand over can’t be misused.

Just because you can’t see it doesn’t mean it’s not happening

It shouldn’t take a lot of imagination to think of ways access to the below could lead to bad outcomes:

  1. Contacts list
  2. Browsing history
  3. Location
  4. Permission to make calls
  5. Permission to read texts
  6. Photos
  7. Interests

There is a full range of possibilities right from benign to Black Mirror. While the most obvious applications — ad targeting, showing you “On This Day” memories, suggesting friends and groups — are the most harmless and the most visible, the same data can be and have been used in nefarious ways:

  1. Spam emails/calls from third parties who bought your contact information
  2. Target masses of people with political propaganda/fake news. Facebook and WhatsApp have been especially prominent in these abuses.
  3. Censoring speech and behaviour: When governments start to define dissent as a cyber-crime and come knocking for ‘help with investigations’, do you think companies in lucrative markets will protect their customers at the cost of losing business, or… comply? How about going a step further — rewarding or ostracizing citizens and those around them based on whether their behaviour is state-approved?
  4. Identity theft: Not only would an Equifax-like breach enable this in a practical sense, even ‘only’ losing your username/email address could be terrible. After all, people on social media are fond of listing their date of birth, hometown, favourite sports teams, favourite books/movies, naming and tagging their family etc — which also happen to be answers to common security questions. There are also government agencies and corporations who think password-protecting files with your sensitive data using a concatenation of your name and date of birth is a great idea.

What about legal recourse?

Consider, for example, what would happen if any democratic government suggested that their country’s postal service — in exchange for no longer being funded by taxpayer money — could now track people’s movements, who they meet, what they do on a daily basis, record their names, addresses and contact information and sell all this information to the highest bidder (who may not protect this information well, or at all). One would imagine this referendum would result in a lopsided NO from the public. This is surely an overreach for enabling communication?

Yet, there is no better illustration of how legislation has been left in the dust by technology that the analogy mentioned above is exactly the nature of our relationship with Big Tech, allowed to continue for years to this day. In fact, they are now bold enough to be brazen about it.

We willingly give up unimaginable amounts of data about ourselves in exchange for the privilege of instant communication. The nature of technology makes it all too easy to neglect privacy. Unlike the violating mental image of a postal service employee matching you stride-for-stride from 20 yards away, tracking via software is out of sight, and out of mind.

But hey, instant messaging!

There is now a realization among the authorities that citizens are, by and large, incapable of grasping the nature of what they are signing up for with these services and laws have started to evolve (depending on the country you’re in) to protect the end user. However, there is still a way to go.

The questions that are now being asked of Big Tech are long overdue, and the problems are beyond even their own control. Damaging incidents are mostly met with apologies, perhaps a fine or two, but precious little by way of compensation for the hordes of compromised and violated users.

So, what can you do?

I can’t just live without technology!

You don’t have to. For various reasons, convenience (What can you do about Big Basket? Precious little, particularly during a pandemic) being prime among them, an outright digital detox may not be feasible, or even desirable.

Did the Unabomber have a point though?

However, when selecting a service, you can put transparency and privacy first, and actively assume the role of gatekeeper of your data, controlling what is shared, with who and for what purpose. There are privacy-friendly services that provide the same convenience as leading online services:

  1. Messenger/WhatsApp -> Signal. Signal is an open-source messaging application funded by the Freedom of the Press Foundation, a crowdfunded non-profit whose other projects include Haven and Tor. This means, among other things, that your information will not be sold, they have no incentive to buckle to authoritarian pressure, and you can verify that the app does what it is claiming. It has all the same conveniences as WhatsApp but is security-first and privacy-first.
  2. Google Chrome -> Tor or Mozilla Firefox. As defined on Wikipedia, Tor is a free, open-source browser that enables anonymous communication by directing traffic through a vast volunteer overlay network with over 7,000 relays. While Firefox’s long-held claim that it is better than Chrome at memory consumption isn’t strictly true (You can fix this by visiting “about:memory” on Firefox and minimizing the usage), it is privacy-first, and comes with a host of add-ons (Like the Facebook Container extension) and settings to keep your browsing experience private. This would be less reliable than Tor, but preferable if you don’t want websites or your work admin to know you’re using Tor. Tor is known to be slow due to its network relays, and certain websites throttle your UX if they know the visitor is using Tor (Eg. You can’t edit Wikipedia articles using Tor).
  3. Facebook/Twitter -> Reddit. Facebook sure has some great groups and pages. However, so does Reddit, which has a rich collection of communities (called subreddits, or subs) that are moderated strictly to protect the users of any given sub. The status quo on Reddit is anonymity — Expect sound, well-researched advice from people calling themselves something like ArmPitHair451. You may need to give up any desire to have the content you post be attached to your identity. While there is nothing stopping one from using Reddit with their real name, it defeats the point.

That said, a digital detox really isn’t a bad idea. Social apps (including Reddit) are designed to be addictive, and getting away from the cesspit of likes, retweets and comments can be good for your brain. However, that’s a topic for another day.

But everyone I know is already on Facebook/WhatsApp/Instagram…

Sure. You can’t convince everybody to make the switch, and network effects can’t be understated. In countries like India, where the Facebook family of apps is the default for online communication, detachment from this ecosystem can even feel like tossing away your phone. That said, you can give it your best shot, starting with the information discussed in this post :)

The barrier for entry to the mentioned alternatives is quite low — Just install a different app and go!

What’s the point? They’ve already got so much of my data.

This doesn’t mean we have to keep feeding data to them. Consider the past as a sunk cost and move ahead. You can prevent untrustworthy actors from continuing to have access to your data and your life. There are also ways to undo/minimize damage, should you need to continue using these services:

  1. Check your privacy settings. Really, really well.
  2. Prevent Facebook from sharing your data for ad-targeting or logging into other websites.
  3. Clean up Connected Apps and privacy and data sharing settings on Twitter.
  4. Manage the data that Google has on you.
  5. Delete/Deactivate your account: The nuclear option. This is something to consider if you want your profile to be completely inaccessible. Be sure to carefully explore the options, should you want a way back.

Other ways to control your digital footprint

Social apps/sites certainly form a prominent part of your digital footprint. However, their tactics have been exploited across the internet to snoop on you and gather data.

Here are some ways to protect your privacy as you browse. You lose almost no convenience by doing the below, but you gain a lot in terms of privacy.

Stock images are so cool! Yes? :(
  1. Cookies — Several websites bombard every visitor with a popup asking for cookie permissions, with the ‘Accept all’ option made prominent and attractive. Don’t “Accept all” — Always select the option to modify settings. This will let you de-select all the unwanted tracking and third-party cookies, leaving only those that the website absolutely requires. Sites count on people valuing these few seconds too much to bother with not siphoning away their data to all sorts of third-parties. Also make sure to regularly clear cookies (sparing only session cookies if you hate repeated logins).
  2. App permissions — If in doubt, deny. There’s no reason a calculator app needs access to your location, address book, camera and microphone. In fact there’s a good chance that these apps are asking for random permissions to track you and promptly pass data to Facebook, which you should check here. (Imagine my surprise to find BookMyShow and little old Sudoku on the list…)
  3. No saved card details — Do not save your card details on any website if you can help it. This removes the risk of these details getting exposed in a leak. Those extra moments punching in the number are surely worth the peace of mind.
  4. Check if you have been compromised. Immediately go about securing the concerned account if so. 2FA is the way to go, so do enable it if you don’t have it.
  5. VPN — Use a Virtual Private Network to access the internet. This makes it harder to snoop on your IP address and physical location. Corporate VPNs aren’t quite the same by the way, so don’t run amok with your work computer. In fact, just don’t run amok — VPNs are not a silver bullet. VPN companies located in Switzerland *should* be trustworthy, but it’s often better to browse with Tor (live with slightly lower speed and more Captcha tests) if you can.
  6. If not Tor, browse incognito as much as you can. Ignore the noir-themed icon of a shady unknown person, it is not (always) about hiding something wrong. Do note that unlike Tor, which routes traffic via several nodes distributed worldwide, private browsing will NOT make you ‘anonymous on the internet’, merely keeping your browsing activity from anyone else using the same computer. Note that with either Tor (which stores no cookies) or private browsing, and you have to log in to every site afresh. Speaking of logins…
  7. Use a password manager. Human memory is a terrible thing that sometimes forces people to pick the same easy password for everything, but the only thing worse than that is the risk involved in having your browsers remember credentials.
  8. Burner email IDs — A great way to safeguard yourself from both third-party spam and compromises in security incidents is to create and use a throwaway email address when signing up for a service you don’t trust. Or even if you do trust — I can’t remember the last time I had to use email to interact with a service anyway, everything should be possible in-site or in-app. The GMail process can feel cumbersome and is not very private, so you can try quick and easy services like 10 Minute Mail.
  9. Lock devices with codes, not biometrics. Not only are biometrics not that great to begin with, but do you really need these in the hands of some corporation, or an unknown third party? It’s even worse if you use facial recognition — Someone could unlock your device while you’re asleep and be long gone before you are any the wiser.
  10. Tape your webcam. There’s a reason James Comey, Edward Snowden and Mark Zuckerberg (Yes) do it. As far as possible, place your phone with its microphone blocked for good measure.
  11. Think twice about any interaction with tech. Do you really need those 5 loyalty points or random crypto tokens for linking your socials? And consider just how much you need that voice assistant.
  12. No work on mobile — You will likely have to agree to work computer monitoring when you join a company. However, you can control how invasive this gets. Syncing your work account with your mobile is probably where you should draw the line. Mobile Device Management policies often go far beyond what is necessary, sometimes requesting permission to purge the files and media on your phone (!) in case they deem it necessary. This overreach is quite needless, and besides, do you really need your work account on your phone? You likely already spend several hours logged in and available on your work computer, and if something’s that urgent, people will call.
  13. Chat shit, get banged. If you’ve posted some troublesome content, track down and delete it before anyone sees/bumps it. Or don’t post it in the first place. There are no other ways to save you from yourself.

In conclusion…

  1. Online privacy is important. It isn’t only necessary for people with something to hide, and the downsides of being carefree about it are potentially massive.
  2. Just because a site/app has been tracking you thus far doesn’t mean there is no value in putting a stop to it now. After cleaning up your digital footprint, you can either migrate to popular privacy-first services or continue using the same services with religiously monitored settings and as clean as a slate as you can manage.
  3. Social apps get a bad rap, but there are other ways your privacy can be violated. A few minor practices to handle these would go a long way in managing your digital footprint and securing private information.

I would love to hear your thoughts, so do comment liberally

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Aki

Aki

Follow if you like what you read