Most of us were never taught to question the tools we use online.
We were handed a phone, shown how to set up an account, and told to get on with it. The people who built these things were smart. They seemed trustworthy. The apps were free. Our schools told us which platforms to use. Our employers sent an email with a link that said “click here.” And just like that, we were migrated to the new system.
So we got on with it.
This is a post about five people doing exactly that. You probably know them. You might be one of them. At different points, I’ve been these people. I work with folks like this every day.
Jose
Jose is 44. He works in sales, coaches his daughter’s soccer team on weekends, and uses his phone constantly. He uses this for directions, for email, for looking things up mid-conversation, so he doesn’t have to admit he doesn’t know something.
He has had the same Gmail account since 2008. His Google Photos has about 14,000 pictures. His kids growing up, vacations, random things he photographed and forgot. He uses Google Maps every single day. He has never really thought about any of this as a system. It’s just his phone.
A few months ago, something stuck with him for a day and then faded. He and his wife had been talking about maybe getting a dog. Just talking, out loud, in the kitchen. A few hours later, scrolling through his feed, he saw an ad for a local dog breeder.
He mentioned it to a coworker. The coworker said, “Yeah, that happens.” Jose said, “That’s kind of creepy.” They both laughed and moved on.
Jose didn’t change anything because nothing bad had actually happened. The ad was almost convenient. He was just thinking about dogs anyway. And if he did think it was creepy, he wouldn’t have known what to change even if he’d wanted to.
What Jose doesn’t know is that the ad almost certainly wasn’t from his phone listening to him. That’s a common fear, but the reality is stranger and in some ways more unsettling. It came from a combination of things. His location data showed he’d driven past a pet supply store twice that week, his wife’s search history on a phone on their home network, and a behavioral profile quietly built up around their household over the years. One that identified them as statistically likely to be in a “life transition” moment, the kind when people get pets. No one was listening. Something more comprehensive than listening was happening.
Think of it like this. If someone followed you around for ten years and wrote down everything you bought, everywhere you went, everything you searched for, and everyone you talked to, they’d start to know things about you that even your friends don’t know. A behavioral profile is that, aside from being automatic, it never sleeps and is being built whether you know about it or not.
His data, all of it, was constantly being processed to predict what he would do before he had decided to do it.
Jose is not a target. He is a pattern.
Donna
Donna is 67 and retired. She’s sharp, reads widely, and is more skeptical of technology than most people her age because she watched it hollow out her industry, publishing, from the inside.
A couple of years ago, she read something about data privacy and decided to do something about it. She downloaded Signal. She switched her search engine. She told her daughter about it.
Her daughter still texted her on regular SMS. Her book club was organized through a Facebook group. Her doctor’s patient portal required a Google login. Her grandkids sent photos through iCloud.
Within a few months, Donna was back to using everything she’d been using before. Signal still sitting on her phone unused, plus a faint background sense of guilt she couldn’t quite shake.
She hadn’t failed. She had run into the most honest problem in this entire conversation. You cannot opt out of a networked system on your own. Your privacy is partly determined by the choices of everyone around you. Your family, your doctor’s office, your insurance company, and the organizations you belong to. Donna did everything right, and it didn’t matter because the system isn’t designed around individual choices. It’s designed around the assumption that leaving is too hard.
She still thinks about it. She just doesn’t know what to do with the thinking.
Marcus
Marcus is 31, works in marketing, and will tell you, without any defensiveness, that he genuinely likes the personalization.
He likes that Spotify knows him well enough to surface an artist he’d never heard of and get it exactly right. He likes that Google Maps knows he goes to the gym on Tuesday mornings and offers directions before he asks. He likes that his shopping recommendations have gotten weirdly accurate. He’s aware of the trade-off, and he’s decided it’s worth it.
This is a reasonable position. It’s probably the most honest version of the bargain that most people, consciously or unconsciously, make. Marcus isn’t naive. He understands the transaction. He’s just decided he’s fine with it.
What Marcus hasn’t fully thought through is that the deal he’s agreeing to now isn’t necessarily the deal he’ll be held to later.
Here’s the thing about your agreement (Terms of Service or Terms of Use) with a tech company. You hold up your end permanently. You’ve already handed over the data. But their end? That can change. The company gets sold. The terms get updated. A new owner decides to monetize the data differently. None of that requires your permission. You agreed to whatever the terms say, and the terms say they can change. Marcus made a deal, but he only signed one side. The other side reserves the right to revise.
There’s also something harder to name. The version of Marcus that the algorithm has built isn’t quite him. It’s a model of his past behavior, optimized to keep him engaged. When Spotify serves him a song, it isn’t thinking about what would be genuinely good for him. It’s thinking about what will keep him listening to Spotify. It wants to make sure he doesn’t go to a different music app. When a social media feed shows him something, it isn’t curated for his growth or understanding. It’s curated for his attention and to keep him engaged with his feed on that social media network.
The recommendations feel personal. They are actually mechanical. And over time, the things optimized to keep you clicking have a quiet way of shaping what you click on, what you care about, and what you think you want.
Marcus is getting something real. He’s also giving something he hasn’t fully accounted for.
Idris
Idris is 47 and has spent the last fifteen years working in human rights documentation for a nonprofit. His organization collects testimony from survivors, tracks patterns of abuse, and connects local communities to international advocacy networks. The people he works with trust him with information that could harm them if it fell into the wrong hands.
His organization runs on the same tools most small nonprofits use. Google Workspace for email and documents. WhatsApp for quick communication with field workers. Zoom for calls with funders. A shared Drive folder where reports, testimony summaries, and contact lists live.
Nobody chose these tools through a security review. They chose them the way everyone does. They were free, they worked, and everyone already had them on their phones. When someone new joined, they were added to a Google Drive and a WhatsApp group. That was onboarding.
Then a colleague at a similar organization told Idris something that stayed with him. A government organization approached a major US tech company and legally demanded access to private messages and documents stored on its platform. The company handed them over. They were required to. Under US law, and under the terms of service every user clicks through without reading, platforms can be compelled to share user data with governments under certain circumstances. The users whose data was handed over had no warning, no appeal, and no idea it had happened. They thought their messages were private because the app said they were private. They weren’t.
Idris thought about his own organization. The contact lists in Google Drive. The testimony documents. The WhatsApp group with field workers in countries where that kind of work made you a target. He had never considered a shared Drive folder a security decision. Now he couldn’t stop thinking about it.
Idris didn’t do anything wrong. He built his organization on the tools available, just as everyone does. The problem isn’t that he made bad choices. The problem is that nobody told him these were choices at all. That choosing a free platform was also a decision about who could access his work, his people, and the information he trusted them to protect.
Naomi
Naomi is 18 and in the middle of one of the most exciting and stressful moments of her life. College applications. A first credit card. The beginning of something new.
She grew up in the school system, as did her whole generation. She was handed a Chromebook in third grade, required to log into Google Classroom, then Schoology, then Microsoft Teams, then whatever the district had switched to by the time she hit high school. Every year, a new platform. Every platform, a new login. She made accounts she didn’t choose, on systems she didn’t select, managed by people she never met, under terms of service her parents technically agreed to but nobody read.
She didn’t think about any of this. Why would she? These were school tools. Required tools. The assumption baked into every IT rollout, every mandatory login, every “please use your student email” instruction was that someone responsible had already thought it through.
Last week, Naomi was applying for a student credit card when the application flagged something. There was already a line of credit open in her name. She had never opened one.
After several phone calls and a lot of time she didn’t have, she tracked it back to a data breach. Not from anything she had chosen to use, but from an edtech company her middle school had used for about two years before switching to something else. She had no memory of the platform. She had no idea her information was still out there. The company had gone under, its assets sold off, its data…including hers …passed along in the transaction like furniture in an estate sale.
She was twelve when that account was created. Consent wasn’t part of the conversation.
The breach had happened years ago. She was finding out now, at the worst possible time, because someone else had found out first and used it.
Naomi didn’t do anything wrong. She just went to school.
What’s Actually Happening
Jose, Donna, Marcus, Idris, and Naomi aren’t making mistakes. They’re doing what most people do. Using the available tools, trusting that someone smarter has thought through the implications, and getting on with their lives.
Here’s what connects their stories.
Every digital service runs on the same basic engine. You use it, and in return, it learns from you. Not in a vague way, but in an extremely specific way. It pays attention to where you go, who you talk to, when you sleep, and what worries you at 2 am. It tracks how your mood shifts through the week and starts to predict what you’re about to do before you’ve consciously decided to do it. This information is stored, processed, bought, sold, and retained. It is collected, usually indefinitely, by companies whose primary obligation is to their investors, not to you.
This is not exactly hidden. It’s disclosed in terms of service nobody reads, privacy policies nobody understands, and settings menus designed to be as confusing as possible. That design is not an accident. The harder it is to opt out, the more data they collect.
It’s worth saying plainly. A private group on most systems, like Facebook, Google, or Discord, is not actually private. The companies can see it, their algorithms process it, and their data retention policies are not designed with your needs or intentions in mind. When you create a “closed” group, you’re choosing who else can see it. You’re not deciding whether the platform sees it. The privacy settings control other users. They don’t control the company. They don’t control the platform itself.
The companies holding this information will not be stable forever. They get acquired, hacked, or quietly replaced. When that happens, your data moves with the transaction. Sometimes, without your knowledge, to whoever bought the assets. The deal you made with an app in 2015 may not be the one the current owner of that app is honoring. Naomi didn’t open a line of credit. A company she’d never heard of, holding data from when she was twelve, went under. As a result, her information was passed to someone else.
The institutions that might protect you (governments, employers, schools) are mostly operating on a significant lag. The rules exist, but enforcement is slow, consequences are often small enough to absorb, and by the time regulation catches up to a practice, the practice has already moved on.
And there is always something new to buy. A new phone that promises more privacy. A premium tier where the ads stop. A new platform that says it doesn’t store your data. Some of these promises are real. Many are temporary. The business model underneath tends not to change.
This Isn’t Just a Personal Problem
Who do we trust with our conversations? Whose infrastructure are we building on? What do we owe the people in our networks who are more exposed than others?
These aren’t abstract questions. They’re the questions that educators, nonprofits, and community organizations ask when they sit down to figure out where to put their documents and how to talk to each other across borders. They usually reach for the same defaults that everyone does. Facebook, WhatsApp, Google Drive. Because those tools are free, familiar, and already on everyone’s phone.
But Facebook is effectively banned or severely restricted in several countries. A “global” network built on Facebook has already excluded people before the first post goes up. WhatsApp is owned by Meta, the same company as Facebook. It encrypts message content, which matters. But the metadata (who is talking to whom, when, how often, from where) is visible to Meta. For members in certain countries, being identified as part of an international network communicating through a US platform is not a neutral fact. It’s a potential exposure. Google Drive is convenient, but documents stored there reside on US servers and are subject to US law. That matters more in some contexts than others. It matters most when you don’t expect it to.
These are the same questions that entire countries are now asking out loud.
The European Union has spent the last decade building privacy law specifically because European governments decided they couldn’t trust US tech companies to protect their citizens’ data. The concern was legal and concrete. Data stored on US servers is subject to US law, including surveillance law, regardless of what the privacy policy says. European citizens’ data could be accessed by US intelligence agencies without those citizens ever knowing. European governments decided that this was unacceptable and built regulations (imperfect, slow, contested) to push back against it.
Several countries are now auditing or restricting American platforms in schools, hospitals, and government agencies. Not because they hate American technology, but because they asked whose infrastructure they were building on and didn’t like the answer.
Countries around the globe are actively debating whether to depend on the US or Chinese platform infrastructure or invest in building their own. The concern isn’t just privacy, it’s sovereignty. When your country’s communications, your citizens’ data, and your institutions’ records all live on someone else’s servers, that someone else has leverage. Information is power, and whoever holds the infrastructure holds a kind of power that doesn’t show up on any map but is very real.
American users and American institutions have largely not had this conversation. The protections that a German teenager has over her personal data, or that a French school district has over its students’ records, don’t exist at the federal level in the United States. The same questions that moved European governments to act are questions most American individuals, schools, nonprofits, and community organizations are still not asking.
A small network trying to figure out where to host a group chat is operating at the same frontier as national governments trying to figure out whose cloud to trust. The scale is different. The question is the same.
What This Means
Jose’s instinct, that’s kind of creepy, was right. He just didn’t have anywhere to put it. Donna understood the problem and still couldn’t solve it alone. Marcus made a conscious choice but only saw part of what he was agreeing to. Idris built his organization on the tools available, as everyone does, and only later realized that choosing a free platform was also a decision about who could access his work and who trusted him with their safety. Naomi didn’t open a line of credit. She just went to school.
None of them was careless. All of them are navigating a system that was not designed with their interests as the first priority.
The standard response at this point is a list of tools to switch to. That list exists, it’s useful, and it will show up in a follow-up to this post. But it’s not where this starts.
This starts with a simpler shift. The assumption that someone has already thought this through and decided it was fine is not true. It has never been true.
The institutions you’ve trusted to make these decisions are mostly making them without full information, under time pressure, based on what integrates with existing systems and what fits the budget. And often, the people making those decisions aren’t really deciding at all; they’re following. Everyone else moved to this platform, so we moved too. This one is newer, so it must be better. The tool showed up in a demo, it looked good, and someone signed the contract.
The companies providing these tools have a financial interest in keeping the implications unclear. A confused buyer is a compliant buyer.
You are not paranoid for noticing this. You are not a conspiracy theorist for wanting to understand it. You are not being asked to become an expert or to fix a systemic problem through personal virtue alone.
You’re just being asked to stop assuming the door is locked when nobody has checked.
Some organizations and countries have started checking. What they’re finding is that the defaults were never neutral. They were just quiet.
I write about digital literacy, privacy, and education at wiobyrne.com and in the Digitally Literate newsletter. If this resonated, my other posts cover practical first steps. What to change, where to start, and how to think about it without burning out.