Getting Expendable Accounts

The amount of information we need to give out to Google or Apple (or Twitter or Facebook) to create an account is shocking, but you wouldn’t even notice. That is until you try to do so without a smartphone. This post is a summary of my experience trying to open alternate accounts that do not lead back to me in any way. Spoiler: this has mostly failed.

Alternate email (easy)

This is probably the easiest one to get. A burner email for a limited time is excellent when you want to register for online services. Considering the amount of junk we all get in our email accounts, it’s probably a good idea to always use one1.

One popular service is maildrop, but its popularity is also its weakness. Most services block it and will not allow an email from the .cc domain. Maildrop does not create unique email addresses either, so anyone fishing for popular email addresses on this service might end up with your emails.

Another service and long time favorite of mine has been fake mail generator, which creates a legitimate looking email with different domains. This website yields mixed results; some online services work fine with it while others block the generated email addresses. It is quick to use however and can produce better results than maildrop.

A popular service I’ve had a high success rate with is temp mail. This one seems to generate a unique email address each time including a domain, and it filters bots with a captcha (if you’re behind a VPN, expect it to test you with an annoying “find all the airplanes” kind of thing) so it seems to be more resilient to be blocked by online services. The problem with this one is that you can’t go back to an email you’ve used. Each email exists only as long as the browser is open. If you’re locked out of an account you’ve used this service with, you’re out of luck. Keep this in mind.

Alternate Google/Facebook/Twitter Account (medium difficulty)

Alternate email addresses are easy, but creating an account with one of the big ones out there (Google, Facebook, Twitter, etc.) is more challenging. These services are designed to detect bots and spammers, and they place privacy seekers in the same bracket. Simply put, if you’re trying to hide your identity by using a VPN, changing your MAC address, and logging from different locations, you’re going to have a hard time.

I’m going to focus on Google here since this has been a primary target in my research. Creating a new account from a computer is not that easy, and it seems that Google filters users based on operating systems as well as IP addresses. For example, I could not create a new Google account on my Debian VM without phone verification, but creating one from ChromeOS was easy.

Google will end up insisting on a phone number verification sooner or later. Unless I wanted to give it my real number or a Google Voice number it failed to work, even with a valid VoIP number that works for calls and texting otherwise. As it turns out, it’s quite easy to filter out VoIP numbers vs. carrier phone numbers. To my surprise, even “landlines” (since the vast majority of these are also VoIP these days) are disqualified. Google, as well as Apple, Twitter, Facebook and the big other ones are interested specifically in your cellphone number, but thanks fully, with one exception.

When you use a mobile device2 to create a Google account, Google lets you go ahead without a valid phone number. This is by design: after all if you never had a cellphone before, how are you supposed to get one? The solution then is to use a mobile device from a legitimate, non-VPN-protected WiFi. Your local Best Buy, Target, Walmart, etc. are perfect for this. Just approach the new Android phone section with confidence and create an account using the phone’s browser (do not attempt to register a Google Account with the Google App. This will not work, as the device does not have a sim and is stuck in “demo” mode). Be prepared that the helpful salespersons will be interested in what you’re doing, so be swift and confident. After all, they’re just doing their job. Make sure you switch between phones, alternate between different apps like the camera or YouTube, and don’t look suspicious3.

A (good) alternate phone number (hard)

Getting a good alternate phone number is hard. There are services out there that will give you a free-to-use VoIP for voice calls and text outside of Google Voice (a favorite one is text now, which allows you to create an account with Facebook, Apple, or Google accounts), but it seems Google Voice numbers are better than others. I got to this conclusion after some services that did not allow me to register with my text now number were fine accepting a freshly created Google Voice one.

But getting a Google Voice number is harder than getting almost any other account. I was able to open a Facebook account without a number verification (using a phone), but this seems to be impossible to do with Google Voice4. You must have a valid number to verify, and that number can’t be another VoIP from what I’ve seen.

For Google Voice to grant you a number, it must be verified with another number to which it will send a verification code. When I tried that with my text now number, I got the verification code, both in text and in a phone call, but the code failed to register back with Google Voice. It seemed Google Voice simply ignored it. I tried to register with Google Voice off VPN and other large public WiFis but without success. The nature of this lack of authentication, where Google Voice simply “ignores” my input, have me believe that I need to keep trying with different WiFis.

Up until now, my Google Voice number is tied to my real phone, and that means apps I use it with can track it back to me.

Methodology

I wrote the above headers from easiest to hardest based on my experience. This is also the order I believe these alternative accounts should be created to remain anonymous:

  1. Create a Google Account from an Android phone that you do not own (or perhaps a virtual one).

  2. Open the Google account from a WiFi you do not own (such as a public WiFi in a public library, or a coffee shop). Do not use VPN. Change your laptop’s Mac address if possible (this is known as spoofing, pretty easy to do). Send some emails to people who you don’t know (this sounds crazy but it helps “training” the account and make it more authentic. Remember that Gmail scans your emails for ads, this will help ensure it all looks valid).

  3. Now from behind a VPN (and possibly TOR browser, depending on your level of paranoia) Use the Gmail account associated with this account to register with services such as Twitter, Facebook and text now. Keep in mind Google will probably throw a bunch of captchas at you and you might lose your account at this point.

  4. Authenticate the Twitter and Facebook accounts with the number from text now, if possible. If they don’t accept it at one point, they might accept it at another - this has been my experience with Twitter a couple of times.

  5. Try to “upgrade” the text now account with Google Voice if possible using the same Google account you have.

Ending Thoughts

I published this post about two months after I started experimenting with what I wrote here. In the meantime, a couple of things came to light.

One of the obvious conclusions here: just get a damn burner phone.

As long as it’s possible to walk into a carrier store and get a phone paid fully in cash, this makes things much easier. The key to remember is to not turn on the phone or use it anywhere near your home, and when you do use it, use it only to enable Google Voice and the accounts you need, and then turn it off and remove the battery if possible (there are other options like faraday bag). This way if you lose access to your accounts in the future you can attempt to verify with the phone again, or probably walk back to the carrier store and ask for a new number/exchange phone/exchange sim.

The next thing worth mentioning is if you find that you’re jumping through all these hoops to get a fake number or a fake account, slow down and ask yourself why you’re doing it. This is not easy and can be highly frustrating. Are there easier to use, free (free as in freedom) applications you can utilize instead? Google, Facebook, Apple - they give you high-quality services and they’re in their rights to ask you to pay up (the fact that you don’t know how much you pay and for how long is a different story though). This will also make it harder for you to stay in touch with friends and will mark you as paranoid. Do you really want that? Why? Keep having these arguments with yourself and make sure you have good answers.

Be safe, be responsible, and be smart.

Footnotes


  1. Keep in mind that burner emails are highly unprotected and should not be used long term. If you don’t use a password manager like Keepass or LastPass, this would be a good time to consider. Not only it will generate a strong password, it will also save the random email address you just received to use when you log in. Another advantage of the password manager is that you can use it to also create a random unique user name. As humans, we like patterns, and you’d be surprised how those random names you come up with are actually not random at all. ↩︎

  2. In my attempts to run an Android VM I was still encountering difficulties, probably because I was still behind a VPN. For privacy sake, I didn’t want to use a public WiFi near my home. Technically speaking though, I think you could get a number if you were to use a naked WiFi and an android VM. ↩︎

  3. By the time I got this post ready to be published, the gmail account I created from a phone in a store got blocked, and Google prompted me to verify the account from a generic device name I’ve never heard of before. It looks like that even though I used the Chrome browser inside the phone when creating the account, Google got the phone info and is now asking me to verify that account with the particular phone I used - even though it wasn’t mine and didn’t have a sim card. Creepy. ↩︎

  4. Interestingly and Fortunately, one of the best apps is fine receiving Text Now authentication: Signal. I was able to register a new account with signal using the Text Now number, which means my Signal identity is not tied to any of my real accounts. If you use Signal this way from an Android VM, you can effectively have a truly anonymous and encrypted communications (you can download and installed the apk from the Signal website, no need to go through the Play Store) ↩︎


Comments