In this article we’re going to be discussing Good Online Operational Security Practices, or How To Prevent Yourself From Being Doxed for anyone who wishes to keep their online activities anonymous. This article is long and has 15 parts, and it has a lot of details and links in it. There's a lot of information contained in this article, so you may want to bookmark it for later use. An archived copy of this article exists at archive.is/RMtH2 if this website ever goes offline. You can use the jump links below to quickly navigate to the section you’re most interested in.
- JUMP TO:
- Overview and Best Practices
- How to Setup Your Email Accounts to Protect Your Identity
- Protecting Your Location and IP With a VPN
- Preventing Doxing
- Cell Phones and Protecting Your Identity
- Password Management
- Using Two-Factor Authentication To Protect Your Accounts
- Recommended Two-Factor Authentication Apps
- Controlling Access To Your Phone
- Protecting Your Name and Personal Information
- Obfuscating Your Physical Address Online
- Keeping Online Transactions Anonymous
- Secret Phrases For Trusted Friends
- Old Tweets and Deleting Tweets
- Damage Control If You’ve Been Identified
- Going Nuclear And Burning It All To The Ground
Overview and Best Practices
Best Practices for maintaining Good Online Operational Security is to isolate your all of your online activities from your real-world life as much as possible. The fewer points of connection between those two worlds the better. The second basic principle is to provide as many obfuscation layers as possible between your online activity and your real life. You are trying to set up a wall that intentionally obscures people from discovering your true personal information and using it against you. For example in a normal situation if someone doxes you or hacks your account, they may be able to discover your true phone number and home address. They can use this information to find your employer and try and get you fired for saying something objectionable or not politically correct. With an obfuscation layer, if someone doxes or hacks you, they only get the number to your burner cell phone and the address of your mail drop location in another state. There’s nothing they can really do with that information, and you can easily abandon those two contact points with no real consequences. The rest of this article goes into the details of how to set up each of those obfuscation layers for things like email, IP address, phone number, passwords, account access, mailing address and credit cards.(Return to Top)
How to Setup Your Email Accounts to Protect Your Identity
For most people an email address is their primary method of online communication. An email address is also the most common way social media accounts are created so it’s important you get this right. You never want to use your real email address to communicate with anyone you meet on social media. You don’t ever want to use your work email as well. Best practice is to use one single isolated disposable individual email address per social media account. If you have a social media account that gets permanently banned, you want to archive any old emails you may need from the account, and then completely delete the email account. If you’re running Multiple Twitter Accounts this can get tricky. You can setup multiple Gmail Accounts but a better solution is a Plus Account from Proton Mail for about $6 per month .
A Proton Plus Account lets you have one master email, and five alias emails that all get delivered into the main account. Each account can send and receive mail from an individual account without revealing the top level account. When you are setting up your primary email account, if your real name is "Patrick Johnson" don’t use anything like [email protected]—.com, [email protected]—.com, or [email protected]—.com. You don’t want to include a the year you were born/married/had kids, you don’t want to include your work/job/profession, you don’t want to include the town you live in/grew up in, or any other information that is an any way significant in your real life. If you were born in "1986" don’t think you’re being clever using "1968" or "6891" in your email address. If you want to include disinformation that’s perfectly fine. For example if you were born in "1986" and wanted to include the random number "7936" that’s ok. Your best bet for choosing a username is to choose something historical, Greek, Roman, Egyptian, fictional character or completely made up name. You can take a fictional character and go with a Roman version of it, like [email protected]—.com or [email protected]—.com. Many of the Founding Fathers of our country used fictional roman names . For your primary email you want to use something that has no significance in your real life and can’t be used to connect you to the email account. If you want to be completely random play around with the Random Fake Name Generator and come up with something you like.
You want to avoid giving out your primary Proton email address if at all possible. Instead, you want to use your five alias email accounts. You should think of these aliases as disposable and not get too emotionally invested in choosing an account name. If your account gets permanently banned, or if someone is trying to dox you and you think they’ve discovered something, you want to completely abandon the alias email account. Proton Mail doesn’t let end users to delete alias email accounts on their own, instead you have to email support and ask them to delete it for you. They’ll email you back confirming that you know once it’s deleted it’s gone forever and can’t be recovered. Once you confirm you want it deleted they’ll take care of it for you. I’ve never had any problems getting alias accounts deleted, but if you’re a "churn-and-burn" person they may be less willing to accommodate you.
You want to enable Two-Factor Authentication on the account. We’ll talk more in-depth about that Two-Factor Authentication later in this article. Proton Mail is one of the few native phone apps I’m not really concerned having on my phone. Just don’t enable "Touch ID" or "Facial Recognition" on the app, we’ll explain why in the Phone Access Section later in this article.(Return to Top)
Protecting Your Location and IP With a VPN
Using a VPN to obfuscate your true IP address and location is one your strongest defenses in remaining anonymous online. It’s so important we have an entire article on Choosing a VPN Provider . We strongly recommend Setting up a VPN Router because it prevents you from logging on and forgetting to enable your VPN software.(Return to Top)
The main goal of creating these obfuscation layers between your online activities and your real life is to prevent someone from doxing you. There have been many attempts to dox us over the years, and all of them have failed. In our Protecting Yourself From Doxing article, we talk about things to be on the lookout for and things that have been tried against us.
Cell Phones and Protecting Your Identity
The only people who should ever have your real cell phone number is your family and your real-world friends. You never want to give anyone else your real cell phone number and you never want to use your real cell phone to verify any of your accounts with a social media service. While I’m hesitant to recommend anyone give too much of their personal information to Google, Google Voice provides a fully featured VOIP service that does everything you’re going to need and is free, so it’s almost a necessary evil. You want to get in the habit of giving everyone your Google Voice number instead of your real number. If you use Google Voice YOU HAVE TO LOG-IN AT LEAST ONCE EVERY 30 DAYS. If you don’t log-in Google will recycle your number and give it to some other completely random person. There’s absolutely no way to get it back once that happens. You have been warned.
If you’re going to use your Google Voice number in your real-world personal life, you don’t want to use that same number to verify your social media accounts. Currently, you can only have one Google Voice number per landline/cell phone. There are ways to request a new Google Voice Number for a fee ($20 ) and you can pay a second fee ($30 ) to keep the old number, but that does get kind of expensive and complicated after a while, so be careful about choosing that path.
It may, make you look like a drug dealer, going the burner phone route solves a lot of problems quickly and easily, and is a great way to keep your information compartmentalized. You want a "Pay-As-You-Go Plan" with the cheapest phone and cheapest fee. The list below links to other websites that will do a much better comparing plans and explaining the differences than we would do:
Pay-As-You-Go Cell Phone Comparison Websites
- Nerd Wallet Pay-As-You-Go Comparrisons
- No Contract Cellular Pay-As-You-Go Comparrisons
- Prepaid Wireless Guide Pay-As-You-Go Comparrisons
- Android Authority Pay-As-You-Go Comparrisons
- GoCompare Pay-As-You-Go Comparrisons
(Editors note we aren't affiliated in any way with the websites listed above, so if you want to be a dick and attack them that's all on you.)
You can use a burner phone to create a new Google Voice account. You do run the risk of losing access to the Google Voice number if the cellular plan on your burner runs out, so use caution.(Return to Top)
If you’re going to perform Adversarial Online Engagement your going to have to start using Strong Passwords because eventually someone is going to try and hack one of your accounts. If you’re running multiple online accounts, you’re going to need multiple strong passwords. The stronger your passwords are the less likely you are to remember it, so eventually you’re going to need a Password Manager just to keep track of everything. Basically speaking a Password Manager is a program that stores all of your different username and password login credentials for all of the different websites you visit and it lets you click a button and automatically fill the information in. You want a Password Manager that has a desktop and mobile version and that keeps the information synchronized across both platforms. The better ones are premium software with an annual fee, but we think it’s a justified expense. We’re big fans of LastPass but any of the Password Managers in the table below are a good choice.
Recommended Password Managers
|LastPass||$2 per month|
|1Password||$2.99 per month|
|DashLane||$4.99 per month|
|Keeper||$2.50 per month|
|Sticky Password||$2.50 per month|
(Editors note we aren't affiliated in any way with the websites listed above, so if you want to be a dick and attack them that's all on you.)(Return to Top)
Using Two-Factor Authentication To Protect Your Accounts
Anyone engaged in online adversarial behavior is eventually going to have someone try to hack their account. Their goal will be to gain access to your personal information, or to use the account to post content/links you may not approve of. A username/password is no longer enough to protect your account, you’re going to need to enable Two-Factor Authentication to protect yourself. Two-Factor Authentication requires a second 6 digit code that is either sent to you via SMS text message, or a 6 digit code that comes from an app on your phone. The 6 digit code is only valid for a short period of time, usually 1-3 minutes, after that it expires and you need a new code. Using Two-Factor Authentication makes it incredibly hard for an unauthorized person to gain access to your account. Services that allow you to turn on Two-Factor Authentication include Google, GMail, Facebook, Twitter, and Proton Mail. You will need to enable Two-Factor Authentication manually, because it’s never turned on by default. You can usually find it in the "Security" section of your account.
The most common Two-Factor Authentication method used is sending a 6 digit SMS text message to your phone. However because you’re likely using a burner phone, or a Google Voice VOIP number this can get tricky. The better option is to use a Token Code Generator App on your phone. Every time you login you’ll need to get a 6 digit code from your phone app and enter it in the website. The code expires after 90 seconds, making it much more difficult for someone to access your account without your knowledge. Google developed a technical standard for Two-Factor Authentication and most technology and social media companies use it. They make an app for you phone (Google 2FA Authenticator ), that being said we really aren’t fans of giving Google access to information unless you absolutely have to. There are a number of other solutions that are compatible with the Google Authenticator standard, our favorite is LastPass 2FA Authenticator it’s easy to use and integrates with the LastPass . Any of the apps in the list below are good choices:
Recomended Two-Factor Authentication Apps
- LastPass 2FA Authenticator
- Google 2FA Authenticator
- Authy 2FA Authenticator
- Microsoft 2FA Authenticator
- Authenticator Plus 2FA Authenticator
(Editors note we aren't affiliated in any way with the websites listed above, so if you want to be a dick and attack them that's all on you.)(Return to Top)
When you are setting up the app and every time you add a new account get in the habit of making sure the app is backing up all of your information. If you drop your phone, or if your phone is stolen/lost, you’re going to need to restore a backup of that data to be able to access your accounts. Without a backup you’re going to have to prove to those companies you are who you claim to be, this is a really difficult and challenging thing to do. We learned this the hard way, and it took three weeks before we finally regained access to everything.(Return to Top)
Controlling Access To Your Phone
For many people their phone has become a centralized location to store most of their personal information, and it’s not something they want the wrong people to have access to. The most secure configuration is to use a passcode of at least 6 digits. Do not use biometric data like Touch ID, fingerprint recognition, or facial recognition to grant access to your phone. The Fourth Amendment which protects you from unreasonable search and seizures gives law enforcement some loopholes to access the data on your phone if you use biometric access. Courts have already ruled the police can compel you to unlock your phone with your fingerprint , without a search warrant. The police can also compel you to unlock your phone using your face . If you don’t enable these features, you close those loopholes and force them to get a search warrant. (Return to Top)
Protecting Your Name and Personal Information
As we stated earlier in this article, you never want to use your real first name or last name in any accounts you setup. There’s almost no good reason for you to share this information with another person online, even if you’re friendly with them. You should be wary of anyone who asks you for your real name, and extremely suspicious of anyone who is persistent that you should share it with them. Most people are doxed online through social engineering . Even if you are careful, if you have shared your personal information with another person, they can be socially engineered to gain access to your information. If no one else knows your real name you won’t have to worry about them ever exposing it.
You want to be careful about how much secondary information you reveal online. Don’t mention the town you live in, the town you work in, or the type of car you drive. Avoid mentioning your spouses name, what industry they work in, and the town where they work. Never reveal exactly how many children you have, their ages or their gender. Avoid posting pictures of the inside or outside of your house, and avoid posting pictures of your car. In many cases it’s even advisable that you mix in some disinformation, because I have seen evidence that some Paid Shills are keeping a dossier of information about some people. If your wife works as an accountant, you can say she works in finance or banking. If you mix the truth with some lies it becomes a challenge to separate the two when someone is trying to dox you.(Return to Top)
Obfuscating Your Physical Address Online
Most people don’t have the need to take extraordinary measure of protecting their physical address. However if you have a situation where you need to have a public facing address, and don’t want to use your home address, there are options. Unfortunately, all of them have yearly fees and aren’t cheap, so don’t spend this money unless you absolutely need to. The easiest solution is to get a PO Box from the USPS . However if you are already using a PO Box you don’t want to use the same one for real life and online life. After 9/11 the Post Office started limiting the number of PO Boxes a single person could have, so you may need to find an alternate solution. The table below lists a few other choices, unfortunately none of them are cheap. If you choose a service with "Mail Forwarding" for an additional fee, they will forward your mail to a different address, like a PO Box or your home address.
|USPS Post Office Box
||$88 per year|
|UPS Store||Price varies by location,|
but average is about $300 per year
|USA2ME Mailbox Service||$10 per month|
(Mail Forwarding Available for an Additional Fee)
|Mail Link||$100 per year|
(Mail Forwarding Available for an Additional Fee)
|Virtual Post Mail||$10 per month|
(Mail Forwarding Available for an Additional Fee)
If you have, the need to REALLY obfuscate your address and you are concerned that one layer of a remote mailbox location isn’t enough protection for you, then you should consider chaining them together. For example you purchase Mailbox A and as a forwarding address you give them the address of your second obfuscation layer you purchased at another company Mailbox B. For Mailbox B you give them the address of your third obfuscation layer at Mailbox C. You can sequentially chain together as many layers as you need to and your budget allows. You can even tell Mailbox C to forward your mail back to Mailbox A, creating a closed loop. You will probably piss off the mailbox companies using this strategy, but it pretty much guarantees that any mail anyone ever tries to send to you at Mailbox A, B, or C will never actually reach you. (Return to Top)
Keeping Online Transactions Anonymous
You want to keep your online adversarial transactions separated from your real-life business or personal transactions. The easiest way to do this is with a dedicated credit card. PayPal offers a no fee debit card that uses any funds you have in the account. Another option for a no fee debit card that doesn’t come with a lot of hassles, is from Chime Banking . You will have to connect both of these to a bank account to fund them, so they are really only isolated and not truly anonymous.
If you really need to make online purchases anonymously, you’re going to go a different route, and start using prepaid credit cards. Decide how much money you think you’re going to spend, then head to your local CVS, Walgreens, or Staples and purchase a prepaid MasterCard or Visa gift card for that amount. Buy the prepaid card using cash, and don’t use any store loyalty or rewards programs when making your purchase. There are a few prepaid credit cards you can reload, like My Vanilla Card , but to reload them you’re going to need connect a bank account, which stops it from being anonymous. (Return to Top)
Secret Phrases For Trusted Friends
If you do become friendly with other people online and you reach a stage where you have some level of trust, you need to establish a protocol for communicating in code that only the two of you will understand. The first protocol you need to establish is a "Challenge Phrase" to verify each other’s identity. The challenge phrase is a question that only the other person will know the answer to. An example of a good challenge phrase would be ‘Who is the best Star Trek Captain‘, the challenge phrase answer would be ‘Captain Janeway‘. No one in their right mind is ever going to guess Captain Janeway, they will guess Picard, Kirk or maybe even Cisco, but never Janeway. If the person gives, the wrong answer to the Challenge Phrase cease all communication with them and consider if you need execute the Nuclear Option.
The second protocol you need to establish is a "Compromised Account" code word. It should be a completely innocent word that you would never use, but lets the other person know you have been compromised and that your communications are being monitored. For example a word like "tea kettle" has no ominous overtones, but isn’t a phrase most people use. If you have been compromised and are being compelled to communicate and extract information from someone else, use the Compromised Account Code Word to warn the other person. Saying something like ‘Hey thanks for that Amazon link last week, my mother-in-law really liked the tea kettle we got her’, lets the other person know what’s happened and they need to act accordingly. If you get the Compromised Account Code Word from someone else, you should cease all communication and decide if you need to execute the Nuclear Option.(Return to Top)
Old Tweets and Deleting Tweets
One of the strategies used by Paid Shills and Attack Agents is to search through your old tweets, looking for something that is against Twitter's Terms of Service, and using it to report you, hoping to get your account suspended are permanently banned. Since Twitter selectively enforces the rules and targets Right Wing Accounts it's a good idea to start using a defensive strategy, and delete your old tweets.
Tweet Delete is a free service that you can schedule to delete your tweets after a certain time period (7 days to 3 months). It claims to delete all of your previous tweets, but that's not really what happens. It will only delete 3,000 of your most recent tweets. If your account has more than 3,000 tweets, all of the other older tweets exist in a limbo state, they won't show on your profile, but they will show up if someone does a search. This will help you delete tweets going forward, but you're going to need another solution for those older tweets that are in a limbo state.(Return to Top)
Twit Wipe is a free service that deletes all of your old tweets. We've tried it a few different times and the results can be hit or miss. Sometimes it deletes everything in a few minutes, other times, the progress bar just limps along and some random subset of your old tweets get deleted. It's free, so if you know going in that it may take a few tries to really delete all of your old tweets it's not a big deal.(Return to Top)
Tweet Deleter is an extremely powerful social media tool, it's designed to be used on BlueCheckMark, celebrity or other high profile accounts. It's more powerful than most people will ever need and is a lot like showing up with a Flamethrower to roast a few marshmallows . It does an extremely good job of letting you decide with surgical precision exactly which tweets you want to delete and which you want to keep. You can only delete 3,000 tweets a day, so if you have a very active account, it may take a few days to delete all of them, but it does a very thorough job and doesn't leave any weird ghost tweets hanging out there in limbo. The downside is this is a premium tool, at the time this article was written it was $9.99 per month. You have to decide if your need to delete your old tweets requires a premium solution of not.(Return to Top)
Damage Control If You’ve Been Identified
If you’ve taken all of the proper precautions, but someone has still managed to pierce your security protocols, you need to change tactics and enter damage control mode.
- Remain Calm And Don’t Make Rash Emotional Decisions: If this happens, you need to remain as calm as possible, angry and emotional responses/actions can end up revealing your weaknesses, and make everything worse.
- How Real A Threat Are Their Claims: Look at what information they claim to know, or what they are threatening to reveal, try and determine if they really know something, or if they are throwing their suspicions out there, and using your reactions to confirm it.
- Don’t Confirm Something They Don’t Know: Even if they do know something that is true, or can be used against you, don’t acknowledge or confirm it, claim it’s not true casually without focusing on it.
- Use Your Disinformation As Camouflage: If you’ve been putting out disinformation regularly, by not reacting you may be able to convince them they were tricked into believing something that was a lie.
- Is The Threat Real: If they do have real information, you know it’s true, and you feel it can be used against you, you need to use the Nuclear Option.
- Blackmail is a Crime: If someone is threatening to blackmail you, they are committing a crime and you should notify law enforcement. If they are demanding money from you to keep secret, you need to know they are never going to stop until you are bankrupt. If they are demanding information from you, or that you give them information on someone else, you should know they are never going to stop until you have alienated everyone you know and have completely socially ostracized yourself. Things will be worse the longer you let it continue.
Going Nuclear And Burning It All To The Ground
This is path of last resort. You should only be considering it if things have gone completely off the rails, and someone is going to expose you to your family, your employer, or your real world social circle.
- Archive and Password Protect Any Necessary Evidence: If the people threatening you have committed a crime, blackmail is a crime, identify any evidence of their actions, extract it and archive it to an offline backup. Storing the information to a Secure Encrypted Password Protected Flash Drive is a great solution, as long as you can remember the passcode.
- Go Full Scorched Earth: Delete any and all accounts that have been compromised. Destroy any cell phones, SIM cards, and VOIP numbers attached to the Compromised information. Do not just pause the accounts thinking you can come back in the future, do everything you can to completely eradicate them. You should never try to revive them or log into them again.
- Keep Your Disappearance A Mystery: Don’t tell anyone what happened, what you’re doing, or why you’re doing it. That person you tell may inadvertently confirm something or unknowingly reveal that information to the people trying to expose you.
- Do Not Give Anyone An Alternate Way To Contact You: Do not give anyone an alternate way to get in contact with you. Someone may try to socially engineer the friend you tell and trick them into revealing your information. Trust me I’ve seen this happen.
- Do Not Try To Get Revenge: It’s completely normal to feel angry an to want to get revenge on someone who tried to screw up your life, resist this temptation.
- Never Engage Again With The People Who Tried To Expose You: If you do decide to come back online, do it as a completely different person, with as few similarities as possible. Never engage with the people who tried to hurt you. The first thing you do when setting up your new account is block everyone you think tried to do you harm. You may think you’re being clever, but saying anything that’s remotely connected to your old account is not a smart move. It’s very likely they’ll put two and two together and figure out who you are and start the entire process over again.
There's a lot of information contained in this article, so you may want to bookmark it for later use. An archived copy of this article exists at archive.is/RMtH2 if this website ever goes offline. (Return to Top)