Yes, a Myth
Myths are stories (or narratives) that are often foundational to a society’s beliefs. The myth of online privacy is like that: Privacy feels foundational in our society. To the extent we accept we don’t have privacy online, it feels like something we’ve lost—something that we can perhaps recover with the right software tweaks, behaviors, or perhaps regulations.
When you think about it, the myth of online privacy is even beneficial to those industries that benefit from the lack of it. We all might agree that there’s no privacy online, but leave us to a search engine, and we’ll search an endless list of everything that comes into our minds, including potentially sensitive topics like medical questions. Police even dig through those search histories to look for criminals.
Breaking the Privacy Illusion
We may all agree that online privacy isn’t something we have. But do you realize how little privacy you actually have?
First of all, when you go online, your internet service provider—whether that’s a home internet connection or a cellular data connection—can see all the websites you’re accessing. In the USA, they can even sell your browsing data. Your mobile carrier may even be tracking and selling your app usage activity.
When you visit a website, it can see your IP address and use that to track you across visits. But it likely loads a lot of tracking scripts, too. Those tracker networks can track your activity across multiple websites. That’s one reason you see shopping ads chase you across the web after you look up a particular product. Even if you’re clearing cookies, there are a lot of ways to fingerprint your web browser.
“The cloud” is just someone else’s computer. If you upload your files to the cloud without using end-to-end encryption—something most services don’t offer—your files can be viewed and accessed by the company that owns the cloud service. The same goes for messages and emails, which generally aren’t encrypted either.
Okay, you might know all that—but did you know that advertisers can tie your in-store purchases and visits back to ads you see? For example, Google has a product that does this, and one of the data sources it uses is the nebulous “transaction data uploaded by the advertiser or aggregated and anonymized data from third parties.” Your credit card usage is being used to track you, too.
Did you know that Facebook’s advertising tools are so granular that you can target ads so narrowly that you can show them to only one individual?
Government surveillance is a given: Edward Snowden famously drew attention to massive warrantless government surveillance of internet and phone data. The NSA’s XKeyScore software reportedly allows real-time search and access to the massive amount of data being logged about online activity.
What Can You Even Do?
An article like this one could go on and on with examples. Do a little digging, and you can find many more examples. The amount of data being collected, crunched, and analyzed about us at all times is tough to conceptualize.
There are no perfect fixes. Private browsing will stop your browser from remembering your history and give you a fresh set of temporary cookies, but your IP address is still out there. You can avoid using Facebook, but Facebook has a shadow profile on you anyway. You can use a VPN, but you’re going to sign into something eventually—which will tie your identity to your browsing in the VPN—and you’re placing your trust in a VPN that hopefully doesn’t keep logs.
So what can you do? Well, you can still make a dent in it. If you’re currently broadcasting your life as a 24/7 live stream, turning off the camera means less data is out there.
You can use a VPN along with private browsing mode to disguise your browsing—but don’t just rely on a VPN alone, and understand that you’re trusting the VPN. You could use Tor—though there have been vulnerabilities in Tor, too. You can use more private, encrypted services—for example, chatting on Signal instead of plain-old SMS messages. You can keep your sensitive files more private, storing them locally or securely encrypting them before uploading them to online storage.
And yes, you can go further: Using cash, for example, and putting together facial accessories that will stop facial recognition cameras.
What’s the Point? Threat Modeling 101
But as you’re sitting there using Tor on a computer running Tails trying to figure out how to go off the grid without actually going off the grid, you might want to ask yourself: What’s the point?
No, we don’t mean give up—we mean consider what you’re actually defending against.
You might not care if Facebook realizes you’re interested in seeing the latest movie. But you might want to fire up that VPN and private browsing mode when you’re searching for information about a medical issue. You might be fine with storing photos of your vacation unencrypted in the cloud, but you might want to keep sensitive financial documents more secure. You might be fine chatting with your plumber over SMS, but you might want to have a private conversation with your spouse on Signal.
It’s all about your threat model—what are you actually trying to defend against? Once you know what you care about keeping private, you can take steps to keep that individual sensitive thing private rather than be overwhelmed with all the data collection going on all the time.
Unfortunately, that’s not a recipe for “online privacy.” There’s no easy way to flip a privacy switch and regain a mythical state of privacy. But there are things you can do to better shield specific things and keep them more private.