Shhhhhh! This post is for RSS subscribers only. Look here for more information (and to join in on the fun).
I've been thinking a lot about identity lately. Not in the existential sense, but the literal one: my name, my face, my contact information; all of the things that don't tell you who I am, but still sort of tell you who I am.
Being anonymous on the internet isn't impossible, but it sure as hell isn't easy either. You have a name, a face, and email address, a phone number... these things, and more, are being asked of us all the time to prove our legitimacy on countless websites.
You have to put something down, even if it's a lie, but how do you come up with a new name and face for every website you use? And how the hell do you keep track of all of them?
After watching more paranoia-driven YouTube videos about privacy and the Internet than I care to admit, I've come up with a few websites and services that have helped me generate random pseudonyms—also known as aliases—for every service I sign up for.
Some of these tools help take the cognitive load off of making up random information, while others actually help you hide your identity at a deeper level. That said, it's important to remember that any service you use becomes a bottleneck in and of itself, so just because you use a different email for every website, app, and service, if you generated those emails using a single tool, then that tool still knows who you are.
These tools aren't a pancea, but at the very least they can reduce your blast radius in the event of a data breach or other compromising incident.
There's something about random identity generation that I absolutely love. It's not a particularly difficult problem, but the output is a fascinating one. I've been playing around with https://www.fakenamegenerator.com/ for years as a software developer, diligently generating new names for every demo application I use.
What makes FNG (that's right, I used a cool initialism) so interesting is that it goes far beyond just generating fake names. For the (very free) click of a button, you can generate a name, an address, a social security number, a username, a password, a credit card number, physical characteristics, and just about anything else that could be used to fill out an online form you really don't want to fill out.
While I sometimes skip FNG and use the name of a fictional character, celebrity, or the tried-and-true "John Smith," it is a great way to override my own biases and ensure that I'm not falling into the trap of adhering to a pattern I'm not aware of.
Artificial intelligence has come a long way in recent years. One particularly interesting use is https://thispersondoesnotexist.com/, a website that generates a photo of a 100% real looking person that 100% does not exist. While you can always use the default avatar (or even a non-human one, like an animal or cartoon character), there's something satisfying about selecting a picture of what looks like a real human being to go with your randomly generated aliases.
Even if you never intend to use a pseudonym for your online accounts, there is a good case to be made for using a different email address for every service. Credential stuffing is the act of taking leaked emails and passwords from one data breach and attempting to use those same combinations on other websites, which means that if you use the same email and password for multiple services, when one gets compromised, they all get compromised.
"Why not just use the Gmail
firstname.lastname@example.org address trick," you ask?
Well, for one, appending
+keyword to the end of your email address is trivial to programmatically remove, which means that it doesn't anonymize you at all. In addition, there are plenty of email validators that simply won't accept an email with a
+ sign in it, in which case you're back to square one.
To help combat this, I'm a big fan of https://anonaddy.com/, an open source service (with helpful browser extensions and mobile apps) that allows you to generate a brand new email address on the fly that automatically forwards to the destination email you choose.
What makes it particularly great is that, if a service gets compromised or that email address gets shared around to other service providers for
SPAM marketing purposes, you can simply shut the email off and wash your hands of the whole thing. Easy peasey.
Now, the previous sections focused on the basics of online identity, the things that are asked for most often. But they aren't the only things used to identify you. The next few sections outline some more advanced (and, potentially pricey) ways to present yourself as a "completely unique individual" for every service you sign up for.
A not-insignificant number of apps and websites have decided that emails and passwords are "bad," so they've moved to using pin-based logins that get texted to your phone number—nevermind the fact that SIM swapping makes using a phone number as a login method a laughable instance of security theater.
While you can always generate a single pseudonymous phone number using Google Voice, a more "on rails" solution is https://www.burnerapp.com/, a mobile app that can be used to generate (and destroy) multiple temporary phone numbers at once. I don't personally use this service, but I like the idea behind it.
Sometimes you have to pay for stuff, and despite popular belief, Bitcoin is not a privacy-based coin. After all, if someone finds your wallet address, then every purchase you've made is available for the whole world to see.
If, like me, you want to use a regular old, regulated credit card, then https://privacy.com/ is the way to go. What I like about Privacy is that you can generate a new credit card for every online merchant you purchase from (and even a new card for every single purchase). By specifying a maximum amount per charge (or month, or year, or ever), you can protect yourself from overbilling (or, you know, forgetting to cancel that free trial you signed up for).
But, if you'd like to reinforce your privacy (no pun intended), Privacy can be configured to use a generic billing description when charging your underlying bank account. This means that you can buy a subscription to 2600 magazine, and all your bank will see is something like
NSA Gift Shop.
Let's be clear: I'm not a privacy expert. I have no idea what the hell I'm doing, and I can guarantee that the vast majority of the "influencers" on YouTube and elsewhere don't either. But, some effort is better than no effort, right? If you're reading this, and have any services or ideas to share, please send them my way.
This is post 015 of #100DaysToOffload