Online privacy tricks — which work, and which to avoid?

Lars Janssen
12 min read · Feb 10, 2021

I’ve already blogged about the difficulty of getting your data deleted and how to shop safely online.

This article delves into some of the more esoteric techniques I’ve used to try and stay a step ahead of data breaches while using the web and apps, with an honest account of which ones work, the effort involved and some of the unintended consequences. Feel free to skim — and I hope you will try at least some of them!

This is not intended to be a comprehensive guide to security — you should already be using strong, unique passwords and two factor authentication for example.

Minimising the data you provide

Recommendation: do this as much as possible.

This is straightforward. If providing the data is optional, don’t provide it unless you can see a clear reason related to your situation. To be honest, I don’t even like to enter my title or gender — why do they need this stuff? Likewise for date of birth. Sometimes I get birthday marketing messages, a reminder that my younger self was far less careful with data.

If you’re being asked for too much data, consider going to a competitor.

You could also contact the Data Protection Officer (DPO), citing GDPR Article 5(1)(c) “data minimisation”, and ask them to limit the data collection. Find the Privacy link at the bottom of the page and search the policy for the @ symbol. If the address starts with “privacy” or “dpo”, drop them a quick email. If there’s no such address, or if you don’t get a satisfactory reply, move on.

Pitfalls: minimal; you might need to go back and provide more data later.

Providing fake data

Recommendation: proceed with extreme caution.

This option is for when you really want to use a particular service and there’s no good alternative. You didn’t get a good reply from their DPO or — understandably — didn’t have time for that.

So you put fake information into some of the form fields.

I have done this before with my date of birth — why does a shop need to know this sensitive information, this identifier that I cannot change but helps give access to my bank account and healthcare data? This led to a startling exchange in the high street chemist Boots, when my Advantage Card (since destroyed) caused the till to spit out offers aimed at customers several decades older than me. Fortunately I didn’t get escorted from the shop by security for using a “stolen” reward card, but perhaps some random date in 1900 (the first year on the drop-down) wasn’t such a clever choice after all.

Another category of fake data is phone numbers. This can be tricky because you don’t want to provide someone else’s number, resulting in a combined breach of your data and theirs. I have tried the Ofcom reserved numbers recently. This is a list of numbers reserved for TV and radio programmes (a bit like the area code 555 in the USA) so hopefully won’t cause any problems, but the jury’s still out on this one. This won’t work if they try to verify the data.

Needless to say, this should not be used in sectors like finance, healthcare, travel, government services, or anything other than a throwaway account. In fact, any mix of real and fake data is likely to complicate things.

If you use this technique, bear in mind that you could be in breach of the service’s terms and conditions and that some organisations have a genuine reason to collect this data. For dates of birth, use one within a month or two of the real date and make sure to keep accurate records. You’ll probably need it later to identify the account.

Pitfalls: it can make recovering the account harder, could violate terms and could cause unexpected side effects.

Providing the organisation’s own data

Recommendation: proceed with caution.

A narrow variation on the above. If a company makes the phone number field mandatory, I sometimes enter their own phone number. A good side effect is that if I can’t find a phone number, I probably don’t want to do business with them anyway.

Luckily my address is easy to find with no glitches in Google Maps, satnavs and the like, so I can afford to not be contacted about deliveries. However if you often need to guide delivery drivers to your address, or want to be reached when you pop out to the shops, this one isn’t for you.

As with any fake data, this should not be used on anything “official”.

Pitfalls: make sure there is at least one other way for the organisation to contact you. It could also make it harder for them to verify your identity if you make a data subject request (e.g. for deletion).

Horcruxing

Recommendation: use if you have concerns about password managers.

This one is about your relationship with your password manager. You do use a password manager, don’t you?

If not, perhaps like me you were sceptical of putting all your eggs in one basket. Coming up with this trick gave me the confidence to use a password manager, although I didn’t realise others had thought of it or that a new verb had entered into the lexicon thanks to J. K. Rowling.

Horcruxing is the practice of adding a few secret characters to your password beyond what’s stored in the password manager. How it works:

  1. Pick a random string, perhaps “D913” for example. You’ll be adding the same one to all passwords, so you can take the time to memorise a good one.
  2. Let your password manager generate a password, e.g. “21rHt3bJjlC45fwV”.
  3. Add your own part making “21rHt3bJjlC45fwVD913” and don’t update it in the password manager.
  4. When you log into the website, your password manager fills in the password, you type the extra characters and click “log in”.

This can result in annoying login failures if you don’t use it on every password. To counteract this I am considering adding a suffix such as “_” to each username as a marker; if my username is me@example.com_ then I can just delete the “_” and add the password suffix. In any case it’s fair to say you have to be well organised. Or you can just do it with all your passwords.

Pitfalls: Unless you do it for every password, it’s easy to forget which ones you did it on. Adds a bit more friction to logging in and registering.

Providing random account recovery details

Recommendation: do this, but keep good records.

I can no longer talk about my first cat, or how his name was chosen. This is a result of me blindly following along with the process of setting up account recovery questions and answers when signing up for certain services.

Now when I am asked for the name of my first pet, my first school, my favourite film and so on the answer is more likely to be “5XuUmu8lXYh7v3cr”. This data is then stored in my password manager.

Although this is a hassle, the ease of finding various background information about you makes this form of protection too vulnerable. Therefore if you have bothered to read this far, I recommend you start doing this.

Meanwhile, once I’ve purged all the old accounts, I look forward to talking about my childhood pet once more, and maybe I can even give some movie recommendations…

Pitfalls: If you lose the answers, account recovery is going to be troublesome and potentially impossible.

Alternative: a friend proposed another approach — using a consistent alter ego. He has created a persona with an imaginary first pet, fictitious mother’s maiden name (a concept he points out is not even relevant in his native Spain) and so on. This is more convenient and less likely to result in getting locked out in case of losing access to the password manager. The trade-off is that data breaches on one site could potentially spill over to another. For many, this might represent the sweet spot.

Using disposable email addresses

Recommendation: avoid, except in limited circumstances.

Disposable email services are easy to find in Google. Typically visiting the site will generate a random email address. Emails sent to that address will be displayed within a few seconds. The randomness of the address is treated as a form of password — you have to know the random address to read the mail.

There have been concerns about email addresses being recycled in these systems and given to other users. Even if they don’t do this, there are other issues to consider.

For a start, it requires you to trust some nebulous third party (often in another jurisdiction untroubled by regulations such as GDPR) with any data emailed in. Remember that 99% of the time, the registered email address is key to accessing any online account (thanks to password resets) and all the data contained therein.

I would also be concerned — although I haven’t investigated this — about how long the temporary domains are registered for. Once expired, what’s to stop anyone from scooping up the domain registrations and accessing all the incoming mail?

Lately I used temporary email addresses for testing how password resets work. Some companies will actually create an account as a result of trying to reset my password when all I wanted to do is confirm if my account has already been deleted. If the temporary email gets “registered”, I know that I’m going to have to contact the DPO to get deleted.

You could also use such a service to try out a website or see what data it collects later on. However you need to be disciplined: never enter any personal data and always throw it away if you want to use the account for real. Changing the email address to your real one is insufficient; the account could retain a hidden link to the temporary, insecure email.

Pitfalls: any personal data linked to that email address should be considered compromised. Even if you set up an account without personal data you might inadvertently add some later.

Using a unique email address for every website

Recommendation: do this if you can, but don’t use the + sign.

The aim is to keep track of which companies have suffered data breaches and to provide a means of filtering out the resulting spam when they do (spoiler alert: it happens a lot).

If you gave the address me+somecompany@example.com to Some Company, and later you get spam sent to that exact address, it is a strong indication that something went wrong. You can also change the address and set up filters to delete anything sent to the compromised address.

Gmail offers this for free and I understand now Hotmail/Outlook has it too. If you have <yourname>@gmail.com then <yourname>+something@gmail.com will also route to your inbox.

In practice I’ve struggled with websites that don’t support the + sign. Sometimes they refuse to accept it; or worse, they accept it and then break. Yahoo! Mail used to support an alternative separator, and maybe still does. This works better; I have been using it as a separator for over a thousand different websites without any issues.

When setting up anything like this, you need to consider outbound email too. In case you need to contact the organisation, they will expect it to come from the exact address you registered, not the regular one (which you won’t want to give up anyway; chances are it’ll end up in Zendesk or worse). Gmail allows you to set up “send as” addresses (Settings, Accounts), so you can email from <yourname>+something@gmail.com. The From line in your email compose becomes a dropdown.

Pitfalls: A significant minority of websites refuse to use the + sign or, worse, break in unexpected and confusing ways. Takes a bit of effort to set up.

Registering your own domain for email

Recommendation: only if you are comfortable with running a domain for many years.

Even if you don’t have a website, a personal domain for email makes it easier to switch email provider in the future.

You need to organise email hosting or forwarding. Domain registration services usually offer email forwarding in some form. Alternatively, you can pay for an email service that supports custom domains.

One option is to use Google Workspaces (formerly G Suite, formerly Google Apps for Domains). I am lucky enough to have a free account; if you sign up now there’s a monthly charge starting at £4.60 per user per month.

This option alone doesn’t do much to change your privacy, but it is a prerequisite for the next one.

Pitfalls: If you fail to renew the domain, someone can register it and set up MX (mail exchange) records pointing to a catch-all email address. Every single email you receive will go to them. Budget for keeping the domain around 10 years after you stop using it.

Using a catch-all address

Recommendation: only if you have time to set this up carefully.

The idea as above is to have a unique email address for each data controller, to detect data breaches and then mitigate them by filtering out the spam. It’s also exceptionally useful for finding all correspondence relating to a company: just put the unique address that you assigned into the search box.

The simplest form of a catch-all is that all email to a domain goes into one mailbox. This is great for spammers, bad for users.

As I had a few users on my website domain, we needed to differentiate anyway. So we had a system including the username and the data controller name, and filters that forward email based on the username. This cut out spam to name@example.com where name is any common name.

After migrating to Google, this is still possible by creating a “catch all” user and setting up forwarding filters in there. The spam just sits in the catch-all mailbox.

Important Google filtering tip: do not filter on the to: address; it won’t catch BCCs/hidden addresses. Instead, filter email on deliveredto:name. This uses the Delivered-To header, which records where the email was actually directed during the SMTP session, regardless of what the To: line says.

Note: if using Gmail and you want to send from one of these addresses, you might need to purchase an outbound SMTP service. I have been using Mailgun with no issues. Their free tier should be sufficient, and they retain outbound message metadata for only five days and no message body.

Pitfalls: Catch-all addresses can attract a lot of spam. Setting this up properly takes time and depends on the capabilities of your email provider.

Using a random scheme

Recommendation: do this if you’re using a catch-all address.

Companies presented with evidence of a data breach often deny responsibility. One of them told me that in the opinion of their IT department (the same people who were probably careless in the first place), email addresses can easily be guessed. So, let’s call them Company A. They are saying that someone just decided to send spam to me-companya@example.com? And yet, I don’t have all the hundreds or thousands of variations in my spam folder that would result from such guessing.

Nevertheless, I now use a scheme like this:

<constant letters>.<data controller>.<random digits>@example.com

The first part is arbitrary but constant. I might change it anyway after a year or two, or if you are sharing with multiple users you could expand it to include a username. It’s there to help with filtering this group of addresses as a whole (e.g. to make an overall report later). Avoid vowels so as to make it something unlikely to ever clash with a real name, although we only need to search in email addresses, not whole messages.

The second part shows the data controller name and the last part is three random digits generated in the Google Sheet where I keep track of these (such documentation is helpful for deleting unused accounts later on anyway).

I’d like to see a data controller trying to convince the ICO or to argue in court that spammers just guessed pzk.somecompany.923@example.com.
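As an added example (not from the original post), the following Python shows the two mechanics above working together: issuing aliases in the `<constant letters>.<data controller>.<random digits>@example.com` scheme, and attributing an inbound message to a data controller by reading its Delivered-To header rather than the To: line, which is blank when you were BCC’d. The prefix `pzk`, the domain `example.com`, the in-memory register (standing in for the spreadsheet) and the sample message are all assumed or constructed here.

```python
"""Attribute inbound mail to a data controller via Delivered-To.

Added example, not the author's own code. Assumes the alias scheme
<constant letters>.<data controller>.<random digits>@example.com and a
dict register of issued aliases (a stand-in for the author's Google Sheet).
"""
import re
import secrets
from email import message_from_string

DOMAIN = "example.com"   # assumed domain
PREFIX = "pzk"           # assumed constant, vowel-free prefix

ALIAS_RE = re.compile(
    rf"^{re.escape(PREFIX)}\.(?P<controller>[a-z0-9]+)\.(?P<digits>\d{{3}})"
    rf"@{re.escape(DOMAIN)}$"
)


def new_alias(controller: str, register: dict) -> str:
    """Issue a fresh alias for a data controller and record who got it."""
    digits = f"{secrets.randbelow(1000):03d}"   # three random digits
    alias = f"{PREFIX}.{controller.lower()}.{digits}@{DOMAIN}"
    register[alias] = controller
    return alias


def classify(raw_message: str, register: dict) -> dict:
    """Say which alias a message reached and which controller it was issued to.

    The To: header is unreliable (BCC recipients never appear in it), so the
    topmost Delivered-To header, added by the receiving MTA from the SMTP
    RCPT TO address, is used instead.
    """
    msg = message_from_string(raw_message)
    delivered = (msg.get("Delivered-To") or "").strip().lower()
    m = ALIAS_RE.match(delivered)
    if not m:
        return {"verdict": "not-an-alias", "address": delivered}
    if delivered in register:
        return {"verdict": "known-alias", "address": delivered,
                "controller": register[delivered]}
    # Fits the pattern but was never issued: a guess or a typo, not a breach.
    return {"verdict": "unissued-alias", "address": delivered,
            "controller": m["controller"]}


# Constructed sample: the To: line is useless (we were BCC'd); Delivered-To
# still names the alias that was handed to Some Company.
SAMPLE = """Delivered-To: pzk.somecompany.923@example.com
To: undisclosed-recipients:;
From: offers@unrelated-sender.example.net
Subject: Special offer

Hello
"""
```

Running `classify(SAMPLE, {"pzk.somecompany.923@example.com": "Some Company"})` returns a `known-alias` verdict naming Some Company, which is the evidence to take to the controller when spam arrives at an address only they were given.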

I’m looking for a better solution than Google. It’s cumbersome to have another mailbox just for the filtering, and doesn’t work well with multiple users. The paid edition might be a bit easier, or I might try a dedicated forwarding service (see below). Either way, I plan to stick with the above naming scheme.

Pitfalls: Very little over and above what’s already involved in having a custom domain and catch-all address. Needs a little more discipline to set up.

Other services

I’m lumping these together at the end because, unlike all of the above, I have no personal experience to share.

ProtonMail

This is high on my list of things to try out. Open source, based in Switzerland and well established, this is a full, encrypted email service with web UI and mobile apps. However I am not sure if it uses anything other than the problematic + for differentiating email addresses. It would require giving up the Gmail UI which, while not beautiful, is fast, reliable and offline-first.

Anonaddy

On the face of it, this could be the perfect add-on to Gmail, Outlook or other preferred provider (even ProtonMail?) as it routes mail into your inbox and anonymises the email address on outbound replies. I like that they charge a very reasonable price for the service rather than relying on advertising. I was more troubled that I couldn’t find their physical address on the website, but it’s open source so you can host your own instance.

Blur by Abine

This company provides a privacy-focused tool for masking email addresses. It also provides virtual cards. Unfortunately it is based in the USA where privacy laws are less strict — “do not sell my data” is setting the bar pretty low.

Security threats are constantly evolving. By 2030 this blog post will look horribly dated and naive. But for now, please leave feedback especially if you find any flaws with the above.
