Tuesday, 9 September 2014

Basic Guide to Online Anonymity

I am often asked by people of no particular denomination what it is that they need to do in order to remain anonymous online. I therefore thought I’d share some insight here.
First, let’s have a closer look at the problem. Note the main issue people are trying to work around is not how to prevent the contents of whatever it is they do online from falling into the wrong hands. Although there are plenty of issues in that department, well implemented encryption can do a fine job as long as it's comprehensive. No, the thing that bothers these people is how to prevent their metadata from being acquired by others. As in, how to avoid leaving tracks behind when one operates online.
The first and most obvious need is to hide one’s direct activities. That is, prevent records of what one did online from accumulating somewhere in the first place, with “somewhere” usually standing for your ISP (Internet Service Provider). There are three core avoidance strategies there: proxy, VPN and TOR.
Using a proxy server implies that all your requests to access certain parts of the Internet are made on your behalf through your proxy server of choice. Whoever is looking at the breadcrumb trail you’ve left behind will see you communicating with that server, but unless they have access to the proxy server's own records did they will not be able to know what you did. On the downside, using a proxy server does not mean the connection between you and the server is necessarily encrypted. By the nature of Internet things, a lot if not most of traffic isn’t encrypted. Therefore, while leaving not much in the way of metadata behind, you will still leave lots of data behind. That is where the VPN solution steps in.
The VPN solution takes the proxy approach a step further. Everything coming and going out of your computer (or smartphone or tablet) is channelled through an encrypted tunnel between you and the VPN server. There are some very sophisticated ways to tell the nature of what’s passing between you and the VPN, but not much more.
In the eyes of the rest of the world, it is not you who is communicating with the world through the Internet, but rather the VPN server. That means you put your trust with that VPN server – and that’s a lot of trust to put in someone’s hands. On the other hand, there are VPN providers whose main purpose in life is to provide a reliable channel that does not keep any records of your activities (check here for best of breed references).
TOR steps in to provide an even more secure solution. With TOR, your traffic goes in and out of the TOR network’s exit nodes several times; research indicates that after three such hoops it is effectively impossible to determine where the traffic came from. Sounds cool, but TOR has its issues: it is very slow, and by piggybacking on it you use the generosity of several nice people who lend their hand to provide an exit node. TOR is therefore not suitable for high volume traffic, like downloading or streaming; I prefer to leave it to the world’s oppressed so that they have an easier time using the Internet for constructive causes.

So far we have discussed means to hide an Internet user’s IP address from the rest of the world. That is, how to prevent your computer's identifying address from getting collected in direct association with you. Whether through proxy, VPN or TOR, your main achievement is that the other side – the place on the Internet you’re communicating with – does not know who you are; instead, they recognise “you” as the proxy server, VPN server or that last TOR exit.
However, there are other ways of knowing what you’re up to online. When one uses the Internet one leaves behind a long trail of metadata. Trying to be anonymous online is, in effect, an act of making an effort to minimise that trail of metadata. For anyone other than superman, completely eliminating one's trail is as achievable as getting to that pot of gold at the end of the rainbow.
One fine example of this trail is the matter of DNS. Every time you ask to access a certain website, someone needs to be able to identify where exactly that website resides for you. That someone is called a DNS server. The DNS server contains the location of popular websites, recently used by others websites as well as other DNS servers that might know more about the locations of things on the Internet. By default, most of us use the services of our own Internet provider’s DNS server.
The catch with using your Internet provider’s DNS server is that by doing so you are letting your provider know where you wanted to make your computer connect to through the Internet. Not the smartest way of going about if one wants to keep one’s online activities for oneself.
There are solutions available in the shape of other DNS servers. No one is forcing you to use your provider’s; you can relatively easily direct your browser or your router to use another. Google offers popular DNS servers that hold onto user requests info for 24 hours only, although it probably does the most it can analysing that data for its core business of selling advertisements.
The plot thickens, though. For example, the better VPN services will direct your querying computer to their own set of DNS servers. However, there is often some unreliability in the air that causes “leaks”: despite the best of intentions from your VPN provider, your computer still directs some or all of its DNS queries to your ISP's server. One can check for such leaks through the help of web facilities such as this.
One can and should make even further efforts in order to ensure their online anonymity. For example, there is no point in going through all of the above measures if you’re still logged into Google’s services (say, your Gmail account). Or, for that matter, if your computer is running an email application that checks with Google for updates regularly. Or if your computer checks on a named Apple or Microsoft account for updates. As recently discussed here, you may even be identified through the unique settings of your browser; on the other hand, you may choose to fight back by spoofing your browser’s identification using such tools as Random Agent Spoofer add-on for Firefox.
I can continue further with this list of additional things to be aware of if one wants to ensure online anonymity. I won’t, though, because the point I am trying to make is that this is an effort for which perfection demands such attention levels that there is no point in trying to achieve it. Take the Dread Pirate Roberts from the illegal drugs trading TOR "dark Internet" site Silk Road: this criminal mastermind was identified through the anti-abuse CAPTCHA service he applied to his site (see here for details).
One needs to understand that when one attempts online anonymity, one is – in effect – wearing protective onion rings on top. Most companies and people will be thrown off the track by the outer shells, but the experienced hacker can go deeper. Authorities such as the NSA, with their infinite arsenal of knowledge, resources and vulnerabilities will get you if they put their mind to it; as my colleague Edward Snowden has shown, they might not be able to crack all manner of encryption yet, but they can sure as hell infiltrate anybody’s computer if they put their collective mind to it.

If that is the case, then why bother with aspiring for online anonymity in the first place?
In our recent climate of terrorism fear mongering and governments trying to look tough by being tough on terror, we’ve been hearing that “nothing to fear, nothing to hide” argument all too often. Usually in the context of allowing governments to keep track of everybody’s exact history of online and mobile phone activities. Yes, our governments are seeking the legal right to know exactly where we were, when and what we did. We are told that we needn’t worry about them being able to do so, because we have nothing to fear as long as we have nothing to hide.
Or do we? I don’t know about you, but I don’t want a governments with proven track records in losing people’s information, being hacked to death, or just harbouring plenty of petty criminals to have access to my detailed financial information. I do not want anyone and everyone to know the finer details of my health records. And if you have a chat with Jennifer Lawrence, she will tell you that she doesn’t particularly want various third parties looking at her private photos. In other words, we all have something to hide. Even if we are law abiding citizens, and I consider myself to be one, we still have things we want to keep to ourselves.
The problem is, all this information of ours that we put online is getting collected by multitudes of governments and companies who use our information to their own selfish purposes. Usually it’s to make money, and often it is done in ways that we would not approve. None of us will let someone we bump into on the street grab our phone, take our photos from it and print them for the whole world to see. Yet that is exactly what most of us are doing by the mere act of taking a photo with our smartphone, with the slight difference that the person collecting our photo is actually one or many companies.
Most people seem happy to live in blissful ignorance with regards to these issues. I don’t, which goes a long way into explaining why I will make an effort to have the ability to be [near] anonymous online.

Image by Keoni Cabral, Creative Commons (CC BY 2.0) licence

No comments: