Achieving comprehensive personal privacy is a complicated goal involving a lot of complex, discrete steps. On this blog I (and on the podcast we) spend a lot of time focusing on the highly specific, individual steps. Often we fail to provide a lot of context for why we’re doing them, or how they fit into the bigger picture. This was called to my attention recently when an old friend contacted me. He has a legitimate safety reason to wish to be more private, and asked me for advice. Unfortunately, I don’t have a single blog post or podcast episode I could offer him that effectively introduces the basic steps of protecting your home address.
Protecting Your Home Address
Today I hope to fix that with a very quick primer on protecting your home address. This won’t get into many (if any) specific tools, techniques, or procedures. This also assumes the reader is adopting the “stay in place” model: he or she is staying in the same apartment/house/whatever rather than moving. This article also assumes the user is a DIY-er and doesn’t have access to any special resources. All of these steps are covered in very specific detail in The Complete Privacy & Security Desk Reference. There are a few sub-steps to this guide but I’ve tried to streamline it and make it as user-friendly as possible.
1. Refine Your Threat Model
Who is going to be looking for you and how hard are they going to try to find you? These are the first questions you have to ask and answer. While we’d all theoretically like to be Jack Reacher (“…you don’t find this guy unless he wants to be found”), getting there requires a ton of time, effort, and expense. Sadly, while working within the constraints of real life (and finite amounts of time, energy, and money), “getting there” isn’t a very real possibility for most of us. Fortunately, privacy can exist on a spectrum. This spectrum is influenced by how much you are willing to put into it.
Your threat model should be tightly tailored to your specific situation and your specific adversaries. Are you just looking to lower your exposure a little? Do you have a crazy (but not physically dangerous) ex? Do you have a physically dangerous ex? Are you a law enforcement officer or federal agent? Are you a juror in El Chapo’s trial? Some of these threat models will indicate that you drop everything and pursue privacy as if your life depends on it…because it very well might. Some of them will dictate you take reasonable precautions in protecting your home address. Some will recommend you pursue privacy casually as your free time and extra money permit. Ultimately this decision is up to each individual.
In addition to my articles that I linked to in the previous paragraph, EFF offers an excellent primer on threat modeling, available HERE. Though it is written specifically for digital threats, the principles are broadly applicable. Once you have a assembled a meaningful threat model, you can proceed with the steps below. Regardless of your threat model you will need to take all of these steps, but your threat model should drive how deeply you go into each.
2. Assess Your Exposure
The second step in this process is to discover what personally sensitive information is exposed. This discovery process ranges from the very simple to the very complex. Though I’m leaving a lot out, the following three “levels” are a good place to start:
Simple Google Searches: The first thing you should do is what most “bad guys” will do: Google yourself. Anything that instantly appears in a Google search result should be your top priority for removal in the next step. There are a number of tricks you can use to make these results more relevant and refined, like putting your name in quotation marks, and searching your address rather than your name.
“People Search” Sites: There are scores if not hundreds of low-level “people search” sites like Spokeo, BeenVerified, et al. These sites typically allow you to search by name/city/state. Some, like SpyTox.com, also allow you to search phone numbers, email addresses, and usernames. Combing through all of these will take some time, but it will be well worth it. The Complete Privacy & Security Desk Reference contains a massive list of these sites.
Credit Bureaus and Top-Tier Data Brokers: Since the credit reporting agencies (ChexSystems, Experian, Equifax, Innovis, and Transunion) have all of your financial data, it is in your best interest to know what they know. This requires nothing more than requesting a credit report from each agency.
Data-brokers like Axciom, LexisNexis, and Westlaw maintain much richer profiles about you that are dozens of pages long. Querying these systems can be more challenging and may require a small fee ($5-10). Unless you are a protected person (law enforcement officer/agent, officer of the court, identity theft victim, etc.) suppressing this information may be difficult. Regardless, you should know what information they possess about you because this is the data that is bought and sold and ends up on the open internet.
During the discovery process, you should take time to carefully catalog each site that publicizes your information. You can do this on paper, browser bookmarks, or whatever works best for you, but you have to do it. This will allow you to quickly and easily find these pages when you move on to the next phase.
My friend Drew has written an excellent primer on “self-stalking”, available HERE. It discusses the process briefly, and offers some excellent free tools to help you out. I highly recommend it as this is a key step to protecting your home address.
3. Remove or Suppress What You Can
Once you have found all the sites and services that publicize your personally identifiable information (PII), you can begin removing it. Your threat model will determine how far down this path you need to go. Again, I’m leaving a lot out and only hitting highlights, but the following are three of the biggest areas that require your attention.
“People Search” Sites: Your basic people-search sites will require very little effort to opt-out of. Typically these require nothing more than filling out a simple online form, or sending in an email (I recommend politeness if you are required to email directly).
Top-Tier Data Brokers: Most readers won’t be able to do much about these without significant effort. The Complete Privacy & Security Desk Reference discusses some novel techniques for preventing these companies from selling your information, however. Law enforcement officers and other protected individuals will have an easier time getting results from this sector.
Credit Bureaus: Like the top-tier data brokers, you cannot opt-out of the credit bureaus’ data collection systems. I personally find this offensive, as these services cannot be trusted to maintain control of the massive amounts of data they hold. However, you can suppress the information they still possess and prevent it from being traded as a commodity. This requires you sign up for a credit freeze (or security freeze) with all five credit reporting agencies. I explained how to do this in this post.
This step requires more or less constant maintenance. The online databases are constantly updated as new information enters the system. New people search sites pop up every week. Data breaches happen with shocking frequency. All of this means that you need to search yourself occasionally, and remove any discovered results immediately. I would recommend monthly at first, and gradually phasing to bi-annually as the deluge slows to a trickle.
4. Obfuscate What You Can’t Remove
You cannot opt-out of everything. Do your best to muddy the water of everything that is left.
Use a P.O. Box: Some services will require a mailing address at which you can actually receive mail. Instead of giving out your home address, use a P.O. Box. For the services you already have, update this change of address with them. This won’t make you invisible, but it will obfuscate your physical location. I have written about the benefits of using a P.O. Box here before.
Control Your Mail: My friend Drew has another excellent article on junk mail control. The gist of it is to find every place that has your address, and change it. Drew’s article contains a ton of helpful links and goes into the process in greater detail.
Use Disinformation: If you can’t hide your location totally, you can create instances of your name at multiple other locations. Though somewhat counter-intuitive, creating records of your name all over town can help you in protecting your home address by creating chaff to sort through.
Creating disinformation is done by “gaming” the system that put your name online in the first place. This might require doing things like signing up for a CVS card in your name, but listing another apartment building across town as your address. Another option is to sign up for free magazine subscriptions, or requesting more information from ADT, again using your real name but a false address. IMPORTANT NOTE: don’t endanger someone else by using a specific house or apartment number!
5. Altering Your Behavior
This is perhaps the hardest part, and the part I tend to focus on the most: maintaining your hard-won privacy. Maintenance isn’t a checklist you can run through, it’s an ongoing, day-to-day, implied task. Some of the changes in behavior necessary to prevent this information from being repopulated online include:
Never Giving Out Your Home Address: Going forward, protecting your home address hinges around not giving it out. There is an important caveat to this, however: never give out your home address in association with your real name. Adopting this change is absolutely necessary if you are serious about protecting your home address. Data brokers will quickly aggregate this information and undo all your hard work. You can still get packages and food deliveries at home…as long as you use a false name and tools to protect your credit card information. You should even be careful with friends and family who will store this information in data-sharing contact lists.
Using Privacy-Enhancing Tools: Tools like Privacy.com, Sudo, and Blur facilitate protecting your home address. They allow you to use virtual credit cards, forwarding email addresses, and masked phone numbers. All of these pieces of information become single points of failure in the mass data collection machine. Guard your “real” credit card number, SIM card phone number, and email address jealously.
Changing or Eliminating Social Media Habits: This is perhaps the hardest step to take for many. If you have the Facebook app (or any other Facebook-owned apps like WhatsApp, Instagram, etc.) it knows where you live. It has access to all the Wi-Fi hotspots your devices connects to, their SSIDs, IP addresses, and more. Facebook cannot be trusted to take care of you; they have proven this repeatedly. If you absolutely cannot delete your Facebook account, at least remove the app from your device.
As I mentioned at the beginning, this is but a rough outline and leaves a lot out. Each bullet in this list requires many individual steps. Feel free to weigh in below if I’ve missed something major.