I used to think Incognito was doing something. Hit the keyboard shortcut, get the little grey hat in the corner, and feel like I had some shield up. Private browsing. Incognito. Whatever the browser calls it.
Then I noticed a pattern that bothered me the more it occurred. I’d search for something in an incognito window, and later, in a regular session, results related to that search would surface. Not immediately, not always obviously, but enough times that I started to wonder what was actually happening.
I didn’t fully understand the mechanism. I just noticed it. And it was enough to make me stop trusting the grey hat.
That sent me digging in a hole I honestly wasn’t sure I wanted to go down. I’ve heard the VPN ads; you’ve probably heard the same ones, they’re everywhere on YouTube. I considered paying for a service, but every time I got close to actually researching it, I hit the same wall: do I even want to bother?
If the data is already out there, if every app and every site and every search engine has been collecting for years, what exactly am I protecting at this point?
That question came up again more recently when something odd happened in one of my Gmail accounts. I suddenly had emails moving from my inbox to the trash on their own. No rule I’d set up, no automation I’d configured, just… moving. As a developer, I know enough to have a better-than-average read on what might be happening, and I still felt an unexpected jolt of helplessness. Like something was happening in a space I thought I had some control over.
After that, I started rotating credentials, auditing app permissions, and reviewing account access. The urgency was sharp right after. Then, a few weeks later, since nothing escalated, it started to fade. Clearly, the habit wasn’t fully formed. I’m still working on that.
In this post, I share my research, what I found surprising, and the steps I’m actually taking as a result. I’m a developer and a user who felt the same “why bother” that a lot of people feel, and went digging anyway.
The Desensitization Trap: Why We Stopped Caring About Online Privacy
If you’ve ever responded to a privacy conversation with “it’s already out there,” you’re in good company. Most people have.
That response even has a name in research circles, and understanding it is probably the most useful thing in this entire post.
Privacy Resignation: The “Why Bother” Loop That Keeps Most People Passive
There’s a term in privacy research called privacy resignation, and the first time I read the definition, it described that “do I even want to bother?” feeling exactly. Once you hear it, you’ll recognize it everywhere: in yourself, in the people around you, in anyone who responds to a privacy conversation with “well, it’s already out there, so…”
Privacy resignation isn’t apathy. It’s more specific than that.
Researchers describe it as a state where people do care about their personal data and want control, but have come to believe that surveillance is effectively inescapable.
The caring and the helplessness exist at the same time, and that combination tends to produce exactly one result: inaction.
It shows up in two forms:
- Surveillance realism: the normalization of data collection as just “the way things are.” Data gets collected, that’s modern life. Why fight it? It’s the digital equivalent of accepting traffic as an unchangeable fact of urban life rather than something worth trying to improve.
- Privacy cynicism: a coping mechanism where the more aware someone becomes of data collection, the more powerless they feel, so the more they disengage. Greater knowledge, paradoxically, leads to less action. Privacy becomes something you observe and accept rather than protect.
If you’ve ever caught yourself saying “I don’t have anything to hide anyway,” that’s privacy cynicism doing its job.
The “Nothing to Hide” Argument Doesn’t Actually Hold Up
The “nothing to hide” reasoning is repeated so often that it starts to feel reasonable. Here’s the problem with it:
Arguing you don’t need privacy because you have nothing to hide is a lot like saying you don’t need free speech because you have nothing to say.
Privacy isn’t only about concealing wrongdoing; it’s about autonomy. It’s the ability to exist, think, and move through the world without every action permanently recorded, categorized, and sold to someone who will use it to influence what you see, buy, and believe.
About 68% of consumers say they’re significantly concerned about how their personal data is being used. Yet many of those same people cynically accept the data-for-services tradeoff because it feels like the only option.
That number isn’t small. Most people do care. They just don’t believe acting on it will accomplish much.
How AI Tools in 2026 Are Quietly Expanding Your Privacy Exposure
Agentic AI (tools that connect to your Gmail, Google Calendar, files, and other accounts to act on your behalf) has created a new privacy surface that most people hand over almost without thinking. Honestly, it leaves me scratching my head raw.
An AI assistant that reads and organizes your email, schedules your meetings, and summarizes your documents (handy, yes) needs broad permissions to do it all. And in 2026, granting that kind of access has become completely routine.
The problem is that the “it’s already out there, why bother?” mindset makes people especially willing to hand over access to AI tools.
If you’ve already given up on privacy in general, authorizing one more app to read your inbox doesn’t feel like a big deal.
But those authorizations stack. They create a consolidated, detailed picture of your life that no single ad tracker ever could, a shadow profile of sorts.
How? Well, that’s what happens when your calendar, financial threads, conversations, and daily schedule are all accessible from one permissions screen you approved in 30 seconds.
Note:
This isn’t an argument against AI tools. It’s an argument for knowing what you’re authorizing and reviewing those permissions with the same intentionality you’d bring to any account access. The “consent fatigue” researchers describe around cookie banners? Well, it’s showing up in exactly the same way with AI permissions. People approve because they’re trained to approve.
Why Privacy Policies Are Designed to Confuse You
Something that frustrates me as a developer is that a lot of what keeps users confused about privacy isn’t an accident but architecture.
This includes:
- Privacy policies that require a college reading level and 20+ minutes to parse.
- Cookie banners designed so “accept all” is two clicks and “reject” requires navigating a submenu.
- Settings buried three levels deep.
These aren’t design failures but design decisions.
Complexity is a mechanism for preserving data collection while maintaining the appearance of user control.
Knowing that doesn’t mean you give up. It means you stop blaming yourself for being confused and start looking for the actual levers you can pull.
Incognito, VPNs, and Cookie Banners: What These Privacy Tools Actually Do
There are three tools most people reach for when they think about protecting their online privacy.
All three have real, specific use cases, and all three are misunderstood in ways that leave the actual tracking running in the background unchecked.
Why Incognito Mode Doesn’t Hide Your Browsing From the Internet
Incognito mode is probably the most widely misunderstood privacy tool in existence. A survey found that 72% of people believe it hides their activity from their ISP and employer.
It doesn’t.
What incognito actually does is stop your device from saving your browsing history, cookies, site data, and form entries once you close the window, and start each session with an empty cookie jar so you aren’t automatically signed in to anything. That’s the complete job description.
The next person who opens your laptop can’t see your browser history. That’s it.
Here’s what incognito doesn’t do:
- Your ISP (Comcast, AT&T, Verizon, or whoever routes your internet) can see which domains you visit, incognito or not. HTTPS hides page contents and full URLs, but your DNS lookups and the server name in the TLS handshake still name the site. In the US, ISPs can legally sell that browsing data to advertisers.
- Every website you visit still sees your IP address and knows where you’re connecting from.
- If you’re on a work or school network, the network administrator sees your traffic just as clearly as always.
- Any time you sign into Google, Facebook, or any account in an incognito window, that provider knows exactly who you are.
A description I came across that kinda stuck put it as: incognito mode is like a secret agent who gets recognized and identified on every single mission, but dutifully shreds his diary when he gets home. The “secret” part only applies to the diary.
Note:
Chrome tells you this when you open an incognito window: “Your activity might still be visible to websites you visit, your employer or school, or your ISP.” Most people click past it without reading.
The rule of thumb is to use Incognito when you’re on a shared device and don’t want the next person to see your session.
Don’t use it expecting privacy from the actual internet.
What a VPN Does, and What It Can’t Protect You From
VPNs have the best marketing in the privacy space. I’ve seen enough YouTube sponsorships that I seriously considered just picking one and signing up.
The pitch is compelling: encrypt your connection, browse privately, protect yourself online. It sounds complete.
I held off because I kept hitting the same question I couldn’t quite answer: Is this actually buying me something real, or am I just paying to feel better about a problem that isn’t solved?
After actually digging in, here’s what I found:
A VPN encrypts your traffic and routes it through the provider’s server. Your ISP no longer sees which domains you visit, only that you’re sending encrypted traffic to a VPN endpoint (assuming your DNS lookups go through the tunnel too, which not every client configures by default).
The websites you visit see the VPN server’s IP address instead of yours. That’s a real privacy gain in the right situation, for example on a hotel or café network you don’t trust.
But here’s what a VPN can’t do:
- It won’t stop tracking scripts from firing once you arrive at a website.
- It won’t protect you from malware you download.
- It doesn’t touch browser fingerprinting.
- And it doesn’t hide your activity from the VPN provider itself.
Pause. Read that last point again.
You haven’t become anonymous; you’ve moved your trust from your ISP to the VPN company. Which is sometimes worth doing, but it’s not the same thing as privacy.
Tip: If you go this route, look for a provider with an independently audited no-logs policy, and check that your DNS queries also go through the tunnel. A VPN that leaks DNS hands your ISP the same list of domains it had before.
Wait, So Why Does My Employer Want Me on a VPN?
If you’ve worked remotely at any point in the last few years, you’ve probably been told to connect to a company VPN before accessing work systems. That’s a different situation entirely with an important distinction that flips the purpose.
- A personal privacy VPN is designed to protect you from outside observers.
- A corporate VPN is designed to protect the company’s data while it travels through your home connection.
Note: The two types solve different problems. Corporate VPN = secure access to company resources, protection of company data in transit. Personal VPN = shifting trust away from your ISP, limited anonymity on public networks. Knowing which one you’re using and why makes both more useful.
Here’s what’s actually happening when you connect to your employer’s VPN:
- Your device creates an encrypted tunnel directly into the company’s private network. That means you can access internal tools, files, databases, and systems as if you were physically sitting at a desk in the office, even if you’re at your kitchen table.
- The encryption protects sensitive company data from being intercepted on your home Wi-Fi or a public network, which matters a lot when you’re handling client records, proprietary documents, or anything that would be a problem if it leaked.
But, and this is the part people don’t always realize, a corporate VPN isn’t giving you privacy from your employer. It’s doing the opposite.
Your employer can monitor the traffic going through a company-managed VPN, especially when you’re accessing internal resources. The tunnel is secure from the outside world, but the company administers it. They see what goes through it.
So when your IT team says “connect to the VPN,” they’re not handing you a privacy tool; they’re opening a secure door into the company’s network, and, by design, they can see what passes through it.
That’s how corporate security is supposed to work; don’t take it personally. Just don’t confuse it with the personal privacy VPN conversation.
Tip:
The single most effective thing you can add to your browser right now is a tracker-blocking extension like uBlock Origin. Free, open-source, and it blocks the scripts that actually follow you across sites, whether you’re in incognito or not.
Cookie Banners: How Sites Track You Before You Click Anything
Every time you see the “Accept All/Reject” cookie banner and click Reject, you probably assume nothing gets tracked. That assumption is usually wrong.
Many sites fire tracking scripts, like Google Analytics, Facebook Pixel, and ad network calls, before you interact with the banner at all. The request goes out on the first page render. You haven’t clicked anything. (I’ve implemented some of these myself.)
The 5-Minute Cookie Banner Audit You Can Run Right Now
You can actually verify this yourself. It takes five minutes, and you only need a browser and DevTools.
- Open any site you visit regularly in an incognito window
- Hit F12 to open DevTools, go to the Network tab, and reload the page so the capture includes the requests from the first render
- Before clicking anything on the page, including the cookie banner, type "google-analytics" or "facebook" in the filter bar
- Check whether those requests already fired
If they did, that site is collecting data before consent. It’s happening at scale.
Over 3,500 consumer privacy lawsuits were projected in the US for 2026, many targeting exactly this pattern. This doesn’t mean every site does this, but enough do that the banner deserves skepticism rather than default trust.
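The same check, scripted, as an added example that is not part of the original post: it runs over entries shaped like the browser's PerformanceResourceTiming records (the same requests the Network tab shows you) and flags requests to tracker hosts that started before the banner was clicked. The tracker host list, the sample entries and the 5000 ms consent time are all constructed for the example; in a real audit you would paste the block into the console and call auditCurrentPage() before touching the banner.

```javascript
// Added example, not from the original post: flag tracker requests that the
// browser recorded before the user touched the cookie banner.
// TRACKER_HOSTS is a small constructed sample, not a complete blocklist; a real
// audit would use a maintained list such as EasyPrivacy.
const TRACKER_HOSTS = [
  'google-analytics.com',
  'googletagmanager.com',
  'doubleclick.net',
  'connect.facebook.net',
  'facebook.com',
];

function hostnameOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch {
    return null; // malformed URL: cannot be attributed to a host
  }
}

// Matches the host itself and any subdomain of it.
function isTrackerHost(host) {
  return TRACKER_HOSTS.some((t) => host === t || host.endsWith('.' + t));
}

// entries: objects shaped like PerformanceResourceTiming
// ({ name, initiatorType, startTime }). consentTimeMs is when the user
// interacted with the banner; anything that started earlier fired without consent.
function preConsentTrackers(entries, consentTimeMs = Infinity) {
  const byHost = new Map();
  for (const e of entries) {
    if (e.startTime >= consentTimeMs) continue; // fired after the click
    const host = hostnameOf(e.name);
    if (!host || !isTrackerHost(host)) continue;
    const rec = byHost.get(host) || { host, count: 0, firstAt: e.startTime, types: new Set() };
    rec.count += 1;
    rec.firstAt = Math.min(rec.firstAt, e.startTime);
    rec.types.add(e.initiatorType);
    byHost.set(host, rec);
  }
  return [...byHost.values()]
    .sort((a, b) => a.firstAt - b.firstAt)
    .map((r) => ({ ...r, types: [...r.types].sort() }));
}

// In a browser console, run this before touching the banner. The Performance
// API keeps entries from the first render, so it works even if DevTools was
// opened late. Outside a browser (e.g. Node) there are no resource entries.
function auditCurrentPage() {
  if (typeof performance === 'undefined' || typeof performance.getEntriesByType !== 'function') {
    return [];
  }
  return preConsentTrackers(performance.getEntriesByType('resource'));
}

// Constructed sample of what a page might have recorded (startTime in ms
// since navigation). In this scenario the banner is clicked at 5000 ms.
const SAMPLE_ENTRIES = [
  { name: 'https://example.com/styles.css', initiatorType: 'link', startTime: 40 },
  { name: 'https://www.googletagmanager.com/gtag/js?id=G-TEST', initiatorType: 'script', startTime: 120 },
  { name: 'https://connect.facebook.net/en_US/fbevents.js', initiatorType: 'script', startTime: 150 },
  { name: 'https://www.google-analytics.com/g/collect?v=2&tid=G-TEST', initiatorType: 'xmlhttprequest', startTime: 310 },
  { name: 'https://www.facebook.com/tr?id=000&ev=PageView', initiatorType: 'img', startTime: 400 },
  { name: 'https://www.google-analytics.com/g/collect?v=2&tid=G-TEST&en=scroll', initiatorType: 'xmlhttprequest', startTime: 9000 },
];
const SAMPLE_CONSENT_TIME_MS = 5000;

// Returns the four tracker hosts that fired before the constructed consent click.
function demo() {
  return preConsentTrackers(SAMPLE_ENTRIES, SAMPLE_CONSENT_TIME_MS);
}
```

Calling auditCurrentPage() in the DevTools console lists the tracker hosts that fired since navigation started, with the request type and the time of the first hit. Because the Performance API retains entries from the first render, this also works when DevTools was opened after the page loaded, which the Network tab alone does not.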
Related: Stop Sleeping On These Super Helpful Chrome DevTools Debugging Tools
Browser Fingerprinting, Metadata, and the Other Ways You’re Being Tracked in 2026
The tracking methods replacing traditional cookies are harder to see, harder to understand, and much harder to block.
These are the ones that actually explain why clearing your history and switching browsers don’t always feel like they’re working.
Browser Fingerprinting: The Tracker That Survives Incognito and Cookie Clears
Cookies are on their way out. Third-party cookies, especially: Safari and Firefox block them by default. The industry’s response hasn’t been to track you less but to find something harder to clear.
Browser fingerprinting collects between 50 and 200 data points about your device and browser configuration. Things like:
- screen resolution
- installed fonts
- graphics card capabilities
- Canvas rendering behavior
- WebGL output
- timezone
- language settings
- mouse movement patterns
Those data points get combined into a unique identifier tied to your specific device.
Research from the Electronic Frontier Foundation found that 83.6% of browsers have unique fingerprints. Over 10,000 of the top websites are actively using fingerprinting right now.
Here’s what makes this fundamentally different from cookies: you can delete a cookie. You can’t change your screen resolution or GPU.
Your hardware and software configuration is your fingerprint, and clearing your history, switching to incognito, or changing your IP address doesn’t touch it.
If your screen resolution, font list, and graphics card hash are the same, you’re the same person to the tracker, session to session, and often even across browsers on the same machine, because those attributes come from the hardware and OS rather than from the browser.
Tip:
Privacy browsers counter this in two ways. Brave randomizes (“farbles”) the output of fingerprinting APIs such as Canvas and WebGL slightly per site and per session, so the same device looks different to every site. Firefox blocks known fingerprinting scripts through Enhanced Tracking Protection and, with resistFingerprinting enabled, reports standardized values (UTC timezone, a generic user agent, rounded window sizes) so that many users look alike. Either way your device becomes far less unique, and that’s one of the main reasons switching browsers is worth doing.
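As an added example (not from the original post), the mechanics in miniature: a fingerprint is a hash over stable device attributes, so changing IP address, cookies or incognito state leaves it untouched, while Brave-style per-site noise on a single input changes it for every site. The attribute set, the device values and the 32-bit FNV-1a hash are simplified stand-ins for the dozens of signals and hashing a real fingerprinting script uses; collectBrowserAttributes() fills in only the fields a plain page can read without extra code.

```javascript
// Added example, not from the original post: why a device fingerprint survives
// incognito and IP changes, and what per-site noise ("farbling") does to it.
// Attribute set and hash are deliberately simplified.

// 32-bit FNV-1a, returned as 8 hex characters. Chosen for readability; real
// trackers use whatever hash they like, the principle is identical.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Only stable device/browser attributes feed the hash. IP address, cookies and
// history are deliberately absent, so changing them cannot change the result.
function fingerprint(attrs) {
  const ordered = [
    attrs.userAgent,
    attrs.screen,
    attrs.timezone,
    attrs.language,
    attrs.gpu,
    attrs.fonts.slice().sort().join(','),
    attrs.canvasHash,
  ];
  return fnv1a32(ordered.join('|'));
}

// Brave-style farbling: perturb one fingerprinting input deterministically per
// (site, session). Each site sees a stable-looking but different device, so
// fingerprints from two sites cannot be joined.
function farbledFingerprint(attrs, siteOrigin, sessionSeed) {
  const noise = fnv1a32(siteOrigin + '#' + sessionSeed);
  return fingerprint({ ...attrs, canvasHash: fnv1a32(attrs.canvasHash + noise) });
}

// Reads real values when run in a browser; returns null elsewhere (e.g. Node).
function collectBrowserAttributes() {
  if (typeof navigator === 'undefined' || typeof screen === 'undefined') return null;
  return {
    userAgent: navigator.userAgent,
    screen: `${screen.width}x${screen.height}x${screen.colorDepth}`,
    timezone: Intl.DateTimeFormat().resolvedOptions().timeZone,
    language: navigator.language,
    gpu: 'unknown',        // a real script reads WEBGL_debug_renderer_info
    fonts: [],             // a real script probes font rendering widths
    canvasHash: 'unknown', // a real script hashes canvas.toDataURL()
  };
}

// Constructed device, seen in two sessions from two networks.
const DEVICE = {
  userAgent: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/122.0',
  screen: '1512x982x30',
  timezone: 'America/New_York',
  language: 'en-US',
  gpu: 'ANGLE (Apple, Apple M2, OpenGL 4.1)',
  fonts: ['Helvetica', 'Menlo', 'SF Pro', 'Arial'],
  canvasHash: 'c4f2a9e1',
};

// Session-level differences that do not enter the hash at all.
const SESSION_A = { ...DEVICE, ip: '203.0.113.7', cookies: {} };
const SESSION_B = { ...DEVICE, ip: '198.51.100.42', cookies: { sid: 'abc' }, incognito: true };

// true: new IP, new cookie jar and incognito still yield the same identifier.
function sameDeviceAcrossSessions() {
  return fingerprint(SESSION_A) === fingerprint(SESSION_B);
}
```

The two sessions hash to the same value because nothing that changed between them is an input. Farbling flips that: the same device yields a different hash for each site origin, so a tracker embedded on two sites cannot tell it is looking at one person.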
Related: The Free Browser Tool That Does More Than You Think
Why Metadata Tells More of the Story Than Your Actual Messages
Most privacy conversations focus on the content of communications like messages, emails, and searches. Encryption protects content. But encryption doesn’t protect metadata, and metadata is frequently more valuable to advertisers and AI systems.
Metadata is the surrounding signal: who you communicate with, how often, at what hours, and from which locations.
Two people messaging each other daily at midnight from the same city tells a story even if neither message can ever be read. For behavioral profiling and predictive advertising, the pattern of activity often matters more than what was actually said.
This reframes how you evaluate privacy tools. “This app encrypts your messages” is true and meaningful.
But if that app still sees your contact list and communication frequency, the encrypted content is only part of what’s being observed.
Harvest Now, Decrypt Later: Why What You Share Today Could Be Read in the Future
This one surprised me, and it’s one of the more unsettling things I found in this research. Talk about a long game.
Harvest Now, Decrypt Later (HNDL) is a strategy where encrypted traffic is recorded today with the plan to decrypt it once quantum computers become capable of breaking the encryption that protected it.
Most public-key cryptography (RSA and elliptic-curve schemes, the foundation of the key exchange behind HTTPS, encrypted messaging, and VPNs) relies on math problems that are extremely hard for classical computers to solve.
A sufficiently large quantum computer running Shor’s algorithm could solve those same problems quickly, recovering the session keys of recorded traffic and, with them, the content. Symmetric ciphers like AES are not broken the same way, which is why the migration focuses on key exchange and signatures.
The critical detail is that this is already happening. Organizations are actively collecting and storing encrypted data right now.
NIST, the US Department of Homeland Security, and ENISA have all issued formal warnings about HNDL. NIST published its first post-quantum cryptography standards in August 2024. Estimates for when a sufficiently powerful quantum computer exists range from 10 to 30 years (or, dare I say, much faster with AI), meaning data collected today could be readable within most people’s lifetimes.
At the user level, there’s no retroactive counter to HNDL: traffic already recorded under a classical key exchange stays exposed, and the fix is being rolled out at the infrastructure layer. What you can do is prefer services that have already moved their key exchange to post-quantum (typically hybrid) algorithms.
It does, however, change how you think about what you share, who you share it with, and which services handle your most sensitive data.
Smart Devices, IoT, and the App Permissions You Forgot About
Smart speakers, fitness trackers, connected cameras, and smart TVs are all IoT devices with a privacy surface that deserves deliberate attention.
The common reassurance is “the data is securely stored.” But secure storage doesn’t prevent model inversion attacks, where researchers have demonstrated that data used to train an AI model can be partially reverse-engineered from the model itself, even without direct access to the raw data.
The documented cases are specific:
- Microphones that are “only listening for the wake word” have repeatedly been shown to activate on similar-sounding phrases, sending audio clips to processing servers.
- Smart TVs log viewing behavior in detail by default.
- Fitness trackers have shared sensitive health data with insurance companies in documented cases.
The Gmail incident I mentioned in the intro pushed me from “I should probably audit this” to actually doing it. What I found when I went through my app permissions was a mix of things I’d actively granted and things I’d completely forgotten about (one app had calendar access from over a year ago, no idea why). Both categories were getting access to more than I’d consciously intended.
Tip:
Go through your app permissions on your phone, not just your desktop, and ask whether each app has a clear reason for what it’s accessing. If you can’t answer that in five seconds, revoke it!
How to Protect Your Online Privacy in 2026: Free Steps Worth Taking Today
I’m not going to give you abstract recommendations. These are the changes that have a measurable impact on how much of your online activity gets tracked, profiled, and sold.
Most of them take less than an afternoon to put in place.
1. Stop Making It Easy to Correlate Your Identity Across Accounts
The thing about modern ad-tech is that it’s not trying to know everything about you. It’s trying to correlate you, that is, linking your fragmented digital activity across contexts into one coherent profile.
The practical defense is making that correlation harder.
But, hey, how do they even do this correlation? Well, the single most overlooked way this happens: “Log in with Google/Facebook/Apple” buttons. Every time you use one, you’re explicitly connecting a third party to your activity on another service.
Google knows you use that app. Facebook knows. The convenience is real. So is what you’re exchanging for it.
Using separate email addresses for different categories of accounts, or a service like SimpleLogin or Apple’s Hide My Email, significantly fragments that picture. Each account becomes its own island instead of a node in a connected graph.
2. Switch to a Browser and Search Engine That Aren’t Built on Ad Revenue
I downloaded Brave on my phone after going through all of this research, mostly because of the fingerprinting and tracker-blocking piece. The ad and pop-up reduction alone was noticeable (and much appreciated).
Brave and Firefox both actively fight fingerprinting, block cross-site trackers by default, and don’t report your browsing behavior back to an ad network.
Chrome is built by a company whose primary revenue source is targeted advertising. That’s not a coincidence to ignore.
On the search engine side, DuckDuckGo and Startpage don’t build behavioral profiles from your searches. Google does. Your search history is among the most intimate datasets that exist: every anxiety, every symptom, every 2 am question is in there. It’s worth being intentional about who holds it.
I haven’t made the full switch on search yet, but it’s on the list.
Both swaps are free. The adjustment period is a few days at most.
3. Review What Your AI Tools Can Actually Access, Then Revoke What They Don’t Need
If you’re using any AI assistant connected to your email, calendar, files, or accounts, go into the connected apps or OAuth permissions settings and check what each one actually has access to: not the general description, the specific scope.
Does a scheduling tool need read and write access to your calendar, or just read?
Does a document summarizer need access to your entire Drive, or just specific folders?
Most of these tools request broad permissions because broad permissions are easier to implement, not because they need everything they’re asking for.
Once granted, those permissions stay active until you explicitly revoke them.
Most people never do.
Tip:
In Google, you can review all connected apps and their permissions at myaccount.google.com/permissions. The list is almost always longer than you expect, and the review takes about five minutes.
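A way to do that review before you click Allow, as an added example that is not part of the original post: while Google’s consent screen is open, the address bar shows an accounts.google.com/o/oauth2/... URL whose scope parameter lists exactly what is being requested. The scope strings below are Google’s real ones, but the level labels and the “narrower” suggestions are this example’s own least-privilege map, and the sample URL, client_id and redirect are constructed. A scope like gmail.modify, for instance, is enough for an app to label, archive or trash mail on your behalf.

```javascript
// Added example, not from the original post: pull the requested scopes off a
// Google OAuth consent URL and rank them by how much access each one grants.
// Scope strings are Google's; the level/narrower map is this example's opinion.
const LEVEL_RANK = { identity: 0, read: 1, write: 2, full: 3, unknown: 3 };

const SCOPE_INFO = {
  'openid': { level: 'identity', grants: 'confirm which Google account you are' },
  'email': { level: 'identity', grants: 'your primary email address' },
  'profile': { level: 'identity', grants: 'your name and profile picture' },
  'https://www.googleapis.com/auth/calendar.readonly': { level: 'read', grants: 'read every calendar and event' },
  'https://www.googleapis.com/auth/calendar.events': { level: 'write', grants: 'read and edit events',
    narrower: 'https://www.googleapis.com/auth/calendar.readonly' },
  'https://www.googleapis.com/auth/calendar': { level: 'full', grants: 'read, edit, share and delete every calendar',
    narrower: 'https://www.googleapis.com/auth/calendar.events' },
  'https://www.googleapis.com/auth/gmail.readonly': { level: 'read', grants: 'read all mail' },
  'https://www.googleapis.com/auth/gmail.send': { level: 'write', grants: 'send mail as you' },
  'https://www.googleapis.com/auth/gmail.modify': { level: 'write', grants: 'read, label, archive and trash mail',
    narrower: 'https://www.googleapis.com/auth/gmail.readonly' },
  'https://mail.google.com/': { level: 'full', grants: 'full mailbox access, including permanent deletion',
    narrower: 'https://www.googleapis.com/auth/gmail.modify' },
  'https://www.googleapis.com/auth/drive.readonly': { level: 'read', grants: 'read every file in Drive' },
  'https://www.googleapis.com/auth/drive.file': { level: 'write', grants: 'only files the app created or you opened with it' },
  'https://www.googleapis.com/auth/drive': { level: 'full', grants: 'read, edit and delete every file in Drive',
    narrower: 'https://www.googleapis.com/auth/drive.file' },
};

// Google passes the requested scopes in the `scope` query parameter, space-separated.
function scopesFromAuthUrl(url) {
  const raw = new URL(url).searchParams.get('scope') || '';
  return raw.split(/[\s,]+/).filter(Boolean);
}

// One row per scope, broadest first. Unknown scopes rank with 'full' so they
// are never quietly waved through.
function assessScopes(scopes) {
  return scopes
    .map((s) => {
      const info = SCOPE_INFO[s] || { level: 'unknown', grants: 'not in this map; look it up before approving' };
      return { scope: s, level: info.level, grants: info.grants, narrower: info.narrower || null };
    })
    .sort((a, b) => LEVEL_RANK[b.level] - LEVEL_RANK[a.level]);
}

// The questions from the text: write where read would do, or "everything"
// where a scoped variant exists? Anything with a narrower alternative, or
// anything unrecognized, is worth pushing back on.
function overbroadScopes(scopes) {
  return assessScopes(scopes).filter((r) => r.narrower !== null || r.level === 'unknown');
}

// Constructed consent URL for a hypothetical scheduling assistant; client_id
// and redirect_uri are placeholders, not real registrations.
const SAMPLE_AUTH_URL =
  'https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE.apps.googleusercontent.com' +
  '&redirect_uri=https%3A%2F%2Fassistant.example%2Fcallback&response_type=code' +
  '&scope=openid%20email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar' +
  '%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.modify';

// Report for the sample: full calendar control and mail modification for a
// tool whose stated job is scheduling.
function demoReport() {
  return overbroadScopes(scopesFromAuthUrl(SAMPLE_AUTH_URL));
}
```

Run against the constructed URL, the report flags the full calendar scope (calendar.events, or even calendar.readonly, would cover most scheduling tools) and gmail.modify (gmail.readonly suffices if the assistant only needs to read invitations). The identity scopes are left alone; they are what “Sign in with Google” legitimately needs.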
4. Reduce Your Attack Surface with These Practical Habits
Go into your phone’s app permissions and check what each installed app is accessing, things like the microphone, camera, location, and contacts. Revoke anything without an obvious, specific reason to exist.
A flashlight app asking for your location isn’t a flashlight app.
Delete apps you haven’t opened in 30 days. Every installed app is a potential data collection point, even when you’re not actively using it.
When signing up for services, leave the optional fields blank. Phone number, birthday, gender, and secondary address are not required, yet all of them feed into profile-building you have no obligation to contribute to.
Use a password manager. Bitwarden is free and open-source. Unique, strong passwords for every account also blunt credential stuffing: when one service gets breached, attackers immediately try those same credentials everywhere else, and a unique password means the leak stops at that one account.
Rotate credentials after anything that feels off, like an unexpected email behavior, unfamiliar active sessions, or anything that gives you pause. The urgency fades fast; do it while you still care!
Emerging Privacy Technology in 2026: What’s Coming at the Infrastructure Level
This section is different from the action items above since none of this is something you set up this afternoon.
However, it’s the stuff I kept stumbling onto while researching everything else, and I think it’s worth touching on because it changes how you evaluate the services you’re trusting with your data right now.
Self-Sovereign Identity: What If You Actually Held Your Own Credentials?
Think about how identity currently works: A government database holds your license data. Equifax holds your credit history. When you log in with Google, Google is the one deciding you’re you.
You don’t hold any of that; you just have permission to access it through whoever does.
That’s the whole model SSI (Self-Sovereign Identity) is trying to flip, and honestly, the first time I read about it, I thought: why isn’t this already how it works?
The idea is that your credentials (digital versions of your ID, certifications, verifications) live in an encrypted wallet on your own device. There’s no corporate server holding them or a government database. You hold the keys, and you decide what to share, with whom, and when.
Someone needs to verify you’re licensed? You share that credential directly from your wallet. They don’t need to call back to a central database to check.
It’s not widely deployed at the consumer level yet. The EU’s digital wallet initiative and a few government identity programs are actively building in this direction, but it’s still early.
I’m watching this one because it would fundamentally change the “you have to trust someone else with your data to prove who you are” problem that underpins basically all of the issues in this post. Whether in a good way or bad, I don’t know. I have plenty of questions (as a developer and user), which is good, because we all need to start asking more questions.
Zero-Knowledge Proofs: Proving You Qualify Without Handing Over Everything
A zero-knowledge proof lets you prove that something is true without revealing the underlying data.
The example that worked for me: you need to prove you’re over 18 to access a service. The way it works right now, you hand over your ID, which has your birthdate, full name, address, everything (more than anyone asked for, honestly).
A ZKP lets you prove “this person is over 18” without any of those specifics ever leaving your device. The verifier learns nothing more than one fact.
Take that further, and it gets interesting pretty fast. You could verify employment without sharing your salary. Confirm a health condition without handing over your full medical history. Prove your location is within a region without exposing your exact coordinates.
Real-world deployment at scale is limited, but the foundational work seems to be moving quickly. It’s already showing up in privacy tech and decentralized finance.
Post-Quantum Cryptography: Why the Clock Is Already Running
Remember the HNDL problem I mentioned earlier? Where state actors are harvesting encrypted data now, planning to decrypt it once quantum computers can handle it?
Post-quantum cryptography is the infrastructure answer to that, and itās rather urgent. The migration has to happen before quantum computing catches up to current encryption standards. Not after.
NIST published its first three post-quantum cryptography standards in August 2024. These are algorithms designed to resist exactly the kind of attacks future quantum computers would run on today’s RSA and ECC encryption.
Updating the entire internet’s cryptographic layer is a years-long project, and it’s underway right now.
You won’t implement any of this yourself. But what you can do is pay attention to which services are moving toward it. Signal (PQXDH in its key agreement) and Apple (PQ3 for iMessage) have both shipped post-quantum key exchange for sensitive communications, and Chrome and Firefox now negotiate hybrid X25519 plus ML-KEM key exchange in TLS with servers that support it.
For anything you need to stay private for years, not just today, that’s a meaningful difference to account for when you’re choosing who to trust with your data.
Privacy Is a Process, Not a Product
You’re not going to disappear from the internet. That’s not the goal, and honestly, it’s not realistic.
“Do I even want to bother?” is still a fair question. I asked it multiple times while writing this.
The answer I kept arriving at is yes! Not because you can undo what’s already been collected, but because what you share from today forward is still under your influence.
The data that exists can’t be retroactively deleted. You can, however:
- stop feeding the machine more than you have to
- make it harder to correlate your identity across contexts
- stop treating “it’s already out there” as a reason to hand over everything that comes next
Most of the options that actually matter here aren’t technical. They’re decisions.
Who am I sharing this optional field with?
Does this app need my location?
What am I authorizing this AI tool to access?
Which company am I trusting with my search history?
Those aren’t complicated questions. They just require stopping long enough to ask them instead of waiting for a weird inbox moment to make you start.
It’s a Wrap
Okay, we covered a lot of ground in this one. After all of this research, “do I even want to bother?” is still a fair question. I get it. I asked it too.
But the answer is ultimately less about going invisible and more about being deliberate: understanding what you’re actually trading, not just clicking through.
Take the “login with Google” point from earlier. I recently built an iOS app and offered exactly two options: Sign in with Google and Sign in with Apple. Deliberately. Because if I hadn’t, I’d have had to build and manage my own auth. The reality is that not every app you sign up for has done that work properly.
Google and Apple’s infrastructure is more secure than what a lot of smaller services are running on their own. So the call isn’t simply “don’t use it,” it’s use it knowing Google or Apple gets a record of that connection, and check periodically what’s still active at myaccount.google.com/permissions. That list tends to get longer than you’d expect.
You don’t need to do everything on this list today. But pick one thing, just one. Run the DevTools audit on a site you visit regularly and see what fires before you click the cookie banner. Or pull up that permissions page and actually look at what’s connected. I’d bet there’s at least one thing on there that surprises you.
That’s the move. Not a complete overhaul, but one moment of actually looking at what you’ve handed over.
I’m still working through this myself. I’ll probably find something new to be unsettled by the next time I go digging. That’s fine. Privacy in 2026 isn’t a problem you solve once and check off, but a set of decisions you make more intentionally over time.
If you ran the audit, found something unexpected, or have a habit that’s actually stuck, drop it in the comments. I’d be curious what you found.
I’ll see ya on the next one.