I have a relative who is engaging in behavior that certain companies in my country would like to hear about for legal reasons. That relative is connected, wealthy, and highly unstable. I would like to join the force of whistleblowers who are making our world a better place, but I know if the groups involved end up using me as a witness, I and my family will end up dead or worse.
I’ve been using Proton Mail for quite some time now, using aliases to try and anonymize myself on the internet. Would I be able to create an alias in order to email the whistleblower email that this group has? Or even create a new address and send it that way? (I feel like because of how the alias emails look, it might just get marked as spam). If I do this, would it be able to be tracked back to me in any way?
For starters, if this is the level of risk you’re dealing with, you’d better try to consult qualified experts rather than depending on what advice internet strangers have for you. There are various organizations that might be able to help. Ideally use Tails on a device you believe to be safe, preferably one that isn’t shared with anyone else. From there you can try to contact relevant organizations that might be able to assist you. Anyone who deals with press freedom, human rights, or whistleblowing might be able to help. Just be careful with what details you share.
For this level of risk, that’s not nearly enough. As mentioned, you ought to start by setting up Tails. Email is not a secure method for communication; you’re better off using a secure platform. Or better yet, if the organization you’re contacting has it, use SecureDrop.
If you must use email, your best option is to anonymously create a Proton account on Tails. Remember, you cannot give any personal information when creating accounts, and Proton might give you a hard time when signing up using Tails; feel free to DM me and I can help you get around it. If you’re stuck using email, you’ll probably want to learn how to use PGP as well.
It might be a good idea to try and clear all your browsing history and delete any accounts you’ve used where you discussed this sort of thing. From now on, only do research in Tails unless instructed otherwise by an information security expert who’s familiar with your needs.
EDIT: This article might be a good start, I suggest you read it using Tails or at least use the Tor Browser.
No, it is not fully anon. The final destination for the alias would have to be immune to any OSINT or legal process. The front-facing email needs to be immune to IP logging. The only way you’re doing that is a custom domain self-hosting SimpleLogin for each different email.
Why for each different email? Unless you can properly disguise this website as some public/private email service it would be assumed a single entity owns all emails on the domain. So you’ll need multiple domains that aren’t similar.
Every site this email is associated with must have different information top to bottom. Probably easiest to accomplish this in a virtual machine. Avoid phone usage with these emails unless it’s running GrapheneOS.
Domain(s) will need to be from a “bulletproof” host, as well as the web host. Purchase with Monero. You’d have to do some research on what providers high-risk websites are currently using and maybe look through blackhatforums. Something like https://www.aliasvault.net/ would be useful as well.
If that’s too extreme, you could try chaining email alias providers. SimpleLogin > addy.io > self-hosted SimpleLogin > real inbox, or turn on the SimpleLogin reverse alias feature and other settings to strip metadata.
The most important thing is creating new accounts. Simply changing your Gmail to a Proton alias does nothing. Your signup email is stored forever and maybe your email history too.
I may be reading too much into this statement. I thought there were benefits to moving from Gmail (free) to Proton. My assumption was that Gmail is less private and Proton offered a level of privacy/encryption.
What I mean by this is, changing your Amazon account email from Gmail to Proton does not remove the original email from being tied to your account. Same for Discord, Twitter, etc. Just something to think about.
Yeah, source please? Companies aren’t allowed to arbitrarily keep this sort of data once you’ve changed your email. You can also request your data under GDPR to confirm that they don’t still have your previous email address stored.
Most companies will have in their privacy policies “We have the right to retain info for as long as we need to comply with their regulatory requirements”.
They may also be using a third-party service for processing emails, with different laws, that is keeping logs of the previous email.
This means you can never be sure. Also, there have been legal cases where LE were able to get the history of a changed username or email address.
Well, yes, they are obligated to follow the applicable laws. That shouldn’t be surprising. That is why I recommended getting a data extract and checking whether they still have your previous email address stored. In my opinion, they should have no legitimate reason to store it (legal or otherwise), but it may depend on the industry.
My understanding is that a benefit of changing from a free email (like Gmail) to Proton is that, after a number of years, the Gmail account becomes stale.
If this really is a benefit, it isn’t the immediate “clean up past mistakes of using a free email account”, but it at least offers a glimmer of hope to increase privacy?
You think they don’t keep the emails they sent to your old email? When have you ever changed your email on a site and they didn’t send you a verification email that now links both of your emails to the same account? Sure, a GDPR request may work, but the GDPR request itself is deanonymizing since you are telling them in specifics what you want gone and they are required to store the requests/responses for compliance.