Who are you trying to confuse into keeping your identities separate? Governments and big businesses use a LOT of data in their identity graphs to link accounts for things like fraud detection and ad delivery—the actual account name isn’t all that important. But the results of such linking isn’t that horrific either.
If you just don’t want to be noticed by regular humans across sites, you don’t need much beyond deniability or a bit of doubt, which you get by default if you use a somewhat common username (say, Dagon, though the additional knowledge that I’ve been using it online since before the Internet existed is identifying to some). And easily by using a minor variant on sites.
Or, as you seem to have done here, make throwaways whenever you want to dissociate from your “real” identity(ies).
I agree that deniability from a technical perspective (such as absence of a direct link from the account on one platform to the account on the other platform and vice versa) doesn’t necessarily make it much harder to identify that it’s the same person. On the other hand, even if the username, profile picture, etc. are exactly the same, one needs to be careful about associating the accounts too quickly, especially in the case of some common/simple username—it could just be a coincidence.
It seems that things like behavior and writing style are more important to keep similar or distinct—it would take a little while longer to pick them up for an outside observer, but they seem to be much more reliable signals for linking accounts; even if the user in question denies that both accounts belong to them, I think it’s more likely that the observer just wouldn’t believe them if they know the user’s writing style.
On the other hand, even if the username, profile picture, etc. are exactly the same, one needs to be careful about associating the accounts too quickly, especially in the case of some common/simple username—it could just be a coincidence.
I agree with you. Unfortunately, many of the actors in my threat model wouldn’t.
Style and behaviour[1] can leak a bunch of info, agreed. One approach that can mitigate this to an extent is to come up with a character that is a reasonable proxy for you on the subject, and have said pseudonym consistently attempt to emulate that character[2]. This is a good skill to have anyways[3].
This is one reason to be cautious of rich text editors on websites. Leaking keystrokes as you are composing a post leaks far more info than the final text[4]. Typing in an external application and pasting in once you are done is less terrible.
Who are you trying to confuse into keeping your identities separate?
This is a good question, I don’t really have a specific threat model in mind. Obviously, I want “the bad guys” to know as little about me as possible, but I can’t seem to easily define who they are and how I would identify someone as belonging to them before I had a chance to talk with that someone or at least observe their behavior for a while. Regarding the quiz idea in my question, them having similar interests (or knowing mine) doesn’t guarantee that they aren’t part of “the bad guys” either.
Who are you trying to confuse into keeping your identities separate? Governments and big businesses use a LOT of data in their identity graphs to link accounts for things like fraud detection and ad delivery—the actual account name isn’t all that important. But the results of such linking isn’t that horrific either.
If you just don’t want to be noticed by regular humans across sites, you don’t need much beyond deniability or a bit of doubt, which you get by default if you use a somewhat common username (say, Dagon, though the additional knowledge that I’ve been using it online since before the Internet existed is identifying to some). And easily by using a minor variant on sites.
Or, as you seem to have done here, make throwaways whenever you want to dissociate from your “real” identity(ies).
Depends.
If you mean ‘some other random user on the site figuring out who you are’, yes.
If you mean ‘someone who knows you digging up dirt to toss the Twitter hoard at you’, not so much.
I agree that deniability from a technical perspective (such as absence of a direct link from the account on one platform to the account on the other platform and vice versa) doesn’t necessarily make it much harder to identify that it’s the same person. On the other hand, even if the username, profile picture, etc. are exactly the same, one needs to be careful about associating the accounts too quickly, especially in the case of some common/simple username—it could just be a coincidence.
It seems that things like behavior and writing style are more important to keep similar or distinct—it would take a little while longer to pick them up for an outside observer, but they seem to be much more reliable signals for linking accounts; even if the user in question denies that both accounts belong to them, I think it’s more likely that the observer just wouldn’t believe them if they know the user’s writing style.
I agree with you. Unfortunately, many of the actors in my threat model wouldn’t.
Style and behaviour[1] can leak a bunch of info, agreed. One approach that can mitigate this to an extent is to come up with a character that is a reasonable proxy for you on the subject, and have said pseudonym consistently attempt to emulate that character[2]. This is a good skill to have anyways[3].
This is one reason to be cautious of rich text editors on websites. Leaking keystrokes as you are composing a post leaks far more info than the final text[4]. Typing in an external application and pasting in once you are done is less terrible.
(And, to be clear, don’t emulate said character otherwise!)
It is useful for writing dialogue, and it is useful for modelling others in general.
...though even just the final text leaks a lot of info.
This is a good question, I don’t really have a specific threat model in mind. Obviously, I want “the bad guys” to know as little about me as possible, but I can’t seem to easily define who they are and how I would identify someone as belonging to them before I had a chance to talk with that someone or at least observe their behavior for a while. Regarding the quiz idea in my question, them having similar interests (or knowing mine) doesn’t guarantee that they aren’t part of “the bad guys” either.