The Limits of Security Theatre
July 17, 2024 • 940 words
Despite my formal training and academic credentials in corporate security, I find privacy, anti-censorship and security for the individual more stimulating subject areas.
The question of how a journalist, blogger, activist or whistleblower could remain anonymous online, indefinitely, makes for some interesting thought experiments. It's possible in theory, because the tools and methods for that do exist, but we fail at it in the real world because of the human element. Most of us don't have the expertise, solid endpoint security and meticulous OPSEC discipline for that.
This post is more about giving a few pointers for those who simply want enough anonymity to maintain a healthy separation between their public identity and what they publish or discuss on the Web, and enough anonymity to avoid the harvesting of personal data by corporations and the systems of mass surveillance that have developed over the last couple of decades.
This post is inspired by my learning that Proton acquired SimpleLogin and Standard Notes. Combined, they potentially give us a decent layer of privacy. It pays to be slightly cynical when it comes to privacy-enhancing tools, though.
VPNs and Tor
A common misconception is that VPN services are essential privacy tools, or that they confer some degree of anonymity. This is incorrect for several reasons. Basically, unless you're using Tor, an intermediary will know your IP address and which sites you're accessing, and that intermediary is liable to disclose that information to a third party.
Almost all VPN service providers, regardless of what they claim, will turn over their users' IP addresses if/when they need to. A company operating a commercial VPN service definitely will comply with a court order, and someone operating a non-commercial VPN definitely won't risk going to prison to protect someone else.
Does it matter where the VPN service is based? Probably not. Switzerland, for example, might have stronger privacy laws, but the Swiss authorities do issue court orders in response to requests from governments and law enforcement organisations outside of Switzerland. There are many formal and informal international agreements for the sharing of data.
One thing that gets overlooked is that, while a VPN masks your actual IP address, it still relays whatever identifying data your browser's sending, and likely what several other applications are sending in the background. That's also the case with Tor, which definitely won't protect someone who's still logging into accounts associated with their real identity, has very bad OPSEC and isn't using it in conjunction with something like Privoxy.
The main thing that distinguishes ProtonMail from other email services is that message content is encrypted in storage, and also between two ProtonMail accounts. ProtonMail is objectively more secure than most email services, because encryption can be a strong layer of protection against data breaches, and the content of users' emails is protected if an adversary gets access to them, either through hacking or through a court order. Most people should worry about being a victim of a data breach, more than anything.
ProtonMail's security model also means that two or more people with ProtonMail accounts can securely communicate with each other.
However, that encryption, aside from TLS sessions between mail relay servers, doesn't provide any security for emails sent from ProtonMail to recipients using a different email service. Emails are almost always relayed entirely in plain text, by multiple mail servers, between two domains. If you're sending an email from example@protonmail.ch to example@gmail.com, Google will have access to the entirety of the email.
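To see what transport protection a given message actually had, the `Received` headers can be inspected on the receiving side. The following is an added example, not part of the original post: it parses a constructed message (all hostnames and IDs are made up) and reports which hops declared TLS through the RFC 3848 `with` keywords.

```python
import re
from email import message_from_string

# Protocol keywords from RFC 3848 that indicate the hop was made over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Constructed sample message; hostnames, IPs and IDs are illustrative only.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])
\tby store.recipient.example with LMTP id c3; Wed, 17 Jul 2024 10:00:03 +0000
Received: from relay.sender.example (relay.sender.example [198.51.100.7])
\tby mx.recipient.example with ESMTPS id b2
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384); Wed, 17 Jul 2024 10:00:02 +0000
Received: from client.sender.example (client.sender.example [192.0.2.5])
\tby relay.sender.example with ESMTP id a1; Wed, 17 Jul 2024 10:00:01 +0000
From: example@protonmail.ch
To: example@gmail.com
Subject: test

body
"""

HOP_RE = re.compile(r"\bby\s+(\S+).*?\bwith\s+(\S+)", re.I)


def hops(raw):
    """Return (receiving_host, protocol, declared_tls) per hop, oldest first."""
    msg = message_from_string(raw)
    result = []
    # Each relay prepends its header, so reverse to follow the delivery path.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        if m:
            proto = m.group(2).upper()
            result.append((m.group(1), proto, proto in TLS_PROTOCOLS))
    return result


def cleartext_hops(raw):
    """Hosts that accepted the message without declaring TLS."""
    return [host for host, _, tls in hops(raw) if not tls]


if __name__ == "__main__":
    for host, proto, tls in hops(SAMPLE):
        print(f"{host:28} {proto:8} {'TLS' if tls else 'no TLS declared'}")
```

Even a hop marked `ESMTPS` only protects the connection: every relay listed still handled the full message, and the headers are self-reported by those relays.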
ProtonMail also is definitely not an anonymous email service, unless you're registering and accessing your account over Tor. The fact is that Proton did log users' IP addresses, and they did provide that information to assist in the arrest of activists, outside of Switzerland, who were not engaged in serious crime.
Mail Aliases
If you registered a ProtonMail address over Tor, and it can't immediately be attributed to your offline identity, you're pretty much anonymous enough to begin with. You could communicate with multiple other people with their own ProtonMail addresses, and your communications would be secure and anonymous.
The thing is, anonymity would depend on that email address being single-use. If you registered a blog, a forum and a messaging account with that address, an adversary could piece together more information about you - for example, your choice of forum, your choice of username, the type of forum posts you're responding to, what times you're active, what you disclose about yourself... If you're maintaining a blog with that same email address, each blog post is also going to reveal several more pieces of information about you. All that information will eventually develop into a fairly detailed profile.
This is why SimpleLogin can be very useful, as it enables us to create multiple email aliases, and each alias can be used for something different. This makes it much harder to attribute something like a blog and a forum account to the same identity. Obviously, it's important to remember that SimpleLogin can, in response to a court order, or through a data breach, reveal the email address communications are being forwarded to.
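A quick way to check your own separation is to list the identifiers you gave each service and see which accounts collapse into one persona. The following is an added example, not part of the original post; the inventories, addresses and usernames are constructed, and it goes slightly beyond the text by treating a reused username the same way as a reused email address.

```python
from collections import defaultdict


def linked_personas(accounts, fields=("email", "username")):
    """Group accounts that share any identifier value, directly or transitively."""
    parent = {a["service"]: a["service"] for a in accounts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    seen = {}  # (field, normalised value) -> first service that used it
    for a in accounts:
        for f in fields:
            key = (f, a[f].strip().lower())
            if key in seen:
                parent[find(a["service"])] = find(seen[key])
            else:
                seen[key] = a["service"]

    groups = defaultdict(set)
    for service in parent:
        groups[find(service)].add(service)
    # Largest cluster first: that is the most exposed persona.
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


# Constructed inventories (addresses and usernames are made up).
SINGLE_ADDRESS = [
    {"service": "blog", "email": "writer@mail.example", "username": "quietpen"},
    {"service": "forum", "email": "writer@mail.example", "username": "nightowl"},
    {"service": "chat", "email": "writer@mail.example", "username": "k7"},
]
ALIASED_BUT_REUSED_NAME = [
    {"service": "blog", "email": "a1@alias.example", "username": "quietpen"},
    {"service": "forum", "email": "b2@alias.example", "username": "nightowl"},
    {"service": "chat", "email": "c3@alias.example", "username": "NightOwl"},
]
FULLY_SEPARATE = [
    {"service": "blog", "email": "a1@alias.example", "username": "quietpen"},
    {"service": "forum", "email": "b2@alias.example", "username": "nightowl"},
    {"service": "chat", "email": "c3@alias.example", "username": "k7"},
]

if __name__ == "__main__":
    for name in ("SINGLE_ADDRESS", "ALIASED_BUT_REUSED_NAME", "FULLY_SEPARATE"):
        print(name, linked_personas(globals()[name]))
```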
Notes and Blogging
The security model for Standard Notes is quite good. Notes are end-to-end encrypted, and they're also encrypted on the local device if the client application is used. A note can be published from Standard Notes to the Listed.to blogging platform.
This is a bit trickier to use with Tor, but the layer of privacy Standard Notes provides does give us freedom to express our thoughts and opinions without having to worry about others reading our stuff before we decide whether to publish.