With recent disclosures of how extensive and wanton is the federal government's illegal spying on virtually everything we do that uses an electronic device, I thought now would be a good time to offer a primer on how you can reclaim at least a portion of your 4th and 5th Amendment rights and your absolute privacy. This diary provides information on how to obtain truly anonymous email accounts and, furthermore, how you can keep that anonymity and protect your privacy from the illegal prying eyes of Big Brother (be he the federal government or corporate Little Big Brothers).
Though primarily focused on email, the information/tools I discuss below can also be used to gain anonymity in IRC chats and even suggests a means of obtaining privacy, though not anonymity, with VOIP softphones on your computer.
This is an attempt at a (relatively) quick, dirty, and basic primer on obtaining anonymity and privacy in email and a few other online communication tools. It works quite well and can work even better if you and at least a few of your friends and family members can be convinced to do the same things (that is the tough part). If friends and family were to do these things, then you would be able to freely converse with them and Big Brother would never be able to identify who is sending and who is receiving, nor would Big Brother (government or corporate) be able to read the contents of the email. This in itself is a good thing simply because it is resistance to the Surveillance State and will drive the goons crazy - good entertainment and of great intrinsic value.
There are a few rules that you must stick with for this to work. First, you must be diligent in how you make use of your anonymous email accounts. You must always only login via their web interface and only via secure https link. If you setup pop mail access so you can use a local email client then you risk your anonymity because the tools used to make these clients work don't generally play well with the core tool of the system.
OK, the "core tool" of this whole system is Tor, an "onion router" client/server sponsored and supported by the venerable Electronic Frontier Foundation (EFF). You need to follow the above link and read the information there, then download and install Tor. Tor is a nifty little tool that can scrub your electronic identity so that Big Brother cannot identify who you are or where you are. It works best with Firefox on windows, or with Firefox and Konqueror (and perhaps a few others) on Linux. For use with Firefox you will want to install the Torbutton extension which allows you to quickly turn off and on use of the Tor network. Briefly, Tor funnels your net traffic through 3 different Tor servers (called "nodes"), with each node removing all IP information and headers from the packets it receives and substituting its AND encrypting the traffic between Tor servers (nodes). Each server, in normal operation, is random so for any given internet connection session using Tor, your packets will very likely pass through 3 different servers every time. The final server in the triplet, the "exit node", decrypts the stripped data packets and sends them to their final destination (and receives replies and sends them back through the nodes), in this case a webmail provider like Yahoo or Gmail. If it is Yahoo, all the Yahoo servers can see is the IP information and headers originating from the exit node and the exit node has no idea what the original IP was. Tor servers exist all over the world so what Yahoo would be seeing is an IP in China, or in Britain, or Brazil, a random location in the US, etc. That is the short description of what Tor does. What follows is how you use it to get a truly anonymous email account. Additional note: Tor can also be used to anonymize your IRC chats, ssh session, telnet session (do you actually still use telnet?!), etc.
With Tor running and, in this case, Firefox up and running with the Tor button activated, you go to Yahoo or Gmail to sign up for a new email account. Because Tor passes your traffic through 3 different proxies all over the world, it will generally take longer than normal web browsing for a page to load. This actually depends on how many Tor nodes are up and running and, of course, how many people are making use of them at the time. Just something to keep in mind. Also, for security reasons, the Tor button deactivates java and javascript because both can be used to obtain your REAL IP address by bypassing Tor's protective arms so expect some usage issues with certain pages. You will now need to select a username and password. You don't want to select a username that can identify you in the real world and, I find, that if properly selected you can also avoid spam bots from the get-go since some of these will simply go down a list of variations on names and names with numbers tied to an email privider and shotgun send spam. A username like bsmith69 (at yahoo or gmail) is an invitation to receive spam shortly after account activation. To avoid identifying information and spam, choose something along the lines of "bh3210" and the like - nonsensical and non-guessable by a spamming asshole. Your password is up to you but use good password practice.
You may find that after this point, when you are expected to add more information, that the email provider has pre-identified you as being a resident of some other country. This is an indicator of what country your Tor exit node resides within. You may need to alter the language settings to something you can understand. Enter a fake name and other information. It is best now to be from somewhere other than your real location. To do this, you may need to have a zip code or postal code available from that location to enter. I myself have 4 truly anonymous email accounts, 2 at Yahoo and 2 at Gmail. With one of these accounts, for instance, I am from Vancouver Canada (with an appropriate postal code provided too). Do what you will.
After this you have your account. NEVER access this account without using Tor, or be VERY VERY circumspect accessing it from other computers from other locations (NEVER access it from YOUR computer without using Tor). Two or three accesses from a public terminal at a local library or internet cafe and you basically give away the fact that you actual location is likely your current real location.
OK, so now you have a truly anonymous email account. If you now use this willy-nilly to email your parents, sister, or best friend, you will quickly (almost instantly) blow its anonymity. Instead, get at least a few of your desired contacts to do what you've done so that you can anonymously send emails back and forth. There is a danger here, however. In generic, happy-go-lucky emails you will soon provide personal identifying information in your messages that will give your real identities away unless you are all always diligent. That's tough to do. This brings me to the privacy part.
PGP (Pretty Good Privacy) has been around for over a decade. Created by Phil Zimmerman:
Philip R. Zimmermann is the creator of Pretty Good Privacy, an email encryption software package. Originally designed as a human rights tool, PGP was published for free on the Internet in 1991. This made Zimmermann the target of a three-year criminal investigation, because the government held that US export restrictions for cryptographic software were violated when PGP spread worldwide. Despite the lack of funding, the lack of any paid staff, the lack of a company to stand behind it, and despite government persecution, PGP nonetheless became the most widely used email encryption software in the world. After the government dropped its case in early 1996, Zimmermann founded PGP Inc. That company was acquired by Network Associates Inc (NAI) in December 1997, where he stayed on for three years as Senior Fellow. In August 2002 PGP was acquired from NAI by a new company called PGP Corporation, where Zimmermann now serves as special advisor and consultant.
OK, what does PGP do? PGP is public key encryption software. Originally its focus was on encrypting text files and email but has now broadened to also include disk/file encryption as well. We are interested here in the email encryption aspect. It will encrypt text with user-selectable "strength", converting text into indecipherable gibberish. Below is an example. What I have done is taken the current paragraph and encrypted it with the opensource/linux version of PGP called gnupg (they are interoperable):
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.7 (GNU/Linux)
hQQOA72Rq6aJ+41OEA//etnZD+uyi3EDQvzB75FL1EbBr9AUqfoaDmanxdkwoi17
lxh+dWMl/6TyjsMyibNPMgvyqNvxxqmiwZMTtFffmooftj2es1S9pWSaMETh7abF
6JZoEMLXa7D2jXWr4BPWnBLPuCxJQEU+pvI4EAxht3mhWbQR1/87nWGmfdJXER7n
fDVD1G1isTvpsd3PmTNX+P5Fc86yD8vbtRL3cB0yo8BE1p8yj5/spydoA5nz7c2T
wyY8BNJXE2MFt0WP22CSP2ZW34J+c4LMB9rBt1oi1MRqf0AJPlhE0afcWLpgUs0N
bWAMbNwFqKJrImr3mgOxKt87KUPH0CXeEnPd++PvRDquPvaxO4HeAXsTHPCbKj7v
Plx+dPvuWbggyzp+p8CqkjwJmerRgxCFM4t38Mr+g2nyr3s6jQZg+rZwyg2ktPJz
kXnJtyujwsGOtP5VQF7+l/eKxeTnTgqGITd0ApsG8bFr2LECAvzbPhdBZB9EbjXV
PTyiedTC7ejGhKWTZNDF/B4vjtPztlj36bKh1ryU8mTeOijPuA6UJT2gCS2IMlRz
JjNfIw5Vsat7DE8nR+RyDGCR2ocmDSUxLpz/IbxZVo4dMVNDQPBv/BzUqU7REH08
HZYCEhW2ODvIhSnGnzSKOcT5DfmtFSFiCjsTfKvV/5IvoI8ODnML5s/6BQzACuIP
/iBbdhDBGIUKXMvKJOjCgBAg2ezhu55ramH5BumaCE9Y236jsiiRGRptN369FXKc
uyr5BwnWM7VszQAuIkTL4BhuvIwT1MEHBy0WAfq3i28nteqPWMhDQl4CQLIUK+SR
7QAplZa0erIyCi6gzJbYZdmUDePi4IdkvPG+rx09Ghs1vWD//HXIrmqbuSzhsBnV
m0LxV4cC0XHS2MRban+qNxV9LDSKcj7QYY30cNkcIRFESBt3rzV01xRWGPtA4bR+
reQHBiAUuA2qsW4eAw3fcfLfF0pgcv3aOPQA6rHj3o6Nx2H05NqUXIrkC/3Z9WV3
SaGkmlIzfUneSOdsRiuB/QEK0plTxAof6u7yJXToHH7VQAJJXKRDKzdv0MOw8yuM
7b1q7THDuUS9zTH47+Uk6a/xvYxxM8ztZplLoJiBKOGoQea/WEsiDAITFUuhAU+k
d2+Aubyw4A0aEMYAvESyOmaElrzEhoHY9oze5RQMOUfFlVUdxkWVQY+RIDrPBc
5nlh9yC80+m1zwEDiwWNLYHPVT5CG954LYqIZbOGIqoQnLITAT9/BZO80vlc5YWK
HENLc43QoDKr4dts9874F6rNSH3MEO2I6ddkDSD2CJSRkfHPF0gIJZeVdFR/0u0M
ukAEDF5FsE5UtRlRGrcHC/bqXShgz4lXA3kCyd5EwDizyem0LHn4WvICMQZW/sZI
WBdJmZcTRztbeD3oT+y9CX4yF2Bzhn0TrVFJiiVbCTjcgZe549WtDf9P/LlV7M3+
30QR9tHnuQyoRPdSUqezxdLdkb3EDw8D333KJLQBfdnUTT6ZpedVbT3oZuAbC0yu
h06RHhuixVgZKGipEZq5UgjN5LpnPE90P1K3J7xE527pYa7Lhz++HlL03Bq5mIWX
WS2Iz+bAOJuZlAnC3HLNhKy/UAu/b631vECCU2+1zep6ZcmGxjGv3dX6c8NhFu2I
xjutWhLiA4qQIK3LNlbKNvY4NKFurK1gyuWzlq35t0QxqPb89sEb1yyZ9VTrYck+
i/Xj53oIorZwm/fVroeWIkBgbDMROwYkLydTsSbl4OaSTi4O8jt9bXrWEmTWp90P
KQz33+elOVA1NWebWs3ZE+BLnjRXGcY56GmLSDEJNfWp7fcZj4Du7np1RbVSdj48
bShFD05fxMZy3KEUuhfRuf3TANzFM7an8H6MyWFK1lxNZqBNK8aC+u89L457jvE6
Ey0oX3Cvn97CI+GhYDWUXG+hjzI9aOZV3K7uL1yXp1Qrt+Dx/CrJVnWUpThJ9QdD
NGphhu2W9fXsQcyer3Z5Yks70PoZnE1k5tcaGpSRzuD9IEjbafYtCaaTMP4800YA
R2M7zlryGQmY82/PRgaCQ3fIR8BptOE3kaOW15kgyMfgVIrOP7VLfsryMy+fRQNw
5J9BV40yZqQ2LATmsq8YtwshRUzyA1n8boRDAS6KWE5ozxMLtAEb4BuPehwmP6g3
piqEkXsigdUsy3rsbid1zoDZCnJOkjp1NGO6UONq6imlVM2reZ+ery7C3UECU3eM
P3jFXuKoDpBq313m3qG2LMbeAvudapA71EfYSiqPYofvo7xuG/WImP7DWPb/ZdnI
Ane4brrYQKx9AVFXrZnPNTN7iYnEGAXrq3MO7ZslW84ys3wwGwAMU4zldhY5fyW7
nhYic4/F76nxYm6NjAj1x4418/MkXrj+75lqD2D9Ni3l+4dCL8EOGBkBe3zM1JxA
W+ylAofAReDTev+tB0npEC1cXc2ftSgXMA/U8tyT
=EGpM
-----END PGP MESSAGE-----
The foregoing paragraph was encrypted using a 4096-bit encryption key. It is exceedingly difficult for even the NSA to decrypt a message encrypted with a 1024-bit key, and virtually impossible for them to decrypt/crack messages encrypted with a 2048-bit or 4096-bit key (selectable in PGP and gnupg) in any reasonable length of time (years). The larger the key, the harder it is to decrypt even with supercomputers.
PGP is tougher to work with than Tor but it is easier than using anonymous email accounts to communicate back and forth with select persons without ever making a mistake of entering personally identifiable information into your messages.
So, you go to the link above, download PGP desktop after reading the information provided (for Windows...don't know about the Mac, sorry, anyone else?), install it and fire it up. You need to generate a key pair (you will be instructed). One key is the public key that you can publish online with any of a number of so-called keyservers if you wish. This allows someone who wants to send an encrypted message to bh3210 at yahoo dot com to search for and find your public key and send you an encrypted message that only YOU can decrypt, OR you can simply provide your public key via email, usb key, filesharing, etc, to your desired communication partner(s). PGP keys use a passphrase rather than a password. It is much harder to crack a passphrase than a password generally, especially when you choose a good passphrase. It COULD be a stanza from a favorite poem (though not a good idea), the same stanza with some of the "wrong" letters capitalized and some letters replaced by numbers or symbols (better) or it could be a string of random words and numbers (best, though hardest to remember). Every character, every space, every bit of punctuation counts in the passphrase and must be entered exactly the same for encryption and decryption. The other key generated is your secret key. Never ever ever give this out. This is what makes a message encrypted with your public key ONLY decryptable by you and you alone - it is usually stored on your computer in a specific folder.
When you generate a key pair you also decide how long the key pair will live. You can set it to never expire (not a good idea), expire in a couple days, a few months, a handful or years, etc. I usually go for 2 year expiration. When one expires OR if you decide to generate another key pair just for added security and use, do NOT use the same passphrase. That is as bad as using the same password for all your password-protected computer accounts, online accounts, etc. Someone breaks one password, they gain access to everything else.
OK, you've used PGP (or gnupg) to generate a key pair in the size of 2048-bit or 4096-bit (it takes a little longer to generate the bigger keys but your computer is fast and it isn't THAT long - and it gives you a LOT of extra protection). You also want to generate a key revocation. This is a special file of data that is passphrase-tied to a specific key pair that is used to revoke a published PGP key if you publish your public key on a keyserver. You would use it if you suspect a key pair you are using has been compromised or if you generated a never expiring key and decide it is time to kill it and use another for other reasons. Without a revocation key, if you publish a public key on a keyserver with a never expire setting then that key will NEVER expire and cannot ever be expunged from the keyserver. You cannot call someone at a keyserver and tell them you goofed and forgot a passphrase for a key or that a key has been compromised, etc, etc, and have them remove it for you. You MUST use the revocation key to do so. Which brings me to why it is a good idea to generate keys with a set expiration date. I have forgotten the passphrases to a handful of my past keys that I've published on keyservers. I did not have revocation keys for them. Those never expiring public keys are on the keyservers forever and if someone chose to use one to send me an encrypted message, I would be unable to decrypt it. I now only use keys that will expire (again, after 2 years usually) so that if I forget the passphrase then the key will die a natural death on its own in the near future.
PGP can also be used to "sign" messages. OK, you want to send an encrypted message to your friend Joe Blow at gmail dot com. You use his public key to encrypt the message and then you sign the encrypted message with your key. What this does is provide Joe Blow with an encrypted message that only he can decrypt (you can't decrypt it either) AND your signing of the message with your key lets Joe Blow KNOW that it originated from you and only you.
Thus, what you obtain with the above is one or more truly anonymous email accounts and strong privacy to boot via encryption. Once you get comfortable working with PGP/gnupg it is not hard at all and is even kinda fun. For grins and giggles too, you can upset Big Brother's spy software and human goons by simply sending anonymous encrypted nonsense messages back and forth between your own set of anymous email accounts. With you and friends and family members (likely only a few would be willing to do all this...for those that can't be bothered, NEVER use your anonymous email account to email them...use a normal no-privacy email account instead) all sending actual encoded messages to each other AND sending encoded messages back and forth to your own set of anonymous email accounts, you can really give Big Brother fits. The poor babies will see encrypted messages being sent from an IP in Belgium to an account with an IP in China (for only that particular connection) to an account with an IP in Argentina, etc, etc. Good times and set the idiots to wasting effort and time on bullcrap deadends.
Finally, a quick blurb on VOIP softphones. Skype is the most well known and is reasonably decent but...though it includes an encryption system, that system is propriatory and closed. You have NO way of knowing whether or not Skype developers have added a backdoor to their encryption scheme to allow them or the Feds to decrypt and listen to your conversations. With that in mind, for private encrypted VOIP you would be better off without Skype and instead using something like Gizmo, Apple's iChat, X-lite, Xmeeting, Google Talk VOIP client, SJphone, Ekiga, and others with the help of zfone (from the Phil Zimmerman who created PGP). Zfone will not work with Skype because of its propriatory communication and encryption system but it will work with most other VOIP apps. Zimmerman has also released a development library of zfone so that it can be organically integrated into VOIP clients. So long as the person on the other end either has zfone installed and running OR has a client that incorporates the zfone library, you will obtain an encrypted conversation automatically with a one-time-use key (no need to do anything), which is among the most secure kind of encryption key there is. This gives you encryption with no potential backdoor (Skype) and thus protects your privacy with the same level of strength as PGP does without ANY of the "hassle" of using PGP.
Addendum: another fun trick. There is an application available for windows and linux called steghide. For linux, in addition, is a nice GUI for it called SteGUI. With steghide you can encrypt and hide a message inside an image file like a jpeg or bmp or into a sound file (wave, au) with no one being the wiser except, hopefully, your intended recipient. It is protected with a passphrase that you can make up on the fly as you encode the message into the image - your recipient needs to know this passphrase to pull out the message. Below are two identical jpegs. The first one is the starting image and the second is the same image with the current paragraph encoded within it. Nifty eh? Steghide uses a process called steganography, which is the art/science of hiding messages within images or messages. Essentially, the movie The DaVinci Code demonstrated a form of steganography when it covered the painting of "The Last Supper". The "code" was hidden within the painting and was of a non-obvious nature.
This is an image before the above paragraph was embedded within it:
This is the same image with the above paragraph embedded within it: