After you have taken basic yet important steps to increase present privacy, carefully thought about your threat model, and identified where and how you can harden your privacy and security, you can begin the identity creation process.
It is important to define the scope of your new identity. As you've completed the steps above, think about how your identity will interact with the world. More precisely, what will your identity do, through which mediums, with which tools, and when? Having that clear (and often written down) will help you along the way to prevent you from getting distracted.
For the following steps, use the setup you selected in 3.1: Technical Choices. At the very least, use the Tor Browser going forward, on an internet connection that is not your home's and in a place where you are not captured on video footage. All the following steps will assume you're using Tor.
Note: The following steps seem small and simple; however, it may take you a considerable amount of time to go through each one. You should take your time to complete them right! Each tip or mention is worth considering and going through, so be calm and do it right rather than quickly.
On downloads: Always download through Tor, and always verify your downloads. Below the download button for a software product there is usually a small "Verify Signature" or "GPG signature" link or icon (or something similar). Always click on that and go through the steps to verify your download; otherwise you won't know whether you downloaded the correct software or whether it was tampered with. Download pages will also usually have instructions on how to verify that download, so follow them through to have it all verified.
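An added example, not part of the original guide: `gpg --verify` reports a good signature for any key in your keyring, so the check below also compares the signer's primary-key fingerprint with the one the project publishes. The function names, the sample status text and the fingerprints are constructed placeholders.

```shell
#!/bin/sh
# Added example: verify a detached GPG signature AND who made it.
# All fingerprints and key IDs below are constructed, not real release keys.

# Constructed sample of `gpg --status-fd 1 --verify` output.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Example Release Key <release@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2024-01-01 1704067200 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'

# Read status text on stdin, print the signer's primary-key fingerprint.
# gpg emits VALIDSIG only when the signature is cryptographically valid.
signer_fingerprint() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
             # field 12 is the primary key; older gpg only provides field 3
             fpr = (NF >= 12) ? $12 : $3
             print fpr
             exit
         }'
}

# Normalise a fingerprint copied from a web page: drop spaces, upper-case.
normalise_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# fingerprint_matches STATUS_TEXT EXPECTED_FPR
# Succeeds only if a valid signature was made by exactly the expected key.
fingerprint_matches() {
    got=$(printf '%s\n' "$1" | signer_fingerprint)
    want=$(normalise_fpr "$2")
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# verify_download FILE SIGNATURE_FILE EXPECTED_FPR
# Fails on a bad signature, a missing public key, or an unexpected signer.
verify_download() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    fingerprint_matches "$status" "$3"
}

# Usage (file names are placeholders):
#   verify_download installer.tar.xz installer.tar.xz.asc "<published fingerprint>"
```

Take the expected fingerprint from a source other than the page that served the download, so that one tampered page cannot supply both the file and the key.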
-
Get clean bitcoin. Find ways to get your hands on some clean BTC through KYC-free sources. Find more about it and ways to get it here and here. The Hitchhiker's Guide to Online Anonymity cited in 3.1 also has a section on this. Take your time to get clean BTC because this is essential to the remaining steps. Bitcoin itself is not anonymous, but it can be privacy-preserving if you use it with good practices in mind.
- Buy it in batches to different addresses, because you don't want to deal with change too much, as it can hurt your privacy.
- Use a good wallet such as Samourai or Wasabi that uses Tor by default.
- Both wallets above will enforce some good practices for Bitcoin addresses and transactions, as well as let you CoinJoin your coins, increasing your anonymity (if you do it right). If you're using Samourai you can also make your spend a CoinJoin to increase spending privacy, which will be important in the next step.
-
Purchase a good VPN service. Head over to Mullvad's onion website and create a new account. This will generate an account number; then, select the amount of time you want to fund your account for and pay with your clean bitcoin. It will help your anonymity to use the full contents of one UTXO for paying Mullvad, because then you wouldn't receive any change. But that may be hard to coordinate, so if an exact match is not possible, having your change be a large amount instead of a negligible one will make it harder for chain analysis companies to spot which output is the payment and which is the change.
- After you have paid, download the Mullvad app only to the devices your new identity will be using. Note that it may take a while for your account balance to update and see your payment, due to blockchain confirmations, so be patient.
- When Mullvad is fully set up on your devices and working, always connect to it for all of the remaining steps. Also connect to it first, then connect to Tor / Tor Browser.
- You can also go to `Settings > Advanced > Always Require VPN` in the Mullvad app, so that if your connection goes down the app will block internet access.
-
Pick an email provider, but don't create your account just yet. ProtonMail is my personal advice, and should be the best choice for most people. But there are other good alternatives as well. You can reference this page for choosing a privacy-preserving email provider that best fits your needs.
-
Search for and pick a pronounceable handle. Whilst doing everything over Tor (connecting to your VPN first), start thinking about what your new identity's name will be. Focus on readability, and it should be pronounceable as well. Search for and pick a handle that:
- Is not already in use by ProtonMail (or the email provider you chose in the previous step).
- Is not already in use by GitHub.
- Is not already in use by Twitter (optional).
- Is not already in use by Gmail (optional).
- Has a cheap domain name available. Use Namecheap to search for and buy the domain if you wish to do so, since it accepts bitcoin and has some privacy-preserving features enabled automatically as well as some policies for protecting customer rights. This will be especially useful if you need to set up a website for advocacy, a donation page, or something of the sort.
Alternatively, you can use a full name, instead of a simple handle, with more complete personal details to create a full identity (reference Fake Name Generator for help with this).
-
Get a new phone number. You will need it for creating some accounts later on, so do it anonymously if you can: buy a prepaid SIM with cash. That is not possible in some parts of the world, however, since KYC information may be required either to buy it or to set it up. So analyze what is best given your circumstances and your threat model. In either case, do not use your real identity's phone number going forward.
- If your budget allows it, also get a new phone. In most cases, and to make your identity's Operational Security (OpSec) easier, you can buy an affordable Pixel 4a with cash and de-google it with a security- and privacy-conscious OS, such as Graphene or Calyx. But that may be hard to find in some areas or your skill level may not be there yet, so reference the Android-iOS discussion fleshed out in 3.1 to decide if you haven't already.
-
Buy a WebAuthn key (SmartCard) for security. Purchase a YubiKey in person with cash. You can find resellers near you on their website. If there are none, adjust and purchase by revealing the least amount of personal information you can; notably, you can use a private mail box to prevent disclosing your home address.
-
Create your email account. Go to the email provider you selected and create your email account. If they have an onion hidden service, Tor Browser will automatically redirect you, so maybe wait a minute after the site has loaded to begin the account creation process.
-
Generate new GPG keys. Remember to use your pseudonymous handle and its email as your key's user ID.
- Follow this guide for creating your own keys and establishing a hardened setup with your new YubiKey.
- Alternatively, if technical skills become a bottleneck, save your YubiKey for later and have your email provider create GPG keys for you (ProtonMail supports this). Although not perfect, it is functional and may be acceptable for some threat models, and you can generate a new GPG keypair for your identity later when you're more comfortable using it.
-
Create your GitHub account. Of course, this assumes you'll need a GitHub account; if you won't, you may skip it. But it doesn't hurt to create one, as you might need it some day. So, create one, at least for securing your handle.
-
[Optional] Create other accounts. Your new identity might need additional accounts depending on its required activities. Go ahead and create them. Remember to use VPN and Tor for everything and provide the least amount of private information possible. Most service providers will prompt you for many pieces of information, but most of it is not truly necessary for account creation. Be aware of that and create each account attentively.
- Note: some of your identity needs can be accomplished with similar, more private and secure tools than mainstream ones. For example, you might need a document editing tool and Google Docs might jump out in your head as the go-to service, but often you could use CryptPad instead. Refer to Privacy Tools every time you realize you need to sign up for a new service and evaluate if there's a more private alternative that suits your needs.
Phew! If you performed each and every step with caution and attention, your new identity should now be set and ready to be used. You have a pronounceable handle, a new phone number, an email address, maybe a domain, GPG keys, a YubiKey, and a GitHub account with GPG-commit signing enabled.
Now, move on to discover the correct ways for you to Operate Your New Identity.