Incognito — November 2024: Privacy Policies

Welcome to the November 2024 issue of Incognito, the monthly newsletter from DeleteMe that keeps you posted on all things privacy and security.

Here’s what we’re talking about this month: 

• Terms of service and privacy policies. More specifically, how and why so many companies have recently made changes to theirs. Spoiler alert: it’s not to your benefit. 
• Recommended reads, including “Data of 100m People Leaked In UnitedHealth Data Breach.”
• Q&A: Is it a good idea to change personal information on an old account to false information before deleting the account?

“You’re receiving this email because we’re making updates to our User Agreement and have provided you with more information in our Privacy Policy.”

Sound familiar? More than likely, you received at least one such email in the last few months. 

These kinds of emails rarely bring good news. For consumers, changes in terms of service almost always mean less privacy. 

Privacy Policy Changes: We’ve Seen a Few

And most have been to do with artificial intelligence (AI).

• In October, the social media platform X (previously Twitter) updated its privacy policy to say that, unless you opt-out, it would share your data with third-party “collaborators” who may use it for purposes including “to train their artificial intelligence models.”
• In September, LinkedIn published a post saying they’ve started to use your data to train its AI – even before they updated their privacy policy and without asking you for your permission. 
• Also in September, Meta announced that it is training the new version of its large language model on public Facebook and Instagram user posts. Even if you don’t use Meta yourself, it can still scrape your data (including photos) posted by someone else. 

Last year: Google changed its privacy policy to say it could use public information to train its AI chatbot and other services. 

FTC says: “[I]t may be unfair or deceptive for a company to adopt more permissive data practices—for example, to start sharing consumers’ data with third parties or using that data for AI training—and only inform consumers of this change through a surreptitious, retroactive amendment to its terms of service or privacy policy.” 

What’s the Big Deal?

“Using publicly available information to train A.I. models is an industrywide practice and not unique to our services,” said a Meta spokesperson. 

If that makes you uneasy, you’re not the only one. 

As Vox reporter Sara Morrison says, the issue is that we don’t know what AI systems do with our data, nor how they protect the sensitive parts (if at all). 

For now, most companies are using “public data” for AI training, i.e., data available online for anyone to see. But in the future, as AI models work their way through all the data on the open web, data that can be used to train AI is likely to get more available. 

According to a New York Times article, a Google spokesperson said that a small test group of users had allowed Google to train its AI on parts of their personal emails. 

So, How Do You Opt Out? 

Depends on the platform. 

X: As TechCrunch points out, no one really knows. 

Potential options include: 

• Turning off data sharing with xAI’s Grok and other “business partners” in the ‘Privacy and safety’ section.  
• X might add A new opt-out option before the privacy policy change goes live (November 15th). 

LinkedIn: Go to ‘Settings & Privacy,’ -> ‘Data Privacy’ -> ‘Data for Generative AI Improvement’ -> toggle off. 

BTW, opting out means LinkedIn and its affiliates won’t use your data to train AI going forward. In other words, you can’t take back whatever data it has already used for training. 

Meta: Meta doesn’t provide an opt-out feature for US users. 

Other: Wired has a good article on other companies that use your data to train AI, with instructions on how to opt-out. 

AI Is Just One Privacy Problem to Look Out For

Companies can and do routinely make other changes to their privacy policies that can impact you negatively. 

In September, Telegram changed its privacy policy – it will now share users’ data with law enforcement if they have a warrant or a valid legal request. 

Meanwhile, according to PayPal’s recently updated privacy statement, users’ personal data (such as preferences, products, and sizes) will be shared with third-party vendors “to help improve your shopping experience and make it more personalized for you.” Of course, users are opted in by default (but can opt-out through the ‘Data and Privacy’ setting). 

What Else Can You Do? 

When you get an email saying that a company’s terms of service/privacy policy has changed, read it. 

Also, get in the habit of reading privacy policies in general.

Though tedious, it’s good practice and the only way to know how much of your privacy you’re giving up when signing up/using a service or product. 

To make the process of getting through privacy policies a little less painful, you could try: 

• Terms of Service; Didn’t Read (ToS;DR). This volunteer-based project rates websites’ terms of service and privacy policies from very good (A) to terrible (E). Note: Though ToS;DR was started in 2012 and includes a lot of websites, it obviously can’t cover everything. 

• Mozilla Foundation *Privacy Not Included. This is a good resource for checking connected products’ privacy and security practices. 

• ChatGPT’s Privacy Policy Analyzer. I used it to check Spokeo’s (people search site) policy, and while it seemed to return accurate information, it’s always wise to remember that ChatGPT can make things up. A good idea is to cross-reference what ChatGPT tells you with the actual policy. Note: ChatGPT can’t analyze links, so you’ll need to copy and paste the policy into it. 

• Skimming for key terms or “red flags.” Always look at the section that explains what personal information the website collects about you – is there anything that seems excessive? Then, search for terms like “sell,” “affiliates,” “targeted advertising,” “personalized,” “AI,” “LLM,” “opt-out,” etc. Also, look for a section explaining how long the company retains your data and what happens to your data after you cancel your service/delete your account. 

Let us know – anything we missed here? What are your tips and tricks when it comes to privacy policies? 

A Quick Word On Election Privacy

We did an entire Incognito issue on election privacy last month, but we didn’t cover election disinformation.

Unsurprisingly, election disinformation is on the rise and often takes the form of unsolicited texts, emails, and robocalls designed to mislead or manipulate voters. 

In Wisconsin, for example, people between the ages of 18-25 recently received text messages misinforming them about the elections and telling them they would be punished with fines and prison time if they voted incorrectly. 

As AI bots and deepfakes get more sophisticated, detecting these scams becomes harder and harder. 

Our advice? Keep on making sure your personal information is difficult to find online. The less data there is about you on the internet, the harder you are to reach and the less likely you are to be targeted with misinformation campaigns. 

We’d Love to Hear Your Privacy Stories, Advice and Requests

Do you have any privacy stories you’d like to share or ideas on what you’d like to see in Incognito going forward? 

Don’t keep them private!

We’d really love to hear from you this year. Drop me a line at laura.martisiute@joindeleteme.com.  

I’m also keen to hear any feedback you have about this newsletter.

Recommended Reads

Our recent favorites to keep you up to date in today’s digital privacy landscape. 

23andMe Customers Worried About Their Data

The genetic company 23andMe “faces an uncertain future” according to numerous news reports. While the company says its data privacy policies won’t change in the event of a sale, multiple articles have since advised users to delete their accounts. One catch: 23andMe can still reportedly retain your genetic data even if you delete your account. 

Nearly 400 U.S. Healthcare Institutions Experienced Ransomware

According to Microsoft, 389 U.S.-based healthcare institutions were successfully targeted with ransomware in the last 12 months, which led to “network closures, systems offline, critical medical operations delayed, and appointments rescheduled.” Microsoft also noted that these kinds of attacks are increasingly being carried out by nation-states.

Google Messages Adds New Security Features

Google shared plans for five new security features. These include Sensitive Content (i.e., nudity) Warnings, protections against scam texts that look legitimate at first but might lead to fraud, intelligent warning alerts about potentially dangerous links, controls to turn off messages from international numbers, and improved confirmation about who you’re messaging.

Data of 100m People Leaked In UnitedHealth Data Breach

The insurance company UnitedHealth Group confirmed that the ransomware attack it experienced in February of this year impacted the personal information of more than 100 million people. Information stolen varies between individuals but can include health insurance information, health data, payment information, and other personal details (like SSNs). 

You Asked, We Answered

Here are some of the questions our readers asked us last month.

Q: Is there a way I can find all the places online where my photos are?

A: You could try using Google’s search-by-image function (go to google.com and click the camera symbol in the search field) or use a tool like PimEyes (paid). 

To avoid giving any company more of your personal data, input a photo of yourself that’s already online (for example, your Facebook profile photo or similar). If that’s not possible, make sure you read the company’s privacy policy. You don’t want to give your biometric data to just anyone. 

Q: Is it a good idea to change personal information on an old account to false information before deleting the account?

Yes, that does seem to be the accepted good practice among many privacy-conscious individuals.

The reason why is that you can’t be 100% sure that deleting your account will result in your data being deleted. Some companies might retain your information even after you delete your account. 

The hope is that when you falsify the information on your account before deleting it, the company will overwrite old (i.e., real) data with fake data. So whatever they retain won’t be related to you (and it won’t matter if, for example, the company is breached and personal data is stolen). 

That said, it’s possible that the company will keep a backup of your old data, too, so falsifying data before deleting your account is by no means a foolproof method. 

Back to You

We’d love to hear your thoughts about all things data privacy.

Get in touch with us. We love getting emails from our readers (or tweet us @DeleteMe).

Don’t forget to share! If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter. If you’d like to subscribe to the newsletter, use this link.

Let us know. Are there any specific data privacy topics you’d like us to explore in the upcoming issues of Incognito? 

That’s it for this issue of Incognito. Stay safe, and we’ll see you in your inbox next month.