Ask HN: How do you manage your digital footprint in 2023?
37 points by ffgh 1207 days ago
In recent months I've become more aware of my digital footprint and have been doing a lot of digital spring cleaning. Of course we all know nothing really gets permanently deleted from servers but anything I'm able to remove from the public such as reddit/forums submissions and posts I have been doing so. What I'm currently doing is attempting to sign in to any website where I supplied my real name, phone number and attempting to change/update it to a different name, remove phone number, billing details (example: LiveNation, Regal Cinemas, Retail stores).
21 comments

Keep as much local as possible. Do anything involving money or your personal info inside a dedicated VM running a secure OS, or use QubesOS. Use a dumb phone instead of a smart phone. Keep your passwords in a local encrypted text file. If you need a password or other data on the road, SSH into your home machine from your laptop (which has an encrypted disk). Go back to using fake nicknames instead of your real name whenever you post online. If some service requires a phone number, other personal info, or an app install, don't use it unless you have absolutely no choice. Use FLOSS and don't pay for software with your money or by viewing ads.

Reject the notion that you NEED these BigTech services and don't let them hold your life, well-being, or friends hostage.

I'm in the process of trying to de-Google my life. Apart from being forced to use Google at my workplace I want nothing to do with them other than google searches. I have 4 Gmails though, a few personal and a few for etc sites. I was thinking about setting up a forwarder for all to 1 email account. Any recommendations for a dumb phone? I know Google and Android phones go hand in hand.
It's a long process, but I did it about 5 years ago (moved to Fastmail).

Buy your own domain, attach it to Fastmail (or use your direct @fastmail address if you don't want to own the domain). Then have Fastmail IMAP fetch the mails from your gmail addresses.

Create a filter that shows you which mails come from gmail-sourced accounts and go through it every once in a while, visit those sites and change the addresses. It's a slow process but that way you won't lose any important emails.

I think my Gmail address is used by one store that refuses to give users the option of changing the email :D And they have loyalty bonuses that carry over between years so I can't be bothered to create a new account.
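
One way to build the "which senders still use my Gmail address" list described in the comment above, as an added example that is not part of the original post. The addresses, domains and messages are constructed placeholders, and the function names are hypothetical; it also folds Gmail's dot and +tag variants together and checks `Delivered-To`, since list mail often omits the old address from `To`.

```python
from collections import Counter, defaultdict
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: the Gmail addresses being retired (constructed placeholders).
OLD_ADDRESSES = ["placeholder.old1@gmail.com", "placeholder.old2@gmail.com"]

# Constructed sample messages, shaped like mail fetched from Gmail over IMAP.
SAMPLE_MESSAGES = [
    "From: Ticket Shop <noreply@tickets.example>\n"
    "To: Placeholder.Old1+tix@Gmail.com\nSubject: Your order\n\nbody\n",
    # List mail: the old address appears only in Delivered-To, not in To.
    "From: news@forum.example\nTo: announce@forum.example\n"
    "Delivered-To: placeholder.old2@gmail.com\nSubject: Digest\n\nbody\n",
    "From: noreply@tickets.example\nTo: placeholder.old1@gmail.com\n"
    "Subject: Receipt\n\nbody\n",
    # Already migrated: addressed to the new domain, so it must not be listed.
    "From: billing@store.example\nTo: me@newdomain.example\n"
    "Subject: Invoice\n\nbody\n",
]


def normalize(addr):
    """Lower-case an address and fold Gmail's dot and +tag variants together."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def recipients(msg):
    """Every address the message was addressed or delivered to, normalized."""
    values = []
    for header in ("To", "Cc", "Delivered-To", "X-Original-To"):
        values.extend(msg.get_all(header, []))
    return {normalize(addr) for _, addr in getaddresses(values) if addr}


def migration_todo(raw_messages, old_addresses=OLD_ADDRESSES):
    """Map sender domain -> {old address: message count} for mail still using it."""
    old = {normalize(a): a for a in old_addresses}
    todo = defaultdict(Counter)
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1]
        domain = sender.rpartition("@")[2].lower()
        for hit in recipients(msg) & set(old):
            todo[domain][old[hit]] += 1
    return {domain: dict(counts) for domain, counts in todo.items()}


if __name__ == "__main__":
    for domain, counts in sorted(migration_todo(SAMPLE_MESSAGES).items()):
        print(domain, counts)
```

To run it over real mail, feed `migration_todo` the raw messages from a local export (for example via the standard-library `mailbox` module) instead of `SAMPLE_MESSAGES`.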

Currently using a Kyocera DuraXE. It's great and still has a very inconvenient to use subset of the functionality you might miss from a smart phone. I bought it because I needed hotspot tethering for work. However, I've recently read that the Light Phone II has that feature and is even dumber of a phone, so might switch over to that.

Previously I was getting by fine with a pre-paid LG flip phone and buying around $100/yr of minutes/service from TracFone.

GrapheneOS for phone
Different account names for everything. I never use my real name and usually browse over Tor or with a VPN. If I watch a video it’s after I liberated it with yt-dlp. Reset my home Internet connection to get a different IP daily. I long ago deleted all my posts to Reddit and Facebook. I also ditched my gmail I had for over 20 years, I don’t trust those weasels.
Sounds like a lot of effort for very minimal gains. Is there anything that important about you that you have to go to these extremes?

And you don't have a cellphone? Kudos to you but I, for one, do not envy you.

Minor nitpick, but why are you adamant that you've had your Gmail for "over 20 years"? Gmail was made public in 2004.
Gmail was invitation only for a solid, what, year or two?

But if you were remotely in IT, you could get an invite. I did, and I was peanuts.

Did it exist before 2004? I bet you know!
Wouldn't that imply that you were an employee at Google sometime between 2002-2004? :P Unless I'm not getting the full picture (I was not old enough to be fully aware of Gmail's existence in 2004)
2001? Could be the '90s really...
These are very good suggestions. Do you use a smartphone? I was wondering if calling-over-wifi is less trackable than using a tower.
I have never owned a cell phone. My Librem 5 is “coming soon” LOL!
VoWiFi for LTE is what carriers (in the UK at least) try to encourage if you have poor signal at home. It still relies on your SIM being in the phone and actually makes an L2TP or SIP connection through to the carrier's server. I know because I disabled all these NAT passthroughs on my router and VoWiFi didn't work at all for me on EE with an Android phone (but did for my wife with her iPhone on Virgin). So you can still be tracked since the connection to the carrier's server requires an identity - it won't carry calls for just anybody!
> calling-over-wifi is less trackable than using a tower.

Not if using whatsapp/messenger for calling over wifi and the probability that the other person has an app capable of calling over wifi different than whatsapp/messenger is rather low.

My Samsung with T-Mobile is capable of connecting to cellular networks via wifi, which is useful in my neighborhood where T-mo is a weaker signal.
A reminder that if you pay for ProtonMail, you get a free SimpleLogin account to go with it.
Do you really get a new IP every day? Every ISP I’ve had usually gives me the same IP after a restart
You should change the MAC address of your router. That'll trigger the cable or fiber modem to give you a new IP address usually.
For me at least, that means calling support and giving them the new MAC address.
At least in some systems, assuming you have a separate modem device and router, only the modem is involved in the authentication/billing which is where they care about the modem's MAC to identify you. If your router's MAC changes, DHCP would issue it a new IP.

My modest understanding is that the modem is operating at a lower layer of the networking stack, so the DHCP server involved in actually issuing you an IP, higher up in the stack, doesn't need to worry about identifying you -- it's happy to give anybody an IP because it knows that if it can see you, the modem-level authentication has confirmed you're someone who is paying your Internet bill.

I used to run an open source router a long time ago, which made changing your router WAN MAC something you could easily script.

Who's your ISP? That would make me worried.

https://xkcd.com/463/

Cox. At least in the past when I upgraded a modem, it required me calling support to give them the MAC address.
Is the CIA after you?
Snowden leaks proved they’re after everybody.
And if you fly, drive, use credit cards, use cellphones, etc the government already knows enough about you.
Heh, I see people like you pop up every time there's a discussion about privacy online. My guess is you work for the US government or a contractor, the messaging is always the same: "Don't bother trying for more privacy."

But it's a lame, weak gambit. If the collective you weren't terrified of privacy you wouldn't try this every time there's a discussion about privacy online.

Where I work is not hard to find from my posting history on HN and under my same user name on Reddit.

It’s a company I know you have heard of

Where’s the lie in my statement? Do you fly? Use credit cards? Use a cell phone? Have a bank account? Ever applied for credit? Go to a doctor?

I’ve worked with both payment processors and integrated with EMR/EHR systems. I’m well aware of the information captured. No one cares about your Reddit history.

these are very "low hanging fruit" measures TBH
I'm not exactly a public figure, but I freelanced for a while, so I tried to "get my name out there" to drum up business. So, I've accepted that my information is mostly available if you're looking for me.

There's another guy with the same first name and last name as me, and I feel a little bad for him that any time folks go looking for him they get me. For example: I had a short conversation with his mom on instagram when she tried to add me as a friend (to be fair to her, my profile picture is kind of silhouetted). He presumably has a similar gmail address - I got a few emails from the military about the blended retirement system; I replied to explaining things and they apologized and straightened it out right away. I also get some occasional emails from his apartment complex and I've never been able to get them to recognize that I'm not their tenant.

Things that I post on hn/reddit/etc are generally meant for the world to see, so it's rare for me to delete a post.

I do run a pi-hole and ublock origin to cut down on various forms of tracking.

Removing comments from existing conversations if they don't contain sensitive data is rude IMO.

Somebody may want to read the conversation in the future and now they will experience missing comments

But in real life there are not transcripts of all daily conversations, and we survive fine without that. The preservation of all online conversations isn't necessary. Just look at some old archived USENET posts to discover how irrelevant they are, and this has only been amplified 10000% by everyone coming online and generating "content" through banal conversations about trivial things, pictures of their cat, food etc.
What’s the bar for “sensitive”? Anything that reveals something about yourself? This reply reveals that I’m more interested in privacy than many. Should or shouldn’t I be able to delete it?

I’ll concede that it may be rude, but given the trade-offs, I’m ok with being rude in this respect.

Generally I google my name for those directory data broker type websites every so often and see if any of the listings match up with my name/addresses I've been at (I have a fairly unique ethnic last name). Then I go through the process to get my info deleted (usually it involves giving them a link to the profile on their site, and an email to confirm delete. Use a temporary email, something like https://10minutemail.com/) Here's a list to get started: https://github.com/yaelwrites/Big-Ass-Data-Broker-Opt-Out-Li...

I've had the idea of auto scrubbing yourself from these websites as a side project idea, but never really committed to it

It depends who you are trying to defend against.

General spammers? Get a cheap / free SIM card every few months to rotate your number. Per domain email (hn@yourdomain.biz) makes it harder for people to match your emails between services.

Firefox containers, adblock, cookie control stops general tracking.

If you don't care about the longevity of an account, just sign up for a new one. Reddit makes that pretty easy, for example. That'll stop most people tying your Bigfoot Erotica to your political campaign.

If you want to defend against a nation state tracking you... Well, you can try using cryptocurrency, VPNs, disposable VMs, and solar-powered batteries from your cabin in the woods - but you only have to slip up once.

I sometimes go through my 1Password logins by oldest and see what I can delete. Otherwise, nothing. I don't post that often any more.
I do that but pair the deletion with a CCPA deletion request
Use guest checkout whenever possible.

If you do need to sign up, give fake info, or highly redacted info. If I decide later they actually need it, I can update it in the account settings. Nobody's ever cancelled my account because I said I was born Jan 1 over 120 years ago.

Do digital purchases via some middleman, like a PayPal account backed by a credit card, Apple Pay, etc. Lots of sites have PayPal checkout flows and it saves you having to share your CC directly.

Come up with site-specific usernames and store them in your password manager. That way you don't build a stable cross-site identity unless you're doing it intentionally for branding.

Recently on calls asking to verify my birthday I've stopped saying the full 4-digit year. Being born in the 80's it's pretty clear I'm neither 140 years old, nor unborn.

I've been forced to actually say the "19" part for compliance/safety/security reasons multiple times.

They've not cancelled my account, but it's weird the things companies insist on hearing.

It's solid advice for sure, but I've been doing the opposite in recent years. Sign up for everything, confirm accounts, setup MFA if possible, and consistently use the account. Then, when I want to terminate the relationship, request permanent account deletion. (I'm in EU, so GDPR applies)

This way I can be reasonably sure they've tied all my activity to my singular account. Instead of my shipping address, IP etc being all over the place. When they don't have a delete account button, I request it via email. Seems to work fine. Obviously can't be sure it's actually gone, but that's okay. Ever since Adobe leaked my PII, it's out there anyway.

I've had automatic deletion of all my tweets older than a few months enabled for a few years now. I wish I could do the same for Facebook.

(I did go through the FB history one night manually and deleted some of the edgier shit I posted well over a decade ago - I'm not that person any more).

Fastmail masked emails for all mailing lists and random sites. It's easy to sort them when the address is used only by one location - and as easy to drop if they start spamming.

1Password generated passwords for everything has been the standard for a decade now.

I use my real name only on sites where the content I create being linked to my person isn't a bad thing. (Books I've read, a few social media sites where I curate what I post etc).

I'm lucky because young me picked a really popular book with a cool character to choose my nickname from, so that's another way of obfuscating which account is mine and which are someone completely different.

My primary email is on my domain that's firstlast.com, so I purchased a random one and use that. Used with Fastmail I typically register as company@company.domain.com and it all forwards automatically.

1Pass+Fastmail will automatically generate forwarding random emails, as will Apple now. I prefer it coming to my own domain though to retain control.

Other details I frequently just make up (name, age, address), unless they're necessary for the service. eg. shipping needs my real address.

I wish there was a phone forwarding service that could randomize the number, similar to the Hide My Email that Apple does. I have a Google Voice, but that's a single number that can't be easily changed.

For things like supermarket rewards that just need a 10 digit number, I've thought about changing them all to 111-111-1111 or something similar. All I want is the real price of goods, but that needs an account of some sort.

I manage it by not getting into any political discussions online. I live in a country where government oppression is so strong now that whatever you say online can potentially put you in a short list for public prosecution. So it's not worth it. Living in silence is a blessing that I actually enjoy.
The biggest impediment to personal security is probably LinkedIn, followed by Facebook.

Facebook you can reasonably hide. LinkedIn still seems to have some expectation of openness by companies... but I haven't interviewed in a while. My LinkedIn no longer has my name. Is that a big deal with companies?

I’ve been loving iCloud Hide My Email. Every site gets a different disposable address.

The fun part is when I do get spam I know exactly which site has sold my info. It is a handy way to know who to never do business again with.

Cleared github this year.

Ended LinkedIn 5 years ago.

Don't use social media. Irony, considering employer.

Use throw away email addresses and phony names wherever possible.

Anywhere that asks for employer or social security number, I just laugh.

Don't give out your deets. I use ad blockers and am not interested in being some corporation's product.

In the case of retail stores, they typically maintain a history of all changes and transactions for a few years for abuse prevention, so it won’t have the effect you’re hoping for.
As if https://xkcd.com/979/ wasn't bad enough, people are deleting posts and submissions now? Am I old and getting out of touch, or are kids these days not just not thinking through things before they post?
FWIW, I've never posted anything on SO and none of my GitHub comments/issues are going to be deleted. It's not so much what I post, it's more of a conscious thing, knowing I have stuff online for the world to see. It just doesn't sit well with me anymore. I'm not by any means a public figure or popular it's just tinhat things I guess.
Exactly. My earliest still available posts on the internet are from 1994 on Usenet. You can still find them.

I can confidently say that nothing I’ve ever posted on the internet would be ruinous to my career or personal life.

My spending time on *.advocacy in the 90s would be more embarrassing in a teenage high school picture type of way.

Shout out to my teenage self for not using real names back in SMF and phpBB forum days
I have most of my services at home:

- email on a personal domain name, local IMAPs/SMTPs relay to a third party ones for crappy antispam practice by giants, but having anything at home migrating the domain to another third party is easy and almost no one has my real mail addresses, only dedicated or spare aliases easy to drop being just a third party an alias;

- homeserver with most of my services, so no need for third party stuff by well-known name (let's say Alphabet/Microsoft etc) so not so many nor much used accounts;

- I have, again, a craphone (Android-based macro-spy [1] device) since I have an EV as a primary vehicle now and I can't manage public recharge on the go properly without... BUT it's just for limited usage, and as for email most do not have my mobile number, just VoIP accounts on a home PBX;

- not much social (HN, Reddit) just because Usenet is almost full only of spam...

My biggest digital footprint is mandated de facto by:

- government, who push connected services who happen to be crappy stockpiled crap, I can't do much for them beside annotate and diffuse any bad design and issue;

- crappy surveillance capitalism crap built-in modern vehicles, again I need a car, I do not strictly need a new one but it's still useful for some aspects so...

- crappy IoT crapware, I normally confine it, it's just domestic p.v. and hot water heater, managed in a separate network by my homeserver and operated via Home Assistant WITHOUT internet access for them except for rare crapware updates needed here and there...

No smart dumbwatches, spy environmental mic called typically "digital assistant" devices, no video spying tools commonly known as IP cameras (ok I have some, but again managed via the homeserver, with no direct internet access to them) or smart TVs, ...

So far it does work a bit...

[1] because in the past such information-munging devices were smaller and typically paid by those who spy, now are bigger, apparent and maintained and paid by those spied on, and apparently most of them like that...

Privacy.com helps in terms of online payments. Generates credit card numbers that will accept any name or billing address when charged.
Unfortunately it's available only in the US...
There are EU-based companies like N26 and Revolut that (I think) give you the ability to generate multiple card numbers.

Both might require you to get the paid account instead of the "free" one though.

I've been using Revolut and their disposable cards for over two years now, but I never liked it as much as Privacy.com since they didn't allow you to set a spending limit. And well, if it wasn't for your comment I would have never discovered that Revolut actually implemented said feature. Thank you!
You’re just giving your data to them though.
It’s not perfect but it’s better than the alternatives. Last four of CC are often used for identity verification, but if I use a unique card number for every site, losing or leaking my Visa card won’t be as harmful.
My bank has this feature so I just use it without an additional service. But they probably sell all my info anyways. LOL
I use resources mentioned on privacytools.io
Why?
What digital footprint?