Welcome to the January 2024 issue of Incognito, the monthly newsletter from DeleteMe that keeps you posted on all things privacy and security.
Here’s what we’re talking about this month:
How to take better control of your privacy this year.
Recommended reads, including “Hackers Accessed 6.9m People’s 23andMe Profiles.”
Q&A: Is there anything I can do to stop spam calls?
It’s that time of the year again – every January, we reflect on the previous year and share tips and tricks on how you can level up your privacy.
2023: A Privacy Recap
We can’t not mention the MOVEit breach, which began mid-2023 and involved the managed file transfer software MOVEit. Over 2,600 organizations were impacted, and more than 91 million people’s data was affected as of this writing (for the most recent tally, check out Emsisoft’s list).
Also: Last year was particularly bad for healthcare breaches, with 480 recorded by October 2023, according to an Atlas VPN study, and more than a quarter of Americans impacted. California, New York, and Texas were the states most badly hit.
What are cybercriminals after? Personally identifiable information. It’s the most valuable data and is hackers’ No. 1 target almost half the time a breach happens. The reason: criminals can use it alongside the PII they find on the dark web to carry out harder-to-prevent fraud or identity theft.
You probably know you’re being tracked online but may not know the specifics. Well, here’s how real-time bidding, which targets you with particular ads, works.
Also, if you see an ad for something online, you probably shouldn’t buy it – the product shown is likely to be around 10% more expensive than it would be if you found it yourself.
The hype surrounding AI has died down somewhat, but if you still use generative AI tools, remember to never share anything with AI chatbots like ChatGPT that you want to keep private.
Watch out for: AI-powered social engineering campaigns. Criminals now use AI to make their emails sound more realistic, so don’t count on being able to spot a phishing message based on spelling or grammar mistakes.
Data brokers are still out of control, even selling your mental health data. Among the people/groups who buy information from data brokers are the feds (turns out, data from brokers is a great way to bypass the Fourth Amendment). In a karmic sort of way, the brokers Instant Checkmate and TruthFinder were breached, impacting 20 million customers.
Some good news: California passed the Delete Act, which will come into effect in 2026. The act will allow California consumers to make personal information deletion requests to all data brokers that have this information (and have registered with the state) through a central dashboard with a single click. It’ll also make DeleteMe’s job easier, as data brokers will legally have to comply with opt-out requests.
The caveat: Not all data brokers might register, and the state doesn’t necessarily have the resources to ensure compliance with opt-out requests.
7 (New) Things You Can Do to Improve Your Privacy
If you use Firefox, you can now enable Global Privacy Control – a setting that tells websites about your privacy preferences – right from the privacy settings.
I’m also keen to hear any feedback you have about this newsletter.
What’s Your Threat Model?
Think about privacy enough, and it’s easy to end up overwhelmed with everything you should be doing (usually according to random strangers on the web).
But the truth is that you don’t need to protect yourself from everything – just the attacks you’re most likely to face, which will be different depending on who you are (journalist, gamer, domestic abuse victim, activist, someone who worries about identity theft, etc.)
If you want to see what actions you should prioritize in 2024, create your own threat model.
The Electronic Frontier Foundation has a good guide, which involves answering 5 simple questions and matching your responses to the tools and actions you need to take.
The questions are:
What do you want to protect? (for example, laptop, bank account, etc.)
Who do you want to protect it from? (for example, doxxer, family member, identity thief, employer, nosy neighbor, government, etc.)
How likely is it that you’ll need to protect it? (for example, with so many breaches happening all the time, the chances that you’ll need to protect your online accounts are high).
If you fail to protect whatever it is you want to protect, how bad are the consequences? (for example, if you fail to protect your bank account, the consequences could include losing a lot of money, stress, etc.)
How much effort are you willing to put in to prevent these consequences? (depending on your situation, some threats will require more effort than others).
Tip: This Reddit post looks at four different threat models relating specifically to keeping your personal information safe from different individuals/groups/entities.
Whether or not you create your threat model, you should, at the very least, embrace minimalism. This means getting rid of anything you don’t need/use, including, but not limited to:
Our recent favorites to keep you up to date in today’s digital privacy landscape.
Hackers Accessed 6.9m 23andMe Users’ Profiles
Hackers who broke into 23andMe in early October accessed the personal data of 6.9 million users (about half of the company’s customers), not 14,000 as initially reported by the company. The compromised information included ancestry data and, in some cases, health-related information. The company also recently changed its terms of service, allegedly to make it harder for customers to sue it following the breach.
Google Making Its Maps Tool More Private
Google is making changes to its Location History policy. Currently, if users have Location History enabled, their Location Timeline is saved on the company’s servers (and can potentially be obtained by local and federal authorities). Starting in 2024, Location Timeline will be saved on users’ devices instead. The auto-delete control, when you first turn on Location History, will also change to three months rather than 18 months.
Pharmacies Found to Be Sharing Patient Records Without Warrant
According to a congressional inquiry, some pharmacy chains in the US shared patients’ prescription records with law enforcement without a warrant and, in many cases, without a review from a legal professional. While pharmacies can legally tell customers that government agencies requested their data, most don’t. Lawmakers have urged the Department of Health and Human Services to strengthen data-sharing procedures.
The FTC Warns of Fake QR Codes
The Federal Trade Commission has warned consumers about harmful QR codes. Because QR codes are so widespread, scammers increasingly use them to direct people to malicious websites and steal their personal information. The most common types of harmful QR codes include postal scams, malicious file sharing, and messages that look like they come from HR, IT, or payroll departments.
You Asked, We Answered
Here are some of the questions our readers asked us last month.
Q: Have I Been Pwned tells me a lot of my online accounts were breached. What should I do?
A: That depends on the website, but generally, the number one thing you should do is change the password on that account and change the passwords on any other accounts where you might have reused it.
The site that has been compromised might notify you what you need to do next, but you can’t count on that.
If your account was breached on a site where you shared your bank account or credit card details, you might also need to notify your financial institution.
In any case, you should keep an eye on your financial statements. It’s good to check them periodically anyway. I found that out when I randomly checked my bank statements a few years ago (back when I didn’t do it regularly) and noticed a charge I didn’t recognize. An online booking platform I have an account with was breached around the same time.
Q: Is there anything I can do to stop spam calls?
A: Unfortunately, no. If you’re getting scam calls (rather than official business calls), there isn’t much you can do to stop them completely.
For example, you could add your number to the Federal Do Not Call Registry, but as you might have already guessed, scammers ignore the Registry. In fact, some people have reported that adding their number to the Registry has made things worse, although that could be a coincidence.
You could also block these numbers, but that’s likewise pointless since scammers spoof other people’s numbers.
That said, there are things you can do to reduce how many scam calls you receive. These include:
Not answering unknown calls in general. If it’s important, the caller will likely leave a voicemail.
Answering unknown calls but not speaking first or putting yourself on mute until the person/robot on the other line speaks. Anecdotal evidence suggests that scammers listen for signs that the number they call belongs to an actual human to determine if it’s worth calling them again.
Silencing unknown callers in your phone’s settings.
Removing your phone number from the internet, including data brokers, social media profiles, etc.
Back to You
We’d love to hear your thoughts about all things data privacy.
Get in touch with us. We love getting emails from our readers (or tweet us @DeleteMe).
Don’t forget to share! If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter. If you’d like to subscribe to the newsletter, use this link.
Let us know. Are there any specific data privacy topics you’d like us to explore in the upcoming issues of Incognito?
That’s it for this issue of Incognito. Stay safe, and we’ll see you in your inbox next month.