Living Under the Radar in a Digital World
Due to my line of work, I take some pretty strong precautions to stay hidden. I’ve talked about this before a bit on Twitter, but I thought it would be useful to share some of my methods with a larger audience, as many at-risk individuals might find the information helpful.
I go above and beyond what most people would consider standard precautions, but a large part of that has to do with my threat model sometimes involving people in infosec. I also have external resources helping make this possible. I know that not everyone has those resources, so what I do may not be possible for everyone. There are likely things that I haven’t thought of, or organizations that might exist to help with this kind of thing. If you’ve got information to share, please do so. Not everything I do here is strictly legal, but frankly, I care more about my safety than living to the letter of laws that are not structured to protect the privacy of individuals.
A little over a year ago, I was sitting down for tacos with a friend in Oakland, talking about a possible move to Portland. I had left engineering to do my own thing as an anti-abuse tech activist & developer, so the Bay Area was a bit outside my budget.
At that point, I was living openly. I hadn’t done anything to hide where I was, and this had consequences that had gone beyond the usual harassers ordering 50 pizzas and sending them to my address. I had to tell my apartment complex to stop accepting packages, because people had discussed sending me explosives. I had been SWATed, and you can read more about that experience here. Local people had been threatening to show up at my address with guns. One guy had taken a selfie outside the office of my former employer while I was working there and threatened to come back with a knife, so these threats weren’t something I could shrug off. Anytime I stepped outside my door, I had to be vigilant.
I didn’t like the idea of going into hiding, because to me, it felt like that was letting the people harassing me win. However, my friend convinced me that it was the reasonable thing to do, and she was right. I sleep a lot better at night now that I’ve put all of these precautions into place.
I don’t do things half-assed. I knew that if I wanted to hide, it was going to take a lot of planning and work. I hadn’t done anything like this before, so I started thinking about different methods of ingress that I’d seen used by abusers as well as worst-case infosec scenarios.
I changed my phone so it wasn’t in my name. It’s on someone else’s plan, and very few people have that number. I use a Google Voice number if I have to hand out a phone number at all, and that does not forward to my phone. Instead, all voicemails get sent to my email. I’ll often call people through my computer instead of my actual phone. Does it matter? I have no idea. That’s the point: if I don’t know if something’s secure, I don’t use it.
I’ve got multiple bank accounts, all in a different state, but I pay for everything in cash when it’s possible. I use different bank accounts to pay for different bills, and I never use physical checks. While the whole US banking system of routing/account numbers is bullshit and awful, it does allow you to often pay for things without tying your name to it in the bill pay system, as opposed to a debit card which can use the name as part of the verification process. A lot of that is guesswork, because I’ve never worked in the banking industry. I could be wrong, but I do the best I can with the information available to me.
I often use Tor or proxies when I’m browsing the internet. I’m not going to click on some random link and expose my IP address.
Don’t use Skype. Never use Skype. Google Hangouts, Slack, or Discord is safer.
My internet account isn’t in my name. It’s in the name of someone that isn’t obviously closely connected to me. We have few public interactions. It’s relatively easy to social engineer the account information out of an internet service provider if you’ve got the name of an account holder, despite what you may have been told. You only have to get the right agent on the phone. There are security organizations that have proved this many times.
That’s actually true of most utility companies as well. Even if you’ve got a PIN or some form of security on your account, there are rarely restrictions that require a customer service representative to enter that PIN before viewing your account information. Human beings are the first and most easily breached point of failure when it comes to security. Even if you assume that every person working at your utility or phone company is competent and safety aware, I’ve seen a case of a mobile phone company employee posting a customer’s account information on a website dedicated to doxing & harassment. Yes, this happens. Your information is not safe.
I do have a legal address, but it’s in a different state. It’s where one of my relatives lives. My car is registered to that address. I probably could have registered my car in that relative’s name instead of my own, but that could send up a red flag if I was ever pulled over by a police officer for any reason. This seemed the safer option. Because an out-of-state license plate can draw attention to a car, I live in a city that is on the state border. It’s not uncommon for people to live in Washington and work in Oregon, or vice versa.
Housing is by far the most difficult part of staying hidden. I do not have a lease on my housing. I pay my rent in cash. The person I am renting from is aware of my situation, so some trust is required. As an alternative, a friend can rent an apartment in their name for you. Again, some of these are resources that not everyone has, and they might not precisely be legal, depending on where you live. If you go that route, I’d recommend a large apartment complex where it’s relatively easy for a leasing office to not recognize every tenant. Pay your rent online or with a money order in the rent drop-off box. Avoid interacting with management. Pick a complex that allows for maintenance requests to be made online. Don’t be home if there’s an inspection or maintenance is required.
I have no utility bills in my name. All utilities are in a friend’s name. It’s way too easy to social engineer that information out of a utility company.
I don’t receive mail at my address. Instead, I use Amazon’s locker service if I want to buy something, or I get it sent to my relative’s house or the house of one of many local friends (always use a pseudonym) and drive up there to pick it up. I’ve got several pseudonyms for receiving packages, even at those locker locations. I don’t just use lockers close to me, but all over the city.
I don’t have a regular grocery store, gas station, laundry place, or any other store that people tend to visit repeatedly. Again, I go to stores all over the city. I keep my schedule as random as possible.
If I have to request an Uber or Lyft, I don’t have it pick me up or drop me off at home, ever.
If I’m at an event, I never tweet about it until I’m gone. I ask that if people take pictures that I’m in, they wait until I’ve left to post them.
I don’t keep my address in my GPS. I use Waze, so I just set the Home location to an address that puts me in a place I recognize.
I never give my address to my friends digitally. My address has never been linked to my name using a computer. Not even over Signal. Very few friends know where I live, and if they receive that information, it’s handed to them physically on a piece of paper. They are instructed to not enter it directly into their GPS, but instead to pick something nearby. Is this overkill? Maybe. Waze is owned by Google, and the likelihood of that information getting compromised on Google’s servers is slim, but it could happen. The likelihood of a friend leaving their phone unlocked is much higher. Overkill is OK when it comes to personal security.
I do not have an Oregon ID. Oregon started automatically registering everyone to vote if they had an Oregon ID. I am not registered to vote. I cannot vote, because in the majority of states, voter registration databases are public. In most states, if you have registered to vote, it is possible for anyone to get your home address. These databases are publicly searchable, either through state websites or 3rd party vendors. I gave up my right to vote so I could live in safety. It is possible to get yourself removed from the state database, but 3rd party vendors are often a few years out of date. It’s also often very difficult to get yourself removed from the database unless your reasons have been documented by the police. Every state has different restrictions on having this information withheld.
I don’t even trust the police with my home address. While a lot of police officers are great people, there’s a huge number of bad actors, and we hear about it in the news every day. I don’t know what their computer security is like. I’m not going to trust the state with it at all.
It’s required by law that dogs are registered in the state of Oregon. I wouldn’t give the state my address, and after I explained the reasons why, they told me that I could just list myself as being homeless.
It’s possible to get a P.O. Box, but that’s not affordable for everyone. That does solve the problem of receiving personal mail if you don’t have a nearby relative, and it’s the best option for you if you’re a person that gets state benefits. I do not have a P.O. Box, largely due to not wanting to be tracked to a single location. If a persistent stalker were to gain knowledge of that P.O. Box, he could wait outside for me to show up.
I often change my wireless SSID. I don’t know if it matters, but I do it anyways. I wouldn’t even use wireless if I didn’t have an IoT coffeepot (my coffee pot connects to the internet because reasons). Come to think of it, IoT probably isn’t the best idea for anyone that’s trying to stay hidden. IoT security is generally horrible. I wonder if it’s possible for an end-user to set that up to go through a proxy. I haven’t looked.
I’ve got a dating NDA. Yes, that’s a real thing, and a lawyer drew it up for me. I’ve got an NDA specifically for working with the media & photographers. I’ve only used it once, and it was for a very special circumstance. I’ve always turned down interviews that involve TV because I don’t want to be any more recognizable than I already am.
It’s a good idea to disable geotagging on every form of social media you’re using. If you use Twitter via web, you can set the geotag to any location you want. This is why all of my tweets appear to be coming from the lovely town of Goose Butts in the UK. Because butts.
When I drive home, I always take a slightly different route. I know every car that parks on my street. I rarely drive directly home, but often drive to a street that I know is a dead-end, because the internet isn’t the only way people can find you. There’s a lot of articles written about subverting physical surveillance. Google is your friend.
I use a different password for every website. I use password management systems like 1Password or LastPass to manage my passwords. I have a small USB drive that I wear as a necklace that contains these databases, as well as another physical backup device in an undisclosed location. I use 2FA (2-Factor Authentication) on every site that lets me do so. If you’re using SMS as a form of 2FA, set up a Google Voice number, because many sites will expose the last 4 digits if someone is attempting to gain access to your account.
If you are trying to stay anonymous on social media, register a separate email account with a name that cannot be tied to you at all. If someone attempts password recovery, the first few & last few characters are shown. Microsoft even shows the first character plus entire domain name. This can be enough to help confirm someone’s suspicion if you’ve got it pointing to an email address that is known as being linked to your real identity.
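A self-check for the recovery-hint leak described above, as an added example that is not part of the original post: it renders the hint a site might show for a planned recovery address under the two masking styles mentioned, then lists which of your already-public addresses that hint would be consistent with. The masking widths, function names and every address are constructed assumptions.

```python
import re

def mask_ends(email, head=2, tail=2):
    """Style 1 (assumed widths): first/last few characters shown, '@' left visible."""
    keep = set(range(head)) | set(range(len(email) - tail, len(email)))
    return "".join(c if i in keep or c == "@" else "*" for i, c in enumerate(email))

def mask_first_plus_domain(email):
    """Style 2: first character of the local part plus the entire domain."""
    local, domain = email.rsplit("@", 1)
    return local[0] + "*" * (len(local) - 1) + "@" + domain

def hint_matches(hint, candidate):
    """True if candidate is consistent with hint.

    A run of '*' is treated as hiding any number of characters, since a site
    may print a fixed number of stars; this errs toward reporting a match.
    """
    parts = [re.escape(p) for p in re.split(r"\*+", hint)]
    return re.fullmatch("[^@]*".join(parts), candidate, re.IGNORECASE) is not None

def audit(recovery, known_public):
    """Map each masking style to the known addresses its hint is consistent with."""
    hints = {
        "ends": mask_ends(recovery),
        "first+domain": mask_first_plus_domain(recovery),
    }
    return {style: [k for k in known_public if hint_matches(hint, k)]
            for style, hint in hints.items()}

# Constructed sample data: addresses already publicly tied to a real identity.
KNOWN = ["jane.doe@janedoe.example", "jdoe@mail.example"]

if __name__ == "__main__":
    for planned in ("jane.doe@janedoe.example",   # reusing a known address
                    "j.burner@janedoe.example",   # new name, same personal domain
                    "qx7rk@mail.example"):        # unrelated name on a shared domain
        result = audit(planned, KNOWN)
        verdict = "LEAKS" if any(result.values()) else "ok"
        print(f"{planned:28} {verdict:6} {result}")
```

An empty list for both styles means the hint would not line up with any address already linked to you; a new local part on a personal domain still fails the first-character-plus-domain style.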
If you own a website, ensure that you’re using a domain privacy service.
This is a huge list of things, and I’m sure I’ve missed a lot. I’m not always as vigilant as I should be, but I try, and I’ve had cause. With my blue hair, I’m pretty recognizable, but I’m not ready to give up my style. ;) I’ve been recognized randomly before, and if not for that, I probably wouldn’t be as careful about how I drive home and my physical surroundings. A lot of what I do is probably overkill for a lot of people, but it works out well for me. Is it perfect? Nope. I know there’s a lot I’ve missed. Some of the assumptions I’ve made might not be true. But I’m new to this, and I’m doing the best I can. If you’re at-risk and trying to stay hidden, it’s safer to be overly paranoid. Whatever lets you sleep at night.