My DH diligently considered the problem of broadcasting time-critical messages from a known source to a group of people that wish to remain anonymous. This problem is difficult to solve, and he has been unable to devise an ideal solution. He has tried to avoid excessive detail and only cover the main points. The following is from my DH, starting with a disclaimer:
I take no responsibility for the correctness or incorrectness of the following. I have made a good-faith effort to understand the problem and potential solutions [to secure broadcasting], and to describe my understanding clearly in the following text, but I do not guarantee any of the information I am providing here. I am not a security expert, and there is the distinct possibility that I am lacking critical knowledge which could result in negative consequences if anyone acts on any of this information. I have performed what I consider a thorough online search over a few weeks, and have hit the point where I am not discovering new pertinent information.
The best option I have found is that the agency tweets alerts using Twitter. The “followers” (people that want to remain anonymous) use a dummy/anonymous Twitter account to follow the agency’s account and sign up for push notifications on tweets. A dummy account can be created on Twitter by providing a full name (any name) and an email address. That email address can be acquired from various free email services without providing any information, e.g., www.mailinator.com (though Twitter does some checking of the name & email address to try and reject automated signups). No phone number is required.
Pros: relatively simple to set up; the followers will get instantly notified of alerts on iOS/Android/PC; since Twitter is used by so many people its use will not be a red flag even though it will be obvious to any snoopers that the followers are using Twitter; dummy/anonymous accounts allow followers to avoid sharing any of their actual information (e.g., phone number, email address, personal connections); follower-to-follower (or fake-follower to real-follower) communication could easily be ignored and would not be mistaken for messages from the agency.
Cons: anyone can find out the followers’ accounts; Twitter will know the followers’ IP addresses (which can then be used to find the physical location); followers that use a non-anonymous account will be connecting their personal info/connections to these tweets (a very public trove of information) so followers that normally use Twitter will have to remember to switch accounts back and forth; the tweets themselves (i.e., the messages from the agency) would be completely public (that doesn’t seem like a big downside based on my understanding of the problem).
So to be completely clear, a powerful government could get the necessary info from the Twitter company to track down the phone equipment/service and physical location of everyone getting notified of the agency alerts. It may be possible for someone to get sufficient info even without Twitter’s support.
The second-best option I found is to use one (or more) of a handful of Instant Messaging programs. A big downside to using an Instant Messaging (aka chat) program is that the problem I am trying to solve is how to *broadcast* messages, and setting up two-way communication between all the members of the group can actually be a negative. For example, what if someone(s) start sending false messages on purpose or by accident? What if they use the chat program to start one-on-one discussions with the other “followers”? For this reason, chat programs are really the wrong tool for the job, but when you don’t have a perfect tool sometimes you have to make do with the wrong one.
Almost any program could work, but they each have pros and cons. For example, Signal is very secure and is the chat program of choice for Indivisible and some other security-conscious groups. The messages are end-to-end encrypted, so no one can snoop on your messages (unless they hack the sending or receiving phone). Unfortunately, Signal displays all the users’ phone numbers to the other users in the group, which would make it easy for a snooper that breached the group to find the physical locations of all the users. One of the tenets of secure communications is to “assume breach”, which means one should always assume that there’s a snoop/spy/mole that already has access to your systems/groups/messages. For example, someone joins the group, then their phone gets stolen and hacked, and now there’s a spy in your supposedly-secure group that can see all your phone numbers… that’s one of the reasons a chat program might not be the right tool, because then everyone treats that spy as a trusted member.
Most instant messaging programs are not encrypted end-to-end, which means that the message is decrypted by the server and the server can save the plain-text (i.e., unencrypted) message. So Skype, Google chat, etc., are bad choices because the company could (be forced to) share the messages with a snooper, while servers/providers for end-to-end encrypted programs don’t have those messages to share in the first place. Unfortunately, of the most popular chat systems, to my knowledge only Facebook Messaging can be encrypted, but encryption is optional and followers couldn’t “add” themselves to a group, so it doesn’t seem like a good option either. Many of the popular chat programs also require more effort to create a dummy account than Twitter, e.g., they want to know phone numbers and track search histories etc. On the other hand, the popular programs are otherwise almost always the easiest to set up/use.
Of the Instant Messaging programs, only a handful are end-to-end encrypted, and those programs are not commonly used. Three examples of the tens that I investigated are ChatSecure, Wickr, and Riot. There is a big problem with using an uncommon internet-based program, which is that snoopers can theoretically just watch all the connections to the servers for whichever program is chosen (in this general geographic area). Then everyone connecting to those servers becomes a target (connections to the server pass either through ISPs or cell phone towers, those connections describe which server the connection is for, and the ISP or cell phone company can at least roughly locate the phone/computer making the connection). The scenario is like watching a building: one knows who goes in the front door, and that might be all the info they need even if the inside of the building can’t be observed. Other issues with this small selection of chat programs are: 1) some of them require actual phone numbers for verification (like Signal), 2) few of them work on both Android and iOS (and even fewer also work on PC), 3) they tend to be complicated to set up/use, and 4) they don’t all allow group messages.
Somewhat (but not completely) academically, it is possible to “hide” the connection messages (i.e., come into the building from the alley entrance) via TOR. TOR is a collection of servers that obfuscate where the connections are actually going. Someone using TOR is sending connections to TOR, then something happens inside TOR, and a connection comes out of TOR and goes to the end-point (e.g., a chat program’s server). There’s no direct connection between the connection that went into TOR and the connection that eventually makes it to the end-point. So in the building-watching scenario, the watcher can see people walking into the alley, and knows that those people are going from the alley into specific buildings, but doesn’t know which people go where. This setup is somewhat academic for two reasons: first, the watcher/snooper still knows that the connection is going to TOR which might be enough info to label someone a target, and second, using TOR is complex…too complex to recommend for the general public in my opinion.
The (distant) third option I came up with is for the agency to post messages to an RSS feed. Followers would subscribe to the feed and thus be notified of the messages. RSS feeds are commonly used when someone wants to be updated when a website changes (e.g., a new blog entry is posted). Pros: no user accounts necessary, no logging into anything, no data stored on any server except for the message from the agency that gets posted like a webpage or a blog post.
The one con is a big one: RSS feed readers (the programs that grab the message and provide the notification) would need to continuously poll the RSS feed from the agency. Since RSS feeds are “pull” instead of “push”, the program would have to regularly check to see if there’s a new message. First, that means any snooper can just watch for people polling that specific RSS feed. With SSL (i.e., https) connections that level of snooping is not trivial but is still possible, so the polling is a big weakness. For instance, if the agency used a WordPress blog, then WordPress would know the IP address of everyone polling the RSS feed. Second, if a follower is using a phone without wifi access, then the RSS feed reader would be continuously using (small amounts of) cell data to check for changes/messages. Third, RSS feeds generally cannot be checked faster than every five minutes (and every ten minutes would be safer to avoid server/ISP issues). That would cause a delay of up to several minutes before someone gets the message, and the faster they check the more data they use (which will affect their phone bill and the server’s data usage).
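To make the pull model concrete, here is an added example (not from the original post or any real agency feed) of a minimal RSS reader that polls with a conditional GET: the reader sends back the ETag it last saw, and the host answers 304 with an empty body when nothing changed, which keeps the per-poll data usage small. The feed content and the in-memory FeedServer are constructed stand-ins for a real HTTP host; note that the host still records every poll, which is exactly the metadata weakness described above.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample feed (hypothetical agency, hypothetical alerts).
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Agency alerts</title>
<item><guid>alert-1</guid><title>First alert</title></item>
<item><guid>alert-2</guid><title>Second alert</title></item>
</channel></rss>"""


class FeedServer:
    """Stand-in for the feed host: honours If-None-Match and logs every request."""
    def __init__(self, body):
        self.body = body
        self.requests_logged = 0   # every poll is visible to the host, 304 or not

    def etag(self):
        return hashlib.sha256(self.body.encode()).hexdigest()[:16]

    def publish(self, guid, title):
        item = f"<item><guid>{guid}</guid><title>{title}</title></item>"
        self.body = self.body.replace("</channel>", item + "</channel>")

    def get(self, if_none_match=None):
        self.requests_logged += 1
        if if_none_match == self.etag():
            return 304, self.etag(), ""        # unchanged: near-zero bytes
        return 200, self.etag(), self.body


def parse_guids(body):
    """Return the <guid> of every <item> in an RSS 2.0 document."""
    return [item.findtext("guid") for item in ET.fromstring(body).iter("item")]


class FeedReader:
    """Polls with a conditional GET and reports only items not seen before."""
    def __init__(self, server):
        self.server = server
        self.etag = None
        self.seen = set()
        self.bytes_received = 0

    def poll(self):
        status, etag, body = self.server.get(self.etag)
        self.etag = etag
        self.bytes_received += len(body)
        if status == 304:
            return []
        new = [g for g in parse_guids(body) if g not in self.seen]
        self.seen.update(new)
        return new
```

Each poll that returns 304 costs almost no data, but `requests_logged` still grows, so a reader polling every five minutes leaves roughly 288 timestamped entries per day in the host's logs.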
Finally, if we’re envisioning a better future, then I would want either a security-conscious Twitter-substitute (allowing private/anonymous following with push notifications), or an easy-to-use TOR-enabled end-to-end-encrypted cross-platform group chat program. Neither of those would immediately solve this problem, but they would make it more likely to be solved in the future.
I wish I could have found something I would consider a *good* solution, but it is very difficult to be truly anonymous online. All of the above options just make it a bit harder for any snooper to find out information about the followers.