“I don’t always need to be anonymous online, but when I do, I use Tor.”
–The Most Anonymous Man in the World, 2006-present
As tracking and monitoring systems used by governments, hackers, and corporations grow ever more advanced, online anonymity can sometimes feel like a fleeting goal. But the core infrastructure and protocols of the internet haven’t evolved much in the past decade, so the methods and tools I use to stay anonymous haven’t changed much, either.
No tool or service can guarantee me 100 percent anonymity without fail, but if I’m smart and cautious, I can get pretty close. So long as I’m not running a drug cartel or committing acts of terrorism, this guide should be enough for me and the vast majority of people to use the internet without leaving a trace.
This article is for novices, so let’s assume I just want to browse the web anonymously and not do anything too complicated. Let’s get started.
Tor
Download and install Tor Browser. This will be the foundation on which I build my invisible fortress. Tor Browser looks and functions similar to any other web browser, like Chrome, Edge, and Firefox. But look closer, and I’ll point out a few key differences.
First and foremost, Tor Browser isn’t connected directly to the World Wide Web. All internet traffic, both incoming and outgoing, first goes through the Tor Network. An amazing grassroots achievement in its own right, the Tor Network is made up of thousands of relays, called nodes, located all over the world. All of these relays are operated by volunteers who support the Tor Project and keep it open to everyone, free of charge.
Every time I visit a website, all the data that gets uploaded and downloaded in the process is encrypted and sent through a random sequence of nodes, making it next to impossible to trace back to my computer. This process is called onion routing, from which Tor’s name is derived: The Onion Network.
To further protect my identity, Tor Browser comes with a few other tweaks and limitations not found on today’s more popular browsers:
- When you quit Tor Browser, cookies and browsing history are deleted
- HTTPS Everywhere is baked in, which loads the HTTPS version of a website if available
- NoScript is baked in, which stops executable scripts from running on web pages until I explicitly allow it. That includes JavaScript, Java, Flash, Silverlight, and other plugins
- TorButton disables many types of “active” content at the application level, including many security and privacy concerns inherited from the Tor Browser’s ancestor, Firefox
- Most extensions and plugins are not supported
It’s important to remember that the Tor Browser only shields traffic to and from itself. It won’t anonymize activity carried out by other programs like BitTorrent managers and media players. It’s possible to route those programs through the Tor network, but that’s beyond the scope of this article.
Unfortunately, the official Tor Browser is not available on mobile devices. Android users can try Orbot, but iPhone users will need to jailbreak their devices if they want anything resembling the real Tor Browser. For now, I’ll stick to the desktop version.
Once I have the Tor Browser up and running, you can safely assume everything I do for the rest of this article occurs within the Tor Browser.
Don’t log in
I can now access the web anonymously via Tor. I’m now free to browse around, but whatever I do, I never log in. I don’t check my email. I don’t go on Facebook or Twitter. I don’t buy stuff on Amazon. Just to be safe, I don’t even use Google.
Even though my internet traffic is anonymized by Tor while it’s in transit, logging into an account that I created while off the Tor network is just the sort of slip up a snooper is looking for. The website or service that I log into can easily track everything I do on its site, even with the Tor Browser enabled. Let’s put it this way, if I wear a mask to my local gym but sign in with my real name, what’s the point of wearing a mask in the first place?
If I want to anonymously access a website or service that requires me to sign in, then I first need to create an entirely new account while connected to the Tor Network. With a fresh account created while inside the Tor Browser, I can avoid any activity being corroborated with my other, identifiable account.
Which brings me to the next important precaution: if I create an account on the Tor Network, I only access it on the Tor Network. I don’t go through the trouble of creating accounts on the Tor Network and then spoil my efforts by logging into those same accounts later on Chrome. What happens on Tor stays on Tor.
In the same vein, I don’t post anything that could be even remotely traceable to me. I don’t use any usernames or passwords that I have used in the past. I don’t try to be clever by making up fun ambigrams of my real name to use as usernames. I don’t create passwords with my dog’s name or favorite band. For every account I create on the Tor Network, my username is unique and my password is random.
Likewise, I keep my mouth shut. I don’t write comments or social media posts. When I communicate with people, I keep it as brief as possible. By restricting speech to a minimum, I can avoid being recognized through my writing style—something anonymous bloggers should take into consideration. Stylometric analysis tools are capable of identifying people by how they write.
Bridges and VPNs
While I’m browsing the web on Tor, no one can track who I am or what I’m doing. However, my internet service provider will be able to see that I’m using the Tor Network. That’s because Tor relays are listed in a publicly-available directory, and I can assume my ISP has a list of all of them. Even though my ISP can only see encrypted traffic going to the first of many Tor nodes, it’s still enough for them to know that I’m using the Tor network. Sometimes, just that is enough to raise eyebrows.
Understand that Tor, while free and open to everyone, is a favorite avenue for criminals to conduct their business on the DarkNet. The DarkNet consists of websites and services only available through an anonymity network, of which Tor is by far the largest. So even if I’m just using Tor Browser to look at dinner recipes, I can draw undue attention to myself by using it. In some cases, the ISP I’m using might block Tor connections altogether.
So what can I do about my pesky ISP trying to look over my shoulder? Two possible solutions can be used: bridges and VPNs.
Bridges
Bridges are Tor relays not listed in the main Tor directory. I can configure Tor Browser to send all my HTTP traffic through the bridge first, before continuing on to the Tor network. Even if my ISP has a list of some Tor bridges, it probably doesn’t have them all, and I should always be able to find one to access.
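How an observer such as an ISP can match connections against the public relay list, and why an unlisted bridge does not match, shown as an added Python example that is not part of the original article. The consensus excerpt and flow records are constructed samples (documentation address ranges, invented nicknames), and `parse_relays` and `classify_flows` are hypothetical helper names.

```python
import ipaddress

# Constructed sample in the style of a Tor network-status consensus; nicknames,
# digests and addresses (documentation ranges) are invented for illustration.
SAMPLE_CONSENSUS = """\
network-status-version 3
r ExampleGuard AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2024-01-01 00:00:00 192.0.2.10 9001 0
s Fast Guard Running Stable Valid
r ExampleMiddle CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2024-01-01 00:00:00 198.51.100.7 443 0
a [2001:db8::7]:443
s Fast Running Valid
"""

# Constructed flow records (destination IP, destination port) as an ISP sees them.
SAMPLE_FLOWS = [
    ("192.0.2.10", 9001),    # listed relay on its ORPort
    ("203.0.113.50", 443),   # ordinary HTTPS site, or a bridge that is not listed
    ("2001:db8::7", 443),    # listed relay reached over its extra IPv6 address
    ("192.0.2.10", 443),     # relay host, but not the port it advertises
]

def parse_relays(consensus_text):
    """Return {(ip, or_port): nickname} for every relay listed in the consensus."""
    relays = {}
    nickname = None
    for line in consensus_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 8:
            nickname = parts[1]
            # Address and ORPort are the third- and second-from-last fields.
            relays[(ipaddress.ip_address(parts[-3]), int(parts[-2]))] = nickname
        elif parts[0] == "a" and nickname and len(parts) == 2:
            # Additional address line: "a [ipv6]:port" or "a ipv4:port".
            host, _, port = parts[1].rpartition(":")
            relays[(ipaddress.ip_address(host.strip("[]")), int(port))] = nickname
    return relays

def classify_flows(flows, relays):
    """Label each flow with the matching relay nickname, or None if unlisted."""
    return [(dst, port, relays.get((ipaddress.ip_address(dst), port)))
            for dst, port in flows]

if __name__ == "__main__":
    for dst, port, relay in classify_flows(SAMPLE_FLOWS, parse_relays(SAMPLE_CONSENSUS)):
        print(f"{dst}:{port} -> {relay or 'not in public relay list'}")
```

The second flow is the case a bridge falls into: nothing in the public list distinguishes it from any other encrypted connection.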
The most recent upgrade to Tor Browser made using and troubleshooting bridges much easier. To set up a Tor Bridge, do the following:
- Click the onion icon with a drop-down menu next to the URL bar
- Select Tor Network Settings
- Check Tor is censored in my country
- Assuming you don’t have a particular bridge in mind, keep the default option to Select a built-in bridge
- Click the dropdown and select obfs4. I can try the other types if obfs4 doesn’t work
- Click OK
You are now connected to Tor through a bridge! Note that even if your connection isn’t blocked, your ISP might still know about the bridge you’re using. If that’s a concern, either try a more obscure (but trusted) bridge or use a VPN instead.
VPN
Short for Virtual Private Network, a VPN encrypts all of a device’s internet traffic and routes it through an intermediary server in a location of the user’s choosing. In many ways, a VPN is similar to a Tor bridge.
VPNs are not affiliated with Tor bridges in any way. They are privately operated services, which means your ISP is much less likely to blacklist them or monitor access to them. The best VPNs are paid services with their own apps and centralized servers. I wouldn’t trust a free VPN service as far as I could throw it.
Unlike Tor Browser, a VPN encrypts (or should encrypt) all the internet traffic to and from your entire device, not just the web browser. When you connect to a VPN and fire up the Tor Browser, your HTTP traffic is encrypted by both Tor and the VPN application. It’s then sent through the VPN’s secure tunnel to the VPN server. From there, it goes through the Tor network. This setup is called Tor over VPN.
Due to the extra “hop” to the VPN server, using these two tools in combination will further slow down my connection. But because of the VPN’s secure tunnel, my ISP can only see encrypted traffic going to a server. It cannot see that I’m using Tor.
Another possible combination routes traffic first through the Tor network and then through the VPN tunnel, a setup called VPN over Tor. VPN over Tor has its uses, but it’s generally considered less secure and is more difficult to configure, so we’ll ignore it for now.
Bear in mind that the VPN provider—the company that operates the VPN servers—can see my traffic as it leaves their servers. In this case, they could only see that I’m using the Tor browser, and not the contents of my internet traffic. Still, I recommend only signing up for VPN providers that don’t monitor connections and log your activity.
Additionally, only use VPN providers that operate their own private DNS servers. Otherwise DNS traffic, including what websites I visit, ends up in the hands of my ISP or a public DNS provider like Google. As an alternative, I could find and configure a logless DNS server to use with my VPN. DNS.WATCH and OpenNIC are good options.
Search
Google’s business model depends on collecting as much information about its users as possible, and a big part of that includes keeping track of who searches for what. So long as you’re in the Tor browser, Google shouldn’t be able to identify you, but just in case, the Tor browser’s search bar uses DuckDuckGo instead of Google.
DuckDuckGo is a search engine that emphasizes privacy. It doesn’t gather data about who uses it or what they search for. It’s fully independent and the search results are usually the same as what you’d find on Google.
If I find that DuckDuckGo isn’t turning up the results I’m expecting, my alternative search engine is StartPage. StartPage removes identifying information and tracking info from my search query before submitting it to Google on my behalf. The search results come from Google, but each has a proxy link that allows me to access a site without leaving a trace.
Cryptocurrencies
It’s pretty much impossible to spend fiat currency online without leaving behind identifying payment information. So if I want to make an anonymous purchase, donation, or just send someone some money, I use cryptocurrency.
Bitcoin is the most widely accepted, but the assumption that bitcoin is actually anonymous is false. All bitcoin transactions are recorded in the blockchain, each record consisting of the wallet addresses of the sender and receiver and how much bitcoin was transferred. While bitcoin wallets aren’t necessarily tied to someone’s identity, many are. And because I buy my bitcoin from an exchange like most people, any bitcoin I spend can be traced back to me.
So if I want to spend bitcoin anonymously, I have to tumble it first. Bitcoin tumbling—also called mixing or laundering—is the process of pooling your bitcoin with a bunch of other people’s bitcoin, mixing it up, and withdrawing it to make it impossible to trace, allowing me to spend bitcoin anonymously. The process is complex and would take an entire article on its own to explain, but here’s a solid tutorial.
Fast-emerging alternatives to bitcoin are cryptocurrencies with anonymity features built in. These include Monero and Zcash. They aren’t as widely accepted, but you won’t have to spend time and money on mixing your coins to spend them anonymously.
Communication
If I want to anonymously communicate with someone, I prefer to use services that technically offer less privacy but do not require registration.
Note that privacy is not the same as anonymity, and in this article I’m focusing on anonymity. So when it comes to communication, I don’t really care if someone can snoop on my conversations, so long as they can’t identify me. In contrast, a privacy-focused communication service offers more security so that no one can see what I’m writing, but setting up that encrypted channel almost always requires setting up an account.
With all that in mind, I’ll recommend a few of my favorite anonymous email and chat services.
Burner emails
For email, I like to use Mailinator and Guerrilla Mail, each for different purposes.
Mailinator can only receive email, not send it. It’s most useful for anonymously signing up for stuff. I can invent any email address I want so long as it ends with “@mailinator.com”. I don’t have to create the account in advance, and no registration is necessary. Let’s say I need an email address to create a bitcoin wallet. I could sign up using the email address [email protected]. Then I can go to Mailinator and check that inbox to verify the account. All emails are part of the public record and deleted after roughly eight hours.
Reminder: Only access Mailinator from the Tor browser, otherwise the site could log your IP address or add a tracking cookie to your browser. You will have to deal with some annoying CAPTCHAs, but that’s the price of anonymity.
Guerrilla Mail works in much the same way as Mailinator, but I can send and receive email. A randomized email address is created for you as soon as you open the site, and you can change it whenever you like. The email addresses are permanent, but the emails themselves are deleted after about an hour. For two-way communications, this is my preferred tool.
Messaging
Like email, chat apps tend to veer toward privacy rather than anonymity. You can get end-to-end encryption in plenty of chat apps today, including Signal, WhatsApp, and Telegram. But these apps require accounts; accounts require registration; and registration means handing over info. In some cases, you might just need an email, in which case you could use Tor browser plus one of the email services above to create and verify your account. But others will require a second form of authentication, such as a phone number, or other additional information.
So instead, I recommend TorChat. TorChat is a native chat client that generates and assigns a random ID to you. Messages are sent over the Tor network. There’s no signup necessary. Of course, you’ll need to know the ID of the person you’re chatting with, and that’s not as simple as just looking up their name within the app. You and the other party must first arrange an exchange of IDs outside TorChat. I don’t recommend communicating with people you actually know if you want to remain anonymous, but one way of doing this is to exchange the ID with someone using PGP-encrypted email.
Stay secure and up to date
I didn’t focus much on security in this article as the emphasis is more on how I maintain anonymity. However, a gap in security could expose my activity to a third party.
- Use antivirus. Regular scans and real-time monitoring will go a long way in protecting you from malware.
- Enable my firewall. A firewall is the best defense against unsolicited connections from snoopers.
- Secure my wifi router. I change the default username and password, disable WPS, use WPA2 encryption, and enable the NAT firewall.
- Secure my webcam. Just put tape over it.
It’s important to keep all of your apps and operating system up to date at all times. Don’t put off updates because most of them include security patches. Once a security update is released, that signals to hackers that there’s a vulnerability on all the systems that haven’t updated yet, making you a target if you don’t get with the program.
Finally, remember that these tools won’t protect you from yourself. If someone is actively trying to track or monitor your online activity, they are much more likely to find you as a result of human error, not by cracking encryption or running traffic analysis on the Tor network. Just ask Ross Ulbricht, AKA Dread Pirate Roberts.
Image credit: Mask, Javier Pais, CC BY 2.0