Securing your connection
Activists in countries where the web is heavily censored and internet traffic is closely monitored know that using a virtual private network or VPN is essential for remaining invisible.
A VPN is like a pair of curtains on a house: people know you are in but cannot see what you are doing. This is achieved by creating an encrypted tunnel via a private host, often in another country, through which your internet data flows. This means that anyone monitoring web traffic to find out persons of interest is unable to do so. However, the very fact that you are using a VPN may raise eyebrows.
An increasing number of VPNs promise truly anonymous access and do not log any of your activity, such as ExpressVPN and Anonymizer. However, access to some VPN providers is blocked in some countries and their accessibility is always changeable.
Know your onions
One of the internet’s strengths is also one of its weaknesses, at least as far as privacy is concerned. Traffic passes over the internet in data packets, each of which may take a different route between sender and recipient, hopping between computer nodes along the way. This makes the network resilient to physical attack – since there is no fixed connection between the endpoints – but also helps to identify the sender. Packets contain information on both the sender’s and recipient’s IP address so if you need anonymity, this is a fatal flaw.
“Onion” routing offers more privacy. In this, data packets are wrapped in layers of encryption, similar to the layers of an onion. At each node, a layer of encryption is removed, revealing where the packet is to go next, the benefit being that the node only knows the address details of the preceding and succeeding nodes and not the entire chain.
Using onion routing is not as complicated as it may sound. In the mid-1990s, US naval researchers created a browser called TOR, short for The Onion Routing project, based on the concept and offered it to anyone under a free licence.
Accessing the dark web with the Tor browser is a powerful method of hiding identity but is not foolproof. There are a number of documented techniques for exploiting weaknesses and some people believe that some security agencies use these to monitor traffic.
Put the trackers off your scent
Every time you visit a popular website, traces of your activity are carefully collected and sifted, often by snippets of code that come from other parts of the web. A browser add-on called Ghostery (ghostery.com) can show you just how prevalent this is. Firing up Ghostery on a recent visit to The Los Angeles Times website turned up 102 snippets of code designed to track web activity, ranging from well-known names such as Facebook and Google but also lesser known names such as Audience Science and Criteo.
While some of this tracking has legitimate uses, such as to personalise what you see on a site or to tailor the ads that appear, some trackers, particularly in countries where there are lax or no rules about such things, are working hard to identify you.
The problem is that trackers can work out who you are by jigsaw identification. Imagine you have visited a few places on the web, including reading an online article in a banned publication and then flicking through a controversial discussion forum. A third-party tracker used for serving ads can now learn about this behaviour. If you then subsequently log into another site, such as a social network, that includes your identity, this information can suddenly be linked together. Open-source browser extensions such as Disconnect (disconnect.me) offer a way to disable such trackers.
Use the secure web
A growing number of popular websites force visitors to connect to them securely. You can tell which ones because their addresses begin with https rather than http. Using https means that the website you are visiting will be authenticated and that your communications with the site are encrypted, stopping so-called man-in-the-middle attacks – where a malicious person sits between two people who believe they are communicating directly with each other and alters what is being communicated. Google, as well as using https for both Gmail and search, is also encouraging other websites to adopt it by boosting such sites up the search rankings.
Rather than remembering to check you are using https all the time, some people employ a browser extension created by the Electronic Frontier Foundation and the Tor Project called HTTPS Everywhere to do it for them. It is available for Chrome, Firefox and Opera and forces browsers to user https versions of sites where available.
Hide your fingerprints
Traditional identification methods on the web rely on things like IP addresses and cookies, but some organisations employ far more sophisticated techniques, such as browser fingerprinting. When you visit a site, the browser may share information on your default language and any add-ons and fonts you have installed. This may sound innocuous, but this combination of settings may be unique to you and, while not letting others know who you are, can be used to associate your web history with your browser’s fingerprint. You can see how poorly you are protected by visiting panopticlick.eff.org.
Mark Frary is a journalist and co-author of You Call This The Future?: The Greatest Inventions Sci-Fi Imagined and Science Promised (Chicago Review Press, 2008)
This article is from the Autumn issue of Index on Censorship Magazine. You can order your copy here, or take out a digital subscription via Exact Editions. Copies are also available at the BFI, the Serpentine Gallery, MagCulture, (London), News from Nowhere (Liverpool), Home (Manchester), Calton Books (Glasgow) and on Amazon. Each magazine sale helps Index on Censorship continue its fight for free expression worldwide.