blog: Don Marti


honest answer to a CCPA email

09 October 2022

(When privacy people send an opt-out, RtK, or RtD, you have to acknowledge it. May never see them again, so why waste the opportunity? This is a draft of a letter to include with the response. Might not get this approved as is, though.)

Dear [name],

This attachment does not contain any information specific to you or any legally required information.

Still reading? Good. First of all, I want to wish you well on your privacy quest. I hope that you will return and check out our company someday in the future, when all this corporate surveillance stuff is over.

Sometimes, when you're installing and configuring privacy protection tools, or taking actions like the request you sent to us, it can feel like you're barely making any progress. But each of your individual privacy choices has a bigger impact than just the protection that it provides for you. In the long run, your real impact will be not so much in how you're protected as an individual, but in how you help drive future investments away from surveillance and toward more constructive projects.

Please keep doing what you're doing. You're not just making a better society, you're helping me. If creepy surveillance works less well as a way to reach you, then I won't have to deal with as much creepy surveillance at work. And the less that creepy surveillance matters on the company side, the less risk and work for you. We can help each other out here.

Nobody has time to do every possible privacy tip. From the inside of the corporate surveillance business, I have a pretty good point of view to see what works best. From what I can see, here are some of the steps that you can take that look like they will be most effective over the next year or so.

Remove surveillance apps from your phone. This includes not just the obvious ones (Facebook, Instagram, and WhatsApp are all one company, and we all know about TikTok by now) but also a lot of other apps that have surveillance built in. It's hard to tell which apps are feeding into which data practices, so in general it's best to just keep the number of apps down.

If you know people who are only reachable on a surveillance app, you can't always completely switch away. Some options:

  • Remove the mobile app, but continue using the service from a trustworthy browser.

  • Keep the app but avoid adding new contacts. Add new contacts on Signal.

  • Make a habit of checking Signal before you check surveillance apps, so people learn that it's a better way to reach you.

Check your phone settings. On Apple iOS there are two settings for surveillance ads: one for most companies' ads, and one for Apple's own ads. Don't forget to check both.

  • In Settings, go to Privacy & Security, then Tracking, and make sure Allow Apps to Request to Track is turned off.

  • Also in Settings under Privacy & Security, find Apple Advertising and make sure that Personalized Ads is turned off.

On Android, you can open Settings, go to Privacy, then Ads and select Delete advertising ID.

These settings are only one layer of protection. Both iOS and Android have a lot of apps with other surveillance techniques—so get rid of extra apps when possible. Source: How Mobile Phones Became a Privacy Battleground—and How to Protect Yourself

Turn on Global Privacy Control. This will automate your California do not sell for sites you visit. Still not supported everywhere, but will have more effect as more companies come into compliance and more jurisdictions require companies to support GPC. A lot of companies are still violating the law in the same ways that one major retailer did, but expect GPC to have more effect in the near future. More info on the Global Privacy Control site.

Privacy Badger will turn on Global Privacy Control for you, by default. This will not have much of an impact right away (I'm adding this update in December 2022) but will start to do more and more as more companies come into compliance. (More companies are required to comply with California privacy law than there are people who understand how to comply with California privacy law.)

Delete your info from the largest surveillance firms. Since you sent us a CCPA email, you're probably already working on this, but just in case:

Both California and Vermont have data broker lists, so you can make a copy of the full list and work your way down, or try one of the services that does Right to Delete for you. (A lot of surveillance firms are still not complying with the law, so will contact you even if you use an authorized agent service. For now, if you are good with mail and shell scripting it can sometimes be faster to send Right to Delete mails directly once you get a system going.) The agent services are promising and making progress. Consumer Reports Permission Slip is easy and worth a try. (I worked on the original research and processes leading up to this one.)

Check your browser. This is especially important if you have an ad blocker. Some sources recommend an ad blocker as a privacy tool, but it's not that simple. Many ad blockers are either adware, or contain a paid allow-listing scheme that allows tracking by default. Visit EFF's Cover Your Tracks to run a test.

If you use YouTube a lot, it's probably a bigger surveillance risk than most random sites. Put YouTube in a separate browser profile to limit tracking, or even use it from a different browser. (That's a link to a set of tips that won't just limit tracking—you can also get rid of auto-play and recommended videos to limit the YouTube rat-hole effect.)

On the Google Chrome browser, ad blockers, along with tracking protection tools that work in a similar way to ad blockers, will soon be limited in what they can do. See Ad blockers struggle under Chrome's new rules. If your chosen privacy tools and settings are not going to be supported, you might have to switch browsers. (Browser compatibility has gotten a lot better recently, so if you switched because a site you like was broken on your old browser, please check it again.) Once your browser passes the EFF test (you might have to install Privacy Badger to do it) you are probably good for most purposes. In case you're interested, some helpful privacy extensions include:

  • Cookie AutoDelete. Cleans up cookies after leaving a site. Not for everyone—it does create a little extra work for you by making you log in more often and/or manage the list of sites that can set persistent cookies. But it does let you click agree with less worry since the cookie you agreed to is going to be deleted.

  • Facebook Container because, well, Facebook.

  • Link Cleaner. Get rid of tracking parameters in URLs, and speed up browsing by skipping data collection redirects.

  • NJS. This minimal JavaScript disable/enable button can be a good way to remove some intrusive data collection on sites where the real content works without JavaScript.

  • Personal Blocklist is surprisingly handy for removing domains that are heavy on annoyances and surveillance, but weak on actual information, from search results.

If you do decide to keep Google Chrome, there is a bunch of brouhaha about the impending end of third-party cookies, but you can turn them off today without breaking much, if anything. (Sites already have to support browsers that don't do third-party cookies.) From the Ad Contrarian newsletter:

  1. Open the Chrome browser. Click the three dot thing in the upper right corner.
  2. Click "Settings"
  3. In the left column click "Privacy and security"
  4. Click "Cookies and other site data"
  5. Click "Block third-party cookies"

Google Chrome also has a new in-browser advertising system, confusingly called Privacy Sandbox. Find it at chrome://settings/privacySandbox and turn it off, or find it in Settings. Source: Here's how to opt-out of Google Chrome's Privacy Sandbox (FLoC) trials

Finally, remember to vote. California has the CPRA because people voted for Proposition 24 in 2020. The CPRA isn't perfect, but voting made a difference. While you're voting, please don't eliminate a candidate from consideration just because they're using the big surveillance platforms. They're hard to avoid completely. In today's environment it's generally better to make a little progress than to achieve privacy purity but lose the actual election. Thank you for reading, and see you on the other side of the surveillance mess. We'll get there.
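The Global Privacy Control signal discussed in the letter reaches a site as the request header `Sec-GPC: 1`. The following is an added example, not part of the original letter or any company's code, sketching the receiving side in JavaScript. The function names, tag inventory and session shape are hypothetical, and letting the signal override a stored banner choice is an assumption of the example.

```javascript
// Added example. gpcSignal, tagsToLoad, gpcSupportResource and TAGS are
// hypothetical names, not from any real library.

// True only when the request carries the GPC signal, "Sec-GPC: 1".
// Header names are case-insensitive; any value other than "1" is no signal.
function gpcSignal(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Constructed sample inventory: which page tags count as sale or sharing.
const TAGS = [
  { name: "first-party-analytics", saleOrShare: false },
  { name: "ad-exchange-pixel", saleOrShare: true },
  { name: "social-retargeting", saleOrShare: true },
];

// Decide which tags may load for this request. Assumption of this example:
// the GPC signal is treated as an opt-out even if the session holds an
// earlier "agree" click from a cookie banner.
function tagsToLoad(headers, session) {
  const optedOut = gpcSignal(headers) || session.optedOut === true;
  return TAGS
    .filter((tag) => !(optedOut && tag.saleOrShare))
    .map((tag) => tag.name);
}

// Body for /.well-known/gpc.json, the resource a site publishes to state
// that it honors GPC. lastUpdate is an ISO 8601 date string.
function gpcSupportResource(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Constructed sample requests: one browser with GPC on, one without.
console.log(tagsToLoad({ "Sec-GPC": "1" }, { optedOut: false }));
console.log(tagsToLoad({ "User-Agent": "sample" }, { optedOut: false }));
console.log(gpcSupportResource("2022-12-01"));
```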

notes on chapter 6

I Scanned the Websites I Visit with Blacklight, and It’s Horrifying. Now What? – The Markup

Disconnect Research Featured by Consumer Reports: TikTok Tracks Your Sensitive Web Activity, Even if You Don't Use TikTok

Mozilla reaffirms that Firefox will continue to support current content blockers

Data brokers and scammers team up to target the elderly, vulnerable

A showdown between an ad tech firm and the FTC will test the limits of U.S. privacy law

Facebook Engineers: We Have No Idea Where We Keep All Your Personal Data

A Free Period-Tracking App That Doesn’t Sell Your Data, by Naomi Kresge, Bloomberg

YouTube algorithm pushed election fraud claims to Trump supporters, report says

California Attorney General Announces $1.2 Million CCPA Settlement With Sephora Amid Ongoing Enforcement Sweep

Websites Can Identify If You’re Using iPhone’s New ‘Lockdown’ Mode, by Lorenzo Franceschi-Bicchierai, Motherboard

GPC and the CCPA F.A.Q.