
A Tutorial on Anonymous Email Accounts - Garbage
https://www.eff.org/deeplinks/2012/11/tutorial-how-create-anonymous-email-accounts
======
kibwen
Don't overlook the Google-related footnote at the end:

 _"Google keeps logs of IP addresses for 18 months, after which they keep logs
of three-quarters of the IP address. Three-quarters of an IP address may be
still enough to breach your pseudonymity in the case of an FBI
investigation."_

Contrast this with the explanation from Google's own Privacy FAQ[1]:

 _"We strike a reasonable balance between the competing pressures we face,
such as the privacy of our users, the security of our systems and the need for
innovation. We believe anonymizing IP addresses after 9 months and cookies in
our search engine logs after 18 months strikes the right balance."_

I'm quite surprised to learn that Google equates "anonymizing IP addresses"
with "chopping off an octet". I suppose I'm a bit naive.

[1] <http://www.google.com/policies/privacy/faq/>

~~~
joonix
EFF didn't cite a source regarding the 3/4 claim in their article. I'd be
curious where they got that information since it does conflict with their
privacy policy.

~~~
nl
I believe the chopping of the octet is separate to the anonymization, unless
they haven't updated their docs:

 _What does it mean to anonymize the logs?

We will change some of the bits in the IP address in the logs as well as
change the cookie information. We're still developing the precise technical
methods and approach to this, but we believe these changes will be a
significant addition to protecting user privacy._

[http://static.googleusercontent.com/external_content/untrust...](http://static.googleusercontent.com/external_content/untrusted_dlcp/services.google.com/en/us/blog_resources/google_log_retention_policy_faq.pdf)

Edit: I think I'm wrong about this.

[http://repository.cmu.edu/cgi/viewcontent.cgi?article=1058&#...](http://repository.cmu.edu/cgi/viewcontent.cgi?article=1058&context=jpc)

 _After Google announced its log retention policy update in 2008, C. Soghoian
asked Google for details about the log sanitization process. He then published
the following response from Google [34]:

After nine months, we will change some of the bits in the IP address in the
logs; after 18 months we remove the last eight bits in the IP address and
change the cookie information (emphasis our own). It is dicult to guarantee
complete anonymization, but we believe these changes will make it very
unlikely users could be identi ed."_

------
gesman
Here is the better [and shorter] version of this tutorial: 1\. Download Tor
2\. Signup and use tormail.org 3\. Done.

I surprised eff.org didn't even mention tormail.org - this email _forces_ you
to use Tor, essentially forcing you to _never_ make mistake of using non-Tor
browser.

~~~
rada
And who is to say tormail is not a honeypot?

~~~
sequoia
Use tor+gpg and does it matter?

~~~
SageRaven
If one is using tor+pgp I don't think the venue really matters all that much.
I'd personally use a pastebin-like place (public or .onion, doesn't really
matter) than an email server. Anyone know if there's an active NNTP network in
onion land?

------
driverdan
Use an email provider wholly owned and hosted in a country that's non-
cooperative with your country, preferably one with an official language that
differs from your country's. That alone will help you avoid standard subpoenas
/ legal requests.

Add Tor and encryption on top of that and there is almost no chance of
government interference, unless you're a terrorist / subversive.

------
INTPenis
Why use email? I know some drug dealers who are pretty IT savvy and they
simply setup Pidgin with OTR on their computers. Some had Macs with Adium.

Then they would message each other to go on OTR.

That's all you should send in an e-mail or text message, "go on OTR".

~~~
aes256
If I understand correctly, the key feature of OTR is its plausible
deniability; the messages you send do not have a digital signature that a
third party can use to verify their integrity, but the other party in the
conversation is able to verify them.

Is that really going to hold up in court? Surely by the same token I could
dismiss absolutely everything there is any record of me sending or receiving
over HTTP because it could theoretically have been forged or tampered with in
transit.

~~~
oconnore
The most useful feature (of course, not a unique feature) of OTR is perfect
forward secrecy. This means that, unlike GPG, you can lose your private key
and not give up everything you have ever encrypted.

The plausible deniability stuff is probably not that useful in court, as you
note.

~~~
georgeorwell
If the 'plausible deniability' is not that useful in court, that means it
isn't plausible deniability. It's better to say that OTR doesn't provide
plausible deniability, even though it claims to, if that's what you believe.
(I don't have an opinion either way.)

~~~
aes256
It's plausible deniability, but that alone isn't sufficient to avoid
prosecution in most jurisdictions.

The standard in most jurisdictions is proof beyond reasonable doubt. I don't
think the OTR plausible deniability would be considered reasonable doubt,
especially if the content of the messages is corroborated by other evidence.

~~~
georgeorwell
I always thought the term plausible deniability implied reasonable doubt, and
that if it didn't, it wasn't plausible deniability. I mean, there's not much
point in claiming something offers plausible deniability if it isn't a valid
defense in court. Or is there?

Do you have an example from actual case law? All I have is Wikipedia:

"Plausible deniability is also a legal concept. It refers to lack of evidence
proving an allegation. Standards of proof vary in civil and criminal cases. In
civil cases, the standard of proof is "preponderance of the evidence" whereas
in a criminal matter, the standard is "beyond a reasonable doubt." If an
opponent lacks incontrovertible proof (evidence) of their allegation, one can
"plausibly deny" the allegation even though it may be true."

~~~
stinkytaco
However, deniability becomes less plausible when there's other evidence that
makes deniability harder... i.e. Someone claims to have had a conversation
with you, the logs of the conversation exists and that person can corroborate
that the person on one end was them. Of course you can claim that someone was
impersonating you, but what if later you had a recorded phone conversation
referencing the OTR conversation, etc.

In and of itself, a piece of evidence is plausibly deniable. In the face or
corroborating evidence, it may not be.

Alas, however, I do not have an example from actual case law.

EDIT: I knew I had seen some case law sort of related to this before and it
was in re Boucher and US v. Fricosu. They are not directly related to
"Plausible Deniability", rather they compelled defendents to decrypt their
hard drives. Certainly in the Boucher case there was reason to believe that
the contents of the drive were incriminating (the file names were the
giveaway, I believe) so perhaps this does not fit in to the exact facts we are
trying to recreate, but those are the only two cases that relate that I can
recall.

~~~
georgeorwell
Thanks for elaborating, I better understand the claim that OTR plausible
deniability is not that useful in court now.

------
Derpsec
Holy shit, seriously who is running the EFF these days? I haven't checked in
since the 1990s. This was the absolute WORST article on privacy I've ever read
in my life.

FUUUUUU... did they just advocate for people to use Hushmail? The same
proprietary, for-profit organization that when contacted by the FBI they
present the user with a decoy login screen so they can capture your password
in the clear and then decrypt your entire history to hand over to the feds?

Nobody should be using hushmail in 2012, not after multiple court cases that
have detailed exactly what hushmail has done for the feds. Hushmail has sold
their users out so many times I can't count. It's useless cloud encryption
nonsense.

If you really want to send an anonymous email, you use mixmaster, torrified.
Period.

If you need a method to be contacted by people who are clueless you then sign
up to privacybox.de a free service provided by the German Privacy Foundation
and you upload your public PGP key and have it forwarded to a tormail account.
Reply through mixmaster encrypted

If you're really paranoid you have mixmaster post encrypted emails to
alt.anonymous.messages and skip centralized email servers like tormail all
together

[http://anonymous-proxy-servers.net/en/help-live-cd/jondo-
liv...](http://anonymous-proxy-servers.net/en/help-live-cd/jondo-live-
cd12.html)

This is how send email torrified with Jondo live privacy CD, or just install
mixmaster on your own linux/bsd computer and use full disc encryption + pgp.

Screw the EFF after reading that tutorial. It should be burned to the ground
and an entire new organization built if this article is their best advice.

~~~
SeanDav
I was going to down-vote this, but if you skip out your insults, your
information is likely worthwhile. Your comment would have been far better
without all the extra attacking gumph, which adds nothing and makes you less
likely to be taken seriously.

------
sprash
Much easier to use is Bitmessage:

<http://bitmessage.org>

It works similar to Bitcon, is decentralized and does not rely on trusted
third parties (e.g. for signing).

Whitepaper: <http://bitmessage.org/bitmessage.pdf>

~~~
mike-cardwell
Would like to give this a try, but I don't use Windows. Should it work on
Linux? I imagine a lot of early adopters of such a system would not be using
Windows...

~~~
sprash
It works perfectly fine on Linux. You need Python2, PyQt and Sqlite for it to
use though.

(run: python2 pybitmessagemain.py)

------
bredren
In many cases, hard core security around email isn't necessary. For light
privacy, where you simply don't want the other party to immediately be able to
google your address (i.e. craigslist or online dating) I want to recommend
Gliph Cloaked Email. <https://gli.ph>

I run Gliph and am happy to answer questions about the level of anonymity you
can achieve if anyone has any.

~~~
sneak
> We encrypt data with 256-bit SSL in transit and AES-256 encryption before it
> hits disk.

Your website copy does not inspire confidence in your ability to properly
implement cryptography software.

~~~
iskander
For us crypto-ignoramuses, what's wrong with what you quoted?

~~~
Lanzaa
>> We encrypt data with 256-bit SSL in transit and AES-256 encryption before
it hits disk.

> For us crypto-ignoramuses, what's wrong with what you quoted?

First off, it is very easy to get cryptography wrong. I wouldn't trust most
people with being able to implement cryptography software correctly.

Buzzwords like AES and SSL are used to convey a sense of security. Their
256-bit SSL uses AES-256 to encrypt data in transit. While using AES-256 to
encrypt a file doesn't mean it is secure. The mode of operation is very
important. The following wikipedia page has a picture that was probably
encrypted with something like AES-256. I will let you guess what the original
picture was.

<http://en.wikipedia.org/wiki/Block_cipher#Modes_of_operation>

Another issue not discussed is key management. To encrypt the files with
AES-256 they need to have the key. If someone breaks into their server, the
server will have the key and the files. It becomes easy to break the security.

------
glomph
Of course Petraeus could not exactly have installed tor and started visiting
hushmail.org without instantly being considered suspect.

~~~
pyre
From work maybe, but would that have been the same from home?

------
Xylakant
if all you want is to receive mail, the CCC offers anonymous one-time
adresses: <https://anonbox.net/index.en.html>

------
bstpierre
What about something like mixmaster[1]? Obviously more complex than using tor
browser bundle with a webmail provider, but is it still viable for geeks? What
are the risks?

[1]: <http://www.debian-administration.org/articles/483>

~~~
gnosis
Mixminion[1] is the next generation anonymous remailer that was designed to
fix some problems with mixmaster. You might want to use that instead, if you
can.

[1] - <https://en.wikipedia.org/wiki/Mixminion>

------
forgotAgain
It seems to me that a government sponsored virus would look for a fingerprint
for something like Tor. Whose to say the virus isn't a virus but rather a part
of a retail product placed there in cooperation between industry and
government.

If you want true security you need to use open products.

------
mtgx
What about Opera's FastMail.fm? They are not even based in US, so that might
help. I see it's not free anymore though, but it also has no ads, so no
tracking for that either.

They could've also used RetroShare for both encrypted chats and mail, and it
should've been pretty anonymous as well since it's P2P. This is not something
most people would be willing to do, but for someone like Petraeus, it could've
been useful.

For most people using something like Jitsi for encrypted chats and video-calls
is much more bearable, although you still have to watch-out where you sign-in
from and where you create the account, so you'll probably have to follow the
whole Tor browser part EFF mentioned in the beginning, if you want anonymity
as well.

~~~
andreaso
Regarding FastMail and the US.

* FastMail have their servers in New York City (as well as on Iceland).

* Opera Software do have an office in the US.

I have no idea to what extent that puts FastMail under US juristriction.

(Disclaimer: I work for Opera Software, but not on the FastMail team.)

------
cookiecaper
I2P's mail system may be safer than this (certainly much more anonymous since
you don't have to transfer any money at any point in the process), depending
on the content of your mail and the level of trust you feel for the person
running I2P's mail system.

------
dbz
There is also Tor Mail as an anonymous email service.

~~~
mike-cardwell
Nobody knows who runs the Tor Mail service. This is good because nobody can
order them to give up information about you. However, it's also bad because
you've no idea if it's being run by responsible people, a government agency,
wikileaks, or just a few nosy kids. You should still definitely use PGP
encryption if you're using it.

~~~
glomph
Shouldn't you always be using pgp anyway? Its not like you should trust
someone like hushmail either.

~~~
SageRaven
Speaking of, has a replacement for firepgp (an awesome Firefox pgp plugin from
some years ago) ever cropped up? It was so idiot-proof it was beautiful, and
had the project not closed down, I probably would have rallied friends and
family to use it.

~~~
Torgo
The problem is that it was not reasonably secure. As I understand the
complaint, you can't integrate PGP into an extensible, skinnable interface
securely. There's not firefox or OS support for making that kind of thing
doable. You'd want to have some sort of OS and app support for being able to
encrypt a message in a widget on a GUI layer above the browser and then
transferring it in, so that PGP and Firefox never come into direct contact.
Qubes OS has a rough mechanism for keeping different security-level apps
separated, and identified via a colored window border. I wonder if something
similar to this is the correct solution.

~~~
zokier
I don't think that the problem was that Firefox or the OS weren't secure
enough. Afaik the problem was that FireGPG worked inline with the original
page, and thus a hostile JS on the page could intercept the plaintext.

I think something like the "It's all text!"[1] addon with GPG enabled editor
should be reasonably secure.

[1] <https://addons.mozilla.org/en-US/firefox/addon/its-all-text/>

------
tekknolagi
And I wrote a blog post about something similar, but it hits a lot more bases
than just using Tor. Tor has issues of its own.

<http://bernsteinbear.com/a-quest-for-anonymity>

~~~
cynwoody
Under your Public WiFi heading, you should add a warning about surveillance
cameras, POS credit card trails, and employee memories. These days, cameras
are everywhere, and video storage has gotten very cheap. Assume investigators
will visit each shop from which you surfed and act accordingly.

Best to buy your coffee at coffee shop A and do your surfing from near but
_not_ in coffee shop B.

Also, if, for instance, you are on a book tour to hype your biography of P4,
be aware that, even if you follow WiFi best practices, you will still be
leaving a geographic trail that investigators could find very interesting.

~~~
stinkytaco
It makes me wonder why the government works so hard to get new powers of
investigation. It seems easier to catch someone now than it ever has, despite
the preponderance of new privacy tools. Using good old fashion police work
like warrants, subpoenas, plea bargains, surveillance, etc, police can put
together a lot of pieces that add up to a whole (I make a comment elsewhere in
the thread about the problem of plausible deniability in the face or
corroborating evidence). Why the hell do they need _more_ tools?

Perhaps someone in law enforcement could shed some light on this. After all, I
am looking at this from the outside.

~~~
tekknolagi
Or the inside, depending on how you look at it.

------
holri
Probably easier and more secure to just boot in a tails live system (usb,
cdrom). This system uses tor and has everything installed and configured to
protect your privacy.

<https://tails.boum.org/>

~~~
cookiecaper
You still need to create an email account with a host who is at least semi-
aware of the importance of privacy and cryptography (e.g., not Google). You
can't make new Google Accounts from Tor nodes without additional verification
(your phone number); same is likely to be true of all major email services.

Accessing your Gmail through Tor and thinking that makes you "anonymous" is
just going to tell everyone that you failed at being sneaky.

~~~
belorn
>Accessing your Gmail through Tor and thinking that makes you "anonymous" is
just going to tell everyone that you failed at being sneaky.

Thats a great slogan for a T-shirt :).

Oki, for a bit more seriousness... One could in theory create an account on
google through tor, verify the account with a burn phone, and be rather
unidentifiable. Its just kind of costly, so just bad guys with anonymous cash
that can do this and not journalists.

------
Ruscour
I'd use Tor way more if it wasn't so damn slow. Of course security is a
priority, but it's just not usable for me.

~~~
robinh
If security is a priority, then set up a Tor node! :)

~~~
aes256
Then brace yourself for a flood of DMCA requests and law enforcement attention
in 3.. 2.. 1..

~~~
prawks
Sorry for the perhaps extreme naivety, but does this actually happen to people
who set up Tor nodes?

~~~
Xylakant
In germany some servers were collected by the police but relatively promptly
returned once they figured out that they were tor exit nodes. Still, you're
the first person that the police can get a handle on, so at least expect some
questions once in a while.

I don't know about any other country, but you might just consider hosting the
tor exit node in a country with more friendly laws and then use a VPN to
connect there.

~~~
aes256
Indeed, you're probably protected by safe harbor/mere conduit laws in most
jurisdictions, but you're still liable to become the subject of law
enforcement investigations and have your equipment seized.

More hassle than it's worth.

------
techsupporter
What about running my own e-mail from my residence or contained within a data
center on a computer that I personally own (that is, not leased from the
hosting provider) and connected to the Internet via a subscription in my own
name? I'm rather curious about what legal areas this might fall into.

~~~
kijin
> _connected to the Internet via a subscription in my own name_

I thought the article was about _anonymous_ e-mail. Anonymous as in, nobody
can tell who you are, not even the Feds. Anything you paid for with your
credit card is probably not going to meet that criterion.

~~~
techsupporter
Good point. I was more wondering about this as an alternative to purely
anonymous e-mail in light of one of the reasons why people try to avoid having
e-mail tied to them (government having a peek).

~~~
bstpierre
There was an article on HN a while back about a server removed from a DC by
the feds; that's one risk.

If you have the server at your home sending emails, it will be trivial for law
enforcement to figure out where you are and show up at your door with a
warrant to sieze your computer.

------
runn1ng
They say that Hushmail keeps your mail in plaintext. But does it?

From what I heard, they encrypt your mail even on their servers.

However what kills the service for me is the need to pay if you don't use it
reguralry - and there is no way to pay for hushmail anonymously (read: with
bitcoin).

~~~
yungchin
It doesn't really matter whether they encrypt it on disk: the scenario here
isn't that their disks get stolen, but that law enforcement makes them decrypt
your mail. The only way to get in the way of that is to encrypt it yourself,
see GPG etc.

Also: isn't a bitcoin transaction really difficult to anonymise, with the
global transaction record available to the whole world?

~~~
runn1ng
About bitcoin: It depends.

Yes, it is not fully anonymous, but you can make it reasonably anonymous quite
easily (infinitely more than any credit card). Just trade it for cash with
someone you know in the first place, then send it to MtGox and back, then send
it to something similar with online wallet and back, and the result is
_reasonably_ anonymous.

Also the default client does what it can to obfuscate all the transactions -
with every outgoing transaction, the "change" goes back to you, but at
completely different address. This causes that after a few transactions, it's
_basically_ untrackable.

~~~
cookiecaper
There are some bitcoin launderers that can simplify it, but it should be
clarified that much like PGP, anonymity/security is not just as simple as
downloading a client and using it. You need to understand the model and its
implications, or it's pretty easy to make links in the blockchain that'll give
you away to an interested, resourceful party.

Bottom line: Do NOT think bitcoin is safe for your usage until you've done
sufficient research to ensure that you're using it the correct way. Bitcoin is
NOT private by default, it's up to you to protect the identities behind the
transaction endpoints, _including nearby txs_. If you get bitcoins and then
immediately send them to your brother's public address, or launder these only
lightly, or use a MtGox address that is linked back to a scan of your driver's
license somewhere in the laundering process, or if you buy your bitcoins from
your brother and HE doesn't launder very well, or the guy from LocalBitcoins
got curious and did a bunch of research before your exchange and the feds
contact him because the coins came from an address tied to _his_ identity, or
something else like that happens, you are going to get caught if someone is
interested in catching you.

It's more complicated than just downloading the client and waiting four days
for the blockchain to download. :)

------
josscrowcroft
Is using something like iPredator [0] VPN secure enough for logging into a
pseudonymous email account? If you never (ever) use a different IP address to
log in to that account?

[0] <https://ipredator.se>

~~~
bdkoepke
iPredator is using pptp which is very insecure. (The original authors of the
protocol recommend that you shouldn't use it). It is also considered to be
cryptographically broken as of last month.
([http://en.wikipedia.org/wiki/Point-to-
Point_Tunneling_Protoc...](http://en.wikipedia.org/wiki/Point-to-
Point_Tunneling_Protocol#Security))

A list of reasonable VPN providers is available here:
[http://torrentfreak.com/which-vpn-providers-really-take-
anon...](http://torrentfreak.com/which-vpn-providers-really-take-anonymity-
seriously-111007)

(If you are using a VPN, you have to be aware that there is a lot of snake
oil. Finding a good VPN provider is very difficult, and then purchasing the
VPN anonymously is even more difficult.)

~~~
arnoooooo
Ipredator started supporting OpenVPN a few months ago.

------
ommunist
Well, after reading this I realised that the first thing is to monitor and
tame your outgoing traffic. So I renewed my Little Snitch license. And started
to consider wiping the Skype off the machine.

------
pwniekins
Man, what a weak article. I was expecting some cool tutorial on setting up
tormail or something equivalent.

Hushmail? Seriously? They have no qualms with cooperating with authorities at
the drop of a hat.

------
oron
Plug : If all you need is to receive an email Air Mail is right for the job -
<http://getairmail.com>

------
hayksaakian
You could use one of the several temporary mail boxes to exchange messages.

Presumably you'd save anything important on a flash drive or something remote.

------
JimWestergren
What about sharing secure notes via LastPass?

------
baconhigh
worth mention that hushmail are known to turn over email accounts at the drop
of a hat

------
Devilboy
The EFF is right, this is still way too hard.

~~~
reginaldo
Actually it's a little harder still. For instance, when your browser makes
requests in your behalf, it provides the destination server with a lot of
information which can be used to identify you (at least temporarily)[1]. To
get a better level of anonymity, one should at least use a combination of Tor
and privoxy [2].

[1] <https://panopticlick.eff.org/> [2] <http://www.privoxy.org/>

~~~
mike-cardwell
Your information is out of date. The Tor project no longer advises the use of
privoxy, and advises all users to use The Tor Browser Bundle. This is
specifically configured to make all Tor users look the same, precisely because
of browser fingerprinting.

~~~
reginaldo
Thank you for the heads up. I didn't know that the Browser Bundle also took
care of fingerprinting.

