Ask HN: Is there any point in trying to clear your online footprint
61 points by xupybd on Sept 16, 2019 | 34 comments
I'm starting to get worried about online privacy. I'd like to try and remove some of my online identity. I'm not sure if there is any point. My plan is to shut down all social media accounts and email, re-opening new, more anonymous ones.

Is this going to actually do anything or will Google and other marketers figure out I'm the same person and I'll be tracked all the same?

My concern comes from tools like this https://github.com/Greenwolf/social_mapper. Given this sort of thing it seems too easy for online blackmail/extortion scams to get hold of my information.

I have successfully done this, so you probably can too. Some things are hard to get rid of, and someone who already knows my identity could probably at least find my github. But nobody is going to be able to link my full name to any of my current accounts without a fair bit of biographical information. On the main sites (Facebook, Twitter, etc.) it's very easy to make all your data private, or to just share with friends.

Nowadays I try to follow the practice I have on this site of using an entirely meaningless username. Like passwords, I don't reuse, and so the links between sites become even more tenuous.

Now, someone might still be able to link this account to my real identity if they had a lot of writing samples of mine, but at some point you have to consider the threat model. I'm no one important. There isn't a foreseeable circumstance where someone would want to link my accounts on various social media sites, and even if they did, in the worst case scenario it would be mildly embarrassing. So, for example, I haven't yet deleted my github, even though you could probably find it if you knew my name or email address.

Now, I'm most interested in hiding my identity from natural people. But it sounds like you have different concerns. I think it's almost impossible to hide your identity from corporations, supposing they are motivated to link you to your economic identity. The credit card companies, phone companies, and retail companies are all building dossiers. And your economic identity is basically impossible to unlink from your private identity, unlike non-economic website accounts. Google should be the least of your worries on that front.

Might be worth using a more "normal" username. There's probably more information in a name like the one you've chosen since most people don't choose usernames like that. Probably an over-optimisation for the average person but it sounds like you're trying to decorrelate your accounts.

You're right, as far as it goes. To be optimal, it might be good to pick from a certain class of common username (different on each site) and use that. For example, maybe I could be "cardinals59" on one site and "I|1II||1II" on another site.

However, that would offer limited anonymity benefit. With the full firehose of Reddit and HN data, you could probably correlate my accounts on each site to a moderate degree of confidence just by when I post. But, I'm not too worried about that, as long as a third party can't easily link that to my real life identity. And you can see by my post history that even in that case, I'm not trying to make it impossible. Just difficult for the casual harasser. With access to the biographical information I've posted on this account, you could probably guess my employer. With access to that entity's internal databases, you could probably narrow me down to one of about 5k people. With access to other information I've posted and public records, you could probably narrow down to one of hundreds of people. Maybe if you had a lot of skill you could do more.

But, why? It's all about risk management. As long as it's hard enough to do that it's lower than other risks I face, I'm fine. If I were higher profile (e.g. if I were an SVP at my employer, or were likely to become one someday), I might be even more discreet. It would be most sensible not to post at all in that case. But I'll probably never be that important, and that's how I like it. As it is, the risk of my online identity being used to hurt me is (I estimate) lower than the risk of being killed in a traffic accident. I don't worry too much about the latter risk, so I really shouldn't worry much about the former.

For me, it's good enough that if you Google for my full name, you don't see me. Even if you google my name + employer, or my name + hometown or current location, you can't find any information on me. That's the extent of the threat model I'm trying to actively defend.

Correlating accounts is fine so long as they can't link that to a person.

Personally I limit what information I post but don't try to completely hide myself.

To hide you need to look like everyone else.

> I think it's almost impossible to hide your identity from corporations, supposing they are motivated to link you to your economic identity.

I agree that it's very difficult to hide meatspace personas that use corporate services. Basically because corporations are not at all friendly to ~anonymity. I mean KYC, for example.

You have a chance if you pose as someone with a horrible credit record. Who doesn't have bank accounts etc., and uses cash for everything. But even then, there are so many ways to get linked.

Online, however, it's possible to be as anonymous as you like, and not at all linked to anything in meatspace.

Have you checked how much info can be found by just googling your first and last name in quotes? For many people their home address will show up thanks to whitePages.

Hrmph. I had done this search before and nothing came up, but when you know what city I live in you can find my address. That is annoying. Next time I buy a house I'm using a trust.

Unless there is something unique about you I don't see the point and it's a lot of work. The other way to approach this would be to craft the persona you want to show. Strategically, use information you would like to be public to build a profile that you'd like others to see, do other stuff in protected ways so they don't affect your public persona. Be the Grey Man [1].

[1] https://www.ribbonfarm.com/2018/02/01/dont-be-the-gray-man/

> The other way to approach this would be to craft the persona you want to show. Strategically, use information you would like to be public to build a profile that you'd like others to see

Isn't that what everyone is doing though?

Unconsciously, yes. You could be more strategic about it.

Well it couldn't hurt. It depends more on what specific threats you are worried about though.

It's not too tough to drastically limit the amount of information that any non-privileged people online can find about you. Just make sure all accounts are either deleted, or locked so that only approved people can see any info. Post few to no pictures, and no job info. If you really want an account on some service, start a new one with a fake name that you haven't used anywhere else before. Don't link any accounts to any other accounts on other services.

Highly privileged people are a different matter. Meaning police/government investigators and any internal investigators or algorithms at any of the big tech companies. It's much harder to really be private from them. Doing all of the above, plus being super-vigilant about only accessing new accounts from VPN or Tor, and never doing anything that could associate it with your old account. May require separate hardware to have a decent shot.

My specific worry is that given a little information about me a criminal could access enough information to do me harm.

We live in a time where decades old tweets get celebrities in trouble. Who knows what opinions I hold now will be considered taboo in 20 years time?

I get regular calls from scammers trying to tell me to invest in online trading or that my internet connection has been compromised. As poor parts of the world come online it's only natural they would find ways to extract money from the wealthier parts. There is often little ability and incentive for these countries to police such activities.

As it stands my details are out there and public and there are more and more ways people are finding to abuse this information.

Google knows every website I've visited. Facebook knows every ex I've looked up in a moment of weakness. All of this is stored and could be used against me. Once the minor details of our pasts were forgotten; this is no longer the case, and as I'm getting older I feel less and less comfortable about this.

I've made mistakes, said things I'm not proud of, I'd like to avoid being tied to my online past.

With the growing ability of facial recognition systems I fear any online service that knows my face will easily be tied to me in real life. All a malicious actor will need is a camera and a system to scrape public facing systems for my data.

What's out there is no longer under your control. It's best to just forget about it. Better than shutting accounts down, just stop using them.

And yes, create new ~anonymous accounts. But here's the thing. If you just use the same social media with the same peers about the same topics, they'll figure it out.

To my family and friends, I'm that guy who burned out on the online world. I'm just gone. And I'm only reachable via old school channels.

None of them know about Mirimir. And nobody who knows me as Mirimir knows anything specific about my meatspace life.

Basically just work in VMs, and use VPNs and Tor. And remember the first rule of Fight Club.

Can you expand on "just work in VMs"? I've wondered before if, for instance on my mac laptop, I could have multiple VMs of my same mac OS. But it sounds really complicated and I doubt it'd be able to "reach through" the VM boundary to use my peripherals.

As much as I'm impressed with Apple's public stance about privacy, I don't recommend using your current setup for establishing ~anonymous personas. It's just too connected to "you".

I run VMs on VirtualBox in Linux. Mostly Linux VMs. And I use nested VPN chains, implemented using virtual networks of pfSense VMs as VPN-gateway routers.[0] That guide is pretty old, but the basics are still OK. Specifics about pfSense configuration etc have changed a little.

You could probably do pretty much the same thing in MacOS. But I don't know for sure. I have some vague memories about VM sluggishness in MacOS, but I could be misremembering.

One cool thing about Apple is that their online store is privacy-friendly. Just for fun, I managed to create a persona with an Apple account, funded through Bitcoin giftcards. And I managed to buy software for a Hackintosh VM.

0) https://www.ivpn.net/privacy-guides/advanced-privacy-and-ano...

Edit: The most secure way I know is using Qubes. But that may be more than you need. Unless you're already a target. Or you work with malware, or with people who work with malware, and/or are into exploits.

Do you firewall VirtualBox telemetry? I have read multiple times (on HN) that VBox phones home. It just doesn't strike me as the privacy oriented VM solution.

KVM (or perhaps virt-manager on top of KVM) seems more appropriate.

Thanks, I hadn't heard that. I'll look into it.

I'm not too worried. I do firewall everything that's not necessary, at every level. That is, the host machine runs a VPN client, and iptables only allows traffic to the VPN server. So any VirtualBox traffic is using that VPN service.

All of the pfSense VMs in my nested VPN chains have pf rules that do the same. And I doubt that VirtualBox would be routing traffic through them. But I'll check.

I'll probably use KVM for my next VM host. The tools have improved a lot in recent years. And I've become a lot more comfortable managing stuff in terminal.
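
The host-level setup described in the comment above (a VPN client on the host, with iptables allowing traffic only to the VPN server), as an added example that is not part of the thread or any commenter's own configuration. The helper name `vpn_killswitch_rules`, the server address, port, protocol and `tun0` interface are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): print an iptables-restore ruleset for a
# host that may only reach one VPN server; everything else is dropped.
# vpn_killswitch_rules is a hypothetical helper; all arguments are assumptions.
# Usage: vpn_killswitch_rules SERVER_IPV4 PORT PROTO TUN_IF
vpn_killswitch_rules() {
    server=$1 port=$2 proto=$3 tun=$4

    # Literal IPv4 only: a hostname would need DNS outside the tunnel.
    case $server in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $server
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done

    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    case $proto in udp|tcp) ;; *) return 1 ;; esac
    case $tun in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac

    # Default-deny on all chains; FORWARD stays closed on a non-router host.
    # IPv6 is not covered here and needs an equivalent ip6tables policy.
    # DHCP on the physical link is also blocked (assumes static addressing).
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d $server/32 -p $proto --dport $port -j ACCEPT
-A INPUT -s $server/32 -p $proto --sport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o $tun -j ACCEPT
-A INPUT -i $tun -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Constructed sample values (203.0.113.0/24 is a documentation range):
#   vpn_killswitch_rules 203.0.113.10 1194 udp tun0 | iptables-restore
```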

I think OP is saying “just use VMs” as a metaphor for segregating your identity across multiple services. But literally using VMs could make fingerprinting easier or harder.

No, I mean using a separate VM for each persona. And if it really matters, different hardware. The goal is preventing all cross-talk between personas. That is, compartmentalization.

Edit: Now that I think of it, I basically use VMs like applications. On a machine with SSDs, Linux VMs come up in just a few seconds.

I did a big project to remove myself. It’s a slog. You do a ton of passes, each time you get a little more and escalate your approach with lazy vendors. GDPR can help on the last couple of ones. There are 1-2 spots that I can’t ever remove, public records etc. But generally now the bottom line is if you google my name, no pictures come up, no articles about me come up on page 1. I’m just looking to be incredibly unremarkable to a quick google search of a kidnapper, hotel staff selling the names of guests to criminals, etc.

I had a similar experience, going from about a hundred results for my name, and showing up before many other people with the same name, to just a handful spread among the first 10 pages of search results. The last 10 or so took some persistent emailing and calling.

It’s beneficial for the same reason a cheap Home Depot door lock is worth installing; it stops a lot of casual prying.

Any tips on how to do this?

Just set aside time. I got about a dozen listings claimed and/or taken down in an afternoon and did a couple more followup rounds. I wrote a couple of DMCA takedown requests, which took a bit of time to be sure I was communicating effectively. LinkedIn took a while as I had an interest in maintaining my profile with the right level of privacy, requiring some writing work. After search results update, you’ll probably find new listings to investigate that weren’t ranking highly before. Like wittyusername said, it takes multiple passes. Also, don’t forget to check Internet Archive results. And don’t be afraid to use the phone; a couple of sites were more reachable that way.

You'd be better off obfuscating your existing online data by adding much larger amounts of random rubbish to it. There are browser plugins for that.

> There are browser plugins for that.


https://adnauseam.io/ is an adblocker that "clicks" on every ad (without actually doing so). Notable certification that it works is that Google removed the Chrome version from the store.

Short of getting a new identity in the real world and starting from scratch while being very careful, I think erasing yourself is going to be really hard because there are no guarantees that your data will actually be removed.

Exactly! Once you leave an online trail, it's hard to undo.

Like a digital tattoo. That's what they're teaching kids at some schools: http://www.mydigitaltat2.org/

I have done that in the past. In fact, this is one of those anonymous accounts which I occasionally use.

Some data mining companies were quite stubborn in removing my data even though they had instructions on their website on how to request a removal. Once I brought up COPPA they immediately complied with my request. This is ridiculous. I should not resort to such moves to remove data that should not be there in the first place.

If you are interested in clearing your footprint take a look at this site: https://inteltechniques.com/index.html

They host a weekly podcast where they discuss all things privacy including how to remove your data from the net and how to do it the right way. They also used to have a list of links where you could go one by one and request opt-out but I can't find it right now.

One note of caution. Your anon identity can be traced back to you by your writing patterns. There was a discussion on HN about it some time ago. I think about it just as I type ...

I do it. It's almost impossible to find anything about me online, even if you know quite a bit about me already.

Maybe one day you'll say something on twitter that offends a mob. Then they'll trawl through your entire internet history to find some post you made when you were 15 and expressed a dumb view you haven't held for 20 years.

Clearing footprint IS a footprint. The best strategy — a lot of fake/irrelevant information and data.

Some argue that it's better to obfuscate and muddle the waters because wiping off one's footprint entirely is nearly impossible.

First, review your threat model [0].

Then I recommend this podcast [1] for some ideas on how to scrub yourself from the internet. Realistically you’re not going to be able to remove anything close to all your footprints, but things like using GDPR can help.

The amount of information on you also depends on the country you reside in. I think Americans in particular will have a tough time due to the number of people search websites and a laissez-faire attitude towards selling PII that IMHO should not be sold (DMV and voting data).

[0] https://ssd.eff.org/en/module/your-security-plan

[1] https://inteltechniques.com/podcast.html
