
Thought experiment: You need to upload a file, and the threat model is the entire world trying to find out who you are after you do so.

I know this is absurd, but bear with me, it's a thought experiment, where the scenario is the following:

You are a normal citizen, and you have a file (assume that you just have it, and the file doesn't have metadata or information related to you) that is somehow so compromising/critical that, if uploaded on the internet, the entire world would actively try to find out who you are. Everyone, military, every country's agencies, civilians, the grandma going to the grocery store, yes, her too, to the best of her ability. People who run TOR relays too, everyone.

Your mission is to upload it on the internet without your identity being revealed. How would you go about it?

Update: File is in your pendrive, has a size of few MB, it's ok if it just shows up eventually. No-one should really guess what country you might live in. We can think of the uploader as average-citizen, with average knowledge of technology, and can follow instructions (for example, setting up Tails). Assume that no-one had access to this data before. The thought experiment is not realistic, because one could argue that no upload could be so critical as to motivate the entirety of humanity to find the identity of the uploader, and I would agree with that argument, but the thought experiment is aimed at exploring fairly reasonable routes of action if that was the case.

Tom
  • Especially that last line really makes it sound like this question was taken from /r/askreddit – Luc Nov 19 '19 at 11:06
  • I don't think this question is not realistic enough to actually care about this constructed problem. Assuming that you have the file or information from somewhere, the whole world would not concentrate on who did the actual upload but on who had access to this information and might have leaked it. This will quickly narrow down the field. And if the file would not contain some secret information but instead some made-up stuff, most would simply not care. – Steffen Ullrich Nov 19 '19 at 11:17
  • @SteffenUllrich good point. Assume that who had access to this information was not relevant, because no-one had access to this data before. We can invent an unrealistic scenario for this, for example, you have material that prove the existence of aliens or something. – Tom Nov 19 '19 at 11:22
  • If no one had access to this data before, then this means that these data were made up by the one who did the upload. I find it very unlikely that somebody has created absolutely critical information all on their own without anybody else being involved, which means I still find your question not realistic enough. – Steffen Ullrich Nov 19 '19 at 11:28
  • @SteffenUllrich it is realistic enough, see Yitang Zhang break through on the twin prime conjecture. The man single handedly published a proof out of nowhere, when he was not even a full time professor at the time. It was also his first publication since 2001. https://en.wikipedia.org/wiki/Yitang_Zhang – Betcheg Nov 19 '19 at 11:35
  • @Betcheg: And it was so important that *"the entire world would actively try to find out who [he was]"* and he was actively trying to prevent this? And nobody in the world knew what he was doing? Look, I'm not saying that every tiny part of the story is unrealistic, but that the whole story in total is. – Steffen Ullrich Nov 19 '19 at 11:44
  • @SteffenUllrich the scenario was not meant to be realistic, but a thought experiment, in order to explore possible routes of action in such a scenario. Thought experiments (even containing elements of absurdity) are not uncommon in scientific fields. – Tom Nov 19 '19 at 12:00
  • @Tom: In a world where such a scenario is possible, what else is possible or different? I don't find it useful to make an unrealistic assumption on one side but then require realistic assumptions everywhere else. – Steffen Ullrich Nov 19 '19 at 12:05
  • I have to agree with Steffen. If we go outside the bounds of normal reality, we stop being able to model the world accurately. i.e. "Assume the world doesn't work the way it actually does". Thought experiments in science are more specific. i.e. "what if conservation law X wasn't true in circumstances Y". I don't know how you can model a world where everyone is oddly concentrated on finding one guy, but the WHY we're trying to find him isn't specified. The question is both too specific, and too vague at the same time. – Steve Sether Nov 19 '19 at 21:57
  • It might be better to re-state the question as something along the lines of "An unknown person has revealed a secret via the internet. What are the plausible ways someone could find this person? Even that is likely not specific enough. – Steve Sether Nov 19 '19 at 21:59
  • The parameters of the thought experiment are far too broad for a Q&A site. – schroeder Nov 19 '19 at 22:10
  • I am thinking that if the entire world is against you, then a possible attack is that everyone gives depositions about their recent activities. Perhaps the best possible use of a prisoner is as a deposition taker. Should the wardens know to open the prison gates to allow prisoners to be used to their fullest potential? – emory Nov 19 '19 at 22:12
  • @SteveSether It seems that some replies are willingly uncharitable, seemingly out of a forgotten history of great discoveries and inventions directly attributable to having those thought experiments in the first place. Einstein, for instance, used to imagine chasing beams of light, or an elevator falling freely in space. If Einstein posed that thought experiment here, in this context, Einstein would be forced to explain how the observer in the elevator doesn't pass out and die in the elevator, clearly missing the point. – Tom Nov 19 '19 at 22:58
  • @Tom Thought experiments need the criteria clearly defined, and should be limited in scope. "What if everyone wanted to find one person for some undefined reason?" meets neither of those criteria. – Steve Sether Nov 20 '19 at 02:34
  • @Tom you are absolutely correct about that. But that just means that Einstein and you have posed the question in the wrong forum. As I clearly said, this is too broad for a Q&A site. – schroeder Nov 20 '19 at 08:46

7 Answers


TL;DR

Time is on your side.


Note: leave your own phone at home and preferably own a car without GPS.

  1. Drive 100 miles from home and buy a cheap used laptop/Android device with functioning Wi-Fi in cash from any source with bad/non-existent record-keeping
    • If laptop then make sure it has the most common OS such as Windows 10
    • Make sure to park your car about 1-2 miles away from the transaction
    • If you can grow out your hair and a large beard then do so before this transaction; when the seller gets interrogated then they won't have a clear idea of your facial features. Just try not to make yourself look disheveled or sketchy
    • Re-format the device to factory settings if possible. Do not install your own copy of the OS
    • Don't try to install Linux thinking that it's more secure or anonymous because that would narrow down the search criteria to finding people with the knowledge to do such a thing unless of course you are not a person that knows how to do such a thing but were given explicit instruction for achieving such a task. In the latter case you should install Linux to further distance yourself from the main suspect.
  2. Put a piece of tape over the webcam if laptop
  3. Shave your face and cut your hair if applicable
  4. Wait at least one year
  5. Grow out your hair and a large beard again if applicable
  6. Go find some free public Wi-Fi at least 100 miles from both you and the transaction location of the laptop/Android device and connect while outside the actual building; preferably with no surveillance cameras nearby. Park 1-2 miles away.
    • Alternatively, you could hide in plain sight in a heavily populated mall; in which case an android device would be less conspicuous than a laptop.
  7. Upload the file
    • You may wish to pass through one or more VPNs
  8. Shut down the laptop/Android device
  9. Get back to your car and drive another 50 miles, remove the hard drive if laptop, and destroy it physically and dispose of it.
    • Destroy and dispose of the laptop/Android device in a different location, and drench it in bleach to remove fingerprints
  10. Return home using a different route
MonkeyZeus
  • This is a decent answer, but #3 is hard and is the weak link. License plate readers, unanticipated surveillance cameras, etc. will all link you to the location. Stashing the laptop and scripting it to perform the upload might work better there, but requires an inconspicuous way to dispose of it later, or having it dispose of any record that it was involved in the upload and just leaving it as trash. A cheap used Android phone is probably better for that than a laptop. – R.. GitHub STOP HELPING ICE Nov 19 '19 at 20:24
  • I'd go for a burner phone and prepaid SIM instead. You should easily find them in some 2nd/3rd world country. Also, plenty of places with GSM signal, but without any surveillance. The phone can even be a 10yo model literally from trash if only it supports (at least) GPRS and tethering. – Marandil Nov 19 '19 at 20:55
  • @Marandil I've never acquired a burner phone. Don't you need to provide your personal details to obtain one? If this requires meeting a shady dealer in the ghetto then I don't know if the average person is willing to do that. – MonkeyZeus Nov 19 '19 at 20:59
  • @MonkeyZeus usually no. At least it depends on country. I have never provided any info to anyone when I bought any of my phones. Similar with SIM cards, although many "civilized" (if we can call them that) countries now require registration of SIM before use as a mean of "preventing terrorism" ;) (and massive surveillance of course) – Marandil Nov 19 '19 at 21:04
  • @R.. Thanks, I've updated my answer to use a laptop or Android. – MonkeyZeus Nov 19 '19 at 21:08
  • @Marandil: Using mobile internet is a pretty bad idea. It introduces TWO components (phone and SIM card) that are potentially trackable to you. – Michael Borgwardt Nov 19 '19 at 21:40
  • @MichaelBorgwardt not if you use a burner phone bought 2nd hand (maybe on a bazaar or something) and an unregistered sim card bought in a kiosk or convenience store. Like I said, you can find many of them in the "underdeveloped" world. A few years ago, this was still very easy even in the central Europe, but the "anti-terrorist" legislation is doubling down on unregistered SIM cards :(. – Marandil Nov 19 '19 at 23:53
  • In addition to all of the above: Leave your cell phone at home, and wear a burka. – mti2935 Nov 20 '19 at 01:26
  • @Marandil: sorry, but you are completely wrong here. People at the bazaar might remember you. There might be a camera somewhere that you didn't notice. The kiosk or convenience store will *very likely* have one. And it's not just the buying that is problematic. The phone and SIM card produce a history of when and where they connected to the mobile towers, every second of which could lead to you. Simply avoiding these concerns altogether by using Wifi instead is a no-brainer. – Michael Borgwardt Nov 20 '19 at 07:51
  • @MichaelBorgwardt why would you turn on the phone before sharing the secret at all? You don't have to care about the history, if you only use them once, for the event. Also, you are completely wrong as to how easy it is to get a phone and SIM. Hell, you could even steal them if we allow criminal activities in this thought experiment. – Marandil Nov 20 '19 at 09:26
  • @Marandil: If they are new, there's going to be a setup procedure that will take some time to go through - increasing your risk of being seen at the point that will soon be investigated. If they are pre-used, that leads back to the person and place where you got them, which could give clues leading to your discovery. So for the third time: why not simply avoid all these risks completely by using Wifi? – Michael Borgwardt Nov 20 '19 at 11:37
  • @MichaelBorgwardt what setup procedure are you talking about? If you're referring to the dumb click-through for Android - if that takes you more than 1 minute, most likely something's wrong with you ;). You could even try using a privacy-oriented ROM distribution. Initially I wasn't even talking about an Android, but a Symbian (or sth else from that era) from SonyEricsson, Nokia, etc. The main advantage is that GSM has much higher range and is not restricted to cities - you could literally make your upload from the middle of nowhere. – Marandil Nov 20 '19 at 11:53
  • @MichaelBorgwardt also, maybe ask criminals why they use burner phones instead of public WiFi ;) – Marandil Nov 20 '19 at 11:54
  • @Marandil Hah, yes to the former but the latter would invite suspicion. – MonkeyZeus Nov 20 '19 at 12:47
  • Bleach might be effective enough for removing fingerprints from surfaces... but how would you destroy the data stored on the hard drive and in ROMs that hold identifiable data, like the MAC address on a NIC? (Might I suggest reducing the media to dust using a grindstone?) – Ghedipunk Nov 20 '19 at 21:14

You can get away with it at least once. The keyword here is plausible deniability.

If it is plausible that you can deny that you are the source of the information, and that there's no way the adversaries can prove that, then you're successful.

What you can do is run a large, busy Tor node, without any logging. As a relay, users of the network and other nodes will be sending traffic through your node, and you can send out your critical packet by hiding your packets among that crowd of traffic. Even if the adversary can trace the packet back to you, they would have no way to prove that you're not just relaying traffic from another node. You can just say that you don't keep logs, so you don't know where the packet came from. This excuse is plausible, and they cannot prove that you've lied.

Even if the adversary figured out who you were connected to during the time the sensitive packet got published, and they interviewed all of the Tor users and the node operators who connected to your relay, they'd never be able to prove it specifically at you. They'll have suspects numbering in at least the hundreds or thousands of people and they'll have no way to tell who is lying and who is telling the truth.

After you've done this once, though, it's likely the adversary will increase their surveillance on you (and all the nodes that are directly or indirectly connected to you at the time) and they might require that you log traffic, so it'll become much harder to plausibly deny sending another packet: if the sensitive packets always come via nodes that you operate, and you are the only node that keeps failing to keep logs after being ordered to do so, it'll become harder and harder to plausibly deny that you have actually been sending out the packet.

Lie Ryan
  • I think these are the two keys: plausible deniability and the fact that you can probably get away with it once. If you are being specifically targeted/tracked then it becomes much, much, much more difficult (probably impossible) – Conor Mancone Nov 19 '19 at 13:17
  • If the "whole world" is against you, this wouldn't work. You don't have log your traffic, but your ISP does. And it can correlate that the packet you send does not correspond to any packet that you receive as a relay. – Marandil Nov 19 '19 at 20:43
  • Now, you *could* technically drop other packets to make up for it, but the senders of those packets could also provide proofs that their packets were not properly relayed by your Tor node and so directly disclose your involvement. – Marandil Nov 19 '19 at 20:44
  • @Marandil I am certain ISPs do not log traffic on a packet-by-packet basis and keep records of same. It's hard enough to provide decent bandwidth, and infeasible to write every packet to a log. The size of such a log would be astronomical within seconds – ig-dev Nov 19 '19 at 22:22

I would send an Ethereum(*) transaction including the file encoded in hexadecimal in the "input" field of the transaction (which is kind of a "free text" field).

Ethereum nodes (servers running the Ethereum blockchain) are all over the world, the information on the network is available publicly, and a particular node receiving the transaction will forward it to each node it knows, without any flag indicating whether it is the original sending node or a forwarding node.

Thus, as long as there are more than 2 "sane" nodes on the network(**), a particular node cannot be aware of who is the sender of a particular transaction, and as long as the transaction is correct, it will be forwarded to the rest of the network before being included in the next "block" of the blockchain, becoming public.

The data would now be accessible from any web blockchain explorer, and it would be trivial to recover the original file from the hexadecimal "input" field.

Now, someone mentioning this specific transaction in the flood of transaction that occur each seconds would be very suspicious, but nothing could technically tie this person to the transaction.


(*) or any public blockchain run by individuals all over the world with thousands of nodes

(**) An evil company possessing all nodes on the network could create custom rogue nodes associating an IP with each transaction, and could hence reverse the route taken by the transaction, recovering the original sender (and their IP)

Betcheg
  • Does this still protect you if you assume that all nodes are logging everything, and the operators of the nodes are collaborating to catch you? – Anders Nov 19 '19 at 11:31
  • Of course not, as we can expect that the operators are keeping full trace of the whole network at each event, thus isolating the moment when the transaction has been emitted without any node having seen it before. But in a realistic scenario based on our current technology, it is your best bet. – Betcheg Nov 19 '19 at 11:42
  • The question is a realistic scenario which is not handled by this. – ximaera Nov 19 '19 at 18:16
  • Blockchain is the exact opposite of an answer to this question. You want ingredients with no recordkeeping whatsoever, not permanent append-only ledgers. – R.. GitHub STOP HELPING ICE Nov 19 '19 at 20:21

No need to use complicated techniques:

To upload it without your identity being revealed to the internet, give that file to someone else and tell them to upload it once you've left the room. Their identity will be shown on the internet, and from there, it's their words against yours that you're the original source (in short: human proxy).

If you consider that the entire world trusts each other, your proxy's words are considered truth against yours, then the problem is biased: the only person in the world that the rest of the world does not trust is the information uploader, so you could never hide yourself. So there will always be this side-channel attack to identify you, no matter what you do. Hence I have excluded this option.

And you said the world is looking for you after the upload, so your human proxy cannot catch you when you give them the file nor when you leave the room, because the file wasn't uploaded yet.

xxx
Xenos
  • I had almost the same idea: you submit the document to some random person via physical mailbox. it can lead the world to know where you probably live but they won't know who you are. – MrHeliose Nov 19 '19 at 13:52
  • You are fully identified from the start and the whole world is trying to catch you. Great – ig-dev Nov 19 '19 at 22:19
  • You can make this idea even better if you somehow managed to hand it to a person known to release stuff on Wikileaks without that person knowing you gave it to them. Something like hiding it in one of the balloons during a balloon release event and them accidentally stumbling across it. – Nzall Nov 19 '19 at 22:25
  • @ig-dev No, because the world is against you *after* the upload: when giving the file to someone, it's not already on the internet, so the world is not chasing you. After the upload, the world is not chasing you, but the one you gave your file to. They will get them, but they won't trust them when they say you gave them the file in the first place. If they do, claim the same and say someone else gave you the file and must now be chased. – Xenos Nov 20 '19 at 19:54
  • @Xenos I think your imagination is far removed from reality. Imagine somebody ("you") committed a murder, and you are an immediate suspect (second in line). There were witnesses that saw you at the time, fingerprints, cameras, wifi and server logs from your phone activity (including GPS), all types of evidences. All you say is "No, I didn't do it! This other guy did." Pointing at someone who actually did nothing. Well, good luck. You wouldn't even need the whole world to chase you down, it would still be a clear case – ig-dev Nov 20 '19 at 22:45
  • @ig-dev We're not talking reality here, it's a thought experiment. And don't point at random people, just point back at the one you give the file since all evidences are against *them* not you. – Xenos Nov 21 '19 at 08:35

Yes, if you manage to steal someone else's digital identity.

The hardest piece of everything to get is someone else's digital identity. Then use it to send the file.

If you do not wish to be tracked to your country, go to another one and use a public hotspot; if you do not wish to be tracked afterwards, destroy and dispose of the computer and the Wi-Fi USB pen.

Speaking of computers, buy a second-hand one in a cash converter.

If you are afraid of getting recognized, organize the delivery outside the store to a non-existent address and wait for the delivery person... normally you can choose a number between 2 existing numbers in a street anywhere; if it is paid, you just need social engineering to convince the delivery person to give the package to you in the middle of the street. Break the complexity into small problems that you can act on...

Hugo

The computer geek's answer is Tor, which is made exactly for this problem.

You say that even Tor operators would like to know your identity, but there is still a significant logistical problem because everyone has to share their information.

Suppose you upload your file to a public file-sharing site (e.g. Github) over HTTPS over Tor. To find your identity, Github would have to identify the Tor exit node, the Tor exit node would have to identify the Tor middle node, the Tor middle node would have to identify the Tor entrance node, the Tor entrance node would have to identify you.

You could further decrease the availability of access logs by uploading an encrypted file, setup a Github Action to wait a month, then trigger Travis CI to decrypt it using a stored secret and re-upload it.

You could even edit and recompile Tor for much higher numbers of hops and escalate this even further; but this is already enormously private. A real world example is Satoshi Nakamoto, the unidentified inventor of Bitcoin, who used Tor for years without detection. (And damn if he would not be an attractive ransom target...)


The traveler's answer is to go to another location, use a public computer (e.g. at a library), wear gloves/disguise, and upload your file.

Paul Draper
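The chain of identification described in this answer (exit knows only the middle, middle knows only the entry, entry knows only the client) comes from layered encryption. The following is an added illustration, not code from the answer and not Tor's actual protocol: it uses a toy SHA-256 keystream cipher and a constructed wire format (an 8-byte next-hop field in front of each layer) purely to show what each relay can and cannot learn from its own vantage point. Real Tor negotiates per-hop AES-CTR keys through its circuit handshake; the hop names and keys below are made up.

```python
import hashlib

NAME_LEN = 8  # fixed-width next-hop field at the front of each layer (constructed format)


def _keystream(key: bytes, length: int) -> bytes:
    # Toy keystream: SHA-256(key || counter) blocks, concatenated. Illustration only;
    # not Tor's real cipher (Tor uses AES-CTR with keys from its circuit handshake).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_layer(key: bytes, data: bytes) -> bytes:
    """Symmetric: applying it twice with the same key restores the data."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def _pad_name(name: str) -> bytes:
    raw = name.encode()
    if len(raw) > NAME_LEN:
        raise ValueError("hop name too long for the constructed format")
    return raw.ljust(NAME_LEN, b"\0")


def build_onion(hops, payload: bytes) -> bytes:
    """hops: [(name, key), ...] ordered entry -> exit. Each layer is
    next_hop_name || inner_blob encrypted under that hop's key, built inside-out,
    so the outermost layer is the one the entry node peels."""
    next_name = "DEST"  # marker the exit node sees: deliver to the destination
    blob = payload
    for name, key in reversed(hops):
        blob = xor_layer(key, _pad_name(next_name) + blob)
        next_name = name
    return blob


def relay(key: bytes, blob: bytes):
    """What one relay does: peel its own layer and learn only the next hop."""
    plain = xor_layer(key, blob)
    next_name = plain[:NAME_LEN].rstrip(b"\0").decode()
    return next_name, plain[NAME_LEN:]


def simulate(hops, payload: bytes, sender: str = "client"):
    """Walk the circuit, recording what each relay could learn on its own."""
    blob = build_onion(hops, payload)
    trace = []
    prev = sender
    for name, key in hops:
        incoming = blob
        next_name, blob = relay(key, incoming)
        trace.append({
            "node": name,
            "learns_prev": prev,          # the link it received the cell on
            "learns_next": next_name,     # the only thing its layer reveals
            "payload_on_wire": payload in incoming,  # would a tap on its inbound link see the file?
            "sees_payload": next_name == "DEST",     # only the exit holds the plaintext
        })
        prev = name
    return blob, trace


if __name__ == "__main__":
    # Constructed circuit; names and keys are made up for the example.
    circuit = [("entry", b"entry-key"), ("middle", b"middle-key"), ("exit", b"exit-key")]
    delivered, trace = simulate(circuit, b"constructed sample file bytes")
    for hop in trace:
        print(hop)
    print("delivered:", delivered)
```

The trace shows the point the answer makes: no single relay holds both the client's address and the destination, so identifying the uploader requires every hop in the chain to cooperate. It also shows what the comments below add: the exit does hold the plaintext (which is why the answer uploads over HTTPS), and nothing in the layering hides timing or volume, so an observer who can see both the client's ISP link and the destination's link can still correlate the two without any relay's help.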
  • Actually, all you have to do is to correlate Github traffic w/ your ISP traffic. This is a common attack on Tor that doesn't involve compromising any nodes. All you have to do is to compromise the recipient (or recipient's ISP) and the sender's ISP. Given in the question "the whole world is looking for you", Tor is definitely not an answer. – Marandil Nov 19 '19 at 20:51
  • But tor is originally a government project, surely they slide a backdoor somewhere in there – DatsunZ1 Nov 19 '19 at 22:54
  • @DatsunZ1 they didn't have to backdoor it. The structure of Tor itself makes it vulnerable to sufficiently strong adversaries ;) – Marandil Nov 20 '19 at 00:02
  • @Marandil are you suggesting going through Github traffic (which is large) and matching it to records from every ISP on the planet? This seems extremely infeasible. – Paul Draper Nov 20 '19 at 06:41
  • @PaulDraper has already happened, the tor network is compromised as revealed by edward snowden. Plenty of people sitting in jail cells because they thought they were safe on tor... – DatsunZ1 Dec 16 '19 at 16:48
  • @DatsunZ1, reference? – Paul Draper Dec 17 '19 at 16:58
  • @PaulDraper https://edwardsnowden.com/docs/doc/tor-stinks-presentation.pdf – DatsunZ1 Dec 18 '19 at 20:57

It doesn't have to be too complicated.

  1. Make a cup of tea
  2. Connect and chain a few reputable privacy VPNs. Use highly frequented servers. As a bonus, pay the providers anonymously with crypto-currency.
  3. From your cozy home, upload your file using a protocol that doesn't carry identifying metadata about your OS / software.

You can keep your beard.

The key is that the reputation of those privacy VPNs depends on the fact that they don't keep logs. VPN servers have been successfully hacked in the past, and if logs would exist, privacy would have been compromised, and the reputation of the VPN provider killed - bad for business. So the privacy VPN providers have to make sure that not even themselves can reconstruct who did what. Use more than one provider in case, by chance, one of the providers is currently compromised.

Step 3) is the hardest. You could use a protocol such as HTTPS for a file upload to a public service, as long as you use a tool that gives you full control over what meta-data (headers) are submitted. Either spoof the information, or set the meta-data to blank/default values. It might reveal that the uploader is someone with enough technical skills to do this, but it is by no means identifying.

So the evidence could then be traced back up to the point of the VPN provider. From there, even the VPN provider doesn't know more than "it was one of our many customers of any country of the world".

ig-dev
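To make step 3 concrete, here is an added example (not part of the answer) showing what the "full control over headers" point looks like in practice. It runs a local capture server as a stand-in for the public upload service, sends the same bytes once with stock library defaults and once with an explicitly minimal header set, and reports which sender-describing headers reached the server. The header list, the `/upload` path and the sample bytes are constructed for the example; the server, port and data are all local, so it runs offline.

```python
import http.client
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Request headers that describe the sender (software, locale, path taken) rather than
# the upload itself. Constructed for this example; extend it for your own tooling.
FINGERPRINT_HEADERS = {
    "user-agent", "accept-language", "accept-encoding",
    "referer", "cookie", "via", "x-forwarded-for",
}


class _CaptureHandler(BaseHTTPRequestHandler):
    """Stand-in for the remote upload service: records the headers it receives."""
    received = []  # one dict of lowercased headers per request

    def do_PUT(self):
        length = int(self.headers.get("Content-Length", 0))
        self.rfile.read(length)  # consume the body; the example only cares about headers
        type(self).received.append({k.lower(): v for k, v in self.headers.items()})
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the example quiet


def upload_default(host, port, data: bytes) -> int:
    """Library defaults: urllib adds its own User-Agent and http.client adds Accept-Encoding."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies
    req = urllib.request.Request(f"http://{host}:{port}/upload", data=data, method="PUT")
    with opener.open(req) as resp:
        return resp.status


def upload_minimal(host, port, data: bytes) -> int:
    """Explicit headers only: what the transfer needs, nothing about OS, software or locale."""
    conn = http.client.HTTPConnection(host, port)
    conn.putrequest("PUT", "/upload", skip_host=True, skip_accept_encoding=True)
    conn.putheader("Host", f"{host}:{port}")
    conn.putheader("Content-Type", "application/octet-stream")
    conn.putheader("Content-Length", str(len(data)))
    conn.endheaders(data)
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status


def identifying_headers(headers: dict) -> list:
    """Headers a reviewer would flag as sender-describing."""
    return sorted(h for h in headers if h in FINGERPRINT_HEADERS)


def compare(data: bytes = b"constructed sample file bytes"):
    """Send the same bytes both ways to a local capture server; return what each leaked."""
    server = HTTPServer(("127.0.0.1", 0), _CaptureHandler)  # port 0: pick any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    try:
        upload_default(host, port, data)
        upload_minimal(host, port, data)
    finally:
        server.shutdown()
        server.server_close()
    seen_default, seen_minimal = _CaptureHandler.received[-2:]
    return identifying_headers(seen_default), identifying_headers(seen_minimal)


if __name__ == "__main__":
    leaked_default, leaked_minimal = compare()
    print("default client leaks:", leaked_default)   # e.g. ['accept-encoding', 'user-agent']
    print("minimal client leaks:", leaked_minimal)   # []
```

The useful check is the first list: a stock HTTP client announces its own name and version without being asked, and that is exactly the "metadata about your OS / software" the answer's step 3 is about. Two caveats the code does not cover: the TLS handshake that HTTPS adds has its own client-specific characteristics that headers do not control, and the Content-Type is still a choice the uploader has to make deliberately.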
  • Typical timing-based attacks on Tor hold for VPNs as well. No matter how many VPNs you tunnel through, if sender ISP and recipient (or recipient's ISP) are compromised, you can deanonymize the traffic via timing patterns. I can guarantee you that state-level adversaries can do that. – Marandil Nov 20 '19 at 00:00
  • @Marandil But you would have to be subject to such an attack prior to the upload, so it doesn't apply, correct? Since ISPs can keep logs for later analysis of every individual packet of the astronomical amount of data that they relay. – ig-dev Nov 20 '19 at 00:48
  • @igdev I'd assume they cannot log every single packet, however they can (and should) log every initiated (and closed) connection, with a precise timestamp. That in itself should be enough to at least put you in a suspect circle. – Marandil Nov 20 '19 at 01:06
  • @Marandil I'd be happy to hear your counter-argument, but I think this does not help at all, because VPN connections stay open. There is no correlation between the time the VPN connection is established, and the time the file is uploaded. You'd come no closer than "anyone worldwide who was connected to the VPN server at that time" – ig-dev Nov 20 '19 at 01:19