New York Times
Our Privacy Expert Tried, and Failed, to Disappear From the Internet
Published June 25, 2025
By Max Eddy

Max Eddy is a writer who has covered privacy and security—including password managers, VPNs, security keys, and more—for over a decade.

About a decade ago, I stopped hearing from an old friend of mine. They had a habit of disappearing. I'd become used to their dropping off the map, sometimes for years. They'd always pop up again with a new email address or username after a while. But not this time.

Miguel Porlan for NYT Wirecutter

I had long known that they were a deeply private person, but their desire for privacy never seemed to affect our friendship. We'd catch up over direct messages or meet for coffee as if no time had passed. But this time, their disappearing act seemed to have stuck. I tried to track them down by using search engines and combing social networks, and I figured something would turn up. But I was wrong. They had ceased to exist — online at least. Disappearing is a tough trick when almost anyone who knows your name and a few identifying facts can potentially find your home address, cell phone number, family members, and other personal details — a reality that is at the very least disquieting, if not dangerous. Not to mention other sources of personal information, like photos that appear on company websites for jobs you've long left, class pictures from schools you graduated from decades ago, or snapshots from a family reunion posted by a distant relative. Taking those down might require some rather awkward conversations. Once your information is on the internet, removing it completely is almost impossible. But, in part because I was inspired by and curious about my disappearing friend, I decided to try.
As a privacy journalist, I have given all manner of advice for how to secure and obscure an online life, but I'd never undertaken a project that extends the idea of privacy to its logical conclusion: by disappearing completely. So I set out to erase my online life. I failed.

Finding myself (online)

The most obvious way to see what everyone else can easily learn about you is by Googling yourself. Type in your name, followed by 'address' or 'phone number,' and you'll likely find websites that list your personal details for anyone to see. Google offers a tool to take down some search results containing your personal information, but doing this only prevents the information from appearing in a search — the original sites still have your information. Many of these websites are owned by data brokers, which compile files about individuals from a variety of sources and then sell that information to whoever wants it. Getting data brokers to take your personal information down is possible, but you have to navigate through each broker's process manually. Or you can use a data-removal service, such as our top pick, DeleteMe, which automates the process for you (for a fee).

Looking at data broker sites, I was shocked to see my old email addresses, current and former home addresses, and phone numbers up for sale. But the information wasn't always accurate. I found several Max Eddys who lived at an address that was close to, but not exactly, where I grew up in Michigan. I also came across Max Eddys who were older or younger than me but were linked to my parents, siblings, and cousins on these websites. Perhaps these people do exist, or perhaps they were invented as a result of errors and mismatched data. In the eyes of data brokers, we're all interchangeable.

I tested nine data-removal services and used them to remove my personal information from data broker websites.
So far, much of my information has been taken down, with only a few crumbs of correct information and old photos that persist on some data broker sites. But after spending hundreds of dollars and weeks of my life on this effort, I still haven't fully succeeded. Some sites might never take the information down, and DeleteMe's co-founder Rob Shavell told me that some data brokers may start selling my information again in the future.

With nearly a dozen data-removal services hard at work removing me from data broker sites, I next tackled online accounts that I had created for myself. These included the obvious ones, such as Facebook and Instagram, but also all the others I'd created over the years that I'd completely forgotten about. Deleting them was obviously the easiest option, and it would have gone a long way toward actually removing myself from the internet. But I believed that keeping my online accounts alive and inactive, but with less personal information, might actually be preferable, as doing so would make it much harder for someone to fill the void created by my deletions by impersonating me. Let me explain. I came up with a plan to create what experts call 'synthetic data,' or made-up information about myself. If I were to continue to use the same information between accounts — username, email address, contact info, real name — it would be easier for companies and snoops to connect the dots back to the real me. Instead, I would use a text generator to come up with unique names and screen names and generate random bitmap images to replace profile photos so that my online accounts couldn't easily be connected back to me. I consulted Bill Budington, a senior staff technologist at the Electronic Frontier Foundation, who suggested that opting for even a slight variation on a name makes it harder for people to find you.
Most online accounts require a functional email address, so I decided to replace my real email address on each site with a unique masked one to make myself harder to find. Here's how it works: If you have my email address (say, you can probably deduce who I am across a constellation of websites by looking for it. But if I change the one I use for X to aer2ao7vs@ and my address on Instagram to t1aes76r3@ and so forth across all my accounts, it becomes much harder for other parties to draw connections. You can create masked email addresses with a service like Apple's Hide My Email or the Firefox Relay tool, both of which create burner email addresses that forward messages to a personal email account. Gmail allows you to make small changes to your email address, such as adding '+' followed by any phrase, but I found masked emails easier to manage. For each account, I planned to remove as much personal content as I could, including photos, comments, and posts. I didn't want to leave up any information that a snoop could use to find me, my family, or my friends. But I was also eager to shed the baggage of 25 years of living my life online. I'm certainly not the same person who tweeted about trying out a new music service called Pandora for the first time in 2007. I am a security journalist, so perhaps unsurprisingly, I've been using a password manager for close to 15 years. I combed through Bitwarden, Wirecutter's budget-pick password manager and my personal favorite, to see how many accounts I had signed up for. The answer was a staggering 356. I needed to trim that list to something more manageable, so I turned to Have I Been Pwned, which lets you search data breaches for your personal information.
I prioritized the accounts that I knew had been exposed to data breaches (about two dozen), and then I added about 30 more that I thought were likely to have personal information such as my address, date of birth, and financial details. 'Starting with where your accounts are and where they've been compromised is like hygiene that most people don't do, but should be doing,' Shavell told me.

Confronting the past

With my plan in place, I started scrubbing my accounts from websites I barely remembered using. Patreon? Gone. Gravatar? Sure, why not. Kickstarter? Kicked to the curb. An ancient WordPress blog I don't remember creating? Scrubbed clean, hopefully before anyone noticed that it existed in the first place. Other sites I had completely forgotten about, such as the beer-rating app Untappd, or had never actually used, like Nextdoor — the latter of which I did actually just delete. Erasing my online social life proved to be more challenging than I'd expected in about every way; even just getting into the accounts was challenging. Photo-album site Flickr was once a photographic repository of my life, but the website wouldn't let me log in. When its password-recovery process failed, I found an option to submit different versions of photos I had stored in Flickr to prove I was the owner. I was able to get back in, but other people might not be so lucky. Then it was time to delete LiveJournal. I hadn't recalled posting or interacting much on the online-diary website, so I was gobsmacked to discover that I had written hundreds of entries. I decided to keep those mementos of past me, even the ones that had aged like milk, but downloading them to save them offline wasn't easy. I found an option to export the entries as a spreadsheet, an almost avant-garde choice for storing prose, but I could download only one month's worth of data at a time. Downloading the posts was exceptionally tedious — and then I had to manually delete each post.
It took over three hours to delete two years of my life. Tackling X, formerly known as Twitter, proved to be another taxing task. I'd made my first tweets by text message, patiently pushing the keys of a flip phone to find the right letters. I had 103,000 tweets, 40,000 retweets, and 130,000 likes that I needed to remove. Deleting the account would have taken mere seconds, but I wanted to keep the account alive but inactive to ensure that no one would try to impersonate me in the future. Preparing to delete my data from X, I was reminded of my friend who had vanished from the web. Even in the early 2000s, they were careful about their online presence. They used Twitter, but they deleted their tweets and changed accounts regularly. If I posted something about them, a picture or even just a passing reference, they called — on the telephone — and politely asked me to take it down. I thought it was odd at the time, and I sometimes resented it a little. Now, facing down the task of deleting over 100,000 tweets, I think they were on to something. There was no way that I could possibly remove that many posts on my own. So I enlisted the help of Cyd. An open-source tool, Cyd (which stands for 'claw back your data') automatically deletes X posts, interactions, bookmarks, and direct messages. Based on my experience, Cyd can clear out 70,000 tweets in about three and a half hours. You can find other tools for deleting old tweets, such as TweetDelete, but I opted for Cyd because I'd had a good experience using it to clean up a personal Twitter account. I also liked that Cyd didn't need to store any of my personal information; the entire process is managed in an application on my computer, not a service on the cloud. Watching Cyd work was mesmerizing. My posts flashed by almost too fast to read; it was like watching my life pass before my eyes.
It was fun to revisit my posts at warp speed, but painful, too, because each time something appeared on the screen, it was also being deleted. Photo from my wedding? Gone. Photo of my pet rat, Pepper? Gone. The process made me choke up a bit. On to Meta. I had seen scammers impersonate my family members on Facebook before, so retaining control of my Facebook and Instagram accounts was critically important. Meta does provide the option to temporarily 'deactivate' Facebook and Instagram accounts instead of deleting them. That might be a good option for anyone who might return to using these platforms, but I preferred keeping my accounts alive but empty.

Watching Cyd delete my tweets was painful, but watching the contents of my Instagram account disappear was excruciating. Cyd doesn't work on Instagram or Facebook (though the latter will be supported soon, the Cyd documentation says), so I used a macOS app called Automator to record and repeat mouse movements and clicks. I recorded myself deleting one Instagram photo and then put it on a loop to take care of the rest. (The downside: I couldn't use my computer while it ran.) The automation was still running that evening when some friends came by for dinner, and I showed it off. They were initially impressed, but it started to feel awkward. 'Oh,' said one. 'This is going to start deleting pictures of me soon, isn't it?' They quickly went back to the kitchen. Taking on Facebook was by far the most difficult aspect of this project, and where I had the least success. Deleting or temporarily deactivating Facebook wasn't a good choice for me because, like many people, my relatives use the social network to stay in touch, and those options would have prevented family from finding me on the platform. I tried to apply what I had learned so far, but I discovered that Facebook's settings are a nightmare to work through.
Powerful options are available, but the process of finding them and using them, amidst pages and pages of settings and educational material, is byzantine — Kafkaesque, even. I discovered that you can retroactively limit who can see your posts, as well as prevent search engine and image search of your content. You can also pull up a log of your interactions on the platform, which lets you delete comments that have become problematic with age. I frequently struggled to trace my own steps to figure out how I took some actions. Even now I'm not sure. When I changed my Facebook profile photo, I selected one that shows my face but is also warped to be bizarre and off-putting. I felt clever, like I'd outsmarted the social graph, but within minutes it got several likes and comments. I forgot that Facebook promotes every change you make to your friends. I had blundered into feeding it more content. I then came across hundreds of photos and copies of all my Instagram pictures in my Facebook account. I tried to automate deleting them, but that didn't work. In the end I spent several hours rhythmically clicking — and I understood all too well why most people don't attempt to do this. Finally, after days of combing through Facebook, I succeeded in removing most of my information. The only remaining photos on my Facebook page were those I was tagged in by family and friends. Here, I struggled. What would they think if I removed the tags? I asked my spouse for their thoughts: 'I untagged myself from every picture years ago,' they told me. 'Tags are stupid anyway.' But even if I were to remove the photo tags, the photos would still be on Facebook. The only way to actually get rid of them would be to ask my family members to delete them. I dreaded this, and I worried that they would feel like I was rejecting them. And so I posed the question as a hypothetical to two relatives: Would they be upset?
To my surprise, both told me they would have absolutely no problem removing the pictures. Both said they had dramatically changed how they used social media in recent years. One had already removed most of their old posts and doesn't add anything new, except to private family groups. The other still posts but made all their old and new posts private. Both expressed a deep distrust in sharing their lives publicly these days. Taking down a photo upon my request wouldn't be hurtful, they said, because the picture lives offline — they can look at it whenever they want. This project had me concerned about other people's feelings — what would my loved ones, friends, and even acquaintances think if I asked them to remove artifacts of me? How would they respond? In the end, only one person — me — seemed to mind. One enormous repository of my social life escaped relatively unscathed from my efforts to delete myself. Foursquare, a social network where people voluntarily checked in to locations like shops, restaurants, and airports, was once a favorite app of mine. Nowadays, companies are more likely to siphon this information quietly from your phone with far greater geographic accuracy, but Foursquare gamified and socialized the experience when it launched in 2009, and I was a frequent user. Stripping it of information linked to me was easy, so it's unlikely to be found in a simple Google search, but short of deleting my account I couldn't find a way to hide or remove my hundreds of check-ins. But I also discovered that I didn't want to. Browsing the list, I could see all the Tuesdays I spent at the Burp Castle, the bar where I briefly held the 'mayorship' on the Foursquare leaderboard. Little icons on my check-ins showed that friends had joined me, including the person I would eventually marry. My mayorship might be long gone, but simply erasing this running record of years of my life didn't sit right with me.
So I didn't.

The information you can't scrub clean

The experts I spoke with, and my years of reading on the subject, had all suggested that public records were the upstream sources for the reams of personal information found on data broker websites. I was able to find my information in public records, and much of it was worryingly comprehensive, but it wasn't as accessible as I expected it to be. It also wasn't easy to remove. I own my home, so I was able to pull up my property records using some surprisingly user-friendly tools on my local government's website. Depending on where you are registered to vote, your voter record can include personal details, such as your current address. But I could access property and voter records only one at a time, and I needed to know a lot about a specific person to access those records. The largest trove of personal information I found was in records for political contributions. Using the Federal Election Commission's search tools, I pulled a list of people who contributed to presidential campaigns from the past 16 years. I easily found records that showed a name, employer, and contributions. But when I downloaded the data, I found that the document included full addresses, as well.

Budington and other experts I spoke with recommend visiting your municipal records office to ask what information is publicly available on you, and to see if there is any option to have it removed or limited. A friend of mine said that they had some success removing some minor information from their voter record in their relatively small town, but I had less luck in my city. I consulted my local municipal records bureau website, which instructed me to first reach out electronically before scheduling an appointment. The records bureau responded quickly but said that because my request pertained to records of property, by law it could be only corrected for errors, not removed.
The agency that manages local elections told me that it is possible for a voter file to be made private, but only in the event of domestic violence. The FEC told me that there was no option to have my data removed once it had been reported, but I was also told that the data cannot be used 'for the purpose of soliciting contributions or for any commercial purpose,' although there are instances where the data can be used. However, the FEC said that 'individual contributors [don't have] to divulge personal information if they choose not to do so.'

The downside of disappearing

Googling my name is less terrifying than it used to be. The data brokers with the top Google results no longer list me, and the ones that do might eventually give in to my data-removal requests. And I ceded the top Google result for my name — Max Eddy — to a comedian named Maxx Eddy. (Congratulations, Maxx.) I still have work to do. Searching for my usernames still pulls up accounts I have yet to remove. You can still see my photo and byline on old employers' websites, which I'll likely leave alone since it helps prove that those stories were written by Max Eddy the security journalist, not someone else. But there's less information about me out there that I don't control, and I have a framework for clearing out old accounts and creating new ones that aren't troves of identifiable information. 'Ultimately it's not futile,' said Peter Dolanjski, director of product at the privacy-focused search engine DuckDuckGo. 'Taking some steps to protect yourself is better than doing nothing.' Deleting my digital history was painful. I felt like I was both erasing myself and also preventing people I care about from reaching out to me to reconnect. I couldn't bring myself to sever the potential of future contact, as my vanished friend did.

A few months ago, I tried to find them again.
I called every phone number, searched every username, and emailed every address I could find, but nothing worked. I reached out to mutual friends — even to strangers who had been cc'd on the same emails — and came up with nothing. This person clearly doesn't want to be contacted. I looked for my friend one last time while writing this article, and I found a photo of them from middle school posted on a school-district website. After all of our efforts to disappear, traces of my friend — and of me — still exist online. Making it harder to find yourself is clearly effective — even if you don't vanish entirely, scrubbing your internet trail makes it more difficult for data brokers, strangers, and malicious actors to find your information. Some digital artifacts will always remain beyond your control and could pop up in surprising ways. But maybe you don't need to completely erase yourself from the internet to disappear. Sometimes people get the message. This article was edited by Caitlin McGarry and Jason Chen.


New York Times
Yes, Your TV Is Probably Spying on You. Your Fridge, Too. Here's What They Know.
Miguel Porlan for NYT Wirecutter
By Rachel Cericola, Jon Chase and Lee Neikirk
Published June 25, 2025

This is not a conspiracy theory: Many of the devices living in your home are quietly collecting towering heaps of information about you. Your TV, your doorbell, your security system, your thermostat, even your earbuds — all of them are involved. Some of that data may be shared, analyzed, and then sold to the highest bidder, hundreds of times a day, by organizations you've never heard of. To be fair, some of the information is what you voluntarily provide when you decide to use a smart device or sign up for a service. And some of it, you almost certainly agreed to share, accidentally, by clicking through boilerplate terms-of-service pages. Still, more than a thousand so-called data brokers have access to — and profit from — personal data, through a largely invisible marketplace. As Peter Dolanjski, senior director of products at privacy-software company DuckDuckGo, characterized the amount of data collected: 'It would blow the average person's mind.'

The story of smart-home devices and your personal data is merely one chapter in a much larger tale, that of the immense, and largely hidden, data industry. More than a thousand companies in the U.S. alone, including companies that make or sell many of the products in your home, are devoted to gathering your personal data. These companies collect and sift through as much data as they can scrounge in order to create a unique profile of every consumer. They package those profiles and sell them, to advertisers and research firms, to banks and credit card companies, to home and health and car insurance companies, to landlords, to government agencies, to law enforcement — essentially almost anyone willing to pay.
According to a 2021 report by the Duke Sanford Cyber Policy Program, which examined the collection and sale of sensitive personal data by 10 major brokers, all of them 'openly and explicitly advertise data on millions of U.S. individuals, oftentimes advertising thousands or tens of thousands of sub-attributes on each of those individuals, ranging from demographic information to personal activities and life preferences (e.g., politics, travel, banking, healthcare, consumer goods and services).' The report also lists a number of other collected data types, ranging from individuals' political interests and activities to profiles of current and former military personnel to the current location of people's smartphones. One of the foremost companies, Experian, boasts that its databases hold 'insights on over 250 million US consumers and 126 million US households … and bring in 4 billion devices and 1 trillion device signals to definitively connect offline records to online identifiers.' These personal profiles are also used in what is called real-time bidding (RTB), yet another largely invisible technological layer that everyone unwittingly interacts with hundreds of times a day. Smart devices, such as voice-controlled speakers, Wi-Fi security cameras, TVs, even modern kitchen appliances like smart refrigerators, generate and collect a range of data types, including sometimes very personal information. And because these devices typically connect directly to the internet and require you to manage them using a smartphone app, the data they collect may be put to use in ways that you reasonably may not expect. 
Every time you use a smartphone or computer to visit a web page that has ads, and every time you open many smartphone apps, a series of transactions takes place in a microsecond: Information about you and your smartphone or computer is offered up for auction, and automated bidders the world over get the chance to place an ad in your view. Their bids may be based on profiles that include highly specific traits, details about your smartphone, and your personal interests based on your online activities. This practice is controversial, because not only does the auction winner have access to personal details in your profile, but so do all of the other bidders. And while that data may be anonymized, it can include personally identifiable information about you — even your current location. The issue has been known for some time, and in 2021 a team of US senators released a letter sent to a group of prominent tech companies that broker data, including AT&T, Google, OpenX, Twitter, and Verizon, demanding details on RTB in relation to consumer data sent to foreign countries. 'Few Americans realize that some auction participants are siphoning off and storing 'bidstream' data to compile exhaustive dossiers about them,' the letter noted. 'In turn, these dossiers are being openly sold to anyone with a credit card, including to hedge funds, political campaigns, and even to governments.' Last year, the Federal Trade Commission banned Virginia-based broker X-Mode/Outlogic from sharing user-location data, which the FTC said could be used to track someone to 'sensitive locations such as medical and reproductive health clinics, places of religious worship and domestic abuse shelters.' (This Wired article details how RTB tech physically located Russian president Vladimir Putin.)
In January 2025, the Electronic Privacy Information Center, along with the Irish Council for Civil Liberties, submitted a complaint and request for investigation to the FTC. The complaint alleges that for a decade, Google, which makes Nest smart-home devices, knowingly sent sensitive user data via real-time bidding to 'foreign adversary' countries in violation of federal law. At this writing the FTC has yet to respond to requests for confirmation of any pending investigation. We requested confirmation from Google as to whether data used for Google's RTB products and services 'contains now or ever contained any data that could be collected from, or accessed by, Google Nest devices, the Google Home app, or Google Nest app.' A Google Nest spokesperson responded with this official statement: 'Google's Nest products do not sell ads through real-time bidding, nor does Google send sensitive personal data to RTB.' Data brokering is not a new business; it has been around as long as companies have collected information about their customers. But in the modern era, mass data collection has exploded, and a Senate report dating back to 2013 was already raising alarms about the industry. The report goes on to note that data sharing may happen without your consent or your knowledge of what data is being collected, who is seeing it, how it is used, and how you may be affected. More than a decade since that report, things have only intensified as a result of faster technology, the advent of AI, and the proliferation of listening devices such as smart speakers, smart-home devices, and smart TVs. The average American home has 17 internet-connected devices silently observing their activities — and more than 40% of households have smart devices (or 66% if you count smart TVs). They might have an Amazon Echo and a Roku TV. Or perhaps a Google Nest Thermostat and a few iPhones. 
If you've ever wondered whether these pieces of technology are passively ingesting information about you — listening as you go about your daily life, synthesizing information about your habits and preferences to help you, sure, but also to sell you things and perhaps sell your data to unknown actors — well, so have we. When we speak about smart devices, we're referring to internet-connected devices in your home that you can access using an app, many of which can be automated. That includes your smart thermostat, for example, but also your smart TV, your security camera, your smart kitchen appliances, your smart speakers, and so on. In order to do smart stuff, these devices rely on different types of data, including data that they detect — motion, voices, the temperature — but also data that they access from the internet, as well as data that is specific to you or your home, such as your location. Data is the fuel of the smart home. Enjoying the benefits of smart devices involves a fundamental trade-off: They and their associated smartphone apps track the various ways you interact with them. When you open and use a smartphone app to turn on a lamp, or ask Alexa a question, or check on a Nest camera, or watch a movie on Tubi through a Roku device, the companies behind those devices and services, and sometimes their partners, are paying attention and keeping a highly detailed record of every interaction. That data creates a unique profile of you. Some of that harvested data is used for product development and refinement. Companies refine their products, discover and fix bugs, and create new and better smart devices. But sometimes that data is also used to market other products to you — as well as to other people like you. 
What is especially concerning is how difficult (impossible, we'd argue) it is for a device owner to grasp what data is being collected, especially if you link one of your smart devices from one company with a device or platform from another company, such as linking your Tapo camera to your Alexa speaker. Although companies, especially large, well-known ones, do take meaningful precautions in the way they handle your personal data, they may also be overconfident in their ability to secure your privacy at best. And at worst, they fail to exercise restraint when monetizing your personal data. So if you're interested in using smart devices, and internet-connected devices in general, you need to use your own best judgment to determine whether that trade-off is comfortable for you. One of the experts we spoke with, Omar Alrawi, a scientist at Georgia Institute of Technology, noted that he operates under the assumption that a data leak of security camera footage is always going to be possible. So while he wouldn't put security cameras inside his home, he does have them outside, where he is less concerned. Similarly, if you have smart speakers, it's prudent to consider where you place them. We also strongly advise adjusting the privacy settings in the speaker's companion app to ensure that you are comfortable with what data you allow it to access. Peter Dolanjski of DuckDuckGo noted that it's common for tech companies to rely on third-party analytics and advertising tools in their smartphone apps, including some used to manage smart devices. 'We tested the top Android free apps in Google Play, and 96% of those popular free apps contained trackers, companies that were different from the owners of the app — 87% of those send data to Google, and 68% send data to Facebook,' Dolanjski said. The issue is that when you use those apps, your personal data is shared with those third parties, which you may be unaware of.
In tests of a few smart devices conducted by Wirecutter, we confirmed that some were indeed sending data to third-party endpoints. We should note, too, that data is part of the cost of affordably priced technology. It helps device makers keep track of bugs and make improvements or add new features. And as long as the companies employ proper security measures, and you as a device owner take standard privacy precautions, you should feel safe using your devices as usual. Part of our investigation was to find out if all that is true. We examined the privacy policies and data-collection practices of some of the most popular smart and connected devices, and consulted more than a dozen industry experts, to understand what risks, if any, they present. We also assembled specific instructions for how to protect yourself. Let's begin with the always-on devices that many people have invited into their homes. It's useful to think of voice-controlled smart speakers such as Amazon Echo devices, Apple HomePods, and Google Nest models as part quirky entertainment devices and part data-collection machines. You generate a ton of tempting data. When you set up a smart speaker, you need to use a companion app to set it up, and in doing so you are asked to provide a lot of personally identifiable information: an email address, your physical address or zip code, your smartphone's location, your contacts, and potentially even your photos. But what makes smart speakers unique is that almost every interaction you have with them is an expression of your interests. The music you like, the news stations you choose, the sports you ask about, the places you mention, the definitions you ask about — all of those add rich details that refine your profile. Your speaker is always listening, but not like you might think. Smart speakers have microphones that are always on. 
But Amazon, Apple, and Google Nest confirmed with Wirecutter that their speakers must hear a precise sonic pattern, a wake word, in order to begin recording (though they do make mistakes). Whenever they are recording, they signal it by lighting up or playing a tone. Zach Oberman, of marketing consultancy Launch Ready and a former ad product specialist at Google, confirmed what the companies claim. In reality, the giants that make smart speakers are too concerned about the reputational damage from getting caught being sneaky. 'The data-care policies that every Google employee has taken are extensive,' Oberman said. 'There are numerous, numerous privacy reviews — nobody needs the drop in stock price that would come [from a data leak].' The more you connect, the more you share. Amazon, Apple, and Google each have their own privacy policies, which state what types of data they collect, how they use it, and whether they share it. And all of them note in some form that once you integrate a third-party device with one of those respective platforms, how your data gets treated may change based on the policies of that device. (For example, Nest's policy states: 'When you use third-party services integrated with Google services, their own terms and privacy policies will govern your use of those services.') That means that if you use, say, a WiZ smart bulb in a bedroom lamp, you can look up that company's privacy policy and know how your data is protected. If you then decide that you want to control your bulb with Alexa, Apple Home, Google Home, or any other third-party service, however, the data that WiZ has access to also gets shared with that third party, and that company may use the data differently than WiZ would. As the Philips Hue privacy policy notes, once you pair your Hue bulbs with a third-party service, 'We may collect and process functional data (such as registration data, usage and diagnostic information) and your usage thereof.' 
Gen AI is changing the playing field. The current versions of Alexa and Google Assistant rely on AI to perform their tasks, and on relatively basic levels they 'learn' and are improved, but only in general, not specifically tailored to you. In contrast, powered by generative AI, the emerging Alexa+ and Google Gemini (gen AI Siri is still in the distance) are intended to be highly personalized and far more proactive. During an Alexa+ demonstration event that Wirecutter attended, the presenter noted that users will be able to tell Alexa their personal preferences, including likes and dislikes in foods, songs, movies, and so on, which will get incorporated into future interactions. So if you tell Alexa+ that you are allergic to mushrooms and also music by Bob Seger, Alexa+ will filter those out when you ask for recipes or request music. Alexa+ will also make inferences about you — the more you interact with it, the more it will extrapolate. (We've begun testing Alexa+ and posted our initial experiences here). Similarly, Google says that a substantial amount of user data is collected by Gemini, and while you can prevent your data from being reviewed, it's still collected: 'Even when Gemini Apps Activity is off, your conversations will be saved with your account for up to 72 hours.' The company claims that data won't be used to serve you ads, but it leaves the option open for future changes. It makes no difference whether your TV is an LG or Samsung or most any other brand, or whether it has built-in Roku TV or Google TV. Modern smart TVs all have one thing in common: While you're watching them, they're paying attention to you, too. Your smart TV is screenshotting your shows. When you first set up your TV, you probably inadvertently agreed to enable software called Automatic Content Recognition (ACR). 
This technology takes a screenshot of whatever shows or movies you watch, identifies them, and sends that info to your TV's manufacturer (and potentially its partners, too). Yash Vekaria, co-first author of a study of ACR published last year, told us that ACR is 'like someone has installed a camera 24-7 in your living room.' Some TVs capture your viewing as much as multiple times a minute. Although companies are now required to ask TV buyers to opt in to ACR (following a 2017 FTC action against TV maker Vizio), most people end up doing so without knowing it. To opt out, you have to wade through your TV's settings menus to find a specific privacy setting (more details below). ACR takes in everything on your screen, not just TV shows. The built-in ACR software in your TV isn't just monitoring and reporting on your devotion to Today or even your Netflix binge sessions of Love Is Blind. ACR is capturing anything that appears on your screen, including YouTube videos, personal photos, security or doorbell camera streams, and video or photos you send via Apple AirPlay or Google Cast. ACR can even snag content from other devices connected to your TV by HDMI, including personal laptops, video game consoles, and Blu-ray players. What manufacturers do with that data is completely out of your hands. 'As of now, this data is freely bought and sold in the data broker economy,' said Vekaria. He cautions that data can be used maliciously. A study published in 2024 by the advocacy group Center for Digital Democracy looked at commercial surveillance in the streaming era. The authors cite a number of ways in which personal data harvested by ACR could be used to micro-target people individually, including through personalized pharmaceutical ads or manipulative political ads. ACR is tenacious. 
The Center for Digital Democracy's study found that in the smart TVs they tested (from LG and Samsung), ACR continued to run and capture data even when the smart TV was offline. So even if you disconnect your TV from the internet, should you ever reconnect it to your home's network, perhaps for firmware updates, it'll forward saved data to the content-recognition servers as soon as it can ping them. Short of disconnecting your TV, if you want to prevent ACR from sharing your TV viewing, you'll need to turn it off (see below). Home security cameras alert you when packages are delivered and tell you when someone is at the door. And of course, they offer priceless peace of mind, keeping a record of your environment even when you're not around. But they have the ability to capture, and share, much more. Security cameras do more than watch. According to a 2024 Surfshark report, home security cameras collect more data points than any other consumer smart devices. Luís Costa, research lead at Surfshark, further told us, 'Outdoor security camera apps are among the top collectors of user data. On average, they gather 12 types of data, which is 50 percent more than what's usual for other smart home devices.' That includes video and audio, but also data from motion, light, and temperature sensors. The Surfshark report, which focused on popular camera models (from brands such as Arlo, Eufy, Nest, Ring, TP-Link, and Wyze), notes that many cameras collect personally identifiable information (PII), such as email addresses, phone numbers, payment information, and precise location. And of that data, seven out of the 12 data points are linked by the app to your actual identity. 'The risk of sharing this information with these vendors is the same as any other company that may offer digital services like Google, Apple, or Microsoft,' said Alrawi of Georgia Tech. 
'As a consumer, I have no control [over] how these vendors secure my information, and if it were to be leaked, I would simply get an apology letter with an offer for one year of fraud monitoring.' Companies that leak customer data are at risk of potentially steep regulatory penalties and civil actions — but once personal data is leaked, there's no way to undo it. Although security camera companies may not be sharing your video, audio, and still photos, we looked at the privacy policies for Eufy, Google, Ring, and TP-Link, all of which state that they do share personal data for marketing purposes. All of these policies also include a clause that the companies will respond to legal requests, with Ring stating that it may even share recordings without a court order in circumstances 'when we believe disclosure is necessary or appropriate to prevent physical or other harm or financial loss.' Although most privacy policies say similar things, it's reasonable to be concerned that this type of information could fall into the wrong hands as a result. For instance, in August 2024, ADT confirmed it had been hit by a cyberattack; the company said that the attack didn't involve access to customers' systems but did include theft of customer information. AI supercharges, and complicates, everything. AI is commonplace in security cameras, serving to discern what the cameras have detected. Some models, such as Nest video doorbells, can identify specific people by name using facial recognition (which some states, such as Illinois and Texas, and localities like Portland, Oregon, have banned). Some can detect sounds such as alarms, breaking glass, or crying. All of those capabilities require AI, and AI requires training in order to work its magic. Representatives from Eufy, Google, and TP-Link (maker of Tapo cameras) all told us that user videos are not used to train their AIs and that instead they use publicly available and open-source data. 
Domek Yang, product security director and chief information security officer for Eufy Security, also noted that 'videos voluntarily donated by users are used to improve the models.' For example, if you send a report through the app because a video is mislabeled, it could be used for training. More powerful AI needs more personal data. Both Google and Ring (which is owned by Amazon) have demonstrated features that let you use keyword searches of your camera recordings to find highly specific people, or moments, or objects. For instance, you can ask for videos of every time your spouse enters or leaves, or when a red car drives by your house, or whenever the raccoons visit. Those capabilities are possible because of updated versions of the companies' AI, in this case Gemini and Ring IQ, respectively, which are in the process of being rolled out. This may change the way user data is put to work, especially with smart cameras. For instance, Google's privacy policy for its AI specifically notes that Gemini employs human reviewers of user data; the policy also urges customers not to expose 'confidential information in your conversations or any data you wouldn't want a reviewer to see or Google to use to improve our products, services, and machine-learning technologies.' That may be a technically correct solution to prevent device owners from accidentally sharing confidential information, though the notion that people who own Gemini-powered smart speakers have to adjust their everyday behavior to cater to their device is concerning. All of this doesn't necessarily mean that your data is in jeopardy and that you are at risk. It may simply mean that the way you use devices impacts the way they function, and some of that may make you a valuable target for marketers and advertisers. But if you take simple precautions, you'll have less to worry about. 
It also depends on the trustworthiness of the devices that you invite into your home, which is why Wirecutter works hard to vet the makers of products we recommend. Discouragingly, in May 2025 the Consumer Financial Protection Bureau abandoned a proposed rule put forward by the Biden administration in 2024 that would have curbed the sale of some types of private data by data brokers in line with the way credit bureaus and background-check companies are restricted. However, the Federal Trade Commission, one of the federal agencies with regulatory power, has launched investigations into some of the related practices that have emerged, such as surveillance pricing. And the Federal Communications Commission is also in the process of launching an Energy Star–like program for certifying smart-home products, called the U.S. Cyber Trust Mark. The program aims to provide the public with an easy-to-understand way to verify that a device meets a set of security and privacy standards. In the meantime, here are a number of simple steps you can take that will have profound impact, plus a few device-specific ones: Reputable data brokers have a process for letting you opt out of having your data collected and sold. The process is onerous, though. You'll need to contact each broker individually — and estimates indicate that there are more than a thousand. The Privacy Rights Clearinghouse outlines the basic process: Go to a data broker's privacy policy on its website, locate where it keeps its instructions for deleting personal data (usually under wording like 'consumer privacy rights,' 'delete your information,' or similar), and then file a request. You'll need to verify your identity, which may require submitting personal information. For instance, to delete your personal information and prevent the sale of your data by Acxiom, one of the largest data brokers, go to Acxiom's opt-out page and enter your details. 
Click the + icon beside each type of data to add it to your request, and then click Submit. You will receive an email with a confirmation link. Rinse, repeat. This Vice article contains a useful list of brokers with links on how to opt out for each one. A common feature of home Wi-Fi routers is the ability to create a secondary or guest Wi-Fi network, which stays disconnected from your own. Use that network only for your smart devices, so they don't have access to the internet activity of all the other devices you use at home on your regular Wi-Fi network. To set it up, log in to your gateway (combo modem and router, if you rent one from your ISP) or router (if you have your own) and enable a 'guest network,' giving it a name and a new password. Peter Dolanjski of DuckDuckGo told us that using unique burner email addresses that forward automatically to your main email address creates a barrier that helps prevent data brokers from joining together all the various logins and subscription services you have. We've written before about ways to protect your privacy, including services that allow you to relay your email address. Apple's Hide My Email is one good option built into iOS devices and is free with an iCloud+ subscription; Firefox Relay provides five addresses for free or 99 cents per month for unlimited addresses. When installing a new app, you get a prompt to allow or deny permissions for the app to access data, including your location, contacts, and photos, as well as Bluetooth or other devices on your network. At the point of install, deny all of those; then, turn them on only as needed when an app prompts you. For location, choose Only when using app. Unlike computers, all smartphones have a unique advertising identifier — representing your unique profile — that is stored on your device, and which by default is accessible to advertisers on apps and websites. 
You can prevent apps and sites from tracking your habits and activity by adjusting the settings. On an iPhone, go to Settings, scroll down to Privacy & Security, select Tracking, and toggle it off. In the Privacy & Security page, scroll down to Apple Advertising and turn off Personalized Ads. On an Android device, go to Settings and then Privacy, select Ads, tap Delete advertising ID, and confirm. You have a few ways to prevent ad services from collecting data on you and your devices. There are services that allow you to block ad tracking for all the devices on your Wi-Fi network, though we don't currently review them. Apple iPhones have a pair of built-in do-not-track features for both the Safari web browser and Mail. When you're using Safari, iCloud Private Relay (included in a subscription to iCloud+) is a system that keeps the unique IP address of your smartphone separated from your web activity, which is encrypted. Mail also prevents trackers that are embedded in email messages. On an Android device, you can download the free DuckDuckGo web browser, which includes a feature called App Tracking Protection. Once enabled, it blocks most trackers in all the apps on your phone. (Some trackers are allowed, as turning them off may cause apps or sites to malfunction.) The Electronic Frontier Foundation's Privacy Badger, one of our picks, is a good and free choice. A VPN service can prevent your devices and your online activity from being tracked. It's a smart option for people who frequently travel or use public Wi-Fi. Each of the smart-speaker platforms handles voice requests and recordings differently. And the newer Alexa+ and Google Gemini, powered by generative AI, will bring changes. Using the Alexa app, you can view or listen to all of your voice interactions and correct them or delete them. You can also limit how long Alexa keeps recordings before automatically deleting them. Amazon says that it takes up to 48 hours for a deletion to complete. 
Amazon does not record video calls. Google Nest does not save chats with Google Assistant unless you specifically opt in, and it doesn't save video calls, either. Google Nest states that it keeps 'video footage, audio recordings, and home environment sensor readings separate from advertising, and we won't use this data for ad personalization.' However, interactions with Google Assistant may be used for personalization. Google does offer comprehensive controls for limiting what data can be collected, used, and stored, including the ability to delete history. (Note that Google has announced that Google Assistant is in the process of being replaced by Google Gemini on Google and Google Nest devices.) Siri processes some voice commands locally and some in the cloud, where they are stored for up to two years. You can decline to have your recordings saved by Siri, though Apple will still send a transcript of your command to the cloud. Unlike with Amazon and Google, there is no longer a way to view a history of your interactions with Siri, though you can opt to delete your history by opening Settings and going to Siri, choosing Siri & Dictation History, and then tapping Delete Siri & Dictation History. The golden rule of internet-connected security cameras is to never point them at anything you wouldn't want the world to see — your driveway or porch might be fine, but your living room, maybe not so much. Otherwise, several models of smart cameras, such as this Eufy camera, allow you to store recordings on the device itself using a removable memory card, or sometimes on a hub. By keeping your recordings in your devices, you lower the risk of recordings being leaked in a data breach or otherwise abused. That said, the devices we recommend encrypt their recordings, so we generally recommend a cloud subscription for most people. 
If you didn't explicitly choose not to allow ACR when you set up your TV, you'll need to do it now, manually; fortunately, federal law requires TV makers to let you opt out. Doing so may take some digging around, as the process sometimes changes between TV model years and software versions. This SlashGear article has directions for TVs from a number of popular brands, though they may have changed. For LG TVs, this multi-step explainer from the company gives directions that differ depending on the year your TV was made. Here's the short version of how to disable or limit ACR on the TVs that we currently recommend:
Hisense: Toggle off Viewing Information Services in the Privacy menu.
LG: First, find Additional Settings in the System menu, and turn off Live Plus. Then go to the Advertisement submenu and turn on Limit AD Tracking.
Roku: Find Smart TV Experience in the Privacy menu and toggle Use Info From TV Inputs to off.
Samsung: In the menu, find Privacy Choices and toggle off Viewing Information Services.
Sony: Go to the Initial Setup menu and disable Samba Interactive TV.
This article was edited by Jon Chase, Grant Clauser, and Jason Chen.


New York Times
5 days ago
- New York Times
A Loved One Died and Didn't Leave Access to Their Online Accounts. Now What?
Miguel Porlan for NYT Wirecutter By Haley Perry Haley Perry is a staff writer focused on video games and booze. She has spent innumerable hours playing games and tasting spirits. Published June 25, 2025 Before I lost my father, I'd always heard that nothing can prepare you for the grief of losing a loved one. But in the aftermath of his death, I was especially blindsided by what came next: the bills that stopped for no one, the accounts that needed to be closed, and the frustrations of taking over someone's estate — even a digital one. You can find plenty of resources for how to prepare a digital will for your loved ones, but navigating someone's online life after they've passed away suddenly and without preparation can be complicated and downright demoralizing. Although my father left behind a proper will, documented login credentials for most of his online accounts, and even noted the passcode to his phone, my family and I still faced challenges in transferring utilities, cancelling subscriptions, and paying ongoing expenses. And after spending a month researching the legality of digital estates and the options that a person has for accessing a loved one's device or accounts, I'm still left with unanswered questions. Unfortunately, there's no universal solution for managing the digital portion of a person's estate. Not only do digital-estate laws vary by state, but every single website and company you open an account with has its own privacy policy that could supersede those laws — and ultimately bar you from gaining access after someone's death. But that doesn't mean the endeavor is hopeless, and the step-by-step list we've compiled below should prepare you for what to expect and how to get started. In many states, what constitutes a 'digital asset' is still unclear, as well as whether those assets are subject to the same probate laws as the rest of a person's estate. 
And when someone dies intestate — that is, without a will in place — the rules pertaining to ownership of digital accounts and assets become murkier. If you're locked out of your loved one's phone or device, you may want to seek legal counsel to discuss your options. Keep in mind that in many cases, only the inheritor of the estate — as determined by your state's intestate-succession laws — can request access to locked devices and accounts. Even then, you may not receive the level of access you're after. Both Apple and Google confirmed that it isn't possible to remove a passcode from a smartphone or tablet without erasing all of the data on the device in the process. However, you might be able to request a download of some of the stored data, such as photos, notes, and texts. 'We do not give access to deceased-user accounts. A family member, spouse, or next of kin can submit requests either to obtain data/funds from an account or to close the account of a deceased user,' a Google spokesperson told us. We've found similar stipulations about accessing accounts from Microsoft. Our guidelines below are intended for those who already know their loved one's login credentials, as accessing a loved one's phone or device can help preserve memories, grant contact info for other family members and friends who need to be reached, and provide useful clues to help you settle impending bills and subscriptions. Even if you do have the password, note that logging in to someone else's computer or online account is illegal under the Computer Fraud and Abuse Act, and we advise treading lightly and refraining from acting as the account owner. If you are the inheritor of the estate, you still need to abide by the terms of service for each account to see if the contents are legally transferrable. We suggest speaking to a lawyer who can better help you understand the privacy laws for the accounts you want access to. 
Start by requesting certified copies of the death certificate as soon as possible. Certain companies may require you to provide a death certificate in order to access data from a locked smartphone or tablet or to close or transfer phone numbers or accounts. Cindi Jo Willey, a California licensed fiduciary we spoke to, recommends obtaining five to 10 official copies. You can order them through your county or state's vital-records office or through a funeral director or mortuary. Do this as early as you can, because in some states it can take up to 16 weeks to process such requests. Collecting documents that prove your relationship to your loved one can also be beneficial down the line. This could include copies of your marriage certificate or the decedent's birth certificate, as well as any other relevant court documents. You're unlikely to need a copy of their Social Security card for tech-related disputes, but retrieving their Social Security number could be necessary for certain tasks, such as managing their internet or cell phone plan. To prevent the recurrence of credit card charges in your loved one's name, you can consult their smartphone and emails to pinpoint ongoing expenses. A good place to start is their Apple or Google Play subscription. On an iPhone or iPad, open Settings > Apple Account > Subscriptions. For Android devices, open the Google Play app, tap the profile button in the upper-right corner, and then navigate to Payments & subscriptions. A quick scan through the decedent's app library could also provide clues as to which services you'll need to cancel or investigate further. For example, your loved one could still have funds in PayPal or Venmo, or an active subscription to Spotify or Netflix. Checking their downloaded apps could also help you locate which banks or cryptocurrency exchanges they are affiliated with. 
If you have access to their email account, you can use search filters to find which utilities, subscriptions, bills, and financial accounts the decedent is responsible for. We recommend keeping a simple spreadsheet or handwritten list to record the accounts you've discovered, along with their upcoming billing dates and your status on settling future payments with each company. Most social media platforms allow you to request the deactivation of an account after someone passes away. But if you'd prefer to keep their online legacy intact, a few sites — including Facebook, Instagram, and LinkedIn — offer the option to memorialize the account instead. This means that the account will be locked, notifications such as birthday and anniversary reminders will be turned off, and a remembrance banner will be displayed on the profile (among other things, depending on the platform). You'll still be able to view content previously posted to the account, and on Facebook, friends will still be able to share photos and posts on the deceased's timeline. Each platform has its own set of guidelines for requesting the removal or memorialization of an account, but in nearly every case, you need to provide documentation confirming the death. In addition, some companies, such as Instagram, may respond only to removal requests submitted by immediate family members, which could require further documentation proving your relationship to the deceased. If you're just getting started, we recommend combing through Everplan's extensive database for instructions on how to close more than 230 online accounts. Cable, internet, and cell phone providers can be notoriously frustrating to deal with. 
When my father passed away, my mother and I struggled to take ownership of our shared Xfinity account: After countless hours on the phone with customer service, multiple trips to our local Xfinity storefront, and several months' worth of bills that continued to roll into my dad's account, we ultimately found it easier to cancel the service entirely and start a brand-new account with new phone numbers. (Ironically, I'm still locked out of some of my own accounts due to the two-factor authentication setups linked to my previous phone number.) Your experience may be less of a headache, but regardless, you should jump on cancelling or transferring your loved one's phone number quickly to prevent their account from accruing extra charges. T-Mobile, Verizon, and Xfinity list steps online for how to proceed when an account holder passes away, but some other companies are less streamlined and may require you to call their customer service line for more information. In most cases, you need to provide a death certificate, and certain providers may require the last four digits of the decedent's Social Security number. Managing someone's digital life after they pass can be nebulous and frustrating. If you don't want your own loved ones to face the same roadblocks, it could be time to prepare your own digital will. An easy place to start is designating a legacy contact for your Apple, Facebook, and Google accounts, which would allow the person you choose to manage your accounts after you've passed. 'We talk so much about advanced deathcare directives and pre-planning, and now that pre-planning also has to include a digital plan,' said Loren Talbot, the director of communications and partnerships for the International End-of-Life Doula Association. Your digital will could include a list of login credentials for all of the websites you have accounts with, instructions for how you'd like those accounts handled, and an inventory of your subscriptions and digital wallets. 
If you'd like to get started on creating your own plan, Talbot recommends companies such as Cake and Evaheld, as well as Future File for those seeking a physical kit that they can complete offline. It's something that everyone, no matter their age, would do well to consider. This article was edited by Signe Brewster and Caitlin McGarry.


New York Times
6 days ago
Sharpening Your Knives Incorrectly Can Damage Their Blades. Here's How to Do It Right.
Before you sharpen your knife, it's important to know its material, its unique shape, and the angle in which to sharpen it. The material determines how often you have to sharpen a knife, the difficulty of the task, and what type of sharpener you should use. Chelsea Miller, a knife forger whose knives have been used in the dining rooms of Michelin-starred restaurants like Eleven Madison Park, explained, 'Carbon steel or high-carbon steel knives are generally easier to sharpen at home, whereas stainless steel knives — the most common manufactured type — are more difficult to sharpen freehand.' (Freehand sharpening is when you sharpen a blade without a guided system and instead use something like a whetstone or a manual, handheld sharpener. These methods usually don't offer the ability to adjust the angle.) Knowing the type of steel a blade is made from helps determine how frequently it needs to be sharpened. Michael Hession/NYT Wirecutter High-carbon steel knives contain a higher carbon content than stainless steel, which generally makes them harder, stronger, and easier to achieve a keener edge than stainless steel knives. High-carbon steel knives are also easier to sharpen than stainless steel ones; it takes less effort to remove metal during sharpening due to its iron-carbide-rich composition. But they may require more routine maintenance since they're also less wear-resistant and can develop patina over time. And then there's high-carbon stainless steel, which we recommend in our guide to the best knife sets. It combines the best aspects of high-carbon steel and stainless steel in one, so it's strong, able to hold an edge well, and less prone to rusting, but it's typically pricier. You can expect to have to sharpen it less frequently than a high-carbon steel blade. 
Once you know the blade's material and how often you need to sharpen it, you can move on to determining the blade's shape and angle, so you can ensure the knife maintains its unique qualities to perform its intended job after it's sharpened. Navigating sharpening instructions is easier when you know the anatomy of a knife. NYT Wirecutter There are two key blade factors to consider before you start sharpening: its grind (the cross-sectional shape) and edge (the shape of the cutting surface, or the bevel). The most common kitchen blade grind is flat ground; that means the blade, generally speaking, tapers from the spine to the edge, and the cross-section forms a V- or a wedge-like shape, much like our budget-pick chef's knife, the Victorinox Swiss Classic Chef's Knife. (For a true full-flat grind knife, opt for a Japanese gyuto knife, like our runner-up chef's knife, the Tojiro F-808, which has a much thinner V-shaped blade than that of Western-style chef's knives.) Another popular grind is hollow ground, a blade with a concave edge that, depending on the knife, can start on the edge and slope all the way up to the spine. This isn't as popular among kitchen knives, but is common among pocket knives, like our top pick, the CRKT Drifter. The most common cutting edges among kitchen knives are typically V-edge (symmetrical edge bevels that form a 'V' shape) and compound beveled edge (a V-edge featuring multiple-edge bevels, like double bevels, which enhance cutting performance), such as the Tojiro F-808. Western knives usually have double bevels, meaning both sides of the blade angle towards the center. While many Japanese knives typically feature a single bevel, where one side of the blade is angled and the other remains flat, double-bevel variations are available as well, like the F-808. Sharpening a knife — especially one designed for a specific task — at the wrong angle can severely alter its performance. 
'Say you're using a boning knife whose angle was manufactured for that task, and you start sharpening it to another angle — like one more geared towards cutting vegetables rather than deboning a fish — you can completely change the angle and its performance,' Miller said. You can generally find the appropriate angle to sharpen a knife via the manufacturer, either on their website or in a booklet provided at the time of purchase. However, if the information is unavailable, Miller recommends following general guidelines based on the shape of your knife. Most standard types of knives — like a chef's knife or paring knife — share similar angles regardless of the manufacturer. Miller also recommended examining an edge by carefully holding a knife straight out in front of you, perpendicular to your eyes, and getting a good look straight down the knife's edge. She said you should analyze from tip to heel and from heel to tip to get a better idea of the adequate sharpening angle. Carefully look down the knife's edge to analyze the blade's angle. Repeat the process from tip to heel and heel to tip. (Squinting one eye can help make it easier to see.) Maki Yazawa/NYT Wirecutter


New York Times
6 days ago
These Are the Best Weeding Tools, From Roundup to Flame Thrower
If you were to sketch a yard designed for testing weed-control methods, it might look a lot like mine. My yard is in New Jersey, with a temperate climate (plenty of sunshine, plenty of rain, rarely blazing, rarely arctic). The soil is a type called Downer (the official soil of New Jersey), and it's productive stuff, earning the Garden State its nickname. The lot is oriented northeast-southwest, so some areas receive full sun all day and some areas get shade in the morning or afternoon. And, thanks to three huge walnut trees, some areas are dark and dank for the entirety of the growing season. Whatever conditions a plant prefers, it can find them here. The yard has not been tended in a long time, and 'volunteers' (gardener-speak for stuff you didn't plant and may not want) have taken hold. When the weather turns warm in the spring, whole sections of it sprout monocultures of creeping Charlie and purple dead nettle. The fences disappear behind walls of English ivy. Bumper crops of Asiatic dayflower and Asiatic smartweed grow in the raised beds. Broadleaf plantains and common dandelions march across the grassy sections like spear bearers. All of these things are non-native, and some of them are invasive (that means they're non-native and also harmful, crowding out native plants or otherwise disrupting ecosystems). This poison ivy vine was about 2 inches across and had climbed 30 feet up a tree. I treated it once with Roundup Weed & Grass Killer, and it never came back. Tim Heffernan/NYT Wirecutter Getting rid of them piecemeal would be the work of a lifetime, which is why I'm planning to kill everything and start over. My short-term goal was to get the worst of the weeds under control, make the property less of an eyesore, and maybe even make the yard pleasant to hang out in. State-school agricultural extensions proved to be a goldmine of advice. 
And I would encourage you to explore yours: It may identify locally problematic species or raise other concerns specific to where you live. In addition, I found North Carolina State University Extension's article Are There Alternatives to Glyphosate for Weed Control in Landscapes? to be a gem of clarity and concision. And it's a great general-purpose primer on glyphosate (which you may know as Roundup), other herbicides, non-herbicidal control methods, and the plants and situations they're most effective at addressing. The article A Guide to Weed Life Cycles, from UMass Amherst's Extension Turf Program, is also terrific, and it explains how to identify the different classes of weeds and why managing them requires different approaches. Then I gathered some equipment. I already had a transplanting spade (even before I wrote our guide to them), and I don't think there's a better tool for uprooting shrubs and trees. I also had our top-pick string trimmer and a hori-hori (a digging knife with a dozen uses, including weed removal). To these I added a couple of weed-pulling tools: a propane blowtorch; the first gallon of Roundup I've ever bought (as fraught a moment as ordering my first legal-age beer); and several herbicides that fall under the Environmental Protection Agency's 25(b) 'minimum risk' exemption from FIFRA registration. I added a spray bottle for general Roundup application and a couple of small applicators for daubing it on freshly cut stumps. They mostly proved effective at the different jobs for which they're intended, and this provided my first take-away: You'll get the best results if you keep multiple weed-fighting tools on hand. Connie Park/NYT Wirecutter The trademarked name Roundup is often used interchangeably with glyphosate, a powerful and controversial herbicide that Monsanto patented and began selling under the Roundup name in 1974. 
(Monsanto's exclusive right to sell glyphosate in the US expired in 2000, and then many other companies began using it in their formulas.) But as of 2024, no Roundup residential lawn-and-garden products contain glyphosate, including the basic Weed & Grass Killer that I used. This basic herbicide rapidly kills most plants, and it degrades quickly, allowing replanting within days or weeks. Roundup Weed & Grass Killer now contains three active ingredients. Triclopyr triethylamine salt (TEA) is what's called a systemic herbicide. Herbicides of this type get absorbed by the plants they're used on and spread to all of the plants' tissues, killing them down to the roots. TEA is also what's called a selective herbicide, which means it's most effective on certain kinds of plants — in TEA's case, woody plants and vines. It's applied to cut stumps to prevent regrowth (and it's frequently used to combat invasive species). TEA specifically works by mimicking an auxin, a plant growth hormone, triggering uncontrolled growth that kills treated plants within days or weeks. The EPA considers TEA slightly toxic to humans, not classifiable as a human carcinogen, practically nontoxic to slightly toxic to birds and marine/estuarine invertebrates, and practically nontoxic to fish and freshwater invertebrates. It is degraded by soil microbes within a few weeks. Fluazifop-p-butyl is a selective, systemic herbicide that's used mainly to kill grasses, and it's not effective on broad-leaved plants. It works by inhibiting lipid (fat and oil) synthesis, and that leads to the breakdown of cell membranes. The EPA considers it of low acute toxicity and unlikely to be carcinogenic to humans. It is degraded by microbes in the soil, and it does not travel well through soil, though the EPA notes that using both fluazifop-p-butyl and triclopyr 'in areas where soil is permeable, particularly where the water table is shallow, may result in groundwater contamination.' 
Like TEA, fluazifop-p-butyl is frequently used to combat invasives. Diquat dibromide kills by disrupting plants' cell membranes. It's non-systemic, which means it kills only the parts of a plant that it touches. And it's non-selective, which means it's effective on almost all plant types. The EPA considers it non-carcinogenic, of low oral toxicity, and of moderate to severe acute dermal toxicity to humans. It does not migrate through soil, and it's unlikely to get into surface and groundwater. Taken together, this mixture makes the Weed & Grass Killer a broadly effective herbicide in yards and gardens, and one that's quite safe to use and does not persist in the environment. (This allows for replanting of treated areas in as little as a day.) Still, I have qualms about using pesticides in general, and when I do, I make an effort to use as little as possible. In spring 2025, I tried three herbicides — from Sunday and Procter & Gamble — that are heavily marketed as being safer or greener alternatives to traditional formulas. Before using them in my yard, I spoke at length with Trent Lewis, Sunday's co-founder and head of R&D, and Mary Jane Watson, research and development senior scientist at Procter & Gamble. Sunday's Dandelion Doom uses chelated iron (iron HEDTA) to induce fatal iron toxicity in broad-leaved plants. Iron HEDTA is used extensively as a supplemental fertilizer (all photosynthetic plants need some iron), and using it as an herbicide is effectively a matter of vastly over-fertilizing. The EPA has found no reports of adverse effects from exposure to iron HEDTA, and it says that 'pesticidal usage of this biochemical will not have any harmful environmental effects.' Sunday's Weed Warrior is an ammoniated soap. Herbicidal soaps kill by disrupting the protective waxy coating on leaves and damaging leaf-cell walls; this leads to desiccation and cell death. 
I reviewed the Safety Data Sheets of several widely available brands, including Weed Warrior, and the warnings are that they can irritate the eyes, skin, or lungs and should not be swallowed; these warnings are similar to the warnings on dishwashing soap. Procter & Gamble's Spruce meets the EPA's 25(b) 'minimum risk' conditions. Essentially, this means a pesticide can contain only active ingredients that the EPA believes 'pose little to no risk to human health or the environment,' and in fact many of those ingredients are widely used in food and cosmetic products. Spruce's active ingredients are sodium lauryl sulfate (a surfactant found in a lot of soaps and shampoos), geraniol (geranium essential oil), and cornmint oil. Putting aside all other considerations, it smells delicious. (That wasn't a given. The complete list of 25(b) active ingredients includes dried blood and 'putrescent whole egg solids.') I didn't find any of them as effective as the Roundup. Neither did Wirecutter's Sebastian Compagnucci, an avid gardener who optimizes his weeding practices. This was largely expected: They are not systemic herbicides, which are absorbed into and kill every part of a plant. As both Lewis and Watson noted, that means treated plants' roots can and often do survive and regrow. It typically took two applications of the Sunday and Spruce products to kill the aboveground parts of the grasses, dandelions, and other weeds I used them on. Also, for the products to be the most effective, the plants have to be thoroughly drenched — not just lightly sprayed or wetted with a drop or two. So I wound up using a lot more of the Sunday and Spruce products than I did of the Roundup. Spruce comes in proprietary aerosol cans (they spray straight down), manual spray bottles, and jugs with built-in, battery-powered spray wands. Sunday's Weed Warrior and Dandelion Doom come in manual spray bottles and in jugs and pouches with battery-powered wands. 
Sunday sells refills for all of them, so you can reuse the original containers. But those wands aren't built to last, and the batteries will die. Spruce sells refills for its jugs and spray bottles but not for the aerosol cans, and its battery-powered wands aren't built to last, either. The incongruity between these 'earth-friendly' herbicides and all of that material waste struck both Seb and me. All told, I'm happier using tiny, targeted amounts of the Roundup Weed & Grass Killer and durable applicators of my own choosing. And I don't plan to keep using Sunday or Spruce after the batches we ordered run out. But I absolutely acknowledge their virtues, too. Connie Park/NYT Wirecutter If you've watched more than a couple of YouTube videos about gardening, I suspect you've gotten ads for Grampa's Weeder. It's pitched as an Olde Tyme secret weapon against unwanted grasses and broad-leaved lawn invaders like dandelions. Given my target-rich environment, I had to try it out. I also tried a similar tool made by Fiskars. This simple tool is an ace at pulling up deep-rooted lawn weeds like dandelions, but it's ineffective on other intruders and in rocky soil. On my dandelions and plantains, Grampa's Weeder and the Fiskars tool both performed as advertised, usually managing to pull out most of the taproots along with the foliage and thus killing the individual plant. (If you don't remove the taproots, a plant will just grow back.) Both the Grampa's Weeder and the Fiskars (shown) are adept at pulling out dandelions, taproots and all. Tim Heffernan/NYT Wirecutter Conveniently, you don't have to lean down or get on your knees to use either tool, the way you do with a traditional hand weeder. (You do have to use your foot to push them into the soil, however.) And they don't leave big holes in the lawn, the way a shovel or trowel can. That said, they are one-trick ponies. 
Neither worked well on the little walnut sprouts, for example, because the flexible but tough stems prevented the tools' claws from centering on and gripping the roots. They're useless in rocky soil, too, because the claws can't penetrate. I kept the Grampa's Weeder. It lacks the little ejector mechanism of the Fiskars weed puller, but I didn't find that to be much of a time-saver anyway. The simple bamboo-and-metal construction is sturdy, and it's comfortable to hold. And, above all, it's nearly silent. Using it became meditative after a while. The Fiskars weed puller, whose plastic parts never ceased clicking and clacking while I worked, became increasingly irritating to use. I think I'd find excuses to not use it, and that's how weeds take over. Connie Park/NYT Wirecutter Let's get one thing out of the way first: Flame weeding is not flamethrowing. Banish visions of Rambo torching the jungle from your mind. Using targeted heat to kill weeds, though, is an established practice. Steam and hot-foam equipment is used by some professionals, but for homeowners, propane torches are the way to go. For obvious reasons, they can't be used everywhere. They're intended for flame-resistant surfaces like concrete, asphalt, rock, and gravel — places where weeding by hand is difficult or impossible. The University of California's Agricultural and Natural Resources department has some additional guidelines on flame weeding safety, including advice on keeping extinguishing materials nearby and avoiding use in windy, dry, high fire-risk conditions. I tested a popular torch made by Bernzomatic. It hooks up to a standard 16-ounce propane cylinder (available for about $10 at any hardware or outdoors store), so it's light enough to carry in one hand. It has a built-in manual igniter, and its long flame tube lets you stand upright while working. This torch is lightweight, self-igniting, and long enough to use standing upright. 
It's a good (and satisfying) tool for controlling weeds on nonflammable surfaces. The test area consisted of gravel-choked sidewalk cracks, which the dandelions and plantains consider an excellent place to raise children. The Bernzomatic torch was easy to set up and made quick work of the weeding. After sweeping away any dead leaves and dry grass clippings with a push broom (to avoid unwanted flareups), I simply held the flame over each plant for a second or two — just long enough to make the foliage change to a slightly darker green. This indicates that the plant tissue has been heated enough to kill it; there's no need to burn the weeds to ashes. Seared to perfection. This picture was taken about 18 hours after I torched a strip of the driveway, but the plants actually withered within a few hours of being treated. Tim Heffernan/NYT Wirecutter One thing to note: Torches destroy only above-ground foliage. That's usually enough to kill young weeds outright, per the North Carolina State Extension's guide to glyphosate alternatives, but you usually have to go back and hit mature plants again. Drawing on energy stored in their roots, they can come back several times before their reserves are used up. Like weed pullers, weed torches are essentially one-trick ponies. You should not use them on lawns or in brush (a fire danger), and the flame isn't precise enough to target individual weeds within a crowded garden bed. With care, they can be used in open beds, but if the beds are mulched, make sure that the mulch is properly soaked before you light up. However, people do use weed torches for a few non-gardening purposes, like igniting brush piles and melting ice on sidewalks. There are more efficient ways to do both, but there's something to be said for the fun of wielding the awesome power of fire in your very own hands. None of the above options are ideal for use in vegetable gardens and flowerbeds. 
And Roundup should never be used anywhere you'll be planting food crops — not even to kill weeds beforehand. Try a stirrup hoe instead. Wirecutter's Sebastian Compagnucci got his stirrup hoe during the pandemic, when his garden became a refuge, and due to this tool's precise, efficient action, his weeding time was cut in half. For uprooting unwanted shrubs and small trees, I've never found a better tool than a transplanting spade. As the name suggests, this tool is also ideal for transplanting (or simply planting) things. And due to its short handles, a transplanting spade is much more maneuverable in the confines of a yard than a standard shovel. A hori-hori is one of our favorite gardening tools. Shaped like a short sword but dished like a trowel, it's great for digging out deep-rooted weeds that are growing close to plants you want to keep. In my raised beds, I found my hori-hori more effective than the weed pullers, which tended to sink into the soft soil and didn't get enough leverage to work properly. A string trimmer can keep weeds knocked down, and it can give desirable plants time to grow and eventually crowd out the weeds for good. I also use mine as a makeshift edger. All this said, now that I've gotten our weed situation under a modicum of control, I find myself frequently turning to the simplest tool of all: my own hands. It really doesn't take long to yank the weeds out of a patch of lawn or the corner of a raised bed. And this approach somehow seems more fair. The plants we call weeds are some of the great survivors and settlers of the living world. The least I can do is give them an honest fight. This article was edited by Jen Gushue and Harry Sawyers.