Guide featuring a step-by-step approach to setting up a new website when privacy is a significant concern.
In 2016, Exposing the Invisible was approached by a group of investigators who needed to launch a new website while hiding their role in its creation and deployment. The question they posed was how to register a domain name for this website without exposing their involvement or putting their investigation at risk.
This request gave us an entry point from which to explore and document the process by which one can obtain commercial services while protecting one's privacy and hiding one's identity. Clearly, domain name registration is not the only transaction that one might occasionally want to keep "off the record". Many of the steps described in this article are relevant to other activities, as well, such as purchasing non-free software, registering for premium services and paying for access to proprietary databases, among others examples.
This article has three main sections. First, a brief primer on the difference between pseudonymity and anonymity. Second, a reasonably brief, step-by-step description of how we obtained a pseudonymous domain name while making it difficult for anyone to figure out that we had done so. And, finally, a not-so-brief presentation of additional challenges, including details on how some of those challenges might be addressed.
Taken together, the steps presented below are probably good enough to hide one's involvement in the purchase of a domain name — at least for a while — from all but the most powerful, competent and patient of eavesdroppers. At the same time, they are meant to tell a cautionary tale about the point of diminishing returns and the impossibility of "perfect" anonymity.
Pseudonymity, anonymity and linkability
It is worth sketching out the difference between pseudonymity, a word we never use for a thing that's pretty common, and anonymity, a word we use all the time but that actually refers to something very rare. These concepts can be made as complicated as anything else in the world of digital security, but the most basic definitions are often the most useful.
Briefly, then, using an assumed name makes you pseudonymous, but in order to be anonymous, you must prevent others from linking that pseudonym to your real identity.
Fortunately, these things are rarely black and white, so you can probably get away with "not very anonymous" and "really anonymous". Or you can do what security people do and talk about "linkability" instead. The important thing is to recognise that anonymity (whatever you choose to call it) is a shades-of-grey type situation. More specifically, it is worth asking, "prevent who from linking my fake name to my real identity"? If the answer is "a tech-savvy billionaire spy who's also my roommate", then you're going to have to be really anonymous. If the answer is "someone who's not very clever and doesn't care all that much", then a cool sounding pseudonym might just do the trick.
Of course, this gradient of linkability is not specific to domain name registration. It pertains to all sorts of transactions, both online and off, including the simple process of choosing an email address.
Suppose your name is Alice Ann Amburgy. If you sign up for an email account with the address alice.ann.amburgy@gmail.com, then send a message to someone who's heard of you, there's a pretty good chance they'll figure out who sent it. In order to achieve pseudonymity, you might instead register an address like toaster2714@gmail.com. But it won't do you much good if your messages actually show up as having been sent by toaster2714@gmail.com
This is a bit like purchasing a domain name for www.privateproject.com while publicly listing alice.ann.amburgy@gmail.com as your email address in the WHOIS registry. The domain is technically pseudonomys, but it provides almost no anonymity.
Public and private linkability
It is common, and sometimes even useful, to differentiate between public and private linkability. Sending your real name along with your pseudonymous email address is one example of public linkability. So is including your real contact information in the WHOIS registry when you purchase a domain name. Anybody who knows where to look can find evidence of your involvement.
Private linkability is more complicated. Even if you are careful about choosing the
- Have been using it as your personal email account for years;
- Linked it to a social networking profile;
- Paid for it with a credit card;
- Provided a "backup address" or mobile phone number when you created the account; or
- Sign into the account primarily from your home and office IP addresses.
While private linkability is only dangerous in the hands of those who occupy some kind of privileged position, the list of such people is significant. It includes, at a minimum, those who know you well, domain registrars, email and social networking services, ISPs, surveillance agencies and anyone with access to your devices.
Hypothetical but feasible threats include:
- The employee of a domain registrar or domain privacy service eager to accept a hefty bribe,
- A data broker looking to sell transaction information made available by a credit card company,
- An Internet Service Provider (ISP) accustomed to sharing IP address data with government agencies, or
- Service providers and mobile phone carriers willing to reveal the owner of a particular phone number or email address.
The full list is much longer, though, and it probably includes anyone with friends, confidants or subordinates who happen to be one of those other things. And, of course, private linkability becomes public rather suddenly when groups like these get hacked and find their inboxes, transaction logs and user databases dumped online for all to see.
Which brings us back to anonymity's many shades of grey and the website our friends were trying to launch. All of the interesting threats they faced were on the private linkability branch of the anonymity side of the simple taxonomy presented above.
So rather than including a section on pseudonymity and one on anonymity — or a section on public linkability and one on private linkability — we settled on a particular shade of grey and called it "probably good enough". (We actually called it 'Obtaining a respectably anonymous domain name').
To make sense of the challenges they faced, it helps to have a basic understanding of the agreement through which domain ownership is assigned.
Domain ownership and the WHOIS registry
The Internet Corporation for Assigned Names and Numbers ICANN) is a US non-profit organisation created in 1998. Among other duties, it manages the agreements through which domain ownership is assigned. For the purposes of this article, the most important aspect of those agreements is their requirement that domain owners:
provide to Registrar accurate and reliable contact details...including: the full name, postal address, e-mail address, voice telephone number, and fax number if available
This agreement further states that:
willful provision of inaccurate or unreliable information...or...failure to respond for over fifteen (15) calendar days to inquiries by Registrar concerning the accuracy of contact details...shall...be a basis for cancellation of the...registration.
Domain registrars typically submit this contact information to a publicly accessible, distributed database of domain owners called the WHOIS registry. There are a number of free, online services that allow you to search this database. If you want to have a look:
- Navigate to the ICANN WHOIS page in your browser,
- Enter a domain (such as exposingtheinvisible.org) where it says Enter a domain, and
- Click the [Lookup] button.
Obtaining a respectably anonymous domain name
There are two very different ways to register a domain name while attempting to conceal the fact that you have done so. The first requires paying for a commercial domain privacy service. This approach is probably sufficient for most people and is generally a good idea even if are not trying to hide your involvement. The second requires violating the agreement through which you establish your "ownership" of the domain and is typically not something you will want to do unless you need to.
The following section covers the first method; the rest of this article focuses on the second.
Domain privacy services
The most common way to hide domain ownership information is to sign up with a domain privacy service. For a few Euros each month, in addition to the cost of the domain itself, these companies will collect and store your contact information. Then, rather than submitting it to the WHOIS registry, they will submit their own contact information instead. If someone calls to ask who you are, this guy will presumably stare them down, over the phone, while remaining friendly but firm:
Source: www.perfectprivacy.com
Unless the person calling has convincing documents and $75, in whichcase (according to the "Legal" page of this randomly chosen but representative domain privacy service), they will
respond with reasonable promptness to subpoenas and other legal processes...that seek information, documents or other business records [and] evaluate each request based upon the applicable law and facts. An administrative fee of $75 will be charged for each request
Or if your account has violated their acceptable use policy, in which case they "will not protect your identity".
Or, according to their FAQ, if you ignore their attempts to forward mail that
is legal in nature, concerns a lawsuit against you or your domain name or otherwise requires forwarding, [they] may reveal your identity and/or cancel [the] service...
And some companies are even more explicit. Here is one, for example, that reserves its right to:
Disclose Your Contact Information and Terminate the Private Registration Service [and], as it deems necessary in its sole discretion, without providing notice...to
(i) reveal to third parties the contact information provided by you...
(ii) populate the public WHOIS database with the registrant's name, primary postal address, email address and/or telephone number...
(iii) terminate your subscription to the Private Registration Service
These actions might be taken under the following circumstances:
(i) if any third party claims that the domain name violates or infringes a third party's trademark, trade name or other legal rights, whether or not such claim is valid;
(ii) to comply with any applicable laws, government rules or requirements, ICANN policies or requirements, subpoenas, court orders, requests of law enforcement or government agencies; or
(iii) if any third party threatens legal action... that is related in any way, directly or indirectly, to the domain name, or claims that you are using the domain name registration in a manner that violates any law, rule or regulation, or is otherwise illegal or violative of a third party's legal rights, whether or not such claim is valid
Arrangements like this one do not exactly inspire confidence, particularly in situations where the consequences of exposure are severe. In terms of the lexicon established in section one, domain privacy services offer public unlinkability, but very little in the way of private unlinkability. The anonymity they provide depends almost entirely on the reliability and trustworthiness of some company that was probably chosen for you. While we sometimes have the freedom to give our business to an ISP or a registrar that shares our values, we often know next to nothing about the ethical character and operational security of these domainprivacy services.
As an alternative, then, it is possible to register a domain name using a pseudonym.
Registering under a pseudonym
When thinking about private linkability, it may not be enough simply to ask yourself, "from whom am I trying to hide?". The issues above suggest that, even if your registrar is not explicitly on that list, you might still want to conceal your identity from them. And regardless of whether or not you also choose to sign up with a domain privacy service, it is entirely possible to make up a name and contact information when you register your domain. Which is precisely what we did.
By doing so, however, we violated the terms of our ICANN-mandated agreement with our registrar, so we wanted to create a pseudonym that was internally consistent. To do this, we:
- Used a prepaid "gift card," purchased with cash and registered under a new name and address, to pay for the domain name; and
- Used the Tor Browser or Tails whenever we interacted with our gift card provider, our registrar or the new domain itself.
Limiting financial linkability
First, we bought a prepaid gift card to use when registering the domain. The steps below cover this process for a randomly chosen but representative gift card provider.
Step 1.
Buy a prepaid gift card with cash. There are many to choose from:
Our goal here was to prevent our registrar from noticing a discrepancy between our real name and contact information — which we would have to send them as part of a normal credit card transaction — and the new identity information we wanted to submit for the WHOIS registry.
Step 2.
Using the Tor Browser or Tails, we signed into the account management site for our prepaid gift card:
Using Tor allowed us to avoid exposing our office's IP Address or uniquely identifying the browser used for this transaction.
Step 3.
Still using the Tor Browser or Tails, we provided our pseudonym, email address, phone number and other contact information when registering with our gift card provider:
Some online vendors, including domain registrars, require that you enter a street address, zip code or postal code that matches the information on file for the credit care you use. The documentation for this particular gift card, for example, states that
When you register your Prepaid Gift Card you may also use your card for internet, mail and phone order purchases.
Depending on the domain, the registrar and the gift card provider it is sometimes necessary to:
- Choose an address in the country where the gift card was purchased; and
- Identify a real (or at least realistic) street address, either through trial-and-error or by visiting an online "fake address generator" using the Tor Browser or Tails.
Similarly, we were careful about:
- Choosing a phone number that was valid in the appropriate country, and
- Choosing an email address at which we could actually receive mail, while
- Making sure that email address did not reveal anything about us or our partners.
Have a look at section three for advice on how to obtain a prepaid mobile phone and use it to create a new Gmail account without linking either of them to your real identity.
Step 4.
We made sure to record all of these details in case we needed to reference them later on. (We did.) We used KeePassX — a free and open-source, encrypted password database manager — to store and protect all of our pseudonymous usernames, passphrases and new contact information:
Security-in-a-Box includes step-by-step Tool Guides on how to install and use KeePassX for Windows and Linux.
Purchasing the domain
Next, we found and purchased the domain name itself. The steps below feature a randomly chosen but representative domain registrar.
Step 1.
Using the Tor Browser or Tails, we searched for and requested the domain name we wanted to register.
Step 2.
Still using the Tor Browser or Tails, we created an account on our registrar's domain management site, entering the pseudonymous contact information we established for our prepaid gift card.
Step 3.
Once again, we made sure to record the details in our KeePassX database.
Step 4.
Still using the Tor Browser or Tails, we provided payment information with our prepaid gift-card and the associated contact information.
This took several attempts, and we had to try a few different registrars before we found one that let us complete the transaction. Amongst these were registrars that:
- Requested that we solve CAPTCHAs in order to visit their website through Tor,
- Rejected our newly created contact information,
- Refused payment from our prepaid gift card, and
- Took a long time to refund our money after refusing payment.
Click through this slideshow below to see these attempts.
Step 5.
Our registrar warned us that, if we did not verify our email address, they would revoke our domain. Which makes sense, given that they are required by ICANN to forward along certain information. We verified the address we provided while using the Tor Browser or Tails.
Step 6.
Finally, we used the Tor Browser or Tails to query our own WHOIS entry. The figure below shows a command line WHOIS lookup on Tails, but services like this one can also be used for such queries. In our case, we signed up with a domain privacy service in addition to providing pseudonymous contact information. The information shown corresponds to the former. But, if we were ever dumped by our privacy service, the same query would reveal our pseudonym rather than our true identity.
Obtaining a "really" anonymous domain name
In part because most domain registrars require a verified email address, there were limits to the anonymity we could achieve by following the steps above, which fail to address a few specific private linkability risks. Registering under an email address that had been used for other activities would mean allowing someone to observe a connection between those activities and the new domain name. Depending on how publicly we had used that address — and on how careful we were in other ways — that "someone" might include our email provider, our registrar or our ISP, among other potentially interested parties.
Accordingly, the steps below suggest one way of signing up for a new email account without creating an obvious connection between that address and our real identity. Because many email providers now ask for a mobile phone number, however, doing so requires that we must also take into consideration limiting the linkability of our mobile phone number. All told, then, we rely on the following steps to hide our involvement:
- Limiting the linkability of our mobile phone number,
- Using that number to limit the linkability of our email address, and
- Doing all of this before "Registering under a pseudonym", as described in the previous section.
Limiting the linkability of our mobile phone number
By using cash to purchase and top up a prepaid mobile phone — and by using the Tor Browser or Tails when registering and activating it — we were able to reduce the likelihood that anyone could trace our new phone number back to us. And because we know very little about the software on that phone or the business model that made it so cheap, we decided to remove its battery whenever it was near our office, any of our homes or any of our regular mobile phones.
The steps below cover this process for a randomly chosen but representative prepaid mobile phone provider.
Step 1.
This first sequence of steps adds up to a bit of an excursion. Leaving our regular mobile phones at home, but bringing along laptops and Tails USB sticks, we found a shop that sells prepaid mobile phones and top-up cards. We used cash to buy a phone and enough connectivity ("air time," "minutes," etc.) to receive a few SMS text messages. Because we hoped to keep this phone number for a while, we bought a top-up card that would remain active for a few months.
Step 2.
Using the Tor Browser or Tails, and working somewhere other than our homes or our office, we charged and activated our new prepaid mobile phone:
Step 3.
Still using the Tor Browser or Tails, we then registered our prepaid mobile phone and created an account with the provider:
Step 4.
We added our prepaid mobile phone account details to our KeePassX database.
Step 5.
Still using the Tor Browser or Tails, we finished activating our prepaid phone and and topped it up using our "Airtime" card.
Limiting the linkability of our email address
After jumping through all of the hoops required to get our prepaid mobile phone working, we were able to create an email address to use when registering our new domain. This part went much more quickly.
Step 1.
Using Tails — and without returning to the office or coming anywhere near our regular mobile phones — we chose an email provider and created a new account. We entered the same contact information we provided when registering our prepaid phone, including the number of the phone itself.
Step 2.
As part of this process, we were asked to verify the phone number we provided when creating the account.
When we first began accessing our new Gmail account — which, for us, was to verify our address after purchasing the domain name — we noticed this error appearing below due to our use of Tor. In addition to the usual CAPTCHAs, we saw the occasional authentication error like this one:
We were able to continue working when this happened. Presumably Gmail would eventually make us reauthenticate, but we never stayed signed in long enough to find out. For this reason, among others, Gmail may have been a poor choice for a pseudonymous email account. But given that our goal was to maintain a "normal looking" address that we only intended to check when verifying our new identity, we decided to stick with it.
Step 3.
Once we had verified our email account, we removed the battery from our prepaid phone. We then purchased a prepaid gift card and registered a domain name as described in the previous section.
Step 4.
Before continuing, though, we added the account details for our prepaid mobile phone to our KeePassX database.
Additional considerations and diminishing returns
In a sense, all of this extra work is still part of "Registering under a pseudonym". Reducing the linkability of the phone number used to increase the anonymity of the email address associated with our pseudonymous domain name is really just a way to make a weak deception stronger. It's also the first step toward "hiding" from our email and mobile phone providers — toward mitigating those private linkability threats — but those problems are much more difficult to solve. Mobile phones have GPS trackers, cameras and microphones in them. And Gmail is, of course, administered by Google, which runs a lot of software on our devices and which very much wants to know what we're up to at any given moment.
So, in the example above, if we really want to prevent Google and TracFone (and perhaps some Chinese software company that does business with ZTE) from unmasking the true owner of expungingtheindelible.org, then we probably have a bit more work to do. And as soon as we start using this new domain name, we'll find there are plenty of other people capable of noticing when we do. Examples might include:
- The web hosting, server or VPS provider that runs the infrastructure and provides the IP address to which the domain send traffic;
- Our ISP when we access or edit content that lives at that address; and
- Other online services (the WHOIS registry itself, for example, could easily link our office IP address to the domain name if we forget to use Tor when checking to see if the steps above actually worked).
Rather than trying to determine which of these are legitimate risks, we decided on a few relatively simple precautions that seem worth the effort either way. Some of these (like using Tor) are probably quite important. Others (like putting a sticker over the camera on our prepaid mobile phone) made the list because we only had to do them once. And because they seemed unlikely to make things worse.
To that end, we always use the Tor Browser or Tails when:
- Accessing the account for our prepaid mobile phone;
- Accessing our new email account;
- Accessing the account for our prepaid gift card;
- Making a purchase with our prepaid gift card; or
- Accessing, administering or searching for information about our friends' new domain name.
Maintaining this kind of discipline is harder than it sounds. It has helped that we keep all related passphrases — randomly generated passphrases, mind you, which are nearly impossible to remember — in a KeePassX database that exists only in persistent storage on a Tails USB stick. Habits like this come with a steep learning curve, but in this case the inconvenience is sort of the point.
We also:
- Put a sticker over both cameras on our prepaid mobile phone before inserting the battery;
- Keep the battery out of the prepaid phone whenever it's near our homes, our office or our regular mobile phones; and
- Avoid using our prepaid gift card for unrelated purchases.
One final point before you head out to go burner shopping. Yes, facial recognition technology is better than it used to be. And yes, there are probably cameras in or near most shops that sell such things. And yes, the number of unfriendly people who can turn a prepaid credit card number into a few seconds of grainy CCTV footage is probably greater than zero. We decided that, for our purposes, we did not need to deceive those people. If you do, we will leave it to you to determine whether you should be shopping in another country. Or investing in BitCoin. Or starting a fake mustache collection.
Header image: Dream Sequence,Creative Commons Zero - CC0