PROJET AUTOBLOG


We Fight Censorship - L'info à l'abri de la censure


Fifteen minutes of online anonymity

Monday 6 May 2013 at 11:58
Online Survival Kit

Making sure that your communications and data are confidential is not easy. Many encryption tools are available but it can take ages to learn how to use them, to learn how to avoid leaving clues or tracks that will allow others to intercept a message or identify who sent it. So that you don’t have to spend the next three years training to become a security expert, Jean-Marc Manach, a journalist specialized in digital privacy and security, has an interesting alternative – how to have 15 minutes of online anonymity.

Originally written in mid-2012 for France’s National Institute for Broadcasting (INA), the following article was updated and republished on Jean-Marc Manach’s blog with the title of How (not) to be the victim of (cyber-)espionage. What applies one day on the Internet, does not always apply the next. The article aims to provide some advice and suggestions on how to establish a window of anonymity online. It is not an exhaustive guide. Readers are urged to verify the validity of the websites and services mentioned in this article.

Fifteen minutes of online anonymity

I have often written or translated instructions for Internet users on how to secure their online communications since 1999 when, as a journalist, I began trying to find out how to protect my sources. And I came to realize that it is impossible for non-specialists to secure their computers in such a way as to prevent professionals from being able to get into them. Nonetheless, it is perfectly possible for them to create windows of confidentiality, to disappear for the duration of an online connection, to learn to communicate in a discreet, secure and stealthy manner, and to exchange files without being detected.

The KGB and CIA could not prevent each other’s spies from communicating with their sources, just as the FBI could not prevent Daniel Ellsberg from leaking the Pentagon Papers and the NSA could not prevent WikiLeaks from shedding some transparency on US and international diplomacy. To paraphrase Andy Warhol, the key nowadays is how to get one’s 15 minutes of anonymity. It is not only possible but also essential for journalism and for democracy, and it is not necessarily very complicated.

Whatever the type of computer, operating system or software you use, you can secure your communications – and therefore your sources – via the Internet. The methods and services mentioned below are not as secure as using GnuPG, but may prove useful if all you are seeking is a window, or 15 minutes, of anonymity. What they have in common is encryption of information at the browser level, before transmission to the website where it will be shared with the person or persons to whom you want to send it.

Several computer security specialists have recently pointed out the limits of such systems, which are based on the concept of zero-knowledge proof. Their security depends, among other things, on using computers and websites that have not already been hacked into. Given the technical skills needed to properly secure a computer, these services are probably best used only when you need to transmit something – a message, temporary password, article or photo – in a stealthy manner. And better still, if possible, you should use a dedicated computer for this (netbooks can be bought for €200), one that is connected to the Internet only for this purpose and is not used for any of your other activities, during which it could get infected by a Trojan or other form of malware.

Secure chatting

CryptoCat, the best known of these web services, was designed to allow you to chat and to simultaneously send .zip or image files of up to 600 kb in size, as with standard instant messaging software, but in a secure manner. In response to criticism, its developer decided to add an additional layer of security by allowing users to install CryptoCat as an extension in their browsers (Chrome or Firefox).

File exchange

You want to send or receive a file anonymously and securely?

The dead letterbox technique consists of using a webmail service of which the username and password are known by two (or more) people. Messages can be exchanged by leaving them in the Drafts folder. This way, you and another person can communicate with each other without ever actually sending each other emails.

SpiderOak and Wuala are “cloud” storage platforms that encrypt your data at the browser level before you send it. You must create an account linked to a secure email address.

Hushmail.com is an encrypted email service that emphasizes ease of use. There are also dozens of AnonBox, created by the famous German hackers of the Chaos Computer Club (CCC), but remember to always use https and Tor when you connect to them.

RiseUp is an email service maintained by an activist community. The originality of this service is that it does not keep any log or record of the IP addresses connecting to its servers. RiseUp also stores all email messages in an encrypted form.

You can also use the Hide My Ass file-sharing service, which is one of the many web proxies (or anonymizers) that are used to circumvent Internet censorship or to browse anonymously. For more information on this subject, see How to circumvent Internet censorship and How to circumvent cyber-surveillance.

Confidential notes

NoPlainText and PrivNote (both accessible securely via https) allow you to create short memos that “self-destroy” as soon as they are read. PrivNote can send you an email alert when a memo is read. It is practical for sending a password or any short confidential message without having to use GnuPG. (The password should of course be temporary. Any password you are sent should always be changed. Passwords are never shared with third parties.)

These services cannot prevent an unauthorized third party from intercepting the link – and therefore the memo – before the intended recipient sees it. But they can, on the other hand, allow you to establish whether your channel of communication is being spied on. You just have to send an initial (anodyne) message and see whether or not your source receives it in order to know whether the channel is secure or compromised.

ZeroBin uses the same principle but also allows you to programme the deletion of the memo (in 10 minutes, one hour, one day, one month, a year or never) and allows the other party to comment on it. CryptoBin allows the memo to be protected by a password, which adds another layer of security but requires sharing the password with your source, for which you could use CryptoCat or PrivNote. In order to add more layers of security, try if possible to combine these services and access them using Tor or an equivalent.

Phone problems

There is no really reliable way for communicating confidentially by mobile phone. To be very clear: NEVER use your mobile phone to call a source’s mobile phone if the source needs to be protected – see the recent “phone records affair” in France.

If you really have to phone your source, go to a public phone far from your office or use the mobile phone or landline of someone who has no direct contact with you. And call your source on a mobile phone or, preferably, landline with which he or she has no direct connection. Or use one of the techniques that have already been explained. And meanwhile, we should follow the development of Whisper Systems encryption software, which does not work on all mobile phones and is still in Beta version.

Use of the increasingly popular Internet telephony software Skype should also be ruled out whenever possible. AFP came in for a lot of criticism when it reported in a dispatch that it interviewed a Syrian dissident via Skype in July 2012. Skype’s so-called “security” has repeatedly been violated since the French authorities advised against its use in 2005. It has since been revealed that Skype not only helps certain law enforcement and intelligence agencies to spy on users but also that booby-trapped versions of Skype have been created in order to enable identification of their users.

Do you want to phone your sources via the Internet? No problem, but use Jitsi, the “open-source Skype” recommended by Jacob Appelbaum, a hacker and Tor developer who supports WikiLeaks and is therefore well up on source protection issues, or Mumble, which is mainly used by video gamers but which encrypts communications by default. The Telecomix hackers, who distinguished themselves by helping Arab Spring Internet users and cyber-dissidents to secure their telecommunications, have set up two secure servers for communicating via Mumble.

IRL

Computer and digital security is a profession. If it is not your profession, operate on the assumption not only that you can easily be (or are being) monitored – ISPs keep records of all your Internet connections and Internet activity, while phone companies keep records of all the numbers you call or that call you – but also that someone could, without too much difficulty, actually be spying on you.

In other words, your preferred method of communication should be “IRL” (In Real Life) meetings, physical meetings in public places or the backrooms of cafés, like 20th century spies. Of course, the meetings can also be compromised if they have been set up by phone or email. It is an irony of history that in this technologically hyper-connected 21st century, we have invented no better way of protecting sources and professional confidentiality than old-fashioned paper mail, which is much less monitored and spied on than phone or Internet communications.

Going further

About the author

Jean-Marc Manach has been covering the rise of the “surveillance society” for nearly ten years, both as a journalist and as a defender of human rights, freedoms and privacy. He has participated in:

  • The Big Brother Awards, which give “Orwell prizes” each year to those who have distinguished themselves by their violation of privacy.
  • Bugbrother.com (to learn about making communications secure and protecting privacy).
  • Renseignementsgeneraux.net (to learn how to defend one’s rights against abuses committed by the police in the course of gathering information on the population).
  • Vie-privee.org (for its press review on information technology and freedoms).

Virtual Private Network (VPN)

Sunday 5 May 2013 at 14:26
Online Survival Kit

This technology, widely used in the business world, allows the creation of an Internet tunnel (a virtual link) between two physical networks in different locations in a way that is transparent for users. Only they will be allowed access (hence the term “private”) and data sent via the tunnel is encrypted. This guarantees that data sent by VPN users will be illegible to any third party in the event of malicious interception such as espionage or intrusion.

How a VPN can be used 

A VPN allows data to be moved from one private network to another using a secure Internet tunnel. Your Web browser cannot access www.google.com via a classic VPN connection. Your email client can only connect to your company’s internal email and not to your own email address. You are sheltered but isolated. The VPN has the functionality it needs for us to protect our communications between A and B using legal means. But there is more to it than this. 

Using a VPN as a “virtual escape route” to circumvent censorship

The Internet is a place for communicating and exchanging information, which does not please everyone. Some states monitor and spy on the content of their citizens’ online activities and, where they feel it is necessary, restrict access to some websites or services that they believe to be contrary to their interests.

The diagram below shows an example of a filtering system put in place by a government to prevent the country’s Internet users from posting videos of demonstrations. This is an ideal scenario for using a VPN to circumvent the filter system.


The following diagram shows the use of a VPN as a means of bypassing an existing filtering system.

Your workstation is company A and the VPN provider is company B. The main difference is that your real Internet connection is through the VPN provider, so the Internet sees that you are connected from Sweden and not from your own country. This means the filtering system in place in your own country no longer applies. By using a VPN, a legal tool, you can publish your video on YouTube, read your email, surf any part of the Web securely, etc. Your country will no longer be able to see what you are using the Internet for since you are now accessing it via a tunnel with one end in Sweden, a country where the Internet is outside your government’s control.

Setting up this type of service is no simple matter and requires a level of technical knowledge not available to everyone. Fortunately there are companies that provide such services commercially, making the configuration and use of a VPN on your workstation a fairly simple matter.

Choose a VPN provider carefully

A VPN connection costs about five euros per month. Avoid free offers. One way or another these so-called free services find a way to make you pay. A free VPN may, for example, be set up with the intention of discreetly spying on your communications, known as a “honeypot”. 

Most VPN services provide documentation and software to install on your computer. Once you sign up, you will receive your login information by email, including your username and password (similar to your mailbox details).

Launch the software, enter your username and password and the application will do the rest. It will create a tunnel connecting you to the country you have previously specified. Once the connection is established, you are virtually in another country.

Here is an example of a connection interface:

VPN on your mobile phone

Like any other device that connects to the Internet, your smartphone is subject to restrictions imposed by your telephone provider, if you connect via 3G, or your Internet service provider if you use wifi.

You can install an application on your smartphone, as you can on your computer, to create a VPN tunnel allowing you to connect from your phone. The Android operating system already includes a VPN client, found in the menu “Wireless and Networks -> VPN settings”. You can obtain information from your VPN provider that will allow you to set up your Android phone just as easily as your computer.

Text and images kindly provided by Jean Marc Bourguignon / fo0

Metadata - your files talk for you

Friday 3 May 2013 at 14:56
Online Survival Kit

Did you know this? When you send a document, a lot of data goes with it. But few Internet users are aware that many file formats contain hidden data, or metadata. Text processing files or PDFs are likely to contain the name of the author, the date and time of the creation of the file, and often even part of its editing history. The hidden data depend on the file format and the software used to create it.

Image file formats such as TIFF and JPEG are some of the most talkative ones. Created by digital cameras or mobile phones, these files contain metadata in a format called EXIF that may include the image’s date, time and even GPS coordinates, the model and serial number of the device that took it and a thumbnail of the original image. Image processing applications tend to keep this data intact. The Internet has countless cropped or pixelized images whose EXIF thumbnail still shows the original image. So, how do you rid your files of unwanted metadata and restore their virginity before sending them?

Checking and cleaning metadata

When you send a sensitive document, it is vital to ensure that its metadata are not compromising. There are various ways to access the metadata. The easiest way is to check the file properties. A simple right-click will give you a lot of information.

Desktop application files of the Office kind may contain information about the individual or company that created the file. Whether you are using Microsoft Word or Open Office, you have the possibility of eliminating this information when you create the file.
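To see what a word-processor file says about its author, you can read its property parts directly. The following is an added example, not part of the original article; it assumes the .docx (Office Open XML) format, whose properties live in docProps/core.xml and docProps/app.xml, and it runs on a sample archive constructed inline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",   # registered so rewritten files keep this prefix
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
W_AUTHOR = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}author"
# part name -> {report label: element path}
PROPERTY_FIELDS = {
    "docProps/core.xml": {"creator": "dc:creator", "last_modified_by": "cp:lastModifiedBy"},
    "docProps/app.xml": {"company": "ep:Company"},
}

def docx_identity(blob):
    """List who-wrote-this values in a .docx: file properties and tracked-change authors."""
    found, authors = {}, set()
    with zipfile.ZipFile(io.BytesIO(blob)) as archive:
        for name in archive.namelist():
            if not name.endswith(".xml"):
                continue
            root = ET.fromstring(archive.read(name))
            for label, path in PROPERTY_FIELDS.get(name, {}).items():
                node = root.find(path, NS)
                if node is not None and node.text:
                    found[label] = node.text
            if name.startswith("word/"):   # insertions, deletions and comments name their author
                authors.update(el.get(W_AUTHOR) for el in root.iter() if el.get(W_AUTHOR))
    found["revision_authors"] = sorted(authors)
    return found

def clear_properties(blob):
    """Return a copy of the .docx with the property fields above emptied."""
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(blob)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename in PROPERTY_FIELDS:
                root = ET.fromstring(data)
                for path in PROPERTY_FIELDS[item.filename].values():
                    node = root.find(path, NS)
                    if node is not None:
                        node.text = ""
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(item.filename, data)
    return out.getvalue()

def sample_docx():
    """Constructed .docx-like archive: two property parts and a body with one tracked insertion."""
    parts = {
        "docProps/core.xml": (
            f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            "<dc:creator>Alice Example</dc:creator>"
            "<cp:lastModifiedBy>Alice Example</cp:lastModifiedBy></cp:coreProperties>"),
        "docProps/app.xml": f'<Properties xmlns="{NS["ep"]}"><Company>Example Newsroom</Company></Properties>',
        "word/document.xml": (
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p><w:ins w:id="1" w:author="Alice Example" w:date="2013-05-03T14:56:00Z">'
            "<w:r><w:t>draft</w:t></w:r></w:ins></w:p></w:body></w:document>"),
    }
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as archive:
        for name, xml in parts.items():
            archive.writestr(name, xml)
    return out.getvalue()

if __name__ == "__main__":
    original = sample_docx()
    print("before:", docx_identity(original))
    print("after: ", docx_identity(clear_properties(original)))
```

On the constructed sample, clearing the properties removes the creator and company, but the tracked insertion in the body still names its author, which is the kind of editing history that travels with the file.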

PDF files can also act as snitches. They often contain the author’s name. It is accessible in the file properties and can be changed by using PDF file editing software. Using Acrobat Writer under Windows or Mac, you just have to go to the “File” menu and then “Properties” in order to modify the document author’s name. For GNU/Linux users, there are free alternatives such as PDF Mod that offer a simple way to edit PDF file metadata.

You can use the Exif Viewer extension for Firefox to display the metadata of JPEG images. It is also available for the Chrome browser. All this extension does is display Exif data.
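What the Exif block of a JPEG reveals, and what the file looks like once it is removed, can be checked with a short script. This is an added example, not code from the original article; it reads only the main image directory (IFD0) and the thumbnail directory (IFD1), and the sample file is constructed inline to show the segment structure only.

```python
import struct

EXIF_MAGIC = b"Exif\x00\x00"
ASCII_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime"}
GPS_IFD, THUMB_LENGTH = 0x8825, 0x0202   # IFD0 pointer to GPS data; IFD1 thumbnail size

def jpeg_segments(data):
    """Yield (marker, start, end) for each header segment, stopping at the image data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG file")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] != 0xDA:
        (length,) = struct.unpack_from(">H", data, pos + 2)
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("truncated segment")
        yield data[pos + 1], pos, pos + 2 + length
        pos += 2 + length

def read_ifd(tiff, offset, endian):
    """Return ({tag: (count, 4-byte value field)}, offset of the next IFD)."""
    (n,) = struct.unpack_from(endian + "H", tiff, offset)
    entries = {}
    for i in range(n):
        base = offset + 2 + 12 * i
        tag, _type, count = struct.unpack_from(endian + "HHI", tiff, base)
        entries[tag] = (count, tiff[base + 8:base + 12])
    (next_ifd,) = struct.unpack_from(endian + "I", tiff, offset + 2 + 12 * n)
    return entries, next_ifd

def exif_report(data):
    """Summarise identifying Exif fields of a JPEG; {} when it carries no Exif.
    Malformed Exif data raises struct.error."""
    report = {}
    for marker, start, end in jpeg_segments(data):
        payload = data[start + 4:end]
        if marker != 0xE1 or not payload.startswith(EXIF_MAGIC):
            continue
        tiff = payload[6:]
        endian = "<" if tiff[:2] == b"II" else ">"
        (ifd0_offset,) = struct.unpack_from(endian + "I", tiff, 4)
        ifd0, ifd1_offset = read_ifd(tiff, ifd0_offset, endian)
        for tag, name in ASCII_TAGS.items():
            if tag in ifd0:
                count, raw = ifd0[tag]
                if count > 4:   # strings longer than 4 bytes are stored at an offset
                    (where,) = struct.unpack(endian + "I", raw)
                    raw = tiff[where:where + count]
                report[name] = raw[:count].rstrip(b"\x00").decode("ascii", "replace")
        report["has_gps"] = GPS_IFD in ifd0
        report["thumbnail_bytes"] = 0
        if ifd1_offset:   # IFD1 describes the embedded preview of the original image
            ifd1, _ = read_ifd(tiff, ifd1_offset, endian)
            if THUMB_LENGTH in ifd1:
                (report["thumbnail_bytes"],) = struct.unpack(endian + "I", ifd1[THUMB_LENGTH][1])
    return report

def strip_metadata(data):
    """Return the JPEG without APP1 (Exif, XMP), APP13 (IPTC) and comment segments."""
    out, tail = bytearray(b"\xff\xd8"), 2
    for marker, start, end in jpeg_segments(data):
        if marker not in (0xE1, 0xED, 0xFE):
            out += data[start:end]   # keep JFIF, ICC profile, quantisation tables, ...
        tail = end
    return bytes(out) + data[tail:]   # compressed image data is copied untouched

def sample_jpeg():
    """Constructed test input (segment structure only, not a decodable picture)."""
    make, model, thumb = b"ExampleCam\x00", b"Model X1\x00", b"\xff\xd8THUMB\xff\xd9"
    entry = lambda tag, typ, count, value: struct.pack("<HHII", tag, typ, count, value)
    tiff = (b"II" + struct.pack("<HI", 42, 8)                       # header, IFD0 at 8
            + struct.pack("<H", 3) + entry(0x010F, 2, len(make), 86)
            + entry(0x0110, 2, len(model), 97) + entry(GPS_IFD, 4, 1, 80)
            + struct.pack("<I", 50)                                 # IFD1 at 50
            + struct.pack("<H", 2) + entry(0x0201, 4, 1, 106)
            + entry(THUMB_LENGTH, 4, 1, len(thumb)) + struct.pack("<I", 0)
            + struct.pack("<HI", 0, 0)                              # empty GPS IFD at 80
            + make + model + thumb)
    seg = lambda marker, body: bytes([0xFF, marker]) + struct.pack(">H", len(body) + 2) + body
    return (b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + seg(0xE1, EXIF_MAGIC + tiff) + seg(0xFE, b"edited by alice")
            + b"\xff\xda\x00\x02scan-data\xff\xd9")

if __name__ == "__main__":
    original = sample_jpeg()
    print("before:", exif_report(original))
    print("after: ", exif_report(strip_metadata(original)))
```

Other file formats and vendor-specific tags are outside its scope; ExifTool and MAT, listed below, cover those.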

Advanced control of metadata

There are more sophisticated tools that allow you to edit all kinds of metadata, regardless of the type of file – PDF, JPEG, GIF or anything else:

  • MAT, Metadata Anonymisation Toolkit: an application with a graphical interface available under GNU/Linux
  • Metanull: an application with a graphical interface available under Windows
  • ExifTool: a command-line application available under GNU/Linux, Windows and Mac OS X.

This document was inspired by the Tails distribution’s official documentation, entitled “The Amnesic Incognito Live System.” Like the original, it is published under the GPL v 3.0 license.

Looking at reality head-on? “Extremist,” the KGB says

Tuesday 16 April 2013 at 15:41

Despite government harassment, independent photojournalism is alive and well in “Europe’s last dictatorship.” For the fourth year running, the Belarus Press Photo competition (BPP) is poised to award local photographers who have a gift for covering the most varied range of social issues with an independent approach. But this bold initiative is the victim of censorship. According to the Committee for State Security (KGB), the book of the photos that won prizes in the 2011 competition contains “extremist” works. Two of BPP’s organizers, Yuliya Darashkevich (Юлия Дарашкевич) and Vadim Zamirouski (Вадим Замировский) are to appear in court on 17 April 2013. If the court rules in favour of the KGB, all copies of the book will be seized and destroyed. WeFightCensorship presents photos from the Belarus Press Photo 2011 book here.

Belarus Press Photo is particularly remarkable in a country that is ranked 157th out of 179 countries in the latest Reporters Without Borders press freedom index. For the past four years, the project has set itself the mission of “supporting and developing photojournalism in Belarus and contributing to the freedom to exchange professional information and experiences.” Dozens of photographers participate each year. A jury of Belarusian and foreign professional photographers (including Stanley Greene and Yury Kozyrev this year) chooses the best photos, which are then published and displayed in Belarus and abroad.
 
On 12 November 2012, Belarusian customs officials seized 41 copies of the “Belarus Press Photo 2011” book from the car in which three photographers were returning to Belarus after taking part in exhibitions in Lithuania. Although the book had been printed legally and all the custom duties had been paid, the customs officials claimed that “technical standards” had not been respected. The copies were then transferred to the KGB, which asked “experts” to decide whether the book included “extremist” content.
 
No photographer was asked to be part of the “expert committee” that was formed and led by the head of the western region of Hrodna’s ideological department. It found that “Belarus Press Photo 2011” did indeed include “extremist” content. It said that the book contained “deliberately distorted insinuations contrary to the reality of life in the Republic of Belarus (…) which humiliate national honour and the dignity of its citizens.” The committee added that “from the viewpoint of social standards (…) and decency,” the photos undermine “state authority” and “confidence in government officials.”

Yuliya Darashkevich told Reporters Without Borders: “Photojournalism consists of taking snapshots of life as it is, without embellishing it. I don’t see how this can distort reality or conflict with it. I don’t agree with the overall conclusion [by the experts that the book] shows Belarus in a negative light. On the contrary, Belarus is shown from different angles.”
 
One is immediately struck by the variety of subjects and techniques shown in “Belarus Press Photo 2011” – scenes from daily life, news reportage, nature and cultural activities. The viewpoints are varied and the negative aspects of the lives of Belarusians are far from dominant. But this very richness and diversity pose a challenge to the monolithic character of the regime headed by Alexander Lukashenko and his claim to embody his entire nation.
 
The book shows no sign of censorship and devotes a lot of space to the violent crackdown on peaceful demonstrations in 2010. Conditions in the army are revealed in other photos, including Syarhey Gudilin’s cover photo, which won the top prize in 2011. It shows army recruits watching the state TV news programme, as they must every day, overseen by a photo of President Lukashenko on a wall.

Obligatory watching of the evening news under the eye of the president Alexander Lukashenka.
Photo by Siarhei Hudzilin. Barysau. August 2010 (Grand-Prix 2011)

Presidential elections. A riot policeman lifts up a participant of the protest action near the broken doors of the House of Government.
Photo by Sergey Gapon. Minsk. December 2010.

Re-burial ceremony at the German war cemetery. Workers lay coffins with remains of German soldiers killed in Belarus during World War II.
Photo by Vasily Fedosenko. Scatkava village. November 2010.

A man shows the V (Victory) sign out of the prison window.
Photo by Viktor Drachev. Minsk. December 2010

Tennis player, Caroline Wozniacki (Denmark), takes part in a charity game against Belarusian Victoria Azaranka (Belarus). The experts of KGB think that these photos present elements of Belarusian sport life from the “poor aesthetic perspective”, some of them even “disgraceful” and they “demonstrate the sphere of Belarusian public life from the negative viewpoint”.
Photo by Viktor Drachev. Minsk. November 2010.

A torn-off state flag lies in the street after the protest. KGB thinks that this photo “presents the author’s own invention and belittles the State symbol of Belarus, the honor and dignity of Belarusian people”.
Photo by Sergei Grits. Minsk. December 2010.

Shadows of Christmas decorations fall on the projection screen in the Minsk nightclub, The Black Door, during a New Year’s speech of the President of Belarus, Alexander Lukashenka. The authorities proclaim that this photo “was deliberately shot from the viewpoint, in order to present the Head of state unattractively. The illustration offends the President of Belarus, belittles his authority and undermines confidence in him on the part of foreign states and citizens of the Republic of Belarus”.
Photo by Dzmitry Kliapitski. Minsk. 31 December 2010.

Identity. Personal exhibition of famous Belarusian artist, Barys Zaborau, has opened in the National Art Museum.
Photo by Viachaslau Tsuranau. Minsk, November 2010. 

The 23rd International festival of modern choreography
Photo by Sergei Grits. Viciebsk. November 2010.

People dip into the icy waters of Cnianskaje reservoir during the Orthodox Epiphany celebration.
Photo by Natallia Ablazhei. Minsk, January 2010.

From the series "Fake animals", dedicated to portraits of stuffed animals from museums and hunting exhibitions.
Photo by Andrei Liankevich. Minsk, 2010. 

Horses graze in a field
Photo by Alexander Vasukovich. Navasiolki village. October 2010.

Penitentiary colony. Women line up near the gate, waiting for the convoys to lead them to the tailor shop to work.
Photo by Viachaslau Tsuranau. Recyca, December 2007.

Internet governance and net neutrality

Tuesday 26 March 2013 at 17:56
Online Censorship

The United Nations Human Rights Council affirmed the right to freedom of expression on the Internet for the first time in a resolution on 5 July 2012, taking the position that "the same rights that people have offline must also be protected online (...) regardless of frontiers and through any media." The resolution called on all countries "to promote and facilitate access to the Internet and international cooperation aimed at the development of media and information and communications facilities in all countries."

World Conference on International Telecommunications (WCIT)

Different visions of Internet governance and, indirectly, the future of online news and information competed and clashed at the World Conference on International Telecommunications, which the International Telecommunication Union (ITU) staged in Dubai in December 2012. At the end of the conference, fewer than half of the ITU’s member countries (89 out of 193) signed a new treaty revising the International Telecommunications Regulations (ITR).

A coalition of 55 countries, including the United States and European Union countries, refused to sign it on the grounds that some of its provisions on spam management and Internet security, and a separate text that was adopted in a chaotic manner, Internet Resolution PLEN/3, would be used by countries that traditionally control the Internet to justify their censorship, filtering and blocking. The lack of civil society participation and procedural transparency was strongly criticized by many NGOs, with support from UN Special Rapporteur for Freedom of Expression and Opinion Frank La Rue.

The Dubai summit should have been used to defend the Internet as a place of freedom, as a place for the free exchange of views and information. But instead it highlighted the fight between different countries for influence over the Internet. More information: Centre for Technology and Democracy and an analysis of the new ITR by Access.

EU rejects Anti-Counterfeiting Trade Agreement

On 4 July 2012, the European Parliament rejected the Anti-Counterfeiting Trade Agreement (ACTA), which threatened fundamental online freedoms including access, freedom of information, Net Neutrality, innovation, and the sharing of free technology. Its rejection was a victory for citizen campaigning, which was mobilized by advocacy groups such as La Quadrature du Net and Panoptikon.

Netherlands and Slovenia back Net Neutrality, Brazil drags its feet

In December 2012, Slovenia followed the Netherlands and Chile in adopting a law that enshrines Net Neutrality and prohibits Internet Service Providers from discriminating against any kind of online traffic.

But adoption of a proposed Internet “Civil Framework” law continues to be postponed in Brazil because of pressure from the film and music industries. Widely supported by Brazilian civil society, which regards it as a model law, the so-called “Marco Civil” would define the rights and responsibilities of the state, Internet Service Providers (and other technical intermediaries) and Internet users as regards Internet usage, copyright and personal data protection, while safeguarding Net Neutrality, privacy and the free flow of information online.

Filtering violates fundamental rights

In a decision against Turkey on 18 December 2012, the European Court of Human Rights ruled for the first time that blocking a website violated article 10 (on freedom of expression) of the European Convention on Human Rights. The Strasbourg-based court said: “The Internet has now become one of the main means for individuals to exercise their right to freedom of expression and information; it offers essential tools for participating in activities and debates on political matters and issues of public interest.” The Court of Justice of the European Union already ruled on 24 November 2011 that generalized content filtering violates fundamental rights.

Internet companies stress transparency

The latest issue of Google’s “Transparency Report,” released in November 2012, points to a big increase in government surveillance. Google said government requests for user data had risen steadily since the publication of its first Transparency Report. In June 2012, Google voiced concern about an increase in requests for the removal of pages with political content. The country by country evolution of user data requests can be seen here and removal requests can be seen here.

Google’s transparency initiative has been adopted by others. Twitter launched its own transparency report in July 2012. It focuses on user data requests by governments (the United States made the most requests) and on content removal requests by governments or copyright holders. Twitter has also undertaken to leave a “Tweet withheld” message whenever a Tweet is removed in response to a complaint from a copyright holder and to send a copy of each takedown notice to the Chilling Effects website.