Own Your Privacy: Start by Decluttering Your Digital Ecosystem
By Charles Cutshall
More information is collected about you than you will ever know. It's bundled and sold by entities you have never heard of and it's being used in ways that you never would have imagined possible. It’s a terrifying thought.
As a privacy professional and a person who cares deeply about individual privacy, I spend countless hours reading, learning, and thinking about privacy-related risks and harms. I will be the first to admit that I don't know all the ways that my information is collected and used. In fact, I am regularly shocked and disturbed by what I read in the news about how our personal information is being collected, analyzed, synthesized, shared, used, and sold.
It can be overwhelming to think about what you need to do to own your privacy in today’s digital world. The proliferation of smart technology has introduced countless sensors into our everyday lives. At times it seems like every move we make is being monitored, logged as digital breadcrumbs, and tied to our digital identity.
Taking ownership of our privacy is important. The risks to us as individuals and to populations of people are staggering. But, where to start?
Declutter Your Digital Ecosystem
Start now by immediately uninstalling every application on your device that you no longer use or that you haven't used in over a year. This may seem like a trivial first step, but it is important. We all have those applications that we downloaded in the moment, that we promptly forgot about and that we’ve allowed to linger on in our digital lives forever after. Uninstall them now.
You may have seen the news recently that Google plans to join Safari and Firefox in phasing out cookies in its Chrome web browser. Great news? No, sadly not. For the past two decades much of the conversation about protecting online privacy has focused on those little pieces of code known as cookies. Meanwhile, online tracking has evolved and is now increasingly done by a procedure known as device fingerprinting.
Device fingerprinting uses an algorithm to tie together hundreds of data points about your device to create a unique identifier - a hash - that can then be tied to you (it’s even possible to then link you to multiple devices using their unique fingerprints). From the folks at Mozilla, “The practice of fingerprinting allows you to be tracked for months, even when you clear your browser storage or use private browsing mode — disregarding clear indications from you that you don’t want to be tracked.”
Using browsers that default to blocking third-party requests to companies that are known to participate in device fingerprinting (like Mozilla or Safari) is a great practice. But, unlike cookies, device fingerprinting happens beyond the virtual boundaries of your browser, happening behind the scenes and inside individual applications. It happens without your knowledge or consent and without any way for you to see what data is being gathered. So when it comes to mobile devices, the most practical advice from New York Times tech columnist, Brian X. Chen, is simply to delete applications you rarely use, especially the ones from obscure brands.
Need another reason to delete those applications? Well, look no further than software development kits or SDKs.
Software Development Kits
Almost every application you have on your device was built using SDKs. SDKs are plug and play components that developers use to add certain functionality to their applications. SDKs increase efficiency by saving developers from having to recreate the wheel each time they develop an application, but they come at a cost to you — your data.
In 2018 a security researcher revealed they found 4 million Android applications sending unencrypted user profile data, such as names, ages, incomes, phone numbers, and email addresses - and, in one example, dates of birth, usernames, and GPS coordinates - over HTTP from the applications to advertisers' servers. And, as recently as this month, the developer of a popular women’s fertility-tracking application settled Federal Trade Commission allegations that it misled consumers about the disclosure of their health data. The cause? You guessed it, SDKs.
SDKs are insidious. Unfortunately, most (if not all) of the applications that you use on a daily basis are built using SDKs and there is very little you can do to stop them from leaking your personal data. For now, your best bet is to do some digital housekeeping and delete unused applications.
Decluttering My Digital Ecosystem
After researching and writing this piece, I went back through each of the applications on my personal mobile device. What I found is that it was easy to delete the applications I haven’t used in a while or that I may never use again. But, I also found that it was just as easy to look at an application, imagine a time and a place when I might use it again, and then skip to the next one. Maybe that will also be the case for you?
The one application that I downloaded as a result of writing this piece was an application that helped me better understand the risk associated with each of the applications on my device. Not only did it assign risk ratings to each of the applications, it also allowed me to inspect their permissions in a clear, readable format. There are a number of options out there (probably all built using SDKs), and I will defer to you about whether this type of application is something you want to introduce into your digital ecosystem. It gave me the extra motivation I needed when I was hesitating to tap delete and maybe it will help you, too.
Now that you’ve taken your first step towards owning your privacy, plan to take the next one by scheduling time to manage the privacy settings for those applications that you’ve consciously decided to keep in your digital ecosystem. I recommend starting with this helpful resource maintained by the National Cyber Security Alliance, which includes direct links to update your privacy settings on popular devices and online services.
Charles Cutshall serves as the Commodity Futures Trading Commission’s Chief Privacy Officer where he is responsible for managing privacy risks to individuals and to the Commission associated with the processing of personally identifiable information and for providing policy and programmatic oversight of the CFTC's privacy program.
The views and opinions expressed herein are those of the author and do not express the views or opinions of the Federal Privacy Council. In addition, any reference to products and/or services does not constitute an endorsement of those products and/or services.