Ask HN: Is it still conceivable to remain an anonymous developer nowadays?
I am a seasoned systems architect and developer, now retired. While I was tempted in the first few weeks of my retirement to just turn the page and let it go, I remembered how much I used to enjoy writing small utilities for my own daily workflows. A year ago, I asked my fellow forum members (a Mac-dedicated one) if they would like to beta test some of my applications (and oh, they did). I got high quality feedback I would not have gotten elsewhere. I kept striving to answer their feature requests and today many of my first beta testers are insisting that my applications have outgrown the private beta.
I was caught completely off guard by FinderFix (https://synappser.github.io/apps/finderfix/), the first application I'm opening to public beta, making the top row on Reddit a couple of weeks ago. This sudden limelight is both an opportunity and a challenge.
I am not complaining. Any publicity is good publicity and I got this kind of genuine enthusiastic feedback: "OH MY GOD! Bro you’re a god sent. Thanks man I love this app. Also that Cmd + X for cut/paste. Oof so good!".
I however cherish anonymity and I laud the Internet for allowing me to enforce it. I am thus publishing my software under a pseudonym (a pen name, if you prefer) with a free Apple Developer Certificate. How long will I be able, with Apple's current Gatekeeper policy, to preserve my anonymity if I were to turn this hobby into a real business, albeit a small one?
For more context, please refer to a couple posts of mine (a manifesto of my core ethos):
http://synappser.github.io/blog/
I guess this is a tough question to answer, unless you're an Apple insider, but I'd really appreciate any guidance you could give me.
Thank you
152 comments
[ 2.7 ms ] story [ 234 ms ] thread(Oh, you said "trustworthy". My bad...)
12 years ago doesn't really qualify as "nowadays".
The only way you could remain (externally) anonymous and comply with all the AML/KYC and other legal, corporate and service requirements (including taxation, etc) would be to have a company with a nominee director.
The jurisdiction is better because it has more features, and those features are applicable to a broader audience. Additional features = better, less features = worse. You don't have to chose any specific feature of the jurisdiction yourself, like forming an anonymous corporate entity. You can [typically] form one that gives out all of your information in those places too.
EDIT: seems you still have to disclose UBOs for IRS, banks, subpoenas, etc with these "anonymous LLCs" - unless you also use a nominee
There are about 3 or 4 levels
1) anonymity to the public and search engines
2) anonymity to the app store platform and most of the private sector
3) anonymity to the state, banking and legal
4) anonymity to intelligence community
the business entity as I described satisfies 1) and 2).
its not really clear to me that a nominee director legally satisfies 3), AML has always required decision makers and ultimate beneficial owners (UBO) to be the ones that financial institutions have records of, and the IRS requires that the UBO report it on their tax. If your criteria for 3) does not require strict adherence to legal, then there are plenty of other things you can do as well.
and if you aren't needing to list on "App stores" or use financial institutions, then 3) isn't necessary at all
Anonymity to the general public is very easy, incorporate a company behind some of the shell corporation mumbo jumbo that any corporate lawyer can prep for you, it will cost $ but it will be easy.
Anonymity from Apple could probably be pulled off by incorporating in a country with fairly weak transparency and having the company owned by an offshore trust.
Anonymity from a state level actor would be pretty hard. You'd have to have a shell corp in a foreign country owned by a shell corp in another foreign country and even that might not be enough.
Compromised windows computers are listed by postal code on some market places.
This will pass practically all flagging on the transactional side.
(You can still use a company you formed as well, and DUNS number, for the public listing on the app store)
Not really that complicated.
to: developer@gmail.example.org
from: billy-joe@3rd-grade.nowheresville-elementary-schoole.edu.us
subject: FinderFix
I demand you integrate FinderFix with TikTok and Discord IMMEDIATELY - or I'll come over there and rape your family and pets!!!llII!!1!!
However, many professionals in the tech space and elsewhere have online work that is intimately connected with their day job--and may even be part of their day job. In that case, anonymity is not really an option.
https://daniel.haxx.se/blog/2021/02/19/i-will-slaughter-you/
SQLite developers were receiving phone calls in the middle of the night, so decided to change temporary files prefix:
https://github.com/mackyle/sqlite/blob/3cf493d/src/os.h#L52-...
In both cases, their libraries were used in some other software, which upset users.
Suddenly he got accusations and threats from a person from a completely different country, because that person thought he was the brain behind the crypto scam where they lost some money. He had to take it to the police to get that person stop threatening and harass him.
My information is pretty locked down, but my family was less so. They started to get threatening phone calls. Very unpleasant stuff.
Anyway, that's when I learned that credit isn't worth the hassle of harassment.
So if multiple thousand folks know you exist, prepare for some stalking.
I'd say "totally impractical/impossible for regular individuals".
As James Mickens so eloquently put it:
If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https://. If the Mossad wants your data, they’re going to use a drone to replace your cellphone with a piece of uranium that’s shaped like a cellphone, and when you die of tumors filled with tumors, they’re going to hold a press conference and say “It wasn’t us” as they wear t-shirts that say “IT WAS DEFINITELY US,” and then they’re going to buy all of your stuff at your estate sale so that they can directly look at the photos of your vacation instead of reading your insipid emails about them. -- https://www.usenix.org/system/files/1401_08-12_mickens.pdf
Some of us enjoy cosplaying extreme privacy nuts, or engaging in recreational paranoia. But don't for a minute kid yourself into believing you stand a chance against the NSA (or your jurisdiction's equivalent).
The best way to be anonymous to those agencies is to be irrelevant to them
And to make sure that everybody who has the same name as you also stays irrelevant to them... And that nobody ever uses your name as an alias and does anything "relevant" to them.
"“A senior administration official who spoke on condition he not be identified said Kennedy was stopped because the name ‘T. Kennedy’ has been used as an alias by someone on the list of terrorist suspects.” A number of media outlets carried the same version of the story.
Of course, “Ted” Kennedy’s real first name is Edward, and would appear as such on any ticket or identification documents, so why the senator’s name should set off alarms, even if a ‘T. Kennedy’ appeared on a “no fly” list, is a mystery that has not been explained.
The New York Times reports a different story: “The alias used by the suspected terrorist on the watch list was Edward Kennedy, said David Smith, a spokesman for the senator, who uses his full name, with a middle initial, of Edward M. Kennedy.”"
https://www.wsws.org/en/articles/2004/08/kenn-a21.html
I think (but am not sure) that you can use them (for now) to sign a macOS app that you distribute from your own download somewhere, and Mac uses can download your apps and click through the "Yes, I trust apps signed with that Satoshi Nakamoto certificate" dialog and install them.
[0] https://synappser.github.io/downloads/ [1] https://support.apple.com/en-gb/guide/mac-help/mh40616/mac
Opening a small company could probably be ok to preserve some sort of basic anonymity (meaning, it takes a variable but not negligible amount of effort to understand who the owner is).
You can then get a business checking account (Mercury works well) with your newly registered business.
You can then create a business account on Apple and Google (and anywhere else).
All of the public facing information will be your company name. If you want more details or help, just ask here.
Congress passed a bill with rider a that now makes the creation of anonymous LLCs difficult.
https://thehill.com/policy/finance/467017-house-passes-bill-...
https://maloney.house.gov/media-center/in-the-news/congress-...
https://corpgov.law.harvard.edu/2021/02/04/the-end-of-the-an...
[1] https://www.propublica.org/article/the-secret-irs-files-trov...
Making money completely anonymously, without reporting this to the IRS and state tax authorities, at least in the US as a US citizen, is and should be illegal. But still seems pretty straightforward to stay anonymous on the front end.
Making it so no one can make the connection is much harder (as in close to impossible) and probably illegal in many cases especially if money is changing hands.
All for-profit companies doing business in the United States have always been required to report to the IRS and state tax authorities. There's never been a way to make money anonymously short of simply not filing with IRS (definitely illegal). This new law doesn't change or improve upon that in any way.
Prior to the bill being passed, one could set up a shell company in Nevada without giving away one's name. With the passage of this bill, one's ownership in an LLC is kept in a registry by a government agency for the sole purpose of surveillance. There's only as much "privacy" from the general public as there is the likelihood that the Treasury's servers are secure. And there's absolutely none from the members of the US government.
There are purposefully installed concessions that were requested by certain entrenched interest groups. For example, a company employing at least 12 people won't have to report anything. And the fact that the bill was a rider on a veto-proof legislation shows the substance of it wasn't quite popular enough to devote a legislative session towards the issue. It's little more than a privacy buster under the guise of an anti-corruption bill.
What have you tried that didn't work?
Basically the lawyer is the CEO/“Owner” but since you pay them to do exactly as you say, they delegate everything back to you and just sign forms occasionally that you put in front of them.
A guy who writes utilities to make his Mac work exactly the way he wants it to, should avoid Apple.
Brilliant!
:facepalm:
Then if you would want to accept donations or payments, anonymity is only possible with cryptocurrencies and cash-by-mail. The easiest one (anonymity wise) is Monero and the most popular one is Bitcoin.
Can we just stop with the "Bitcoin is anonymous" bullshit here?
Anybody here is smart enough to know better, so it just earmarks you as another fucking crypto-shill.
bitcoin is losing value. It's really not a hedge against inflation as you propose. As more people need what little money they have leftover from losing it in bitcoin, they'll pull the remaining fraction of their savings out and reduce the price of bitcoin. The price is just barely above $20,000 now. Most miners are running on fossil fuels consuming electricity greater than that of countries. You need to get a grip because your ponzi scheme is collapsing.
https://www.nbcnews.com/tech/crypto/bitcoin-falls-fresh-18-m...
For a period of record low inflation excluding 2021 and the current year? Sure. During 2021 and 2022? Only price falls for Bitcoin.
> Most miners are running on stranded, excess renewable energy that can't be used for anything else.
Bullshit. There is opportunity cost to this electricity use, and it keeps fossil fuel power plants open longer than they would have otherwise been. I don't think you need me to tell you how big of a crisis climate change is.
https://www.nbcnews.com/tech/tech-news/bitcoin-miners-align-...
https://www.wsj.com/articles/bitcoin-miners-are-giving-new-l...
https://www.theguardian.com/technology/2022/feb/18/bitcoin-m...
https://hbr.org/2021/05/how-much-energy-does-bitcoin-actuall...
https://news.climate.columbia.edu/2022/05/04/cryptocurrency-...
https://abcnews.go.com/Technology/wireStory/bitcoins-puzzle-...
https://www.washingtonpost.com/business/energy/bitcoin-is-re...
Sounds like you have a problem with fossil fuels and the subsidies that exist for them. I suggest you direct your anger there instead of trying to police what calculations people choose to do.
And don't work. They were revealed to be useless way back when the Magic The Gathering Online Exchange crypto grifters pulled the first high profile scam, and they got hounded through all the "mixers" anyway. Chainalysis has been able to see straight through "crypto mixers" for almost a decade. (Yeah, there are probably way that right now you can't track bitcoin through other crypto currencies and back into bitcoin, maybe... But we are now a long long way from "good advice to an old guy who want to sell macOS utilities anonymously")
Pretty irrelevant here but for your fucking information, with significant expert effort, Bitcoin *can* be also anonymous against big actors.
Each address is a random pseudonym. A wallet is a collection of pseudonyms but it's secret that they belong together. Except network analysis can infer that some of them do. Pseudonyms are persistent, can't "change them", only transfer coins out of the pseudonym to a different one, i.e. log a transaction.
Care to point to Satoshi’s real identity since anonymity in Bitcoin is bullshit?
The only weak points are exchanges. The OP can decide how anonymous they want to be - complete anonymity would imply not exchanging to fiat at all.
I don't disagree that most of them are not practical for a rando developer who wants to be anonymous, but I'm still annoyed at "the only weak point is...".
Anybody can start a new crypto wallet and receive funds into it, and then make transactions and keep that value on-chain to remain anonymous. There are a number of anon devs in the Ethereum ecosystem doing just this.
With enough effort your IP might be traceable if you do something like mint a token from a compromised website. But advanced methods also exist to break anonymity in systems like Tor, VPNs and cash which we often consider to have strong properties of privacy and anonymity, and to this nobody would refute as “bullshit.”
It's a common misconception that macOS forces all software to be signed by Apple. It doesn't. ARM Macs require all software to be signed, but crucially, any signature is OK at the kernel level. It's only at the first-run-from-finder level that Gatekeeper gets involved. This has been true from the start and I've seen over the years scattered comments from Apple developers that they view the Mac as a true general purpose computing device, and thus have no plans to change this. The ramped up signing requirements on ARM are more to do with simplifying the core OS by ensuring all code has an identity than stopping non-Apple approved software.
If you think users should trust you despite your anonymity then you can simply point them to Apple's official documentation on how to work around Gatekeeper:
https://support.apple.com/guide/mac-help/open-a-mac-app-from...
The process is straightforward if you know about it:
1. Download a self-signed or unsigned app.
2. Locate it in the finder.
3. Hold down the control key and right click it, then choose open.
4. Click open when the security alert appears.
Most people think you have to use the command line to open non-signed apps on macOS but it's not actually the case.
To self-sign an application you can generate certs using the Certificate Assistant in the Keychain Access app, or use OpenSSL from the command line. Then sign as normal. The fact that the cert doesn't come from Apple means Gatekeeper will ignore it, but, allows the app to run on ARM and ensures the OS has a stable identity it can use for assigning permissions across upgrades.
It's actually either Ctrl-click or right-click.
I don't understand your absolutist viewpoint here. Can you really not imagine a non-nefarious situation in which someone might not want to associate themself publicly with their work?
Let's say your side project is for a political party. Then, two years later, you apply for a job and the hiring manager is from a different political party, and has strong views on the matter. You don't get the interview.
Just fucking wow. There are whole bunch of totally valid reasons why one would want to be anonymous. It is ok to refuse to deal with such person / entity but to blame them in such terms is highly insulting and totally incompetent.
</rant_on> Just as an aside, if you see a person on the internet, it is incredibly rude and infantile to comment on their physical appearance, unless those comments are specifically solicited. Comment on their profession, hobby, art, or whatever else the business or site is about, but nobody gives a crap about your opinion on their looks, their clothes, their eyes, etc... Grow up and keep your teenage fantasies to yourself. </rant_off>
I launched on HN yesterday and it went #1. You might find that discussion [2] interesting as people were discussing the feasibility of working pseudonymously.
[1] https://anonfriendly.com
[2] https://news.ycombinator.com/item?id=31755025
I wanted to create a fully digital individual. My goal was to go from end to end. I bought (in cash) a prepaid credit card. I used said prepaid credit card to sign up to the VPN, paying for 3 years - under the assumption the card is burned. With said VPN I created a paid for email account with a trusted service (not gmail or office). I used said email to sign up with a VOIP provider, to receive a telephone number that could receive SMSes.
Then, I signed up for a twitter, and a domain. Use the above to set up a corporation with nominee shareholders in the jurisdiction of your choice, same with bank account. Congratulations - you can now buy your certificate.
Now, using the funds of the corporation do everything above again - such that you're able to tie the corporation's CC to the outcomes.
There's a lot more - but this is a reasonable start.
This may be illegal where you live. At the very least, depending on how you use the above there are tax implications.
I'll caveat this by having only experience of this from my own European country of residence, which had to put this regulation in place due to EEA requirements.
https://developer.apple.com/forums/thread/91459
A debit card debits from your account. A credit card requires the bank to extend you credit.
How are you anonymous in this case? It doesn't seem like the VPNs are gonna make any difference if the government still knows exactly who you are when the tax man comes knocking.
It all comes down to what you mean by anonymous/pseudonymous. Do you mean that a determined investigator/the government couldn't track you down? Or do you mean that a casual user doesn't know your real name? The latter is pretty easy. The former is almost certainly quite a bit harder (and more expensive) depending on jurisdiction--and may not even be possible if the government in particular is serious enough.