Practical privacy and simple cybersecurity.
TheNewOil.org

Disinformation Part 2

If you haven't read my last post you probably should. As the title suggests, I'm going to build heavily from it. In that post, I primarily wrote about “disinformation” – how to define it, when to use it, etc. But for many, knowing what to use can be an agonizingly difficult and confusing decision. In this post, I'll share my strategies for developing effective disinformation and hopefully give you a framework on how to do so yourself.

Identifying What You Need

The best place to start is by identifying your needs. This comes in two forms: the actual information (addresses, phone numbers, etc) and the context. By “context” I mean the kind of information you need. Does the address need to be local to confirm a story, or can it just be any random address? Does the name have to be one you'll use a lot or never again?

For example, in a prior blog post, I mentioned the idea of not using your real name when dating. But in this context, your fake name is one you'll have to reuse frequently. You'll need to respond to it when people call you from across the room, or you'll eventually have to explain that it's not your real name. There's numerous ways to handle this – some of which I discussed in that post – but ultimately you'll have to think in advance about it so you know the drawbacks and how to handle them.

Consider another scenario, one I've actually encountered many times: online ordering. I'm pretty vocal about my privacy.com usage. Privacy.com is a service that offers you digital debit cards where you can put in any billing information you want, allowing you to be John Doe at 123 Main Street, Smalltown USA. The problem, I quickly discovered, is that there are three parties involved in an online transaction: you, the bank (in this case, Privacy.com), and the vendor. While Privacy.com doesn't really care what information you put in the billing form, the vendor probably does. “John Doe at 123 Main Street” raises more red flags than a Chinese Communist Party rally on most vendor anti-fraud systems. I soon found that it was much, much easier to pick a generic sounding name – like Nathan Bartram – and an actual street address. This almost never flags the anti-fraud systems anymore.

Finally, you'll need to identify what information you actually need. This is based on your lifestyle and threat model. Perhaps you only ever buy physical goods online and never really buy software or other non-tangible services. In this case, you don't need to bother coming up with a fake address because you'll always need goods delivered to your actual address (PO Box or otherwise). Or perhaps you tell people that you’re from a certain part of town, so you’ll need an address in that town as a billing address to confirm your story and hide your real address.

Ultimately it’s important to think about what kinds of disinformation you’ll need and what the context for it will be. Once you’ve figured that out, it’s time to prepare.

Preparing Your Story

If you’re not prepared in advance with disinformation, you’ll probably end up folding every time and handing over real information. It’s just human nature. Therefore it’s important to pick your cover stories now. First off, you probably won’t remember your fake information – at least not at first. So when you’re digging through your notes app looking for it, you’ll feel compelled to explain why you don’t know your phone number or address.

Let me pause right here and deliver some wonderful news: most people don’t care. If you say “hold on, let me find it” and start scrolling your phone, most people will accept that and leave it at that. I’m willing to bet that for most readers, most of the people you interact with in day-to-day life (that you’ll be giving disinformation to) are underpaid and overworked employees. They don’t get paid enough to wonder why you can’t remember your information, and frankly they’ll probably forget about you about ten seconds after you walk out of sight. A lot of people get social anxiety over the idea that if they do anything “unusual” that people will somehow be suspicious of you. Let me reassure you: nobody cares. Everyone has their own lives, their own problems, their own boss constantly reminding them to do inventory after the registers slow down or their own fight with the significant other at home. Trust me, you are the last thing on their minds. Even if they did find you suspicious, what are they going to do? Refuse to sell you that coffee? Call the cops on you for not having your phone number memorized?

All you need to say when looking up your information is “one second, let me find it.” This lets them know you’re looking for the information they’ve asked for and you’re not just ignoring them and reading your text messages. If you feel compelled to say anything to explain, then just say “I just moved and I haven’t memorized the new address yet” or “I got a new phone and I can’t remember the number.” Again, however, this is almost never an issue.

With that handled, let’s turn to actually finding the information. Names and addresses are the easiest, so I recommend starting there. For names, I prefer to use Behind the Name’s Random Name Generator because you can narrow it down by sex (including “ambiguous”), how many names you need (first only or first and middle or more), and even ethnicity. Generate several options until you find one that sounds generic that you’re okay using.

For addresses, my preferred method is to use a local hotel. They already get tons of junk mail and they are a real, valid address so you’ll encounter less resistance from places that actually verify the address. If I need something sent to me, I use my PO Box.

Email addresses are a little tricky, but not much. For starters, I strongly encourage the use of an email forwarding service. If you pay for a premium subscription with either of the two I recommend and link a custom domain to them, you’ll be able to make up “wildcard” or “on-the-fly” addresses. So for example, I could make up “petstore@mydomain.com” at the register for my e-receipt and as soon as the store emails me the receipt, the forwarding service will automatically create it and forward the email to my inbox – no work needed on my end. If you’re unable to afford one of these services, you could try generating a few “junk” email addresses and writing them down in advance to hand out if you need to on the fly. Truthfully I’m rarely in a position where I must give someone a fake email address, but it never hurts to be prepared if you think it may happen.

Phone numbers get kind of tricky. If you just need to give them any kind of number, there’s lots of options. There’s the classic “867-5309” (this is from a hit 80’s pop song, in case you’re unaware), you can find an automated phone number online – something like a tech support number that leads to a phone tree, you can use Michael Bazzell’s “619-364-0090” through “0099,” and there’s tons of prank or false numbers online. My personal favorite is “248-434-5508.” Call it if you can. If you live in other countries, just do some research online. You’ll find tons of options. But what if it’s a number where you do need someone to reach you? Voice-over-IP is going to be your best bet by a wide margin, but again options are relatively limited if you live outside the US or other certain areas. There’s also the fact that most of these services don’t work if you need to verify a phone number for an account, like Twitter for example. In this case, your simplest bet is a second SIM card you only use for this purpose. There’s actually a few options here, but that’s going to be the most direct and simple. I could write an entire blog post about phone numbers alone, but if you ask around on some forums and do your research you should come up with some options that work for you.

Finally, you may be in a situation in which you need to invent a “backstory.” I’ve been known to frequent hobby-based meetup groups in the past – the kind where you find the posting online to get together to do nerd trivia with a bunch of strangers in a bar, stuff like that. This means I don’t know if the person next to me is my new best friend or secretly plotting to wear my skin and stash my body under their crawlspace. I’ve discussed in other blogs – namely the dating one I linked earlier – the idea of being vague when you disclose information. I tell people all the time that I work in audio-video, but not the company. I tell people I grew up in another state, but I don’t always say the city. If your threat model is high enough, you may wish to lie entirely and say you grew up in a state you never did or a city you never did. My only advice here is to make sure it’s a place you’re at least somewhat familiar with. I have visited Seattle, but I haven’t spent enough time there to be familiar with it. I would have a hard time saying I grew up there because I don’t know it well enough. If I ever met anyone else from Seattle, they’d be able to poke holes in my story instantly. On the other hand, I’ve visited San Diego multiple times for various reasons, and I could reasonably say I grew up in that area and be able to pass it off.

Conclusion

It’s pretty common to see people struggle with disinformation: how to come up with it, when to use it, etc. I hope this blog post has been helpful and given you a starting point, presented the right questions to ask yourself so you know what you need, the pitfalls to watch out for, and given you some ideas on where to go to find information to use. Now get out there and start protecting your privacy on a new level.

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...