How to be completely, absolutely, but not really, only a little bit anonymous.
By J.M. Porup
Senior Writer, CSO |
Anonymity and privacy are not about closing the door when you go to the bathroom. For the individual, they might be about personal autonomy, political liberty or just protecting yourself in the digital world.
For the enterprise, employee privacy mitigates the risk of social engineering attacks, even blackmail. The more an attacker can learn about key people within an organization, the more targeted and effective they can make their attacks. Educating employees about how to protect their privacy, therefore, should be a core part of any security awareness program.
You can take specific, concrete steps to protect your privacy or that of your organization’s employees, but they require energy, time and some technical know-how.
Privacy vs. anonymity
The universe believes in encryption, a wise man once opined, because it is astronomically easier to encrypt than it is to brute force decrypt. The universe does not appear to believe in anonymity, however, as it requires significant work to remain anonymous.
We are using privacy and anonymity interchangeably, and this is incorrect. An encrypted message may protect your privacy — because (hopefully) no one else can read it besides you and your recipient — but encryption does not protect the metadata, and thus your anonymity. Who you're talking to, when, for how long, how many messages, size of attachments, type of communication (text message? email? voice call? voice memo? video call?), all this information is not encrypted and is easily discoverable by sophisticated hackers with a mass surveillance apparatus, which is most these days.
A final thought before we dig into specific technical tools: "Online" is now a meaningless word. Meatspace and cyberspace have merged. We used to live in the "real world" and "go online." Now we live online, and things like geotracking of cell phones, facial recognition in public physical spaces, and so forth mean no amount of "online anonymity" will help you if your meatspace self is not also anonymous, which is nearly impossible these days.
Here are some steps to being completely, absolutely, but not really, only a little bit anonymous.
1. Use Signal
You may have heard the mantra, "Use Signal, use Tor," and while this one-two punch combo is a great start, it won't take down your opponent. Signal is the best-of-breed encrypted messaging app that lets you send text messages and voice memos as well as voice calls and audio calls. It looks and feels just like any other messaging app but under the hood uses encryption that, to the best of our knowledge, not even the National Security Agency can brute-force.
What about the metadata? Any network-level adversary can tell that you're using Signal, for starters, and if your adversary is the U.S. or Five Eyes, then they have mass surveillance access to all Signal traffic and know who is talking to whom, when and for how long.
The makers of Signal are well aware of these technical limitations and are researching ways to push the boundaries of what's possible. Metadata-resistant communication is an unsolved, cutting-edge technical research problem.
Bottom line: Signal is the most secure, easy-to-use messaging app available to date, and offers marginally more anonymity than any other app. Do not rely on it for strong anonymity, however. In fact, it's questionable whether anything provides strong anonymity these days, which brings us to Tor...
2. Use Tor
Tor is the largest, most robust, and most effective metadata-resistant software project, and the Tor Project does great work in the space, but the technical limitations of how much anonymity Tor can achieve have been evident to researchers for some time. No clear fix or replacement looms large on the horizon.
The Onion Router, better known as Tor (which is not an acronym by the way; the initial-caps spelling is a shibboleth to identify outsiders) is optimized for low-latency web browsing, only supports TCP (not UDP, sorry torrenteers), and won't work when accessing many larger websites, as they block access via Tor.
Tor does not offer guaranteed, complete anonymity, even for web browsing, but it is the best thing we've got at the moment. Like so many things in life (and the internet), Tor is dual use. The same technology journalists use to research stories anonymously is also used by criminals to do bad things. When you hear folks badmouthing the scary "Dark Web" and suggesting "someone should do something," remind them that just because bank robbers drive cars on the highway doesn't mean we propose banning cars or highways.
The Tor Browser should be your go-to choice for mobile usage. The Brave browser also offers a Tor option. There’s an official Tor Browser app for Android devices and OnionBrowser offers a Tor Project-endorsed but unofficial app for iOS.
3. Don’t expect anonymity from VPNs
VPNs are not anonymous. There is literally nothing anonymous about using a VPN. No anonymity here. Did we mention VPNs don't offer anonymity? Just wanted to make sure we're clear on this point.
Since everyone expects VPNs on a list of anonymity tools, we're going to debunk the idea instead. All a VPN does is move trust from your ISP or, if you're traveling, your local coffeeshop or hotel or airport WiFi network to someone else's server. There are many legitimate security reasons why using a VPN is a great idea, but anonymity is not on that list. Anywhere. Not even at the bottom.
Unlike Tor, which bounces your traffic through three Tor nodes spread across the internet, making it very difficult, but not impossible, for an adversary to see what you're doing, a VPN simply shifts your traffic from your ISP (at home) or coffee shop WiFi (on the road) to the VPN's servers. That means the VPN provider can see all your traffic. That means that an adversary that gains control of the VPN's servers, by hacking them or by serving the VPN provider with a court order, can also see all your traffic.
VPNs are great. Use them. The good ones are way more trustworthy than your dodgy local coffeeshop WiFi network, but they offer zero anonymity.
4. Use zero-knowledge services
Google can read every email you send and receive. Office 365 scans everything you write. DropBox opens and examines everything you upload. All three companies — among many others — are PRISM providers, per the Snowden documents, meaning they cooperate with mass surveillance programs. If Google can see it, so can folks in Washington. You have no privacy on any of these services.
Of course, you could encrypt everything before using Gmail or before uploading your vacation photos to DropBox. If you care about privacy, and can figure out how to use PGP, you probably should. On the other hand, though, you could also choose to use service providers that advertise zero-knowledge file storage.
While you can never fully trust that a service provider hasn't been backdoored, DropBox-alternative SpiderOak, based in the U.S., advertises zero-knowledge file storage. Protonmail, based in Switzerland, advertises zero-knowledge email and claims that it's mathematically impossible for them to hand over your email to a third party.
We don't endorse any of these providers, and you should do your homework before entrusting anything important to them. However, the field of zero-knowledge file storage is an encouraging sign, and one worth keeping an eye on.
5. Be careful what you post online
Privacy is about autonomy, the notion that you choose to share what you want to share and to keep private what you want to keep private. If there's something going on in your life you don't want the entire world to know about, then posting about it on social media — for the entire world to see — may, ergo, not be the best idea.
There's a striking generational gap on this topic. Older generations cringe at the idea of airing their dirty laundry in public, while the generation that grew up with a cell phone welded to their palm thinks over-sharing is normal. There's a time and place for everything. Deliberate sharing of things you want to the world to see clearly has value.
Consider also that sharing a particular detail about your life may not appear sensitive on its own but taken in aggregate with many other shared personal details can build up a picture that you might hesitate to put onto a hostile internet.
Publishing on social media today is more permanent than chiseling hieroglyphics in stone. Take a step back and consider the whole picture of what you're sharing.
6. Check those app permissions
Mobile apps, for both iOS and Android, tend to request way more permissions than they actually need and are frequently caught extracting personal details from users' phones and transmitting those details back to the app maker in highly inappropriate ways.
Does that random app really need access to your microphone? (What for? Is it going to record everything you say?) What about your location? (Why? Is it going to track your location?) Your address book? (Does that app really need to know who all your friends are? What for?)
Neither Android nor iOS make it especially easy to do so, but dig through your settings and turn off unneeded permissions with extreme prejudice.
7. Use an ad blocker
In the olden days of glorious yore, advertisements were a one-to-many broadcast. An advertisement today bears no relationship to your grandpa's ads. Now one-to-one advertising networks watch you to better target ads at you.
Tracking your every move online and, increasingly, in meatspace, is the business model of huge chunks of Silicon Valley. Google and Facebook are two of the largest players in this space, and they track you all across the web and into meatspace, even if you don't have an account with either (though most of us do), and even if you aren't logged in.
Installing an ad blocker is no magic cure, but a paper-mache sword is better than nothing at all when the enemy hordes invade. The Brave Browser blocks ads and trackers by default. AdBlock has a good reputation, and other extensions are worth exploring, such as the Electronic Frontier Foundation’s excellent Privacy Badger extension. You can also sinkhole ad network DNS requests at your local router level.
8. Dump your home assistant
If you value your privacy and anonymity, for the love of the dogs chuck your home assistant (Amazon Echo, Google Home, etc.) and your snitch-in-a-box (Amazon Ring) into the trash. These always-on digital snoops are poisonous to privacy and anonymity, and there is no meaningful way to make them less privacy-invasive.
Ubiquitous deployment of such "assistants" makes clear the collective action problem: It doesn't matter if you choose not to purchase and install one of these devices. If all your neighbors own them and use them, then your privacy is toast. If everyone else in your neighborhood has a Ring recording everything that happens, then your movements in meatspace will also be recorded and tracked.
The technical tips we've provided here offer little more than a band-aid on a gaping wound. Use them, but be under no illusion that they will do much to protect your privacy.
- Data and Information Security
- Small and Medium Business
Got news? Contact me securely: https://github.com/toholdaquill/contact Or for low security conversation: email@example.com
Copyright © 2020 IDG Communications, Inc.
7 hot cybersecurity trends (and 2 going cold)
Is there a way to be completely anonymous online? ›
Follow these steps to hide your identity online completely: Connect to a VPN, which will hide your IP address and browsing history. Use Tor as your browser, which hides your IP address and your web activity. Use a secure email provider like ProtonMail, which provides end-to-end encryption.Do you think it is possible to be truly anonymous when you are online Why or why not? ›
How It Works: It is virtually impossible to remain anonymous on the Internet. As a consequence of the protocols used for Internet communication, some details of your device's setup are communicated to your Internet service provider, and often to the site or service you are using.Does a VPN make you completely anonymous? ›
To combat this uncertainty, security experts commonly recommend using virtual private networks (VPNs) and secure browsers to keep your browsing history and personal information off the grid. The reality, however, is that these solutions can't completely keep your activity private and safe.What are the 5 positive aspects of the freedom to be anonymous on the Internet? ›
- Free speech. Being anonymous online means being able to fully exercise freedom of speech. ...
- Freedom of movement. ...
- An online persona. ...
- Personal safety. ...
- Data security.
- Identity Protection. Sometimes you just don't want anyone to know who you really are. ...
- Personal Harassment. Online anonymity also plays an important role in freedom of expression. ...
- Sensitive Issues.
You can also use a keyboard shortcut to open an Incognito window: Windows, Linux, or Chrome OS: Press Ctrl + Shift + n. Mac: Press ⌘ + Shift + n.What are the positive and negative aspects of the freedom to be anonymous on the Internet? ›
- Pro: Freedom of Speech.
- Con: Online Abuse.
- Pro: Less Judgement.
- Con: It's Easy to Lie.
- Con: Few Repercussions.
- Pro: Whistleblowers Can Get Information Out There.
- Con: Information Cannot be Trusted.
If you remain anonymous when you do something, you do not let people know that you were the person who did it.Should anonymity be allowed on the Internet essay? ›
Yes – Anonymity should be allowed on the internet:
Not everyone can freely express their opinions. If they do so, they may face threats or bullying. Anonymity allows them to express their views without compromising their safety & sanity. This upholds freedom of expression and can help in the betterment of the world.
Police can't track live, encrypted VPN traffic, but if they have a court order, they can go to your ISP (Internet Service Provider) and request connection or usage logs. Since your ISP knows you're using a VPN, they can direct the police to them.
Which VPN is most private? ›
- NordVPN - Best VPN for Privacy.
- Surfshark - Best VPN for Security.
- Private Internet Access VPN - Best VPN for Windows.
- IPVanish - Best Customer Support.
- Ivacy - Most Affordable.
- Atlas VPN - Best Data Breach Monitoring.
- ExpressVPN - Best Encryption.
- PureVPN - Best Server Base.
Internet service providers (ISPs), websites, and even governments can determine whether you're using a VPN. They might not know what you're up to online, but they will have no difficulty with VPN detection.Why is anonymity so important? ›
The anonymity in everyday life enables people to be free to do many worthwhile things without feeling inhibited. The loss of anonymity might make many people more civil in their speech and more circumspect in their actions. That's a good thing. But it might also chill a lot of valuable expression.What is the purpose of anonymity? ›
Anonymity is often used to protect the privacy of people, for example when reporting results of a scientific study, when describing individual cases. Many countries even have laws which protect anonymity in certain circumstances.What is the effect of anonymity? ›
Behavioral studies on the role anonymity plays in online interactions have yielded mixed results. Overall, researchers have found that anonymity can reveal personality traits that face-to-face interactions may hide, but that it also allows strong group rules and values to guide individual behavior.Is total anonymity possible? ›
But can you ever truly be anonymous on the dark web? In short: no. You can't be truly anonymous on the web, at least, not without wildly sophisticated pieces of technology that are more in line with a hacker's advanced needs.Can you be completely anonymous on OnlyFans? ›
It's impossible to stay completely anonymous while using OnlyFans since you'll need to share some payment information with the platform. That's a double-edged sword. It's a good thing, because it creates a fair market for performers and users.Is Tor still anonymous? ›
Tor Browser is anonymous in terms of hiding your location and browsing activity — but there are limits. Although they can't see your browsing activity or Tor encrypted data, your ISP can still see that you're using Tor.How do I make my internet private? ›
- Commit to sharing less online.
- Use strong, unique passwords and two-factor authentication.
- Tighten privacy settings for your online accounts.
- Purge unused mobile apps and browser extensions.
- Block search engines from tracking you.
- Browse online with a secure VPN.