Incognito — October 2023: X (Formerly Twitter) Has a New Privacy Policy

Welcome to the October 2023 issue of Incognito, the monthly newsletter from DeleteMe that keeps you posted on all things privacy and security.

Here’s what we’re talking about this month: 

• X’s new privacy policy and social media in general. 
• Recommended reads, including “Google Starts to Roll Out Privacy Sandbox In Chrome.”
• Q&A: Is having multiple email accounts, each for a different purpose, worth it?

Do you use X (formerly Twitter)? If so, you might want to know that its privacy policy changed pretty dramatically last month. 

What’s new is that you’ll soon be giving the company even more personal information than before. And X isn’t the only social media platform that is disrespecting your privacy, either. 

X’s New Privacy Policy 

There are three important changes to X’s privacy policy you need to know:

1. X company will now collect (some) users’ biometric data. Per the policy, this will be based on user consent and, for now at least, only apply to X Premium users who want to share their government ID and picture with X as an extra verification layer. The policy doesn’t explain how long X will retain biometric data or its deletion policies. In general, the language around biometric collection in X’s privacy policy is considered by lawyers to be “vague.”

2. X will also collect your education and employment history. X will use this information to recommend jobs, share it with employers to help them find better candidates, and show you more targeted ads. This relates to X becoming an “everything app,” specifically the new job posting feature known as “X Hiring.” Like biometric data, this data collection will also apparently require user consent. Privacy experts worry this will lead to algorithms making career decisions for us and reinforcing biases.

3. X might use the data it collects about you to train its AI models. Private and confidential information won’t be used to train AI models, according to Musk, but public data like posts (previously tweets) more than likely will. In any case, X doesn’t define “private” vs.“ public” data. 

(Even) Less Anonymity On the Net

Overall, these changes do not bode well for privacy.  

Speaking to Fortune magazine about X’s privacy changes, computer scientist Jacopo Pantaleoni said collecting biometric data and job history “might establish a system where it becomes virtually impossible to remain anonymous on the net, further eroding the very notion of online privacy.”

Other Social Media Platforms Are No Better

X is bad for your privacy, but other major social media platforms aren’t any better. 

Facebook, for example, gets a grade “E” (terrible) on “Terms of Service; Didn’t Read,” a community project that grades major internet sites’ policies. 

• Some of Facebook’s many issues include collecting many different types of personal data (including biometrics and location data), storing your data whether you have an account or not, and holding onto content you’ve deleted. 
• Instagram, TikTok, Snapchat, Pinterest, YouTube, Reddit, and LinkedIn get an “E,” too. 

By the way, Threads, an alternative to Twitter (X), has also been disparaged by privacy experts for its data collection practices. 

What does that mean in real terms? Whenever you “Like” or post something on social media, you give advertising firms a better picture of who you are. 

Besides advertisers, your social media interactions also provide data to bad actors who may want to harass or doxx you, as well as identity thieves and cybercriminals. For instance, threat actors increasingly use information LinkedIn users share on their profiles to target organizations with cyber attacks. 

The cybersecurity company Trend Micro writes:

“Knowing that a user wants to change jobs, is unhappy with the current employer, or is looking for a particular job, could allow a fake recruiter profile to induce the user to send their curriculum vitae filled with personal information, open malicious files, or fill in some forms.”

Small Steps You Can Take to Take Back Your Privacy

The best thing you can do is give up social media altogether, but let’s be honest: few people are willing to go that far. Besides, even if you don’t have an account with certain platforms, they may still track you. 

Fortunately, small steps like using an alias instead of a real name and not using a real photo as a profile picture can go a long way in helping you stay more private. 

At the very least, explore the privacy settings available on each platform you use:

• LinkedIn
• X 
• Pinterest
• Facebook
• Instagram
• TikTok
• YouTube
• Snapchat
• Reddit
• Threads

Another critical thing to remember: Even when you think you’re anonymous, the tidbits of information you share on social media can be pieced together to figure out who you are. I learned this the hard way when someone on Reddit was able to track me down on LinkedIn.

On Our Privacy Radar

What: ActivityPub – a technology that powers the “Fediverse,” a collection of social networks that allows users to communicate with others across multiple platforms. 

Why: Because the fediverse is governed by open protocols rather than the “walled gardens” of closed platforms, it gives control back to users. It’s a way to avoid algorithms (what you see depends entirely on who you follow) and advertising (there are no ads on the Fediverse). 

Which (platforms): You might have heard of Mastodon, which is based on ActivityPub. But there’s also PeerTube and Pixelfed (basically a decentralized YouTube and Instagram). Other platforms, like Tumblr and Threads, also said they’d add support for ActivityPub. 

How: Fedi.Tips has a guide on how you can join and use Mastodon and the wider Fediverse. The Fediverse Wiki also has a beginner’s guide. 

Quote: “I was there in the early days of the web, and this whole thing with ActivityPub is as big a deal as HTML was back then. This is the single biggest opportunity I’ve seen for the web since the dawn of the web.” – Mike McCue, the CEO of Flipboard.

Recommended Reads

Our recent favorites to keep you up to date in today’s digital privacy landscape. 

Google Starts to Roll Out Privacy Sandbox In Chrome

Google started rolling out Privacy Sandbox, an umbrella term for a new set of technologies that will eventually replace third-party cookies on Chrome (Firefox and Safari already block third-party cookies). Although Privacy Sandbox is supposed to improve privacy by only sharing topics users are interested in with advertisers instead of additional user information, it has been criticized by some privacy experts.

Delaware Passes Comprehensive Consumer Privacy Law

The Delaware Personal Data Privacy Act was signed into law by Governor of Delaware John Carney in September and will come into effect on January 1, 2025. Described as one of the “strongest” privacy laws in the nation, the law gives consumers rights to be informed about personal data collection, access this information, correct any inaccuracies, and request the deletion of this data. 

MGM Hack Likely Achieved By Impersonating Employee 

The recent hack on MGM Resorts was likely carried out by the Scattered Spider hacking group, who, around the same time, also breached Caesars Entertainment Ltd. and other companies. It is believed that the technique used to hack into MGM’s systems involved impersonating an employee in a call to the help desk. In some cases, the group also engages in swatting, i.e., calling heavily armed police to executives’ homes. 

California Passes the Delete Act 

The California legislature passed the Delete Act, which would allow California residents to delete their personal information from multiple data brokers registered in the state with a single request. For the Delete Act to become law, it needs to be signed by Governor of California Gavin Newsom, who has until the 14th of October to do so. He has given no indication of whether or not he will. 

You Asked, We Answered

Here are some of the questions our readers asked us last month.

Q: How is Google Photos in terms of privacy? 

A: Not great. 

The good news is that Google says it doesn’t use your photos for targeted ads: 

“We don’t sell your personal information to anyone or use the content you store in Photos for ads purposes.” 

However, something to be aware of is that Google scans photos for child sexual abuse images, or CSAM (although it apparently does this only after a user takes “affirmative action,” like backing up photos to Google’s cloud). 

A story from last year in The New York Times about a dad who took pictures of his kid for a doctor and was reported to the government as a criminal illustrates how this can go horribly wrong. 

The practice has good intentions, but, as the Electronic Frontier Foundation says, scanning people’s images could lead to consequences unrelated to CSAM and punishment for other crimes like drug use. Furthermore, wrong accusations (inaccurate scans are not unusual) of individuals living in communities or countries with less friendly or corrupt police may not always be solved in the accused person’s favor.   

If you’re looking for an alternative to Google Photos, there are dedicated services that offer secure photo storage, but make sure to do your research – not all of them will be any better than Google. 

There are also self-hosted options, but that means you’ll need to manage the infrastructure yourself. 

You could also always keep your photos on a hard drive. Just make sure to back it up once in a while and make a copy that’s stored somewhere else. 

Q: Is having multiple email accounts, each for a different purpose, worth it?

A: Absolutely! 

Having different email accounts for different purposes can reduce the likelihood of falling victim to phishing scams – currently a huge problem. 

It can also help reduce spam and generally improve your privacy and security. For instance, many websites let people use their email address as their username. If someone has your email address and your passwords are weak (most people’s are, anyway), someone can potentially access your accounts (MFA won’t always help here, either). 

How many email accounts you have is up to you. You may want to create one for personal use (i.e., communicating with family and friends), social media, junk mail/shopping, financial transactions, etc. 

There are apps that can make managing different email addresses easier, and if you use Gmail, it lets you forward emails from your other Gmail addresses to a master email. 

Back to You

We’d love to hear your thoughts about all things data privacy.

Get in touch with us. We love getting emails from our readers (or tweet us @DeleteMe).

Don’t forget to share! If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter. If you’d like to subscribe to the newsletter, use this link.

Let us know. Are there any specific data privacy topics you’d like us to explore in the upcoming issues of Incognito? 

That’s it for this issue of Incognito. Stay safe, and we’ll see you in your inbox next month.