Ask HN: Starting an Anonymous Blog in 2019?

Well, if you&#x27;re willing to accept my paranoia - here&#x27;s what I did for a reasonable test. Again, it&#x27;s only a start - there&#x27;s more fun and paranoia to be had. At the end of the day it&#x27;s about having an identity, not a blog.<p>1. Buy a credit card in cash from somewhere without cameras.<p>2. Use that credit card to buy a phone number through many of the real voip providers.<p>3. Buy a used laptop on CL&#x2F;Kijiji in cash, making sure the pickup is someone&#x27;s house. Bonus points if you make a friend do it.<p>4. Go to a Starbucks with your new laptop, sign up for gmail or protonmail using your new phone number.<p>5. Nuke your laptop and reinstall. It&#x27;s a burner. Make sure you change the MAC address, just for profit.<p>6. Sign up for free VPN (500MB start) with something like TunnelBear, using your new email address.<p>7. Connect to your VPN from the laptop. Now use TOR.<p>8. Remember that credit card? Time to buy another one - this time so that you can pre-fund Amazon credits (or DO). They&#x27;ll both accept prepaid credit cards.<p>9. Blog, do your thing - but only ever publish from a dedicated VM on the laptop. Make sure you&#x27;re using firefox (or something else) in your VM to test your blog - through the SOCKS proxy you establish (ssh -D) to the host.<p>10&#x2F;11. Nuke and rebuild VM and machine at will.<p>12. Every ~3 months, do a Kijiji exchange for a new laptop.<p>The above is in no way foolproof. But it&#x27;s a reasonable start. For the record I don&#x27;t consider this anonymous or paranoid enough.

&gt; 1. Easier case: how to prevent being de-anonymized by curious individuals and specific corporations (e.g., multiple ISP&#x27;s colluding together may be able to de-anonymize you, but for example a specific company like Google can&#x27;t).<p>GitHub is Tor-friendly, so you can piggyback off GitHub pages with Tor&#x2F;proxies and get something out of that at no cost. Occasionally, they may automatically determine you to be a bot account, but support is responsive and reinstates it within at most days if you seem human enough. Censorship remains an issue, but shoving the pages manually into archive.org should help build some resilience at least.<p>Maybe mirroring on BitBucket and GitHub will also work.<p>&gt; 2. Harder case: ensuring anonymity even from state-level actors.<p>This is a very, very hard problem. Your best bet would probably be compromising a few poorly-secured websites outside the sphere of influence you&#x27;re trying to hide from, doing this from a public hotspot in a foreign country and then connecting to them only via Tor. Of course, if Tor is enough of a red flag in and of itself, you&#x27;ll always have to travel to post, which is just as suspicious.

Lots of good technical advice has been given and I won&#x27;t rehash that, but I think there are lots of other methods you&#x27;ll need to consider, too.<p>1) Time of publish. You&#x27;ll want to make sure the times you publish entries are random and can&#x27;t be correlated with things you are doing. If you take a vacation, you&#x27;ll need entries going up.<p>2) How you write. You&#x27;ll want to ensure your writing isn&#x27;t too similar to your own. Either have others write it, excessively use synonym dictionaries, or introduce writing styles and elements exclusively to the posts you write.<p>3) What you write about. It should be as diverse as possible. If you only write about one topic, or clearly have a bias for one topic, then it is easier to pin down your interests and focus searches against you to that. Write about cooking, about programming, about art, about politics, etc. Even if you hate or aren&#x27;t good at it.<p>4) Fabricate entries. You&#x27;ll want to write about topics you dislike, or topics you don&#x27;t believe in or about places you have never been. Reference dates and times that would be impossible with your schedule, your income, your skills, or your connections. For areas you are most versed in, introduce simple errors to reduce your apparent expertise. In areas you are most ignorant, plagiarize from experts in a non-obvious way to fake expertise.<p>5) Write in only your native language so as to not giveaway where you learned some other language. If this isn&#x27;t enough, then run your writing through an automatic translator each time into some other language you might know and only do a light touch up of the most egregious errors.<p>You kind of get the drift. Lots of people here can give technical advice, but that is always one slip-up from going wrong and you getting caught. Having lots of disinformation and mixed information in the blog itself can help provide cover and deniability.

You have to blend in with the crowd to avoid sticking out. This means not buying a domain name (since domain registrations, even with contact information hiding, require real addresses in many cases for the registrar to process).<p>Then you use Tor to create a couple of ProtonMail and Tutanota addresses. Use these email addresses to create accounts on sites like GitHub while using Tor (make sure you link multiple addresses so that you have ways to get back in if one of them doesn’t work or you get kicked out).<p>Mirror all the writings on archive.org and another free site so that you have a backup to point people to (list the address of the other site in each site). Never trust any provider not to kick you out for “violating their terms and conditions” without telling you what you did or how you can fix it. When you get locked out, it’s usually with vague statements and no way to get back in. You’re at the mercy of bots and other people who may make it their mission to shut you down (depending on what you write).<p>Create multiple throwaway accounts without a lot of history to share the posts elsewhere.<p>Use Tor for everything related to the blog.<p>Edit: Building on what zelly said on translating from one language to another and back to reduce the chances of being identified by your writing. Somewhat similar in nature to hashing iterations, use one service to translate from X to Y, another to translate from Y to Z, and then yet another service to translate from Z to X. Then post X after making any necessary corrections. This could be automated with simple scripts. Using simple and short sentences could also help against any language analysis. Write, then feed it into something like Hemingwayapp, simplify it, then process it further with translation rounds.

Upvoted because this is a super important topic. I don&#x27;t feel comfortable shining a spotlight on my industry because I don&#x27;t trust that I could keep my identity secure. I imagine many feel the same way.

This is a very simple question to a very complex problem&#x2F;issue. Simple answer it isn&#x27;t possible. The current way the internet, law, and society works it is impossible to start a anonymous blog. You can create hurdles and do simple things that would stop the easy to find things. But, if someone or corporation really put any effort into finding you they could.<p>The internet was not design for people to be anonymous. Our law&#x27;s weren&#x27;t made to keep you anonymous. Our society doesn&#x27;t allow for people to be anonymous.

Realistically the only way I could see this being possible on the standard internet and not some service like Tor, etc. is to register multiple corporations and hire multiple lawyers.<p>For instance register an LLC in your country or somewhere like St. Nevis, that owns a LLC in New Mexico, that owns another LLC in New Mexico that pays for hosting, then using ideally another chain of LLC&#x27;s pay a lawyer to actually post the content on the blog.<p>Basically following the same standards as money laundering but with content publishing. That way anyone who wants to find out who actually published the content would have to track down the owners of multiple corporations and the legal barriers with that, especially with cross jurisdiction challenges this can be effective.<p>It wouldn&#x27;t be cheap, and nothing is 100% bullet proof. However this would largely protect you against private corporations and individuals from tracking your postings.

People have already given the advice of hosting your blog entirely on a platform like Github.<p>Spitball idea: Host your data in the script portion of bitcoin transactions. Now the part you host on Github or other platforms is just the JS script that fetches your transactions from online blockchain explorers.<p>Use localbitcoins.com to trade cash for bitcoin face to face. Just trade $10.<p>The idea being that it&#x27;s easier to pass around a JS script than the corpus of a blog. And platforms like Github are probably less likely to remove your pages if the potentially-troublesome plaintext of your blog isn&#x27;t actually in their database. And the purpose of storing the data on the blockchain is so you don&#x27;t have to keep rehosting content as it gets taken down.<p>I&#x27;ll admit this is more of a fun weekend project (storing stuff on the blockchain with a JS script that can fetch and present it) that I&#x27;ve repurposed as an answer.

#2 is not a good idea. Do not attempt to publish information that could get you in trouble with any governments.<p>Instead, get connected with a tech-savvy media outlet via SecureDrop or Signal. They can publish the information, have experts on hand to help you stay anonymous, and can likely connect you to legal resources should that become necessary.<p><a href="https:&#x2F;&#x2F;www.theguardian.com&#x2F;securedrop" rel="nofollow">https:&#x2F;&#x2F;www.theguardian.com&#x2F;securedrop</a><p><a href="https:&#x2F;&#x2F;www.washingtonpost.com&#x2F;securedrop&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.washingtonpost.com&#x2F;securedrop&#x2F;</a><p><a href="https:&#x2F;&#x2F;theintercept.com&#x2F;source&#x2F;" rel="nofollow">https:&#x2F;&#x2F;theintercept.com&#x2F;source&#x2F;</a><p><a href="https:&#x2F;&#x2F;www.nytimes.com&#x2F;tips" rel="nofollow">https:&#x2F;&#x2F;www.nytimes.com&#x2F;tips</a>

1. Login to a hosted blogging platform with Tor Browser.<p>2. Put Tails on a live USB drive. Only ever do your blogging on Tails. Purchase hosting for a hidden service with Monero. Watch out for people tackling you in libraries.

1) Don&#x27;t run your own infrastructure<p>2) Don&#x27;t buy a domain name<p>3) Deploy a static blog (gatsby, jackyll, etc...) to Github or Netlify<p>4) Done<p>Now you just need a VPN every time you log into these accounts and publish your content.<p>You might also want to randomize the times you access these services and publish content. That further obscures where you are in the world.

Off the top of my head:<p>1. Use all free technology since payments are a great way to figure out who you are. (So gitlab&#x2F;github pages, blogger etc)<p>And then the usual info hygiene:<p>2. Always use a VPN to log in<p>3. Don&#x27;t use the same username or password anywhere else<p>One final thing:<p>4. If you put out enough samples of your writing anywhere else tied to your identity (email archives, a non-anonymous blog, publications), people can probably use ML to figure out who you are. I don&#x27;t know if there is a &quot;style obfuscation&quot; engine to help with this.

Previous discussion:<p>&quot;OnionShare makes it easy for anyone to publish anonymous, uncensorable websites&quot;<p><a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=21253668" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=21253668</a>

Some great answers here, but if you&#x27;re doing anything that involves going out and about (e.g. buying phones &#x2F; cards &#x2F; starbucks etc) - Don&#x27;t forget to leave your regular registered phone(s) at home or office, and never allow burner and registered phones to be active (powered on) near each other.

This is a sore spot with me, because here in Germany you just can&#x27;t. At least not legally. And more than that you have to openly announce your name and address on your website. It&#x27;s called &quot;Impressumspflicht&quot;. Theoretically it doesn&#x27;t apply to &quot;private&quot; websites but there is enough ambiguity there that not including an &quot;Impressum&quot; is considered too much of a risk.<p>Some try to render the &quot;Impressum&quot; as a picture so that it doesn&#x27;t get indexed by search engines but it&#x27;s not clear wether that is sufficient.<p>You also can&#x27;t just rent a post box somewhere to get around announcing your address. The address has got to be a &quot;ladungsfähige Anschrift&quot; which means that it has to be the place where you live.

For the former, just having a private domain registration, not putting any personal information on the site and avoiding any type of presence in media posted there (like face&#x2F;voice in videos) will often be enough. Most people and companies aren&#x27;t that technically inclined, nor motivated to try and track down anonymous creators. Unless you&#x27;re being specifically targeted by a dedicated group of obsessives, no one would even bother looking into things like writing styles and background trivia.<p>For the latter case (or when dealing with said obsessives deliberately targeting you), then things get trickier. The challenge with infosec is that messing up even once compromises everything, and most people&#x2F;groups mess up multiple times.<p>Some advice there:<p>1. Don&#x27;t try and be a &#x27;ghost&#x27;, throw people off with fake identities. Manufacture social media accounts&#x2F;history to send people barking up the wrong tree.<p>2. Use burner equipment wherever possible, or at least computers&#x2F;phones that aren&#x27;t used for real life activities.<p>3. Get an anonymous email account, use it for a VPN, use Tor, etc.<p>4. Access the internet from a variety of places under said conditions, maybe with different online identities each time<p>5. Use services based in countries your current one have no treaties with<p>6. Deliberately vary your writing style so it can&#x27;t be linked to previous work (may be difficult)<p>Plus a whole bunch more steps that would make anyone writing them seem super paranoid when posting.

Several things to think about, weak points could be:<p>Domain name, since the registrar will probably have your information. Namecheap allows bitcoin payment, but I think they still require contact information. Going with an onion url would limit that impact.<p>Hosting, again, they will almost certainly have your information. Swisslayer allows bitcoin payments, but contact info might still be required. Could be mitigated by going with Tor or some other service, but that limits discoverability.<p>Server software -- you would want to limit the ability to be compromised, so something like OpenBSD with the built in httpd and raw html files would be a reasonable bet for preventing intrusion. Keeping it simple would leave less attack surface, and less potential to leak information.<p>Using Tor to connect would mean less logs between.<p>Any information you gave in content could be used to trace, but that is difficult and would require being careful in the writing style, and what information is leaked in that channel.<p>EDIT: As beefhash points out, piggybacking on an already accessible public endpoint negates a lot of the leaking of your information through your own services.

If you&#x27;re trying to beat top tier state actors, and you&#x27;re posting content of high enough profile, you&#x27;re going to lose. There are too many fingerprints and timing attacks that will give you away. The way you construct sentences, the types of words you hyphenate, the way you spell words, the words you select, etc.

Id look into crypto space. Buy a unique blogging computer and connect to free wifi. These may not be the solutions, but possibly.<p><a href="https:&#x2F;&#x2F;www.cryptovibes.com&#x2F;blog&#x2F;2019&#x2F;01&#x2F;02&#x2F;iota-introduced-the-next-generation-private-chat-app-chat-ixi&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.cryptovibes.com&#x2F;blog&#x2F;2019&#x2F;01&#x2F;02&#x2F;iota-introduced-...</a><p><a href="https:&#x2F;&#x2F;zeronet.io&#x2F;" rel="nofollow">https:&#x2F;&#x2F;zeronet.io&#x2F;</a>

One route you could go down is sharing with a newspaper. Several newspapers have projects where they want to be able to accept stories anonymously.<p>E.g.: <a href="https:&#x2F;&#x2F;www.theguardian.com&#x2F;help&#x2F;ng-interactive&#x2F;2017&#x2F;mar&#x2F;17&#x2F;contact-the-guardian-securely" rel="nofollow">https:&#x2F;&#x2F;www.theguardian.com&#x2F;help&#x2F;ng-interactive&#x2F;2017&#x2F;mar&#x2F;17&#x2F;...</a>

Don&#x27;t get your own domain. Use a service like Wordpress.com. Register with them using a outlook.com alias. Use one VPN to set the account up then cancel that VPN. Then use another VPN to post new content. When administering the blog don&#x27;t use your own machine and everyday browser - instead, spin up a clean VM.

If you were able to find someone, somewhere, who you otherwise have no relationship with, perhaps you could get that person to setup the blog, and post the messages that you send to them via some other (offline) method.<p>While clearly difficult, I&#x27;m not sure this is really any harder than the other technical solutions listed here.

Case 2 probably involves some (and likely a _significant_) amount of identity theft, and even then I don&#x27;t think you can do better than pseudonymous - if you want your intended audience to reliably know which sources of information comes from you, then any and all adversaries can know the same.

0. Visit a library or starbucks in a nearby town using a computer that has no association to you (wiped or loaner)<p>1. Use TOR or some kind of proxy service<p>2. Sign up for Proton Mail<p>3. Use Proton Mail to sign up for wordpress.com blog<p>4. PROFIT!!!

Great thought experiment that I’d like to expand to the question of how to send a single anonymous packet on the Internet?

Use ZeroNet.io with Tor And fork ZeroBlog or use ZeroMe