Danger of Unique Identifiers
As we have seen, the collection of data about all of us adds to a graph of information whose central nodes are, at worse, unique identifiers pointing straight to our person.
Those identifiers are generally of some common types:
- email address
- phone number
- true name (name on government documents)
- true address
- true answers to “Security Questions”
- Big Tech account Id (Google, Microsoft, Apple, Meta)
The strategy here is twofold.
First do not use or share the same identifiers or identifiers that can too easily be tied to your actual identity.
Second do not use Big Tech products requiring Big Tech account IDs.
Here I will focus on best practices regarding the first strategy by decreasing uniqueness and places where such identifiers are shared. Avoiding being tracked by Big Tech Account IDs has a deeper answer of getting away from using Big Tech. There are however ways to mitigate what can be tied to such IDs if you have them. This will be covered in a subsequent segment.
Email Address Mitigation Measures
Aliases
Email aliases are one of the most powerful strategies. For many types of online accounts email address is effectively a user identifier in addition to communication channel from the site to its users. There is no reason this email address need be your primary email address. In particular the bit of the email address before the ‘@’ does not need to be as in our main email account or any of the custom domain direct associated accounts.
There are many services (e.g. SimpleLogin) that can produce alias addresses. When email is sent to such an address, which usually includes some hint for the user of what site it is for, the email is forwarded to the underlying email address the user chose for that alias. If you reply to that address then while it looks to you like you are replying from the underlying address the alias address is seen by the receiver you are replying to. Most email alias suppliers provide some mechanism, which can vary by supplier, for originating email from an alias address as well.
Another advantage of alias addresses is spam control. It is immediately obvious where the unwanted email is coming from. If the normal unsubscribe actions do not work then you can simply delete that alias and you will get no more spam from that source.
Using email aliases the activities done on some sign you registered with that may be tracked through one or more of the common mechanisms are associated with some alias email address rather than one that more directly points to you or is know to be yours. So there are a bunch of disjointed subgraphs in the data brokers information rather than those subgraphs attached as branches to the tree rooted around your true identity.
Provider Account
Many privacy oriented providers have free and paid accounts where the payment can be made in crypto. Thus even who owns the underlying email account is not so obvious. Of course the traffic to the main account address and custom domain (if any) secondary addresses can be tracked down to owner unless extra precautions were used. But at least there is not a direct Credit Card flag on the email account itself.
Protecting Your Phone Number
Limit Giving Out Any Phone Number, Give VOIP Numbers When Possible.
It is fairly common for a phone number to be asked for in some registration or other form.
If it is optional then simply do not give one.
There are N remaining cases:
- phone number used for one time verification
- phone number wanted for continuing communication
- phone number with no apparent use for the site requesting it
- requested by some government or banking site
If the number is used for one time verification then any number capable of receiving an SMS including temporary phone numbers will suffice.
If you wish for or need to allow continuing communication or there is a likelihood of periodic verification using SMS 2FA then use a VOIP number when possible. Note that this will not be possible with banking and government sites generally. This is one of the few instances when it is OK to give out a true cellular number.
If there is no apparent use case for the site having a phone number from you then try something like all 9s. Many forms will accept this. Hopefully some poor soul doesn’t have (999)-999-9999 as their number!
As mentioned government and banking sites generally will refuse a VOIP number. Google account sign-up is notorious for this as well. There are some temporary phone number sites that claim to get around this but I would not recommend it for anything as official as a government or banking site.
When Your Name Is Asked For
Whenever your name is requested on some form you are not obliged to give your full legal name in most cases. This is especially true when the form is not on a government or banking site and is not part of forming a legal contract. It is not in your interest to give your legal name more places than absolutely required. A site merely asking for it is not a binding requirement.
You may thing sharing your true name far and wide my build up your rep or leave perhaps a virtuous trail. But given your true name all activity everywhere can easily be logged and analed pointing straight at you. This is not at all safe. Deep information and profile of you can be used against you by all matter of bad actors, public and private.
By now you likely understand the drill. If the site doesn’t need to know your true name and you have no need to use it for some business purpose then don’t give your true name. If the site needs a true name you can often abbreviate such as first name and addition, nickname, nickname and initial, variation of name or middle name and so on.
Another useful way around legal request for name is to instead give an LLC name or a the name of a Trust you have previously established.
Responding to Request for Address
You know the routine. If the fields are optional do not enter this information. Next , if this is a non-government or banking request and if you expect no physical shipment from the requester, then DO NOT give your home address. Many online businesses will request your address in order to compute appropriate sales tax or VAT. It is built into some payment systems. Giving any address whose zip or equivalent matches the rest of the address is good enough. Many processors don’t check even this much. Some will check whether your IP address matches but this is rarer. In such a case be sure your VPN is appropriate for the address.
A stronger tactic is to have a post office box or other CMRA (commercial mail receiving agency). These can be used in many situations but not generally for government and some business purposes. A PMB (personal mail box) can be used for many government and legal purposes. PMBs can be set up to forward to wherever you wish including to stopping points such as hotels if you are on the road. This can provide a lot of anonymity.
It is prudent to have your true physical address in as few places as possible. There are too many nefarious actions that can be taken if your true address is known. Not to mention it being a powerful unique identifier that all kind of information can be concentrated around.
Beware of Security Questions
Some sites ask you to pick from a set of “security questions” and provide answers for them or they will ask you to provide security questions and answers. This is purportedly for your “safety”.
NEVER EVER provide true answers to these questions!
Think about it. The site stores your question/answer pairs away. You have know way to know how secure that storage is against hacks, leaks, site even selling the information, malicious employee and so on. If you enter true information then more information is known to use to steal your identity or more random facts are know in information trove about you. This information could also be used if the same questions and answers are present to fingerprint you across sites.
Always give made up randomized answers. Store your question/answer paints in your Password Manager entry for the site under notes. This way you are assured you will give the same answers if ever asked. You do use a decent Password Manager, right?