The U.S. government seems to have a dizzying array of programs, both already running and in the pipeline, to gather vast amounts of data on virtually everyone, store that data for who knows how long, and do who knows what with it. One thing they’re doing is data mining, looking for “suspicious” patterns in the data trying to find potential threats. Not only does data mining not work, there’s a chance it could identify you, even if you aren’t doing anything wrong.
Other countries are already putting in place even more Orwellian surveillance on their own citizens. And some countries, as we all know, arrest, torture and kill dissidents or anyone they just don’t like.
Fortunately, there are things you can do to protect yourself from all of these threats.
I called this article “Advanced online privacy protection” because it reveals things about keeping yourself safe and anonymous online which are little-known, except to the bad guys. It’s about time the good guys got hold of some serious protection.
When people get serious about keeping themselves anonymous online, they almost always stumble across Tor. They install it, turn it on, make sure it’s working, and forget it. Then they’re surprised when the jackbooted thugs catch them anyway and haul them off to be tortured and killed. Simply using Tor is not enough to protect yourself.
There are different threat models which necessitate different processes and different ways of using Tor and other privacy tools. I’m going to take a look at three of the threat models and explain what you need to do, in addition to using Tor, to reasonably protect yourself from the threats. It’s possible I haven’t thought of everything, and it’s possible I may be wrong. If you believe I’m wrong, feel free to leave a note below and we’ll talk about it. And if you somehow think that we don’t need privacy, consider that the U.S. might never have come to be without it.
I assume that you already have some knowledge of Tor and Privoxy and that you have already installed them. If not, go do that now and come back. Be sure to read the Tor FAQ, especially the section on anonymity.
Threats and protection
The first thing I am going to recommend, regardless of the threat you wish to protect against, is that you use separate browser profiles, separate user accounts, or even separate computers, for your unprotected Internet usage and your protected Internet usage. For most people, it should be sufficient to use separate browser profiles. You can set this up using the Firefox Profile Manager, and in fact, you can run both profiles in separate windows simultaneously.
If a breach of anonymity means imprisonment, torture or death, you should also encrypt everything on your computer using some sort of deniable encryption and preferably an encryption key which you don’t know and is easy to lose or destroy, such as a random string stored on a USB flash drive. Encrypting your computer, unfortunately, is beyond the scope of this article, but there are plenty of resources on the Internet for this.
Hackers, Identity Thieves and Other Criminals
The first threat model to address is that of a criminal who is looking to gain your personal information in order to commit financial or other crimes. Tor can only provide limited protection from this threat model, as the threat is directed toward an unencrypted network stream or a server outside your control whose storage is not encrypted. Even so, here are a few tips for protecting yourself.
All Web sites to which you would provide such information should already be encrypted. Look for the lock icon on your browser, and make sure the lock icon isn’t broken, unlocked or showing a red line through it; if it is, then the encryption is weak and should not be trusted.
Aside from that, the primary individual threat is if someone obtains your password. Never use the same password at more than one Web site, as many sites store the passwords unencrypted, and if someone obtains your password from one site, they could use it on any other site where you used the same password. Never use the password that the Web site assigns when you first register your account. Always change it to something else. It’s okay to let the browser remember your passwords, but only if it provides a master password which encrypts all of your saved passwords. (Firefox provides this capability, for instance.)
ISP Data Retention
This is the threat model which applies to most users: your Internet Service Provider watching everything you do and making a record of it, which is turned over to government officials on demand. Tor excels against this threat. While Tor, like any low-latency anonymizing network, has weaknesses, exploiting them generally requires the attacker to be monitoring you from multiple points on the network. If you use Tor against this threat, the only thing the ISP can record is that you have made encrypted connections to a few hundred other Tor servers.
However, you may run into trouble if you use a very large ISP. Consider the possibility that you use Tor, and someone else who is a subscriber of the same ISP runs a Tor server. There is a chance that your traffic would exit from that Tor server and the ISP would then be able to record it. If they are actively monitoring you, they may be able to tell, based on timing, that you originated the requests, especially if the ISP is running the Tor server themselves with the express purpose of monitoring its users. The chance that you would be discovered rises the more you use Tor to contact the same sites, so your best bet here is to use the ExcludeNodes torrc directive to blacklist any Tor server on any network owned by your ISP.
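One way to build that ExcludeNodes line, as an added example that is not part of the original article: it validates and merges a list of ISP prefixes, shows which relays from a sample list fall inside them, and emits the torrc fragment. The prefixes and relays are constructed (RFC 5737 documentation ranges), the function names are hypothetical, and the StrictNodes line is an addition the article does not mention.

```python
import ipaddress

# Constructed sample data: prefixes an ISP might announce (RFC 5737
# documentation ranges, not real allocations) and a few made-up relays.
ISP_PREFIXES = ["198.51.100.0/25", "198.51.100.128/25", "203.0.113.0/24"]
SAMPLE_RELAYS = [
    ("relayA", "198.51.100.77"),
    ("relayB", "192.0.2.10"),
    ("relayC", "203.0.113.200"),
]


def isp_networks(prefixes):
    """Validate each prefix and merge adjacent or overlapping ones.

    strict=True rejects entries with host bits set (e.g. 198.51.100.1/24),
    which usually indicate a typo that would exclude the wrong range.
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


def relays_inside(relays, networks):
    """Return the nicknames of relays whose address is in any ISP network."""
    hits = []
    for nickname, addr in relays:
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in networks):
            hits.append(nickname)
    return hits


def torrc_lines(networks):
    """Build the torrc fragment from the merged networks.

    ExcludeNodes accepts address patterns in CIDR form. StrictNodes 1 asks
    Tor to treat the exclusion as a requirement rather than a preference.
    """
    patterns = ",".join(str(n) for n in networks)
    return [f"ExcludeNodes {patterns}", "StrictNodes 1"]


if __name__ == "__main__":
    nets = isp_networks(ISP_PREFIXES)
    print("Relays in ISP address space:", relays_inside(SAMPLE_RELAYS, nets))
    print("\n".join(torrc_lines(nets)))
```

The list of prefixes has to come from your own research into which networks your ISP operates; the script only checks and formats what you give it.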
Weaknesses in any anonymizing network, including Tor, may make you vulnerable to a very determined and resourceful attacker who can monitor the Internet at multiple dispersed points as well as launch attacks on the Tor network itself. This category generally includes many government intelligence agencies, and may include some government internal police agencies. Consider that the U.S. Department of Justice has funded research (PDF) into how to attack anonymizing networks such as Tor. That research contract is now being handled by the Department of Homeland Security. What do you expect they want to do to anonymizing networks?
You can read all the research into anonymity for yourself if you like. And I probably will oversimplify things a bit, and I may give the attacker too much credit, for those of you more familiar with the research than I am. The very short explanation is this: A determined attacker with sufficient resources can find out who you are if you use Tor to contact the same sites too frequently. Current research has not suggested a solution to this weakness which could be incorporated into the Tor protocol.
However, there are two ways you can mitigate this threat or even eliminate it. The first way to mitigate the threat is to limit your use of Tor. I suggested above that people maintain separate browser profiles, separate user accounts or even separate computers for Tor usage and non-Tor usage. In this scenario, you would not use Tor for anything that isn’t sensitive enough to require it, only use Tor for those things for which it is essential, and never cross the two. You would be essentially maintaining a pseudonymous presence on the Internet through Tor, and you must never allow that pseudonymous presence to be associated with your true identity.
The second, and much more effective, way to mitigate the threat is to move. Never use Tor, or indeed do anything sensitive, from your home, workplace, or any other place which can be tied to you. Ideally you need a laptop for this, but using Internet cafés is usually sufficient; distributions of Firefox, Tor and Privoxy exist which fit on a USB flash drive or CD-ROM and can be plugged into any computer for access to Tor on demand. If you must use Internet cafés, do not use any which require you to identify yourself, if possible. If this is not possible (e.g. Italy) you will need to use your own laptop. Using a laptop and open Wi-Fi connections, you can then use Tor completely anonymously. Don’t use Wi-Fi hotspots which require you to pay or even to register, though. Free hotspots are easy enough to find in most countries.
If you are doing something extremely sensitive, consider using a laptop and Wi-Fi, but use any particular hotspot only once, and never return to the same place. This may eventually require you to leave whatever place you are located, but if you’re doing something that sensitive, it’s likely you’ll have to leave sooner or later anyway. Be prepared to spend extensive amounts of time traveling if you are in this situation, and ensure that your travel documents are in order and that you are not wanted by the local authorities; if you are, then I can’t help you.
If you are working against this threat model then you absolutely should have strong encryption on all of your computers. If you are in a country which requires you to surrender your encryption keys on demand, make sure your key is a random bit of data on a USB flash drive which you can easily “lose” if the need arises. Tutorials on the Internet explain how to do this for Linux. I’m afraid I don’t know about Macintosh or Windows. If you need extremely high levels of security, you probably shouldn’t be using either of those in the first place.
Security is a tradeoff. If you try to implement security out of proportion to the threats you face, you will either be unprepared for the inevitable attack, or you will be wasting your time on inconvenient measures you don’t need to bother with. At the same time, if you need more security, you must put up with more inconvenience. Let down your guard, even for a moment, and you’re dead — if not right now, then in a few months when they find you and catch up with you because of a mistake made long ago.
I probably have omitted a few things which need explanation, or have made some sort of error, in preparing this article. If you spot an error or have a question, the comment form is directly below; feel free to use it.
I also have done little to address maintaining privacy and anonymity offline; it’s outside the scope of this article. Some research and a little common sense go a long way here. Perhaps I’ll be able to address this later.
Finally, while civil disobedience has been a time-honored way to get bad laws repealed in the U.S., it’s also been a time-honored way to get yourself killed. While I can’t recommend to anyone that he break the law, whatever it is, I do recognize that sometimes it must be done. Those working for positive change need all the protection they can get, especially when simply speaking in support of change can mean the firing squad.