Privacy and cybersecurity fall into an uncomfortably murky area where entrenched corporate interests, libertarian fantasy, and progressive grassroots activism meet. Efforts to protect the privacy of citizens in the face of corporate and state surveillance often end up reinforcing corporate rights to secrecy, as we saw in the recent Apple-FBI showdown following last December’s shooting in San Bernardino. Similarly, when we talk about privacy and security in cyberspace, the focus often skews towards financial security or identity theft in the property sense, rather than the maintenance of civil liberties and protection of identity in the political sense.
Central to this divide is the distinction between privacy and anonymity. Privacy is an effort to safeguard and protect identity, whereas anonymity is an effort to obscure and conceal identity. You can’t have privacy when someone’s watching, but the anonymous body trudges on regardless of observers. To put it in more hyperbolic terms, privacy and security tools often emphasize the protection of entrenched power, whereas anonymity can be a means of resistance, offering the chance to separate from your legally and physically vulnerable self that can make said resistance so precarious. In this time when the amorphous anxiety of an online presence can be overwhelming, anonymity offers a chance to temporarily sever your human ties and drift unburdened into the ether.
The following is our attempt at a how-to of anonymity — it begins with digital devices and then ventures into analogue meatspace. As you read along, please keep in mind that anonymity is not an excuse to absolve all personal responsibility. Proceed with care and caution.
Seal Up that Leaky Phone
Whether you are using a burner phone or an iPhone, you can encrypt your texts and phone calls with Signal messenger (by Open Whisper Systems). Downloading Signal is by far the easiest thing you can do to significantly enhance your communication security. It’s a free, open-source, auditable messaging app for your phone that encrypts all texts, attachments, and media files sent between other Signal users. The interface resembles most messaging apps, which makes it very straightforward to use. Verification code phrases like “Eaglenest” can be implemented when making Signal phone calls or group texts. Unlike other messengers such as iMessage, Signal is currently the only application to NOT keep a copy of the keys to your messages on its server. For example, Apple and Microsoft generally generate a secondary key with which they can unlock your messages if requested by the government.
For more extreme situations that require you to ditch your phone altogether, so that incoming and outgoing signals from it don’t reveal your location, a great solution is to simply slip it into a faraday pouch. This is more thorough than just putting your phone in airplane mode. We have seen hackers install malware that can either fake a phone shutdown or fake airplane mode, so don’t always trust your device — get physical! We suggest looking at Aram Bartholl’s Kill Your Phone open-source workshop guide, where he outlines how to make a faraday pouch for your phone, computer, or tablet that shields it from incoming or outgoing signals. This can come in handy if you want to keep your phone on your person but don’t want it to be pinged or located by a signal sent from a cell tower. So long as it is in a faraday pouch, your device is basically off the grid.
Your First Anonymous Device
The first step towards anonymity is to create an anonymous device that helps separate your online activities from the myriad of connections that link back to your flesh. Let’s start with your computer. Most likely, the computer you currently use was purchased at a major retailer with a credit card (metadata) and is primarily used from your house (metadata crossed with any logins). One way around these revealing associations is to maintain business as usual on your current computer and to buy a new one exclusively for activities you wish to keep anonymous. We recommend buying a used PC (stay away from Lenovo) off Craigslist in cash, ideally communicating from an internet cafe while sporting big glasses, a baseball cap, and hoodie. For utmost precaution, you should never use this computer from home or work. We recommend setting up at a coffee shop far away from your house. Never log in to any account from your normal life, such as Facebook or Google, and never ever divulge any personal information. Fully enter the mindset that you are someone else when using this new laptop. You are not yourself. You are little more than a pixelated blur.
Tails: The Amnesic Incognito Live System
Tails is the key to anonymizing your new computer. It’s a live bootable operating system that lives on a USB stick you can keep with you (see the Cryptoparty Crew’s recommendation). Simply stick the USB into a laptop, reboot, and poof! You’ve entered a new operating system that forgets everything you were doing as soon as you remove the USB stick. Tails comes packaged and ready for anonymous browsing, with encrypted email and encrypted chat. You can also add an encrypted file storage to it with relative ease.
To make a Tails USB stick, follow the installation procedure here. Once that’s done, you will need to restart your computer with the USB stick plugged in and boot into the Tails operating system. This is a little tricky for first timers. On a PC, you will likely need to modify your BIOS options to get it to boot off the USB stick; generally, hitting F2 or F12 when you see the first logo as the laptop is starting back up will get you into the BIOS. You will then need to set the USB to be the first thing to boot — here is a quick example. On a Mac, it’s a bit easier. Hold down the option button on restart and choose “Windows” as the drive to boot from. If you run into trouble doing this, seek out your friendly neighborhood tech nerd, contact an organization that supports Tails, or go to your local hackerspace, makerspace, or cryptoparty.
Tor: Browsing Anonymously and the Dark Web
Now that you have an anonymous computer, the next step is to connect to the web anonymously. In order to do this, boot into Tails and open TOR (The Onion Routing), which is a web browser that connects to an anonymous sharing network. Think of TOR as BitTorrent, only instead of sharing files, the cloud of anonymous computers obfuscates the location of each user as well as all input information (searches, websites accessed, etc). Tails has TOR embedded within it, so all of your internet traffic moves over this anonymous network.
TOR is first and foremost used for anonymous navigation of the internet. Imagine yourself in a not-so-distant dystopic future in the US, in which you need to reach a dubious website like greenpeace.org that has been blacklisted for being too radical. Not only does TOR grant you access to this forbidden website from a computer in the US, but it does so anonymously, by rerouting your digital trail through a series of other computers and reaching the site through, say, a computer in Europe. All website data is gathered and sent back to you anonymously through this cloud of obfuscation, allowing you and other users to circumvent any firewalls or blacklisting systems such as the Great Firewall of China.
The secondary usage for TOR is to enter the dark web, which is embedded in the TOR anonymous cloud ecosystem. In essence, this haze of anonymous computers that talk to each other makes it possible for another version of the world wide web to exist, one that is completely anonymous. If you have never ventured into the dark web, you might enjoy the Y2K aesthetics, with individually hosted, pre-WordPress websites. Accessing the dark web can be dicey, as there is no fixed jumping-off point. Here are some links that you should get you started:
- DuckDuckGo Search Engine – http://3g2upl4pq6kufc4m.onion/
- TORCH – Tor Search Engine – http://xmh57jrzrnw6insl.onion/
- Uncensored Hidden Wiki – http://zqktlwi4fecvo6ri.onion/wiki/index.php/Main_Page
To ensure that you remain on the dark web, you will want to pay attention to the URLs you visit. All dark websites end in “.onion,” instead of “.com,” “.org,” “.net,” etc. As previously mentioned, the dark web is a shifting topology, and things can be difficult to find. We recommend using TORCH as a search engine. And remember: DO NOT DO THE THINGS YOU NORMALLY DO ON THE WEB ON YOUR ANONYMOUS LAPTOP!!!! You must be vigilant if you do not want to reveal your identity or leave clues about who you are.
Note to Leakers
If you are a leaker or trying to get documents or information to the press anonymously, check out the Secure Drop Directory, which lists backdoors (only available on the dark web) to leak information to a variety of news organizations.
Persistent File Storage
If you would like to create an alternative identity instead of being completely anonymous, you will need to create an email address and have the ability to save documents and images. Tails offers you the option to setup up a “persistent volume,” aka file storage, on your USB stick. This means that an encrypted portion of your Tails USB stick will be dedicated to storing all of your settings and files. Every time you boot up Tails, you will need to enter a strong passphrase, which will unlock the encrypted portion of the USB, allowing you to keep and retrieve files from session to session. To set this up, go to “Applications > Tails > Configure Persistent Volume” in the top left, and a setup wizard will walk you through the rest.
This persistent volume is a helpful tool, but Tails even has a STRONG warning about using persistence, as staying truly anonymous is hard. Be vigilant in your anonymity!
Alternative Email Provider
There are plenty of email providers to choose from, but some care more about protecting your data than others. Our recommended free provider was Riseup, though as of November 23, it appears as if Riseup has received a gag order from the government and has likely been compromised. Some of the LA Cryptoparty Crew uses Kolab Now in Switzerland and has nothing but positive things to say about it. Here are some community sourced recommendations, but do your own homework! Also, sign up in TOR, not on your regular computer! Duh!
With your brand new
Riseup email address, you will want to encrypt your emails by using PGP. To do this, go to “Applications > Settings > Passwords and Keys” in the top left and generate a new PGP key for your email address. While encrypted email only works with folks who are also using PGP, once you enter this shadow world, you might be pleasantly surprised at how many people use encryption. Feel free to test encrypted email communication with the LA Cryptoparty Crew. You can find our email address and PGP key here.
How It Works
Email encryption works by locking emails with really long strings of numbers, called keys. A key and password manager generate a key pair, consisting of a public key and a private key. The public key can be shared widely (journalists often include theirs at the bottom of an article) because you need someone’s public key to send them an encrypted email. The private key is stored on the user’s computer hard drive and is never shared with anyone. To send an encrypted message in Tails, the email app Ice Dove communicates with your password and key manager and seals the message with the recipient’s public key, which is then sent through servers. When it reaches its destination, the recipient unlocks the message using their private key, which is only known to them. It’s important to note that you should only use encrypted email from the email app on your computer itself, e.g. Ice Dove in Tails. This makes it so that if Riseup, Gmail, or any other provider were to try and access your emails, whether to scan for ad words or for something more serious, they would just look like long illegible blocks of numbers and letters. However, metadata, such as the address of the sender and the time at which an email was sent, can still be retrieved.
Next Level $hit
If you don’t mind breaking the law, you can go as far as establishing entirely new fake identities, using tools like anonymous letter boxes and purchasing counterfeit documents on the dark web like phone bills and pay stubs to create proof for obtaining real government-issued documents. This is obviously much riskier and is not advised by the Cryptocrew.
This should be enough to get you started on your new anonymous life. You now have multiple alternative identities, an amnesiac USB bootable operating system that you can access from any cyber cafe or library computer, a pair of keys to encrypt your emails from your new email account, and a brand new hoodie.
When you’ve gotten comfortable with those, check out the other applications available on Tails: it comes with built-in audio/video editing, photo editing, and a suite of office programs called Libreoffice. We’ll end with a final reminder not to establish patterns that might link your alternative identities. This can be as complex as you see fit, but the golden rule to anonymity is that there is no such thing as real anonymity. Become the ruse you craft!
The LA Cryptoparty Crew will host an event at Machine Project (1200 D North Alvarado, Echo Park, Los Angeles) on December 3 at 8pm to discuss the basics of cybersecurity.