Twitter is in the news again with another security breach, this one exposing 235 million users’ email addresses, phone numbers, and Twitter handles. This seems like a good opportunity to talk about what you can and should do to protect yourself if you need to maintain anonymity online.
The basic rule is this: if you need to be anonymous online, you cannot give enough info to any single service to compromise that anonymity in the event of a breach.
In other words, you can’t give the service a phone number or email address that other people can trace back to you. If the service requires a phone number to set up your account, use an online service to get a temporary, disposable number, then set up real 2FA (e.g., a security key or TOTP; also make sure to generate and save the recovery codes!) and remove the phone number. Removing the number matters for two reasons: it can’t leak in a breach if the service no longer has it, and disposable numbers get recycled, so whoever gets that number next would otherwise receive your SMS codes and password-reset texts. Once the number is gone, the recovery codes are your only way back in if you lose the 2FA device, so store them somewhere safe.
For the email address, create a new email account somewhere and use it only to sign up for the service, i.e., never send any email from it and never give it out to anyone.
If you follow these steps, then the breach of a single service won’t compromise your anonymity. However, depending on how important it is for you to stay anonymous, that may not be good enough. Here’s how to be even more paranoid if you believe it’s necessary.
From least to most paranoid…
- Don’t use the same anonymous email account for multiple services. Instead, create a separate email account to sign up for each service, so that breaches at multiple services don’t allow anyone to correlate your identities across them.¹
- Don’t configure the email account to forward to your real address, because if the email provider is breached, the forwarding rule links the anonymous account directly to your real address. You’ll have to log into the email account directly whenever the service sends you email that you need to read.
- Don’t log into the temporary phone number service or the anonymous email account from an IP address that can be traced back to you. Use a reputable VPN with privacy guarantees so that the IP address your logins come from is shared by many other people and can’t be traced back to you.
- But of course then if the VPN service is breached, or it’s actually a front for a criminal enterprise or state actor, your anonymity is compromised right there, so maybe only log into the temporary phone number service or the anonymous email account over a public wifi network, not from your home or business.
- But wait, if you’re worried about your IP address being linked to the temporary phone number or anonymous email account you used, then shouldn’t you also be worried about it being linked directly to the service where you’re trying to remain anonymous? Yes, so if you’re this concerned about protecting your anonymity, you may also wish to only log into this service from public wifi.
The last three bullet points above, about preventing your IP address from being used to correlate your identity, are mostly (but not entirely) irrelevant to run-of-the-mill data breaches, since the user databases stolen in such breaches often omit IP addresses (though some do include a registration or last-login IP). They are more relevant if you’re worried about protecting your identity from the government, which can subpoena those IP addresses from the service, the email provider, and the VPN. Whether that’s something you need to worry about is your call.
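To make the correlation threat concrete, here is an added example (not part of the original post) of how an analyst, or an attacker sitting on several breach dumps, links accounts across services: any two records that share a non-empty email, phone number, or (optionally) last-login IP are joined, and the joins are transitive. The records are constructed for illustration and the service names, handles, and addresses are placeholders; the point is that reusing one anonymous email across two services merges them into one identity, while the IP column shows why the “more paranoid” steps exist.

```python
# Added example: linking accounts across breach dumps by shared identifiers.
# All records below are constructed for illustration, not from any real breach.
from collections import defaultdict

# Each record: (service, handle, email, phone, last_login_ip).
# An empty string means the service did not store that field
# (e.g. the phone number was removed after setting up real 2FA).

# Scenario 1: the same anonymous email was reused at two services, and the
# Twitter account was used from the same home IP as a real-name shopping account.
REUSED = [
    ("twitter", "anon_bird",   "throwaway42@example.org", "",          "203.0.113.7"),
    ("forum",   "quietposter", "throwaway42@example.org", "",          "198.51.100.9"),
    ("shop",    "jsmith",      "john.smith@example.com",  "+15550100", "203.0.113.7"),
]

# Scenario 2: one dedicated email per service (the footnoted advice in the post).
SEPARATED = [
    ("twitter", "anon_bird",   "t-only-9f3a@example.org", "",          "203.0.113.7"),
    ("forum",   "quietposter", "f-only-2b7c@example.net", "",          "198.51.100.9"),
    ("shop",    "jsmith",      "john.smith@example.com",  "+15550100", "203.0.113.7"),
]


def correlate(records, use_ip=False):
    """Return the clusters of accounts that can be linked to one another.

    Accounts are named "service:handle". Two accounts are linked if they share
    a non-empty email or phone number; with use_ip=True a shared last-login IP
    links them as well (the data a subpoena to the service or ISP could yield).
    Linking is transitive, so A~B and B~C puts A, B and C in one cluster.
    The result is a sorted list of sorted tuples, so it is easy to compare.
    """
    parent = {}  # union-find forest over account names

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps trees shallow
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    columns = [2, 3]  # email, phone
    if use_ip:
        columns.append(4)  # last_login_ip

    for idx in columns:
        by_value = defaultdict(list)
        for rec in records:
            account = f"{rec[0]}:{rec[1]}"
            find(account)  # register the account even if nothing links it
            if rec[idx]:  # skip fields the service did not store
                by_value[rec[idx]].append(account)
        # Every account sharing the same identifier value is joined together.
        for accounts in by_value.values():
            for other in accounts[1:]:
                union(accounts[0], other)

    clusters = defaultdict(set)
    for account in list(parent):
        clusters[find(account)].add(account)
    return sorted(tuple(sorted(c)) for c in clusters.values())


if __name__ == "__main__":
    for label, data in (("reused email", REUSED), ("separate emails", SEPARATED)):
        print(f"{label}, breach data only: {correlate(data)}")
        print(f"{label}, plus IP logs:     {correlate(data, use_ip=True)}")
```

With only the breached email/phone columns, the reused address collapses the Twitter and forum accounts into one cluster while the separate addresses keep all three apart. Adding the IP column links the anonymous Twitter account to the real-name shop account in both scenarios, which is exactly the linkage the public-wifi advice above is meant to prevent.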
One more thing: use an ad/tracker blocker in your browser on your computer and phone. uBlock Origin and Blokada are good choices, but there are others.
¹As SpyBlog points out, many free email services have inactivity timeouts, i.e., your account is deleted if you don’t log in for a long time. You therefore probably need to keep a list somewhere secure of the free email accounts you’ve created, and log into each of them and send a message from the address to itself about once every six months to keep them alive.