the smart girl’s guide to privacy, revisited

“The Smart Girl’s Guide to Privacy” is the name of a 2015 ebook by Violet Blue on staying safe online that I got in some bundle – this is not really based on it, as I never really got around to finishing it, but the name has stuck with me, as it only gets more relevant. You don’t really need a book to know that online privacy is both very important and often neglected – stalking is a serious threat on its own, and many people do not realize just how much information they’re giving away voluntarily on a daily basis.

A couple of examples

  1. Let’s say that someone sees you on a dating app and you two never match, but they really like you so they decide that it’s a great idea to try and look for you elsewhere. If you are not overly cautious, they probably already have enough to find you: your first name and a picture of your face. If you are using your first name and your face on your Facebook or Instagram profile, that’s it – you’re a single search away. But when they have a third “clue”, such as the name of your employer or school, or your hometown, it’s even easier.
  2. Or take this slightly more elaborate case: you are connected to someone (Alice) on a site such as Goodreads or Last.fm, or even Spotify. Alice wants to be “friends” elsewhere, but since you are probably using a fairly unique handle and avatar, finding your “real” social media can be much more difficult for them. However, check this out: you have friends/followers! And one of them (Bob) may be using their real name because, really, why wouldn’t they? They don’t have anything to hide, especially on Goodreads. Anyway, Alice can now look for Bob on Facebook/Instagram, and then scan their friends/followers there for anything similar to you, both in username and/or image. Chances are, they will find you, and it won’t take them a lot of time.

People will often refer to this as “stalking” but this is technically OSINT, or open-source intelligence – the practice of “collection and analysis of data gathered from open sources to produce actionable intelligence”. In principle, it’s not much different than what journalists and researchers at Bellingcat do to identify Russian intelligence officers. It’s a learned skill and once you get the hang of it, you may start doing it without any real goal other than to see if you simply can.

Some tips on privacy

If you’re not a fan, here is a bullet list that may help you regain some privacy and/or autonomy, or at least inform you “how they found you”.

  • Minimize your social media presence. Facebook and Instagram are the worst, but any social media site is a ticking time bomb. The more time and content you’ve put in, the more information potential attackers have access to. Even if this sounds like it may potentially impact your daily habits, consider deleting your accounts whenever possible.
  • Don’t use your real and/or full name. If you are not an established (or wannabe) artist, an influencer, or any other type of public figure – you really don’t need to use your real name on social media. Nobody will think that you’re “inauthentic” – nobody cares. Just stay safe and use a screen name like the rest of us. Facebook are making this increasingly difficult by only allowing users to use their real names, but read the previous point again on how to solve this.
  • Use different screen names and avatars for different sites. This one is so simple and effective, yet it’s so under-utilized. Experienced stalkers will easily track you across different sites if you use the same username and/or avatar; sometimes, even using the same first letter may suffice. You should also note that generally, unless your profile is hidden/private, your list of friends or followers is available to third parties too, and you could be cross-referenced using them. Thanks, friends.

I started using the Internet at a time when IRC was the dominant chat platform, and one of the things I appreciated the *most* was that every time I logged on, I could use a different screen name – which may or may not have impacted how I still look at social media today.

  • Coming off of that last one, and this is also pretty obvious, but whenever possible, make your social media private/hidden.
  • You should also prioritize your social media in terms of privacy. No one really posts a lot of personal information on their Goodreads or Last.fm accounts, but they do so on Facebook, Instagram and LinkedIn – so secure them first. LinkedIn is an especially tricky site as people tend to be very specific about when and where they studied and worked; as an added bonus, it has extended search functionality that borders on creepy.
  • Stay far away from aggregate sites such as about.me and linktr.ee. If you’re making a link page for your entire online presence, you’re basically doing the stalkers’ work for them.
  • Be careful if you ever incorporate any businesses or organizations. In some countries, especially in Europe, your data will be preserved forever, and it will be publicly accessible to anyone, and you won’t be able to hide it.
  • If your personal information is already on the web, you can try contacting G**gle and other search engines about hiding it. They don’t have to oblige every request, but they might – YMMV.
  • If your name is on someone’s website and not Facebook, you can try reaching out to the owner or webmaster directly. Normal people are much more likely to care about your request than faceless evil corporations. I once asked a museum to scrub my name from an article about a school project from over a decade ago, and they did it in a day with no further questions.

Some tips on security

Security of your online presence is not the same as privacy, but it is closely related, and it is always a good idea.

  • Use good passwords, and use distinct passwords across different sites and services. A no-brainer.
  • Use a password manager. You can then remember a single strong password; the rest will be remembered for you.
  • Use decent, up-to-date hardware and software. This includes your router, phone, and computers. If your hardware stops receiving security updates, change it.
  • Use HTTPS. This is signified by the padlock in the address bar of your browser, and it means that any data that is passed between you and the server is encrypted; most modern browsers already make sure that any unencrypted connections are pretty visible and scary for users.
  • Double-check the URL in the address bar and the email address in the From/Return-Path field of the email. People will try to make you click on nasty links; they will craft realistic pages and messages, and they will send them from spoofed addresses that look like your contacts, so always look twice.
  • Use networks that you trust. At the very least, make sure that the wireless network is password-protected, or don’t connect to it at all. If you absolutely have to use a public or otherwise untrusted network, this might be a very good time to use a VPN. You don’t need any expensive subscriptions or advanced skills for this – most consumer-level routers now come with a VPN server built-in, you just have to enable it and then spend five minutes to set it up on your phone.
  • Watch for data leaks. Technical news sites will write whenever a major site or service is broken into and user data is leaked, but if it’s a really big site, you will hear about it from your local news station. When (not if) you find your username or email in such a leak, change your password for that site, but also for any other site where you may have used the same user/password combination.
  • Keep backups and redundancies. My personal method of choice is this.
  • Carry a knife. A no-brainer.
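
The From/Return-Path double-check from the list above, as an added Python example (not part of the original post). The sample messages and every domain in them are constructed placeholders, and the function names are made up for this illustration.

```python
from email import message_from_string
from email.utils import parseaddr

def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def related(a, b):
    """True if the domains are equal or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def header_warnings(raw_message):
    """List the reasons the sender headers deserve a second look."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    if not from_dom:
        return ["From has no usable address"]
    warnings = []
    # Mail clients often show only the display name, so an address placed
    # there can differ from the one the message really claims to be from.
    if "@" in display and display.strip().lower() != from_addr.lower():
        warnings.append(f"display name shows {display!r}, real From is {from_addr}")
    # Return-Path is where bounces go; Reply-To is where your answer goes.
    for header in ("Return-Path", "Reply-To"):
        _, addr = parseaddr(msg.get(header, ""))
        if addr and not related(domain_of(addr), from_dom):
            warnings.append(f"{header} domain {domain_of(addr)} differs from {from_dom}")
    return warnings

# Constructed sample messages; all addresses and domains are placeholders.
LEGIT = (
    "Return-Path: <alice@example.org>\n"
    "From: Alice <alice@example.org>\n"
    "Subject: lunch?\n\nSee you at noon.\n"
)
SPOOFED = (
    "Return-Path: <bounce@mailer.example.net>\n"
    'From: "alice@example.org" <alice@examp1e.test>\n'
    "Reply-To: alice.example@freemail.test\n"
    "Subject: urgent\n\nClick here.\n"
)

if __name__ == "__main__":
    for name, raw in (("LEGIT", LEGIT), ("SPOOFED", SPOOFED)):
        print(name, header_warnings(raw) or "nothing odd in the sender headers")
```

A Return-Path on a different domain is also normal for newsletters and other mail sent through a delivery service, so treat these warnings as a reason to look twice, not as proof of spoofing.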

This article is non-exhaustive; more may be added to it in the future. Know that even if you follow every good practice there is, someone may one-up you or find you on the street by sheer chance. Stay vigilant, stay safe.

