Am I Actually
Anonymous?

Anonymity and de-anonymisation are always a matter of odds and populations. Every attribute you reveal, even if irrelevant in isolation, adds up to every other to reduce the number of people it could be referring to. This post tries to find out, given only what this website discloses at the time of writing, how many people in the world could actually be me.

What this site discloses

The site does not give you much to play around with: it does not state a surname, a country, a city, an employer, and there is no photo. What it does show, or at least lets you believe (come on, does everyone really lie on their CV?) is the following:

• First name: Victor
• Surname initial: M
• Job: cybersecurity, specifically in product security and compliance
• Education: Master's in Cybersecurity and some Engineering degree (what kind of engineering? that should not be much information, right?)
• Career start: approximately 2016
• Languages: English and Spanish at native or bilingual level. "Others" (possibly more) are mentioned as a hint only. There could be two more, there could be more.
• Technical profile: C, C++, Python, pentesting, LLM security, hardware
• Domain: victorm.eu, implying European registration, as it should only be done from the EU (I am sure this can be faked but why would I?)

Each of these is a variable, a factor that may or may not be statistically independent. But together, they stop talking about a generic profile.

The Probability Funnel

The methodology here is simple compound probability that uses what is called quasi-identifiers in privacy literature. They are not unique identifiers, but each of them narrow down the population enough to become unique identifier, in a process called "re-identification".

All population figures below use either publicly available data or conservative estimates (so the real k-anonymity is likely smaller than calculated here).

What an Adversary Could Do Next

An anonymity set of five is pretty weak. Now, a moderately motivated privacy attacker with some OSINT knowledge could take some small little detail and make that figure collapse to one.

I am not going to give you the details you need to re-identify me. But many things can be done, and they would probably work.

The Paradox of the "Anonymous" CV

There is an inherent contradiction in publishing a professional CV pseudonymously. The entire point of a CV is to let people know what you know, who you are, what you can do. This means every added detail that makes you look more impressive, every uniqueness you share that makes you stand out from the crowd, also makes you more identifiable. The more complete your CV is, the less anonymous you are.

In the k-anonymity model (Sweeney, 2002), a dataset is considered k-anonymous if every individual is indistinguishable from at least k-1 others. A k-value of 1 means you are uniquely identifiable. Based on this analysis, this site likely has a k-value of around 5 or less, and given that adversaries with access to one additional data point would close the gap entirely... yeah, it's me, hello there.

Conclusion

I wrote this analysis about myself - an odd exercise if you ask me. I do not think I made a mistake publishing this site, I would not have pubished it if I did. Pseudonymity serves a legitimate purpose: it reduces exposure to your casual Joe, while still allowing people who have received the link from me to know what I do. And also allowing that to very motivated privacy attackers, which I assume is going to be no one.

What I really wanted to showcase is that the illusion of anonymity is dangerous. If I believed I was truly anonymous here, I might feel safe, make statements or disclosures that I would not want linked to my identity, and end up in a sticky situation. I am not safe, but I know it.

Never mistake pseudonymity for privacy.

Let's now talk about you: How anonymous are you, really? Check out this page. And, probably, do not use "do not track", they use it to track you as "one of those freaks".