If you're like most people in the 21st century, your digital footprint is constantly growing. This makes you vulnerable to risks like identity theft and doxing. This document will provide you with some practical techniques to protect yourself.
The key idea throughout this document will be to increase the signal-to-noise ratio by reducing the amount of signal (i.e., reducing the amount of true personal information shared online) and increasing the amount of noise (i.e., sharing irrelevant or misleading information). You want to image the hacker/analyst/stalker investigating you being drowned in a vast chan of misleading clues and finding nothing of value.
Strategies to decrease the signal-to-noise ratio:
- Reduce the amount of useful information shared online.
- Intentionally share misleading or irrelevant information.
- Use different identities for different online platforms (decorrelation).
In the document we will also use a concept of a threat model. A threat model for our purposes is a hypothetical adversary who is trying to gather information about you. This adversary could be a stalker, a hacker, an advertising agency, a big tech company, or a government agency (foreign or otherwise). Different adversaries have different capabilities, different granularities of analysis (a stalker is interested in you personally, while an advertising company is interested in you as a member of a demographic), and different goals.
Our default threat model are stalkers (including criminals) and private investigators, but we will also consider other adversaries in some sections.
1. Security through Silence (Signal :arrow_down:)
The first pillar of online privacy is discretion. Curb your unhealthy impulse to share personal information, whether it be related to your routine activities or sensitive data that could potentially compromise your privacy.
Silence is golden.
- In silence deep, where secrets lie,
- Your treasures rest, beneath the sky.
- No prying eyes, no grasping hand,
- Your mysteries in shadow stand.
- But whispers spread on careless wings,
- And unseen eyes glean precious things.
- The web entangles, secrets bare,
- What once was hidden, now laid bare.
- Let silence guard your precious store,
- A shield against the prying roar.
- For in the shadows, safe and sound,
- Your treasures rest on silent ground.
- Scrutinize the information displayed on your social media profiles. If necessary, edit or remove any sensitive details.
- Ensure that none of this information is connected to your account security questions or passwords.
- Regularly update yourself with the latest security and privacy settings. Apply these updates whenever available.
- Restrict the visibility of your profile and posts to a select group of trusted individuals.
As the adage by Nicholas I Pavlovich, Tsar of Imperial Russia, suggests, adversaries may collect diverse information from a variety of sources to gain insights into your activities, capabilities, and intentions.
I have no need for spies. I have The Times.
Apart from social media, there is plenty of other sources of information an adversary can leverage to draw conclusions about your capabilities, activities, or intentions:
- Observation of your activities to discern patterns.
- Online data extracted from social media, web pages, blogs, and chat groups.
- Intercepted unsecured communications.
- Information obtained from observers, spies, or other agents.
- Discarded documents and waste materials.
- Movements tracked utilizing geolocation data from your social media posts and spyware on your devices.
- Search engines: Using keywords and phrases associated with your name can assist in locating your information on the internet.
- Background check websites: Services such as Intelius and TruthFinder offer paid facilities to search for individuals' personal information.
- Data brokers: Companies specializing in collecting and selling individuals' personal information.
- Public records: These records can provide insights into your legal and financial history.
Being mindful of your digital footprint is essential. Always assume you are under observation and take proactive steps to limit the amount of true personal information you expose. What seems secure today may not remain so in the future. Therefore, being prepared for potential leaks is crucial.
2. Security through Misinformation (Noise :arrow_up:)
Misinformation is a defensive strategy that involves intentionally spreading misinformation about yourself online. By strategically sharing misleading details, you decrease the ratio of accurate personal information (the signal) to false or irrelevant information (the noise). This makes it more difficult for potential attackers to piece together a true profile of you, hindering their efforts.
Putting a twist on one of the military deception maxims, “Jones’ Dilemma,” the 1988 Army Field Manual 90-2, Battlefield Deception states
The greater the collection capability an opponent has, the greater the opportunity to feed him specifically designed false information.
To make the attacker doubt their own actions and second-guess their attempts to access your information, you use confusion and uncertainty to make the situation more complex and difficult to navigate. For example, you could create multiple dummy accounts and fake profiles, and share different pieces of false or outdated information through each one. This can make it more difficult for the attacker to determine which information is real and which is fake, and can create confusion and uncertainty that makes the attacker less likely to continue their attempts to access your information.
Faking Personal Details You can use fake data generators to fill in any personal information fields that services ask for as long as they are not essential to the functionality of the service. E.g. often, you can specify your real name, age, and gender on the forums. Use different fake information for each of your accounts. To make it even more confusing you can use fake information combined with tiny bits of real information, e.g. use your real name but then a fake date of birth.
Temporal Dissonance Post content at times that don't align with your actual timezone or typical online hours. This dissonance can throw off attempts to correlate accounts based on activity patterns. Automated scheduling tools can help manage this irregular posting strategy without requiring you to be online at odd hours.
Misleading Metadata When sharing digital artifacts, intentionally alter metadata (such as geotags, timestamps, and camera details) to mislead about when, where, and how a photo or document was created. Tools that manipulate metadata can help in crafting these digital red herrings.
Interests Smokescreen Occasionally express interests in topics completely outside your actual preferences. For example, if your genuine interest lies in technology, sporadically post about gardening or fashion. This not only adds noise but can create a misleading pattern of interests that further complicates profiling efforts.
Manipulated Digital Artifacts Share photos, videos, or documents that have been digitally altered to misrepresent your activities and locations. With the sophistication of current editing tools, it's possible to create convincing artifacts that serve to mislead anyone attempting to construct a coherent profile based on your shared media. When creating fake affiliations, don't explicitly put any real names into your posts to avoid ethical issues.
Ethical Considerations The techniques above were selected to reduce the potential harm of obfuscating your identity. The core principle is to be deceptive to adversaries, but plausibly ethical to everyone else. No one will blame you for a bit of obfuscation to preserve your own privacy.
- In shadows' whirl, my truth takes flight,
- False trails blaze in fevered light.
- Whispers coil, a maddened song,
- Where truth and lies together throng.
- Numbers dance to my decree,
- Identities dissolve and flee.
- A swirling storm, my smoke and guise,
- Confusion gleams in hungry eyes.
3. Security through Decorrelation (Signal :arrow_down:)
Decorrelation is the process of separating or unlinking two or more identities. This is done to prevent an attacker from linking multiple identities together. For example, if an attacker is able to link your social media account to your email account, they can use this information to compromise your email account. This is because many online services use email addresses as a form of identification. If an attacker is able to compromise your email account, they can use this to gain access to other online accounts that use your email address as a form of identification. This is known as a "chain of compromise". To prevent this, it's important to use different identities for different online platforms. This makes it difficult for an attacker to link multiple identities together.
An attacker may also connect multiple different accounts across different platforms based on account metadata, such as:
- Usernames
- Emails
- Profile pictures
- Real names
- Personal details
- Friends
- Phone numbers
- IP addresses
- Browser fingerprints
- Device fingerprints
- Geolocation
To ensure your digital footprint remains secure, it's crucial to decorrelate, or separate, your online personas. This involves creating distinct identities for different online spaces, thereby making it more challenging for potential attackers to find a common thread that links all your online accounts. By decorrelating, you sow confusion and uncertainty.
Custom Email Addresses for Each Service: Instead of using a single email for all registrations, use a unique email address for each online service. GMail allows creating multiple emails per single phone number.
Unknown tag: note-block
Contradictory Digital Footprints Across different platforms, use multiple digital personas that are not only separate but explicitly contradict each other in terms of demographics, interests, and behaviors. For instance, one persona could be portrayed as a tech enthusiast in a particular country, while another shows interest in classical arts from an entirely different region. This not only confuses potential attackers but also challenges automated profiling algorithms.
Diverse Profile Pictures Avoid using the same profile picture across multiple platforms. Instead, opt for unique images, or better yet, use abstract images or avatars that do not reveal any personal information. Tools like AI avatar generators can create diverse, realistic images that don't trace back to you.
Selective Engagement with Content Be mindful of the content you interact with and how you interact with it. Liking, commenting, or sharing content across different personas in a similar manner can create patterns that might inadvertently link your identities.
Careful Management of Friend Lists and Connections In social media or networking platforms, avoid connecting the same group of friends or contacts across different personas. This is often an overlooked vector that can easily betray the effort to decorrelate identities.
Randomization of Security Answers When setting up security questions, do not use real answers that could link back to your true identity or be easily guessed across services. Instead, use randomized responses and store them securely in a password manager.
Unknown tag: note
Personal Detail Variations In cases where you are required to provide real information, consider how far you can bend those rules. For instance, you could use variations of your name (shortened versions, alternative spellings, etc), slightly different birth dates (keeping them plausible for age verification). You can use plausible deniability when making spelling errors or date errors by one. Such variations can make it difficult to correlate accounts based on personal information even if it is mandatory to provide such inforamtion.
Physical Address Alternatives For services that require a physical address, consider using a P.O. Box or a mail forwarding service instead of your actual address. This can prevent the correlation of accounts based on address information, especially for deliveries or services that necessitate a physical location.
Use of Privacy-Focused Browsers and Extensions (Threat Model: Advertisers & Big Tech) Leverage browsers and extensions designed to block trackers, ads, and fingerprinting techniques. These tools can significantly reduce the amount of metadata collected about you, making it harder to correlate your activities across the web.
Strategic Use of VPNs and TOR (Threat Model: Advertisers & Big Tech) To mask your IP address and geolocation, use VPNs and the TOR network strategically. Changing your apparent location regularly can disrupt attempts to correlate accounts based on IP logging.
Use of Alias Names in Voice or Video Calls When participating in voice or video calls, especially in professional settings where recording might occur, consider using an alias name. This can be particularly useful in webinars, interviews, or podcasts, where your voice or image might be shared widely.
- Separate selves in shadowed streams,
- Where truth dissolves in fractured gleams.
- One name, then none, a shifting guise,
- Lost in echoes, veiled in lies.
- Profile pictures twist and bend,
- No single face the world will comprehend.
- Likes and shares, a scattered trail,
- Confusing paths where hunters fail.
- Friends appear, then melt away,
- Connections forged, then thrown astray.
- Birthdays shift, names rearrange,
- A web of falsehoods, ever strange.
- With whispered words and hidden smiles,
- I weave a maze of countless miles.
- The hunted vanish in the night,
- Leaving shadows, fading light.
4. Security through Toxic Correlation (Noise :arrow_up:)
Opposite to the decorrelation principle, toxic correlation is a strategy that deliberately connects your online personas in a way that breeds confusion and misdirection.
Username Overlap: One practical method to foster toxic correlation is by choosing usernames that are incredibly common or mimic existing accounts with high activity. Search for popular names on other platforms and adopt those for your own. This makes it exponentially harder to isolate your activity within the noise of other similar accounts. Counterintuitively, use tools designed to create a unique namenamecheckr, nordpass-username-generator, to create names that do not identify you uniquely.
Recycled Content: Find pre-existing posts, memes, or images that are shared by some other moderately active user on a chosen platform. Repurpose them across your accounts. An adversary who searches this seemingly unique content will be forced to establish a false link between you and another person. Copy at most one or two people from each platform, preferably choosing people with similar account names. Copying too many will result in each individual connection seeming less plausible.
Behavioral Mimicry: Alongside using similar usernames and content, mimic the posting frequency and style of the users you are blending with. If they often use specific hashtags, emojis, or slang, incorporating these into your posts can further obscure your digital footprint by aligning your behavior with theirs. However, avoid direct interactions with the accounts you're copying to prevent drawing attention to the mimicry.
Ethical Considerations Behavioral Mimicry and using Recycled Content may be perceived as unethical. It is important to respect copyright law and to use these ideas in moderation. Furthermore, linking to another person may expose them to harm in case you are being tracked down by criminals. Username Overlap, however, is arguably ethical as no one user holds a right to a particular username and it is quite common for people to have the same usernames. That being said, be mindful of your impact on the other people.
Use of Dead Drop In digital terms, a "dead drop" could be an account, document, or other online resource that you create and then abandon after seeding it with misleading information. Linked with your other usernames, these can serve as breadcrumbs leading nowhere. This is a more ethical (although less effective) version of the above techniques.
Use services like Have I Been Pwned to check if your email address or username has been involved in a data breach. If it has, consider changing your username or email address to avoid being linked to the compromised data. Furthermore, assume that if the username, emails, or passwords got leaked or stolen, that likely indicates that other data was stolen as well. Companies have a vested interest in keeping the extent of a breach secret, so it's best to assume the worst.
- In names that echo, truths distort,
- A web of selves, of twisted sort.
- Shared words and styles, a borrowed face,
- Lost in the crowd, no single trace.
- Recycled whispers, mirrored sighs,
- The hunter's trail obscured by lies.
- Where shadows dance and mirrors gleam,
- Who am I? Lost within the stream.
- With breadcrumbs false and trails misled,
- A ghost I walk, a name unsaid.
- The mask I wear, a cunning game,
- In chaos born, I hide my fame.
5. What if I already fucked up?
You have to understand and accept that you cannot undo past mistakes. Once sensitive data is disclosed or compromised, retroactive application of the rules is ineffective. Controlling access to the information becomes almost impossible once it's publicly available, containing or recalling the data is often a futile pursuit.
Communications on the digital platforms have a long lifespan and any information shared online could potentially be available indefinitely. Even if you delete a post or a comment, there might be replicas of it stored elsewhere on the internet. Hence, always ponder over the long-term ramifications before sharing any information.
But not all is lost! In the next couple sections we will outline some techniques that will help you reduce the impact of privacy violations. The information may be out there, but we still have plenty of ways to confuse and disorient any adversaries trying to make sense of it.
6. Purging Old Information (Signal :arrow_down:)
One effective approach to reducing the signal-to-noise ratio is to eliminate your digital information. Rather than trying to clean up old social media accounts, consider deleting them entirely.
Privacy Provisions Make the most of privacy provisions like the General Data Protection Regulation (GDPR) to delete your information in a (hopefully) unrecoverable manner. Additionally, stay aware of other relevant privacy regulations like the California Consumer Privacy Act (CCPA) in the United States or Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), which can help in mitigating personal information exposure.
These privacy provisions can be weaponized against deceptive companies that do not explicitly allow account deletion. As long as they operate in a jurisdiction where one of the provisions applies, use them to your advantage.
Adversaries may use web archives to correlate your old information with new data, but some adversaries are insufficiently sophisticated to do that. A partial solution is better than none.
7. Implementing Toxic Correlation Over Time (Noise :arrow_up:)
After deleting your online account, it can be beneficial to wait awhile before creating a new one with the exact same username. Once you do create a new account, add plausible but misleading information to the account. Tying this new account to someone else's online identity can further increase confusion and complicate any attempts to track your online activities through your username. An adversary will search for your username and stumble upon a decoy account first, reducing the probability of them checking the web archival services.
To add another layer of protection, explicitly archive the decoy version of the profile to make sure that the most recent archived results are fake.
- In shadows deep, where secrets lie,
- Unseen, untamed, where treasures hide.
- No prying eyes, no grasping hand,
- Within this shroud, your mysteries stand.
- Unheard whispers, careless things,
- Unseen eyes glean precious strings.
- The web ensnares, where secrets bleed,
- What once was veiled, now lies unfreed.
- Still, silence shields your precious worth,
- A guard against the spying Earth.
- For in the shadows, sound and deep,
- Your treasures rest, where darkness sleeps.
- In echoes false, where truths take flight,
- A web of selves in fading light.
- Shared words re-spun, a borrowed face,
- Lost in the throng, without a trace.
- Recycled sighs, mirrored deceit,
- The hunter's path led on retreat.
- Where shadows dance and fragments gleam,
- Who am I? Lost within the scheme.
- With whispered lies and trails obscured,
- A ghost I walk, my name unheard.
- The mask I wear, a cunning play,
- In chaos born, I veil my sway.
- Fractured selves in shifting streams,
- Where truth dissolves like fleeting dreams.
- One name, then none, a changing guise,
- Lost in whispers, veiled in lies.
- Profile pictures warp and bend,
- No single face they'll comprehend.
- Likes and shares, a muddled trail,
- Confusing paths where hunters fail.
- Friends like phantoms, come and fade,
- Connections forged, then swift unmade.
- Birthdays shift, names twist and turn,
- A web of falsehoods, strange and stern.
- With hidden words and feigned delight,
- I weave a maze through endless night.
- The hunted vanish in the gloom,
- Leaving shadows, fading doom.
- The past, a wraith, whispers in blight,
- Where choices made spill poisoned light.
- Data lost, like windblown ash,
- A fading trail where sorrows clash.
- But in the embers, hope ignites,
- A spark of will that fiercely fights.
- Though shadows shift and echoes toll,
- I'll shape my future, spirit whole.
- Purge the old, let data blaze,
- A cleansing fire, through bygone days.
- Though whispers linger in the blight,
- New trails I'll forge, in boldest flight.
- With cunning truths and twisted wiles,
- I'll spin a web of cryptic smiles.
- False names and paths, a swirling maze,
- Through endless nights, they'll seek my ways.
- The fight rages on, though wounds remain,
- I'll rise from ashes, strength regain.
- In chaos forged, my spirit soars,
- And from the fragments, my will restores.
References
MilitaryBenefits.info - What Is OPSEC?
Security Awareness Hub - OPSEC Awareness for Military Members, DOD Employees and Contractors
Department of Defense Education Activity - Introduction to Operations Security
ThreatStack - Five OpSec Best Practices to Live By
Wikipedia - Compartmentalization (information security)
Wikipedia - Information securtiy
OPSEC for Security Researchers
Military Deception: Transparency in the Information Age
Web of Deception: Social Media and Implications for Military Deception
Doxing
Risk management
This Person Does not Exist
Midjourney
Stable Diffusion Web
NordPass Username Generator
LuxusMail
Namecheckr