Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.
- Edward Snowden
- 1 Privacy and Anonymity
- 2 Anonymous networks
- 3 Don't use a VPN
- 4 Browsers
- 5 E-mail
- 6 DNS
- 7 Operating systems
- 8 Accounts and Passwords
- 9 Tools
- 10 Routers
- 11 Private payment
- 12 Filesharing
- 13 Android and cell phones
- 14 Printers
- 15 OPSEC/Operational Security
- 16 External links
- 17 See also
Privacy and Anonymity
The terms privacy and anonymity have specific meanings.
- Privacy is about the secrecy of information.
- Anonymity is about the secrecy of an identity.
Privacy and anonymity are closely related because information can be identifying and identities are associated with information.
Anonymous networks
- Tor sets up a local SOCKS proxy through which TCP connections are routed to the normal internet without exposing their origin. It does this using a technique called onion routing. Note that Tor does not encrypt the content of traffic end to end: traffic is encrypted in layers inside the Tor network, but it leaves the exit node in clear-text unless the application itself encrypts it, for example with TLS for web browsing or an SSH tunnel. A malicious exit node can read and modify anything sent in the clear.
- In addition, Tor onion services (.onion addresses) can be hosted and reached without either side learning the other's IP address; traffic to them never leaves the Tor network.
- The Tor Browser is a package designed specifically to visit onion services and to route traffic via the Tor network; according to the Tor Project it is the safest way to use Tor. It also makes all of its users look alike to counter fingerprinting (see #Browsers). You can route arbitrary applications over the SOCKS proxy without the Tor Browser, but an application that resolves hostnames itself instead of handing them to the proxy will leak your DNS queries to your ISP, and other applications may leak your real IP address inside their protocol payloads.
- I2P is an anonymous network. Communications within I2P are anonymous: a sender cannot identify a recipient and vice versa. I2P is primarily used for anonymous file-sharing, IRC, forums, etc. I2P's hidden services are called eepsites and end in the .i2p pseudo-TLD. Unlike Tor, I2P is not designed for accessing clearnet resources, although a few HTTP outproxies exist.
- The official I2P implementation is written in Java. tini2p and i2pd are two alternate routers, both written in C++. tini2p is the successor to Kovri which was forked from i2pd by some Monero developers.
- Two interesting uses of I2P: Tahoe-LAFS and I2P-Bote.
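The two Tor points above, the DNS leak and per-identity stream isolation, in code. This is an added example, not Tor Project code: it builds the SOCKS5 messages a well-behaved Tor client sends (RFC 1928 CONNECT, RFC 1929 username/password), refuses to pre-resolve hostnames, and classifies a captured CONNECT request by whether the proxy or the client did the resolution. Nothing here contacts a real proxy.

```python
"""SOCKS5 the way a Tor client should speak it (RFC 1928 CONNECT, RFC 1929 auth).

  * If the application resolves the hostname itself and hands the proxy an IP
    address (ATYP 0x01/0x04), the DNS query already left the machine in the
    clear: that is the "DNS leak". Sending the hostname (ATYP 0x03) lets Tor
    resolve it at the exit instead.
  * Tor keeps streams that use different SOCKS username/password pairs on
    different circuits (IsolateSOCKSAuth), so one label per identity gives
    stream isolation.
Added example; nothing here talks to a real proxy.
"""
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def greeting(isolation_label=None):
    """Client hello: offer username/password auth (0x02) when we want an isolated circuit, else no auth."""
    methods = [0x00] if isolation_label is None else [0x02]
    return bytes([SOCKS_VERSION, len(methods), *methods])


def userpass_auth(username, password):
    """RFC 1929 sub-negotiation. For Tor the credentials are an isolation label, not a secret."""
    u, p = username.encode(), password.encode()
    if not (0 < len(u) < 256 and 0 < len(p) < 256):
        raise ValueError("username and password must each be 1..255 bytes")
    return b"\x01" + bytes([len(u)]) + u + bytes([len(p)]) + p


def connect_request(host, port):
    """CONNECT request that always carries the hostname, so resolution happens inside Tor."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal: good, the proxy will resolve it
    else:
        raise ValueError("literal IP address: resolve through the proxy, not locally")
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname length out of range for SOCKS5")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def audit_request(req):
    """Classify a captured CONNECT request: did the proxy get a name, or did the client pre-resolve?"""
    if len(req) < 4 or req[0] != SOCKS_VERSION or req[1] != CMD_CONNECT:
        return "not-a-connect"
    if req[3] == ATYP_DOMAIN:
        return "proxy-resolves"
    if req[3] in (ATYP_IPV4, ATYP_IPV6):
        return "client-resolved"  # a local lookup happened; unless the user typed an IP, DNS leaked
    return "unknown-atyp"
```

In practice this is the difference between `socks5://` and `socks5h://` in curl and most SOCKS libraries: only the latter hands the hostname to the proxy.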
Don't use a VPN
VPNs are not a privacy panacea and you probably shouldn't use one.
- There is no guarantee a provider isn't keeping logs, whatever its policy says.
- A provider can see your traffic; you have only moved the point of trust from your ISP to the VPN company.
- A VPN is a likely place for a honeypot.
- If you still think you need a VPN, set one up yourself on a VPS. Note that a VPS is rented under your name and payment details, so this hides your traffic from your ISP and your home IP from the sites you visit, but it does not make you anonymous.
Browsers
Fingerprinting is the process of using otherwise non-identifying information to identify you. When enough non-identifying information is collected, you will stand out among others.
There are many vectors for fingerprinting. A non-exhaustive extract:
- IP address
- Screen resolution
- User Agent
- System Fonts List
- System Fonts Enumeration
- JavaScript navigator object properties (platform, languages, plugins, etc.)
- Audio Fingerprint
Even worse, attempts to counter fingerprinting are likely to cause fingerprinting. Only "privacy-conscious" users disable vectors for fingerprinting. See how that works?
Use Panopticlick to check for fingerprinting.
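The point about counter-measures backfiring, measured. This is an added example (not from the page or from Panopticlick) over a constructed population of 20 browsers with made-up attribute values: each attribute value contributes -log2(P) bits of identifying information, and the one user who disabled font enumeration and WebGL ends up alone in an anonymity set of size one.

```python
"""Why fingerprinting works, and why disabling fingerprinting vectors can make it
worse: each attribute value carries -log2(P) bits of identifying information, and
rare values (like "font enumeration disabled") carry the most.
Added example over a constructed population of 20 browsers; values are made up."""
import math

ATTRS = ("screen", "user_agent", "fonts_exposed", "webgl")
COMMON = ("1920x1080", "Firefox/115", "yes", "on")
PRIVACY_USER = ("1920x1080", "Firefox/115", "no", "off")   # turned off fonts and WebGL
POPULATION = [COMMON] * 17 + [
    ("1366x768", "Firefox/115", "yes", "on"),
    ("1920x1080", "Chrome/120", "yes", "on"),
    PRIVACY_USER,
]


def surprisal_bits(population, index, value):
    """Identifying information in one attribute value: -log2(fraction of population sharing it)."""
    count = sum(1 for fp in population if fp[index] == value)
    if count == 0:
        raise ValueError("value not present in population")
    return -math.log2(count / len(population))


def anonymity_set(population, fp):
    """Number of browsers (including this one) with exactly this fingerprint."""
    return sum(1 for other in population if other == fp)


def report(population, fp):
    """Per-attribute bits and the anonymity-set size of the full fingerprint."""
    bits = {name: surprisal_bits(population, i, fp[i]) for i, name in enumerate(ATTRS)}
    return bits, anonymity_set(population, fp)


if __name__ == "__main__":
    for label, fp in (("common", COMMON), ("privacy-conscious", PRIVACY_USER)):
        bits, k = report(POPULATION, fp)
        print(label, {n: round(b, 2) for n, b in bits.items()}, "anonymity set:", k)
```

With a real population the numbers differ, but the shape is the same: a setting only a handful of users share is worth several bits on its own, which is exactly why the Tor Browser approach below is to make everyone's values identical rather than to disable things individually.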
The Tor Browser solution
In the end, the approach chosen by Tor developers is simple: all Tor users should have the exact same fingerprint. No matter what device or operating system you are using, your browser fingerprint should be the same as any device running Tor Browser.—Pierre Laperdrix, Browser Fingerprinting: An Introduction and the Challenges Ahead
This "works", but if you use Tor prepare to be treated like a second-class citizen by popular websites which block known Tor exit nodes (their addresses are public). On top of that, Tor users may find it difficult (impossible?) to fill out CAPTCHA forms, which are near ubiquitous on the internet.
Search engines are middle men between you and the content you're looking for. Search engines should not be used as lazy shortcuts to everything on the internet. The most assured way to use search engines discreetly is to use them for their intended purpose only.
A few techniques can wean you off search engine overuse:
- Website aliases/shortcuts
- Search keywords, i.e. instead of searching Google for a Wikipedia article, define a URL keyword to search Wikipedia directly. This cuts out the middle man. In Firefox, to define a keyword right-click on any search box and the option will appear in the menu.
For times when you actually need to use a search engine, use one which respects your privacy.
- SearX is a self-hostable meta search-engine.
- Qwant is a European search engine that claims to respect user privacy.
- Disconnect Search
E-mail
Disposable email addresses are useful for when you need to register for a service but want to avoid linkability. 10minutemail and Guerrilla Mail (which has an .onion) are two decent options. Disposable email addresses and their mail are usually deleted after a set time period, so pair them with a password manager: once the address is gone, ordinary password-reset recovery is impossible. Be aware that some services refuse registrations from known disposable domains.
There are certain privacy conscious email providers:
Encrypted email introduces a new problem for password security. If the same password is used for decryption and for authentication, the mail server learns it at login and could decrypt the stored mail. One solution is to split login and decryption into two separate passwords, as Protonmail originally did; maintaining two passwords is inconvenient, however. Tutanota and Protonmail have since implemented ways to use a single password safely. Tutanota salts and hashes the password on the client side; only the resulting hash is transmitted, and the server compares it against a stored hash of that hash. The server therefore never sees the password, and a stolen server-side hash cannot be replayed as a login credential, let alone be used to derive the mailbox key. Protonmail uses a related approach, but derives the keys differently and uses SRP for zero-knowledge password authentication.
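The single-password scheme just described, as an added illustration that is not Tutanota's or Protonmail's actual code: the client stretches the password once and derives a login token and a separate mailbox key; the server stores only a hash of the login token. The KDF (scrypt), its parameters and the domain-separation labels are assumptions made for the example.

```python
"""One password, two secrets: client-side hashing with a server-side hash-of-hash.
The client derives (a) a login token it sends and (b) a mailbox key that never
leaves the client. The server stores sha256(login token), so a leaked database
yields neither a replayable credential nor the key.
Added illustration; KDF choice, parameters and labels are assumptions."""
import hashlib
import hmac
import os


def client_derive(password, salt):
    """Client side. One slow KDF, then two independent secrets by domain separation."""
    stretched = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    login_token = hmac.new(stretched, b"login", hashlib.sha256).digest()        # sent to the server
    mailbox_key = hmac.new(stretched, b"mailbox-key", hashlib.sha256).digest()  # stays on the client
    return login_token, mailbox_key


class MailServer:
    """Never sees the password; stores per-user (salt, sha256(login_token))."""

    def __init__(self):
        self.users = {}

    def new_salt(self, user):
        """Registration step 1: the server picks the salt the client will hash with."""
        salt = os.urandom(16)
        self.users[user] = (salt, None)
        return salt

    def salt_for(self, user):
        return self.users[user][0]

    def register(self, user, login_token):
        salt, _ = self.users[user]
        self.users[user] = (salt, hashlib.sha256(login_token).digest())

    def login(self, user, login_token):
        salt, verifier = self.users.get(user, (None, None))
        if verifier is None:
            return False
        # the stored verifier is one hash further along than the token, so it
        # cannot itself be presented as a token
        return hmac.compare_digest(hashlib.sha256(login_token).digest(), verifier)


def signup(server, user, password):
    token, key = client_derive(password, server.new_salt(user))
    server.register(user, token)
    return key


def signin(server, user, password):
    """Returns the mailbox key on success, None otherwise; the server never learns it."""
    token, key = client_derive(password, server.salt_for(user))
    return key if server.login(user, token) else None
```

The test-worthy property is the last one in the lead-in: feeding the server's own stored verifier back to `login` fails, which is what makes a database leak less than a credential leak.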
DNS
DNS is the protocol and system by which domain names, e.g. cloveros.ga, are resolved into IP addresses. It is like a phonebook or contact list for the internet.
When a computer resolves a domain name it queries a DNS server called a recursive resolver, by default one provided by your internet service provider. The recursive resolver looks the name up on the computer's behalf and returns a DNS record containing the queried domain's IP address. Classic DNS runs in clear-text over port 53, so anyone on the path can read or tamper with the exchange, and malicious actors, including whoever controls the resolver itself, can hijack the process for their own ends.
DNS providers may block queries to certain domains or redirect them elsewhere, and many log queries. Queries may be dropped silently to masquerade as a network problem and not overt censorship.
You should look for a DNS server that is nearby that doesn't log your IP address or queries. In addition, you may want to use DNSCrypt for added protection, and a caching DNS server for reduced privacy exposure and minimal latency.
Recommended DNS software:
- dnscrypt-proxy (the DNSCrypt client) supports DoH, DNSCrypt and Anonymized DNSCrypt.
- Unbound is a high-performance validating, recursive and caching DNS server with a multitude of privacy-oriented features. It acts as a local DNS cache, which means fewer connections to your upstream DNS server. On top of that, it can enforce DNSSEC validation (prevents DNS spoofing) and supports QNAME minimisation and other hardening options for your DNS queries.
Unbound is undergoing a security audit, courtesy of OSTIF.
- Pi-hole can act as a local DNS cache (and blocks ad and tracker domains).
- The OpenNIC Project is a privacy-minded collection of volunteer-run servers that also allow you to use extra TLDs such as .geek etc. Also features DNSCrypt support.
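What the resolver and everyone on the path actually see: an added example (not from any of the projects above) that builds a plain DNS query the way a stub resolver sends it over port 53 and then reads the queried names back out of captured payloads, as a passive observer would. The transaction IDs and domains are made up. This clear-text name is precisely what DNSCrypt/DoH/DoT hide from the path, and what a local cache sends upstream less often.

```python
"""Plain DNS on the wire: build a query, then extract the names from a capture.
Added example; transaction IDs and domains are constructed."""
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """'cloveros.ga' -> b'\\x08cloveros\\x02ga\\x00' (length-prefixed labels, root terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("idna")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, txid=0x1234, qtype=QTYPE_A):
    """Standard query: header (ID, flags with RD=1, QDCOUNT=1) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_name(msg, offset):
    """Read a name at offset; returns (name, offset after it). Follows compression pointers."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0 == 0xC0:  # pointer into an earlier part of the message (answers use these)
            pointer = ((length & 0x3F) << 8) | msg[offset]
            tail, _ = decode_name(msg, pointer)
            labels.append(tail)
            return ".".join(labels), offset + 1
        labels.append(msg[offset:offset + length].decode("idna"))
        offset += length


def observed_questions(packets):
    """What a passive observer of the UDP payloads learns: every (name, qtype) asked."""
    seen = []
    for pkt in packets:
        _txid, _flags, qdcount = struct.unpack("!HHH", pkt[:6])
        offset = 12
        for _ in range(qdcount):
            name, offset = decode_name(pkt, offset)
            qtype, _qclass = struct.unpack("!HH", pkt[offset:offset + 4])
            offset += 4
            seen.append((name, qtype))
    return seen
```

Run `observed_questions` over a pcap's UDP/53 payloads and you have the browsing history an ISP resolver or on-path box gets for free; the 16-bit transaction ID is also all that protects a classic query from a spoofed answer, which is the spoofing DNSSEC validation addresses.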
Operating systems
Whonix is a distribution focused on privacy, anonymity and security that uses an isolation model to prevent IP and DNS leaks. It is divided into two virtual machines: the Workstation and the Gateway. The Workstation can only connect to the internet via the Gateway and does not know its external IP address. In this way IP and DNS leaks are not possible from inside the Workstation even if it is compromised (a compromise of the Gateway or of the host is a different matter). Additionally, Whonix uses pre-configured applications with stream isolation, giving each application its own Tor circuits so that their respective activities cannot be tied to one identity (see #Privacy and Anonymity).
Subgraph OS is a distribution that focuses on security and anti-surveillance. It uses an encrypted filesystem by default and creates sandboxed containers using OZ (similar to Firejail) around at-risk software. The sandbox system enforces seccomp filters, Linux namespaces and capabilities, and even isolates X11 using Xpra. It ships with a Linux kernel hardened with grsecurity.
Tails is a live distribution outfitted for secure use of Tor. Tails is designed to leave no trace of itself on its host computer. Contrary to popular belief Tails does not force all traffic to use Tor. Rather, Tails' network filter drops non-Tor outbound traffic, with a few exceptions such as Tor itself. Applications not designed to use Tor (such as BitTorrent) may transmit de-anonymizing information that would compromise the anonymity provided by Tor. Tails also bundles a number of useful applications such as Thunderbird (with GPG encryption), a Bitcoin wallet, Pidgin (with OTR for secure messaging), and more. Edward Snowden used Tor when leaking classified documents.
heads is a distribution similar to Tails, based on Devuan. Like Tails, it sends your packets over Tor and leaves no trace on the computer. Unlike Tails, it is fully libre, and uses a de-blobbed kernel hardened with grsecurity. Instead of systemd it uses "sysvinit combined with OpenRC". It contains no proprietary drivers, which limits the hardware it runs on.
Accounts and Passwords
Need to scrub some stuff off the internet? We have an article for that. See Account Management.
Insecure passwords can be de-anonymizing. The same password used twice can establish linkability even if the respective accounts are ostensibly unrelated, because breach dumps are routinely cross-referenced. Make sure you're following good practices by reading the password etiquette guide. A brief summary of relevant points:
- Never use the same password more than once.
- Don't use slight variations of the same password.
- Use strong, randomly generated passwords.
Similarly, register different usernames tied to different email addresses.
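An audit for the two linkability mistakes above, exact reuse and "slight variations", run over a constructed vault. This is an added example, not part of the page or of any password manager: the normalisation rules and the edit-distance threshold are judgement calls, and `random_password` is the positive recommendation in code.

```python
"""Find passwords that link otherwise unrelated accounts: identical strings and
near-variants (cosmetic suffix changes, small edits).
Added example; VAULT is constructed and the threshold is a judgement call."""
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length=20):
    """Uniformly random from a 94-symbol alphabet: about 6.55 bits per character."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def normalise(pw):
    """Strip the cosmetic changes people make between 'different' passwords."""
    return pw.strip().lower().rstrip("0123456789!@#$%^&*.")


def edit_distance(a, b):
    """Levenshtein distance, O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def linkable_pairs(vault, max_distance=2):
    """(account_a, account_b, reason) for every pair sharing a password or a close variant."""
    findings = []
    items = sorted(vault.items())
    for i, (acct_a, pw_a) in enumerate(items):
        for acct_b, pw_b in items[i + 1:]:
            if pw_a == pw_b:
                findings.append((acct_a, acct_b, "identical"))
            elif normalise(pw_a) == normalise(pw_b) or edit_distance(pw_a, pw_b) <= max_distance:
                findings.append((acct_a, acct_b, "variant"))
    return findings


VAULT = {  # constructed
    "forum@persona1": "Tr0ub4dor&3",
    "shop@persona1": "Tr0ub4dor&3",
    "mail@persona2": "Tr0ub4dor&4",
    "bank": "v7Qp2LmZ8wR4sN1t",
}
```

The finding that matters for anonymity is the cross-persona one: `mail@persona2` is a one-character edit away from the persona1 accounts, and anyone holding both breach dumps will notice.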
Tools
- Firejail is an application sandbox that uses Linux namespaces, seccomp-bpf and the latest kernel security features to create an isolated view of the filesystem. It comes with a myriad of profiles by default, which are applied on a per-program basis.
It is important to use sandboxes in order to limit what an exploit in the software can reach, since a compromised application can otherwise be used to identify you. For instance, for Firefox, Firejail limits data leaks by replacing the standard temporary file directory with a private one that is completely erased when the Firefox session ends.
- MAT2 (Metadata Anonymisation Toolkit 2) is an experimental tool to remove metadata from a wide variety of file formats including the major formats for office documents, images, audio and video.
- Exiftool is a multi-functional tool to remove, add or edit metadata in major file formats. It runs as a command-line tool and can be used by programmers as well.
- To remove all metadata from an image, run
exiftool -all= yourimage.jpg
- PDF Redact Tools is a toolkit for stripping metadata from PDF files. It also supports an achromatic option to counter printer dots.
- Anonymouth is another experimental tool designed to anonymize writing so that the author cannot be identified by his or her word choice, grammar, theme, tone, etc. Here is an article on anti-stylometry (the scientific study of literary style) discussing it, and here is another article. The anonymouth program has not been updated in over six years but there are some maintained forks.
- CryptPad is a service for private-by-default realtime collaboration. Decryption keys are generated client-side.
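Where the metadata exiftool and MAT2 strip actually lives, for the JPEG case: an added example (not code from either tool) that walks a JPEG's marker segments and drops the APPn and COM segments that carry Exif, XMP, ICC profiles and comments, keeping only what a decoder needs. `SAMPLE_JPEG` is a constructed skeleton with valid segment structure and no real image data, built to exercise the parser.

```python
"""Strip metadata from a JPEG by segment type. A JPEG is SOI, then marker
segments (FF xx, 16-bit length, payload) up to SOS, then entropy-coded data
to EOI. Exif/XMP/ICC/comments live in APPn (0xE0-0xEF) and COM (0xFE).
Added example; SAMPLE_JPEG is constructed."""
import struct

SOI, EOI, SOS, DQT, COM = 0xD8, 0xD9, 0xDA, 0xDB, 0xFE
APP0, APP1, APP15 = 0xE0, 0xE1, 0xEF


def segment(marker, payload):
    """FF <marker> <16-bit length including the length field> <payload>"""
    return b"\xff" + bytes([marker]) + struct.pack("!H", len(payload) + 2) + payload


def markers(data):
    """Marker bytes of each segment up to and including SOS, for inspection."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    found, i = [], 2
    while i + 2 <= len(data):
        if data[i] != 0xFF:
            raise ValueError("marker expected at offset %d" % i)
        marker = data[i + 1]
        if marker == EOI:
            break
        found.append(marker)
        if marker == SOS:
            break
        i += 2 + struct.unpack("!H", data[i + 2:i + 4])[0]
    return found


def strip_metadata(data, keep_jfif=True):
    """Drop COM and all APPn segments (optionally keeping a plain JFIF APP0), and cut
    anything after EOI, a common place to hide data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    out, i = bytearray(b"\xff\xd8"), 2
    while i + 2 <= len(data):
        if data[i] != 0xFF:
            raise ValueError("marker expected at offset %d" % i)
        marker = data[i + 1]
        if marker == EOI:
            return bytes(out + b"\xff\xd9")
        if i + 4 > len(data):
            break
        length = struct.unpack("!H", data[i + 2:i + 4])[0]
        if length < 2 or i + 2 + length > len(data):
            raise ValueError("bad segment length at offset %d" % i)
        seg = data[i:i + 2 + length]
        if marker == SOS:
            end = data.rfind(b"\xff\xd9")  # entropy-coded data runs to the last EOI
            if end < i:
                raise ValueError("missing EOI")
            return bytes(out + data[i:end + 2])
        is_jfif = marker == APP0 and seg[4:9] == b"JFIF\x00"
        if marker == COM or (APP0 <= marker <= APP15 and not (keep_jfif and is_jfif)):
            i += 2 + length  # metadata segment: skip it
            continue
        out += seg
        i += 2 + length
    raise ValueError("truncated JPEG")


# Constructed sample: JFIF header, an Exif stub, a comment, a quantisation table, a scan,
# and a trailer after EOI that viewers ignore but naive copies preserve.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + segment(APP1, b"Exif\x00\x00MM\x00*\x00\x00\x00\x08\x00\x00")
    + segment(COM, b"Shot by alice, 2019-05-04")
    + segment(DQT, b"\x00" + bytes(64))
    + segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34"
    + b"\xff\xd9"
    + b"hidden trailer"
)
```

Note what this does not do: it leaves the pixels alone, so anything identifying in the image itself (a face, a reflection, sensor noise patterns) is untouched; metadata stripping is necessary, not sufficient.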
Routers
A router that supports free software firmware is recommended over one provided by your ISP. ISP routers often come preloaded with software that can compromise your privacy and security, and they are frequently left unpatched. Linux-based firmware is available for common routers:
- OpenWrt is a Linux distribution for embedded devices. It is optimized for minimal storage and RAM usage to fit on home routers.
- LibreCMC is a fork of OpenWrt with all non-free software removed.
- DD-WRT is a firmware originally focused on the Linksys WRT54G series of routers.
- can be used as a router.
Private payment
At some point you will have to pay for things. To achieve privacy in doing so you should familiarize yourself with the various anonymous cryptocurrencies by reading the overview at the dedicated article. Important points:
- Bitcoin is not anonymous: every transaction is recorded on a public ledger, and addresses can be clustered and tied to identities through exchanges.
- Monero is anonymous by default: sender, receiver and amount are hidden on-chain.
- Route your Monero wallet and node traffic over Tor so the network does not learn your IP address.
- You can use Monero to acquire Bitcoin anonymously.
Android and cell phones
Android (AOSP) Distributions
- Replicant is a distribution that aims to replace all proprietary components of Android. Only works on some old Samsung phones.
- LineageOS is the successor to CyanogenMod and supports a wide variety of devices.
- LineageOS for MicroG is a build of LineageOS modified to support MicroG, a project that reverse engineers Google's proprietary libraries to replace them with free components. MicroG will not work on standard LineageOS.
- GrapheneOS is a distribution focused on security and privacy. Google Pixel is the only supported device at the moment. It is the successor to CopperheadOS.
In order to install a custom ROM you will need a supported phone capable of unlocking the bootloader.
- Librem 5 is a phone developed by Purism that runs their Linux distribution PureOS. The Librem 5 sports hardware kill switches for Wi-Fi, Bluetooth, camera and microphone if you really are that paranoid. The developer of GrapheneOS had some negative things to say about it which are worth reading.
- postmarketOS is a non-Android distribution for older phones.
Default applications should be replaced with more privacy-friendly alternatives.
- F-Droid is a software repository that only contains free software and informs users of any "anti-features".
- FOSSdroid is a web-UI for F-Droid's repositories that tries to mimic Google Play.
- Simple Mobile Tools are minimal replacements for stock applications. Available on F-Droid.
- Aurora Store is a replacement for Google Play store app.
- OsmAnd~ (the F-Droid build of OsmAnd+) is a map application that uses OpenStreetMap crowd-sourced data. Supports offline (pre-downloaded) maps.
- GApps Browser allows one to use Google web-apps (maps, news, etc) without a logged-in Google account.
Printers
Most colour laser printers print a pattern of faint yellow dots on every page (a machine identification code which, on the models that have been decoded, encodes the printer's serial number and a timestamp) so that output can be traced. You might be able to buy a thermal printer or an old (1980s or early 90s) dot matrix printer that lacks this anti-feature.
OPSEC/Operational Security
All the software in the world won't help you if you ignore the human element. Obvious no-nos:
- Using the same username everywhere;
- Using the same email address everywhere;
- Using the same password everywhere;
- Logging into the same accounts both through your real IP and through a proxy/VPN/Tor;
- Posting photos or images which can be traced back to you via a reverse image search or EXIF meta-data.
Ross Ulbricht was brought down by many of the above points.
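The "same account from your real IP and from Tor" mistake seen from the other side of the table. This is an added example, not from the page: it correlates a login log against a Tor exit list and reports every account that has authenticated both ways, together with the direct addresses that tie it to a person. The log lines and the exit list are constructed (the real exit list is published by the Tor Project).

```python
"""Correlate login events with a Tor exit list to find accounts used both
anonymously and from a real address. Added example; log and exit list constructed."""
import re
from collections import defaultdict

TOR_EXITS = {"192.0.2.10", "192.0.2.11"}  # constructed stand-in for the published exit list

LOGIN_LOG = """\
2021-03-02T10:14:02Z login ok user=vendor7 src=192.0.2.10 ua=TorBrowser
2021-03-02T11:02:40Z login ok user=vendor7 src=203.0.113.45 ua=Firefox
2021-03-02T11:05:11Z login ok user=alice src=192.0.2.11 ua=TorBrowser
2021-03-03T08:20:00Z login fail user=alice src=203.0.113.45 ua=Firefox
2021-03-03T09:00:09Z login ok user=bob src=198.51.100.9 ua=Chrome
"""

LINE = re.compile(r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)")


def parse(log):
    """Yield one dict per well-formed line; anything else is skipped."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield m.groupdict()


def cross_identity_logins(log, exits, include_failed=False):
    """Accounts seen from both a Tor exit and a direct address, with the addresses.
    A failed attempt from the real IP is still a link; include_failed=True counts it."""
    seen = defaultdict(lambda: {"tor": set(), "direct": set()})
    for ev in parse(log):
        if ev["result"] != "ok" and not include_failed:
            continue
        bucket = "tor" if ev["src"] in exits else "direct"
        seen[ev["user"]][bucket].add(ev["src"])
    return {user: v for user, v in seen.items() if v["tor"] and v["direct"]}
```

One slip, one line in someone else's log, is enough: `vendor7` is linked to `203.0.113.45` by a single direct login, and with `include_failed=True` so is `alice`, who only mistyped a password from home.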
More subtle no-nos:
- Discussing personal preferences, or knowledge of specific locations such as a school, shop or town;
Steve Rambam gave an excellent talk at the HOPE hacker conference which summarizes many of the techniques that you/private investigators/LEA can use to determine someone's identity.
To err is human. As clever as you think you are, all it takes is one connection from your real IP address to de-anonymize you. One day when you're distracted/tired/stressed/drunk/high/panicked/surprised or when something out of the ordinary is happening, you will mess up. Putting up many automated layers of anonymity/security will help protect you from yourself.
External links
- Surveillance Self-Defense
- Surveillance under Surveillance