Kids will click on anything – I spent a week trying to teach my family how to stay safe online

I’ve been a technology journalist for over 15 years, and if there’s one thing I’ve learned it’s to never talk to my family about technology. It will end in anger.

But it's Digital Privacy Week and, as someone who writes about privacy and security software, I suppose I have a responsibility to change the online world for the better. For a week, at least. A week will do. That’s enough.

So, with that in mind, I decided to break my golden rule and spent seven days trying to teach my family about digital privacy. Here’s how it went and how you can do a better job, if you ever dare to try.

Day 1: Hit them where it hurts

It had been a long day. For everyone. In fact, it was Blue Monday, possibly the worst day of the year to do anything. So, like an idiot, I tried to do something.

There had been late football practice for the kids – one tweenaged, the other the full acne and hormones – and my wife had spent too much of the afternoon trying to juggle her job with the demands of the kids.

It was nearly bedtime and I could read the exhaustion of the day on their faces by the light of their mobile screens. I asked for 20 minutes of their time to talk to them about digital privacy. My wife looked at me like I’d slapped her in the face. My children didn’t even take their eyes off their phones.

“Ugh, you can have 10 minutes,” my wife replied.

Fine. I could work with that.

I started by explaining the internet – web pages stored on computers without screens, databases on servers full of everything we’ve told them about ourselves, and lots and lots that we hadn't meant to as well.

“Can you do this quicker, please?” asked my wife. It had been about 30 seconds. Don’t blame her. Blame me. She’s a good woman. She was just exhausted.

I knew I had my foot in the door, though. I mean, she was still listening. She was still looking at me. The signs were that she’d even understood what I’d been talking about. I was in.

But I had to grab them, and if there’s one thing I have to report from my Day 1 experience is that, when it comes to explaining data privacy, you've got to hit them where it hurts. In my wife's case, it was shopping.

She hadn't really considered how much information she'd entrusted to all these retailers. Even the kids' ears pricked up when they considered all the fashion drops they'd signed up for.

I talked about all those companies that had their email addresses, that knew where they'd lived, what they'd bought, and to whom they'd given their payment details. Had they stopped to consider that anyone intercepting any of that data was in for a serious payday?

It was enough to convince them each to use a VPN for a week. I installed our three best VPNs – one for each: NordVPN, Surfshark, and ExpressVPN on their phones. I set them to auto-connect and then I walked away and hoped for the best.

Day 2: Keep it simple

I went for a fresh start on Day 2. Something simple. I called my sister.

I call my sister once a week. We fell out years ago when we stopped talking, so we agreed to speak more often. Got a sibling? Try it.

Normally, we ask about each other's kids. We talk about mum getting old. Today, I was going to hit her with data privacy. No risks. Entry-level stuff: passwords.

It turns out my sister is a data privacy enthusiast! All this time wasted.

Her password habits are the healthiest – camel configuration, a mixture of numbers and letters, and some special characters, too. More importantly, she uses a different password for every service. And did she know why this was important? Yes, she did.

So, how on Earth did she know this? She hates tech. The only interest she's ever shown in the subject was when she agreed to play Bubble Bobble with me once when we were 10. The answer? Well, it's what can only be explained as divine intervention.

It seems that an IT Security professional parent decided to take it upon themselves to educate the school population of parents about how to look after themselves online. My sister said ‘parent’ but the truth must be that this was an angel sent from the online security gods. Who else in their right mind would take on such a thankless task? And succeed!

Not only had my single-parent, two-job, soccer mom of a sister listened, but she’d actually embedded this into her own practice. I tried her out on cookies.

“You mean those notices you get every time you go to a website? Yeah, I know you’re not supposed to but I just hit Accept All. Who’s got the time?”

I shouldn't have pushed it. Note to self: keep it simple.

Day 3: Apps-olutely no need

Reinvigorated after a successful Day 2, I went back to my wife and children for another session.

Not messing about this time, I just went straight to the Take Control of Your Data articles on the Data Privacy Week website and read them verbatim

Now, I’m not claiming it was my delivery. I'm not saying that years of reading bedtime stories have turned me into some kind of IT support Homer. You can decide that for yourself, but, you know what? They listened.

They even raised an eyebrow, when I got to the section about considering what permissions we grant the mobile apps that we download.

What are these 'free' apps asking in exchange for us using them: an email address and password, our location at all times, access to our photos and contacts? Why does a gaming app need all of that, and is it worth trading all that data to use it?

I don’t think it’s going to stop them playing Bacon any time soon but they thought about it. They definitely thought about it.

Day 4: Public Wi-Fi – encryption, encryption, encryption

My kids will connect to any public wireless network – airports, hotels, cafes, restaurants, you name it. They want to get online and they don’t care how it happens. Even if a hacker set up a hotspot and called it "I will steal your data", my kids wouldn't even think twice. Snapchat streaks trump all.

But while the habit is strong, this is a pretty easy one to fix. It seemed like a target worth aiming for, especially with a family holiday around the corner.

I explained about unsecured networks, about checking for https:// on websites, and even went into the details of man-in-the-middle attacks – but it was the concept of encryption that struck a chord.

“So, as long as we use a VPN that encrypts our data, and so long as we’re using a genuine version of a website, then we can still use whatever public Wi-Fi we like?”

Yeah, that'll do.

Day 5: Phishing – no such thing as a free lunch

Phishing is a great one to go through after talking VPNs because all of the encryption and obfuscation in the world are useless if you willingly input sensitive information into a bogus website. It didn’t take my family long to understand that.

We talked about the early days of phishing attacks. Nigerian princes. Sort codes and account numbers, and how things have got more sophisticated since.

I showed everyone a particularly well-designed phishing email about a free lunch from Deliveroo. The branding, my name, my company name and pretty much everything was spot on – aside from the email which was noreply@deliveroe.com.

They all got the point. I made my own lunch.

Day 6: Tough cookie

I’ll tell you now: cookies are a bridge too far.

I can explain cookies but to get people to reject them is very, very difficult. Quite honestly, I’m not sure it’s worth the effort either.

My family was interested in the idea of cookies. The kids had never even heard of them. My wife was aware of the pop-ups. She clicks Accept All. She was unaware of the consequences.

I used the following two videos. What cookies are and how they work! is an excellent session cookie explainer video. It introduces the idea of the dreaded third-party cookie too but stops short of the details. Try How can cookies track you (simply explained) from about 3 minutes when you really need to scare your audience into changing their behavior.

So, now my family understands something about cookies. They get that third-party ones track us. They appreciate that we have a choice of whether or not to accept them. But they still want to press Accept All.

They don’t really care if companies track them. They have no interest if businesses are getting rich off our data. More importantly, it’s quicker just to Accept All, and, in a way, they have a point.

It’s not realistic to get rich off our own data. There just isn’t enough of it. And time is precious, so why waste it toggling off all the Legitimate Interest switches every time we want to look at a web page? Yes, it’s an outrage but why get emotional about it? Let the world turn and let us save time.

I can’t say it’s where I land with third-party cookies but I understand it, for sure, and while there are few massive dangers involved, and while it’s easier just to click the big button to move on, well that’s what my family, and most people in the world will do.

Day 7: Your mother should know

My week had been building up to this. Could I use all I’d learned for the ultimate challenge in digital privacy education? Could I explain it to my mum? It turned out, much to my surprise, that I barely had to.

My mum is old. There are no two ways about it. She is at an age where you just can’t frame it any other way. Old. Sorry, mum.

But stupid, she is not. While she had no idea what a VPN was and knew almost nothing of cookies, she seemed to understand both once I'd explained them.

If you’re looking to teach people about data privacy, there’s an order I used that seemed to make some sense that runs from passwords (the easiest to understand) all the way to cookies (the most technical), through public Wi-Fi (introducing the idea of security and encryption), VPNs (encrypted traffic), phishing (because a VPN won’t save you), and app permissions (what access should we be agreeing to).

At some point between public Wi-Fi and VPNs, you’ll need to explain how routers, servers, and ISPs all hang together too. Like I say, though, it’s best to begin with passwords because everyone understands those.

It worked like a charm. My mum is now armed to the teeth with data protection knowledge and has a passable understanding of how the internet works, too, which will make her an interesting conversationalist at her next knitting circle.

Even before I schooled her, though, she already had pretty healthy password habits, she never used public Wi-Fi anyway and, by her own admission, she’s far too paranoid to download any apps, use social media, or give away many permissions at all.

“I don’t trust them and I don’t want all the crap on my phone” were her exact words. Sweet music.

She will be toast, however, if John Lewis or Marks & Spencer ever get hacked again. Both have her financial details on file for easier purchases. I let her know that that might not be a good idea in the future.

She was, however, the most concerned member of my family when it came to third-party cookies.

“I don’t want to give all my information to people who I don’t even know who they are.” The perfect attitude.

She still clicks Accept All, though, because “life’s too short", and, at her age, it’s hard to argue with that.

Still, impressive stuff from the old girl. I knew we were related.

So, what did my family and I learn?

Well, first, it is very possible to teach one’s family about data privacy. But you can’t make them care.

Convenience is king for the average internet user and, so long as they’re not directly in the firing line of the consequences, then they’ll take the quickest route to get what they want, regardless of who might be getting rich from tracking their behaviors.

What else did I learn? Oh yes, that kids are terrible for data privacy. At least mine are. They have almost no concern for it. They’re a generation of little patience.

They’re smart enough when it comes to scams but they have no interest in the importance or value of the data that they give away freely. They don't actually browse much anyway. It’s all games and social media, and what is social media if not freely telling the world everything about yourself?

The opposite is true for the older generation, well, at least that’s the case in my sample of one. Age makes you paranoid and paranoia is one of the pillars of the security community. My mum might finally have found her people.

So, what did my family notice from employing all of these new habits over a week? Absolutely nothing. And, for them, that’s not very compelling. If you're doing your job properly, then there’s not much you'll notice.

For me, though, I can sleep easier knowing they’re data wiser and that they probably won’t remember to switch off auto-connect on their VPNs. Next time they’re making a purchase over public Wi-Fi, their payment details will at least be encrypted. Which is important. Because it's probably my credit card.