Guide to Online Anonymity (by https://anonymousplanet.org/)

Use at your own risk. Please do not take this guide as a definitive truth for everything because it is not.
​

Spoiler: Table of Contents

• Introduction:
• Understanding some basics of how some information can lead back to you and how to mitigate some:
  • Your Network:
    • Your IP address:
    • Your DNS and IP requests:
    • Your RFID enabled devices:
    • The Wi-Fis and Bluetooth devices around you:
    • Malicious/Rogue Wi-Fi Access Points:
    • Your Anonymized Tor/VPN traffic:
    • Some Devices can be tracked even when offline:
  • Your Hardware Identifiers:
    • Your IMEI and IMSI (and by extension, your phone number):
    • Your Wi-Fi or Ethernet MAC address:
    • Your Bluetooth MAC address:
  • Your CPU:
  • Your Operating Systems and Apps telemetry services:
  • Your Smart devices in general:
  • Yourself:
    • Your Metadata including your Geo-Location:
    • Your Digital Fingerprint, Footprint, and Online Behavior:
    • Your Clues about your Real Life and OSINT:
    • Your Face, Voice, Biometrics and Pictures:
    • Phishing and Social Engineering:
  • Malware, exploits, and viruses:
    • Malware in your files/documents/e-mails:
    • Malware and Exploits in your apps and services:
    • Malicious USB devices:
    • Malware and backdoors in your Hardware Firmware and Operating System:
  • Your files, documents, pictures, and videos:
    • Properties and Metadata:
    • Watermarking:
    • Pixelized or Blurred Information:
  • Your Crypto currencies transactions:
  • Your Cloud backups/sync services:
  • Your Browser and Device Fingerprints:
  • Local Data Leaks and Forensics:
  • Bad Cryptography:
  • No logging but logging anyway policies:
  • Some Advanced targeted techniques:
  • Some bonus resources:
  • Notes:
• General Preparations:
  • Picking your route:
    • Timing limitations:
    • Budget/Material limitations:
    • Skills:
    • Adversaries (threats):
  • Steps for all routes:
    • Get an anonymous Phone number:
    • Get a USB key:
    • Find some safe places with decent public Wi-Fi:
  • The TAILS route:
    • Persistent Plausible Deniability using Whonix within TAILS:
  • Steps for all other routes:
    • Get a dedicated laptop for your sensitive activities:
    • Some laptop recommendations:
    • Bios/UEFI/Firmware Settings of your laptop:
    • Physically Tamper protect your laptop:
  • The Whonix route:
    • Picking your Host OS (the OS installed on your laptop):
    • Linux Host OS:
    • MacOS Host OS:
    • Windows Host OS:
    • Virtualbox on your Host OS:
    • Pick your connectivity method:
    • Get an anonymous VPN/Proxy:
    • Whonix:
    • Tor over VPN:
    • Whonix Virtual Machines:
    • Pick your guest workstation Virtual Machine:
    • Linux Virtual Machine (Whonix or Linux):
    • Windows 10 Virtual Machine:
    • Android Virtual Machine:
    • MacOS Virtual Machine:
    • KeepassXC:
    • VPN client installation (cash/Monero paid):
    • (Optional) allowing only the VMs to access the internet while cutting off the Host OS to prevent any leak:
    • Final step:
  • The Qubes Route:
    • Pick your connectivity method:
    • Get an anonymous VPN/Proxy:
    • Installation:
    • Lid Closure Behavior:
    • Connect to a Public Wi-Fi:
    • Update Qubes OS:
    • Hardening Qubes OS:
    • Setup the VPN ProxyVM:
    • Setup a safe Browser within Qube OS (optional but recommended):
    • Setup an Android VM:
    • KeePassXC:
• Creating your anonymous online identities:
  • Understanding the methods used to prevent anonymity and verify identity:
    • Captchas:
    • Phone verification:
    • E-Mail verification:
    • User details checking:
    • Proof of ID verification:
    • IP Filters:
    • Browser and Device Fingerprinting:
    • Human interaction:
    • User Moderation:
    • Behavioral Analysis:
    • Financial transactions:
    • Sign-in with some platform:
    • Live Face recognition and biometrics (again):
    • Manual reviews:
  • Getting Online:
    • Creating new identities:
    • The Real-Name System:
    • About paid services:
    • Overview:
    • How to share files or chat anonymously:
    • Redacting Documents/Pictures/Videos/Audio safely:
    • Communicating sensitive information to various known organizations:
    • Maintenance tasks:
• Backing-up your work securely:
  • Offline Backups:
    • Selected Files Backups:
    • Full Disk/System Backups:
  • Online Backups:
    • Files:
    • Information:
  • Synchronizing your files between devices Online:
• Covering your tracks:
  • Understanding HDD vs SSD:
    • Wear-Leveling.
    • Trim Operations:
    • Garbage Collection:
    • Conclusion:
  • How to securely wipe your whole Laptop/Drives if you want to erase everything:
    • Linux (all versions including Qubes OS):
    • Windows:
    • MacOS:
  • How to securely delete specific files/folders/data on your HDD/SSD and Thumb drives:
    • Windows:
    • Linux (non Qubes OS):
    • Linux (Qubes OS):
    • MacOS:
  • Some additional measures against forensics:
    • Removing Metadata from Files/Documents/Pictures:
    • TAILS:
    • Whonix:
    • MacOS:
    • Linux (Qubes OS):
    • Linux (non-Qubes):
    • Windows:
  • Removing some traces of your identities on search engines and various platforms:
    • Google:
    • Bing:
    • DuckDuckGo:
    • Yandex:
    • Qwant:
    • Yahoo Search:
    • Baidu:
    • Wikipedia:
    • Archive.today:
    • Internet Archive:
• Some low-tech old-school tricks:
  • Hidden communications in plain sight:
  • How to spot if someone has been searching your stuff:
• Some last OPSEC thoughts:
• If you think you got burned:
  • If you have some time:
  • If you have no time:
• A small final editorial note

 

[HEISENBERG]

Introduction:​

TLDR for the whole guide: “A strange game. The only winning move is not to play”.


Making a social media account with a pseudonym or artist/brand name is easy. And it is enough is most use cases to protect your identity as the next George Orwell. There are plenty of people using pseudonyms all over Facebook/Instagram/Twitter/LinkedIn/TikTok/Snapchat/Reddit/… But the vast majority of those are anything but anonymous and can easily be traced to their real identity by your local police officers, random people within the OSINT (Open-Source Intelligence) community and trolls on 4chan.


This is a good thing, as most criminals/trolls are not really tech-savvy and will be identified with ease. But this is also a bad thing as most political dissidents, human rights activists and whistleblowers can also be tracked rather easily.


This updated guide aims to provide introduction to various de-anonymization techniques, tracking techniques, id verification techniques and optional guidance to creating and maintaining reasonably anonymous identities online including social media accounts safely. This includes mainstream platforms and not only privacy-friendly ones.


It is important to understand that the purpose of this guide is anonymity and not just privacy, but many of the guidance you will find here will also help you improve your privacy and security even if you are not interested in anonymity. There is an important overlap in techniques and tools used for privacy, security, and anonymity, but they differ at some point:

• Privacy is about people knowing who you are, but not knowing what you are doing.
• Anonymity is about people knowing what you are doing but not knowing who you are

Will this guide help you protect yourself from the NSA, the FSB, Mark Zuckerberg, or the Mossad if they are out to find you? Probably not … Mossad will be doing “Mossad things” and will probably find you, no matter how hard you try to hide.


You must consider your threat model before going further.

Will this guide help you protect your privacy from OSINT researchers like Bellingcat13, Doxing14 trolls on 4chan15 and others that have no access to the NSA toolbox? More likely. Tho I would not be so sure about 4chan.


Here is a basic simplified threat model for this guide:

Important Disclaimer: Jokes aside (magical amulet…). Of course, there are also advanced ways to mitigate attacks against such advanced and skilled adversaries, but those are just out of scope of this guide. It is crucially important that you understand the limits of the threat model of this guide. And therefore, this guide will not double in size to help with those advanced mitigations as this is just too complex and will require very high knowledge that is not expected from the targeted audience of this guide.


The EFF provides a few security scenarios of what you should consider depending on your activity. While some of those tips might not be within the scope of this guide (more about Privacy than Anonymity), they are still worth reading as examples. See https://ssd.eff.org/en/module-categories/security-scenarios [Archive.org].
There are also quite a few more serious ways of making your threat model such as:

• LINDDUN https://www.linddun.org/ [Archive.org]
• STRIDE https://en.wikipedia.org/wiki/STRIDE_(security) [Wikiless] [Archive.org]
• DREAD https://en.wikipedia.org/wiki/DREAD_(risk_assessment_model) [Wikiless] [Archive.org]
• PASTA https://versprite.com/tag/pasta-threat-modeling/ [Archive.org]

And there are quite a few others too, see:

• https://insights.sei.cmu.edu/blog/threat-modeling-12-available-methods/ [Archive.org]
• https://www.geeksforgeeks.org/threat-modelling/ [Archive.org]

You can find some introduction on these on these projects:

• OWASP https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html [Archive.org]
• Online Operations Security https://github.com/devbret/online-opsec/ [Archive.org]

 

[HEISENBERG]

Understanding some basics of how some information can lead back to you and how to mitigate some:​

There are many ways you can be tracked besides browser cookies and ads, your e-mail, and your phone number. And if you think only the Mossad or the NSA/FSB can find you, you would be terribly wrong.


You might consider viewing this good YouTube playlist as an introduction before going further: https://www.youtube.com/playlist?list=PL3KeV6Ui_4CayDGHw64OFXEPHgXLkrtJO [Invidious] (from the Go Incognito project https://github.com/techlore-official/go-incognito [Archive.org]). This guide will cover many of those topics with more details and references as well as some additional topics, not covered within that series, but I would recommend the series as an introduction, and it will just take you 2 or 3 hours to watch it all.


Now, here is a non-exhaustive list of some of the many ways you could be tracked and de-anonymized:

 

[HEISENBERG]

Your Network:​

Your IP address:​

Disclaimer: this whole paragraph is about your public facing Internet IP and not your local network IP


Your IP address is the most known and obvious way you can be tracked. That IP is the IP you are using at the source. This is where you connect to the internet. That IP is usually provided by your ISP (Internet Service Provider) (xDSL, Mobile, Cable, Fiber, Cafe, Bar, Friend, Neighbor). Most countries have data retention regulations which mandates keeping logs of who is using what IP at a certain time/date for up to several years or indefinitely. Your ISP can tell a third party that you were using a specific IP at a specific date and time, years after the fact. If that IP (the origin one) leaks at any point for any reason, it can be used to track down you directly. In many countries, you will not be able to have internet access without providing some form of identification to the provider (address, ID, real name, e-mail …).


Useless to say that most platforms (such as social networks) will also keep (sometimes indefinitely) the IP addresses you used to sign-up and sign-in to their services.


Here are some online resources you can use to find some information about your current public IP right now:

• Find your IP:
  
  • https://resolve.rs/
  • https://www.dnsleaktest.com/ (Bonus, check your IP for DNS leaks)
• Find your IP location or the location of any IP:
  
  • https://resolve.rs/ip/geolocation.html
• Find if an IP is “suspicious” or has downloaded “things” on some public resources:
  
  • https://www.virustotal.com/gui/home/search
  • https://iknowwhatyoudownload.com
• Registration information of an IP (most likely your ISP or the ISP of your connection who most likely know, who is using that IP at any time):
  
  • https://whois.domaintools.com/
• Check for open-services or open-devices on an IP (especially if there are leaky Smart Devices on it):
  
  • https://www.shodan.io/host/185.220.101.134 (replace the IP by your IP or any other, or change in the search box, this example IP is a Tor Exit node)
• Various tools to check your IP such as blacklists checkers and more:
  
  • https://www.whatismyip.com
  • https://browserleaks.com/
• Would you like to know if you are connected through Tor?
  
  • https://check.torproject.org

For those reasons, we will need to obfuscate that origin IP (the one tied to your identification) or hide it as much as we can through a combination of various means:

• Using a public Wi-Fi service (free).
• Using the Tor Anonymity Network (free).
• Using VPN services anonymously (anonymously paid with cash or Monero).

All those will be explained later in this guide.

 

[HEISENBERG]

Your DNS and IP requests:​

DNS stands for “Domain Name System” and is a service used by your browser (and other apps) to find the IP addresses of a service. It is pretty much a huge “contact list” (phone book for older people) that works like asking it a name, and it returns the number to call. Except it returns an IP instead.


Every time your browser wants to access a certain service such as Google through www.google.com. Your Browser (Chrome or Firefox) will query a DNS service to find the IP addresses of the Google web servers.


Here is a video explaining DNS visually if you are already lost:

[Invidious]


Usually, the DNS service is provided by your ISP and automatically configured by the network you are connecting to. This DNS service could also be subject to data retention regulations or will just keep logs for other reasons (data collection for advertising purposes for instance). Therefore, this ISP will be capable of telling everything you did online just by looking at those logs which can in turn be provided to an adversary. Conveniently this also the easiest way for many adversaries to apply censoring or parental control by using DNS blocking. The provided DNS servers will give you a different address (than their real one) for some websites (like redirecting thepiratebay to some government website). Such blocking is widely applied worldwide for certain sites.


Using a private DNS service or your own DNS service would mitigate these issues, but the other problem is that most of those DNS requests are by default still sent in clear text (unencrypted) over the network. Even if you browse PornHub in an incognito Window, using HTTPS and using a private DNS service, chances are very high that your browser will send a clear text unencrypted DNS request to some DNS servers asking basically “So what’s the IP address of www.pornhub.com?”.


Because it is not encrypted, your ISP and/or any other adversary could still intercept (using a Man-in-the-middle attack) your request will know and possibly log what your IP was looking for. The same ISP can also tamper with the DNS responses even if you are using a private DNS. Rendering the use of a private DNS service useless.


As a bonus, many devices and apps will use hardcoded DNS servers bypassing any system setting you could set. This is for example the case with most (70%) Smart TVs and a large part (46%) of Game Consoles. For these devices, you will have to force them to stop using their hardcoded DNS service which could make them stop working properly.


A solution to this is to use encrypted DNS using DoH (DNS over HTTPS), DoT (DNS over TLS) with a private DNS server (this can be self-hosted locally with a solution like pi-hole, remotely hosted with a solution like nextdns.io or using the solutions' provider by your VPN provider or the Tor network). This should prevent your ISP or some middle-man from snooping on your requests … except it might not.


Small in-between disclaimer: This guide does not necessarily endorse or recommends Cloudflare services even if it is mentioned several times in this section for technical understanding.


Unfortunately, the TLS protocol used in most HTTPS connections in most Browsers (Chrome/Brave/Ungoogled-Chromium among them) will leak the Domain Name again through SNI handshakes (this can be checked here at Cloudflare: https://www.cloudflare.com/ssl/encrypted-sni/ [Archive.org]). As of the writing of this guide, only Firefox-based browsers supports ECH (Encrypted Client Hello previously known as eSNI) on some websites which will encrypt everything end to end (in addition to using a secure private DNS over TLS/HTTPS) and will allow you to hide your DNS requests from a third party. And this option is not enabled by default either, so you will have to enable it yourself.

In addition to limited browser support, only Web Services and CDNs behind Cloudflare CDN support ECH/eSNI at this stage. This means that ECH and eSNI are not supported (as of the writing of this guide) by most mainstream platforms such as:

• Amazon (including AWS, Twitch…)
• Microsoft (including Azure, OneDrive, Outlook, Office 365…)
• Google (including Gmail, Google Cloud…)
• Apple (including iCloud, iMessage…)
• Reddit
• YouTube
• Facebook
• Instagram
• Twitter
• GitHub
• …

Some countries like Russia and China will block ECH/eSNI handshakes at network level to allow snooping and prevent bypassing censorship. Meaning you will not be able to establish an HTTPS connection with a service if you do not allow them to see what it was.


The issues do not end here. Part of the HTTPS TLS validation is called OCSP and this protocol used by Firefox-based browsers will leak metadata in the form of the serial number of the certificate of the website you are visiting. An adversary can then easily find which website you are visiting by matching the certificate number. This issue can be mitigated by using OCSP stapling. Unfortunately, this is enabled but not enforced by default in Firefox/Tor Browser. But the website you are visiting must also be supporting it and not all do. Chromium-based browser, on the other hand, use a different system called CRLSets which is arguably better.


Here is a list of how various browser behave in relation with OCSP: https://www.ssl.com/blogs/how-do-browsers-handle-revoked-ssl-tls-certificates/ [Archive.org]


Here is an illustration of the issue you could encounter on Firefox-based browsers:

Finally, even if you use a custom encrypted DNS server (DoH or DoT) with ECH/eSNI support and OCSP stapling, it might still not be enough as traffic analysis studies have shown it is still possible to reliably fingerprint and block unwanted requests. Only DNS over Tor was able to demonstrate efficient DNS Privacy in recent studies, but even that can still be defeated by other means (see Your Anonymized Tor/VPN traffic).


One could also decide to use a Tor Hidden DNS Service or ODoH (Oblivious DNS over HTTPS) to further increase privacy/anonymity but unfortunately, as far as I know, these methods are only provided by Cloudflare as of this writing (https://blog.cloudflare.com/welcome-hidden-resolver/ [Archive.org], https://blog.cloudflare.com/oblivious-dns/ [Archive.org]). I personally think these are viable and reasonably secure technical options, but there is also a moral choice if you want to use Cloudflare or not (despite the risk posed by some researchers).


Lastly, there is also this new option called DoHoT which stands for DNS over HTTPS over Tor which could also further increase your privacy/anonymity and which you could consider if you are more skilled with Linux. See https://github.com/alecmuffett/dohot [Archive.org]. This guide will not help you with this one at this stage, but it might be coming soon.


Here is an illustration showing the current state of DNS and HTTPS privacy based on my current knowledge.

As for your normal daily use (non-sensitive), remember that only Firefox-based browsers support ECH (formerly eSNI) so far and that it is only useful with websites hosted behind Cloudflare CDN at this stage. If you prefer a Chrome-based version (which is understandable for some due to some better integrated features like on-the-fly Translation), then I would recommend the use of Brave, instead which supports all Chrome extensions and offers much better privacy than Chrome. Alternatively, if you do not trust Brave, you could also use Ungoogled-Chromium (https://github.com/Eloston/ungoogled-chromium [Archive.org]).


But the story does not stop there right. Now because after all this, even if you encrypt your DNS and use all possible mitigations. Simple IP requests to any server will probably allow an adversary to still detect which site you are visiting. And this is simply because the majority of websites have unique IPs tied to them, as explained here: https://blog.apnic.net/2019/08/23/what-can-you-learn-from-an-ip-address/ [Archive.org]. This mean that an adversary can create a dataset of known websites for instance including their IPs and then match this dataset against the IP you request. In most cases, this will result in a correct guess of the website you are visiting. This means that despite OCSP stapling, despite ECH/eSNI, despite using Encrypted DNS … An adversary can still guess the website you are visiting anyway.


Therefore, to mitigate all these issues (as much as possible and as good as we can), this guide will later recommend two solutions: Using Tor and a virtualized (See Appendix W: Virtualization) multi-layered solution of VPN over Tor solution. Other options will also be explained (Tor over VPN, VPN only, No Tor/VPN) but are less recommended.

 

[HEISENBERG]

Your RFID enabled devices:​

RFID stands for Radio-frequency identification, it is the technology used for instance for contactless payments and various identification systems. Of course, your smartphone is among those devices and has RFID contactless payment capabilities through NFC. As with everything else, such capabilities can be used for tracking by various actors.


But unfortunately, this is not limited to your smartphone, and you also probably carry some amount of RFID enabled device with you all the time, such as:

• Your contactless enabled credit/debit cards
• Your store loyalty cards
• Your transportation payment cards
• Your work-related access cards
• Your car keys
• Your national ID or driver license
• Your passport
• The price/anti-theft tags on object/clothing
• …

While all these cannot be used to de-anonymize you from a remote online adversary, they can be used to narrow down a search if your approximate location at a certain time is known. For instance, you cannot rule out that some stores will effectively scan (and log) all RFID chips passing through the door. They might be looking for their loyalty cards but are also logging others along the way. Such RFID tags could be traced to your identity and allow for de-anonymization.


More information over at Wikipedia: https://en.wikipedia.org/wiki/Radio-frequency_identification#Security_concerns [Wikiless] [Archive.org] and https://en.wikipedia.org/wiki/Radio-frequency_identification#Privacy [Wikiless] [Archive.org]


The only way to mitigate this problem is to have no RFID tags on you or to shield them again using a type of faraday cage. You could also use specialized wallets/pouches that specifically block RFID communications. Many of those are now made by well-known brands such as Samsonite.

 

[HEISENBERG]

The Wi-Fis and Bluetooth devices around you:​

Geolocation is not only done by using mobile antenna's triangulation. It is also done using the Wi-Fis and Bluetooth devices around you. Operating systems makers like Google (Android) and Apple (IOS) maintain a convenient database of most Wi-Fi access points, Bluetooth devices and their location. When your Android smartphone or iPhone is on (and not in Plane mode), it will scan passively (unless you specifically disable this feature in the settings) Wi-Fi access points and Bluetooth devices around you and will be able to geolocate you with more precision than when using a GPS.


This allows them to provide accurate locations even when GPS is off, but it also allows them to keep a convenient record of all Bluetooth devices all over the world. Which can then be accessed by them or third parties for tracking.


Note: If you have an Android smartphone, Google probably knows where it is, no matter what you do. You cannot really trust the settings. The whole operating system is built by a company that wants your data. Remember that if it is free, then you are the product.


But that is not what all those Wi-Fis access points can do. Recently developed techs could even allow someone to track your movements accurately just based on radio interferences. What this means is that it is possible to track your movement inside a room/building based on the radio signals passing through. This might seem like a tinfoil hat conspiracy theory claim, but here are the references with demonstrations showing this tech in action: http://rfpose.csail.mit.edu/ [Archive.org] and the video here:

[Invidious]


You could therefore imagine many uses cases for such technologies like recording who enters specific buildings/offices (hotels, hospitals, or embassies for instance) and then discover who meets who and whereby tracking them from outside. Even if they have no smartphone on them.

Again, such issue could only be mitigated by being in a room/building that would act as a Faraday cage.


Here is another video of the same kind of tech in action:

[Invidious]

 

[HEISENBERG]

Malicious/Rogue Wi-Fi Access Points:​

These have been used since at least since 2008 using an attack called “Jasager” and can be done by anyone using self-built tools or using commercially available devices such as Wi-Fi Pineapple.


Here are some videos explaining more about the topic:

• HOPE 2020, https://archive.org/details/hopeconf2020/20200725_1800_Advanced_Wi-Fi_Hacking_With_$5_Microcontrollers.mp4
• YouTube, Hak5, Wi-Fi Pineapple Mark VII
  [Invidious]

These devices can fit in a small bag and can take over the Wi-Fi environment of any place within their range. For instance, a Bar/Restaurant/Café/Hotel Lobby. These devices can force Wi-Fi clients to disconnect from their current Wi-Fi (using de-authentication, disassociation attacks) while spoofing the normal Wi-Fi networks at the same location. They will continue to perform this attack until your computer or yourself decides to try to connect to the rogue AP.


These devices can then mimic a captive portal with the exact same layout as the Wi-Fi you are trying to access (for instance an Airport Wi-Fi registration portal). Or they could just give you open access internet that they will themselves get from the same place.


Once you are connected through the Rogue AP, this AP will be able to execute various man-in-the-middle attacks to perform analysis on your traffic. These could be malicious redirections or just simple traffic sniffing. These can then easily identify any client that would for instance try to connect to a VPN server or to the Tor Network.


This can be useful when you know someone you want to de-anonymize is in a crowded place, but you do not know who. This would allow such an adversary to possibly fingerprint any website you visit despite the use of HTTPS, DoT, DoH, ODoH, VPN or Tor using traffic analysis as pointed above in the DNS section.


These can also be used to carefully craft and serve you advanced phishing webpages that would harvest your credentials or try to make you install a malicious certificate allowing them to see your encrypted traffic.

 

[HEISENBERG]

Your Anonymized Tor/VPN traffic:​

Tor and VPNs are not silver bullets. Many advanced techniques have been developed and studied to de-anonymize encrypted Tor traffic over the years. Most of those techniques are Correlation attacks that will correlate your network traffic in one way or another to logs or datasets. Here are some classic examples:

• Correlation Fingerprinting Attack: As illustrated (simplified) below, this attack will fingerprint your encrypted traffic (like the websites you visited) just based on the analysis of your encrypted traffic (without decrypting it). It can do so with a whopping 96% success rate. Such fingerprinting can be used by an adversary that has access to your source network to figure out some of your encrypted activity (such as which websites you visited).

Correlation Timing Attacks: As illustrated (simplified) below, an adversary that has access to network connection logs (IP or DNS for instance, remember that most VPN servers and most Tor nodes are known and publicly listed) at the source and at the destination could correlate the timings to de-anonymize you without requiring any access to the Tor or VPN network in between. A real use case of this technique was done by the FBI in 2013 to de-anonymize a bomb threat hoax at Harvard University.

Correlation Counting Attacks: As illustrated (simplified) below, an adversary that has no access to detailed connection logs (cannot see that you used Tor or Netflix) but has access to data counting logs could see that you have downloaded 600 MB on a specific time/date that matches the 600 MB upload at the destination. This correlation can then be used to de-anonymize you over time.

There are ways to mitigate these, such as:

• Do not use Tor/VPNs to access services that are on the same network (ISP) as the destination service. For example, do not connect to Tor from your University Network to access a University Service anonymously. Instead, use a different source point (such as a public Wi-Fi) that cannot be correlated easily by an adversary.
• Do not use Tor/VPN from an obviously monitored network (such as a corporate/governmental Network) but instead try to find an unmonitored network such as a public Wi-Fi or a residential Wi-Fi.
• Use multiple layers (such as what will be recommended in this guide later: VPN over Tor) so that an adversary might be able to see that someone connected to the service through Tor but will not be able to see that it was you because you were connected to a VPN and not the Tor Network.

Be aware again that this might not be enough against a motivated global adversary with wide access to global mass surveillance. Such an adversary might have access to logs, no matter where you are and could use those to de-anonymize you.


Be also aware that all the other methods described in this guide such as Behavioral analysis can also be used to deanonymize Tor users indirectly (see further Your Digital Fingerprint, Footprint, and Online Behavior).


I also strongly recommend reading this very good, complete and thorough guide on many Attack Vectors on Tor: https://github.com/Attacks-on-Tor/Attacks-on-Tor [Archive.org] as well as this recent research publication https://www.researchgate.net/public...ners_of_the_Internet_A_Survey_of_Tor_Research [Archive.org]


As well as this great series of blog posts: https://www.hackerfactor.com/blog/index.php?/archives/906-Tor-0day-The-Management-Vulnerability.html [Archive.org]


(In their defense, it should also be noted that Tor is not designed to protect against a Global adversary. For more information see https://svn-archive.torproject.org/svn/projects/design-paper/tor-design.pdf [Archive.org] and specifically, “Part 3. Design goals and assumptions.”.)


Lastly, do remember that using Tor can already be considered a suspicious activity and its use could be considered malicious by some.


This guide will later propose some mitigations to such attacks by changing your origin from the start (using public Wi-Fi’s for instance).

 

[HEISENBERG]

Some Devices can be tracked even when offline:​

You have seen this in action/spy/Sci-Fi movies and shows, the protagonists always remove the battery of their phones to make sure it cannot be used. Most people would think that’s overkill. Well, unfortunately no, this is now becoming true at least for some devices:

• iPhones and iPads (IOS 13 and above)
• Samsung Phones (Android 10 and above)
• MacBooks (MacOS 10.15 and above)

Such devices will continue to broadcast identity information to nearby devices even when offline using Bluetooth Low-Energy. They do not have access to the devices directly (which are not connected to the internet) but instead use BLE to find them through other nearby devices. They are basically using peer-to-peer short-range Bluetooth communication to broadcast their status through nearby online devices.


They could now locate such devices and keep the location in some database that could then be used by third parties or themselves for various purposes (including analytics, advertising or evidence/intelligence gathering).

 

[HEISENBERG]

Your Hardware Identifiers:​

Your IMEI and IMSI (and by extension, your phone number):​

The IMEI (International Mobile Equipment Identity) and the IMSI (International Mobile Subscriber Identity) are unique numbers created by mobile phone manufacturers and mobile phone operators.


The IMEI is tied directly to the phone you are using. This number is known and tracked by the mobile phone operators and known by the manufacturers. Every time your phone connects to the mobile network, it will register the IMEI on the network along the IMSI (if a SIM card is inserted but that is not even needed). It is also used by many applications (Banking apps abusing the phone permission on Android for instance) and smartphone Operating Systems (Android/IOS) for identification of the device. It is possible, but difficult (and not illegal in many jurisdictions) to change the IMEI on a phone, but it is probably easier and cheaper to just find and buy some old (working) Burner phone for a few Euros (this guide is for Germany remember) at a flea market or at some random small shop.


The IMSI is tied directly to the mobile subscription or pre-paid plan you are using and is basically tied to your phone number by your mobile provider. The IMSI is hardcoded directly on the SIM card and cannot be changed. Remember that every time your phone connects to the mobile network, it will also register the IMSI on the network along the IMEI. Like the IMEI, the IMSI is also being used by some applications and smartphone Operating systems for identification and are being tracked. Some countries in the EU for instance maintain a database of IMEI/IMSI associations for easy querying by Law Enforcement.


Today, giving away your (real) phone number is basically the same or better than giving away your Social Security number/Passport ID/National ID.


The IMEI and IMSI can be traced back to you by at least 6 ways:

• The mobile operator subscriber logs which will usually store the IMEI along the IMSI and their subscriber information database. If you use a prepaid anonymous SIM (anonymous IMSI but with a known IMEI), they can see this cell belongs to you if you used that cell phone before with a different SIM card (different anonymous IMSI but same known IMEI).
• The mobile operator antenna logs which will conveniently keep a log of which IMEI and IMSI also keep some connection data. They know and log for instance that a phone with this IMEI/IMSI combination connected to a set of Mobile antennas and how powerful the signal to each of those antennas was allowing easy triangulation/geolocation of the signal. They also know which other phones (your real one for instance) connected at the same time to the same antennas with the same signal which would make it possible to know precisely that this “burner phone” was always connected at the same place/time than this other “known phone” which shows up every time the burner phone is being used. This information can be used by various third parties to geolocate/track you quite precisely.
• The manufacturer of the Phone can trace back the sale of the phone using the IMEI if that phone was bought in a non-anonymous way. Indeed, they will have logs of each phone sale (including serial number and IMEI), to which shop/person it was sold to. And if you are using a phone that you bought online (or from someone that knows you). It can be traced to you using that information. Even if they do not find you on CCTV and you bought the phone cash, they can still find what other phone (your real one in your pocket) was there (in that shop) at that time/date by using the antenna logs.
• The IMSI alone can be used to find you as well because most countries now require customers to provide an ID when buying a SIM card (subscription or pre-paid). The IMSI is then tied to the identity of the buyer of the card. In the countries where the SIM can still be bought with cash (like the UK), they still know where (which shop) it was bought and when. This information can then be used to retrieve information from the shop itself (such as CCTV footage as for the IMEI case). Or again the antenna logs can also be used to figure out which other phone was there at the moment of the sale.
• The smartphone OS makers (Google/Apple for Android/IOs) also keep logs of IMEI/IMSI identifications tied to Google/Apple accounts and which user has been using them. They too can trace back the history of the phone and to which accounts it was tied in the past.
• Government agencies around the world interested in your phone number can and do use special devices called “IMSI catchers” like the Stingray or more recently the Nyxcell. These devices can impersonate (to spoof) a cell phone Antenna and force a specific IMSI (your phone) to connect to it to access the cell network. Once they do, they will be able to use various MITM (Man-In-The-Middle Attacks) that will allow them to:
  • Tap your phone (voice calls and SMS).
  • Sniff and examine your data traffic.
  • Impersonate your phone number without controlling your phone.
  • …

Here is also a good YouTube video on this topic: DEFCON Safe Mode - Cooper Quintin - Detecting Fake 4G Base Stations in Real Time

[Invidious]


For these reasons, it is crucial to get dedicated an anonymous phone number and/or an anonymous burner phone with an anonymous pre-paid sim card that are not tied to you in any way (past or present) for conducting sensitive activities (See more practical guidance in Get an anonymous Phone number section).


While there are some smartphones manufacturers like Purism with their Librem series who claim to have your privacy in mind, they still do not allow IMEI randomization which I believe is a key anti-tracking feature that should be provided by such manufacturers. While this measure will not prevent IMSI tracking within the SIM card, it would at least allow you to keep the same “burner phone” and only switch SIM cards instead of having to switch both for privacy.

 

[HEISENBERG]

Your Wi-Fi or Ethernet MAC address:​

The MAC address is a unique identifier tied to your physical Network Interface (Wired Ethernet or Wi-Fi) and could of course be used to track you if it is not randomized. As it was the case with the IMEI, manufacturers of computers and network cards usually keep logs of their sales (usually including things like: Serial number, IMEI, Mac Addresses, …) and it is possible again for them to track where and when the computer with the MAC address in question was sold and to whom. Even if you bought it with cash in a supermarket, the supermarket might still have CCTV (or a CCTV just outside that shop) and again the time/date of sale could be used to find out who was there using the Mobile Provider antenna logs at that time (IMEI/IMSI).


Operating Systems makers (Google/Microsoft/Apple) will also keep logs of devices and their MAC addresses in their logs for device identification (Find my device type services for example). Apple can tell that the MacBook with this specific MAC address was tied to a specific Apple Account before. Maybe yours before you decided to use the MacBook for sensitive activities. Maybe to a different user who sold it to you but remembers your e-mail/number from when the sale happened.


Your home router/Wi-Fi access point keeps logs of devices that registered on the Wi-Fi, and these can be accessed too to find out who has been using your Wi-Fi. Sometimes this can be done remotely (and silently) by the ISP, depending on if that router/Wi-Fi access point is being “managed” remotely by the ISP (which is often the case when they provide the router to their customers).


Some commercial devices will keep record of MAC addresses roaming around for various purposes such as road congestion.


So, it is important again not to bring your phone along when/where you conduct sensitive activities. If you use your own laptop, then it is crucial to hide that MAC address (and Bluetooth address) anywhere you use it and be extra careful not to leak any information. Thankfully many recent OSes now feature or allow the option to randomize MAC addresses (Android, IOS, Linux and Windows 10) with the notable exception of MacOS which does not support this feature even in its latest Big Sur version.

 

[HEISENBERG]

Your Bluetooth MAC address:​

Your Bluetooth MAC is like the previous MAC address, except it is for Bluetooth. Again, it can be used to track you, as manufacturers and operating system makers keep logs of such information. It could be tied to a sale place/time/date or accounts and then could be used to track you with such information, the shop billing information, the CCTV, or the mobile antenna logs in correlation.


Operating systems have protections in place to randomize those addresses but are still subject to vulnerabilities.


For this reason, and unless you really need those, you should just disable Bluetooth completely in the BIOS/UEFI settings if possible or in the Operating System otherwise.


On Windows 10, you will need to disable and enable the Bluetooth device in the device manager itself to force a randomization of the address for next use and prevent tracking.

 

[HEISENBERG]

Your CPU:​

All modern CPUs are now integrating hidden management platforms, such as the now infamous Intel Management Engine and the AMD Platform Security Processor.


Those management platforms are basically small operating systems running directly on your CPU as long as they have power. These systems have full access to your computer’s network and could be accessed by an adversary to de-anonymize you in various ways (using direct access or using malware for instance) as shown in this enlightening video: BlackHat, How to Hack a Turned-Off Computer, or Running Unsigned Code in Intel Management Engine

[Invidious].


These have already been affected by several security vulnerabilities in the past that allowed malware to gain control of target systems. These are also accused by many privacy actors including the EFF and Libreboot of being a backdoor into any system.


There are some not so easy ways to disable the Intel IME on some CPUs, and you should do so if you can. For some AMD laptops, you can disable it within the BIOS settings by disabling PSP.


Note that to AMD’s defense, so far and AFAIK, there were no security vulnerabilities found for ASP and no backdoors eithers: See

[Invidious]. In addition, AMD PSP does not provide any remote management capabilities contrary to Intel IME.


If you are feeling a bit more adventurous, you could install your own BIOS using Libreboot or Coreboot if your laptop supports it (be aware that Coreboot does contain some propriety code unlike its fork Libreboot).


In addition, some CPUs have unfixable flaws (especially Intel CPUs) that could be exploited by various malware. Here is a good current list of such vulnerabilities affecting recent widespread CPUs:


https://en.wikipedia.org/wiki/Transient_execution_CPU_vulnerability [Wikiless] [Archive.org]

• If you are using Linux you can check the vulnerability status of your CPU to Spectre/Meltdown attacks by using https://github.com/speed47/spectre-meltdown-checker [Archive.org] which is available as a package for most Linux distros including Whonix.
• If you are using Windows, you can check the vulnerability status of your CPU using inSpectre https://www.grc.com/inspectre.htm [Archive.org]

Some of these can be avoided using Virtualization Software settings that can mitigate such exploits. See this guide for more information https://www.whonix.org/wiki/Spectre_Meltdown [Archive.org] (warning: these can severely impact the performance of your VMs).


I will therefore mitigate some of these issues in this guide by recommending the use of virtual machines on a dedicated anonymous laptop for your sensitive activities that will only be used from an anonymous public network.

 

[HEISENBERG]

Your Operating Systems and Apps telemetry services:​

Whether it is Android, iOS, Windows, MacOS or even Ubuntu. Most popular Operating Systems now collect telemetry information by default, even if you never opt in or opted out from the start. Some like Windows will not even allow disabling telemetry completely without some technical tweaks. This information collection can be extensive and include a staggering number of details (metadata and data) on your devices and their usage.


Here are good overviews of what is being collected by those 5 popular OSes in their last versions:

• Android/Google:
  
  • Just have a read at their privacy policy https://policies.google.com/privacy [Archive.org]
  • School of Computer Science & Statistics, Trinity College Dublin, Ireland Mobile Handset Privacy: Measuring The Data iOS and Android Send to Apple And Google https://www.scss.tcd.ie/doug.leith/apple_google.pdf [Archive.org]
• IOS/Apple:
  
  • More information at https://www.apple.com/legal/privacy/en-ww/ [Archive.org] and https://support.apple.com/en-us/HT202100 [Archive.org]
  • School of Computer Science & Statistics, Trinity College Dublin, Ireland Mobile Handset Privacy: Measuring The Data iOS and Android Send to Apple And Google https://www.scss.tcd.ie/doug.leith/apple_google.pdf [Archive.org]
  • Apple does claim that they anonymize this data using differential privacy but you will have to trust them on that.
• Windows/Microsoft:
  
  • Full list of required diagnostic data: https://docs.microsoft.com/en-us/wi...indows-diagnostic-data-events-and-fields-2004 [Archive.org]
  • Full list of optional diagnostic data: https://docs.microsoft.com/en-us/windows/privacy/windows-diagnostic-data [Archive.org]
• MacOS:
  
  • More details on https://support.apple.com/guide/mac-help/share-analytics-information-mac-apple-mh27990/mac [Archive.org]
• Ubuntu:
  
  • Ubuntu despite being a Linux distribution also collects Telemetry Data nowadays. This data, however, is quite limited compared to the others. More details on https://ubuntu.com/desktop/statistics [Archive.org]

Not only are Operating Systems gathering telemetry services but so are Apps themselves like Browsers, Mail Clients, and Social Networking Apps installed on your system.


It is important to understand that this telemetry data can be tied to your device and help de-anonymizing you and subsequently can be used against you by an adversary that would get access to this data.


This does not mean for example that Apple devices are terrible choices for good Privacy but they certainly not the best choices for (relative) Anonymity. They might protect you from third parties knowing what you are doing but not from themselves. In all likelihood, they certainly know who you are.


Later in this guide, we will use all the means at our disposal to disable and block as much telemetry as possible to mitigate this attack vector in the Operating Systems supported in this guide.

 

[HEISENBERG]

Your Smart devices in general:​

You got it; your smartphone is an advanced spying/tracking device that:

• Records everything you say at any time (“Hey Siri”, “Hey Google”).
• Records your location everywhere you go.
• Always records other devices around you (Bluetooth devices, Wi-Fi Access points).
• Records your habits and health data (steps, screen time, exposure to diseases, connected devices' data)
• Records all your network locations.
• Records all your pictures and videos (and most likely where they were taken).
• Has most likely access to most of your known accounts including social media, Messaging and Financial accounts.

Data is being transmitted even if you opt out, processed, and stored indefinitely (most likely unencrypted) by various third parties.


But that is not all, this section is not called “Smartphones” but “Smart devices” because it is not only your smartphone spying on you. It is also every other smart device you could have.

• Your Smart Watch? (Apple Watch, Android Smartwatch …)
• Your Fitness Devices and Apps? (Strava, Fitbit, Garmin, Polar, …)
• Your Smart Speaker? (Amazon Alexa, Google Echo, Apple Homepod …)
• Your Smart Transportation? (Car? Scooter?)
• Your Smart Tags? (Apple AirTag, Galaxy SmartTag, Tile…)
• Your Car? (Yes, most modern cars have advanced logging/tracking features these days)
• Any other Smart device? There are even convenient search engines dedicated to finding them online:
  
  • https://www.shodan.io/
  • https://censys.io/
  • https://www.zoomeye.org/

 

[HEISENBERG]

Yourself:​

Your Metadata including your Geo-Location:​

Your metadata is all the information about your activities without the actual content of those activities. For instance, it is like knowing you had a call from an oncologist before then calling your family and friends successively. You do not know what was said during the conversation, but you can guess what it was just from the metadata.


This metadata will also often include your location that is being harvested by Smartphones, Operating Systems (Android/IOS), Browsers, Apps, Websites. Odds are, there are several companies knowing exactly where you are at any time because of your smartphone.


This location data has been used in many judicial cases already as part of “geofence warrants” that allows law enforcement to ask companies (such as Google/Apple) a list of all devices present at a certain location at a certain time. In addition, this location data is even sold by private companies to the military, who can then use it conveniently.


Now, let us say you are using a VPN to hide your IP. The social media platform knows you were active on that account on November 4th from 8am to 1pm with that VPN IP. The VPN allegedly keeps no logs and cannot trace back that VPN IP to your IP. Your ISP, however, knows (or at least can know) you were connected to that same VPN provider on November 4th from 7:30am to 2pm but does not know what you were doing with it.


The question is: Is there someone somewhere that would possibly have both pieces of information available for correlation in a convenient database?


Have you heard of Edward Snowden? Now is the time to google him and read his book. Also read about XKEYSCORE, MUSCULAR, SORM, Tempora and PRISM.


See “We kill people based on Metadata” or this famous tweet from the IDF [Archive.org] [Nitter].

 

[HEISENBERG]

Your Digital Fingerprint, Footprint, and Online Behavior:​

This is the part where you should watch the documentary “The Social Dilemma” on Netflix as they cover this topic much better than anyone else IMHO.


This includes is the way you write (stylometry), the way you behave. The way you click. The way you browse. The fonts you use on your browser. Fingerprinting is being used to guess who someone is by the way that user is behaving. You might be using specific pedantic words or making specific spelling mistakes that could give you away using a simple Google search for similar features because you typed in a similar way on some Reddit post 5 years ago using a not so anonymous Reddit account.


Social Media platforms such as Facebook/Google can go a step further and can register your behavior in the browser itself. For instance, they can register everything you type even if you do not send it / save it. Think of when you write an e-mail in Gmail. It is saved automatically as you type. They can register your clicks and cursor movements as well.


All they need to achieve this in most cases is Javascript enabled in your Browser (which is the case in most Browsers, including Tor Browser by default).


While these methods are usually used for marketing purposes and advertising, they can also be a useful tool for fingerprinting users. This is because your behavior is most likely quite unique or unique enough that over time, you could be de-anonymized.


Here are some examples:

• For example, as a basis of authentication, a user’s typing speed, keystroke depressions, patterns of error (say accidentally hitting an “l” instead of a “k” on three out of every seven transactions) and mouse movements establishes that person’s unique pattern of behavior. Some commercial services such as TypingDNA (https://www.typingdna.com/ [Archive.org]) even offer such analysis as a replacement for two-factor authentications.
• This technology is also widely used in CAPTCHAS services to verify that you are “human” and can be used to fingerprint a user.

Analysis algorithms could then be used to match these patterns with other users and match you to a different known user. It is unclear if such data is already used or not by Governments and Law Enforcements agencies, but it might be in the future. And while this is mostly used for advertising/marketing/captchas purposes now. It could and probably will be used for investigations in the short or mid-term future to deanonymize users.


Here is a fun example you try yourself to see some of those things in action: https://clickclickclick.click (no archive links for this one, sorry). You will see it becoming interesting over time (this requires Javascript enabled).


Here is also a recent example just showing what Google Chrome collects on you: https://web.archive.org/web/https://pbs.twimg.com/media/EwiUNH0UYAgLY7V?format=jpg&name=4096x4096


Here are some other resources on the topic if you cannot see this documentary:

• 2017, Behavior Analysis in Social Networks, https://link.springer.com/10.1007/978-1-4614-7163-9_110198-1 [Archive.org]
• 2017, Social Networks and Positive and Negative Affect https://www.sciencedirect.com/scien...c077d46&pid=1-s2.0-S1877042811013747-main.pdf [Archive.org]
• 2015, Using Social Networks Data for Behavior and Sentiment Analysis https://www.researchgate.net/public...orks_Data_for_Behavior_and_Sentiment_Analysis [Archive.org]
• 2016, A Survey on User Behavior Analysis in Social Networks https://www.academia.edu/30936118/A_Survey_on_User_Behaviour_Analysis_in_Social_Networks [Archive.org]
• 2019, Influence and Behavior Analysis in Social Networks and Social Media https://sci-hub.do/10.1007/978-3-030-02592-2 [Archive.org]

So, how can you mitigate this these?

• This guide will provide some technical mitigations using Fingerprinting resistant tools, but those might not be sufficient.
• You should apply common sense and try to identify your own patterns in your behavior and behave differently when using anonymous identities. This includes:
  
  • The way you type (speed, accuracy…).
  • The words you use (be careful with your usual expressions).
  • The type of response you use (if you are sarcastic by default, try to have a different approach with your identities).
  • The way you use your mouse and click (try to solve the Captchas differently than your usual way)
  • The habits you have when using some Apps or visiting some Websites (do not always use the same menus/buttons/links to reach your content).
  • …

Basically, you need to act and fully adopt a role as an actor would do for a performance. You need to become a different person, think, and act like that person. This is not a technical mitigation but a human one. You can only rely on yourself for that.


Ultimately, this is mostly up to you to fool those algorithms by adopting new habits and not revealing real information when using your anonymous identities.

 

[HEISENBERG]

Your Clues about your Real Life and OSINT:​

These are clues you might give over time that could point to your real identity. You might be talking to someone or posting on some board/forum/Reddit. In those posts, you might over time leak some information about your real life. These might be memories, experiences or clues you shared that could then allow a motivated adversary to build a profile to narrow their search.


A real use and well-documented case of this was the arrest of the hacker Jeremy Hammond, who shared over time several details about his past and was later discovered.


There are also a few cases involving OSINT at Bellingcat. Have a look at their very informative (but slightly outdated) toolkit here: https://docs.google.com/spreadsheet...NyhIDuK9jrPGwYr9DI2UncoqJQ/edit#gid=930747607 [Archive.org]


You can also view some convenient lists of some available OSINT tools here if you want to try them on yourself, for example:

• https://github.com/jivoi/awesome-osint [Archive.org]
• https://jakecreps.com/tag/osint-tools/ [Archive.org]
• https://osintframework.com/
• https://recontool.org
• https://github.com/jivoi/awesome-osint [Archive.org]

As well as this interesting Playlist on YouTube: https://www.youtube.com/playlist?list=PLrFPX1Vfqk3ehZKSFeb9pVIHqxqrNW8Sy [Invidious]


As well as those interesting podcasts:


https://www.inteltechniques.com/podcast.html


You should never ever share real personal experiences/details using your anonymous identities that could later lead to finding your real identity.

 

[HEISENBERG]

Your Face, Voice, Biometrics and Pictures:​

“Hell is other people”, even if you evade every method listed above, you are not out of the woods yet thanks to the widespread use of advanced Face recognition by everyone.


Companies like Facebook have used advanced face recognition for years and have been using other means (Satellite imagery) to create maps of “people” around the world. This evolution has been going on for years to the point we can now say “We lost control of our faces”.


If you are walking in a touristy place, you will most likely appear in someone’s selfie within minutes without knowing it. That person will then proceed to upload that selfie to various platforms (Twitter, Google Photos, Instagram, Facebook, Snapchat …). Those platforms will then apply face recognition algorithms to those pictures under the pretext of allowing better/easier tagging or to better organize your photo library. In addition to this, the same picture will provide a precise timestamp and in most cases geolocation of where it was taken. Even if the person does not provide a timestamp and geolocation, it can still be guessed with other means.


Here are a few resources for even trying this yourself:

• Bellingcat, Guide To Using Reverse Image Search For Investigations: https://www.bellingcat.com/resource...sing-reverse-image-search-for-investigations/ [Archive.org]
• Bellingcat, Using the New Russian Facial Recognition Site SearchFace https://www.bellingcat.com/resource...ussian-facial-recognition-site-searchface-ru/ [Archive.org]
• Bellingcat, Dali, Warhol, Boshirov: Determining the Time of an Alleged Photograph from Skripal Suspect Chepiga https://www.bellingcat.com/resource...e-alleged-photograph-skripal-suspect-chepiga/ [Archive.org]
• Bellingcat, Advanced Guide on Verifying Video Content https://www.bellingcat.com/resources/how-tos/2017/06/30/advanced-guide-verifying-video-content/ [Archive.org]
• Bellingcat, Using the Sun and the Shadows for Geolocation https://www.bellingcat.com/resources/2020/12/03/using-the-sun-and-the-shadows-for-geolocation/ [Archive.org]
• Bellingcat, Navalny Poison Squad Implicated in Murders of Three Russian Activists https://www.bellingcat.com/news/uk-...icated-in-murders-of-three-russian-activists/ [Archive.org]
• Bellingcat, Berlin Assassination: New Evidence on Suspected FSB Hitman Passed to German Investigators https://www.bellingcat.com/news/202...ed-fsb-hitman-passed-to-german-investigators/ [Archive.org]
• Bellingcat, Digital Research Tutorial: Investigating a Saudi-Led Coalition Bombing of a Yemen Hospital
  [Invidious]
• Bellingcat, Digital Research Tutorial: Using Facial Recognition in Investigations
  [Invidious]
• Bellingcat, Digital Research Tutorial: Geolocating (Allegedly) Corrupt Venezuelan Officials in Europe
  [Invidious]

Even if you are not looking at the camera, they can still figure out who you are, make out your emotions, analyze your gait and probably guess your political affiliation.

Those platforms (Google/Facebook) already know who you are for a few reasons:

• Because you have or had a profile with them, and you identified yourself.
• Even if you never made a profile on those platforms, you still have one without even knowing it.
• Because other people have tagged you or identified you in their holidays/party pictures.
• Because other people have put a picture of you in their contact list, which they then shared with them.

Here is also an insightful demo of Microsoft Azure you can try for yourself at https://azure.microsoft.com/en-us/services/cognitive-services/face/#demo where you can detect emotions and compare faces from different pictures.


Governments already know who you are because they have your ID/Passport/Driving License pictures and often added biometrics (Fingerprints) in their database. Those same governments are integrating those technologies (often provided by private companies such as the Israeli AnyVision, Clearview AI, or NEC) in their CCTV networks to look for “persons of interest”. And some heavily surveilled states like China have implemented widespread use of Facial Recognition for various purposes, including possibly identifying ethnic minorities. A simple face recognition error by some algorithm can ruin your life.


Here are some resources detailing some techniques used by Law Enforcement today:

• CCC video explaining current Law Enforcement surveillance capabilities: https://media.ccc.de/v/rc3-11406-spot_the_surveillance#t=761 [Archive.org]
• EFF SLS: https://www.eff.org/sls [Archive.org]

Apple is making FaceID mainstream and pushing its use of it to log you in various services including the Banking systems.


The same goes with fingerprint authentication being mainstreamed by many smartphone makers to authenticate yourself. A simple picture where your fingers appear can be used to de-anonymize you.


Same goes with your voice which can be analyzed by for various purposes as shown in the recent Spotify patent.


We can safely imagine a near future where you will not be able to create accounts or sign-in anywhere without providing unique biometrics (A good time to re-watch Gattaca, Person of Interest and Minority Report). And you can safely imagine how useful these large biometrics databases could be to some interested third parties.
In addition, all this information can also be used against you (if you are already de-anonymized) using deepfake by crafting false information (Pictures, Videos, Voice Recordings…) and have already been used for such purposes. There are even commercial services for this readily available, such as https://www.respeecher.com/ [Archive.org] and https://www.descript.com/overdub [Archive.org].


See this demo:

[Invidious]


At this time, there are a few steps you can use to mitigate (and only mitigate) face recognition when conducting sensitive activities where CCTV might be present:

• Wear a facemask as they have been proven to defeat some face recognition technologies but not all.
• Wear a baseball cap or hat to mitigate identification from high angle CCTVs (filming from above) from recording your face. Remember, this will not help against front-facing cameras.
• Wear sunglasses in addition to the facemask and baseball cap to mitigate identification from your eye’s features.
• Consider wearing special sunglasses (expensive, unfortunately) called “Reflectacles” https://www.reflectacles.com/ [Archive.org]. There was a small study showing their efficiency against IBM and Amazon facial recognition.

(Note that if you intend to use these were advanced facial recognition systems have been installed, these measures could also flag as you as suspicious by themselves and trigger a human check).