Incognito — January 2023: Level Up Your Privacy in 2023

Welcome to the January 2023 issue of Incognito, the monthly newsletter from DeleteMe that keeps you posted on all things privacy and security. 

Here’s what we’re talking about this month: 

• How to level up your privacy in 2023.  
• Recommended reads, including “End-to-End Encryption Comes to (Some) Gmail Users.”
• Q&A: Is Twitter still safe to use?

If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter. 

Every January, we reflect on the year that was and share tips and tricks on how you can improve your privacy this year. 

2022: (Yet Another) Bad Year for Privacy 

Where do we even begin? Let’s start with the obvious: 

Location tracking. The overturn of Roe vs. Wade highlighted how our location data could be used against us. And as evidenced by Google recently agreeing to pay millions to settle an investigation into how it uses location tracking, big tech might track us even when we explicitly tell it not to. On the other hand, law enforcement was found to be using a paid tool that shows them “patterns of life,” i.e., where people go and when to circumvent having to get a warrant. Oh, and Apple AirTags became stalkers’ favorite tracking device last year. 

Data breaches. Last year, we had plenty of those. Here’s a list of the most significant ones. While not all data breaches impacted consumers, many did. Globally, a third of consumers were affected by a data breach, according to the 2022 Thales Consumer Digital Trust Index. Weirdly enough, more than 8 in 10 consumers continue to trust that digital services will protect their data. 

Federal data privacy law. The American Data Privacy Protection Act (ADPPA), a privacy bill that got bipartisan support, was introduced to Congress last yet—but it didn’t go anywhere. Its biggest hurdle: it overrides state laws. Republicans think that existing state laws (in particular, the California Consumer Protection Act) are stronger, so they won’t support it. Speaking of laws, the Kids Online Safety Act (KOSA) was also approved in 2022 by the Senate Commerce Committee. Most privacy experts oppose it vehemently because it would “force platforms to spy on young people,” potentially harming minors. 

7 Data Privacy Stories to Watch in 2023

A few more privacy-related happenings from 2022 and what to expect this coming year: 

• Elon Musk acquired Twitter, causing security and privacy leaders to quit the platform. Users are leaving too, and Twitter alternatives like Mastodon are on the rise. 
• Google says third-party tracking cookies are here to stay until 2024. 
• 16 airports in the US are experimenting with facial recognition tech. 
• GPT-3 will likely be used by bad actors to write better phishing emails. 
• Five state consumer privacy laws will take effect this year (Virginia, California, Colorado, Connecticut, and Utah). 
• Google introduced a tool that lets you delete personal information that could be used to dox you. At some point this year, users will also be able to subscribe to get alerts when this data appears on Google.
• Breaches like the Uber hack showed that multi-factor authentication (MFA) isn’t foolproof. Where possible, opt for hardware-backed FIDO2/U2F authenticators like YubiKey. 

3 Easy Ways to Level Up Your Online Privacy In 2023

Privacy isn’t all-or-nothing. Regardless of where you are right now, you can take small steps to jump up a level in 2023. The following section will help you do just that. 

Online tracking

Everywhere you go online, you are being tracked. To understand how the sites you visit spy on you, check out Blacklight, a real-time website privacy inspector by The Markup. Then, use Cover Your Tracks by the Electronic Frontier Foundation to see how protected you are against online tracking. 

When you’re done, choose your level: 

• Beginner: Download anti-tracking plug-ins (Ghostery, Privacy Badger, IronVest, etc.) and ad-blockers (AdBlock, Adblock Plus, etc.) 

• Intermediate: Use a privacy-focused browser and search engine (DuckDuckGo, Brave, etc.)

• Advanced: Encrypt your traffic with a virtual private network (VPN) (make sure you choose one that won’t share/sell your data) or The Onion Router, a privacy network that lets you browse the web anonymously. 

Account safety

From Twitter to Revolut, there was no shortage of data breaches in 2022. Use the Have I Been Pwned online tool to see if your details were compromised last year. 

Then, based on the steps you’ve taken to date to increase your account safety (no judgment), go up a level: 

• Beginner: Use strong, unique passwords for every account. Here’s a list of passwords you SHOULDN’T use. 

• Intermediate: Enable multi-factor authentication (MFA). It will add another authentication step to your accounts in case your passwords are leaked. 

• Advanced: Use email aliases when signing up for new accounts. Doing so can help you fight spam and determine who sold your data. Krebs on Security has a great article about the pros and cons of email aliases. 

Social media

Although social media platforms are among the worst data privacy offenders, few people are ready to give up social networks for good. But even if you can’t live without *insert your favorite social media platform here*, there are still some steps you can take to increase your privacy—even if it’s just by a little bit. 

Depending on your baseline, jump up a level: 

• Beginner: Make your accounts private. The fewer people can see your social profiles, the less likely you are to be scammed, doxxed, stalked, have your identity stolen, etc. 

• Intermediate: Do a “privacy checkup” on all social sites you use (Facebook, Twitter, Instagram, TikTok, LinkedIn, Snapchat, Pinterest, WhatsApp, and YouTube).

• Advanced: Consider free and open-source software (FOSS) alternatives (like Fritter, Tinfoil, and of course, Mastodon.) Just make sure to do your research first (for example, here’s what the Electronic Frontier Foundation has to say about Mastodon). Remember: open source does not mean private and/or secure.    

3 Other Things Everyone Should Do Immediately 

• Make sure automatic updates are enabled on all devices. Perform any outstanding updates right now. 
• Back up your data to a cloud service or local external storage (or both). 
• Do an audit of all the apps on your phone. Delete any you don’t need, including these five you probably use—but shouldn’t. 

Recommended Reads

Our recent favorites to keep you up to date in today’s digital privacy landscape. 

Tax Filing Websites Shared User Data with Meta

Popular tax filing services like H&R Block and TaxAct shared user financial information with Meta, an investigation by The Markup found. The data was sent via the Meta Pixel, a piece of code the services put on their websites, and included names, email addresses, income, and more. While the tax filing services have since changed their pixels’ settings to cease financial data collection, Meta is now facing a class action lawsuit over this practice.

Amazon Will Give You $2 a Month to See Your Phone’s Internet Traffic 

Amazon is offering select users $2 a month to monitor the kinds of ads they see on their mobile devices as well as when and where they see them. The tech giant says this will help make ads more relevant. Invited users can also get $10 in Amazon credit if they share receipts of non-Amazon purchases. As expected, this offer has outraged privacy experts, who say that your data is worth much more than $2 a month. 

End-to-End Encryption Comes to (Some) Gmail Users

Google added end-to-end encryption (E2EE) to Gmail (the web version), a feature that will make the body of the email and attachments (but not the header) indecipherable to Google servers. Currently, E2EE is only available in beta for some Google users, including Workspace Enterprise Plus, Education Standard, and Education Plus. Users can apply to try out this feature until January 20, 2023.

Brave Now Shows Users “Privacy-Preserving” Ads

Brave Software, the company behind Brave, a search engine that promises not to track users, is testing “privacy-preserving” ads. According to Brave Software, ads are labeled clearly as such to distinguish them from other results and are anonymous, i.e., ads are based on a user’s search query, device type, and country. Users can also pay $3 a month for “Search Premium,” which offers an ad-free experience.

You Asked, We Answered

Here are some of the questions our readers asked us last month.

Q: How long do mobile providers store our location data for? Is it for like a day or indefinitely? And what do they use this data for?

A: Really good question. 

You might recall how, several years ago, wireless providers like AT&T got into trouble for selling sensitive user location data to third parties like data brokers without user consent. Amidst public outcry (and fine proposals from the FCC), they promised to stop doing so. 

So, did they keep their promise?

Earlier this year, the Federal Communications Commission (FCC) asked the country’s top telecom providers to disclose the kind of location data they collect, how long they keep this data, and whom they share it with. 

The FCC has shared the providers’ responses on their site. 

The long and the short of it is: there’s no standard for how long wireless providers keep user data. For example, AT&T retains cell-site-level data (which can give a user’s approximate location) for five years, while Verizon keeps this data for one year. 

All providers also say they don’t sell customers’ location data to third parties. But they can still share this data with civil authorities or the police (i.e., comply with legal subpoenas, etc.). In many cases, they can do this without letting their customers know. 

Q: Is Twitter still safe to use?

A: That depends on who you ask. 

Elon Musk will probably tell you that his recent policy changes (like not being able to share other people’s real-time location data without their consent) make the social media site safer than ever.

Others, like TechCrunch, have recently warned that some users can’t get Twitter’s privacy features, such as toggling direct message privacy settings, to work on iOS. Many (including Twitter employees) also predict that Twitter will soon fail. 

While only time will tell what’ll happen, there’s probably no harm in taking New York Times’ advice and archiving and locking down their data. 

Back to You

We’d love to hear your thoughts about all things data privacy.

Get in touch with us. We love getting emails from our readers (or tweet us @DeleteMe).

Don’t forget to share! If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter. If you’d like to subscribe to the newsletter, use this link.

Let us know. Are there any specific data privacy topics you’d like us to explore in the upcoming issues of Incognito? 

That’s it for this issue of Incognito. Stay safe, and we’ll see you in your inbox next month.