How to hide from the State’s Big Brother? Snowden’s method to use

 Image source - news.cgtn.com

The article also discusses Edward Snowden's methods to help you stay anonymous on the Internet. For example — using the Whonix distribution kit ensures user anonymity.

This article also:

• a practical guide for computer users;
• a practical guide for political activists and public figures on how to preserve their data and anonymity on the Internet.

Disclaimer

The article discusses the technologies used to protect your data and confidential information on the Internet. All presented information here is to inform PC users and political activists about information security measures. The author of the article does not in any way intend to harm or offend users and politicians.

If you suddenly need to hide from the state, there will be no time to think. How should you proceed to guarantee yourself complete anonymity on the Internet and in life? Read more about the methods of successful disappearance and the methods of Edward Snowden in our article.

“The issue of privacy is a serious problem because only privacy allows us to freely decide who we are and who we want to be.

Edward Snowden.

There is a common opinion that one cannot trust anonymous people because they do not risk their reputation, which means they can be provocateurs and aggressors. That could be indeed the case. However, the world has sunk into the era of totalitarian states, and freedom of speech is now increasingly punishable.

Political activists, public figures, and any not indifferent people cannot fully talk about their rights; therefore, they have to hide behind the mask of an anonymous person. For getting their freedom back, people are forced to act not according to the rules. Security prevention is an opportunity to preserve your dignity and the right to self-expression.

Techniques for hiding from the public

Right now, you are holding in your hands a thing that can be your assistant and, at the same time, an executioner — your smartphone.

The phone knows everything about you: your location, interests, hobbies, correspondence, bank accounts, Face ID, and even how your dog looks. These are a kind of beacon that records your every step. It is naive to believe that your data is not on the Internet.

What you see on search engines is just the peak of the iceberg. For an additional fee, all information about you can be found in the DarkNet databases. Law enforcement agencies and government services have free access to the “black” Internet, where you can find almost any information about anyone.

Smartphone and SIM card use

Possessing equipment that supports Internet access and cellular communication, you can forget about anonymity. Therefore, the first thing you should do if you want to disappear without a trace is to get rid of your smartphone.

Better yet, send it by courier to the other end of the country, as far away from you as possible. The next step is to purchase a new "clean" SIM card that has nothing to do with you or your environment.

It is better to purchase such a SIM card in advance because, in emergencies, you will not waste time looking for a new number.

• Do not insert a SIM card into a smartphone that you have already used before.
  Any phone has a unique IMEI code.
  When you insert a SIM card into the phone, this code is registered in the base of the cellular operator. Direct connection between the owner of the phone number and the smartphone creates additional traces of you.
  It doesn't matter how many times you change your SIM card — the phone will always be associated with you.
• Do not switch on your new smartphone with a new SIM card at home or in places where you are most often.
• Do not, under any circumstances, turn on your new phone next to your primary smartphone or people with whom you communicate in everyday life. Otherwise, law enforcement agencies will quickly find you.
• Don't use Face ID and Touch ID as a way to unlock your phone.
  In this case, you leave your biological footprints, which are easy to replicate under specific conditions. Better to use the old but reliable method of locking your phone — a password.
• You shouldn’t use your date of birth as a password.
  Even such little things can betray your personality. Better to use a random set of numbers.

Bank account security

The next thing that you urgently need to get rid of is a credit card.

With the help of a bank card can also find out geolocation, track payment for public transport, and your usual route.

Remember that any transaction records your exact location. Stop paying Masterсard Contactless and shopping online. If you need to hide from the public, use only cash. To reach a highest level of paranoia, you can check banknotes for any non-typical markings and signs.

Any place where you do present documents is a threat to your anonymity.

Buying plane tickets, train tickets, or checking into a hotel room, you inform the state of your location. Don't make such obvious mistakes. If you want to become elusive, consider changing your passport details.

Data encryption

The third dangerous thing is your laptop, desktop, tablet or whatever else you are using to get an access to Internet. It is impossible to remain completely anonymous in the digital 21st century, but you can follow several rules to protect yourself from increased attention from government services.

• The first thing to look out for is data encryption.
  Do not forget that the password you used to log in does not protect your data at all. It is much more reliable to encrypt the whole disk because you can protect yourself from leakage of confidential information.
  If you are using Windows, use VeraCrypt for full-disk encryption. If you are using Linux, you hardly need additional protection, as the system's built-in tools are pretty good and reliable.
• Your computer password must be unique. Do not use dates of birth, phone numbers, or too light combinations of numbers for your password (for example, 111 is a weak password).
  Remember that each of your passwords must be unique. Otherwise, hacking into your mailbox, attackers will be able to gain access to the disk or messenger.
  One of a good choice is password manager application. The one popular in public community and commercial sector as well is KeePass.
  It is available on all operating systems, encrypts your data with open, proven algorithms, and stores keys locally. Never use the cloud to store passwords and personal information — it is non-secure.

A Whonix distribution that provides anonymity on the Internet

So you've encrypted your computer. What to do next? If you are coordinating on a network, then it is better to use two different computers: one for your daily work, the other for activities that can be used against you.

Regardless of the purpose of your computer, install Whonix, a special Linux distribution designed to compartmentalize Internet traffics through the Tor browser. It is one of the systems that Edward Snowden used when he was hiding from the NSA. Thanks to Whonix, even the indirect fingerprint you leave on the web will be confusing enough.

To use this system, you first need to install Virtual Box, a visualization program for operating systems.

Image source – virtualbox.org

Whonix installation process

1. To do this, go to the official VirtualBox website. The installation process will take about a minute: you need to unpack the downloaded archive and follow the further instructions of the installer.
2. Next, you need to download Whonix by selecting the appropriate operating system.
   
   

   Image source – whonix.org

   Image source – virtualbox.orgThe peculiarity of Whonix is that the program presented not as an installation file, which is used to install the operating system, but as an image of a fully configured virtual machine with the operating system installed. And there are two such images: the first is Whonix-Workstation, the second is Whonix-Gateway.

   Whonix installation is virtually the same across operating systems as the VirtualBox software is identical across all platforms. We will demonstrate installing Whonix on macOS; however, Windows or Linux users can easily install Whonix by following our instructions.

   Whonix is installed in two steps: installing Whonix-Gateway and Whonix-Workstation.

3. As you have downloaded the Whonix installer file, do not open it immediately. First, start VirtualBox and select the File — Import Configurations option.
   
   

4.  Next, specify the path to the installer file.
   
   

   Since the downloaded image file is a ready-made virtual machine with an installed operating system, all the virtual machine parameters (allocated RAM, disk size, etc.) have already been set.

   The program will only inform you about the number of allocated resources.

5. You need to activate the Generate new MAC addresses for all network adapters option. This function allows you to make any settings of the main PC network card without losing the connection of the virtual operating system with the Whonix-Gateway.
6. Then click Import. You need to accept the terms of use and wait for the import to finish.
   
   

   Whonix-Gateway and Whonix-Workstation will appear in the list of virtual systems.

   

   First, you need to connect the server machine — Whonix Gateway. It is the server machine that connects you to the Internet.

7. Before connecting, the application will notify you of the terms of use. The second, Whonix-Workstation, is the workstation that you will be using. Each connection will take a little over two minutes on average — this is normal.
   

   After connecting to the Tor network, before using the server, we recommend opening a terminal and updating the internal files with the sudo apt-get update command.

   

8. You can use the default password “change me”. Next, we recommend changing the password with the passwd command, choosing a certain combination of letters.

   Please note that characters are not displayed in the terminal as you type — this is normal. This password needs to install software and make changes to system settings. You will rarely use this password, but your system becomes vulnerable to attackers if you do not change it.

   Never use a server virtual machine to access the network!

9. When connecting to a workstation, you need to follow the same recommendations for the server machine: start the terminal, update internal files and change the password.

After completing all the instructions, you will find yourself in an anonymous environment: not only the browser but all your connections are protected in the Whonix system through Tor. You will become as anonymous as trivial methods can achieve.

To maintain this anonymity, in no case connect to personalized accounts from an anonymous environment.

What does it mean?

Let's say you logged into your work mail and anonymous channel from the general Whonix session. It is the point of association. Now all the traffic that you with such difficulty hid can be analyzed. The mail you just entered can be tied to your real identity.

Please note: this rule also needs to be observed offline — in your real life. If your real and virtual personalities touch at some point, expect trouble.

So, the main rule of identity protection is not to confuse your real and fictional identity. But what if you need to be pseudonymous for your work? Anonymity and pseudonymous activity differ in several ways. So, anonymity assumes that it is enough for you to commit some one-time act.

Pseudonymous activity is creating an alter ego, in other words, an alternative personality to which you plan to return for an extended period. This is much more difficult because the human factor significantly increases the likelihood of making a mistake.

Practical application of the ProtonMail mailbox

The most apparent mistake when creating pseudonymous accounts is renaming your old accounts. As stated earlier, a phone number required when creating social media accounts. Even if you rename your Twitter or Facebook profile, it is the phone number that will reveal your real identity.

To go unnoticed, you need to start from scratch: create a new mail for a pseudonymous account. We are recommending to use ProtonMail.

Image source – protonmail.com

For essential registration, ProtonMail asks for a small Bitcoin donation or activation via another mailbox. There is a wide variety of disposable mailboxes, some of which are blocked by Proton, but new mailboxes appear every day.

It is safer to use a disposable e-mail account to receive activation codes.

Follow our instructions to use your ProtonMail inbox.

1. When registering, choose a free plan.
   
   

   Image source - protonmail.com

2. When registering a new mailbox, we recommend using the Swiss prefix (photomail.ch).
   
   

   Image source - protonmail.com

3. When registering, in any case, do not specify a spare e-mail to restore your account. When you create a mailbox, you will be asked to verify your identity.
4. To do this, you need to select a temporary mailbox for yourself in the DuckDuckGo search engine.

   We advise you moving to the second line of the search engine, as the mailboxes offered on the first page may be blocked.

   A confirmation code will be sent to the specified mailbox.

5. If you followed our instructions, you are going to have a secure mailbox for conducting pseudonymous accounts.

   This mailbox is in no way tied to your real identity, computer, IP address, and social networks. You are going to confuse any system trying to follow you!

Next, you need to create an account on a social network or messenger, for example, on Telegram. Most of the existing social networks ask for a phone number when registering: you use your real SIM card under no circumstances! Some services are anonymously selling phone numbers to receive activation codes.

Contrary to the myths about the anonymity of Bitcoin, it is completely insecure. Moreover, every Bitcoin transaction is permanently recorded on the blockchain and is easily traceable.

By using Bitcoin, you are very much at risk of your anonymity. To be on the safe side, transfer Bitcoin to Monero. It is an open-source cryptocurrency created exclusively for anonymous monetary transactions.

Unlike Bitcoin, Monero uses the CryptoNote protocol, which obfuscates transactions. You will pay just a little for transaction, but you will be able to protect yourself.

Today, only Monero is a virtually invulnerable cryptocurrency, as its transactions cannot be traced. You can create a pseudonymous account on Twitter, Telegram, or any other social network by purchasing a number.

General guidelines for the protection of personal data

On the technical side, you have entirely secured yourself and your anonymity. The only risk that can threaten you is yourself. Do not forget about the human factor because it is mostly just ridiculous mistakes that lead to negative consequences.

To protect yourself from potential problems, follow these simple guidelines:

• do not answer secret questions with any real set of data – they can be easily hacked, if the service was breached. If the online service insists on using secret questions, enter a random set of letters and numbers into the line;
• cover your laptop when entering a password or any other confidential information;
• we do not recommend using the Google search engine — use DuckDuckGo instead. Remember that absolutely everything that you have entered into Google at least once will remain there forever;
• do not use two-factor authentication if you need to bind to a phone number because anyone who gets access to the number will be able to log into your account. It is a little bit controversial, but anonymity is not always easy and goes along with generic security recommendations;
• do not log into a pseudonymous account from your public IP address. Buy a good VPN, e.c. NordVPN, and use it together with kill switch on all your devices;
• remove metadata if you upload photos, videos, or other data to the network;
• do not disclose your passwords, CVV-codes of bank cards, and any confidential information to any of your friends as a backup;
• bank employees and other authorities will never ask for your data by phone or SMS;
• do not react to fraudsters' tricks and immediately delete such spam;
•  do not follow suspicious links from the Internet and do not visit sites with expired SSL certificates. 

We recommend using the MAT: Metadata Anonymisation Toolkit to remove metadata.

Remember that your anonymity is only in your hands. Some attackers can use social engineering.

Conclusion

It can be difficult for people to keep up with technology, but if we aren’t holding our fingers on the pulse, the consequences can be disastrous. Tens of thousands of people fall victim to hacker attacks and fraudsters every year.

Phone numbers, bank accounts, and other personal information can be made public in no time if you doesn’t take good care of your cyber hygiene.

We urge you to know and respect your rights, take care of your information security and, if possible, protect your loved ones — older people who find it more challenging to preserve their confidential information in the digital age. Share basic guidelines with your parents and older relatives.

We wish you to remain anonymous and elusive!

Dear readers, we hope that this article was informative and valuable for you. Share if you use any methods to protect your data on the Internet?

If you think, some anonymity methods were missing here, please let us know in comments.

Author

Darina Shramko

Cybersecurity specialist and researcher.