From blocking cookies to hiding your IP address, here’s how to get off the grid
Internet privacy tends to make headlines with stories of autocratic governments spying on their citizens, creating the impression that we’re careering straight into an Orwellian dystopia. But while state surveillance is undeniable, the first invasion of your privacy is far more likely to come via a humble Google search. Although apparently anonymous, Google has a habit of tracking your searches in order to bombard you with ever-more personalised adverts. By contrast, a search engine such as duckduckgo.com generates unbiased search results without the added user profiling or tracking.
Switching to a less commercially driven search engine will certainly help you on the road to anonymity, but visit a few websites and inevitably you’ll receive cookies. These tiny text files are usually perfectly legitimate ways for websites to record things, such as frequently viewed items, so they’ll appear on your next visit. But, just as dear Toothless, How To Train Your Dragon’s wouldn’t-hurt-a-fly dragon, was converted to the dark side, so too can the humble cookie.
Tracking cookies are much more invasive and compile records of your browsing habits and personal details in order for the cookie host to target you with specific adverts. Since 2011, EU and US law has increased cookie awareness by requiring websites to display those homepage notification banners that you can’t miss, but it’s really just a token nod at respecting privacy.
A more promising attempt at keeping your browsing less trackable is the Do Not Track HTTP header, now integrated into all common web browsers. When activated, websites are requested not to use tracking cookies. However, the key word there is “requested”, as while Do Not Track may be great in theory, the feature can’t actually prevent websites and advertisers from tracking you. There’s no law to say they can’t completely ignore a DNT request.
Clear the slate
So, predictably, it’s entirely up to you to stay anonymous. Simply clearing your browser cache and cookies through your browser’s settings is a good start. Alternatively, you can use clean-up software such as CCleaner (www.piriform.com/ccleaner) to delete cookies, temporary internet files and various other web leftovers from multiple browsers in one go.
Once you’ve got a clean slate, start utilising private browsing modes for more than just keeping your foot fetish under wraps. Whether it be Microsoft’s InPrivate feature, Firefox’s imaginatively titled Private Browsing mode or Incognito in Chrome, all do a pretty good job of preventing nosey tracking cookies from setting up camp on your computer. But even without going into full-on porn mode, the big browsers also allow you to block third-party cookies, and while this doesn’t create an impenetrable barrier, it’s a lot more effective than the pathetic Do Not Track request.
Another easy way to regain control of your internet anonymity is by exploiting browser extensions to close privacy loopholes. Active web content such as Java, Flash and Silverlight can be used to obtain system information without your knowledge and piece together various browsing habits. Automated scripts can also be potential security risks, so controlling exactly what web content can and can’t run is a good thing. Browser extensions like NoScript for Firefox and ScriptSafe for Chrome allow you to do exactly that, blocking all active web content and asking for your approval before letting it run. At first these extensions can be almost as annoying as User Account Control, but the more you use them, the smarter and less intrusive they get.
Spot the spies
The problem is, even when web tracking is largely legit, the fact it happens mostly without your knowledge inevitably provokes distrust. Wouldn’t it be great if you could see exactly who’s trying to sneak information about you and stop them in their tracks? Well, that’s exactly what extensions such as Ghostery and Disconnect do. Both are available for IE, Firefox and Chrome.
With a simple browser button, you can see a list of all the active advertising, analytics and social media tracking organisations on a current webpage. You’re even able to control which ones can collect information about your browsing session. Both extensions are dead easy to use and far less troublesome than script-blockers. Plus, unlike private browsing modes, which simply stop tracking organisations from leaving cookies, these extensions can actually prevent them from monitoring you. Far more effective.
However, just because your browser is locked down doesn’t necessarily mean your system is secure. Any malware already present on your PC may still be snooping on you, and carelessly downloading the wrong zip, executable or even PDF file can also transmit your personal details to unintended recipients.
In an ideal world, any suspect file should be opened on a computer that’s permanently offline, but since that’s easier said than done, you can get similar protection by installing a virtual machine. Two powerful yet free options are VMware Player (www.vmware.com) and VirtualBox (www.virtualbox.org). With one installed, all you then need to do is set up a free Linux distribution within it. Before opening a suspicious file, ensure the virtual machine has no internet access and take a snapshot (similar to creating a System Restore point) to revert back to once you’ve dealt with the suspicious file.
Even better, why not do away with the virtual machine altogether and create a live Linux environment that’s run entirely from a USB flash drive? Using a regular Linux ISO image, tools such as LinuxLive USB Creator (www.linuxliveusb.com) will produce a portable, bootable and selfcontained Linux OS that can be run from any host computer with no reboot required. As no files are modified on the host system, a live Linux environment can be used away from home at a more anonymous location like an internet café.
Encrypting email
Email attachments aren’t the only way that your privacy can be compromised. Your actual written email correspondence is also far from anonymous. Way back when Google launched Gmail with its immense (for the time) 1GB storage limit, it was, unsurprisingly, less keen to market how this capacity was funded. Google did, and still does, scan email content in order to target you with personalised adverts, and Yahoo is up to the same tricks. So when you next see ads for both Miley Cyrus’s latest album and Veet appear by your emails, you’ll know why.
Thankfully, there’s no shortage of ways to keep your email correspondence tighter than George Osborne when asked to spare some change. If you’re serious about email anonymity, providers such as Hushmail (www.hushmail.com) offer built-in PGP email encryption and no advertising. Email another Hushmail user and your message is automatically encrypted when sent and decrypted when read. Email a non-Hushmail recipient and you can still use encryption, but require them to answer a secret question before the message can be read. Clever stuff, but you’ll need to part with $35/year for it, or there’s a free version if you can stick to a 25MB storage limit and log in frequently.
Alternatively, you can also encrypt mail sent via webmail accounts like Gmail, Outlook and Yahoo, simply by using a desktop email client such as Mozilla Thunderbird, plus a few other tools. With Thunderbird installed and configured as your email client, download and install the free GNU Privacy Guard encryption software (www.gnupg.org), and then download the Enigmail Thunderbird extension (www.enigmail.net) and follow the configuration wizard. If that all sounds like overkill for sending a couple of anonymous messages, then consider a disposable email address instead. Guerilla Mail (www.guerrillamail.com) and Mailinator (https://mailinator.com) both fit the bill, letting you quickly send and receive anonymous mail with no incriminating sign-up processes or content scanning.
The wonders of encryption can also keep instant messaging secure. Apps such as Cryptocat (https://crypto.cat) will integrate with Chrome, Firefox or Opera, giving you an encrypted chatroom to converse with other Cryptocat users. To minimise traceability, there are no static user accounts, so you create a dynamic username each time you connect. Once in, you can start your own conversation or type the title of one that’s already active to join in. No group conversations are private though, so anyone who requests your conversation name is free to participate. However, you can select an individual participant for a private chat, as well as sending encrypted files and photos.
The big bad world
Exposing and blocking advertisers or encrypting email can certainly help you take back some control of your privacy, but it’s not enough to keep you and your location hidden. Whenever your computer is connected directly to the internet, you’re still flying well above the radar unless you’ve taken some measures to conceal your IP address.
There are numerous ways to hide your IP address, of course, but firstly, do you really need to? The gatekeeper of your identifiable details is your internet service provider. But in the UK and the US, at least, they’re unlikely to phone the 5-0 if you’ve torrented your favourite Justin Bieber song, though they probably should on the grounds of crimes against taste.
Both the Creative Content UK alert programme and the US Copyright Alert System are more lenient than you might imagine. If you’re found illegally downloading a copyrighted file by the rights holder, they can record and submit your IP address to ISPs participating in the alert program. If one ISP happens to be your provider, then you’ll be sent a copyright infringement notification letter informing you of ways to avoid future breaches.
The UK system allows you to receive four such ‘educational’ letters or emails a year. After that, well, not much happens, as it stands. In the US, you get up to six warnings. By the fifth or sixth warning, ISPs can start seriously throttling bandwidth or using various other measures to make naughty subscribers play ball. Even then, however, US ISPs are not required to disconnect subscribers or even disclose personal details to the copyright holders.
This all sounds refreshingly forgiving, but relying on your ISP to protect your identity isn’t advisable. Even when most providers are reluctant to divulge your details (grassing you to the cops isn’t a great way to ensure customer loyalty), sooner or later they’ll bend over and give in to the long greasy arm of the law. Just take the recent case of Voltage Pictures identifying and attempting to sue thousands of individuals in the US, Singapore and Australia for illegally downloading the movie Dallas Buyers Club. It’s doubly risky when you consider that, even when the threat of legal action and fines may not stand up in court, fighting your corner won’t be cheap and legal aid will be more elusive than a vegan in McDonald’s.
Now, to make it clear, we absolutely don’t condone copyright infringement. The degree of financial damage that piracy has on the entertainment industry may be questionable, as might be attempts to fine illegal file-sharers a zillion times the cost of an equivalent legit download. But unless it would be ethically and financially viable for everyone to cheat the system, then exceptions can’t be made for a few. However, not all torrents infringe copyright, so here are a couple of ways to keep legal torrenting anonymous.
Torrenting
Firstly, use a seedbox. This is effectively a remote server that you can log into via a webpage and use to download and upload torrents on your behalf. Completed torrents can then be transferred from the seedbox to your computer via FTP, therefore preventing any torrent traffic being directly associated with your home IP address. Some seedboxes won’t allow connections to public torrent trackers though, therefore restricting you to private trackers and possible ratio requirements. It’s likely you’ll have to part with at least $5/month to use one, but then freedom isn’t free. It costs folks like you and me.
Another option is to try a proxy server, such as BTGuard (https://btguard.com). These have the effect of hiding your IP address from other members of a torrent swarm by funnelling torrent traffic via a proxy (intermediary) server computer. If prying eyes are monitoring IP addresses connected to a certain torrent, they’ll see your proxy’s IP, not your own. And from the other end, your ISP will only see you connecting to a proxy service, rather than a torrent tracker. It’s not an impenetrable system though, as the proxy server itself may be a weak link. Should the provider keep records of its users and traffic, the paper trail could lead back to you. It’s therefore vital to do your homework before picking a proxy, especially as you’ll be shelling out a monthly fee that’s similar to a seedbox subscription. Free proxy servers are also around, but it’s likely their bandwidth will be low and downtime high. And don’t expect them to put up much of fight if asked for your details.
Proxy servers by nature aren’t just useful for anonymising torrent traffic though. Your web browser can also be easily configured to connect to webpages via a proxy server, thereby hiding your IP address and also circumventing website blocks implemented by your ISP. It can even be possible to view country-specific video streaming services from abroad, though smart JavaScript or Flash implementation may help content providers sniff out your true IP and deny you access. This also highlights a general concern with proxy servers, as while they insert a hurdle to make tracking more difficult, they don’t conceal the entirety of your internet traffic from source to screen.
Tor of duty
One way to get closer to this level of security on the cheap is to use Tor, aka The Onion Router. If there’s an element of the internet that divides opinion – even more than the contents of Sickipedia – it’s Tor. On the one hand, if you live in downtown Shanghai and want to access pretty much any western website, it’s a godsend. But if you’re a disciple of Chairman Mao, or even a western politician with a fear of what the proletariat might get up to, out of sight of your security agencies, Tor is about as welcome as Bill Cosby is, well, anywhere.
In essence, Tor has the same effect as a proxy server, fooling monitoring systems by faking your computer’s location. But it considerably boosts your anonymity by passing your internet data packets through multiple encryption servers (nodes) before they emerge on the open internet (clearnet) and scoot off to your requested website.
As your IP address is concealed by so many encryption servers, you get multiple layers of protection rather than just a single proxy server barrier, and the result is analogous to the layers of an onion. However, like its veggie namesake, Tor can also be eye-wateringly annoying. The numerous encryption servers that relay your data within the Tor network inevitably create speed bottlenecks, and, being volunteer-run, demand usually outstrips available bandwidth. You can’t just access the Tor network via any old web browser either, as Tor requires its own modified, standalone browser, though this is a derivative of Firefox.
What’s more, while Tor does make it very difficult for agencies to perform traffic analysis, it’s not completely safe. The final Tor node that a packet is relayed through before exiting onto the clearnet is known as the exit node. There are more than 1,000 of these active at any one time, and though unlikely, it is still possible to eavesdrop on an exit node, as the data emerging there is unencrypted.
Freenet
An alternative anonymous network without this weakness is Freenet. This is different to Tor in that it’s not a means of accessing the clearnet anonymously, but rather a secure network in which to communicate and share files with trusted circles of contacts. Freenet uses a peer-to-peer model and allocates a portion of your hard drive to store Freenet data and serve it to the network. This is encrypted, as is all the data passed around Freenet, and thanks to such comprehensive end-to-end encryption, Freenet is almost impossible to penetrate and is ideal for anonymous communication and file sharing.
Users are also able to create and host Freesites, which are static websites hosted within, and only accessible from, for anonymous email, social networkstyle communication and forum contact. However, as with other peer-to-peer file-sharing systems, transfer speeds are seed-dependent, and don’t expect the overall speed of the network to be lightning-fast either.
Going virtual
Though networks like Tor and Freenet are useful for protecting privacy, their slow and limited functionality hardly makes them ideal for everyday anonymous internet usage. To go totally incognito with the fewest possible restrictions or drawbacks, you need a VPN (Virtual Private Network).
Where services like BTGuard will hide torrent traffic, and Tor can keep web browsing anonymous, A VPN will hide the entirety of your internet traffic inside an encrypted tunnel. Traditionally, VPNs have been used by companies to securely connect employees working off-site to a private corporate network, but now they’re increasingly popular for the average Joe wanting to preserve their privacy. To exploit a VPN, firstly you’ll have to pony up at least $5/month to subscribe to one of the huge number of personal VPN providers out there, and you’ll also need to install that provider’s client software so you can access your VPN tunnel. Inside the tunnel, data is encrypted to various degrees, depending on the quality of VPN you choose, but that’s not the only aspect of anonymity to consider.
Similar to the potential Tor exit node vulnerability, the weakest links of a VPN tunnel are its entry and exit points. The VPN server is able to see all data that goes into and out of the tunnel, so if you want to sleep at night without fear that MI5 may get wind of your plans to turn David Cameron into a jelly mould, leave no stone unturned in ensuring your VPN provider doesn’t log any user details or monitor traffic. It’s also a wise move to select a company that accepts payments by Bitcoin, to avoid any potential privacy breach that could occur if paying by credit card or PayPal. For more information on VPN providers, as well as comprehensive reviews, check out www.bestvpn.com.
With this amount of privacy protection in place, you’ll now be well and truly under the radar. If you’re still paranoid your every move’s being logged, it could be time to hone those Bear Grylls skills and go completely off the grid.
Paranoid or Prudent?
Several years ago, you’d have had a tough time finding a dartboard in the Pentagon without Julian Assange’s face on it. That all changed in 2013, however, when his position as arch-intelligence enemy was nabbed by a US National Security Agency contractor by the name of Edward Snowden. Snowden downloaded and leaked up to 1.7 million classified documents, revealing the extent of mass surveillance in the US and around the globe.
Key revelations from these leaks include the existence of PRISM: a partnership between the NSA and at least seven major internet companies, including Google, Apple, Microsoft, Yahoo and Facebook. PRISM enables the NSA to access the emails, documents, photos and personal details of any non-US citizen from its participating companies (which have immunity from possible ramifications), en masse, without having to specify an individual target or communications method. The only crumb of comfort is that the NSA apparently has to request the information, rather than having direct server access. They’re not shy about asking though, with Facebook alone receiving approximately 10,000 requests in the latter half of 2012.
Snowden’s leaks also revealed that the UK’s Government Communications Headquarters (GCHQ) taps around 200 fibre-optic cables carrying global internet and telephone data amounting to up to 600 million daily communications. Intelligence is then shared with the NSA in a program codenamed Tempora – which also involves telecommunications companies such as Vodafone and Verizon – and can be stored for up to 30 days for analysis.
If this wasn’t a big enough invasion of privacy, Snowden’s leaks also detailed that the NSA had collected over 200 million global text messages per day and stored details in a database accessible to GCHQ. The really scary bit? This surveillance was able to gain information on individuals who were not under any criminal suspicion.
The China Syndrome
Given what we now know about the extent of mass surveillance, you might imagine that if things got any more intrusive, we may as well be living under Combine rule in City 17. Well, that day could be a step closer if the government’s draft Investigatory Powers Bill – aka the Snooper’s Charter – is passed in the UK.
The main aim of this, of course, is to counter terrorism. In response to rapidly rising levels of global communication, David Cameron and Theresa May are attempting to step up the UK’s apparently inadequate surveillance powers to assist police investigations. The Investigatory Powers Bill would require ISPs and mobile phone companies to record all internet browsing, including social media correspondence, as well as gaming traffic, emails, text messages and mobile calls from each and every subscriber. Data would be held for a year, and the total cost of the bill is estimated at being around £1.8 billion.
Even if we ignore the proposed cost at a time of national austerity, the potential for such colossal amounts of personal records to leak into the wrong hands is cause enough for concern. Couple this with the more immediate issue that almost all of your digital communication would be tracked and digital privacy becomes a distant dream if the Investigatory Powers Bill is passed.
The bill’s efficacy is also debatable, given that increased government surveillance tends to merely force committed criminals further underground and away from detection. However, the government has preempted this, suggesting that encrypted communication could be outlawed, or at least heavily regulated, under the Investigatory Powers Bill. That’s bad news if you thought VPNs could save the day for preserving your privacy, but it could also mean apps such as Snapchat and WhatsApp are blocked, too, as they use encryption. And you thought this could only happen in China.
The Darknet
Ahh, the darknet. It’s a shame this gets such bad press, as its name sounds cooler than Clooney dipped in LN2. The darknet is part of, though not the same as, the deep web. This broader term encompasses any part of the internet that cannot be indexed by search engines, such as webpages beyond a personal login. The darknet’s difference is that it’s anonymous and isn’t inaccessible through a standard web browser.
In recent years, Tor has become the most notorious darknet network, partly for its ability to circumvent governmental censorship, but mostly because of its hidden services. These are usually websites and are set up to only be accessible from connections routed through Tor encryption nodes from the Tor browser.
Unsurprisingly, hidden services tend to be organisations with a vested interest in anonymity, so you’ll find The Pirate Bay has a hidden service on Tor, and the area of Wikileaks for uploading sensitive documents is also concealed here. More surprising is that Facebook – a pillar of privacy – also has a Tor service, though it’s more for allowing oppressed Syrians to communicate with the outside world than to stop your bunny-boiler ex from tracking you down.
But the hidden service that really put Tor on the map is the now-defunct Silk Road. With its layered encryption, Tor is the perfect place for accessing the less wholesome things in life, and Silk Road was a global marketplace specialising in the drug trade. It may as well have been run by Walter White, but its actual creator, one Ross William Ulbricht, was caught and Silk Road got shut down. However, this wasn’t facilitated by weaknesses in the Tor network, but rather Ulbricht’s sloppy promotion of Silk Road in open internet forums being matched to an email address of rossulbricht@gmail.com. #Facepalm.