Anonymity for Political and Religious Dissidents

From Thomas Paine’s Common Sense in the eighteenth century to Russian samizdat in the twentieth, dissidents have had good reasons to publish their ideas anonymously. These reasons continue into the twenty-first century, where governments from Venezuela to Iran to China seek to censor and intimidate.

In many regimes, the Internet user faces two threats: censorship and deanonymization. This double burden makes his task more complex than if he had to face only one or the other.

Before devising a solution, it is important that the user define his threat model. Who are his adversaries, and how might they operate?

At the outset, we will rule out mobile technology, which is notoriously insecure. Use only wired connections to the Internet and never wireless.

Tor may be a part of any solution that aims at anonymity. But do not depend on Tor alone. America’s NSA, Britain’s GCHQ, Germany’s BND, and Russia’s FSB have all worked to deanonymize Tor users. In repressive regimes, it often makes sense to combine Tor with a pre-proxy such as Shadowsocks or V2Ray. This also mitigates the risk of any single technology containing unknown flaws (“zero days”).

If the risk is physical seizure of devices, Tails makes sense. Tails is designed to be booted from a USB storage device and to leave no trace of the user’s activity on either the hard disk or the USB device. It thus defends against scrutiny of the device itself. However, Tails is of limited usefulness in countries where meek-azure bridges are required to bypass censorship. A better choice in this case might be a live CD of a Linux operating system.

If the device is in a physically secure environment, consider virtualization as protection against many deanonymization exploits. Whonix is a prebuilt arrangement of virtual machines designed with anonymity in mind. Qubes provides even stronger protections.

Even with virtualization, the host operating system needs your attention. Set a BIOS password. Install an open-source operating system. Encrypt your hard drive. Linux distributions often make this easy by offering to encrypt your hard drive during installation.

In both host and guest, avoid installing unnecessary software. Use only well-known, well-established, open-source software. Verify the developer signature on software before you install it. Enable and configure your computer’s firewall.

Finally, pay attention to operational security. Do not sign in to any account linked back to you, especially one that stores your phone number or uses a phone number for authentication. Compartmentalize your real identity and your virtual identity. Avoid leaving a money trail that can be traced back to you. Be cautious about people who approach your virtual identity or who email you attachments.

All this is subject to change, so keep learning. You should read much, much more than this article. Stay up to date with emerging technical and social engineering techniques used by governments. Sites such as Citizen Lab report on recent developments. Overcoming censorship, in particular, is often compared with an arms race or a cat-and-mouse game. New solutions must be developed continually.
