When thinking about anonymity, people often focus on IP addresses and s.
However, login state can become an even stronger clue.
Using . Using a VPN. Deleting cookies. Using a separate browser.
Even then, if you log in to a real-name account, that activity connects to the account.
Login state can weaken anonymity very quickly.
Login is a state that identifies the user
Login means that, from the service side, the user is treated as "the person who owns this account."
Many kinds of information are connected to an account.
Email address. Phone number. Past posts. Payment information. Shipping address. Contacts. Login history. Device information.
Even an account that does not display a real name may have information behind it that connects to the person.
Information
Effect on anonymity
Email address
Connects with a real name or other services
Phone number
Becomes strong identity-verification information
Payment information
Connects with personal information
Past usage history
Behavior patterns are visible
Contacts
Relationships are visible
Login history
Connects with IP addresses and time
Login is not just a convenience feature. It is a state of identity verification.
A service you are logged in to does not only see the name displayed on the screen. It handles the account ID, registration email, phone number, login history, device, cookies, session, payment, and past usage history. Even if you think you are browsing anonymously, if you are logged in, that activity is recorded as account activity.
Searches, browsing, likes, saves, follows, inquiries, purchases, and form submissions are especially tied to accounts. Even if you do not write your real name, login state itself is strong identifying information.
VPNs and Tor do not remove it
VPNs and Tor change how the source IP address appears.
However, they do not remove the account you are logged in to.
For example, suppose you log in to a real-name social media account in Tor Browser. To the destination, the connection appears to come from a Tor exit node IP. However, the service side knows that "this account logged in."
The same applies to VPNs. Even if the source IP changes to a VPN server, the service you log in to can see the account information.
Hiding an IP address and removing the connection to a person are different things.
This is a very important distinction for anonymity. VPNs and Tor change how the communication route appears. However, if you present your account to the destination service yourself, that service recognizes the account.
For example, if you log in to your usual email in Tor Browser, the email service treats it as a login by that account. If you log in to a social network through a VPN, the social network still retains account activity. Hiding the communication route and cutting service-level identity are separate measures.
Switching in the same browser is dangerous
Switching between a real-name account and an anonymous account in the same browser is dangerous.
s, , history, saved passwords, extensions, and browser settings mix.
Operational mistakes also happen.
Posting from the real-name account by mistake. Searching for anonymous activity from the real-name account. Opening real-name email in the anonymous browser.
Anonymity failures happen through these everyday mistakes.
In the same browser, both technical mixing and operational mistakes happen. Technically, cookies, localStorage, cache, extensions, saved logins, notification permissions, and download history remain. Operationally, mistakes happen such as choosing the wrong posting destination, using the wrong account for a search, or selecting a real-name account from a share menu.
For activity where anonymity matters, separating only browser tabs is weak. At minimum, separate browser profiles. For high risk, also separate OS users, devices, networks, and usage times. Decide the depth of separation according to the risk.
Logout alone may not be enough
Logging out does not necessarily make things safe.
Even after logout, cookies, localStorage, browser history, cache, and saved extension information may remain.
Depending on the service, some identifying information may still be used after logout to recognize the same browser.
When anonymity is needed, do not rely on logout. Separate real-name and anonymous environments.
Logout is the operation that ends the current session. However, it does not necessarily delete every identifier or history item left in the browser. If you conduct anonymous activity in the same browser after logout, saved passwords, autofill, extensions, and notifications may expose information from the real-name side.
In anonymous activity, look not at "whether you logged out," but at "whether you are handling it in the same environment in the first place." Not mixing environments becomes the most basic defense.
Operations to avoid
During anonymous activity, avoid the following operations.
Opening real-name email in the browser for anonymous use
Logging in to your usual social media in the browser for anonymous use
Logging in to an anonymous account in the browser for real-name use
Leaving notifications enabled on the same device
Switching between multiple personas in the same browser
Searching for information about anonymous activity from a real-name account
Login state is a central risk for anonymity.
Basic separation rules
To reduce failures caused by login state, make the boundary between real-name use and anonymous use clear.
What to separate
Reason
Browser
To avoid mixing cookies, history, and saved logins
Email address
To avoid connecting through recovery or notifications
Phone number
To avoid sharing strong identity-verification information
Cloud
To avoid mixing files, photos, and sharing history
Notifications
To avoid showing real-name notifications on the anonymous screen
Search behavior
To avoid linking real-name history with anonymous activity
If you operate an anonymous account separated from the real-name side, simply changing the account name is not enough. Separate the services you log in to, recovery methods, notifications, file storage, browser, and device use. How far to separate them depends on the threat model, but keeping real-name login and anonymous activity out of the same flow is a basic requirement.
Build a habit of stopping before login
If a login screen appears during anonymous activity, you need the habit of not entering information immediately. Is that account on the real-name side or the anonymous side? Where do the recovery email and phone number connect? If you log in, is it acceptable for browsing or posting to remain on the account?
Many failures happen when people are in a hurry. They want to view a document, check a DM, retrieve a file from the cloud, or react on social media. If you log in to your usual account on the spot, anonymous activity and the real-name side connect.
What to check
Reason
Which environment it is
Do not mix the real-name browser and anonymous browser
Which account it is
Check whether it will be recorded as real-name-side behavior
Recovery destination
See whether email or phone number connects to the real name
Notifications
Check whether real-name notifications will appear on the anonymous screen
Storage destination
See whether files or history will remain in the real-name cloud
Login is a convenient operation, but for anonymity it is an operation that crosses a boundary. Stopping before login can prevent many kinds of mixing.
Summary
Login state greatly weakens anonymity.
Even if you change the source IP with a VPN or Tor, logging in to a real-name account connects the activity to the account.
Email addresses, phone numbers, payment information, past history, contacts, and login history are connected to accounts.
To protect anonymity, it is important not to mix real-name accounts and anonymous activity in the same browser, on the same device, or during the same time period.
Do not rely only on logout. The environment itself needs to be separated.
Related tools
WebRTC Leak Test
BrowserLeaks WebRTC
An external resource related to this article. Open it only when it fits your situation and threat model.
Why it is listed: It can help with the article topic, but it is outside Anonymity Sense and should be checked before use.