Who Am I? A guide to online identity management.
Living on the internet is a difficult task. Being yourself on the internet is an even harder task to accomplish safely. Sometimes you do not know who you are yet, and other times you want to try something new. So how do you explore your identity online without jeopardizing who you already are?
You become multiple people on the internet.
I know many people who have tried. Almost all of them have failed. I know from experience that it is no trivial task. With fifteen years of experience of being more than one person on the internet at any given time, I am going to tell you that there is probably less work involved than you think.
I believe that the internet is vital to exploring your identity in the modern world, and I believe that the social power of the internet is having access to the knowledge of people who have already solved problems you are facing. To that end, I am going to share my collected knowledge about managing one’s multiple identities on the internet.
Before my advice, I am going to take a moment to discuss threats. The advice presented is personal security advice and is widely applicable. It is not comprehensive and is not a silver bullet to the threats everyone faces. I will contextualize my advice and it is up to you to decide how much it applies to your situation.
I have found that the quickest way to understanding a process is to do it. I suggest that you grab a notepad and walk through creating a new identity as you read.
Who am I?
The first thing is to decide who you want to be. Typically a new identity is connected to an abstract concept we wish to explore about ourselves. Whether that concept is gender, sexuality, or a new form of expression. So we will start with those concepts.
I have chosen to be confident, well-spoken, and professional. These are the defining character traits to my new identity. My new identity will focus on exploring how I can be those things.
I need a name. I can use my concepts to help these concepts. I have thought some about my new alias and what circles I wish to be a part of before I put pen to page.
- I want to explore my concepts in the presence of information and computer security professionals. This means that I can lean on some jargon in my handle to enforce my association to technology. Using buzzwords will discredit me.
- I want to appear professional. Surveying the technology industry I notice that many companies enjoy names that contain hard consonants to give themselves a bite. The words they choose often have little to do with security, but they are careful to choose names that are not used conversationally.
I choose MalachiteOS, since Malachite is not a word used conversationally, contains a hard consonant, and I like the color. OS serves a dual purpose since it has multiple meanings within the technology industry, and it disassociates Malachite from other circles that use the word more frequently. It is unique enough that it can be found and recognized but is also disconnected from everything else I do.
Next we will need to decide upon some arbitrary information. We need a real name, date of birth, and location. The security industry understands operational security (opsec) and privacy, so I can choose anything for these values and they will not be interrogated in depth.
It is good practice to choose a general location close to where you are from and a date of birth within a year of your actual birthday. This preserves your cultural touchstones like your media exposure or regional slang that slips into your speech patterns. As long as you pick a name that sounds real, you should be fine. If someone tries to look up your ‘real name’ you can inform them that it is fake, and decline to provide an alternative.
If someone attempts to press you for information, you can just disengage and burn your identity — it is designed to be disposable.
What does my identity look like so far?
MalachiteOS, Tasha Riley, Canada (West Coast), 1993–04–16. Confident, well-spoken, professional.
I need to set up my new identity and create a way to track its exposure so that I can burn it if I have to. This is where my applicable security advice comes in.
- Each identity should have three email addresses: personal communications, social communications, and services
Personal communications: Memorable. Associated to your account name. Used for email communications. Never signed up to websites or newsletters.
Social communications: Random. Dissociated from handle. Used to sign up to social media and forums.
Services: Random. Dissociated from handle. Used to sign up for services that do not involve inter-user communication (amazon, netflix, youtube, etc.).
- A list of websites and services each email is signed up to
- Strong, unique passwords on all accounts
- Non-SMS two-factor authentication on all accounts
There is a reason why we split up the email accounts in this fashion. Your personal communications account is forward-facing, and will only receive mail that is directed at it by other people. If you are targeted for harassment your personal communications address will likely be the first address used in attempted brute-forcing attacks against any social media accounts linked to your alias.
I have a small notebook, sized A5, that contains a page dedicated to this identity. I keep notes on what I have revealed along with a few details for keeping my identity consistent. The record below is an example to demonstrate what kinds of information I keep.
MalachiteOS. Tasha Riley. Canada (West Coast). 1993–04–16. Confident, well-spoken, professional. Note, language: no contractions, soda, roommate. Note, background: previously adjacent to tabletop game design, current contract work. Note, other: A5 records notebook
- Twitter: MalachiteOS
- Mastodon: MalachiteOS@infosec.exchange
- Medium: MalachiteOS
Here are a few further tips about identity management.
- Most of operational security (opsec) is about keeping your head down. Learn to read the room and be aware of how much attention you are drawing. The key to maintaining an identity is to have as few people as possible question it.
- It is better to be vague than specific.
- If you are vague then people will make assumptions and fill in the blanks. If someone attempts to call you out on an assumption, inform them that they made an assumption.
- Anything specific you say must be consistent and backstopped. If you mention presence at an event then you must be able to speak about that event as if you were there. If you say you contributed to a project then you must have your name associated with that project.
- Lie as little as possible. Even though small lies are rarely scrutinized, other people will notice inconsistencies if you cannot keep track of them and people will get curious. Complex lies will always fall apart under scrutiny.
- Turn off location services on any services and social media you can.
- Do not post any pictures that may reveal your location, or that contain objects or details from pictures you have posted elsewhere. Clear EXIF data before you share.
Identity creation and management is fairly simple. Most of maintaining an identity is not saying more than you need to. Depending on what services you plan on using you might need more tools than what are discussed here. Spend time looking into what threats you might face before you jump into this.
This introduction will give you enough to explore identity on many forums and on social media. Happy hiding, or exploring.