How much work does it take to track down the author of an anonymous email?

I’ve often wondered why more people don’t send anonymous emails in order to air thoughts or grievances they’d be afraid to air publicly.

Is there something I don’t know about how easy it is to get caught?

Is there some easier-than-I-know-about way to track down the author of an anonymous email?

For example, if I went somewhere that offers free no-sign-up Wi-Fi, and grabbed myself a gmail account, and forwarded emails that were sent to everyone in my company to some authority who might have something to say about the content of those emails, then once my company knew they had a “leak” of this kind would there be some way they’d be able to trace it back to me? I’d have thought this was foolproof.

That’s not to speak of more trivial examples just involving interpersonal relations between people on an everyday level.

This may be a horrible way to solve a problem, but I’ve always wondered why people don’t do it very often (in fact I’ve never heard of a case of someone doing this, though I’m sure it does happen). Something’s being a horrible way to solve a problem has not typically stopped people from doing it before. So what’s stopping them?

ETA: Just in case you’re worried, the trigger for this post has not been an actual plan on my part to do anything like what I’ve described, though I’ll fess up to it having been triggered by fantasies of doing something like this.

Emails can be sent using anonymous mail accounts through the TOR network or other proxies. Since it’s not coming from you or your computer, it is not traceable. I think the chances of a company taking a guess at disgruntled workers is much more likely.

All emails can be tracked, but you may have to do a lot of backtracking.

For instance, you can send an email from A to B. Or you can send it to A who sends it to C who sends it to D, who sends it to E, who sends it back to C, who sends it to F, who sends it back to A, who sends it to G and so forth for tens of thousands of times before it’s finally routed to B.

OK so there is a clear line of responsibility. The problem is tracing it. You’d have to contact each ISP and get their records, usually involving a subpoena. Then some ISPs don’t keep records or keep them very well, etc., etc.

You can trace it, but it’s not worth the effort or you could trace it back 9,000 times and find a broken link.

A broken link could be something like, you walk up to a teenager and give him $20 to go into the library and use his card to type the email and send it. Since he doesn’t know you, there’s no way, even if the authorities caught him, he’d be able to finger you.

Anonymous programs use a thing called plausible deniability. For instance, with the P2P program Perfect Dark you are constantly downloading and uploading. Since it’s all encrypted you have no idea what you’re downloading or uploading. It’s bits of rubbish for the most part but the file you want is also in that pile of rubbish and eventually will get decoded.

People don’t like such programs as you don’t know what you’re uploading or downloading and it could be anything from a copyrighted movie to child porn. And you may have to download 20 GB to get a half-GB file. But then if you’re caught, you can always say, “I am constantly downloading and uploading, I didn’t know.” And you didn’t, thus plausible deniability.

Untraceable remailers. I have used this type of service for a prank, and it worked as described.

Many spam and phishing emails are effectively untraceable. You can find the computer and email account that sent the messages, but they are sent under control of a botnet, so the actual originator of the email is very difficult to identify.

Anonymous chained proxies.
There are also free temporary email address services. The accounts last from a few minutes to whenever. Not sure if any or all log the source IP.

As already described, there are technical methods available right now that make tracing the source of the email practically impossible. Yes, given enough time, resources and authority an anonymous email can probably be traced back to its technical source of origin. Unless the damage is of extraordinary value, one can surmise even the largest private corporation will not invest the time, money and personnel.

Not so with the government.

However, while a technical trace is practically impossible (government notwithstanding), a social engineering trace may yield results in a shorter time and more accurate results. The specific nature of the content, the language used in writing the email, and the accessibility of the content can trace its origin quite easily, relatively speaking.

On preview I see that Duckster already mentioned how much easier it is to track the content of the email rather than the source. At a previous employer I had a senior vp that was instituting policies that violated federal laws. I could have blown the whistle, but since I was one of only a handful of people who was present for these conversations and receiving these emails it wouldn’t have taken long to figure out the source of the leak. I chose to resign instead.

Seems easy enough to me, but the responses so far don’t indicate how this could be traceable. (I wouldn’t forward the emails to this account, though. That could be archived by gmail. Cut & paste instead.) You can create a gmail address that would be untraceable to you, and send emails that would seem untraceable except to whatever network you happen to be on. Fly to the city of your choice, find a place with free WiFi, and how could your email ever be traced? Can a web site capture a MAC address or information that identifies your hardware?

I would question the “fly to the city of your choice” part because that would likely be the thing that got you caught.

Free Wi-Fi isn’t a terrible idea… especially if you go to a crowded place…

I would really, really not use my own computer for this. I’d be too worried that a cookie would get me. I would simply buy a super-cheap computer at Best Buy, go to the closest free wifi place, do my business, drop el cheapo in the nearest garbage.

You can be traced several ways:
The originating IP address of an email is buried in the header. (View properties -source of the mail).
You may use an anonymous remailer, but that can be traced then; so if the right authorities care to track things down, they may have the means to look at connection logs to see who was connected (what IP) when the mail was sent. If they already suspect you, they may look at your logs via an ISP or look at your browser history. This would be where even a private lawsuit would result in your computer being seized for forensic analysis.

I recall reading that the combination of info that a browser presents to a website - version, service packs, versions of java and flash, etc. - may be a pretty unique “fingerprint” that can identify a specific PC.

If you use anonymous Wifi, the hard-wired MAC address of your wifi card may be logged by the system; even something as innocuous as an 8-day DHCP lease (usually wifi would be an hour or so) means the MAC is kept in the DHCP table for a while. If you plan on doing anything horribly illegal, find a program that falsifies your MAC or use a disposable Wifi card (as long as it’s not trackable to the store that sold it…)

It depends how long various records are kept and who uses them. If you use your old PC and then put it in the crusher - maybe some different groups have ways to survey the logs of assorted locations to determine where and when the MAC last showed up; or look at an anonymous email account and say “what other computers logged into this account”?

This is similar to the tricks used by the NSA to find Al Qaeda; one call to a cell phone means they then get a dump of all other calls to/from that second phone and so on until they build a list of all calls that do not have a logical explanation. This is then correlated with other data.

Similarly, IIRC in one file-sharing trial the RIAA countered the “I ripped them myself” by showing that many of the files were identical to ones shared from several other sources all over the Napster and torrent sites, but the tags were not computer-generated. They had a long database history of who was trading what files when and could show the provenance of many files.

It depends how badly someone wants to track you down and what resources they have. Your Average Joe victim of a prank email is more likely to simply assume whodunnit based on content, while a prosecutor determined to nail someone has a lot more tools at his disposal and you only have to make one mistake. I.e. - as someone mentioned, fly to a different city and it won’t take a rocket scientist to match your travel to the event once they suspect you.
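The header trace that post describes, as an added example that is not part of any post in the thread: it walks the `Received` lines of a constructed sample message oldest-first and pulls out each hop's IP, stamping host and timestamp. The message, host names and the `trusted_suffix` parameter are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (not from the thread); IPs are documentation ranges.
RAW = """\
Received: from mx.example.org (mx.example.org [203.0.113.25])
\tby inbound.example.net with ESMTPS id abc123;
\tTue, 02 Mar 2010 11:02:09 -0500
Received: from webmail.example.org (webmail.example.org [198.51.100.7])
\tby mx.example.org with ESMTP id def456;
\tTue, 02 Mar 2010 11:02:07 -0500
Received: from [192.0.2.44] by webmail.example.org with HTTP;
\tTue, 02 Mar 2010 11:02:05 -0500
From: someone@example.org
To: recipient@example.net
Subject: constructed sample

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)")

def trace_hops(raw, trusted_suffix=".example.net"):
    """Return Received hops oldest-first with IP, stamping host and time."""
    hops = []
    # Each relay prepends its header, so the last one listed is the oldest.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        flat = " ".join(value.split())            # unfold continuation lines
        head, _, date_part = flat.rpartition(";")
        ip, by = IP_RE.search(head), BY_RE.search(head)
        host = by.group(1) if by else None
        try:
            when = parsedate_to_datetime(date_part.strip())
        except (TypeError, ValueError):
            when = None                           # malformed or missing date
        # Only headers stamped by the investigator's own servers are
        # reliable; older ones are whatever upstream relays claimed.
        hops.append({"ip": ip.group(1) if ip else None, "by": host,
                     "time": when,
                     "trusted": bool(host) and host.endswith(trusted_suffix)})
    return hops

if __name__ == "__main__":
    for hop in trace_hops(RAW):
        print(hop["time"], hop["ip"], "->", hop["by"],
              "(trusted)" if hop["trusted"] else "(claimed)")
```

Only the newest hop here carries a header written by the receiving side; everything older has to be corroborated against the relay operators' own connection logs, which is where the subpoenas discussed in the thread come in.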

I forgot to mention that whichever wifi you choose to email from make sure that you don’t travel there in a car that has GPS and you leave your cell phone at home. Many police departments have been known to request GPS data from wireless companies, some of which happily provide it without a warrant.

Cameras are what will get you.

Cars in general would present a problem. I wouldn’t want to drive my own car because some camera will get the plate. Renting a car would be dumb and car service/cabs come with their own set of problems.

One thing about computer crime is that investigators can tie precise times to events. You don’t want to be caught on camera walking into the pizza place at 10:58, then at 11:00 you pop open a laptop, then at 11:02 (according to the headers) that email gets sent, then at 11:04 you leave.

A disguise doesn’t sound like a terrible idea to fool the camera, but a lot of people you know will see those pictures, so make it a good one.

Finding help from another person only doubles your chances of getting caught.

I would think twice about the “I’m going to travel to a part of town where nobody knows me” idea, because when you’re caught on camera there you’ll have a hard time explaining.

No need to reinvent the wheel.

The Mixmaster anonymous remailer network has been around for over a decade. It’s specifically designed to allow sending untraceable emails. It uses multiple layers of cryptography to bounce an email through several servers in such a way that none of them can link the sender to the receiver. You don’t have to trust the server operators for it to work - it’s still secure even if most of them have been compromised or are run by the bad guys.

Inventing your own security protocols pretty much guarantees you’ll get it wrong.

Duckster is correct of course - even with a system that allows perfect technical untraceability, the content of the email can still trip you up.

The OP is not talking about using a computer to commit a crime, which would subsequently be investigated by law enforcement agencies with big budgets. It’s talking about corporate whistle-blowing.

How a company could get my phone records, credit card records, GPS tracks, etc., without evidence that I committed a crime, I don’t know. Not saying it’s impossible, because I don’t doubt there are some very creative private detectives, just that we’re talking about being found by fairly garden-variety means available to the general public.

Many ISPs and most employers will divulge all this information if requested in a subpoena - e.g. a civil matter.

I think most people here would probably agree that a warrant should be required, but the fact is, it isn’t.

A subpoena isn’t a request. If they get one, they’re obliged to comply.

It seems to be standard operating procedure to go after whistleblowers using copyright, trademark or contract violations as a pretext.

Wardriving. How does it work?

Of course, if you didn’t commit a crime, then so what? In most of the USA, they can fire you with no reason, no notice, and pretty minimal separation pay. If it’s not a crime, there’s not much more they can do to you. So once they suspect you, they may as well toss you over the side.

I guess if it’s a matter of “which one of our 30 IT staff did this?” then they want to start investigating and this is where this discussion becomes relevant.

In the late 90’s, IIRC the Church of Scientology sued an anonymous remailer in Finland (which eventually shut down, once they realized they could not guarantee anonymity) in a copyright suit over distribution of documents relating to the church’s activities.

So there’s a question for the lawyers. What right does someone have to subpoena records from a third party in a civil suit? Can I demand that Verizon turn over its relevant records regarding Joe Schmoe because I’m suing him?