HOW TO STAY ANONYMOUS ONLINE
Worried about leaking your identity online? Nik Rawlinson shows how it’s possible to stay anonymous with a few clever tools – and a little common sense
Google Chrome’s “incognito” mode used to open up with a warning that, even while you were supposedly surfing anonymously, secret agents could still be tracking your online activity. Most of us smiled and dismissed the idea as fantastical; then Edward Snowden broke cover and wiped the smiles from our faces. That specific disclaimer no longer appears, perhaps because we’ve all learned our lesson.
It certainly doesn’t mean the issue has gone away. Online surveillance is still a constant threat, and there are plenty of legitimate reasons for wanting to stay anonymous online. So how can we ensure that what we do in the privacy of our browser really does stay private?
The short answer is that we can’t What we can do, however, is minimise our exposure and make life as hard as possible for would-be snoopers.
SIGN UP TO A VPN
Perhaps the simplest and most effective step you can take to protect your privacy is to sign up with a reputable VPN provider, preferably one based overseas. This acts as an encrypted conduit for your internet activity, so that your ISP and other UK-based bodies can’t monitor what you’re doing – and it makes it a lot harder for the sites to trace where your connection is coming from.
There are plenty of services to choose from, but our advice has always been to pay for a reputable VPN service. Free providers are by no means universally illegitimate, but we’ve heard stories of user data being accidentally leaked, or deliberately sold to fund operations – which undermines the whole point.
Free providers may also insert their own content into your traffic, replacing third-party ads with their own, which isn’t always transparent and raises some troubling questions. At the end of the day, you need your VPN service to be 100% on your side, since they have the capability, should they choose, to see everything you do, from reading your emails to tracking your purchases on Amazon.
As long as you have picked a service you can trust, however, a VPN offers great peace of mind. There’s a supplementary benefit, too: you can normally route your connection through servers in a variety of different countries. This allows you to access content that’s not generally available to UK browsers, or see how your own site looks to international visitors – an easy way to check there are no issues with page loading times, rendering or censorship.
TURN TO TOR
Tor stands for “The Onion Router” – a name that hints at the multilayered way it works, routing internet traffic through multiple servers before finally passing it on to its destination.
There’s nothing new about the general idea of forwarding traffic around in this way – that’s basically how the whole internet operates. But Tor adds an encryption element, with each node that your data passes through decrypting a little more of the packet, like peeling away another layer of onion skin. By the time your
request reaches its destination (the website you want to visit), it will have been fully decrypted, but anyone trying to intercept it en route won’t have a complete record of your activity. For the same reason, even the nodes that handle your request won’t know precisely where it came from.
Tor sounds like the perfect tool for espionage – so it perhaps makes sense that it’s at least partly the product of the United States federal government, having been originally developed at the United States Naval Research Laboratory and refined by DARPA prior to its public launch in 2003.
There are questions, however, over whether Tor is really secure. Earlier this year, a vulnerability was found in the Tor web browser that could result in users accidentally connecting directly (and traceably) to their requested sites, without the benefit of Tor’s obfuscation. University researchers have found ways to work out the origins of Tor packets, and Europol has recently made some high-profile arrests by successfully exposing the identities of Tor users – though, understandably, the agency hasn’t gone into detail about its methods.
If you want to give Tor a go, it’s easy: visit torproject.org and you can download a browser (based on Firefox) for Windows, macOS and Linux that routes all of the traffic through the Tor network, as well as clearing out cookies and browsing history automatically. However, if you prefer to stick with Chrome, you
will find a selection of Tor extensions in the Chrome Web Store.
Like a VPN, Tor doesn’t just encrypt your data: it also conceals your location and other details about your connection. When we used the Tor Browser running on a Mac just outside London to visit iplocation.net, we were identified as a Windows 7 user in Paris. Subsequent attempts located us in Romania and Norway, so it’s going to be pretty hard for anyone to reliably track your ongoing activity. The only catch is that Tor’s convoluted routing has a big impact on browsing speed – using it can feel like a trip back to the days of the dial-up modem.
For Android users, another option is Orweb Private Web Browser, which routes requests over the Tor network (
FLUMMOX FINGERPRINTING
Staying anonymous online isn’t just about ensuring your traffic can’t be intercepted. The sites you visit can keep records of your visits and build up an alarmingly detailed profile of your interests and activity – even if you’re using a supposedly private browser that doesn’t store cookies from one session to the next.
They do this by recognising the device you’re using to connect. After all, there probably aren’t many PCs out there with the exact same combination of browser, memory, graphics hardware, screen resolution and so forth. The distinctive configuration of your computer acts like a fingerprint, so you can be identified each time you come back to the site – and there’s not much you can do to change it. Even if you switch browsers, you’re only altering one element of your unique technology mix. Unless you also swap out the graphics card, processor and several other elements at the same time, it’s likely you’ll still be recognised as the same person.
The thing that’s sinister about fingerprinting is that it’s not limited to a single site: fingerprint data can be shared and sold, so even sites you’ve never visited before can identify and track you as you move around the web – even if you’re not accepting cookies.
There are ways to defeat fingerprinting. As we’ve seen, when you surf with the Tor browser, the server you’re connecting to sees the details of the exit point of your connection, rather than the computer you’re sitting at, so it can’t build up a profile. Using a VPN isn’t so safe, though: your apparent location changes, but information about your
computer configuration is forwarded to the site you’re visiting.
You can reduce your exposure to fingerprinting by disabling JavaScript, because many servers use JavaScript routines to gather their data. Unfortunately, this will also stop many sites from working properly. It’s also worth looking for browser extensions that can block specific fingerprinting techniques.
CRUNCHING COOKIES
We all know that cookies allow websites to store information about you, and if you value your privacy it’s a sensible idea to clear them out regularly. But regular cookies aren’t the only sort of data that sites might store on your PC.
For example, when you access an Adobe Flash element, data packets called “local shared objects” are saved onto your PC. These are managed by the Flash host, rather than the browser, so they may not be deleted when you purge your cookies, and they can be used to identify you even if you switch browsers.
Flash isn’t as ubiquitous as it once was, but it’s still worth checking if you’ve got Flash objects hanging around on your system by inspecting the following locations (in File Explorer, make sure “View hidden items” is ticked) :
C:\Users\[you]\AppData\Local\Macromedia\FlashPlayer\#SharedObjects\
C:\Users\[you]\Macromedia\FlashPlayer\macromedia.com\support\flashplayer\sys\
If you’re using Chrome, also check this folder:
C:\Users\[you]\AppData\Local\Google\Chrome\UserData\Default\PepperData\ShockwaveFlash\WritableRoot\ #SharedObjects Another sort of cookie that isn’t easily dislodged is the sinister “Evercookie”. This tracking file is dropped onto your PC by a JavaScript app embedded in a website; it’s saved in the regular cookie folder, but also duplicated in more than a dozen locations across your PC. If you delete the cookie, the script will quietly reinstate a copy from these locations, and the tracking will continue without your knowing it. Evercookie isn’t merely a theoretical threat, though: according to documents released by Edward Snowden, GCHQ in the UK and the National Security Agency (NSA) in the US have both shown interest in using Evercookie to track users across the Tor network. There’s no straightforward, universal way of purging all of the Evercookie data, although disabling JavaScript should prevent deleted cookies from being replaced. If you’re concerned, a quick web search will yield a few approaches to try.