PRIVACY RECIPE: Creating an online persona

matt mitchell

How To Create a Private Online Identity with An Anonymous Email Address and a Virtual Phone.
Research & writing by @geminiimatt
Edited by Sage C.

First published: June 15, 2019
Last updated: October 10, 2020

Privacy Recipe is a Creative Commons series based on the security research, projects, and field work I have done. It is for educational purposes only.

INGREDIENTS:
1 visa/mastercard gift card or credit card not linked to you. ($25 USD)
1 new/used smartphone that's not already linked to you (optional, but recommended)
1 internet connected device, laptop, or computer.
0 previous knowledge.
2 hours of your time.

CALORIES (difficulty):
Low to moderate.

NOTE: This article is not complete and is still a work in progress. It is currently safe enough to use. Non-technical content is being edited. More soon…

There are times when you need to create a new identity on the internet. For instance, if you are targeted by harassers online, you may want an account that they cannot trace, to prevent them from stalking or doxxing you and to stay safe online and offline. This was once easy to do, when the internet allowed you to be anyone you wanted. Fast forward to now, and it seems online services are trying to find every way to collect your personal information, profile you, track what you do, and make money out of your data and behaviors. This is especially true with apps. Almost all chat apps and social media platforms ask you for your mobile phone number to create or verify an account. Phone numbers are unique and can make it easier for bad actors to find you online.

Pseudonymous is different from anonymous. With anonymous, no one knows who you are. With pseudonymous, who they know you to be is false. Think of how celebrities use stage names and authors use pen names. (For example, Eric Arthur Blair is better known as George Orwell.) A guide focused on anonymity would be a lot more complex. For most people pseudonymity is enough.

Your online alias should have a name, mailing address, date of birth, email address, phone number and perhaps a profile photo. For the name, consider a popular name that comes up frequently in search engines; if you need inspiration, look at popular names by country. For the mailing address, consider the address of a public library. The date of birth doesn’t matter that much; the most common USA birthdate is September 9th. For the email address, phone number, and profile photo, we will create new information below. Keep all these pieces of information in one secure place.

In this guide, you will find how to create untraceable online accounts and protect your real identity. This is achieved in three simple steps:
1) get a phone number disconnected from your personal information,
2) create a secure email address detached from your real identity, and
3) use them to get a Twilio number for any new pseudonymous accounts you want to make.

New Yorker Magazine

Step 1: Get a phone number that is not tied to your personal information.

When creating a new online account, you often need a number to receive a verification text or call before you can use the account. Because you need this number to control the account, you can’t use a public phone or a friend’s cell phone number. You want a dedicated number on which only you can send or receive text messages. This number needs to be really hard to trace despite all the tracking methods online services use these days. For this privacy recipe, we recommend generating this number with a tool called Twilio. Twilio numbers check all the boxes above and, compared to other services, are less expensive to maintain. To set up Twilio we need a phone number and an email address. We will walk you through a way to sign up that most preserves your privacy. Let’s start with the phone number. There are two ways to get a number: buy a SIM card or get a virtual number. We recommend buying a SIM card as it leaves the least digital trace.

IMAGE SOURCE: “My Phone Bought This” by oliver t is licensed under CC BY-NC-ND 4.0.

SIM cards that you can buy with cash and without ID verification are a good option for your privacy. This is what we will call a “privacy-enhancing SIM card.” Why? Because a normal phone number may be linked to a lot of information about you, including your physical location. Unfortunately this information has proven to be easy to obtain. Phone numbers can be very dangerous. In contrast, a “privacy-enhancing SIM card” contains nearly no publicly identifiable information about you. Here are the pros and cons of a privacy-enhancing SIM card.

Pros:

  • You can get a SIM card with cash and without ID in many places.
  • Cash payment allows for anonymity.
  • You can maintain the number by recharging or topping up regularly in cash.

Cons:

  • Physical purchase means the seller or CCTV cameras can capture your face.

In fact, with this SIM card’s number and a new / used phone that doesn’t connect to your identity, you can already make accounts that are not tied to your personally identifiable information on services such as Telegram, Signal, WhatsApp, Gmail, and more. However, maintaining this SIM card could be expensive. It would be better to use it only for creating a Twilio account. In the following steps you can find how to set up, use, and maintain your Twilio numbers without relying on this SIM card.

Important notes on your device

There are a few important things to know before you use this SIM card on a phone, or use the phone for your online activities. First, you want to avoid using the same phone for both your everyday SIM card number and the number of the “privacy-enhancing SIM card”. If you do, there are at least two ways others can link the “privacy-enhancing SIM card” back to your identity.

  • One way is to look for behavioral patterns in the phone network that connect numbers. Telecommunication companies (telcos) monitor all kinds of behavior of numbers in their networks for various reasons. When you switch to the privacy-enhancing SIM card on the same phone, they can tell that a new SIM went online right after your SIM went offline at the same location (or vice-versa). As this pattern repeats, telcos can identify the new, unknown SIM by looking for the number that went offline right before this new number goes online. This is not hard for telcos, as they have been using algorithms to spot such patterns, for example in The Hemisphere Project.
  • Another way is to track your phone’s IMEI number. Every phone comes with an IMEI number. This number can be thought of as the serial number of your phone. Just as with the behavior between numbers, telcos can use a phone’s IMEI number to connect ALL SIM cards used on that phone.
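To make both linkage paths concrete, here is an added example (not from the original article) that runs them over a handful of constructed network events. The SIM, IMEI and cell labels, the 5-minute window and the two-repeat threshold are all assumptions chosen for illustration; note that the second SIM sits in a separate phone and is still linked by timing.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events (not real data): time, SIM, handset IMEI, cell, event.
EVENTS = [
    # sim-priv-1 is swapped into the everyday phone (same IMEI).
    ("2020-03-01 08:00", "sim-daily", "imei-A", "cell-17", "detach"),
    ("2020-03-01 08:02", "sim-priv-1", "imei-A", "cell-17", "attach"),
    ("2020-03-01 08:30", "sim-priv-1", "imei-A", "cell-17", "detach"),
    ("2020-03-01 08:31", "sim-daily", "imei-A", "cell-17", "attach"),
    # sim-priv-2 has its own phone, but is switched on at the same place
    # right after the everyday phone goes offline.
    ("2020-03-02 19:00", "sim-daily", "imei-A", "cell-40", "detach"),
    ("2020-03-02 19:03", "sim-priv-2", "imei-B", "cell-40", "attach"),
    ("2020-03-02 19:40", "sim-priv-2", "imei-B", "cell-40", "detach"),
    ("2020-03-02 19:42", "sim-daily", "imei-A", "cell-40", "attach"),
    # sim-priv-3 has its own phone and is used elsewhere, independently.
    ("2020-03-03 12:00", "sim-priv-3", "imei-C", "cell-88", "attach"),
    ("2020-03-03 12:30", "sim-priv-3", "imei-C", "cell-88", "detach"),
]


def parse(events):
    """Turn the timestamp strings into datetime objects."""
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M"), sim, imei, cell, ev)
            for t, sim, imei, cell, ev in events]


def sims_sharing_handset(events):
    """IMEI linkage: every SIM ever seen in the same handset."""
    by_imei = defaultdict(set)
    for _, sim, imei, _, _ in parse(events):
        by_imei[imei].add(sim)
    return {imei: sims for imei, sims in by_imei.items() if len(sims) > 1}


def handover_pairs(events, window_minutes=5, min_repeats=2):
    """Timing linkage: one SIM goes offline and another comes online at the
    same cell within the window, counted in either direction."""
    rows = parse(events)
    window = timedelta(minutes=window_minutes)
    counts = defaultdict(int)
    for t_off, sim_off, _, cell_off, ev_off in rows:
        if ev_off != "detach":
            continue
        for t_on, sim_on, _, cell_on, ev_on in rows:
            if (ev_on == "attach" and sim_on != sim_off
                    and cell_on == cell_off
                    and timedelta(0) <= t_on - t_off <= window):
                counts[tuple(sorted((sim_off, sim_on)))] += 1
    return {pair: n for pair, n in counts.items() if n >= min_repeats}


def unlinked_sims(events):
    """SIMs that neither method ties to any other SIM."""
    linked = set()
    for sims in sims_sharing_handset(events).values():
        linked |= sims
    for pair in handover_pairs(events):
        linked |= set(pair)
    return {sim for _, sim, _, _, _ in parse(events)} - linked


if __name__ == "__main__":
    print("same handset:", sims_sharing_handset(EVENTS))
    print("handover timing:", handover_pairs(EVENTS))
    print("unlinked:", unlinked_sims(EVENTS))
```

Only the SIM that has its own handset and its own time and place of use stays unlinked, which is why the mitigations below start with a separate phone.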

App developers can also link your new identity back to you if you use the same phone for everything. All smartphones have unique identifiers that developers can access for use in their apps. App developers can use this ID on your phone as an anchor to trace the link between your pseudonymous and real identity.

Here’s more about Android and iOS device IDs. This may be an issue for you depending on what apps you are using with the new identity and how/why you use them.

Mitigations:

  • Get a new phone in cash, just for this purpose. (best)
  • Use an old phone that was previously used by someone else. (ok)
  • Use your new online profile only on an app you haven’t already used on this phone. (meh/better than nothing)

Virtual numbers are services you can use if you are not able to get a “privacy-enhancing SIM card”. However, using virtual numbers is not ideal because it is hard to completely detach your personal information from them. We also don’t recommend you use them for sensitive conversations. Below are a few virtual number services. If you are using virtual numbers to set up Twilio, choose carefully as some of them may not be usable. You should only consider using these numbers for your new online profile when other options become impossible.

  • Google Voice app: If you live in the United States, voice.google.com may work on your cell phone to send & receive calls/SMS. The account is connected to a Google account. When looking to receive an app verification text, Google Voice worked without issue with the most apps/sites in my tests.
  • Burner app: The smartphone app Burner works as an alternative phone number. The app can make/receive calls and send SMS, using a US or Canada number.
  • CoverMe app: Works like Burner but claims to secure your messages so the staff at CoverMe cannot read them. Includes a few other tools and features besides a virtual number.
  • Hushed app: Works like Burner but offers international numbers and calling. Not all numbers offer the same functionality. Most have SMS and voice calls as an option.
  • Skype in/Skype out: Offers international numbers and calling. High quality audio.

Virtual numbers don’t have an IMEI attached to them, so location tracking isn’t possible. Because they are software, not physical devices, cell site simulators, cell grabbers, and stingrays are not immediate threats. However, some online services and registration pages block or flag accounts that are attached to a virtual number.

Step 2: Get an email address detached from your real identity

Another important step in creating a new online persona is to have an email address that doesn’t trace back to you — a “privacy-enhancing email address”. We will need it regardless of which path we take to set up new private accounts. Registration on most services requires proof of email and SMS verification.

Important preparation: use a VPN to protect your privacy online

The steps below involve visiting web pages. We recommend visiting these websites with a privacy-enhanced browser like Tor Browser. If you cannot use Tor, we recommend using Brave in a ‘Private Tab with Tor’ or Firefox in ‘Private browsing’ mode with the Privacy Badger & HTTPS Everywhere extensions installed. We also recommend you use a Virtual Private Network (VPN) that is not linked to your identity by name or payment method. BITMASK is a free VPN available for Android, PC, and Mac. Another option is to install PSIPHON, a Canadian-based free VPN-like tool. Be cautious: some “free VPN” services are not free, or hoard your logs and data instead of flushing them. You may want to look into a reputable commercial VPN that allows you to mail them cash, such as Mullvad, or that accepts Visa gift cards. To learn more about VPNs, read this article on Wirecutter. For the purpose of this guide, if you have trouble visiting a site via VPN or the recommended VPNs don’t work in your country, visit the sites from public wifi at a busy location (park, mall, popular cafe, etc).

Now we can go ahead and create an email address on a secure email platform. For this we recommend tutanota.com.

REMEMBER: Tutanota’s terms of service say ONE free account per individual.

I really like the Tutanota project. It is a modern, forward-thinking approach to rethinking how we encrypt email. It has features like “forward secrecy” because it isn’t using GPG/PGP email encryption in the background. However, this also means you don’t get the traditional private key/public key pair that you can share with non-Tutanota users. Once you create an email address on Tutanota you can move on to the next step. Make a calendar reminder to log in every 5 months. If your free account goes without use for 6 months IT WILL BE DELETED.

About gift cards

Gift cards and the rules around their sale and use differ depending on what country you are in and what area you live in. As a general rule you want as simple a gift card as possible. Do NOT buy a reloadable gift card. Do NOT buy a cash supported bank card. Try to find something like this Vanilla Gift brand birthday gift Visa card. They allow you to assign a zip code to purchase items online by logging in at https://balance.vanillagift.com

Step 3: Set up a Twilio number for creating untraceable online accounts

Twilio virtual numbers are my recommended way to set up a virtual number. Using the phone number you got from step 1 and the email address you got from step 2, you can create as many virtual numbers as you want with Twilio. It is a technical tool for developers that allows apps to send/receive texts in bulk. This makes Twilio numbers inexpensive and low-maintenance compared to SIM cards and other virtual numbers. You can pay for an account with a credit card not linked to you or a Visa/Mastercard gift card that was purchased with cash. Since Twilio is quite technical, I will outline how to create an account and how to use it to receive verification texts.

Creating an account on twilio.com

Browse over to twilio.com and click on “sign up”. You will see the registration page. Remember not to put any personally identifiable information in the form. You can use an alias for the first and last name, and the privacy-enhancing email address from step 2.

After you hit “start the free trial” button, it will ask you to verify your account with email.

Email verification is designed to prevent automated and fake email sign ups.

Because Twilio is offering a free trial with no credit card at sign up, they use phone numbers as another way to verify accounts and limit sign ups. Here you can use the phone number you got from step 1.

Once you verify your email and then your phone number you will likely be taken to a screen like this one. You can answer “NO” to questions like “Do you write code?”. If given the option, you can just click ‘SKIP TO DASHBOARD’.

Log into Twilio.com
At this point you will be asked to log in to Twilio using the email address you used to register, and your password.

Create your trial number on Twilio.com
When you log in you should see a button to “Get a Trial Number”, click on that.

You will be offered a new number or the choice to search from available numbers. You can go ahead and “Choose this Number”. (You may want to click on “Search for a different number” if you want to search through available trial numbers to find one you like). Remember some countries have very strict verification laws when it comes to phone numbers. For the purpose of this guide we recommend a number in the United States (+1 country code).

Once you have a Twilio number you can use it to receive SMS verification codes for the service you are setting up. In this example we will be creating a Telegram account so we can run a broadcast channel. Be sure to write down your Twilio number, username, and password. It’s recommended that you store them in a password manager. It is also recommended you set up 2FA (two factor authentication) on this Twilio account. We will get into how to set up 2FA later. We recommend using the Authy App as directed by Twilio.

Create your trial number on Twilio.com
Twilio will send you a message congratulating you on creating your phone number. You are now ready to use it on an app.

YOU DID IT!

Upgrade your trial number to a paid account
For the next steps you need to upgrade your Twilio account from trial to a paid account. This might be called “Upgrade Project”. At the time of this article the least you could start an account with was $20.00 USD. The payment method is always credit card. If you prefer to remain anonymous we recommend using a gift card that was purchased with cash. This is easier to do in some locations than others. In the United States most pharmacies (Walgreens, CVS, etc.) and convenience stores (7-Eleven, Family Dollar, etc.) offer gift cards. You do NOT want a refillable gift card. I wrote a separate article about other ways to make credit card payments.

You need to upgrade your TWILIO account to do anything else.

Twilio may ask you for an address. The address of a real world public library is always recommended for alias accounts.

Now that you have paid Twilio you can start using your Twilio number and privacy-enhancing email to create online accounts that won’t reveal your real identity!

Bonus step: Start a Telegram account with Twilio number

Setting things up on the Telegram (or other app or website) side.
Install the app on your phone (you can go back to Step 1 for the detailed tips on the phone device). In this example we will set up a TELEGRAM account and use it to make a broadcast message. The same steps work for Signal, WhatsApp, etc.

In the TELEGRAM app, it will ask you to enter your number to receive a verification code. Type in your Twilio number.

Checking in Twilio for your verification code.
TELEGRAM will now ask you for the code that it texted your number. You will need to know where in Twilio you can find the code to enter.

Log into your Twilio account
Once you log in to the Twilio account with your username and password you will be taken to the main DASHBOARD.

You will start here

Click on the circle with the three dots in the center (…). This will take you to the “All Products & Services” options.

All Products and Services (…)

We will need to get to the API EXPLORER which allows you to see data flowing in or out of your Twilio account without writing any code. To access the API EXPLORER click on the icon of a folded map.

API EXPLORER allows you to see the data flowing in or out of your TWILIO account.

In the API EXPLORER click on the dropdown that says ‘Programmable Voice’ and change it to ‘PROGRAMMABLE SMS’.

PROGRAMMABLE SMS is the screen that shows all things related to text messages.

Now you are looking at all the API endpoints that have to do with PROGRAMMABLE SMS. Click on MESSAGES to show a list of all the API endpoints that have to do with MESSAGES. When you do this, you should see a list of POST, DELETE, GET actions: Create a Message, Delete a Message, View a Message, View Messages List, Modify a Message, etc.

MESSAGES, found under PROGRAMMABLE SMS, is the area that lets you handle SMS text and images.

Click on ‘View a Message’ so you can open up the controls on viewing messages and take a look for our verification code.

Above the red button that says ‘Make a Request’ is a dropdown called MESSAGE SID. There should be a MESSAGE SID for each text message you have received to your Twilio number. They are listed from most recent to oldest. There could be a ‘Hello From Twilio’. This is different from the ACCOUNT SID, ‘My First Twilio Project’. If the MESSAGE SID field is blank then you haven’t received any text messages yet. If you don’t see a MESSAGE SID please wait. It can take up to 15 minutes for many apps to get a message through. Once the MESSAGE SID you want is shown in this box click the red ‘Make a Request’ button.

MAKE A REQUEST to find the message from TELEGRAM and retrieve our verification code.

The format of the data is human readable by default. We can clearly see a message. The first line in RESPONSE reads:

"body": "Telegram code: 48560\n\nYou can also tap on this link to log in:\nhttps://t.me/login/48560\n\noLeq9AcOZkT",

Our verification code is 48560. Now we just need to enter that into our TELEGRAM app and we are done!
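If you save the JSON returned by ‘View Messages List’ to a file, the same lookup can be done offline. The following is an added example, not part of the original article or Twilio's own code: it assumes the list response carries a "messages" array whose entries have the Message resource fields sid, direction, to, from, body and date_sent, and it runs on a constructed response with placeholder SIDs and phone numbers plus the Telegram body quoted above.

```python
import json
import re
from email.utils import parsedate_to_datetime

# Prefer digits that follow the word "code"; otherwise accept a standalone
# 4-8 digit run that is not part of a URL path such as /login/48560.
CODE_AFTER_WORD = re.compile(r"code\D{0,10}(\d{4,8})\b", re.IGNORECASE)
BARE_CODE = re.compile(r"(?<![\w/])(\d{4,8})(?!\w)")

MY_NUMBER = "+12025550123"  # placeholder for your Twilio number


def sid(n):
    """Build a placeholder message SID (constructed, not a real SID)."""
    return "SM" + str(n).zfill(32)


# Constructed response for illustration only.
SAMPLE_RESPONSE = json.dumps({"messages": [
    {"sid": sid(1), "direction": "outbound-api", "from": MY_NUMBER,
     "to": "+12025550150", "body": "Hello From Twilio",
     "date_sent": "Mon, 15 Jun 2020 10:00:00 +0000"},
    {"sid": sid(3), "direction": "inbound", "from": "+12025550199",
     "to": MY_NUMBER,
     "body": "Telegram code: 48560\n\nYou can also tap on this link to "
             "log in:\nhttps://t.me/login/48560\n\noLeq9AcOZkT",
     "date_sent": "Mon, 15 Jun 2020 10:20:00 +0000"},
    {"sid": sid(2), "direction": "inbound", "from": "+12025550177",
     "to": MY_NUMBER, "body": "Your verification code is 731904",
     "date_sent": "Mon, 15 Jun 2020 10:05:00 +0000"},
]})


def extract_code(body):
    """Return the verification code found in an SMS body, or None."""
    match = CODE_AFTER_WORD.search(body) or BARE_CODE.search(body)
    return match.group(1) if match else None


def latest_code(response_json, to_number, keyword=None):
    """Return (message SID, code) for the newest inbound message to
    to_number that contains a code; keyword narrows it to one sender's text."""
    messages = json.loads(response_json).get("messages", [])
    inbound = [
        m for m in messages
        if m.get("direction") == "inbound" and m.get("to") == to_number
        and (keyword is None or keyword.lower() in m.get("body", "").lower())
    ]
    inbound.sort(key=lambda m: parsedate_to_datetime(m["date_sent"]),
                 reverse=True)
    for message in inbound:
        code = extract_code(message.get("body", ""))
        if code:
            return message["sid"], code
    return None


if __name__ == "__main__":
    print(latest_code(SAMPLE_RESPONSE, MY_NUMBER))
```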

When using TELEGRAM, it’s important to understand you probably want to use CHANNELS. This isn’t encrypted end-to-end, but it’s a good way to get a message out to a large number of people with your “secret” pseudonymous account.

Important to note: It may be a good idea to use an alias when using this account. You just worked so hard to create a pseudonymous number. If a friend puts this number in their phone contacts under your actual name, apps can take this contact info and store it. For example, if your friend installs Truecaller and lets it pull their contacts, anyone with Truecaller installed will see the number the way it was stored by your friend.

A 100% computer generated face using the ROSEBUD.AI tools at Generative Photos.

Your beautiful new alias might need a face! You might want to add a face to your social profile so you look like everyone else. If you use an image from the internet or stock footage, it can be revealed using a “reverse look-up” or “image search” by clicking a camera icon. TinEye, Google Images, and Yandex Images are good examples of these tools. A better option may be to use a face that doesn’t belong to a human being. Examples of this are the algorithmically generated faces at https://www.thispersondoesnotexist.com/ (although at this point a lot of services will defend against this website’s faces). Refresh the page, find a face you like, click SAVE. If you need a more diverse model pool and don’t mind the search engine/reverse-image-search hits, then check out these AI generated models of royalty-free “human” faces that don’t exist: https://generated.photos/faces/black-race/female Even better is their AI editor to change a model’s apparent ethnicity and/or gender: https://generated.photos/faces h̶t̶t̶p̶s̶:̶/̶/̶a̶p̶p̶.̶g̶e̶n̶e̶r̶a̶t̶i̶v̶e̶.̶p̶h̶o̶t̶o̶s̶/̶ It might make sense to combine the two tools for a more unique face.

You can now begin using your pseudonymous account. Enjoy and be safe and secure out there!

Frequently Asked Questions…

I was able to set everything up but never got a text from the app I want to use, what can I do?
The app you are using may be sending you the activation code from a “shortcode” service, and not an actual long number/phone number. Twilio can accept shortcodes but this is a feature that support must turn on for you. What is a shortcode? Twilio defines them as “A short code is a special 5 or 6 digit telephone number that’s shorter than a full phone number. Short codes are used to send and receive SMS and MMS messages to and from mobile phones.” Log in and use this form to request that support “enable your account(s) to receive incoming messages from short codes”. This has effects on how your Twilio account will work from that point forward. You may want to read more about this before making the request. I recommend it if you need to use that app. Try again and see if you now receive an activation code.

I was able to set everything up but I need to receive or even make a call from my Twilio number, is that possible?
Twilio is a tool for software engineers to enable telephony in their apps and tools. If you are a developer you may want to look at the Twilio iPhone & Android SDKs and the sample apps. There are ways to do this by coding in Python/Django, Ruby, and other languages. For a non-coder there is still hope: Twilio comes with an excellent web-based tool you can use from a browser, called Twilio Studio. You may be interested in forwarding your Twilio calls to a phone you can answer. The exact steps are beyond the scope of this document; however, here is a video. You can also learn from Twilio how to make and receive calls using Twilio Studio.

Why use this guide? What about just using services like privacy.com, abine.com, mysudo.com?
These services, and others like them, offer an easy way to create “throwaway” personas. Some of the above services are for payments only while others include additional features like virtual and temporary phone numbers and email addresses. One of these may be exactly what you are looking for! I recommend you check them out first, starting with their privacy policy. It is important to keep in mind these are not “zero-trust” / “zero knowledge” services: they collect information about your true identity and offer a mask to use on other sites and services. In their privacy policies, these sites give the reasons they would or could ever breach that trust and break the agreement. Furthermore, depending on the country the service you use is in, there are often many rules around the information you must provide to use financial services like the virtual credit card/payment features of these services. Also, to protect the service from abuse, enough data needs to be collected to investigate abuse. Therefore, for these services, collection of personally identifiable information is unavoidable. They must know something about your true identity.

I am having trouble finding a gift card I can purchase with cash, are there other options?
In some countries this may be easier to do than in others. For example, the first version of this guide was written for folks inside the United States, where it is trivial to get gift cards. There are services and apps that offer virtual payment cards; some of them require linking your real identity to the service. While it is out of scope of this guide to review them all, here is a list of online gift cards, like getsbygift.com. There are also online wallets like revolut.com, cashapp.com, zelle.com, Apple Pay & Google Pay. Last, there are services that require ID and a facial recognition registration; these are not recommended so they will not be listed here.

Additional reading on this subject:

“Creating Research Accounts for OSINT Investigations” https://osintcurio.us/2020/08/17/creating-research-accounts-for-osint-investigations/


Written by matt mitchell

technology fellow @Ford Foundation
