- You take your personal laptop out of town with you, completely different state.
- You connect to a free open wifi from another location where you can’t be filmed/on camera.
- You use a new burner email account with all fake information.
- You send the anonymous email.
Please tell me how anyone could trace that back to one’s true identity.
The desire for anonymity is strong for many reasons; some legitimate, others less so. I want to use this as an example to show just how difficult it is these days to stay absolutely anonymous, particularly when it comes to email.
For example there’s at least one glaring problem with the setup you describe.
Become a Patron of Ask Leo! and go ad-free!
There are no absolutes
One of my guiding principles is that there are no absolutes. As much as we might (desperately at times) want black-and-white, yes-or-no answers, solutions and situations are always somewhere in between.
So my position is that there is no such thing as absolute anonymity, no matter what steps you take.
What may be possible, however, is to make it difficult — extremely difficult — to figure out who you are when you’re trying to be anonymous. Call it “pragmatic” rather than absolute anonymity. Depending on your specific situation, pragmatic anonymity may be good enough, as long as it makes it so difficult to identify you that whomever might be looking runs out of time, patience, or resources before they succeed.
Unfortunately, it’s easy to leave clues.
A personal laptop?
The “glaring problem” I referred to above is that you’re using your personal laptop.
Your personal laptop probably has an assortment of software installed on it, perhaps even the OS, that reaches out to various services in a personally identifiable way. For example, perhaps while you’re sending your “anonymous” email, a program like DropBox is quietly checking to see if there are updates to your files, leaving an identifiable trace on the Dropbox servers. If someone were to put two and two together they could see that you (your Dropbox account) were at this IP address (of the Wi-Fi hotspot) at the exact same time as the anonymous message was sent.
Now, replace “Dropbox” in that example with any — no, every — service or bit of software on your laptop that might benignly reach out to some service online. That’s a lot of opportunity to leave a trace of where you were at the time the message was sent.
Accidentally personal information
The email program or interface could include additional information in the headers that could identify you or your computer. In years past, some email programs included the Windows machine name on which it was running, for example. That could clearly identify the specific machine from which the message was sent.
It turns out that in many cases, browser fingerprints — the combination of an assortment of information that your web browser routinely makes available to the sites you visit and pages you view — can often identify you uniquely — or, if not uniquely, then to such a small number of cohorts that even a little additional information can be used to determine who you are.
Networks you “trust”
The laptop’s MAC address — a number that uniquely identifies every network adapter1 — doesn’t travel further than the first connection. In your case, that would be the Wi-Fi access point or router to which you connect. The problem is, you don’t know the device isn’t logging things. A log including your machine’s Wi-Fi MAC address would prove that your machine was connected to that access point at that time.
Similarly, it’s possible for a machine to read its own MAC address, and for software to include that information not as part of the networking protocol, but just as additional data being sent.
The IP address of the hotspot would locate it, at least, while perhaps local traffic cams and other activity — maybe even your mobile phone pinging its location while in your pocket — could place you in the same area at the same time.
Even your own personal style
Assuming you manage to avoid all those items, and everything else I probably haven’t considered, then even issues of personal style can give you away. I’m told that we each have a style of writing that’s relatively unique.
And, of course, the information in the content of your message could also be used to identify you, if you’re the only person who could or would have access to it or share it in the way you have.
Anonymity is hard
Anonymity is hard, really hard, particularly in the face of a sufficiently motivated and resourced adversary.
If you need to be anonymous, carefully understand the risks, and take the time to make certain that you’re not accidentally leaving the door open to discovery.
If you found this article helpful, I'm sure you'll also love Confident Computing! My weekly email newsletter is full of articles that help you solve problems, stay safe, and give you more confidence with technology. Subscribe now and I'll see you there soon,
Footnotes & References
1: Admittedly in theory. Every network adapter — Wi-Fi interface, Ethernet port, and so on — is supposed to have a completely unique MAC address, though hardware manufacturers have been known to re-use MAC addresses. In practice it’s not a problem, but like so many things, it’s neither black or white.