To keep an online identity separate from, and unconnected to, a legal identity, it’s important to understand which identifiers are commonly used to de-anonymize a person.
Pseudonyms are great privacy tools, but the steps required to protect them—and your anonymity—vary.
- 1 IP addresses
- 2 Cookies
- 3 Browser fingerprinting
- 4 Metadata in documents and images
- 5 Device IDs
- 6 URL shorteners
- 7 Interpersonal relationships
- 8 Plugins, add-ons, extensions, apps
- 9 Writing style
- 10 Phishing, malware, hacking
- 11 Text message verification
- 12 Making online payments
- 13 Shipping products bought online
- 14 Receiving online payments
- 15 Public records
- 16 How to protect your secret identity
- 17 Seek help securely
- IP addresses
- Browser fingerprinting
- Metadata in documents and images
- Device IDs
- URL shorteners
- Interpersonal relationships
- Plugins, add-ons, extensions, apps
- Writing style
- Phishing, malware, hacking
- Text message verification
- Making online payments
- Shipping products bought online
- Receiving online payments
- Public records
- How to protect your secret identity
- Seek help securely
ExpressVPN has compiled a list of where online pseudonyms might be exposed. The assessments in color refer to the risk that an averagely funded and tech-savvy individual could use the method to de-anonymize you.
Your home, your mobile phone, and your office are all assigned unique identifiers by your internet service provider (ISP). Your ISP may, from time to time, allocate a new one, but over a short period, two requests from separate accounts over the same IP address is a good indicator that the accounts are related.
- Every online service you interact with will see your IP address
Protect yourself with a VPN, and switch server locations when changing your accounts. Alternatively (or even additionally), use the Tor Browser and initiate a new circuit for each account.
A cookie is a file stored on your computer by the websites you visit. Cookies identify you to sites, making it possible to visit them without having to log in every time you start your computer.
Clear all cookies before switching accounts, or open an incognito window. Even better, use different browsers for each identity. If you’re using the Tor Browser, you can simply close and reopen the browser to clear the cache when switching accounts.
Some advertisement and tracking networks do not limit themselves to just cookies to identify users. A technique called browser fingerprinting will allow a person to be identified across separate sites, even if cookies are deleted.
Don’t customize any browser used for multiple identities, such as with add-ons or by changing screen size. Consider using separate browsers for different accounts, or the more privacy conscious Tor Browser.
Metadata in documents and images
Microsoft Word, cameras, and most other software leave significant amounts of information, called metadata, in your files. Metadata can easily identify you and could include information such as the version of your operating system, your GPS coordinates, or even your name.
Use the Metadata removal tools described here to scrub metadata from your documents and files before you upload or share them.
Pro tip: The preceding solutions can also be easily applied by setting up different user accounts on your computer, or even by using separate machines–one for each account.
Most devices, but especially mobile ones, are uniquely identifiable through a device ID. Multiple app developers will have access to the ID, and their intentions are often unknown.
On top of this, each network card has its own separate identifier, the MAC address. When you log into a Wi-Fi network, your MAC address will be communicated to the router and could be used to link multiple accounts.
Some operating systems, like iOS and TAILS, randomize the MAC address. Do not download apps from unknown sources, as they could be used to harvest your device ID.
A URL shortener turns a long and bulky web address into a short address using a simple redirect. Third parties usually run URL shorteners, and it’s relatively easy for anyone to set up such a service.
While not every shortening service or link is malicious, people do use shortened URLs to direct you to sketchy sites, carry out phishing attacks, place cookies on your computer, and obtain personal information (such as the version of your browser, operating system, and your IP address).
- URL shorteners often breach targets without suspicion, as they redirect to a legitimate site after the attack is carried out
Don’t click on shortened links without good reason. Use services like unshorten.it to see where a shortened URL leads to.
If a link is unshortened, the creator of the original link will only see information obtained from the unshortening service, rather than your information. They will, however, see when you unshortened the link.
Who you know is an indicator of who you are.
When multiple chat service accounts are created and given access to a contact list, the service is easily able to link the accounts together–even if the device ID and IP address are distinct.
Some platforms, like Twitter and Facebook, will make your account information available to others. If you follow very similar feeds with two Twitter accounts, someone might be able to link them together.
Be conscious of what access you allow for apps. Never mix the contacts of separate identities together, and avoid making them available to third party services.
Plugins, add-ons, extensions, apps
Be careful with plugins for browsers or email clients, as well as any apps built on sensitive platforms. While some extensions, such as the Privacy Badger, uBlock Origin, or https everywhere can help protect you, some could be used against you.
Plugins sit directly on top of email clients and browsers and can read your emails, see what you are browsing, and even change web content.
Never install applications from unknown sources, and only use well-known applications from the original maintainer. Also, leave the beta testing to someone else!
Your writing style can be used to identify you. The frequency with which you use certain words, emoticons, or spelling errors may signal to your readers who you are.
While there is no definite way to prove that two texts come from the same person just from the style, it may give enough necessary hints to lead a stalker into conducting a more thorough investigation.
Write in clear, consistent language and use a spell checker, avoid slang.
Phishing, malware, hacking
A public figure, or those with personal enemies, will likely face an increased threat from phishing and malware.
Malware tools can be bought on the internet by anybody and customized for various uses. Malware tools are easily deployed, and the more targeted they are, the more efficient they become.
Put a sticker on your camera and stick a dead cable into your microphone jack, like Mark Zuckerberg does. Always keep your software up to date and be careful where you enter passwords, and what links you click.
3 things about this photo of Zuck:
Camera covered with tape
Mic jack covered with tape
Email client is Thunderbird pic.twitter.com/vdQlF7RjQt
— Chris Olson (@topherolson) June 21, 2016
Text message verification
It has become incredibly common for services to demand phone numbers from their customers. Phone numbers can be useful for features like two-factor authentication, but will also make it easier to link identities together, particularly since many services allow search-by-phone number, or may be planning to introduce such a feature soon.
Use an anonymous, prepaid, SIM card for all your pseudonyms. Make sure it has enough balance to prevent expiration.
Making online payments
Many services, like hosting platforms, freelance portals, or shops require payment. Every time you use your credit or debit card, the merchant can see both your legal name and your card number.
Obtain a prepaid debit card that you can top up with cash. Each of your identities will need a separate card, as using the same one for multiple accounts will make you identifiable. Alternatively, pay for things online with cryptocurrency.
Shipping products bought online
If you want to keep your location, a secret online shopping becomes difficult, especially if you cannot trust the online merchant due to a poor information security record.
Use reshippers to disguise information from retailers, or have products shipped to a false name. Keep an authorization slip handy to receive packages on behalf of this fake name, just in case someone asks.
Receiving online payments
You might depend on receiving payments and donations through your pseudonymous accounts.
Maintaining pseudonymous financial accounts can be difficult, and while some providers will allow you to open accounts without much identification, they might at any point in the future freeze your funds.
Unfortunately, cryptocurrencies like Bitcoin are your only option to receive donations and payments pseudonymously.
Risk: LOW to HIGH
Access to records varies greatly. Depending on which state and country you’re in, voter, home, or vehicle registration or might be publicly available.
When you file a police report, it might become a public document, and will include your name and address. Do not risk giving up your “cover”–even to law enforcement–and make use of PO boxes or reshippers whenever you can.
Incorporating a company is cheap and some countries and will protect the identity of its shareholders and directors (you). You can incorporate a company to legally hide the ownership of your house or car from virtually everyone but your local tax authority.
How to protect your secret identity
- Separate your accounts: Setting up a second user account on your computer will prevent accidental mixing of files, cookies, or other activity.
- Don’t maintain multiple identities at the same time. For even stronger protection, set up each identity on a separate TAILS stick, and administer them from there.
- Keep your systems up to date and only install well-trusted and popular programs from official sources.
- Only open suspicious links in the Tor Browser. Use Tor for your regular browsing as much as possible. Additionally, always stay connected to your VPN.
- Be conscious of what identifying information you submit. Think how the data could be used against you.
Seek help securely
- Be aware that organizations that specialize in helping victims of harassment are not necessarily experts in information security.
- Maintain a pseudonym when contacting help. To help you efficiently, nobody needs to know who your true identity.
- Be aware that some communication channels are more private than others. Make use of prepaid SIM cards and online VoIP providers when placing calls.