You could just use onion services to to hide the server, and store some backup onion services (whose private keys are kept offline) within the application or its files. When the server goes down due to seizure, you spin up a new one under the backup service's pubkey, and sign a list of new backup keys which will also be kept offline until the next seizure.
You could also combine encryption with steganography, if you strip non-random 'protocol information' from your encrypted bits. Doing that, it would not be easy to prove that you are sending encrypted messages at all without having obtained your keys.
If you just want to track a few individuals... Enumerate all those who possess the data. Now look for data brokers that they deal with (as commenter korse said) and recurse. Find all the employees of every company in question. Muster a few hundred bucks or so, seems to be the market price, and there you go[0].
For research I dunno. You'd probably have to make a deal directly with one of these companies, one way or another, so I would start by talking to them.
> It helps to think of it this way, if it touches your phone or the internet in any way, it's part of the public record. No matter what app you were using. So be cognizant of that, it can come back to bite you 10 years later in ways you never would have imagined.
Meh. If that's the case, why bother caring at all? Bring it on!
What you need to do is pick an entity that has the information you desire, and recursively enumerate the graph of all business deals which involve the sale of that information (their downstreams, effectively). After that, you do OSINT to map out all of the employees of every organization that has access to these databases. After you have mapped out these tens of thousands of individuals and their likely social graphs, all you have to do is pay one of them a relatively small sum to do a query on your behalf.
Not quite. The guy who wrote Tor can be clearly seen to have been studying a lot of these things in the later 90s, and it was pretty much always public, but only developed after he got the Navy to get him an NSF grant. Hell, in one slide he had made back then, he was even well-aware of some of the fundamental vulnerabilities in the protocol, and the (still too expensive) mitigations for those flaws, so it can't even be said that anything was concealed.
If we go back further to the original concept of chained anonymous remailers as envisioned by Chaum 40 years ago, it gets even harder to claim something like this.
> If someone wants you compromised, you will get compromised, it only matters how many resources they are willing to throw at you.
Wants who compromised? What are they going to do against people who use no pseudonym and never originate from the same machine or the same physical location?
For very obvious reasons you don't need to run any nodes, craft any malware, or scrutinize a target's layer 3+ OPSEC, in order to break Tor. You simply go to tier 1 ISPs and buy up IP datagram headers going to/from entry nodes and you win. The only solution is a constant rate of fake traffic to the guard node.
Anyhow, if one slip-up is enough, you're doing it wrong. Imagine you were a mad scientist testing out a jetpack- you are confident yes? But I imagine you would feel more confident with a bunch of nets, and a trampoline underneath that, and a lightning rod in case of a storm, and a requirement that you hold down multiple buttons at once to play with the controls, etc.
That is, if you are serious you will put in multiple safety nets at every layer of the stack so that "one slip" is not enough.
You like to talk to people, but you know that a long-term pseudonym is the gravest danger of them all.
You like virtualization, but you keep some crucial data and keys(treams) on a un-networked machine.
You like anonymizing networks, but you know the caveats of traffic tunneling and didn't connect from your home router.
You connect to a randomly-chosen wireless AP, but you know that just in case your MAC-spoofing fails or you get pwned or something, you are glad that you bought the device with cash and never tied its characteristics to your identity.
You are glad that the only transceiver connected to the device is an external wireless dongle so that when you are done, you don't accidentally connect with your device from home.
You are glad you waited for an overcast day so that you could thwart spy satellites that use visible/infrared light, and that you connected to the AP from afar to thwart cameras.
The list goes on. The guy whose face you see plastered in the news? Yeah, that guy thought his experimental jetpack was the shit. And it was- until it wasn't.
You could also combine encryption with steganography, if you strip non-random 'protocol information' from your encrypted bits. Doing that, it would not be easy to prove that you are sending encrypted messages at all without having obtained your keys.