The private mode in the browser is everything, but not private. A security researcher explains how you can really get through the net without leaving a trace.
People are spooked by Big Data: On Facebook, Martins hide their last name and call themselves “Mar Tin” to deceive Mark Zuckerberg. Germans delete cookies and encrypt their e-mails more frequently than people in neighbouring European countries. At least that’s what they said in a representative Infratest survey. Nevertheless, only very few people know how to get through the net really anonymously.
Matthias M. is one of them. Matthias hacked the school computer’s administrator account in 11th grade. Later he looked for security gaps in Hacking Challenges and also found them: for example in a project for smart schoolbags.
Matthias is now 28 years old and is a member of the “Security and Privacy” research group at the University of Hamburg. Together with colleagues from Dresden, he develops fast and convenient anonymization software.
We asked him what to look out for when surfing anonymously.
Honestly, do you always surf anonymously?
That all depends. When I am on the road and I use open WLANs, I often switch on a VPN or Tor so that the WLAN provider doesn’t learn so much about my surfing behavior. I am often not anonymous at work or at home.
What data do you disclose if you surf without protection?
When I visit a website just like that, I contact it directly. My IP address tells it where I come from. It gets information about which browser I use, which security extensions, how big my screen is, which fonts I have installed and so on.
That sounds boring, but with this amount of data you can identify me and my computer. If my computer regularly goes online at certain places, you can create a motion profile: I live there, work there, tuesday gym, friday local. Many sites use tracking services and have plug-ins from Facebook or other social networks. This makes it easier to link movement patterns with identities.
How can that hurt me in concrete terms?
In authoritarian regimes, the secret service could understand who criticizes the government from where and when on the Internet. Anonymity is a question of life and death there. But consequences are also threatening here: If insurance companies know everything about me, my tariff may become more expensive. The advertising industry analyzes my surfing behavior and fills me with customized advertising.
The data collected about me may fall into the wrong hands. Someone could derive my illnesses, sexual preferences or affairs from it and blackmail me. I also believe that it is important for a democracy that one can express one’s opinion anonymously, without fearing reprisals.
Now there are several services that advertise with anonymity on the net. Popular is e.g. Ghostery, a small mini-program for the browser, an add-on that blocks Tracker. Mozilla offers something similar with a special browser, Firefox Klar. Is it possible to surf with such programs undetected?
These add-ons or plug-ins block cookies, a kind of identity mark on the network, and tracking services. The browser cannot create a chronicle. That makes sense. The services, however, only provide superficial protection. They don’t cover my IP. That means, my approximate location and my browser data will still be transferred to the website.
One level more complex are VPN services. Sometimes they cost a few euros a month, but promise to cover my location up. Are they making me anonymous now?
When I use a virtual private network service, a computer is placed between me and the website. He calls the website with his IP for me. This allows me to use streaming services that are restricted to certain countries: With a VPN I could subscribe to US-Pay-TV HBO and watch Game of Thrones, or watch games in the Champions League, which only broadcasts the Austrian ORF media library and not the German ZDF. Providers like Netflix are therefore trying to block known VPNs for their services.
But when it comes to anonymization, VPN has a weakness: I have to trust the provider not to mess with my data. There are cases in which VPN providers have not only inserted advertising, but even malware into the visited websites. Maybe the service is interested in selling my data directly or cooperates with authorities. Then I’m at the mercy if I do more than just watch a series.
How do you avoid these risks?
I connect several computers in a row and give each of these computers only a part of my request. Conclusions about my identity are only possible if all computers involved join forces and decrypt and assemble this request at great expense.
The Tor network uses this principle and provides good protection for my identity – unless I’m being spied on by the NSA. In addition, it encrypts the data and changes the three intermediate computers every ten minutes. If I want to surf the Internet anonymously in the classic way, this is the best choice.
Since last year, the German security authorities have been developing the state Trojan: software with which they can monitor smartphones and computers. Is Tor protecting me?
Once the so-called state Trojan is on the computer, it records everything. It accesses before my data is encrypted and transmitted. A Trojan comes to the computer via a file, for example when I click on a strange email attachment. Or it comes through a security hole in the system. Tor won’t change that.
Is Tor foolproof?
Tor sounds more complicated than it is. I can easily download and install the Tor browser. The Tor browser looks like Firefox and I can use it just as well.
Can I actually do something wrong and still betray myself?
That’s possible. Tor anonymizes the IP address that reveals my location. But other details also reveal a lot about my identity: installed fonts, browser type and window size. So the Tor browser tells me not to drag the window to full screen – and I should stick to that.
Also, I should not be logged in with my Facebook or Google account if I want to surf anonymously with Tor – even if I use a fake account. The service simply links my surfing behavior to the IP address and browser data I am normally logged in from. From this he can then draw conclusions about my rough location and my identity.