The law firm of choice for internationally focused companies

+263 242 744 677

admin@tsazim.com

4 Gunhill Avenue,

Harare, Zimbabwe

How To Control Your Digital Footprint Without Losing Your Mind

Posted on by TSA Press

In a digital world where the lines between a personal and professional persona emulsify, a glut of personal information floating around the internet can lead hackers to sensitive data about an organization or an individual, creating undue and immeasurable risk.  

Borrowing from principles of the intelligence community, understanding the information that exists about oneself is sometimes just as valuable as collecting information about one’s adversaries.   Therefore, being more proactive about security from a counterintelligence standpoint — whether as counsel or as a client — can begin by taking a long hard look at your digital footprint. The goal is to adopt defensive practices that guard against malicious actors who are conducting their own open source intelligence (OSINT) gathering (industry-speak for “internet searching”).  

Information security professionals seek help from outside experts to understand whats out there” about their company and its top executives, so that the information can be scrubbed or at least assessed from a risk perspective. This knowledge helps a company determine full risk from a personally identifiable information (PIIvantage point, developing the basis for a thorough assessment and remediation.

The following steps and considerations, curated by Rob Volkert, VP of Information Operations at Nisos, a leading cyber investigations firm, are useful for reducing and hardening digital footprints on an individual basis (disclosure: I work at Nisos).  Organizational, large-scale, or deep-dive executive OSINT assessments require more manpower and strategies than those outlined here.  But this type of bottom-up approach will have broad beneficial effects for employers, especially since data breaches in 2019 alone cost U.S.-based firms an average cost of $8.19 million per cyberattack. Note that this is not a one-time exercise, but a digital hygiene process which should be rinsed and repeated at regular intervals.

1. Discover and assess your footprint: Start by conducting online searches of your name (including former names) as well as personal address in a search engine to see where and how your information appears, including personal or sensitive images that others may have posted about you. Log into all social networking sites and forums which you belong to as part of the discovery process.  Drink some coffee and take deep breaths.

2. Clean up and remove your data: Remove any photos, content, accounts, and links that may be inappropriate, reveal too much information, or are no longer relevant.  Consider deactivating or canceling social media accounts which you no longer or rarely use.  You can contact the company and ask them to remove your data permanently from their servers; legitimate companies will usually comply, but data brokers may prove harder to pin down.  You can also request that street photos of your home be removed or blurred on the major map sites, such as Google, Bing, and Yahoo.  When visiting these sites, look for the links “report a problem” or “report image,” and then follow the instructions for removal or obfuscation.

3. Check your privacy settings: Keep personal accounts, such as Instagram or Facebook, as private as possible, allowing access only to trusted family members or associates — people you actually know.  Consider using different email addresses and phone number combinations for login and registration on all personal communications and social media sites. Some sites, like Twitter, require a public profile.  In that case, limit discussion to general business-related activities, keep posts clean and non-discriminatory, and post photos of professional activities only after leaving the event. Cite general locations such as city or country and limit references to individuals’ true names by instead referring to their social media handles.

 

4. Create “layered” contact information: Popular services such as Google Voice, Sudo, and Sideline offer the ability to create and manage multiple new email addresses and phone numberscreating a layer of identity protection while automatically forwarding communications to the primary accounts.  You can manage these online or through smartphone apps and use them for everyday accounts such as utility companies and other home service providers, e-commerce, and social media. More accounts mean more passwords, so consider using a password manager such as 1Password or Dashlane.

5. Be smart and watchful on social media:  By now, most professionals know to be careful about what they post on personal social media accounts since once the content is online, an employer, prospect, customer, or future employer can find and potentially hold the information against you. It’s also wise to monitor comments on your own postings for slanderous or inappropriate remarks, according to the Center for Internet Security.  You can and should delete those or delete the post altogether, if needed. Be aware that web archive sites may have already captured and permanently retained these posts.  
6. Opt-out on being overexposed: Take the time to remove personal information from free “people finding sites” such as Peoplefinders. These sites have a legal obligation to remove PII upon request; the optout links are usually located in the privacy section of the site. Many of these sites are simply aggregators of other site databases, so a best practice is to start by removing data from the core aggregator sites — Radaris, Intelius, Pipl, Spokeo, Beenverified, and Mylife — before requesting withdrawal on the other sites.  You may need to supply minimal information to remove data such as URL and email address, while others require official identification, such as a driver’s license. Be sure to black out personal information on the driver’s license (face, license number, and any other physical details). You should only need to supply proof of address, DOB, and real name to verify your identity.
7. Consider anonymous payments:  Using prepaid debit cards offers a nice layer of identity protection since they are temporary and not linked to any PII. Consumers can purchase these cards in denominations up to $500 and the cards offer protection in the event of theft, up to the face value of the card. Privacy.com also offers the ability to generate virtual cards for online purchases. Virtual cards provide a layer of protection between your funding source and the merchant and allows the user to use any name or address for the purchase which minimizes identifying data. Cash is always good too.
8. Be safe abroad: When traveling outside of the country, the Office of the Director of National Intelligence (DNI) recommends leaving personal devices at home and instead buying a throw away or pay-as-you-go phone — so-called “burner devices.” Additional DNI recommendations include avoiding logging into social media accounts and creating a new email and Skype address for communicating while abroad.

9. Limit what you share and with whom: In general, avoid the disclosure of identifying information to any merchant or business, even if it means passing up on four feet of couponsStore loyalty programs, periodical subscriptions, utility providers, and credit card companies can and will sell PII to data brokers or fail to adequately protect it.

10. Get a little paranoid: Assume that any time you provide your PII to a business or institution, it will be entered into a database that will make its way into the hands of data brokers and/or hackers. This results in headaches and exposure that quite frankly are just not worth the free rewards.  After all, your privacy is worth more than that.

Jennifer DeTrani is General Counsel and EVP of Nisos, a technology-enabled cybersecurity firm.  She co-founded a secure messaging platform, Wickr, where she served as General Counsel for five years.  You can connect with Jennifer on Wickr (dtrain), LinkedIn or by email at dtrain@nisos.com.