WRAL Investigates

4 tips to protect your digital presence online and in your apps

Posted July 21, 2019 8:00 a.m. EDT
Updated July 21, 2019 11:11 a.m. EDT

— As the old adage goes, if you're not paying for a service, you're the product.

This reality of the digital world has become increasingly relevant with the launch of every new tech service or application. And so it was last week after an explosion of viral selfies created by FaceApp, an AI-powered photo editor that can swap users' genders, change their hairstyles or alter their ages.

Millions have downloaded the app on Apple and Android devices. Almost as soon as photos of users artificially aged by decades began to flood social media, others began pointing out that uploading those images grants the Russian developers of the app an irrevocable license to use the photos as they please.

As innocuous as these little intrusions can seem, digital privacy advocates say they can add up in ways users don't often expect.

"In social networks, we're giving out so much information without thinking," said Anupam Das, an assistant professor of computer science at North Carolina State University and faculty member with the Wolfpack Security and Privacy Research Lab. "That's one of the major issues."

While there are certainly limitations to how far "off the grid" you can get while remaining connected to the digital world, there are a few steps consumers can take to get some control over their privacy back.

FaceApp

Get help with the fine print

Let's face it: Reading the jargon-rich privacy policies and terms of use from the dozens of sites and services we browse every day is effectively impossible.

For some of the biggest apps we use, one option is Terms of Service; Didn't Read, or TOSDR. It's a cheat sheet of sorts, summarizing the main points in privacy and TOS in easy-to-read, bulleted lists.

Its entry for Google, for example, notes that "Your identity is used in ads that are shown to other users" and that "this service may collect, use and share location data," among its long list of things to know.

TOSDR is an open-source project, meaning anyone can sign up to contribute to the initiative to rate and label privacy policies on a graded scale from A to E.

But Jeremy Gillula, tech projects director at the nonprofit Electronic Frontier Foundation, said it does have its limitations.

"Companies change their terms of service often, so it's difficult even for a website like TOSDR to keep up," he said.

With apps, Gillula said it's vital to review the permissions an app requests before you install it.

"Look at that and think: If I give this app this permission and it turns out to be untrustworthy, what could happen?" he said.

He recommends paying special attention to whether the app asks for permission to access the Internet when that might not be part of its core functionality. A flashlight app, for example, shouldn't really need to browse the Web.

"It can't phone home, it can't share data, it can't leak anything if it can't access the Internet," Gillula said.

But that can get tricky if the app is legitimately requesting Internet access to patch itself with new versions, Das said.

Depending on the context, apps that require access to contact lists, shared folders, your camera or microphone may also indicate red flags. He recommends checking potential app downloads on sites like PrivacyGrade or AppCensus, tools privacy researchers created to assess and rate apps for consumers.

Das said evaluating these permissions is an important step – even if it's an all-or-nothing approach.

"Some apps say, 'If you're not going to give me this, I'm not going to function,'" Das said.

Take control where you can

Many of the most popular services and apps we use every day provide users with at least some control over what they're required to share with the program before using it.

By familiarizing yourself with these options, you can get a better sense of the data flowing from you to the companies and which taps you can turn off.

Location services, for example, are a feature users can turn off by default to prevent apps from logging physical coordinates obtained via GPS and WiFi. WRAL News has reported in the past about how such coordinates are now being obtained in limited cases by law enforcement agencies like the Raleigh Police Department while conducting criminal investigations.

Google has a specific landing page for users to monitor their own activity, from location and search to voice and audio activity using devices like Google Assistant and Google Home. From there, you can add and delete items or pause tracking in some cases.

Facebook has a similar page allowing users to view their activity logs and set site-wide privacy settings about who can see friends lists, phone numbers or photos.

Keep in mind that disabling some services may also disable some useful features – no location services, for example, no Google Maps navigation.

And be wary: Sometimes the functionality of these controls can change or be complicated by fine print. The Associated Press, for example, found last year that Google's location tracking persisted in some form despite a setting that paused that activity.

Google has since clarified its location tracking policy and launched features allowing users to auto-delete their location history after a certain period of time.

Fight fire with fire

When certain technology giants dominant the landscape, it can be hard to make real choices as consumers. But in many cases there are tools that present either reasonable alternatives to giving up your privacy, or mitigate some of the worst abuses.

Google, for example, is a search juggernaut because it's effective at search. But that benefit comes at a cost to consumers in the form of revenue-generating tracking and information collection.

If you're uncomfortable with that, consider an option like DuckDuckGo. It's a search engine that has sworn off tracking altogether, instead relying on donations to fund its operations.

You can add the site to your browser to make it your default search, bypassing Google altogether.

A related app also allows users to implement other privacy protections on other sites across the Web. There's even integration with Terms of Service; Didn't Read to provide privacy assessments right in the browser.

Another extension created by the EFF, Privacy Badger, serves a similar purpose.

It stops so called "third-party trackers" from gathering information on what you browse across the Web. It doesn't block all ads, like other applications specifically designed for that purpose, instead focusing only on code that follows you around.

But Gillula said that programs like Privacy Badger can sometimes be more protective of privacy than ad blockers, since they sometimes just nix the ads themselves and allow the code to run in the background.

"The important thing for people to realize is that an ad blocker is not necessarily a tracker blocker," Gillula said.

Keep in mind that trackers are also present on sites like WRAL.com.

Aside from voluntary information collected when users register or enter contests, John Conway, the general manager of WRAL's digital properties, said the site also passively collects information like IP addresses as well as anonymous and aggregated information that can't be used to identify specific individuals.

"We use the three types of information to deliver relevant content and advertising messages, and to develop new products and services," Conway said in an email. "We do not share your personal information with companies, organizations or individuals outside of Capitol Broadcasting Company and affiliated companies unless you give us permission, such as when registering for a contest, or in response to subpoenas, legal process or government requests or investigations."

In some cases, Conway said, WRAL's sites and apps may collect location data for services like severe weather alerts, but only with permission.

If you want to put privacy at the center of your online experience, a few browsers have begun to focus on that approach specifically.

With versions for mobile, PC and Mac, the Brave browser is one option, as is Firefox Focus, available for smartphones and tablets.

Consider whom you trust

All the best tools in the world are no substitute for good old-fashioned skepticism.

And if an app or other digital service is free, a general rule is that you should be more skeptical.

These services have to make money somehow, and more often than not they're doing it by selling data on their users' habits – whether it's through clicks or tracking – to advertisers or other data wholesalers. That's not necessarily nefarious, and plenty of sites transparently disclose that fact to users, who can decide for themselves whether the service in question is worth the exchange of information.

"Fundamentally, it comes down to thinking: Am I getting a benefit that's worth the tradeoff of sharing my data?" Gillula said.

Das puts that decision in terms of long-term payoff: Is it an app that you'll only use once or twice?

"If it is a onetime thing, then look at what data the app will be using and make your decision accordingly," he said.

From a user perspective, some types of information might be worth more.

Clicks on that shopping site tied to your anonymized profile? Maybe that comes cheap.

But information about where you live and work – or when you were born? That might be more valuable, more worthy of protection. As is your face, which Das points out is how some users log into their devices now.

"We should think twice before giving out any sensitive data," Das said. "A lot of people don't realize that's biometric data and you can't change it once you send it out."

And you might prefer to trust those details to some more established companies than others you might not have heard of before.

Then again, there are certainly no guarantees.

Facebook made headlines – and prompted a $5 billion Federal Trade Commission fine – following the mishandling of user data in the scandal over Cambridge Analytica. The British company siphoned up the data of millions of users without their consent, using the information to power political campaign messaging.

As it stands, Gillula said, being completely informed about digital privacy risks is "more than a full-time job."

He doesn't believe it should be this way. His organization advocates for better legal protections – like recently passed amendments to the California Consumer Privacy Act – that removes the burden from individual users.

"The best thing a consumer can do, particularly if they live in California, is tell lawmakers, 'I want strong privacy protective laws,'" Gillula said.

It's an area where he sees some hope, both in the states and on the federal level, where members of Congress seem to be taking the issue more seriously – and debating it more often.

"It's a slow uphill battle, but the winds have shifted," Gillula said.