How to Stay Anonymous Online

As opponents of the mass hysteria and the corrupt institutions which are propagating it, it is critically important that we stay anonymous online. The topic of protecting your identity online is very broad, and it is impossible to cover everything. In this article, however, we at the COVID Anti-Hysterics League do our best to give you a good primer on the subject. It is vital that you also do your own research, and if you really want to retain your anonymity then you must act as though you are paranoid.

With that said, in the cyber security community it is oft repeated that all security is traded off against convenience. It is up to you to decide where the balance point is for you. For the lay person it is difficult to make an informed decision because you may not be fully aware of what is possible to do with identity tracking technology so we will do our best to educate you on this as well.

How Companies and Countries Track You

Tracking cookies, social media accounts, IP addresses, screen resolution, font fingerprinting, and mouse movement analysis are just some of the ways that you can be tracked online. On its own, none of these methods is able to track you perfectly. Tracking does, however, become almost perfect when vast amounts of data are cross-correlated. In other words, by combining all of these methods it is possible for companies and institutions to identify you even if you use your browser’s privacy mode.

The best way for you to understand this is to see it in action. Go to the website https://coveryourtracks.eff.org and your internet browser will be tested to see how easily you can be tracked online. You may be surprised by the results. Keep in mind also that this website does not have access to your social media accounts. To get a feel for what can be accomplished with this, you can request the information that Google retains about you by going to https://support.google.com/accounts/answer/3024190?hl=en (Warning: you may find this disturbing).

IP Address

Your IP address is a number which your computer, phone or tablet uses to connect to the internet. Any website or computer on the internet which you connect to will see your IP address. With most internet service providers (ISPs) your IP address will change occasionally (somewhere between every few hours and every few months, depending on the ISP), and so it is not, on its own, a perfect way for companies to track a person. A government, however, may be able to identify you using only your IP address if it can subpoena or otherwise obtain the records from your ISP.

There are three options for protecting your IP address:

  1. Use a reputable VPN which doesn’t keep logs.
  2. Use the TOR browser.
  3. Use coffee shop or other public Wifi.

VPN

A VPN works by routing your traffic first through the VPN provider’s servers and then to the website that you are trying to connect to. This way, the IP address which is seen by the websites you are connecting to is shared with hundreds or thousands (depending on the popularity of the VPN provider) of other users, all coming from the same VPN server.

Upsides of using a VPN:

  • Your IP address cannot be used to identify you (unless the VPN provider is not very popular, in which case you can be identified anyway).
  • Most major sites do not block reputable VPN servers.
  • Your ISP cannot see which sites you are connecting to.
  • Protects all of your internet traffic, not just browser traffic.

Downsides of Using a VPN:

  • Many users of VPNs have a false sense of security that their identity is protected online no matter what they do. This is not true. If you log into a social media or email account through your VPN, use your usual web browser without privacy enabled, use an insecure operating system, use a website which has no encryption, or are otherwise careless then you can be identified just as easily as anyone else.
  • If your VPN provider keeps logs, then you can still be identified if those logs are subpoenaed or otherwise released by the VPN provider. In fact, this could make it even easier to track you if the VPN provider keeps more detailed logs than your ISP. This is why it is important to do your research, and ensure that your VPN provider does not keep logs. I personally recommend Private Internet Access after the company was tested in court and it was confirmed that the company does not keep logs (you might also try a provider based in Scandinavia or another country which is not a member of the Five Eyes).
  • Even a VPN provider which does not normally keep logs may be coerced to make a specific exception to track you personally.
  • Some VPN servers are blocked by major websites or will become very inconvenient to use.
  • Your identity could still be revealed using sophisticated statistical techniques by an adversary (such as a government) who is able to cross-correlate your upstream ISP traffic with the downstream VPN traffic.
  • VPNs are becoming very cheap, but still they are not free.

TOR

TOR (the onion router) works by taking your internet traffic on a random path over many different routers on the internet. Because of the random path and the sophisticated encryption techniques used, no individual router is able to learn all of the following at once: where your traffic originated from, where it is going, and what it contains.

Upsides of using TOR:

  • Due to the sophisticated encryption technology there is zero risk that any individual router on the network which is malicious and is trying to keep logs can reveal your identity (if many of the routers are compromised, however, then this is no longer true).
  • Although, like VPNs, it is possible for a government to defeat TOR by taking over servers or by using sophisticated statistical techniques, in practice it is unlikely for a government to risk using these techniques on a low priority target (such as what you probably are). The reason is that if a government decided to prosecute you using evidence collected with such techniques then it would be revealing to the entire world that it is both able and willing to use these techniques to defeat TOR. The end result, then, would be that high priority targets (such as legitimate national security threats) might stop using TOR, or the developers of TOR might fix the issue that led to your prosecution.
  • According to the Snowden Leaks, the United States government had been unsuccessful in compromising TOR (however this was many years ago, and by now they may be able to compromise TOR).
  • If you are not concerned about governments tracking you, then TOR will be extremely effective at defeating tracking by corporations or individuals.
  • Beyond using the TOR network, the TOR browser contains many privacy protecting technologies which are not available in Firefox (which the TOR browser is based on).
  • Using TOR, you can access hidden services on the TOR network (websites which can not be censored and which cannot be accessed from the internet without TOR).

Downsides of using TOR:

  • You may attract additional attention by using TOR. Although they may not be able to see your IP address, or your traffic, it will be pretty obvious to your ISP that you are using TOR (although use of a TOR bridge may help with this) and this may be enough to make you into a target.
  • Use of TOR slows down your internet traffic significantly.
  • A great many sites block TOR traffic or will become very inconvenient to use over TOR.
  • TOR cannot protect all of your internet traffic (unless you really know what you’re doing).
  • TOR is subject to the same sophisticated statistical techniques to reveal your identity as a VPN, although these techniques may be more effective on TOR considering the relatively low number of users.
  • It is critical to use only HTTPS encrypted websites when using TOR because your TOR exit node (the final router in the TOR network path) will be able to view all of your traffic unless it is HTTPS encrypted. This is harmless if the unencrypted traffic contains no identifying information (and remember that the exit node does not see your IP address) but instantly reveals your identity otherwise. Malicious exit nodes are an unfortunate reality of using TOR and so you must always be vigilant in ensuring that your traffic is HTTPS encrypted.

An additional note about using the TOR browser:

Please respect the warnings about using the default window size. These are actually quite important!

Coffee Shop or Public Wifi

With coffee shop or public wifi, your IP address is protected because your address will appear as the address of the establishment that you are visiting. If you are a regular to the establishment, however, and there are not many customers, then you may be identified nonetheless.

Upsides of Public Wifi

  • Convenient
  • Difficult to track if used only once or a few times.

Downsides of Public Wifi

  • Your geographic area will still be revealed. Because IP addresses can be traced back to general geographic areas, it will be possible to trace you back to your rough geographic area if you use the Wifi of a nearby coffee shop.
  • With repeated use of the same public WiFi network your identity will probably be revealed anyway.

Web Browsers

Do not use Google Chrome or Internet Explorer, period. Do not use Safari unless you are on iOS (although you should try to stay away from mobile devices when security is important). My personal recommendation is to use Firefox. Although the developers of Waterfox or the Brave Browser have a stronger ideological commitment to privacy and freedom, their development teams are much smaller and you are therefore more susceptible to security vulnerabilities which may get you hacked (and thereby reveal your identity). You should also use the private browsing mode whenever possible, although keep the following in mind:

  1. Private browsing mode does not protect you if you log in to your social media accounts. If you log in to one social media account (or Google) in your private browsing mode browser then you will be logged in (and therefore trackable) until you close the private mode window.
  2. Even with the private browsing mode, you are still subject to some privacy defeating techniques such as font fingerprinting, mouse movement fingerprinting and browser resolution fingerprinting. Note that the TOR browser (which is based on Firefox) is able to mitigate or defeat these techniques.
  3. Private browsing mode helps to minimize tracking cookies and other tracking techniques, but if you don’t close the browser (every tab) and restart it every now and again then it will begin to accrue tracking cookies like any browser.

Encryption/HTTPS

Encrypted data is data which cannot be viewed by anybody who does not have the proper decryption key. So, naturally, you want your internet traffic to be encrypted and only the intended recipient (the website you are connecting to) should have the key. HTTPS accomplishes this. You can tell if your connection is HTTPS encrypted by the little padlock icon beside the URL in your browser. If the padlock is not present (or is crossed out) then anybody located between you and the website (such as your ISP or VPN provider) can see everything that you are sending to, and receiving from, the website that you are connected to. It is extremely important that your traffic is HTTPS encrypted when you are sending or receiving any sensitive information and especially when using TOR or a VPN (because otherwise the TOR exit node or your VPN provider will be able to log all of your traffic).

You may also want to try out the add-on HTTPS Everywhere to minimize the risk of having your identity revealed by way of failing to use adequate encryption.

In addition to encrypting your internet traffic, it is also a good idea to use full disk encryption of the data stored on the computer or mobile device (I leave it up to you to research how to do this) which you are using to engage in sensitive activities so that your data cannot be read without your encryption key. You should also favor services which use “client side encryption” for data that you upload because this means that not even the company which you are sending your data to can read your data.

Ad Blockers and Privacy Add-ons

Browser plugins which block ads (such as uBlock Origin) or scripts (such as NoScript) can be very useful for blocking unwanted content, reducing page download times or circumventing hackers. However, they can also be used to fingerprint you. Because not everyone uses these add-ons, it is possible to reveal your identity by testing your browser for which ads or scripts are blocked. If you are the only one, or one of very few people, who blocks a certain set of ads or scripts then it will be possible to know your identity.

The use of ad blockers is becoming more and more common and so it is becoming less and less of a risk that you will be fingerprinted by your use of an ad blocker. However, if you do decide to use an ad or script blocker, then in order to maintain your anonymity you should always use the default settings so that you cannot be fingerprinted by way of a unique host block profile.
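
The cross-correlation described under “How Companies and Countries Track You” and the block-profile fingerprinting described above both come down to counting how many browsers share your attributes. The following is an added example, not part of the original article; the visitor sample, the attribute names and the font-set labels are constructed for illustration.

```python
import math
from collections import namedtuple

# Attributes a site can read without any cookie (names are illustrative).
Browser = namedtuple("Browser", "resolution fonts blocker")

# Constructed sample: 15 other visitors seen by a hypothetical tracker.
# "fonts" labels the installed font set, "blocker" the ad-block profile.
OTHERS = [Browser(*row.split()) for row in """
1920x1080 B default
1920x1080 B default
1920x1080 A none
1920x1080 A none
1920x1080 A default
1920x1080 C none
1920x1080 A none
1366x768 B none
1366x768 A none
1366x768 A default
1366x768 C custom
1366x768 A none
2560x1440 C default
2560x1440 C default
2560x1440 A none
""".strip().splitlines()]


def anonymity_set(visitor, others, attrs):
    """Browsers (visitor included) that look identical on the given attributes."""
    key = tuple(getattr(visitor, a) for a in attrs)
    return 1 + sum(tuple(getattr(o, a) for a in attrs) == key for o in others)


def bits(visitor, others, attrs):
    """Identifying information in bits: log2(population / anonymity set)."""
    return math.log2((len(others) + 1) / anonymity_set(visitor, others, attrs))


def report(visitor, others):
    """One row per attribute, then a final row for all attributes combined."""
    rows = [(a, anonymity_set(visitor, others, [a]), bits(visitor, others, [a]))
            for a in Browser._fields]
    rows.append(("combined",
                 anonymity_set(visitor, others, Browser._fields),
                 bits(visitor, others, Browser._fields)))
    return rows


if __name__ == "__main__":
    # Same machine twice: once with a customised block profile, once with defaults.
    for label, blocker in (("custom block lists", "custom"),
                           ("default settings", "default")):
        me = Browser("1920x1080", "B", blocker)
        print(label)
        for name, size, b in report(me, OTHERS):
            print(f"  {name:<10} shared with {size:>2} of {len(OTHERS) + 1}"
                  f"  ({b:.2f} bits)")
```

No single attribute isolates the visitor in this sample, but the three together do when the block profile is customised; with default blocker settings the same browser stays hidden among others.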

Email

Most free email providers can and do read the contents of your emails. Gmail, for instance, scans your emails in order to better target you with advertisements. Google claims that it is only automated systems, and not individual people, who will have access to your emails. Regardless Google, and social media in general, have shown that they are more than willing to violate people (by censoring, covertly manipulating etc.) so long as they feel that it is for a good enough cause. And judging by their actions, these people certainly do feel that covid is a good enough reason to justify basically anything. Nonetheless, Google will certainly give up all of your information (including your emails) if it is subpoenaed (or in some cases just if the government asks nicely).

Thankfully, Protonmail is a free email service (with optional paid services which you may purchase if you wish to support the company) which takes your privacy seriously. All mail going through Protonmail is encrypted end to end. Your emails are still stored on Protonmail’s server, however, so they can be read by governments with a subpoena. This problem is resolved if you opt to provide Protonmail with a second password to be used to encrypt your mailbox (which we highly recommend that you do) so that not even the government or Protonmail themselves will ever be able to see your email. You can get started switching to Protonmail today by forwarding your email to a Protonmail account which you can make now for free (or you could set up a separate Protonmail account to use for sensitive activities).

As an aside, it is good to be stingy with your email address because your email address can be used to link together virtual identities in order to track you. Don’t give out your main email address to advertising or social media companies or to anyone who might want to sell your information or use it for marketing purposes. If it’s for something that you really need, use a second email address instead.

Social Media Accounts

Your social media accounts, including but not limited to YouTube (i.e. Google), Facebook, Instagram, Twitter and Reddit, are used to track you online. In fact, these companies can and do track you even when you are logged out of social media or are using private browsing mode (by using the techniques we discussed earlier in this article). These companies may even be tracking you if you don’t use any social media at all because somebody who knows you may have, knowingly or unknowingly, uploaded your information to a social media company. For instance, Facebook (who also owns Instagram) famously got caught harvesting phone numbers from the contact book of any users who installed the Facebook app on their mobile phone (which means that Facebook probably has your phone number).

To protect yourself from this, it is best to simply not use social media if you can help it, but if you decide that you must use social media anyway, then please read on. If you are uploading information about yourself which you know can be used to identify you (such as photos of yourself) then you need to understand the risks, and be very careful. First of all, you should understand that in addition to advertising companies building up a detailed psychological profile of you, you are opening yourself up to the possibility of being identified by facial recognition technology by anyone with access to a social media photo database (although realistically this may not be something that you can avoid). This means that you should try to minimize and be very selective about what you post online. Also, although it is by no means sufficient to protect you, it is important to thoroughly research the privacy settings of your social media provider (because often these settings are hidden or deliberately difficult to understand) and then restrict what the company can do with your data as much as you can. If you do not intend to post identifying information, however, then you should always use a separate, private email address to sign up, always use TOR or a VPN and private browsing mode to access social media sites, and never install the mobile app on your phone or give out your phone number.

Search Engines

Don’t use Google search. Google is an advertising company whose entire business model is to profit from your data. Best is to use DuckDuckGo (other search engines may not be trying to profit from your information but, aside from Startpage which is also excellent, they do not take your privacy as seriously as DuckDuckGo and are willing to censor information for political purposes).

DuckDuckGo is not as good as Google search for finding some things, however, so if you really must use Google, only use it after first trying to search with DuckDuckGo and only use it to search for innocuous things which are in no way politicized. By using the other privacy protecting measures in this article, you are minimizing the chances that you will be tracked.

Also keep in mind that you can (and should) change the default search engine used by your browser. When you type anything other than a website URL into your browser’s address bar you are sending what you type to a search engine (and you don’t necessarily even have to hit ‘enter’). Usually this search engine is Google, but in most major browsers you can fix this, and change your default search engine to DuckDuckGo.

Mobile Phone (SMS) Verification

Increasingly, websites ask for your phone number when signing up for their services. They claim that this is for your security, but in reality it is only very naive companies who use your phone number exclusively for this purpose (because SMS is a very weak form of second factor authentication). Primarily, companies ask for your mobile phone number for one (or both) of two reasons:

  1. For whatever reason, they want to prevent people (or bots) from being able to create more than one account (or at least, the company will know that you have done this and be able to tie the accounts back to you).
  2. To directly track you and obtain more information about you (by cross-correlating your phone number with other services or looking up any publicly available information about your phone number such as your name or address).

In either case, you are losing a portion of your privacy.

To protect your identity, use a service such as Text Verified to purchase a cheap phone number which can be used to sign up for a website. Note that all of the legitimate services do, unfortunately, cost money.

Payment

Wherever you use your credit card (or PayPal) to purchase anything online, you are creating an undeniable record of your activities. Fortunately, this information cannot normally be legally shared between companies in most democratic countries (although you are still giving up your real name and address to the companies which you are paying), but a government who wants to target you will be able to obtain these records (and given the trend this year, it is entirely conceivable that this process is made continually more easy and convenient).

Your options to address this are, however, unfortunately quite limited. You might try paying using prepaid credit cards although it is increasingly difficult to obtain these cards without giving your personal information in the process and it is increasingly common that these cards are blocked online. You might also try crypto currency, however with crypto currency, due to the use of blockchain technologies and (purportedly) anti-money-laundering legislation, it is often even easier for people to trace your purchases back to you. With a considerable effort it is possible to use crypto currencies anonymously (this is something which changes over time and varies across the various crypto currencies so we leave it up to you to research the details yourself) although you must be very careful not to accidentally draw extra attention to yourself in the process. What crypto currency is very useful for, however, is avoiding financial censorship, because with crypto currencies you are able to maintain a greater deal of control over your money because it is possible (although not very convenient) to keep your own personal crypto wallet (and if you keep your crypto in an online wallet you always have the option to transfer your money to a private wallet later if you need to pay for something politically sensitive).

Operating System

Simply do not use Windows or Mac for anything politically sensitive if you can avoid it. Not even if you are merely storing the information on your hard drive. Like with social media, you should do your research to learn about the various settings that you can tweak to improve your privacy (and for an operating system there are usually many such options) but in the end, simply do not use Windows or Mac (although Mac is likely better than Windows) for anything of a politically sensitive nature if you could not tolerate what happens when your data leaks out. The Snowden leaks, along with the companies’ own EULAs, show that these companies are perfectly willing to collect your data, sell it, and/or share it with the authorities. They do not work hard to protect your privacy. Instead you should use a flavor of Linux (such as Linux Mint which comes preinstalled with Firefox). Although it may not be as convenient as using Windows or Mac, you do not need to be an IT nerd to install and use Linux (just keep in mind that Linux may not be able to run all of the software that you need and so you may need to have multiple devices or use dual boot). Because Linux is 100% free and open source it is also (mostly) free from the influence of the institutions which want to track you and also has a reputation of being more secure than either Windows or Mac.

For mobile, you should prefer iOS over Android. Google owns Android and Google has a vested interest in collecting your data which Apple does not share. With that said, Apple is still not a company which you should be trusting with your data if you can help it. It is unfortunately true, however, that there are some things which simply must be done on a mobile device, so if you must do something sensitive on Apple: install and run a VPN app, check your privacy settings, and minimize the sensitive data which goes through your phone.

Finally, if you are really paranoid, or if you like the idea of being able to use Linux for privacy without installing it to your hard drive, you might try out Tails Linux. Tails is a flavor of Linux which you do not install, but instead run directly from a USB stick. Tails comes with the TOR browser preinstalled and is entirely built from the ground up for the purpose of protecting your security. For all the upsides of using Tails, there are also considerable downsides, however, in that Tails limits your computer’s performance and storage capacity, forces you to use TOR (which, as discussed, is not always appropriate for protecting your security) and potentially paints you as a target (it is rumored that you will be put on a government list for even searching for Tails).

Password Managers

If you are handling your privacy well, you will be in need of a good password manager such as KeePass or LastPass. A password manager helps you to pick very strong passwords (which are a must for protecting your encrypted data and online accounts) while also never reusing a password (which can also be used as a way to identify you) and ensuring that you can never forget your passwords so long as you always remember the master password. This last point is very important because, if you are doing a good job of protecting your identity, then you will have no way to verify your identity in the event that you forget a password (unless perhaps you still know the password of the email account you used for signup).

Password managers also encrypt the passwords that they store, which means that if you lose your master password then your information is gone forever. So, unless you are very confident that you can remember your password, or you can tolerate the loss of all of your anonymous accounts, you should write your master password down and store it in a (very) secure location. If you are using an offline password manager you should also back up your password database (since it is encrypted it is fine to back up to an online service as long as you pick a strong master password). If you are using an online manager be sure that you trust them with your data and make sure that they use client side encryption.

Finally, you will still need to have a strong but memorable master password in case your password database falls into the wrong hands. Humans are notoriously bad at picking passwords so it is best to use a method such as Diceware to pick a strong password which is also memorable and not too difficult to type.
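
How a Diceware-style passphrase is built and how strong it is can be shown in a few lines. This is an added example, not part of the original article; `DEMO_WORDS` is a constructed 36-word list (two dice per word) used only so the code runs offline, whereas a real Diceware list has 6^5 = 7776 words selected with five dice each.

```python
import itertools
import math
import secrets

# Constructed demo list: 36 words, i.e. two dice rolls select one word.
# A real Diceware list holds 7776 words (five rolls per word).
DEMO_WORDS = ("acid bark calm dune echo fern glow hush iris jade kelp lamp "
              "mint nest opal pine quay reef silk tide urn vine wasp yarn "
              "zinc atom brew clay dove elm fig gull hawk ink jar kite").split()


def build_table(words):
    """Map dice keys such as '36' to words; the list must hold 6**k unique words."""
    dice = round(math.log(len(words), 6))
    if 6 ** dice != len(words) or len(set(words)) != len(words):
        raise ValueError("word list must contain 6**k unique words")
    keys = ("".join(p) for p in itertools.product("123456", repeat=dice))
    return dict(zip(keys, words)), dice


def roll(dice):
    """Simulate fair dice with the OS random source (not the 'random' module)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(dice))


def passphrase(words, n_words):
    """Pick n_words independently and uniformly, one dice key per word."""
    table, dice = build_table(words)
    return " ".join(table[roll(dice)] for _ in range(n_words))


def entropy_bits(list_size, n_words):
    """Strength when the attacker knows the list and the number of words."""
    return n_words * math.log2(list_size)


def words_needed(list_size, target_bits):
    """Smallest number of words that reaches the target strength."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print("demo passphrase:", passphrase(DEMO_WORDS, 6))
    print(f"6 words from 7776: {entropy_bits(7776, 6):.1f} bits")
    print("words for 80 bits from a 7776-word list:", words_needed(7776, 80))
```

The strength comes entirely from the random rolls, so words must not be re-rolled or rearranged to make the phrase look nicer.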