← Back to Blogs
HN Story

The Futility of Red Herrings: Why Planting Fake Data Online Doesn't Protect Your Privacy

May 12, 2026

The Futility of Red Herrings: Why Planting Fake Data Online Doesn't Protect Your Privacy

In the quest for digital privacy, many users are tempted by the idea of "muddying the waters." The logic seems intuitive: if you plant enough fake jobs, invented cities, and fictional life details across the web, data brokers and OSINT (Open Source Intelligence) investigators will struggle to find the signal amidst the noise. This approach, sometimes associated with "extreme privacy" mindsets, suggests that a dossier filled with contradictions is less useful than a clean one.

However, for the vast majority of users, this strategy is not only ineffective but potentially counterproductive. True privacy is not achieved by adding noise, but by subtracting data.

Why Red Herrings Fail Against Modern Data Collection

Planting fake information on a hobby forum or a social media bio rarely disrupts the machinery of modern data brokerage. There are several structural reasons why "red herrings" fail:

1. Strong Sources Trump Weak Fiction

Data brokers do not rely solely on scraped web content. They aggregate high-fidelity data from government public records, voter files, property deeds, court filings, and professional licenses. A fake bio on a Substack or a forum signature cannot "un-ring" the data found in a property deed or a government-issued license. When a broker's system sees a contradiction between a forum post and a legal record, the legal record wins.

2. The Scale of Automated Correlation

Individual users are outgunned by the scale of automated data refresh cycles. While a user might plant ten lies, the ecosystem possesses years of accumulated transactional data and secondary sites that automatically sync. Furthermore, as noted by the FTC, even after successful opt-outs, information can reappear when public records change or through the data of relatives and neighbors.

3. The Baseline is Already Noisy

Commercial profiles are often inherently inaccurate. Data brokers frequently merge records incorrectly or fail to verify information. Adding more intentional noise to an already sloppy system doesn't necessarily provide a shield; in some cases, it may even help a negligent system "confirm" a wrong story simply because another source repeated it.

4. The Tier of the Adversary

For those facing serious adversaries—such as nation-states, dedicated harassers, or professional investigators—hobbyist disinformation is irrelevant. These actors do not stop at the first page of Google; they utilize financial footprints, interpersonal graph data, and legal processes to establish identity.

The Hidden Costs of Digital Deception

Beyond the failure to protect privacy, maintaining a web of lies creates "identity debt" that can manifest in frustrating ways:

  • Account Recovery Failures: Security questions and identity verification flows are designed for consistency. Randomly scattered fibs can lead to lockouts if you forget which fake answer you provided to which service years ago.
  • Self-Doxxing via Inconsistency: If you reuse patterns, photos, or usernames across "compartments," the fake story and the real one collapse into a single graph. True compartmentalization requires separate emails and distinct browser profiles, not just different stories.
  • Collateral Damage: Invented addresses or phone numbers can accidentally belong to real people or small businesses, effectively trading someone else's peace for your own perceived comfort.

Effective Alternatives for Privacy

Rather than performing a "digital masquerade," privacy experts suggest focusing on subtraction and segmentation:

Data Minimization and Hygiene

  • Less Submission: Every signup is a data event. The most effective way to reduce your footprint is to stop providing data in the first place.
  • Opt-Out Hygiene: Regularly use DIY or paid services to remove your information from people-search sites. While this doesn't erase government records, it removes the low-hanging fruit for casual searchers.
  • Pseudonyms: Use a chosen public name that is not wired to your legal identity for non-essential interactions. This is fundamentally different from maintaining a contradictory trail of facts under your real name.

Structural Compartmentalization

  • Strict Segmentation: Use distinct emails, payment methods, and devices for different spheres of your life (e.g., professional, social, and sensitive).
  • Managed Lies: If you must use fake answers for security questions, store them as random strings in a password manager rather than inventing a narrative you might forget.

When Deception Actually Works

There are specific scenarios where targeted deception is a valid technical tactic, provided it is used for detection rather than identity masking:

Canarytokens and Honeytokens: These are "tripwires." By planting a specific, unique piece of data (like a fake document or API key) that no legitimate user should ever touch, you receive an immediate alert when an adversary interacts with it. This is a signal of breach, not a mask for identity.

Limited Operational Cover: Using a PO Box or a throwaway email for a specific project is a bounded, documented, and consistent tactic. It provides a layer of separation without creating a chaotic trail of contradictory personal facts.

Conclusion

Red herrings are a compelling narrative device in spy novels, but they are a liability in real-world digital hygiene. For the majority of users, the sharpest move is the dull one: fewer accounts, harder linking, and a rigorous commitment to data minimization.

References

HN Stories