In June 2009, during my black-hat days, I had someone in my hacking group whom I’d appointed to manage my digital footprint. The idea was that if I ever found myself in legal trouble, I could call on them to help sanitize all the incriminating evidence of my hacking activity.
The only problem? When it really mattered, it was already too late.
That is the most extreme example of what happens when your digital footprint falls into the wrong hands, unwittingly. In a more practical sense, most of us aren’t lawbreakers, at least not in a practical sense.
For example, the United Kingdom is still criminalizing free speech. This broad criminalization surpasses social media content and also encompasses journalistic content and public commentary.
For example, in the UK last year alone, there were approximately 12,000 arrests made under Section 127 of the Communications Act 2003 and Section 1 of the Malicious Communications Act 1988, laws often applied in cases related to free speech. This amounts to an average of over 30 arrests per day, according to custody data.
What does your digital footprint say about you to potential employers? To investigators? Criminals? Or data brokers who monetize your browsing history, clicks, and likes? More importantly, what price might you have to pay if something you posted is deemed offensive by someone?
Welcome to the new world, where just powers are no longer derived from the consent of the governed. This isn’t just about government overreach anymore; it’s about data overreach, too. That is the reality of the new world, which whistleblowers like Edward Snowden tried to warn us about, yet here we are.
Whether you're a free speech advocate, an activist living under an oppressive government, a job seeker concerned about how past social media activity might cost you opportunities, or simply someone who wants to reclaim control over your personal data, this article lays out some practical steps to navigate and resist a world where humans have become metaphorical chattel in the age of surveillance capitalism and data commodification.
Steps to sanitizing your digital footprint
Since everyday internet users often reuse email addresses and logins across multiple accounts, it becomes easy for Open Source Intelligence (OSINT) investigators, and even easier for law enforcement, to connect the proverbial dots and form a broader picture of your online activity and associated digital identities.
When a social media user creates a separate account to voice unpopular political beliefs and registers it under a pseudonym, but uses the same email account or phone number used in other personal accounts, this alternate account is inherently tied to their identity.
This can even extend to reusing passwords across accounts. Even if the accounts appear completely separate, with the only common factor being the same password, a competent OSINT investigator can search data breach databases, find those shared credentials, and determine that the accounts belong to the same individual.
This means that keeping track of all your accounts and subscriptions is fundamental to taking the first steps in controlling your data. After all, what's the point of using privacy browsers and a VPN if the accounts you use all point back to your identity anyway?
Are you ready to see what kind of digital breadcrumbs you’ve left behind?
- Subscribe to a professional-grade OSINT platform like OSINT Industries (£19/month for the basic plan, which includes 30 monthly credits).
- Start by running a search on any of your email addresses or phone numbers. The platform will then aggregate data from a broad range of sources to begin “connecting the dots” from a wide array of sources to build a comprehensive digital profile.
- Repeat this process for all your accounts to map out your online exposure.
- Review the compiled data to identify any exposed logins, linked accounts, and any personal information leaks. Close down outdated accounts.
Oftentimes, when you perform this reverse OSINT osmosis process, you'll uncover digital artifacts dating back to your Myspace days, or even earlier. Just because something is old doesn’t mean it’s irrelevant to an investigator, especially when an old account has published personal information.
Data breaches: If you find your information reported in a data breach database, you can opt to have the information removed without having to jump through hoops. Dehashed makes this relatively easy.
Geolocation leaks: Among the worst offenders of geolocation leaks are Google services, namely Google Maps. This means, any time you’ve left a review, you’ve left a timestamp and a GPS coordinate. Furthermore, to see what your settings show, go to Manage Your Google Account, and then click on Data & Privacy. Ensure your settings reflect the level of privacy you want, because you might be surprised by what you find. Let’s be honest, pretty much every Google service is designed to log or leak something you’re doing, and there are plenty of potential leak vectors.
Reputation cleanup
I have had potential employers crawl my online content before. It initially caused me a bit of anxiety when the topic turned to my past hacking activities. After I fell into serious legal trouble over it, the digital footprint surrounding my name widened, to put it lightly.
While I do not have much control over what others do with my name without paying out-of-pocket, I have total control over what I want others to see. This means sensitive or controversial content that I post on social media can be set to Private. If making your content private isn’t an option, users can opt to separate personal content from public content, which is what the real scope of this article is.
Google offers a removal tool for outdated cached content. It’s actually a pretty underutilized resource, most people don’t know about it for reputation cleanup. It lets you request Google to remove old versions of web pages and search result snippets that no longer reflect the current state of a website, although it may still show damaging or sensitive content in Google’s index.
Data Brokers & Aggregators
The more you understand the purpose of data brokers and aggregators, the more likely you will see your online life as raw material being farmed and profited by these companies. While there’s no one-hit wonder when having your data redacted from these companies in one go, you can follow these steps below.
Some brokers may use your email address to create a shadow profile during the data removal process since you are usually required to submit some kind of personally identifying information to confirm your identity.
If a broker is less regulated than others, they may use newly submitted information to update their database, or create a “shadow profile” under a different internal flag, or associate more identifiers with you for future sale of data. Use a burner email account.
Whitepages publishes names, phone numbers, relatives, relationships, home addresses, and maps. However, if you want to opt out, there is a way, since the company offers a way for you to request to have your information be suppressed from their records. You must show proof of identity and provide an email and phone number.
BeenVerified bundles up your information from a multitude of brokers, such as names, jobs, social media, and criminal records. They also offer an opt-out feature, which you can use for redaction. This requires email confirmation.
Spokeo aggregates data from a variety of records databases, such as public social media, court filings, and real estate. To request removal, you must provide the exact URL of the listing you want them to remove.
MyLife assigns “Reputation Scores” to search records and also shows background report teasers. They do not offer a direct link for record removal requests, however, this is handled by emailing [email protected] or by phoning them at +1 (888) 704-1900. You must provide your full name, current/previous address, and the link to your profile. Yes, I know. Processes like this seem like a double-edged sword.
PeopleFinder offers access to public records, contact information, and court data. To request record removal, just navigate to their opt-out form. This requires email verification.
Intelius aggregates contact information, social media profiles, education, family connections, criminal records, and some financial data. To have your record removed, they will require the listing URL and email confirmation.
There’s also Radaris, TruthFinder, FastPeopleSearch, PeekYou, and others. Just search for their out-of or removal form, and follow the process they provide.
Final thoughts
When you employ these methods to seize control of your privacy, it will become easier to insulate your identity behind the social media accounts you use. However, there’s literally no point to scrubbing your data from public records if you don’t practice good anonymity hygiene like using a VPN, because IP addresses also land in data leaks.
I use NordVPN because it has never failed me, and the servers aren’t black-listed by the websites I frequent, and the company operates under a strict no-logs policy. This means they do not track, collect, or share users’ online activities, let alone monetize it.
For the political dissident, the whistleblower trying to release information from war zones, the individual working to minimize their digital footprint to protect against cyberstalkers, and even the poor bloke struggling to land a decent job because of things expressed online, I hope this has been helpful.
For everyone else…
Stop posing so much on Facebook.
Your email address will not be published. Required fields are markedmarked