How I stay reasonably anonymous online
I'm not wanted by the FBI, nor am I worried about my ISP watching me, and I don't care about Google knowing what I search for. What I am worried about is crazy people on the internet I might accidentally piss off, so I don't want to be easy to stalk. I'm also lazy, so I try to balance the effort and stalker risk to get the best bang for the buck. Described in this post are some things I do to be a bit harder to stalk.
Often when registering accounts, the first and last names are optional; in those cases, just skip them.
Where names are mandatory, I generate them with, for example, this random name generator. I usually use the settings: first name only, avoid rare, only relevant countries, and randomize surname (but I try to switch it up sometimes).
I want the name to sound legit (so maybe not John Doe) but still be common and give many hits on Google; this makes it more annoying to try to look me up. John Doe works if I don't care if they know it's not my real name, but I try to be inconsistent and don't use the same name for many accounts.
I don't want people to just Google my username and find my users on all other services. So what I do is randomize 1 to 3 words, maybe append a random year at the end of it, use leet speak sometimes, and sometimes use some username generator.
# Get a random word
shuf -n 1 /usr/share/dict/words
Switch it up and don't be consistent.
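The whole recipe above (one to three random words, sometimes leet speak, sometimes a year) as a small script. This is an added example, not the author's own script; the `WORDLIST` variable, the fallback word list, the leet mapping and the year range are assumptions made here.

```shell
#!/bin/sh
# Added example, not the author's script. WORDLIST, the fallback list,
# the leet mapping and the year range are assumptions of this sketch.

# Constructed fallback words, used when no system dictionary is readable.
FALLBACK_WORDS="amber basil cedar delta ember fjord grove harbor
indigo juniper kestrel lantern meadow nimbus orchid pebble"

# Print one random lowercase word of 3-8 letters (no names, no apostrophes).
pick_word() {
    dict=${WORDLIST:-/usr/share/dict/words}
    if [ -r "$dict" ]; then cat "$dict"; else printf '%s\n' $FALLBACK_WORDS; fi |
        grep -E '^[a-z]{3,8}$' | shuf -n 1
}

# Print a username: 1-3 words, leet speak about half the time,
# a year suffix about half the time.
make_username() {
    count=$(shuf -i 1-3 -n 1)
    name=""
    i=0
    while [ "$i" -lt "$count" ]; do
        name="$name$(pick_word)"
        i=$((i + 1))
    done
    if [ "$(shuf -i 0-1 -n 1)" -eq 1 ]; then
        name=$(printf '%s' "$name" | tr 'aeio' '4310')
    fi
    if [ "$(shuf -i 0-1 -n 1)" -eq 1 ]; then
        # Random year from a fixed range, so it carries no real birth year.
        name="$name$(shuf -i 1970-2009 -n 1)"
    fi
    printf '%s\n' "$name"
}

make_username
```

Because every part is drawn at random on each run, nothing in the result (word choice, year, spelling style) carries over from one account to the next.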
Don't use the same email on multiple sites. Even if it's often not shown publicly, sites get hacked, and if you use firstname.lastname@example.org for your PornHub account it won't feel great.
If you're using the same email on multiple sites, one can connect your different usernames. Finding database dumps of hacked sites with emails and usernames isn't hard, and many people collect them for exactly this reason.
It's tedious to manually create new email accounts for every service, but luckily there are services that can help us with it:
- Firefox Relay (5 free, ~12 USD/year for unlimited)
- Fastmail masked emails (unlimited for 30 USD/year)
- iCloud+ Hide My Email (unlimited for 0.99 USD/month)
With these services, I get something like "aliases" unique to a service. So I still have only one inbox (I only use Fastmail), but I get multiple email addresses connected to it. That means I can have a unique email registered at each website/app I register at but need to monitor only one email inbox.
For throwaway accounts I use temporary email services:
- ... and many others, just search for "temporary email" and you'll get many hits.
The downside with temporary emails is that they're blocked on many services, and there is no password to access the inbox so don't use it for anything sensitive (anyone could do a password reset if you use it for an account somewhere, for example.)
Don't use the same password on multiple sites. Not only is it terrible from a security point of view, but it's also bad from a privacy perspective.
As I mentioned in the section about emails, sites get hacked. If you use the same password (but different usernames and emails) on different sites people can figure out the accounts belong to the same person if it's leaked. And yes, this technique is used in the wild.
Use a password manager. 1Password is an excellent choice and it's what I use. 1Password integrates with Fastmail's Masked Emails so I can generate both email and password on the fly when signing up on a website.
There is a technique called "reverse image search" which means you search for an image and Google (or Bing, or Yandex, or whatever you use) shows you all other places the same (or similar) image is used. By doing a reverse image search on a profile picture, people can see other places where you use the same image.
If possible, I don't use any profile picture or avatar, or use the default one. If I for some reason need or want a profile picture, I tend to generate one with:
- ThisPersonDoesNotExist, ThisCatDoesNotExist, or similar services
- Dall-E (generates images based on a prompt I give it)
Sometimes I find images by searching for something "random" on Google or similar, but I try to be mindful of copyright and never use a picture of a real person.
Sometimes I use multiple accounts for the same service if possible (e.g. multiple Reddit/Discord accounts for different purposes.) I do this to make it harder for people to profile me.
To avoid having to log in and out when switching accounts, I use Firefox containers, that way I can be logged in to different accounts in different tabs. In some cases I use Chrome profiles but that's a lot more work when using more than a few accounts.
I usually delete comments, threads, or other content I put up on the internet after it has served its purpose. That means for example deleting my Reddit comments after a month or two, keeping my email inbox near empty (in case it gets hacked), deleting old accounts, and similar things.
To some extent, I feel a bit bad about this. Comments I make might be useful for people in the future, but hopefully I can share some useful knowledge on this blog to compensate.
Things I usually don't worry about
There are more things one can do that I don't feel the need to, but I figured I might as well mention some common ones:
- Temporary credit cards
  - With privacy.com, Revolut, Klarna, and similar services one can generate virtual credit cards. This is mostly for when you don't trust the website owner or the payment provider.
- Tor, Tails, surfing from an open WiFi, VPN, encrypted emails, etc.
  - These things are usually outside my threat model. They might be useful if you worry about your ISP watching you or someone wiretapping your network. But honestly, you're probably not that interesting. Sometimes I use Tor or VPNs when traveling for example, but not on a day-to-day basis.
- If there are words you often misspell, people can Google it to find other sources where you make the same error (if it's uncommon enough) and potentially identify your other accounts. Use spell checking and maybe Grammarly or similar to minimize this risk, but I tend not to worry about this too much.
- I don't worry much about metrics in VS Code, the Chrome browser, or general website tracking (though I do use an ad blocker.) That's not the kind of privacy I feel threatened by. It's often annoying from a performance point of view though so I tend to opt out anyway.