Google knows you better than you know yourself, and Facebook uses the data it’s gathered on people to carry out psychological experiments on them. The Russian app that everyone’s having fun morphing their faces with has terms of service that say it basically retains the right to use your data forever (and this is common for most social media apps!). Though some companies like Apple (and even Google) are now trying to make privacy a selling point, the sheer scale of the internet means that everyone is tracking you, from the government, to the police, to most tech companies, often without admitting to this.
With all this, it’s tempting to just throw up our hands and accept that we live in a post-privacy world, but there are some basic steps that we can all take to make our presence on the Internet a little more secure. Some of it is just very basic stuff, like turning your GPS and Wi-Fi off when you’re not using them, and the others involve a little more work, but are still easy enough to do. These are not high-security solutions, and aren’t really going to keep you invisible on the Internet. Instead, these are basic steps we should all simply make a habit of following, no matter what we’re using the Web for, to bring in some basic levels of privacy.
We spoke to a number of people who are not in the tech industry but rely heavily on the Internet to do their jobs, and found that most of them weren’t doing anything in particular to protect their privacy online, because they just weren’t aware of what they should be doing. So we looked at what some experts are saying online about this, and gathered the most easy-to-implement steps in one place.
1. Use burner emails to sign up for services
One common issue that people brought up was being bombarded by spam. Anita Verma, a dentist based in Bengaluru, said she has begun to miss important mails because there is so much spam. “Gmail removes a lot of spam but even then, every day I’m getting mails from brands I’ve never even heard of, and you keep marking things as spam but they don’t go away.” Part of the problem here is that we’re too used to giving out our email IDs whenever asked for them, both online and offline.
There are a lot of times when you need to enter an email ID to sign up for a service which you might only use once, and don’t actually need to connect to your real inbox. Your email ID is a valuable piece of data, along with your phone number, and whenever you’re giving this out, think about whether you actually need to do so. A number of sites such as Guerrilla Mail, Maildrop and Burner Mail allow you to create temporary email IDs for forms.
Another useful thing to do is to see which platforms are misusing your email. Gmail, and some other email platforms, allow you to create a ‘new’ email using the plus sign—essentially, if your email is email@example.com, you can sign up for services using IDs that add a plus sign and a label before the @, such as email+servicename@example.com, with a different label for each service, and all of these emails will come to your inbox. Then, the next time you look at spam and see it’s addressed to one of these labelled IDs, you know who is leaking your data.
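The plus-sign check described above can be automated over a folder of saved spam. The following is an added example, not part of the original article: the labels, sender domains, the `EXPECTED` mapping and all function names are constructed for illustration, and the messages are made-up headers.

```python
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses, parseaddr

MY_MAILBOX = "email@example.com"  # base address, as in the article's example

# Constructed sample messages (headers only); labels and domains are made up.
SAMPLE_MESSAGES = [
    "From: Shop <news@shop.example>\nTo: email+shop@example.com\nSubject: Your order\n\n",
    "From: Deals <promo@bulkmailer.example>\nTo: email+shop@example.com\nSubject: WIN NOW\n\n",
    "From: Forum <noreply@forum.example>\nTo: Me <email+forum@example.com>\nSubject: Digest\n\n",
    "From: Friend <friend@mail.example>\nTo: email@example.com\nSubject: Lunch?\n\n",
]
# Which sender domain each label was originally given to (assumed, constructed).
EXPECTED = {"shop": "shop.example", "forum": "forum.example"}

def plus_tag(address, mailbox=MY_MAILBOX):
    """Return the +label if address is a labelled form of mailbox, else None."""
    local, _, domain = address.lower().rpartition("@")
    base_local, _, base_domain = mailbox.lower().rpartition("@")
    name, sep, tag = local.partition("+")
    ok = domain == base_domain and name == base_local and sep and tag
    return tag if ok else None

def senders_by_tag(raw_messages):
    """Map each +label to the set of sender domains that wrote to it."""
    seen = defaultdict(set)
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
        recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Delivered-To", []))
        for _, addr in recipients:
            tag = plus_tag(addr)
            if tag:
                seen[tag].add(sender_domain)
    return seen

def leaked_tags(raw_messages, expected):
    """Return {label: [unexpected sender domains]} for labels used by third parties."""
    report = {}
    for tag, domains in senders_by_tag(raw_messages).items():
        # Exact domain match is a simplification: real services may send
        # from subdomains or through a mailing provider.
        unexpected = domains - {expected.get(tag, "")}
        if unexpected:
            report[tag] = sorted(unexpected)
    return report

if __name__ == "__main__":
    print(leaked_tags(SAMPLE_MESSAGES, EXPECTED))
```

A label that shows up with an unexpected sender domain is a lead, not proof: check whether the original service simply uses a third-party mailer before concluding it shared the address.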
2. Use a VPN
A Virtual Private Network (VPN) is a secure gateway to the Internet. This means that anyone snooping on your connection can see that there’s data moving between you and your VPN, but not what is coming in and out of the VPN. You can run a VPN on your computer or smartphone, and in both cases, it’s as simple as signing up, installing an application and just running that before you start to use the Web.
There are free VPNs, which are either very slow, or have very limited data allowances, so it’s advisable to sign up for a paid VPN from a well-known provider like NordVPN or TunnelBear. “If you’re using a free VPN, you’re either going to have a bad experience with the speed or data limit, or worse, you’ve now put all of your data in the hands of someone who is giving you an expensive service for free,” said Saravanan K, a Bengaluru-based consultant working on security solutions for businesses. “I’m not saying all free VPNs are bad. But I will say that it’s worth spending the money, and a year-long subscription can often be just a few hundred bucks a month.”
3. Change your passwords from defaults
This is a really obvious tip, and yet most people reading this have probably put themselves at risk by not changing the default passwords on their Wi-Fi routers and other Internet-connected devices. Did you know that the Wi-Fi router that your Internet provider gave you comes with a password which you can use to change the Wi-Fi settings? Having access to your router means having access to all your data, so it’s pretty important to know this. If someone connects to your Wi-Fi and you’re still using default passwords, you’ve basically handed over control of your network.
Most home Wi-Fi routers have been compromised, according to research by Banbreach, a Kolkata-based cybersecurity firm. According to Banbreach, cryptojacking—where attackers use your network and computing resources to mine Bitcoin, wearing out your devices and using up your data, in order to make money—is a huge problem in India.
Worse, many people using Internet-connected smart devices don’t think of changing these passwords either. You need only head over to Insecam, which is a listing of non-secure Internet connected cameras around the world to see live feeds from around the country. The good news is that in India, these are mostly in offices; the bad news is that this makes it harder for us as individuals to change the settings on the cameras.
On a related note, invest in a password manager. Password requirements are nuts, and it’s becoming impossible to keep track of all the passwords you’ll need. Either you’ll end up with a lot of weak passwords, or a strong password that you use everywhere, including on insecure sites, making it useless.
4. It’s Fine To Use WhatsApp
SMS is convenient, and it is universal. That’s a big plus. But it can also be hijacked, and there are reports of multiple police departments and scammers both doing just that, so encrypted communications are a better option.
Although WhatsApp offers end-to-end encryption and hasn’t given in to government pressure to trace users yet, the Facebook-owned platform is, owing to its huge reach, a tempting target for any attacker. A recent report showed that media files aren’t secure once they reach your phone, and if you’re using cloud backup for your chats, those aren’t encrypted either.
This doesn’t mean you should stop using WhatsApp. Telegram is an excellent alternative, but WhatsApp conversations are encrypted by default, while you have to opt-in to start a Secret chat on Telegram. This added step is going to be a stumbling block for most people (see above re: passwords). Signal is another alternative, which some would say is more secure.
However, it depends on how much risk each user faces — only a few people need to be at maximum security levels. For the rest of us, basic steps like WhatsApp’s standard choice of end-to-end encryption make sense. Zeynep Tufekci, an associate professor at the University of North Carolina, Chapel Hill, at the School of Information and Library Science, explained here: “WhatsApp’s behavior increases reliability for the user. This is a real concern, as ordinary people consistently switch away from unreliable but secure apps to more reliable and insecure apps.
“Signal is well-designed. Many in the security community use and consistently recommend it. However, the very thing that makes Signal a recommendation for people at high risk—that it drops messages at any sign of hiccup—prevents a large number of ordinary people from adopting it. Our community has used Signal for a long time, and have been trying to convert people to it, but its inevitable delivery failures (some by design, to keep users safer, and some due to bandwidth or other issues) mean that we often cannot convince people to use it despite spending a lot of effort trying to convince them—even people who have a lot at stake.”
5. Make sure all your software is up to date
A lot of people are also very lax about updating their software, using old versions for months (or more) after updates have been released. “My phone kept showing me this message about updating the Android version. I kind of ignored it because who has the time to reboot your phone in the middle of work, which is when the pop-up would show up,” said Akhil Yadav, who works in the marketing division of a technology company.
“Then one day, one of our tech guys saw what I was doing and he gave me a real lecture about it.”
Either you do the same thing Yadav did, or you know people like him. It can be annoying to take out the time to update software in the middle of a busy day, many companies don’t clearly articulate why you should do it, and sometimes an update can cause new problems. Waiting a couple of days after an update comes out to make sure that nothing major is going wrong is not a bad idea—but ignoring updates for weeks, months, and even longer is definitely not recommended.
“Nearly all updates include things called security patches: they close holes in the software that make it easy for someone to hack into your software—and once they do they can often get access to everything on your phone or computer. Software can be very complex and security holes are discovered all the time, so keep an eye on those updates,” notes Amnesty International.
6. Use two-factor authentication
Amnesty also recommends using two-factor authentication (2FA), which is an important step. Two-factor authentication means that you need two different modes of access: something you know (like a password) and something you get (like an OTP). That’s right, all online payments in India require 2FA, and use the SMS OTP as the second factor.
Although this is a good step, it’s even better if the second factor isn’t an SMS-based system. Although SMS 2FA is a very convenient way to control access, this might not work if you’re traveling abroad and don’t have roaming on (for example), and researchers have shown that SMS can be hijacked.
Don’t get us wrong, SMS-based 2FA is still much better than no 2FA. But when you have the option, an authenticator app is a better choice. For example, you can set up 2FA on your Google account so that access to your account is only possible by unlocking an associated phone, and tapping the ‘Yes’ button there. Twitter and Facebook also have similar authenticators. In fact, most popular social media apps and email apps support this feature.
7. Turn off the GPS, limit app permissions, and opt out of tracking where possible
If an app has access to your location data, it’s tracking it as much as possible to understand your habits and behaviors. You’re being watched wherever you go, and often completely unnecessarily. There are a few things you can do to reduce this, and the first step is to turn off your GPS when you don’t need it. Switch it on before calling an Uber or using maps to find your way around—and leave it off the rest of the time.
More importantly, look at what information is being used by which apps. “There can be genuine reasons for asking for this information,” said Saravanan. “For example, many apps ask for SMS inbox access — just so they can read an OTP, and that’s not a bad thing. Some apps might want location access so they can offer information or deals based on where you are.” However, if you’ve got (for example) an alarm clock that wants to know your location, that’s not good.
Some apps that track your information also let you opt out. If you visit myactivity.google.com, you’ll see a list of every website you’ve opened in Chrome, details about your contacts, calendars, and apps from your Android phone, details on your voice records with Google from when you’ve used the Assistant, and all the videos you’ve searched for or watched on YouTube. It’s an unsettling insight into how visible you are.
The good news is that it’s very easy to opt out. Just go to the settings on the same page and go to Activity Controls, and you can pause all your activity history. On all your apps, check the settings to find out what tracking is being done, and what you can opt out of, in order to increase your chances of privacy just a little.
8. Browse in private mode, and disable trackers
Almost all browsers have an incognito or private mode, where they’re not tracking your history and other data. Make this your default browsing environment to keep your data more secure. An easy way to do this is to switch to a browser like Firefox Focus on your phone, since it is designed to block trackers, and delete all history when you exit the app.
You can use apps like Ghostery on your computer to help disable trackers—this browser plug-in works with Chrome, Firefox, Opera, and Edge. It’s one of the most famous apps of this kind, but there are other options as well. Its built-in ad-blocker strips away the ads on websites you visit, and also blocks the trackers that they’re using to follow you around the Internet.
Not only does this increase your privacy, but it also significantly speeds up your browsing because as it turns out, trackers and ads also use up a lot of your data. In a 2016 conversation with this writer, Opera’s CTO had said that 54% of the data that gets used when you load a webpage is due to ads. He added that the ads made up only 9% of the content on the page, but because multiple third-parties track users through ads, this ends up being a huge drain on your data.
9. Don’t use Google
Ah, now we come to this. Using Google is so common that it’s become a verb for ‘searching on the internet’. But Google searches are also giving the company an enormous trove of user data to analyse and use for advertising. Gabriel Weinberg, the founder and CEO of privacy-focused search engine DuckDuckGo, has written a long post about the different ways in which Google tracks you, which is worth reading in its entirety.
“Basically, Google tries to track too much. It’s creepy and simply just more information than one company should have on anyone,” Weinberg noted. “For starters, just switching the search engine for all your searches goes a long way. After all, you share your most intimate questions with your search engine; at the very least, shouldn’t those be kept private? If you switch to the DuckDuckGo app and extension you will not only make your searches anonymous, but also block Google’s most widespread and invasive trackers as you navigate the web.”
DuckDuckGo’s search engine is good and fast, but since it doesn’t track you, the results are not as personalised as Google’s. This is a trade-off that you’ll have to consider, but it isn’t as apparent as in some of the other examples we’ve talked about, so you should consider at least trying out DuckDuckGo for a few weeks before deciding.