This article was published in the October 2015 issue of Maximum PC.
We reveal who's watching you online and the best ways to shut them out
Picture the scene. You're minding your own business, happily downloading torrents, when the FBI storm your room and drag you to jail faster than you can say "fresh meat." This actually happened… in South Park. In reality, your pert posterior probably won't be in danger of hosting uninvited appendages quite so quickly, but the wrong kind of Internet activity can still land you in hot water.
Assuming you're not pirating, there's nothing inherently wrong with guarding your personal details and browsing habits. If photos of Miley Cyrus's underarm gardens float your boat, why should anyone be able to eavesdrop on your antics? In fact, it's far more likely that your privacy is compromised by advertising agencies than anyone else. From a simple Google search, to pretty much any ad-funded website, your browsing behavior can be tracked to establish which ads you're most likely to click on.
Fortunately, there are plenty of ways to prevent this monitoring. We'll show you some of the best options, from simple tricks to more hardcore solutions that can shield you from almost any surveillance. But before the juicy stuff, a shameless disclaimer. Any tips, guides, or methods in this feature are not guaranteed to protect your anonymity. If you use them to hide illegal activity, don't come crying to us if you're identified, extradited to Guantanamo, and have electrodes stuck where the sun don't shine.
Hit the Road to Anonymity
From blocking cookies to hiding your IP address, here's how to get off the grid
Internet privacy tends to make headlines with stories of autocratic governments spying on their citizens, creating the impression that we're all careering straight into an Orwellian dystopia. But while state surveillance is undeniable, the first invasion of your privacy is far more likely to come via a humble Google search. Although apparently anonymous, Google has a habit of tracking your searches in order to bombard you with ever-more personalized advertising. By contrast, a search engine such as www.duckduckgo.com generates unbiased search results without the added user profiling or tracking.
Unlike Google, DuckDuckGo doesn't keep tabs on your web searches.
Switching to a less profit-driven search engine will certainly help you on the road to anonymity, but visit a few websites and inevitably you'll receive cookies. These tiny text files are usually perfectly legitimate ways for websites to record things, such as frequently viewed items, so they'll appear on your next visit. But, just as dear Toothless, How To Train Your Dragon's wouldn't-hurt-a-fly dragon, was turned to the dark side, so too can be the humble cookie.
Tracking cookies are much more invasive and compile records of your browsing habits and personal details in order to target you with specific adverts. Since 2011, US law has increased cookie awareness by requiring websites to display those homepage banners that you can't miss, but it's really just a token nod.
A more promising attempt at keeping your browsing less trackable is the Do Not Track HTTP header, now integrated into all common web browsers. When activated, websites are requested not to use tracking cookies. However, the key word there is "requested," as while Do Not Track may be great in theory, the feature can't actually prevent websites and advertisers from tracking you. There's no law to say they can't completely ignore a DNT request.
Clear the Slate
So, it's entirely up to you to stay anonymous. Clearing your browser cache and cookies through your browser's settings is a start. You can also use clean-up software such as CCleaner (www.piriform.com/ccleaner) to delete cookies, temporary Internet files, and various other web leftovers from multiple browsers in one go.
Once you've got a clean slate, start utilizing private browsing modes for more than just keeping your foot fetish under wraps. Whether it be Microsoft's InPrivate feature, Firefox's Private Browsing mode, or Incognito in Chrome, all do a pretty good job of preventing nosey tracking cookies from setting up camp on your PC. But even without going into full-on porn mode, the big browsers also allow you to block third-party cookies. While this doesn't create an impenetrable wall, it's a lot more effective than the pathetic Do Not Track request.
Another easy way to regain control of your Internet anonymity is by exploiting browser extensions to close privacy loopholes. Active web content such as Java, Flash, and Silverlight can be used to obtain system information without your knowledge and piece together various browsing habits. Automated scripts can also be potential security risks, so controlling exactly what web content can and can't run is a good thing. Browser extensions like NoScript for Firefox and ScriptSafe for Chrome allow you to do exactly that, blocking all active web content and asking for your approval before letting it run. At first, these extensions can be almost as annoying as User Account Control, but the more you use them, the smarter and less intrusive they get.
Spot the Spies
The problem is, even when web tracking is largely legitimate, the fact that it happens mostly without your knowledge inevitably provokes distrust. Wouldn't it be great if you could see exactly who's trying to sneak information about you and stop them in their tracks? Well, that's exactly what extensions such as Ghostery and Disconnect do. Both are available for IE, Firefox, and Chrome.
With a simple browser extension like Disconnect, you can see who's tracking you.
With a simple browser button, you can see a list of all the active advertising, analytics, and social media tracking organizations on a current webpage. You're even able to control which ones can collect information about your browsing session. Both extensions are dead easy to use and far less troublesome than script-blockers. Plus, unlike private browsing modes, which simply stop tracking organizations from leaving cookies, these extensions can actually prevent them from monitoring you. Far more effective.
However, just because your browser is locked down doesn't necessarily mean your system is secure. Any malware already present on your PC may still be snooping on you, and carelessly downloading the wrong zip, executable, or even PDF file can also transmit your personal details to unintended recipients.
In an ideal world, any suspect file should be opened on a computer that's permanently offline, but since that's easier said than done, you can get similar protection by installing a virtual machine. Two powerful yet free options are VMware Player (www.vmware.com) and VirtualBox (www.virtualbox.org). With one installed, all you then need to do is set up a free Linux distribution within it. Before opening a suspicious file, ensure the virtual machine has no Internet access and take a snapshot (similar to creating a System Restore point) to revert back to once you've dealt with the suspicious file.
Even better, why not do away with the virtual machine altogether and create a live Linux environment that's run entirely from a USB flash drive? Using a regular Linux ISO image, tools such as LinuxLive USB Creator (www.linuxliveusb.com) will produce a portable, bootable, and self-contained Linux OS that can be run from any host computer with no reboot required. As no files are modified on the host system, a live Linux environment can be used away from home, at an Internet café, for example.
Encrypting Email
Email attachments aren't the only way that your privacy can be compromised. Your actual written email correspondence is also far from anonymous. Way back when Google launched Gmail with its immense (for the time) 1GB storage limit, it was, unsurprisingly, less keen to market how this capacity was funded. Google did, and does, scan email content in order to target you with personalized ads, and Yahoo is up to the same tricks. So when you next see ads for both Miley Cyrus's latest album and Veet appear by your emails, you'll know why.
Here's what an encrypted email looks like. Stare at it long enough and you'll see a silhouette of Jesus.
Thankfully, there's no shortage of ways to keep your emails tight. If you're serious about email anonymity, providers such as Hushmail (www.hushmail.com) offer built-in PGP email encryption and no advertising. Email another Hushmail user and your message is automatically encrypted when sent and decrypted when read. Email a non-Hushmail recipient and you can still use encryption, but require them to answer a secret question before the message can be read. Clever stuff, but you'll need to part with $35/year for it, or there's a free version if you can stick to a 25MB storage limit.
Alternatively, you can also encrypt mail sent via webmail accounts like Gmail, Outlook, and Yahoo, by using a desktop email client such as Mozilla Thunderbird, plus a few other tools. With Thunderbird installed and configured as your email client, download and install the free GNU Privacy Guard encryption software (www.gnupg.org), and then the Enigmail Thunderbird extension (www.enigmail.net), and follow the configuration wizard. If that all sounds like overkill for sending a couple of anonymous messages, then consider a disposable email address instead. Guerrilla Mail (www.guerrillamail.com) and Mailinator (https://mailinator.com) both fit the bill, letting you quickly send and receive anonymous mail with no incriminating signup processes or content scanning.
The wonders of encryption can also keep instant messaging secure. Apps such as Cryptocat (https://crypto.cat) will integrate with Chrome, Firefox, or Opera, giving you an encrypted chatroom to converse with other Cryptocat users. To minimize traceability, there are no static user accounts, so you create a dynamic username each time you connect. Once in, you can start your own conversation or type the title of one that's already active to join in. No group conversations are private though, so anyone who requests your conversation name is free to participate. However, you can select an individual participant for a private chat, as well as sending encrypted files and photos.
It looks worse than the original MSN Messenger, but Cryptocat is great for anonymous IM.
The Big Bad World
Exposing and blocking advertisers or encrypting email can certainly help you take back some control of your privacy, but it's not enough to keep you and your location hidden. Whenever your computer is connected directly to the Internet, you're still flying well above the radar unless you've taken some measures to conceal your IP address.
There are numerous ways to hide your IP address, but do you need to? The gatekeeper of your identifiable details is your Internet service provider. But, in the United States at least, they're unlikely to phone the 5-0 if you've torrented your favorite Justin Bieber song, though they probably should on the grounds of crimes against taste.
The US Copyright Alert System is more lenient than you might imagine. If you're found illegally downloading a copyrighted file by the rights holder, they can record and submit your IP address to ISPs participating in the alert program. If one ISP happens to be your provider, then you'll be sent a copyright infringement notification letter informing you of ways to avoid future breaches. You get up to six warnings. By the fifth or sixth warning, ISPs may start throttling bandwidth or using various other measures to make naughty subscribers play ball. Even then, however, ISPs aren't automatically required to disconnect subscribers or disclose personal details to the copyright holders.
The recent hack of Ashley Madison highlights that our privacy is often left in the hands of others. For better or worse.
This all sounds refreshingly forgiving, but relying on your ISP to protect your identity isn't advisable. Even when most providers are reluctant to divulge your details (snitching on you to the cops isn't a great way to ensure customer loyalty), sooner or later they'll bend over and give in to the long greasy arm of the law.
Just take the ongoing case of Voltage Pictures. The production company behind The Hurt Locker and Dallas Buyers Club has developed a reputation for being a copyright troll, by sending threatening letters, demanding financial compensation, to alleged pirates. Voltage claims to identify the pirates by collecting IP addresses from BitTorrent swarms, though serious questions remain over the reliability of the evidence. After resistance from ISPs, the firm has gained court orders in several countries, including the United States, that force ISPs to hand over details of the customers linked to those IP addresses.
Those customers then receive letters that threaten legal action if a financial settlement is not agreed upon. No matter how dubious the evidence, however, defending your corner will be expensive. In one series of cases in Chicago, defense costs were estimated at up to $50,000, making it unsurprising that many chose to settle with Voltage for around $5,000.
Now, to make it clear, we absolutely don't condone copyright infringement. The degree of financial damage that piracy has on the entertainment industry may be questionable, as might be attempts to fine illegal file-sharers a zillion times the cost of an equivalent legit download. But unless it would be ethically and financially viable for everyone to cheat the system, then exceptions can't be made for a few. However, not all torrents infringe copyright, so here are a couple of ways to keep legal torrenting anonymous.
Torrenting
Firstly, use a seedbox. This is effectively a remote server that you can log into via a webpage and use to download and upload torrents on your behalf. Completed torrents can then be transferred from the seedbox to your computer via FTP, therefore preventing any torrent traffic being directly associated with your home IP address. Some seedboxes won't allow connections to public torrent trackers though, therefore restricting you to private trackers and possible ratio requirements. It's likely you'll have to part with at least $5/month to use one, but then freedom isn't free. It costs folks like you and me.
Another option is to try a proxy server, such as BTGuard (https://btguard.com). These have the effect of hiding your IP address from other members of a torrent swarm by funneling torrent traffic via a proxy (intermediary) server computer. If prying eyes are monitoring IP addresses connected to a certain torrent, they'll see your proxy's IP, not your own. And from the other end, your ISP will only see you connecting to a proxy service, rather than a torrent tracker. It's not an impenetrable system though, as the proxy server itself may be a weak link. Should the provider keep records of its users and traffic, the paper trail could lead back to you. It's therefore vital to do your homework before picking a proxy, especially as you'll be shelling out a monthly fee that's similar to a seedbox subscription. Free proxy servers are also around, but it's likely their bandwidth will be low and downtime high. And don't expect them to put up much of a fight if asked for your details.
Proxy servers by nature aren't just useful for anonymizing torrent traffic though. Your web browser can also be easily configured to connect to webpages via a proxy server, thereby hiding your IP address and also circumventing website blocks implemented by your ISP. It can even be possible to view country-specific video streaming services from abroad, though smart JavaScript or Flash implementation may help content providers sniff out your true IP and deny you access. This also highlights a general concern with proxy servers, as while they insert a hurdle to make tracking more difficult, they don't conceal the entirety of your Internet traffic from source to screen.
Tor of Duty
One way to get closer to this level of security on the cheap is to use Tor, aka The Onion Router. If there's an element of the Internet that divides opinion—even more than the contents of Sickipedia—it's Tor. On the one hand, if you live in downtown Shanghai and want to access pretty much any western website, it's a godsend. But if you're a disciple of Chairman Mao, or even a western politician with a fear of what the proletariat might get up to, out of sight of your security agencies, then Tor is about as welcome as Bill Cosby is, well, anywhere.
In essence, Tor has the same effect as a proxy server, fooling monitoring systems by faking your computer's location. But it considerably boosts your anonymity by passing your Internet data packets through multiple encryption servers (nodes) before they emerge on the open Internet (clearnet) and scoot off to your requested website.
As your IP address is concealed by so many encryption servers, you get multiple layers of protection rather than just a single proxy server barrier, and the result is analogous to the layers of an onion. However, Tor can also be eye-wateringly annoying. The numerous encryption servers that relay your data within the Tor network inevitably create speed bottlenecks, and, being volunteer-run, demand usually outstrips available bandwidth. You can't just access the Tor network via any old web browser, either, as Tor requires its own modified, standalone browser, though this is a derivative of Firefox.
Browsing the web with Tor can be a frustratingly slow experience.
What's more, while Tor does make it very difficult for agencies to perform traffic analysis, it's not completely safe. The final Tor node that a packet is relayed through before exiting onto the clearnet is known as the exit node. There are more than 1,000 of these active at any one time, and though unlikely, it is still possible to eavesdrop on an exit node, as the data emerging there is unencrypted.
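A toy model of the layering and the exit-node weakness described above, added here as an illustration and not taken from the article or from Tor's own code. The relay names, keys, destination, request, and the SHA-256/HMAC stand-in cipher are all constructed assumptions; real Tor uses its own cell format and negotiates a key with each relay when it builds a circuit.

```python
"""Toy onion routing: NOT Tor's real cell format, handshake or ciphers."""
import hashlib
import hmac
import json
import os

# Constructed sample values (assumptions, not from the article).
PATH = ["guard", "middle", "exit"]                 # entry relay -> exit relay
KEYS = {name: os.urandom(32) for name in PATH}     # real Tor negotiates one key per hop
DEST = "example.org:80"
PAYLOAD = "GET /login?user=alice HTTP/1.1"         # plain HTTP, no TLS


def _keystream(key, nonce, length):
    """SHA-256 in counter mode, standing in for a real stream cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, layer):
    """Encrypt and authenticate one layer (a dict); returns a hex blob."""
    plain = json.dumps(layer).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return (nonce + tag + body).hex()


def peel(key, blob_hex):
    """Remove one layer; raises ValueError if the key does not match."""
    raw = bytes.fromhex(blob_hex)
    nonce, tag, body = raw[:16], raw[16:48], raw[48:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("this layer was not encrypted for this relay")
    plain = bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))
    return json.loads(plain)


def build_onion(path, keys, dest, payload):
    """Client side: wrap the request once per relay, innermost layer first."""
    layer = {"next": dest, "data": payload}        # only the exit relay reads this
    for name in reversed(path):
        layer = {"next": name, "data": seal(keys[name], layer)}
    return layer                                   # outermost: hand 'data' to the guard


def route(packet, keys, sender="client"):
    """Pass the onion along the circuit and record what each relay can observe."""
    views = []
    while packet["next"] in keys:
        relay = packet["next"]
        inner = peel(keys[relay], packet["data"])
        views.append({"relay": relay, "from": sender,
                      "to": inner["next"], "data": inner["data"]})
        sender, packet = relay, inner
    return views, packet                           # packet is what reaches the clearnet


if __name__ == "__main__":
    views, leaving = route(build_onion(PATH, KEYS, DEST, PAYLOAD), KEYS)
    for v in views:
        shown = v["data"] if len(v["data"]) < 60 else v["data"][:24] + "... (ciphertext)"
        print(f'{v["relay"]:>6}: from={v["from"]:<6} to={v["to"]:<14} data={shown}')
```

The guard's record holds the client as sender but only ciphertext, while the exit's record holds the destination and the request in the clear without knowing who sent it. The exit can read the request because it is plain HTTP here rather than HTTPS.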
Freenet
An alternative anonymous network without this weakness is Freenet. This is different to Tor in that it's not a means of accessing the clearnet anonymously, but rather a secure network in which to communicate and share files within trusted circles of contacts. Freenet uses a peer-to-peer model and allocates a portion of your hard drive to store Freenet data and serve it to the network. This is encrypted, as is all the data passed around Freenet, and thanks to such comprehensive end-to-end encryption, Freenet is almost impossible to penetrate and is ideal for anonymous communication and file sharing.
Freenet is a private peer-to-peer network that's completely under the radar.
Users are also able to create and host Freesites, which are static websites hosted within, and only accessible from, the Freenet. There are also plugins for anonymous email, social network-style communication, and forum contact. However, as with other peer-to-peer filesharing systems, transfer speeds are seed-dependent—don't expect the overall speed of the network to be lightning-fast.
Going Virtual
Though networks like Tor and Freenet are useful for protecting privacy, their slow and limited functionality hardly makes them ideal. To go totally incognito with the fewest possible restrictions, you need a Virtual Private Network (VPN).
Where services like BTGuard will hide torrent traffic, and Tor can keep web browsing anonymous, a VPN will hide the entirety of your Internet traffic inside an encrypted tunnel. Traditionally, VPNs have been used by companies with employees working off-site, but now they're increasingly popular for the average Joe wanting to preserve their privacy. To exploit a VPN, firstly you'll have to hand over at least $5/month to subscribe to one of the huge number of personal VPN providers out there, and you'll also need to install that provider's client software so you can access your VPN tunnel. Inside the tunnel, data is encrypted to various degrees, depending on the quality of VPN you choose.
Similar to the potential Tor exit node vulnerability, the weakest links of a VPN tunnel are its entry and exit points. The VPN server is able to see all data that goes into and out of the tunnel, so if you want to sleep at night, leave no stone unturned in ensuring your VPN provider doesn't log any user details or monitor traffic. It's also a wise move to select a company that accepts payments by Bitcoin, to avoid any potential privacy breach that could occur if paying by credit card or PayPal. For more information on VPN providers, as well as comprehensive reviews, check out www.bestvpn.com.
Before signing up to a Virtual Private Network, read the reviews at www.bestvpn.com.
With this amount of privacy protection in place, you'll now be well and truly under the radar. Still paranoid? It could be time to hone those Bear Grylls skills and get completely off the grid.
Paranoid or Prudent?
Several years ago, you'd have had a tough time finding a dartboard in the Pentagon without Julian Assange's face on it. But that all changed in 2013, when his position as arch-intelligence enemy was taken by a US National Security Agency contractor by the name of Edward Snowden. Snowden leaked up to 1.7 million classified documents, revealing the extent of mass surveillance around the globe.
Key revelations included the existence of PRISM: a partnership between the NSA and numerous major Internet companies, including Google, Apple, Microsoft, Yahoo, and Facebook. PRISM enables the NSA to access the emails, documents, photos, and personal details of any non-US citizen, outside of the US, from its participating companies, without having to specify an individual target or communications method.
That, however, doesn't mean US citizens can rest easy. Indeed, a leaked NSA inspector general's report stated the "NSA maintains relationships with over 100 US companies" and that the US has the "home-field advantage as the primary hub for worldwide communications." One leaked court order, for example, revealed Verizon has been told to hand the NSA details of all calls in its systems, in bulk, on an "ongoing, daily basis."
Snowden's leaks also revealed that the UK's Government Communications Headquarters (GCHQ) taps around 200 fiber-optic cables carrying global Internet and telephone data, amounting to up to 600 million daily communications. Data, stored for up to 30 days, is shared with the NSA.
Snowden's leaks also detailed how the NSA had collected over 200 million global text messages per day. The really scary bit? This surveillance was able to gain information on individuals who were not under any criminal suspicion.
Hacking the Hackers?
Of all the people on the Internet, you'd think hackers would be more paranoid than most when it comes to privacy. But that didn't help those using infamous hacking forum Darkode, which was recently taken down by the authorities in 20 countries, as part of the FBI-led Operation Shrouded Horizon. A site frequented by cybercriminals, Darkode was essentially a marketplace for botnet services (think DDoS attacks), stolen credit card and banking details, zero-day exploits, and various other nasties.
The takedown is notable for the fact that Darkode was one of the major English-language hacking forums in the world (there are believed to be over 800 hacking sites worldwide, but the vast majority are not in English). It was also significant for being visited by members of Lizard Squad, a group of hackers who claim responsibility for carrying out high-profile attacks on the likes of Sony and Microsoft.
The clampdown is an obvious boon for the security services, but it also highlights the importance of privacy, particularly as Darkode members were known to boast about how the site was impenetrable and used so-called "bulletproof" hosting providers. Potential users could also only gain access to the site if their name was put forward by an existing member. It sounds good in theory, but as ever with any kind of security, the weak spot was the human element. The site was ultimately taken down due to the fact that the FBI managed to infiltrate the Darkode membership itself.
As part of the operation, 28 people were immediately arrested for cybercrime offences. That quickly climbed to 70 people around the world, a number expected to rise higher and higher, now that the Feds have full access to the site and the transactions that have taken place.
The Darknet
Ahh, the darknet. It's a shame this gets such bad press, as its name sounds cooler than Clooney dipped in LN2. The darknet is part of, though not the same as, the deep web. This broader term encompasses any part of the Internet that cannot be indexed by search engines, such as webpages beyond a personal login. The darknet's difference is that it's anonymous and inaccessible via a standard browser. Tor has become the most notorious darknet network, partly for its ability to circumvent governmental censorship, but mostly because of its hidden services. These are usually websites set up to only be accessible from connections routed through Tor encryption nodes from the Tor browser.
Unsurprisingly, hidden services tend to be organizations with a vested interest in anonymity, so you'll find The Pirate Bay has a hidden service on Tor, and the area of Wikileaks for uploading sensitive documents is also concealed here. More surprising is that Facebook also has a Tor service, though it's more for allowing oppressed Syrians to communicate with the outside world than to stop your bunnyboiler ex from tracking you down.
But the hidden service that really put Tor on the map is the now-defunct Silk Road. With its layered encryption, Tor is the perfect place for accessing the less wholesome things in life, and Silk Road was a global marketplace specializing in the drug trade. It may as well have been run by Walter White, but its actual creator, one Ross William Ulbricht, was caught and Silk Road got shut down. However, this wasn't down to weaknesses in the Tor network, but rather Ulbricht's sloppy promotion of Silk Road in open Internet forums being matched to an email address of rossulbricht@gmail.com. #Facepalm.