B3RN3D

Let your plans be dark and impenetrable as night, and when you move, fall like a thunderbolt.

The Importance of Anonymous Email Addresses

Email is dead, so why do we keep having to register for services using an email address? Think of a cloud service that doesn’t use an email address as your identifier. Email has moved from being a communication tool to being an authentication system.

Notice that we are not talking about anonymous communication here, because we know that email is the worst possible option for that at this point. We are talking about anonymously registering for an email account, so that you can also potentially register for other services anonymously.

Here’s an example: GitHub. In order to create a GitHub account, you need to give them an email address so that you can activate your account.

The Problem

The problem for anonymous, privacy-concerned people of the Internet is that it’s relatively difficult to get an email address while using something like Tor. Sites will block you in a variety of ways:

  1. Blocking Registration: A site like Hotmail will block all access to register for a new address. You cannot use Tor to create an account.
  2. Blocking Service: The site will let you register, and subsequently block access to webmail from any Tor exit node.
  3. Requiring Extensive Validation: The site allows registration, and access, but will eventually require you to validate your identity through some kind of out-of-band system like an SMS.
  4. The Tease: And then there are sites that seem to allow you to register, access the service, but a few months down the line, you suddenly find out that your account has been blocked or requires a special non-Tor validation mechanism.

In each of these cases, there are probably ways to evade these restrictions. For phone activation, we can use a burner phone. In the case of registration just being blocked, you could probably find an un-attributable computer to borrow just for the registration process. But the conclusion must be the same – these providers do not want anonymous users. This is a network policy as much as it is a political statement. Because of this, even if you’ve “tricked” the mail provider into allowing you to register, you should eventually expect to be blocked from access without notice.

The Solutions

So what options do anonymous users have? Remember, our goal is to eventually register for some other service that requires an email address, but we can’t even register to get an email address in the first place.

Webmail Providers

Gmail, Yahoo and Microsoft all offer webmail. In an ideal world, you could just register with them, get an email address, and be done with it. If your operation only requires that you hide behind a VPN, this may work for you, but if you’re using something like Tor, you are going to be blocked as described above.

Google has an interesting blocking program right now. When a user goes to register, Google creates a fingerprint of that user: what is the resolution of their computer, what plugins do they have installed, what fonts are supported, etc. Therefore, changing IP addresses and clearing out your cookies will not affect the registration process. Google sets a number for each user so that when you first register for an account, you do not have to activate via SMS or phone call. But your third or fourth will require it. There is a method to the madness but I’ve yet to figure it out (or care enough).
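As an added illustration (not code from this post, and not Google's actual logic, which remains unknown), the following Python models a registration gate that keys a counter on browser attributes only. The field names, the SHA-256 hashing and the threshold of two free sign-ups are assumptions; the sample requests are constructed.

```python
import hashlib
import json
from collections import Counter

# Assumption: only the attributes named in the post feed the fingerprint.
FINGERPRINT_FIELDS = ("resolution", "plugins", "fonts")


def device_fingerprint(browser: dict) -> str:
    """Hash device attributes only; IP address and cookies are never inputs."""
    canonical = {}
    for field in FINGERPRINT_FIELDS:
        value = browser.get(field, "")
        # Sort list-valued attributes so enumeration order does not matter.
        canonical[field] = sorted(value) if isinstance(value, list) else value
    blob = json.dumps(canonical, sort_keys=True).encode("utf-8")
    return hashlib.sha256(blob).hexdigest()


class RegistrationGate:
    """Counts sign-ups per fingerprint and escalates to SMS past a limit."""

    def __init__(self, free_signups: int = 2):  # hypothetical threshold
        self.free_signups = free_signups
        self.seen = Counter()

    def register(self, request: dict) -> str:
        fp = device_fingerprint(request["browser"])
        self.seen[fp] += 1
        return "allow" if self.seen[fp] <= self.free_signups else "require_sms"


def demo() -> list:
    # Constructed sample: one browser, three sign-ups, each from a new IP
    # address with an empty cookie jar.
    browser = {"resolution": "1000x900", "plugins": [],
               "fonts": ["Arial", "Times New Roman"]}
    gate = RegistrationGate()
    ips = ["198.51.100.7", "203.0.113.20", "192.0.2.55"]
    return [gate.register({"ip": ip, "cookies": {}, "browser": dict(browser)})
            for ip in ips]


if __name__ == "__main__":
    print(demo())
```

Under this model, browsers that deliberately present an identical fingerprint all share one counter, so the SMS step is reached quickly for everyone using them.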

Yahoo is one of those situations where they allow anonymous registration, but after a month or two they will block access with an unusable CAPTCHA. No matter how many times you attempt to complete it, when using Tor, the result will say that you have entered the CAPTCHA incorrectly.

This is a semi-plausible option, but generally not a good solution for long-term operations. It’s safe to say that I would almost never recommend using something like Gmail.

Temporary Email Services

Sites like Mailinator provide a temporary email address. You create a random address, sign up for a service using that address and you can check that mailbox whenever you need. Email is cleared out after a certain period of time. It’s great for spam and sites with unnecessary registrations.

There are a couple of problems, though. One is that many (most?) service providers block registration from Mailinator addresses. Another is that anyone who knows your Mailinator email address can access your email; the concern here being someone resetting your password.

Want an example? Why not reset the passwords for any of these Skype accounts:

Name Mailinator Address
Merlin merlin@mailinator.com
anbu.mailinator anbu@mailinator.com
wert wert@mailinator.com

The point is, Mailinator works, when it works, but most of the time it doesn’t. For short operations, or something you need temporary access to, this is a good solution.

Other alternatives to Mailinator:

Acquired Accounts

There are a variety of dark market sales that will give you pre-configured email addresses. These are either hacked accounts, or merely registered addresses to save you the hassle. You can buy them in packs of 100 or 1000 (and up) for a small fraction of Bitcoin. (It’s not even worth linking to dark markets at this point but I’m sure you’ll find them.)

Purchasing email accounts from a dark market is relatively legitimate compared to the alternatives of breaking into the accounts yourself. If you have the time and effort, you might be surprised at how easy this is especially when you look at the very simple password reset questions often used.

Self-Hosted Email

One of the most suggested solutions to the email problem is to host email yourself. You purchase a domain anonymously using bitcoin, gift cards, or whatever anonymous method you choose. You spoof or falsify the WHOIS lookup information so that nothing points back to your real identity. Then you purchase a hosting provider using the same anonymous methods. Finally, you run a mail service so you can give yourself an infinite number of email addresses.

This is a viable solution for some operations. If you don’t mind admin'ing a server and walking through the steps, this can be a good option.

The reason I don’t like this is that it increases your attack surface. You are now hosting a mail server that directly points to you. If this server is exploited, every email address you have ever created is now accessible.

And for someone like me, that will compartmentalize identities, this solution doesn’t scale. I would have to build out a new email server, new domain, new hosting provider for each identity. This is not a problem with the solution as much as it is a problem with OPSEC decisions.

Trusted Anonymous Email

The other option is to find an email provider that you, yourself, trust. Trust is a difficult subject to cover, so let’s give it an operational definition: a service provider that you believe won’t sell your emails. (We’ll ignore the possible nation state surveillance and potential legal jurisdiction issues.)

Here are a few providers that are “trusted” in many privacy circles:

  • Riseup.net: This is a provider designed for activists and community organizers. It is hosted in the U.S. In order to receive an email address, you must know two people with an address, or try to request one from an admin on IRC.
  • Autistici: Offers a range of services with privacy and activism in mind. Webmail, web site hosting, blog hosting, newsgroups.
  • Aktivix: Small site that offers free email addresses if you can convince them you should have one…via email.

These are a breath of fresh air compared to the other solutions where you’ve had to trick and lie your way into getting an account. These services generally approve of anonymous users and make it a goal to provide privacy-centric services. I can’t highlight enough the importance of a service provider that respects your privacy, compared to a provider against which you have to defend your privacy.

The problem is that these are often volunteer-organized, community-driven services. That is to say, each of these providers has a hoop you need to jump through in order to obtain an address. This often means you have to befriend someone online, or give them a reason about how you are improving the world and need to maintain your anonymity.

The Future

The unfortunate truth is, email will be around for a long time. How long it will be around as an authentication system will hopefully be $longtime - n.

What’s replacing email registrations is just as scary though. We now see “Sign in with Google+” and “Login with your Facebook account.” These federated services that were once used for social networking are now becoming authentication endpoints. The future of an always-authenticated, always-attributed Internet is very close.

Conclusions

This is the current state of email and anonymity from my point of view. Your operation dictates which solution is going to work the best; no single option will unilaterally work. For long operations greater than a year, it may be worth investing some time into a stable email address where self-hosting is the right answer. For operations that last for a month, temporary email address providers might be the right choice.