At a small, teller-like window, I filled out the paperwork using fake information. Unwisely, I wrote down my name as Aaron Brown— thus creating one of the links to my real identity I should have been avoiding. As a result, my receipt had “Aarow Brown” printed on it. It seemed fitting that the first physical evidence of Aaron’s existence was a misspelled name on a receipt from a computer shop.
When I got home, 10 bitcoin were there waiting for me in my virtual wallet, stored on an encrypted flash drive. I made the necessary contacts and ordered a counterfeit driver’s license, a student ID, a boating license, car insurance, an American Indian tribal citizenship card, a social security card scan (real social security cards were a bit out of my budget), and a cable bill for proof of residency. The final bill came out to just over 7 bitcoin, roughly $400 at the time.
As I waited for my pile of documents, I began crafting Aaron’s online presence. While exploring message boards on the darknet, I came across the contact information for a self-proclaimed hacker called v1ct0r who was accepting applications to host hidden services on a server he managed. I messaged him with a request to host Aaron’s website. He was happy to offer a little space, under two conditions: “no child porn nor racism; Respects the rules or i could block/delete your account.”
I also set up a simple web proxy so that anyone could contribute to Aaron’s online presence. The proxy serves as a middleman for browsing the Internet, meaning any website you visit is first routed through the proxy server. Anyone who browses using the proxy is funneling traffic through that one node—which means those web pages look like they’re being visited by Aaron Brown.
Aaron’s Twitter account worked much the same way. There was a pre-authenticated form on the project website, allowing anyone to post a tweet to Aaron’s feed. As Aaron’s creator, it was fascinating to see what happened once strangers started interacting with it regularly. People would tweet at their friends, and then Aaron would received confused replies. Under the guise of Aaron, people tweeted out, jokes, love messages, political messages, and meta-commentaries on existence. I even saw a few advertisements. Ultimately, the account was suspended after Spanish political activists used it to spam news outlets and politicians.
In a sense, I was doing the opposite of astroturfing, a practice that uses fake social media profiles to spread the illusion of grassroots support or dissent. In 2011, the Daily Kos reported on a leaked document from defense contractor HBGary which explained how one person could pretend to be many different people:
Using the assigned social media accounts we can automate the posting of content that is relevant to the persona. … In fact using hashtags and gaming some location based check-in services we can make it appear as if a persona was actually at a conference and introduce himself/herself to key individuals as part of the exercise ... There are a variety of social media tricks we can use to add a level of realness to all fictitious personas.
Aaron Brown turned that concept inside out. With a multitude of voices and interests filtering through one point, any endeavor to monitor his behavior or serve him targeted ads became a wash. None of the information was representative of any discrete interests. The surveillance had no value. I’d created a false human being, but instead of a carefully coordinated deception, the result was simply babble.
“The Internet is what we make it,” wrote security researcher Bruce Schneier in January 2013, “and is constantly being recreated by organizations, companies, and countries with specific interests and agendas. Either we fight for a seat at the table, or the future of the Internet becomes something that is done to us.”
For those of us who feel confident that we have nothing to hide, the future of Internet security might not seem like a major concern. But we underestimate the many ways in which our online identities can be manipulated. A recent study used Facebook as a testing ground to determine if the company could influence a user’s emotional disposition by altering the content of her or his News Feed. For a week in January 2012, reseachers subjected 689,003 unknowing users to this psychological experiment, showing happier-than-usual messages to some people and sadder-than-usual messages to others. They concluded that they had “experimental evidence for massive-scale contagion via social networks” because users responded by publishing more positive or negative posts of their own, depending on what they saw in their own feeds.
The U.S. Department of Defense has also figured out how influential Facebook and Twitter can be. In 2011, it announced a new “Social Media in Strategic Communication” (SMISC) program to detect and counter information the U.S. government deemed dangerous. “Since everyone is potentially an influencer on social media and is capable of spreading information,” one researcher involved in a SMISC study told The Guardian, “our work aims to identify and engage the right people at the right time on social media to help propagate information when needed.”
Private companies are also using personal information in hidden ways. They don’t simply learn our tastes and habits, offering us more of what want and less of what we don’t. As Michael Fertik wrote in a 2013 Scientific American article titled “The Rich See a Different Internet Than the Poor,” credit lenders have the ability to hide their offers from people who may need loans the most. And Google now has a patent to change its prices based on who’s buying.
Is it even possible to hide from corporate and government feelers online? While my attempt to do so was an intensely interesting challenge, it ultimately left me a bit disappointed. It is essentially impossible to achieve anonymity online. It requires a complete operational posture that extends from the digital to the physical. Downloading a secure messaging app and using Tor won’t all of a sudden make you “NSA-proof.” And doing it right is really, really hard.
Weighing these trade-offs in my day-to-day life led to a few behavioral changes, but I have a mostly normal relationship with the Internet—I deleted my Facebook account, I encrypt my emails whenever I can, and I use a handful of privacy minded browser extensions. But even those are steps many people are unwilling, or unable, to take. And therein lies the major disappointment for me: privacy shouldn’t require elaborate precautions.No one likes being subliminally influenced, discriminated against, or taken advantage of, yet these are all legitimate concerns that come with surveillance. These concerns are heightened as we increasingly live online. Digital surveillance is pervasive and relatively cheap. It is fundamentally different than anything we’ve faced before, and we’re still figuring out what what the boundaries should be.
For now, Aaron’s IDs and documents are still sitting inside my desk. Aaron himself actually went missing a little while ago. I used Amazon’s Mechanical Turk marketplace to solicit descriptions from strangers, and then hired a forensic artist to draw a sketch. He resurfaced on Twitter. (You can go here to try tweeting as Aaron Brown.) But other than that, no word. I have a feeling he’ll probably pop up in Cleveland at some point.
Everyone always seems to get sucked back home.