How do I protect my identity when creating a pseudonymous email address?

Obviously I must create an alias which is different from my real name and use a private email provider and a VPN recommended by PrivacyGuides. But I think there are more levels to this. I need an email account which can send and receive mail.

Below I list the various options, ranging from more convenient to more private:

  1. Set up a pseudo-ID email alias within my main real-ID email account.
  2. Set up a separate email account dedicated to my pseudonymous identity.
  3. Set up a separate email account and a separate email client dedicated to my pseudo-ID (or rely on accessing email through a (different) browser).
  4. Block non-Tor network traffic from the separate pseudo-ID email client (or rely on Tor Browser to access email).
  5. Set up a new Tor-only device for the pseudo-ID email account.

I will now explain why I think each level may provide an enhanced buffer against de-anonymization. I am no privacy expert, so I hope that people here can correct me if I am wrong. Really, I hope that 1 or 2 will be enough, but I’m afraid that may not be the case.

  1. Set up an email alias from my main email account.

  2. Set up a separate email account dedicated to my pseudonymous identity.

a. If I create an email alias from my main email account, then anyone who works for the email provider of my choosing, or anyone who hacks into their data, will be able to link my pseudonymous account with my real ID account.

b. Even if I use only my initials in my real ID account, my email provider has access to any emails except for those which are transmitted between the same provider, for example, Proton to Proton or Tuta to Tuta. Personal details will be included in these emails.

c. In addition, I am concerned that there is metadata transmitted when I send emails, which could be used by recipients to link an email from my real-ID and pseudo-ID to the same account? I do not understand the technology underpinning email, but wonder if the same pieces of metadata which allow email providers to exchange emails and to analyze them in the spam-detection process would also allow an adversary (an external party, not my email provider) to tie my real and pseudo ID accounts together?

  3. Set up a separate email account and a separate email client dedicated to my pseudonymous identity.

Following from 2c, except the logic applies to the metadata required for email client communication, rather than email provider communication. In other words, I am concerned that it is possible to associate my real-ID account and pseudo-ID account through some kind of identifier transmitted when I send/receive mail from a shared email client?

  4. Block non-Tor network traffic from separate email client.

Following from 2c and 3, I read that email providers can see the IP address of incoming mail. I do not understand if this is the IP address of the sender (me), or the IP address of the email provider (e.g., Proton). If it is the IP address of the sender, then Tor seems necessary to ensure the IP address of real-ID and pseudo-ID mail does not correspond to the same location.

  5. Set up a new Tor-only device for the separate email account.

To prevent the real-ID and pseudo-ID from being tied together, if the device is hacked.

The function of my pseudo-ID is a legal one, so I am not concerned about a court order requiring the email provider to de-anonymize me to the authorities, nor do I need to consider option 5. But I do want to protect myself from de-anonymization from either rogue hackers or staff in the company wanting to identify me. Must I avoid option 1? If I do go ahead with option 1, does one email provider have an advantage over others in ensuring an association between my real and pseudo ID is not leaked? Is anything further than option 2 overkill/paranoid?

Regards,

First off, very well thought out post; you’ve clearly put a lot of thought into this, which I applaud. The main flaw I see here is that you seem to be thinking about things in terms of “more protection” vs “less protection”, which isn’t the best way to go about things. You should define a threat model like PG recommends and then tailor your email strategy to suit that threat model.

For number 1, this is mainly to prevent correlation between different accounts by the services themselves. So let’s say you make a Walmart.com account and an Amazon.com account. They’re not going to be able to tell you are the same person if you use email aliases bc they don’t have access to your email provider, all they have is the address itself.

For number 2, this would prevent both your email providers from likely being able to tell you’re the same person (as long as there are no links to each other, like a recovery email for example).

Number 3, we’re trying to prevent the email clients now from being able to correlate your email accounts. I’d say an alternative would be to simply use a client that doesn’t sync anywhere, or just use the browser clients that most email providers have.

Number 4, you’re trying to prevent correlation based on IP address, or potentially prevent someone like a government entity that could subpoena your ISP from being able to correlate your real identity with your email accounts.

Number 5, you’re looking at completely separate devices, so anyone that could potentially have physical access to your devices might be your threat here. Or malware, like you said.

I disagree with your identification of my flaw. I do have a threat model: I’m trying to protect my real identity from people interested in my public pseudo identity. I must operate a publicly available email address for this pseudo-identity. My potential adversaries are people who do not like my pseudo-identity, and I do not know who these people may be. It is possible they will include hackers who will use the metadata tied to my email account to de-anonymize me, or staff members of my email provider who will use their access to my account data to leak my identity. Extremely unlikely, but possible.

I am in the process of tailoring my strategy in response to these possibilities. But I am missing the following information to make an informed decision:

  1. Are there safeguards within email provider companies to prevent employees from accessing and/or leaking the relevant account data, namely the various aliases operated under a single account? Is there a particular company I can trust more than others in this regard?
  2. Is it true that all email content is stored with zero access encryption, meaning it is impossible for staff to access the contents? I am unsure how it is possible to do this and filter out spam.
  3. Is it possible for a random member of the public (who does not work for an email provider and/or government) to exchange emails with a (pseudo-ID) email address, and thereby collect metadata which could be used to link the target (pseudo-ID) email address with another (real-ID) email address, which is operated by the same individual? For example, they may share encryption keys, or an identifier associated with a shared email client. In other words, I need to know the comprehensive difference between an email account alias and a different email account, from a privacy standpoint.
  4. Are IP addresses relayed whenever an email is sent, as suggested here (https://www.wikihow.com/Trace-an-Email) (I don’t understand this webpage in the context of private providers, but it is hugely relevant) and in various email providers’ info pages, which say they use IP address info to identify spam? Well, they must be considering this. But which IP address? The IP address of my email provider, or the IP address of me (or my VPN)? Seems like an important privacy threat, particularly in my situation.
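
The header questions raised in this thread (which IP address a recipient sees, and whether a shared email client leaves an identifier) can be checked on your own mail by sending a test message from each account to a mailbox you control and comparing the raw headers. The script below is an added example, not part of any post: the three messages are constructed samples, `ExampleMail` and all hostnames are hypothetical, and which of these headers a given provider or client actually emits varies and has to be verified per setup.

```python
import re
from email import message_from_string

# Constructed sample headers (not real mail); IPs are documentation ranges.
# Assumption: the first two were sent from one desktop client over SMTP,
# the third through a provider's web interface.
REAL_ID = """\
Received: from [203.0.113.45] by smtp.provider-a.example with ESMTPSA
Message-ID: <a1b2c3@jane-laptop.local>
User-Agent: ExampleMail/115.3 (X11; Linux x86_64)
From: Jane Doe <jane.doe@provider-a.example>
"""
PSEUDO_SAME_CLIENT = """\
Received: from [203.0.113.45] by smtp.provider-b.example with ESMTPSA
Message-ID: <d4e5f6@jane-laptop.local>
User-Agent: ExampleMail/115.3 (X11; Linux x86_64)
From: Night Owl <nightowl@provider-b.example>
"""
PSEUDO_WEBMAIL = """\
Received: from mailout.provider-b.example (198.51.100.7) by mx.example.org
Message-ID: <9f8e7d@provider-b.example>
From: Night Owl <nightowl@provider-b.example>
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def fingerprint(raw):
    """Header values any recipient can read that describe the sender's setup."""
    msg = message_from_string(raw)
    ips = set()
    for name in ("Received", "X-Originating-IP"):
        for value in msg.get_all(name, []):
            ips.update(IP_RE.findall(value))
    clients = {v for n in ("User-Agent", "X-Mailer") for v in msg.get_all(n, [])}
    mid = msg.get("Message-ID", "")
    host = {mid.rsplit("@", 1)[-1].strip("> ")} if "@" in mid else set()
    return {"ip": ips, "client": clients, "message_id_host": host}

def shared_identifiers(raw_a, raw_b):
    """Return the identifying header values two messages have in common."""
    a, b = fingerprint(raw_a), fingerprint(raw_b)
    return {k: sorted(a[k] & b[k]) for k in a if a[k] & b[k]}

if __name__ == "__main__":
    print(shared_identifiers(REAL_ID, PSEUDO_SAME_CLIENT))
    print(shared_identifiers(REAL_ID, PSEUDO_WEBMAIL))
```

An empty result only means these particular headers do not overlap; it says nothing about what the provider itself logs on its side.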