Protecting Your Secret Identity: Everyday Privacy

Let’s talk about Wonder Woman and Diana Prince for a minute. Pretty much every comics geek has asked the same question since the character’s inception: “How is it that no one realizes that she’s just wearing a pair of glasses to hide her identity?”

If you think about it, the answer is really about misdirection and privacy. Wonder Woman consistently misdirects people about her true identity, and she never (or rarely) shares information that could be used to link her to her alter ego.

In the real world, that level of misdirection and privacy is incredibly important to our daily lives, especially when we share information on the internet or through applications. The more you do online, the more information you leave behind. This information, your digital footprint, is a way that people who wish you harm can track you down to your real, in-person, identity.

While it may feel hopeless if your data has already been stolen in a data breach, reducing your digital footprint is the online version of those Diana Prince glasses. To be a data superhero, you don’t need a lot of fancy tools, you just need a little information and some time.

Know Your Threat Model: Who Should Know Your Alter Ego?

Just like Wonder Woman or Superman, you don’t want everyone on the planet to know who you really are or to track you down. First, that’s creepy. Second, it could be dangerous. However, what you consider dangerous may be different from someone else.

Your threat model is basically a list of the bad things that can happen to you in person or online. Everyone has a different threat model and a different risk tolerance, even if some of the potentially bad things would overlap.

Consider the following examples:

• A woman being stalked: a violent partner or ex-partner finding her home.
• A journalist: an anonymous contact being traced
• A teenager posting on social media: cyberbullying over their fit

While these examples may seem too different from each other, they’re an excellent example of the different threat models that people face.

In the technology world, threat modeling is a system for identifying bad things and finding ways to fix them. It typically asks the following four questions:

• What are we working on? 
• What can go wrong?
• What can we do about it?
• How well did we do?

What are we working on? Protecting Personal Information

Where everyone knows who Wonder Woman and Superman are, most of the people in the comics don’t know their alter egos, Diana Prince and Clark Kent. Online, your personal information is anything that can identify who you are in the physical world. Some examples of personal information are things you’ve probably already received a data breach notification about:

• Home address
• Birthday
• Social security number
• Health insurance information

We all have personal information floating around on the internet. We know about some of it because we put it there, like social media accounts or healthcare provider portals. We don’t know about some of it because we didn’t put it there, like those people finder websites. Some threats come from sharing information with people while you were friends with them, only to have them use it against you, like sharing photos sent to a partner.

You can’t control the data that you don’t know about.

To figure out how much information is available on the internet, also called your digital footprint, you may can start by:

• Creating a list of all social media accounts you know about 
• Googling yourself to see what’s out there that you don’t remember
• Looking through social media accounts to see what they’re sharing with other companies (Did you use your Facebook as a login to some game app?)
• Reviewing any Google or Microsoft accounts you have to see what they’re sharing

What can go wrong? Listing the threats 

So, the first thing we need to do is identify all the different potential threats that come from having our data out in the wide world of the internet. For Superman and Wonder Woman, the threat is people finding out who they really are. Many of the side plots involve their covers almost being blown, adding to the tension.

In your world, you need to think about the different ways that your “digital alter ego” could be compromised in a way that can cause you harm, either personal or financial.

Some threats to consider might include:

• Identity theft when a cybercriminal steals data
• Someone searching through your data to find you in real life
• Someone sharing pictures without your consent
• Someone sharing all your information on the internet with the intent to cause physical or cyber harm (also called doxxing)
• Account takeover, when someone steals login information to use an online account like social media or payment app

You can find a more detailed list of threats and more threat modeling discussion here.

Once you list all the different threats, you can start organizing them based on how harmful they would be if they really happened. To use the original examples, a woman worried about a violent ex-partner might find having her physical address identified as much more harmful than a teenager posting a fit pic to the ‘Gram.

Just like the threats facing everyone are different, the harm that they have are different.

What are we going to do? Actions that remove threats or reduce impact

Our superheroes spend a lot of time hiding behind walls or quick-changing in telephone booths. In the digital world, you want to do something similar to prevent people you don’t know from figuring out your real identity.

Taking control over your information isn’t easy, and the process can feel really overwhelming. If you start by looking at the bad things that would cause the most harm, you can group the activities more easily.

Physical

If you’re worried that someone can use your information to hurt you in person, then some steps you can take include:

• Opt out of having your data shared
• Ask to have data removed from “people finder” sites
• Look for any websites you own that might have information about your physical location
• See what’s available through public records so you know what’s there
• Look through social media accounts to see where you’ve tagged locations near your home

While you can’t ask to have public records deleted (like property records), you can ask to be removed from data sharing sites. If you want some more detailed resources, you can read this blog post.

Social Media

The list of actions to help you protect against digital harm gets a lot longer. Since this can get overwhelming really fast, let’s break this up into a few different categories.

First up, we can look at the things you can do to get rid of your social media accounts. Some of these steps include:

• Downloading all information you shared on all the different social media websites. This primer can help you with that.
• Review and delete any websites or applications that you don’t want to use your social media as a login for anymore. This primer can help you find those. 
• Delete your social media accounts if you don’t trust the companies that run them to protect your information. This primer can help you with that. 

If your threat model means you want or need to keep your social media accounts, you can still reduce the amount of information out there for everyone to see. Some actions you can take include:

• Taking down photos that have your face
• Removing any indication of where you live – even if that means taking down a lot of posts 
• Looking at photos to see if they have location identifiers that someone can use, like landmarks near your home that would be easily identifiable and traced
• Reviewing all the connections or followers you have to make sure you can verify them as either real people or people you know in real life
• Reviewing your privacy settings to control who sees your posts
• Remove any personal information, like your birthday, email address, or even your real name

The less information you have on the internet, the less likely you are to have your information stolen or someone finding you.

After limiting the information you already shared, you can take the following steps to keep protecting yourself:

• Only share vacation photos after you get home 
• Share as few selfies as possible
• Review any new friend requests and accept them (even on LinkedIn!) after looking into the account
• Announce life events after they happen so no one can trace things like birth or marriage certificates to an actual date
• Use a separate email for account logins, one that isn’t your regular, everyday email
• Create a fake birthday for everything from gaming accounts to the Starbucks app (you can still get that birthday cup of caffeine but they don’t need to know the real day)

Account Information

The biggest problem a lot of people face is that protecting information takes energy. Everything that helps keep information private means doing extra work and knowing how to do the extra work.

Some of the things you can do to protect your accounts include:

• Creating a special email that’s just used to log into apps that isn’t your personal one 
• Using a single sign-on when possible, like using a Google account to log into apps 
• Using multi-factor authentication, like requiring the app to send a code before letting you log in
• Getting a password manager so you can make a new password for every account, like LastPass, Bitwarden, or 1Password
• Keeping your passwords to yourself and not sharing them, even when you really want to
• Checking out Have I Been Pwned to find any passwords or account information that has been stolen in a data breach

Conversations and Documents

Depending on what you’re talking about and what documents you’re storing online, you can also take a few more steps to keep the wrong people from finding them. The more important your information is to you, the more protection you want to put around it. If you have digital copies of birth certificates, social security cards, or driver’s licenses, you don’t want some rando on the internet being able to steal them – and that includes anyone who’s storing things for you. For example, Google the Company may be able to see or read information stored on the Drive, including emails. Plus, all the AI things they offer use the information that’s stored on your Drive or in emails to help you, which means it may not be as private as you need it to be.

To protect stored information, documents, and conversations, you can:

• Use an end-to-end encrypted messaging app, like Signal, for really private conversations, yes even your text messages can be found or shared if someone gets to your cell phone provider
• Store documents in an end-to-end encrypted app (Google and OneDrive are not that), like Proton or Tresorit
• Use an end-to-end encrypted email service, like Proton or Zoho

How well did we do? Checking your work

So, how do you know how well you did? Well, you may never have a real answer, but you can go back to “what are we doing” and run through that checklist again. Depending on how much anonymity you want, you can review whether your information is still available.

If you still don’t feel safe, you can reach out to professionals who can help you.