How to Run a Rogue Government Twitter Account With an … – The Intercept

Posted: February 22, 2017 at 3:53 am

For this exercise, I decided to pick a highly controversial political topic: Facts. I believe that what we know about reality is based on evidence that can be objectively observed. Thus, I created the completely anonymous (until publishing this article, of course) Twitter account @FactsNotAlt. Heres how I did it.

Threat model

Before we begin, it helps to define a threat model, that is: what we need to protect; who we need to protect it from; what their capabilities are; and what countermeasures prevent or mitigate these threats.

Basically, its impossible to be completely secure all the time, so we need to prioritize our limited resources into protecting what matters the most first. The most important piece of information you need to protect in this case is your real identity.

Law enforcement or the FBI might launch an investigation aimed at learning your identity. It may be to retaliate against you getting you fired, charging you with crimes, or worse. Your Twitter account might also anger armies of trolls who could threaten you, abuse you with hate speech, and try to uncover your identity.

If the FBI opens an investigation aimed at de-anonymizing you, one of the first things theyll do is simply ask Twitter and every other service that they know you use for information about your account. So a critically important countermeasure to take is to ensure that none of the information tied to your account phone numbers, email addresses, or IP addresses youve used while logging into your account lead back to you.

This is true for all accounts you create. For instance, if you supply a phone number while creating your Twitter account, the phone service provider associated with that number shouldnt have information that can lead back to you either.

Another concern: The FBI also might go undercover online and try to befriend you, to trick you into revealing details about yourself or to trick you into clicking a link to hack you. They might make use of informants in the community of people who follow you on Twitter as well. Organized trolls might use the same tactics.

Hiding your IP address with Tor

An IP address is a set of numbers that identifies a computer, or a network of computers, on the internet. Unless you take extra steps, every website you visit can see your IP address. If youre using Twitter while connected to your home or office Wi-Fi network, or your phones data plan, Twitter can tell. If they hand these IP addresses to the FBI, you will very quickly lose your anonymity.

This is where Tor comes in. Tor is a decentralized network of servers that help people bypass internet censorship, evade internet surveillance, and access websites anonymously. If you connect to Twitter while youre using Tor Browser, Twitter cant tell what your real IP address is instead, theyll see the IP address of a random Tor server. Tor servers are run by volunteers. And even if any of the servers bouncing your data around are malicious, they wont be able to learn both who you are and what youre doing.

This is the primary benefit that Tor has over Virtual Private Network, or VPN, services, which try to help users hide their IP addresses. The FBI can go to a VPN service to learn your real IP address (assuming the VPN keeps a record of its users IP addresses, and cooperates with these requests). This isnt true with Tor.

To get started with Tor, download Tor Browser. Its a web browser, like Chrome or Firefox, but all its internet traffic gets routed over the Tor network, hiding your real IP address.

Using Tor Browser is the easiest way to get started, but its not perfect. For instance, a hacker who knows about a vulnerability in Tor Browser can discover your real IP address by tricking you into visiting a website they control, and exploiting that vulnerability the FBI has done this in the past. For this reason, its important to always immediately update Tor Browser when you get prompted.

You can also protect yourself from Tor Browser security bugs by using an operating system thats designed to protect your anonymity, such as Tails or Qubes with Whonix, (Ive written about the latter here). This is more work for you, but it might be worth it. Personally, Im using Qubes with Whonix.

Getting an anonymous email address

Before you can create nearly any account online, you need an email address. While popular email services like Gmail or Yahoo Mail let anyone make an account for free, they dont make it easy to do so anonymously. Most of them require that you verify your identity with a phone number. You can in fact do that anonymously (more on that below), but I prefer using an email provider that is happy to give addresses to anonymous users.

One of these providers is SIGAINT, a darknet-only service that forces all its users to login using Tor to read or send email. The people who run it are anonymous and it contains ads for (sometimes very sketchy, sorry) darknet websites. However, you do end up with a working, anonymous email address.

Update: Feb. 20, 3:10 p.m. ET The SIGAINT service appears to be down right now. Whileits down, you can try Riseup, or set up a burner phone and then tryProtonMail, Gmail, or some other service instead.

If you prefer not to use SIGAINT, another good choice is Riseup, a technology collective that provides email, mailing list, VPN, and other similar services to activists around the world. Accounts are free, and they dont ask for any identifying information, but you do need invite codes from two friends who already use Riseup in order to create an account.

Yet another option is ProtonMail a privacy-friendly email provider based in Switzerland that asks for minimal identifying information and works well over Tor. However, to prevent abuse, they require Tor users to provide a phone number (that they promise not to store) to receive an SMS during account creation. So, if youd like to use ProtonMail instead (or any other email service that requires a phone number when creating an account over Tor), follow the steps below to create an anonymous phone number first.

I decided to use SIGAINT. In Tor Browser, I went to SIGAINTs onion service address, sigaintevyh2rzvw.onion, which I found on their public website. This is a special type of web address that only works in Tor Browser, and not the normal internet. From there, I filled out the form to create a new account.

Thats it. Ive now created a brand new anonymous email address: factsaretrue@sigaint.org.

Getting an anonymous phone number

While attempting to create a Twitter account, I quickly hit a snag. Even if I provide my (anonymous) email address, Twitter wont let me create a new account without first verifying my phone number. (You might get lucky and get the option to skip entering your phone number it doesnt hurt to try but if youre coming from a Tor node that isnt likely.)

This is a problem, because I obviously cant use my real phone number if I want to remain anonymous. So to proceed, I needed to figure out how to get a phone number that isnt tied to my actual identity. This is a common problem when trying to stay anonymous online, so you can follow these instructions any time you need a phone number when opening an account.

There are other ways to do it, but I chose a conceptually simple option: Buy a burner phone anonymously, use it to verify my new Twitter account, and then get rid of it. I wandered around downtown San Francisco looking in convenience stores and pharmacies until I found what I was looking for in a 7-Eleven.

Using cash, I bought the cheapest TracFone handset I could find (an LG 328BG feature phone as in, not a smartphone) as well as 60 minutes worth of voice service, for a total of $62.38 after tax. You might be able to find cheaper cell phone handsets if you look long enough.

If youre going to get a burner phone and want to maintain your anonymity, here are some things to keep in mind:

After buying phone service, youll need to activate the phone. This process will be different with different phone companies. TracFone requires you to activate your handset either by calling their phone number from a different phone obviously not a good option for someone trying to remain anonymous or by activating online at their website. I activated my burner phone online using Tor Browser.

Once youve activated your phone, you can use the phones menu system to learn what your new phone number is. On my LG 328BG, I pressed Menu, selected Settings, and finally Phone Information to find it.

Creating a Twitter account anonymously

Finally, armed with an email address and phone number that arent in any way connected to my real identity, I could create a Twitter account.

Before making an account, grab your laptop and burner phone and go to a public location that isnt your home or office, such as a coffee shop. When you get there, power on your burner phone. Keep in mind that this location is now tied to your burner phone, so you might wish to do this step when youre traveling in another city.

Using Tor Browser, I navigated to https://twitter.com/signup and signed up for a new account. The new account form asked for my full name (Facts Are True), my email address (factsaretrue@sigaint.org), and a password.

After clicking Sign up, I was immediately prompted to enter my phone number. I typed my anonymous phone number and clicked Call me. A Twitter robot called my burner and read out a six-digit number, which I typed into the next page on Tor Browser. It worked great.

With the phone number verification step complete, I powered off my burner phone. Once youre sure you dont need your burner phone anymore, its a good idea to get rid of it.

Toward the end of the signup process, Twitter prompted me to come up with a username. After many tries, I found one I liked: @FactsNotAlt. After clicking through the welcome screen, I was finally logged into my new anonymous account.

I went ahead and confirmed that I control my factsaretrue@sigaint.org email address.

And there you have it. I set up my new account and began tweeting about things that are true.

Maintaining the Twitter account over time

If youre following along, youve now created a completely anonymous Twitter account as well. Congratulations! But your work has only just started. Now comes the hard part: Maintaining this account for months, or years, without making any mistakes that compromise your identity. I wont be following these tips myself with the @FactsNotAlt account Ive already outed myself as the owner. But for anyone who is trying to anonymously maintain a popular Twitter account, here are some things to keep in mind.

Be careful about how you interact with people:

Compartmentalize:

Many successful Twitter accounts have a team of people who run them instead of a single individual. If youre part of such a team, or thinking of sharing access to your existing account with someone new:

And finally, keep in mind that after all this, Twitter can always kick you off for their own reasons. And if your account gets hacked and the email address associated with it is changed, youll have no way to recover it.

Good luck!

More:
How to Run a Rogue Government Twitter Account With an ... - The Intercept

Related Posts