Creating Virtual Identities Guide

Introduction to Virtual Identities

Anonymity and non-attribution are key principles for conducting open source research on the Internet given the importance of avoiding the disclosure of identifiable elements of the investigating individual and organization to a third party. As such, students or staff should never use their own personal accounts and profiles to conduct contextual or threat research on social media sites. Instead, they should use virtual identities. You may have heard “virtual identities” being referred to as “burner profiles” or “throwaway accounts.”

We have documented some best practices for creating these identities given privacy, security, and ethical concerns. These practices evolve as platforms change and malicious actors use “fake accounts” to abuse or attack users.

!!! info “Definitions” Members of the open source investigation community, led by UC Berkeley’s Human Rights Center, are attempting to standardize vocabulary for virtual identities and its components. The Human Rights Center uses the following definitions:

  • Virtual identity: A false online identity that is used to conduct secure online activities for intelligence and investigation purposes on social media platforms and other websites that require users to log in to access content.
  • Virtual account: A private account on an email or messaging service, database, application, or website that uses one’s false online identity rather than one’s real life identity.
  • Virtual profile: A public-facing profile on a specific social media platform or website that uses one’s false online identity rather than one’s real life identity.

Before You Begin

You should have a documentation system for managing virtual identities. You will need to create multiple accounts; some of these might not be frequently used yet still require “maintenance.” We offer an example worksheet that describes much of the information you will need to create a new identity.

Risk Assessment

The first step in creating a virtual identity should be performing a risk assessment or conducting a threat modeling exercise. What do you intend for your virtual identity to protect? From which threats?

Will you need to use the profile to engage with content (liking, retweeting, commenting) or accessing semi-public groups? Your answers will affect whether you need a new virtual identity and how much effort you should put into creating and maintaining one for this investigation or in the future.


Here are some guidelines for account creation that we have consolidated from previous work. Again, each of these will depend upon your risk assessment and are subject to change across platforms. You should consider and document these elements of your identity before you start creating a persona on any platform.

  • Do not assume the name or identity of a real person.
  • Select a name that is either very generic or unique.
  • A name may provide clues about the person’s origins.
Personal Information
  • Gender
  • Age (date of birth): Remember not to use your real date of birth.
  • Nationality
  • Birth location
  • Residence
  • Occupation
  • Employer: Avoid using organizations that are easy for others to verify whether an individual works there.
  • Interests: Avoid interests that might make your profile the subject of an investigation such as terrorist or criminal content.
  • Hobbies
  • Most social media platforms and website registration require an email address to set up a profile.
  • While Proton Mail provides more anonymity, some platforms may suspect you are not authentic and ask for more identity verification.
  • The email address can be a variation of your identity’s name or something more random.
  • Create an email account, preferably with a provider known for security.
    • Do NOT give away your real phone or email address if you’re asked.
    • First option (easier): Open an email account on or
    • You may be asked for a second email (recovery email).
    • For added privacy from the email provider, open a ProtonMail account using TOR (https://protonirockerxow.onion/).
Phone Number
  • Using a VPN or TOR during account creation might cause you to be prompted for a recovery phone number. Try instead connecting using commercial or public internet.
  • If you still do need a phone number:
    • Google Voice if in US
    • Twilio has international numbers
    • Don’t ask us about “burner phones” or SIMs – that’s beyond the scope of this document.
  • VPN: What is the appropriate location to gain access to the information you need?
  • Device(s) Used: Does your identity primarily use mobile devices or desktop?
  • Operating System(s)
  • Browser (s): Which browser should your identity use?
  • Browser Plugin(s): Are there certain extensions that would be a “red flag” for some identities?
  • Computer clock: In which timezone should the virtual identity’s computer be? Is this consistent with the VPN?
User Behavior
  • User’s Time Zone: Similar to computer clock, the browser and platform may also need to configured for the appropriate time zone.
  • Time of Day when Active: When would your identity be actively browsing the web?
  • Use of scripts: Should your virtual profile use automation or bots?
Profile Information
  • Usernames: Choose usernames that are a variation of your identity’s name, email address, or something more random.
  • Passwords: Passwords should be long, strong, and unique for each account / profile. Do NOT reuse passwords as tempting as it may seem for a virtual profile. Why not?
  • Security & Privacy settings: Enable 2-Factor Authentication (2FA) for your accounts to keep your investigation data more secure and to possibly protect your account from being deleted by the platform. In general, you should adjust privacy settings to their most restrictive setting.
  • Creation date: Document the creation date for all profiles and accounts.
  • Do not use pictures of real people due to privacy and ethical harms.
  • Do not use your own picture.
  • Avoid human-like images or altered human faces: Even computer-generated images typically offer one angle and are currently easy to detect as fake.
  • Profile pictures can be landscape photographs, sports teams, music bands, or cat photos.
  • Consider banner images as well.

Identity Maintenance

Your intent should be to make your profiles look real upon first glance and a longer second look. Secondly, you should try to keep your profiles alive, especially as realistic profiles take some effort and should look like they’ve existed for some time.

  • Create a regular schedule for logging in, posting content, or changing profile information.
  • Check email accounts for notifications from the social media platforms. These may concern suspicious login activity, requests to change passwords, authentication requests via email or phone, or requests for official ID cards.
  • Recheck your privacy settings regularly.
  • Reassess the needs and risks associated with the virtual identity. If there’s no longer a need for an account which has already beeen used, you might delete the identity and its accounts and profiles for the sake of safety and efficiency.