After reading this far, you might be thinking about your level of experience and how easy (or hard) it will be for you to disappear online. Or you might be asking yourself how far you should go or whether any of this is for you. After all, you may not have state secrets to share! You might, however, be fighting your ex in a legal dispute. Or you might be in a disagreement with your boss. You might be contacting a friend who is still in touch with an abusive family member. Or you might want to keep some activities private and unobservable by a lawyer. There are a variety of legitimate reasons why you might need to communicate with others online or to use the Web and other technology anonymously. So…
What steps do you really need to take to go all-in? How long will it take? And how much will it cost?
If it’s not abundantly clear by now, to be invisible online you more or less need to create a separate identity, one that is completely unrelated to you. That is the meaning of being anonymous. When you’re not being anonymous, you must also rigorously defend the separation of your life from that anonymous identity. What I mean by that is that you need to purchase a few separate devices that are only used when you are anonymous. And this could get costly.
You could, for example, use your current laptop and create what’s called a virtual machine (VM) on your desktop. A virtual machine is a software computer. It is contained within a virtual machine application, such a VMware Fusion. You can load a licensed copy of Windows 10 inside a VM and tell it how much RAM you want, how much disk space you need, and so on. To someone observing you on the other side of the Internet, it would appear that you are using a Windows 10 machine even if in fact you are using a Mac.
Professional security researchers use VMs all the time—creating and destroying them easily. But even among professionals there exists the possibility of leakage. For example, you might be in your VM version of Windows 10 and, for some reason, log in to your personal e-mail account. Now that VM can be associated with you.
So the first step of being anonymous is purchasing a stand-alone laptop that you will only use for your anonymous online activities. As we have seen, the nanosecond that you lapse and, say, check your personal e-mail account on that machine, the anonymity game is over. So I recommend a low-priced Windows laptop (Linux is better, if you know how to use it). The reason I’m not recommending a MacBook Pro is that it’s much more expensive than a Windows laptop.
Previously I recommended that you buy a second laptop, specifically, a Chromebook, to use only for online banking. Another option for online banking would be to use an iPad. You must sign up for an Apple ID using your e-mail address and a credit card, or by purchasing an iTunes gift card. But since this device is only used for your secure personal banking, invisibility is not the goal.
But if your objective here is invisibility, a Chromebook is not the best solution because you don’t have the same flexibility as using a laptop with Windows or a Linux-based operating system like Ubuntu. Windows 10 is okay as long as you skip the option that asks you to sign up for a Microsoft account. You do not want to create any links from your computer to Microsoft whatsoever.
You should purchase the new laptop with cash in person, not online—that way the purchase cannot easily be traced to you. Remember, your new laptop has a wireless network card with a unique MAC address. You do not want anyone possibly tracing the equipment to you—in the event your real MAC address is somehow leaked. For example, if you’re at a Starbucks and power up the laptop, the system will probe for any previously “connected to” wireless networks. If there is monitoring equipment in the area that logs the probe request, it could possibly result in revealing your real MAC address. One concern is that the government may have a way of tracing the purchase of your laptop if any link exists between the MAC address of your network card and the serial number of your computer. If so, the feds would only need to find who purchased the specific computer to identify you, which probably isn’t so difficult.
You should install both Tails (see here) and Tor (see here) and use those instead of the native operating system and browser.
Do not log in to any sites or applications under your real identity. You already learned the risks based on how easy it is to track people and computers on the Internet. As we have discussed, using sites or accounts under your real identify is a very bad idea—banks and other sites routinely use device fingerprinting to minimize fraud, and this leaves a huge footprint that can identify your computer if you ever access the same sites anonymously.
In fact, it’s best to turn your wireless router off before you boot your anonymous laptop at home. Your service provider could obtain your anonymous laptop’s MAC address if you connect to your home router (assuming the provider owns and manages the router in your home). It’s always best to purchase your own home router that you have full control over, so the service provider cannot obtain the MAC addresses assigned to your computers on your local network. As such, the service provider will only see the MAC address of your router, which is no risk to you.
What you want is plausible deniability. You want to proxy your connections through multiple layers so that it would very, very hard for an investigator to ever tie them back to a single person, let alone you. I made a mistake while still a fugitive. I repeatedly dialed up to modems at Netcom—a ghost of Internet service providers past—using a cellular phone modem to mask my physical location. Since I was at a fixed location it was child’s play to use radio direction-finding techniques to find me—once they knew what cellular tower my mobile phone was using for data connections. This allowed my adversary (Tsutomu Shimomura) to find the general location and pass it along to the FBI.1
What this means is that you can’t ever use your anonymous laptop at home or work. Ever. So get a laptop and commit to never using it to check your personal e-mail, Facebook, or even the local weather.2
Another way you can be traced online is through the tried-and-true method of following the money. You will need to pay for a few things, so prior to taking your anonymous laptop out and finding an open wireless network, the first step is to anonymously purchase some gift cards. Since every store that sells gift cards most likely has surveillance cameras at the kiosk or counter, you must exercise extreme caution. You should not purchase these yourself. You should hire a randomly chosen person off the street to purchase the gift cards while you wait a safe distance away.
But how do you do that? You might approach, as I did, someone in a parking lot and say that your ex works in that store over there and you don’t want a confrontation—or offer some other excuse that sounds plausible. Perhaps you add that she has a restraining order against you. For $100 in cash, making a purchase for you might sound very reasonable to someone.
Now that we’ve set up our cutout to go inside the store and purchase a handful of prepaid cards, which cards should he or she purchase? I recommend purchasing a few prepaid, preset $100 cards. Don’t purchase any of the refillable credit cards, as you have to provide your real identity under the Patriot Act when you activate them. These purchases require your real name, address, birth date, and a Social Security number that will match the information about you on file with the credit bureaus. Providing a made-up name or someone else’s Social Security number is against the law and is probably not worth the risk.
We’re trying to be invisible online, not break the law.
I recommend having the cutout purchase Vanilla Visa or Vanilla MasterCard $100 gift cards from a chain pharmacy, 7-Eleven, Walmart, or big box store. These are often given out as gifts and can be used just as regular credit cards would be. For these you do not have to provide any identifying information. And you can purchase them anonymously, with cash. If you live in the EU, you should anonymously order a physical credit card using viabuy.com. In Europe they can ship the cards to the post office, which requires no ID to pick up. My understanding is that they send you a PIN code, and you can open up the drop box with the PIN to anonymously pick up the cards (assuming there is no camera).
So where can you use your new laptop and anonymously purchased prepaid cards?
With the advent of inexpensive optical storage devices, businesses providing free wireless access can store surveillance camera footage for years. For an investigator it is relatively easy to get that footage and look for potential suspects. During the time of your visit, the investigator can analyze the logs—searching for MAC addresses authenticated on the wireless network that match your MAC address. That’s why it’s important to change your MAC address each time you connect to a free wireless network. So you need to find a location near or adjacent to one that offers free Wi-Fi. For example, there may be a Chinese restaurant next door to a Starbucks or other establishment that offers free wireless access. Sit at a table near the wall adjoining the service provider. You might experience slightly slower connection speeds, but you will have relative anonymity (at least until the investigator starts looking at all the surveillance footage from the surrounding area).
Your MAC address will likely be logged and stored once you authenticate on the free wireless network. Remember General David Petraeus’s mistress? Remember that the times and dates of her hotel registrations matched the times and dates of her MAC address’s appearance on the hotel’s network? You don’t want simple mistakes like these to compromise your anonymity. So remember to change your MAC address each time you access public Wi-Fi (see here).
So far this seems pretty straightforward. You want to buy a separate laptop from which you will do your anonymous activity. You want to anonymously purchase some gift cards. You want to find a Wi-Fi network that you can access from a near or adjacent site to avoid being seen on camera. And you want to change your MAC address every time you connect to a free wireless network.
Of course there’s more. Much more. We’re only getting started.
You might also want to hire a second cutout, this time to make a more important purchase: a personal hotspot. As I mentioned before, the FBI caught me because I was dialing up to systems around the world using my cellular phone and modem, and over time my fixed location was compromised because my mobile phone was connected to the same cellular tower. At that point it was easy to use radio-direction finding to locate the transceiver (my cell phone). You can avoid that by hiring someone to go into a Verizon store (or AT&T or T-Mobile) and purchase a personal hotspot that allows you to connect to the Internet using cellular data. That means you have your own local access to the Internet, so you don’t have to go through a public Wi-Fi network. Most important, you should never use a personal hotspot in a fixed location for too long when you need to maintain your anonymity.
Ideally the person you hire won’t see your license plate or have any way to identify you. Give the person cash: $200 for the hotspot and another $100 when the person returns with the hotspot. The mobile operator will sell the cutout a personal hotspot that carries no identifying information. And while you’re at it, why not purchase a few refill cards to add more data? Hopefully the cutout won’t abscond with your money, but it’s a worthwhile risk for anonymity. Later you can refill the burner device using Bitcoin.3
Once you have anonymously purchased a portable hotspot, it is very important that, as with the laptop, you never, never, never turn the device on at home. Every time the hotspot is turned on, it registers with the closest cellular tower. You don’t want your home or office or anyplace you frequent to show up in the mobile operator’s log files.
And never turn on your personal phone or personal laptop in the same location where you turn on your anonymous laptop or burner phone or anonymous hotspot. The separation is really important. Any record that links you to your anonymous self at a later date and time negates the whole operation.
Now, armed with prepaid gift cards and a personal hotspot with a prepaid data plan—both purchased anonymously by two very different people who wouldn’t have any information about you to identify you to the police—we’re almost set. Almost.
From this point on, the Tor browser should always be used to create and access all online accounts because it constantly changes your IP address.
One of the first steps is to set up a couple of anonymous e-mail accounts using Tor. This was something that Ross Ulbricht neglected to do. As we saw in the previous chapter, he used his personal e-mail account more than once while conducting his Silk Road business on the Dark Web. These unintentional crossovers from Dread Pirate Roberts to Ross Ulbricht and back again helped investigators confirm that the two names were associated with one person.
To prevent abuse, most e-mail providers—such as Gmail, Hotmail, Outlook, and Yahoo—require mobile phone verification. That means you have to provide your mobile number and, immediately during the sign-up process, a text message is sent to that device to confirm your identity.
You can still use a commercial service like the ones mentioned above if you use a burner phone. However, that burner phone and any refill cards must be obtained securely—i.e., purchased in cash by a third party who cannot be traced back to you. Also, once you have a burner phone, you cannot use it when you’re close to any other cellular devices you own. Again, leave your personal phone at home.
In order to purchase Bitcoin online, you are going to need at least two anonymously created e-mail addresses and Bitcoin wallets. So how do you create anonymous e-mail addresses like those created by Edward Snowden and Laura Poitras?
In my research, I found I was able to create an e-mail account on protonmail.com and one on tutanota.com using Tor, both without any requests to verify my identity. Neither of these two e-mail providers asked me for verification upon setup. You can conduct your own research by searching for e-mail providers and checking to see whether they require your mobile phone number during the sign-up process. You can also see how much information they need to create the new accounts. Another e-mail option is fastmail.com, which is not nearly as feature rich as Gmail, but because it is a paid service, there is no mining of user data or displaying of ads.
So now we have a laptop, with Tor and Tails loaded, a burner phone, a handful of anonymous prepaid gift cards, and an anonymous hotspot with an anonymously purchased data plan. We’re still not ready. To maintain this anonymity, we need to convert our anonymously purchased prepaid gift cards to Bitcoin.
In chapter 6 I talked about Bitcoin, virtual currency. By itself Bitcoin is not anonymous. They can be traced through what’s called a blockchain back to the source of the purchase; similarly, all subsequent purchases can be traced as well. So Bitcoin by itself is not going to hide your identity. We will have to run the funds through an anonymity mechanism: converting prepaid gift cards into Bitcoin, then running the Bitcoin through a laundering service. This process will result in anonymized Bitcoin to be used for future payments. We will need the laundered Bitcoin, for example, to pay for our VPN service and any future purchases of data usage on our portable hotspot or burner phone.
Using Tor, you can set up an initial Bitcoin wallet at paxful.com or other Bitcoin wallet sites. Some sites broker deals in which you can buy Bitcoin with prepaid gift cards, such as those preset Vanilla Visa and Vanilla MasterCard gift cards I mentioned earlier. The downside is that you will pay a huge premium for this service, at least 50 percent.
Paxful.com is more like an eBay auction site where you find Bitcoin sellers—the site just connects you with buyers and sellers.
Apparently anonymity has a high cost. The less identity information you provide in a transaction, the more you’ll pay. That makes sense: the people selling the Bitcoin are taking a huge risk by not verifying your identity. I was able to purchase Bitcoin in exchange for my anonymously purchased Vanilla Visa gift cards at a rate of $1.70 per dollar, which is outrageous but necessary to ensure anonymity.
I mentioned that Bitcoin by itself is not anonymous. For example, there is a record that I exchanged certain prepaid gift cards for Bitcoin. An investigator could trace my Bitcoin back to the gift cards.
But there are ways to launder Bitcoin, obscuring any link back to me.
Money laundering is something that criminals do all the time. It is most often used in drug trafficking, but it also plays a role in white-collar financial crime. Laundering means that you disguise the original ownership of the funds, often by sending the money out of the country, to multiple banks in countries that have strict privacy laws. Turns out you can do something similar with virtual currency.
There are services called tumblers that will take Bitcoin from a variety of sources and mix—or tumble—them together so that the resulting Bitcoin retains its value but carries traces of many owners. This makes it hard for someone to say later which owner made a certain purchase. But you have to be extremely careful, because there are tons of scams out there.
I took a chance. I found a laundering service online and they took an extra fee out of the transaction. I actually got the Bitcoin value that I wanted. But think about this: that laundering service now has one of my anonymous e-mail addresses and both Bitcoin addresses that were used in the transaction. So to further mix things up, I had the Bitcoin delivered to a second Bitcoin wallet that was set up by opening a new Tor circuit, which established new hops between me and the site I wanted to visit. Now the transaction is thoroughly obfuscated, making it very hard for someone to come along later and figure out that the two Bitcoin addresses are owned by the same person. Of course, the Bitcoin laundering service could cooperate with third parties by providing both Bitcoin addresses. That’s why it’s so important to securely purchase the prepaid gift cards.
After using the gift cards to purchase Bitcoin, remember to securely dispose of the plastic cards (not in your trash at home). I recommend using a cross-cut shredder that’s rated for plastic cards, then disposing of the shreds in a random dumpster away from your home or office. Once the laundered Bitcoin has been received, you can sign up for a VPN service that makes your privacy a priority. The best policy when you are trying to be anonymous is simply not to trust any VPN provider, especially those that claim not to retain any logs. Chances are they’ll still cough up your details if contacted by law enforcement or the NSA.
For example, I cannot imagine any VPN provider not being able to troubleshoot issues within its own network. And troubleshooting requires keeping some logs—e.g., connection logs that could be used to match customers to their originating IP addresses.
So because even the best of these providers cannot be trusted, we will purchase a VPN service using laundered Bitcoin through the Tor browser. I suggest reviewing a VPN provider’s terms of service and privacy policies and find the one that seems the best of the bunch. You’re not going to find a perfect match, only a good one. Remember that you cannot trust any provider to maintain your anonymity. You have to do it yourself with the understanding that a single error can reveal your true identity.
Now, with a stand-alone laptop, running either Tor or Tails, using a VPN provider purchased with laundered Bitcoin, over an anonymously purchased hotspot, and with a supply of even more laundered Bitcoin, you have completed the easy part: the setup. This will cost you a couple of hundred bucks, perhaps five hundred, but all the pieces have been randomized so that they can’t easily be connected back to you. Now comes the hard part—maintaining that anonymity.
All the setup and processes we’ve just gone through can be lost in a second if you use the anonymous hotspot at home, or if you power on your personal cell phone, tablet, or any other cellular device linked to your real identity at the physical location where you are using your anonymous identity. It only takes one slip by you for a forensic investigator to be able to correlate your presence to a location by analyzing the cellular provider’s logs. If there is a pattern of anonymous access at the same time your cellular device is registered in the same cell site, it could lead to unmasking your true identity.
I’ve already given a number of examples of this.
Now, should your anonymity be compromised and should you decide to engage in another anonymous activity, you might need to go through this process once again—wiping and reinstalling the operating system on your anonymous laptop and creating another set of anonymous e-mail accounts with Bitcoin wallets and purchasing another anonymous hotspot. Remember that Edward Snowden and Laura Poitras, both of whom already had anonymous e-mail accounts, set up additional anonymous e-mail accounts so they could communicate specifically with each other. This is only necessary if you suspect that the original anonymity you’ve established is compromised. Otherwise you could use the Tor browser (after establishing a new Tor circuit) through the anonymous hotspot and VPN to access the Internet using a different persona.
Of course, how much or how little you choose to follow these recommendations is up to you.
Even if you follow my recommendations, it is still possible for someone on the other end to recognize you. How? By the way you type.
There is a considerable body of research that has focused on the specific word choices people make when writing e-mails and commenting on social media posts. By looking at those words, researchers can often identify sex and ethnicity. But beyond that they cannot be more specific.
Or can they?
In World War II the British government set up a number of listening stations around the country to intercept signals from the German military. The advances that led to the Allies decrypting these messages came a bit later—at Bletchley Park, the site of the Government Code and Cypher School, where the German Enigma code was broken. Early on, the people at Bletchley Park intercepting the German telegraph messages could identify certain unique characteristics of a sender based on the intervals between the dots and the dashes. For example, they could recognize when a new telegraph operator came on, and they even started giving the operators names.
How could mere dots and dashes reveal the people behind them?
Well, the time interval between the sender’s tapping of a key and the tapping of the key again can be measured. This method of differentiation later became known as the Fist of the Sender. Various Morse code key operators could be identified by their unique “fists.” It wasn’t what the telegraph was designed to do (who cares who sent the message; what was the message?), but in this case the unique tapping was an interesting by-product.
Today, with advances in digital technology, electronic devices can measure the nanosecond differences in the way each person presses keys on computer keyboards—not only the length of time a given key is held but also how quickly the next key follows. It can tell the difference between someone who types normally and someone who hunts and pecks at the keyboard. That, coupled with the words chosen, can reveal a lot about an anonymous communication.
This is a problem if you’ve gone through the trouble of anonymizing your IP address. The site on the other side can still recognize you—not because of something technical but because of something uniquely human. This is also known as behavioral analysis.
Let’s say a Tor-anonymized website decides to track your keystroke profile. Maybe the people behind it are malicious and just want to know more about you. Or maybe they work with law enforcement.
Many financial institutions already use keystroke analysis to further authenticate account holders. That way if someone does have your username and password, he or she can’t really fake the cadence of your typing. That’s reassuring when you want to be authenticated online. But what if you don’t?
Because keystroke analysis is so disturbingly easy to deploy, researchers Per Thorsheim and Paul Moore created a Chrome browser plug-in called Keyboard Privacy. The plug-in caches your individual keystrokes and then plays them out at different intervals. The idea is to introduce randomness in your normal keystroke cadence as a means of achieving anonymity online. The plug-in might further mask your anonymous Internet activities.4
As we have seen, maintaining the separation between your real life and your anonymous life online is possible, but it requires constant vigilance. In the previous chapter I talked about some spectacular failures at being invisible. These were glorious but short-term attempts at invisibility.
In the case of Ross Ulbricht, he didn’t really plan his alter ego very carefully, occasionally using his real e-mail address instead of an anonymous one, particularly in the beginning. Through the use of a Google advanced search, an investigator was able to piece together enough information to reveal the mysterious owner of Silk Road.
So what about Edward Snowden and others like him who are concerned about their surveillance by one or more government agencies? Snowden, for example, has a Twitter account. As do quite a few other privacy folks—how else might I engage them in a round of feisty conversation online? There are a couple of possibilities to explain how these people remain “invisible.”
They’re not under active surveillance. Perhaps a government or government agency knows exactly where its targets are but doesn’t care. In that case, if the targets aren’t breaking any laws, who’s to say they haven’t let their guard down at some point? They might claim to only use Tor for their anonymous e-mails, but then again they might be using that account for their Netflix purchases as well.
They’re under surveillance, but they can’t be arrested. I think that might very well describe Snowden. It is possible he has slipped regarding his anonymity at some point and that he is now being actively tracked wherever he goes—except he’s living in Russia. Russia has no real reason to arrest him and return him to the United States.
You’ll notice I said “slipped”: unless you have amazing attention to detail, it’s really hard to live two lives. I know. I’ve done it. I let my guard down by using a fixed location when accessing computers through a cellular phone network.
There’s a truism in the security business that a persistent attacker will succeed given enough time and resources. I succeed all the time when testing my client’s security controls. All you are really doing by trying to make yourself anonymous is putting up so many obstacles that an attacker will give up and move on to another target.
Most of us only have to hide for a little while. To avoid that boss who is out to get you fired. To avoid that ex whose lawyers are looking for something, anything, to hold against you. To evade that creepy stalker who saw your picture on Facebook and is determined to harass you. Whatever your reason for being invisible, the steps I’ve outlined will work long enough to get you out from under a bad situation.
Being anonymous in today’s digital world requires a lot of work and constant vigilance. Each person’s requirements for anonymity differ—do you need to protect your passwords and keep private documents away from your coworkers? Do you need to hide from a fan who is stalking you? Do you need to evade law enforcement because you’re a whistleblower?
Your individual requirements will dictate the necessary steps you need to take to maintain your desired level of anonymity—from setting strong passwords and realizing that your office printer is out to get you all the way to going through the steps detailed here to make it extremely difficult for a forensic investigator to discover your true identity.
In general, though, we can all learn something about how to minimize our fingerprints in the digital world. We can think before posting that photo with a home address visible in the background. Or before providing a real birth date and other personal information on our social media profiles. Or before browsing the Internet without using the HTTPS Everywhere extension. Or before making confidential calls or sending texts without using an end-to-end encryption tool such as Signal. Or before messaging a doctor through AOL, MSN Messenger, or Google Talk without OTR. Or before sending a confidential e-mail without using PGP or GPG.
We can think proactively about our information and realize that even if what we’re doing with it feels benign—sharing a photograph, forgetting to change default log-ins and passwords, using a work phone for a personal message, or setting up a Facebook account for our kids—we’re actually making decisions that carry a lifetime of ramifications. So we need to act.
This book is all about staying online while retaining our precious privacy. Everyone—from the most technologically challenged to professional security experts—should make a committed practice of mastering this art, which becomes more essential with each passing day: the art of invisibility.