How to (actually) be anonymous online

We’ve all heard the myth furthered by most VPN companies that all you need to be 100% anonymous online is a VPN. That is simply not true. Being truly anonymous online is nearly impossible unless you take extreme measures.

That being said, since the Internet is inherently a platform built for people, and you’re going to be interacting with people, so you cannot be truly faceless. Each time you create an account on some service you create an identity, usually it’s the one that’s linked to you (through a name, email phone number, etc). However in this case we want to create a whole new identity (or a set of them rather) which are completely disconnected from your own. I’ll refer to these identities as an alter-ego for the purposes of this article.

For most people, some of the steps below will be massive overkill and will be a major hindrance on day to day online activity, especially in existing social contexts. By illustrating the daunting requirements for online anonymity, I hope to shed light on the grim reality that you have no anonymity online, and how little you’re probably doing to achieve it.


Section 1: Prerequisites — Hardware

Computer

To use the Internet you will obviously need a computer. You may use your existing one (provided you install the recommended software below), but its a much better idea to get a dedicated machine that you would be using for all your alter-ego activities. If you don’t care about performance, a cheap $300 netbook may do just fine, however if you plan to be using it a lot, it’s recommended you get something with at least 8GB of RAM, 128GB SSD and a decent CPU (Modern Core i3 or better). Make sure you pay cash for the machine.

Phone

Many online services require phone verification in order to get an account, while others may require it for 2 factor authentication, which is always a good idea. While there are many websites that allow you to receive SMS, they are typically used by thousands of people and you will have a hard time finding one that will work with popular services, so it’s best to get your own. You can get a cheap pre-paid phone, put $100 on it, which should last you almost a year. You will buy it with cash. Many providers will allow you to pick a number and area code, so be sure to pick one that’s different from the state/province that you are in.


Section 2: Prerequisites — Software

Veracrypt

Veracrypt is a full disk encryption software which is the de facto successor to TrueCrypt (which ceased development in 2014 under very suspicious circumstances). Like TrueCrypt, Veracrypt is open source, and has been recently audited so it’s your best bet.

VirtualBox

VirtualBox allows you to run a different operating system inside a virtual machine.

TOR/VPN

You will need a way to hide your ISP assigned IP address. The free option, TOR, is open source and is actively maintained by hundreds of developers world wide. However, TOR usage is easily detected so you may have a hard time accessing some services and the speeds are going to be less than stellar.

Alternatively, you can invest a few dollars per month into a privacy conscious VPN provider. TorrentFreak keeps an excellent list of these providers, which is updated every year. Things to look out for include lack of logs, built in firewall, acceptance of Bitcoin and a proven history of not turning over subscriber data when asked for it. HideMyAss for example is a popular provider, however you may want to stay away from it, even if you don’t plan on having your data being subpoenaed by the FBI.


Section 2: Setup

Step 1 — Setup your computer

OS Encryption

This is the first step is also your last line of defense in a worst case scenario. Use VeraCrypt to encrypt your OS. For the extra paranoid, you can also setup a hidden operating system where you essentially have 2 completely separate operating systems, depending on which password you enter during the decryption process, and its nearly impossible to prove the existence of the other.

Virtual Machine

Whether you’re using your existing computer, or a dedicated device, I strongly recommend running a VM (virtual machine) on it, and restricting your alter-ego activities to it. This has the extra benefit of containing most malware inside the VM itself, which could also deanonymize you if you’re sharing the same OS for your regular and alter-ego activities. Think of it as a quarantine zone, and everything inside has space AIDs. You don’t want anything going in it (personal information), and more importantly out of it.

Never use this VM to access any of your existing accounts including but not limited to your bank, Gmail, Twitter, Facebook, Yahoo, Instagram, Pornhub, your local church’s message board, etc.

Don’t open the browser inside the VM until you get a VPN, as you run the risk of getting fingerprinted and tracked while on your ISP IP address.

Step 2 — Get some Bitcoin

Contrary to popular belief, Bitcoin is not anonymous. All transactions and wallet (account) balances are public information. Bitcoin does hide the identity of the wallet holder. Unfortunately, simply spending the Bitcoins on products/services in your name nullifies this. You can watch a video on this subject here.

There are many exchanges online where you can buy Bitcoin, all of which will require personal identification, which sometimes goes above and beyond what you need to provide to trade on the stock market. You have plenty of opportunity to expose yourself as you use Bitcoin, so at the very least try not to do that at the very beginning.

The best thing to do is buy Bitcoin with cash. You can use LocalBitcoins for this purpose. Alternatively you could use a Bitcoin ATM if one is available in your city. Keep in mind some of them require extreme measures like providing your ID, palm scanning, DNA samples and first born child sacrifice in order to use them. Only use the ones that don’t require any of these things, unless you hate your kids.

You will also need a wallet. I’m not talking about getting another highly fashionable Bacon Wallet you may be carrying around already, but a Bitcoin wallet, which is unfortunately not bacon flavored.

When it comes to storing your Bitcoins you have 3 options: online wallet, computer wallet and cold storage. We’ll ignore cold storage for the purposes of this article.

There are many online wallets being provided by various companies, but they suffer from the same issues mentioned above (need to provide private information). I personally like having the wallet on my computer since I’m the only one truly in possession of my Bitcoins, and I don’t have to rely on any 3rd party which has my private information or is constantly at a risk of getting robbed. Here is a good list of wallets you could use. Make sure you’re looking at the “Desktop” category. The downside to using these is that if your hard-drive crashes, and you made no backups, all your money is gone.

Step 3 — Get a VPN

Now that you got your computing environment setup, and acquired Bitcoins, it’s time to get a good VPN for situations where TOR is blocked, or you must change your IP to a specific country in order to access a service.

Fire up your TOR Browser, and head over to your favorite VPN provider’s website. Most will ask you for an email, you can use a disposable email provider for this purpose. Some providers don’t even ask you for an email, which is a good sign of their commitment to privacy.

Firewall

Make sure the provider you choose has a proper firewall built into the client, not just a “kill switch”, which is basically snake oil, since it’s a reactive measure that simply shuts off the processes of your choice if the VPN connection drops. Between the connection dropping, and your browser being forcibly closed by the app, there is no guarantee that packets will not leak, not to mention all the other applications running on your computer, including the OS itself, which make random requests to random servers at random times. With a kill switch you won’t be able to protect yourself from leaks.

A firewall on the other hand is a proactive measure, which if properly implemented, fails closed, meaning all activity outside of the tunnel is firewalled at all times, by default, so if your connection drops, there is nothing for the application to do, and you can guarantee that not a single packet will leak revealing your ISP assigned IP address to the outside world. Windscribe, IVPN and AirVPN all have excellent firewalls which use Windows Filtering Platform and pf to block all activity outside of the tunnel.

Those who don’t trust the application level firewall, can setup Whonix, which uses a separate VM which functions as a router for the VM where your activity takes place. If connectivity drops for any reason, packets cannot go out to the Internet.

Protocols

Of the 3 commonly used protocols, I strongly encourage using the open source OpenVPN protocol. PPTP is entirely broken and unsafe to use, and IPSec/L2TP is easily detected and arguably already exploited by the NSA.

Now that you chose your VPN provider, pay for the account with Bitcoin and connect to a server of your choosing.

Step 4 — Setup your browser

Unless you plan to use TOR exclusively, you will need another browser that you will use in conjunction with the VPN you just got.

I don’t recommend using Google Chrome or Firefox, as they have tracking built in. I recommend getting the latest stable version of Chromium (what Chrome is based on), with no Sync or WebRTC support. Alternatively you can use Palemoon, but the extension support is very limited.

Then install the following browser extensions:

Step 5 — Get a password manager

Weak and reused passwords are usually the number one cause of accounts getting hijacked, and a compromised account on any 3rd party service may assist an adversary in deanonymizing you. You can’t prevent or foresee security issues which may exist in the service itself, but at least you can do your part by generating strong and unique passwords for all the services you use. There are many password managers out there, LastPass, KeePass and Dashlane are just some of them.


Section 3: Op-sec (Operational Security)

This is probably the hardest part. Its easy to frak up, and once you do, there is not much you can do to undo the damage. Here are some guidelines, the list is by no means exhaustive and is meant to get you to think about your online activities in a critical way.

  1. Don’t use the same usernames, or nick names as you normally would. If you go by xxSexyBoi69xx, guess what, that stops now, not just because it’s permanently attached to your real identity, but because its stupid and shame on you. Use a unique username, name, etc for every service you use. If you’re super unimaginative, there is FakeNameGenerator that will do all the work for you.
  2. Don’t reuse passwords, use a password manager that will generate strong and unique passwords for every service you may want to use.
  3. Never make a direct connection between your alter ego and your real identity. This includes sending emails to and from yourself, mentioning yourself as the alter-ego and vise versa, etc. Just pretend that your true identity does not exist.
  4. Never leave your unlocked computer unattended unless you live alone in a locked bunker. Other members of your household, friends, hamsters, are not aware of your split personality aspirations, and its best for it’s to remain that way since they may (unknowingly or maliciously) undo all the work you just did.
  5. Use your head. Critically analyze the implications of your actions from the perspective of your imaginary (or not so imaginary) adversary. If you were in their shoes, how would you use JohnDoe125’s Pinterest account that posts geo-tagged photos of a cat that belongs to your girlfriend in order to unmask you?

Section 4: Use Cases

Accessing Content

Contrary to popular belief, the Internet was not made to share cat pictures. It’s a research tool that allows anyone to have nearly infinite access to the sum of all human knowledge. Unfortunately, political climate drastically impacts and inadvertently censors some topics, even in the so called “free world.” Being truly anonymous frees you to use the Internet as it was meant to be used.

Paying for things

Some places online only accept credit cards, and if you choose to sign up to these services using your credit card, you’re essentially throwing away your anonymity. Fortunately, you can get a disposable credit card and fund them with Bitcoin in order to make purchases. You can use services like Cryptopay, Wirex and countless others to issue you a virtual credit card which you can use online. You can even get a physical card, however that requires you to provide identification. Stick with the virtual card, which has a lifetime limit of ~$2000, and it’s simple to generate new ones.

Communicating

Forget Gmail, Skype and Facebook Messenger. These centralized, non-encrypted communication tools owned by the Internet giants are not your friends. They exist for a single reason: to collect as much data on you as possible. Meet your new friends:

Email

  • Tutanota — End-to-End encrypted email provider out of Germany
  • Protonmail — End-to-End encrypted email provider out of Switzerland
  • Lavabit — Snowden’s infamous email provider.

Voice + Video Calling

  • TOX — Open source encrypted video, audio, and chat software
  • Jitsi — Open source encrypted video chat

Mobile Messaging and Calling

  • Signal — Encrypted instant messaging and voice calling application

Keep in mind your Signal “account” is tied to your phone number, and metadata is not encrypted. Your communications are private, but not anonymous. If you wish to remain anonymous, this should only be done on a disposable phone.


Conclusion

Anonymity is hard. Even if you follow the steps above there are still ways you can be deanonymized if someone wants it bad enough, so don’t consider this to be a carte blanche to commit crimes online. To be truly anonymous, you have to stop using the Internet entirely, and that’s something very few of us would be willing to do.