The Hitchhiker's Guide to Online Anonymity

The Hitchhiker’s Guide to Online Anonymity

(Or “How I learned to start worrying and love privacy anonymity”)

Version v1.1.9, August 2023 by Anonymous Planet


Це послання до народу України. Ми настійно рекомендуємо вам використовувати Briar для спілкування. Ви можете знайти його тут: < . За допомогою цієї програми ви можете спілкуватися, навіть коли немає Інтернету. Посібник тут:, Швидкий початок:

This is a message for the people of Ukraine. We strongly recommend that you use Briar for communicating. You can find it here: With this application, you can communicate even when there is no internet. The manual is here:, quick-start guide here:

This guide is a work in progress. It will probably never be “finished”.

No affiliation with the Anonymous [Wikiless] [] collective/movement.

There might be some wrong or outdated information in this guide because no one is perfect.

Your experience may vary. Remember to check regularly for an updated version of this guide.

This guide is a non-profit open-source initiative, licensed under Creative Commons Attribution-NonCommercial 4.0 International (cc-by-nc-4.0 []).

Feel free to submit issues (please do report anything wrong) using GitHub Issues at:

Feel free to come to discuss ideas at:

Follow us on:

To contact me, see the updated information on the website or send an e-mail to

Please consider donating if you enjoy the project and want to support the hosting fees or support the funding of initiatives like the hosting of Tor Exit Nodes.

There are several ways you could read this guide:

Precautions while reading this guide and accessing the various links:

If you do not want the hassle and use one of the browsers below, you could also just install the following extension on your browser: []:

If you are having trouble accessing any of the many academic articles referenced in this guide due to paywalls, feel free to use Sci-Hub ( [Wikiless] []) or LibGen ( [Wikiless] []) for finding and reading them. Because Science should be free. All of it. If you are faced with a paywall accessing some resources, consider using

Finally note that this guide does mention and even recommends various commercial services (such as VPNs, CDNs, e-mail providers, hosting providers…) but is not endorsed or sponsored by any of them in any way. There are no referral links and no commercial ties with any of these providers. This project is 100% non-profit and only relying on donations.


Pre-requisites and limitations:



This guide is not intended for:


TLDR for the whole guide: “A strange game. The only winning move is not to play” 4.

Making a social media account with a pseudonym or artist/brand name is easy. And it is enough in most use cases to protect your identity as the next George Orwell. There are plenty of people using pseudonyms all over Facebook/Instagram/Twitter/LinkedIn/TikTok/Snapchat/Reddit/… But the vast majority of those are anything but anonymous and can easily be traced to their real identity by your local police officers, random people within the OSINT5 (Open-Source Intelligence) community, and trolls6 on 4chan7.

This is a good thing as most criminals/trolls are not tech-savvy and will usually be identified with ease. But this is also a terrible thing as most political dissidents, human rights activists and whistleblowers can also be tracked rather easily.

This guide aims to provide an introduction to various de-anonymization techniques, tracking techniques, ID verification techniques, and optional guidance to creating and maintaining reasonably and truly online anonymous identities including social media accounts safely. This includes mainstream platforms and not only the privacy-friendly ones.

It is important to understand that the purpose of this guide is anonymity and not just privacy but much of the guidance you will find here will also help you improve your privacy and security even if you are not interested in anonymity. There is an important overlap in techniques and tools used for privacy, security, and anonymity but they differ at some point:


(Illustration from9)

Will this guide help you protect yourself from the NSA, the FSB, Mark Zuckerberg, or the Mossad if they are out to find you? Probably not … Mossad will be doing “Mossad things” 10 and will probably find you no matter how hard you try to hide11.

You must consider your threat model12 before going further.


(Illustration by Randall Munroe,, licensed under CC BY-NC 2.5)

Will this guide help you protect your privacy from OSINT researchers like Bellingcat13, Doxing14 trolls on 4chan15, and others that have no access to the NSA toolbox? More likely. Tho we would not be so sure about 4chan.

Here is a basic simplified threat model for this guide:


(Note that the “magical amulets/submarine/fake your own death” jokes are quoted from the excellent article “This World of Ours” by James Mickens, 2014.16)

Disclaimer: Jokes aside (magical amulet…). Of course, there are also advanced ways to mitigate attacks against such advanced and skilled adversaries but those are just out of the scope of this guide. It is crucially important that you understand the limits of the threat model of this guide. And therefore, this guide will not double in size to help with those advanced mitigations as this is just too complex and will require an exceedingly high knowledge and skill level that is not expected from the targeted audience of this guide.

The EFF provides a few security scenarios of what you should consider depending on your activity. While some of those tips might not be within the scope of this guide (more about Privacy than Anonymity), they are still worth reading as examples. See [].

If you want to go deeper into threat modeling, see Appendix B3: Threat modeling resources.

You might think this guide has no legitimate use but there are many17181920212223 such as:

This guide is written with hope for those good-intended individuals who might not be knowledgeable enough to consider the big picture of online anonymity and privacy.

Lastly, use it at your own risk. Anything in here is not legal advice and you should verify compliance with your local law before use (IANAL25). “Trust but verify”26 all the information yourself (or even better, “Never Trust, always verify”27). We strongly encourage you to inform yourself and do not hesitate to check any information in this guide with outside sources in case of doubt. Please do report any mistake you spot to us as we welcome criticism. Even harsh but sound criticism is welcome and will result in having the necessary corrections made as quickly as possible.

Understanding some basics of how some information can lead back to you and how to mitigate some:

There are many ways you can be tracked besides browser cookies and ads, your e-mail, and your phone number. And if you think only the Mossad or the NSA/FSB can find you, you would be wrong.

First, you could also consider these more general resources on privacy and security to learn more basics:

Note that these websites could contain affiliate/sponsored content and/or merchandising. This guide does not endorse and is not sponsored by any commercial entity in any way.

If you skipped those, you should really still consider viewing this YouTube playlist from the Techlore Go Incognito project ( []) as an introduction before going further: [Invidious]. This guide will cover many of the topics in the videos of this playlist with more details and references as well as some added topics not covered within that series. This will just take you 2 or 3 hours to watch it all.

Now, here is a non-exhaustive list of some of the many ways you could be tracked and de-anonymized:

Your Network:

Your IP address:

Disclaimer: this whole paragraph is about your public-facing Internet IP and not your local network IP.

Your IP address28 is the most known and obvious way you can be tracked. That IP is the IP you are using at the source. This is where you connect to the internet. That IP is usually provided by your ISP (Internet Service Provider) (xDSL, Mobile, Cable, Fiber, Cafe, Bar, Friend, Neighbor). Most countries have data retention regulations29 that mandate keeping logs of who is using what IP at a certain time/date for up to several years or indefinitely. Your ISP can tell a third party that you were using a specific IP at a specific date and time, years after the fact. If that IP (the original one) leaks at any point for any reason, it can be used to track down you directly. In many countries, you will not be able to have internet access without providing some form of identification to the provider (address, ID, real name, e-mail …).

Needless to say, that most platforms (such as social networks) will also keep (sometimes indefinitely) the IP addresses you used to sign-up and sign into their services.

Here are some online resources you can use to find some information about your current public IP right now:

For those reasons, you will need to obfuscate and hide that origin IP (the one tied to your identification) or hide it through a combination of various means:

Do note that, unfortunately, these solutions are not perfect, and you will experience performance issues32.

All those will be explained later in this guide.

Your DNS and IP requests:

DNS stands for “Domain Name System”33 and is a service used by your browser (and other apps) to find the IP addresses of a service. It is a huge “contact list” (phone book for older people) that works like asking it a name and it returns the number to call. Except it returns an IP instead.

Every time your browser wants to access a certain service such as Google through Your Browser (Chrome or Firefox) will query a DNS service to find the IP addresses of the Google web servers.

Here is a video explaining DNS visually if you are already lost: [Invidious]

Usually, the DNS service is provided by your ISP and automatically configured by the network you are connecting to. This DNS service could also be subject to data retention regulations or will just keep logs for other reasons (data collection for advertising purposes for instance). Therefore, this ISP will be capable of telling everything you did online just by looking at those logs which can, in turn, be provided to an adversary. Conveniently this is also the easiest way for many adversaries to apply censoring or parental control by using DNS blocking34. The provided DNS servers will give you a different address (than their real one) for some websites (like redirecting to some government website). Such blocking is widely applied worldwide for certain sites35.

Using a private DNS service or your own DNS service would mitigate these issues, but the other problem is that most of those DNS requests are by default still sent in clear text (unencrypted) over the network. Even if you browse PornHub in an incognito Window, using HTTPS and using a private DNS service, chances are exceedingly high that your browser will send a clear text unencrypted DNS request to some DNS servers asking basically “So what’s the IP address of”.

Because it is not encrypted, your ISP and/or any other adversary could still intercept (using a Man-in-the-middle attack36) your request will know and possibly log what your IP was looking for. The same ISP can also tamper with the DNS responses even if you are using a private DNS. Rendering the use of a private DNS service useless.

As a bonus, many devices and apps will use hardcoded DNS servers bypassing any system setting you could set. This is for example the case with most (70%) Smart TVs and a large part (46%) of Game Consoles37. For these devices, you will have to force them38 to stop using their hardcoded DNS service which could make them stop working properly.

A solution to this is to use encrypted DNS using DoH (DNS over HTTPS39), DoT (DNS over TLS40) with a private DNS server (this can be self-hosted locally with a solution like pi-hole41, remotely hosted with a solution like or using the solutions provided by your VPN provider or the Tor network). This should prevent your ISP or some go-between from snooping on your requests … except it might not.

Small in-between Disclaimer: This guide does not necessarily endorse or recommend Cloudflare services even if it is mentioned several times in this section for technical understanding.

Unfortunately, the TLS protocol used in most HTTPS connections in most Browsers (Chrome/Brave among them) will leak the Domain Name again through SNI42 handshakes (this can be checked here at Cloudflare: [] ). As of the writing of this guide, only Firefox-based browsers supports ECH (Encrypted Client Hello43 previously known as eSNI44) on some websites which will encrypt everything end to end (in addition to using a secure private DNS over TLS/HTTPS) and will allow you to hide your DNS requests from a third party45. And this option is not enabled by default either so you will have to enable it yourself.

In addition to limited browser support, only web Services and CDNs46 behind Cloudflare CDN support ECH/eSNI at this stage47. This means that ECH and eSNI are not supported (as of the writing of this guide) by most mainstream platforms such as:

Some countries like Russia48 and China49 might (unverified despite the articles) block ECH/eSNI handshakes at the network level to allow snooping and prevent bypassing censorship. Meaning you will not be able to establish an HTTPS connection with a service if you do not allow them to see what it was.

The issues do not end here. Part of the HTTPS TLS validation is called OCSP50 and this protocol used by Firefox-based browsers will leak metadata in the form of the serial number of the certificate of the website you are visiting. An adversary can then easily find which website you are visiting by matching the certificate number51. This issue can be mitigated by using OCSP stapling52. Unfortunately, this is enabled but not enforced by default in Firefox/Tor Browser. But the website you are visiting must also be supporting it and not all do. Chromium-based browsers on the other hand use a different system called CRLSets5354 which is arguably better.

Here is a list of how various browsers behave with OCSP: []

Here is an illustration of the issue you could encounter on Firefox-based browsers: