How to set up IP anonymity for authors?

public

drupalina - Sun, 2008-03-02 13:31

Hello,

I'm trying to set s a basic indymedia-style site in a very short period of time (days). The most important thing should be that anonymous users can publish political news anonymously -- and by this I mean that not only will the users be able to publish their stories without prior registration, but, importantly, that their IP addresses and locations must be impossible to trace. Because of the current political situation, it is very important that the users are guaranteed that it is no-way that the governement will be able to trace their true identities!!!

Please help -- what do I need in order to set up absolute anonymity for people who are submitting news? I've started setting up the basic site using Drupal 6.1 , but it looks like because of lack of modules and pressure of time, I will need to set it up using drupal 5.7. Please tell me how to set up anonymity in both cases.

Additional info: there will be "Most Recent" and "Most Popular" news -- the content credibility will be mostly governed by a system of Up/Down Vote by visitors (like on Digg.com) -- "Confirm as true", "Refute as lies". The rest will be managed automatically through taxonomies.

My knowledge of Drupal is intermediatary, I've been with it since June 2007 -- I know how to install it and set up most of the important modules, but I'm not much of a coder. And I know almost nothing about internet surveillance.

Thank you for your help!!!

Sitewide tags: anonymity

» Login or register to post comments

Best at the server level

ekes@drupal.org - Sun, 2008-03-02 15:08

This is best done at the server level by applying riseup's Apache patch. http://dev.riseup.net/privacy/apache/ (there is a Debian package too). This should in my opinion be the defacto method for any Indymedia site no matter what people think their government might be like presently. There are other alternatives mentioned here http://docs.indymedia.org/view/Devel/ImcDrupalDevAnonymization , but they are not as reliable in anyway.

If people are really interested in their anonymity they should also not trust that they are being logged from their ISP to your host machine. You could promote the use of Tor http://www.torproject.org/ for what it's worth, certainly have https publishing, and consider what country the server is hosted in.

This is also something we're dealing with

Deproduction - Tue, 2008-03-18 05:19

We also recently moved our Indymedia site to Drupal, and have not yet ensure anonymity. I will pass on the Apache Patch to our current webmaster, but any assistance offered would be appreciated. We're trying to get the site functional to help with preparation for the Democratic National convention in Denver in August.

Tony

Whatever your first issue of concern, media had better be your second, because without change in the media, the chances of progress in your primary area are far less likely. http://denveropenmedia.org

For help...

ekes@drupal.org - Tue, 2008-03-18 09:37

... just mail me or ...
Try popping into #drupal-dev on irc.indymedia.org (remember irc can be pretty asynchronous especially as we are in oceania, europe and americas)
Try mailing folks on imc-drupal-dev on lists.indymedia.org

A technique I have

mfb - Tue, 2008-03-18 18:02

A technique I have implemented is periodic purging of IP addresses from drupal database tables via a cron hook, every n minutes. This allows me to temporarily store IP addresses for purposes of detecting and countering abuse. I'm not sure if it will meet your needs as far as anonymity. But various parts of drupal core do expect to receive valid IP addresses (for example the built-in flood control).

In my case I wrote a little custom module to do this -- there's probably one in contrib already or if not I could contribute mine.

I haven't seen a contrib module

christefano - Tue, 2008-03-18 23:20

I haven't seen a contrib module that does this. Please do contribute it. It's certainly much better than simply setting logging to an hour and hoping for the best.

OK I put this on my list of

mfb - Wed, 2008-03-19 17:06

OK I put this on my list of things to do. have to do some cleanup to actually release it. If you don't hear from me bug me on irc...

IP anonymizer module

mfb - Mon, 2008-03-31 03:59

I cleaned up my IP anonymizer module and posted it here: http://drupal.org/project/ip_anon

Please test it out when you get a chance and report any bugs/feature requests/etc.

thank you!

christefano - Mon, 2008-03-31 22:28

This looks great. I'm really looking forward to using it on an upcoming project.

Thank you!

Good, but good enough?

ekes@drupal.org - Thu, 2008-03-27 13:09

The Koumbit issue reminded me I was going to reply to this - as a complete security phreak.

It's certainly better to delete the logs if they are made. But if the data hit the magnetic media it's there, and it's probably still going to be there when the authorities come knocking on the door with a warrant for the physical hardware. If it's not stored (even in /tmp or swap) it's much better.