As we build up our series of ‘5 Best VPNs for’ different counties articles, one thing becomes very clear – for many people across the world, VPN’s most important function is to hide the identity of bloggers whose online views can lead to them being harassed, arrested, assaulted, and even murdered – be they political dissidents, human rights activists, LGBT campaigners or whatever.
The internet is a fantastic tool for facilitating free speech, even when it is otherwise discouraged or suppressed, and VPN, Tor, and other privacy/anonymity technologies can make it very hard to trace an online persona back to a real individual using technological means (when using VPN, always ensure you that are using both a service and servers based outside the legal jurisdiction and political sphere of influence of the authorities you are concerned about finding you).
There are however, because we are all human, more mundane method that can be used to deduce an online posters’ real-world identity. We therefore present some tips for maintaining your anonymity when posting on the internet…
1. Don’t supply information that only you would know
It may sound obvious, but human stupidity nature is the primary way people allow themselves to be identified (see the Ross Ulbricht example below). Even revealing information that is privileged to a group of people will likely narrow the list of suspects down considerably, something whistleblowers have to be particularly careful about, since the mere fact that they are revealing ‘inside’ information includes them in a small circle of people who have access to that sensitive information. Witnesses should likewise be extremely cautious about what they reveal if they wish to hide their identity.
2. Use multiple online personas
Having multiple online logins and usernames makes it difficult to piece together your online life. Most importantly of course, keep your posting identity (or identities) completely separate from any usernames, logins etc. you use for your ‘real’ life – don’t post under the same name you use for your regular Facebook account!
Even on a single website it may be useful to maintain separate identities when posting to different sections of the website. For example, if you buy Bitcoins through LocalBitcoins.com then you can make it more difficult for adversaries to identify you by using 3 completely different identities – one as a buyer, one as a seller, and one for posting on the forums. If you use another Bitcoin exchange, you could set up a whole new set of identities!
This can of course get very complex very quickly, but using a password manager such as the free and open source KeePass should make things manageable.
3. Tidy up you writing style
Everyone has a unique writing style, and the more unique it is the easier it is for an adversary to connect posts written under different pseudonyms together and connect them to a real world identity.
While it is very difficult to change your writing style (and in the case of bloggers who enjoy popularity precisely because of that writing style, undesirable), continued use of certain phrases, slang, the same number of periods after etc…, messy typing, repeating the same grammar or spelling mistakes, etc., are easy ways to identify you.
You should always therefore carefully proofread anything you post online, and try to remove as many personal writing quirks as possible.
4. Consider all factors
Do not underestimate your attackers – government agencies the world over are expert at analyzing targets’ online behavior, and will use all sorts of inference and lateral thinking to identify targets. Even if you follow all the advice above, the personality you project online may give you away, and the times you post at (even if masked using a VPN server located geographically elsewhere, for example) may provide clues as to your physical location. If the stakes are high, it pays to never be paranoid enough!
Ross Ulbrect – A case study
Ross Ulbricht was identified by the FBI as Dread Pirate Roberts, founder of Silk Road (‘the most sophisticated and extensive criminal marketplace on the Internet today’) thanks to a simple, and oh-so-easy-to-do mistake when forum posting.
On January 27, 2011, a poster going by the username ‘Altoid’ made a post on a forum for magic mushroom users,
‘I came across this website called Silk Road. I’m thinking of buying off it… Let me know what you think.’
A simple piece of self-promotion. Two days later ‘Altoid’ made another self-promoting post on the Bitcoin Talk forum,
‘Has anyone seen Silk Road yet? It’s kind of like an anonymous Amazon.com. I don’t think they have heroin on there, but they are selling other stuff’.
It was not until eight month later, however, that Ulbricht made the goof which led the FBI to his door when ‘Altoid’ made another (unrelated) posting on Bitcoin Talk looking for ‘an IT pro in the Bitcoin community’ to hire in connection with ‘a venture backed Bitcoin startup company’. Interested parties were asked to contact email@example.com.
Bang. Game over. Do not underestimate your opposition when you believe they may be out to get you, and do not make silly mistakes.
Interestingly, the court indictment shows that the Feds had also noticed the similarity between Ulbricht linking his public Google+ account to YouTube movies featuring the libertarian theories of Austrian School economist Ludwig von Mises, and Dread Pirate Roberts’ repeated crediting of von Mises for ‘providing the philosophical underpinnings for Silk Road.’
Furthermore, although ‘Dread Pirate Roberts’ used a VPN to hide his true IP address, records obtained by the FBI from his VPN provider allowed them to correlate the fact that Dread Pirate Roberts regularly used the internet at a café around the corner from where Ulbricht was staying, and that Ulbricht also signed into his regular Gmail account at approximately the same time, and from the same café as Dread Pirate Roberts.*
*Note that this is why we always recommend using a ‘no logs’ VPN provider, and if you are political dissident or similar, using a provider outside you country’s legal jurisdiction and political influence. Hong Kong is a great choice if in doubt, although (for example) an Iranian blogger should be fine using any European VPN provider (and servers located in Europe).