Anonymity: How to hide your identity

Staying anonymous on the internet is a tough challenge – some say, it is impossible nowadays. There are in fact a lot of things journalists and their sources have to take into account if they want to operate “under the radar”. To hide an online identity, not a single program is enough, but a whole bunch of tools and behavioural rules. The question is not so much about “being completely anonymous”, but “anonymous to whom”?

In this chapter, we provide basic information on how online anonymity is technically provided and what key questions journalists and sources need to answer before using products. Moreover, we provide information about VPNs and the tor network.

 

 


What anonymization means – and what not

The internet only works with data, and data may be linked to an identity. There will never be an internet without data – so there will never be absolute anonymity, unbreakable for every potential adversary. Nevertheless, there are solutions that can make users practically anonymously on the current state of the art. All approaches have in common that they try to hide a real identity under a pseudonym – and make it hard for adversaries to detect the real identity. To understand the core differences, we focus on VPNs and Tor.

 

 


VPN – Virtual Private Network

A VPN is probably the most common way to connect “anonymously” with the internet or to circumvent censorship. But how does it work? And does it really makes you anonymously? Not really.

VPN stands for Virtual Private Network. While users regularly tell their Internet Service Providers (ISP) which website they want to access, they now tell their ISP that they want to be connected with a VPN. The VPN provider creates a tunnel between itself and the user to exclude the ISP from knowing what the user is doing on the internet. However, that the user is connected to the VPN remains visible for the ISP.

An example: Given a User has internet access provided by his or her ISP and wants to open the website www.example.com.

A) Without a VPN, the ISP sees at least the IP address of the user and the address of the website www.example.com. So in most cases, the ISP knows the identity of the user and the website he or she accesses.

B) With a VPN, the ISP sees at least the IP address of the user and an IP address of the VPN provider. So in most cases, the ISP knows the identity of the user and that he or she is connected to a VPN, but not more. However, now the VPN provider knows the identity of the user and the website he or she accesses.

 

VPN: Pro & Contra

Pro: A VPN can help to exclude the Internet Service Provider from tracking users behaviour. While ISP’s are often nationally regulated and legally obliged to hand over data to governments, this may differ for a VPN. Some providers may be based in countries that do not legally cooperate with your state adversaries. Secondly, a VPN can help to circumvent censorship. As the ISP is excluded, it cannot hinder you to access a blocked website any more.

Contra: Users have to trust a VPN provider that it really does what it claims to do. While users don’t have to trust their ISP anymore, the “all knowing entity” is now the VPN. Secondly, also a VPN provider may be legally bound to hand over certain data. Users should check this in advance. Thirdly, especially free VPN providers may earn money with users data. As they are the “all knowing entity”, they may record users behaviour and make money with these data. Lastly, only the use of a VPN could make users suspicious in certain countries and contexts.

Please also check our Key Questions for anonymization tools.

 

 


Tor – Onion Services

The most useful use case of Tor is probably to browse in the internet anonymously. However, Tor can do more. There are also so-called Onion Services that host websites in the Tor network itself. So Tor is not ‘only’ a bridge in the regular web, but the destination of a connection. Why is that useful?

People who operate an Onion Service not necessarily have to reveal their identity and information about the location of the Onion Service. Therefore, nobody can force them to delete certain information. Tor Onion Services are resistant against censorship and guarantee anonymity for both its operators and visitors.

For journalists, they may be relevant to share files anonymously (e.g. over Onion Share) or to set up an anonymous post box for whistleblowers (e.g. over Secure Drop).

 

Tor: Pro & Contra

Pro: Tor can help to exclude the Internet Service Provider from tracking users behaviour. While ISP’s are often nationally regulated and legally obliged to hand over data to governments, Tor is global, decentralized network that cannot easily regulated by single states. By default, Tor does not store any user data, so Tor cannot even provide data if it was legally obliged to do so. Secondly, Tor can help to circumvent censorship. As the ISP is excluded, it cannot hinder you to access a blocked website any more. Even if the access to Tor itself blocked, the network offers a special way to circumvent that with its “bridges”.

Contra: Only the use of Tor could make users suspicious in certain countries and contexts. Also, the access to Tor can sometimes be blocked by national ISP’s (see how to circumvent that here) and the speed of the internet connection is usually a bit slower than without Tor.

Please also check our Key Questions for anonymization tools.

 

 


Factors that can compromise anonymity

There are several kinds of data that may compromise users anonymity online. The most important are as follows, but are not limited to these:

  • IP address: An IP address is provided by an internet service provider (ISP). It knows the identity of the person that made the contract for internet access with it.
  • System data (‘fingerprints’): While accessing the internet, your computer or smartphone sometimes has to send technical information about the system like software version, language settings, hardware information or screen size. These information can reveal your identity or at least work as an identifier, as the composition of different data is often unique.
  • Account information: If users sign up for a service, they mostly have to provide certain personal information like email addresses, telephone numbers or bank information for the purpose of billing.
  • User provided information: Every content that user provide on the internet might be individual, and therefore be linked to an identity. This can included messages, shared photos or metadata about a users activity. For example, using an anonymization tool would be useless if a user reveals his or her name in an unencrypted message.
to top