Social Media Self-Defense

Please consider supporting my writing on Patreon.



Recent events have prompted conversation about the need for operational security on social media. Discussions about how to maintain an online presence while protecting one’s private life and personal identity are cropping up in communities that had previously never felt the need to exercise operational security, and that had never considered the possibility of falling prey to compromised security and data breaches.

In the age of social media, there are myriad ways our online presence may be used against us by a multitude of adversaries. From stalkers to prosecutors, any public information that can be attached to our identities may be used to their advantage and our detriment. It is important that we are mindful of the resources we make available to potential attackers.

In the interest of making practical operational security accessible to more people, I have composed a list of basic strategies for helping to mask the link between a social media account and one’s true identity. This list is by no means exhaustive, and it is important to keep in mind that an adversary with enough resources will likely be able to circumvent this obfuscation, given enough time. That said, it is nearly always worthwhile to make these connections more difficult, especially when they come at very little cost to us in terms of implementation.

1. Use a unique email address.
When attempting to mask connections between social media profiles, including dating sites, it is important to use a dedicated email address that does not relate back to other profiles, our legal name, or, ideally, any of our public associations. Using firstname.lastname@workplace.com is a bad idea; using randomcolor.randomnoun@gmail.com is a great idea. Creating new email addresses is easy, so there is no need to reuse one for accounts you’d like to keep separate.
Pro-tip: you can use a service like 10minutemail.net to generate a temporary email for creating a new Gmail account.

2. Choose a unique handle.
Do not re-use handles across platforms you’d like to keep separate. Do not use firstnamelastname69 for accounts you do not want to have connected to your legal identity. Pick something else. Anything else. It doesn’t matter.

3. Don’t use the same photos.
Do not use the same photos on profiles you’d like to keep separate. Reverse image search is a thing, and it will fuck your shit up. Ideally, you would not use images of your face at all on a profile you did not want tied to you, but if you must, make sure they can’t be linked back to your Twitter or Facebook accounts simply by using a quick drag-and-drop search.

4. Your tabs are YOUR business.
Give no indication that you’re using a site you don’t want people to know you’re using: if you’re trying to keep your private account private, make sure you’re not hinting at its existence by means of open tabs. Ensure you’re not being shoulder-surfed while interacting with that account, and never post screencaps that show tabs. EVER.

5. Scrub your browsing history.
Religiously. As with the above point, if you don’t want people to know you’re using a site or service, it’s best not to leave evidence around and available to the casual observer. Deleting your browsing history is easy. Using Chrome in incognito mode and closing your tabs after every session is even easier.

6. When possible, pay in cash.
When making purchases connected to your private persona, pay in cash. When cash isn’t possible, consider paying with a pre-paid card. Purchased with cash. You do not need bank statements or credit card statements establishing a link between you and places you never were, or sites you do not use.

7. Don’t use your legal name.
Pick a name. Any name. There is no need whatsoever for you to use your legal name on social media. You certainly CAN if you feel comfortable with it, but it is absolutely not mandatory. DO pick a name you will actually respond to, though.

8. If you want to keep a secret, KEEP QUIET.
Don’t talk about it. Don’t brag, don’t discuss it anonymously. Don’t tell your best friend, don’t tell your workmates, don’t tell that stranger at the bar. Just SHHHH. Stop talking.

9. Use strong passphrases.
“Password,” “Passw0rd,” “password123,” etc. are not good enough. Use strong unique passwords for each site or service. Better yet, use a password manager with a strong master password.

10. Don’t share identifying information.
If you’re trying to keep a profile secret, don’t share personally-identifying details on it. Keep your workplace, alma mater, tattoos, and the freckle on your left butt cheek private; there is no benefit to sharing these details on an account you don’t want to have linked back to you.

11. “Plausible deniability” is a terrible failsafe.
If your operational security is poor enough that you have to rely on plausible deniability, you are almost definitely not capable of pulling off plausible deniability. It’s far better to share false information from the start than it is to put honest information out there, and then try to lie to cover up its connection to you. If you are relying on plausible deniability to keep you safe, you are fucked.

12. Being recognized will fuck your shit up.
Don’t conduct clandestine meetings in places you frequent in your normal life. It only takes one staff member, regular patron, etc. to recognize you, call you by the wrong name, and totally blow your cover. It only takes an innocuous comment to someone in your normal life to make your secrets known. Pick somewhere you are unlikely to be recognized, dress differently than you normally do, and don’t go to that place in your day-to-day life if you can avoid it.

13. Alibis can be helpful, but they’re hard.
Use your credit card to buy a movie ticket or pay for food somewhere you frequent often. The problem with many alibis is that they involve having someone else lie on your behalf, which in turn requires violation of rule number 8. If you are going to construct an alibi, make sure you’re fabricating evidence, rather than relying on false testimony.

14. Strict compartmentalization.
The first rule of Fight Club is, do not talk about Fight Club. The second rule of Fight Club is DO NOT TALK ABOUT FIGHT CLUB. This rule actually goes both ways; just as you should not be discussing your secret life within your mundane existence, there is also no reason to discuss your day-to-day life within your secret life. Just don’t. Keep it completely separate; no overlap, no allusion, nothing.

15. Maintain composure.
If you want to get away with keeping a secret, you must keep your cool. Be mindful of being fidgety. Don’t giggle every time someone says the word “secret.” Be aware of your facial expressions and your reactions to the people around you. Be aware of what names you’re responding to, when. Stay calm.

16. Don’t get cocky.
Persona maintenance requires constant vigilance. Personal security is never assured, and one should never forget this. Cockiness breeds sloppiness; sloppiness leads to discovery.

17. Perfection takes practice.
None of these skills are innate. All of them require extensive practice. You may find that you need to start over with a clean slate again and again. There is no shame in failure, but it is important to remember that the internet never forgets; it is best to always err on the side of caution and add additional information as you go, after having properly assessed the risk.

Again, while this is by no means an exhaustive list of all possible precautions one might take, and while these precautions may not be as helpful against adversaries with a lot of time and resources, they are absolutely an easy way to minimize risk from stalkers, dangerous family members, nosy employers, and potentially even low-level state adversaries. Social media can very well be a point of vulnerability for many of us, but through careful persona management, it is possible to negate some of that insecurity while maintaining a robust online presence.

Documentation Without Incrimination


After I composed this series of tweets, a friend asked me to put together a blog post on how to document a demonstration without incriminating its participants.

It is common knowledge that photos and videos of people’s faces may be used by agents of the state to identify, and thus implicate, individuals in criminal investigations. To thwart this identification process, many protesters opt to wear masks, and many photographers and videographers take care not to include faces in their documentation. While a good first step, this is not sufficient to prevent law enforcement from using your photos and videos to identify, and thus prosecute, protesters.

Biometric identifiers, which are unique characteristics/traits that may be used to distinguish (and thus identify) individuals, expand far beyond unmasked faces. Some other metrics by which people may be identified include their build, the shape of their eyes and/or ears, the size of their hands and/or feet, their posture, their gait, their voice, and their speech patterns. Additional identifiers may include a person’s attire (clothing, shoes, bags, etc.), piercings, visible tattoos, and scars.

Where this gets complicated is that, even if you personally do not capture a single face, your camera is never the only camera present. If you capture a distinguishing feature of any kind in an image or video of windows being broken or walls being spray painted, that can be cross-referenced with other footage of the crowd, and used to single out and identify suspects.

A hand with a tattoo on it clutching a hammer as a window shatters, or a sneaker with a pink midsole being captured kicking a police car may be the only thing needed to poke through footage from security cameras as the crowd passed by, high-resolution wide-angle shots of the crowd taken by journalists, or any other source of data that may have captured bits of the action.

To this end, if you care about documentation without incrimination, it is generally best practice to make sure that you do not capture any human body parts in your documentation of bonfires, broken windows, spray-painted walls, or torched police cars. This includes people’s backs, miscellaneous limbs, and reflections caught in windows.

Additionally, if you DO capture human bits in your images or videos, it is a good idea to blur those details before publication, using ObscuraCam or a similar tool, to the point of being indistinguishable. It is also important to DELETE THE ORIGINAL, UNALTERED PHOTOS AND/OR FOOTAGE. Data stored is data that can later be subpoenaed in a court case, which would defeat the purpose of your editing process.

Finally, when taking photos or video of protesters, it is always a good idea to ask for consent first. Whether or not you condone potentially criminal behavior is irrelevant: it is unnecessary for us to do the work of the State and Police when at an event protesting their actions.