From Thomas Paine’s Common Sense in the eighteenth century to Russian samizdat in the twentieth, dissidents have had good reasons to publish their ideas anonymously. These reasons continue into the twenty-first century, where governments from Venezuela to Iran to China seek to censor and intimidate.
In many regimes, the Internet user faces two threats: censorship and deanonymization. This double burden makes his task more complex than if he had to face only one or the other.
Before devising a solution, it is important that the user define his threat model. Who are his adversaries, and how might they operate?
At the outset, we will rule out mobile technology, which is notoriously insecure. Use only wired connections to the Internet, never wireless ones.
Tor may be a part of any solution that aims at anonymity. But do not depend on Tor alone. America’s NSA, Britain’s GCHQ, Germany’s BND, and Russia’s FSB have all worked to deanonymize Tor users. In repressive regimes, it often makes sense to combine Tor with a pre-proxy such as Shadowsocks or V2Ray. This also mitigates the risk of any single technology containing unknown flaws (“zero days”).
If the risk is physical seizure of devices, Tails makes sense. Tails is designed to be booted from a USB storage device and to leave no trace of the user’s activity on either the hard disk or the USB device. It thus defends against scrutiny of the device itself. However, Tails is of limited usefulness in countries where meek-azure bridges are required to bypass censorship. A better choice in this case might be a live CD of a Linux operating system.
If the device is in a physically secure environment, consider virtualization as protection against many deanonymization exploits. Whonix is a prebuilt arrangement of virtual machines designed with anonymity in mind. Qubes provides even stronger protections.
Even with virtualization, the host operating system needs your attention. Set a BIOS password. Install an open-source operating system. Encrypt your hard drive. Linux distributions often make this easy by offering to encrypt your hard drive during installation.
In both host and guest, avoid installing unnecessary software. Use only well-known, well-established, open-source software. Verify the developer signature on software before you install it. Enable and configure your computer’s firewall.
Finally, pay attention to operational security. Do not sign in to any account linked back to you, especially one that stores your phone number or uses a phone number for authentication. Compartmentalize your real identity and your virtual identity. Avoid leaving a money trail that can be traced back to you. Be cautious about people who approach your virtual identity or who email you attachments.
All this is subject to change, so keep learning. You should read much, much more than this article. Stay up to date with emerging technical and social engineering techniques used by governments. Sites such as Citizen Lab report on recent developments. Overcoming censorship, in particular, is often compared with an arms race or a cat-and-mouse game. New solutions must be developed continually.
- Practical Anonymity for Political and Religious Dissidents
- Simple Censorship Circumvention
- Storing a Sensitive Document
- Telegram Privacy Settings
- Introduction to Tor Browser
- How to Connect to a Proxy Before Tor in Whonix
- Pre-Proxy + Tor + Post-Proxy
- Who Uses Tor in Not-Free Countries
- Tor + OpenVPN
- Tor + Cloak
- How to Install, Configure, and Run Shadowsocks-Libev
- Shadowsocks + Cloak
- How to Install, Configure, and Run V2Ray + WS + TLS + CDN
- Vless Version of Wulabing V2Ray Script
- V2Ray Server with Domestic Relay
- How to Install, Configure, and Run Trojan-GFW
- NaiveProxy + Caddy 2
- IPsec with Libreswan
- L2TP/IPsec with PSK with Libreswan
- IKEv2 with Libreswan
- IKEv2 with strongSwan
- OpenVPN on NAT IPv4 OpenVZ VPS
- OpenVPN + Tunnelblick XOR Patch
- OpenVPN + Obfsproxy
- OpenVPN + Shadowsocks
- OpenVPN + Stunnel
- OpenVPN + Cloak
- Double VPN with pfSense
- Double VPN for Windows Users
- VPN Chains
- Obfuscated SSH
- Iodine DNS Tunnel on Port 53
- Pingtunnel ICMP Tunnel