Recent events have raised conversation about the necessity for operational security in relation to social media. Discussions about how to maintain an online presence while protecting one’s private life and personal identity are cropping up in communities who had previously never felt the need to exercise operational security, and who had never considered the possibility of falling prey to compromised security and data breaches.
In the age of social media, there are a myriad ways our online presence may be used against us by a multitude of adversaries. From stalkers to prosecutors, any public information that can be attached to our identities may be used to their advantage and our detriment. It is important that we are mindful of the resources we make available to potential attackers.
In the interest of making practical operational security accessible to more people, I have composed a list of basic strategies for helping to mask the link between a social media account and one’s true identity. This list is by no means exhaustive, and it is important to keep in mind that an adversary with enough resources will likely be able to circumvent this obfuscation, given enough time. That said, it is nearly always worthwhile to make these connections more difficult, especially when they come at very little cost to us in terms of implementation.
1. Use a unique email address.
When attempting to mask connections between social media profiles, including dating sites, it is important to use a dedicated email address that does not relate back to other profiles, our legal name, or, ideally, any of our public associations. Usingfirstname.email@example.com is a bad idea; using firstname.lastname@example.org is a great idea. Creating new email addresses is easy, so there is no need to reuse one for accounts you’d like to keep separate.
Pro-tip: you can use a service like 10minutemail.net to generate a temporary email for creating a new Gmail account.
2. Choose a unique handle.
Do not re-use handles across platforms you’d like to keep separate. Do not use firstnamelastname69 for accounts you do not want to have connected to your legal identity. Pick something else. Anything else. It doesn’t matter.
3. Don’t use the same photos.
Do not use the same photos on profiles you’d like to keep separate. Reverse image search is a thing, and it will fuck your shit up. Ideally, you would not use images of your face at all on a profile you did not want tied to you, but if you must, make sure they can’t be linked back to your Twitter or Facebook accounts simply by using a quick drag-and-drop search.
4. Your tabs are YOUR business.
Give no indication that you’re using a site you don’t want people to know you’re using: if you’re trying to keep your private account private, make sure you’re not hinting at its existence by means of open tabs. Ensure you’re not being shouldersurfed while interacting with that account, and never post screencaps that show tabs. EVER.
5. Scrub your browsing history.
Religiously. As with the above point, if you don’t want people to know you’re using a site or service, it’s best not to leave evidence around and available to the casual observer. Deleting your browsing history is easy. Using Chrome in incognito mode and closing your tabs after every session is even easier.
6. When possible, pay in cash.
When making purchases connected to your private persona, pay in cash. When cash isn’t possible, consider paying with a pre-paid card. Purchased with cash. You do not need bank statements or credit card statements establishing a link between you and places you never were, or sites you do not use.
7. Don’t use your legal name.
Pick a name. Any name. There is no need whatsoever for you to use your legal name on social media. You certainly CAN if you feel comfortable with it, but it is absolutely not mandatory. DO pick a name you will actually respond to, though.
8. If you want to keep a secret, KEEP QUIET.
Don’t talk about it. Don’t brag, don’t discuss it anonymously. Don’t tell your best friend, don’t tell your workmates, don’t tell that stranger at the bar. Just SHHHH. Stop talking.
9. Use strong passphrases.
「Password,」 「Passw0rd,」 「password123,」 etc. are not good enough. Use strong unique passwords for each site or service. Better yet, use a password manager with a strong master password.
10. Don’t share identifying information.
If you’re trying to keep a profile secret, don’t share personally-identifying details on it. Keep your workplace, alma mater, tattoos, and the freckle on your left butt cheek private; there is no benefit to sharing these details on an account you don’t want to have linked back to you.
11. 「Plausible deniability」 is a terrible failsafe.
If your operational security is poor enough that you have to rely on plausible deniability, you are almost definitely not capable of pulling off plausible deniability. It’s far better to share false information from the start than it is to put honest information out there, and then try to lie to cover up its connection to you. If you are relying on plausible deniability to keep you safe, you are fucked.
12. Being recognized will fuck your shit up.
Don’t conduct clandestine meetings in places you frequent in your normal life. It only takes one staff member, regular patron, etc. to recognize you, call you by the wrong name, and totally blow your cover. It only takes an innocuous comment to someone in your normal life to make your secrets known. Pick somewhere you are unlikely to be recognized, dress differently than you normally do, and don’t go to that place in your day-to-day life if you can avoid it.
13. Alibis can be helpful, but they’re hard.
Use your credit card to buy a movie ticket or pay for food somewhere you frequent often. The problem with many alibis is that they involve having someone else lie on your behalf, which in turn requires violation of rule number 8. If you are going to construct an alibi, make sure you’re fabricating evidence, rather than relying on false testimony.
14. Strict compartmentalization.
The first rule of Fight Club is, do not talk about Fight Club. The second rule of Fight Club is DO NOT TALK ABOUT FIGHT CLUB. This rule actually goes both ways; just as you should not be discussing your secret life within your mundane existence, there is also no reason to discuss your day-to-day life within your secret life. Just don’t. Keep it completely separate; no overlap, no allusion, nothing.
15. Maintain composure.
If you want to get away with keeping a secret, you must keep your cool. Be mindful of being fidgety. Don’t giggle every time someone says the word 「secret.」 Be aware of your facial expressions and your reactions to the people around you. Be aware of what names you’re responding to, when. Stay calm.
16. Don’t get cocky.
Persona maintenance requires constant vigilance. Personal security is never assured, and one should never forget this. Cockiness breeds sloppiness, sloppiness leads to discovery.
17. Perfection takes practice.
None of these skills are innate. All of them require extensive practice. You may find that you need to start over and start clean over and over again. There is no shame in failure, but it is important to remember that the internet never forgets; it is best to always err on the side of caution and add additional information as you go, after having properly assessed the risk.
Again, while this is by no means an exhaustive list of all possible precautions one might take, and while these precautions may not be as helpful against adversaries with a lot of time and resources, they are absolutely an easy way to minimize risk from stalkers, dangerous family members, nosy employers, and potentially even low-level state adversaries. Social media can very well be a point of vulnerability for many of us, but through careful persona management, it is possible to negate some of that insecurity while maintaining a robust online presence.
Reposted from: http://blog.totallynotmalware.net/?p=15