Updated: Resources for Online Anonymity, Encryption, and Privacy

Last year, Herdict profiled some of the best ways to keep your digital self and data safe. Since then, a lot has changed both in terms of what you can do to protect your data and the ways various governments or agencies (i.e. PRISM) are trying to get to your data. No system is foolproof or totally undetectable, and maybe you think you’re already secure, but that’s no reason not to sharpen your digital security Kung Fu.  Here’s an updated tutorial of resources and explanations for tools you can use to keep your data private online and safe while traveling. We have not tested all of these tools, and they may change after this article is published, so be sure to do your own research before trusting any third party with your data.


Make Better Passwords and Use Two-Factor Authentication

Studies have shown that people continue to use easy-to-guess passwords for even their most important digital services. In fact, the most popular passwords in 2012 were “password,” “123456,” and “12345678.”  Try to come up with passwords that use a variety of letters, numbers, and special symbols whenever possible.  Or use the Diceware approach to generating passphrases.  TotalDefense also has some useful tips for creating strong passwords that are easy to remember.

Avoid using the same password for several devices or online services. Almost every week we learn about a data breach at large Internet companies.  If the breach exposes your username and password, criminals may try to use those same credentials on other services that you might use.  Using different passwords limits the damage a criminal can inflict if they figure one out. If you have a hard time remembering all of your passwords, consider using a password manager like LastPass or 1Password to keep track of them all and generate new passwords. If you use a password manager, be sure to create a master password for the password manager you don’t use anywhere else and that no one will ever guess.  If you don’t want to use a password manager that keeps your data on remote servers, there are several alternatives which allow you keep the passwords as secure files on your own computers.

Even the best password doesn’t guarantee your accounts’ security. Two-factor authentication means that it takes more than just a password to access your account. Two-factor authentication requires both a password and a physical device like a phone to prove you are who you say you are. Many web services and devices are offering two-factor authentication and you should use it whenever possible, even if it adds an extra step. Click on the name of the service below to get instructions on enabling two-factor authentication:


“Private Browsing” Mode in Web Browsers

How It Works: All of the major web browsers offer a “Private Browsing” function. When this function is activated, everything that the browser usually stores on the local computer—browser history, caches, cookies, download lists, form data, passwords, and other temporary files—is deleted when the browser is closed or the function is turned off. Private browsing limits what files are saved to your system so that it is more difficult for someone with physical access to your computer to trace your steps. It also makes it harder for sites to track you because their cookies are deleted.

Limitations: People mistakenly believe that “private browsing” anonymizes them to the websites they visit and makes their communications private. Unfortunately, that’s not true. Even with private browsing mode on, anyone intercepting or handling your traffic can see what you’re doing. For instance, ISPs can still record what sites you visit. And if you log into a site like Gmail, Google will still be able to associate all your actions on the site with your username, even if private browsing is enabled. Moreover, private browsing may not even stop sites from tracking you. A 2010 Stanford study determined that some sites can both determine information about visitors as well as leave behind traces on users’ systems. For instance, plug-ins installed in the browser can still track users through an independent system of cookies and temporary files. Thus, private browsing only protects you against someone who is using your computer and snooping through your browsing history. And someone with that kind of access to your computer could install a keylogger or other hidden program that records your keystrokes. Despite these limitations, private browsing can be a helpful way of reducing the amount of information that is recorded on your computer when browsing.


Your Guide to Private Browsing | HuffPost Tech: menu commands and keyboard shortcuts to launch a private browsing session in IE, Firefox, Chrome, Safari, and Opera.
Private Browsing: Activating Private Browsing Mode in Your Favorite Browser | About.com: graphic tutorials on launching private browsing sessions in IE, Firefox, Chrome, Safari, Opera, and Flock; tips for private browsing on iPad, iPhone, and iPod touch.

Secure Browsing (through HTTPS) and Avoiding Third Party Tracking

How It Works: HTTPS is a way for users to protect the content of their communications from eavesdropping. When browsers don’t use HTTPS and transmit data openly, anyone along the path between the browser and the destination can view what is transmitted (that includes the ISPs that carry your traffic, or individuals surreptitiously intercepting the data). By encrypting the data, you make it much harder for anyone other than the intended recipient to see the content. Most major sites that require you to log-in (Google, Facebook, Twitter) and sites that transfer sensitive information (banking sites) now offer an encrypted connection. (Instead of http://www.google.com, your address bar will read https://www.google.com).

Limitations: Many sites don’t offer HTTPS, and some that do default to unencrypted HTTP or go back to unencrypted pages after the log-in process. Because of that, users must keep an eye on when they are encrypted and when they are not. Using a resource like HTTPS Everywhere can at least ensure that you connect using HTTPS for those sites that have that option. It’s important to remember that even if you connect to a site like Gmail using HTTPS, you are not hiding the destination only the content; an ISP or a government can still know you’re visiting Gmail. HTTPS is also not foolproof, as it is possible for a determined party to pretend to be the destination, in what is a called a man-in-the-middle attack.

One of the easiest things you can do to surf the web privately is to make sure you log out of accounts once you’re done with them.  If you stay logged in, it becomes possible to track your browsing across many sites, even if they are unrelated to the services you are logged into.  Browser extensions like Disconnect or TrackMeNot can automatically sign you out of services you’re not actively using and can block third party tracking cookies.


HTTPS Everywhere is a Firefox and Chrome extension from the Electronic Frontier Foundation. It will automatically switch sites from HTTP to HTTPS whenever possible and warn users about web security holes.
Disconnect (Firefox/Chrome/IE/Safari) is a browser extension that blocks third party tracking cookies and gives you control over all site scripts and elements from a simple-to-use toolbar menu.
TrackMeNot (Firefox/Chrome) is a browser extension that helps web searchers avoid surveillance and profiling from search engines by generating a random series of search queries to confuse services interested in tracking or filtering content.

Circumvention & Anonymity

Among the greatest threats to Internet freedom are filtering and surveillance. These related issues either prevent you from accessing the content you want or allow third parties to keep track of what content you do access. Many of the tools to evade one also help with the other, so we discuss them together below. In most cases, these tools will help disguise your IP address, the sites you’ve visited, and technical information about your device, while possibly helping you access censored content.

Proxy Servers

How They Work: A proxy server is a machine that stands as an intermediary between your machine and the content you are trying to reach. Proxies can help evade censorship or filtering when connections to the proxy aren’t filtered but the desired content is. When you connect to censored content through a proxy, the censor will see only your connection to the proxy, not the verbotten content. Proxies also provide some anonymity because to the destination server, you look like you’re coming from the proxy server, not your actual origin. Web-based proxies are the easiest way to use a proxy server. Simply visit a proxy website with your prefered browser, enter your target URL, and the proxy site will then relay the request and deliver the site content back to you. There are also a number of downloadable clients for both Mac and Windows that connect your system to a proxy server.

Limitations: There are several downsides to using proxies, ranging from annoyances to serious security threats. On the annoyance side, because your data is passing through a single, fixed (and likely overloaded) point, it is not uncommon to experience slow load times and connection errors. On the security side, because all of your data is passing through a single, fixed point, it is easy for nefarious individuals to intercept any unencrypted data (using HTTPS or VPNs in addition to a proxy may address these concerns, but they have their own limitations described elsewhere in this post). In fact, sometimes hackers set up proxies with the express purpose of collecting user details, so it is important to carefully choose a trusted proxy. Using proxies can often be a game of cat and mouse; countries that filter sites often block known proxies, forcing users to move to a new, lesser known proxy. In some cases these same governments may create proxies specifically so they can monitor all the traffic and identify users.

Regularly updated lists of web-based proxies:
Web-based proxies (via Techlicious):
Downloadable proxy clients:
              • Alkasir (Windows – English, Arabic) Learn more about Alkasir.
              • Freegate (Windows – English, Chinese, Persian, Spanish) Learn more about Freegate.
              • JonDo (Mac, Windows, Ubuntu, Linux, Android – English, German, Czech, Dutch, French, Russian) Learn more about JonDo.
              • proXPN (Mac, Windows, and iPhone – English)
              • Psiphon (Various configurations, including a lightweight web proxy that runs on Windows and Linux plus a cloud-based solution) Learn more about Psiphon.
              • SabzProxy (Mac, Windows, Linux – Persian) Learn more about SabzProxy.
              • Simurgh (Windows – English) Learn more about Simurgh.
              • Ultrasurf (Windows – English) Learn more about UltraSurf. Also note Tor’s recent report detailing Ultrasurf security holes and Ultrasurf’s response.
              • Your-Freedom (Mac, Windows, Linux – 20 languages) Learn more about Your-Freedom.



How They Work: Like proxy servers, Virtual Private Networks (VPNs) route users’ traffic through their own servers. What makes VPNs different from a standard open proxy is that VPNs authenticate their users and encrypt data. Additionally, because of how VPNs are configured, they are more likely to work with software on your computer that you use for email, instant messaging, and Voice over IP (VoIP).

Limitations: VPNs share some of the same risks as proxy servers. Because all of your traffic is passing through a single point, your security is only as good as that of your VPN. Some VPN services keep traffic logs, and free services in particular may be disposed to sell your information to advertisers or turn it over under pressure from authorities. Free ad-supported VPNs may limit your bandwidth; paid VPN services are generally more reliable and come with a much higher bandwidth. It is important to keep in mind that the VPN provides a secure connection between you and the VPN, but not between the VPN to your ultimate destination. The use of HTTPS and other standard measures are still necessary to secure your connection your destination.


There are hundreds of VPN services online. What follows is a list of several popular services, both free and paid (via AnonymissExpress, How to Bypass Internet Censorship, and Techlicious.) View this wiki for a longer list of free and paid VPN providers, including monthly fees and technical characteristics. Note that some services are known to log IPs, but there are also many helpful ways to decide if a VPN is trustworthy. Also, if you’re worried that a VPN or proxy isn’t hiding your DNS requests (or the way your computer translates “Herdict.org” into numbers that your computer understands like “”) you can also use  DNSCrypt to handle that by following these detailed instructions.

Free VPN Services:
Paid VPN Services:AirVPN (English)



Tor (“The Onion Router”) is free, downloadable software for online anonymity, recommended by the Electronic Frontier Foundation (EFF). However, it was recently discovered that the FBI had exploited a JavaScript security vulnerability affecting Firefox and Tor. Users interested in connecting with Tor should first update Firefox to version 22.0 or above, Thunderbird 17.07 or above, and SeaMonkey 2.19 or above. Additionally, the Tor Bundle needs to be updated following these instructions to remain anonymous and patch the JavaScript vulnerability.

How It Works: Like proxies, Tor hides your IP address and location by routing your requests through another server. Tor, however, goes through multiple intermediary servers, a series of machines operated by volunteers all around the world. To the destination site, it looks like you are coming from the computer that was the last stop in the Tor journey, not from your computer. The Tor Browser Bundle works with Firefox and is available for for Mac, Windows, or Linux. It can also be stored on a memory stick for use on public computers.

Limitations: As with proxies, using Tor can be rather slow due to the number of servers between you and your destination. Furthermore, while data is encrypted between servers, it is unencrypted when the final server communicates with your destination. Those operating this “exit node” can see your log-ins, passwords, and other data (unless you have a secure “HTTPS” connection with the website you’re visiting), and it is “widely speculated that various government agencies and hacker groups operate exit servers to collect information” (Techlicious). If following Tor on Twitter won’t get you in trouble with the authorities, it’s one of the fastest ways to find out about potential vulnerabilities or reports of security breaches.

Emerging Technologies

Telex is a work-in-progress that is intended “to help citizens of repressive governments freely access online services and information.” The concept is this: when you request a website blocked in your country, Telex software on your computer changes your request to an allowed, decoy site. At the same time, it adds a hidden cryptographic tag to your request that only Telex can see. Telex will deploy boxes to locations along the Internet backbone and these boxes will use deep packet inspection to locate the cryptographic tag. The box will decode the tag to get your original intended destination, and will route your request to that site. Using that approach, Telex would enable people to access blocked content by making it appear that they are trying to access allowed content instead.

Offline Data Encryption

Private data encryption encodes information on a hard drive, memory stick, cloud locker, or other storage media so that without a proper “key” all the data appears as gibberish. Encrypting your local and remote drives is a very good way to protect your data from prying eyes. Mac OS comes with built-in encryption called FileVault which is easy to use and Windows 7 and 8 Professional comes with Bitlocker which is also pretty easy to setup. Additionally, TrueCrypt is an excellent free program that hides your data on a virtual encrypted drive. TrueCrypt isn’t as easy to use as FileVault and Bitlocker, but it’s also very well documented and gets updated with the latest security fixes often. You can also use TrueCrypt to securely store data on the  cloud or on mobile devices. TrueCrypt also has an advantage over other encryption programs because it can create hidden volumes, which means that people attempting to access your data won’t know that it’s there and can’t force you to give up the password.

Sources and Further Reading

Moderation of Iran’s Online Media Landscape

New websites emerge, and moderates and reformists become active online

Since the June 14 presidential elections, a number of new, more moderate Iranian news and analysis sites have launched, and we’ve seen a resurgence in activity on many existing reformist websites.

Following the election of Hassan Rouhani, Omid, Ayandeh Online, Rooz-e No, Khordad News, Bahar News, Tadbir 24, Salam-e No, and Faryadgar all emerged.  These sites are all politically moderate and have close ties to Rouhani and the reformist camp.

Two existing sites, Aftab and Puyesh, have also stepped up their activities since the formation of the 11th government. The emergence of these sites may be seen as the liberalization of Iran’s online media landscape, following a long period in which conservatives dominated Iran’s media landscape. Whether these sites thrive over the coming weeks and months remains to be seen.  Herdict will be tracking the accessibility of these sites here:  http://www.herdict.org/explore/indepth#fl=39

This blog post examines these new sites, and assesses what it may mean for online news in Iran over the coming years.

A brief summary of moderate and reformist websites

Aftab, the website closest to the Iranian President, was founded in 2003 when, with Hassan Rouhani as the Secretary of Supreme National Security Council, debate over Iran’s nuclear program first surfaced. Aftab’s offices were initially located at the Expediency Council’s Center for Strategic Research, which Rouhani has led since 1992.

Aftab cut back on its publications during the post-2009 election unrest, shutting down its publications for a week following protests on June 12th.  But now it is now considered the website with the closest relationship to the head of the Iranian government.

Puyesh belongs to the youth branch of Islamic Labour Party, a party with ties to reformist politicians. In addition to news, Puyesh publishes research and analysis on social change in Iran. Ali Rabiee, one of the party founders, serves as the managing editor of Puyesh and is the Minister of Cooperatives, Labor, and Social Welfare.  Previously, Rabiee served as a deputy to Rouhani at the Supreme National Security Council. Rabiee was famously involved in the committee that former president Mohammad Khatami formed to investigate the ‘chain murders’ case, involving the deaths of notable liberal intellectuals, writers, journalists, and activists who were critical of the government in some way.  Two years ago, Puyesh began at puyesh.org and focused only on news related to the Islamic Labour Party.  But prior to the election it moved to Puyesh.net and begun covering a wider range of news.

Omid was launched during the recent presidential elections by the office of Mohammad Reza Aref, a 2013 presidential candidate, and has continued its activities since then. Omid’s publications are considered reformist in nature.

Ayandeh Online is one of the websites established by the media team associated with Hashemi Rafsanjani in the months prior to the recent elections. Two of the site’s network administrators were arrested a day before the official launch of Ayandeh Online. Foad Sadeghi and Ali Ghazali, former administrators for Baztab Emrooz and Ayandeh, were released after Rafsanjani was disqualified as a presidential candidate.

While Foad Sadeghi initially worked for Baztab, a news source closely aligned with presidential candidate Mohsen Rezaei, conflicts within the fundamentalist party caused him to lean toward more moderate candidates and Hashemi Rafsanjani in particular.

Like their previous news organizations, Ayandeh Online often exposes incidents of financial corruption among top conservative figures. The website was filtered in Iran throughout the election, however users have experienced unfiltered access to this website since that time.

Rooz-e No is another site close to Rouhani’s administration, which in addition to news and social events, publishes unofficial reports on government decisions. This website was launched upon Rouhani’s election.

Faryadgar is affiliated with the Mardomsalari Party and is managed by Mirza Baba Motaharinejad, a member of the party’s core committee. The Mardomsalari Party believes in “minimized reforms,” and was a supporter of Green Movement leader Mir Hossein Mousavi in 2009. The website’s associated newspaper, Mardomsalari Newspaper, stopped publishing news related to Mousavi and Karroubi after authorities ordered aggressive guidelines during 2009 unrest. This website was launched in the days leading up to the 2013 election.

Bahar News is managed by Mansoor Ghanavati, and was a supporter of Mohammad Reza Aref throughout the 2013 election. Ghanavati, a known figure in Iran’s cultural domain, is also the manager and chief editor of Karoon newspaper. Bahar News takes a moderate reformist approach to the news.

Tadbir 24 was launched before the elections and is currently working closely with Rouhani’s government. Tadbir 24 aims to “display [political] moderation in the realm of media and cyberspace as the fourth principle of democracy.” Tadbir 24 has adopted a supportive and “hopeful” approach when publishing news related to Rouhani’s government.

Salam-e No is run by a number of reformist media activists, and according to its website follows “a moderate approach, away from extremists.” This website was launched after the elections.

Change of media landscape in favor of moderates

When the 11th government formed in recent months, moderates took over government websites, including not only those of government ministries and affiliated organizations, but more importantly the official website of the Iranian president and that of the government. In addition, the directors of both official government news agencies, the Islamic Republic News Agency (IRNA) and the Iranian Students’ News Agency (ISNA), have been jointly appointed by Rouhani’s Minister of Culture and Minister of Science. As a result, IRNA and ISNA have become more moderate in tone and direction.

This editorial shift in Iran’s online media ecosystem is particularly salient given that reformist websites were heavily targeted following the 2009 presidential elections. At that time, almost all sites close to and affiliated with reformists figures, including Ghalam, Kaleme, Jomhouriyet, Norouz, and Emrooz, were attacked by government security forces and intelligence agencies. In some cases these sources were filtered, in other cases journalists and staff were arrested. Some of those journalists are still imprisoned or out on temporary release.

From 2001 to 2009 the online media landscape had a strong, albeit restricted, reformist presence. During this period, Iran’s Internet “Blogistan,” which grew until crackdowns and filtering began in 2009.  Starting in 2009, security and intelligence bodies ended the competition between the reformist and conservative media in favor of conservatives through what reformists called an “electoral coup d’etat.”

Four years after the disputed 2009 election, individuals and media teams affiliated with Mohammad Khatami, Mir Hossein Mousavi, and Mehdi Karroubi are still prohibited from establishing websites in Iran. While the landscape has become more open for moderate and reformist media outlets, conservative media still exists in Iran. The new administration faces a delicate balancing act of finding consensus between reformists, moderates, and conservatives. The conservatives, often associated with the Supreme Leader, will always have a dominant presence within Iran’s media landscape. Iran’s Committee Charged with Determining Offensive Content operates under the Supreme Council of Cyberspace, with a membership appointed by the office of the Supreme Leader. Despite conservatives’ strong influence over the media, it seems that sites close to Mohammad Reza Aref and Hassan Rouhani are gradually making inroads in the online media space.

This post was written by ASL19 and is cross-posted on their blog.

KTVU and the DMCA

What happens when an embarrassing clip about a local television station goes viral and the station wants to stop it?

When the KTVU Fox News Affiliate botched the names of the Asiana Flight 214 pilots, the video of the broadcast quickly went viral – collecting millions of views as multiple copies of the video appeared on YouTube. The local news affiliate then tried to pull the plug on the content by invoking the Digital Millennium Copyright Act (DMCA) in an effort to force YouTube to remove the videos.

The Digital Millennium Copyright Act is a powerful tool for content owners, often used to protect copyrighted material from becoming pirated. However, in this instance the news organization admitted that copyright claims weren’t the reason for employing the DMCA at all. KTVU station manager and vice president Tom Raponi told Mediabistro the reason for exerting the copyright claim was to take responsibility for and end the “thoughtless repetition of the video by others” as a way of apologizing to those who found the clip insensitive and offensive.

The move was met with criticism from the Electronic Frontier Foundation as well as the broader media blogosphere, who viewed the action as a stretch of the US copyright law that the DMCA may allow but that it was never meant to cover – as well as being acutely out of step for a news organization meant to be a “bastion of democratic discourse.”

This isn’t the first time a news organization has employed the DMCA to pull potentially-embarrassing content offline. Last month, NBC Universal cited the DMCA in an attempt to remove a clip from Senator Elizabeth Warren’s YouTube page.

The use of the DMCA has not been successful for these news organizations; both instances evoke the so-called Streisand Effect, whereby the organizations find themselves generating more attention to their foibles in the process of trying to get content taken down.  But more generally these situations also highlight the powerful abilities granted to copyright owners under the DMCA to selectively exercise control over the content that is allowed to exist online.

« Older posts       Newer Posts »