Extreme Privacy 3rd Edition Now Available

The 3rd edition of Extreme Privacy is now available. Details and purchase links can be found on my site at https://inteltechniques.com/book7.html. Overall, 30% of the book is brand new content, 25% has been updated, and 45% is recycled from the previous edition. The new book is 635 pages, but the retail price has only increased $1.50. I will have many more details on my podcast this Friday, but here are some excerpts from the preface about the changes.

The first four chapters now focus solely on digital privacy and security. There is no longer an “Advanced” technology chapter later in the book. All technology methods and tutorials are presented right away, as these were the most applied techniques from the previous editions. These are also the most affordable privacy strategies which offer immediate protection and contain a large number of updates from the previous text. The methods are globally applicable and can benefit anyone who desires privacy. I believe your digital life must be properly secured before you should proceed with the remaining strategies.

This book is more extreme. The previous editions accepted the fact that most of my clients demand Apple products, iCloud accounts, overt payment methods, and easy communications. I accommodated this realization and tried to offer steps which could increase privacy while settling for inferior options. This is no longer the case. In this edition, I assume you want maximum privacy and security. I do not cut corners or pull punches. Together, we will embrace Linux on our computers; possess mobile devices without embedded Apple or Google software; create masked payment options; sanitize our past public lives; never associate our names with our homes; and rely on completely encrypted communications from open-source projects. I have no regrets from my previous writings, as I believe they served a valuable purpose at the time. Today, we must take our privacy and security to another level. After all optimal solutions are presented, I still provide alternative options for those who do not want to commit to an extreme level of privacy and security. However, I always encourage you to push your comfort level and force yourself to make the best long-term decisions.

I offer several new strategies to combat “anti-privacy” measures. Many of the techniques in the previous editions surrounding anonymous purchases, private shipping, and ghost addresses are quickly becoming blocked by companies demanding your accurate personal information. This edition presents several layers of strategies which can be customized for each specific need. Together, we will respond to various privacy invasions with a stronger defense.

I now conclude most chapters with a “Typical Client Configuration” or summary page which outlines the steps most commonly taken when a client needs the services discussed in that chapter. A valid criticism of the previous editions was that I provided too many options without clear guidance of the best path toward privacy. While I can never navigate every reader through their own unique situations, I can summarize the typical strategies for most clients. I believe this may simplify the decisions required during your own application of the content. In the previous edition, I presented numerous recommended products and services and encouraged the reader to conduct their own research to identify options most appropriate for them. In this edition, I have specified the exact products and services obtained for myself and clients.

On a personal note, this title represents my 20th published book over the past fifteen years, and a departure from writing. I will not say that I will never write another book, but I currently have no plans to publish any future editions associated with my titles about privacy, security, and OSINT. It has been a fascinating experience, but it must come to an end in order to tackle other opportunities and projects which require my full attention. I plan to continue the weekly podcast, which should be used as a resource for all future updates to these topics. I sincerely thank all of the readers who have supported my unconventional ideas and joined me during this ride. Monitor my website if you want to follow my future projects.

Finally, I have poured every tactic, method, and experience I have into this final edition. I hope you find something valuable here which will protect you from a growing number of digital threats. I am truly excited to introduce yet a new level of privacy and security. ~MB

My Experience with PrivacyBot

Several people forwarded me a new site called PrivacyBot which claims to automate various online data removal requests per the California Consumer Privacy Act (CCPA). This would technically only be beneficial to California residents, but let's wait to discuss that. This activity has always interested me because I have yet to find any reliable way to automate this process. I jumped in, but immediately had issues which prevented me from using their automated service.

Their software requires you to clone their Github code, activate a virtual Python environment, install all dependencies, and launch the app via Terminal. I had no issues there. I then realized that PrivacyBot forces you to authorize a Gmail account and send all sensitive data (and followup interactions) through Google. That was a deal-breaker for me and anyone else who wants to remove data associated with a non-Gmail account. However, there is still much value within this project.

My biggest concern is that the project encourages users to send their name, email, home address, DOB, phone number, and other sensitive details over non-encrypted (Gmail) email to hundreds of data-mining services. I find this to be reckless unless you are absolutely confident that this information is already present within all of these sites. During my own manual process, I encourage people to identify the details present within a site and provide ONLY that information. This new automated process blindly sends all information to hundreds of companies, which can be easily abused. However, I played along.

I abandoned the self-install requirements and took a manual approach. PrivacyBot is simply automating the process of sending emails to 471 accounts associated with various people search websites. I don't need a Gmail account to do that. Further, the content of their automated emails is visible within their open-source code. Therefore, I conducted the following.

First, I created a new email alias and composed a new message. I did this through Protonmail, but any email provider would work. Note that free Protonmail accounts have a message send limit which would prevent this, so you may need to break the emails up over a few days. I created a new unique address in order to prevent spam from hitting my primary accounts. I also created a rule which forwarded any incoming email to that address into a new folder (optional).

I then BCC'd the 471 email addresses into a new email. For simplicity, I have copied all of these addresses from the PrivacyBot code at https://inteltechniques.com/data/privacybot.txt. I included the following in the body of the email.

I wish to exercise my rights under the California Consumer Privacy Act (CCPA). I request that your business complies with the following requests which are granted to me by the CCPA:

Right to Delete
Right to not sell my information

My details are:
Name: Michael Bazzell
Email: (My new email address)
Former Addresses: (Two old addresses which are publicly visible all over the web)
Current Address: 7101 South Central, Los Angeles, CA 90001-9999

Please remove any stored information about me within your systems. Please let me know if you have any questions. In the case that no email or user name information exists in your records, under the CCPA the above information can only be used for verification purposes and you may not collect it.

The Los Angeles address is the General Delivery USPS option for the greater LA area. It is legal to use this address for incoming packages if you are not a California resident. I believe this COULD pacify the requirements to qualify for the California Consumer Privacy Act (CCPA), however, your mileage may vary. I immediately received over a hundred automated messages confirming that my request was received. I then waited for replies.

The problems:

Most of the requests simply responded with directions for an online opt-out process. This accomplished nothing and I had to return to the manual process described in my workbook.

Many services only query the email address provided within their records. Since this was a new account, I received dozens of "we have no records about you" responses. I never provide a valid personal address for these requests, so that did not help.

Many services generated a new customer account portal for my address and asked me to log in to their services in order to complete the tasks. This returns us to a manual process. There is value in this, but I caution people on providing their true Gmail account. In my experience, whatever email you provide to them will be abused later with spam (hence the new email account I created which can be deleted).

Over fifty responses required additional information, all of which could have been better executed with a manual deletion request.

I have now sent my personal details via email to numerous websites which likely possessed no information about me. If (when) one of these companies suffers a data breach and their emails are published online, my data is exposed. I knew this going in, but I present it here for serious consideration. Manually removing these entries through various opt-out portals does not leave a permanent email trace which will be exposed eventually.

I have received emails from three people asking me to try PrivacyBot. All three of them believed that submitting the request was a one-time task and that all of their data was removed without any other requirements. This false sense of privacy may lead many users to think they no longer need to identify and remove information still present.

Successes:

Only twenty services responded that they had removed any information from their site. This is a "win", but such a small number compared to the 471 submissions.

Summary:

This is an extremely ambitious project and I am impressed with the amount of work put into it. The list of email addresses is most valuable to me. Any time people explore new possibilities with online privacy, we all win. For that, I thank the team who made this tool. However, it simply can not replace the manual removal process at this time. I have hopes that this initial release turns into something which we can all use to reclaim our privacy later, but it currently generates more work with followup emails when an online submission would have been enough the first time around. For now, I believe the manual removal process is a better way to go. For those who are dedicated to extreme privacy, the direct email method explained in this post might be an appropriate compliment to the manual removal process. Many hardcore readers may think this is an awful violation of operational security. I respect both.

Any automated process, including paid premium services which remove some content, can never complete the process as well as you can yourself.

The Privacy, Security, & OSINT Show – Episode 216

EPISODE 216-The Consequences of Extreme Privacy

This week I present my own credit reports and data broker profiles in order to explain my successes and failures while trying to disappear, while offering steps to avoid during your own pursuit of privacy. Please learn from my mistakes.

Direct support for this podcast comes from sales of my books, services, and online video training. More details can be found at IntelTechniques.com. Your support eliminates any ads, sponsors, endorsements, Patreon, donations, or commercial influence on this show.

SHOW NOTES:

INTRO:

None

UPDATES:

American Family DL Attack
Proton Calendar Beta Open to Everyone
Proton Import Open to Everyone
FBI Safety Deposit Box Raid

THE CONSEQUENCES OF EXTREME PRIVACY:

https://annualcreditreport.com/
https://www.annualcreditreport.com/manualRequestForm.action
https://consumer.risk.lexisnexis.com/request
https://inteltechniques.com/links.html

OSINT:

https://rocketreach.co
site:rocketreach.co "michael bazzell"

Next Week: EXTREME PRIVACY 3

 

Free Workbooks: https://inteltechniques.com/links.html

Affiliate Links:
ProtonVPN: https://go.getproton.me/aff_c?offer_id=26&aff_id=1519&url_id=282
ProtonMail Encrypted Email: https://go.getproton.me/aff_c?offer_id=26&aff_id=1519&url_id=267
Fastmail Business Email: https://ref.fm/u14547153
SimpleLogin Masked Email: https://simplelogin.io?slref=osint
Silent Pocket: https://silent-pocket.com/discount/IntelTechniques
Amazon: https://amzn.to/2B5svbH

Credit Report Failures

I like to check my credit reports annually to make sure that no unauthorized accounts have been opened in my name. While I prepare for a podcast episode about the content of various credit reports and consumer data profiles, I went to annualcreditreport.com to pull my report from the three major credit bureaus. For the first time, I received the following general error declining my reports.

While I have previously had problems confirming my identity with two of the three credit bureaus, I have never been blocked from the entire annualcreditreport.com website. I proceeded to manually request the reports from each bureau within the site, but received resistance from each, as follows.

I consider this a "win". The only single aggregated website for requesting free credit reports can no longer confirm I exist. If I can't access them, neither can a malicious adversary. However, this presents a problem. How do I check my reports? I can still submit a request via postal mail at the following link, but that can take 30 days.

https://www.annualcreditreport.com/manualRequestForm.action

Fortunately, I have already "Planted My Flag" with all three bureaus which provided direct login credentials to each service's website. Equifax and Experian allowed me immediate access to my reports, but TransUnion is still unable to confirm my identity, with the following error.

I have submitted this final request via postal mail. Hopefully it arrives in time for the show. My plan is to provide a summary of the data which various credit and data broker services possess about me after five years of Extreme Privacy. I also want to provide warnings about the restrictions applied when we go to the extreme and the lessons I have learned from my mistakes. I will announce everything soon on the podcast. My CLEAR and LexisNexis reports were a bit surprising.