Recently we've built an anonymous service for tracking and reporting petty bribery around the world [Web http://bribespot.com , Android http://bit.ly/11dCsIh ].<p>Our contributors mostly come from developing countries, and since law-enforcement agencies in some of those countries are corrupt, we designed our service to provide maximum anonymity for our contributors, e.g. no personal details are collected and no open IP logging takes place (IP addresses associated with submissions are stored in the DB in an encrypted format).<p>The problem is that anonymity opens the door to all sorts of nasty surprises - from spam and abuse to fake reports and blackmail campaigns.<p>How are you guys coping with problems that arise from running anonymous services? Anyone want to share their experience?
You might look to something like the Silk Road for a case study; the guy(?) who runs that site is pretty active on the forums and would likely give you some time if he agreed with your mission (he has a strong anarcho leaning, I suspect he would, in this case).<p>Spam can be relatively easily avoided with some captchas; but I don't know how you can avoid fake reports; or how being anonymous even helps or hinders the likelihood that reports would be fake.<p>I agree with other posters that recommending, teaching, or even requiring them to use Tor is a good idea. tormail for example is reachable from the clearnet, but to actually use their <i>service</i> you are required to connect to their hidden service, which has the added benefit that they are basically impossible to shut down; even if they get your clearnet server (which really just has instructions and metainfo on it), the actual server doing the work is nearly impossible to find, and if it is found but the key is kept safe you can just pop it up again.<p>It's worth considering protecting not only your clients but yourselves; running as a Tor hidden service can go a long way toward this.
For a start, you could remove the 6 or so 3rd party scripts from the homepage that record IP address and other personally identifiable information. The social media scripts may be useful for spreading word of mouth but unfavorable to true anonymity.
While it doesn't directly answer your question, keep in mind the best thing you can do for maintaining your clients' security is teaching them to use Tor. Nothing server-side will protect them because you may make mistakes, you may be compromised, or they may be MITMed.
Why do you log ip addresses at all? What happens when you get a subpoena, you have to turn it all over, right? Wouldn't it be safer not to store that info at all?
Protect your sources by all means necessary if you want to build trust; the technology is in place to do this, the legal footing on the other hand can be tricky. You should host your servers in a country that has a solid legal framework in place to protect your data, Iceland for example. Honestly, consult a lawyer who specializes in this; it is a legal issue and not a tech one.<p>The real problem is vetting your material. You will need to analyse and verify submissions before posting using <i>real people</i>; there is really no alternative when lives are at stake. This is the reason wikileaks collaborates with researchers and journalists, and there is an entire approval process. I must stress this point: you MUST have due diligence on your sources or else don't even bother.<p>Also keep in mind that several countries make anonymous services very difficult to use, and even so they still might be monitored. You need to enable multiple avenues of submission and do a really good job of informing your user base on which is best.<p>You should have a very solid and dynamic server setup that can withstand attacks/DDoS and domain name/ISP related takedowns.<p>tl;dr Learn from all the issues wikileaks had with tech and submissions and how they overcame these challenges.
> no open IP logging taking place (IP addresses associated with submissions are stored in the DB in an encrypted format).<p>Given how small the IP space is, does that actually add anything?
Try instituting an expiration policy on your logs. Have addresses expire after some set amount of time. It might be a few hours, days, or weeks - whatever you determine to be the necessary time to prevent abuse.
Regarding the IP addresses, we use the bcrypt algorithm, obviously with salt, to obfuscate IPs, and since we're hosted in Germany, getting hands on these entries the legal way is a long process.<p>To address the problem of spam, we have already implemented a combination of selective captchas and an Akismet filter running in the background.<p>We also use a named-entity extraction algorithm to obfuscate any names we identify in the submitted reports. It takes a couple of minutes and is not 100% foolproof, but at least it reduces the risk of names being called.<p>The major problem that we are thinking about, however, is how we structure the "vetting", given that reports are sometimes hard to verify without first-hand knowledge of the situation.<p>So far we have tried to analyze how one goes about these things in real life and recreate natural constraints in the virtual space. The fact that we require every report to be geo-tagged works to our advantage in this situation.<p>As a practical example, ordinary people usually do not have access to the president's palace, so if someone claims to be paying a petty bribe there, it is obviously a fake and we would automatically suspend such a report.
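The two posts above disagree about whether a salted bcrypt of the IP address adds anything. The following is an added example, not bribespot's code and not from the thread, that makes the point concrete: because the salt is stored next to the digest, anyone holding the row can test candidate addresses against it, and a legal request usually names a specific address or a small block rather than asking for all 2^32. It then shows a keyed alternative (an HMAC under a per-epoch secret that never touches the database) which still supports the stated purpose, abuse detection, and becomes unlinkable once the epoch key is destroyed under an expiry policy. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt so the example runs without third-party packages; the addresses and the key are constructed sample values.

```python
"""Salted slow hash of an IP vs. keyed tag: what each actually protects.

Added example, not bribespot's code. PBKDF2 stands in for bcrypt; the salt is
stored beside the digest exactly as bcrypt does, which is the weakness shown.
"""
import hashlib
import hmac
import ipaddress
import os
from typing import Optional

ITERATIONS = 1_000  # bcrypt-like work factor; kept low so the /24 scan below is quick


def salted_hash(ip: str, salt: bytes) -> bytes:
    """bcrypt-style: the salt is public and lives next to the digest."""
    return hashlib.pbkdf2_hmac("sha256", ip.encode(), salt, ITERATIONS)


def store_salted(ip: str) -> dict:
    """What the database row would hold for one submission."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": salted_hash(ip, salt)}


def confirm_candidate(record: dict, candidate_ip: str) -> bool:
    """The question a subpoena really asks: was *this* address the submitter?
    One hash computation answers it, regardless of bcrypt's cost."""
    return hmac.compare_digest(record["digest"], salted_hash(candidate_ip, record["salt"]))


def recover_from_range(record: dict, cidr: str) -> Optional[str]:
    """Brute-force a small block (a suspect's ISP range): a /24 is 254 hashes."""
    for host in ipaddress.ip_network(cidr).hosts():
        if confirm_candidate(record, str(host)):
            return str(host)
    return None


# --- keyed alternative ------------------------------------------------------
# HMAC under a secret that is kept out of the database (separate host, HSM,
# or app-server config) and rotated per epoch. Duplicate/rate-limit detection
# only needs tag equality within an epoch; once the epoch key is destroyed,
# the stored tags cannot be tested against any candidate list.

def keyed_tag(ip: str, epoch_key: bytes) -> bytes:
    return hmac.new(epoch_key, ip.encode(), "sha256").digest()


def same_submitter(tag_a: bytes, tag_b: bytes) -> bool:
    """Abuse detection: same address in the same epoch gives the same tag."""
    return hmac.compare_digest(tag_a, tag_b)


def recover_tag_from_range(tag: bytes, cidr: str, epoch_key: Optional[bytes]) -> Optional[str]:
    """Only the key holder can test candidates; with the key gone, nothing to test."""
    if epoch_key is None:
        return None
    for host in ipaddress.ip_network(cidr).hosts():
        if hmac.compare_digest(tag, keyed_tag(str(host), epoch_key)):
            return str(host)
    return None


if __name__ == "__main__":
    submitter = "203.0.113.7"  # constructed sample address (TEST-NET-3)
    rec = store_salted(submitter)
    print("salted hash, candidate confirmed:", confirm_candidate(rec, submitter))
    print("salted hash, recovered from /24:", recover_from_range(rec, "203.0.113.0/24"))

    epoch_key = os.urandom(32)  # constructed; in practice never stored with the rows
    tag = keyed_tag(submitter, epoch_key)
    print("keyed tag, duplicate detected:", same_submitter(tag, keyed_tag(submitter, epoch_key)))
    print("keyed tag, recovery with key:", recover_tag_from_range(tag, "203.0.113.0/24", epoch_key))
    epoch_key = None  # expiry policy: destroy the key, tags become unlinkable
    print("keyed tag, recovery after key destroyed:", recover_tag_from_range(tag, "203.0.113.0/24", None))
```

The caveat is that the keyed scheme only helps if the key really is held separately from the database and is destroyed on schedule; an operator who can be compelled to hand over both rows and key is in the same position as with bcrypt. It also does nothing for IPv6 privacy extensions or shared NAT addresses, which are separate questions.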
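The plausibility rule at the end of the post above (a petty-bribe report geo-tagged inside a place ordinary people cannot enter is suspended automatically) is, as an added example that is not bribespot's code, a radius check against a list of restricted zones. The zone names, coordinates and radii are constructed sample values, not a real list; the `triage_report` function and its return strings are assumptions for illustration.

```python
"""Geo-tag plausibility check: added example, not bribespot's code."""
import math
from dataclasses import dataclass
from typing import Iterable, Optional

EARTH_RADIUS_M = 6_371_000.0


@dataclass(frozen=True)
class RestrictedZone:
    name: str
    lat: float
    lon: float
    radius_m: float  # distance from the centre that still counts as "inside"


# Constructed sample zones; a real deployment would maintain these per country.
SAMPLE_ZONES = [
    RestrictedZone("presidential palace (sample)", 10.0, 20.0, 300.0),
    RestrictedZone("military base (sample)", -5.5, 30.25, 1_500.0),
]


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres; accurate enough for zones a few km across."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def implausible_zone(lat: float, lon: float, zones: Iterable[RestrictedZone]) -> Optional[str]:
    """Name of the first restricted zone containing the point, or None."""
    for z in zones:
        if haversine_m(lat, lon, z.lat, z.lon) <= z.radius_m:
            return z.name
    return None


def triage_report(report: dict, zones: Iterable[RestrictedZone] = SAMPLE_ZONES) -> str:
    """'suspended' when the geo-tag lands in a restricted zone, otherwise 'queued'
    for human vetting. Suspension, not deletion: a reviewer can still override."""
    return "suspended" if implausible_zone(report["lat"], report["lon"], zones) else "queued"


if __name__ == "__main__":
    # constructed reports: ~110 m from the palace centre, then ~1.1 km away
    print(triage_report({"lat": 10.001, "lon": 20.0, "amount": 5}))
    print(triage_report({"lat": 10.01, "lon": 20.0, "amount": 5}))
```

This only catches careless fakes: a geo-tag is supplied by the client, so a deliberate forger can place a report anywhere, and genuine reports near a zone boundary will need a human look. It is a filter on the vetting queue, not a substitute for vetting.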
The real way to solve this problem is to make it distributed so that everyone can contribute and anyone can read all of the posts from a single node. Then there is no single way to get a list of IP addresses.
When you're dealing with bribery, you can't prevent blackmailing/fake reports at all.<p>What you can do, though, is to provide HTTP, HTTPS and Tor access to your webservice to allow everyone to submit stuff at his/her own security choice.<p>If possible, change your IP address(es) and domain names at random intervals; you can use free domains like .de.vu and friends to have reliable "entry points" (an example is canna.cu.to).<p>If you have an android app anyway, try building a "distributed" service like BitTorrent or Bitcoin for information exchange.
It seems to me that for your particular problem domain, the solution is simply to be hosted in a country that is unlikely to serve you a subpoena for the kind of information you're dealing with, i.e. most western European countries and the US. Iceland seems to be on a data protection binge lately. Your "no names" policy further protects you in this regard.
Here is a tutorial on how to run a Tor onion hidden service inside a Linux VPS: <a href="http://torforum.org/viewtopic.php?f=5&t=18268" rel="nofollow">http://torforum.org/viewtopic.php?f=5&t=18268</a><p>Both you and your visitors will always stay anonymous. Neither your hoster nor their ISPs will ever have a chance to reveal someone's identity.
Possibly relevant. I wrote this a few months ago regarding some of the challenges with crowdsourcing crime reporting in the Mexican Drug War: <a href="http://readwrite.com/2012/08/14/the-problem-with-crowdsourcing-crime-reporting-in-the-mexican-drug-war" rel="nofollow">http://readwrite.com/2012/08/14/the-problem-with-crowdsourci...</a>