According to surveys done by password manager companies (NordPass, Dashlane) in 2017 and 2020, the average Internet user had between 100 and 150 online accounts. That's a relatively big number (not really a surprise, since you need an account for pretty much anything nowadays), and it represents a lot of personal information that we are recording on the Internet...
Do you know by how much the number of data breaches rose in 2021 compared to 2020? According to the ITRC, by 68%, for a total of 1,862 data compromise events. Still according to the ITRC, 2021 saw 23% more data compromises than the all-time high in 2017. When it comes to your data, the question is not if it will leak, but when it will leak.
In this article, I will offer some stratagems that you can use to try to keep your data safe, and some things to think about when putting personal data online.
To Register, or not to Register
The first question that you need to ask yourself when you create an account is a simple one: "Do I really need that account?" Some things to consider:
- Maybe you can achieve what you want without the account; for example by calling the restaurant to book a table rather than going through the website
- Maybe the account does not provide tangible benefits; sure, if you create an account and connect your air humidifier to the Internet, you might have a graph of the humidity in your apartment depending on the time. Then what?
- Is the account easy to remove later, and is the company known for bad data management practices?
At the end of the day, there is no good answer, and you need to think about what you care about before making a decision. Maybe you consider that the convenience of registering for a service offsets the privacy implications, and the burden of managing an extra account, and this is fine.
What Data to Fill In
If you decided that you need to create an account, the next question you need to ask yourself is how to fill in the various fields required. At this point, you want to decide which fields you want to answer truthfully. A couple of examples:
- If you register a new bank account and provide false information, you are probably committing a couple of felonies that can have bad consequences
- If you subscribe to insurance, fill in wrong information, and have an accident, they might be able to avoid compensating you
- If you book a restaurant, your name and such don't matter, but if you fill in a wrong phone number and they try to call you, you can say goodbye to your reservation. Also, a wrong phone number can have a handful of bad consequences with services that allow resetting passwords via SMS: whoever actually holds that number receives your reset codes
Basically, what you want to ask yourself is "What is the service potentially going to do with this information, and what are the consequences if I give something false?", and from there, choose what you want to do. Also, don't volunteer information when it is not needed. If the website allows filling a phone number but doesn't make it mandatory, then don't give one.
If you are going to fill in incorrect data, the goal is to not draw attention to yourself. For example:
- Don't fill your name as "John Smith" or "Jane Doe". Try to find something common, but not obviously fake
- If you need to fill in a physical address that you know will not be used, use a real address but put an apartment number that doesn't exist. Depending on the use case, just filling in trash (e.g. 00000 as a ZIP code) is fine as well.
Finally, be aware that the data you fill in might allow someone to track you by making connections between your different accounts, for example through your email address. To avoid that, here are some things to consider and strategies that you can use (email address management, identity management and such are big enough topics to deserve a dedicated article; maybe I will write it in the future):
- Try to use a unique email address each time you have to give one
- It is not realistic to give a different phone number each time, but you could create some VoIP ones, and make groups. For example, you use number A for deliveries, number B for important things such as your banks, number C for things not related to your address/real name, such as restaurant bookings
- A lot of services offer to let you log in using a third party, such as Google or your Apple ID. You should avoid it, not only because of privacy issues but also because losing access to your Google account will mean losing access to a bunch of other accounts
- Data as simple as a profile picture can be used to find other accounts that you own
Monitoring and Record Management
Once you have created your account, you should properly record it in a password manager. Not only because that's good practice as far as security is concerned, but also because it will allow you to monitor to whom you gave what information.
One thing that I personally do is create tags for the different addresses and phone numbers that I use (in addition to categories depending on the identity). Each time I use one of them with an account, I add the tag to its entry. This allows me to:
- Know what identifiable information I gave to a service, so if it is hacked, I know that this information is available in the wild
- If I change phone numbers or such, I know what account I need to update
- I know what accounts can be linked together by a third party
In addition to the tags, I have another field to enter the planned expiration date. I often review my accounts ordered by this field to find the accounts I want to remove. We will discuss some good practices for account removal in the next part, but my point is that you should always try to remove your accounts when they become useless, or even, depending on the account, regularly, to avoid storing too much data in them (for example, if you use Uber Eats, creating a new account each time you move is a good idea). This way, you reduce your personal information exposure.
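As an added illustration of the tagging scheme described above (not code from the original article), here is a small Python model of such an inventory: each account carries tags naming the identifiers (email, phone, address) it was given plus a planned expiration date, and the helper functions answer the three questions listed above and the expiration review. The services, tag names and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass
class Account:
    service: str                      # hypothetical service name
    identity: str                     # which persona the account belongs to
    tags: FrozenSet[str]              # identifiers handed to the service
    expires: Optional[date] = None    # planned removal date, if any


# Constructed sample inventory (not real accounts): phone A for deliveries,
# B for important things, C for bookings, following the grouping above.
ACCOUNTS: List[Account] = [
    Account("bank", "real", frozenset({"phone:B", "addr:home", "mail:bank"})),
    Account("insurance", "real", frozenset({"phone:B", "addr:home", "mail:ins"})),
    Account("food-delivery", "real", frozenset({"phone:A", "addr:home", "mail:fd"}),
            date(2023, 6, 1)),
    Account("restaurant", "alias", frozenset({"phone:C", "mail:resto"}),
            date(2022, 12, 31)),
    Account("forum", "alias", frozenset({"phone:C", "mail:forum"})),
]


def exposed_by_breach(accounts: List[Account], service: str) -> Set[str]:
    """Identifiers that are 'in the wild' once `service` is breached."""
    return set().union(*(a.tags for a in accounts if a.service == service))


def needs_update(accounts: List[Account], tag: str) -> List[str]:
    """Services to update when an identifier (e.g. a phone number) changes."""
    return sorted(a.service for a in accounts if tag in a.tags)


def linkable(accounts: List[Account]) -> Set[Tuple[str, str]]:
    """Pairs of accounts a third party could tie together via a shared identifier."""
    pairs = set()
    for i, a in enumerate(accounts):
        for b in accounts[i + 1:]:
            if a.tags & b.tags:
                pairs.add((a.service, b.service))
    return pairs


def due_for_removal(accounts: List[Account], today: date) -> List[str]:
    """Accounts whose planned expiration date has passed."""
    return sorted(a.service for a in accounts if a.expires and a.expires <= today)
```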
Finally, and I won't go into details in this article, you might also want to consider using services such as haveibeenpwned, and regularly Googling yourself, to check which of your private information can be found online.
This part could also have its dedicated article because there are a lot of things to say, but I will try to summarise the most important points.
These days, thanks to GDPR and similar laws, a lot of websites offer an option to remove your account by yourself, or at least an email address to contact to ask for the removal. This is good, but not always perfect. For example:
- Some forums will remove your account, but they will not remove your posts. Instead, they will only show them as posted by "Anonymous" or something similar, but if the posts contained PII, the PII will still be there
- Some websites will technically only disable your account, so it isn't visible to users, but the information is still in the database
- Some information (related to billing mostly) must legally be kept to comply with the law, so it will not be possible to have these removed
All of this is to say that when you remove an account, you should try as much as possible to remove your data by yourself first. Edit and then delete your posts manually, enter a fake phone number, change your nickname, ... and only then delete the account.
Sometimes, it is hard to know where to go to have your information deleted. These two websites list the procedures for a good number of online services: