As of April of this year, there were 336,724,945 breached accounts in the Have I Been Pwned? database (yes, I suggest you go to that database and check your email addresses). That number has since jumped to 1,307,907,501. This means almost 1.5 BILLION people/credit card numbers/addresses/email addresses/etc. are available, and not many of them are throwaway email addresses; most of them are people’s actual, log-in-every-day, synced-to-your-phone addresses. Before you raise your nose in the air just slightly and sniff that there’s no way you’re on that list because you are careful, let me ask you the following:
- Do you remember every single site you have ever entered your email address, name, or any other details about yourself, since the first time you ever logged into the internet?
- If by some act of God you could answer “yes” to the above, do you know (and have you kept track of) every business acquisition, re-branding effort, or data sale from every site you’ve ever given your data to, for as long as you’ve been on the internet?
I rest my case. (By the way, here’s a link to answer the question “How is my data in a breach on a site I never gave info to?”) That’s not even counting all the ways that major email providers such as Gmail, Hotmail, and Yahoo already spy on you and use your information.
So what are you supposed to do about all your personal data floating around everywhere? The bad news is, you can’t take that info off the internet completely. The good news, however, is that you can keep these sites from getting more, and you can change some of the info you have. Enter the throwaway email. Combined with a fake name and even a fake birthdate, it can do a great deal to mitigate that threat. Before we get into the advanced stuff, however, let’s take a look at one easy way to sign up for things without giving away the proverbial farm.
Mailinator
I happen to think this option is the best for certain situations. The way it works is this: You have a site you need to give an email to in order to sign up; we’ll call that site databuyers.com. You give databuyers.com literally any email address you want, as long as it ends in mailinator.com. It does not matter what Mailinator address you give them, because when databuyers.com sends an email to that address, Mailinator will create the address on the spot. This means that if you want to have databuyers.com go to email@example.com you can, without setting up an account at Mailinator.
How is this possible? It’s because Mailinator has no privacy. Every single email address is public domain and wide open, and anyone can read any email sent to any address. So, if you tell databuyers.com to send the verification email to firstname.lastname@example.org, you can immediately go to Mailinator and type that address in (no password needed, since it’s public) and hit Check Any Inbox, and boom, there’s the email. Any email sent to Mailinator also gets deleted after a few hours, so don’t think you can go back 2 weeks from now and see that email you got, because it’ll be gone. You can, however, still use the email again, simply by putting the address into whatever site you need it for, because Mailinator will recreate it as soon as the email is received. Nifty, right? The more intelligent and creative among you can probably think of some other ways to use this as well.
Pros
- You don’t have to give any personal information. In fact, I’d advise against using your real name in Mailinator or when signing up for new accounts at all (even when you’re purchasing something, but circumventing the whole “need all personal info” thing when buying online is a whole other article and involves a bit more work).
- No passwords or account setup are needed; you simply make up an address that you plan to use, and give that out.
- Free. We like free.
- Anonymous at the Mailinator site (caveats exist; see the Cons list for details).
- Very easy to use.
Cons
- Anyone can read anything sent to any email address in Mailinator. You can test this by going to the Mailinator site and checking email@example.com. You’ll see all kinds of emails, from spam to account resets. This means you would NOT use this for sending uncoded sensitive messages within your group, for instance (the Mailinator website, in fact, points out that if you do, you’re a “stupid head”).
- If you do need to reset your password (you use KeePassX, so this isn’t a problem, right?), you’d have to send your password reset to the public mailbox, which could be a problem. See above point.
- Some sites may not allow you to use these email addresses since they’re known as anonymous. They don’t like when you send them fake data; they want your real data. If you find yourself in this position, you may want to ask yourself if you really need to sign up there.
Overall, Mailinator is a solid way to stop giving your personal information to every site you log into. You may even want to change some of your existing accounts to a Mailinator address as well.
GuerrillaMail is another option for those who need a throwaway email. Also free, this works somewhat like Mailinator in that it’s a publicly available email inbox. Where GuerrillaMail differs, however, is in the scrambling of the email address, which means your email can be something like firstname.lastname@example.org. If someone knows the ID you used on the email inbox, they can access whatever is in there, so it’s best to not use email@example.com or something like that.
Basically, GuerrillaMail has the same pros and cons as Mailinator, but also has address scrambling to help obfuscate your actual email (which may be something like randomname@, but show up as firstname.lastname@example.org).
The Advanced Stuff
If you’re familiar with the dark web, you may want to consider something on the Tor network as well, for sites you need to use there. (Keep in mind that Tor has its own issues, however; best practices for Tor include using a virtual machine–Qubes if you can run it–a VPN, and not using it at home or work.) The same goes for other darknets like I2P or Freenet. If this paragraph made no sense to you, that’s okay for the moment; you might want to start learning though.
What NOT to Do
A lot of us have a Gmail account (or Yahoo/Hotmail/MSN, etc.). In many cases it’s either our name or some identifying characteristic that lets people know it’s us (mine is from back when I was an aircraft mechanic, but I have had Gmail accounts that were my name too, from when I didn’t know better). It’s easy and convenient to just use that for the spam and logins, but that’s a bad idea. First of all, as we have taught in our Basic Privacy and Anonymity course, the more convenient something is, the less secure it is. Secondly, if you’re using one of those emails to log into everything, then everyone who has access to your email data also has access to everything in it. Gmail, by default, is a “gigantic profiling machine,” and as far back as 2013, Google was quite clear that anyone who emails a Gmail user has “no legitimate expectation of privacy in information” because they “voluntarily” turned over information to “third parties.”
This means that if you decide to get Protonmail (a good choice) for your sensitive emails but then decide to use your Gmail for all the rest of your everyday logins, you’ve just defeated the purpose of the exercise. In fact, if you own a Gmail account, go look at your Google Dashboard and see how much information there is about you.
The Third Option
Staying on top of your privacy is a never-ending endeavor. If you’re an activist or involved in liberty work, however, you don’t have another choice. As a society we are conditioned to think in terms of binary options: one, or zero. Republican/Democrat is a classic example. In reality, however, often there’s a third option that we don’t think of. When it comes to being tracked everywhere we go or having all of our purchases cataloged, it seems sometimes like there’s no way out. Either we are getting tracked (in which case, our beliefs and activities draw suspicion and extra attention), or we go all out and drop off the radar, which also draws suspicion and gets us more attention. It’s easy to feel like we’re being funneled into a no-win situation. But we aren’t, if we think smart. There are ways to turn the system back on itself.
Imagine doing any of the following:
- Having your Gmail signed up for updates from the DNC, Hillary, Obama, and every anti-gun group there is (if you paid attention to the article on infiltration, you may already be doing this). Obviously this won’t work if your Facebook looks like a meme shrine, and most people suffer from one very exploitable weakness that will ruin this, which I’ll talk about in a future article.
- Downloading an app that you know tracks your every location when it’s open (such as Pokemon Go or Waze), and establishing a pattern of places and times where you are known to be. Then, send your phone with someone else, in your vehicle, to a place and time in the pattern; that person will have the app open, tracking “you,” while you go elsewhere to meet with a contact, pick up an anonymous purchase, or check your message drops.
- Sending yourself a lot of encrypted material at Gmail. As in, so much encrypted stuff that they have to spend resources digging into it. I prefer encrypted cat pics, myself. While they’re digging through those, I can send other things elsewhere, through different means. Do not send anything related to your activism through your regular email. Ever. For any reason. I see a lot of emails coming to TOWR, asking for training on various topics or wanting to ask us a question related to the movement somehow. It seems like with very few exceptions, all of them are coming from email addresses hosted at Gmail, MSN, or another open provider. In fact, we’ve gotten a few that were from their actual ISP domain (Comcast, Frontier, etc.). Do not do this.
The list goes on. Be creative.
The bottom line is, you’re being tracked. We know that; it’s old news. Our job is to find ways to either dodge that surveillance, or use it in ways that let us work the system to our own advantage. Throwaway email addresses are just one of the tools we have.