So, you want to be anonymous online.
Cool. But first, what exactly does it mean to be anonymous online?
I distinguish anonymity from privacy in the post about controlling communication channels. Privacy is about controlling access to sensitive information. Online, that’s typically about what we communicate. We use end-to-end encryption (such as HTTPS, Signal and GnuPG) to protect our traffic from adversaries. But it’s also about protecting what we have, using full-disk encryption to protect our devices.
1) What Is Anonymity?
Anonymity is an aspect of privacy. And it’s about controlling access to our identities. That is, it’s about who we are. With anonymity, we can express ourselves more freely, with less concern about consequences and coercion. And if we’re anonymous enough, adversaries can’t piece together information about us, and so distinguish us from everyone else. So anonymity helps protect privacy, and circularly, it also helps protect against deanonymization.
But anonymity isn’t all or nothing. There are degrees of anonymity. I mean, it’s the goal of Tor browser for all users to be more or less indistinguishable. And so, in theory, anonymous. But in practice, that’s not possible, given that people use Tor browser on different hardware. But Tor browser is very proactive about updating itself, so everyone is at least using the same version. And there are just a few security levels, to limit diversity. And it’s also pretty aggressive about standardizing window size, discouraging additional add-ons, and so on.
But even with Tor browser, anonymity is toast as soon as we create online identities. Such as email addresses, and accounts on sites. I mean, Mirimir is not anonymous. And neither are any of the personas that I use via Tor. They’re all sort of anonymous, or pseudonymous.
Some of them are a lot like Mirimir, do similar stuff, and write in English. So they just hinder search-based linking, and provide some more or less plausible deniability. But others are very different, and never write in English. Or at least, only after a few cycles of Google Translate, through multiple languages.
In other words, anonymity, pseudonymity and privacy are distinguishable in the context of data and metadata. Privacy is about protecting data, and some metadata. To be anonymous, we must protect all data and metadata. And the degree of anonymity depends on both our goals, and our operational security (OPSEC).
Some metadata is impossible (or at least, very difficult) to hide. Local adversaries can see that we’re using the Internet, if not what we’re doing. But they can also see when we’re online, and the traffic patterns (bits/second vs time). That itself is metadata about us, that we’re people who hide what we do online. But that can’t be helped, unless we use some undetectable channel.
Still, remote adversaries ideally just see activity, with metadata that’s not associated with anyone in particular. At least, as long as we don’t create online identities, and so become pseudonymous.
2) Why Be Anonymous Online?
It helps to be clear about why you want to be anonymous online. And whether you can live with the requirements, and the consequences. Indeed, after I’ve gone on about this stuff on Hacker News, someone occasionally asks why I go to all the trouble. Sometimes I just say that it’s a hobby, or a game. And that’s true. It’s fun, and a challenge.
But fundamentally, I do all this because I value freedom.
Given all the authoritarian threats, freedom depends on privacy. And ultimately, privacy depends on anonymity, or at least pseudonymity. But still, it’s useful to keep in mind that it’s a game, where freedom is how we keep score.
3) What Does It Take to Be Anonymous Online?
Always keep in mind that it’s extremely difficult — and perhaps impossible — to be totally anonymous online. Or at least, for very long. That’s because the NSA (and some other national intelligence agencies) can intercept and manipulate traffic at so many points, throughout the Internet. After all, that’s why they’re called global adversaries.
At least some global adversaries can very likely gather basic information from traffic intercepts about all 4.5 billion Internet users. Stuff like IP addresses, ISPs, traffic logs, the use of encryption, and so on. But I doubt that they can retain all of that data for very long, or even analyze all of it substantively. Because there’s arguably just too much, and it’s distributed across too many thousands of interception devices.
So it’s likely that they must select what to retain and analyze, based on various criteria. Such as IP addresses, names, email addresses, language and keywords. Also the use of particular encryption protocols, such as Signal, GnuPG, Tor and VPNs. But not likely HTTPS, because it’s become too common. I recall reading that the NSA hasn’t been happy about increased use of VPNs for torrenting and streaming georestricted content, because dealing with it wastes resources that they’d rather reserve for serious work.
But here’s the thing. Even if they’ve retained everything required to deanonymize someone, actually doing it requires analyzing and correlating data from multiple intercepts. So it’s unlikely that they do that routinely for all information that they’ve retained. Also, it’s unlikely that they can retain even that filtered sample for very long. And so they must filter out what to keep long term, which reduces the chance that they’ve retained enough to deanonymize someone who wasn’t interesting enough, for long enough.
So if you want to be totally anonymous online on a long term basis, you want to avoid becoming too interesting to global adversaries.
And if you do want to do something that might attract their attention, or the attention of other Three Letter Agencies (TLAs, such as the FBI) that can get their help, you need to be especially careful. You must compartmentalize that activity rigorously from your meatspace (real life) identity.
Using online personas doesn’t provide anonymity, just pseudonymity. However, you can use multiple personas, which are well compartmentalized from each other, and shift usage over time. But the longer you use a persona, the less pseudonymous (and more dangerous) it becomes.
It’s essential, of course, to effectively hide your ISP-assigned IP address, without needing to trust the discretion of some third party, such as a VPN provider, or even the Tor Project. But there’s much more to being anonymous online than accessing the Internet anonymously.
All sorts of government agencies and service providers know who we are. And many identifiers interlink all parts of our lives, meatspace and online:
- passports and driving licenses
- postal addresses and landline numbers
- mobile numbers and email addresses
- bank accounts
- credit and debit cards
- social media accounts
And then there’s all the stuff we share on social media (assuming we use social media). We display our interests, and express our opinions. Also, our families and friends know us both online and in meatspace. And most of them don’t care much about anonymity, or even about privacy.
I’ve written at length about how online privacy depends on OPSEC and compartmentalization. That series covers those issues in greater detail, and contains many interesting links — but do finish this post first.
Anyway, let’s say that I gave you a box that lets you access the Internet anonymously, perfectly anonymously, against any global adversary. If you kept doing what you’re doing now — and I mean whatever it is, pretty much, unless you’re truly hardcore about anonymity — you’d likely remain anonymous (or even pseudonymous) for no more than a few minutes. Maybe a day or two, if you were careful. It might take years to catch up with you, however. For example, the former LulzSec celebrity Sabu had outed himself on IRC, many years ago, when he was first learning to hack. But it didn’t come out until he pissed off the guy who had retained logs of those chats.
Most people aren’t really aiming for total anonymity, however. For more than just reading, it’s limiting. And once you start doing stuff, it’s really hard to remain anonymous. It’s tedious to write without having a consistent style. You can’t have meaningful conversations. Once you’ve registered somewhere, or leased a VPS or server, you’ve created an identity.
So anyway, my focus here will be on “anonymous” online personas, and how to use them.
4) First Secure Your Uplink, and Hide Your Location and IP Address
I’ve already covered securing your Internet uplink and hiding your location and ISP-assigned IP address.
Bottom line, there are three key criteria:
- your setups must be effective and secure
- they shouldn’t attract attention
- there should be plausible cover stories
As @thegrugq says:
VPNs provide good cover that Tor simply cannot – “I was using it to watch Hulu videos” is much better than – “I was just trying to buy illegal drugs online”
That doesn’t necessarily mean that you shouldn’t use Tor. It’s just that local adversaries shouldn’t see that you’re using Tor or I2P. And nobody local should have any clue that you’ve ever even thought about using Freenet. Indeed, even if your OPSEC is impeccable, I recommend against using Freenet. It’s not at all hard to see stuff that you’ll never forget, no matter how much you wish you could.
5) Compartmentalization Is Key for Online Anonymity
In order to have an anonymous online persona, you must compartmentalize that persona’s stuff from the rest of your life. Any overlap creates a link. And with enough links, that persona is no longer anonymous. Obviously, you can’t use the same email addresses and online accounts. It’s risky to even frequent the same sites, unless they’re widely popular. For example, Reddit is OK, but not particular subreddits. You can be identified by your language, your writing style, and your use of slang.
It’s even risky to display the same interests, or express the same opinions. Especially if they’re uncommon. Finally, no matter what you do, don’t play sockpuppet games with yourself, because people are good at detecting that.
It’s also prudent to compartmentalize each online persona from the others. That way, if one persona gets into trouble, the damage will be limited. And so it may be enough to just stop using it. But if information about multiple personas can be connected, that can make you more interesting, and there’s a greater chance that you’ll be fully deanonymized. And even if you’ve done nothing too iffy, there’s the risk that you’ll be monitored thereafter. Some years ago, I published a series of guides about compartmentalization for IVPN.
For example, let’s say that you’re leasing a VPS, and running a Tor onion site. And let’s say that you’ve leased and managed the VPS anonymously via Tor. But you want to provide a contact email, or post to social media about the site, or whatever. If that persona can be linked to the one that you used for leasing the VPS — by email address, Bitcoin wallet, or whatever — that might be enough for an adversary to identify the VPS. Then they might compromise the site, collect data about users, go on to target them, and so forth. And that might eventually lead them to you, in meatspace. I do plan to write at length here about anonymous web hosting, with detailed instructions on GitHub.
It’s also crucial to compartmentalize operating systems. Many years ago, I published a series of guides on IVPN about using VPN-router VMs and Whonix (Tor) VMs to create nested chains, for greater anonymity. I’m now in the process of updating it, and it will include detailed instructions for new approaches that I outlined in this Restore Privacy guide.
I’ve mostly used VirtualBox for this, because it’s both straightforward and reasonably secure. There’s no doubt that Qubes is far more secure against attack, but it’s arguably no less likely to passively leak than VirtualBox, when configured properly. And it is much harder to learn.
Still, all virtualization approaches are more or less vulnerable to breakouts from VMs to host machines. And once attackers or malware can reach the host, all bets are off. If that’s a substantial risk, you can employ hardware compartmentalization. Instead of using VMs in host machines, you can use multiple physical machines, such as Raspberry Pi or whatever. You can also use multiple host machines, and segregate VMs based on desired isolation level.
6) But Lying All the Time Can Be Hard
Sharing about your anonymous online stuff with your family, or with meatspace friends and associates, is risky. So is sharing about your meatspace life with those who know you as some anonymous online persona. Both are dangerous, because people often gossip. So you may acquire a reputation, or even get doxxed.
In my experience, keeping secrets and lying is the hardest part. We all have secrets. And we all lie about them, at least sometimes. But this would be many secrets. And it’s hard to resist sharing what we enjoy with those we’re close to. We might feel dishonest, or even disloyal, in keeping secrets. People may be hurt that we don’t trust them enough to be honest. Also, we’re sometimes proud, and we crave recognition.
But that’s part of getting clear about why you want to be anonymous online. And you can at least be straight about it online. You can just blame it on your OPSEC.
However, that doesn’t work in meatspace. Because there, you want to come off as someone who doesn’t even know what OPSEC is. Because that in itself would be an OPSEC fail. But still, you need a plausible cover story, because others will wonder what you’re up to online.
7) Email Accounts and Web Browsers
Back in the day, when I was still using Windows, I worried about locking it down, to prevent excessive logging, and to prevent exfiltration of data to Microsoft. I even installed extra RAM, and ran Windows swapfiles in ramdisks. I used router rules to prevent Windows from reaching addresses for Microsoft and associated firms.
And then I gave up on Windows, and switched to Linux, which for the most part respects users’ privacy. So I no longer needed to worry about Windows and Microsoft.
But I was still concerned about using secure email providers, and securing browsers against exploits, cookies, fingerprinting and tracking. I used some Tor-based email providers, which are all gone now (along with Freedom Hosting and Freedom Hosting II). And of course, I’d never use Gmail or Chrome. I also modified Firefox a bit, and installed several add-ons. This is my current version:
- AdBlock Plus
- Canvas Defender
- Disable WebRTC
- Privacy Badger
- Smart Referer
But then I got seriously into compartmentalizing my activity into multiple host machines and VMs, and using combinations of VPN services and Tor to compartmentalize their Internet activity. And once I had done that, I no longer cared so much about preventing fingerprinting and tracking at the browser level. I still use most of what I’ve learned, but I haven’t been very interested in learning new alternatives, such as uMatrix.
For example, everything that Mirimir does is correlated, and I have no problem with that. I have a Gravatar associated with my email address. If I want to do something that won’t get associated with Mirimir, I use a new persona, in a new VM, which hits the Internet through a new nested VPN chain and Tor. That’s what keeps stuff unassociated, not some set of add-ons in Firefox.
I’ve had probably over 100 email accounts, and most are dead or abandoned. I maybe have a couple dozen that I check at least somewhat regularly. Mirimir uses Riseup, of course, and I love them like family. Otherwise, I end up using email providers who play well with Tor, such as Cockmail, Protonmail, and Tutanota. Cockmail admittedly has quite the chan vibe, and that may offend some. But they do offer some email hostnames that are safe enough in polite company (such as airmail.cc, tfwno.gf and firemail.cc).
8) Anonymity in Meatspace Is Dead
Basically, privacy and anonymity in meatspace are dead. There’s just too much surveillance.
- physical environment
- postal mail
- voice and data communications
- financial transactions
- social media activity
- government informants
We’re surrounded by cameras and microphones.
- surveillance cameras
- vehicle tag scanners
- electronic toll collection systems
- smartphones and other devices
In many cities now, pedestrian surveillance cameras are pervasive. Vehicle tags are scanned on the street, and also for toll collection on highways and bridges. There are surveillance cameras in many indoor environments: at work, in commercial establishments, and now in many homes. Also, there are cameras overhead, in drones, airplanes, dirigibles and satellites. And indeed, most of us now carry smartphones and other devices with cameras and microphones, which may be controlled by remote adversaries.
There’s also surveillance of postal mail. All mail and packages are imaged, and many are subjected to X-ray inspection. And international mail is subject to full physical inspection by customs.
All voice and data communications are likely monitored by the NSA, which may pass on leads to domestic agencies (such as the DEA, DHS, FBI, IRS and USCIS) under the SOP program. And financial transactions are subject to particular scrutiny, given concerns about money laundering and tax evasion.
And then there’s social media, where people overshare, both about themselves and their associates. Also, increasingly since 9-11, government agencies encourage people to report suspicious behavior, criminal activity, and suspected terrorism. It’s become like postwar East Germany, where about 1% of the population were reportedly informants for the secret police (Stasi).
So really, we have privacy only where we control the physical environment, and can exclude surveillance devices, and where we don’t tell others what we’re doing.
But that could get a little boring, just sitting in our bunker.
There is one option, however. Perhaps bizarrely enough, it’s only online where we can interact with others and do stuff privately, and perhaps even anonymously.
It’s true that being online requires connecting to some ISP. But at least we can use VPN services to hide content and remote IP addresses from the ISP and other local adversaries. Using unauthorized VPNs is illegal in some countries. But otherwise, it’s common enough that we won’t attract much attention.
And once we have an innocuous VPN connection, we can route stuff through it that provides stronger privacy and anonymity.
I mean, there’s nothing like anonymity networks in meatspace. We can’t routinely disguise ourselves in public. That’s illegal in many places. And in any case, it attracts attention.
But even that is limiting. Say that we luck out speculating in cryptocurrencies, or through some anonymous online business, and want some of that money to live well in meatspace. Or maybe we want a Twitter account, and need to do SMS verification. Maybe we want to buy something from a Tor darknet market. Or we want to buy some equipment in meatspace, to use anonymously online.
Any of those actions could create an additional association between our online anonymous activity and meatspace, and that’s risky. Or at least, they could flag us as particularly interesting, and lead to increased scrutiny of our Internet connectivity. And conversely, if we were already flagged as interesting, based on our Internet connectivity, that could lead to increased scrutiny of our physical and financial activity.
Moving Money Anonymously
It’s also crucial to pay for stuff anonymously. The best option is arguably still anonymized Bitcoin, because it’s so widely accepted. First you need a wallet. I recommend using the Electrum AppImage in Whonix. Each persona should have its own wallet, in its own Whonix instance.
But first, make sure to get the Electrum AppImage from electrum.org, and not from some other site, which may be serving malware. Also get the signature file, and Thomas Voegtlin’s public GnuPG key. Typically, they’ll all be in /home/user/Downloads. So open a terminal there.
First verify the signature:
gpg --verify electrum-3.3.8-x86_64.AppImage.asc electrum-3.3.8-x86_64.AppImage
You should see this:
gpg: Signature made Thu 11 Jul 2019 07:26:15 AM MST using RSA key ID 7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <email@example.com>"
gpg: aka "ThomasV <firstname.lastname@example.org>"
gpg: aka "Thomas Voegtlin <email@example.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
Now verify that the GnuPG key indeed belongs to Thomas Voegtlin. Browse to his 2016 presentation about Electrum and pause the video when his GnuPG fingerprint is on the screen. You will see that it matches the “Primary key fingerprint” in the above gpg output:
6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
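The fingerprint comparison above can also be scripted, which matters because `gpg --verify` reports a good signature for any key that happens to be in the keyring. This is an added example, not code from the original post or from the Electrum project: it reads gpg's machine-readable `--status-fd` output and accepts the file only if a valid signature comes from the primary key fingerprint quoted on this page. The sample status lines are constructed, and treating expired or revoked keys as failures is this example's own choice.

```shell
#!/bin/sh
# Added example: pin the signer's fingerprint instead of reading gpg's
# human-readable output by eye.

# Primary key fingerprint exactly as printed on this page.
PAGE_FPR="6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6"

# Strip spaces and upper-case, so it matches gpg's status-line format.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \n' | tr 'abcdef' 'ABCDEF'
}

EXPECTED_FPR=$(normalize_fpr "$PAGE_FPR")

# Read `gpg --status-fd` lines on stdin. Succeed only if there is a VALIDSIG
# whose last field (the primary key fingerprint) equals the pinned value,
# and no signature from any other key or in a bad/expired/revoked state.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" { if (toupper($NF) == want) ok = 1; else other = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { if (ok && !bad && !other) exit 0; exit 1 }
    '
}

# Run gpg on a detached signature and the file it covers.
# Status lines go to stdout (fd 1); the human-readable text is discarded.
verify_appimage() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "$EXPECTED_FPR"
}

# Constructed sample: status output for a signature by the pinned key.
sample_good_status() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 2BD5824B7F9470E6 Thomas Voegtlin (https://electrum.org) <email@example.com>' \
        '[GNUPG:] VALIDSIG 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 2019-07-11 1562855175 0 4 0 1 8 00 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6'
}

# Constructed sample: a cryptographically good signature from a different
# key that carries the same display name. gpg alone would exit 0 here.
sample_wrong_key_status() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 89ABCDEF01234567 Thomas Voegtlin (https://electrum.org) <lookalike@example.com>' \
        '[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2019-07-11 1562855175 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'
}

# Command-line use: <script> SIGNATURE_FILE DOWNLOADED_FILE
if [ "$#" -eq 2 ]; then
    if verify_appimage "$1" "$2"; then
        echo "OK: valid signature from $EXPECTED_FPR"
    else
        echo "FAIL: no valid signature from the pinned key" >&2
        exit 1
    fi
fi
```

Saved under any name and run with the `.asc` file and the AppImage as its two arguments, it exits non-zero unless the pinned key made the signature. The pinned value is only as trustworthy as the out-of-band check described above.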
If you plan to own substantial amounts of Bitcoin or other cryptocurrencies, you might want to use hardware wallets. I don’t use them, and so I can’t be of much help. But the Bitcoin Forum has a subforum about them.
Each of my personas has its own Whonix instance, containing its own Electrum wallet, and its own Bitcoin, which has been mixed multiple times, through a different series of mixing services. So basically, the Bitcoin in each of those wallets is unrelated to the Bitcoin in any of the other wallets. Also, generally only one Whonix instance is running, at any given time. And in any case, they’re arguably well enough isolated from each other, and not so easy to compromise. Keeping all that straight is hard enough, and I don’t want to add the complication of hardware wallets, which I’d need to keep track of and protect.
Anyway, privacy in meatspace is basically dead, given increasingly pervasive surveillance. So it’s arguably pointless to seek substantial anonymity while purchasing Bitcoin. And in any case, you can anonymize Bitcoin after purchase. But even so, it’s creepy to purchase from exchanges, given government reporting requirements.
However, it’s easy to find Bitcoin traders (sellers and buyers) in your country using LocalBitcoins. You can check traders’ reputations, and there’s an escrow service to reduce the risk of fraud. Interesting payment methods include:
- Other Remittance: Cash in person in public location
- Cash [deposit] at ATM
- Cash deposit: [bank]
- Cash deposit: bank deposit / in person
Another (riskier) option for finding private sellers is the Bitcoin Forum /…/ Currency exchange. And then there’s bitcoin-otc. It’s a chat (IRC) based system for negotiating trades, involving Bitcoin, other cryptocurrencies, cash, or whatever.
But then, Bitcoin is by design totally not anonymous. However, you can mix multiple times through Tor, using different mixing services. The following mixers were working in January 2020. But never mix more in one go than you can stand to lose. Even if a mixer works with a few mBTC, there’s no guarantee that it won’t steal a few hundred mBTC. At least, occasionally.
- BitCloak: Tor (five confirmations before mix)
- Bitcoin Fog: Tor, Twitter (needs account; six confirmations for deposits; withdrawals instant)
- Blender: clearnet, Tor (three confirmations before mix)
- CryptoMixer: clearnet, Tor (0-1 confirmations before mix)
Do not trust other URLs, as long as the ones listed above work. Bitcoin Fog is the oldest mixer still in operation. It mixed Bitcoin from at least two large thefts, and apparently did that successfully. Some have claimed that it steals, or at least that it’s unreliable. However, I’ve had only one delayed deposit, a couple years ago, and that was resolved within a couple days.
Bitmixer shut down in late 2017, and BestMixer was seized in late 2019 by police. GhostMixer was purchased in late 2019 by BitWhisk, but I didn’t test that. I also didn’t test Grams Helix light. It was stealing in 2018, but is supposedly OK now.
Another option is exchanging through Ethereum currencies, which are supposedly anonymous by design. Although the Ethereum ecosystem is heavily smartphone-centric, there are browser-based wallets. But still, there’s also considerable dependency on Chrome.
Anonymous SMS Authentication
Online accounts more and more require mobile numbers for identity verification, especially if you’re using VPN services or Tor. And smartphones are a privacy/anonymity nightmare. So using one for verification may destroy your anonymity.
Virtual SMS services work for some providers. Using free ones is risky, because messages are public. But in my experience, even paid ones don’t work for Twitter. There are also SIM leasing services, but typically the SIM and account country must match.
None of this seems to work for Google. Or generally, if you’re using Tor. So I’ve ended up buying Gmail addresses and accounts on /r/BitMarket. Quality sellers also provide secondary email addresses, in case the account gets locked. However, it’s impossible to be certain that sellers can’t take accounts back, so it’s unwise to risk anything that really matters.
However, you can just use your smartphone, if you’ve secured it and anonymized the Internet uplink.
Receiving Packages Anonymously from Darknet Marketplaces
Darknet marketplaces are arbitrarily anonymous. But receiving stuff requires a shipping address.
From a recent academic discussion:
Silk Road participants neither viewed themselves as immune to, nor passively accepting of, the risk of detection and arrest. Rational choice theorists have viewed offending decisions as constrained by limited access to relevant information. Cryptomarkets as ‘illicit capital’ sharing communities provide expanded and low-cost access to information enabling drug market participants to make more accurate assessments of the risk of apprehension. The abundance of drug market intelligence available to those on both sides of the law may function to speed up innovation in illegal drug markets, as well as necessitate and facilitate the development of law enforcement responses. [emphasis added]
So yes, darknet marketplaces are also the best source for tradecraft information.
Using legitimate postal delivery services is iffy. The basic approach is simply to not attract attention. Vendors employ stealth packaging, to blend in and hide odors from dogs, and customers rate them on their methods. Vendors recommend that customers use real names, because fake names attract attention. That is, postal authorities maintain records of who receives mail at each address. That’s pretty creepy.
To remain anonymous, you must somehow interpose an intermediary. A proxy, so to speak. One common option is having stuff sent to another person, and picking it up before they do. Perhaps someone who’s on vacation, but hasn’t stopped mail delivery. Or someone who just doesn’t check their mail promptly. Maybe even a recently vacant apartment or house that’s still receiving mail.
However, there’s still the risk that investigators discovered the package, and so would be observing its delivery. And regardless, there’s the pervasive surveillance. You could perhaps pay someone to pick up stuff for you, and then meet somewhere neutral. Or indeed, you could just pay them to receive mail, or lease a post office box. However, even that is vulnerable to surveillance. In any case, you’d need to trust them. And if they got nailed, they’d likely give you up.
Dead drops are another option. That’s standard tradecraft for spies. And it’s far easier now, given GNSS/GIS based geocaching. And perhaps even drones, for popup dead drops. You could find a darknet marketplace or vendor that offers that option, or perhaps a group that offers the service more or less locally. Or simply set up a dead drop to isolate yourself from an intermediary.
Anyway, see these articles from opaque.link and Bitcoin News. And for a seriously out there approach, Drop Zone. It’s an anonymous P2P local contraband marketplace, running on the Bitcoin testnet.
Buying Stuff Anonymously in Meatspace
Buying stuff anonymously in meatspace is similarly limited by pervasive surveillance. We can certainly travel to distant stores, and pay cash. And we can of course turn phones off, and put them in Faraday bags.
But with cameras everywhere (even overhead) and vehicle tag scanners, there will likely be records. And in any case, all stores have surveillance cameras, given the risks of shoplifting and robbery.
Even so, the alternative is typically buying online, and paying with a credit card. Which is far worse.
9) Anonymous Tor Onion Sites
I’ll cover this in the next guide. But here’s the bottom line:
- Local hosting is very easy and private, but it’s also very dangerous. If adversaries manage to locate your site, they’ve also located you.
- Avoid shared onion hosting. It’s easy, but it’s very vulnerable to compromise. Read about Freedom Hosting and Freedom Hosting II.
- Hosting on anonymously leased remote VPS is easy enough. Although it’s less private, you can remain anonymous, even if it’s located.
- Hosting on anonymously leased remote dedicated servers, with full-disk encryption, is the most secure option. But it’s expensive.
This post is part of the ongoing Advanced Privacy Guides series.
This article leads me to one question. I’m a noob in this kind of topic.
Situation: I have a setup where I dualbooted my PC, one boot with an SSD with Steam OS for gaming (Arch Linux distro-based) and an HDD with Fedora and some VM for work. Sadly I don’t have enough money to buy another one to compartmentalize them.
Question: Can their activities be correlated even using a VPN? Will each dualbooted OS have the same browser fingerprint and/or device fingerprint because they share the same hardware, such as graphics card and other things? Or do they act like two different PCs?