Originally written in mid-2012 for France’s National Institute for Broadcasting (INA), the following article was updated and republished on Jean-Marc Manach’s blog under the title How (not) to be the victim of (cyber-)espionage. What applies one day on the Internet does not always apply the next. The article aims to provide some advice and suggestions on how to establish a window of anonymity online. It is not an exhaustive guide. Readers are urged to verify the validity of the websites and services mentioned in this article.
Fifteen minutes of online anonymity
I have often written or translated instructions for Internet users on how to secure their online communications since 1999, when, as a journalist, I began trying to find out how to protect my sources. And I came to realize that it is impossible for non-specialists to secure their computers in such a way as to prevent professionals from being able to get into them. Nonetheless, it is perfectly possible for them to create windows of confidentiality, to disappear for the duration of an online connection, to learn to communicate in a discreet, secure and stealthy manner, and to exchange files without being detected.
The KGB and CIA could not prevent each other’s spies from communicating with their sources, just as the FBI could not prevent Daniel Ellsberg from leaking the Pentagon Papers and the NSA could not prevent WikiLeaks from shedding some transparency on US and international diplomacy. To paraphrase Andy Warhol, the key nowadays is how to get one’s 15 minutes of anonymity. It is not only possible but also essential for journalism and for democracy, and it is not necessarily very complicated.
Whatever the type of computer, operating system or software you use, you can secure your communications – and therefore your sources – via the Internet. The methods and services mentioned below are not as secure as using GnuPG, but may prove useful if all you are seeking is a window, or 15 minutes, of anonymity. What they have in common is encryption of information at the browser level, before transmission to the website where it will be shared with the person or persons to whom you want to send it.
Several computer security specialists have recently pointed out the limits of such systems, which are based on the concept of zero-knowledge proof. Their security depends, among other things, on using computers and websites that have not already been hacked into. Given the technical skills needed to properly secure a computer, these services are probably best used only when you need to transmit something – a message, temporary password, article or photo – in a stealthy manner. Better still, if possible, use a dedicated computer for this (netbooks can be bought for €200), one that is connected to the Internet only for this purpose and is not used for any of your other activities, during which it could get infected by a Trojan or other form of malware.
CryptoCat, the best known of these web services, was designed to allow you to chat and to simultaneously send .zip or image files of up to 600 kb in size, as with standard instant messaging software, but in a secure manner. In response to criticism, its developer decided to add an additional layer of security by allowing users to install CryptoCat as an extension in their browsers (Chrome or Firefox).
You want to send or receive a file anonymously and securely?
The dead letterbox technique consists of using a webmail service of which the username and password are known by two (or more) people. Messages can be exchanged by leaving them in the Drafts folder. This way, you and another person can communicate with each other without ever actually sending each other emails.
Hushmail.com is an encrypted email service that emphasizes ease of use. There are also dozens of services like AnonBox, which was created by the famous German hackers of the Chaos Computer Club (CCC); remember to always use https and Tor when you connect to them.
RiseUp is an email service maintained by an activist community. The originality of this service is that it does not keep any log or record of the IP addresses connecting to its servers. RiseUp also stores all email messages in an encrypted form.
You can also use the Hide My Ass file-sharing service, which is one of the many web proxies (or anonymizers) that are used to circumvent Internet censorship or to browse anonymously. For more information on this subject, see How to circumvent Internet censorship and How to circumvent cyber-surveillance.
NoPlainText and PrivNote (both accessible securely via https) allow you to create short memos that “self-destruct” as soon as they are read. PrivNote can send you an email alert when a memo is read. It is practical for sending a password or any short confidential message without having to use GnuPG. (The password should of course be temporary. Any password you are sent should always be changed. Passwords are never shared with third parties.)
These services cannot prevent an unauthorized third party from intercepting the link – and therefore the memo – before the intended recipient sees it. But they can, on the other hand, allow you to establish whether your channel of communication is being spied on: you just have to send an initial (anodyne) message and see whether or not your source receives it in order to know whether the channel is secure or compromised.
ZeroBin uses the same principle but also allows you to programme the deletion of the memo (in 10 minutes, one hour, one day, one month, a year or never) and allows the other party to comment on it. CryptoBin allows the memo to be protected by a password, which adds another layer of security but requires sharing the password with your source, for which you could use CryptoCat or PrivNote. In order to add more layers of security, try if possible to combine these services and access them using Tor or an equivalent.
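The design behind these memo services, browser-level encryption before upload (as mentioned earlier) plus self-destruction on first read or after a chosen delay, as an added example that is not code from the article, ZeroBin, PrivNote or CryptoBin. The host notes.example and the stdlib HMAC-based cipher are assumed stand-ins for illustration: the point is that the key rides in the URL fragment, which the browser never sends, so the server only ever holds ciphertext.

```python
import hashlib
import hmac
import secrets
import time

# Added example (not from the article, ZeroBin or PrivNote). The key is made on
# the client and travels only in the URL fragment, which browsers never send, so
# the server stores ciphertext it cannot read. HMAC-SHA256 keystream + MAC here
# stands in for the AES the real services run in the browser.
def _keystream(key, nonce, n):
    prf = lambda i: hmac.new(key, b"ks" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return b"".join(prf(i) for i in range((n + 31) // 32))[:n]

def seal(plaintext: bytes, key: bytes) -> bytes:
    """Return nonce || ciphertext || tag, with a fresh random nonce per note."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(blob: bytes, key: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("note tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class NoteServer:
    """Holds ciphertext plus an optional expiry; the first read deletes the note."""
    def __init__(self):
        self.notes = {}
    def put(self, blob, ttl=None, now=None):
        now = time.time() if now is None else now
        note_id = secrets.token_urlsafe(9)
        self.notes[note_id] = (blob, None if ttl is None else now + ttl)
        return note_id
    def take(self, note_id, now=None):
        now = time.time() if now is None else now
        blob, expires = self.notes.pop(note_id, (None, None))
        if blob is None or (expires is not None and now > expires):
            return None                       # unknown, already read, or expired
        return blob

def create_note(server, text, ttl=None, now=None):
    key = secrets.token_bytes(32)             # never leaves the client
    note_id = server.put(seal(text.encode(), key), ttl, now)
    return f"https://notes.example/?{note_id}#{key.hex()}"   # hypothetical host

def read_note(server, url, now=None):
    note_id, key_hex = url.split("?", 1)[1].split("#", 1)   # fragment = key
    blob = server.take(note_id, now)
    return None if blob is None else unseal(blob, bytes.fromhex(key_hex)).decode()
```

A recipient who gets None on a fresh link learns that someone else read the memo first, which is the channel check the article describes.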
There is no really reliable way for communicating confidentially by mobile phone. To be very clear: NEVER use your mobile phone to call a source’s mobile phone if the source needs to be protected – see the recent “phone records affair” in France.
If you really have to phone your source, go to a public phone far from your office or use the mobile phone or landline of someone who has no direct contact with you. And call your source on a mobile phone or, preferably, landline with which he or she has no direct connection. Or use one of the techniques that have already been explained. And meanwhile, we should follow the development of Whisper Systems encryption software, which does not work on all mobile phones and is still in Beta version.
Use of the increasingly popular Internet telephony software Skype should also be ruled out whenever possible. AFP came in for a lot of criticism when it reported in a dispatch that it interviewed a Syrian dissident via Skype in July 2012. Skype’s so-called “security” has repeatedly been violated since the French authorities advised against its use in 2005. It has since been revealed that Skype not only helps certain law enforcement and intelligence agencies to spy on users but also that booby-trapped versions of Skype have been created in order to enable identification of their users.
Do you want to phone your sources via the Internet? No problem, but use Jitsi, the “open-source Skype” recommended by Jacob Appelbaum, a hacker and Tor developer who supports WikiLeaks and is therefore well up on source protection issues, or Mumble, which is mainly used by video gamers but which encrypts communications by default. The Telecomix hackers, who distinguished themselves by helping Arab Spring Internet users and cyber-dissidents to secure their telecommunications, have set up two secure servers for communicating via Mumble.
Computer and digital security is a profession. If it is not your profession, operate on the assumption not only that you can easily be (or are being) monitored – ISPs keep records of all your Internet connections and Internet activity, while phone companies keep records of all the numbers you call or that call you – but also that someone could, without too much difficulty, actually be spying on you.
In other words, your preferred method of communication should be “IRL” (In Real Life) meetings, physical meetings in public places or the backrooms of cafés, like 20th century spies. Of course, the meetings can also be compromised if they have been set up by phone or email. It is an irony of history that in this technologically hyper-connected 21st century, we have invented no better way of protecting sources and professional confidentiality than old-fashioned paper mail, which is much less monitored and spied on than phone or Internet communications.
- Encrypt everything! – a digital security software directory
- How to encrypt your email? – the ABC of privacy protection
- Free.korben.info – the open-source Internet wiki
- The digital self-defence manual guide – should be read and reread, on your own or shared with others. How to fine-tune the art of navigating the digital world’s troubled waters.
- How to circumvent Internet censorship
- Computer and Internet security and privacy – anonymity etc
- Basic protection of sources – by #JHack. Workshops, conferences and meetings between journalists, activists and hackers.
- Security in-a-box – Digital security tools and strategies
- The basics – for any Windows user connected to the Internet
About the author
Jean-Marc Manach has been covering the rise of the “surveillance society” for nearly ten years, both as a journalist and as a defender of human rights, freedoms and privacy. He has participated in:
- The Big Brother Awards, which give “Orwell prizes” each year to those who have distinguished themselves by their violation of privacy.
- Bugbrother.com (to learn about making communications secure and protecting privacy).
- Renseignementsgeneraux.net (to learn how to defend one’s rights against abuses committed by the police in the course of gathering information on the population).
- Vie-privee.org (for its press review on information technology and freedoms).