Limit Your Digital Footprint

The Bottom Line

Your activity on your device and applications (apps) generates data that tells a lot about your interests, associations, and pattern of life. Data brokers compile this data into user profiles that can be bought and sold by virtually anyone, meaning threat actors can use this information to develop a targeted cyber campaign. Disabling your advertising identifier (Ad ID) is one step that will help to minimize your digital footprint.

The Problem

Phones, laptops, smartwatches, and other mobile devices collect a staggering amount of information about their users.

Ad IDs play a central role in aggregating information about individuals. Most operating systems, including Windows, macOS, iOS, and Android, assign unique Ad IDs to devices to facilitate the collection of user data, including location data, your browser activity, and information your apps collect. Data brokers compile this data into detailed user profiles.

These detailed user profiles can be bought and sold by virtually anyone.

They can be used to deduce information about your interests, activities, and whereabouts. For example:

• Your location data may reveal information about your schedule and routine, people you regularly associate with, and areas you frequently visit, such as your workplace, home, or place of worship.
• Your activity on apps can reveal information you believe to be private if it monetizes your use. For example, a web search for prenatal vitamins could indicate that you are pregnant. Meanwhile, an app for at-home blood pressure monitoring could reveal indicators of certain health conditions.

Indeed, your interactions with your devices and apps allow companies to learn about your favorite shopping venues, health status, hobbies, and other personal data―all without you directly telling them.

While this information can be used to enhance products and services, and even allow companies to offer many apps for “free,” threat actors can also exploit these troves of information.

Threat actors can use these tools to learn enough about you to carry out a targeted cyber campaign, using tactics such as spear phishing. They could also use this information to carry cause reputational damage or threaten the physical safety of high-risk targets.

The Solution

Disable your device’s Ad ID.

The following guides from the four major operating systems will allow you to disable or limit the collection and sharing of information associated with ad IDs and other tracking data.

• Windows OS
  • To disable your Ad ID and control app access to your location, see General privacy settings in Windows - Microsoft Support. Pay attention to the section on “Advertising ID.” 
• macOS and iOS
  • To turn off personalized ads and block location-based ads on your computer or mobile device, see Control personalized ads on the App Store, Apple News, and Stocks - Apple Support. 
  • To manage tracking permissions and prevent an app from tracking your activity across other apps and websites, see If an app asks to track your activity - Apple Support.
• Android
  • To disable your Ad ID, see Advertising ID - Play Console Help (google.com)

Follow Project Upskill guidance for additional measures to limit your digital footprint, including:

• Deny apps access to categories of data that they do not require for functionality. (See Project Upskill Topic 1.3 for additional guidance.) Given the sensitivity of location data, here are guides from the four major developers on how to limit app access to location data:

Windows OS: See “Manage Location Settings” in General privacy settings in Windows - Microsoft Support.

macOS and iOS: To manage which apps on your computer or mobile device have access to your location, and when, see Manage Location Services settings - Apple Support.

Android: To control which apps can access your location, see Choose which apps use your Android phone’s location - Android Help (google.com).

• Vet apps that you plan to install on your device to ensure they do not collect or share information with third parties. (Project Upskill Topic 1.4 for more information on vetting applications.)
• Adjust your browser settings for better privacy and security. (Project Upskill Topic 4.1 for guidance.)
• Understand and mitigate the risks of using social media by checking out Project Upskill Topic 6.1.

Manage information from data brokers and other sources.

While it may be harder to remove other sources of public data from the internet, here are some steps that you can take to minimize your online presence through opt-outs or data removal:

• You may be able to request removal of your information from certain platforms. In some situations, the organization or company may be legally obligated to honor your request based on the laws of the country or state in which they are headquartered.
• Data brokers hosting your information may also be legally obligated to remove your data when requested. Some records, such as property taxes or addresses, can be removed from online access through requests to the proper authority.
• There are also companies and organizations that can help you with data broker protection. 

Takeaways

Do

• Disable your device’s Ad ID.
• Deny apps access to categories of data that they do not require for functionality.
• Vet apps before you download them to ensure they do not collect or share information with third parties.
• Adjust your browser settings for better privacy and security.
• Understand the risks of using social media.

Do Not

• Provide apps access to categories of information they do not need.

Project Upskill is a product of the Joint Cyber Defense Collaborative.

• Module 1: Basic Cybersecurity for Personal Computers and Mobile Devices
• Module 2: Protecting Your Accounts from Compromise
• Module 3: Protecting Data Stored on Your Devices
• Module 4: Protecting Your Data in Transit
• Module 5: Securing Your Home Wi-Fi
• Module 6: Managing Your Privacy and Security Online