This guide is simply for people who want to be able to speak their mind anonymously and avoid unjust persecution by an increasingly paranoid and totalitarian government or malicious political groups.
A lot of this may seem too complicated, and it is because there are so many potential avenues of weakness, but the more you learn the better you will get. Quickly, it will become second nature to be aware of your usage habits, which is half the battle.
Remember that it’s your responsibility to vet everything yourself for privacy. Word of mouth and trust (even of things like this article) is dangerous. The Internet, unfortunately, is not a high-trust society.
Virtual Private Networks (VPN) and Proxies
Use a VPN or proxy as much as possible (see here for a video introduction to VPNs). It’s not a sure thing but it helps eliminate many risks. For example, what if you clicked a link in a comment thread that went to a site set up by the SPLC or something similar to track IP addresses of thought criminals? If you’re not using a proxy and a prosecutor can argue to a standard of probable cause that you committed a crime, you’re easily identifiable through your Internet service provider (ISP). What’s more, your ISP might reveal your personal details by caving to pressure from organizations like the SPLC, intentionally allowing themselves to be ‘hacked’, or unintentionally allow it to be released through weaknesses in their security processes. If you’re using a VPN or proxy, your enemies will be unable to identify you directly. Their only recourse would be to demand logs from the proxy or VPN service. Some companies, HideMyAss being a well known example, will give up this information if forced to by warrant but many more will not, either because they do not keep logs or are based in jurisdictions with highly favorable privacy laws.
While using a proxy is important for everyone, this is only basic practice and there is more to do to remain secure online. Seven proxies is probably overkill, unless you’re doing highly illegal things. But connecting to evil racist hatesites directly is probably not a good idea.
Your ISP is the first serious point of tracking, which you'll need a VPN or proxy service to bypass. VPN prices have collapsed in recent years (from ~$10-15 a month several years ago to ~$3-10 a month now) as normal Internet users began to use them for piracy, so there’s no good reason not to have one.
I recommend Tutanota, a secure email client, or Mailinator. Tutanova has built-in, end-to-end encryption for people using the service and a simple asymmetric cryptography system for all outgoing email. To encrypt your messages, simply establish a password beforehand with the person you want to contact, then send your mail and tell the webmail client that you want the message to be encrypted. The other user will get an email with a link to their site that requires them to enter the decryption key. Otherwise it’s all open just like any other email service, as email is inherently insecure.
Tutanota claims that emails from one of their accounts to another are automatically encrypted. There are many other comparable websites, such as confidesk.com, which offers encrypted email, contacts, and file storage.
Mailinator is a simple throwaway email service. Mailinator works by making any email address accessible without a password. Everything is public and the email addresses don’t expire so technically someone could read your emails if they know the address and visit within a day or two of the email arriving (the system automatically deletes older messages). The benefit is using a mailinator address is extremely quick, with no captchas or registration. The website also provides an automated service whereby email will be automatically redirected from one address to another, allowing you to keep private your inbox from those you give your email address to. You cannot use Mailinator to send email, but only to receive. Other similar services include 10minutemail.com and guerrillamail.com.
Many major social media websites, such as Twitter and Facebook, will automatically block email addresses known to be disposable. Major email services, such as Gmail, Yahoo, and AOL, have highly advanced anti-spam systems and often require phone verification. Because of this, it is probably easiest to use uncommon or obscure email services.
In general, it doesn't matter what email services people use as long as they're sock accounts and they don't dox themselves. The services listed above are somewhat more secure and offer extra safety with regards to tracking and man in the middle attacks, but doxing is still a substantial threat.
You should always inspect links before clicking on them. While a properly secured web browser should not be at risk of security exploits, a link that is sent only to you could be potentially used to harvest your IP address and other browser information. If you’re not familiar with the site being used, take the root domain part of the URL and read up on it first. Be especially wary of link shorteners, since you cannot determine the end address before clicking. If you must click on a link shortener be sure to do it through a proxy or VPN to mask your IP address.
Protecting Your Voice
Creating alt-right podcasts, both on The Right Stuff and elsewhere, is becoming increasingly popular. With this, however, runs the risk of real-life identification as a result of someone recognizing your voice. For most of us using our voices won’t become an issue because we’ll stay obscure, but at the same time no one knows what the future holds. Be aware that your voice can be used to identify and attack you. It’s probably not legally admissible evidence but it’s more than enough to convince people. Our voices and ways of speaking are very unique.
Anonymizing your voice is possible but quite complicated. As explained here, you pretty much lose all quality so forget about doing it for content others enjoy. Basically, don’t publish your voice unless you accept the risk of being identified. If you want to disguise your voice to prevent identification by friends or family, the best thing to do is use hardware to change the pitch slightly. This will throw any casual person off but still preserve quality and not sound fake or distracting.
Be aware that you can be identified through your writing as well. Just like every poker player has a tell, every writer has tics and habits that make their writing unique. I’ve seen someone get identified online because a passerby happened to notice the similarities between their anonymous writing and their public writing elsewhere. The best thing you can do is to not publish anything online under your real name and to be aware of your writing style and mannerisms. Watch out for social engineering attacks as well.
Don’t use edgy social media or websites at work at all. It’s quite easy for them to see URLs and timestamps and trace them back to you. If you must, only use mobile data or remote access through other networks. Avoid not just sites like The Right Stuff directly but also Facebook pages, Soundcloud pages, and even download links. When listening to podcasts, avoid having files on a device that can be on external speakers. Get a cheap mp3 player with no external speakers and load your listening material outside the office. Listen with earbuds instead of full headphones. If you must access something at work do it through your phone on mobile data (being sure to turn Wi-Fi off). Always assume you are being monitored at work or at any public access points.
Keep your online life and your real life as separate as possible, especially with work. Don’t talk politics at all, don’t browse troublesome sites, and don’t leave things on your computer.
Windows is a liability. Try to get acquainted with open source software. The most secure option is likely Tails, a Linux distro run off a USB drive, DVD, or SD card where everything is completely wiped after every session. Tails software forces you through the Tor network and comes preloaded with encryption tools and other security software, like Noscript. Even still, just taking a look at the frequent security updates on their website will show you that absolute security is impossible. However, best practices like Tails minimize the risk of identification.
For more protection, look into a remote or native virtual machine. This will essentially “simulate” a computer inside another computer, affording you greater protection from hacking or other attacks.
Social Media and Maintaining Your Identity Online
Completely start over every year or so if you can. Back up and burn down everything and start fresh with new knowledge, fresh accounts, and better habits. It is difficult to maintain social capital when you are moving through social media profiles, but here are some tips to ease the process. First, the less personal information you divulge the less necessary it will be to refresh things, so you can reduce the number of times you abandon an identity and create a new one. Even so, it’s best practice to start over once a year or so. Doing so gives you a chance to audit your content as well as your contacts. Start a new profile, tell people you’ll be switching and hint to them your name will be. Once you’ve reconnected with most of your contacts start erasing everything and letting people know who haven’t re-added you that you’ll be shutting down and to meet you elsewhere. If you upload similar content and have a similar name on the new profile people should understand fairly easy. At the same time, create one or more other profiles and put them on the backburner. In the future, when you need to jump ship again, you’ll have accounts ready to move to. This is an especially important step because account longevity is given preferable status on several websites, and because accounts have gotten consistently more difficult to create anonymously over time.
To the extent possible, avoid using social signups. If you can’t, be sure to use sock accounts for these kinds of signups and nothing else.
Finally, you can use two-factor authentication to increase the security on some social media accounts. 2FA protects solely against malicious agents attempting to crack the password on your account. It is most commonly offered by major corporations or privacy-oriented services, like Dropbox.
Deleting your information is a huge hassle. Even if you have all your account information saved somewhere, like Lastpass, you’ll come across many sites that do not allow you to delete your account yourself. Websites that do not have automated account deletion systems, but require you to send them an email, will often not reply or refuse to delete your information. Forums are especially poor because they often refuse to delete stuff to protect the integrity of the archives and databases. I would venture to guess it’s a 50/50 bet that a given website will permanently delete anything in a way that it can’t be easily recovered. As was seen in the Ashley Madison leak, there is a significant risk that websites that claim to delete your user information will not actually do so. The lesson, given that information is extremely difficult to remove, is to never use your real name and use throwaway emails to sign up for things whenever possible. Once your enemies have your personal information or even an email address or username, it’s basically impossible to clean it up completely afterwards.
If you need help getting started with account deletion, use the web guide justdelete.me.
Once you’ve deleted or cleaned up your accounts, you should also delete the associated email account. If anyone in the future tries to email they’ll get an error and hopefully clean you off their systems eventually.
Deleting things is hard but learn to let go. You can always back things up. Only feel personally attached to greater works that you want to be up for posterity. Find alternate ways to gain reputation such as taking things to decentralized platforms, including meeting in real life! If you gain connections with people you can let them know when you’ve changed something and ask them to delete previous info if need be. They’ll know you’d do the same for them.
The single most important point that I’d like to make is to be conscious of what you’re doing online – of who you’re talking to and of what information you’ve given away. More than using a proxy, shutting down your accounts, locking up your web browser, conscientiousness is key to security. At the same time, remember that subversives will try to stifle communities by overplaying the risk of participation and creating a culture of fear. Keep participating, make gradual improvements to your online safety, and soon being as paranoid as a JIDF agent will be second nature.
Take care, and stay safe.