Super-injunctions and how not to get caught
May 29, 2011
The recent super-injunction furore has generated more comment than almost any other issue in Britain recently. As with so many events related to privacy and identity there is a strong flavour of IT. I can’t pretend to understand all the legal implications of the CBT story, but I do understand how the technology works. I can be pretty certain that if I were ever to break a super-injunction over the Internet, I wouldn’t get caught through the technology I used.
Before we get into the technology, let’s think about the reason behind why we’ve got to this stage. The British have always had a history of social disobedience for rules that they don’t like. Look at the poll tax riots and the more recent fuel protests. It takes a supremely heavy hand to prevent social disobedience. For example, look at speed cameras. These are all over the place but people still speed because they think the rules are stupid. The super-injunction storm can be seen in the same way. Once @injunctionsuper tweeted the first six stories, of which at least one (Jemima Khan and Jeremy Clarkson) has been proven to be incorrect, the rest were re-tweeted by at least seventy-five thousand people.
People see super-injunctions as tools of the rich to prevent the tabloids from publishing their standard fare of kiss ‘n tell stories. However, there are very many reasons why super-injunctions can be used for much more serious reasons. For example, keeping secret the identity of people prior to trial, whether accused or victims. It seems that this legal tool has been used by people rich enough to afford it in order to keep their identity out of the news. That’s what has caused this massive storm of civil disobedience.
It now seems that Twitter have decided to comply with revealing user data under certain circumstances. An application filed in California on behalf of a British council has resulted in Twitter revealing user data. Whether the same will happen with the CBT case remains to be seen as CBT’s legal team filed in England, not the US. Twitter have no servers in the UK, are incorporated in California and have only just employed a European representative.
It’s not clear how the High Court plans to get a US company like Twitter to comply, though. According to US law, sites like Twitter and Facebook aren’t liable for the postings of their users thanks to Section 230 of the Communications Decency Act, and for most things, users’ speech is protected by the First Amendment anyway. The only way I can see that Twitter would hand over data is if a user’s Tweets were against the Twitter terms of service and had broken the terms of service that users agree to when they sign up to use Twitter.
If Twitter do agree to provide that user data, it then depends on what steps the user took to hide their identity from being traced through computer forensics. Any person with a basic understanding of technology and the ability to follow a set of instructions could do this completely anonymously. Here’s how I’d do it.
- I’d use a laptop instead of a mobile phone. Laptops are far easier than mobiles to anonymise. I’d buy a second-hand laptop for cash. The only requirements would be that it had a CD drive and wireless networking. This is my non-traceable hardware.
- I would boot the computer through a live CD of the Linux operating system. This makes sure that no permanent information of the session is stored on a hard disc or any permanent memory. A computer can be identified by two things: its IP address which is usually allocated by the network it’s connected to and a unique identifier called a MAC address which is written into the hardware of every networkable device. Before I connect to any wireless network I would edit the settings of the wireless card and change the MAC address to something different, probably 01:02:03:04:05:06. Any logs which are kept would only have the spoofed MAC address, not the real one.
- Then I would go to somewhere with open WiFi (e.g., McDonalds) and connect to their network. I could even do this from outside the building to try and avoid CCTV. What we have now is an untraceable laptop connected to the Internet, with no record of the session stored on the computer.
- All the rest is done through the web so I would need to anonymise my web connection. I’d install Tor (The Onion Router) which is a piece of software that bounces an Internet connection through a series of anonymised nodes around the world. Now my Internet connection is untraceable too.
- Now I need an email address to sign up for Twitter or a blogging service. I would use Trashmail or 10 Minute Mail which are disposable email addresses.
- My final step would be to create a Twitter or blog account and verify it using my temporary email address. I could then make a completely anonymous post and then disconnect.
What this means is that the hardware is untraceable, the connection is untraceable, the email address is bogus and any logs kept by the online service would be meaningless because all they contain is junk. If I were ultra-paranoid I would drop the laptop in a recycling centre or just leave it somewhere and wait for it to be stolen.
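Seen from the side of whoever operates the network and reviews its logs, the recorded hardware address is still data that can be examined. The following is an added example, not the author's code: it reads DHCP-style lease lines and flags addresses whose IEEE 802 group bit or locally-administered bit is set, or whose octets follow a fixed step. The log format, the sample lines and the function names are constructed for illustration.

```python
import re

# Constructed sample lease lines (hypothetical format, not from a real log).
SAMPLE_LOG = """\
2011-05-29T12:01:07 DHCPACK on 10.0.0.21 to 00:1b:63:84:45:e6 via wlan0
2011-05-29T12:03:44 DHCPACK on 10.0.0.22 to 01:02:03:04:05:06 via wlan0
2011-05-29T12:05:10 DHCPACK on 10.0.0.23 to 02:00:00:00:00:01 via wlan0
2011-05-29T12:06:52 DHCPACK on 10.0.0.24 to 00:11:22:33:44:55 via wlan0
"""

LINE_RE = re.compile(
    r"^(\S+) DHCPACK on (\S+) to ((?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\b"
)


def classify_mac(mac):
    """Return the list of reasons a MAC address deserves a second look."""
    octets = [int(part, 16) for part in mac.split(":")]
    flags = []
    # I/G bit (lowest bit of the first octet): set means a group address,
    # which is not valid as the source address of a single station.
    if octets[0] & 0x01:
        flags.append("group-bit")
    # U/L bit (second-lowest bit): set means locally administered,
    # i.e. not a manufacturer-assigned address.
    if octets[0] & 0x02:
        flags.append("locally-administered")
    # Every octet differs from the previous one by the same amount:
    # typical of an address typed by hand.
    steps = {(b - a) % 256 for a, b in zip(octets, octets[1:])}
    if len(steps) == 1:
        flags.append("patterned")
    return flags


def review_leases(log_text):
    """Return (timestamp, ip, mac, flags) for every lease with a flagged MAC."""
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        timestamp, ip, mac = match.groups()
        flags = classify_mac(mac.lower())
        if flags:
            findings.append((timestamp, ip, mac.lower(), flags))
    return findings


if __name__ == "__main__":
    for finding in review_leases(SAMPLE_LOG):
        print(finding)
```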
It might be possible to identify the small group of people who originally broke the super-injunction because its very existence would only be known by a few. However, unless an individual can be identified through actual evidence or someone actually admits to breaking it, how can they be caught? Whether they took steps like the ones I have listed remains to be seen, but I’d be surprised if anyone who decided to take such a serious step as breaking a super-injunction hadn’t also given a lot of thought about how not to get caught.