Posted on 31 December 2016.
Maintaining online anonymity is no easy task. Today’s ad-driven and heavily surveilled internet ecosystem endeavors to accomplish the exact opposite result. Be it for national security or to sell you a smartphone, governments and companies want to know everything they can about you. To make them lose your trail is not a simple matter.
It is possible to be remain anonymous online, but it’s getting more difficult as time progresses. No measure you take will ever be perfect, but unless you’re a high profile criminal, you can make it more difficult than it’s worth for anyone to expose you.
Being anonymous has its benefits. Certain freedoms come with being unrecognizable and untraceable. It also requires sacrifice. Many of the conveniences of the modern web were built around profiling, tracking, and analyzing user behavior.
Bearing that in mind, these are the steps you can take and the tools you’ll need to stay anonymous and hidden online.
No anonymity checklist would be complete without Tor. This network of volunteer nodes around the world is synonymous with anonymity. Tor, short for “the onion router”, allows you to encrypt your internet traffic and, each time you connect to a web server, route that traffic through a random array of nodes before heading to the final destination.
There are dozens of ways to use Tor from many different devices. The Tor Browser is the most popular. Simply installing this Firefox-based application on your Mac or PC will allow you to anonymously browse the web. For Android devices, try Orbot. iOS users don’t have any official support from the Tor project, but the Onion Browser seems like a decent option.
Tor does have a few downsides. For one, it’s slow. Tor isn’t suitable for streaming video or torrenting files. You can browse the web and that’s pretty much it due to the lack of volunteer resources and competing traffic from other users.
Secondly, even though your internet traffic is encrypted and untraceable, an internet service provider can still detect whether or not you are using Tor. This alone might be enough to raise suspicions, as Tor is often used for criminal activity online. Your ISP could choke your bandwidth, send you a cease and desist letter, or report you to the authorities even if you haven’t done anything wrong.
For this reason, we advise Tor users to use an obfuscation tool like Obfsproxy, turn on a VPN when using Tor, or both. Obfsproxy is a Tor project that makes encrypted Tor traffic look like normal un-encrypted traffic so that it doesn’t draw undue attention. More on VPNs further down.
Finally, there’s considerable speculation that the US government successfully used traffic analysis on Tor on at least a few occasions that led to arrests, including that of the infamous Dread Pirate Roberts of the Silk Road illicit goods marketplace. Rumor has it that governments also operate and monitor activity on several Tor exit nodes. None of these allegations come with concrete evidence, so take it with a big grain of salt.
A browser is suitable for escaping targeted advertisements and occasional visits to the DarkNet, but those who require complete anonymity will need a more nuclear option. While no one can track your browsing activity on Tor Browser, for instance, chances are you’ve still got multiple applications running in the background. These applications–word processors, video players, update managers–send data to the web. Rumor has it that authorities have used unencrypted error reports from the Windows operating system to find people. Windows 10 includes a litany of tracking software that’s enabled by default.
You could disable all of those settings and uninstall all of your applications, but that’s not very practical. Instead, we recommend a live operating system. Live operating systems can be installed on USB drives or DVDs. By tweaking a few settings in your computer’s bootloader, you can launch an entirely independent operating system from a thumb drive on your everyday laptop.
Tails is the official live OS from the Tor Project. All internet traffic–not just web browsing–goes through the Tor Network. The OS leaves no trace on your computer and all instant messages, emails, and files are encrypted. It’s simple to use and is designed to be idiot proof.
If Tails doesn’t seem suitable for whatever reason, another option is Whonix. Whonix isn’t an independent live OS. Instead, it runs in a virtual machine on your existing operating system. It has all the advantages of Tails (it also uses the Tor Network) plus it is designed so that IP address leaks–which can be used to track users–are impossible. The downsides are that it takes a reasonably powerful computer to run a virtual machine and it’s rather complicated to set up.
Other options are also on the table. Kali, Qubes, and ZeusGuard are all alternatives to Tails and Whonix worth considering. Do your research and figure out what’s best for you.
A VPN, or virtual private network, encrypts all of a device’s internet traffic and then routes it through an intermediary server in a location of the user’s choosing. The end result is that the device’s IP address is masked and third parties–including ISPs–cannot monitor traffic.
Most VPN providers utilize shared IP addresses on their servers. Multiple users–dozens, hundreds, and even thousands–are assigned a single IP address. This makes it nearly impossible to trace the activity of a single person in the pool.
VPNs are built for privacy and not anonymity, however, so we caution against using them alone if you want to truly remain hidden. Privacy and anonymity often go hand in hand, but remember this important distinction: anonymity means no one can identify you, but privacy implies no can see what you’re doing.
Using a VPN requires a certain degree of trust in your VPN provider and the entities that host their servers. Very few VPN providers own their own physical server infrastructure. Your traffic is encrypted on your local device and remains encrypted until it arrives at the VPN server. It is then decrypted before being sent onto its destination. For a brief moment, your activity is visible to the VPN provider.
This is why we highly recommend “logless” VPNs. Branded with a “logless”, “no-logs”, or “zero-logs” policy, this means that the VPN provider does not store any information about the content of users traffic. Assuming the VPN provider is telling the truth, that’s a good thing.
Even the few true zero-logs VPNs out there require customers to trust them. There’s no way of knowing whether they are being honest and how they will react when faced with a government subpoena. For the highest level of anonymity, then, try combining your VPN with Tor. Avoid VPNs based in the United States and Europe, where data retention laws and government intelligence agencies could put your data at risk.
Simply running Tor Browser while connected to the VPN makes tracing the user twice as difficult. VPNs can also be configured manually in live operating systems like Tails.
When a URL is entered into a browser, a request is sent to a DNS server to lookup the IP address that matches the URL. Even when using a proxy like a VPN, these DNS requests can be sent outside the encrypted tunnel to the default server. By default, DNS requests usually go to and are recorded by a nearby server operated by the user’s ISP.
If this happens when using a VPN, it’s called a DNS leak. Many VPN providers offer DNS leak protection, which ensures that all internet traffic, including DNS requests, are directed through the VPN. These VPNs typically operate their own DNS servers, which won’t record which websites you visit if they meet the logless criteria outlined above.
Even if a VPN advertises DNS leak protection, that statement often only applies to IPv4 DNS leaks. IPV6 DNS requests can still travel on the default network and be picked up by both web servers and ISPs. It would be great if more VPNs would set up IPv6 DNS servers to handle this situation, but at the moment the best solution is simply to disable IPv6 in the device’s internet settings.
If the VPN you use lacks DNS leak protection, or you aren’t using a VPN at all, try opting for a public no-logs DNS server. You can change your device’s DNS settings so that requests aren’t sent through your ISP. We recommend DNS.WATCH or OpenNIC.
It goes without saying that remaining anonymous online means not logging into any of your existing accounts. But since many apps and websites require users to sign up, you’ll need an email address or two.
Several services offer free fake and burner email accounts. For one-off registrations and messages, we recommend Guerilla Mail. No registration is required and it includes a password manager to help remember the passwords associated with those accounts.
For a more long-term untraceable email account, the best option is probably ProtonMail. This end-to-end encrypted service is open-source and uses zero-knowledge apps for web and mobile. Unfortunately, new users must apply for an invite due to limited server capacity. ProtonMail is donation-based.
If you don’t want to wait around for an invite, Zmail is another alternative. It allows you to send emails from fake addresses.
Never use your own email account when trying to be anonymous. Don’t even read your email or log into the account. If you want to send encrypted email from a burner account, you’ll have to set up new PGP or S/MIME keys.
If you want to make an anonymous purchase or donation, cryptocurrencies are superior to PayPal and obviously credit cards. That doesn’t mean that you can just open up a Bitcoin wallet with a big exchange like Coinbase and start spending, though.
There’s a big misconception that bitcoin is always anonymous, when in fact the very nature of blockchain technology means every transaction is tracked and verified. This publicly available ledger can be analyzed so that the wallets you use and the transactions you make could be linked to your identity.
By analyzing the activity which is visible to anybody on the public blockchain an observer may well be able to link your personal identity with all of the wallets you use and therefore your entire transaction history. In a way, this makes Bitcoin even less private than a bank account.
To get around this, use wallets that change your bitcoin address after each transaction. This makes you harder to trace. Use a bitcoin mixing service, which pools your bitcoins with other people’s and mixes them up before making a payment to the receiver.
Perhaps the most difficult part is anonymously buying bitcoins in the first place, as doing so requires fiat currency. Private deals and peer-to-peer exchanges like LocalBitcoins are not for the careless, but they are the best means of anonymously getting your hands on coins.
Remember that Bitcoin isn’t the only player in town, although it is the biggest. Litecoin, DarkCoin, and Dogecoin are popular as well.
Google keeps track of every search query and link you click on. If you’re using Tor, this doesn’t matter so much, but it’s still a good idea to opt for an alternative.
DuckDuckGo is perhaps the most popular search engine that doesn’t track or profile users. It can be set as the default search engine in your browser.
DuckDuckGo is a fully independent browser, so, let’s be honest, the results won’t be as good as Google’s. Luckily, there’s a way to get Google results without Google.
StartPage removes all your identifying information and submits a search query to Google on your behalf. It doesn’t log or track user activity. All search results are displayed with a proxy link beneath them, allowing you to click through to any site while retaining your privacy through a proxy.
The moment might arise when you need to anonymously send a file that’s too big for an email attachment. If you’re a whistleblower who wants to leak a large trove of damning documents to the public, uploading the files to Dropbox just won’t do.
FileDropper is a simple and convenient solution that allows uploads of up to 5GB with no registration required. WeTransfer is another option that allows files up to 2GB without signing up. For these types of services, just upload a file and then send the link to whoever you want to receive it.
Remember to access the site using Tor and share the links using a burner email or some other anonymous method, as the website might well be gathering information on site visitors despite the fact that registration isn’t required.
Choose your browser extensions carefully
The Tor Browser has very little support for extensions, and there’s a good reason for that. Advertising companies are getting smarter about how they track users. One of the most advanced methods is called fingerprinting. By gathering information about your web browser–what extensions are installed, what device you use, what language you read in, etc–ad tech companies can create a “fingerprint” that identifies a user. Fingerprints are superior to IP addresses because they don’t change if a user switches wifi networks or connects to a VPN.
Many extensions can help maintain your privacy–ABP, Disconnect, Privacy Badger, HTTPS Everywhere, etc–but they also contribute to a more well-formed fingerprint. This is one of several reasons it’s so difficult to be anonymous on a popular browser like FireFox or Chrome.
If you want to test how well your browser protects you from tracking, head over to the Panopticlick website. This tool made by the Electronic Frontier Foundation (EFF) can show you in excruciating detail how an ad agency can identify your browser using a unique fingerprint.
Besides fingerprinting, browser extensions can communicate with servers in the background without your knowledge, potentially logging metadata that could help identify you and your online activity.
Read more: 75+ free tools to protect your privacy online
Besides email, you’ll also want to cover your tracks when sending messages and making calls. Encryption is more focused on privacy than anonymity; even if a message is encrypted, a snoop still knows who the sender and receiver is. But if you’re going through the trouble of being anonymous, you might as well take every precaution.
Signal is the premier app for encrypted voice calls on smartphones. It also includes instant messaging. Users can verify the identities of their contacts by comparing key fingerprints.
For encrypted text and media messaging, there’s a wealth of free and private options. TorChat uses peer-to-peer encrypted messaging on the Tor network. It requires no installation and can be run from a USB drive. Other alternatives include Pidgin, and CryptoCat.
Even anons need to back up and store large files, and sometimes allow other people to access them. Stay away from Google Drive and Dropbox, as these contain no real privacy protections such as encryption and aren’t anonymous at any rate.
Backups are best done locally to an encrypted external hard drive. Crashplan offers a free version of its software that makes this easy.
If you want a cloud solution, it will require trusting a provider. Seek out a “zero knowledge” service that allows you to set your own encryption key. SpiderOak, iDrive, BackBlaze, and Crashplan all offer this option, which prevents the provider from decrypting your files.
If you insist on using Google Drive, Dropbox, or some other un-encrypted storage provider, you can always encrypt your files before uploading them to the cloud.
Secure your webcam
It’s been proven that webcams can be remotely activated and used to spy on users. The head of the FBI and Mark Zuckerberg both go so far as to put tape over their webcams for this very reason.
Webcams are usually remotely activated through malware, so a real-time virus scanner and regular system scans can prevent this from happening. If your laptop has an LED light that turns on whenever the webcam is active, make sure it’s enabled. If you don’t want to put tape on your webcam, make sure you close the laptop when not in use.
Learn more about securing your webcam here.
Secure your wifi router
Many of us never bother changing the settings that our wifi routers came with from the factory. Unsecured routers can make users extremely vulnerable to nearby snoops. Routers can be used to intercept, read, and modify internet traffic. If you’re on someone else’s wifi network, be sure to use a VPN.
If you want to remain anonymous, it’s important to change the router’s login credentials, update the firmware, set the strongest level of encryption (usually WPA2), restrict inbound and outbound traffic, turn off WPS, disable unused services, check port 32764, enable and read logs, and log out of your router when finished.
You can learn more about how to take all of these steps and more in our guide on securing wireless routers.
iOS and Android are not optimal for anonymity
If you’re choosing between iOS and Android based on which is more anonymous, go with Android. But don’t get comfortable and think you can be totally anonymous on either.
It is far more difficult to be anonymous on a smartphone than on a computer. Anonymity tools for Tor just haven’t matured to a point where they work well on mobile, yet. Apple and Google are too deeply embedded in these devices. You might be able to browse an onion site with Orbot on Android, but that’s about as far as you’ll get. There are no official Tor browsers for iOS.
There are no live operating systems that can be utilized by smartphones like TAILS for desktops.
Smartphones have IMEI numbers, MAC addresses, and possibly vulnerable firmware that cannot be altered and can be used to identify a specific device when connected to the internet. Because Android is usually modified by manufacturers, it’s difficult to audit and keep up with each device’s potential vulnerabilities. Apple and Google have the power to track almost every iOS and Android phone, respectively.
Apps constantly communicate with servers over the internet, passing data back and forth that could be used to track users. Even something as basic as a keyboard could be used to monitor activity. Cameras and microphones can be hacked into to spy on users. Any time a device receives a signal from a cell tower, their device’s location can be traced. Simply put, there’s just too much that could go wrong on Android and iOS that the user cannot see.
While making smartphones completely anonymous might be a futile effort, they can be made significantly more private. Android devices can be encrypted and iPhones are all encrypted by default. Use VPNs to encrypt internet traffic, and set up a self destruct sequence if the passcode is entered incorrectly too many times.
Finally, companies like Silent Circle make Android-based smartphones with security first in mind. The Blackphone, for instance, is fully encrypted and runs several “virtual phones” to compartmentalize data. Silent Circle also has a subscription service to make iPhones private. Again, the key difference is that this phone is focused on privacy, not anonymity. While the contents of the phone are protected, the same isn’t necessarily true for the identity of the user.
Be wary of the Internet-of-Things
The internet of things presents a whole new wave of opportunity for hackers and snoopers. Security has unfortunately been an afterthought for many IoT manufacturers. A simple log of when your smart air conditioner is activated, for example, can tell a lot about a person’s daily routine. Critics have warned against devices like the Amazon Echo, which are always listening for input even when deactivated.
Depending on your online activity, this can be a threat to a user’s anonymity. Use IoT devices with caution.
Make a checklist
No anonymity tool, even Tor, is perfect. But that doesn’t mean they aren’t effective. While a well-funded corporation or government agency could spend huge amounts of time and money running traffic analysis on the Tor network to eventually find the person they are looking for, it’s much more likely that person will make a mistake and drop a clue somewhere along the way.
So how do you avoid making mistakes? The same way surgeons and other high-risk occupations do: with lists. Every time you want to be anonymous online, start from the beginning of your checklist. Write it down on a piece of paper, but don’t include any login credentials or other identifying information. Here’s what one might look like based on everything discussed:
- Connected to a logless VPN
- Connected to the internet through Tor Browser/Tails
- DNS settings are configured to use a logless DNS
- Logged out of all online accounts
- Closed all apps and background services connected to the web
- All tracking in my browser and OS are turned off and blocked
- Emails are sent using burner accounts
- New accounts registered and logged in with burner emails
- Search with DuckDuckGo or StartPage
- Bitcoins are properly mixed and using a third-party wallet
With a standard protocol in place, you can drastically reduce the chances of making mistakes. Don’t be overconfident. Anonymity is something you can get right 100 times, but it only takes one misstep for it all to crumble.