The paranoid's survival guide, part 1: How to protect your personal data

Who says privacy is dead? While it's true that marketers, the government, data aggregators and others are gathering and analyzing more data than ever about every individual, you can still exert some control over what's out there, who's tracking you and what they do with that information.

Share

Who says privacy is dead? While it's true that marketers, the government, data aggregators and others are gathering and analysing more data than ever about every individual, you can still exert some control over what's out there, who's tracking you and what they do with that information.

From the NSA's admission that it is capturing and analysing metadata on every American to Facebook's appropriation of users' posts, likes and images for use in product advertising endorsements, privacy concerns are now top of mind. According to a December Harris Interactive survey commissioned by privacy consultancy Truste, 74% of Internet users are more worried about privacy now than they were a year ago. Some 74% also say they are less likely to enable location tracking on the Web, 83% are less likely to click on online ads and 80% say they are less likely to use apps they don't trust.

Consumers' privacy concerns

What people are most afraid of. All percentages are up compared to last year. The study was conducted by Harris Interactive, on behalf of Truste, with more than 2,000 U.S. internet users polled in December 2013.

Online shopping - 93%

Online banking - 90%

Using social media - 90%

Using mobile apps - 85%

Truste 2014 Consumer Confidence Privacy Report

Computerworld asked nine people who live and breathe privacy what steps they recommend to get a handle on your personal data footprint -- both offline and online. Some steps are easy, while others require both time and expertise to set up.

The key, these experts say, is to know what your goals are and go for the low-hanging fruit first. "If your goal is perfection, you'll end up doing nothing. Look for good enough," says Jules Polonetsky, executive director of the Future of Privacy Forum.

There are three primary reasons why people want to reduce their footprint, Polonetsky says. One is to hide from marketers. Another is personal security. Some people have good reason to be cautious about their identity, including those worried about domestic violence or stalkers. That takes a bit more work.

But the most extreme measures are generally reserved for people who have reason to worry that they might be targeted by the NSA, or by law enforcement, or be the subject of civil proceedings. For the latter group, Polonetsky says, the required measures are more difficult to set up and use -- and the techniques may degrade the user's experience online.

Fortunately, most people don't need to go to these extremes. "Complete privacy is very difficult and expensive to achieve. But reasonable privacy -- minimising your footprint -- is easier to achieve than you might think," says Rob Shavell, co-founder and CEO at privacy software vendor Abine.

The information out there about you out falls into three basic categories, Shavell says:

Data that's implicitly collected, such as the many services that track your browsing activity online

Data that's explicitly collected, such as when you knowingly give out your email address and other data when signing up for a service online

Publicly available information about you that can be harvested by data collectors online, such as your phone number and address, Twitter feed, Facebook profile and public posts, court and property deed records and so on

The first step toward minimising your online footprint is to know who's tracking you. Tools like Disconnect and Mozilla's Lightbeam, which visually show who's tracking you as you visit different websites, can help, says Sid Stamm, senior engineering manager for security and privacy at Mozilla.

Mozilla's Lightbeam

Tools like Mozilla's Lightbeam visually show who's tracking you as you visit different websites.

"The second thing is to figure out what the risks are that you're trying to protect yourself from," he says. Do you care who reads your Facebook updates? Or if someone you don't know can read your email? The more data you want to protect, the more work you'll need to do.

"The third layer is control, and that's the hard part," Stamm says. For example, if you want to hide all of your Internet traffic and your identity, you'll need to use Tor or a VPN all the time. Most people, however, just want a reasonable amount of privacy.

Ready to minimise your data footprint? Here's where to start.

The basics: Six standard operating procedures for online behavior

Draw the line: Decide what's personal

The traditional definition of personally identifying information (PII) -- health records, credit card numbers, social security number, etc. -- is so 20th century. The big data age of the Internet is upon us, and even data not previously considered to be PII can feel very personal when viewed in a broader context. "Bits of data, when combined, tell a lot about you," says Alex Fowler, chief privacy officer at Mozilla. Those aggregated bits, which constitute the new PII, may include such information as your email address, browsing history and search history.

"The definition of PII -- information that a person has a legitimate interest in understanding and protecting -- is going to be broadened as we move further into the information society," says Fowler. "It's a different footprint than what your parents ever thought about."

"Think about what you consider personal information," Fowler adds. "You need a working definition."

Don't share your personal information -- even when asked

Are you responding to surveys by phone or online? Filling out warranty cards? (You need only your receipt to make a warranty claim.) Providing optional preference and demographic information when signing up for an online service? "Most of us give out information trivially," says Abine's Shavell, not understanding that all of that information ends up in profiles that may be used by the collector and later shared with data aggregators and others.

Lie. About. Everything.

Many online services demand that you divulge some information about yourself if you want to do business with them. If you don't want to share, you can either choose not to use that service -- or you can provide false information. Don't use your real birthday, email, address and phone number on social network sites, and don't use real answers when creating answers to challenge questions, says Robert Hansen, a security researcher and director of product management at the website security consultancy WhiteHat Security.

"Never give out any real information about yourself unless absolutely necessary. Lie about everything. That's basic operational security," he says.

You may, of course, need a working email address to validate an account. You can create a webmail account specifically for this purpose, or you can use a service such as DoNotTrackMe, which creates "disposable" proxy email addresses and phone numbers for this purpose. Yahoo Mail also offers disposable email addresses.

Create personal and professional personas

Stamm creates and maintains separate personal and professional online profiles for browsing the Web. Specifically, he uses separate instances of Firefox for each persona. "The experience is less noisy," he says, because his personal and professional web histories aren't mashed together.

Casey Oppenheim, CEO at anti-tracking software vendor Disconnect, recommends using one browser for Web surfing and another to log into your online accounts like Facebook, Google or Twitter -- to reduce cross-site tracking.

Understand how much you're paying before signing up for "free" apps and online services

By now most people realise that the price you pay for using "free" online websites, apps and services is measured in data collected about you. The question you need to ask is: How high is the price?

Understand exactly what data you are giving up and weigh that against the value of the app or service you're receiving in return. For example, you might need to share an email address for your Facebook account, but you don't need to share your telephone number and location data, or allow search engines to index and link to posts on your timeline. You can lower the price somewhat by taking advantage of available privacy controls that let you limit the types of data collected or how it's used and shared.

But privacy policies can change at any time, and no one knows what will happen to that data in the future. If the developer of an app goes out of business, for example, your data may be sold. Which is why you should always...

Delete your unused online accounts

Do you leave a trail of orphaned accounts behind you as you try different online services? Close them down, or that trail of digital relationships might come back to haunt you. "There are dozens of social networks that came and went over the years, and I think I signed up with every one of them along the way," says Mozilla's Fowler.

Many of the services you sign up for eventually disappear. "When they do, that information about you will be sold to someone at some time as an asset," he says, and the value of those assets is based on how many users they had and what they know about them.

The deeper they got with their customers, the more valuable the assets. "You have no idea how it's getting used or where it might resurface at another point in your life, so it's important to take this seriously," he says.

NEXT PAGE: Tips for surfing the Web silently

Find your next job with computerworld UK jobs