Life Kit - The Life Kit Guide To Online Privacy
Episode Date: October 13, 2020
NPR's Laurel Wamsley talked with the experts about how to protect your information — from your text messages to your location — while you're on the phone and computer.
Transcript
This is NPR's Life Kit.
This episode, we're digging into digital privacy and security.
The goal is to help regular people with no special technical skills get a better handle on their digital lives.
A lot of people might think this is not especially important for them.
I'm boring, they'll say. What do I have to hide?
That's simply not true.
The people who tell you that they have nothing to hide are people who just haven't thought about it very carefully.
Eva Galperin is the director of cybersecurity at the Electronic Frontier Foundation.
She says she hears that a lot from people, that they're not that interesting and that
they don't have anything worth hiding.
But she says we all express different aspects of ourselves in different parts of our lives.
Most of us, in spite of the fact that we have nothing to hide, still lock our doors.
We still close our windows and have shades on them. We still don't run around
sharing our passwords or our credit card numbers with just about anybody. These are things that
we do every day in order to protect our privacy and security. I'm Laurel Wamsley, a reporter at
NPR. But before I was a reporter here, I worked for a few years as a copywriter and marketer at tech companies.
The last company I worked for was in the marketing technology business,
the industry devoted in part to tracking people and merging their information
so they can be advertised to more effectively.
And I mean tracking in multiple senses.
Actual physical tracking, because we carry our phones everywhere we go,
and virtual tracking of all the places we go online.
The more I learned about this, the more I wanted to protect my privacy.
And it became clear to me that the internet was still the Wild West.
Companies had built powerful tools to collect information
on people who did not understand how this data could be used.
Our personal information is being collected and sold in massive databases
to anyone who wants
to buy it. All of this made me very uncomfortable. I started taking my privacy more seriously,
but it was also hard to know which of my efforts were actually effective.
So for this Life Kit, I wanted to reach out to some tech experts who are deeply knowledgeable
on this subject to find out the steps that they take to protect their data, and to find out what regular folks like you and me can do to make our
digital lives more secure. In this episode, you'll learn some concrete things you'll probably want to
do, plus some additional steps to consider depending on what you're trying to protect.
And a quick note, Eva and other experts make a distinction between privacy and security when it comes to your data. Security generally
refers to protecting against someone trying to access your stuff, stealing your credit card
number, hacking your accounts. Privacy is more often used to talk about keeping your movements
from being tracked for purposes of advertising or surveillance. It turns out that the steps to
protect your security are more clear-cut than those for privacy.
But we'll come back to that.
And a disclosure, NPR receives funding from Google and Facebook.
With that out of the way, let's dive in.
As Eva says, we all have something to protect,
whether it's our credit card information, our photos, or our opinions.
And even if we do want to share some of those things online, we still want to have control over who we share them with. The things that you want
to broadcast to your friends are not necessarily the things you want to broadcast to your family
or to a stranger or to a government. Let's start with protecting our accounts. Eva says there are
some steps that make sense for almost all of us, including using strong passwords, two-factor authentication,
and downloading the latest security updates.
So that's our first takeaway.
Practice good security hygiene.
All of your passwords should be passphrases.
That's right, passphrases.
Longer than a password, phrases are strong and unique for each site.
So don't use 1, 2, 3, 4.
Bring some randomness and special characters into it.
And also don't use the same password for different websites.
You don't want all of your accounts to be compromised
just because one of them gets hacked.
And then of course you have the problem
of how you're going to remember
all of your long and strong and unique passwords.
And the answer is you don't.
You use a password manager.
And then turn on two-factor authentication for your important accounts.
You've seen this.
Usually you're asked to put in your cell phone number so you can get a text with an additional number that you type in before you can log in.
That's the most common type of two-factor authentication.
But unfortunately, it's not the strongest, Eva says. SMS messages are sent unencrypted and can be intercepted by anybody who buys the right equipment and is appropriately nearby or by your to an app on your phone, using an app like Authy or Google Authenticator.
These are harder to intercept.
You can also use a physical device that you carry with you that plugs into your computer's USB port and serves as the second factor.
And those nudges you get from your computer or phone to install the latest security update, you should download those. Most applications, when they're compromised, are compromised by problems that everybody knows
exist, that have been publicly reported, and that the company has fixed, and they have issued
a patch in their security update. But if you do not take the security update, you do not get the
benefit of the work of the security
engineers at that company. But not all attacks on our security come through malware or hackers
invisibly breaking into your account. It's very common that we're tricked into handing over our
passwords or personal information to bad actors. That brings us to our second takeaway. Beware of
phishing. These attempts can happen via email, text message, or a phone call.
And generally they're trying to get your username and password, or perhaps your social security number.
But there are often signs that these messages aren't legit.
And one of the things that you can see at the email is that it is not coming from the person that it's supposed to be coming from.
It is coming from the wrong domain. It has lots of spelling or grammatical errors.
Or the link that they ask you to click is not the link for the website,
which you're supposed to be logging into.
So those are all a bunch of tells.
So if it feels fishy, it could be phishing.
If it feels fishy, it could be phishing.
Additionally, Apple is never going to call you on your phone
about your account. And neither is Google. So those are some security basics that are a good
idea for just about everybody. Use strong passphrases and use a password manager so you
don't have to remember them. Turn on two-factor authentication for your accounts. Get the latest
security updates and watch out for scammers. But depending on your situation, you might want to take
additional precautions to safeguard your privacy and security. Matt Mitchell is a tech fellow at
the Ford Foundation and founder of Crypto Harlem, an organization that teaches people in Harlem to
protect their privacy, including from surveillance. I mean, I have the luxury of working mostly with
marginalized people.
So mostly with undocumented people, Black and brown people.
He never hears that "I'm boring, I don't need privacy" idea from them.
And the reason why they never say that is the harms that come from exploiting identity,
they have lived experience.
And their family and friends have a lived experience with those harms.
You know, privacy is personal and it's different, and everyone has their own concept of what it is,
right? But when someone else has like downloaded all their stuff or an ex has taken intimate
pictures and put it in a public place, everyone will have a way to that. It'll be like, whatever
my personal rules are, you've broken them. To figure out what steps people should take in
terms of privacy and security,
he tells them to start by thinking about the thing they are most scared of happening to their
accounts. I'm worried about someone taking my money. I'm worried about, you know, someone telling
someone the mean things I said about them. And then you think like, which of those things is
most likely to happen? And then it's like, okay, the money thing or my personal information, whatever it is, right?
Then you use those concerns to focus your efforts and zero in on securing the things that matter most to you.
As a general tip, Matt suggests looking at your phone and deleting all the apps you don't really, really need.
Ask yourself, when did I install this thing? Can I delete it right now?
For a lot of things, you can use a browser on your phone instead of the app.
And Matt says that's better, because browsers are simple.
They can only get certain kinds of information.
They can still track you with pixels and all kinds of stuff.
But when I have an app, I have an accelerometer, I have a camera, I have a microphone, I have your contacts.
I have so much access to your data.
The first thing I do is tell people, like, let's get rid of some apps. Let's try to throw as many apps out the window. Like,
let's Marie Kondo this, you know? Let's make that takeaway three. Marie Kondo your apps.
I mentioned to Matt that even though I use Facebook and Twitter, I don't have those apps
on my phone. Partly so that I'll use them less and partly for privacy reasons. I wanted to know,
did I actually accomplish anything by not having those
apps on my phone? You've accomplished a lot, right? So, you know, only when I could turn that crude
into petrol can I really make my money. And that's what all these companies are. They have the ability
to take your data and turn it into gold. And they don't give you the change back. So that's the
first thing. And every time you don't use an app, you're giving them less data.
Now let's talk about one app most of us really do need on our phones, messaging.
If you want the contents of your messages to be secure, it's best to use an app that has end-to-end encryption, like Signal or WhatsApp.
But Eva warns that even though the contents of your messages are protected, your metadata isn't.
And someone could learn a lot about you from your metadata.
She compares it to what you can learn just by looking at the outside of an envelope in the mail,
who sent it to whom, when and where it was sent from. And WhatsApp is owned by Facebook,
so when you share your contacts with WhatsApp, Facebook is getting that info, though again,
they can't read the contents of your messages. And other experts warn against using Facebook Messenger on your phone, which offers less privacy than WhatsApp.
Matt says that when it comes to messaging, beware of backing up your WhatsApp to the cloud if you really want to keep things private. You got to be like, never, never back up my
conversation. Because that backup is stored in your iCloud, and it's also stored in your,
if you have an Android phone, it's stored in your Google Drive. And that backup is just a database.
And that database is easy for someone to open and read.
And WhatsApp, all those images, all that stuff.
So that's why we want to clean that out.
You want to say no backups.
And then you want to go actually into that place in your iCloud and turn off WhatsApp so it deletes it. Or into your Google Drive and you've got to delete what was there before.
Eva says it's important to understand that when you're backing up to the cloud, you're not backing up to your own computer.
You're backing up to a different computer that you don't have physical access to.
It comes down to whether or not you trust the company to keep that information safe or to if you're expecting the company to be broken into or if somebody shows up with a subpoena or a warrant. These are all ways in which they can
get their hands on your backup information, and you may not even necessarily know about it.
That's takeaway four. Be thoughtful about what you back up to the cloud.
And one more note about safeguarding your accounts. Be careful about sharing your passwords
or accounts with someone, even if that person's your partner. Eva says she frequently works with people who've experienced domestic violence and
intimate partner abuse. One of the things that people should really consider when they're
sharing their devices or they're sharing their passwords or they're sharing an account
is the possibility that you trust this person now, but you're not going to trust them forever,
that there may be a time when you no longer trust them. For these situations, the safest bet is to not share important accounts
or passwords with anyone else.
But she says she knows that a lot of people are going to do this anyway.
So if you are going to share this information,
she recommends having a plan for locking out someone if you need to,
like turning on two-factor authentication.
So that's security.
Let's go deeper on privacy.
Consider deleting some apps you don't need
and turn off location services for apps that don't really need it.
Think twice before giving an app access to your contacts.
Matt also recommends going to myactivity.google.com
and just deleting everything you can.
And it will show you every search term and everything you've ever done,
every YouTube video you've ever looked at, all that stuff.
And I tell them to delete everything.
And it'll say, are you sure you want to delete this?
Because if you delete this, it might affect some stuff.
And I'm like, yeah, just go ahead.
And it's like, are you sure you want to go ahead?
And just, yeah, I do.
And just blow it all away.
And whenever possible, he recommends going into your settings and turning off ad personalization.
Which sounds so nice, right? Like, I'm personalizing these ads for you, but what it really is is permission to do
really invasive tracking, so I can personalize these ads for you, you know? And don't worry
about writing all this down. At npr.org slash lifekit, we'll have links to where you can turn
off or limit ad personalization on Google, Twitter, and Facebook, as well as some of the other tips
we've mentioned so far. A quick note on Facebook, where some of us have had accounts for a very long
time. Is it even worth trying to limit what Facebook knows about us? Haven't we already
given everything away? Matt says it's still worth it to limit what Facebook can access.
It's like smoking, he says. It's never too late to quit or cut back. You'll still benefit.
By using a browser instead
of the app, by turning off personalization, and making your account more private, you're just
giving Facebook less data to harvest. Less data that its artificial intelligence can use to
advertise to you and people like you even more effectively. Beyond some of the basics we've
talked about, protecting your security and privacy gets harder. But for many people, Matt says, it's worth it. The people who I work with who take advantage of that
are people who are, you know, survivors of domestic abuse. For them, that pain is not so much, right?
Or people who are like, hey, someone stole my identity or someone's criminalizing my behavior,
you know, or I'm trans or, you know, I'm a queer person, right? And I'm being othered.
Well, for me, maybe I do want to take those extra steps.
But the issues of consumer privacy are bigger than any one of us.
A person who knows a lot about that is Ashkan Soltani.
He was appointed in 2015 to be the chief technologist for the Federal Trade Commission.
And more recently, he was one of the architects of California's Consumer Privacy Act,
a major piece of legislation that passed in 2018.
He says people's need for privacy is on the one hand kind of abstract.
Say, you share certain things with your doctor that you don't with your coworkers.
But it's also concrete.
A few years ago, he worked on a project with the Wall Street Journal,
in which they found that there were services that monitored people's online activity to sell to car dealerships.
So when you went to the car dealership, they knew exactly your level of interest in that car that had just arrived. They know that you've been looking at
the red car for three weeks every night and that you really want that model that they just got on
the lot. And as much as you try to bluff, you know, they know. Ashkan and his colleagues also found
that brick and mortar stores like Staples and Home Depot would charge different prices for the
products they sold online
due to factors like where a person lives
and not because shipping costs were more.
They would price the item more or less
based on how far this person was from a competitor.
So they would use information about that item
to essentially determine how much money they could extract from individuals.
And that's just on the commercial side.
There are political implications, too.
What's known about you can change the ads you see, the posts in your feed, the news
articles and videos that you're shown.
We're all being targeted in ways that aren't clear to us as we go wading through the internet.
When it comes to his own privacy and security, Ashkan takes a number of precautions.
Some of those steps are pretty common, like blocking third-party trackers with something like an ad blocker. And he'll make a point to use
certain browsers or different browsers for different activities. Other precautions are a
bit more next level, like using a service that creates a new email address for every service
he creates an account for. But he rarely recommends those steps to regular people.
One, the degree to do it effectively, it requires so much kind of attention and persistence to never screw up, to never slip up. And two, it's still kind of
limited in its effectiveness. He says real digital privacy is nearly impossible to come by because,
well, the game is rigged. The money is stacked against them. The incentives are so high
on the other side to
uniquely identify people and track them that they will never have enough motivation and incentive to
do it to the degree of this multi-billion dollar ad tech industry. He says that a decade of working
on digital privacy has convinced him that what will actually be effective is stronger laws
protecting consumers. Laws that guarantee people's right to privacy and that limit collection of their personal information.
Europe has a law that aims to do that,
the General Data Protection Regulation, known as GDPR.
And California now has a law with that goal too.
Ashkan helped write it.
He lives in California, so now when he goes to, say, a newspaper's website,
he can click a button that says,
Do not sell my personal information.
In practice, it's a bit more complicated. Ashkan's been working on a ballot initiative known as Prop 24 that aims to close loopholes in the state's privacy law and add teeth to
enforce it. Californians will vote on it in November 2020. In the rest of the U.S.,
we don't have those safeguards. We don't have a universal national online privacy law.
We have narrower laws
governing financial and health data, and a law protecting children's personal information.
Beyond that, we mostly have the authority of the Federal Trade Commission, which regulates unfair
and deceptive trade practices. That means a company can't lie to you about their privacy practices,
but they can collect and share a whole lot, as long as they're transparent about it.
And what that means is that buried in most websites' privacy policies
is a bunch of essentially language around how they sell data with third parties
and how your information may be bought and sold.
So that's takeaway five. Recognize that it's really hard to protect your privacy online
if there aren't laws that protect your privacy online.
But I think the important thing is just to look up and just literally search for what potential privacy legislation is occurring in your state or federally and voice your support.
I think the only way we get real change is that if people actually kind of speak up,
that this is an important right and that this is an important thing they should act on.
Getting up to speed on privacy legislation and calling your congressperson
is definitely a bigger step than adjusting a privacy setting on your phone.
But Ashkan compares learning about digital privacy to learning where your food comes from
or where your sneakers are made.
I can give you advice on downloading ad blockers
and downloading VPN software and downloading other tools, but chances are the moment you
download those tools, you'll also sign into Facebook and you'll also download the TikTok app
and you'll also download all these other privacy invasive tools that when you do,
you immediately consent
to them using, sharing, and selling your personal information. And I think we should have the right
to be able to use certain apps and tools without necessarily having to succumb to all of these
parties being able to collect our information. Faced with this landscape, getting a tighter hold
on your digital privacy and security can feel daunting.
But the best way to get started is just to grab the low-hanging fruit.
That's our last takeaway.
Start small and focus on what matters most to you.
Just do a little bit at a time.
You don't have to do all of this at once.
So on the security front, Eva says, strengthen your passwords and set up two-factor authentication, or 2FA for short.
For example, you do not have to make a list of every single account that you have and go change all of your passwords and turn on 2FA at once.
One of the things that I recommend doing when you're sort of starting to integrate a password manager into your life is every time you log into a new account, enter it into your password manager. She says trying to protect
everything from everybody all the time is a good way to drive yourself up a wall. But even just
doing these basics can make your accounts a lot more secure. And until we have stronger privacy
laws, Matt suggests that we do what we can to make a fairer deal with the services that we use.
It's a negotiation, but don't get ripped off.
These things are designed in a completely unequal way.
And you just have to free yourself a little bit and you're winning.
And you get so much from it.
All right, I'm fired up.
Let's do this.
Let's get all of our digital stuff locked down.
Here's what we've learned.
Takeaway one, practice good security hygiene.
Use strong passphrases and two-factor authentication on your accounts.
Takeaway two, beware of phishing.
Big companies are not going to call you and ask for your account information.
And look out for weird URLs before you go clicking on them.
Takeaway three, delete the apps you don't need from your phone.
Apps can collect a lot of information on you, so use a browser instead if you can. And for the apps you
keep, limit what they can access. Takeaway four, be thoughtful about what you back up to the cloud.
Those encrypted chats you have aren't going to stay encrypted when they're moved to iCloud or
Google Drive. Takeaway five, the United States doesn't have strong online privacy laws.
So while you can take steps to protect your privacy, it's going to be tough to keep yourself
from being tracked online. And finally, you can start small and take these steps one by one.
Focus on protecting what matters most to you. We have a list of everything we talked about here
and more at npr.org slash life kit. You'll find
links to good resources that'll walk you step by step through making your digital life more private
and more secure. This is far from an exhaustive list. There are a bunch of other steps you can
take to safeguard your stuff and fend off digital tracking. But hopefully you'll leave this episode
more curious about how your information is collected and used. So keep learning, give these steps a try, and then go deeper. We're going to be on the internet for
a long time. The more each of us understands about how to keep private what we want to keep private,
the better, safer, and healthier our digital lives will be.
For more NPR Life Kit, check out our other episodes on how to have a healthier relationship
with screen time for both adults and kids. You can find those at npr.org slash life kit.
And if you love Life Kit and want more, subscribe to our newsletter at npr.org
slash life kit newsletter. And now a completely random tip, this time from Sebastian Ruiz.
So here's a tip for you to stay classy the next time you're at a fancy dinner party,
eating some charcuterie with some friends perhaps.
When you're eating anything with a cracker on it, the cracker will want to crumble
and fall on your nice dress or suit or whatever you're wearing that night.
What you can do is you can inhale
as you bite down into the cracker,
which will allow you to vacuum up the crumbs
and it will keep any crumbs from falling onto you.
If you've got a good tip,
leave us a voicemail at 202-216-9823
or email us a voice memo at lifekit at npr.org. This episode was produced by Audrey Nguyen.
Meghan Keane is the managing producer. Beth Donovan is the senior editor. Special thanks to NPR's
Shannon Bond and to Jen King at the Center for Internet and Society at Stanford Law School.
Our digital editors are Beck Harlan and Clare Lombardo, and our editorial assistant is Clare
Schneider. I'm Laurel Wamsley. Thanks for listening.