This is a WIP guide on keeping your secret identity a secret online, hiding it completely, and how to prevent yourself from being doxxed.
There are many, many ways a person can reveal personal information about themselves and even more ways to do so without even realizing it. This makes it all too easy for an attacker to piece together bits of information about you, pulling them all together to find out your name, where you live, work, go on vacation... Things you do not want out there in this line of work, especially if you have angered the government with political activism (like if you live in Hong Kong and have been protesting), or angered a few too many gang members with your reporting their activities to the police.
So let us begin.
Your secret identity should preferably not have a social media presence at all. Social media like Facebook is one of the prime places someone investigating you would look for your information. Facebook is a biggie, as it can be more difficult for those who aren't familiar with the ever-changing privacy settings to hide their details. So if you want to hide, avoid having your secret identity on Facebook or any other social media. "But, I want to talk with folks about video games or my cat without using my persona! How can I do that?" Well, you could use a fake name or internet handle that has nothing to do with your RL information or your persona. For better privacy, use a different one for each service. Don't link them.
Don't use your Facebook or Gmail account to login to things. Yes, it's convenient, but it's also invasive.
What if you already have social media under that name? Well, you should quite frankly delete them. Not deactivate, completely delete. See if you can use GDPR to your advantage.
And if you still want to keep the social media up? Do not add yourself on your persona's account! Do not let them mix, no common friends, any of that! That would be one of the worst things you could ever do.
First off, always use a VPN. You can get them for free and even on your mobile devices. This will not only hide your IP address but secure your connection if you hook up to public WiFi hotspots. Make sure that it is running at all times. Set it to start running on boot, and if your laptop is set to put apps to sleep in Sleep Mode, be sure to check and be 100% sure it's on and connected before opening a browser window. Do not neglect your mobile device here.
ProtonVPN - This is the best VPN hands-down. Don't bother paying a subscription unless you plan to use P2P like torrenting things, but in that case, you can use the Split Tunneling option in Settings to exclude the torrenting app. Split Tunneling is also good for excluding programs that croak on a VPN connection, but be extremely careful with this.
Never use Skype under any circumstances. It is way too easy to get a person's IP address from just the username.
Okay, so you can't be 100% unhackable, but you can sure as hell make it extremely difficult. You have many options to choose from here, and I'll be listing them below.
Using a password manager can help you big-time. Having a complex and unique password for every online account makes it so that it's A) Hard to guess your password or brute-force it, and B) If one account is breached, they can't get into anything else.
Bitwarden - Free. Has apps on Windows, Mac, Linux, iOS, and Android as well as extensions for most browsers.
2 Factor Authentication
This is a must. Not every service has this, but where available, use it. This way even if your password is leaked, someone can't get in the account without passing that check. Stick with apps or a physical key rather than using a phone number, as phone numbers can be SIM swapped.
There are many options for encryption algorithms. Some of them have been compromised permanently so it is important to do research. Some government agencies like the CIA and NSA participate in the creation of new encryption standards. They are occasionally known to be in possession of backdoors into algorithms that were publicly touted as secure, but they have also participated in the strengthening of some algorithms. The question of whether the general public deserves access to encryption standards that are unbreakable even by governments is a contentious one. Whichever side you fall on, it is important to remember that not everything that is supposed to stay in the hands of the government always does.
Diffie-Hellman is broken. AES 256-bit is the currently accepted unbroken standard. Longer keys are theoretically more secure for any particular algorithm. However, the complexity and logistical cost involved with extremely long encryption keys should be considered as a limiting factor. PGP which is reliant on RSA is also considered secure. A properly configured and used one-time pad should theoretically be unbreakable. Note: 'Theoretical' is the only type of unbreakability that can ever be hoped for with encryption, because the weakest link in any security chain is always the human one.
Advances in quantum computing are promisingly looking to break many different kinds of encryption in the coming years. Hopefully, the researchers that choose to break these algorithms will engage in proper disclosure and notification procedures, and we will retain some kind of strong encryption capabilities in the coming years. An individual's degree of right to privacy is certainly a matter of valid political debate, but the dependence of critical national infrastructures like nuclear, power and water networks on unbroken encryption means that some form of its continued existence is probably an important guardian against major mass extinction events.
This one is more tricky. In order to hide your address, you may need to move entirely. Do not tell anyone this address. Do not have mail sent to this address. Use General Delivery. This is more secure than a P.O. box because it cannot be traced to your exact home location.
Never tell anyone your address or the area where you live. A city is fine but a city should be the only thing people know and it isn't mandatory, and depending on your casework, not preferred.
Never send packages to anyone in the mail. This should be obvious.
Never give out your real phone number and always call the police with a fake phone number. If you can access a voice changer, always use one in calls you feel you may be recorded in. If you have the option then turn off your caller ID.
- Don't tell your friends and family what you do unless they're in on the operation. They don't deserve to know because what they know will make them a target.
- Keep your life separate from your work. Associate with different people and never mix the two under any circumstances.
- Trust absolutely no one with anything you feel could endanger your identity regardless of how trustworthy you feel they could be.
- Keep your circle small.
- If you are part of any fandoms, don't mention them as your persona.
- All the information you give has to be on a need-to-know basis. That includes things ranging from what car you drive to your favorite breakfast cereal. You can't be manipulated into giving more personal data if they can't find a way in. And they will try to find a way in.
- Always use fake names.
- If you've ever used your real name online and people know it then you already aren't safe.
- Never send emails with Gmail, Yahoo, or other social/mainstream email addresses. Always use ProtonMail or other services like it.
- Never click on any links regardless of how official or real they look. Google or otherwise search for the results yourself.
- Always report anonymously.
- Avoid news coverage.
- Avoid getting into trouble with the police. If the police are investigating you while you present them with a tip or during an investigation, cut them off completely. That's why fake phone numbers are so important. You might have to change your phone number.
- Never download any files from anyone.
- Never have anything in any pictures you take that can be used to identify anything about you or where you live. Always check, double-check, and triple-check photos before posting or sharing them anywhere.
- Always process your pictures through other things before uploading them to get rid of the EXIF data. This means send them to yourself on Facebook Messenger or Discord or use a program to scrape away the data that could be used to track you.