News

IT NEWS

Data Privacy Day: Know your rights, and the right tools to stay private

Not all data privacy rights are the same.

There’s the flimsy, the firm, the enforceable, and the antiquated, and, unfortunately, much of what determines the quality of your own data privacy rights is little more than your home address.  

Those in Chile, for example, enjoy a globally rare constitutional right to data protection, and if any Chilean feels their rights have been disturbed or threatened, they can file a “Constitutional Protection Action.” People in the European Union and the United Kingdom enjoy strong data protections because of the General Data Protection Regulation, the sweeping data privacy law which gave the public many new rights in 2018, including a “right to access”—which allows an individual to ask a company to hand over all the data it has collected on them—and a “right to erasure,” which allows a person to ask that company to delete that data. In Germany, already  covered by GDPR, the newly-agreed-upon government is reportedly considering the addition of a “right to encryption,” which, depending on how it is defined, could be the first of its kind, and a much-needed defense against other international efforts, like in Australia, to weaken encryption through regulation. That anti-encryption thrust is not too different in America, where federal law enforcement officials have repeatedly blamed strong encryption as one of the largest reasons that they cannot stop crime before it happens.

Speaking of America, the variety in data privacy rights around the world applies just as well to the country itself: People who live mere miles apart enjoy wildly different data privacy protections because, in the absence of a comprehensive, federal data privacy law for all Americans, individual states have passed data privacy laws for their residents and their residents alone.

This segmented, legislative push has created a patchwork quilt of privacy in the country. In its most north-eastern reaches, those east of the Salmon Falls River—which serves as a dividing line between Vermont and Maine—are protected from having their Internet Service Provider (ISP) sell, share, or grant access to their data without their specific approval. Those west of the river, however, have no such protection. And Californians, separately, have the fortune of data privacy protections similar to those included in GDPR, but their neighbors in Arizona, Utah, and Oregon are without luck.

This is the frustrating state of data privacy rights today, but you have a role to play to make it better.

Thankfully, in many countries around the world, the public can still use online tools to protect their own data privacy. No legal regime to worry about, no case law to be cited. Just user choice.

So, want to hide your internet activity specifically from your ISP, or from eavesdroppers while you’re connected to a public, unprotected network? Use a VPN. Want to gain even more privacy and send your Internet traffic through a few layers of encryption? Use the TOR network and its related browser. Want to stop invasive ad tracking? Use a more private-forward browser or download a devoted browser extension. Want to hide your online searches? This one is easy—use a private search engine.

This Data Privacy Day—which we are celebrating for the whole week— don’t limit yourself to just the data privacy rights you’re given by your country or state. Instead, broaden and deepen your own data privacy by finding out which of the many data privacy tools is right for you.

The tangled web of US data privacy rights and laws

In the United States, there is no federal law protecting all types of data for all Americans.

Instead, the national data rights that every American enjoys are purely sectoral—isolated, industry-specific protections regarding, for example, healthcare information, credit reporting accuracy, children’s data, and, bizarrely enough, VHS rental records. (Since that law has not been found to apply to streaming services, it is presumably only of use to the residents of Bend, Oregon, home to the so-called “Last Blockbuster.”)

This piecemeal strategy is the consequence of occasional laser-focus from US Congress members on only the problems facing them at that very moment. That VHS rental history law? That was passed in 1988 after a newspaper published the video rental records of then-Supreme Court nominee Robert Bork. (The journalist who wrote the story succinctly proved a point—that, as Bork himself had argued, Americans had no real rights to privacy beyond those explicitly encoded in law.) A separate law protecting children’s privacy was signed in 1998 as the public feared wanton collection of kids’ data online.  

For about two years, though, that laser-focus found an ironic subject: Broader protections.

Starting in 2018, US Congress members homed in on crafting a comprehensive data privacy law that would restrict how companies and organizations collect, use, share, and sell Americans’ data. Roughly a dozen bills were introduced in the House of Representatives and the Senate, and substantive, new ideas on data privacy were considered.

There was also Senator Ron Wyden’s bill, which recommended jail time as a consequence for tech company executives who played a vital part in violating Americans’ data privacy rights. There was Senator Amy Klobuchar’s bill, which tried to standardize perplexing, yawn-inducing—and potentially unfair—“Terms of Service” agreements by requiring that those agreements be written in “language that is clear, concise, and well-organized.” There was Senator Marco Rubio’s bill and its light touch on regulation, which simply asked that the US Federal Trade Commission write its own rules on privacy that Congress later adopt. And there were other, novel proposals, like the ACCESS Act, which focused on data portability, and the Data Accountability and Transparency Act, which erred away from today’s singular focus on user “consent,” which, even under the best intentions, can often translate to a deluge of webpages all asking: “Do you agree to our use of cookies?”

Disappointingly, none of these bills moved forward, and following the US presidential election in 2020, new priorities were mapped out for Congress. Thankfully, in the United States, there are more legislative machines at work that can pass data privacy laws at home—the individual states themselves.

For years now, the majority of US states have at least attempted to lasso companies into better handling the consumer data that is collected whenever users interact with their websites, use their products, or respond to their social media posts. In fact, according to a recent analysis by The New York Times, only 15 states have essentially ignored consumer data privacy legislation; every other state has either introduced, passed, or signed a law, or replaced a comprehensive data privacy bill with a task force committed to researching the topic.

Within those 35 states, though, only three have found success—California, Colorado, and Virginia all passed consumer data privacy laws in the past few years. And not to immediately rob those successes of their merit, but each of those laws has its own problems, and the law in Virginia, especially, has drawn rebuke from Electronic Frontier Foundation (EFF) and American Civil Liberties Union (ACLU).

Kate Ruane, senior legislative counsel at ACLU, said in speaking with The New York Times that Virginia’s law, when it was still a bill, was “pretty weak.”

“It essentially allows big data-gathering companies to continue doing what they have been doing,” Ruane said.

At this point, it’s easy to think that US data privacy rights are following a sad trend of one step forward, two steps back. Just a few years ago, federal lawmakers were interested in data privacy. Then, they weren’t. Stateside, multiple states introduced broad data privacy laws for their residents. Then, only three such laws actually passed, and each law has its own problems.

The good news here is that you don’t have to—you shouldn’t have to—wait around for your government representatives to decide when you deserve data privacy rights. You deserve those rights today.

Here’s how you can take some first steps forward.

The right data privacy tools for you

In the US and in many countries abroad, one of the most powerful data privacy rights you have is the right to use a tool that can put data privacy into your own hands.

Data privacy tools are actually a lot like US data privacy rights, in that there are specific tools that protect specific types of data, or they protect your data in specific circumstances. While this variety is appreciated, it also means there is no one single solution to keep your information private online at all times.

To avoid any confusion about what tool can protect what data, here’s a quick run-down of what is available and how it can help you:

  • A privacy-forward web browser or a devoted web browser extension can block third-party ad tracking
  • A private search engine keeps your online searches private, protecting your interests from being sold to advertisers who want to serve you more ads
  • A VPN can obscure your Internet traffic from your Internet Service Provider and encrypt your data on public networks
  • The Tor Network and the Tor browser can route your Internet traffic through multiple “relays,” or servers, encrypting the data multiple times along the way

Knowing all that, let’s start with the simplest option that can also protect you from the most subversive and invisible form of data privacy invasion.

Privacy-forward web browsers and browser extensions

If you’re using a web browser that is made by a company that makes the majority of its money from online advertising (according to Wired, Google’s advertising revenue alone in one quarter of 2020 was $26 billion), your online browsing behavior is being stealthily watched across nearly every website you visit. As your browsing habits start to form a profile of who you are, where you live, what you like, and what you typically buy, you’ll start to see ads that follow you around constantly.

This is the work of third-party ad tracking. Due to the implementation of cookies in nearly every corner of the public-facing Internet, nearly all of our Internet behavior is tracked online. That information then gets packaged and sold to companies that want to deliver ads specifically to you and people like you.

To stop this type of invisible, online tracking, you should use a web browser that takes your privacy seriously. Options like Firefox, Safari, and Brave all block many types of ad tracking by default, which means that from the first time you launch these programs, you’ll start being protected, no user intervention needed.

If you’re too attached to your web browser to ditch it, you can also download a browser extension for this very same purpose. Several browser extensions that block ad trackers include Malwarebytes Browser Guard, EFF’s Privacy Badger, and the self-titled ad-and-tracker blocking extension made by Ghostery.

For those interested, Ghostery has also released a web browser that, with a monthly subscription fee, comes with a host of other privacy tools, including the company’s web analytics tool and a private search engine.

Speaking of which…

Private search engines

A private search engine, like the ones built by DuckDuckGo or, more recently, Brave, will keep your searches yours. Both companies promise that they do not collect or track your searches, and that they do sell that search data to third parties.

Though Brave’s search engine is newer and still in beta, DuckDuckGo has been in business for years, and this month, it passed the 100 billion total search mark.

VPNs

Any discussion on data privacy wouldn’t be complete without talking about VPNs. VPNs, or virtual private networks, are tools that can help you hide your Internet traffic from your Internet Service Provider, which might appeal to you in the United States because your ISP could actually take what it knows about you and then sell that data to the highest bidder, who will then use your information to send you even more ads across the Internet.

VPNs can also provide vital protection to you whenever you connect to the Internet on a public network, like at a coffee shop, an airport, or hotel. If those networks are not password-protected, then it is easier for eavesdroppers to watch your Internet traffic on that network. With a VPN, your traffic is encrypted and illegible to outside parties.

Because there are so many options out there, you can read our guide about how to choose the best VPN for you.

The Tor network and browser

The Tor network, in a way, is the Internet run by people—not companies, not conglomerates, not revenue-chasing decision-makers. The way it works is that volunteers around the world set up individual servers for Tor users to connect to—and through—when browsing online. This means that whenever you browse the Internet through the Tor network, your Internet traffic actually moves through three separate servers, which Tor calls “relays.” The last relay that you connect to then connects you to your final destination online, like a website. Because your traffic has been sent through three relays and encrypted each time it goes through a relay, the website you eventually connect to does not actually know who you are. It cannot collect any meaningful data about your age, your gender, your location, your politics, or your interests.

With the Tor network, then, you can obscure what advertising companies the world over want to know about you and what they spend countless dollars to discover.

Years ago, utilizing the Tor network required quite a bit of technical work, but with the nonprofit’s release of the Tor browser, much of that work can be done by the browser itself.

If you’re interested in taking your privacy to the next level, consider downloading the Tor browser and connecting to the Internet through a Tor connection, which the browser can configure the first time you start it up.

It’s not just about tools. Adopt new rules

While all the tools we described above can better protect your online privacy, there’s one more thing you should consider this Data Privacy Week, and that’s how you treat other people’s privacy online, too.

The devices that we carry in our hands every single day are capable of recording so much of our daily lives, and that includes private moments of other people’s lives, too. The photos you take with family, the conversations you have with friends, the videos you record and share—all of these can and do include people other than yourself who have their own idea of privacy, both online and off. Think about how much you care about your own privacy, and then think about what you can do to protect the privacy of others around you.

Don’t share private conversations, don’t post embarrassing videos, and don’t send photos around unless you know that other people in the photos are okay with it.

For years, we’ve heard that cybersecurity is a team sport. It’s time to treat data privacy like one, too.

The post Data Privacy Day: Know your rights, and the right tools to stay private appeared first on Malwarebytes Labs.