Patrick Walsh

A security expert's data privacy checklist

As a security professional, the top question I get is, “what do you do to protect your own privacy?” Here’s what I recommend, along with a checklist at the end.

As the CEO of a company focused on privacy enhancing technologies, I get this question, or some variation of it, all the time. And it can be a hard question to answer. Everyone has a different level of comfort with technology and a different level of privacy sensitivity. There are trade offs inherent in increasing your privacy and security and you may have to forego services and features that you enjoy.

But when I get asked about personal privacy, I often find myself covering much of the same ground: why social media and free email accounts are awful, why most of our private data is actually out of our control, how we can minimize issues from our vendors, the best things to do to stop identity theft, what to do about facial recognition, and what steps I recommend most people take for their personal data security (digital and otherwise). I’ve covered each of these topics below, including a section for anyone who wants to go a step beyond the basics as a power user.

The top 6 privacy actions you can do today

1. Delete free services and social media

If you care about privacy, you should avoid apps like Facebook, Instagram, and TikTok and turn off location for apps like Uber when they’re not in use. It doesn’t matter whether you are an active poster or just a lurker. These apps make money by tracking your every move and learning as much about you as they possibly can. They rent or sell that knowledge to those who want to manipulate you including companies who want to sell you stuff you don’t need,political groups, and foreign countries.

If you’re okay with all that, that’s fine. I won’t judge you. Perhaps you have to have accounts at these places for work purposes. I get it. I haven’t deleted 100% of mine, either (though Twitter might go soon). Trade-offs are difficult. But my recommendation is to delete your accounts if you can.

2. Do what you can to address the third-party problem

You should know going into this that the privacy and security of most of your data is outside of your control. It’s far more likely to leak from one of your service providers than directly from your computer or phone.

My data has been stolen numerous times now, but never directly from me. My bank was hacked. My previous health insurer was hacked years after I stopped using them. I’ve received breach disclosure notices from my doctor’s office, my cell phone provider, and numerous online services that I use.

No one can operate in society today without a bank, credit card, mobile phone, health insurance provider, employer, email provider, and so on and so forth. These places hold our data and when they’re breached, so are we.

Aside: my company actually focuses on this part of the problem — the problem of leveling up the data security of organizations so we can slow the constant drumbeat of breaches. We help software companies encrypt their data meaningfully and create layers of protection that are sorely needed and mostly lacking today. We need systemic change that will drive this more broadly, though, and I hope for all of our sakes that some of the ideas around liability from the White House’s cyber security strategy come to fruition in the near future.

There isn’t a lot you can do about these threats other than vetting and monitoring your partners with limited public information. But you have to try. Here’s what I do:

  1. Check security track record: When choosing a service provider of any kind, attempt to evaluate their privacy and security as part of your criteria. Look at their track record of breaches. Due to breach notification laws, state AG offices are a good place to go and search for these. I often start with the California database even though I don’t live in that state. Note: just because a company has been breached doesn’t mean they have bad security or they haven’t fixed the problems. But it’s worth a look and deeper dive to see what was stolen. If a company shows up with multiple breaches, though, consider that a red flag. T-mobile is a prime example.
  2. Monitor for problems: Register your email address with ”have i been pwned” to see what services you’re already registered with that have been breached and to get alerted if a new hack compromises your data.
  3. Score vendor security using public info: Review security and privacy marketing. I’ve previously written a security evaluation guide on what to look for that includes a scorecard that’s mostly suited to software-as-a-service companies, but that can get you started.

3. Prevent identity theft

Here’s the thing: it’s extremely likely that your name, address, and social security number have already been stolen(hell, the Equifax breach basically guarantees it for anyone over 25 and idiocy from Experian and others doesn’t help). That’s all that’s needed to steal your identity and seriously damage your finances and your life for years.

Adding insult to injury, half of the people who’ve had their identity stolen have had it happen multiple times (per the ITRC). In other words, your chances of having your identity stolen a second time go up substantially after it happens the first time.

The best thing to protect yourself by far is to freeze your credit at Equifax, TransUnion, Experian, and Innovis.Also at NCTUE (link goes to an article describing what this is). I recommend this to everyone. It can be a real pain to have your credit frozen, but it’s absolutely worth it. The cost: every time I buy a mobile phone or apply for a credit card I have to temporarily unfreeze my credit. The benefit: it’s substantially more difficult for someone with my social security number to open up credit lines, take out mortgages, or get credit cards in my name.

The other thing to worry about is tax identity theft. This is a process where someone with your info goes and files a bogus tax return claiming a refund and sets up an account to receive the refund. Most people find out about this when their e-Filed return is rejected since from the IRS’s point of view, a return has already been filed. The way to proactively stop this is to get an identity protection PIN from the IRS.

The things that I don’t recommend are the credit reporting and identity theft protection programs from companies like LifeLock and Equifax. I find these to be mostly useless. I do recommend getting an annual credit report for free though.

4. Opt out of facial recognition

Imagine walking into a store and realizing that they immediately know your name, your background, your credit spending limits, what you’ve spent with them in the past, and much more. Creepy, right? It’s happening already today. Businesses are using facial recognition to screen people from events, to track their location and habits, and to falsely arrest them.

Sadly, we don’t have federal privacy laws to protect us from these invasions.

To combat this, I try pretty hard not to post photos of myself online and to keep others from putting photos of me up on social media. But at the same time, I do speaking engagements and other events where it’s inevitable. Sadly, I also use a real photo on LinkedIn. I plan to experiment with Fawkes to subtly change these photos to foil facial recognition, but I haven’t attempted that yet.

For the rest of my online accounts, I use cartoon-like avatars for my profile picture. I got my first one by looking through fiverr for an artist whose style I liked and then paying $5 to get my own. Just search for “avatar.”

Additionally, you can try to opt out. One of the main companies selling this tech to police and private industry is a company called Clearview AI. They’re pretty horrible, frankly. They make it difficult to remove yourself and only allow delisting if you’re able to take a “public” photo and make it private and then give them the exact URL.

For a lucky few, you can opt out further. But you have to be in a state that has an active privacy law. Right now, that means you can fully opt out of Clearview only if you live in California, Virginia, or Illinois. Starting June 2023, Colorado residents should also be able to opt out.

5. Opt out of data brokers

There’s a huge industry of “data brokers” including credit score companies like Experian who are busy trying to gather every possible detail they can on you to sell to the next person. And they’re not the only ones. There are hundreds of other companies you’ve never heard of.

In the past, I’ve followed lists like this one and manually opted out of the top fifteen or so data brokers. I’ve seen more comprehensive lists as well, but it’s time-consuming.

More recently, I’ve been trying out a service called Incogni, which acts as my agent and sends opt out requests to 142 different data brokers (at time of writing).

I’m not sure if I’m recommending this yet as I don’t have enough experience with it. It’s a paid subscription service that requires you, ironically, to give them a bunch of personal information. But so far I like what I’ve seen. Because I’m not in a state with privacy protections (yet!), some of my requests are getting rejected, which is extremely maddening, though not Incogni’s fault.

6. Address your digital security

Level up: becoming a data privacy power user

If you don’t consider yourself a power user, just skip past this section to the conclusion.

I’m not going to go super deep, but I want to share some of the things I do for those who really want to keep tight control over their technology. I run both Apple and Linux machines, but MacOS is my daily driver so I’m going to focus on that here. If you use Windows or Linux, you probably want to skip to the Conclusion.

Note: huge shout out to Patrick Wardle, the king of MacOS security, for publishing so many amazing and free open-source security tools through Objective-See. I gladly support his Patreon. Several of his tools are mentioned below.

Conclusion

To be truly comprehensive, this would have to be even longer than it already is. It’s easy to be fearful of being hacked or having your identity stolen and a little fear is healthy. A lot of fear is not. Don’t be overwhelmed. Make a list of the things you want to tighten up and chip away at it. Do the best you can for your situation a little bit at a time and hopefully ahead of really needing it.

There’s no perfect privacy in this day and age unless you’re prepared to cut yourself off from most of society. Even then it would be difficult. Privacy is important and the natural barriers we enjoyed for hundreds of years (like physical walls or talking with no one nearby) have eroded as cameras and microphones become pervasive. Safeguards in our laws in the U.S., to the extent they exist at all, have enormous loopholes. The harms from this normalization of privacy invasions are heavy for each of us individually and also for our society.

But you have agency to opt out of certain apps, to remove yourself from certain databases, to vote with your wallet, and to use security to thwart anyone who might target you whether by convenience or malice.

I hope this helps you to stay safe and to take control of your digital life.


Bonus: I created a Google Sheet (sorry — but at least you don’t need an account to view it) with a personal privacy checklist that captures most of the items above with direct links for opt out, etc. Feel free to copy and work from it if that helps. Leave a comment with suggestions to make it better.