What can be done and how difficult is it? This is the core question. The answer is that quite a bit can be done that is not very hard. Of course it is up to each person to decide how much effort to invest for how much gain. Taking even a few of these measures puts you well outside the main information harvesting (and potentially identity stealing) drag net..
Awareness and Operational Security
The first thing that can be done is simply to become more aware of privacy and security concerns. Following this information is a start.
Thanks for reading Practicing Privacy! Subscribe for free to receive new posts and support my work.
An important aspect is simply not giving out more information or information that points too directly to oneself than is required. Awareness is asking about every on sign up form:
- Does what I am signing up for really need this information?
- Does it really need to know my main email address? Does it even need to communicate by email or only to verify by email? Do I want email from them?
- Is the password (if applicable) I am giving strong and unique to this side?
- Does the site need my phone #? Does it use it for one time verification or are they going to SMS spam me. Is this information secure? Does it need my cellular number or will a temporary number or a VOIP number do?
- If it asks for my mailing address do I expect to receive any physical delivery from the site? If not why give it my true home address?
- If there are security questions about details of your life why give it true information? Do you know that information is and will stay secure and not usable by hackers? Why not give random answers and store them in your Password Manager as a note in case you need them later? No site legitimately needs to know the name of your first crush!
Awareness is thinking before you share details of your activities and who you did them with. Do you really want to give that information to random strangers and data brokers? It has become fashionable to “let it all hang out”. Doing so makes us much less secure. It gives hackers a lot of extra information to attempt to beg a reset of account credentials. It gives hackers a lot to go on. It is a bonanza for criminals if you leak information explicit or implied as to how much money you make, when you will be out of town and so on.
I know it may seem too hard but for privacy and security you should practice “need to know”. Only really close high trust friends should know many things. Online friends or acquaintances should know much less. And strangers should know very little beyond what opinions and thoughts you may decide to share publicly.
Credentials
Credentials in the form of email and password can be made much more proof against leaks of privacy and security issues.
The email address provided need not be the same and for the most part should never be your widely known and linked directly to you primary or one and only personal email address. Otherwise it is an always the same personal identifier to build up a large graph of information everywhere you use it. It is best to have multiple email addresses with some able to reply from the address given and some not (temporary or one way email address). It is very easy to set up multiple addresses. One less thing to track you with.
Passwords
Using a good Password Manager it is easy to have a unique strong password for each and every site that has such credentials. Never use the same password multiple places. Never use OAuth from Big Tech providers for authentication. Reusing passwords means if the password leaks or is stolen or cracked once other sites are vulnerable as well, especially if same email was used. Using Big Tech OAuth lets these providers track you more completely and if you Big Tech account is every compromised it puts much more of your online life at risk.
Weak passwords can be cracked within minutes by a competent hacker.
While email protocol was not made for high degree of privacy it is possible to be much more private and secure than by using Big Tech provided email. Big Tech providers generally have the keys to your email contents if they bother to encrypt it at rest. Some such as Google are known to scan and data mine the content of your email. You email may be given to authorities which is a problem as we had to a deeper Police State and in these highly punitive privately and publicly times.
In is not hard to use E2EE encrypted with zero knowledge of private key providers. Many offer email alias address and email under your own domain services as well. When exchanging email with other users of such a service the email is encrypted on send and only readable by the intended recipient. All email contents are encrypted at rest. There is no scanning of email contents by provider or even any ability to do so.
VPN
Using a trustworthy no-logging VPN protects you IP address from being used to track all your internet traffic. Your IP address also identifies your physical location within roughly a few house or a block or two.
Another part of this topic is using a DNS provider that does not log and possibly sell all the site look-ups you do.
Transaction Privacy
Financial transactions using Credit Cards (CC) are all recorded by at least the card issuer. This information is made available to authorities and others. The card itself is fully KYC to you in the US and many other developed countries since 911. It is a major leak of privacy.
In some parts of the world there are virtual credit cards that act as controllable limited debits on an underlying bank account. This gives one step removed increase of privacy as they can be set to not tell your bank where a spend was made as well. When using them online the name on the card can be anything you like as no name is hard-tied to the card. There is also no tightly tied address so that can be whatever you like if requested on the payment form.
Some credit cards allow secondary cards in alias names without requiring identity proofs on the name on the secondary card. These can be helpful.
Where possible in person paying with cash is as private as it gets. Paying online in crypto is a lot more private, with some caveats left for subsequent posts, than using CC.
Phone Number[s]
It is ideal to have multiple phone numbers for the same reason it is ideal to have multiple email addresses. It makes it harder to pin all usage and communication with a number to the same identity and makes it harder for a hacker to pass as you.
You can have multiple VOIP numbers without paying a meant for multiple cellular numbers. In some areas such as the US there are very easy ways to do this. It is recommend to segment use of these numbers, for instance:
- one for friends and family
- one for business
- one for misc merchants
Generally only give true cellular number to government, financial sites and others that don’t work with VOIP.
Smart Phones
Smart phones by default as normally set up are a privacy and security nightmare. They leak more information and on a more continuous basis than online actions by default. A phone of any kind with a sim card and active account can be used as a tracking device pinpointing your location within 10-20 meters or better. With GPS and/or wifi on it can locate you within as much accuracy as 0.1 meter or less. An unprotected activate cellphone can be used to make a trail of everywhere you go.
The provider, especially Google, scoops up a tremendous amount of information. Even on an iPhone people usually have some google services on which give google by default a lot of information. Many apps use ads provided by Google or Google Analytics as well.
By default the DNS is either from the provider or your default ISP both of which track and log your DNS lookups.
The best that can be done short of using dumb phones is to use a de-googled Android phone free of as much Google spying as possible. This can be done with little or no loss of app functionality.
Private Messaging
SMS by default is not very secure even if encrypted in flight. It is not encrypted at rest and is commonly stored by cellular providers. Yes, iMessages are a bit better but are not end-to-end including at rest encrypted.
SMS can also be hacked by Sim Card cloning allowing the successful attacker to receieve and send SMS as if they are you.
There are many better alternatives including Signal, Session and WhatsApp. There are others that are less well known but much better than the SMS defaults.