I want to preface this effortpost by stating that everyone is ultimately responsible for their own opsec, but also that non-technical users cannot be expected to gather the knowledge necessary to consistently maintain good digital practice. It's an arms race and almost a full-time job just to stay up to date on digital privacy.
I will not focus on what details users should reveal online, nor how users structure their digital presence. This post is dedicated to how chapo.chat can take explicit measures to improve the privacy and anonymity of our users.
First, the threat model. What? Who? How? Why? The why is obvious. The who includes feds, nazis, libs, corporations, and pretty much any law enforcement agency. The what and how are the questions I will focus on.
So what are the biggest vulnerabilities to chapo users?
Like all other link aggregation sites, most opsec failures will stem from users loading data they did not know about or intend to load/send. Users need to know how they can be compromised and how little effort it can take to do so. Some scenarios:
- Federal agent McButtigieg posts an image hosted on agency servers to chapo chat. Users inadvertently give away their IP addresses to that server just by browsing the front page.
- Tech savvy fascist Donald runs a few Twitter shill accounts. Some are made to appear as leftists. Bad Tweet is posted to c/the_dunk_tank and Donald leaves a reply to Bad Tweet from his faux commie account. He then posts this Bad Tweet to c/the_dunk_tank, and several chapo users like the reply from their personal twitter account where they post more intimate information. Donald can then possibly de-anonymize chapo users by monitoring the interactions.
- NSA analyst Whitey Imperialism III has a professional relationship with Reddit & Twitter's server nerds. He is allowed access to their databases with little oversight. He has the power of Donald, but at scale and with less effort, along with access to interactions, networking data, and fingerprinting. He basically can know who almost all chapo users are by comparing activity on reddit/twitter posts to posts on chapo. A user who has loaded a significant portion of content posted to chapo can likely be found.
All of this, but more so for content coming from other unknown servers. Any malicious blog whose seemingly sincere content makes its way here could compromise almost every chapo user.
Mitigation ideas:
- Chapo hosts a Nitter (open source Twitter frontend) instance and makes posts to tweets have an easy way of using the Nitter instance by default
- Ditto but for reddit.
- Use archive.org to generate a cached copy of all links posted here and provide an easy way for users to open the archived link instead.
- Provide an option to show full URLs in links in both posts and comments.
- Upload and rehost all links to images on chapo's image server.
- Hosting a few checker utilities like AmIUnique.org
- PLEASE c/opsec WHEN?!?
In general, I think it would be a good idea to provide access to FOSS self-hosted servers to the good people of chapo dot chat. There are a metric fuckton of alternatives to corporate software that most users will never be able to use because they lack the technical know-how to spin them up. But that doesn't mean that our users wouldn't want or need them. I have my own private cloud with tons of tools, but it would be a huge service to our users if everyone here had access to a Bitwarden server, email server, RSS reader, Jitsi instance, Adguard server, etc. We already do this with Matrix.
Devs: I don't know what our infrastructure looks like, but I do have experience in hosting some of this stuff for myself. Is there any way we could make this possible? I'd be willing to do most of the leg work for it.
Thoughts?
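As an added example (not code from the post or from chapo.chat), here is one way the link-handling ideas above could be wired into a link aggregator: route Twitter and Reddit links through self-hosted front ends, send third-party images through the site's own proxy so readers never contact the origin server, attach an archive.org copy, and always keep the full original URL for display. The Nitter, Reddit-frontend and image-proxy hostnames are placeholders, not real infrastructure.

```python
from urllib.parse import quote, urlsplit, urlunsplit

# Placeholder hostnames (assumptions, not chapo.chat's real infrastructure).
NITTER_HOST = "nitter.example.org"                     # self-hosted Nitter instance
REDDIT_FRONTEND_HOST = "reddit-frontend.example.org"   # self-hosted Reddit front end
IMAGE_PROXY = "https://images.example.org/proxy?url="  # site-owned image rehost/proxy

TWITTER_HOSTS = {"twitter.com", "www.twitter.com", "mobile.twitter.com", "x.com", "www.x.com"}
REDDIT_HOSTS = {"reddit.com", "www.reddit.com", "old.reddit.com", "np.reddit.com"}
IMAGE_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif", ".webp")


def rewrite_link(url: str) -> dict:
    """Rewrite one submitted link so a reader's browser talks only to hosts the
    site controls (or to archive.org), and return the full URL for display."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    host = parts.netloc.lower()

    if host in TWITTER_HOSTS:
        # Nitter mirrors Twitter's path layout, so only the host changes.
        rewritten = urlunsplit(("https", NITTER_HOST, parts.path, parts.query, parts.fragment))
    elif host in REDDIT_HOSTS:
        rewritten = urlunsplit(("https", REDDIT_FRONTEND_HOST, parts.path, parts.query, parts.fragment))
    elif parts.path.lower().endswith(IMAGE_SUFFIXES):
        # Image on an arbitrary server: fetch it via our own proxy so the origin
        # never sees the reader's IP address (the "front page" scenario above).
        rewritten = IMAGE_PROXY + quote(url, safe="")
    else:
        rewritten = url

    return {
        "rewritten": rewritten,
        # Wayback Machine: latest snapshot, and the Save Page Now endpoint to create one.
        "archived": "https://web.archive.org/web/" + url,
        "archive_save": "https://web.archive.org/save/" + url,
        # Always show the full original URL, never just the anchor text.
        "display": url,
    }
```

Links that match none of the rules are passed through unchanged; the display field is what the post's "show full URLs" option would render next to the link.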
If chapo is working like reddit, yes. It's just a link aggregator, not a content hosting platform. I'm not a dev though, @Kitty would probably know better.