We all have things we’d rather not tell the world about — whether that be a flagrant disregard for copyright law, a penchant for specialist videos, or a desire to simply stay out of Big Brother’s ever-probing eye. Whatever the reason, I think it’s about time we clear up a few things about anonymity online — and answer once and for all, whether it’s really possible. We’ve already tackled the topic of why email can never be secure from government surveillance, but I think it is worth tackling the Internet as a whole.
If you’d rather watch than read — I’ve got you covered.
It All Starts With Your IP
You probably already know this, but your IP address is the gateway to revealing everything about you. Your ISP keeps logs of who is assigned which IP and is able to map those to a customer. They keep records of this for varying lengths of time — typically 6 months to 2 years — and governments are trying to constantly increase this “retention period” to make recovering the identity of criminals easier.
Your IP is transmitted every time you access any website. The website you visit doesn’t know who you are, per se, but they will have records of every IP that accessed the site. These log files are minimal, and could easily be kept for years.
Claiming that it wasn’t you using the computer at the time is not an excuse. As the subscriber of that internet connection — even if you’ve made that connection available to patrons of your cafe — you are responsible, and legally liable for everything that goes through it. It’s your job to secure your own connection.
So with this is mind, how do you go about hiding your IP address?
Let’s get this out the way quickly. There’s been a lot of talk about the PirateBrowser lately, a specially customized version of Firefox released by the PirateBay team which includes elements of Tor and some proxy plugins pre-configured for you. It lets you access censored sites — thats all. It doesn’t make you anonymous. It bypasses any firewall blocks that your ISP or government has in place and lets you access the sites regardless, but it will not anonymise you. So I say it again, PirateBrowser will not make you anonymous.
HTTP Secure encrypts your connection to a website. The website itself will still know exactly what your IP address is and your activity on that site, but no one will be able to snoop on the traffic — such as your ISP.
So how about using only secure connections to websites? Well, that’s one option – but be sure to type HTTPS directly into your browser address bar.
Many sites will automatically redirect you to the secure version of the site once you’ve logged in; but that’s too late. If your connection to the site starts unsecured, then an attacker can sit in the middle and fake the secure handshake; they’ll redirect you to the unsecured version of the site and intercept everything you send.
Moving on, how about some good old VPNs? A VPN tunnels through your regular Internet and uses another remote server as your visible connection to the world — thereby giving you a different IP address. Ideally, one that can’t be mapped back to you. But not all VPNs are created alike.
In fact, some VPNs are known to give up customer information at a moments notice. HideMyAss is a particularly notorious example; despite what their nomenclature suggests, not a single inch of your posterior is covered if you break their terms of service, which includes conducting any illegal activity.
Some VPNs claim to keep no records at all, and this really is the only way to be truly safe from low level investigations. It doesn’t matter if authorities request the records — there simply aren’t any to give. But how much can you really trust the word of these companies? If they were cooperating with security agencies, they would have to deny it anyway. The lesson there: use a non-American VPN that has a trusted reputation of not keeping any records. Do your research first.
So, even if you do directly navigate to the HTTPS version of a site or use a VPN to secure the connection, if the site is hosted in America there’s a good chance the NSA already has a backdoor into their services with programs like the PRISM or could request one at a moments notice. You wouldn’t know if they were doing so because gag orders prevent them from telling anyone. It’s not just services hosted in America; agencies throughout the world cooperate with the government — the UK does exactly the same thing.
What about Tor?
Most people are under the impression that Tor is the ultimate in online anonymity, but a recent FBI operation took down the largest darknet child pornography site in the world, by injecting malware into the browsers of Tor users — and obtained the IP addresses of all the site members in the process.
Given enough time and effort, traffic correlation data can be used to identify users by controlling Tor nodes. The more you control and can snoop on traffic, the faster you can crack the anonymity. With one node it might take you 6 months to identify a single user. With 10s or 100s of nodes, you’re laughing. It’s not something your average hacker is going to do, but official surveillance budgets can clearly handle that level of commitment. Ultimately, Tor does not make you anonymous. If anything, the fact you’re even using Tor may be more of a red light for authorities to delve further.
No, You Can’t Be Anonymous
The ultimate truth is, there’s no real way to be truly anonymous online. But on the other hand, no government agency really cares that much about you pirating things or seeking encounters on CraigsList. A properly chosen VPN offers more than enough protection for most purposes. Tor even more so. Breaking your anonymity takes a lot of work, patience, and court orders (unless you’re NSA, then it’s just a few keystrokes away sometimes). But when it comes to things like planning to bomb things, or posting pictures of children — you’re never going to be safe. And that’s a good thing.
What is your personal point of view about online anonymity? Tell us in the comments.