Difference between revisions of "Step 1"

From Gender and Tech Resources

m
(updated link)
 
(191 intermediate revisions by 6 users not shown)
Line 1: Line 1:
 
__TOC__
 
__TOC__
  
 +
=== Understanding and minimising our digital shadows ===
  
=== '''1. Know our digital shadow and the traces we leave in the internet''' ===
+
The internet is a great space to explore, learn, speak up, listen and communicate with people across the world. Unfortunately, the internet has also become a space where people who challenge the dominant discourse often find themselves under attack. These attacks can be very personal - enabled by the fact that there is often a lot of personal information about us on the internet.
  
''What is the information I leave online, what is my digital shadow? Who can collect or access this information? How can I find out? Can I control the information that is online about me? How can I influence my digital shadow?'' ''If you have one or several of those questions in mind, this how-to is for you!''
+
To strengthen our defences against these kinds of attacks, it’s a good idea to start by our assessing our '''digital shadows'''. These shadows - can tell a story about us: who we are, where we live and hang out, what we are interested in, and who our friends and colleagues are.
  
==== '''Understanding our digital shadow''' ====
+
This can expose us to several threats. In particular, it is the publicly available traces we leave behind that expose us to online harassment.
  
 +
However, there are also many '''strategies''' and '''tools''' we can use to shape or control our digital shadows, to increase our privacy, and ultimately to be more secure, both online and offline - without being less vocal or reducing our activity online. 
  
The internet is an amazing space to explore, learn, speak up, listen and communicating with people across the word. Unfortuntaly, the internet has also become a contentious space. There is a push back against people who speak against, question or challange the dominant discourse. These attacks by people also known as trolls can be very personal, as we, like everyone, are giving out very personal information on the internet.
+
Some examples of these include controlling the amount of data we give away by consciously stripping valuable information from content and metadata; trying the art of self doxxing; and thinking about ways to play with and break up our online identity.
If you are planning to be active on the internet as a feminist or as a woman human rights defender – or if you already are and have suffered attacks by harassers or trolls, or just want to improve your defences against this kind of attacks – it’s a good idea to start from an assessment of your '''digital shadow''' and of your '''social networks '''that are spread across your online and physical activities. These two aspects can tell a very accurate story about you, think of who you are, were you live and hangout, what you are interested in and who your friends are. This can expose us to several threats and can look scary at first sight, as you will see in this booklet there are actually many '''strategies''' you can adopt and '''tools''' you can use in order to shape or control them and to obtain a greater security online.
+
 
+
  
  
 
==== '''What is a digital shadow?''' ====
 
==== '''What is a digital shadow?''' ====
  
Our digital shadows can be defined as the stories and pictures data tells about us. These digital shadows are created by trillions bits of data, digital traces, we leave everyday when we connect to the Internet, our mobile and online services. Our digital shadows have a life of their own, are affected by others and change in unpredictable ways. Rather than as a shadow, which is something impalpable and temporary, our digital shadows grow continiously, are perminant and we have little control over them. We could describe these traces as a spectre of our past and present activities, that melt together in a permanent and ever-changing profile and could potentially haunt us forever.    
+
Our digital shadows can be defined as the stories data tells about us. These digital shadows are created by trillions of bits of data, digital traces we leave everyday when we connect to the Internet, our mobile phone and online services. Our digital shadows have a life of their own, are affected by others and change in unpredictable ways. Our digital shadows grow continuously, can be permanent and we have little control over them. These traces are a spectre of our past and present activities, which melt together in a permanent and ever-changing profile.
  
''How are these trillion bits of data created?'' The devices and the software we use to browse the Internet, access websites, connect to social networks like Facebook or Twitter, publish blog posts, receive phone calls, send SMS messages or emails, chat or buy things online all create specific bits of data on us. These data bits can be our name, location, contacts, pictures, messages, tweets, likes and can be put out there by us and other people either actively or passivly.      
+
''How are these trillion bits of data created?'' The devices and the software we use to browse the Internet, access websites, connect to social networking platforms like Facebook and Twitter, publish blog posts, receive phone calls, send SMS messages or emails, chat, or buy things online, all create specific bits of data about us. These bits of data can include our name, location, contacts, pictures, messages, tweets and likes, but also the brand of our computer, length of our phone calls and information about which websites we visit. These data traces can be put out there by ourselves as well as other people.  
  
''How do we share data?'' In some cases we '''actively''' share data – when we share photos on Facebook, book a flight ticket or contribute to a wiki. Other people can hand over data about us by tagging us in pictures, mentioning us in tweets or simply by communicating with us. In other cases, our data is '''passively''' collected, without our active knowledge or consent. Our browsing habits and IP address are collected while we visit a website by cookies and other tracking technology. These technologies are included in website for a wide range of purposes that these range from website analytics to the selling of advertisement. On our mobile phones apps collect data on us without our active knowledge or consent, think of location data, access to your contact or pictures. Through all such activity, we leave digital traces which result in the creation of our digital shadow.      
+
''How do we share data?'' In some cases we '''actively '''share data – for example when we share photos on Facebook, book a flight ticket online or contribute to a wiki. Other people can also actively share data about us, by tagging us in pictures, mentioning us in tweets or simply by communicating with us. In other cases, we give away data without necessarily realising it, or consenting to it.  
 +
Our browsing habits and IP address are shared when we visit a website by means of "cookies" and other tracking technologies, which are active in the background. These technologies are embedded in the websites we visit, and the information shared is collected for a wide range of purposes, from website analytics to advertising. Our mobile phone apps also collect data on us without our active knowledge or consent – for example, the photos we take usually have location data embedded in them. These tracking technologies enable  web services to identify and follow us as we move from one service to another - from our internet browser to the IM (instant messaging) app in our smartphone, from downloading e-books in our readers to publishing pictures from the latest protest we have covered.
  
''What is data?'' Data can be broken into three parts, content, meta data and noise.''' Content''' is the content of our messages, blogs, tweets and phone calls, it are our pictures and videos. '''Meta data''' is data about data, information that is needed for the infrastructure to work. Meta data enables our email to be delivered, find files on our computer and enable mobile communication. Meta data can be our email address, phone number, location, time and data that a message was send or stored. '''Noise''' is the data that is created by either the manufacturing process or by the workings of the infrastruture. For example, wvery camara has an SD card to record and store pictures. Every SD card has unique scrateches that were created by the machines producing the SD cards. These scratches make small changes to the data that are not visible to the eye but can be recognized by computers.                    
+
''What is data?'' Data can be broken into three parts: ''content'', ''metadata'' and ''noise''. '''Content''' is the content of our messages, blogs, tweets and phone calls; it is our pictures and videos. '''Metadata''' is data about data, information that is needed for the technological infrastructure to work. Metadata enables our email to be delivered, help find files on our computer and permit mobile communication. Metadata can be our email address, phone number, location, time and date when a message was sent or stored. '''Noise''' is the data that is created by either the manufacturing process or by the workings of the infrastructure. For example, every camera has an SD card to record and store pictures. Every SD card has unique scratches that were created by the machines producing the SD cards. These scratches make small changes to the data that are not visible to the eye but can be recognized by computers.
  
==== '''Why are these data collected?''' ====   
+
==== '''Who is collecting our data, and why?''' ====   
  
have particular features that make them '''uniquely identifiable''' in the flow of data that travel across the web. This enables several web services to identify and follow us as we pass from our browser to the IM app in our smartphone, download e-books in our readers, publish photos from the latest protest we have covered, or coordinate the next action with our group of activists.
+
We might wonder about the importance of one picture or one message, or think there is so much data out there that nobody knows what to do with it. However, data collection and data analysis has become very sophisticated.  
  
''When we use the Internet and/or mobile phones, we use digital services through networks. Our digital shadow exists within networks and that makes it vulnerable. In a network, data cannot travel directly from one device to another – it has to go through many other devices which make up the network. This means that all of our digital activity – such as sending an email, accessing a website or making a phone call – travels through multiple servers in a network until it reaches its final destination. The problem is that these third party actors can have access to our digital shadow in transit. ''
+
The data traces you leave are collected, analysed and sorted by various parties to create digital shadows, or '''profiles'''. Every time a new piece of data is collected, it can be identified and added to your profile. These profiles are ever-expanding, and give those who create them or who have access to them an immense insight into who you are.  
  
''Anyone can potentially have access to our digital shadow – including communications service providers, law enforcement agencies and companies, as well as groups and individuals running their own servers. We cannot know precisely what happens to our digital shadow and that itself is a problem.''
+
Data is collected by companies, governments and individuals for a variety of purposes. It can be bought and sold; it can be used to control; or it can be used to create harassment strategies.
 +
 
 +
Our digital shadows or profiles can be used to gain insight into who we are, what we do and where we have been. This data can then be used to make predictions on what we might do or where we might be in future. For example, if someone knows that we are an outspoken blogger on gender issues in country x, they know that we will probably be present at a conference on blogging and women held in that country. Profiles can also give potential harassers the ability to harass us across different platforms. 
 +
 
 +
Anyone could potentially have access to our digital shadow – including communications service providers, law enforcement agencies and commercial companies, as well as groups and individuals running their own servers. We can't know exactly what is happening to our digital shadow, and that itself is a problem.  
 +
 
 +
However, there are tools and tactics we can use to manage our digital shadows and to limit their ramifications in terms of profiling and surveillance. This will be discussed in the rest of this section.
  
 
==== '''Exploring our own digital shadow''' ====
 
==== '''Exploring our own digital shadow''' ====
  
We can explore our digital shadow with Trace My Shadow https://myshadow.org/trace-my-shadow – a tool launched by the Tactical Technology Collective together with a website that offers a lot of tips on how to protect our privacy and control our digital shadow: https://myshadow.org
+
As we mentioned before, anyone can potentially access our digital shadow – including communications service providers, law enforcement agencies and  companies, as well as groups and individuals running their own servers. We cannot know precisely what happens to our digital shadow and that itself is a problem. But there are tools and tactics to manage our digital shadow and to limit its ramifications in terms of  profiling and surveillance.
Identifying and materializing social network across your online and physical activities. John Fass, researcher and designer at the Royal College of Art created activities to materialize our social networks and browser history. [insert link]
+
Seeing through the eyes of our mobile phone. Installing and playing with openpath.cc Some of our apps can see the same things. Read the Terms of Service carefully and explore if you can change the access settings in your phone. On an iPhone we can change the permissions for each app under its privacy setting.
+
  
==== '''Strategies of obfuscating our Digital Shadow''' ====
+
Some good places to start are:
  
Digital Shadows are constructed by the data we and others actively and passively give away. These shadows are used to log our activities and interests on a regular basis by several entities and analysed for profiling us as users and consumers as well as for the sake of surveillance. However, profiling is not limited to commercial companies or governments. As vocal women, most of all if we write about traditionally male-oriented topics such as IT, politics or gaming, it is the publicly available traces we leave behind that expose us to online harassment. Our digital shadows and threat of online harassment should not make us less vocal, and there are several measures we can take to increase our privacy and control our data. We can control the amount of data we give away by consciously stripping valuable information from content and metadata, we can try the art of self doxxing and think about ways to play and break up our online identity depending on our activities or networks.
+
* Exploring our individual digital shadow with '''Trace My Shadow''' – https://myshadow.org/trace-my-shadow – a tool launched by Tactical Tech, accompanied by a website that offers a lot of tips on how to protect our privacy and control our digital shadow: https://myshadow.org
 +
* Identifying and materialising social networks across our online and physical activities: John Fass, researcher and designer at the Royal College of Art, has created some activities to materialise our social networks and browser history <u>' ''[insert link].'''</u>
 +
* Seeing through the eyes of our mobile phone by installing a tool called '''[https://openpaths.cc/ openpaths.cc]'''. Some of our apps can see the same things. Read the Terms of Service carefully and explore if you can change the access settings in your phone. On an iPhone we can change the permissions for each app under its privacy setting.
  
==== '''Hiding parts of our content and metadata''' ====
+
==== '''Control the content and metadata you share''' ====
  
Data consist of content, metadata and noise. Let’s find out how we can partly influence what we give away in the first two. When we publish content on the web, it is always a good idea to ask ourselves if what we are posting is public or personal and who can have access to it. Even if the information is connected to a public event and not to our personal lives, the names we mention or the images we upload may turn out to be dots that can be connected to draw a picture about who we are, what we are doing, where we are doing it and so on. If we or our contacts are being targeted by people who are too curious for whatever reason, this could help them.
+
The good news is that we can partly control what content and metadata we give away.  
  
This does not mean that we should silence ourselves – by taking some easy precautions and adjusting some details in our attitude towards the web and its services, we can limit our risks by increasing the level of the effort that would be required to attack us:
+
When we publish content on the web, it is always a good idea to ask ourselves if what we are posting is public or personal and who could have access to it. Even if the information is connected to a public event and not to our personal lives, the names we mention or the images we upload may contribute to a picture about who we are, what we are doing, where we are doing it and so on. This could be used by people who wish to target us.  
* When writing or posting images about public events in the web and in publicly accessible social network profiles, we should ask ourselves if the information we spread about single individuals, places and other details can be used to identify and/or attack someone. It is always a good idea to ask for permission to write about individuals and perhaps also to post information on public events only after they are finished. A good tool to anonymize faces in pictures that you take with your phone is '''ObscuraCam''', a free camera application for Android devices, created by the Guardian Project, that has the ability to recognize and hide faces: https://guardianproject.info/apps/obscuracam
+
  
* When writing about personal details of our life, it’s better to use '''private profiles''' that can only be accessed by selected contacts (see “Our several small-world networks” below).
+
This does not mean that we should silence ourselves – by taking some basic measures, we can limit our risks by increasing the level of the effort that would be required to attack us or our contacts.
  
* When giving our personal information to a web service, it’s best to check if they offer a secure connection (HTTPS instead of HTTP at the beginning of the URL) and to use that. If they don’t offer it or we don’t use it, this could expose us to attacks: for example someone could sniff our password and own our profile. A good solution to always use a secure connection (if available) without having to remember it is '''HTTPS Everywhere''', a Firefox, Chrome, and Opera extension developed by the Electronic Frontier Foundation that encrypts your communications with many major websites: https://www.eff.org/https-everywhere
+
* When '''sharing personal details about our life''', we can use private profiles that can only be accessed by selected contacts. When using private profiles on commercial social media, we should be aware of the regular changes to the privacy policies of that platform. This can have an impact on how “private” our profiles are. There have been cases where privacy settings have been changed, exposing pictures, content and the conversations of private groups.
  
* We should use '''different passwords''' for each web service we use: if one of the services we access does not provide a secure connection, and we use the same password for stronger services too, someone who sniffs the password when we connect to a weak service may also access our accounts in stronger services and access private data we were trying to keep secret. Since passwords should also be strong to protect ourselves against bruteforce attacks, it’s a good idea to have them generated randomly and remembered by a password manager like KeePassX: https://www.keepassx.org
+
* When '''writing or posting images about public events''' on the web and on publicly accessible social network profiles, we should ask ourselves if the information we spread about single individuals, places and other details could be used to identify and/or attack someone. It is always a good idea to ask for '''permission''' to write about individuals and perhaps also to post information on public events only after they are finished.
  
 +
*  '''Faces in pictures can be anonymised''' with a tool called ObscuraCam, a free camera application for Android devices.  https://guardianproject.info/apps/obscuracam
  
Hiding some of the most telling metadata can be done by:
+
* '''When giving personal information to a web service''', it’s best to use HTTPS so that the communication channel is secure (see the section on security measures for more on this).
  
* Avoiding using our real name when registering a device or copies of software such as Microsoft Office, Open Office, Libre Office, Adobe Acrobat and others. We can also switch off the GPS tracker in our phone or camera, but still other information is generated automatically.
+
* '''Use strong passwords''', and '''use different passwords''' for each web service you use - if you you the same password for multiple services and someone intercepts your password for one of these services, they could use it to access your other accounts.
 +
 
 +
* When '''registering a device''' or software such as Microsoft Office, Libre Office, Adobe Acrobat and others, not usingy our real name can help prevent the metadata created when using this device or software from being connected to you. You can also '''switch off the GPS tracker''' in your phone or camera.
 +
 
 +
* Some file types contain more metadata than others, so '''when publishing contents online''' you can change files from ones that contain a lot of metadata (such as .doc and .jpeg) to ones that don’t (such as .txt and .png), or we can use plain text.
 +
 
 +
*  '''Remove metadata from image files''' by using Metanull for Windows: https://securityinabox.org/en/lgbti-africa/metanull/windows
 +
 
 +
* For '''editing or removing hidden data from PDF files''', Windows or MAC OS users can use programs such as Adobe Acrobat XI Pro (for which a trial version is available). GNU/Linux users can use PDF MOD, a free and open source tool. However, it doesn’t remove the creation or modification timestamp, and it also doesn’t remove the information about the type of device used to create the PDF. 
 +
 
 +
* For more on '''removing metadata from different file formats''', see Tactical Tech's https://securityinabox.org/en/lgbti-mena/remove-metadata.
 +
 
 +
* You can '''prevent the tracking and collection of metadata''' through your browser by installing add-ons like '''Privacy Badger''' or Adblock Plus, as well as by monitoring our privacy settings and deleting cookies on a regular basis.
 +
 
 +
* Using '''Tor''' will '''hide specific metadata like our IP address''', thereby increasing our anonymity online.
 +
 
 +
===='''Social domains'''====
 +
 
 +
As security expert Bruce Schneier explains, “Security is a chain, and a single weak link can break the entire system”.
  
* Some file types contain more metadata than others, so when publishing contents online we can change files from ones that contain a lot of metadata (such as .DOCs and .JPEGs for example) to ones that don’t (.TXTs and .PNGs for example), or we can use plain text.
+
Each of us belongs to several '''social domains''' - our work or advocacy networks, our family networks, friends, and sports teams.  
  
* Another solution is to use programs that anonymize metadata like '''Metanull''' for Windows: https://securityinabox.org/en/lgbti-africa/metanull/windows.
+
Some of these networks may be more secure than others. For example, we may tend to have a more secure communication practices for our work or advocacy activities, but less secure practices for interacting with friends on a social network. Areas where these domains intersect can turn into a threat to our security.  
  
* ''Windows or MAC OS users can use programs such as '''Adobe Acrobat XI Pro''' (for which a trial version is available) to remove or edit the hidden data from PDF files. For GNU/Linux users, '''PDF MOD''' is a free and open source tool to edit and remove metadata from PDF files. However, it doesn't remove the creation or modification time, it also doesn’t remove the type of device used for creating the PDF.'' To learn more on metadata and their anonymization, visit: https://securityinabox.org/en/lgbti-mena/remove-metadata.
+
If we use a single identity in all our domains, it becomes easier to gather information about us and to identify our vulnerabilities. For example, if we reveal in a social network that we like a particular kind of game and that we download files with a p2p program like Emule, an attacker who wants to investigate our work or advocacy activities might trick us into downloading a game which is infected with spyware.  
  
* We can prevent tracking and collection of metadata through our browser by installing add ons like Privacy Badger or Adblock Plus and by changing our privacy settings and delete our cookies on a regular basis.
+
This attacker is interested in our advocacy activities, but knows that we have increased privacy and security measures for that part of our lives. The attacker also knows that our love of games is a digital weak spot as this network is not encrypted. Thus the attacker can exploit this part of our lives to gain access to another, more secure part.  
  
* Tor will hide specific metadata like our IP address, our digital address, and increase our anonimity online (see “'''Anonymizing our connections'''” below).
+
This is only possible, however, if our work identity and our Emule profile can be connected to the same person; and this is why separating our social domains can be useful. More on how to do this will be addressed later on, when we talk about identity management.
  
 
==== '''Self-Doxing''' ====
 
==== '''Self-Doxing''' ====
  
Despite all the measures we may take now, the traces we left behind in the web in the past are still out there, and they can be used against us for tracking us down or for connecting the dots to expose our real identity and personal life (what is generally called “doxing”).
+
'''Doxing''' (also written as "doxxing", or "D0xing", a word derived from "Documents", or "Docx") describes tracing or gathering information about someone using sources that are freely available on the internet. This method depends on the ability of the attacker to recognise valuable information about their target, and to use this information for their own ends.  
  
Doxing (also written as "doxxing", or "D0xing") is a technique of tracing someone or gathering information about an individual using sources that are freely available on the internet. Its name is derived from “Documents” or “Docx”. This method is based purely on the ability of the attacker to recognize valuable information about their target and use this information to their benefit. It is also based around the idea that, as quoted in the Urban Dictionary, "The more you know about your target, the easier it will be to find his or her flaws”.
+
Doxing is premised on the idea that "The more you know about your target, the easier it will be to find his or her flaws”.
  
Harassers and stalkers use several tools and techniques to gather information about their targets, but since these tools and techniques are mostly public and easy to use, we can anticipate them and "self-dox" ourselves in order to make good, informed decisions about our online identity and activities. Of course, these same instruments can be used to learn more than is immediately obvious about someone we have met online before we give them our full trust.
+
Harassers and stalkers use several tools and techniques to gather information about their targets, but since these tools and techniques are mostly public and easy to use, we can also use them ourselves. "Self-doxing" ourselves can help us to make informed decisions about what we share online, and how. Of course, these same instruments can also be used to learn more than is immediately obvious about someone we have met online before we give them our full trust.
  
Methods used for doxing range from exploring archives, yellow pages, phone directories and other possibly useful information made publicly available or from querying common search engines like Google or Duck Duck Go (https://duckduckgo.com), to looking for a person's profile in dedicated services, searching for information in public forums and mailing lists, or looking for images that the target has shared (and for instance may have also shared in another, more personal, account). But it can also simply consist in looking up the public information on the owner of a website that is managed by the target through a simple "whois search" (see "'''Creating a site of one’s own'''" below).
+
'''Methods used for doxing''' include exploring archives, yellow pages, phone directories and other publicly available information; querying common search engines like Google or DuckDuckGo (https://duckduckgo.com); looking for a person's profile in specific services; searching for information in public forums and mailing lists; or looking for images that the target has shared (and for instance may have also published in another, more personal, account). But it can also simply consist in looking up the public information on the owner of a website, through a simple "whois search" (see the section on "Creating a site of one’s own").
  
We can use these same tools to explore what can be easily found out about us, but before we start exploring these web services and looking for our digital self, a good idea is to use anonymization tools like Torbrowser (see "'''Anonymizing our connections'''" below).
+
We can use these same tools to explore what can be easily found out about us by others.  
  
    Many hints on how to self-dox oneself are available here: https://lilithlela.cyberguerrilla.org/?page_id=93870
+
Before we start exploring these web services and looking for our digital self, a good idea is to use anonymisation tools like Torbrowser.
  
    To learn more about (self-)doxxing tools and techniques, visit: https://modelviewculture.com/pieces/investigation-online-gathering-information-to-assess-risk
+
* Useful tips on how to self-dox are available [[self-dox|here]]
 +
* For more about (self-)doxing tools and techniques, visit: https://modelviewculture.com/pieces/investigation-online-gathering-information-to-assess-risk  
 +
* A useful (and creepy!) tool to learn what traces we have left behind in our Facebook account is Ubisoft’s '''Digital Shadow''', a Facebook app which illustrates what third parties can know about us through our Facebook profiles: https://digitalshadow.com
  
    A nice (and creepy!) tool to learn what traces you have left behind in your Facebook account is Ubisoft’s '''Digital Shadow''', a Facebook app which illustrates what third parties can know about us through our Facebook profiles: https://digitalshadow.com
+
==== '''Can we remove our digital past? Creating new identities''' ====
 +
''
 +
"Once something is on the internet it will stay on the internet, as the internet does not forget".''
  
 +
We may think that deleting certain sensitive data from social networks and web services may be enough to protect ourselves, but metadata cannot be deleted as easily.  And using just one identity through our whole life - in all our work and personal domains - creates a bulk of information that could be used to profile or attack us.
 +
 +
One option to avoid this is to leave an old identity behind and create a new one or several new ones - one for each of our social domains. We might also choose to use our real identity in some areas, and our new alternative identities in others.
 +
 +
* When we create a new identity, we should select the contacts for each one carefully, and avoid sharing contacts with other identities we use for different activities. This effectively creates separate social domains, with separate accounts, mail addresses, browser profiles, apps, and possibly even devices.
 +
 +
* It's important to make sure that our various identities are not linked in any way to each other, or to our real identity. Remember that some of these connections can be tenuous: for example, did you sign up for a new, pseudonymous Gmail account using your real phone number?
 +
 +
* Treating each of our extra identities as potentially disposable can be useful, as they can be discarded easily if it is compromised. 
 +
 +
* Disposable identities can be created for new acquaintances where appropriate – introductory profiles we can use to get to know somebody before we include them in a more trusted network.
 
   
 
   
==== '''Social domains: Our several small-world networks''' ====
+
To learn more about how to separate different identities into separate profiles, read the section on “Managing multiple online identities”.
  
As security expert Bruce Schneier explains, “Security is a chain, and a single weak link can break the entire system”.
+
==== '''Deleting identities''' ====
Everyone of us belongs to several '''social domains''' – our work, activism, family, friends and other personal networks – and each intersection among these domains can turn into a threat for our security. Each of these domains is structured as a “small-world network” – a group of not more than few dozens people who are frequently in contact with most of the other members of the group through phone calls, IM, mail messages, etc.
+
In each of these networks we may have a more or less important role, and some of these domains may need to be more secure than others. For instance, we may tend to have a more secure behaviour for our work or activism and a less secure one for leisure and for interacting with friends on a social network. But if we use a single profile for all our social relationships and for all our personal domains, it becomes easier to gather information about us and to identify our vulnerabilities.
+
For example, if we reveal in a social network that we like a particular kind of games and that we download files with a p2p program like Emule, an attacker who wants to investigate our work or activism might inject a virus on our computer by having us download an infected proprietary game. An attacker might be interested in our activism but knows that we have increased privacy and security measures for that part of our lives. The attacker knows that our love of games is a digital weak spot as this network is not encrypted. Thus the attacker exploits this part of our lives to gain access to our activism. This is only possible if our social network profile and our Emule profile can be connected to the same person, and this is why separating our personal domains can be useful.
+
  
==== '''Can we change our identities and our digital past?''' ====
+
If we decide to separate our domains by creating multiple identities, one of the first decisions we should make is whether to delete or keep the identity or identities that we already have. 
  
‘Once something is on the internet it will stay on the internet, as the internet does not forget’. There is a truth in this. We may think that deleting certain sensitive data from social networks and web services may be enough to protect ourselves, but metadata cannot be deleted as easily (or, often, visualized, for that matter) and therefore it is much better to commit a virtual suicide by eliminating the old identity and creating a new one or, better, several new ones for each of our personal domains.
+
To do this, we can start by investigating the traces of our existing identity or identities. (for methods and tools for following your own digital traces, see "Exploring your digital shadow" and "Self-Doxing").
Every identity should be deleted or abandoned whenever we feel it necessary. Using just one identity in our whole life, in all the different work and leisure domains we cross, creates a bulk of information that can only be used to profile or attack us.
+
When we create our new identities, we should select their contacts more carefully for each one and avoid sharing contacts with our other identities we use for different activities, so as to effectively create separate personal domains, with separate accounts, mail addresses, browser profiles, apps, and possibly devices. It can also be a good idea to create disposable identities for new acquaintances – an introductory profile we can use to get to know someone before we include them in a more trusted network.
+
To learn more about how to separate different identities into separate profiles, read “4. Managing various online identities” below.
+
  
 +
If we want to delete existing accounts:
 +
* The '''Suicide Machine''' (http://suicidemachine.org/) is a tool that facilitate the process of deleting social network profiles. The Suicide Machine was forced to stop deleting Facebook accounts, but instructions on how to do this are here: https://www.facebook.com/help/224562897555674
 +
* '''AccountKiller''' (https://www.accountkiller.com) has  instructions on how to remove accounts or public profiles on most popular websites.
 +
* '''JustDelete Me''' (http://justdelete.me) is a directory of direct links to delete accounts from web services.
  
 
==== '''Mapping our social domains''' ====
 
==== '''Mapping our social domains''' ====
 +
To separate our social domains, it's helpful to first map them out and identify which ones could expose us most to cross-domain attacks.
  
When we decide to keep our social domains and identities separate, the first thing we should do is examine our digital activities in order to map our several small-world networks and identify the ones that expose us most to cross-domain attacks. We can do this by observing our several activities and contacts and reflect on the worst-case scenario that could be caused by a loss of data. The answers we give ourselves will help us understand if a certain domain is sensitive or not and to separate the domains that are sensitive from those that are not.
+
We can do this by thinking about our different activities and networks, and reflecting how sensitive each of these is. This will enable us to better separate the domains that are sensitive from those that are not.
  
But partitioning one’s digital life into security domains is certainly not an easy process and requires some thinking. Joanna Rutkowska, a Polish computer security researcher, has developed '''Qubes OS''' (see below), a security-oriented Linux distribution based on the concept of “security by isolation”, where each personal domain is isolated in a separate virtual machine. In her blog, Rutkowska describes how she has divided her domains, and while her scheme is quite sophisticated and focused on her operating system, it can give interesting insights to anyone who wants to start isolating their several domains in order to enhance their security.
+
Partitioning one’s digital life into separate social (or "security") domains requires some thinking.  
  
The three basic domains Rutkowska has identified are “'''work'''”, “'''personal'''”, and “'''red'''” (for doing all the untrusted, insensitive things).
+
Polish computer security researcher Joanna Rutkowska has worked extensively on this, to the point that she developed  a security-oriented Linux distribution based on the concept of “security by isolation” (called Qubes OS). In this system, each social domain is isolated in a separate virtual machine. While Rutkowska's scheme is quite sophisticated and focused on her operating system, it can give us interesting insights on how to start thinking about separating our domains.  
* The '''work''' domain is where she has access to her work email, where she keeps her work PGP keys, where she prepares reports, slides, papers, etc, but she also has a less trusted “'''work-pub'''” domain for other work-related tasks that require some Web access, such as accepting LinkedIn invites, or downloading cool pictures for her presentations. Furthermore, she has isolated other work activities in a '''work-admin'''” and a “'''work-blog'''” domain in order to obtain a further level of security when managing her company’s servers and when writing on her blog or on other work-related web services.
+
  
* The '''personal''' domain is of course the domain where all her non-work related stuff, such as personal email and calendar, holiday photos, videos, etc., are held. Rutkowska says that she is not into into social networking, but if she was, she would probably access the social networks through a secure (HTTPS) connection. Also for her personal life, Rutkowska has decided to create a special domain called “'''very-personal'''”, which she uses for the communication with her partner when she is away from home. The couple uses encrypted mails to communicate, and Rutkowska has separate PGP keys for this purpose: while they don’t discuss any secret and sensitive stuff there, they still prefer to keep their intimate conversations very private.
+
The three basic domains Rutkowska identifies for herself are “work”, “personal”, and “red” (the untrusted, insecure area).
  
* The '''red''' domain, on the other hand, is totally untrusted: this is where disposable profiles belong, because a domain dedicated to untrusted activities can get compromised easily and it should be possible to replace it with a different one. Basically, Rutkowska uses this domain to do everything that doesn’t fit into other domains, and which doesn’t require her to provide any sensitive information.
+
* The '''work''' domain includes her work email, where she keeps her work PGP keys, where she prepares reports, slides, papers, etc. She also has a less-trusted “work-pub” domain for things like accepting LinkedIn invites or downloading pictures for her presentations. To add to this, she has a “work-admin” and a “work-blog” domain, in order to get a further level of security for managing her company’s servers and for writing on her blog.
  
* Besides these three main domains, Rutkowska has several other separate domains. One is dedicated to '''shopping''', for accessing all the internet e-commerce sites. Basically what defines this domain is access to her credit card numbers and her personal address (for shipping). Then there is the '''vault''' domain, the ultimately trusted place where she generates and keeps all her passwords (using KeePassX) and master GPG keys. Finally, she has a domain for all the Qubes development ('''qubes-dev'''), one for '''accounting''', and another one for '''work archives'''.
+
* The '''personal''' domain includes all the non-work-related stuff - such as personal email and calendar, holiday photos, videos, etc. She adds to this with a special domain called “very-personal”, which she uses for the communication with her partner when she is away from home. The couple uses encrypted mails to communicate, and she has separate PGP keys for this purpose.
  
 +
* The '''red''' domain, on the other hand, is totally untrusted. This is where her disposable identities or profiles belong. Rutkowska uses this domain to do everything that doesn’t fit into other domains, and which doesn’t require her to provide any sensitive information.
  
Of course we don’t have to separate our domains in such a complex way, and, as we will see, using Qubes Os to keep them separated is just one solution – that moreover requires a powerful machine to run on. Yet Joanna Rutkowska’s reflections on domain mapping can be an enlightening starting point to analyse our activities and to separate our social domains to enhance our security.
+
* Besides these three main domains, Rutkowska has several other separate domains. One is dedicated to '''shopping''', for accessing e-commerce sites. What defines this domain is access to her credit card numbers and her personal address (for shipping). Then there is the '''vault''' domain, the ultimately trusted place where she generates and keeps all her passwords (using KeePassX) and master GPG keys. Finally, she has a domain for all the Qubes development ("qubes-dev"), one for '''accounting''', and another one for '''work archives'''.
  
Joanna Rutkowska’s article on security domains can be found here: http://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html
+
Of course we don’t have to separate our domains in such a complex way, and using Qubes Os to keep them separated is just one solution – and one that requires a powerful machine to run on. Yet Rutkowska’s reflections on domain mapping can be an enlightening starting point to analyse our activities, and to separate our social domains for enhanced security.
  
 +
* Joanna Rutkowska’s article on security domains can be found here: http://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html
  
 +
=== '''2. Assessing risks and potentials: how to choose which online identity fits our purpose''' ===
  
=== '''2. Assessing risks and potentials and learning how to choose which online identity fits our purpose''' ===
+
==== "'''Real" or virtual identity?''' ====
  
==== '''Real or virtual identity?''' ====
+
Once we have identified our different social domains and the digital activities and contacts that go with them, what we need to do is decide if we want to differentiate our identities accordingly, or if we'd rather stick to our official name and true face for each of them.
  
 +
We may want to keep our work connected to our legal or "real" identity, or think that our activism should be anonymous, but these are decisions that need to be thought about carefully.
  
Once we have identified our different personal domains and the digital activities and contacts that go with them, what we need to do is assign an identity to each of them. Someone may want to keep their work related to their legal or "real" identity, or think that their activism should remain anonymous, but this is not an automatic choice and it should be pondered carefully.
+
For example, a journalist who finds it convenient to use her real identity for her writing may decide to stay in contact with her personal domain through a nickname, so that nobody can connect the two spheres together.  
  
 +
On the other hand, if an activist decides that she wants to use a pseudonym for her online activities, she should consider that she will be showing her face in all her connected activities in the real world, such as speaking at conferences or participating in demonstrations. Her online pseudonym will therefore be linked to her face; but her face could also be linked to her real name on social networks, and her online activist identity unmasked.
  
For instance, a journalist who finds it convenient to write online with her real identity may decide to stay in contact with her personal domain through a nickname, so that nobody can connect the two spheres together. On the other side, if an activist decides that she wants to use a pseudonym for her activities online, she should consider that she will show her face in all her connected activities in the real world, such as speaking at a conference or participating in a demonstration, and this could help possible attackers to link her nickname to pictures of her face that are linked to her real name in social networks.
+
In assessing which identity to use in a given context, it's helpful to consider the following questions:
  
In assessing which identity to use in a given circumstance, it's helpful to consider the following questions that take into account both legal and personal risks to one's livelihood and safety:
+
* Would my job, livelihood or safety be at risk if my real identity were known in this context?
* Would my job or livelihood be at risk if my identity were known in this context?
+
  
 
* Would my mental health or stability be affected if my participation in X were known?
 
* Would my mental health or stability be affected if my participation in X were known?
 +
 +
* Would my family or other loved ones be harmed in any way if my real identity became known in this context?
  
 
* Am I able and willing to maintain separate identities safely?
 
* Am I able and willing to maintain separate identities safely?
  
* Would my safety be at risk if my identity in this context were known?
 
 
* Would my identity becoming known in this context cause harm to my family or other loved ones?
 
 
Once we have '''assessed our risk,''' we can then consider different strategies for separating our identities online. 
 
Once we have '''assessed our risk,''' we can then consider different strategies for separating our identities online. 
  
 +
For more on assessing risk, visit: https://ssd.eff.org/en/module/introduction-threat-modeling  
  
 
==== '''Strategies for separating identities online''' ====
 
==== '''Strategies for separating identities online''' ====
  
Many '''strategies''' have been adopted by women who are active online, ranging from full transparency to full anonymity. For example, writer Kate Harding has [http://kateharding.net/2007/04/14/on-being-a-no-name-blogger-using-her-real-name written about her decision] to start writing under her real name; in doing so, she dismisses the recommendations that are generally given to bloggers, such as: “writing under a pseudonym, making that pseudonym male or gender-neutral if you’re one of them lady bloggers, disabling anonymous comments, masking one’s personal information, being circumspect about publishing identifying details, and not writing anything that might inflame the crazies”. Instead of putting responsibility on women, Harding argues, problems of harassment should be handled by society as a whole and by men, who should understand that only by supporting women and their right to be active and vocal in the internet will anything change. And while she admits that “the only reason I haven’t yet heard I’m a worthless cunt who deserves to be raped is that nobody knows I exist yet”, she also acknowledges that this decision is “dangerous because I use my real name and especially dangerous because it’s a female name”.
+
'''strategies''' for maintaining separate identities can range range full transparency to full anonymity.
  
In "The Girl's Guide to Staying Safe Online," Sady Doyle [http://inthesetimes.com/article/12311/the_girls_guide_to_staying_safe_online writes] that becoming visible "creates a specific vulnerability" and offers a cynical set of recommendations for women to consider when writing publicly:
+
Author Kate Harding talks about her decision to start writing under her real name, dismissing the recommendations that are generally given to bloggers to follow practices like “writing under a pseudonym, making that pseudonym male or gender-neutral if you’re one of them lady bloggers... masking one’s personal information, being circumspect about publishing identifying details, and not writing anything that might inflame the crazies”.  
# "Don't post the wrong photo. Any photo."
+
# "Don't have the wrong name. Any name."
+
# "Don't be good at your job."
+
# "Every photo is the wrong photo. Every name is the wrong name. Any kind of good is too good. Don't go it alone."
+
While Doyle's comments are meant ironically, the fact is that women are disproportionately targeted by hate speech and harassment online. While our first reaction may be to step out of the public eye or censor ourselves, we have other options. Giving up on our online activities is exactly what misogynists and harassers expect from us, as [http://www.gabbysplayhouse.com/webcomics/sexism/ this webcomic by Gabby Schulz] exemplifies. Ultimately, Doyle concludes, “the best way to ‘stay safe’ online may simply be to stay online. After all: If there’s no one left willing to complain about the harassment, what are the odds that it’s going to change?”.
+
  
As such, we have several options available to us: We can attempt to participate online anonymously. We can use a persistent pseudonym.  We can identify fully with our real or legal name, or we can divide our online lives, using our real or legal name sometimes and a pseudonym at other times. The following section will explore the pros and cons of each option and help you determine which options are best for you.
+
Instead of putting responsibility on women, Harding says, problems of harassment should be handled by society as a whole, including men. However, she also acknowledges that the decision is dangerous one.
 +
http://kateharding.net/2007/04/14/on-being-a-no-name-blogger-using-her-real-name
  
 +
In "The Girl's Guide to Staying Safe Online," Sady Doyle writes that while becoming visible "creates a specific vulnerability", giving up on our online activities is exactly what the misogynists and harassers expect from us - and so the best way to ‘stay safe’ online may simply be to stay online. "After all: If there’s no one left willing to complain about the harassment, what are the odds that it’s going to change?”
 +
http://inthesetimes.com/article/12311/the_girls_guide_to_staying_safe_online
 +
 +
As such, we have several options available to us: We can attempt to participate online anonymously. We can use a "persistent pseudonym".  We can identify fully with our real or legal name, or we can divide our online lives, using our real or legal name sometimes and a pseudonym at other times. The following section will explore the pros and cons of each option, so we can determine which options are best for each one of us.
  
 
==== '''Anonymity''' ====
 
==== '''Anonymity''' ====
 +
Total anonymity can be both isolating and difficult to maintain, but is useful in settings where we don't need to gain other people's trust, when there are few or no people we can trust, or when we don't want to expose others in our life to risks.
  
Total anonymity can be both isolating and difficult to maintain, but is useful in settings where we don't need to gain other people's trust, when there are few or no people we can trust, or when we don't want to expose others in our life to risks. Anonymity may be a good choice in certain, specific situations, such as researching or participating in message boards about health issues, or when sharing sensitive information. We may wish to set up a one-time account to comment on a blog or news site, or a one-time email account or chat session for discussing sensitive information with others.
+
Anonymity may be a good choice in certain specific situations, such as researching or participating in message boards about health issues, or when sharing sensitive information. We may wish to set up a one-time account, using a pseudonym, to comment on a blog or news site, or a one-time email account or chat session to discuss sensitive information with others.
  
Vani, a human rights activist, [http://internetdemocracy.in/media/women-bloggers-seek-safety-in-anonymity speaks of their participation on social networks anonymously], saying: “I am a regular social network user. I voice my opinions on a range of topics. But, I remain faceless and nameless”. While anonymity is a good option in many situations, it can also be dangerous in some countries, where it can signal to the state police that the authors think they are doing something wrong. This strategy can also be lonely: “Anonymity also isolates you”, a blogger writes. “Can you have a network to protect you and also be anonymous at the same time? Would '''visibility''' be a better strategy for you?”
+
On anonymity, Vani, a human rights activist, writes: “I am a regular social network user. I voice my opinions on a range of topics. But I remain faceless and nameless”. [http://internetdemocracy.in/media/women-bloggers-seek-safety-in-anonymity speaks of their participation on social networks anonymously]
  
Anonymity differs from persistent pseudonymity in that, while one may use a pseudonym while anonymous, that name is not persistent across different networks and may be for single use only. For more information on how to be anonymous online, see the section on '''Anonymizing our connections.'''
+
But while anonymity is a good option in many situations, it can also be dangerous in some countries, where it can signal to the state police that the author thinks they are doing something wrong. This strategy can also be lonely: “Anonymity also isolates you”, a blogger writes. “Can you have a network to protect you and also be anonymous at the same time? Would visibility be a better strategy for you?”
 +
 
 +
Anonymity differs from "persistent pseudonymity". When we adopt anonymity as a strategy we may use pseudonyms, but these pseudonyms are not used across different networks or social domains, and some may only be used once and then discarded. For more information on how to be anonymous online, see '''Anonymizing tools'''.
  
 
==== '''Persistent Pseudonymity''' ====
 
==== '''Persistent Pseudonymity''' ====
  
The Oxford English Dictionary defines a pseudonym as "a fictitious name, especially one used by an author." In the age of the Internet, a pseudonym may also be referred to as a "nickname" or "handle", though the latter can also be tied to a person's legal identity. 
+
Persistent pseudonymity involves using a pseudonym consistently over a period of time.  
  
In a blog post for the Electronic Frontier Foundation, [https://www.eff.org/deeplinks/2011/07/case-pseudonyms Jillian C. York writes]: "There are myriad reasons why individuals may wish to use a name other than the one they were born with. They may be concerned about threats to their lives or livelihoods, or they may risk political or economic retribution. They may wish to prevent discrimination or they may use a name that’s easier to pronounce or spell in a given culture."
+
The Oxford English Dictionary defines a pseudonym as "a fictitious name, especially one used by an author." In the age of the internet, a pseudonym may also be referred to as a "nickname" or "handle", though the latter can also be tied to a person's legal identity. 
  
Pseudonymous speech has played a critical role throughout history, York explains. "From the literary efforts of George Eliot and Mark Twain to the explicitly political advocacy of Publius in the Federalist Papers or Junius' letters to the Public Advertiser in 18th century London, people have contributed strongly to public debate under pseudonyms and continue to do so to this day."
+
Jillian C. York, in a blog post for the Electronic Frontier Foundation, writes: "There are myriad reasons why individuals may wish to use a name other than the one they were born with. They may be concerned about threats to their lives or livelihoods, or they may risk political or economic retribution. They may wish to prevent discrimination or they may use a name that’s easier to pronounce or spell in a given culture."
 +
https://www.eff.org/deeplinks/2011/07/case-pseudonyms
  
A pseudonym can be name-shaped (e.g., "Jane Doe") or not. Some websites, including Facebook, require that users utilize their "authentic identity," which typically means using one's legal name or the name by which they are commonly known. This policy has caused some users, such as a group of drag performers in California, to [https://www.eff.org/deeplinks/2014/09/facebooks-real-name-policy-can-cause-real-world-harm-lgbtq-community lose their Facebook accounts]. Therefore, if we choose to use a pseudonym on social networks, it is important to understand that a risk of doing so is being reported for using a "fake name" and having one's account deleted. A strategy for avoiding that is using a name-shaped pseudonym.
+
Pseudonymous speech has played a critical role throughout history, says York. "From the literary efforts of George Eliot and Mark Twain to the explicitly political advocacy of Publius in the Federalist Papers or Junius' letters to the Public Advertiser in 18th century London, people have contributed strongly to public debate under pseudonyms and continue to do so to this day."
 +
 
 +
A pseudonym can be name-shaped (e.g., "Jane Doe") or not. At time of writing, some websites - including Facebook - require that users use their "authentic identity," which typically means using your legal name or the name by which you are commonly known. This policy has caused some users, such as a group of drag performers in California, to lose their Facebook accounts. If we choose to use a pseudonym on social networks, it is important to understand that a risk of doing so is being reported for using a "fake name" and having one's account deleted. A strategy for avoiding that is using a name-shaped pseudonym.
 +
https://www.eff.org/deeplinks/2014/09/facebooks-real-name-policy-can-cause-real-world-harm-lgbtq-community
  
 
Persistent pseudonymity also offers us '''visibility'''. Visibility allows us to network with others, and by pinning our voice to a particular name we can develop an '''online reputation'''. An online reputation allows others to decide whether we are worthy of trust, and is therefore a crucial aspect in trust-based online communities. Reputation can be developed by consistently using a nickname or pseudonym that can either be connected to our legal identity, or not. The choice to connect our online reputation to our "real" name should be taken individually, according to needs and context. 
 
Persistent pseudonymity also offers us '''visibility'''. Visibility allows us to network with others, and by pinning our voice to a particular name we can develop an '''online reputation'''. An online reputation allows others to decide whether we are worthy of trust, and is therefore a crucial aspect in trust-based online communities. Reputation can be developed by consistently using a nickname or pseudonym that can either be connected to our legal identity, or not. The choice to connect our online reputation to our "real" name should be taken individually, according to needs and context. 
  
It is also possible to maintain multiple pseudonyms (and reputations) for different purposes. For example, a person involved in the gaming community and LGBTQ rights activism may wish to maintain separate identities for each purpose, and can build trust within each community separately doing so.
+
It is also possible to maintain multiple pseudonyms (and reputations) for different purposes. For example, a person involved in the gaming community and LGBTQI rights activism may wish to maintain separate identities for each purpose, and can build trust within each community separately doing so.
  
 
==== '''Collective Identity''' ====
 
==== '''Collective Identity''' ====
  
One way to preserve anonymity is through collective participation. This could mean any number of things, from a private group or mailing list that puts out collective statements to a shared Twitter account. While the same security concerns apply, working from behind a collective identity means having the power of the crowd behind you and can be a good option for those who don't wish to reveal their identities
+
Another way to be anonymous is through collective participation. This could mean a number of things, from a private group or mailing list that puts out collective statements, to a shared Twitter account. While the same security concerns apply, working from behind a collective identity means having the power of the crowd behind you, and can be a good option if you don't wish to reveal your identity
 +
 
 +
==== Comparing strategies ====
 +
 
 +
Whatever choice we make, what is important is that we keep our domains effectively separated.
  
Whatever choice we make, what matters is that we keep our domains effectively separated and that no matter how many domains we identify in our digital life and identities we create, in the internet every identity, even the one bearing our true name, becomes a “virtual” persona and should be managed carefully. 
+
No matter how many domains we identify in our digital life, and how many corresponding identities we create, on the internet every identity - even the one bearing our real or legal name - becomes a “virtual” persona and should be managed carefully. 
  
 
''The pros and cons of the various identity options:''
 
''The pros and cons of the various identity options:''
Line 207: Line 260:
 
|"-"
 
|"-"
 
|"-"
 
|"-"
|"-"
+
|"+"
 
|-
 
|-
 
|'''Consistent Pseudonimity'''
 
|'''Consistent Pseudonimity'''
Line 221: Line 274:
 
|}                                                                                                                              
 
|}                                                                                                                              
  
'''''[N.B.: The above chart should remain intact, but I would like to incorporate the following text additions somehow and don't really know how]'''''
 
  
 
'''Real name'''
 
'''Real name'''
  
                                 Risk: The risks to using one's real name online are apparent. Using your "real world" identity online means that you are easily identifiable by family members, colleagues, and others and that personal activities can be linked back to your identity.
+
*''Risk'': Using your "real world" identity online means that you are easily identifiable by family members, colleagues, and others, and your activities can be linked back to your identity.
  
Reputation: Using your real name can have benefits, as it allows others to easily identify you, and allows you to more easily gain reputation and trust.
+
*''Reputation'': Others can easily identify you; gaining reputation and trust is easier.  
  
Effort: Using your real name requires little effort.
+
*''Effort'': requires little effort.
  
 
'''Total anonymity '''
 
'''Total anonymity '''
  
         Risk: Total anonymity can be beneficial at times, but can also be very difficult to maintain. Choose this option carefully.
+
*''Risk:'' can be beneficial at times, but can also be very difficult to maintain. Choose this option carefully.
  
Reputation: Maintaining anonymity means few opportunities to gain trust and reputation.
+
*''Reputation'': few opportunities to gain trust and reputation, or to network with others.
  
Effort: Maintaining anonymity is difficult and requires caution.
+
*''Effort'': difficult; requires caution. Might also require the use of anonymisation tools (for example Tor.)
  
 +
'''Persistent pseudonymity'''
  
'''Persistent pseudonymity    '''
+
*''Risk'': Pseudonym could be linked to our real world identity.
  
Risk: One major risk to using a pseudonym for some activities is that it could be linked to your real world identity.
+
*''Reputation'': A persistent pseudonym that others can use to identify us across platforms is a good way to gain reputation and trust.
  
Reputation: A persistent pseudonym that others can use to identify you across platforms is a good way to gain reputation and trust.
+
*''Effort'': Maintenance requires some effort, particularly if we are also using our real name elsewhere.
  
Effort: Maintaining a persistent pseudonym requires some effort, particularly if you are doing so in addition to using your real name elsewhere.
 
  
 
'''Collective Identity'''
 
'''Collective Identity'''
  
        Risk: One major risk to collective participation is the exposure of your real world identity.
+
*''Risk'': possible exposure of our real world identity.
  
Reputation: While not a way to gain individual reputation, one can still benefit from the reputation of the collective.                                                 
+
*''Reputation'': While not a way to gain individual reputation, you can still benefit from the reputation of the collective.                                                
 
+
Effort: Although secure communications are still important, collective participation requires less effort than total anonymity.
+
 
+
=== '''3. Anonymizing our connections''' ===
+
 
+
As mentioned before, when browsing the internet through a normal connection, there are several traces that can give away our real identity even if we are using an alternate persona (most importantly our IP address) and there are several ways to intercept our communications, for example by sniffing our connection when we connect to the web through a free Wi-Fi spot, by accessing our ISP’s data or by monitoring the website we are using.
+
 
+
To add a further level of protection, we can decide to access the internet through a '''VPN''', an encrypted tunnel that hides all services, protocols, and contents. Using a VPN is not difficult: it basically requires downloading a compressed file, extracting it and changing our computer’s connection settings, but it is important to choose a secure one – better if located abroad – because a compromised VPN server could be accessed by an intermediary who could then analyse all our activities. Autonomous servers '''Riseup''' – https://help.riseup.net/en/vpn – and '''Autistici/Inventati''' – https://vpn.autistici.org – both offer a reliable VPN.
+
 
+
But we should consider that from a technical standpoint VPNs have some limitations:
+
* <strong>An insecure connection is still insecure</strong>: Although a VPN will anonymize our location and protect us from surveillance from our ISP, once our data is securely routed through the VPN server, it will go out on the internet as it normally would. This means we should still use TLS when available (ie. (HTTPS to browse websites, pop-ssl/imaps/smtp-tls for mail exchange, and so on).
+
* <strong>VPNs are not a panacea</strong>: although they accomplish a lot, they can’t fix everything. For example, they cannot increase our security if our computer is already compromised with '''viruses '''or '''spyware'''. If we give '''personal information '''to a website, there is little that a VPN can do to maintain our anonymity with that website or its partners. For more information, see Riseup’s webpage on VPN anonymity: https://help.riseup.net/en/vpn/security-issues.
+
* <strong>The connection might get slower</strong>: the VPN routes all our traffic through an encrypted connection to the server before it goes out onto the normal internet. This extra step can slow things down.
+
 
+
If what we need to do with our alternative identity only needs a browser, we might consider to use the '''Torbrowser''' rather than a different profile in our usual browser. The Torbrowser is a software tool designed to increase the privacy and security of our Internet activities and habits. It masks our identity and our on-line browsing from many forms of internet surveillance.
+
 
+
The <strong>Torbrowser Bundle </strong>consists of the <strong>Tor </strong>software and a modified version of the <strong>Firefox </strong>web browser, which is designed to provide extra protection while using it. To stop scripts from running without us knowing and to force secure SSL connections whenever available, the browser bundle also includes <strong>NoScript </strong>and <strong>HTTPS-Everywhere </strong>add-ons.
+
 
+
<strong>Tor </strong>protects our <em>anonymity </em>by routing communications through a distributed network of servers run by volunteers from all over the world. Using <strong>Tor </strong>hides the sites we visit from potential onlookers, and hides our location/identity from those sites. The software is designed also to make sure servers in the <strong>Tor </strong>network <strong>don't know </strong>both our location <strong>and </strong>the sites we are visiting.
+
 
+
<strong>Tor </strong>also takes steps to encrypt the communication to and through its network, <strong>but </strong>this measure cannot extend all the way to a website which is sending or receiving content over non-encrypted channels (i.e. not providing HTTPS access). Nevertheless, the advantage of using Tor when accessing such sites is that <strong>Tor </strong>can secure our communication up to the step between the last of the <strong>Tor </strong>servers and the non-secure site. This confines the chance to intercept the content to that last step.
+
 
+
As with VPNs, there is a trade-off between anonymity and speed. Because Tor facilitates anonymous browsing by bouncing our traffic through volunteers’ computers and servers in various parts of the world, it will definitely be slower than using other web browsers on our computer.
+
 
+
What we should remember when using the Torbrowser is that '''it makes us anonymous, but not private'''. Although our web requests are anonymous, if we are posting on Facebook or sending an email through Gmail, that activity is still identifiable as “us”. While this is acceptable if we are using the Torbrowser with our virtual persona, we should be careful not to use the same instance of the Torbrowser with more than one identity. If we want to browse the web anonymously with more than one identity, we can do so by creating each time a '''new identity''' for our browser, so that a new set of random Tor proxy servers is selected and we appear to come from a new location to the web servers. To do this, we just need to click the onion icon in the upper left of our browser and to select “New identity” from the menu. The Torbrowser will briefly close, clearing our browsing history and cookies and then restart. After that, we can safely browse the internet with a different identity.
+
  
 +
*''Effort'': Although secure communications are still important, requires less effort than total anonymity.
  
 
=== '''4. Creating a new online identity''' ===
 
=== '''4. Creating a new online identity''' ===
  
==== '''Virtual suicide?''' ====
+
==== '''What’s in a name?''' ====
  
When we decide to separate our domains, one of the first decisions we should make is whether to delete or keep using our existing identities. Let's assume for the sake of this discussion that we have chosen to use our real identity sometimes, and at other times, use different pseudonyms.  
+
The practice of naming varies greatly from one culture to another. While names, in one form or another, have existed across cultures for milennia,  the concept of a "legal name" is a fairly new one.  
  
It is a good idea to consider each of our other identities as potentially disposable so that, in the case of it being compromised, it can be discarded easily. Before creating new identities, we should assess our existing ones and determine whether or not they are linked in any way to each other, or to our real identity. Remember that some of these connections can be tenuous: For example, did you sign up for a new, pseudonymous Gmail account using your real phone number? Follow the traces of each online identity to determine whether or not you should reuse, or discard them.
+
Different countries regulate the practice of naming in different ways; for example, in Morocco, names must be chosen from a government-approved list, while in Germany a name must be clearly reflective of the baby's gender.  
  
As we described before, when we use the Internet, we scatter our traces all over. Managing the traces that we have left behind over the years is a complex task, so if we're planning to embark on high-risk activities but still want to use our old identity or identities, it is a good idea to create new ones that have nothing to do with our existing identities and contacts.  
+
On the internet, platforms that have "real name" policies tend to base this judgement on an individual's legal name, rather than allowing them to identify as they choose. This can be problematic, not only for individuals trying to remain anonymous, but also for transgender individuals, individuals with mononyms, and others.
  
There are a few ways to get rid of existing accounts:
+
Because of such restrictions, it can be beneficial to select a "name-shaped" name when choosing a pseudonym. If we want to use commercial social networks, it is better to use a credible name and surname rather than more imaginative ones. Many companies will require that we use both a first name and surname, or a name that doesn't contain any slang terms or profanities.
* A nice tool to facilitate theprocess of deleting social network profiles is the '''Suicide Machine''': http://suicidemachine.org/. Unfortunately, the Suicide Machine was forced to stop deleting Facebook accounts. Instructions on how to delete Facebook accounts are here:https://www.facebook.com/help/224562897555674
+
* '''AccountKiller''' – https://www.accountkiller.com, with instructions to remove accounts or public profiles on most popular websites
+
* '''JustDelete Me''' – http://justdelete.me, a directory of direct links to delete accounts from web services.
+
  
 +
Once we have decided on a name, a surname, and a username for our virtual persona, we should do thorough research - perhaps also using doxing tools and techniques (see the section on Self-Doxing) - to find out if someone else is already using that name. After all, if we wish to develop our own reputation, we don’t want to be confused with someone else, especially if they don’t share our views of the world!
  
===='''Disposable email and mail aliases''' ====
+
==== '''Writing our own story''' ====  
  
While some domains require some sort of identity management in order to gain a strong reputation and trust from other members of the community, in some cases all we need is a '''disposable email address''' that we only need to use once or few times, for example for opening an account in a fishy website. Even if we decide to just have one identity online, this is always a good practice that prevents sites from building a history of our activities and ensures that, even if that account gets compromised, we can simply delete it and create a new one, keeping our digital life unscathed.
+
The practice of “story telling” (and of creating a social mask, for that matter) is an old one, and creating a new persona with a story makes it a lot easier to maintain the role.  
  
Another option is to create a '''mail alias''',a different email address that is connected to your main mailbox. The advantages of this approach are that this email account does not expire as disposable email addresses, and that if it gets compromised we can just dispose of it and create a new one, as with temporary mailboxes. But of course if the alias receives a lot of spam, it will fill our main mailbox.
+
We can base our story on a “known” person’s story, a superhero, a fictional character from our favourite novel, or adopt a “group identity” like Anonymous/Anonymiss or the Guerrilla Girls. If we feel particularly inspired, we can invent a new story.
  
There are many services that offer disposable email addresses. Some of the most privacy oriented are:''' '''https://anonbox.net'''<nowiki/>''', offered by the Chaos Computer Club, a historical hacker organization, and '''https://www.guerrillamail.com'''
+
The main point is that when we create an identity we should conceive a whole virtual persona, an avatar that needs to be nurtured and developed in order to become credible.  
  
In some cases, we don’t even need to create a disposable email account, because someone has already done this for us and shared the user name and password online. This is allowed by '''BugMeNot''', a site – http://bugmenot.com – where anyone can publish their new account data for sites with free registration. And there is also a Firefox extension: https://addons.mozilla.org/en-US/firefox/addon/bugmenot
+
This page offers some helpful tips for inventing a new identity: [[Roleplay]]
  
If we can’t be bothered with thinking up a new name and other data every time we want to create an account with a website we don’t really trust, https://fakena.me is a privacy-oriented '''fakename generator''' that provides all we may need, from a credible name and surname with birth date and (US-based) address to a user name and password, up to a link to the connected guerrillamail mailbox. Another similar service called called '''Instant Internet Decoy''' – https://decoys.me – creates convincing but entirely fictional people who have birthdays, locations in several countries, families and even answers to common security questions.
+
==== '''Creating a credible persona''' ====
  
While not every mail service allows users to create mail aliases, this service is offered to every mail user both by '''Riseup '''(https://we.riseup.net) and '''Autistici/Inventati '''(https://www.autistici.org), two secure, autonomous servers that are particularly focused on the right to privacy and anonymity and that are recommended for general security too.
+
A virtual persona or identity can't be just a name with a mail address and a series of web accounts. If we keep all our normal identifying traits - such as our gender, job, attitude or the way we write - it might be possible for someone to connect the dots and connect our pseudonymous personas with our real identity.  
  
 +
* ''Linguistic fingerprint'': One of the things to consider is our '''linguistic fingerprint'''. This could be identified through a so-called "stylometric analysis" using tools that are increasingly usable, even for non-experts, that make it possible to identify the author of a particular text.  We can, for example, give away our real identity through our particular way of writing certain words, our typical typos, and our style and tone.  To change this, we can start by using a spell-checker in our word processor to check for consistent typos. We could also think about adopting a different writing attitude. To keep it simple, we could adopt one simple rule for each persona, e.g. making them shout by only using capital letters, or be a low-talker with a lower-case style, or very excitable, with a lot of exclamation marks, or a spelling criminal, always putting apostrophes in the wrong place or mistyping words. What we decide to do with our writing style should match the character we choose for our new identity.
  
==== '''What’s in a name?''' ====
+
* ''Work'': To be sure that our pseudonymous avatar cannot be tracked back to us, our persona should have a job that is different from ours, but not so different that we don’t know anything about that field: for example, they shouldn’t be a surgeon if we don’t know anything about anatomy!
  
The practice of naming varies greatly from one culture to another. While names, in one form of another, have existed across cultures for milennia,  the concept of a "legal name" is a fairly new one. Different countries regulate the practice of naming in different ways; for example, in Morocco, names must be chosen from a government-approved list, while in Germany a name must be clearly reflective of the baby's gender. On the Internet, companies that have implemented "real name" policies have often based their judgement on an individual's legal name, rather than allowing them to identify as they choose. This can be problematic, not only for individuals trying to remain anonymous, but also for transgender individuals, individuals with mononyms, and others.
+
*''Skills and interests'': Similar considerations should be made to select our persona's skills and the main topics they focus on and write about. These can, of course, overlap - for example a journalist who writes about national politics may have an alternative identity that talks about national politics as well, but only casually (and their main interest will be something different, like carpentry or feminism or food).
  
As Jillian C. York [http://www.theguardian.com/technology/2015/mar/06/facebook-internet-fake-name-authentic-self writes]: "Are legal names – usually the names given to us at birth – truly representative of our authentic selves? Surnames are a fairly modern phenomenon in many societies, required and in some cases even created by governments to keep track of citizens. Legal names allow government to track property ownership, collect taxes, maintain court records, and perform police work, among other  things. With the advent of international travel, governments around the world standardized their practice, issuing passports that, in most cases, contain a first name and a surname."
+
*''Psychological attitude'': As for psychological attitude, a good rule of thumb is to give our persona depth by creating some "weak spots" - but choosing them carefully so that, if the weak spot is attacked, we are able to weather the strikes and even have some fun in the process. For example, if we have a very strong sense of humour, we could choose a severe lack of humour as our persona's biggest weakness, so that if that weakness comes under attack we can enjoy impersonating a humourless persona without really being psychologically harmed.  
  
Because of such restrictions, it can be beneficial to select a "name-shaped" name when choosing a pseudonym. If we want to use commercial social networks, it is better to use a credible name and surname rather than more imaginative ones. Many companies will require that we use both a first name and surname, or a name that doesn't contain any slang terms or profanities.
+
What is most important is to remember that on the internet, each one of our identities - even the one connected to our real name - is a “virtual” identity, and it is always better to decide what character traits we want to expose in each of them. Creating a somewhat fictional character can be a good idea even for our “real” online identity.
  
==== '''Writing our own story''' ====  
+
More about how to create a rounded character for our identities here: https://lilithlela.cyberguerrilla.org/?page_id=94049
  
An increasing number of psychologists argue that people living in modern societies give meaning to their lives by constructing and internalizing self-defining stories. In fact, the practice of “story telling” (and of creating a social mask, for that matter) is much older, and starting a new avatar with a story makes it a lot easier to maintain the role. We can  use a “known” person’s story, or a god or goddess, a superhero, a fictional character from our favourite novel, or adopt a “group identity” like Anonymous/Anonymiss or the Guerrilla Girls. Otherwise, if we feel particularly inspired, we can just invent a new story we like, but the main point is that when we create an identity we should conceive a whole virtual persona, an avatar that needs to be nurtured and developed in orderto become credible, so it is better to start from the choice of our nickname.
+
==== '''Creating online profiles''' ====
  
This page offers a lot of cues and links for inventing a new identity: http://anonymissexpress.tumblr.com/post/117939311235/you-may-have-noticed
+
Once we have created several personas, it's important keep them separate in both our physical and digital lives. While keeping notes on our identities might help ensure that we remember our story, there are technical measures we can take to make sure that our profiles stay separate.  
  
Having found a name, a surname, and a username we like for our virtual persona, and having generated or invented all the fake data we need for creating accounts with it, we should do thorough research, perhaps also using doxxing tools and techniques (see Self-Doxxing above) to find out if someone else is already using that name. After all, if we wish to develop our own reputation, we don’t want to be confused with someone else, especially if they don’t share our views of the world!
+
A good start is to create different '''browser profiles''', '''mailboxes''' and '''social network accounts''' for each of our identities. A good rule of thumb is to always use different apps for each account/identity and, if possible, to separate our identities per device or operating system (see '''6. A different machine for each identity''').
  
==== '''Creating a site of one’s own''' ====
+
==== Creating separate browser profiles and mailboxes ====
  
Some of us may be content with the tools we have discussed so far, and writing in our social network accounts, especially if we have found a more privacy-friendly option (see “'''Alternative social networks”), may be all we need to voice our opinions and to'''interact with a network of people (or with several networks, if we are using different identities when writing online). On the other hand, we may want a more independent platform to spread our ideas, plans or creations, and to do that we need to create a website or a blog.
+
''Browser profiles:'' To create multiple profiles with Firefox, visit: https://developer.mozilla.org/en-US/docs/Mozilla/Multiple_Firefox_Profiles  . For Google Chrome, visit: https://support.google.com/chrome/answer/2364824
  
Creating a blog is as easy as signing up in a web service and choosing a name and a nice theme for our blog, and there are several blogging platforms around that are both user-friendly and free, like'''Wordpress.com'''. Equally based on the free and open-source blogging tool Wordpress, but with some tweaks for additional user privacy, there are two security-oriented platforms that are managed by autonomous servers: Autistici/Inventati’s (A/I)'''Noblogs'''–[http://noblogs.org/ http://noblogs.org]– and Nadir’s'''BlackBlogs'''–[http://blackblogs.org/ http://blackblogs.org]. To open them, all that is needed is to have an email account hosted in an autonomous server (see<nowiki/>https://www.autistici.org/en/links.html<nowiki/>and<nowiki/>https://blackblogs.org/policy<nowiki/>respectively for a complete list).
+
''Mailboxes:'' When creating a new mailbox, it is always a good idea to connect to the server’s website with '''Torbrowser''' and, if a contact email address is required, to think about using a disposable email address instead.
  
All these platforms offer enough space for normal blogging activities and are very easy to use, but if we want to actively create our site from scratch, perhaps because we want a complex graphic layout or need to install particular tools that are not offered by Wordpress and its plugins, what we really should do is find some space in a server for our website and perhaps to associate it to our domain of choice.
+
===='''Disposable email addresses''' ====
  
Webhosting services are many, but since they generally aren’t free, the options to stay completely anonymous are reduced to creating a website with'''A/I''', which by default does not connect the users of its services with real identities.
+
For some activities and social domains we need to manage rounded personas, in order to gain a strong reputation and trust from other members of the community. In some cases, however, all we need is a '''disposable email address''' that we only need to use once or few times, for example for opening an account in an untrusted platform.
  
To learn more about Autistici/Inventati’s webhosting service, visit:https://www.autistici.org/en/services/website.html
+
Even if we decide to have just one identity online, using disposable email addresses prevents sites from building up a history of our activities and ensures that if that account gets compromised we can simply delete it and create a new one, keeping our digital life intact.
  
If we want to have our own'''domain''', bypassing payments and identifications may get difficult unless we use Bitcoin or another anonymous payment system, and the personal data we will provide will not only be stored in the registrar’s internal archives, but by default will also be recorded in a database that can be easily queried by anybody through a simple command (whois) or on several websites such as Gandi: Whois (https://www.gandi.net/whois). To avoid this, we can register our domain giving the data of an association and using a prepaid credit card that is not connected to our data (if available in our country), or else we can use a registrar like Gandi.net ([https://www.gandi.net/ https://www.gandi.net]), that offers private domain registration for individuals whenever possible.
+
* ''Creating a disposable email address'': There are many services that offer disposable email addresses. Some of the most privacy-oriented are:''' '''https://anonbox.net'''<nowiki/>''', offered by the Chaos Computer Club, and '''https://www.guerrillamail.com'''
  
==== '''A credible persona''' ====
+
* ''Tools to generate personal details'': Making the process of creating a disposable account easier, '''Fakena.me''' (https://fakena.me) is a privacy-oriented '"fake name generator" that provides everything for you - from a credible name, birth date and (US-based) address, to a user name and password and a link to the connected guerrillamail mailbox.  Another similar service, called '''Instant Internet Decoy''' (https://decoys.me) creates convincing but entirely fictional people who have birthdays, locations in several countries, families and even answers to common security questions.
  
Technology isn’t everything, and now that we have chosen our favourite tools for securing our multiple identities, we should dedicate some time to''imagination''and''impersonation''.
+
* ''Using existing disposable email addresses'': We can also make use of existing fake or disposable email accounts. '''BugMeNot'''(http://bugmenot.com) allows people to share their email logins and passwords created for platforms with free registration, for anyone to use.
  
A virtual persona cannot be just a name with a mail address and a series of web accounts. If we keep all our main identifying traits, such as our gender and job, our attitude or the way we write, we will leave the possibility open to connect the dots and identify our fake personas with our true selves.
+
==== '''Mail aliases''' ====
  
One of the first things we should consider is for instance our'''linguistic fingerprint''', which can be examined through a so-called stylometric analysis with tools that are increasingly usable, even for non-experts, and that make it possible to identify the author of a particular text. We can for instance give away our identity through our particular way of writing certain words, our typical typos and our style and tone. To change this, one of the first steps can be to use a spell-checker in our word processor in order to immediately visualize mistyped words. Besides, we could think of a different writing attitude. To keep it simple, we can adopt one simple rule for each persona, e.g. making hir shout by only using capital letters, or be a low-talker with hir lower-case style, or very excitable, with a lot of exclamation marks, or a spelling criminal, by always putting apostrophes in the wrong place or by mistyping words a lot more than we would normally do.
+
Another option is to create a '''mail alias''' - a different email address that is connected to our main mailbox. The advantages of this approach are that this email account will not expire, and if it gets compromised we can just dispose of it and create a new one. But of course if the alias receives a lot of spam, it will fill our main mailbox.
  
What we decide to do with our writing style should match with the character we choose for our new identity, which we should take some time to develop carefully. To be sure that our pseudonymous avatar cannot be tracked back to us, s/he should have a job that is different from ours but not so different that we don’t know anything about that field: s/he shouldn’t be a surgeon if we don’t know anything about anatomy! Similar considerations should be made to select hir skills and the main topics s/he focuses on and writes about, but since each of our personas should be dedicated to one particular domain of our digital life, it will likely be easy to make each of them experts in different, if slightly overlapping, fields. So for example a journalist who writes about national politics may have an alternative identity that talks about national politics as well, but only casually, while hir main interest is something completely different like IT or feminism.
+
While not every mail service allows users to create mail aliases, this service is offered to every mail user of '''Riseup '''(https://we.riseup.net) and '''Autistici/Inventati '''(https://www.autistici.org), two secure, autonomous servers that are particularly focused on the right to privacy and anonymity.
  
As for the psychological attitude, a good rule of thumb is not to think up just a general character, but to give it further deepness by finding some weak spots for our personas, choosing them carefully among our psychological strengths so that, if the weak spot is attacked, we can safely weather the strikes and even have some fun in the process. For example, if we have a very strong sense of humour, we could choose a severe lack of humour as our alternative identity’s biggest weakness, so that if that weakness is under attack we can enjoy impersonating a humourless persona without really being harmed because our real weak spots are carefully hidden. For the same reason, we may decide to give our alternative identity some other kinds of weaknesses, like knowing nothing about mail encryption while in real life we are digital security nerds.
+
==== '''Managing our identities on social networks''' ====
  
What is most important, though, is to remember that when we are in the internet each one of our identities, even the one connected to our true name, is a “virtual” identity, and it is always better to decide what character traits we want to expose in each of them, that is to say that creating a somewhat fictional character is a good idea even for our “true” online identity.
+
Note: When we use social networking platforms, we should always access them with a secure HTTPS connection.  
  
To read more about how to create a whole rounded character for our identities, visit this page:https://lilithlela.cyberguerrilla.org/?page_id=94049
+
* When creating an account for a new persona on a '''social networking platform''', use the browser profile you have created for that persona. Make sure to check the '''privacy settings''' so that you know what you are making public, who can see what you post, who can contact you, who can look you up and what your contacts can do (can they tag you in pictures? can they write on your "wall"?)
  
=== '''5. Managing multiple online identities''' ===
+
*Also be very careful about the''' profile information''' you provide, as well as the profile picture and cover photo you use, as these are generally publicly available to anyone who looks for us in that social network, regardless of our privacy settings.
  
==== '''Securing our identities''' ====
+
* Make sure your contacts do not overlap with your other identities, and to make sure your different identities don't "follow" one another. It is particularly not a good idea to follow your pseudonymous personas with your real identity. If someone is looking to unmask one of these personas, the first thing they will look for is who the account follows, and who follows the account. For the same reason, we should avoid reposting posts or other content published by one account with another account.
  
Once we have chosen a name for our new identity, we can start creating a contact email, accounts with web services, and so on. Yet, separating our digital life into multiple identities is not enough. What we need to do is to keep them '''technically separated''', that is to avoid that our identities scatter identical traces that can be linked together.
+
* Most social networking platforms will display your location where they can. This function is generally provided when we interact with the platform using a GPS-enabled phone, but it can also happen if we are connecting from other devices - for example the network our computer is connected to may also provide location data. It's always a good idea to double-check your settings - particularly on photo and video sharing sites.  
  
To do this, some precautions on the security side are definitely necessary, and to start, a good idea is to always hide our IP, the number that identifies our connections, through '''Tor''', an anonymity network that conceals both the location of our connection and what we do in the internet. By consistently using Tor, no one can link our IP (and therefore our alternative identity) to us, not even the mail server we use. For further information on how to use Tor, see “'''Anonymization'''” below.
+
* Photos and videos can also reveal a lot of information without you realising it. Many cameras will embed metadata into your photos, which can include the date, time and location of the photo, camera type, etc. Photo and video sharing sites may publish this information when we upload content to their sites.
  
Also the choice of the '''mail''' server we use for our contact mail address is important. While there are several secure servers that offer a good service – e.g. the Swiss commercial service '''Kolab Now''' (https://kolabnow.com) and the autonomous servers '''Riseup''' (a site used by activists with [https://help.riseup.net/en/about-us/politics a clear set of political principles]: http://riseup.net) and Autistici/Inventati (https://www.autistici.org) – the main point is to find a service that offers a secure connection (HTTPS instead of HTTP) and that is compatible with our virtual persona. If, for instance, we are creating an identity that doesn’t know much about digital security, it may be better to use a more widespread service like Gmail, and the possibility of two-factor authentication is always a plus. If the mail address we are creating is connected to our work and hosted by our firm’s mail server with its own domain, it is a good idea not to include our surname in the address and to keep just the name followed by the domain (e.g. ''jane@businessname.com''). Of course, if a mail address is required when registering a new mail account, we shouldn’t give our usual address and it is much better to use a disposable account for this purpose.
+
* If we access social networking platforms via mobile apps, it is better to use a different app for each separate account, so as not to post something to the wrong account by mistake. There are several apps which can be used to manage your social networking platforms - it is, however, a good idea to use a different one for each identity, to reduce the risk of giving away your real identity.
  
==== '''Creating and using strong passwords''' ====
+
* Publish from your various identities at different times of the day. Some social networking platforms, like Facebook, allow users to schedule the publication time of their posts. To learn how to do this, read:https://www.facebook.com/help/389849807718635  . Buffer (https://buffer.com) and Postcron (https://postcron.com) enable you to schedule a post on Twitter and other platforms.
  
Managing passwords is also a crucial part of maintaining our identities and our security online. Using the same password over and over again is risky, as are passwords that connect us to our identit(ies). If we are using different identities, the number of our passwords will increase accordingly. There is no way to remember so many secure passwords unless we have some mental magic powers that allow us to memorize dozens of long random strings of letters, numbers and symbols. Since a password is only as secure as the least secure service where it's been used, it's good practice to maintain separate passwords for each of our accounts. For more information on the importance of strong passwords and how to store them, read Security in a Box's chapter on passwords. https://securityinabox.org/en/guide/passwords
+
*  It can be a good idea to follow, from our pseudonymous profiles, other people who might reasonably be considered the real owners of that profile. To further distance our real identity from our pseudonymous identities, we can also write (and hashtag on Twitter) posts under our pseudonymous profiles about events that we are not attending, especially if they are taking place far away from us. It can also be fun to publish and then delete posts that look like we have exposed our identity, so as to further confuse anyone who may try to unmask us.  
  
To keep multiple secure passwords, you can use a password safe. '''KeePassX is '''a cross-platform free and open-source password manager that is very easy to use and creates files with passwords that can also be exported and used in other devices. It can generate random passwords and store them securely.
+
* Whatever social networking platform we decide to use, you should always read its terms of service to check if they suit your purposes. To get a summary of the terms of service of many social networking platforms (and other web services), go to the website Terms of Service; Didn’t Read (https://tosdr.org).
* To learn how to use '''KeePassX''', read this how-to: https://securityinabox.org/en/guide/keepass/windows
+
* To learn how to use '''KeePassDroid''', the correspondent tool for Android, read this how-to: https://securityinabox.org/en/guide/keepassdroid/android
+
But some passwords—like the one we use to decrypt our KeePassX file or lock our device—need to be easy to remember and strong at the same time. A good solution is to create passphrases that are formed by a random group of words that don’t make any sense together, separated by spaces. One way to do this is to use the '''Diceware''' techique (this requires six-sided dice and the Diceware word list: http://world.std.com/~reinhold/dicewarewordlist.pdf [PDF]. By rolling the dice five times, we will come up with a five-digit number that corresponds to a word on the Diceware word list; this word is the first word of our passphrase. If we repeat this at least six times, we can create a strong passphrase formed by six words that together make a strong, random passphrase. It can be memorized just as we did when we had to learn poems by heart at school and will be so long that it would take an average of 3500 years to crack it with brute force at a speed of one trillion guesses per second.
+
* To learn more about the '''Diceware''' technique, read this article published by Micah Lee in ''The Intercept'': https://firstlook.org/theintercept/2015/03/26/passphrases-can-memorize-attackers-cant-guess.
+
  
* To learn more about two-factor authentication and security questions, read Surveillance Self Defense's "[[Creating Strong Passwords]]": https://ssd.eff.org/en/module/creating-strong-passwords
+
==== '''Alternative social networks''' ====
  
==== '''A different profile for each persona''' ====
+
Mainstream commercial social networking platforms like Facebook or Twitter can be extremely useful if our aim is to publicise as widely as possible an event we are organizing or a project we are launching.
  
So now we have created several identities, but
+
However, if you're using one of these platforms it is important to be aware that:
 +
* these platforms have very strict terms of service that could justify their decision to close our accounts if they find that our contents go against their rules (for more, read: http://www.aljazeera.com/indepth/opinion/2013/05/20135175216204375.html)
 +
* users of these platforms are profiled, and information is sold to advertisers. If we add to this the ever-changing terms of service and the interactions with other apps and features that make it very difficult to understand clearly what actually happens to our data, the best solution is to limit the use of commercial social networking platforms to specific projects we want to publicise to a wide audience.
  
but the risk that someoneconnects them together unwittingly or to harm us is still very highif we don’t take some simple precautions that can be summarized ina sentence: keep each profile apart from the others, both in yourdigital and physical life.
+
There are also alternatives available - social networking platforms that give much more freedom to their users and don't profile them.
 +
* Social networking platform '''Ello''' explicitly states in its manifesto that “You are not a product”. It also does not require "real names" - a rarity amongst commercial social networks. It's important to be aware, however, that Ello is still a commercial project
 +
*  There are alternatives that are community-based, distributed rather than centralized, based on free and open-source software and privacy-friendly. Among these, '''Diaspora '''(https://joindiaspora.com), '''Friendica '''([https://friendica.com)and https://friendi.ca)] and '''Crabgrass '''(https://we.riseup.net) are especially worth mentioning.
 +
* Other similar sites may be popular in different regions, so we way wish to explore other options.  
  
A good start to separate our activities into domains is creatingdifferent '''browser profiles''', '''mailboxes''' and '''socialnetwork accounts''' for each of our identities.
+
Before choosing to use a social networking platform, we should ask:
 +
* Does it provide connection over '''SSL''' (like ''HTTPS'') for all uses of the site, rather than just during login? Are there any problems related to encryption (eg related to encryption certificates)?
 +
* According to the platform's End User Licence Agreement, Privacy Policy and/or Data Use Policy, How is your content and personal data treated? With whom are they shared?
 +
* What privacy options are provided for users? For example, can we choose to share our videos securely with a small number of individuals, or are they all public by default?
 +
* Is the geographical location of the servers known? Under which territorial jurisdiction do they fall? Where is the company registered? How does this information relate to the privacy and security of our activity and information?
  
To create multiple profiles with''' Firefox''', visit: https://developer.mozilla.org/en-US/docs/Mozilla/Multiple_Firefox_Profiles
+
==== '''Creating a blog or website''' ====
 +
Writing from our social networking accounts - especially if we have found a more privacy-friendly option - may be all we need to voice our opinions and to interact with a given network of people (or with several networks, if we are using different identities online). On the other hand, we may want a more independent platform to spread our ideas, plans or creations. For this we can create a website or a blog.
  
To create multiple profiles with Google '''Chrome''', visit: https://support.google.com/chrome/answer/2364824
+
* Creating a '''blog''' can be as easy as signing up to a blogging platform and choosing a name and a "theme" or visual template. There are several blogging platforms that are both user-friendly and free, including the open-source Wordpress (Wordpress.com).
  
When creating a new '''mailbox''', it is always a good idea to connect to the server’s website with'''Torbrowser''' and, if a contact mail address is required, not togive one that is connected to another identity and to use a disposable email address instead.
+
* Based on Wordpress, but with some tweaks for additional user privacy, are two security-oriented platforms that are managed by autonomous servers: Autistici/Inventati’s (A/I) '''Noblogs ''' (http://noblogs.org/ http://noblogs.org) and Nadir’s '''BlackBlogs '''– (http://blackblogs.org/ http://blackblogs.org). To create a blog on either of these platforms, all that is needed is to have an email account hosted on an autonomous server (see <nowiki/>https://www.autistici.org/en/links.html <nowiki/>and <nowiki/>https://blackblogs.org/policy <nowiki/>respectively for a complete list).
  
A good rule of thumb is to always use different apps for each account/identity and, if possible, to use adifferent profile in our computer or Android device or even different devices.
+
* If we want a complex graphic layout or need to install particular tools that are not offered by Wordpress and its plugins, we can create our own website. For this we need to get some space in a server through a webhosting service. There are many webhosting services out there, but since they generally aren’t free, the options to stay completely anonymous are reduced to creating a website with '''A/I''', which by default does not connect the users of its services with real identities. To learn more about Autistici/Inventati’s webhosting service, visit: https://www.autistici.org/en/services/website.html
  
 +
* If we want to use our own '''domain''' name, bypassing payments and identifications may get difficult unless we use Bitcoin or another anonymous payment system. The personal data we will provide will not only be stored in the registrar’s internal archives, but by default will also be recorded in a database that can be easily queried by anybody through a simple command in a search engine (whois) or on several websites such as Gandi.net (https://www.gandi.net/whois). To avoid this, we can register our domain with the data of an association and use a prepaid credit card that is not connected to our own data (if available in our country). Alternatively, we can use a registrar like Gandi.net ([https://www.gandi.net/ https://www.gandi.net]) that offers private domain registration for individuals whenever possible.
  
==== '''Managing our identities on social networks''' ====
+
=== '''5. Managing collective online identities''' ===
  
When we use social network websites, we should always access them with a secure HTTPS connection. To do this consistently, it is best to install the '''HTTPS Everywhere '''extension in our browsers.
+
==== '''Collective virtual personas''' ====
  
When creating a new account on a '''social network''', we should use the browser profile we have created for the relevant identity, and check the '''privacy settings''' to be well aware of what we are making public, who can see what we post,who can contact us, who can look us up and what our contacts can do(for example tagging us in pictures or writing in our personal page).
+
General Ludd, Captain Swing, the Guerrilla Girls, Luther Blissett, Anonymous - for centuries groups and like-minded people have participated anonymously in historic protest movements, or have created ground-breaking and provoking artworks or pranks under a collective pseudonym. Besides hiding the identities of the individuals involved, these collective personas have shrouded their feats in an aura of myth and almost magical power.
  
We should also be very careful about the''' profile information''' we provide and about the profile '''picture '''and '''cover photo '''we use, because they are generally publicly available to anyone who looks for us in that social network even if they are not our contacts and regardless of our privacy settings.
+
If we want to adopt a collective identity, we can adopt one that already exists, like Anonymous/Anonymiss, or create a new one that we can then share.
 +
 +
* A very interesting study on collective identity is anthropologist Gabriella Coleman’s book ''Hacker, Hoaxer, Whistleblower, Spy. The Many Faces of Anonymous ''(2014), based on an anthropological research on how Anonymous became a well-known and powerful collective identity with multiple faces and attitudes.
  
Another crucial precaution is that our social network '''contacts '''do not overlap among our several identities, and that we don’t follow our account with other accounts associated to anotheridentity. In particular, '''it is not a good idea to follow our pseudonymous accounts with our personal account''': if someone is looking to unmask our anonymous identity, the first place they willlook is whom the account follows, and who follows it back. For the same reason, we should avoid reposting posts or other content published by one account with another account.
+
* In her PhD dissertation ''Networked Disruption. Rethinking Oppositions in Art, Hacktivism and the Business of Social Networking ''(2011), Tatiana Bazzichelli describes how multiple identities have been used to disrupt the fundamental notions of power and hegemony on which Western culture is based, and how this works in the web today.
  
Most social networking sites will display our location if possible. This function is generally provided when we use a GPS-enabled phone tointeract with a social network, but we should not assume that this is not possible if we aren’t connecting from a mobile. The network ourcomputer is connected to may also provide location data. The way tobe safest about it is to double-check our settings. We should be particularly mindful of location settings on photo and video sharing sites, and not just assume that they are not sharing our location.
+
==== '''Managing collective identities... or simple collective accounts''' ====
  
Photos and videos can also reveal a lot of information unintentionally. Many cameras will embed hidden data ('''metadata''' tags), that reveal the date, time and location of the photo, camera type, etc. Photo and video sharing sites may publish this information when we upload content to their sites.
+
While the collaboration of many individuals can help create a rich collective identity, managing a collective project may have some security and technological challenges we should keep in mind.
  
If we use apps on mobile devices to access our social networks, it is better to use different apps for each account, so as not to post by mistake revealing contents with the wrong account. There are several apps to manage social networks: we just need to pick up one for each of our identities to reduce the risk of giving away our true identity.
+
Since a single weak link in a security chain can break the entire system, our security and anonymity depend on the precautions each member of our group takes. We may decide that we don’t want to be absolutely anonymous; that our close friends can know about our collective activities. The degree of security we may want to attain for our group depends on the possible threats we face and on our adversaries’ power and skills.  
  
Another trick to hide our trails is to publish from our various accounts at different times of the day. Some social networks, like Facebook, allow users to schedule the publication time of their posts, while for others, like Twitter, there are several apps that can do the job for us.
+
Nonetheless, there are some important things we don't want want to lose, like the password to our collective mailbox or to our group’s social networking accounts. If we decide that we are going to share those passwords with the whole group, each member needs to be trained on how to store a password securely.  
  
To schedule a post on Facebook, read:https://www.facebook.com/help/389849807718635
+
To minimise this kind of risk, we should try to use services that provide for different accounts and passwords whenever possible. For example, instead of using a single mailbox, we may create a mailing list that all the group members subscribe to. If we allow non-subscribed people to write to it, each group member will be able to read that e-mail in their own mailbox rather than in a collective one with a dangerously shared password.  
  
There are several apps to schedule a post on Twitter and other social networks, like Buffer – https://buffer.com – or Postcronhttps://postcron.com
+
Similarly, if coordination really needs to happen through Facebook, it is much better to share information in a dedicated group rather than do everything within a collective account.
  
Two further good hints for using social networks with multiple identities are to follow other people who could reasonably be considered the owners of our fake account, and to write (and hashtag on Twitter) posts about events that we are not attending, especially if they are taking place faraway from us, to further distance our personal identity from our pseudonymous identities. It may also be fun to publish and then delete posts that look like we have exposed our identity, so as to further confuse anyone who may try to track us down.
+
=== '''6. A different machine for each identity''' ===
  
Finally, whatever social network you decide to use, always read its terms of service to check if they suit your purposes well. And if you find them too complicated, you can check the website Terms of Service Didn’t Read (https://tosdr.org), where terms of service of many social networks and web services are easily summarized for common mortals.
+
If we use the same operating system for our several identities, no matter how carefully we separate our profiles we can still make a human mistake by, for example, connecting to a pseudonymous account through the browser profile we have assigned to our true identity, or get infected by a malware that allows our attacker to monitor everything we do online, with all our identities.
  
==== '''Alternative social networks''' ====
+
Both risks can be limited by using a virtual machine for each of our domains, and by reserving yet another virtual machine to opening untrusted attachments in order to avoid a malware infection.
  
For the sheer number of their users, mainstream commercial social networks like Facebook or Twitter are extremely useful if our aim is to publicize as widely as possible an event we are organizing or aproject we are launching. Nevertheless, when we advertise ourinitiatives, we should remember that these platforms have very strictterms of service that could justify their decision to terminate ouraccounts if they find that our contents infringe their rules.
+
As the name suggests, a virtual machine (VM) is basically a simulated computer with its own operating system, which runs as software on our physical computer. We can think of a VM as a <em>computer within a computer</em>. Installing and running a virtual machine is not very complicated, and there is very good documentation around. For our purposes of anonymisation, the best available option is to install '''Virtualbox''', an open-source, cross-platform virtual machine monitor (https://www.virtualbox.org). Using Virtualbox, you can create a virtual machine, and then run an operating system on it called Whonix.
 
+
Moreover, as is well known, with commercial social networks users are not the costumers, but the product, because they are profiled and sold to advertisers. If we add to this the ever-changing terms of service and policy and the interactions with other apps and features that make it very difficult to understand clearly what happens to our data, the best solution is to avoid commercial social networks as much as possible, and to limit their use to specific projects we want to publicize as much as possible.
+
 
+
But fortunately there are alternatives that give much more freedom to their users and don’t profile them in any way.
+
 
+
On of these, '''Ello''',explicitly states in its manifesto that “You are not a product” and has become famous, particularly in the trans community, for not requiring real names while Facebook started to strictly implement its “real name” policy.Consequently, its number of users has grown and this can be a good alternative to mainstream commercial social networks for achieving the critical mass of readers we need to spread our ideas and initiatives. Nevertheless, Ello is still a commercial project, and there are alternatives that are community-based,distributed rather than centralized, based on free and open-sourcesoftware and privacy-friendly. Among these, '''Diaspora'''(https://joindiaspora.com), '''Friendica '''(https://friendica.com)and '''Crabgrass'''(https://we.riseup.net) are especially worth mentioning.
+
 
+
 
+
 
+
Other similar sites may be popular in different regions, so you way wish to explore other options. Before choosing one you should consider the following points:
+
* Does        it provide connection over '''SSL'''        (like ''HTTPS'')        for all uses of the site, rather than just during login? Are there        no problems related to encryption, such as problems related to encryption certificates?
+
* Read        the End User Licence Agreement and Privacy Policy or Data Use Policy        carefully. How are your content and personal data treated? With whom        are they shared? For a useful add-on which helps users undestand the        Terms of Service of many popular sites, see '''Terms        of Service; Didn't Read'''        – https://tosdr.org
+
* What        privacy options are provided for users? Can you choose to share your        videos securely with a small number of individuals, or are they all        public by default?
+
* Do you know        the '''geographical        location of the servers''',        under which territorial jurisdiction they fall or where the company        is registered? Are you aware of how this information relates to the        privacy and security of your email activity and information?
+
 
+
=== '''6. A different machine for each identity''' ===
+
  
 
==== '''Whonix: compartmentalizing our identities through a secure virtual machine''' ====
 
==== '''Whonix: compartmentalizing our identities through a secure virtual machine''' ====
  
If we use the same operating system for our several identities, no matter how carefully we separate our different profiles, we can still make a human mistake, for example connecting to a pseudonymous account through the browser profile we have assigned to our true identity, or get infected by a malware that allows our attacker to monitor all we do online, with all our identities, and connect dots together.
+
'''Whonix '''(https://www.whonix.org) is an operating system that aims at protecting our anonymity, privacy and security by helping you to use your applications anonymously. A web browser, IRC client, word processor and more come pre-configured with security in mind. Whonix is a complete operating system designed to be used in a virtual machine. It is also free software, based on '''Tor''', '''Debian''' GNU/Linux and '''security by isolation'''.  
 
+
Both risks can be limited by using a virtual machine for each of our domains, and by reserving yet another virtual machine to opening fishy attachments in order to avoid a malware infection.
+
 
+
As the name suggests, a virtual machine (VM) is basically a simulated computer with its own OS which runs as software on our physical computer. We can think of a VM as a <em>computer within a computer</em>. Installing and running a virtual machine is not very complicated, and there is very good documentation around. For our purposes of anonymization, the best available option is to install '''Virtualbox''', an open-source, cross-platform virtual machine monitor (https://www.virtualbox.org), and to run Whonix in a virtual machine created with Virtualbox.
+
 
+
'''Whonix '''(https://www.whonix.org) is an operating system that aims at protecting our anonymity, privacy and security by helping us use your applications anonymously. A web browser, IRC client, word processor and more come pre-configured with security in mind. It is a complete operating system designed to be used in a virtual machine. It is Free Software and based on '''Tor''', '''Debian''' GNU/Linux and '''security by isolation'''.  
+
  
 
Whonix’s website offers a wide documentation, ranging from very clear installation and usage instructions to thorough recommendations on security and the risks we may run: https://www.whonix.org/wiki/Documentation
 
Whonix’s website offers a wide documentation, ranging from very clear installation and usage instructions to thorough recommendations on security and the risks we may run: https://www.whonix.org/wiki/Documentation
Line 460: Line 474:
 
A particularly secure live distribution focused on security and anonymity is '''Tails''', or '''The Amnesic Incognito Live System''', a free and open-source Debian-based Linux distribution that can be started on almost any computer from a DVD, USB stick, or SD card and forces all its outgoing connections to go through Tor, blocking direct, non-anonymous connections.
 
A particularly secure live distribution focused on security and anonymity is '''Tails''', or '''The Amnesic Incognito Live System''', a free and open-source Debian-based Linux distribution that can be started on almost any computer from a DVD, USB stick, or SD card and forces all its outgoing connections to go through Tor, blocking direct, non-anonymous connections.
  
When we launch Tails, we have a complete operating system that, just as Whonix, comes with several built-in applications pre-configured with security in mind: web browser, instant messaging client, email client, office suite, image and sound editor, etc. We can access the internet, communicate, and do all we need anonymously and securely and, after the computer is shut down, the system will leave no traces on the machine unless we ask it to do so.
+
When we launch Tails, we have a complete operating system that, just as Whonix, comes with several built-in applications pre-configured with security in mind: web browser, instant messaging client, email client, office suite, image and sound editor, etc. With Tails, we can access the internet, communicate, and do all we need anonymously and securely and, after the computer is shut down, the system will leave no traces on the machine unless we ask it to do so.
  
As with Torbrowser, it is not advisable to use the same Tails session to perform two tasks or endorse two contextual identities that we really want to keep separate from another, for example hiding our location to check our personal email and publishing a document on our pseudonymous blog.
+
When using different identities, it is not advisable to use the same Tails session to perform two tasks or endorse two contextual identities that we really want to keep separate from another, for example hiding our location to check our personal email and publishing a document on our pseudonymous blog.
  
 
The first reason is that Tor tends to reuse the same circuits, for example amongst a same browsing session, making it easier for a powerful adversary to correlate the several browsing requests as part of a same circuit and possibly made by a same user. Second, in case of a security hole or a misuse in using Tails or one of its applications, information about our session could be leaked. That could reveal that the same person was behind the various actions made during the session.
 
The first reason is that Tor tends to reuse the same circuits, for example amongst a same browsing session, making it easier for a powerful adversary to correlate the several browsing requests as part of a same circuit and possibly made by a same user. Second, in case of a security hole or a misuse in using Tails or one of its applications, information about our session could be leaked. That could reveal that the same person was behind the various actions made during the session.
  
''The solution to both threats is to shut down and restart Tails every time we are using a new identity'', if we really want to isolate them better.
+
T''he solution to both threats is to shut down and restart Tails every time we are using a new identity''.
 
+
  
 
==== '''Security by isolation: Qubes OS''' ====
 
==== '''Security by isolation: Qubes OS''' ====
Line 477: Line 490:
 
But while Whonix needs a virtual machine to run on and its main focus is anonymization, there is an operating system that has security by isolation as its main purpose and that can make life a lot easier to someone who manages several social domains and/or identities in her digital life.
 
But while Whonix needs a virtual machine to run on and its main focus is anonymization, there is an operating system that has security by isolation as its main purpose and that can make life a lot easier to someone who manages several social domains and/or identities in her digital life.
  
Called '''Qubes OS''' – https://www.qubes-os.org – and developed by computer security researcher Joanna Rutkowska, Qubes is a free and open-source security-oriented operating system based on '''Fedora''', a Linux distribution, and '''Xen''', a virtual machine monitor (or hypervisor), that allows us to separate the various parts of our digital life into securely isolated virtual machines. Qubes keeps the things we do on our computer securely isolated in these different VMs so that if one virtual machine gets compromised, the other won’t be affected. This way, we can do everything on a single physical computer without having to worry that one successful cyberattack harms our whole computer, potentially revealing all the connections among our several identities.
+
Called '''Qubes OS''' – https://www.qubes-os.org – and developed by computer security researcher Joanna Rutkowska, Qubes is a free and open-source security-oriented operating system based on '''Fedora''', a Linux distribution, and '''Xen''', a virtual machine monitor (or hypervisor), that allows us to separate the various parts of our digital life into securely isolated virtual machines. Qubes keeps the things we do on our computer securely isolated in these different VMs so that if one virtual machine gets compromised, the other won’t be affected. This way, we can do everything on a single physical computer without having to worry that one successful cyberattack harms our whole system, potentially revealing all the connections among our several identities.
  
 
A plus of Qubes OS for the purposes of multiple identities management is its user-friendly window manager, that assigns a different colour to each domain. Thus, the colour of the frame makes each window clearly recognizable as belonging to the domain corresponding to that colour and prevents potential human mistakes in the management of our identities.
 
A plus of Qubes OS for the purposes of multiple identities management is its user-friendly window manager, that assigns a different colour to each domain. Thus, the colour of the frame makes each window clearly recognizable as belonging to the domain corresponding to that colour and prevents potential human mistakes in the management of our identities.
Line 483: Line 496:
 
==== '''Tails, Whonix, Qubes OS: how to choose''' ====
 
==== '''Tails, Whonix, Qubes OS: how to choose''' ====
  
The three tools we have described in the last few paragraphs – Whonix, Tails and Qubes OS – all allow us to use a completely separate operating system for managing our alternate identities, and can be quite useful to make sure that we don’t reveal our true identity while we use the anonymous one(s). Still better, if we can afford it, would be to have a different machine for each of our identities, as well as an air-gapped one to store our most sensitive data. Of course, the choice depends on the resources we can dedicate to securing our digital life and on our threat-model, especially on the adversaries we expect to face: if we are pretty sure that in our country harassers work together with the regime to slander (or worse) people like us, we may want to be absolutely sure that none of our data is leaked and – if we have enough funds or are connected to a network of hacktivists – we may decide to ask for an expert’s help to check that we have taken all the necessary measures to keep doing an efficient work and to stop any ill-intentioned actors from tampering with our data; on the other side, if we feel sufficiently protected by our community and/or by our government, and we expect our adversaries not to be very skilled in technological matters, perhaps all we need is to separate our browser profiles and mailboxes and to keep developing a network of support for vocal women online.
+
The three tools we have described in the last few paragraphs – Whonix, Tails and Qubes OS – all allow us to use a completely separate operating system for managing our alternate identities, and can be quite useful to make sure that we don’t reveal our true identity while we use the anonymous one(s). Still better, if we can afford it, would be to have a different machine for each of our identities, as well as an air-gapped one to store our most sensitive data. Of course, the choice depends on the resources we can dedicate to securing our digital life and on our threat-model, especially on the adversaries we expect to face: if we are pretty sure that in our country harassers work together with the regime to slander (or worse) people like us, we may want to be absolutely sure that none of our data is leaked and – if we have enough funds or are connected to a network of hacktivists – we may decide to ask for an expert’s help to check that we have taken all the necessary measures to keep doing an efficient work and to stop any ill-intentioned actors from tampering with our data. On the other hand, if we feel sufficiently protected by our community and/or by our government, and we expect our adversaries not to be very skilled in technological matters, perhaps all we need is to separate our browser profiles and mailboxes, to use a secure HTTPS connection and some basic common sense and to keep developing a network of support for vocal women online.
  
 
If we think that using a different operating system is really necessary, or that it can be helpful to keep things logically and graphically separated (or we just want to explore all the possibilities we have for the fun of it!), we should assess our resources and our needs in order to identify the best solution for us.
 
If we think that using a different operating system is really necessary, or that it can be helpful to keep things logically and graphically separated (or we just want to explore all the possibilities we have for the fun of it!), we should assess our resources and our needs in order to identify the best solution for us.
Line 532: Line 545:
 
|"nice selection"
 
|"nice selection"
 
|"not many"
 
|"not many"
|"not many"
+
|"not many, and some, like Tor or Virtualbox cannot be installed at all"
 
|-
 
|-
 
|'''Persistence'''
 
|'''Persistence'''
Line 541: Line 554:
 
|}
 
|}
  
As we can see in the table above, '''Tails''' just needs a normal computer and a DVD or a bootable device to launch the system, but installing the system in this device, as well as having the DVD, USB stick or SD card actually boot in the computer we are using, can be tricky, and we may need some external advice. After that, though, using Tails is pretty easy, and if what we need to do with our alternate persona needs a focus on ''anonymization'', then it may be worthwhile to overcome the initial obstacle. Tails is a good option also if we have few resources, if we don’t have a computer of our own, or if we often use computers at internet cafes and want to be safer. One particular advantage of Tails is that after we have switched the computer off, we leave no traces and everything we have done vanishes into thin air. But if on the other hand we need ''persistence'', i.e. we want to keep some files we have created or downloaded in our USB stick or we have changed some system settings and want to keep them also in the future, we need to enable this option when we start the system. Furthermore, Tails is an established, respected project that has been developed for many years and is used by a wide community of people.
+
As we can see in the table above, '''Tails''' just needs a normal computer and a DVD or a bootable device to launch the system, but installing the system in this device, as well as having the DVD, USB stick or SD card actually boot in the computer we are using, can be tricky, and we may need some external help. After that, though, using Tails is pretty easy, and if what we need to do with our alternate persona needs a focus on ''anonymization'', then it may be worthwhile to overcome the initial obstacle. Tails is a good option also if we have few resources, if we don’t have a computer of our own, or if we often use computers at internet cafes and want to be safer. One particular advantage of Tails is that after we have switched the computer off, we leave no traces and everything we have done vanishes into thin air. But if on the other hand we need ''persistence'', i.e. we want to keep some files we have created or downloaded in our USB stick or we have changed some system settings and want to keep them also in the future, we need to enable this option when we start the system. Last but not least, Tails is an established, respected project that has been developed for many years and is used by a wide community of people.
  
If what we need is both anonymity and security by isolation and we have a good machine – https://www.whonix.org/wiki/System_Requirements – where we can run Virtualbox, installing '''Whonix''' in one or more virtual machines, according to the number of our alternative identities, seems a good solution that caters to all our needs and also offers an excellent documentation: https://www.whonix.org/wiki/Documentation. Nevertheless, Whonix, like Qubes Os, is a relatively recent project and the community using it is still rather small.
+
If what we need is both ''anonymity'' and ''security by isolation'' and we have a good machine – https://www.whonix.org/wiki/System_Requirements – where we can run Virtualbox, installing '''Whonix''' in one or more virtual machines, according to the number of our alternative identities, seems a good solution that caters to all our needs and also offers an excellent documentation: https://www.whonix.org/wiki/Documentation. Nevertheless, Whonix, like Qubes Os, is a relatively recent project and the community using it is still rather small.
  
'''Qubes OS''' is a good choice if we want to keep all our activities in our own computer without having to install anything else and if what we are trying to do is to effectively separate our identities rather than anonymize our activities in the web. It requires a very powerful computer – http://qubes-os.org/trac/wiki/SystemRequirements – and this can be a hindrance, but if we feel that we really need to protect ourselves against possible cyberattacks, the investment may be worth its while.
+
'''Qubes OS''' is a good choice if we want to keep all our activities inside our own computer without having to install anything else and if what we are trying to do is to effectively ''separate'' our identities rather than anonymize our activities in the web. It requires a very powerful computer – http://qubes-os.org/trac/wiki/SystemRequirements – and this can be a hindrance, but if we feel that we really need to protect ourselves against possible cyberattacks, the investment may be worth its while.
  
Finally, none of these tools protects us from every threat, and we shouldn’t look at them as a magic potion that will make us invulnerable. Nevertheless, by using any of them, according to our needs and resources, we will raise the level of effort that an attacker will need to harm us.
+
To sum up, none of these tools protects us from every threat, and we shouldn’t look at them as a magic potion that will make us invulnerable. Nevertheless, by using any of them, according to our needs and resources, we will raise the level of effort that an attacker will need to harm us, thus making an attack less likely.
  
 
For a wider comparison among these and other systems, go to: https://www.whonix.org/wiki/Comparison_with_Others
 
For a wider comparison among these and other systems, go to: https://www.whonix.org/wiki/Comparison_with_Others
 
=== '''7. Creating and maintaining a collective identity''' ===
 
 
==== '''Collective virtual personas''' ====
 
 
From General Ludd to Captain Swing, from the Guerrilla Girls to Luther Blissett to Anonymous, several groups and like-minded people have participated anonymously in historic protest movements or have created ground-breaking and provoking artworks or pranks attributing them to a collective pseudonym that, besides hiding their identity, has shrouded their feats in an aura of myth and almost magical power.
 
 
Several essays have been written on the topic, and the fascination of pseudonymity and shapeshifting has perhaps its roots in the dawn of humanity, but what counts is that we can choose to adopt a collective identity that already exists, like Anonymous/Anonymiss, or create a new one that we want to share with our own group or with the rest of the world.
 
 
A very interesting study on multiple identities online is anthropologist Gabriella Coleman’s book''Hacker, Hoaxer, Whistleblower, Spy. The Many Faces of Anonymous''(2014), based on an anthropological research on how Anonymous has become a well-known collective identity with multiple faces and attitudes.
 
 
In her PhD dissertation''Networked Disruption. Rethinking Oppositions in Art, Hacktivism and the Business of Social Networking''(2011), Tatiana Bazzichelli also describes how multiple identities have been used to disrupt the fundamental notions of power and hegemony on which Western culture is based, and how this works in the web today.
 
 
==== '''Managing collective identities... or simple collective accounts''' ====
 
 
While the collaboration of many individuals can help creating a rich collective identity that is even more credible, given the many character traits we can think up with an enthusiastic, imaginative group of people, managing a collective project may have some further security and technological challenges we should keep in mind.
 
 
As we stressed above, security is a chain, and a single weak link can break the entire system. Therefore, our security and anonymity depend on the precautions each member of our group takes. We may decide that we don’t want to be absolutely anonymous, that our close friends can know about our collective activities, and the degree of security we may want to attain for our group depends on the possible threats we face and on our adversaries’ power and skills. Nonetheless, there are some important assets we would certainly not want to loose, like for instance the password to our collective mailbox or to our group’s social network accounts. Therefore, if we decide that we are going to share that password with the whole group, we’d better train each member on how to store a password securely or make sure that they have learnt the password by heart and don’t keep it on a post-it next to their desk at work.
 
 
Whenever possible, we should try to use services that provide for different accounts and passwords. For example, instead of using a single mailbox for contact, we may create a mailing list that allows non-subscribed people to write to it and have all the members of the group subscribe to it, so that if someone writes to the group they can all read the e-mail in their own mailbox rather than in a collective one with a dangerously shared password. Similarly, if coordination really needs to happen through Facebook, it is much better to share information in a dedicated group rather than do everything within a collective account (which also risks to be deleted due to violation of the terms of service...).
 
 
Mailing lists are also very useful for communicating among many people without having to add all the addresses every time we write a new email in the hidden recipients (Bcc) or, worse and more dangerous, in the visible addressees (To or CC) fields. They are a versatile tools that is very user-friendly for those who subscribe (even if it requires some attention and basic knowledge on part of the list administrator). There are several services that offer mailing lists around the web, and we can open one or more also with autonomous servers'''Riseup'''([https://lists.riseup.net/ https://lists.riseup.net]) and'''Autistici/Inventati'''(https://www.autistici.org/en/services/lists.html<nowiki/>– also offering a dedicated newsletter service for groups that want to send regular news to a high number of recipients).
 
 
To learn more about how to manage a collective mailing list as a safe space, read "'''How to set up a Safe Space Mailing list?"'''in Part 2 of this booklet.
 
 
Another good tool for communicating with a group is the IRC chat, which has been used for a long time to coordinate projects online and is available in many different networks, like'''Freenode'''([https://freenode.net/ https://freenode.net]) or'''Indymedia’s IRC'''network (http://docs.indymedia.org/view/Sysadmin/IrcHowTo) and'''Mufhd0''', a network run by several autonomous servers including A/I (https://www.autistici.org/en/stuff/man_irc). The latter two also allow us to anonymize our connections through Tor.
 
 
==== '''Crabgrass: a social network for managing groups''' ====
 
 
But the most versatile tool for managing groups and collective projects is by all means[https://we.riseup.net/ https://we.riseup.net], a social network tailored specifically to meet the needs of bottom up grassroots organising that is based on the software libre web application'''Crabgrass'''and is hosted by the grassroots autonomous server'''Riseup'''.
 
 
Riseup’s Crabgrass platform offers both a secure HTTPS connection and encrypted data storage, and users and groups are free to choose what information they reveal about themselves. The offered tools include an email like messaging system for personal messages, public or private forums, wikis, task lists, decision making tools, a system for uploading and managing images, audio, and documents, and a customized home page where a group can list their event calendar, blog postings, and other public content.
 
 
Besides creating a common network among users, Crabgrass also allows group networking, as well as the possibility of creating subgroups and committees that correspond to the group’s organizational structure.
 
 
To learn more about the numerous possibilities offered by Crabgrass, visit the project’s page:https://we.riseup.net/crabgrass/about<nowiki/>and read this howto:https://info.securityinabox.org/default/communities/01/crabgrass-online-collaboration
 
  
 
[[Category:Resources]]
 
[[Category:Resources]]

Latest revision as of 15:01, 19 April 2018

Understanding and minimising our digital shadows

The internet is a great space to explore, learn, speak up, listen and communicate with people across the world. Unfortunately, the internet has also become a space where people who challenge the dominant discourse often find themselves under attack. These attacks can be very personal - enabled by the fact that there is often a lot of personal information about us on the internet.

To strengthen our defences against these kinds of attacks, it’s a good idea to start by our assessing our digital shadows. These shadows - can tell a story about us: who we are, where we live and hang out, what we are interested in, and who our friends and colleagues are.

This can expose us to several threats. In particular, it is the publicly available traces we leave behind that expose us to online harassment.

However, there are also many strategies and tools we can use to shape or control our digital shadows, to increase our privacy, and ultimately to be more secure, both online and offline - without being less vocal or reducing our activity online.

Some examples of these include controlling the amount of data we give away by consciously stripping valuable information from content and metadata; trying the art of self doxxing; and thinking about ways to play with and break up our online identity.


What is a digital shadow?

Our digital shadows can be defined as the stories data tells about us. These digital shadows are created by trillions of bits of data, digital traces we leave everyday when we connect to the Internet, our mobile phone and online services. Our digital shadows have a life of their own, are affected by others and change in unpredictable ways. Our digital shadows grow continuously, can be permanent and we have little control over them. These traces are a spectre of our past and present activities, which melt together in a permanent and ever-changing profile.

How are these trillion bits of data created? The devices and the software we use to browse the Internet, access websites, connect to social networking platforms like Facebook and Twitter, publish blog posts, receive phone calls, send SMS messages or emails, chat, or buy things online, all create specific bits of data about us. These bits of data can include our name, location, contacts, pictures, messages, tweets and likes, but also the brand of our computer, length of our phone calls and information about which websites we visit. These data traces can be put out there by ourselves as well as other people.

How do we share data? In some cases we actively share data – for example when we share photos on Facebook, book a flight ticket online or contribute to a wiki. Other people can also actively share data about us, by tagging us in pictures, mentioning us in tweets or simply by communicating with us. In other cases, we give away data without necessarily realising it, or consenting to it. Our browsing habits and IP address are shared when we visit a website by means of "cookies" and other tracking technologies, which are active in the background. These technologies are embedded in the websites we visit, and the information shared is collected for a wide range of purposes, from website analytics to advertising. Our mobile phone apps also collect data on us without our active knowledge or consent – for example, the photos we take usually have location data embedded in them. These tracking technologies enable web services to identify and follow us as we move from one service to another - from our internet browser to the IM (instant messaging) app in our smartphone, from downloading e-books in our readers to publishing pictures from the latest protest we have covered.

What is data? Data can be broken into three parts: content, metadata and noise. Content is the content of our messages, blogs, tweets and phone calls; it is our pictures and videos. Metadata is data about data, information that is needed for the technological infrastructure to work. Metadata enables our email to be delivered, help find files on our computer and permit mobile communication. Metadata can be our email address, phone number, location, time and date when a message was sent or stored. Noise is the data that is created by either the manufacturing process or by the workings of the infrastructure. For example, every camera has an SD card to record and store pictures. Every SD card has unique scratches that were created by the machines producing the SD cards. These scratches make small changes to the data that are not visible to the eye but can be recognized by computers.

Who is collecting our data, and why?

We might wonder about the importance of one picture or one message, or think there is so much data out there that nobody knows what to do with it. However, data collection and data analysis has become very sophisticated.

The data traces you leave are collected, analysed and sorted by various parties to create digital shadows, or profiles. Every time a new piece of data is collected, it can be identified and added to your profile. These profiles are ever-expanding, and give those who create them or who have access to them an immense insight into who you are.

Data is collected by companies, governments and individuals for a variety of purposes. It can be bought and sold; it can be used to control; or it can be used to create harassment strategies.

Our digital shadows or profiles can be used to gain insight into who we are, what we do and where we have been. This data can then be used to make predictions on what we might do or where we might be in future. For example, if someone knows that we are an outspoken blogger on gender issues in country x, they know that we will probably be present at a conference on blogging and women held in that country. Profiles can also give potential harassers the ability to harass us across different platforms.

Anyone could potentially have access to our digital shadow – including communications service providers, law enforcement agencies and commercial companies, as well as groups and individuals running their own servers. We can't know exactly what is happening to our digital shadow, and that itself is a problem.

However, there are tools and tactics we can use to manage our digital shadows and to limit their ramifications in terms of profiling and surveillance. This will be discussed in the rest of this section.

Exploring our own digital shadow

As we mentioned before, anyone can potentially access our digital shadow – including communications service providers, law enforcement agencies and companies, as well as groups and individuals running their own servers. We cannot know precisely what happens to our digital shadow and that itself is a problem. But there are tools and tactics to manage our digital shadow and to limit its ramifications in terms of profiling and surveillance.

Some good places to start are:

  • Exploring our individual digital shadow with Trace My Shadowhttps://myshadow.org/trace-my-shadow – a tool launched by Tactical Tech, accompanied by a website that offers a lot of tips on how to protect our privacy and control our digital shadow: https://myshadow.org
  • Identifying and materialising social networks across our online and physical activities: John Fass, researcher and designer at the Royal College of Art, has created some activities to materialise our social networks and browser history ' [insert link].'
  • Seeing through the eyes of our mobile phone by installing a tool called openpaths.cc. Some of our apps can see the same things. Read the Terms of Service carefully and explore if you can change the access settings in your phone. On an iPhone we can change the permissions for each app under its privacy setting.

Control the content and metadata you share

The good news is that we can partly control what content and metadata we give away.

When we publish content on the web, it is always a good idea to ask ourselves if what we are posting is public or personal and who could have access to it. Even if the information is connected to a public event and not to our personal lives, the names we mention or the images we upload may contribute to a picture about who we are, what we are doing, where we are doing it and so on. This could be used by people who wish to target us.

This does not mean that we should silence ourselves – by taking some basic measures, we can limit our risks by increasing the level of the effort that would be required to attack us or our contacts.

  • When sharing personal details about our life, we can use private profiles that can only be accessed by selected contacts. When using private profiles on commercial social media, we should be aware of the regular changes to the privacy policies of that platform. This can have an impact on how “private” our profiles are. There have been cases where privacy settings have been changed, exposing pictures, content and the conversations of private groups.
  • When writing or posting images about public events on the web and on publicly accessible social network profiles, we should ask ourselves if the information we spread about single individuals, places and other details could be used to identify and/or attack someone. It is always a good idea to ask for permission to write about individuals and perhaps also to post information on public events only after they are finished.
  • When giving personal information to a web service, it’s best to use HTTPS so that the communication channel is secure (see the section on security measures for more on this).
  • Use strong passwords, and use different passwords for each web service you use - if you you the same password for multiple services and someone intercepts your password for one of these services, they could use it to access your other accounts.
  • When registering a device or software such as Microsoft Office, Libre Office, Adobe Acrobat and others, not usingy our real name can help prevent the metadata created when using this device or software from being connected to you. You can also switch off the GPS tracker in your phone or camera.
  • Some file types contain more metadata than others, so when publishing contents online you can change files from ones that contain a lot of metadata (such as .doc and .jpeg) to ones that don’t (such as .txt and .png), or we can use plain text.
  • For editing or removing hidden data from PDF files, Windows or MAC OS users can use programs such as Adobe Acrobat XI Pro (for which a trial version is available). GNU/Linux users can use PDF MOD, a free and open source tool. However, it doesn’t remove the creation or modification timestamp, and it also doesn’t remove the information about the type of device used to create the PDF. 
  • You can prevent the tracking and collection of metadata through your browser by installing add-ons like Privacy Badger or Adblock Plus, as well as by monitoring our privacy settings and deleting cookies on a regular basis.
  • Using Tor will hide specific metadata like our IP address, thereby increasing our anonymity online.

Social domains

As security expert Bruce Schneier explains, “Security is a chain, and a single weak link can break the entire system”.

Each of us belongs to several social domains - our work or advocacy networks, our family networks, friends, and sports teams.

Some of these networks may be more secure than others. For example, we may tend to have a more secure communication practices for our work or advocacy activities, but less secure practices for interacting with friends on a social network. Areas where these domains intersect can turn into a threat to our security.

If we use a single identity in all our domains, it becomes easier to gather information about us and to identify our vulnerabilities. For example, if we reveal in a social network that we like a particular kind of game and that we download files with a p2p program like Emule, an attacker who wants to investigate our work or advocacy activities might trick us into downloading a game which is infected with spyware.

This attacker is interested in our advocacy activities, but knows that we have increased privacy and security measures for that part of our lives. The attacker also knows that our love of games is a digital weak spot as this network is not encrypted. Thus the attacker can exploit this part of our lives to gain access to another, more secure part.

This is only possible, however, if our work identity and our Emule profile can be connected to the same person; and this is why separating our social domains can be useful. More on how to do this will be addressed later on, when we talk about identity management.

Self-Doxing

Doxing (also written as "doxxing", or "D0xing", a word derived from "Documents", or "Docx") describes tracing or gathering information about someone using sources that are freely available on the internet. This method depends on the ability of the attacker to recognise valuable information about their target, and to use this information for their own ends.

Doxing is premised on the idea that "The more you know about your target, the easier it will be to find his or her flaws”.

Harassers and stalkers use several tools and techniques to gather information about their targets, but since these tools and techniques are mostly public and easy to use, we can also use them ourselves. "Self-doxing" ourselves can help us to make informed decisions about what we share online, and how. Of course, these same instruments can also be used to learn more than is immediately obvious about someone we have met online before we give them our full trust.

Methods used for doxing include exploring archives, yellow pages, phone directories and other publicly available information; querying common search engines like Google or DuckDuckGo (https://duckduckgo.com); looking for a person's profile in specific services; searching for information in public forums and mailing lists; or looking for images that the target has shared (and for instance may have also published in another, more personal, account). But it can also simply consist in looking up the public information on the owner of a website, through a simple "whois search" (see the section on "Creating a site of one’s own").

We can use these same tools to explore what can be easily found out about us by others.

Before we start exploring these web services and looking for our digital self, a good idea is to use anonymisation tools like Torbrowser.

Can we remove our digital past? Creating new identities

"Once something is on the internet it will stay on the internet, as the internet does not forget".

We may think that deleting certain sensitive data from social networks and web services may be enough to protect ourselves, but metadata cannot be deleted as easily. And using just one identity through our whole life - in all our work and personal domains - creates a bulk of information that could be used to profile or attack us.

One option to avoid this is to leave an old identity behind and create a new one or several new ones - one for each of our social domains. We might also choose to use our real identity in some areas, and our new alternative identities in others.

  • When we create a new identity, we should select the contacts for each one carefully, and avoid sharing contacts with other identities we use for different activities. This effectively creates separate social domains, with separate accounts, mail addresses, browser profiles, apps, and possibly even devices.
  • It's important to make sure that our various identities are not linked in any way to each other, or to our real identity. Remember that some of these connections can be tenuous: for example, did you sign up for a new, pseudonymous Gmail account using your real phone number?
  • Treating each of our extra identities as potentially disposable can be useful, as they can be discarded easily if it is compromised.
  • Disposable identities can be created for new acquaintances where appropriate – introductory profiles we can use to get to know somebody before we include them in a more trusted network.

To learn more about how to separate different identities into separate profiles, read the section on “Managing multiple online identities”.

Deleting identities

If we decide to separate our domains by creating multiple identities, one of the first decisions we should make is whether to delete or keep the identity or identities that we already have.

To do this, we can start by investigating the traces of our existing identity or identities. (for methods and tools for following your own digital traces, see "Exploring your digital shadow" and "Self-Doxing").

If we want to delete existing accounts:

Mapping our social domains

To separate our social domains, it's helpful to first map them out and identify which ones could expose us most to cross-domain attacks.

We can do this by thinking about our different activities and networks, and reflecting how sensitive each of these is. This will enable us to better separate the domains that are sensitive from those that are not.

Partitioning one’s digital life into separate social (or "security") domains requires some thinking.

Polish computer security researcher Joanna Rutkowska has worked extensively on this, to the point that she developed  a security-oriented Linux distribution based on the concept of “security by isolation” (called Qubes OS). In this system, each social domain is isolated in a separate virtual machine. While Rutkowska's scheme is quite sophisticated and focused on her operating system, it can give us interesting insights on how to start thinking about separating our domains.

The three basic domains Rutkowska identifies for herself are “work”, “personal”, and “red” (the untrusted, insecure area).

  • The work domain includes her work email, where she keeps her work PGP keys, where she prepares reports, slides, papers, etc. She also has a less-trusted “work-pub” domain for things like accepting LinkedIn invites or downloading pictures for her presentations. To add to this, she has a “work-admin” and a “work-blog” domain, in order to get a further level of security for managing her company’s servers and for writing on her blog.
  • The personal domain includes all the non-work-related stuff - such as personal email and calendar, holiday photos, videos, etc. She adds to this with a special domain called “very-personal”, which she uses for the communication with her partner when she is away from home. The couple uses encrypted mails to communicate, and she has separate PGP keys for this purpose.
  • The red domain, on the other hand, is totally untrusted. This is where her disposable identities or profiles belong. Rutkowska uses this domain to do everything that doesn’t fit into other domains, and which doesn’t require her to provide any sensitive information.
  • Besides these three main domains, Rutkowska has several other separate domains. One is dedicated to shopping, for accessing e-commerce sites. What defines this domain is access to her credit card numbers and her personal address (for shipping). Then there is the vault domain, the ultimately trusted place where she generates and keeps all her passwords (using KeePassX) and master GPG keys. Finally, she has a domain for all the Qubes development ("qubes-dev"), one for accounting, and another one for work archives.

Of course we don’t have to separate our domains in such a complex way, and using Qubes Os to keep them separated is just one solution – and one that requires a powerful machine to run on. Yet Rutkowska’s reflections on domain mapping can be an enlightening starting point to analyse our activities, and to separate our social domains for enhanced security.

2. Assessing risks and potentials: how to choose which online identity fits our purpose

"Real" or virtual identity?

Once we have identified our different social domains and the digital activities and contacts that go with them, what we need to do is decide if we want to differentiate our identities accordingly, or if we'd rather stick to our official name and true face for each of them.

We may want to keep our work connected to our legal or "real" identity, or think that our activism should be anonymous, but these are decisions that need to be thought about carefully.

For example, a journalist who finds it convenient to use her real identity for her writing may decide to stay in contact with her personal domain through a nickname, so that nobody can connect the two spheres together.

On the other hand, if an activist decides that she wants to use a pseudonym for her online activities, she should consider that she will be showing her face in all her connected activities in the real world, such as speaking at conferences or participating in demonstrations. Her online pseudonym will therefore be linked to her face; but her face could also be linked to her real name on social networks, and her online activist identity unmasked.

In assessing which identity to use in a given context, it's helpful to consider the following questions:

  • Would my job, livelihood or safety be at risk if my real identity were known in this context?
  • Would my mental health or stability be affected if my participation in X were known?
  • Would my family or other loved ones be harmed in any way if my real identity became known in this context?
  • Am I able and willing to maintain separate identities safely?

Once we have assessed our risk, we can then consider different strategies for separating our identities online. 

For more on assessing risk, visit: https://ssd.eff.org/en/module/introduction-threat-modeling  

Strategies for separating identities online

strategies for maintaining separate identities can range range full transparency to full anonymity.

Author Kate Harding talks about her decision to start writing under her real name, dismissing the recommendations that are generally given to bloggers to follow practices like “writing under a pseudonym, making that pseudonym male or gender-neutral if you’re one of them lady bloggers... masking one’s personal information, being circumspect about publishing identifying details, and not writing anything that might inflame the crazies”.

Instead of putting responsibility on women, Harding says, problems of harassment should be handled by society as a whole, including men. However, she also acknowledges that the decision is dangerous one. http://kateharding.net/2007/04/14/on-being-a-no-name-blogger-using-her-real-name

In "The Girl's Guide to Staying Safe Online," Sady Doyle writes that while becoming visible "creates a specific vulnerability", giving up on our online activities is exactly what the misogynists and harassers expect from us - and so the best way to ‘stay safe’ online may simply be to stay online. "After all: If there’s no one left willing to complain about the harassment, what are the odds that it’s going to change?” http://inthesetimes.com/article/12311/the_girls_guide_to_staying_safe_online

As such, we have several options available to us: We can attempt to participate online anonymously. We can use a "persistent pseudonym".  We can identify fully with our real or legal name, or we can divide our online lives, using our real or legal name sometimes and a pseudonym at other times. The following section will explore the pros and cons of each option, so we can determine which options are best for each one of us.

Anonymity

Total anonymity can be both isolating and difficult to maintain, but is useful in settings where we don't need to gain other people's trust, when there are few or no people we can trust, or when we don't want to expose others in our life to risks.

Anonymity may be a good choice in certain specific situations, such as researching or participating in message boards about health issues, or when sharing sensitive information. We may wish to set up a one-time account, using a pseudonym, to comment on a blog or news site, or a one-time email account or chat session to discuss sensitive information with others.

On anonymity, Vani, a human rights activist, writes: “I am a regular social network user. I voice my opinions on a range of topics. But I remain faceless and nameless”. speaks of their participation on social networks anonymously

But while anonymity is a good option in many situations, it can also be dangerous in some countries, where it can signal to the state police that the author thinks they are doing something wrong. This strategy can also be lonely: “Anonymity also isolates you”, a blogger writes. “Can you have a network to protect you and also be anonymous at the same time? Would visibility be a better strategy for you?”

Anonymity differs from "persistent pseudonymity". When we adopt anonymity as a strategy we may use pseudonyms, but these pseudonyms are not used across different networks or social domains, and some may only be used once and then discarded. For more information on how to be anonymous online, see Anonymizing tools.

Persistent Pseudonymity

Persistent pseudonymity involves using a pseudonym consistently over a period of time.

The Oxford English Dictionary defines a pseudonym as "a fictitious name, especially one used by an author." In the age of the internet, a pseudonym may also be referred to as a "nickname" or "handle", though the latter can also be tied to a person's legal identity. 

Jillian C. York, in a blog post for the Electronic Frontier Foundation, writes: "There are myriad reasons why individuals may wish to use a name other than the one they were born with. They may be concerned about threats to their lives or livelihoods, or they may risk political or economic retribution. They may wish to prevent discrimination or they may use a name that’s easier to pronounce or spell in a given culture." https://www.eff.org/deeplinks/2011/07/case-pseudonyms

Pseudonymous speech has played a critical role throughout history, says York. "From the literary efforts of George Eliot and Mark Twain to the explicitly political advocacy of Publius in the Federalist Papers or Junius' letters to the Public Advertiser in 18th century London, people have contributed strongly to public debate under pseudonyms and continue to do so to this day."

A pseudonym can be name-shaped (e.g., "Jane Doe") or not. At time of writing, some websites - including Facebook - require that users use their "authentic identity," which typically means using your legal name or the name by which you are commonly known. This policy has caused some users, such as a group of drag performers in California, to lose their Facebook accounts. If we choose to use a pseudonym on social networks, it is important to understand that a risk of doing so is being reported for using a "fake name" and having one's account deleted. A strategy for avoiding that is using a name-shaped pseudonym. https://www.eff.org/deeplinks/2014/09/facebooks-real-name-policy-can-cause-real-world-harm-lgbtq-community

Persistent pseudonymity also offers us visibility. Visibility allows us to network with others, and by pinning our voice to a particular name we can develop an online reputation. An online reputation allows others to decide whether we are worthy of trust, and is therefore a crucial aspect in trust-based online communities. Reputation can be developed by consistently using a nickname or pseudonym that can either be connected to our legal identity, or not. The choice to connect our online reputation to our "real" name should be taken individually, according to needs and context. 

It is also possible to maintain multiple pseudonyms (and reputations) for different purposes. For example, a person involved in the gaming community and LGBTQI rights activism may wish to maintain separate identities for each purpose, and can build trust within each community separately doing so.

Collective Identity

Another way to be anonymous is through collective participation. This could mean a number of things, from a private group or mailing list that puts out collective statements, to a shared Twitter account. While the same security concerns apply, working from behind a collective identity means having the power of the crowd behind you, and can be a good option if you don't wish to reveal your identity. 

Comparing strategies

Whatever choice we make, what is important is that we keep our domains effectively separated.

No matter how many domains we identify in our digital life, and how many corresponding identities we create, on the internet every identity - even the one bearing our real or legal name - becomes a “virtual” persona and should be managed carefully. 

The pros and cons of the various identity options:

Risk Reputation Effort
Real Name "+" "+" "-"
Total Anonymity "-" "-" "+"
Consistent Pseudonimity "-" "+" "+"
Collective Identity "-" "+" "+"
                                                                                                                              


Real name

  • Risk: Using your "real world" identity online means that you are easily identifiable by family members, colleagues, and others, and your activities can be linked back to your identity.
  • Reputation: Others can easily identify you; gaining reputation and trust is easier.
  • Effort: requires little effort.

Total anonymity 

  • Risk: can be beneficial at times, but can also be very difficult to maintain. Choose this option carefully.
  • Reputation: few opportunities to gain trust and reputation, or to network with others.
  • Effort: difficult; requires caution. Might also require the use of anonymisation tools (for example Tor.)

Persistent pseudonymity

  • Risk: Pseudonym could be linked to our real world identity.
  • Reputation: A persistent pseudonym that others can use to identify us across platforms is a good way to gain reputation and trust.
  • Effort: Maintenance requires some effort, particularly if we are also using our real name elsewhere.


Collective Identity

  • Risk: possible exposure of our real world identity.
  • Reputation: While not a way to gain individual reputation, you can still benefit from the reputation of the collective.
  • Effort: Although secure communications are still important, requires less effort than total anonymity.

4. Creating a new online identity

What’s in a name?

The practice of naming varies greatly from one culture to another. While names, in one form or another, have existed across cultures for milennia, the concept of a "legal name" is a fairly new one.

Different countries regulate the practice of naming in different ways; for example, in Morocco, names must be chosen from a government-approved list, while in Germany a name must be clearly reflective of the baby's gender.

On the internet, platforms that have "real name" policies tend to base this judgement on an individual's legal name, rather than allowing them to identify as they choose. This can be problematic, not only for individuals trying to remain anonymous, but also for transgender individuals, individuals with mononyms, and others.

Because of such restrictions, it can be beneficial to select a "name-shaped" name when choosing a pseudonym. If we want to use commercial social networks, it is better to use a credible name and surname rather than more imaginative ones. Many companies will require that we use both a first name and surname, or a name that doesn't contain any slang terms or profanities.

Once we have decided on a name, a surname, and a username for our virtual persona, we should do thorough research - perhaps also using doxing tools and techniques (see the section on Self-Doxing) - to find out if someone else is already using that name. After all, if we wish to develop our own reputation, we don’t want to be confused with someone else, especially if they don’t share our views of the world!

Writing our own story

The practice of “story telling” (and of creating a social mask, for that matter) is an old one, and creating a new persona with a story makes it a lot easier to maintain the role.

We can base our story on a “known” person’s story, a superhero, a fictional character from our favourite novel, or adopt a “group identity” like Anonymous/Anonymiss or the Guerrilla Girls. If we feel particularly inspired, we can invent a new story.

The main point is that when we create an identity we should conceive a whole virtual persona, an avatar that needs to be nurtured and developed in order to become credible.

This page offers some helpful tips for inventing a new identity: Roleplay

Creating a credible persona

A virtual persona or identity can't be just a name with a mail address and a series of web accounts. If we keep all our normal identifying traits - such as our gender, job, attitude or the way we write - it might be possible for someone to connect the dots and connect our pseudonymous personas with our real identity.

  • Linguistic fingerprint: One of the things to consider is our linguistic fingerprint. This could be identified through a so-called "stylometric analysis" using tools that are increasingly usable, even for non-experts, that make it possible to identify the author of a particular text. We can, for example, give away our real identity through our particular way of writing certain words, our typical typos, and our style and tone. To change this, we can start by using a spell-checker in our word processor to check for consistent typos. We could also think about adopting a different writing attitude. To keep it simple, we could adopt one simple rule for each persona, e.g. making them shout by only using capital letters, or be a low-talker with a lower-case style, or very excitable, with a lot of exclamation marks, or a spelling criminal, always putting apostrophes in the wrong place or mistyping words. What we decide to do with our writing style should match the character we choose for our new identity.
  • Work: To be sure that our pseudonymous avatar cannot be tracked back to us, our persona should have a job that is different from ours, but not so different that we don’t know anything about that field: for example, they shouldn’t be a surgeon if we don’t know anything about anatomy!
  • Skills and interests: Similar considerations should be made to select our persona's skills and the main topics they focus on and write about. These can, of course, overlap - for example a journalist who writes about national politics may have an alternative identity that talks about national politics as well, but only casually (and their main interest will be something different, like carpentry or feminism or food).
  • Psychological attitude: As for psychological attitude, a good rule of thumb is to give our persona depth by creating some "weak spots" - but choosing them carefully so that, if the weak spot is attacked, we are able to weather the strikes and even have some fun in the process. For example, if we have a very strong sense of humour, we could choose a severe lack of humour as our persona's biggest weakness, so that if that weakness comes under attack we can enjoy impersonating a humourless persona without really being psychologically harmed.

What is most important is to remember that on the internet, each one of our identities - even the one connected to our real name - is a “virtual” identity, and it is always better to decide what character traits we want to expose in each of them. Creating a somewhat fictional character can be a good idea even for our “real” online identity.

More about how to create a rounded character for our identities here: https://lilithlela.cyberguerrilla.org/?page_id=94049

Creating online profiles

Once we have created several personas, it's important keep them separate in both our physical and digital lives. While keeping notes on our identities might help ensure that we remember our story, there are technical measures we can take to make sure that our profiles stay separate.

A good start is to create different browser profiles, mailboxes and social network accounts for each of our identities. A good rule of thumb is to always use different apps for each account/identity and, if possible, to separate our identities per device or operating system (see 6. A different machine for each identity).

Creating separate browser profiles and mailboxes

Browser profiles: To create multiple profiles with Firefox, visit: https://developer.mozilla.org/en-US/docs/Mozilla/Multiple_Firefox_Profiles . For Google Chrome, visit: https://support.google.com/chrome/answer/2364824

Mailboxes: When creating a new mailbox, it is always a good idea to connect to the server’s website with Torbrowser and, if a contact email address is required, to think about using a disposable email address instead.

Disposable email addresses

For some activities and social domains we need to manage rounded personas, in order to gain a strong reputation and trust from other members of the community. In some cases, however, all we need is a disposable email address that we only need to use once or few times, for example for opening an account in an untrusted platform.

Even if we decide to have just one identity online, using disposable email addresses prevents sites from building up a history of our activities and ensures that if that account gets compromised we can simply delete it and create a new one, keeping our digital life intact.

  • Tools to generate personal details: Making the process of creating a disposable account easier, Fakena.me (https://fakena.me) is a privacy-oriented '"fake name generator" that provides everything for you - from a credible name, birth date and (US-based) address, to a user name and password and a link to the connected guerrillamail mailbox. Another similar service, called Instant Internet Decoy (https://decoys.me) creates convincing but entirely fictional people who have birthdays, locations in several countries, families and even answers to common security questions.
  • Using existing disposable email addresses: We can also make use of existing fake or disposable email accounts. BugMeNot(http://bugmenot.com) allows people to share their email logins and passwords created for platforms with free registration, for anyone to use.

Mail aliases

Another option is to create a mail alias - a different email address that is connected to our main mailbox. The advantages of this approach are that this email account will not expire, and if it gets compromised we can just dispose of it and create a new one. But of course if the alias receives a lot of spam, it will fill our main mailbox.

While not every mail service allows users to create mail aliases, this service is offered to every mail user of Riseup (https://we.riseup.net) and Autistici/Inventati (https://www.autistici.org), two secure, autonomous servers that are particularly focused on the right to privacy and anonymity.

Managing our identities on social networks

Note: When we use social networking platforms, we should always access them with a secure HTTPS connection.

  • When creating an account for a new persona on a social networking platform, use the browser profile you have created for that persona. Make sure to check the privacy settings so that you know what you are making public, who can see what you post, who can contact you, who can look you up and what your contacts can do (can they tag you in pictures? can they write on your "wall"?)
  • Also be very careful about the profile information you provide, as well as the profile picture and cover photo you use, as these are generally publicly available to anyone who looks for us in that social network, regardless of our privacy settings.
  • Make sure your contacts do not overlap with your other identities, and to make sure your different identities don't "follow" one another. It is particularly not a good idea to follow your pseudonymous personas with your real identity. If someone is looking to unmask one of these personas, the first thing they will look for is who the account follows, and who follows the account. For the same reason, we should avoid reposting posts or other content published by one account with another account.
  • Most social networking platforms will display your location where they can. This function is generally provided when we interact with the platform using a GPS-enabled phone, but it can also happen if we are connecting from other devices - for example the network our computer is connected to may also provide location data. It's always a good idea to double-check your settings - particularly on photo and video sharing sites.
  • Photos and videos can also reveal a lot of information without you realising it. Many cameras will embed metadata into your photos, which can include the date, time and location of the photo, camera type, etc. Photo and video sharing sites may publish this information when we upload content to their sites.
  • If we access social networking platforms via mobile apps, it is better to use a different app for each separate account, so as not to post something to the wrong account by mistake. There are several apps which can be used to manage your social networking platforms - it is, however, a good idea to use a different one for each identity, to reduce the risk of giving away your real identity.
  • It can be a good idea to follow, from our pseudonymous profiles, other people who might reasonably be considered the real owners of that profile. To further distance our real identity from our pseudonymous identities, we can also write (and hashtag on Twitter) posts under our pseudonymous profiles about events that we are not attending, especially if they are taking place far away from us. It can also be fun to publish and then delete posts that look like we have exposed our identity, so as to further confuse anyone who may try to unmask us.
  • Whatever social networking platform we decide to use, you should always read its terms of service to check if they suit your purposes. To get a summary of the terms of service of many social networking platforms (and other web services), go to the website Terms of Service; Didn’t Read (https://tosdr.org).

Alternative social networks

Mainstream commercial social networking platforms like Facebook or Twitter can be extremely useful if our aim is to publicise as widely as possible an event we are organizing or a project we are launching.

However, if you're using one of these platforms it is important to be aware that:

  • these platforms have very strict terms of service that could justify their decision to close our accounts if they find that our contents go against their rules (for more, read: http://www.aljazeera.com/indepth/opinion/2013/05/20135175216204375.html)
  • users of these platforms are profiled, and information is sold to advertisers. If we add to this the ever-changing terms of service and the interactions with other apps and features that make it very difficult to understand clearly what actually happens to our data, the best solution is to limit the use of commercial social networking platforms to specific projects we want to publicise to a wide audience.

There are also alternatives available - social networking platforms that give much more freedom to their users and don't profile them.

  • Social networking platform Ello explicitly states in its manifesto that “You are not a product”. It also does not require "real names" - a rarity amongst commercial social networks. It's important to be aware, however, that Ello is still a commercial project
  • There are alternatives that are community-based, distributed rather than centralized, based on free and open-source software and privacy-friendly. Among these, Diaspora (https://joindiaspora.com), Friendica (https://friendi.ca) and Crabgrass (https://we.riseup.net) are especially worth mentioning.
  • Other similar sites may be popular in different regions, so we way wish to explore other options.

Before choosing to use a social networking platform, we should ask:

  • Does it provide connection over SSL (like HTTPS) for all uses of the site, rather than just during login? Are there any problems related to encryption (eg related to encryption certificates)?
  • According to the platform's End User Licence Agreement, Privacy Policy and/or Data Use Policy, How is your content and personal data treated? With whom are they shared?
  • What privacy options are provided for users? For example, can we choose to share our videos securely with a small number of individuals, or are they all public by default?
  • Is the geographical location of the servers known? Under which territorial jurisdiction do they fall? Where is the company registered? How does this information relate to the privacy and security of our activity and information?

Creating a blog or website

Writing from our social networking accounts - especially if we have found a more privacy-friendly option - may be all we need to voice our opinions and to interact with a given network of people (or with several networks, if we are using different identities online). On the other hand, we may want a more independent platform to spread our ideas, plans or creations. For this we can create a website or a blog.

  • Creating a blog can be as easy as signing up to a blogging platform and choosing a name and a "theme" or visual template. There are several blogging platforms that are both user-friendly and free, including the open-source Wordpress (Wordpress.com).
  • If we want a complex graphic layout or need to install particular tools that are not offered by Wordpress and its plugins, we can create our own website. For this we need to get some space in a server through a webhosting service. There are many webhosting services out there, but since they generally aren’t free, the options to stay completely anonymous are reduced to creating a website with A/I, which by default does not connect the users of its services with real identities. To learn more about Autistici/Inventati’s webhosting service, visit: https://www.autistici.org/en/services/website.html
  • If we want to use our own domain name, bypassing payments and identifications may get difficult unless we use Bitcoin or another anonymous payment system. The personal data we will provide will not only be stored in the registrar’s internal archives, but by default will also be recorded in a database that can be easily queried by anybody through a simple command in a search engine (whois) or on several websites such as Gandi.net (https://www.gandi.net/whois). To avoid this, we can register our domain with the data of an association and use a prepaid credit card that is not connected to our own data (if available in our country). Alternatively, we can use a registrar like Gandi.net (https://www.gandi.net) that offers private domain registration for individuals whenever possible.

5. Managing collective online identities

Collective virtual personas

General Ludd, Captain Swing, the Guerrilla Girls, Luther Blissett, Anonymous - for centuries groups and like-minded people have participated anonymously in historic protest movements, or have created ground-breaking and provoking artworks or pranks under a collective pseudonym. Besides hiding the identities of the individuals involved, these collective personas have shrouded their feats in an aura of myth and almost magical power.

If we want to adopt a collective identity, we can adopt one that already exists, like Anonymous/Anonymiss, or create a new one that we can then share.

  • A very interesting study on collective identity is anthropologist Gabriella Coleman’s book Hacker, Hoaxer, Whistleblower, Spy. The Many Faces of Anonymous (2014), based on an anthropological research on how Anonymous became a well-known and powerful collective identity with multiple faces and attitudes.
  • In her PhD dissertation Networked Disruption. Rethinking Oppositions in Art, Hacktivism and the Business of Social Networking (2011), Tatiana Bazzichelli describes how multiple identities have been used to disrupt the fundamental notions of power and hegemony on which Western culture is based, and how this works in the web today.

Managing collective identities... or simple collective accounts

While the collaboration of many individuals can help create a rich collective identity, managing a collective project may have some security and technological challenges we should keep in mind.

Since a single weak link in a security chain can break the entire system, our security and anonymity depend on the precautions each member of our group takes. We may decide that we don’t want to be absolutely anonymous; that our close friends can know about our collective activities. The degree of security we may want to attain for our group depends on the possible threats we face and on our adversaries’ power and skills.

Nonetheless, there are some important things we don't want want to lose, like the password to our collective mailbox or to our group’s social networking accounts. If we decide that we are going to share those passwords with the whole group, each member needs to be trained on how to store a password securely.

To minimise this kind of risk, we should try to use services that provide for different accounts and passwords whenever possible. For example, instead of using a single mailbox, we may create a mailing list that all the group members subscribe to. If we allow non-subscribed people to write to it, each group member will be able to read that e-mail in their own mailbox rather than in a collective one with a dangerously shared password.

Similarly, if coordination really needs to happen through Facebook, it is much better to share information in a dedicated group rather than do everything within a collective account.

6. A different machine for each identity

If we use the same operating system for our several identities, no matter how carefully we separate our profiles we can still make a human mistake by, for example, connecting to a pseudonymous account through the browser profile we have assigned to our true identity, or get infected by a malware that allows our attacker to monitor everything we do online, with all our identities.

Both risks can be limited by using a virtual machine for each of our domains, and by reserving yet another virtual machine to opening untrusted attachments in order to avoid a malware infection.

As the name suggests, a virtual machine (VM) is basically a simulated computer with its own operating system, which runs as software on our physical computer. We can think of a VM as a computer within a computer. Installing and running a virtual machine is not very complicated, and there is very good documentation around. For our purposes of anonymisation, the best available option is to install Virtualbox, an open-source, cross-platform virtual machine monitor (https://www.virtualbox.org). Using Virtualbox, you can create a virtual machine, and then run an operating system on it called Whonix.

Whonix: compartmentalizing our identities through a secure virtual machine

Whonix (https://www.whonix.org) is an operating system that aims at protecting our anonymity, privacy and security by helping you to use your applications anonymously. A web browser, IRC client, word processor and more come pre-configured with security in mind. Whonix is a complete operating system designed to be used in a virtual machine. It is also free software, based on Tor, Debian GNU/Linux and security by isolation.

Whonix’s website offers a wide documentation, ranging from very clear installation and usage instructions to thorough recommendations on security and the risks we may run: https://www.whonix.org/wiki/Documentation

Tails: a live system that leaves no traces

Using virtual machines, Whonix in particular, is a good idea if we have our own computer where we are free to install whatever we want, especially if it is a powerful machine. But if we use an older box or just connect to the internet from cybercafes, installing a virtual machine becomes unsustainable. In this case, we may turn to a live Linux distribution, a USB-stick with a Linux operating system installed on it that runs in the computer we are using as soon as we switch it on.

A particularly secure live distribution focused on security and anonymity is Tails, or The Amnesic Incognito Live System, a free and open-source Debian-based Linux distribution that can be started on almost any computer from a DVD, USB stick, or SD card and forces all its outgoing connections to go through Tor, blocking direct, non-anonymous connections.

When we launch Tails, we have a complete operating system that, just as Whonix, comes with several built-in applications pre-configured with security in mind: web browser, instant messaging client, email client, office suite, image and sound editor, etc. With Tails, we can access the internet, communicate, and do all we need anonymously and securely and, after the computer is shut down, the system will leave no traces on the machine unless we ask it to do so.

When using different identities, it is not advisable to use the same Tails session to perform two tasks or endorse two contextual identities that we really want to keep separate from another, for example hiding our location to check our personal email and publishing a document on our pseudonymous blog.

The first reason is that Tor tends to reuse the same circuits, for example amongst a same browsing session, making it easier for a powerful adversary to correlate the several browsing requests as part of a same circuit and possibly made by a same user. Second, in case of a security hole or a misuse in using Tails or one of its applications, information about our session could be leaked. That could reveal that the same person was behind the various actions made during the session.

The solution to both threats is to shut down and restart Tails every time we are using a new identity.

Security by isolation: Qubes OS

There are three approaches to digital security: the first one is security by obscurity, which is based on encryption, strong passwords and similar measures and acts as a first line of defence, as a deterrent that will discourage random attacks but is not likely to stop someone who is directly targeting us; then there is security by correctness, whereby software developers try to get rid of bugs that make their code vulnerable. But modern software is very complex, and it is almost impossible to do this job perfectly. Therefore, the most pessimistic, and realistic, approach is security by isolation, which gives for granted that security measures can be vulnerable and focuses on harm reduction by stopping possible attackers from accessing the whole system that we want to secure.

In order to implement security by isolation, for instance, Whonix is divided into two parts: Whonix-Workstation, which is the system we access for our work, and Whonix-Gateway, which routes all internet traffic through Tor and, by being isolated from the workstation, averts many threats posed by malware, misbehaving applications, and user error.

But while Whonix needs a virtual machine to run on and its main focus is anonymization, there is an operating system that has security by isolation as its main purpose and that can make life a lot easier to someone who manages several social domains and/or identities in her digital life.

Called Qubes OShttps://www.qubes-os.org – and developed by computer security researcher Joanna Rutkowska, Qubes is a free and open-source security-oriented operating system based on Fedora, a Linux distribution, and Xen, a virtual machine monitor (or hypervisor), that allows us to separate the various parts of our digital life into securely isolated virtual machines. Qubes keeps the things we do on our computer securely isolated in these different VMs so that if one virtual machine gets compromised, the other won’t be affected. This way, we can do everything on a single physical computer without having to worry that one successful cyberattack harms our whole system, potentially revealing all the connections among our several identities.

A plus of Qubes OS for the purposes of multiple identities management is its user-friendly window manager, that assigns a different colour to each domain. Thus, the colour of the frame makes each window clearly recognizable as belonging to the domain corresponding to that colour and prevents potential human mistakes in the management of our identities.

Tails, Whonix, Qubes OS: how to choose

The three tools we have described in the last few paragraphs – Whonix, Tails and Qubes OS – all allow us to use a completely separate operating system for managing our alternate identities, and can be quite useful to make sure that we don’t reveal our true identity while we use the anonymous one(s). Still better, if we can afford it, would be to have a different machine for each of our identities, as well as an air-gapped one to store our most sensitive data. Of course, the choice depends on the resources we can dedicate to securing our digital life and on our threat-model, especially on the adversaries we expect to face: if we are pretty sure that in our country harassers work together with the regime to slander (or worse) people like us, we may want to be absolutely sure that none of our data is leaked and – if we have enough funds or are connected to a network of hacktivists – we may decide to ask for an expert’s help to check that we have taken all the necessary measures to keep doing an efficient work and to stop any ill-intentioned actors from tampering with our data. On the other hand, if we feel sufficiently protected by our community and/or by our government, and we expect our adversaries not to be very skilled in technological matters, perhaps all we need is to separate our browser profiles and mailboxes, to use a secure HTTPS connection and some basic common sense and to keep developing a network of support for vocal women online.

If we think that using a different operating system is really necessary, or that it can be helpful to keep things logically and graphically separated (or we just want to explore all the possibilities we have for the fun of it!), we should assess our resources and our needs in order to identify the best solution for us.

Comparison between Tails, Whonix and Qubes Os:

Tails Whonix Qubes OS
Required hardware/software "x86 compatible and/or Virtual Machines; DVD, USB stick, or SD card for booting the system" "x86 compatible pc with VirtualBox" "a powerful pc capable of running Qubes OS"
System requirements "lowest" "high" "highest"
Difficulty to install "medium" "medium" "easy"
Difficulty to configure "low" "medium" "high"
Learning curve "low" "low" "high"
Anonymization by default "yes" "yes" "no"
Security by isolation "no" "yes" "yes"
Pre-installed applications "nice selection" "not many" "not many, and some, like Tor or Virtualbox cannot be installed at all"
Persistence "no (available option)" "yes" "yes"

As we can see in the table above, Tails just needs a normal computer and a DVD or a bootable device to launch the system, but installing the system in this device, as well as having the DVD, USB stick or SD card actually boot in the computer we are using, can be tricky, and we may need some external help. After that, though, using Tails is pretty easy, and if what we need to do with our alternate persona needs a focus on anonymization, then it may be worthwhile to overcome the initial obstacle. Tails is a good option also if we have few resources, if we don’t have a computer of our own, or if we often use computers at internet cafes and want to be safer. One particular advantage of Tails is that after we have switched the computer off, we leave no traces and everything we have done vanishes into thin air. But if on the other hand we need persistence, i.e. we want to keep some files we have created or downloaded in our USB stick or we have changed some system settings and want to keep them also in the future, we need to enable this option when we start the system. Last but not least, Tails is an established, respected project that has been developed for many years and is used by a wide community of people.

If what we need is both anonymity and security by isolation and we have a good machine – https://www.whonix.org/wiki/System_Requirements – where we can run Virtualbox, installing Whonix in one or more virtual machines, according to the number of our alternative identities, seems a good solution that caters to all our needs and also offers an excellent documentation: https://www.whonix.org/wiki/Documentation. Nevertheless, Whonix, like Qubes Os, is a relatively recent project and the community using it is still rather small.

Qubes OS is a good choice if we want to keep all our activities inside our own computer without having to install anything else and if what we are trying to do is to effectively separate our identities rather than anonymize our activities in the web. It requires a very powerful computer – http://qubes-os.org/trac/wiki/SystemRequirements – and this can be a hindrance, but if we feel that we really need to protect ourselves against possible cyberattacks, the investment may be worth its while.

To sum up, none of these tools protects us from every threat, and we shouldn’t look at them as a magic potion that will make us invulnerable. Nevertheless, by using any of them, according to our needs and resources, we will raise the level of effort that an attacker will need to harm us, thus making an attack less likely.

For a wider comparison among these and other systems, go to: https://www.whonix.org/wiki/Comparison_with_Others