What is Internet privacy & why you should care

More and more of our daily lives are happening online and increasingly facilitated by single devices like smartphones. There are certainly conveniences: instant news, shopping from home, phone calls and emails all on one device. What we might not easily see, however, are the ways that our personal and collective privacy is being compromised right under our noses. This isn’t even just a question of sharing personal information online: the fact of doing anything online leaves a trail of data which is behind harvested and used. We’ll probably never know the full extent of how our privacy is being violated.

It’s natural to expect that what we do online should be private: when we browse the web, send an email to a loved one, or make purchases, why should any of these things be different than going to a library, mailing a letter, or buying something in a store? In our life offline, afterall, if someone were to open our mail, come to our home uninvited, or track our movements around town, we would rightfully be alarmed.

This article explains the evolving idea of internet privacy, why it is important, and what the main threats to privacy online are. To help everyone take an active role in protecting their privacy on the internet, Nym provides a guide on key practices and tools to use while navigating the public web.

What is internet privacy?

Defining “internet privacy” is actually quite difficult and hotly debated even amongst privacy theorists and activists. Internet privacy was not necessarily a big concern at the debut of the internet; at the time, the problem of “security” predominated. It wasn’t until the 1990s, as the internet started to see more widespread and public use, that the opportunity for the collection of user data started to raise red flags. And the questions started flowing:

• What kinds of information and activities should be considered “private” when passing through or occurring on the “public” web?
• How much responsibility does a web company, with whom we share personal information, have to protect this data that they store?
• What kinds of information can web services share with third parties, and what should they be prohibited from sharing?

In one sense, these questions demand regulatory or legal answers. But as we will see, they also require immediate self-protection practices on the user side.

Internet privacy: Jurisdictional efforts

One definition of internet privacy is legal and jurisdictional. Many government constitutions guarantee certain rights to personal privacy, defending against material communications tampering or home invasion. However, at the foundation of the world wide web, there were no such governing bodies considering the privacy of what we do online. Even now they are relatively new and still in formation.

In the last decade, internet privacy has gradually risen to the level of public and legal attention, demanding governments recognize and work to protect it as a fundamental right of their citizens. Recent legislation like the General Data Protection Regulation (GDPR) in the European Union, which is the most robust governmental privacy protection law to date, is certainly an important step forward.

Unfortunately, something like GDPR has only regional jurisdiction, while the internet is global. Different countries ultimately have their own policies on internet privacy, or none at all, and are differently capable and willing to force local Internet Service Providers (ISPs) to enact certain protections. Against online privacy and freedom, some governments are actively engaged in surveillance programs of their own citizens, enforcing censorship restrictions to block web access and content, and blacklisting privacy tools like Virtual Private Networks (VPNs).

Types of online data

There are two general legal classifications of data regarding your online privacy. As we will see below in the sections on metadata and the main privacy threats, the difference between them is crucial but also insufficient.

1. Personal data (PD), or personal identifying information. PD refers to any personal information that can be used to directly identify a natural person, such as our home address or credit card number. This can also include attributes such as age, race, political affiliations, etc., insofar as these attributes specify or can be linkable to us as individuals.
2. Non-personal data (NPD), or non-personal identifying information. NPD can either be data that has no personal reference to begin with (such as weather data), or PD that has been pseudo- or irreversibly anonymized, making the data unlinkable back to the person. For example, if you post something to an online message board under a pseudonym, the content of your post is technically NPD. And if a statistical analysis publishes user traffic data connecting to a particular website after removing IP addresses from the data set, the result is NPD.

To see how the difference between PD and NPD can be neutral or personally revelatory, take a basic example: imagine someone making a list of all types of vehicles parked in an airport parking lot – say, everyday for a year. This could include data categories such as make, model, color, and condition or the vehicles. The data set is detailed, but most of the information will be NPD. Likely no one’s privacy will be at stake. Contrarily, if the data for each car also includes a corresponding license plate number, then not only does it include PD which can link back to the car owner personally, but it also can be used to analyze things like their driver preferences, likely income, and even travel records.

Ultimately, PD is the easy and prime target in exploiting internet users. This is because it is the easiest means to most directly exploit our identities (identity theft), finances (theft), and personal data (ransom or exploitation). However, PD is by no means limited to your sensitive information contents (credit card numbers, home address, phone number, medical records). Nor is PD the only way we are tracked online. The problem is now much bigger and legally unclear.

The problem of metadata leakage

The content of our communications (and thus a lot of our PD) is mostly protected these days, with end-to-end encryption becoming the norm. However, in the age of AI, encrypting your online traffic is not enough. This is because of the sophisticated systems harvesting, analyzing, and selling our metadata all across the web, usually without our knowledge and with dubious consent practices (or none at all).

Metadata technically means data about data, or the information about the message in the case of communications. It includes information like IP addresses (what device is connected to what online service), timestamps (when a message was sent or a connection made), duration (how long a connection lasted), and frequency (how often a connection or contact was made over time). So even if someone can’t read your actual message, there is a lot of information about what you’re doing online that is leaking from your traffic (in the sense that it is accessible outside of encryption).

Metadata has an ambiguous status in regards to most legislations aimed at protecting online privacy protection. On the one hand, it is not exactly PD because it does not carry explicit personal identifying information, and thus is not easily linkable to the individual user. On the other hand, it is not exactly NPD because data analysis, especially aided by AI systems, can deduce very personal information from large metadata sets: browsing histories, political beliefs, and even things like medical conditions. Complex traffic analysis and surveillance programs, with additional information gained from ISPs and VPNs, can even use metadata to lead directly back to an individual user.

What are the main threats to privacy on the internet?

How can we be said to have any control over our privacy online when the future of our data is out of our hands from the moment we click on anything? Can the privacy commitments of internet companies also stop them from using our data themselves, or for selling it to third parties? Moreover, what can prevent government or law enforcement agencies from accessing mass amounts of user data that these companies share? And how safe are their data storage systems?

Unfortunately, defending our privacy online is a multi-front battle against many possible enemies who are constantly at work in tracking us. Here are the big threats to look out for:

Cyber crime and hacking

Cyber crime is one of the biggest threats for individuals, groups, and companies worldwide, one which will directly affect your life, finances, personal security, and mental health. Hackers and cyber criminals are not simply skilled individuals, but also teams working with the advanced technical resources and finances of organized crime outfits. With access to your personal data (credit card records, identifications, addresses, medical records), they can be very effective in the cyber theft of your assets and identity, and even in impersonating you online.

Cyber crime and hacking occurs by many different means. Hackers can try to intercept your data in transit, gain direct access to your device, or they can breach your personal details from the databases of websites, VPNs, or institutions. Moreover, they can also use sophisticated tracking techniques to exploit your online activities.

Internet tracking

Everything we do is being tracked and monitored online, and internet surveillance is now ubiquitous. Each website we visit or service we use tracks us in some respects. Sometimes this is for functionality purposes, while other commercial services compile and analyze user data for targeted marketing purposes. This mass accumulation of data, however, is by no means innocuous even if our names are not attached.

These pervasive systems of aggregating user traffic (in terms of behaviors, trends, preferences, likes, purchases) create a resource potential which is sought after by third parties (such as data brokers or surveilling agencies). It allows anonymous systems to progressively know us better through our online behaviors. Of course, this might start by trying to sell us products that we are predicted to want. But it can go as far as targeting us with political ideas, theories, and information based on what AI algorithms identify as our ideological dispositions and vulnerabilities, however false the information we will receive may be.

Finally, online tracking is not also simply the practice of large, omnipresent agencies (like governments and Big Tech companies). It is also something done on more individual and personal levels: many individuals continue to struggle with online stalking, the exploitation of their personal contents, harassment, and revenge (e.g., by ex-partners). Being private online can often be a way of directly protecting one’s physical and emotional wellbeing.

Mass surveillance

In addition to the extensive tracking operations of websites and services, our data is also subject to mass surveillance efforts. Governments have been revealed to be at work in tracking web users globally. In the United States, for instance, this has involved intelligence agencies gaining exceptional access to user communications directly through major telecommunication companies as well as the databases of major tech companies like Google and Facebook. These mass surveillance efforts have been conducted in coordination with many allied countries and intelligence agencies worldwide.

So even if you put your trust in a particular web service (whether it’s a social media platform or a mainstream VPN), your data is always at risk of ending up in governmental hands even if you’ve done nothing wrong.

What to avoid doing to protect your internet privacy

The first stage in defending our privacy online should be to reduce our vulnerabilities. We cannot simply wait for governments and regulatory bodies to secure our internet privacy. It is necessary for every user to take matters into their own hands. Here are some concrete things and practices to avoid in order to better protect your privacy online:

Using the same credentials for multiple accounts

If your passwords and login IDs are revealed to hackers or cyber criminals from one web server’s databases, your other accounts online that use the same login credentials can also be compromised. Try to vary your passwords between accounts. Password managers can help get these organized and protected.

Staying logged in to websites

When you stay logged into websites over a period of time, the cookies installed on your browser store information related to your credentials and browsing history, among other data. This can increase the risks of cyber attacks like session sniffing, or even session hijacking when an adversary gains access to your account to impersonate you online. Moreover, if your device is lost, it can give thieves access to your account. The longer you stay logged in, the higher the risks.

Blindly accepting Terms & Conditions

It’s difficult to read through all the contractual details contained in documents that we usually automatically accept when starting to use a site or app. In fact, doing so would even be quite impractical and time-consuming. But the truth is that these Terms & Conditions often contain clauses that permit companies to share your data with third parties. Users face a double-bind dilemma: accepting the document can legally authorize the use of your data, and not accepting can block access to the platform entirely. When possible, try to look for equivalent services that do not seek to track or share user data, nor to hide such privacy-violating clauses in virtually unreadable and unethical contracts.

Opening suspicious attachments or downloading malicious files

One of the biggest sources of online hacking and cyber crime is the use of phishing attacks and malware. Phishing attacks occur when something like a fraudulent email formatted like a trusted service or person elicits users to click on a link or to enter their personal information on a counterfeit page. This allows hackers and cybercriminals to gain access to your accounts. Clicking on links and downloading files to your computer can also be a means of installing malware which could give hackers direct access to your device.

Concrete tips on how you protect your online privacy

There is a lot users can do to better protect their own privacy and security online. This is Nym’s non-exhaustive list of key practices:

Secure your web browser

There are many ways users can manually secure their web browser for safer and more private web browsing. The first is to keep your browser updated: updates often make your browser aware of new security threats to detect. Additional steps include installing anti-ad and -malware plugins, enabling “do not track” features if available, limiting or regularly clearing cookies, and disabling unnecessary plugins (which might be recording your traffic). These multiple steps can be expedited by choosing a web browser known for its privacy protections.

Use a VPN

VPNs encrypt your online traffic and route it through another server(s), masking your personal IP address before your data reaches the public web. New decentralized VPNs protect user privacy ever more robustly than traditional VPNs by using multi-server routing, unlinkable architectures, and advanced encryption protocols.

Keep your software up-to-date

Software updates for your devices and apps often involve new security features, like updated logs of known threats, malicious addresses and sites, and malware.

Install an anti-virus program and activate firewalls

Depending on your operating system, anti-virus software can help protect your system from viruses and malware attacks from leaking your personal information. Firewalls can help relegate what information can go in and out of your device, and even prevent certain sources (like known ad servers) from connecting with you.

Delete cookies and deny cookie requests

Cookies are pieces of data installed on your browser by websites. They are used to track your activities across multiple sessions, for example, to remember your login credentials and to tailor advertising and content to you. Deleting your cookies manually through your browser can help avoid tracking, but users should know that advanced cookies (like evercookies and zombie cookies) can persist and resurrect themselves after clearing. When a web service asks you to accept cookies (usually in terms of “essential” or “unessential” ones), you can choose to deny the request.

Adjust your settings on Google, Facebook, etc.

Many of these Big Tech platforms now include user privacy customization settings which can allow a limited amount of control over what kinds of data is collected. This may reduce the risks of data tracking, but it certainly will not solve the problem.

Use secure and reliable websites.

HTTPS is an encryption protocol for the public web. Many sites and services now secure the content of users’ activities from end-to-end while accessing their platforms. Make sure any website you are visiting is secured by checking for the lock logo next to the URL in your browser. Using a VPN can guarantee that your data is always encrypted no matter what you access, and will make your data double encrypted in most cases.

Secure online communications

Make sure to use messaging platforms that are end-to-end encrypted, and preferably decentralized VPNs for highly sensitive communications.

Share online files securely.

How you share your files online is very important. Make sure that all connections are encrypted so that the content of what you are sending cannot be easily intercepted and read in transit. Only share files with known parties, and do not open files from unknown parties under any circumstances.

Use multi factor authentication (MFA)

MFA is a process that involves verifying your credentials on your other devices before accessing a service. For example, 2FA in signing into your email account from your computer might require you both sign into service on one device while also receiving a code on a second device (like a mobile phone) before accessing. This can allow a service to verify that it’s really you when they detect suspicious login attempts (for instance, if you’re using a VPN or a new browser, or if someone is trying to login into your account from their own device).

The future of online privacy

There is perhaps a common misconception that people need extra privacy online because they are breaking the law or have something to hide. But this is a false assumption. Due to the systematic ways that everyone’s data globally is being harvested, surveilled, and exploited, it is necessary to adopt self-defensive privacy measures. This will continue to be an ongoing struggle as both online tracking and privacy technology co-evolve.T hankfully, as we’ve seen, there are many concrete things we can all do to protect ourselves online.

NymVPN is here to provide you with one crucial tool in this struggle: a VPN built on a novel mixnet to maximally anonymize all of your online traffic. Whether you’re using Nym’s 2-hop dVPN mode or its unparalleled 5-hop mixnet mode for highly sensitive traffic, users can avoid the security risks posed by centralized VPN services. The choice also allows users to custom configure what traffic needs robust protection and what less sensitive activities (like gaming) need increased speed.

In addition to these personal practices, we should also try to raise awareness of the challenges and threats we all face globally as users of the web. We should press our local governments not only to do more to protect their citizens against cyber crime, but also to stop mass surveillance programs that violate the privacy of innocent people worldwide.