Welcome to the March 2023 issue of Incognito, the monthly newsletter from DeleteMe that keeps you posted on all things privacy and security.
Here’s what we’re talking about this month:
If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter.
Next month is Identity Management Day. Created to raise awareness about the increasing ubiquity of identity-related attacks, it’s a reminder to update our privacy settings on all accounts and use a password manager (among other things).
But while being privacy-aware and protecting passwords is important, these things alone won’t keep our digital identities private.
Here’s why. Plus steps you can take to actually protect your identity.
We’ve all heard it: our identity is for sale on the dark web.
Depending on who you are, that may or may not be true.
But what’s 100% true for everyone is that a) our identities are being sold on the surface web (i.e., the web we use every day and that is visible to everyone), and b) these identities are getting more comprehensive (and as a result, easier to exploit).
This is due to data brokers.
Once a way to get mostly basic directory-style data points on someone you may know, data brokers’ profiles have become much more detailed. In addition to names, phone numbers, and addresses, they now feature information about our families, past residences, employment, and much more.
So where do data brokers get the information that lets them build out our identities with such precision?
There isn’t just one source that data brokers rely on for information.
Instead, data brokers get their data from various different sources, like public records (i.e., birth certificates, marriage licenses, court records, etc.) and social media.
You’d be surprised how many people, groups, and organizations want to use data brokers to buy your identity — and for how many purposes.
Here are some examples:
The first step for keeping your identity private is to opt out of data brokers.
Even if you do nothing else, removing yourself from people search sites and data broker websites will help you protect your identity.
The reason why is that data brokers sell your identity to third parties. This makes a bad actor’s job easy.
On the other hand, if a bad actor can’t find your information on a data broker source, they’ll need to assemble your identity piece by piece. This is a much more time-intensive and complicated task. Not everyone will be willing to put in the time to find all your public records, social media accounts, etc.
The second step is to minimize how much data you personally put out on the internet. Do you share tidbits from your personal life and photos on social media? Contribute to online forums? All this activity leaves a trail of digital breadcrumbs that someone with enough time can follow.
Remember, your online activities are also an important source for data brokers.
So are public records. The third step is to reduce how much personal data can be accessed about you through sources like court records and marriage licenses.
In certain circumstances, like if you’re a victim of domestic violence, you may be able to seal your records. Even if that’s not possible, you might still be able to change some personal data on certain public records, for example, swap out your real address for a P.O. box.
Finally, the fourth step is to remember that you’ll probably need to make tradeoffs.
For instance, if you want to get retail discounts, you’ll likely need to sign up for a loyalty card, but loyalty program data is often sold to data brokers. The same goes for free apps etc.
Our recent favorites to keep you up to date in today’s digital privacy landscape.
TruthFinder and Instant Checkmate Breached, User Personal Data Leaked
The background check services TruthFinder and Instant Checkmate experienced data breaches that impacted more than 20 million customers. The breaches were discovered after databases of customer personal information (names, phone numbers, email addresses, encrypted passwords, and password reset tokens that are inactive/expired) were shared on the dark web. Only customers that created accounts between 2011 and 2019 seem to have been affected.
Booking.com Customers Are Being Scammed, And No One Knows Why
Booking.com customers have been getting scam emails that look like they come from Booking.com and include their travel plans and other personal data. While the first incident was recorded in 2018, and the latest was in February 2023 (as of this writing), Booking.com says its systems have not been compromised. Instead, according to the travel marketplace, scammers have sent phishing emails to a number of properties that accidentally compromised their accounts. Affected guests have reportedly been contacted.
ChatGPT Is Being Trained On Our Personal Information
ChatGPT was trained on information scraped from the internet, including people’s personal data, writes Ars Technica. This is problematic because a) individuals never gave it their consent to use their data, some of which might be sensitive and could identify them, and b) there’s no way for people to see if OpenAI (the company that owns ChatGPT) stores their personal data and no mechanism to ask for them to remove it. By using ChatGPT, people may also inadvertently feed it more sensitive data.
Reddit Confirms Breach, Says Users Are Not Impacted
The forum and social news website Reddit confirmed that it was breached and that threat actors accessed its internal systems. The breach happened after a Reddit employee clicked on a targeted phishing email. Attackers were able to access internal documents, dashboards, business systems, and code, as well as some information on current and former employees and other contacts. However, Reddit user data was reportedly not exposed.
Here are some of the questions our readers asked us last month.
Q: Is it a good idea to flood the internet with fake data about myself?
A: Yes. but it shouldn’t be relied on for privacy.
Data poisoning (or OSINT poisoning), as the practice you’re talking about is sometimes known, can confuse data brokers and algorithms that serve you personalized ads.
The practice can involve things like:
Those who engage in data poisoning attest to its effectiveness.
“You’d be surprised what sort of coupons CVS prints for me on the bottom of my receipt. They are clearly confused about both my age and my gender,” said one The New York Times reader in an article from a few years ago on how not to leave tracks around the internet.
At the same time, those determined to figure out who you are will find ways to do it (“monitor/update/wait because one day someone might slip and it all falls together,” said one person in a forum thread asking how to overcome data poisoning).
And even though some of the information a data broker has on you might be incorrect, a lot of it will be accurate.
As such, it’s best not to rely just on data poisoning but also to take the time to remove data about you from the internet that is correct.
Q: How can I find all of my old accounts? I want to delete them but can’t remember everything I ever signed up for.
A: Consumer Reports has a great article on this, with tips like:
We’d love to hear your thoughts about all things data privacy.
Get in touch with us. We love getting emails from our readers (or tweet us @DeleteMe).
Don’t forget to share! If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter. If you’d like to subscribe to the newsletter, use this link.
Let us know. Are there any specific data privacy topics you’d like us to explore in the upcoming issues of Incognito?
That’s it for this issue of Incognito. Stay safe, and we’ll see you in your inbox next month.
DeleteMe is our premium privacy service that removes you from more than 30 data brokers like Whitepages, Spokeo, BeenVerified, plus many more.
Save 20% on DeleteMe when you use the code DIYPRIVACY.
Our privacy advisors:
Save 20% on any individual and family privacy plan with code: BLOG20
Over 575 reviews with an average rating of 4.5 out of 5
© 2023 Abine, Inc. All Rights reserved.