From an upcoming article from the Law Practice Magazine.
Stories about government and business monitoring of citizens have fanned interest in what can be done to remain anonymous. Attorneys understand and expect that when they visit a website their location, recent browsing history and interactions with other sites may be recorded. Less understood is what data is being gathered and how to prevent it.
People surfing the Net feel as if they were Kung Fu, gliding along the rice paper, leaving no trace of their passage, blissfully unaware of the cameras. The monitoring that occurs on the Web is difficult to visualize and easy to ignore. A simple tool that can illustrate web tracking is Collusion. This plug-in for Chrome and Firefox provides information on how data is monitored from tracking company to tracking company to service provider. It puts a small button on the browser and provides a real-time count of the number of trackers affiliated with the sites visited. When clicked, it displays a map of all the trackers associated with your browsing session, together with those active on the visited site.
A free companion product is Disconnect (https://disconnect.me). It provides listings of all entities “listening in” along with notes on the security level of the page being visited. Using Disconnect, you can view the ‘listeners’ and selectively disable sharing information with them.
Local versus Remote Anonymity
Controlling anonymity means using tools and settings that manage one or both ends of the connection. Local anonymity is the ability to avoid leaving traces on the machine in use, such as transaction cookies, history files, form data, autocomplete, and temporary files. Remote anonymity ensures that the service you are using is encrypted and that the target system cannot determine—or erroneously determines—information about you, your location and the circumstances of use.
Web Browser Local Privacy Settings
As cloud service use grows, the sharing of unintended information rises exponentially. The relationship between a cloud service and a browser is based on exchanging the information we are working with, along with information relating to usage history, location and context of use. (Examples: Are you mobile or in a fixed location? What OS and browser are you using?) Modern browsers provide some controls to limit this. The most hyped and least effective tool is Do Not Track. IE 10 and Safari both enable it by default, while you need to manually adjust this with Chrome and Firefox. This setting provides notice to third parties to not track information provided by the browser. The problem? The provider still controls the decision to honor that request.
A more effective control is to create a session that doesn’t record usage and erases all information once you conclude the session. This service can be called up on demand:
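What that notice looks like on the wire, as an added example that is not part of the original article: the browser sends a `DNT: 1` request header, and the receiving service's own code decides whether to act on it. The tracker, its `honorDnt` switch and the sample requests are hypothetical.

```javascript
// Added illustration, not code from the article. The tracker, its store and
// the sample requests are constructed; only the DNT header itself is real.

// Node lowercases incoming header names, so look up "dnt" directly.
function dntPreference(headers) {
  const value = headers['dnt'];
  if (value === '1') return 'opt-out';   // user asks not to be tracked
  if (value === '0') return 'consent';   // user explicitly allows tracking
  return 'unset';                        // header absent or malformed
}

// A hypothetical third-party endpoint. `honorDnt` is the provider's own
// policy switch; nothing in the request can force it on.
function makeTracker(honorDnt) {
  const profiles = new Map();            // visitor id -> pages seen
  function handle(req) {
    const optedOut = dntPreference(req.headers) === 'opt-out';
    if (!(honorDnt && optedOut)) {
      const id = req.headers['cookie'] || req.ip;
      const pages = profiles.get(id) || [];
      pages.push(req.headers['referer'] || '(unknown)');
      profiles.set(id, pages);
    }
    // Same response either way: the browser cannot see what was stored.
    return { status: 204, body: '' };
  }
  return { handle, profiles };
}

// Constructed sample traffic: one visitor with Do Not Track on, one without.
const sampleRequests = [
  { ip: '198.51.100.7', headers: { dnt: '1', cookie: 'uid=a1', referer: 'https://news.example/story' } },
  { ip: '198.51.100.7', headers: { dnt: '1', cookie: 'uid=a1', referer: 'https://shop.example/cart' } },
  { ip: '203.0.113.9', headers: { cookie: 'uid=b2', referer: 'https://news.example/story' } },
];

// Feed the same traffic to a tracker and report what it ended up storing.
function replay(honorDnt) {
  const tracker = makeTracker(honorDnt);
  const responses = sampleRequests.map((r) => tracker.handle(r).status);
  return { responses, tracked: [...tracker.profiles.keys()].sort() };
}

console.log('honoring:', replay(true));
console.log('ignoring:', replay(false));
```

Both runs return identical responses to the browser; only the provider's stored profiles differ.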
- Internet Explorer provides InPrivate browsing and can be activated by using the Ctrl+Shift+P keys.
- Google Chrome provides Incognito, which is called by the Ctrl+Shift+N keys.
- Firefox provides a Private Window by clicking on the Firefox button and then selecting Private Window or by right-clicking a link and choosing Open in Private Window.
- Safari offers a menu option to enable privacy by clicking on Safari then selecting Private Browsing.
Force Encryption When Possible
Web sessions come in two flavors: “http” and “https.” The latter is the important one, as it designates that your connection to a Web server is encrypted. By default the Web server will provide unencrypted “http.” You can force your browser to use “https” by installing a small plug-in to your browser. In Chrome and Firefox use HTTPS Everywhere (https://eff.org/https-everywhere). However, in Internet Explorer and in Safari, no option currently exists to force “https.”
One consideration for forcing “https” is that it can affect the speed of the browser as the tool tries to complete an “https” connection to services that may not offer such access.
Hiding Behind a Proxy
Concealing and encrypting are a good start, but using an anonymous service such as a proxy service or virtual private network will help ensure your sessions remain private. The perceived requirements of technical skill, performance sacrifice and the discipline to remain anonymous diminish the desire to maintain anonymity, as most users prefer ease of use to security. Several online and local-use software tools can offset the need for technical skills. The sacrifice element is that several “useful” online services depend on having access to a normalized Web browser and may not be displayed properly in a more secure environment.
A great service to maintain anonymity on the Net is called Tor. Short for “the onion router,” Tor was developed to secure military communications but now serves as a hub for privacy applications. Tor runs on most operating systems and popular mobile platforms. Download it from app stores or download pre-configured Tor bundles (https://www.torproject.org/projects/torbrowser.html.en). Bundles come with a quick-start application that begins the encryption process and then starts up a hardened Firefox Web browser containing plug-in applications required to secure the session. To use the system, start your Tor client. Tor initiates a secure session and provides a window telling you the connection is secure and letting you see how you appear to remote systems.
This service will provide anonymity but you can violate that by downloading files that activate programs on your computer or by installing plug-ins that have the ability to report usage.
Need anonymizing services on the road? Remain hidden by using hosted services which provide access to the Web without leaving a direct trace. Most offer a basic free service with additional low-cost options for those who want faster service or fewer ads. Some examples of hosted services are:
- hidemyass.com, which provides free anonymous surfing and sells add-ons such as anonymous email and improved proxy service;
- anonymouse.org, a free quick-and-dirty service running for the past 16 years; and
- anonymizer.com, which provides a business class range of services for $79 per year.
Hiding YOUR Mail
Email is a prime target for snooping. Encrypted email systems can provide your clients with peace of mind. Encrypted messaging systems typically are Web-based and can provide the ability to securely store email and provide delivery tools for recipients to securely access it. Consider the following providers:
- Hushmail (hushmail.com). Hushmail has a great track record with free accounts available and professional accounts for $49/year. Hushmail provides secure email for organizations for $2 per address per month.
- Mailinator (mailinator.com). This site provides disposable, receive-only email. You provide an email address to a person, such as email@example.com. When email arrives at the address, the system creates a new inbox and stores the email until claimed or two days have passed.
- Send Email Message (send-email.org). The opposite of Mailinator, Send-Email Message provides anonymous delivery of email. Email recipients cannot respond to it, and the email is not stored on any server.
- MyKolab (mykolab.com). Running out of Switzerland for 11 years, MyKolab provides a secure email and calendar framework where your data is completely isolated, even from administrators. It costs $10 per month, but the Swiss have the best security and privacy laws in the world.
Security is a trade-off. If you have the discipline and ability to sacrifice some of the luxuries of the Internet, a relatively private and secure digital island can be created. As people learn of the threats to privacy, your ability to demonstrably secure client information will become an appreciated selling point. If you are comfortable with the status quo, explore the tools and become familiar with their capabilities. While their day-to-day use may not be in your future, they may be for a potential client.
FTC Report on Online Privacy Adoption and Enforcement, ftc.gov/os/2010/12/101201privacyreport.pdf
Wall Street Journal, “What They Know” (online.wsj.com/public/page/what-they-know-digital-privacy.html)
Lincoln Mead is the IT Director of the Utah State Bar and serves on the ABA TECHSHOW planning board. He is a frequent guest speaker on information security and technology management.