How to host a transgressive website
Prelude: Would a simpler solution be a better fit ?
Few people actually require full-fledged bullet-proof web-hosting. Here are some easier alternatives with vastly lower risk.
- Hosting static data. You can submit your data to archive.org or cryptome.org and those fine people can perhaps host your data for you. If that’s insufficient, there’s always IPFS, DAT, or BitTorrent (just store the file on a service like DigitalOcean and share the magnet link).
- Hosting simple applications. Use Ethereum. Ethereum remains a work in progress, and it remains unclear what diversity of applications will ultimately be host’able within Ethereum. But if your idea can run within Ethereum — you should definitely use that.
- High bandwidth not needed. Tor Hidden Services are a fine choice. When using a Tor hidden service, your identity can still be uncovered, but it’s obviously much, much harder.
- My site is so widely perceived as a good thing that shutting me down would be a public relations nightmare. Following the long tradition of public civil disobedience, some advocates prefer publicity over imperfect concealment. Historically speaking, both strategies have been effective across many different jurisdictions. However, we found that without deep knowledge of the local law enforcement incentive structures, determining whether you have sufficient numbers of the right people supporting you (in the spirit the Dictator’s Handbook) is very difficult. However, if you’re better at running Twitter campaigns than digital operations security, publicity could in fact be a solid protection mechanism. If you decide to go the publicity route, an in-depth interview with The Daily Dot, Wired, and The Information is a good start — and if they aren’t interested you can offer to make it an exclusive interview.
Nope. None of the above work for me.
Before going further, you must manage your expectations.
- You won’t be wholly anonymous. You can take steps to conceal your identity, and it is wise to do so. Your concealment will always be imperfect, and unless you are exceedingly disciplined, a determined adversary will probably be successful in discovering who you are. You will have skin in this game.
- You will overpay. Your concealment, abuse paperwork, and riskiness cost money. Your extra expenses come from three sources:
1. Your imperfect concealment requires middle-men, and each must be paid.
2. No matter the jurisdiction, internet services are a relatively automated industry, and human intervention is expensive. Unfortunately for you, handling your abuse requests requires expensive humans.
3. Working with you creates some risk. For example, although 100% legal, many banks won’t permit accounts for medical marijuana providers. However, the more you’re paying, the higher your potential collaborator’s risk tolerance because your money is worth dealing with the heat/risk your service generates.
Taking (2) and (3) together, the lowest-margin providers will prefer to simply be rid of you.
- You will have to compromise. No matter your jurisdiction, you will sometimes lose, and you will have to (occasionally) compromise. To give an illustrative example, HavenCo, the most bulletproof hosting in the world, had to yield to the wishes of Sealand’s royal family, and when relations went sour, HavenCo was terminated. Compromise is perhaps the hardest thing for newbies to accept.
Accept that you will sometimes lose. Some example issues in which you will lose include: child abuse, ransomware, Lèse-majesté (if you work in Thailand), or large-scale money laundering. If you are unwilling to occasionally acquiesce to the demands of the law or authorities, your entire service will simply be shutdown. If you repeatedly offend, your eventual destination is either bankruptcy or imprisonment. Having to compromise is proof you are being noticed, and occasional compromise is the price of success. Enjoy being small while it lasts.
Choosing your jurisdiction and creating space between you and your website
You’ll want to avail yourself to the various corporate tricks to conceal your identity and reduce your liability. The tried-and-true way to do this is to register a company (often, a private limited company) in a favorable jurisdiction, and then do all activities not as an individual, but as an agent of your company. What constitutes a favorable jurisdiction depends heavily on:
- what kind of site/service you want to host,
- your own citizenship,
- the relationship between the government of your citizenship and the government whose jurisdiction you wish to operate in.
Some swear by jurisdictions like the Isle of Man or the Cayman Islands. To the surprise of many, the United States is relatively friendly jurisdiction for many kinds of speech, and a Delaware LLC is a solid option. For those seeking European Union law, Estonia is a popular choice due to the ease of administration via e-residency. Finland and Sweden are also popular choices. Within Asia there’s no clear winner, but Hong Kong, Singapore, and Taiwan are the typical options. Of these, Hong Kong purportedly has the most independent courts, but that’s never been clear to us.
For the curious, at onion.link we chose to incorporate in the United States due to its friendly laws on common carrier protections for telecommunications services. We then received a business-license to operate in Singapore. We chose Singapore for its openness for western companies, access to an APNIC ip-block, as well as to demonstrate by example how to run interesting internet services from in one of the most free-speech hostile environments in the world (Singapore is currently ranked 154 out of 180 on the Press Freedom Index between Swaziland and Brunei; authorities seem proud of this ranking). In general, our advice is that these hostile environments can be successfully navigated by staying out of local affairs and giving sufficient deference to the local culture.
After choosing your jurisdiction, the rules of engagement are:
- For a jurisdiction where you have strong rights (it helps if you are a citizen or at least permanent resident), the letter of the law trumps the spirit of the law. Your strategy is that when the going gets tough, you can hide behind the letter of the law. If the letter of the law is against you, find a new jurisdiction.
- For a jurisdiction where you have few rights (e.g., the country isn’t into the whole “individual rights” thing, or you’re a foreigner), the spirit of the law trumps the letter of the law. In these jurisdictions, if the authorities decide you are a “troublemaker”, they can shut you down — no questions asked. Your strategy is to avoid their bad side. This is doubly true if in your chosen jurisdiction you can be imprisoned without trial.
In these jurisdictions, during your first contact with law enforcement, it is immensely in your interest to initiate a longer conversation about their goals and motives (in both the abstract and specifics) for the space in which you’re operating. Your job is then to operate your service while minimally inhibiting those goals. If you cannot find a path which achieves that, find a new jurisdiction.
Note: Technically speaking, your applicable laws consist of your country of incorporation as well as your country of personal residency. However, if these two are different, you are vastly more likely to be approached within the rubric of the jurisdiction of your incorporation, and the better you conceal your identity as the company’s owner, the less likely you are to be approached under the law of your country of residence.
Concealment I: Putting extra space between your company and you
This almost goes without saying, but minimize all references to you as a person. This means never using your physical home address or phone number. Sign up for a Post Office Box or one of those services that will scan and email your business mail. This is an instance of, “Your concealment costs money.”
Concealment II: Putting even more space between your company and you
Many jurisdictions allow corporations to be represented by nominees (usually a lawyer) instead by you. Then your own name is protected by attorney-client privilege. This is one of the strongest ways to conceal yourself, but it is also one of the more expensive.
Armor up within your jurisdiction
Many jurisdictions don’t actually care what ruckus you create as long as don’t do so locally. For example, in Singapore they really don’t care if you operate a politically transgressive site as long as you don’t discuss Singaporean politics. This strategy works for nonpolitical matters as well. So, for extra-armor you can: (1) choose a smallish country that largely legally works for you; (2) block access to your website to all users coming from your chosen smallish country; (3) be accessible from everywhere else in the world. This will give you immensely more armor within your chosen smallish hosting country.
Dealing with complaints
Your site will receive both electronic and physical mail from detractors. This mail will go to four places, in roughly this order:
- The WHOIS contact for your domain.
- Your server will have an IP address. Detractors will also contact the registrant of the IP block in which your server’s IP address resides.
- Your web-hosting provider.
- Your domain registrar.
The first of these, (1), is typically you. Just leave it as your generic company contact. We suggest foregoing PrivacyGuard on your WHOIS registration because having it increases the probability that detractors will move on to emailing (2), (3), or (4) — which you’d prefer they didn’t do.
Solving (2) requires getting your own IP block. This is nontrivial, but it can be done. The last we heard, the only organizations still giving out IPv4 blocks semi-cheaply are APNIC and AFRINIC. If you’re unable to get an IPv4 block, it can be preferable to simply forego an IPv4 address and make your site IPv6 only (and it’s vastly easier to get an IPv6 block). If you really need an IPv4-block yet cannot get one, email Backbone Telecommunications and we will see what can be done for you.
The easiest way to solve (3) is simply to find a web host that will work with you. Solving (4) by being your own registrar is impossible, so choose your registrar carefully. Fortunately, if you choose a skittish registrar, they are usually very happy to be rid of you and assist streamlining your transfer to another registrar.
Choosing your hosting/email provider
You can always do this yourself. But it’s rarely needed. We suggest attempting one of the established providers, and if that fails, then run it yourself. Ideally, your hosting provider will be located within the same (or similar) jurisdiction as where you incorporated your company — doing this will immensely simplify your legal position and make it vastly easier, and cheaper, to find a knowledgeable lawyer should you need one.
- Web: The choice of anonymous web-hosting is a well-worn topic. Pick any of these you’d like. Although we’ve never used it, others have reported a positive experience with anonymously.io. Whoever you choose, as you grow, you may need something a bit more scalable. Then you’ll probably be getting a half rack in someplace like Bahnhof’s famous Pionen bunker.
- Email: You will need exclusive access to the noc@, abuse@, postmaster@, hostmaster@ email addresses for your domain. Some email providers (e.g., Mailgun) do not give you access to these, but most will. We personally have been very happy with Migadu.
Concealment III: Putting extra space between your detractors and your website
You can put extra space between your detractors and your webhost with a CDN service like CloudFlare and Fastly. Some people don’t like these services. But in your position, regardless of ideology, these services have practical utility. Use as you see fit.
Choosing your domain registrar
Most people don’t realize this is a possible point of failure, however, if your registrar feels like it, they can NXDOMAIN you. And, speaking from experience, this does in fact happen. Pick a registrar that will work with you. If you are lucky, you’ll be able to register your chosen domain anonymously. But more important than your registrar not knowing who you are is a registrar that will work with you. For anonymity, PRQ is a popular choice with many high-profile domains under their belt. We’ve personally had success with Gandi as well as Uniregistry.
Things you’ll deal with as you grow
You will meet the abuse department of every organization in (2), (3), and (4). You may even get on a first-name basis with them. Your goal in interacting with these fine people is to be polite, understanding, and non-combative. After all, it is their goodwill that permits you to continue operating. As you grow, you will eventually have to make concessions. If you and the relevant abuse department are unable to find common ground, ask them for recommendations for alternative places to go — they will probably be glad to assist you.
You will eventually need a lawyer familiar with whatever jurisdiction you have incorporated, you will need a set of canned template responses to the most common complaints you receive. You will be sending these out regularly. If you want to be fancy, you can output these canned responses from IFTTT applets.
As you grow, various organizations will decide they don’t like you and use technical tricks to interfere with your operations. Speaking from experience, their favorite tricks are:
- spying on your traffic. For this, get a free TLS certificate from LetsEncrypt. If you need something beyond LetsEncrypt’s offering, we’ve had success with Comodo and Thawte.
- tampering with DNS caches for your site. For this, use DNSSEC, DANE, or for the maximally conservative, HTTP key-pinning. For DNS providers, we’ve had positive experiences with Dyn and DNSimple.
- tampering with your IP block’s BGP routing. For this, Route Origin Authorization will help.
Follow these and you’ll be well ahead of the curve. Who knows, maybe you’ll even be able to operate in China someday.