Thursday, 9 October 2008

How to be pseudonymous online (& off): tips






This summarises (with links) my presentation on practical tips for staying pseudonymous, which I gave at BarCampLondon5 and Social Media Camp London 08.

I was surprised but pleased that Zoe Margolis (Abby Lee / Girl with a One Track Mind) came to my #smclondon08 session, agreed with my key points and said she wished she'd known some of these points before! (See my separate post on her session "Social Media - How Not to Get Fucked".)

Here's an edited version of my slides:

As regular ACE readers know, I'm not really anonymous - just pseudonymous. "Improbulus" is the pen name I use for this blog and also as my nick in the geek community.

So by "pseudonymous" I don't mean "anonymous" or being totally unknown - I just mean, being known by a name other than the name on your birth certificate (aka "real name").

To me, being pseudonymous includes being contactable and available under your pseudonym (phone, email, postal address etc) - but in such a way that, hopefully, your real name isn't revealed or easily discoverable.

This post gives some tips on how to do that, based on my own experience - it's nothing to do with how to surf the Web anonymously, in case anyone was wondering.

Rule no. 1 of staying pseudonymous: Don't go out in person as your pseudonym, except in disguise!

Obviously, I've already broken this rule as I've gone to lots of geek events as "Improbulus"; that's because if my real identity were known it wouldn't be that big a deal to me.

I don't really mind if the geeks I meet know my real name; actually it's the other way round, it would be more of an issue for me if colleagues or family knew I was "Improbulus". But it's not insurmountable, so I choose to socialise, even though it greatly increases the risk of my being identified, rather than just hide behind my computer.

Still, if you don't want to take that risk, don't go out publicly as your pseudonym.

Why be pseudonymous?

Everyone has different reasons for wanting to be pseudonymous.

I've previously detailed my own reasons why I blog anonymously (or pseudo-anonymously) so I won't repeat them here - in a nutshell, for me personally, being pseudonymous gives me the freedom to say what I really think without the risk of being put under pressure to say (or to not say) certain things.

That doesn't mean I'm not accountable for my writings, however. If they don't like or disagree with what I say, other people are entirely free to post comments on my blog; write their own blog posts about it or email me, etc; I've even provided a phone number and postal address in my sidebar (and hopefully I won't get sent anything too nasty; chocolates or nuts count as not nasty!). If really aggrieved, they could always try to lynch me in person at a geek event.

So, in my case at least, being pseudonymous doesn't stop me from being fully responsible and answerable for what I say and do with this blog.

(Do I have authority or authenticity? That's a different matter, and definitely for another post. I'd argue that my content speaks for itself - if my reviews and problem solving tips help someone, they won't care what my name is, just that what I say works. If what I say doesn't work, people will stop following my suggestions or trusting my reviews. If my silly humour makes someone laugh, great. If not, they can stop reading my blog. My identity is irrelevant to those aspects.)

Rule no. 0 of staying pseudonymous: It's impossible!

The most important point to bear in mind about trying to stay anonymous or pseudonymous is: you can't. There is no absolutely foolproof way to guarantee that no one will ever be able to find out your real identity.

If someone, somewhere, knows the real name behind an online pseudonym (e.g. a blogger's ISP could track the blogger down), you can never be sure that they won't give you up. Even if "outing" you would be morally or legally wrong, there'll be someone who can and will do it if enough money is thrown at them or they're offered some other really attractive incentive, especially if they think they're not likely to be found out.

Two examples that spring to mind of anonymous bloggers who were found out (and I really didn't know Zoe was going to come to my session when I picked her as an example!):

  1. sex blogger “Abby Lee” (blog "Girl with A One-Track Mind") - now known to be Zoe Margolis; to this day Zoe doesn't know who it was who outed her; she had even had a lawyer draw up confidentiality agreements.
  2. patents blogger Patent Troll Tracker - Cisco lawyer Rick Frenkel, who outed himself after someone else threatened to do so following the offer of a “bounty” for his identity.

Belle de Jour has maintained her anonymity - so far. Zoe mentioned during my session that this might be because she'd used a company run by her agent to sign the contract, rather than doing so herself.

I agree that there are extra layers of precautions you can add to try to protect yourself, and if anonymity is vital to you then you should get a good lawyer and tell them so, and they should be able to structure something better (using companies incorporated in Mauritius by the way seems pretty good on that front, as it's tough to find out who owns or runs them!)

But at the end of the day, the more people who know your real identity the greater the risk, and you have to be able to trust all those people - in my view that's all it boils down to, ultimately.

If you want to blog pseudonymously, the best that you can do is:

  • make it just that bit harder for people to track you down; and
  • try not to give them any reason to want to out you (at my BarCampLondon5 session, one person remarked about a blog he read that the pseudonymous writer always gave accurate information and didn't try to do down anyone, so he had no reason to care what her real name was, and he didn't!)

Next up: my practical tips on how to (try to) stay pseudonymous.

Remember, it involves effort and hassle - so you may not want to, depending on what you write about, or you may do what I do which is a sort of halfway house (but I don't really try as hard as I could).

Name - pick a pseudonym that sounds like a real name

If I were starting a pseudonymous blog today, I'd use a name that sounds like a real name, e.g. "Jane Smith" (OK, maybe not "Jane Smith" or "Jane Doe"!).

If you give your name as "Susan Jones" (or whatever), 99.99% of the time (particularly at geek events) people will take that as face value; they certainly won't ask for ID to prove that you really are "Susan Jones", not unless they're a bank you're trying to start an account with or the like.

But if you say your name is "Improbulus", then sure as night follows day you'll get asked "So what's your real name then?"

Face

Online - avoid a photo of yourself going on the Web that's associated with your pseudonym.

Don't use a real photo of yourself on your blog, obviously. Use a disguised or tweaked version (as I did when this blog was with the Corante Web Hub) or a cartoon or drawing, etc, like my "photo" in this blog's sidebar. There's a bit of a resemblance to the real me (it's the red eyes, innit), but it's mostly unrecognisable...

In person - see rule no. 1! Safest to avoid going out in person as your pseudonym, but if you have to be seen, it's really not practical going out in disguise (unless it's a masked ball) so try to avoid photos or videos being taken of you and posted online.

I tend to duck or turn my face away when I see photos being taken or videos being shot, but it's really not very realistic and I can't always do it - but as mentioned I'm not as fussed as some about being identified or I wouldn't. Group shots aren't as bad as hopefully you're lost in the crowd. For close ups again I try to avoid being photographed or videoed, and if I know the photographer I'll ask them to blur or cut me out of the published version.

The main thing though is to try to ensure that any photos or videos or movies of you which get uploaded to the Net, especially when you're the only person in the pic, don't get tagged with your pseudonym - because then of course it's much easier for someone who knows your real identity and sees it to say, "But that's not Improbulus, that's X!".

Also, watch out for tags with your pseudonym being added to any photos of you on Facebook, Flickr etc, and try to get them removed ASAP. (You can get notification on Facebook when someone tags a photo with your name.)

Voice

In person - if you're out and about as your pseudonym despite rule no. 1, try to avoid being recorded, especially if you have a distinctive voice as I do.

That's why I didn't give presentations at BarCamps (though I helped out in other ways) till recently, and even so I asked the attendees not to record it though if they wanted to blog it they could.

I thought about going out wearing a Cyberman helmet which has a voice changer built in, as that would solve the "Face" issue too, but y'know you could still hear my real voice through it. So I returned it to the shop.

Online - e.g. public Skype conference calls, or narration for videos - you can use a voice changer or voice morpher. I use Screaming Bee's free MorphVox Junior. That's the voice you hear on a couple of my YouTube videos (BBC iPlayer preview, and How to convert MP3 files to video, if you must know!); and for fun here are demos of the 3 "voices" available with MorphVox Junior (in the 2nd example actually I sound more like Julian Clary than anything else, but that's really meant to be the "man" voice!):

Voice changer demo

Postal address

It's good to have an accommodation address, a physical postal address for people to send you gadgets to review or other goodies. Naturally, you don't want to give out your real home address or you wouldn't stay pseudonymous for long.

Many people have PO Boxes. I don't have a Post Office box from the Royal Mail, because it's a myth that your real name and address will be safe with them. If you look at the small print of the Royal Mail's conditions for PO boxes, you'll see it says:

Disclosure of information
Royal Mail reserves the right to give the address (and title) of the PO Box holder to any enquirers, and this information will be added to the Royal Mail’s national address database – the Postcode Address File (PAF). Information on PAF is used to produce a number of Address Management products that are available to the public.”

So, this means they can give your details to anyone who asks about your postbox number, if they feel like it. There's no requirement at all for them to keep your personal information confidential. They don't have to tell you or ask your permission - they can just give you up.

Contrast providers like British Monomarks, whose terms say:

"British Monomarks Ltd undertakes not to divulge the address of the Subscriber to a third party without the consent of the Subscriber unless legally obliged to do so. "

That's the sort of thing we want. I'd prefer it if they also undertook not to divulge the name of the Subscriber unless forced to by law (e.g. a court order), but then I'm a pedant. Still, it's better than the Royal Mail's terms.

So not surprisingly, I'd say do not use Royal Mail, use another provider. But remember that you'll have to pay for the service - e.g. an annual subscription plus a fee for each item that's forwarded or that you pick up. British Monomarks for instance charge a range but for a year it's currently £76.38 for a private post box (plus set up charge), and 10p per envelope you collect or 50p per parcel (a bit more, plus postage costs, if they forward to you instead of you picking up the item).

You may also have to call them from time to time to check if anything's arrived for you, though some may notify you especially if a big item's arrived.

Domain name

For your address on the Internet, i.e. your domain name (mine is consumingexperience.com for instance), you can use a domain name registrar like GoDaddy which offers what they call "private registration", the equivalent of ex-directory for telephone numbers perhaps.

With a private registration, anyone who does a WHOIS lookup on your domain name (to find out the name of the owner) would only see the name of the domain name registrar - whereas with a standard registration would mean your name, email, phone number and address etc. would be listed against that domain, for anyone to see and search for, including spammers.

Again you have to pay for the domain privacy service - in the case of GoDaddy $8.99 per year on top of the normal registration fee - but I think it's worth it, myself. Of course, as with a PO box you need to check out the registrars and their terms of service: some are more careful and discreet while others (like the Royal Mail) may be willing and able to give your details out to anyone who asks for them.

Phone

In the UK at least, there are 3 options for your telephone number:

  1. Pay as you go SIM / phone - cheap or (for SIMs) even free e.g. from a market stall or phone shop; beware that some e.g. Carphone Warehouse try to get your name, address etc for their database even if you're just buying a £5 SIM card. Needless to say, you can either refuse or well shall we say go there pre-prepared with a name & address & postcode to give them.

    As with other PAYG services you have to remember to top up or use the card / phone (e.g. by sending a text) every few months to keep the number "alive".
  2. Personal number - which diverts calls to your real phone number, and you can in some cases even change the number it diverts to from time to time; works for mobile phone numbers, but only for voice calls not SMS texts as far as I know. Often provided free to the recipient, but the caller pays more than for a call to a "normal" number.

    However if you make calls you can't get them to appear to the recipient be from your personal number. (I just withhold my number when calling from my mobile or landline phone, as standard, anyway.)

    Again, the number has to be called (and answered!) at least once every X months or you'll lose it.

    UK providers include DM Club (can divert to more than one phone, trying each registered number in turn) and Privacy Numbers.
  3. Temporary, virtual or disposable number - pretty much like a personal number, only temporary. It will forward calls to your real phone for a set period, then automatically expires (unless you renew it, which usually costs). Again, only good for voice calls not SMS texts, and it's more expensive for the caller.

    These numbers are useful for more than pseudonymity - they're helpful for privacy, safety and security generally, as you can just go online to get yourself a number which you can then freely publish on the web e.g. when advertising goods online for auction or sale, or to give out to that seemingly hot person you met in a bar or club while keeping your real phone number safely secret till you're sure they're not a bunny boiler.

    UK providers include Call-Safe and Oncetel. I like Call-Safe's flexibility: currently you can pick a number that automatically stops working in 1 hour, 3 hours, 1 day or 1 week! Oncetel claim to enable you to make a call that appears to be from your Oncetel number (you'll be charged a bit more than a normal phone call for that call), but I've not tried that feature myself.

Email

Most people have at least one Webmail address e.g. Google Mail or Yahoo! Mail. Obviously giving out a webmail address helps protect your privacy as far as the person sending you email is concerned, but the Webmail provider still knows your details as you have to give them your name, postcode etc when you register for a Webmail account.

People have been known to give false details to the provider (I'm very uncomfortable about giving out my real date of birth to web services that ask for it unnecessarily , for instance, for security reasons at the very least.) Though as Rachel Clarke pointed out during my SocialMediaCamp session, terms of service usually say that the provider can terminate your account if they find out that you gave them false personal info.

If you have a domain through private registration, e.g. yourblogname.com, then you can of course get email through that domain (you can even set up Webmail for that using Google Apps for free, if you want to).

My personal favourite - using disposable email addresses (see my detailed blog post on that, I won't go into them further here but as you'd expect they expire after a certain number of emails received).

Confidentiality agreements

If you do have to give your real name to someone, e.g. Google for your AdSense payments, Amazon for an affiliate or associates scheme, a manufacturer or their agent in relation to a product lent to you for review, then ideally get them to promise, before you give them your name, that they will keep your personal details confidential and won't disclose them to anyone unless legally required to.

It doesn't have to be a formal agreement, just an email confirmation is better than nothing (and getting something in writing is best to help you prove, if it comes to it, that they did make that promise; it's much harder to prove otherwise) - but if this sort of thing is important to you, then you really ought to consult a suitably qualified lawyer.

Don't forget though that agreements can be broken, and maybe you could sue the pants off whoever was responsible - if you could find out who it was and prove that it was them! (See above - in practice, limiting the number of people who know your true details, and ensuring they're people you can trust, is really the best way.) Zoe had confidentiality agreements drawn up by a solicitor, but all the same she was found out - and she still doesn't know if it was someone who signed an agreement, or someone else altogether.

The key point: limit pieces of the jigsaw

It's easy to find out someone's real identity. If they have enough pieces of the jigsaw, they can put them together.

So limit the pieces of personal info about yourself that you give out, whether online or offline, and even if they're to different people (they could get together to do the jigsaw!).

Example: someone once found my page on my company's website by knowing my job title, the nationality of the company I worked for, and the university I went to. (Plus the fact that I'm female, and another thing you'd see about me if you met me in person.) It was someone with industry knowledge, but still, it wasn't hard.

Another example: another person got my name because I mentioned I had a role in a show at a particular theatre which would be on "soon". She also knew that it had to be a musical or opera, and by checking the website for that kind of show in the near future, she identified me from the cast lists (given again one other piece of information about me).

Which is why on this blog I say no more than that I'm female, live in London, and like singing (and technology, obviously). That's personal info, but lots of people fit that description!

I think Zoe agrees with this point. She remarked at my SocialMediaCamp session that, in terms of lessons learned, she felt the most important thing was "Lie!" - i.e. don't give away too much true (and therefore identifying) information about yourself, which can be pieced together to track you down.

She asked if I'd lied. I try not to lie to people - I may be ambiguous in some of the things I say, but I don't like outright lying. Which is why I don't give out very much personal info at all - I'm not trying to be coy or cagey, I just don't want to lie (e.g. my job title was very, very identifying as it's not a common job). The less you give away, the less likely that you'll be found out.

2 comments:

Anonymous said...

Great post. Couple of points:

@Domain privacy
Having privacy enabled can arouse suspicion for many - also, given sufficient motive, that protection can be broken by registrars. Sure, don't do anything wrong, but still...

@Phone numbers
Hard to find UK providers of landline numbers but there's always TelecomIT; I use Flextel for 070 numbers but landlines are more credible.

@Email
Use Emailias.com with your own domain; I've used this service for 4 years now and beats SG with consummate ease; Use coupon 'coupon3' to get the first year for $3 (Disclosure: I get $3 off my next renewal)

@Miscellaneous
Have you checked out HowToBeInvisible.com for privacy matters? US-biased though.


Jonny B Good

Improbulus said...

Thanks for your helpful comments and suggestions, will check out those sites.

I still like Spamgourmet, and you can of course use Google Apps for free email with your own domain.

Yes I agree, with enough motive, privacy can be broken by anyone.