Protecting Your Identity as a Sex Worker

2016-08-20 12:46:50 +0000

Note: I was asked to make this guide by my girlfriend to help her and my sex worker friends stay safe by staying anonymous both online and off.

Intro

I've seen a number of guides designed to help people protect their identities while online. These usually recommend using Tor and setting up private email servers. I've also seen a number of guides for sex workers about how to stay safe by protecting their real identity, but often they don't go much beyond common sense. This article is designed to merge these two into something that is useful and practical.

In short, this guide will teach you how to keep people from finding out your real identity: your real name, your home or work address, or anything else you haven't explicitly chosen to link to your life as a sex worker. To keep things clear, when I write "your identity," I mean you the individual with parents, siblings, and a day job. When I say "your persona," I mean the person you are on camera or on the job.

Because this guide is meant to be for everyone, it may cover information that you find obvious. However, what's clear to you may not be for others. Likewise, to help you get a more full understanding of some of the privacy best practices, it's important that everyone has a bit of an understanding of how web technologies work. It is long, and can be complicated at times, but it is worth reading in detail. People in high risk groups might learn something here that makes them reevaluate whether or not sex work is safe for them. Even veterans who are experienced could find things here to help them keep their identity safe.

As for my credentials, I've done camming and porn, and my past and current partners and my friends have been pornographers, nude models, escorts, strippers, and professional dominatrices or slaves. For my day job, I work at a security research company where we educate people how to stay safe online, and in my spare time I work on privacy and anonymity software.

This guide isn't perfect. Even if you follow it exactly, there is no guarantee that you will be able to keep your identity separated from your persona. Even the best designed software and practices have flaws, and if someone is hell bent on learning who you are, it is unlikely even the best countermeasures will stop them.

To paraphrase part of the MIT license, this guide is provided "as is" without warranty of any kind, express or implied, including but not limited to fitness for a particular purpose. In no event shall I, the author, be liable for any claim, damages, or other liability arising from usage of this guide in whole or in part. Simply put, follow this at your own risk.

This guide is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 license. This means, more or less, that you can freely share and modify it, but not use it to make money, as long as you cite me as the author and keep a link to this license.

A Privacy Primer

A common mistake is to think that privacy and security are either "on" or "off." People are not secure or insecure; there are degrees to both. A locked door is better than an unlocked one, but a door with a strong deadbolt is better still. Even so, if someone is determined to break into your house, there is little you can do to stop them. The same applies to digital security and identity protection. There are many things you can do or combine to achieve "more" or "less" security and anonymity. In fact, a guiding principle in the world of digital security is that it's impossible to avoid being hacked. The assumption is that it will happen eventually, and the best thing to do is make it as hard as possible for someone to do so. You should assume that eventually someone you don't intend will learn your identity.

Protection falls loosely into two tags: digital security and operational security. Digital security is what stops hackers and scammers from getting your credit card number or passwords. Operational security is what keeps your roommate from finding out that your dates are actually clients. In most cases, good operational security is more likely to keep you anonymous, but good digital security prevents the largest number of people from learning who you are.

When considering what level of security or privacy you want, you will have to build what people in the security industry call a threat model. Who are you concerned about learning your identity? How likely is it that these people are going to find out who you are? What are the consequences if they do? A gay, male escort in Saudi Arabia is going to have a very different threat model than an American cam girl. This guide will try to cover the gains and risks as well as the presumed threat models they address.

Common Threats

Sex workers can face many threats as a result of their work. These can range from a family member or friend shaming them for their work to physical violence. Sometimes it can be a combination of these. For example, most of the pornographers I know are relatively unconcerned with stalkers or being assaulted while on the job, but they go to great lengths to keep family and certain friends from learning about their persona. On the other hand, I know some escorts who proudly talk about their job among strangers but do make an effort to keep information about their identity away from clients.

All the threats here will vary in likelihood and severity of consequences depending on many factors. This could be the religion or cultural identities of your family, friends, or community. Your gender identity and sexual orientation could impact the problems you face if your identity is public revealed alongside your persona. Clearly members of the trans* community will, on the average, face a harsher reaction than cisgendered heterosexuals. There is too much depth and complexity to enumerating all possible threats any group of people will face, and only you know exactly what to be cautious of.

Operational Security

What is OPSEC?

Operational Security, sometimes called OPSEC, has its roots in militaries and intelligence agencies of WWII. The idea behind OPSEC can be summed up nicely by the phrase "Loose lips sink ships." This was meant to capture the idea that carelessly talking about military plans could lead to enemies gaining knowledge that would lead to a tactical advantage. OPSEC refers to all activities that related to keeping information secret, so by this definition it includes digital security. However, in our context we'll use the term operational security to refer to all the habits and practices that you apply day to day to keep your identity separate from your persona.

Basics

The first step is likely very obvious. You should have a fake name with fake personal details. This includes a fake birthday, a fake hometown, and a fake back story. Doing this is most useful for escorts and live cam workers since these are the jobs where you'll end up doing the most talking with strangers.

Whatever back story you make up should be written down somewhere so you can keep track of what you've said. When you add new details, add them to this document. After a long enough time, you may forget things or get things mixed up. If you have it written down, it can help keep your story straight. An incomplete or inconsistent backstory will lead to more questions which could lead someone to figuring out that your persona has lots of things made up. A large number of the people you interact with will not question whether or not your fake life is truthful, and if they do, it doesn't take much to convince most of them.

The depth of your persona's backstory comes down to personal preference. Most sex workers have a fake name and at least a little bit of misdirection with a fake age or home town. However, there are some who simply use their real name. I personally wouldn't recommend this for most people, but this comes down the principle of not making it easy for someone to access your information.

Something else that you should avoid is the presence of anything identifying in your photos or videos. Jerseys or scarves for local sports teams could identify the city you live in. Landmarks or recognizable buildings in the background of photos or out your bedroom window could let people know exactly where you are. Even wrappers from restaurants or bags from grocery stores can narrow down the range of places you might live. If you're working from home, you should quickly check the room for anything that identifies where you grew up or where you live.

Real Lies

Another somewhat common tactic is having a second persona. When you build a rapport with a client, sometimes they will feel like they have earned the right to know who you really are. If you are uncomfortable with this, having a second persona lets you "cave in" and tell them who you are without revealing your identity.

An example would look like this. Your name is Alice and you're from Atlanta. You've invented a persona whose name is Cassidy from Charlotte. When a client asks your real name, you can tell them you're really Bethany from Birmingham. Bethany is your fake "real" name with your fake "real" background.

Just like before, keep these details written down so you can refer back to them later. Clients might talk with each other about you, or someone might go on a binge and decide to read everything you've ever posted over the last three years. It would be best to keep your story straight so that they have little reason to believe they have been decieved.

Trust

Most people want to share details of their life with those around them. You may want to share some details, like that you strip a few nights a week, or you might want to go as far link your friend to your photos and videos. There are some things to consider when deciding what to share with whom. This is generally considered to be common sense, but to new or potential sex workers, this might be new information.

If you want your identity or persona to stay private, it is very important that you trust the people with whom you talk about your work. You may be careful about not discussing your work with some people or coworkers at your day job, but your friend may not. I don't mean this as a slight against your friends, merely that since this isn't their life on the line, they might accidentally let certain things slip. They also might not be aware of who they can or can't share this information with, or what information can be shared.

If you tell someone about your work, or if you go further and tell someone about your persona, you should clearly communicate your expectations of secrecy. This includes who they can or can't tell, or what details they can share. You should also emphasize how this could impact your life. If you work in a field where you can lose your job over allegations of being a sex worker, such as a teacher, tell them of these exact consequences to help them understand the risk if this information becomes too public. If some of your friends are sex workers and they know your name, you should make sure they know what level of privacy you want. If you don't want other sex workers or members of the production teams to know your real name, ask you friends to only use your persona's name while on the job.

While writing this post, I had a conversation with one of my pornographer friends about someone she is dating. She said that he is very excited by the fact that she does porn, and he liked to take photos of her and them during sex. The exact phrase she used was, "sometimes I feel like his trophy."

This is not an uncommon line of thinking. Friends and dates can feel like their status is elevated by associating with you in much the same way that people like to associate themselves with famous athletes or entertainers. This can take the form of bragging, and your friends or dates may share more information about you than you have expected.

Humans also enjoy gossip, so between this and bragging, there is more risk of someone you tell talking about your work or your persona than there is of them talking about other aspects of your life. There are a few questions you can ask yourself to help decide if this friend can keep your secrets.

  • Could this person keep my or my partner's pregnancy secret?
  • Would I tell this person about that I plan to ask my partner to marry me? And could they avoid telling anyone?
  • Would I tell this coworker that I'm actively looking for a new job?
  • Has this person told me other people's secrets?
  • Has this person shared any secrets with me?

Even if you are perfectly careful, when you share information that links your identity with your persona, each person you share it with becomes a potential way for information to leak.

Cross Posting

All the sex workers I know seem to have great love for social media, especially Twitter. They constantly post updates and photos for their fans, or announce when they will be online for camming or in certain cities to take on clients. Similarly, they also love posting to their personal social media accounts.

You should avoid posting a photo to an account belonging to your identity and an account belonging to your persona. Things can go viral for seemingly no reason, and there's also the random chance that someone stumbles on to both. You also don't know who will re-share your content. Even if you only have a total of 200 followers between all your accounts, your "reach," or the total number of people who see content you've posted, can be in the tens of thousands.

A tempting way around this would be to take two photos from the same set and post one to your persona's account and one to your identity's account. This should also be avoided. Tools like Google Reverse Image Search exist and are quite good at finding photos that are similar. Someone might use a tool like this to try to find your identity.

The problem is bigger than just two similar photos from a set. A Russian art student named Egor Tsvetkov took photos of people on a subway and found most of the subjects on social media. An article describing this can be found on PetaPixel and the original work can be found on Bird In Flight. This is only one example, but it is very easy for someone who is determined to look up photos of you.

A good first step against is making your identity's accounts as private as possible. This limits the number of photos and posts out on the internet that contain identifying information about you.

If your threat model only includes stalkers or angry fans, it's easy to keep your identity and persona separate, but if your threat model includes the government of countries where you live, work, or travel, you need to be very careful. Facial recognition software is very accurate, so if your work is considered illegal or immoral, the government of the country may identify you based off the photos you post online.

Another sex worker I know in the last week had a problem with cross posting. She went out with friends and took a group photo. She later posted that to one of her persona's social media accounts. Before this, a friend in the photo had asked for her to text it to her so she could have a copy. This friend later posted it to a public social media site and tagged her. Eventually, everything was sorted out, but because of tools like The Internet Archive, anything that goes on the internet might be there forever. This goes beyond photos of people and includes objects as well. Double posting a photo of a an article of clothing or a sunset can be enough for someone to track your identity down through your friend's post.

To prevent this, you should talk to your friends about what they can and can't post about you. If they know you are a sex worker, tell them not to tag you in photos, and tell them why. If you have kept this secret, a good approach is to ask them to never tag you in photos. It's a good idea to not post photos of friends who don't know you're a sex worker online for a number of reasons.

For most people none of this is a problem. The internet is a large place with a lot of data, and chances are no one is going to do anything if they find your identity. However, for some people this is a very real concern, and they should be aware of all potential risks.

Sneaky Habits

Being careful about how you conduct yourself while on the job is not enough. Just like the child who cleans their room only after breaking something or the roommate who only plays music in the shower while they're masturbating, your habits may give away more thank you realize. The daily and weekly habits you develop will primarily keep details about your persona and your sex work away from roommates, dates, and friends.

Sex work can be very lucrative, and it may be a give away that you are involved in something clandestine if you suddenly have a great deal more money. If the people close to you know you are a barista or waiter, yet you are able able to afford designer clothes or luxurious trips, they may start asking questions. If you are a stripper, you should avoid carrying large sums of money in small bills. I have seen two girls do this. They thought this would go unnoticed, but it was immediately obvious what their night job was.

If you are often leaving the house at night for work, only wearing half of your outfit and keeping the other half in a hand bag can make your evening seem more casual which would prompt fewer questions. A friend told me she used to say she was going on dates until her roommates figured out she was an escort because she couldn't remember details about her made up dates. If you're going to use a cover story, pick something you can stick to. Another strategy someone used was getting a job at a bar and working nights. She'd work a couple of nights per week and strip the rest. This ruse lasted over three years, and no one ever suspected anything.

This is again something where there are far too many situations for me to be able to give specific advice. The only thing I can say is that a good question to ask yourself while developing these habits is, "if I do this for 3 months will it invite questions?"

Obvious Correlations

Part of what rounds out your persona is posting a bit about your day to day life. Things like concerts, workshops, or film premiers are common things you might want to share. You should keep in mind that it is trvially easy to identify the city you live in based off the things. Granted, if you say you saw a band on a Friday night, and someone looked them up to see that they were playing at the Filmore in San Francisco that night, the only detail they would learn is that you happen to live in the top half of California. If you post something about having a great time seeing the same band in a tiny town with a popluation of 4000, it would be easy to assume you live there.

Digital Security

Note: Most of what is said here about websites equally applies to apps. What is said about computers often equally applies to phones.

In the physical world, if you don't want someone to find out about your sex work, a little discretion can often be all you need. If no one saw it happen, there's no evidence and you can deny any allegations. In the digital world, there's almost always a record of where you've been and who you've talked to. Websites often keep logs of who has been to what pages so they can analyze traffic later. There is an entire industry that revolves around tracking users on both their computers and phones in an attempt advertize more effectively. On top of that, banks and public health organizations often must keep records, and your internet and phone companies are very interested in how you use the internet as well.

The safest assumption to make is that if it happened on the internet, someone knows about it, and that data is going to be around for people to stumble upon for a very long time.

The Bare Minimum

Before we get into the details about how to be very careful about having someone link your persona to your identity, there are a few things you can do.

First, you should use a separate email address for accounts tied to your identity and accounts tied to your persona. If you use Gmail for your personal mail, a second Gmail works just fine. This second email address should not include any details about you. For example, if you were born in 1992, don't use porn-name-92@gmail.com. All the accounts you make should be tied to this second email address: your Twitter, your Instagram, etc. All of the correspondences you have about business with producers or clients should be done with this account as well.

Keeping your computers and browsers updated is the next best step. Old software can be hacked more easily, and if you get hacked, someone can learn everything about you.

The Internet: A Series of Tubes

To understand how to protect yourself online, we first need to review how the internet works. This is meant to be a simple overview and not a perfect technical explanation that will turn you into an expert hacker, so keep in mind that there is much more to it than this.

The internet is a really just a network made of many smaller, connected networks. When you print a document over WiFi at home, you're using the same protocols and technologies that you use when you do a Google search. The main difference is that these signals never leave your flat; they just bounce between your laptop, router, and printer.

Just like the router in your flat knows how to send signals between your different devices, there are larger routers that help traffic on the internet get between different networks. The most obvious case is that when you viewed this article, your WiFi router knew that it wasn't hosted somewhere in your flat and that the location was somewhere in a different network. The way computers and routers keep track of this is with IP addresses, or Internet Protocol addresses. These are usually four numbers separated by periods. They look something like 54.28.199.6.

Your computer doesn't know exactly how to reach every address, and it is the responsibilty of all the routers in between any two devices to get communications between them. For example, if I wanted to try to reach google.com from my office, there are 8 hops to get there. You can see the route below, but don't worry if you can't understand it.

heartsucker@pythagoras:~$ traceroute google.com
traceroute to google.com (216.58.208.46), 30 hops max, 60 byte packets
 1  fritz.box (192.168.203.254)  2.965 ms  2.947 ms  2.934 ms
 2  217.0.119.68 (217.0.119.68)  19.325 ms  19.443 ms  20.106 ms
 3  217.0.77.62 (217.0.77.62)  21.410 ms  25.343 ms  25.340 ms
 4  217.239.49.250 (217.239.49.250)  30.187 ms  30.627 ms  31.227 ms
 5  72.14.196.17 (72.14.196.17)  31.700 ms  37.462 ms  37.460 ms
 6  216.239.46.63 (216.239.46.63)  37.455 ms  34.674 ms  34.636 ms
 7  66.249.94.135 (66.249.94.135)  34.625 ms  28.409 ms  28.277 ms
 8  fra15s12-in-f14.1e100.net (216.58.208.46)  27.369 ms  28.216 ms  28.215 ms

Why this is important is that you can see that there are 7 computers between me and Google, and all 7 of these computers can see my communications unless they are encrypted. In the most basic sense, encryption is a way of scrambling messages so only the intended recipient can read them. We consider routers to be computers. Even though they are specialized to do a small number of things, they still can be accessed by humans and record information in a way that makes them no different from your internet traffic first going through your friend's laptop.

The addresses above are the locations in the super network that we call the internet, but memorizing these numbers would be very annoying for reaching webpages. No one is going to remember that google.com is really 216.58.208.46. There may be several servers that run a given website, or servers might also be physically moved. We need to be able to talk to one of many servers that run a website, and we need an address that is independent of where the server is in the network. This is called DNS, or Domain Name System. The "address" google.com is the domain name of the servers that Google owns, and this name points to the IP address of the server or the several IP addresses of several servers. When you navigate to google.com, first you computer looks up what IP address is attached to that domain name, then it sends and recieves information from the IP address it found.

Let's make an analogy to the physical world. If you want to send a letter to your friend Alice, the first thing you'd do is look up her address. This might be by asking her or a friend. You'd write it on an envelope and put your letter inside. The letter goes in your mail box, and from there your local mail service transfers it to another mail service and so on until a final mail service drops it off at her door. When you looked up Alice's address, you turned a common name, "Alice's address," into a location. This is like a DNS look up that turns google.com into an IP address. Each mail service is like a router on the internet. The German mail service might not know exactly how to find an American address, but they know how to pass along a letter to the American mail service so that it eventually reaches it's final destination.

When you're browsing the internet through Firefox, Chrome, Safari, or whatever your browser of choice is, you're using only a tiny fraction of what the internet is capable of. The internet is made of many protocols, or ways of transferring information. Your web browser uses HTTP, Hyper Text Transfer Protocol, and HTTPS, which stands for HTTP Secure. Your mail clients, like Thunderbird or Outlook, use SMTP and IMAP. If you download files, sometimes you use FTP. There are many more, but for now the only two you need to care about are HTTP and HTTPS.

The routing of all the information on the internet is done invisibly to most users. What you can see is the HTTP and HTTPS requests you make that tell servers what information to give you and how to process information you give them. This could mean what language to serve the pages in, or it could mean to serve a different page because you're on a phone with a small screen instead of a high resolution laptop. Below is an example HTTP request and response. Again, you don't have to understand what exactly is happening here. This is only to help give you an idea of what is going on.

Request:

GET / HTTP/1.1
User-Agent: curl/7.38.0
Host: example.com
Accept: */*

Response:

HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: text/html
Date: Tue, 16 Aug 2016 10:37:01 GMT
Etag: "359670651+gzip+ident"
Expires: Tue, 23 Aug 2016 10:37:01 GMT
Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT
Server: ECS (iad/182A)
Vary: Accept-Encoding
X-Cache: HIT
x-ec-custom-error: 1
Content-Length: 1270

<!doctype html>
<html>
<head>
  <title>Example Domain</title>
  <meta charset="utf-8"/>
  <meta http-equiv="Content-type" content="text/html; charset=utf-8"/>
  <meta name="viewport" content="width=device-width, initial-scale=1"/>
</head>
<body>
<div>
  <h1>Example Domain</h1>
  <p>This domain is established to be used for illustrative examples in
    documents. You may use this domain in examples without prior
    coordination or asking for permission.</p>
  <p><a href="http://www.iana.org/domains/example">More information...</a></p>
</div>
</body>
</html>

Your web browser knows how to turn this HTML into a pretty page, and all the underlying lookups, routing, and information exchanging stays invisible to you.

That's all for the technical stuff. If it seemed like a lot to take in, all you really need to know is that computers have to look up each others' addresses all the time, and that there are many computers between you and your favorite website.

HTTP vs. HTTPS

Now that you understand how information gets from your computer to the servers running the website you want to visit and back, we can talk about how this affects your privacy. Let's look at a simple and very common scenario: logging into one of your persona's online accounts. Since this guide was written for some friends at God's Girls, we'll use godsgirls.com as the example.

The first step is to get to godsgirls.com. You type this into you address bar and hit enter. Your browser looks up the IP address attached to godsgirls.com. At the time this was written, this happens to be 64.38.209.233. Once your computer knows where the godsgirls.com server is located on the internet, it makes an HTTP request to load the home page. This request travels across many networks that make up the internet to reach the server. The server responds with some HTML. The HTML tells your web browser to load some images and fonts as well as some CSS and JavaScript to make it look pretty. This is all sent back over the internet to your laptop where the page renders. The last step would be to login. You type your username and password into the form and hit enter. You browser makes another HTTP request with your credentials, and the server responds with a cookie that authorizes you to load whatever content your account is allowed to access.

Something common to look out for is whether or not the pages are HTTPS (and not just plain HTTP). Back when I worked with KinkLive in 2014, everything was in plain HTTP including logins, credit card payments, and where we sent our tax forms. I know for certain other major sites out there currently have missing, incomplete, or poorly implemented HTTPS.

Using HTTP is problematic. When you talk to the server, every computer and router in between can see and modify the content. You have no way of knowing if someone was able to intercept your username and password. You also don't know that the page that loaded actually belongs to the site you requested. HTTPS solves this by using encryption. When you make a request to a page, your browser first does a check for an encryption certificate. Your computer uses this to encrypt your data so that only the server you're talking to can read it. Once you've gotten a response from the server, you can be sure that the information wasn't seen by anyone else, and your browser can verify that the information wasn't modified.

Many web pages automatically redirect you from a plain HTTP page to an HTTPS page. You can see this in all popular browsers quite easily. To the left of the address bar, there is usually a lock. It's green when pages are in HTTPS and grey when pages are in HTTP. Sometimes the lock is yellow if a page serves mixed HTTP and HTTPS content. Red indicates a security and encryption error. You've probably seen all of these at some point.

The rule you should follow when using websites that you log in to or use with your persona is that every page should always have a green lock or green message saying who owns the page.

There are some minor exception to the above, but they involve a rather advanced understanding of how internet traffic works. The one exception that you should be aware of is how proxies work. If your school or work has a proxy that you have to connect to, the proxy can see all of your traffic unencrypted. A very simple way to think of this is that your computer connects securely to the proxy as the proxy immitates godsgirls.com, and the proxy connects securely to godsgirls.com. The proxy then relays the traffic between you and the site, but while it passes through the proxy, the proxy can read all of it. It can be set up to log traffic with certain terms, and porn is a common red flag. It can also be set up to log traffic based on certain users. Most proxies are deployed ethically, but they are also quite capable of helping someone figure out your identity.

In short, this means you should never access anything tied to your persona either on your computer or phone through a school or work proxy.

The use of HTTPS over HTTP has obvious security implications. It stops you from getting hacked and having your account taken over. It also stops someone from sending you fake pages with fake content in place of the real pages you were looking for. However, all of this was primarily meant to explain how HTTPS helps hide your identity.

With HTTPS, your ISP, or Internet Service Provider, will still see that you used DNS to look up the IP address of godsgirls.com. They and all the servers along the route will see your traffic going to and from the God's Girls servers, but they won't know what pages you accessed. Most importantly, they won't see you see your login information or cookies.

With plain HTTP, it is more likely that someone will be able to tie your identity to your persona. First, if someone was able to steal your persona's credentials or cookies, they could access the site as if they were your persona. Chances are there is some private information there that could identify you. Maybe you talked with other models or site admins about travel plans, or maybe you have tax forms with your real name.

There is a lot good to say about HTTPS, but it doesn't solve all your problems. Because your ISP sees your DNS look ups, and because many of the servers along the way can see that you were sending messages back and forth between godsgirls.com, it is possible for a rouge employee to tie your street address to your IP address. This is likely illegal and also likely something that would get them fired, but that's only if they get caught. This is not uncommon, and even has the name LOVEINT, as coined by the NSA.

This comes back to the idea of threat models. It is safe to guess the vast majority of sex workers do not have someone who wants to stalk them employed by an ISP or other infrastructure provider. This means that even with poor security, no one is going to look at your internet traffic to identify you. However, some countries make collection and scanning of internet mandatory. This can be done publically or privately and either legally or illegally. In the USA, the NSA illegally collects information, so if there is a very good chance that they can tie your persona to your identity, even if you're not American and don't live in the USA. However, this same collection could have much worse consequences if you're in a country where sex work is illegal or punishable. Even with HTTPS, you can be identified. If your sexuality being public could lead to your harm, you should be very careful about using the internet as a sex worker.

If you don't want your DNS look ups or HTTP and HTTPS traffic to identify you, a simple solution is to use public WiFi for everything you do. Using your mobile network, like 3G or 4G, to carry out your sex work can make it even easier to identify you. When using public WiFi, you should avoid open networks that don't require a password. If you use pubic WiFi at a coffee shop or library, you should make sure it asks for a password.

Another thing you can do to help hide your information with HTTPS is installing the browser plugin HTTPS Everywhere. In short, this makes sure you're using the HTTPS version of a site if it's available.

Registering a Website

Most of the sex workers I know have a bought a domain name for themselves. There are many services that you can use to purchase and manage domain names, but two of the ones that have the best policies and are the easiest to use are NameCheap and Gandi. These will both let you set up domains, subdomains, email forwarding, and many of the other thing you need to manage the DNS records for your websites.

Like with every other service you use, you should use your persona's name and contact information when registering. This is especially important with domain registrars because of a protocol called WHOIS. This protocol allows users on the internet to find out information about the owners and operators of a website. This information is all public and easily accessible.

For example, I can quite easily look up who runs Kink.com.

Registrant Name: Peter Acworth
Registrant Organization: Cybernet Entertainment
Registrant Street: 1800 Mission Street
Registrant City: San Francisco
Registrant State/Province: California
Registrant Postal Code: 94103
Registrant Country: US
Registrant Phone: +1.4158560771
Registrant Email: dnsregistrations@kink.com

You can fake the information in the WHOIS, but be wary that the ICANN needs to be able to contact you via whatever information you provide, otherwise you could lose control of your domain. Depending on the registrar, this could also be a violation of the TOS which could forfeit your account. There are some services that provide fake (proxy) contact information and then forward all inquiries to you.

Tracking Via Advertisers

HTTPS helps stop anyone between you and the website you want to visit from seeing your private information. Even if you are careful and don't write anything personal or identifying on these websites, people and companies are still able to learn a great deal that can link your idenity and your persona.

When you make an HTTP request, a lot of information about you is sent along with the request. Here's an example of some of the information my web browser sends when I visit godsgirls.com.

GET / HTTP/1.1
Host: www.godsgirls.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5

Just from looking at this one piece of data, you can tell a lot about me. It says I am using Firefox version 45.0. It says I'm running some type of Linux as my operating system on a laptop that has a CPU with x86_64 architecture. It also says I speak American English. This narrows down who I am from the many people who visit God's Girls to just a handful.

All browers send this information, and they have to in order to get you the right content. If you only spoke German, a website would need to know that in order to serve you pages auf Deutsch.

Beyond those few lines that my web browser sent, websites can use JavaScript to extract additional information about my browser. It can see how big my screen is, what my phone's battery level is, or what plugins and extensions my browser has installed. Websites can even request your location. All of these things together amount to what is called fingerprinting. Even if you never log into a website, it's possible for them to know when you come back and how long you visited. They might not know your identity or persona, but there is somewhere an anon-user-12345678 in a database.

Many times all this data is tracked to help the business decide if it's making good decisions or not. Are people using chat? Did the new layout help people find the content they wanted? Are users using the site more or less after a new feature was added? This sounds quite innocuous, but as an engineer with access to the servers that ran my companies' websites, I can say that there is a huge amount of data that is very identifying. This data is rarely encrypted, and there are rarely measures in place to ensure employees don't access it without authorization.

This is a relatively minor threat to your anonymity since rouge employees are rare and if you're careful, there won't be anything that ties your identity to your persona. Your biggest concern is that a government of law enforcement agency will request this data from the company that runs the website. If this is turned over, they have the resources to correlate IP addresses with physical locations as well as correlating internet traffic with server logs. A hypothetical example of this would be if a Turkish escort service was forced to turn over all their user data as part of a crackdown on sex workers. If you only ever visited such a site securely over HTTPS and only ever used your persona while there, you could still be deanonymized.

If you try to calculate the risk of any one website, you might think you can say "I live in country X, and the website has servers in country Y, so I am safe from having my data turned over." This is only partially correct. It is very common for websites to partner with companies that specialize in advertizing. These companies make money buy buying and collecting data, and then using it to figure out who you are so that they can serve ads to you or so that they can tell other companies what your interests are.

Back in 2012, I worked for a company that specialized in this. At that time, they were able to connect multiple different laptops and phones to the same user as well as identify if multiple people were using one shared device. We had a list of something like 80 direct competitors, and hundreds of indirect competitors. The ecosystem of tracking and advertising is very large and the flow of shared data between these companies can be convoluted.

This means that visiting one website can leave traces of your visit with 20 companies, all of which specialize in figuring out who you are through fingerprinting or data mining.

Luckily, there are ways around this, and you can do a bit to protect yourelf. There are two browser extensions you can install that will block a lot of this tracking. The Electronic Frontier Foundation released something called Privacy Badger which helps stop trackers. Second is uBlock Origin, which should not be confused with the product uBlock which is entirely unrelated. These addons help minimize how much you can be tracked, but like everything in this guide, they are not a guarantee that all advertisers will be completely unable to track you.

Installing these still leaves you vulnerable to a bit of fingerprinting, so a better tactic would be install two browers. I recommend Chrome and Firefox since they both have the two extensions I mentioned above. Everything you do with you identity should be done on one, and everything you do with your persona should be done with another. If you have two Twitters, only use one for your personal tweets and the other for your work. The same would go for other social media sites, photography sites, or blogging platforms. This is not necessary for everyone, but some people may find it necessary.

There are some advanced ways to hide your traffic, and you can read about that below in the section titled "VPNs and Tor."

Photo and Video Metadata

Most digital files, like photos, videos, or Word documents, have metadata that tells a bit about the contents of the file. When you play an mp3 file, your audio player knows the artist and track name. Photos have something caled EXIF data that contains the type of camera used.

Phones with cameras sometimes even include location data from the internal GPS in the EXIF of photos they take. You should check in your phone's settings that that this feature is disabled.

Photos you edit and submit to websites may contain metadata as well. You should check with your software what is generated. You can check what content a photo has by using the site ExifData to see what a photo contains.

Because this is a known problem, many websites strip metadata when photos are uploaded. On the downside, sometimes software has bugs. You can rely on websites doing this for you, but it is not a 100% guarantee.

The biggest risk to metadata leaks comes from dealing with clients directly. I know a number of sex workers who send photos they take to clients via WhatsApp, email, or SMS text messages. This is where the biggest risk lies.

Because every device, piece of software, and file format is different, I can't go into detail here about how to strip metadata from everything. You can do an internet search to see what tools are available for your device if this is something that concerns you.

Several sex workers I know use the imgur app with anonymous galleries to share photos. The app strips the metadata, and then they send the link via their favorite messaging app. This has the downside that the photos are already on the internet, though hidden, which could make the person you shared them with more likely to forward them to other people or repost them.

Passwords

Many people have only a few passwords they reuse for all of their online accounts. Maybe your Facebook, bank, and email all have the same password. In general, this is a bad practice for a number of reasons, but in regards to protecting your identity, reusing passwords can help people discover your identity.

First, when people reuse passwords, they are limited to what they can memorize easily. A lot of people pick words like their pet's name, a favorite band, and their birthday with a random character thrown in. The password DaveRatm90 is a pretty bad password. Someone might be able to guess this.

Even if someone doesn't guess this, websites get hacked and passwords get leaked on occasion. Without going into details, a longer password is harder to reuse after it has been leaked in a hack. A different, but unlikely possibility is if two websites you used were hacked at the same time. If your password appears in both leaks, someone could guess that you're the same person. Since people keep passwords for many years and use them on many sites, this is a possibility.

You should use a password manager like LastPass. It will generate hard to guess random passwords for you and synchronize them to all your computers and phones. There are other options out there as well. I personally use KeePass because it's free, but I have to handle syncing it to my phone from my laptop myself.

Phone and Apps

One of the nicest things about modern phones is that they integrate everything together. A downside is that many times apps ask for every possible permission without needing it. Other times, apps may import all your contacts thus mixing the contacts for your identity with the contacts for your persona. Another convenience apps add is the ability to have multiple accounts on one device. The downside is that this might make your identity searchable by the email addresses tied to the accounts for you identity and your persona.

On iOS and to some extent on Android, you can disable these permission on a per-app basis, and sometimes inside the apps themselves you can choose what to import or not. However, a good practice is to have two phones. One for your identity, and one for your persona. You can get very cheap Android devices and very cheap pay as you go mobile plans in most countries. This cheap device should be tied to your persona. All your social media apps for your persona and all your persona's contacts should stay on this phone. This is a also a good habit because it will force you to consciously think about what you're doing each time you tweet or post. Accidentally posting a photo to your personal account could instantly undo many months of careful work you've put in at keep your identity and your persona separate.

Secure Communications

When we discussed HTTPS, we made it clear that, unless there is a very skilled hacker around, if you talk to a server, only you and that server can see the communication. What happens if you use a chat client through a server? Your chat is safe on the way to the server, and it's safe on the way from the server to the recipient, but the server can still read the content.

There is an idea called "end to end encryption." This is the idea that a message is scrambled in such a way that only the intended recipient can read the message. No matter what, a company that owns the servers you used when using an end to end encrypted chat will not be able to read you messages.

WhatsApp recently partnered with the privacy group Open Whisper Systems to integrate this technology into their app. You can read about it on their blog. WhatsApp is used by a lot of people and has a lot of features, so it is a great choice for securely chatting with clients and other people in the industry. A better choice is the app Signal. It is a bit more secure, but it is less commonly used and it is a little less user friendly.

What should be avoided are SMS text messages. Your mobile network provider can read the contents of you messages, and law enforcement and hackers have access to devices called stingrays that can imitate cell phone towers. Someone operating a stringray can read your text messages and listen to your phone calls. If you really are worried about someone getting too much information on your persona, WhatsApp, Signal, or plain email are your best bets.

VPNs and Tor

For people who are more technical, you can use a VPN, or Virtual Private Network, to help obfuscate your web traffic. A VPN will encrypt all traffic from your phone or computer and send it to a server somewhere before it ever reaches the public internet. An analogy would be putting a letter inside another letter, and telling the first recipient to open it and send the letter inside to the address on it. VPNs cost money and are something like 100 EUR per year, but they can offer a lot of protection against people or companies tracking your IP address or hackers sniffing you traffic while on public WiFi. VPNs are generally fast enough that you can stream video, so they are usable for people who do live camming. You should beware of any VPN services or browser extensions that are free, like Hola, for example. If you're not paying to use it, then you are the product and your data is being collected and sold.

Another solution is using Tor. Tor, which stands for The Onion Router, is something like a VPN, but it bounces the traffic around the internet between Tor servers to anonymize it even more. Using Tor for near perfect anonymity is hard, but it is doable. However, it is not suitable for video streaming, and some websites block people who use Tor. Tor is free to use. If you want to read more about it, you can look up The Tor project. If you want to try it out, you can use the Tor Browser.

Using a VPN or Tor will decrease the likelihood that someone can identify you based off your internet traffic.

Physical Security

Discussing how to protect yourself when acting as your persona out in the world is a bit outside the scope of this guide. However, someone may find this before finding guides that specialize in safety from physical harm, so there will be only a short bit here.

Trust Your Gut

When you're dealing with producers, other pornographers, and clients, you should always trust your gut. If you feel uneasy or unsafe, you should extract yourself from the situation as quickly as possible or call for help. This instinct has kept your ancestors alive for hundreds of thousands of years, so follow it.

When money is tight, you can get desperate, and it might be tempting to change what behavior you find creepy or scary. If you find yourself saying something like "I really need to make rent, so just this one time" or "they don't seem that bad, so it should be ok," then you probably shouldn't follow through with your plans.

A trick to help you with this is to write down what is and is not ok and what makes you uncomfortable. Do this when money isn't a problem and your standards are very high. Be specific about what you don't like. If you find yourself wondering whether or not you should follow through with a client, refer back to this list to help you get your bearings.

The Buddy System

Even if you want to keep everyone in your private life in the dark about the fact that you're a sex worker, you should try to find at least one person you trust enough to be your emergency contact. This is someone you can call if you ever need to be picked up or if you want someone to wait in a cafe near by while you work. If you don't have a friend who can do this, reach out to other sex workers in your area either through social media or through organizations that support sex workers.

If you're an escort, you should always have a buddy who knows when you're working and the details of where you'll be or with who. If you arrange clients beforehand, you should tell them who your client is in case the worst should happen. You should also arrange a schedule of times to check in. Tell your buddy that you'll text them every hour until you're home safe. The most important part of this is to tell your clients that you have a buddy and to let them know that you need to check in every hour. This could be enough to dissuade them from trying to do anything unsavory to you.

For your check-ins, you should pick a secret phrase that means "I need help" and share it with your buddy. This phrase should be something that sounds like a valid check in, but you wouldn't accidentally say. An example would be "all is well" or "everything is peachy." The reason for this is that if someone wants to harm you and they know you have to do a check in, they might force you to text someone saying you're ok.

Under no circumstance should you ever tell a client that you do not have a buddy. Always tell clients that you have someone waiting. Fake sending texts to check in. If you don't have a buddy, lie and pretend you do.

Closing Remarks

In summary, there are a lot of things you can concern yourself with if you want to keep your identity separate from your persona. On the other hand, the world is the safest it's ever been, and sex work is becoming increasingly destigmatized. Chances are you could follow none of the advice in this guide, and you'd still be safe and anonymous. However, with a small amount of effort, you can make it drastically more difficult for someone to identify you.

If you disagree with anything here, if you have additions or suggestions, or if you want clarification, you can email me at heartsucker@autistici.org.

In the mean time, have fun and stay safe.