Personal Internet Privacy in 2021 — How I Audited My 150+ Online Accounts

Adam H
Mar 21, 2021

My name is Adam and up until last week, I had over 150 user accounts for different online services. I was a row in over 150 separate account databases, and had provided personal details of varying (and sometimes questionable) intimacy to a number of (sometimes questionable) online services. In a moment of clarity, I asked myself whether I even needed all of these accounts, and started to worry about the data I had provided. Before we dive into my personal GDPR experience, let me explain how I got to this point.

From my limited understanding, the internet has veered off course and the GDPR is a first attempt to rein it back in. As yesterday’s dark patterns mutate into today’s standard practice, I can’t help but imagine it started out as harmless fun. Maybe we reached the point of no return when legions of amateurs inspired by the likes of Shoemoney started crowding Google’s search results with optimized garbage. Not to be bested, large enterprises rapidly followed suit. We stopped discerning between nuanced essays, how-to guides and news articles: online, everything is content. Copywriters were hired to generate SEO-optimized content, which in turn generated clicks. Backlinks, guest-writers, private blog networks… In a nutshell: money makes people go crazy. The young internet, torn from its cocoon, had become a buzzing metropolis. Its small-town charm was replaced by a harried egoism which makes users queasy and vigilant. Today, we’ve reached the point where Google lies about tracking users in «incognito mode».

Of course, this narrative is hyperbolic and cynical. There are countless positive examples of sites and online communities that bring out the best in all of us. The tendency however is in the opposite direction, towards tracking and click-generation. Not only does this largely degrade the user experience, but the pure disrespect and false freedom («do you want these cookies or just these cookies») makes me angry. So I decided to finally get my online presence under control and make some changes:

  1. I changed my main email account to an encrypted email service (in this case ProtonMail)
  2. Set up an easy-to-use and free password manager for comprehensive use (in this case Bitwarden)
  3. Requested deletion of accounts I do not need
  4. Replaced my personal email on the remaining accounts with anonymized email aliases to prevent any affiliation between different accounts (this is possible using the free version of AnonAddy)
  5. Escape Google, at least as much as possible

In addition, I use a VPN, in order to privatize my browsing experience as much as possible. So I got to work, slowly working through the passwords saved on my Google account, moving them over to Bitwarden and changing the email. And this is how it went:

  • Of the roughly 150 accounts I had created (most in haste — «need access to this file? Sure just…»), I opted to keep 76. For 74 I would change my email address. Most of the remaining 50–60 were easily deleted, but for 14 of them I had to request account deletion by email.
  • I signed up for anonaddy.com (free version), an open source tool (GitHub) that allows for enhanced email forwarding. You use a unique email address for each account, and AnonAddy (be careful not to visit anondaddy, unless you’re into that) forwards them to your main email address.
  • Of the 76 emails I wanted to change, I was able to change 74. Of course, it is hard to verify whether the old email was deleted. This may be done by way of a GDPR data access request, but I left it at that. For 2 services, I was denied a change in email address. Beook in particular denied my request, since ‘there was no reason to change your email’ and I needed a ‘proper reason’.
  • For the 14 accounts I wanted to delete, I was able to delete 11. For each company, I sent an email that looked like this:

Dear XXX
I wanted to ask if it were possible to delete my account and all the personal data associated with it.
Cheers,
Adam

  • Two of the companies haven’t given me a proper response to this day and one account I was unable to delete, since I no longer had access to the email address linked to it.
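An added example, not part of the original post: one way to check progress on the alias migration described above is to run a password export through a short script that lists sites still registered to the main address, sites linked by a shared address, and sites sharing a password. The `name,url,username,password` CSV header, the addresses and the `audit` function are assumptions made for illustration, and the sample rows are constructed.

```python
import csv
import hashlib
import io
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample using the name,url,username,password header of a
# browser password export (assumed layout); every value here is made up.
SAMPLE_EXPORT = """name,url,username,password
shop.example,https://shop.example/login,adam@mail.example,hunter2
forum.example,https://forum.example/,Adam@mail.example,hunter2
games.example,https://games.example/signin,games.x7k2@alias.example,Vq8-correct-horse
books.example,https://books.example/,books.p0q9@alias.example,hunter2
"""


def audit(export_text, primary_email):
    """Return (on_primary, shared_address, reused_password) site lists."""
    by_address = defaultdict(set)
    by_password = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        site = urlparse(row["url"]).hostname or row["name"]
        by_address[row["username"].strip().lower()].add(site)
        # Group on a digest so plaintext passwords never reach the report.
        digest = hashlib.sha256(row["password"].encode("utf-8")).hexdigest()
        by_password[digest].add(site)

    on_primary = sorted(by_address.get(primary_email.strip().lower(), ()))
    # Any address seen on more than one site links those accounts together.
    shared_address = sorted(sorted(s) for s in by_address.values() if len(s) > 1)
    reused_password = sorted(sorted(s) for s in by_password.values() if len(s) > 1)
    return on_primary, shared_address, reused_password


if __name__ == "__main__":
    on_primary, shared, reused = audit(SAMPLE_EXPORT, "adam@mail.example")
    print("Still on the primary address:", ", ".join(on_primary))
    for group in shared:
        print("Linked by one address:", ", ".join(group))
    for group in reused:
        print("Same password on:", ", ".join(group))
```

A real export file holds every password in plaintext, so keep it on local disk only and delete it once the audit is done.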

In addition, I would like to highlight particularly frustrating experiences:

The well deserved first place goes to Lenovo. Firstly, I was unable to find either the ‘change email’ or the ‘delete account’ button. According to the Lenovo support website, these options should exist, but they were nowhere to be found.

And since Lenovo apparently has no support email, I was unable to contact anybody about it (calling internationally was not an option for me). Then, finally after I changed my VPN location to Switzerland (the country I created my account in), the two buttons decided to show up. But, surprise, surprise! I was unable to verify my password, since the ‘connection failed’.

And just to add the cherry on top, once I was actually able to receive the email to verify the deletion of my account, the code found in the email was full of question mark boxes (wrongly encoded string I would guess).

Number two goes to Discord. Originally, I was unable to change my email to an AnonAddy alias, since Discord banned the use of any email address using a subdomain. Instead, I was able to use a randomly generated alias to make it work. Then Discord required me to verify my phone number, which I removed afterwards, since I do not want them associated. But upon removing my phone number, I was required to reverify by phone and I was unable to use the same phone number, which practically locked me out of my account. And upon contacting support, they told me to wait a few days and then try again. Top notch operational security. Coincidentally, that is what my locksmith told me last week when my key got stuck.

And in third place we find Orell Füssli (a Swiss book shop). They were ‘unable to find any account linked to my email’, even though I sent them a screenshot of my profile page showing the email. Afterwards they managed to delete the account anyway.

Honorable mentions include Ultimaker, who forwarded my email internally to the account support sector, only for me to get a reply that it was wrongly forwarded. I appreciate that I was copied into all internal communications. Wesley, I think you might have skipped through the “social engineering and countermeasures” web-based-training session.

Especially concerning was also the fact that only four of the companies actually asked me to properly identify myself or prove that the account is actually mine. On the other hand, they were linked to the email address I sent the email from, and none of them used 2FA.

But even the solution shown in the post is not perfect. The internet should generally be addressed using a zero-trust policy, but when using services such as Bitwarden and AnonAddy, you have no choice but to trust them. We can verify to some extent, but there are many things I don’t understand. If any of them had a security issue, that could seriously impact your privacy and online presence. So use with caution and at your own risk.

In conclusion, the whole experience was not as bad as I expected, but far from what it should be. I was impressed by Stack Overflow: sending a GDPR deletion request is as easy as pressing one button and verifying your email.

I definitely recommend this to anyone: get your passwords and accounts under control as soon as possible. Since what I showed here is completely free, there is no reason not to do it (well, in this case — not always true of course). Please feel free to point out anything that might not be factually correct. In general, I think it is smart to use unique email addresses, strong passwords, 2FA where possible and manage your accounts with a password manager.

As a final note, I was really glad when I came across Tunnelblick, who do a good job of allowing users to follow a zero-trust policy. They sign their releases and allow for easy verification. Also, I’m aware of the contradiction in my post: I complain about tracking and advertising, but then recommend free tools to circumvent these. Don’t get me wrong: in general I am happy to pay for products. Right now I am a Swiss high-school student on exchange in Ireland and don’t have any money. If you’ve read this far, I’m sure you’ve been waiting for my plug. Here it is: in Irish lockdown, besides reading and cooking, I’ve spent some time honing my design skills which I’ve been developing for the past couple of years. Since I’m into computer game graphics and aim to pursue a degree in engineering with a focus on my passion, I set up a Fiverr page to market my design services (I promise this post is not SEO-optimized). If you need custom pixel-art characters for your business, as a gift or to use as an avatar — I’m your man. If you mention this post, I am happy to add a bonus revision to your purchase.

Thank you for reading and stay safe — offline as well as online.
