How to Protect your Privacy -- Personal, Financial, Digital

The subject of protecting one’s privacy came up in another thread. I thought I bookmarked a few FW threads on the subject, but I couldn’t find them. Please provide links if you have any.

This thread will not be about how to completely disappear, at least not yet. There are books about it, but I haven’t read them: 1, 2. This will be about regaining control of your mailbox, inbox, sanity, and possibly improving your attention span.

We’ll start with increasing privacy by reducing or eliminating advertising from your life (junk mail, junk email, phone calls, online ads), a few other privacy tips and tricks, and see where the community takes it. I’ll start the wiki below.



Some of the topics below are also covered in this FTC Guide.

First and foremost

  • Limit the sharing of your personal information (name, SSN, DL, passport, current or former addresses, employment info, financial info, list of nearest relatives or emergency contacts, etc). It may only be shared on a need-to-know basis, only when the “need-to-know” is an absolute, 100% certain, impossible-to-avoid requirement. For example, most banking institutions in the USA require your name, SSN, DOB, address, etc, because of the Know Your Customer regulations, so you can’t avoid it. Your employer requires it due to various state and federal employment laws. But your utility, internet, or cell phone provider do not always require all of that (even when they tell you otherwise). Your doctor, dentist, or car dealer should not need your SSN if you’re not applying for credit. The main point is just because someone asks doesn’t mean you have to provide an answer (or an honest answer).

Privacy choices affecting the rest of the items below

  • Read every Privacy Policy before giving up your personal information. It’ll tell you how your information may be used and what choices you may have to prevent such use.
  • Exercise your privacy choices in the Privacy Notices. Here’s some info from FTC. Usually you need to do this once per account, sometimes once per SSN, depending on the institution. Sometimes there are additional choices that are not on the form – for example, you can ask any bank to not call you, and you can ask any credit card issuer to not send you promotional BT checks in the mail (these may be useful, but the same or an even better offer should also be available online).

Junk Mail

  • Use OptOutPrescreen.com to opt out of receiving prescreened offers of credit and insurance. I’ve done a permanent opt-out a long time ago and it didn’t hurt my multiple AORs or continuous churning, because mailed targeted offers are rarely better than public offers found online.
  • Use DMAChoice.org to opt out of receiving catalogs from members of the Direct Marketing Association. I told them I was dead to avoid any fees or having to renew my registration after 5 or 10 years.
  • Use CatalogChoice.org. This was known as TrustedID Mail Preference Service before, later acquired by Equifax, and now appears to be operating under a non-profit. I haven’t used it and I don’t really know what it’s about, but I’m guessing it’s competing with DMAChoice.org.
  • Do not use the USPS Change of Address form. The USPS will sell your new address to marketers and there’s no way to opt out of it. Clarification from @Full_Disclosure: only permanent (not temporary) change of address is sold to the NCOA database. There was a campaign to stop this a few years ago, but I don’t think it panned out. There may be a way to stop delivery of “Every Door Direct” or unaddressed mail – I called and asked for it, got a case # that would be sent to the local PO, but I’m pretty sure it was ineffective. What I do is keep track of every single account (in a password-protected spreadsheet in a secure location), and when I need to change my address, I update it with each and every person or business directly.
  • Use a private mail box. You could move without changing your mailbox or telling anyone your physical address (except maybe the mail box operator). Also good if you don’t want the sender to know where you live (but ineffective if your home ownership is public record).
  • You can opt out of some mailers that are sent to every resident, like RedPlum, PennySaver, ValPak, etc. Sometimes I still get some of these without an address printed.
  • Contact the advertiser directly and ask to be removed from their list. This may take multiple attempts. You can also ask them to reveal how they obtained your name and address (you’ll probably need to reach someone in their marketing department). Most of the time they’ll ignore you or tell you “it comes from a variety of sources”, but if you press, they might actually tell you. You may need the unique codes that are often printed near the address. Once you have the source, you can try to have your info removed from that database. If you’re in California, you could use CA Civil Code § 1798.83. I’ve tried to use it a few times, but I never get a response and I never tried to follow up, because the mailings stopped.
  • It’s much easier to clean up your mailbox if your name is not public record. If you buy a home in your name, real estate agents and mortgage providers will spam your mailbox regularly. If you are wealthy enough, you could (should?) buy the property in trust – your name won’t be public record, but it probably won’t stop these mailings.

Junk Email

  • Don’t want spam? Keep your email address(es) private :slight_smile:
  • Set your email client preferences to not load external images automatically. An invisible image / tracking pixel / web beacon can be used to confirm the receipt of the email and thereby validate your email address.
  • If you can’t be certain of the authenticity of the email, do not click on the “unsubscribe” link. Like a web beacon, clicking the link validates your email address.
  • Use different email accounts or email aliases for different purposes. For example, one account for financial institutions, one for online shopping, one for social media, and one for things that could spam you. Many email providers also support plus addressing / subaddressing, which may be used for this purpose. More details in the Internet section below.
  • The next level of privacy and security is not free and may require some technical know-how. Get your own domain and sign up for an email service like FastMail or pay for your own web hosting, and use email aliases. I create a unique alias for every single online account. All aliases forward email to one or two email accounts, so reading all my email is as easy as if I just had one or two email addresses. There are multiple reasons for doing this: (1) Removes the need for spam filters and can completely eliminate spam. If an alias is compromised, I can just delete it and create a new one. I even use separate aliases for distinct groups of people. (2) Email address is often used in place of a User ID / logon for online accounts. A User ID is half of the 2-part secret required to log on (the second part is the password). More detail in the Internet section below.

Marketing Phone Calls / Robocalls

  • Do not give out your phone number if you don’t want to receive phone calls. If you absolutely must provide your phone number, request that it’s not shared with anyone and not used for marketing purposes.
  • Do not answer the phone if you don’t recognize the info in the Caller ID. They’ll leave a voicemail if they really need to reach you. Some providers allow you to block calls if the caller has a blocked Caller ID.
  • Do not trust the Caller ID – it’s very easy to spoof. A few years after this thread was created, the FCC started working on solving this using Caller ID Authentication, but it’s not complete yet. The latest wave of spammers use your area code and maybe even the same first three digits to make it look like a local call. One easy way to recognize this is to live in a different area than your number is normally assigned to, which is easy to do with VOIP providers and number portability laws.
  • It’s very difficult to block phone calls coming from entities operating outside the USA.
  • Register with the National Do Not Call Registry DoNotCall.gov to stop legitimate advertisers from calling you. Political organizations are exempt, unfortunately. So are businesses with an established relationship.
  • Use Google Voice. You can get a free number (or port an existing one for a small fee) and have it simul-ring your cell and home numbers. It has lots of features and automatically detects some spammers and allows you to block numbers and report spammers.
  • Consider NoMoRobo. It’s only free for landlines and I don’t get many spam calls, so I haven’t used it.
  • Tax filing software may tell you that your phone number is required. I think it may be required for e-filing, but it’s definitely not required for paper filing. If you never give the IRS your phone number, then you won’t have to worry about the scammers that pretend to be IRS agents.
  • Some websites ask for your phone number even when they don’t actually need it, including the IRS-approved payment providers and counties for property tax payments. I provide a fictitious number and haven’t had any issues yet. I provide an email address for the receipt and I don’t want them calling me or knowing my number.

Internet: ads, browsing, social media, online accounts

  • Use a web browser that supports ad-blocking extensions, and configure them properly. I use Firefox with uBlock Origin (or Adblock Plus), NoScript, CanvasBlocker, and Smart Referer. This requires a lot of configuration, but it does a great job of blocking ads and speeding up page loads. Google Chrome also supports some of these extensions.
  • For even better web privacy, use VPN and a non-fingerprintable browser, with JavaScript disabled (or selectively disabled) and ads and trackers blocked.
  • Go to your Google Account Privacy Settings and opt out of web, search, and location history. Better yet, walk through all the privacy settings of all your online accounts and turn off everything you don’t like.
  • Change your digital camera settings to not embed GPS information into photos/videos (and don’t give the camera app permission to access location services). Unless you need an alibi, that is.
  • If you want to use Facebook but think it’s annoying, try Social Fixer. It can be a standalone extension or run as a GreaseMonkey/Tampermonkey script. It has a ton of features that make Facebook tolerable.
  • Don’t post your face online, don’t let friends tag you, don’t use your real name (and educate your friends). Your social media presence will be screened by your employers, your government, and your enemies. Is Enemy of the State science fiction?
  • Use application firewalls on all devices (Comodo, ZoneAlarm, NoRoot Firewall, Little Snitch, etc) to prevent offline applications from getting online. These can also protect you from (or warn you about) some viruses and trojans when they attempt to connect.
  • Windows 10 comes with all kinds of built-in tracking and telemetry that is difficult to disable (and installing updates may reset your preferences). Disable or avoid if you can.
  • Do not use your personal email address as a User ID / login for any of your online accounts. Treat your usernames the same way you treat your passwords – they should both be secret. Use email aliases (discussed in the Junk Email section above). Longer explanation here.
  • Use U2F and disable SMS fallback whenever available. The YubiKey products are the most widely used and recommended at this point (the $20 security key is sufficient if you only need U2F and not any of the additional YubiKey crypto features). This shifts the second factor vulnerability from your smartphone (vulnerable to SIM jacking and general hackery) to the physical security of your hardware key, making a remote attack more difficult.

Other Tips and Tricks

  • Remove your home address and phone number from your paper checks. If someone gets a hold of your check, don’t make it easy for them to steal your identity. Checks have no security measures other than harsh legal penalties for those caught cheating.
  • Freeze or lock your credit reports and other data aggregators (Experian, Equifax, TransUnion, Innovis, ARS, IDA, LexisNexis, ChexSystems, NCTUE) and take other measures to prevent Identity Theft: thread. Freezes and unfreezes are free nationwide since September 21, 2018.
  • Get a PIN for filing taxes with IRS: Krebs article.
  • Disable online access or get a PIN for accessing your SSA data online: Krebs original article from 2013, another Krebs article from 2018.
  • Freeze your salary history at The Work Number: Krebs article.
  • Monitor your credit.
  • Don’t let a private citizen swipe your Driver’s License or State ID. I’ve had this happen at hotels for check-in, or clubs and special events under the guise of making sure I’m old enough to drink, but they can read everything off the ID, including name and address. I don’t think my info was ever misused from this, but if I know in advance they scan IDs, I bring my passport, which doesn’t have my address and can’t be scanned by those ID readers.
  • Keep your RFID / NFC cards and devices in a Faraday cage. Keep your passport, Global Entry card, and any RFID-capable banking cards in an RFID wallet / aluminum foil so they can’t be read without your knowledge. (This is no longer an issue for EMV-enabled banking cards, assuming the bank correctly implemented security and uses the chip to secure radio communications). If you have a newer car with keyless entry or keyless ignition, same applies to your car remote – the signal can be boosted, and so can your car.
  • Don’t leave your vehicle registration and insurance cards in your car – they have your personal information. Keep them on you instead (in a wallet with your license, for example).
  • Don’t use the DNA “testing” services if you can’t do it anonymously. The data isn’t supposed to be public, but it is available for research and to law enforcement (without a warrant). Once you’ve done it, you no longer have control over it. Don’t let the Gattaca dystopia come true. Also it may interfere with your ability to get some types of insurance.

Try uBlock Origin instead of Adblock Plus. Better list subscriptions and it’s open source.

more privacy browser extensions:

  • HTTPS Everywhere
  • Ghostery
  • Privacy Badger

No argument against uBlock Origin. Adblock Plus (ABP) is also open source (Privacy Badger was based on it) and they support the same subscription list formats. ABP just doesn’t have a very good interface for subscribing, but you can find the lists if you look for them. ABP 3.0 is annoying enough that I might soon switch to uBlock.

I :heart: EFF, but HTTPS Everywhere is a useless and dangerous extension, IMO, because: “HTTPS Everywhere can protect you only when you’re using sites that support HTTPS and for which HTTPS Everywhere include a ruleset” (see Questions and Caveats). It creates a false sense of security for people who don’t understand what it does and assume it can do what its name suggests. Also most big sites have moved to HTTPS by default over the past few years.

As far as I know, Ghostery and Privacy Badger are both useless / redundant if you have an ad blocker and subscribe to lists that block trackers. Ghostery can delete the Flash supercookie, but Flash is dead, and everyone should remove it from their computers.


What does everyone use to block those super annoying popups that appear as one attempts to close a tab or browser?

It’s a bit off-topic since we’re getting into a technical discussion, but I can answer as long as we don’t derail too far for too long :slight_smile:.

Those are done with JavaScript. I haven’t seen such popups in a long time and I couldn’t tell you exactly which of the extensions I use blocks them, and it might depend on the site. It may be because RequestPolicy or ad blocker prevents the script file from loading, or because NoScript disables the loaded script. I also have another extension called “Controle de Scripts”, which might do something for these popups. A lot of my extensions are not compatible with the latest version of Firefox (57) because they completely changed the extension subsystem and disabled the old one. I’m not yet sure what to do about that. I might switch to an alternate browser like Pale Moon or Waterfox, or learn to live without the extensions.

If you want to PM me the site(s), I could take a look and tell you how to stop it. The last popup I battled manually was on Barclays Bank site, which pops up after you log out.

I hear good things about Waterfox, haven’t tried it yet.

B-b-b-bump!

A new law signed today and taking effect Jan 1, 2020 gives Californians some additional privacy protections. Among other things, it lets consumers request that businesses not sell their data (opt-out) or even delete it, although there’s still a lot of wiggle room as I understand the text. It also includes damages for breaking the law (up to $750 per person per violation). Unfortunately, it doesn’t go far enough – instead of forcing businesses to tell the consumers exactly with which third parties they may share your information, it only requires the disclosure of “the categories” of third parties (which is basically meaningless). And it’s still privacy by “opt-out” (as opposed to “opt-in”). It also appears to have a contradiction built in – on the one hand 1798.25 (a) (1) explicitly prohibits discriminating against opted out consumers by denying goods or services or charging different prices, while on the other 1798.25 (a) (2) and (b) (1) say: “A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data.”

A much stricter proposition was supposed to appear on the November ballot, but its sponsor agreed to drop it if this law passed. Too bad, IMO.

Bill text for AB 375.

As loopy as California seems to be with a lot of their rules, laws, taxes, fees, etc., they do appear to do something for the consumer every once in a while.

Even a blind squirrel …


CA had better consumer privacy protections in place than other states since 2005 (law passed in 2003). Even if you live in another state, you might find its wording on your bank’s annual privacy notice and pretty much every website that collects personal information, although it wouldn’t apply to you. It gave Californians better defaults and better opt-out choices. The new law is the next step forward.

Kinda like lots of products I buy are “known to the state of CA to certainly, probably, possibly, might, cause cancer?” :wink:

Yes, just like that.

At least you don’t have to read the Prop 65 warning at The Cheesecake Factory and wonder what they’re putting in your food.

I tried to look it up, and I don’t see it at other restaurants, I’m pretty sure it was some kind of a legal settlement after it was discovered that either burnt food or something else they used in the kitchen could cause cancer.

It’s possible that Prop 65 went too far, but the bigger problem IMO is that the label doesn’t identify the chemical. And to be honest, I’d rather be safe than sorry. The list of chemicals is what it is because they have research linking it to cancer, it’s not willy-nilly.

I understand the logic and that there is some kind of link, but lawdy, miss clawdy, why not just have a sticker for the things that don’t have some kind of a link? That would be better for the environment and probably for the people who print the labels because there must be a link to cancer in the ink, glue or bleached label. :tongue in cheek emoticon here:

I have my own domain, and so I can use whatever is before the @ sign, and still get all mail into the main mailbox. So every time I register somewhere, I use an address like prikindel-thatsite@mydomain.com for example:

prikindel-bofa@mydomain.com
prikindel-chase@mydomain.com
etc

So should I start receiving spam from one of those and it seems to be out of control, I simply block that particular prikindel-xxx address, and nothing else gets affected.
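The alias-per-account scheme from this post and from the wiki’s Junk Email section, written out as an added example (not the poster’s code): a small classifier that routes inbound mail by alias, flags an alias that is receiving mail from a party it was never given to, and retires a burned alias without touching the others. The domain, prefix, alias table and messages are constructed; plus addressing (`user+tag@`) is handled alongside the own-domain `prikindel-tag@` form.

```python
"""Per-site email aliases: routing, leak detection and retiring a burned alias.

Added example, not code from the thread. Each account was given exactly one
alias, so mail to that alias from any other party's domain means the address
leaked, and the alias can be blocked without touching the rest. The domain,
prefix, alias table and messages are constructed for this example.
"""
import re
from email.utils import parseaddr

OWN_DOMAIN = "mydomain.com"  # assumed: a domain whose catch-all mailbox you control
PREFIX = "prikindel"         # assumed: the poster's alias prefix

# alias tag -> domains that were handed that alias (constructed)
ALIASES = {"bofa": {"bankofamerica.com"}, "chase": {"chase.com"}, "shop": {"shop.example"}}
BLOCKED = set()  # tags retired after spam showed up


def alias_tag(rcpt):
    """Tag from prikindel-<tag>@OWN_DOMAIN, or <user>+<tag>@anywhere (subaddressing)."""
    local, _, domain = parseaddr(rcpt)[1].lower().rpartition("@")
    if domain == OWN_DOMAIN:
        m = re.fullmatch(re.escape(PREFIX) + r"-([a-z0-9]+)", local)
    else:
        m = re.fullmatch(r"[^+]+\+([a-z0-9]+)", local)
    return m.group(1) if m else None


def sender_domain(frm):
    return parseaddr(frm)[1].lower().rpartition("@")[2]


def classify(msg):
    """Return 'deliver', 'blocked', 'leaked' or 'unknown-alias' for one message."""
    tag = alias_tag(msg["to"])
    if tag not in ALIASES:
        return "unknown-alias"
    if tag in BLOCKED:
        return "blocked"
    dom = sender_domain(msg["from"])
    if not any(dom == d or dom.endswith("." + d) for d in ALIASES[tag]):
        return "leaked"  # the alias is being used by someone it was never given to
    return "deliver"


def retire_alias(tag):
    """Burn an alias: later mail to it is dropped, other aliases are unaffected."""
    BLOCKED.add(tag)


# Constructed inbound messages (From header, To header).
MESSAGES = [
    {"from": "alerts@bankofamerica.com", "to": "prikindel-bofa@mydomain.com"},
    {"from": "promo@cheap-pills.example", "to": "prikindel-bofa@mydomain.com"},
    {"from": "statements@mail.chase.com", "to": "Me <prikindel-chase@mydomain.com>"},
    {"from": "noreply@shop.example", "to": "me+shop@example.com"},
    {"from": "x@random.example", "to": "prikindel-zzz@mydomain.com"},
]

if __name__ == "__main__":
    for m in MESSAGES:
        print("%-28s -> %-36s %s" % (m["from"], m["to"], classify(m)))
    retire_alias("bofa")  # the bofa alias leaked above; burn it
    print("after retiring bofa:", classify(MESSAGES[0]))
```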

Exactly what you described is already in the wiki.

Regarding the USPS change of address, if you use a temporary change of address instead of permanent, your address doesn’t get sold through the NCOA database.

It may still be possible for entities sending you mail at your old address to get your new address, if they pay for that when sending out the mail, but they would have to pay for it on every piece they send, not just ones with address changes.


Thanks for the info – added to wiki.

Sharp! Sadly, my wife insists that our next change of address will involve us being moved horizontally. And also sadly, that’s not a sex joke. :laughing:


The Dodd-Frank rollback bill that was signed into law a few months ago includes provisions requiring most CRAs to provide security freezes at no cost, effective September 21, 2018. Without addressing the broader implications of the bill, the security freeze provisions are both good and bad.

CRAs currently provide security freezes because state law requires them to; there was no federal law on this. The state laws differ, most importantly in the maximum cost to freeze or unfreeze and in which CRAs are exempt from the requirements. As usual, some states are more protective of consumers than others.

The good part of the federal law is that it makes freezes and unfreezes free nationwide. The bad part is that it preempts state security freeze laws. This matters because the federal law has several important exemptions:

(The other exemptions are for things like existing creditors or law enforcement, and are not of concern.)

Current state laws might not exempt the same CRAs, but consumers in more protective states will lose that protection once the federal law is effective. Exempt CRAs can still voluntarily choose to offer freezes, of course.


Is this correct? The exemptions to the federal law would only apply to the federal law, each state’s laws will continue to exempt whoever the state chose to exempt.

Or are these “exemptions” not really exemptions, but rather mandated access?