A technical guide to anonymous blogging – a very early draft

The Electronic Frontier Foundation posted an excellent guide to safe blogging a few days back. While the guide is quite rich in tips to ensure you don't reveal too much personal information while blogging, it doesn't look very closely at the technical issues associated with keeping a blog private. I decided to write a quick technical guide to anonymous blogging, trying to approach the problem from the perspective of a government whistleblower in a country with a less-than-transparent government. What follows is a first draft – I'll be posting it on the wiki as well (in a day or two) and will be grateful for comments, corrections and input.


Sarah works in a government office as an accountant. She becomes aware that her boss, the deputy minister, is stealing large amounts of money from the government. She wants to let the world know that a crime is taking place, but she's worried about losing her job. If she reports the matter to the Minister (if she could ever get an appointment!), she might get fired. She calls a reporter at the local newspaper, but he says he can't run a story without lots more information and documents proving her claims.

So Sarah decides to put up a weblog to tell the world what she knows about what's happening in the ministry. To protect herself, she wants to make sure no one can find out who she is based on her blog posts – she needs to blog anonymously.

There are two major ways a blogger can get caught when she is trying to blog anonymously. One is if she reveals her identity through the content she publishes – for instance, if Sarah says, “I'm the assistant chief compliance accountant to the Deputy Minister of Mines,” there's a good chance that someone reading her blog is going to figure out who she is pretty quickly. The Electronic Frontier Foundation's guide, “How to Blog Safely”, offers some great advice on how to avoid revealing your identity with the content of your blog.

The other way Sarah can get caught is if someone can determine her identity from information provided by their web browsers or email programs. Every computer attached to the internet has – or shares – an address called an IP address – it's a series of four numbers from 0-255, separated by dots – for instance: 213.24.124.38. When Sarah uses her web browser to make a comment on the Minister's blog, the IP address she was using is included on her post.

With a little work, the Minister's computer technicians may be able to trace Sarah's identity from this IP address. If Sarah is using a computer in her home, dialing into an Internet Service Provider, the ISP likely has records of which IP address was assigned to which telephone number at a specific time. In some countries, the Minister might need a subpoena to obtain these records; in others (especially ones where the ISP is owned by the government!), the ISP might give out this information very easily, and Sarah might find herself in hot water.

There are a number of ways Sarah can hide her identity when using the Internet. As a general rule, the more secure Sarah wants to be, the more work she needs to do to hide her identity. Sarah – and anyone else hoping to blog anonymously – needs to consider just how paranoid she wants to be before deciding how hard she wants to work to protect her identity. As you will see, some of the strategies for protecting identity online require a great deal of technical knowledge and work.

Step one – psuedonyms

One easy way Sarah can hide her identity is to use a free webmail account and free blog host outside her native country. (Using a paid account for either email or webhosting is a poor idea, as the payment will link the account to a credit card, a checking account or paypal account that could be easily linked to Sarah.) She can create a new identity – a psuedonym – when she signs up for these accounts, and when the Minister finds her blog, he'll discover that it belongs to “A. N. Ymous”, with the email address anonymous.whistleblower@hotmail.com.

Some providers of free webmail accounts:

  • Hotmail
  • Yahoo
  • Hushmail – free webmail with support for strong cryptography

    Some providers of free weblog hosting:

  • Blogsome – free WordPress blogs
  • Blogger
  • Seo Blog
  • Here's the problem with this strategy – when Sarah signs up for an email service or a weblog, the webserver she's accessing logs her IP address. If that IP address can be traced to her – if she's using her computer at home, or her computer at work – and if the email or weblog company is forced to release that information, she could be found. It's not a simple matter to get most web service companies to reveal this information – to get Hotmail, for instance, to reveal the IP Sarah used to sign up for her account, the Minister would likely need to issue a subpoena, probably in cooperation with a US law enforcement agency. But Sarah may not want to take the risk that she could be found if her government can persuade her email and weblog host to reveal her identity.

    Step two – public computers

    One additional step Sarah could take to hide her identity is to begin using computers to make her blogposts that are used by lots of other people. Rather than setting up her webmail and weblog accounts from her home or work computer, Sarah could set them up from a computer in a cybercafe, a library, or a university computer lab. When the Minister traces the IP used to post a comment or a post, he'll discover that the post was made from a cybercafe, where any number of people might have been using the computers.

    There are flaws in this strategy as well. If the cybercafe or computer lab keeps track of who is using what computer at what time, Sarah's identity could be compromised. She shouldn't try to post in the middle of the night when she's the only person in the computer lab – the geek on duty is likely to remember who she is. And she should change cybercafes often. If the Minister discovers that all the whistleblower's posts are coming from “Joe's Beer and Bits” on Main Street, he might stake someone out to watch the cybercafe and see who's posting to blogs in the hopes of catching Sarah.

    Step three – anonymous proxies.

    Sarah's getting sick of walking to Joe's cybercafe every time she wants to post to her blog. With some help from the neighborhood geek, she sets up her computer to access the web through an anonymous proxy. Now, when she uses her webmail and weblog services, she'll leave behind the IP address of the proxy server, not the address of her home machine… which will make it very hard for the Minister to find her.

    First, she finds a list of proxy servers online, by searching for “proxy server” on Google. She picks a proxy server from the publicproxyservers.com list, choosing a site marked “high anonymity”. She writes down the IP address of the proxy and the port listed on the proxy list.

    Some reliable lists of public proxies:

  • publicproxyservers.com – lists anonymous and non-anonymous proxies
  • Samair – only lists anonymous proxies, and includes information on proxies that support SSL
  • rosinstrument proxy database – searchable database of proxy servers
  • Then she opens the “preferences” section of her webbrowser. Under “general”, “network” or “security” (usually), she finds an option to set up a proxy to access the Internet. (On the Firefox browser, which I use, this option is found under Preferences – General – Connection Settings.)

    She turns on “manual proxy configuration”, enters the IP address of the proxy server and port into the fields for HTTP proxy and SSL proxy and saves her settings. She restarts her browser and starts surfing the web.

    She notices that her connection to the web seems to be a bit slower. That's because every page she requests from a webserver takes a detour. Instead of connecting directly to Hotmail.com, she connects to the proxy, which then connects to Hotmail. When Hotmail sends a page to her, it goes to the proxy first, then to her. She also notices that she has some difficulty accessing websites, especially sites that want her to log in. But at least her IP isn't being recorded by her weblog provider!

    A fun experiment with proxies:
    Visit noreply.org, a popular remailer website. The site will greet you by telling you what IP address you're coming from: “Hello pool-151-203-182-212.wma.east.verizon.net [151.203.182.212], pleased to meet you.”

    Now go to anonymizer.com, a web service that allows you to view (some) webpages through an anonymous proxy. In the box on the top right of the anonymizer page, enter the URL for http://www.noreply.org (or just click this link.) You'll note that noreply.org now thinks you're coming from vortex.anonymizer.com. (Anonymizer is a nice way to test proxies without needing to change your browser settings, but it won't work with most sophisticated web services, like webmail or weblogging servers.)

    Finally, follow the instruction above to set up your webbrowser to use an anonymous proxy and then visit noreply.org to see where it thinks you're coming from.

    Alas, proxies aren't perfect either. If the nation Sarah lives in has restrictive internet laws, many websurfers may be using proxies to access sites blocked by the government. The government may respond by ordering certain popular proxies to be blocked. Surfers move to new proxies, the government blocks those proxies, and so the circle of life continues. All of this can become very time consuming.

    Sarah has another problem if she's one of very few people in the country using a proxy. If the comments on her blog can be traced to a single proxy server, and if the Minister can access logs from all the ISPs within a country, he might be able to discover that Sarah's computer was one of the very few that accessed a specific proxy server. He can't demonstrate that Sarah used the proxy to post to a weblog server, but he might conclude that the fact that the proxy was used to make a weblog post and that she was one of the few people in the nation to use that proxy constituted evidence that she made the post. Sarah would do well to use proxies that are popular locally and to switch proxies often.

    Step four – MixMaster, Invisiblog and GPG

    Sarah starts to wonder what happens if the proxy servers she's using get compromised? What if the Minister convinces the operator of a proxy server – either through legal means or through bribery – to keep records and see whether anyone from his country is using the proxy, and what sites they're using. She's relying on the proxy administrator to protect her, and she doesn't even know who the administrator is!

    Spending quite a long time with the local geek this time, she explores a new option: Invisiblog. Run by an anonymous group of Australians called vigilant.tv, Invisiblog is a site designed for and by the truly paranoid. You can't post to Invisiblog via the web, as you do with most blog servers. You post to it using specially formatted email, sent through the MixMaster remailer system, signed cryptographically.

    It took Sarah a few tries to understand that last sentence. Eventually, she set up GPG – the GNU implementation of Pretty Good Privacy, a public-key encryption system. (In two sentences: Public-key encryption is a technique that allows you to send messages to a person that only she can read, without her needing to share a secret key with you that would let you read messages other people send to her. Public key encryption also allows people to “sign” documents with a digital signature that is almost impossible to forge.) She generates a keypair that she will use to post to the blog – by signing a post with her “private key”, the blog server will be able to use her “public key” to check that a post is coming from her, and then put it on the blog.

    She then sets up MixMaster, a mailing system designed to obscure the origins of an email message. MixMaster uses a chain of anonymous remailers – computer programs that strip all identifying information off an email and send it to its destination – to send email messages with a high degree of anonymity. By using a chain of 2 to 20 remailers, the message is very difficult to trace, even if one or more of the remailers is “compromised” and is recording sender information. She has to “build” MixMaster by compiling its source code, a project that requires a great deal of geek assistance.

    She sends a first MixMaster message to Invisiblog, which includes her public key. Invisiblog uses this to set up a new blog, with the catchy name “invisiblog.com/ac4589d7001ac238″ – the long string is the last 16 bytes of her GPG key. Then she sends future posts to invisiblog, by writing a text message, signing it with her public key and sending it via MixMaster.

    It's not nearly as fast as her old style of blogging. The misdirection of MixMaster mailers means that it takes anywhere from two hours to two days for her message to reach the servers. And she has to be very careful about looking at the blog – if she looks at it too often, her IP address will appear in the blog's log frequently, signalling that she'l likely to be the blog author. But she's reassured by the fact that the owners of invisiblog have no idea who she is… and she now knows more about open-source software than she'd ever wanted to know.

    The main problem with the Invisiblog system is the fact that it's incredibly difficult for mere mortals to use. Most people find GPG a challenge to set up, and have difficulty understanding the complexities of public and private keys. More userfriendly crypto tools, like Ciphire, have been set up to help the less geeky of us, but even they can be tricky to use. As a result, very few people – including people who might really need it – use encryption for most of their email.

    MixMaster is a true technical challenge for most users. Windows users can use an early DOS version of the program by just downloading it. I downloaded and tested it yesterday, and it doesn't appear to work… or perhaps my email is still being remailed back and forth between remailers. Anyone wanting to use the newer version, or wanting to use the program on Linux or Mac, needs to be able to compile the program themselves, a task beyond many expert users. It's possible that Invisiblog would become more useful if it accepted messages from web-accessible remailers, like riot.eu.org – for now, I can't see it as being particularly helpful for the people who need it most.

    There's an additional set of problems with strong encryption in repressive nations. If Sarah's computer is seized by the government and her private key is found, it would constitute strong evidence that Sarah had authored the controversial blog posts. And, in countries where encryption is not widely used, simply sending out MixMaster messages – mail messages wrapped in strong encryption – might be enough to cause Sarah's internet usage to be watched closely.

    Is Sarah's solution – learning enough about cryptography and software to use MixMaster – your solution? Or is some combination of steps 1,2 and 3 sufficient to let you blog anonymously? There's no one answer – any path towards anonymity needs to consider local conditions, your own technical competence and your level of paranoia. If you have reason to be worried that what you're posting could endanger your safety, a combination of steps 1, 2 and 3 is probably not a bad idea.

    Oh, and remember not to sign your blog posts with your real name!

    93 comments

    • anonymous

      I would sure like to know how good TOR is at anonymity.

      • powerbase

        I don’t know. It was invented by the US Navy. Which is Used by hackers to Hack the US Navy and Everybody else, for that Matter. I wrote the Cloud to become a Trillionaire! But because My Teacher not put up a Firewall Between Our Class and the Internet the NSA got my Code in 2001. Aw! And I’ve been doing damage control ever since. I hate TOR because it is too slow. I am the guy in the 24 foot Uhaul Moving Van that tail gates Your ass on the twisty I-40 doing 80 at 11PM+. With my Dad’s green Sonoma and Trailer in tow. Slower Traffic Move Right! Slower Traffic Move Right! Slower Traffic Move Right! And there you are. Doing 55 mph in My Fast Lane! Just because You can read the signs doesn’t make You smart! You Hear Me North Carolina and Tennessee? Nowhere Else in the Appalachians, Right? From what I can tell. TOR is It. Or something Like It. But I will tell You. The Internet is Microsoft Data Center and the Cloud is my Algorithms. Not Java. But Is Java because that is what the NSA Uses. I always assume that when it comes to the Internet. That the NSA can See EVERYTHING! So it Keeps me Honest and Hopefully You Out of Trouble! Anything You get away with Is Gravy! I was sure that some of My Blogs Would have gotten me Assassinated. But then Anonymous Shows Up at Occupy and Hates my Mortal Enemies! Such as Scientology! Cali Gang Stalked me with my Own Algorithms till the day I left CA in 2003! So I wrote Code in Ruby to Atone for their Foo! I could rewrite New Algorithms but I can’t post it in an open forum like I did with Code. Can I?

    • […] [9] Zuckerman, Ethan. “A Technical Guide to Anonymous Blogging – A Very Early Draft.” April 13 2005. http://cyber.law.harvard.edu/globalvoices/?p=125. (14 August 2005) […]

    • […] I am glad I found Blogsome. Now I can have my free WordPress blog. I found this site while browsing the Electronic Frontier Foundation website which had a linked to a page on Global Voices Online. I even found a way to post pictures on this free blog. That’s great! Comments » […]

    • An Onion a Day Keeps the Speech Free

      I don’t want to be overly dystrophic, but these are dark days for free speech. Internet filtering is becoming increasingly common in the world, the regimes are getting better at it and the schemes harder to circumvent.

      This is where Tor, an EFF su…

    • […] Good info: A technical guide to anonymous blogging […]

    • Pingback: FreedomSight

      […] A while ago, the EFF published a guide to anonymous blogging. Global Voices expands on the concept, adding in some more techie stuff. At the moment, I don’t really feel a lot of need to be anonymous. But it’s good to keep these sorts of references around, for when I, or you, do. (Via Brad Spangler, from the LibertyFilter RSS feed.) […]

    • Seo is dead

      When I was in San Jose last summer at the SES convention, I attended a session which dealt with contextual advertising. In the panel was Jason Calcanis and when asked about SEO he said to the audience that he thought “seo was dead”. I w…

    • […] A technical guide to anonymous blogging – a very early draft […]

    • […] A technical guide to anonymous blogging – a very early draft […]

    • sarah

      in your case #3, how often are high anonymity or anonymous proxies “forced” to “trace” the IP address who had accessed website through that proxy? why don’t servers disclose their retention policies? if that is the case, there is no real security in using a high anonymity proxy b/c presumbly coercion of some sort (money, law, etc.) can reveal the tracing of the original query. I imagine this is resolved through chaining requests through proxies in different countries? if sarah sets up a proxy chain of 3 servers, each “high anonymity”, isn’t she pretty safe then?

    Join the conversation

    Authors, please log in »

    Guidelines

    • All comments are reviewed by a moderator. Do not submit your comment more than once or it may be identified as spam.
    • Please treat others with respect. Comments containing hate speech, obscenity, and personal attacks will not be approved.