Guide to Online Anonymity (by https://anonymousplanet.org/)

Use at your own risk. Please do not take this guide as a definitive truth for everything because it is not.
​

Spoiler: Table of Contents

• Introduction:
• Understanding some basics of how some information can lead back to you and how to mitigate some:
  • Your Network:
    • Your IP address:
    • Your DNS and IP requests:
    • Your RFID enabled devices:
    • The Wi-Fis and Bluetooth devices around you:
    • Malicious/Rogue Wi-Fi Access Points:
    • Your Anonymized Tor/VPN traffic:
    • Some Devices can be tracked even when offline:
  • Your Hardware Identifiers:
    • Your IMEI and IMSI (and by extension, your phone number):
    • Your Wi-Fi or Ethernet MAC address:
    • Your Bluetooth MAC address:
  • Your CPU:
  • Your Operating Systems and Apps telemetry services:
  • Your Smart devices in general:
  • Yourself:
    • Your Metadata including your Geo-Location:
    • Your Digital Fingerprint, Footprint, and Online Behavior:
    • Your Clues about your Real Life and OSINT:
    • Your Face, Voice, Biometrics and Pictures:
    • Phishing and Social Engineering:
  • Malware, exploits, and viruses:
    • Malware in your files/documents/e-mails:
    • Malware and Exploits in your apps and services:
    • Malicious USB devices:
    • Malware and backdoors in your Hardware Firmware and Operating System:
  • Your files, documents, pictures, and videos:
    • Properties and Metadata:
    • Watermarking:
    • Pixelized or Blurred Information:
  • Your Crypto currencies transactions:
  • Your Cloud backups/sync services:
  • Your Browser and Device Fingerprints:
  • Local Data Leaks and Forensics:
  • Bad Cryptography:
  • No logging but logging anyway policies:
  • Some Advanced targeted techniques:
  • Some bonus resources:
  • Notes:
• General Preparations:
  • Picking your route:
    • Timing limitations:
    • Budget/Material limitations:
    • Skills:
    • Adversaries (threats):
  • Steps for all routes:
    • Get an anonymous Phone number:
    • Get a USB key:
    • Find some safe places with decent public Wi-Fi:
  • The TAILS route:
    • Persistent Plausible Deniability using Whonix within TAILS:
  • Steps for all other routes:
    • Get a dedicated laptop for your sensitive activities:
    • Some laptop recommendations:
    • Bios/UEFI/Firmware Settings of your laptop:
    • Physically Tamper protect your laptop:
  • The Whonix route:
    • Picking your Host OS (the OS installed on your laptop):
    • Linux Host OS:
    • MacOS Host OS:
    • Windows Host OS:
    • Virtualbox on your Host OS:
    • Pick your connectivity method:
    • Get an anonymous VPN/Proxy:
    • Whonix:
    • Tor over VPN:
    • Whonix Virtual Machines:
    • Pick your guest workstation Virtual Machine:
    • Linux Virtual Machine (Whonix or Linux):
    • Windows 10 Virtual Machine:
    • Android Virtual Machine:
    • MacOS Virtual Machine:
    • KeepassXC:
    • VPN client installation (cash/Monero paid):
    • (Optional) allowing only the VMs to access the internet while cutting off the Host OS to prevent any leak:
    • Final step:
  • The Qubes Route:
    • Pick your connectivity method:
    • Get an anonymous VPN/Proxy:
    • Installation:
    • Lid Closure Behavior:
    • Connect to a Public Wi-Fi:
    • Update Qubes OS:
    • Hardening Qubes OS:
    • Setup the VPN ProxyVM:
    • Setup a safe Browser within Qube OS (optional but recommended):
    • Setup an Android VM:
    • KeePassXC:
• Creating your anonymous online identities:
  • Understanding the methods used to prevent anonymity and verify identity:
    • Captchas:
    • Phone verification:
    • E-Mail verification:
    • User details checking:
    • Proof of ID verification:
    • IP Filters:
    • Browser and Device Fingerprinting:
    • Human interaction:
    • User Moderation:
    • Behavioral Analysis:
    • Financial transactions:
    • Sign-in with some platform:
    • Live Face recognition and biometrics (again):
    • Manual reviews:
  • Getting Online:
    • Creating new identities:
    • The Real-Name System:
    • About paid services:
    • Overview:
    • How to share files or chat anonymously:
    • Redacting Documents/Pictures/Videos/Audio safely:
    • Communicating sensitive information to various known organizations:
    • Maintenance tasks:
• Backing-up your work securely:
  • Offline Backups:
    • Selected Files Backups:
    • Full Disk/System Backups:
  • Online Backups:
    • Files:
    • Information:
  • Synchronizing your files between devices Online:
• Covering your tracks:
  • Understanding HDD vs SSD:
    • Wear-Leveling.
    • Trim Operations:
    • Garbage Collection:
    • Conclusion:
  • How to securely wipe your whole Laptop/Drives if you want to erase everything:
    • Linux (all versions including Qubes OS):
    • Windows:
    • MacOS:
  • How to securely delete specific files/folders/data on your HDD/SSD and Thumb drives:
    • Windows:
    • Linux (non Qubes OS):
    • Linux (Qubes OS):
    • MacOS:
  • Some additional measures against forensics:
    • Removing Metadata from Files/Documents/Pictures:
    • TAILS:
    • Whonix:
    • MacOS:
    • Linux (Qubes OS):
    • Linux (non-Qubes):
    • Windows:
  • Removing some traces of your identities on search engines and various platforms:
    • Google:
    • Bing:
    • DuckDuckGo:
    • Yandex:
    • Qwant:
    • Yahoo Search:
    • Baidu:
    • Wikipedia:
    • Archive.today:
    • Internet Archive:
• Some low-tech old-school tricks:
  • Hidden communications in plain sight:
  • How to spot if someone has been searching your stuff:
• Some last OPSEC thoughts:
• If you think you got burned:
  • If you have some time:
  • If you have no time:
• A small final editorial note

 

[HEISENBERG]

Financial transactions:​

Simple and efficient, some platforms will require than you perform financial transaction to verify your account sometimes under the pretext of verifying your age. This could be a credit card verification or a very small amount bank wire. Some will accept a donation in a main crypto like Bitcoin or Ethereum.


While this might seem innocent, this is obviously an ID verification and de-anonymization method. This is just indirectly relying on third party financial KYC regulations.


This is for instance now the case on YouTube for some European Users but also used by services like Amazon that requires a valid payment method for creating an account.

 

[HEISENBERG]

Sign-in with some platform:​

Why do this user verification ourselves when we can just ask others to deal with it?


You will notice this and you probably already encountered this. Some apps/platforms will ask/require you to sign-in with a well-known and well-used reputable platform instead of their own system (Sign-in with Google/Facebook/Apple/Twitter).


This option is often presented as the “default one”, hiding away the “Sign-in with e-mail and password” with clever Dark Patterns and unfortunately sometimes required.


This method will delegate the verification process on those platforms instead assuming that you will not be able to create an anonymous Google/Facebook/Apple/Twitter account with ease.


Fortunately, it is still possible to this day do create those.

 

[HEISENBERG]

Live Face recognition and biometrics (again):​

This is a common method used on some Crypto trading platforms and some dating Apps.


Some platforms/apps will require you to take a live picture of yourself either doing something (a wink, holding an arm up …) or showing a custom piece of information (a hand written text, a passport or ID) within the picture. Sometimes the platform/app will require several pictures to increase their certainty.

This guide will not cover this one (yet) as it is mainly used on financial platforms (that will be able to identify you with other means anyway) and some dating apps like Tinder. Unfortunately, this method is now also sometimes being used on Facebook and Instagram as part of their verification methods (tho I did not face it yet so far).

In some cases, these verifications must be done from your Smartphone and with an “in-app” camera to prevent you from sending a previously saved (edited) image.


Recently even platforms such as PornHub decided to implement similar measures in the future.


This verification is very hard to defeat but possible. A method to possibly defeat those would be to use “deep fake” technology software such as the open-source FaceSwap https://github.com/deepfakes/faceswap [Archive.org] to generate the required verification pictures using a randomly computer-generated face that would be swapped over the picture of a complicit model (or a stock photo).


Unfortunately, some apps require direct access to a smartphone camera to process the verification. In that case we will need to find a way to do such “face swaps” on the fly using a filter and another way to feed this into the camera used by the app.

Manual reviews:​

These can be triggered by any of the above and just means someone (usually specialized employees) will review your profile manually and decide if it is real or not based on their subjective opinion.


Some countries have even developed hotlines where you can report any subversive content.


Pros: Usually that verdict is “final” and you will probably avoid further issues if you are good.


Cons: Usually that verdict is “final” and you will probably be banned without any appeal possibility if you are not good. Sometimes those reviews end up in the platform just ghosting you and cancel you without any reason whatsoever. Any appeal will be left unanswered, ignored, or will generate some random dark pattern bug when trying to appeal that specific identity (this happens on Instagram for instance where if your account gets “suspended” obviously by some manual review, trying to complete the appeal form will just throw an error and tell you to try again later (I have been trying this same appeal for that identity for the past 6 months at least).

 

[HEISENBERG]

Getting Online:​

Now that you have a basic understanding of all the ways you can be de-anonymized, tracked and verified. Let us get started at evading these while remaining anonymous. Remember:

• You cannot trust ISPs
• You cannot trust VPS providers
• You cannot trust public Wi-Fi providers
• You cannot trust Mobile Network providers
• You cannot trust VPN providers
• You cannot trust any Online Platform
• You cannot trust Tor
• You cannot trust your Operating systems (especially Android and Windows).
• You cannot trust your Laptop
• You cannot trust your Smartphone (especially Android).
• You cannot trust your Smart devices
• Above all, you cannot trust people.

So what? Well instead of not trusting anyone or anything, I would advise to “Trust but verify” (or alternatively “Never trust, always verify” if you are more hardcore about it and want to apply Zero-Trust Security) instead.


Do not start this process unless:

• You consulted your local law for compliance and the legality of your actions.
• You are aware of your threat model.
• You are in a safe place with a public Wi-Fi without your smartphone or any other smart device on you. And preferably in a place without CCTV filming you (remember Find some safe places with decent public Wi-Fi and Appendix Q: Using long range Antenna to connect to Public Wi-Fis from a safe distance)
• You are fully done and preparing one of the routes.
• Again, it is crucially important to understand that you will be unable to create most accounts without a valid phone number. Therefore, most of your anonymity on mainstream platforms depends on the anonymity of your online phone number and/or the burner phone with its pre-paid SIM card (if you use one). If your phone number is not anonymous or your burner phone can be traced back to you then you can be de-anonymized. If you cannot get this anonymous phone number and/or a physical SIM with a Burner phone, then you will have to restrict yourself to platforms not asking for phone number verification.

Remember see Appendix N: Warning about smartphones and smart devices

 

[HEISENBERG]

Creating new identities:​

This is the fun part where you will now create your identities from thin air. These identities do not exist but should be plausible and look “organic”. They should ideally have a story, a “legend” (yes this is the real term for this).


What is a legend? Well, it is a full back-story for your character:

• Age
• Sex
• Gender
• Ethnicity
• Place of Birth and date of Birth
• Place of residence
• Country of origin
• Visited Countries (for travels for instance)
• Interests and hobbies
• Education History
• Work experience
• Health information
• Religion if any
• Goals
• Family history
• Family composition if any (Children? Spouse? Husband?)
• Relationship Status if any (Married? Single?)
• Spoken Languages
• Personality traits (Introvert, Extrovert …)
• …

All these should be crafted carefully for every single identity and you should be very careful to stick to the details of each legend when using those identities. Nothing can leak that could lead to your real persona. Nothing could leak that could compromise the consistency of your legend. Everything should always be consistent.


Now is also the moment where you could finally consider getting an online phone number as explained in the Online Phone Number (less recommended) section.


I will help you bit by listing a few tips I learned while doing research over the years (disclaimer: this is based on my personal experiences alone):

• “Some animals are more equal than others”.
  
  • Ethnicity is important and you will have less issues and attract less attention to verification algorithms if your identity is Caucasian/East-Asian than if it is Arabic/Black (yes, I tested this extensively and it is definitely an issue).
  • Age is important and you will have less issues if you are young (18-22) than if you are middle-aged or older. Platforms seem to be more lenient in not imposing restrictions on new younger audiences.
  • Sex/Gender is important and you will have fewer issues if you are a female than if you are a male.
  • Country of origin is important and you will have fewer issues if your identity is Norwegian than if it is Ukrainian, Nigerian, or Mexican.
  • Country of residence is important and you will have fewer issues if your identity has its residence in Oslo or Paris than if you decide to reside in Kiev or Cairo.
  • Language is important and you will have fewer issues if you speak English or the language of your Identity than if you use a non-related language. Do not make a Norwegian born Arabic 20-year-old female that speaks Ukrainian or Arabic.
• Identities that are “EU residents” with an “EU IP” (VPN/Tor Exit IP) will benefit from GDPR protections on many platforms. Others will not. GDPR is your friend in most cases and you should take this into account.
• Similarly, origin IP geolocation (your IP/location when you go to “whatsmyipaddress.com”) should match your identity location as much as possible (You can pick this in the VPN client if you use the 3 layers approach or just create a new identity in Tor Browser or Brave Tor Tab until you get the appropriate Exit node, or alternatively configure Tor to restrict your Exit Nodes). You could exclude any exit IP that is not located in Western Europe/US/Canada/Japan/South Korea/Australia/New Zealand as you will have less issues. Ideally, you should get a European Union IP to get additional GDPR protection and if possible, a German exit IP due to their legal stance on using anonymous accounts on online platforms.
• Brave Browser (Chromium based) with a Private Tor Tab has (IMHO) a better acceptance level than Tor Browser (Firefox based). You will experience less issues with captchas and online platforms if you use Brave than if you use Tor Browser (feel free to try this yourself).
• Every identity you should have a matching profile picture associated to it. For this purpose, I recommend you just go to https://thispersondoesnotexist.com/ [Archive.org] and generate a computer-generated profile picture. You can also generate such pictures yourself from your computer if you prefer by using the open-source StyleGan project here https://github.com/NVlabs/stylegan2 [Archive.org]. Just refresh the page until you find a picture that matches your identity in all aspects (age, sex, and ethnicity) and save that picture. It would be even better to have several pictures associated to that identity but I do not have an “easy way” of doing that yet.
  
  • Bonus, you could also make it more real by using this service (with an anonymous identity) https://www.myheritage.com/deep-nostalgia [Archive.org] to make a picture more lifelike. Here is an example:
    
    • Original:

• Result (see Online because PDFs do not work well with embedded media):

https://anonymousplanet.org/media/after.gif

Slight issue tho: MyHeritrage.com bans Tor Exit nodes so you might have again to consider VPN over Tor for this.


You could also achieve the same result without using MyHeritage and by doing it yourself using for example https://github.com/AliaksandrSiarohin/first-order-model [Archive.org] but this will require more manual operations (and requires an NVIDIA GPU).


Note: If you make several pictures of the same identity using some of the tools mentioned above, be sure to compare the similarities using the Microsoft Azure Face Verification tool at https://azure.microsoft.com/en-us/services/cognitive-services/face/#demo.

• Create in advance and store in KeePassXC each identity details that should include some crafted details:
  
  • Date of Birth
  • Country of Birth
  • Nationality
  • Country of Residence
  • Address of Residence
  • Languages spoken
  • Occupation (Job Title, University…)
  • Various Interests (Art, Politics, Tech…)
  • Phone number (this is your pre-paid SIM card phone number on your Burner phone or your online number paid with Monero)
• Do not pick an occupation at a well-known private corporations/company as they have people in their HR departments monitoring activities in platforms such as LinkedIn and will report your profile as being fake if it does not match their database. Instead pick an occupation as a freelancer or at a very large public institution where you will face less scrutiny due to their decentralized nature.
• Keep track (write down) of the background stories of your Identities. You should always use the same dates and answers everywhere. Everything should always match up. Even the stories you tell about your imaginary life should always match. If you say you work as an intern at the Department of Health one day and later on another platform, say you work as an intern at the Department of Transportation, people might question your identity. Be consistent.
• Use a different phone number each identity. Online platforms do keep track of phone number usage and if one identity/number gets flagged for violating Community Guidelines or Terms of Services, it might also get the other identities using the same number flagged/banned as well.
• Adapt your language/writing to the identity to not raise suspicions and lower your chances of being fingerprinted by online platforms. Be especially careful with using pedantic words and figures of speech/quotes that could allow some people to guess your writing is very similar to that person with this Twitter handle or this Reddit user.
• Always use TOTP 2FA (not SMS to prevent Sim Swapping attacks and to keep your identity working when your pre-paid card expires) using KeePassXC when available to secure your logins to various platforms.
• Remember Appendix A2: Guidelines for passwords and passphrases.

Here is also a good guide on this specific topic: https://gendersec.tacticaltech.org/wiki/index.php/Complete_manual#.22Real.22_names [Archive.org]


Note: If you are having trouble finding an Exit node in the country of your choice you can force using specific countries for Exit Nodes (and therefore exit countries) on Tor by editing the torrc file on the Whonix Gateway or even the Tor Browser:

• Whonix/Tails: Create/Edit a file /usr/local/etc/torrc.d/50_user.conf.
• On Tor Browser: Edit the torrc file located at Browser/TorBrowser/Data/Tor.

Once you are in the file, you can do the following:

• Specify the Exit Nodes by adding those two lines (which will require an Exit Node in China/Russia/Ukraine:
  
  • ExitNodes {CH},{RU},{UA}
  • StrictNodes 1
• Exclude specific Exit Nodes by adding this line (which will exclude all Exit Nodes from France/Germany/USA/UK):
  
  • ExcludeNodes {FR},{DE},{US},{UK}

Always use uppercase letter for any setting.


Please note that this is restricting Onion Routing could limit your Anonymity if you are too restrictive. You can see a visualized list of available Exit Nodes here: https://www.bigdatacloud.com/insights/tor-exit-nodes [Archive.org]


Here is the list of possibilities (this is a general list and many of those countries might not have Exit nodes at all): https://web.archive.org/web/https://b3rn3d.herokuapp.com/blog/2014/03/05/tor-country-codes/

 

[HEISENBERG]

The Real-Name System:​

Unfortunately, not using your real identity is against the ToS (Terms of Services) of many services (especially those owned by Microsoft and Facebook). But don’t despair, as explained in the Requirements, it’s still legal in Germany where the courts have upheld up the legality of not using real names on online platforms (§13 VI of the German Telemedia Act of 2007). Fortunately, ToS cannot override laws (yet).


This does not mean that it is illegal in other places but that it might be a breach of their Terms of Services if you do not have the law on your side. Remember this guide only endorses this for German users residing in Germany.


On my side, I strongly condemn this type of real-name policy. See for instance this Wikipedia article giving some examples: https://en.wikipedia.org/wiki/Facebook_real-name_policy_controversy [Wikiless] [Archive.org]


Here are some more references about the German case for reference:

• https://slate.com/technology/2018/0...for-taking-on-facebooks-real-name-policy.html [Archive.org]
• https://www.theverge.com/2018/2/12/17005746/facebook-real-name-policy-illegal-german-court-rules [Archive.org]
• https://www.pcmag.com/news/german-court-rules-facebooks-real-name-policy-is-illegal [Archive.org]
• https://www.vzbv.de/sites/default/files/downloads/2018/02/14/18-02-12_vzbv_pm_facebook-urteil_en.pdf [Archive.org]
• https://www.pcmag.com/news/german-court-rules-facebooks-real-name-policy-is-illegal [Archive.org]
• https://www.reuters.com/article/us-...ok-use-of-personal-data-illegal-idUSKBN1FW1FI [Archive.org]

Alternatively, you could be an adult resident of any other country where you can validate and verify the legality of this yourself. Again, this is not legal advice and I am not a lawyer. Do this at your own risk.


Other countries where this was ruled illegal

• South Korea (see https://en.wikipedia.org/wiki/Real-name_system#South_Korea [Wikiless] [Archive.org])
• If you know any other, please let me know with references in the GitHub issues.

Some platforms are by-passing this requirement all-together by requiring a valid payment method instead (see Financial transactions:). While this does not directly require a real-name through their ToS, this has the same results as they usually only accept mainstream (not Monero/Cash) payment methods (such as Visa/MasterCard/Maestro or PayPal) which do require a real-name legally as part of their KYC213 regulations. The result is the same and arguably even better than a simple real-name policy you could ignore in some countries such as Germany.

 

[HEISENBERG]

About paid services:​

If you intend to use paid services, privilege those accepting cash payments or Monero payments which you can do directly and safely while keeping your anonymity.


If the service you intend to buy does not accept those but accepts Bitcoin (BTC), consider the following appendix: Appendix Z: Paying anonymously online with BTC.

Overview:​

This section will show you an overview of the current various requirements on some platforms.

• Consider using the recommended tools on https://privacytools.io/ [Archive.org] for your better privacy instead of the usual mainstream ones.
• Consider using the recommended tools on https://www.whonix.org/wiki/Documentation [Archive.org] as well instead of the usual mainstream ones such as E-mail providers: https://www.whonix.org/wiki/E-Mail#Anonymity_Friendly_Email_Provider_List [Archive.org]

The following overview does not mention the privacy practices of those platforms but only their requirements for registering an account. If you want to use privacy-aware tools and platforms, head on to https://privacytools.io/ [Archive.org]


Legend:

• “Unclear”: Unclear due to lack of information or confusing information.
• “Maybe”: It did happen in a minority of my tests.
• “Likely”: It did happen in most of my tests.
• “Yes” or “No”: This either happened or never happened systematically in all my tests.
• “Easy”: The overall experience was straightforward with little to no obstacles.
• “Medium”: The overall experience has some obstacles but it is still doable without too much hassle.
• “Hard”: The overall experience is a painful struggle with many obstacles.
• “N/A”: Not Applicable because it was not possible to test within the context of this guide
• “Indirectly”: This means they do require something but indirectly through a third-party system (Financial KYC for example).

Service	Against ToS	Requires Phone	Requires E-Mail	VPN Sign-up	Tor Sign-up	Captchas	ID or Financial Checks	Facial Checks	Manual Checks	Overall difficulty
Amazon	No	No	Yes	Yes	Yes	No	Yes*	No	Unclear	N/A
Apple	Yes*	Yes	Yes	Yes	Yes	No	No	No	No	Medium
Briar	No	No	No	Yes	Yes	No	No	No	No	Easy
Discord	No	No	Yes	Yes	Yes	Yes	No	No	No	Medium
Element	No	No	No	Yes	Yes	Yes	No	No	No	Easy
Facebook	Yes*	Yes	Yes	Maybe	Maybe	Yes	Maybe	Maybe	Maybe	Hard
GitHub	No	No	Yes	Yes	Yes	Yes	No	No	No	Easy
GitLab	No	No	Yes	Yes	Yes	Yes	No	No	No	Easy
Google	No	Likely	Likely	Yes	Yes	Yes	Maybe	No	Maybe	Medium
HackerNews	No	No	No	Yes	Yes	Yes	No	No	No	Easy
Instagram	Unclear	Likely	Yes	Yes	Yes	Yes	No	Maybe	Maybe	Medium
Jami	No	No	No	Yes	Yes	No	No	No	No	Easy
iVPN	No	No	No	Yes	Yes	No	No	No	No	Easy
LinkedIn	Yes*	Yes	Yes	Yes	Yes	Yes	Maybe	Maybe	Maybe	Hard
MailFence	No	No	Yes	Yes	Maybe	Yes	No	No	No	Medium
Medium	No	No	Yes	Yes	Yes	No	No	No	No	Easy
Microsoft	Yes*	Maybe	Maybe	Yes	Yes	Yes	No	No	No	Medium
Mullvad	No	No	No	Yes	Yes	No	No	No	No	Easy
Njalla	No	No	No	Yes	Yes	No	No	No	No	Easy
OnionShare	No	No	No	Yes	Yes	No	No	No	No	Easy
ProtonMail	No	Maybe	Likely	Yes	Yes	Yes	No	No	No	Medium
ProtonVPN	No	No	Yes	Yes	Yes	No	No	No	No	Medium
Reddit	No	No	No	Yes	Yes	No	No	No	No	Easy
Slashdot	Yes*	No	No	Yes	Yes	Yes	No	No	No	Medium
Telegram	No	Yes	No	Yes	Yes	No	No	No	No	Easy
Tutanota	No	No	No	Maybe	No	Yes	No	No	No	Hard
Twitch	No	No	Yes	Yes	Yes	Yes	No	No	No	Easy
Twitter	No	Likely	Yes	Yes	Yes	Yes	No	No	Maybe	Medium
WhatsApp	Yes*	Yes	No	Yes	Yes	No	No	No	No	Medium
4chan	No	No	No	No	No	Yes	No	No	No	Hard

• See The Real-Name System for important information.

Amazon:​

• Is this against their ToS? No but yes https://www.amazon.com/gp/help/customer/display.html?nodeId=202140280 [Archive.org]

“1. Amazon Services, Amazon Software


A. Use of Amazon Services on a Product. To use certain Amazon Services on a Product, you must have your own Amazon.com account, be logged in to your account on the Product, and have a valid payment method associated with your account. “


While it does not technically require a real-name. It does require a valid payment method. Unfortunately, it will not accept “cash” or “Monero” as a payment method. So instead, they are relying on financial KYC (where a real-name policy is pretty much enforced everywhere).

• Will they require a phone number? No
• Can you create accounts through Tor? Yes

Because of this valid payment method requirement, I could not test this. While this is seemingly not against their ToS, it is not possible within the context of this guide unless you manage to obtain a valid KYC payment method anonymously which AFAIK is pretty much impossible or extremely difficult.

Apple:​

• Is this against their ToS? Yes https://www.apple.com/legal/internet-services/icloud/en/terms.html [Archive.org]

“IV. Your Use of the Service


A. Your Account


In order to use the Service, you must enter your Apple ID and password to authenticate your Account. You agree to provide accurate and complete information when you register with, and as you use, the Service (“Service Registration Data”), and you agree to update your Service Registration Data to keep it accurate and complete”.

• Will they require a phone number? Yes
• Can you create accounts through Tor? Yes

Briar:​

• Is this against their ToS? No https://briarproject.org/privacy-policy/ [Archive.org]
• Will they require a phone number? No, they do not even require an e-mail
• Can you create accounts through Tor? Yes

Note that this app requires an Android emulator for all features. There is no stable desktop client yet. However, you can install a beta version (with some limited features) on Linux following this guide: https://code.briarproject.org/briar/briar-gtk

Discord:​

• Is this against their ToS? No https://discord.com/terms [Archive.org]
• Will they require a phone number? No but they do require an e-mail
• Can you create accounts through Tor? I had no issues with that so far using the Desktop Client

You might encounter more issues using the Web Client (Captchas). Especially with Tor Browser.


I suggest using the Discord Client app on a VM through Tor or ideally through VPN over Tor to mitigate such issues.


Steps after creating: Enable 2FA authentication with KeePassXC TOTP

Element:​

• Is this against their ToS? No https://element.io/terms-of-service [Archive.org]
• Will they require a phone number? No, they do not even require an e-mail
• Can you create accounts through Tor? Yes

Expect some Captchas during account creation.

Facebook:​

• Is this against their ToS? Yes https://www.facebook.com/terms.php [Archive.org]

“1. Who can use Facebook


When people stand behind their opinions and actions, our community is safer and more accountable. For this reason, you must:

• Use the same name that you use in everyday life.
• Provide accurate information about yourself.
• Will they require a phone number? Yes, and probably more later
• Can you create accounts through Tor? Yes, but it is very difficult and their onion address will not help. In most cases you’ll just have a random error at sign-up and your account suspended after sign-in.”

But this clause of their ToS is illegal in Germany (see Requirements).


Facebook is one of the most aggressive platforms in identity verification and is pushing hard their “real name policy”. It is why this guide is only advised to German residents.


Over my tests tho I was able to pinpoint a few tips:

• It will be easier if you have an Instagram account first.
• Signing-up through Tor is almost impossible and will only succeed if you are “lucky” (I assume if you are using an exit Node that is not yet known by Facebook verification systems). It will not allow registration at all and will just fail with “An error has occurred during registration”.
• Signing-up through VPNs is more likely to succeed but might still result in the same error. So, you must be ready for a lot of trial and errors here.
• My previous entry in the guide about the Orwellian quote from Animal Farm is in full effect on Facebook. You will experience huge variation in acceptance depending on age/sex/ethnicity/nationality/… This is where you will have far less issues if you are making an account of a Young European Caucasian Female. You will almost certainly fail if you try making a Middle-Aged Male where my other accounts are still unsuspended/unbanned to this day.
• Logging-in (after you sign-up) however works fine with VPN and Tor but might still get your account suspended for violating Community Guidelines or Terms of Services (despite you not using the account at all for anything else than signing-up/logging-in).

I also suspect strongly based on my test that the following points have an impact on your likelihood of being suspended over time:

• Not having friends
• Not having interests and an “organic activity”
• Not being in the contacts of any other user
• Not being on other platforms (such as Instagram/WhatsApp)
• Restricting your profile privacy settings too soon after signing-up

If your account gets suspended, you will need to appeal the decision through a very simple form that will require you to submit a “proof of ID”. However, that proof of ID verification system is more lenient than LinkedIn and will allow you send various documents which require far less Photoshop skills.


It is also possible that they ask you to take a selfie video or picture making certain gestures to prove your identity. If that is the case, I am afraid it is a dead end for now.


If you do file an appeal, you will have to wait for Facebook to review it (I do not know if this is automatic or human) and you will have to wait and hope for them to unsuspend your account.

GitHub:​

• Is this against their ToS? No https://docs.github.com/en/free-pro-team@latest/github/site-policy/github-terms-of-service [Archive.org]
• Will they require a phone number? Nope, all good
• Can you create accounts through Tor? Yes, but expect some captchas

GitHub is straightforward and requires no phone number.


Just Sign-up with e-mail and password and enable two-factor authentication (TOTP in KeePassXC). By default, your e-mail will be private.


Be sure to go into Settings > E-Mail and make your e-mail private as well as block any push that would reveal your e-mail.

GitLab:​

• Is this against their ToS? No https://about.gitlab.com/handbook/legal/subscription-agreement/ [Archive.org]
• Will they require a phone number? Nope, all good
• Can you create accounts through Tor? Yes, but expect captchas

GitLab is straightforward and requires no phone number.


Just Sign-up with e-mail and password and enable two-factor authentication (TOTP in KeePassXC). By default, your e-mail will be private.

Google:​

• Is this against their ToS? No https://policies.google.com/terms [Archive.org]
• Will they require a phone number? Yes, they will. There is no escape here.
• Can you create accounts through Tor? Yes, but expect some captchas and your phone number will be required

ProtonMail is good … but to appear less suspicious, it is just better to also have a mainstream Google Mail account.


As ProtonMail, Google will also most likely require a phone number during sign-up as part of their verification process. However contrary to ProtonMail, Google will store that phone number during the sign-up process and will also limit the number of accounts that can be created during the sign-up.


From my experience during my research, this count is limited to 3 accounts / phone number. If you are unlucky with your number (if it was previously used by another mobile user), it might be less.


You should therefore use again your online phone number OR your burner phone and pre-paid SIM card to create the account. Do not forget to use the identity details you made up earlier (birthdate). When the account is created, please do take some time to do the following:

• Log into Google Mail and Go into the Gmail Settings > Go into the mail Forwarding options > Set up a mail forwarding to your ProtonMail Address > Verify (using ProtonMail) > Go back to Gmail and set the forwarding to forward and delete Google copy > Save. This step will allow you to check your Google Mail using ProtonMail instead and will allow you to avoid triggering Google Security checks by Logging in from various VPN/Tor exit IP addresses in the future while storing your sensitive e-mail at ProtonMail instead.
• Enable 2FA within the Google account settings. First, you will have to enable 2FA using the phone number. Then you will see the option appear to enable 2FA using an Authenticator app. Use that option and set it up with a new KeePassXC TOTP entry. When it is done, remove the phone 2FA from the Google account. This will prevent someone from using that phone number in the future (when you do not have it anymore) to recover/gain access to that account.
• Add ProtonMail as a recovery e-mail address for the account.
• Remove the phone number from the account details as a recovery option.
• Upload a Google profile picture you made earlier during the identity creation step.
• Review the Google Privacy settings to disable as much as you can:
  
  • Activity logging
  • YouTube
• Log out and do not touch it unless needed (as mentioned, you will use ProtonMail to check your Gmail).

Keep in mind that there are different algorithms in place to check for weird activity. If you receive any mail (on ProtonMail) prompting about a Google Security Warning. Click it and click the button to say “Yes it was me”. It helps.


Do not use that account for “sign-up with Google” anywhere unless necessary.


Be extremely careful if you decide to use the account for Google activities (such as Google Maps reviews or YouTube Comments) as those can easily trigger some checks (Negative reviews, Comments breaking Community Guidelines on YouTube).


If your account gets suspended (this can happen on sign-up, after signing-up or after using it in some Google services), you can still get it unsuspended by submitting an appeal/verification (which will again require your Phone number and possibly an e-mail contact with Google support with the reason). Suspension of the account does not disable the e-mail forwarding but suspended account will be deleted after a while.


After suspension, if your Google account is restored, you should be fine.


If your account gets banned, you will have no appeal and the forwarding will be disabled. Your phone number will be flagged and you will not be able to use it to sign-up on a different account. Be careful when using those to avoid losing them. They are precious.


It is also possible that Google will require an ID check through indirect financial KYC or ID picture check if you attempt to access/publish mature content on their platform.

HackerNews:​

• Is this against their ToS? No https://www.ycombinator.com/legal/#tou [Archive.org]
• Will they require a phone number? No, they do not even require an e-mail
• Can you create accounts through Tor? Yes

 

[HEISENBERG]

Instagram:​

• Is this against their ToS? Maybe? I am not sure https://help.instagram.com/581066165581870?ref=dp [Archive.org]

“You can’t impersonate others or provide inaccurate information. You do not have to disclose your identity on Instagram, but you must provide us with accurate and up to date information (including registration information). Also, you may not impersonate someone you are not, and you can’t create an account for someone else unless you have their express permission”.


This one is a bit of an Oxymoron do not you think? So, I am not sure if it is allowed or not.

• Will they require a phone number? Maybe but less likely over VPN and very likely over Tor
• Can you create accounts through Tor? Yes, but expect some captchas and your phone number will be required

It is also possible that they ask you to take a selfie video or picture making certain gestures to prove your identity (within the app or through an e-mail request). If that is the case, I am afraid it is a dead end for now.


It is no secret that Instagram is part of Facebook however it is more lenient than Facebook when it comes to user verification. It is quite unlikely you will get suspended or banned after signing-up. But it could help.


For instance, I noticed that you will have less issues creating a Facebook account if you already have a valid Instagram account. You should always create an Instagram account before attempting Facebook.


Unfortunately, there are some limitations when using the web version of Instagram. For instance, you will not be able to enable Authenticator 2FA from the web for a reason I do not understand.


After sign-up, do the following:

• Upload a picture of your generated identity if you want.
• Go into your Settings
• Make the account private (initially at least)
• Do not show activity status
• Do not allow sharing

Jami:​

• Is this against their ToS? No https://jami.net/privacy-policy/ [Archive.org]
• Will they require a phone number? No, they do not even require an e-mail
• Can you create accounts through Tor? Yes

iVPN:​

• Is this against their ToS? No https://www.ivpn.net/tos/ [Archive.org]
• Will they require a phone number? No, they do not even require an e-mail
• Can you create accounts through Tor? Yes

LinkedIn:​

• Is this against their ToS? Yes https://www.linkedin.com/legal/user-agreement [Archive.org]

“To use the Services, you agree that: (1) you must be the “Minimum Age” (described below) or older; (2) you will only have one LinkedIn account, which must be in your real name; and (3) you are not already restricted by LinkedIn from using the Services. Creating an account with false information is a violation of our terms, including accounts registered on behalf of others or persons under the age of 16. “


But this clause of their ToS is illegal in Germany (see Requirements).

• Will they require a phone number? Yes, they will.
• Can you create accounts through Tor? Yes, but expect some captchas and your phone number will be required

LinkedIn is far less aggressive than twitter but will nonetheless require a valid e-mail (preferably again your Gmail) and a phone number in most cases (tho not always).


LinkedIn however is relying a lot on reports and user/customer moderation. You should not create a profile with an occupation inside a private corporation or a small startup company. The company employees are monitoring LinkedIn activity and receive notifications when new people join. They can then report your profile as fake and your profile will then be suspended or banned pending appeal.


LinkedIn will then require you go through a verification process that will unfortunately require you to send an ID proof (identity card, passport, driver license). This ID verification is processed by a company called Jumio that specializes in ID proofing. This is most likely a dead end as this would force you to develop some strong Photoshop skills.


Instead, you are far less likely to be reported if you just stay vague (say you are a student/intern/freelance) or pretend you work for a large public institution that is too large for anyone to care of check.


As with Twitter and google, you should do the following after signing-up:

• Disable ads
• Disable notifications
• Disable lookup by phone/e-mail
• Upload a picture of your identity

MailFence:​

• Is this against their ToS? No
• Will they require a phone number? No but they require an e-mail
• Can you create accounts through Tor? Maybe. From my tests, the signing-up verification e-mails are not sent when using Tor to sign-up.

Medium:​

• Is this against their ToS? No unless it is about crypto https://policy.medium.com/medium-terms-of-service-9db0094a1e0f [Archive.org]
• Will they require a phone number? No but they require an e-mail
• Can you create accounts through Tor? I had no issues with that so far

Signing-in does require an e-mail every time.

Microsoft:​

• Is this against their ToS? Yes https://www.microsoft.com/en/servicesagreement/ [Archive.org]

“i. Creating an Account. You can create a Microsoft account by signing up online. You agree not to use any false, inaccurate or misleading information when signing up for your Microsoft account”.


But this clause of their ToS is illegal in Germany (see Requirements).

• Will they require a phone number? Likely but not always. Depending on your luck with you Tor exit node, it is possible that they will only require e-mail verification. If you use a VPN over Tor, they will likely only ask an e-mail.
• Can you create accounts through Tor? Yes, you can but expect captchas, at least e-mail verification, and likely phone verification.

So yes, it is still possible to create an MS account without a phone number and using Tor or VPN but you might have cycle through a few exit nodes to achieve this.


After signing-up you should setup 2FA authentication within security and using KeePassXC TOTP.

Mullvad:​

• Is this against their ToS? No https://mullvad.net/en/help/terms-service/ [Archive.org]
• Will they require a phone number? No, they do not even require an e-mail.
• Can you create accounts through Tor? Yes.

Njalla:​

• Is this against their ToS? No https://njal.la/tos/ [Archive.org]
• Will they require a phone number? No but they do require an e-mail or an XMPP (Jabber) account somewhere.
• Can you create accounts through Tor? Yes, they even have an “.onion” address at http://njallalafimoej5i4eg7vlnqjvmb6zhdh27qxcatdn647jtwwwui3nad.onion/

OnionShare:​

• Is this against their ToS? No, they do not even have Terms of Services
• Will they require a phone number? No, they do not even require an e-mail
• Can you create accounts through Tor? Yes (obviously)

ProtonMail:​

• Is this against their ToS? No https://ProtonMail.com/terms-and-conditions [Archive.org]
• Will they require a phone number? Maybe. This depends on the IP you are coming from. If you come from Tor, it is likely. From a VPN, it is less likely.
• Can you create accounts through Tor? Yes, but very likely that a phone number will be required when only an e-mail will be over a VPN. They even have an “.onion” address at https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion/.

You obviously need an e-mail for your online identity and disposable e-mails are pretty much banned everywhere.


ProtonMail is a free e-mail provider based in Switzerland that advocates security and privacy.


They are recommended by privacytools.io. Their only apparent issue is that they do require (in most cases) a phone number or another e-mail address for registration (when you try to register from a VPN or Tor at least).


They claim they do not store/link the phone/e-mail associated with the registration but only store a hash that is not linked to the account. If their claim is true and the hash is not linked to your account, and that you followed my guide regarding the phone number, you should be reasonably safe from tracking.


Create this e-mail account first using the phone as verification if necessary.


When you are done creating the account, please go into the settings and enable 2FA (Two Factor Authentication). You will use KeePassXC TOTP feature (create a new entry “Identity ProtonMail TOTP” and just use the TOTP menu to set it up). Save the rescue codes within your KeePassXC entry.


This e-mail account will be used in the next step for creating a Google/Gmail account.

ProtonVPN:​

• Is this against their ToS? No https://protonvpn.com/terms-and-conditions [Archive.org]
• Will they require a phone number? No but they do require an e-mail.
• Can you create accounts through Tor? Yes

Reddit:​

• Is this against their ToS? No https://www.redditinc.com/policies [Archive.org]
• Will they require a phone number? No, they will not.
• Can you create accounts through Tor? Yes

Reddit is simple. All you need to register is a valid username and a password. Normally they do not even require an e-mail (you can skip the e-mail when registering leaving it blank).


You should still enable 2FA in the settings after signing-up. I had no issues whatsoever signing-up over Tor or VPN besides the occasional Captchas.

Slashdot:​

• Is this against their ToS? Yes https://slashdotmedia.com/terms-of-use/ [Archive.org]

”

1. Registration; Use of Secure Areas and Passwords

Some areas of the Sites may require you to register with us. When and if you register, you agree to (a) provide accurate, current, and complete information about yourself as prompted by our registration form (including your e-mail address) and (b) to maintain and update your information (including your e-mail address) to keep it accurate, current, and complete. You acknowledge that should any information provided by you be found to be untrue, inaccurate, not current, or incomplete, we reserve the right to terminate this Agreement with you and your current or future use of the Sites (or any portion thereof)”.

• Will they require a phone number? No
• Can you create accounts through Tor? Yes

Telegram:​

• Is this against their ToS? No https://telegram.org/tos [Archive.org]
• Will they require a phone number? Yes unfortunately
• Can you create accounts through Tor? Yes, but sometimes you randomly get banned without any reason

Telegram is quite straightforward and you can download their portable Windows app to sign-up and login.


It will require a phone number (that can only be used once) and nothing else.


In most cases I had no issues whether it was over Tor or VPN but I had a few cases where my telegram account was just banned for violating terms of services (not sure which one?). This again despite not using them for anything.


They provide an appeal process through e-mail but I had no success with getting any answer.


Their appeal process is just sending an e-mail to [email protected] [Archive.org] stating your phone number and issue and hope they answer.


After signing-up you should do the following:

• Go into Edit profile
• Set a Username
• Go into Settings (Desktop App)
• Set the Phone Number visibility to Nobody
• Set Last Seen & Online to Nobody
• Set Forwarded Messages to Nobody
• Set Profile photos to Contacts
• Set Calls to Contacts
• Set Group & Channels to Contacts

Tutanota:​

• Is this against their ToS? No https://tutanota.com/terms/ [Archive.org]
• Will they require a phone number? No but they do require an e-mail.
• Can you create accounts through Tor? Not really, almost all Tor Exit nodes are banned AFAIK

Twitter:​

• Is this against their ToS? No https://twitter.com/en/tos
• Will they require a phone number? They might not at sign-up but they will just after sign-up or later.
• Can you create accounts through Tor? Yes, but expect some captchas and your phone number will be required after a while.

Twitter is extremely aggressive in preventing anonymity on their network. You should sign-up using e-mail and password (not phone) and not using “Sign-in with Google”. Use your Gmail as the e-mail address.


More than likely, your account will be suspended immediately during the sign-up process and will require you to complete a series of automated tests to unlock. This will include a series of captchas, confirmation of your e-mail and twitter handle or other information. In some cases, it will also require your phone number.


In some cases, despite you selecting a text verification, Twitter verification system will call the phone no matter what. In that case you will have to pick up and hear the verification code. I suspect this is another method of preventing automated systems and malicious users from selling text receiving services over the internet.


Twitter will store all this information and link it to your account including your IP, e-mail, and phone number. You will not be able that phone number to create a different account.


Once the account is restored, you should take some time to do the following:

• Upload the identity profile picture.
• Enable 2FA from the security settings using a new KeePassXC TOTP entry, save the security codes in KeePassXC as well.
• Disable Photo tagging
• Disable E-mail lookup
• Disable Phone lookup
• Disable all personalized advertising settings
• Disable geolocation of tweets
• Remove the phone number from the account
• Follow some people based
• Log out and leave it be.

After about a week, you should check the twitter again and the chances are quite high that it will be suspended again for “suspicious activity” or “violating community guidelines” despite you not using it at all (not even a single tweet/follow/like/retweet or DM) but this time by another system. I call this the “Double tap”.


This time you will need to submit an appeal using a form, provide a good reason and wait for the appeal to be processed by Twitter. During that process, it is possible that you will receive an e-mail (on ProtonMail) asking you to reply to a customer service ticket to prove that you do have access to your e-mail and that it is you. This will be directed toward your Gmail address but will arrive on your ProtonMail.


Obviously do not reply from ProtonMail as this will raise suspicions, you must sign-in into Gmail (unfortunately) and compose a new mail from there copy pasting the E-Mail, Subject and Content from ProtonMail. As well as a reply confirming you have access to that e-mail.


After a few days, your account should get unsuspended “for good”. I had no issues after that but keep in mind they can still ban your account for any reason if you violate the community guidelines. The phone number and e-mail will then be flagged and you will have no other option but to get a new identity with a new number to sign-up again. Do not use this account for trolling.

Twitch:​

• Is this against their ToS? No https://www.twitch.tv/p/en/legal/terms-of-service/ [Archive.org]
• Will they require a phone number? No but they do require an e-mail.
• Can you create accounts through Tor? Yes

Note that you will not be able to enable 2FA on Twitch using only e-mail. This feature requires a phone number to enable.

WhatsApp:​

• Is this against their ToS? Yes https://www.whatsapp.com/legal/updates/terms-of-service-eea [Archive.org]

“Registration. You must register for our Services using accurate information, provide your current mobile phone number, and, if you change it, update your mobile phone number using our in-app change number feature. You agree to receive text messages and phone calls (from us or our third-party providers) with codes to register for our Services”.

• Will they require a phone number? Yes, obviously they do.
• Can you create accounts through Tor? I had no issues with that so far.

4chan:​

• Is this against their ToS? No
• Will they require a phone number? No, they will not.
• Can you post there with Tor or VPN? Not likely.

4chan is 4chan … This guide will not explain 4chan to you. They block Tor exit nodes and known VPN IP ranges.


You are going to have to find a different way to post there using at least seven proxies that are not known by 4chan blocking system (hint: Anonymous VPS using Monero is probably your best option).

Crypto Wallets:​

Use any crypto wallet app within the Windows Virtual Machine. But be careful not to transfer anything toward an Exchange or a known Wallet. Crypto is in most case NOT anonymous and can be traced back to you when you buy/sell any (remember the Your Crypto currencies transactions section).


If you really want to use Crypto, use Monero which is the only one with reasonable privacy/anonymity.


Ideally, you should find a way to buy/sell crypto with cash from an unknown person.

What about those mobile only apps (WhatsApp/Signal)?​

There are only three ways of securely using those anonymously (that I would recommend). Using a VPN on your phone is not among those ways. All of those are unfortunately “tedious” to say the least.

• Use an Android Emulator within the Windows VM and run the App through your multi-layer of Tor/VPN. Drawback is that such emulators are usually quite resource hungry and will slow down your VM and use more battery. Here is also an (outdated) guide on this matter: https://www.bellingcat.com/resource...ating-android-open-source-research-device-pc/ [Archive.org]. As for myself I will recommend the use of x86 Android on Virtualbox (see https://www.android-x86.org/documentation/virtualbox.html [Archive.org]) that you can also set-up easily.
• Use a non-official app (such as Wassapp for WhatsApp) to connect from the Windows VM to the app. But at your own risk as you could get banned for violating the terms of services by using a non-official App.
• (Not recommended and most complicated) Have a burner Smartphone that you will connect to the VM layered network through Tethering/Sharing of the connection through Wi-Fi. I will not detail this here but it is an option if you really want to.

There is no way to reliably set this multi-layered connectivity approach easily on an Android phone (it is not even possible on IOS as far as I know). By reliable I mean being sure that the smartphone will not leak anything such as geolocation or anything else from booting up to shutting down.

Anything else:​

You should use the same logic and security for any other platform that with these mentioned in this guide.


It should work in most cases with most platforms. The hardest platform to use with full anonymity is Facebook.


This will obviously not work with banks and most financial platforms (such as PayPal or Crypto Exchanges) requiring actual real official and existing identification. This guide will not help you there as this would be illegal in most places.

 

[HEISENBERG]

How to share files or chat anonymously:​

There are plenty of messaging apps everywhere. Some have excellent UI and UX and terrible Security/Privacy. Some have excellent Security/Privacy but terrible UI and UX. It is not easy to pick the ones that you should use for sensitive activities. So, this section will help you do that.


Before going further, there are also some key basic concepts you need to understand:

End-to-end Encryption:​

End-to-end Encryption (aka e2ee) is a rather simple concept. It just means only you and your destination know each-others public encryption keys and no one in between that would be eavesdropping would be able to decrypt the communication.


However, the term is often used differently depending on the provider:

• Some providers will claim e2ee but forget to mention what is covered by their protocols. For instance, is metadata also protected within their e2ee protocol? Or is just the content of the messages?
• Some providers do provide e2ee but only as an opt-in option (disabled by default).
• Some providers do offer e2ee with 1 to 1 messaging but not with group messaging.
• Some providers will claim the use of e2ee but their proprietary apps are closed-source where no one can actually verify the claim and the strength of the encryption used.

For these reasons, it is always important to check the claims of various apps. Open-Source apps should always be preferred to verify what kind of encryption they are using and if their claims are true. If not open-source, such apps should have an openly available independent (made by a reputable third party) report validating their claims.

Roll your own crypto:​

See the Bad Cryptography section at the start of this guide.


Always be cautious of apps rolling their own crypto until it has been reviewed by many in the crypto community (or even better published and peer reviewed academically). Again, this is harder to verify with closed-source proprietary apps.


It is not that rolling your own crypto is bad in essence, it is that good cryptography needs real peer reviewing, auditing, testing… And since you are probably not a cryptanalyst (and obviously I am not one either), chances are high we are not competent to assess the cryptography of some app.

Forward Secrecy:​

Forward Secrecy363 (FS aka PFS for Perfect Forward Secrecy) is a property of the key agreement protocol of some of those messaging apps and is a companion feature of e2ee. This happens before you establish communication with the destination. The “Forward” refers to the future in time and means that every time you establish a new e2ee communication, a new set of keys will be generated for that specific session. The goal of forward secrecy is to maintain secrecy of past communications (sessions) even if the current one is compromised. If an adversary manages to get hold of your current e2ee keys, that adversary will then be limited to the content of the single session and will not be able to easily decrypt past ones.


This has some user experience drawbacks like for instance a new device could not be able to conveniently access the remotely stored chat history without additional steps.


So, in short, Forward Secrecy protects past sessions against future compromises of keys or passwords.


More on this topic on this YouTube video:

[Invidious]


Some providers and apps claiming to offer e2ee do not offer FS/PFS sometimes for usability reasons (group messaging for instance is more complex with PFS). It is therefore important to prefer open-source apps providing forward secrecy to those that do not.

Zero-Access Encryption at rest:​

Zero-Access Encryption at rest is used when you store data at some provider (let us say your chat history or chat backups) but this history or backup is encrypted on your side and cannot be read or decrypted by the provider hosting it.


Zero-Access encryption is an added feature/companion to e2ee but is applied mainly to data at rest and not communications.


Examples of this issue would be iMessage and WhatsApp, see the Your Cloud backups/sync services at the start of this guide.


So again, it is best to prefer Apps/Providers that do offer Zero-Access Encryption at rest and cannot read/access any of your data/metadata even at rest and not only limited to communications.


Such feature would have prevented important hacks such as the Cambridge Analytica scandal if it was implemented.

Metadata Protection:​

Remember the Your Metadata including your Geo-Location section. End-to-end Encryption is one thing but it does not necessarily protect your metadata.


For Instance, WhatsApp might not know what you are saying but they might know who you are talking to, how long and when you have been talking to someone, who else is in groups with you, and if you transferred data with them (such as large files).


End-to-end Encryption does not in itself protect an eavesdropper from harvesting your metadata.


This data can also be protected/obfuscated by some protocols to make metadata harvesting substantially harder for eavesdroppers. This is the case for instance with the Signal Protocol which does offer some added protection with features like:

• The Sealed Sender option.
• The Private Contact Discovery.
• The Private Group System.

Other Apps like Briar or OnionShare will protect metadata by using the Tor Network as a shield and storing everything locally on-device. Nothing is stored remotely and all communications are either direct using proximity wi-fi/Bluetooth or remotely through the Tor network.


Most apps however and especially closed-source proprietary commercial apps will collect and retain your metadata for various purposes. And such metadata alone is enough to figure out a lot of things about your communications.


Again, it is important to prefer open-source apps with privacy in mind and various methods in place to protect not only the content of communications but all the associated metadata.

Open-Source:​

Finally, Open-Source apps should always be preferred because they allow third parties to check actual capabilities and weaknesses vs claims of marketing departments. Open-Source does not mean the app should be free or non-commercial. It just means transparency.

Comparison:​

Below you will find a small table showing the state of messaging apps as of the writing of this guide based on my tests and data from the various sources below:

• Wikipedia, https://en.wikipedia.org/wiki/Comparison_of_instant_messaging_protocols [Wikiless] [Archive.org]
• Wikipedia, https://en.wikipedia.org/wiki/Comparison_of_cross-platform_instant_messaging_clients [Wikiless] [Archive.org]
• Secure Messaging Apps https://www.securemessagingapps.com/ [Archive.org]
• ProtonMail Blog, https://protonmail.com/blog/whatsapp-alternatives/ [Archive.org]
• Whonix Documentation, Instant Messenger Chat https://www.whonix.org/wiki/Chat [Archive.org]

App0	e2ee1	Roll Your Own Crypto	Perfect Forward Secrecy	Zero-Access Encryption at-rest5	Metadata Protection (obfuscation, encryption…)	Open-Source	Default Privacy Settings	Native Anonymous Sign-up (no e-mail or phone)	Possible through Tor	Privacy and Security Track Record ***	De-centralized
Briar (preferred)	Yes	No 1	Yes	Yes	Yes (strong)	Yes	Medium (disable wi-fi and Bluetooth)	Yes	Natively2 (Disable wi-fi and BT) or Virtualization	Good	Yes (peer to peer)
Discord (avoid)	No	Closed-source6	No	No	No	No	Bad	E-Mail Required	Virtualization	Bad	No
Element / Matrix.org (preferred)	Yes (opt-in)	No	Yes	Yes	Poor2	Yes	Good	Yes	Via Proxy2 or Virtualization	Good	Partial (federated servers)
Facebook Messenger (avoid)	Partial (Only 1to1 / opt-in)	Closed-source6	Yes	No	No	No	Bad	E-Mail and Phone required	Virtualization	Bad	No
OnionShare (preferred)	Yes	No	TBD7	TBD7	Yes (strong)	Yes	Good	Yes	Natively	Good	Yes (peer to peer)
Apple Messages (aka iMessage)	Yes	Closed-source6	No	Partial	No	No	Good	Apple device Required	Maybe Virtualization using real Apple device ID	Bad	No
IRC		No	No	No	No	Yes	Bad	Yes	Via Proxy2 or Virtualization	Good	No
Jami (preferred)	Yes	No3	Yes	Yes	Partial	Yes	Good	Yes	Virtualization and only text8	Good	Partial
KakaoTalk (avoid)	Yes	Closed-source6	No4	No	No	No	Bad	No (but possible)	Virtualization	Bad	No
Keybase	Yes	No	Partial (exploding message)	No	No	Yes	Good	E-Mail Required			No
Kik (avoid)	No	Closed-source6	No	No	No	No	Bad	No (but possible)	Virtualization	Bad	No
Line (avoid)	Partial (opt-in)	Closed-source6	No	No	No	No	Bad	No (but possible)	Virtualization	Bad	No
Pidgin with OTR (avoid)	Yes (OTR5)	No	Yes	No	No	Yes	Bad	Yes	Via Proxy2 or Virtualization	Bad6	No
qTox	Yes	No	No	No	No	Yes	Good	Yes	Via Proxy2 or Virtualization	Medium7	Yes
Session	Yes	No	No	Yes	Yes	Yes	Good	Yes	Natively	Good	Yes
Signal	Yes	No	Yes	Yes	Yes (moderate)	Yes	Good	Phone Required	Virtualization	Good	No
Skype (avoid)	Partial (Only 1to1 / opt-in)	Closed-source6	No	No	No	No	Bad	No (but possible)	Virtualization	Bad	No
SnapChat (avoid)	No	Closed-source6	No	No	No	No	Bad	No (but possible)	Virtualization	Bad	No
Teams (avoid)	Yes	Closed-source6	No	No	No	No	Bad	No (but possible)	Virtualization	Bad	No
Telegram	Partial (Only 1to1 / opt-in)	Yes (MTProto8)	Partial (secret chats only)	Yes	No	Partial4	Medium (e2ee off by default)	Phone Required	Via Proxy2 or Virtualization	Medium9	No
Viber (avoid)	Partial (Only 1to1)	Closed-source6	Yes	No	No	No	Bad	No (but possible)	Virtualization	Bad	No
WeChat (avoid)	No	Closed-source6	No	No	No	No	Bad	No	Virtualization	Bad	No
WhatsApp (avoid)	Yes	Closed-source6	Yes	No	No	No	Bad	Phone Required	Virtualization	Bad	No
Wickr Me	Partial (Only 1to1)	No	Yes	No	Yes (moderate)	No	Good	Yes	Virtualization	Good	No
Gajim (XMPP) (preferred)	Partial (Only 1to1)	No	Yes	No	No	Yes	Good	Yes	Via Proxy2 or Virtualization	Good	Partial
Zoom (avoid10)	Disputed11	No	TBD7	No	No	No	Bad	E-Mail Required	Virtualization	Bad12	No

1. Briar Documentation, Bramble Transport Protocol version 4 https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md [Archive.org]↩︎
2. Serpentsec, Matrix https://serpentsec.1337.cx/matrix [Archive.org]↩︎
3. Wikipedia, GnuTLS, https://en.wikipedia.org/wiki/GnuTLS [Wikiless] [Archive.org]↩︎
4. KTH ROYAL INSTITUTE OF TECHNOLOGYSCHOOL OF ELECTRICAL ENGINEERING, A Security and Privacy Audit of KakaoTalk’s End-to-End Encryption www.diva-portal.org/smash/get/diva2:1046438/FULLTEXT01.pdf [Archive.org]↩︎
5. Wikipedia, OTR https://en.wikipedia.org/wiki/Off-the-Record_Messaging [Wikiless] [Archive.org]↩︎
6. Pidgin Security Advisories, https://www.pidgin.im/about/security/advisories/ [Archive.org]↩︎
7. Whonix Forum, Tox Integration https://forums.whonix.org/t/tox-qtox-whonix-integration/1219 [Archive.org]↩︎
8. Telegram Documentation, MTProto Mobile Protocol https://core.telegram.org/mtproto [Archive.org]↩︎
9. Wikipedia, Telegram Security Breaches, https://en.wikipedia.org/wiki/Telegram_(software)#Security_breaches [Wikiless] [Archive.org]↩︎
10. TechCrunch, Maybe we shouldn’t use Zoom after all, https://techcrunch.com/2020/03/31/zoom-at-your-own-risk/ [Archive.org]↩︎
11. The Incercept, Zoom Meetings Aren’t End-to-End Encrypted, Despite Misleading Marketing https://theintercept.com/2020/03/31/zoom-meeting-encryption/ [Tor Mirror] [Archive.org]↩︎
12. Serpentsec, Secure Messaging: Choosing a chat app https://serpentsec.1337.cx/secure-messaging-choosing-a-chat-app [Archive.org]↩︎

Legend:

• 0, the mention “preferred” or “avoid” refers to the use of those apps for sensitive communications in my opinion. This is just my opinion and you can make your own using the resources above and others. Remember “Trust but verify”.
• 1, e2ee = end to end encryption
• 2, Additional steps might be needed for securing Tor Connectivity
• 3, Their ability and willingness to fight for privacy and not cooperate with various adversaries
• 4, Only the client apps are open-source, not the server-side apps
• 5, This means the data is fully encrypted at rest (and not only during transit) and unreadable by any third party without a key you only know (including backups)
• 6, Unverifiable because it is proprietary closed-source.
• 7, To Be Determined, unknown at the time of this writing
• 8, Jami Media Protocol needs UDP at this time which is not supported by Tor (supports only TCP)

Some apps like Threema and Wire were excluded from this comparison due to not being free and not accepting anonymous cash methods such as Cash/Monero.

Conclusion:​

I will recommend these options in that order (as also recommend by privacytools.io except for Session):

• Native Tor Onion Routing Support (preferred):
  
  • Briar (https://briarproject.org/ [Archive.org])* (Android/Linux only)
  • OnionShare version >2.3 (https://onionshare.org/ [Tor Mirror] [Archive.org])* (Desktop multiplatform only)
• Non-Native Tor Support (needs additional steps for ideal anonymity):
  
  • Jami (https://jami.net/ [Archive.org])
  • Element/Matrix.org (https://element.io/ [Archive.org])
• Note that these options (Briar and OnionShare) do not support multi-devices yet. Your information is strictly stored on the device/OS where you are setting it up. Do not use those on a non-persistent OS unless you want ephemeral use.

Note that all the non-native Tor options must be used over Tor for safety (from Tails or a guest OS running behind the Whonix Gateway such as the Whonix Workstation or an Android-x86 VM).


While I do not recommend most of those platforms for the various reasons outlined above (phone number and e-mail), this does not mean it is not possible to use them anonymously if you know what you are doing. You can use even Facebook Messenger anonymously by taking the necessary precautions outlined in this guide (virtualization behind a Tor Gateway on a non-persistent OS).


The ones that are preferred are recommended due to their stance on privacy, their default settings, their crypto choices but also because they allow convenient anonymous sign-up without going through the many hassles of having a phone number/e-mail verification method and are open-source.


Those should be privileged in most cases. Yes, this guide has a discord server, and a twitter account despite those not being recommended at all for their stance on privacy and their struggle with anonymity. But this is about me acting appropriately in making this guide available to the many and conveniently using my experience and knowledge to do so as anonymously as possible.


I do not endorse or recommend some mainstream platforms for anonymity including the much-praised Signal which to this date still requires a phone number to register and contact others. In the context of this guide, I strongly recommend against using Signal if possible.

 

[HEISENBERG]

Redacting Documents/Pictures/Videos/Audio safely:​

You might want to self-publish some information safely and anonymously in the form of writing, pictures, videos, …

For all these purposes here are a few recommendations:

• Ideally, you should not use proprietary software such as Adobe Photoshop, Microsoft Office…
• Preferably, you should use open-source software instead such as LibreOffice, Gimp…

While the commercial alternatives are feature rich, they are also proprietary closed-source and often have various issues such as:

• Sending telemetry information back to the company.
• Adding unnecessary metadata and sometimes watermarks to your documents.
• These apps are not free and any leak of any metadata could be traced back to you since you had to buy these somewhere.

It is possible to use commercial software for making sensitive documents but you should be extra-careful with all the options in the various Apps (commercia or free) to prevent any data leak from revealing information about you.

Here is a comparative table of recommended/included software compiled from various sources (Privacytools.io, Whonix, Tails, Prism-Break.org and myself). Keep in mind my recommendation considers the context of this guide with only sporadic online presence on a need basis.

Type	Whonix	Prism-Break.org	Privacytools.io	Tails	This guide
Offline Document Editing	LibreOffice	N/A	LibreOffice*	LibreOffice	LibreOffice; Notepad++
Online Document Editing (collaboration)	N/A	Cryptpad.fr	Cryptpad.fr; Etherpad.org; Privatebin.net	N/A	Cryptpad.fr; Etherpad.org; Privatebin.net
Pictures Editing	Flameshot (L)	N/A	N/A	GIMP	GIMP
Audio Editing	Audacity	N/A	N/A	Audacity	Audacity
Video Editing	Flowblade (L)	N/A	N/A	N/A	Flowblade (L) Olive (?) OpenShot (?) ShotCut (?)
Screen Recorder	Vokoscreen	N/A	N/A	N/A	Vokoscreen
Media Player	VLC	N/A	N/A	VLC	VLC
PDF Viewer	Ristretto (L)	N/A	N/A	N/A	Browser
PDF Redaction	PDF-Redact Tools (L)	N/A	N/A	PDF-Redact Tools (L)	LibreOffice; PDF-Redact Tools (L)

Legend: * Not recommended but mentioned. N/A = Not Included or absence of recommendation for that software type. (L)= Linux Only but can maybe be used on Windows/MacOS through other means (HomeBrew, Virtualization, Cygwin). (?)= Not tested but open-source and could be considered.


In all cases, I strongly recommend only using such applications from within a VM or Tails to prevent as much leaking as possible. If you do not, the you will have to sanitize those documents carefully before publishing (See Removing Metadata from Files/Documents/Pictures).

 

[HEISENBERG]

Communicating sensitive information to various known organizations:​

You might be interested in communicating information to some organization such as the press anonymously.


If you must do so, you should take some steps because you cannot really trust any organization to protect your anonymity371:

• Check the files for any metadata: see Removing Metadata from Files/Documents/Pictures
• Check the files for anything malicious: see Appendix T: Checking files for malware
• Check the files for any watermarking: see Watermarking
• Assess carefully the potential consequences and risks of communicating any sensitive information for you and others (legally, ethically, and morally). Remember … Do not be evil. Legal is not necessarily Good.

After curating the files for anything you want to leave out. Double check and even Triple check them. Then you could consider sending them to an organization such as a press organization or others.


For this, I strongly recommend the use of SecureDrop (https://securedrop.org/ [Archive.org]) which is an open-source project from the Freedom of the Press foundation.

• Ideally you should use SecureDrop over Tor and you will find a curated list of those here https://github.com/alecmuffett/real-world-onion-sites#securedrop [Archive.org]

If not SecureDrop is not available, you could consider any other mean of communication but you should privilege those that are encrypted end to end. Do not ever do this from your real identity but only from a secure environment using an anonymous identity.


Without SecureDrop you could consider:

• Using e-mail with GPG encryption provided your recipient has published a GPG key somewhere. You can look this up here:
  
  • On their verified Social Media accounts (Twitter) if they provided it.
  • On https://keybase.io (Tor address http://keybase5wmilwokqirssclfnsqrjdsi7jdir5wy7y7iu3tanwmtp6oid.onion)
  • On open PGP directories such as: (be careful as those are public directories and anyone can upload any key for any e-mail address, you will have to cross-check the signature with other platforms to be sure it is theirs).
    
    • https://pgp.mit.edu/
    • https://keyserver.ubuntu.com/
    • https://keys.openpgp.org
• Using any other platform (even Twitter DMs) but again using GPG to encrypt the message for the recipient.

What you should avoid IMHO:

• Do not send physical materials using the post due to the risk of leaving DNA/Fingerprints or other traceable information (see Cash-Paid VPN (preferred)).
• Do not use methods linked to a phone number (even a burner one) such as Signal/WhatsApp/Telegram.
• Do not use any kind of voice/video communication.
• Do not leak any clues about your real identity when exchanging messages.
• Do not meet people in real life unless you have absolutely no other option (this is a last resort).

If you intend to break your anonymity to protect your safety:

• Assess the risks very carefully first.
• Inform yourself carefully on the legality/safety of your intent and the consequences for you and others. Think about it carefully.
• Possibly reach out to a trusted lawyer before doing so.

 

[HEISENBERG]

Maintenance tasks:​

• You should sign-up carefully into your accounts from time to time to keep them alive.
• Check your e-mail regularly for security checks and any other account notification.
• Check regularly the eventual appearance of compromise of any of your identities using https://haveibeenpwned.com/ [Archive.org] (obviously from a safe environment).

 

[HEISENBERG]

Backing-up your work securely:​

Do not ever upload encrypted file containers with plausible deniability (hidden containers within them) to most cloud services (iCloud, Google Drive, OneDrive, Dropbox) without safety precautions. This is because most cloud services keep backups/versioning of your files and such backups/versioning of your encrypted containers can be used for differential analysis to prove the existence of a hidden container.


Instead, this guide will recommend other methods of backing up your stuff safely.

Offline Backups:​

These backups can be done on an external hard drive or an USB key. Here are the various possibilities.

Selected Files Backups:​

Requirements:​

For these back-ups, you will need an USB key or an external hard drive with enough capacity to store the files you want to back-up.

Veracrypt:​

For this purpose, I will recommend the use of Veracrypt on all platforms (Linux/Windows/MacOS) for convenience/security and portability.

Normal File containers:​

The process is fairly simple and all you will need is to follow Veracrypt tutorial here: https://www.veracrypt.fr/en/Beginner's Tutorial.html [Archive.org]


In this container, you can then store sensitive data manually and or use any backup utility you want to backup files from the OS to that container.


You can then store this container anywhere safe.

Hidden File containers with plausible deniability:​

The process is also fairly simple and similar to the previous tutorial except this time you will use the Veracrypt wizard to create a Hidden Veracrypt Volume instead of a Standard Veracrypt Volume.


You can create a Hidden volume within an existing Standard Volume or just use the wizard to create a new one.


Let us say you want a container of 8GB, the Wizard will first create an “outer volume” where you will be able to store decoy information when prompted. Some decoy files (somewhat sensible, plausible but what you really want to hide) should be stored in the decoy volume.


Then Veracrypt will ask you to create a smaller hidden container (for instance 2GB or 4GB) within the outer volume where you can store your actual hidden files.


When you select the file for mounting in Veracrypt, depending on which password you provide, it will mount the Outer decoy volume or the Hidden volume.


You can then mount your hidden volume and use it to store sensitive files normally.


Be careful when mounting the Outer decoy volume to update its content. You should protect the hidden volume from being overwritten when doing this as working in the decoy volume could overwrite data in the hidden volume.


To do this, when mounting the Decoy Volume, select Mount Options and Check the “Protect hidden volume” option and provide the hidden volume password on the same screen. Then mount the decoy volume. This will protect the hidden volume from being overwritten when changing the decoy files. This is also explained here in Veracrypt documentation: https://www.veracrypt.fr/en/Protection of Hidden Volumes.html [Archive.org]


Be extremely cautious with these file containers:

• Do not store multiple versions of them or store them anywhere where some versioning is being done (by the file system or the storage system). These file containers should be identical everywhere you store them. If you have a backup of such containers somewhere, it needs to be absolutely identical to the one you are using. If you do not take this precaution, an adversary could compare two different versions of this container and prove the existence of hidden data. Follow carefully the recommendations here https://www.veracrypt.fr/en/Security Requirements for Hidden Volumes.html [Archive.org]. Remember the Local Data Leaks and Forensics: section.
• I strongly recommend storing such containers on external USB keys that you will only mount from your guest VMs and never from your Host OS. After each modification to the files, you should clean the free space on the USB disk and make sure that any backup of such containers is absolutely identical on each key and your computer. See the How to securely delete specific files/folders/data on your HDD/SSD and Thumb drives section of this guide for help on doing this.
• If you have time, I would even recommend you delete wipe the keys completely before making any modification on such containers on your computer (if you do not work from the USB key directly). This is to prevent an adversary that would seize your assets before you could update the keys from having multiple versions of the containers that could lead to proving the existence of hidden data using forensics techniques.
• Do not ever store such containers on cloud storage platforms that have backups and where you have no direct control over permanent deletion. They might keep “old versions” of your files which can then also be used by forensics to prove the existence of hidden data.
• If you are mounting the hidden volume from your Host OS (not recommended), you should erase all traces of this hidden volume everywhere after use. There could be traces in various places (system logs, file systems journaling, recent documents in your applications, indexing, registry entries…). Refer to the Some additional measures against forensics section of this guide to remove such artifacts. Especially on Windows. Instead, you should mount them on your Guest VMs. With Virtualbox for instance, you could take a snapshot of the VM before opening/working the hidden volume and then restore the snapshot prior to opening/working on it after use. This should erase the traces of its presence and mitigate the issue. Your Host OS might keep logs of the USB key being inserted but not of the hidden volume usage. Therefore, I do not recommend using these from your host OS.
• Do not store these on external SSD drives if you are not sure you can use Trim on them (see the Understanding HDD vs SSD section).

 

[HEISENBERG]

Full Disk/System Backups:​

TLDR version: Just use Clonezilla as it worked reliably and consistently with all my tests on all operating systems except for Macs where you should probably use native utilities (Time Machine/Disk utility instead) to avoid compatibility issues and since you are using Native MacOS encryption. When using Windows, do not backup a partition containing a hidden OS in case you use Plausible Deniability (as explained before, this backup could allow an adversary to prove the existence of the hidden OS by comparing the last backup to the current system where data will have changed and defeat plausible deniability, use file containers instead).


You will have two options here:

• (Not recommended) Doing your backup from the live operating system using a back-up utility (commercial utilities such as EaseUS Todo Free, Macrium Reflect…) or native utilities like MacOS Time Machine, QubesOS Backup, Ubuntu Déjà Dup or Windows Backup…).
  
  • This backup can be done while the Operating System is running.
  • This backup will not be encrypted using the disk encryption but using the Backup utility encryption algorithm (which you will have to trust and cannot really control for most). Alternatively, you could encrypt the backup media yourself separately (for instance with Veracrypt). I am not aware of any free or non-free utility that natively supports Veracrypt.
  • Some utilities will allow for differential/incremental backups instead of full backups.
  • These backup utilities will not be able to restore your encrypted drive as-is as they do not support those encrypted file systems natively. And so, these restore will require more work to restore your system in an encrypted state (re-encryption after restore).
• (Recommended) Doing it offline from a boot drive (such as with the free open-source Clonezilla).
  
  • This backup can only be done while the Operating System is not running.
  • This backup will back up the encrypted disk as-is and therefore will be encrypted by default with the same mechanism (it is more like a fire and forget solution). The restore will also restore the encryption as-is and your system will immediately be ready to use after a restore.
  • This method will not allow incremental/differential back-ups (meaning you will have to re-do a full back-up every time).
  • This method is clearly the easiest to manage.

I made extensive testing using live backups utilities (Macrium Reflect, EaseUS Todo Reflect, Déjà Dup…) and personally I do not think it is worth it. Instead, I would recommend that you periodically back-up your system with a simple Clonezilla image. It is much easier to perform, much easier to restore and usually works reliably without issues in all cases. And contrary to many beliefs, it is not that slow with most backups taking about an hour depending on the speed of your destination media.


For backing up single files while you work, I recommend using file containers or encrypted media directly and manually as explained in the previous section.

Requirements:​

You will need a separate external drive with at least the same or more free space available than your source disk. If your laptop has a 250GB disk. You will need at least 250GB of free disk space for the full image backup. Sometimes this will be reduced significantly with compression by the backup utility but as a safety rule you should have at least the same or more space on your backup drive.

Some general warnings and considerations:​

• If you use Secure Boot, you will need a backup utility that supports Secure Boot which includes Clonezilla AMD64 versions.
• Consider the use of exFAT as file system for your backup drives as those will provide better compatibility between various OSes (MacOS, Linux, and Windows) vs NTFS/HFS/ext4…

Linux:​

Ubuntu (or any other distro of choice):​

I will recommend the use of the open-source Clonezilla utility for convenience and reliability but there are many other native Linux utilities and methods you could use for this purpose.


So, you should follow the steps in Appendix E: Clonezilla

QubesOS:​

Qubes OS recommends using their own utility for backups as documented here https://www.qubes-os.org/doc/backup-restore/ [Archive.org] . But I think it is just a hassle and provides limited added value unless you just want to back-up a single Qube. So instead, I am also recommending just making a full image with Clonezilla which will remove all the hassle and bring you back a working system in a few easy steps.


So, you should follow the steps in Appendix E: Clonezilla

Windows:​

I will only recommend the use of the open-source and free Clonezilla utility for this purpose. There are commercial utilities that offer the same functionality but I do not see any advantage in using any of them vs Clonezilla.


Some warnings:

• If you use Bitlocker for encryption with TPM enabled, you might need to save your Bitlocker Key (safely) somewhere as well as this might be needed to restore your drive if your HDD/SSD or other hardware parts changed. Another option would be to use Bitlocker without the use of TPM which would not require this option. But again, I do not recommend using Bitlocker at all.
• You should always have a backup of your Veracrypt rescue disk at hand somewhere to able to resolve some issues that might still appear after a restore. Remember this rescue disk does not contain your passphrase or any sensitive information. You can store it as is.
• If you changed the HDD/SSD after a failure, it is possible that Windows 10 will refuse to boot if your hard drive ID changed. You should also save this ID prior to backing up as you might need to change the ID of the new drive as Windows 10 might require a matching ID before booting. See Appendix F: Diskpart
• In case you are using Plausible Deniability on Windows. DO NOT back-up the hidden OS partition as this image could be used by Forensics to prove the existence of the hidden volume as explained earlier. It is okay to back-up the Decoy OS partition without issues but you should never backup the partition containing the Hidden OS.

Follow the steps in Appendix E: Clonezilla

MacOS:​

I would recommend just using the native Time Machine backup with encryption (and a strong passphrase that could be the same as your OS) as per the guides provided at Apple: https://support.apple.com/en-ie/guide/mac-help/mh21241/mac [Archive.org] and https://support.apple.com/en-ie/guide/mac-help/mh11421/11.0/mac/11.0 [Archive.org].


So, plug in an external drive and it should prompt you to use it as a Time Machine backup.


You should however consider formatting this drive as exFAT to that it is also usable by other OSes conveniently (Windows/Linux) without added software using this guide: https://support.apple.com/en-ie/guide/disk-utility/dskutl1010/mac [Archive.org]


It is just simpler and will work online while you work. You will be able to recover your data on any other Mac from the recovery options and you will be also able to use this disk for backing up other devices.


It is possible to also use Clonezilla to clone your Mac Hard Drive but it could bring hardware compatibility issues and probably will not add much in terms of security. So, for MacOS I am not specifically recommending Clonezilla.

 

[HEISENBERG]

Online Backups:​

Files:​

This is a tricky one. The problem is that it depends on your threat model.

• TLDR: Do not store file containers with plausible deniability (Veracrypt) online. If you use containers with plausible deniability, you should never ever store them on any platform where you do not have full control over the deletion process as the platform will most likely have backups of previous versions for some time. And again, these previous versions could allow forensics to prove the existence of hidden data and defeat plausible deniability. This includes platforms like DropBox, Google Drive, OneDrive, or others. The only acceptable online storage of those could be “cold storage” (meaning you will never change those files again and just keep them away untouched compared to any local version).
• If you use normal encrypted backups without plausible deniability, you could store them pretty much anywhere if they are properly encrypted locally before uploading (for example with Veracrypt, using strong passphrases and encryption). Do not ever trust encryption of any online provider. Only trust your own local encryption (using Veracrypt for instance). For these cases, you could store your backups pretty much anywhere in the accounts of your online identities (iCloud, Google Drive, DropBox…) if they are strongly encrypted locally before uploading. But you could also prefer privacy caring services such as Cryptpad.fr (1GB).

Obviously do not ever do/access those backups from unsecure/unsafe devices but only from the secure environments you picked before.

Self-hosting:​

Self-hosting (using Nextcloud for instance) is also a possibility provided you do have an anonymous hosting


Please see Appendix A1: Recommended VPS hosting providers.


Please also consider this Monero Disclaimer.

Cloud-hosting:​

For smaller files, consider Cryptpad.fr as recommended by Privacytools.io at https://privacytools.io/providers/cloud-storage/ [Archive.org] (limited to 1GB total).


I am currently not aware of any online storage/hosting platform accepting cash payments unlike providers mentioned before.


If you do intend to store sensitive data on “mainstream platforms” (Dropbox, Google Drive, OneDrive…), remember not to ever store plausible deniability containers on those and remember to encrypt anything locally before uploading there. Either with a software like Veracrypt or with a software like Cryptomator (https://cryptomator.org/). Do not ever upload non-encrypted files on those platforms and repeating myself, only access them from a secure shielded VM.

Information:​

If you just want to save information (text), I will recommend the use secure and private pastebins. Mostly I will stick to the ones recommended by privacytools.io (https://privacytools.io/providers/paste/ [Archive.org] ):

• https://privatebin.info/
• https://cryptpad.fr/pad/

On these providers you can just create a password protected pad with the information you want to store.


Just create a pad, protect it with a password and write your info in it. Remember the address of the pad.

 

[HEISENBERG]

Synchronizing your files between devices Online:​

To that the answer is very simple and a clear consensus for everyone: https://syncthing.net/ [Archive.org]


Just use SyncThing, it is the safest and most secure way to synchronize between devices, it is free and open-source, and it can easily be used in a portable way without install from a container that needs syncing.

Covering your tracks:​

Understanding HDD vs SSD:​

If you intend to wipe your whole HDD laptop, the process is rather simple and straightforward. The data is written at a precise location on a magnetic (hard) platter (why it is called a hard drive) and your OS knows precisely where it is on the platter, where to delete it and where to overwrite it for secure deletion using simple processes (like just overwriting that location over and over until no traces are left).


On the other hand, if you are using an SSD drive, the process is not as simple as the drive uses several internal mechanisms to extent its lifespan and performance. Three of those processes are of particular interest when it comes to us in this guide. SSD drives are divided themselves into 2 main categories:

• ATA Drives (usually SATA and usually 2.5” format as the image above).
• NVMe Drives (usually M.2 format as the illustration below).

Here are examples of the most common formats:

All of these are sold as internal and external drives within enclosures.


The methods and utilities to manage/wipe them will vary depending on the type of drive you are using. So, it is important you know which one you have within your laptop.


On most recent laptops, chances are high that it will be one of the middle options (M.2 SATA or M.2 NVMe).

 

[HEISENBERG]

Wear-Leveling.​

These drives use a technique called wear leveling. At a high level, wear leveling works as follows. The space on every disk is divided into blocks that are themselves divided into pages, kind of like the chapters in a book are made of pages. When a file is written to disk, it is assigned to a certain set of pages and blocks. If you wanted to overwrite the file in an HDD, then all you would have to do is tell the disk to overwrite those blocks. But in SSDs and USB drives, erasing and re-writing the same block can wear it out. Each block can only be erased and rewritten a limited number of times before that block just will not work anymore (the same way if you keep writing and erasing with a pencil and paper, eventually the paper might rip and be useless). To counteract this, SSDs and USB drives will try to make sure that the number of times each block has been erased and rewritten is about the same, so that the drive will last as long as possible (thus the term wear leveling). As a side effect, sometimes instead of erasing and writing the block a file was originally stored on, the drive will instead leave that block alone, mark it as invalid, and just write the modified file to a different block. This is kind of like leaving the chapter in the book unchanged, writing the modified file on a different page, and then just updating the book’s table of contents to point to the new location. All of this occurs at a very low level in the electronics of the disk, so the operating system does not even realize it has happened. This means, however, that even if you try to overwrite a file, there is no guarantee the drive will actually overwrite it, and that’s why secure deletion with SSDs is so much harder.


Wear-leveling alone can therefore be a disadvantage for security and an advantage for adversaries such as forensics examiners. This feature makes classic “secure deletion” counter-productive and useless and is why this feature was removed on some Operating Systems like MacOS (a as from version 10.11 El Capitan) where you could enable it before on the Recycle Bin.


Most of those old secure deletion utilities were written with HDD in mind and have no control over wear-leveling and are completely pointless when using an SSD. Avoid them on an SSD drive.

 

[HEISENBERG]

Trim Operations:​

So, what now? Well here come the Trim operation. When you delete data on your SSD, your OS should support what is called a Trim operation command and could (should) issue this Trim command to the SSD drive periodically (daily, weekly, monthly…). This Trim command will then let know the SSD drive controller that there are pages within blocks containing data which are now free to be really deleted without deleting anything itself.


Trim should be enabled by default on all modern Operating Systems detecting an SSD drive covered in this guide (MacOS, Windows 10, Ubuntu, Qubes OS…).


If Trim operations are not done regularly (or at all), then the data is never deleted pro-actively and at some point, all the blocks and pages will be occupied by data. Your OS will not see this and will just see free space as you delete files but your SSD controller will not (this is called Write Amplification). This will then force the SSD controller to erase those pages and blocks on the fly which will reduce the write performance. This is because while your OS/SSD can write data to any free page in any bock, erasure is only possible on entire blocks therefore forcing your SSD to perform many operations to write new data. Overwriting is just not possible. This will defeat the wear-leveling system and cause performance degradation off SSD over time. Every time you delete a file on an SSD, your OS should issue a Trim command along with the deletion to let the SSD controller know the pages containing the file data are now free for deletion.


So, Trim itself does not delete any data but just marks it for deletion. Data deleted without using Trim (if Trim has been disabled/blocked/delayed for instance) will still be deleted at some point by the SSD garbage collection or if you want to overwrite what the OS sees at free space. But it might stick around for a bit longer than if you use Trim.


Here is an illustration from Wikipedia showing how it works on an SSD drive:

As you can see in the above illustration, data (from a file) will be written to the 4 first pages of Block X. Later new data will be written to the remaining pages and the data from the first files will be marked as invalid (for instance by a Trim operation when deleting a file). As explained on https://en.wikipedia.org/wiki/Trim_(computing) [Wikiless] [Archive.org]; the erase operation can only be done on entire blocks (and not on single pages).


In addition to marking files for deletion (on reputable SSD drives) Trim usually makes those unreadable using a method called “Deterministic Read After Trim” or “Deterministic Zeroes After Trim”. This means that if an adversary tries to read data from a trimmed page/block and somehow manages to disable garbage collection, the controller will not return any meaningful data.


Trim is your ally and should always be enabled when using an SSD drive and should offer sufficient reasonable protection. And this is also the reason you should not use Veracrypt Plausible deniability on a Trim enabled SSD as this feature is incompatible with Trim.

 

[HEISENBERG]

Garbage Collection:​

Garbage collection is an internal process running within your SSD drive that looks for data marked for erasure. This process is done by the SSD controller and you have no control over it. If you go back to the illustration above, you will see that Garbage collection is the last step and will notice that some pages are marked for deletion in a specific block, then copy the valid pages (not marked for deletion) to a different free destination block and then will be able to erase the source block entirely.


Garbage collection in itself does NOT require Trim to function but it will much faster and more efficient if Trim is performed. Garbage collection is one of the processes that will actually erase data from your SSD drive permanently.

Conclusion:​

So, the fact is that it is very unlikely and difficult for a forensic examiner to be able to recover data from a Trimmed SSD but it is not completely impossible either if they are fast enough and have access to extensive equipment, skills and motivation.


Within the context of this guide which also uses full disk encryption. Deletion and Trim should be reasonably enough on any SSD drive and will be recommended as the standard method of deletion.

 

[HEISENBERG]

How to securely wipe your whole Laptop/Drives if you want to erase everything:​

So, you want to be sure. To achieve 100% secure deletion on an SSD drive, we will need to use specific SSD techniques (If you are using an HDD drive, skip this part and go to your OS of choice):

• Easy options for less experienced users:
  
  • If available, just use the Secure Erase option available from your BIOS/UEFI (ATA/NVME Secure Erase or Sanitize).
  • Just re-install a fresh operating system (delete/quick format the drive) and re-encrypt it. The full disk encryption process should erase all previous data from the disk.
  • Buy PartedMagic for 11$ and use it to erase any disk.
• Technical options for more advanced users:
  
  • ATA/NVMe Secure Erase: This method will remove the mapping table that keeps track of allocated data on the storage Blocks but does not destroy the actual data.
  • ATA/NVMe Sanitize Crypto Scramble (aka Instant Secure Erase, Crypto Erase), which applies to self-encrypting SSD drives: This method will change the encryption key of the self-encrypting SSD drive and render all the data stored in it unreadable.
  • ATA/NVMe Sanitize Block Erase: This method performs an actual block erase on every storage block and will destroy the data and change the encryption key if present.
  • ATA/NVMe Sanitize Overwrite (very slow, could be dangerous and not recommended): This method performs a block erase and then overwrite every storage block (it is the same as Block Erase but will overwrite data in addition). This method is overkill and not necessary IMHO.
• Physical Destruction:
  
  • HDDs:
    
    1. Open the drive (with a screwdriver, usually Torx T8)
    2. Remove platters (with a screwdriver, usually Torx T6)
    3. Rub the platters with a rare earth magnet
    4. Break/Deform/Crush the platters
    5. Burn them
    6. Separate the debris
    7. Throw away in separate places
  • SSDs:
    
    1. Open the drive
    2. Break/Crush the board and memory cells
    3. Burn them
    4. Separate the debris
    5. Throw away in separate places
  • Bonus: See
    [Invidious]

For maximum overkill paranoia security, Sanitize Block Erase option should be preferred but Secure Erase is probably more than enough when considering your drive is already encrypted. Unfortunately, are no free easy (bootable with a graphical menu) all-in-one tools available and you will be left with either going with drive manufacturers provided tools, the free manual hdparm and nvme-cli utilities or going with a commercial tool such as PartedMagic.


This guide will therefore recommend the use of the free utilities hdparm and nvme-cli using a Live System Rescue system.


If you can afford it, just buy Parted Magic for 11$ which provides an easy-to-use graphical tool for wiping SSD drives using the option of your choice.


Note: Again, before proceeding, you should check your BIOS as some will offer a built-in tool to securely erase your drive (ATA/NVMe Secure Erase or ATA/NVMe Sanitize). If this is available, you should use that and the following steps will not be necessary. Check this before proceeding to avoid the hassle, see Appendix M: BIOS/UEFI options to wipe disks in various Brands).