Data privacy is one of the biggest issues of the 21st century. More than ever, people’s personal information has a monetary value for both corporations and governments. It’s come to a point that it’s even spawned an industry.

Data brokers are companies that collect information on individuals and sell it for profit. They collect information by buying it from other companies, crawling the internet for public sources of information and many other legal methods. Once aggregated, filtered and correlated, this data can have an immense value. In fact, the data brokerage industry is estimated to be worth $200 billion a year.

This data is important because companies use it for marketing and lead generation, ultimately to generate more revenue for their business. But also in the OSINT world, we have data brokers who employ the same methods to make it useful for investigations, threat analysis and more, often exposing the data through APIs for use in tools like SpiderFoot, Maltego and others.

Source: securitymadesimple.org

As an OSINT practitioner, you may have even benefited from having access to such data, but as a privacy conscious individual, there should be alarm bells ringing in your head!

Fortunately there are many things that you can do to reduce your “digital footprint”, which is the amount of information online about any individual person. The first thing you need to do is understand how you may be leaking your data online unintentionally.

In many instances you leak information online just through normal browsing activities without even noticing. Despite what many people may think, most of the time we willingly give away our information by consenting to different services or platforms.

To help raise awareness we have compiled a non-exhaustive list of ways that people unintentionally leak data while online and finally provide some pointers to help you avoid them.

Advertising Cookies

The most prevalent online tool for monitoring users in advertising is through the use of cookies. Cookies are small snippets of text sent by the website(s) you visit, saved by your web browser and stored on your device. Websites use cookies so that your device, IP address, browsing history and other details can be remembered for later use. While we should remember that cookies are stored on your local device, the website that created the cookie in the first place will have access to it. This makes it possible for the website to know you are a repeat visitor, what you previously did on the website and more, even if you haven’t created an account on the website.

Device Identifiers

In addition to cookies companies can also track you based on your individual device. This is done through a technique called device fingerprinting which uses a device’s attributes such as its operating system, web browser, IP address and other characteristics to set it apart from other devices that visit the website. This information can be used to identify you and target you with personalized campaigns.

EXIF Image Data

Details about when, where and how a photo was taken is automatically captured by smartphones and digital cameras. This information is stored as exchangeable image file format (EXIF) data. EXIF data can provide a significant amount of information and is automatically shared with a picture if you post it online or send it to someone.

This includes time the picture was taken, the date, and in some cases GPS location. EXIF is just one type of metadata that can be found whenever you post a picture online. Some other files like PDFs can also carry metadata that can give away information on when and where a file was created. 

DNS Leaks

DNS stands for Domain Name Service and it’s one of the most fundamentally important services for browsing the internet. DNS allows computers to map hostnames such as facebook.com, twitter.com or google.com to their corresponding IP address. The IP address is then used by your computer to locate the exact location of the content you are trying to load.

The problem is that DNS servers typically keep a record of each time this occurs, which means there is a record of every website that you visit and by law in most countries your internet service provider would be required to give this information up to any authorities that legally requests it. Depending on the fine print in the terms and conditions you agreed with your provider, it may even be sold to third parties.

Internet Services

This is a catch-all for any service you access from your personal device over the internet, including but not limited to:

  • Websites
  • Apps
  • Search Engines
  • VPN services
  • Torrents
  • APIs
  • So much more…

Accessing services on the internet most often results in the logging and storage of your device’s IP address on a remote server somewhere. A great example is the IKnowWhatYouDownload service, which analyzes data from torrents to identify what IP addresses have been downloading/sharing certain data.

Even if the service itself isn’t tracking your IP intentionally, system administrators will often have access to system-level log files containing your IP address. Even VPN services, which are there to shield your privacy from your ISP, still keep logs and cooperate with law enforcement if required to by law.

What’s so bad about logging IP addresses? Depending on your internet service provider, your IP address may rarely change, meaning there is a strong link between the data associated with an IP address and you personally. IP addresses can also be traced back to a general area (to the town level, sometimes even to a street or address level) very easily.

Tips for remaining anonymous online

Use a Privacy-Focused Browser

Some browsers are more privacy-focused than others. They come with built in privacy features such as ad tracking protection, malware protection, encryption, protection from cookies and anti-fingerprinting protection. Some browsers such as Firefox not only come with these features but they are open source, which means the code for the browser is open for review by the online community for any signs of misconduct. Some of the most secure browsers when it comes to privacy are Firefox, Waterfox, TOR and Epic. These browsers are well known for protecting users from having their browsing history and device information leaked. 

Use a (trustworthy!) VPN

VPN stands for virtual private network. It is a means to prevent people from tracking your IP address. A VPN intercepts traffic that would normally travel directly from you to the internet, routing it through another system somewhere in the world. It provides a secure connection between your device and the server you’re trying to connect to. It’s a good extra layer of security to have whenever you want to browse the internet anonymously, provided you do your research and pick a provider that doesn’t log your traffic and operates in a legal jurisdiction that doesn’t require it to do so or to hand over your data. 

Source: AT&T Cybersecurity

Use private search engines

The last tip we have for preventing your data from being leaked online is to use private search engines. Some of the more popular search engines have been well known for tracking people’s search history and developing profiles for targeted ad campaigns, among other things. There are other search engines such as Duckduckgo that are well known for not recording people’s search history. By using a search engine that doesn’t retain this information along with a browser that doesn’t store your browsing history you significantly reduce the possibility of companies tracking your activity online.