Personal Security After Data Breaches

Apparently that’s a real place in Alaska. I scored a nice place in an apparently upscale neighbourhood in California, so I think I’ll stick with that. :wink:

1 Like

Don’t be so quick to write off Outer Mongolia! :thinking:

There really ought to be an International Data Obfuscation Day.

3 Likes

Some U.S. databrokers with easy online opt-outs (some of these may also have operations in other countries):


https://datacloudoptout.oracle.com/


https://www.aristotle.com/

See also: Voter Data Exploitation
3 Likes

Looks like there’s a state-level similar bill recently introduced in the California legislature:

California legislature site: Bill Text - SB-362 Data broker registration: accessible deletion mechanism.

Good news for us Californians, and maybe it will trigger some action on the Federal bill, which has seen no movement in over a year (apparently).

As it’s written, the California bill would call for a single opt-out point applicable to every data broker that operates in the state.

3 Likes

So, how is your personal security now? What has been “patched”, and what still has vulnerabilities?

My personal security practices are more about removing dependencies/trust rather than protecting my data, but they happen to align very well. I have a strong interest on becoming unbanked in the near future, and reducing the amount of ISO/IEC 7810 cards I possess to as close to zero as possible. In practice, that means as low as three cards:

  • Identity card
  • Costco membership
  • Prepaid credit card (for paying Costco membership/groceries, annual phone plan, etc.)

Due to this, I do not care about credit bureaus or credit ratings. My endgame is cash, Monero, and the prepaid credit card mentioned above for compatibility reasons (subject to change).

I have two password databases: public and private. One of them is on my Librem 5 USA, and the other is on the Librem 14 in a “Vault” AppVM, so I always know what role each device and database is intended for.

I have one email address, but use tons of ephemeral email address services for most purposes. Otherwise, I carefully provide my email address for services requiring “reputation”.

For online accounts, I went through a very intense purge over the last few years and requested deletion of them. If the service did not comply, I randomized as many values as I could so that even if the account was breached, the information would be garbage to anyone accessing it.

I do not subscribe to services that remove my information, as that is pointless for my public identity, and useless for my private identity. I also do not use Android. I did change telecommunication carriers within the last few years and received a new phone number, but that was more about completing my public identity and saving costs ($100 CAD a year).

I’ve closed a lot of the gaps in both security and privacy protection, I think - as listed above, and in other threads. Of course, it’s necessary to stay vigilant. Whenever I’m faced with a new potential point-of-failure, I assess all the options for mitigation before committing to any new account, app, service, etc., and if I do commit, I make sure all the “sharing” of my data is turned off.

1 Like

The US postal service appears to have created a new database that is going in to common use by most businesses. All valid addresses in the US are catalogued there. And there appear to be at least two levels of addresses found there.

I’ll explain. I get all of my mail from a private mail box service. All mail sent to my home gets “Return to Sender”. That’s how I set things up. When I make purchases online, I can enter the address of the mail box service company as my shipping and billing address. That general address to the mail box store has a suite number in it as a part of the general business address of the mail box service company. Therefore, I have to use a personal mail box (PMB number) in the second address line as a means to identify which box my mail should be delivered to. Increasingly, I am getting error messages with suggestions of valid addresses that I can pick from when I enter my mailing address online. None of those suggestions allow anything extra like my PMB number, in any part of the address. Typically, my added PMB number turns red with a warning that it is not valid. So clearly, some database is in use that lists, all addresses everywhere that are considered to be valid and that doesn’t allow for anything that is not already in that database. Over time, in many cases (more often over time) I can’t put the PMB number in to address input fields. So I have to rely on the people who sort the mail, to remember my name and which box my mail goes in.

Also, occasionally I do business with the Federal Government. They have told me that my private mail box address is not a valid address for their purposes and that they need a “real” business address. I have made the arguement that my private mail box address is a valid business address. They have told me outright that private mail box addresses are not considered to be valid for their purposes and that they require a “real” business address (frusterating that they get to decide what the definition of “real” is when it comes to my business).

So first, someone has catalogued every address everywhere and have decided that any address that is not in their database exactly as they show it, is not valid. In addition, this database tracks which addresses are at private mail box services, so that for certain purposes, other businesses and the government can chose to not do business with those private mail box addresses.

Also, I hate the political junk mail. Since I don’t use my home address to receive any mail what-so-ever, the only way to get my voting ballots is to regester my voting address at my private mail box. So technically, the state can toss out my ballot after it is cast, because they do not allow private mail box addresses. And, the state only allows people to vote if and only if you subject yourself to relentless political junk mail as the voting season approaches. If they can’t send you junk mail, then you don’t get a ballot. There is no way to opt-out of the political junk mail while keeping your ability to vote. You are forced to give your mailing address to every political candidate as a valid address through which they can harass you. The state gives them your address whether or not you want them to. The only way to opt out is to not register to vote. I will never look at a political postcard and decide from the information on that card, to change my vote.

So clearly, business and government is cataloging every corner of the world in which you might possibly choose to be anonymous, or to establish a wall behind which you might choose to hide your identity as they routinely assault your right to not share your private information or to simply avoid being harassed by people you don’t want to hear from.

3 Likes

I use a standard P.O. box for my wargaming newsletter so gamers who subscribe and DON’T use paypal can at least write me a check.

But I use it also in a pique of privacy. It also prevents the very same subscribers from knocking on my door on a weekend road trip.

1 Like

Just for “fun”…
See if your address and phone number are publicly associated with your name (or co-habitants, or relatives). These are just a few sites that traffic in this stuff; you should be able to opt out on most of them directly, if your data is there:

(Remove the superfluous spaces. Probably applicable to US only, maybe also Canada.)

whitepages . com
neighbor . report
spokeo . com
thatsthem . com
freecallerlookup . com (no opt-out?)
numlookup . com
unitedstatesphonebook . com

How well are your privacy measures working?

1 Like

Or: the USPS uses electronic sorting and expediting, and having the addresses written a certain way speeds up the process and precludes unnecessary human intervention. (Although they probably do maintain a database of all valid mailing addresses, of course, as they have to deliver mail to them.)

I think it’s probable that lots of mail-box-service addresses, in general, are catalogued somewhere as “non-residential.” Those services have to interact with the USPS, after all.
[EDIT: https://postalpro.usps.com/address-quality-solutions/residential-delivery-indicator-rdi , and check out the other products listed in the margin.]

Not registering, as you point out, would probably prevent some of that, although many campaigns might just do a shotgun blast to all residential addresses in certain areas.

Another way to cut down on the junk is to vote as early as possible, or so I’ve read, as campaigns that do use voter lists can and do also get periodic updates from the Registrar(s) of Voters. I’ve thought of getting a P.O. box so I could change my voter mailing address, but I imagine campaigns would then just have two places to spam me.

P.S. I believe some U.S. states allow the general voting public to keep their residential addresses private, even if they’re not in a risk group. Time to move?

2 Likes

The political junk mail makes good kindling but it ends beginning of November. Then the open enrollment for Medicare Advantage Plans junk mail stops the first week of December. (Pardon me if you don’t have a fireplace). The Summer season of Primary political junk mail I save until it gets cold again.

And the Disabled Veterans deliver monthly a new trash can liner bag for free in the mail. You’re supposed to fill them with old clothes and leave them on your front porch, but I repurpose them for the outer kitchen can liner. For the inner trash bag I use paper grocery store bags, they fit my kitchen trash can perfectly.

1 Like

I tend to do both. Randomise first then request deletion.

If the service actually deletes then props to them but it was a small amount of my time wasted. If the service hides so that login no longer works but the data is retained “forever” by them then it’s a win for me. If the service ignores so that login continues to work “forever” then it’s a win for me.

There are gaps in my strategy.

1 Like

I’m sure that the USPS does do that but that doesn’t really, um, address the point being made, which is: you enter your address on a web form and the web form rejects the address up front because the address is not in “a database”.

Wouldn’t you put the PMB number in the name? The name is typically not considered part of the address and therefore will not be validated against the address database. The only challenge is that the web site in question would need to support two name fields viz. the delivery name field (will hold the PMB number) and the billing name field (would want to match the credit card being used to pay).

1 Like

Why not stop using online websites registration? I have a few but only to receive my electric, and waters bills on email. One thing I notice after I stopped using online websites, especially those to buy things online is that I buy much less things, only what I truly need.

2 Likes

Behavioral changes are not easy to implement for most people. Quite often, convenience is king.

2 Likes

The website could be simply enforcing the preferred format used by the USPS, but the site could be checking it against a list of known USPS addresses in real time, I suppose. That would probably require either some ad hoc link to a USPS database (possibly visible in, e.g. NoScript, so that would be one way to confirm), or the site itself maintaining its own updated national (or international?) list(s), periodically updated.

The only thing I’ve ever seen is that if I enter a street address by splitting it over 2 lines, the form then presents me with the option of consolidating it on a single line (a la the approved USPS format). It also converts my all-caps to dual case letters.

I do this, too.

2 Likes

This might work for some things, but unless one plans to withdraw from the modern world and live in a cave, one will have to complete some actions online. An alternative might be to only conduct business by telephone, with hours spent on hold, talking to bots, or uninformed customer service reps, but for me, … hell no!

I’ll just continue to protect and secure my digital interactions as usual.

1 Like

The convenience factor doesn’t affect how many purchases I make anyway. My brain is still largely wired for how things used to be. I still make more Amazon purchases from inside of various retail stores, than I do from home. So I drive to the local hardware or electronics store as a first step to making the average purchase. Upon arriving there and not finding what I came for anywhere on the store shelf, I bring up the Amazon app, as I stand in the store aisle, disappointed that I can’t make many purchases the same way I used to buy things. After I swipe the “Buy” button in the Amazon app, I leave the store, telling myself that maybe one day I’ll learn to not bother to even drive to the store when I want to buy something.

1 Like

So the former in your case.

Generally, I only use Amazon for online purchases. Even if the price for a given item is higher on Amazon, I use Amazon. Rather than risking my credit card information and having the added burden of maintaining multiple online accounts at different places. But unavoidably, that strategy is not fullproof. The water company has its own logins. The power company has its own logins. Everyone who wants you to conform to their automated electronic system, requires their own logins. Often, if you don’t go along with their requirements, you will never be able to reach a real person who will help you. But if there are two providers and one does not force me to login, I always pick the one that does business the old fashioned way.

1 Like