Martin McGregor

Privacy Protection: What a tech expert does to protect their data online

In today's perilous digital environment, the importance of keeping personal data secure cannot be overstated. With the rise of cybercrime and data breaches, it is more crucial than ever to take steps to protect your sensitive information.  

To help you navigate the complex world of online security, I am sharing the key steps I take to protect my privacy and data. 

Why does my opinion matter, you ask? As a technology expert with over two decades of experience, I have helped numerous businesses build and implement systems to protect their privacy, data, and employee devices. I helped some of Australia's largest corporations defend against cyber attacks, and I replicate some of the processes and controls I implemented for those businesses in my own online interactions.

Protecting your personal data should not require a degree in cyber security. The strategies I use are simple and straightforward but have enormous potential for protecting your privacy and personal information.

1. Email address trick “catch all”

I never provide my real email address when creating online accounts, subscribing to newsletters or interacting with websites when asked for my contact details. Instead, I have my own private email domain and provide a unique email address to each. 

I don’t need to create a new account each time, because I’ve configured my domain as a catch-all so any email sent to any address at my domain name will arrive in my inbox. For example, if you own the domain, you can create email address variations by adding characters and names combined with the at sign ("@") before the domain name and you will receive those emails.

Say you need to provide an email address for booking an appointment at Smile Dentist, you can provide the email address [email protected] or [email protected] and you will receive emails sent to that address. I do this for every site and every business. I use the name of the business or site in the email variation and this helps me filter out spam and prevents my real email from being shared or sold to third parties. 

More importantly, as I create unique email addresses and use the organisation or website name in the address, I can track if a specific one gets sold or leaked and then easily block the compromised email address.

In cases where an organisation is not meeting its legal requirements to protect my data, I can report them to the authorities. 

Many hosted services including Microsoft Exchange Online allow businesses to achieve the same outcome with sibling email addresses by using a plus sign ("+") in the email address.

For example, [email protected]. This may need to be switched on by your system administrator at work, however many personal email providers allow this by default. 
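The leak-tracking idea described in this section can be automated. The following is an added example, not the author's own tooling: it reads received messages, works out which per-business alias each was sent to (catch-all or plus-sign form), and reports aliases that received mail from a sender the alias was never given to. The domain example.org, the mailbox name "me", the ISSUED table and the function names are all assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

MY_DOMAIN = "example.org"  # assumption: placeholder for your own catch-all domain
MAILBOX = "me"             # assumption: mailbox name used with plus addressing

# Alias tag -> sender domains that business legitimately mails from (constructed data).
ISSUED = {
    "smiledentist": {"smiledentist.example"},
    "shoestore": {"shoestore.example", "mailer.shoestore.example"},
}

def alias_tag(address):
    """Return the per-business tag from tag@domain or mailbox+tag@domain, else None."""
    local, _, domain = address.lower().rpartition("@")
    if domain != MY_DOMAIN:
        return None
    if local.startswith(MAILBOX + "+"):
        return local[len(MAILBOX) + 1:]
    return local

def find_leaks(raw_messages):
    """Map each alias to the unexpected sender domains seen writing to it."""
    leaks = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        # Assumption: the To header carries the alias (not true for BCC'd mail).
        tag = alias_tag(parseaddr(msg.get("To", ""))[1])
        if tag is None:
            continue
        sender = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
        allowed = ISSUED.get(tag)
        # Flag aliases that were never issued, and senders outside the issued business.
        if allowed is None or not any(sender == d or sender.endswith("." + d) for d in allowed):
            leaks.setdefault(tag, set()).add(sender)
    return leaks

SAMPLE = [  # constructed messages, not real mail
    "From: Reception <bookings@smiledentist.example>\nTo: smiledentist@example.org\nSubject: Reminder\n\nSee you Tuesday.",
    "From: deals@cheap-pills.example\nTo: smiledentist@example.org\nSubject: Offer\n\nBuy now.",
    "From: news@mailer.shoestore.example\nTo: me+shoestore@example.org\nSubject: Sale\n\n20% off.",
    "From: win@lottery.example\nTo: me+shoestore@example.org\nSubject: Winner\n\nClaim.",
]

if __name__ == "__main__":
    for tag, senders in find_leaks(SAMPLE).items():
        print(f"alias '{tag}' received mail from unexpected domains: {sorted(senders)}")
```

A mismatch on the From domain is a signal, not proof: From is unauthenticated, and a business may send through a third-party mailing service that is not yet in the table.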

2. Password manager

I use a password manager to generate and store passwords for all my accounts. This eliminates the need to remember multiple passwords and ensures each account has a unique and strong password.

While this takes some time to get used to and changes the way you manage your passwords, once you are using a password manager on all your devices and for all your accounts, it makes logging in and signing up for services much easier and more efficient. At the same time, a password manager provides tremendous security benefits that will help protect you against some of the most common account takeover cyber-attacks happening in the world right now.

Whenever you sign up for a new service, ensure you use the password manager to generate a strong and unique password, then save those details to the password manager. The only password you will need to remember is the one for the password manager as it saves all your login details for all other services, sites and accounts.

When you buy a new device, installing your password manager should be one of the first things you do as this will allow you to easily set up all the software and web services you need and use.

Many password manager solutions also provide two-factor authentication. They can also be used for securely storing credit card details and other contact details, which is incredibly helpful and efficient when needing to fill out forms or provide that information over the internet.

Another benefit of using a password manager is they provide insights and recommendations on how to improve your security. This includes notifying you when a website is breached and prompting you to update your password, notifying you if your password becomes compromised and notifying you if you are using the same password for multiple accounts and logins.

Using a password manager also removes the need to use an in-browser or operating system password manager, which do not work on all browsers or all devices, making them much harder to adopt.

Once you have purchased and set up a password manager, I recommend disabling any in-built or browser vaults.

I also do not create accounts or logins on websites that do not allow for complex passwords or do not allow me to use my password manager.

3. Never use a phone number for verification 

I never use my phone number for verification or two-factor authentication. This is because phone numbers can be spoofed or stolen, leading to unauthorised access to my accounts. 

Instead, I use my password manager or other software authenticators for two-factor authentication. 

If services and sites allow authenticator tokens, use this as your preference. If this is not available, use email. Only use SMS authentication as a last resort as it’s still better than nothing. 

Businesses should also follow this authentication method and level of control; it is not enough to use SMS as your only method of two-factor authentication. 

4. Do not share photos of kids or mention location

I am cautious about sharing personal information online, especially when it comes to photos and location mentions. I never share pictures of my kids online or mention their location, as this information can be used to track them or identify them.

For your children's school or any clubs or sports they are involved in, if there is an option to opt out of having their photos taken and shared online, then I recommend doing so.

Parents often share information about their children and location without realising – or give them access to social media where they can do it themselves – and what is incredibly unfortunate and concerning is that since the proliferation of social media, child kidnapping continues to arise as these services make it safer and easier for abductors to operate.

When you share information and photos such as where you regularly go for breakfast or take your kids to swimming lessons, you are creating a trail and a pattern about your movements and location.

If you want to share photos with your family and friends, do not use social media or apps designed for the purpose, and do not expose their location or identity over the internet. Instead, use a personal end-to-end encrypted chat service and instruct family members not to reshare.

Lastly, do not create social media profiles for your children. There are age requirements for these services and for good reason. The risk of the internet is always evolving and when social media was first introduced, we were not aware of the dangers or risks it imposed. It is only in retrospect we realise these services can compromise our safety and our children's safety.

5. Avoid using real names, birthdays, and ages unless legally required

Never give your real age or birthday unless legally required as this information can be exploited by cybercriminals and used to identify you.

Instead, I create fake birthdays and store this information in my password manager.

I also strongly advise against sharing your birthday on social media because, again, this can be used by cybercriminals.

Even most of my friends wouldn’t realise they don’t know my actual birthday, and I typically just celebrate it whenever I feel like it.

6. Assume secret questions are not so secret

When it comes to secret questions like providing your mother's maiden name, do not give that information out!

This covers things like your mother's maiden name, your first pet, the address of the first house you lived in or the high school you attended.

These types of questions ask for sensitive information and deliberately ask for information only you would know. If an organisation or website storing this information was breached or your responses were leaked, cybercriminals could use that information to access some of the most sensitive services you use including your bank account.

This is why I do not accurately respond to secret questions and instead use my password manager to generate and store unique answers and passcodes for these fields. In the event my responses become leaked, they would have no value and would not disclose any personal information.

For example, I can add the mother's maiden name as cEqp*.QP9mwvVfsb!W and I provide a different answer to every site that asks for this information. And, as I save everything in my password manager, I don't need to remember the different responses.

7. Avoid online personality tests and IQ tests

I do not undertake personality tests, IQ tests, or any other survey online, particularly with unreputable sources.

The value of this information is often misunderstood and it could be used to exploit your privacy.

These are tools for gathering very rich information about you. Information that could be sold to other parties and used to build reasonably accurate online profiles about you, which may not work in your best interests. For example, the information you provide in such tests could be used to determine your buyer behaviour or susceptibility to being defrauded.

When it comes to using the internet and what is private and unique about who you are, make sure you only provide that information to reliable services.

8. It is never too early to educate your kids

Teaching children about online privacy and safety from a young age is essential.

At the same time, do not give your children unsupervised internet access until they are mature enough to handle the responsibility of being online.

Do not allow your children to learn about the internet and the dangers of the internet from direct exposure. We do not want our children to be in a situation where they can make mistakes; we want them to have the education and resources needed to understand, recognise, and avoid online dangers.

When it comes to the internet, the entire world is at your children's doorstep and there are no safety mechanisms; there is nothing built into the structure of the internet that prevents them from being exposed to things that could be dangerous and traumatising.

Introduce your children to the internet carefully and responsibly so they can understand appropriate use and behaviour. You will not be able to monitor your children's internet use 24/7 so you want to ensure they can keep themselves safe.

As with internet use, do not allow your children to use social media unless they are old enough and mature enough to understand and manage the dangers. This includes only accepting friend requests from people they know and understanding and managing online bullying and harassment.

It is equally important to educate your kids about not sharing personal information, photos or their location online and particularly how to avoid any interaction with strangers. For example, friend or chat requests from kids they do not know are things your children should immediately decline and report.

9. Watch what you share online and keep a low footprint

When it comes to what you share online, assume it will be exploited, assume it will be seen by the wrong people and assume access to that information is indefinite—because it is and can be.  

This is why I implement the above-mentioned strategies and restrict what I share online. I do not create patterns, I do not share sensitive information and I do not have social media except LinkedIn, which is unfortunately important at this stage of my career. I also avoid opportunities to appear on other people's social media.

For online profiles, private group chats and creating accounts, I do not trust the barriers that are supposed to keep my information safe. I assume the information I share online can and will be exploited, so I avoid opportunities to share accurate information unless explicitly required. 

For work purposes, I do have LinkedIn, but I take measures to act generic. This includes accepting all connections. While this goes against what I mentioned for social media, it means LinkedIn cannot easily identify who I do and do not know in real life.

10. Read, and I mean read, privacy policies

I thoroughly read every privacy policy as they detail extensive information about the specific business, their intentions, why their business model exists and how they intend to interact with me or my information.  

People tend to engage with different sites or create accounts without reading privacy policies. My advice is to read them, do not just accept them without fully understanding what you are accepting or the intentions of that site or business. 

What you will find from reading privacy policies is that some organisations will not align with your best interests, but some will. 

There are some key things to look out for when reading privacy policies, including if it is stated your information will be sold to third parties and what kind of third parties. Make sure you understand what information they intend on sharing, understand why and only proceed if you are comfortable with that information being shared or sold. 

Look for clarity and transparency regarding the types of organisations or parties the business intends to share your information with and ensure it is clearly stated for what purposes. It is a red flag if the privacy policy is unclear or obscured, particularly about sharing your personal information. 

There are also online resources like Terms of Service; Didn’t Read, which rates and scores privacy policies.

Are you ready to protect your privacy?

These are the strategies I use for safeguarding my personal data and privacy. While the steps and approaches are repetitious, these measures allow me to minimise the risk of having my personal information exposed.

By following these tips, you can reduce the risk of identity theft, financial fraud, and other online security threats, and enjoy greater peace of mind in your digital life.
