In the movie Citizenfour, Jake Appelbaum is seen briefly giving a security primer to activists. He’s talking about linkage: what happens when you supply two pieces of identity at the same time, and how that means they’re forever linked. Identity doesn’t have to be an ID card; it could be a subway card or a cellphone.
The danger to privacy doesn’t primarily lie in when you identify yourself using one method – MAC address (your network card’s unique address), IP address, credit card, login, IMEI (your phone’s unique identity), et cetera. The danger lies in when two of those are linked together.
It’s not the tracks you leave behind. It’s the combination of different tracks you leave behind, and the intersections of those tracks.
If you’re ever using your laptop on a wi-fi network, that network knows when it’s you coming back, for example, because the wi-fi component on your laptop is presenting itself with a unique name. That unique network component name (called a MAC address) can be shared across networks, and only one of them need to know something more about you, for all of them to know that about you. Did you ever use a credit card somewhere to get access to a public wi-fi, for example? That’s enough for every public wi-fi to know you by name – not just going forward, but historically as well.
This is why it’s crucial to not link accounts together. Don’t use your primary email when signing up for an anoymization service. Don’t use your regular credit card, or a credit card with your name on it at all, or a credit card in the first place, when signing up with an anonymization service. (Four years ago, I wrote that you should never trust a VPN service that doesn’t accept bitcoin. PIA accepts bitcoin, of course.)
Even more importantly, the cross-referencing doesn’t have to be automatic, nor does it have to happen at the same time.
Let me take a tangible example from the Swedish Pirate community to illustrate this in practice. Some five years ago, there was a new person in the comments field who claimed to be 20-something female pirate sympathizer, but who was rather aggressive and adamant things had to change radically. Overall, this person was acting rather abrasive and demoralizing in the comment field on a number of blogs.
We didn’t know who this was, but we had a feeling something just wasn’t quite right – that this person was not who they claimed to be. So a bunch of us used the only thing we had – the IP address of the comments – and just typed it into the WordPress search field on some two dozen different blogs, each on their own, a considerably larger scope than where this person had been demoralizing the community.
Bingo. The same IP had been used almost a year prior on a different blog entirely, for two random snarky comments. Now, that wouldn’t normally be enough to claim it was the same person – if it weren’t for the identical language style and that this person was actually a 50-something male with the copyright industry.
That’s what we were able to do using nothing but a stock WordPress install, no web server logs, no nothing.
(How we used that information? One of us asked in a response to a snarky comment, “Ohai again, Y. You’re using the same computer that a person named X used a year ago. Do you two know each other?” The so-called 20-something female was never seen again after that.)
Now, this was a real life example from something that’s not built for surveillance at all, merely using some two dozen different websites in a nonprofit community. Consider then for a moment what IMSI catchers, boxes that record and timestamp the identity of every passing mobile phone within a 500-meter range, are able to do when deployed by the tens of thousands. (Changing your phone is not enough – if you repeat the same pattern you performed with your previous phone, any pattern such as travel schedule or company or similar, you’re most likely re-identified.)
Privacy remains your own responsibility.