Reproduction

How to: Shop Untraceably, Online

Collection of Amazon gift cards
Amazon gift cards, purchased in cash, to facilitate traceless online shopping. Janet Vertesi, 2014

When I got pregnant in 2013 I started a dedicated Amazon account just for baby stuff. I set it up with a dedicated email address hosted on mail.com, not my typical server. I only accessed Amazon and mail.com over Tor, which obscured my IP address and other identifying information. I stuffed the account with cash-purchased gift cards. And I sent purchases to a locker in New York City under a pseudonym.

At first it seemed extreme. Now it's just everyday.

Since then, some things have gotten easier, others harder. But I've kept up the practices I developed, of firewalling every child-related purchase from the rest of my online life.  Below is what my personal purchasing landscape looks like today.

Of course, cash is the ultimate untraceable medium. But I recognize that sometimes you just can't get what you need in an in-person store. And you may not be at liberty to obscure your identity in person the way you can online. Either way, untraceable shopping and purchasing is a must when you are trying to keep some information to yourself.

I offer the following because it is what I do, but your mileage may vary. I don't endorse any of these products, nor do they endorse me. Follow at your own risk: at least, hopefully, this will give you some ideas.

1. Just Browsing

You need to be sure that your browser isn't giving you away. If you use Chrome, you're dead in the water. It's a Google product, and if you're logged in as a Google user then Google knows everything you are doing, instantly. Remove Chrome. If you really think you have to use Chrome, you can install its open source code base, Chromium. But Google Chrome is a no go, full stop, end of story.

Also, change your installed search engine. Google, Bing, and Yahoo! remember everything you do on their search sites. Duckduckgo does not. Neither does Startpage, which lets you search Google untraceably.

Personally, I like to have several browsers on standby, to spread my traces around online and offer various levels of resistance. I alternate between Firefox and DuckDuckGo's new browser, to spread my traces about. Firefox hosts many of my privacy-oriented plugins, and allows me to have containerized or private tabs: this means that what I do in one tab can't be detected by other tabs, or it means that certain aspects of my browsing are less identifiable. Note that this is not entirely foolproof: educate yourself on what "private browsing mode" actually means.

I also have Opera, Safari, and Tor at the ready. I keep these installations pretty clean so that the sites I visit can't tell much about me other than my browser, device, and sometimes IP address (not always). I often uninstall and reinstall them so that they stay fresh, with little to no information stored.

I use Safari for the few websites that don't recognize Firefox. I use Tor if I really want to be untraceable, although websites often break when I use it. In those cases I use DuckDuckGo, a private Firefox window, or a VPN (I like Mozilla's VPN) depending on how untraceable I need to be. On my phone I also have the French Google alternative, Quant, and my phone's native Sailfish browser, just in case.

Turn off your ad blocker.  Ads are the only mechanism we currently have to detect what other companies know about you. You need things that block the information flow from your computer to the ad companies, not the other way around. So choose blockers that stop your information from moving without your knowledge. My favorites are Ghostery, Disconnect.me, uBlock Origin, and DuckDuckGo Privacy essentials, but there are many more out there.

While you're at it, install Lightbeam on Firefox. It records the cookies and tracers you have visited and shows the connections between the various websites you've visited. There's no better way to visualize how your data is moving behind your back.

Oh, and clear your cache. Often.

2. Credit card purchasing

Entering a real credit card will give you away. So I have an account on Privacy.com. It sets up one-time-use or dedicated debit cards. The advantage is that you have a fresh credit card number every time you use it, and also you can input ANY address or Zip code. 

I have been using Privacy.com now for years. Yes, it links to your US bank account, which seems like a no-no. But what I like about it is how it provides a buffer between your online purchases and your actual accounts. On your bank statement, a purchase will show up as PRIVACY.COM--AMAZON or whatever, so you can track expenses. That extra layer of buffer keeps your shopping information away from the site you're buying from, and the site information away from your financial info. Bonus: you can set up dedicated cards with spend limits, so it's useful for budgeting purposes.

Before using Privacy.com, I used to buy online gift cards or gift debit cards using cash. I still do that sometimes, but I find Privacy just as effective. So far, I haven't experienced any data leaks: and as soon as I do, I'll leave and find another option.

3. Shipping address

You can enter any zip code for a purchase using a privacy.com card, but what about actually receiving your supplies?

I use a different spelling of my name, creative middle names, or unusual address spellings every time I order something online. I've used Amazon's locker services for pickup as well. If I give everyone the same mailing address, I won't know who gave me away! But if everyone gets a slightly different name (fortunately the USPS doesn't look twice at addressee names for domestic mail) or a creative address spelling, I'll know when that information travels.

This happened once when my partner found a super cute kids' clothing store online. He made a privacy.com purchase with a unique spelling of our address. A few weeks later, a catalog showed up at our door for a different kids' company altogether--using that same spelling. We wouldn't have known who gave us away without that clue.

We moved a few weeks later and the catalogs didn't follow us.

Other options include short term PO Box rentals, which I suspect you could do with a Privacy card online but I haven't tried it. Otherwise there would be a trail of your information associated with the rental. You can also send to a friend's house, to a business address, or another address where you can pick up the stuff.

I have been doing this for years. With one or two exceptions (the kids' clothes company was one) I have seen nothing yet to indicate that my shipping address is being used to identify me, nor that it is migrating along with other user data.  But when that happens, my alternative addresses will let me know.

4. Dedicated accounts

I do the same thing for required accounts and email addresses on online sites. Some sites, if I know I'm just buying something once, I use 10minutemail.net to set up a quick temporary email address. Beware: it expires after ten minutes (unless you click to extend) so don't expect a long-term relationship. But for things like a confirmation email buying tickets to a show or something, it's perfect.

In other cases, I set up a dedicated email address or alias that includes the company's name in some creative way. Much like the unusual address spellings, I can more easily track how some spamming company got my information based on which email address they use. I think of these addresses as something like canaries in the coal mine: they'll ping me and let me know when my data has moved.

This has now gotten a whole lot easier with Firefox Relay and DuckDuckGo Email Protection. Both services will help you set up a one-time-use or dedicated email address. Duckduckgo will even strip the email of its tracking tech so that it doesn't report back to a mothership when it lands in your inbox. Get both of these tools and use them often!

I use ionos.com's email hosting services as I like their alias options; fastmail.fm and protonmail.ch also allow you to make a limited number of aliases. Note that you will have to pay for these options, but in my opinion it is worth the subscription to have your privacy (and, in ProtonMail's case, the added security of encryption). Gmail is free but it gives you away. Add this to the ridiculous expense it now costs private consumers to keep some data to themselves.

What about other people shopping for you?

Get them to at least, at the very very least, enter a pseudonym or strange spelling of your address. And at best, to buy what they want for you, send it to their house, and then mail it to you by hand. It's not impossible. My mum has gotten pretty good at this by now.

Bonus Question: Why Amazon?

I've had people question my use of Amazon so I want to make a few things clear about that choice. Surely if the point is to leave Big Tech, I should go by now?

My goal wasn't always to leave Big Tech: it's to thwart the personal data economy. Dividing my data up, making it impossible to pinpoint me or to bring together everything about me into a single coherent data picture: these are other ways to dismantle their power. That's a key distinction when it comes to the Opt Out arsenal of tools I've developed. Sometimes I do entirely avoid a Big Tech player, but when I don't leave entirely, I make it so that whatever data they get about me just won't amount to much.

With that in mind, when I first chose Amazon for baby purchases, the ads were terrible. I used to joke about the "You Might Like..." suggestions beacuse they were so bad. I got the sense that their preferences team just wasn't very good at their job. That honestly gave me a little more confidence that my data wasn't going to be mined in some unusual, cutting-edge way. After all, they were still busy trying to sell me things I'd looked at months ago--sometimes even stuff I had already bought. When it came to personalization, I made a bet that Amazon was way, way behind the curve.

Over the years, I noticed that my data never moved. In nine years I haven't seen a single unauthorized use of my address, email or snail mail. That includes when Amazon opened up their partnership program to other sellers. I just haven't seen the data go anywhere else. That kept me around as a customer.

Now that the big tech companies are consolidating, though, I'm not convinced that this kind of data corralling is a good thing any longer. At first when I visited websites they were chock full of third party trackers from companies I'd never heard of. Now those same sites are populated with very few trackers from the big names--Meta and Google, mostly.

Originally, I was worried about my data moving without my consent. Now that the giants are consolidating, though, their stranglehold on the data economy gives them much more power.

I have noticed in the wake of this shift that other big companies like Netflix, Amazon, and Disney are more likely to try to create their own consolidated datasets. Certainly they're not selling that data or access to your eyeballs to others: they are keeping that information proprietary and close to their chests.

Certainly, I'm not exclusive in my use of Amazon. I don't use them too often: just for some kinds of purchases related to children online, when I can't find what I need in a store or elsewhere. And when I do use them, it's just for kids' stuff.

Either way, I'm watching to see where this path leads next. When I've decided it's time to leave, I'll jump ship--and post about it when I do.

 

Related posts