Well, that is question.
This is a response to the continued overreach of the federal government. Including certain three letter agencies such as the: CIA, NSA, FBI, etc.
There are basic ways you can protect yourself and your privacy online from state surveillance and prosecution.
From the original creator of this document:
"I am writing this from the perspective of someone has been the target of doxxing, coordinated surveillance, and law enforcement."
This is pretty close to who I am. I've been targeted unfairly by three letter agents my whole life. Additionally, I run the filehaus.top filesharing service, which mobs and three letter agents have falsely accused of distributing CSAM simply because I am a proponent of free speech.
This guide is meant to be used as a general introduction to important aspects of online security.
You can freely distribute this document. It is a public work available to be edited and distributed.
Enjoy!
Right to remain silent: Most Western countries have the concept of the right to remain silent. Essentially this is a right against self-incrimination. USE IT. 98% of people questioned in the United States do not invoke their right to remain silent because they think it will make them look more suspicious or law enforcement might "give a better deal".
The simple fact is LAW ENFORCEMENT IS NOT YOUR FRIEND. They are building a case and anything you say can and will be used against you. Law enforcement in the United States can legally lie to you. If they promise a good deal or they will "go to bat" for you with the prosecutor it's a fucking lie. Unless you have a lawyer present to help you and a paper to sign do not believe it for a second.
How to invoke your right to remain silent: To the United States, it is not enough to say "I should have a lawyer", "I don't want to talk", "I'm going to stay silent." The legal system is so fucked up that you have to specifically say something like "I invoke my right to remain silent." Any good lawyer will tell you this. They likely WILL try to get you to talk even after this, so just shut the fuck up and keep silent.
The same also applies to asking for a lawyer. The government can ignore "I think I need a lawyer", but it is against the law to talk to you after you say a sentence along the lines of "I want my lawyer, allow me to contact them."
The only questions you should potentially ask:
1. "Why am I here?"
2. "Am I being detained or under arrest?"
3. (if no to both of the above) "Am I free to leave?"
If the answer to the above is yes, LEAVE.
Biometrics are not safe from law enforcement. However, you can "forget" your password and remain silent, and your security devices can also "go missing" in an accident.
Passwords should be
Weak passwords consist of:
If you are storing sensitive information nobody else should ever have access to the password should be far longer (mine tend to be 30+ characters). You can remernber multiple sets of srnaller passwords and chain them together. I tend to use passwords in the "Fort Knox" section at https://randomkeygen.com if not generating them from within a password manager like KeePassXC. ex. ixH—g—@ZA8#L—XXHSUgY(02=AaUes DO NOT WRITE YOUR PASSWORDS DOWN! (unless it is to store in a remote location unknown to everyone else as a physical backup). If this is a master password or another important password DO NOT SAVE IT IN THE BROWSER. Use a password manager like KeePassXC which is an open source password manager. The master password to this database should be 30+ characters following the guideline above and preferably other factors like Multi Factor Authentication. The database is encrypted with AES-256.
Authentication factors include the following:
If you are using a password storage database (or even not) I recommend the use of a hardware security device such as a YubiKey or OnlyKey. This can be done easily by setting these devices in One Time Password Mode. Combine this with something you know, and now you have 2FA.
YOUR SECURITY IS ONLY AS GOOD AS YOUR OS ENCRYPTION: If you do not fully encrypt your operating system drive and or leave on your computer without shutting it off when you leave, even if the drive is fully encrypted, then you are making a mistake. Law enforcement and others could access your device when you are away and plant viruses, keyloggers, remote access software, or incriminating material to frame you. I find Linux Unified Key Setup (or LUKS) to be decently trustworthy as a full disk encryption method.
VeraCrypt: This program allows you to create encrypted volumes, or in the case of Windows you can also encrypt the entire OS. https://www.veracrypt.fr/
If you have anything extremely sensitive use an encrypted storage container. You can set and change the master password (2FA recommended) and also choose the encryption algorithms and hashing algorithm.
Encryption algorithms: AES, Camellia, Kuznyechik, Serpent, Twofish, Cascades (I use Kuznyechik-Serpent-Camellia. Each cipher in the cascade uses its own key, and all keys are mutually independent).
Hash algorithms (recommended): SHA-512, Whirlpool (I use Whirlpool).
For plausible deniability, use hidden volumes. Use one password for some data and another for another set. Until decrypted, VeraCrypt volumes have no signature. This means it cannot be proven your container is a VeraCrypt container.
At this point you should be using some kind of encrypted file system or container which was described above for desktops and laptops. Simple deletion does not work: If a file at any point touches your hard drive without it being encrypted, and you delete that file, IT IS NOT ACTUALLY GONE. The data is still 100% fully retrievable which will be taken advantage. If you are going to delete a sensitive file, or moved it to an encrypted device or volume but at one point it touched your unencrypted drive, use a free space eraser or secure eraser tool.
A popular tool for this job on windows is Eraser. https://eraser.heidi.ie/ By overwriting the free space of the drive you are making it FAR harder to ever retrieve that deleted information. Be aware that destroying storage counts as evidence.
To be fair, why would you still be using Windows anyways? If you're just getting into Linux, I reccomend Linux Mint Debian Edition.
For maximum privacy and security, burn a Tails or Whonix ISO onto a CD or DVD (or usb). Tails routes all traffic through the TOR network and automatically deletes all data when you power off your computer.
If you use iPhone: don't store sensitive material on that ever, if law enforcement is motivated enough they will get into it and it is not a secure device in my opinion. iOS is proprietary software and Apple is more than happy to cooperate with LEA.
If you use Android there is significantly more you can do:
If you cannot root the device the rest of this advice will likely still be fine, however you are more vulnerable to being spied on by having your phone become compromised or backdoored.
An often overlooked privacy detail when it comes to phones are mobile networks, plans of which are often purchased alongside when you get a new phone. This can be detrimental to your privacy: your SIM card has an IMSI which, in most networks, cannot be changed. Your IMSI is a unique, usually 15-digit number used for identifying customers subscribed to a cellular network. Since connectivity is based on location and signal strength, your IMSI leaves a location history which can be used to track presence and activity in a given location.
Your best option would be to ditch cellular altogether, but unfortunately, that oftentimes isn't an option. Instead, I would reccomend going with one of the following:
These services often do not include a phone number or SMS capability. If you need to use SMS or a phone number, do one of the following:
If you are sharing sensitive information over platforms like Discord, Twitter, Facebook, etc. STOP for the love of god. All of that can be easily subpoenaed by law enforcement. These platforms have data retention policies that will keep any photos, files, or texts you post for up to 90 days or more. Privating your Twitter accounts doesn't work either, anyone including the police can use an exploit to gain access to your private Twitter, Instagram, etc etc. I've seen it happen before to multiple people.
Any of the following messaging platforms are a free, open source, and much better alternative:
When using e-mail, always encrypt your messages with PGP. Using PGP encryption prevents the owner of your mail service from looking at anything you have sent and what you've recieved.
You should also strip all metadata from a file before you transmit it over the internet. You should never send any media over the internet without first removing it of any metadata (e.g. EXIF data)
I always use a VPN to conceal my IP when I'm not using Tor/I2P. AVOID USING PROTONMAIL/PROTONVPN. Maybe for brief moments on a throwaway basis, but not as your main. Using free public WiFi is a good way of not being able to trace internet traffic back to you, but it depends massively on which place you get the WiFi from.
If you use a debit or credit card to purchase a VPN, that information is likely stored and with that information the government can monitor you. If you want to buy an anonymous VPN, use Monero. Keep in mind that most VPN providers are not trustworthy and sell your data behind your back. I trust and reccomend Mullvad and Cryptostorm, but I hear IVPN is also good.
Tor and I2P are fundamentally different from a VPN. A VPN is somewhat of a centralized entity, and your data is tunneled through that entity. TOR and I2P are decentralized networks operated by volunteers that provide anonymity and access to hidden services (referred to as the dark web).
TOR: TOR is more mature and larger, focuses on accessing the clearnet anonymously and hidden services secondary.
I2P: Far higher security threshold and not as exploitable, no central directory servers, focuses on hidden services primarily and clearnet secondarily.
Under no circumstance should you use Tor or I2P with JavaScript on. When using the clearnet, use the NoScript extension to whitelist JavaScript functions as needed. Remember: JavaScript runs on your device, and can be used to deanonymize you!
Depending on your situation there are a few routes you should be aware of. If you are fully doxxed consider going to a state where you can get a sealed name change and do so, or change your name when heat dies down in roughly ~6 months or less when people get bored. Using that new name should be done with new accounts, and a new phone number (like a burner)
DON'T BE RETARDED. Are you being accused of an act that is illegal? You are truly shooting yourself in the foot if you ever make an admission to anything of the sort. Admissions and confessions are golden standards for law enforcement and also the hate mob.
Just let people cry about you. Let stupid people whine and cry about you, doctor screenshots and falsify evidence, run around with their heads cut off with conflicting doxxes and evidence reporting to law enforcement. The longer this goes on, the less there is a chance of any serious investigation and people ruining any kind of evidence if it does exist.
Screenshots do not equal guilt. For this to have any weight at all law enforcement will need to subpoena the social media provider for information. If this information is deleted or unavailable, screenshots are absolutely meaningless. Even archives can be doctored, but is much better than screenshots. Luckily most people are too retarded to realize that.
Disappear for a while. People tend to get bored after a few months of you being quiet, and by the 6 month mark people usually completely forget who you are anyway.