Physical Interaction

Anonymous interaction with the physical world is the holy grail. If you can fully interact with the real world through the Internet anonymously, you practically cease to exist as far as the Matrix is concerned. Unfortunately, doing this effectively typically requires capital on the order of at least $1000 USD. Not out of reach of business owners, but your clients may have some difficulty justifying the expense. However, some low cost alternatives do exist and will be provided. FIXME: I do not have the resources to investigate many of these options, particularly the expensive ones. If you do, please don't hesitate to contact me with results.

As a word of caution, any of these techniques that require the use of a local brick and mortar store should not be carried out near where you live, lest someone recognize you. Go to an adjacent town/suburb and work from there. Yahoo Yellow Pages is your friend (of course, its cookies are NOT your friend).

Using Anonymous Money

In the physical world, anonymous cash is a redundant term. Cash is anonymous. Unfortunately on the Internet, money is typically tied to an identity. However, some services do exist to allow you to bend or break this rule.

  1. Money Orders

    Money orders are available from the post office or Western Union, and do not typically require any form of ID for amounts less than $3000.00 USD. Some online merchants and most offshore banks will accept money orders. Unfortunately, money orders are typically the most frequent choice of scammers. Many western unions will cash money orders without ID.

  2. Pre-Paid Debit Cards

    Pre-paid debit cards are available over the Internet from all of the major credit card companies, marketing to individuals with poor credit. Note that all of them seem to require some proof of identity and valid mailing address (and will not ship to PO boxes).

    However, in some areas of the USA these cards are actually available for sale in convenience stores, grocery stores, malls, Walgreen's, Radio Shacks, etc. You pay cash, and you get what is essentially a debit card. Non-reloadable cards are usually available over the counter. Reloadable ones typically must be mailed to you. Neither type requires ID. Major vendors include the major credit card companies themselves, along with GreenDot and Simon Malls. The latter two have store/merchant locators to help you find a store that carries their products. Additionally, most Western Union locations offer named pre-paid debit cards. They do require ID and a mailing address, so you will need to use one of the techniques described below. In Europe, 3V Vouchers are also becoming available. ID requirements are unknown. It seems impossible to get them online without some form of identification chain, unfortunately. Perhaps walk-in to stores is different?

    If you cannot get anything reasonable locally, various independent providers will offer you prepaid "virtual" credit cards (sometimes called "Gift Cards") at various rates. Unfortunately, PayPal (and possibly some other online merchants?) can be a bit picky about accepting these cards. The best place to find information about which card providers are trustworthy and widely accepted are various online forums, and of course searching for the company name and "fraud", "scam", "sting", or "paypal". In particular, I've seen good things about Money Around The World, whose cards supposedly will work with Paypal IF you ask them for that feature ahead of time. They do not require ID. Similarly, SloGold advertises debit cards that can be used with paypal and even can be the recipient of wire transfers and direct deposits. XLCard.com has similar features, but their Paypal status is unknown. I've also heard reports that prepaid "Gift Cards" are being sold over the counter at stores such as Safeway, Sunoco, Walgreen's, and Rite Aid in amounts up to $500.

    Using the anonymous email address you created in an earlier section, you can then bind these card to a Paypal or StormPay account, and conduct small purchases on ebay or anywhere else anonymously (modulo shipping). Be careful to differentiate between no-name debit cards an anonymous credit cards. Paypal and online merchants may not accept cards with no name on them. No-name debit cards are typically only good at ATMs.

  3. Offshore Banking (Theoretical: Feedback Requested)

    Several companies on the web allow you to create anonymous credit cards and bank accounts funded via wire transfer, gold, or money order. Obviously a fully functional offshore bank account would be more useful than just a debit card. Unfortunately, many of these require a shipping address, a photocopy of some form of ID (for their records only, or so they claim), and/or are prohibitively expensive. A few that looked most promising were E-Fidex, Unitrust Capital, Offshore, Etc, and Cheung & Siu. Unitrust and C&S offer several services including "virtual office space" (with mailing address) as well as the ability to incorporate overseas. They do not mention an ID requirement, though they do mention additional fees if they file the ID documentation for you. Supposedly the Patriot Act has somehow made it an international requirement to produce some form of ID to open a bank account. It's not clear exactly how these institutions skirt this requirement, if they do at all.

  4. E-Gold (Theoretical: Feedback Requested)

    There are a couple companies that will keep track of gold electronically, and transfer it to and from certain parties. The most popular (and presumably the most trusted to have actual gold on hand) is E-Gold.com.

    E-Gold is purchased from one of their escrow agents who actually buy and sell the gold from E-gold's holdings. In particular, Goldage.net will accept money orders for e-gold and also provides anonymous credit cards. Alternatively, you may face less regulation purchasing e-gold in one of the ad-hoc e-currency exchange forums or one of their corresponding topsites such as MoneyDuck or PaysGold. Your chances of being scammed do go up when you do this, however, so be careful.

    Many of the offshore banking institutions also accept transfer to and from E-gold. E-gold has been used (presumably successfully) by the Source Code Club to conduct sales of corporate source to those wishing to evaluate it. E-Gold issued a statement that it will do its best to track down these guys, but so far the Source Code Club seems to remain in operation.

Anonymous Snail Mail

Many people who accept E-gold and many of the Offshore banking companies suggest mailing items to a local shipping agency, post office, or mail box provider with instructions for "Hold for Pickup". In this way is possible for a package to be delivered to their location in the name of a fictitious company for some holding fee. You can tell them a salesman traveling through town will be by to pick up the package. A variation on this technique is to use General Delivery in combination with a made up business card and legitimate ID to pick up mail at the Post Office itself. Since the only record of delivery will be to the business name (and not the ID shown), it is supposedly OK to use your real ID.

A far less cumbersome option is to rent a mailbox at a privately owned mailbox rental company (Commercial Mail Receiving Agency - CMRA). Unfortunately, most of these are bound by postal fiat that requires them to enforce ID requirements that may be verified at the post office. Since it has been reported that the Post Office sells consumer's addresses to marketing agencies, this is not very comforting.

The form you have to fill out is Form 1583 and is universal among all CMRAs. It requires two forms of ID, one of them photo. The Privacy Statement is riddled with exceptions to allow the agent to provide information to "contractors", "financial entities", USPS auditors (who appear to be under no privacy obligation themselves), and for purposes of "identifying addresses... used to deliver mail to other persons". Valid ID includes state ID, armed forces, government, corporate, or university identification cards, passport, alien registration card or certificate of naturalization, current lease, mortgage or Deed of Trust, voter or vehicle registration card, home or vehicle insurance policy. According to this contract, it is *not* mandatory that a photocopy of this identification be taken, but it must be written down on lines 8a and 8b by the clerk who accepts this application. If you are providing state ID with personal information on it, you would do well to insist that a photocopy not be made to avoid identity theft.

It is possible to avoid the regulatory hassle involved with CMRAs by instead leasing a "virtual office" from an Office Business Center (OBC). A "virtual office" typically consists of a mailing address, some amount of office time per month, a phone line and answering service, and access to conference rooms. Providers who offer this service are not subject to registration with the post office. Numerous virtual office providers can be found in any major metropolitan area, and rates are usually around $50-150/mo for basic service. I personally find it amusing that so long as you have sufficient money to pay for better service, you don't have to be stamped, branded, and tracked by the USPS, but people who cannot afford these extra services have to be watched with utmost scrutiny.

Your last method for anonymous snail mail is to usurp a "dead" mailbox. This is a mailbox that still has a postal address, but is not being used. Examples include vacant lots, empty office rooms, etc. Empty office rooms and janitorial closets typically will require permission of the building manager, of course. Vacant lots and unused street mailboxes can probably be easily "borrowed". In some cases, setting up a whole new mailbox with a "1/2" or "A" address out in the country is a very nice option as well (but may be noticed by neighbors). A completely new address may be noted less, but the flip side to that is the postal carrier may take issue with this.

Along these lines, at least one book reports success in searching/posting on online bulletin boards/classified ad servers for already registered mailboxes, either postal, UPS or unused office space. There may be many people who purchase mailboxes then simply move out of the area. The same book also mentions that it may be possible to receive mail at a Salvation Army or YMCA for a donation.

Ideally, the physical location that you ultimately have to go to to pick up your mail should change every 12 months. If your budget and need for anonymity was high enough, one way to increase the length of this window is to attempt an SSH Hopping-like technique by chaining virtual office forwarding systems together to attempt to obfuscate your location by crossing many international boundaries. That is, until a tor-like mixed network for mailing packages arises. I have not tried this out yet, but it would seem like Unitrust Capital has a decent offering, as does ABCN. Another option is to open a New Mexico LLC and then sign up for a Ghost Address. You can also try browsing this directory or the DMOZ/Google Directory entry for more options. Let me know how things work out for you if you decide to go this route.

Note

One last important thing to note about the mail (and physical interaction in general) is to be extremely careful with things you handle, especially if a fingerprint is on file with the local DMV, or if you purchased your printer with a credit card. The EFF maintains an excellent page about printers that encode identifying information in printouts, and how to detect if your unlisted printer is also bugged in this fashion. I have been told that printing to transparency film works even better than the techniques the EFF suggest, as the transparency will make the layered dots visible to the naked eye without the use of a blacklight or microscope.

Anonymous Telephony

Anonymous telephony is a tricky feat to accomplish: seemingly easy to do, but also easy to make mistakes that ruin your anonymity. Basically the goal is to obtain a cell phone that is untraceable to your physical identity. This in and of itself has recently become possible, but there is a steady stream of subtle information leakage from any phone that will eventually point to its owner.

Obtaining an Anonymous Cell Phone

In the US, anonymous cell phones have recently come available in truck stops, discount retail stores (Wal-mart, RadioShack, etc), and at cell carrier outlet stores. The main carriers that offer anonymous pre-paid service are T-Mobile, Cingular, Net10, and the ominously named TracFone. Note that some retail stores will ask you for your name and address, so you should have one ready.

For some reason, pre-paid cell phones are subject to a very bizarre price structure. The same phones offered on the web by the carriers are typically $100 more when you visit your carrier's local store. While it may be tempting to order these phones directly from the web using an anonymous debit card because of this, you probably are better served by going to a retail store and purchasing with cash, just to keep a distance between your debit card and your phone line (though sometimes this binding is required anyway for other reasons). Walmart, Costco, Radio Shack, etc typically have the phones for web prices or cheaper.

Another detail you should be aware of is that cell phones typically come "locked" to a given carrier, preventing you from switching carriers in the future. When selecting a phone, you probably want to try to obtain a model that is easy to unlock, so that if you need to switch cell phone carriers, you can. Nokia phones are usually easiest to unlock, typically by entering in a "secret key". The Nokia 6010 offered by T-Mobile in particular is readily unlockable, and is available at Walmart. To unlock it, use the DCT4 form, Network: T-Mobile, Gen: v2, Model: 6100 and use the first code. If the first code fails, try the 7th.

Information Leakage

There are a couple of things you need to be aware of when using an anonymous cell phone. If you are not careful, your anonymity can be reduced to zero in a hurry, and you can easily reveal your identity and location with a couple simple mistakes. In particular, here are a few things you should be aware of:

  1. IMEI Numbers

    Each phone has a unique, semi-permanent serial number called the IMEI number. These numbers are actively tracked in databases that are becoming international in scope. Note that this number is a property of the phone itself, and does NOT change if you pop out your SIM card to change carriers. As such, changing carriers with the same phone buys you no extra anonymity, and placing a SIM that is easily traceable to you into your anonymous pre-paid phone kills any anonymity you had, potentially even retroactively.

    Note that the converse is also true. If you have an old phone previously registered under your name and decide to try to use it with a pre-paid carrier, you have no anonymity.

  2. E911 Service

    E911 is a standard set forth by the US FCC that essentially specifies how accurate cell phone carriers have to be when tracking their users under various conditions. Cell phone providers can meet the accuracy requirements however they see fit, and the major carriers have adopted a couple of different technologies.

    While there have been some frightening uses of this technology by spyware installed on phones, what is most frightening about E911 is that there is no law that governs location-data privacy. This means nothing stops The Man from watching the location movements of any and every cell phone user he feels like. E911 location information is transmitted at all time while the phone is on, and no warrants are needed to obtain this information.

    The FCC has mandated that E911 be present on every cell phone sold after Dec 31, 2005. However, several models of phones do allow you to disable the E911 location information. For other models, your only option is to keep the phone turned off with the batteries out. FIXME: Specifics on how to disable it while the phone is on?

  3. CALEA and Relevant Surveillance Law

    The CALEA is the US law that governs obtaining warrants for wiretap on electronic communications. Much like E911, it merely specifies requirements that industry must follow in granting the federal government access to communications. The problem with this system is twofold. First off, obtaining a wiretap warrant is pretty much a rubber-stamp process with little real oversight; and second the fact that the mass-surveillance infrastructure built to support CALEA is easily subverted to criminal and even rogue-state ends.

    FIXME: At this point in time, it is unclear as to whether recent expansions in wiretap law make it easier to obtain a warrant for arbitrary pre-paid customers before their identity has been revealed through other means. It seems as though The Man has to at least have a vague idea that the phone number in question is being used for Unapproved activity, but as the warrant statistics indicate, even this may be at best a symbolic gesture. As such, it is recommended that even after obtaining a prepaid cell phone, you not put full faith in its anonymous and private nature.

  4. The Social Network

    Once again the Social Network rears its ugly head. If there is one thing you can be sure of, it's that EVERY PHONE NUMBER YOU CALL OR THAT CALLS YOU IS LOGGED, even if you are not currently under surveillance. The call logs are indexed by IMEI, so switching phone numbers and carriers does you no good. This means that it is possible to automatically determine that your anonymous phone and your nonymous phone share many of the same numbers and thus are operated by the same person, or at least two people that know each other. Avoid calling the same people on your anonymous phone as you do on phones that can be traced back to you, and instruct them not to call you either. The more numbers are shared (either outgoing or incoming), the greater your risk of being uncovered. When a phone starts to be contaminated in this way, toss it and get a new one. People have been caught this way.

Assuming an Identity

Unfortunately for most interactions with the physical world, you typically need at least some form of ID. You basically have five options:

  1. Employ a Homeless Person or Post to Online Classifieds

    If you live in an urban area, you might be able to find a reasonably coherent homeless person (or someone willing answer a classified ad posted on a community bulletin board or website) to assist you for a small fee. It turns out that the international nature of craigslist can make it possible to operate in geographical contexts far distinct from your physical location (though Craigslist seems to have decided to block Tor, so you may need to put a special line in your privoxy config to access them anonymously).

    This can get sticky, and probably requires a good judge of character to pull off. You should definitely make sure the money you give them for the institution is in the form of a money order written out to the intended recipient, to minimize their chances of running off. You should only pay them for the job after they complete it.

    Make sure that it is not possible for them to obtain access to the account or mailbox after they create it. Obviously keep any keys/cards to yourself, and make sure that it is difficult for them to get any replacements immediately. Possibly use two different people for mailbox creation and account creation. Ideally, you should use a service where replacement cards are mailed to a mailbox you control, and not to them. You may wish to bring a friend along, to make it clear that if there's trouble, "more than one person" will be looking for them.

    Even after all of this, it is still possible they might flake out, or worse, attempt to blackmail you by threatening to call the authorities. Give them a decent cover story, such as you are trying to hide from an obsessive ex-lover, or have a job where people might seek revenge on you personally (meter maid, tow truck operator, judge, lawyer, etc). Have a story ready about how some friend of yours or someone on the news was harassed because of their job. Even if you believe your reasons for seeking privacy are legally safe, you should limit what you tell your courier about your exact circumstances, since this can weaken your privacy (it's a small world).

    Ideally, you should be using them for one-shot deals, like courier service or to set up an overseas account, or to open an account whose card and number will only be given via mail (ie to you, not them). The less information they have about what they are doing, and the less they see of the end result, the better off you are. Don't work local to your home (or theirs). Ideally, you should never see this person again.

    Even with all the hassle, unfortunately this is the safest method to use with respect to US law. If you are doing ANYTHING that might attract the attention of or otherwise annoy an FBI agent (which in these troubled times is just about anything), acting by proxy is the only way to go.

  2. Manufacture ID for Yourself

    Unfortunately, making a fake governmental ID can bring a lot harsher penalties than is worthwhile to risk, depending on your threat model. US Title 18, 1028 criminalizes any interstate production/use of government issued identification with penalties of up to 15 years in jail. Simply using fake state ID is considered a misdemeanor and is punishable by a maximum of 3 years, though first-offense misdemeanors almost never receive jail time. This means that it is usually simply not worth making state ID for most people, since you will likely have to destroy (or sell) most of your equipment if you don't want to spend time in federal prison for being caught using it.

    However, it is possible to obtain a CMRA mailbox with two non-governmental forms of ID (such as an employee ID and a local city/community college ID), so "novelty" ID creation is still an option. As far as I know, presenting "novelty" non-governmental identification is not criminalized. There is slim possibility of charges of mail fraud, but from reading USC 18-63 and the DOJ prosecution policy, it would seem that mail fraud is only applicable if someone has actually been deprived of money/property via the mail. After all, are they going to prosecute every author that publishes under a pseudonym who has ever sent something through the mail? That would be a bit excessive, even for the US government.

    If you invest a bit of money (around $200-$500) you should be able to make a variety of ID yourself. There are a couple of text files that describe the process (along with some supplementary material I found on usenet). Alternatively, you can check out this book for a detailed overview of how to create a wide variety of ID.

    Also, beware of cheap template collections you might obtain via P2P networks. These almost all suck and are dangerously out of date. The reason for this is that even electronic transfer of ID is criminalized just the same as physical ID in USC 18-1028. It is possible that templates may begin showing up on anonymous P2P networks, but you should focus on cloning local (ideally non-governmental) ID anyways. If you are still dead-set on creating state ID, the 2004 US ID Checking Guide (FIXME: anyone have 2005/2006?) contains information on all the security features present in the IDs of all 50 states, so that if you decide to go the template route, you can verify what you have is current, and you can use it to cross-check to make sure you don't miss anything. Alternatively, local copy shops typically have high quality scanners you can use to save yourself some money. As far as printer, the above book recommends the ALPS MD series, but those are discontinued and prone to breaking (meaning buying a used one is probably a bad idea). You're probably better off using an Epson C82 or 740 (the 840 tends to print too fast and is prone to smudging), which have been reported to work well on alt.2600.fake-id. Use the Photo-EZ trick mentioned in the above text files for stenciling patterns for UV/metallic inks.

    Lastly, it should be noted that some places (especially the offshore banks) require only photocopy/fax of ID, which should be especially easy to spoof. However, some outfits may actually query your driver's license number at the appropriate DMV. If they are operating overseas, they are less likely to have the capability to do this, but in any case, I have not tried it, so attempt at your own risk. My guess is that due to recent events, companies will have less freedom to query these databases, since this just opens the door up for rampant abuse. However, if you do try it out, take proper precautions for ensuring the fax phone line can't be traced back to you (use a local copy shop), and use all the digital precautions we've discussed thus far. This way, at worst you get rejected immediately, and no harm is done.

    Note

    As mentioned previously, make sure not to purchase your printer with a credit card. The EFF maintains an excellent page about printers that encode identifying information in printouts, and how to detect if your unlisted printer is also bugged in this fashion. I have been told that printing to transparency film works even better than the techniques the EFF suggest for detecting identifying markings, as the transparency will make the layered dots visible to the naked eye without the use of a blacklight or microscope.

    If your printer does print identifying dots, you will want to sell it/dispose of it if you created state ID, because the identifying information can be used to prove that you produced your own ID instead of obtaining it elsewhere (the difference between a misdemeanor with typically no jail time and a maximum of 3 years, and a felony with a maximum of 15).

  3. Manufacture ID for Another

    The previous technique is not without its weaknesses either. For instance, it is not ideal that a photocopy of your picture and ID is on file with an account. While it is presently not implemented (at least not as far as I know), assume that within the decade it will be possible to use face recognition to quickly match drivers license records to other pictures of individuals. Even this aside, there still is the slim but real chance of human recognition, or recognition after an investigation begins.

    For protection against this, you can take the extra step of creating the ID for the homeless person/courier and keeping it to yourself until you need their services. That solves both the recognition risk, and the risk of the them trying to use the ID to obtain access to your account/mailbox. Unfortunately, it does not solve the blackmail problem. For this reason I strongly recommend against making state ID to give to another, as this is instant leverage for blackmail, independent of the nature of the use.

    However, since "novelty" non-governmental ID is not criminal in and of itself, blackmail is much less possible. There are a myriad of reasons someone might desire anonymous banking and mail delivery without them necessarily being guilty of any crime (again, jealous lover, dangerous job, etc). Invent one and tell it to your courier before they agree to help you out. Preferably not the real reason, since this can be used to determine who you are.

  4. Attempt to Build a Government Recognized Identity

    This is an extremely complicated process that is easy to screw up and can land you in jail. The process typically starts with some form of fake ID created as discussed above, and uses that to obtain legit secondary documents from the government, which can then be used to get you into the DMV and other databases with legit ID. If you are seriously considering this, you should have a look at the books in the print media resource section.

    Also be aware that the long-term danger of face/biometric recognition technology still applies to this method, especially if your face exists as two different people in the DMV database. Many states already implement this type of technology using electronic fingerprints to verify no two licenses have the same thumbprint. In this case, the clever folks at the Chaos Computer Club have a mechanism through which you can borrow the fingerprints of another. Another hack that I've been told works well is to use a red felt-tip marker to obscure identifying marks on your finger before it is scanned. The red ink messes up the red laser light from optical scanners.

  5. Identity Theft

    Identity theft for the purposes of stealing equity, reputation, and credit from other human beings is morally wrong, and since this is the predominant reason that identity theft occurs, I do not wish to discuss it. This HOWTO is about taking your freedom back from the institutionalized oppression that is the Matrix, not stealing from your fellow man. If this isn't enough to discourage you, note that ID theft is more dangerous than creating an identity since the victim may notice additional accounts on his credit report or elsewhere, and may report them at any time. It is likely that the penalties for ID theft will soon skyrocket in the typical "tough on crime" reactionary fashion as well.

    However, that being said, it is becoming apparent that at some point in the future, bureaucratic governmental arrogance and momentum will push for mandatory national database verification of identification. When this regrettable time comes (and in some places it has already arrived) identity theft may become a necessary measure in protecting one's privacy. The upshot is that the ubiquity of these data checkpoints will increase the vulnerability surface of the bureaucracy tremendously, making identity theft considerably easier. In that case, both moral and practical considerations dictate that those using identity theft for privacy should strive to conduct this activity with as minimal an impact on the host identity as possible. This means of course no monetary theft, and typically avoiding any actions that would alter the credit ratings or otherwise appear on the credit reports of the host (such as the creation or use of credit cards and bank accounts).

Protecting Yourself from Fraud

The most risky aspect of interacting with the Anonymous Economy isn't being caught by The Man, it's being ripped off. The best way to protect yourself from fraud is to always scroogle search for the merchant you intend to do business with and add the terms "fraud", "scam" or "sting". If nothing comes up, try to post to a relevant forum and ask. In the unfortunate event that you are ripped off, do complain loudly and vocally on as many forums as possible. Sometimes informing a merchant that you are about to smear their reputation all over the Internet can 'jog their memory' into remembering to ship your purchase after all, so you might want to contact them first.

Be ware that some merchants will gladly honor smaller purchases only to defraud on larger ones, so unfortunately conducting smaller transactions with a merchant might not guarantee that they are safe for larger transactions. Luckily there is a solution. Escrow services can help you conduct larger purchases without fear of the merchant defrauding on delivery. Essentially, the way they work is that you pay the service the amount of the purchase price plus a small fee, and take a shipping tracking number from the merchant, and hold your money until the shipping carrier reports received the product, at which point the escrow agent release the funds to the merchant. Unfortunately, some escrow sites themselves are scams. It is probably best to use one of the services listed on this ebay page.

If you are a merchant, remember that when conducting business your reputation is your bond. All you need to do is mishandle a single customer and your sales will plummet as word spreads like digital lightening that you are a fraud. You want to avoid this like the plague, since ruining a rep typically means you have to rebuild your entire anonymous cover.

You should also allow payment via as many options as possible, particularly escrow services. You want to ensure that any level of anonymous client is capable of transacting with you, and you offer redundancy in payment options. Most likely Paypal is not going to take a particularly fond eye of you (and has other problems, as well), so sometimes a backup plan can be helpful. You should also go through the trouble of setting up your own website anonymously, so you don't have to deal with ebay's rules on what items can be sold (though craigslist is one alternative to ebay with minimum restrictions). It is also easier to build up a widely commented upon and easily verifiable reputation if you set up your own website.

For information on the reputability of various online currencies, you might want to consult The Gold Pages Online Currency Journal and the Global Digital Currency Association.