REUTERS/Tony Gentile
Here is how I did it:
Some background
I became aware of a teenage hacker who made a malware platform called Tox that was quite powerful. The hacker communicated using the dark web - forums on websites that could only be accessed using web browsers that anonymize traffic. He also posted a few updates on Pastebin, a website hackers frequently post messages, including the announcement that he wanted to leave behind his life of cybercrime.
Using the information this Tox hacker had posted, I had very few details on how to contact him. It boiled down to a possible email address that he used and a PGP key (see my explanation on what that is below). Using these two pieces of information, I delved further, and ultimately found a way for us to talk in private.
What is a PGP key?
PGP stands for Pretty Good Privacy - no joke. A PGP key is a way that internet users can encrypt their messages, making it nearly impossible for anyone but the sender and receiver to read the message. Everyone using PGP must have two keys - a public key and a private key.
PGP works like this: If I want to send a message to you, I first need to know your public key (there are online repositories with public keys available). Then, using software, I write my message and the text is ciphered in a way that is unique only to your public key.
But the only way for this message to be deciphered is to use the second part of the puzzle - your private key. So I send you a message that is encrypted using your public key. You must then put your private key into the PGP software to decrypt the message.
Given that no one but you knows the private key, it is nearly impossible for anyone to intercept the message and decode it.
I generated my own encryption key using software called GPG Suite. It is a program that makes it easy for people to encrypt and decrypt messages. (I won't go into great detail about all the things GPG Suite can do, but here's a bunch of documentation about the software if you're interested in learning more.)
Here's what my PGP public key looks like:
Screenshot
Back to the Tox hacker
Since I had his public key as well as probably email I address, I decided to write him a message using PGP to show that I trusted his privacy.
So I wrote a short message asking if he'd talk to me. I said we could chat on Skype, as it's been known as a good place for hackers to chat.
I used a web platform to encrypt my message on the iGolder website. It's an easy form that has me copy and paste the public key as well as the message. It then encrypts the message into a garble of letters and numbers.
Screenshot
I then copied the encrypted message into an email and sent it to Tox. I also posted the encrypted body of my text to Pastebin in case the email didn't work. This way, if he was searching on Pastebin for anything entitled Tox (I named him in the subject), he would be able to copy the text and use his private key to decrypt the message.
Screenshot
And, what do you know, less than a day later I got a reply from the email I sent!
The Tox hacker said he would be interested in talking, but did not want to use Skype. He prefers to audit all the communication software he uses, and he wasn't sure about Skype's security. Instead, he wanted to use another chat client.
Using TorChat
The Tox hacker decided that TorChat was best, because it best ensured anonymity. TorChat uses Tor networks, which is a decentralized network to make tracking traffic nearly impossible. TorChat also encrypts messages (like the PGP emails before) making the text of the messages sent impossible to intercept.
TorChat can be used for both instant messaging and file sharing, making it a go-to for dark net businesspeople.
When you log into TorChat it gives you a randomly assigned address, which serves as your screen name. Tox gave me his TorChat address, I downloaded the app, and then we connected.
Screenshot
Following that, we chatted using a simple interface very similar to iMessage. The rest of our correspondences were done using TorChat.
Screenshot
Using these services I was able to get in contact with and gain the trust of someone who held his privacy to the utmost degree.
There are a variety of other privacy-focused programs out there, but these are good starting points and a good way to see how the most skeptical of web users keep their web activity private.