[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Measuring on-line anonymity

On 08/13/2018 07:52 PM, panoramix.druida wrote:
> Hi, is there a way to measure the level of anonymity on a system?

Sure. There's some literature. Check out
<https://www.freehaven.net/papers.html>.

> For example Signal es a very good keeping secret on communications, but is very bad for anonymity as it need a real phone number to work. Using a real phone number to communicate makes an association of all your chats with your real identity. In many countries in latinamerica you need to give you document id to get a phone number.[1] It is also a centralized service so that the sysadmins and the people behind Signal can have a look at the metadata if they want.

Micah Lee's article has some good suggestions. And you can also use
hosted SIMs. For example, https://speedyverify.com/. Before creating
your messaging, social media, etc account, you login at SpeedyVerify,
and start a chat with support. You tell them which SIM / mobile number
you'll be using. Then you create the account, with mobile
authentication. SpeedyVerify support will give you the authentication code.

There's also an API, which can handle bulk authentication. I suspect
that services like this facilitate bot networks and scamming on Twitter,
Facebook, and so on.

It's true that the SIM host sees your activation code. But that process
isn't really secure, in any case. And I don't believe that it lets them
hack your account, because it's a one-time code. And they don't know
your password.

It's also true that you must provide email and contact information to
SpeedyVerify, including a telephone number. But they don't seem to
verify that stuff, and they accept Bitcoin.

> Ricochet is way better to protect anonymity. I don’t need a phone number, not even a name, I just use the onion service hostname. With Richochet I am anonymous all the time unless I identify myself.
> 
> Email may not be as good as Signal for end to end encryption (even with pgp), but it can be way better for anonymity. For instance, this email account was created using Tor in Protonmail, and there are other mail providers that allow me to this. If I always use Protonmail with Tor, it is very hard for Protonmail to learn who am I and where I live, doing that with Signal is harder. However with Ricochet is way easier.

Well, there's a huge metadata issue with email. Using .onion webmail
mitigates much of it. But everyone needs to watch their OPSEC, to avoid
deanonymization.

And why do you say that deanonymization is way easier with Ricochet?
It's all via .onion instances. But I gather that Tor Project no longer
actively supports the work.

> Is there a way to measure the “level o anonymity”. I am very interested in comparing email, chat and voip tools to find out witch tool is better for anonymity. For instance in email is hard to be anonymouse to the server provider and in Signal is even harder, however in Ricochet is very simple as there is no service provider.
> 
> [1] Actually you don’t need to use your real phone number, advance users can do tricks. That is not for everyone. https://theintercept.com/2017/09/28/signal-tutorial-second-phone-number/
> 
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk