Privacy & Security / Jan 30 2023

7 Online Privacy Myths Debunked

We debunk seven online privacy and security myths that are still misleading users and keeping them at risk.

Awareness and interest in digital privacy and data security has been on the rise in recent years. According to Google Trends, search volume for "data privacy" has never been higher, meaning that more and more people care about protecting their private data online.

That said, there are many myths and misconceptions in the online privacy space that can give people a false sense of security, sometimes even cause unnecessarily careless behaviour. Here are seven privacy and security myths that are ready to be bust!

Myth 1: A commercial VPN protects your privacy

Let's face it - the sponsored recommendation from your favourite YouTuber can be pretty convincing. After all, you want your data to be protected, right?

VPNs, or Virtual Private Networks, are often used to get around location-based content restrictions to do things like watch Netflix shows exclusive to another region. They're also sometimes used to hide browsing data from ISPs when using torrents to download movies or video games.

But it's not just entertainment people are using VPNs for. Often, they're trying to maintain privacy and anonymity for political, investigative, or cybersecurity reasons - whether they're activists protecting their identities from government oppression, white-hat hackers probing security flaws, or investigators and journalists securely sourcing information.

A computer with a VPN connection online.

The VPN basically creates an encrypted, virtual tunnel that conceals all your data transfers. If you need to connect through a public WiFi router when you're at the café or the airport, using a VPN ensures that any hidden hackers that could possibly be preying on you have no way of seeing your connection.

Unfortunately, VPNs are certainly not the privacy panacea they - at least, some of them - claim to be. VPN websites are often full of marketing hype, offering perfect security, military-grade encryption, and zero logging, which should be weighed with a healthy dose of skepticism. Issues public VPNs might have include IP leakage, data retention, and using outdated protocols or insecure encryption. But most importantly, VPN technology was not designed with anonymity in mind, so relying on them exclusively for privacy protection is not a good idea.

To be clear, even if everything technically works, there is just no way for you to verify that a VPN isn't logging your data or sharing it, or that it has appropriate security protocols in place to mitigate potential risk factors and protect their users. VPNs also won't protect you from ad network trackers, since those prefer using browser cookies and fingerprinting as identifiers, both things a VPN cannot block.

In the end, it's all a question of whether or not you have trust in the VPN provider. Unfortunately, commercial VPN providers have been caught selling P2P network bandwidth to third parties before, and several VPNs have experienced hacks, all grave breaches of trust that leave users exposed to significant risk.

As a consumer, it's not easy to rely on online reviews either, since many tech media outlets and blogs participate in affiliate programs offered by VPN providers. It's hard to gauge whether the "best VPN of the year" is actually the best, or if it just offers the best affiliate reward.

The good news is that you can create your own home VPN server on your own hardware or host it with a web hosting provider. Windows and Apple Server both offer built-in ways to host VPNs, or you can install a third-party, open source VPN server like WireGuard. Hosting your VPN server remotely might even turn out to be more affordable than a dedicated VPN provider.

Myth 2: If you are not a public or wealthy person, you are not a target

This one goes hand in hand with the "I've got nothing to hide" mantra that people like to repeat. The idea is that if you're just the regular old Joe or Jane, living your basic old life, nobody will really care enough about you to make the effort of tracking or attacking you online.

Let's quickly dispose of the nothing-to-hide mentality and put it this way: everybody has something to hide, or at least, things they are not willing to show. For example, you probably close the door when you go to the bathroom or take a shower, right? Even if you're a naturist, there are things you'll want to do behind closed doors, if you know what I mean!

You are always at risk of being targeted online, no matter how deep your pockets are.

It's no different online. Just because you're not doing anything weird doesn't mean that you cannot be exploited, and just because you're not wealthy doesn't mean you can't be the victim of ransomware or some other malicious cyberattack.

This is because hackers aren't necessarily after your bank account. They might look for sensitive business documents that can be used for blackmail or sold to a competing business. They could be looking to take control of your computer to perform further malicious attacks like DDoS, or they might want access to your social media accounts to use them to sell likes.

In any case, all of these attack strategies require hackers to cast a wide net and infect as many victims as possible for greatest impact.

Still, some hackers actually may be after your bank account. We might imagine hackers like those in movies - lone actors in hoodies typing up a storm in the dark. Realistically, however, most hacking today is done by immensely powerful computers that can brute force passwords using a range of attack methods, with minimal input from the attackers themselves beyond choosing the target and method.

A film version of a hacker that has nothing to do with real life hackers.

All this is to say that you shouldn't downplay the risk you're exposed to, but instead actively try to minimize it according to your abilities. Do what you can to protect your privacy and data.

Myth 3: Incognito mode lets you browse the internet anonymously

You might be expecting to have complete privacy when using the incognito mode or private browsing feature of your browser, but you would be misled.

To explain why that is, let's look at what these "privacy" browser features actually do: they erase the cookies and browsing history from your incognito session. They also erase any information you might have entered in forms when using this feature.

Incognito mode only protects your privacy within a single device, but you can still be tracked.

However, there are also a number of things the incognito mode will not delete. Any files you download and bookmarks you save will be retained in the browser.

Effectively, all the incognito or private browsing mode does is erase certain activity on your own computer. Your activity could still be visible to any websites you visit, your ISP, and your network administrator, if you're on a school or work network.

There are other, less well-known issues with private browsing, even though they might be obvious once you think about them. You can't use it for anything where you might have to log in to a website or service, since the act of signing in would clearly reveal your identity. And then there's the issue of DNS data storage, which is not usually emptied when the incognito session is closed, so with the right skills and access, someone could still see what websites you visited.

The main issue with incognito mode from a user perspective is also that it could give you a false sense of security and privacy. For example, incognito mode doesn't offer any additional security or encryption, so you're equally at risk of being hacked or spied on through your network connection as if you weren't using incognito. Also, if you were to use private browsing continuously without regularly closing your browser window, your browsing data would continue to be available in the private window as well, which would defeat the purpose of this feature.

Does using private browsing ever make sense? Certainly yes, especially when you're using someone else's device or a shared one. If you're doing something you'd like to keep confidential and hidden from other people around you, like gift shopping or researching medical or legal issues, by all means, go for incognito.

To wrap up, private browsing modes can definitely be useful and can contribute a degree of privacy for users within a certain device. If you know how they work, they can still be an important part of your privacy toolbox - as long as you don't rely on them for protecting your privacy outside of your device.

Myth 4: Offline devices are immune to cyberattacks

Just keep your computer off the internet and nothing bad can happen, right?

Well, no. While it's true that you're closing off an important vector of attack, malware can spread very well using physical data storage as well.

One infamous example of a computer worm that spread through an infected USB flash drive is Stuxnet, which was first uncovered in 2010 and is believed to have caused substantial damage to the nuclear program of Iran.

An infected external device can be used to attack your computer.

Still, air-gapping (keeping computers or storage disconnected from a network) is an important mechanism of protection, and implementing it in your overall privacy and security mix can be a good idea, especially in terms of backup strategies.

At the same time, make sure to quarantine and scan any new-to-you storage devices or media (USBs, CDs, etc.) using anti-malware software to avoid any nasty surprises.

Myth 5: Setting your social media accounts to "private" makes them private

Most social media services give you a selection of privacy and security settings to cater to their users' preferences. Unfortunately, even if you tweat everything for maximum security, there are still ways your personal data can leak out that are often overlooked.

On one hand, there is always a certain amount of profile-related data that will be available to the public. For example, even if your Facebook is configured to favour privacy, things like your name, profile picture, cover photo, gender, username, and user ID are always public. Things like age range and location are also public, although not necessarily displayed, as Facebook uses them to provide context-appropriate content.

There is also public information that can be accessed by anyone using Facebook's APIs, as well as by games, apps and websites that are integrated with Facebook and you have approved permissions for. Generally, the latter means accessing at least your list of friends.

There are many ways your private information can leak because of Facebook.

Why is this relevant? Well, this is exactly the mechanism that was used by Cambridge Analytica to harvest the personal data of 87 million Facebook profiles.

The consulting firm combined data collected by its survey app called This Is Your Digital Life with profile data like News Feed, timeline, and messages (which users gave the app permission to access), and created individual psychographic profiles for the data subjects and those in their friend networks. Cambridge Analytica used this data to run targeted ads for campaigns like the Ted Cruz and Donald Trump presidential campaigns of 2016.

There's one other way Facebook collects your personal data, and you might not even know about it: the Meta Pixel. This tracking tool works whether or not you are logged in to your Facebook account. While the Pixel mostly just tracks users to allow businesses to run retargeting ads (that means showing targeted ads to people who had previously visited their website), conversion tracking events can end up collecting sensitive data you didn't intend to share.

One example why this is relevant is the aftermath of last year's Roe v. Wade decision. Privacy experts have been warning us about the different ways users leave data trails online, and how this data could be used as evidence for prosecuting abortion cases. The Meta Pixel collecting sensitive data, like booked "abortion consultations" at anti-abortion clinics, is just one example - and according to The Markup, there are 120 crisis pregnancy centers, in US states that recently have or are about to ban all or most abortions, that send data about their website visitors to Facebook. Read the article by The Markup for more harrowing details about this.

The Cambridge Analytica data scandal sparked the #DeleteFacebook movement, which has not had an impact on Facebook growth.

While broadly speaking not as egregious as Facebook, there is certain always-public data belonging to profiles elsewhere, for example Twitter, Instagram, or even LinkedIn. All of these companies run on advertising, and you can be sure that all of them track you online. Be mindful of what data you share with third-party apps when you use OAuth to connect with them, too - or, preferably, just use an email address. And an ad-blocker.

Myth 6: The websites you visit use good encryption for your passwords

If there's a lesson in the latest password manager software data breach, it's this: you cannot trust websites. Period.

The responsibility to remain vigilant shouldn't fall only on you, to be sure, but the reality is that nobody can do more than you.

Maintain good password hygiene. This means using a unique password for every online service account. Keep your passwords long and difficult to guess by using a mixture of letters, numbers, and symbols. Read more of our best password-related tips in last year's World Password Day article.

Use strong passwords and take care of your own encryption.

Myth 7: Zero-knowledge encryption cannot fail

Zero-knowledge is a term that refers to the concept of an online service provider having "zero knowledge" of your client-side encrypted data. (It has nothing to do with zero-knowledge proof, but it might have been lifted from the blockchain world by marketers because it sounded cool.) It simply means that the provider, for example a cloud storage service, doesn't receive the encryption key used to encrypt files.

Client-side encryption does offer a higher level of privacy, which is why we created Koofr Vault. It's a near-perfect solution for storing your sensitive data - but all client-side encrypted services have an Achilles heel you need to be mindful of. You.

If you lose the secret key you used to encrypt your data, you can say goodbye to your files. Some providers do offer recovery codes, but if you lose them and can't remember your encryption key, there is just no way to recover your files. So it's really important to keep this data in a secure location.

Did any of these myths surprise you? Got another myth bugging you? Join our community on Reddit and share your thoughts!

Enjoyed this article? Why not check out what we do.

Related tags