134 comments

[ 4.3 ms ] story [ 368 ms ] thread
> I usually delete comments, threads, or other content I put up on the internet after it has served its purpose. That means for example deleting my Reddit comments after a month or two, keeping my email inbox near empty (in case it gets hacked), deleting old accounts, and similar things.

This seems a bit extreme to me.

Why keep things around that serve no purpose? Companies have retention policies for this reason - anything that is retained is a potential liability, so unless it’s legally required it’s better to delete and destroy as soon as it is not needed.
They serve a purpose. You may never have as many eyes on it besides the few days after it was posted but it breaks a lot of historical conversation, especially on sites with useful information/solutions.
The sooner the public loses faith in Reddit and Twitter, the better. Making their archives seem deserted or abandoned helps. I was not going to leave over a decade's worth of my content on those sites to benefit them.
Deleting comments, ugh, please don't do this :( If you must, make a throwaway account instead. It sucks to find a thread that promises to solve a problem you have, but when you go there critical context is missing due to deleted comments.
Looking at you, Reddit...
stylometry is far too strong
Deleting protects you against stylometry (and further identity detection)?

Ha! Wishful thinking with all of the auto-archivers. If you post on reddit, it's likely already crawled and archived somewhere.

It is not great, but it is better (if you wish to not be identified) to keep it in fewer perhaps non-public or poorly indexed archives. The internet does forget, sometimes.
That the internet never forgets is a myth. It forgets surprisingly quickly and I think will only accelerate. Sure, someone may have a copy of something somewhere, but discovering it via any search engine is impossible.

Personally I put a lot of PHP and VB code out ~20 years ago that I could find easily until I couldn't. There's Myspace profiles I've tried to pull up, images posted by friends 15 years ago in random places. Early video. All gone.

I generally agree. It depends how Internet famous you were, how hard a person looks, how common your name is, whether there's something specific you're looking for about a person. But, yeah, I'm willing to bet that a lot of random casual searches wouldn't turn up some Internet scandal/controversy around a non-famous person unless you really knew what to look for.
I agree, although trends for whether this is becoming more or less the default is not quite as clear in my mind. On one hand, the sheer mass of content being generated every day has become exponentially larger (I wonder if this has begun leveling off at all?), so there’s more to index and presumably more noise with which to conceal a signal. On the other hand, data science has progressed, storage media is cheaper, and everything is much more accessible; As a result creepy services like LexisNexis, Palantir, and TLOxp have all become vastly more sophisticated in their ability to retain and analyze data that they can pretty effectively associate with specific people/organizations.

I’m not sure which factor is more influential—the ability for data to persist, or the ability for it to then be found and interpreted. Would it matter if the content was still available in some forgotten corner of the internet if there weren’t effective tools available for finding it and connecting it back to its author?

It’s actually sort of entertaining to test the limits of this on yourself. I tried to find original media and references from a band I played with circa 2002. We were being ambitious with our publicity efforts, and consistently pumping audio, video, and images onto whatever nascent services were available at the time (from memory I can recall CD Baby, LastFM, Craigslist, miscellaneous forums, and towards the end, MySpace). I had already been designing websites for several years by that point, so we had a website, one that wasn’t just a Geocities/Anglefire template. That said, I am pretty sure that was at the height of my career with Macromedia’s Flash and ActionScript, so no real surprise that it didn’t get Archived in any functional form.

One strategy that my own experience has found quite effective is to avoid using unique or unusual identifiers. If you’re named something like Arthur Dent it is going to be considerably more difficult to find and associate information than if you’re name is Zaphod Beeblebrox. That’s obvious, but it extends to everything else, from usernames to product brand preferences—if you stick to the middle of every given bell curve then your needle will necessarily reside in a much larger haystack. The few things that tend to be unique, at least when correlated with things like timelines or location—things like telephone numbers, email addresses, usernames, account numbers, etc.—can usually be effectively obscured one way or a another. The things that can’t (government ID numbers) then become crucial to keep private. Except, at least one of those creepy services (TLOxp) was built by one of the three main credit rating agencies and so almost definitely has your social security number already, and has been attaching it to all manner of data for several years, all while also selling it off to anyone with a budget (not to mention losing it outright to hackers), so any concerted efforts to conceal oneself seems almost certainly doomed. It’d be an ideal problem for national governments to address using consumer protection laws and privacy regulations if it wasn’t also in our best interests to protect ourselves from said governments.

Sorry for the essay, this line of thought evidently yanked a pretty intertwined thread for me.

I agree with your critique that stylometry overrides throwaway accounts.

The issue is "deleting."

AFAIK, nobody's disagreeing that the internet can forget and deleting is "better" for privacy.

The question is "how much" better.

Here we're talking about the false sense of privacy through erasure when archivers should be assumed to be running everywhere and at all times. The latter weighs in favor of the parent's critique that deleting is not constructive.

launder your style through ChatGPT

I wonder if one could hook up a browser extension to do this

Launder it by freely giving it to a large-scale data vacuuming/surveillance operation?
(comment deleted)
Using a local LLM could work just as well if all you are doing is asking it slightly change existing text. The concept itself paired with a throwaway account(s) seems to be better than other alternatives like just deleting everything.
>> stylometry is far too strong

> launder your style through ChatGPT

> I wonder if one could hook up a browser extension to do this

It seems totally feasible. Though I think it would be far more interesting to make a purpose built anti-stylometry tool, that explicitly tries to analyze for and mute the signals stylometry uses.

Edit: what I'm talking about is apparently called "adversarial stylometry":

https://en.wikipedia.org/wiki/Stylometry#Adversarial_stylome...

https://en.wikipedia.org/wiki/Adversarial_stylometry

> All adversarial stylometry shares the core idea of faithfully paraphrasing the source text so that the meaning is unchanged but the stylistic signals are obscured

Having an LLM rewrite a comment would do this entirely, no?

Are you just interested from an academic perspective how one might build something more surgical, that only changes some words in a comment?

> Having an LLM rewrite a comment would do this entirely, no?

> Are you just interested from an academic perspective how one might build something more surgical, that only changes some words in a comment?

Yes and no. ChatGPT seems like a blunt instrument, and given it's not purpose built, it could miss certain characteristics that could enable identification.

Also LLMs kind of have their own style, and adopting that particular style is likely self-defeating to getting a message out (e.g. I would tend to ignore something that sounded like it was written by ChatGPT). Manual correction then be needed, but it would be hard with such a system, because I think that would tend to re-introduce the author's style.

"... purpose built anti-stylometry tool, that explicitly tries to analyze for and mute the signals stylometry uses."

Just mention a "devil strip" in every post and call it a day.

Stylometry can link long-lived identities, but can't do much if every throwaway only posts a couple of comments. There needs to be enough content to analyze. Especially if the overall community is large, like Reddit.
assuming that you don't accidentally use a totally unique idiosyncrasy of yours in one of those comments
Is there no automated way to defeat stylometry? Software that rewords and restructures writing so that it becomes unattributable? AI should be able to do it.
[deleted]
I can't overstate how much this reflects my thoughts. Perhaps a bit wordy in your response, but the points are spot on. The internet stops here!
One of the best internet's comment and I can't read it, because it has been deleted
[deleted while explicitly holding all other thread participants with perpetual contempt]
Users should own their comments and should be able to delete them as they see fit. Sites like Reddit should not be used as a permanent or reliable source of information.
The person you're replying to didn't say they aren't allowed to, they asked them to please not because the comment might be useful to others.
I'm making a tangential statement only somewhat related to the comment above it. Personally I don't like that sites like Reddit claim ownership of and make profit from user generated content. I think people should delete their comments and move to a more open and free platform.
The user should be free to move and delete anything

The problem is while the user is moving the comments are not, only deleted

Which will probably damage another user more than hurt reddit

Besides the user might delete things that would be interest read years later

>Reddit claim ownership

Should be mentioned the rights are retained by the user. Reddit only gets license to reproduce that content and allow others to do the same. Although also being perpetual, irrevocable, it's similar to ownership cannot say they're the same thing.

Still up to the writer
Useful to others because they search reddit is fine (even though I disagree with Reddit's app policy). Useful to OpenAI to train ChatGPT and dispense as wisdom people pay for?

I can totally respect someone trimming all their online footprint to avoid that.

Despite the hubris and stupidity of Reddit's management, it's still a longer lived repository of information than most people's blogs or web forums. It's also more accessible than mailing lists, Discord, or other social media sites. It's far from perfect but at least it exists.
A lofty ideal, but unpragmatic if you actually care about privacy. You have no control over how information disseminates once you publish it. You must assume it'll remain on the Internet forever. Even if you assume the existence of first-party deletion tools, third parties like Internet Archive or (in Reddit's case) PushShift can choose to preserve it.

If you want to retain your online anonymity, you have to be thoughtful about what you share online.

There's one kind of privacy where someone has an archive of all reddit comments ever and looks you up.

There's another kind of privacy where your cousin sees your reddit user id and looks up your comment history and finds out you are [_____insert secret here___].

Deletion of your history is a protection against the second kind.

Welcome to HN where you can't delete your comments after a very short grace period.
I can't imagine Voltaire claiming any right to be able to delete a pamflet. I think we need to have forgiveness baked into our social layer more, so that forgetting isn't the default.
I delete my comments on reddit because it's such a toxic place. Trolls will read through past comments and twist them to harass even more. I purge all my comments that have low upvotes and leave the ones other people find useful. But a lot of the time downvotes don't mean you are wrong or said something mean, it's the just stupidity of the masses or other people being mean. It's a love/hate relationship with that site.
Somehow, I can't imagine how HN is any better. Reasonable comments are mass-downvoted when people disagree with you on seemingly hot button topics - blm, vaccines, musk, trump, immigration, lgbtq etc. I know many people who had to create new accounts because of this.
Merely being downvoted isn't a form of harassment. The worst people on Reddit will DM you vile shit/threats and stalk you across various subreddits if they think you're a person worth targeting (particularly if you belong to one of those so-called "hot button" marginalized groups). Meanwhile HN doesn't even have a DM feature.
If you express a reasonable opinion that is even mildly positive, or even ambivalent about musk or trump you get mass downvoted, and people assume you completely lack integrity. I have seen this exact behaviour on HN for years, and the mods do nothing, and the bad-actors are often the long-term users with tons of karma. I'm not into conspiracies so I won't speculate as to the reasons.

Anyway, that in and of itself doesn't bother me - The parent was trying to present a "holier than thou" attitude towards Reddit. I merely pointed out that HN is not all that great when it comes to that.

I assume people downvote you about Musk and Trump because they disagree with your takes and think you're not contributing anything interesting to the discussion. People are allowed to downvote. What would you propose mods do in that situation?
Honestly, "everyone" knows there are acceptable boundaries of opinion in a lot of circles generally--including this one--that even nuanced takes cannot cross without bring out the knives. By and large, it makes sense to accept that and move on. You likely won't change anyone's mind and you'll just get upset.
Sure, someone could have a bad take, could be simply wrong, or simply have a different opinion. Why do you assume that I cannot differentiate between them?
>mildly positive, or even ambivalent about musk or trump you get mass downvoted, and people assume you completely lack integrity

With the amount of time musk and trump have had in the spotlight and the awful shit they've objectively actually done, it should make people question your integrity if you are writing positively about them. Like it or not, downvotes are an expression of disapproval.

Most elections are about electing the least-bad person. Bush started wars, Biden/Obama dropped bombs on civilians (even US citizens), tortured detainees, trump.. well we all know what trump did. Most voters either voted for biden or trump, both have done "awful shit". Every politician has done "awful shit".

If you can't find a single positive impact of trump's (or any politician) policies or a single positive thing musk has done, consider that you maybe be in an echo chamber yourself, or you're just deluding yourself into thinking you have some kind of moral high-ground.

Love how you oversell "Biden/Obama" as having dropped bombs on civilians while just handwaving away "we all know what trump did". Be more specific, maybe? Trump created an insurrection and tried to dismantle democracy itself, which seems far worse than accidentally dropping bombs on US citizens - let's be clear, Biden was VP at the time, not president, but you put Biden first? lol, you're so clearly trying to skew everything you wrote in all kinds of ways.

You're practicing whataboutism here.

>If you can't find a single positive impact of trump's (or any politician) policies or a single positive thing musk has done

A broken clock is right twice a day. So let's let broken clocks rule and profit as much as they want regardless of the consequences, I guess? That's what you're advocating for. trump and musk have very dubious ideologies, they are both awful businessmen that treat their employees like shit. They've proven this over and over. And yes, there is moral high ground and these two are not in the same category morally as many other politicians and business people. Your whataboutism doesn't make them seem any better than they actually are to anyone but yourself.

lol I also like when people trot out the "Obama did bad stuff too!" talking point as if the non-establishment left isn't in full agreement there.

Like, yeah dude. You think me being pissed that Obama didn't close Guantanamo is a sign that I'm going to be more sympathetic about Trump's policies? Come on now.

exactly this, well said. If Obama actually committed crimes while in office I'll listen to the evidence with an open mind, sure go after him. The right want to give trump a free pass for insurrection. There's a huge difference between the two mindsets, and I can't not call out anyone for still supporting him that happens to cross my social-media path. I'll use downvotes, too. I'm not going to do nothing while actual US fascism creeps upward, not sure what the parent commenter expects.
Thanks for proving my point. Goodbye.
trump was absolutely the biggest "we told you so" in the entirety of human history. Everyone paying attention knew how that would end.

But sure, he did nice things for the most wealthy and practically nobody else but himself. There, I said he did a good thing. lol

In alot of reddit you're can't post with a throwaway
Really? Only thing I've noticed is you appear to be auto-shadow banned when using a VPN.
There are subreddits with karma requirements (for good reasons, sometimes, like preventing brigrading or trolls.)
The valuable lifetime of a comment to me is short. If someone else sees value in it, then surely they would pay me to keep it around longer?
sounds like your note-taking & web-clipping need an update. spend some time figuring it out.
I'm sorry but those things will not help when you discover a thread after the person deleted it
Just use a name and username of someone else that's well known enough. Not like famous, but someone that shows up in enough search results.

So that if someone tries to search about you, they are buried in all the noise and data of the other person.

Or take it one step further and use a PURDAH

https://www.reddit.com/r/nealstephenson/comments/czw5og/fall...

You mean the pre-election period in the United Kingdom between the announcement of an election and the formation of the new elected government? Or a religious and social practice of female seclusion prevalent among some Muslim and Hindu communities?
That's sort of security by obscurity though. As soon as someone gets a few IRL data points, anonymity can break down pretty quickly.

Personally I mostly don't bother and will use a throwaway if I really feel compelled to post some comment I wouldn't want to be linked to me. (I know even that isn't foolproof but the threat model is mostly not wanting a statement attributed to me professionally--not hiding a crime.)

Another tip: for online purchases, use privacy.com virtual credit cards.

(Did you know when you use PayPal, sites can see your email, name and address?)

I kind of want the site to have my name and address so they know where to send my goods.

Of course, for digital purchases, your point is completely valid.

Are you saying that privacy.com also creates fake names and addresses for the purpose of charging? I always assumed it was just another number in your name. (never used this service, but it does seem useful)
You can type any name or address and privacy.com will accept the transaction.

Security rests more on pausing/resuming cards, locking them to vendors, or setting price limits.

Well, yes. How else will they mail the <useless junk> you ordered to you?

It does annoy me that paypay doesn't let me enter custom email addresses to give the merchant. I've had to change my paypal email address several times now due to stores selling it to spammers.

I haven't seen spam in decades. What are you doing wrong?
Shopping at scummy web stores that accept PayPal.
Besides that, make sure - your systems are not hackable (at least not easily). Use firewall, proxy server, vpn, or something like that.

Is your phone trackable with something like Pegasus? Although, an average Steve does not have to worry about that.

> Temporary credit cards With privacy.com, Revolut, Klarna, and similar services one can generate virtual credit cards. This is mostly for when you don't trust the website owner or the payment provider.

There are other reasons, unless you construe "trust" very broadly. Services that make it unreasonably difficult to cancel your account: you just cancel their credit card (and of course stop using the service).

You can also force an annual renewal, to prevent them from automatically renewing you.

And lastly, you can set a dollar limit on it, to avoid mistakes and "automatic" increases.

> you just cancel their credit card (and of course stop using the service).

IANAL, but I have always heard that when you do this you have not broken the legal contract obligating your payment. In practice, especially for modestly priced services, the strategy will usually work. But in theory they could come after you legally for the money if you do this. It might be a real concern for very expensive services.

I would like to have this confirmed by a lawyer, though.

This always comes up when I mention privacy.com. It's always a theoretical possibility. No one's ever shown a case where that actually happened (and it's never happened to me). People also say, "oh, but they'll ruin your credit rating."

You couple the card cancellation with a message to them demanding they cancel your account. Just imagine a credit card collection company agreeing to come after you, when you made a good faith attempt to close the account.

Merchants can apparently do a "force post". Privacy.com's help page [1] says:

> Broadly speaking, merchants only resort to force posts when they are faced with the potential for serious loss as a result of fraud. For instance, if you rent a car and don't return it, having a limit on a card or closing the card does not absolve you of the responsibility to return or pay for the car, and the merchant can force post the charge.

[1] https://support.privacy.com/hc/en-us/articles/360012288214-F...

Unless they can levy your income or put a lien on your assets, they can "come after you legally" all they want, but can't force you to pay. I think this is the general problem with small claims court as well -- you may win your case, still doesn't magically collect your money.
Asking a lawyer if there's a risk is like asking a barber if you need a haircut.
AFAICT, here's what actually happens if your credit card is declined. I'd love to have someone who works on that type of software correct me:

They send you an email saying, "please update your payment information." Because this happens every day. Hey, sometimes the restaurant tells you your credit card was declined, when it's perfectly good.

That email is followed by another, saying your account is suspended. At that point, they might give you an option to cancel, OR they might forward you to the same impenetrable UI that led you to do this in the first place.

In any case, you'll most likely be cancelled with no further repercussions. Yes, bad things could happen, but they don't. YMMV.

I do most of the same things. My "randomized emails" all use my personal domain, so it's trivial for people who have access to the email to know it's me, but probably not trivial for dumb ad networks to link my accounts back to me.

The one bit of leaked identity that really bugs me is my phone number. So many services require a phone number for text notifications and 2-factor auth and there's not good way (that I know of) to generate a random phone number that still works.

Google Voice?
Most services can detect and block VOIP numbers like Google Voice.
I've had my number with GV for years and get plenty of SMS delivered and sent, even with services where I never explicitly asked to use SMS as a 2FA or a method of contact. I guess my service providers don't care enough to block it.
Did you get the number from GV, or port into GV from a standard carrier?

If the former, then you're the first one I've come across who's able to do so. Facebook/Google/Twitter/Microsoft etc. all block VOIP numbers. The providers you use probably aren't hit with enough malicious activity for them to care about it.

Firefox Relay offers "randomized" phone numbers along with its emails: https://relay.firefox.com
This is fantastic, thanks for sharing
I was under the impression that relay's phone number masking is voip (similarly to google voice). In my experience, many signups do not allow voip numbers.
"join the wait-list"
> My "randomized emails" all use my personal domain, so it's trivial for people who have access to the email to know it's me, but probably not trivial for dumb ad networks to link my accounts back to me.

This bothered me as well, so I bought a completely unrelated domain to create a new trust ring. I'm sure you could link that domain back to me if you are buying information from a data aggregator, but at least that way I have the satisfaction of knowing people had to pay for the privilege ;)

> The one bit of leaked identity that really bugs me is my phone number. So many services require a phone number for text notifications and 2-factor auth and there's not good way (that I know of) to generate a random phone number that still works.

Ugh, yes. I had an old phone number that I moved to Twilio & set up SMS forwarding that used to work, but everyone seems to use phone verification APIs to block VOIP numbers.

Mandatory phone number has become the latest plague. Not only the phone number is mandatory but many sites now pretend to 2FA without user enabling the setting - or even worse, don’t use password and only send codes via SMS.
Most services that require a phone number don't use it for anything. Unless I know they're going to be texting me about something, I just type random digits.
That hasn't been my experience. Most services that demand a phone number lock you out if you don't cough one up, and reject VoIP and temporary service numbers. Some of them even reject prepaid numbers now.

Microsoft recently extorted my cell number out of me so I could keep using my paid for minecraft account.

The plague of banking and financial instutions ONLY allowing/forcing the use of SMS 2FA should be illegal. It's way more common than it should be.
It's amazing how quickly 4chan often doxes someone who believes they are operating online anonymously. I think most of us remain anonymous online, only because nobody cares enough to figure out who we are.
(comment deleted)
They way 4chan normally doxes are pretty much thwarted by the basic methods mentioned here. 99% of the time it’s to trace the same username/email address across sites and link that to a person aggregator or Facebook/LinkedIn.
(comment deleted)
I think this can lull people into a false sense of security, and I don't think the author realizes how easy and powerful stylometrics is. E.g. the author says this:

> Spelling/grammar/phrasing > If there are words you often misspell, people can Google it to find other sources where you make the same error (if it's uncommon enough) and potentially identify your other accounts. Use spell checking and maybe Grammarly or similar to minimize this risk, but I tend not to worry about this too much.

It's not just about misspellings, it's that we all basically leave fingerprints in the way we write.

You're not wrong and I assume it will become even more powerful--but it's almost certainly way more effective if you have reason to believe that throwawayxyz is so and so IRL.
Time to start laundering all of our online posts through GPT I guess.
I wonder if privacy conscious people will eventually start feeding their posts into locally-run LLMs or something, and posting the output.

Or better yet, replace social media with LLM’s, instead of reading individual posts you discuss topics with a sort of artificial gestalt average user. Maybe let people “join” a gestalt by tagging their discussions.

Then we can let the gestalts argue amongst themselves!

I assume any anonymous surveys at work that roll up through my management chain aren’t anonymous at all. My manager will get responses from only ~10 people and my writing style will be unique within that small sample size.
Password managers help a lot. Site asks for a birthdate? Whatever I choose to enter goes in the password manager. My mother's maiden name? I guess I can reveal publicly: it's fgjlh%ngf9, so into the password manager it goes.

My password manager offers to generate a password for me; I wish it would offer to generate those other fields as well.

Turns out you can fuzz your address too when validating a credit card. Autofill should handle that.

>Turns out you can fuzz your address too when validating a credit card.

My experience is that only your ZIP code is used, not your street address or city.

There are levels. To authorize usually only billing zip is required. For a full ACH or a “full authorization”, you need the full billing address and name to match name on card. PCI-DSS.
It depends entirely on the merchant and what checks they have enabled. Some people like authorize.net may even lower your fees/bills if you require stricter address verification for example.
> My mother's maiden name? I guess I can reveal publicly: it's fgjlh%ngf9, so into the password manager it goes.

Echoing: never actually answer security questions. Always treat them as additional (super annoying) passwords.

If you do, at least give them a misleading but coherent response (my first pet: grandma).

I've bypassed my own bank's security questions by telling them "the answer to 'my favorite ___' is a bunch of gibberish letters and numbers."

Good tip, thanks
KeepassDX allows you to create and copy/paste custom fields which could be used for security questions (on Android).... It doesnt generate random strings for them thought
A password manger helps with keeping up with which fake names/DOBs you used if you need to reset the password/recover the account or whatnot.
The one thing I don't see mentioned in this article is using encrypted DNS. Right now I use firefox on my PC and Opera on my phone because both browsers have a setting to use encrypted DNS. I just turn it on and forget about it. I tend to use a lot of networks other people own and I like making sure my DNS queries are encrypted.
Getting a commercial mailbox (e.g. UPS Store) in the same zip code as your primary residence can be helpful. I've had one long enough that on my credit report it is listed as an alternate residence address. Whenever I'm asked for an address online, that is usually the one I provide.
that serves no purpose in anonymity whatsoever
Yes it does. It muddies the waters with false positives.
Wouldn't this be a true positive?
Semantically speaking, I guess so. It's just a proxy address. Maybe it's you, maybe it's someone else with your name. Who can tell?

The point is to not be found. People showing up at any address that isn't your actual home address aligns with that goal. Registering it in the same ZIP code is self-doxxing though.

It's an innocuous form of synthetic identity fraud. If you really want to be anonymous, do pre-applications for credit cards and utilities in your name at other people's addresses then abandon them. One case I worked had a guy doing this using AirBNB hosts' addresses. His profile had him supposedly living everywhere all at once. This had the benefit of mapping to actual homes instead of The UPS Store when Googled.

Throwaway accounts and fake names for everything as much as possible, as well as a fake address or a paid PO Box if a real one is needed.

Not using the same accounts between services, and distorting real details like city.

Seems to work pretty well. I'm pretty invisible based on my own research.

1. do not use any extension, believe me they acquire all your browsing history from all tabs, no extension no worry, only use those that have higher users but review their permission 2. use enhances protection this will save you from most of the time. makes sure do not store password on google , write them on paper no social media login from same computer. do not click on any ad and website, especially in email do not use your email to sign up on different sites, use disposable
I don't know to what extent this person goes to hide their legal name, but with public records, its fairly easy to find your residence if you own a home or some other property.
Tor, Tails, surfing from an open WiFi, VPN, encrypted emails, etc These things are usually outside my threat model.

Can anyone break this down? If a person were concerned enough to follow all of the steps listed in the article to stay anonymous, why not also use a VPN or Tor as an additional layer that can thwart many types of tracking and provide additional risk mitigation?

tor/vpn/proxy by itself does not provide adequate anonymity. creepjs proves that ALL browsers are unique (even TBB) if someone just probes the right bits.
I don't disagree with you, except browsing creepjs from Tor Browser it says there have been hundreds of visits with my fingerprint since June (when the 12.5 series was released).
creepjs proves it is absolutely impossible to be anonymous when visiting more than one site from the same browser, regardless of your IP/network/VPN/proxy/etc.

Even the Tor Browser doesn't fully mask your OS (javascript functions still return the real thing), making anything but Windows (what the majority uses) impossible to use for any real privacy if you're trying to blend in.

This entire list will soon be obsolete as AI will link all your accounts by just giving it some of your text input.

I believe I saw an experiment of somebody doing this for HN content with a pretty high accuracy? Project that idea into the future.