(Or “How I learned to start worrying and love privacy
anonymity”)
Version v1.1.9, August 2023 by Anonymous Planet
This is a message for the people of Ukraine. We strongly recommend that you use Briar for communicating. You can find it here: https://briarproject.org/. With this application, you can communicate even when there is no internet. The manual is here: https://briarproject.org/manual/ (Ukrainian: https://briarproject.org/manual/uk/), quick-start guide here: https://briarproject.org/quick-start/ (Ukrainian: https://briarproject.org/quick-start/uk/)
This guide is a work in progress. It will probably never be “finished”.
No affiliation with the Anonymous [Wikiless] [Archive.org] collective/movement.
There might be some wrong or outdated information in this guide because no one is perfect.
Your experience may vary. Remember to check regularly for an updated version of this guide.
This guide is a non-profit open-source initiative, licensed under Creative Commons Attribution-NonCommercial 4.0 International (cc-by-nc-4.0 [Archive.org]).
For mirrors see Appendix A6: Mirrors
For help in comparing versions see Appendix A7: Comparing versions
Feel free to submit issues (please do report anything wrong) using GitHub Issues at: https://github.com/Anon-Planet/thgtoa/issues
Feel free to come to discuss ideas at:
Rules for our chatrooms: https://anonymousplanet.org/chatrooms-rules.html
Matrix/Element Room: #anonymity:matrix.org
https://matrix.to/#/#anonymity:matrix.org
Matrix Space regrouping several rooms with similar interests:
#privacy-security-anonymity:matrix.org
https://matrix.to/#/#privacy-security-anonymity:matrix.org.
Follow us on:
Twitter at https://twitter.com/AnonyPla
Mastodon at https://mastodon.social/@anonymousplanet
To contact me, see the updated information on the website or send an e-mail to contact@anonymousplanet.org
Please consider donating if you enjoy the project and want to support the hosting fees or support the funding of initiatives like the hosting of Tor Exit Nodes.
There are several ways you could read this guide:
You want to understand the current state of online privacy and anonymity but not necessarily get too technical about it: Just read the Introduction, Requirements, Understanding some basics of how some information can lead back to you and how to mitigate those and A final editorial note sections.
You want to do the above but also learn how to remove some online information about you: Just read the above and add the Removing some traces of your identities on search engines and various platforms.
You want to do the above and create anonymous online identities safely and securely: Read the whole guide.
Precautions while reading this guide and accessing the various links:
Documents/Files have a [Archive.org] link next to them for accessing content through Archive.org for increased privacy and in case the content goes missing. Some links are not yet archived or outdated on archive.org in which case we encourage you to ask for a new save if possible.
YouTube Videos have a [Invidious] link next to them for accessing content through an Invidious Instance (in this case yewtu.be hosted in the Netherlands) for increased privacy. It is recommended to use these links when possible. See https://github.com/iv-org/invidious [Archive.org] for more information.
Twitter links have a [Nitter] link next to them for accessing content through a Nitter Instance (in this case nitter.net) for increased privacy. It is recommended to use these links when possible. See https://github.com/zedeus/nitter [Archive.org] for more information.
Wikipedia links have a [Wikiless] link next to them for accessing content through a Wikiless Instance (in this case Wikiless.org) for increased privacy. It is recommended to use these links when possible. See https://codeberg.org/orenom/wikiless [Archive.org] for more information.
Medium links have [Scribe.rip] link next to them for accessing content through a Scribe.rip Instance for increased privacy. Again, it is recommended to use these links when possible. See https://scribe.rip/ [Archive.org] for more information.
If you are reading this in PDF or ODT format, you will notice plenty of ``` in place of double quotes (““). These ``` are there to ease conversion into Markdown/HTML format for online viewing of code blocks on the website.
If you do not want the hassle and use one of the browsers below, you could also just install the following extension on your browser: https://libredirect.github.io/ [Archive.org]:
Firefox: https://addons.mozilla.org/en-US/firefox/addon/libredirect/
Chromium-based browsers (Chrome, Brave, Edge): https://github.com/libredirect/libredirect/blob/master/chromium.md
If you are having trouble accessing any of the many academic articles referenced in this guide due to paywalls, feel free to use Sci-Hub (https://en.wikipedia.org/wiki/Sci-Hub [Wikiless] [Archive.org]) or LibGen (https://en.wikipedia.org/wiki/Library_Genesis [Wikiless] [Archive.org]) for finding and reading them. Because Science should be free. All of it. If you are faced with a paywall accessing some resources, consider using https://12ft.io/.
Finally note that this guide does mention and even recommends various commercial services (such as VPNs, CDNs, e-mail providers, hosting providers…) but is not endorsed or sponsored by any of them in any way. There are no referral links and no commercial ties with any of these providers. This project is 100% non-profit and only relying on donations.
Understanding of the English language (in this case American English).
Be a permanent resident in Germany where the courts have upheld the legality of not using real names on online platforms (§13 VI of the German Telemedia Act of 2007 [1][2]). Alternatively, be a resident of any other country where you can confirm and verify the legality of this guide yourself.
This guide will assume you already have access to some (Windows/Linux/macOS) laptop computer - ideally not a work/shared device - and a basic understanding of how computers work.
Have patience, as this process could take several weeks to complete if you want to go through all the content.
Have some free time on your hands to dedicate to this process (depending on which route you pick).
Be prepared to read a lot of references (do read them), guides (do not skip them), and tutorials thoroughly (do not skip them either).
Don’t be evil (for real this time)3.
Understand that there is no common path that will be both quick and easy.
This guide is not intended for:
Creating bot accounts of any kind.
Creating impersonation accounts of existing people (such as identity theft).
Helping malicious actors conduct unethical, criminal, or illicit activities (such as trolling, stalking, disinformation, misinformation, harassment, bullying, or fraud).
Use by minors.
TLDR for the whole guide: “A strange game. The only winning move is not to play” 4.
Making a social media account with a pseudonym or artist/brand name is easy. And it is enough in most use cases to protect your identity as the next George Orwell. There are plenty of people using pseudonyms all over Facebook/Instagram/Twitter/LinkedIn/TikTok/Snapchat/Reddit/… But the vast majority of those are anything but anonymous and can easily be traced to their real identity by your local police officers, random people within the OSINT5 (Open-Source Intelligence) community, and trolls6 on 4chan7.
This is a good thing as most criminals/trolls are not tech-savvy and will usually be identified with ease. But this is also a terrible thing as most political dissidents, human rights activists and whistleblowers can also be tracked rather easily.
This guide aims to provide an introduction to various de-anonymization techniques, tracking techniques, ID verification techniques, and optional guidance on safely creating and maintaining reasonably and truly anonymous online identities, including social media accounts. This includes mainstream platforms and not only the privacy-friendly ones.
It is important to understand that the purpose of this guide is anonymity and not just privacy but much of the guidance you will find here will also help you improve your privacy and security even if you are not interested in anonymity. There is an important overlap in techniques and tools used for privacy, security, and anonymity but they differ at some point:
Privacy is about people knowing who you are but not knowing what you are doing.
Anonymity is about people knowing what you are doing but not knowing who you are 8.
(Illustration from9)
Will this guide help you protect yourself from the NSA, the FSB, Mark Zuckerberg, or the Mossad if they are out to find you? Probably not … Mossad will be doing “Mossad things” 10 and will probably find you no matter how hard you try to hide11.
You must consider your threat model12 before going further.
(Illustration by Randall Munroe, xkcd.com, licensed under CC BY-NC 2.5)
Will this guide help you protect your privacy from OSINT researchers like Bellingcat13, Doxing14 trolls on 4chan15, and others that have no access to the NSA toolbox? More likely. Tho we would not be so sure about 4chan.
Here is a basic simplified threat model for this guide:
(Note that the “magical amulets/submarine/fake your own death” jokes are quoted from the excellent article “This World of Ours” by James Mickens, 2014.16)
Disclaimer: Jokes aside (magical amulet…). Of course, there are also advanced ways to mitigate attacks against such advanced and skilled adversaries but those are just out of the scope of this guide. It is crucially important that you understand the limits of the threat model of this guide. And therefore, this guide will not double in size to help with those advanced mitigations as this is just too complex and will require an exceedingly high knowledge and skill level that is not expected from the targeted audience of this guide.
The EFF provides a few security scenarios of what you should consider depending on your activity. While some of those tips might not be within the scope of this guide (more about Privacy than Anonymity), they are still worth reading as examples. See https://ssd.eff.org/en/module-categories/security-scenarios [Archive.org].
If you want to go deeper into threat modeling, see Appendix B3: Threat modeling resources.
You might think this guide has no legitimate use but there are many [17][18][19][20][21][22][23] such as:
Evading Online Censorship24
Evading Online Oppression
Evading Online Stalking, Doxxing, and Harassment
Evading Online Unlawful Government Surveillance
Anonymous Online Whistle Blowing
Anonymous Online Activism
Anonymous Online Journalism
Anonymous Online Legal Practice
Anonymous Online Academic Activities (For instance accessing scientific research where such resources are blocked). See note below.
…
This guide is written with hope for those well-intentioned individuals who might not be knowledgeable enough to consider the big picture of online anonymity and privacy.
Lastly, use it at your own risk. Anything in here is not legal advice and you should verify compliance with your local law before use (IANAL25). “Trust but verify”26 all the information yourself (or even better, “Never Trust, always verify”27). We strongly encourage you to inform yourself and do not hesitate to check any information in this guide with outside sources in case of doubt. Please do report any mistake you spot to us as we welcome criticism. Even harsh but sound criticism is welcome and will result in having the necessary corrections made as quickly as possible.
There are many ways you can be tracked besides browser cookies and ads, your e-mail, and your phone number. And if you think only the Mossad or the NSA/FSB can find you, you would be wrong.
First, you could also consider these more general resources on privacy and security to learn more basics:
The New Oil*: https://thenewoil.org/ [Archive.org]
Techlore videos*: https://www.youtube.com/c/Techlore [Invidious]
Privacy Guides: https://privacyguides.org/ [Archive.org]
Privacy Tools*: https://privacytools.io [Archive.org]
Note that these websites could contain affiliate/sponsored content and/or merchandising. This guide does not endorse and is not sponsored by any commercial entity in any way.
If you skipped those, you should really still consider viewing this YouTube playlist from the Techlore Go Incognito project (https://github.com/techlore-official/go-incognito [Archive.org]) as an introduction before going further: https://www.youtube.com/playlist?list=PL3KeV6Ui_4CayDGHw64OFXEPHgXLkrtJO [Invidious]. This guide will cover many of the topics in the videos of this playlist with more details and references as well as some added topics not covered within that series. This will just take you 2 or 3 hours to watch it all.
Now, here is a non-exhaustive list of some of the many ways you could be tracked and de-anonymized:
Disclaimer: this whole paragraph is about your public-facing Internet IP and not your local network IP.
Your IP address28 is the most known and obvious way you can be tracked. That IP is the IP you are using at the source. This is where you connect to the internet. That IP is usually provided by your ISP (Internet Service Provider) (xDSL, Mobile, Cable, Fiber, Cafe, Bar, Friend, Neighbor). Most countries have data retention regulations29 that mandate keeping logs of who is using what IP at a certain time/date for up to several years or indefinitely. Your ISP can tell a third party that you were using a specific IP at a specific date and time, years after the fact. If that IP (the original one) leaks at any point for any reason, it can be used to track you down directly. In many countries, you will not be able to have internet access without providing some form of identification to the provider (address, ID, real name, e-mail …).
Needless to say, most platforms (such as social networks) will also keep (sometimes indefinitely) the IP addresses you used to sign up and sign in to their services.
Here are some online resources you can use to find some information about your current public IP right now:
Find your IP:
https://www.dnsleaktest.com/ (Bonus, check your IP for DNS leaks)
Find your IP location or the location of any IP:
Find if an IP is “suspicious” (in blacklists) or has downloaded “things” on some public resources:
https://iknowwhatyoudownload.com (Take this with a grain of salt, it might not show anything interesting and has limited data sources. This is more for fun than anything serious.)
Registration information of an IP (most likely your ISP or the ISP of your connection who most likely know who is using that IP at any time):
Check for open-services or open devices on an IP (especially if there are leaky Smart Devices on it):
Various tools to check your IP such as block-lists checkers and more:
Would you like to know if you are connected through Tor?
For those reasons, you will need to obfuscate that origin IP (the one tied to your identification) or hide it through a combination of various means:
Using a public Wi-Fi service (free).
Using the Tor Anonymity Network30 (free).
Using VPN31 services anonymously (anonymously paid with cash or Monero).
Do note that, unfortunately, these solutions are not perfect, and you will experience performance issues32.
All those will be explained later in this guide.
DNS stands for “Domain Name System”33 and is a service used by your browser (and other apps) to find the IP addresses of a service. It is a huge “contact list” (phone book for older people): you ask it for a name and it returns the number to call, except that it returns an IP instead.
Every time your browser wants to access a certain service such as Google through www.google.com, your browser (Chrome or Firefox) will query a DNS service to find the IP addresses of the Google web servers.
Here is a video explaining DNS visually if you are already lost: https://www.youtube.com/watch?v=vrxwXXytEuI [Invidious]
Usually, the DNS service is provided by your ISP and automatically configured by the network you are connecting to. This DNS service could also be subject to data retention regulations or will just keep logs for other reasons (data collection for advertising purposes for instance). Therefore, this ISP will be capable of telling everything you did online just by looking at those logs which can, in turn, be provided to an adversary. Conveniently this is also the easiest way for many adversaries to apply censoring or parental control by using DNS blocking34. The provided DNS servers will give you a different address (than their real one) for some websites (like redirecting thepiratebay.org to some government website). Such blocking is widely applied worldwide for certain sites35.
Using a private DNS service or your own DNS service would mitigate these issues, but the other problem is that most of those DNS requests are by default still sent in clear text (unencrypted) over the network. Even if you browse PornHub in an incognito Window, using HTTPS and using a private DNS service, chances are exceedingly high that your browser will send a clear text unencrypted DNS request to some DNS servers asking basically “So what’s the IP address of www.pornhub.com?”.
Because it is not encrypted, your ISP and/or any other adversary could still intercept your request (using a Man-in-the-middle attack36) and will know and possibly log what your IP was looking for. The same ISP can also tamper with the DNS responses even if you are using a private DNS, rendering the use of a private DNS service useless.
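The cleartext lookup described above, as an added example (not code from this guide): it builds a standard RFC 1035 query and then recovers the queried name from the raw bytes, the way any device on the path could. The host name www.example.org and the function names are assumptions chosen for illustration.

```python
import struct


def build_query(name, qtype=1, txid=0x1234):
    """Build the DNS query a stub resolver sends over UDP/53 (RFC 1035)."""
    # Header: id, flags (recursion desired), 1 question, 0 other records.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").encode("ascii").split(b"."):
        if not 0 < len(label) <= 63:
            raise ValueError("each label must be 1 to 63 bytes long")
        qname += bytes([len(label)]) + label  # length-prefixed label
    qname += b"\x00"  # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, class IN


def observed_names(packet):
    """Return the names asked for in a raw DNS query, with no key needed."""
    if len(packet) < 12:
        raise ValueError("shorter than a DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    offset, names = 12, []
    for _ in range(qdcount):
        labels = []
        while True:
            if offset >= len(packet):
                raise ValueError("truncated question section")
            length = packet[offset]
            offset += 1
            if length == 0:
                break
            if length & 0xC0:
                raise ValueError("compression pointer not expected in a query")
            labels.append(packet[offset:offset + length].decode("ascii", "replace"))
            offset += length
        if offset + 4 > len(packet):
            raise ValueError("missing QTYPE/QCLASS")
        offset += 4  # skip QTYPE and QCLASS
        names.append(".".join(labels))
    return names


if __name__ == "__main__":
    wire = build_query("www.example.org")  # constructed sample name
    print(wire.hex())
    print(observed_names(wire))
```

Nothing in the packet is encrypted or authenticated, which is why the same bytes can be both logged and rewritten in transit.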
As a bonus, many devices and apps will use hardcoded DNS servers bypassing any system setting you could set. This is for example the case with most (70%) Smart TVs and a large part (46%) of Game Consoles37. For these devices, you will have to force them38 to stop using their hardcoded DNS service which could make them stop working properly.
A solution to this is to use encrypted DNS using DoH (DNS over HTTPS39), DoT (DNS over TLS40) with a private DNS server (this can be self-hosted locally with a solution like pi-hole41, remotely hosted with a solution like nextdns.io or using the solutions provided by your VPN provider or the Tor network). This should prevent your ISP or some go-between from snooping on your requests … except it might not.
Small in-between Disclaimer: This guide does not necessarily endorse or recommend Cloudflare services even if it is mentioned several times in this section for technical understanding.
Unfortunately, the TLS protocol used in most HTTPS connections in most Browsers (Chrome/Brave among them) will leak the Domain Name again through SNI42 handshakes (this can be checked here at Cloudflare: https://www.cloudflare.com/ssl/encrypted-sni/ [Archive.org]). As of the writing of this guide, only Firefox-based browsers support ECH (Encrypted Client Hello43 previously known as eSNI44) on some websites which will encrypt everything end to end (in addition to using a secure private DNS over TLS/HTTPS) and will allow you to hide your DNS requests from a third party45. And this option is not enabled by default either so you will have to enable it yourself.
In addition to limited browser support, only web Services and CDNs46 behind Cloudflare CDN support ECH/eSNI at this stage47. This means that ECH and eSNI are not supported (as of the writing of this guide) by most mainstream platforms such as:
Amazon (including AWS, Twitch…)
Microsoft (including Azure, OneDrive, Outlook, Office 365…)
Google (including Gmail, Google Cloud…)
Apple (including iCloud, iMessage…)
YouTube
GitHub
…
Some countries like Russia48 and China49 might (unverified despite the articles) block ECH/eSNI handshakes at the network level to allow snooping and prevent bypassing censorship. Meaning you will not be able to establish an HTTPS connection with a service if you do not allow them to see what it was.
The issues do not end here. Part of the HTTPS TLS validation is called OCSP50 and this protocol used by Firefox-based browsers will leak metadata in the form of the serial number of the certificate of the website you are visiting. An adversary can then easily find which website you are visiting by matching the certificate number51. This issue can be mitigated by using OCSP stapling52. Unfortunately, this is enabled but not enforced by default in Firefox/Tor Browser. But the website you are visiting must also be supporting it and not all do. Chromium-based browsers on the other hand use a different system called CRLSets53’54 which is arguably better.
Here is a list of how various browsers behave with OCSP: https://www.ssl.com/blogs/how-do-browsers-handle-revoked-ssl-tls-certificates/ [Archive.org]
Here is an illustration of the issue you could encounter on Firefox-based browsers: