OFFLINE SELF: There Threat model and attack surface are two important ideas in information security.
Another way to ask, “Who’s out to get you?” is to use the term “threat model.” If your threat model includes nation-state intelligence services’ curiosity, you have a lot more to be concerned about than J. Random User. It’s more likely that expressing a different point of view on social media will turn you into yet another unwitting Twitter main character, or that a chance remark by someone else will bring you to the notice of the internet’s trolls.
The term “attack surface” refers to a target’s weak access points that an attacker will try to exploit. It’s practically difficult to reduce your attack surface to zero on the internet – you’ll never be able to do it without going into witness protection. The purpose of this essay is to assist you in reducing the size of your attack surface as much as feasible.
Attempting to remove your offline coordinates from the internet world can feel a lot like counting cicadas during their every-17-years emergence: you can start, but you’ll never complete.
However, this does not imply that quitting up is the best option. You can make data points like your street address, phone number, and birthday less accessible online — and hence less vulnerable to harassment or identity theft — with a little effort.
This practice will also remind you — as unpleasant as the outcomes may be — of exactly how much personal information about you floats around the internet. It may also prompt you to reconsider how you want to present yourself online in the results of a stranger’s search.
1. DOX YOURSELF BEFORE OTHER PEOPLE DO
Brianna Wu, a Massachusetts game developer who was one of the more public targets of the Gamergate harassment campaign and has since become a champion for better online privacy, says, “I can tell you the cheapness and availability of the information you can acquire about anyone online will shock you.”
In some states, for example, you can find up someone’s voter registration by supplying their name and date of birth. If they own a home, you can enter their address into their county or city’s property-tax assessments page to find out how much they paid for it and how much it’s worth now.
Other sources include social media sites like Facebook and LinkedIn, your WHOIS profile, and any other information that may be circulating. Once this data is available, data brokers can mine and merge public and private records, then sell the results for a low fee – or even for free.
WHAT CAN YOU DO:
1 This is possibly the most unpleasant step: Search for your name and street address, name and phone number, name and birthday, and name and last four digits of your Social Security number in an incognito window in your browser (so Google or any other search engine shows what a stranger would see).
2 Keep in mind that while each data piece may not appear to pose a significant privacy concern on its own when combined, they can provide access to a variety of other databases.
2. OPT OUT WHERE YOU CAN
Your search will almost certainly return a list of people-finding websites like Spokeo, Intelius, and Whitepages, which offer up the output of data brokers who collect and fuse data from private and public sources.
When you browse through the search results, you’ll notice that the majority of them fall into the “not great, but not dreadful” category. Keep track of which sites claim to have your data and go as far as you can (without paying) to see how much data they claim to have.
WHAT CAN YOU DO?
1 First, you must locate all of the sites you need to investigate — as well as how to contact them if they have your information. Service for removing data DeleteMe has a list of opt-out instructions for dozens of data brokers; in one case I examined, DeleteMe offered more accurate instructions on how to remove your data than the third-party provider itself.
2 Reputable people-finding websites provide free opt-outs with varying levels of functionality. I only had to identify my listing, input my email address, and click a link in the message I received at Spokeo and BeenVerified. Instead of simply clicking a link, I had to enter a code supplied to my email at the data broker Intelius, the back end of many people-finding websites.
3 Others make it much more difficult. The “suppression request” mechanism, for example, at Whitepages, asks you to submit a phone number for an automated call. Non-California residents should phone or email MyLife; California residents, on the other hand, can use the California Consumer Privacy Act’s opt-out.
4 Some of your information may be outdated or erroneous. It’s up to you if you want to go to the trouble of erasing it in that scenario.
3. WATCH OUT FOR REPEAT OFFENDERS
Be careful that opting out once does not guarantee that you will remain opted out in the future. Back in 2014, I opted out of a Spokeo listing, only to have to do it again for this tale. This sector functions like a self-licking ice cream cone because data brokers and people-finding sites constantly ingest data from public and private sources.
Soraya Chemaly, a writer and activist who has both studied and been the target of online harassment, described it as “a game of whack-a-mole.”
In an email, Rob Shavell, CEO of Abine, the Somerville, Massachusetts-based firm behind DeleteMe, revealed that 6 months after their data was deleted, 43 percent of DeleteMe clients had part of their data resurface at one or more data brokers.
WHAT CAN YOU DO?
1 Checkup with the main data brokers every six months, if you have the time and motivation, to make sure your information is still of their sites.
2 If you don’t have the time but have the money, DeleteMe will erase your information from the sites and keep track of any modifications. It costs $129 per year to use this service (but often posts coupon codes for 20 percent off). Customers must trust DeleteMe with the same personal information they want to disappear from the internet under that business model. The company’s website says the correct things about how it relies on consumer trust to stay in business, but it doesn’t go into detail about its security procedures. (In an email, Shavell clarified, “All data in DeleteMe is encrypted at rest,” after noting that the company requires all employees to secure their accounts with two-step verification and is undergoing a “SOC 2” external security evaluation.)
4. TRY GOOGLE’S INFORMATION-REMOVAL FEATURE
Some websites may go beyond simply providing your contact information. You can use Google’s information-removal policy if you come across sites that feature sensitive financial or medical data, reveal personal information in order to dox you, or demand payment to delete personal information.
It’s worth noting that this isn’t as extensive as the results-removal options Google offers in the European Union to comply with the EU’s “right to be forgotten,” which has resulted in the removal of over 1.7 million pages as of June 1st. Google did not indicate how many pages were delisted in the United States as a result of the stricter American policy.
While Google will let people request to be de-linked from pages with their data on sites with “exploitative removal policies,” Danny Sullivan, Google’s public liaison for search, noted in a blog post on April 19th that “people may want to access these sites to find potentially useful information or understand their policies and practices,” it will not de-index those sites completely.
Bing, Microsoft’s search engine, has a similar option for removing results.
5. SCRUB YOUR SOCIAL MEDIA PROFILES
Only a few of the data wellsprings that flow into data-broker databases — or are otherwise available to strangers’ examination — allow for any kind of monitoring. Your social media profiles, on the other hand, can reveal a lot about you, and you do have some control over your privacy there.
WHAT CAN YOU DO?
1 The option to see your profile as a stranger on Facebook provides useful information about your attack surface. (To do so, go to your profile page and pick “View As” from the three dots to the right of “Edit Profile.”) The most crucial data-minimization actions to take on the social network, on the other hand, are more fundamental. To begin, leave out your street address and phone number. Second, while you may wish to include your birthday in order to receive “HBD!” texts from pals, you do not need to include your birth year. (If Facebook insists on a year, make sure it’s locked down so that only you can see it.)
2 LinkedIn and Twitter are in the same boat. However, because those networks are frequently used as outward-facing advertisements for people’s own brands, you may want to consider which publicity-safe data you’d like to include there. Neither network requires your birthday, and whatever email address you enter in your profile on either network must be one that you are fine with being broadcast on television.
3 Having a separate “business” or “public” email account allows you to save a more secure one for friends and family, at the cost of a bit more complication in your conversations. (I’ll get to that later.)
6. CHECK YOUR WHOIS PROFILE
If you’ve registered a personal domain name, you should check the WHOIS database to determine if your home address or phone number is shown.
WHAT CAN YOU DO?
1 While you must provide your registrar with contact information so that interested parties can contact you, you do not have to make this information public; any good registrar should offer domain-privacy choices that display that company’s contact information instead of yours at no additional cost.
2 This is another instance where having a distinct location and/or phone number may be beneficial.
7. VOTER ROLLS ARE DIFFERENT
A separate type of registration, on the other hand, requires your home address and does not allow you to customize your privacy settings: voter registration.
Political parties and, in many circumstances, the general public have access to voter rolls, and foreign hackers have taken use of this information. If you give further personal information, you can typically find up an individual’s voter registration status on a state’s website. You may simply need to give your birth date in some states, while others will ask for a partial Social Security number, driver’s license number, or another official ID number.
I’m curious as to where all those candidates obtain your phone number. That’s the location. And this can lead to situations like the one in which an automated Twitter account posted data about Trump donors based on Federal Election Commission records on a regular basis. (Since then, the account @EveryTrumpDonor has been suspended.)
The National Conference of State Legislatures maintains a list that explains what information is included in the voter file and what information is excluded, as well as whether states have “address confidentiality programs” that allow threatened voters to keep their contact information private. The hitch is that, if this option is accessible at all, you must first have been a victim of a threat – see, for example, the Safe at Home program in California.
WHAT YOU CAN DO
1 Work to make any metadata your state wants from someone looking up your vote information less visible. One point made repeatedly by privacy supporters is that things will not improve unless tighter privacy standards are enacted, which will not happen if privacy-conscious people opt out of democracy.
8. PUT SAFE-FOR-PUBLICITY DATA OUT THERE
To some sense, protecting your online privacy isn’t so much about starving search engines as it is about feeding them the cuisine of your choice. As I previously stated, having a different address and/or phone number for sites where this information is more likely to be collected is a good idea.
WHAT YOU CAN DO
1 In addition to having a safe-for-inadvertent-publicity email address, acquiring a separate virtual phone number — with call forwarding that you can turn off if necessary — will allow you to broadcast those numbers without fear of abusive texts or emails being sent to your own mobile. Because it’s simple to add to an existing Gmail account, Google Voice is useful for setting up your virtual digits (even though its software could stand an upgrade).
2 A PO box from the US Postal Service is still an easy and economical option to get a postal address regardless of where you live. The cost of a letterbox varies depending on the size of the box and the location and hours of the post office. Even smaller boxes at USPS sites in Washington, DC, for example, can cost anywhere from $92 to $176 per year. (For possible better rates, you can also find PO boxes in shipping stores.) If you set up the USPS’ Informed Delivery service to notify you when mail arrives at your box, you won’t have to check it as often.
3 You may want to submit bogus information, such as a false birthdate while registering for a less-than-trustworthy site. “Any time you have, pollute the information out there about you if it isn’t valuable if it isn’t related to you attaining what you want,” Wu advises.
9. USE TWO-FACTOR AUTHENTICATION
Your cell phone number may be the most significant piece of information you have. Apart from the dangers of receiving abusive texts or phone calls, messaging has become a popular technique of verifying internet accounts when their systems detect an odd login. This has resulted in an uptick in SIM swap assaults, in which criminals dupe or bribe wireless carrier staff into transferring mobile phones to their control, which they then use to reset passwords and take over accounts.
To replace texting with a verification technique that can’t be socially engineered out of your hands, go through the two-factor authentication settings on any accounts you value — starting with your email and social-media accounts — as the last item on your privacy checklist.
WHAT CAN YOU DO?
1 A USB security key, a unique USB device that you cryptographically associate with an account and then insert into a computer (or, with newer models, pair to a phone through NFC wireless) to authenticate a new login there, is the single safest method of 2FA. It can’t be deceived by a copycat phishing site because it’s already digitally linked to that address. They aren’t cheap — basic, USB-only devices start about $20 — but you can use them to manage several accounts.
2 The next best alternative is to use an app that produces one-time codes, such as Google Authenticator or Authy, which are now accessible at almost every email and social service worth using.
3 If you must use a phone number, choose a virtual one because most companies that provide them, including Google, do not provide in-person customer service that fraudsters can take advantage of.
10. REMEMBER: THIS IS AN ONGOING PROCESS
At this point, can you hoist a “Mission Accomplished” banner? Certainly not. The fact, as far as online privacy advocates are concerned, is that this task will never be completed. This is essentially the cost of doing business online.