That is really different from one case to another. It depends on how long, on which platforms and in how many different places you have used a specific alias. I don't think there is any general answer to this.
posted by Too-Ticky at 6:54 AM on October 22, 2016 [3 favorites]

It's not necessarily a question of "hackers". Mackey's sockpuppet was revealed by Whole Foods itself, in disclosure filings it made to the FTC as part of an acquisition.

Most of this stuff doesn't require anybody to break into your email or anything. It's usually more a matter of using identifying details about you that are public record to figure out any emails or handles you may have posted under. If I know your name and where you went to college or where you worked, for example, it'a pretty easy to search for your email. If that turns up in the body of a forum post, I can then read though those posts for other clues; if you go by a distinctive handle on that forum I can search for it, people often re-use nicknames on different sites.
posted by Diablevert at 7:12 AM on October 22, 2016 [2 favorites]

In general, the answer is "not that hard, if you know what you are doing." Essentially what you can do is just look for various things that are available online, and work backwards and forwards, cross-indexing metadata until you have something useful. It is amazing what taking advantage of things like file type operators in Google can turn up, or going into page 30 or 40 of search results.

I don't actually do the doxxing thing, but I am really good at finding things on the internet
posted by rockindata at 7:14 AM on October 22, 2016 [9 favorites]

I tried this as an experiment once. I picked out several people on public forums who were lecturing other people about how not to get doxxed, and I found almost all of the know it alls' real identities. I think the longest one took me about 20 minutes.

This was just a proof of concept, and I didn't do anything at all with their personal information after I found it, but I just searched their comments on public forums, looking for personal details, searched for their usernames and obvious variations on it, things like that. One I found based on interactions with someone else they knew in real life who had all their information out there, so I was able to narrow things down through that friend.

So it did seem pretty easy, and there was no single trick. It was just trying out a bunch of different things. The common elements were that they were all on Reddit, and most had had their accounts for a while, so they had posts in their histories on their local subreddits, or they'd tell stories mentioning where they worked or went to school or something. And most of them reused their usernames or slight variations elsewhere. There was at least one I couldn't find because their account was new and only had a few posts to start from.

So if you're worried about things like that, I'd suggest flitting around, using different, unrelated usernames, and when possible, if you post on places like Reddit, obliterating your old accounts and making new, unrelated ones.

From what I read about the Ken Bone thing, he actually posted an AMA on Reddit using his own account that he'd been using all along. He doxxed himself.
posted by ernielundquist at 7:52 AM on October 22, 2016 [6 favorites]

It really depends on how careful the target is and how much access the investigator has. In most cases like the Whole Foods one it turns out the target was sloppy, posting on the wrong handle occasionally or using the exact same phrase on multiple identities.

It's much easier keeping a pseudonym secure if you don't use it often. It becomes harder if you get committed to the personality and use it regularly. For instance your account (Jon44) has 66 posts on AskMe. I haven't looked, but I'm guessing reading through those I can get a pretty good idea what your interests are, where you live, etc.

As an investigator, the simplest way to catch someone is if you have access to the IP addresses of potential targets. 99% of normal folks will use their same computer to log in with multiple identities. While IP addresses are not completely unique identifiers they are pretty close. However, accessing the IP address on a random site is difficult. For instance the Metafilter moderators probably have access to them but we ordinary users don't.

You can protect your IP address by using a VPN, although that leaves traces law enforcement can discover with effort. Or to be more secure only ever log in at a public library. But even that didn't work for the Dread Pirate Roberts. (He, also, was sloppy about keeping identities separate; you can learn a lot from how that investigation proceeded.)
posted by Nelson at 8:03 AM on October 22, 2016 [2 favorites]

I think the general answer is that if there's anything on the internet about you that's in the least embarrassing, and a sufficiently high number of people know who you are, its coming out, 100%.
posted by Huck500 at 8:11 AM on October 22, 2016 [2 favorites]

Oh, but here's a very important thing. It is likely that, on a main, longstanding account like the one here, someone could figure out who you were in real life. However, that doesn't mean that they could discover all of your accounts just using regular person tools.

So say I connect your account here to your full name and address and stuff, I still don't have a way to connect that to your other online identities unless you're posting enough of the same information there for me to identify you. I just remembered an example: A friend of mine once "doxxed" me because my thieving husband told her a joke he got from me, and she fucking Googled it for some reason and found me telling the same joke, which hinged on a turn of phrase, on a forum where I had an account that was none of anyone's business. So if I had reused the same username on other accounts, she could have found those too. Once you suspect that someone is attached to an account, you can go through all their previous comments just to confirm that yeah, this sounds like them, even if none of the details are explicitly identifying.

But that's not a super big deal to me, because I'm not really talking about anything I wouldn't stand behind. I'm just compartmentalizing. If I were to, hypothetically, have another account somewhere where I talk about all the flora and fauna living in and on my butt or something else I don't want people to know about, I'd create a totally random, totally unrelated account on a totally different site from the ones I post on already, using a username that is dissimilar to any of my other usernames, I would sign up with a throwaway email if I need an email for it, and I would only talk about the specific butt things, and not disclose any other details about anything else. Someone who had access to my physical computer or who got a subpoena for my ISP's records could probably still find it, but it would not be easily discoverable by a creepy friend or internet rando.
posted by ernielundquist at 8:51 AM on October 22, 2016 [1 favorite]

Depends entirely on how hard you're trying to hide it.
posted by humboldt32 at 9:05 AM on October 22, 2016

It's all about tying information together, and how hard it is to do that.

Most people will not take any steps to hide themselves, and this makes it easy to tie things together. You may be posting from your home broadband or work Internet, which can be fairly easily tracked by a determined adversary. You might be using the same username, or compose your messages using certain quirks, or any of the other things people have suggested.

On the other hand, you can pack up your laptop and go to a free public wifi at a McDonald's in the next state, pull up a copy of TAILS OS, make sure you don't buy anything or get caught on any security cameras at the McDonald's (or ideally on your way to/from there either), making sure to leave your cell phone and other trackables at home. Then you can create a one-time set of accounts to use to post something, and it's going to be very difficult to track that back to you. Still... did you drive? Did anything capture your license plate? There are many angles to this.

The problem is that people find the convenience factor of being able to pull out their ${device} and just go at things without worrying about the tracks they're leaving. The normal person has no reason to think about this sort of paranoia, so most of the time it is varying degrees of fairly practical to identify a poster.
posted by jgreco at 9:55 AM on October 22, 2016

In the case you're dancing around, that of Ken Bone, the problem was that he did a reddit AMA using his main reddit username. Which then made it trivially easy for anyone who knows how the internet works to find everything he'd ever said on reddit. So... don't do that.

To me, something like "famous person uses a pseudonym but still gets found out" is more of an edge case where they probably pissed off someone with more skills than the average netizen (are we still saying netizen?). Avoid getting into internet flame wars, especially about highly specific topics that have to do with what you are known for or might be known for in the future. Or worse, taking up a position opposite what you claim to stand for IRL. Jon44 thinks Apple is better than PC is not something that is going to invite doxxing, because nobody cares. Tim Cook is revealed as an Android user after someone doxxes him following an IOS vs. Android flame war, now that would be a story.

On your followup:

I once realized a friend of mine is also a Mefite when she posted an Ask and then crowdsourced the same question on Facebook. It was a very specific question, and it seemed unlikely to me that different people would be asking the same very specific question on two sites on the same day. Recently, someone in a high school alumni Facebook group I'm in realized I'm a Mefite for similar reasons. None of these things have resulted in hard feelings, because they were all about nice things, or at least inoffensive things. I think doxxing after an online conflict is a much scarier prospect, and one easily avoided by not getting into arguments online.
posted by Sara C. at 11:46 AM on October 22, 2016 [1 favorite]

I tracked down a random person on a dating site once (who was trying to stay anon) and he asked me how I did it. There are a lot of ways, but this is what I did.

- I noticed he had a pro head shot with some distinct styling
- I did a reverse image search for it
- found the photographer's site where they had an archive of images they'd taken
- the photographer used his name as the image name
- Googled the name with some location stuff I knew from his profile
- found a page on his employer's website where he was listed so I knew where he worked
- checked phone listings for that town and then got phone numbers for his home by triangulating

I wasn't going after the guy, he had provided a geeky profile that indicated that he might find this sort of approach appealing (he did, sort of, it didn't work out for other reasons)
posted by jessamyn at 12:16 PM on October 22, 2016 [4 favorites]

In both these cases, Ken Bone and the Whole Foods CEO revealed this info themselves. If you're worried about being hacked, I guess the question is, why would anyone want to hack you? I try to keep all my screen names different, keep separate email addresses for personal use, business and then online stuff I do fairly anonymously. (Although I am sure I am have been sloppy and there is overlap.) If you use the same screen name everywhere across the web, you are at a real risk of being figured out even without anyone hacking into you, in my opinion.
posted by AppleTurnover at 8:18 PM on October 22, 2016

If you're looking for examples, there was that whole deal here on Metafilter with Scott Adams.
posted by MsMolly at 9:08 PM on October 23, 2016 [1 favorite]

This thread is closed to new comments.