22 years ago the vast majority of communications were either unencrypted or, if you had a fancy mobile phone, encrypted using weak, ITAR-compliant ciphers. Encryption on the Internet was for e-commerce sites with the budgets for the extra hardware, certification, and compliance needed for SSL, and the protocol was also kneecaped by ITAR outside of the US. Hell, even early DRM systems were laughably easy to break because of export-grade encryption (see DVD CSS).

The primary privacy protection for communications in 1999 was legal, not technical:

1. Police needed a warrant to listen on your communications (or, if they only wanted to know who you were calling, no warrant was needed)

2. Private wiretapping would land you in jail, and required covert access to someone's house, making it riskier to pull off

3. Analog telephone systems (already out-of-date) were entirely protected by a law that made it illegal to provide consumer-grade equipment that could be easily modified to tune to 800mhz. This is still law today, despite the frequencies being unused for analog, and is a thorn in the side of amateur radio.

This could be summed up as "we promise not to spy on you if you promise not to resist us if we change our mind".

An interesting expression of this idea happened with the whole NSA Clipper Chip debacle. Effectively, the US government wanted to move from unencrypted everything to key-escrow encryption, where private citizens would be technically prevented from wiretapping your phones, but law enforcement could still do so. It failed so hard that the US government just stopped regulating crypto export and the NSA retreated to slipping vulnerabilities in crypto standards (e.g. Dual_EC_DRBG, TLS Extended Random).

The actual legal protections I mentioned above melted away under the heat of the War on Terror. The US government adopted a classified interpretation of wiretapping law that boiled down to "if we aren't listening, we haven't spied on you". Effectively, the NSA would wiretap everything and store it securely, and then once they had legal justification to actually wiretap you, they'd open up what they had already recorded. In theory, this is just turning a wiretap order into one issued about 30 days ago. In practice, the "legal justification" part was someone filling out a form in XKeyscore and clicking a button, with no further verification in the vast majority of cases.

It was only after much of this leaked - twice, I might add - that people outside of encryption enthusiast communities actually started taking technical privacy protections seriously. Things like end-to-end encrypted messaging, Let's Encrypt, and efficient cipher implementations that actually made encrypting everything useful are things that people in 1999 could only dream of (except for the above-mentioned cypherpunks). On the other hand, all of this extra security is fundamentally reactionary. We would not be encrypting the whole web were it not for certain Nation-State Actors abandoning their already-flimsy legal protections and going for full-take.

Of course, none of that matters when you were just going to self-surveil and post everything you do to Facebook anyway. But that isn't really all that new. People have always been bad at keeping secrets, advertisers have always been spying on you (before the Internet), and there's hundreds of years of legal precedent concerning when, where, and how much privacy you lose when you open your mouth or go out in public. If there is a difference between the 90s and today, it's that today's technology makes you a lot more aware of when your privacy has been violated. Target may know when you're pregnant before your father does, but Facebook will brag about it to you.