I don’t need to cover my traces, or do I?

6824175422_003a2ca642_bAnonymity on the net is a topic that is discussed more and more frequently. We all know that many services on the net can be used anonymously. Or can they? The Internet is a giant data processing machine, and data about us users is getting more and more important. Anonymity on the net is to an increasing degree becoming a hallucination. Your access is logged, your surfing is tracked by cookies and the big data companies are even gathering info about your non-digital life. People are to an increasing degree doing things online thinking they are anonymous, but in reality they leave traces behind. These traces can lead back to their real identities, and in worst case put them in serious trouble.

I’m not going into the big picture about anonymity and privacy here. I’m going to present a tool that can be used to obfuscate your true identity. The anonymity network TOR. This is a tool and network that provides fairly strong protection against anyone who try to find out where a connection over the Internet really came from.

Let’s first debunk two myths.

  • This kind of stuff is only needed by criminals. I’m a law-obeying citizen! Well, yes. It is in most cases OK to surf without this kind of protection. But it is also good to be aware of this possibility. There are situations where it can be smart to cover your traces even if you have perfectly honest intentions. And being anonymous is not wrong in any way, you have the right to use this kind of tool if you like.
  • I don’t know how to do this. I’m no hacker. Don’t worry. Using this tool is no harder than installing a program on your computer.

So what’s the problem we are trying to tackle here? Practically all services on the net log all access. This log contains the so called IP-address that you are using, no matter if you have entered your real name at the site or not. The IP-address is a numeric code that is unique for all devices that connect to the net. Your ISP assigns one to your computer (or router, or modem) automatically when you connect to the net and you don’t have to worry about that. When you surf “anonymously” on a site, the site owner will know this IP-address but not who it has been assigned to. That information remains in the ISP’s log and is typically revealed only to authorities when investigating crimes. (Depends on local laws.) So you can under normal circumstances be traced back to your ISP, but the trace stops there.

So you have a certain level of privacy when surfing from home. But what about your computer at work? Here the company is in the ISP’s position. All traffic you generate can easily be traced to the company, but not to your workstation. The company’s administrators may be able to trace further, but that depends on how the internal network is managed.

Here’s some examples of situations where the default protection may be insufficient:

  • Your ISP may protect your identity, but how reliable is that? Someone may present fraudulent accusations to get access to your true identity. People may misuse their access rights and leak data. The ISP’s employees are just humans after all. You don’t have to worry about that if you are using TOR.
  • What if you discuss something online from work, but the topic is totally unrelated to your employer? Or even in conflict with your employer’s interests. Then it’s best if no one afterwards can claim that someone from that company made a comment in the discussion.
  • If you consider becoming a whistle-blower, get TOR! Handle the case through TOR exclusively. This is a tricky situation where you may break contracts or even the law, and still do very much good for the society. You may have to pay a high price for being a hero unless you protect yourself.
  • TOR can circumvent some national censorship schemes. This benefit is obvious in totalitarian states, but might be more relevant to you than you think. Finland, for example, is considered to be a democratic country without severe human rights problems. But despite that we have an Internet censorship scheme that was developed to stop child pornography. Now it is misused to block on-line poker, criticism against the authorities and many other things. The list of censored sites is secret and site owners can’t challenge it in court. But TOR-users have free access. (Yes, seriously! Sounds like China or Iran but this is in EU.)
  • TOR is not only protecting your identity, it also encrypts traffic and prevents 3rd parties from finding out what you are doing and who you are communicating with. This may be beneficial if you don’t trust the network you are using. A good example is FRA in Sweden. They have legal rights to intercept all network traffic crossing Sweden’s borders, including traffic in transit to other countries. A bummer for us here in Finland as our cables to the world go west.

TOR is a privacy network that routes your traffic through a chain of several randomly picked servers before it goes to the site you are accessing. The traffic is encrypted all the way from your computer to the last relay machine. The protocol is also designed so that the relaying machines never know more than they need to know. The first server knows who you are but not what you are doing or what site you are accessing. The last server can see your traffic in plaintext and knows where it is going, but do not know who you are. None of this is however logged by the TOR relays as their purpose is to ensure your privacy. Even if someone with malicious intent would get hold of one of these servers, they would not be able to reveal your secret.

The simplest way to use TOR is to download and install the browser bundle. It consists of two parts that work together seamlessly. “Vidalia” is the control center that sets up the chain of secure servers and handles communication. “TorBrowser” is a Firefox-based web browser that is preconfigured to communicate through TOR. It makes it easy to start using TOR, no nerdy settings needed. A separate browser is also really necessary to guard your privacy as your normal browser is full of cookies that can identify you.

Installing TOR is easy, but that alone does not guard your identity. If you want to be truly anonymous at some certain site, you need to follow some additional guidelines.

  • Do not use a user name or account that you have used previously without TOR. That account can be connected to your real IP-address using old log entries. Start fresh and create a new account through TOR. Needless to say, your new alias shall not give any hint about your true identity.
  • Make sure that all your access to the site where you want to be anonymous is through TOR. Even a single login from a connection that can be traced may reveal you.
  • If you have to provide a mail address for your new account, use TOR to create a new mailbox in a webmail service of your choice and use that address exclusively. tormail.org is an alternative if you are paranoid.
  • Think about what info you submit when anonymous. Personal info is naturally no-no, but also other kind of knowledge may reveal you or limit the number of possible persons behind your alias.
  • Don’t use both your anonymous identity and your real identity from the TorBrowser at the same time. This makes it possible to tie them together as they both would use the same IP-address. You can use the Vidalia-console to refresh the IP-address that is shown outwards. Make sure you do this before logging in with another identity, or use your real-life identity from your normal browser instead.
  • Don’t break the law. That is of course good advice in generic as well. In this case a criminal investigation will pose a greater threat against your anonymity as the authorities have much more abilities to trace you.

Disclaimer. I hope you never truly need this kind of protection. But if you are in doubt, play safe and cover your tracks. Also keep in mind that it is tricky to be truly anonymous on the net. That is especially true if you are wanted by the authorities. Do not rely solely on this article if you are in a situation where your personal safety depends on anonymity, like for high-end whistle-blowers or opposition activists in non-democratic countries. What’s said above is a good start in these situations too, but you should get a more comprehensive understanding of on-line anonymity before putting yourself at risk.

Check what your surfing looks like from the site owners’ perspective. This site reveals the info. If using several connections, like home and work, check all of them. If you install TOR, visit the site from the TorBrowser to see how the address has changed.

Safe surfing,
Micke

PS. Another way to see the need for anonymity. The law protects our property against thieves, but still we use locks. The law protects our privacy on-line (to some extent), but most people do not enforce that in any way. TOR is for privacy what a lock is for theft. Why not play safe and lock it?

Photo by zigazou76 @ Flickr

More posts from this topic

sign license

POLL – How should we deal with harmful license terms?

We blogged last week, once again, about the fact that people fail to read the license terms they approve when installing software. That post was inspired by a Chrome extension that monetized by collecting and selling data about users’ surfing behavior. People found out about this, got mad and called it spyware. Even if the data collection was documented in the privacy policy, and they technically had approved it. But this case is not really the point, it’s just an example of a very common business model on the Internet. The real point is what we should think about this business model. We have been used to free software and services on the net, and there are two major reasons for that. Initially the net was a playground for nerds and almost all services and programs were developed on a hobby or academic basis. The nerds were happy to give them away and all others were happy to get them for free. But businesses run into a problem when they tried to enter the net. There was no reliable payment method. This created the need for compensation models without money. The net of today is to a significant part powered by these moneyless business models. Products using them are often called free, which is incorrect as there usually is some kind of compensation involved. Nowadays we have money-based payment models too, but both our desire to get stuff for free and the moneyless models are still going strong. So what do these moneyless models really mean? Exposing the user to advertising is the best known example. This is a pretty open and honest model. Advertising can’t be hidden as the whole point is to make you see it. But it gets complicated when we start talking targeted advertising. Then someone need to know who you are and what you like, to be able to show you relevant ads. This is where it becomes a privacy issue. Ordinary users have no way to verify what data is collected about them and how it is used. Heck, often they don’t even know under what legislation it is stored and if the vendor respects privacy laws at all. Is this legal? Basically yes. Anyone is free to make agreements that involve submitting private data. But these scenarios can still be problematic in several ways. They may be in conflict with national consumer protection and privacy laws, but the most common complaint is that they aren’t fair. It’s practically impossible for ordinary users to read and understand many pages of legalese for every installed app. And some vendors utilize this by hiding the shady parts of the agreement deep into the mumbo jumbo. This creates a situation where the agreement may give significant rights to the vendor, which the users is totally unaware of. App permissions is nice development that attempts to tackle this problem. Modern operating systems for mobile devices require that apps are granted access to the resources they need. This enables the system to know more about what the app is up to and inform the user. But these rights are just becoming a slightly more advanced version of the license terms. People accept them without thinking about what they mean. This may be legal, but is it right? Personally I think the situation isn’t sustainable and something need to be done. But what? There are several ways to see this problem. What do you think is the best option?   [polldaddy poll=8801974]   The good news is however that you can avoid this problem. You can select to steer clear of “free” offerings and prefer software and services you pay money for. Their business model is simple and transparent, you get stuff and the vendor get money. These vendors do not need to hide scary clauses deep in the agreement document and can instead publish privacy principles like this.   Safe surfing, Micke     Photo by Orin Zebest at Flickr

April 15, 2015
BY 
webpage screenshot TOS

Sad figures about how many read the license terms

Do you remember our stunt in London where we offered free WiFi against getting your firstborn child? No, we have not collected any kids yet. But it sure was a nice demonstration of how careless we have become with user terms of software and service. It has been said that “Yes, I have read then license agreement” is the world’s biggest lie. Spot on! This was proven once again by a recent case where a Chrome extension was dragged into the spotlight accused of spying on users. Let’s first check the background. The “Webpage Screenshot” extension, which has been pulled from the Chrome Web Store, enabled users to conveniently take screenshots of web page content. It was a very popular extension with over 1,2 million users and tons of good reviews. But the problem is that the vendor seemed to get revenues by uploading user behavior, mainly visited web links, and monetizing on that data. The data upload was not very visible in the description, but the extension’s privacy policy did mention it. So the extension seemed to be acting according to what had been documented in the policy. Some people were upset and felt that they had been spied on. They installed the extension and had no clue that a screenshot utility would upload behavior data. And I can certainly understand why. But on the other hand, they did approve the user terms and conditions when installing. So they have technically given their approval to the data collection. Did the Webpage Screenshot users know what they signed up for? Let’s find out. It had 1 224 811 users when I collected this data. The question is how many of them had read the terms. You can pause here and think about it if you want to guess. The right answer follows below.   [caption id="attachment_8032" align="aligncenter" width="681"] Trying to access Webpage Screenshot gave an error in Chrome Web Store on April 7th 2015.[/caption]   The privacy policy was provided as a shortened URL which makes it possible to check its statistics. The link had been opened 146 times during the whole lifetime of the extension, slightly less than a year. Yes, only 146 times for over 1,2 million users! This means that only 0,012 % clicked the link! And the number of users who read all the way down to the data collection paragraph is even smaller. At least 99,988 % installed without reading the terms. So these figures support the claim that “I have read the terms” is the biggest lie. But they also show that “nobody reads the terms” is slightly incorrect.   Safe surfing, Micke   PS. Does F-Secure block this kind of programs? Typically no. They are usually not technically harmful, the user has installed them deliberately and we can’t really know what the user expects them to do. Or not to do. So this is not really a malware problem, it’s a fundamental problem in the business models of Internet.   Images: Screenshots from the Webpage Screenshot homepage and Chrome Web Store    

April 8, 2015
BY