Title: Bootstrapping an Online Identity with Phone Verified Accounts
By: Gilgamesh XVII | @gilgameshXVII | gilgameshxvii@tutanota.com
Goal: Create a phone-verified email address and other online accounts in a way that minimizes potential connection to your real identity.
Abstract: Buy a burner phone as anonymously as possible. Use it once to create and verify email and social media accounts. Only access these accounts using anonymizing technologies.
Foreword: What follows is a tutorial for creating an online presence using methods that minimize the ability of an adversary to connect that identity to you. It is geared towards people in the United States. It assumes a law enforcement or similar state adversary with full access to public and private business records. It assumes you will NOT be under targeted surveillance during any of the process.
This guide is neither complete nor perfect; it should serve only as a starting point for your own particular plan of action (which will vary according to your specific needs and threats).
This is by no means the only or best method of accomplishing these goals. In fact, if you are able to establish the accounts you need without any phone number at all, you're probably safer doing that.
Commentary and corrections are welcomed.
Note: While this is a largely non-technical guide, it does reference certain anonymizing technologies (mostly Tor) for the phone activation and ultimate use steps.
While a greater fluency with these technologies will enhance your results, at a bare minimum you must be able to install and use the Tor Browser. A short addendum regarding Tor is offered at the end of the guide, but is by no means exhaustive.
Be aware that simply using or even searching for the words "Tor Browser" has security implications. It is critical that you understand how to safely use the Tor Browser (both technically and in terms of your online behavior), and what threats the software does, and does not, protect you from.
This topic is vast (and largely outside the scope of this guide), but should be firmly understood before you begin. At a minimum, read the addendum and linked resources found there before you begin this process.
Step 1: Get Cash. Get at least $100 in cash, however you would normally do that (ideally, at least a few days in advance).
[Why]: You need cash to buy a burner phone. You want to wait so that an unusual withdrawal occurs as far as is practical from the time of purchase.
Step 2: Leave your Phone at Home. At the end of the day on a weekday or during the weekend (or whenever you would normally be at home), leave your real phone on and at home. Find a big box store (ideally one not close to your home or work), and prepare to travel there without any GPS navigation.
Do not do a Google search while logged in from your home computer in order to find one. If you must use the web to find a store, use the Tor Browser (see addendum for more).
[Why]: It is possible to determine where and at what exact time a particular burner phone was purchased. The location of any phone at a certain time can be easily determined from cell tower records and GPS data. If your personal cell phone is geolocated as being near the store when the purchase was made, you are now on a very short list of suspects. Since most people carry their phones at all times, leaving your phone at home creates the appearance that you are home too. Turning off your phone can be suspicious as most phones are left on continuously. This is especially true if your phone is only off during the time frame of the purchase.
(Optional Hardmode Step): Change your Appearance. Ideally, switch your apparent gender (if you can pull that off convincingly, most people can't). Wear a hat or change your hair color. Wear big glasses (but not sunglasses) if you don't normally wear glasses, or leave your glasses at home if you normally wear glasses. Wear clothes you don't wear on a regular basis. Wear a big puffy coat or other bulky items that make it harder to determine your weight. Use a wheelchair or wear wedges/lifts to make your height harder to determine. Use crutches or a cane to disguise your normal stride pattern (which can be used to identify you if compared to footage of your natural stride). Stick pieces of cotton balls under your upper and lower lip area (even a little bit can dramatically alter how your face looks).
[Why]: It is possible to determine the location and date of your phone purchase, and surveillance footage of you buying the phone may be available to your adversary. By disguising yourself, you make it harder for your adversary to use your appearance to narrow down the list of possible suspects based on gender, weight, height, etc. You also make it harder for a picture of your face to be matched to known photos of you using facial recognition software.
Step 3: Big Box Store. Take public transportation or a cab paid with cash if available. Otherwise, park as far from the building as possible, ideally not even in the parking lot.
[Why]: Most stores have cameras on the building which overlook the parking lot, and many have cameras on light poles in the parking lot itself. This footage can be used to identify your license plate or the type of vehicle you arrived in.
Step 4: Electronics Section. Go inside and head straight to the electronics section. Try not to look up or directly at any cameras if possible.
Step 5: Buy a Burner. Purchase a cheap prepaid Android phone and a 1 month refill card (with 3G data) for the same vendor if necessary. You will probably have to get an employee to unlock the case to get the phone for you. You should pay for the phone at the register in the electronics section if you can.
[Why]: The burner gives you a way to access the internet anywhere without having to provide a name. It also gives you a real phone number that can be used to verify any online accounts, which is often required. Using apps to create accounts also generally throws up fewer red flags and requires less thorough verification than using a web browser.
Step 6: Wait. Wait as long as is practical before activating the phone. Generally you have up to 90 days to activate a phone after purchase. It should tell you the time period somewhere in the phone documentation.
[Why]: Most big box stores keep surveillance footage for at least 30 days. Some probably keep it for much longer, maybe forever. By maximizing the time between buying the phone and that phone coming to the interest of your adversary, you increase the chances that any footage of your purchase will no longer be available.
Step 7: Activation. Before you can use the burner, you either need to call a number or visit a website to activate it. There are many ways you could do this, but you need to make sure you do this using a method that is difficult to associate with you. Some options include:
* Using a VM/VPN: Using a virtual machine (VirtualBox, VMware, KVM, etc.) connected over a domestic VPN service purchased anonymously is probably the best option (see addendum).
* Using Tor: Using the Tor Browser to access the activation website is probably an automatic red flag. However, it can be used if necessary (see addendum).
* By phone: Assuming you can find one, call from a pay phone or other phone not linkable to you, that has no cameras watching it, that is located in a place that is as far as possible from any place associated with you, and leave your real phone at home when you travel there.
[Why]: How and where the phone was activated is probably stored by the phone company forever. You want to avoid this being linked to you directly or to a place you are known to visit. Using Tor to activate the phone probably triggers some red flags that may raise adversarial interest in that phone much sooner than it otherwise would. (I have no real data to support this claim, but it is trivial to automatically determine if someone activated a burner over Tor, and anyone doing that is almost certainly up to something interesting. I would absolutely be screening for this if I were an adversary).
Step 8: Road trip. Drive to a place you have never been before, that is as far away from any place you are associated with (home, work, school, etc.) as possible. Rural places are less likely to have cameras. Again, leave your real phone at home. Avoid toll roads or pay tolls in cash if unavoidable. Find a spot to park where you won't attract attention.
Step 9: Create your Accounts. This should be the first and last time you turn on the phone. Connect over 3G. Create a new Google account when prompted. Install the apps for accounts you want to create: Facebook, Twitter, Instagram, Pastebin, Tumblr, etc. Use the Gmail account you made with the phone for an email. Add the burner phone number to all of your accounts if possible. Verify the number via text or by voice call. When you're done, turn the phone off and pull out the battery. Hide it somewhere other than where you called from, but not your home, work, car, etc.
Remember to bring paper and a pen to write down your newly created credentials.
[Why]: You want to be able to use these accounts later without having them flagged as spam. Creating and verifying them in this way should ensure they are not flagged later if you log in over Tor. The general location of where the phone was used will be trivially discoverable, so you should make sure it is in a random location that won't link back to you. Hiding the phone somewhere else allows you to safely retrieve it later, if necessary.
Step 10: Using the Accounts. Now any time you need to use any of the accounts you created, you will use the Tor Browser to access them anonymously (see addendum).
Addendum:
Tor is an anonymizing network technology that hides the location and activity of a user by encrypting and routing their connection through a series of volunteer computers.
While Tor hides where you are from the services you connect to, and hides what you are doing from your internet provider, it does not hide the fact you are using Tor from anyone.
In the past (and probably still today) people who used Tor, or even just visited the Tor Project's website, have been automatically targeted for increased surveillance: https://motherboard.vice.com/read/how-the-nsa-targets-tor-users
The simple fact that a person used Tor has been sufficient to imply authorship of posts or emails made during that same time period: http://www.theverge.com/2013/12/18/5224130/fbi-agents-tracked-harvard-bomb-threats-across-tor
Flaws in the Tor Browser have been exploited in the past to reveal the identities of users: https://www.eff.org/deeplinks/2016/09/playpen-story-fbis-unprecedented-and-illegal-hacking-operation
While there is currently no evidence that any adversaries with a global passive view of internet traffic have deanonymized specific Tor users on demand, such a feat is probably well within the technical capabilities of the intelligence agencies of several nations, including the United States.
Tor is not magic and does not automatically make everything you do anonymous. A critical part of remaining anonymous is the completely non-technical imperative of not revealing information that could be used to profile you. See this video for a good discussion of this principle: https://youtube.com/watch?v=9XaYdCdwiWU
Also be aware that your writing style itself may betray your identity. Stylometry is actively used to correlate anonymous writings with writings of known authorship. While the success rate is largely a function of the number of possible suspects, success rates of over 90% have been demonstrated with as many as 250 possible authors. There are tools available to help you find the uniquely identifiable characteristics of your own writings: https://github.com/psal/jstylo and to help you reduce the uniqueness of writings you plan to post anonymously: https://github.com/psal/anonymouth
The easiest way to access the Tor network is using the Tor Browser, which is a modified version of the Firefox browser. You can read the Tor Browser User Manual here: https://tb-manual.torproject.org/en-US/ and you can download the Tor Browser here: https://www.torproject.org/projects/torbrowser.html
Okay I deal with phones a lot and I want the top opsec possible because these phones carry a lot of incriminating evidence.
But this shit is fucking retarded. Holy mother of fucking merciful what in God's name are you doing with this phone? Calling in bomb threats on world leaders? Late night phone calls with ISIS? Or are you organizing a Saudi Prince's kidnapping and subsequent rape, torture and sale?
Not to mention the glaring omissions of the most basic things.