Getting hired can take weeks or months for the average job seeker. That is a lot of organizations that have your detailed information stored somewhere, under who knows what kind of conditions, for who knows how long. Furthermore, the prevalence of data breaches and ransomware attacks means you are exposing your personal information to a significant risk when you look for a job.
In the never-ending cat and mouse game in which we are constantly trying to protect our right to privacy against creepy corporate marketers watching everything we do on our devices, tech companies have developed a stalking tool called “browser fingerprinting.”
What is browser fingerprinting?
The point of browser fingerprinting is to enable the tracking company (data controller) to identify unique individuals among a sea of Internet users so that they can be tracked, a behavioral profile can be created, and then targeted advertising can be served to them.
In this way, a site can track your browsing habits without relying on cookies, which we are all now aware of and have learned to block and delete.
However, fingerprinting can be used to recreate tracking cookies that you have already deleted.
Let me repeat that.
Without your knowledge or consent, corporate trackers are not only peering into your machine to see its configuration and characteristics, but they are also re-creating trackers that you have deleted.
And this doesn’t just apply to the sites you visit directly. The pervasive inclusion of remote resources, like fonts, analytics scripts, or social media widgets on websites means that the third parties behind them can track your browsing habits across the web, rather than just on their own websites. – source
Browser Fingerprinting for fraud prevention
It’s not all bad. Browser fingerprinting is used to help detect fraud and unauthorized logins to, say, your bank account, and even dating apps. I personally have no problem with its use for security purposes. The issue is that everyone is using it, and most aren’t using it for your security; they’re using it to track you and your specific characteristics to profit from your data.
There are no rules, industry ethics, or legislative oversight whatsoever.
What can browser fingerprinting detect?
The totality of data that browser fingerprinting can siphon from you specifically is an effective tool in building your individual profile.
- Your user agent header info
- your Accept header
- your Connection header
- your Encoding header
- your Language header
- your list of plugins
- your platform
- your cookie preferences (allowed or not)
- your Do Not Track preferences (yes, no or not communicated)
- your time zone
- your screen resolution and its color depth
- your use of local storage
- your use of session storage
- your pictures rendered with the HTML Canvas element
- your pictures rendered with WebGL
- your use of ad blockers
- your operating system and version
- last key pressed
- which browser you are using
- which add-ons you have installed
- your installed fonts
- your microphones
- your webcams
- what kind of graphics card you have installed
- your CPU and # of cores
- how much RAM you have
- Battery level
- Bluetooth status
- accelerometer info
- …and more.
See your browser fingerprint
The following sites allow you to see your browser fingerprint:
Arguments against mitigation
There are some privacy “experts” and enthusiasts who say that attempting to mitigate browser fingerprinting with add-ons and tools just makes you stand out more and creates an even more unique profile.
I disagree with this position for 2 reasons.
- Stand out to whom? Whom are we afraid of, so much so that we should be scared to use the tools and resources that we want on our own devices as we see fit? And what are we afraid of? That they’re going to track us more?
- Given the specific data browser fingerprinting captures, doing nothing is already a unique fingerprint. I mean, how many people with your IP address use the same version of the same browser, and are on the same devices that use the exact same OS, CPU, GPU, RAM, and Fonts?
Yes, many people across the internet may have that exact same configuration, but this isn’t about averages and weeding through them to find the one that matches you. We are way past that now. They are spying on you through a direct connection to your device, and gathering data specific to you and your hardware. No matter what consumer level tools you use, unless you’ve created them yourself just for your own usage, you’re not the only one on the planet who is using them.
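To make the uniqueness argument above, and the earlier point about deleted cookies being re-created, concrete, here is an added example (not from the original article or from any tracking product). The visitor records, their attribute values and the `SimulatedTracker` class are constructed for illustration; it measures how many visitors share a combination of attributes and shows why clearing cookies alone does not change what a site sees.

```javascript
// Added example: every record below is constructed; nothing is read from a real browser.
// Attribute names follow the article's list (user agent, time zone, screen, fonts).
const KEYS = ["userAgent", "timezone", "screen", "fonts"];

const POPULATION = [
  { userAgent: "Firefox", timezone: "UTC-5", screen: "1920x1080", fonts: "Arial,Calibri" },
  { userAgent: "Firefox", timezone: "UTC-5", screen: "1920x1080", fonts: "Arial,Fira Sans" },
  { userAgent: "Firefox", timezone: "UTC-8", screen: "1920x1080", fonts: "Arial,Calibri" },
  { userAgent: "Firefox", timezone: "UTC+1", screen: "1366x768", fonts: "Arial,Ubuntu" },
  { userAgent: "Chrome", timezone: "UTC-5", screen: "1920x1080", fonts: "Arial,Calibri" },
  { userAgent: "Chrome", timezone: "UTC-5", screen: "1920x1080", fonts: "Arial,Calibri" },
  { userAgent: "Chrome", timezone: "UTC-8", screen: "2560x1440", fonts: "Arial,Calibri" },
  { userAgent: "Chrome", timezone: "UTC+1", screen: "1366x768", fonts: "Arial,Noto Sans" },
];

// The "fingerprint" here is just the chosen attributes joined in a fixed order,
// so identical values always produce an identical string.
function fingerprint(attrs, keys) {
  return [...keys].sort().map((k) => `${k}=${attrs[k] ?? ""}`).join("|");
}

// How many members of the population look exactly like this visitor?
function anonymitySetSize(population, keys, visitor) {
  const fp = fingerprint(visitor, keys);
  return population.filter((p) => fingerprint(p, keys) === fp).length;
}

// Bits of identifying information: log2(population / anonymity set).
// The visitor is assumed to be a member of the population.
function identifyingBits(population, keys, visitor) {
  return Math.log2(population.length / anonymitySetSize(population, keys, visitor));
}

// Number of visitors who are alone in their anonymity set.
function uniqueVisitors(population, keys) {
  return population.filter((p) => anonymitySetSize(population, keys, p) === 1).length;
}

// Hypothetical tracker model: it remembers which ID it last gave each fingerprint.
class SimulatedTracker {
  constructor(keys) {
    this.keys = keys;
    this.byFingerprint = new Map();
    this.nextId = 1;
  }
  // cookieId is null when the visitor has no cookie (first visit or cookie deleted).
  visit(attrs, cookieId) {
    const fp = fingerprint(attrs, this.keys);
    if (cookieId == null) {
      // No cookie: fall back to the fingerprint, otherwise issue a fresh ID.
      cookieId = this.byFingerprint.get(fp) ?? `visitor-${this.nextId++}`;
    }
    this.byFingerprint.set(fp, cookieId);
    return cookieId;
  }
}

function respawnDemo() {
  const tracker = new SimulatedTracker(KEYS);
  const visitor = POPULATION[1];
  const first = tracker.visit(visitor, null);        // first visit, new ID
  const afterDelete = tracker.visit(visitor, null);  // cookie deleted, same browser
  const changed = { ...visitor, fonts: "Arial" };    // one attribute now reports differently
  const afterChange = tracker.visit(changed, null);  // no cookie and no matching fingerprint
  return { first, afterDelete, afterChange };
}

// Walk through the attributes one at a time for the second visitor.
const me = POPULATION[1];
for (let n = 1; n <= KEYS.length; n++) {
  const keys = KEYS.slice(0, n);
  console.log(
    keys.join("+"), "->",
    anonymitySetSize(POPULATION, keys, me), "of", POPULATION.length, "share it,",
    identifyingBits(POPULATION, keys, me).toFixed(1), "bits"
  );
}
console.log("unique visitors with all attributes:", uniqueVisitors(POPULATION, KEYS));
console.log(respawnDemo());
```

The fifth and sixth constructed visitors share every attribute, so this model cannot tell them apart; everyone else is singled out once all four attributes are combined.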
Arguments for mitigation
In my opinion, you should use whatever tools are at your disposal to limit data collection against you without fear that something will anger the data gods and make you even more of a target. We haven’t been able to hide among the crowd for at least five years.
The more of us who make it harder and harder to siphon our data, the more the cat and mouse game continues, the more I can make my data fuzzy, incorrect, uncertain…the more data collectors will have to spend in time and money to keep trying to thwart our efforts to keep their noses out of our private actions and business.
Nothing about all of this is perfect, and we can’t get this right without significant legislation that provides some oversight and protections, or at least limits who can observe and control our activities. Until then, I will do what I want with my device. Isn’t that the point of privacy and freedom in the first place?
What can you do about it?
I do not like reinventing the wheel. Many have done good work on this issue and on explaining the pros and cons of some “solutions”.
Before I do that, I’ll just tell you what I use and how I use it.
I use multiple browsers for various things, or just to mix it up now and then. But I like that Firefox has some privacy features and controls out of the box and can be tweaked and customized to harden it even further.
These are the Firefox add-ons that I use (some may be redundant) to address fingerprinting, cookies, tracking, and social networks:
- Firefox Containers. Containers allow me to put visited sites inside a barrier that prevents that website’s cookies from seeing other cookies and information about my browser or device other than what’s inside its own container. By default, Firefox puts Facebook in a container.
- Privacy Badger (from EFF) “Privacy Badger is a browser add-on that stops advertisers and other third-party trackers from secretly tracking where you go and what pages you look at on the web. If an advertiser seems to be tracking you across multiple websites without your permission, Privacy Badger automatically blocks that advertiser from loading any more content in your browser.”
- HTTPS Everywhere (from EFF): This is more about general security than it is browser fingerprinting.
“HTTPS Everywhere is a Firefox, Chrome, and Opera extension that encrypts your communications with many major websites, making your browsing more secure.” In short, it forces every website you visit to use its “HTTPS” secure version and warns you when you’re visiting a non-secure website.
- Use a VPN. I will discuss this more later, but if you already have or use a VPN service, you definitely want to use it when you want to throw a misdirect at the websites you visit.
I use other tools such as a Pi-hole and my own VPN, and I use different operating systems, mostly because I just generally like tech and trying different things. Having some variety in how you use your devices and the internet can make it more difficult to get a clear read on your exact details.
Even if you’ve read this far you may not care about any of this. If you’re using work devices on work networks, whether they’re tracked and fingerprinted may not directly affect you.
If it’s your own fingerprint and it angers you that random websites are peeking at your hardware configurations, you may want to mitigate that.
Below are some guides and solutions put together by privacy organizations that have done a deep dive into possible solutions including using advanced Firefox settings.
More guides, solutions and options
- Browser Fingerprinting – Explanation, Tests, & Solutions
- Browser Fingerprinting – What Is It & How to avoid It
- What You Do Online Is Your Business, Not Ours
- Is your browser safe against tracking?
- Firefox Privacy – The Complete How-To Guide
- How your browser can make your online life a little more private
There are no doubt more options and solutions available to you, but this is enough to get you started in the right direction.
In previous articles, I talk about creating pseudonyms online to keep your real information out of non-official databases. When you’re developing your pseudonyms, sometimes any made up address is good enough. I mean, does that company really need my home address just to allow me to download their white paper? They absolutely do not. Today, let’s talk about some privacy tips for shopping online.
For those times when any address will do, use (what I call) the “Law and Order” method. Watch enough of the TV show “Law and Order” and you’ve undoubtedly seen an episode where the “perp’s” address on file is a vacant lot, abandoned building, or in the middle of the East River.
Do that. I mean, who are you going to get in trouble with? The company offering the white paper? What are they going to do, go to the police and complain that you didn’t give them your home address in order to be able to read their branded, aggrandizing, promotional PDF? Yeah. Sure. Find that statute on the books for me.
You can also use non-familiar public addresses such as a public library, post office, public park, the Washington monument, or some obscure roadside attraction in Iowa. Or just make one up. Google Maps makes it easy to find the location and address of every place on the planet, in turn making it easy to give out a real address that is located anywhere.
When you need a physical address
There are times when you must use a real address. Shopping online and other mail won’t get to you if you tell Amazon that you live in the middle of the Ohio River. Also, official profiles such as work, insurance, the DMV and so on require accurate, truthful information, and in many cases it’s illegal to do otherwise.
Unfortunately, not every option here is free, and it sucks that we sometimes have to pay for privacy, but in this instance addresses have never been private.
You’ve probably heard me repeat that almost every data breach includes addresses. Of course, that would be the addresses they have on file for you.
As for your mail and packages, there’s also another problem. Theft. According to C+R Research 44% of Americans have some kind of package delivered weekly. 36% of Americans have had a package stolen at least once. 56% know someone who has had a package stolen. 54% of those surveyed said they have some type of worry or fear about buying a product online that will be delivered to their home due to the potential of it being stolen. There is a better way.
We know how to protect ourselves when purchasing online, so how do we get our stuff without giving our real address away or risking package theft?
Get a P.O. Box
The time tested solution is a Post Office box. A PO box allows you to send and receive mail from its address rather than your home address. A letter sized PO box will run you around $99 (more or less) a year at either your local post office location, or any number of UPS stores who offer PO boxes. You don’t necessarily need to get a large box for packages as most will still hold them for you as long as you don’t make it a habit of leaving them there for long periods of time.
Pro: Some states will even allow you to use your P.O. Box as the address on your driver’s license.
Con: Many financial services, insurance, or other accounts won’t let you use a P.O. Box as your address. The workaround for this may be to find a mailbox place where the box addresses are listed as “suites” instead of “P.O. Box”. Another trick is to get around this restriction by using the address of the post office, and then your box number as if it’s an apartment or unit in the building. It’s not 100%, but it works more times than not.
To find the closest UPS store that offers PO boxes: https://www.theupsstore.com/mailboxes
To find the closest U.S. Postal Service location that offers PO boxes: https://www.usps.com/manage/po-boxes.htm
There are also many independent mailbox type stores all over the world.
Amazon Locker Delivery
If you shop from Amazon, you don’t have to give them your address to receive your packages. Amazon locker delivery has thousands of locations across the country and around the world that allow you to pick up your package from one of their lock boxes. They can also be used for returns.
They’re usually located inside or outside a major store or community area, and are self-service. To use delivery lockers instead of your address, you simply choose the option at checkout, and pick the location of your choice. When your package has been delivered you’ll get a code delivered by text/SMS message, go to your locker location, and get your stuff.
For extra privacy (or anonymity), Amazon also sells and accepts gift cards. You’ll likely find them in the store at the same kiosk as all the other gift cards. Get yourself a gift card (pay with cash), make your order from a device that’s not yours, on an internet network that is not your home, choose lockbox delivery at check out… I’m sure you see where I’m headed here.
Some restrictions do apply, such as size and weight of the package, and you can find them here: https://www.amazon.com/gp/help/customer/display.html?nodeId=201910770
To check if there’s an Amazon locker near you: Amazon Locker Hub
UPS store locations and lockers
UPS also has delivery lockers, and you can request that your UPS deliveries be taken to a UPS store location closest to you. This is not a privacy option since, to my knowledge, there is no way to request this at check out; you have to call and intercept the package when it’s first being processed and request it be directed to one of the locations. But I thought it important to mention if package theft has been an issue for you.
This may come as a surprise, but people didn’t always have mailboxes on their homes, and the post office doesn’t go door to door in every town. The U.S. Postal Service has long offered a General Delivery service that lets anyone with ID have mail addressed to their local post office for pickup. The service is typically for anyone without a permanent address, or who needs a temporary mailing address, but it’s open to all.
I used this service years ago when I’d moved to another city. All I had to do was go to my local post office, tell them I was interested in General Delivery for a short time, show them my ID, and that was it. I think I used it for 6 months, checking in every 90 days to let them know I still needed the service. It was actually pretty awesome since the Post Office was in walking distance at the time. God Bless the U.S. Postal Service. More info about signing up for general delivery here: https://faq.usps.com/s/article/What-is-General-Delivery
Simply use someone else’s address
This is more of an option for shopping online and any other non-official deliveries. Most e-commerce sites will let you send your order anywhere, or have a gift option that you can choose which will prompt you to put in the address of where you want the “gift sent”. It’s cheap, it’s crass, but you know what? It works. You still get your stuff without having to give up your home address.
I never use my home address unless I absolutely have to. Even when dealing with companies who currently have great track records for keeping company data secure, nothing is foolproof or un-hackable. Once the information has been stolen, you can’t get it back.
Trust is a crucial factor when shopping online. In order to make a purchase, you must provide accurate information (billing address) and a mailing address for delivery. It’s a lot of information to leave on someone’s server for eternity. Moreover, you have to be confident that the company (and those who are sharing that information) have the knowledge and resources to keep it all safe. The reality of the situation tells us that nothing is invulnerable.
Not a day goes by without some company reporting a data breach of their customers’ data. Most often, the lost data consists of names, addresses, phone numbers, emails, date of birth, and credit card information. In almost every case, the data breach happened weeks or even months before the company informed you, far too late for you to do anything. Essentially, we cross our fingers and hope for the best when we shop online.
If this happens to you, you’ll likely get $8.52 worth of free credit monitoring for a year, backed by a company that’s already lost your information in the past (Equifax). YAY!
I’m sorry, but that’s not good enough. We need to start protecting ourselves against constant data malpractice and mismanagement.
Disclaimer: Companies providing financial services adhere to U.S. and international banking laws and require truthful information in order to open an account with them. DO NOT attempt to create an account with ANY financial services company using a pseudonym. It is likely that you will not pass the verification process if you have had previous issues with banking, have been on check systems, or have defrauded a financial institution. In such a case, scroll down to Gift Cards.
A virtual credit card provides an extra layer of security for online transactions. It is essentially giving one company your credit card information; however, I believe it is preferable to trusting dozens of companies to keep your information forever. When you search “virtual credit cards” you will find a number of options, but I prefer Privacy.com.
You can create virtual cards on Privacy.com that can be used for one-time purchases, or cards with monthly spending limits. With its browser add-ons, you can create cards on the fly, close them when you’re done with them, or set them to expire after a single purchase. Privacy cards are wonderful because they will work with whatever billing address you give the merchant, so that you don’t even have to give them that (we’ll cover how you get a package later). A verified US checking account is required to use Privacy.com, or you can attach a debit or credit card. Privacy.com is PCI-DSS compliant.
Capital One Eno
If you’re a Capital One credit card customer, they offer a service similar to Privacy.com called Eno. Like Privacy.com, Eno allows you to create virtual card numbers to use online, lets you lock or delete cards on the fly, and, with the browser extension, lets you create new cards right from any checkout page. It has many of the same features as Privacy.com. Eno works with U.S. Capital One credit card customers only. Capital One is FDIC insured.
PayPal is the original e-commerce payment company designed to provide a layer of protection between you and an online merchant. PayPal works a little differently in that you connect your bank account or credit card to your account, and when checking out online you choose the PayPal option. They also offer a variety of other financial services including business accounts, and a debit card for your account. I’ve been a PayPal customer for years and have always been happy with the service. Back in the day when I was just starting out as a freelancer I lived out of my PayPal account.
Pro Tip: Although PayPal does request that you link a bank account or credit card to benefit from all the features, it is possible to have a PayPal account without it and still use it to make purchases, send money to family and friends, receive money, and request a debit card on the account that allows you to spend money from it.
You will still have to fund the account if you want to spend money through it. One way that still works is to just invoice yourself at a different email address. You will be connected as a customer or contact in your PayPal account, but not connected as a source of funding.
Creating a PayPal account is pretty easy, and you generally only need to have not screwed PayPal to qualify. PayPal is not FDIC insured, but uses FDIC insured banks to hold your funds.
By far the easiest and closest thing to e-commerce anonymity is the gift card. Gift cards spend like cash pretty much everywhere. Stores, restaurants, bars, and online. Some even let you withdraw cash from ATMs. They are great for one time purchases, not so much for subscription services but results vary. I’ve paid for a VPN service with a gift card in the past, and they charged it every month until it ran out of money. I keep at least one gift card around for those times when I don’t want to use any of the options above.
To be clear, I’m not talking about reloadable debit cards, which require adherence to U.S. banking laws. Gift cards are purchased in already set amounts, and when you’ve exhausted the funds on them, they’re dead.
Visa, MC, and Amex gift cards generally come in $25, $50, and $100 denominations, and you can find them at pretty much any drug store or retailer, usually where the dozens of other TGI Friday’s, XBOX, and iTunes gift cards are.
If you do purchase store/company specific gift cards they can only be used at that store. This can also come in handy when using services such as Uber, which, in my opinion, is extremely creepy with the amount of information they track even when you’re not using Uber. Uber gift cards are now a thing, so you can grab one to use when needed instead of giving Uber your credit card information.
All the above offer some measure of protection, and even anonymity online. While none are perfect solutions for every situation, having a few available in your arsenal to use as needed should provide you with more than enough options to choose from.
Our phone number is one of the most personally identifying pieces of information that we have. With it anyone can find our name, address, track down our social media profiles, and totally dig into our lives with very little effort. Since most of us aren’t international spies with an arsenal of burner phones and throw away numbers we tend to hold on to the same phone number for years so that the people we want to communicate with can still find us, and also recognize us when we call.
Yet with so much on the line (pun intended) when it comes to protecting our privacy and security, anytime we are asked for our phone number to sign up for something, or get $2 off of our purchase we instinctively blow our own OPSEC (Operational Security) and give it up without any resistance.
Additionally (and relatedly), spam calls are out of control. By some estimates as many as 50% of all calls in the U.S. are spam. It may be virtually impossible to ever get offshore companies (and the U.S. companies who hire them) to respect any U.S. laws governing this, and it doesn’t look like any major advancements in IT security are ever going to be able to stop the continuous data breaches that dump personal account information into the public domain. There is a better way.
The first thing you need to do is let go of the notion that you can only have one phone number like it’s 1913 and yours was officially assigned to you by the Wilson administration. Like email addresses, you can have as many phone numbers as you want.
The goal of having alternative phone numbers in your privacy toolkit that you can deploy at a moment’s notice is to be able to provide a layer of protection, and even anonymity, between your real information and who you’re sharing that number with.
How virtual phone numbers work
A virtual phone number is not attached to one line or device. Generally, calls to a virtual phone number are forwarded to a device of your choice that already has phone service. There are a ton of virtual phone services out there, and you’ve likely heard of some popular options like Grasshopper, Ring Central and others. It would be impossible to mention them all, so I’ll stick to the services that I have personally used to give you an overview of how they work, and how you can use such services to protect your privacy.
Google Voice virtual phone number
12+ years ago, when I started my first web company, I needed a free/cheap way to have a phone number I could use online that was not my personal phone number. I found Google Voice (https://voice.google.com/about), a VoIP (Voice over Internet Protocol) phone service that allows you to create a virtual phone number, and have calls and messages to that number forwarded to an actual phone.
At the time I was able to find a vanity number and still use that number online today. Today available numbers are limited, but in most cases you can still pick your area code. If your alias lives in a different city you may want to see if a number in that area code is available before you create your alias’ address.
Google Voice features
- Free to use for calls and texts in the US.
- Uses VoIP which means you use it online
- Has a companion app which lets you choose whether to call from your Google Voice number or your actual carrier number
- It has voicemail with text transcription which you can access through the app or online.
- You can have your Google Voice number ring to multiple devices.
For more info, just go to Google Voice, or check out the Google Voice article on Tom’s Guide.
If you already have a Google account, you can create a Google Voice number and use the basic service for free. Or you can create a new Google account just for this purpose.
Note: In order to use the calling app and be able to choose which number to use to make calls, your phone needs to be signed in to the same account as your Google voice number.
MySudo virtual phone number
MySudo (https://anonyome.com/) is a pretty neat application that provides more of an all-in-one solution of privacy tools and options. You will see me mention MySudo again, but for the purpose of this article we’re going to hit on the phone number feature.
With MySudo you can create distinct profiles with their own phone number, email, and virtual credit card. It offers end-to-end encryption and free, unlimited communication (call, chat, and video chat) between MySudo users. You can create multiple phone numbers for different uses, and all without ads, or tracking. As a matter of fact they don’t even ask for your name.
MySudo is available on the Google Play Store and Apple App Store. The free version is obviously limited but still very useful especially if you just need an alternate phone number with the ability to get incoming calls and messages.
Get a cheap second phone number
One of the issues you may run into when creating online accounts with a virtual number is that some services will not let you verify with a VoIP number. For situations where you don’t want to give up your “real” phone number, I recommend simply getting a cheap second phone.
You can find some good deals on second-hand phones on sites like eBay, at your local pawn shop, or if you have an old device lying around use that. For service, you can use any number of pay as you go services that can be purchased at most major retailers. Use cash.
A while back I picked up a used, dual sim, Xiaomi Redmi Note 7, running Android 10, in great condition off of eBay for $94.
I went to the local Walmart and purchased a TracFone sim kit ($10) which comes with 3 sim cards, and you can pick your network (T-Mobile, Verizon, or AT&T). I also purchased (2) TracFone $20 mo. pay as you go plan cards (2 GB data, unlimited talk, and text). Since I wasn’t using it as a main phone, and it would mostly be connected to my home Wi-Fi, I didn’t need much data. (I’ve since renewed with $10 mo. plans, still unlimited talk and text, and data rollover.)
When setting your service up you can choose your preferred area code. Also, TracFone doesn’t ask for accurate identifying information or credit cards. You can re-up your month-to-month plan by buying renewal cards with cash. This could come in handy if you’re using this to create one of your pseudonym profiles.
Update: It was reported on 6/14/2020 that Verizon wireless intended to purchase TracFone. Not sure how this will affect the flexibility of the service, but I’ll be keeping an eye on it for you.
The goal here isn’t so much anonymity, but to protect my phone number. If you sign up for something using your real name and use your alternate phone number, it will then be associated with your real name.
You could also use this phone as your 2-factor authentication phone. For extra protection from the normal tracking, I also de-Googled it and installed Lineage OS. (We’ll talk about Lineage in future articles)
Yes, you also could just buy an all-in-one burner phone (phone, sim, and reassigned number), but typically the models are cheap (because they are used as disposables) and overpriced. For the same price or a few bucks more, you can snag a nice used feature phone with decent specs that you may actually want to use.
Virtual phone number pro-tips:
- Check to make sure the phone you’re thinking of buying works on your preferred pay-as-you-go service before purchasing.
- Make sure it’s unlocked and works on GSM networks to give you more flexibility. AT&T, T-Mobile (and the rest of the world) are GSM. Sprint, Verizon, and US Cellular are CDMA. Phones created specifically for CDMA networks will not work on GSM networks, and vice versa.
- Make sure renewal cards are in stock where you shop most. Nothing is worse than not being able to find renewal cards and ending up having to use your credit card to purchase another month of service.
- Walmart has a decent choice of pay as you go plans, and always has renewal cards in stock.
- If you ever get stuck, and can’t find plan renewal cards and have to re-up online or through the phone, go out and pay cash for a $20, $50, or $100 Visa, or MC gift card and pay with that.
- DO NOT use re-loadable cards since they require truthful information to adhere to banking laws.
This is by no means an exhaustive list of solutions and options. If you search for “virtual phone numbers” you will get a crap load of results. I merely wanted to let you know that you do have options, and touch on a few that I’ve used and can recommend.
Do your due diligence, look around, ask questions and find an option that has the features that work best for you and your specific needs.
Virtual or “burner” phone apps are plentiful. Many are not what they seem, are ridiculously overpriced, are just excuses for data tracking, and some are created by companies or developers whose existence I can’t even verify. Proceed with caution when thinking of installing apps on your phone.