Web Anonymization Techniques 101
“Anonymity is a shield from the tyranny of the majority.” -Jean Paul Stevens, former Associate Justice of the Supreme Court of the United States
I get it. You want to surf the Web anonymously and keep your true identity private. I think many people share that same vision. Why isn’t there like a little incognito button on your browser that actually does make you incognito to the entire internet, right? But how do you achieve anonymity when it seems like the system is rigged against you? Governments, Big Tech, and advertisers do everything they can to inject methods of digitally fingerprinting users on the internet. Nonetheless, you’ve come to the right place friends. I’ll do my best to humbly and knowledgeably steer you around some of the pitfalls that can unmask your online identity while attempting to not get too technical for average users to understand.
There isn’t a week that goes by that I don’t get questions from someone who is looking for information or tips on how to anonymize their Web browser activity and which tools and techniques do what. So, there’s no doubt in my mind that its a popular topic of interest but I’ve also been professionally employed in the information security and digital forensics space for a long time. So, I also know that there’s a lot of misinformation out there that confuses the hell out of people. I’ll tell you upfront that perfect anonymity is unachievable in terms of today’s internet technology and monitoring. Go ahead and close your browser tab and heck, just take the extra steps of turning off your computer and throwing it in a ditch if you thought that was what you were going to get by reading this article.
Listen, everything you do online leaves tiny digital breadcrumbs that skilled digital forensics investigators and anyone knowledge in Open-Source Intelligence (OSINT) techniques can trace back to you given enough time and resources. Your goal is to be as anonymous as possible so that no one else can easily determine your identity. Never 100% anonymous though, that is impossible to achieve even for the most well-resourced internet users. Fortunately, however, this is a topic I have studied and written extensively about in my Becoming Virtually Untraceable series among other articles.
First, allow me to briefly explain the subtle differences between anonymity, privacy, and security which are all interrelated and mutually supporting but which are also separate concepts.
Anonymity is the condition of being anonymous which is to say that others don’t know your identity.
Privacy is the state or condition of being free from being observed or disturbed by other people. Privacy is your ability to control the personal information others can access about you.
Security is the state of being free from danger or threat; something that secures or protection such as measures taken to guard against espionage or sabotage, crime, attack, or escape.
Digital privacy is not about ditching all forms of modern technology. It’s getting the tech to work in your favor so that you, the user, have control over your personal information. Being a major proponent of online privacy and having authored several articles on improving online privacy, I think many people get wrapped around the axle when it comes to this murky topic. So much information has been published on the topic of privacy and there is no shortage of “experts” who are eager to give their opinions like me I suppose. What makes me different than any of them? Nothing really, but I’ll admit I don’t have anything to gain from publishing this information. I offer it purely for your awareness. For the average internet user, privacy and anonymity are the least of their concerns. They just want to get online as fast as possible and find what they’re looking for.
For others though, they want more tools and techniques that they can use to remain anonymous and private online. So, I thought it was finally time put together a basic Web anonymization techniques guide on Web anonymization techniques, just an introductory level piece. I’m going to keep it basic intentionally to not get too far down into the weeds. I don’t want to alienate basic internet users. Perhaps sometime later I’ll do a 201 article for intermediate users and a 301 article for advanced user techniques. For today, however, let’s focus on the basics of Web anonymization.
Conflating Anonymization With Privacy
Anonymity is not the same as privacy which is not the same as security. It is a sort of cascading effect. For us to achieve privacy by way of anonymity, we must first have information security implemented. Encryption, database table obfuscation, the ability to use handles and aliases is just the tip of the iceberg here.
The #1 rule of the internet for those who are privacy-conscious is not technical at all. It is to never willingly post anything personally identifiable about yourself like your real name, date of birth (DOB), phone number, social security number (SSN), home address, or other personally identifiable information (PII) or personal health information (PHI) details on social media sites, chat forums, or anywhere else online. Even selfie photos or pics of your kids with Aunt Edna can reveal precious location details if not directly visible in the photo itself, then possibly with metadata. Well, that’s nearly impossible to do these days you’re probably thinking. We have to give some real info if we want to receive our packages in the mail or to do online banking, etc. Of course, what I am referring to more so is the optional stuff we do online. It’s all optional really if we want to get technical. We aren’t required to use the internet but it has made life so much better in a lot of ways. Understandably, people want to use it for all the features and benefits it offers. What about our privacy though? Since when did it become internet-use OR privacy? That is a story that goes back decades actually and tech companies have angled themselves to be on the profitable side of that equation just like it is trying to do in 2020 with charging customers a fee to use the product customers already bought. It’s how tech companies stay rich forever. Think of it as their job security plan that is ultra inflation-proof.
However, I think it’s safe to estimate that most internet users aren’t aware of the fact that each website they visit installs cookies on their browser to track their activities, some of which track them onto other websites also and for other functions they use their devices for. Seem absurd? Who gave these tech companies that created this technology, these apps, and services, to become data collectors in this way? This is a classic example of technology innovation moves a lot faster than regulation does. By the time the U.S. Congress bolsters the collective motivation to address this issue after being poked, prodded, and called out by name by their constituents, tech companies will already have spent millions in lobbying against privacy laws that would hurt their businesses and will have already developed other technology that collects that same information in a different, more subtle manner that isn’t as transparent to users but all the while ensuring that it’s agreed to in their Terms of Service (ToS) and Privacy Policy. That ladies and gentlemen is how the tech game is played. Do not expect it to change because some folks like send strongly worded tweets or published detailed articles about the profiteering by tech companies off of our private user data. It’s going to take something a lot bigger, a massive movement to overturn the power and influence that tech companies maintain.
All of those details can be used by skilled hunters to track down your physical location. Regardless of how careful you are with not using your real information online, however, the computers and devices we use to connect to the internet are telling another story because the websites, applications, and services we use online are specifically coded to extract various types of user information and performance or telemetry data.
Telemetry and Metadata
Internet Service Providers (ISPs) like Time Warner Cable, Comcast, Frontier Communications, AT&T, and Tech companies like Google, Facebook, Apple, Amazon, Twitter, and even app companies like TikTok collect information about the users of the devices connecting to their services such as IP address, your device’s physical MAC address, browser, and operating system type, and even the mobile device international mobile subscriber identity (IMSI) that uniquely fingerprints each user on the network stored as a 64-bit field. This is called telemetry data and it is also Big Data because we are talking about billions of users on the Web being tracked simultaneously. Imagine the infrastructure that is required to achieve and sustain that level of data processing and collection. It boggles the mind.
“Telemetry is the automatic recording and transmission of data from remote or inaccessible sources to an IT system in a different location for monitoring and analysis. Telemetry data may be relayed using radio, infrared, ultrasonic, GSM, satellite or cable, depending on the application (telemetry is not only used in software development, but also in meteorology, intelligence, medicine, and other fields). In the software development world, telemetry can offer insights on which features end users use most, detection of bugs and issues, and offering better visibility into performance without the need to solicit feedback directly from users” (Stackify, 2020).
Web Browser Options
There are several browsers you can choose to use to access the internet, each with their own unique advantages and disadvantages when it comes to security, privacy, anonymization, as well as other factors like speed and system memory paging virtual resources. For instance, despite its overwhelming popularity, Google Chrome is a memory hog, super-intensive browser, and will slow your system performance considerably with each new browser tab you open. That’s the same to varying degrees for any Web browser though. Additionally, certain browsers are only compatible with certain operating systems like Safari being the default browser for iOS devices and Macs. Other browsers like Opera, Firefox, Chrome, Chrome, Brave, and Edge (i.e., Microsoft’s replacement for IE) are cross-platform and work on most operating systems and devices. I am not here to give you a complete rundown on which of these browsers is better than the others. If anonymity is what you’re after, then you should probably use Tor but even that browser doesn’t offer perfect anonymity as the FBI has repeatedly demonstrated its ability to exploit.
Note: Per Microsoft, “support ended 1/12/16 for Internet Explorer (IE) 10 and older. Security updates, compatibility fixes, and technical support continues for IE 11 on Windows 7, 8.1, and 10.” If you’re looking for anonymity online, IE is not it. Look elsewhere.
Internet Search Engines
Using an internet search engine like Google, Yahoo, Bing, or Baidu routes all of your intimate searches straight to the company that owns that search engine. This is only one method these companies use to collect data about internet users to put it in simplistic terms. There are several others. They call it terms of the services they provide but think about that for a minute… If you don’t have any other way to perform an information search and all you know or can remember is Google.com, then you’re kind of limited, right? They kind of have you by the short hairs I would say. But it’s not just your search details or HTTP request which
“…contains details about the browser and the computer making the request, such as the hostname, the browser type, referrer, and language. In addition, the [Document Object Model] DOM of most browsers provides access to more detailed browser and system information, such as Java and Flash support and screen resolution. Analytics uses this information in constructing reports like the Map Overlay, Browser, and Referring Sites reports. Analytics also sets and reads first-party cookies on your users’ browsers in order to obtain user session and any ad campaign information from the page request. The Google Analytics Tracking Code also reads the DoubleClick cookie to get information about the Display Features” (Google, 2020).
So, as you can see it’s not an insubstantial amount of information being collected and tracked. But that’s just Google and that’s just a search request performed on a laptop or desktop computer. If we’re talking about mobile devices, there are other types of information collected which uniquely fingerprint the user.
The fewer Web browser extensions you have, the better. Less attack surface for attackers to exploit aside from your already large attack surfaces of your browser, OS, and every other application you have running on your system that you haven’t updated in who knows how long? A few good anonymization and privacy-related browser extensions that I recommend installing are: uBlock Origin, Panopticlick, and Privacy Badger.
“But, but, I use Google for everything!!” Stop doing that. Internet users who use every Google product/service are heavily tracked by the tech giant.
Privacy Tools
If you haven’t paid a visit to the Electronic Frontier Foundation (EFF), it is a good one-stop source for data privacy information and some free tools that you should check out and use.
Privacy Badger
Privacy Badger, according to the EFF’s website is, “a browser add-on that stops advertisers and other third-party trackers from secretly tracking where you go and what pages you look at on the web. If an advertiser seems to be tracking you across multiple websites without your permission, Privacy Badger automatically blocks that advertiser from loading any more content in your browser. To the advertiser, it’s like you suddenly disappeared” (EFF, 2020). You’ll need to download it, install it on your browser, and enable Do Not Track. You control which websites you want to allow cookies on because some websites won’t allow you to access them without browser cookies. That’s a personal privacy decision you’ll have to make for yourself for which websites you allow to collect data on you or not.
Panopticlick
Panopticlick is a tool developed by EFF that tests your browser and add-ons to determine their effectiveness at protecting you against tracking. Just click on the “Test Me” button and Panopticlick will produce a short-form report displaying the results of how well your browser blocks trackers. For a more detailed version of the report, click the “Show full results for fingerprinting” option below it. The results may not be 100% accurate based on what you know to be “true” about your browser, but ‘truth’ is a relative term anyway. What you don’t know can hurt you. Your so-called privacy-themed browser may, in fact, not be private at all. You may have to tweak your browser’s privacy settings and re-test it with Panopticlick to get the desired level of anonymity. We each have our personal threat models. Just remember that the more secure and anonymous you make anything, the less functional and practical it becomes for normal use. This is the security and/or privacy paradox.
uBlock Origin is another good browser extension supported by multiple browsers that I also recommend using to block cookies. It’s free and open-source that is specifically designed for content-filtering and adblocking. Adblock Plus, Ghostery, AdGuard are some other add-ons you can substitute if you like but less is more. Don’t add too many
Tor & Virtual Private Network Web Proxies
Virtual Private Networks (VPN)
VPNs do not provide anonymity [or security]. They do, however, help somewhat with privacy. VPNs are essentially web proxy service.
1. VPNs hide your internet traffic from your ISP from your device to the first destination website. That’s it, no more.
2. VPNs allow users to access geographically-restricted internet content by allowing users to change their IP address they connect from to an entirely different country or region. Netflix users know what this means.
3. VPNs provide a measure of privacy when using public WiFi at coffee shops, hotels, restaurants, retail malls, etc.
They do not provide added security though you could make an argument that a point-to-point encrypted tunnel between your device to a destination site is more secure, that often is not the case. If you want a more thorough explanation of how VPNs work, I wrote a piece about them here.
*It’s important to also share that there are lots of VPN companies and proxy services that don’t do what they advertise. So, you’ve got to either find one you trust (e.g., a VPN from privacytools.io) or attempt to set up your own VPN or web proxy server which is easier than you might think but most internet users do not want to fuss with it. You’ve got to choose a good VPN provider that you can trust or run your own VPN server which is a topic article all on its own. ProtonVPN, Mullvad, and IVPN are good, non-U.S.-based VPN options that privacytools.io recommends.
The Onion Router (Tor)
Tor is how you connect to the Dark Web but you don’t have to use it to visit encrypted websites on the Dark Web. You can surf the surface Web using Tor also and be comforted in the fact that your IP address is proxied and the metadata stripped to the extent possible. Again, if anonymity is your objective online then a browser using Tor is your best option at this time. It’s not perfect anonymity, however, as previously mentioned because like a VPN, if an organization (e.g., Google) or government agency (e.g., the National Security Agency) has the resources to monitor all traffic going into Tor nodes, then it can also track users coming out of Tor exit nodes.
While we like to think that Tor and the Dark Web are completely safe from prying eyes, that is far from the truth. The Dark Web is not as fancy as the media and Hollywood makes it out to be. It was developed by the U.S. Navy in the mid-’90s for government spies to communicate securely but was eventually open-sourced in 2004 (Sigalos, 2018). It’s a decentralized web of approximately 7,000 or so encrypted websites (perhaps substantially more now), some of which are hidden services that may only be accessed with a login and password.
Tor is going to keep you safe from all but state-level actors/agencies who have the resources to unmask your true IP address using sophisticated Tor exploit techniques. So, if you’re not doing anything illegal on the surface Web, or Dark Web, then the fear of Tor exploits shouldn’t be a major concern factor for you unless such time as government agencies the world over begin to use them to unmask Tor users for ordinary purposes. As of right now, in 2020, there is zero evidence that is happening. We’ve seen the FBI use a Carnegie Mellon developed Tor exploit to unmask visitors of a Dark Web child porn site, but that’s about the extent of Tor exploits (Franceschi-Bicchierai, 2015). Think what you will about the FBI, my opinion is that they did a good thing by taking the site down and unmasking some of the pedophiles who they went after with the cooperation of Interpol.
Should widespread Tor exploits start occurring you can rest assured there will be collective efforts within the Tech community to quickly address it. Just to put it context, once a law enforcement organization (LEO) or Intelligence Community (IC) agency obtains an internet users’ true IP address, it is trivial for them to then obtain your home address or the address where the connection took place from the ISP.
Tor Bridges
Knowing when to use a VPN in combination with Tor and when to just use a Tor bridge is more important than many internet users may realize. There are a couple of different schools of thought on it for different use case scenarios. For instance, if you’re using Tor to perform cryptocurrency transactions then the VPN may allow for a ‘money trail’ that can be used to trace your transactions back to you. I don’t know what you buy with cryptocurrency but I am assuming you probably want to keep that private.
However, if you’re using Tor to browse the surface or Dark Web with, then you’re fine with connecting to it from a VPN but understand that connecting to Tor using a Tor bridge accomplishes the same task of hiding the fact that you’re connecting to Tor from your ISP. If you’re blocked from connecting to Tor by an ISP or corporate IP blacklist, then you could either use a Tor bridge or a VPN to circumvent. With a VPN, you could be introducing unnecessary risk to your Tor usage. If a Tor entry node is compromised, however, then a VPN would protect it from being to identify your true IP address. Think about that for a second though… Do you really think that the kind of organizations with the resources to compromise Tor entry nodes are going to have an issue deanonymizing the $5/month VPN service you’re using on top of Tor? I think not. ProtonVPN made a graphic that visualizes how their VPN over Tor would look.
A user would have four different layers of encrypted proxies. It is not necessarily a bad thing to combine Tor over VPN but users should understand the risks involved. How well do you trust that your VPN is not collecting and reporting your browser history? What are the odds that the Tor exit node has been compromised or that the owner of the Tor exit node is not collecting IPs? In information security, this is what is known as risk mitigation. Is it an acceptable risk to you or not depending on your personal threat model?
There are entire Linux-based operating systems that users can install such as I2P, Tails, Qubes, or Whonix that provide varying degrees of anonymity to users. However, for many basic internet users it is too involved or too complicated for them to download, install, and configure a Linux-based OS on their own without technical assistance. There are some good tutorials and guides on how to do so if you desire to but your Web anonymity has less to do with your OS and more to do with other things like your Web browser and your user activity. Essentially, all of these privacy-themed operating systems use Tor to connect to the Web anyway.
Command Line Interface (CLI)
Proxychains
If you’re a Linux user then chances are you a bit more advanced with your knowledge of computers, but Linux is becoming more commonly used by non-IT folks. Proxychains is a built-in feature that can be utilized from the command line add layers of proxy IP addresses to your anonymity to sites you visit. The way to use it is to add the command “proxychains” before each task such as:
$ proxychains nmap 192.168.1.1
Essentially, the command tells the system to anonymize our Nmap port scan for that specific IP addresses instead of using our true IP address. Why would this be important? The hosts you scan will log the IP address of the system scanning them, so it’s a good idea not to leave any tracks.
If you’ve downloaded Kali Linux as I’ve shown here and run it in a virtual machine (VM) using Oracle’s VirtualBox, both free by the way, you can easily navigate to the apps menu and select 10 — Post Exploitation, then select Proxychains to open a terminal with proxychains ready for use but you must be logged in as root for it to work properly.
After we used the ‘sudo’ command, it will prompt you to enter the root user password. Once you’ve done that, hit Enter and your proxychained Nmap scan will begin.
Even from the Linux CLI we can achieve some level of anonymity fairly easily.
Mobile Devices
Encryption is not only a critical component of information security but also privacy and anonymity. For the best anonymity on mobile devices, it is best to use End-to-End Encrypted (E2EE) apps like Signal to communicate and the Tor app to browse the internet. All other applications you download and install or that come with phones are potential attack surfaces that must be updated regularly, along with the device’s OS. Otherwise, it doesn’t matter what lengths you go to anonymize yourself online. Your always one software app exploit from full identity exposure depending on what other information is stored on your phone.
Physical Anonymity Hacks
Your webcam can be an open video portal to whatever is going on in your home. Take a piece of duct tape or buy a cheap webcam cover. You can also disable the webcam in your device manager settings if it’s not something you use regularly. Or, you can do as I do and just not connect a webcam to your computer at all. If you’re using a laptop with a built-in webcam then I recommend just buying a webcam cover for a few dollars.
In conclusion, when it comes to anonymization, your best defense is going to be limiting what information you freely give away online on the various websites and social media sites you visit. Other anonymization tools and techniques can be used to help anonymize your activity. However, I hope that now I have helped you understand that the infrastructure of the internet, a substantial portion of which is owned by Tech corporations like Google, and the ancient internet protocols that are still used today make total anonymity next to impossible to achieve. These techniques and tools will help you gain some anonymity but you will not be anonymous. Now go forth and do good things. Be kind to one another both online and in the real world.
Additional Resources:
References:
EFF. (2020). Privacy Badger. Retrieved from https://privacybadger.org/
Franceschi-Bicchierai, L. (2015, July 15). The FBI Hacked a Dark Web Child Porn Site to Unmask Its Visitors. Retrieved from https://www.vice.com/en_us/article/mgbygy/the-fbi-hacked-a-dark-web-child-porn-site-to-unmask-its-visitors
Google. (2020). Google Analytics. Retrieved from https://developers.google.com/analytics/resources/concepts/gaConceptsTrackingOverview
Sigalos, M. (2018, April 14). The dark web and how to access it. Retrieved from https://www.cnbc.com/2018/04/13/the-dark-web-and-how-to-access-it.html#:~:text=Tor%20stands%20for%20%E2%80%9Cthe%20onion,to%20anonymously%20surf%20the%20internet.
Stackify. (2020). Telemetry. Retrieved from https://stackify.com/telemetry-tutorial/
