Online Privacy: Hiding from the Data Brokers
Privacy Online (and everywhere) is increasingly becoming a battle. Here I show you some tips, tricks and tools you can use to start regaining yours.
I have always been wary of installing apps on my smartphone, and have never allowed such things as Facebook (let alone Facebook Messenger) anywhere near it, nor any banking apps. I restrict my use of those services to an isolated instance on my desktop, where I can carefully curate their experience to protect my privacy. And the same goes for anything else I use too (e.g. TikTok), although some things (such as Snapchat and Omegle/OmeTV) I have never felt the urge to use in any manner.
One of the few apps I have reluctantly allowed on my smartphone is WhatsApp, but I have taken steps to ensure that Meta can never link it to my Facebook account, and the majority of my private messaging takes place over Signal anyway (because since Meta’s involvement, I consider WhatsApp only one step removed from public broadcast).
Facebook has never had a photo of my face, and nor have any of the other “social” platforms, only LinkedIn and Substack which I consider more “professional”. People attempting to tag me in Facebook photos has been an occasional issue, and while I obviously have things set to ensure that’s not allowed, that doesn’t stop Facebook rolling out changes to permissions. Luckily I have very little use for Facebook and only log on briefly every couple of months, and I rarely talk to anybody on there.
The mega-platforms such as Amazon and eBay are huge risks of course, because they harvest vast amounts of data to resell to data brokers, so you really want to keep those accounts as isolated as you possibly can.
If you want to know how much any of the platforms I have mentioned above know about you, make a Subject Access Request (SAR). And then consider what could happen if any company that has your data suffers a hack and your data is lost!
In addition to the above, which is all theoretically “secure” with various companies and the data brokers they sell it to, I have always been very mindful of the risk of Open Source Intelligence (OSINT) being used to harvest data from countless other sources, and someday I may write a series of articles about some of the tools and techniques that exist to assist that activity.
And of course once harvested there are hundreds of data brokers that will combine the data with further sources to form an even more detailed profile on you, and then sell it to anybody and everybody who is prepared to pay. Ethics and morality never enter the equation where your privacy is concerned.
And because I believe that…
Privacy is not about having something to hide,
it’s about making a conscious and informed decision about what I wish to share,
including an understanding of how it may later be used and by whom.
…that’s not something I’m happy about.
Add the increased risk of IoT devices, and the problem gets worse still. I know there are no IoT devices in my home with Wi-Fi access (that’s easy to stop just by not granting access!) but as manufacturers are now starting to roll out white goods with SIMs that use 5G, which is difficult if not impossible to block (especially in a manner that is both convenient and legal), the threat model is changing. And it’s not in the favour of those who value their privacy, who are increasingly under attack.
I have therefore decided it’s time to ramp up my own online privacy, and it’s a journey that I will be taking you, the reader, on with me. If you wish you can follow along and improve your own privacy as you go. If you wish to, I recommend you Subscribe Now.
Linking Accounts Across Platforms
The first thing to do is make it harder for data brokers to link accounts across platforms. The easiest way for them to do this is via email address and/or smartphone number, both of which are globally unique identifiers.
Email
The risk of linking via email has never been a problem for me as I use Proton Pass which allows me to generate a unique email alias for every website I use along the lines of:
<website name>.<random word><random number>@<proton alias domain>
Where:
<website name> will be the website you require an alias for e.g. substack, ebay, facebook, instagram, linkedin, amazon etc.
<random word> will be any word selected from the dictionary e.g. affirm, cauterize, educated, radiated, zealot
<random number> will be any three digit number from 001 to 999
<proton alias domain> will be one of passmail.net, passmail.com, passinbox.com, passfwd.com
So example email aliases may look like:
substack.affirm731@passinbox.com
ebay.cauterize456@passfwd.com
facebook.scammed911
These could be my email aliases for Substack, Ebay and Facebook respectively (they’re not, obviously). And whenever I shop online, or subscribe to a newsletter, it takes just seconds for me to create a new and unique email alias for that website.
If you don’t already have Proton Pass then I highly recommend it. You can sign up for a month’s free trial of all Proton Services by using this link. I did this a long time ago.
Another advantage of using email aliases is that if there is a data leak and that address is compromised (something that Proton scans the dark web for and will notify you if it happens) it’s the work of a moment to disable that email alias and generate another. So…
Never give out your real email address, always use an email alias
Password & Phone Number
You then also want to avoid using your phone number for 2FA on these platforms if possible as it clearly ties them together for the data brokers, and instead look at using a security key for 2FA. You should also create a secure pass phrase (as opposed to a short password) with at least three words (mixed upper and lower case), a number and a special character.
e.g. GreedyKenAte24CakesYesterday! or MargaretThatcherWas150%HotIn1979:) which (at 29 and 34 characters respectively) are both easy to remember and hard to brute force crack (billions of years with the technology currently available to most hackers - but that may change within a few years).
However…
It’s very important not to use the same password on more than one website
…because when a data breach occurs it’s normal for the hackers to store every unique password they steal in a list, which can then be used for a dictionary attack on other websites. Password dictionaries are routinely sold on the dark web, and sometimes freely available on the indexed web. This means that even if you are using a different email address on another website, your 34 character password could still be vulnerable if you use it elsewhere and it gets stolen.
So you’ll need a password manager. Again, I recommend you take a look at Proton Pass and maybe sign up for a month’s free trial of all Proton Services by using this link.
And when I order something online, I never provide the seller with my phone number. They can always contact me via the email alias I gave them if they have a query, or to send me tracking info.
The exception is of course Amazon and eBay who demand that you provide a phone number to use their platforms. For this problem I have a simple phone (a Nokia 105, cost new £20) with two SIMs on the cheapest tariffs available, one for each platform. Its sole role is to receive SMS from them, and to protect my privacy by ensuring the accounts cannot be linked. The phone itself gets so little use (just the occasional SMS) that it easily lasts a month between charges, and the design allows for the battery to be removed (so you don’t need a Faraday bag). You could of course use VOIP mobile numbers if you prefer. I also use a different credit card on each of Amazon and eBay, which I’ll cover later.
TIP: If you’re young and just starting out in the world then keep a dedicated mobile number (and email address) for all your interactions with government, because that will make it far harder for them to tie you to the data they buy from data brokers. To learn more about why this matters, read this post:
User Name / ID
As with email and phone number you should always use a unique username on every website, especially if you have an unusual name.
For example, if Esmerelda Goodhand-Hughes uses her real name on LinkedIn, Facebook and Substack it won’t take a genius to link those accounts together, along with anywhere else that she appears e.g. in the presenters list for a training course, finishing a marathon, commenting on a flower arranging forum, peer-reviewing a professional paper, a mention in her local paper, or (most unhelpfully) on her employer’s website as a team member.
Jane Doe, John Smith and Joe Bloggs are more likely to get away with such indiscretions as their names are far more common, but still not impossible to link cross-platform. And the rapid rise of AI is likely to make it much easier for data brokers to do this. So if possible pick a unique username for every platform you use.
There are of course obvious exceptions, and in my case I came to Substack via LinkedIn…
When I created my account on LinkedIn 25 years ago data harvesting was not the global problem it is now, and the biggest problem was finding colleagues to connect with and discuss professional topics. So we all used our real names, and that helped to generate business which (at least from the perspective of the unpaid content creator) was the main raison d’etre for being on the platform. And it wouldn’t have worked so well had I been called BikerBill27 or similar.
When, after 20 years of happy usage, I then got fed up with LinkedIn censoring (i.e. deleting) my posts a few years ago (when I first started to post about the plandemic, and then later exposed some shill accounts from the 77th Brigade) it made sense to create an account on Substack, post them here as the primary repository, and simply link to them from LinkedIn. There was thus a good reason to use my real name on Substack too, along with the same photo, for continuity of user experience.
However, I no longer have an account on LinkedIn, because after 25 years they deleted it (along with my career history and testimonials from 60+ satisfied clients) when I refused to provide them (specifically Persona) with my government issued ID, despite LinkedIn’s claim that:
Adding a verification is optional. You’re not required to add one to your profile.
I can only assume that I had made one “censorship worthy” post too many, and they really wanted to know exactly who I am!
Having very carefully read the T&Cs around how my ID would be handled by Persona, I decided I would rather lose my account of a quarter of a century than submit my PII to this American company which isn’t even governed by GDPR.
For now though I’ll leave my real name on Substack, but as a general rule:
Create a new and unique username on every platform you use
Photos & EXIF Data
The other obvious way to link people across websites and elsewhere is of course to use their photo.
At one time this would have been limited to humans looking at the images to see if they look the same. To an extent that disappeared when Google introduced free reverse image lookup, making it very important to use different images on every platform (unless you want them linked), even if you really do want to show your face.
But the rise of AI, and platforms such as Facebook training AI in facial recognition techniques, means that if you want privacy online it’s important to…
ensure that your face never appears anywhere.
And to that end, with immediate effect, I have just changed my Substack profile photo to this:
We’ll ignore the fact that, having been given a sneak preview, my daughter announced…
“Hey Dad, that’s obviously you, I can tell that in an instant.”
…because she’s genuinely intelligent, not just artificially, so hopefully I’ll be OK for a few years yet!
One other point on photos is that they contain a lot of hidden EXIF data which includes details of not just the camera used to take them, which can obviously be used to help link across platforms, but even the location they were taken. So if you take a photo of a flower in your garden and use that as your profile photo, you’re effectively sharing where you live with the world!
Fortunately EXIF data is easy to strip. And if you have the Signal app for instant messaging (as I do and recommend to everybody) it’s as simple as sending it to yourself and then downloading the clean (i.e. metadata-free) image to use on platform XYZ. Remember, to protect your privacy…
always strip EXIF data before uploading any photo to anywhere.
Credit Cards
If you’re shopping online it’s worth considering that your credit card company not only harvests as much data as possible about your activity, as they also do when you use the card in person, but that they then sell your data to data brokers. You may therefore wish to consider obtaining multiple credit cards, from multiple different providers, to frustrate their data harvesting and combining efforts.
Ideally you want a minimum of one credit card per phone SIM where your mobile number is to be exposed (e.g. Amazon, eBay), one for use on other ecommerce sites where you can keep your phone number private, and one for use when out and about. That’s the minimum, there’s no problem having more.
Fortunately (beyond the privacy cost of data harvesting) credit cards are often free to obtain and, provided you pay them off in full, also free to operate. If you’re in UK then the Money Saving Expert website is a good place to look for credit card deals.
Unused Accounts
You will perhaps by now begin to appreciate just how much data there is floating around about you, both available to people using OSINT to research you (on which topic, more another day), and much more still that is less readily available but still accessible to data brokers.
Some of this data may be associated with social media, ecommerce and other accounts that you no longer use or need; and as such it is nothing more than a social engineering attack surface against you, that delivers you no benefit in return.
You can often find these unused accounts by sorting emails alphabetically and then looking at the senders. If you have reasonable tech skills, and depending upon your email platform, you may be able to speed the process up by downloading the list of senders (metadata) and then writing a quick macro to reduce it to unique entries to look through.
To protect your privacy it is important to
delete all unused accounts
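One way to write the “quick macro” mentioned above, as an added Python example rather than the author's own tooling: it assumes you have exported your mailbox in mbox format, and it groups messages by sender domain with a message count, the address each sender writes to, and the date of the last message. The sample headers are constructed.

```python
import mailbox
from datetime import timezone
from email.utils import parseaddr, parsedate_to_datetime

def headers_from_mbox(path):
    """Yield (From, To, Date) header values from an mbox export."""
    for msg in mailbox.mbox(path):
        yield msg.get("From", ""), msg.get("To", ""), msg.get("Date", "")

def sender_inventory(headers):
    """Group mail by sender domain: message count, which of your addresses
    each sender writes to, and when they last wrote."""
    inventory = {}
    for from_h, to_h, date_h in headers:
        sender = parseaddr(from_h)[1].lower()
        if "@" not in sender:
            continue                       # malformed or empty From header
        entry = inventory.setdefault(
            sender.rsplit("@", 1)[1],
            {"count": 0, "sent_to": set(), "last_seen": None})
        entry["count"] += 1
        recipient = parseaddr(to_h)[1].lower()
        if recipient:
            entry["sent_to"].add(recipient)
        try:
            seen = parsedate_to_datetime(date_h)
        except (TypeError, ValueError):
            continue                       # keep the count, skip the bad date
        if seen.tzinfo is None:            # "-0000" dates parse as naive
            seen = seen.replace(tzinfo=timezone.utc)
        if entry["last_seen"] is None or seen > entry["last_seen"]:
            entry["last_seen"] = seen
    return dict(sorted(inventory.items()))  # alphabetical, as suggested above

# Constructed sample headers (not real mail).
SAMPLE = [
    ("Old Shop <news@oldshop.example>", "oldshop.radiated204@passmail.net",
     "Tue, 03 Mar 2020 09:15:00 +0000"),
    ('"Old Shop" <orders@oldshop.example>', "oldshop.radiated204@passmail.net",
     "Mon, 02 Mar 2020 08:00:00 +0000"),
    ("Forum <noreply@forum.example>", "me@home.example",
     "Fri, 10 Jan 2025 18:30:00 +0000"),
    ("garbled header", "", ""),
]

if __name__ == "__main__":
    for domain, e in sender_inventory(SAMPLE).items():
        print(domain, e["count"], sorted(e["sent_to"]), e["last_seen"])
```

A domain whose last message is years old is a candidate for deletion, and the `sent_to` column shows which alias to disable afterwards.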
Creating New Accounts
You may also wish to consider deleting some accounts that you still use and recreating them again from fresh in order to break the audit trail. You may for example wish to “publicly” (i.e. as seen by data brokers) disassociate yourself from certain free newsletters and yet still receive the content. This is usually best done by unsubscribing your old email address from the list and resubscribing your new one, because simply changing address creates an obvious link.
However when you resubscribe it’s important to understand that many other factors can be used by data brokers to try and relate your accounts, and these may include (but are by no means limited to):
IP address / location
operating system
browser
screen resolution
cookies
etc.
So as far as you reasonably can, try to ensure these are all different from the account that you deleted. There is more advice on this in the article I link below.
If you have the technical skills, and a suitably powerful laptop/desktop, you may wish to consider installing VMware and running multiple separate VMs for every persona that you wish to isolate to ensure that there is no crossing over of cookies etc. If you want to go extreme then install Qubes, or for an easy solution in Windows just create multiple local user accounts.
Next Steps
If you’ve read this far, well done. Let’s finish with a quick recap.
Action Points
Ensure that every live account you retain has a unique email alias;
Ensure that every live account you retain has a unique password;
As far as is possible, never give out your phone number, and have multiple numbers for when you must;
Remove any and all photos showing your face, and ensure that any photos you take and upload have the EXIF data stripped first;
Obtain multiple credit cards and use them alongside your phone numbers;
Delete all unused accounts;
Consider deleting accounts that are in use and creating new accounts to break the trail;
Subscribe Now to ensure you don’t miss the next article in this series!
The above should keep you going for a while, especially if you need to create an account with Proton (remember to use this link for a month’s free trial) before you can start creating email aliases.
Note that this is not a quick exercise and if it takes you a few months to work through the above that is not unusual.
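The linking risk described under “Linking Accounts Across Platforms” can be checked against your own account list. This added example (not from the original article) takes a constructed inventory with hypothetical field names (`site`, `email`, `phone`, `username`, `card`) and reports groups of accounts that share an identifier, either directly or through a chain of other accounts. It assumes identifiers are compared with spaces removed and case ignored.

```python
from collections import defaultdict

LINK_FIELDS = ("email", "phone", "username", "card")

def linkable_clusters(accounts):
    """Return [(sites, fields)] for accounts joined by shared identifiers,
    directly or through a chain of other accounts."""
    parent = {a["site"]: a["site"] for a in accounts}

    def find(site):                        # union-find root lookup
        while parent[site] != site:
            parent[site] = parent[parent[site]]
            site = parent[site]
        return site

    owners = defaultdict(list)             # (field, value) -> sites using it
    for acct in accounts:
        for field in LINK_FIELDS:
            # Assumption: spaces and letter case do not hide a match.
            value = "".join((acct.get(field) or "").split()).lower()
            if value:
                owners[(field, value)].append(acct["site"])

    reused = {key: sites for key, sites in owners.items() if len(sites) > 1}
    for sites in reused.values():          # merge every group sharing a value
        for other in sites[1:]:
            parent[find(other)] = find(sites[0])

    clusters = defaultdict(lambda: (set(), set()))
    for (field, _), sites in reused.items():
        members, fields = clusters[find(sites[0])]
        members.update(sites)
        fields.add(field)
    return sorted((sorted(m), sorted(f)) for m, f in clusters.values())

# Constructed inventory; phone numbers are from the UK range reserved for fiction.
SAMPLE = [
    {"site": "amazon", "email": "amazon.affirm101@passmail.net",
     "phone": "07700 900001", "card": "card-A"},
    {"site": "ebay", "email": "ebay.zealot202@passfwd.com",
     "phone": "07700 900002", "card": "card-B"},
    {"site": "forum", "email": "forum.educated303@passinbox.com",
     "username": "BikerBill27"},
    {"site": "video", "email": "video.radiated404@passmail.com",
     "username": "bikerbill27", "phone": "07700900003"},
    {"site": "shop", "email": "shop.affirm505@passmail.net",
     "phone": "07700 900003", "card": "card-C"},
]

if __name__ == "__main__":
    for sites, fields in linkable_clusters(SAMPLE):
        print(", ".join(sites), "linked via", ", ".join(fields))
```

In the sample, `forum` and `shop` share nothing with each other, yet both end up in one group because `video` reuses the username of one and the phone number of the other.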
Further Reading
This Substack article that I shared last year will explain to you how to search and browse in privacy, to stop search engines and browsers harvesting your data. It will also teach you a little about DNS, which is one way in which your ISP harvests your data to sell to data brokers.
Internet Searching & Browsing In (almost) Total Privacy
Let’s start the series with something that most people do a lot of, and leak almost unimaginable amounts of personal data in the process: running search queries and surfing the internet. Much of that data leakage is quite easy to resolve, and that’s what we’ll look at in this article.
I look forward to seeing you for the next article in this series.





It’s almost become a full time job ensuring our privacy. Great tips! I’ve saved the article, obviously have a lot to do on my part..