Starting a new digital identity (k3tan.com)
248 points by noch | 2021-04-21 06:20:06 | 94 comments




This is a form of blue team hacking, and instead of doing offense, you are doing defense. It's worth remembering how it can all come crumbling down due to bad OPSEC. Read this for more information: https://blogsofwar.com/hacker-opsec-with-the-grugq/

The covert lifestyle can be mentally taxing, and you will make mistakes (if you're not consistently careful). Here's a good quote from that Grugq article:

    As I phrased it in my “The Ten Hack Commandments” — be proactively paranoid, it doesn’t work retroactively.

> The covert lifestyle can be mentally taxing, and you will make mistakes (if you're not consistently careful).

Catch the flu or a cold, get shorted on sleep for one or more nights or have one distracted moment for any random reason and that can make the whole thing fall apart. People seem to vastly underestimate this reality.

Also: In practice, people who are in earnest on the run are often identified based on things like subscribing to their favorite magazines related to their hobby.

I think for most people that's the harder thing to address: How do you just stop being yourself and develop entirely new interests?

Trying to just not do X because it's closely associated with who you are is amazingly hard and can rapidly start making people actually crazy. This is much harder to do than breaking a bad habit which is infamously hard for most people under the best of circumstances.


>How do you just stop being yourself and develop entirely new interests?

Furthermore, no contact with people from prior life. Access to healthcare. Access to money if you didn't take a big pile out (and then where do you keep it?) Where do you live without a bank account? Driving is a big risk. The list goes on.


> I think for most people that's the harder thing to address: How do you just stop being yourself and develop entirely new interests?

But why? There's countless people that enjoy the same things you do. Unless you're into very niche activities, it should dilute in the noise. Maybe drop the least popular activities/subscriptions/toys?


I read an article on people who work for life insurance companies that track down “missing presumed dead” people. The most common trip up was that they did not fully cut ties from their old life. Including friends, family, and hobbies and such.

You’d be surprised.

Anyone have the link? I can’t seem to find it.


There are lots of people who like cars, and lots of people who like avocados, and lots of people in your ZIP code, but the intersection of those sets is... you.

> The only social media I would have is a nym twitter account

What is nym in this context? That's a new word for me.


Nym

The pseudonym a person selects and uses to sign his or her postings to websites, blogs, etc. so as to create a unique online identity without revealing their actual name/identity.

"With his most recent idiotic post, Little_Brain really lived down to his nym."

Source: https://www.urbandictionary.com/define.php?term=Nym


"What is nym in this context?"

It is shorthand for pseudonym.


I can see some logic in buying second hand devices, but wouldn't it be better to buy new ones with cash, since second hand devices already have a history of usage that could lead to locating you?

Might not be an option for the phone as it takes a while for alternative OSes to add support for particular hardware, so generally only older models are compatible.

What's your threat model? That new phone's serial number has records of being shipped to the store you bought it at. The store has cameras and sales receipts.

Can someone explain to me why he doesn't use his existing cash to buy stuff?

Would make sense if he withdrew small amounts from an ATM incrementally, but if he withdrew say $5k and then his web footprint went dead it draws a lot of red flags.

Although it depends who your adversary is at the end of the day.


People commonly withdraw thousands of dollars and then disappear from online banking or bank-card use, if they leave to travel for some months in e.g. sub-Saharan Africa or Andean villages where all transactions will be made in cash.

That's associated with a big travel purchase so you can cut that possibility out pretty quickly.

> People commonly withdraw thousands of dollars and then disappear from online banking or bank-card use

In fairness, using contactless payments is super convenient and although it leaves a data trail, the sheer convenience of being able to buy a beer without fumbling around in my pockets is great. It's the old privacy versus convenience argument. But then, here in the EU you can compartment your card use with things like Revolut, and you can even secure your card by setting a limit on how much you can spend with contactless (no affiliation with Revolut, I just enjoy their app).

Of course in an ideal world, there would be no such (transparent) data trail and you would pay for everything with Monero, over Tor lol


Was I not clear in my post above? People sometimes take out cash before traveling because cash is the only way to pay for things in certain parts of the developing world.

Sorry, I skipped that part where you meant the developing world. I'm referring to how I spend my money in the EU. Revolut has all these 'neobank' features of limiting contactless spend, creating a virtual disposable card for e-commerce purchases, and also being able to send money to others, etc.

Well, I’d be extremely surprised if Revolut kept all that juicy data for themselves. The net privacy benefit of their disposable cards is most likely negative over using a more privacy-respecting single card bank.

I had the same dirty feeling whenever I paid with my Revolut cards as I do when someone I legit want to connect with adds me on Facebook.


But this case can be ruled out by the authorities since there won't be a record of them crossing any borders.

I think he wants to be untraceable from start to end, no credit card.

"Cash" implies physical currency. My guess is that he doesn't want to get the notes from an ATM because those serial numbers can be traced to him (not sure whether banks actually do that). That said, doing a bunch of odd jobs to get $1000 seems excessive. You'd probably have better luck getting change from random shops. Something like a farmers market would be ideal because they deal in cash, probably don't have facilities to record serial numbers, and probably don't have cameras around.

This is a topic I think a lot about. I don't have a lot of time this morning so I will just say a few things ...

First, the OP describes an eSIM for his mobile phone - in this case with a provider named "silent.link". In my experience, eSIMs provide "voip" numbers and not actual "mobile" numbers. This is an important distinction since most 2FA verifications[1] come not from a phone number, but from a "short code"[2] and voip numbers cannot receive SMS from a short code. So you are quite limited in what services you can sign up for and maintain with just an eSIM.

Second, the term "threat model" does not appear in the article. This is important because if your threat model is "everyone except state level actors" or "everyone but state level actors AND my bank" the possibilities open up dramatically. I think there is a tremendous amount of benefit in remaining anonymous in relation to your carrier and the FAANGs and (various vendors) that is realistic to achieve - but anonymity in relation to state level actors is practically impossible.

Third, there is a big, giant blind spot in the entire chain of identity and that is the following: VISA/MC do not validate name and address[3]. It seems like they do - and merchants believe that they do - but they do not. This means you can use your bank card with any name you like and the minimal address match (which, in the US, is zip code). I'm not going to diagram this out for you but if your threat model is (everyone except bank and state level actors) you now have the basis for a working pseudonym.

Fourth, a second blind spot in the chain of identity is a business tax ID (which you can get for free at[4]). Many providers (like mobile carriers) ask for things like SSN, etc., but if you say "business" and give them a tax ID, it's like their brains turn off. They typically don't even ask for ID. You can initiate service over the phone. You may be forced to pay a higher rate for "business service".

[1] gmail, your bank, even twilio (ironically).

[2] https://en.wikipedia.org/wiki/Short_code

[3] AMEX does.

[4] https://sa.www4.irs.gov/modiein/individual/index.jsp


> In my experience, eSIMs provide "voip" numbers and not actual "mobile" numbers

Are you conflating eSIMs (which are just equivalent to physical SIMs) with "burner phone" apps? I guess it's possible that the MVNO uses voip numbers rather than "real" phone numbers, but several large mobile providers (eg t-mobile) use eSims.

> This is an important distinction since most 2FA verifications[1] come not from a phone number, but from a "short code"[2] and voip numbers cannot receive SMS from a short code

jmp.chat is a voip service and supports short codes just fine.

https://jmp.chat/sp1a/faq/


"Are you conflating eSIMs (which are just equivalent to physical SIMs) with "burner phone" apps? I guess it's possible that the MVNO uses voip numbers rather than mobile numbers"

I am thinking specifically of eSIM providers like truphone who do all kinds of nice and interesting things, but the numbers are voip numbers. Yes, you do get a physical SIM from truphone but the numbers terminate to (non-mobile) numbers. You can't get SMS from shortcodes with truphone.

"jmp.chat is a voip service and supports short codes just fine."

I'm not so sure ... the issue here is receiving SMS from shortcodes (which is how gmail, for instance, sends 2FA auth to you) and I don't see that jmp.chat can receive SMS from shortcodes ... see[1] which says:

"Unfortunately it did not. I was not consistently able to receive short code SMS. I've since fallen back to using cellphone service from Telus which allows me to receive shortcodes."

[1] https://www.reddit.com/r/VOIP/comments/8z44iu/mobile_voip_ca...


> I don't see that jmp.chat can receive SMS from shortcodes

Hi there! One of the lead devs at JMP.chat here -- our service definitely supports receiving SMS from short codes. We cannot currently support Canada-only short codes (only north-america-wide short codes).

I personally use my JMP number for receiving 2FA codes all of the time (and I have not had another phone number in 4 years).


Thank you - this is interesting (I had not heard of jmp.chat prior to this thread).

Can you comment on this:

https://www.reddit.com/r/VOIP/comments/8z44iu/mobile_voip_ca...

... and why the author might have experienced that?


It's hard to say without more information. The context there looks Canadian so it's possible their providers were using Canada-only short codes. Sometimes providers change strategies on a retry also (I always have to click "retry" for Google 2FA but it always works on second try)

> I am thinking specifically of eSIM providers like truphone who do all kinds of nice and interesting things, but the numbers are voip numbers.

That has nothing to do with eSIM though? That’s just the operator terminating VoLTE to VoIP numbers. eSIM is the equivalent of OTA flashing in good old CDMA2000, just in LTE.


I opened a mobile account with T-Mobile once, and they asked for my SSN (in fact, they even took a copy of the card). Then, somehow, they mistyped the SSN in their records.

It was a special kind of hell getting them to fix that, because of course any discussion about it, or changing anything else on the account would take the form "what's your SSN to verify your identity?" / "Well, I can tell you my real SSN, but I don't know what wrong SSN you have there...", etc, etc.

Eventually I sat down with some poor staff member at a retail location who spent an hour or two getting transferred around at the head office to fix it.


Curious: did you try getting a new account as a completely new person?

No. I'm sure I could have, I didn't want a new phone number, and I guess I would have run into much the same problem closing the old account anyway.

I had the same problem with a car insurance company and my birth date (was off by a year). I ended up navigating the call labyrinth ("It's mm/dd/yyyy but I think you have yyyy-1... ok, I'll hold") just enough to cancel the policy.

> First, the OP describes an eSIM for his mobile phone - in this case with a provider named "silent.link". In my experience, eSIMs provide "voip" numbers and not actual "mobile" numbers. This is an important distinction since most 2FA verifications[1] come not from a phone number, but from a "short code"[2] and voip numbers cannot receive SMS from a short code. So you are quite limited in what services you can sign up for and maintain with just an eSIM.

You are right but this issue is even bigger as many smaller providers too use something that is more VOIP than anything else. My actual phone number gets red-flagged ~80% of the time. Meaning I use shady SMS verification services most of the time.


>[...] but instead opt for a free Protonmail account

Protonmail faces a lot of spammer signups for their free plan and requires a reCaptcha, Email, or SMS to create a free account[0]. In practice I've always been asked for an email or SMS.

They do clarify:

>We don’t save reCaptcha results. If you are presented with Email or SMS verification, we only save a cryptographic hash of your email or phone number which is not permanently associated with the account that you create.

so it seems okay, but there is a temporary trail (I remember reading that they delete these after some time) to your original email/mobile to maintain rate-limits.

Something to keep in mind.

[0]: https://protonmail.com/support/knowledge-base/human-verifica...


>In practice I've always been asked for an email or SMS.

I suspect it depends on your IP reputation. A VPN or Tor exit code would definitely get hit with those measures, given how much abuse emanates from them. The IP reputation of a local library would be relatively clean.


A "digital identity" should be easy enough, using the steps mentioned or by other means.

I have sometimes thought it would be (more) interesting doing this with a real identity. I suspect it wouldn't actually be that hard to find an identity / birth certificate for someone from an obscure county, perhaps with poor / lost records and try to build up a paper trail from there, as much as a sport as anything else.

I have a suspicion that it would be fairly doable to get quite far with it, but of course one slip-up and you could end up in prison.


Remaining anonymous in the physical world is much tougher--although, again, it depends on your threat model. I think you'd almost have to have a fake ID which you wouldn't want to use in circumstances where it might actually be checked against databases, such as driving.

The goal wouldn't be anonymity, rather to have a real, valid (state-issued) driver's license with a different name on it to use when convenient.

>an identity / birth certificate for someone from an obscure county

That would not get you a driver's license in the US. You're also required (probably in all states--certainly to get a REAL ID-compliant card) to have proof of citizenship or lawful presence.


Birth certificate in an obscure county is proof of citizenship - perhaps you misread that as "country".

I sure did ;)

Yup. Where I live counties aren't terribly significant. :-)

> but of course one slip-up and you could end up in prison.

Felonies are funny that way.


Can you get SIMs issued to companies and use them for company phones and have your alter egos be on the record as consultants and use those phones?

This is more about avoiding having a digital identity. I recently created a second Twitter account to create some separation between personal and business interests, conversations, etc.

Not that I want to have two identities, but I would like to be able to distinguish between them. It was not difficult, but required some effort to create separation (I didn't want twitter suggesting my "business" account to my friends I already followed on my personal account).

Facebook was another story. I have never had a Facebook account until a couple of weeks ago. I took on a new hobby recently, and the most active community around this topic is exclusively on Facebook. I joined and immediately disabled the ability to be seen to the extent I saw possible. But then Facebook disabled my account within 24 hours – the irony! They allowed a review process, which required a selfie (they clearly know my identity through facial recognition, despite having never supplied a picture myself). They let me back in fairly quickly. But I hate having to "support" the ecosystem. And it turns out I cannot friend anybody without allowing their friends to view my account.


One thing that helped me a lot with this is Firefox containers. I started using it just to separate work and personal, but now I have Work, Personal, School, my professional blog, and my DND sessions and it is great, it really promotes separation and helps me manage all of them seamlessly and independently.

That's a good tip. Thanks. Twitter actually makes it easy to switch between accounts in their app, but I do have a mangled mess of folders, files, bookmarks, etc.

We don't have to support it. We are unwilling to pay the cost of the friction facebook removes from our ability to connect to their community.

Are you saying that without Facebook the community wouldn't exist because participants wouldn't pay to play? I'm just not quite clear on your comment.

I think OP's point was: Nobody is forced to use Facebook. People choose to use it even though they hate supporting the ecosystem, because it makes some things convenient. Pretty obvious point but some people here (not you) claim that participation is something you are essentially forced to do, for whatever reason.

That makes sense. I totally agree.

There are existing, well-established online communities outside of Facebook for this particular topic I am interested in. And now that I have found out about the Facebook group, I see why they appear to be slowly dying. OP seemed to imply it's Facebook or nothing. I disagree with that.

And I think there are many examples of communities outside of Facebook that do it well in a privacy-friendly way that are well supported by its members.

I am definitely making an un-forced choice to join to have access to their content. The trade-off, of course, is that I have to agree to their terms and offer my pseudo "support."


I created a fake Facebook account two years ago (no photo, no friends, fake name and random profile information) just to be able to see the events around me. Ironically I never got banned, while I hear all those stories about legitimate users getting blocked...

I've experienced the same. Facebook must 'have a file' on non-users

Yep :(

I only had to activate a Facebook account because the Oculus Quest 2 required it. I’d rather not have an account


Reads sort of like part nerd romance and part paranoia-tinged thriller. 3 out of 5 stars, would recommend to my engineer friends.

Not useful. How would you improve? What made you dock those 2 stars? Any better advice?

By starting with a more relatable premise. Even within this very tech-minded and privacy-conscious audience, only a microscopic minority will be interested in actually taking such measures.

For a less romanticised, more practical resource on the topic, I recommend The Hitchhiker’s Guide to Online Anonymity https://anonymousplanet.org/guide.html

(also, Monero > bitcoin)


The "get an anonymous pre-paid sim card" section doesn't tell you what to do if you can't get one in your country.

You buy one. You can probably buy a sim card for cash in any high school, college, or public park.

You may be surprised to find this is getting increasingly unlikely in more and more places.

If you're not bothered by having a conversation with the homeless, indigent, or hard-up, then it's more doable than you think. You're not just subject to the chance of happening upon someone already in the business of providing these services. You can be a job creator.

With mandatory (and otherwise widespread) masking policies right now, it's even easier than under normal circumstances.


> You can be a job creator.

And the godfather, depending on how local laws are written.


At least where I live, there is simply no option for voice/SMS SIM cards other than a subscription drawing from your credit card or bank account etc. So it would take the proxy person to also hold a bank account or credit card and be on the hook for any charges to the SIM card. Even with government ID etc they can't just go to a shop and pick up a prepaid for cash.

Theoretically possible, yes, but in practice, I think the only option is if you have the "right" connections with organized crime. I don't think you'd be able to solicit on the streets, even in the capital.


"desirable illegal thing isn't available on the black market" is wrong. Not even worth saying it. No, that horrific thing you're thinking of isn't a counterexample but you probably can't afford it.

In Mexico a new law was passed that requires all sim cards/phone numbers to be registered to the person using it, up to the biometric data.

Same in Germany. Fortunately there are services like digitalcourage where you send your card and get another random back - easy to deflect the legal issues you'll be confronted with because it's not illegal to exchange.

Why has this loophole not been closed? It seems really easy to ban exchanging personal SIMs.

Mexico already tried something like this in 2008 IIRC, and it was aborted because the database was leaked and sold for like 20-30 USD a copy. That database empowered fraudsters then, and I fear this new one, having recent biometric data, would be even worse if passed, as our government is an even less capable digital steward now. If this law gets enforced, a loophole like the one DigitalCourage uses would be closed quickly.


Because it doesn't actually help and creates a false sense of security.

It's still being contested, so far no telco has asked for biometric data, yet.

Just purchased a telcel SIM without any info.

It was voted in the last instance a couple of days ago.

There will be some delay until it's implemented and apparently there are plans to contest it.


Got it! Thanks

Pay someone a small tip to buy and register a pre-paid SIM card for you.

(This seems to be common for people churning/abusing new account bonuses.)


They're suggesting you buy cryptocurrency then buy an eSIM online (which comes in the form of a QR code you scan) from a particular, kind of sketchy service. Don't need to worry about country restrictions unless the country you're in somehow bans roaming.

Writer of the guide here. I actually do tell you what to do in that case:

- Take the cost and go physically to such a country

- Use online services such as dtmf.io and pay with Monero (there are others but I didn't test them and some are "sketchy" to say the least)

But you could also just ask someone you trust in such a country to buy one for you (carefully) and mail it to you including a top-up voucher paid by cash.

Otherwise, well, just don't use services that require phone numbers for verification. No other way I'm afraid.


> (also, Monero > bitcoin)

Agree, but IMO both are old tech since they're proof of work. Any good privacy-focused crypto like monero that's efficient?


No, nothing beats PoW as a consensus protocol when it comes to security and privacy so far, unfortunately.

Pretty recent rundown of privacy coins posted on reddit: https://www.reddit.com/r/CryptoCurrency/comments/md3toy/2021...


I would think that true digital hiding requires a good bit of misdirection. If you go completely off the grid, then you leave a hole where a person should be. But if you have a legitimate house, credit card, phone, facebook account, etc. then you have plausible deniability when it comes to hiding.

The person looking into you might shrug and be like, "this is all we have on them."


> But if you have a legitimate house, credit card, phone, facebook account, etc. then you have

... committed identity theft, punishable by 20 years in the can.


Yeah, Facebook does not f*ck around.

Paying with bitcoin for an eSIM, isn't bitcoin digital gold? Has the narrative changed?

Leading an identity-less life will not protect you from having your business intruded upon. It requires a lot of effort and setup, which means a lot of possible trails to leave behind. And if people look into you and see nothing where you should be, that's immediately suspicious.

Criminals have been doing it for ages though, by keeping a low profile. You cannot reliably hide from the state, but if you seem insignificant you can go unnoticed for a long time. Low-level dealers in many countries just use WhatsApp, some straight up text and call, despite knowing police could always be listening. If you're selling to a couple dozen people, the police won't bother tracking you down. They have bigger fish to fry. Higher-level dealers engage in much more OPSEC: using fake names, not letting anyone not involved see them, meeting in person etc. This is a consequence of the fact that they are more likely to be noticed.

