2023-05-04

Patrick Walsh

A security expert's data privacy checklist

As the CEO of a company focused on privacy enhancing technologies, I get this question, or some variation of it, all the time. And it can be a hard question to answer. Everyone has a different level of comfort with technology and a different level of privacy sensitivity. There are trade offs inherent in increasing your privacy and security and you may have to forego services and features that you enjoy.

But when I get asked about personal privacy, I often find myself covering much of the same ground: why social media and free email accounts are awful, why most of our private data is actually out of our control, how we can minimize issues from our vendors, the best things to do to stop identity theft, what to do about facial recognition, and what steps I recommend most people take for their personal data security (digital and otherwise). I’ve covered each of these topics below, including a section for anyone who wants to go a step beyond the basics as a power user.

The top 6 privacy actions you can do today

1. Delete free services and social media

If you care about privacy, you should avoid apps like Facebook, Instagram, and TikTok and turn off location for apps like Uber when they’re not in use. It doesn’t matter whether you are an active poster or just a lurker. These apps make money by tracking your every move and learning as much about you as they possibly can. They rent or sell that knowledge to those who want to manipulate you including companies who want to sell you stuff you don’t need,political groups, and foreign countries.

If you’re okay with all that, that’s fine. I won’t judge you. Perhaps you have to have accounts at these places for work purposes. I get it. I haven’t deleted 100% of mine, either (though Twitter might go soon). Trade-offs are difficult. But my recommendation is to delete your accounts if you can.

2. Do what you can to address the third-party problem

You should know going into this that the privacy and security of most of your data is outside of your control. It’s far more likely to leak from one of your service providers than directly from your computer or phone.

My data has been stolen numerous times now, but never directly from me. My bank was hacked. My previous health insurer was hacked years after I stopped using them. I’ve received breach disclosure notices from my doctor’s office, my cell phone provider, and numerous online services that I use.

No one can operate in society today without a bank, credit card, mobile phone, health insurance provider, employer, email provider, and so on and so forth. These places hold our data and when they’re breached, so are we.

Aside: my company actually focuses on this part of the problem — the problem of leveling up the data security of organizations so we can slow the constant drumbeat of breaches. We help software companies encrypt their data meaningfully and create layers of protection that are sorely needed and mostly lacking today. We need systemic change that will drive this more broadly, though, and I hope for all of our sakes that some of the ideas around liability from the White House’s cyber security strategy come to fruition in the near future.

There isn’t a lot you can do about these threats other than vetting and monitoring your partners with limited public information. But you have to try. Here’s what I do:

Check security track record: When choosing a service provider of any kind, attempt to evaluate their privacy and security as part of your criteria. Look at their track record of breaches. Due to breach notification laws, state AG offices are a good place to go and search for these. I often start with the California database even though I don’t live in that state. Note: just because a company has been breached doesn’t mean they have bad security or they haven’t fixed the problems. But it’s worth a look and deeper dive to see what was stolen. If a company shows up with multiple breaches, though, consider that a red flag. T-mobile is a prime example.
Monitor for problems: Register your email address with ”have i been pwned” to see what services you’re already registered with that have been breached and to get alerted if a new hack compromises your data.
Score vendor security using public info: Review security and privacy marketing. I’ve previously written a security evaluation guide on what to look for that includes a scorecard that’s mostly suited to software-as-a-service companies, but that can get you started.

3. Prevent identity theft

Here’s the thing: it’s extremely likely that your name, address, and social security number have already been stolen(hell, the Equifax breach basically guarantees it for anyone over 25 and idiocy from Experian and others doesn’t help). That’s all that’s needed to steal your identity and seriously damage your finances and your life for years.

Adding insult to injury, half of the people who’ve had their identity stolen have had it happen multiple times (per the ITRC). In other words, your chances of having your identity stolen a second time go up substantially after it happens the first time.

The best thing to protect yourself by far is to freeze your credit at Equifax, TransUnion, Experian, and Innovis.Also at NCTUE (link goes to an article describing what this is). I recommend this to everyone. It can be a real pain to have your credit frozen, but it’s absolutely worth it. The cost: every time I buy a mobile phone or apply for a credit card I have to temporarily unfreeze my credit. The benefit: it’s substantially more difficult for someone with my social security number to open up credit lines, take out mortgages, or get credit cards in my name.

The other thing to worry about is tax identity theft. This is a process where someone with your info goes and files a bogus tax return claiming a refund and sets up an account to receive the refund. Most people find out about this when their e-Filed return is rejected since from the IRS’s point of view, a return has already been filed. The way to proactively stop this is to get an identity protection PIN from the IRS.

The things that I don’t recommend are the credit reporting and identity theft protection programs from companies like LifeLock and Equifax. I find these to be mostly useless. I do recommend getting an annual credit report for free though.

4. Opt out of facial recognition

Imagine walking into a store and realizing that they immediately know your name, your background, your credit spending limits, what you’ve spent with them in the past, and much more. Creepy, right? It’s happening already today. Businesses are using facial recognition to screen people from events, to track their location and habits, and to falsely arrest them.

Sadly, we don’t have federal privacy laws to protect us from these invasions.

To combat this, I try pretty hard not to post photos of myself online and to keep others from putting photos of me up on social media. But at the same time, I do speaking engagements and other events where it’s inevitable. Sadly, I also use a real photo on LinkedIn. I plan to experiment with Fawkes to subtly change these photos to foil facial recognition, but I haven’t attempted that yet.

For the rest of my online accounts, I use cartoon-like avatars for my profile picture. I got my first one by looking through fiverr for an artist whose style I liked and then paying $5 to get my own. Just search for “avatar.”

Additionally, you can try to opt out. One of the main companies selling this tech to police and private industry is a company called Clearview AI. They’re pretty horrible, frankly. They make it difficult to remove yourself and only allow delisting if you’re able to take a “public” photo and make it private and then give them the exact URL.

For a lucky few, you can opt out further. But you have to be in a state that has an active privacy law. Right now, that means you can fully opt out of Clearview only if you live in California, Virginia, or Illinois. Starting June 2023, Colorado residents should also be able to opt out.

5. Opt out of data brokers

There’s a huge industry of “data brokers” including credit score companies like Experian who are busy trying to gather every possible detail they can on you to sell to the next person. And they’re not the only ones. There are hundreds of other companies you’ve never heard of.

In the past, I’ve followed lists like this one and manually opted out of the top fifteen or so data brokers. I’ve seen more comprehensive lists as well, but it’s time-consuming.

More recently, I’ve been trying out a service called Incogni, which acts as my agent and sends opt out requests to 142 different data brokers (at time of writing).

I’m not sure if I’m recommending this yet as I don’t have enough experience with it. It’s a paid subscription service that requires you, ironically, to give them a bunch of personal information. But so far I like what I’ve seen. Because I’m not in a state with privacy protections (yet!), some of my requests are getting rejected, which is extremely maddening, though not Incogni’s fault.

6. Address your digital security

Cameras and Mics: I refuse to have any internet-connected devices in my house that are always listening to me or recording video. I’m okay with pressing a button to tell Siri something so I can get the benefit of voice commands, but I’m not okay with it always listening for “hey siri.” I understand that some people just like the convenience too much to give it up, but I’ve read dozens of stories about people’s private conversations or activities being shared around after someone in QA or Ops found it, usually after it was triggered accidentally, and for me, the privacy loss just isn’t worth the convenience. Separately, I put tape over cameras and mics on devices that don’t have a visual indicator that tells me when they’re on.
Home Network: For wifi, secure your network using WPA-2 or WPA-3 with a password that’s not found in the dictionary. Your privacy and security really do depend on a secure home network so opt for that slightly longer multi-word passphrase with some symbols mixed in. Don’t use any reference to your home’s address.
Password manager: The most common things that are stolen in data breaches are emails and passwords. Passwords are usually encoded in a one-way process called a hash. But hackers can reverse those hashes by exhaustively guessing possible passwords against all of the stolen credentials. To guard against this, you need to use different passwords on every site and random passwords each time. The best way to do this is to use a password manager like 1Password to generate and store your per-service passwords. Note: I recommend that things like scans of driver’s licenses, digital copies of birth certificates, etc., are also kept in here along with your passwords.
Software Updates: It’s a pain, but always be updating. Turn on automatic updates anywhere you can. Get your software from trusted sources like the Apple App Store on MacOS whenever possible so you can get the benefit of background updates and some basic vetting. [Note: I no longer do this myself, but I do believe this is the best approach for most people. I explain how I manage updates in the power user section below.]
Ad blockers: Every device and browser you use should have an ad blocker. It’s really the best thing you can do to stop companies from tracking you on the web. More and more often, this sort of capability is built into browsers (eg, Orion, Brave, and Safari), but it doesn’t hurt to use the built-in option together with a third-party extension. I like Ghostery for Safari on MacOS and iOS and I like uBlock Origin for Firefox and Chrome. (Actually, I use Brave when I need a Chrome-like browser, but the same extensions apply.) But there are a lot of good options so pick what works for you.
Search browser: I’ve historically used DuckDuckGo as a free privacy-oriented search engine. Under the hood it’s using Microsoft Bing search data, but they aren’t learning about you from your searches. These days though, I prefer to pay to use the subscription-supported search engine Kagi. I like the results and prefer an experience that isn’t warped by advertising and a business model that marginalizes users.
Multi-factor authentication: Use two-factor / multi-factor whenever possible. And if possible, avoid the SMS text message approach (see SIM swapping in next bullet) if other options exist. Power users should use Yubikeys whenever possible, but others should use an app like Authy to track the rotating codes that serve as a sort of second password on login. If you only set this up in one place, make sure it’s on your email account. If someone gets that, you’re hosed, because they can reset your passwords at all your banks, credit cards, etc., and lock you out of everything. Also, although I recommend 1Password to people, I would not personally put my two-factor codes in the same place as my passwords. Best to keep those things separate.
SIM swapping: Taking over your mobile phone number is a great way for an attacker to take over your life. And it happens pretty often (link is one example, but stats are embedded in there too). Each of the main mobile carriers in the U.S. have programs to help you prevent this attack: Verizon Number Lock lets you set up an Account PIN and a Number Transfer PIN. T-Mobile has an Account Takeover Protection program. AT&T lets you add a Number Transfer PIN as well. Also: if you get strange text messages from your carrier confirming things that you didn’t do, call them directly and right away.
Backups: Make sure you’re backing things up from all your devices. I have an extremely over-the-top multi-layered backup strategy, but for most people, just use a service like Backblaze for desktop and configure regular device backups over wifi to your computer. What does this have to do with privacy? Not a ton, but it will help you in case your system ever gets hit with ransomware or a hacker starts messing with you in other ways. Just do it.
Privacy preferences: This is important, but I don’t have time to pull together the settings I use today. Sorry. Try searching for something like, “best privacy settings ios” (or Android or macOS or Windows or whatever) for each of your devices and get to work putting things in line. Do this for Google, too, and any other core services you use. Maybe I’ll write another blog at some point with better fidelity.
Email services: Free email isn’t generally free. Google mines your email for receipts and keeps records of everything you’ve ever bought that showed up in your inbox. That’s not even all they do. As an alternative, I recommend Proton. They have more private email and they now have encrypted files and calendars as well. To get the most out of it, you have to pay, which is certainly not ideal when you’ve been used to free email for years, but in a capitalist society without privacy protections, voting with our dollars sends the clearest signal. Companies go where the money is even when there are fines for doing so. And yes, people with money can afford better privacy than people without, which is f’ing awful.

Level up: becoming a data privacy power user

If you don’t consider yourself a power user, just skip past this section to the conclusion.

I’m not going to go super deep, but I want to share some of the things I do for those who really want to keep tight control over their technology. I run both Apple and Linux machines, but MacOS is my daily driver so I’m going to focus on that here. If you use Windows or Linux, you probably want to skip to the Conclusion.

Note: huge shout out to Patrick Wardle, the king of MacOS security, for publishing so many amazing and free open-source security tools through Objective-See. I gladly support his Patreon. Several of his tools are mentioned below.

Manage software and updates: I try extremely hard to not have anything installed that I don’t need and that isn’t tracked. I use Nix to control everything installed on my system and my system configuration (including privacy and security settings). This is probably the most intense of the things I do and is best suited for super power users. I update my system via Nix once or twice a week, but I keep an eye on what’s being updated so I can understand what’s changing. I also install OS updates as early as I can after being notified. On my laptop, I’ve configured it to check for updates daily instead of the default of weekly. And I manually update my mobile phone apps multiple times per week, looking at change logs to keep an eye on what’s happening there. I also use the vulnix app to understand what’s installed on my system that has known vulnerabilities, which is a disappointingly long list even with up-to-date software, but at least I can know exactly where I’m weak and who to harass about fixing things.
Networking: I use Little Snitch to monitor network connections and to deny outbound connections that I don’t expressly authorize. I’m pretty granular in my permissioning. I also like LuLu, but I’m pretty invested in Little Snitch after years of using it. Although I have all of these measures, I also keep an updated /etc/hosts file that blackholes any known malicious hosts and quite a few tracking sites as well. Redundant to both Little Snitch and my ad blockers, but I like the layers.
Wifi and VPNs: If I must use public wifi, I use a VPN. And because I don’t trust other people’s VPNs, I have my own WireGuard setup on a Digital Ocean droplet that costs $5/month.
Startup programs: Although MacOS is getting better at warning you when something installs itself to run on startup, I’ve found BlockBlock to be invaluable in knowing when something is trying to worm its way into my system and, importantly, I can stop it. Generally, this is catching things I legitimately want on my system, but that I don’t want to automatically run at startup.
Custom tripwires: I have a custom system that I’ve built to help me detect when things change in my system. It basically signs over system preferences, startup items, kernel extensions, cron jobs, and more and does diffs across versions.
Antivirus: I regularly run chkrootkit and osquery (which uses yara signatures among other things). I also occasionally run KnockKnock which checks startup binaries against VirusTotal. MacOS has built-in anti-virus as well. I’m not fond of the available commercial anti-virus solutions available for Mac.
System monitoring: I use PeakHour to keep an eye on my internet connection quality and iStat Menus to keep an eye on everything else including when a process is eating CPU or memory without my blessing.
Throw away emails: Rather than just have a unique password per site, I frequently also use a unique email address as well. It makes it harder for hackers to match me across services and allows me to shut down addresses that have turned into spam magnets.
Password manager: I was previously a happy user of 1Password and I still recommend it for most people. I don’t recommend LastPass (because reasons). But 1Password now forces you to store your vault with them, which is unacceptable to me. Encrypted or not, I don’t want a third party to have it. So I now use KeepassX on Linux and Strongbox on MacOS. They interoperate and share a synced password vault. I sync the vault using Tailscale and Syncthing for peer-to-peer encrypted goodness (although beware if you use the encryption feature in syncthing, the password is stored in plaintext on your disk). I’m a pretty big fan of KeepassX/Strongbox because I can make my password/passphrase nearly impossible to brute force by combining something my brain can memorize with a fully random secret on a Yubikey. Unlocking my password database, therefore, requires someone to be physically on one of my devices with my Yubikey plugged in and activated via touch. Theft of my vault or remote access to my machine do not grant access to my passwords (though my browser cookies are still at risk).

Conclusion

To be truly comprehensive, this would have to be even longer than it already is. It’s easy to be fearful of being hacked or having your identity stolen and a little fear is healthy. A lot of fear is not. Don’t be overwhelmed. Make a list of the things you want to tighten up and chip away at it. Do the best you can for your situation a little bit at a time and hopefully ahead of really needing it.

There’s no perfect privacy in this day and age unless you’re prepared to cut yourself off from most of society. Even then it would be difficult. Privacy is important and the natural barriers we enjoyed for hundreds of years (like physical walls or talking with no one nearby) have eroded as cameras and microphones become pervasive. Safeguards in our laws in the U.S., to the extent they exist at all, have enormous loopholes. The harms from this normalization of privacy invasions are heavy for each of us individually and also for our society.

But you have agency to opt out of certain apps, to remove yourself from certain databases, to vote with your wallet, and to use security to thwart anyone who might target you whether by convenience or malice.

I hope this helps you to stay safe and to take control of your digital life.

Bonus: I created a Google Sheet (sorry — but at least you don’t need an account to view it) with a personal privacy checklist that captures most of the items above with direct links for opt out, etc. Feel free to copy and work from it if that helps. Leave a comment with suggestions to make it better.