LAUREL WAMSLEY, HOST:
This is NPR's LIFE KIT. This episode, we're digging in to digital privacy and security. The goal is to help regular people with no special technical skills get a better handle on their digital lives. A lot of people might think this is not especially important for them. I'm boring, they'll say. What do I have to hide?
EVA GALPERIN: That's simply not true. The people who tell you that they have nothing to hide are people who just haven't thought about it very carefully.
WAMSLEY: Eva Galperin is the director of cybersecurity at the Electronic Frontier Foundation. She says she hears that a lot from people - that they're not that interesting and that they don't have anything worth hiding. But she says we all express different aspects of ourselves in different parts of our lives.
GALPERIN: Most of us, in spite of the fact that we have nothing to hide, still lock our doors. We still close our windows and have shades on them. We still don't run around sharing our passwords or our credit card numbers with just about anybody. These are things that we do every day in order to protect our privacy and security.
(SOUNDBITE OF MUSIC)
WAMSLEY: I'm Laurel Wamsley, a reporter at NPR. But before I was a reporter here, I worked for a few years as a copywriter and marketer at tech companies. The last company I worked for was in the marketing technology business, the industry devoted in part to tracking people and merging their information so they can be advertised to more effectively. And I mean tracking in multiple senses - actual physical tracking, because we carry our phones everywhere we go, and virtual tracking of all the places we go online.
(SOUNDBITE OF MUSIC)
WAMSLEY: The more I learned about this, the more I wanted to protect my privacy. And it became clear to me that the Internet was still the Wild West. Companies had built powerful tools to collect information on people who did not understand how this data could be used. Our personal information is being collected and sold in massive databases to anyone who wants to buy it.
(SOUNDBITE OF MUSIC)
WAMSLEY: All of this made me very uncomfortable. I started taking my privacy more seriously, but it was also hard to know which of my efforts were actually effective. So for this LIFE KIT, I wanted to reach out to some tech experts who are deeply knowledgeable on this subject to find out the steps that they take to protect their data and to find out what regular folks like you and me can do to make our digital lives more secure.
(SOUNDBITE OF MUSIC)
WAMSLEY: In this episode, you'll learn some concrete things you'll probably want to do, plus some additional steps to consider depending on what you're trying to protect.
And a quick note - Eva and other experts make a distinction between privacy and security when it comes to your data. Security generally refers to protecting against someone trying to access your stuff - stealing your credit card number, hacking your accounts. Privacy is more often used to talk about keeping your movements from being tracked for purposes of advertising or surveillance. It turns out that the steps to protect your security are more clear-cut than those for privacy. But we'll come back to that.
And a disclosure - NPR receives funding from Google and Facebook. With that out of the way, let's dive in.
(SOUNDBITE OF MUSIC)
WAMSLEY: As Eva says, we all have something to protect, whether it's our credit card information, our photos or our opinions. And even if we do want to share some of those things online, we still want to have control over who we share them with.
GALPERIN: The things that you want to broadcast to your friends are not necessarily the things you want to broadcast to your family or to a stranger or to a government.
WAMSLEY: Let's start with protecting our accounts. Eva says there are some steps that make sense for almost all of us, including using strong passwords, two-factor authentication and downloading the latest security updates. That's our first takeaway - practice good security hygiene.
GALPERIN: All of your passwords should be passphrases.
WAMSLEY: That's right, passphrases. Longer than a password, phrases are strong and unique for each site. So don't use 1234. Bring some randomness and special characters into it. And also don't use the same password for different websites. You don't want all of your accounts to be compromised just because one of them gets hacked.
GALPERIN: And then, of course, you have the problem of how you're going to remember all of your long and strong and unique passwords. And the answer is you don't. You use a password manager.
WAMSLEY: And then turn on two-factor authentication for your important accounts. You've seen this. Usually you're asked to put in your cellphone number. You can get a text with an additional number that you type in before you can log in. That's the most common type of two-factor authentication. But unfortunately, it's not the strongest, Eva says.
GALPERIN: SMS messages are sent unencrypted and can be intercepted by anybody who buys the right equipment and is appropriately nearby or by your ISP or by your government, by law enforcement. There are lots of ways in which your SMSs are not secure.
WAMSLEY: If you want to go a step further, she recommends using an application that sends the second factor to an app on your phone using an app like Authy or Google Authenticator. These are harder to intercept. You can also use a physical device that you carry with you that plugs into your computer's USB port and serves as the second factor.
And those nudges you get from your computer or phone to install the latest security update - you should download those.
GALPERIN: Most applications, when they're compromised, are compromised by problems that everybody knows exist, that have been publicly reported and that the company has fixed and they have issued a patch in their security update. But if you do not take the security update, you do not get the benefit of the work of the security engineers at that company.
WAMSLEY: But not all attacks on our security come through malware or hackers invisibly breaking into your account. It's very common that we're tricked into handing over our passwords or personal information to bad actors. That brings us to our second takeaway - beware of phishing. These attempts can happen via email, text message or phone call. And generally, they're trying to get your username and password, or perhaps your Social Security number. But there are often signs that these messages aren't legit.
GALPERIN: And one of the things that you can see in the email is that it is not coming from the person that it's supposed to be coming from. It is coming from the wrong domain. It has lots of spelling or grammatical errors or the link that they ask you to click is not the link for the website which you're supposed to be logging in to. So those are all a bunch of tells.
WAMSLEY: So if it feels fishy, it could be phishing.
GALPERIN: If it feels fishy, it could be phishing. Additionally, Apple is never going to call you on your phone about your account, and neither is Google.
(SOUNDBITE OF MUSIC)
WAMSLEY: So those are some security basics that are a good idea for just about everybody. Use strong passphrases and use a password manager so you don't have to remember them. Turn on two-factor authentication for your accounts. Get the latest security updates. And watch out for scammers.
But depending on your situation, you might want to take additional precautions to safeguard your privacy and security. Matt Mitchell is a tech fellow at the Ford Foundation and founder of CryptoHarlem, an organization that teaches people in Harlem to protect their privacy, including from surveillance.
MATT MITCHELL: I mean, I have the luxury of working mostly with marginalized people, so mostly with undocumented people, Black and brown people.
WAMSLEY: He never hears that "I'm boring; I don't need privacy" idea from them.
MITCHELL: And the reason why they never say that is the harms that come from exploiting identities - they have lived experience, and their family and friends have a lived experience with those harms.
(SOUNDBITE OF MUSIC)
MITCHELL: You know, privacy is personal, and it's different, and everyone has their own concept of what it is, right? But when someone else has, like, downloaded all their stuff or an ex has taken intimate pictures and put it in a public place, everyone will have a way to that (ph). It'll be like, whatever my personal rules are, you've broken them.
(SOUNDBITE OF MUSIC)
WAMSLEY: To figure out what steps people should take in terms of privacy and security, he tells them to start by thinking about the thing they are most scared of happening to their accounts.
MITCHELL: I'm worried about someone taking my money. I'm worried about, you know, someone telling someone the mean things I said about them. And then you think, like, which of those things is, like, most likely to happen? And then it's like, OK, the money thing or, like, my personal information - whatever it is, right?
WAMSLEY: Then you use those concerns to focus your efforts and zero in on securing the things that matter most to you. As a general tip, Matt suggests looking at your phone and deleting all the apps you don't really, really need.
MITCHELL: Ask yourself, when did I install this thing? Can I delete it right now?
WAMSLEY: For a lot of things, you can use a browser on your phone instead of the app. And Matt says that's better because browsers are simple. They can only get certain kinds of information.
MITCHELL: They can still track you with pixels and all kinds of stuff. But when I have an app, I have an accelerometer, I have a camera, I have a microphone, I have your contact. I have so much access to your data. The first thing I do is tell people, like, let's get rid of some apps. Let's try to throw as many apps out the window. Like, let's Marie Kondo this [expletive], you know?
WAMSLEY: Let's make that takeaway three - Marie Kondo your apps. I mentioned to Matt that even though I use Facebook and Twitter, I don't have those apps on my phone, partly so that I'll use them less and partly for privacy reasons. I wanted to know, did I actually accomplish anything by not having those apps on my phone?
MITCHELL: You accomplished a lot, right? So, you know, only when I could turn that crude into petrol can I really make my money. And that's what all these companies are. They have the ability to take your data and turn it into gold. And they don't give you the change back. So that's the first thing. And every time you don't use an app, you're giving them less data.
WAMSLEY: Now let's talk about one app most of us really do need on our phones - messaging. If you want the contents of your messages to be secure, it's best to use an app that has end-to-end encryption, like Signal or WhatsApp. But Eva warns that even though the contents of your messages are protected, your metadata isn't. And someone could learn a lot about you from your metadata. She compares it to what you can learn just by looking at the outside of an envelope in the mail - who sent it to whom, when and where it was sent from.
And WhatsApp is owned by Facebook. So when you share your contacts with WhatsApp, Facebook is getting that info, though, again, they can't read the contents of your messages. And other experts warn against using Facebook Messenger on your phone, which offers less privacy than WhatsApp.
Matt says that when it comes to messaging, beware of backing up your WhatsApp to the cloud if you really want to keep things private.
MITCHELL: You've got to be like, never - never back up my conversation, 'cause that backup is stored in your iCloud, and it's also stored in your - if you have an Android phone, it's stored in your Google Drive. And that backup is just a database. And that database is easy for someone to open and read - and WhatsApp, all those images, all that stuff. So that's why we want to clean that out. You want to say, no backups, and then you want to go actually into that place in your iCloud and turn off WhatsApp so it deletes it, or into your Google Drive, and you got to delete what was there before.
WAMSLEY: Eva says it's important to understand that when you're backing up to the cloud, you're not backing up to your own computer. You're backing up to a different computer that you don't have physical access to.
GALPERIN: It comes down to whether or not you trust the company to keep that information safe or to - if you're expecting the company to be broken into or if somebody shows up with a subpoena or a warrant. These are all ways in which they can get their hands on your backup information, and you may not even necessarily know about it.
WAMSLEY: That's takeaway four - be thoughtful about what you back up to the cloud. And one more note about safeguarding your accounts - be careful about sharing your passwords or accounts with someone, even if that person's your partner. Eva says she frequently works with people who've experienced domestic violence and intimate partner abuse.
GALPERIN: One of the things that people should really consider when they're sharing their devices or they're sharing their passwords or they're sharing an account is the possibility that you trust this person now, but you're not going to trust them forever - that there may be a time when you no longer trust them.
WAMSLEY: For these situations, the safest bet is to not share important accounts or passwords with anyone else. But she says she knows that a lot of people are going to do this anyway. So if you are going to share this information, she recommends having a plan for locking out someone if you need to, like turning on two-factor authentication.
(SOUNDBITE OF MUSIC)
WAMSLEY: So that's security. Let's go deeper on privacy. Consider deleting some apps you don't need, and turn off location services for apps that don't really need it. Think twice before giving an app access to your contacts. Matt also recommends going to myactivity.google.com and just deleting everything you can.
MITCHELL: And it will show you every search term and everything you've ever done, every YouTube video you ever looked at - all that stuff. And I tell them to delete everything. And it'll say, are you sure you want to delete this 'cause if you delete this, it might affect some stuff? And I'm like, yeah, just go ahead. And it's like, are you sure you want to go ahead? And just, yeah, I do. And just blow it all away.
(SOUNDBITE OF MUSIC)
WAMSLEY: And whenever possible, he recommends going into your settings and turning off ad personalization.
MITCHELL: Which sounds so nice, right? Like, I'm personalizing these ads for you. But what it really is is permission to do really invasive tracking so I can personalize these ads for you, you know?
WAMSLEY: And don't worry about writing all this down. At npr.org/lifekit, we'll have links to where you can turn off or limit ad personalization on Google, Twitter and Facebook, as well as some of the other tips we've mentioned so far.
A quick note on Facebook, where some of us have had accounts for a very long time - is it even worth trying to limit what Facebook knows about us? Haven't we already given everything away? Matt says it's still worth it to limit what Facebook can access. It's like smoking, he says. It's never too late to quit or cut back. You'll still benefit. By using a browser instead of the app, by turning off personalization and making your account more private, you're just giving Facebook less data to harvest, less data that its artificial intelligence can use to advertise to you and people like you even more effectively.
Beyond some of the basics we've talked about, protecting your security and privacy gets harder. But for many people, Matt says, it's worth it.
MITCHELL: The people who I work with who take advantage of that are people who are, you know, survivors of domestic abuse. For them, that pain is not so much, right? Or people who are like, hey, someone stole my identity, or, someone's criminalizing my behavior, you know, or, I'm trans, or, you know, I'm a queer person - right? - and I'm being othered - well, for me, maybe I do want to take those extra steps.
WAMSLEY: But the issues of consumer privacy are bigger than any one of us. A person who knows a lot about that is Ashkan Soltani. He was appointed in 2015 to be the chief technologist for the Federal Trade Commission. And more recently, he was one of the architects of California's Consumer Privacy Act, a major piece of legislation that passed in 2018.
He says people's need for privacy is, on the one hand, kind of abstract - say, you share certain things with your doctor that you don't with your co-workers - but it's also concrete. A few years ago, he worked on a project with The Wall Street Journal in which they found that there were services that monitored people's online activity to sell to car dealerships, so when you went to the car dealership, they knew exactly your level of interest in that car that had just arrived.
ASHKAN SOLTANI: They know that you've been looking at the red car for three weeks every night and that you really want that model that they just got on the lot. And as much as you try to bluff, you know, they know.
WAMSLEY: Ashkan and his colleagues also found that brick-and-mortar stores like Staples and Home Depot would charge different prices for the products they sold online due to factors like where a person lives, and not because shipping costs were more.
SOLTANI: They would price the item more or less based on how far this person was from a competitor, right? So they would use information about that item to essentially determine how much money they could extract from individuals.
WAMSLEY: And that's just on the commercial side. There are political implications, too. What's known about you can change the ads you see, the posts in your feed, the news articles and videos that you're shown. We're all being targeted in ways that aren't clear to us as we go wading through the Internet.
When it comes to his own privacy and security, Ashkan takes a number of precautions. Some of those steps are pretty common, like blocking third-party trackers with something like an ad blocker. And he'll make a point to use certain browsers or different browsers for different activities.
Other precautions are a bit more next-level, like using a service that creates a new email address for every service he creates an account for. But he rarely recommends those steps to regular people.
SOLTANI: One, the degree to do it effectively, it requires so much kind of attention and, you know, persistence to never screw up, to never slip up. And, two, it's still kind of limited in its effectiveness.
WAMSLEY: He says real digital privacy is nearly impossible to come by because, well, the game is rigged.
SOLTANI: The money is stacked against them. The incentives are so high on the other side to uniquely identify people and track them that they will never have enough motivation and incentive to do it to the degree of this multibillion-dollar ad tech industry.
WAMSLEY: He says that a decade of working on digital privacy has convinced him that what will actually be effective is stronger laws protecting consumers, laws that guarantee people's right to privacy and that limit collection of their personal information. Europe has a law that aims to do that, the General Data Protection Regulation, known as GDPR. And California now has a law with that goal, too. Ashkan helped write it. He lives in California. So now when he goes to, say, a newspaper's website, he can click a button that says, do not sell my personal information.
In practice, it's a bit more complicated. Ashkan's been working on a ballot initiative known as Prop 24 that aims to close loopholes in the state's privacy law and add teeth to enforce it. Californians will vote on it in November 2020.
In the rest of the U.S., we don't have those safeguards. We don't have a universal national online privacy law. We have narrower laws governing financial and health data and a law protecting children's personal information. Beyond that, we mostly have the authority of the Federal Trade Commission, which regulates unfair and deceptive trade practices. That means a company can't lie to you about their privacy practices, but they can collect and share a whole lot, as long as they're transparent about it.
SOLTANI: And what that means is that buried in most websites' privacy policies is a bunch of, essentially, language around how they sell data with third parties and how your information may be bought and sold.
WAMSLEY: So that's takeaway five - recognize that it's really hard to protect your privacy online if there aren't laws that protect your privacy online.
SOLTANI: But I think the important thing is just to look up and just literally search for what potential privacy legislation is occurring in your state or federally and voice your support, right? I think the only way we get real change is that if people actually kind of speak up that this is an important right and that this is an important thing they should act on.
WAMSLEY: Getting up to speed on privacy legislation and calling your congressperson is definitely a bigger step than adjusting a privacy setting on your phone. But Ashkan compares learning about digital privacy to learning where your food comes from or where your sneakers are made.
SOLTANI: I can give you advice on downloading, you know, ad blockers and downloading VPN software and downloading other tools, but chances are this moment you download those tools, you'll also sign in to Facebook and you'll also download, you know, the TikTok app and you'll also download all these other privacy-invasive tools that when you do, you immediately consent to them using, sharing and selling your personal information. And I think we should have the right to be able to use certain apps and tools without necessarily having to succumb to all of these parties being able to collect our information.
WAMSLEY: Faced with this landscape, getting a tighter hold on your digital privacy and security can feel daunting, but the best way to get started is just to grab the low-hanging fruit. That's our last takeaway - start small and focus on what matters most to you.
GALPERIN: Just do a little bit at a time. You don't have to do all of this at once.
WAMSLEY: So on the security front, Eva says, strengthen your passwords and set up two-factor authentication, or 2FA for short.
GALPERIN: For example, you do not have to make a list of every single account that you have and go change all of your passwords and turn on 2FA at once. One of the things that I recommend doing when you're sort of starting to integrate a password manager into your life is every time you log in to a new account, enter it into your password manager.
WAMSLEY: She says trying to protect everything from everybody all the time is a good way to drive yourself up a wall, but even just doing these basics can make your accounts a lot more secure. And until we have stronger privacy laws, Matt suggests that we do what we can to make a fairer deal with the services that we use.
MITCHELL: It's a negotiation, but don't get ripped off. These things are designed in a completely unequal way, and you just have to free yourself a little bit, and you're winning. And you get so much from it.
(SOUNDBITE OF MUSIC)
WAMSLEY: All right, I'm fired up. Let's do this. Let's get all of our digital stuff locked down. Here's what we've learned.
Takeaway one - practice good security hygiene. Use strong passphrases and two-factor authentication on your accounts.
Takeaway two - beware of phishing. Big companies are not going to call you and ask for your account information. And look out for weird URLs before you go clicking on them.
Takeaway three - delete the apps you don't need from your phone. Apps can collect a lot of information on you, so use a browser instead if you can. And for the apps you keep, limit what they can access.
Takeaway four - be thoughtful about what you back up to the cloud. Those encrypted chats you have aren't going to stay encrypted when they're moved to iCloud or Google Drive.
Takeaway five - the United States doesn't have strong online privacy laws. So while you can take steps to protect your privacy, it's going to be tough to keep yourself from being tracked online.
And finally, you can start small and take these steps one by one. Focus on protecting what matters most to you.
We have a list of everything we talked about here and more at npr.org/lifekit. You'll find links to good resources that'll walk you step by step through making your digital life more private and more secure.
(SOUNDBITE OF MUSIC)
WAMSLEY: This is far from an exhaustive list. There are a bunch of other steps you can take to safeguard your stuff and fend off digital tracking. But hopefully you'll leave this episode more curious about how your information is collected and used. So keep learning. Give these steps a try, and then go deeper. We're going to be on the Internet for a long time. The more each of us understands about how to keep private what we want to keep private, the better, safer and healthier our digital lives will be.
(SOUNDBITE OF MUSIC)
WAMSLEY: For more NPR LIFE KIT, check out our other episodes on how to have a healthier relationship with screen time for both adults and kids. You can find those at npr.org/lifekit. And if you love LIFE KIT and want more, subscribe to our newsletter at npr.org/lifekitnewsletter.
And now, a completely random tip, this time from Sebastian Ruev (ph).
SEBASTIAN RUEV: So here's a tip for you to stay classy the next time you're at a fancy dinner party eating some charcuterie with some friends, perhaps. When you're eating anything with a cracker on it, the cracker will want to crumble and fall on your nice dress or suit or whatever you're wearing that night. What you can do is you can inhale as you bite down into the cracker, which will allow you to vacuum up the crumbs, and it will keep any crumbs from falling onto you.
WAMSLEY: If you've got a good tip, leave us a voicemail at 202-216-9823 or email us a voice memo at firstname.lastname@example.org.
This episode was produced by Audrey Nguyen. Meghan Keane is the managing producer. Beth Donovan is the senior editor. Special thanks to NPR's Shannon Bond and to Jen King at the Center for Internet and Society at Stanford Law School. Our digital editors are Beck Harlan and Clare Lombardo, and our editorial assistant is Clare Schneider. I'm Laurel Wamsley. Thanks for listening.
(SOUNDBITE OF MUSIC)
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.