It's hard to be an egg sometimes. On Thursday, Gizmodo published an awesome investigation unmasking FBI Director James Comey's likely Twitter account. The piece relied entirely on information available in the public domain, and provides a blow-by-blow account of how to scout out a target online.
However, it's not just journalists who can learn from this episode, but anyone who may want to run a pseudonymous identity online too.
Ultimately, many of Comey's problems apparently boiled down to compartmentation; that is, keeping identities in separate compartments, with no links, or at least erecting strong barriers between them. The account's handles include a project that Comey worked on (Project Exile) and the name of a philosopher Comey covered in his senior thesis; he also follows an account related to where he was an undergraduate student. When creating a truly pseudonymous account, the username should include no references to the owner's 'real' identity, and the account's activity probably shouldn't reflect fairly unique things about the user either.
OTHER PEOPLE ARE THE ENEMY
Unfortunately, even if you take your own security precautions pretty seriously, there's always the chance someone else might expose you, even inadvertently. Twitter users seemingly congratulated Comey's son Brien on his father's promotion to FBI director, which provided another breadcrumb of accounts to follow.
At the time of the Gizmodo investigation, only one person followed Comey's suspected Twitter account—Lawfare editor in chief Benjamin Wittes, who is apparently a personal friend of Comey. Even if Comey didn't ask Wittes to follow him (it doesn't really matter for the purposes of this article), it created a solid link between the real Comey and this Twitter egg.
DON'T TALK ABOUT IT, OBVIOUSLY
One of the first clues for the Gizmodo piece was Comey saying in a public conference that he has around nine followers on Instagram. Without that nugget, it's not clear if anyone would have had all that much luck tracking Comey down at all. With online investigations, even the most innocuous-sounding clue can be the springboard for a much more substantial discovery.
But, why does this all matter? Sure, you could run a Twitter account totally separated from your real identity in every single way—by not following accounts you're interested in, or maybe deliberately interacting with random people to muddy the waters—but that might not be why you joined the service in the first place; what would even be the point? How much you want to distance your account is dependent on what you're trying to achieve. In Comey's case, it may have just been to quietly engage with tweets or certain users without letting everyone know who was behind that purple egg. If the account was purely to monitor Twitter without liking or following anyone, that would be something else.
Security is always about trade-offs, and isn't a goal in and of itself; it's about achieving your goal, whatever that might be, but, well, securely.