Privacy Enhancing Technologies, or PETs for short, is an umbrella term for a wide range of technologies and tools designed to protect our privacy online. You may not realize it, but you probably already use PETs on a daily basis. Some common examples [1] include
- HTTPS, securing connections between you and websites
- End-to-end encryption, ensuring only you and the recipient can read your messages
- VPNs, adding additional layers of security to your internet connection
Even today, PETs are crucial for protecting our privacy – while data protection laws have arguably caught up to the realities of Big Tech and the data economy, their enforcement often falls short. For example, websites illegally tracking users remains a widespread issue, because most users do not even realize that their rights are being violated [2]. Moreover, companies have also been accused of using a practice known as “dark patterns” to trick users into giving consent to data collection [3].
Even in cases where the data collection is technically legal, based on the supposed “informed” consent of the user, it seems doubtful that they are fully aware of the way their data is used. Privacy policies are often designed to protect the company, not the user [4], and the global data market is highly obscure.
Data Collection
This vast amount of data, regardless of whether it was obtained legally or not, often finds its way onto the global data market, where our data is nothing but a commodity to be bundled, repackaged, and sold [5]. There are cases where data brokers gave away portions of this data for free as a way to wet the appetite of potential buyers, just like a supermarket offers free samples to their customers [6]. Although the data peddled on these platforms is supposedly anonymized, it has been repeatedly shown that deanonymizing this information is possible [6,7].
Confronted with this mix of bad-faith actors, a non-transparent data economy, and poorly enforced data-protection laws, relying on a technological solution to this societal problem is unfortunately still our best way of protecting our privacy online. PETs either limit or block the widespread collection of user data on the Internet, or they provide alternatives to overly intrusive services.
User data can be collected either explicitly, implicitly, or through third-party APIs [8].
Data that is collected explicitly is any data that the user directly provides to the site or service, such as their billing address when ordering online.
Implicitly collected data is most often collected through tracking technologies. Cookies are an example of such a tracking technology. Originally conceived to log in to sites or to keep track of the content of your shopping cart, cookies are often abused to silently amass data about your browsing habits. Another example is browser fingerprinting, where a third party, such as a website, creates a unique identifier by analyzing your browser’s configuration. Even if you didn’t create an account, websites can use browser fingerprinting to track you when you visit them again.
As understanding these tracking technologies demands a certain level of technological literacy, most users often see only the effect, such as being followed across the web by an ad, but they remain in the dark about the reason.
Third-party APIs collect data when a website includes third-party services such as Google Maps. While it’s similar to usage data, the key difference is that the collected data goes to the provider of the third-party API instead of the website or service you use.
Using PETs to Preserve Privacy
Beyond the examples pointed out at the outset of this piece, how can you maximize your usage of PETs while minimizing the friction with your online life? Practically, this means choosing which data to keep private and which data you feel comfortable sharing with a given provider.
Here are a few scenarios to give you an idea when to use PETs:
Example 1: Sharing photos
You might use social media platforms like Facebook or Instagram to share your photos with friends and family. However, be aware that these services use publicly visible photos to train their AI image-synthesis model [9]. Although private photos are currently excluded, and Switzerland and the EU are currently exempt from this policy [10], there is no guarantee that this will remain so in the future.
If you value both your privacy and the privacy of the persons in your photos, you can opt for alternative ways to share them, such as an end-to-end encrypted messaging app like Signal.
Example 2: Browsing the web
Although seemingly harmless, targeted ads can be harmful, such as gambling ads being shown to people suffering from a gambling addiction [11]. Furthermore, though it is common to joke about skeletons in our digital closets (a.k.a. browser history), accusations of illegal abortions, based on search history are troubling [12]. If you use a browser that allows for multiple profiles, such as Firefox, consider setting up a profile with privacy-friendly settings and privacy-preserving plugins for sensitive searches and tasks, such as those related to health care, online banking, or shopping.
Example 3: E-Mails
Although messenger apps are convenient for your day-to-day communications, e-mails often handle more sensitive communications, such as those with your lawyer or financial advisor. Some e-mail providers scrape your e-mails to train artificial intelligence (AI) algorithms for their products, such as Gmail’s “Smart Compose” [13]. A significant concern with this practice is that these algorithms have a tendency to memorize their training data, potentially leading to the leakage of your personal information to third parties. If you frequently send or receive sensitive information in your e-mails, consider choosing an alternative e-mail provider that does not engage in such practices, for example Proton Mail.
Trade-Offs when Using PETs
The examples above illustrate when to use PETs, but it is equally important to consider when they might not be appropriate or even harmful. When deciding on what PETs to use, you should take into account the following:
- the potential effect on functionality
- the level of technical expertise required
- the time and effort to set them up.
When adopting PETs, it is important to be aware that they can come with certain limitations or trade-offs in terms of functionality. For example, some browser plugins can prevent websites from loading properly, requiring you to temporarily disable the tool or whitelist the site to access its content. Similarly, alternative services can offer fewer features or a more streamlined user experience compared to their mainstream counterparts. Another example is the relevance of search results, as alternative search engines such as DuckDuckGo do not take into account your personal data – as a result, the results are more generic.
A common criticism of PETs is that they are challenging for less technical users to use effectively. For instance, what is the difference between blocking 1st site scripts vs. 3rd party content? Some popular PETs, such as Privacy Badger, have addressed this with simplified user interfaces, but this can come at the cost of reduced functionality. Choose PETs that are adapted to your level of technical literacy to make sure that you will use it regularly and not turn it off when there is too much friction. Practically, this means choosing a PET whose user interface you feel comfortable with and that you can configure on your own, without having to rely on somebody else to help you set it up.
It is crucial, however, to understand that using PETs without proper caution, as with any third party software, can potentially do more harm than good. For example, malicious ad-blockers have been known to hijack their users’ social media accounts, and fake or outdated browser plugins can expose you to security threats [14,15]. VPNs, for instance, are in a unique position to capture your network traffic – and there have been cases of VPNs spying on their users [16]! Always research the PETs you use to make sure that they are developed and actively maintained by a trustworthy party.
By carefully considering factors, such as the sensitivity of the data, your technical know-how and your needs in terms of functionality, you should be able to strike the right balance between your privacy and your other needs.
Your PETs for X-mas
Are you curious about which PETs can help you take charge of your digital footprint? Here’s a quick overview to get you started.
Popular alternative e-mail providers are for example Proton Mail and Posteo. Choose a provider that offers encryption or at least stores data in a country with strong privacy laws.
The same rule applies for alternative messaging services, such as Signal or Matrix.
To cover your tracks when surfing the web, use a privacy-oriented browser such as Firefox equipped with plugins such as Cookie AutoDelete and Privacy Badger and opt for privacy-friendly services such as DuckDuckGo for search.
Once you make your choice verify your browsing privacy with EFF’s Cover Your Tracks!
Last but not least, visit our newly updated web page on PETs!
Links
[1] https://en.wikipedia.org/wiki/Privacy-enhancing_technologies
[2] https://www.wired.com/story/webxray-online-privacy-violations/
[3] https://www.theregister.com/2024/06/13/noyb_gdpr_privacy_sandbox/
[4] https://www.nytimes.com/interactive/2019/06/12/opinion/facebook-google-privacy-policies.html
[5] https://netzpolitik.org/2023/eu-country-comparison-how-data-brokers-are-screening-us/
[6] https://netzpolitik.org/2024/berliner-unternehmen-datenhaendler-verticken-handy-standorte-von-eu-buergerinnen/
[7] https://netzpolitik.org/2024/data-broker-files-how-data-brokers-sell-our-location-data-and-jeopardise-national-security/
[8] https://www.digitalocean.com/community/tutorials/user-data-collection-balancing-business-needs-and-user-privacy
[9] https://arstechnica.com/information-technology/2023/12/metas-new-ai-image-generator-was-trained-on-1-1-billion-instagram-and-facebook-photos/
[10] https://www.edoeb.admin.ch/edoeb/en/home/kurzmeldungen/km2024/21062024-meta.html
[11] https://www.fastcompany.com/90656170/targeted-ads-arent-just-annoying-they-can-be-harmful-heres-how-to-fight-back
[12] https://www.theverge.com/23185081/abortion-data-privacy-roe-v-wade-dobbs-surveillance-period-tracking
[13] https://www.theguardian.com/technology/2024/sep/27/gmail-meta-x-ai-data-privacy
[14] https://arstechnica.com/information-technology/2020/10/popular-chromium-ad-blockers-caught-stealing-user-data-and-accessing-accounts/
[15] https://arstechnica.com/information-technology/2020/06/chrome-extensions-with-33-million-downloads-slurped-sensitive-user-data/
[16] https://www.techradar.com/computing/cyber-security/facebooks-onavo-vpn-used-to-wiretap-competitor-data-court-filings-reveal