
Critical Flaw in Grammarly Spell Checker Could Let Attackers Steal Your Data


A critical vulnerability in the Chrome and Firefox browser extensions of the grammar-checking service Grammarly left all 22 million users' accounts, including their personal documents and records, exposed to remote attackers.

According to Google Project Zero researcher Tavis Ormandy, who discovered the vulnerability on February 2, the Chrome and Firefox extensions of Grammarly exposed the user's authentication tokens to every website, where a remote attacker could grab them with just four lines of JavaScript.

In other words, any website a Grammarly user visits could steal the user's authentication token, which is enough to log in to the account and access all of the user's "documents, history, logs, and all other data" without permission.

"I'm calling this a high severity bug, because it seems like a pretty severe violation of user expectations," Ormandy said in a vulnerability report. "Users would not expect that visiting a website gives it permission to access documents or data they've typed into other websites."

Ormandy has also published a proof-of-concept (PoC) exploit showing how easily the bug can be triggered to steal a Grammarly user's access token with just four lines of code.
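The bug class Ormandy describes, as an added illustration that is not Grammarly's code or Ormandy's PoC: a browser-extension content script that answers window.postMessage requests and hands its session token to any page that asks, beside a half-fix and a hardened version. The product origin, the message format and the token value are assumptions made up for the example.

```javascript
// Constructed illustration of the bug class, not Grammarly's code or the
// published PoC. A content script runs inside every page and listens for
// window.postMessage; whatever it answers, any page the user visits can ask.
// The origin, message format and token below are assumptions for the example.

const ALLOWED_ORIGINS = new Set(["https://app.example-checker.com"]); // assumed origin

// Vulnerable pattern: no origin check, and the session token itself is sent
// back into page script, so any site the user visits can read it.
function vulnerableHandler(event, sessionToken) {
  if (event.data && event.data.action === "getToken") {
    return { action: "token", token: sessionToken };
  }
  return null;
}

// Common half-fix: a prefix check on event.origin. A lookalike host such as
// https://app.example-checker.com.evil.example still passes the check.
function prefixCheckHandler(event, sessionToken) {
  if (!event.origin.startsWith("https://app.example-checker.com")) return null;
  if (event.data && event.data.action === "getToken") {
    return { action: "token", token: sessionToken };
  }
  return null;
}

// Hardened pattern: exact-match origin allow-list, and the token never leaves
// the extension. Page script only learns whether a session exists; any
// privileged call is made by the extension itself with the token it holds.
function hardenedHandler(event, sessionToken) {
  if (!ALLOWED_ORIGINS.has(event.origin)) return null; // exact match, never startsWith/includes
  if (event.data && event.data.action === "getToken") {
    return { action: "authState", signedIn: Boolean(sessionToken) };
  }
  return null;
}

// What the attacking page's script amounts to: one message, one reply.
// In a browser, event.origin is filled in by the browser from the sender
// and cannot be forged by the page, which is why checking it is meaningful.
function attackerRequest(origin) {
  return { origin, data: { action: "getToken" } };
}

// Bind a handler to a session. In a real content script this would be:
//   window.addEventListener("message", (e) => {
//     const r = handler(e, token);
//     if (r) e.source.postMessage(r, e.origin);
//   });
function install(handler, sessionToken) {
  return (event) => handler(event, sessionToken);
}

// Exercise all three handlers against an attacker page, a lookalike host,
// and the genuine application origin.
function demo() {
  const token = "constructed-session-token"; // constructed sample value
  const evil = attackerRequest("https://evil.example");
  const lookalike = attackerRequest("https://app.example-checker.com.evil.example");
  const real = attackerRequest("https://app.example-checker.com");
  const leaks = (handler, event) => {
    const reply = install(handler, token)(event);
    return reply !== null && reply.token === token;
  };
  return {
    vulnerableLeaks: leaks(vulnerableHandler, evil),        // true
    prefixLeaks: leaks(prefixCheckHandler, lookalike),      // true
    hardenedEvil: install(hardenedHandler, token)(evil),    // null
    hardenedLookalike: install(hardenedHandler, token)(lookalike), // null
    hardenedReal: install(hardenedHandler, token)(real),    // { action: "authState", signedIn: true }
  };
}

console.log(demo());
```

The point of the third handler is that an origin check on its own is not the whole fix: a token that page script can read is a token that every script on that page, third-party includes among them, can read, so the secret should stay inside the extension and only a capability (or a yes/no) should cross the boundary. Where an origin check is still needed, compare event.origin exactly against an allow-list; a prefix or substring check is bypassed by a lookalike hostname, as the second handler shows.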


The flaw was discovered on Friday and fixed early Monday morning by the Grammarly team, which, according to the researcher, is "a really impressive response time" for a bug of this kind.

Fixed versions of both the Chrome and Firefox extensions are now available and should be applied automatically, without any action by Grammarly users.

A Grammarly spokesperson also said in an email that the company has no evidence of users being compromised through this vulnerability.

"Grammarly resolved a security bug reported by Google's Project Zero security researcher, Tavis Ormandy, within hours of its discovery. At this time, Grammarly has no evidence that any user information was compromised by this issue," the spokesperson said.

"We're continuing to monitor actively for any unusual activity. The security issue potentially affected text saved in the Grammarly Editor. This bug did not affect the Grammarly Keyboard, the Grammarly Microsoft Office add-in, or any text typed on websites while using the Grammarly browser extension. The bug is fixed, and there is no action required by Grammarly users."

Knowledge Is Power in the Battle to Control Our Data

Taking control of our digital information is often easier said than done. The sheer amount of data we generate can be more than 300 MB a day, and sharing some of that information is part of modern life. Attempting to control who collects, uses and shares our personal information requires technical tools, know-how and a basic understanding of the risks that can ultimately emerge. But before anyone offers up a standard set of tips for managing your privacy, it's worth taking a moment to learn more about the complex data ecosystem in which we all now live, and what that means for controlling information about us.

Many modern technologies work to eliminate friction across websites, services and even devices, giving us a seamless experience when we shift from watching a movie on a phone to finishing it on a television. But the same technologies also make it easier to track and aggregate ever more information about us. This is known in privacy circles as cross-device tracking. The Federal Trade Commission has explained that companies are tracking users with increasing accuracy and correlating their movements and data streams across different platforms.

Tracking across devices occurs in two general ways.

Deterministic tracking is based on login information. Facebook, for example, knows which computers and phones you use because you sign in to Facebook on each of them, but deterministic tracking can also occur when companies you've never heard of share email addresses with partners.

Probabilistic tracking is even harder to detect. It relies on IP addresses and other settings, such as the fonts installed on your computer, to build a digital fingerprint of the individual user.

Cross-device tracking can be difficult for users to control, and it’s not always clear what the benefit to users is from this type of tracking. To limit the impact of tracking across devices, it’s important to try to break linkages among them. Divvy up services among different email addresses and use different browsers for different activities. For example, consider using one privacy-protective browser primarily to surf the web and another for staying logged in to Gmail, Twitter and LinkedIn.

Clearing cookies and limiting ad tracking on mobile devices can disrupt some of this tracking, but our digital footprints extend far beyond browsers and smartphones. Viewing habits from smart televisions, health information from wearable devices and data about our brick-and-mortar shopping habits are all collected and analyzed by trackers. Companies frequently stress that they do not share "personally identifiable information", and while this is technically true, customer loyalty programs track every bag of Cheetos and box of luxury cat toys we buy, and our credit cards leave detailed data trails of where and when we shop and what we buy. Sensitive information about individuals can be, and often is, gleaned from seemingly innocuous places; when it isn't found, it may be inferred. What else can the outmatched individual do in response?

First, recognize the value of your location. There is a reason so many apps and services either ask for or try to infer your general location. Geolocation data doesn't just reveal where you are; it often reveals who you are, including your innermost interests, beliefs and desires. Mobile location settings, private browsers such as Tor and virtual private networks (VPNs) can limit some access to your location data, but even the Supreme Court is currently grappling with the many ways our location information can be acquired.

Second, to the extent you feel comfortable, obfuscate. Data brokers will tell you that much of the information they obtain is publicly volunteered from surveys we complete ourselves. Think twice before eagerly handing over your email address or phone number for a coupon. (This is where having multiple email addresses can come in handy when your hotel or grocery asks for an email to stay in touch.) Remember, the goal is to try to break the linkages that are being made about your activities online and off.

Third, cash is still legal tender. Pay with it where you can. While credit cards and mobile payment options can offer considerable convenience, we’re also giving up a tremendous amount of control over our financial information and our purchase history. Using credit cards to pay for things like counseling, lottery tickets and pornography can make you look like a credit risk. Paying with cash can protect your personal information (and you’re likely to spend less money, too).

Finally, remember that knowledge is power. Nine out of ten Americans feel they have no control over their information, largely because most do not know how it is being collected or trust how it is being used. Sometimes information has to be shared, to take out a loan, rent an apartment or even get a job, and in the wake of last fall's Equifax data breach it can be easy to feel that our data is already irreparably exposed. But shrugging our shoulders or burying our heads in the sand isn't productive. According to Equifax itself, 42 percent of Americans have never looked at their credit reports.

We face an information deficit, and unfortunately the burden is on each of us to learn more about our complex data ecosystem. That takes time and energy, and there is almost an overabundance of resources from government agencies and privacy and security advocates. One place to start is our own DIY Digital Security Quiz, and another great way to get bite-sized downloads about our data ecosystem is to tackle Note to Self’s five-day “Privacy Paradox” challenge. It may be hard to take complete control of our digital identities, but a bit more knowledge can go a long way.

SpaceX Animation Shows the Ideal Outcome for the Falcon Heavy Launch

SpaceX will attempt to launch its Falcon Heavy rocket for the first time tomorrow. It's no small feat and a lot could go wrong, but SpaceX has released a video showing how the launch will work if everything goes according to plan.

The launch window is open from 1:30 to 4:00 PM Eastern, and the launch will take place at NASA's Kennedy Space Center in Florida. You can see in the video that after liftoff, two of Falcon Heavy's three boosters will return to Earth and land at SpaceX's landing zones at Cape Canaveral. The third will fly on further, then also separate and land on one of SpaceX's drone ships. Falcon Heavy's payload, Elon Musk's Tesla Roadster carrying a spacesuit-clad dummy, will then continue on a trajectory toward Mars's orbit. That is, if everything goes well. Musk has said that there's plenty of room for error. "There's a real good chance that it does not make it to orbit," Musk said at the ISS R&D conference last July. "I hope it gets far enough away from the launch pad that it does not cause pad damage. I would consider that a win."

We'll be watching the launch attempt tomorrow and keeping you up to date on how it goes. SpaceX will have a livestream of the event ready for you if you want to follow along. No matter what happens, tomorrow stands to be an incredibly exciting day and one that could push space travel technology further than it has ever been before.

Google Research: Phishing Poses the Greatest Cybersecurity Threat

A new study by Google offers insights into how email and other accounts are hijacked by malicious hackers. The 12-month study, in which Google partnered with the University of California, Berkeley, to better understand how customer accounts are hijacked, also revealed ways in which users can better secure their online accounts.

Google wrote:

What we learned from the research proved to be immediately useful. We applied its insights to our existing protections and secured 67 million Google accounts before they were abused. We're sharing this information publicly so that other online services can better secure their users, and can also supplement their authentication systems with more protections beyond just passwords.

Over the 12-month period, the study found that a staggering 788,000 credentials were stolen via keyloggers, malicious software or hardware that records keystrokes. The study, which ran from March 2016 to March 2017, also identified 12.5 million potential victims of phishing kits and 1.9 billion usernames and passwords exposed via data breaches and traded on black-market forums. A further 3.3 billion credentials were exposed by third-party breaches.

Revealingly, phishing continues to pose the biggest cybersecurity threat, harvesting some 235,000 usernames and passwords every week. By comparison, keyloggers were found to be stealing nearly 5,000 credentials per week. Furthermore, 74% of keyloggers and 82% of phishing kits also tried to collect the victim's IP address and physical location, and a further 18% of malicious tools collected phone numbers as well as the victim's device make and model.

Google engineers added:

By ranking the relative risk to users, we found that phishing posed the greatest threat, followed by keyloggers, and finally third-party breaches.

Here’s How to Save Your Tax Refund from Identity Thieves

Most Americans rank filing their annual taxes right up there with a visit to the dentist: tedious and occasionally painful, but it must be done. In both cases, the sense of accomplishment when you're finished can be rewarding. For an increasing number of taxpayers, that sense of completion is being short-circuited by thieves: after filing a legitimate return with the IRS or their state tax agency, they receive notice that someone has already filed a return in their name, and that a refund has already been issued.

Since we’re in the midst of those important tax forms going out and other personal information changing hands, it’s good to think about filing your taxes and the opportunity identity thieves see during this time.

All it takes for an identity thief to file a fraudulent tax return is your name, birth date, and Social Security number—pieces of information which may be readily available if your identifying information has ever been stolen in a data breach.

If someone has beaten you to the punch, then you may face serious delays in filing your genuine return, while also tackling the seemingly insurmountable task of proving you were not the one who filed the fraudulent return. For too many victims of this specific type of identity theft, finding out they’ve been stolen from is devastating and is often just the start of a series of unforeseen domino effects in the aftermath of the crime.

As recently as 2014, tax refund fraud was the single most reported crime to the Federal Trade Commission, costing the government more than $5 billion a year.

Fortunately, the IRS has implemented some new strategies that have already begun to put a dent in tax refund fraud, but that doesn’t mean consumers can’t take a few extra precautions to help secure their returns:

1. File as Early as Possible

Many identity thieves already have the information they need to file fraudulent returns, and they know they have to get to your tax return before you do. The sooner you can file your legitimate return, the better the chances that your return will be the one the IRS recognizes.

2. Be Extra Careful if You Know Your Information Has Been Stolen

If you’ve received a data breach notification letter in the past, then your identifying information may already be in a criminal’s hands. That doesn’t mean you give up, of course; instead, it means you work a little extra to make sure you’re staying on top of your accounts and your credit reports.

3. Report It as Soon as You See Something Suspicious

If you receive any kind of notice from the IRS indicating that someone may have filed in your name, report it to the IRS immediately. The Federal Trade Commission and the Identity Theft Resource Center's toll-free call center can then point you in the right direction for the rest of the recovery process.

Remember, if someone has access to your personally identifiable information (PII) and has used it to defraud the government, then there’s a very real chance they’ll use it for other types of identity theft, like new account fraud or medical identity theft. Once you learn of any kind of crime involving your data, be on the lookout for signs of other fraudulent use and take immediate action.