How can I keep my identity anonymous as a website owner/administrator?

Question

My question looks touchy, but I'll do my best to explain. You see, I live in country where democratic rules are quite, well, delusive.

In theory, there is freedom of speech, democratic elections and so on, but in practice trying to do anything in opposition to the current government's political course leads to many problems.

For example, the police can say that you are suspected of breaking copyright laws and take away you computer for months, then return it, saying "Okay, we've checked it out, looks like everything is normal," But your time will be completely wasted.

That is a reason I want to create a political site, but I want it to be anonymous. I mean, anonymous in reference to who is supporting it in technical sense. It will be a public area though, where anyone across the country who has something important to say will have the ability to do so.

So my question is, what I should keep in mind to be as unreachable as possible? For example, remote deployment/development is not a problem; I can use ssh forwarding to encrypt all my traffic.

What I'm most concerned about is getting domain name and paying for hosting; is there anything else that I should be concerned about?

Answer 1

• Buy gift cards in cash.
  • Bonus points for extra cloak & dagger shenanigans like buying cards in distant cities.
  • More bonus points for paying in advance to use up the card's value so you don't keep it.
• Use a Live CD for all website activity. Don't mount any permanent storage devices.
• Via anonymous proxy services (probably TOR) to establish a VPS or other hosting system.
  • Bonus points for buying it in a country that probably won't hand over info to your hostile country.
• Register your domain via anonymous proxy.
• Only access your system via the proxy.

That leaves no trace on your computer and no financial ties unless the card is found. If TOR traffic is suspicious to authorities, you might be able to use Amazon EC2 instances that are terminated after each session.

Answer 2

First off all, leaving no traces on your equipment is paramount. And there "live CDs" or "live USB drives" (same idea) are your friend. If the government finds an actual physical live CD in your possession then that can attract further scrutiny. Putting it instead on, say, an SD card might help your chances a bit. Store the card in a camera with a few innocent pictures and you should be in better shape.

Using encrypted tunnels is helpful, but be sure to do take multiple hops before visiting your destination. If the police know that you send a lot of encrypted traffic to 1.2.3.4, and there's posts to a seditious site from 1.2.3.4, then you're caught red-handed, without them even knowing what 1.2.3.4 is.

SSH tunneling, including dynamic SSH tunneling (which sets up a SOCKS server) makes covert web traffic surprisingly easy to send. Just use IPtables to block out all outbound traffic to any port other than 22 to make sure you don't accidentally leak any traffic over regular channels.

Finally, anonymous hosting is easy to come by if all you want to host is story content. Blogger.com, for example, is a great place to host your counter-culture propaganda assuming the U.S. is friendly to your cause. This also frees you from the need to register a domain. Though be careful to "keep your guard up" when posting to these services, and continue to use tunneling techniques, etc.

[edited to add]
Note that you have to simply assume that any third party you work with will be compelled to hand over information to the state, no matter who that state is and no matter who the third party is. This includes hosting companies, ISPs, commerce sites, twitter, facebook, google, and anyone whom you might do business with. No hosting situation should be considered "safe" even if you trust who's running it. It's just as important to shield your identity from your hosting provider, be it Blogger, Rackspace, or HavenCo, as it is to shield from any other organization.

Answer 3

Use open/free wifi, and use a live CD-ROM/DVD on a laptop to conduct all your online activity related to your website. I'd suggest randomizing your wireless MAC address every time you boot as well, if your NIC/driver/OS support it.

Use https://www.nearlyfreespeech.net ... Use their privacy registration service, and use a pre-paid credit card you purchased with cash in a near-by city, and have everything directed to a new email address specifically for this purpose, and used for nothing else. :D

If you want to be REALLY paranoid, skip the laptop/live-cd, and use a pre-paid blackberry that you throw away after however many times you can afford, and buy a new one... And take the battery out of it when you're off-line, and never ever ever turn it on anywhere near where you live or work.

Answer 4

One big one. You will definitely want to get a private domain name or registration by proxy. Most registrars should offer this.

See: http://en.wikipedia.org/wiki/Domain_privacy

Answer 5

You should learn about Tor and Tor hidden services.

In principle, your server could interact with the wider world only through Tor hidden services, i.e. your users must run Tor and access your .onion address and you only ever access the server via ssh connections routed over Tor hidden services. In this way, your website looks like nothing but a Tor router externally. Your hosting provider could obviously determine that the server ran code besides Tor, but probably they'd never check. Please note that BitTorrent has proven extremely incompatible with Tor.

In reality, you've asked about more public facing web hosting, meaning your users aren't using Tor and the authorities can easily find the server. In this case, you should still connect using ssh over Tor anyways. You could increase security by running a Tor node and accessing the server via ssh over Tor, but obviously you'll spend slightly more money running that Tor node.

In either case, you should choose the hosting provider carefully, paying attention to national privacy laws. There are anonymous hosting services that accept payments as concealed cash in various countries. Prepaid visa card should work for most other hosting providers.

Answer 6

Properly used, Tor and Bitcoin are all that you need. The most problematic issue is your Internet connection. While I agree with Ryathal that hardwired Internet connections are more secure than WiFi, you may not want your uplink to be associated with Tor. VPNs are an option if they would attract less attention. Otherwise it may be best to, for example, connect via public WiFi access points, and use Tor via VPNs.

Many hosting providers now accept Bitcoins. However, Bitcoins are not inherently anonymous, so it's crucial to anonymize them thoroughly before use. Start by purchasing them as anonymously as you can. Then transfer them via mixing services (such as the Blockchain.info wallet, BitLaundry and Bitcoin Fog) from one anonymous wallet to another. For each mix, use Blockchain.info to test the receiving wallet for taint from the sending wallet. Once you have two successive mix transfers with no taint, you're good to go.

Use a diskless notebook, boot from Tails LiveCD and store essentials on encrypted micro SD cards. They're thin enough that you could quickly chew and swallow one in an emergency.

Answer 7

First, you should use a disk encryption like TrueCrypt and encrypt your system. There are also a few a Linux distributions geared towards extreme security/privacy. Using Tor and Proxies for doing anything with your site is also important. It would also be a good idea to use an online storage site to keep all the information for the site so its not on your machine.
There are anonymous was to pay for things over the internet, like for example Bitcoin, when it is used right (caveat: When used wrong, Bitcoin can be traced quite good!). Covering the money trail is the hardest part. The goal is to make it as hard as possible to have any evidence found, and minimize the evidence that can be directly linked to you. One final note: Use hardwired internet connection only, as wireless is much easier to monitor.