There are two key concepts in information security: threat model and attack surface.
“Threat model” is another way of asking, “Who’s out to get you?” If your threat model includes the curiosity of nation-state intelligence services, you have many more things to worry about than J. Random User. It’s more likely that voicing a contrary opinion on social media might make you yet another unwitting main character of Twitter, or that a stray mention by someone else could bring you to the attention of the internet’s malcontents.
“Attack surface,” meanwhile, describes a target’s vulnerable access points that an attacker will seek to exploit. When it comes to the internet, it’s nearly impossible to collapse your attack surface to zero — you’ll never achieve that without going into witness protection. Our goal in this article is to help you condense your attack surface as much as possible.
Admittedly, trying to scrub your offline coordinates from the online world can feel like counting cicadas during the every-17-years emergence of those sex-starved insects: you can start, but you will never finish.
But that doesn’t mean that giving up is the right answer. With some effort, you can make data points like your street address, phone number, and birthday less visible online — and therefore less easily available for harassment or identity theft.
This exercise will also renew your awareness — as unpleasant as the consequences might be — of just how much data about you sloshes around the web. And it may get you to think anew about how you want to craft the picture that emerges of you online in a stranger’s search.
1. Dox yourself before other people do
“I can tell you the cheapness and the availability of information you can get about anyone online would shock you,” says Brianna Wu, a Massachusetts game developer who was among the more public targets of the Gamergate harassment campaign and has since become an advocate for better online privacy.
For example, in some states, you can look up someone’s voter registration by providing their name and birthday. That will yield their home address; if they own a home, you can then plug the address into their county or city’s property-tax assessments page to see what they paid for it and what it’s worth now.
Other sources include social media such as Facebook and LinkedIn, your WHOIS profile, and any other information that may be floating around. Once this information is available, data brokers can then mine and combine public and private records, with the results on sale at low, low prices — sometimes, for free.
What you can do
- This first step may be the most unsavory: open an incognito window in your browser (so Google or any other search engine shows what a stranger would see) and search for your name and street address, name and phone number, name and birthday, and name and last four digits of your Social Security number.
- Note that, individually, each data point may not look like a huge privacy risk — but combining them can unlock various other databases.
2. Opt out where you can
The results of your search will probably include a list of people-finder sites such as Spokeo, Intelius, and Whitepages that serve up the output of data brokers that themselves collect and fuse information from private and public records.
As you look through the search results, most will be somewhere in the “not great, but not terrible” range. Note which sites claim to have your information and get as far as you can (without paying) to see how much data they claim to have.
What you can do
- First, you have to find all the sites you need to check — and how to contact them if they have your data. Data-removal service DeleteMe maintains a list of opt-out instructions for dozens of data brokers; in one I tested, DeleteMe provided more accurate help on how to remove your data than the actual third-party service in question.
- Reputable people-finder sites offer free opt-outs of varying usability. At Spokeo and BeenVerified, I had to do little more than identify my listing, enter my email address, and click a link in the message sent to me. At the data broker Intelius, the back end of multiple people-locator sites, I had to input a code sent to my email instead of just clicking a link.
- Others make it a lot harder. For example, at Whitepages, the “suppression request” protocol requires you to provide a phone number for an automated call. MyLife tells non-California residents to call or email; citizens of the Golden State, however, can use the opt-out required by the California Consumer Privacy Act.
- Some of your data may actually be defunct or incorrect. In that case, it’s up to you whether you want to go through the trouble of deleting it.
3. Watch out for repeat offenders
Be aware that opting out once doesn’t mean you will stay opted out. I opted out of a Spokeo listing back in 2014, only to have to do that all over again for this story. Because data brokers and people-finder sites continually ingest data from public and private sources, this industry operates as a self-licking ice cream cone.
“A game of whack-a-mole,” summed up Soraya Chemaly, a writer and activist who has both studied and been a target of online harassment.
Rob Shavell, CEO of Abine, the Somerville, Massachusetts, company behind DeleteMe, said in an email that 43 percent of DeleteMe customers saw some of their data resurface at one or more data brokers six months after having their info expunged.
What you can do
- If you have the time and inclination, go back to the major data brokers about every six months and check to make sure your information is still off their sites.
- If you don’t have the time, but you do have the funds, DeleteMe will remove your data from the sites and monitor any changes. It charges $129 per year for that service (but often posts coupon codes for 20 percent off). That business model requires customers to trust DeleteMe with the same personal info they want to make vanish from the public web. The company’s site says the right things about it needing customer trust to survive but doesn’t get into details about its security measures. (Shavell provided more context in email, saying, “All data in DeleteMe is encrypted at rest,” after noting that the company requires all employees to secure their accounts with two-step verification and is subjecting itself to an “SOC 2” outside security audit.)
4. Try Google’s information-removal feature
Some sites may go beyond offering your basic contact info. If you encounter sites that include sensitive financial or medical data points, expose personal information in order to dox you, or demand payment in order to remove personal info, you can avail yourself of Google’s information-removal policy.
Note that this is not as sweeping as the results-removal options Google provides in the European Union to comply with the EU’s “right to be forgotten” — which as of June 1st had led to more than 1.7 million pages being delisted. Google did not say how many pages had been delisted in the US under the narrower American policy.
In an April 19th blog post, Danny Sullivan, Google’s public liaison for search, noted that while Google will let people request to be de-linked from pages with their data on sites with “exploitative removal policies,” it will not de-index those sites completely in case “people may want to access these sites to find potentially useful information or understand their policies and practices.”
Microsoft’s Bing provides a similar results-removal option.
5. Scrub your social media profiles
Only some of the data wellsprings that flow into data-broker databases — or are otherwise open for the inspection of strangers — allow any sort of feasible oversight. But a great deal of information about you can be gleaned from your social media profiles, and you have some degree of control over your privacy there.
What you can do
- Facebook’s option to view your profile as a stranger yields valuable insights about your attack surface. (To do that: go to your profile page, click on the three dots to the right of “Edit Profile,” and select “View As.”) However, the most important data-minimization steps to take on the social network are more basic. First, don’t include your street address or your phone number. Second, while you may want to list your birthday to soak in those “HBD!” messages from friends, you don’t need to add the year of your birth. (If Facebook insists that you enter a year, make sure it’s restricted so only you can see it.)
- The same goes for LinkedIn and Twitter. That said, since those networks often function more as outward-facing ads for people’s personal brands, you may want to think more about which publicity-safe details you’d like to list there. Neither needs your birthday, and whatever email address you post in your profile on either network had better be one you would be comfortable seeing splashed on TV.
- Having a separate “work” or “public” email address will let you reserve a safer one for friends and family, at the cost of a little more complexity in your communications. (More about that later.)
6. Check your WHOIS profile
If you’ve registered a personal domain name, you should do a WHOIS lookup to see if your home address or phone number appears in the record for your domain.
What you can do
- While you do have to provide your registrar with contact information so interested parties can reach you, you don’t have to make this public; any good registrar should offer domain-privacy options that will display that company’s contact info instead of yours, and that should not come at extra cost.
- This is another area where a separate address and / or phone number might help.
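One way to run that check on your own domain's record, as an added example that is not part of the original article: the function below takes the text of a WHOIS record and lists the personal contact fields that are still published in the clear. The redaction markers, field names, and both sample records are assumptions constructed for illustration; registrars word these differently.

```python
import re

# Substrings that usually mean a field is masked by a privacy or proxy service.
# Assumed list: registrars word this differently, so extend it for yours.
REDACTION_MARKERS = ("redacted", "privacy", "proxy", "not disclosed", "withheld")
ROLES = ("registrant", "admin", "tech")
PERSONAL_FIELDS = ("name", "street", "city", "postal code", "phone", "email")
LINE_RE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")

def exposed_fields(whois_text):
    """Return {field: value} for personal contact fields that are not masked."""
    exposed = {}
    for line in whois_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        key, value = match.groups()
        parts = key.lower().split(None, 1)
        if len(parts) != 2 or parts[0] not in ROLES or parts[1] not in PERSONAL_FIELDS:
            continue
        if not value or value.lower().startswith(("http://", "https://")):
            continue  # empty, or a registrar contact form rather than your address
        if any(marker in value.lower() for marker in REDACTION_MARKERS):
            continue
        exposed[key] = value
    return exposed

# Constructed sample records (not real WHOIS output for any domain).
SAMPLE_PUBLIC = """\
Domain Name: example.com
Registrar: Example Registrar, Inc.
Registrant Name: Jane Doe
Registrant Street: 123 Example St
Registrant State/Province: CA
Registrant Phone: +1.5555550100
Registrant Email: jane@example.com
"""
SAMPLE_PRIVATE = """\
Domain Name: example.com
Registrant Name: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant State/Province: CA
Registrant Phone: REDACTED FOR PRIVACY
Registrant Email: https://registrar.example/contact-form
"""

if __name__ == "__main__":
    for label, record in (("public", SAMPLE_PUBLIC), ("private", SAMPLE_PRIVATE)):
        print(label, exposed_fields(record))
```

An empty result means the record shows only the registrar's or privacy service's details; anything it returns is a field to mask or swap for your public-facing address or number.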
7. Voter rolls are different
A different kind of registration, however, requires your home address and offers no custom privacy options: your voter registration.
Voter rolls are available to political parties and, in many cases, to the general public — and foreign hackers have helped themselves to this data too. You can also usually look up an individual’s voter registration status on a state’s website if you provide additional personal data. For some states, you may only need to enter a birth date, while others require a partial Social Security number, driver’s license, or other government ID number.
Wonder where all those candidates get your phone number from? That’s where. And this can lead to situations like the one where an automated Twitter account regularly released data on people who donated to Trump using Federal Election Commission records. (The account, @EveryTrumpDonor, has since been suspended.)
A list maintained by the National Conference of State Legislatures spells out what information is included and what is kept out of the voter file, as well as which states maintain “address confidentiality programs” that let threatened voters keep their contact details private. The catch here is that if this option is available at all, it requires you to have been a victim of threats first — see, for instance, the criteria for California’s Safe at Home program.
What you can do
- Work to reduce the visibility of whatever metadata your state requires from someone looking up your voting information. One point that privacy advocates repeatedly make is that things won’t get better without stronger privacy rules, and those won’t happen if privacy-conscious people opt out of democracy.
8. Put safe-for-publicity data out there
To a certain extent, managing your privacy online is not so much a matter of starving search sites, but of giving them the diet of your choice. As I mentioned above, it’s not a bad idea to get a separate address and / or phone number for sites where this information is more likely to be collected.
What you can do
- In addition to having a safe-for-inadvertent-publicity email address, getting a separate virtual phone number — with call forwarding that you can disable if necessary — will allow you to post those digits without worrying that your personal cellphone will get besieged by harassing texts or emails. Google Voice is helpful for setting up your virtual digits (even if its software could use an update) because it’s simple to add to an existing Gmail account.
- A US Postal Service PO box remains a simple, affordable way to generate a mailing address independent of where you live. Rates vary by box size and the location and hours of the post office. For example, even the smaller boxes at USPS locations in Washington, DC, can run from $92 to $176 a year. (You can also find PO boxes in shipping stores for possibly better rates.) You don’t need to make a habit of checking that box if you set up the USPS’ Informed Delivery service to tip you off when mail arrives at your box.
- When you register for a less-than-trustworthy site, you may want to provide incorrect information, like a false birthdate. Wu’s advice: “Any chance you get, pollute the information out there about you if it’s not useful, if it’s not relevant, to you getting what you want.”
9. Use two-factor authentication
The single most valuable data point out there may be your mobile phone number. Aside from the risk of abusive texts or calls, texting has become a common verification method for online accounts when their systems notice an unusual login. That’s led to a plague of SIM swap attacks, in which crooks fool or bribe wireless carrier employees into transferring mobile numbers to their control — and then use that to complete password resets and account takeovers.
So your last item on this privacy checklist involves going through the two-factor authentication settings on any accounts you value — starting with your email and social-media accounts — to replace texting with a verification method that can’t be socially engineered out of your hands.
What you can do
- The single safest form of 2FA is a USB security key, a special USB dongle that you cryptographically associate with an account and then plug into a computer (or, with newer models, pair to a phone via NFC wireless) to confirm a new login there. Because it’s already been digitally paired with that site address, it can’t be fooled by a lookalike phishing site. They aren’t free — basic, USB-only models start at $20 or so — but you can use one with multiple accounts.
- Using an app that generates one-time codes, like Google Authenticator or Authy, is your next-best option, now available at pretty much every email and social service of any value.
- If you must use a phone number, make it a virtual one because the companies that provide them, Google included, generally don’t have in-person customer service that crooks can con.
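Why a security key's pairing with the site address defeats a lookalike page, shown as an added example that is not part of the original article. It is a simplified model loosely based on how WebAuthn binds a response to the site's origin: an HMAC over a shared secret stands in for the public-key signature real keys use, and the class, function, and host names are hypothetical.

```python
import hashlib
import hmac
import json
import os

class ToySecurityKey:
    """Hypothetical model of a security key: one secret per paired site."""
    def __init__(self):
        self._secrets = {}

    def pair(self, host):
        # Real keys hand the site a public key; a shared secret stands in here.
        self._secrets[host] = os.urandom(32)
        return self._secrets[host]

    def sign(self, browser_host, challenge):
        # The browser reports the host actually loaded, not what the page claims.
        secret = self._secrets.get(browser_host)
        if secret is None:
            return None  # never paired with this host: nothing to sign with
        client_data = json.dumps({"origin": browser_host, "challenge": challenge.hex()}).encode()
        return client_data, _tag(secret, browser_host, client_data)

def _tag(secret, host, client_data):
    msg = hashlib.sha256(host.encode()).digest() + hashlib.sha256(client_data).digest()
    return hmac.new(secret, msg, hashlib.sha256).digest()

def site_accepts(host, secret, challenge, response):
    """Server-side check: right origin, right challenge, valid tag."""
    if response is None:
        return False
    client_data, tag = response
    fields = json.loads(client_data)
    if fields["origin"] != host or fields["challenge"] != challenge.hex():
        return False
    return hmac.compare_digest(tag, _tag(secret, host, client_data))

def demo():
    real, fake = "accounts.example", "accounts-example.test"  # constructed hosts
    key = ToySecurityKey()
    secret = key.pair(real)
    challenge = os.urandom(16)
    genuine = site_accepts(real, secret, challenge, key.sign(real, challenge))
    # Lookalike page the key was never paired with: it has nothing to offer.
    unpaired = site_accepts(real, secret, challenge, key.sign(fake, challenge))
    # Key paired with the lookalike too: its response names the wrong origin.
    key.pair(fake)
    relayed = site_accepts(real, secret, challenge, key.sign(fake, challenge))
    return genuine, unpaired, relayed
```

A texted or app-generated code carries no such binding to the address it is typed into, which is why the key ranks first in the list above.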
10. Remember: this is an ongoing process
Can you hoist a “Mission Accomplished” banner at this point? Absolutely not. The reality here, online privacy advocates agree, is that this work never ends. This is basically an operating cost of having an online life.