Different strategies for online anonymity and their +/-s?

Question

I saw this question about anonymous web browser, but I wanted to go a little bit more in depth. I prefer answers that take into account how a connection would be traced back, time it would take to trace back (ie: complexity factor), speed loss due to methods of anonymity, and cost-effectiveness of the various solutions. So, with those factors taken into account:

What different strategies can one take to become anonymous online, and what are the benefits/drawbacks of each?

In addition, is there a way for one to access an internet site from their home computer and completely prevent that access from being traced back to them (eg vpn, proxy, etc)?

Answer 1

Strategies to stay anonymous online:

1. Use Tor. I highly recommend using Tor and Torbutton (Tor kindly provides integrated distributions of all the software you need to use Tor). Tor protects your anonymity while browsing the web and helps prevent the end site from learning your IP address. See the Tor web site for more.

   You might want to use one of the distributions that provides Tor on a LiveCD; every time you need to go online, boot from the LiveCD and use the Internet. Using a LiveCD helps ensure that nothing is stored permanently on your computer, thus better preserving your anonymity in case your computer should be seized or inspected by the enemy. Using your browser's private browsing feature also provides similar benefits (it does not hide your identity from web sites, but it reduces the amount of information stored on your computer). Using a LiveCD is probably more reliable; for best protection, use both measures.

   Do note that Tor only protects your web browsing, not your other use of the Internet. For instance, it doesn't protect your anonymity while you read email.

2. Alternatively, use a VPN. Alternatively, you could buy private VPN access from a reputable third-party source who will protect your anonymity. This way, your Internet access is routed through the third party. However, this is more dangerous, because the third party still knows your identity and is able to reveal it if they choose or if they are required to by law.

   If you use a VPN, select one that is in a different jurisdiction and that you judge is unlikely to reveal your identity.

3. Never enter your real information online. Perhaps this is obvious, but don't enter in anything that may reveal your identity online. If asked for your personal details when signing up for a web site, lie.

4. Take extra caution with email. Somewhat different strategies are needed to use email securely. Using Tor and a webmail provider may be sufficient to read email with a reasonable degree of anonymity, if all you want to do is receive email and read it over the web. However, if you want to send email, that's may not be enough. One option is to look into use of anonymous remailers.

5. Take extra caution if you register a domain name. If you want to set up a site of your own, you might be tempted to register your own domain. Be careful. Domain name registrars collect a lot of information, and reveal a lot of information in WHOIS records. If you register a domain name, register it anonymous.

The above methods may be enough to provide a reasonable degree of anonymity. However, if your life depends upon staying anonymous, I'm not sure they are strong enough to rely upon, so be cautious.

Additional resources: EFF's tutorial for defending yourself online in authoritarian regimes.

Answer 2

Have a wee read of this question and this one, as they have some useful info on Tor and anonymous browsing, and have a think about exactly what your requirement is...

Aside from that - don't go online from home if you want to avoid a trace back to your home, carry out multiple hops where possible, use a one time portable browser (ie one with read only access on a USB stick that you take to an internet cafe) etc

Answer 3

I only had one thing to add (previous post already covered the "tor-thing-based") :

Be aware of tracking website (for ads), because they have your browsing history. Some usefull advices for getting rid of it on Firefox :

• Disable referer : network.http.sendRefererHeader to 0
• Disable css-visited links : *layout.css.visited_links_enabled* to false
• Usefull plugins :
  • Adblock Plus with Fanboy List and Adversity List -> removing ads and sharing buttons (yes, they're tracking you too ...).
  • Ghostery plugin -> removing trackers
• I also recomand to disable JavaScript/Flash/Silverlight (but if you use the TorButton plugin, this is already done).

This stuff can help to reduce your footprint (and btw, sorry for my poor english ^^).

Answer 4

[*] Tunneling out

Tunneling is fine, but remember that in the end it's still your packet, sent from your OS's network stack. Packet normalization could be used on a bouncing router and local router (only when being in "anonymous mode"). Also, make sure you block all the traffic going out of your host to anywhere but the TOR network. Bouncing on several servers works only if the last one is sure to not be compromised and be the only one that can decipher the encapsulated packets.

For layer 2 tunnels, change your MAC address. Tunneling implementations can differ between OS and therefore expose/leak some information about you. Take care of this (see bellow).

Notes:

• TOR cannot be trusted (really), so bounce before.
• The bouncing host should be a compromised box that you secured back. Make sure it's a busy webserver or other and assume it can be confiscated to be analyzed or spied on later on.

[*] Virtualization

You could use a dummy VM inside your OS and use a pre-configured image that you replace before each use. This will ensure that even if your browser or application is exploited, no relevant information about you will be disclosed.

[*] Behavior

Everything you use in "anonymous mode" should only be used in this mode. On the same note, never check your facebook account or you emails or favorite website on this mode. You should cut it off from everything you are and you know. It's kind of like having a second life.

Using encryption and tunnels is suspicious, don't do it if you're under surveillance.

Also, stay low and don't attempt to commit crimes. If you really want to escape prosecution, these tips will only slow down classic investigation methods, you will eventually be caught, if you need to ask about more advanced strategies, you're already screwed.

[*] Real life

With all this, you might still be victim of a targeted attack by skillful remote attackers (who want to discover your identity). And if you don't already know all this and more, you won't be able to achieve a perfect level of anonymity. If you are under an authoritarian regime and want to speak out using the Internet, you should go a step further and design stealthy protocols, use an optional HTTP header field to carry data to a server hosted in another country, this web server will sell potatoes or talk about dogs and let you tunnel out without being suspicious.

If you really want specific advice, I will need more details to give you an adequate level of anonymity. These were just basic things that people tend to forget or never use because it's too painful. But not as painful as being arrested for speaking out, or worse. It depends where you expect the privacy threat to intervene and how much you want to hide.

Answer 5

You may want to use a tiered approach, depending on the anonymity you desire for various kinds of browsing.

Keep a clean browser or two that you can use for casual, non-logged-in, non-sensitive browsing. Set them up to clear all data upon quitting, and quit often.

Use Tor for your most sensitive browsing. Establish new Tor identities often (or just quit and restart) to minimize correlation across sessions or sites.

In between those, use VPNs or SSH tunnels to anonymize swaths of your traffic, though you must have some trust in the provider (I sometimes buy these services with gift cards paid for in cash). VPNs tend to be system-wide, SSH tunnels can be very focused on traffic from specific apps (browser, IM client, etc). Different Firefox profiles can be set up to automatically use different SOCKS setups. Keep a few instances of Firefox to be able to run them simultaneously with different profiles. Keep a good set of privacy-enhancing add-ons in your Firefox configs. I use different setups like these to minimize aggregation of behavior across online personas. Be sure to set Firefox to direct your DNS traffic through the proxy (set network.proxy.socks_remote_dns to true in about:config).

Keep in mind though that device fingerprinting can be a powerful tool and could potentially correlate your different setups. For an extra measure of protection against this, use separate physical or virtual machines to house your separate personas.