By
Ethan Zuckerman
REPORTERS
WITHOUT BORDERS
This
is a quick technical guide to anonymous blogging that tries to
approach the problem from the angle of a government whistleblower in
a country with a less-than-transparent government. It's not intended
for cypherpunks, but for peoplein developing nations who are worried
about their safety and want to take practical steps to protect their
privacy. The Electronic Frontier Foundation's guide,
“How
to Blog
safely”(http://www.eff.org/Privacy/Anonymity/blog-anonymously.php),
also offers some verygood advice on this
Introducing
Sarah
Step
1 - Pseudonyms
Step
2 - Public computers
Step
3 - Anonymous proxies
Step
4 - This time it's personal!
Step
5 - Onion Routing through Tor
Step
6 - MixMaster, Invisiblog and GPGHow much anonymity is enough? How
much hassle is too much?
INTRODUCING
SARAH
Sarah
works in a government office as an accountant. She becomes aware that
her boss, the deputy minister, is stealing large amounts of money
from the government. She wantsto let the world know that a crime is
taking place, but she's worried about losing her job. If she reports
the matter to the minister (if she could ever get an appointment!),
she mightget fired. She calls a reporter at the local newspaper, but
he says he can't run a story without lots more information and
documents proving her claims. So Sarah decides to put up a weblog to
tell the world what she knows about what'shappening in the ministry.
To protect herself, she wants to make sure no one can find out who
she is, based on her blog posts. She needs to blog anonymously.
There
are two major ways she can get caught when trying to blog
anonymously. One is if she reveals her identity through the content
she posts – for instance, if she says: "I'm the assistant
chief compliance accountant to the deputy minister of mines, "
there's a goodchance that someone reading her blog is going to figure
out who she is pretty quickly. The other way Sarah can get caught is
if someone can determine her identity from information provided by
their web browsers or email programs. Every computer attached to the
internet has – or shares – an address called an IP address - it's
a series of four numbers from 0-255, separated by dots – for
instance: 213.24.124.38. When Sarah uses her web browser to make a
comment on the minister's blog, the IP address she was usingis
included on her post. With a little work, the minister's computer
technicians may be able to trace Sarah'sidentity from this IP
address. If Sarah is using a computer at home, dialing into an
Internetservice provider, the ISP likely has records of which IP
address was assigned to which telephone number at a specific time. In
some countries, the minister might need asubpoena to obtain these
records; in others (especially ones where the ISP is owned bythe
government), the ISP might give out this information very easily, and
Sarah might find herself in hot water. There are a number of ways
Sarah can hide her identity when using the Internet. As ageneral
rule, the more secure she wants to be, the more work she needs to do
to hide heridentity. Sarah - and anyone else hoping to blog
anonymously – needs to consider justhow paranoid she wants to be
before deciding how hard she wants to work to protect her identity.
As you will see, some of the strategies for protecting identity
online require a great deal of technical knowledge and work.
STEP
ONE – PSEUDONYMS
One
easy way Sarah can hide her identity is to use a free webmail account
and free bloghost outside her native country. (Using a paid account
for either email or webhosting is apoor idea, as the payment will
link the account to a credit card, a checking account or Paypal
account that could be easily linked to Sarah.) She can create a new
identity – a pseudonym – when she signs up for these accounts,
and when the minister finds herblog, he'll discover that it belongs
to “A. N. Ymous”, with the email address
anonymous.whistleblower@hotmail.com.
Some providers of free webmail accounts: Hotmail Yahoo Hushmail -
free webmail with support for strong cryptography Some providers of
free weblog hosting: Blogsome
free WordPress blogsBlogger Seo Blog
Here's
the problem with this strategy. When Sarah signs up for an email
service or aweblog, the webserver she's accessing logs her IP
address. If that IP address can be tracedto her - if she's using her
computer at home or her computer at work – and if the email or
weblog company is forced to release that information, she could be
found. It's not a simple matter to get most web service companies to
reveal this information to get Hotmail, for instance, to reveal the
IP Sarah used to sign up for her account, the minister would likely
need to issue a subpoena, probably in cooperation with a US law
enforcement agency. But Sarah may not want to take the risk of being
found if her government can persuade her email and weblog host to
reveal her identity.
STEP
TWO - PUBLIC COMPUTERS
One
extra step Sarah could take to hide her identity is to begin using
computers to make her blogposts that are used by lots of other
people. Rather than setting up her webmail and weblog accounts from
her home or work computer, Sarah could set them up from acomputer in
a cybercafé, library or university computer lab. When the minister
traces the IP used to post a comment or item, he'll find the post was
made from a cybercafé, where any number of people might have been
using the computers. There are flaws in this strategy as well. If the
cybercafé or computer lab keeps track of whois using what computer
at what time, Sarah's identity could be compromised. She shouldn'ttry
to post in the middle of the night when she's the only person in the
computer lab the geek on duty is likely to remember who she is. And
she should change cybercafés often. If the minister discovers that
all the whistleblower's posts are coming from “Joe'sBeer and Bits”
on Main Street, he might stake someone out to watch the cybercafé
and see who's posting to blogs in the hope of catching Sarah.
STEP
THREE - ANONYMOUS PROXIES
Sarah's
getting sick of walking to Joe's cybercafé every time she wants to
post to her blog. With some help from the neighborhood geek, she sets
up her computer to access the webthrough an anonymous proxy. Now,
when she uses her webmail and weblog services, she'll leave behind
the IP address of the proxy server, not the address of her
homemachine... which will make it very hard for the minister to find
her. First, she finds a list of proxy servers online, by searching
for “proxy server” on Google. She picks a proxy server from the
public roxyservers.com list, choosing a site marked“high
anonymity”. She writes down the IP address of the proxy and the
port listed on theproxy list. Some reliable lists of public proxies:•
publicproxyservers.com
- anonymous and non-anonymous proxies.• Samair
(http://www.samair.ru/proxy/)
- only anonymous proxies, and includes information on proxies that
support SSL.• rosinstrument
proxy database (http://tools.rosinstrument.com/proxy/)
- searchabledatabase of proxy servers.
Then
she opens the “preferences” section of her web browser. Under
“general”, “network” or “security” (usually), she finds
an option to set up a proxy to access the Internet. (On the Firefox
browser, this option is found under Preferences – General –
Connection Settings.) She turns on “manual proxy configuration”,
enters the IP address of the proxy server and port into the fields
for HTTP proxy and SSL proxy and saves her settings. She restarts
herbrowser and starts surfing the web. She notices that her
connection to the web seems a bit slower. That's because every page
she requests from a webserver takes a detour. Instead of connecting
directly to hotmail.com, she connects to the proxy, which then
connects to Hotmail. When Hotmail sends a page to her, it goes to the
proxy first, then to her. She also notices she has some trouble
accessing websites, especially those that want her to log in. But at
least her IP isn't being recorded by her weblog provider. A fun
experiment with proxies: Visit noreply.org,
a popular remailer website. The site willg reet you by telling you
what IP address you're coming from: “Hello
pool-151-203-182-212.wma.east.verizon.net 151.203.182.212, pleased to
meet you.”Now go to anonymizer.com, a web service that allows you
to view (some) webpages through an anonymous proxy. In the box on the
top right of the anonymizer page, enter the URL for
http://www.noreply.org (or just click
[http://anon.free.anonymiz-er.com/http://www.noreply.org this link].)
You'll note that noreply.org now thinks you'recoming from
vortex.anonymizer.com. (Anonymizer is a nice way to test proxies
without needing to change your browser settings, but it won't work
with most sophisticated webservices, like webmail or weblogging
servers.) Finally, follow the instruction above to set up your web
browser to use an anonymousproxy and then visit noreply.org to see
where it thinks you're coming from. Alas, proxies aren't perfect
either. If the country Sarah lives in has restrictive Internet laws,
many websurfers may be using proxies to access sites blocked by the
government. The government may respond by ordering certain popular
proxies to be blocked. Surfersmove to new proxies, the government
blocks those proxies, and so the circle continues. All this can
become very timeconsuming. Sarah has another problem if she's one of
very few people in the country using a proxy. If the comments on her
blog can be traced to a single proxy server, and if the minister can
access logs from all the ISPs within a country, he might be able to
discover that Sarah'scomputer was one of the very few that accessed a
specific proxy server. He can't demonstrate that Sarah used the proxy
to post to a weblog server, but he might conclude that the fact that
the proxy was used to make a weblog post and that she was one of the
few people in the nation to use that proxy constituted evidence that
she made the post. Sarah would do well to use proxies that are
popular locally and to switch proxies often.
STEP
FOUR- THIS TIME IT'S PERSONAL
Sarah
starts to wonder what happens if the proxy servers she's using get
compromised. What if the minister convinces the operator of a proxy
server - either through legal meansor bribery - to keep records and
see whether anyone from his country is using the proxy,and what sites
they're using? She's relying on the proxy administrator to protect
her, and she doesn't even know who the administrator is. Though the
proxy administrator may not even know she's running a proxy –
proxies are often left open by accident. Sarah has friends in Canada
- a country less likely to censor the Internet than Sarah's own
country - who might be willing to help her maintain her blog while
protecting her identity. Sarah phones her friend and asks him to set
up “Circumventor” on his system. Circumventor is one of dozens of
proxy servers a user can set up to allow people to use his computer
as a proxy. Sarah's friend Jim downloads Circumventor
(http://www.peacefire.org/circumventor/simple-circumventor-instructions.html)
from Peacefire.org and installs it on hisWindows system. It's not an
easy install - he needs to install Perl on his system, then install
OpenSA, then Circumventor. And he now needs to keep his computer
connected to the Internet constantly, so that Sarah can use it as a
proxy without previously asking him toturn it on. He gets the
software set up, calls Sarah's cellphone and gives her a URL she can
start using to surf the web through his proxy, or post to her blog.
This is especially convenient, because Sarah can use the proxy from
home or from a cybercafé, and doesn'thave to make any changes on her
system. While Sarah's very grateful for Jim's help, there's a major
problem with the arrangement. Jim's computer – which runs Windows –
reboots quite often. Whenever it does, his ISP assigns a new IP
address to the machine. Each time this happens, the proxy stops
working for Sarah. Jim needs to contact Sarah again and tell her the
new IP that Circumventoris associated with. This rapidly gets
expensive and frustrating. Sarah also worries that, if she uses any
one IP address too long, her ISP may succumb to government pressure
andstart blocking it.
STEP
FIVE - ONION ROUTING THROUGH TOR
Jim
suggests that Sarah experiment with Tor, a relatively new system that
provides a high degree of anonymity for websurfing. Onion routing
takes the idea of proxy servers – acomputer that acts on your
behalf – to a new level of complexity. Each request made through an
onion routing network goes through two to 20 additional computers,
makingit hard to trace what computer originated a request. Each step
of the Onion Routing chain is encrypted, making it harder for the
governmentof Sarah's country to trace her posts. Furthermore, each
computer in the chain only knows
its nearest neighbors. In other words, router B knows that it got a
request for a web-page from router A, and that it's supposed to pass
the request on to router C. But therequest itself is encrypted -
router B doesn't actually know what page Sarah is requesting, or what
router will finally request the page from the webserver. Given the
complexity of the technology, Sarah is pleasantly surprised to
discover how easyit is to install Tor
(http://tor.eff.org/cvs/tor/doc/tor-doc-win32.html), an onion routing
system. She downloads an installer which installs Tor on her system,
then downloads andinstalls Privoxy, a proxy that works with Tor and
has the pleasant side benefit of removing most of the ads from the
webpages Sarah views. After installing the software and restarting
her machine, Sarah checks noreply.org anddiscovers that she is, in
fact, successfully “cloaked” by the Tor system – noreply.org
thinks she's logging on from Harvard University. She reloads, and now
noreply thinks she's in Germany. From this she concludes that Tor is
changing her identity from request to request, helping to protect her
privacy. This has some odd consequences. When she uses Google through
Tor, it keeps switching language on her. One search, it's in English
– another, Japanese. Then German, Danishand Dutch, all in the
course of a few minutes. Sarah welcomes the opportunity to learn some
new languages, but she's concerned about some other consequences.
Sarah likes to contribute to Wikipedia, but discovers that Wikipedia
blocks her attempts to edit articles when she's using Tor. Tor also
seems to have some of the same problems Sarah was having with other
proxies. Her surfing slows down quite a bit, as compared to surfing
the web without a proxy – she finds that she ends up using Tor only
when she's accessing sensitive content or postingto her blog. And
she's once again tied to her home computer, since she can't install
Toron a public machine very easily. Most worrisome, though, she
discovers that Tor sometimes stops working. Evidently, her ISP is
starting to block some Tor routers – when Tor tries to use a
blocked router, she can wait for minutes at a time, but doesn't get
the webpage she's requested.
STEP
SIX - MIXMASTER, INVISIBLOG AND GPG
Surely
there's a solution to the blogging problem that doesn't involve a
proxy server, evenone as sophisticated as Tor. After spending quite a
long time with the local geek, she explores a new option: Invisiblog
(http://www.invisiblog.com/). Run by an anonymous group of
Australians calledvigilant.tv, it’s a site designed for and by the
truly paranoid. You can't post to Invisiblog viat he web, as you do
with most blog servers. You post to it using specially formatted
email, sent through the MixMaster remailer system, signed
cryptographically.
It
took Sarah a few tries to understand that last sentence. Eventually,
she set up GPG (http://www.gnupg.org/) - the GNU implementation of
Pretty Good Privacy, a public-keyencryption system
(http://en.wikipedia.org/wiki/Public-key_cryptography). In two
sentences: Public-key encryption is a technique that allows her to
send messagesto a person that only she can read, without her needing
to share a secret key with you that would let you read messages other
people send to her. Public key encryption also allows people to
“sign” documents with a digital signature that is almost
impossible to forge. She generates a keypair that she will use to
post to the blog – by signing a post with her“private
key”, the blog server will be able to use her “public key” to
check that a post iscoming from her, and then put it on the blog.
(see also the chapter on “How to ensuree-mail is truly private”)
She then sets up MixMaster,
a mailing system designed to obscure the origins of an email message.
MixMaster uses a chain of anonymous remailers – computer programs
that strip all identifying information off an email and send it to
its destination – to send email messageswith a high degree of
anonymity. By using a chain of 2 to 20 remailers, the message is very
difficult to trace, even if one or more of the remailers is
“compromised” and is recordingsender information. She has to
“build” MixMaster by compiling its source code, a project that
requires a great deal of geek assistance. She sends a first MixMaster
message to Invisiblog, which includes her public key. Invisiblog uses
this to set up a new blog, with the catchy name
“invisiblog.com/ac4589d7001ac238” - the long string is the last
16 bytes of her GPG key. Then she sends future posts to invisiblog,
by writing a text message, signing it with her public key and sending
it via MixMaster. It's not nearly as fast as her old style of
blogging. The misdirection of MixMaster mailersmeans that it takes
anywhere from two hours to two days for her message to reach
theservers. And she has to be very careful about looking at the blog
– if she looks at it too often, her IP address will appear in the
blog's log frequently, signaling that she's likely tobe the blog
author. But she's reassured by the fact that the owners of Invisiblog
have noidea who she is. The main problem with the Invisiblog system
is the fact that it's incredibly difficult for most people to use.
Most people find GPG a challenge to set up, and have difficulty
understanding the complexities of public and private keys. More
user-friendly crypto tools, like Ciphire, have been set up to help
the less geeky of us, but even they can be tricky to use. As aresult,
very few people – including those who might really need it – use
encryption formost of their email. MixMaster is a true technical
challenge for most users. Windows users can use an early DOS version
of the program by downloading it here: http://prdownloads.
sourceforge.net/mixma er/mix204b46.zip?download. I downloaded and
tested it, and it doesn't appear
to work... or perhaps my email is still being remailed back and forth
between remailers. Anyone wanting to use the newer version, or
wanting to use the program on Linux or Mac, needs to be able to
compile the program themselves, a task beyond many expertusers. It's
possible that Invisiblog would become more useful if it accepted
messages from web-accessible remailers, like riot.eu.org but for now,
I can't see it as being particularly helpful for the people who need
it most.There are other problems with strong encryption in repressive
countries. If Sarah'scomputer is seized by the government and her
private key is found, it would constitute strong evidence that Sarah
had authored the controversial blog posts. And, in countries where
encryption is not widely used, simply sending out MixMaster messages
– mailmessages wrapped in strong encryption – might be enough to
cause Sarah's Internetactivity to be watched closely.
HOW
MUCH ANONYMITY IS ENOUGH? HOW MUCH HASSLE IS TOO MUCH?
Is
Sarah's solution – learning enough about cryptography and software
to use MixMaster your solution? Or is some combination of steps 1-5
enough to let you blog anonymously? There's no single answer. Any
path towards anonymity needs to consider local conditions, your own
technical competence and your level of paranoia. If you’re worried
that what you're posting could put you at risk and you're capable of
installing it, posting to a blog through Tor is a very good idea. And
remember not to sign your blog posts with yourreal name !
Ethan
Zuckerman is a fellow at the Berkman Center for Internet and Society
at Harvard Law School where his research focuses on the relationship
between citizen journalism and conventional media, especially in the
develop-ing world. He's a founder and former director of Geekcorps, a
non-profit organization that focuses on technology training in the
developing world, and was one ofthe founders of webhosting company
Tripod
Nessun commento:
Posta un commento