OPSEC - Protecting Your Privacy (Workshop Outline)

Title: OPSEC: Protecting Your Privacy in a Data-Driven World
Date: Friday, September 19, 2025 10a - 12pm

Location: Building 10C
Summary:

Personal data is constantly being collected, shared, and monetized—often without our knowledge. This workshop aims to explain what data is gathered, how it’s used, and what risks it poses. We’ll explore real-world examples of data misuse, from invasive targeted ads to identity fraud, and examine how individuals can take meaningful steps to protect their privacy. Attendees will learn how to opt out of data collection, secure their devices, and limit their digital footprint. Whether you're new to digital privacy or looking to sharpen your defenses, this session offers practical tools and resources to take back control.

Open to ALL!

Short summary for promotion: This workshop explores how our data is collected, sold, what risks this poses, and what one can do to prevent this.

Slides: OPSEC - Presentation Slides

Previous Dates: Friday, April 25, 2025, 10a - 11:30am

QR Code:

Flyers

Privacy Random Facts for advertisement

0. Intro

• The World's most valuable resource is no longer oil, but data (The Economist)

• Types of data brokers:

  • People search services
  • Marketing data brokers: Gather large amounts of data about your online activity and put it into pools of certain behaviors, also called inferred data
  • Financial information data brokers: Credit reporting bureaus, dominated by three companies (Equifax, TransUnion, and Experian)
  • Risk mitigation data brokers: Tracks identity of people, for preventing fraud, performing background checks
  • Personal health data brokers: track health-related data that is not covered by HIPAA, like medical related search history, purchases of over-the-counter medication (very creepy in my opinion)

• Data Broker market size: $252.12 Billion in 2023

• Average person in the US generates $700+ per year (Proton, 2022 numbers)

• Acxiom made $617 million in 2023 (Zippia)

  • Acxiom averages 1500 data points per consumer, and consumers are then places in one of 7018 detailed socioeconomic cluster (visual.ly)

• These statistics do not account for the market size of dark markets

• Data brokers are used for:

  • Selling you things
  • Information research
  • Identity verification
  • fraud prevention
  • background checks
  • targeted political ads

Largest Data brokers as of 2025:

I. Your data trail

Scene: Alex is searches for "running shoes for flat feet"

• They scroll around and try a few sites, eventually landing on a blog
• Each site loads dozens of trackers and cookies that record what you:
  • searched
  • clicked
  • hovered over
  • how long they stayed.
• The blog uses Google Analytics, which logs:
  • Alex’s device type
  • Browser version
  • Location
  • Even how deep you scrolled into the website
• One of the sites has a Facebook pixel, so now Meta knows Alex is looking for running shoes even though Alex never opened Facebook.
• A few minutes later, Alex watches a YouTube video and sees an ad for the same shoes they were just researching.

Without logging into anything, without submitting any form, Alex has already shared:

• their interests
• Their device and location
• Their shopping intent
• And their likely health data (inferred from “flat feet”)
  All of which is tied to their browser fingerprint, a unique ID based on screen size, installed fonts, and system settings.

Scene 2: Alex's smartphone

Their phone is in their pocket, screen off.

• They pass a coffee shop.

  • The phone logs GPS coordinates
  • notes nearby Bluetooth beacons
  • Senses ambient Wi-Fi networksApple devices contribute nearby WiFi access points into a global database, their Wi-Fi Positioning System which can be queried. A cybersecurity researcher found they could use this to track refugee movements, the impacts of the Gaza war, and other surprises.
  • These allow it to triangulate Alex’s exact location within a few feet

• Alex takes a photo of a bagel. The metadata stamped into the photo contains:

  • Time

  • Location

  • Phone model

  • Camera settings

• That photo is backed up into the cloud, where AI scans it to improve future recommendations

• A fitness app is quietly logging data from their:

  • Accelerometer
  • Gyroscope
  • Step counter
  • Even while the app is not active

• Alex presses play on a podcast. Embedded ad tech tracks their:

  • IP address
  • Timestamp
  • Playback data
  • Any ad engagement

All of this happened without Alex unlocking their phone.
All of this builds a fuller picture of who Alex is and what they value.

Scene 3: Alex IRL

• Walk into a bookstore.
  The Wi-Fi access point logs Alex's phone's MAC address even if they don't connect, notes how long they stay - data laters sold to foot traffic analytics firms

• They use a loyalty card at checkout.

  • The system logs their purchase history, brand preference, and time of day - linking to their name, email, and credit card
  • That data may be sold to brokers, who combine it with online behavior to infer Alex’s income, shopping habits, and even dietary preferences.

• Outside, a billboard uses a Bluetooth beacon to detect nearby devices and measure how many people “see” the ad.

  • In some cases, this can correlate the device's presence with their identity if the beacon can access the device's advertising ID

• Later, they get gas using a credit card, which logs the transaction, location, and timestamp - and may be sold by the card processor or gas station for location-based marketing.

• Finally, they attend a concert.
  The ticketing platform (used to RSVP or scan the ticket) logs their attendance. That data is shared with advertisers, sponsors, or even political campaigns.

All this data builds a fuller picture of who Alex is, where they go, and what they value.

The Data

Personal Identifiers

• Names
• Email Addresses
• Phone Numbers
• Social Security number
• Publicly available data (birth certificate, drivers license, marriage certificate, court & bankruptcy records, DMV info, voter registration)
• IP addresses
• Device identifiers More info about the kinds of data tech companies collect and use

Medical and health-related data

• Fitness tracker data
• Status related to certain conditions that can be marketed to (e.g. pregancy, HIV)Grindr admitted to sharing the HIV status of its users with marketing companies.
• Search results related to health

Demographic Information

• Age / Birthdate
• Gender
• Marital status
• Income Levels
• Education
• Occupation Details
• Cars & real estate

Behavioral Data

• Browsing History
• Search Queries
• Online Purchase Activities

Location Data

• GPS CoordinatesLocation data alone was an estimate $21 billion market
• General Location Information
• Foot traffic patternsHow foot traffic data and location data are used

Psychographic Data

• Interests
• Attitudes
• Lifestyle Preferences

Social Media Engagement

• Likes
• Shares
• Comments

Technical Information

• Browser Type
• Operating System
• Device Type

Interaction Data

• Ad Clicks
• Viewing Times

II. How your data are collected

A. Online Activity

• Web browsing (cookies, trackers, fingerprinting)
• Google search queries and clicks
• Social media engagement (likes, follows, comments, quizzes filled out for fun)
• User profile data
• Personal data given when forms are submitted (address, age, social security)

B. Mobile Devices

• GPS/location data from apps
  • Your location can be inferred even when your GPS is off
• App usage & behavior
  • Which apps you open and when
  • Time spent in each app
  • Taps, scrolls, and interactions within apps
  • In-app purchases or subscriptions
• “Permissions” creep (e.g. flashlight apps needing mic access)
• Motion/activity sensors
  • Accelerometer, gyroscope, magnetometer (movement & orientation)
• Bluetooth and Wi-Fi signals
• Media & camera access
  • Photos, videos, and metadata (e.g., geotags)
  • Camera and microphone access
  • Screenshots or screen recordings (in rare or malicious cases)

C. Offline Sources

• Loyalty cards and credit card purchases
• Cars
• Public records (property, voter registration, etc.)
• Data broker aggregation from multiple datasets

D. Devices and IoT

• Smart home devices (thermostats, TVs, speakers, voice assistants)
• Wearables and fitness trackers
• Cars with onboard diagnostics or connected services

🎯 III. Examples

A. Advertising and Marketing

• Targeted ads based on behavior, location, or psychographicsSignal employed these techniques in an Instagram ad campaign to show IG users how granular their metrics were. IG disabled the ad campaign immediately.
• Personalized product recommendationsSendPulse's examples of Targeted Advertising
• Influencing purchasing decisions and emotions
• Evidence of "Active Listening" leaked The Guardian and NY Post reported on this leak of a slide deck advertising software that targets adverts based on what people say near their device microphones

B. Risk Scoring and Profiling

• Insurance premiums
• Loan and creditworthiness evaluationThis has included targeted predatory lending. World Privacy Forum
• Employment screening

C. Political Influence

• Voter profiling and microtargeting The Cambridge Analytica scandal was a well-known example where a Facebook quiz funneled the data of 87 million users to a political marketing company, who then used the data to advertise to people deemed "persuadable" The Brexit part (later AKA Reform UK) used Facebook advertising, breaking electoral laws and used their website to track private data of users without consent
• Disinformation campaigns tailored to psychological profiles
• Examples:
  • Reform UK (Brexit party) tracked private user info without consent (Guardian, 2024)
  • Cambridge Analytica (Guardian, 2018)
  • Facebook-Cambridge Analytica data harvesting

D. Surveillance and Law Enforcement

• Law enforcement purchasing location or facial recognition data
• Protest tracking and dragnet surveillance
• Examples:
  • Anyone Can Buy Data Tracking US Soldiers and Spies to Nuclear Vaults and Brothels in Germany (WIRED)

IV. Consequences

• Identity Theft and Fraud
  • Dark web markets sell leaked data, hacked accounts, credit card numbers, etc.Privacy Affairs has tracked what "goods and services" go for on the Dark Web markets year by year. Dark Web Price Index for 2023
  • Leaked data is then reused in phishing, synthetic ID creation, or account takeovers
• Stalking & doxxingA Catholic news organization tracked a priest's use of Grindr and outed him Vox
• Surveillance by local law enforcement, federal law enforcement, intelligence agencies
• Surveillance by foreign actors - they have also found ways to collect or purchase this data
• Manipulation of beliefs & behavior
• Loss of autonomy
• ...Oh and better ad recommendations

V. What You Can Do About It

• It is impossible to be completely invisible in the digital world and many of these suggestions do take a certain amount of work. However, some of these require little work and have significant effect. It's up to you how much you care about preventing further damage.

Data Privacy Strategy

Conclusion

We're sold a world of convenience and connection, but the real cost is our autonomy. These systems are designed to erode your autonomy by limiting choices and strip away your agency by obscuring how they operate.

"Seize the means of computation" — Cory Doctorow

"Data rights are human rights" — Carole Cadwalladr, the journalist who exposed Cambridge Analytica and Facebook

"Politics is technology now" - Carole Cadwalladr

“Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say.”
— Edward Snowden, NSA whistleblower

“If we don’t act to protect privacy, we risk living in a world where our lives are governed not by laws, but by corporate terms of service.” — Shoshana Zuboff, author of The Age of Surveillance Capitalism

Links

My Resources

• Privacy Audit Spreadsheet (Google Sheets) is a spreadsheet version of my recommendations. It formatted as a customizable checklist so you can decide which steps are appropriate for you. It also contains a list of data brokers one can use to opt out and remove your data from public view

Other Resources

• Mozilla's Privacy Not Included: Product reviews from a privacy & security standpoint, which products are "privacy not included", rates them as a little creepy, somewhat creepy, very creepy, and super creepy
• Privacy4Cars' Vehicle Privacy Report
• Safeguarding your data privacy when entering the US border. Customs and Border Protection has the authority to search electronic devices, including phones, laptops, tablets, etc. of anyone entering the US, including citizens and non-citizens. (A WIRED article about the same)
• How to protest safely in the age of surveillance - WIRED
• Five things to avoid saying to ChatGPT (WSJ)
• Privacy.com allows you to create up to 12 "virtual cards" that link to your bank or card for free
• Privacy Guides (privacyguides.org)
• Terms of Service; Didn't Read: Explains the Terms of Service of popular websites and rates how ethical they are

References on Data Privacy, Misuse, and Surveillance

General Data Collection & Use

• What data Big Tech companies collect and why (Google, Apple, Facebook, etc.) – Security.org
• Examining the intersection of data privacy and civil rights – Brookings
• EFF: Steering mobility data to a better privacy regime
• There is a multi-billion dollar market for your phone's location data – The Markup

Data Broker Practices & Civil Liberties

• Closing the data broker loophole – Brennan Center for Justice
• Congress must prohibit government purchases of citizen data – Brennan Center for Justice
• Two-thirds of apps used by preschool-aged children collected and shared persistent identifiers with third parties like Facebook – Michigan Medicine

Identity & Personal Risk

• Dark Market Price Index 2023 – Privacy Affairs
• A federal judge’s son was killed after attacker obtained info from people search sites – NYT
• Trying to remove personal data from people-search sites – Consumer Reports

Health & Genetic Data

• Grindr shared users' HIV status – NPR
• How data brokers monetize medical records – Scientific American
• 23andMe:
  • Potentially selling more than just genetic data – CBS
  • How to delete your 23andMe data – CBS
  • CA Attorney General urges deletion of 23andMe data – CA OAG

Government & Law Enforcement Use

• FTC says data brokers tracked protestors and military personnel – WIRED
• FTC bans two brokers from selling sensitive location data – The Verge
• FTC settles with brokers over political, pregnancy data sales – Reuters
• Military's use of location data from apps, including Muslim prayer app – VICE
• Sale of military personnel data – Duke Sanford
• ShadowDragon: Surveillance tool used by law enforcement – Wikipedia
• Intelligence analysts used smartphone data without warrants – NYT
• How law enforcement tracks and identifies protestors - WIRED (video)
• Police are using AI to automate surveillance of social media - WIRED
• The US intelligence community is building a one-stop-shop for your data - The Intercept (alt link)
• Airlines sold your flight data to Dept of Homeland Security (DHS) - WIRED (alt link)

Targeted Ads, Voice Monitoring & “Active Listening”

• Senator probes Meta & Google on coordination with ad firm over phone monitoring – NY Post
• “Active Listening” ad software exposed by pitch deck – The Guardian
• Follow-up reporting on the same story – NY Post

Political Influence & Cambridge Analytica

• Cambridge Analytica planted fake news – BBC
• Congressional report on Cambridge Analytica – US Congress
• Facebook-Cambridge Analytica data harvesting – UNL

Legal Settlements & Breaches

• Equifax data breach explained – BreachSense
• Google settles incognito mode data collection lawsuit – Winston & Strawn
• Google Chrome incognito data deletion settlement – WIRED

Additional Cases

• Outed priest's story shows risk of location data – Vox
• Privacy risks of dating apps – Brookings

Books

• The Age of Surveillance Capitalism by Shoshana Zuboff
• Data and Goliath by Bruce Schneier