
Ask HN: Is there any point in trying to clear your online footprint - xupybd
I&#x27;m starting to get worried about online privacy. I&#x27;d like try and remove some of my online identity. I&#x27;m not sure if there is any point. My plan is to shutdown all social media accounts and email. Re-opening new more anonymous ones.<p>Is this going to actually do anything or will Google and other marketers figure out I&#x27;m the same person and I&#x27;ll be tracked all the same?<p>My concern comes from tools like this https:&#x2F;&#x2F;github.com&#x2F;Greenwolf&#x2F;social_mapper. Given this sort of thing it seems too easy for online blackmail&#x2F;extortion scams to get hold of my information.
======
asdfasgasdgasdg
I have successfully done this, so you probably can too. Some things are hard
to get rid of, and someone who already knows my identity could probably at
least find my github. But nobody is going to be able to link my full name to
any of my current accounts without a fair bit of biographical information. On
the main sites (Facebook, Twitter, etc.) it's very easy to make all your data
private, or to just share with friends.

Nowadays I try to follow the practice I have on this site of using an entirely
meaningless username. Like passwords, I don't reuse, and so the links between
sites become even more tenuous.

Now, someone might still be able to link this account to my real identity if
they had a lot of writing samples of mine, but at some point you have to
consider the threat model. I'm no one important. There isn't a foreseeable
circumstance where someone would want to link my accounts on various social
media sites, and even if they did, in the worst case scenario it would be
mildly embarrassing. So, for example, I haven't yet deleted my github, even
though you could probably find it if you knew my name or email address.

Now, I'm most interested in hiding my identity from natural people. But it
sounds like you have different concerns. I think it's almost impossible to
hide your identity from corporations, supposing they are motivated to link you
to your economic identity. The credit card companies, phone companies, and
retail companies are all building dossiers. And your economic identity is
basically impossible to unlink from your private identity, unlike non-economic
website accounts. Google should be the least of your worries on that front.

~~~
rewq4321
Might be worth using a more "normal" username. There's probably more
information in a name like the one you've chosen since most people don't
choose usernames like that. Probably an over-optimisation for the average
person but it sounds like you're trying to decorrelate your accounts.

~~~
asdfasgasdgasdg
You're right, as far as it goes. To be optimal, it might be good to pick from
a certain class of common username (different on each site) and use that. For
example, maybe I could be "cardinals59" on one site and "I|1II||1II" on
another site.

However, that would offer limited anonymity benefit. With the full firehose of
Reddit and HN data, you could probably correlate my accounts on each site to a
moderate degree of confidence just by when I post. But, I'm not too worried
about that, as long as a third party can't easily link that to my real life
identity. And you can see by my post history that even in that case, I'm not
trying to make it impossible. Just difficult for the casual harasser. With
access to the biographical information I've posted on this account, you could
probably guess my employer. With access to that entity's internal databases,
you could probably narrow me down to one of about 5k people. With access to
other information I've posted and public records, you could probably narrow
down to one of hundreds of people. Maybe if you had a lot of skill you could
do more.

But, why? It's all about risk management. As long as it's hard enough to do
that it's lower than other risks I face, I'm fine. If I were higher profile
(e.g. if I were an SVP at my employer, or were likely to become one someday),
I might be even more discreet. It would be most sensible not to post at all in
that case. But I'll probably never be that important, and that's how I like
it. As it is, the risk of my online identity being used to hurt me is (I
estimate) lower than the risk of being killed in a traffic accident. I don't
worry too much about the latter risk, so I really shouldn't worry much about
the former.

For me, it's good enough that if you Google for my full name, you don't see
me. Even if you google my name + employer, or my name + hometown or current
location, you can't find any information on me. That's the extent of the
threat model I'm trying to actively defend.

------
distant_hat
Unless there is something unique about you I don't see the point and it's a
lot of work. The other way to approach this would be to craft the persona you
want to show. Strategically, use information you would like to be public to
build a profile that you'd like others to see, do other stuff in protected
ways so they don't affect your public persona. Be the Grey Man [1].

[1] [https://www.ribbonfarm.com/2018/02/01/dont-be-the-gray-
man/](https://www.ribbonfarm.com/2018/02/01/dont-be-the-gray-man/)

~~~
lm28469
> The other way to approach this would be to craft the persona you want to
> show. Strategically, use information you would like to be public to build a
> profile that you'd like others to see

Isn't that what everyone is doing though ?

~~~
distant_hat
Unconsciously, yes. You could be more strategic about it.

------
ufmace
Well it couldn't hurt. It depends more on what specific threats you are
worried about though.

It's not too tough to drastically limit the amount of information that any
non-privileged people online can find about you. Just make sure all accounts
are either deleted, or locked so that only approved people can see any info.
Post few to no pictures, and no job info. If you really want an account on
some service, start a new one with a fake name that you haven't used anywhere
else before. Don't link any accounts to any other accounts on other services.

Highly privileged people are a different matter. Meaning police/government
investigators and any internal investigators or algorithms at any of the big
tech companies. It's much harder to really be private from them. Doing all of
the above, plus being super-vigilant about only accessing new accounts from
VPN or Tor, and never doing anything that could associate it with your old
account. May require separate hardware to have a decent shot.

~~~
xupybd
My specific worry is that given a little information about me a criminal could
access enough information to do me harm.

We live in a time where decades old tweets get celebrities in trouble. Who
knows what opinions I hold now will be considered taboo in 20 years time?

I get regular calls from scammers trying to tell me to invest in online
trading or that my internet connection has been compromised. As poor parts of
the world come online it's only natural they would find ways to extract money
from the wealthier parts. There is often little ability and incentive for
these countries to police such activities.

As it stands my details are out there an public and there are more and more
ways people are finding to abuse this information.

Google knows every website I've visited. Facebook knows every ex I've looked
up in a moment of weakness. All of this is on stored and could be used against
me. Once the minor details of our pasts were forgotten, this is no longer the
case and as I'm getting older I feel less and less comfortable about this.

I've made mistakes, said things I'm not proud of, I'd like to avoid being tied
to my online past.

With the growing ability of facial recognition system I fear any online
service that knows my face will easily be tied to me in real life. All a
malicious actors will need is a camera and a system to scrap public facing
systems for my data.

------
mirimir
What's out there is no longer under your control. It's best to just forget
about it. Better than shutting accounts down, just stop using them.

And yes, create new ~anonymous accounts. But here's the thing. If you just use
the same social media with the same peers about the same topics, they'll
figure it out.

To my family and friends, I'm that guy who burned out on the online world. I'm
just gone. And I'm only reachable via old school channels.

None of them know about Mirimir. And nobody who knows me as Mirimir knows
anything specific about my meatspace life.

Basically just work in VMs, and use VPNs and Tor. And remember the first rule
of Fight Club.

~~~
tunesmith
Can you expand on "just work in VMs"? I've wondered before if, for instance on
my mac laptop, if I could have multiple VMs of my same mac OS. But it sounds
really complicated and I doubt it'd be able to "reach through" the vm boundary
to use my peripherals.

~~~
mirimir
As much as I'm impressed with Apple's public stance about privacy, I don't
recommend using your current setup for establishing ~anonymous personas. It's
just too connected to "you".

I run VMs on VirtualBox in Linux. Mostly Linux VMs. And I use nested VPN
chains, implemented using virtual networks of pfSense VMs as VPN-gateway
routers.[0] That guide is pretty old, but the basics are still OK. Specifics
about pfSense configuration etc have changed a little.

You could probably do pretty much the same thing in MacOS. But I don't know
for sure. I have some vague memories about VM sluggishness in MacOS, but I
could be misremembering.

One cool think about Apple is that their online store is privacy-friendly.
Just for fun, I managed to create a persona with an Apple account, funded
through Bitcoin giftcards. And I managed to buy software for a Hackintosh VM.

0) [https://www.ivpn.net/privacy-guides/advanced-privacy-and-
ano...](https://www.ivpn.net/privacy-guides/advanced-privacy-and-anonymity-
part-1)

Edit: The most secure way I know is using Qubes. But that may be more than you
need. Unless you're already a target. Or you work with malware, or with people
who work with malware, and/or are into exploits.

~~~
marmaduke
Do you firewell VirtualBox telemetry? I have read multiple times (on HN) that
VBox phones home. It just doesn't strike me as the privacy oriented VM
solution.

KVM (or perhaps virt-manager on top of KVM) seems more appropriate.

~~~
mirimir
Thanks, I hadn't heard that. I'll look into it.

I'm not too worried. I do firewall everything that's not necessary, at every
level. That is, the host machine runs a VPN client, and iptables only allows
traffic to the VPN server. So any VirtualBox traffic is using that VPN
service.

All of the pfSense VMs in my nested VPN chains have pf rules that do the same.
And I doubt that VirtualBox would be routing traffic through them. But I'll
check.

I'll probably use KVM for my next VM host. The tools have improved a lot in
recent years. And I've become a lot more comfortable managing stuff in
terminal.

------
wittyusername
I did a big project to remove myself. It’s a slog. You do a ton of passes,
each time you get a little more and escalate your approach with lazy vendors.
GPDR can help on the last couple of ones. There are 1-2 spots that I can’t
ever remove, public records etc. But generally now the bottom line is if you
google my name, no pictures come up, no articles about me come up on page 1.
I’m just looking to be incredibly unremarkable to a quick google search of a
kidnapper, hotel staff selling the names of guests to criminals, etc.

~~~
1123581321
I had a similar experience, going from about a hundred results for my name,
and showing up before many other people with the same name, to just a handful
spread among the first 10 pages of search results. The last 10 or so took some
persistent emailing and calling.

It’s beneficial for the same reason a cheap Home Depot door lock is worth
installing; it stops a lot of casual prying.

~~~
xupybd
Any tips on how to do this?

~~~
1123581321
Just set aside time. I got about a dozen listings claimed and/or taken down in
an afternoon and did a couple more followup rounds. I wrote a couple of DMCA
takedown requests, which took a bit of time to be sure I was communicating
effectively. LinkedIn took awhile as I had an interest in maintaining my
profile with the right level of privacy, requiring some writing work. After
search results update, you’ll probably find new listings to investigate that
weren’t ranking highly before. Like wittyusername said, it takes multiple
passes. Also, don’t forget to check Internet Archive results. And don’t be
afraid to use the phone; a couple of sites were more reachable that way.

------
pengo
You'd be better off obfuscating your existing online data by adding much
larger amounts of random rubbish to it. There are browser plugins for that.

~~~
AdamJacobMuller
> There are browser plugins for that.

Examples?

~~~
chungus_khan
[https://adnauseam.io/](https://adnauseam.io/) is an adblocker that "clicks"
on every ad (without actually doing so). Notable certification that it works
is that Google removed the Chrome version from the store.

------
gtirloni
Short of getting a new identity in the real world and start from scratch whole
being very careful, I think erasing yourself is going to be really hard
because there are no guarantees that your data will actually be removed.

~~~
rajeshmr
Exactly! Once you leave an online trail, its hard to undo.

~~~
Tempest1981
Like a digital tattoo. That's what they're teaching kids at some schools:
[http://www.mydigitaltat2.org/](http://www.mydigitaltat2.org/)

------
sellingwebsite
i have done that in the past. In fact, this is one of those anonymous accounts
which I ocassionally use.

some data mining companies were quite stubborn in removing my data even though
they had instructions on their website on how to request a removal. Once I
brought up COPPA they immediately complied with my request. This is
ridiculous. I should not resort to such moves to remove data that should not
be there in the first place

if you are interested in clearing your footprint take a look at this site:
[https://inteltechniques.com/index.html](https://inteltechniques.com/index.html)

they host a weekly podcast where they discuss all things privacy including how
to remove your data from the net and how to do it the right way. They also
used to have list of links where you could go one by one and request opt-out
but cant find it right now.

one note of caution. Your anon identity can be traced back to you by your
writing patterns. There was a ddiscussion on hn about it some time ago. I
think about it just as I type ...

------
PinkMilkshake
I do it. It's almost impossible to find anything about me online, even if you
know quite a bit about me already.

Maybe one day you'll say something on twitter that offends a mob. Then they'll
trawl through your entire internet history to find some post you made when you
were 15 and expressed a dumb view you haven't held for 20 years.

------
sigsergv
Clearing footprint IS a footprint. The best strategy — a lot of
fake/irrelevant information and data.

------
factorialboy
Some argue that it's better to obfuscate and muddle the waters because wiping
off one's footprint entirely is nearly impossible.

------
eswat
First, review your threat model [0].

Then I recommend this podcast [1] for some ideas on how to scrub yourself from
the internet. Realistically you’re not going to be able to remove anything
close to all your footprints, but things like using GDPR can help.

The amount of information on you also depends on the country you reside in. I
think Americans in particular will have a tough time due to the number of
people search websites and a laissez-faire attitude towards selling PII that
IMHO should not be sold (DMV and voting data)

[0] [https://ssd.eff.org/en/module/your-security-
plan](https://ssd.eff.org/en/module/your-security-plan)

[1]
[https://inteltechniques.com/podcast.html](https://inteltechniques.com/podcast.html)

