Incognito — January 2022: New Year Privacy Reboot

Welcome to the January 2022 issue of Incognito, the monthly newsletter from DeleteMe that keeps you posted on all things privacy and security.

Here’s what we’re talking about this month:

• Privacy is not a myth. It’s a right, and, using our tips below, you can — and should — take back control of it in 2022.
• Recommended reads, including “Found: The Most Serious Computer Vulnerability In Decades.”
• Q&A: What’s Netflix like for privacy?

If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter.

2021 Was (Truly) a Terrible Year for Privacy

If you’ve been following the news headlines, then this likely won’t come as a shock to you: 2021 was a cyber security (and consequently, privacy) nightmare.

Here are three important trends from last year:

1. We have entered a “golden era” of ransomware. Ransomware attacks went through the roof in 2021, with cybercriminal gangs turning ransomware into a multi-billion dollar business — think cybercrime gangs employing project managers and PR professionals, working 9 to 5, and taking the holidays off. Massive attacks on tech giants like Apple and Acer and critical infrastructures such as Colonial Pipeline, JBS, and the entire Irish Health Service (HSE) prove that no organization is safe. Ransomware is now “a serious national and global problem.”

2. Last year saw more data breaches than in 2020. By the end of September 2021, the number of recorded data breaches had already exceeded the total number of 2020 by a whopping 17%. This means that hundreds of millions of people have had their personal information exposed in 2021 (but many may not even realize they’ve been compromised).

3. Accessing people’s personal information has never been easier. According to our own research, the amount of online personally identifiable information available for the average individual has grown by 150% in the past 2 years. Not only are there more places to find this information online, but there are now also more data categories available about individuals than ever. So, whereas in the past, pretty much anyone could find out your “basic” information like your name, address, and phone number, today, they can also know who your spouse is and where you work, and even see your court and property records.

What Else Happened?

Facebook was busy. In 2021, the tech giant: 1) Released RayBan Stories, first-generation smart glasses that many experts have described as a “privacy nightmare”; 2) Rebranded itself to “Meta” to reflect its commitment to build a metaverse ecosystem, which sounds cool… until you look at the privacy implications that this would have on users everywhere; 3) Was fined $270 million by Irish authorities for lack of transparency on what WhatsApp, the messaging service it owns, does with the data it collects from its users.

Other social media platforms have been misbehaving, too. TikTok quietly changed its privacy policy to give itself permission to collect users’ “voiceprints” and “faceprints.” Snapchat tried to circumvent Apple’s new privacy rules that require apps to seek user permission to be tracked. And Zoom and TikTok have been found to have violated data privacy laws, with some users now able to file a claim.But there were some privacy wins, as well. Google said it would cease selling ads based on people’s browsing activities, Twitter banned people from sharing private content without users’ consent, and Venmo has stopped displaying people’s transactions on its feed. Meanwhile, a group of utility companies has agreed to stop showing the Immigration and Customs Enforcement (ICE) the data it collects about its customers. Additionally, several states in the US have signed privacy acts into law while the Feds continue to debate consumer data privacy.

Ways You Can Take Back Control of Your Privacy

Almost three-quarters of Americans are worried about their online privacy. However, apart from changing the occasional password, the vast majority are, weirdly enough, not willing to do anything about it.

Don’t get us wrong — changing passwords is important (more on that below). But there are a number of other precautions you should take to ensure you have a safe and privacy headache-free 2022:

Protect your accounts and devices

• If your password is “123456,” “qwerty,” “password,” or anything else from the “Top 200 most common passwords” of 2021 by NordPass, you’re in trouble.You can double-check if your accounts have been compromised by typing your email into Have I Been Pwned?
• Make sure all your passwords are unique and don’t forget your smart home devices.
• Weak passwords are the number one way smart devices get hacked. If changing passwords manually sounds like a major waste of time, get a password manager.
• Enable two-factor authentication to block 99.9% of automated attacks on accounts.
• Don’t use your work laptop for personal stuff — unless you want IT to know everything you’re up to.

Secure your web browsing (and online shopping)

• Use a privacy-focused browser like Brave and a search engine that doesn’t track your online searches, for example, DuckDuckGo.
• Install ad and tracker blockers to stop ads and trackers from following you from site to site.
• Consider using a virtual private network (VPN). However, know that your VPN provider will be able to see your internet traffic, so choose one wisely (some VPNs may be worse than not using a VPN).
• Opt-out of data sharing with platforms like Apple, Google, Netflix, Reddit, and Pinterest.
  Install the HTTPS Everywhere extension to be redirected to an https (safer than http) version of a site when it has one.
• When shopping online, don’t use your real email or phone number. Most browsers now have “Hide my email” functionality, but you can also use a masked email. Pay for things with Apple Pay, Google Pay, or a masked credit card.
• Apps are notorious for tracking users — particularly those on Android phones. Cull any apps you don’t use (especially these five that are “the worst” for privacy.) And don’t forget that you can use a browser version of most apps instead (here are some of the most common apps that also run in the browser).

Safeguard your social media and email and remove your name off the web

• Besides going to great lengths to not overshare on social media (that includes not checking your horoscope on Snapchat or taking Facebook quizzes), make sure you also utilize each social media platform’s privacy and security settings.
• Don’t click on any suspicious emails or text messages and hang up if a phone call seems phishy. For real-life consequences, look no further than the Irish Health Services attack. One unsuspecting employee clicking on a malicious link was all it took for hackers to gain entry into the entire nation’s hospital network. If an email or text message is critical, ring the sender using the phone number you find on a reputable site online. Particularly this time of the year, beware of fake store surveys.

Delete your name from common data broker sites (and do it often). Or, better yet, get a professional service to do it for you.

Recommended Reads

Our recent favorites to keep you up to date in today’s digital privacy landscape.

Found: The Most Serious Computer Vulnerability In Decades

A critical vulnerability in many versions of the Apache Log4j library, a ubiquitous Java logging tool, has been discovered. The vulnerability, dubbed “Log4j,” allows cybercriminals to access companies’ computer servers. By mid-December, there had been over a million hacking attempts, with almost 50% of corporate networks affected by the vulnerability.

Verizon Automatically Enrolls Customers Into a Data Collection Program

All Verizon users are automatically enrolled in the “Verizon Custom Experience” and “Custom Experience Plus” programs. Previously known simply as “Verizon Selects,” the programs track user data, like the sites they visit and their location. While Verizon does not share this data with third-party advertisers, it does share it with service providers who work with them and can use the data to personalize its offers to you (luckily, you can opt out).

DuckDuckGo Will Soon Have a Desktop Web Browser

DuckDuckDuckGo, the internet search engine that prioritizes searcher’s privacy, is now building a desktop browser that will come with “robust privacy protection” from the get-go. According to DuckDuckGo CEO Gabriel Weinberg, just like the DuckDuckGo mobile app currently, the browser will also have a “Fire” button that will let users delete their browsing history, tabs, and stored data instantaneously. The browser will also supposedly be significantly faster than Chrome.

Family Locator App Life360 Sells Precise User Location Data

The family location sharing app Life360, used most often by parents to track children, appears to have been selling user data to about a dozen data brokers. However, while this data is free of the most obvious identifying information, it is not aggregated, fuzzed-out, hashed, or otherwise obfuscated, meaning that anyone who buys this information can tie it back to individual users.

You Asked, We Answered

Here are some of the questions our readers asked us last month.

Q: I have a lot of recipe apps on my phone, are they OK to use?

A: Unfortunately, while recipe apps may look innocent enough, as the vast majority of apps, they also track your activity.

The nonprofit Mozilla Foundation recently conducted an investigation into how bad this tracking is. The answer? It’s pretty bad. Most popular recipe apps have been found to send personal data and behavioral data to third-party advertisers for the purpose of improving their marketing.

The data these apps collect frequently includes everything you do on the app, your location, and device information (the model and OS version but also things like screen brightness, battery level, and whether your phone is on charge or if your headphones are plugged in). In one app studied by Mozilla, an Amazon Ads tracker asked for user data as many as 36 times in just 2 minutes. In another app, a tracker constantly asked for information on how long users were looking at certain ads.

If the above hasn’t scared you off downloading recipe apps (or deleting them off your phone), at the very least, avoid Recipes Home, Allrecipes Dinner Spinner, and Food Network Kitchen. According to the report, these are the worst recipe apps for data collection and sharing. On the other hand, BBC Good Food is probably one of the least offensive recipe apps. Even though the app uses trackers, they don’t appear to be collecting that much personal information about users.

Q: What’s Netflix like for privacy?

A: It’s not the best. But it’s also not the worst, either.

Terms of Service; Didn’t Read, a community project that analyzes and grades the terms of service and privacy policies of popular services and sites, gives Netflix a rating of “C.”

Similarly, Common Sense Media, an advocacy group for families, gave Netflix a rating of 46%, meaning that the streaming service fails to meet the group’s privacy and security requirements. Interestingly, the only streaming service that passed the group’s requirements was Apple TV+.

Looking at Netflix’s privacy policy, you can see the kind of data it collects about its users:

1. The information you provide yourself (including taste preferences and ratings).
2. Information collected automatically (shows you search for and watch and your interests — that last one is courtesy of cookies, web beacons, and device identifiers).
3. Information from partners (things like search queries and commands related to Netflix that you might make through voice assistant platforms and other partner devices).
4. Information from other sources (your location, payment information, and social media posts).

Although Netflix says that it doesn’t sell users’ data, it does target them with ads. The company also says it might share user data with service providers and partners, which can include your internet provider or mobile phone carrier. It can also share data with third parties to run joint promotions and programs — and these third parties are responsible for their own privacy policies.

Scarily, Netflix seems to keep the data it collects about you for quite some time. For instance, in an article for Wired, journalist Kate O’Flaherty found that Netflix had information on her going back to 2015. What’s even more frightening is that, based on the data collected by Netflix, privacy consultant Rowenna Fielding was able to accurately guess O’Flaherty’s living circumstances (relationship status, income bracket, and values and cultural backgrounds).

You can always request to see what information Netflix has about you, as well as enable a few options in your settings to improve your privacy at least somewhat (if you haven’t done that already).

Back to You

We’d love to hear your thoughts about all things data privacy.

Get in touch with us. We love getting emails from our readers (or tweet us @Abine and @DeleteMe).

Share with friends! If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter. If you’d like to subscribe to the newsletter, use this link.

Let us know. How’s your online privacy? Did you find the above tips useful? Also, are there any specific data privacy topics you’d like us to explore in the upcoming issues of Incognito?

That’s it for this issue of Incognito! Stay safe and we’ll see you in your inbox next month.