-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

Title: Bootstrapping an Online Identity with Phone Verified Accounts

By: Gilgamesh XVII | @gilgameshXVII | gilgameshxvii@tutanota.com

Goal:

Create a phone-verified email address and other online accounts in a way that

minimizes potential connection to your real identity.

Abstract:

Buy a burner phone as anonymously as possible. Use it once to create and verify

email and social media accounts. Only access these accounts using anonymizing

technologies.

Foreword:

What follows is a tutorial for creating an online presence using methods that

minimize the ability of an adversary to connect that identity to you. It is

geared towards people in the United States. It assumes a law enforcement or

similar state adversary with full access to public and private business

records. It assumes you will NOT be under targeted surveillance during any of

the process.

This guide is neither complete nor perfect, it should serve only as a

starting point for your own particular plan of action (which will vary

according to your specific needs and threats).

This is by no means the only or best method of accomplishing these goals. In

fact, if you are able to establish the accounts you need without any phone

number at all, you're probably safer doing that.

Commentary and corrections are welcomed.

Note:

While this is a largely non-technical guide, it does reference certain

anonymizing technologies (mostly Tor) for the phone activation and ultimate

use steps.

While a greater fluency with these technologies will enhance your results, at a

bare minimum you must be able to install and use the Tor Browser. A short

addendum regarding Tor is offered at the end of the guide, but is by no means

exhaustive.

Be aware that simply using or even searching for the words "Tor Browser" has

security implications. It is critical that you understand how to safely use

the Tor Browser (both technically and in terms of your online behavior), and

what threats the software does, and does not, protect you from.

This topic is vast (and largely outside the scope of this guide), but should

be firmly understood before you begin. At a minimum, read the addendum and

linked resources found there before you begin this process.

Step 1: Get Cash.

Get at least $100 in cash, however you would normally do that (ideally, at

least a few days in advance).

[Why]: You need cash to buy a burner phone. You want to wait so that an unusual

withdraw occurs as far as is practical from the time of purchase.

Step 2: Leave your Phone at Home.

At the end of the day on a week day or during the weekend (or whenever you

would normally be at home), leave your real phone on and at home. Find a big

box store (ideally one not close to your home or work), and prepare to travel

there without any GPS navigation.

Do not do a Google search while logged in from your home computer in order to

find one. If you must use the web to find a store, use the Tor Browser (see

addendum for more).

[Why]: It is possible to determine where and at what exact time a particular

burner phone was purchased. The location of any phone at a certain time can be

easily determined from cell tower records and GPS data. If your personal cell

phone is geolocated as being near the store when the purchase was made, you are

now on a very short list of suspects.

Since most people carry their phones at all times, leaving your phone at home

creates the appearance that you are home too. Turning off your phone can be

suspicious as most phones are left on continuously. This is especially true if

your phone is only off during the time frame of the purchase.

(Optional Hardmode Step): Change your Appearance.

Ideally, switch your apparent gender (if you can pull that off convincingly,

most people can't). Wear a hat or change your hair color. Wear big glasses (but

not sunglasses) if you don’t normally wear glasses, or leave your glasses at

home if you normally wear glasses. Wear clothes you don't wear on a regular

basis. Wear a big puffy coat or other bulky items that make it harder to

determine your weight. Use a wheelchair or wear wedges/lifts to make your

height harder to determine. Use crutches or a cane to disguise your normal

stride pattern (which can be used to identify you if compared to footage of

your natural stride). Stick pieces of cotton balls under your upper and lower

lip area (even a little bit can dramatically alter how your face looks).

[Why]: It is possible to determine the location and date of your phone

purchase, and surveillance footage of you buying the phone may be available to

your adversary. By disguising yourself, you make it harder for your adversary

to use your appearance to narrow down the list of possible suspects based on

gender, weight, height, etc. You also make it harder for a picture of your face

to be matched to known photos of you using facial recognition software.

Step 3: Big Box Store.

Take public transportation or a cab paid with cash if available. Otherwise,

park as far from the building as possible, ideally not even in the parking lot.

[Why]: Most stores have cameras on the building which overlook the parking lot,

and many have cameras on light poles in the parking lot itself. This footage

can be used to identify your license plate or the type of vehicle you arrived

in.

Step 4: Electronics Section.

Go inside and head straight to the electronics section. Try not to look up or

directly at any cameras if possible.

Step 5: Buy a Burner.

Purchase a cheap prepaid Android phone and a 1 month refill card (with 3G data)

for the same vendor if necessary. You will probably have to get an employee to

unlock the case to get the phone for you. You should pay for the phone at the

register in the electronics section if you can.

[Why]: The burner gives you a way to access the internet anywhere without

having to provide a name. It also gives you a real phone number that can be

used to verify any online accounts, which is often required. Using apps to

create accounts also generally throws up less red flags and requires less

thorough verification than using a web browser.

Step 6: Wait.

Wait as long as is practical before activating the phone. Generally you have up

to 90 days to activate a phone after purchase. It should tell you the time

period somewhere in the phone documentation.

[Why]: Most big box stores keep surveillance footage for at least 30 days. Some

probably keep it for much longer, maybe forever. By maximizing the time between

buying the phone and that phone coming to the interest of your adversary, you

increase the chances that any footage of your purchase will no longer be

available.

Step 7: Activation.

Before you can use the burner, you either need to call a number or visit a

website to activate it. There are many ways you could do this, but you need to

make sure you do this using a method that is difficult to associate with you.

Some options include:

- Using a VM/VPN: Using a virtual machine (Virtual Box, VM Ware, KVM, etc)

connected over a domestic VPN service purchased anonymously is probably the

best option (see addendum).

- Using Tor: Using the Tor Browser to access the activation website is

probably an automatic red flag. However, it can be used if necessary (see

addendum).

- By phone: Assuming you can find one, call from a pay phone or other phone

not linkable to you, that has no cameras watching it, that is located in a

place that is as far as possible from any place associated with you, and

leave your real phone at home when you travel there.

[Why]: How and where the phone was activated is probably stored by the phone

company forever. You want to avoid this being linked to you directly or to a

place you are known to visit.

Using Tor to activate the phone probably triggers some red flags that may raise

adversarial interest in that phone much sooner than it otherwise would. (I have

no real data to support this claim, but it is trivial to automatically

determine if someone activated a burner over Tor, and anyone doing that is

almost certainly up to something interesting. I would absolutely be screening

for this if I were an adversary).

Step 8: Road trip.

Drive to a place you have never been before, that is as far away from any place

you are associated with (home, work, school, etc.) as possible. Rural places

are less likely to have cameras. Again, leave your real phone at home. Avoid

toll roads or pay tolls in cash if unavoidable. Find a spot to park where you

won't attract attention.

Step 9: Create your Accounts. This should be the first and last time you turn

on the phone. Connect over 3G. Create a new Google account when prompted.

Install the apps for accounts you want to create: Facebook, Twitter, Instagram,

Pastebin, Tumblr, etc. Use the gmail account you made with the phone for an

email. Add the burner phone number to all of your accounts if possible. Verify

the number via text or by voice call. When you're done, turn the phone off and

pull out the battery. Hide it somewhere other than where you called from, but

not your home, work, car, etc.

Remember to bring paper and a pen to write down your newly created credentials.

[Why]: You want to be able to use these accounts later without having them

flagged as spam. Creating and verifying them in this way should ensure they are

not flagged later if you log in over Tor. The general location of where the

phone was used will be trivially discoverable, so you should make sure it is in

a random location that won't link back to you. Hiding the phone somewhere else

allows you to safely retrieve it later, if necessary.

Step 10: Using the Accounts.

Now any time you need to use any of the accounts you created, you will use the

Tor Browser to access them anonymously (see addendum).

Addendum:

Tor is an anonymizing network technology that hides the location and activity

of a user by encrypting and routing their connection through a series of

volunteer computers.

While Tor hides where you are from the services you connect to, and hides what

you are doing from your internet provider, it does not hide the fact you are

using Tor from anyone.

In the past (and probably still today) people who used Tor, or even just

visited the Tor Project's website, have been automatically targeted for

increased surveillance:

https://motherboard.vice.com/read/how-the-nsa-targets-tor-users

The simple fact that a person used Tor has been sufficient to imply authorship

of posts or emails made during that same time period:

http://www.theverge.com/2013/12/18/5224130/fbi-agents-tracked-harvard-bomb-threats-across-tor

Flaws in the Tor Browser have been exploited in the past to reveal the

identities of users:

https://www.eff.org/deeplinks/2016/09/playpen-story-fbis-unprecedented-and-illegal-hacking-operation

While there is currently no evidence that any adversaries with a global passive

view of internet traffic have deanonymized specific Tor users on demand, such a

feat is probably well within the technical capabilities of the intelligence

agencies of several nations, including the United States.

Tor is not magic and does not automatically make everything you do anonymous. A

critical part of remaining anonymous is the completely non-technical imparitive

of not revealing information that could be used to profile you. See this video

for a good discussion of this principle:

https://youtube.com/watch?v=9XaYdCdwiWU

Also be aware that your writing style itself may betray your identity.

Stylometry is actively used to correlate anonymous writings with writings of

known authorship. While the success rate is largely a factor of the size of

possible suspects, success rates of over 90% have been demonstrated with as

many as 250 possible authors. There are tools available to help you find the

uniquely identifiable characteristics of your own writings:

https://github.com/psal/jstylo and to help you reduce the uniqueness of

writings you plan to post anonymously: https://github.com/psal/anonymouth

The easiest way to access the Tor network is using the Tor Browser, which is a

modified version of the Firefox browser. You can read the Tor Browser User

Manual here: https://tb-manual.torproject.org/en-US/ and you can download the

Tor Browser here: https://www.torproject.org/projects/torbrowser.html

-----BEGIN PGP SIGNATURE-----

iQEcBAEBAgAGBQJYjS4wAAoJEMZAqJGRzM6H5KoIAJGP+xB4bJ4DWOX9mpsck64Z

3w55FGEQFmf2ym3l0Rsku6uP/tnwRQcWQANT8U4skjil5a+3mdaR+Gse8WXywDUO

D1cYIjhEDaIZay3dYCyAAHUrR8x99rJEzW/U99cQ+kZBBtCsPLqH8YuX4uqx/Nm5

qYA9/iNEnJxu/4p1FrGl8XZafbZByuUT+uPjauGNePwcs+WqMUvS8TTX08EW65fE

w8v8upw18UbSO7BU4JemVB9MkgzPHvewzWfDdi+pvN3CrO6SsSEIqSTiHf263/gA

fE+SdU9eOxwStc4BKBM5uXGGT0vHlmlf193WxNiGVD2QB3r4zKxgHODGm0DNid0=

=Z8i4