Confirming identities online

How to inspect who you’re expecting

Staying private, secure, and anonymous online is important for everyone — but for some, it can be crucial. However, total anonymity can also introduce some problems. When you’re communicating anonymously, how do you know you’re talking to the person you think you’re talking to? If a whistleblower is sending a journalist some confidential info, the whistleblower needs to know beyond a shadow of a doubt that they’re really talking to their contact, not an imposter.

So how can you stay private — and anonymous — while verifying someone else’s identity?

In person, there are lots of ways that you might try to do this, like using code phrases, secret meeting places, and disguises.

But things are very different when you’re online. Everything you do can leave a trail, and there’s lots of information about you that could betray your true identity. IP addresses, digital fingerprinting, and information linked to your real identity — like phone numbers — can all be used to work out who you are.

So, what can you do? Well, for starters, it’ll come in handy to know about something called PGP. PGP stands for Pretty Good Privacy, and it’s a kind of encryption that can be used to put a lock on otherwise unprotected information.

PGP allows you to encrypt a message so that only one person, with the exact digital key that matches the message, can ever read it. PGP is often used to encrypt e-mails, messages, and files. But PGP doesn’t always provide total security and anonymity. For example, if you send an email encrypted using PGP, the sender, receiver, and subject line of the email are left unencrypted — making them visible to the email provider, and possibly others.

Alternatively, you can use an encrypted messenger. Some encrypted messengers will allow you to stay totally anonymous while you talk. In any good encrypted messenger, only the person you’re chatting to has the key to unlock (and read) the messages you send them — just like PGP.

Some messengers might try to get you to tie a piece of personal information to the account — like your name or phone number — so that others can confirm your identity. But this is risky, because phone numbers introduce serious privacy threats — and they’re definitely not anonymous.

However, there are encrypted messengers that won’t expose your identity. Some allow you to use keys (similar to PGP keys) as your account ID or ‘username’. These kinds of account systems let you avoid tying your real-life identity to your account ID.

This type of system has a number of benefits for staying safe, secure and anonymous. But this anonymity sword cuts both ways. If you’re using an encrypted messenger with a key-based account system — like Session — there is no way to be completely sure that an account you’re chatting with belongs to the person you think it belongs to.

This is by design — after all, the goal is secure, anonymous communication. However, if you also need to be doubly, triply sure that you’re talking to the right person, you may need to use a secondary channel of communication to verify that the account you’re chatting to actually belongs to the person you’re trying to contact.

This might involve communicating with your desired contact via a secondary means to trade keys. When in-person contact isn’t an option, one of the safest alternatives is Secure Drop. If you want to send information this way, here’s how you can do it safely.

When you want to communicate anonymously, it’s really hard to ever be 100 per cent sure who you’re talking to. But, then again — that’s kind of the point. Verifying who you’re communicating with online is still super important — encryption won’t always protect you from sending something to the wrong person. Make sure you always verify who you’re talking to online before you start sending sensitive information!