Privacy - it's a spectrum

Hey everyone, been a while since I’ve posted a topic here :mantelpiece_clock:

These days, more and more of our ‘private’ data is more accessible to third parties than ever. Often people’s views of privacy fall into two categories - “I have nothing to hide” and “everything is terrible, I don’t exist online”. In this topic, I’d love to instead start a conversation around it really being a spectrum, where everyone can improve their privacy somewhat.

Background

Why is privacy important, even if we supposedly have nothing to hide? In essence, it boils down to informed, explicit data sharing is great, but when consent is implied or not informed, issues arise.

Think of it this way - if you truly have nothing to hide, put all of your CC details in this thread :slight_smile:. What about your address? The last adult content you consumed?

And if you’re happy to share all of the above, great! More power to you! But would you share someone else’s data in this thread without consent too? Your parent’s phone numbers? Their addresses?

All of this data could likely be collected from our day to day activities online.

Now none of this is intended to be scary - we get some amazing things by sharing our personal data, but we should also consider our level of risk and see what else we might want to implement:

The basics

  1. The obvious one - don’t do seriously illegal things in public / semi public relatively insecure places

  2. Implement some general privacy practices - check if you’re reusing passwords and usernames, consider setting up separate email accounts for certain things, improve your work / personal separation

  3. Be aware of the difference between ‘secure’, ‘encrypted’ and ‘private’ - just because something is secure doesn’t mean only you can access it for example

  4. Use an adblocker - this is actually something that is recommended by the FBI (yes, really - or at least by some US gov department)

Some reasonable risk mitigations

  1. If you are slightly concerned about an application, some midrange suggestions are:
    a. Android: use a work profile / app like ‘Island’ to separate personal data
    b. PC: use an open source browser + good ad blocker + a web version where possible - can even usually get notifications using this approach
    c. Minimise personally identifiable information shared, and ideally don’t use unencrypted DMs for sensitive data - look at more secure messaging (Signal etc.)

  2. Use a VPN - but be aware of exactly what they can and can’t protect you from, and pick one that stores as little information as possible

More extreme risk mitigation

If you’re concerned enough about certain applications etc. to desire to run them in a virtualised environment, here are some suggestions:

  1. Look into Tor / I2P, but be aware of their limitations / they can be significantly slower than a VPN

  2. Have a work phone, a secure communication method (LineageOS? Graphene? Linux based mobile?) and if you can’t live without social media, a secondary ‘normal’ smartphone

  3. Have multiple lightweight sandboxes set up for various companies / purposes

  4. Create PGP keys with a public rotation scheme and use that for secure messaging where needed

BTW, anyone who wants more information on privacy etc., let me know, I am most certainly not an expert but I may be able to give some initial direction and am always looking to learn more! Looking forward to hearing everyone’s thoughts :thinking:

19 Likes

Excellent suggestions.

Some of my personal rules for privacy:

  • Removed all content, posts, friends, photos from FB back in 2010 and don’t use it except for managing public pages for other orgs
  • If there is a web version of something, I will use it before I install an app.
  • Never install hardware-specific apps if I can help it. i.e. apps for your Chinese Roomba knock off.
  • If you absolutely must install an app, I use a separate phone/tablet for those apps. That phone is on a separate VLAN and can’t see any of my sensitive devices.
  • Smart home, Amazon and other hardware devices are also on a separate VLAN
  • Keep location off on your phone unless you need it
  • If you have a google account, go in and turn off all the “history” options. (Skeptical of how much this makes a difference in what they collect and store)
  • Do not give apps permissions unless they absolutely need it for the functionality. Apps that won’t run without arbitrary access to data I delete.
  • Don’t use online password managers. I use KeePass, which is 100% local. Less convenient, more secure.
  • If a site offers 2FA, use it. I keep several Yubikeys and a Fidesmo card with the same keys on all.
  • I use a process to make (and remember) complex passwords unique to each site I sign up for.
  • I use a “catch all” email address so each site I sign up for gets a unique email address.
  • Work would pay for my phone, but I prefer the “inconvenience” of carrying two phones to keep them completely separate. I only have to do so when traveling for work so it’s minimal.
  • When traveling I always connect to my home VPN so all traffic is securely routed through my home internet.
  • Never use public wifi or hotel wifi if I have cell service
  • In addition to ad-blockers, run a PiHole DNS server at home, which forwards to a non-tracking secure DNS provider.
  • Never connect your phone to your car in a manner that shares any information with the car. Especially rental cars. (https://www.youtube.com/watch?v=lKTn_i1PMd4)
  • Never log into your streaming services in a hotel or Airbnb. Travel with a firestick or USBC to HDMI cable so you can stream from your phone/tablet/PC yourself.

Some OSINT link collections:
https://start.me/p/rx6Qj8/nixintel-s-osint-resource-list
https://start.me/p/z4rkrg/ctw-osint-tools-links-updated-9-18-23

There are some interesting “digital footprint” checkers

7 Likes

great solution; I’m assuming you run your own email server ???
Another system for those who don’t have their own server or want to add and manage multiple email accounts, a single sacrificial email should last you a long time using the technique below.

Let’s use a sacrificial gmail account as an example.

There are 2 options ( That I know of )

+ or .


+

if your sacrificial email is emailmcemailface@gmail.com ( FYI that’s taken, I checked)
add a “+” symbol after your email, then something like the website name you are giving your email account to.
eg.

emailmcemailface+fakebook@gmail.com

emailmcemailface+shadyshoppingsite@gmail.com

or simply ( as @Hamspiced mentions below )

emailmcemailface+spam@gmail.com

If the site accepts it as a valid email, it will still reach your inbox, and you can set up a rule to send to a specific folder eg. junk/ spam, its own folder etc.

This “+” doesn’t always work (some sites may block the “+”), but it is a better function option than the “.” option so try the “+” first

.

Add a dot anywhere within the address, and it will at the least allow you to filter / identify sites you don’t trust
i.e. emailmcemailface@gmail.com becomes email.mcemailface@gmail.com, which will still hit your inbox.

depending on how long your email name is, you will get a lot of options ( you can add multiple dots)

email.mc.email.face@gmail.com
e.m.a.i.l.m.c.e.m.a.i.l.f.a.c.e@gmail.com
etc.

the “.” always works.


Also, don’t take advice from weirdos on the internet

Now the question is, do you trust me or don’t you???

:rofl: :rofl: :rofl: :rofl: :rofl:

It does actually work, you can test these yourself.

Just use the above options (+ or .) to send yourself an email

2 Likes
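The “+” and “.” tricks described in the post above, seen from the inbox side: this is an added example, not code from anyone in the thread. It resolves each recipient address to the inbox it lands in and counts mail per marker, so you can see which sign-up is generating mail. It assumes the Gmail behaviour the post describes; the recipient list is constructed sample data.

```python
from collections import Counter

GMAIL_DOMAINS = {"gmail.com"}  # assumption: only the provider discussed in the thread

def split_alias(address):
    """Return (canonical_inbox, marker) for a Gmail-style alias.

    marker is the "+tag" if present, else the dotted local part if dots
    were used, else None for the plain address.
    """
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local:
        raise ValueError(f"not an email address: {address!r}")
    if domain not in GMAIL_DOMAINS:
        return f"{local}@{domain}", None  # other providers: assume nothing
    base, _, tag = local.partition("+")
    canonical = base.replace(".", "") + "@" + domain
    marker = tag if tag else (base if "." in base else None)
    return canonical, marker

def marker_report(my_address, recipients):
    """Count delivered mail per marker, ignoring mail for other inboxes."""
    mine, _ = split_alias(my_address)
    counts = Counter()
    for rcpt in recipients:
        canonical, marker = split_alias(rcpt)
        if canonical == mine:
            counts[marker or "(plain)"] += 1
    return dict(counts)

# Constructed sample: "To" addresses seen on mail arriving in one inbox.
SAMPLE_RECIPIENTS = [
    "emailmcemailface+fakebook@gmail.com",
    "emailmcemailface+shadyshoppingsite@gmail.com",
    "EmailMcEmailFace+shadyshoppingsite@gmail.com",
    "email.mc.email.face@gmail.com",
    "emailmcemailface@gmail.com",
    "someoneelse+fakebook@gmail.com",  # different inbox, not counted
]

if __name__ == "__main__":
    report = marker_report("emailmcemailface@gmail.com", SAMPLE_RECIPIENTS)
    for marker, count in sorted(report.items()):
        print(f"{marker}: {count}")
```

Mail counted under “(plain)” carries no marker, so it cannot be traced back to a particular sign-up.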

I do this already. But I always add +spam onto mine so it automatically gets filtered out.

2 Likes

Nope, use google workspace on a custom domain. (No longer free)

While these are valid and accessible options and I have used these on occasion, I always felt it was too easy for spammers to know to strip it from gmail addresses.

2 Likes

a fair point, I considered this also, but assume it is too much effort for them, and also why it goes to a sacrificial email.

1 Like

I usually just assume it is an automated spamming system and no actual human ever looks at my email address…

1 Like

Two other commercial options I have personally tried in the past for catch all:

  1. Proton(mail) - What is a catch-all email address? | Proton
  2. Mailbox - https://kb.mailbox.org/en/private/e-mail-article/using-catch-all-alias-with-own-domain

Nice collections, have any specific (or rough) suggestions for good footprint checkers? I saw some for username based checkers, any more advanced than that?

1 Like

This is unbelievable. I could spend months on this page and still not check every resource

1 Like

I don’t really. I got those from a friend who got them from some government training. I haven’t really dug into them myself but was amazed at all the tools.