Check social media
Perhaps one of the biggest ways we leak information is through that which we voluntarily post on social media. Take a look below at this short video from the BBC and CIFAS, the UK's leading fraud prevention agency, to see just how easily we sometimes give information away.
BBC/CIFAS video showing how easily we sometimes give personal information away (source: YouTube)
Reviewing everything you've ever posted can take a while (especially if you're an active user) but can be worth it - hands up everyone who's ever made a drunken post or commented on something whilst angry..!?
For Facebook, perhaps the quickest and easiest way to do this is to download a copy of your entire Facebook profile - everything that Facebook currently store about you! This comes in an easy to read format; see our guide for accessing this. You can also download all your Google data and view your data from the Oath group of companies (which includes Yahoo!).
If there's anything controversial, or which reveals too much personal information, then either delete it or restrict who can see it. Remember that others in the future may not always have the same ideas as us as to what is acceptable - many people have been caught out by old posts they'd forgotten about.
Try reviewing your history for this type of content:
- Personal details: Is your address or phone number visible? Can your date of birth be worked out from all the publicly visible "Happy birthday" messages on your timeline?
- Possible answers to password reset questions: Do you really need to let the world know which High School you went to (eg on LinkedIn)? Many websites use this information as a password reset question.
- Embarassing photos: Have you got any embarassing photos that could come back to haunt you, for example with future employers? If you do but want to keep them, then at least make sure the visibility is restricted to only you and close friends.
- Controversial content: Have you made any angry or drunken posts, or any political comments, that you could be used to embarass you? Could anything be misinterpreted or taken out of context?
- Review your friends list: Go over your friends list and check you still know everyone, and that no strangers have crept in somehow!
It's also worth regularly reviewing your privacy settings (websites do tend to change these periodically) to limit what others can see about you. Take a look at our Facebook privacy page for guidance on this, with the following settings especially being a good idea to check:
- Ensure you have to approve any posts made by others (for example if you're tagged in a photo) before they appear on your timeline;
- Restrict the visibility of future posts to Friends Only. You can change individual posts' visibility later, but a default of Friends Only is the safest;
- Restrict who can look you up with your email address or phone number. If you meet someone who wants to connect in the future then temporarily remove this until they find you, then set it back again.
Old website accounts
How many of us just simply stop using websites without properly unsubscribing? Hands up who had an account with MySpace, Bebo, Friends Reunited, or one of the many dating websites out there? Do you have email accounts you no longer use, or online shops that you've not bought from in years?
Whilst some of those websites don't even exist today, others that we've used still do. What information do they hold? For websites you no longer use it's worth deleting your personal data; for websites you still use then check they're not holding more than they need.
This isn't just a privacy issue but a security one too - many older websites weren't built with security in mind like they are (or should be!) today, and if they've not kept their technology up to date they may be at greater risk of being hacked.
Start by listing all the sites you've ever registered with. Remembering them all can be tricky, so if you're struggling then try the following:
- Search your emails for the word "Unsubscribe": Sites you've registered with will normally have an "Unsubscribe" link within their email newsletters.
- Check linked apps in Facebook: Go to "Settings" and then "Apps and Websites" to view all the websites you've logged in with using your Facebook account.
- Search your emails for the words "Your order": For anything you've ever bought online you should have received an order acknowledgement email.
- Review your credit or bank card statements: This might take some effort but is another useful way of remembering who you've spent money with.
Next prioritise the sites to check, especially those sites with a lot of personal information (eg social media sites, email providers, dating websites, sites with health data, taxi websites with trip history, etc) as well as those who you've given your credit card or bank account details to.
Now work your way through each site, erasing your digital footprint as you go:
For websites you no longer use:
- Login to the site - Go through the password reset process if you need to.
- First delete any data you can - Deleting your account won't always mean your data is deleted, so first scrub any personal information yourself. Go through your profile & erase all you can (eg address, phone number, activity history); if you can't delete something then change it to a junk value.
- Then delete your account - Look through the website's help pages to find out how to delete your account. If it doesn't let you delete it then either contact the website, or if your login or username is your email address, then change this to something random and change your password to a load of random characters too.
For websites you still use, or may use again:
- Login to the site - Go through the password reset process if you need to.
- Check the information in your profile - Is everything accurate still? Do they have the bare minimum they need? Update any errors and erase anything that's excessive and not needed.
- Check your password - Make sure your password is strong and change it if it's not. Whilst here you should also take time to review other security settings too, such as enabling Two Step Verification (2SV) if they offer it.
What about information that others have posted?
Now that we've cleaned up social media and old websites, the next step is to look at what else is out there. This involves a lot of web searching on ourselves - if you want to make sure these searches are kept private and not tracked then the Duck Duck Go search engine might be worth a try.
Begin by searching on your details - use the following as ideas to search for:
- Your name: Full name, short name, maiden name, nicknames;
- Online identifiers: Usernames, email addresses, phone numbers;
- Addresses: Your town, your full address, past addresses;
- Employment: Schools, colleges, employers, speeches given, awards won, conferences attended, or certifications gained;
- Social: Hobbies & interests, clubs or teams you've been a member of;
- Other: Were there any online chat forums or discussion pages that you used to use?
Put search terms in quotes & combine two or more together to focus your searching:
After general web searching you can then try dedicated people finder tools. These are more common in the USA than Europe due to less restrictive data protection laws, with paid-for sites such as ZoomInfo.com aggregating lots of information into one place. Other countries also have their own (often more limited) directories as well, with 192.com in the UK showing certain public information (especially if you've not opted out of the full electoral roll).
So, now you've found content that you want to remove, what can you do about it?
This largely depends on what the content is and who is hosting it - if something is grossly offensive or illegal you should be able to get it removed easily; if it's just something you'd rather wasn't there then it might be more tricky. In general though you can try the following:
- Erase it yourself:
- Contact the webmaster:
If the content is on a website that you can edit or update then do this yourself; if it's on an old website you previously had an account with then follow the guidance above.
Most websites will have an "About" or "Contact" link where you can find how to contact the web owner. Failing this, try looking up the contact details for the site's web address - find the "Whois" records on a site such as this and check if any contact email addresses are shown there.
Links to contacting some of the major websites are here:
Just removing the content won't neccessarily mean it's gone; search engines such as Google and Bing often store copies (known as a "cached copy") of different pages. If, once the original content has been deleted, you can still see it in search results then submit a request to search engine companies for it to be removed - apply here to Google or Bing.
At the time of writing this page Yahoo! don't have a specific cache removal request link, and instead claim that old content is automatically removed after 6-8 weeks.
Even if you're unable to get the content removed from a webpage, if you live in Europe you can use European privacy laws to request that search engines don't show the page up in their search results. Visit Google, Bing, and Yahoo! to make these requests.
EU Subject Access Requests
In addition to all this online searching, it's worth knowing that EU citizens can also make "Subject Access Requests" to any company that targets EU citizens (regardless of where in the world they're based) to ask what information they hold on you - these rights don't specifically relate to information online but to any data they hold.
To ask a company what data they hold on you then contact them and ask what their Subject Access Request procedure is. They may even have details about this online; search their website for any mention of this, or the acronym "SAR". You can't be charged for this request (unless it's "manifestly unfounded" or excessive) & companies must respond within a month.
This is all thanks to strong EU-wide data protection laws (known as the "General Data Protection Regulations", or "GDPR" for short) that came into force in May 2018. Companies who are in scope of GDPR must also not retain data for longer than necessary, so you have a right to request they delete anything they're keeping without good reason.