Online Privacy and You

tl;dr: scroll down to the part in bold if you just want a pro-privacy action item.

Digital privacy has been in the news a lot, though you’ll be forgiven for missing it. About a year ago, the European General Data Protection Regulation (GDPR) became active. You may have noticed that you received an email about updated privacy policies from every single website you’ve ever had an account with. The California version of those regulations (CCPA) was passed a few months later. What do these laws do? Well, a lot; Wikipedia has a good summary of the CCPA:

The intentions of the Act are to provide California residents* with the right to:

  1. Know what personal data is being collected about them.
  2. Know whether their personal data is sold or disclosed and to whom.
  3. Say no to the sale of personal data.
  4. Access their personal data.
  5. Equal service and price, even if they exercise their privacy rights.

Writ large, these sound like good ideas. I will note that this is in conflict with how many of us experience the Internet today**.

Right now, companies are announcing very small changes to privacy settings, largely for PR purposes (Vox: Google’s Privacy Changes Are Mostly Marketing). They’re basically hoping that enough people won’t opt out of data collection to affect their business model. I recommend opting out! Here’s how to change your browser settings to limit your exposure to the tracking ecosystem:

  • Safari: Safari -> Preferences -> Privacy; check “Prevent cross-site tracking” (checked by default after a recent update)
  • Firefox: Follow the instructions to disable third-party cookies
  • Chrome: Don’t use Chrome if you care about this issue. Would you use a browser developed by Facebook? However, if you must: Settings -> Advanced -> Privacy and security -> Content settings -> Cookies; turn on “Block third-party cookies.” Like I said, Google is not particularly interested in you checking this buried option.

You can also do this on mobile devices, though the instructions vary by device, so I’d recommend looking that up yourself. Note that some sites use these in non-nefarious ways; they will probably tell you if you’re causing a disruption in your service. Notes below the fold.

*GDPR and CCPA only apply to companies with users located in their respective jurisdictions, but given how the Internet works, that is pretty much all sufficiently-large companies.

**Many ‘free’ services, such as Gmail, are funded by a Faustian bargain: in exchange for the service, the user’s information is mined as part of a broader tracking ecosystem. This data is then used in targeted advertising. If enough people opt out of data collection, the story goes, then this funding model will go out the window. What will replace it is anybody’s guess.

Full disclosure: I currently work at an ad-tech company. The opinions expressed are my own etc. This contains no privileged information etc.






54 replies
  1. 1
    Jerzy Russian says:

    The world would be an interesting place if Google started to actually charge money for its “free” services like Gmail, maps, Google voice, the search engine, etc.

  2. 2
    Snoopy says:

    I’d also suggest the “Privacy Badger” plugin, which is developed by the EFF.

    This plugin watches for, and blocks website trackers, which follow your movements across the web.

    For example, this very page lists 8 trackers, which Privacy Badger completely blocked seven, and blocked the cookies for the eighth:
    o cdn.connectix.com
    o securepubads.g.doubleclick.net
    o staticxx.facebook.com
    o adservice.google.com
    o global.proper.io
    o cdn.taboola.com
    o platform.twitter.com
    o http://www.facebook.com (cookies only)

    It found a further six items that may be trackers, but it didn’t block them because it didn’t have enough information about them yet.

  3. 3
    david says:

    Shit. Tim Conway has died.

  4. 4
    mrmoshpotato says:

    @Jerzy Russian: MapQuest would make a comeback. (It’s still around.)

  5. 5
    Baud says:

    I thought I read that Google no longer data mines Gmail for ads.

  6. 6

    @Jerzy Russian: how much would you be willing to pay?

  7. 7
    dmsilev says:

    @Jerzy Russian: They do have for-pay versions of Gmail and some other services; they’re sold to companies and universities and other orgs that want email but not the hassle of running their own servers.

  8. 8
    Mary G says:

    Back in the 70s, my Republican mother had a fridge poster with a line of fish of increasing size, each about to eat the next smaller one, with the caption
    “There’s no such thing as a free lunch.” I always think of that when people talk about the great stuff they do on Google and Facebook for “nothing.”

  9. 9
    ruemara says:

    @Major Major Major Major: I would easily plunk down $120 a year for it. That being said, I doubt even as a group action that we can pay as much as selling our data makes them for the storage space.

  10. 10
    trollhattan says:

    Slight correction versus my edition of Chrome:Site Settings rather than Content settings.

    Playing with Vivaldi browser, promising so far and an interesting use of stacked tabs.

  11. 11
    Fair Economist says:

    Chrome: Don’t use Chrome if you care about this issue. Would you use a browser developed by Facebook? However, if you must: Settings -> Advanced -> Privacy and security -> Content settings -> Cookies; turn on “Block third-party cookies.” Like I said, Google is not particularly interested in you checking this buried option

    LOL! This is a classic.

  12. 12
    trollhattan says:

    @david:
    Awww, sad to hear. Wonder comedian and a generous, truly kind person. Thanks for the memories and laughs, sir.

  13. 13

    @Baud: google no longer reads your email messages, but that’s not the only data to be mined; and at any rate a large portion (most?) of google’s revenue comes from convincing you to use these products to increase tracking and ad-serving penetration.

  14. 14
    joel hanes says:

    Thanks, MMMM (Or should I call you “Caleb”, as your mother wished ?)

    Don’t use Chrome if you care about this issue.
    Flamebait :
    IMHO, those who *don’t* care about this issue are like those who don’t care about vaccination: they destroy herd immunity for all of us.

  15. 15

    If enough people opt out of data collection, the story goes, then this funding model will go out the window. What will replace it is anybody’s guess.

    The logical replacement would be for users to pay for this kind of service directly. Most people used to get services like email together with their basic internet service from their ISP. It’s a perfectly reasonable way of doing things that we could go back to pretty easily. Or Google could charge a monthly fee for access to their services. They’re already doing that with YouTube; there’s no reason they couldn’t do the same thing with their other services.

    @Snoopy:

    I’d also suggest the “Privacy Badger” plugin, which is developed by the EFF.

    I strongly second the recommendation. It has the beneficial effect of blocking most ads at the same time it stops tracking.

  16. 16
    Baud says:

    @Major Major Major Major:

    Ok, thanks. Oddly enough, I generally prefer Google’s services over others, but I don’t use Gmail.

  17. 17
    tybee says:

    speaking of privacy issues, it seems that 3 major Anti-Virus companies in the US got pwned:

    https://www.bleepingcomputer.com/news/security/fxmsp-chat-logs-reveal-the-hacked-antivirus-vendors-avs-respond/

  18. 18
    trollhattan says:

    My bro’s work laptop recently acquired a bot that mined his contacts and spammed them all from his very computer using his (private) email address. Happened once, was supposedly resolved, then it happened a second time. And with that, the contact list went forth into the spam world–ever since one of my email accounts has 10x the spam. Bastards. Among other items, they’re convinced I am in need of a walk-in bathtub. Thanks guys, but can I have Russian hookers instead?

    The kicker: my bro is a programmer and because of relentless acquisition now works for a ginormous chip maker. If the ubernerds can’t stop these bastards, what hope for the rest of us?

  19. 19
    tarragon says:

    @Major Major Major Major:

    google no longer reads your email messages, but that’s not the only data to be mined;

    Yeah. I’m sure they mine the hell out of the meta data. Who, when, and how is more than enough…

  20. 20
    ThresherK says:

    @trollhattan: And Doris Day, at 97, also has lelt us.

    They say these things come in threes…

  21. 21

    @ruemara:

    I would easily plunk down $120 a year for it.

    That’s what they currently charge just for ad-free access to YouTube. Adding in all their other stuff would probably at least double that.

  22. 22
    SiubhanDuinne says:

    O/T, but just heard that Tim Conway has died, age 85. Funny, funny guy. May he rest in peace keep ‘em all laughing.

  23. 23
    JimV says:

    The path is different for my Chrome browser, but I managed to find it.

    I thought Chrome was from Google, not Facebook. Anyway, it works a lot better than Internet Explorer and seems to do everything I need. I do a lot of searching and downloading for stuff to rework for game mods without any problems that I know of (knock on wood). If Facebook people did some original development, hey, they did a good job. Nobody says they can’t program, do they?

    Thanks for the post.

  24. 24

    @JimV: chrome is from google; I was using Facebook as an example of a browser developer we would all run away screaming from, so why do we feel so differently about google?

    @Roger Moore: google apps, the for-pay gmail etc., is fairly pricy (pricey?) too.

  25. 25
    chopper says:

    @Fair Economist:

    behind the door marked “beware of the leopard”

  26. 26

    @Major Major Major Major:

    I was using Facebook as an example of a browser developer we would all run away screaming from, so why do we feel so differently about google?

    I think there’s a sufficiently big difference between Facebook and Google that a Facebook browser would be different in kind from a Google browser rather than just in degree. In particular, Google still benefits from the existence of a relatively open web, so they have a strong incentive to make a browser that preserves some degree of openness. In contrast, Facebook really wants to build a walled garden, so a Facebook branded browser would be much more likely to try to keep you within that walled garden.

  27. 27
    Jerzy Russian says:

    @dmsilev: Yes, I am aware. My university uses a paid version of Gmail.

  28. 28

    @Roger Moore: they’re not very different in terms of data collection, though.

  29. 29
    Jerzy Russian says:

    @Major Major Major Major: Excellent question. I would pay for the map/navigation service, but at the moment I have no idea how much I would pay, or for that matter how much this service actually costs Google et al.

  30. 30
    mrmoshpotato says:

    @Roger Moore: I can imagine a FB browser having a startup screen that reads “Good morning/afternoon/evening comrade! Since you last logged in, we sold the following information of yours to Russia and China:… Happy sharing all intimate details of your life!”

  31. 31
    Ruckus says:

    @Jerzy Russian:
    It will cost whatever they can get away with charging.

  32. 32
    spudgun says:

    @david: Well, damn…I grew up watching the Carol Burnett show, and he was a family favorite. That is so sad.

    Re: privacy, thank you for the info, M4!

  33. 33
    WhatsMyNym says:

    @ruemara: I pay for email from an old ISP I had in the past (dirt cheap). They limit your storage and you pay more if you need more. I store most email locally and backup.
    I also use Gmail for a business related account. It’s alright, but not the greatest interface – I’ve stopped using the app because of the redesign.

  34. 34
    Hob says:

    About not trusting Chrome: I think it’s worth noting that the vast majority of Chrome is open-source, and even though there’s some of it that isn’t, IMO it’d be pretty hard to embed surreptitious behavior in that part in a way that couldn’t be detected by looking at the open part (that is, the latter would need to provide hooks for the former to be able to do whatever). Of course most people won’t read the source code, but there are enough developers who will that it’s highly unlikely for there to be some kind of undetected data-mining thing embedded in there. Chrome’s popularity means there are a lot of eyes on it, and they got plenty of shit 10 years ago for doing something that web developers immediately recognized as a problem.

    As a rule, the kinds of anti-privacy practices people are worried about are implemented via well-known standard protocols.

  35. 35

    @Ruckus:

    It will cost whatever they can get away with charging.

    Sure, but if they were actually charging for it, they would have to compete on price with alternative providers like Garmin. I could easily see somebody like Open Street Map making a competitor that let you download maps onto your phone so you could use it without the risk of leaking any information, though of course that would come at the cost of not having access to things like traffic information or real-time points of interest.

    ETA: This highlights a problem with “free” services that are paid for by privacy violations. If you actually pay for services, there is real competition based on quality and price. If you pay for the service with loss of privacy, the competition winds up being between companies to see who can squeeze the most value from your private information, i.e. whoever can destroy your privacy the worst. It’s a terrible business model for users.

  36. 36

    @Hob: google is very much avoiding putting the same privacy and settings in place that apple and Mozilla now have by default. They are releasing misleading PR-driven updates to convince us otherwise. The things that might make it easier for us are hidden and mislabeled. They will continue dragging their feet on this since google’s business model relies on consumer tracking. If you are at all concerned about this issue, I would recommend using a browser from a company that behaves differently.

  37. 37
    piratedan says:

    @tybee: makes me even happier with MalwareBytes I guess?

  38. 38
    J R in WV says:

    I currently use Ghostery and uBlock origin together. For a long time I thought using two ad blockers was silly and overdoing things, but then I realized they well may be sensitive to different details about ads and trackers, and the Venn diagram wouldn’t overlap at anything near 100% — which turned out to be the case.

    Right now Ghostery is detecting 7 trackers on this tab, and uBlock is finding 5.

    Facebook is EVERYWHERE and always. I hates them!

    @Snoopy:

    I wasn’t aware of Privacy Badger, a good name. Back in the day I spent a lot of time monitoring sites like EFF, security sites, alerts, it was part of my job. But I’ve gotten away from that over the past few years of retirement. All I really do with computers is photos, music and B-J and such.

    Thanks for the tips, everyone!!!

  39. 39
    Martin says:

    So, I would note that there are different ways for the industry to approach this problem.

    One of the reasons why I’m an Apple user is that their underlying philosophy is that you own the physical device and to the extent possible, they will only store information on the device. That way you have control over what goes in/out. There are pros/cons to that. Privacy is among the pros. But there are a number of cons. It’s much harder for them to roll out services that users and industry partners want. Take ApplePay. Retailers want to do the loyalty card thing, which ApplePay doesn’t do automatically, but it can put a loyalty card system alongside of it using the Wallet. The way that you, the user, would participate in that is through the retailers app. Don’t want to be in the loyalty system, uninstall the app, or remove the loyalty card from your wallet. You don’t need to go to the retailer website, or do an email opt in/out thing. It’s all handled on your device through the normal device mechanisms.

    It was conflicts like this which led Apple to doing their own maps app. Not only was Google reserving the better Google Maps features for their own devices, but they wanted user data that Apple was not willing to provide. Apple Maps shifted the storage of past trip information to the device, but still allowed Google Maps to exist as a standalone app that could work the way Google wanted (since presumably you opted into having your information sent to Googles servers when you installed the app).

    It will be interesting to see how this shakes out. The fact that CA, home to Facebook and Google passed this law speaks to the relative lack of regulatory capture in the state.

  40. 40
    Michael Cain says:

    For some years now I have regarded much of this as a technology war between me and a bunch of big companies. Fundamentally, they insist that I must follow all embedded links, run any JavaScript they push at me (including downloading large unvetted libraries), and render things using some of the most god-awful designs. I take the position that I am under no obligation to do any of those things, can be selective as hell, and am free to display HTML in any fashion I like.

  41. 41

    Oh, and never accept a site’s request to push notifications to you. There was a recent exploit demonstrating that this service can be used to set up a background worker that executes arbitrary code forever in your browser.

  42. 42
    PhoenixRising says:

    I’ve just started reading a book about how we arrived at this point (digital pirates decided that no statute protected your commonly understood right to privacy & hijacked the exhaust stream from ‘free’ search engine use to sell as ad space and a raw material for AI) that is reviewed here: https://www.theguardian.com/technology/2019/jan/20/shoshana-zuboff-age-of-surveillance-capitalism-google-facebook

    If someone else wants to read ‘The Age of Surveillance Capitalism’ & capture the main points for other jackals, or has already…we await your views. Otherwise expect that in an open thread this weekend.

  43. 43
    Martin says:

    @Hob: It’s not about putting code in the browser, or even not honoring standards. It’s about actively intervening malicious behavior and how aggressive each of these players is.

    The go-ahead from USSC to the lawsuit against Apples App Store will be very important to watch. So far, the industry has utterly failed to contain malicious behavior. Among the best ideas out there (which Apple didn’t pioneer, but did deploy more widely than anything before) is to think of software as we do medication. We don’t allow a market free-for-all on drugs. Instead, we have layers of moderation between the drug manufacturer and the user – the FDA on the industry side, and pharmacists on the consumer side. It’s their job to know things about the drugs that the consumer can’t possibly know in order to protect us.

    The App Store serves that role reasonably well for iOS. Apps need to pass a code review, only code that carries a particular certificate from Apple can run on device, and Apple can revoke that license (preventing it from running) or even delete the app from your device remotely. The question is how can those same types of actions take place in email clients and in the web browser who serve that same moderator role. None of this is a question of compliance with standards, it’s about protecting the user.

  44. 44
    randy khan says:

    @Martin:

    The App Store lawsuit is pretty interesting because it really poses two values against each other. Apple absolutely is limiting app developers by requiring them to go through the App Store, and it also really only can have its 30% cut by enforcing that requirement. On the other hand, the same limitation ensures that customers are not harmed by malicious apps or apps with security holes in them.

    And we’ve had a natural experiment going on for the last 10 years or so on the impact of the kind of limitations that Apple has imposed, since Android has none of those, and the results are very clear – The number of Android apps that are actual malware, let alone the ones with serious security issues, is enormous, while there are almost none on the App Store.

  45. 45
    Just Chuck says:

    @Major Major Major Major:

    Oh, and never accept a site’s request to push notifications to you. There was a recent exploit demonstrating that this service can be used to set up a background worker that executes arbitrary code forever in your browser.

    It’s called a Service Worker, and it’s how notifications work in the first place. It’s no more malware than any other piece of Javascript you might run from that site.

  46. 46

    @randy khan: I read a WaPo article yesterday that explained how Gorsuch and Kavanaugh both wanted the lawsuit to proceed, but in different ways. The liberals sided with K and let him write the opinion. Not sure who is more right, but since Gorsuch is basically just a Scalia cosplayer, I suspect it is K.

  47. 47

    @Just Chuck: Trust me, I know what a service worker is. I am referring to this: Master of web puppets: abusing web browsers for persistent and stealthy computation

    Apparently it has since been patched away on all up-to-date browsers, so that’s good; it was a security hole wide enough to drive a stealth crypto-mining botnet through.

  48. 48
    KrackenJack says:

    The Book of Faces makes around $28 / yr in revenue per user globally. It’s more like $112 per user in North America. Offering a $10 a month no tracking, ad-free option isn’t something they are likely to do voluntarily since it would reduce the value of the remaining ad-based population.

  49. 49
    Anonymous At Work says:

    And a million HIPAA Privacy and Security Officers just shit their pants (again, GDPR stuff still rolling in/out). Most of this is background law for medical centers, universities/schools, but adds a few extra dimensions of compliance onto things.
    Oh joy.

  50. 50
    Origuy says:

    Intel just announced today a defect in all of their chips since 2011. This is similar to the Meltdown and Spectre problems from last year, but Intel, Microsoft, and Apple have been working on a fix for a while. There aren’t any known exploits of the problem yet, but when BIOS updates are ready for your computer, you should install them.
    There’s a guy in my group who has know about this for weeks, but couldn’t discuss it until now. We’ll need to release updates for our products based on Intel (which is almost everything.)

  51. 51

    I have a question why does Chrome and YouTube promote and recommend the most retrograde and RWNJ stories even when you don’t seek them out. I have had that experience accessing political stories regarding both United States and elections in India.

  52. 52
    KnittyGal says:

    @Jerzy Russian: Google has started charging for their maps. The non-profit I work developed an app using Maps for indoor and outdoor navigation for blind users, then last year, google started charging. Depending on the amount of usage, they’ve started charging us around $30K per month. Obviously a big problem for us.

  53. 53

    @KnittyGal: Well, Google is charging the developers of that app for using their Maps service to power a product. Google has always charged for programmatic access to their services, same as most other API providers. Perhaps they changed the boundaries of their free tier, or you got enough users that you exceeded it?

    But google has no plans to charge for going to maps.google.com and getting directions, because the maps.google.com experience is funded by showing you restaurant ads.

  54. 54
    Saving Private Equity says:

    I would suggest checking out the Brave browser.

Comments are closed.