'Incognito' browsing isn't really private, and 4 other privacy myths

Marc Saltzman | Special for USA Today

Online privacy myths, exposed: Just because everyone uses public Wi-Fi doesn't mean you should. And you need to go the extra mile to wipe hard drives. Columnist Marc Saltzman has tips for making your surfing safer.

Many Internet users are rightfully questioning how secure their private data really is.

But it takes an explosive scandal like Facebook's acknowledgement that 87 million users may have had their information improperly shared with political ad targeting firm Cambridge Analytica to shine a bright spotlight on the issue.

Many of us think we’re taking the right precautions, when in fact we’re putting our info at risk.

The following are five such misconceptions, the truth behind them, and what to do about it.

Myth No. 1: Using a private browser keeps my information private

Truth:

Whatever your browser calls it – Private Browsing, Incognito Window, or In-Private Mode – it’s meant to let you browse without leaving behind a local trail of history, passwords, cookies, and other assorted bits of revealing information.

Whenever you leave a private session, the browser is supposed to scrub your information, but your online activity is still visible, saved, and could be shared or sold to third parties, says Paige Hanson, chief of identity education at cybersecurity firm Norton.

In other words, while private browsing prevents information from being automatically stored on your device, such as browsing history or downloaded cookies, your activity is still visible to the Internet Service Provider, as well as to the organization that provides the Internet connection (such as a school or company). The websites you visit may be able to view the session, too.

What to do:

Just remember a “private browsing” mode may not be as private as it suggests. Those who are concerned about privacy could install a reputable Virtual Private Network (VPN), which provides anonymity when browsing online. An up-to-date security suite should also help you keep away from prying eyes.

Myth No. 2: It’s safe to use public Wi-Fi, because, well, everyone does it.

Truth:

It’s true Wi-Fi hotspots are a popular way to get online. They’re free, easy to use, and available in many places – from coffee shops, restaurants and bars to airports, hotels, sports arenas, and schools.

But there are risks in using them. One is you may not be joining the network you think you’re joining – even though it may be called McDonaldsWiFi, for example – as it could be a fake, “rogue” network set up by someone nearby, who’s trying to access your info. Secondly, even if it’s a legitimate Wi-Fi hotspot, there are still risks in using the same one as everyone else. Malicious types can use tools to hack your device; it’s not common, but technically possible. Third, those who provide free Wi-Fi can (and often do) collect and sell data about your browsing habits.

Another misconception is a public Wi-Fi hotspot is safe if there’s a password required, often given out by the establishment. But Hanson says this is not much safer than having no password if it’s freely given out to everyone indiscriminately.

What to do:

If you can avoid them altogether, don’t use public Wi-Fi. Instead, consider your smartphone’s cellular connection by creating a personal hotspot. If you want to use free public Wi-Fi, use a VPN (per above) to browse anonymously.

And once you’re in a Wi-Fi hotspot, refrain from inputting personal information, such as passwords and usernames (yes, this means don’t read email or access social media). And of course, never conduct financial transactions, such as paying bills, shopping online, day trading, or filing taxes.

If you want to read the news or check sports scores, have at it.

One last tip: don’t let devices automatically log onto free networks, which is sometimes an option (depending on the device), and if prompted, always say “no” to allowing your device to be visible on the network for sharing purposes (a common Windows prompt).

Myth No. 3: My personal data is gone once I delete it from a device.

Truth:

Deleting files, emptying the Recycle Bin and even formatting a computer’s hard drive, USB thumb drive or memory card can still leave your personal files buried among those 0s and 1s. Yes, it’s true. Cybercriminals can still retrieve your documents, images, and other files using easily accessible “recovery” tools found online.

Unless you take the necessary steps to properly wipe the hard drive or flash drives clean, don’t sell, donate, trade in, or recycle your computer.

What to do:

There is downloadable software that can properly erase your hard drive. Sometimes referred to as “shredding” a drive, these tools, like Eraser and CBL Data Shredder, can comb through every sector to clear all your data. The process can take a while, so wait it out.

If your wiping software asks you to identify the number of passes you would like it to run, three is a sufficient number, suggests Hanson.

Some people physically destroy hard drives before recycling an old computer, such as taking a drill or hammer to it, but you don’t want to physically hurt yourself in the process. Good software will do the trick.

As for smartphones and tablets, the good news is newer iOS and Android devices support encryption, therefore opting for a “restore” or “factory reset” should be fine (it will say something like “Erase All Content and Settings?”). Or use reliable third-party software to do the job on an Android device.

Myth No. 4: If my Facebook is set to Private, only my Friends can see me

Truth:

Not entirely true. While Facebook gives you the option to only share info with your chosen friends, even private profiles show your name, profile picture, cover photo, user I.D., and more, to others on the network.

Plus, apps you downloaded may have had access to your entire friends list. If you’re using Facebook to sign in somewhere, or play a game, carefully read what you’re granting access to.

What to do:

If you still want to be on Facebook, take the time to read your privacy and security settings. If you don’t understand them all, talk to someone who does or do some online research — so your permission choices are clear to you.

Don’t allow any third-party apps. They’re “free” for a reason: they want your data. Uninstall third-party apps now, even though they already have some of your data. It’s still not too late.

Nothing is completely secure, private, or anonymous. For example, your birth date may be in a friend’s Contact list and he or she might have agreed to sync those contacts when signing up for a social media platform, or an app.

Myth No. 5: I can use the same password for everything, because it’s not easy to guess.

Truth:

Never use the same password for all your online activity, because if a service is hacked and your password is exposed, cybercriminals will likely try it on another account. Even if your password is super long and complicated, once it’s known, the bad guys have the keys to the kingdom.

A related myth is you have nothing of interest to hackers. Perhaps you think you’re not wealthy or famous, so you’re safe.

Wrong. Everyone’s data is valuable.

What to do:

Not only should you use different passwords for all accounts – and reputable password manager apps can be a handy way to remember them all – try to use a passphrase instead of a password, that is, a sequence of words and other characters including numbers, symbols, and a combination of upper- and lower-case letters.

What’s more, make it harder for malicious types to access your data by adding a second layer of defense. With two-factor authentication (sometimes referred to as “two-step verification”), you not only need a password or passcode (or biometric logon, like a fingerprint or facial scan) to confirm only you can access your accounts, but you also receive a one-time code to your mobile phone to type in.