Three questions I now ask myself before signing up for a new app

This post may contain affiliate links. For more information visit my disclaimer page.

I have recently come to the realization that a website holding your personal information getting breached is only a matter of time. It’s no longer a matter of if; it’s a matter of when.

The only way to protect myself is to be proactive about online security that is in my sphere of control.

The Equifax breach was the biggest to make the news in 2017, and for good reason. Equifax holds the data we consider most personal, data which also happens to be what financial companies, employers, and many other private companies use to verify our identities and creditworthiness. We were all opted in without a choice, which is why it’s particularly frustrating.

I’ve been a power user and big fan of 1Password for years, so I’d say I have been conscious of online security for a while. At least for passwords.

Equifax, along with the many other data breaches, got me thinking way more about my online security setup and privacy.

This is a large topic, but one of the things I realized I have been doing is signing up for online accounts with my main email address just to test out a new product. Trying new mobile apps or web apps is exciting! It’s fun to see if they would be useful to me, make mental notes about the UI/UX and give it an overall personal critique.

Then I realized:

  • I hardly ever read a privacy policy.
  • I had never considered the implications of so many random companies having my data.
  • I’m using my primary email address for all accounts, including the ones I test for fun.
  • While I create accounts with strong passwords and store them in 1Password, those accounts sit there, active but abandoned, even when I no longer use them.

Yikes.

So, here are a few of the questions I have been asking myself about online security lately.

What type of data are they storing (or selling) about me?

There are tools that make it very easy for anyone to look up someone’s email address and pull a whole bunch of additional data about that individual, such as Clearbit and FullContact. I have some domain knowledge in this area: a previous employer of mine was Infer (acquired in 2017), which builds predictive sales and marketing models for companies using large amounts of data, mostly at a company level, but we’re talking thousands of data points.

Most of the data a tool like Clearbit returns is publicly available; it is aggregated from LinkedIn, Twitter, and many other sources.

Also, what type of data have I willingly given them?

I did a review of my accounts and the most common data stored is:

  • Name
  • Email
  • Postal address
  • Financial – Credit/Debit/Checking account number
  • Birthdate
  • Phone number

I may sign up with only a name and my email address but a service can populate their database with a whole bunch of additional information about me. Or I may provide accounts with additional information willingly. That itself is only part of the problem.

  • What happens if they get hacked?
  • What happens if they get acquired?
  • Do they sell my data?
  • How many phantom accounts are out there that I haven’t tracked sign-ups of in 1Password?
  • Have I linked these accounts to other accounts in some way? For example, do I share my address book from Google with other apps? What do those other apps do with my data?

It’s important to not just think about the initial exposure but also the ripple effects of a service having data on you.

There are many services I use which genuinely need this type of data on file. For the ones that don’t, I decided the best course of action is to remove the data from the account or delete the account altogether. For the services that do need it, the best thing I can do to keep control is to track which accounts hold which data. I use 1Password’s tagging system to keep an up-to-date list of which accounts have what data on me.

This way, if a breach does happen, I can quickly tell what it means for me by checking which important data is on file with that company.
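As an added example (not the author’s setup and not tooling from 1Password), here is the same inventory idea as a small Python script: each account carries the data-category tags described above, plus the sign-up address and whether it is still in use, and a breach notification for one service is answered with two lookups: what that service had on file, and which other accounts are hit indirectly because they share the sign-up address or sign in through the breached service. All services, addresses and accounts are constructed for the example.

```python
"""Account inventory check: what a breach at one service exposes.

Added example with constructed data; not a real vault export.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Data categories that matter most when a breach is announced.
SENSITIVE = frozenset({"financial", "postal address", "birthdate", "phone"})


@dataclass(frozen=True)
class Account:
    service: str                     # hypothetical domain the login belongs to
    email: str                       # address the account was created with
    data: FrozenSet[str]             # categories the service holds on file (the tags)
    login_via: Optional[str] = None  # identity provider, if "Sign in with ..." was used
    in_use: bool = True              # False = tried once and abandoned


# Constructed inventory (example data, not anyone's actual accounts).
INVENTORY: List[Account] = [
    Account("bank.example", "alice@example.com",
            frozenset({"name", "email", "postal address", "financial", "birthdate", "phone"})),
    Account("mail.example", "alice@example.com",
            frozenset({"name", "email", "phone", "birthdate"})),
    Account("shop.example", "alice@example.com",
            frozenset({"name", "email", "postal address", "financial"}), in_use=False),
    Account("notes-app.example", "alice+trial@example.com",
            frozenset({"name", "email"}), login_via="mail.example", in_use=False),
    Account("forum.example", "alice+trial@example.com",
            frozenset({"name", "email"}), in_use=False),
]


def find(inventory: List[Account], service: str) -> Account:
    """Look up a service; a miss means an untracked (phantom) account."""
    for acct in inventory:
        if acct.service == service:
            return acct
    raise KeyError(f"{service} is not in the inventory; phantom account?")


def exposure(inventory: List[Account], breached: str) -> List[str]:
    """Data categories the breached service had on file, most sensitive first."""
    acct = find(inventory, breached)
    return sorted(acct.data, key=lambda c: (c not in SENSITIVE, c))


def ripple(inventory: List[Account], breached: str) -> Dict[str, List[str]]:
    """Accounts hit indirectly: same sign-up address (now a phishing and
    credential-stuffing target) or sign-in delegated to the breached service."""
    acct = find(inventory, breached)
    hit: Dict[str, List[str]] = {}
    for other in inventory:
        if other.service == breached:
            continue
        reasons = []
        if other.email == acct.email:
            reasons.append("shares sign-up email")
        if other.login_via == breached:
            reasons.append("signs in via breached service")
        if reasons:
            hit[other.service] = reasons
    return hit


def cleanup_candidates(inventory: List[Account]) -> List[str]:
    """Abandoned accounts still holding sensitive data: strip the data or delete the account."""
    return sorted(a.service for a in inventory if not a.in_use and a.data & SENSITIVE)


if __name__ == "__main__":
    breached = "shop.example"
    print(f"{breached} breach exposes: {', '.join(exposure(INVENTORY, breached))}")
    for service, reasons in ripple(INVENTORY, breached).items():
        print(f"  also check {service}: {'; '.join(reasons)}")
    print(f"abandoned accounts with sensitive data: {cleanup_candidates(INVENTORY)}")
```

The `find` lookup raising on an unknown service is deliberate: a breach notice for a service that is not in the inventory is exactly the phantom-account case, and the script should surface it rather than report nothing exposed.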

What is in their privacy policy?

Have you ever received a robocall from some random company with no idea how they got your phone number? It happens to me (and it drives me nuts!).

A few years back I wrote about a way to control this by using Google Voice. I still use that method today as a primary proactive measure.

So, how does that happen? Usually, at some point you willingly provided your information to a company that sells your data, through something like a giveaway or contest. It has to be disclosed in the fine print, but like me, you probably didn’t read it.

Nearly every software company publishes a privacy policy that discloses what it does and doesn’t do with your data.

One of my favorite email clients for years was Mailbox, which was acquired by Dropbox. Dropbox then neglected its development and eventually shut it down. People mourned (including myself). I started searching for another solution right away. I eventually landed on a free solution called Spark and ended up loving it! It was everything Mailbox was and more. Search over.

Then I came across a thread in the Spark posting on Product Hunt. Someone was questioning their privacy policy. Concerned, I looked into it. I had a freakout moment.

In order to sync between desktop clients and mobile apps and to power some of its features, Spark copied your emails to its servers and stored them there. A lot of personal information goes through my email, and if I connected my work email, potentially even more sensitive information that could have implications well beyond myself.

In all fairness to Spark, their privacy policy is actually very good at explaining when and how data is stored on or deleted from their servers. Authentication is done with OAuth, so login credentials aren’t stored; note that the OAuth grant is still a standing token that can read the mailbox until you revoke it. It made me reconsider. I decided to delete the app and revoke Spark’s access in my Google account settings. It wasn’t worth it. I looked at other email clients like Astro, which was even more concerning. No thanks.

Not all services will have a privacy policy I agree with but knowledge is power and gives me a greater sense of control.

If the product is free how are they making money?

There is an old saying in Silicon Valley: If the Product is free you are the product.

Facebook is a prime example. They have created a product which is free to use, addictive and connects you with friends and family all over the world. You don’t pay for it and you are providing a lot of data to Facebook.

Profile data is first-party data. It’s the data you provide them. They also collect data about your circle of friends, your interactions online, and, if you stay logged in, the websites you visit. I’ve read that they now also purchase third-party data from other sources.

Facebook uses that massive amount of data about you to give advertisers targeting options. I’ve played around with the options for Facebook and Instagram ads. It’s a marketer’s DREAM. Do I still have a Facebook account? Yes. However, I have drastically limited the amount of first-party data I provide.

It’s always worth asking yourself how that company makes money. If they provide a paid product, great. Then their freemium model is to upsell you from free to paid. Easy to understand.

If there is no paid option then in most cases you are the product. They will make money off you in some way. Just knowing that gives you control to think twice or ask a few more questions before signing up.

Conclusion

The only way to protect yourself is to be proactive about online security that is in your sphere of control.

I outlined three basic questions I have asked myself recently as I’ve become hyper-focused on this topic. I’m not going to stop using some of these online services. That’s not realistic or even desired for me right now, but we all should ask some of these basic questions and take precautions with our online footprint.

A website getting hacked with your personal information isn’t a matter of if anymore. It’s a matter of when.