Cleanse

Day Thirteen: Shop Securely

Shopping online is a privacy minefield. (Image: CC license freepngimg.com)

Let's Talk Shop

Today we are going to talk seriously about shopping on the Internet. Because the fact is, every time you enter your credit card number and information into a shopping cart or sign up for some kind of service, you are giving your information away. And you are giving it to people who may, indeed, send you the item you just bought -- but at the same time, they are making off with your data.

That's why shopping today isn't just about finding a site with the best deal. It's about understanding a little more about what's going on under the hood with the personal data economy.

Your first task today is to set up a credit card masking service that will allow you to shop online without giving out your personal credit card number. This service is so far only available in the United States -- if you are located outside the US, consider asking your bank if they offer something similar. We'll review this service and how it works.

Even if the service isn't available to you, scroll down. Because I will explain to you the other systems you need in order to check a site out before you buy something from them, or sign up for an account.

Virtual Credit Cards

We (all) buy a lot of things online. And one of the ways that companies can pinpoint you is through your credit card. A singular credit card number, shared across multiple purchases at different stores, can link the owner to the purchases and be used to identify you. 

Similarly, to process the card you input your address and zip code. These tokens of personal information, taken together as we discussed on Day Three, can also be a form of identification.

Or if you use PayPal or Venmo, you're centralizing all your purchases in one place. You're probably also giving out an email address or phone number for payments as well. That's a lot of personal information, and a lot of eggs in one basket.

Enter a service called Privacy.com. This is a financial service that you link to your checking account (much like you've already done with PayPal or Venmo). Privacy.com then lets you spin up and manage virtual credit cards to use wherever you fancy.

(Note that some banks are starting to provide this kind of a service so it's worth checking with your bank to see if they can replicate this product closer to home.)

Privacy Cards can be locked to one merchant (all purchases from the same vendor) or issued as one-time-use cards. You tell Privacy.com the spending limit for that card per transaction, or per month, or per year. Then presto: it gives you a Visa debit card with a number, an expiration date, and a CVV code that you can use like a credit card basically anywhere on the Internet.

The card is not linked to a ZIP code or any other address identifier. So when you enter this card number into a purchase, you can make up your favorite address and zip to go along with it (even, "90210"). It essentially "masks" your real bank information from the point of purchase with a dedicated card number.

Note that it is not a credit card, but a debit card. That is, you can't spend money you don't have. For large expenses that require paying off over time, you'll have to go with the credit card.

But for small, or rotating, or one-time expenses, or really any online purchases, it's genius because:

  • You never have to give out the same credit card number twice, limiting the risk your data will be combined across companies.
  • You can keep tabs on rotating expenses, subscriptions, etc.
  • You can easily shut down or pause a card if a vendor acts suspicious.
  • In the case of a privacy breach, if your card is charged by a different vendor, the charge is denied. You lose no money. And you gain because you can see who precisely was hacked based on which card was charged.
  • If there are problems or refunds, they just go right back on the card and show up in your checking account.
  • Your checking account lists "privacy.com" and then the name of the vendor, so it's easy to track which money went where.
  • It comes with a browser plug-in that can autofill or autogenerate cards for you while shopping.

Privacy.com is one of the best defenses I've found out there against identity theft. More generally, though, it's a fantastic way to Balkanize your shopping data. Because you never have to give out your single credit card number and leave it all over the web. Instead, every expense gets its own card.

From now on, when you shop online, you are going to use a) an email mask, b) a password service and c) a privacy.com card.

Because it's not just a question of identity theft, or hacking. You are being sold out, all over the world wide web.

You Are the Product

Over the last fifteen years, companies have realized that their most valuable asset is not their product, but their customer databases.  If a small business gets acquired by a competitor or a larger company, these databases are precious. If a company gets hacked, it's user data that is stolen.

There is so much a company can do with more personal data. Recall that putting three pieces of information together can identify you. Also, your data is moving without your consent. It's all in their evolving terms of service, that they can give it away to some other third party when or if necessary.

This is the economic engine of today's internet. Attract users, grab their data, and monetize it in some way. Either by selling it to someone else, or allowing another company to sniff it or buy it from you, or by selling your company to someone else...

It's not a necessary feature of the Internet. It's driven by the specific architecture of today's corporations, which are not so much companies as they are investment vehicles. Your job, as a startup, is to make return-on-investment for your investors, and you can do this not by moving product or providing a service, but by monetizing user data.

This isn't your 1980s-style, optimistic, laissez-faire market capitalism. This is a world in which Peter Thiel's words reign supreme: competition is for losers. Monopoly is where it's at.

Hence, you are the product, a stop along the way to acquiring more resources, more power, more companies, more data.

Attracting you to a sale, or setting up an account, or some other way of registering you to a site comes with more strings attached, and more opportunities for companies, than it necessarily does for you.

Internet freedom activist Cory Doctorow has a word for something like this: enshittification. This refers to the downgrade you perceive in the product or service you receive, largely because you have stopped being the customer and started being the product yourself.

The sad fact is, under digital capitalism, making money from you (not taking your money and giving you something in return) has become the name of the game.

Smarter Shopping

That's why smart shopping these days isn't just about finding a deal: it's about knowing which companies you're buying from and what they want from you. Not just to sell you something, but to take your information and sell you more, or sell it to someone else, or sell advertising, etc. To make money for their investors. To share your data with their partners.

Fortunately, you can make some smart guesses.

First, actually read their Privacy Policy and their Terms of Service. You're looking for those clauses where they say, "We can share your data with so-and-so and whats-er-face". If the Terms are unnecessarily long, visit ToS:TL;DR (Terms of Service: Too Long, Didn't Read) or install their browser plugin. They will summarize the privacy practices for you and if no summary is available, they'll retrieve everything for you to check out yourself.

Second, get educated about whom you are buying from. You need to pay some attention to the economics of platforms and the companies that participate in this circus. Do they have other stakeholders? With whom are they connected and with whom might they share your data?

You can get a sense of this by downloading and installing Lightbeam as an extension for Firefox. Lightbeam tells you which cookies and browser elements are connected to other companies. You can essentially visualize the trackers. While you're visiting this one site where you're considering buying a new spatula, which bubbles and trackers pop up?

Make sure you have a browser plugin like Ghostery or Disconnect.me going as well, to look over the list of data sniffers. This gives you an idea of the data ecosystem this company lives in, and a potential idea of their niche in that market.

DuckDuckGo's Privacy Essentials plugin will give the site a privacy rating. Look for third party tracking and tracker requests in particular. You're going for anything B+ and above.

Third, so much for the data ecosystem: what about the financial ecosystem? Who are their investors and creditors? How old is this company? Are they looking to get bought? Are they about to move into a next series of funding? If so, be prepared for all those terms of service to change and for your data to be put to creative new uses.

You can get a sense of this by going to Crunchbase, a database of corporate investment. Check out who has given this company money: it will give you an idea of whether their job is to return massive growth and return on investment or to spend more time in research or sales.  Asking which stage of funding they're in also gives you a sense of where they're at in their corporate lifecycle, if they're likely to get bought out, or what their next move will be to satisfy their investors.

For instance, let's say you found a sweet little shop that sells children's clothes at a discount: go you! Then you look them up on Crunchbase and find they have just got $10 million in pre-series A funding, and their CFO's last company lists investments from Sequoia Capital. There's a good chance that this company is going to start out selling you cheap baby clothes, and ultimately become something of a parental data broker or some other crazy product besides. To make back that level of ROI, what it's doing now isn't what it plans to be doing in one or two years' time.

Once I supervised a project at Princeton where the student built a plugin that combined Ghostery data with Crunchbase data. If you loaded a website, it didn't tell you all the data trackers and beacons that were there: it told you everyone who invested in the trackers that were there. The project never made it past beta, but it was pretty fascinating. Especially because, at the time, the entire internet was basically making money for Ashton Kutcher.

This isn't just an academic exercise, though. You want to know--before you give your data to a service or a store--what your threat model is in terms of your data walking away from your purview. You won't get it exactly right, but you can make a smart guess.

Try (To Stay Private) Before You Buy

If you're not happy about what you see, move on. Find an alternative you do feel comfortable buying from. It's worth paying more to know your data is in good hands, every single time. 

Let's say you're satisfied and prepared to click ACCEPT on their Terms of Service. Now, as an everyday user or consumer, you can ensure that your purchases remain as private as possible. Use an email mask, a privacy.com card number, and a password generator/vault so that they can't re-assemble that information on the back end.

Shipping something to your home? Select the option to use a different shipping address from billing address. Spoof the billing address, as that won't matter to the Privacy.com card.

Then spell your shipping address out creatively. Insert a part of the company's name as your middle name or initials. Misspell your last name, or your first. The post office is just looking at the address, not the addressee.

If you ever get mail addressed to that particular creative spelling of your address, you'll know who gave the game away. And in the event that that happens, at least your combination email-mask-card-mask-super-private-password will keep your data from being used for alternative purposes.
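The two attribution tricks described above (a card locked to one merchant, and a shipping name spelled uniquely for each vendor) can be modeled as a small ledger. This is an added illustration, not code from this page or from Privacy.com; `MaskLedger`, its methods, and the sample merchant names are hypothetical, and the card logic only mirrors the behavior the text describes.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class MaskedCard:
    merchant: str        # the single vendor this card is locked to
    limit_cents: int     # per-transaction spending limit
    paused: bool = False


@dataclass
class MaskLedger:
    secret: bytes                              # known only to you
    cards: dict = field(default_factory=dict)  # card id -> MaskedCard
    tags: dict = field(default_factory=dict)   # name tag -> merchant

    def name_tag(self, merchant: str) -> str:
        """Derive a stable three-letter 'middle name' for one merchant."""
        mac = hmac.new(self.secret, merchant.lower().encode(), hashlib.sha256)
        tag = "".join(chr(ord("A") + b % 26) for b in mac.digest()[:3])
        self.tags[tag] = merchant
        return tag

    def issue(self, card_id: str, merchant: str, limit_cents: int) -> None:
        self.cards[card_id] = MaskedCard(merchant, limit_cents)

    def authorize(self, card_id: str, merchant: str, amount_cents: int):
        """Return (decision, reason) for an attempted charge."""
        card = self.cards[card_id]
        if card.paused:
            return ("denied", "card paused")
        if merchant != card.merchant:
            # A charge from anyone else means this vendor's copy leaked.
            return ("denied", f"number leaked from {card.merchant}")
        if amount_cents > card.limit_cents:
            return ("denied", "over limit")
        return ("approved", "")

    def who_leaked(self, addressee: str):
        """Map the name on a piece of mail back to the vendor given that spelling."""
        hits = [m for t, m in self.tags.items() if t in addressee.split()]
        return hits[0] if hits else None


if __name__ == "__main__":
    ledger = MaskLedger(secret=b"constructed-demo-secret")
    ledger.issue("card-1", "Running Store", 15_000)
    print(ledger.authorize("card-1", "Unrelated Vendor", 500))
    print(ledger.who_leaked(f"Jane {ledger.name_tag('Running Store')} Doe"))
```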

Note that you don't have to do this just for online shopping! Once I bought shoes from a running store in Los Angeles. I didn't know much about them. In order to purchase the shoes I needed a credit card and an email address. I told them I didn't want an account. But in the store, I searched on Crunchbase, I spun up a privacy card, and an email mask. I read the card number out to them to punch into their machine.

Two years later, they tried to charge a mystery fee to that privacy card--which they claimed was for "membership fees." Fortunately the card was paused, so the charge didn't go through.

Thanks to the Privacy.com mobile app (iOS and Android), I had a mask even while shopping in person.

Summing Up

For those of you following along, that makes five tasks today:

  1. Sign up for privacy.com to make private purchases with a credit card mask
  2. Review Terms of Service and Privacy Policies (using ToS:TL;DR helps) to see what they're collecting and what they have the right to sell
  3. Install Lightbeam to see how companies are connected through data tracking technologies
  4. Install Ghostery or Disconnect.me or the DuckDuckGo in-browser add-on to observe blocked trackers
  5. Visit Crunchbase.com and look up a few companies you have purchased from to see what their investment profiles are like

And every time you make a purchase--online or offline!!--your plan is as follows:

  1. Mask your email
  2. Mask your credit card
  3. Use your password manager
  4. Spoof the address if at all possible.