
These Popular Chrome Extensions Are Stealing Your AI Chats

9 January 2026 at 14:00

Hackers continue to find ways to sneak malicious extensions into the Chrome web store—this time, the two offenders are impersonating an add-on that allows users to have conversations with ChatGPT and DeepSeek while on other websites and exfiltrating the data to threat actors' servers.

Beware these Chrome extensions

On the surface, the two extensions identified by Ox Security researchers look pretty benign. The first, named "Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI," has a Featured badge and 2.7K ratings with over 600,000 users. "AI Sidebar with Deepseek, ChatGPT, Claude and more" appears verified and has 2.2K ratings with 300,000 users.

However, these add-ons are actually sending AI chatbot conversations and browsing data directly to threat actors' servers. This means that hackers have access to plenty of sensitive information that users share with ChatGPT and DeepSeek as well as URLs from Chrome tabs, search queries, session tokens, user IDs, and authentication data. Any of this can be used to conduct identity theft, phishing campaigns, and even corporate espionage.

Researchers found that the extensions impersonate legitimate Chrome add-ons developed by AITOPIA that add a sidebar to any website with the ability to chat with popular LLMs. The malicious capabilities stem from a request for consent for "anonymous, non-identifiable analytics data." Threat actors are using Lovable, a web development platform, to host privacy policies and infrastructure, obscuring their processes.

Researchers also found that if you uninstalled one of the extensions, the other would open in a new tab in an attempt to trick users into installing that one instead.

How to avoid malicious browser add-ons

If you've added AI-related extensions to Chrome, go to chrome://extensions/ and look for the malicious impersonators. Hit Remove if you find them. As of this writing, the extensions identified by Ox no longer appear in the Chrome Web Store.

As I've written about before, malicious extensions occasionally evade detection and gain approval from browser libraries by posing as legitimate add-ons, even earning "Featured" and "Verified" tags. Some threat actors playing the long game will convert extensions to malware several years after launch. This means you can't blindly trust ratings and reviews, even if they've been accrued over time.

To minimize risk, you should always vet browser extensions carefully (even those that appear legit) for obvious red flags, like misspellings in the description and a large number of positive reviews accumulated in a short time. Head to Google or Reddit to see if anyone has identified the add-on as malicious or found any issues with the developer or source. Make sure you're downloading the right extension—threat actors often try to confuse users with names that appear similar to popular add-ons.

Finally, you should regularly audit your extensions and remove those that aren't essential. Go to chrome://extensions/ to see everything you have installed.
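One way to script the audit described above, as an added example (not from the article or from Ox Security): it flags extension manifests that can read AI chat sites or tab URLs. The manifests and the `SENSITIVE_HOSTS` list are constructed assumptions; real manifests sit in the Chrome profile under `Extensions/<id>/<version>/manifest.json`.

```javascript
// Constructed assumption: the sites whose page content you consider sensitive.
const SENSITIVE_HOSTS = ['chatgpt.com', 'chat.deepseek.com'];
// Real Chrome API permissions that expose URLs, traffic or session data.
const RISKY_API_PERMISSIONS = ['tabs', 'history', 'cookies', 'webRequest', 'scripting'];

// Does a match pattern such as "https://*.example.com/*" cover `host`?
function patternCoversHost(pattern, host) {
  if (pattern === '<all_urls>') return true;
  const m = /^(\*|https?|wss?|ftp|file):\/\/([^/]*)\//.exec(pattern);
  if (!m) return false;
  const patHost = m[2];
  if (patHost === '*') return true;
  if (patHost.startsWith('*.')) {
    const base = patHost.slice(2);
    return host === base || host.endsWith('.' + base);
  }
  return patHost === host;
}

// Returns a list of findings such as "api:tabs" or "host:chatgpt.com".
function auditManifest(manifest) {
  const api = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
  ];
  // Manifest V3 keeps host patterns in host_permissions; V2 mixes them into
  // permissions. Content scripts get page access through their own "matches".
  const hostPatterns = [
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
    ...api.filter((p) => p === '<all_urls>' || p.includes('://')),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  const findings = [];
  for (const p of RISKY_API_PERMISSIONS) {
    if (api.includes(p)) findings.push(`api:${p}`);
  }
  for (const host of SENSITIVE_HOSTS) {
    if (hostPatterns.some((pat) => patternCoversHost(pat, host))) {
      findings.push(`host:${host}`);
    }
  }
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const SAMPLE_MANIFESTS = [
  {
    name: 'Sample AI sidebar',
    manifest_version: 3,
    permissions: ['tabs', 'storage'],
    content_scripts: [{ matches: ['<all_urls>'], js: ['inject.js'] }],
  },
  {
    name: 'Sample colour picker',
    manifest_version: 3,
    permissions: ['activeTab', 'storage'],
  },
  {
    name: 'Sample DeepSeek helper',
    manifest_version: 3,
    permissions: ['storage'],
    host_permissions: ['https://*.deepseek.com/*'],
  },
];

function auditAll(manifests) {
  return manifests.map((m) => ({ name: m.name, findings: auditManifest(m) }));
}

for (const row of auditAll(SAMPLE_MANIFESTS)) {
  console.log(row.name, row.findings.length ? row.findings.join(', ') : 'no findings');
}
```

A finding is a prompt to review, not proof of malice: many legitimate extensions need broad host access, so compare what the extension can reach with what it claims to do.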

How to Choose the Right VPN for You

7 January 2026 at 14:30

There are many good reasons to get a VPN (Virtual Private Network) app installed on your phone or laptop: They make it harder for anyone else to track your browsing, they keep your data safe when you're on public wifi networks, and they even let you spoof your location so you can access geolocation-locked content.

You'll also find plenty of choice when it comes to VPNs. Our own guides to the best paid VPNs and the best free VPNs show the wealth of impressive apps out there, and even when you narrow down the criteria, you've still got lots of options to pick from—see our recommendations for the best free VPNs for Android.

So what exactly should you be looking for when it comes to choosing the right VPN for you? These are the features and selling points that you'll see mentioned when you're browsing VPN comparisons, and what they mean (and once you've built up a shortlist from these criteria, then you can look at the prices and extras).

Browsing speed

One of the downsides of loading up a VPN is that your browsing speed can suffer, while your data gets pinged around multiple servers across the globe. Ideally, you want all the protection that a VPN offers, without too much of a hit on download and upload rates (no matter how many other people are using the same VPN).

Unfortunately, this isn't really something you can gauge just by looking at VPN listings and ads, as most VPNs will claim to be the fastest. Either read benchmark tests put together by publications and authors you trust (watch out for sponsored content), or make use of as many free trials as you can and do some testing yourself.

Server locations

ExpressVPN servers
Every VPN service will tell you how many servers it has, and where they are. Credit: ExpressVPN

Your VPN of choice needs to reroute your internet traffic somewhere, and how many servers a particular VPN has around the world can make a substantial difference to speed and availability. It's also going to determine where in the world you can pretend to be, of course, if you want to jump to another country virtually.

Broadly speaking, the more servers the better, though as with VPN speeds you may have to do some testing of your own to check reliability and transfer rates. Look for server locations close to you (for speed), and outside of heavily censored or surveilled countries (for privacy), and check any technical specs that are given for them.

Split tunneling and kill switches

Something else to look out for is split tunneling, or the ability to send only some of your internet traffic through a VPN. This means you get better speeds (and less security and privacy) on data that's not so important, if you're just reading the news or learning a language. It's a feature that many of the best VPNs now offer.

Another feature worth checking for is a kill switch. It sounds rather dramatic, but it's simply a feature that shuts down your internet connection if the data encryption somehow fails—cutting you off from the internet, but preventing your connection and data from being exposed. Again, this is now fairly common, but not every VPN offers it.

No logs or zero logs

Mullvad VPN
Mullvad VPN lets you pay by cash, if you don't want to enter payment info. Credit: Mullvad VPN

You should only consider VPNs that have clear no-logs policies (no browsing data is permanently retained) or zero-logs policies (supposedly even stricter, covering more data). Don't take the VPN's word for it, though: Look for third-party audits from independent security companies, carried out regularly, to verify these claims.

If these logs are retained, they might be sold to data brokers, or pulled by law enforcement agencies—so check the individual privacy policies for details of what happens when you're connected to your VPN. Some VPNs go above and beyond when it comes to letting you stay anonymous: Mullvad VPN lets you pay by cash through the post, for example.

VPN protocol

A VPN protocol is the way that the VPN connects to the internet at large: It makes a major difference to speed and security, and you'll often see it mentioned in VPN listings. However, as important as it is, it's not something that's easy to compare across different VPN services—most VPNs will simply say their protocol of choice is the best.

Once you've got a shortlist of VPNs together, do some background reading on the protocols they use: Look for independent assessments of their security and transparency, technical benchmarks, and protocols that have been open sourced so they can be analyzed. OpenVPN and WireGuard are two well-regarded protocols, for example.

Location and reputation

Proton VPN
Where a VPN is based is important, as well as where it connects to. Credit: Lifehacker

VPN companies are bound by the laws and regulations of the country that they're based in—so it's a good idea to look for ones based in places where surveillance regulation and government monitoring is less strict. If necessary, check the VPN's policies on how it deals with data requests from the authorities and law enforcement in its local region.

It's also worth weighing a VPN company's reputation: How does it make money? What other services does it offer? What's its record with data breaches? This is much more important with a VPN than it is with your streaming music provider, for example, because you're trusting it with all of your online data while you're connected.

Trials and money back

Generally speaking, it's worth paying for a VPN, as you're giving it so much responsibility in terms of your online access and security. The paid options are almost always going to give you a faster and more reliable service, and if you regularly make use of a VPN then the monthly fee is well worth the investment.

It is, however, worth looking for services that offer free trials and your money back if you're not satisfied (usually after 30 days). Not only does it reflect well on the VPN company, it means you can see if the VPN suits your needs—and check how fast its servers are—before signing up for any kind of payment plan.

This Tool Deletes Your Info From Data Broker Sites (If You Live in One State)

6 January 2026 at 13:30

There's very little privacy on the internet: Data brokers collect tons of information about you and your online activity and sell it to anyone interested in marketing to you. California residents have gained more control over their personal data than those in other states since the passage of the California Consumer Privacy Act (CCPA) in 2018, and they now have a one-stop shop for requesting that their information be removed from hundreds of data brokers registered with the state (and any that do so in the future).

California isn't the only state to enact stronger consumer privacy laws in recent years, but its Delete Requests and Opt-Out Platform (DROP) is the first of its kind. The tool is live now, though brokers won't begin processing submissions until August. Here's what to do now if you live in California—and some options for removing your information from data brokers if you don't.

How to sign up for California's data removal platform

To get started with DROP, you'll need to confirm that you are, in fact, a California resident by verifying personal information via California Identity Gateway or signing in with Login.gov credentials. To be eligible, you must either live in California or be domiciled in the state even if you live elsewhere temporarily. (This is based on the location of your primary residence, where you are registered to vote, and which state issued your driver's license.)

You will then be able to create and submit a deletion request. You'll need to provide some personal data, which will be used to match your request with records held by data brokers. Data types include names, date of birth, zip codes, email addresses, phone numbers, Mobile Advertising IDs (MAIDs), and vehicle identification numbers (VINs). You can enter multiples of everything except your date of birth and update your request at a later time—if you get a new car or change your email, for example.

While you can begin submitting requests now, know that data brokers won't actually begin processing them until August 2026 and could take up to 90 days from then to delete your data. If they find a match, they are required to delete all of the information they have about you, though there are some exceptions, such as data available through public records or provided directly to a business.

Once processing begins later this year, you'll be able to track the status of your request on the DROP platform.

Alternatives for deleting your data

If you don't reside in California and qualify for DROP, all is not lost—though you will have to invest a bit more time and/or money to remove your information from data broker sites than simply mass deleting via a single request.

To start opting out of data collection, download Consumer Reports' donation-based Permission Slip app, which tracks where your data can be found and follows up on removal requests. You can try to manually opt out by identifying data brokers and going directly to their sites, but this can be tedious, and there are a handful of other paid services that will do it for you. (None are perfect, nor do they guarantee 100% success.)

We also have a guide to blocking companies from tracking your online activities, which can help mitigate the problem somewhat before it begins.

10 Hacks for Online Privacy That Everyone Should Know

10 December 2025 at 15:30

The internet has become a vital tool for human connection, but it comes with its fair share of risks, with the biggest being your privacy and security. With the big tech giants hungry for every ounce of your data they can get and scammers looking to target you every day, you do need to take a few precautions to protect your online privacy and security. There's no foolproof approach to these two things, and unfortunately, the onus is on you to take care of your data.

Before you start looking for a VPN or ways to delete your online accounts, you should take a moment to understand your privacy and security needs. Once you do, it'll be a lot easier to take a few proactive steps to safeguard your privacy and security on the internet. Sadly, there's no "set it and forget it" solution for this, but I'm here to walk you through some useful hacks that can apply to whatever risks you might be facing.

Don't use real information, unless you have to

When you install an app on your phone, you'll often be bombarded with pop-ups asking for permission to access your contacts, location, notifications, microphone, camera, and many other things. Some are necessary, while most are not. The formula I use is to deny every permission unless it's absolutely necessary to the app's core function. Similarly, when you're creating a profile anywhere online, you should avoid giving out any personal information unless it's absolutely necessary.

You don't have to use your legal name, real date of birth, or an email address with your real name on most apps you sign up for. Some sites also still use antiquated password recovery methods such as security questions that ask for your mother's maiden name. Even in these fields, you don't have to reveal the truth. Every bit of information that you put on the internet can potentially be exposed in a breach. It's best to use information that's either totally or partially fake to safeguard your privacy.

You can remove yourself from Google search results

Google's Results About You page.
Credit: Pranay Parab

If your personal information is easily available on Google, and you want to get it removed, you can send Google a request to remove it. Check Google's support page for how to remove results to see specific instructions for your case. For most people, the simplest way to remove results about yourself is to go to Google's Results About You page, sign in, and follow the instructions on screen.

Use email aliases to identify where your data was leaked from

Most modern email services let you create unlimited aliases, which means that you don't need to reveal your primary email address each time you sign up for a new service. Instead of signing up with realemail@gmail.com, you can use something like realemail+sitename@gmail.com. Gmail lets you create unlimited aliases using this method, and you can use that to identify who leaked your data. If you suddenly start getting a barrage of spam to a particular alias, you'll know which site sold your data.

Your photos reveal a lot about you

When you take a photo, the file for it contains a lot of information about you. By default, all cameras will store EXIF (exchangeable image format) data, which logs when the photo was taken, which camera was used, and photo settings. You should remove EXIF data from photos before posting them on the internet. If you're using a smartphone to take photos, it'll also log the location of each image, which can be used to track you. While social media sites may sometimes remove location and EXIF data from your pictures, you cannot always rely on these platforms to protect your privacy for you.

You should take a few steps to strip EXIF data before uploading images. The easiest way to get started is to disable location access for your phone's camera app. On both iPhone and Android, you can open the Settings app, navigate to privacy settings or permissions, and deny location access to Camera. This will mean that you won't be able to search for a location in your photos app and identify all photos taken there, and you'll also lose out on some fun automated slideshows that Apple and Google create. However, it also means that your privacy is protected. You can also use apps to quickly hide faces and anonymize metadata from photos.
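To show where that metadata lives in the file, here is an added example (not from the article) that walks a JPEG's segments and drops the APP1 segments carrying Exif or XMP metadata while leaving the image data untouched. The sample file is constructed in the code, and other formats such as PNG or HEIC are out of scope.

```javascript
// Identifiers that open the payload of an APP1 (0xFFE1) metadata segment.
const EXIF_ID = Buffer.from('Exif\0\0', 'latin1');
const XMP_ID = Buffer.from('http://ns.adobe.com/xap/1.0/\0', 'latin1');

// Returns { data, removed }: the JPEG without Exif/XMP segments, plus a
// record of what was dropped. Throws on input that is not a well-formed JPEG.
function stripJpegMetadata(jpeg) {
  if (jpeg.length < 4 || jpeg[0] !== 0xff || jpeg[1] !== 0xd8) {
    throw new Error('not a JPEG (missing SOI marker)');
  }
  const kept = [jpeg.subarray(0, 2)];
  const removed = [];
  let pos = 2;
  while (pos < jpeg.length) {
    if (jpeg[pos] !== 0xff) throw new Error(`expected marker at offset ${pos}`);
    const marker = jpeg[pos + 1];
    if (marker === 0xff) { pos += 1; continue; } // optional fill byte
    if (marker === 0xda || marker === 0xd9) {
      // Start of scan (or end of image): everything after this is compressed
      // picture data, so copy the rest of the file unchanged.
      kept.push(jpeg.subarray(pos));
      return { data: Buffer.concat(kept), removed };
    }
    if (pos + 4 > jpeg.length) throw new Error('truncated segment header');
    const len = jpeg.readUInt16BE(pos + 2); // length includes its own 2 bytes
    const end = pos + 2 + len;
    if (len < 2 || end > jpeg.length) {
      throw new Error(`bad segment length at offset ${pos}`);
    }
    const payload = jpeg.subarray(pos + 4, end);
    const isExif = marker === 0xe1 && payload.subarray(0, EXIF_ID.length).equals(EXIF_ID);
    const isXmp = marker === 0xe1 && payload.subarray(0, XMP_ID.length).equals(XMP_ID);
    if (isExif || isXmp) {
      removed.push({ kind: isExif ? 'Exif' : 'XMP', bytes: end - pos });
    } else {
      kept.push(jpeg.subarray(pos, end));
    }
    pos = end;
  }
  throw new Error('no start-of-scan or end-of-image marker found');
}

// Helper for the constructed sample: marker + big-endian length + payload.
function segment(marker, payload) {
  const head = Buffer.alloc(4);
  head[0] = 0xff;
  head[1] = marker;
  head.writeUInt16BE(payload.length + 2, 2);
  return Buffer.concat([head, payload]);
}

// Constructed sample: a skeletal JPEG with a fake Exif block. It is not a
// decodable picture; it only has the segment layout the parser cares about.
function buildSampleJpeg() {
  const app0 = segment(0xe0, Buffer.concat([
    Buffer.from('JFIF\0', 'latin1'),
    Buffer.from([1, 1, 0, 0, 1, 0, 1, 0, 0]),
  ]));
  const exif = segment(0xe1, Buffer.concat([
    EXIF_ID,
    Buffer.from('constructed-GPS-block', 'latin1'),
  ]));
  const sos = segment(0xda, Buffer.from([0x01, 0x01, 0x00, 0x00, 0x3f, 0x00]));
  const scan = Buffer.from([0x12, 0x34, 0xff, 0x00, 0x56]);
  return Buffer.concat([Buffer.from([0xff, 0xd8]), app0, exif, sos, scan, Buffer.from([0xff, 0xd9])]);
}

const sample = buildSampleJpeg();
const cleaned = stripJpegMetadata(sample);
console.log(`removed ${cleaned.removed.length} segment(s), ` +
  `${sample.length} -> ${cleaned.data.length} bytes`);
```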

While you're at it, don't forget that screenshots can also leak sensitive information about you. Some types of malware steal sensitive information from screenshots, so be sure to periodically delete those, too.

Think about what you use AI for

ChatGPT's website on Safari
Credit: Pranay Parab

Nearly every single AI tool is mining your data to improve its services. Sometimes, this means it's using everything you type or upload. At other times, it could be using things you've written, photos or videos you've posted, or any other media you've ever uploaded to the internet, to train its AI models. There's not much you can do about mass data scraping off the internet, but you can and should be careful with your usage of AI tools. You can sometimes stop AI tools from perpetually using your data, but relying on these companies to honor those settings toggles is like relying on Meta to keep your data private. It's best to avoid revealing any personal information to any AI service, regardless of how strong a connection you feel with it. Just assume that anything you send to an AI service can, and probably will, be used to train AI models or even be sold to advertising companies.

You can delete information stored with data brokers

Yes, big companies like Facebook or TikTok can track you even if you don't have an account with them. Data brokers collect vast troves of information about your internet visits, and sell it to advertisers or literally anyone who's willing to pay. To limit the damage, you can start by following Lifehacker's guide to blocking companies from tracking you online. Next, you can go ahead and opt out of data collection by data brokers. If that's not enough, you can also use services that remove your personal information from data broker sites.

A VPN isn't always the right answer

Now, I'm sure some of you are thinking that using a VPN will protect you from most of the tracking on the internet. That may be true in some cases, but using a VPN 24/7 is not the right approach for most people. For starters, it just routes all your traffic via the VPN company's servers, which means that you need to place your trust in the company's promises not to log your information, and its ability to keep your data safe and private. It also won't protect you from the types of data leaks that might happen from, say, publicly posting photos tagged with location data.

Many VPN providers claim to be able to protect you, but there are downsides to consider. Some companies such as Mullvad and Proton VPN have earned a solid reputation for privacy, but using a VPN all the time can create more problems than it solves. Your internet speed slows down a lot, streaming services may not work properly, and lots of sites may not load at all because they block VPN IP addresses. In most cases, you'll probably be better off if you use adblockers and an encrypted DNS instead.

Try a different combination of privacy tools

For most people, ad blockers are a good privacy tool. Even though Google is cracking down on ad blockers, there are ways to get around those restrictions. I highly recommend using uBlock Origin, which also has a mobile version now. Once you've settled on a good ad blocker, you should consider also using a good DNS service to filter out trackers, malware, and phishing sites on a network level.

Having a DNS service is like having a privacy filter for all your internet traffic, whether it's on your phone, laptop, or even your router. I've been using NextDNS for a few years, but you can also try AdGuard DNS or ControlD. All of these services have a generous free tier, but you can optionally pay a small annual fee for more features.

Use a good firewall for your computer

Little Snitch on the Mac
Credit: Little Snitch

Almost all apps these days send telemetry data to remote servers. This isn't too much of a problem if you only use apps from trusted sources, and can help with things like automatic software updates. But malicious apps or even poorly managed ones may be more open with your data than you would like.

You can restrict some of that by using a good firewall app. This lets you monitor incoming and outgoing internet traffic from your device, and restrict devices from sending unwanted data to the internet. Blocking these requests can hamper some useful features, like those automatic app updates, but they can also stop apps from unnecessarily sending data to online servers. There are some great firewall apps for Mac and for Windows, and you should definitely consider using these for better online privacy.

Switch to a good password manager

I've probably said this a million times, but I will repeat my advice: use a good password manager. You may think it's a bit annoying, but this single step is the easiest way to greatly improve your security on the internet. Password managers can take the hassle of remembering passwords away from you, and they'll also generate unique passwords that are hard to crack. Both Bitwarden and Apple Passwords (which ships with your Mac, iPhone, and iPad) are free to use, and excellent at their job. Go right ahead and start using them today. I guarantee that you won't regret it.

What Are Passkeys, and Who Should Be Using Them?

17 November 2025 at 21:00

We’ve been using passwords to protect our various accounts for a few decades now, and, to be honest, we’re not very good at it. Many of us use the same simple, easy to remember passwords for all of our accounts—convenient for logging in, but horrible for security. Not only will a bad actor (or computer) be able to guess that password easily, they’ll try it against your other accounts. Before you know it, you have multiple breaches, some of which may involve financial or private information.

There are a number of steps you can take to beef up your password security, of course. First, you can use a complex and unique password for each of your accounts, making sure to never reuse a password. A well-made password can be impossible for a human to guess, and virtually impossible for a computer to guess. But even if a company loses your password in a data breach, using two-factor authentication (2FA) can protect you further. Without a trusted device that either generates or receives a 2FA code, your password becomes essentially useless to hackers. And since you didn’t repeat passwords, they can’t try it on your other accounts. That’s what makes this combo a winning strategy.

But many, if not most, of us aren’t using this winning strategy. Many are still at risk, or putting their organizations at risk, with insecure authentication measures. As such, there’s a push for consumers to adopt a new form of authentication, something that combines the convenience of passwords, with the security of 2FA, all without you needing to remember a thing: passkeys.

What are passkeys?

Passkeys are a (relatively) new authentication method that offers a similar experience to passwords without actually involving a password of any kind. The measure relies on something called public key cryptography: When you create a new account with a passkey, or you create a passkey for your existing account, a “key pair” is generated. One of these keys is public, and is stored by the company that runs the account in question. This key is not a secret, and, theoretically, could be stolen or lost in a breach. However, the other key is a secret. This private key is stored on your device (such as a smartphone, tablet, or computer) and is what is used to actually authenticate your identity.

To create the passkey, you simply need to use your device’s built-in authentication method. That might mean a face scan, a fingerprint scan, or a PIN. Once you successfully authenticate yourself, the passkey is established. To log in in the future, you simply authenticate with one of those same three methods. If it goes through, the system then checks with the account that holds the public key to confirm your identity, and you're in—no password required.

Your passkeys are securely stored on your devices, typically in a “vault” such as a keychain or password manager. Apple generates and stores passkeys in iCloud Keychain, for example. If you use a password manager, like Bitwarden or 1Password, you can create and store passkeys there. Any device that has access to that password manager can then also access the passkey for authentication.

However, you don't need to log into your accounts on the device that contains the passkey. If you're using a different device, say a friend's computer or a tablet that doesn't contain the passkey, you will have the option to use your trusted device to authenticate. For example, say you want to check your bank account on your PC, but your account uses a passkey stored on your iPhone. You can choose to authenticate using the passkey device, which will trigger the account's site to present a QR code. You can scan the QR code on your iPhone, authenticate using Face ID, Touch ID, or your PIN, and you'll log in. This is also how the feature works when signing into accounts on devices that don't store passkeys directly, like a PlayStation 5.

Are passkeys secure?

The short answer? Yes. Passkeys are an extremely secure authentication method. While they're way more secure than passwords, they're even more secure than 2FA. 2FA is great, and certainly better than using a password alone, but it is possible for attackers to steal the authentication codes—especially when these codes are SMS-based. This can be as sophisticated as hacking into the platforms that send your codes, or as simple as a phishing scheme: Scammers can pose as representatives of the account in question, and trick you into sharing your 2FA codes with them. As such, 2FA, while secure, has an inherent phishing flaw.

Passkeys don't have this flaw. You can't be tricked into giving over one of your passkeys, nor can a hacker steal it from your device. The system won't prompt you to authenticate unless you are visiting the exact domain for the platform, which means scammers can't create dummy sites that trick you into logging in: The passkey process will simply not start. Importantly, signing in via a passkey requires the trusted device to be physically close to the device you're logging into. As such, a hacker can't send you an image of a QR code, trick you into scanning it, and then convince you to authenticate to log in. Unless you're in the same room as the hacker, they're not getting your passkey.
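The key-pair login and the domain check described above, as an added example (not from the article): a simplified model of the passkey exchange, not the real WebAuthn API. The class names, the `.example` domains and the rule that a credential is scoped to the exact hostname are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Stands in for the phone or password manager that holds the private keys.
class Authenticator {
  constructor() {
    this.credentials = new Map(); // domain -> private key
  }
  // Create a key pair for one domain; only the public half leaves the device.
  register(domain) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.credentials.set(domain, privateKey);
    return publicKey;
  }
  // `origin` is what the browser sees in the address bar, not what the page claims.
  getAssertion(origin, challenge) {
    const domain = new URL(origin).hostname;
    const privateKey = this.credentials.get(domain);
    if (!privateKey) return null; // no passkey for this domain: nothing to sign
    const clientData = JSON.stringify({ type: 'get', challenge, origin });
    const signature = crypto.sign('sha256', Buffer.from(clientData), privateKey);
    return { clientData, signature };
  }
}

// Stands in for the website, which stores only public keys.
class RelyingParty {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map(); // user -> public key
    this.pending = new Set();    // challenges issued and not yet used
  }
  enroll(user, publicKey) {
    this.publicKeys.set(user, publicKey);
  }
  newChallenge() {
    const challenge = crypto.randomBytes(32).toString('hex');
    this.pending.add(challenge);
    return challenge;
  }
  verify(user, assertion) {
    const publicKey = this.publicKeys.get(user);
    if (!publicKey || !assertion) return 'rejected: no assertion';
    let data;
    try {
      data = JSON.parse(assertion.clientData);
    } catch {
      return 'rejected: malformed client data';
    }
    if (!this.pending.delete(data.challenge)) return 'rejected: unknown or reused challenge';
    if (data.origin !== this.origin) return 'rejected: wrong origin';
    const ok = crypto.verify('sha256', Buffer.from(assertion.clientData),
      publicKey, assertion.signature);
    return ok ? 'accepted' : 'rejected: bad signature';
  }
}

function runScenarios() {
  const site = new RelyingParty('https://bank.example');
  const lookalike = 'https://bank-login.example'; // constructed lookalike domain
  const phone = new Authenticator();
  site.enroll('alice', phone.register('bank.example'));

  // 1. Normal login on the real site.
  const good = phone.getAssertion(site.origin, site.newChallenge());
  const legit = site.verify('alice', good);

  // 2. Lookalike page relays a fresh challenge: the device has no key for it.
  const phishingAssertion = phone.getAssertion(lookalike, site.newChallenge());

  // 3. Replaying the earlier, already-used assertion.
  const replay = site.verify('alice', good);

  // 4. Even a device that holds some key for the lookalike domain signs that
  //    domain's origin, which the real site refuses.
  phone.register('bank-login.example');
  const relayed = phone.getAssertion(lookalike, site.newChallenge());
  const wrongOrigin = site.verify('alice', relayed);

  return { legit, phishingAssertion, replay, wrongOrigin };
}

console.log(runScenarios());
```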

What if I lose my device?

One of the most common concerns regarding passkeys is what happens when you lose the device the passkey is stored on. After all, if the secret key is kept only on your smartphone, what happens if it is lost, stolen, or breaks?

As it turns out, there are a few possibilities here. First, it is true there is a risk of losing the passkey for good should you lose access to the trusted device. If you choose to store your passkeys on a physical security key, like a YubiKey, losing or breaking the key will mean losing your passkey. However, depending on the account, you may have recovery options—such as answering security questions to prove your identity. This will be case-dependent, of course: If your account only has a passkey set up, and that passkey is only stored on one device, you may lose access to the account. Check if your accounts offer recovery options, or even backup authentication measures. Some accounts may still have you create a password, even if you opt into passkeys, because of this possibility.

But more importantly, you don’t need to keep your passkeys to just one device. There are secure protocols that allow you to sync your passkeys between different devices. For example, if you create a passkey on your iPhone, iCloud Keychain securely syncs that passkey to your other connected Apple devices as well, such as an iPad and Mac. That way, when you want to log into your account on any of these devices, the option to authenticate with your passkey will be available on any—you just need to use Face ID, Touch ID, or present your PIN, and you’re in.

Can you export passkeys?

At this time, no. This is probably passkeys' biggest drawback. Unlike passwords, which you can export to other password managers, passkeys are stuck to the service they're generated with. If you set up a passkey for your Google Account on your iPhone, you won't be able to directly transfer it to, say, an Android device. If your passkey lives in Bitwarden, you can't transfer it to Google Password Manager. As such, you should try to create passkeys on the platform you most widely use. If you're fully in the Apple ecosystem, Apple's iCloud Keychain will work well for you. But if you have a mix of devices from different manufacturers, you'd be better off creating passkeys on a cross-platform password manager. You can always authenticate with your iPhone, of course, but the true convenience of passkeys is quickly logging in on a device that already contains the passkey.

That doesn't mean you need to keep this service forever, however: You can set up new passkeys for existing accounts on other services, so you can securely get rid of your old passkey devices. However, make sure to keep the old device until you have the passkey established on a new one. If something goes wrong, and you're not able to set up a new passkey on another device, you'll need the old device to confirm your identity—unless you have an alternative authentication option, like a password.

Passkeys aren't perfect: In practice, they can be a bit complicated, especially when working across different devices. But at their best, they offer both convenience and security. If you aren't particularly tech savvy, or if you're not totally entrenched in one tech company's ecosystem, it might be a bit too early to go all-in on passkeys. But passkeys can keep your accounts safe and secure, so long as you understand these other weaknesses.

Your Free VPN App Might Be Spying on You

17 November 2025 at 18:30

You may be doing everything you can to protect your privacy online—using tools like multi-factor authentication, a secure password manager, and a VPN—but unfortunately, not all privacy-focused apps and services are actually doing what they promise. In its November fraud and scam advisory, Google is warning users about VPN apps and extensions that appear legitimate but are actually vectors for malware.

VPNs may actually be spyware

A VPN, or virtual private network, makes your internet activity much more difficult to track by routing your traffic through a different connection rather than your regular internet service provider (ISP). This allows you to hide your IP address and location, obscure your browsing data, and protect your information and devices from bad actors.

According to Google, malicious VPNs (posing as real ones) are delivering infostealers, remote access trojans, and banking trojans to user devices once installed, allowing hackers to access sensitive personal data like browsing history, financial credentials, and cryptocurrency wallet information. This means that an app you rely on to keep your information private could be doing the exact opposite. Cybercriminals are capitalizing on user trust in these services, creating apps that look and feel like legitimate VPNs but are actually dangerous spyware.

How to ensure your VPN app is safe

As with any app or extension, only download or install a VPN from an official source like the Google Play store. While malicious programs do sometimes sneak through, it's typically safer and more reliable than sideloading through a messaging app or other unvetted site.

In January 2025, Google launched a VPN verification process to help users identify trustworthy VPN apps in the Google Play store. To earn a "verified" badge, VPN apps have to undergo a Mobile Application Security Assessment (MASA) Level 2 validation and opt into independent security reviews. Badges are awarded only to VPNs that have been published for at least 90 days and reach 10,000 installs and 250 user reviews.

Of course, this system isn't perfect either: As TechRadar reported earlier this year, a popular (free) Chrome VPN extension earned a badge and was later discovered to be spying on users. That's why you should rely on a reputable VPN service—which means you'll likely have to pay for it. Free VPNs are far more likely to be a privacy nightmare, and any app that sounds too good to be true probably is. You aren't going to get unlimited traffic at no cost without sacrificing something.

Finally, review VPN permissions carefully, and allow the minimum access possible for the app or extension to function. (You should do this with any app you download, and you should audit apps regularly to remove unnecessary permissions.) You can check your VPN service's support pages to find out which permissions are essential—this should not include access to your contacts, camera, microphone, or photos, for example.

Texas’s New App Store Age Verification Law Has Serious Privacy Issues

30 May 2025 at 18:30

Age verification is coming to app stores in Texas, meaning that users could soon be required to provide some form of identification in order to download anything from the Google Play and Apple App stores, regardless of the app's content.

Earlier this week, Gov. Greg Abbott signed the Texas App Store Accountability Act, which is set to take effect at the beginning of next year. The new law, which purports to be about keeping children safer online, has significant implications for user privacy and data security.

What will be required for app store age verification in Texas?

The Texas law will require Google and Apple to verify the age of all users before they download any app through their app stores, even if the app has no sensitive or age-specific content. Parents will have to provide consent for minors to download apps or make purchases, and app stores will have to confirm that parents or guardians have the legal authority to make those decisions for their children. App stores will also have to share which age categories users fall into (child, young teen, older teen, or adult) with app developers.

While the specifics are yet to be determined, that means Google and Apple will have to collect some form of user identification, whether that's a driver's license, passport, or other government-issued ID, or biometric data, such as a facial scan, for anyone using their app stores in Texas. Even more documentation will be required for parents proving legal guardianship of minor users.

Utah passed a similar bill earlier this year making app stores responsible for centralizing age verification, and while its requirements are slightly less onerous, they're not much better when it comes to your privacy.

How age verification compromises your privacy

Privacy experts—as well as both Apple and Google—have raised alarms about the implications of age verification, noting that requiring all users to turn over sensitive personal information included in data-rich documents that can prove your age is a form of digital surveillance. It creates an identifiable record of online activity and increases the risk that the data will be used, shared, or sold (unlike physical ID checks, which are momentary and impermanent).

Age verification also presents security concerns with how sensitive user data is collected and stored. Data breaches are a fact of life in 2025, and individuals may have very little (if any) knowledge about whether and how their information is used and stored without their consent, and without recourse if it is compromised.

Aaron Mackey, free speech and transparency litigation director at the Electronic Frontier Foundation (EFF), notes that the Texas law doesn't have any built-in protections for user data, such as minimizing what is collected and transmitted and for how long it is retained. Plus, there are risks present in the likelihood that app stores will utilize third-party verification services to comply with the requirements, meaning data is available to multiple parties.

The EFF and the ACLU also argue that online age verification requirements violate users' First Amendment rights, as they may make protected free speech inaccessible—if adults don't have a valid form of identification, or facial recognition inaccurately estimates age, or minors can't get parental consent—or force people to choose between shielding their privacy and being online.

"If I have to provide this level of personal information because the government mandates it just to download an app from an app store, I'm going to be significantly worried about what happens to my data, and I might just decide to not actually download the app or even use this app store," Mackey says.

I Spoke With Some of the Most Private People Online, and Here's What They Sacrifice

30 May 2025 at 14:30

How far would you go to keep yourself private online? There’s little doubt that advances in technology over the past three decades have eroded traditional concepts around privacy and security: It was once unthinkable to voluntarily invite big companies to track your every move and decision—now, we happily let them in exchange for the digital goods and services we rely on (or are hopelessly addicted to). 

Most people these days either tolerate these privacy intrusions or outright don’t care about them. But there’s a growing movement that believes it’s time to claim our privacy back. Some are working piecemeal, blocking trackers and reducing permissions where they can, while not totally ditching modern digital society as a whole. Others, however, are as hardcore as can be—a modern equivalent of "going off the grid."  

We put out a call looking for the latter—people who are going to great lengths to protect their privacy in today’s mass surveillance world. We received a number of insightful, fascinating, and unique situations, but for this piece, I want to highlight four specific perspectives: "Ed," "Jane," "Mark," and "Jay."

Ed is "ruthless" with app choices and permissions

The first respondent, I’ll call Ed, since their privacy journey began with the Edward Snowden leaks: “I'd known something was likely up…as early as 2006[.] I remember headlines about AT&T possibly spying, but high school me didn't take it too seriously at the time. The Snowden leaks, when I was in college, really opened my eyes. Ever since, I've taken steps to protect my privacy.”

Ed says the biggest step they’ve taken towards a digitally private life has been their Proton account. If you’re not aware, Proton is a company that offers apps designed for privacy. Their email service, Proton Mail, is the most famous of the company’s products, but Proton makes other apps as well. Ed uses many of them, including Proton VPN, Proton Calendar, and Proton Drive. Ed pays for Proton Ultimate, which costs them nearly $200 every two years (a new account is now billed yearly at $119.88). You don’t have to pay for Proton, but your experience is much more limited. That’s not totally dissimilar to Google’s offering, which gives you more features if you pay, but most people can definitely get by with a free Google Account. I'm not so sure the reverse is true.

Speaking of Google, Ed does have a Google Account, but rarely logs into it. They don’t keep anything attached to it, however—Ed stores all files, for example, in Proton Drive or Tresorit (another end-to-end encrypted service).

Ed uses SimpleLogin for throwaway email addresses. That’s not just for the times Ed wants to avoid giving their email address to someone. According to them, they use an alias anytime an organization asks for their email, and frequently delete it when it’s no longer useful. Each online purchase gets its own alias, and that alias is deleted once the purchase is complete. Whenever Ed travels, they use an alias for any flights, hotels, and rental cars they use. Once the trip is up, they delete the alias. If one of those aliases receives a spam message, they delete it as well.

Ed’s smartphone of choice is iPhone, and although Apple arguably has the best reputation for privacy in big tech, Ed is no fan: “Apple is no bastion of privacy of course, but they seem to be the least-worst of the big tech companies.” Ed doesn’t use iCloud for any backups: Any iPhone files are kept in Tresorit. 

That iPhone, of course, contains apps. But each app is there for a reason, and no app gets access to permissions unless it requires it: “I'm ruthless about apps and app permissions. If I'm not going to use the app regularly, I uninstall it. I grant only those permissions I think the app reasonably needs.” Ed protects their mobile internet traffic with Proton VPN, and only accesses the web via Firefox Focus, a special version of Firefox designed for privacy.

Location services are always off on Ed’s iPhone, unless they’re using Apple Maps for navigation. Once they arrive at their destination, Ed disables location services again. They also have an interesting trick for getting back home without revealing their actual address:  “Additionally, when I'm navigating home, I don't enter my home address. I enter the address down the street just as an extra layer so I'm not entering my actual home address…I'll end navigation and turn off location while still driving…if I know the rest of the way home myself."

Most of us deal regularly (if not daily) with spam calls. Not Ed: They use the “Silence Unknown Callers” setting on iOS to send all numbers not in the Contacts app to voicemail. They then review all voicemails, and if they didn’t leave a message, they block the number. Our initial call out for this piece referenced how using a VPN can sometimes block incoming phone calls, but Ed isn’t bothered by that: “Since most calls these days are scams or telemarketing, and most people I do want to talk to aren't going to call me anyway, I see this as more of a feature than a bug.” 

For their desktop computing needs, Ed uses Windows. They admit they aren’t privacy experts when it comes to Microsoft’s OS, but they do what they can, including changing all privacy settings and uninstalling all programs they don’t use. (That includes OneDrive and Edge.) They also run a clean version of Windows 11 after following Lifehacker’s guide. Firefox is their go-to PC browser, and they use a variety of extensions, including:

Ed didn’t say how much of an impact this array of extensions and settings has on their browsing, save for YouTube, which they admit does sometimes give them trouble. However, Ed has workarounds: “When YouTube wants me to 'sign in to confirm you're not a bot,' changing VPN servers usually does the trick.” Ed also uses the audible clues for ReCAPTCHA prompts, rather than the pictures, since they don’t want to help train Google’s “braindead AI.”

Ed deleted all their social media accounts, including Facebook, X, Instagram, and LinkedIn. Though they’ve never had TikTok installed on their phone, they will watch it in Firefox when a friend sends them a video. 

Jane uses an open-source smartphone OS designed for privacy

While Edward Snowden may have kicked off Ed’s interest in personal privacy, "Jane" has many strong beliefs motivating their desire for privacy. They are concerned about data brokers and Meta’s practices of tracking internet activity, and how these companies build profiles based on that data to sell to third parties; they’re concerned about the possibility of telecommunication companies tracking our locations via cellular towers; they worry about US law enforcement and agencies reviewing citizens’ social media accounts and tracking people. Their focus on privacy is fueled by true concern for their own well-being, not only the value of privacy as a concept.

Jane uses a VPN on all of their devices. Instead of Proton, however, Jane opts for Mullvad. They enable ad and tracker blocking, as well as a kill switch, which blocks your internet if you lose connection with the VPN—thus protecting your connection from being leaked out of the secure network.

I’m a big advocate for strong and unique passwords and proper password management, but Jane definitely beats me when it comes to secure credentials. Jane uses six to eight-word passphrases generated by diceware, a tactic that chooses words based on dice rolls. Something like this diceware generator will roll a die five times, then find a word in a bank based on that five-digit number. You can repeat this as many times as you want to come up with a passphrase built up with random words. Jane saves all of their passphrases to a password manager, except for the ones for important accounts, like their bank. They commit those to memory, just in case someone breaches their password manager.     
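The dice-to-word lookup described above, as an added example (not code from the article or from any diceware tool). It assumes a word list in an `NNNNN word` layout; the list built here is a constructed stand-in of placeholder words, and all function names are the example's own.

```python
import itertools
import math
import secrets

DICE_PER_WORD = 5                      # five rolls select one word
FACES = 6
LIST_SIZE = FACES ** DICE_PER_WORD     # 7776 possible five-digit keys


def parse_wordlist(text):
    """Parse 'NNNNN word' lines into {key: word}, rejecting damaged lists."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'key word'")
        key, word = parts
        if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
            raise ValueError(f"line {lineno}: bad dice key {key!r}")
        if key in table:
            raise ValueError(f"line {lineno}: duplicate key {key}")
        table[key] = word
    # A short or repetitive list silently lowers the entropy per word.
    if len(table) != LIST_SIZE:
        raise ValueError(f"incomplete list: {len(table)} of {LIST_SIZE} keys")
    if len(set(table.values())) != LIST_SIZE:
        raise ValueError("duplicate words in list")
    return table


def roll_key(rng=secrets):
    """Five fair die rolls from the OS CSPRNG, returned as e.g. '41253'."""
    return "".join(str(rng.randbelow(FACES) + 1) for _ in range(DICE_PER_WORD))


def passphrase(table, n_words, rng=secrets):
    """Return (dice keys, passphrase) for n_words independently rolled words."""
    if n_words < 1:
        raise ValueError("need at least one word")
    keys = [roll_key(rng) for _ in range(n_words)]
    return keys, " ".join(table[k] for k in keys)


def entropy_bits(n_words):
    """Entropy when every word is chosen uniformly from the full list."""
    return n_words * math.log2(LIST_SIZE)


def constructed_wordlist():
    """Constructed stand-in list: placeholder words 'w11111' .. 'w66666'."""
    keys = ("".join(k) for k in itertools.product("123456", repeat=DICE_PER_WORD))
    return "\n".join(f"{k}\tw{k}" for k in keys)


if __name__ == "__main__":
    table = parse_wordlist(constructed_wordlist())
    for n in (6, 7, 8):
        keys, phrase = passphrase(table, n)
        print(f"{n} words, {entropy_bits(n):.1f} bits: {phrase}")
```

The entropy figure holds only when the words come from random rolls; picking or re-rolling words by preference lowers it.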

Like Ed, Jane uses Mullvad, but instead of just using their VPN, they opt for the web browser, which has those protections built in. Mullvad’s strict privacy settings break persistent logins on websites, so any sites Jane wants to stay logged in on are kept in Brave browser. For both Mullvad and Brave, Jane uses uBlock Origin.

“From time-to-time I do run into sites that will block access due to being on a VPN or blocking ads and trackers. Instead of disabling [my] VPN completely, switching my connection to one of Mullvad's rented servers instead of ones they own usually helps. Barring that, I occasionally go into [uBlock Origin] and temporarily whitelist a needed [URL] ([ReCAPTCHA] etc). This works for me to get around site blocks most of the time.”  

Jane uses a Mac, and configured macOS based on various privacy guides. But instead of an iPhone, Jane opts for a Google Pixel. That might surprise readers who assumed hardcore privacy enthusiasts would break away from Google entirely. But Jane doesn’t run Android: Instead, they installed GrapheneOS on their Pixel, an open-source OS designed for privacy. Following a restart, Jane configured the Pixel to only unlock with a seven-word dice passphrase—for general use, they use a fingerprint scan and a six-digit PIN. If they don’t unlock their Pixel for a while, their phone automatically reboots to put it back into this “First Unlock” state. They also keep airplane mode on at all times to disable the phone’s radio communications, but maintain a wifi connection with timed automatic Bluetooth and wireless disabling.

Jane also deleted all their social media accounts after downloading all data associated with those platforms.

Mark uses phone and credit card masks

“Mark” is perhaps the least hardcore of the respondents in this story, but that makes their experience both interesting and relatable. Unlike most of the people we spoke to, Mark is still on Facebook and Instagram. That’s due to their job, which requires them to be on the platform, but they’ve been “systematically” deleting everything they can over their 19-year Facebook history and saving the data to an external hard drive. Mark doesn’t follow anything that isn’t relevant to their job, and only uses Facebook and Instagram inside the DuckDuckGo browser. They don’t react to posts they see, and following their privacy tactics, Facebook doesn’t show them relevant ads anymore. “If there is an ad I'm actually interested in I'll search it up in a different browser rather than click it.”

Mark has had four Google Accounts in their time online, and has deleted two so far. Like Facebook, they have to use Google for their job, but they delegate all their work to Chrome. All other browsing runs through Firefox, DuckDuckGo, or Tor. The latter is perhaps best known for being the browser of choice for browsing the dark web, but what makes it great for that is also what makes it a great choice for private browsing.

Unlike others in this story, Mark hasn’t de-Googled themselves completely. In addition to using Chrome for work, Mark has a phone mask through Google, and has their contacts, calendar, and maps tied to the company—though they are moving away from Google as much as they can. They've been running through their old emails to find and delete outdated accounts they no longer use. Any accounts they do need now use an email mask that forwards to a Mailfence account, an encrypted email service.   

Mark was the only respondent to talk about entertainment in relation to privacy: “I've also been switching to physical media over streaming, so buying CDs and DVDs, locally as much as possible. I'm lucky to have a local music store and a local bookstore...one of the owners of our bookstore wrote a book on how to resist Amazon and why. Any book I want, I can either order through them or on Alibris. For music, I use our local record store and Discogs.”

When shopping online, Mark uses a credit card mask, but still uses the card itself when shopping in person. They want to start using a credit card mask in retail locations like Janet Vertesi, an associate professor of sociology at Princeton University, but they haven’t quite gotten there yet.   

What really piqued my interest most about Mark, however, wasn’t their perspective on their own privacy concerns, but the concerns around the privacy of their kids: “They each have a Gmail, two of them have Snapchat. Their schools use Gaggle and Google to spy on them. I don't even know how to start disconnecting them from all this...I was a kid during the wild west of the internet and this feels like getting back to my roots. My kids are end users who understand apps and touchscreens, not torrenting their music or coding a basic website. (Is this my version of "I drank out of the garden hose"?) I feel like Big Data has its grip on the kids already and I don't have a guidebook on navigating that as a parent.”  

Mark’s current focus on their kids’ privacy includes deleting their health data from their local health system. That’s in part due to a data breach impacting the health system, but also the language about autism from Robert F. Kennedy Jr., the current Secretary of Health and Human Services.

Jay de-googled their life and uses a VoIP phone number

"Jay's" origin story with personal privacy dates back to 2017. That year, Equifax suffered a major hack, where nearly 148 million Americans had sensitive data stolen and weren’t notified about the breach for months. Jay was frustrated: You don’t choose to give your data to Equifax, or any credit bureau, and yet so many people lost their data. They also felt that companies were not properly held responsible for these events, and lawmakers were simply too out of touch to do what was necessary to protect citizens’ privacy, so they took it upon themselves to protect their own data. 

Ever since this incident, Jay freezes their credit: “It was frustratingly difficult back then, but nowadays, it is very easy (it just requires an account, which I use a burner email for)...The freeze will not allow anyone to pull credit for large purchases in your name, even if they have your social security number (and because of the data breach, someone probably does). I decided I wanted to pursue some privacy for the things I do have a choice over.”  

From here, Jay de-googled their life, including both Google Search as well as YouTube. They’ve found no issue with using alternative search engines, and, in fact, see Google getting worse, as it tries to show you results based on what it thinks it knows about you, not what is most relevant to your actual query: “The internet was supposed to be a place you went to find information, not where you became the information that companies take instead."

Jay uses tools to prevent fingerprinting, where companies identify you and track you across the internet, but worries that going too far with things like ad blockers puts a target on your back as well. Jay chooses to pick “a couple of effective tools,” and runs with those.

For their smartphone needs, Jay goes with Apple. Like Ed, Jay doesn’t believe Apple is perfect, and even considers their privacy policies a bit of a gimmick, but sees them as the better alternative to Android. Jay likes the security of the App Store, and the array of privacy features in both Safari and Apple Accounts as a whole. They highlight Safari’s “Advanced Tracking and Fingerprinting Protection” feature, which helps block trackers as you browse the web; iCloud’s Private Relay, which hides your IP address; and “Hide My Email,” which generates email aliases you can share with others without giving your true email address away.

Most of us are plagued with spam calls, but following the Robinhood data breach in 2021, Jay started receiving a flood of them. They decided to change their phone number and made a point of never sharing it with businesses. For the times they need to give out their number to parties they don’t trust, they use a number generated by My Sudo, which, for $20 per year, gives them a VoIP (Voice over Internet Protocol) phone number. It works with most services that rely on SMS, but it won’t function for two-factor authentication. (Which is fine, seeing as SMS-based 2FA is the weakest form of secondary authentication.) My Sudo lets you change your number for an additional $1, so if Jay’s number ever was compromised or started receiving too much spam, they could swap it.        

Jay, like many respondents, deleted all social media services: “It has its place in society for a lot of people, and is no doubt a great way to connect. However, I found that the fear of deleting it was a lot worse than actually deleting it. The people you care about won’t forget you exist.” That said, Jay doesn't mind any of the obstacles this lifestyle does throw their way: “It is a challenging topic, as most people consider you a little bit 'out there' if you take steps to make your life a little less convenient, but more private. The modern world sells you convenience, while pretending it is free, and harvesting your data for so much more than you actually get out of your relationship to them.”      

What it takes to be private on the modern internet

There's no one way to tackle personal privacy. Every one of the respondents to our query had something unique about their approach, and many had different motivations behind why they were so concerned about their privacy.

There are plenty of common through lines, of course. Most privacy people love Proton, which makes sense. Proton seems to be the only company that offers a suite of apps most closely resembling Google's while also prioritizing privacy. If you want your email, calendar, word processor, and even your VPN all tied up nicely under one privacy-focused umbrella, that's Proton.

But not everyone wants an ecosystem, either. That's why you see respondents using other VPNs, like Mullvad, or other private storage options, like Tresorit. These apps and services exist—they might just not be owned by one company, like Apple or Google (or Proton).

Google and Meta are more commonalities, in that most privacy enthusiasts ditch them entirely. Some, like Mark, haven't been able to fully shake off these data-hungry companies. In Mark's case, that's because they need these platforms for work. But while most hardcore privacy people delete their Google and Meta accounts, most of us have trouble de-Googling and de-Metaing our digital lives.

In general, though, the keys to privacy success include the following: Use a VPN to protect your internet traffic; prioritize privacy in your web browser, both through the browser itself, as well as extensions that block ads and protect your traffic; shield your sensitive information whenever possible, by using email aliases, alternate phone numbers, or credit card masks; use strong and unique passwords for all accounts, and store those passwords in a secure password manager; use two-factor authentication whenever possible (perhaps passkeys, when available); and stick to end-to-end encrypted chat apps to communicate with others. While there's always more you can do, that's the perfect storm to keep your digital life as private as reasonably possible.

Some might read through the examples here and see steps that are too much effort to be worth it. It might seem out of reach to ditch Gmail and Instagram, break certain websites, and force your friends and family to learn new numbers and email addresses to protect your privacy, especially if you don't feel your privacy has that much of an impact on your life. But even if you aren't sold on the concept of privacy itself, there are real-world results from sticking with these methods. Jay no longer receives spam calls and texts; Mark no longer sees ads that are freakishly relevant to their likes. It's a lifestyle change, to be sure, but it's not just to serve some concept of privacy. You can see results by changing the way you interact with the internet, all without having to actually disconnect from the internet, and, by extension, the world at large.

T-Mobile's App Is Recording Your Screen by Default, and You Should Turn It Off

28 May 2025 at 18:00

It's not easy to maintain your privacy when using technology today. That's largely the fault of companies who prioritize data collection over the integrity of their users. But even though I'm quite used to the lack of respect most companies pay towards my privacy and security, I have to admit, I'm a bit taken aback by T-Mobile's latest decision.

T-Life, T-Mobile's tech support app, has a rather unconventional and unnerving feature. For some users, it appears T-Life can record your screen whenever you have the app open. This setting is quite hidden, and worse, enabled by default. Who signed off on this?

How T-Life's screen recording works

Thankfully, the privacy and security implications aren't quite as bad as the headlines make it seem. T-Mobile says the feature is strictly for T-Life tech support—not for spying. As a T-Mobile spokesperson told CNET, "To help us give customers who use T-Life a smoother experience, we are rolling out a new tool in the app that will help us quickly troubleshoot reported or detected issues. This tool records activities within the app only and does not see or access any personal information."

Still, this explanation doesn't excuse quietly enabling in-app screen recording for customers without their knowledge. I have no issue with a company like T-Mobile offering tools that aid tech support when all parties are willing and able, but as CNET points out, the app already has such a feature called "Screen Share" under Help & support. Seems redundant to have a separate "screen recording" setting that serves a similar purpose—especially when it appears the company wasn't planning on telling people about it before the news broke.

When you do take a look at the setting in the T-Life app, you'll see the following description: "We use a tool to record how customers use the app to analyze and improve your experience. Only T-Mobile will review and analyze your info. If you turn this toggle on or magenta, we will record your screen while you use the app. If you turn this toggle off or gray, we will not record your screen." Yikes.

How to disable T-Life's screen recording

To disable the feature, open T-Life, then head to Settings > Preferences. Here, you'll see Screen recording tool, where you can disable the setting. (You'll know it's off if it turns gray.)

If you don't see the setting, you might not be affected. T-Life hasn't rolled out this feature to all users yet, so it is possible the app isn't screen recording for you at this time. Reports say T-Mobile has rolled this out to iPhone and Android users alike, so don't assume you're safe because you use one platform or the other.

How Surveillance Pricing Is Making Your Life More Expensive (and What to Do About It)

23 May 2025 at 15:30

Shopping has always been a battle. Companies work hard to convince you that their product is better, while also trying to ensure you pay the highest possible price for your purchase. That’s fair enough, and most of us are accustomed to researching everything we buy to make sure we’re not being ripped off.

But modern technology has changed the game. Companies have been hoovering up information about us for years now, and that means they have a pretty good idea about our shopping habits—including what we’re willing to pay for specific products and services, something called Individualized Consumer Data (ICD). New tools like artificial intelligence are now making it very, very easy for companies to engage in what’s known as surveillance pricing.

What is surveillance pricing?

At its most basic, surveillance pricing is when companies put together a profile of you and your shopping habits, then adjust prices specifically for you. A basic example would be shopping for a television: Two people go to Amazon to look at the same television. One person sees a price of $499, while the other sees $599—for the exact same television, at the exact same moment. The discrepancy is due to their different spending habits and other information that Amazon has gathered about them—their ICD—that tells the company that one person would be willing to spend that extra $100, and the other wouldn’t.

Companies create those profiles by scraping an incredibly large volume of information about you from a wide variety of sources. Internet cookies, your shopping history, your IP address (and the geographic and demographic information it provides), are just the basics—the profiling goes much deeper. Even behaviors like how far you scroll when searching for products or what you leave in your shopping cart and never buy contribute to a detailed picture of who you are as a consumer.

You might be thinking that most of your personal and financial information is protected to some extent by privacy laws and policies, and you would be right. A lot of this stuff is anonymized. But the sheer amount of information that you leak when you go online—not just cookies and IP addresses, but the browser you use, the plugins you have installed, your time zone, screen size, devices, even system fonts on your computer—can be collected to create a detailed “fingerprint” of your online life.

Combined with data gathered from loyalty apps and other sources, this means that an “anonymous” profile of you can be reliably created and identified. In other words, companies may not know that it’s you shopping for that TV, but they know that a unique consumer with specific habits is shopping for one, and thus they can tweak their pricing as needed very effectively.

The signs to look out for

What’s fun about surveillance pricing is how hard it is to tell it’s happening. After all, you surf to a site to buy something, you see a price, you assume that’s just the price that’s been calculated. How can you know that someone else will see a higher or lower price?

It’s not easy. You can look for a few subtle signs and try a few experiments if you suspect you’re running into surveillance pricing:

  • Changed prices. If you go back to a specific website regularly and notice that the price changes, it might be because you’re using a different device or because some other aspect of your online fingerprint has changed. Or it might be because your ICD tells the company that you always visit multiple times looking for a lower price.

  • Inconsistent pricing. If you know someone who is shopping for the same item on the same platform and they’re getting different pricing, that’s a potential clue.

  • Reactive advertising. Even if you haven’t noticed price changes, seeing ads that are narrowly targeted to you can be a sign that ICD is being collected and used on you. For example, if web searches or comments on your social media channels seem to inspire related ads, there’s a good chance that your online fingerprint is specific enough to be used for surveillance pricing.

Defending against surveillance pricing

Surveillance pricing is harmful to consumers because it means you wind up paying more for items simply because of where you live or other extraneous factors—it’s inherently unfair. Defending against it, however, can be challenging—there are basically four strategies you can employ against surveillance pricing, and none of them are magic bullets.

Comparison shop

The simplest way to combat suspected surveillance pricing is to shop around for items at different stores—including physical locations, if possible—to get a clear idea of what the “normal” price should be. This can be time-consuming and not always effective, as different online platforms may all use similar surveillance techniques against you.

Another aspect of this is to engage your friends and family who live in different areas and use different devices (Android phones versus iPhones, for example). A news station recently had several people from around the country check the prices of different products online, and found prices swung by several hundred dollars depending on location and other factors. If you can ask people who live in different areas to check prices, you can at least determine if you’re getting an okay deal, comparatively.

Use a VPN

One of the most common pieces of advice whenever pricing issues come up is to use a Virtual Private Network (VPN) to mask your location—you’ve probably seen this advice in conjunction with finding the lowest airline prices for trips. It seems to make sense: If retailers are charging more for people living in affluent zip codes, changing your reported location should defend against that.

I tried this, using a VPN to change my IP address to locations in Mexico, the Netherlands, Japan, and different areas of the U.S., and actually saw no price changes whatsoever. One reason this might not work is because your IP address and associated location are just one piece of your online fingerprint, and companies can still track you when you mask it (your browser gives away a lot of information—you can see just how much at this site). Another reason this might not work as well as you expect is because companies can pretty easily tell that you’re using a VPN because the IP addresses they assign their users are used over and over again, often by several people at the same time. This creates patterns that allow companies to flag those IP addresses as VPNs.

However, that doesn’t mean that using a VPN is pointless in the fight against surveillance pricing. If you routinely surf the net behind a VPN and combine that with other steps like incognito browsing, regularly clearing cookies from your browser, and deleting your internet history, you deny trackers a wealth of information about you, which can help cloak your identity, making it harder to create that online fingerprint.
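To make the VPN point above concrete, the following added example (not part of the original article) hashes the browser-reported attributes into a fingerprint and shows that masking the IP leaves it unchanged, while many distinct browsers behind one address give the VPN exit away. Every visitor record, field name, and IP address is constructed for illustration.

```python
import hashlib
from collections import Counter, defaultdict

# Constructed sample data: what a site could log per visit. Every value is
# invented; the IPs come from the reserved documentation ranges.
VISITORS = [
    {"ip": "203.0.113.50", "user_agent": "Chrome/124 Windows",
     "timezone": "America/New_York", "screen": "1920x1080",
     "fonts": "Arial,Calibri,Segoe UI", "plugins": "pdf-viewer"},
    {"ip": "203.0.113.50", "user_agent": "Chrome/124 Windows",
     "timezone": "America/New_York", "screen": "1920x1080",
     "fonts": "Arial,Calibri,Segoe UI,Fira Code", "plugins": "pdf-viewer"},
    {"ip": "203.0.113.50", "user_agent": "Chrome/124 Windows",
     "timezone": "America/Chicago", "screen": "1920x1080",
     "fonts": "Arial,Calibri,Segoe UI", "plugins": "pdf-viewer"},
    # Visitors 3 and 4 model one person on a desktop and on a phone.
    {"ip": "198.51.100.7", "user_agent": "Safari/17 macOS",
     "timezone": "America/New_York", "screen": "2560x1600",
     "fonts": "Helvetica,Menlo", "plugins": ""},
    {"ip": "198.51.100.8", "user_agent": "Safari/17 iPhone",
     "timezone": "America/New_York", "screen": "390x844",
     "fonts": "Helvetica", "plugins": ""},
    # Same browser setup as visitor 0, different network.
    {"ip": "192.0.2.44", "user_agent": "Chrome/124 Windows",
     "timezone": "America/New_York", "screen": "1920x1080",
     "fonts": "Arial,Calibri,Segoe UI", "plugins": "pdf-viewer"},
]

# Attributes reported by the browser itself; a VPN does not touch any of them.
BROWSER_FIELDS = ("user_agent", "timezone", "screen", "fonts", "plugins")


def fingerprint(visitor, fields=BROWSER_FIELDS):
    """Hash the chosen attributes into a short, stable identifier."""
    material = "|".join(f"{name}={visitor[name]}" for name in fields)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:16]


def unique_visitors(visitors, fields):
    """Count visitors whose attribute combination nobody else shares."""
    sizes = Counter(fingerprint(v, fields) for v in visitors)
    return sum(1 for v in visitors if sizes[fingerprint(v, fields)] == 1)


def behind_vpn(visitor, exit_ip):
    """Model a VPN: only the network address the site sees changes."""
    masked = dict(visitor)
    masked["ip"] = exit_ip
    return masked


def shared_ips(visitors, min_fingerprints=3):
    """Return IPs seen with many distinct browsers (the VPN reuse pattern)."""
    seen = defaultdict(set)
    for v in visitors:
        seen[v["ip"]].add(fingerprint(v))
    return sorted(ip for ip, prints in seen.items()
                  if len(prints) >= min_fingerprints)


if __name__ == "__main__":
    print("unique by user agent alone:",
          unique_visitors(VISITORS, ("user_agent",)))
    print("unique by all browser fields:",
          unique_visitors(VISITORS, BROWSER_FIELDS))
    masked = behind_vpn(VISITORS[3], "203.0.113.50")
    print("fingerprint survives VPN:",
          fingerprint(masked) == fingerprint(VISITORS[3]))
    print("desktop vs phone differ:",
          fingerprint(VISITORS[3]) != fingerprint(VISITORS[4]))
    print("IPs that look like VPN exits:", shared_ips(VISITORS))
```

The desktop and phone records produce different fingerprints, which is consistent with device switching being the one change that altered the price in the test described below.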

Avoid loyalty apps

Loyalty apps that offer coupons and discounts to regular shoppers are, of course, data vacuums that make it very easy to create a profile about you and your shopping habits. For a few measly discounts, you’re basically giving companies everything they could possibly need to track and profile you—and they can (and do) sell that information to other retailers. If you want to make it harder for them to use surveillance pricing against you, giving up those little perks is probably necessary.

Use different devices

The final piece of advice for defeating surveillance pricing is the one thing that did actually make a difference when I tested it. I randomly searched Amazon for a 65-inch TV made by TCL. On my desktop browser, it was listed at $469.95. When I switched to my phone, it was suddenly $479.00. Less than $10 isn’t a huge difference, but changing devices was the only strategy that yielded any results at all for me, and indicates that checking prices on different devices is an effective strategy for ensuring you’re getting the best possible price despite what your profile might say about your shopping habits.

Of course, all of this checking and device-swapping takes time and effort, so you have to consider whether the money you might save by getting around surveillance pricing is worth the time you put into it. Using a VPN with an incognito browser regularly is probably the best passive strategy you can employ to frustrate attempts to profile you without making it into a second job.

Last year the Federal Trade Commission opened an investigation into surveillance pricing, which could lead to new rules and enforcement to end the practice, and several states have some kind of legislation to regulate or ban the practice in the works. But until those become reality, keep your eyes open.

How Far Do You Go for Online Privacy?

21 April 2025 at 14:00

Everyone wants privacy, but how far are you willing to go for it? For most people, the answer is "not very far." The cost of privacy is not only the knowledge it takes to navigate safely and invisibly online, but often also the inconvenience that comes with security practices like using VPNs, installing ad blockers and other extensions, and using a non-Chrome browser. If you go to extra lengths to protect your online privacy, we want to hear from you. And if you go to extreme lengths, we definitely want to hear from you.

The first time I switched to a privacy-focused browser, I wondered why I hadn't done it sooner. I left Google Chrome after reading one of the countless stories about how Chrome is the worst browser for your data and privacy, and after importing my bookmarks and settings, I admittedly felt rather smug. I was a Brave user now, separate from the flock of sheep who gave their data away to Chrome, resigned to having their data tagged and tracked wherever they went. I also deleted my Facebook account, installed a VPN on my phone, and used Tor to browse anything I would be less than proud of. I also stopped using Google Maps. At least, I tried. As you might have guessed, few of these changes lasted long.

Protecting my privacy online was one inconvenience after another. At first, I attributed my minor annoyances to a learning curve. My VPN broke certain websites, so I got in the habit of switching it on and off whenever I needed, for example. But while some decisions made life easier—I still don't miss Facebook, and browsing the internet without an ad blocker seems unthinkable now—others created accumulating obstacles. Websites wouldn't load, citing compatibility problems with my browser. Extensions were unavailable. Tech walkthroughs with friends and IT teams each invariably met the point where I would need to explain that, no, I am not on Chrome, or Firefox, or Edge.

Once, I spent several days debating companies, agencies, and friends who insisted they tried calling me even though my phone never rang. Frustrated, I eventually called Verizon, and a customer service representative ran me through a series of tests and pings to identify the problem. After half an hour, my call was escalated to a higher tech support team that walked me through heavier solutions like resetting my network. Eventually, in a moment of clarity, I apologized to customer service, confessed that it was user error, and hung up the phone. I knew what the problem was, even if I couldn't explain it: I left my VPN on, and somehow it was blocking incoming calls. I turned it off, and life went back to normal.

I began to feel less smug and more impractical, my decision to live a privacy-focused life having downsides I wasn't sure I was willing to accept. My breaking point came when I was on a trip and a Netflix error informed me that my browser was no longer supported. Stuck at an airport with yet another inconvenience, I got frustrated, threw in the towel, and found myself back on Chrome.

Of course, my failure is my own, and there are endless reasons to push past the inconveniences to make your online privacy a standard practice. As part of our Safety Net series, I want to speak with people who take their privacy seriously enough to go to great lengths—arguably extreme ones, even—to keep their identity and privacy safe. I want us to learn what you do for privacy, what it's like to use technology the way you do, and how much convenience you sacrifice to do it. If this sounds like you, email me at jcalhoun@lifehacker.com with the subject line "Safety Net" or message me on Bluesky, and I'll get back to you if your story is selected to be featured. If it sounds like someone you know, please send them this article to share their experience. You can, of course, stay as anonymous as you'd like.

You Can Get AdGuard VPN and a Lifetime of Its Ad Blocker for Just $45 Right Now

18 March 2025 at 20:00

We may earn a commission from links on this page. Deal pricing and availability subject to change after time of publication.

Online security and ad-free browsing can be expensive, but right now, StackSocial is offering the AdGuard Family Security Suite for just $49.99, bundling two services that would normally run you a lot more. You can also add the promo code GUARD5 to take off an additional $5, bringing the final cost of this sale down to $44.99. This bundle includes a five-year AdGuard VPN subscription (for up to 10 devices) and a lifetime Family Plan subscription to AdGuard Ad Blocker (covering up to 9 devices) across iOS, Android, macOS, Windows, and common browsers like Chrome. Just note that this plan is only for new users, and you need to redeem your code within 30 days of buying.

Unlike free VPNs that might log and sell user data, AdGuard operates with a strict no-logs policy, meaning that with AdGuard VPN, your browsing history will stay private. It also lets you connect to over 60 server locations worldwide, so you can bypass geo-restrictions, access region-locked content, and keep your online activity hidden from prying eyes. Whether you're working remotely, streaming content from another country, or just trying to protect your information on public wifi, this VPN encrypts your data with industry-standard AES-256 encryption, preventing ISPs, hackers, and advertisers from tracking you. And with support for up to 10 devices, you can secure your phone, laptop, tablet, and your family’s gadgets under one plan.

The AdGuard Ad Blocker Family Plan takes care of the other internet headaches too, blocking pop-ups, banners, and video ads across browsers and apps, meaning you get faster page loads and a cleaner experience without autoplay videos or sketchy pop-ups trying to trick you into clicking. Unlike most ad blockers that only work in browsers, AdGuard’s system-level filtering works on apps too, giving you cleaner feeds on social media and ad-free experiences on mobile games. It also includes advanced parental controls, letting you filter out inappropriate content to create a safer browsing environment for kids. The $45 deal with the promo code GUARD5 runs through March 30.

Trump Seeks to Paralyze Independent Privacy and Civil Liberties Watchdog

22 January 2025 at 20:38
The Trump White House has told three Democratic-selected members of the Privacy and Civil Liberties Oversight Board to resign or be fired, which would stop the independent agency from functioning.

Sharon Bradford Franklin, the chairwoman of the Privacy and Civil Liberties Oversight Board, was among three board members picked by Democrats who received an email from the White House telling them to submit resignation letters.

Why TikTok Faces a U.S. Ban, and What’s Next?

6 December 2024 at 20:08
The short-form video app lost a challenge to a law that will ban TikTok in the United States if its owner, ByteDance, does not sell to a non-Chinese company. It has pledged to appeal to the Supreme Court.

TikTok has long denied allegations that it puts sensitive user data into the hands of the Chinese government.

Six Ways to Give Away Less of Your Personal Data

4 May 2024 at 13:30

Sometimes it feels like privacy, as a concept, has vanished from the world. Advertisers certainly seem to know everything about you, serving up frighteningly accurate ads that make you think your phone’s microphone has been turned on and marketers are actively listening to your every mumble.

They’re not—yet. But they are engaged in something called “data mining,” which is the process of collecting enormous amounts of anonymous data from your every connected activity and then analyzing that data to infiltrate your life with advertisements and other influences. And it’s not just corporate America—criminals can mine your data in order to rip you off.

If that bugs you—and it should—you can take some steps to minimize data mining in your life. You can’t completely escape it unless you plan to live off-grid with zero Internet connection, but you can reduce your exposure. After all, it’s your data, you’re not being compensated for it, and it’s creepy that some anonymous marketing team knows you’re really into RPGs and craft beer.

Read those EULAs

One of the biggest vectors for mining your data is your smartphone, especially the apps you’ve installed on it. Every time you install an app you agree to its terms—the end user license agreement (EULA) and other requirements.

A first line of defense against data mining is to take the time to review those EULAs. You can’t negotiate, but if you see you’re being asked for blanket permission to send data back to the mothership, you might at least look for an alternative. The key warning signs that the app is just a data-mining vessel are granting permission to monitor your Internet activity, to explicitly collect personal information, or to use your computer or device for their own purposes. If you see anything that gives you pause, think twice before agreeing.

Check settings

When you install an app on your device, you probably click through a series of permissions that grant that app access to everything it needs to gather data about you. This is a data-mining goldmine.

A few years ago, for example, an investigation found that about 5,400 apps were siphoning data from just one person’s smartphone—1.5 gigs of data in all. And back in 2017, an app maker called Alphonso was caught tracking what people were watching on TV by activating the microphone on their smartphones.

If an app requires a lot of unnecessary permissions—does a game really need access to your microphone, location, and camera?—you should assume it’s more of a data-mining app than anything else. Your next line of defense: Stop installing garbage free apps and spend that dollar. Every app wants to make money from you, and if you’re not paying up front, you’re paying in some other way, most likely by having your data strip-mined.

Be boring on social

Social media is very obviously a dumpster fire when it comes to privacy. You’re literally posting a photo of you at the store with the hashtag #LiveToShop, so you shouldn’t be surprised when that store’s ads start popping up all over your life.

If you’re concerned about data mining, you can take a few simple steps to reduce the access that data miners have to your social media:

  • Set your profile to private. If your main goal on social media is to connect with friends or colleagues, restrict the reach of your posts to just those folks.

  • Be a snob. Don’t accept every request you receive to connect—if you don’t know that person, they don’t need to be let in to your inner circle.

  • Discretion. Don’t blast your travel plans, spending habits, or product reviews out into the universe.

Using social media compromises your privacy, but if you’re mindful of the information data miners want, you can at least refuse to make it easy.

Log out

When you log into platforms like Google or Facebook, that platform can pretty easily track what you’re doing. And as long as you’re signed in, that ability persists—even if you leave the site. These companies are really data mining companies, and they have perfected the art of following you around.

It’s a pain in the butt, but logging out of those services when you’re not actively using them (and clearing cookies and browsing history regularly) can slow down the vacuuming of data. It’s inconvenient to do so by design, but it has a real impact on how much information is being mined from your online activities.

Avoid memes

Data mining isn’t just about advertisers selling your stuff. It can also be weaponized by scammers to get personal info they can use to rob you blind, steal your identity, or steal your identity and then rob you blind.

One easy way they can do this is to just wait for you to respond to a phishing meme. These memes look like innocent fun quizzes where you supply some seemingly innocuous bits of personal information and receive a chuckle in response. Common examples include posting your “porn name” (a combination of common security question answers like your middle name or the model of your first car or something similar) or using the last digits of your phone number to do some math magic.

Luckily, there’s an easy way to avoid data mining via phishing memes: Ignore the memes. Your life will actually be incrementally better anyway.

Tech solutions

One of the most effective ways to cut down your exposure to data mining requires a bit more effort. Various privacy tools exist that can really stem the flow of your data to the unappeasable black hole of marketing:

  • VPNs. Virtual Private Networks are useful for privacy because they obscure your location and IP address, which makes it a lot harder for data miners to collate the data they get. Since your data appears to come from a wide range of random locations, it’s impossible to build a coherent profile of your preferences and habits. Installing a VPN on your computer, phone, and devices will go a long way towards cutting off the flow of private information.

  • Tor. The Tor Browser routes your web surfing traffic through many encrypted nodes, making it basically impossible to track your travels on the Internet. If you really want to go dark, combine Tor with a VPN and you’ll be practically invisible. If you’re not ready to use Tor as your everyday browser, use a privacy-focused browser like DuckDuckGo or Brave, or at least adjust the privacy settings in your browser to make it as secure as possible.

  • Ad blockers. Almost every single website you visit tracks your activities and gathers data about you. While using a privacy browser is an effective way to stifle that, ad-blocking plugins can go the extra mile by denying intrusive access to your browsing experience altogether.

How to Avoid Being Added to Spammy WhatsApp Groups

30 April 2024 at 15:00

Do you keep getting unwanted messages from random WhatsApp groups you never asked to join? Spammy groups can be annoying, but you can change a single setting to limit them. Let's see how you can adjust your WhatsApp settings and keep yourself from being barraged with spam messages. After that, you can adopt better privacy habits to keep your chats clear of unsolicited content.

Set up the WhatsApp Group invite settings

The instructions and screenshots below are from the WhatsApp app for iOS. The steps are similar for Android, with minor variations.

  1. Open WhatsApp and tap Settings. In Android, Settings is located under the kebab menu (three vertical dots) at the top right.

  2. Tap on Privacy on the Settings screen.

  3. Select Groups. You'll see multiple options for "Who Can Add Me to Groups?".

  4. By default, it's set to Everyone. Anyone with your phone number can add you to any group. Here are three more settings that give different levels of control.

  • My Contacts: Only people in your address book can add you to groups. They'll need to send a private invite for you to approve within 72 hours.

  • My Contacts Except: This offers more granular control. Choose this option and select specific contacts to exclude from adding you to groups.

  • Nobody: This gives you complete control and is the recommended setting. You have to explicitly give your permission when you receive an invite from a WhatsApp group. WhatsApp on Android doesn't display this option (and some users on iOS may not see it, either)—choose "My Contacts" instead, or "My Contacts Except" and manually select people, if you have contacts who are trying to spam you. (If you don't have the "Nobody" option and you really don't want invites, choose "My Contacts Except" and then "Select All.")

WhatsApp for iOS group privacy settings showing the "Nobody" option
Credit: Saikat Basu

You will still receive invite links in a private DM to join a group. But now you have the choice. If you want to join a group, you'll have three days to accept the invite before it expires.

Note: Group privacy settings can’t be changed on WhatsApp Web or Desktop. When you change the settings on your phone, they will be synced with WhatsApp Web and Desktop. Also, this setting doesn't apply to community announcements; if you're in a community, you'll always be added to these.

More tips to avoid unwanted WhatsApp Groups

WhatsApp makes texting and sharing easy—which makes it easy to overlook some basic privacy guidelines.

  1. Don't share your number publicly online. Spammers can scrape contact information from social sites.

  2. Don't click on unknown links or phishing messages that use link shorteners from unknown sources.

  3. Be cautious of messages with urgent language or unknown senders.

  4. If you accidentally join a spam group, you can report it by tapping on the group info and selecting Report Group. Then, select Exit Group to leave the group. You can archive the WhatsApp group and hide it from view.

  5. WhatsApp also has a Privacy Checkup tool. It's like a guide that takes you to the ideal settings to apply and control your privacy on the app.

Tip: While you're at it, tweak another setting to silence all unknown and spam callers on WhatsApp.

U.S. to Ask Court to Reauthorize Disputed Surveillance Program for a Year

28 February 2024 at 22:18
As Congress stalls in considering an expiring warrantless surveillance law known as Section 702, the Biden administration has decided not to risk a lapse.

The law allows the government to collect communications of intelligence targets without individualized warrants.

Tumblr and WordPress Are Selling Your Data to AI Companies

28 February 2024 at 20:00

If you run a WordPress website or have a blog on Tumblr, you've probably produced and published a sizable amount of content there. While we all know the internet isn't "private," you probably posted those texts and images thinking they were yours, and wouldn't be stolen by the very companies you relied on to host them.

As it happens, WordPress and Tumblr are preparing to do just that. As first reported by 404 Media, the parent company for both sites, Automattic, has entered into a deal to sell user data from Tumblr and WordPress to AI companies like Midjourney and OpenAI. The AI companies intend to use the data to train their systems.

As if that weren't bad enough, preparations for the sale went poorly, and it seems large categories of Tumblr posts that weren't supposed to be sold were added to the mix anyway. That data includes:

  • Private posts from public accounts

  • Posts on deleted or suspended accounts

  • Unanswered asks

  • Private answers

  • Explicit posts

  • Posts from partner accounts, like ad campaigns where Tumblr doesn't own the rights. (Apple is specifically named here.)

It's possible this data was not actually sent to OpenAI and Midjourney, and that it was simply identified and cleared for that use. However, 404 Media could not confirm this. They could confirm, however, that password-protected posts, direct messages, and media identified as CSAM were not in the bunch. So...that's good.

It might not be all WordPress sites

Automattic specifies that only WordPress.com sites are affected by this data scraping, as opposed to content created on the WordPress CMS that you might use with a site hosted elsewhere. In theory, your WordPress CMS sites not hosted with Automattic should be safe from these actions.

That said, 404 Media could not confirm whether using Automattic plugins like JetPack would bring a self-hosted site into Automattic's scummy data-sharing policies.

You don't need to be OK with Automattic selling your data

A source tells 404 Media that Automattic will be adding a new setting for its properties on Wednesday to allow users to opt-out of selling and sharing data with third-party companies. The outlet received a copy of a new FAQ section, which details that this opt-out option will block crawlers from accessing your sites if you enable it "from the start." If you choose to opt-out later, Automattic will contact partners and "ask" that they remove your content from their datasets and training.

This wording is not particularly encouraging. However, whenever Automattic does release this opt-out option, I suggest you use it on your Tumblr and WordPress sites anyway.

Following the 404 Media piece, Automattic published a statement saying it blocks major AI platform crawlers, and updates its lists to add new ones; has features to block search engines from indexing your sites, which can also discourage AI crawling; and that they only share public content hosted on WordPress and Tumblr from sites that haven't chosen to opt-out. That said, they admit no laws exist that require crawlers to abide by these preferences, and that they are working with certain AI companies, "as long as their plans align with what our community cares about: attribution, opt-outs, and control."

What will AI companies do with this data?

Companies like Midjourney and OpenAI require huge datasets to train their AI systems. Programs like Midjourney and ChatGPT wouldn't be possible without pushing enormous amounts of information their way: It's how they "learn" how to do the things they do.

So your WordPress blog posts filled with your favorite recipes can be fed to generative AI models to train them on how to "talk" about food (or anything at all); your photo dumps on Tumblr can train models on how to recognize subjects like a car or a bird. The data from all your sites, plus the sites of millions more users, is invaluable to AI companies, which means it's extremely valuable to the companies that own those sites, and can sell it. Automattic will likely make a ton of money on this deal, just as Reddit will likely make a ton of money on its own AI content licensing deal with Google.

It's fun to post and share on the internet, but it might be about time to take back what's yours: If you don't own the platform you're sharing your original ideas on, consider taking them to one that you do own, before your ideas become training wheels for artificial intelligence.

All of Your Information That’s Publicly Available (and What You Can Do About It)

28 February 2024 at 01:30

It’s one thing to be vaguely aware that privacy no longer really exists. We live in a world filled with doorbell cameras, so your chances of turning up in random TikToks or YouTube videos are never zero, after all. But most people assume that there’s a clear line between what we consider our personal business and the information available in public records. But the truth is that line isn’t much of a line at all—you don’t have to be a billionaire with a private jet to experience the joys of public records.

If you’ve ever Googled an old school friend out of curiosity you’ve probably gotten a bunch of results back from sites like Spokeo or Whitepages promising to generate a report that lists everything about that person. Maybe you thought it was a scam, but those sites can actually offer you a ton of information about just about anyone, because there’s a lot more information about you in public—and publicly accessible—records than you might think.

The truth is out there

So what’s in public records? A lot. The basics—your name, birthday, home address—certainly. But also most probably stuff like

  • your driver’s license number and status

  • your Social Security number

  • traffic fines and accidents

  • your voter registration

  • your marital status

  • your home address

  • employment history

  • your photo and physical description

  • the names of your immediate relatives, spouse, and children

  • property records including liens, foreclosures, and mortgages

  • arrest records

Some of this is obvious. If you’ve ever maintained a LinkedIn profile, your work history, photo, and contact info were likely scraped and repackaged. If you list your home for sale, everyone in your neighborhood can know about it immediately when your house shows up on Trulia or Zillow.

But you might imagine that things you don’t voluntarily post online would remain private. For example, if you get into financial trouble and your home is foreclosed on, you’re probably not posting that to Facebook with a frowny face emoji, so you might expect it to remain private. But you’d be wrong. If someone wants to know if you’re in foreclosure on your home, it’s very easy to find all that information, too. By triangulating mortgage, foreclosure, and court records you can assemble a pretty clear picture of someone’s financial state without violating a single law.

One reason this is so easy? The government is actively selling your information via that beloved institution: The DMV. In order to obtain a driver’s license, you have to submit a lot of personal information to your state’s Department of Motor Vehicles or equivalent, and they actively and enthusiastically sell that information to third parties. That alone makes it insanely easy to find out most of this stuff. And anything classified as a public record is legally accessible by anyone—otherwise it wouldn’t be considered public.

Reclaiming privacy

So details about your life are in public records. What can you do about it?

Not a ton. Agencies like the DMV aren’t going to scrub your personal data because they need that to perform their function, and they’re not going to stop selling your data until the laws change. And once information from social media is scraped, there is no way to unscrape it. But there are a few things you can do to remove private information from at least some public records:

  • People-search sites. You probably know about sites like Spokeo, Intelius, or WhitePages where you can search public records for people. These sites often have a surprising amount of information available about you. They also all offer tools to have your information removed from their database, so you can often search for opt-out pages and privacy tools pages on those sites to scrub some of your information from the Internet.

  • Remove unused profiles. If you have old social media profiles or online memberships that you no longer use, remove them. Most platforms offer some form of account removal, and getting this data off the public-facing Internet is a small step towards controlling the publicly available information about you. While you’re at it, switch social media accounts to private if you can.

    You should also reach out to the Internet Archive. This invaluable service preserves web pages for posterity, but old social media profiles, personal websites, and other artifacts of your prior online lives are often preserved as well. You can request their removal pretty easily, but the Archive warns it makes no guarantee it will comply.

  • Contact government agencies, banks, and other entities. It can be extremely difficult to remove public information from government sites, but there are some actions you can pursue. Many states will obscure or block your voter registration information if you fit certain criteria, for example. If you resolve a foreclosure, you can (and should!) ask your lender to remove the Notice of Default, though this may not propagate to real estate sites in a timely manner (or at all). You can also try to get real estate listings of your home taken down, and you can ask Google to blur your house, though sites like Zillow probably won’t be willing to remove your home from their database. Depending on where you live, you may be able to request that identifiable information like phone numbers and Social Security numbers be removed from public records. You can visit your local County Clerk and ask to see the public records you appear in, and request their removal. Your mileage will vary.

That’s about all you can do. Public records are persistent and play a vital role in local governance, so you won’t be able to remove everything—and the stuff you might be able to remove will require a lot of work.

And then constant vigilance, because the chances that your information just pops up again some time later are pretty good. To combat that, you can consider paying for a service like DeleteMe or PrivacyBee, which will monitor people search sites and other online repositories for your personal information and automatically request its removal. These services cost money (ranging from $8 to $20 per month), but knowing someone is opting you out of online databases on your behalf can help you sleep at night.

Just being aware of what’s out there is useful, though. At least you’ll know just how little privacy you actually have, and what people can find out about you with minimal effort.
