Most digital privacy content falls into one of two extremes. Either it’s a paranoid manifesto about how every app is surveilling you and you need to delete everything and move to a self-hosted server in the woods. Or it’s a dismissive “nothing to hide nothing to fear” take that ignores legitimate concerns.
Neither is useful. Here’s a more grounded version.
What’s actually being collected
When you use most apps, a combination of things gets recorded:
Identifiers, your device ID, advertising ID, IP address, and sometimes your phone number or email. These are used to link your activity across sessions and sometimes across apps.
Behavioral data, what you tap, how long you look at something, what you search for, what you skip. This is the most valuable data for advertisers because it predicts what you’ll do next.
Location, even apps that don’t explicitly request location permission can estimate it from your IP address. Apps with location permission can be far more precise, including tracking you when the app isn’t open if you granted background location.
Social graph, who you contact, message, or interact with. Even if you’re careful about your own privacy, the contacts on your phone may have uploaded their address book to an app that now has your number in it.
The uncomfortable reality is that individually none of this feels intrusive. Collectively it builds a detailed profile.
The things that actually matter
Not everything is worth worrying about. Here’s where effort actually pays off:
Passwords, reusing passwords is the highest-risk habit most people have. One data breach exposes every account that uses that password. A password manager (Bitwarden is free and open source) solves this completely. This is the single highest-impact privacy/security habit change you can make.
Two-factor authentication, add it to email, banking, and any account that matters. App-based 2FA (Google Authenticator, Authy) is better than SMS-based 2FA because SIM swapping is a real attack. But SMS 2FA is still much better than nothing.
App permissions on your phone, go through your installed apps and check what permissions they have. Location, microphone, contacts, camera. Most apps that request these permissions don’t actually need them for their core function. Revoke what doesn’t make sense.
What you share in messaging apps, messages on WhatsApp are end-to-end encrypted in transit but stored on your device and backed up to Google Drive or iCloud by default (often unencrypted). If you’re sharing something sensitive, be aware of where it ends up.
The stuff that’s overhyped
“Incognito mode protects your privacy”, it doesn’t hide your activity from your ISP, your employer’s network, or the websites you visit. It only prevents your browser from storing local history. Useful for shared devices, not for privacy from external parties.
VPNs as privacy tools, a VPN shifts who can see your traffic from your ISP to your VPN provider. If your VPN provider logs your activity (many do), you haven’t gained much. Useful for specific situations (public wifi, bypassing geographic restrictions), not a general privacy solution.
Deleting social media posts, deleted posts may still exist in platform backups, have been scraped by third parties, or been seen/screenshotted before deletion. The internet has a long memory. The privacy gain from deletion is real but limited.
Anonymous sharing, when you actually need it
Sometimes the need is specific: share an image with someone without it ending up permanently attached to your identity or stored on a server indefinitely.
This comes up more than people expect, sharing sensitive documents temporarily, quick image transfer without cloud sync, publishing something you want readable but not attached to your name.
For temporary image sharing with auto-delete, Blink is what I built for this. Select an image, share via QR, it disappears after the timer. No account on either end.
For anonymous writing, posting thoughts, notes, or content without an account or email, Echo lets you publish with just a link, no identity attached.
Neither of these is for extreme threat models. They’re for the normal everyday situation where you just don’t want your data hanging around permanently for no reason.
The realistic takeaway
Perfect privacy online doesn’t exist and trying to achieve it is exhausting. What’s achievable is reducing your exposure in the places that actually matter.
Password manager, 2FA on important accounts, sensible app permissions, and being thoughtful about what you put online permanently, that covers the majority of realistic risk for most people.
The rest is up to your personal threat model and how much inconvenience you’re willing to accept in exchange for additional privacy.