Life Kit - Easy practices for online privacy
Episode Date: June 9, 2025If you're online, your personal data is at risk. It might feel impossible to protect your data from hacks and breaches, but there are methods to make it slow and expensive for bad actors to target you.... Our experts share simple measures to better protect your data online, including practices you can pick up starting now.Learn more about sponsor message choices: podcastchoices.com/adchoicesNPR Privacy Policy
Transcript
Discussion (0)
Hey, everybody. It's Ian from How to Do Everything.
On our show, we attempt to answer your how to questions.
We don't know how to do anything.
So we call experts.
Last season, both Tom Hanks and Martha Stewart stopped by to help.
Our next season is launching in just a few months.
So get us your questions now by emailing how to at NPR.org
or calling 1-800-424-2935.
You're listening to LifeKit from NPR.
Hey, it's Marielle.
If you have ever used the internet, which,
given the fact that you're listening to a podcast right
now, I think you have, then your data is up for grabs.
Things like your full name, your date of birth,
what websites you visit, and your location,
among many other things.
There are people who are very interested in your data.
I mean, it seems like every day another company is admitting to a data breach.
Just a few examples from the past couple years, AT&T, Ticketmaster, Yahoo, Facebook, and the
data broker National Public Data have all experienced breaches that compromised
millions of private records.
This has been very concerning for Samuel Horace Kessler.
He's a producer for the Planet Money podcast.
We worked on this episode about the illegal and legal markets for your data.
And I've previously kind of had this stance of like, well, it's my data, but I'm not really using it.
So like if somebody else wants to take it for a spin,
you know, that's all fine with me.
But the more I learned about what people are using my data for
and how they can access it,
the more just like nervous I became,
like right in the pit of my stomach.
On this episode of Life Kit,
Sam is going to talk to experts about what kind of data
about us lives on the internet, who wants it, why, and of course, what steps you can
take to protect yourself.
The best kind of celebrity interview is one where you find out that the person who made
a thing you love also thinks in a
way that you love.
Nothing is more foreign than when Ariel says in The Little Mermaid, I want to be where the
people are.
I don't want to be where the people are.
I just don't.
I'm Rachel Martin.
Listen to the Wild Card Podcast only from NPR.
So the more I learned about how my data lives online, the more anxious I found myself becoming.
I wanted someone to help alleviate that.
So I went and spoke with Rebecca Skeet, the COO of Black Girls Hack.
It's a nonprofit focused on training in technology and cybersecurity.
I've existed on the internet for most of my life.
And during that time, I've had many accounts.
I've been on Twitter, I've been on Instagram,
I've had a Neopets account, Club Penguin probably has
my social security number at this point.
Like, am I already screwed?
Like, is everything already out there
that could be out there?
I'm not going to say everything.
Is there a possibility or likelihood
that you have been impacted in some way
by some breach at some point?
Then the short answer to that
is yes.
It's possible.
Is it likely?
Probably.
Okay.
So, Rebecca, not exactly coming in hot with the silver lining, but she did help me understand
better that even though the digital genie might already be out of the bottle, I do have
some control over the situation.
I think the first thing that you can do is take power in the ways and the opportunities
that you have to take power in.
I read this quote one time that said that,
action is the antidote to anxiety.
So what action can you take?
What action can you take?
How can you do things like protect your social security
number and credit score?
Strategies like these are what we're going to be going
through in today's episode.
But first I wanted to understand, before I take any action, what's at stake here?
Does my digital footprint really matter all that much?
Which brings us to our first takeaway. Understanding the risks and understanding your risks.
Anyone is susceptible to identity theft, and the consequences can be dire. But it's also up to each
individual to determine what exactly is at stake for them, and what consequences can be dire. But it's also up to each individual to determine
what exactly is at stake for them, and what action they can take to best ensure their protection.
To better understand my digital risks, I spoke with staff attorney for the Federal Trade Commission,
Megan Cox. She's helped prosecute cases relating to online privacy and data security.
She helped me define some questions, like who should I be worried about getting their hands on my data? When I hear about bad actors, people don't mean like Nick Cage,
right? They mean like something else. Like what is a bad actor online? Like what do they do?
When we're talking about bad actors, we're talking about identity thieves and fraudsters.
I should say no shade to Nick Cage. He's still my favorite Superman.
So to take a step back, I think defining the term identity theft is helpful.
It's when someone's using your personal or financial information without your permission.
It can include stealing your name and address, credit card, bank or account or financial information,
social security number, or even your medical insurance accounts and information.
Identity thieves might buy expensive tech with your credit cards.
They can open up new credit cards or new accounts
in your name.
They can also start utilities, electricity, phone, gas
accounts using your identity.
They can steal your tax refund if they file a tax return
before you get to it.
They can use health insurance to get medical care
and let you foot the bills.
And importantly, in many cases, they
can destroy your credit score and leave you
unable to get a line of credit in the future.
This is all if you lose a hold of your PII, your personally identifiable information.
This means things like your Social Security number, your SSN.
You can take steps to protect your SSN by not carrying your card with you, destroying
documents that have it written down, and calling the Social Security Administration and asking
them to place a self-lock on your SSN, which would make it harder for anyone to access
your Social Security records, but it also may make applying for a job harder, so make
sure to unlock it before you begin a job hunt.
You should also take care to not share freely information like your full name, your date
of birth, your address, or your financial information.
But there are other numbers that might not immediately come to mind as ways to perpetuate fraud
or create risk of identity theft to you, like a passport number or a lost driver's license.
There are ways that those forms of identification can be misused and cause problems.
So we urge everybody to try to keep as much as their information and these documents secure
and in your possession.
While protecting your most essential information,
like your SSN, is crucial for everyone, our experts recommend doing a kind of personal
risk assessment. What assets do you have? What's at risk for you? Do you have a high or low risk
tolerance? KAYLA JOHNSON
For someone who is an influencer, their risk profile is going to be different for me. I don't
have to share the level of things that someone
whose livelihood is derived from what they do online. They're going to have to share
locations and things like that, but they can still be mindful of how they do it.
We're going to discuss the ways to protect yourself and your data, but all of these may
not be applicable or useful to every individual. Think of it like a toolkit, and you can pick
and choose what tools you need. Rebecca with Black Girls Hack does want to make sure everyone understands that even if you think
you may not be a target for identity thieves, you may still be at risk.
Because I've heard a lot of people say, ah well, if they get into my bank account,
they're not going to be able to get much or whatever else. But if there are a hundred people
who have a dollar, you still get a hundred dollars if you get those hundred people,
you know? And so they're not looking at it as a, hey, this person only has $1.
It's look at all of this low-hanging fruit.
And consider that you may not even be the main target.
It could be your company or a family member.
The data you've shared online can be leveraged
to convince someone else of something that isn't true,
like that you're being held for ransom, say.
Rebecca says, when it comes to theft,
you may not have to take every effort, but employing
some basic protection can at least make it difficult and expensive for identity thieves
to get your information, which may be enough for them to look elsewhere for targets.
That brings us to our second takeaway.
Don't be an easy target.
You can adopt a healthy skepticism to every interaction online.
Rebecca calls this polite paranoia.
It's a term coined by Rachel Tobak with social proof security.
This means asking questions about how your data is going to be used, pausing and thinking
twice before you hand anyone your PII.
And then be cautious, you know, with what you share online.
You mentioned all those different platforms and places where your information may lie.
We can still be guarded and cautious with the information that we share.
Like, before you fill out an online quiz or before you jump on the hot new meme,
pause and think twice.
I used to love the things of, what's your Bridgerton name?
It's the street you live on and it's your dog's first name.
While you can do that internally,
you can play the game and maybe text it to your friends.
Don't post that online because oftentimes those questions
and things that folks ask are portals
into your personal information that people often leverage
for their passwords and things like that.
They had one of those for NPR.
It was like your favorite pattern of clothing
and then what you had for breakfast this morning.
The answer has absolutely nothing to do
with anything pertinent to me,
but argyle pancakes sounds fantastic.
So right there, you can hear Rebecca
does a quick risk assessment.
Am I asking her for any personal information
that can be leveraged against her?
And she says she did the same thing when I first reached out to interview her.
She paused, considered if what I was asking from her was suspicious
or crossed a line, and then made an informed decision.
Ask questions. If something feels weird, ask questions.
Because usually if it feels weird, it kind of is.
You know, and it's okay to say, you need this information, why?
What are you doing with it?
It might not be you, but what if someone is able to leverage you, leverage the connection
of being you, acting like you, or saying that they know you, to then infiltrate or take
advantage of a family member or your work?
A method Rebecca champions is called Take 9, meaning take nine seconds, at least, to think
over any requests for your data online. Take9 is also the name of an initiative between several
cyber organizations. They encourage web users to take basic internet safety measures to ensure we
all experience a safer internet. Some of the methods they and other experts recommend include
updating your software often, because companies use updates to fight the latest malware. You should also restart your devices at
least once a week to apply software updates and improve performance, and you should be using unique
strong passwords. You can also consider using a password manager. Some popular ones are One Password,
LastPass, or NordPass. One thing that I just kind of have been wondering for a minute now is like,
when you use a password manager,
you're giving them everything.
You're giving them passwords to all of your stuff.
And like, is there a risk?
Not a high one because password managers employ,
they have strong encryption
and other security measures to protect your passwords.
Rebecca says password managers are often built
with zero knowledge architecture,
meaning the manager doesn't have access to your passwords,
nor do they have the key to your passwords.
You're the only one who can access it,
even if they get infiltrated.
But she says, if you're still worried,
you can take things one step further.
Say your password manager has an autofill function. You can also add a special character at the end
that only you are aware of,
like a punctuation mark or a favorite number.
My password is password32.
Think, okay, why 32?
Because in Love and Basketball,
that was the number of Monica, the lead character.
And now you can never use that.
Right, and I wouldn't.
You should also turn on multi-factor authentication
or two-factor authentication.
That's where, besides entering a password, the site sends you a code via another method
to ensure you're really you.
The benefit of having that two-factor authentication in place is that even if someone were to
get your password, they don't have that second factor and it can at least be a block for
a potential intruder.
One of the preferred methods is through an authenticator app,
like Duo or Google Authenticator.
I should note Google is a financial supporter of NPR.
You can also get a physical passkey,
which plugs into your computer and enters a code automatically.
Those aren't free, though, typically,
and are susceptible to loss.
You can also get a code via SMS text,
but experts feel this is less secure because identity thieves
can SIM swap or take
control of your phone number and intercept your messages. It is better than nothing because at
least there's some secondary step in place, but it would be of them the least protective.
So maybe try Authenticator apps first. Now you've got multi-factor authentication set up,
you've got a password manager, you're being politely paranoid, you're taking nine.
authentication setup, you've got a password manager, you're being politely paranoid, you're taking nine. Congratulations, you are no longer the easiest target out there. And fortunately,
after you've taken these steps, you can mostly forget about them. They're passive. Which is why
you should also take some time semi-regularly to be active when it comes to your data.
Which brings us to our third takeaway. Clean up your digital environment just like you would your living environment.
I do a digital spring cleaning.
So, delete unused apps, remove extensions, go through your accounts and web browsers
and review your data and privacy settings, and delete your browser history.
Clear your cache.
Double check your public accounts to make sure they are not sharing any unwanted information.
People, delete those old tweets. It's a good opportunity that ideally,
we should do it more frequently,
or as frequently as possible,
but realistically, it's not something that people can do
once a month or once a quarter.
So at the very least,
if when you're doing your physical spring cleaning,
you do a digital spring cleaning
and clear out those applications,
check to see the different extensions that you have that you don't digital spring cleaning, and clear out those applications, you know, check to see the different extensions
that you have that you don't necessarily use anymore,
see what information those things are gathering.
Back up your devices on an external hard drive
and dispose of old devices securely.
This is to make sure they don't fall into the hands
of bad actors who can dredge up information
from any drives they come into possession of.
This would also be the time to change your passwords.
But remember to use unique strong passwords
for every account.
You may also consider using a data removal service
if you can afford it, like Delete Me or Incogni.
They can check for your personal information
across different databases and remove them for you.
You can also consider a credit freeze.
A freeze blocks access to your credit report,
so no one can open a credit card or get a loan in your name. You can do this with any one of the big credit reporting
agencies like what Megan Cox of the FTC calls the big three, Equifax, TransUnion, and Experian.
If you are able to, you can consider a credit freeze. And this keeps people from being able
to access your credit report for creditors to open new accounts. So if somebody wants to check your credit before giving it, a new credit card, a new mortgage,
they would be checking your credit report. And if it's frozen, they can't see it. And
so they're very much less likely going to extend credit. So in that case, a fraudster
would be blocked from opening a new credit account or a new mortgage, for example.
Credit freezes are free, take only a few minutes, and you can thaw them at any time. Like if
you need to apply for a loan or an apartment, just make sure to give it a little bit of
a window for the thaw to go into effect. You might also consider using a credit monitoring
service. These agencies offer them, and so do other companies like LifeLock. Those can
detect potential fraudulent activity, track your credit score, and give you access to
your credit reports, and sometimes offer tools and tips to boost your credit score.
Now, I should note that even these big credit reporting agencies experience data breaches.
In 2017, Equifax, one of the big three, fell victim to a data breach itself that exposed
the personal information of 147 million people. Experience suffered a similar breach in 2015, though not as severe.
Also, when you sign up for credit monitoring,
a company's terms and conditions may ask you
to waive your rights to sue the agency,
and may ask your permission to use and share the information
on the legal data market.
I think it's an individual bargain
that every consumer kind of has to determine for themselves
if engaging with a credit monitoring service
would be a pro for them and outweigh any of the cons that they might see from data being
used. I would urge them to, in that case, read the terms and conditions to understand
if they can opt out of any of that.
It's true. You can opt out from the big three, selling and sharing your personal information.
You just have to follow the steps on the website's privacy page.
That's in regards to the legal sharing
and selling of your data.
But going back to your personal risk assessment,
do you prefer to have credit reporting
in case your data gets leaked,
knowing that your data might be at risk of a leak
with one of these Big Three credit reporting agencies?
That's ultimately up to you to decide.
Another item for your digital spring cleaning? Consider using antivirus software, or what's
known as a VPN. A VPN, or a virtual private network, is like a tunnel you can use to protect
your data from anyone who wants to access it, like identity thieves or data harvesting
companies. Many people choose VPNs to provide more private browsing, but you should also
be cautious about VPNs, since whatever company offers it will have access to that data.
And just like all the other strategies we're talking about today, they're not bulletproof.
Experts recommend ProtonVPN or NordVPN for the best privacy at low or no cost.
And if you are worried about cost, Rebecca says you don't always have to shell out
on privacy products.
A lot of products come native to your device. You can start there and see if it's doing
the job you'd like it to.
Just because it's free doesn't mean it's good, but just because it's free also doesn't
mean that it's bad.
And on that note, one more practice to pick up during your digital spring cleaning. Talk
to your friends and family about their digital environments. Encourage them to do their own
personal risk assessment. Walk them through the different tools that are available to them.
This goes for the less tech literate or say children learning how to interact on the internet
for the first time.
Megan recommends talking them through the digital best practices and understanding what information
they shouldn't share online.
She also recommends freezing their credit at least until they're old enough to begin
doing things like taking out a student loan or renting an apartment. And then finally, locking down their social
networks so that they're not sharing information more broadly than they are intended or communicating
with individuals that parents might not be aware that they're communicating with when they're,
you know, starting online as a new digital citizen, I should say. Similar to fighting infectious diseases,
if each individual does their part to protect themselves,
we all become a lot safer in the digital world.
And by the way, not all of this has to get done immediately.
Any little bit helps.
Maybe today you set up a VPN,
and a week from now you change five of your passwords.
Or maybe you set aside an afternoon
to do a total clean sweep, checking off all of the
above. Remember, action is the antidote to anxiety. So if you're feeling anxious, combat it with some
small action to take charge of your digital security. But what if the worst happens? What if we do end
up having our data leaked in a breach? Well, that brings us to our fourth and final takeaway.
Don't panic.
Megan Cox has been there before.
I have received a lot of letters about different data breaches, exposures of information. And
some, they range in the circumstances they provide about what might have happened or
what information is exposed and different offers that you might get as the consumer
who's impacted.
This would be the time to see what offers the companies are giving you. They may offer
you free credit monitoring, credit reports, or a credit freeze, all of
which you can consider with the caveats we mentioned before.
So if you receive a letter in the mail saying your data has been exposed, we would urge
you to go to identitytheft.gov and find out what you can do next to learn about steps
to take to mitigate any potential harms. If someone does attempt to use your personal information to impersonate you, you can do next to learn about steps to take to mitigate any potential harms.
If someone does attempt to use your personal information
to impersonate you, you can file a report
at identitytheft.gov, and they will walk you
through the next steps there.
It is important to begin a paper trail
validating the identity theft.
That may help you in the future,
like if you have to go to court.
Rebecca says you most likely will have to be vigilant
after that point about suspicious activity. If you have been compromised, there are websites like
haveibeenpwned.com, where you can enter your email address
and see what breach has potentially been involved in,
and it'll also say what information
might have been compromised.
This would also be the time to go back
to our previous takeaways, and if you haven't taken action,
start now. Do a digital cleaning,
lock down your accounts,
set up two-factor authentication,
and delete apps and accounts you no longer need.
And then from a financial credit card account standpoint,
make sure that you're watching your charges
or new accounts opening your name.
And if you see something that looks anomalous,
place a fraud alert or a credit freeze
with major credit bureaus.
Don't waste time berating yourself.
Pivot, okay?
If it's something, if it's a personal email,
you think your email has been, your password has been compromised,
change your password.
And if your information has not been misused yet,
you don't necessarily need to make an FTC identity theft report,
but you can still go to the website to learn about all those next steps.
So I know this all can be overwhelming, but it doesn't have to be. Think of this like
your home security. Not everyone needs round-the-clock guards and watchdogs. For most people, just
taking common-sense precautions can make you less of a target, and you can always reassess
and pivot. Our experts recommended just a skeptical disposition and to always be aware
of your risks.
Consumers should be vigilant. I think that there's a lot of data that's circulating
in our ecosystems, whether it's on social media or your device or on the different Wi-Fi
networks you're navigating to. There are vulnerabilities in these systems, and so understanding
that your data is circulating out there and taking steps that make sense for you.
On that note, it's time to recap our takeaways.
Takeaway one, understand the risks and understand your risks.
Assess your personal stakes.
What assets do you have that are vulnerable
and how can you protect them?
Do you have family members or company information
that bad actors may be interested in?
What tools are available to you to help address those? Takeaway two. Don't be an easy target. Make it slow and
expensive for someone to get your data. You can do this by using a password manager, turning on
automatic updates, and using multi-factor authentication for your accounts. And remember,
if someone asks for your personal information, be politely paranoid and take nine seconds to pause and evaluate your risks.
Takeaway three, do your digital spring cleaning.
Clean out apps, extensions, and update your public-facing accounts.
Consider products like credit reports, VPNs, or antivirus software, but understand the
risks associated with those and know you can always begin with free software before investing
in paid products.
And talk to your family about their risks and best practices.
Takeaway four, if your data gets leaked, don't panic.
Change your passwords and stay updated on the situation using either a credit reporting
agency or Have I Been Pwned, or both, to know if your information is out there.
You can visit identitytheft.gov to go through your options.
That was producer Sam Yellow Horse Kessler.
For more Life Kit, check out our other episodes.
We have one on avoiding scams, and another on how to spend less time on your phone.
You can find those at npr.org slash Life Kit.
And if you love Life Kit and you just cannot get enough, subscribe to our newsletter at
npr.org slash Life Kit newsletter.
Also, we love hearing from you.
So if you have episode ideas or feedback you want to share,
email us at lifekit at npr.org.
This episode of lifekit was produced and reported by Sam Yellow Horse Kessler.
Our visuals editor is back Harlan and our digital editor is Malika Gareeb.
Meghan Kane is our senior supervising editor and Beth Donovan is our executive
producer.
Our production team also includes Andy Tagel, Claire Marie Schneider, Sylvie Douglas, and
Margaret Serino who also provided production help for this episode.
Engineering support comes from Zoe Vangenhoven.
Special thanks to Amanda Aronchik, Keith Romer, and Meg Kramer.
I'm Mary Elciagara.
Thank you for listening.