Some might say that the Internet was built on anonymity, paving the way for a place where free speech reigns supreme.
But after former NSA contractor Edward Snowden leaked documents that detailed the agency’s surveillance programs, many of which included Internet-based technologies, privacy on the Web is a more popular topic than ever. But it’s not just about government spying; it’s also about how much big companies like Google, Facebook, and Microsoft have collected about you in order to serve up targeted ads.
Though the social-networking age has led to a culture of oversharing, the Snowden revelations have prompted some to consider how best to stay anonymous online. Even Facebook, where you’re “required” to use a real name, is toying with the idea of letting users post things anonymously, Mark Zuckerberg told Bloomberg in a recent interview. That came several months after he said the feds “blew it” in communicating with Americans about their surveillance programs, and if Zuckerberg thinks the spying pendulum has swung too far …
But some activists are not content to wait for the NSA, Zuckerberg, or the White House to take action. Tuesday, Feb. 11 has been designated as The Day We Fight Back (against mass surveillance). It comes two years after a major online “blackout” helped to stop the SOPA and PIPA legislation, and will also serve to honor the memory of the late activist Aaron Swartz. This time, organizers are asking sites to display banners, social media users to change their profile pictures, and all Web users to push their legislators to oppose the Foreign Intelligence Surveillance Act (FISA), which gave the U.S. government such broad (and some say illegal) powers.
But how do you take back control of your own personal privacy online? Is it even possible? One 2013 Pew study reported that 60 percent of Americans have given up on that idea entirely. Ultimately, the only way to stay truly anonymous online is to not go online at all. Since that’s not really an option for most of us, here’s a rundown of what you can do to minimize the spying, the targeted advertising, and ID theft as you explore the world online.
Phone Call Confidentiality
If you want to be anonymous, forget the smartphone. The big-name OS makers are big-name control freaks (Apple) and big-name ad servers (Google). If you want to be anonymous on a phone, your only choice is a prepaid phone, a.k.a., a burner.
Even with a burner, call records exist, and you could be triangulated via GPS. But the upside of a burner is not having your real name associated with the device. And as you see in the movies, you can always throw the phone into a passing truck and lead whoever might be tracking you on a merry goose-chase.
Build the Firewall
Is your desktop or laptop computer connected directly to a broadband modem? That’s a very bad idea. Hackers are constantly bombarding such IP addresses to see if they can get onto a system. You should always have a router on your home network that can mitigate that with its built-in firewall. Plus, you need the router for sharing the Internet connection, and probably for Wi-Fi. (Some ISPs’ modems come with a built-in router, so that should keep you covered.)
You should also have firewall software installed on your PC. Windows 7/8 comes with a pretty decent solution called, you guessed it, Windows Firewall. However, third-party firewall software goes the extra mile and protects you from outbound problems—specifically, software programs that abuse your Internet connection, sending out information you don’t want to share. You can find firewalls as part of suites like Norton Internet Security, but you don’t need to pay: check out PCMag’s list of The Best Free Firewalls. Once you’ve got the firewall installed, use Steve Gibson’s ShieldsUP! to check for open, or vulnerable, ports on your system.
Sleuth Your Own Stealth
What does your computer (or tablet or smartphone for that matter) give away about you when you visit websites? At the very least, the site knows your IP address (and that’s necessary, otherwise you’d get no results). In most cases it also knows your approximate physical location (by checking where your ISP supplies those IP addresses—see it in action at IPLocation), and probably your time zone and what language you speak—all good info for advertisers. Your browser can also report on your operating system, browser type, and what versions of software you run for browser plug-ins like Java, Flash, and Silverlight.
If you don’t believe it, go visit Stay Invisible for a full report, though the site isn’t completely altruistic: it wants to sell you a virtual private network (VPN), which we’ll explain later on.
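What a site can read from the request itself, before any script runs, as an added example that is not part of the original article. The function names, the matching rules and the sample request are constructed for illustration; time zone and plug-in versions are read by script inside the page and are not covered here.

```javascript
// "en-US,en;q=0.8,de;q=0.6" -> language tags ordered by stated preference.
function parseAcceptLanguage(header) {
  return (header || '').split(',')
    .map((part) => {
      const [tag, ...params] = part.trim().split(';');
      const q = params.map((p) => p.trim()).find((p) => p.startsWith('q='));
      const weight = q ? parseFloat(q.slice(2)) : 1;
      return { tag: tag.trim(), weight: Number.isNaN(weight) ? 0 : weight };
    })
    .filter((l) => l.tag && l.weight > 0)
    .sort((a, b) => b.weight - a.weight)
    .map((l) => l.tag);
}

// Order matters: Android agents also say "Linux", iOS "like Mac OS X", Chrome "Safari".
const OS_RULES = [
  [/Windows NT 6\.1/, 'Windows 7'], [/Windows NT 6\.[23]/, 'Windows 8/8.1'],
  [/Windows NT/, 'Windows'], [/Android/, 'Android'], [/iPhone|iPad/, 'iOS'],
  [/Mac OS X/, 'macOS'], [/Linux/, 'Linux'],
];
const BROWSER_RULES = [
  [/Firefox\/([\d.]+)/, 'Firefox'], [/(?:MSIE |Trident\/.*rv:)([\d.]+)/, 'Internet Explorer'],
  [/Chrome\/([\d.]+)/, 'Chrome'], [/Version\/([\d.]+).*Safari/, 'Safari'],
];

function firstMatch(rules, ua) {
  for (const [re, name] of rules) {
    const m = re.exec(ua);
    if (m) return { name, version: m[1] || null };
  }
  return { name: 'unknown', version: null };
}

// Everything returned here arrives with an ordinary page request.
function siteView(request) {
  const h = request.headers, ua = h['user-agent'] || '';
  return {
    ip: request.remoteAddress,
    languages: parseAcceptLanguage(h['accept-language']),
    os: firstMatch(OS_RULES, ua).name,
    browser: firstMatch(BROWSER_RULES, ua),
    sentCookies: Boolean(h.cookie),
  };
}

const SAMPLE_REQUEST = { // constructed sample, not captured traffic
  remoteAddress: '203.0.113.25', // RFC 5737 documentation range
  headers: {
    'user-agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 ' +
      '(KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36',
    'accept-language': 'en-US,en;q=0.8,de;q=0.6', cookie: 'sid=constructed',
  },
};
console.log(siteView(SAMPLE_REQUEST));
```

A private-browsing window sends the same User-Agent and Accept-Language headers; only the stored cookies are missing.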
First, make sure your browser isn’t storing too much about you. In the settings menu, turn off the ability for the browser to store the passwords you use to access websites and services. That can be a pain, as you should have a different password on every service you use, so an alternative is to use a password manager.
Browsers also store things like images, surfing history, and what you’ve downloaded, as well as cookie files, which can remember helpful things like settings and passwords. Obliterate that info occasionally—in Chrome, IE, and Firefox, you can type Ctrl+Shift+Del to get a pop-up that helps you get rid of them. Use a product like CCleaner (Windows and MacOS) or SlimWare Utilities SlimCleaner (Windows only) to nuke these files for all the browsers you run.
Major browsers also have anonymous surfing modes. In Google Chrome it’s called Incognito (Ctrl+Shift+N to access); in Firefox it’s Private Browsing and in Internet Explorer it’s InPrivate browsing (Ctrl+Shift+P for the latter two). That will prevent the browser from saving info on pages visited, whatever you search for, passwords, cookies, downloads, and cached content like images.
There are also a number of browsers that bill themselves as privacy-focused. Of course, they all use the same rendering engines as the big names, especially Google’s Chromium engine, but the difference is the browsers don’t share any info with Google. Examples include Comodo Dragon, Comodo IceDragon (based on Firefox), and Dooble. You should also start using a different search engine than Google, Bing, or Yahoo, all of whom want to sell, sell, sell you. Instead, try DuckDuckGo, a search engine that doesn’t track you or sell your info, they promise.
Keep in mind, using stealth modes and special browsers doesn’t make you completely anonymous on the Web, but it does prevent sites from writing info to your computer, including cookies, which can later be read by other sites to figure out your browsing habits.
Proxies and VPNs and Tor, Oh My
The way to ensure outsiders don’t gather information about you while you’re browsing the Web is to appear to be someone else, in a different location. This requires a proxy server and/or a virtual private network (VPN) connection. With the right combo, you can not only be anonymous, but surf sites in other countries as if you’re a native.
VPN services are everywhere. They have the advantage of not only securing the traffic between your computer and servers, but also masking your IP address and location. For example, by connecting through my work VPN, sites believe I’m at corporate HQ, even though I work from home.
VPNs also double as a way to get access to location-blocked content—if you are in a country that can’t get the BBC iPlayer or Netflix, for example, a VPN could be your ticket.
They range from super simple and free (albeit ad-supported), like HotspotShield (see our list of Free VPN Services for more) to high-end subscription services like HideMyAss Pro (which is offered by the same folks behind Stay Invisible) for $11.52 a month, or SurfEasy Total for $4.99 and up a month. All three work for Windows, Mac, iOS, or Android.
No discussion of anonymity online is complete without mentioning Tor. The name comes from once being the acronym for “The Onion Network”—the implication being there are many layers of security offered. Tor is a free network of tunnels for routing Web requests and page downloads. It’s supposed to make it impossible for the site you access to figure out who you are. But does it?
The NSA’s spying controversy included what some thought was a workaround to ID users of Tor. But it wasn’t that simple. As explained by security expert Bruce Schneier in The Guardian, the NSA actually monitors what’s called the Tor “exit nodes”—they could tell users were using Tor, but not who the users were. By setting up a “man in the middle” attack, the NSA would pretend to be the site the user wanted (Google, for example) and could send data back to the user that would take advantage of exploitable holes in the browser—not a hole in Tor.
The lesson there: keep your browsers up to date, or use one of the previously noted anonymizing browsers.
Guess who else has an anonymizing browser? Tor, that’s who. Tor has an entire browser bundle for Windows (run it off a flash drive to take with you), MacOS, or Linux. If you want to stick with the traditional browsers, just get the Tor Bundle for those same OSes to get anonymous. There’s also a Tor Browser for iOS and Tor’s own Orbot proxy app for Android.
If you’re really, really paranoid, go to TRUSTe and check out the huge directory of sites that have earned its seal of approval for upholding “TRUSTe’s high standards for best privacy practices.” This means that the site has a good privacy statement and promises to do right by customer data and not pass it around. A lot of the “trusted” sites are e-commerce related, but, apparently, you can trust big media sites, such as Disney, The New York Times, and Facebook, among others. Then again, that doesn’t mean much if those sites are hacked and your info goes out the proverbial window.
As of this month, TRUSTe’s privacy index says consumer concern levels are at 9.2 out of 10. Imagine that.
As nice as it is to remain anonymous as you surf, it is far more essential for your email to go unnoticed if you want to avoid spam or surveillance. The problem is, email simply wasn’t built with security in mind.
There are secure email services, of course, which use encryption to scramble what you send and require the recipient to have a password that decrypts what you send. Edward Snowden used a service known as Lavabit, which was so secure that the government insisted that it hand over the private keys of users. Lavabit complied, but to its credit, immediately shut down to protect its customers. Silent Circle did the same (not to mention law blog Groklaw). So be aware that just because you use such a service doesn’t mean it can’t be compromised.
If you want a Webmail service that’s going to handle encrypted messages, MyKolab comes highly recommended. With a data center in privacy-minded Switzerland, the service charges $10 a month, but it keeps all your email and calendar info secure from search. HushMail is another private email provider with services for business ($5.24 per user per month) and individuals (free on up), but in the past it has actually handed over some records when ordered by a Canadian court.
You might think your Gmail account is safe, since you see that lock icon on the browser, and access it with a secure sockets layer (SSL) connection (indicated by the https:// in the URL). But SSL only encrypts data as it is transferred from your device to the server. Google still needs to read your email a little bit because of the advertising it places on Gmail. And that is always going to be a problem with Web-based services, be they from Google, Yahoo, Facebook, or Microsoft.
That said, there are tools to encrypt Web-based email. Streak makes a Google Chrome extension called SecureGmail that does the job, asking you for a key to encrypt sent messages. The recipient will be prompted to also install SecureGmail. You give them the key and you’ve got end-to-end encryption. Mailvelope is another extension (for Chrome and Firefox) that will secure Gmail, Outlook.com, and Yahoo Mail.
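The shared-key model described above, as an added example that is not SecureGmail’s or Mailvelope’s code: the message is encrypted before it reaches the webmail page, so the provider stores only ciphertext. The function names, the passphrase and the choice of scrypt with AES-256-GCM are assumptions made for this example (Node.js).

```javascript
const nodeCrypto = require('node:crypto');

// Both people agree on the passphrase out of band; the mail provider never sees it.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32); // 256-bit key
}

// Encrypt before the text is pasted into the webmail compose box.
// Output format (constructed for this example): salt.iv.tag.ciphertext, base64.
function sealMessage(plaintext, passphrase) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every message
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return [salt, iv, cipher.getAuthTag(), body].map((b) => b.toString('base64')).join('.');
}

// Recipient side: a wrong passphrase or any altered byte makes final() throw.
function openMessage(sealed, passphrase) {
  const parts = sealed.split('.');
  if (parts.length !== 4) throw new Error('not a sealed message');
  const [salt, iv, tag, body] = parts.map((p) => Buffer.from(p, 'base64'));
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}

// Same as openMessage, but returns null when the message cannot be authenticated.
function tryOpen(sealed, passphrase) {
  try {
    return openMessage(sealed, passphrase);
  } catch (err) {
    return null;
  }
}

// Constructed demo values.
const sealed = sealMessage('Meet at noon', 'constructed shared passphrase');
console.log('what the provider stores:', sealed);
console.log('recipient with the key:  ', tryOpen(sealed, 'constructed shared passphrase'));
console.log('anyone without the key:  ', tryOpen(sealed, 'a guess'));
```

The connection to the provider is still SSL-protected as before; the difference is that the body arriving at the server is already unreadable without the passphrase.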
Perhaps the smart move is to eschew Web-based mail and stick with desktop clients like Thunderbird or Outlook. For example, the Hushmail for Outlook add-on lets you use a HushMail account with the commercial software. Outlook 2007 and up has some built-in encryption tools, while Thunderbird for Windows has add-ons to handle message encryption/decryption such as Enigmail.
Of course, the NSA can apparently break just about any encryption. But if you’re not trafficking in Snowden-level secrets, you’ll probably be OK.
Avoiding Spam, Spam, and Spam
Beyond the obvious things, like never, EVER clicking on a link in a spam message (or even opening a spam email), the best way to avoid spam is to never let spammers get your address. It’s almost impossible, but there are methods to mitigate.
Number one is to use an alias or dummy email, which can be used with any service that requires an email address. You might be able to set one up if you own your own domain name. In Google Apps, for example, you have your primary address, like email@example.com, but there’s the option to use William@yoursite.com as an alias for online sign-ups, messages to which can be forwarded to the main address. When spam begins to collect, change or kill that second address; there can be up to 30 aliases per individual.
Gmail is a little more straightforward: to make an alias, you just append something to the user name. Turn firstname.lastname@example.org into email@example.com. Once the alias in question accumulates spam, you can filter it right into the trash.
In Yahoo Mail, there are Disposable Addresses (under Settings > Security), which are similar to those used by Google—there’s a base name then a secondary keyword appended, like firstname.lastname@example.org. Outlook.com also supports aliases, up to 10 per account. Look for “Account Aliases” under the Account settings, to create any—they can also end in “Hotmail.com” or “live.com.” And if you have your own domain name, check the control panel at your Webhost—they’re likely to have tools for creating aliases galore.
Social (Network) Security
Should you care about security when it comes to social networks like Facebook? One word: Duh. Facebook isn’t exactly an altruistic non-profit; it gets its money by having lots of users looking at ads. That sometimes means making your data available to questionable entities. Plus, you might not want every one of your “friends” or their extended networks to know all of your business, right?
There are several steps you can take to regain some Facebook anonymity. First, on a desktop, go to the Account menu in the upper right and select Settings, then click Privacy on the left. You’re going to want to click the “Edit” link on every choice on this page to personalize just who can see what, who can friend you, even who can look you up by phone number or email address. And you can make sure your posts are not spidered by search engines. You can get as granular as you want, making sure, for example, that old boyfriends or girlfriends don’t see your posts—even the old posts.
Also under Timeline and Tagging, you can ensure that you don’t get tagged in images or posts without your express permission. The Blocking section is where you can create the Restricted List of your friends who can see your content, and also block users, apps, and invites you don’t want.
Finally, double check your contact info. Go to your General Account Settings, and again click “Edit” next to every entry. Double check the email address and phone numbers you’ve entered. Minimize the list as much as possible to maximize anonymity.
If you need out of Facebook entirely, you should delete the account. Deactivating it leaves your data on the site for your potential return.
Go to: https://www.facebook.com/deactivate.php and follow the instructions. It’ll deactivate your account for two weeks, just in case you really, really, really didn’t mean it. After that, it’s gone. However, even then, some digital photos may linger. For more, check out How to Delete Accounts From Any Website.
On LinkedIn, go to the Settings icon of your face in the upper right and select Privacy & Settings. In the center, under the Profile tab, you’ll see Privacy Controls.
What about Twitter? There’s the obvious: don’t list your website or real email in your profile. Make sure your password is different from that of any other site. That’s good advice across the board, but we know people don’t follow it. You should with Twitter, which has had some security breaches in the past. You also have the option, under Settings > Security and Privacy, to protect your tweets, meaning only those you approve get access to them. Protected tweets aren’t searchable, aren’t retweetable, and you can’t share permanent links to them with non-approved followers.
That said, you’re fooling yourself if you think using social networking (or making any post online) is 100 percent safe—all it takes is an “approved follower” to take a screengrab of something you say and share it with the world for it to get out.
Companies like Facebook, Microsoft, and Google are well on their way to creating “cookies 2.0”—files placed on your device by the browser to track what you’re doing in a way that makes today’s cookies look like they were made with an Easy-Bake Oven. Google’s existing “Advertising ID” on Android devices, and Facebook’s Atlas ad network/cookie tracker both take advantage of one major exploit: the fact that most people never log out of their services. Ever. Facebook, for example, knows whenever you hit a site that has a “Like” button. So if you want less tracking, sign out of the social media services when you’re not using them.
(article by E.Griffith)