
A Technical Guide to Anonymous Posting

Zuckerman | 13.02.2009 16:32 | Indymedia Server Seizure | Indymedia | Repression | Technology | Sheffield | World

Recent events have got people talking and thinking about security implications of using indymedia or other online publishing outlets. Below is a guide to how to implement security measures for hiding your identity online.



This guide has been modified from an article that originally appeared on Global Voices Online, a nonprofit global citizens' media project sponsored by and launched from the Berkman Center for Internet and Society at the Harvard Law School. For additional information on blogging anonymously, you may also want to download Reporters Without Borders' Handbook for Bloggers and Cyber-Dissidents.

In April of 2005, the Electronic Frontier Foundation (EFF) posted its How to Blog Safely About Work and Anything Else. While the guide is rich in tips to ensure you don't reveal too much personal information while blogging, it doesn't look very closely at the technical issues associated with keeping a blog private. I decided to write a quick technical guide to anonymous blogging, trying to approach the problem from the perspective of a government whistle-blower in a country with a less-than-transparent government.

The Risks of Blogging

Sarah works in a government office as an accountant. She becomes aware that her boss, the deputy minister, is stealing large amounts of money from the government. She wants to let the world know that a crime is taking place but is worried about losing her job. If she reports the matter to the minister, she might get fired. She calls a reporter at the local newspaper, but he says he can't run a story without lots of additional information and documents to support her claims.

So Sarah decides to start a blog to share her story with the rest of the world. To protect herself, she wants to make sure no one can find out who she is based on her blog posts. She needs to blog anonymously.

There are two main ways a blogger can get caught when he or she is trying to blog anonymously. One is if she reveals her identity through the content she publishes. For instance, if Sarah writes, "I'm the Assistant Chief Compliance Accountant to the Deputy Minister of Mines," there's a good chance that someone reading her blog is going to figure out who she is pretty quickly. (EFF's "How to Blog Safely" guide offers some great advice on how to avoid revealing your identity through the content of your blog.)

The other way Sarah can get caught is if someone can determine her identity from information provided by her Web browser or email program. Every computer connected to the Internet has — or shares — an address called an IP address, which consists of a series of four numbers from zero to 255 separated by dots (for example, 213.24.124.38). When Sarah uses her Web browser to make a comment on the minister's blog, the IP address she was using is included with her post.

With a little work, the Minister's computer technicians may be able to trace Sarah's identity from this IP address. If Sarah is using a computer in her home, dialing into an Internet Service Provider (ISP), the ISP likely has records of which IP address was assigned to which telephone number at a specific time. In some countries, the minister might need a subpoena to obtain these records; in others (especially ones where the ISP is owned by the government!), the ISP might give out this information very easily, and Sarah might find herself in hot water.

Security Measures for Hiding Your Identity Online

There are a number of ways Sarah can hide her identity when using the Internet. As a general rule, the more secure Sarah wants to be, the more effort she needs to expend hiding her identity. Sarah — and anyone else hoping to blog anonymously — needs to consider just how paranoid she wants to be before deciding how hard she wants to work to protect her identity. As you will see, some of the strategies for protecting identity online require a great deal of technical knowledge and effort.

1. Pseudonyms

One easy way Sarah can hide her identity is to use a free Webmail account and a free blog host outside her native country. (Using a paid account for either email or Web hosting is a bad idea, as the payment will link the account to a credit card, a checking account, or a Paypal account that could easily be linked back to Sarah.) She can create a new identity — a pseudonym — when she signs up for these accounts, and when the Minister finds her blog, he'll discover that it belongs to "Ann Onimous," with the email address anonymous.whistleblower@hotmail.com.

Examples of free Webmail account providers:

MSN Hotmail
Yahoo Mail
Hushmail

Examples of free blog-hosting providers:

Blogsome
Blogger
Seo Blog

The problem with pseudonyms, however, is that when Sarah signs up for an email or blog service, the server she's accessing logs her IP address. If that IP address can be traced to her — whether at home or to her computer at work — and if the email or blog-hosting provider is forced to release that information, her true identity could be revealed. It's not a simple matter to get most hosting providers to give away this type of information — to get Hotmail to reveal the IP Sarah used to sign up for her account, for instance, the Minister would likely need to issue a subpoena, probably in cooperation with a U.S. law enforcement agency — but Sarah may not want to take that risk.

2. Public Computers

One additional step Sarah could take to hide her identity is to post to her blog from computers that are used by lots of other people. Rather than setting up her email and blog accounts from her home or work computer, Sarah could set them up from a computer in an Internet café, a library, or a university computer lab. When the Minister traces the IP used to post a comment or a post, he'll discover that the post was made from a public location where any number of people might have been using the computers.

There are flaws in this strategy as well. If the Internet café or computer lab keeps track of who is using what computer at what time, Sarah's identity could be compromised. She shouldn't try to post in the middle of the night when she's the only person in the computer lab — the geek on duty is likely to remember who she is. And she should change Internet cafés often. If the Minister discovers that all the whistleblower's posts are coming from Joe's Cyber Café on Main Street, he might get someone to monitor that location to see who's posting to blogs in the hopes of catching the author.

3. Anonymous Proxies

Sarah's tired of walking to Joe's Cyber Café every time she wants to post to her blog. With some help from the neighborhood geek, she sets up her computer to access the Web through an anonymous proxy. Now when she uses her email and blog services, she'll leave behind the IP address of the proxy server, not the address of her home machine — which will make it very hard for the Minister to find her.

First, Sarah finds a list of proxy servers online, by searching for "proxy server" on Google. She picks a proxy server from the Publicproxyservers.com list, choosing a site marked "high anonymity." She writes down the IP address of the proxy and the port named on the proxy list.

Some reliable lists of public proxies:

Publicproxyservers.com : Lists anonymous and identifiable proxies.
Samair : Only lists anonymous proxies and includes information on proxies that support SSL.
Rosinstrument Proxy Database : A searchable database of proxy servers.

Sarah then opens the Preferences section of her Web browser. Under General, Network, or Security, she will usually find an option to set up a proxy to access the Internet. (On the Firefox browser, which I use, this option is found under Tools > Internet Options > Connections > Settings.)

She turns on Manual Proxy Configuration, enters the IP address of the proxy server and port into the fields for HTTP proxy and SSL proxy, and saves her settings. She restarts her browser and starts surfing the Web.

Sarah notices that her connection to the Web seems to be a bit slower. That's because every page she requests from a Web server takes a detour. Instead of connecting directly to Hotmail.com, she connects to the proxy, which then connects to Hotmail. When Hotmail sends a page to her, it goes to the proxy first, then to her. She also notices that she has some difficulty accessing Web sites, especially sites that want her to log in. But at least her IP isn't being recorded by her blog provider!
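Whether the blog provider really sees only the proxy's address depends on which request headers the proxy adds. The following check is an added example, not part of the original guide: it assumes Sarah has copied the headers a destination server received (for instance from a page that echoes request headers back, a hypothetical helper here) and classifies the proxy using the proxy lists' own terms. The header names are ones forwarding proxies commonly add; all addresses and header values are constructed samples.

```python
import ipaddress
import re

# Request headers that forwarding proxies commonly add (compared lower-cased).
CLIENT_IP_HEADERS = {"x-forwarded-for", "forwarded", "x-real-ip", "client-ip"}
PROXY_MARKER_HEADERS = {"via", "x-forwarded-host", "x-forwarded-proto",
                        "proxy-connection"}

def ips_in(value):
    """Return every IPv4/IPv6 address that appears in a header value."""
    found = set()
    for token in re.findall(r"[0-9A-Fa-f:.]{3,}", value):
        # Try the token as-is, then with a trailing ":port" removed.
        for candidate in (token, token.rsplit(":", 1)[0]):
            try:
                found.add(ipaddress.ip_address(candidate))
                break
            except ValueError:
                continue
    return found

def classify_proxy(received_headers, real_ip):
    """Classify a proxy from the headers the destination server received.

    Returns (label, header_names): "identifiable" if the real address shows
    up anywhere, "anonymous" if the request merely admits to being proxied,
    "high anonymity" if no proxy-related header is present.
    """
    real = ipaddress.ip_address(real_ip)
    leaks, markers = [], []
    for name, value in received_headers.items():
        if real in ips_in(value):
            leaks.append(name)
        elif name.lower() in CLIENT_IP_HEADERS | PROXY_MARKER_HEADERS:
            markers.append(name)
    if leaks:
        return "identifiable", leaks
    if markers:
        return "anonymous", markers
    return "high anonymity", []

# Constructed samples: 203.0.113.7 stands in for Sarah's home address.
REAL_IP = "203.0.113.7"
SAMPLES = {
    "forwarding": {"Host": "blog.example", "Via": "1.1 cache",
                   "X-Forwarded-For": "203.0.113.7, 198.51.100.9"},
    "marker only": {"Host": "blog.example", "Via": "1.1 cache"},
    "clean": {"Host": "blog.example", "User-Agent": "Mozilla/5.0"},
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(label, "->", classify_proxy(headers, REAL_IP))
```

A result of "high anonymity" only describes what the headers reveal; the proxy operator still sees Sarah's real address.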

Unfortunately, proxies aren't perfect either. If the country Sarah lives in has restrictive Internet laws, many Web surfers may be using proxies to access sites blocked by the government. The government may respond by ordering certain popular proxies to be blocked. Surfers move to new proxies, the government blocks those proxies, and so on, which makes using a proxy very time-consuming.

Sarah has another problem if she's one of very few people in the country using a proxy. If the comments on her blog can be traced to a single proxy server, and if the Minister can access logs from all the ISPs within a country, he might be able to discover that Sarah's computer was one of the very few that accessed a specific proxy server. He can't demonstrate that Sarah used the proxy to post to a blog server, but he might conclude that because the proxy was used to post to the blog and Sarah was one of the few people in the nation to use that proxy, this was enough evidence that Sarah made the post. Sarah would do well to use proxies that are popular locally and to switch proxies often.

4. Circumventors

Sarah starts to wonder what happens if the proxy servers she's using are compromised. What if the minister convinces the operator of a proxy server — either legally or illegally — to keep records on whether anyone from his country is using the proxy and the sites they're visiting? Sarah is relying on the proxy administrator to protect her, and she doesn't even know who the administrator is or if he or she is trustworthy. (Then again, the proxy administrator may not even know she's running a proxy, since proxies are often left open by accident.)

Sarah has a friend in Canada — a country less likely than Sarah's to censor Internet content — who might be willing to help her maintain her blog while protecting her identity. Sarah phones her friend and asks him to set up Circumventor on his system. Circumventor is one of dozens of proxy servers a user can set up to allow people to use his computer as a proxy.

Sarah's friend Jim downloads Circumventor from Peacefire.org and installs it on his Windows system. It's not an easy process — before installing Circumventor, he must first install the Perl programming language on his system, then install OpenSA. And he now needs to keep his computer connected to the Internet constantly, so that Sarah can use it as a proxy without asking him to turn it on first. He gets the software set up, calls Sarah's cell phone, and provides a URL she can use to surf the Web or post to her blog through his proxy. This is especially convenient, because Sarah can use the proxy from home or from an Internet café, and doesn't have to make any changes to her system.

While Sarah is very grateful for Jim's help, there's a major problem with the arrangement. Jim's computer — which runs Windows — reboots quite often. Whenever it does, his ISP assigns a new IP address to the machine. Each time this happens, the proxy stops working for Sarah. Jim needs to contact Sarah again and tell her the new IP that Circumventor is associated with. This rapidly becomes expensive and frustrating. Sarah also worries that if she uses any one IP address too long, her ISP may succumb to government pressure and start blocking it.

5. Onion Routing

Jim suggests that Sarah experiment with the relatively new onion-routing system Tor, which provides a high degree of anonymity for Web surfing. Onion routing takes the idea of proxy servers — a computer that acts on your behalf — to a new level of complexity. Each request made through an onion routing network goes through two to 20 additional computers, making it hard to trace which computer originated a request.

Each step of the Onion Routing chain is encrypted, making it harder for the government of Sarah's country to trace her posts. Furthermore, each computer in the chain only knows its nearest neighbors. In other words, router B knows that it got a request for a Web page from router A, and that it's supposed to pass the request on to router C. But the request itself is encrypted — router B doesn't actually know what page Sarah is requesting, or what router will finally request the page from the Web server.
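The layering described above, as an added example that is not part of the original guide and is not Tor's code: a toy SHA-256 keystream stands in for a real cipher, each relay's key is assumed to be already shared with Sarah, and the host name, keys and request are constructed samples. Routers A, B and C follow the text.

```python
import hashlib
import json

def keystream_xor(key, data):
    """Toy stream cipher (SHA-256 in counter mode); one call encrypts or decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def wrap(route, keys, destination, request):
    """Sender side: add one encrypted layer per relay, innermost layer first."""
    next_hops = route[1:] + [destination]
    packet = request
    for relay, next_hop in reversed(list(zip(route, next_hops))):
        layer = json.dumps({"next": next_hop, "data": packet.hex()}).encode()
        packet = keystream_xor(keys[relay], layer)
    return packet

def peel(relay_key, packet):
    """Relay side: remove exactly one layer, learning only the next hop."""
    layer = json.loads(keystream_xor(relay_key, packet))
    return layer["next"], bytes.fromhex(layer["data"])

def trace(route, keys, packet, sender, request):
    """Pass the packet along the route and record what each relay can observe."""
    views, previous = [], sender
    for relay in route:
        next_hop, packet = peel(keys[relay], packet)
        views.append({"relay": relay, "from": previous, "to": next_hop,
                      "sees_request": request in packet})
        previous = relay
    return views, packet

# Constructed sample data: relay names follow the text, the rest is made up.
ROUTE = ["A", "B", "C"]
KEYS = {name: hashlib.sha256(b"constructed key " + name.encode()).digest()
        for name in ROUTE}
REQUEST = b"POST /new-entry HTTP/1.1\r\nHost: blog.example\r\n\r\n"

if __name__ == "__main__":
    onion = wrap(ROUTE, KEYS, "blog.example", REQUEST)
    views, delivered = trace(ROUTE, KEYS, onion, "Sarah", REQUEST)
    for view in views:
        print(view)
    print("delivered intact:", delivered == REQUEST)
```

Only router A ever sees Sarah as the sender, and only router C sees the destination. C also removes the last layer, so it can read the request itself unless the request is separately encrypted end to end (for example with HTTPS).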

Given the complexity of the technology, Sarah is pleasantly surprised to discover how easy it is to install Tor. She downloads an installer to install Tor on her system, then downloads and installs Privoxy, a proxy that works with Tor and has the pleasant side benefit of removing most of the ads from the Web pages Sarah views.

After installing the software and restarting her machine, Sarah checks anonymous remailer service Noreply.org and discovers that she is, in fact, successfully "cloaked" by the Tor system — Noreply thinks she's logging on from Harvard University. She reloads, and now Noreply thinks she's in Germany. From this she concludes that Tor is changing her identity from request to request, helping to protect her privacy.

This has some odd consequences. When she uses Google through Tor, it keeps switching languages on her. One search, it's in English — another, Japanese, then German, Danish, and Dutch, all in the course of a few minutes. Sarah welcomes the opportunity to learn some new languages, but she's concerned about some other consequences. Sarah likes to contribute to Wikipedia, but discovers that Wikipedia blocks her attempts to edit articles when she's using Tor.

Tor also seems to have some of the same problems Sarah was having with other proxies. Her surfing slows down quite a bit, as compared to surfing the Web without a proxy — she finds that she ends up using Tor only when she's accessing sensitive content or posting to her blog. And she's once again tied to her home computer, since she can't install Tor on a public machine very easily.

Most worrisome, though, she discovers that Tor sometimes stops working. Evidently, her ISP is starting to block some Tor routers — when Tor tries to use a blocked router, she can wait for minutes at a time, but doesn't get the Web page she's requested.

Which Is the Best Solution?

Is the solution Sarah chose to publish her blog anonymously right for you? Or is some combination of security measures one, two, and three sufficient for your needs? There's no one answer: Any anonymous blogging plan needs to take into account local conditions, your technical competence, and your level of paranoia. If you have reason to be worried that what you're posting could endanger your safety, a combination of the security measures outlined above is probably not a bad idea.

Zuckerman

Additions

HTML Version...

13.02.2009 19:07

Chris


Comments


We welcome debate and... operate no political censorship?

14.02.2009 09:39

Will this be part of the indy guidelines, will indy now be open to saying they do log info at times, how this has compromised some people, a little too late in some circumstances. But welcome. Can it be added to the articles about what has happened over the last weeks?

http://underclassrising.net/
e-mail: http://underclassrising.net/
- Homepage: http://underclassrising.net/


they don't want debate

14.02.2009 22:59

they just want to silence anyone who speaks out about the IP logging.

of course not

