If you want to improve your online privacy, you’re supposed to "use Signal, use Tor." The clichéd phrase, now five or so years old, was meant to be a sardonic joke underscoring the need for more nuanced online security and privacy advice. But even as the humor became lost on security practitioners (not to mention the general public), the point remains an important one: There's a lot more to managing your online data privacy than just using an end-to-end encrypted messaging platform (Signal) and a network based on onion routing (Tor).  

While using Signal and Tor do provide varying degrees of security, anonymity, and privacy depending on how they're used, there is much more to improving online privacy. In the absence of strong consumer privacy regulations and enforcement, software tools to enhance user privacy have thrived. There are numerous browser add-ons to reduce the personal information that data brokers collect, apps to encrypt and reroute Web traffic, and websites to help figure out who's tracking you.

Your Personal Privacy Risk Assessment
However, it's no small feat and not very effective to start using a bunch of apps simply because they're supposed to be good at protecting privacy, says Lorrie Cranor, professor and director of the CyLab Security and Privacy Institute at Carnegie Mellon University. There are no cookie-cutter models, she says.

"When people say, 'What should I do?' I ask them to think about the things that are most important to them," Cranor says.

She notes that many people conflate online privacy and security, although there is crossover between them.

"Some of the big-bang-for-the-buck things are using a password manager, using good password habits," she says. "If they don't want to be tracked in their browsing plug-in, use an ad blocker — with the caveat that some things on websites break because of it. So if you turn it off, you have to remember to turn it back on."

Studies consistently show that people are concerned about online privacy but lack the support and tools to act on those concerns. More than 70% of Americans believe that their smartphone activities are being tracked by advertisers and tech companies, that they personally don't benefit from this data collection, and that they want the right to control and delete that data, according to a May 2020 Pew Research report. Yet 85% of consumers across the United States, China, India, the United Kingdom, and Canada worry that they can't trust corporations with their data, despite executives stating the opposite, according to a February 2020 PricewaterhouseCooper survey.

Even though there are no online privacy-protective solutions that will work for everybody, experts say that answering questions about what to protect is helpful in figuring out what privacy protections are needed. These include: What kinds of personally identifiable information am I sharing, and with whom? Do I care about seeing online ads, and are they targeted? And how private do I want my conversations to be?

Figuring out that privacy threat model is one of the most important steps consumers can take in deciding what online privacy actions they need to take. Even privacy experts don't lock everything down. 

The Lies We Tell
Jennifer Granick, a surveillance and cybersecurity counsel at the American Civil Liberties Union, says that although she uses Signal and encrypts email with PGP to communicate with clients and colleagues, she enjoys being shown targeted ads, so she doesn't take steps to block them. 

"I really enjoy the products and services that come along with commercial surveillance. I love Google Maps, figuring out traffic patterns. I did 23andMe," she says. "But I lie about the answers to the security questions because that information is readily available. My dad died recently, and the accountant said it's really important to report the death to credit companies because the answers to those security questions are on the [public] death certificate."

Answers to security questions can be a privacy nightmare. Experts recommend choosing answers that are either nonsensical but easy to remember ("I like pizza!") or straightforward falsehoods — was your first car really a DeLorean?

Whitney Merrill, a privacy attorney at collaboration software company Asana, tells lies, too ... sort of. Merrill uses her password manager to generate lengthy passwords for security questions and then saves them as a note in the manager. 

Truth comes with other risks. Cranor advises that carelessly posting to social networks can lead to major problems.

"We've studied regrets on Facebook, and the biggest regret is not thinking before posting," she says. 

Breaking the Brokers' Hold
Other experts have suggested segmenting important online activities, such as banking and finance and website subscriptions, with separate emails managed in the same email client to help mitigate phishing attempts and spam.

Covering up laptop cameras with a sticky note or piece of electrical tape when not in use, disabling automatic image-loading in Gmail, and going through all of your major online accounts to make sure the privacy settings are dialed up are all recommended actions for the privacy-conscious.

New privacy laws in California and Europe might make it easier for residents there to force online services to delete their information, although you don't have to live in those locations to get commercial data brokers to delete your information.

Merrill recommends periodically spending several hours requesting that data brokers clear your information. Unfortunately, there's no easy way to do it.

"It's so burdensome to do in bulk," Merrill says, but adds, "They do respect that request."