I’ve been thinking more about how to be a little more private. In an era where LLMs can automatically deanonymize people from their writing, find zero-days en masse, and may potentially displace jobs, it seems safe to say that the variance of the next few years will be significantly higher than the two decades pre-2025.

Threat model: A casual adversary who asks Grok-5 for “name, phone, and address of all people in [X reference group],” with the intent of causing disruption or harm. I don’t expect the strategies below to work against adversaries that are highly-competent (including but not limited to government actors) or specifically targeting you; it’s very possible they won’t even work against casual adversaries in the future.

The guidelines below are tailored to California residents (and SF in particular), but the spirit of most rules should be pretty universally applicable.

  • Physical security: IMO the biggest value here is making your address harder to find for casual attackers.
    • Remove yourself from California voter registration, since many groups can publicly access your address on voter registration. For example, SF offers a form to remove yourself from voter registration.
    • Sign up for a PO Box ($25/mo in SF). Send your mail here so random e-commerce websites don’t get your address. This doesn’t help if you’ve already given out your address, but it reduces future leakage (and if you ever move it will help your new address from leaking). (Notably a PO Box has several other advantages: they’ll sign for and hold packages for you for a month; you get the coolness factor of going in to a USPS after-hours; and they also accept Amazon/UPS/Fedex via Street Addressing.) Migrate:
      • DMV (mailing address only)
      • Financial accounts (mailing address only)
      • Medical accounts
      • Employer mail
      • Ecommerce (start using your PO Box for online shopping)
    • If a PO Box is too much hassle for you, sending mail to your office is also a good idea if allowed.
    • For property owners, make sure you buy property through a trust. I haven’t looked into this since I don’t own property.
    • Lock down location access on your phone; make sure no untrusted apps are in “Always allow” for your location.
  • Digital hygiene
    • Massively secure your email account, since compromising your email can allow compromising ~everything else. You want to secure your email login (e.g., Gmail), and if you have a custom domain, you must also secure the webhost, DNS provider, and domain name registrar you use.
      • Picking secure providers is important. In an age of LLM-assisted cyberattacks (e.g., the Vercel attack was rumored to be AI-assisted), I feel like nobody really knows how to be most secure; but I bias toward larger providers that are enterprise-grade and incentivized to immediately fix security issues. In the past I might have trusted a startup with my data; now I’m probably just going to go with Cloudflare/Google/Apple/GitHub.
      • Example: I used to use forwardemail.net for my email routing and Porkbun for domain hosting. I moved both of these to Cloudflare (Email Routing + Domains + Pages) and set up 2fa with hardware security keys.
      • For any services that, if compromised, could result in full takeover (email, domain, password manager), use hardware security keys to sign in. Buy two. IMO hardware security keys aren’t worth it for most other services because of the inconvenience (I usually just use digital passkeys in 1Password).
      • Enable Advanced Data Protection and Security Keys on macOS + iOS
      • Enable Advanced Protection Program for Google
    • Enable SIM swap protection on your phone provider, to prevent people from taking over your number and stealing your SMS 2FA codes.
    • Use a data deletion service to reduce the surface area from data people have already collected. TL;DR if you don’t do this, your email, phone number, and address are regularly being resold online by data brokers. I signed up for DeleteMe and DROP (for California residents; should take effect later this year).
    • Ensure your Twitter/personal website don’t contain details that could let people contact you in real life
    • Remove old tweets (Codex can automate this if you ask it to delete your tweets >180 days old), and in general any public statements you’re not sure if you endorse anymore
    • Goes without saying, but use a password manager + 2fa everywhere you can
    • Use Signal when you can with default 4 weeks disappearing messages.
    • Enable Advanced Account Security on ChatGPT

References

  • Karpathy’s Digital Hygiene – I’m a bit less privacy-pilled than he is and generally prefer to use very well maintained software even if it’s from a big tech, due to risks from LLM-assisted vulnerability discovery (e.g., Google Chrome vs. Brave). But it’s a very good resource nonetheless with additional advice.