Protecting Your Privacy Online

1. Introduction
2. Web Surfing
3. Email
4. Voice
5. Instant Messaging
6. File Sharing

Silent Phone

       Silent Phone is a paid service from Silent Circle that does the same thing as Red Phone.  The service looks good but why pay for what you can get free?  The only reason to use it is it supports more phones, including iPhone.

       If you can't or don't want to use your cell phone, VOIP (Voice over Internet Protocol) is another option.  VOIP allows you to have a two-way audio conversation over the internet with other VOIP users and even with regular phones as well.  Some services include video.  Skype is a popular example, but Skype is no good for privacy because it has been modified to allow interception/surveillance by Big Brother.  Instead we can use another VOIP provider with encryption that will make our conversations truly private.  Be warned that setting up VOIP can be technically complex and online documentation is lacking, so if you are looking for an easy solution, one of the phone-based alternatives above is better.

       First set up an account with a VOIP provider.  Sip2Sip is a VOIP provider that offers free calls to other Sip2Sip subscribers, but requires you to pay to call outside numbers.  IPTel is another free VOIP provider that gives free calls to any VOIP user on any network, but doesn't allow calls to regular telephone numbers. 


       Zfone is a free open source VOIP software plugin that works with your existing VOIP client, be it Google Talk, Yahoo, Magic Jack, or several others.  It uses the open ZRTP standard for encrypting voice traffic over the internet.  Many other VOIP clients also claim to support encryption but use less secure types of encryption which are either intentionally "backdoored" to allow Big Brother to listen in or are vulnerable to eavesdropping under certain circumstances (SRTP for example).  ZRTP is the only VOIP standard that protects against all known attacks.  To get started with Zfone go here:

       If your VOIP client of choice doesn't support ZRTP, you have a few other alternatives.  Mac and Windows users can use Jitsi or Linphone, while Linux users can use either of those or, additionally, Twinkle.

Installing Jitsi

Setting up encryption on Jitsi
Note: these instructions use XMPP in place of SIP.  Either is fine for VOIP, but only SIP lets you call phone numbers.

Instructions for Twinkle

Download Linphone
(sorry I couldn't find any installation instructions)

Anonymous Voice Conversations

       Nothing available at this point.  It is rumored Skype can be used over Tor, but the challenge of doing so would be formidable.  Pre-paid cell phones offer some level of anonymity, but are far from foolproof and would have to be changed regularly to offer any anonymity at all.  For a good explanation of the problems with anonymous voice communication, look here:

       You may be surprised to find out that it is possible to encrypt calls you make from your cell phone, and even your landline if you use the Magic Jack service.  There are not a lot of options, but there are both commercial and free phone encryption services available.

Red Phone

       Red Phone is a free open source app you can install on your Android smart phone.  I've checked out several of the technical papers and it looks pretty solid from a security standpoint.  The encryption keys are all stored locally on your phone, so you don't have to trust the phone company, handset maker, or even the author of the app.  Calls to people without the Red Phone app are placed normally, which is to say wide open to Big Brother.  Calls placed to anyone who also has the Red Phone app are automatically encrypted, so no one can listen in.  SMS messages are also encrypted as long as both parties have the Red Phone app.  The first time you place an encrypted call, keys must be exchanged so you need to verify the key by reading the key fingerprint over the phone to the caller.  Other than that it is transparent and works in the background.  It works on any phone network, but only on certain handsets.  For more info check here:

Introduction

       Recent disclosures have illuminated the fact that all internet activity is subject to surveillance by the national spy agencies of several large countries (US, UK, New Zealand, Australia, Canada, probably Russia and China as well).  You may wonder if it is possible to do anything to prevent this, whether it is possible to have a private conversation on the internet at all.  It is possible, but it requires some additional protective measures you may not be familiar with.  This guide aims to educate you to take back your privacy, using simple language and step-by-step instructions you don't need to be an expert to understand.  Only a few best-of-breed solutions, out of the dozens available, will be presented for simplicity.  If you have needs that are not addressed here, an excellent compendium of free, open source, privacy-oriented software can be found at:
Another excellent resource with simple, easy-to-understand how-tos is:

       Don't let the length of this guide worry you.  You can start small, making changes to the internet services you use most frequently.  Each step provides a significant benefit.

       Encryption is just another word for code, and it has been around as long as the written word.  A simple code, called substitution, would be to change letters to numbers: A = 1, B = 2, C = 3, and so on.  Using this code, the message "Encryption protects privacy" would become "5 14 3 18 25 16 20 9 15 14 16 18 15 20 5 3 20 19 16 18 9 22 1 3 25".  Such a simple code would be quite easy to break, but it serves as an example.  Most encryption ciphers in use today, with names like AES-256 and Blowfish, operate on a similar principle.  They convert letters to numbers, perform a complex series of mathematical operations on those numbers, then convert the result into machine-speak, like Base64, before transmitting it over the internet.  The receiver must then perform the exact same series of mathematical operations, in reverse, to decode the message.  The exact series of steps to encode and decode messages is known as the key, and both the sender and receiver must have this key to communicate using encryption.  Without the key, an eavesdropper who intercepts the message will see this:


       Thankfully you don't need an advanced mathematics degree to use high level encryption, as there is software available, free to use, which will perform all the advanced calculations, manage your keys, and transmit them securely to the intended recipient.  All you have to do is feed it the raw message, i.e. plaintext, and out pops the encrypted ciphertext.
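As an added illustration (not part of the original guide), the following Python code carries the letter-to-number substitution above through to the Base64 "machine-speak" step and back again.  Everything in it is constructed for the example; no real cipher is involved.  One point it makes visible: in a modern cipher the procedure itself is public and only the key is secret, so the key is the thing that must be protected.

```python
import base64

# Letter-to-number substitution from the guide: A = 1, B = 2, ..., Z = 26.
# A classroom cipher; it exists here to show the pipeline, not to protect data.
LETTERS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
TO_NUMBER = {ch: i + 1 for i, ch in enumerate(LETTERS)}
TO_LETTER = {i + 1: ch for i, ch in enumerate(LETTERS)}


def substitute(plaintext):
    """Convert letters to numbers; spaces and punctuation are dropped,
    exactly as in the guide's worked message."""
    return [TO_NUMBER[ch] for ch in plaintext.upper() if ch in TO_NUMBER]


def unsubstitute(numbers):
    """Reverse the substitution. Word boundaries were lost on the way in."""
    return "".join(TO_LETTER[n] for n in numbers)


def encode_for_transport(numbers):
    """Pack the numbers into bytes and Base64-armor them: the 'machine-speak'
    step the guide describes for real ciphers."""
    return base64.b64encode(bytes(numbers)).decode("ascii")


def decode_from_transport(armored):
    """Undo the Base64 armor and recover the list of numbers."""
    return list(base64.b64decode(armored))


def example():
    """Run the guide's message through the whole pipeline and back."""
    message = "Encryption protects privacy"
    numbers = substitute(message)
    spaced = " ".join(str(n) for n in numbers)  # the form the guide prints
    armored = encode_for_transport(numbers)     # what would cross the wire
    recovered = unsubstitute(decode_from_transport(armored))
    return spaced, armored, recovered


if __name__ == "__main__":
    for line in example():
        print(line)
```

Running it prints the same string of numbers the guide shows, then the Base64 form an eavesdropper would see on the wire, then the recovered message (in capitals, without spaces, because the substitution has no symbol for them).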

       When you send an encrypted message to someone, you have privacy because no one else can read it, but you don't have anonymity because an eavesdropper can see that a message was sent even if he can't read it.  Quite a lot can be guessed based on frequency and timing of messages between various persons.  This may or may not concern you, but it is important to at least note the difference between privacy and anonymity, as it will come up in later sections.  Some tools provide privacy, some anonymity, and using them in combination can provide both together.

Web Surfing

       Every time you open a new web page, whether you are using Internet Explorer or Firefox or something else, not only the page you requested but several dozen others also open simultaneously behind the scenes.  This is because it has become common for web pages to embed JavaScript and other more arcane web technologies into each page.  Some of these scripts add functionality to the site; some are for visitor tracking or advertising.  Each of these invisible mini-pages reads and sets "cookies", a unique identifier to track you as you move from page to page, server to server across the internet.

       For example, if you visit a pharmacy web page to order medication and do a Google search, and both Google and the pharmacy use the same ad network, the advertiser will be able to see not only your Google search terms but also which drugs you viewed on the pharmacy website.  This type of data can be gathered over long periods of time to build up an accurate and detailed portfolio of information about you.  This information portfolio can be bought, sold, and shared with a wide variety of corporations and government agencies.  It can also be linked to your real identity in many cases.

Learn More

       If you don't want the entire world of advertising and government to know you are pregnant, have herpes, or are considering divorce, you will need to install and use some type of ad and tracker blocking software. 

Ghostery

       Ghostery keeps a list of known ad networks and trackers and selectively blocks those networks from setting cookies in your browser.  It is very easy to use and painless.  Highly recommended.

       To install, go to the Ghostery download page here and click the download link for your browser version.  It will attempt to automatically install and a warning pop up may appear.  Click "Allow" and the install will complete.
NoScript

       It is not uncommon for ad networks to become contaminated with malware, which gets pushed out to all their subscriber web sites, including big-name sites.  Ghostery only blocks cookies and will not stop malware, so it is a good idea to also use NoScript, which will block JavaScript, Java applets, and Flash.  Rather than using a known blacklist like Ghostery, NoScript just blocks everything until you approve each site.  This can break some sites' functionality, so you may have to unblock the site you are visiting if things don't display properly.  Sometimes this is not enough and you will have to unblock one (or more) of the third-party web addresses that are embedded into the site, which can be a bit confusing.  I feel it is a small price to pay for not getting infected just from surfing the net.  Optional but still highly recommended.  Unfortunately NoScript only works on Firefox.

       To install, go to the NoScript download page here and click "Install".  If a warning pop-up appears, click "Allow".  Once it is installed you can change the settings by clicking the little "S" icon.  If you need to unblock something, click the S icon and start picking names off the list to Allow until the site works.  You can make your choices temporary or permanent.  The default options for NoScript are pretty good, but if you want a little more privacy it is recommended to go into the Options menu, select Whitelist, and take Google, Microsoft, and Yahoo out of the whitelist.  This will block those companies from tracking you and executing scripts, which are normally allowed by default.

More Info
HTTPS Everywhere

       HTTPS is the encrypted version of the standard HTTP protocol which is used to load web pages from the internet.  Every time you load a web page you are using either HTTP (unencrypted) or HTTPS (encrypted) to do so.  The difference can be seen mainly from the address in the address bar and the little lock icon.  Anything sent over regular HTTP can be seen by any router in your communication path or anyone who has a tap on any of the dozens of transmission lines that carry your data from your home to the server you are communicating with over the web.

       Since the spying revelations, many companies have announced they are moving to HTTPS by default, including Yahoo and Hotmail.  This is a very good thing because it means that snoops will no longer be able to intercept your messages to grandma just by sniffing the packets on the undersea internet cables.  However, most web sites don't use HTTPS by default.

       The HTTPS Everywhere plugin sets HTTPS by default for every site you connect to.  Not every site supports HTTPS at all, but for the ones that do you can be assured your browser will encrypt your traffic to and from those sites.  Not only does using HTTPS protect you from snoops, it also protects you from certain types of attack, revealed to be favorites of the spy agencies, in which your internet traffic is tampered with and malware is silently inserted into an ongoing conversation between your computer and an internet server.  HTTPS Everywhere is very easy to use and will have no noticeable effect on the load times of your web pages, so it is very highly recommended.

       To install, go to the HTTPS Everywhere download page here and click the "Install" button for your browser version.  If a warning pop-up appears, click "Allow".
Anonymous Web Browsing

       Every time you connect to a server on the internet, you have to provide your IP address in order for the reply to reach you.  Your IP address is assigned by your Internet Service Provider (ISP) and operates the same way as your mailing address: a location where servers you connect to on the internet can send data and web pages intended for you.  It is uniquely identifiable and can be tied to a particular city, state, and country by anyone using tools like this one: IP Geolocation.  In addition, most governments will have access to a master list showing everyone's IP address and billing information, i.e. credit card data, home address, etc.  So everything you do on the internet and every site you visit can be tied directly to you, or whoever pays for your internet.

       If, in addition to protecting the content of your communications using encryption, you also want to preserve your anonymity, you have a few options to mask your identity.  Tor is the most commonly thought of application for this and it provides very good anonymity, probably the best anonymity you can get, provided you follow all the guidelines in the Tor documentation.  You will need to keep it updated, as there is no automatic update option, and you may need to configure NoScript a second time, since Tor uses a separate browser instance.

       To install Tor, go to the download page here.  There are installation instructions for Windows, Mac, and Linux.  You will notice there are two links for each version.  One is the installer file itself, listed as "32-bit" or "64 bit".  The other says "sig" and is a PGP signature that proves the Tor software you are installing hasn't been tampered with.  PGP is explained below, but you can find step by step instructions on verifying the .sig file here.

       Tor is unfortunately very slow.  Too slow for regular daily use.  Tor is for special occasions when you need the best protection available.

       VPN, or Virtual Private Network, is a secure encrypted connection between your computer and a server hosted by your VPN service.  All your internet traffic is sent through this encrypted "tunnel" to the VPN company, who forwards your traffic on to its destination and forwards the return traffic back to you through the tunnel.  To anyone using a geolocation service, it appears as if you are physically located in the same building as the VPN provider, along with all the other VPN users.  These other users are what really provides your anonymity, in a way that simply going to a friend's house or a library won't.

Learn More
       If you go to a friend's house and connect to a service already associated with you, say because you paid for it with a credit card or signed up using your real name, then other services you use from that same connection can be tied to your real identity.  The number of people who use the internet at your friend's house is not that large, just you, your friend and maybe your friend's roommates, so it doesn't take a whole lot of guesswork to draw a connection between your internet activity on various sites using different usernames, email addresses, etc.  When you use a VPN, hundreds or thousands of other people all around the world are also using the same provider simultaneously.  It becomes very difficult to look at one communications session and definitively connect it to another.  You get lost in the crowd, and only the VPN provider can tell your traffic from all the others.  So for this reason it is essential to choose a good VPN provider who can be trusted to keep your information safe.  Many have strict privacy policies and turn off all logging on their servers, so even if they are given a subpoena for data they have nothing to give.  Here are some of the better ones.

Based in Sweden

Based in Malta

A good discussion of the pros and cons of various VPN providers:

Email

       Email has so completely woven itself into our lives that it has almost completely replaced traditional mail.  Yet it does not have the same protections as traditional mail.  In the US and many other countries it is a serious crime to open someone's mail without permission, but email is not accorded the same protections.  Email left on a mail server in the US for more than 180 days is considered "abandoned" and may be read at will without need for a warrant or subpoena.  In addition, many free email providers, such as Google, will read users' email for use in targeted advertising.  For this reason it is recommended not to use webmail and instead to download all your mail to your personal computer using a mail client such as Claws, Eudora, Thunderbird, etc.  Outlook and Outlook Express are not recommended due to the large number of security vulnerabilities in those products.  Despite this, I know it can be a pain to change your normal mail habits, and so I will provide instructions on how to use encryption for all the most common products.

Learn More

       By default most mail clients will download mail using standard POP3 or IMAP protocol and send mail using standard SMTP protocol.  Neither of these transport methods utilizes any form of encryption, so your mail is open for anyone to read who can see the traffic flashing by.  It is comparable in many ways to writing on a postcard.  The mailman can read it, all the workers in the mail processing center can read it, the drivers in the delivery vans can read it.  If you want to keep your email private you will need to put it in a sealed envelope.  In the case of email, the sealed envelope is called TLS and every major mail client already has it built in.  Even the lightweight mini-client bundled with your phone probably supports it.  You just need to specify that TLS should be used.  You do that by changing the port number for incoming and outgoing email and the mail program (usually) recognizes you want to use secure transport for sending and receiving.  The simplest thing to do is look at the existing setup and change the unencrypted port number to the encrypted number and your mail client will do the rest.

           Open    Encrypted
POP3        110          995
IMAP        143          993
SMTP         25          465
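The port table above, turned into a small Python helper as an added example (it is not from the original guide).  It maps each plaintext port to its encrypted counterpart and opens the connection with a context that verifies the server's certificate and hostname, which is the check that makes TLS protect you from someone sitting in the path with a forged certificate rather than only from passive sniffing.  The host and port you pass are whatever your provider gives you; nothing is contacted when the module is imported.

```python
import imaplib
import poplib
import smtplib
import ssl

# Port table from the guide. The left column is the plaintext port, the right
# column the TLS-wrapped port where the whole session is encrypted from the start.
ENCRYPTED_PORT = {
    ("pop3", 110): 995,
    ("imap", 143): 993,
    ("smtp", 25): 465,
}


def upgraded_port(protocol, port):
    """Return the encrypted port for a plaintext port, or the port unchanged if
    it is already one of the encrypted ones. Anything else is a provider-specific
    setup the table does not cover, so refuse to guess."""
    key = (protocol.lower(), port)
    if key in ENCRYPTED_PORT:
        return ENCRYPTED_PORT[key]
    if port in ENCRYPTED_PORT.values():
        return port
    raise ValueError(f"unknown {protocol} port {port}; check your provider's settings")


def tls_context():
    """A context that insists on a valid certificate for the hostname you
    connect to. create_default_context() already does this; setting the fields
    explicitly documents the intent and guards against a config that loosens them."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect(protocol, host, port, ctx=None):
    """Open an encrypted mail session using the standard-library clients.
    `host` is the server address your provider assigned; `port` may be either
    the plaintext or the encrypted number and is upgraded here."""
    ctx = ctx or tls_context()
    port = upgraded_port(protocol, port)
    protocol = protocol.lower()
    if protocol == "imap":
        return imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    if protocol == "pop3":
        return poplib.POP3_SSL(host, port, context=ctx)
    if protocol == "smtp":
        return smtplib.SMTP_SSL(host, port, context=ctx)
    raise ValueError(f"unsupported protocol {protocol!r}")
```

A call such as `connect("imap", "mail.example.invalid", 143)` (placeholder host) would come back on port 993 with the certificate checked; if the certificate does not match the host, the connection fails instead of silently talking to whoever answered.  Remember that this protects the mail only while it is in transit: once it is on the provider's server it is in the clear again, which is what the PGP section below addresses.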

       In some cases it may not be as easy as changing the port number: you may also have to change the server address, use a different port number than the one listed above, or set parameters for TLS, which will depend on your email provider.  Nine times out of ten just changing the port number works fine.  For those special cases, here are some additional resources.
Setting up TLS for Thunderbird

Setting up TLS for Outlook 2010
Note: this example uses a sample mail server address.  Rather than using that address, use the one assigned by your email provider.

Setting up TLS for Outlook Express
Note: this example uses a sample mail server address.  Rather than using that address, use the one assigned by your email provider.

Setting up TLS for Claws

Setting up TLS for Eudora

Setting up TLS for iPhone
Note: this example uses a sample mail server address.  Rather than using that address, use the one assigned by your email provider.

Setting up TLS for Android Phones
Note: this example uses sample incoming and outgoing mail server addresses.  Rather than using those addresses, use the ones assigned by your email provider.

       Since you have a choice of downloading mail over either POP or IMAP, you may wonder which to use.  POP generally removes the mail from the server when it downloads, so there is only one copy; this is useful if you only use email on a home PC.  IMAP leaves the mail on the server after downloading, so you can download it over and over with multiple devices that all need to stay synchronized, like a phone, tablet, laptop, etc.  It would be inconvenient to have different emails in each inbox depending on which device downloaded first, so IMAP leaves mail on the server indefinitely, which does open up the same problem as webmail of leaving mail on the server for more than 180 days.  In this case you can log into the webmail every so often and delete all the old messages.  Or you can set up one device to use POP and the others to use IMAP, making sure the POP device (typically your home PC) is set not to download automatically.  While you are out and about, all your mail goes to the mobile devices.  When you get home and manually check new mail, all the mail will be downloaded to your home PC and deleted from the server, but any copies already downloaded to your mobile devices and home PC remain.  This may not work with all providers, as some won't delete email unless you log into the webmail, even with POP, so make sure to check.  You can set IMAP to expire messages after a certain time limit, but this is less useful as it removes mail not only from the server but from the phone also.

       If you are using HTTPS to connect to your webmail or TLS to download mail from your mail server you will be protected from anyone tapping into the internet transport infrastructure to capture data, but large US based mail providers such as Microsoft's Hotmail/Outlook, Yahoo, Google's GMail, and Apple are all part of a program called PRISM which voluntarily shares user account data, contacts, and email with the NSA.  So after you go to the trouble to encrypt your connection to your mail provider, they turn around and hand the unencrypted emails over to the US government.  It is still a good idea to use HTTPS and TLS because there are other snoops in the world besides the NSA, but if you want to keep your email private from the US Gov some additional steps are required.

       PGP (Pretty Good Privacy) is basically military-grade encryption for regular people.  It is so powerful that the US government filed criminal charges against its creator, Phil Zimmermann.  There is an amusing (or scary) tale behind it, but the end result is that Big Brother failed to shut down PGP and it has continued on through many revisions and turned into an open standard, OpenPGP, of which GPG or GnuPG is the most common software currently in use.

       It is unfortunately not very user friendly software.  Very few people are comfortable working with a command line interface.  Several attempts have been made to come up with a graphical user interface, Enigmail and Kleopatra for example, but these interfaces can be frustrating or difficult in their own right, so it is advisable to learn at least the basic GPG commands.

       Once you understand how to use it, it is extremely powerful.  You can verify that software you download from the internet hasn't been tampered with.  You can sign messages in a way that no one can impersonate you and the recipient can verify they haven't been altered.  You can encrypt your messages (or files) so that the best code-breaking computers in the world can't decipher them.  All this results from a mathematical technique called Public Key Encryption or Asymmetric Encryption.  The basic idea is that you have two keys: a public key you give to others so they can encrypt messages only you can decrypt, and a private key that allows you to decrypt them.  In most other encryption systems you have to find a way to share the same key with whoever you want to communicate with; not so with PGP.  The two keys used by PGP are mathematically related so that one decrypts what the other encrypts (the private decodes the public and the public decodes the private), so you use the public key to encrypt messages and the private key to sign them.  The software keeps track of all the keys so you don't need to worry about it, but if you want a more detailed explanation, this one is pretty good.  All modern Linux versions include GPG by default.  Windows and Mac users will need to download it.
Download GPG for Windows

Install and Setup Help for Windows

Instructions on Verifying Your Download

Download GPG for Mac

Install and Setup Help for Mac
Note: You may need to change your security settings to allow you to install GPG.  You can find instructions how to do so here.
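To make the two-key relationship described above concrete, here is a toy RSA implementation in Python, added as an example (it is not GPG's code, and the primes and messages are constructed for illustration).  Real keys are thousands of bits long and use padding; this one only shows that whatever the public key encrypts, only the private key decrypts, and that signing is the same operation with the roles reversed.

```python
import hashlib
from math import gcd

# Toy RSA with tiny primes, to show the relationship the guide describes: what
# one key encrypts, only the other decrypts. Real keys are thousands of bits
# long and use padding; the primes and messages here are constructed examples.


def make_keypair(p, q, e=17):
    """Return (public_key, private_key), each as an (n, exponent) tuple."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, message):
    """Encrypt one byte at a time with the recipient's public key."""
    n, e = public_key
    return [pow(b, e, n) for b in message]


def decrypt(private_key, blocks):
    """Only the matching private key turns the blocks back into the bytes."""
    n, d = private_key
    return bytes(pow(c, d, n) for c in blocks)


def sign(private_key, message):
    """Signing is the same operation with the roles swapped: the private key
    transforms a digest of the message and anyone holding the public key checks it."""
    n, d = private_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(digest, d, n)


def verify(public_key, message, signature):
    """True only if the signature was made over this message by the private key
    that matches this public key."""
    n, e = public_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == digest


def demo():
    """Alice publishes her public key; Bob encrypts to it and signs with his own
    private key. Returns (decrypted text, signature valid, altered signature valid)."""
    alice_pub, alice_priv = make_keypair(61, 53)    # the textbook example primes
    bob_pub, bob_priv = make_keypair(101, 113)
    note = b"meet at noon"
    ciphertext = encrypt(alice_pub, note)           # anyone can do this step
    plaintext = decrypt(alice_priv, ciphertext)     # only Alice can do this one
    sig = sign(bob_priv, note)                      # only Bob can do this one
    n = bob_pub[0]
    return plaintext, verify(bob_pub, note, sig), verify(bob_pub, note, (sig + 1) % n)
```

With the textbook primes 61 and 53 the public key is (3233, 17) and the private key (3233, 2753); the letter "A" (65) encrypts to 2790 and decrypts back to 65.  The last value `demo()` returns shows that changing even one unit of the signature makes verification fail, which is the property that lets you check a downloaded file against its .sig.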
GPG Command Line

GPG on the command line takes a huge number of possible switches and arguments.  You only need to concern yourself with a handful of these:

-e or -d encrypts or decrypts, respectively.
--gen-key creates a new key pair.  You only need to use this the first time.
-u if you have more than one key pair, this allows you to specify which to use when decrypting a message.
-r who the recipient of the message is, if you are sending.
--send-keys sends your public key to a keyserver so others can look you up and send you encrypted messages.  Think of it like a phone book for PGP users.
--search-keys search by email address or name to see if your friend has a key on the keyserver.
--recv-keys requests the public key for a particular user.
--keyserver lets you specify which keyserver to use for sending/receiving/searching.
--sign-key validates that you are *sure* this key belongs to a particular user and is not a phony.  Prevents error messages about unsigned keys, but is not otherwise required.
-a output ASCII text for use in mail readers, web browsers, etc.  You will almost always want to use this option, as you can't copy/paste without it.
--export use this to send someone your public key directly without using a keyserver.  You'll also want to add -a to put it in ASCII text the recipient can read, e.g. gpg -a --export
--import use this if your friend sends you her public key directly without using a keyserver.
--verify use this to verify a signature.

This is a pretty good walkthrough of the steps to take to set up GPG for a first time user:

A more detailed walkthrough is here:
GPG Tips

Example: gpg -a -e -r <recipient> email.txt

       This command will encrypt a text file named "email.txt" (which must already exist) containing a message, using the public key for <recipient> (which you must have already imported), and output the encrypted result as ASCII-formatted text to the screen.  You don't need to specify -r, as gpg will ask you who the recipient is if you don't, and you don't even need to put in email.txt.  If you don't specify a file to be encrypted, gpg will sit and wait while you type a message; to finish, press the Control key and D at the same time.  Most of the options are like this: if gpg needs more information it will ask, otherwise it makes its best guess, and if it guesses wrong you can try again and be more specific by using switches like -r and -u.  The command
gpg -a -e -r <recipient> email.txt > email.asc
will do the same thing, only it will output the encrypted ASCII text to a file called email.asc.

       Keys are generally specified by an 8-character alphanumeric (hex) identifier, such as D59B88A1.  In many cases GPG will correctly guess which key you mean to operate on based on the options you select.  For example, if you just type gpg --export and you only have one key pair, it will automatically select the public key for that key pair.  If you have more than one key pair, you can specify the key you want to --send-keys, --recv-keys or --export by using the hex identifier, thusly:
gpg --keyserver hkp://<keyserver> --recv-keys D59B88A1

       If you don't like to manage keys on the command line, you can search for, send and receive keys in your web browser on the keyserver's website.  However, if you are using the command line, you must use the hkp:// form of the address as shown above.  When specifying the user to send/encrypt or receive/decrypt, you can use either the email address or the hex identifier, i.e.
gpg -d -u <email address> encrypted.txt    OR     gpg -d -u D59B88A1 encrypted.txt
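A Python helper, added as an example and not part of the guide or of GnuPG, that builds the gpg command lines described above, validates the identifiers you pass to -r, -u and --recv-keys, and shows where the 8-character key id comes from: it is the last 8 hex digits of the key's 40-digit fingerprint, and the 16-digit "long id" is the last 16.  The fingerprint and keyserver name in the code are constructed placeholders, and `round_trip()` runs the real gpg only if one is installed, inside a throwaway GNUPGHOME.

```python
import os
import re
import shutil
import subprocess
import tempfile

# Constructed for illustration; not a real key. It ends in the key id the guide
# uses so the relationship between fingerprint and short id is visible.
EXAMPLE_FINGERPRINT = "0123456789ABCDEF0123456789ABCDEFD59B88A1"
# Placeholder; substitute the keyserver you actually use.
EXAMPLE_KEYSERVER = "hkp://keyserver.example.invalid"


def key_ids(fingerprint):
    """An OpenPGP v4 fingerprint is 40 hex digits. The 16-digit 'long id' is its
    last 16 digits; the 8-digit 'short id' the guide uses is its last 8. A short
    id is only 32 bits, so two different keys can share one; before importing or
    signing a key, compare the full fingerprint with the owner out of band."""
    fpr = re.sub(r"\s+", "", fingerprint).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("expected a 40-hex-digit v4 fingerprint")
    return fpr[-16:], fpr[-8:]


def key_selector(ident):
    """Accept what gpg accepts for -r, -u and --recv-keys: an email address or a
    hex id of 8, 16 or 40 digits. Hex ids come back upper-cased with the 0x
    prefix gpg allows, so they can never be mistaken for a name."""
    ident = ident.strip()
    m = re.fullmatch(r"(?:0x)?([0-9A-Fa-f]{8}|[0-9A-Fa-f]{16}|[0-9A-Fa-f]{40})", ident)
    if m:
        return "0x" + m.group(1).upper()
    if "@" in ident:
        return ident
    raise ValueError(f"not an email address or key id: {ident!r}")


def encrypt_cmd(recipient, infile=None, armor=True):
    """gpg -a -e -r <recipient> [file], as in the guide's example."""
    cmd = ["gpg", "--batch"] + (["-a"] if armor else []) + ["-e", "-r", key_selector(recipient)]
    return cmd + ([infile] if infile else [])


def recv_keys_cmd(key_id, keyserver=EXAMPLE_KEYSERVER):
    """gpg --keyserver <server> --recv-keys <id>."""
    return ["gpg", "--keyserver", keyserver, "--recv-keys", key_selector(key_id)]


def verify_cmd(signature_file, data_file):
    """gpg --verify <file>.sig <file>, the check the Tor download section describes."""
    return ["gpg", "--verify", signature_file, data_file]


def round_trip(message=b"test message"):
    """If GnuPG 2.1 or later is installed, create a throwaway key in a temporary
    GNUPGHOME, encrypt with -a -e -r and decrypt with -d. Returns the decrypted
    bytes, or None when gpg is missing or too old to run this unattended."""
    if shutil.which("gpg") is None:
        return None
    uid = "Throwaway <throwaway@example.invalid>"
    with tempfile.TemporaryDirectory() as home:
        env = dict(os.environ, GNUPGHOME=home)
        base = ["gpg", "--batch", "--yes", "--pinentry-mode", "loopback", "--passphrase", ""]

        def run(args, data=None):
            return subprocess.run(base + args, input=data, env=env, check=True, capture_output=True)

        try:
            run(["--quick-generate-key", uid, "default", "default", "never"])
            armored = run(["-a", "-e", "-r", uid], message).stdout
            plaintext = run(["-d"], armored).stdout
        except (subprocess.CalledProcessError, OSError):
            plaintext = None
        finally:
            try:  # stop the agent gpg started for this temporary home
                subprocess.run(["gpgconf", "--kill", "gpg-agent"], env=env, capture_output=True, check=False)
            except OSError:
                pass
    return plaintext
```

`key_ids` is the piece worth keeping in mind when you follow the key-id instructions above: an 8-character id is convenient to type, but because it is so short it does not uniquely identify a key, so confirm the full fingerprint with the person whose key you are importing or signing.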

       Enigmail is a plugin for Thunderbird, a free open source mail reader for Linux, Mac, or Windows.  Enigmail is only a front end for GPG.  It manages the keys and selects the right one to encrypt or decrypt based on email address and some internal logic, but it does not always do this correctly, so it is a good idea to know how to use the command line interface of GPG.  If Enigmail doesn't work you can always use GPG to encrypt/decrypt and copy/paste into or out of your email program using ascii text.  Even though Enigmail is not 100% perfect it does save you some headache if you are not comfortable with a command line interface, as it mostly does a good job of keeping track of your keys and using the right one automatically when you click the "Encrypt" button.

Instructions on installing Enigmail

       Google is working on a new plugin for Chrome to encrypt Gmail messages using PGP. It is not yet available for download.


       Users of webmail actually do have an option to use GPG more or less seamlessly using Mailvelope.  I have not used it personally but it looks like a reasonably easy to use and secure bit of software.  It intercepts the create new message screen from several popular webmail providers (Gmail, Hotmail, Yahoo, GMX) and opens a text window instead, automatically encrypting the message when you are ready to send and inserting it back into the browser window.  You can download it here.  Instructions for installing on Chrome are here.  Firefox users will need to download the .xpi file and double click to install.
Paid Providers

       If all of the above options are too difficult, you can pay for an encrypted webmail account from Countermail or Hushmail; however, be aware that when you pay a third party for encryption services, you have to trust them not to hand over your keys to Big Brother should he come calling.

Anonymous Email

       Even if you don't put your real name on an email account, it can be tied to your real identity by recording the IP address you use to connect to it.  Despite the availability of IP masking, such as VPN and Tor, anonymous email is surprisingly difficult to set up.  In theory you can simply connect to a webmail provider using Tor, create a new account which cannot be traced back to you since you are using Tor, and then only ever send mail from that account while connected through Tor.  However, none of the major webmail providers will allow new accounts to be set up using Tor, and even trying to access a previously set up account over Tor will often result in that account getting "locked" by the provider.  The reason is that Tor IP addresses are, for the most part, well known to webmail providers, who actively restrict any connection coming from those IP addresses.  There are a handful of smaller webmail providers who do not use these restrictions, but finding them is hit or miss.  There is one email provider specific to Tor, Privatdemail; however, I can't recommend its use to non-technical users due to its requirement to enable JavaScript, which carries some risks.  Better to find a small-time webmail provider which doesn't require you to turn on JavaScript.  A less anonymous alternative, but good enough for most purposes, is to set up a new email account using a VPN and only access it over the VPN.  There are also anonymous remailer services like Mixminion, but I have no experience with them.
Disposable Email Accounts

       It seems that most every site on the net these days requires you to create an account and log in to download, post, or use the site.  You may not want to give out your real email to everyone who asks.  You can get spam or worse, and it's counter to our goal of remaining anonymous.  An easy solution is to use a disposable email provider, such as Mailinator or GuerrillaMail.  These services will receive any email sent to any address at any of their many domains.  You can enter a fake email address on any signup form without having to set it up on the mail provider in advance, such as "fake123" at one of their domains.  Then just go to the provider's site and type "fake123" into the inbox prompt, and you will see the test email the website sent to make sure you gave them a "real" email address.  You can use a different fake address for every site and make it really hard to correlate your activities between sites.  If you need to keep track of the horde of different logins, a password vault like KeePass will do the trick.  Be aware that the IP address you use to access the disposable email account can still be used to identify you, so its value for anonymity is limited unless combined with either Tor or a VPN.
       Instant Messaging (IM) provides one of the easiest ways to have a private conversation on the internet, because many popular IM software clients have already implemented support for encryption.  This gives you plenty of options based on convenience and features.  Most IM clients are "multi-protocol" which means that you can communicate with friends even if they don't use the same software.  However, all commercially produced software is subject to laws which require a "backdoor" to be built into the encryption to allow Big Brother to eavesdrop.  For this reason, free open source software which is not subject to these laws is preferred, and for IM use, the ability to utilize the OTR protocol is critical.  You can find out if your favorite IM client supports OTR here:

       Off The Record (OTR) is an open source encryption protocol designed to be used with instant messaging.  It is much more secure than any of the vendor-specific, closed-source encryption products and has become the standard for encryption in IM.  Besides simply encrypting your messages, it has two other features worth mentioning.  First is that, unlike email encryption using PGP, there is no way to prove who said what after the fact, which is why it is called "off the record".  The mechanism for this is technically complex, but what it means is that anything you say in an OTR-protected IM session cannot legally be used against you later.  The other noteworthy feature is that it uses Perfect Forward Secrecy, which means that even if Big Brother gets hold of your encryption key, he can't decrypt past messages, only future ones. 
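The two OTR properties described above, forward secrecy and deniability, come from two simple ideas: every session negotiates a fresh Diffie-Hellman key that is thrown away afterwards, and the MAC key used to authenticate messages is published once the session no longer needs it.  The following Python script is an added illustration written for this page, not OTR's own code; it uses the standard RFC 3526 group 14 parameters for Diffie-Hellman but substitutes a toy HMAC-SHA256 counter-mode stream cipher and a simplified key derivation for OTR's actual AES-CTR and SHA-based construction.  The names `run_session`, `forge_with_revealed_key` and `tag_verifies` are mine.

```python
import hashlib
import hmac
import secrets

# RFC 3526 "group 14": 2048-bit MODP prime, generator 2 (transcribed from the RFC).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
KEY_BYTES = (P.bit_length() + 7) // 8


def dh_keypair():
    """Fresh ephemeral Diffie-Hellman key pair; the private part lives for one session only."""
    priv = secrets.randbelow(P - 3) + 2          # 2 <= priv <= P-2
    return priv, pow(G, priv, P)


def session_keys(shared_secret):
    """Split the DH shared secret into an encryption key and a MAC key
    (a simplified stand-in for OTR's SHA-based key derivation)."""
    s = shared_secret.to_bytes(KEY_BYTES, "big")
    return hashlib.sha256(b"\x01" + s).digest(), hashlib.sha256(b"\x02" + s).digest()


def keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode: a toy stream cipher standing in for OTR's AES-CTR."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def mac(mac_key, nonce, ciphertext):
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def protect(enc_key, mac_key, msg_number, plaintext):
    """Encrypt-then-MAC one message; the message number is the nonce."""
    nonce = msg_number.to_bytes(8, "big")
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    return nonce, ciphertext, mac(mac_key, nonce, ciphertext)


def unprotect(enc_key, mac_key, nonce, ciphertext, tag):
    """Verify the MAC first, then decrypt; tampered messages are rejected."""
    if not hmac.compare_digest(tag, mac(mac_key, nonce, ciphertext)):
        raise ValueError("MAC check failed")
    return bytes(a ^ b for a, b in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))


def run_session(plaintext):
    """One OTR-style session between Alice and Bob.  Returns the text Bob decrypted,
    the MAC key Alice reveals after the session, and the public transcript."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    a_enc, a_mac = session_keys(pow(b_pub, a_priv, P))
    b_enc, b_mac = session_keys(pow(a_pub, b_priv, P))
    if (a_enc, a_mac) != (b_enc, b_mac):
        raise RuntimeError("key agreement failed")
    nonce, ciphertext, tag = protect(a_enc, a_mac, 1, plaintext)
    received = unprotect(b_enc, b_mac, nonce, ciphertext, tag)
    # Perfect forward secrecy: both sides erase their ephemeral private keys.  The
    # transcript (public values only) no longer suffices to rebuild enc_key, and the
    # long-term keys OTR uses for authentication were never part of the derivation.
    del a_priv, b_priv
    # Deniability: the MAC key is published once it is no longer needed, so a logged
    # transcript cannot prove who wrote a message (see forge_with_revealed_key).
    return received, a_mac, (a_pub, b_pub, nonce, ciphertext, tag)


def forge_with_revealed_key(revealed_mac_key, nonce, fake_ciphertext):
    """Anyone holding the revealed MAC key can produce a tag that verifies, which is
    exactly why an OTR transcript carries no proof of authorship."""
    return mac(revealed_mac_key, nonce, fake_ciphertext)


def tag_verifies(mac_key, nonce, ciphertext, tag):
    return hmac.compare_digest(tag, mac(mac_key, nonce, ciphertext))


if __name__ == "__main__":
    text, revealed, transcript = run_session(b"meet at noon")
    forged = forge_with_revealed_key(revealed, transcript[2], b"forged")
    print(text, tag_verifies(revealed, transcript[2], b"forged", forged))
```

The forgery at the end is the point of "off the record": once the MAC key is public, a verifying tag no longer says anything about who produced the message, so a saved chat log is worth no more than a text file anyone could have typed.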

Learn More

Setting up OTR with Pidgin
First download the plugin here:
then follow the instructions here

Setting up OTR with Jitsi

Setting up OTR with Adium

Setting up OTR with Miranda
First download the plugin here:
then do your best to install it.  Sorry I can't point you to any instructions as no documentation exists!
Anonymous Messaging

       There are not many options out there for fully anonymous messaging.  Torchat is the only thing I am currently aware of.  It is just a very basic chat client that runs over the Tor network, providing both anonymity and encryption.  However, it is incomplete and apparently abandoned.  It works with both Linux and Windows.  To use Torchat, just download, install, and run.  It should set up a new user id for you and automatically connect to the Tor network.  Bittorrent chat is in the works and should provide another option, but has not been released yet.  You can also set up a new account while using Tor and only connect to it over Tor using a regular IM client.  Many IM clients support proxying connections over Tor.  You can find a complete list here:  Just look under the proxy heading for "socks".  Both you and whoever you want to communicate anonymously with will need to use Tor to set up anonymous accounts for this to be effective.  Setting up an account using Tor may be difficult as the large providers create obstacles to setting up an account under Tor.  Often they will require phone verification, which defeats the purpose of anonymity.  ICQ allows account creation using Tor, at least for now.  However, be warned that software not intended for use with Tor sometimes "leaks" identifying information.
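The "socks" proxy setting mentioned above matters because Tor is reached as a SOCKS5 proxy, and the most common way an ordinary IM client "leaks" identifying information is by resolving the server's hostname through the normal DNS resolver before it ever talks to the proxy.  A client that does it right hands the hostname to the proxy inside the CONNECT request (address type 0x03) and lets Tor resolve it.  The script below is an added example written for this page, not code from any IM client or from Tor: it builds and parses RFC 1928 CONNECT requests, runs the client side of the handshake against a constructed in-process stand-in for the proxy, and flags requests whose address was already resolved locally.  The names `socks5_connect`, `fake_proxy`, `run_exchange` and `resolved_locally`, the hostname `xmpp.example.org` and the address `192.0.2.10` are all mine.

```python
import ipaddress
import socket
import struct
import threading

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
NO_AUTH = 0x00


def build_connect_request(host, port):
    """Encode a SOCKS5 CONNECT (RFC 1928).  A hostname is sent as ATYP 0x03 so the
    proxy resolves it; the client never asks its own DNS resolver."""
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("hostname must be 1..255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_request(data):
    """Decode a CONNECT request the way the proxy sees it: (atyp, host, port)."""
    ver, cmd, _reserved, atyp = data[:4]
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT")
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unknown address type %d" % atyp)
    return atyp, host, struct.unpack("!H", rest[:2])[0]


def resolved_locally(request):
    """True when a CONNECT carries an IP literal: if the user configured a hostname,
    the client resolved it itself and the DNS query already left outside the proxy."""
    return request[3] in (ATYP_IPV4, ATYP_IPV6)


def socks5_connect(sock, host, port):
    """Client side of the handshake on an already-open socket to the proxy.
    Returns True when the proxy reports that the CONNECT succeeded."""
    sock.sendall(bytes([SOCKS_VERSION, 1, NO_AUTH]))      # offer one method: no auth
    ver, method = sock.recv(2)
    if ver != SOCKS_VERSION or method != NO_AUTH:
        return False
    sock.sendall(build_connect_request(host, port))
    reply = sock.recv(262)
    return len(reply) >= 2 and reply[0] == SOCKS_VERSION and reply[1] == 0x00


def fake_proxy(sock, seen):
    """Constructed stand-in for the proxy side (not Tor): accepts no-auth, records
    what the client asked for, and replies 'succeeded' with a zero bound address."""
    sock.recv(3)
    sock.sendall(bytes([SOCKS_VERSION, NO_AUTH]))
    seen["atyp"], seen["host"], seen["port"] = parse_connect_request(sock.recv(300))
    sock.sendall(bytes([SOCKS_VERSION, 0x00, 0x00, ATYP_IPV4]) + bytes(4) + bytes(2))
    sock.close()


def run_exchange(host, port=5222):
    """Run client and fake proxy over a socketpair; returns (ok, what_the_proxy_saw)."""
    client, proxy = socket.socketpair()
    seen = {}
    t = threading.Thread(target=fake_proxy, args=(proxy, seen))
    t.start()
    ok = socks5_connect(client, host, port)
    t.join()
    client.close()
    return ok, seen


if __name__ == "__main__":
    print(run_exchange("xmpp.example.org"))       # proxy sees ATYP 3 and the name
    print(run_exchange("192.0.2.10", 443))        # proxy sees ATYP 1: name was resolved elsewhere
```

To check a real client, point it at the proxy setting the page describes and look at what arrives on the SOCKS port (or in a packet capture): a domain-typed CONNECT means the name went through the proxy; an IP-typed one for a server you configured by name means the client leaked the lookup.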
       If you use a search engine to search for "secure file sharing" you will see dozens of companies offering that as a service.  Some of the big ones are Dropbox, SkyDrive, and Google Drive.  These days everyone promises to use encryption to protect your files, but they don't provide details as to how exactly this works much less give you the ability to verify.  This requires a great deal of trust in the company to not only not hand over your data to Big Brother, but also to adequately protect it from hackers.  However, if you do all the encryption and decryption on your own computer, that alleviates much of the risk as all the data you are handing over to these companies is already securely encrypted before they see it.

       There are some strange goings-on in the world of Truecrypt.  The authors have disavowed the software without explanation.  Many are speculating, due to the sudden and bizarre nature of the announcement, that the authors have been placed under some legal pressure from the US Government to install a backdoor or otherwise modify the program.  The software is open source and it is being audited for bugs, but until the authors come forward with a clear and reasonable explanation for the confusion, I cannot recommend Truecrypt for any but advanced users who are aware of and comfortable with the risk.

Installing Truecrypt

       Truecrypt is extraordinarily easy to install.  For Windows or Mac users download the installer here: then run the installer once it finishes downloading.  There's really not much more to it than that.  Linux users have the additional steps of choosing between 64 and 32 bit versions and unpacking the gzipped download, but once that is done the install is just as easy as on Windows.  Note: Truecrypt does not work in Windows 8.
Setting Up an Encrypted Container

       Rather than encrypting individual files, Truecrypt uses "containers" that can store many files and directories.  Think of it like putting your valuables into a safe.  The container will be protected with a password, a key file, or both.  A key file is just a regular file that you designate as the "key" to unlock the container.  It's not required, but adds a lot of extra protection.  Don't leave the key file inside the container, or you won't be able to open it again.  Before you can put anything inside, you need to have the safe itself, so our first step is to create the container.  Follow the instructions here

       Make sure to create a container big enough to hold all the data you intend to put in it plus whatever you might add to it in the future.  Every time you change one of the files on your local machine and want to put it on your file sharing site you will have to upload the whole container all over again, so it is probably best to make a few smaller containers with different types of files (music, office files, etc.) than one big container with everything.  You can, if you want, make lots of little containers just big enough for one or a few files, but that is a lot of work. 

       The container includes a copy of the encryption key protected by the password you chose when setting up the container.  Since you will be giving the container (and encryption key) to a company to hold for you, they will have the opportunity to try to guess the password you used and lots of time to do so, so make sure you pick a really good password.  20 characters at a minimum.  30 is better.  30 + a key file is even better, just make sure to keep multiple copies of the key file somewhere safe.  Note that the key file is different from the encryption key, even though the terms are similar.  The encryption key is the actual code used to translate the data from encrypted to decrypted, whereas the key file is something that protects that code.  It's like putting the key to your safe into another smaller safe.

       Open and close the container a few times to get the hang of things.  Truecrypt calls open and close "Mount" and "Dismount".  Now you are ready to fill it up with all your precious data and lock it up.  Once the data is encrypted, you can send it off to whatever cloud provider you like best.  Whoever you intend to share the data with will need to install Truecrypt and enter the password and/or key file you used to secure it, so you'll need to get that to them via some other method such as encrypted email or IM. 
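The container layout described above (a random encryption key, wrapped by a header key that is derived from the password and optionally a key file, with the whole thing handed to a provider who can guess at the password offline) is worth seeing in miniature.  The Python below is an added example written for this page; it is not Truecrypt's own code or format.  Truecrypt itself uses PBKDF2 with a fixed iteration count and AES-XTS for the data, and mixes key-file bytes into a pool; here the key file is simply hashed into the password material, the master key is wrapped with a one-time pad of the derived key plus an HMAC so a wrong password or key file is detected rather than yielding garbage, and the iteration count is my own choice.  The names `create_container`, `unwrap_master_key` and `change_password` are mine.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000   # demo setting (assumption), not Truecrypt's fixed count
MASTER_KEY_LEN = 32
SALT_LEN = 64


def password_material(password, keyfile_bytes=None):
    """Combine the password with a digest of the key file.  A wrong password OR a
    wrong key file changes the material, and therefore the header key."""
    material = password.encode("utf-8")
    if keyfile_bytes is not None:
        material += hashlib.sha256(keyfile_bytes).digest()
    return material


def header_key(password, keyfile_bytes, salt):
    """Slow password hashing: every guess the provider tries costs this much work,
    and a longer password multiplies the number of guesses they need."""
    return hashlib.pbkdf2_hmac("sha512", password_material(password, keyfile_bytes),
                               salt, PBKDF2_ITERATIONS, dklen=64)


def wrap_master_key(master_key, password, keyfile_bytes=None):
    """Build a container header: the master key is encrypted under the header key
    (a pad of exactly key length, used once per fresh salt) and protected by a MAC."""
    salt = secrets.token_bytes(SALT_LEN)
    hk = header_key(password, keyfile_bytes, salt)
    enc_k, mac_k = hk[:32], hk[32:]
    wrapped = bytes(a ^ b for a, b in zip(master_key, enc_k))
    tag = hmac.new(mac_k, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped_key": wrapped, "tag": tag}


def unwrap_master_key(header, password, keyfile_bytes=None):
    """A mount attempt: returns the master key, or None when password/key file is wrong."""
    hk = header_key(password, keyfile_bytes, header["salt"])
    enc_k, mac_k = hk[:32], hk[32:]
    expected = hmac.new(mac_k, header["salt"] + header["wrapped_key"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, header["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(header["wrapped_key"], enc_k))


def create_container(password, keyfile_bytes=None):
    """New container: a fresh random master key (the key that actually encrypts the
    data) wrapped by the password-derived header key.  Returns (header, master_key)."""
    master_key = secrets.token_bytes(MASTER_KEY_LEN)
    return wrap_master_key(master_key, password, keyfile_bytes), master_key


def change_password(header, old_password, new_password, old_keyfile=None, new_keyfile=None):
    """Re-wrap the same master key under a new password/key file.  Only the header
    changes; the encrypted data does not need to be rewritten."""
    master_key = unwrap_master_key(header, old_password, old_keyfile)
    if master_key is None:
        raise ValueError("old password or key file is wrong")
    return wrap_master_key(master_key, new_password, new_keyfile)


if __name__ == "__main__":
    keyfile = b"constructed key file contents"
    header, master = create_container("correct horse battery staple 1234", keyfile)
    print(unwrap_master_key(header, "correct horse battery staple 1234", keyfile) == master)
    print(unwrap_master_key(header, "correct horse battery staple 1234"))   # None: key file missing
```

The header is the only thing a password guesser needs, which is why the page's advice on password length and a key file matters: the key file adds 256 bits of material that no dictionary will contain, and `change_password` shows why losing it is fatal, since the master key can only be recovered through the header it protects.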
Paid Services

       Some providers offer client-side encryption, which means that the encryption process is run on your local machine and in some cases the key is stored on your machine as well.  This is much more secure than putting all your trust in the storage provider, but since you are using their proprietary closed-source software you still have to place some trust in the provider.  Client-side encryption is used by the more secure cloud storage/file sharing providers, such as Mega, Least Authority, SpiderOak, and Wuala.  If you are not comfortable following the instructions for using Truecrypt containers, these companies can provide a higher level of security than you will find elsewhere.



       Retroshare is a new approach to file sharing that doesn't rely on any centralized servers.  This is known as peer-to-peer sharing, which has been done before, but not previously with security and privacy as the primary concern.  Retroshare actually offers much more than just file sharing and aims to be an all-in-one social platform that includes IM, group chat, and a variety of private, semi-public, and public communication methods, all protected by encryption.  It is very new, however, and hasn't been fully tested by independent security experts yet, but keep an eye on it because it looks like it may end up solving many private communications and file sharing needs at once.
Anonymous File Sharing

       Anonymous file sharing poses the same problem as any other anonymous communication: the IP address used to connect to the file sharing service can give away your real identity.  However, not only does the connection to/from the file hosting service have to be anonymous, but you also need to transmit and receive the passwords and/or encryption keys anonymously.  There are services set up to allow this, Freenet and I2P come to mind, but I don't have much experience with either and am unable to offer guidance.  For small scale anonymous file sharing you might just use Tor to set up a free email account with lots of storage and email Truecrypt containers from the anonymous account to itself to create a repository, then share the passwords using anonymous encrypted IM.  But that would be a kludge at best, and uploading Truecrypt containers of any significant size over Tor would be a major headache.  Experimentation will be required to find a solution that works for you.
A Note For Travellers

       It has become increasingly common for travellers to have their laptops and other digital devices searched at international borders.  All the instructions on how to set up encrypted communications only protect your messages in transit.  Once they arrive at their destination, they are decrypted and often saved to the hard drive in decrypted form.  If anyone takes your computer and physically examines it, they will be able to read saved (and possibly deleted) messages.  To prevent this, you will need to set up full disk encryption on your computer hard drive.  You can find out more here.

       Jackpair is an ingenious little hardware device that encrypts your voice before it even gets sent to your phone.  The recipient must have a Jackpair device also.  You read aloud the key fingerprint for the encryption to verify the connection has not been intercepted, and the hardware handles all the encryption transparently so you can just talk normally.  What makes it a bit more clever than other solutions is the dedicated hardware.  An encryption app installed on your phone can be circumvented if the phone has a backdoor installed to steal the encryption key.  Jackpair doesn't require you to trust your handset maker, and when used on a dedicated secure phone with the handset microphone covered or removed, it is just about as foolproof as you can get.  At least in theory.  It is still in development so there will inevitably be some bugs to work out.  Don't take any chances on it just yet, but keep an eye on it because it could be a game changer.  The developers are clearly very serious about security as they have announced their intention to open source both the hardware and software, so you can build your own from scratch if you are really paranoid.  It also works with any device that has a standard headphone jack, so it should work equally well over any Skype-like service or even walkie talkies, ham radio, etc.


       Darkmail isn't a service so much as it is a platform and set of standards that email service providers can choose to adopt to encrypt emails in a very simple fashion, much simpler than PGP but with equal or greater levels of protection.  It has some heavyweight backers with real credibility, but very few details have been made available at this point other than that it will be open source.  They are attempting to make it not only private but also "solve the metadata problem", which would make it anonymous or semi-anonymous.  Let's hope they succeed.
Ricochet Messenger

       Ricochet is being designed from the ground up as a fully anonymous IM client that works over Tor and has encryption built in for both privacy and anonymity.  The advantage over just using a regular chat client over Tor is that it is all peer to peer, with no centralized server keeping track of users.  It is being put together by some well respected people in the security field, so you can be confident it will be thoroughly tested for bugs and flaws before release.  The source code is fully open and available for viewing/collaboration on GitHub.