Anonymous blogging made simple

Privacy: after reading Adam Shostack’s weblog posting about private/anonymous blogging, I’ve been driven to think about that, and would up writing up a case study of Cogair, which was an influential anonymously-published proto-weblog in Ireland in the ’90s.

Now, quinn at quotes a review of EFF’s recent ‘anonymous blogging’ guidelines, which largely comes up with one conclusion: it’s a usability nightmare. The problem is, the EFF report recommends using, which in turns uses the Mixmaster remailers. Those things are awful, and I doubt anyone but their authors could possibly know how to use them ;)

Here’s an easier way to blog anonymously. I haven’t tried it (honest ;) but from keeping up on this stuff, it should work…


  • First off, install Firefox. No point giving your identity away through an MSIE security hole. Clear out all cookies in Preferences:Privacy:Cookies (or better still — start a new Firefox profile from scratch).
  • Visit IPID and note down the IP address noted (this is your own, traceable, IP address).


  • Next, install Tor, EFF’s ‘Onion routing’ anonymizer system. This also means installing privoxy as directed in the Tor install guide.
  • Set up Tor on your machine, so that Firefox will browse via that software.
  • Using Tor, visit IPID and make sure it doesn’t give you the same traceable IP address. This is to make sure you’re browsing securely.


  • visit Hushmail and create a new free email account. Obviously, don’t use usernames and passwords that map in any way to your existing ones, and avoid words that may show up under your interests (especially if they’re googleable)…


  • Using that Hushmail account as the email address, go to and create yourself a blog, then get publishing.
  • Hey presto — anonymous blogging the easy way!
  • For safety, don’t use the Firefox anonymous-blogging profile for any sites other than Hushmail and‘s publishing end. (A future Firefox vulnerability could expose personal info directly from Firefox itself.)

This is essentially the ‘TOR to blog server’ method described at the privateblogging wiki.

Now, note that along that chain we have 3 levels of identity — the IP address (hidden by Tor), the email address (traceable to Hushmail, who could conceivably give up the Tor router’s IP), and the weblog site (traceable to Blogger, who could give up the Hushmail address and the Tor router’s IP).

As long as you don’t give it away in your writings on that weblog — and as long as Tor remains safe — your own identity in turn is safe, too; and Tor has proved safe, so far.

There are still problems:

  • The weblog site itself could still get taken down, e.g. via a DMCA takedown notice. This could be an issue, depending on what’s being published.
  • Tor traffic is identifiable as such as it traverses the internet. For bloggers in countries with a pervasive internet surveillance regime at the local ISP end, the watchers will be able to tell that Tor is in use, and tell who is the person using Tor. (They won’t be able to tell what it’s being used for, just that it’s being used.)

PS, for the future: the guys behind Tor are working on a replacement for Mixmaster anonymous remailer software, called Mixminion. There’s also a wiki for discussion of ‘private blogging’ here.

This entry was posted in Uncategorized and tagged , , , , , , , , , . Bookmark the permalink. Both comments and trackbacks are currently closed.


  1. Posted August 18, 2007 at 17:29 | Permalink

    Hi. I’ve being doing a series of posts at Blooking Central on blookers (blog+book=blook) that got fired. One of my readers made a comment that led to me to write about anonymous blogging. I have recommended that my readers check out your solution above. I realize that 2 years have elapsed – do you have any updated info to add?

    I wrote another post after that in which Belle du Jour talks about using encrypted email. I was wondering if you would care to comment on that.

    Lastly, any advice for a blogger with a decent readership who wants to kick it up a notch and fears retribution? I suggested starting over with a new blog. Thanks.

  2. Posted August 19, 2007 at 11:50 | Permalink

    That post is still pretty much correct, I think. Hope it helps!

    Regarding Belle du Jour’s advice — HushMail is a pretty good encrypted email system, as far as I know. But I’d say the most important thing is to ensure that, if the mail is being read, it won’t trace back to you, the original author — since in today’s internet, there are many places it can be read. In particular, most of the people you’d be emailing wouldn’t be able to use encryption themselves, so you’d wind up using unencrypted mail to deal with them.

    ‘Lastly, any advice for a blogger with a decent readership who wants to kick it up a notch and fears retribution? I suggested starting over with a new blog. Thanks.’

    Definitely the right advice, in my opinion.

  3. Posted September 11, 2007 at 11:26 | Permalink

    Ah, here’s something very important: when using Tor, always make sure that when logging in with a username and password, you do this over HTTPS. Otherwise you could run into this kind of problem.

  4. Anon
    Posted September 20, 2008 at 00:21 | Permalink

    I want to start an anonymous blog about depression.

    I don’t think I’ll need total anonymity. My main goal is for the blog not to come up in a search for my name (so employers won’t find it). I won’t be doing anything illegal.

    Everybody I know knows I’m really depressed, so there’s nothing to lose there.

    Do I need to take all these precautions, or will a pseudonym be enough?

  5. Posted September 22, 2008 at 10:55 | Permalink

    hi Anon — I would suggest opening a new webmail account on or similar, using a pseudonym, and then create a blogspot or weblog using that gmail account as the contact address. That’s perfect for the use case you describe, IMO. Good luck!

  6. Bill
    Posted November 1, 2008 at 16:59 | Permalink

    Great post, but I wondered if you’d stumbled across the Tor/javascript issue reported here. It got me thinking that maybe blogger uses Javascript in a similar way, and could track my real IP address.

  7. Posted November 2, 2008 at 13:25 | Permalink

    nice hack! It can be evaded by turning off the vulnerable subsystems, ie. Java and Flash; no blogging platform nowadays requires them. Javascript can be left on, though.

  8. Posted April 30, 2011 at 04:42 | Permalink

    ????????? ??????? ????????? ?????????????? ????? ?????????????????? ?????????????? ??????????

  9. stanley dcunha
    Posted May 17, 2011 at 17:58 | Permalink

    dear friends:

    will try to download tor and read your instructions. will revert