Is it possible to be truly ‘private’ while still having some sort of online presence? How much sharing is too much? What can the ‘bad guys’ find out about a person online?
These are all reasonable questions to ask. I respect that some people make a conscious choice to be ‘anonymous’ online, and aim to separate certain aspects of their personality from their ‘real’ identity. There can be any number of perfectly valid reasons for having such concerns and working to retain a degree of anonymity.
I read some good thinking on this topic from Lou Plummer and from Vixiss on the Viscissitudes blog a while back. As for myself, I don’t really attempt to hide who I am behind different presences online. I’ve had chats with people over the years who seem surprised that a ‘savvy’ technical person would be so seemingly unconcerned about their personally identifiable details being available on the internet. I’ve tried to explain my thinking with varying degrees of success, and this post is another such attempt.
Distinguishing security tolerance
Being aware of if not concerned about the online disposition of your identifying information is wise. But what is ‘identifying information’? Security wonks have all sorts of terminology relating to the details of a human and how they should be protected. Two key terms are:
- Personally Identifiable Information (PII): information that can be used to identify a specific human being. This can be things like a name, a phone number, or an address
- Sensitive Personal Information (SPI): Information that, if exposed, could be used to harm a specific human. Examples include financial details, health data, security credentials and the like.
Generally speaking, SPI should be more carefully protected than PII. Personally identifiable details might be visible in various circumstances, but sensitive information should always be secured on a ‘need to know’ basis, protected with encryption, and destroyed securely when no longer needed.
One of the big problems with these terms is that they encompass grey areas that can depend very strongly on the individual’s circumstances. For a person who has been abused by a significant other, a phone number or address would be considered “SPI”. Another person might consider their political opinions or union advocacy to be SPI as it might cost them their job.
One of the first things a person venturing online should do is make decisions about that line between PII and SPI. What details can be shared, and which cannot, for their particular circumstances. What is ‘okay’ for me may not be acceptable for someone else: it might even be life-threatening.
The online reality
Having a good idea of your security tolerance is a good starting point. But the reality of the modern internet, particularly in light of social media, is that highly detailed personal information is extremely available without any ‘personal’ details being exposed.
Facebook (which includes Instagram and others), X (Twitter), Amazon, and Google have information on you even if you never create an account on any service. Nearly every website assigns tracking cookies or the equivalent from several (and in some cases dozens) of different vendors to every action you perform. It may not have your name and address, but the sheer volume of data makes it possible to correlate all the disparate elements into amazingly identifiable details.
A visit to Etsy to look at crocheted baby wear, an online purchase of diapers through Amazon, a google search for postpartum depression, a visit to a news site to read about how hard it is for Gen Z to buy their first house: these can all be linked together. An IP address can likely also be tied to this information, narrowing down a geography. Wifi information can often be tied to the IP address to narrow the location down to a small neighbourhood. A profile of a woman between 18 and 27 who has a recently born baby and is experiencing depression in the Parkvale district of Red Deer, Alberta can be assembled. At no point did the person in question intentionally share any of these details.
Collecting and parsing this information is effectively impossible for a human, but child’s play for computers. The final step to link this to a particular person is often trivial even in the absence of any social media presence whatsoever. A person who has taken pains to never reveal who they are, where they live, or what they think can still be uncovered.
I am by no means suggesting that this obviates any effort at privacy, but it does make it fairly clear that being ‘truly’ unidentifiable would require nearly complete isolation from online interaction. VPNs, encryption, cookie blockers, and the like would help but not completely prevent the ability of modern data mining techniques to make the kinds of connections I noted above.
Would a normal business go to such lengths to identify personal details? Well, that’s a fair question: I would say the answer is definitely yes, they would. This kind of data mining no longer requires ‘state level’ (i.e.: government) degrees of technical expertise: it is within reach for marketers wanting to sell a few more widgets to ‘target’ buyers. And if businesses can do it, so can less benign actors.
My personal take away
I don’t try to hide who I am in my blogs or social media posts. My real-world name and location in the world is easily found by anyone who cares to look. It is possible to link me to family members and friends through simple parsing of the words I write. And I don’t take any particular care to disconnect my opinions from my name.
I do make some effort to secure what I consider more ‘sensitive’ details: I don’t share my chequing account, credit card, or the like online, and I practice reasonably good password hygiene. But I will be toast when the Holy State of Trumpistan or similar dumpster fire power decides to purge all non-believers.
Someone who wants to find me can: I’m not exactly ‘okay’ with that, but I know that trying to properly prevent that would mean disconnecting from the internet, relocating, and avoiding contact with anyone who has an electronic presence. Hiding my opinions would be more possible, but I don’t particularly want to consider that level of self-editing either.
I can’t really recommend a ‘best practice’ here other than to be aware and make your own choices. Maybe the wise ones will be those who wear the metaphorical (or actual!) tin foil hats.
I’m not interested in whether businesses can profile me and market to me. I never see what the problem with that is, anyway. If they’re accurate in their assessment then chances are they’ll try to sell you things you might actually buy so why wouldn’t you want to be told about them and if they’re inaccurate then you’re just going to ignore it anyway. Non problem as far as I can see.
The people I don’t want to be able to find me are people I used to know who I made a choice not to go on knowing or even people I have just plain forgotten about. That’s why I don’t use my real name in any social media and mostly don’t use social media at all. I’m just basically anti-social 🙂