Personal Security After Data Breaches

I really like JMP.chat. I’m glad forum members brought it up.

So as of now I’ve got a new home number (VOIP), a new mobile number, an alternate mobile phone number, and the JMP number (on every device), all compartmentalized for different types of accounts and activities, as well as compartmentalized email addresses.

Also, I’ve ported my old mobile number to my VOIP account where, along with my former home number, I will keep it dormant for a year or so to prevent its being used against me. Soon, I’ll set both it and my former home number to play a “Number Disconnected” error to every caller.

I continue to subscribe to a “delete me from people lookup websites” service.

Hopefully all of this will eventually befuddle the data brokers enough to pollute their data. I also think I might start subscribing to a bunch of catalogs, using fake addresses and personal info that is just slightly off from my actual identifiers.

If only the state registrar of voters and the Department of Motor Vehicles would stop releasing my personal info to all and sundry!

This looks like fun:
https://www.fakepersongenerator.com/random-address

I’m thinking of “moving” to Utqiagvik.

Or maybe McMurdo Station.

Apparently that’s a real place in Alaska. I scored a nice place in an apparently upscale neighbourhood in California, so I think I’ll stick with that.

Don’t be so quick to write off Outer Mongolia!

There really ought to be an International Data Obfuscation Day.

Some U.S. databrokers with easy online opt-outs (some of these may also have operations in other countries):

Looks like there’s a state-level similar bill recently introduced in the California legislature:

California legislature site: Bill Text - SB-362 Data broker registration: accessible deletion mechanism.

Good news for us Californians, and maybe it will trigger some action on the Federal bill, which has seen no movement in over a year (apparently).

As it’s written, the California bill would call for a single opt-out point applicable to every data broker that operates in the state.

So, how is your personal security now? What has been “patched”, and what still has vulnerabilities?

My personal security practices are more about removing dependencies/trust rather than protecting my data, but they happen to align very well. I have a strong interest on becoming unbanked in the near future, and reducing the amount of ISO/IEC 7810 cards I possess to as close to zero as possible. In practice, that means as low as three cards:

• Identity card
• Costco membership
• Prepaid credit card (for paying Costco membership/groceries, annual phone plan, etc.)

Due to this, I do not care about credit bureaus or credit ratings. My endgame is cash, Monero, and the prepaid credit card mentioned above for compatibility reasons (subject to change).

I have two password databases: public and private. One of them is on my Librem 5 USA, and the other is on the Librem 14 in a “Vault” AppVM, so I always know what role each device and database is intended for.

I have one email address, but use tons of ephemeral email address services for most purposes. Otherwise, I carefully provide my email address for services requiring “reputation”.

For online accounts, I went through a very intense purge over the last few years and requested deletion of them. If the service did not comply, I randomized as many values as I could so that even if the account was breached, the information would be garbage to anyone accessing it.

I do not subscribe to services that remove my information, as that is pointless for my public identity, and useless for my private identity. I also do not use Android. I did change telecommunication carriers within the last few years and received a new phone number, but that was more about completing my public identity and saving costs ($100 CAD a year).

I’ve closed a lot of the gaps in both security and privacy protection, I think - as listed above, and in other threads. Of course, it’s necessary to stay vigilant. Whenever I’m faced with a new potential point-of-failure, I assess all the options for mitigation before committing to any new account, app, service, etc., and if I do commit, I make sure all the “sharing” of my data is turned off.

The US postal service appears to have created a new database that is going in to common use by most businesses. All valid addresses in the US are catalogued there. And there appear to be at least two levels of addresses found there.

I’ll explain. I get all of my mail from a private mail box service. All mail sent to my home gets “Return to Sender”. That’s how I set things up. When I make purchases online, I can enter the address of the mail box service company as my shipping and billing address. That general address to the mail box store has a suite number in it as a part of the general business address of the mail box service company. Therefore, I have to use a personal mail box (PMB number) in the second address line as a means to identify which box my mail should be delivered to. Increasingly, I am getting error messages with suggestions of valid addresses that I can pick from when I enter my mailing address online. None of those suggestions allow anything extra like my PMB number, in any part of the address. Typically, my added PMB number turns red with a warning that it is not valid. So clearly, some database is in use that lists, all addresses everywhere that are considered to be valid and that doesn’t allow for anything that is not already in that database. Over time, in many cases (more often over time) I can’t put the PMB number in to address input fields. So I have to rely on the people who sort the mail, to remember my name and which box my mail goes in.

Also, occasionally I do business with the Federal Government. They have told me that my private mail box address is not a valid address for their purposes and that they need a “real” business address. I have made the arguement that my private mail box address is a valid business address. They have told me outright that private mail box addresses are not considered to be valid for their purposes and that they require a “real” business address (frusterating that they get to decide what the definition of “real” is when it comes to my business).

So first, someone has catalogued every address everywhere and have decided that any address that is not in their database exactly as they show it, is not valid. In addition, this database tracks which addresses are at private mail box services, so that for certain purposes, other businesses and the government can chose to not do business with those private mail box addresses.

Also, I hate the political junk mail. Since I don’t use my home address to receive any mail what-so-ever, the only way to get my voting ballots is to regester my voting address at my private mail box. So technically, the state can toss out my ballot after it is cast, because they do not allow private mail box addresses. And, the state only allows people to vote if and only if you subject yourself to relentless political junk mail as the voting season approaches. If they can’t send you junk mail, then you don’t get a ballot. There is no way to opt-out of the political junk mail while keeping your ability to vote. You are forced to give your mailing address to every political candidate as a valid address through which they can harass you. The state gives them your address whether or not you want them to. The only way to opt out is to not register to vote. I will never look at a political postcard and decide from the information on that card, to change my vote.

So clearly, business and government is cataloging every corner of the world in which you might possibly choose to be anonymous, or to establish a wall behind which you might choose to hide your identity as they routinely assault your right to not share your private information or to simply avoid being harassed by people you don’t want to hear from.

I use a standard P.O. box for my wargaming newsletter so gamers who subscribe and DON’T use paypal can at least write me a check.

But I use it also in a pique of privacy. It also prevents the very same subscribers from knocking on my door on a weekend road trip.

Just for “fun”…
See if your address and phone number are publicly associated with your name (or co-habitants, or relatives). These are just a few sites that traffic in this stuff; you should be able to opt out on most of them directly, if your data is there:

(Remove the superfluous spaces. Probably applicable to US only, maybe also Canada.)

whitepages . com
neighbor . report
spokeo . com
thatsthem . com
freecallerlookup . com (no opt-out?)
numlookup . com
unitedstatesphonebook . com

How well are your privacy measures working?

Or: the USPS uses electronic sorting and expediting, and having the addresses written a certain way speeds up the process and precludes unnecessary human intervention. (Although they probably do maintain a database of all valid mailing addresses, of course, as they have to deliver mail to them.)

I think it’s probable that lots of mail-box-service addresses, in general, are catalogued somewhere as “non-residential.” Those services have to interact with the USPS, after all.
[EDIT: https://postalpro.usps.com/address-quality-solutions/residential-delivery-indicator-rdi , and check out the other products listed in the margin.]

Not registering, as you point out, would probably prevent some of that, although many campaigns might just do a shotgun blast to all residential addresses in certain areas.

Another way to cut down on the junk is to vote as early as possible, or so I’ve read, as campaigns that do use voter lists can and do also get periodic updates from the Registrar(s) of Voters. I’ve thought of getting a P.O. box so I could change my voter mailing address, but I imagine campaigns would then just have two places to spam me.

P.S. I believe some U.S. states allow the general voting public to keep their residential addresses private, even if they’re not in a risk group. Time to move?

The political junk mail makes good kindling but it ends beginning of November. Then the open enrollment for Medicare Advantage Plans junk mail stops the first week of December. (Pardon me if you don’t have a fireplace). The Summer season of Primary political junk mail I save until it gets cold again.

And the Disabled Veterans deliver monthly a new trash can liner bag for free in the mail. You’re supposed to fill them with old clothes and leave them on your front porch, but I repurpose them for the outer kitchen can liner. For the inner trash bag I use paper grocery store bags, they fit my kitchen trash can perfectly.

I tend to do both. Randomise first then request deletion.

If the service actually deletes then props to them but it was a small amount of my time wasted. If the service hides so that login no longer works but the data is retained “forever” by them then it’s a win for me. If the service ignores so that login continues to work “forever” then it’s a win for me.

There are gaps in my strategy.

I’m sure that the USPS does do that but that doesn’t really, um, address the point being made, which is: you enter your address on a web form and the web form rejects the address up front because the address is not in “a database”.

Wouldn’t you put the PMB number in the name? The name is typically not considered part of the address and therefore will not be validated against the address database. The only challenge is that the web site in question would need to support two name fields viz. the delivery name field (will hold the PMB number) and the billing name field (would want to match the credit card being used to pay).

Why not stop using online websites registration? I have a few but only to receive my electric, and waters bills on email. One thing I notice after I stopped using online websites, especially those to buy things online is that I buy much less things, only what I truly need.

Behavioral changes are not easy to implement for most people. Quite often, convenience is king.

The website could be simply enforcing the preferred format used by the USPS, but the site could be checking it against a list of known USPS addresses in real time, I suppose. That would probably require either some ad hoc link to a USPS database (possibly visible in, e.g. NoScript, so that would be one way to confirm), or the site itself maintaining its own updated national (or international?) list(s), periodically updated.

The only thing I’ve ever seen is that if I enter a street address by splitting it over 2 lines, the form then presents me with the option of consolidating it on a single line (a la the approved USPS format). It also converts my all-caps to dual case letters.

I do this, too.

This might work for some things, but unless one plans to withdraw from the modern world and live in a cave, one will have to complete some actions online. An alternative might be to only conduct business by telephone, with hours spent on hold, talking to bots, or uninformed customer service reps, but for me, … hell no!

I’ll just continue to protect and secure my digital interactions as usual.