Privacy: What you write, save, listen to, visit is to be known only to you and those with whom you share. 3rd parties are excluded unless by invitation.
Anonymity: Someone may know A Person wrote, saved, listened to, or visited something, but does not know who it was.
Security: The stuff you save and the systems you use are protected against compromise or intrusion.
There’s a 4th leg to this stool, but it’s usually not the main point, so it is often ignored: policing, detection, and characterization of failures in maintaining Privacy, Anonymity and Security. Intrusion Detection tells you when you need to fix things, and what risks you now have on you. It will come after everything else.
Many folks confound Privacy with Anonymity. They are VERY different things, and the methods used to attain them are also very different. Just be aware of that for now. I’ll attempt to flag just which thing is achieved at each step, and which thing is compromised to some extent. I won’t always be complete or accurate, as things change.
Clearly, if your Security is breached, your Anonymity and Privacy are out the window. For that reason, the most emphasis goes into a Secure System and Secure Operations. The most secure system is worthless if folks do dumb things like leave the password written next to the terminal, or run an insecure application on top of it.
For example, many Web Pages are just full of things to suck information about you out of your computer or phone. So be very sure that you just don’t do Dodgy Things on them. Note that some of THE most common applications run are in the business of spying on you, violating your privacy, and preventing anonymity. Log in to read news? It is stealing your identity information to some extent. Use Google Maps? It is tracking where you are interested in going, and possibly even when. Use WiFi at a Starbucks 1/2 way down that trip, to get a google map update? You just confirmed you are on that trip. Your behaviour matters more than anything else.
Changing habits and behaviour is not easy. It will be the most trying thing about all of this.
There are some “Chicken & Egg” problems in gaining Anonymity, especially. To do just about anything, you need some form of payment, or a physical address, or an email address. ALL of these attempt to track you, often by law. In some countries it is illegal to do some of the things that are legal where I am, so be aware of your laws.
I ran through trials of some of these steps as I have, for a long time, been a White Hat doing various security functions with computers and networks. In order to know how to catch Black Hats, it is helpful to know what they do (and where they might fail). So yes, I’ve done some of this myself. I’ve also found that in several cases I did them in a less than optimal order, or flat out screwed it up in some way. Don’t be afraid to have a “Do Over”. Sometimes a 2nd pass not only fixes mistakes, it provides an opportunity to clean up the trail even more.
Realize, too, that as I was doing this to find those places where I could “Catch A Bad Guy”, my purpose had me doing things as much as possible in the way that a criminal might want to do them. I did find many opportunities to ‘catch folks’ in the errors I made. But then didn’t really care about the errors for my own personal use. For you, you might care a great deal so will benefit from my observations, or more likely, I’m doing “way overkill” and all you really need is 1/5 what I did.
Realize, too, that I was “on the road” living out of a hotel for 1.6 years, so some of this was needed just to function locally. Like a mail box and a local bank. Since I was doing it anyway, why not make it fun?
Choose your level of action to match your actual needs.
A Mail Box
Having an address at a mail service foils folks doing a “Google Street View” of your home. It provides some address anonymity for you. Also some physical security as folks can’t read your Facebook post from your vacation, look at the check you wrote to them, pick off the address, and have some friends go boost your place. They wind up looking at a mail box service store.
This also matters later for things like getting a DNS record for your own “Dot Com” address or other IP Address Registration. At least at one time the address you used was in the public record and anyone with Linux could find it. (I hope that has changed, but I’ve not looked in decades).
OK, one example screw up. I opened a Mail Box. You must give a form of payment, and a phone number, and a real residential address. It was not always this way, but a law some decades back changed that. I had a pre-paid debit card and cash for payment, but was not ready for the phone number. Handed over my real one (as it was a learning experience, NOT a real need). The physical residence address thing is hard to get around. Even if you do it in two steps, one box, then another one using the prior address, then drop the first box, there’s a paper trail with the USPS. I suppose you could rent a room in a flop house for cash for a month, but I wasn’t willing to go that far. Already having a “burner phone” at this point would help a little.
Pre-Paid Debit Card
Note the statement about pre-paid debit card. I got mine at Walmart for cash. It had an option to get one with my name on it, mailed to me, so I did. During that process it plays “20 Questions” with you to prove up your identity. (Where you lived before, prior work history or similar things that might be in public records). At that point, your form of payment has lost Anonymity. OK, I’m not THAT worried as I’m not dealing drugs nor a fugitive from the law. Just realize a Pre-Paid Debit Card will either have no information and be harder to use in some places (where they want to see a name on the card), or it will finger you. So, pre-paid card in hand, but NOT telling them who you are, you can buy some stuff with the payment trail incognito. Though if an online site asks for “name on the card” or your zip code, that kind of kills the buzz.
I use mine for small scale buys at places that might have the data stolen, and only load it up with maybe $200 at a time (and usually promptly spend at least half…) So for gas pumps and fast food joints, it’s great. IFF ever compromised, I might be out $20 to $100. My “main card” is only used at the Bank. There I use it only to take out cash. That cash is either spent directly, or put on the pre-paid card. In this way my bank history is separated from my purchase history AND any compromise of the buying card does not reach to the bank account. Annoying? A little, but not much.
After I got the Mail Box, I then also opened a bank account with that address. Now that Bank Account knows that address and it knows who I am (as you must show ID at the bank to get an account). However, now I can get that bank card with the box address. I also have a “Bank Statement” with that address which some folks accept as proof of address. FWIW, I also swapped the pre-paid card address to the box. At this point, more of my public record is showing me living in a box…
As my regular phone was slowly dying, battery good for a few minutes, power plug loose… I wanted a newer phone, and decided to play with the idea of a “Burner Phone”. I chose a “Tracfone”, partly as it was very cheap and partly for the pun of a non-tracking phone named “Tracfone” ;-) It is owned by a Mexican megabucks guy (Carlos Slim, I think…) and popular with drug dealers… You can get them at many places, from Walmart to Best Buy and more. There are other carriers too.
A ‘refill’ card can be bought at most drug stores and lots of other places too. I tend to get the $19 / couple of months card as I don’t talk or text much.
I’d intended to get the dumb ‘flip phone’ for $20, but they were all sold out everywhere when I was looking. Instead, for something like $58, I got a Samsung lower end ‘smart phone’ running Android.
Issue here is showing up on cameras in the store when you buy it, and if you don’t pay cash, your payment method will finger you. I was not particularly careful, so I’m on camera at a Best Buy using cash. (This will be easier with the mask mandate ;-)
They repeatedly try to get you to set up an account with automatic payments. I repeatedly decline.
Errors on my part:
I use this when my other phone craps out, or when in Florida as I selected a Florida number. Since I call the same “Family & Friends” with it, that calling pattern will identify me as me. To be really secret with Burner Phones, BOTH parties must have burner phones and they must not be used to call “your usual” contacts.
I often have them both on, and with me, at the same time. This creates a pattern of connections to cell towers and GPS locations that shows they are on the same guy. To do this right, when one is on, the other is off (but don’t switch them at the same moment. Old one off, go somewhere else, new one on).
Android “Fingerprints” on things like WiFi SSIDs (names) you are around. I leave the WiFi on, even at home. I’m certain nearly nobody on the planet (with the possible exception of my spouse) has the SSIDs of my home WiFi AND my Florida Friend WiFi in their fingerprint. To properly use this, one ought to NEVER EVER activate the WiFi at home, work, or any other of your usual haunts. ONLY turn on WiFi when “on the road” somewhere far far away.
To do it all really really well, like for actual illegal stuff, you would use a Flip Phone, not the Smart Phone, and replace it with a new one every few weeks. But that wasn’t my goal. So I still have mine several years later.
The Next Steps
So, now that you have a Mail Box to hide your physical address, and a burner phone to hide your real phone number and location when using it, and a Pre-Paid Debit Card to isolate your banking information from your physical self and your real banking goods:
Now you are ready to do things like buy a computer, open accounts for VPNs, get a DNS registration and all the other Tech Stuff that will want a Payment Method, an Address, and often a phone number.
They will also want an email address. So your next step is to get what is essentially a “burner email” account. I use a free one from AOL. Why? Because AOL for a very long time (and probably still) had a reputation as being THE most non-tech address in the world. Used by Noobs and folks who were clueless. Where better to hide? So sign up for one of them.
DO NOT use it for anything at all that matters. Not family. Not friends. Not financial stuff. This is your SPAM Collector and JUNK Address. Have some other email address for real things.
Use this address for signing up for things like a VPN account or for places that demand you have an email to log in. (In theory, it would be better to have a few of these and isolate uses between them. So one used ONLY for ‘public comments’, another for “log in to account” where you don’t really want to log into an account, a third for VPNs and other accounts you care about, but want to isolate from your private self, and then a truly private email used ONLY with family and friends.) I’ve not gone that far as I’m lazy. But I likely will in my next address recycle. (My ‘open address’ is now so clogged with SPAM, Alumni notices, Political Party Nags (from both parties as I donated to both at one time or the other… Bernie and Trump… go figure…) etc. that it’s about time to diverge again.)
With email accounts in hand, and a pre-paid Debit Card, you can now move on to the next steps.
Get A VPN Account
To some extent, all the prior stuff was just building up to this point. Getting a VPN account. It is likely to want an email address, a form of payment, and perhaps even some kind of other contact information (address or phone number to validate payment method…). But now you have all those in hand. They just are not where you actually live, bank, or get email. 8-)
So sign up for that VPN account and move on.
Why a VPN? Because all the other on-line things you do will try to finger your location, harvest your IP Address, and more. The VPN will hide much of that, and your Pseudo-Me banking, mail address, and payment method will hide a lot of the rest.
Just WHICH VPN will be a subject for a future study / investigation. I was “in a park” in a coach so was, effectively, already ‘hidden’ and didn’t actually get a VPN at this step. Between my Hot Spot (bought cash at Walmart) and the RV Park net, I already had a couple of obfuscations. Then I also used Starbucks WiFi and the local library WiFi. Yeah, you could peg me to about a 50 mile radius, but just where?… So I need to do some digging. Reviews I’ve read so far put Express VPN up at good marks, and Bongino has them as an advertiser, so they are my #1 probable at this time.
What good is a VPN without a computer?
Well, you CAN use it with your phone, but I don’t treat my phone like a computer. One of my key behaviour things is to isolate usages. Do Not put a bunch of functions on one device. Too easy to then have a Bad Guy (perhaps even a TLA Officer who is acting as a Bad Guy) get all of it in one go.
So my phone does texts, phone calls, and weather reports and not much else. Oh, and Solitaire… I have other Apps on it, but really don’t do much else. Flashlight of a sort sometimes. A weather radar app.
For the Computer, a lot of folks are stuck on PCs. Intel & Windows. THE big problem with them is that the cost is so damn high. We’re talking $100s to $1000s of bucks. SO you only get ONE and you put EVERYTHING on it. Then hook it up to ONE network with ONE ISP and then wonder why it is so easy to finger you and what you do.
In the coach in Florida about 15? years ago was when I first got a Raspberry Pi. The original B+ model. Single processor, 700 MHz. Not a lot of memory. I hooked it up to the TV in the coach at the RV park with an HDMI cable, and used the park WiFi with it (via a dongle). I did, also, have an HP Laptop that was used at Starbucks, and at work, and on the road with the Hot Spot (an old G2 that was slow but worked – also bought with cash at Walmart and with a ‘data load card’ not an account).
That was when I started my slow path to Divergent Uses on different systems.
Over the years, the laptop died and I bought an HP ChromeBox (again, mostly just to learn about them and because I was in need of something QUICKLY as the laptop died, and cheap helped). The Chromebox has now hit EOL on support and moved to the “Someday put linux on it” pile. But what really took off was SBCs (Single Board Computers). I’ve got an unknown number of them now. Really. I’m just not sure. They are so damn cheap, I’ll buy one just to play with it. Some end up Daily Drivers for a while and used a lot. Others Hangar Queens, played with for a while, then set aside. What I THINK I may have:
2 x Raspberry Pi B+ (one of which died due to an unfortunate static experience. The ONLY death so far).
2 x Raspberry Pi Model 2 (prior to the processor upgrade). Still in use as proxy server and more.
2 x Raspberry Pi Model 3 used as desktops. This was the first one to actually be fast enough for use as a desktop for things other than most videos.
Odroid XU4 8 cores of 32 bits and in some ways my favorite.
Odroid N2 6 cores and faster ones, of 64 bits. A real hot board.
2 x Orange Pi One (a minimalist approach at $15 or so each, and not really that useful)
Somehow I think I’ve forgotten one or two… maybe…
The key point here is simple. For about $35 for the SBC, or about $50 all up, you can get a very usable desktop. Only if you want video is the Pi M3 not enough. At the $60 price point, you get more than enough performance. (I’m using the Odroid N2 right now and loving it. A72 cores are fast!)
Then, you can change “personas” (and system fingerprints) with a swap of an $8 uSD card. Even cheaper, you can use the same card and just save one image to a USB disk, restore a different one. One of my ToDo things is to just sort out all the system images I’ve used and saved. I’ve got 3 or 4 for each of my boards. Call it 15 x 3 and you get 45 of them. Then 3 on the PC and the tablet and the phone and… So somewhere on the order of “Fifty Me’s” exist as “fingerprints”.
If I can’t keep track of all of them, think Google or Amazon can?
Then I every so often do a complete re-install of the operating system and all that prior “Me” is lost. (Not to mention I have at least 2 logins on each of those systems…)
So “Good Luck” to anyone trying to find The Real Me.
My advice would be to not go that crazy. Get ONE SBC to start, likely a Raspberry Pi M4 as it is good enough for video and is a nice starter at about $35. Get comfortable with Linux. Buy a couple of 16 GB uSD cards so you can swap images easily and move on.
Now you have a simple and cheap computer that’s more than enough for email, web stuff, and even videos. You can have one “chip” (uSD card) for things like banking, another for buying stuff, a third for watching those videos the spouse doesn’t know about, another for blog visits, etc. 9-) of course.
But really, it’s easy. It’s cheap. It’s effective. AND, if you hide the “other” uSD cards well, during a TLA raid, they are not usually looking for uSD cards in the camera bag or under the begonia flower pot (or in a hole in the back yard, or on the dog’s collar, depending on what you do…)
Is this a bit of a workload and a PITA for some folks? Likely yes. For me, it was mostly playing and diversion but with some “work related learning” as I was doing Penetration Testing and similar cyber security work at that time. So was wondering “IF I find someone, how do I know who that someone is? How effectively can they hide?”, so went looking.
I’d relatively strongly suggest avoiding Microsoft anything, and Intel chip based computers. I’m pretty sure that they were compromised during the PRISM program years (when the USA Feds were trying to get backdoors into everything tech) and likely never stopped cooperating even after PRISM was outed and supposedly ended.
The Open Software Community has fought hard to maintain some degree of Privacy, Security (even against Government Agents and TLAs), and Anonymity. I’m still fighting that battle for myself, though at a low level as I’m mostly “out of the business” now. It is VERY hard to fight BOTH the Government TLAs and their laws (while complying with them), while also keeping the Black Hats out. Yet that is what we must do to have Anonymity, privacy, and security.
This is the first of many postings to come on this theme. I’m going to move, step by step, through a re-implementation of all of it (with the possible exception of the Mail Box and Pre-Paid card steps) with the intent of giving enough detail that a Noob can be relatively secure in things like buying a VPN, ordering a pizza, and maybe even leaving a conservative comment on a blog… without fear of a horrible reprisal.
Also realize that systems like TOR (The Onion Router) are not needed for The Basics. They may be needed after next week, but “We’ll see” what the future holds when it gets here. My general approach is NOT to defeat Law Enforcement. (Heck, I’m a Law Enforcement Eagle Scout…) But rather to provide insight into how a normal person, not violating laws or subject to investigation by TLAs, can have some modest protection against the Bat Shit Crazy nutbars like Antifa and others looking to “Dox” you and cause you grief for simply wanting to embrace the values that were the norm in 1960.