At the height of internet censorship in 2021, I published a popular essay titled ‘Opsec for Noobs.’ It’s extremely in-depth, but much of it is outdated. This is a more practical and up-to-date guide. The full original essay is posted at the end.

Anthropic recently built an AI model called Claude Mythos that is apparently so sophisticated at detecting and exploiting vulnerabilities in browsers, operating systems, and other critical software that they decided it shouldn’t be released. They were so convinced that if it ended up in the wrong hands, it could pose major risks to the economy, public safety, and national security. Its release remains on hold until tech behemoths like Microsoft, Google, Apple, and Amazon give Anthropic the green light.

I take dystopian AI narratives with a grain of salt. But given the rapid speed at which AI is progressing — it’s feasible that AI could find security loopholes across multiple websites and social media platforms that ultimately expose everyone’s information. It could even create a public database of everyone who has ever used the internet. If someone were to look up your name in this scenario, they would see everything you’ve ever said online. Yes, everyone would be fucked. But given this risk — people should take the proper precautions to reduce potential damage.

If you post under your real name, then you’re probably willing to muffle your true beliefs to protect your reputation. But if you post anonymously, then you still have to worry about your identity being exposed. Everyone should be concerned about the major security risks posed by AI.

Protecting your identity means more than just using an anonymous name and profile picture. It means completely severing your online life from your personal life. You must also ensure you aren’t leaving “breadcrumbs” — small pieces of information that can connect the two. Plenty of people are great at picking up these breadcrumbs. AI will be even better at it.

There’s a wide range of precautions you can take to protect your identity. The most extreme option is to not use the internet at all or delete all of your social media accounts. But that’s unrealistic. I prefer a more grounded approach while still being hypervigilant. In this post I will talk about the apps, methods, and common sense I use to have tight internet security and remain completely anonymous.

Assess Your Threat Model

If you live in the real world, it’s impossible to use the internet without revealing your identity. If you have a credit card, use Amazon, or shop online — your information is out there. Just Google your real name with your city and state. There’s thousands of data brokers who collect this information and sell it.

There’s also different risk levels. I’m a well-known anonymous account with controversial opinions, so I have to be more diligent than average. If you’re a small account who doesn’t attract much attention, then you probably have less to worry about. Regardless, in the case of an untamable AI security breach, I recommend taking the below precautions.

Disconnect Your Double Life

I strongly advise against posting under your real name on Instagram or Facebook while running anonymous accounts. This significantly raises your risk. That being said, if you’re already doing this, there’s no need to panic. Run through the below list to make sure your anonymous account and real life accounts aren’t connected in any way.

Interacting with other people online is inevitable. Stay extremely cautious anyway. Even your closest mutuals can become compromised, leak details, or turn on you. I’m also not suggesting you shouldn’t make friends online. But regardless of how trustworthy someone seems, you should remain skeptical, lean on the side of caution, and use your best judgement. Trust your gut.

Your anonymous account should also be completely clean. If it fails any of the below criteria, then it isn’t clean. Here are the basics of account hygiene:

• Account is linked to an email address that doesn’t include your name (yourname@gmail.com). You can create burner emails for free.

• Your anonymous account has been completely anonymous from the beginning. Which means:

  • Your original username didn’t include your real name or other information about you. Many people have been doxxed this way. They started with an anonymous account that was originally their real-life account. The username was something like “@realname” or something equally revealing. If you fall into this category, I strongly recommend deleting your anonymous account.

  • You weren’t posting things that could be linked to your identity (posting about where you went to school, where you work, etc.).

    • Keep in mind - if you’ve posted that you live in NYC, then it isn’t catastrophic. A city of 9 million people is too broad to pinpoint anyone. But it becomes dangerous when combined with other details.

  • If you’ve only been posting privately under a locked account but were being loose about your information in your posts or DMs, I recommend deleting the account, regardless of how much you may trust the people who follow you. If nobody follows you, your level of risk is significantly lower.

  • You’ve never cross-posted the same photo, opinion, or story on both accounts. If you’re unsure whether you’ve done this, review your old posts or use a tool like tweetdelete.net to wipe everything and start clean.

Some of above suggestions might be seen as extreme. How much you’re willing to deviate from them is up to you and how you assess your risk level.

Tight Internet Security

Hackers are getting more sophisticated at phishing schemes. Just look at what happened to Yuri Bezmenov’s Substack and X accounts recently.

This is where having very tight internet security comes into play, which is different than having tight OPSEC (Operational Security). Internet security is making sure your accounts are as hack-proof as possible. OPSEC is making sure your identity is as un-doxxable as possible. You can have the tightest OPSEC in the world, but if someone can easily log into your accounts — they can dox you.

VPN

In general, it’s wise to use a VPN to mask your IP address. However, this can slow your connection and sometimes certain sites won’t allow you to access it with a VPN turned on. It’s not the end of the world if you don’t have it on at all times, but to reduce risk, you should have a VPN on as often as possible.

Passwords

What’s more important is making sure nobody can log into your accounts except you. First and foremost, you must use a Password Manager. If you’re using the same password for everything, or have a little system in your mind, it’s extremely exploitable. Password Managers will create a long string of numbers, letters, and symbols as your password, and makes it easy to use a different complicated password for each site.

I also strongly recommend using 2FA (2 Factor Authentication) for all of your logins. You should use the 6 digit authenticator codes linked to an authenticator app, which is pre-installed in most password managers.

Tip: if the password manager you use isn’t supported by the site’s 2FA policy, select “enter code manually”, and it will give you a long string of letters. Enter that into your password manager, and the 2FA codes will appear.

Never link 2FA to your phone number. It creates a serious vulnerability — if an attacker hijacks your SIM card, they can receive all your codes. Most sites offer 2FA now. If the only option is to use a phone number, create a free burner number online instead.

The above guide for passwords is mandatory.

Remove Yourself From Internet Archives + Google Yourself

If you want to delete your social media history, beyond merely deleting accounts, you should search for the URL of your account on the Wayback Machine. If a bad actor wanted to clip something you said for future use against you, they posted it here. If you send them an email with a legal notice requesting the takedown, they usually don’t ask many questions and take it down promptly. Ask AI to write this up for you.

Also, and I admit this is extreme — reach out to companies you have logins with but no longer use and request they delete your data. That’s different than merely deactivating your account. If you send them a legal notice, they will respond in a few days and confirm deletion.

Lastly, and most importantly — Google yourself. If there’s websites that have written things about you, request they be taken down. I’m not suggesting you need to have a completely empty Google search, but keep in mind that it’s a vulnerability risk.

I strongly recommend using Incogni. If you provide it with your name, phone number, and previous addresses, it will scour the internet for all of the data brokers that sell your data and legally request they take it down on your behalf. I’m not being paid to promote this.

Conclusion and AI’s Feedback

As I mentioned earlier, this post contains two essays: the one you just read, and the second I published 4 years ago. The second goes into more depth, and you can tell from the language it’s a bit outdated.

I wrote this to help people who might be concerned about future AI risks and want to better protect their identity. To have minimum viable OPSEC, aside from password protection, you can use your best judgement as to how far you’re willing to go based on your risk level.

To make this guide as robust as possible, I even ran it by Grok (yes — I asked AI for help protecting myself from AI). I will never publish anything I know nothing about or don’t have strong opinions on, so I copy and pasted exactly what it fed back to me.

I hope you found this helpful.