OPSEC - Protecting Your Privacy (Workshop Outline)

Title: OPSEC: Protecting Your Privacy in a Data-Driven World
Date: Friday, September 19, 2025 10a - 12pm

Location: Building 10C
Summary: In a time when personal data is constantly being collected, shared, and monetized—often without our knowledge—this workshop provides a clear, accessible guide to understanding how data is gathered, how it’s used, and what risks it poses. We’ll explore real-world examples of data misuse, from invasive targeted ads to identity fraud, and examine how individuals can take meaningful steps to protect their privacy. Attendees will learn how to opt out of data collection, secure their devices, and limit their digital footprint. Whether you're new to digital privacy or looking to sharpen your defenses, this session offers practical tools and resources to take back control. Open to any UC Berkeley affiliates.

Short summary for promotion: A workshop that explores how your data is collected, used, and the risks this poses—and what you can do to protect it. Learn how to opt out, secure your devices, and take back control of your digital privacy.

Slides: OPSEC - Presentation Slides

Previous Dates: Friday, April 25, 2025, 10a - 11:30am

QR Code:

Flyers

0. Intro

• The World's most valuable resource is no longer oil, but data (The Economist)

• Types of data brokers:

  • People search services
  • Marketing data brokers: Gather large amounts of data about your online activity and put it into pools of certain behaviors, also called inferred data
  • Financial information data brokers: Credit reporting bureaus, dominated by three companies (Equifax, TransUnion, and Experian)
  • Risk mitigation data brokers: Tracks identity of people, for preventing fraud, performing background checks
  • Personal health data brokers: track health-related data that is not covered by HIPAA, like medical related search history, purchases of over-the-counter medication (very creepy in my opinion)

• Data Broker market size: $252.12 Billion in 2023

• Average person in the US generates $700+ per year (Proton, 2022 numbers)

• Acxiom made $617 million in 2023 (Zippia)

  • Acxiom averages 1500 data points per consumer, and consumers are then places in one of 7018 detailed socioeconomic cluster (visual.ly)

• These statistics do not account for the market size of dark markets

• Data brokers are used for:

  • Selling you things
  • Information research
  • Identity verification
  • fraud prevention
  • background checks
  • targeted political ads

Largest Data brokers as of 2025:

I. Your data trail

Scene: Alex is searches for "running shoes for flat feet"

• They scroll around and try a few sites, eventually landing on a blog
• Each site loads dozens of trackers and cookies that record what you:
  • searched
  • clicked
  • hovered over
  • how long they stayed.
• The blog uses Google Analytics, which logs:
  • Alex’s device type
  • Browser version
  • Location
  • Even how deep you scrolled into the website
• One of the sites has a Facebook pixel, so now Meta knows Alex is looking for running shoes even though Alex never opened Facebook.
• A few minutes later, Alex watches a YouTube video and sees an ad for the same shoes they were just researching.

Without logging into anything, without submitting any form, Alex has already shared:

• their interests
• Their device and location
• Their shopping intent
• And their likely health data (inferred from “flat feet”)
  All of which is tied to their browser fingerprint, a unique ID based on screen size, installed fonts, and system settings.

Scene 2: Alex's smartphone

Their phone is in their pocket, screen off.

• They pass a coffee shop.

  • The phone logs GPS coordinates
  • notes nearby Bluetooth beacons
  • Senses ambient Wi-Fi networksApple devices contribute nearby WiFi access points into a global database, their Wi-Fi Positioning System which can be queried. A cybersecurity researcher found they could use this to track refugee movements, the impacts of the Gaza war, and other surprises.
  • These allow it to triangulate Alex’s exact location within a few feet

• Alex takes a photo of a bagel. The metadata stamped into the photo contains:

  • Time
  • Location
  • Phone model
  • Camera settings

• That photo is backed up into the cloud, where AI scans it to improve future recommendations

• A fitness app is quietly logging data from their:

  • Accelerometer
  • Gyroscope
  • Step counter
  • Even while the app is not active

• Alex presses play on a podcast. Embedded ad tech tracks their:

  • IP address
  • Timestamp
  • Playback data
  • Any ad engagement

All of this happened without Alex unlocking their phone.
All of this builds a fuller picture of who Alex is and what they value.

Scene 3: Alex IRL

• Walk into a bookstore.
  The Wi-Fi access point logs Alex's phone's MAC address even if they don't connect, notes how long they stay - data laters sold to foot traffic analytics firms

• They use a loyalty card at checkout.

  • The system logs their purchase history, brand preference, and time of day - linking to their name, email, and credit card
  • That data may be sold to brokers, who combine it with online behavior to infer Alex’s income, shopping habits, and even dietary preferences.

• Outside, a billboard uses a Bluetooth beacon to detect nearby devices and measure how many people “see” the ad.

  • In some cases, this can correlate the device's presence with their identity if the beacon can access the device's advertising ID

• Later, they get gas using a credit card, which logs the transaction, location, and timestamp - and may be sold by the card processor or gas station for location-based marketing.

• Finally, they attend a concert.
  The ticketing platform (used to RSVP or scan the ticket) logs their attendance. That data is shared with advertisers, sponsors, or even political campaigns.

All this data builds a fuller picture of who Alex is, where they go, and what they value.

The Data

Personal Identifiers

• Names
• Email Addresses
• Phone Numbers
• Social Security number
• Publicly available data (birth certificate, drivers license, marriage certificate, court & bankruptcy records, DMV info, voter registration)
• IP addresses
• Device identifiers More info about the kinds of data tech companies collect and use

Medical and health-related data

• Fitness tracker data
• Status related to certain conditions that can be marketed to (e.g. pregancy, HIV)Grindr admitted to sharing the HIV status of its users with marketing companies.
• Search results related to health

Demographic Information

• Age / Birthdate
• Gender
• Marital status
• Income Levels
• Education
• Occupation Details
• Cars & real estate

Behavioral Data

• Browsing History
• Search Queries
• Online Purchase Activities

Location Data

• GPS CoordinatesLocation data alone was an estimate $21 billion market
• General Location Information
• Foot traffic patternsHow foot traffic data and location data are used

Psychographic Data

• Interests
• Attitudes
• Lifestyle Preferences

Social Media Engagement

• Likes
• Shares
• Comments

Technical Information

• Browser Type
• Operating System
• Device Type

Interaction Data

• Ad Clicks
• Viewing Times

II. How your data are collected

A. Online Activity

• Web browsing (cookies, trackers, fingerprinting)Your browsing history
• Google search queries and clicks
• Social media engagement (likes, follows, comments, quizzes filled out for fun)
• User profile data
• Personal data given when forms are submitted (address, age, social security)

B. Mobile Devices

• GPS/location data from apps
  • Your location can be inferred even when your GPS is off
• App usage & behavior
  • Which apps you open and when
  • Time spent in each app
  • Taps, scrolls, and interactions within apps
  • In-app purchases or subscriptions
• “Permissions” creep (e.g. flashlight apps needing mic access)
• Motion/activity sensors
  • Accelerometer, gyroscope, magnetometer (movement & orientation)
• Bluetooth and Wi-Fi signals
• Media & camera access
  • Photos, videos, and metadata (e.g., geotags)
  • Camera and microphone access
  • Screenshots or screen recordings (in rare or malicious cases)

C. Offline Sources

• Loyalty cards and credit card purchases
• Cars
• Public records (property, voter registration, etc.)
• Data broker aggregation from multiple datasets

D. Devices and IoT

• Smart home devices (thermostats, TVs, speakers, voice assistants)
• Wearables and fitness trackers
• Cars with onboard diagnostics or connected services

🎯 III. Examples

A. Advertising and Marketing

• Targeted ads based on behavior, location, or psychographicsSignal employed these techniques in an Instagram ad campaign to show IG users how granular their metrics were. IG disabled the ad campaign immediately.
• Personalized product recommendationsSendPulse's examples of Targeted Advertising
• Influencing purchasing decisions and emotions
• Evidence of "Active Listening" leaked The Guardian and NY Post reported on this leak of a slide deck advertising software that targets adverts based on what people say near their device microphones

B. Risk Scoring and Profiling

• Insurance premiums
• Loan and creditworthiness evaluationThis has included targeted predatory lending. World Privacy Forum
• Employment screening

C. Political Influence

• Voter profiling and microtargeting The Cambridge Analytica scandal was a well-known example where a Facebook quiz funneled the data of 87 million users to a political marketing company, who then used the data to advertise to people deemed "persuadable" The Brexit part (later AKA Reform UK) used Facebook advertising, breaking electoral laws and used their website to track private data of users without consent
• Disinformation campaigns tailored to psychological profiles
• Examples:
  • Reform UK (Brexit party) tracked private user info without consent (Guardian, 2024)
  • Cambridge Analytica (Guardian, 2018)
  • Facebook-Cambridge Analytica data harvesting

D. Surveillance and Law Enforcement

• Law enforcement purchasing location or facial recognition data
• Protest tracking and dragnet surveillance
• Examples:
  • Anyone Can Buy Data Tracking US Soldiers and Spies to Nuclear Vaults and Brothels in Germany (WIRED)

IV. Consequences

• Identity Theft and Fraud
  • Dark web markets sell leaked data, hacked accounts, credit card numbers, etc.Privacy Affairs has tracked what "goods and services" go for on the Dark Web markets year by year. Dark Web Price Index for 2023
  • Leaked data is then reused in phishing, synthetic ID creation, or account takeovers
• Stalking & doxxingA Catholic news organization tracked a priest's use of Grindr and outed him Vox
• Surveillance by local law enforcement, federal law enforcement, intelligence agencies
• Surveillance by foreign actors - they have also found ways to collect or purchase this data
• Manipulation of beliefs & behavior
• Loss of autonomy
• ...Oh and better ad recommendations

V. What You Can Do About It

It is impossible to be completely invisible in the digital world and many of these suggestions do take a certain amount of work. However, some of these require little work and have significant effect. It's up to you how much you care about it.

A. Limit Data at the Source

• Identify products you use that have terrible reputations with privacy and stop using them

• Browser:

  • Use a privacy-first browser like Brave.
  • Set your browser's default search engine like DuckDuckGo. It's not always perfect but if you use it most of the time, that's a lot less data you're handing to Google.
  • Install uBlock Origin and Privacy Badger in your browser

• Smartphone:

  • Deny unnecessary app permissions (especially location, contacts)
  • Set up adblocking for your phone. The best way to filter apps and web traffic is to filter traffic through the DNS filtering.
  • Disable ad tracking:
    • iOS: Settings → Privacy & Security → Tracking → UNCHECK Allow Apps to Request to Track.
    • Android: Settings → Privacy → Ads → “Delete advertising ID”
  • Turn Off Analytics & Diagnostics: Opt out of sharing “usage data” with Apple, Google, or the phone manufacturer.
    • iOS: Settings → Privacy & Security → Analytics & Improvements → Share iPhone Analytics
  • Disable location data in smartphone camera so that you don't have to strip metadata when sharing photos on social media:
    • iOS:
      1. Settings → Privacy & Securty → Location Services
      2. Find the Camera app.
      3. Choose Never to prevent the Camera app from recording location data in any new photos.

• Set up traffic filtering (ad & tracker blocking):

  • Set up network-wide filtering: Use a Raspberry Pi, old computer, or server to run a local DNS filter, or choose an external DNS service that supports filtering. Then, configure your Wi-Fi router to use its IP address as the DNS server. Here are two ways:
    • NextDNS - An external DNS service that is configurable. Free for up to 300,000 requests per month. Provides an iOS profile generator so that you can use NextDNS for smartphone traffic filtering no matter where you are.
      • **NextDNS Setup Guide
    • Pi-hole: a local DNS filter that is often installed on a Raspberry Pi. This then acts as the traffic filter for your whole home network.
  • Google is working to make Chrome-based browsers incapable of supporting the best of these plugins, by introducing what is called Manifest V3. At least for the time being, you can still use them even though Chrome will try to disable them.
  • See Adblocking for more detailed recommendations

B. Opt out - Someone has already opted you in

• Find out what information is out there: Once you know where information is you can try to remove it (name, address, where you work, etc.)

  • Searching your name in search engines,
  • Search your name in people search sites (see One Big Privacy Spreadsheet for people search sites).

• Opt out: Use my One Big Privacy Spreadsheet for a list of data brokers and where to go to opt out.

  1. Start with the industry-wide "preference services" like:
     • DMAchoice – direct mail opt-out,
     • Opt out of pre-screened credit offers,
     • Your Ad Choices.
  2. Opt out of the biggest data brokers (labeled Highest Priority in the Big Spreadsheet)
  3. If you're up for it, spend you're time going further through the list of data brokers, people search sites, etc. and see if you are listed in their system. If so, request they remove it.

• If you can't be bothered, pay for a service like DeleteMe, Jumbo, or Privacy Bee to automate this process. I have no idea how complete these services are though.

C. Lock Down Social Media

• Set profiles to private if you can help it

• Whatever you say online, consider: “Would I be okay with this being read by a stranger, employer, or an AI model 10 years from now?”

  • Avoid posting:
    • Basic personal info (details about where you live, phone number, birthdate, a photo that includes your drivers license or credit card)
    • Real-time location
    • Photos of children
    • Names of family members
    • Details about big decisions in your life (buying a house, marriage, etc.)

• Turn off ad personalization in account settings in your most used accounts (Google, Amazon, Facebook, Instagram, TikTok, etc.)

• Limit third-party apps and integrations. Remove or disable them if possible.

• Avoid using single-sign-on (SSO) - Avoid Log in with Facebook or Log in with Google): These often share data between third-party sites/apps and the identity provider (Facebook/Google/etc). This enables Facebook or Google to track your activity across many services and devices. This makes it trivial to tie your activity to your identity, making it much more difficult to compartmentalize

  • Gmail:
    1. Visit https://myaccount.google.com
    2. Open the Security section
    3. Find Third-party apps with account access
    4. Click Manage third-party access
    5. Review the list. Delete anything that does not require it or you do not use.

D. Minimize Digital Footprint

• Compartmentalize. Avoid setting up new accounts when possible. Use burner email (email address you don't really use that is a pseudonym) or a temporary email.
• Obfuscate when real info is not necessary. Use a burner email for signups when possible - a junk email address you never really need to check
• Avoid posting sensitive info (e.g. birth date, location, life milestones)
• Use pseudonyms where possible - Most services don't need your real name
• Delete old accounts that you don't use!
  • Not sure what accounts those are? Use a password manager so that you have a record of what accounts you have!

E. Secure Your Devices

• Enable two-factor authentication (2FA), especially for anything email or money related.
• Audit app permissions on your smartphone
• Keep software and OS updated
• Consider an encrypted messaging app like Signal. It allows you to delete a message from both you and the recipient. It also allows you to have messages delete after a set interval.
• Choose "dumb" devices over "smart" ones. No one needs a refrigerator that connects to the Internet.

F. Make Informed Decisions

• Regularly review privacy policies and app permissions
• Follow orgs like EFF, Privacy Rights Clearinghouse, Consumer Reports Digital Lab
• Use services like Have I Been Pwned to monitor data breaches you may have been in.
  • When data breaches occur, it's helpful to know what kind of data was leaked. If passwords were leaked, change passwords.

Conclusion

We're sold a world of convenience and connection, but the real cost is our autonomy. These systems are designed to erode your autonomy by limiting choices and strip away your agency by obscuring how they operate.

"Data rights are human rights" — Carole Cadwalladr, journalist who exposed Cambridge Analytica

"Politics is technology now" - Carole Cadwalladr

“Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say.”
— Edward Snowden, NSA whistleblower

“If we don’t act to protect privacy, we risk living in a world where our lives are governed not by laws, but by corporate terms of service.” — Shoshana Zuboff, author of The Age of Surveillance Capitalism

Links

• Privacy Audit Spreadsheet (Google Sheets)
• Data Privacy Strategies: My recommendations, with a bit more details
• Mozilla's Privacy Not Included: Product reviews from a privacy & security standpoint, which products are "privacy not included", rates them as a little creepy, somewhat creepy, very creepy, and super creepy
• Privacy4Cars' Vehicle Privacy Report
• Safeguarding your data privacy when entering the US border. Customs and Border Protection has the authority to search electronic devices, including phones, laptops, tablets, etc. of anyone entering the US, including citizens and non-citizens. (A WIRED article about the same)
• How to protest safely in the age of surveillance - WIRED
• Five things to avoid saying to ChatGPT (WSJ)
• Privacy.com allows you to create up to 12 "virtual cards" that link to your bank or card for free
• Privacy Guides (privacyguides.org)
• Terms of Service; Didn't Read: Explains the Terms of Service of popular websites and rates how ethical they are

References on Data Privacy, Misuse, and Surveillance

General Data Collection & Use

• What data Big Tech companies collect and why (Google, Apple, Facebook, etc.) – Security.org
• Examining the intersection of data privacy and civil rights – Brookings
• EFF: Steering mobility data to a better privacy regime
• There is a multi-billion dollar market for your phone's location data – The Markup

Data Broker Practices & Civil Liberties

• Closing the data broker loophole – Brennan Center for Justice
• Congress must prohibit government purchases of citizen data – Brennan Center for Justice
• Two-thirds of apps used by preschool-aged children collected and shared persistent identifiers with third parties like Facebook – Michigan Medicine

Identity & Personal Risk

• Dark Market Price Index 2023 – Privacy Affairs
• A federal judge’s son was killed after attacker obtained info from people search sites – NYT
• Trying to remove personal data from people-search sites – Consumer Reports

Health & Genetic Data

• Grindr shared users' HIV status – NPR
• How data brokers monetize medical records – Scientific American
• 23andMe:
  • Potentially selling more than just genetic data – CBS
  • How to delete your 23andMe data – CBS
  • CA Attorney General urges deletion of 23andMe data – CA OAG

Government & Law Enforcement Use

• FTC says data brokers tracked protestors and military personnel – WIRED
• FTC bans two brokers from selling sensitive location data – The Verge
• FTC settles with brokers over political, pregnancy data sales – Reuters
• Military's use of location data from apps, including Muslim prayer app – VICE
• Sale of military personnel data – Duke Sanford
• ShadowDragon: Surveillance tool used by law enforcement – Wikipedia
• Intelligence analysts used smartphone data without warrants – NYT
• How law enforcement tracks and identifies protestors - WIRED (video)
• Police are using AI to automate surveillance of social media - WIRED
• The US intelligence community is building a one-stop-shop for your data - The Intercept (alt link)
• Airlines sold your flight data to Dept of Homeland Security (DHS) - WIRED (alt link)

Targeted Ads, Voice Monitoring & “Active Listening”

• Senator probes Meta & Google on coordination with ad firm over phone monitoring – NY Post
• “Active Listening” ad software exposed by pitch deck – The Guardian
• Follow-up reporting on the same story – NY Post

Political Influence & Cambridge Analytica

• Cambridge Analytica planted fake news – BBC
• Congressional report on Cambridge Analytica – US Congress
• Facebook-Cambridge Analytica data harvesting – UNL

Legal Settlements & Breaches

• Equifax data breach explained – BreachSense
• Google settles incognito mode data collection lawsuit – Winston & Strawn
• Google Chrome incognito data deletion settlement – WIRED

Additional Cases

• Outed priest's story shows risk of location data – Vox
• Privacy risks of dating apps – Brookings

Books

• The Age of Surveillance Capitalism by Shoshana Zuboff
• Data and Goliath by Bruce Schneier