In the first half of 2017 alone, more private data records were exposed than in the entire year prior.  Despite this, up to 80 percent of us use the same password for all of our accounts online. 
Clearly, the fact that so much of our personal information is vulnerable online is lost on the average Internet user. According to Digital Security consultant Rob Pope, even high-profile public figures often fail to realize the importance of keeping their data secure. “In spite of everything you stand to lose from a data breach, few people take digital privacy seriously — let alone spend time or money keeping their devices secure,” said Pope.
In practical terms, “privacy” refers to the degree of control you have over your anonymity and security online. It’s also a benchmark that can be used to gauge the amount of risk you are facing at any given time. In this post, we’re going to lay out everything you need to know about protecting your privacy online in 2018 and beyond.
Who’s watching you?
There are a variety of nefarious types online who are looking to gain something at your expense. Who are they? Let’s take a look:
Hackers
Although this term is grossly overused today to the point of blurring its definition entirely, these are individuals out there looking to “hack” into your personal information, either for personal or political gain, or just for the sheer anarchistic entertainment value of the act.
The methodology used by petty cybercriminals can vary, but it often involves gaining access to sensitive information such as bank account numbers, passwords, or government documents like social security cards. This can lead to digital theft, as well as to unchecked identity fraud if immediate steps aren’t taken to halt the attacker’s actions.
Advertisers
Advertising has had a presence on the Internet since nearly day one, and today, the practices used by companies all over the world to gain insights into how you browse (and how you spend your money) are more complex and controversial than ever before.
Industry titan Google accounts for an awe-inspiring 33 percent of the world’s $223.7 billion in digital ad revenue for 2017 alone. Its robust content delivery network and ad-tracking services operate in all corners of the web, making it an ever-present force lurking behind most of the pages you’ll end up visiting.
NSA & Other Governmental Groups
There are many reasons why certain groups of governing bodies would want to track your habits online, with the main one presumably being to combat terrorism and crime. Regardless of the “why,” we know that this is a common practice of many different agencies charged with civilian oversight.
Situations like the groundbreaking NSA leak perpetrated by former CIA analyst Edward Snowden have shifted the public dynamic considerably in recent years, opening the door to the realization that the powers that be may not always have our best interests at heart.
Internet Service Providers
This is a big one. With a recent bill passed through Congress allowing ISPs to begin selling off their users’ data habits, this issue is only going to become more pervasive as time goes on.
ISPs have some of the most robust, complete data-acquisition methods around, and as such, their newfound ability to sell off this information can only mean that your online habits will be more exposed than ever before.
How are they watching?
The groups above have a constantly evolving arsenal of tools that they can use to keep tabs on your actions online, some of which are more involved than others.
Metadata gathering
Metadata is essentially data that refers to or informs other pieces of data. As such, it often contains seemingly innocuous information, so why the commotion over others collecting and studying it? While many websites only record the latest time you’ve accessed their content, some can actually keep a historical track record of your movements on their servers. This can even mean tracking your IP address, potentially identifying where you are logging in from in the process. In the wrong hands, this information could be used in a variety of potentially worrisome ways.
This brand of cybercrime usually involves some form of deception, commonly in the form of a misleading email, text message, or other form of communication. For instance, you may receive a message from someone claiming to be a co-worker asking for a sensitive piece of information, or an email from a source claiming to represent a legitimate business (Facebook, Amazon, etc.) asking for your password. It almost always includes an attractive incentive that sounds too good to be true, and yet, more than 80,000 users fall for it and take the bait each and every day.
Password leaks
We all have an ever-growing library of passwords that we use to access the various online platforms we use day in and day out, and occasionally, a company slips up and this data is exposed. This can happen because of an honest mistake, or as the result of a targeted, multi-stage attack, and in either case, the victim count can (and often does) number in the millions.
3rd party cookies
Cookies were first conceptualized as a way to make browsing the web more convenient and fluid by keeping certain pieces of information on-hand in your local browser. On the bright side, they’ve handily achieved this goal when it comes to forms, login persistence, and other quality of life features.
There’s a dark side to cookies, however, and it centers around special “tracking cookies” which can be programmed to track and report back to a group your activities online.
Website trackers
Website trackers are a suite of tools used by the owners of the site to gain insight into how you are interacting with the content and design. Admins use these tools to determine how long you visited the pages you go to, where your attention was centered, and why (and when) you ultimately left.
Tracking links
Tracking links were created to help marketers understand how effective their promotions are in real-time. When clicked, these links can report a variety of information, such as how long you viewed the content on the other end of the link, whether or not you made a purchase, and more.
Email trackers
Email trackers are similar to tracking links in that they help report on your activities based around a particular email. Marketers use this to see how often you are opening and reading their emails, as well as whether or not you are interacting and clicking on content within the body of the message.
There’s a positive spin to be had here, thankfully. Device fingerprints have been used in recent years to help with the detection and prevention of identity theft and credit card fraud cases, and security teams are only just exploring their true potential for proactive prevention.
Basic browsing privacy
When browsing the web on your devices, there are a few simple steps you can take to regain a bit of control over the digital wake you leave behind. Let’s take a look at a few of them:
Managing your cookies
We already covered the basics of cookies above, so how can you ensure that yours don’t betray you? Frequently clearing out your cookie list is a good start, but browser extensions such as EditThisCookie for Chrome give you expanded control over your online presence, allowing you to add, delete, change, or block any cookies you choose.
Two-factor verification is your friend
One of the easiest ways to stop a would-be robber from breaking in and stealing your valuables is to add another lock and key to the equation, and that’s exactly what you’re doing when you use two-factor verification. More websites and services are offering this feature than ever before, and for good reason; according to online security firm Symantec, up to 80 percent of the world’s security breaches could be prevented using this method.
Disable Flash
Adobe Flash is dead. The once-ubiquitous rich content medium was dropped unceremoniously by Google at the end of 2016, and Adobe has announced its intent to kill the plug-in entirely by 2020. Seriously, people want it gone so badly that there are websites dedicated to killing it. By disabling it, you’ll eliminate one more potential vulnerability.
To disable Flash on Chrome, follow these steps:
- Type the following in your URL bar: chrome://plugins
- Locate “Flash Player” in your list of plugins. There may be more than one in your list.
- Select Disable on all of them.
Tracker blockers 101
Tracker blockers refer to any program that prevents website trackers from collecting and relaying back information on your online habits and actions. Browser extensions like Ghostery are dedicated to helping you identify and block trackers.
Using a VPN
By now, many of us are familiar with what a VPN can do when installed on our personal devices directly. For the uninitiated, Virtual Private Networks allow you to hide your browsing habits from your local ISP (and your government) by routing your data through a separate, encrypted channel.
Many different paid and free options are available, but as long as it can allow for concurrent connections (if you have more than one device) and doesn’t throttle your bandwidth, you should be alright with whatever you choose.
We’ve written a helpful guide to the top VPNs in 2019 to help you compare the different companies.
Check your pwn status online
Using the website haveibeenpwned.com, you can check your various email accounts to determine whether or not they have been leaked as a result of a data breach. The records go pretty far back, and also seem to be updated regularly, so it’s a good idea to check back periodically to make sure that your information is still secure.
Advanced browsing privacy
If you’re searching for more advanced browsing safeguards, you’ve come to the right place. Let’s unpack several robust tools used by savvy browsers to conceal their activities online.
Understanding TOR
Short for The Onion Router, TOR began life as a worldwide network of U.S. Navy-developed servers that allowed for anonymous browsing. Today, it’s a fully-fledged non-profit organization dedicated to the research and development of advanced privacy tools.
The Tor network masks your identity by routing your traffic across an array of random server nodes, encrypting and scrambling traffic so that it cannot be traced back to your specific location (or device). The free TOR browser represents one of the easiest ways to mask your movements online, but it is far less foolproof than many have assumed in the past.
Router-level VPNs
We covered the perks of using a basic VPN above, and it’s definitely something you should be doing on your main browsing device if you aren’t already. But what about your mobile phones, tablets, smart TVs and other connected devices? Enter the router-level VPN.
These networks provide a catch-all service for all connection points connected to your local WiFi environment. This means that it doesn’t matter whether you have a VPN running on a given device; all of them connected to the network will have their data routed through the VPN, allowing you to mask everything that happens on the network in one swift motion.
Network Monitoring
Network monitoring programs can help you regulate what your applications can and cannot send when connected to the Internet. While most applications send data that helps you, like automatically checking for updates for instance, some have more dubious goals in mind, such as trojans, spyware, and tracking software.
Software like Little Snitch for Mac users helps to manage which programs have full access to the Internet, including the ability to decide on a case-by-case basis what permissions you want to assign.
Extensions like uMatrix for Chrome allow direct control over all of your browser’s requests, allowing you to allow or disallow them on a case-by-case basis.
The state of email in 2017 is, at best, unstable. While the medium is still widely used and almost universally recognized, staying secure while sending and receiving messages has arguably never been more of a confusing and frustrating task than it is right now.
Free vs paid email services
Gmail is ubiquitous (and good, for being free), but there are also a host of companies popping up online who are offering extended security oversight in the form of a paid private email account. These services typically include end-to-end encryption with additional features like self-destructing messages and personal-information-free accounts.
Blocking email trackers
As we covered above, email trackers give individuals and companies insight into when you open their messages, and in some cases, it can even alert them to where you are when you do so. If you’d prefer not to share this information, here are a few methods you can try out to prevent the trackers from loading.
- Click on the gear icon and go to Settings.
- Under the General tab, scroll down to Images.
- Select “Ask before displaying external images.”
- Click Save Settings.
- Open the Settings app.
- Tap on Mail, Contacts, Calendars.
- Turn off “Load Remote Images.”
- Open the Gmail app.
- Select your account.
- Tap on Images.
- Select “Ask before showing.”
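The image settings listed above work because an email tracker is usually just a remote image: your mail client fetching it is what tells the sender you opened the message. The following added example (not part of the original guide) scans an HTML email body for remote images and flags the ones that look like tracking pixels; the sample message, host names and the size/hidden-style heuristics are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample HTML email body (not taken from a real message).
SAMPLE_EMAIL_HTML = """<html><body>
<p>Our spring sale starts today!</p>
<img src="https://cdn.shop.example/banner.png" width="600" height="200">
<img src="cid:logo@shop.example" width="120" height="40">
<img src="https://t.mailer.example/o?uid=8841" width="1" height="1">
<img src="http://metrics.example/p.gif" style="display:none">
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY_SIZE = re.compile(r"\s*[01]\s*(px)?\s*", re.I)  # width/height of 0 or 1 pixel


class RemoteImageFinder(HTMLParser):
    """Collects every <img> that would trigger a network request when shown."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        url = urlsplit(a.get("src") or "")
        if url.scheme not in ("http", "https"):
            return  # cid: and data: images travel inside the message itself
        reasons = []
        if any(TINY_SIZE.fullmatch(a.get(k) or "") for k in ("width", "height")):
            reasons.append("0/1-pixel size")
        if HIDDEN_STYLE.search(a.get("style") or ""):
            reasons.append("hidden by style")
        self.images.append({
            "host": url.hostname,
            "has_query": bool(url.query),  # often carries a per-recipient ID
            "likely_tracker": bool(reasons),
            "reasons": reasons,
        })


def find_remote_images(html_body):
    """Return one record per remote image in an HTML email body."""
    finder = RemoteImageFinder()
    finder.feed(html_body)
    finder.close()
    return finder.images


if __name__ == "__main__":
    for img in find_remote_images(SAMPLE_EMAIL_HTML):
        label = "TRACKER?" if img["likely_tracker"] else "remote"
        print(f'{label:9} {img["host"]:22} {", ".join(img["reasons"])}')
```

Even the visible banner in the sample causes a request to the sender's server, which is why blocking all remote images is more reliable than trying to spot only the invisible ones.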
Email Encryption
Encrypting your emails means that your messages are converted into ciphertext when you send them, preventing anyone except for the intended recipient from seeing their contents. You may not care about encrypting all of your mundane, day-to-day emails, but it’s probably a good idea to lock down messages with potentially sensitive information.
Gmail users have email encryption on by default, but it’s important to note that this only applies to sending mail to other Gmail users. If you use Gmail and Chrome, you can use an extension like Snapmail.co to ensure that your emails are secured, regardless of who the recipient is.
Designing for privacy
The concept of “privacy by design” was first proposed by Ontario’s Privacy Commissioner Ann Cavoukian in the late 1990s. It centers around the idea that privacy should be a major consideration from the inception of a website’s design, instead of something tacked on at the last minute. Since its introduction, privacy by design has become the de facto international standard for online privacy practices.
HTTPS
HTTPS is the secured version of standard Hypertext Transfer Protocol, or HTTP. To obtain HTTPS-level security, a site admin must first have a certificate that is issued as part of a web hosting package, or sold separately through a standalone vendor. When you connect to one of these websites, your local machine is sent the site’s certificate, a “code” that must match up with that particular URL and be signed by an issuer your browser trusts. HTTPS is one of the most widely used security measures on the Internet today.
Opt-in vs Opt-out
One of the most heated debates in the world of online security in recent years has centered around the use of “opt-in” and “opt-out” options during the signup process for various accounts and memberships. The conversation tends to be focused on concepts of user consent, or the optional choice to reveal certain pieces of potentially identifying information.
For instance, when a website uses an “opt-in” system, you will need to manually check a box to allow a specific action, such as granting a company the right to contact you about brand-related happenings. Using the same example, an “opt-out” system would require you to remember to uncheck a pre-filled box in order to decline this action. The difference may not seem that important on the surface, but this conversation has inspired new legislation in the EU, the US, and elsewhere around the globe.
Surfacing privacy settings in UX
There’s been a lot of talk about the “user experience”, or UX, in recent years on the web. As the technologies underpinning the Internet have evolved and matured, users have come to expect more control over their experiences, and this extends to their personal privacy as well.
Several best practices have emerged as a result of this demand, such as avoiding dense “lawyer-speak” in user agreements, providing transparent cookie and tracking information, and abstaining from collecting more personal data than necessary. When used together effectively, these help to provide a sorely needed sense of individual control over personal data.
Is privacy a right?
It’s good to see the trends above gaining footholds online, but the core debate remains: is privacy a right of every user, or is it something that we need to accept might not be possible in the long run?
This is a difficult one, and depending on who you talk to, you might hear a few different responses. As global terrorist organizations continue to gain a foothold in the darkest corners of the web, governments seem to be stripping back more and more individual consumer protections every single year.
Ultimately, this will likely end up being one of the great debates of the Information Age we’re living in now. How we share our personal data, and how that data is protected are fundamental questions in a world dominated by connectivity and the Internet. Lacking a definitive solution, all we know is that this question will continue to be a talking point for years to come.
Conclusion: the importance of staying vigilant
Privacy and security online are in a constant state of flux, and the price for a free and open Internet is eternal vigilance. Be wary of all threats big and small, and don’t just assume that the services and extensions you use now will always be the best options. Things change, technologies grow and evolve. Be sure to use more than just one source when deciding how to approach the online world from a security standpoint (and yes, that means reading guides other than just this one.)
At the end of the day, you’re the only one who can keep yourself safe online. Hopefully, this guide will simply give you the tools you need to do so.
References and Footnotes
- http://breachlevelindex.com/assets/Breach-Level-Index-Report-H1-2017-Gemalto.pdf
- https://keepersecurity.com/assets/pdf/Keeper-Mobile-Survey-Infographic.pdf
- https://www.dogtownmedia.com/
- https://www.recode.net/2017/7/24/16020330/google-digital-mobile-ad-revenue-world-leader-facebook-growth
- https://www.usatoday.com/story/tech/news/2017/04/04/isps-can-now-collect-and-sell-your-data-what-know-internet-privacy/100015356/
- https://www.getcybersafe.gc.ca/cnt/rsrcs/nfgrphcs/nfgrphcs-2012-10-11-en.aspx
- https://www.slideshare.net/cheapsslsecurity/vip-strong-authentication-no-passwords-infographic-by-symantec
Zachary Riley is a consumer services and electronics expert based in Massachusetts. He draws on his background in product testing and quality assurance to create helpful, consumer-friendly guides.