Speaker 1: Using the internet is kind of like walking to a mall, but much creepier. A mall is a private business that's open to public to do their shopping and to businesses to set up stores. When you use a website, it's kind of like walking to that store at the mall, except the store will now know your home address, whether or not you decide to buy anything. They will know your identity and employ agents to track down who you meet with and where you go as soon as you leave the store. The internet is a giant network of privately owned spaces open to public, where every participant knows the exact identity and location of one another, and where corporate stocking is perfectly legitimate business model. Somehow the society decided this was completely fine. So now it is okay for insurance companies to raise your premiums based on what you buy at a local grocery store, or consider you a low-value customer based on the neighborhood you live in. If you're not okay with automated decisions being made about your every move, you should consider getting an anonymous identity. Anonymity is the most powerful mitigation strategy on a publicly observable network such as the internet. It is the most direct path towards privacy. Anonymity isn't necessarily concerned with keeping your activities confidential, rather it is to hide the link between whatever activities you do with your real-life identity. This guide will tell you exactly what you need to know and do in order to create and maintain your very own anonymous identity. The internet is a privacy nightmare because every action is by default identifiable and linkable. That means actions always lead to a unique location and or account on the network, and actions can build a profile over time. Linkability and identifiability are your biggest privacy and anonymity threats on the internet. For maximum anonymity, both of these threats need to be mitigated to the fullest extent possible. This means in order for us to achieve anonymity, every action we take and service we sign up for must meet very specific criteria according to our threat model. In order for a service to be unlinkable, it must allow us to use one-time credentials and we must never reuse these credentials. The credentials must not be used by the provider to track or log our behavior, especially tracking of our behavior outside of our anonymous identity. No real personal data should be submitted throughout the entire use of the service. The service must work even on an anonymous overlay network such as Tor. Providers of our services shall not share our data with third parties in a way that can lead to our identity. They should retain as minimal data as possible and keep no identifiable logs. It must be impossible for a future party to retrieve targeted data. Linkability can lead to identifiability, which can lead to severe privacy violations. To mitigate identifiability on the internet, you have to know and do the following. One-time credentials are not enough if they can identify us. The service we use has to support anonymous credentials. Pseudonyms, nicknames, aliases, random strings that have nothing to do with our real name or location. The service should not have any prior knowledge about us. If it does, we need to be extremely cautious and compartmentalize our identities. Account creation and use of the service must not require personal information and all content has to be encrypted with a key only the user can access. The service must be fully functional over an anonymous overlay network or by the very least a reputable VPN. The provider must not share our data with third parties nor acquire additional data from external sources that can help them link our profile to our real identity. The service should retain as minimal data as possible, keep no identifiable logs, and any retained data must be sufficiently de-identified. This is a very hard assumption to make, so we should give the services as little functional information about us as legally permissible. And lastly, it must be impossible for a future party to retrieve identified data, which means we have to carefully read privacy policies of our services to know how much of the harvested data could lead to our identity. Don't worry, I am here with no life and friends and I love nothing more than spending a portion of my life reading privacy policies to bring you this tutorial for free. Speaking of which, I am going to lay out some very specific services I recommend for this setup. I am not affiliated with or sponsored by any of these, so there is no financial interest that could taint my advice. YouTube, on the other hand, has rewarded my efforts with the lowest ad revenue yet and in a community guideline strike as a bonus. They deemed my new private tutorial, out of all things, dangerous and harmful with no reason as to why. It was a video that taught people how they can watch YouTube videos with Google ads and trackers completely for free. Now that video was deleted by YouTube. Think of that whatever you will. It is extremely rare to find content that isn't sponsored or affiliated. I think relying on a direct user support is a much more ethical business model. So if you find any value in what I am doing here, please support me on Patreon.com slash the hatey one. I know these self-promotion plugs are annoying, so if you do sign up for my Patreon page, you will be rewarded with over 100 Patreon-only podcast episodes and will get text versions of all of my new videos and tutorials. Thank you. So now let's mitigate all of the linkability and identifiability threats to our anonymous identity. Our first step with any service will be to dissociate our account details from our personal information. Most common account identifiers are phone numbers and email addresses. We need to count them into threat hotspots, even if they are used just to confirm human verification to prevent spam accounts. I'd advise against using any service that requires a phone number because it is going to be very difficult to create and burn new anonymous identities on as-needed basis. Phone numbers can be obtained anonymously, but you have to be in the right jurisdiction and know how to get an anonymous phone. If you live in a country where you can't get a prepaid SIM card without submitting a government ID, you should avoid a service that requires a phone number. We will talk about those in a bit. If you can't obtain a SIM card without an ID registration, you need to purchase not only a new SIM card, but also a new phone device. The purchase, activation, and all use of this anonymous phone is only allowed to happen far enough away from your home or work address. If you insert a new SIM card into your personal phone, your phone's carrier will immediately recognize your phone's unique IMEI and it will associate the new SIM card with your personal identity and location. This is why you need both a new SIM card and a new device. Any cheap one will work as long as you pay in cash in a physical store. I have an in-depth tutorial on how to be anonymous in the streets that is extremely relevant to this scenario if you need to obtain an anonymous phone number. Don't trust voice-over IP services as these aren't anonymous nor private. They're mostly good at preventing spam abuse, but the voice-over IP providers don't allow anonymous accounts with numbers that actually work. For pretty much any service that we're going to recommend here, voice-over IP numbers won't work for account verification. An anonymous email address, on the other hand, will serve us extremely well for multiple use cases. For our benchmark, we want a provider that allows us to create a service with no identifiable credentials, no personal data, and permits account creation over the anonymous Tor network. This is necessary to prevent our ISP from knowing the websites of our service providers and to prevent the websites from knowing our true location. The most often recommended free private email is ProtonMail, unfortunately too many times with an affiliate link. This is a problem because if you attempt to create a ProtonMail account over Tor, you'll be slapped with a request for human verification by an SMS or an external email address in a lucky scenario. A third-party catch request or an external email will likely be required even if you use a VPN. For this reason, I actually don't recommend that you start with a ProtonMail account for anonymity. We should start with another free email provider that is much more suitable for our intentions and use it to sign up for other accounts, even ProtonMail. This other private email is Tutanota. Based in Germany, this much less known email provider is also encrypted but permits account creation over Tor. The only caveat is that you might get your account suspended for 48 hours if you exit from a node that got flagged for abuse. However, in most cases, you should just be able to wait it out and your account should be fully functional then. I have tested this many times and I always got my account automatically approved. If you create an account over a reputable VPN, it is very rare to get the 48-hour suspension. You can create your anonymous account in one of two ways. Both of these matter depending on your setup. If you want to create an anonymous account on your personal device, I recommend doing it through the Tor browser. First, download Tor into your phone or laptop from the official app store or torproject.org. Then go to mail.tutanota.com and follow the instructions to create an account. To make unidentifiable and unlinkable credentials, I recommend creating a unique username-password combination with a password manager. I use KeePassXC because it doesn't need an account to create a database. It is not advised to use a proprietary password manager, especially those that come with your platform such as Apple or Google or your web browser, because you don't want these platforms to track what websites you create accounts for. Use your private password manager to generate a unique string for the username as well as for the password to create credentials that are truly random and unlinkable to you. When you finish this setup, your account will either be opened immediately or you will be slapped with the 48-hour suspension. If you don't want to wait that long, I recommend creating an account over a VPN that you purchased anonymously. The only two I'd recommend are Mulvat or iVPN. You can speed up the registration process if you opt for a paid account and use Bitcoin or Monero to obtain an anonymous gift card for Tutanota. Now with your account created, before you do anything else, set up second-factor authentication. Go to settings and add a new 2FA method. If you have a FIDO authentication key, this is a superior method. Alternatively, you can use an authenticator app such as Aegis to generate one-time passcodes for your second-factor. I'm going to mention 2FA here only, but remember to enable second-factor authentication for all of your current or future accounts. Now we can use our Tutanota account to sign up for other services anonymously. If you want to get an anonymous ProtonMail account, just follow the steps for account creation and use your anonymous Tutanota email address for human verification. There is a more secure way of creating these email accounts, but this is where you really need to walk the extra mile to protect your anonymous identities. If you use a native mobile app on an up-to-date phone, you will be in a much more secure environment than a browser on a laptop. There isn't enough space to discuss all the details why that's the case, but what's most important is that apps on your phone are properly signed and trusted on first use. This means it will be impossible for a threat actor to serve you a malicious client to decrypt your messages unless they send you a malicious update. That will be extremely difficult to do without full compliance from the provider. On a web browser, a website will send you code unsigned dynamically, which means every time you sign in, you are trusting the server isn't compromised or malicious, and there is no accountability even in case of malevolence. The problem with mobile apps is that you have to do a lot more to anonymize your account creation. By the very least, you should route your app traffic through Tor. This can be done with Orbot. When you install Orbot, launch it in select VPN mode and choose your Titanota and Protonmail apps. This will route their traffic through the anonymous Tor network and hide your location. You should Torify the traffic for all of your anonymous accounts you will later intend to create. If your intention is to create an anonymous account that can't be linked to your personal activities, you should create a separate user profile where you install these apps from scratch. I recommend doing this on GrapheneOS because this setup is the most secure and private, and user profiles are more isolated on GrapheneOS than anywhere else. Your phone will also be completely de-googled, giving you total control over what apps have access to what types of your data. The second best option is to create a separate user profile on a stock Android phone, but this isolation isn't going to be as strong as on GrapheneOS. The third best option is through work profiles, which can be done with an app like Shelter, but that's again on Android. iPhones don't offer profile separation features, and it is virtually impossible to verifiably isolate profiles on iOS with any tool. I recommend getting a new device or switching to GrapheneOS. A mobile setup is actually recommended if you also need to maintain high security and could have your anonymous identities targeted. It is important that you download these apps as anonymously as possible. Strong anonymity can only be achieved on Android by downloading apps from the Aurora Store or FDroid instead of the original Google Play Store app. Aurora will let you download Android apps without a Google account, and if you do this in a separate user profile over Tor or a VPN connection, it can actually be completely anonymous. Now that we have anonymous email accounts, we can take this to another level by creating one-time email aliases. There is a range of options to choose from, both paid and free ones. With your anonymous Tutanota and or Protonmail accounts, you can sign up for a free email alias service. You have two options again, AnonAddy or SimpleLogging. They are both similar in their offering of free and premium accounts. Here is an important note about email aliases. Service providers will have access to your email metadata and message content. That means they will be able to correlate what you use each email alias for. If there is any personal data flowing through these email aliases, the providers will be able to see it. The point of email aliases is not to use them for confidentiality, but rather as throwaway addresses you can give to services you don't care about in the long term. If you want to go for a paid option, it might be most useful to purchase email aliases directly from Tutanota and Protonmail. You will have to subscribe to a paid plan for a monthly fee to get more aliases. If you are going to do this, don't provide any personal billing details. This means no PayPal, debit card, or bank transfers. They are completely out of the question here. Protonmail accepts cash, and Tutanota accepts Monero, an anonymous cryptocurrency. I recommend Tutanota with Monero as this is the fastest way to upgrade your anonymous account. I don't recommend Bitcoin for anonymous payments as Bitcoin is actually publicly traceable and companies are paid money for chain analysis. Chain analysis means they can track down movements of every single Bitcoin transaction. It is more private to send cash or use Monero. You can generate a new email alias for every specific use case. All the emails you receive will be in one unified inbox. This setup is useful if you want to compartmentalize your online accounts that you intend to run for the long term. What you can do with an email alias service is to have a unique alias for each new anonymous account you create for other services. There is a number of services worth trying to create an anonymous account for. Some services will meet all of the prerequisites to mitigate all linkability and identifiability threats. Commonly anonymous accounts for real-time communication are Briar and OnionShare. It is unlikely your contacts will already use any of these, so you will need to find a secure way to communicate your new details with them. For Briar, you can send your address to your contacts in an encrypted message with your anonymous encrypted email address. If you and your contacts both have Signal, then you can send your Briar address in a disappearing Signal message too. OnionShare is interesting because it allows you to create ephemeral chatrooms that will be hosted anonymously on the Tor network and will completely disappear once you close them. All you need is to start a chat server and share your public address and a private key with your contacts. Your contact only needs to open this link and enter the private key from the Tor browser. No accounts are needed for OnionChat. Wire is another messenger that can be downloaded and used anonymously. It is available on Android, which means no Google Play is required, and it allows email aliases as well as anonymous sign-up over the Tor network. Wire is targeted primarily for corporate clients, but if you intend to use it individually, then it is highly recommended to use it completely anonymously, always over the Tor network with a randomly generated username-password combination in the password manager and with anonymous email alias. Matrix is another great service that can be used for messaging, voice calls, group chats, or chatrooms. There is a popular Matrix client called Element that can be fetched from any popular app store, including Android, which means it can be installed anonymously. The whole account creation and usage process work with no issues over Tor. This makes Element a very solid choice for anonymous encrypted communication. When it comes to social media accounts, using Tor or a VPN for account creation might get your accounts flagged and suspended before you even get to use them. You might try your luck and score occasionally, but in many cases, you just won't be let through without providing a phone number. If you need to create an anonymous social media account and no VPN connection works without asking you for a phone number, then try a public Wi-Fi somewhere that's not associated with your work or home address. I tested the fully anonymous setup, which includes routing full device traffic through Tor and using anonymous email aliases, and I've had my success with Twitter, Reddit Wire, Matrix, and Nextcloud. Google and Facebook will be a lot more cautious, but you might get lucky. Apple ID is now impossible to get without a real phone number, period. Dissociation and isolation of your anonymous identities are not the only steps to keep your anonymity. Be extremely cautious of what types of data you submit to these services while using them. Always think of the linkability and identifiability threats when using these accounts. You must not give these organizations any reason to think your anonymous accounts can be linked to your personal identity. That goes for the patterns of behavior, such as the times you're logging in and log off, as well as any data they collect. How you use pseudonymous accounts will over time build up a reputation. Be prepared to burn your pseudonyms whenever necessary. That means completely deleting your accounts and sending a request to delete associated data. In cases of extreme sensitivity, you might even need to wipe or destroy your whole devices. But for now, this will have to conclude the chapter on anonymous identities online. This tutorial would not exist without the help of my direct supporters on Patreon.com slash TheHatedOne. If you just donate any dollar amount monthly, that will already help tremendously. Share this tutorial with your friends, and until next time, have a good one.