I spent some time cleaning up old accounts , search engines and emptying social media (filling it up with randomness and renaming user ids).
Also went through 5 years of banking records to see what shops I interacted with, sent them gdpr deletion requests because of the many breaches.
What do to next?
Except for changing online behavior, changing communities and frequently changing browsers and browser variables.
Threat model: anti Big Tech hobby and I have a psychopath stalker who happens to be a hacker , who does social engineering attacks and plays psychological games ever time he gets new data.
Now the cleanup phase is done, is it wise to create fake profiles on various platforms in my real name but with misleading info like work places, travel places, current intererest… basically spread false leads? What would be the pros and cons of this approach?
I would focus on securing accounts that do exist and deleting. Especially if you have reason to believe you’re being actively targeted, even if it’s by someone that doesn’t have much technical capability.
Many online accounts can be secured with Passkeys.
Either the Digital version as generated by Password managers or the (far more costly) physical version as with YubiKey.
Google is by no means great for privacy but it’s advanced protection program is designed to prevent anoyne else from accessing your account and you can activate it by loading a Passkey into more than one Password manager.
Apple supports hardware Passkeys. I don’t quite recall what Microsoft supports and how.
Securing any online accounts that have access to your devices using some form of multi factor authentication is going to be a big step in security here in my opinion.
I would start building out a secure identity for accessing important stuff, especially financials.
At mimimum an email account with multi-factor authentication you don’t share with anyone and if possible a phone number. Never share these with a person and only use them to log in to important accounts. The next step is getting accounts into a password manager and using long randomly generated passwords.
Review the recovery options and information for any account you set up. It’s important to have a recovery plan if you lose your devices or forget your password.
Proton is a potentially convenient platform here given that they have email, password manager and an authenticator app. This can however “put all your eggs into one basket” and you should be cautious to implement high security standards for the account and have local backups on a device you can access even if your own devices stop working.
If you have an Apple device, even the cheapest iCloud+ subscription can be a great investment for the sake of the “Hide My Email” which is very well supported.
Starting to run accounts from Aliases with strong associated passwords doesn’t work for everything but it’s a useful tool where possible.
Regarding the data poisoning.
I don’t think there’s any meaningful evidence that this is useful against the sort of corporate monitoring most people here are trying to protect against.
It might trick the stalker.
But I’ve also seem privacy related forums with regular questions from people who had companies like Facebook request their goverment ID after they tried doing things like this. It can also be an issue if someone you want to know finds it and gets the wrong idea.
Data poisoning might trick the stalker into targeting dummy accounts that don’t give them access to anything useful.
Unless you have something specific in mind for a
“Honeypot”
Something intentionally set up to look like a useful target to a hacker with no access to anything useful that notifies you when it’s accessed.
Securing accounts and keeping them private seems like a more worthwhile effort than trying to leave fake breadcrumbs in my opinion.
Not quite sure how to deal with something like LinkedIn that you might set up specifically to look for a job.
My post will be fully focused on the stalker, as it seems more urgent than protecting yourself from big tech companies, which at least are not a life threatening risk.
I would always keep my personal devices with me and never leave them unattended, especially outside.
If someone has physical access to your device, it’s easy for them to install malware, especially if they have the necessary skills.
Just having access to your device can allow them to bypass security measures and compromise it at a deeper level.
PC
Regarding PCs, if you have a laptop, protect your BIOS with a password and enable secure boot. You can have as many protections as you want at the operating system level, but if the device has malware at the firmware level, it’s a problem.
Secure boot can help you detect malicious code on your PC. I’d also disable the ability to boot from a USB drive in the BIOS because it’s very easy to do malicious things from there.
If you can, also disable USB ports, but it depends if you’re willing to do so. If there are any other security settings available, I would check them out. A power-on password could also be useful.
This is an additional password that, if you don’t enter it, won’t let you even access the operating system. However, if you forget it, it’s not as easy to reset as an OS password.
Encrypt the disks of any OS you use.
If you can prevent physical access to your devices, fortunately, most malware can be removed by formatting the device, but it depends on the attacker’s skill.
Smartphone
Regarding your phone, if you have a Pixel, I would strongly recommend installing GrapheneOS, which has many protections against such attackers.
You can prevent the phone from connecting to a PC, make it auto-reboot after a certain time (the encryption of the phone is stronger once it’s rebooted, and things like the fingerprint don’t work) and many other features.
If you have an iPhone, I’d recommend enabling lockdown mode.
If you use Google accounts, as mentioned earlier, enable advanced data protection and use more passkeys and authentication apps like Aegis/Ente Auth for 2FA, ignoring others like SMS and email.
You could also consider Yubikey for maximum security.
I would put a PIN on the SIM to avoid SIM swapping attacks, where someone pretends to be you, calls your carrier, and has your SIM transferred to another phone.
Since social engineering was mentioned, you should be very cautious against phishing attacks.
If possible, use aliases for each different account or at least use multiple accounts for sensitive things with providers like Proton or Tutanota.
Protect your main emails and any others with very strong passwords in a password manager and 2FA.
If a message or call seems urgent, suspicious, appeals to emotions like fear, curiosity, or anxiety, it’s probably phishing.
If you can, don’t answer unknown numbers, and use anti-spam apps like Spam Blocker (if you want an open-source one) or use integrated features on stock Android like in the Phone app by Google (not as private, but it’s an option).
Regarding suspicious links, if an email seems like a scam, try checking how it’s written or copy and paste it into VirusTotal to see if it’s clean. It doesn’t always catch everything, but it’s better than nothing.
It’s better to avoid uploading personal files to VirusTotal though, as they don’t have great privacy.
If your email provider allows it, disable automatic remote image loading and generally check your security settings.
I’d use a pin for the phone of at least 6 digits or a password of 6-8 characters minimum.
The fingerprint might be a risk, depending on how far you think the stalker is willing to go, whether you think they would physically attack you or force you to use it.
Use browsers like Brave/Firefox with uBlock Origin and check their security settings. I would change the DNS, for example to Mullvad’s, as it could help protect you against malicious sites.
They might not be helpful against new sites created by the stalker, but in that case, there’s NextDNS, which can prevent you from connecting to sites created in the last 30 days.
If you have a VPN like Mullvad or Proton generally you don’t need to worry about DNS, but in the case of NextDNS you should use the custom DNS feature in your VPN.
It could be a privacy issue if set up incorrectly, but I won’t go into detail. I mention NextDNS only because it’s the one I’ve used, but Privacy Guides recommends others too.
Maybe I’ve written too much, but there is a lot of advices, and I haven’t gone into specifics on many things.
Links and ways to counter the asshole
For general advice, I’d recommend guides from EFF, this website, Anonymous Planet (it’s often for higher-threat models compared to other websites), Techlore and Naomi Brockwell yt channels, and the Freedom of the Press Foundation guides, even if you’re not a journalist.
Many parts are treated briefly and without in-depth coverage, but I assume that in that case, Privacy Guides and the sources underneath cover them in detail. There would be too many links, and it would be excessively long.
There are a few links, but you can start wherever you want, and there’s no need to rush because that would only be counterproductive.
How urgent it is, though, I don’t know, as I have no information about the stalker.
If you’ve already gathered evidence, you could go to the authorities and report it or at least tell someone.
We are still strangers on a forum, and we can only help partially. The people close to you, however, can truly make a difference.
I know it’s the classic line, but it’s not a shame or your fault if you’re being stalked. It’s just the asshole’s fault, even if they make you feel like it’s your fault or that you deserve it.
If you need legal assistance, organizations like EFF could help.