True anonymity is much harder than you think
- You take your personal laptop out of town with you, completely different state.
- You connect to a free open wifi from another location where you can’t be filmed/on camera.
- You use a new burner email account with all fake information.
- You send the anonymous email.
Please tell me how anyone could trace that back to one’s true identity.
The desire for anonymity is strong for many reasons; some legitimate, others less so. I want to use this as an example to show just how difficult it is these days to stay absolutely anonymous, particularly when it comes to email.
For example, there’s at least one glaring problem with the setup you describe.
There are no absolutes
One of my guiding principles in general is that there are no absolutes. As much as we might (desperately at times) want black-and-white, yes-or-no answers, solutions and situations are always somewhere in between.
So my position is that there is no such thing as absolute anonymity, no matter what steps you take.
What may be possible, however, is to make it difficult — perhaps extremely difficult — to figure out who you are when you’re trying to be anonymous. Call it “pragmatic” rather than absolute anonymity. Depending on your specific situation, pragmatic anonymity may be good enough, as long as it makes it so difficult to identify you that whoever might be looking runs out of time, patience, or resources before they succeed.
Unfortunately, it’s all too easy to leave clues.
Help keep it going by becoming a Patron.
A personal laptop?
The “glaring problem” I referred to above is that you’re using your personal laptop.
Your personal laptop probably has an assortment of software installed on it, perhaps even the OS, that reaches out to various services in a personally identifiable way. For example, perhaps while you’re sending your “anonymous” email, a program like Dropbox is quietly checking to see if there are updates to your files, leaving an identifiable trace on the Dropbox servers. If someone were to put two and two together, they could see that you (your Dropbox account) were at this IP address (of the Wi-Fi hotspot) at the exact same time as the anonymous message was sent.
Now, replace “Dropbox” in that example with any — no, every — service or bit of software on your laptop that might benignly reach out somewhere online. That’s a lot of opportunity to leave a trace of where you were at the time the message was sent.
Accidentally personal information
The email program or interface could include additional information in the headers that could identify you or your computer. In years past, some email programs included the actual name of the Windows machine on which they were running. That would clearly identify the specific machine from which the message was sent.
It turns out that in many cases, browser fingerprints — the combination of an assortment of information that your web browser routinely makes available to the sites you visit and pages you view — can often identify you uniquely — or, if not uniquely, then to such a small number of cohorts that even a little additional information can be used to determine who you are.
Networks you “trust”
The laptop’s MAC address — a number that uniquely identifies every network adapter1 — doesn’t travel further than the first connection. In your case, that would be the Wi-Fi access point or router to which you connect. The problem is, you don’t know the device isn’t logging things. A log including your machine’s Wi-Fi MAC address would prove that your machine was connected to that access point at that time.
Similarly, it’s possible for a machine to read its own MAC address, and for software to include that information not as part of the networking protocol, but just as additional data being sent.
The IP address of the hotspot would locate it, at least, while perhaps local traffic cams and other activity — maybe even your mobile phone pinging its location while in your pocket — could place you in the same area at the same time.
Even your own personal style
Assuming you manage to avoid all those items and everything else I probably haven’t considered, then even issues of personal style can give you away.
I’m told that we each have a style of writing that’s relatively unique. In recent years, particularly with the advent of AI, it’s apparently not impossible to identify you with a high degree of certainty (remember, there are no absolutes) by your writing style alone. I find this absolutely fascinating.
And, of course, the information in the content of your message could also be used to identify you if you’re the only person who could or would have access to it or share it in the way you have.
So what can you do?
As I said, there are no absolutes, but we can stack the deck in favor of making it extremely difficult to identify you.
Use a “burner” email account. As you did, most people think of this, and it’s an important start: create a brand new, free email account, and provide absolutely no personal information when doing so. Lie about everything. Then never use this account again.
Consider “burner” devices. We often hear about “burner phones”, particularly in movies and TV, but the concept is a valid one. It can also apply to an inexpensive Chromebook, for example. Purchasing such a device, ideally with cash, would reduce the chances of any hardware-based identification.
Consider TOR. Using TOR — The Onion Router — makes it impossible for your network connection to be traced to your actual location. A VPN is a less secure alternative, as it relies heavily on the trustworthiness of the specific VPN provider.
Leave your phone at home. Mobile devices can be located, sometimes directly, sometimes approximately, via cell-tower connectivity.
Do this
Anonymity is hard, really hard, particularly in the face of a sufficiently motivated and resourced adversary.
If you need to be anonymous, carefully understand the risks, and take the time to make certain that you’re not accidentally leaving the door open to discovery.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Footnotes & References
1: Admittedly, in theory. Every network adapter — Wi-Fi interface, Ethernet port, and so on — is supposed to have a completely unique MAC address, though hardware manufacturers have been known to reuse MAC addresses. In practice, it’s not a problem, but like so many things, it’s neither black nor white.
In practice as far as hardware is concerned there are fool proof ways to send emails completely anonymously and undetectable. Could be a bit costly but.
Not going to tell him how.
His main problem will be, as you alluded to, the numerous CCTV cameras that, once the location and time of the email’s origin is known will reveal his presence.
Also restricted info of the subject is a dead giveaway.
Must be a powerful reason to do this. Why not just write a letter? Still not fool proof but a lot easier to stay under the radar.
One extra layer of security would be to boot the computer from a live Linux USB flash drive. That would eliminate the fingerprint information. I would work under the assumption that the Internet cafe does log MAC addresses. Even my home router does that. The MAC address would uniquely identify your computer but that can be spoofed. You can google that to find out how. It that prefect anonymity? No, but it’s probably good enough for company whistle blowing as they don’t have the resources to get that information. If you are a government whistle blower, that’s another story.
Great idea to boot with Flash drive, you could also use a usb WiFi stick to connect then burn it so MAC is no longer an issue, you would likely also need to set up the email at that point so no previous connection can made to you. a lot of trouble to go to just to send an email.
Is “incognito” the answer?
Incognito wouldn’t help. It only prevents your browser from saving your browsing history and cookies. It offers no protection against anything else.
What Good Is Incognito Mode
No. Not even close. Please read: https://askleo.com/good-incognito-mode/