How can I be truly anonymous while using social media?
November 14, 2020 12:02 PM   Subscribe

Is a combination of secure email and a VPN enough to guarantee privacy?

Where I live, freedom of speech is absent. I feel the need to express my views publicly without the threat of harassment. So I would like to find a way to be active online, on Facebook, YT, Instagram and Twitter, while making sure that my true identity remains concealed. That means I would like to control one online persona that exists on these platforms, but that cannot be traced to me, even by technically resourceful people.

I want the freedom to write emails anonymously and post content. From what I can tell, I'd have to sign up on a service like tutanota or protonmail. In addition, I'd have to use a VPN or Tor.

Assuming speed is not a major issue, which is better - a VPN or Tor? And is there anything else that I'm missing here?

Thank you.
posted by anonymous to Computers & Internet (9 answers total) 13 users marked this as a favorite
I can't advise as to the technological stuff, but depending on your level of concern and the extent to which you think these accounts might be scrutinized, you would also have to be extremely careful as to the content of what you post. Pictures that can be geolocated, mentions of friends or acquaintances, posts that indicate you were at an event or in a certain location at a certain time, social media "friending"/"following" of certain individuals, even writing style or topicality could potentially be part of an effort to trace your identity by actors with sufficient time, resources and will. This would be all the more true if your various social media accounts were linked or linkable under one common online persona. Much more secure for each account to have a different persona.
posted by slkinsey at 12:13 PM on November 14, 2020 [3 favorites]

You should assume that if a major world government wants to find out who wrote a thing on the internet, they can.
posted by potrzebie at 2:25 PM on November 14, 2020 [5 favorites]

Beyond technical tools which are not too hard to find or choose, perhaps more important and tricky is constant personal discipline keeping your two online personas separate. Just takes logging into an email account from the wrong vpn to leave a trail of digital breadcrumbs that could be correlated. Even logging into each account from the same starbucks could be used by sufficiently motivated people to match your accounts up together. And **randomize** do not use the same location with any regularity. Roll physical dice to choose what your location and connection will be that day/session. No patterns.
posted by sammyo at 2:35 PM on November 14, 2020 [1 favorite]

Oh a vpn is probably better than tor as tor is just watched much more carefully.
posted by sammyo at 2:37 PM on November 14, 2020 [1 favorite]

There's no way to be completely anonymous online; encrypted email and VPNs are the basics of internet privacy in this day and age. To get anywhere close, you'd need:

* Mac address randomization
* No-log VPN with anonymous payment options and/or TOR
* No-log DNS
* Protection from browser/device fingerprinting
* Domain level ad-blocker
* Forced https
* No/minimal javascript
* No cookies (which will break most websites that have logins)

Panopticlick is a website maintained by the EFF which can give you an idea of the amount of information you're leaking with your current setup. I make use of most of the above and I'm still considered 1/1800; which is pretty darn distinctive.

The easiest way to achieve semi-anonymity with a laptop/desktop is using Tails (a self-contained, encrypted USB operating system that lives in RAM only) for all activity on the social media account and only activity for that social media account. Even then, you'll have to be vigilant with your usage habits. No posting images (unless you've removed EXIF data), no downloading anything, removing cookies between logins, etc.

Smart phone/tablet stock Android/iOS can't be made anonymous by any amount of tinkering.
posted by givennamesurname at 3:31 PM on November 14, 2020 [11 favorites]

Came in to mention Tails, you also might be interested in Freenet.
posted by SaltySalticid at 5:49 PM on November 14, 2020

Another OS in the same general area as Tails is Whonix. It differs to the extent that it runs in a couple of virtual machines on your existing hardware. Under the cover it’s using Tor, but with a couple of possible Tor vulnerabilities avoided.

The Whonix page that describes behavioural good practices is applicable to any secure browser/network/OS:
posted by rd45 at 2:28 AM on November 15, 2020 [1 favorite]

Hey, I'm sorry to hear that your online experience is part of a wholly-controlled national authoritarian experience. Bringing about change to this state can't just be done on social media. If you're thinking it can, I can't assume you're connected to real people in your circumstances with whom you will need to work for any political change. The sequence is experience injustice, raise awareness, build a coalition, make political change -- if there's injustice to highlight there will other victims with whom you can build a community.

Security is a set of layered things you do, a discipline you follow so that a failure in one area has protection from other areas before everything is lost. By whom or how you're compromised -- the question is 'how might this fail me?' -- has different kinds of answer from lovers, family, friends, acquaintances, colleagues and police or clandestine state agents so this isn't exhaustive and you must keep asking 'how might this fail?'

First it's important to keep thinking the thoughts the undergird your search for justice and an end to state oppression. As at the top, find a community that practises speaking truth to one another and is willing to get beat up speaking truth to power. Be angry at the system, and try your hardest to keep good faith with fellow victims of your state and not to harm your partners in protest.

Second, it's terrible operational security to expose what you consider best practices to internet randoms on a publicly-readable backwater such as here. (You could be trolling us, who knows?) There will be some place where your communities are organising and they'll be able to connect you to their specific platforms and messages. Some of the tools used by The Guardian for its tipoff and anonymous whistleblowing stories will be a good start.

Third, your example social media don't respect reputations and play with messages they highlight to get users scrolling more and interacting with the advertisers who pay for the social network. If your community is to be built on trusted relationships between people, you need to find other channels to organise your messaging and to share with people currently unable to speak freely. Don't get me wrong, international consternation and sanctions need your on-the-ground messaging -- but these social media channels work for dollar-power and not people-power. Again, reputable international news sources such as The Guardian will play an important part in finding an audience for your awareness-raising.

Fourth, expect surveillance and present at least one profile to the online world that's compliant if not above reproach. Make an amount of noise so that anything attributable to you might be lost among the noise of compliant life.

Fifth, expect your hardware and the network to work against you. Check for keyloggers, unwanted dongles or chips, test for persistent malware and keep your software up-to-date for security patches (it's here where TAILS is a useful tool). Buy used gear with cash from people you know, so that the SSID of mobile devices and MAC address of wifi and wired devices isn't immediately attributable to you in whatever database links your bank account, online shopping account, mobile phone subscription or home broadband subscription. The social media services you mention sell information about you too anyone who will give them money, so even if not compelled by state power to snitch on you, they'll take cash to do so.

Sixth, anonymise your network use. State-level budgets and state infrastructure make this hard. The Onion Router (tor) has been mentioned, and it's good for the middle of internet data transfer but has too few entry and exit points to provide absolute privacy. A VPN is another method but doesn't provide absolute privacy because it's point-to-point and has an obvious pattern to its protocol numbers. The giveaway to both of these secured connections if you're tapping the wires is the metadata of which server name is matched to which server address number. This is the domain naming system (DNS) and it's currently in plaintext -- so every web page request and most apps leak information about who is talking to what service. The mitigation is to encrypt your DNS requests, configuration you have turn on in contemporary web browsers. There is a github repo called algo which can start a virtual machine as a VPN endpoint on all of the major cloud providers, as needed, for short-lived and disposable tunnels.

Seventh, use unique sign-in addresses and unique complex passwords for all of your accounts and (as above) be prepared to burn any you think are compromised. Add multi-factor authentication -- not tied to a cellphone that can be spoofed and used outside your control -- to all your accounts but don't utie the same MFA devices to secret and public accounts together. If you're using password managers and security private keys, keep them securely offline in multiple backups.

Eighth, I don't think your preferred social media tools can be used anonymously or with trustworthy messages reliably transmitted to the userbase you seek (I dunno, you could buy adverts but the purchase will be attributable to you). So are there other tools for social networks? Yes, there's signal-protocol used in instant messaging chat rooms, federated timelines and messaging in the Fediverse, private servers for voice and video in Element (formerly Riot, using Matrix protocol), all can be operated on small home hardware or cloud virtual machines with tor's private circuits or algo VPN links.

May you be lucky in your search for justice.
posted by k3ninho at 4:25 AM on November 15, 2020 [6 favorites]

This may go deeper than what you had in mind, but it's a good (and free) resource:
Information Security for Journalists by Silkie Carlo and Arjen Kamphuis.
posted by Too-Ticky at 4:50 AM on November 15, 2020 [2 favorites]

« Older Book suggestions that involve fighting a bear   |   Apparently hospital cleaner threw out essential... Newer »
This thread is closed to new comments.