Staying Anonymous Online – How to Keep Your Privacy Protected on the Internet

Why You Should Care

Have you ever wondered how websites like Facebook can afford to be free? That’s because Facebook isn’t the product. You are the product being sold.

These websites track you and build up entire profiles about who you are. See the attached infographic from http://www.backgroundcheck.org/.

You are being tracked online, everywhere.

Even on this blog. I use Google Analytics to see what visitors to this blog actually read and how you get here. I don’t have any ads on this site, though.

If you follow the steps below, you can keep visiting websites without them being able to compile a full profile on you.

 

 

1. How To Connect to the Internet

A proxy of some sort is absolutely crucial if you want to remain anonymous. Your IP can be tied to you personally. A proxy is much more difficult, if not impossible, to tie to a person.

There are a couple of options here:

  • Tor
  • VPN service
  • Private VPN/proxy/SSH tunnel
  • Private remote desktop

1.1 Tor

Tor is a decentralized network of computers and servers (called nodes), between which your connection is bounced before actually reaching the public internet. Your connection enters the Tor network on one end and comes out on another (via an exit node). This is suitable for casual browsing, but expect significantly slower speeds. Every time you connect to Tor, you will get a new IP and often even a new country. This is good and bad. It will trigger anti-fraud systems with payment companies (PayPal and their ilk).

Tor gives you access to .onion (dot onion) websites, which are notorious for being anonymous websites used for various clandestine or downright illegal purposes.

Some websites block Tor IP addresses and will deny you access, but most webmasters and system administrators recognize Tor as a legitimate means to avoid surveillance or don’t know or don’t care about it.

Link: https://www.torproject.org/

Cost: Free.

1.2 VPN service

While the technology is a lot older, these services sprang up and reached the public eye a few years ago, starting around the time of The Pirate Bay trial and various filesharing websites getting taken down. They were more or less marketed towards filesharers seeking to share their files anonymously.

The way VPN service providers work is that they place or rent servers in what they think are good (or easily marketable) jurisdictions, such as Canada, Netherlands, France, Germany, Romania, Russia, Singapore, and Hong Kong, and install a VPN server software. Users then pay to connect to these servers and browse through VPN clients. This makes it look to the outside world that the client is browsing from said jurisdiction.

A VPN service is a good start if you want to ensure privacy, but you are at the mercy of the provider not storing logs and not supplying logs to authorities if requested. Since each VPN server will have more customers than IP addresses, you will share an IP address with other customers. This can trigger anti-fraud systems with payment providers, gambling companies, and so on.

Cost: Usually starts at around 5 EUR/USD per month. Pay anonymously (BitCoins, Liberty Reserve, using fake details, or other).

1.3 Private VPN, Proxy, or SSH tunnel

This requires a fair amount of technical know-how or willingness to learn.

In short, you will need a server and install a VPN server or other proxy software yourself. In the case of a Linux server, you can quite easily use it as an SSH tunnel.

The cheapest option is to get a VPS (Virtual Private Server). VPS come in many shapes and colors. For this, you only need the bare minimum. A VPS with more than 128 MB RAM, 5 GB harddisk space, and 200 GB monthly traffic is overkill, unless you know you need more bandwidth.

I prefer VPS that use the virtualization technology KVM, since it lets you encrypt the server filesystem for that extra layer of security. When selecting an operating system for your VPS, I recommend Debian (a form of Linux). It uses a very conservative approach to updates, only using tried and tested versions of software. It is also very lightweight and, of course, free of charge. It’s one of the most popular forms of Linux and there are thousands of websites with information and tutorials.

The advantage to this over a VPN service is that you control what gets logged and you have your own IP, making it suitable for virtually anything.

If all of this sounded like a foreign language to you, this option is not for you unless you are willing to spend some time researching the terms and phrases below:

  • KVM LVM encryption Debian
  • SSH tunnel VPS Debian
  • Set up VPN server on Debian VPS
  • How to secure Debian
  • How to keep Debian updated

Link: Offshore VPS providers can be found on http://www.exoticvps.com/

Cost: 2 to 20 EUR/USD per month depending on location and requirements. Pay anonymously (BitCoins, Liberty Reserve, using fake details, or other).

1.4 Private Remote Desktop

This can be accomplished with either a VPS or a dedicated server. I would recommend a VPS with at least 1 GB of RAM, since this will not just be an ordinary server. Again, KVM is preferred since you’ll want to encrypt the filesystem.

For a dedicated server, there is no reason to settle for anything less than 2 GB of RAM. It’s going to cost extra, but I strongly recommend a dedicated server with KVM, IPMI, or equivalent so that you can install the operating system yourself step-by-step and encrypt the filesystem using LVM.

The difference from the previously discussed Private VPN, Proxy, or SSH tunnel is that with a Remote Desktop you use the server as a regular computer. You connect to it using VNC or RDP (Windows only; not recommended). When you close your connection, everything stays and you can resume working whenever. Perfect for the frequent traveler.

When it comes to private remote desktop, it is beneficial to have it as geographically close to you as possible to minimize lag (delay).

Recommended operating systems:

  • Ubuntu
  • Fedora
  • Debian
  • CentOS
  • Windows (if you absolutely have to)

Phrases to research:

  • Set up encrypted VNC on (insert operating system)
  • How to secure (insert operating system)

Link: Offshore VPS providers can be found on http://www.exoticvps.com/ (many VPS providers also have dedicated servers).

Cost: 15 EUR (VPS) or 50 EUR (dedicated) and up. Pay anonymously (BitCoins, Liberty Reserve, using fake details, or other).

2. How to Browse the Internet

There is only one accepted browser and that is Mozilla. More specifically, this refers to Firefox or any of its derivatives, such as Pale Moon. However, Mozilla’s SeaMonkey is also acceptable.

While you can find privacy-enhanced versions of other browsers – such as SRWare’s Iron (based on Chrome) – none of them have the native, at-the-core privacy capabilities of Mozilla browsers.

The reason Mozilla browsers are the only acceptable browsers to the privacy-minded is their phenomenal support for extensions. Yes, Chrome has extensions, but they are limited in how much they can do. Mozilla browser extensions can do anything.

The following extensions are essential to any Mozilla browser user who wants privacy:

  • NoScript – disables JavaScript, cookies, Flash, and other intrusive and possibly insecure features by default and lets the user decide exactly what should or shouldn’t be allowed. Reduces the user experience at first before you get used to it.
  • AdBlock Plus – this legendary add-on blocks ads and, as such, tracking of your behavior.
  • Ghostery – blocks even more tracking than AdBlock Plus.
  • Redirect Cleaner – cleans up links, making it much harder to track you based on what links you click. Can sometimes upset the user experience.
  • Modify Headers – use this to change the user-agent header of your browser so that websites do not know what browser or operating system you use.
  • HTTPS Everywhere – looks for and attempts to use HTTPS (encrypted web traffic) wherever possible, even on websites that don’t use HTTPS by default.

Another important thing to do is to disable referrers. Websites use the referrer to see which site you came from, which makes it a tracking tool. Type about:config in your address bar. Click the button to continue to the settings. In the Search bar, enter network.http.sendRefererHeader. Double click the entry and change the 2 to 0.

Technical explanation:

  • 0 = do not send referer.
  • 1 = only send for clicked links.
  • 2 = always send.

You should also disable all plugins under Tools > Add-ons > Plugins. Disable every single one. This includes Flash and Java. You will see why later.

If you do all of this and browse via proxy, VPN, SSH tunnel, or remote desktop – your identity is protected online and you essentially become an online ghost.

The Tor Project has a preloaded version of Firefox called Tor-Browser which comes with many of these settings by default.

Link: https://www.torproject.org/projects/torbrowser.html.en

3. Don’t Be Stupid

All of your hard work becoming an online ghost can become completely null and void if you commit a mistake, such as using this structure to log in to your Facebook, LinkedIn, personal email, work email, bank, school, or government service… The list goes on. These are services we all use at least some of and that’s fine, if you follow this simple rule:

Use separate browsers.

I advocate using at least two different browsers. One for personal things (the aforementioned SRWare Iron, for example) and one for things that you want to keep private.

11 Comments on "Staying Anonymous Online – How to Keep Your Privacy Protected on the Internet"

  1. Hi Streber, thanks again for yet another very informative article.

    What are your thoughts on using Amazon servers (non-us hosted) for a VPS based VPN?

    http://www.hacker10.com/other-computing/build-a-vpn-tor-proxy-on-amazon-cloud-servers-with-lahana/

    Thanks!

    • Hi samstone,

      If you want to make every effort to avoid US involvement, hosting with a US-owned company isn’t suitable. There might not be automatic sharing of logs or customer details but unless there is a PR benefit to refusing cooperation, I don’t see any reason Amazon wouldn’t comply with a request from US authorities.

      From a purely technical point of view I’m sure it’s fine.

  2. Good points. Since phpBB powers some of the largest forums on the internet I assumed it’s safe.
    I haven’t taken any VM snapshots yet but now I probably never will.

  3. I have had good experience with the following setup for client communication. A forum (phpBB with no extensions) running in an encrypted VM (so it can be easily moved from server to server) running on an encrypted server. Reachable via one of the free DNS providers.
    Users can communicate via the forum (using Tor browser), you can easily set up users/user groups so everyone only sees the users/forums/topics they’re supposed to see.
    They are being notified via email when there’s a new post in the forum – which can be very vague: “Hello, there’s been a reply in the forum. Click here to read …” etc.

    I like this model because users can use whatever email address they like. There is no info other than the DNS name in the notification mail, and they don’t have to use encryption which for most people is a hassle. And the whole setup is very movable. Relocate the VM to another server (although it should be a server to which only you have physical access), update DNS entry and your users will never know about it. Also, there is no GPG key to steal which can then be used to decrypt all your emails. In this scenario there isn’t even old email to decrypt, everything’s in the forum. The only weakness is potentially weak passwords set by users.

    • Interesting set-up. Thanks for sharing!

      One weakness you’re probably aware of but didn’t mention is vulnerabilities in phpBB. Historically, phpBB has had a rather spotty track record for security, even without extensions. Maybe that’s improved lately?

      Another potential risk is snapshots of the VM, if you take any. If it’s for example VMware or something else that supports snapshots, those snapshots may contain the RAM and in turn the encryption key.

  4. I don’t follow what you mean in the ‘don’t be stupid’ section. Wouldn’t it be wise to use Tor, for example, for banking and email checking? From my limited understanding, doesn’t using something like Tor make your activity anonymous?

    Are you saying we should use two separate Tor browsers or one mainstream browser and one Tor?

    thanks

    • Since Tor has such a huge pool of IPs, it might be OK to check email and internet banking through it. It’s difficult to point out who was using which IP at what time. There is a risk, though, of the Tor node eavesdropping. If your bank or email provider uses sufficiently advanced security tools, they may flag Tor IPs as risky.

      You are not anonymous if you use Tor to log in to your bank account, because your bank knows to whom the account belongs.

      The point I’m trying to get across is that it might be wise to consider using two browsers. One for every-day things like social networking and your normal email. This means you leave a normal fingerprint.

      For things you want to keep secret, you’d use another browser with a VPN/proxy of sorts and high privacy settings.

      Using Facebook or your personal email through a means by which you wish to stay anonymous kind of defeats the purpose.

      • Thanks…

        To clarify, are you saying that the Tor system itself is riskier to use for online banking than the regular browsers? If so, what’s the best way to anonymously do online banking?

        I was thinking that it would be an advantage to have certain personalized email addresses and bank accounts used exclusively through Tor because, while the bank would know about it, if IP logs were ever pulled there would be no trace of those email addresses or bank accounts accessed. That way they would kind of be ‘dual purpose’ so to speak.

        • There are risks with using Tor that do not exist with using other types of, or no, proxy. However, the risk is most likely negligible in the grand scheme of things.

          What are you trying to achieve here? If an authority is curious who you are, eavesdropping on your internet traffic is probably the last thing they’d do, when they could just go to the bank or email provider and get all information about you.

  5. What about email? What kind of email is better to use?
    Could you suggest us something?
    Thank you

    • Email is tricky.

      What I prefer is to have private mail servers, where the filesystem is encrypted and all connections are made over encrypted connections. Preferably, all emails should be sent encrypted using for example PGP. This is quite complicated to do.

      There are mail services out there that focus on high security and privacy. The problem is that you end up trusting an unknown and often unverifiable third party. These include for example CounterMail, Neomailbox, AnonymousSpeech, Safe-Mail, and Securenym. I haven’t used any of them to any serious degree so I can’t recommend either.

      Arguably, as long as both recipient and sender use PGP, any email service could suffice.
