
Using Tails for online privacy

This document describes how to use the Tails operating system to achieve a degree of privacy online that can be "good enough" in many cases. The necessary concepts to understand how Tails works and how to use it will be introduced as needed, with no assumptions beyond general technology skills.

An important note here is that you should not use any of the services you sign up for within a Tails session from a regular OS. For example, if you signed up for a private email address, do not log into it from any other computer or OS.

Tails stands for "the amnesic incognito live system", and is an operating system that's designed to protect your privacy while being fairly easy to use. By default, no data stored in a session of using the device persists between reboots, and it should be very hard or impossible to link the same device between sessions.

The installation docs at https://tails.boum.org/install/index.en.html guide you through the process of creating a live USB that Tails can be booted from. You can reboot your device from this USB and do work in general, or do work requiring higher levels of privacy.

MAC address randomization

You're likely connected to the Internet via Ethernet or Wi-Fi. The interface that allows your device to communicate with other network equipment has a value identifying it called a MAC address. Since this value is a stable, unique identifier for your device, it can be used to track you.

Wikipedia says:

According to Edward Snowden, the US National Security Agency has a system that tracks the movements of everyone in a city by monitoring the MAC addresses of their electronic devices.

Tails randomizes the MAC address each time it's booted, so your access point only sees a plausible but short-lived identifier before handing out an IP address so you can get online. The documentation at https://tails.boum.org/contribute/design/MAC_address/ describes the assumptions of the design in great detail.

IP address shielding with the Tor network

In order for your device to connect to others on the Internet, e.g. in order to retrieve a web page such as this one, your device needs to have an IP address. In a typical home setup, this IP address is shared between all devices connected to the same Wi-Fi hotspot via NAT.

All network devices on the route between your device and the target device (e.g. a web server) can see and record the source and destination IP address. The Tor Project uses onion routing to add a privacy-preserving layer on top of TCP/IP. The way this works is that connections from your device are made to a SOCKS5 proxy running on the local device, which then routes them through several nodes on the Tor network before they exit the network and are sent to the destination server.

The end result is that any attempt to track your traffic across the Internet is made very difficult or impossible; it's no longer the default that all network devices can see everything you do.
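As an added example (not from the original post), here is the local hop of that path: a minimal SOCKS5 client in Python that hands the destination hostname to Tor's proxy instead of resolving it locally, so the DNS lookup also travels through Tor rather than leaking to the local network. It assumes Tor's SOCKS port is 127.0.0.1:9050, the default on Tails; the function names are my own.

```python
import socket
import struct

# Assumption: Tor's default SOCKS5 listener on Tails
TOR_SOCKS_HOST = "127.0.0.1"
TOR_SOCKS_PORT = 9050


def socks5_greeting() -> bytes:
    # VER=5, one auth method offered: 0x00 (no authentication)
    return b"\x05\x01\x00"


def socks5_connect_request(hostname: str, port: int) -> bytes:
    # VER=5, CMD=1 (CONNECT), RSV=0, ATYP=3 (domain name).
    # Sending the name, not an IP, makes Tor resolve it inside the circuit,
    # so no clear-text DNS query leaves this device.
    name = hostname.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname length must be 1..255 bytes")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def parse_socks5_reply(data: bytes) -> int:
    # Returns the REP field: 0x00 = succeeded, anything else is a failure code
    if len(data) < 2 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 reply")
    return data[1]


def open_via_tor(hostname: str, port: int, timeout: float = 30.0) -> socket.socket:
    # Open a TCP stream to hostname:port through the local Tor SOCKS5 proxy.
    s = socket.create_connection((TOR_SOCKS_HOST, TOR_SOCKS_PORT), timeout)
    s.sendall(socks5_greeting())
    if s.recv(2) != b"\x05\x00":
        s.close()
        raise ConnectionError("proxy refused the no-authentication method")
    s.sendall(socks5_connect_request(hostname, port))
    rep = parse_socks5_reply(s.recv(262))  # longest possible reply is 262 bytes
    if rep != 0x00:
        s.close()
        raise ConnectionError(f"SOCKS5 CONNECT failed, REP=0x{rep:02x}")
    return s  # plain TCP stream; wrap it in TLS yourself for HTTPS
```

Calling `open_via_tor("example.com", 443)` on a running Tails session returns a socket whose traffic leaves through a Tor exit rather than your own IP address.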

Create a private email address

At the root of many services' assumptions about identity is that you have an email address. Creating a private email address is thus likely going to be a necessary step to get anything done.

There's a list at riseup.net of email providers. I am using disroot.org, which is working well so far, and free for a basic account.

Manage changes to documents with Git

More to come here..

Persist data between sessions

Since a Tails session by design forgets all information when the device is rebooted, extra steps need to be taken in order to persist data.

Identification and encryption using GPG

The GPG software is infamously difficult to use, but despite this it does allow you to encrypt a message so that it can be stored in text format and decrypted by no one who is not in possession of the private key, as well as to sign messages that others can verify as coming from you.

More to come here..

Authentication for servers with SSH

More to come here..