The first pillar of online privacy is discretion. Curb your unhealthy impulse to share personal information, whether it be related to your routine activities or sensitive data that could potentially compromise your privacy.

Silence is golden.

• Scrutinize the information displayed on your social media profiles. If necessary, edit or remove any sensitive details.
• Ensure that none of this information is connected to your account security questions or passwords.
• Regularly update yourself with the latest security and privacy settings. Apply these updates whenever available.
• Restrict the visibility of your profile and posts to a select group of trusted individuals.

As the adage by Nicholas I Pavlovich, Tsar of Imperial Russia, suggests, adversaries may collect diverse information from a variety of sources to gain insights into your activities, capabilities, and intentions.

I have no need for spies. I have The Times.

Apart from social media, there is plenty of other sources of information an adversary can leverage to draw conclusions about your capabilities, activities, or intentions:

• Observation of your activities to discern patterns.
• Online data extracted from social media, web pages, blogs, and chat groups.
• Intercepted unsecured communications.
• Information obtained from observers, spies, or other agents.
• Discarded documents and waste materials.
• Movements tracked utilizing geolocation data from your social media posts and spyware on your devices.
• Search engines: Using keywords and phrases associated with your name can assist in locating your information on the internet.
• Background check websites: Services such as Intelius and TruthFinder offer paid facilities to search for individuals' personal information.
• Data brokers: Companies specializing in collecting and selling individuals' personal information.
• Public records: These records can provide insights into your legal and financial history.

Being mindful of your digital footprint is essential. Always assume you are under observation and take proactive steps to limit the amount of true personal information you expose. What seems secure today may not remain so in the future. Therefore, being prepared for potential leaks is crucial.

Misinformation is a defensive strategy that involves intentionally spreading misinformation about yourself online. By strategically sharing misleading details, you decrease the ratio of accurate personal information (the signal) to false or irrelevant information (the noise). This makes it more difficult for potential attackers to piece together a true profile of you, hindering their efforts.

Putting a twist on one of the military deception maxims, “Jones’ Dilemma,” the 1988 Army Field Manual 90-2, Battlefield Deception states

The greater the collection capability an opponent has, the greater the opportunity to feed him specifically designed false information.

To make the attacker doubt their own actions and second-guess their attempts to access your information, you use confusion and uncertainty to make the situation more complex and difficult to navigate. For example, you could create multiple dummy accounts and fake profiles, and share different pieces of false or outdated information through each one. This can make it more difficult for the attacker to determine which information is real and which is fake, and can create confusion and uncertainty that makes the attacker less likely to continue their attempts to access your information.

Faking Personal Details You can use fake data generators to fill in any personal information fields that services ask for as long as they are not essential to the functionality of the service. E.g. often, you can specify your real name, age, and gender on the forums. Use different fake information for each of your accounts. To make it even more confusing you can use fake information combined with tiny bits of real information, e.g. use your real name but then a fake date of birth.

Temporal Dissonance Post content at times that don't align with your actual timezone or typical online hours. This dissonance can throw off attempts to correlate accounts based on activity patterns. Automated scheduling tools can help manage this irregular posting strategy without requiring you to be online at odd hours.

Misleading Metadata When sharing digital artifacts, intentionally alter metadata (such as geotags, timestamps, and camera details) to mislead about when, where, and how a photo or document was created. Tools that manipulate metadata can help in crafting these digital red herrings.

Interests Smokescreen Occasionally express interests in topics completely outside your actual preferences. For example, if your genuine interest lies in technology, sporadically post about gardening or fashion. This not only adds noise but can create a misleading pattern of interests that further complicates profiling efforts.

Manipulated Digital Artifacts Share photos, videos, or documents that have been digitally altered to misrepresent your activities and locations. With the sophistication of current editing tools, it's possible to create convincing artifacts that serve to mislead anyone attempting to construct a coherent profile based on your shared media. When creating fake affiliations, don't explicitly put any real names into your posts to avoid ethical issues.

Ethical Considerations The techniques above were selected to reduce the potential harm of obfuscating your identity. The core principle is to be deceptive to adversaries, but plausibly ethical to everyone else. No one will blame you for a bit of obfuscation to preserve your own privacy.

Decorrelation is the process of separating or unlinking two or more identities. This is done to prevent an attacker from linking multiple identities together. For example, if an attacker is able to link your social media account to your email account, they can use this information to compromise your email account. This is because many online services use email addresses as a form of identification. If an attacker is able to compromise your email account, they can use this to gain access to other online accounts that use your email address as a form of identification. This is known as a "chain of compromise". To prevent this, it's important to use different identities for different online platforms. This makes it difficult for an attacker to link multiple identities together.

An attacker may also connect multiple different accounts across different platforms based on account metadata, such as:

• Usernames
• Emails
• Profile pictures
• Real names
• Personal details
• Friends
• Phone numbers
• IP addresses
• Browser fingerprints
• Device fingerprints
• Geolocation

To ensure your digital footprint remains secure, it's crucial to decorrelate, or separate, your online personas. This involves creating distinct identities for different online spaces, thereby making it more challenging for potential attackers to find a common thread that links all your online accounts. By decorrelating, you sow confusion and uncertainty.

Custom Email Addresses for Each Service: Instead of using a single email for all registrations, use a unique email address for each online service. GMail allows creating multiple emails per single phone number.

Unknown tag: note-block

Contradictory Digital Footprints Across different platforms, use multiple digital personas that are not only separate but explicitly contradict each other in terms of demographics, interests, and behaviors. For instance, one persona could be portrayed as a tech enthusiast in a particular country, while another shows interest in classical arts from an entirely different region. This not only confuses potential attackers but also challenges automated profiling algorithms.

Diverse Profile Pictures Avoid using the same profile picture across multiple platforms. Instead, opt for unique images, or better yet, use abstract images or avatars that do not reveal any personal information. Tools like AI avatar generators can create diverse, realistic images that don't trace back to you.

Selective Engagement with Content Be mindful of the content you interact with and how you interact with it. Liking, commenting, or sharing content across different personas in a similar manner can create patterns that might inadvertently link your identities.

Careful Management of Friend Lists and Connections In social media or networking platforms, avoid connecting the same group of friends or contacts across different personas. This is often an overlooked vector that can easily betray the effort to decorrelate identities.

Randomization of Security Answers When setting up security questions, do not use real answers that could link back to your true identity or be easily guessed across services. Instead, use randomized responses and store them securely in a password manager.

Unknown tag: note

Personal Detail Variations In cases where you are required to provide real information, consider how far you can bend those rules. For instance, you could use variations of your name (shortened versions, alternative spellings, etc), slightly different birth dates (keeping them plausible for age verification). You can use plausible deniability when making spelling errors or date errors by one. Such variations can make it difficult to correlate accounts based on personal information even if it is mandatory to provide such inforamtion.

Physical Address Alternatives For services that require a physical address, consider using a P.O. Box or a mail forwarding service instead of your actual address. This can prevent the correlation of accounts based on address information, especially for deliveries or services that necessitate a physical location.

Use of Privacy-Focused Browsers and Extensions (Threat Model: Advertisers & Big Tech) Leverage browsers and extensions designed to block trackers, ads, and fingerprinting techniques. These tools can significantly reduce the amount of metadata collected about you, making it harder to correlate your activities across the web.

Strategic Use of VPNs and TOR (Threat Model: Advertisers & Big Tech) To mask your IP address and geolocation, use VPNs and the TOR network strategically. Changing your apparent location regularly can disrupt attempts to correlate accounts based on IP logging.

Use of Alias Names in Voice or Video Calls When participating in voice or video calls, especially in professional settings where recording might occur, consider using an alias name. This can be particularly useful in webinars, interviews, or podcasts, where your voice or image might be shared widely.

Opposite to the decorrelation principle, toxic correlation is a strategy that deliberately connects your online personas in a way that breeds confusion and misdirection.

Username Overlap: One practical method to foster toxic correlation is by choosing usernames that are incredibly common or mimic existing accounts with high activity. Search for popular names on other platforms and adopt those for your own. This makes it exponentially harder to isolate your activity within the noise of other similar accounts. Counterintuitively, use tools designed to create a unique name^{namecheckr, nordpass-username-generator}, to create names that do not identify you uniquely.

Recycled Content: Find pre-existing posts, memes, or images that are shared by some other moderately active user on a chosen platform. Repurpose them across your accounts. An adversary who searches this seemingly unique content will be forced to establish a false link between you and another person. Copy at most one or two people from each platform, preferably choosing people with similar account names. Copying too many will result in each individual connection seeming less plausible.

Behavioral Mimicry: Alongside using similar usernames and content, mimic the posting frequency and style of the users you are blending with. If they often use specific hashtags, emojis, or slang, incorporating these into your posts can further obscure your digital footprint by aligning your behavior with theirs. However, avoid direct interactions with the accounts you're copying to prevent drawing attention to the mimicry.

Ethical Considerations Behavioral Mimicry and using Recycled Content may be perceived as unethical. It is important to respect copyright law and to use these ideas in moderation. Furthermore, linking to another person may expose them to harm in case you are being tracked down by criminals. Username Overlap, however, is arguably ethical as no one user holds a right to a particular username and it is quite common for people to have the same usernames. That being said, be mindful of your impact on the other people.

Use of Dead Drop In digital terms, a "dead drop" could be an account, document, or other online resource that you create and then abandon after seeding it with misleading information. Linked with your other usernames, these can serve as breadcrumbs leading nowhere. This is a more ethical (although less effective) version of the above techniques.

Use services like Have I Been Pwned to check if your email address or username has been involved in a data breach. If it has, consider changing your username or email address to avoid being linked to the compromised data. Furthermore, assume that if the username, emails, or passwords got leaked or stolen, that likely indicates that other data was stolen as well. Companies have a vested interest in keeping the extent of a breach secret, so it's best to assume the worst.

You have to understand and accept that you cannot undo past mistakes. Once sensitive data is disclosed or compromised, retroactive application of the rules is ineffective. Controlling access to the information becomes almost impossible once it's publicly available, containing or recalling the data is often a futile pursuit.

Communications on the digital platforms have a long lifespan and any information shared online could potentially be available indefinitely. Even if you delete a post or a comment, there might be replicas of it stored elsewhere on the internet. Hence, always ponder over the long-term ramifications before sharing any information.

But not all is lost! In the next couple sections we will outline some techniques that will help you reduce the impact of privacy violations. The information may be out there, but we still have plenty of ways to confuse and disorient any adversaries trying to make sense of it.

One effective approach to reducing the signal-to-noise ratio is to eliminate your digital information. Rather than trying to clean up old social media accounts, consider deleting them entirely.

Privacy Provisions Make the most of privacy provisions like the General Data Protection Regulation (GDPR) to delete your information in a (hopefully) unrecoverable manner. Additionally, stay aware of other relevant privacy regulations like the California Consumer Privacy Act (CCPA) in the United States or Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), which can help in mitigating personal information exposure.

These privacy provisions can be weaponized against deceptive companies that do not explicitly allow account deletion. As long as they operate in a jurisdiction where one of the provisions applies, use them to your advantage.

Adversaries may use web archives to correlate your old information with new data, but some adversaries are insufficiently sophisticated to do that. A partial solution is better than none.

After deleting your online account, it can be beneficial to wait awhile before creating a new one with the exact same username. Once you do create a new account, add plausible but misleading information to the account. Tying this new account to someone else's online identity can further increase confusion and complicate any attempts to track your online activities through your username. An adversary will search for your username and stumble upon a decoy account first, reducing the probability of them checking the web archival services.

To add another layer of protection, explicitly archive the decoy version of the profile to make sure that the most recent archived results are fake.