How do you lock down your personal information?
July 1, 2023 1:31 PM   Subscribe

[Fiction filter] A character is about to blow the whistle on something very big and public, in the US. Folks will be angry about this, might raise a furor online, might threaten them or their family, might try to dox them, etc. -- all the classic bad crap that might happen nowadays. How could they guard against this before they go public? What could they do on their own, and what might they hire a security or IT professional to do?

For the purposes of this story, let's say that "move to a remote corner of the world and entirely disconnect from society" isn't a solution. This person needs to stay in their home and be public re: the thing they're whistleblowing about. The whistleblowing isn't government-sized -- it's not the CIA or foreign spies who will be coming for them. It's a corporate thing that might affect/attract your rando "angry dude on the internet" person. (Which is bad enough for sure.)

Our character has all the typical social stuff: FB, Insta, etc. They use Gmail. They have a house with a mortgage in a big city. They're married, with a kid. So assume their name is already on public records and the most visible social media spaces. Their name isn't wildly unique but also isn't "Jane Doe" so they probably can't hide in a sea of similarly named people.

They're not wealthy enough to make "hire personal security 24/7/365" an option. But they can probably spend some money on this, hence the idea that a security consultant or IT person might be hired to assist.

Lastly, the key with this is that they do have the opportunity to try to do all of this stuff in advance of blowing the whistle. Which I'm assuming leaves them in a slightly better position than if they wait until afterward.
posted by BlahLaLa to Grab Bag (25 answers total) 28 users marked this as a favorite
 
Response by poster: Should have added: I understand that none of this will be entirely foolproof, and it's not possible to achieve 100% lockdown. I just want to know what the likely steps would be.
posted by BlahLaLa at 1:39 PM on July 1, 2023


Best answer: First, there are some basic precautions that are easy to take for your character:
  • Make all social media profiles private, and delete any you aren’t using. Make sure you’re only friends with people you actually know and trust on them
  • Take down contact information on any websites they control. For example, do they have a resume online that lists their phone number? Get rid of it!
  • Make sure they don’t have any accounts with easily-guessable passwords lying around. E.g., wouldn’t it suck to have an angry Internet dude get into their bank website?
  • Make sure all their devices are up to date, and delete any sketchy apps they don’t need
  • If they have a smartphone, turn on the “advanced protection” features offered by the provider. Both Apple and Google have these.
Moving up the scale in cost and paranoia…
  • If they want to be active on social media, invest in a service that manages blocklists and offers help with harassment. (A real example of this is a company called “Tall Poppy”.)
  • There are services out there that offer to “scrub” your personal information, basically by contacting lots of the common data brokers and paying them to take down your data. I’ve never used one of these; my understanding is that they can help but are not fully effective.
  • As a short term measure, they may want to hire a “virtual personal assistant” service to screen calls and manage email so they don’t need to deal with high-volume harassment
  • Right around the time they plan to go public, they may want to consider temporarily staying with a friend or going to a hotel, for (say) a week or two
  • Many local police departments now understand “SWATting”, and you can call them to warn that someone might try it on you. This can prevent a dangerous mishap. (I don’t know how these conversations go, but I’m acquainted with a couple people who have had to do so)
It’s also worth emphasizing that, as you mentioned, this isn’t foolproof. I’ve known IT security folks who had stalkers or offended cranky Internet people, and did everything right… and still eventually had to move to be safe.
posted by learning from frequent failure at 2:00 PM on July 1, 2023 [8 favorites]


Best answer: all of what lf³ said, plus locking your credit to prevent people trying to take out loans and credit cards in your name
posted by scruss at 2:14 PM on July 1, 2023 [1 favorite]


On social media, delete (best) or at least lock down (not as good) your profiles- make them private, hide friend lists, make a fake display name that doesn't align with any other account names, and profile pic something anonymous like a pic of a cloud.

Do extensive google searches on yourself from other browsers to see what comes up (bc your own google shows specific results). Delete or overwrite anything.

Google all your usernames to see if anything important can be cross-referenced. I once tracked down a guy who trolled something I wrote because his throwaway gmail username was the same as his YouTube username which led me to his real name.

Try to get anyone who's been publicly linked to you to also lock down their profiles. Especially boomer relatives who might post identifiable photos of things like the front yard of your home, license plate, kids' schoolyard, etc.

Often a lot of info comes up if searching obituaries (spouse, kids, etc) so check those and try to get them deleted.

Make sure the school knows to be on alert in case anyone comes to check on the kids. Make the kids as generic-looking as possible, for instance, boring haircuts, generic sun hats, generic backpacks, etc, so they don't stand out in the schoolyard.

Give the kids a password to ask adults for, in case of someone trying to trick them. If they're little, it could be the name of a pet goldfish or a stuffie, or a close friend's middle name, or something like that.

Tint car windows, take different commute routes, don't park in the same space every day.

Install a mail slot so mail goes into the house instead of sitting in a box on the porch where it could be taken. Get a PO box for packages.

Use a fake name or relative's name for packages, reservations, etc when possible.
posted by nouvelle-personne at 2:32 PM on July 1, 2023 [1 favorite]


Best answer: - Apple devices have something called lockdown mode for people at high risk of being hacked. Android phones have a feature of the same name, but it doesn't do the same thing (it's equivalent to "emergency mode" on an iPhone).
- Enable two-factor authentication on every service that supports it, preferably not using SMS, which is vulnerable to hacking.
- Get a mailbox at a commercial mail-receiving service (like the UPS Store) and change your address on anything publicly discoverable to that (these services will re-mail your mail; I don't think you can do that with a PO box).
- If they have any pets or kids, board them with a friend or family member (this is especially paranoid, but not crazy-paranoid).
- Create decoy personas on social networks.
posted by adamrice at 2:32 PM on July 1, 2023


Best answer: Personally? Before any whistleblowing can be had, move to a random location. Have a friend book AirBnB and live there, basically remove one's name from it, so it's not easily traced.

Then configure the internet so one can VPN from the new location to the old house, so you can stay online and randos who somehow traced you from social media will be decoyed.

Invest in a good alarm system, cameras, and good monitoring and security response, along with a SECONDARY independent camera system AND redundant wireless ISP and power if someone is sophisticated enough to try to cut your power (your existing monitoring and alarm needs a battery backup as well)

Obviously your existing lights and whatnot will need to have a random on/off features to look to be lived in as well.Some sort of IoT smarthome switches ought to handle that. Probably won't fool a professional, but you are guarding against mostly amateurs in your fiction, I assume.
posted by kschang at 2:34 PM on July 1, 2023 [2 favorites]


Best answer: Take a look at the resources on Crash Override Network.
posted by matildaben at 2:47 PM on July 1, 2023 [1 favorite]


For the purposes of fiction writing, a twist you may wish to dive into: when doxxing, a lot of amateur sleuths can and will get it wrong and doxx the wrong person, which could lead the story down other interesting paths. An innocent third party could get caught up in things. You could have this character potentially try to feed false information to people who try to doxx them. There are a lot of ways this can backfire as well, depending on how its done (which is one of the reasons it's not regarded as an especially good strategy IRL), but it might be useful for the kind of storytelling you want to do.
posted by Aleyn at 4:23 PM on July 1, 2023 [5 favorites]


Best answer: The Electonic Frontier Foundation has some guides to start.

You will probably also want to look into personal operational security (OPSEC). Here’s an online course for Department of Defense employees that might be a good start.
posted by Ookseer at 4:34 PM on July 1, 2023 [1 favorite]


If they have a house with a mortgage, the deed and mortgage documents may be available to anyone with an internet connection depending on the jurisdiction.

The owner could potentially create a company, naming trusted friends as organizer/incorporator and managers/directors, and transfer ownership of the house to that company, although the mortgage company would have to agree to that transfer. A lawyer might be retained to make this happen and the total cost could be less than a thousand dollars (although that's just a guess, as this is not my area of law).
posted by Handstand Devil at 4:36 PM on July 1, 2023


The best answer is (if it is possible for the story): never be associated with the whistleblowing at all, in any way. This would entail at a minimum:

*Burner/disposable laptop, purchased with cash at an out-of-the-way location, preferably a mom and pop store if at all possible and while staying out of sight of cameras.
*Said laptop is never turned on in any location known to be associated with the person. Definitely NEVER connected to a network with any connection to the person (home, work, local coffeehouse, whatever)
*Information is loaded onto the laptop using direct cable/data connection (not wireless) or via USB (which is immediately shredded/reduced to powder once transfer has occurred)
*Individual drives to another state, preferably one without tolls/bridges that would tag car.
*Find out of the way public location with public wifi (library would be good for this).
*Use Secure Drop (and ONLY Secure Drop) to send the information in question to the various media orgs on that page.
*After the info is sent, turn off computer, remove the battery. As soon as possible, remove the hard drive/ssd in the computer and physically destroy it. Toss it off a bridge into a quick moving body of water on the drive home.
posted by griffey at 5:36 PM on July 1, 2023 [3 favorites]




Depending on your story it may be interesting for your character to have to remember long forgotten things like classroom message boards from college, screen names from chatrooms 20 years ago, yelp reviews, etc.
posted by kapers at 11:04 PM on July 1, 2023 [1 favorite]


Turn off location history in their Google Account -- useful if you want to retrace your steps but a hazard if someone gets into your Google Account. You can also set Google to delete past history it's recorded.

Add non-SMS multi-factor authentication to logins, using a hardware token like a Ubikey or apps like Google and Microsoft Authenticator, for rolling six-digit additional have-a-trusted-device on top of know-a-password. (SMS in the USA can be cloned easily by people ringing up the cellphone company and pretending to be you.)

Have a throwaway gmail account get Google Alerts set to show when their names, aliases, history is added to the Google Search index and might become searchable, a tripwire that someone might find their new info in a search result.

If they're going to change everything after whistleblowing, they may as well change before:
- don't reuse an email address across multple logins, instead create new accounts from throwaway addresses
- keep no state on your laptop or desktop computer and use and encrypted thumb-drive with TAILS, the thoroughly anonymous incognito live system.
- use VPN tunnels to appear where you're not, creating them for yourself on rented cloud-computing servers.
- don't leave a pattern-of-life record with the internet provider you use, setup DNScrypt or DNS-over-HTTPS to hide the conversion of host names to IP addresses from people keeping records of all your online life or listening to the unencrypted requests of regular DNS.
- a change of city or jurisdiction needs a change of phone, bought in cash without being attached to your name
posted by k3ninho at 12:38 AM on July 2, 2023


Every password anywhere should be unhackable - 10 characters or more. Anything involving money should have passwords of 15 random characters. That means credit cards, bank accounts, etc. If you have a credit card for which you have never visited the issuing company online, do so just to put the password on the account.

This also includes accounts of vendors, e.g. Amazon that hold your CC information.

Companies,like Venmo and PayPal that facilitate sending sums here and there seem especially subject to hacking, so you might consider canceling those accounts.
posted by SemiSalt at 5:09 AM on July 2, 2023


Note that security against third party hacking attempts is different than trying to obscure who you are as versus the platform owner and/or a government with subpoena power (or sub-rosa data sharing agreements).

So some of the more elaborate advice above and in links and etc. may be a little overboard if its truly only independent corporate actors and vigilantes the character is worried about.
posted by snuffleupagus at 5:14 AM on July 2, 2023


Best answer: One point to remember when deleting social media: in many cases, deleting your account will free up the username for someone else to use, which could be a problem when bad actors are involved. There's often a delay involved, I think it's 30 days on Twitter, not sure about other apps.

So if in this scenario the protagonist deletes their social media presences but the crisis goes on longer than a couple of weeks, there's a risk that someone might show up and impersonate them on social media.
posted by Two unicycles and some duct tape at 4:03 PM on July 2, 2023 [1 favorite]


Mod note: [btw, this post has been added to the sidebar]
posted by taz (staff) at 2:58 AM on July 3, 2023 [1 favorite]


Best answer: So I used to be an oppo researcher for a legal and political consulting firm. With Lexis/Nexis, if I have someone's name and any other single piece of info, I can get:

- DOB
- City of birth
- Every place you've ever lived in the US
- Every car and boat you've ever owned
- The last four of your SSN
- ID numbers for about half the US states
- Marriage records
- Divorce records
- Any criminal record for any of the 50 states
- A bunch of miscellaneous stuff
- All of your relatives (including parents, siblings, spouses, children) and former roommates
- All of the above for all of your relatives and former roommates

Further, if you've ever filed for bankruptcy, that'll be on there too, and that's great, because while most places use the last 4 of your ssn, bankruptcies show the first five, so now I have your whole SSN.

That's about 15 minutes' worth of work, and it only takes that long if I need to confirm you're the Hiro Protagonist in question, and not some other Hiro Protagonist. And then, it's obviously harder to pin down someone with the last name Brown than the last name Cortado or something.

And I haven't even started in on social media, zillow, LinkedIn, the SEC, etc. So now I can put together a file on you that includes pictures of your home, the value of that home, job history, pics of you on vacation, what your salary is if you're c-suite of a publicly traded company, including your bonuses, donations you've made, boards you're on, not to mention email addresses, phone numbers, etc. etc.

All of this is completely legal and above-board, and I haven't even had to hire a private investigator yet. So while hiding your data seems like a good idea, it doesn't matter. It's all there already. You cannot hide digitally. You can scrub your social media, but often I can find a lot of that stuff in comments you made on other people's social media, so keep in mind that you're never completely invisible.

So. You have two real options here. Option 1 is build fake personas. There is this not very good novel called The Old Man that got turned into a tv show recently. In the book the protagonist did a good job building fake personas over years. He'd use dead people's SSNs to get credit cards, which he would use to get subscriptions that he would pay off from separate bank accounts like clockwork, to build up histories for them. This is great but requires a level of foresight and planning that most people don't do, but then again, second-best time to plant a tree and all that.

The other option is, you will not be able to hide any of this personal info, so then what you can do is control the narrative. You hire a consulting firm that can build out a "grassroots" campaign against whatever people/companies are going to come after their client. You keep them so busy in the press with whatever dirt you can dig up about their execs (and keep in mind, execs are usually in SEC filings so it's way, way easier to get numbers for them than most people) that they're too busy to bother smearing you. And then you can be very very selective with how you tell your own story: you can pick particular venues, or just post on youtube, whatever you (and your consultants) think is best.

All of this assumes that they're going to go after you in the press. If they're going to go after you physically? Different story. There are a zillion movies and books about this. If you want your story to go down that route, I can send some recommendations your way.
posted by nushustu at 12:18 PM on July 3, 2023 [6 favorites]


All of this is completely legal and above-board

There are supposed to be restrictions on what you can use SmartLinx (Lexis) PeopleMap (TR/West) for, but it's essentially on the honor system once you obtain access.
posted by snuffleupagus at 3:36 PM on July 3, 2023 [1 favorite]


I also wouldn't be shocked if there are quieter but still commercial database offerings based on greyer data than public records, like that purchased from aggregators of commercial data and compiled from data leaks. At this point, I'd be more surprised if there weren't.
posted by snuffleupagus at 3:54 PM on July 3, 2023


There are supposed to be restrictions on what you can use SmartLinx (Lexis) PeopleMap (TR/West) for, but it's essentially on the honor system once you obtain access.

Yes but what I mean is, this is all public information. Before Lexis, you had to call the offices in question, but they'd still give you this info.
posted by nushustu at 8:25 PM on July 3, 2023


In many states, you can get your voter registration and tax information made confidential, meaning only certain government officials have access to your name and address and other public government information. Unfortunately, this usually involves a court order so might not work before the whistleblowing...
posted by schyler523 at 5:14 AM on July 5, 2023


Best answer: Depending on how you think they might go after you / the character, buy your own name's URL - or at least the .com / .net domains (if they're affordable). You can't stop crazy people with money from creating hate sites that use your name, but you can at least lock down the embarrassment of them using your own name to attack you.
posted by Mchelly at 8:12 AM on July 6, 2023


Response by poster: Thank you for these great answers - I could have marked them all best!
posted by BlahLaLa at 8:13 AM on July 21, 2023


« Older Book ID: Girl wants a house with a tower—and gets...   |   Processing donations Newer »
This thread is closed to new comments.