Identity is not guaranteed on the Internet

Identity Isn’t Guaranteed

Creating an identity on the Internet or impersonating somebody else is often just a matter of a few clicks. Currently, there is no foolproof way to match a real person with their online identity. This means that you can never be sure with whom you are communicating, and that someone could steal your online identity and impersonate you!

Our Advice

Before you share any information online, consider what you would be risking if the other party wasn’t who you thought they were.

How It Works:

Our trust that we have correctly identified another person in the physical world is based on sophisticated but usually unconscious procedures for matching and verifying behavior, voice, and appearance, developed over eons of evolution. On the Internet, user information is often limited to a name, an email address, and perhaps a photograph, but trust is often given if these forms of identification match our expectations.

However, each of these identifiers is easily forged: photos can be copied and edited, names can be made up, and even email-sender addresses are not guaranteed by the standard email protocol, SMTP — they can be spoofed. Most social-networking sites lack a solid mechanism (like those used by banks) to verify identity, so it is only safe to assume that any identity can be faked. Furthermore, passwords can be stolen, cracked, or coerced out of someone, and accounts can be broken into through “password recovery questions”; this means that an arbitrary person can use that account and thus assume an identity that had previously been verified and deemed trustworthy. A resourceful person or entity can verify an online user’s identity using more complicated mechanisms (see: There’s No Anonymity), but these require specialized technical knowledge and/or time and computing resources that most people don’t have.

Identity theft is thus another example of how you can lose control over information you thought was private (see: Sharing Releases Control), either by someone breaking into one of your accounts, or by you sharing private information over the network with an online persona that you think is held by a close friend.

What Could Happen? Real-World Stories:


Manti Te’o, Lennay Kekua Hoax: Notre Dame Statement Claims LB Was Victim of ‘Cruel Deception’

Are You Also Exposing Your Private Parts to Strangers on Facebook?

‘I Am Not the Person I Was Made Out to Be’: Father-of-Two’s Life Ruined Twice

What You Can Do About It:

Use Your Imagination:

  • Always think about whether an online identity matches the physical person based on their behavior, language, and knowledge of shared context. If something feels wrong, don’t trust that the online identity is (still) who they say they are — even if you’ve previously verified it to your satisfaction.

Get the Facts:

  • When signing up for a new app or service or buying something from an unfamiliar company, do a search for the name first to make sure it’s legitimate. (If it’s not legitimate, an alert will often turn up in the top search results.)

Choose What You Use:

  • Use digital signature mechanisms to check identity for semi-important communications or transactions, and use non-Internet means of communication to verify identity for really important communications and transactions.

Keep Account Information Secure:

  • Use secure passwords, and different ones for different sites. Consider the importance of the information the site has about you. What is the worst-case scenario?
  • Keep credit card numbers, birthdays, social security numbers, and other information that is frequently used to verify identity private.
    • Be especially careful with information like your social security number that is used to verify your identity across different situations. Most credit cards are covered by legal liability limits and/or fraud insurance, and it is relatively easy to get a new credit card number. But it is much more difficult to get a new social security number — or a new birthdate!
  • Be very wary if anyone asks you for identifying information or an account password by phone, email, or instant message; most legitimate services would never contact you out of the blue and demand you verify your identity in this way. Don’t respond to the caller on the phone or by replying to the message. Instead, directly contact the Help or Customer Service department (using the contact information on the service’s public website) to ask about the issue.

How to Better Control Your Privacy — Guides:

How to Devise Passwords That Drive Hackers Away

10 Easy Ways to Protect Yourself on the Web

Where to Learn More — Related Resources and Educational Tools:

Identity Isn't Guaranteed

Our video explores why it’s hard to know who’s who online, and how to avoid getting fooled

The Carnegie Cyber Academy

Internet security lessons and games for elementary schoolers from Carnegie Mellon University

Public Wi-Fi Networks

An introductory video about using wi-fi safely

Cloudsweeper Email Audit Tools

Cloudsweeper tools show how much someone could get if they hacked your email

The Privacy Game

An educational online game from OpenLearn

Cómo usar las redes wifi públicas

An introductory video about using wi-fi safely (Spanish)

What Do You Think? Discussion Questions:

  1. Can you tell if a Facebook or Twitter account with the name of a celebrity is really them? How many Paris Hiltons are there on Twitter? Do dead celebrities really tweet?
  2. Can you tell if a Facebook or Twitter account with the name of someone you know is really them? If you recognize their photo, does that mean it’s them?
  3. How much information do you need to figure out if an online persona is really who they say they are? Are there any aspects of human-to-human communication that aren’t fakeable?
  4. Once you’ve established that someone is who they say they are, does that mean it’s safe to keep communicating with them? How can you tell whether the channels of communication you’ve been using are still secure?
  5. In a peer-to-peer network, is everyone really your “peer”?
  6. How do people create fake identities on the Internet? Why do they do that?
  7. What’s a bot? How can you figure out if some online “person” is actually a bot?
  8. How could someone hack (get into) your accounts? What could they do if they did?
  9. Why do you need to have all those complicated, hard-to-remember passwords, anyway?

What People Are Saying — News, Commentary, and Research:

If You’re Collecting Our Data, You Ought to Protect It

The Manti Te’o Hoax: What Is ‘Catfishing’?

Internet Saint or Online Demon?

Our New Resources for Teachers: "Identity Isn't Guaranteed"