Protect Your Online Privacy (Without Reading All the Fine Print)

Your personal data is out there. Every thought you tap out on Twitter, every status update you post on Facebook, and even the last credit card purchase you made is accessible via the Internet.

Although you might be happy to give up such information online for immediate gain (whether it’s convenience or fun), your perspective may change when a coveted job offer fails to come through five years from now, or when marketers pester you next week with cleverly scripted personal advertising.

Here’s a guide to privacy features that you should consider before signing up for any new online service.

Do Not Track

The U.S. Federal Trade Commission thinks that when you surf the Internet, you should be able to do so anonymously. A proposed “Do Not Track” policy, similar to the Do Not Call registry, would require online companies to respect a user’s wish to opt out of online tracking. Since advertising companies track the sites you visit, Do Not Track would exempt you from that process. Although the FTC has yet to issue official guidance, browsers from Google, Microsoft, and Mozilla already have antitracking features.

Unfortunately, none of their methods are ideal. Mozilla’s Firefox requires Websites to recognize an extra line of instruction–a header request–that tells the server not to track the page request. Microsoft’s Internet Explorer 9 uses trusted lists of tracking sites to block, and Google’s Chrome simply stores user preferences. Although each method has drawbacks, the World Wide Web Consortium (W3C) is considering Microsoft’s approach as a possible Internet standard.

Et Tu, Google?

When you type in a search request, is someone listening? According to Google’s privacy policy, the company monitors what words people type into the field so that its autofill feature can better anticipate your search needs. The company is also capturing what URLs you enter in its Chrome browser. The story is roughly the same with Microsoft and its Bing search engine and Internet Explorer browser.

The Google Privacy Center includes clear information and a video walk-through.

Both Google and Microsoft have endured privacy storms. Google, however, has weathered them by being more transparent. The Google Privacy Center is populated with easy-to-understand FAQs and explanatory YouTube videos; meanwhile, the Microsoft Privacy page is mostly text, and without concrete examples it is harder to know what’s really going on.

Although Twitter lacks a privacy center, it does have a privacy policy and options. Under the Settings menu, for instance, Twitter allows you to add your location to tweets. That may seem cool, since other functions are predicated on location data, except on Twitter you have to enable the feature. Twitter also gives you the option to remove all location data from your previous tweets if you decide to opt out. Another option keeps your tweets private so that only people who follow you can see them. And Twitter discloses which apps automatically repost your Twitter posts (such as Facebook), so you have the option of revoking that access at any time.

LinkedIn has its own privacy settings, as well. Like Twitter, LinkedIn can shield your contact list from anyone who is not already connected to you. For further protection, LinkedIn will show only the contacts you share in common, not your entire list–at least not without your permission. Unfortunately, the ease of use of LinkedIn’s privacy settings lags behind that of both Facebook and Twitter.

Mashup Sites

Ultimately, the biggest privacy threats may come not via your browser, search engine, or social network but through sites that aggregate or “mash up” third-party content. FriendFeed, for one, displays the updates you make in both Facebook and Twitter. To use such a service, you’d have to trust all of the parties involved.

What if the aggregator compiles data from your bank or credit card issuer? The best-known financial aggregator is perhaps Mint.com (now part of Intuit). Mint has aggregated data anonymously from its 4 million users. You can register with the site anonymously, so your name and address aren’t part of your account information. Additionally, your credit card and bank account usernames and passwords are stored on separate servers. The company’s privacy policy further states that it “provides a strictly ‘read only’ view of your transaction information.” So far, Mint has not reported a data breach.

Third-Party Applications

Having third parties write code for a service is dicey. Last fall Facebook disclosed that developers of apps for that social network may have leaked personal information about its users; applications such as FarmVille and Texas Hold’em apparently sent Facebook ID numbers to at least 25 advertising and data firms. A class-action lawsuit filed against Facebook concerns such third-party access to data. With more than a half million apps available on Facebook, the number of plaintiffs suing the social network may continue to grow.

Mobile application stores such as those from Apple or Google may, like Facebook, find it impossible to police every app written–although Apple, with its walled-garden approach, attempts to do just that. Here’s where third-party security applications such as Lookout Mobile Security can help. Such tools can report what privacy violations an app may commit; armed with that information, you can decide whether to delete apps that have crossed the privacy line.

Cloud Privacy

Storing data via the cloud solves problems, enabling you to access your files from a remote location. But it also creates frightening scenarios of other, unauthorized people accessing your personal data. One way to mitigate that risk is to choose cloud services that include data encryption.

For example, the Dropbox remote-file-storage site employs a full-encryption Secure Sockets Layer (SSL) protocol when you upload a file, and uses strong AES 256 encryption for the data you store within the cloud. And Mozilla offers a cloud-based sync service for Firefox that encrypts your bookmark data before it leaves your computer, so the company never handles the clear-text version.

Steps to Take

When signing up for a new service, always read its privacy policy and look for opt-outs. Good privacy policies will also spell out whether a service tracks your activities and sells that information to third parties–and they’ll state what happens to your data should you terminate the service.

Additionally, use SSL when interacting with Internet sites whenever possible. SSL ensures that when you are wireless, criminals will have a harder time eavesdropping. Not all sites currently support https:// (which indicates that SSL is being used), but Facebook, Gmail, Google, and Twitter do.

What If It’s Too Late?

If you discover that sites such as Pipl, Rapleaf, and Spokeo list too much of your personal information, you have options. First, opt out of Rapleaf directly (the company will remove you if you ask). In addition, adjust your privacy settings on sites such as Facebook, LinkedIn, and Twitter, and delete as much personal information from those social networks yourself.

If, after a few weeks, you still find too much of your personal information on Bing, Google, Pipl, or Spokeo, consider hiring a professional reputation service. Since these services can cost from $630 to $3000, however, try to do as much as you can yourself first.

To a certain degree, everyone has personal data stored somewhere beyond their immediate control. For the most part, don’t sweat the small stuff; public tweets from Twitter, for instance, are being archived by search engines and even the Library of Congress. Instead, worry about the most egregious abuses, such as identity theft, in which someone has taken your personal information and used it to commit fraud.

To protect yourself, request your free credit report, but ask for it only from one of the three credit bureaus every four months. Or, for about $150 per year, subscribe to an identity-monitoring service, such as the one that your bank likely offers. Better services include an Internet scan for your personal information, as well as experts who can help remove that data if necessary.

(For advice on removing your online history completely, see “Erase Yourself From the Web.”)

Robert Vamosi is a security analyst and the author of When Gadgets Betray Us: The Dark Side of Our Infatuation with New Technology (Basic Books, April 2011).