Tuesday 1 August 2017

What not to do while anonymous

Ineffective security can be worse than no security at all. Being lulled into a false sense of security can cause us to engage in risky behaviours. This is true of anonymous browsing technologies such as Tor. As the Tor Project site takes pains to tell us, Tor is by no means a panacea. We need to avoid certain behaviours to remain anonymous online even if we're using anonymisation technology.

Hiding our IP address and encrypting our traffic is not enough to remain anonymous. As the Tor Project puts it:

"Also, to protect your anonymity, be smart. Don't provide your name or other revealing information in web forms. Be aware that, like all anonymizing networks that are fast enough for web browsing, Tor does not provide protection against end-to-end timing attacks: If your attacker can watch the traffic coming out of your computer, and also the traffic arriving at your chosen destination, he can use statistical analysis to discover that they are part of the same circuit."

Whonix is more specific on its Do Not page. Note: you should definitely check out Whonix if you are interested in online anonymity.

Here's their index of things not to do while trying to be anonymous. All excellent advice, as you'd expect.
Things NOT to Do

    Visit your Own Website when Anonymous
    Login to Social Networks Accounts and Think you are Anonymous
    Never Login to Accounts Used without Tor
    Do not Login to Banking or Online Payment Accounts
    Do not Switch Between Tor and Open Wi-Fi
    Prevent Tor over Tor Scenarios
    Do not Send Sensitive Data without End-to-end Encryption
    Do not Disclose Identifying Data Online
    Do Use Bridges if Tor is Deemed Dangerous or Suspicious in your Location
    Do not Maintain Long-term Identities
    Do not Use Different Online Identities at the Same Time
    Do not Login to Twitter, Facebook, Google etc. Longer than Necessary
    Do not Mix Anonymity Modes
        Mode 1: Anonymous User; Any Recipient
        Mode 2: User Knows Recipient; Both Use Tor
        Mode 3: User Non-anonymous and Using Tor; Any Recipient
        Mode 4: User Non-anonymous; Any Recipient
        Conclusion
        License
    Do not Change Settings if the Consequences are Unknown
    Do not Use Clearnet and Tor at the Same Time
    Do not Connect to a Server Anonymously and Non-anonymously at the Same Time
    Do not Confuse Anonymity with Pseudonymity
    Do not Spread your Own Link First
    Do not Open Random Files or Links
    Do not Use (Mobile) Phone Verification
This is just the index. Visit the page to see why these are all bad ideas.

There are things you can do to help projects like this.

You can donate to Tor and/or Whonix. You can run a Tor relay. You can campaign and advocate for privacy and you can harangue your government representatives. You can support the Open Rights Group and the Electronic Frontier Foundation. And you can educate your loved (or hated) ones.
