For some, online anonymity is just fun. We can redefine who we are, pretend to be a dolphin, or vent into the void without having to worry what our conservative parents or restrictive boss would think.
For others, being anonymous online is the only way to show their true self to the world. Their family or society might not be accepting of who they are or what they think. Adopting a virtual persona might be the only way to exercise free speech and interact with like-minded people online.
[Keep up with the latest news in online freedoms. Sign up for the ExpressVPN blog newsletter.]
To keep an online persona separate from, and unconnected to, a legal identity, it’s important to understand which identifiers are commonly used to de-anonymize a person.
To keep your online identity separate, look at how you might be at risk of being anonymized online. Each risk is ranked low, medium, or high, and presented alongside a solution to mitigate it.
Your home, mobile phone, and office are all assigned unique identifiers by your internet service provider (ISP). Your ISP may, from time to time, allocate a new one, but over a short period, two requests from separate accounts over the same IP address is a good indicator that they are related. Depending on your country and ISP, it may be possible to find out what ZIP code belongs to each IP address, or purchase other personal information directly from your ISP or an advertising company.
Use the Tor Browser. Each tab is automatically assigned a new circuit, meaning it has its own IP address. It’s always a good idea to use a VPN additionally. If you don’t have access to Tor or the sites you are using don’t work in Tor, you should switch your VPN server location when changing your accounts.
Metadata in documents and images
In your files, Microsoft Word, cameras, and most other software leave significant amounts of information, called metadata. Metadata can easily identify you and could include information such as the version of your operating system, your GPS coordinates, or even your name.
Use the Metadata removal tools described here to scrub metadata from your documents and files before uploading or sharing them.
A URL shortener turns a long and bulky web address into a short address using a simple redirect. Third parties usually run URL shorteners, and it’s relatively easy for anyone to set up such a service.
While not every shortening service or link is malicious, people use shortened URLs to direct you to sketchy sites, carry out phishing attacks, place cookies on your computer, and obtain personal information (such as the version of your browser, operating system, and your IP address).
Don’t click on shortened links without good reason. Use services like unshorten.it to see where a shortened URL leads to.
If a link is unshortened, the creator of the original link will only see information obtained from the unshortening service, rather than your data. They will, however, know when you unshortened the link.
Plugins, add-ons, extensions, apps
Be careful with plugins for browsers or email clients and any apps built on sensitive platforms. While some extensions, such as the Privacy Badger, uBlock Origin, or HTTPS Everywhere, can help protect you, others could be used against you.
Plugins sit directly on top of email clients and browsers and can read your emails, see what you are browsing, and even change web content.
Never install applications from unknown sources, and only use well-known applications from the original maintainer. Also, leave the beta testing to someone else when your privacy and security are at stake!
Phishing, malware, hacking
Malware tools are traded on the internet and can be customized for various uses and targets. Malware tools are easily deployed, and the more targeted they are, the more efficient they become.
Put a sticker on your camera and stick a dead cable into your microphone jack, as Mark Zuckerberg does. Keep your software up to date, be careful where you enter passwords, and what you click. Make sure to enable two-factor authentication on your accounts (ideally through an app or hardware token).
3 things about this photo of Zuck:
Camera covered with tape
Mic jack covered with tape
Email client is Thunderbird pic.twitter.com/vdQlF7RjQt
— Chris Olson (@topherolson) June 21, 2016
Text message verification
It has become disappointingly common for services to demand phone numbers from their customers. Phone numbers can be useful for features like two-factor authentication. They also make it easier to link identities together, particularly since many services allow search-by-phone number, or maybe introduce such a feature anytime.
Use an anonymous, prepaid, SIM card for all your pseudonyms. Make sure it has enough balance to prevent expiration.
Risk: LOW to HIGH
Access to records varies greatly. Depending on which state and country you’re in, voter, home, or vehicle registration or might be publicly available.
When you file a police report, it might become a public document and include your name and address.
Incorporating a company is cheap and some countries and will protect the identity of its shareholders and directors (you). You can incorporate a company to legally hide the ownership of your house or car from virtually everyone but your local tax authority.
A cookie is a file stored on your computer by the websites you visit. Cookies identify you to sites, making it possible to visit them without having to log in every time you start your computer. Some cookies are set by third-party advertisers, making it possible to track you across various sites, and ensuring that your alternative personality will quickly be associated with you.
If you’re using the Tor Browser, you can simply close and reopen the browser to clear the cache when switching accounts. At the very least, you can set your browser to ‘forget’ all cookies whenever it is restarted or open an incognito window for your alternative identity. Even better, use different browsers for each persona, or configure your browser to work with different ‘profiles.’
Who you know is an indicator of who you are. When multiple chat service accounts are created and given access to a contact list, the service can easily link the accounts together–even if the device ID and IP address are distinct.
Some platforms, like Twitter and Facebook, will make your account information available to others. If you follow very similar feeds with two Twitter accounts, someone might be able to link them together.
Be conscious of what access you allow for apps. Never mix the contacts of separate identities, and avoid making them available to third party services.
Your writing style can be used to identify you. The frequency with which you use certain words, emoticons, or spelling errors may signal to your readers who you are.
While there is no definite way to prove that two texts come from the same person just from the style, it may give enough necessary hints to lead a stalker into conducting a more thorough investigation.
Write in clear, consistent language, and use a spell checker, avoid slang.
Making online payments
Many services, like hosting platforms, freelance portals, or shops, require payment. Every time you use your credit or debit card, the merchant can see your legal name and your card number.
Obtain a prepaid debit card that you can top up with cash. Each of your identities will need a separate card, as using the same one for multiple accounts will make you identifiable. Alternatively, pay for things online with Bitcoin.
Receiving online payments
You might depend on receiving payments and donations through your pseudonymous accounts.
Maintaining pseudonymous financial accounts can be difficult. While some providers will allow you to open accounts without much identification, they might, at any point in the future, freeze your funds.
Unfortunately, cryptocurrencies like Bitcoin are your only option to receive donations and payments pseudonymously.
Some advertisements and tracking networks do not limit themselves to just cookies to identify users. A technique called browser fingerprinting will allow a person to be identified across separate sites, even if cookies are deleted.
Don’t customize any browser used for multiple identities, such as with add-ons or by changing screen size. Consider using separate browsers for different accounts, or the more privacy-conscious Tor Browser.
Most devices, but especially mobile ones, are uniquely identifiable through a device ID. Multiple app developers will have access to the ID, and their intentions beyond advertising are often unknown.
On top of this, each network card has a separate identifier, the MAC address. When you log into a Wi-Fi network, your MAC address will be communicated to the router and could be used to link multiple accounts.
Shipping products bought online
If you want to keep your location, a secret online shopping becomes difficult, especially if you cannot trust the online merchant due to a poor information security record.
Use reshippers to disguise information from retailers, or have products shipped to a false name. Keep an authorization slip handy to receive packages on behalf of this fake name, just in case someone asks.
How to protect your secret identities
A comprehensive solution exists but needs to be tailor-made to your needs. Properly maintaining separate identities can also be expensive, such as if you dedicate a spare laptop to your online persona.
The options below present “better than” scenarios. Ideally, follow the advice in point 1. If that’s not possible, follow the advice in point 2, 3, and so on. Depending on how important it is for you to keep your identities separate, you may also opt for one of the following options for convenience.
- Set up a dedicated device for your alter ego and make sure it is configured from the ground up for this persona. Install an operating system, create a log-in, install a browser, set up email, social media, and a password manager. This is the strongest solution to segregating your identities. Use separate VPN locations for each device.
- Use an operating system like TAILS for your separate identity. You can install it on a USB stick and run it on your regular computer. It makes it hard to switch between your primary and secondary accounts, as you will have to restart your computer every time, but it will also ensure that no data is saved where it shouldn’t be, and metadata will be far easier to clean.
- Create a separate account on your computer for this identity, complete with a separate username and password. That should also guarantee that your browser profiles are distinct, cookies aren’t shared, and you will be able to use a different password manager profile. When logging in and out of each account, use separate VPN locations.
- Use a separate browser exclusively for your alternate identity. This will make sure your browser can’t be fingerprinted, and cookies aren’t shared. All your browsing, however, will still be done through the same IP address. Using a VPN ensures that this IP cannot be easily tracked back to you, but it may be enough to correlate two accounts. Switch server locations when you have to.
- Use a separate browser profile for each identity. You can configure these identities in your browser’s settings, and even give them different looks to remind yourself which one you are using.
What do do if your secret identity has been found out
Inevitably, no measures can guarantee your anonymity. However, you can take some precautions to make it easier for you to ‘reappear’ into the dark. A portion of your identity might become known, and if enough puzzle pieces emerge, your cover is blown.
- Periodically clear all cookies from your browser. This will sign you out of all your accounts, but it will also purge any dormant information that you might be unnecessarily giving away.
- If you are using a prepaid SIM card, get a new phone number from time to time. Be careful to allow for a bit of grace time in which you still keep your old number handy, just in case.
- If your home ISP has assigned you a static IP, you can request to be assigned a new one from time to time.
- Don’t stay on the same VPN location forever.
Seek help securely
- Be aware that organizations that specialize in helping victims of harassment are not necessarily experts in information security.
- Maintain a pseudonym when contacting help. To help you efficiently, nobody needs to know your real identity.
- Be aware that some communication channels are more private than others. Make use of prepaid SIM cards and online VoIP providers when placing calls.