Privacy: after reading Adam Shostack’s weblog posting about private/anonymous blogging, I’ve been driven to think about that, and would up writing up a case study of Cogair, which was an influential anonymously-published proto-weblog in Ireland in the ’90s.
Now, quinn at ambiguous.org quotes a review of EFF’s recent ‘anonymous blogging’ guidelines, which largely comes up with one conclusion: it’s a usability nightmare. The problem is, the EFF report recommends using invisiblog.com, which in turns uses the Mixmaster remailers. Those things are awful, and I doubt anyone but their authors could possibly know how to use them ;)
Here’s an easier way to blog anonymously. I haven’t tried it (honest ;) but from keeping up on this stuff, it should work…
- First off, install Firefox. No point giving your identity away through an MSIE security hole. Clear out all cookies in Preferences:Privacy:Cookies (or better still — start a new Firefox profile from scratch).
- Visit IPID and note down the IP address noted (this is your own, traceable, IP address).
- Next, install Tor, EFF’s ‘Onion routing’ anonymizer system. This also means installing privoxy as directed in the Tor install guide.
- Set up Tor on your machine, so that Firefox will browse via that software.
- Using Tor, visit IPID and make sure it doesn’t give you the same traceable IP address. This is to make sure you’re browsing securely.
- visit Hushmail and create a new free email account. Obviously, don’t use usernames and passwords that map in any way to your existing ones, and avoid words that may show up under your interests (especially if they’re googleable)…
- Using that Hushmail account as the email address, go to Blogger.com and create yourself a blog, then get publishing.
- Hey presto — anonymous blogging the easy way!
- For safety, don’t use the Firefox anonymous-blogging profile for any sites other than Hushmail and Blogger.com‘s publishing end. (A future Firefox vulnerability could expose personal info directly from Firefox itself.)
This is essentially the ‘TOR to blog server’ method described at the privateblogging wiki.
Now, note that along that chain we have 3 levels of identity — the IP address (hidden by Tor), the email address (traceable to Hushmail, who could conceivably give up the Tor router’s IP), and the Blogger.com weblog site (traceable to Blogger, who could give up the Hushmail address and the Tor router’s IP).
As long as you don’t give it away in your writings on that weblog — and as long as Tor remains safe — your own identity in turn is safe, too; and Tor has proved safe, so far.
There are still problems:
- The weblog site itself could still get taken down, e.g. via a DMCA takedown notice. This could be an issue, depending on what’s being published.
- Tor traffic is identifiable as such as it traverses the internet. For bloggers in countries with a pervasive internet surveillance regime at the local ISP end, the watchers will be able to tell that Tor is in use, and tell who is the person using Tor. (They won’t be able to tell what it’s being used for, just that it’s being used.)