If you’re like me, one of the first things you do in the morning is check your e-mail. And, if you’re like me, you also wonder who else has read your e-mail. That’s not a paranoid concern. If you use a Web-based e-mail service such as Gmail or Outlook 365, the answer is kind of obvious and frightening.
Even if you delete an e-mail the moment you read it on your computer or mobile phone, that doesn’t necessarily erase the content. There’s still a copy of it somewhere. Web mail is cloud-based, so in order to be able to access it from any device anywhere, at any time, there have to be redundant copies. If you use Gmail, for example, a copy of every e-mail sent and received through your Gmail account is retained on various servers worldwide at Google. This is also true if you use e-mail systems provided by Yahoo, Apple, AT&T, Comcast, Microsoft, or even your workplace. Any e-mails you send can also be inspected, at any time, by the hosting company. Allegedly this is to filter out malware, but the reality is that third parties can and do access our e-mails for other, more sinister and self-serving, reasons.
In principle, most of us would never stand for anyone except the intended recipient reading our mail. There are laws protecting printed mail delivered through the US Postal Service, and laws protecting stored content such as e-mail. Yet in practice, we usually know and probably accept that there’s a certain trade-off involved in the ease of communication e-mail affords. We know that Yahoo (among others) offers a free Web-mail service, and we know that Yahoo makes the majority of its money from advertising. Perhaps we’ve not realized exactly how the two might be connected and how that might affect our privacy.
One day, Stuart Diamond, a resident of Northern California, did. He realized that the ads he saw in the upper-right-hand corner of his Yahoo Mail client were not random; they were based on the contents of the e-mails he had been sending and receiving. For example, if I mentioned in an e-mail an upcoming speaking trip to Dubai, the ads I might see in my e-mail account would suggest airlines, hotels, and things to do while in the United Arab Emirates.
This practice is usually carefully spelled out in the terms of service that most of us agreed to but probably never read. Nobody wants to see ads that have nothing to do with our individual interests, right? And as long as the e-mail travels between Yahoo account holders, it seems reasonable that the company would be able to scan the contents of those e-mails in order to target ads to us and maybe block malware and spam, which is unwanted e-mail.
However, Diamond, along with David Sutton, also from Northern California, began to notice that the contents of e-mails sent to and received from addresses outside Yahoo also influenced the ad selection presented to them. That suggested that the company was intercepting and reading all their e-mail, not just the messages sent to and from its own servers.
Based on the patterns they observed, the two filed a class-action lawsuit in 2012 against Yahoo on behalf of its 275 million account holders, citing concerns around what is essentially equivalent to illegal wiretapping by the company.
Did that end the scanning? No.
In a class-action suit, there is a period of discovery and response from both parties. In this case that initial phase lasted nearly three years. In June of 2015, a judge in San Jose, California, ruled that the men had sufficient grounds for their class-action suit to proceed and that people who sent or received Yahoo Mail since October 2, 2011, when the men filed their initial request, could join in the lawsuit under the Stored Communications Act. Additionally, a class of non–Yahoo Mail account holders living in California may also sue under that state’s Invasion of Privacy Act. That case is still pending.
In defending itself against another e-mail-scanning lawsuit, this one filed early in 2014, Google accidentally published information about its e-mail scanning process in a court hearing, then quickly attempted and failed to have that information redacted or removed. The case involved the question of precisely what was scanned or read by Google. According to the plaintiffs in the case, which included several large media companies, including the owners of USA Today, Google realized at some point that by scanning only the contents of the inbox, they were missing a lot of potentially useful content. This suit alleged that Google shifted from scanning only archived e-mail, which resides on the Google server, to scanning all Gmail still in transit, whether it was sent from an iPhone or a laptop while the user was sitting in Starbucks.
Sometimes companies have even tried to secretly scan e-mails for their own purposes. One well-known instance of this happened at Microsoft, which suffered a huge backlash when it revealed that it had scanned the inbox of a Hotmail user who was suspected of having pirated a copy of the company’s software. As a result of this disclosure, Microsoft has said it will let law enforcement handle such investigations in the future.
These practices aren’t limited to your private e-mail. If you send e-mail through your work network, your company’s IT department may also be scanning and archiving your communications. It is up to the IT staff or their managers whether to let any flagged e-mail pass through their servers and networks or involve law enforcement. This includes e-mails that contain trade secrets or questionable material such as pornography. It also includes scanning e-mail for malware. If your IT staff is scanning and archiving your e-mails, they should remind you each time you log in what their policy is—although most companies do not.
While most of us may tolerate having our e-mails scanned for malware, and perhaps some of us tolerate scanning for advertising purposes, the idea of third parties reading our correspondence and acting on specific contents found within specific e-mails is downright disturbing. (Except, of course, when it comes to child pornography.1)
So whenever you write an e-mail, no matter how inconsequential, and even if you delete it from your inbox, remember that there’s an excellent chance that a copy of those words and images will be scanned and will live on—maybe not forever, but for a good long while. (Some companies may have short retention policies, but it’s safe to assume that most companies keep e-mail for a long time.)
Now that you know the government and corporations are reading your e-mails, the least you can do is make it much harder for them to do so.
Most Web-based e-mail services use encryption when the e-mail is in transit. However, when some services transmit mail between Mail Transfer Agents (MTAs), they may not be using encryption, so your message travels in the open. For example, within the workplace a boss may have access to the company e-mail system. To become invisible you will need to encrypt your messages—that is, lock them so that only the recipients can unlock and read them. What is encryption? It is a code.
A very simple encryption example—a Caesar cipher, say—substitutes each letter for another one a certain number of positions away in the alphabet. If that number is 2, for example, then using a Caesar cipher, a becomes c, c becomes e, z becomes b, and so forth. Using this offset-by-two encryption scheme, “Kevin Mitnick” becomes “Mgxkp Okvpkem.”2
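The offset-by-two Caesar cipher from the text, as an added example that is not code from the original page. It reproduces the “Kevin Mitnick” to “Mgxkp Okvpkem” transformation and then shows why such a scheme is no real protection: there are only twenty-five possible keys, so anyone can try them all and pick the one that yields a word they expect.

```python
"""The Caesar cipher from the text, and why a 25-key cipher is not real
encryption. Added example, not code from the original page."""


def caesar(text: str, shift: int) -> str:
    """Shift every letter `shift` places (wrapping z -> a), keep case,
    and leave spaces and punctuation untouched."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base + shift) % 26))
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, shift: int) -> str:
    """Undo caesar(): shifting back by the same amount."""
    return caesar(ciphertext, -shift)


def brute_force(ciphertext: str) -> dict:
    """Only 25 keys exist, so list every candidate plaintext, keyed by shift."""
    return {k: caesar_decrypt(ciphertext, k) for k in range(1, 26)}


def find_key(ciphertext: str, crib: str):
    """Return the shift whose decryption contains a word the reader expects
    to see (a 'crib'), or None if no shift fits."""
    for k, candidate in brute_force(ciphertext).items():
        if crib in candidate:
            return k
    return None


if __name__ == "__main__":
    secret = caesar("Kevin Mitnick", 2)
    print(secret)                      # Mgxkp Okvpkem
    print(find_key(secret, "Kevin"))   # 2
```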
Most encryption systems used today are, of course, much stronger than any basic Caesar cipher. Therefore they should be much harder to break. One thing that’s true about all forms of encryption is that they require a key, which is used as a password to lock and open the encrypted message. Symmetrical encryption means that the same key is used both to lock and unlock the encrypted message. Symmetrical keys are hard to share, however, when two parties are unknown to each other or physically far apart, as they are on the Internet.
Most e-mail encryption actually uses what’s called asymmetrical encryption. That means I generate two keys: a private key that stays on my device, which I never share, and a public key that I post freely on the Internet. The two keys are different yet mathematically related.
For example: Bob wants to send Alice a secure e-mail. He finds Alice’s public key on the Internet or obtains it directly from Alice, and when sending a message to her encrypts the message with her public key. This message will stay encrypted until Alice—and only Alice—uses a passphrase to unlock her private key and decrypt the message.
So how would encrypting the contents of your e-mail work?
The most popular method of e-mail encryption is PGP, which stands for “Pretty Good Privacy.” It is not free. It is a product of the Symantec Corporation. But its creator, Phil Zimmermann, also authored an open-source version, OpenPGP, which is free. And a third option, GPG (GNU Privacy Guard), created by Werner Koch, is also free. The good news is that all three are interoperable. That means that no matter which version of PGP you use, the basic functions are the same.
When Edward Snowden first decided to disclose the sensitive data he’d copied from the NSA, he needed the assistance of like-minded people scattered around the world. Paradoxically, he needed to get off the grid while still remaining active on the Internet. He needed to become invisible.
Even if you don’t have state secrets to share, you might be interested in keeping your e-mails private. Snowden’s experience and that of others illustrate that it isn’t easy to do that, but it is possible, with proper diligence.
Snowden used his personal account through a company called Lavabit to communicate with others. But e-mail is not point-to-point, meaning that a single e-mail might hit several servers around the world before landing in the intended recipient’s inbox. Snowden knew that whatever he wrote could be read by anyone who intercepted the e-mail anywhere along its journey.
So he had to perform a complicated maneuver to establish a truly secure, anonymous, and fully encrypted means of communication with privacy advocate and filmmaker Laura Poitras, who had recently finished a documentary about the lives of whistle-blowers. Snowden wanted to establish an encrypted exchange with Poitras, except only a few people knew her public key. She didn’t make her public key very public.
To find her public key, Snowden had to reach out to a third party, Micah Lee of the Electronic Frontier Foundation, a group that supports privacy online. Lee’s public key was available online and, according to the account published on the Intercept, an online publication, he had Poitras’s public key, but he first needed to check to see if she would permit him to share it. She would.3
At this point neither Lee nor Poitras had any idea who wanted her public key; they only knew that someone did. Snowden had used a different account, not his personal e-mail account, to reach out. But if you don’t use PGP often, you may forget to include your PGP key on important e-mails now and again, and that is what happened to Snowden. He had forgotten to include his own public key so Lee could reply.
With no secure way to contact this mystery person, Lee was left with no choice but to send a plain-text, unencrypted e-mail back to Snowden asking for his public key, which he provided.
Once again Lee, a trusted third party, had to be brought into the situation. I can tell you from personal experience that it is very important to verify the identity of the person with whom you are having a secure conversation, preferably through a mutual friend—and make sure you are communicating with that friend and not someone else in disguise.
I know how important this is because I’ve been the poser before, in a situation where it worked to my advantage that the other party didn’t question my real identity or the public key I sent. I once wanted to communicate with Neill Clift, a graduate student in organic chemistry at the University of Leeds, in England, who was very skilled at finding security vulnerabilities in the Digital Equipment Corporation’s VMS operating system. I wanted Clift to send me all the security holes that he’d reported to DEC. For that I needed him to think that I actually worked for DEC.
I started by posing as someone named Dave Hutchins and sending Clift a spoofed message from him. I had previously called Clift pretending to be Derrell Piper from VMS engineering, so I (posing as Hutchins) wrote in my e-mail that Piper wanted to exchange e-mails with Clift about a project. In going through DEC’s e-mail system, I already knew that Clift and the real Piper had previously e-mailed each other, so this new request wouldn’t sound all that odd. I then sent an e-mail spoofing Piper’s real e-mail address.
To further convince Clift this was all on the up-and-up, I even suggested that he use PGP encryption so that someone like Kevin Mitnick wouldn’t be able to read the e-mails. Soon Clift and “Piper” were exchanging public keys and encrypting communications—communications that I, as Piper, could read. Clift’s mistake was in not questioning the identity of Piper himself. Similarly, when you receive an unsolicited phone call from your bank asking for your Social Security number or account information, you should always hang up and call the bank yourself—you never know who is on the other side of the phone call or e-mail.
Given the importance of the secrets they were about to share, Snowden and Poitras could not use their regular e-mail addresses. Why not? Their personal e-mail accounts contained unique associations—such as specific interests, lists of contacts—that could identify each of them. Instead Snowden and Poitras decided to create new e-mail addresses.
The only problem was, how would they know each other’s new e-mail addresses? In other words, if both parties were totally anonymous, how would they know who was who and whom they could trust? How could Snowden, for example, rule out the possibility that the NSA or someone else was posing as Poitras behind her new e-mail account? Public keys are long, so you can’t just pick up a secure phone and read out the characters to the other person. You need a secure e-mail exchange.
By enlisting Micah Lee once again, both Snowden and Poitras could anchor their trust in someone when setting up their new and anonymous e-mail accounts. Poitras first shared her new public key with Lee. But PGP encryption keys themselves are rather long (not quite pi length, but they are long), and, again, what if someone were watching his e-mail account as well? So Lee did not use the actual key but instead a forty-character abbreviation (or a fingerprint) of Poitras’s public key. This he posted to a public site—Twitter.
Sometimes in order to become invisible you have to use the visible.
Now Snowden could anonymously view Lee’s tweet and compare the shortened key to the message he received. If the two didn’t match, Snowden would know not to trust the e-mail. The message might have been compromised. Or he might be talking instead to the NSA.
In this case, the two matched.
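The forty-character fingerprint Lee posted is the OpenPGP version 4 fingerprint: a SHA-1 hash (160 bits, so 40 hex characters) over the public-key packet, as defined in RFC 4880. The following added example, not code from the original page or from any PGP implementation, computes that fingerprint for a constructed RSA public-key packet and then performs the comparison Snowden made between the key that arrived by e-mail and the value published out of band. The modulus is an arbitrary 2048-bit integer standing in for a real key.

```python
"""OpenPGP v4 key fingerprint (the forty-character string in the text) and
the out-of-band comparison. Added example; the key below is constructed."""
import hashlib
import hmac


def mpi(value: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit count, then big-endian bytes
    (RFC 4880 section 3.2)."""
    nbytes = (value.bit_length() + 7) // 8
    return value.bit_length().to_bytes(2, "big") + value.to_bytes(nbytes, "big")


def rsa_public_key_packet_body(n: int, e: int, created: int) -> bytes:
    """Version 4 public-key packet body for an RSA key (RFC 4880 section 5.5.2):
    version, 4-byte creation time, algorithm 1 (RSA), then n and e as MPIs."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(packet_body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the two-octet body length, and
    the body itself. 160 bits -> 40 hex characters, short enough to tweet."""
    prefix = b"\x99" + len(packet_body).to_bytes(2, "big")
    return hashlib.sha1(prefix + packet_body).hexdigest().upper()


def format_for_posting(fpr: str) -> str:
    """Group into blocks of four, the way key tools usually print fingerprints."""
    return " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4))


def normalize(fpr: str) -> str:
    """Drop whitespace and case so a tweeted value compares with a computed one."""
    return "".join(fpr.split()).upper()


def fingerprints_match(received_key_fpr: str, posted_fpr: str) -> bool:
    """The check from the story: fingerprint of the key that arrived by e-mail
    versus the one published out of band. Partial values never match."""
    a, b = normalize(received_key_fpr), normalize(posted_fpr)
    if len(a) != 40 or len(b) != 40:
        return False
    return hmac.compare_digest(a, b)


# Constructed demo key material: an arbitrary 2048-bit integer standing in for
# an RSA modulus (not a real key), the usual exponent, and a fixed timestamp.
DEMO_N = (1 << 2047) | 0x1D2D3D4D5D6D7D8D9DADBDCDDDEDFD
DEMO_E = 65537
DEMO_CREATED = 1370000000
DEMO_BODY = rsa_public_key_packet_body(DEMO_N, DEMO_E, DEMO_CREATED)
DEMO_FPR = v4_fingerprint(DEMO_BODY)

# A key differing in a single bit of n: what a substituted key would produce.
TAMPERED_FPR = v4_fingerprint(
    rsa_public_key_packet_body(DEMO_N ^ 1, DEMO_E, DEMO_CREATED))

if __name__ == "__main__":
    print("posted:  ", format_for_posting(DEMO_FPR))
    print("received:", DEMO_FPR.lower())
    print("match:", fingerprints_match(DEMO_FPR.lower(), format_for_posting(DEMO_FPR)))
    print("tampered key matches:", fingerprints_match(TAMPERED_FPR, DEMO_FPR))
```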
Now several orders removed from who they were online—and where they were in the world—Snowden and Poitras were almost ready to begin their secure anonymous e-mail communication. Snowden finally sent Poitras an encrypted e-mail identifying himself only as “Citizenfour.” This signature became the title of her Academy Award–winning documentary about his privacy rights campaign.
That might seem like the end—now they could communicate securely via encrypted e-mail—but it wasn’t. It was just the beginning.
In the wake of the 2015 terrorist attacks in Paris, there was discussion from various governments about building in back doors or other ways for those in government to decrypt encrypted e-mail, text, and phone messages—ostensibly from foreign terrorists. This would, of course, defeat the purpose of encryption. But governments actually don’t need to see the encrypted contents of your e-mail to know whom you are communicating with and how often, as we will see.
As I mentioned before, the purpose of encryption is to encode your message so that only someone with the correct key can later decode it. Both the strength of the mathematical operation and the length of the encryption key determine how easy it is for someone without a key to crack your code.
Encryption algorithms in use today are public. You want that.4 Be afraid of encryption algorithms that are proprietary and not public. Public algorithms have been vetted for weakness—meaning people have been purposely trying to break them. Whenever one of the public algorithms becomes weak or is cracked, it is retired, and newer, stronger algorithms are used instead. The older algorithms still exist, but their use is strongly discouraged.
The keys are (more or less) under your control, and so, as you might guess, their management is very important. If you generate an encryption key, you—and no one else—will have the key stored on your device. If you let a company perform the encryption, say, in the cloud, then that company might also keep the key after sharing it with you. The real concern is that this company may also be compelled by court order to share the key with law enforcement or a government agency, with or without a warrant. You will need to read the privacy policy for each service you use for encryption and understand who owns the keys.
When you encrypt a message—an e-mail, text, or phone call—use end-to-end encryption. That means your message stays unreadable until it reaches its intended recipient. With end-to-end encryption, only you and your recipient have the keys to decode the message. Not the telecommunications carrier, website owner, or app developer—the parties that law enforcement or government will ask to turn over information about you. How do you know whether the encryption service you are using is end-to-end encryption? Do a Google search for “end-to-end encryption voice call.” If the app or service doesn’t use end-to-end encryption, then choose another.
If all this sounds complicated, that’s because it is. But there are PGP plug-ins for the Chrome and Firefox Internet browsers that make encryption easier. One is Mailvelope, which neatly handles the public and private encryption keys of PGP. Simply type in a passphrase, which will be used to generate the public and private keys. Then whenever you write a Web-based e-mail, select a recipient, and if the recipient has a public key available, you will then have the option to send that person an encrypted message.5
Even if you encrypt your e-mail messages with PGP, a small but information-rich part of your message is still readable by just about anyone. In defending itself from the Snowden revelations, the US government stated repeatedly that it doesn’t capture the actual contents of our e-mails, which in this case would be unreadable with PGP encryption. Instead, the government said it collects only the e-mail’s metadata.
What is e-mail metadata? It is the information in the To and From fields as well as the IP addresses of the various servers that handle the e-mail from origin to recipient. It also includes the subject line, which can sometimes be very revealing as to the encrypted contents of the message. Metadata, a legacy from the early days of the Internet, is still included on every e-mail sent and received, but modern e-mail readers hide this information from display.6
PGP, no matter what “flavor” you use, does not encrypt the metadata—the To and From fields, the subject line, and the time-stamp information. This remains in plain text, whether it is visible to you or not. Third parties will still be able to see the metadata of your encrypted message; they’ll know that on such-and-such a date you sent an e-mail to someone, that two days later you sent another e-mail to that same person, and so on.
That might sound okay, since the third parties are not actually reading the content, and you probably don’t care about the mechanics of how those e-mails traveled—the various server addresses and the time stamps—but you’d be surprised by how much can be learned from the e-mail path and the frequency of e-mails alone.
Back in the ’90s, before I went on the run from the FBI, I performed what I called a metadata analysis on various phone records. I began this process by hacking into PacTel Cellular, a cellular provider in Los Angeles, to obtain the call detail records (CDRs) of anyone who called an informant whom the FBI was using to obtain information about my activities.
CDRs are very much like the metadata I’m talking about here; they show the time a phone call was made, the number dialed, the length of the call, and the number of times a particular number was called—all very useful information.
By searching through the calls that were being placed through PacTel Cellular to the informant’s landline, I was able to obtain a list of the cell-phone numbers of the people who called him. Upon analysis of the callers’ billing records, I was able to identify those callers as members of the FBI’s white-collar crime squad, operating out of the Los Angeles office. Sure enough, some of the numbers each individual dialed were internal to the Los Angeles office of the FBI, the US attorney’s office, and other government offices. Some of those calls were quite long. And quite frequent.
Whenever they moved the informant to a new safe house, I was able to obtain the landline number of the safe house because the agents would call it after trying to reach the informant on his pager. Once I had the landline number for the informant, I was also able to obtain the physical address through social engineering—that is, by pretending to be someone at Pacific Bell, the company that provided the service at the safe house.
Social engineering is a hacking technique that uses manipulation, deception, and influence to get a human target to comply with a request. Often people are tricked into giving up sensitive information. In this case, I knew the internal numbers at the phone company, and I pretended to be a field technician who spoke the correct terminology and lingo, which was instrumental in obtaining sensitive information.
So while recording the metadata in an e-mail is not the same as capturing the actual content, it is nonetheless intrusive from a privacy perspective.
If you look at the metadata from any recent e-mail you’ll see the IP addresses of the servers that passed your e-mail around the world before it reached its target. Each server—like each person who accesses the Internet—has a unique IP address, a numerical value that is calculated using the country where you are located and who your Internet provider is. Blocks of IP addresses are set aside for various countries, and each provider has its own sub-block, and this is further subdivided by type of service—dial-up, cable, or mobile. If you purchased a static IP address, it will be associated with your subscriber account and home address; otherwise your external IP address will be drawn from a pool of addresses assigned to your Internet service provider. For example, a sender—someone sending you an e-mail—might have the IP address 27.126.148.104, which is located in Victoria, Australia.
Or it could be 175.45.176.0, which is one of North Korea’s IP addresses. If it is the latter, then your e-mail account might be flagged for government review. Someone in the US government might want to know why you’re communicating with someone from North Korea, even if the subject line reads “Happy Birthday.”
By itself, you still might not think the server address is very interesting. But the frequency of contact can tell you a lot. Additionally, if you identify each element—the sender and the receiver and their locations—you can start to infer what’s really going on. For example, the metadata associated with phone calls—the duration, the time of day they’re made, and so on—can tell you a lot about a person’s mental health. A 10:00 p.m. call to a domestic violence hotline lasting ten minutes or a midnight call from the Brooklyn Bridge to a suicide prevention hotline lasting twenty minutes can be very revealing. An app developed at Dartmouth College matches patterns of stress, depression, and loneliness in user data. This user activity has also been correlated with student grades.7
Still don’t see the danger in having your e-mail metadata exposed? A program created at MIT called Immersion will visually map the relationships between the senders and receivers of all the e-mail you have stored in your e-mail account just by using the metadata. The tool is a way to visually quantify who matters to you most. The program even includes a sliding time scale, so you can see how the people you know rise and fall in importance to you over time. Although you might think you understand your relationships, seeing them graphically represented can be a sobering experience. You might not realize how often you e-mail someone you don’t really know or how little you e-mail someone you know very well. With the Immersion tool you can choose whether to upload the data, and you can also delete the information once it has been graphed.8
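To make concrete both what PGP leaves in the clear (the To, From, Subject and Date fields and the chain of Received headers with server IP addresses and time stamps) and the Immersion-style relationship tally, here is an added example that is not code from the original page or from the Immersion project. All messages are constructed, the IP addresses are documentation ranges, and the encrypted body is placeholder text; mapping an address to a country would need a geolocation database that is not included.

```python
"""What a third party reads from a PGP-encrypted e-mail: everything but the
body. Added illustration for the metadata passage above and for the
Immersion-style relationship tally; all messages here are constructed."""
import re
from collections import Counter
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed message. The body is PGP-armored ciphertext (placeholder bytes);
# every header stays in the clear, exactly as PGP leaves it.
RAW_MESSAGE = """\
Received: from mx.example.net (mx.example.net [203.0.113.9])
    by inbox.example.net with ESMTPS id c0ffee;
    Tue, 21 Apr 2015 09:14:02 -0700
Received: from [198.51.100.24] (unknown [198.51.100.24])
    by mx.example.net with ESMTP;
    Tue, 21 Apr 2015 09:13:55 -0700
From: Alice <alice@example.org>
To: bob@example.net
Subject: Dubai trip itinerary
Date: Tue, 21 Apr 2015 09:13:50 -0700
Message-ID: <constructed-1@example.org>

-----BEGIN PGP MESSAGE-----

hQEMA0NvbnN0cnVjdGVkIHBsYWNlaG9sZGVyIGNpcGhlcnRleHQ=
-----END PGP MESSAGE-----
"""

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(header: str) -> dict:
    """One Received line: the relaying host's IP and when it handled the mail."""
    ip = BRACKETED_IPV4.search(header)
    when = parsedate_to_datetime(header.rsplit(";", 1)[-1].strip())
    return {"ip": ip.group(1) if ip else None, "when": when}


def extract_metadata(raw: str) -> dict:
    """Everything visible without a key: sender, recipients, subject, date,
    the server path, and whether the body happens to be PGP-encrypted."""
    msg = message_from_string(raw)
    # Each server prepends its own Received line, so reverse to read origin -> inbox.
    hops = [parse_received(h) for h in reversed(msg.get_all("Received", []))]
    body = msg.get_payload().lstrip()
    return {
        "from": getaddresses(msg.get_all("From", []))[0][1],
        "to": [addr for _, addr in getaddresses(msg.get_all("To", []))],
        "subject": msg["Subject"],
        "date": parsedate_to_datetime(msg["Date"]),
        "hops": hops,
        "body_encrypted": body.startswith("-----BEGIN PGP MESSAGE-----"),
    }


def make_message(sender: str, recipient: str, date: str, subject: str) -> str:
    """Build another constructed message in the same shape as RAW_MESSAGE."""
    return (
        "Received: from [198.51.100.24] (unknown [198.51.100.24])\n"
        f"    by mx.example.net with ESMTP; {date}\n"
        f"From: {sender}\nTo: {recipient}\nSubject: {subject}\nDate: {date}\n\n"
        "-----BEGIN PGP MESSAGE-----\n\nQUFBQQ==\n-----END PGP MESSAGE-----\n"
    )


DEMO_MAILBOX = [
    RAW_MESSAGE,
    make_message("bob@example.net", "alice@example.org",
                 "Wed, 22 Apr 2015 08:00:00 -0700", "Re: Dubai trip itinerary"),
    make_message("carol@example.com", "bob@example.net",
                 "Thu, 23 Apr 2015 12:30:00 -0700", "Lunch?"),
    make_message("alice@example.org", "bob@example.net",
                 "Fri, 24 Apr 2015 18:45:00 -0700", "Flight booked"),
]


def contact_frequency(mailbox, me: str) -> Counter:
    """Immersion-style tally of who `me` corresponds with and how often,
    using From/To alone; no message body is ever decrypted or read."""
    tally = Counter()
    for raw in mailbox:
        md = extract_metadata(raw)
        parties = {md["from"], *md["to"]}
        if me in parties:
            tally.update(parties - {me})
    return tally


def timeline(mailbox) -> list:
    """The 'on such-and-such a date you wrote to X' view: (date, from, to), sorted."""
    rows = [(md["date"], md["from"], tuple(md["to"]))
            for md in map(extract_metadata, mailbox)]
    return sorted(rows)


if __name__ == "__main__":
    md = extract_metadata(RAW_MESSAGE)
    print(md["from"], "->", md["to"], "|", md["subject"], "| encrypted:", md["body_encrypted"])
    for hop in md["hops"]:
        print("  via", hop["ip"], "at", hop["when"].isoformat())
    print(contact_frequency(DEMO_MAILBOX, "bob@example.net").most_common())
```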
According to Snowden, our e-mail, text, and phone metadata is being collected by the NSA and other agencies. But the government can’t collect metadata from everyone—or can it? Technically, no. However, there’s been a sharp rise in “legal” collection since 2001.
Authorized under the US Foreign Intelligence Surveillance Act of 1978 (FISA), the US Foreign Intelligence Surveillance Court (known as FISC, or the FISA Court) oversees all requests for surveillance warrants against foreign individuals within the United States. On the surface it seems reasonable that a court order would stand between law enforcement and an individual. The reality is somewhat different. In 2012 alone, 1,856 requests were presented, and 1,856 requests were approved, suggesting that the process today is largely a rubber-stamp approval operation for the US government.9 After the FISA Court grants a request, law enforcement can compel private corporations to turn over all their data on you—that is, if they haven’t already done so.
To become truly invisible in the digital world you will need to do more than encrypt your messages. You will need to:
Remove your true IP address: This is your point of connection to the Internet, your fingerprint. It can show where you are (down to your physical address) and what provider you use.
Obscure your hardware and software: When you connect to a website online, a snapshot of the hardware and software you’re using may be collected by the site. There are tricks that can be used to find out if you have particular software installed, such as Adobe Flash. The browser software tells a website what operating system you’re using, what version of that operating system you have, and sometimes what other software you have running on your desktop at the time.
Defend your anonymity: Attribution online is hard. Proving that you were at the keyboard when an event occurred is difficult. However, if you walk in front of a camera before going online at Starbucks, or if you just bought a latte at Starbucks with your credit card, these actions can be linked to your online presence a few moments later.
As we’ve learned, every time you connect to the Internet, there’s an IP address associated with that connection.10 This is problematic if you’re trying to be invisible online: you might change your name (or not give it at all), but your IP address will still reveal where you are in the world, what provider you use, and the identity of the person paying for the Internet service (which may or may not be you). All these pieces of information are included within the e-mail metadata and can later be used to identify you uniquely. Any communication, whether it’s e-mail or not, can be used to identify you based on the Internet Protocol (IP) address that’s assigned to the router you are using while you are at home, work, or a friend’s place.
IP addresses in e-mails can of course be forged. Someone might use a proxy address—not his or her real IP address but someone else’s—so that an e-mail appears to originate from another location. A proxy is like a foreign-language translator—you speak to the translator, and the translator speaks to the foreign-language speaker—only the message remains exactly the same. The point here is that someone might use a proxy from China or even Germany to evade detection on an e-mail that really comes from North Korea.
Instead of hosting your own proxy, you can use a service known as an anonymous remailer, which will mask your e-mail’s IP address for you. An anonymous remailer simply changes the e-mail address of the sender before sending the message to its intended recipient. The recipient can respond via the remailer. That’s the simplest version.
There are also variations. Some type I and type II remailers do not allow you to respond to e-mails; they allow only one-way correspondence. Type III, or Mixminion, remailers do offer a full suite of services: responding, forwarding, and encryption. You will need to find out which service your remailer supplies if you choose this method of anonymous correspondence.
One way to mask your IP address is to use the onion router (Tor), which is what Snowden and Poitras did.
Developed by the US Naval Research Laboratory in 2004 as a way for military personnel to conduct searches without exposing their physical locations, the Tor open-source program has since been expanded. Tor is designed to be used by people living in harsh regimes as a way to avoid censorship of popular media and services and to prevent anyone from tracking what search terms they use. Tor remains free and can be used by anyone, anywhere—even you.
How does Tor work? It upends the usual model for accessing a website.
Usually when you go online you open an Internet browser and type in the name of the site you want to visit. A request goes out to that site, and milliseconds later a response comes back to your browser with the website page. The website knows—based on the IP address—who the service provider is, and sometimes even where in the world you are located, based on where the service provider is located or the latency of the hops from your device to the site. For example, if your device says it is in the United States, but the time and number of hops your request takes to reach its destination suggest you are somewhere else in the world, some sites—gaming sites, in particular—will detect that as possible fraud.
When you use Tor, the direct line between you and your target website is obscured by additional nodes, and every ten seconds the chain of nodes connecting you to whatever site you are looking at changes without disruption to you. The various nodes that connect you to a site are like layers within an onion. In other words, if someone were to backtrack from the destination website and try to find you, they’d be unable to because the path would be constantly changing. Unless your entry point and your exit point become associated somehow, your connection is considered anonymous.
When you use Tor, your request to open a page—say, mitnicksecurity.com—is not sent directly to that server but first to another Tor node. And just to make things even more complicated, that node then passes the request to another node, which finally connects to mitnicksecurity.com. So there’s an entry node, a node in the middle, and an exit node. If I were to look at who was visiting my company site, I would only see the IP address and information from the exit node, the last in the chain, and not the first, your entry node. You can configure Tor so it uses exit nodes in a particular country, such as Spain, or even a specific exit node, perhaps in Honolulu.
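The entry, middle and exit layers described above can be simulated in a few dozen lines. The following is an added example, not code from the original page or from the Tor project: the client wraps its request in three layers, one per relay, and each relay can remove only its own layer, so the entry relay learns the client and the middle relay, the exit relay learns the destination, and no single relay sees both ends. The relay names and keys are constructed, and the keyed stream cipher is a labelled stand-in for the AES-based circuit encryption Tor negotiates with each relay.

```python
"""Toy three-hop onion routing, added to illustrate the entry/middle/exit
description above. Not Tor's protocol: Tor negotiates AES keys with each
relay; here a labelled stand-in keyed stream cipher plays that role."""
import hashlib
import hmac
import os

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used only as a demo stream cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt one layer with a fresh nonce (stand-in for Tor's per-hop crypto)."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def unseal(key: bytes, blob: bytes) -> bytes:
    """Remove one layer; only the holder of `key` gets meaningful bytes back."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def _frame(next_hop: str, inner: bytes) -> bytes:
    """Layer plaintext: 2-byte length, next-hop name, then the inner blob."""
    hop = next_hop.encode()
    return len(hop).to_bytes(2, "big") + hop + inner


def _unframe(plain: bytes):
    n = int.from_bytes(plain[:2], "big")
    return plain[2:2 + n].decode(), plain[2 + n:]


def build_onion(circuit, destination: str, payload: bytes) -> bytes:
    """Wrap payload in one layer per relay, innermost for the exit.
    circuit: [(relay_name, key), ...] ordered entry -> exit."""
    blob, next_hop = payload, destination
    for name, key in reversed(circuit):
        blob = seal(key, _frame(next_hop, blob))
        next_hop = name
    return blob


def relay(circuit, onion: bytes):
    """Each relay peels one layer and learns only its two neighbours.
    Returns ([(relay, previous_hop, next_hop), ...], payload delivered)."""
    view, blob, prev = [], onion, "client"
    for name, key in circuit:
        next_hop, blob = _unframe(unseal(key, blob))
        view.append((name, prev, next_hop))
        prev = name
    return view, blob


# Constructed demo circuit and keys (not real relays, not real keys).
DEMO_CIRCUIT = [("entry-relay", b"E" * 32),
                ("middle-relay", b"M" * 32),
                ("exit-relay", b"X" * 32)]
DEMO_DEST = "mitnicksecurity.com"
DEMO_REQUEST = b"GET / HTTP/1.1"


def entry_relay_sees(onion: bytes) -> bytes:
    """What the entry relay holds after peeling its layer: the middle relay's
    name plus ciphertext it cannot read, so the destination never appears."""
    return unseal(DEMO_CIRCUIT[0][1], onion)


if __name__ == "__main__":
    onion = build_onion(DEMO_CIRCUIT, DEMO_DEST, DEMO_REQUEST)
    view, delivered = relay(DEMO_CIRCUIT, onion)
    for relay_name, came_from, goes_to in view:
        print(f"{relay_name}: from {came_from} -> to {goes_to}")
    print("site receives:", delivered)
```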
To use Tor you will need the modified Firefox browser from the Tor site (torproject.org). Always look for legitimate Tor browsers for your operating system from the Tor project website. Do not use a third-party site. For Android operating systems, Orbot is a legitimate free Tor app from Google Play that both encrypts your traffic and obscures your IP address.11 On iOS devices (iPad, iPhone), install the Onion Browser, a legitimate app from the iTunes app store.
You might be thinking, why doesn’t someone just build an e-mail server within Tor? Someone did. Tor Mail was a service hosted on a site accessible only to Tor browsers. However, the FBI seized that server in an unrelated case and therefore gained access to all the encrypted e-mail stored on Tor Mail. This is a cautionary tale showing that even when you think your information is safe, foolproof, it probably isn’t.12
Although Tor uses a special network, you can still access the Internet from it, but the pages are much slower to load. However, in addition to allowing you to surf the searchable Internet, Tor gives you access to a world of sites that are not ordinarily searchable—what’s called the Dark Web. These are sites that don’t resolve to common names such as Google.com and instead end with the .onion extension. Some of these hidden sites offer, sell, or provide items and services that may be illegal. Some of them are legitimate sites maintained by people in oppressed parts of the world.
It should be noted, however, that there are several weaknesses with Tor:
You have no control over the exit nodes, which may be under the control of government or law enforcement; whoever runs the exit can read and alter any traffic that is not itself encrypted end to end, such as plain HTTP13
You can still be profiled and possibly identified14
Tor is very slow
That being said, if you still decide to use Tor you should not run it in the same physical device that you use for browsing. In other words, have a laptop for browsing the Web and a separate device for Tor (for instance, a Raspberry Pi minicomputer running Tor software). The idea here is that if somebody is able to compromise your laptop they still won’t be able to peel off your Tor transport layer as it is running on a separate physical box.15
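The separate-box setup above, as an added example that is not part of the book: a torrc and firewall rules that turn a small Linux machine such as a Raspberry Pi into a transparent Tor gateway. Every TCP flow and DNS query arriving from the laptop side is redirected into Tor, and anything else is dropped, so even a compromised laptop cannot bypass Tor or reach the Tor process's real uplink. Interface names, the LAN address and the assumption that the Pi already serves the LAN (for example via hostapd and dnsmasq) are illustrative; the iptables function needs root and is defined but not run here.

```shell
#!/bin/sh
# Added example (not the book's own instructions): a transparent Tor gateway.
# Assumptions (illustrative): LAN-facing interface wlan0 with address
# 192.168.42.1 serving the laptop, uplink on eth0, tor running on this box.

# write_gateway_torrc PATH LAN_IP -> torrc with a transparent TCP proxy port
# and a DNS resolver port, both bound to the LAN-facing address
write_gateway_torrc() {
    cat >"$1" <<EOF
# Map .onion names to private addresses when resolved through the DNSPort
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
# Transparent TCP proxy and DNS resolver facing the laptop
TransPort $2:9040
DNSPort $2:53
EOF
}

# gateway_ports PATH -> prints "<transport> <dnsport>" found in a torrc
gateway_ports() {
    t=$(sed -n 's/^TransPort .*:\([0-9]*\)$/\1/p' "$1")
    d=$(sed -n 's/^DNSPort .*:\([0-9]*\)$/\1/p' "$1")
    echo "$t $d"
}

# apply_gateway_rules LAN_IF -> force all LAN traffic into tor (needs root)
apply_gateway_rules() {
    lan=$1
    iptables -t nat -F
    iptables -F
    # DNS from the laptop goes to tor's DNSPort, every new TCP connection
    # to its TransPort; REDIRECT delivers them to the local tor process
    iptables -t nat -A PREROUTING -i "$lan" -p udp --dport 53 -j REDIRECT --to-ports 53
    iptables -t nat -A PREROUTING -i "$lan" -p tcp --syn -j REDIRECT --to-ports 9040
    # Whatever was not redirected (other UDP, ICMP) is never forwarded, so no
    # packet from the laptop reaches the uplink outside Tor
    iptables -A FORWARD -i "$lan" -j DROP
}

demo_dir=$(mktemp -d)
write_gateway_torrc "$demo_dir/torrc" 192.168.42.1
echo "gateway ports (trans dns): $(gateway_ports "$demo_dir/torrc")"
# On the gateway, as root:  apply_gateway_rules wlan0 && tor -f "$demo_dir/torrc"
```

The point of the DROP rule is the fail-closed behaviour: if tor is not running, the laptop simply has no connectivity rather than quietly using the direct route.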
In the case of Snowden and Poitras, as I said, simply connecting to each other over encrypted e-mail wasn’t good enough. After Poitras created a new public key for her anonymous e-mail account, she could have sent it to Snowden’s previous e-mail address, but if someone were watching that account, then her new identity would be exposed. A very basic rule is that you have to keep your anonymous accounts completely separate from anything that could relate back to your true identity.
To be invisible you will need to start with a clean slate for each new secure contact you make. Legacy e-mail accounts might be connected in various ways to other parts of your life—friends, hobbies, work. To communicate in secrecy, you will need to create new e-mail accounts using Tor so that the IP address setting up the account is not associated with your real identity in any way.
Creating anonymous e-mail addresses is challenging but possible.
There are private e-mail services you can use. Since you will leave a trail if you pay for those services, you’re actually better off using a free Web service. A minor hassle: Gmail, Microsoft, Yahoo, and others require you to supply a phone number to verify your identity. Obviously you can’t use your real cell-phone number, since it may be connected to your real name and real address. You might be able to set up a Skype phone number if the service supports voice authentication instead of SMS authentication; however, you will still need an existing e-mail account and a prepaid gift card to set up a Skype number.16 If you think using a prepaid cell phone in and of itself will protect your anonymity, you’re wrong. If you’ve ever used a prepaid phone to make calls associated with your real identity, it’s child’s play to discover who you are.
Instead you’ll want to use a disposable phone. Some people think of burner phones as devices used only by terrorists, pimps, and drug dealers, but there are plenty of perfectly legitimate uses for them. For example, a business reporter whose garbage had been gone through by private investigators hired by Hewlett-Packard, which was eager to find out who might be leaking critical board-of-directors information, switched over to burner phones so that the private investigators would have a harder time identifying her calls. After that experience she only spoke to her source on that burner phone.17
Similarly, a woman who is avoiding an abusive ex might gain a little peace of mind by using a phone that doesn’t require a contract or, for that matter, a Google or an Apple account. A burner phone typically has few or very limited Internet capabilities. Burner phones mostly provide voice, text, and e-mail service, and that’s about all some people need. You, however, should also get data because you can tether this burner phone to your laptop and use it to surf the Internet. (Here I tell you how to change the media access control—MAC—address on your laptop so that each time you tether with a burner phone it appears to be a new device.)
However, purchasing a burner phone anonymously will be tricky. Actions taken in the real world can be used to identify you in the virtual world. Sure, I could walk into Walmart and pay cash for a burner phone and one hundred minutes of airtime. Who would know? Well, lots of people would.
First, how did I get to Walmart? Did I take an Uber car? Did I take a taxi? These records can all be subpoenaed.
I could drive my own car, but law enforcement uses automatic license plate recognition technology (ALPR) in large public parking lots to look for missing and stolen vehicles as well as people on whom there are outstanding warrants. The ALPR records can be subpoenaed.
Even if I walked to Walmart, once I entered the store my face would be visible on several security cameras within the store itself, and that video can be subpoenaed.
Okay, so let’s say I send someone else to the store—someone I don’t know, maybe a homeless person I hired on the spot. That person walks in and buys the phone and several data refill cards with cash. That would be the safest approach. Maybe you arrange to meet this person later away from the store. This would help physically distance yourself from the actual sales transaction. In this case the weakest link could still be the person you sent—how trustworthy is he? If you pay him more than the value of the phone, he will probably be happy to deliver the phone as promised.
Activation of the prepaid phone requires either calling the mobile operator’s customer service department or activating it on the provider’s website. To avoid being recorded for “quality assurance,” it’s safer to activate over the Web. Using Tor over an open wireless network after you’ve changed your MAC address should be the minimum safeguards. You should make up all the subscriber information you enter on the website. For your address, just Google the address of a major hotel and use that. Make up a birth date and PIN that you’ll remember in case you need to contact customer service in the future.
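The MAC-address change mentioned when tethering to the burner phone, and again as the first safeguard before activating it over an open wireless network, as an added example that is not the book's own procedure. The script generates a random locally administered unicast address (so it never collides with a vendor-assigned one and is accepted by every driver) and applies it with iproute2 before the interface associates. The interface name is an illustrative assumption and `set_mac` needs root.

```shell
#!/bin/sh
# Added example (not the book's procedure): randomize a laptop's MAC address
# before it joins the phone's hotspot or an open network.
# Assumptions: Linux with iproute2; the interface name is illustrative.

# random_mac -> prints a random MAC with the locally-administered bit set
# and the multicast bit clear in the first octet
random_mac() {
    bytes=$(od -An -N6 -tu1 /dev/urandom)
    set -- $bytes
    first=$(( ($1 & 252) | 2 ))   # clear bit 0 (unicast), set bit 1 (local)
    printf '%02x:%02x:%02x:%02x:%02x:%02x\n' "$first" "$2" "$3" "$4" "$5" "$6"
}

# is_local_unicast MAC -> succeeds if the first octet has local=1, multicast=0
is_local_unicast() {
    o=$(printf '%s' "$1" | cut -d: -f1)
    [ $(( 0x$o & 3 )) -eq 2 ]
}

# set_mac IFACE MAC -> apply the address (needs root; link must be down)
set_mac() {
    ip link set dev "$1" down
    ip link set dev "$1" address "$2"
    ip link set dev "$1" up
}

mac=$(random_mac)
echo "new address: $mac"
# As root, before tethering or joining the open network:
#   set_mac wlan0 "$mac"
```

Two caveats a practitioner should keep in mind. The change has to happen before the interface associates; once a base station has seen the old address the new one buys you nothing for that session. And the MAC is not the only identifier a laptop leaks on joining a network: most DHCP clients send the machine's hostname as well, so either blank it or give the burner laptop a generic one. On a desktop running NetworkManager the same randomization can be made automatic by setting `wifi.cloned-mac-address=random` in the `[device]` section of its configuration.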
There are e-mail services that don’t require verification, and if you don’t need to worry about authorities, Skype numbers work well for Google account registration and similar purposes. For the sake of illustration, though, let’s say that after using Tor to hide your IP address, and after creating a Gmail account that has nothing to do with your real phone number, Google sends the burner phone a verification code or a voice call. Now you have a Gmail account that is virtually untraceable, as long as it is only ever used in the way described next.
So we have an anonymous e-mail address established using familiar and common services. We can produce reasonably secure e-mails whose IP address—thanks to Tor—is anonymous (although you don’t have control over the exit nodes) and whose contents, thanks to PGP, can’t be read except by the intended recipient.
Note that to keep this account anonymous you can only access the account from within Tor so that your IP address will never be associated with it. Further, you should never perform any Internet searches while logged in to that anonymous Gmail account; you might inadvertently search for something that is related to your true identity. Even searching for weather information could reveal your location.18
As you can see, becoming invisible and keeping yourself invisible require tremendous discipline and perpetual diligence. But it is worth it in order to be invisible.
The most important takeaways are: first, be aware of all the ways that someone can identify you even if you undertake some but not all of the precautions I’ve described. And if you do undertake all these precautions, know that you need to perform due diligence every time you use your anonymous accounts. No exceptions.
It’s also worth reiterating that end-to-end encryption—keeping your message unreadable and secure until it reaches the recipient as opposed to simply encrypting it—is very important. End-to-end encryption can be used for other purposes, such as encrypted phone calls and instant messaging, which we’ll discuss in the next two chapters.