Kit #10. I need to send emails that cannot be tracked back to me
I have to send emails that, if leaked, would put me or my colleagues at risk. How do I send emails that cannot be tracked back to me?
You need to send anonymous messages that you don’t want anyone to be able to link back to you. You might need to work anonymously. You need to take precautions not to expose your and others’ identities in case some messages are intercepted or one of your colleagues’ computers is confiscated.
What you should do
There are many points along the message’s way from you to the recipient that can expose your identity. Nevertheless, you can take some of the following precautions that make it very difficult to link the message back to you:
- Create an email account with a service that is openly committed to user privacy and does not store or disclose user or message details. Every email message travels through the internet with metadata to ensure its recipient receives it. Think of stamps of all the post offices through which a package travels. Some email providers deliberately delete message details about previous servers through which a given email has travelled. This is what you need. If your email provider is based in London, all that can be found from your message about your real physical location is that your messages travelled through London. Note that this is effective only if the email is intercepted after it reaches your email provider. Riseup.net is such an email provider.
- When creating your new email account, make sure you use the Tor browser, or a VPN to hide your location. Obviously, you should also ensure that none of the details you provide in the sign up page (including the passphrase!) can link the account to your real identity.
- If your use is temporary, use a web-based anonymous remailer service but note that you should not have extended correspondence through an anonymous remailer. In fact, not all of them will even deliver messages back to you. Additionally note that even if you trust the service, you should access the remailer website with Tor Browser to anonymise your IP address.
- If you will be checking your email over the web then always do so using the Tor browser.
- If you choose to use a desktop client to check your new email account, you should configure it to connect through the Tor anonymising network. (This can be achieved by using Thunderbird with the TorBirdy extension). If properly configured, it will pass your email communication through a chain of anonymising servers that will obfuscate the message’s route between you and your service provider.
- Consider using an email client as a portable application to send and receive your emails from public computers. For example, you could install the email client Thunderbird on a USB drive. You can then write messages on your (or any other) computer, go to a public computer, plug your memory stick into a computer, open Thunderbird, and send your messages. Sending messages from a public computer has the advantage that the computer and IP address are not associated with you. It is advised in case of using public computers to use VPN or Tor before starting your web activity and communication. In all cases there are physical clues that can identify you even with a public computer such as CCTV footage or computer user logs at libraries.
Keep in mind
While using public computers can be useful to maintain your annonymity, you have generally no control over what kind of software, malware, keyloggers or remote administration applications run on such a computer. Have these possible threats in mind when using a public computer.
Where to find more help
- Read about Riseup’s secure email and internet services.
- Learn about using the Tor Browser.
- Learn about Portable Thunderbird.
- Tips on responding to suspected email surveillance.