Paessler Blog - All about IT, Monitoring, and PRTG

How to Become Anonymous on the Internet - Part 1/2

Written by Patrick Gebhardt | Jul 10, 2019

I think it only makes sense to seek out and identify structures of authority, hierarchy, and domination in every aspect of life - and to challenge them; unless a justification for them can be given, they are illegitimate and should be dismantled, to increase the scope of human freedom.

(Noam Chomsky)

Our ideas of privacy and freedom have changed with the Internet. In earlier times, thoughts of freedom were enshrined in constitutions to protect us against tyrants and menaces. In our digital lives, there are complex threats and the laws written to protect us belong to times no longer linked to our realities. The protection of your digital rights is an individual, personal undertaking.

3 remarks on this article:

  • I will provide step-by-step instructions for different audiences. Some people only want to protect their most sensitive data, while others want to move around the Internet completely anonymously. I'll show you, in ascending order and with simple steps, what needs to be considered.
  • Anonymity and overall security go hand in hand. If you neglect the security of your devices, it directly affects the integrity of your personal information.
  • This article does not advocate not disclosing any data about yourself on the Internet. It is about being able to decide freely and independently which data is disclosed.

Let's get started.

Become 30% anonymous

You want to have more privacy on the Internet and in your digital communication, without going too far at the same time? Good for you! 

💬 Messaging Apps

You should first look at your day-to-day messaging apps. This is where you share the most sensitive information and accordingly where you should have very high expectations. Only three messaging apps - Signal, Threema and Wire - can currently stand up to rigorous standards. Their advantages are:

  • Company & infrastructure jurisdiction: Wire has its company jurisdiction in Switzerland and its infrastructure jurisdiction in Germany and Ireland. With Threema, both are in Switzerland.
  • Funding: Signal is funded by, among others, the Freedom of the Press Foundation, the Knight Foundation, and the Open Technology Fund. Threema is financed exclusively from user fees. 
  • Cooperation with intelligence agencies: Signal, Threema and Wire are not implicated in giving customers' data to intelligence agencies as opposed to iMessage, Skype, Facebook Messenger, and others.

❌ Don't use WhatsApp

Saying WhatsApp is trustworthy because it offers end-to-end encryption is as naive as claiming that the NSA doesn't spy on you because it's illegal. WhatsApp is underperforming in every conceivable digital privacy category. In September 2017, WhatsApp co-founder Brian Acton left Facebook abruptly, although he would have received another $850 million share payment a few months later. This was perhaps the most credible moral statement of all time and a warning that some shady stuff would be happening with WhatsApp soon.

📧 Secure Email

Maybe we don't use them as frequently as messaging apps - but still we communicate via email quite often. And again, there are companies that offer clear advantages in terms of digital anonymity.

I recommend ProtonMail because here, as with Threema, the company and infrastructure jurisdiction lie in Switzerland.

  • ProtonMail is clearly committed to the privacy and anonymity of its users. No private information such as date of birth or mobile phone number has to be provided when registering.
  • The free package only comes with 500MB of storage, but can be upgraded to 5-20GB using the paid services (at reasonable costs).
  • ProtonMail offers end-to-end encryption for which the recipient of a message must also use ProtonMail. Alternatively you can communicate via PGP (more details in part 2/2), for which ProtonMail by default assigns a private and a public key, which you can find in the settings. 

Other email providers that are considered secure and trustworthy:

  • Tutanota is located in Hanover, Germany. Every mail and attachment sent is automatically encrypted by the open source webmail client and no IP information is retained after sending.
  • Hushmail offers easy to use web and desktop clients. It's based in Canada and many users feel particularly secure due to Hushmail's many years of experience - it has already been on the market for 20 years.
  • LuxSci might be the right choice if you're looking for a business email solution and you're based in North America. LuxSci is from Massachusetts and offers a suite of secure communications tools. Packages come with 1-50GB of storage.

📶 Public WLAN

Public WLAN represents a security risk and can undermine your digital anonymity. There is, of course, a way to avoid the dangers of wireless communication: Use WLAN only where you can be sure that not only the operator of the access point, but also the other users are trustworthy.

Besides that, you should follow these guidelines:

  • Block unencrypted networks: Both notebooks and smartphones automatically connect to all the networks they think they already know because they used a network of the same name in the past. So the first thing you have to do is to clean out this list and in particular throw out all unencrypted networks that you may have used in the past.
  • Keep an eye on https:// or set bookmarks: To avoid inadvertently calling up an unencrypted URL when typing, for example through auto-completion, it is best to place a bookmark on the https login page and then use it consistently.
  • Caution with certificate errors: Error reports about certificates should generally not be taken lightly. The risk of an attack is particularly high in public networks, where anyone can redirect and manipulate data traffic. The error messages could therefore be traced back to a man-in-the-middle attack.
  • Rather do without apps: As a user you normally don't have the possibility to adjust the security settings of smartphone apps in depth. Even with many banking apps, studies have shown a significant vulnerability to man-in-the-middle attacks on encryption.
  • Make use of VPN: If you want to be sure that possible eavesdroppers on foreign WLANs do not record any plain-text data, you can use a Virtual Private Network (VPN). More about VPN below.
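One way to carry out the "clean out this list" step on a Linux machine is sketched below. This is an added example, not part of the original article. It assumes the device stores its known networks as NetworkManager keyfiles; the sample profiles are constructed and the function names are hypothetical.

```python
import configparser

# Constructed sample profiles in NetworkManager keyfile format (not real networks).
SAMPLES = {
    "cafe": "[connection]\nid=Cafe Free WiFi\ntype=wifi\n[wifi]\nssid=Cafe Free WiFi\n",
    "home": "[connection]\nid=Home\ntype=wifi\n[wifi]\nssid=Home\n"
            "[wifi-security]\nkey-mgmt=wpa-psk\n",
    "old":  "[connection]\nid=OldRouter\ntype=wifi\nautoconnect=false\n[wifi]\n"
            "ssid=OldRouter\n[wifi-security]\nkey-mgmt=none\n",
    "lan":  "[connection]\nid=Wired\ntype=ethernet\n",
}

# key-mgmt values that mean WEP, which offers no real protection today.
WEAK_KEY_MGMT = {"none", "ieee8021x"}

def audit_profile(text):
    """Return a finding for one saved Wi-Fi profile, or None for non-Wi-Fi profiles."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") not in ("wifi", "802-11-wireless"):
        return None
    wifi = "wifi" if cp.has_section("wifi") else "802-11-wireless"
    sec = "wifi-security" if cp.has_section("wifi-security") else "802-11-wireless-security"
    if not cp.has_section(sec):
        status = "open"  # no security section at all: unencrypted network
    elif cp.get(sec, "key-mgmt", fallback="") in WEAK_KEY_MGMT:
        status = "weak"
    else:
        status = "encrypted"
    return {
        "ssid": cp.get(wifi, "ssid", fallback=cp.get("connection", "id", fallback="?")),
        "status": status,
        # NetworkManager joins a known network automatically unless this is false.
        "autoconnect": cp.getboolean("connection", "autoconnect", fallback=True),
    }

def networks_to_forget(profiles):
    """Saved profiles that are open or WEP, auto-joining ones first."""
    findings = [f for f in map(audit_profile, profiles) if f and f["status"] != "encrypted"]
    findings.sort(key=lambda f: (not f["autoconnect"], f["ssid"]))
    return [(f["ssid"], f["status"], f["autoconnect"]) for f in findings]

if __name__ == "__main__":
    for ssid, status, auto in networks_to_forget(SAMPLES.values()):
        print(f"forget {ssid!r}: {status}, autoconnect={auto}")
```

On a real system the profile texts would be read from the NetworkManager connection directory instead of `SAMPLES`; open networks that still have autoconnect enabled are the ones to delete first.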

🍪 Cookies

Almost all pages on the Internet make use of cookies. That's no reason to get agonal respiration. But the proficient handling of cookies is a fundamental step towards more power over your privacy. It makes sense to delete cookies regularly. The more often you delete cookies, the less transparent your web behavior will be.

Roughly speaking, cookies can be divided into two groups:

  • The first are the so-called session cookies. They ensure that websites can remember you. Without these session cookies, the Internet would be far less comfortable.
  • The cookies that are criticized more frequently are tracking cookies. Because not only websites themselves store cookies in your browser, but so do many of the advertising banners that are displayed to you. This means that even if you visit a single website, several cookies can still be stored in your browser.

Become 60% anonymous

Let's climb one step up the anonymity ladder.

🗝️ Tor

If you want to be as anonymous as possible while surfing, you inevitably end up with Tor. There is currently no real alternative to it. You can simply download and install the Tor browser; it looks and works just like Firefox.

👻 Tor already has a complex history

The first ideas for Tor date back to 2000 and two years later Matej Pfajfar started working on Tor at Cambridge University. This was followed by the release of the first alpha version on September 20, 2002. From 2001 to 2006, Tor was supported by the United States Naval Research Laboratory with support from the Office of Naval Research (ONR) and the Defense Advanced Research Projects Agency (DARPA), represented by Paul Syverson. So a recurring and semi-true statement is that Tor was invented by the US government. In December 2006, Dingledine, Mathewson and others formed the Tor Project, a non-profit research and education organization responsible for Tor maintenance. In March 2011, the Free Software Foundation awarded the "Social Benefit" Award to the Tor Project. The reason given for the award was that Tor enabled approximately 36 million people worldwide to gain uncensored access to the Internet with control over privacy and anonymity. Tor has shown itself to be very significant for the opposition movements in Iran and Egypt.

When you visit a website with a normal browser, you contact the website directly. It will know your IP address, where you come from, it gets information about which browser you are using, how big your screen is, what fonts you have installed and so on.

  • Usually it is the totality of all this data that creates an individual fingerprint through which you become recognizable. Movement patterns get linked to identities, and the grid becomes increasingly tight.
  • Like an onion, the Tor net consists of several layers. Traffic is routed through different, randomly chosen routers inside the Tor network. The path always begins with an entry node, to which the Tor client connects.
  • This connection between the client computer and the entry node is encrypted. Since the entry node knows the client's IP address, traffic is forwarded on to the next Tor node, which only has access to the IP address of its preceding node.
  • This means that the source IP address of the client is no longer known when the exit node finally requests the data packet.
  • And here's the catch: From the client to the exit node, Tor traffic is encrypted, but then it depends on the browser whether an SSL/TLS connection is established.
  • Data traffic is no longer transported on the shortest Internet route, but via the Tor network. That's definitely not made for the impatient. 
  • If a Tor exit node is now under the control of a government agency, it can record all traffic.
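The layering described in the list above can be simulated in a few lines. This is an added example, not code from the article or from the Tor Project: the cipher is a toy stand-in for Tor's real cryptography, and the node names, keys, addresses and request are constructed. It shows what each node can observe and why the exit node sees plain text when no TLS is used.

```python
import hashlib
import json

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream. Toy stand-in, NOT Tor's real cryptography."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(payload: bytes, destination: str, path) -> bytes:
    """Client side: add one layer per node, innermost (exit) layer first."""
    next_hop, cell = destination, payload
    for name, key in reversed(path):
        layer = json.dumps({"next": next_hop, "data": cell.hex()}).encode()
        cell = toy_cipher(key, layer)
        next_hop = name
    return cell

def relay(client_ip: str, cell: bytes, path):
    """Each node peels its own layer; record what that node is able to observe."""
    seen, prev = [], client_ip
    for name, key in path:
        layer = json.loads(toy_cipher(key, cell))
        cell = bytes.fromhex(layer["data"])
        seen.append({"node": name, "from": prev, "to": layer["next"]})
        prev = name
    return seen, cell  # cell is now exactly what the exit node sends onward

# Constructed circuit: hypothetical node names and keys, documentation IP address.
PATH = [("entry", b"k-entry"), ("middle", b"k-middle"), ("exit", b"k-exit")]
CLIENT_IP = "203.0.113.7"
REQUEST = b"POST /login user=alice&pw=hunter2"  # plain HTTP, no TLS inside

def demo():
    return relay(CLIENT_IP, wrap(REQUEST, "shop.example:80", PATH), PATH)

if __name__ == "__main__":
    seen, at_exit = demo()
    for view in seen:
        print(view)
    print("exit node forwards:", at_exit)
```

Only the entry node's view contains the client address, and only the exit node's view contains the destination; the request itself leaves the exit node unmodified, which is why the browser's own SSL/TLS connection still matters.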

But even when using Tor, there are a few things to keep in mind in order to achieve a high level of anonymity:

  • Tor does not show the IP address that tells your location, but other details reveal a lot about your identity as well: browser type, window size or installed fonts. The Tor browser will therefore tell you not to drag the window to full screen.
  • If you really want to stay anonymous, don't download and open PDF, Word or other documents from web pages. While programs like Acrobat Reader access the document, they will reveal your actual IP address.
  • Also make sure that no background programs communicate with the Internet, as they won't do so through Tor. That's a fairly big problem, and I'll offer a solution in part 2/2.

🖥️ VPN

Within a Virtual Private Network (VPN) different participants of an IP network are connected to a protected subnet. In order to secure the data transmitted in the Virtual Private Network via the public Internet from unauthorized access, the connections are encrypted. Tunnel connections are created between the individual participants, which are not visible from the outside.

VPN includes end-to-end connections between two end devices, two servers, or one end device and one server. This type of connection is a network consisting of only two participants. VPNs are mostly found in professional use cases, often in constellations where employees work remotely. But VPN has been of increasing importance in the private sector for some time now, even if only for concealing the IP address from Netflix or other streaming providers (a VPN gets around geo-blocking). Nevertheless, VPN is a true security tool. In this context, I can recommend 3 providers to you:

  • NordVPN has been the test winner of many VPN comparisons in the first quarter of 2019 and proves to be very stable. What speaks for NordVPN is the high security, an appealing appearance (also in the mobile apps) and the fact that the company jurisdiction lies in Panama. Perhaps the only disadvantage of NordVPN is its higher-than-average price.
  • CyberGhost beats NordVPN with a better server selection, but has some functional disadvantages (e.g. the Firefox plugin is not fully functional).
  • ProtonVPN is especially recommendable if you already use ProtonMail (see above). Both solutions come from the same development teams. A free version is available and only the upload speed is not really satisfying.

A proxy in no way offers data security comparable to a VPN service, because it only lends you a different IP address and forwards your requests to the visited websites under that address.

Wait... What? 😵

The belief that a proxy server somehow does the same thing as a VPN server is completely wrong. Proxy servers are substitutes and VPN services are secure tunnels through the Internet.

  • VPN encrypts all data transmission, while connections to proxies are limited to certain protocols (such as browser usage).
  • The proxy hides all users behind its own proxy IP address, but the data is not fully encrypted or secured. VPN encrypts all data sent or received, as well as other applications running on the device. In many cases, each user also receives a temporary anonymous IP address.
  • Proxies can also decrypt, view and manipulate encrypted data between the user and a website unnoticed. VPN services are based on NAT technology, which cannot view or store transmitted data.
  • Proxies usually do not use their own software and can easily be specified in the browser settings. VPN requires an access software to connect, which encrypts or decrypts the data.

🔒 Password protection And Smart Home Devices

As I wrote above: If you neglect the security of your devices, it directly affects the integrity of your personal information.

  • The intelligent handling of your passwords is absolutely crucial. You should use a password manager and show some skepticism about biometric passwords; those are far from secure! It may be convenient to unlock your mobile phone or certain websites with your finger or face. But firstly, biometric access data can easily be falsified and secondly, you usually have only a limited number of fingers and one face, which means that as soon as this information gets into other hands, the game is over anyway. Fingerprints in particular are very easy to reproduce. If your fingers can be seen on photos from the front (don't make a victory sign into the camera), and the picture was taken in a reasonable resolution, they can be copied. Hacker collectives already showed this in 2014, when they replicated the fingerprints of top European politicians. The same applies to cloning based on used objects, such as a water glass. Somewhat more ambitious but by no means impossible: Experiments show that similar approaches fool iris and facial recognition.
  • Move away from passwords and towards passphrases. Anything under 10 characters is really a joke. And complex, improbable phrases like Ihavealwaysbeen110%satisfiedwithmyWindowsPhone#yolo are perfect.
  • Is it really surprising that certain smart home devices are spying on you? So I'll skip a long introduction and instead stir up some excitement about a new Maker Monday video coming out soon: We will show you how to put a Google Home Speaker in its place so that it functions just as it should.

All right, that was part 1/2. Here's part 2/2, where I not only show you how 90% anonymity on the Internet can be achieved, but why it is so damn exhausting to crack the remaining 10%.

Any thoughts on your mind until then? Our comment area never fails to listen!