Remember Snowden and how he told us about NSA eavesdropping on our online activity? If so, what are you doing to make their job more difficult?

Foreword

Let’s make something absolutely clear before I start outlining methods and software for you to help with hiding your online fingerprint: to my experience there is no way to become 100% anonymous. If there is, don’t hesitate to submit your solution in the comments!

The good thing is that there are multiple things you can do to minimize the risk of getting eavesdropped on by state (NSA, FBI), non-state (hacktivists) and criminal actors!

In the list below I’ll be outlining some good methods to at least make your digital footprint smaller.

The Onion Router (TOR)

Ever seen Shrek? If so I’m sure you have seen that funny scene when Shrek tells Donkey about how ogres are like onions in the way that they both have layers. TOR shares that notion.

If you have any knowledge of how HTTP requests/responses works you will know that when you want to browse to http://www.google.com your computer (the client) sends a request to the (or a, in this case) server at Google that then sends an appropriate response back (obviously there are A LOT of other things happening too…).

One of the things being transmitted in the HTTP request/response chain is the IP of the client (you) and the server (Google). The IP-address is in most of our cases is the address of our end-point (usually a router in a home-network). This address is generally speaking supplied to us by an ISP (Internet Service Provider) and may change from time to time.

That means that by traditional means if someone WAS listening in on your traffic he/she would see that you are attempting to access Google (because that’s the IP you are requesting a HTTP response from). Here is an extremely basic example of the request-response chain:

What TOR does (and which is really quite clever) is that it supplies you with a bunch of proxies (computers) through which you pass until you hit your original target (Google).

So the request-response chain would be different when running the TOR browser:

You start the TOR browser and navigate to Google. TOR finds an appropriate network to funnel your request through by using a predefined list. Your request is encrypted through an open connection between x proxies, each only knowing the address of the next and previous nodes. The request reaches your target (Google) and the HTTP response is sent back in the same fashion, through the same funnel your request used and the connection is closed between the nodes. You receive the HTTP request from the server.

Here is another visual representation of how such a chain could look.

So, is using TOR the silver-bullet to the question of how to become anonymous online? Of course not!

As with everything else in life there are flaws using the TOR browser. One problem is efficiency, sending your requests through a bunch of proxies are bound to take a longer time than doing it in the more traditional sense. This isn’t really a problem when it comes to anonymity, though. It only means that using TOR might take a bit longer time than you normally are used to.

Secondly (and this one might be important to know about!), some of the network’s and their end nodes might be operated by malicious users (again, anything from state to criminal actors). Meaning that a server might have been donated to the TOR network and that whenever traffic passes through it the traffic is saved for malicious use.

So the risk is that you might be using the TOR browser to avoid being detected by someone who might already be part of the network and you might be running straight into them unwittingly, thinking you are safe.

However, TOR is a great supplement to other ways of encrypting your traffic online. It’s important to remember that there are no 100% proof ways of being anonymous online unless you simply don’t go online. Just remember, anyone could be listening.

Virtual Private Network (VPN)

VPNs were widely popular (and still are) in corporations a few years back as they allow users to securely connect to their work computers from home. Nowadays there are a few other usages of a VPN.

If you live in a country where you are unable to view certain websites you can use a VPN to spoof your location. Basically making your connection to a website seem as if you live in Stockholm rather than in London. If you are like me this could potentially help you watch some restricted videos on YouTube, but can also help an individual who wish to know what actually is happening outside of his censored country.

Another reason as to why you might want to use a VPN is because it uses encryption to ensure that the connection that it has established will be secure, at least in many of the cases. Depending on what sort of VPN you are using you would have established a connection to an encrypted server or proxy from which you would be doing all your actual browsing. Meaning everything that you do online would be encrypted, which always is a great thing. But in some cases an absolutely brilliant thing (read, when on a public WiFI).

There are a literal plethora of VPNs that are readily available to the public nowadays. You can either go for the traditional route where you establish a connection to your own network, or you can simply get a browser plugin that establishes a connection between your computer (client) and another person’s server / an organisation’s server.

Not only would the connection that you establish ensure that whatever browsing you are doing are coming ‘out of their’ server, but it also should be encrypted. That means that if someone would be listening to the data you are transferring between your computer and the server, it wouldn’t be plain text for the malicious actor.

One great VPN is TunnelBear. It’s a “free” VPN that gives you a 500mb allowance / month and any additional data you use will have to be paid for. It seems to be widely recognized as one of the better ones on the market. As always, do your own research!

Services

In our daily lives we use a plethora of services ranging from email-software to search engines, but which ones are actually safe to use?

I’m of the opinion that if you wish to become anonymous you would be better off starting by limiting your usage of services that actors might be eavesdropping on rather than how to encrypt your traffic. This is not to say that you should be using lesser known services, as these might not have passed through the necessary security checks as more widely known services would have. But it is a worthwhile thing to think about what your data is being used for and who it might be shared with.

That way you get a more tangible feel of security and generally speaking the quicker you get rid of certain services, the easier it would be for you in the longer run. Consider how embedded you are with Google (if you use Android) or Apple if you use an iPad or iPhone. What if any of those corporations suddenly decided to share your emails with the government? Something that may or may not be occurring now. We do know that Google scans emails and I wouldn’t be surprised if other corporations at least do that.

We also know that Google is keeping track of our search history, or that the search history gets shared with a third-party as we get tailor-made ads that are based of these searches.

So, keeping of these things in consideration, how could we become more anonymous online? Easy, stop using the services. But what should we be using instead, you might be asking? Here are some alternatives and why you should be considering them!

First off, I want to make sure you realize this is by no means a perfect solution, but it’s a very good one.

ProtonMail is an email provider that hosts its servers in Switzerland (already sounds good, doesn’t it?), it uses two passwords to login (one to authenticate yourself and one to authenticate that you have access to the mailbox) and it allows its users to send either secure emails (sharing a password with an external user) or insecure emails. What I mean with this is that if I wanted to send an encrypted email to my girlfriend I would share a password with her; preferably either with a trusted third party or with her in person. Then any correspondance that we would be making would be encrypted with my key (since I’m using ProtonMail) and she will have to manually input the key to see the decrypted email I’ve sent her.

The strike through text is no longer the ProtonMail’s default setting.

But what makes ProtonMail truly stand out is that the emails are all encrypted and only decrypted once you successfully enter your second password (see above), which never is passed to ProtonMail, but rather used to authenticate you on the client-side. This ensures that even if ProtonMail wanted to share your emails they would first have to somehow gain access to that password to feasibly decrypt the emails.

Another neat functionality is that encrypted emails (sent) can be set to a timer after which the email is unreadable, which possibly opens a road down the Mission Impossible rabbit-hole. (“Your mission, should you accept…”).

Why might it be important for you to change your default search engine? For multiple reasons.

Say you are using Google to search for ‘Bob and Alice PGP’. This search would then likely be stored together with your IP (basically your address, as talked about above). Additionally if you are logged in to Google you would also have your username and email tagged in the stored data. That means that not only is Google able to track what you have searched for, but also where you have searched for it (ie. they can track if your IP has changed). This obviously helps them build a more detailed profile of you, which helps them target certain search terms to you better.

You might think that this doesn’t matter because you don’t use Google, which might make sense. But most of the major search engines store your search history, even though the stored data is anonymized after a set amount of time.

You might think “Great, this means that your search for ‘How to get a pet tiger’ 5 years ago is now anonymous”. However, that’s not the case. All that really happens when the search is anonymized is that part of the IP is being sliced away, which means that your user agent (basically meaning you) might still be reconstructed and therefore tied to the search.

Bottom line is regardless of if you have been stupid enough to use a search engine to search for something indecent or illegal, this is being stored. Heck, even if you haven’t done anything bad online you should be concerned. You might not want people to know that you searched for “How to boil pasta”…

What Duck Duck Go promises its users are a search engine that doesn’t store any of the users searches, which basically means that regardless of what you search for you will get the same results as anyone else. No targeted ads, no targeted news or articles who tell you how stupid you are for not knowing how to cook pasta. I was young and stupid, OK?

That’s it from me this time around. Obviously there are a BUNCH of other things to take into consideration when trying to stay anonymous and keeping your data safe online.

Hopefully this article has helped open your eyes to how your data is used online and how to limit people from making use of you and your information.

If there is a subject you feel like I’ve missed or if you have suggestions about the next post, go ahead and leave a comment! 🙂