Online Anonymity for Researchers - The Simple Edition

Here is a simple guideline for researchers to establish a basic level of online anonymity for the purpose of disconnecting identity and physical location from research activity. 

Screen Shot 2016-04-08 at 17.53.04

What do you need? 

  • a prepaid credit card
  • an anonymous prepaid sim card

What level of anonymity will this guidance provide?

  • basic level, yet sufficient for most research activity
  • not at all suitable against state-level surveillance

What will this tutorial cover? 

  • creating both client-side and server-side anonymity
  • basic ideas about maintaining anonymity in online research

1) Getting a prepaid credit card

In some countries you can get prepaid cards from grocery stores, pharmacies and such. This includes US. If you can’t get one in your country, you can get one online. You find many options from Google. You should not put much more money in to the card than you know you will need. You might have to discard it. Once you have the card, it might be  good to buy some bitcoin using it (for paying VPN and other services where you want more complete anonymity).

2) Getting an anonymous sim card

You can get one easily from many countries. If you travel frequently, you can get it from a country where you can get it if yours don’t allow it. Many will work abroad as long as you activate it before you leave the origin country. Don’t ask others to do it. Never mix others to your activities.

3) Choosing the VPN that is right for you 

Choose one that is not known for spying on its users, data brokering, easily giving data to authorities, etc. Also make sure that it has a choice for the country where your Sim card is.  Don’t tell to others which VPN you use.

4) Use a random name generator to create your alias (name)

http://www.behindthename.com/random/
http://random-name-generator.info/

or for a little more fun:

http://character.namegeneratorfun.com/

5) Create an avatar for you new alias 

Most people use some kind of image as their avatar, which is usually a photo of a person, or something else “personal”. Profiles that follow this idea seem more legitimate. One way is to pixelate a photo of someone:

http://www.facepixelizer.com/

The other is to create an anime / game character:

http://avachara.com/avatar/
http://www.rinmarugames.com

The most important point is to NEVER USE SOMEONE ELSE’S PHOTO without making it completely obscure first. Never. Also don’t just take images online and then reuse it. Otherwise you expose yourself to reverse image searches with tools like:

https://www.tineye.com/

If and when you use an image, do make sure to use a meta-data scrubber. While it may be better to have a more comprehensive system designed for your operating system, you can get started with an online tool such as:

http://www.verexif.com/en/

6) Setting up your Browser

You can’t use Google Chrome because at the time of writing this, it still has the problem of WebRTC leak i.e. it will leak your actual IP under any condition, including one where you use a VPN. If you can make it work so that it doesn’t, then you could use it.

Once you’ve setup your browser with ad blocker (uBlock Origin seems to ok), check that your WebRTC does not leak:

https://www.browserleaks.com/webrtc#webrtc-disable

AdBlock Plus is not really an ad blocker, but adware, so don’t use that.

Very importantly, uninstall flash, java and silverlight. And no, you can’t replace the instructions on this guide by using Tor. Forget Tor, it just means you’re going to be flagged everywhere you go.

7) Creating an anonymous Google account 

Turn on your VPN to the country of your SIM card and create a gmail account with your new alias. Gmail account is a major trust factor in the internet. I can’t imagine why, but it is.

Usually the name you choose is not available as it is because somebody else is already using it. Extend it with the birth year you select, or something else that you would if you were really creating an email address for actual use.

Verify the account with your anonymous SIM card. Do not add an alternative email address.

8) Some additional points about anonymity 

Your cover can be blown at various levels:

  • network level > use VPN and WebRTC leak
  • router level > use strong password and keep your router up-to-date
  • device level > keep everything up-to-date, use strong passwords and change mac address
  • browser level > WebRTC leak block, ad blocking and uninstall java, flash and silverlight
  • persona level > read the guide again if its unclear
  • identity level > keep alias disconnected from persona

Network level in some cases leads to precise location, which is as bad as identity level. So using a VPN and preventing WebRTC leak is VERY IMPORTANT.

You can find the right way to change the mac address in your system from Google. Do that frequently.

If you think your persona and identity is mixed, drop the persona and create a new one.

9) Setting up anonymous server

AWS has many advantages for this kind of use,  but you could use any hosting provider. Some accept bitcoin, but are mostly the kinds of hosts that get flagged easily. If you have servers already, you can use AWS for tunneling or proxy between your target hosts and your own servers.

About the Author

botlab.io research team consist solely of volunteer cybersecurity, cybercrime and privacy researchers, and works tirelessly for the betterment of the internet.