- We now probably know the final runtime for ‘Avengers: Endgame’ Monday 11:06 PM
- Cardi B says she drugged, robbed men in her past on Instagram Live Monday 8:03 PM
- Twitter thread roasts bathtub tray ads for women Monday 7:21 PM
- Nintendo set to release two new models of the Switch—possibly in 2019 Monday 6:45 PM
- Viral cat video ‘Dear Kitten’ finds new life in TikTok challenge Monday 5:30 PM
- Here’s every show that was announced at the Apple TV+ kickoff Monday 3:53 PM
- ‘Shazam!’ embraces the spectacle and heart of the superhero genre Monday 3:45 PM
- How to mute Twitter’s suggested tweets on your timeline Monday 3:02 PM
- What you need to know about Apple’s new streaming service Monday 2:32 PM
- Text-message fanfiction is taking over Instagram Monday 1:54 PM
- Your Asus computer might have a secret backdoor Monday 1:06 PM
- Trump is already fundraising off the Mueller report—even though no one’s seen it Monday 1:01 PM
- Michael Avenatti charged with trying to extort $20 million from Nike Monday 12:51 PM
- Logan Paul says being a YouTuber is ‘wack’ Monday 12:14 PM
- James Comey posts from a forest in wake of Mueller report Monday 10:35 AM
Even the most privacy conscious leave digital breadcrumbs back to their identity. Here’s how to keep your online trail clean.
This post is brought to you by the Jaguar F-TYPE Coupe. Visit BritishVillains.com to find out why it’s #GoodToBeBad.
My machine is inextricably linked to who I am.
All of us are in the same existential mess. Your identity is now part of your smartphone and laptop. Like a bunch of bumbling criminals, we’ve left countless unique markers and digital fingerprints all over our computers. Websites we’ve visited, usernames we’ve entered, search terms we’ve queried, and files we mistakenly thought were long-deleted all leave clues for nosy advertisers, snooping government spooks, and clever hackers. They can and do use these breadcrumbs to piece together exactly who we are, from our names to our toothpaste preferences.
It doesn’t have to be this way. You can wear a digital mask that can confuse and contradict the massive surveillance and tracking apparatuses aimed at logging your every click. If—hypothetically, of course—I were to set out to create a new, fake identity using purely legal means, it wouldn’t be easy. But it is doable.
A clean computer
The clues and building blocks of my identity are all over my hard drive. And that data leaks like a faucet to nearly every website I visit. If I want to create a new identity for myself, the first step is to buy a new computer.
But that machine needs to be clean.
So I’m going to steer very clear of Amazon and even online classifieds sites like Craigslist. All could reveal links to my real identity. On Amazon, I would likely have used a credit card. And then there’s the fact that the National Security Agency can intercept computers ordered online to install spyware. On Craigslist, I might have to meet the seller in person. Both are unacceptable, because once a link between identities is established, it can almost never be erased.
Lucky for me, there’s a place on the Internet where my identity can be obfuscated: the Deep Web.
As referenced most recently in the new season of House of Cards, the Deep Web is a portion of the Internet accessibly only through the browser Tor, which anonymizes behavior through layers of encryption. Its black markets have a reputation for selling exotic drugs, assault rifles, and troves of illegal documents. But they actually also deal in a modest range of legal products as well, including clean electronics.
Using Bitcoin to purchase a cheap, clean machine from Deep Web sites like Agora Market or Silk Road 2.0 is easier than you might think. The tough part is actually receiving the computer without ever giving away your name or address.
For 0.6 bitcoins, or about $340, I can get an Apple Macbook Pro that would cost me $1,199.00 brand new. That sounds like it fell off the back of a truck.
If you want to go the extra legal mile and actually build your own computer out of untraceable parts, the knowledge is all over the Web and the parts can be had by searching and getting lucky across all the Deep Web black markets.
The dead drop
Here’s the trick. The usual Deep Web purchase is sent via regular post. I want to negotiate with my vendor to secure a “dead drop” in another location.
In a decidedly old-school twist, a dead drop is when the vendor leaves the merchandise in a hidden location—an abandoned home, a hidden tree, or even buried like treasure—so that the seller and buyer never meet.
On black markets like Russia’s RAMP, dead drops in Moscow for the type of products cooked by Walter White are the norm. Other markets vary. But as long as I’m willing and able to be in a major city for the drop, I should be able to engineer the ideal delivery for my new electronics. I’ll have the seller or his errand boy stash the parts on a dim dead end block in Boston, Mass. that I know has no surveillance cameras.
Once the working computer is in my hands, the job is far from done. Before it ever connects to the Internet, I’ll need an operating system far more secure than anything Apple or Microsoft has produced.
Initially, I’ll load up the Amnesic Incognito Live System (TAILS, tagline: “Privacy for anyone anywhere”), a free system designed to protect your anonymity and never leave a trace. It can be loaded with just a USB, SD, or DVD. And it will record no trace of my activity after shutting down.
Using TAILS, I can make sure all of my Internet traffic is routed through anonymity services like Tor or I2P. A virtual private network can add extra layers of protection as well, building more and more walls between me and my new alter-ego.
Even the browser is key. Right now, my browser carries thousands of potentially identifying markers such as resolution, plugins, fonts, and cookies. The Electronic Frontier Foundation has a great tool called Panopticlick to show just how trackable any browser is. The more unique, the more easily trackable. My regular installation of Google Chrome is completely unique, making it exceedingly easy to track. On the other hand, a basic installation of the Tor browser or TAILS blends into the crowd on purpose.
Strong anonymity software like TAILS strongly resists tracking and surveillance. But it doesn’t make me invulnerable to prying eyes. The biggest potential threat to your own security sits just behind the keyboard.
Build a new person
My new machine is finally ready to give birth to my new identity.
When it comes to constructing a new human being, there are many options on the table. On the illegal side, the Deep Web offers a wide range of fake documents. Passports, visas, birth certificates, drivers’ licenses, and bank statements—it’s all just a few clicks away on sites like HackBB. A European visa costs $50, and an expertly forged utility bill from the United Kingdom runs around $75.
But there’s a lot you can do legally as well.
The site Fake Name Generator can instantly offer the building blocks of that new life, spitting out randomly generated names and personal info. Seconds after setting my preferences to American male, I had a new man on my hands.
My alter-ego is James L. Redus of 179 Duke Lane in Parsippany, N.J. 07054. James is 6’2’’, 178 lbs, a general approximation of my own biometrics. He has a phone number, email address, birthday, MasterCard, social security number, school and work history, car, blood type, and favorite color (blue). Of course, none of the info checks out, but that’s hardly the point.
I can set up my own secure email at Enigmabox or Inventati. Alternatively, to continue to blend into the crowd, I can register for a Gmail account using a secure Tor connection. To send encrypted messages, I would use Pretty Good Privacy (PGP). However, PGP messages act as a red flag to organizations like the NSA. They may not be able to crack the message yet. But they will save the message for later purely because of how it is encrypted.
You’ll need to mask a lot more than your name and address to hide your identity, however.
When Edward Snowden first began talking to journalists last year, he knew he’d eventually be exposed. But as long as he was able to stay hidden long enough to pass along thousands of leaked documents and escape the United States, he considered it a fair trade.
Among his many concerns was that the NSA would know who he was by the way he wrote. Snowden knew they had the technology to trace his writing style directly back to him, and that that kind of analysis could undermine the whole effort.
Stylometry is the act of essentially “fingerprinting” writing styles—as well as potentially music and art—so that even anonymous writing can be correlated to a single individual based on previous documents they had written.
The old assumption was that writing styles change over time, but that’s not exactly true. “It’s like a fingerprint,” said Drexel University developers Michael Brennan, Sadia Afroz, and Rachel Greenstadt, creators of the anti-stylometry software Anonymouth. “You can’t really change it.”
This isn’t just an NSA capability. Intelligence agencies around the globe analyze these patterns. Private security firms sell the technology to anyone with sufficient cash.
To avoid being stylometrically tracked, a new generation of document anonymization tools can obfuscate my “writeprint” to build yet another wall between me and James L. Redus.
Anonymouth, designed by Brennan et al’s Privacy, Security and Automation Laboratory (PSAL), has emerged as the leader in the field. Anonymouth looks at common attributes tracked by stylometric programs—vocabulary, sentence structure, paragraph layout, etc.—and tries to substitute out what it can while still retaining meaning.
Using Anonymouth, I can write and engage in online communities under my new identity, but with less worry that I’m giving myself away by my words.
Mask your money
Finally, there’s the key issue of currency. Cash is king when it comes to untraceable transactions, but Bitcoin has a wide range of uses.
To anonymously buy Bitcoins, LocalBitcoins.com has been the seller of choice for many of Silk Road’s wealthiest patrons. Of course, some of them got caught. Worse, large transactions on Local Bitcoins have been targeted by police, resulting in the first-ever Bitcoin money laundering prosecutions.
To avoid unwanted attention, I’ll keep individual transactions below $500 worth of Bitcoin. This is about setting up an identity, after all—not a business.
The key to maintaining all these walls is that I abide by one important rule: One alias, one device. Using alter-egos on different machines contaminates the identities, making un-erasable links that can be ultimately used to connect me and James.
I’ve just created a new person with a thick technological wall between my own identity and his. I can use James to use the Internet without raising unwanted attention about who I am.
However, the battle isn’t over, because the battle never actually ends. I’ll have to continuously take care to never connect myself and James technologically or socially. Creating James was actually the easy part.
Now that he’s alive and surfing the Internet, new technological vulnerabilities will threaten his anonymity.
More than that, my own behavior can trigger my downfall. Logging into the wrong social media account, connecting to the wrong Wi-Fi, accessing the wrong website, giving away identifying details in a conversation, or downloading the wrong software can draw a small link between James and myself.
One little slip is all it takes.
With time, the odds that James L. Redus will survive become increasingly slim. His days are numbered. But when he’s gone, I can always just make someone new to replace him.
Photo by Mr.Thomas/Flickr (CC BY-SA 2.0) | Remix by Jason Reed
Patrick Howell O'Neill is a notable cybersecurity reporter whose work has focused on the dark net, national security, and law enforcement. A former senior writer at the Daily Dot, O'Neill joined CyberScoop in October 2016. I am a cybersecurity journalist at CyberScoop. I cover the security industry, national security and law enforcement.