Correlation Between Communication Time and Behavior Patterns
In anonymity, not only what you sent, but also when you communicated is important.
Even if communication content is encrypted, the time a connection occurred, communication volume, connection intervals, posting time, and real-world activity time become clues.
For example, if an anonymous post appears immediately after an event at a certain site, and communication came from a specific network during that time period, the set of possible people narrows.
This article organizes how communication time and behavior patterns relate to anonymity.
Communication Time Creates the Outline of Behavior
Communication time means the time or time period when communication occurred.
Time relates to web access, posting, login, file sending, message sending, connections, connections, DNS queries, and similar actions.
Time information
What can be seen
Caution for anonymity
Connection start time
When communication happened
Compared with real-world behavior
Communication volume
How much was sent or received
A clue for inferring file sending or video viewing
Connection interval
Regular behavior
Habits or automated processing are visible
Posting time
Public activity
Overlaps with real-name activity or real-world events
VPN connection time
Use of an anonymous environment
The ISP side can see VPN usage time
Time information alone does not identify a person.
However, it becomes an axis for comparing with other logs.
Time Remains Even With Encryption
HTTPS and TLS are important for protecting communication content.
However, they do not completely erase when communication occurred, how much communication there was, or which IP address was connected to.
Information
Hidden by encryption?
Explanation
Page body
Protected in transit
Protected by HTTPS
Form content
Protected in transit
Reaches the destination service
Connection time
Not hidden
The occurrence of communication is observed
Communication volume
Not hidden
Data-volume tendencies are visible
Destination IP
Not hidden
Needed for packet delivery
Encryption and anonymization are different.
Even if communication content cannot be read, the fact and timing of communication become separate clues.
It Connects to Real-World Behavior
Communication time connects to real-world behavior.
When communication occurs in the same time period as commuting, class, work, meetings, events, on-site participation, movement, lodging, payments, or entry and exit records, the set of possible people narrows.
Real-world behavior
Correlation with communication time
Caution
Immediately after a meeting
Looks as if a participant posted anonymously
Wait before posting
At an event site
Being on site overlaps with posting
Also look at location information and photos
Commuting time
A travel route is visible
Watch for posts at fixed times
After a night shift
Work pattern is visible
Combines with job information
After a school class
Students or teachers are narrowed
Do not mention grade level or class names
When posting anonymously, posting immediately after an event is a strong clue.
The more immediate and vivid the writing is, the stronger its link to the time also becomes.
It Overlaps With Real-Name Activity Time
When the activity times of an anonymous account and a real-name account overlap, they begin to look like the same person.
Posting on the anonymous side a few minutes after posting on the real-name side. Reacting to the same topic on the real-name side immediately after writing a long post on the anonymous side. Both accounts moving during the same break time every day.
Overlapping behavior
What can be seen
Countermeasure
Alternating posts
Looks as if the same person is switching accounts
Separate time periods
Simultaneous reactions to the same topic
Interest and time match
Separate topics too
Same idle periods
Daily rhythm matches
Check with long-term history
Posts after the same event
Looks as if the person was in the same place
Put distance from the event
Even if you separate accounts, correlation remains if the behavior times are the same.
Communication Logs and Posting Times
Logs related to communication may remain with web services, VPNs, ISPs, workplace networks, school networks, routers, and DNS resolvers.
Log contents and retention periods differ by environment, but time is an important axis in many logs.
Observation point
Time information that may be visible
Caution
Destination service
Posting, login, request times
Connects to an account
ISP
VPN connection or external communication times
Communication content is a separate issue
VPN provider
Connection times and server-use information
Check policy and log management
Workplace or school network
Device communication times
Watch for administrative logs
DNS resolver
Query times
Clues to destination domains
For anonymity, think not only about one log, but also about multiple logs being compared by time.
Ways to Reduce Time Correlation
Time correlation cannot be completely erased.
However, strong correlation can be reduced.
Countermeasure
Reason
Caution
Do not post immediately after an event
Weakens comparison with real-world behavior
Blur the content timeline too
Do not alternate with real-name activity
Reduces account correlation
Separate topics too
Avoid posts at fixed times
Makes daily rhythm harder to show
Scheduled posting is not a cure-all
Consider the publication destination in high-risk cases
Avoids broad public spread
Choose consultation paths carefully too
Shifting time alone may not be enough.
If only a few people know about the event, candidates remain even if you blur the time. In that case, rethink the content, publication destination, and consultation path.
Limits of Scheduled Posting and Delay
Scheduled posting or posting after waiting can help weaken time correlation.
However, it is not a cure-all. Creation time, draft save time, login time, reply time after posting, and content specificity remain.
Countermeasure
What can be weakened
What remains
Scheduled posting
Match between publication time and daily life time
Creation and reply times
Waiting before posting
Impression of being immediately after the event
Specificity of the content
Changing posting frequency
Fixed rhythm
Long-term topic correlation
Delaying replies
Online state
Personal information in reply content
Time measures should be considered together with content measures.
If you write the details of an event as-is, people involved may understand even if you shift the time.
Be Especially Careful With High-Risk On-Site Activity
In protest activity, reporting, field investigation, preparation for whistleblowing, and similar situations, communication time can easily connect to real-world behavior.
You need checks such as not posting from the site, not reacting immediately after moving, checking photo capture times and backgrounds, and not alternating with real-name behavior.
In high-risk on-site activity, do not decide based only on an article; you may also need to consult trusted support contacts or specialists.
Summary
Communication time and behavior patterns are important clues related to anonymity.
Even if communication content is encrypted, connection time, communication volume, connection intervals, and posting time remain.
These may connect with real-world behavior, real-name accounts, VPN connections, workplace or school logs, and records held by destination services.
If you publish anonymously, check not only what you write, but also when you communicate, when you post, and which behavior it overlaps with.
To reduce time correlation, it is important to avoid posting immediately after an event, avoid alternating with real-name activity, and avoid rushing reactions after publication.
Treat time as part of public information too.
Related articles
Network
Correlation Between Communication Time and Behavior Patterns
Communication time, volume, intervals, posting time, and real-world activity can correlate with logs and narrow anonymity.