This is more about avoiding having a digital identity. I recently created a second Twitter account to create some separation between personal and business interests, conversations, etc.<p>Not that I want to have two identities, but I would like to be able to distinguish between them. It was not difficult, but required some effort to create separation (I didn't want twitter suggesting my "business" account to my friends I already followed on my personal account).<p>Facebook was another story. I have never had a Facebook account until a couple of weeks ago. I took on a new hobby recently, and the most active community around this topic is exclusively on Facebook. I joined and immediately disabled the ability to be seen to the extent I saw possible. But then Facebook disabled my account within 24 hours – the irony! They allowed a review process, which required a selfie (they clearly know my identity through facial recognition, despite having never supplied a picture myself). They let me back in fairly quickly. But I hate having to "support" the ecosystem. And it turns out I cannot friend anybody without allowing their friends to view my account.
For a less romanticised, more practical resource on the topic, I recommend The Hitchhiker’s Guide to Online Anonymity <a href="https://anonymousplanet.org/guide.html" rel="nofollow">https://anonymousplanet.org/guide.html</a><p>(also, Monero > bitcoin)
This is a topic I think a lot about. I don't have a lot of time this morning so I will just say a few things ...<p>First, the OP describes an eSIM for his mobile phone - in this case with a provider named "silent.link". In my experience, eSIMs provide "voip" numbers and not actual "mobile" numbers. This is an important distinction since <i>most</i> 2FA verifications[1] come <i>not</i> from a phone number, but from a "short code"[2] and voip numbers cannot receive SMS from a short code. So you are quite limited in what services you can sign up for and maintain with just an eSIM.<p>Second, the term "threat model" does not appear in the article. This is important because if your threat model is "everyone except state level actors" or "everyone but state level actors AND my bank" the possibilities open up <i>dramatically</i>. I think there is a tremendous amount of benefit in remaining anonymous in relation to your carrier and the FAANGs and (various vendors) that is realistic to achieve - but anonymity in relation to state level actors is practically impossible.<p>Third, there is a big, giant blind spot in the entire chain of identity and that is the following: VISA/MC <i>do not validate name and address</i>[3]. It seems like they do - and merchants believe that they do - but they do not. This means you can use your bank card with <i>any name you like</i> and the minimal address match (which, in the US, is zip code). I'm not going to diagram this out for you but if your threat model is (everyone except bank and state level actors) you now have the basis for a working pseudonym.<p>Fourth, a second blind spot in the chain of identity is a business tax ID (which you can get for free at[4]). Many providers (like mobile carriers) ask for things like SSN, etc., but if you say "business" and give them a tax ID, it's like their brains turn off. They typically don't even ask for ID. You can initiate service over the phone. You <i>may</i> be forced to pay a higher rate for "business service".<p>[1] gmail, your bank, even twilio (ironically).<p>[2] <a href="https://en.wikipedia.org/wiki/Short_code" rel="nofollow">https://en.wikipedia.org/wiki/Short_code</a><p>[3] AMEX does.<p>[4] <a href="https://sa.www4.irs.gov/modiein/individual/index.jsp" rel="nofollow">https://sa.www4.irs.gov/modiein/individual/index.jsp</a>
This is a form of blue team hacking, and instead of doing offense, you are doing defense. It's worth remembering how it can all come crumbling down due to bad OPSEC. Read this for more information: <a href="https://blogsofwar.com/hacker-opsec-with-the-grugq/" rel="nofollow">https://blogsofwar.com/hacker-opsec-with-the-grugq/</a><p>The covert lifestyle can be mentally taxing, and you <i>will</i> make mistakes (if you're not <i>consistently</i> careful). Here's a good quote from that Grugq article:<p><pre><code> As I phrased it in my “The Ten Hack Commandments” — be proactively paranoid, it doesn’t work retroactively.</code></pre>
>[...] but instead opt for a free Protonmail account<p>Protonmail faces a lot of spammer signups for their free plan and require a reCaptcha, Email, or SMS to create a free account[0]. In practice I've always been asked for a email or SMS.<p>They do clarify:<p>>We don’t save reCaptcha results. If you are presented with Email or SMS verification, we only save a cryptographic hash of your email or phone number which is not permanently associated with the account that you create.<p>so it seems okay, but there is a temporary trail (I remember reading that they delete these after some time) to your original email/mobile to maintain rate-limits.<p>Something to keep in mind.<p>[0]: <a href="https://protonmail.com/support/knowledge-base/human-verification/" rel="nofollow">https://protonmail.com/support/knowledge-base/human-verifica...</a>
I would think that true digital hiding requires a good bit of misdirection. If you go completely off the grid, then you leave a hole where a person should be. But if you have a legitimate house, credit card, phone, facebook account, etc. then you have plausible deniability when it comes to hiding.<p>The person looking into you might shrug and be like, "this is all we have on them."
A "digital identity" should be easy enough, using the steps mentioned or by other means.<p>I have sometimes thought it would be (more) interesting doing this with a real identity. I suspect it wouldn't actually be that hard to find an identity / birth certificate for someone from an obscure county, perhaps with poor / lost records and try to build up a paper trail from there, as much as a sport as anything else.<p>I have a suspicion that it would be fairly doable to get quite far with it, but of course one slip-up and you could end up in prison.
Leading an identity-less life will not protect you from having your business intruded upon. It requires a lot of effort and setup, which means a lot of possible trails to leave behind. And if people look into you and see nothing where you should be, that's immediately suspicious.<p>Criminals have been doing it for ages though, by keeping a low profile. You cannot reliably hide from the state, but if you seem insignificant you can go unnoticed for a long time. Low-level dealers in many countries just use WhatsApp, some straight up text and call, despite knowing police could always be listening. If you're selling to a couple dozen people, the police won't bother tracking you down. They have bigger fish to fry. Higher-level dealers engage in much more OPSEC: using fake names, not letting anyone not involved see them, meeting in person etc. This is a consequence of the fact that they are more likely to be noticed.
I can see some logic in buying second hand devices, but wouldn't be better to buy new ones with cash since second hand devices already have a history of usage that could lead to locate you?