Privacy Journey by John
Guest article with great privacy insights
[Note to Reader: Today’s article has been written by a guest writer John. I have never met John but he asked if he could write a guest blog and I was thrilled. The Privacy Society is about building a community, so if any of you have an article you like for us to publish, please send it to us for consideration. I really enjoyed reading John’s insights and I know you will too. Thanks John.]
Preface from John
Thanks to William for letting me write this guest article for the Privacy Society. I have been at this since the late 1980s, which gives me a different perceptive than most. The focus of this article is specific privacy techniques I use so that you can consider adding these to your tactics.
In the beginning…
What got me interested in privacy was realizing how little personal information we need to divulge before the floodgate opens. I regret doing what I am about to tell you.
It was 1988, I met a girl I was smitten with. She gave me her first name and phone number. I wanted to know a bit more about her so I called a public (but not well known) service with the phone company that did reverse lookups of phone numbers, I now had her last name.
With this, I looked up her listing in the white pages phone book. I now had her address. I worked as a loans officer for a financial institution and ran a credit bureau on her (with neither her knowledge nor her consent, which I really regret). I now had her full name, previous addresses, employment history, social insurance/security number, credit history, her divorce decree, and her bankruptcy history. She never knew I did this … and I regret doing it. My point is that all I needed to unlock this information was her first name and phone number!
It made me realize that there is no benefit to putting my personal information “out there.” There was just downside. This was the beginning of my privacy journey!
In those days, all I needed was an unlisted phone number and a post office box to stay mostly “under the radar”. It was an era when most organizations were not trying to monetize their customers’ personal data. It was a simpler time.
Like William, I am in Canada. The tactics I am going to describe might be different for readers elsewhere.
Phone Techniques
William has done a great job in articulating the threat from modern cell phones (I refuse to call them “smart phones”) invading our privacy by generating a data stream on their users, transmitting this data to their “home base)” and re-selling it. My basic premise is to minimize and disrupt this data stream as much as possible.
Do you really need to have your phone on all the time?
I do have a complex phone system. What I am sharing here is a limited part of it.
For my ‘house-phone’, I rely on an old Pixel 4 running CalyxOS (the best OS for security) without a SIM card that connects to my home Wi-Fi. As I leave, my house, I turn off the phone’s wi-fi manually. I connect this phone to my car’s stereo via Bluetooth begrudgingly. My previous car had an analog mini-jack. I don’t use my car’s phone app, so my car has no way to transmit data to its manufacturer.
My “away-phone” is also a Pixel with GrapheneOS (the best OS for privacy). When I get to the next town, I can take this phone out of its faraday bag and turn it on. However, it typically remains turned off and in a faraday bag most of the time. Again, why turn it on if you don’t need to? This way, its location is untraceable. I have neither had this phone turn on while I am home nor within range of the closest cell tower to my house.
I neither use Wi-Fi nor Bluetooth with this phone. I use a VOIP over the phone’s data plan with a VPN to hide my location. I have never used the actual SIM card phone number. The phone service is a pay as you go that I bought in another alias name using a fake address in a faraway city. This method allows me to have several phone numbers that all ring to the same device.
My main phone number with voice mail that does not identify me in the outgoing message
My old “legacy” phone number - no voicemail
My main alias phone number - no voicemail
My secondary alias phone number - no voicemail
I simply answer my phone by saying “hello.” I do not identify who I am until I know who is the caller.
My main mode of telephone communication was a 1990s style paging service. (In Canada http://www.pagenet.ca/ - currently $10/month) With pagers, the service provider does not know your physical location the way cell providers do. I recently discontinued this service because I do not get many phone calls anymore.
Post Office (PO) Box
With my Canadian PO Box, I have some latitude to disguise my PO Box as a regular address by implying than my PO Box is an apartment/unit number. That is, the structure of my mailing address is
PO Box 10023
Centerville, AB
A1B 2C3
Some services (i.e., PayPal) will not accept a post office box as an address. I simply changed it to
12 Main Street (the physical address of the postal outlet)
Unit #23
A1B 2C3
The Canada Post PO boxes allow you to specify several names per post box. This is a great way to get a mailing address for your main alias name. I did not want my alias name and my real name on the same form (particularly a government organization). Thus, I ‘transitioned’ my alias by sending ‘test letters.’ When the post outlet manager asked, I just said “he gets mail here too.”
Canada Post has franchise “postal stores” that are typically in pharmacies. These give more “latitude” to social engineer than a government-controlled post office.
Alias Name Ghost Address
It is becoming common for apartment buildings with security buzz entrances to not list the tenant’s names (for privacy reasons). I found such an apartment building, which I use as a Ghost Address for my secondary alias name. If someone tries to send postal mail to this address, it will be returned as an incomplete address (as an apartment number is necessary). If someone tries to visit me there, they will not be able to get through the door buzzer as neither my name nor any names are listed. The only way someone can reach me through this alias is in my specific VOIP phone number or matching Proton Mail email for this alias.
Former Address
Canada Post lets you forward postal mail from your old address and seems to let you renew indefinitely. I deliberately did not notify a MasterCard about my new address. This credit card notifies the credit bureau if you run a balance. Thus, I perpetuate the use of my old address to the public domain. Even though I can and do pay off my credit cards every month, I deliberately miss the occasional payment to invoke them to report to the credit bureau.
Obfuscation
With my old address, ghost address, my post office box. My actual physical address has been obfuscated. I live in a rural area where I de-commissioned my end-of-laneway mailbox. Postal mail sent to my real residential address is returned to sender as undeliverable. In rural areas in Ontario Canada, there is a green and white “fire number” sign at every address. My fire number sign was knocked over when I bought my property. I did not fix it. As a result, Google maps displays the wrong location for my physical address. I made a stand to hold this sign. I put it up for the rare times I have a delivery or service call (for which I use an alias name).
Laptop
For remote use, what most people use a cell phone for, I use a laptop. I keep a mini-laptop running Linux in my everyday carry bag (albeit, I have less and less use for or it). Typically, this is for email and my VOIP phone over public Wi-Fi. I use a VPN for security and to obfuscate my location.
I could just use my home-phone to connect to public Wi-Fi anonymously. My phones are set to randomize their MAC address, once I connect to public Wi-Fi, I invoke the VPN app. My rationale is that my away-phone has more layers of privacy than my home-phone.
Use Cash
William wrote a great article on using cash, which I do not want to re-iterate. I make it a point of paying cash wherever possible. The more we use cash, the less merchants will want to discontinue its use. Cash eliminates any ‘paper trail’ linking you to a transaction.
Use Credit Cards Tactically
Privacy aside, sometimes you must use a credit or bank card to do a transaction. As I mentioned, I have a MasterCard that still has my old address in another city. (My main bank has my PO Box as an updated address.) When I visit this city weekly, I use this card. If MasterCard is data-mining me, everything looks normal. I normally pay this off fully every month. Occasionally, I will skip a month, which invokes them to report this to the credit bureau … under my old address.
Third party Credit Card
Many credit card providers will permit you to add a 3rd party to your credit card. I have such a VISA card in the name of my main alias. This can add credibility to your alias name. All I keep in my wallet is cash, this alias name VISA and a bank card that does not have a name on it. This is all you need to ‘social engineer’ more ID.
For example, when I joined a health club, I used my alias name. They took my picture and put it on an entry card. This entry card also had my alias name on it. With two pieces of ID, one with a picture and a credit card, I can adequately use my alias name.
I keep my other ID (i.e. driver’s license, VISA in my real name, etc.) hidden in my car. If I lose my wallet, I am out a day’s supply of cash, my bank card and VISA card, which I can cancel and get replaced with phone calls. Losing government ID is more complex to replace so why carry it with you? Occasionally, I will need to go back to my car to fetch it, but this happens infrequently. It also gives me time to question why the organization needs to see my government ID.
Reflectables
Facial recognition AI technology is a growing concern. When I am out in public, I normally wear a hat and Reflectacles glasses. Before you say, “I don’t want to be that guy who wears sunglasses inside like move star”, consider how intrusive it is becoming.
Facial recognition is being aggressively used in North Americans airports in the boarding process. Retailers are understandably adopting this technology to reduce shoplifting. Wal-Marts now have cameras in their self-checkout payment machines.
AI Abuse: Shopping mall landlord Cadillac-Fairview using cameras, 5 million customers captured. - Read more
AI Abuse: Invenda vending machine company was caught using secret imbedded cameras connected to facial recognition technology. - Read more
What is to prevent them from tracking who you are, what you buy, how often you visit? What if they sell this data on you? What if government buys this data and uses it to track where you go and what you buy?
Mini-Faraday Bag for Key Fob + RFID Wallet
As Canada has become the top country in the world for car theft, I have a mini-Faraday bag that I keep my car key fob in. In addition to being a theft protection measure, there is a privacy measure to this. I have noticed an increasing number of one-way gates in stores to prevent theft. What if there is an RF scanner in these gates that scans your key fob and/or your credit-card’s tap-chip … as it records your facial recognition of you entering? I have an RFID wallet to prevent my credit/bank cards from being scanned.
At this point, I am virtually undetectable. I am neither emitting a phone signal nor a credit-card signal, facial recognitional technology is thwarted. I am a greyman who is not being tracked.
Broken Cell Phone
I wish I was making this up. I have an obsolete and broken cell phone. I smashed the screen with a hammer for added effect. Sometimes, I get into a position where a vendor wants a cell phone for something. For an example, a restaurant wanted my phone number to page me when my table was ready. I just show this broken cell phone and accommodations are made, no needless giving out my cell phone number.
Non-Address ID
If an organization insists seeing government ID, my first go to is ID that does not have my address. In Canada, this is my gun license, passport or health card. I kept my old driver’s license with my previous address, which I can use to create disinformation as to where I live.
Conclusion
We have seen those ominous pictures or videos of the monitor screen for AI surveillance cameras.
The image implies that if the user monitoring the screen selects a person, then the system will identify who this person is. I want to be the “greyman” that such systems can’t identify.
[Note: Privacy Society is working hard on an app that gives you a virtual phone number on your phone with just requiring Wi-Fi. I hope John will need be a beta tester when we are ready.]
[From William: Thanks John for this insight and I appreciate you writing this guest article. Very insightful. Stay private everyone.]
I'm newly awakened by how deep we are being surveilled. Been enjoying this substack. I very much enjoyed learning about your journey John. I learned lots and have more more to-do. Thank you
Fantastic piece John. You obviously have deep experience and expertise in this area and I learned a lot of new techniques from this article, many of which I plan on implementing into my daily routine, but I was also happy to read that I am already using some of the techniques that you mentioned. The sharing of knowledge and past/current experiences through articles like yours (and Williams) will help us all learn and get better, while also growing this community.
Again very well written piece, I enjoyed it a lot.
Thanks,
~K