
Wash your digital hands

It's time we look after our flippin' privacy.

What is this?

Information about the things you use, and how to stay private when using them.

But like, why tho?

Do you know what your digital shadow is? Probably not. Do you have one? Yes, likely an extensive one.

(spoiler alert: that’s not good news)

A decade of internet use is about to start affecting you in some very real ways, and it already has for many parts of the world's population.

Think people getting fired over their Twitter usage was bad? How about getting refused health insurance, or a supermarket detecting whether you're pregnant…

Don’t sweat though, 60 seconds of reading bullet points and I’ve got you covered.

Note
Information updated as of December 2020.


Facebook

Privacy Policy and Terms of Service


Being on public is a serious security risk, as it gives literally everyone on Facebook access to your photos, and personal information. This includes people you don't know, and bots too.

There's a surprising amount of information you can gather about someone just from a few photos and some basic details.


You can do this here.

Facebook keeps track of you even when you're not on Facebook, through technologies such as 'Cookies'.

(what on earth cookies are is hastily explained here)

Some of the culprits that are tracking you can be found by simply checking your cookies.


When you use the Facebook app, you’re, in essence, allowing Facebook to run code directly on your phone.

(no prizes for realising that this isn't a totally private idea)

This code delivers Facebook to your device, but it also allows it to run a whole host of other things secretly in the background under the guise of ‘delivering a service’.

(when I show people pictures from my aunt Suzy's wedding, I also need to know their likelihood of addiction, susceptibility to persuasion via advertising, and their political leaning first)

Using the web version of Facebook still runs code on your device, but this code is run through your browser first.

Why is this better? Well, some browsers like Firefox and Safari are pretty strongly dedicated to users’ privacy, and will act on your behalf to prevent websites from tracking you or giving up your data, including Facebook.

Be warned though, not all browsers are made equal - this club of guardian browsers does not include Google Chrome, whose data-gathering habits make it one of Google’s biggest sources of user data.


Trust me 100% when I tell you this is satisfying as hell, so give it a go.

Goodbye to the guy you met once on a night out.

Goodbye to Becky's third cousin you've never actually met.

Goodbye to Josh's second cousin, twice removed's, old Facebook account.

The reason why is that Facebook builds a map of your social circle through who your registered 'Friends' are, and who you interact with.

Fewer registered friends means fewer people to give up data about you. Facebook will still know that you used to be 'Friends', but it'll make it slightly harder to link you together.

P.S.A. Once you've removed them, you can hide your reduced 'Friend count' from everyone, if that's something you're concerned with. It's in the privacy settings.


Have you 'Liked' Coca-Cola's official Facebook page? You might not have, but you from 7 years ago probably did...

Remarkably, according to these chaps over at Cambridge and Stanford, their algorithm only needs 70 liked pages to be a better judge of your character than your own friends, and only 300 likes to know you better than your own spouse.

It can also tell whether you're in a relationship, going through a breakup (and how recently), or are simply just living it up in the single lifestyle.

(probably obvious by the time of day you get all your DMs...)

To be clear, it isn't just the things that you have liked that clearly give you away. The things you've liked allow them to more easily categorise you, based around things that other people have liked.

Facebook uses 100+ data points, cross referenced with not only the data you’ve provided, but the data of other people similar to you, and builds up a profile of you.

This is how many preference algorithms work, including Netflix's and others'. If other people who are similar to you like a new thing, the odds are that you will too.


If you're inclined to peruse other people’s, usually poorly maintained, unwanted possessions, then you might want to stop.

If there's one way to tell Facebook what kind of things you're into, it's by shopping with them. Simple as that.


Messenger is about to go through some serious changes.

(siri, play that one song by Charles Bradley)

Facebook’s Messenger service is eventually going to be merged with Instagram DMs and WhatsApp, into one big behemoth of a messaging app that practically everyone will use, perhaps more than texting.

On the bright side, this may end up being more secure, and more private for everyone, but this is Facebook, so don't hold your breath...

For now, know that Messenger is totally unencrypted. This means all images, and anything you type or send into Messenger can be read by Facebook, or anyone with access to the data.

(this could be hackers, the Government [on request], Government Hackers, or people who hack the Government, maybe even Zuckerberg himself)


So, believe it or not - Facebook can tell roughly where you are when you log on, even when you have location stuff turned off.

This means that if you open the app at your friend’s house, Facebook can infer that you’re not at home. How do they know where your home is? Statistically, it’ll likely be the place you visit Facebook from the most.

(unless you have a seriously active social life. But if that's the case, why are you constantly on Facebook?)


You can do this here.

This is opt-in, so if you have it active, it'll be because you clicked "YES" without reading what the box was actually saying.

Opting out of this will mean that your face won’t be analysed and templated, and Facebook won’t be able to recognise you automatically in photos you aren’t tagged or involved in.

Bear in mind, this only disables 'algorithmic' face detection; a human at Facebook could still look at both photos and recognise that it’s you.


'The Facebook Company' owns pretty much half of the social media sites you might use: Facebook, Instagram, and WhatsApp are all owned, and managed, by Facebook, along with a host of other smaller companies such as Oculus, Giphy, and 82 others.

Instagram

Privacy Policy and Terms of Service


Let's address the elephant in the room here - if you're wanting someone specific who doesn't currently follow you to be able to see your profile and all your pictures, just follow them.

Being on public is a serious security risk, as it gives literally everyone on Instagram access to your photos. This includes people you don't know, and bots too.

Ever had your photos stolen and reposted to a different website you don't know about, with some less-than-savory comments beneath?

Horrifying P.S.A: There's now a messaging service that uses AI to digitally strip you in photos, photoshopping you to be naked based on your body shape in the photo.

Yeah, I know. Just set it to private.


Not literally obviously. That's illegal at best.

Everyone in your 'followers' list has full access to all your photos, and any photos you've been tagged in (providing the original poster is being followed, or set to public).

Many of the people in your original 'followers' list may be very different people by now, compared to when you followed them. Some of them might have hacked accounts and aren't even themselves anymore!

It only takes one follower to be a bad egg, for bad things to happen. Reduce your list just to people you actually know and trust.

150 good friends is more impressive than 800 bad ones.


When you use the Instagram app, you’re allowing Facebook (yes, because Facebook makes Instagram) to run code directly on your phone.

This code delivers Instagram to your device, but it also allows it to run a whole bunch of other things in the background under the guise of ‘delivering a service’.

Using the web version of Instagram still runs code on your device, but this code is run through your browser first.

Why is this better? Well, some browsers like Firefox and Safari are pretty strongly dedicated to users’ privacy, and will act on your behalf to prevent websites from tracking you or giving up your data, including Instagram.

Be warned though, not all browsers are made equal - this club of guardian browsers does not include Google Chrome, whose data-gathering habits make it one of Google’s biggest sources of user data.


It’s worth mentioning that when you like posts, you’re telling Instagram what you like and don’t like. Similar to the Facebook ‘likes’, this helps build up a profile on you.

Avoid liking content from accounts that aren’t your friends. This will keep your inferred data to “they liked their friend's photo” rather than “oh, they engaged 30% quicker with this particular style of sponsored content”.


Instagram DMs are about to go through some serious changes.

Instagram's DM system is eventually going to be merged with Facebook's Messenger and WhatsApp, into one big behemoth of a messaging app that practically everyone will use, perhaps more than texting.

But for now, know that all Instagram DMs are totally unencrypted. This means anything you type or send in a DM can be read by Instagram, or Facebook (because they own Instagram, remember), or anyone with access to the data - same goes for images you send, even the disappearing ones.


If there's one way that Instagram can learn what your likes and dislikes are, it's the 'Explore' tab.

(hence why they're constantly trying to crowbar it into your main feed.)

Instagram will constantly be shuffling content around, seeing what holds your attention most, and seeing how many sponsored posts it can push into your feed before you lose interest.

'Explore' should just be renamed to 'Sponsored'. It would be more accurate.


Let’s be totally honest here, how many times are you checking Instagram without even realising you’re doing it?

It can actually become a subconscious reflex, mostly because Instagram is designed the same way a Casino is: to hit dopamine receptors.

(for a while, I had the reflex of tapping inanimate objects to check for notifications. True story, I was tapping all kinds of remotes, books etc, it was mad)

Instagram logs your scrolling. It takes note of how long you look at each photo on your feed, whose feeds you go scrolling through, and how long you look at each photo. This all happens behind the scenes, and isn’t available for you to view in the woefully empty account data page.

It uses this data to see how long it can keep you scrolling for, by drip-feeding you interesting or engaging content, and padding the rest with sponsored content.

Sponsored content isn’t just ads anymore either. Want to sway an election? Pay for memes that discredit your opposition. Want to sell a product? Pay an influencer to make a video and mention it off-handedly. You’d be surprised how many posts have money behind them.

Also, on a mental health basis - excluding the effects on self-image etc - Instagram is just plain awful for your attention span.

Just use it less, and use it more meaningfully.


Instagram's data harvesting won't show up in any 'tracking protection' scheme, because Instagram isn't contacting any third party trackers. THIS DOESN'T MEAN THEY'RE NOT TRACKING YOU. It just means they're clever enough to do it on their own without any help.

WhatsApp

Privacy Policy (Europe) and Terms of Service (Europe)


WhatsApp is the wolf in sheep’s clothing for being touted as a ‘secure’ messaging service, and for the most part, it kind of is.

(it's definitely not perfect: it's likely that either a backdoor already exists, or one could be easily implemented, so whilst your two-way chats are encrypted for now, there might still be a key knocking around somewhere.)

However, if you select the seemingly convenient option of backing up your chats to the cloud, they get un-encrypted before upload.

This means that if you back up your chats, they’re backed up unencrypted, along with the images.


When you give WhatsApp access to your contacts, you are directly giving Facebook (because WhatsApp is owned by Facebook) a list of names, their phone numbers, email addresses, physical addresses, and any other data you’ve entered into your phone’s contacts.

Unfortunately, if you deny WhatsApp access to your contacts, you get your conversations displayed with a phone number, rather than a name, which is rather inconvenient.

Currently, there isn’t really a way around this, apart from deleting excess data from your phone’s contacts. This is mostly just so you're aware.


Whilst one-to-one chats are encrypted, group chats are not.

Everything said in a WhatsApp group chat has the same level of privacy and security that a Facebook message has. Just bear that in mind whilst you discuss your nefarious schemes...


There’s not a huge amount that can be done about WhatsApp. All your own efforts to keep your details private will be undone as soon as someone else links their contacts to WhatsApp. You have to hand it to them, they really got us with this one unfortunately.

Snapchat

Privacy Policy (UK) and Terms of Service (Outside USA)


If the concept of displaying your location publicly to everyone you have on Snapchat doesn’t trigger a privacy-related instinct within you, I suggest reading this website top to bottom, repeatedly, until it does.


Deep breath...

Snapchat collects: Filters used; screenshots; names, time, and frequency, of people you contact; custom stickers; hardware model; operating system; device memory; advertising identifiers; unique application identifiers; apps installed; unique device identifiers; browser type; language; battery level; time zone; accelerometer data; gyroscope data; compass data; microphones; headphone connection; wireless and mobile network connections; mobile phone number; service provider; IP address; signal strength; your location; your precise location (with permission); nearby cell towers;

… but that’s not all.

“If another user uploads their contact list, we may combine information from that user’s contact list with other information we have collected about you.”


Snapchat doesn’t delete all its information; only ‘most messages’ are deleted after they’ve been opened by all recipients, or have expired. Snapchat Stories, however, don't get the same treatment.

Also, if you ever decide to stop using Snapchat, you have to request they delete your account. They will then only delete 'most' of the information they’ve collected about you, after you’ve been inactive 'for a while'.

("for a while" is doing a lot of heavy lifting there, and is very deliberately vague)


Snapchat does NOT encrypt your messages or snapchats, and only deletes 'most' of them after they've expired, or been opened by all recipients.

Generally, this means that they are viewable to anyone with legitimate (or sometimes illegal) access to the data.

D O N T. S E N D. N U D E S


Just to make sure we're all on the same page here: never send a photo with your body and an identifying feature, like your face, in the same photo, unless you seriously trust them - and even then, not a great idea. In general, don’t send anything that would be world-ending if it became public; don’t send nudes through Snapchat! Or Instagram! Or any unencrypted service! (and remember WhatsApp is only truly encrypted when you both have disabled 'Chat Backup') Get naked in person - it's more digitally secure!

Tiktok

Privacy Policy and Terms of Service (Europe)


If you link or sign up using your social network (such as Facebook, Twitter, Instagram, or Google), they collect information about you from these social media services, including your contact lists.

This is a general rule of thumb for most things actually - don't 'link' stuff together, no matter how convenient they might try and make it seem.


Tiktok lists a whole load of uses for your data in their privacy policy, but two things of note stand out in particular:

“We may aggregate or de-identify the information described above. Aggregated or de-identified data is not subject to this Privacy Policy.”

This basically means that they may accumulate data on you from non-Tiktok sources, and that all the data they put into this pile isn’t subject to anything written in the privacy policy. They can do whatever they want with it! It’s unclear whether your Tiktok data also becomes exempt when it gets added to this pile...

“We generally use the information we collect: […] - to inform our algorithms”

I can tell you with absolute certainty that “inform our algorithms” is one hell of a foreboding thing to have in a privacy policy. Seriously. They also don’t describe what those algorithms actually are, what they do, what data they receive, or if they’re even relevant to Tiktok as a company.

Whilst this little caveat isn’t featured in the EU/EEA segment, the part about sharing data ‘within our corporate group’ definitely is, and whether members of the ‘corporate group’ have to adhere to the EU/EEA GDPR-ified version of the privacy policy or not is also unclear.

So in summary, Tiktok can collect an unknown amount of data on you, do whatever they like with it, and use it to 'inform their algorithms'. As privacy policies go, this gets an "F-" at best...


Tiktok is a lot like a packet of crisps: nice while you’re consuming them, but a totally forgettable experience after, and you also feel a little worse off because of it.

(unless they're paprika flavoured pringles, but even then...)

You can read about the adverse psychological effects of services like Tiktok elsewhere; I’m here to tell you that in terms of data privacy, it’s an absolute train wreck.

Everything is recorded, with little oversight, and much of it is used for unknown purposes. If Trump ever did one thing right, it was being skeptical of Tiktok…

You know something's up if even Donald Trump can be vaguely correct about it.


Messages sent via Tiktok are collected and processed, which includes “scanning and analysing” messages as they’re being composed, sent, or received.

(wow, Tiktok is creepy)

Imagine Tiktok as a nosy stranger who keeps looking at your phone whilst you’re texting, except they’ve also got a notebook out, and they’re writing down everything you say. Constantly.


Quoted directly from their Privacy Policy:

"We retain your information for as long as it is necessary to provide you with the service so that we can fulfil our contractual obligations and exercise our rights [...] we retain it only for so long as we have a legitimate business purpose in keeping such data."

Just to make this clear, "so long as we have a legitimate business purpose" means forever. Not even kidding. As a company that makes a huge amount of profit from data they've gathered, your data will never not be a legitimate business purpose. They may as well say "We'll keep your data for as long as we live, even after we lose all popularity, get shut down, and witness the heat-death of the universe."

With a privacy policy like this, your TikTok data may be around for longer than the pyramids...


Please stop using Tiktok. Please stop using Tiktok. Please stop using Tiktok. Please stop using Tiktok. Please stop using Tiktok. Please stop using Tiktok. Please stop using Tiktok. Please stop using Tiktok. Please stop using Tiktok. Please stop using Tiktok. Please stop using Tiktok. Please stop using Tiktok.

Fitness Apps


In 2018, security concerns were raised at 'Bagram Air Base' - the biggest US military facility in Afghanistan.

Security concerns in a huge military base sound pretty average, you'd be worried if there weren't any, but this particular concern was different.

In order to keep fit, many of the soldiers in the base were using the fitness app Strava to track their runs and cycling habits whilst they worked out at the base. What they didn't realise is that the data of exactly where they were running was being uploaded to Strava's global database, displaying a heatmap of its 27 million users and where they were all running...

This meant that you could zoom in, and see the US Soldiers forming a perfect outline of the military base's perimeter, as well as all the main walkways, and areas with frequent foot traffic.

(not such a great idea if you're a top secret military base)

If you start tracking your exercise the moment you leave the house, you're effectively telling the app where you live, since you'll start and finish in the same location.

Start tracking your exercise only after you've left the house and gone a small distance, and stop tracking before you get back. That way, you're not giving away the location of your house to the app, or anyone you share a screenshot with.

(I know a teacher who does this, he starts his runs in a field so his pupils can't tell where he lives - pretty good idea I'd say)
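One way to apply the same idea to a track that has already been recorded, as an added example that is not part of the original page: the JavaScript below drops every GPS point inside a zone around home, then trims a further stretch from each end so the shared track does not start and stop exactly on the zone's edge. The coordinates, function names and distances are constructed for illustration.

```javascript
// Added example: strip the "home" end of a recorded run before sharing it.
// Every coordinate and distance below is constructed sample data.
const EARTH_RADIUS_M = 6371000;

// Great-circle (haversine) distance between two { lat, lon } points, in metres.
function distanceMetres(a, b) {
  const toRad = (deg) => (deg * Math.PI) / 180;
  const dLat = toRad(b.lat - a.lat);
  const dLon = toRad(b.lon - a.lon);
  const h =
    Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(a.lat)) * Math.cos(toRad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_M * Math.asin(Math.sqrt(h));
}

// Drop points from the start of the track until at least `metres` of path
// have been travelled. Returns a new array; empty if the track is too short.
function dropPathDistance(track, metres) {
  if (metres <= 0) return track.slice();
  let travelled = 0;
  for (let i = 1; i < track.length; i++) {
    travelled += distanceMetres(track[i - 1], track[i]);
    if (travelled >= metres) return track.slice(i);
  }
  return [];
}

// Build the version of a track that is safe to share:
//  1. remove every point within radiusM of home (also covers laps that pass
//     the house mid-run);
//  2. trim extra path from both ends. If every shared run began exactly on
//     the zone boundary, a handful of runs would outline a circle with the
//     house at its centre, so the extra amounts should differ per run.
function shareableTrack(track, home, { radiusM, extraStartM = 0, extraEndM = 0 }) {
  const outside = track.filter((p) => distanceMetres(p, home) > radiusM);
  const headTrimmed = dropPathDistance(outside, extraStartM);
  return dropPathDistance(headTrimmed.slice().reverse(), extraEndM).reverse();
}

// Pick a fresh extra trim for each run (rng is injectable for testing).
function randomExtraMetres(maxM, rng = Math.random) {
  return rng() * maxM;
}

// Constructed sample: an out-and-back run heading north from the front door
// in steps of roughly 50 m (0.00045 degrees of latitude), 500 m each way.
const SAMPLE_HOME = { lat: 51.5, lon: -0.1 };
const SAMPLE_TRACK = [];
for (let i = 0; i <= 10; i++) SAMPLE_TRACK.push({ lat: 51.5 + i * 0.00045, lon: -0.1 });
for (let i = 9; i >= 0; i--) SAMPLE_TRACK.push({ lat: 51.5 + i * 0.00045, lon: -0.1 });

const shared = shareableTrack(SAMPLE_TRACK, SAMPLE_HOME, {
  radiusM: 180,
  extraStartM: randomExtraMetres(150),
  extraEndM: randomExtraMetres(150),
});
console.log(`recorded ${SAMPLE_TRACK.length} points, sharing ${shared.length}`);
if (shared.length > 0) {
  const first = Math.round(distanceMetres(shared[0], SAMPLE_HOME));
  const last = Math.round(distanceMetres(shared[shared.length - 1], SAMPLE_HOME));
  console.log(`shared track starts ${first} m and ends ${last} m from home`);
}
```
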


Sharing your exercise habits with friends means you're surrendering health data to both your friends, and the platform you share it on.

At the very least, they'll learn roughly what your fitness level is, your ability to run away from things, and approximately where you live.

(sometimes accurately, see above)

If you're going to share, try and share only the critical bits of info, and maybe leave out the map...


Fitness apps are everywhere, and they're only going to get more omnipresent and more omniscient as time goes on. This makes it extra important that you keep tabs on how much data they're gathering, and how much of it you're sharing.

Google

Privacy Policy and Terms of Service


You can do this here.

Just as a heads up for Android users, this one might get a bit creepy for you: you’ll get to view your full location history (if you have let them track it) as well as your web and app activity (if you have let them track it).

To get the full, horrifying effect, imagine someone who you’d hate to share this data with is looking through every detail, and then imagine what they could figure out from it.

Just a thought experiment for those who enjoy self-inflicted psychological pain.


You can do this here.

I don’t think I need to justify why ‘Turn off and delete Ad Tracking’ is included here, on a website called ‘FlippingPrivacy.com’.

(I was absolutely livid about everyone's poor privacy when I named this, sorry)

Making ads “more useful” is the opposite of what we’re trying to achieve here. Just go and do it.


Chrome is one of the biggest data gathering sources Google has, because everyone and their dog seems to use it.

If Google controls your browser, they can link all the activity within it back to your Google account; if you aren’t logged into your Google account on Chrome, as soon as you log in to a Google service, it’ll know exactly who you are.

"What's the simple solution to this?" I hear you cry. Well, simply use a privacy focussed browser instead, like Safari, or Firefox.

The easiest way to tell if a browser is privacy focussed is to check whether the company that makes it is a huge corporate conglomerate that collects your personal data...


If using a Google-owned browser results in Google linking all your browsing activity to your Google account, just imagine what using a Google-owned computer is like.

Generally, a Chromebook is just a machine to allow you to use Google services, with very few alternatives. General rule of thumb - just avoid them whenever you can.


This will be somewhere in your browser's privacy settings.

Be aware though, the ‘Do Not Track’ requests are just that: a ‘request’. Many sites won’t honour it, and won't change their tracking behaviour as a result of you requesting it.

It’s more like asking each website, very nicely, if they won’t gather data on you for financial purposes.

You can guess how well that usually goes down…


In order to use Google services, you need to agree to their privacy policy and terms of service, which gives them permission to track you. So, and bear with me here because this might get a bit technical:

If you avoid using them, they track you less.


Every time you google something, (which in theory, should be fairly frequently) you give away your approximate location to Google. This means that millions of people are going about their daily business each day, periodically updating Google as to their current whereabouts.

In this way, Google is like an overprotective spouse, or a really creepy friend using Snapmaps, and they can keep ahold of your searches for up to two years after you’ve made them.

‘The big G’ is also tracking you based on your cookies (what they are is explained below), as well as your IP address, and verifying you by ‘fingerprinting’ your device based on its characteristics, like the software platform and screen resolution. All in all, Google Search is quite a bad egg. An incredibly useful bad egg, but a bad one nonetheless.

‘DuckDuckGo’ is the alternative service commonly recommended in this scenario. DuckDuckGo is just like Google, but privacy focussed, and doesn’t track you around the internet.

(Ecosia, the 'tree planting search engine', whilst seeming green and friendly, simply uses the ad revenue to help plant trees, so it’s not at all private, and if anything, has a stronger incentive to track you.)

Turning to ‘the duck side’ may take some small adjustments though, mainly, getting more specific with your googling.

If you’ve spent years searching for things like “pictures of uncle Robert” and been relying on Google knowing exactly who you mean, that won’t work anymore. Treat DuckDuckGo like you’re asking a stranger a question, rather than a slightly too knowledgeable intimate friend.

To start using another search engine properly, set it as your default search engine on both your phone and your other devices. That way, whenever you’re tapping away at your keyboard typing things into the bar at the top (Google tracks this too, even if you don’t hit enter), it’s searching using your new search engine, rather than Google.


Alphabet, Google’s parent company, decided to take “Do the right thing” as their brand new company motto in 2015, which is a slightly better replacement for their former motto: “Don’t be evil”. I’m not even kidding. “Don’t be evil” used to be Google’s company motto before some bright and upcoming spark realised how that might reflect on them, and they immediately downgraded the phrase to be the first line of their code of conduct instead…

Amazon

Privacy Policy, Usage of Information (Alexa), and Privacy Policy (Ring, [Amazon owned])


This is a very short, but very broad rabbit hole to go down, because there are many, many, types of Amazon’s smart-home, Alexa-connected devices:

Headphones; earphones; watches; PCs; laptops; TVs; smart-speakers; table-lamps; sound bars; children’s toy robot; baby monitors; landline phones; mobile phones; car consoles; toothbrush; thermostats; smoke detector; carbon-monoxide detector; light switches; light bulbs; microwaves; wifi routers; home security hubs; intercoms; doorbell; exterior cameras; interior cameras; and home security drones

(seriously, voice controlled security drones...)

You may be wondering, “why on earth have they forced their ‘voice-controlled cloud service’ into so many products” and also “wait what Amazon make an Alexa Microwave!?” and the answers to both are “data” and “yes, for data” respectively.

In return for letting all these microphone and camera enabled devices into your homes; cars; bedrooms; and ceiling mounted light fixtures; so they can deliver a conglomerate’s ‘voice-controlled cloud service’, you get the minor convenience of standing a few meters away from a device as it does something, after it uploads your voice data into the cloud for analysis.

Alexa constantly listens for its 'wake word' (aka: "ALEXA"), and all commands (or just any noise that it thinks is its wake word) are uploaded to the cloud, analysed, and associated with your Amazon ID, which includes your full name, address, bank details, and online shopping habits.

In all, these microphone-controlled speakers and camera-enabled doorbells can record a rather large amount of data about you for Amazon (some going so far as to “perform analytics including market and consumer research [...] [and to] operate, evaluate, develop, manage and improve our business”), and very effectively turn your private spaces into public ones.


Amazon can take a surprisingly good guess at your income level based on where you live, and use this information, as well as your shopping habits, to sell you as many products as it can.

They know where you live because you entered your full house address when you got something delivered, and they know your shopping habits because they track and log every page and product that you click on, look at, and scroll past.

As with any service, using it less can be the single most effective way to stop it gathering data about us.


You can view your recorded voice data through the Alexa Privacy Settings.

Amazon will keep ahold of your voice data, and a written transcript of what was said, in order to improve its voice recognition. Even if you enable 'instant auto-deletion' for your voice recordings, the transcript is kept for 30 days after the request is made, and the content of that interaction (what happened) is still kept in Amazon's servers.


Your Kindle logs the exact time and date for each and every tap, exactly what you tapped on, what books you read, and your reading sessions for each e-book (timed to the millisecond).

(this one really upsets me actually, more so than any other Amazon-related privacy issue, because it means that not even my book is a sacred space anymore.)

But have no fear, for I have concocted a devious work-around: by downloading the books you want to read, in advance, and then putting your Kindle into offline mode, it will stop your reading habits being uploaded to the cloud instantly as you tap things.

The caveat is, to prevent this data from being instantly uploaded the moment you re-connect to the internet to find your next book, you have to factory reset your Kindle and erase all the data on it, before booting it back up again, re-signing in, and finding a new selection of books to read offline.

A pain, I know, but this is what happens when no one fights back against this privacy stuff...


Calling/Texting via Alexa causes periodic imports of your contacts, and then analysis of your message content to turn it into text.

This means that full names, phone numbers, addresses, birthdays, and other contact details of everyone in your phone are uploaded to Amazon, and associated with your Amazon ID.

If you want to opt out of this after opting in - you have to ring up customer services.


“We keep your personal information to enable your continued use of Amazon Services, for as long as it is required in order to fulfil the relevant purposes described in this Privacy Notice”

This doesn’t mean any times are given elsewhere in the policy; it means “just read a bit of the policy - we’ll keep that data for as long as it takes in order to do some things vaguely related to that”.


Amazon has literally made so much money through advertising and selling people stuff that the CEO started a space program for want of something to do with all the excess money, and that quite frankly, is a major financial flex on everyone.

Most Websites


This started appearing because of GDPR.

Whenever you visit a website, you’ll likely get a pop up that asks you about agreeing to ‘privacy policies’; ‘data collection’; ‘partners’; ‘legitimate interest’; and such.

It is ABSOLUTELY CRITICAL that you don’t just hit “Accept all” and continue on, because you’re giving the website, and all of its trackers, permission to dive right on in.

The reason for the constant, omnipresent annoyance is the EU’s GDPR laws. Beforehand, websites could do this all without your consent. Now, they have to ask permission first, and in order to make you click yes, they make answering the question very, very arduous, and infuriatingly time consuming, unless the answer is “yes”.

What you need to do is make sure everything is disabled. Whenever you see a ‘reject’ button - hit it. Look through each tab (privacy, partners, legitimate interest, etc) and hit ‘reject all’ for each. Not all of them will be off by default due to a few loopholes in the GDPR laws, so you have to make sure you do it each time, every time you visit a new website.

After swiping left on all those privacy-invading options, you’ll likely be met with some mislabelled buttons. You might see a big green one that says “Accept”, or “Continue”, but it’s a trap.

The one you actually want to press is likely labelled “Save Preferences” or something else that roughly means “Continue using the preferences I’ve set”.

If you accidentally hit the larger, brightly coloured “accept” button by instinct - it’s game over, and you’ll have accepted all the trackers by default again.

F.Y.I. You might also see some sneaky inverted logic too like “Press OFF to opt-out of our ‘we won’t track you’ settings”. They're especially hard to spot, so be careful with those.


Think of them like a passport stamp.

When you visit a website, the website can optionally store some data on your computer to show that you've been here before.

That’s a cookie.

A website might store your username as a cookie, so that when you go to a different page on the website, it can check the cookie and see that it’s still you, and load the website appropriately.

When you visit a site, it checks to see if you have any cookies from them already, so it can adjust the site appropriately.

This system, however, is also how you get tracked across the web. Showing whether or not you’ve been somewhere before is the exact same concept as being flagged.

A cookie can only be seen by the website that created it, so many websites use a third party site, embedded in, that flags you with details about what you were doing (eg: stuff you were looking at, what time, how long etc), and then when you visit a different site that also embeds the same third party site, it can check you to see if it flagged you at any previous site it was embedded in.

Now, remember, that Google, Amazon, and Facebook, all offer this service - so the likelihood you’ll bump into one of them when browsing around the web is quite high.

The other approach people take is just to stuff as many trackers into their site as they can, sometimes hundreds, with the hope that one of them will have seen you before at some point.

This allows your web habits to be tracked from site to site. It’s a bit like being the bad guy on 'Crime Watch' and everyone’s ringing in to say where they’ve seen you before.
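Here is the passport-stamp mechanism as a small simulation, added as an illustration and not part of the original page. The domains, class names and visitor IDs are all made up for the example; it models one browser visiting three sites that embed the same third party, with and without third-party cookies blocked.

```python
from collections import defaultdict


class Site:
    """A website you visit directly; `embeds` lists third parties it loads."""

    def __init__(self, domain, embeds=()):
        self.domain = domain
        self.embeds = list(embeds)

    def handle(self, cookie, page_site):
        # First-party use: remember a returning visitor.
        return cookie or "been-here-before"


class Tracker(Site):
    """A third party embedded in many sites. It files every sighting under
    the ID stored in its own cookie."""

    def __init__(self, domain):
        super().__init__(domain)
        self.profiles = defaultdict(list)   # visitor ID -> sites seen on
        self._issued = 0

    def handle(self, cookie, page_site):
        if cookie is None:                  # no stamp yet: issue a new ID
            self._issued += 1
            cookie = f"visitor-{self._issued}"
        self.profiles[cookie].append(page_site)
        return cookie


class Browser:
    """Cookie jar keyed by domain: a cookie only goes back to its creator."""

    def __init__(self, block_third_party=False):
        self.jar = {}
        self.block_third_party = block_third_party

    def _request(self, server, page_site):
        blocked = self.block_third_party and server.domain != page_site
        cookie = None if blocked else self.jar.get(server.domain)
        reply = server.handle(cookie, page_site)
        if not blocked:
            self.jar[server.domain] = reply

    def visit(self, site):
        self._request(site, site.domain)    # the page itself
        for third_party in site.embeds:     # everything it embeds
            self._request(third_party, site.domain)


def browse(block_third_party):
    """Visit three unrelated sites and return what the tracker learned."""
    tracker = Tracker("tracker.example")
    browser = Browser(block_third_party)
    for domain in ("news.example", "shoes.example", "health.example"):
        browser.visit(Site(domain, embeds=[tracker]))
    return dict(tracker.profiles)


if __name__ == "__main__":
    print("default:", browse(False))
    print("third-party cookies blocked:", browse(True))
```

By default the tracker ends up with one visitor linked to all three sites; with third-party cookies blocked it still sees each visit, but as three strangers it can't join together by cookie.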


Encryption basically means that something is safe and secure when it’s being sent around the place.

If a text message is encrypted, such as on iMessage or one-to-one WhatsApp messages, it means that the text can’t be intercepted, read, or modified on its way to the recipient. Think of it like a letter that only unlocks once it goes through your front door.

You can take this one step further too, with end-to-end encryption, which means the thing is safe from the moment it leaves your device, until the moment it enters the other device. This is even more secure because it means that not even the thing that is handling your message can have a peek before it mails it off. Think of it like a letter that stays locked, right up until it’s literally in your hands as you open it.

With a website, an encrypted connection is marked with the little padlock in the bar at the top (as well as the letters ‘HTTPS’). This means that whilst everyone can know which website you’re connecting to, they can’t see what you’re doing on the site. Hurrah for security!


From personal experience, I can tell you that when your influencer housemate posts a load of photos that feature you, to their public account which anyone can view, it’s very frustrating if you’ve been trying to keep a low profile.

This comes under ‘digital good manners’ as much as it does privacy, but get into the habit of asking someone before you post a photo that includes them, otherwise, they have no control over where their face is being posted and who can see it.


Bear with me on this one...

If you had a housemate that really, really likes bananas, and you come into a room, only to find it strewn with more banana skins than a game of Mario Kart, you’ll probably have a good idea of which housemate was in this room last.

That is the concept behind de-anonymising data.

There was nothing that told you their name, what they looked like, or anything identifying about them, but you still knew exactly who it was based on the quite frankly abhorrent amount of banana skins.

(your housemate might want to see someone about that)

The same concept applies to data. You can infer who created the data just from various bits and pieces you find within the data. So when a company assures you that they ‘anonymise’ the data before they share it, know that it can still potentially be tracked back to you.

(remarkably, TikTok actually admit they do this in their own privacy policy)
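To see why stripping names isn't enough, here is a check you can run on a dataset before it gets shared, added as an illustration and not part of the original page. The records, postcodes and column names are constructed for the example; it counts how many people are the only one with their combination of ordinary-looking details, then shows what coarsening those details does.

```python
from collections import Counter

# Constructed sample: an "anonymised" export with the names removed.
RECORDS = [
    {"postcode": "ZZ1 2AB", "birth_year": 1994, "gender": "F", "bought": "running shoes"},
    {"postcode": "ZZ1 3QT", "birth_year": 1996, "gender": "F", "bought": "fennel"},
    {"postcode": "ZZ1 4XY", "birth_year": 1992, "gender": "F", "bought": "vitamins"},
    {"postcode": "ZZ2 8BU", "birth_year": 1991, "gender": "M", "bought": "bananas"},
    {"postcode": "ZZ2 9JT", "birth_year": 1991, "gender": "M", "bought": "betting voucher"},
    {"postcode": "ZZ2 9JT", "birth_year": 1993, "gender": "M", "bought": "protein powder"},
]

# Details that aren't a name, but that other people or datasets know about you.
QUASI_IDENTIFIERS = ("postcode", "birth_year", "gender")


def group_sizes(records, fields=QUASI_IDENTIFIERS):
    """Count how many records share each combination of quasi-identifiers."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def k_anonymity(records, fields=QUASI_IDENTIFIERS):
    """Size of the smallest group. k = 1 means at least one person is unique."""
    return min(group_sizes(records, fields).values())


def unique_records(records, fields=QUASI_IDENTIFIERS):
    """Records that can be singled out by anyone who knows those details."""
    sizes = group_sizes(records, fields)
    return [r for r in records if sizes[tuple(r[f] for f in fields)] == 1]


def generalise(record):
    """Coarsen the details: postcode district only, birth year to the decade."""
    out = dict(record)
    out["postcode"] = record["postcode"].split()[0]
    out["birth_year"] = record["birth_year"] // 10 * 10
    return out


if __name__ == "__main__":
    print("as exported: k =", k_anonymity(RECORDS),
          "| unique people:", len(unique_records(RECORDS)))
    coarse = [generalise(r) for r in RECORDS]
    print("generalised: k =", k_anonymity(coarse),
          "| unique people:", len(unique_records(coarse)))
```

Even after coarsening, the check only covers the columns you list: a distinctive value in the data itself (the banana skins) can still point at one person.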


A VPN basically hides your web traffic by getting someone else to do the googling for you. By getting someone else to go around the web for you, handing back the results as they go, your personal association with the web searches is mostly eliminated.

Sounds too good to be true right? Well, sorta. For one, this method is a bit slower since everything has got to go through a middle person, but also, the middle person might betray you...

See, if the middle person is secretly taking notes of everything you’re asking them to google, they can then sell on your activity themselves and get the money for it first.

Rule of thumb, if it’s free, they’re making money some other way, so if a VPN is free - avoid it like the plague.


The easiest way to not give up your data is simply by not joining in the first place. It seems pretty obvious, in fact, it seems incredibly obvious, but not signing up to a service results in that service not having your sign up details.

In the same way a criminal doesn’t go around introducing themselves to all the local policemen, you probably shouldn’t go around introducing yourself to all the tracking websites, if you can avoid it.


When it comes to privacy, if you’re paying for something, usually you’re getting a better deal.

When you use something for free online, you’re incentivising them to make money in other ways - since it’s not coming from your pocket.

This is the basic principle behind why free services have Ads, and paid services often offer an ‘ad-free experience’


Browser Extensions, Plugins, and Addons, make up the holy trinity of the wild west in the privacy world.

Think of it a bit like letting someone sit in on your gossip sessions or top secret business meeting. Yes, they probably won’t go off and tell everyone afterwards, but it’s safer not to invite them in at all.

(one particular example comes to mind, a certain browser extension that automatically searches for coupon codes when buying things online. Now, why would a browser extension want permission to log everything that you buy online so it can ‘search for coupons’…)

Some extensions can be great, and do some genuinely useful things, but it's nearly impossible to quickly tell if there's something else going on in the shadows.


Credit cards are one of the easiest ways to identify someone, as they’re (hopefully) unique to each of us. Use your card in one location, and the data can follow you over to the next. They know who you are because of the card you pay with.


Whenever you set a preference on a web page, like preferred zoom level or whether downloads are enabled, your browser will make a note of the website, and the preferences you set for it.

This means, if you delete your browsing history, some of the websites will still be listed elsewhere because they have preferences attached to them.

If you want to wipe your browsing history (for perfectly innocent purposes I’m sure) then make sure you clear your website preferences too.


There’s a very sneaky difference between the two, and many websites will default to directing you towards the latter.

This is because deleting your account requires the removal of your personal data as well as the user profile they’ve built up of you, whereas deactivating an account simply does nothing, other than stop you being able to access it.

So what’s with the ‘deactivation’? Well, if your account is deactivated, it’s a bit like giving them the keys and exclaiming “meh, you keep it” as you walk away. A deactivated account allows them to keep ahold of all the data under the guise of letting you come crying back to them at a later date (a.k.a just reactivating your account).

Bear in mind though, not all data disappears straight away when you delete an account, but it’s certainly better than leaving all the data lying around after you’re done with it.


The internet is probably here to stay (what an outlandish statement). So in about 10 years of being on the internet, think of how many accounts you’ve created in that time.

A good way is to look at your browser’s autofill passwords, and look at all the websites you have accounts for. They’re probably from around the last 5 years or so, so imagine how many accounts you might have in another 5 years’ time.

All this is leaving a digital shadow, showing exactly where you were on the internet, and what places you used to frequent regularly.

Now obviously it’s hard to know for certain when you’ll stop using something, but if you reckon it's on the way out, go ahead and delete (not deactivate) your account.


Sharing things on social media via a website’s social media buttons links that content to your social media account, and also allows those buttons to track you around the web.

In the same way that websites embed other websites to track you using cookies, websites that embed social media into their site also allow the social media to track you around the internet.

If you want to share something, just copy the url from the bar at the top and paste it into whatever you’re sharing. It’s a much more secure way of sharing content.

Oh, and also, if you’re going to share content on social media, READ IT FIRST, THEN QUESTION ITS AUTHENTICITY.


Signing into a service using social media will link that service to your social media account, helping build a bridge between two unrelated parts of your online activity.


It's honestly exhausting being on the web in today's world. The struggle to stay private is definitely real, but trust me that in the future you'll definitely be glad you did. The consequences will range from 'kinda annoying' to 'completely black-mirror'.

Physical Shopping


The terms of service for loyalty cards (think Club Cards, Nectar Cards, Starbucks cards etc) allow a vendor to take a record of the sale, along with a record of what was bought, and when, and then associate it with your name and address.

In return for giving them all this data, you'll get about £0.01 off your next purchase.

Repeated purchases then allow vendors to know your buying habits, and how far you'll travel to buy something. The vendor can then advertise or discount items accordingly.

(whilst discounts might sound like a good thing, if they know you’ll always buy something regardless of price, they actually might stop giving you a discount for it)


Giving a shop your email so they can email you a receipt is an easy way for a vendor to start gathering data on you, as it gives them an identifier to associate your data with.


Physical shops only tend to start gathering data from you when you give it to them, through their apps, email receipts, or loyalty systems. This means it should be very obvious when you’re surrendering personal data to them.

What could possibly happen?


Right, so we've been through the things you can do right now, let's now look at the lesser known things that could happen if you don't.


In 2016, the ACLU (American Civil Liberties Union) found over 500 police organisations had signed up for a service called ‘Geofeedia’, which scraped social media data to help officers look for users in a specific location or attending any specific protest.


Facebook offered advertisers 1.5 million people “whose activity on Facebook suggests that they’re more likely to engage with/distribute liberal political content”

The now-infamous voter profiling company ‘Cambridge Analytica’ got ahold of 87,000,000 (87M) Facebook users’ data.

One marketing service called 'Lookalike Audiences' went beyond the familiar Facebook programs allowing advertisers to target people by their ages or likes. The ‘Lookalike Audience’ feature allows marketers to examine their existing customers or voters for certain propensities — like big spending — and have Facebook find other users with similar tendencies.


We already have health insurance providers that give a discounted Apple Watch along with a discounted rate for coverage, providing you provide them a copy of your fitness data, but it can get less implicit too:

Buying workout gear online once, but never again, might imply that you’re not using it, and therefore never needing to replace it.

Your supermarket’s loyalty card might indicate you have an unhealthy diet, or your diet doesn’t meet certain specifications to be deemed ‘low risk’ by the healthcare provider.

An app that shares your runs with your Facebook friends might indicate that you’re running too much, and are at statistically greater risk of sustaining injury.

All this data could be used by a healthcare provider to limit or deny coverage, and all are caused by surrendering personal data, either to claim discounts, or by openly using social media.


According to one specific insurance provider, regularly purchasing fresh fennel at the supermarket flags shoppers as a ‘proud homeowner’ type, and therefore a low risk customer, enabling the provider to offer them better insurance. This system works both ways, enabling you to be flagged as a high risk customer too.


It’s no secret that people have lost work due to their Twitter or Facebook history, and it’s also no secret that employers may search you up on Instagram before agreeing to a second interview. If elements of your digital shadow become available for sale, it might be in a company’s interest to purchase a copy and use it in the interview process.


Knowing where you live allows companies like Amazon to take a rather good guess at your current income level. This would theoretically enable them to pinpoint your salary bracket, and how much to pay you.


If you’ve previously had issues with gambling, or are particularly susceptible to it, being flagged as such would target you for gambling based products and services.


The data you produce forms your digital shadow, which is a product that can be bought, sold, or stolen. How you think, and what beliefs you hold, are open for purchase. This can be used not only to sell you things, but to influence your world view.


If you’re flagged as receptive to a certain kind of marketing or political view, this can be exploited by people who wish to convince you. With people on the internet creating huge digital shadows, this can be performed on a worldwide scale.


Oh man, this one gets really sinister, really quickly.

Imagine your Uber score, or Depop sellers rating, but for everything you do and everything you interact with.

China is in the middle stages of implementing a social credit system, which judges citizens’ behaviour and trustworthiness through offences like jaywalking, not paying bills on time, and playing music too loud on the train. All of these could result in losing certain rights, like being able to book a flight or train ticket.

These systems likely wouldn’t be mandated upon you, rather, they’d probably include incentives for participating, and disincentives for not participating. Which would effectively force people into the scheme, just on a logical basis.

Similar to how companies force users to agree to a privacy policy before using their service, they could easily start requiring users to have a social rating, forcing many people to get one.

(dating site 'Baihe' teamed up with one social credit service to allow users to match based on their social score, which might be one of the single most pretentious things I've ever seen in a dating service)

In Rongcheng, China, all residents start with 1000 points, and authorities make deductions for bad behaviour like traffic violations, and add points for good behaviour like donating to charity. There’s a problem here though, since wealthier people could donate a set amount each year to make up for any bad behaviour reflected in their score, whereas poorer people wouldn’t have such luxury.

Being penalised in a social credit scheme would also create a snowball effect. Simply running a red light would result in a fine, but now, also a lower score, which could result in getting a privilege removed, which would force you to make further changes to your lifestyle, all on what could feasibly have been an accident.

(Mareike Ohlberg, research associate at the Mercator Institute for China Studies, noted this, explaining that a few bad marks on a social credit record could easily spark a negative spiral.)

Playing video games for too long (which is a statistic recorded by ‘Sesame Credit’, a Social Credit provider) could result in being deemed ‘unproductive’ and denied or limited economic or social support and care.

It also, as an aside, becomes very easy to tie political power to social and economic development.

A quote from a Wired article about China’s forthcoming social credit system:

“Liu Hu is a journalist in China, writing about censorship and government corruption. Because of his work, Liu has been arrested and fined — and blacklisted. Liu found he was named on a List of Dishonest Persons Subject to Enforcement by the Supreme People's Court as "not qualified" to buy a plane ticket, and banned from travelling some train lines, buying property, or taking out a loan.”

"What's really scary is there's nothing you can do about it. You can report to no one. You are stuck in the middle of nowhere."


You might be thinking "we’d never let that happen", but we already have health insurance that gives you a discounted Apple Watch providing they get a copy of the data. We already have a taxi service that refuses you if your rating falls below a certain threshold. We already have numerous online marketplaces that direct people not to purchase from you if your ratings are too low. It doesn’t hit you all at once, the cracks slowly erode over time. Each step a slight increase on the last, so nothing ever seems like an outrageous breach of privacy.


The only way to stop these cracks in privacy eroding over time, is to draw a clear line and push towards it as hard as possible, and the only clear line you can feasibly draw is one pushing for absolute privacy, and nothing less.