Data Privacy - Individual Initiatives

Data Privacy: Best practices to protect yourself

Crime TV shows have taught us Locard’s exchange principle, i.e. every contact leaves a trace. Just as in the physical world, we always leave a footprint during our online activity, such as an entry in the log of a website we visit. We also take elements of our visit with us, including cookies, a copy of the website that we store in the browser’s cache (to access the page faster if we load it a second time) and a record in the browser’s history of the sites we visit.

Many of the traces we leave, or the trackers we take, are very difficult to avoid. In some cases, those traces and trackers provide a practical benefit to us, or they are irrelevant to most people who lead ordinary lives. However, other elements could lead to toxic results for us; specifically, those trackers that aim to identify our habits and biases in order to induce us to buy things we wouldn’t otherwise consider, at the highest price we are willing to pay. In other cases, the data companies gather from our online activity leads them to increase the cost of services we purchase (for example, life, health or home insurance). Additionally, malicious actors can use our footprints as direct or indirect means to scam or steal from us, for example by tricking us into making security mistakes or giving away sensitive information.

Data Privacy is a matter of habit

We should build security habits into our digital lifestyles to protect our privacy, well-being and rights, as we already do in the physical world by locking the door of our homes when we leave or keeping our purses closed and wallets away when we walk down the street. We must also teach our children these habits, so they adopt them as soon as they start going online and can enjoy a useful and fruitful digital life. According to a 2018 report, by the time a child is 13, over 72 million pieces of personal data have been captured about them. This information includes name, date of birth, address, family members, where they go and with whom they interact, their regular activities, and which websites they visit.

This post results from my tests to protect my data and privacy while maintaining some services I enjoy. Please bear in mind that I’m not a security expert, but a citizen interested in safe and private digital activity to preserve my interests and rights. Additionally, I have a professional background in data that makes me well aware of our personal data’s uses.

Moreover, I don’t intend to review all types of services mentioned in the post, and I certainly don’t profit from mentioning specific solutions. If you know another option, I’d appreciate you leaving a comment so we all can learn. Now, without further ado, see below a diagram with the collection of practices individuals can take to palliate their exposure to unrestrained data collection. No silver bullet protects you from all data collection, but there are several routines you can incorporate to reduce it.

[Diagram: Data Privacy - Individual Initiatives]

Chatting

The most used chat application worldwide is WhatsApp. It belongs to Meta, along with Facebook, Instagram and other products and services.

WhatsApp includes end-to-end encryption software to prevent third parties from invading our privacy and stealing our data. However, the WhatsApp Privacy Policy states that it collects user data to provide a better service. Some examples of those services are marketing and communication between Facebook and Instagram. So WhatsApp keeps track of our communications and content, and builds our profile for behavioural advertising.

I think it is better to avoid WhatsApp and choose an instant messaging application that respects privacy and has enough users to easily find most of our contacts. There are many options. I discuss two here.

The most renowned privacy-focused instant messaging service is Signal. It encrypts all communications and is developed and maintained by the non-profit Signal Foundation. The security purists don’t like that you still have to give a phone number to register. For those who switch mobiles, Signal can’t restore conversations in other mobiles or keep backups because they don’t store a copy in their servers (for security reasons).

Telegram is also a popular chat application that doesn’t leak our conversations’ content. It is a for-profit organisation based in Dubai, so it may still have some interests. We can restore our conversations on different devices because they are stored in an unencrypted format on the company’s servers.

Mail

Most of us use free webmail services. Some of them scan our emails for keywords for marketing and advertising purposes. These services are useful to synchronise our settings and data among different devices, so we are likely to keep them, even if we use them little.

Certainly, you may consider getting a webmail service that commits to not scanning your content, even though you may incur some expenses.

Whether or not you decide to keep free webmail, you can take some measures to minimise data leaking, such as reducing tracking of your activities by more actors.

Some email clients include security and privacy features, such as reformatting messages to prevent phishing from external actors, recognising tracking images and removing them, asking for confirmation before downloading images or navigating to a link, encrypting messages, etc.
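As an added illustration (not from the original post, nor the code of any mail client named here), this sketch shows how a client can recognise and remove tracking images from an HTML message. The heuristic (a remote image that is 1×1 or hidden), the class and function names, and the sample message are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class PixelStripper(HTMLParser):
    """Rebuild an HTML mail body, dropping <img> tags that look like tracking pixels."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []       # pieces of the cleaned body (comments/doctype are dropped)
        self.removed = []   # URLs of the images that were removed

    @staticmethod
    def _tiny(value):
        # A width/height of 0 or 1 (optionally "1px") is the classic pixel size.
        return value is not None and value.strip().lower().replace("px", "") in ("0", "1")

    def _is_tracker(self, attrs):
        a = {k: (v or "") for k, v in attrs}
        # Only remote images can report back; cid:/data: images are local to the mail.
        remote = urlsplit(a.get("src", "")).scheme in ("http", "https")
        style = a.get("style", "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        tiny = self._tiny(a.get("width")) or self._tiny(a.get("height"))
        return remote and (tiny or hidden)

    def handle_starttag(self, tag, attrs):
        if tag == "img" and self._is_tracker(attrs):
            self.removed.append(dict(attrs).get("src"))
            return
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # "<img .../>" is emitted (or dropped) once

    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")

def strip_tracking_pixels(html_body):
    """Return (cleaned_html, list_of_removed_image_urls)."""
    parser = PixelStripper()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.removed

# Constructed sample message: one visible logo and two invisible trackers.
SAMPLE = (
    '<p>Hi Ana &amp; team,</p>'
    '<img src="https://cdn.shop.example/logo.png" width="120" height="40">'
    '<img src="https://track.mailer.example/o?id=abc123" width="1" height="1">'
    '<img src="https://track.mailer.example/o2?id=abc123" style="display: none"/>'
)
```

The visible logo is kept, which is why clients pair this kind of filter with a prompt before loading any remote image: an ordinary-sized image can carry a per-recipient URL too.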

I am impressed with FairEmail. It is open-source, with plenty of features in the free version and a few additional capabilities in an affordable Pro flavour. Additionally, it doesn’t track users, and it doesn’t send information to third parties. In fact, it keeps a minimalistic view to remove trackers and cookies. It can also encrypt communications. Unfortunately, it is only available for Android.

Mozilla Thunderbird is another mail client built for security and privacy, and it has excellent features. It works on Linux, macOS and Windows. Recently, Thunderbird and K-9 Mail (a well-known mail client for Android) joined forces. Eventually, K-9 Mail will transform into Thunderbird on Android.

Don’t accept data collection without a good reason

Many providers request our data for marketing and advertising purposes, both in the physical and digital worlds. All contracts, application configurations, email or system accounts include by default the consent for them to use our data and share it with their partners. Before accepting any service, review their requests to collect data; if they are vague or irrelevant to the service, decline them.

For the same reason, decline cookies on websites. The cookie consent is purposely designed to be cumbersome to reject and easy to accept. However, cookies stay in your browser and trace your activity on different websites, profiling your interests and habits.

Additionally, review the privacy and security sections in your email and user accounts (Gmail, Outlook, Apple, Yahoo, etc.) and decline any offer to collect and store your activity data (it is euphemistically called personalising their services). Also, review your smartphone, tablet and PC settings, and decline any data collection.

In the case of smartphones and tablets, delete the Advertising ID (Identifier for Advertisers, IDFA, in Apple; Android Advertising ID, AAID, in Android) in the device’s settings. It is used for ad tracking.

Unfortunately, Apple collects metrics on how you use your device even when you disable the “Share iPhone Analytics” setting. Furthermore, your device sends those metrics along with the Directory Services Identifier (DSID, which is directly tied to your name) in the same packet to Apple.

When you install a new application on your device, grant only the permissions absolutely necessary. Our bank’s app doesn’t need to know our location to check our balance or transfer money. However, the police application to locate us in case of an emergency, Google Maps and the weather widget need to access our location when we use the corresponding app.

Be mindful of the apps’ permissions if a kid uses a device, especially on something as sensitive as location, and instruct them not to share it online.

Check the apps’ details before installing

Many mobile apps contain ads, meaning they show ads to users or collect data for ad tracking. Google Play Store and Apple App Store don’t give clear information on whether an application includes ads. However, there are other options. I am an Android user, so most of the stores I propose here are for Android.

Aurora Store is an alternative to Play Store, and it clearly shows under the app’s name if it contains ads, is free, or requires the Google Service Framework (GSF) to run. It connects to the Play Store to get some apps, but it can do it anonymously.

Another option is Uptodown, a secure alternative app store that offers Android, Apple and Windows solutions. I particularly like the app categorisation.

If you are into free and open-source software (FOSS), there are plenty of alternatives to acquire functionality on your mobile while preventing tracking and getting innovative applications. F-Droid and Neo Store (a modern version of F-Droid) are good places to search for FOSS.

A word of warning, though. Google and Apple can make rigorous security and threat analyses of the applications uploaded to their stores. The independent app stores also control the applications they offer (e.g., Uptodown uses 46 different antivirus solutions on every app before uploading it), but they can’t compete with Google’s and Apple’s means. Before using an app store, review its security and threat policy.

Block App Tracking

Some companies track your activity through smartphone apps they don’t own, even when you are not using the apps.

Apple’s iPhone and iPad include an App Tracking Transparency feature that asks users in each app whether they want to allow third-party app tracking. You can opt out of app tracking for every application or in bulk at any time.

However, Android doesn’t have a similar feature, and many of its applications contain hidden third-party trackers, as AppCensus reports. To prevent app tracking in Android, you can install the DuckDuckGo browser and enable the App Tracking Protection feature. Or you can install the AdAway app, which is free; it is meant to block ads on Android and offers more options than the DuckDuckGo feature.

Password Manager

If you use your home town or your pet’s name as a password and reuse it everywhere, you will likely have your accounts hacked with various consequences.

You should use different passwords everywhere, alphanumeric and at least 12 characters long. To help you remember them, you can create a fun, random passphrase instead of a password.

However, we all have over 100 accounts in different services and websites, and it is impossible for most of us to remember all those different passwords, especially if we use random combinations of numbers and letters.

Most browsers store the passwords we use on websites unencrypted, and they can share them in our browser accounts on different devices. Some can even generate secure passwords. Still, they are not the best option to store or remember our passwords when we don’t have our browser.

I recommend using a vault to store passwords, i.e. a password manager. There are free and licensed options with different features. Some of them include the means to generate the two-factor authentication (2FA) codes for the applications that allow them. For me, they are more secure than generating the 2FA codes in a mobile app because the app (or the phone) can crash, and then it is difficult (or impossible) to regain access to those applications. I speak from experience.

Browser, Search Engine and other measures

This post is already quite long. However, I have yet to discuss browsers and search engines, which are key for data protection. My next post will address this topic and a few other considerations. Stay tuned!


This article was amended on 5 December 2022 to add that Apple collects analytics about your use of your device even when you disable the “Share iPhone Analytics” setting and to propose AdAway as an alternative method to blocking ad tracking on Android.
