After a string of posts about age verification, DNS safety nets, and Google’s ongoing war against sideloading, it is probably time for something slightly less “heavy.” Many people rely on digital “comfort blankets” that provide a false sense of security. These tools aren’t entirely useless, but the marketing surrounding them often obscures the technical reality of how they actually function.
Since I prefer to deal with facts rather than marketing fluff, I have compiled a few persistent myths that need to be addressed.
Incognito Mode Is a Local Instruction
Opening an incognito tab is often treated as if it activates a Klingon cloaking device. It does not. All it does is instruct your local browser instance not to write history or cookies to your storage. Your ISP still sees every single packet leaving your gateway. The destination web server still sees your IP address and browser fingerprint. It is a “don’t show my partner what I am buying for their birthday” button, nothing more. This is precisely why I use Brave; it actually attempts to strip away the tracking headers that incognito mode ignores.
The “Privacy Settings” Whack-A-Mole
Big Tech companies are experts at hiding “Opt-Out” toggles under five layers of sub-menus with labels like “Enhanced User Experience Analytics.” Even if you find and disable them, a “stability” update frequently resets these to the default “On” position. Relying on a giant corporation to respect a checkbox is optimistic at best. Content blocking at the DNS level—as I discussed in my DNS safety net post—is a far more reliable method because it puts the control back on your hardware, not their software.
The Myth of the “Delete” Button
There is a common belief that deleting a social media account is like shredding a paper document. It is not. Data is highly liquid; by the time you click “delete,” your profile has likely been scraped, replicated, and cached by third-party data brokers. You are deleting the access point, not the data itself. This is a primary driver for my preference for self-hosting on Proxmox; when I want to decommission a container or wipe a virtual disk, the bits actually go away because I own the physical storage.
“I Have Nothing to Hide”
This is the one that really grinds my gears. Privacy isn’t about hiding “bad” things; it’s about user agency. You have curtains on your windows, right? Are you doing something illegal in your living room? Probably just watching Star Trek in your pants. You still don’t want the neighbours watching. Data collection is about building a profile of you to manipulate what you buy and how you think. That’s worth hiding.
VPNs: Rerouting Trust
VPN marketing is pervasive and often intentionally misleading. A VPN does not magically make you “anonymous”; it simply shifts the point of trust from your ISP to the VPN provider. If you are using a free service, your data is the currency. Even with reputable paid providers, you are still essentially hoping their “no-logs” policy is more than just a pinky-promise. It is one layer of a security stack—useful for things like Tailscale to secure remote access—but it is not a standalone solution.
HTTPS Is Not a Privacy Shield
Visible padlock icons in the browser address bar make people think they are invisible. HTTPS encrypts the content of your communication so a man-in-the-middle cannot read your password, but it does nothing for metadata. Your ISP still knows exactly which domain you are visiting and when. They might not see the specific article you are reading, but they know you are on a specific site. Encryption protects the “what,” but metadata reveals the “who” and “where.”
“Apple Is a Privacy Company”
This is a masterclass in branding. Just because Apple isn’t an advertising company like Google doesn’t mean they aren’t collecting data. They still track your app usage, your location, and your iCloud habits to lock you into their ecosystem. Privacy should not be a “feature” you pay a premium for; it should be a baseline. Swapping one master for another isn’t freedom; it’s just a different set of expensive handcuffs.
FOSS Is Not Autonomously Secure
I am a FOSS enthusiast, but “Open Source” is not a magic spell for security. It means the code is available for audit, not that it has been audited. If only three people are looking at the source code for an obscure Docker container you found on GitHub, vulnerabilities can sit there for years. The strength of FOSS is the community’s ability to fix things, but you still need to vet what you pull into your home lab environment.