VK and Text Message activation

The biggest downside of the VK social network is that in order to create an account you need to provide a cellphone number for an activation text message.

If you are paranoid about your identity you definitely need to make sure https is enabled when signing up on VK, and to always keep https enabled by visiting https://vk.com rather than http://vk.com (note the s after http). Also enable the ‘use secure connection’ setting after signing up.

In theory governments are capable of requesting a list of all text messages sent from VK, but if you consistently use https they will not be able to easily figure out what phone number is attached to what account. If VK turns into a hangout place for ultra-nationalists, intelligence agencies may make a blacklist consisting of non-Russian speakers who received a VK activation message.

If you are super paranoid, for a good reason or not, you can buy a prepaid cellphone with cash, as you can get a cheap one for 10-20 Euro. Charge and activate it away from your home, then take out the battery before going home to sign up for VK. Leave your house, put in the battery, turn it on, receive the text message, write down the activation code, take the battery out, and return home to finish the registration process.

Don’t simply swap out a SIM card as the phone itself has a unique serial number.

A more realistic privacy threat is that governments monitor everyone who frequently visits radical blogs without https support, like breivikreport.blogspot.com. Next they would contact your Internet Service Provider with an IP address and a timestamp and request the identity of the person paying the Internet bill. Your ISP will provide this information. Next the intelligence agency will put you on a watch list, and take further action if they have the time and resources to investigate you further, which they probably will if you have a criminal record. There are indications that Vojtěch Mlýnek was arrested due to his online activities, combined with a known passion for detonating homemade explosives.

It’s also a theoretical possibility for a government to request a password retrieval by phone or email and intercept the password retrieval email or text message, upon which the secret service takes over the account. This may be used as an unofficial strategy to take down radical blogs where the nationality of the blogger is known. Given the nature of Internet traffic this can typically only be effectively done by the US government, but if you use a Russian service with an American email address it’s possible for German or British authorities to use this strategy.

Alternatively they can monitor your activities and store passwords sent over insecure connections. So if your Stormfront password is the same as your Tumblr password you might all of a sudden lose access to both, as Stormfront doesn’t encrypt your login page like Tumblr does.

There have been a notable number of reports where people claim to have lost access to their accounts with no explanation, though this could be the work of Marxist hackers. The most important thing to do is to use different passwords for different accounts, and to use a Russian email account for Russian services and an American email account for American services; that way British, German, or Norwegian intelligence agencies can’t interfere.

I don’t think small European governments are totalitarian enough to try something like this as it would be a public relations disaster if they were caught hacking user accounts on foreign servers.

In the case of VK I would strongly suggest creating a Russian email account at https://mail.yandex.com and linking that to your VK account. Do not use a Gmail account because you will risk giving away your identity as confirmation emails are sent. Also make sure to disable all VK notifications to your mobile phone and email address, as they are likely to get intercepted.

For more information see my document on Online Anonymity and Privacy.
