Not long back we discussed how you can access the dark alleys of the internet through Tor, but we largely left off on the part about keeping yourself safe. The subject is more relevant than ever with Congress recently passing an amendment to Rule 41 of the Federal Rules of Criminal Procedure, allowing law enforcement to target users of encryption, VPNs, Tor etc. for hacking and surveillance.
Of course, for every criminal using these technologies to temporarily shield themselves from justice, there's a law-abiding journalist communicating with a crucial source. Given the new legislation, privacy advocates who plan to continue using encryption and anonymization software ought to double-down on their security.
Here's a brief overview of tips and services for keeping yourself safe while surfing the seedy underbelly of the web. And given the same principles apply, these recommendations can also serve as a general guide to anonymizing yourself in the normal (a.k.a. surface) web, too.
Get off your personal computer
Starting from the top, if you're serious about the security of whatever it is you're doing on the dark web, it's worth running an entirely separate environment from your main computer and internet connection (we'll get to the second one shortly).
You have two main choices for changing your operating system environment: a virtual machine or a Linux 'Live CD'. The former is convenient because you can run a virtualized OS inside your primary active OS without changing hardware or rebooting (just download virtualization software and an ISO), while the latter is perhaps more attractive for its portability.
Installing a Linux distro on a bootable USB drive will let you plug it into any computer you come across to load up your custom environment and your session is stored in the machine's random access memory which gets dumped when rebooted. You can save content to the USB drive and you could always carry a laptop instead of seeking out random PCs.
Creating a bootable thumb drive is as simple as downloading the ISO of your preferred flavor of Linux (Tails, Kali or Mint are good choices for this project) and using a utility such as Rufus to install it on a USB drive that's plugged in. Linux GUIs have improved to the point where you may get away without opening the terminal, but in the event that you must, here's a beginner's guide to the Linux command line.
Don't connect from your internet address
This is what Tor, VPNs and other such proxies are meant to aid with, but depending on your level of paranoia, you may want to make your initial connection from a public Wi-Fi network or consider investing in a pay-as-you-go burner device with mobile data access and a swappable SIM. Here are the FTC's own tips on safely using public Wi-Fi.
Layering your location by starting at a random Wi-Fi hotspot and then connecting to a VPN before loading Tor will greatly increase your odds of anonymity.
Relying on Tor alone may be a gamble given the efforts to deanonymize its users and the fact that some of its exit nodes are presumed to be compromised, which is why it should only be one tool in your toolbox. Using Tor correctly could make or break your success at anonymity so consider reading a full rundown on how it works if you aren't familiar.
Once on the dark net, you would defeat the purpose of all this proxying by logging into your usual accounts. It's wise to use random throwaway names and to store the credentials locally with KeePass instead of an online account manager that could be more easily compromised, at which point your all your throwaways might become a lot less random.
*Tip: Don't blindly click links. Hover over them and check the status bar at the bottom of your browser to see where you're going.
Encrypt your storage
Operating systems including most Linux distros and even Windows have native drive encryption at this point and if you're not using that then check out VeraCrypt, a fork of TrueCrypt that has become the defacto open-source encryption software for securing drives and partitions, such as the USB drive containing your live Linux install or the directory where you keep your virtual machine.
It goes without saying that storing your data locally on encrypted drives is infinitely safer than uploading it to the cloud, but it should also be mentioned that there are security-conscious file hosts:
- Mega: 50GB free and paid options starting at ~$5/mo
- Tresorit: A more secure Dropbox, 1TB for $30/mo
- ExpireBox: Unencrypted but supports files up to 150MB and auto-deletes them after two days
Use private search engines
If you're coming from Google, StartPage might be the best alternative as it fetches Google's results but interacts with the company's servers without logging your IP address or downloading tracking cookies. Conveniently, StartPage provides a proxy link next to each search result, which not only improves your anonymity but also helps avoid some of the captchas you'll run into on Tor.
Searx.me also deserves to be mentioned for its features including integrated proxy and cache links next to your results as well as tabbed searches for files, maps, videos, social media and more.
The EFF offers a great starting point for brushing up on the subject of communicating with others securely, which includes an intro to PGP and a guide on setting it up. If you'd rather not jump through those hoops, there are communication platforms with firm privacy policies, integrated encryption and features that resemble familiar services:
- ProtonMail: Free accounts get 500MB of storage, plans start at €4/mo for 5GB, a custom domain and five aliases.
- Tutanota: Free users get 1GB of storage, €1/mo opens custom domains and aliases, €2/mo expands to 10GB storage.
- StartMail: Free seven-day trial, plans start at $59.95/yr ($4.99/mo) for 10GB of storage and 10 aliases w/ unlimited disposable aliases.
Image credit: Ricky Montalvo on flickr
- RetroShare: Software akin to Skype except it's decentralized and encrypted. Features include file-sharing, multi-user chat and video calls.
- Jitsi: Rivals RetroShare in functionality but uses Off-the-Record (OTR) for encryption and touts extras such as support for IRC, MSN etc.
- Pidgin+OTR: A cleaner, more conventional multi-protocol IM client with support for OTR, but you'll have to download and install the plugin.
- Signal: Open Whisper System's solution for encrypted texting/VoIP and self-timed expiring messages on Android/iOS/Chrome app for PC.
- Confide: Self-deleting text/voice messages, pics and docs with support for multiple recipients, end-to-end encryption and screenshot protection.
- Lockify: A Chrome app to create expiring messages that can be sent via link or QR code. The recipient verifies their identity by your chosen method.
As we said in our Dark Web 101 article, there's no such thing as being 100% anonymous or secure and your biggest shortcoming is going to be human error, but you can still make it more difficult to track your identity by taking advantage of a few free services.