Today’s social platforms are “public by default”, from Instagram and LinkedIn to Venmo and Strava.
Tracy Chou is founder and CEO of Block Party, a company that builds online privacy tools, and was one of Time’s 12 Women of the Year in 2022. She says this “opt-out” reality means that most of us – despite our best intentions – are leaking personal data online and don’t even know it. Often the consequences can be surprising and unfortunate.
But there are things we can do to take control. Chou talks with 1Password’s Michael “Roo” Fey on the Random But Memorable podcast about her own experiences, including harassment and stalking, that motivated her to develop privacy tools and share them with others so they could also feel safer online.
Read the interview highlights below or listen to the full podcast to learn more about Chou’s journey, including her advocacy work for diversity and inclusion in tech, and her optimism that the internet can still be a force for good.
Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.
Michael Fey: How did you get started in tech and cybersecurity?
Tracy Chou: Both of my parents are software engineers. I went to Stanford and studied electrical engineering and computer science, so it felt like a very well-paved road straight into tech companies. I interned at Google and Facebook and then, when I graduated from school, I worked at a couple of early-stage startups.
I joined Quora as a second engineer. I then joined Pinterest when it was about 10 people. I got to be a part of building some of these platforms from the ground up. It was super fun to be working on everything from infrastructure and APIs to the websites, moderation tools, and thinking about what policies we should have for content and user interactions.
In parallel to being an engineer, I started to do a bunch of diversity and inclusion activism work. This led me to personally building more of a platform. I was exposed to some of the less savory parts of the internet, like abuse and harassment – everything from garden-variety sexism and racism to targeted, sustained harassment and stalking. I started to have a very personal interest in security because of that.
I would get 10,000 password reset requests. So somebody was trying to get into my account. But I also experienced stalkers who showed up in person, after having flown around the world, to find me. This made me much more sensitive to things like location tagging and sharing photos in real time from where I was.
Block Party came directly out of these two different parts of my background: 1) the engineering and product side, building platforms, understanding how they work, and 2) the personal experience of dealing with safety and privacy and security issues, and wanting to build better solutions for me, and also for everybody else who might have similar situations.
MF: I imagine it wasn’t difficult to find other people who were in similar situations and needed similar solutions.
TC: Yeah, it was pretty unfortunate to hear all the stories that people have shared. I would say there’s certain types of stories that are easier to talk about publicly. Often, the people who are dealing with this stuff have a little bit more of a high profile, and they’re willing to use their platform to shed light on these issues. But sometimes it’s very difficult to talk about security and privacy issues.
Also, you don’t necessarily want your stalker to know what you’re doing to defend against their attacks, that they’re getting through to you, or that you’re aware and tracking down what they’re doing.
I’ve talked to quite a few people, mostly women, who’ve dealt with safety and security issues like stalkers. They’ve never been able to talk to anybody about these things. They definitely can’t use their platforms or talk about these things in a public setting at all.
I actually have found quite a few people who really just wanted to tell me because they couldn’t talk to anybody else who would understand and really empathize with them.
MF: Can you talk a little bit about Privacy Party and what it is, what it does, and how it works?
TC: Privacy Party is a browser extension that helps you to deep clean your social media, the settings and the notifications, so that you don’t have any accidental overexposure of your data. You can also just go clean up all the stuff you don’t want on there anymore.
We support all the major social media platforms, like Facebook, Instagram, Twitter, and LinkedIn. We also support some platforms that you might not think of as social platforms, like Venmo and Strava. These leak a lot of important data. For example, Venmo has your financial transactions, and also those of some of the people closest to you. Strava has your location, like if you’re running and cycling starting from home, or in places that you frequent regularly.
Especially with the default public profiles on both Venmo and Strava, you’re giving the whole internet a lot of information.
MF: There was a story a number of years ago where U.S. troops used Strava during their exercises and accidentally revealed the location of their military base.
TC: Yeah, the heat map would show clearly in the middle of the desert, where there shouldn’t be anything. There was also the story of a Russian commander who was sniped and killed on, it seemed like, his daily jog. He was posting all of his runs to Strava publicly.
MF: Yikes. So, Privacy Party will go through, and it’ll lock down your settings, and it will also scrub old posts and stuff like that?
TC: We have a bunch of automations that will help you delete old things if you would like to. For example, remove all of your Instagram posts or old Twitter posts. There’s also things like untagging photos on Facebook. The way the extension works is that it will scan through your accounts and your settings and flag you to potential risks. It works in the same way that a virus scanner might run on your computer and let you know, hey, there’s some things here, do you want to take a look?
We have a very strong theme of user empowerment throughout all the products we build. So, it’s not just, we’re going to do all this for you; instead, we’re going to put it in front of you so it’s easy for you to do, but you’re in full control. You can make the decisions, like, yes, I want to click this button to delete all my old posts, or I want to lock down all my settings.
MF: This all runs within a browser extension?
TC: It does. There are some very nice things about building this product as a browser extension for privacy reasons. It’s almost like we’re a friend who’s leaning over your shoulder as you’re at your laptop and clicking on things, but we can’t do anything when you’ve closed your computer. We don’t hold your account credentials. We just have access when you have access.
MF: What was the catalyst for Privacy Party? Was there a particular moment that made you say “enough is enough”?
TC: It’s hard to pinpoint one singular moment, because it felt like I was just getting this gradual increase over time of online harassment and stalking and weirdos. But there were a couple of – if I had to call them out – catalytic moments.
One was, this is sort of a crazy story, someone who was obsessed with the idea that I was in a secret relationship with James Comey. This person started posting a lot on Twitter and Instagram about this, photoshopping us together, and continuing this crazy narrative that I was, at first, the secret girlfriend, and then, the wife, second wife – I don’t know, it was really ludicrous.
MF: Wait, James Comey of the FBI?
TC: Yes, correct.
MF: And just for the record, you were not.
TC: I have no connection to James Comey. I was like, I don’t know where this came from. They created many accounts to try to advance this conspiracy theory.
I went and tried to report the accounts on Twitter and Instagram. I think there were like 40 posts on Instagram that I went and recorded in one go. The reports got returned to me with: “We see no evidence of any issue, but thank you for your contributions to try to make Instagram a welcoming community.”
I screenshotted a bunch of this stuff and posted it on my personal Facebook, where I’m friends with some of the people who work at these different companies. Almost immediately, I got a response, which is like: “Oh, this is not cool, we will escalate internally. We’ll make sure our trust and safety team is handling this.”
They did get some of these accounts taken down, but I really hated the idea that I could have special access. First of all, I don’t like that this stuff is happening, but also that I can’t do anything about it through normal channels. I just felt like something was super broken.
That was one of the catalyzing moments. The other was dealing with the stalker I mentioned earlier and going to San Francisco Police Department to try to report it. They were like: “This is not really an issue, nothing’s happened. We’re not going to do anything unless something happens, and he’s probably harmless anyways.”
One of the pieces of advice I got when I started talking to more folks, including people in private security, was that it can feel really debilitating to feel like you can’t do anything about some crazy people who have decided to target you and potentially upturn your life. But that mindset, feeling that helplessness, can actually be the worst thing. It shades everything else. You feel like you’re completely stuck.
But what you can do is turn it around and think about what agency you do have. In the case of a stalker, you can think about what information you’re potentially exposing. Think from their perspective. What can they do with the information you put out there to potentially get to you or harm you? Then, you can lock down your stuff so that doesn’t happen.
You can be more proactive about it. You may not have full agency, you may not have full control, and it can be very frustrating, but you do have some control. For me, I took it to an extreme of starting a company around building these tools.
MF: Would you consider yourself a public figure while all of this was happening?
TC: That’s a good question. At the point that it got to the James Comey conspiracy theory, I was slightly more of a “public figure” because I had been doing diversity and inclusion activism for a while. I had tens of thousands, if not a hundred thousand followers on Twitter. So, a reasonable profile, but I would say even well before that, when I was a normal nobody on the internet, I got harassment and crazy stuff, too. I think that was just the experience of being a woman who is online and happening to cross paths with people who, I don’t know, had some sort of insecurity or other issues that they were working out.
MF: The reason I ask is that I’m assuming you were your own alpha and beta tester. Was there a moment when you knew that you were onto something?
TC: It was pretty immediate. The first tool that we built was a set of anti-harassment tools on top of Twitter. I plugged it into my Twitter account, and I was immediately breathing a sigh of relief to not have to deal with this stuff.
It used to be the case that I would check my Twitter to an unhealthy degree at all times of the day: walking to the grocery store, in between meetings, brushing my teeth. On a semi-regular basis, I would get nasty comments in my mentions, and sometimes it just felt like a slap in the face, seeing the nastiness aimed my way. Even if I knew that it was ridiculous, there was no grounding to it, it just feels bad to have somebody send something so nasty to you.
I would draw an analogy to walking down the street and somebody harasses you or shouts at you. Even if you can brush it off, it’s nothing significant, it can sit with you for a little while and it can disturb your mental peace. Once I had our automatic filtering running on Twitter, I was like: “I’m not going to see that stuff anymore, I feel like I’m protected.”
The product we had then was built on top of the Twitter API – once their ownership changed, we had to put the product on hiatus. The product sorted things into a sort of spam folder, where you could still go see everything that’s been filtered, which was important for a couple of use cases. Knowing that I had my filters on pretty strong and I could always go check things later, I didn’t have FOMO like I might miss out. I just felt a lot better, like I had this nice little shield.
MF: I’m a parent. Does Privacy Party help me with the kids if they’re starting to dip their toes into social media and online presence and stuff like that?
TC: For sure. If you’re a parent who may not know all the ins and outs of a platform that your kid wants to use, you can use Privacy Party as a guide that will walk you through the basic settings. So instead of you having to go look up everything – what is this platform, what are the settings I should know about, and what are the recommendations on what the settings should be set at – we’ll take you through those.
These recommendations are also good tools as conversation starters to talk about how to be a citizen online, such as what are the things that you should be paying attention to as you participate in these digital spaces.
MF: There is this opinion that social media is getting worse when it comes to privacy risks and online safety. Is that something that you agree with, or do you see it slightly differently?
TC: I think it’s hard to say definitively with data and research, because it’s so hard to measure what exactly we mean. I do think over time the trend has moved towards open and sharing and public by default.
If I remember the earliest days of getting online, you weren’t supposed to share your real name with strangers because it was dangerous. Now, there’s much more of this push towards authenticity, and you share real things and real details about yourself. It’s true that if you are very authentic and share all these aspects of your life, then people can connect with you more, and we can build community online. But the flip side of that is giving up a lot of privacy.
There are the really tricky interactions with public figures, whether they’re celebrities or micro-influencers and their followers. Such as developing parasocial relationships with them, or people who shouldn’t have access to information seeking it out and finding it.
I think there’s generally that cultural trend, in addition to the technical side, where living culture is somewhat defined by the technology. When platforms have defaults that are all public, that encourages a certain type of behavior. The fact that Venmo has all transactions be public by default, has invested a ton in the emojis – so it’s kind of fun to see the transactions that are happening – it creates a certain culture around sharing. Honestly, it’s a little wild.
MF: I only started using Venmo a couple years ago. I immediately thought: “Why is all this public? Why does everyone need to know what I’m paying the babysitter?” It didn’t make any sense to me.
TC: There’s also cases that are much worse. We’ve also heard stories from folks like someone paying their landlord on Venmo, and then getting doxed because of it. Somebody sees, oh, you’re paying your landlord, their information is relatively public about what properties they have, then they can figure out where you live.
MF: Apps like TikTok and Instagram are normalizing “public by default”. When you and I started using the internet, we had the mindset that you should be careful and keep a tight, closed circle. For new people getting online, being public is totally normal, which can also be very dangerous.
TC: I think people are encouraged to mine their personal lives to create content around everything that’s happening. I’ve been online with the semi-public presence for a little while now, and I’ve been through all of this, like, what are the parts of my personal life I could create content out of? It seemed OK for a while, until it’s not. Somebody knows too much about you and it can get used against you.
In terms of other privacy landscape things, the fact that Europe has been pushing forward with a lot of privacy legislation and regulation does indicate to me, also, that there’s a shift in broader public perception and demands around data and privacy. The U.S. is not as far along with that, you see more patchwork regulation. California has some privacy regulation, and a few other states have introduced it.
Legislators and regulators don’t push stuff through unless people care about it. There’s a bit of a shift in expectations now around data and privacy, which I think is encouraging. I think the tech industry is still trying to figure out what exactly to do with all of this.
I would say with something like GDPR: mixed success. I think it actually has been pretty good at getting tech companies to store less data – having a reason to store data instead of just storing by default because it could be useful in the future. But it’s also been pretty annoying for consumers. It’s taking a few steps forward, maybe a few steps back, as well, in user experience and expectations.
MF: Where do you think the responsibility lies for prioritization and awareness of privacy and online safety? Is that regulation? Platform vendors? I’m sure that part of your answer will be parents and individuals themselves, but where do you think the most responsibility sits?
TC: I think it’s hard to say that it sits with one group the most. I think it has to be an ecosystem-wide effort. There’s a lot of people who call on tech companies to do better and not have so many dark patterns, and not slurp from everybody’s data, sure. But also we have to be aware of what their business incentives are, which are going to push in one direction. There’s regulation, which has to be a part of the picture. Because if we don’t have regulation guardrails in place, there’s no reason for tech companies to do things that don’t suit their bottom line.
I think lost in this discussion about tech companies versus regulators is sometimes the role of individuals and what individual people can do. I think there’s a lot of this helplessness that people sometimes experience, because it feels so overwhelming, or that the systems and powers that be have made it so we can’t do anything anyway, that we just stop caring.
I would counsel against that sort of feeling of helplessness and push people to think about what agency they do have at many different levels. One is actually pushing for regulation. But I think some of what we need to see around privacy and safety is regulators forcing tech companies to allow for different experiences and better tooling for individuals to be able to insert their rights.
MF: OK, switching gears. How do you see your efforts with Privacy Party intersecting with your work in diversity and inclusion, particularly in terms of online safe spaces and marginalized communities?
TC: I started off caring more about safety and privacy from the personal experiences of having been a DEI activist and experiencing some of the vitriol that came back to me around that. It led me to very viscerally appreciate and understand how some of the people that we most need to hear from – the activists who are going to say things that feel unpopular or are different than the status quo – will be the ones who are on the forefront of receiving negativity and abuse and harassment that is meant to silence them.
This loss of a lot of voices and perspectives hurts all of society when our spaces online can be weaponized in this way, and people who can’t be safe and are getting attacked just have to step away.
It’s not just online. If you look at the political sphere, there have been politicians who have stood down from elections because of the abuse they’ve gotten. So even democratic representation becomes a problem. And journalism. Female journalists and journalists of color get targeted a lot more. If we don’t solve that problem, what we end up with is, the only people left telling these stories or doing reporting come from specific demographics. Or, they have a very particular sort of personality, where they don’t mind dealing with abuse, which is also not so great.
Also, apart from public figures or people who are trying to be a part of public spaces, the internet has been really important and very useful for people from marginalized communities to find each other and be able to build solidarity. When these spaces become unsafe, there’s a big loss for people who otherwise might be able to find connection and support.
When I look at the people who’ve been able to help with our products at Block Party, I feel really good about helping people to stay online and take advantage of the good stuff, which is community and connection and learning, and being exposed to different perspectives. Also, for the people who want to, to be able to speak and have a voice so that the rest of the world can hear from them. They are more protected and can continue to do that speaking.
MF: I don’t want to sound too cheesy, but that’s a really beautiful point of view on all of this, it really is. It’s also very noble.
TC: I have a more optimistic view on the internet than people sometimes would expect, because they think, you must just be looking at harassment and abuse and privacy invasions and horrible things all the time. But I’m actually very optimistic about what is possible with the internet. I personally experienced a lot of the good stuff, like having done activism work and used platforms like Twitter to get a message out, get a movement going, and meet interesting people. I see a lot of good there.
I worked at Facebook in 2008, but it was still this early vision of, let’s connect the world. I want us to be able to get back to that promise of the internet, to all the good stuff, by cleaning up the bad, so people don’t have to throw out the good with the bad.
MF: For anyone listening who would love to give Privacy Party a try or learn more about your work, where should they go?
TC: This is so ironic because, in the name of trying to advance privacy for other people, I need to be very not private myself. You can find information about Privacy Party at privacypartyapp.com, and I am online in most places, including Twitter and LinkedIn as Triketora, which is a made-up word from the era of the internet where we were not supposed to use our name.