I once suggested to a senior political commentator to use a nickname when writing in an environment heavily scrutinized by censorship. He responded that he would not change his name or surname, and would only write under his real name. I admire the integrity of this senior figure, fully respect his choice, and say no more, continuing to silently support his transparency and consistency.
However, I have a different view about using real names.
Being upright and transparent does not mean you have to expose everything
I have previously spent a lot of ink discussing money, even publishing an entire book on it. In everyday language, "real money" refers to "flat currency", but most people's understanding is confined by the system, unaware of the possibilities beyond flat currency.
The same goes for "real name". What most people mean by this term should actually be referred to as the "legally registered name", i.e., the name of a person in the database of their jurisdiction. We say Jin Yong's "real name" is Cha Leung Yung, but Jin Yong is the name he chose for himself, which best represents him, is associated with his works, and embodies his spirit. When he identifies as Jin Yong, no one would think he's deceiving; in the legal and administrative system, he is called Cha Leung Yung, and that's it.
x.com/VitalikButerin/status/1535211774697414660
A scene from 2019 is etched in my mind. A protester in full black bloc attire was interviewed by the media, claiming to be upright and transparent. The TV screen was screenshot, captioned with mockery, and blue supporters ridiculed and insulted in various ways.
"If you're upright and transparent, you wouldn’t have to wear a mask!"
Such statements are frustrating. I completely oppose this notion, not because I stand with the protester, but purely because the concept is absurdly naive, similar to "not being afraid of a knock on the door in the middle of the night". Please, in this world, there are thieves and those who, upon learning your identity, will seize the chance to harm you.
Being upright doesn't mean one should be entirely exposed; one still needs to protect oneself. Moreover, failing to protect one's privacy often brings trouble not just to oneself but also to those around. Think of the consequences when someone's WhatsApp account is compromised; is it the owner or their contacts who suffer the most? When children mock elderly family members for falling for scam calls, it might be their own leaked personal data that enabled the scammer to impersonate them convincingly.
Let's discuss how to register for online services without revealing frequently used email addresses, and how, through identity management, one can protect oneself.
Email addresses are far more practical than phone numbers
Many internet services offer both email addresses and phone numbers as registration options. From a user's perspective, given a choice, one should always opt to use an email address to represent their identity for numerous reasons.
Setting aside principles, if you purely consider the scenario where a service provider might spam you or even sell your personal information to others in the future, it's clear that receiving junk emails is less bothersome than junk calls or text messages.
Email service providers automatically filter spam for users. The widely used Gmail even offers basic categorization, such as grouping promotional emails. While I personally don't rely on these features, fearing a misjudgment might cause me to miss important emails and disliking automated categorization (which often classifies emails I send to readers as promotions, leading them to be overlooked), when used appropriately, AI email filtering can undoubtedly save users a lot of time.
Another advantage of email addresses is that you can freely register multiple ones without revealing personal data (remember, even an IP address is basic online personal data, so always use a VPN when registering and using services). More importantly, you can choose overseas email providers. While this may seem trivial to those in smaller countries, remember that in some authoritarian states, even registering for an overseas email service is challenging. Domestic email services are often required to cooperate extensively with the government, with every email treated like a postcard that the government can freely read. Moreover, in such states, all online registrations require a phone number, which in turn requires an ID. In essence, it can always be traced back to your legal identity regardless of your registration method. If this becomes the future of Hong Kong, I wouldn't be surprised. If some still have a semblance of freedom to protect, yet choose not to cherish and willingly give it up, no one can help them.
Additionally, a popular little tip (though not privacy-enhancing) that I'd like to recommend: when registering for different services, even if you only have one email address, with services like Gmail or Protonmail, you can append a +tag after your username to generate a unique email address for a specific provider or scenario.
For instance, Alice, when registering for different travel services, could use alice+agoda@gmail.com, alice+expedia@gmail.com, alice+kayak@gmail.com, etc. All emails sent to these addresses will land in alice@gmail.com. While this won't reduce spam, since each email address corresponds to a specific service provider, Alice can filter emails precisely based on the source and establish appropriate workflows. Moreover, if a particular address starts receiving promotional emails from an unknown vendor, Alice will know who sold her data.
From my backend, I've seen subscribers use addresses like bob+reader@gmail.com to subscribe to "Blockchain Sociology." This is a smart move, allowing easy preset commands to manage newsletter emails, such as automatically skipping the inbox, adding a must-read tag (smug 🤮), and taking the time to read them later.
Monkey King's "Outlaw Doppelgänger Technique"
While adding tags to existing email addresses helps determine the source, it doesn’t enhance privacy. Continuously registering new email addresses is too cumbersome. Is there a way to have the best of both worlds?
You've probably seen in "Journey to the West" where the Monkey King plucks a hair, throws it into the air, blows on it, and conjures a horde of doppelgängers to combat powerful enemies. But you might not know that this duplication magic could be translated literally as Outlaw Doppelgänger Technique (法外分身). The use of the term "法外" (Outlaw) in ancient Chinese texts is quite intriguing. What I'm about to introduce is the "Outlaw Doppelgänger Technique" for emails.
Maxim’s Group’s “Outlaw Doppelgänger Technique”
Last week, I mentioned ProtonVPN. The company, Proton, focuses on information security and privacy protection. Apart from VPN, it also offers Mail, Calendar, and Drive services, similar to Google's early product line. However, there's a significant difference. Google can access user data, which allows them to serve relevant ads and offer free services. In contrast, Proton emphasizes end-to-end encryption for all its products, meaning even the service provider cannot access user data. As a result, they only offer limited free services, and advanced features come with a cost.
Recently, Proton introduced its fifth product, ProtonPass, a password manager. Typical password managers provide password generation, recording, and auto-fill functionalities. While a password manager itself requires a password, as long as you remember this master password, all other passwords can be handled through the password manager.
As a newcomer to the market, besides open-sourcing the product and providing third-party security audit reports, ProtonPass also incorporates the unique "Outlaw Doppelganger Technique". The official name of this feature is "hide-my-email aliases." It allows users to generate random email alias names when registering accounts on various websites and then forwards any emails received to their main Proton mailbox. Positioned as a "password + identity manager," ProtonPass is ingenious. I've switched from Bitwarden to ProtonPass and have been quite satisfied so far.
When users register on any website, the ProtonPass browser extension displays a small icon next to the email field. If I don't want the service provider to know my identity, I can click on this icon, and ProtonPass will automatically generate an email alias for me. From the service provider's perspective, this alias is your email, oblivious to the fact it's just one of your many doppelgangers. As long as you don't reveal other clues like IP address, name, credit card, etc., the website will find it challenging to associate the alias with your true identity. This feature is particularly handy when registering on unfamiliar websites or when you're unsure about using a site in the long run.
You might think, "Why not just use a single email alias for all websites where you don't want to disclose your identity?" Doing so is certainly better than sticking to a single "unchangeable" email address for everything, but it won't help you determine the source of junk mail. Moreover, it doesn't effectively prevent conglomerate operations from connecting your various aliases, thus obtaining a more comprehensive profile of your personal data.
The free version of ProtonPass allows users to generate 10 hide-my-email aliases. This is sufficient for casual users who occasionally need specialized aliases. The premium version, priced at $5 a month, provides unlimited hide-my-email aliases, integrates 2FA, among other features. It's not cheap, but if bundled with other Proton services and paid annually, it becomes much more affordable.
Ultimate Branding: DYOR
I'd like to especially point out that the above end-to-end technologies do not use blockchain and have little to do with web3. On the contrary, most blockchains and their recorded transactions don't utilize end-to-end encryption, which is why I tend to avoid using the term "cryptocurrency." Structurally speaking, services like ProtonPass and ProtonVPN are centralized, with Proton being the central entity of these services.
Though I consistently advocate for decentralized services, I don't believe one should entirely avoid centralized ones. Conversely, unreliable services, even if decentralized, won't automatically become reliable. Whether it's web2 or web3, don't blindly trust brands. The only “brand” truly worthy of our unwavering trust is DIOR DYOR - "Do Your Own Research."
web3dom - of web3 and freedom is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.
