Data Privacy Week Spotlight: Disinformation

This week is Data Privacy Week. To celebrate, this week I will be making a series of short blog posts highlighting tools, services, products, and techniques that I feel are underrated to help improve your privacy.

Today I want to talk about disinformation. This is something that deserves a whole blog post itself, as I’ve said before, and I still plan to honor that at some point, but in the meantime I want to discuss some basics. Disinformation is – simply put – intentionally spreading false information to throw off tracking of any kind. There’s a few important caveats before you start using disinformation. First off, never ever lie to government or law enforcement figures. Do not give a cop a fake ID, do not put a fake name on your tax returns, etc. Second, on that note, don’t forge government IDs. Making a fake workplace or gym ID is totally fine. Making a fake driver’s license can land you in some really hot water. Finally, don’t commit fraud. The goal of disinformation is not to cheat anyone out of money or evade any legally-binding agreements, the goal is prevent companies from collecting data about you that they don’t actually need.

The amount of disinformation you employ will vary based on the situation. Are you buying a physical product online that will be shipped to you? Then you need to give them a real address you have access to, like a PO Box or workplace. Are you buying a digital product that will be downloaded, like an ebook, digital album, or video game? Then they don’t have any reason to know your address. You can use disinformation here. Whenever asked to give up information, ask yourself “does this person actually need this information?” If they don’t have a legitimate use for this data – like the aforementioned “sending you a product” – then find a way to not give it to them. Sometimes you can simply say “no thanks” or leave the spot blank. If that’s not an option, then this is where disinformation comes in.

In my experience, there are two main pieces of disinformation pretty much everybody will need to have ready to go, and three optional ones for those who wish to take it further. The main two are physical address and phone number. For physical address, I recommend a hotel. Whether that’s a hotel in town or in another town depends on your threat model and preferences. The reason for this is because some websites will demand a real, verified address or may flag you for using “123 Main Street” for looking suspicious. “28 N Franklin St” looks legitimate though, and that’s because it is. It’s the Hyatt in downtown Chicago. This is much more likely to pass in my experience. The second piece of disinformation to memorize is a phone number. My favorite is (248) 438-5508 – which plays “Never Gonna Give You Up” by Rick Astley – but Michael Bazzell also recommends (909) 661-0001 through (909) 661-0090 and (619) 364-0003 through (619) 364-0090.

The other three optional pieces are name, date of birth, and personal details. These are optional depending on your threat model or personal preferences. Date of birth is easy: Michael Bazzell recommends swapping the month and day and then adding or subtracting a year or two. For example, if your real date of birth is February 5, 2000 you can make it May 2, 1998, 99, 01, or 02. For name, I recommend using a shortened nickname or a middle name. If your real name is Alexandra Ashley, you can go by Alex or Ashley (Alex has the advantage of being gender-ambiguous). This is especially useful if you have a really unique, foreign name. I’ve met a few Indian people with names like “Raj” who Americanize it as “Ron” for simplicity. I don’t know if that’s common but it really helps to completely hide their real, unique names. Finally, for personal details, I recommend “fuzzing.” Instead of full-out lying and risking getting caught by someone who’s an area expert, just be vague or change small details. If you’re the head of the finance department at Sunshine Technologies Inc, say you work in accounting, or you work at a tech company. If you spent a few years in Seattle recently, say you grew up there. This ensures you don’t get caught in your lie (ex – claiming you’re a biologist then meeting a biology professor) and doesn’t give away anything too personally identifying in terms of details or timelines.

Again, this is a subject that warrants an entire blog post, and that will come. In the meantime, I hope you’ll look into this and start giving some thought to your own disinformation preparedness. Using disinformation can help protect you from spam, data breaches, and other forms of tracking. Happy Data Privacy Week!

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here.