Frequently Asked Questions
If you know what your contact email address is, but you've lost access to it, usually that is no problem. As long as you still know your login and password, you can just log in, go to the profile tab, and change the email address we have on file to your correct address.
The only time this becomes a problem is when you have lost accessed to your email address and you can't log in. That's a much more difficult situation. If you contact us from an email address not associated with your membership, we have no way of differentiating you from someone who set up that email address five minutes ago in your name to steal access to your membership. That's one reason why it's very important to keep your member contact email address up to date at all times. (But if you're reading this, it's probably too late for that reminder to be helpful right now, so just keep it in mind for the future.)
To resolve this situation, you will have to have us change the email address associated with the membership. However, that can only be done after completing our login recovery process. To complete this process for a lost email address, please follow these steps:
Other requested steps will be initiated from our end as appropriate once all documentation requirements have been satisfied. After the process is complete, any personally-identifying information you provided during the recovery process will be discarded.
While completing this process, please observe the following guidelines:
The process typically takes 10-60 minutes of work on your part to complete. Although burdensome by Internet standards, it is typically not actually difficult unless there are extenuating circumstances. For example, if you gave us a fake name when you signed up, you're probably about to have a very bad day.
Due to the requirement that we attempt (and fail) to reach you through your current contact email address, recoveries of this type can take a long time, up to a week. Once the process is completed, we will update the email address associated with your membership to the one you used to initiate the recovery process. At that point, you will be able to recover your login information and regain access to our system.
Important: Because we don't know whether you're you, we will not help you complete the process. We will not give you hints. We will not tell you how many actions you have to complete. We will not give you any information about the status of the membership. In fact, you may find our staff unusually distant and/or unhelpful during the recovery process. To avoid leaking information, while your membership is in the recovery process, the only response to any inquiries you send will be automated messages indicating whether or not you are making progress toward recovery.
This is not personal, nor is it representative of our attitude toward helping our members. It reflects that most people who attempt the recovery process are trying to steal something, and those are people we have no interest in helping at all. That we helped them accidentally or with the very best of intentions won't be any consolation to the member we helped them steal from. So, we apologize in advance to our legitimate members for any "guilty until proven innocent" treatment they may receive while completing the recovery process. It's hard, and it sucks for everyone, but it's the right way to keep our members' stuff safe.
You can recover your login name (using your member email address) or reset your password (using your login name and email address) from this page on our public web site.
You can initiate a password reset up to once per hour. When you initiate a password reset, you will receive an email that contains both a confirmation link and a new temporary password. To prevent other people from harassing you by resetting your password, the new temporary password will not take effect until you confirm receipt of the message by clicking the confirmation link.
Consequently, to complete a password reset, you must perform the following steps:
To prevent other people from harassing you, the temporary password found in the password reset email will not become effective until you complete step 2. If at any point prior to step 2 you log in with your old password, the password reset will be cancelled.
The short answer is that fraudsters and thieves wrecked it for you.
While we support the notion of Tor on an ideological level, our real-world experience with Tor has consisted of extensive problems with Tor-sourced hacking attempts and an unsustainable level of Tor-sourced credit card fraud. We also encountered relentless exploitation by spammers and phishers using Tor to create throwaway accounts. (Sign up, create site, send spam, get caught, sign up, create site, send spam, get caught, sign up...)
We understand that it isn't the existence of the Tor network that makes these things possible, but it does make them easy, and when virtually all of the traffic from a certain source is malevolent, blocking that source can be the only option. Forcing people off of Tor at least long enough to confirm their membership and make an initial deposit may not be the ideal solution, but it's hard to argue with results.
For that reason, we restrict access to our member interface from IP addresses that are listed as a current Tor exit node. To lift the Tor restriction for your membership, you must already have a membership and a funded account and you must explicitly request that Tor access be allowed via our assistance request system. (All of which must be done without using the Tor network.) We choose not to allow it automatically so we can filter approvals based on the common sense of a real person, and to protect members who don't use Tor from Tor-based brute force attacks on their password. We charge a nominal fee ($1.00 -- waived for subscription members) to reflect the manual nature of the review.
If you know of a reliable way for us to distinguish a handful of good people amidst a throng of would-be criminals in an environment that's raison d'être is to make distinguishing people impossible, please let us know. So far, making sure we already have a relationship with the good people is the best we've come up with.
Note: if your IP is operating a Tor exit node with a policy that allows access to our system, it doesn't matter whether you are using Tor to access our system our not; if traffic originates from a Tor exit node there is no technical way to distinguish whether or not it passed through Tor. (If there was, it would seriously undermine Tor.) For example, if you are running a Tor exit node but bypassing it to access our system, the limit will still apply. Similarly, if you use a VPN service that allows its customers to run Tor exit nodes (e.g. AirVPN) your VPN server's IP may be listed as an exit node even if you are not personally running one. These are all situations that can be addressed through the approval process.
Completely separate from that, we also have concerns about reports of unscrupulous Tor exit node operators diverting TLS connections. This is a real thing; I have personally experienced a case where using a particular exit node led to TLS certificate mismatches when accessing a site where I knew no such mismatch existed. You should think carefully about passing any secure information through the Tor network.
If you are running a Tor exit node on your IP, even if you aren't using it to access us, you'll have to cut back to relay-only, and do so long enough for the change to be picked up by Tor's published server list, before you can sign up or log in. If someone else is running a Tor exit node on your IP address, you'll need to either work with them to do so or use a different IP address to access our system and request approval.
To make sure you receive automated system emails from us (including signup confirmations, password resets, account balance warnings, domain renewal notices, and other automatic service-affecting messages), make sure you are allowing email from notify@NearlyFreeSpeech.NET.
To make sure you receive any handwritten emails from us, make sure you are allowing email from support@NearlyFreeSpeech.NET. Finally, each support ticket is assigned a unique email address @support.nearlyfreespeech.net (but we don't get too many reports of those being blocked).
We won't send you any spam or unnecessary messages from any of these addresses.
If you're not receiving email from us, the first thing to check is your junk mail folder. Since our system is highly automated, junk mail filters occasionally incorrectly flag the messages it sends as spam. If you don't find them there, check your junk mail settings. Some email providers make it very easy to block a sender and silently delete such messages, making it very hard for you to figure out later that the sender is blocked.
If you're still unable to resolve a problem receiving email from us or our system, please feel free to contact us. Ironically, you'll probably have to do that by email, but if the problem is with receiving automatic messages, we'll have a real person write back. Write to us from the email address you're having trouble with, and we'll look up the fate of any messages we tried to send there. If there's a problem on our end, we'll fix it. If there's a problem on your end, we'll try to find a way to provide you with the relevant log entries so you can ask your email provider what the heck is going on.
Our login recovery process applies in very specific, rare situations:
To recover access to a membership in these situations, we offer a variety of possible recovery actions, and a certain number of them must be completed successfully. The login recovery process is very onerous (by Internet standards, anyway; it's not really that difficult) and since its goal is to prevent illicit membership access, you will probably find that we are not very helpful while you are completing it.
These recovery actions can be performed by any member at any time:
These optional actions must be set up in advance from the profile tab in our member interface in order to be used for recovery:
The default number of actions required to recover a membership is three, but this can be customized from the profile tab in our member interface to make recovery (and consequently hijacking) more or less onerous.
If (and only if) you choose to provide both a photo ID and an account statement, then at least one must display the same official mailing address as that shown on the corresponding account. If neither does, you must additionally provide address verification, typically a utility bill, lease, or property tax bill matching both the address and the surname or company name on the account (either currently or contemporary with the deposit). If you are providing either photo ID or an account statement, but not both, then you can skip this requirement.
The third and worst case scenario is that you have two-factor authentication configured that isn't working and you didn’t save any one-use recovery codes and you don't know your login and password and your member contact email address isn't working. This case is so spectacularly unlikely that even if your recovery settings are lower, you will have to complete all possible verification steps to regain access to your membership. Seriously, don't let this happen.
Unfortunately, the vast majority of "I lost all my information, please make an exception to your security practices and let me in" requests we receive come from people trying to gain illicit access to someone else's membership. NearlyFreeSpeech.NET takes the security and privacy of our members' services very seriously. We believe our members know that we are serious about protecting their privacy and security. We believe that's at least part of the reason a lot of them pick us. We believe that they expect us to live up to that in situations such as these so that when they emerge from it, they can be supremely confident that their membership can't be hijacked by the first person who comes along with a good story. Consequently, we automatically construe any attempt to convince us to make an exception to our standard practices as an attempt by an unauthorized party to socially-engineer illicit access. This includes threats, attempts at negotiation, sob stories, and everything in between.
If you are a current member of our service and you log in successfully with your correct member login name and password, and then you get redirected (possibly after seeing a "click here to continue link" flash by) to the same login page again without any red error messages, this indicates that your browser did not accept the cookie our site sets to indicate you are logged in.
If this happens, here's what to check:
To help debug these issues, try logging in from a different browser on the same computer. If that works, it tends to indicate a browser issue. If it still doesn't work, that suggests a systemwide issue like security software or a clock problem.
First, if you are having trouble logging in, make sure this is the exact error message you are receiving. There are several other things detailed in this section of our FAQ that can cause problems logging in, but they each display a different message.
To prevent people from using incorrect login attempts to gain information about your membership or our system, this message is intentionally vague. However, if you see the "login information is incorrect" error after attempting to log in, our system will send an email to your member contact address with more detailed information about the failed login attempt. That information will include whether the problem is with the password, or (if you are using it) two-factor authentication.
If the problem is with the username, our system won't know who you are and can't send the email, so make sure to check for typos in the username. If you're not sure about your username, you can request that our system verify it for you.
If the email refers to a problem with two-factor authentication or "secondary auth," that typically indicates that you have a two-factor device configured for your membership, but that you didn't enter an authentication code from your device, used the wrong one (perhaps one for another service), or waited too long to login after generating it. If your two-factor device is lost or broken, you can use previously-generated one-use recovery codes to log in. If you don't have any one-use recovery codes saved, you'll have to go through our login recovery process.
If the email indicates the problem is with the password and you're not sure you have the right one, you can request a reset. When using temporary passwords generated by our system, the most common problems are:
We don't know what your password is, and there is no way for us to retrieve it. If a particular password is giving you trouble, even if you're sure you know what it is, your best option is often to request a reset anyway. (You can do this up to once an hour.)
When you enable two-factor authentication, you are supposed to generate and securely save one-use recovery codes. This situation is what those codes are for; they are used in lieu of codes generated by your two-factor device. As long as you have them, you can use one code to log in as normal and two codes to remove the two-factor device from your membership. Then you will be all set.
If for some reason you don't have those codes, you will have to complete our login recovery process.
To start that process, please send a message to email@example.com from the contact email address associated with your membership indicating that you want to complete the login recovery process to generate additional recovery codes.
Assuming you contact us from the correct email address, our system will send you a response listing which recovery actions are configured for your membership and how many of them you must complete, along with more specific instructions about how to proceed.
If, for some reason, you have lost your two factor device and access to your email at the same time, you're probably screwed, but if not you must do login recovery to update your email address first. We will not process recovery requests related to 2-factor devices from email addresses other than the current member contact address.
You can ask our system to send a message to the email address associated with your membership telling you what that address is by visiting the login recovery page.
If you know what your contact email address is but you can no longer access it, or if you have no idea what the address is and cannot find our recovery emails, please see this related entry.
Memberships are held by individuals and have that individual's name on them. Our policies strictly forbid both sharing memberships and transferring your membership to another person. (It is, however, quick, easy and allowable to transfer an account from one membership to another or to share an account between multiple memberships when appropriate.)
If you share or transfer control of your membership, we will eventually detect that, and the membership will be suspended. Murphy's law guarantees that this will happen at the time that is most inconvenient and problematic for you. If you're reading this entry, that time is probably now.
To restore access to a membership suspended for this reason, you must contact firstname.lastname@example.org from the email address that was on the membership prior to any fraudulent transfers, and complete all of the following steps:
If you do not have access to that email address, you must complete additional verification steps for a lost email address.
If someone else gave you control over their membership and it was subsequently frozen as a result, you will not be able to complete this process. Only the named member can do so. Your only recourse is to find them and obtain their assistance. This is true even if they quit, got fired, moved away, were voted out of office, broke up the band, divorced, went to jail, graduated, made a vow that forbids use of technology, whatever.
Please do not contact us asking for exceptions or special treatment. This situation only occurs as a direct result of violating our Terms & Conditions of Service (and the bold-print warnings presented at signup), and any problems that result are entirely self-inflicted.