Anonymity, Privacy, & Reality

by XCM (xcm@tuta.io)

I occasionally come across online posts discussing anonymity and privacy online.  The odd article here and there also tries to address the concern at a level of depth generally appropriate for its specific readership.

This is always a great topic and awareness amongst non-technical readers is an encouraging sign.  At the same time, I find that there is some level of confusion and occasionally a misleading advertisement associated with silver bullet, one-size-fits-all privacy software.

It would be far safer to understand all the privacy risks rather than hoping our software will protect us from something we do not grasp.

As anonymity and privacy are two very different goals, I have two very different opinions on their achievability.  Let's see them both.

Anonymity

Short answer: Forget about it.

Long answer: For long term anonymity, there is such a huge series of lifestyle changes to adopt that if you are ready for it, chances are you either work for a secretive government agency or a highly organized criminal gang.  And even they fail at times.

Consider the following, which is a non-exhaustive list of things to keep in mind when going about buying a computer to begin your anonymous online presence:

The list could go on, and we haven't even touched upon what to actually do once online.

If you are not ready to go to such lengths, let's explore the second goal instead.

Privacy

Privacy is a fluid concept rather than a binary status like anonymity.  You do not reach a status of privacy; you lower your current exposure by working on different fronts.

Let's start with a list of areas where data about you and your habits could be collected or leaked, thus reducing your privacy level:

This might not be a complete list, but I am pretty sure it offers a good coverage.  Of course, we must also be mindful of any organization or individual who might gain access, lawfully or otherwise, to the data stored at any stage of the network transaction.  If we reduce our footprint, there will be less data to access in the first place.

Before we continue: most of the risks covered in this section can be addressed by using the Tor browser.  While Tor is an excellent project, the point of this article is not to suggest a tool that solves your existential difficulties, but rather to cover the whole process and its implications.  Only then will it be possible to make informed decisions on how to manage our exposure online.

Another important point: recommendations below are O.K. for the general population.  If you suspect you are under targeted surveillance, they will not protect you.

Enough with caveats.  Let's start with addressing the first hop: your local device.

As we all know, each time we visit a website, data is kept locally for different reasons.  This data can be used to tell that we have visited the website, should anyone gain direct or remote access to our device.

The most convenient way to minimize this risk is to use an incognito session in an open-source browser.  Data and history will be removed once the browser is closed and not retrievable other than with forensic techniques.

Of course, this will only address local data storage for websites accessible via a traditional browser.  When resources are accessed via other software clients, different countermeasures will be necessary.

If you do not know how to clear the local storage of each of the various clients on your computer, a system-wide option is to use a non-persistent session, such as one afforded by a live Linux distribution or a virtual machine that is reset after each use.

The next three areas - people you share the network with, your ISP, and intermediate ISPs - present privacy concerns that can be addressed with a common approach.

The best-known and most popular approach is to use a VPN.  If set up correctly, this can effectively hide your traffic habits from anyone between your device and the remote resource you are accessing.  Proper care must be exercised to ensure that all network traffic goes through the VPN tunnel and nothing is leaked outside it.

To be precise, your activity is not actually hidden, as the company providing you with the VPN service will have full visibility of your online endeavors.  It is up to you to identify a reputable provider and trust that they will not misuse or release the information they have on you.  Most VPN providers state that they do not collect data in the first place, but I would always question everything and verify what the laws of different jurisdictions have to say about not collecting data.
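The "nothing is leaked" requirement above is something you can check on the box itself rather than take on faith.  The following is an added example, not code from the article or from any VPN product: it reads the kind of output `ip route show` and `/etc/resolv.conf` produce on Linux and reports any destination, or any DNS resolver, that the kernel would send outside the tunnel.  The route tables and resolver files are constructed samples, the tunnel interface name `tun0` and the OpenVPN-style `0.0.0.0/1` plus `128.0.0.0/1` override routes are assumptions, and the probe address is from the TEST-NET-2 documentation range.

```python
import ipaddress

# Constructed sample of `ip route show` on a Linux host where an OpenVPN-style
# tunnel (assumed interface name: tun0) has installed the usual 0.0.0.0/1 and
# 128.0.0.0/1 routes that take precedence over the LAN default route.
FULL_TUNNEL_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.7 via 192.168.1.1 dev eth0
"""
FULL_TUNNEL_RESOLV = "nameserver 10.8.0.1\n"

# Constructed split-tunnel configuration: only the VPN subnet is routed via
# tun0, and DNS still points at the home router handed out by DHCP.
SPLIT_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""
SPLIT_TUNNEL_RESOLV = "# Generated by NetworkManager\nnameserver 192.168.1.1\n"


def parse_routes(text):
    """Return (network, interface) pairs parsed from `ip route show` output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((ipaddress.ip_network(dst, strict=False), dev))
    return routes


def interface_for(ip, routes):
    """Longest-prefix match: the interface the kernel would use to reach ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def parse_nameservers(resolv_conf):
    """Extract resolver addresses from resolv.conf text, ignoring comments."""
    return [line.split()[1] for line in resolv_conf.splitlines()
            if line.strip().startswith("nameserver")]


def leak_findings(route_text, resolv_conf, tunnel_if, probe_ip="198.51.100.1"):
    """List anything that would bypass the tunnel; an empty list is the goal.

    probe_ip is an arbitrary public address (TEST-NET-2) standing in for
    "the internet".  Resolvers are checked the same way, because a resolver
    reached outside the tunnel reveals every domain you look up.
    """
    routes = parse_routes(route_text)
    findings = []
    via = interface_for(probe_ip, routes)
    if via != tunnel_if:
        findings.append(f"traffic to {probe_ip} leaves via {via}, not {tunnel_if}")
    for ns in parse_nameservers(resolv_conf):
        via = interface_for(ns, routes)
        if via != tunnel_if:
            findings.append(f"DNS resolver {ns} is reached via {via}, not {tunnel_if}")
    return findings


if __name__ == "__main__":
    for label, routes, resolv in (("full tunnel", FULL_TUNNEL_ROUTES, FULL_TUNNEL_RESOLV),
                                  ("split tunnel", SPLIT_TUNNEL_ROUTES, SPLIT_TUNNEL_RESOLV)):
        problems = leak_findings(routes, resolv, "tun0")
        print(f"{label}: " + ("no leaks found" if not problems else "; ".join(problems)))
```

On a real machine you would feed it the live output of `ip route show` and the contents of `/etc/resolv.conf`.  Note that the single host route to the VPN server (`203.0.113.7` via `eth0` in the sample) is expected and is deliberately not flagged; it is the one destination that must stay outside the tunnel.  IPv6 routes, which are a classic source of leaks when the VPN only handles IPv4, would need the same check run over `ip -6 route show`.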

Another possibility for web traffic, as an alternative to a VPN, is to use encrypted DNS such as DoH or DoT, in conjunction with TLS 1.3 and Encrypted Client Hello (ECH) or Encrypted Server Name Indication (ESNI).  Let me expand on this.

Encrypting DNS requests over HTTPS/TLS offers the obvious advantage of hiding which domains you are resolving.  Again, your DNS request will eventually be read by the operator of the DoH/DoT server, so the usual healthy level of paranoia is advised.  ECH/ESNI is a TLS extension that prevents third parties from observing which domain the client is connecting to.  The trouble is that ECH/ESNI must be enabled on the server side and, at the time of writing, its deployment is far from universal.

Additionally, relying on this technique will not hide the destination IP address, so it only helps when accessing resources hosted on large CDNs or public cloud providers, where one address serves many unrelated sites.
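To make concrete what DoH actually puts on the wire, here is an added example (not code from the article) that builds a DNS query in the RFC 1035 wire format, encodes it the way RFC 8484 specifies for a DoH GET request, and parses a response.  The whole exchange is constructed offline: the `/dns-query` path is the conventional one from RFC 8484, and the answer address comes from the TEST-NET-3 documentation range rather than a real lookup.  What the example shows is that the domain name lives inside the HTTPS request body, so anyone between you and the resolver sees only a TLS connection to the resolver's IP, while the resolver operator, as the text notes, still sees the name in the clear.

```python
import base64
import struct


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1):
    """Build a minimal DNS query (RFC 1035).  RFC 8484 uses transaction ID 0 so
    that identical questions produce identical, cacheable HTTP requests."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_path(name, qtype=1):
    """Request path for a DoH GET: the query is base64url-encoded, no padding."""
    wire = build_query(name, qtype)
    encoded = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return "/dns-query?dns=" + encoded


def decode_name(msg, offset):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier copy of the name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_a_records(msg):
    """Return (name, address, ttl) for each A record in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):  # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            records.append((name, ".".join(str(b) for b in rdata), ttl))
    return records


# Constructed response a resolver might return for the query above: flags 0x8180
# (response, recursion desired and available), one question, one A answer whose
# name is a compression pointer back to offset 12.  The address is TEST-NET-3.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4)
    + bytes([203, 0, 113, 10])
)

if __name__ == "__main__":
    print("GET", doh_get_path("www.example.com"))
    print(parse_a_records(SAMPLE_RESPONSE))
```

The encoded path for `www.example.com` matches the worked example in RFC 8484, which is a useful sanity check when writing your own client.  Sending it for real means an HTTPS GET of that path to a resolver you have chosen to trust, with `Accept: application/dns-message`; that trust decision is the one the text warns about.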

Moving along our list: to enhance your privacy in relation to the website owners, their service providers, and third parties, it does not really matter whether you encrypt your connection to their website or not.  What matters is that you hide where you are coming from and who you are.  This is again achievable using a VPN or other intermediaries such as HTTP(S) proxies, remote virtual machines, or remote isolated browsers such as WEBGAP.

On top of that, you must ensure that your local browser does not leak information on yourself or your real location.  This can happen via browser extensions, scripts, and fingerprinting.

Minimizing the risk associated with extensions and scripts served by websites is relatively easy.  You can test your browser for such leaks at browserleaks.com by going through the various tests.  Obviously, going through a VPN serves no purpose if a piece of JavaScript can read your real IP address or geolocation, so make sure you rule that out.

Reducing the risk of fingerprinting is more complex.  Fingerprinting is a technique used primarily by trackers to create a personal profile from various browser and device characteristics.  It can be very effective even when you actively block third-party cookies or remove data after the browsing session, as the characteristics making up your fingerprint stay the same between sessions.  Profiles can be generated and enriched over time and used to track you across different domains, even if your true identity is not known to the tracker.

Thwarting this threat is difficult because the more you actively alter your browser with privacy plugins and the like, the more unique your browser and its fingerprint become.  The EFF has a dedicated website on this topic where you can also run a test: coveryourtracks.eff.org.

The only partially effective countermeasures I know of against fingerprinting are to use a vanilla version of a very popular browser on a very common OS (which, unfortunately, will generally not be open-source) and, as an additional measure, to disable JavaScript.

Together, these two steps might not keep your fingerprint from being unique, but they should make it less specific.  And, of course, do not forget that the Tor browser also tries to address this threat to your privacy by default.

One of the latest approaches to disrupting fingerprinting is to pollute the fingerprint with random data and rotate it across browsing sessions.  The theory seems promising and that's exactly what browsers like Brave are doing.
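The three ideas in the last few paragraphs (a fingerprint survives clearing cookies, a customized browser is more identifiable than a vanilla one, and per-session randomization breaks the link between visits) can be put in numbers.  The following is an added example, not code from the article, the EFF, or Brave: it scores a fingerprint the way Cover Your Tracks explains it, as the sum of the surprisal of each attribute value, where an attribute seen in a fraction p of users carries -log2(p) bits, and a fingerprint carrying more than log2(N) bits singles one user out of N.  The attribute frequencies and the population size are constructed, the independence assumption between attributes is a simplification, and the `randomize_per_session` function is a sketch of the randomization idea rather than Brave's implementation.

```python
import hashlib
import math
import secrets

# Constructed share of a hypothetical population for each attribute value.
# Values not listed are treated as seen by at most one user in POPULATION_SIZE.
POPULATION_SIZE = 1_000_000
FREQUENCIES = {
    "user_agent": {"Chrome/Windows": 0.55, "Safari/macOS": 0.20, "Firefox/Linux": 0.03},
    "screen": {"1920x1080": 0.40, "1366x768": 0.25, "2560x1440": 0.05},
    "timezone": {"UTC+0": 0.15, "UTC-5": 0.20, "UTC+1": 0.25},
    "fonts": {"windows-default": 0.50, "macos-default": 0.20},
    "canvas": {"common-1": 0.30, "common-2": 0.25},
    "javascript": {"enabled": 0.97, "disabled": 0.03},
}


def surprisal_bits(attribute, value):
    """Identifying information carried by one attribute value: -log2(p)."""
    p = FREQUENCIES.get(attribute, {}).get(value, 1 / POPULATION_SIZE)
    return -math.log2(p)


def identifying_bits(fingerprint):
    """Total bits, treating attributes as independent (a simplification)."""
    return sum(surprisal_bits(k, v) for k, v in fingerprint.items())


def likely_unique(fingerprint, population=POPULATION_SIZE):
    """More than log2(N) bits is enough to single one user out of N."""
    return identifying_bits(fingerprint) > math.log2(population)


def fingerprint_key(fingerprint):
    """The stable key a tracker can store in place of a cookie."""
    canonical = "|".join(f"{k}={fingerprint[k]}" for k in sorted(fingerprint))
    return hashlib.sha256(canonical.encode()).hexdigest()


def randomize_per_session(fingerprint):
    """Sketch of the randomization approach: add fresh noise to a noisy
    attribute (here canvas) for each session, so the key no longer matches."""
    noisy = dict(fingerprint)
    noisy["canvas"] = "noise-" + secrets.token_hex(4)
    return noisy


# Constructed fingerprints: a vanilla popular browser on a common OS versus
# a heavily customized setup with hand-picked fonts and a spoofed canvas.
VANILLA = {"user_agent": "Chrome/Windows", "screen": "1920x1080", "timezone": "UTC+0",
           "fonts": "windows-default", "canvas": "common-1", "javascript": "enabled"}
CUSTOMIZED = {"user_agent": "Firefox/Linux", "screen": "2560x1440", "timezone": "UTC+0",
              "fonts": "hand-picked-set", "canvas": "spoofed-constant", "javascript": "disabled"}

if __name__ == "__main__":
    for label, fp in (("vanilla", VANILLA), ("customized", CUSTOMIZED)):
        print(f"{label}: {identifying_bits(fp):.1f} bits, unique: {likely_unique(fp)}")
    # Same attributes in two sessions, cookies cleared in between: same key.
    print("linkable across sessions:", fingerprint_key(VANILLA) == fingerprint_key(dict(VANILLA)))
    # With per-session noise the two sessions no longer share a key.
    print("linkable after randomization:",
          fingerprint_key(randomize_per_session(VANILLA)) == fingerprint_key(randomize_per_session(VANILLA)))
```

Two things are worth noticing in the numbers.  A constant spoofed value is the worst case: it is unseen in the population, so it alone contributes about log2(N) bits and makes the browser trivially recognizable, which is exactly why a static "privacy" tweak backfires.  Randomizing instead changes the key on every session, so the tracker cannot join the visits even though each individual visit still looks unusual.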

At any rate, if you manage to block unauthorized web requests to third-party trackers, that would already be a great achievement.  Concerns related to scripts and fingerprinting would then be reduced as no data would reach the tracker in the first place.

Some browsers block requests to known trackers.  Additional plugins can be used for the same goal, or you could maintain on your home router/firewall a dynamic block list of domains known to be used for tracking.  An interesting project focusing on this approach can be found at: codeberg.org/spootle/blocklist.
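A router-side block list is only as good as the matching rule behind it: a list entry must catch subdomains (`cdn.tracker.example` for `tracker.example`) without catching look-alikes (`nottracker.example`).  The following is an added example, not code from the article or from the blocklist project it links; it parses a hosts-style list (the format many public tracker lists use; whether that project uses it is an assumption), matches hostnames label by label, renders the result as `address=/domain/0.0.0.0` lines for a dnsmasq-based router (an assumption about the router), and audits a constructed DNS query log to show which lookups would have been blocked.

```python
# Constructed hosts-style blocklist: "0.0.0.0 domain" or bare "domain" per line.
SAMPLE_BLOCKLIST = """\
# Tracker domains (constructed sample)
0.0.0.0 tracker.example
0.0.0.0 metrics.example.net   # inline comment
127.0.0.1 localhost
ads.example.org
"""

# Constructed resolver query log in the shape "client host", one lookup per line.
SAMPLE_QUERY_LOG = """\
192.168.1.50 www.example.com
192.168.1.50 cdn.tracker.example
192.168.1.51 metrics.example.net
192.168.1.51 nottracker.example
192.168.1.52 ads.example.org
"""

# Entries that appear in hosts-style lists for local use, not for blocking.
LOCAL_ENTRIES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}


def parse_blocklist(text):
    """Return the set of domains to block, accepting hosts format or bare domains."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        parts = line.split()
        host = parts[1] if len(parts) > 1 else parts[0]
        host = host.lower().rstrip(".")
        if host not in LOCAL_ENTRIES:
            domains.add(host)
    return domains


def is_blocked(host, blocked):
    """True if host or any parent domain is listed (label-aligned suffix match)."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def dnsmasq_config(blocked):
    """Render the list as dnsmasq address= lines; dnsmasq applies each to subdomains too."""
    return "".join(f"address=/{domain}/0.0.0.0\n" for domain in sorted(blocked))


def audit_queries(log_text, blocked):
    """Return the (client, host) pairs in a query log that the list would block."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and is_blocked(parts[1], blocked):
            hits.append((parts[0], parts[1]))
    return hits


if __name__ == "__main__":
    blocked = parse_blocklist(SAMPLE_BLOCKLIST)
    print(dnsmasq_config(blocked), end="")
    for client, host in audit_queries(SAMPLE_QUERY_LOG, blocked):
        print(f"would block {host} requested by {client}")
```

Running the audit over a real resolver log before enabling the list is a cheap way to see both how much tracker traffic your devices generate and whether any domain you rely on would be collateral damage.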

I hope this overview has been informative and sparked your curiosity if any of this information is new to you.

Now, remember to value your privacy.  Nobody else will.
