Extreme Privacy

Backlinks: Disinformation

In light of another data breach, I came across Extreme Privacy: What It Takes to Disappear by Micheal Bazzel in a HN comment. Being simply responsible, even if you have "nothing to hide" requires the most basic of these techniques. I've been using a password manager for years (see personal data infrastructure) and it makes my life easier (my wife wouldn't agree).

The whole book is presented as an extremely long checklist. Some of the steps are complicated, some are easy. I can't say it any better the MB himself: it all depends on your "threat model". I should note that he doesn't love that term, prefering a more direct

What do I want to hide?

What's missing is a framework to apply to each of these ideas. He talks about what you're hiding, and often from whom, but I think we can do a slightly better job organizing this into a framework. The what and who all depend on the circumstance, and his approach is all-in but most of this is not practical for everyone. We need a framework MB!

Who are we hiding from

First, we can break down who we are hiding information from:

  • Public (e.g., google search)
  • Public, slightly hidden
  • Public, with incorrection information
  • Advanved public / private investigators
  • Unscrupulous private company
  • Private company
  • Law enforcement

To make this useful, we need to differentiate information that is so blantantly public as a Google search through information that is online but requires a lot of digging.

Most of MB's techniques move your information from lower to higher on this spectrum. There are very cases where we're effectively hiding information from this entire list and only very limited situations where that is warranted. The one example is not having phone location data immediately accessible to law enforcement through truly anonymous cellular data use (and one legimate reason he gives an exmample of: a geofence warrant getting you wrongly arrested). For home and car ownership, these are never hidden from law enforcement (and they shouldn't need to be).

Sometimes, he notes it's only possible to move information from public to slightly more hidden by requesting removal from google searches and adding noise (disinformation). He gives many examples of each (e.g., de-listing revenge porn).

A major focus is to prevent information from flowing higher to lower on the spectrum. Sharing information with unscrupulous companies means it will end up with a data aggregator and either be hacked or leaked. Sometimes you don't have control, like the SSN leak that started my search here.

What are we hiding

All of the tasks in EP focus on this: the specific information we're hiding (and from whom with different techniques).

Let's try to make a list. Some combinations of pieces of information

  • Access to digital accounts
  • Historical and current location
  • Access to your assets
    • For money, this can often mean simply digital account access
    • Obviously for physical assets this is physical security
  • SSN
  • DOB
  • Real name
  • Home address
  • License plate / VIN / cars owned
  • Goverment IDs (license, passport details)
  • Face (photos/videos online)
  • Credit
  • Digital footprints (purchases, etc)
  • Health information

Again, you can't hide all of this from everyone, and you don't want to. You need your bank to know who you are, and be able to verify it. At the same time, I don't want criminals using my credit (which they can access through having enough of the other things on this list).

At the time of writing, SSN is out of the bag (maybe, possibly, for sure?).

Takeaways

I'm not about to set up a trust for my cars or house (I'm already associated with them). Will I set up a trust for a next house? Maybe it really would be worth the hassle.

We have to constantly be vigilant that our information is safe. Access to pieces of the information can compromise the whole system.

Here's some concrete basic steps with some notes on what I've already done. I think these might apply to everyone?

  • Secure your online accounts
    • All of them
    • Always use a password manager (1password)
      • I use an online syncing one, striking the balance towards convience
    • Access to this, and devices with it, should be protected appropriately
      • Yubikeys are great for this (I use 3 of them)
  • Never give our government ID, SSN, DOB unless you MUST
  • Don't bother trying to protect home address (or cars)
    • Hard to set up, manyyyy hurdles to maintain
    • Most of the book hinges around maintaining this and preventing linkages to it at every step
    • I won't talk about home security here (since my address is effectively public via ownership information!)
  • Limit use of social media
    • No twitter/X, linkedin, instagram, facebook, snapchat, tiktok, etc
    • I do use Strava (lots of location data!) & Youtube
      • I could limit Strava (& Garmin's) publicity, but I am implicitly trusting Apple/Google/Strava/Garmin with detailed location data (they won't get hacked or resell).
    • This blog is very public! Hm…
  • Not worried about public photos / videos (youtube, old images are just out there)
  • Be careful about DOB implicit sharing (happy birthday Tweets… or in my case blog post)
  • I used to use Google Voice and VOIP as a burner phone #
    • At one point I had google's cell service which combined the numbers
    • Lost the google voice number in some part of those transitions (on or off of Fi)
    • I recall a lot of work switching 2FA between phone lines…
  • For email / document storage can trust google/apple but set up lots of authentication!

All of this should prevent my credit from getting stolen or unauthorized access to my assets. I could still get "doxxed" quite easily, but that's not something I am taking action to prevent. While SSN may be public, address is public, maybe I can keep DOB private. Those three together are a lot for gaining access to online accounts.