Keeping track of pseudonyms

Privacy and Security Get Advice
1

How do you keep track of your pseudonyms accounts?
For example, is VPN or tor required, which browser, any special accounts or systems used for which particular pseudonym I need to access.

I’ll start first. Using Henry’s classification below my threat model most revolves around Exclusive Accounts, Browser Profiles, and Browsers for digital separation.

Currently, I use mostly browser containers to separate general activities and don’t worry too much if they cross populate with google (at the moment) then use my email address aliasing service to create the emails for those. This is done by just remembering this account goes with this browser/ profile.

In the future, I may be these in an encrypted file that has this configurations or create some sort of automation that allows me to enter that pseudonym with IoC (maybe vagrant to spin up VMs) and Ansible to automate the services.

But also just seeing how you technically store these configurations to recall for later?

4 Likes
2

I’d heavily encourage editing your post to refer to your accounts as pseudonyms, as the term “sock puppets” doesn’t just have a nefarious/negative connotation, but is actually the standard definition.

The use of the term has expanded to now include other misleading uses of online identities, such as those created to praise, defend, or support a person or organization, or to circumvent restrictions, such as viewing a social media account that they are blocked from, suspension, or an outright ban from a website. A significant difference between a pseudonym and a sock puppet is that the latter poses as a third party independent of the main account operator. Sock puppets are unwelcome in many online communities and forums.

2 Likes
3

The way I tend to break this down for clients I coach…

One of your first steps is to figure out what your pseudonym is for. Ask yourself why this pseudonym is required and what it actually accomplishes for your privacy & security. Less hypotheticals and theories, but verifiable advantages offered. This generally requires at least a broad understanding of what your own threat model is, so I’d start there if you haven’t yet.

Once you understand what a particular pseudonym can provide, let’s say their name is Taylor, then you have to think about the environment to create for Taylor. I generally have the following breakdown from lowest to highest degrees of safety:

  • Exclusive Account(s) for Taylor
  • Exclusive Browser Profile for Taylor
  • Exclusive Browser for Taylor
  • Exclusive OS User Account for Taylor
  • Exclusive OS on a VM for Taylor
  • Exclusive OS via Dual Boot/LiveOS for Taylor
  • Exclusive Device(s) for Taylor

On the easiest side of the spectrum, Taylor can just be a second Reddit account of yours that’s registered with a different SimpleLogin alias. On the most extreme side, Taylor is an entire identity with their own exclusive devices, phone numbers, VPN etc.

Aside from understanding your threat model and how much protection you actually need, a good indicator of how extensive your pseudonym needs to be is how many accounts they need to have. The more accounts and the larger their digital footprint is, generally the more extensive their environment needs to be - hence more time/energy/effort required to maintain.

I give this background because when you ask how to keep track of a pseudonym, it actually greatly depends on how extensive these pseudonyms are. If you’re just creating a secondary reddit account under Taylor because you want to privately receive support about a sensitive topic, then Taylor can just live in a folder in your password manager and some private windows in your browser and that’s it. In short, it generally helps to step back and reflect on your pseudonyms, because many of the questions you asked are naturally answered based on the environments that make the most sense for a use-case. Example: If you feel it’s best to have a separate user account on your computer just for your pseudo, then it naturally makes sense to have its own exclusive VPN, browsers, and maybe even password manager.

The rabbit hole is literally endless when it comes to pseudonyms, so the best advice I can give is to spend more time reflecting on what the pseudonym even provides, and then structuring your workflow around how sensitive it needs to be. When you’re asking if they should be Tor-routed or using exclusive VPNs, this is a hard question for the community to reasonably answer based on the information you provided, as there are no universal answers and we need more info.

I personally found for myself and a lot of my clients that pseudonyms are a super easy place to go overboard.

If you need more direct/specific assistance, it’d help a lot to get more details on your specific situation. One more thing, these are just some of my experiences with pseudos, other people here may have other suggestions which may align more with other people’s goals and use-cases

6 Likes
4

That was super comprehensive, thank you!

I just edited my original post to hopefully clarify that I’m more interested in how pseudonym’s configurations are stored, and not looking for advice on what configurations a pseudonym should have (i.e. vpn or tor).

5

As recommended using a password manager has helped me.
Most of my pseudonyms which require this level of management are connected to a real world address, have a phone number, shipping address, etc… I store this information in my contacts. All these contacts have a Signal account so I can share (transfer) information, most all of these pseudonyms have a separate main device which “they” use.
With out going down a rabbit hole, I could see myself treating each pseudonym (which in my notes I refer to as aliases) and going through a checklist just as I would treat myself.
My biggest concern is cross contamination where I am the problem.

6

I would put a different spin on this, though Henry’s framework is super helpful work within.

In my opinion, if your alias is one where you’re fine with someone finding out about it from your real identity, then you could just use your main password manager and identify how you will contain that alias. Your main threat is someone pushing from your alias to find your real identity, not that someone from your regular life will find that alias. That’s personally the case for me where I don’t do anything with my aliases that I couldn’t explain to someone IRL.

However, that’s not always the case. If you need to hang on to an account but would feel compromised if it was discovered through your real identity, then consider a separate password manager where the two don’t mix. There may be sensitive topics or communities for people where they don’t want people in real life to find out about it. An example could be someone who is in the closet about their sexual orientation not wanting a family member to know about communities they are a part of. You could have your main password manager on your phone, but the other password manager is one you log into online for those specific instances.

Hopefully that provides another dimension you can use for choosing where to store credentials.

2 Likes