Have you actually tried to set up an anonymous gmail account recently? Because I think you'll find that it is borderline impossible. Gmail's algorithms end up requiring SMS authentication when you're working over tor, which essentially deanonymizes you or requires the additional step of getting a burner phone for SMS; neither of which is good and probably will get you on all sorts of lists...
You still need to create an email account with a host who is at least semi-aware of the importance of privacy and cryptography (e.g., not Google). You can't make new Google Accounts from Tor nodes without additional verification (your phone number); same is likely to be true of all major email services.
Accessing your Gmail through Tor and thinking that makes you "anonymous" is just going to tell everyone that you failed at being sneaky.
It is extremely easy to create an anonymous number already, let alone a gmail account. A friend of a friend daisy chains anonymous numbers with physical burners for a "proxy" effect.
I've tried before to set up even somewhat anonymous identities online -- not for law-evasion purposes, just for things like working on anti-spam tools.
It's difficult, and I've noticed recently that it's getting worse.
It used to be you could open a hotmail (or gmail) account pretty trivially without using any real personal info.
But lately these email services have started requiring you to link a phone number, and/or an alternative email address... in theory these are to reduce lockouts, account hacking, etc. -- and they really can help -- but they also mean it's far easier to connect those email addresses with a real person.
I had a gmail address that was "anonymous", linked to some content I was hosting on Google Pages and participation in discussion lists, etc.
Then one day YouTube accounts were merged into Google accounts; and I happened to be logged into the anon google account (and youtube) simultaneously. There was one prompt that I didn't read carefully... and then my public YouTube account that was obviously me was permanently, irrevocably linked to the anon gmail account.
Whoops.
I don't have any pressing need nowadays for an anonymous persona online, but I'm inclined to try again at some point, just because it's something I feel should be still possible.
Tor is amateur hour. The Feds can easily deanonymize things where a server is up 24/7 servicing requests.
The author of this article is also very wrong: Anonymity is not on a spectrum. It’s all or nothing. Like a Mario game where any mistaken encounter makes you start over (and that’s if you don’t get in trouble for what you did).
First step is to understand that any system could be bugged. Every IRL confidant could sell you out. Every keyboard could have a keylogger, etc. Every store could have a security camera. Phones are giving out their MAC numbers to every cell tower and wifi radio. They now have chips you can’t turn off, and so forth.
You should also assume there is no such thing as an “anonymous” account and that every service COULD sell out whatever information you gave it. (Yes, even Telegram or ProtonMail, however unlikely that may be.)
The below is a playbook for how to become truly anonymous. Continue to live your everyday life but the below is only for your “anonymous” identities, which you can gradually bootstrap as a hobby:
The first thing you do, therefore, is bootstrap your identity by taking advantage of unlinkability that is available to you. Buy a bunch of Android phones on Craigslist for cash, for example. (Or pay a homeless guy to buy a phone in a store for you.) Do not use SIM cards at all, only WiFi. Never take photos, etc. Keep your phone off or in a faraday cage until you use it. For extra points, always use it through a VPN on WiFi at home, which you purchased using the accounts below:
Then make an anonymous google account on the Android phone. Make some ProtonMail account using such an anonymous Google account. Now you can bootstrap from email addresses.
Buy some Google Play gift cards and download some apps to get a second number. Now you can bootstrap from a phone number. Sign up to Telegram, Signal and other accounts using this. Now you have end to end encrypted messaging.
Frankly, though, realtime messaging is a bit of a luxury to continue to stay in normie world. To stay truly anonymous, you should continue to:
1. Schedule posts and mail send/receive at random times. Do not ever use realtime audio or video because it might be recorded. You might make an exception for early days of your projects when people would have no reason to go out of their way to record you — just to give them confidence you’re a real person. But afterwards, stop doing that. Let the people build your movement for you.
2. Never mention your anonymous identity or projects from your real one, and vice versa. This means your anonymous identity MUST NEVER have confidants or colleagues IRL. Build up a network of colleagues who are “fronts” for what you do. Eventually you can step back and let the movement do things for you.
3. Pay and get paid in cryptocurrency. Have smart contracts send you the money (think Richard Heart’s Hex origin address, but actually anonymous).
4. You will only ever be able to spend the crypto on paying people for services and DeFi protocols. You can never cash out to fiat, because the IRL purchases catch up with you when they follow the money. There is a surprising amount of online services you can spend $97 million dollars on, while staying anonymous ;-) If you really do need to spend money IRL (because you went broke somehow in your everyday life) then you can cashout using cross-chain bridges and Monero to pay for goods. But still, never get ostentatious wealth IRL!
5. The weakest link then becomes your writing or coding style. Never publish any code or writing, let others do it for you. Make your communication to others from your anonymous identity sufficiently different that anything saved later would not identify you (this is the weakest link, but you can consider “playing a character” when speaking to others).
6. Any private keys that you used to sign your messages can be periodically published in some conspicuous place, effectively giving you plausible deniability about all your previous and future posts. It’s hard to prove a negative (that no one else has access to your private keys before your public disclosure.)
I imagine the challenge is that there are plenty of people who would use Tor to create hundreds, if not thousands of accounts not personally linked to them, if they are able.
Whereas if you wanted just one anonymous Twitter account badly enough, you could get a burner prepaid cell phone using cash (make sure to not turn it on at home or at work).
It's even worse - simply using the same wifi point as your other Google accounts or even your friends will deanonymize you.
Trustable local software (so not GApps/Android) and a mix network is the only way to get anonymity.
I'd personally like to see communication apps that use TOR for messaging, with the option to explicitly break anonymity for voice calls - leaving your location untracked most of the time.
If you want anonymous mails, setting up a normal server isn't good enough. You'd need an anonymous remailer like Mixminion to get even a basic level of privacy. But development on anonymous mail software stalled ten years ago. There doesn't seem to be much interest.
Ooof, yeah. I was trying to make a new, purely anonymized identity. Went through an anonymized bitcoin VPN with TOR on top. Registered an email through Protonmail.
Pretty much no social media platform will accept Protonmail as an address without also having a phone number.
Got banned from Discord within 3 hours, literally all I'd done was send three friend requests and join one discord. My IP was rotating and I then needed to have 2-factor authentication (and protonmail wasn't allowed, I needed that phone number).
So, I went out and bought a burner phone, cash, with a 1-year prepaid account. Got it set up over a wired proxy with all radios turned off. Now at least I had a Google account! (they also require a phone number)
And Discord proceeded to reject it, because I needed to have a 'real' phone number from a major carrier.
I essentially needed to craft an entirely new identity if I wanted to be truly anonymous. It was eye-opening how invasive and pervasive the 'track you down to a real identity' accounts have become.
You can create anonymous accounts with Tuta through Tor and they don't ask for a phone number or contact email address. They even made a tutorial video on YouTube a few weeks ago for how to do it: https://youtu.be/oXv3llPIfvo
If you continued using the account only through Tor, there wouldn't be any traceable info.
Twitter as well. Try to make a new account in an incognito window without providing your phone number and you'll either be stopped from completing initially or find the account blocked before you've interacted in any way.
And if we're talking about real anonymity, lots of the internet is blocked off if you use TOR, whether by the site itself or some cloudflare or whatever CDN or hosting service.
There is no bulletproof way to be anonymous online. Though we’re here to help protect you from the malicious websites, data collection and exploitation that exist in our online world, the fact that you’re using the internet means that you can’t be safe from everything.
How can you become anonymous on the Internet?
1. Use an encrypted messaging app
Instead of sending a text message to a friend on your Android, use an encrypted messaging app like Signal.
2. Use an encrypted browser
Instead of using Chrome or another browser from a large tech company, use safe Google alternatives and protect your data.
3. Use a VPN
VPNs hide your browsing history so your internet service provider (ISP) can’t see any of your online activity.
4. Use secure email services
We’re so used to the Google ecosystem that we use Gmail as our personal email provider. Google keeps all of our private emails on its servers. Better watch out for better alternatives.
5. Use a temporary email
Use a temporary email address or use a safe email service like Fastmail, Zoho Mail, and Tutanota.
6. Use encrypted storage
We store all of our documents, photos, and files in Google Drive, which certainly isn’t a good choice in terms of privacy. There are definitely plenty of trustworthy cloud storage services like Internxt, Box, and SyncThing.
7. Check app permissions
We’re all guilty of mindlessly accepting an app’s terms and conditions, but before you do, see what permissions the app has.
8. Read privacy policies
Check what data a website or app collects, shares, and/or sells before you use it. Many companies sell users’ personal information to third parties for marketing and advertising purposes, which is not conducive to privacy, let alone anonymity.
9. Use ad blockers
Adware is the software that places ads across your computer, phone, or tablet, but even if you don’t have adware, most websites and apps have some form of advertising, which can get annoying.
10. Don’t use voice assistants
Amazon employees have admitted to listening to Alexa recordings, and there was a hidden, undisclosed microphone in the Google Assistant-compatible Nest Secure security system. Your best action is to manage devices and their features manually.
11. Stay off social media
Although social media is essential to socialize and connect with our friends, it is a platform that can collect your information and may use it against you.
12. Use a proxy
Unlike VPNs, proxy servers encrypt only your device’s IP address, not your web traffic, making them less secure.
13. Check for HTTPS
Only go on websites whose URLs start with “HTTPS” rather than “HTTP.” HTTPS, which stands for “hypertext transfer protocol secure,” uses a secure sockets layer (SSL) to encrypt all of the communication between your browser and the websites you visit, while HTTP does not.
14. Disable cookies
Cookies are the data about your online activities that shape targeted ads; sometimes they’re anonymized and aggregated, but sometimes they’re not. It is important to disable them to avoid these data farmers.
15. Don’t use Google
Google tracks everything you search online, which can be very personal information. Use a search engine like DuckDuckGo, Startpage, and Neeva, which don’t harvest your personal information to create targeted ads.
16. Use a password manager
Create a unique and secure password for all of your online accounts. You may also use Roboform to safely encrypt your password.
17. Avoid spam
Avoid clicking on any unfamiliar messages, emails, or websites.
18. Use private instances
Private instances can be used by a select group of people that you are close with.
The internet was created to be a place where people could search for information freely, without fear of repercussions. However, with the monetization of our attention comes a total lack of privacy, as we’re surveilled online constantly.
First off, I totally get the abuse angle. Most of my specific complaint with my own experience wasn't over Google's challenge process to my attempted Tor access. Rather, it was over the company's policies and procedures for account recovery. Multi-factor auth is well and good, but I've yet to find a way to activate an option other than phone-based auth without providing Google with a phone number. Which for a number of valid reasons I cannot or will not do.
(Grosse states that "you should not even have to give us a phone number", and that there are internal debates on the subject. Yay.)
More specifically, the problem is that the question "Who are you?" is proving to be the most expensive operation in all of computing. Because you're fucked either way you get it wrong. Lock someone out when you should let 'em in, and you're fucked. Let someone in when you should've locked 'em out, and you're fucked. And all you get to look at is 1s and 0s on the wire.
I detail that in more length in this comment to my dreddit post:
(I'll also note that Grosse specifically notes that PKI works great, ahem, Yonatan Zunger....)
So: first, Google's really got to revise and fix its account recovery processes.
But that identity thing: Grosse goes on at length noting that Tor exit nodes aggregate a lot of traffic activity, and that Google effectively relies strongly on IP address as an indicator of identity.
The fair, and anonymous, reputation systems mentioned above are specifically intended to work over Tor. Which is to say, people are tackling the problem. Nothing in Grosse's presentation gave any indication that he's aware of this fact. For sheer technical competence reasons, he should be.
You actually can't use Craigslist over Tor, so it's not anonymous. Also, your contact details can be leaked in their email relay system. If your name in your Gmail account is Jane Doe, the other person will receive an email from a Craigslist domain with your name as the sender... so just be careful.
Here’s my plan: Tor browser inside a Linux VM running on a computer that is connected to Mullvad VPN. No private messaging on Twitter whatsoever. With anonymous account, I plan to not provide any personal details, so even if someone has access to “my” data it won’t do anything. Still think it’s a bad idea? Curious to know your thoughts. Thanks!