In 2023, digital privacy is, in many ways, a fiction: Knowingly or not, we are all constantly streaming, beaming, being surveilled, scattering data wherever we go. Companies, governments, and our fellow citizens know more than we could ever imagine about our body, our shopping habits, even our kids. The question now isn’t how to protect your privacy altogether—it’s how to make choices that help you reclaim boundaries around what you most care about. Read on for our simple rules for managing your privacy, or get a list of personalized recommendations.
Three simple rules for managing your privacy
Think concretely.
The more you conceptualize the internet as a real place, the more intuitive it becomes. Consider physical analogues to your online behavior as much as possible: You may be perfectly comfortable reading a newspaper or watching a movie in public, but you’d probably think twice before sharing your private medical information or details about your love life with a stranger. By that same logic, you may want to focus on protecting health and dating data more than on safeguarding less intimate information.
Share narrowly.
Much of your online privacy is out of your control. But you do have power over how much personal information you willingly share with companies and the world. Don’t share anything publicly on social media that you wouldn’t want being seen by your boss, your parents, or your children. Think twice about giving online retailers your zip code or birth date in exchange for a onetime discount. Your personal information is valuable to other people; don’t give it away for cheap.
Don’t panic.
“Not all hope is lost,” William Budington, a senior staff technologist at Electronic Frontier Foundation, told me. “There are things you can do to protect your privacy by 85, 90, 95 percent that will not add much friction to your life.” Much of the discourse about privacy and personal security can be quite extreme, suggesting that if you don’t take certain steps, you’re asking to be hacked; that anyone who doesn’t buy X or do Y is an idiot; that the only way to live responsibly online is to apply so many restrictions that any benefit new technologies offer is outweighed by all that self-imposed inconvenience. This isn’t just alienating; it’s incorrect.
As experts I spoke with repeatedly told me, privacy is not a product. It’s not one-size-fits-all. It’s not binary: safe or unsafe, exposed or protected. It’s a lifestyle, a process, a series of decisions—the particular set of trade-offs (of time, of money, of inconvenience) you are willing to make based on your own circumstances, needs, desires, fears, and resources. Before you read on, think through how much friction you’re willing to introduce into your life in the name of privacy and security, and think about what you want technology to do for you. In 2023, it’s impossible to protect yourself from every conceivable threat, so focus on the likely ones.
Want to take action? Read on for situation-specific tips.
I just want to cover my bases.
Search yourself
You may be surprised by what you see when you type your (or your child’s) name into a search engine—a three-year-old wedding registry full of photos and identifying details, a professional website you’d forgotten you made, marathon results with your name and birthday, a public-school directory with your kid’s photo. Where possible, update these pages to remove or password-protect information that you don’t want to be public. If the page allows a login but you’ve forgotten your password, try resetting it; if that doesn’t work, or someone else maintains the site, look for a contact page and try emailing the site administrator or customer support.
Assess the damage.
If you’ve ever filled out an online form or made an account on a website, chances are good that data have been exposed in a hack.
Have I Been Pwned? is a database of these breaches, searchable by phone number and email address. Once your information has been taken, you can’t get it back—but you should definitely search your results page for the word “password” and update the compromised ones everywhere they were used. Yes, that means resetting your login credentials on any site where you might have used the same password: You wouldn’t want someone getting into your bank account just because it shares a password with some fly-by-night website you made an account on years ago.
Use private browsing—or, better yet, a trackless browser.
Most desktop and mobile internet browsers offer private browsing—sometimes called “incognito” or “private” mode—which essentially scrubs your history from the device itself. This is a great tool when using a shared or public computer. But it doesn’t hide your browsing or search history from websites, internet service providers, advertisers, system administrators (like your employer), or subpoena-empowered authorities. A privacy-focused browser—such as DuckDuckGo, Ghostery, Brave Browser, or Tor—prevents your activity from being stored locally and minimizes this second type of tracking.
Audit your apps.
Many browser extensions and phone apps are designed to suck up your data. The information absorbed can include the ads you click or your precise location while using the app, but it can also mean your photo roll, contacts, microphone and camera use, keystrokes, private messages, IP address, device type, and even your behavior (such as sites visited) outside the app. This information can be used to make the service work better—for example, a food-delivery app might use your location to tell you what’s available nearby—but some apps, especially free ones, also make money by selling your data to advertisers, data brokers, or the government. The good news is that you can manage access to your data by going to your phone’s privacy and security menu and looking for “Safety Check” (on an iPhone) or “Permissions Manager” (on Android). Go through app by app and disable any permissions that seem overreaching. (You may decide that you’re happy manually entering your address when you want takeout.) Pay special attention to what you’ve allowed apps to do “in the background” (that’s a slightly obfuscatory way of describing apps’ tracking you even when you’re not using them) and anything that makes reference to “third parties” (that can be another term for data brokers). Then do the same with your browser extensions. And if you’re not using an app or extension regularly, just delete your account and remove it from your device entirely.
Consider a burner email address
Use a free service to set up a second email address and use it every time you set up a new social-media account, shop online, or otherwise interact with brands, not people. Your primary inbox will be clearer of junk, and companies will have a harder time tracking you.
Protect your devices.
Any device that can be protected—your computer, phone, tablet, router—should be. On your phone, face or fingerprint ID is good enough for most people, though, of course, using either means turning over your biometric information to a tech giant. A PIN or password is even more secure—the more characters the better.
Start changing your online passwords.
You’ve heard this one before because it’s really true: The single most important thing you can do for your security is use strong passwords everywhere—even on sites you think you’ll use only once, even if you’re not sharing personal information. Two things can make this easier.
Get a password manager. If strong passwords are the key to online security, a password manager is the key to keeping track of all those strong passwords without losing your mind. These work by storing all of your passwords in a single password-protected vault that connects with your phone and computer browser—so as long as you know that one master password, every other username and password will autofill as you travel around the web.
Be NICE: The best passwords are New (not reused between sites), Impersonal (don’t include birthdays, addresses, names, etc.), Complex (contain lots of special characters and mixed-case letters), and Extensive (at least eight characters). From now on, whenever you enter a password, check to see if it meets these requirements—and if it doesn’t, change it. Do the same with your security questions: The answer to “Where were you born?” (which is easy to figure out based on public information) should be gibberish, as though it were another password field.
Enable two-factor authentication
Two-factor is an extra layer of security standing between you and bad actors. It works by sending a unique, instantly generated code (or other prompt) to your phone or email when you try to log into an account, which you then enter in addition to a password. The result is that if, say, someone has your password but doesn’t have access to your phone itself, they won’t be able to get into your bank account. Turn this on wherever you can, and when possible use an app like Authy or Google Authenticator to do it (instead of text messages, which are more vulnerable to hackers).
Focus on what matters most.
Remember: The internet is real life. Think about what information you’re most protective of—not so you can panic, but so you can prioritize. Now think about which websites, gadgets, and apps have that information, look at their privacy policies, and see what permissions you can revoke.
Privacy Not Included, a project by the nonprofit Mozilla Foundation, offers plain-English assessments of the privacy policies for hundreds of companies, focusing especially on high-stakes arenas such as wearables; dating, prayer, fertility, and mental-health apps; and kids’ products.
Make a date with digital privacy.
You’re already in a much better position than you were before—congratulations! But policies and regulations change, so after you’ve done all this, set a reminder for a year or so from now to update your devices and spin through the preferences in your apps. Now that you’ve laid the groundwork, it shouldn’t take long.
I’m worried about protecting my children’s online privacy.
Don’t post photos of your kids.
If you are worried about your children’s online privacy, the best thing you can do is not post photos of them publicly—especially in “permanent” spaces like your Facebook feed and Instagram grid, as opposed to Stories—and ask the other adults in their life to do the same. If you’re looking for a more private way to share with far-flung friends and family, Google’s and Apple’s photo apps both support invitation-only group albums.
Look at their permissions.
Kids’ products are subject to different regulations than those aimed at adults, but those regulations are poorly enforced—and besides, older kids may be using apps not subject to those regulations in the first place. Check Privacy Not Included for summaries of the privacy policies of many popular toys and games.
Teach your children digital literacy.
Walling your kids off from technology entirely is a lost cause—if they’re not playing Minecraft and Roblox at home, they’re probably using ed-tech products at school. So in the same way you’d teach them how to manage their finances or their hygiene, talk to your kids (in an age-appropriate way!) about what happens to the information they put online. Younger kids should understand the difference between public and private, and older ones should be aware that as soon as they share a photo or send a message, it can be disseminated without their permission and seen by people beyond their intended recipient. The app Do Not Track Kids blocks tracking and offers cartoon-assisted lessons about privacy, and the National Cybersecurity Alliance has tips for parents on its website.
I message a lot and am worried about my private communications getting leaked.
Download an encrypted messaging app and enable disappearing messages.
Not all messaging apps are truly private. Look for a service that is end-to-end encrypted (such as Signal, WhatsApp, and iMessage), meaning unreadable to cell carriers, hackers, and the messaging companies themselves. Additionally, many messaging services, including Slack and Signal, allow you to set messages in specific conversations to disappear after a certain amount of time. Note that just because an app offers “disappearing” messages doesn’t mean that they’ll necessarily actually disappear from the app’s servers—they may be invisible to users, but might still remain unencrypted and vulnerable to subpoena or hackers.
I’m an early adopter.
Think twice before doing direct-to-consumer genetic testing.
The entire premise of these companies is, after all, to collect personal health information—and all information is theoretically vulnerable to hackers as soon as it leaves your possession. (Many of these companies also comply with subpoenas, meaning law enforcement agencies could also theoretically get access to your information in the service of solving crimes.) If you do use one of these services, make sure to spin through the privacy permissions and see what you’re giving away.
Rethink your smart speaker.
And your smart lightbulbs, and your smart toothbrush, and your smart security camera, and so on. Internet-connected “smart” devices work by constantly collecting and storing highly intimate data, and that information is not always private by default. Some security-camera companies share information with police departments; depending on your settings, your smart speaker may use your voice data—including coughs, snores, baby gurgles, and barks—to sell you more products. You may want to consider exchanging some of your devices for analog versions, or just selectively unplugging the ones you have.
Don’t fixate too much on TikTok.
TikTok is owned by ByteDance, a Chinese tech conglomerate that is theoretically subject to the country’s draconian surveillance infrastructure, and that stores some U.S. user data on Chinese servers. But its data-collection policies are largely in line with those of its American counterparts, and in congressional testimony, its leadership has denied sharing user information with the Chinese government. So, in other words, there are good reasons to delete TikTok—and there’s also evidence that, despite its country of origin, it’s not much worse than other social-media apps, which also collect a mountain of data about you. This is an area where you should employ what information technologists call your “threat model”: a holistic consideration of who might realistically benefit from your data, and how they might realistically get it. If you have reason to believe Beijing is particularly interested in you, your work, or what you do on your phone—say, you’re a dissident, journalist, or U.S. government employee—you may want to delete TikTok out of an abundance of caution. But if you’re none of these things, given what we currently know, it’s probably fine to opt out of this particular category of anxiety.
Treat AI chatbots like social media.
That is, keep in mind that companies have access to whatever you type into their programs, even if it’s not being posted anywhere publicly.
Turn off tracking on your TV.
These days most TVs are “smart”: internet-enabled in order to link up with streaming services. That means they collect all kinds of data about your viewing habits for the purposes of targeting ads. You can learn how to disable this by searching online for the name of your TV with “turn off automatic content recognition.” And if you don’t need to use voice commands, you can also disable (or cover) the microphone.
Beware the no-name device.
As a general rule of thumb, says the Electronic Frontier Foundation’s Budington, companies you’ve never heard of have less of a reputational risk when it comes to compromising your privacy or security—so when buying tech devices, it’s best to stick to well-known brands.
I really don’t like the idea of my likeness being publicly available.
Be careful who you share intimate photos with.
Disappearing messages and encrypted apps are useful tools, but the truth is that once a photo or video leaves your phone, there’s no failsafe way to stop it from being shared. So be very careful about who you send sensitive material to—if it gets out, the person you sent it to could be why.
Cover your webcam
It’s rare, but if your computer has been compromised, hackers may be able to remotely turn your camera on and surveil you. You can buy covers online, but a Post-it works just fine.
I want to limit how much advertisers can track me.
In addition to using a trackless browser, keeping an eye on your app permissions, and being judicious about smart-home devices (see “I just want to cover my bases” and “I’m an early adopter” above), you can …
Disable personalized ad tracking.
If you’ve ever gotten an eerily specific ad, you probably have personalized ad tracking to thank. This is the means by which companies assign a specific profile to your device and use it to amass a dossier of all your online behavior. You can limit this tracking by making sure your mobile ad ID is disabled—find directions by typing the name of your device’s operating system followed by “disable mobile ad ID” into a search engine—and by installing a tracker-blocking browser extension such as Disconnect or Privacy Badger on your computer. You can also change how some individual websites decide which advertisements to serve you—here are instructions in Facebook, Google, and X; elsewhere, look for terms like interest-based advertising in a site’s privacy and/or preferences section.
Reject cookies (within reason).
Cookies are site-specific tracking: Some are necessary to make the website work better, for example by saving your login credentials, shipping information, or cart content. Other cookies don’t do much beyond observing your online behavior to help advertisers target you. Recent legislation has led websites to ask for your permission to store cookies—you’ve probably seen one of these fine-print-laden pop-ups before. Note that this is an area where privacy is pretty much directly in tension with usability, so consider the costs and benefits: If you click “Accept all,” you’re giving the site permission to collect as much information as it likes—but if you accept none, you may experience glitches. Accepting only essential cookies allows you to consent to much more limited data collection.
Clear your cookies every once in a while.
Despite this recent legislation, “cookies are still the No. 1 way people are tracked,” according to the EFF’s Budington. If you allow cookies even occasionally, make a point of deleting them regularly—think of it like rinsing off all the privacy dirt you accumulate via a life lived online. You can search for browser-specific instructions online, and even set a calendar reminder to do this on a regular basis.
Opt out of tracking across sites.
Visualize your personal information like a chain. The goal of data collection is to build a robust and detailed profile of your habits and interests, which means information gathered from an individual website or app becomes more valuable when it’s pieced together with similar data from other apps or websites. Recent versions of Apple’s and Google’s operating systems require apps to ask for your permission to do this; saying no breaks the chain with minimal effects on your experience. (On Apple, you can universally reject app tracking by turning off “allow apps to request to track” in the tracking subsection of your privacy settings.)
Opt out of data sharing from companies.
Many companies’ privacy policies allow them to share your information with third parties for marketing purposes; for example, a streaming service might sell your viewing habits to a company that will then serve you ads based on your interests.
Simple Opt Out summarizes these policies for many major companies, and directs you to where you can opt out. Otherwise, you can scan a company’s privacy policies for words such as partner, affiliate, third party, advertising, and personalization.
Avoid linking services.
Remember, your information is more useful when it’s part of a chain. For example, if you use your Amazon Prime account to get discounts at Whole Foods, the company now knows not just what you buy online, but when and where and how you shop offline. Similarly, connecting to services using your Google account allows them to request access to your calendar or Drive. Unlinking your accounts (or not linking them in the first place) breaks the chain.
I want to protect my location data.
Manage your phone’s location services.
Your mobile phone is with you at all times, and may be beaming your location to your phone’s manufacturer as well as third parties. Some amount of location tracking is manifestly helpful—for example, for weather and delivery apps—but it’s unlikely you’ll want every app tracking your location all the time, even when you’re not using it. You can manage these permissions in your phone’s privacy settings.
Be careful about location-based fitness apps
Apps such as Strava and Nike Run Club use your precise location to track workouts. Check your settings to make sure you’re not sharing more than you mean to.
If you want to be really careful, use paper maps.
Of course, mapping apps work by tracking your location—but depending on what settings you’ve enabled, they may also store it. You can manage Google’s ability to store your location, and if you’re going to a particularly sensitive location—say, a hospital, Army base, health clinic, or shelter—you can always use a paper map (or one accessed in incognito mode and printed out).
Don’t share your location on social media.
Apps such as Instagram, X, and BeReal allow you to share your location when you post. In some cases, this is something you opt into with each new post; in others, it’s a setting you can toggle. In either case, be thoughtful about sharing your precise location, and bear in mind that even private social-media posts can and do get screenshotted.
I’m a big social-media user.
Make your social-media accounts private.
Look at all of your accounts—including the ones you’re no longer active on!—and make sure that your sharing settings are set to friends only.
Audit your friends lists.
Run through your friends lists on social media and defriend anyone who you wouldn’t want knowing your updates. Don’t worry, most apps don’t notify people when they’re unfriended.
Delete old posts.
At this point, many of us have been on social media for well over a decade—long enough to share a lot. One night when you’re feeling nostalgic, go through from the beginning and delete any posts you wouldn’t want showing up at the top of your feed today. If you still want access, you can always download or screenshot posts before you delete them.
Change up your usernames on social media.
If you reuse the same usernames, or a version of them, on multiple sites, hackers or curious people can daisy-chain them together to find accounts you may not want surfaced.
Define “social media” expansively.
Many apps that we might not consider social networks have social functions—and all the attendant privacy considerations. For example, if your Venmo account is set to public, anyone can see who you’re paying and what you’re paying them for. Depending on how you’ve configured your settings, your Spotify followers may be able to see what you’re listening to. Many fitness apps allow users to broadcast their stats and location. If an app’s settings menu includes words like sharing or activity, you may be revealing more than you intend to.
I’m worried about hackers.
In addition to the basic steps outlined in the first section, you can …
Consider deleting yourself.
Search databases collect data from public records and sell it to users, typically for a subscription fee. Many of these sites contain highly personal information, including home address, age, and family members’ names, which can be used by hackers to sneak past security questions, and by regular creeps to be creepy. Companies such as DeleteMe scrub these databases, for a fee.
Install HTTPS everywhere.
This browser extension from the Electronic Frontier Foundation encrypts—scrambles, basically—your communication with major websites, so people can’t eavesdrop on what you do and where you go online.
Actually update your software.
Yes, this is annoying! But software updates tend to include security fixes and bug patches. Make sure you have automatic updates enabled on your phone, laptop, and smart-home devices, and make sure to reboot your devices every once in a while if you tend to keep them on. Make sure to also enable automatic app updates on your phone and computer.
Securely back your computer up.
This is especially important for people who store photos and other priceless personal information—backing your computer up won’t prevent other people from getting their hands on your data, but it will mean you won’t lose it forever if your computer is stolen, wiped, or lost. The easiest way to do this is with an online backup service like BackBlaze or IDrive that automatically backs up your files to a password-protected website (just make sure that password’s really, really good).
I want to help create a more private world.
Think about paying more for your internet.
Targeted advertising is why so much of the internet is free. When you pay—for apps, for news (ahem), for streaming—you are in some small way lessening these companies’ dependence on tracking you to pay the bills.
Fight for better privacy laws.
Mihir Kshirsagar, who runs a clinic at Princeton’s Center for Information Technology Policy, likens privacy incursions to air pollution: “Of course, we should all be thinking about what kinds of cars we drive and how we live, but we need infrastructure to help protect us.” Privacy shouldn’t be merely a personal responsibility. If anything you’ve read here has you particularly concerned, read up on the law and contact the people or groups who have power to change it. Note that this may be your state senator. According to Kshirsagar, states have been more active on privacy matters than the federal government.