Digital Privacy Manual
Digital Security and Privacy for Human Rights Defenders.
JakeS • March 13, 2007 6:45 AM
Be warned that the linked-to document is a monstrous 9.2 Mb.
Rob Mayfield • March 13, 2007 7:10 AM
9.2Mb is monstrous in which decade?
monstrous • March 13, 2007 7:19 AM
And 164 pages because it is in 4096-point type.
Clive Robinson • March 13, 2007 8:20 AM
A brief look through the contents and some of the authors' names makes it look interesting enough to download > print out > read irrespective of the size and download time.
Alex • March 13, 2007 8:46 AM
Hmmm, nothing there that the frequent visitor of this blog wouldn’t already know. And not all advice given is correct:
“Be aware that using a computer in an Internet café is more insecure than using a home computer.” (p.9)
Well, that would depend on many issues, and the possibility to ‘go below the radar’ should always be an option when working in a hostile environment.
Anonymous • March 13, 2007 8:59 AM
Can you clarify your point? I would always trust my home PC more than one in an internet cafe. I would (in some cases) be more willing to trust a corporate machine than my home PC (after all, the corporate IT guys should know more than me).
Alex • March 13, 2007 9:15 AM
Indeed, a PC in an Internet cafe is usually less trustworthy, with higher chances of keyloggers etc. (this is not always true, however, as some more professional internet cafes clear and re-install the workstation with a clean OS after each user). However, if you are working in a hostile environment (for instance as a human-rights activist in Russia) you can be pretty sure that efforts are undertaken to ‘control’ your home PC and communication departing from there (the attacker can easily focus his energy).
Using an internet cafe could be an effective option to let your communications disappear in the mass. Of course an internet cafe could be controlled, but with innumerable options to choose from it would be hard for the attacker to focus his energy. Of course, using the same cafe twice or more severely decreases your security.
Skeptic (aka anonymous) • March 13, 2007 10:51 AM
Thanks for your reply.
“you can be pretty sure that efforts are undertaken to ‘control’ your home PC and communication departing from there”
This is a fair point. But my home PC is still in my control, the network connection once it leaves my property is not. The external connection should not be trusted. I may use Tor for example.
Stephan Samuel • March 13, 2007 10:52 AM
While you’re right about Internet cafes being safer than offices and homes, it only takes a police inquisition to coerce the cafe owner to finger you as having been at that place at that time.
The paper’s a little paranoid and a lot useless. They seem to promote using an office computer. Most offices I’ve worked in have centrally administered password stores (Active Directory) and proxied external Internet connections. The level of privacy on that system: zero.
There are still only two untraceable ways to communicate: acoustic coupler on a pay phone to a stolen dialup account and open WiFi. You still need to forge your MAC address, shut off the unique microprocessor serial number reporting, make sure anything with your fingerprint (email login, IM, etc.) is off, and probably avoid Windows, especially Vista. There used to be anonymous packet forwarders, but that’s no longer secure.
It would be interesting for some hacking group (possibly ethical hackers) to try an anonymous login and for some security experts to try to close the holes.
Matt from CT • March 13, 2007 10:59 AM
I glanced at it (will save it to read when I’m not at work later…)
But one thing that struck me, while the author asked questions like whether the Internet Cafe knew your name/address/payment card type stuff…
At least a “search” on the PDF didn’t mention items like video surveillance.
It would amaze me if a store, say Panera Bread in the U.S., which provides free wi-fi at most of its restaurants, doesn’t have a security surveillance system. And knowing many of these systems aren’t videotapes anymore, but hard disks that can store months of information (I commonly see 9 months in the catalogs).
Sure, the system is there to protect their interests in case someone holds them up, or an employee is helping themselves to the till. But as a side effect, it’s recording the movements of customers in and out and what times they’re present.
Ok, so you’ve fully anonymized yourself with tools like encrypted drives, bootable browsers on a pen drive that don’t leave traces on your PC, a payment card that was bought anonymously for cash somewhere else, etc.
Browsing from your car over wi-fi in the parking lot may not be enough; again, look at an average shopping plaza today and you’ll see many of the bulging black bubbles that hide security cameras. Again, they’re there to catch vandalism or people holding up drive-thru windows…but they’re also recording what’s happening in the background.
Still, they have a specific time stamp to a specific place — look up the surveillance tapes. Even if there isn’t a name yet, they have the “faces” of the suspects.
Alex • March 13, 2007 11:28 AM
I’m only referring to secure communications for human-rights activists, not to untraceable hacking. As for access through an open WiFi: why forge the MAC address etc.? Even if your MAC address is logged (which is very rare, especially in home routers), try to trace the MAC address of a $30 USB WiFi adaptor sold over the counter to a person….
really, you can be sufficiently secure without becoming paranoid
I don’t know about the MAC address being logged; but IF it is, the reason for wanting to avoid using it would not be to avoid tracking it back to you, but rather to prevent it being provably associated with you at a later time if some inquisitors got hold of the device. This is a much less likely scenario, which can be mitigated by disposing of the device; but who’s to say that paranoia is entirely a bad thing?
Paul • March 13, 2007 11:54 AM
Copy the link into a downloader like FlashGet and download at your convenience from the site overnight.
Skeptic • March 13, 2007 12:07 PM
w.r.t. “MAC address being logged,” one should also be concerned about linkability.
Bill • March 13, 2007 12:10 PM
“There are still only two untraceable ways to communicate: acoustic coupler on a pay phone to a stolen dialup account and open WiFi.”
Would not TOR be another way to engage in untraceable Internet communications? What do you think of TOR?
Stephan Samuel • March 13, 2007 12:15 PM
I considered your point, which led me to this line of reasoning:
I’m glad that I don’t do illegal or even questionable things that would have the FBI after me. There’s a tight gray area of people who do things that are questionable but not illegal. They’d have to commit a crime just to prevent inquisition.
The better solution for terrorists: just find a country where the government won’t chase you. American citizens are suing the country of Sudan in a VA court because they supposedly assisted in actions which led to the USS Cole attack in 2000. Sudan is innocent until proven guilty, but there’s gotta be some country out there which will help.
Tremaine • March 13, 2007 1:40 PM
Actually the MAC address is a key point. Having worked for a very large ISP, I can assure you MAC addresses are frequently recorded along with the DHCP request and time. How long those logs are kept depends on the provider.
There were more than a few instances where we assisted (after a warrant) in investigations involving stolen laptops where the owners had recorded the MAC and we were able to tie them back to user accounts based on checks through our DHCP logs.
Get the MAC, tie it to an IP. Check which modem that IP was assigned to on the date in question, tie the serial of that modem to a customer account…
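The correlation chain Tremaine describes (MAC to IP through DHCP logs, IP to modem, modem to customer account), as an added example that is not from the blog thread or from the manual under discussion. It runs offline over constructed ISP records embedded below and handles one edge case the narrative glosses over: an IP that was re-leased to a different MAC before the time in question. Every log line, address, modem serial and account id is made up for illustration.

```python
import re
from datetime import datetime

# Constructed ISC-dhcpd-style syslog lines (not real data): each DHCPACK
# records that the named IP was leased to the named MAC at that instant.
DHCP_LOG = """\
2007-03-10T08:01:12 dhcpd: DHCPACK on 10.20.0.17 to 00:1c:b3:4a:9f:01 via eth1
2007-03-10T09:30:45 dhcpd: DHCPACK on 10.20.0.44 to 00:1c:b3:4a:9f:01 via eth1
2007-03-10T09:31:02 dhcpd: DHCPACK on 10.20.0.17 to 00:16:cb:77:00:ab via eth1
2007-03-11T06:00:00 dhcpd: DHCPACK on 10.20.0.17 to 00:0d:88:11:22:33 via eth1
"""
# Constructed access-network records: (ip, modem serial, window start, window
# end); end=None means the modem still holds that IP.
MODEM_FOR_IP = [
    ("10.20.0.17", "SN-A1001", "2007-03-10T00:00:00", "2007-03-10T09:20:00"),
    ("10.20.0.17", "SN-A2077", "2007-03-10T09:20:00", None),
    ("10.20.0.44", "SN-A1001", "2007-03-10T09:20:00", None),
]
# Constructed billing table: modem serial -> customer account.
ACCOUNT_FOR_MODEM = {"SN-A1001": "ACCT-55012", "SN-A2077": "ACCT-61904"}
LEASE_RE = re.compile(r"^(?P<ts>\S+) dhcpd: DHCPACK on (?P<ip>\S+) to (?P<mac>\S+) via")

def normalize_mac(mac):
    """Accept aa:bb:.., AA-BB-.. or aabb.ccdd.eeff; return lowercase colon form."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_leases(text):
    """Return [(timestamp, ip, mac)] sorted by time; non-ACK lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LEASE_RE.match(line)
        if m:
            out.append((datetime.fromisoformat(m.group("ts")),
                        m.group("ip"), normalize_mac(m.group("mac"))))
    return sorted(out)

def ip_for_mac(leases, mac, at):
    """IP the MAC held at `at`: its latest ACK at or before `at`, unless the
    same IP was ACKed to a different MAC afterwards (lease re-issued)."""
    mine = [(ts, ip) for ts, ip, m in leases if m == mac and ts <= at]
    if not mine:
        return None
    ts0, ip0 = mine[-1]
    for ts, ip, m in leases:
        if ts0 < ts <= at and ip == ip0 and m != mac:
            return None  # the IP had moved on before the time in question
    return ip0

def modem_for_ip(ip, at):
    """Modem serial that fronted `ip` at time `at`, or None."""
    for rec_ip, serial, start, end in MODEM_FOR_IP:
        if rec_ip != ip or at < datetime.fromisoformat(start):
            continue
        if end is None or at < datetime.fromisoformat(end):
            return serial
    return None

def trace_mac(mac, at_str):
    """MAC -> IP -> modem -> account at one instant; None if any link breaks."""
    at = datetime.fromisoformat(at_str)
    ip = ip_for_mac(parse_leases(DHCP_LOG), normalize_mac(mac), at)
    serial = modem_for_ip(ip, at) if ip else None
    account = ACCOUNT_FOR_MODEM.get(serial) if serial else None
    return None if account is None else {"ip": ip, "modem": serial, "account": account}
```

The time argument matters at every hop: the same MAC resolves to different accounts, or to nothing at all, depending on the instant queried, which is why lease logs are only useful for attribution when their timestamps and retention are reliable.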
Stating the Obvious • March 13, 2007 2:10 PM
What’s interesting about human rights defenders is that this is a class of people whose need for anonymity from the state on the internet is very real.
There is a history of actual harassment, jailing, torture, and killing of many of these people in the states they operate in.
Yet the same freedoms they need can be abused by terrorists, spies, or criminals.
There’s an entertaining tidbit on page 47 — a list of “words that would trigger a response should they be found in your email by ECHELON.”
The footnote for the list source says:
“these tests were done by including words in email and recording the time difference in the hops taken to the destination”.
[Just reading this, and fearing what kind of list I might now be on for allowing it to cross my DSL connection, makes me feel unfree.]
Clive Robinson • March 13, 2007 2:22 PM
“Would not TOR be another way to engage in untraceable Internet communications? What do you think of TOR?”
The Onion Router (TOR) protocol is possibly (now) a bad idea for a number of reasons:
1. Can you trust that the TOR system is completely honest?
2. Can you say that the TOR nodes are not susceptible to eavesdropping?
3. Can you say that the TOR nodes' inputs and outputs are independent and cannot be cross-correlated?
4. Can you say that a part of your PC is not acting as a spy on your activities and leaking the information through timing differences on the network?
Point 1 is usually addressed by the way the network is configured; the design spec indicated that if you go through just one honest node you should be all right. However, there has been stuff published on subverting even honest nodes.
Point 2, is of more concern see,
Point 3, is of even more concern, in that you can identify each and every network port on a computer even if they are attached to different networks. See,
I made several relevant comments and also amplified on the attack proposed by Steve Murdoch to a generalised remote enumeration attack that could be used against HoneyNet machines using VMware or other virtualisation software.
Point 4 is a real concern, as your PC could in many ways announce who you are by simple timing latency. TOR is a low-latency network (which is its Achilles heel). Worse, you might not be able to detect it, as your PC’s low latency can be used to make it transparent to an input device such as your keyboard that has been bugged. See,
Having read the above make your own mind up as to how untraceable TOR and your own PC is…
Stephan Samuel • March 13, 2007 3:17 PM
I’ll defer to Bruce on an authoritative answer on TOR, but I’ll venture my opinion since you asked. I haven’t completely read all the documentation, but it appears to be a collection of ages-old methods that hackers use.
These days, you need to make the assumption that everything logs. You may increase your chance of evading someone who’s looking, but this will never make you completely untraceable to someone who’s intent on finding you. I wrote more detail of my opinion on one of my personal web sites:
Tremaine • March 13, 2007 3:32 PM
Tor would actually be a poor choice for use on any machine not under your own direct control courtesy of appliances like Bluecoat.
Copied from a reply I made on focus-ids on SecurityFocus:
“you prevent this generating a warning to the user by creating a CA for your domain and ensuring all machines have this set as a trusted CA. If you are using something like Bluecoat, you then intercept and re-sign the certs with that CA or a subsidiary of the CA. The user’s machine automatically trusts that re-signed certificate because of these previous steps, and allows you to inspect the SSL traffic”
So if the machine you are on is administered by anyone but yourself (and you aren’t in the habit of checking every individual cert) your SSL traffic can be inspected.
Alex • March 13, 2007 3:39 PM
Try it the other way around. A person with a laptop with an unknown MAC is using different unsecured WiFi connections (different ISPs) to communicate. If you do not know the MAC you are looking for, you need physical surveillance to find him.
Paranoia is possibly the worst advisor on security. Stay rational, calculate your risks and take some, otherwise life isn’t worth living 😉
Tremaine • March 13, 2007 4:06 PM
Fair, but how hard is it really to obtain the MAC address of a system if the person is already under some measure of scrutiny by the state?
Given that it’s a relatively easy step to take, why not a script that changes the MAC randomly at boot?
Mike • March 13, 2007 6:23 PM
I go to the university library. I can use the Internet without logging in. I just walk in and use it. I’m surprised they still allow this.
Stating the Obvious • March 13, 2007 6:36 PM
Free wifi is no guarantee of anonymity. For one thing, the university may log your wireless card’s MAC address, which is a unique identifier. Your MAC address is very likely sitting in a Microsoft database along with the rest of your Windows registration information. It may also be stored with your laptop vendor.
Aside from that, the AOL Search data incident showed that even without a logged username or IP address, a user’s traffic alone can often reveal that user’s identity.
Further, if you use the same email address as at home, where you are known by your DSL subscription, then your “anonymous” wifi session could be correlated with your non-anonymous activity. (I haven’t seen any allegation that this is being done, but NSAT&T certainly has the bits if they want to use them that way.)
Clive Robinson • March 13, 2007 11:15 PM
@Stating the Obvious
“Further, if you use the same email address as at home, where you are known by your DSL subscription, then your “anonymous” wifi session could be correlated with your non-anonymous activity. (I haven’t seen any allegation that this is being done, but NSAT&T certainly has the bits if they want to use them that way.)”
It has been done by “amateur sleuths” who were looking at who was stealing their WiFi connections. The actual method by which you do it has been written up more than a couple of times, both in computer magazines and on the web (I just wish I could remember a URL). I think it’s in Bruce’s Blog here somewhere, and even 2600 mag had an article as well as a series of related articles (to do with being cautious about getting free Hotel WiFi).
They also mentioned other “tracing” methods such as Cookies, MACs etc. which are considered unreliable individually but when combined in sufficient numbers become worth considerably more than “the sum of the parts”.
On an even more way out point there have been a number of academic papers that show it is possible to track a laptop across the Internet by its clock drift rate as seen by network time stamps (see my posting above).
Oh, and Microsoft stores all sorts of interesting stuff not just in its database (a.k.a. the registry) but in all sorts of other places as well. For instance, some versions of MS Office have been found to put MAC and other info into documents. Again, this has been publicized a number of times, both in the general press and on the web.
I wonder how long it is before the “Serious People” start looking realistically at DRM artifacts as a forensic tracking aid / tool, for things other than the odd proposal for copyright violation. If you think about it, your iTunes files could “rat you out” very very effectively.
You can read more about DRM forensic tracking as used in copyright protection in Digimarc Corporation’s paper to the U.S. Patent and Trademark Office (USPTO) at,
Mike • March 13, 2007 11:23 PM
@Stating the Obvious
It’s not WiFi, just regular terminals I can access the Internet on without entering my student card number. I’ve set up completely anonymous yahoo email accounts using the library’s Internet connection. I’ve also set up Internet sites using Geocities that can only be traced to the school. The school lets me upload and download to a thumbdrive with total anonymity. Too bad they don’t have file sharing software installed!
the other Greg • March 14, 2007 2:42 AM
Remember too that the security agencies of freedom-loving democracies have “understandings” with the security agencies of freedom-hating dictatorships.
Dmitri Vitaliev • March 14, 2007 9:27 AM
Just wanted to say thanks to Bruce for posting the link, and hoping to answer some of the comments and questions I read from this post, as the author of the book in question. All in all, when writing for a non-technical and high-risk group such as human rights defenders, I realised that just about anything I say, I could refute myself 🙂 The biggest task was to describe something quite technical and tricky (e.g. Man-in-the-Middle attack) to an audience that has never been exposed to such topics before, yet could suffer from not knowing anything about it. I did make some assumptions in the text, like stating that an Internet cafe is less secure than a home connection, because this has been my experience of working with the audience in over 20 countries around the world. Internet cafes in Uzbekistan, Syria, Burma, Cuba often require people to register with their passport before they can use a computer, and have sophisticated surveillance on the computers themselves to make sure that visitors are not browsing to banned sites or using any type of circumvention/anonymity software like TOR. A home computer, while often easier for the surveillance to pinpoint, can be self-configured to use security software and methodology to prevent surveillance or bypass censorship. My research has shown that targeted surveillance of home computers of human rights defenders has been applied only in China and Iran. The majority of other countries who persecute human rights defenders for their Internet activities do so from a national surveillance and filtering architecture.
These and other results of my research and experience of working with this target group have led me to make certain omissions, summaries and possibly arguable statements in the text. The overall purpose is to make sure the reader is not frightened away by the contents of the manual and takes some practical lessons that have been written specifically for him/her.
I don’t know if this will appease the security specialists out there, but I must stress that if you wish to be understood by an audience who needs the advice but not the details, some sacrifices are to be made in the presentation of the material.
I am interested to see what other readers think about this.
Anonymous • March 14, 2007 10:00 AM
“I have many different passwords and no two are the same. Some of them are in my head (you must get used to creating and remembering good passwords), but most are stored in my password program. When I cannot recall a password or need one of great complexity, I ask the password program to create and store it for me. But I never write them down anywhere!”
This is great, but the reader isn’t told that the password program itself is protected by a password (stored in the head). This is the kind of thing the average user needs to know, otherwise writing a password in a file is equivalent to writing a password on a piece of paper.
Stating the Obvious • March 14, 2007 12:09 PM
Dmitri Vitaliev said:
“My research has shown that targeted surveillance of home computers on human rights defenders has been applied only in China and Iran. The majority of other countries who persecute human rights defenders for their Internet activities do so from a national surveillance, filtering architecture.”
That’s very interesting. Practical experience is a better guide than theory, I guess.
Pat Cahalan • March 14, 2007 12:13 PM
@ Stating the Obvious
“For one thing, the university may log your wireless card’s MAC address, which is a unique identifier.”
It’s supposed to be. However, it’s pretty trivial for anyone to change their MAC address.
Popping from one open wifi connection to another and spoofing your MAC address will give you a pretty reliable anonymous connection. You’re still vulnerable to traffic analysis, of course, unless your traffic destination(s) also change, which is sort of counterproductive.
You could however create a number of one-time use free email accounts, split the list in half, give one half to another party off-net, and send messages to each other using an incremental method.
But then, of course, the email traffic itself isn’t encrypted with free email services, so you’d also have to have some sort of code or some other way to embed information in the mail that wouldn’t be subject to flag by those Narus machines the NSA uses to eavesdrop on the backbone…
Stating the Obvious • March 14, 2007 3:56 PM
You’re right, the MAC address can be spoofed.
Of course that’s only one of the unique-ish identifiers that you may broadcast unsuspectingly. Most of these you can know about and be careful of, like email addresses, or browser cookies.
Other things that could de-anonymize you are automatic software updates which transmit any kind of unique identifier unencrypted. I suspect that Windows Update/Windows Genuine Advantage and the anti-virus program on my XP laptop send uniquely identifying information to verify subscription status. I haven’t checked to see if it is encrypted; it should be.
And then there’s the question of whether the encryption is just false privacy. At this point I’d be surprised if Microsoft hasn’t seen its share of NSLs.
It’s all speculation on my part, I don’t know how much Narus and whatever back-end stuff the govn’t has is currently capable of in practice. But I do know that most people don’t realize how much theoretically de-anonymizing stuff is going on in their computers right now.
Clive Robinson • March 17, 2007 6:30 AM
@Stating the Obvious
As I said further up, think about DRM as well.
Your iTunes on your iPod and on your PC are directly related to each other and are supposedly unique to you and your selected players.
So “they” (theoretically) trace your TOR connection and get onto your PC that you have, to the best of your ability (by standard forensic tools), sanitised of all personal info.
However, you (or a family member) have inadvertently plugged in your iPod or other USB audio system with DRM on it, and it syncs files in both directions….
They only have to pick you up with your iPod to know the PC is used by you…
The only way I can think of to avoid such probs is a PC with no mutable memory and a CD OS like Knoppix etc., but don’t forget to flash the serial numbers etc. out of the BIOS,
But wait one moment, didn’t Intel put serial numbers in their CPUs and other chips…
Dmitri Vitaliev • March 22, 2007 10:18 AM
The monstrous pdf is now also accessible as a website. All comments are very welcome.
Dmitri Vitaliev • March 22, 2007 2:43 PM
The stated manual is now available as a website. Please go to:
All comments welcome