On Twitter: @JamesFirth and @s_r_o_c (post feed)

Got a tip? tip@sroc.eu

Friday, 16 November 2012

How to remain as untraceable as practically possible on Twitter

I've thought long and hard about whether this post is irresponsible or in the public interest.  I decided to publish, due to the numerous issues it raises.

The first thing to remember is that online, at a transaction level, there is no guaranteed way to ensure your online behaviour is untraceable.  There's always a chance that someone with sufficient access to enough of the network might be able to link your actions to you.

No method of so-called online anonymisation is foolproof.  In addition, your behaviour over time when using Twitter might give you away.

To use Twitter with minimum chance of being traced you need at least two things:
  1. Access to the internet that cannot be linked to you, or anonymisation software such as TOR
  2. A Twitter account that can't be linked to you
This may sound like stating the obvious but it's vital not to forget that a Twitter account you created using e.g. your home internet connection or an email address you used for other purposes can probably be linked back to you.

So you may be forced to start by creating a "clean" email address in order to register with Twitter, not forgetting to do this using robust anonymity software or an internet connection that can't be traced to you.  If you're in an internet cafe, check for cameras and don't pay by plastic!

This itself is getting increasingly difficult. Gmail along with some other email providers now require you to supply a telephone number or secondary email account. Ostensibly to prevent spam, such checks also make it far harder to create an untraceable email account.

So you're in. You now have a shiny new Twitter account... with zero followers!

No, you can't take your existing healthy Twitter following with you. You're starting from scratch, tweeting to an empty chamber.  Whether you want to get up to mischief of some description or protect yourself whilst blowing the whistle on misbehaviour, you face an uphill struggle to get an audience.

No, you can't simply re-tweet the information you put on the hidden account using your real account, as this will be a dead give-away.  Any investigator would question how the tweet came to your attention? A twitter search is plausible but would be a big coincidence, especially if you become a major cheerleader for your hidden self. 

In any case this might not be practical, if your aim is to release information without getting sued.  In most cases re-tweeting doesn't shield you from liability for the content.

And anyway you might want to release information about your employer that you couldn't possibly re-tweet into your own stream without getting fired.

It's also risky to start @-mentioning your existing followers.  Being familiar with the Twitter API it is possible for a skilled programmer to build up a network diagram of who follows whom.  

If I was tasked to investigate such a case I would start by looking at the followers and followees of each of the tweeters mentioned.  I speculate that as few as a dozen data points might narrow a list of suspects to less than 10 in many cases.

Of course you could blow some smoke by mentioning people at random, but it will still be a challenge to build an audience using an untraceable account in order to get your message out.

If you're lucky you might be able to catch the attention of someone willing to take up your cause. But this largely assumes you're attempting to do the right thing with your anonymous presence, because others are unlikely to propagate your message if your motives are suspicious.  Of course the right thing here is highly subjective.

Maybe, as the law threatens to get to grips with online content, you decide it is worth the effort, and you decide to use your "anonymous" twitter account at all times to build a completely new following.  Now the fun and games really start.

Want to tweet on the go?  Does your phone and network support your choice of anonymity software?

Want to upload a picture?  Can you be sure your camerphone is not embedding information about your location, or even your identity?

Want to live tweet from an event? Forget it. Talk about your real-life experiences? Risky. Follow the same people you had previously followed? A dead give-away.

Will anyone even follow you? And even if they do, will they treat your output as credible?

I personally prefer to follow names and faces, people who stick their head above the parapet, simply because the only badge of trust you have in the online scrum is your identity.

How do I know real people sit behind these names and faces? That's another challenge, but to date I'm yet to be surprised.

In reality, truly untraceable communications for anything more than a one-hit wonder is practically impossible.

But that's not to say some or all of the above methods aren't legitimately useful, depending on your circumstances. 

The conclusion for lawmakers though, when they're tempted to come down hard on technology they don't understand, is that there are already plenty of safeguards to prevent abuse of the system.  It's just that these safeguards are largely determined by the participants themselves, not Parliament or the courts.



  1. Sure this is all well and correct from a theoretical standpoint but practically who's able or willing to go to the lengths needed to trace you, assuming all you want to do is smear the odd innocent politician?

  2. (Comment moved over from wrong post)

    The security services of various nation states (as well as large corporations) use networks of sockpuppet social media accounts to inject misinformation.

    The account is farmed, semi-automatically posting drivel and gradually building up plausible looking random followers/friends. Once it looks like it has a healthy reputation it is then ready to be used as part of a misinformation campaign.

    I would not be surprised if there's a market in such accounts, using payment methods such as Bitcoin.

    You wouldn't start with a cold account - not enough noise to hide traceable links back to yourself.


Comments will be accepted so long as they're on-topic, do not include gratuitous language and do not include personal attacks or libellous assertions.

Comments are the views of the commentator and not necessarily the view of the blog owner.

Comments on newer posts are not normally pre-moderated and the blog owner cannot be held responsible for comments made by 3rd parties.

Requests for comment removal will be considered via the Contact section (above) or email to editorial@slightlyrightofcentre.com.