Practical
privacy &
security

Protecting your identity, data, and digital life

Why it matters

1 in 3

Americans affected by a data breach in 2024

$10K+

Average cost of identity theft per victim

FREE!

If the product is “free”, you are the product

Most attacks succeed because of simple, preventable mistakes.

What is identity theft?

Someone uses your personal information — name, SSN, birthdate, or account credentials — to impersonate you, open accounts, or commit fraud without your knowledge.

Financial damage
Thieves open credit cards, take out loans, or drain bank accounts in your name. Victims spend an average of 200+ hours resolving fraudulent accounts and disputing charges.
Medical identity theft
A thief uses your insurance to receive medical care, leaving false records in your medical history that can affect future diagnoses and coverage.
Credit score impact
Unpaid fraudulent debts tank your credit score, which can affect your ability to rent an apartment, get a car loan, or even pass an employer background check.
Tax fraud
Someone files a tax return in your name to claim your refund before you do. You find out when the IRS rejects your legitimate return as a duplicate.
How it usually starts
Data breaches, phishing emails, reused passwords, and oversharing personal details online are the most common entry points — all largely preventable.
It takes years to recover
Disputing fraudulent accounts and restoring your identity is a slow bureaucratic process — not a one-time fix. Prevention is far cheaper than recovery.

Passkeys: easy & secure

If a passkey is an option, take it: it's easier and more secure than a password.

1
You register
Your device creates a unique cryptographic key pair — one stays on your device, one goes to the site
2
You log in
Tap to approve with Face ID or Touch ID — your device does the rest
3
You’re in
No password transmitted — nothing to steal, nothing to phish
  • Easy: approve with Face ID or Touch ID — no password to type or remember
  • Synced automatically via iCloud Keychain across all your Apple devices

Works today on: Google, Apple, GitHub, Microsoft, PayPal, and many more

Passwords done right

The problem
  • Average person reuses passwords across 5+ accounts
  • One breach exposes ALL your reused accounts
  • “Password123” is cracked in under 1 second
  • Security questions are easy to guess from social media
The fix: password manager
  • Generates & stores a unique password per site
  • You only memorize ONE strong master passphrase
  • Apple Keychain syncs across all devices
  • Use fake answers for security questions — store them in the manager

Tip: A strong master passphrase = 4 random words, e.g. “correct-horse-battery-staple”

Two-factor authentication (2FA)

Even if your password is stolen, 2FA keeps attackers out.

Yes, it’s annoying but… Required for high-value accounts (financial, medical, identity). Use it if available for other accounts.
Easiest
Passkey Replaces both your password and your 2FA code. Approve with Face ID or Touch ID — nothing to type, nothing to intercept.
Great
Auth app Apple Passwords, Authy, or built-in app codes. Phishing-resistant but a bit of a hassle.
OK
Email code Code sent to your email. Better than nothing, but email can be compromised.
Weakest
SMS text Code sent via text. Vulnerable to SIM-swap attacks. Avoid when possible.

Guard your personal data

Alternate emails
Give commercial email to businesses. Protect your personal address from spam and breaches.
App permissions
Deny location and microphone permissions. Audit regularly: why does a flashlight app need your contacts? Revoke anything that doesn’t make sense.
Phone number
Only give your real number if you want calls or texts. Use a fake number (408 555-1212) for non-essential accounts. Get a disposable number from SMS Pool or Google Voice for one-off verifications.
Photo metadata
Photos carry GPS coordinates by default. Disable location metadata per-app under Settings > Privacy & Security > Photos.
Birthdate
Use Jan 1 unless absolutely necessary (doctor, school, bank, etc). Combined with other data, it enables identity theft.
Social media profiles
Employers and strangers can infer a lot. Review what’s public — location, employer, daily routines.

When to share real info

Your real phone number and birthdate are only needed in a few specific situations.

Yes — give your real info
  • Government agencies (DMV, SSA, passport)
  • IRS and tax filings
  • Banks, credit unions, and financial institutions
  • Healthcare providers and insurance
  • Schools and universities
  • Address: only when shipping something to you
No — use a fake or skip it
  • Retail stores and loyalty programs
  • Merchants and e-commerce checkouts
  • Activity waivers and event sign-ups
  • Any site where it’s not legally required
Beware: looks legitimate but isn’t
  • Health & wellness apps (symptom checkers, weight loss) — not the same as your healthcare provider
  • Insurance comparison sites — they collect your data to sell leads, not to insure you
  • Credit score & financial wellness apps — feel like banking but are ad platforms that monetize your financial profile

Account setup: limit sharing

Targeted advertising
Turn off personalized/targeted ads immediately. Look under “Privacy,” “Ads,” or “Data & Personalization” — it’s rarely off by default.
App tracking (iOS)
Deny “Allow Tracking” when the App Tracking Transparency prompt appears. If you missed it, go to Settings > Privacy & Security > Tracking.
Third-party data sharing
Opt out of sharing with partners. Labels vary: “Share with partners,” “Improve our products,” or “Personalized experiences” all mean the same thing.
Location access
Set to “Never” or “While Using” — not “Always.” Almost no app has a legitimate reason to track your location in the background. On desktop, set your browser to Deny location access by default; don't hand over your precise location to companies.
Telemetry & analytics
Disable crash reporting and usage analytics if the option exists. These send behavioral data back to the company continuously.
Camera, mic & contacts
Deny access unless the app’s core function requires it. You can grant permissions later; defaulting to no costs you nothing.

Data brokers & your rights

Data brokers collect and sell your name, address, income, relatives, and habits — without asking you.

What they sell about you
  • Full name & home address
  • Phone number & email
  • Relatives & associates
  • Estimated income & net worth
  • Purchase history & interests
  • Political & religious affiliation
California privacy rights
California CCPA You have the right to know what data is collected about you, delete it, opt out of its sale, and be free from discrimination for exercising these rights. Submit requests at oag.ca.gov/privacy/ccpa. California DELETE act — DROP (2026) DROP (privacy.ca.gov/drop) lets you submit one request to delete your personal data from all 500+ registered data brokers at once, rather than contacting each company individually. Brokers are legally required to comply.

Tools to help: haveibeenpwned.com · privacy.com · your state AG website

Keep devices & software updated

60%
of breaches exploit vulnerabilities with an existing patch

Enable automatic OS updates on phone and computer

Keep apps updated — updates often include security fixes

Enable screen lock (PIN/biometric) — not just swipe

Full-disk encryption is on by default on modern phones — verify it’s enabled. On a Mac, check FileVault: System Settings > Privacy & Security > FileVault

Enable Find My Device in case of loss or theft

Protect your credit

What is a credit report?
Your credit report is a detailed record of every loan, credit card, and debt in your name — maintained by three bureaus: Equifax, Experian, and TransUnion. Lenders, landlords, and employers use it to evaluate you. Credit bureaus also sell your data to lenders.
What a credit freeze does
A freeze locks your credit file so no one — including you — can open new credit accounts in your name. It’s free, reversible, and the single most effective way to prevent new-account identity theft.
Unfreezing is easy
You can lift a freeze temporarily (for a specific lender or date range) online in minutes. It does not affect your existing accounts, credit score, or ability to use current cards.
How to freeze
Freeze your credit at all three bureaus separately. Do it now, before your data is compromised:
equifax.com/personal/credit-report-services
experian.com/freeze/center.html
transunion.com/credit-freeze
Prescreened offers & data sales
Even with a credit freeze, bureaus can legally sell your information to lenders, insurers, and debt collectors for marketing purposes. Opt out at optoutprescreen.com to stop this separately from your freeze.

New threats

AI chatbots & privacy
  • Conversations may be used to train future models
  • Never enter SSN, passwords, or financial details
  • Don’t paste private emails or medical records
  • Deepfake voices/video used in scams — verify calls from unknown numbers claiming to be family or banks
  • Check each tool’s privacy settings and data retention policy
Public Wi-Fi risks
  • “Coffee shop Wi-Fi” can be spoofed — attackers create fake hotspots with convincing names
  • Avoid banking or sensitive logins on public networks
  • HTTPS protects most traffic, but not all apps use it
  • iCloud Private Relay hides your IP and encrypts Safari traffic so neither Apple nor your ISP can see your browsing — enable in Settings > [your name] > iCloud > Private Relay
  • Your phone’s cellular data is safer than public Wi-Fi

Spotting scams & phishing

Modern phishing is powered by AI — messages are personalized, grammatically correct, and convincing.

Urgency
“Act NOW or your account will be closed” — pressure is a manipulation tactic
Unexpected link
Hover over links before clicking. Real companies don’t email you unexpected login links
Wrong sender
Check the actual email address, not just the display name. support@amaz0n-help.com ≠ Amazon
Request for credentials
No legitimate company asks for your password via email, text, or DM
“Too good to be true”
Free gifts, prize notifications, unexpected refunds — classic bait

Social media & credential sharing

Research shows young adults often share passwords with friends to stay connected — here’s why that’s risky.

Sharing credentials with friends
  • If they get hacked, so do you
  • Breakups and falling-outs happen — change passwords immediately
  • One account = gateway to password resets on other accounts
What your profile reveals
  • Home city + employer + daily schedule = stalking risk
  • Birthdate + phone = account recovery answers
  • Travel posts = you’re not home right now
Safer alternatives
  • Set social profiles to private; audit followers
  • Use “Friends only” for location and personal posts

Quick-win checklist

Do these today — each takes under 5 minutes

Set up a password manager and change your top 5 most-used passwords

Review app permissions on your phone — revoke what’s unnecessary

Enable 2FA on email, bank, and social accounts (use an app, not SMS)

Turn on automatic updates for your OS and apps

Enable passkeys on Google, Apple, and all supported accounts

Set your social profiles to private and audit your followers

Delete your info from data brokers: privacy.ca.gov/drop

Freeze your credit: Experian, Equifax, TransUnion

References & resources

EFF surveillance self-defense ssd.eff.org/module-categories/basics
FTC — Using a password manager consumer.ftc.gov/articles/using-a-password-manager
NIST password guidelines pages.nist.gov/800-63-4
California CCPA consumer rights oag.ca.gov/privacy/ccpa
Have I been pwned (breach checker) haveibeenpwned.com
California delete from data brokers privacy.ca.gov/drop
Passkeys.dev — how passkeys work passkeys.dev
ProtonVPN (free VPN) protonvpn.com
Pew Research: public & privacy (2023) pewresearch.org
ProtonVPN (free VPN) Source content on GitHub