Perfect Operational Security (OPSEC) Needs to Start From Day One
There are many legitimate reasons to hide your identity when operating online. Among these are anti-fraud investigations, threat intelligence gathering, criminal investigations, and sensitive research. But you are only protected so long as you maintain your cover. Based on over 20 years of experience with online anonymity, I’ve identified the top 6 mistakes that will blow your cover.
1. Forgetting to Use Your Tools
Failing to consistently use identity-hiding technologies is the most common way to blow your online cover. Just one failure to use your misattribution tools can instantly connect your alias to your real identity. Guccifer 2.0, Sabu, and many more aliases have been exposed by this kind of mistake. The hardest part is that perfect operational security (OPSEC) needs to start from day one — long before you know how important it is to protect this particular alias.
2. Incomplete Separation
Our online identities are made up of many different accounts, including social media, email, chat, and others. Each of these may have account names, recovery email addresses, physical addresses, full names, phone numbers, and passwords. The mistake occurs when the line between alias accounts and real-name accounts starts to blur — you create an alias account that shares a recovery email address with a real-name account, or re-use a phone number, or re-use any other identifying information. There might not even be a single direct link, but rather a chain of accounts which together can connect your alias with your true identity. This appears to be how Ross William Ulbricht was connected to his criminal alias “Dread Pirate Roberts.”
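The chain-of-accounts problem is easiest to see as a graph: every identifier value (email address, recovery address, phone number) that appears on two accounts is an edge between them, and an alias is only separated if no path leads from it to a real-name account. The following self-audit script is an added example, not part of the original post; the account inventory is constructed for illustration and the only flaw planted in it is an alias mailbox whose recovery address is a real-name account.

```python
from collections import defaultdict, deque

# Constructed sample inventory (not real accounts): each entry lists the
# identifying values registered on one account. The only flaw is that the
# alias mailbox uses a real-name address for account recovery.
ACCOUNTS = {
    "alias_twitter": {"recovery_email": "joe.alias@example.net"},
    "alias_mail":    {"email": "joe.alias@example.net",
                      "recovery_email": "personal@example.com"},
    "real_gmail":    {"email": "personal@example.com", "phone": "+1-555-0100"},
    "real_bank":     {"email": "personal@example.com", "phone": "+1-555-0100"},
}


def shared_identifiers(accounts):
    """Map each identifier value to the set of accounts it appears on,
    regardless of which field (email, recovery email, phone) holds it."""
    index = defaultdict(set)
    for name, attrs in accounts.items():
        for value in attrs.values():
            if value:
                index[value].add(name)
    return index


def linkage_chain(accounts, start, target):
    """Breadth-first search from `start` to `target` over accounts that share
    an identifier. Returns the chain as (account, shared value, next account)
    hops, or None when the two identities are fully separated."""
    neighbours = defaultdict(list)
    for value, names in shared_identifiers(accounts).items():
        for a in names:
            neighbours[a].extend((value, b) for b in names if b != a)
    parent = {start: None}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        if current == target:
            break
        for via, nxt in neighbours[current]:
            if nxt not in parent:
                parent[nxt] = (current, via)
                queue.append(nxt)
    if target not in parent:
        return None
    chain, node = [], target
    while parent[node] is not None:
        prev, via = parent[node]
        chain.append((prev, via, node))
        node = prev
    return chain[::-1]
```

Running `linkage_chain(ACCOUNTS, "alias_twitter", "real_bank")` exposes the two-hop chain through the shared recovery address; giving the alias mailbox its own recovery address makes the function return None.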
3. Using the Wrong Account
Once you start managing more than one identity, accounts proliferate like weeds. It quickly becomes possible or even likely that you will accidentally use an account associated with one identity to send communications associated with another. If there is someone you only communicate with from your “Joe” alias, then it will cause problems if “Joe” sends an email from “Sarah’s” account. Of course, the worst-case scenario is if that other account is under a true name. I know of one example where two law enforcement officers shared a single computer. One configured it to send email in alias, then went to lunch. The other re-configured it to send some internal emails. When the first returned, he did not check the settings and proceeded to email their criminal target from the second officer’s official email account. This, as you can imagine, completely compromised the mission, fortunately without loss of life.
4. Fake Photos
The common availability of reverse photo searches and facial recognition has caused major problems for many people trying to set up alias social media accounts. To look authentic, accounts need to have activity, including personal pictures. Too often these pictures are lifted from other real social media accounts or from stock photography websites. Unfortunately, social media sites may detect and tag photos with the identity of the person whose photo was “borrowed”. If the picture is posted anywhere on the public web, a reverse image search, like tineye.com, will quickly discover the original. I have discovered several fake LinkedIn profiles trying to connect with me using profile pictures from Getty Images.
5. Writing Style
The way you write is like a fingerprint. No two people use language in exactly the same way. Word choice, common phrases, sentence structures, and idiosyncrasies all allow programs to recognize samples of your writing. And it is a surprisingly difficult fingerprint to hide. We are largely blind to which aspects of our writing identify us, so it is hard to know what to change, and it is a tremendous effort to do so consistently. If your alias only writes one paragraph in its whole existence, you can manage it almost effortlessly. If it writes frequent or long posts, the problem becomes much worse.
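To make the fingerprint concrete, the toy below compares the relative frequencies of function words and discourse markers, the features a writer is least aware of, and scores two texts with cosine similarity. It is an added example, not from the original post; the feature list is chosen for illustration rather than being any standard set, and the three writing samples are constructed (two from the same fictional writer, one from another).

```python
import math
import re

# A small set of function words and discourse markers. Their relative
# frequencies are hard to alter consciously, which is what makes them useful
# stylometric features (list chosen for this example, not a standard set).
FEATURES = ["the", "of", "and", "to", "a", "in", "that", "it", "is", "was",
            "i", "not", "but", "who", "however", "really", "honestly", "mean"]

# Constructed writing samples: two from the same (fictional) writer, one from
# another. No real person's text is used.
SAME_WRITER_1 = ("I really think this is fine, but honestly it is not that big "
                 "of a deal. I mean, really, who cares? But it is what it is.")
SAME_WRITER_2 = ("Honestly, I really do not get it. But I mean, it is not that "
                 "hard, really. Who actually cares? It is what it is, I guess.")
OTHER_WRITER = ("The configuration of the server was reviewed by the team. "
                "However, the results of the audit were not conclusive, and "
                "the report was deferred.")


def feature_vector(text):
    """Count how often each feature word occurs in the text."""
    tokens = re.findall(r"[a-z']+", text.lower())
    return [tokens.count(word) for word in FEATURES]


def stylometric_similarity(text_a, text_b):
    """Cosine similarity of the two feature vectors, in [0, 1].
    Returns 0.0 when either text contains no feature words at all."""
    va, vb = feature_vector(text_a), feature_vector(text_b)
    dot = sum(x * y for x, y in zip(va, vb))
    norm = math.sqrt(sum(x * x for x in va)) * math.sqrt(sum(y * y for y in vb))
    return dot / norm if norm else 0.0
```

Running your alias's posts and your real-name writing through a check like this is a cheap self-audit; real stylometry adds many more features (character n-grams, punctuation habits, sentence length), which is why the fingerprint is so hard to shed.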
6. Behavior and Location
Finally, you might expose your alias as being fake and reveal your true location and interests simply through the patterns of your online activities. I have seen entire blocks of anonymous IP addresses burned through user activity and improper OPSEC. In one case, a group of users had a block of IP addresses in another country. Because they used those IP addresses for personal purposes in addition to their operational activities, Google quickly started identifying their true location: where the users actually worked. It turns out that Google used their search and mapping activities to infer where they were probably located, and it was right. Sports, politics, news, and other content can similarly reflect your actual identity and location, undermining the realism of your alias.
If you can avoid these top 6 mistakes, you are far more likely to be successful with any online undercover activity. You will access the threat intelligence you need from that hacker IRC room, catch those fraudsters in the act, or make your case against some nefarious criminals.
