Your best bet is distributing trust among multiple parties, such that no one of them can compromise you. VPN use is common, so start with nested VPN chains. Then Tor. If either the VPN chain or Tor resists compromise, then you're still safe.
After that, you can use any PM or email that you like. Because it's not connected to your meatspace identity. If content is end-to-end encrypted, the provider has nothing useful to share with adversaries. You and correspondents must, of course, avoid leaking metadata through account names and subject lines.
At least on DigitalOcean, it’s possible to create an anonymous account (no name required, not even by their TOS) connected to an anonymous email provider and funded by a cash-purchased Visa gift card. And a $5/mo droplet running IKEv2 VPN traffic (see Algo) is very secure and provides more than enough bandwidth/throughput for several people.
That would only leave the traffic itself (particularly the IP address(es) that initiate connections to your droplet). DO has a policy of not logging traffic unless an abuse alert is triggered.
I'd be willing to bet they log all the info about the signup process though, including the IP address used. It's how you prevent abuse.
The question then becomes, how do you hide your IP address from the DO signup process. I know, use a VPN! Wait a second...
To be clear, my own goal in all of this is primarily to get through residential ISP snooping -- I don't trust them not to sell my personal info. Staying out of the state dragnets is also a plus (I don't like the idea of snoops in a building somewhere reading my personal emails; same reason I close the living room curtains in the evening).
But even with all that, there's the risk of logging. I don't get how DO differs from whatever "no logging" VPN service, in that regard.
I bought a prepaid debit card at a grocery store with cash. I tried to sign up for a few VPS providers using coffee shop WiFi. All wanted additional verification or wouldn't allow me to use the card. All providers use 3rd party services (e.g. MaxMind) to prevent fraud, and prepaid cards are one of the things they look for.
Has anyone had luck doing this?
Are you saying that
- Google’s policy could unmask users behind a VPN, via an IP+time correlation attack
- VPN providers who say they don’t keep logs, are actually keeping logs in secret, because of what you’ve seen at Google
I’m straining to make the connection you’re hinting at.
 You can now basically buy these from telcos as an identity verification measure, so a VPN seems useful here.
The law enforcement officers or prosecutors can simply ask for the history of your traffic.
As it does not contain the content of your communication, in most legal systems they do not need any warrant to request this data.
What jurisdictions are you speaking of? Cites would be cool too.
As far as I know the EU does have data retention laws on the books for ISPs.
> On 8 April 2014, the Court of Justice of the European Union declared the Directive 2006/24/EC invalid for violating fundamental rights. The Council's Legal Services have been reported to have stated in closed session that paragraph 59 of the European Court of Justice's ruling "suggests that general and blanket data retention is no longer possible". A legal opinion funded by the Greens/EFA Group in the European Parliament finds that the blanket retention data of unsuspicious persons generally violates the EU Charter of Fundamental Rights, both in regard to national telecommunications data retention laws and to similar EU data retention schemes (PNR, TFTP, TFTS, LEA access to EES, Eurodac, VIS).
I'll have to look them up on Eurlex, I'll post them here if I find the time.
DIRECTIVE 2006/24/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 15 March 2006
on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC
On 13 July 2005, the Council reaffirmed in its declaration condemning the terrorist attacks on London the need to adopt common measures on the retention of telecommunications data as soon as possible.
Given the importance of traffic and location data for the investigation, detection, and prosecution of criminal offences, as demonstrated by research and the practical experience of several Member States, there is a need to ensure at European level that data that are generated or processed, in the course of the supply of communications services, by providers of publicly available electronic communications services or of a public communications network are retained for a certain period, subject to the conditions provided for in this Directive.
Article 3 para. 2 (data necessary to trace and identify the source of a communication):
The obligation to retain data provided for in paragraph 1 shall include the retention of the data specified in Article 5 relating to unsuccessful call attempts where those data are generated or processed, and stored (as regards telephony data) or logged (as regards Internet data), by providers of publicly available electronic communications services or of a public communications network within the jurisdiction of the Member State concerned in the process of supplying the communication services concerned. This Directive shall not require data relating to unconnected calls to be retained.
concerning Internet access, Internet e-mail and Internet telephony:
(i) the user ID(s) allocated;
(ii) the user ID and telephone number allocated to any communication entering the public telephone network;
(iii) the name and address of the subscriber or registered user to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication;
concerning Internet e-mail and Internet telephony:
(i) the user ID or telephone number of the intended recipient(s) of an Internet telephony call;
(ii) the name(s) and address(es) of the subscriber(s) or registered user(s) and user ID of the intended recipient of the communication;
concerning Internet access, Internet e-mail and Internet telephony:
(i) the date and time of the log-in and log-off of the Internet access service, based on a certain time zone, together with the IP address, whether dynamic or static, allocated by the Internet access service provider to a communication, and the user ID of the subscriber or registered user;
(ii) the date and time of the log-in and log-off of the Internet e-mail service or Internet telephony service, based on a certain time zone;
 Link to the directive: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...
 Link to the reddit thread: https://www.reddit.com/r/VPN/comments/7x07am/if_a_vpn_doesnt...
 Decision of the annulment of the directive: http://curia.europa.eu/juris/liste.jsf?language=en&num=C-301...
I looked into this fairly carefully some months ago, consulting with Nick Pestell, IVPN's CEO. In writing for their blog. And I got from him that data retention requirements are now rare in the EU.
As we import our laws from other European countries (for example criminal procedure law was imported from Germany) I thought that this must've been the case in many law systems.
This discussion has been eye-opening for me.
> in most legal systems they do not need any warrant to request this data.
From a quick read of your law extract, it doesn't seem to cover that aspect of your original claim (and if it does, I'd warmly suggest you highlighted the controversial bit for those who like me have a hard time grokking through such a long text)
Law enforcement is generally allowed to request just about anything just like everyone else.
I think a VPN provider in this case is still obliged to keep logs, albeit only hand them over if the necessary conditions are met.
Coming from Turkey, I could not imagine a state, where the communication logs are not saved. But it seems the US does this only through intelligence agencies and does not force the ISPs to keep logs.
Furthermore, at least here in Turkey, communication records are also used in civil cases. For example, in a divorce case, the parties sometimes request the phone log through a judge and prove disloyalty by showing call history and duration of each call.
Everything on the internet (and really in life) is a chain of trust - there are going to be weak links however far down the rabbit hole you go.
A better option is to use technology that might be better able to provide some verifiable anonymity guarantees, like Tor.
Preferably use a VPN for the host machine's connection too, at least to first download the tor client (the subset of IPs which have downloaded a recent tor bundle is quite small). At the very least, firewall the VM so traffic can only go to a tor bridge IP; even then, https (non tor) from a compromised host can identify the tor user, as all tor entry point traffic is logged and possibly has active mitm boxes (varying packet timing, fingerprinting tor versions).
Given the overall complexity of getting it right, and the enduring consequences of a single opsec failure, I'm not sure tor is a great option. Sending USB sticks through the mail would probably be safer. (Even then, encrypt them, use a dedicated laptop, don't lick the stamp or leave fingerprints, don't be observed/CCTVed posting them, purchasing the USB sticks, etc.)
> all tor entry point traffic is logged and possibly has active mitm boxes
That's a broad claim. You need cites for that. Tor relays are run by a large collective of volunteers, and keeping something like that secret would be quite some achievement.
This is yet another reason to hit Tor through a VPN service. Or better, a nested chain of VPN services.
Edit: I do recall a post by Virgil Griffith about the situation in Singapore. He says nothing explicitly about logging, but does note that Singapore's "love of anti-corruption exceeds its apprehension about human-rights-laden privacy enhancing technologies." And I don't find anything about logging of Tor relays there. But then, I'm searching in English :(
It's better, as in closer to trust-no-one, but of course it's not perfect. Especially when we're talking about endpoint security concerns.
That "hypothetical" the OP referred to is the VPN provider keeping logs (or more logs than they advertise) and providing them when asked to the authorities.
It's not really that hypothetical. There was a link here today about a "no log" VPN service that apparently did that.
> I understand that sentiment but a technological work around (that probably also has captured data points)
Tor is a technology that specifically answers the issue the OP brought up, which is over-trust in a single entity to preserve anonymity. Nothing's perfect, but Tor is better than both the "VPN provider" option the OP was warning people away from and from your snarky "what and use Comcast?" option.
> but a technological work around ... seems at best naive to this layman.
You'll have to elaborate why the use of better (if imperfect) technology is "at best naive."
But imagine instead that your friend was connecting to Tor through a VPN service. Even if CMU attackers had been running your friend's entry guard, they would have just seen the VPN exit IP address.
Better yet, your friend could have been connecting to Tor through a nested chain of VPN services. Then the FBI would have needed to do lots more work to get your friend's ISP-assigned IP address.
The Tor Project, I note, will not agree with my assessment. But so it goes.
Sure. But Ms. Watkins could have used better OPSEC, and trained her sources to do the same.
Edit: You can't "promise confidentiality" if you're depending entirely on the behavior of third parties.
Consider this statement from Watkins' lawyer:
“It’s always disconcerting when a journalist’s telephone records are obtained by the Justice Department — through a grand jury subpoena or other legal process. Whether it was really necessary here will depend on the nature of the investigation and the scope of any charges.”
It'd look different if MacDougal were confident that the DOJ had violated process or law, including constitutional rights. As it reads, it sounds like he recognizes that right now, there's no apparent violations, and it's plausible that actions like this, disconcerting or not, may well be fully legal and justified.
Nonetheless. In this case the reporter had a years-long relationship with the alleged leaker, that makes it much harder to cover all of your digital tracks vis-a-vis casual exchanges. We don’t know what exactly they have on this guy, but apparently it’s enough to establish that he lied to the FBI about his contact, if not anything pinning the leaks on him squarely. From the sounds of it, prudence may not have been sufficient.
Yes, that's likely the key issue. Once the FBI etc are asking questions, it's already too late. So it's crucial to avoid attention. But that's very hard for leakers like this, where there are few possibilities, and all will likely be questioned.
Damn, I missed that.
So I wonder if Ms. Watkins can be prosecuted for lying to the FBI. Or is she immune because she's a reporter?
Shortly before she began working at The Times, Ms. Watkins was approached by the F.B.I. agents, who asserted that Mr. Wolfe had helped her with articles while they were dating. She did not answer their questions.
But when the government manages to plug a leak that happened to hand things to the media (compared to leaks that handed things to, say, foreign governments), people are surprised that the Constitutionally guaranteed freedom of the press doesn’t actually include a right for the media to keep sources confidential. That’s why Judith Miller ended up in jail (and the story I heard was that her first legal team thought she had a right to keep sources confidential, which is why she spent so long in jail).
Is this really true? As opposed to the right getting trumped occasionally through some technicality? If it's true, why do reporters so commonly expect to keep sources private?
But maybe I've missed the point. To remain private, the source must not share their identity with the reporter. Is that it? That's why the NYT etc have Tor-based leak drops.
According to Wikipedia ( https://en.wikipedia.org/wiki/Reporter%27s_privilege ) there is some kind of legal privilege, in some cases. But since reporters do end up in jail for contempt of court, it certainly doesn’t go as far as they seem to believe.
People on the left were screaming that GWB was violating the constitution. People on the right were screaming that Obama was violating the constitution. Globalists et al are screaming that Trump is violating the constitution. But it literally means nothing until the highest court rules on it.
So, the Supreme Court only has power as long as people respect the Constitution in the first place.
(I don't understand your point about the left and right; it's certainly possible that all of Bush, Obama, and Trump violated the Constitution. The article specifically calls out the Trump administration for "continu[ing] the aggressive tactics employed under President Obama." It's not true that Democrats and Republicans are the same, but it's also not true that they're dualistic opposites, where every virtue and every vice belongs to exactly one. Sometimes they both possess the same vice.)
> People on the left were screaming that GWB was violating the constitution. People on the right were screaming that Obama was violating the constitution. Globalists et al are screaming that Trump is violating the constitution. But it literally means nothing until the highest court rules on it.
Best to say it was the US highest court that has violated the constitution during all three administrations.
> The former aide, James A. Wolfe, 57, was charged with lying repeatedly to investigators about his contacts with three reporters. According to the authorities, Mr. Wolfe made false statements to the F.B.I. about providing two of them with private information related to the committee’s work. They did not say whether it was classified.
Ah interesting. They definitely have metadata but they don't have (or don't admit to having) all the data. So they know who talked to who and when and caught him in a lie which can end up badly. But it seems they don't know the content so they can't say "on this day, in this message you divulged this classified information". They disclose a few Signal messages but they were simple like "Great job" or "I am glad I made your career" etc.
Lying to FBI is not good but disclosing classified information is even worse. It seems in this case he is only charged with lying.
I wonder had he refused to talk to the investigators what would have happened? Given he was an employee with clearance, did he even have a choice in saying "I am not answering your questions, talk to my lawyer"...
> Under Mr. Obama, the Justice Department prosecuted more leak cases than all previous administrations combined.
I wonder if there were simply more leaks because there were more dissenters, more media channels, more disappointed employees or those in charge ordered more resources allocated on finding and stopping the leaks.
It is scary that they are going after and collecting all of a reporter's communication going back for years. I can imagine that would be very scary.
However, you also have no right to a security clearance so simply refusing to answer probably kills your career / clearance right there, and suddenly you're the focus of the investigation.
When asked I wonder if it was just the FBI "casually" asking everyone a bunch of questions. Then you have to decide, do I lie (not a good idea) and maybe keep my job... or end my job outright?
Most people's choice likely has to do with how likely they think they're the focus of an investigation and how much the FBI already knows or doesn't know.
No, Obama had a personal thing against leakers. None was too many for him. I followed it in the news, but couldn't tell if it was motivated by being a lawyer, so some kind of omerta.
OTOH, previous administrations used leaks as trial balloons, so had a more balanced approach.
Funny enough he did promise transparency https://www.washingtonpost.com/lifestyle/style/obama-promise...
Background on FOIA: Basically, in 1966 the US Government created the Freedom of Information Act that allowed people to ask for records from federal agencies. In theory, it was supposed to create transparency. Unfortunately, it's a bit outdated and in many areas it's turned into many in the Government thinking requestors are just out to get them (and a lot of it is also commercial requesters). Under Obama, the USG denied more requests than ever. In their defense though, it's got really easy to do a FOIA request online and flood the government with requests (it only applies at the federal level, states have their own version of public information laws).
> During President Barack Obama’s first term, then-EPA Administrator Lisa Jackson came under fire for maintaining a separate agency email under the alias “Richard Windsor” — a name that derived from Jackson’s family dog when she lived in East Windsor Township, N.J.
That said, Obama was notorious for his crackdown on leakers. If you at all kept up with the news then, you'd be aware. One of his darker qualities (though he had many positive ones as well).
Yes. The trick is that most likely he needs a lawyer with a security clearance. Yes, those exist for exactly this purpose.
Sounds like a script from House of Cards.
 - https://www.nytco.com/ali-watkins-joining-washington-bureau/
But unencrypted email certainly isn't the right way to go if you're leaking.
Granted, sharing an account with a co-writer turned out to be suspicious behavior, but apparently the government was able to get access to the draft emails that were under Google’s control (and I haven’t heard of any changes to Gmail that would make it more secure now).
Leaking state secrets isn't supposed to be easy and convenient; there's not an app for that.
They weren't exactly being super careful.
Edit: I hope she does not have the same character arc of Zoe Barnes, which I won't spoil.
Many users of these apps don't realize that they are opening themselves up to security issues by performing certain behaviors. Are there any guides to good messenger OPSEC available for the general public (or even at-risk people like journalists or politicians?)
What he was trying to get at is, how does a democracy function properly when it has no idea what its leadership is doing, because the leadership makes everything secret and classified? It's a good question and I don't really have an answer.
I'm not sure I accept the metaphor - visibility is not participation. Too-large meetings are useless because they have too many participants, and everything falls to bike-shedding. Plenty of organizations, from public companies to the Federal Reserve, get things done with visible meetings where interested parties can't speak but do see the minutes. In my version of the metaphor, non-secrecy is totally consistent with small-meeting democracy: we elect people to go and represent us, but demand information about how they did so in order to hold them accountable. (If Congress voted by secret ballot, do you think it would represent us better or worse?)
(The question of information which is harmful to share is a fundamentally different one than a general argument for privacy, and a much harder one. Those cases are real, but it's also true that there's a long track record of government claiming information is harmful to release when it's actually embarrassing or unethical.)
> If we don't trust who we elect to office then that's a separate issue that we need to tackle on its own.
Great, we haven't tackled it, and without clear information about what officials do it's not clear how we can.
There's never been an era of declassification and leaks where we looked around and said "yep, everything in there looks like it was done in good faith". I'll embrace an end to leaks around the same time they stop containing evidence of government bodies knowingly classifying horrible misdeeds.
Hell, I'd even settle for "no war crimes lately", but we haven't managed that yet.
I was about to reply with exactly this point. Transparency does not entail everyone gets their say, merely that the factors and interests considered in a decision are ultimately disclosed with no secrecy. Then perhaps there can be a public commentary period before proceeding so there is some participation, but participation at every step isn't necessary for engendering trust via transparency.
This obviously gets trickier on national security matters, but the judiciary is supposed to judge what is and isn't too sensitive here. Secret court proceedings are skirting dangerously close to crossing that line though.
No, this is not a universal absolute truth.
It's not an easy problem to solve.
Leakers are one way we can learn how the sausage is really made, and in most cases that knowledge is in the public interest.
Perhaps, if you implicitly trust the government
If you try that, don't forget about the Mail Covers program.
If you're mailing a reporter at the NY Times, you're at risk if you use your own handwriting. You might also be at risk if you use a printed label.
There's also the risk that your mail will be intercepted, and I wouldn't be too shocked to discover that government agencies were selectively (or not-so-selectively) reading our mail.
It's probably a better idea than email, but not by all that much.
(The replies to the reporter's pinned tweet, meanwhile, are people gleeful about her messages being seized. I don't recommend reading them, except perhaps as a way of pondering whether a society where literally everyone feels encouraged to send sentence-long invective to literally everyone else has really done good things with communication.)
Note that what was used shouldn’t matter from the POV warrant vs no warrant. Follow on with: there is no claim that there was anything found in those emails. All we have is an acknowledgement that the government is undertaking warrantless surveillance of a reporter. It doesn’t have to find anything, it just needs to be threatening enough to ensure that no one talks again.
Hence “chilling effect on journalism”
One would hope that serious whistleblowers would heed these instructions.
It doesn't matter how competent you are, if you're blowing the whistle then you do not want the slightest chance of making a mistake - got to be a high stress situation, someone holding your hand through a critical portion makes sense to me.
Those emails are notorious for leaking information - especially when you loop someone external in and forget to scrub the long 3 month-long trail at the bottom.
I'd prefer that way to any long chain of online trusted systems of which only one needs to leak. To me digital OpSec feels more difficult to maintain.
Add a printed PGP key and the reporter can post more questions online on their homepage (could the NSA detect cut&paste? JS-events with injected JS?).
What is the correct way for the USG to behave in this manner? Some people are upset that they seized her communications, but what other choice is there? Just let leaks go unpunished? Or should senate aides et al sign a 'no privacy' agreement, where the USG can do whatever they want to intercept their communications at all points?
Are you suggesting leaking details of something like the EPA head's abuses of position should be prosecutable?
> “Freedom of the press is a cornerstone of democracy, and communications between journalists and their sources demand protection,” said Eileen Murphy, a Times spokeswoman.
> Ms. Watkins’s personal lawyer, Mark J. MacDougall, said: “It’s always disconcerting when a journalist’s telephone records are obtained by the Justice Department — through a grand jury subpoena or other legal process. Whether it was really necessary here will depend on the nature of the investigation and the scope of any charges.”
> Ben Smith, the editor in chief of BuzzFeed News, said in a statement, “We’re deeply troubled by what looks like a case of law enforcement interfering with a reporter’s constitutional right to gather information about her own government.”
It's not as simple as that; a few points:
1. The Constitution's protection of freedom of the press can outweigh any laws on classification, though the courts haven't said that.
2. The unauthorized release of classified information has many times been important for democracy to function, for government to be held accountable, and that is exactly the role and function of the press.
3. The classification of information is believed by many to be excessive. Much that is classified is not dangerous and doesn't need to be classified. I've read several examples of information classified to cover up government activities.
4. Classification obviously could be used to intentionally reduce accountability to the public. It's not hard to imagine a scenario where the President commits a crime, and it's covered up by classification. Arguably, this happened with NSA spying and CIA torture.
5. Until the Obama administration, Presidents did not prosecute leaks regularly, indicating that they were not viewed as dangerous. Generally, not nearly all laws are enforced; 'it's illegal' is not a threshold, or it seems almost everyone could be prosecuted for something.
> Had the reporter engaged in murder or theft while reporting, would there be any outrage?