Measures in Work

Surveillance capitalism oligarchs FATBAG (Facebook Amazon Tencent Baidu Alibaba Google) — along with countless other intermediaries — track and analyze the vast majority of our online behavior for marketing purposes to manipulate our actions.

⚠️ Unless you are very proactive about privacy, most of your online activities can be collected, analyzed, sold, and resold. Even if you are a citizen of the EU, ⚠️ GDPR offers almost no real protection against this intrusive data collection.

The ability of tech companies and governments to collaborate in collecting data about you and your devices means that any efforts to maintain a pseudonym can easily be overturned.

If you log into your Facebook sock puppet account, then log out and switch to your personal account (or another sock puppet account) — the entire process is completely transparent to Facebook, and then Facebook can establish a connection between your real and fake identities. You are exposed.

The rest of this article explains how to mitigate the dangers of this exposure. (We have introduced some of this content before; here it is treated as a system and linked together.)

This article assumes you know nothing about self-protection, so the content applies to any reader encountering this material for the first time; there is no barrier to entry.

  1. IP Address

When you connect to the internet, your computer has a unique public IP address that is exposed to the websites you visit.

This is well-known, and a common Opsec practice is to use Tor or a VPN to disguise your real IP address. We have also introduced this multiple times (search "Who Will Cry Over the Onion").

From a technical perspective, this is effective, but it has many limitations: using the Tor browser restricts the functionality of many websites, and ⚠️ Tor does not disguise the fact that you are using Tor — everyone can see that you are using Tor, even if they don’t know who you are.

Investigators know that due to the enormous amount of data Google scrapes, Google applications are very effective for deep-dive open-source intelligence.

However, it is difficult to use Google applications while concealing your true identity, as you will frequently be asked to complete silly self-verifications like the one below:

IMG_20241219_095359

VPNs are another option, although they also have some limitations.

And as with Tor, many VPN IP addresses are well-known and often blacklisted, so you must fill out endless captchas before getting access.

A good VPN service is an important OPSEC tool, but neither Tor nor a VPN is a magic tool. "Magic" would mean that using them is enough and you no longer have to pay attention to anything else. It is absolutely not enough.

I also believe that IP addresses are not necessarily very important to data monitoring companies like Google or Amazon.

Depending on how and where you access the web, your IP address may change regularly or may be shared with many others, so its value is limited for monitors who want to know exactly who you are and what you want to do online.

This does not mean you can ignore how your IP address might reveal your identity, but it is important to note that an IP address is not a complete picture of your life.

It only truly exposes you when combined with other information about you.

  2. Cookies and Cookie Auto-Delete

Cookies are also a well-known tracking method.

There are different types of cookies, but the main threat to your sock puppet activities is that cookies can track you online after you visit a website.

Aside from privacy concerns, the threat to OPSEC is obvious.

⚠️ Cookies do not care how many queries you have completed or if you just want to do some personal browsing; they will continue to track you across the web to build your behavioral profile.

The following uses LinkedIn as an example. ⚠️ LinkedIn is one of the most aggressive tracking and surveillance websites online.

Before visiting the site, I cleared my cookies and then tried to access it again. LinkedIn did not like this because it could no longer recognize who I was (even though my IP address remained the same):

IMG_20241219_095504

As I continued to log in, my browser plugins lit up like a Christmas tree:

IMG_20241219_095609

From left to right: uBlock Origin, Privacy Badger, and Cookie Auto-Delete

⚠️ Note that even if you do not click on anything on the webpage, LinkedIn will attempt to load a large number of scripts and cookies, primarily to track your behavior and try to learn as much as possible about your online activities.

If I switch from my real LinkedIn account to a sock puppet account used for investigation, ⚠️ LinkedIn can see the whole switch, and the same visibility extends to any other site running similar tracking functions.

This is why the marketing companies where you buy groceries also know what kind of porn sites you have visited.

You can use the three plugin tools shown above to mitigate this situation.

uBlock Origin (for Firefox and Chrome) filters the requests that fetch ads, preventing your browser from retrieving and displaying marketing content.

Privacy Badger (Firefox and Chrome) is used to identify and block trackers. In this case, it detected and blocked no less than 10 different tracking scripts on my LinkedIn homepage.

IMG_20241219_100310

My preferred tool for handling intrusive tracking via cookies is Cookie Auto-Delete.

It does not prevent the browser from downloading cookies, but it ensures that any cookies associated with that tab are deleted when the browser tab is closed.

This can prevent cookies from tracking you during your browsing session, disguising your web activity. Cookie Auto-Delete is available for Firefox and Chrome.

IMG_20241219_101418

  3. Browser Fingerprinting

Browser fingerprinting is a newer tracking concept than IP addresses or cookies. It is not well-known, but it is more invasive, so it poses a greater challenge for any investigator wishing to remain cautious. There is a great academic paper outlining some research in this area (https://securehomes.esat.kuleuven.be/~gacar/persistent/the_web_never_forgets.pdf).

The basic premise of browser fingerprinting is that the unique features of a browser and computer can be combined and assembled into a unique value that can then be used to track your every move online.

Specifically, by looking at information such as browser software version, operating system, system fonts, graphics card, screen resolution, and many other variables, a unique browser "fingerprint" can be constructed and then used to track you across the web.

In terms of tracking effectiveness, ⚠️ browser fingerprinting is more effective and persistent than IP addresses or cookies.

💡 There are several good tools available to analyze your own browser fingerprint. My two favorites are EFF's Panopticlick tool and the BrowserLeaks website.

To demonstrate how this process works, I will view my own browser fingerprint "as is" without any interception plugins, and then I can see how to successfully obscure a person's online fingerprint to avoid being recognized.

Here are the first results from Panopticlick scanning a fresh Chrome on Linux Mint 18.3:

IMG_20241219_101542

Using a clean Chrome with default settings, the results are as follows:

IMG_20241219_101700

It is simply astonishing.

Note that here, not only is there no protection, but my browsing has a unique fingerprint that can easily identify me.

For a more detailed introduction to what this means, see

IMG_20241219_101827

Panopticlick shows how my browser settings are displayed on websites and then calculates the likelihood that others have exactly the same settings.

The identifying information is based on some fairly complex mathematics that assesses the probability that any given fact about a person is correct.

In simple terms, this is a score from 1 to 33, where 33 represents completely unique — that is, "absolutely you."

The third column expresses the same information in different ways: by looking at how many browsers typically share the same information.

In this case, it shows that 1 out of 19.51 browsers is in the same time zone as me, 1 out of 1.19 has cookies enabled, but only 1 out of 204,955 browsers has the same canvas fingerprint as me.

⚠️ This means that my canvas fingerprint is very unique for anyone wanting to identify me, regardless of which account I log into.
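The "one in x browsers" figures above convert directly into bits of identifying information: an attribute shared by 1 in N browsers carries log2(N) bits. The following is an added example, not code from the original article or from Panopticlick; the function names, the 1,000,000-browser population and the independence of attributes are assumptions made for illustration.

```javascript
// "One in x browsers" values quoted in the article's Panopticlick results.
const ATTRS = [
  { name: "time zone", oneIn: 19.51 },
  { name: "cookies enabled", oneIn: 1.19 },
  { name: "canvas fingerprint", oneIn: 204955 },
];

// Surprisal: a value shared by 1 in N browsers carries log2(N) bits.
const bits = (oneIn) => Math.log2(oneIn);

// Walk the attributes from most to least identifying and track how many
// browsers in `population` are still expected to match all of them.
// Assumption: attributes are independent. Real attributes correlate, so
// the summed bits are an upper bound, not an exact figure.
function anonymitySet(attrs, population) {
  let remaining = population;
  let totalBits = 0;
  const steps = [...attrs]
    .sort((a, b) => b.oneIn - a.oneIn)
    .map((a) => {
      remaining /= a.oneIn;
      totalBits += bits(a.oneIn);
      return { name: a.name, bits: bits(a.oneIn), remaining };
    });
  // Fewer than one expected match means the combination singles you out.
  return { steps, totalBits, unique: remaining < 1 };
}

// Constructed population size, for illustration only.
const result = anonymitySet(ATTRS, 1_000_000);
for (const s of result.steps) {
  console.log(
    `${s.name.padEnd(20)} ${s.bits.toFixed(2).padStart(6)} bits, ` +
      `~${s.remaining.toFixed(2)} browsers still match`
  );
}
console.log(`total ${result.totalBits.toFixed(2)} bits, unique: ${result.unique}`);
```

The canvas value alone contributes almost all of the bits, which is why changing the time zone or cookie setting does little while the canvas read-back stays the same.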

From an OSINT perspective, this means: no matter what my IP address is, or even if I clear cookies, as long as my hardware and browser settings remain the same, I can easily be identified by my real identity.

⚠️ No matter how many sock puppet anonymous accounts you create, they will be exposed.

This is not new. This is one of the ways Facebook, Twitter, and other sites can quickly identify multiple accounts running from the same machine — Twitter has already blocked many users with multiple accounts — because they suspect they are bots or sock puppets.

💡 Fortunately, with some tools and adjustments, you can change how your browser is displayed online.

I installed and enabled uBlock Origin to block ads/trackers, Privacy Badger to block tracking scripts, and NoScript to stop any unnecessary JavaScript from running.

Here are the new results after doing this:

IMG_20241219_101943

Clearly, some progress has been made — my browser now blocks tracking ads and trackers.

One point to note is that even though I sent a "Do Not Track" request in Chrome settings, the results showed no difference. Google's "Do Not Track" is just a scam.

IMG_20241219_102230

It is not just Google: evidence shows that most companies completely ignore the "Do Not Track" request, so it cannot be considered a privacy setting.

But what about other fingerprint results? Here they are:

IMG_20241219_102631

It correctly states that I am running Chrome 75.0.3770.100 on a Linux x86_64 system.

Other browser technologies mentioned in the UA string are about compatibility rather than the actual browser I am using — references to AppleWebKit and Gecko provide information about the type of software my browser is compatible with, so that websites know how to display content correctly.

Correct display is the main legitimate reason for the user agent string's existence, but from a privacy perspective, it can also be used as another data point to identify you.

To address this, a simple User Agent Switcher plugin can be used.

This will trick websites into thinking you are using a different browser than the one you are actually using, thus obscuring your real browser details.

Once installed in Firefox or Chrome, the User Agent Switcher allows your browser to effectively impersonate other browsers or operating systems.

After installing in Chrome, I selected the Android User Agent string and checked it on whatismybrowser.com:

⚠️ This underlines an important point about online anonymity and pseudonymity. When conducting deep investigations, you can never be truly anonymous, because you must provide some sort of User Agent string to websites. It is therefore better to provide a false user agent than to expect to provide none at all.

The most effective aspect of browser fingerprinting is canvas fingerprinting.

The list of websites known to use canvas fingerprinting is long and outdated, so the actual number of websites using canvas fingerprinting may be much larger.

Canvas fingerprinting works by gathering information about how the browser displays fonts and graphics, then combining them into a unique hash that can be used to identify your identity.

The combination of your operating system, graphics card and drivers, system fonts, screen resolution, and other variables is very unique and can be combined into a hash.

This hash is a unique digital fingerprint of your computer, and websites use this to identify you.

⚠️ Even if you have created very good sock puppets, if you run all accounts from the same machine, they will be easily recognized by monitors as your operations. Your identity will be exposed.

Panopticlick can show what a canvas fingerprint hash looks like.

I ran the test again (with NoScript disabled) and the results were as follows:

image

When I loaded the page, Panopticlick provided a small image for my browser and then observed what happens when my browser attempts to render it.

The value of this computation is displayed as a hash: 2eaaa026e19b958c09debc6d23f6a64c.

This means nothing to humans, but for anyone running a website with canvas fingerprinting capabilities, it is the one value that uniquely identifies me.

My browser no longer presents a unique hash value to the website but presents random values, making it difficult to track me online.

I also tried Canvas Defender, which made no difference compared to Panopticlick or BrowserLeaks.

For Firefox, I recommend using CanvasBlocker, Canvas Fingerprint Defender, or Canvas Blocker.
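To check on your own browser whether a canvas blocker really returns random values, draw the same scene several times and compare the hashes of what the browser hands back. This is an added example, not code from the original article or from Panopticlick; the function names are hypothetical, and the FNV-1a hash stands in for whatever hash a real site uses.

```javascript
// Non-cryptographic FNV-1a hash, used only to get a short comparable value.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Draw a fixed scene (text plus a rectangle) and hash the pixels read back.
// The result depends on fonts, GPU, drivers and OS, as the article describes.
function canvasHash(makeCanvas) {
  const c = makeCanvas();
  c.width = 240;
  c.height = 60;
  const ctx = c.getContext("2d");
  ctx.textBaseline = "top";
  ctx.font = "16px Arial";
  ctx.fillStyle = "#f60";
  ctx.fillRect(10, 10, 100, 30);
  ctx.fillStyle = "#069";
  ctx.fillText("canvas self-test \u{1F600}", 4, 20);
  return fnv1a(c.toDataURL());
}

// Identical hashes across runs mean the read-back is stable, so a site can
// use it as an identifier. Differing hashes mean something adds noise.
function checkCanvasStability(makeCanvas, runs = 3) {
  const hashes = [];
  for (let i = 0; i < runs; i++) hashes.push(canvasHash(makeCanvas));
  const distinct = new Set(hashes).size;
  return { hashes, verdict: distinct === 1 ? "stable" : "randomized" };
}

// Runs only where a DOM exists, e.g. pasted into the browser console.
if (typeof document !== "undefined") {
  console.log(checkCanvasStability(() => document.createElement("canvas")));
}
```

Some blockers add noise once per session or per site rather than per read, so a "stable" verdict within one page load should be followed by comparing the hash again after a browser restart.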

  4. Conclusion

I hope this article clearly explains: to create a truly effective OSINT sock puppet account, or to protect your real identity in any case, you need more than just a VPN, a pseudonym, and random photos (fake faces). You must also consider how the websites and the massive data companies behind them are watching you.

Of course, there are many resources related to solutions that you can try, including:

BrowserLeaks

Am I Unique?

Pixel Privacy

BrowserPrint

Good luck! Everyone deserves the freedom to be free from surveillance.
