STAY ANONYMOUS ONLINE
WORRIED ABOUT LEAKING YOUR IDENTITY ONLINE? NIK RAWLINSON SHOWS HOW IT’S POSSIBLE TO STAY ANONYMOUS WITH A FEW CLEVER TOOLS – AND A LITTLE COMMON SENSE
Worried about leaking your identity online? Nik Rawlinson shows how it’s possible to stay anonymous with a few clever tools – and a little common sense
Google Chrome’s “incognito” mode used to open up with a warning that, even while you were supposedly sur ng anonymously, secret agents could still be tracking your online activity. Most of us smiled and dismissed the idea as fantastical; then Edward Snowden broke cover and wiped the smiles from our faces. That speci c disclaimer no longer appears, perhaps because we’ve all learned our lesson.
It certainly doesn’t mean the issue has gone away. Online surveillance is still a constant threat, and there are plenty of legitimate reasons for wanting to stay anonymous online. So how can we ensure that what we do in the privacy of our browser really does stay private?
The short answer is that we can’t What we can do, however, is minimise our exposure and make life as hard as possible for would-be snoopers.
SIGN UP TO A VPN
Perhaps the simplest and most effective step you can take to protect your privacy is to sign up with a reputable VPN provider, preferably one based overseas. This acts as an encrypted conduit for your internet activity, so that your ISP and other Australian-based bodies can’t monitor what you’re doing – and it makes it a lot harder for the sites to trace where your connection is coming from.
There are plenty of services to choose from, but our advice has always been to pay for a reputable VPN service. Free providers are by no means universally illegitimate, but we’ve heard stories of user data being accidentally leaked, or deliberately sold to fund operations – which undermines the whole point.
Free providers may also insert their own content into your traf c, replacing third-party ads with their own, which isn’t always transparent and raises some troubling questions. At the end of the day, you need your VPN service to be 100% on your side, since they have the capability, should they choose, to see everything you do, from reading your emails to tracking your purchases on Amazon.
As long as you have picked a service you can trust, however, a VPN offers great peace of mind. There’s a supplementary bene t, too: you can normally route your connection through servers in a variety of different countries. This allows you to access content that’s not generally available to Australian browsers, or see how your own site looks to international visitors – an
easy way to check there are no issues with page loading times, rendering or censorship.
TURN TO TOR
Tor stands for “The Onion Router” – a name that hints at the multilayered way it works, routing internet traf c through multiple servers before nally passing it on to its destination.
There’s nothing new about the general idea of forwarding traf c around in this way – that’s basically how the whole internet operates. But Tor adds an encryption element, with each node that your data passes through decrypting a little more of the packet, like peeling away another layer of onion skin. By the time your request reaches its destination (the website you want to visit), it will have been fully decrypted, but anyone trying to intercept it en route won’t have a complete record of your activity. For the same reason, even the nodes that handle your request won’t know precisely where it came from.
Tor sounds like the perfect tool for espionage – so it perhaps makes sense that it’s at least partly the product of the United States federal government, having been originally developed at the United States Naval Research Laboratory and re ned by DARPA prior to its public launch in 2003.
There are questions, however, over whether Tor is really secure. Earlier this year, a vulnerability was found in the Tor web browser that could result in users accidentally connecting directly (and traceably) to their requested sites, without the bene t of Tor’s obfuscation. University researchers have found ways to work out the origins of Tor packets, and Europol has recently made some high-pro le arrests by successfully exposing the identities of Tor users – though,
understandably, the agency hasn’t gone into detail about its methods.
If you want to give Tor a go, it’s easy: visit torproject.org and you can download a browser (based on Firefox) for Windows, Macos and Linux that routes all of the traf c through the Tor network, as well as clearing out cookies and browsing history automatically. However, if you prefer to stick with Chrome, you will nd a selection of Tor extensions in the Chrome Web Store.
Like a VPN, Tor doesn’t just encrypt your data: it also conceals your location and other
details about your connection. When we used the Tor Browser running on a Mac just outside Sydney to visit iplocation.net, we were identi ed as a Windows 7 user in Auckland. Subsequent attempts located us in Melbourne and Singapore, so it’s going to be pretty hard for anyone to reliably track your ongoing activity. The only catch is that Tor’s convoluted routing has a big impact on browsing speed – using it can feel like a trip back to the days of the dial-up modem.
For Android users, another option is Orweb Private Web Browser, which routes requests over the Tor network.
Staying anonymous online isn’t just about ensuring your traf c can’t be intercepted. The sites you visit can keep records of your visits and build up an alarmingly detailed pro le of your interests and activity – even if you’re using a supposedly private browser that doesn’t store cookies from one session to the next.
They do this by recognising the device you’re using to connect. After all, there probably aren’t many PCs out there with the exact same combination of browser, memory, graphics hardware, screen resolution and so forth. The distinctive con guration of your computer acts like a ngerprint, so you can be identi ed each time you come back to the site – and there’s not much you can do to change it. Even if you switch browsers, you’re only altering one element of your unique technology mix. Unless you also swap out the graphics card, processor and several other elements at the same time, it’s likely you’ll still be recognised as the same person.
The thing that’s sinister about
ngerprinting is that it’s not limited to a single site: ngerprint data can be shared and sold, so even sites you’ve never visited before can identify and track you as you move around the web – even if you’re not accepting cookies.
There are ways to defeat ngerprinting. As we’ve seen, when you surf with the Tor browser, the server you’re connecting to sees the details of the exit point of your connection, rather than the computer you’re sitting at, so it can’t build up a pro le. Using a VPN isn’t so safe, though: your apparent location changes, but information about your computer con guration is forwarded to the site you’re visiting.
You can reduce your exposure to ngerprinting by disabling Java Script, because many servers
use Java Script routines to gather their data. Unfortunately, this will also stop many sites from working properly. It’s also worth looking for browser extensions that can block speci c
We all know that cookies allow websites to store information about you, and if you value your privacy it’s a sensible idea to clear them out regularly. But these aren’t the only sort of data that sites might store on your PC.
For example, when you access an Adobe Flash element, data packets called “local shared objects” are saved onto your PC. These are managed by the Flash host, rather than the browser, so they may not be deleted when you purge your cookies, and they can be used to identify you even if you switch browsers.
Flash isn’t as ubiquitous as it once was, but it’s still worth checking if you’ve got Flash objects hanging around on your system by inspecting the following locations (in File Explorer, make sure “View hidden items” is ticked) :
C:\Users\[you]\AppData\ Local\Macromedia\Flash Player\#SharedObjects\
C:\Users\[you]\Macromedia\Flash Player\macromedia.com\support\ flashplayer\sys\
If you’re using Chrome, also check this folder:
C:\Users\[you]\AppData\Local\Google\ Chrome\UserData\Default\Pepper Data\ShockwaveFlash\WritableRoot\ #SharedObjects
Another sort of cookie that isn’t easily dislodged is the sinister “Ever cookie”. This tracking le is dropped onto your PC by a Java Script app embedded in a website; it’s saved in the regular cookie folder, but also duplicated in more than a dozen locations across your PC. If you delete the cookie, the script will quietly reinstate a copy from these locations, and the tracking will continue.
Ever cookie isn’t merely a theoretical threat, though: according to documents released by Edward Snowden, GCHQ in the UK and the National Security Agency (NSA) in the US have both shown interest in using Ever cookie to track users across the Tor network. There’s no straightforward, universal way of purging all of the Ever cookie data, although disabling Java Script should prevent deleted cookies from being replaced. If you’re concerned, a quick web search will yield a few approaches to try.
A VPN encrypts your network traffic, making it all but impossible for your ISP and others to spy on you
Graphical tricks can be used to “fingerprint” your PC – even if you’re not accepting cookies The Tor Browser encrypts your network traffic and routes it through many different nodes to hide your location