The Good Kind of Deceit

Alec Harris
7 min readMay 11, 2021

--

Big data is not your friend. You though, my crypto owning compatriot, can turn the information sucking tools of the privacy pirates from the data broker industry against themselves. Their methods are so pervasive and so unscrupulous that its actually somewhat easy to manipulate. If you read the first article in this series (https://chalice-perky470.medium.com/bearer-asset-privacy-4e7d38462df8) then I’ll assume you are already fully on board with the need to separate your digital identity from your physical pattern of life as part of protecting you crypto holdings. That’s the defensive side of the house. This article is about offense. If you execute on defense perfectly then you may not need to run much offense, but you should anyways. Think of it as civil disobedience.

The first step is to recognize the near infinite data collection points under the command of the data broker industry. Some are obvious. When you purchase a home in your name, the transaction is recorded publicly and easily attributed. Data brokers scrape this data and make socio-economic assumptions based on your address. Maybe a little less obvious is the aggregation of your over-the-counter medicine purchases, your insurance history, and your health-related internet searches. Say you increased your purchases of Advil, started making regular visits to a physical therapist, and spent an afternoon googling “hip replacement”, yup, that gets collected by data brokers under the rubric of “health profile” and gets resold to interested parties. Imagine how this could be used against you. Personally, I only search for medical related information behind a VPN, using a specific Firefox container for medical inquiries, with DuckDuckGo as my search engine. It shouldn’t be that hard.

Other examples of data aggregation include how hard you hit your car breaks and whether you look at your phone while driving. I’m in favor of safe driving too, but privacy invasions tend to start with things we can all agree on and end with the unchecked commoditization of your [assumed] preferences. In fact, there’s a growing industry around so-called “Non-Traditional” or “Alternative” credit scoring. Guess who is behind it? The data brokers. They package and resell information such as employment history, criminal history, rental history, online shopping behavior, and cellular plan data including how often you let your cell phone battery die. Apparently if you don’t reliably charge your cell phone you don’t deserve a mortgage. In fact, here’s a quote from data broker Lexis Nexis extolling the virtues of non-traditional credit as if it’s some kind of favor:

Non-traditional credit scoring relies on the detailed analysis of positive and derogatory life events, evidence of assets and address stability, presence of criminal convictions, liens, judgments or bankruptcies, positive identity verification and high-risk pattern recognition [emphasis added].[i]

Wondering what “high risk pattern recognition” actually means? Me too. It sounds a lot like the “Signature Strike” military doctrine defined as:

A military attack by a drone or drones in which people are targeted because their activities are believed to fit a particular behavioral profile, though their individual identities are unknown. [ii]

Unlike UAVs, the data brokers don’t wait until sunny days and warn with low altitude buzzing before striking. They sit behind our entire digital lives, silently collecting, aggregating, parsing, contextualizing, selling our data and delivering shareholder value along the way.

Given how greedily the data brokers ingest data from sources regardless of quality or certainty, we, the David to their Goliath, can take advantage of the asymmetry in the relationship by counting on them not to spend much time checking for accuracy. Since we know where the data brokers look for their data, we can decide what information we leave for them. With a little knowledge and a fair amount of patience we can feed the data brokers a curated data set filled with falsehoods. This is disinformation. Before starting, you should know that a disinformation campaign can create problems for you and those around you. Identity verification will likely become onerous going forward. Everyone has been through some form of identity verification where the verifier asks a question like “Which of these addresses have you lived at in the past 10 years?” Your disinformation addresses may appear on these lists. If your disinformation campaign is successful, you’ll end up confusing some services and probably some people too. That means its working. It’s important to take extremely careful notes as you implement your campaign though, or you risk confusing yourself as well. Write everything down, even if it doesn’t seem important. Also, don’t use these techniques against the Government. Sadly, you can lie to the grocery store but not the IRS.

There are two main efforts to a personal identity disinformation campaign. The first is to make it look like you live somewhere else aka projection. The second is to make it look like someone else lives where you do aka obfuscation.

Some disinformation campaigns include cell phone number disinformation, which, I agree, is important. At Halo Privacy we have hidden cellular numbers and just in time burner lines which obviate cellular disinformation so luckily, I, and you, now that you know me, don’t need to bother with cellular disinformation. If you are relying on traditional cellular the best option is to have one public facing cell phone number which you include sparingly in your projection campaign and one private facing cellular line which you use for things like 2fa.

Ok, let’s make it look like you live somewhere else. There isn’t one correct way to project false addresses. For some it may be better to project an address intentionally far away. If you have a stalker, a faraway projection is best. If your goal is just greater privacy, then project an address in the same state or even county. I like an address that is reasonably within your pattern of life. If you hate the mountains and everyone knows it, don’t pick Vail. Try to pick something consistent with your socioeconomic status as well. It might be fun to pretend you live in a $40 million dollar mansion, but it will be too easily discredited by an adversary. One option is to try to find someone with a similar name, living in a multitenant building and then use that same address with a different apartment number for your campaign. (The similar name helps create more noise around your fake address.) Some quick research will yield the true number of apartments in the target building. Your fake apartment number should be plausible but, ultimately, not a real unit. Here’s your checklist:

1. Pick your new hometown

2. Find someone with a similar name living in an apartment building in your new hometown

3. Identify a fake apartment number in the same building

4. Write down the phone number for the front desk. You’ll need it later.

5. Welcome home

Now that you have a new address, you’ll need a throwaway gift card. Trust me. Head to any grocery store and buy a $50 Vanilla Visa or similar pre-paid gift card. You’ll also need alias emails. I like AnonAddy but there are other services. Now plan to sit down for a couple hours and sign up for every and any mail service you can think of and have them send you mail to your fake address. Some good examples are cruise industry mailing lists, reverse mortgages, ‘free” online sweepstakes, free samples, timeshare information packets, and magazine subscriptions. For magazines you will usually have to pay something, hence the Vanilla Visa card. As you sign up for all of these services, use your fake address, real name, one-time alias email addresses, and if a phone number is required you can put down the number from the apartment building front desk. I realize that’s ethically a gray area so you could also look up “always busy” phone numbers (they exist for many area codes it turns out) and use one of those as your number. The more mailing lists you sign up for, the better.

The next step is easy. Wait. Most, if not all, of these services will gladly mail you promotional junk mail, but they also resell your information to data brokers who start populating it into “tier 2” databases like Spokeo, Whitepages, Axciom, People Finder, etc. It may take a six or more months but eventually you will be able to look yourself up in these databases and find yourself associated with your fake address. Congratulations — you used the data brokers against themselves.

For the obfuscation campaign, the short story is that you take the methods above but instead of a fake address, use your real address. And, instead of your real name, use a fake name. I like to use a couple names to start populating a few possible fake residents at my real address. It’s a slight nuisance to receive a lot of junk mail, but I find it comforting to see mail coming in for my pseudonymous roommates. Eventually you will be able to search for your real address in the data broker databases and you’ll start seeing the fake names pop up as if they are real people living at your address.

The key to all of the above is to make it a hobby. It’s called a disinformation campaign because it’s an ongoing effort. Once you’ve completed the initial push, set aside time every month to continue adding noise to your campaign. Some things you could do over time to make your disinformation more realistic include:

1. Craigslist listings

2. Google business listings

3. Fake family trees (plenty of family genealogy services exist online)

4. “Sock Puppet” social media accounts

5. Wedding registries

The point is to keep pushing out your fake information over time so that it matures and continues to collect. Use your disinformation data to create business cards and drop them in every “free lunch” business card bowl you see. Make disinformation a lifestyle. Treat it like a sport. Eventually there will be data chaos surrounding your online identity and truth will blur with fiction. The blur is your armor.

[i] https://insights.lexisnexis.com/creditrisk/wp-content/uploads/2012/04/Evaluating-Credit-Risk-Non-Trad-Borrowerspdf.pdf_

[ii] https://www.lexico.com/definition/signature_strike

--

--