Operational privacy hygiene

You can't defend what you haven't listed. Most first responders underestimate their online surface by half. The first habit is the inventory itself.

Open a notes app or a sheet of paper. Write down every one of these you currently have, with the email tied to it.

• Email accounts. Every address you've ever used. Personal Gmail, the Yahoo from 2008, the work email, the Hotmail you forgot.
• Phone numbers. Personal cell, work cell, landline if you still have one, any Google Voice or MySudo numbers.
• Social-media accounts. Active and dead. Facebook, Instagram, X, TikTok, LinkedIn, Snapchat, Reddit, every gaming handle, every old MySpace and LiveJournal. See scrubbing old social media for how to find what you've forgotten.
• Financial accounts. Bank, credit card, Venmo, Cash App, PayPal, Zelle. Each ties your name to a phone or email.
• Subscriptions and shopping. Amazon, the streaming services, the meal kits, the supplement subscriptions. Each one has your address.
• Loyalty and rewards. Grocery cards, gym, airlines, hotels. Each one is a small leak.
• Voter registration, professional licenses, business filings. Voter records and business registrations are public by default.
• Real estate. Property records, Zillow alerts you set up, the realtor app you used during your last move.

Run haveibeenpwned.com against every email. The breach hits will surface accounts you completely forgot. Add them to the list.

The inventory takes two hours and replaces "I don't know what's out there" with a finite list. Defense gets easier when the surface is finite.

One email and one phone for everything is the most common mistake. The fix is three buckets, not one.

• Work bucket. Department-issued email, department-issued phone or radio. Department business only. Never used for personal accounts. Never used to reset a personal password.
• Personal bucket. Your real personal email and your real personal phone. Used for family, doctor's office, school, banking. Tightly held. Never given to a website that doesn't strictly need it.
• Exposed bucket. A throwaway email and a Google Voice or MySudo number you give to anything that asks. Online shopping, loyalty cards, rental car counter, anyone who hands you a clipboard. If it leaks, you change it without disrupting your real life.

The exposed bucket is the one that does the heavy lifting. Every form you've ever filled out at a counter is feedstock for a broker. Filling them out with a number that isn't yours breaks the chain.

Habits to lock in:

• Default to the exposed bucket whenever someone asks for an email or phone number in person or online. The waiter doesn't need your real number for the waitlist. The pharmacy doesn't need it for the rewards program.
• Use a password manager and a different password on every site. Bitwarden and 1Password both work. The free tier is fine.
• Turn on 2FA everywhere it's offered. App-based (Authy, the password manager's built-in, or a hardware key) — not SMS, because SIM-swap is a real attack against officers.
• Check the privacy settings on social media every six months. They rot. Defaults change. New features open up old data. A check-in on the calendar twice a year catches it.

None of this is exotic. It's just the default mode after you've internalized that your work and your home need to stay disconnected.

Brokers don't invent your address. They scrape it from places that publish it. Cut the upstream sources and the broker pages get thinner.

Specific habits, in priority order:

• Use a PO box or UPS Store address for everything non-government. Bills, packages, voter registration where state law allows, professional licenses. Your home address goes to your employer, the IRS, and your driver's license. Almost nothing else needs it.
• Title your house through a trust or LLC where allowed. Property records are public, but if "Smith Family Trust" owns the house instead of "Officer John Smith," the trail breaks. Talk to a real-estate attorney; the cost is usually a few hundred dollars.
• Opt out of the major data brokers proactively, not reactively. TruePeopleSearch, Spokeo, Whitepages, and the rest republish constantly. Doing it once doesn't stick. Doing it monthly does.
• Don't use your real birthdate on social media or shopping sites. Birthdate is one of the strongest broker linkers. The shoe site doesn't need it. Lie or skip the field.
• Lock down voter registration where your state allows it. Many states have address-confidentiality programs for first responders. See if yours does and use it.
• Mute your kids' school directory. Most districts publish a directory by default. Opt out at the start of every school year. Re-check after every transfer.
• Watch what you confirm on the phone. HR calls asking to verify your address are common pretexts. The rule is verify-out-of-band: hang up and call HR back on a known number. See social-engineering defense.

Each of these is a five-minute fix. Stacked together, they collapse the broker network's input pipeline.

We handle the broker layer — the largest, most-republished, hardest-to-keep-clean piece. Doing it monthly across hundreds of sites by hand is the part that breaks people. We do that for you and re-check.

What we don't handle is the habits. We can't pick your password manager, separate your buckets, or talk to your spouse about the school directory. Those stay on you, and they're the ones that prevent the next round of broker pages from being possible in the first place.

A free scan shows you what's on the broker network right now. Pair the scan with the inventory above and you have a working picture of your online identity. Once both are clean, the defense becomes maintenance, not crisis response.

Next reads: threat-model yourself for who you're defending against, and OPSEC for first responders for the shift-work-specific habits.