How to be completely, absolutely, but not really, only a little bit anonymous.

Anonymity and privacy are not about closing the door when you go to the bathroom. For the
individual, they might be about personal autonomy, political liberty or just protecting yourself
in the digital world.

For the enterprise, employee privacy mitigates the risk of social engineering attacks, even
blackmail. The more an attacker can learn about key people within an organization, the more
targeted and effective they can make their attacks. Educating employees about how to protect
their privacy, therefore, should be a core part of any security awareness program.

You can take specific, concrete steps to protect your privacy or that of your organization’s
employees, but they require energy, time and some technical know-how.

Privacy vs. anonymity


The universe believes in encryption, a wise man once opined, because it is astronomically
easier to encrypt than it is to brute force decrypt. The universe does not appear to believe in
anonymity, however, as it requires significant work to remain anonymous.

We are using privacy and anonymity interchangeably, and this is incorrect. An encrypted
message may protect your privacy — because (hopefully) no one else can read it besides you
and your recipient — but encryption does not protect the metadata, and thus your anonymity.
Who you’re talking to, when, for how long, how many messages, size of attachments, type of
communication (text message? email? voice call? voice memo? video call?), all this
information is not encrypted and is easily discoverable by sophisticated hackers with a mass
surveillance apparatus, which is most these days.

A final thought before we dig into specific technical tools: “Online” is now a meaningless
word. Meatspace and cyberspace have merged. We used to live in the “real world” and “go
online.” Now we live online, and things like geotracking of cell phones, facial recognition in
public physical spaces, and so forth mean no amount of “online anonymity” will help you if
your meatspace self is not also anonymous, which is nearly impossible these days.

Here are some steps to being completely, absolutely, but not really, only a little bit
anonymous.

1. Use Signal

You may have heard the mantra, “Use Signal, use Tor,” and while this one-two punch combo
is a great start, it won’t take down your opponent. Signal is the best-of-breed encrypted
messaging app that lets you send text messages and voice memos as well as voice calls and
audio calls. It looks and feels just like any other messaging app but under the hood uses
encryption that, to the best of our knowledge, not even the National Security Agency can
brute-force.

What about the metadata? Any network-level adversary can tell that you’re using Signal, for
starters, and if your adversary is the U.S. or Five Eyes, then they have mass surveillance
access to all Signal traffic and know who is talking to whom, when and for how long.

Email encryption

PGP, once bleeding edge cryptography for the masses, has fallen behind the times. No
security software can be effective if it is unusable by its target audience, and PGP is so finicky
to use that it is extremely easy to shoot yourself in the foot with it. If you are a software
developer, using PGP to sign your code is a must. For secure, private, end-to-end encrypted
communication, though, unless you have a large nation-state or three in your threat model,
and you’re technically proficient, you should not be using PGP. Use Signal instead.

The makers of Signal are well aware of these technical limitations and are researching ways to
push the boundaries of what’s possible. Metadata-resistant communication is an unsolved,
cutting-edge technical research problem.

Bottom line: Signal is the most secure, easy-to-use messaging app available to date, and offers
marginally more anonymity than any other app. Do not rely on it for strong anonymity,
however. In fact, it’s questionable whether anything provides strong anonymity these days,
which brings us to Tor…

2. Use Tor

Tor is the largest, most robust, and most effective metadata-resistant software project, and the
Tor Project does great work in the space, but the technical limitations of how much
anonymity Tor can achieve have been evident to researchers for some time. No clear fix or
replacement looms large on the horizon.

The Onion Router, better known as Tor (which is not an acronym by the way; the initial-caps
spelling is a shibboleth to identify outsiders) is optimized for low-latency web browsing, only
supports TCP (not UDP, sorry torrenteers), and won’t work when accessing many larger
websites, as they block access via Tor.

Tor does not offer guaranteed, complete anonymity, even for web browsing, but it is the best
thing we’ve got at the moment. Like so many things in life (and the internet), Tor is dual use.
The same technology journalists use to research stories anonymously is also used by criminals
to do bad things. When you hear folks badmouthing the scary “Dark Web” and suggesting
“someone should do something,” remind them that just because bank robbers drive cars on the
highway doesn’t mean we propose banning cars or highways.

The Tor Browser should be your go-to choice for mobile usage. The Brave browser also
offers a Tor option. There’s an official Tor Browser app for Android devices and
OnionBrowser offers a Tor Project-endorsed but unofficial app for iOS.

3. Don’t expect anonymity from VPNs


VPNs are not anonymous. There is literally nothing anonymous about using a VPN. No
anonymity here. Did we mention VPNs don’t offer anonymity? Just wanted to make sure
we’re clear on this point.

Since everyone expects VPNs on a list of anonymity tools, we’re going to debunk the idea
instead. All a VPN does is move trust from your ISP or, if you’re traveling, your local
coffeeshop or hotel or airport WiFi network to someone else’s server. There are many
legitimate security reasons why using a VPN is a great idea, but anonymity is not on that list.
Anywhere. Not even at the bottom.

Unlike Tor, which bounces your traffic through three Tor nodes spread across the internet,
making it very difficult, but not impossible, for an adversary to see what you’re doing, a VPN
simply shifts your traffic from your ISP (at home) or coffee shop WiFi (on the road) to the
VPN’s servers. That means the VPN provider can see all your traffic. That means that an
adversary that gains control of the VPN’s servers, by hacking them or by serving the VPN
provider with a court order, can also see all your traffic.

VPNs are great. Use them. The good ones are way more trustworthy than your dodgy local
coffeeshop WiFi network, but they offer zero anonymity.

4. Use zero-knowledge services


Google can read every email you send and receive. Office 365 scans everything you write.
DropBox opens and examines everything you upload. All three companies — among many
others — are PRISM providers, per the Snowden documents, meaning they cooperate with
mass surveillance programs. If Google can see it, so can folks in Washington. You have no
privacy on any of these services.

Of course, you could encrypt everything before using Gmail or before uploading your
vacation photos to DropBox. If you care about privacy, and can figure out how to use PGP,
you probably should. On the other hand, though, you could also choose to use service
providers that advertise zero-knowledge file storage.

While you can never fully trust that a service provider hasn’t been backdoored,
DropBox-alternative SpiderOak, based in the U.S., advertises zero-knowledge file storage.
Protonmail, based in Switzerland, advertises zero-knowledge email and claims that it’s
mathematically impossible for them to hand over your email to a third party.

We don’t endorse any of these providers, and you should do your homework before entrusting
anything important to them. However, the field of zero-knowledge file storage is an
encouraging sign, and one worth keeping an eye on.

5. Be careful what you post online


Privacy is about autonomy, the notion that you choose to share what you want to share and to
keep private what you want to keep private. If there’s something going on in your life you
don’t want the entire world to know about, then posting about it on social media — for the
entire world to see — may, ergo, not be the best idea.

There’s a striking generational gap on this topic. Older generations cringe at the idea of airing
their dirty laundry in public, while the generation that grew up with a cell phone welded to
their palm thinks over-sharing is normal. There’s a time and place for everything. Deliberate
sharing of things you want the world to see clearly has value.

Consider also that sharing a particular detail about your life may not appear sensitive on its
own but taken in aggregate with many other shared personal details can build up a picture that
you might hesitate to put onto a hostile internet.

Publishing on social media today is more permanent than chiseling hieroglyphics in stone.
Take a step back and consider the whole picture of what you’re sharing.

6. Check those app permissions


Mobile apps, for both iOS and Android, tend to request way more permissions than they
actually need and are frequently caught extracting personal details from users’ phones and
transmitting those details back to the app maker in highly inappropriate ways.

Does that random app really need access to your microphone? (What for? Is it going to record
everything you say?) What about your location? (Why? Is it going to track your location?)
Your address book? (Does that app really need to know who all your friends are? What for?)

Neither Android nor iOS makes it especially easy to do so, but dig through your settings and
turn off unneeded permissions with extreme prejudice.

7. Use an ad blocker

In the olden days of glorious yore, advertisements were a one-to-many broadcast. An
advertisement today bears no relationship to your grandpa’s ads. Now one-to-one advertising
networks watch you to better target ads at you.

Tracking your every move online and, increasingly, in meatspace, is the business model of
huge chunks of Silicon Valley. Google and Facebook are two of the largest players in this
space, and they track you all across the web and into meatspace, even if you don’t have an
account with either (though most of us do), and even if you aren’t logged in.

Installing an ad blocker is no magic cure, but a paper-mache sword is better than nothing at all
when the enemy hordes invade. The Brave Browser blocks ads and trackers by default.
AdBlock has a good reputation, and other extensions are worth exploring, such as the
Electronic Frontier Foundation’s excellent Privacy Badger extension. You can also sinkhole
ad network DNS requests at your local router level.
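
One way to prepare the router-level DNS sinkhole mentioned above, shown as an added example that is not part of the original article. It assumes the router's resolver is dnsmasq, and the blocklist entries are constructed placeholder domains; it converts a hosts-style blocklist into dnsmasq address= directives and mirrors the subdomain matching those directives apply.

```python
import re

# Constructed sample blocklist in hosts-file style; the names are reserved
# placeholder domains, not real ad networks.
SAMPLE_BLOCKLIST = """\
# comment lines and blanks are ignored
0.0.0.0 ads.example.com
127.0.0.1 Tracker.Example.NET   # inline comment
metrics.example.org
0.0.0.0 ads.example.com
0.0.0.0 localhost
0.0.0.0 bad_domain!.example
"""

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def parse_blocklist(text):
    """Return a sorted, de-duplicated list of valid domains from the list."""
    domains = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        name = fields[-1].lower().rstrip(".")  # last field is the hostname
        labels = name.split(".")
        # Need two or more labels (never sinkhole "localhost") and a
        # non-numeric last label (so a bare IP address is not accepted).
        if (len(labels) >= 2 and len(name) <= 253
                and not labels[-1].isdigit()
                and all(_LABEL.match(label) for label in labels)):
            domains.add(name)
    return sorted(domains)

def dnsmasq_config(domains):
    """Emit address= lines that answer with the null IPv4 and IPv6 address."""
    lines = []
    for d in domains:
        lines += [f"address=/{d}/0.0.0.0", f"address=/{d}/::"]
    return "\n".join(lines) + "\n"

def is_sinkholed(qname, domains):
    """address=/d/ covers d and every subdomain of d, on a label boundary."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)

if __name__ == "__main__":
    print(dnsmasq_config(parse_blocklist(SAMPLE_BLOCKLIST)), end="")
```

The generated lines go into a dnsmasq configuration file on the router; is_sinkholed can be used to check which queried names a given list will cover before deploying it.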

8. Dump your home assistant


If you value your privacy and anonymity, for the love of the dogs chuck your home assistant
(Amazon Echo, Google Home, etc.) and your snitch-in-a-box (Amazon Ring) into the trash.
These always-on digital snoops are poisonous to privacy and anonymity, and there is no
meaningful way to make them less privacy-invasive.

Ubiquitous deployment of such “assistants” makes clear the collective action problem: It
doesn’t matter if you choose not to purchase and install one of these devices. If all your
neighbors own them and use them, then your privacy is toast. If everyone else in your
neighborhood has a Ring recording everything that happens, then your movements in
meatspace will also be recorded and tracked.

The technical tips we’ve provided here offer little more than a band-aid on a gaping wound.
Use them, but be under no illusion that they will do much to protect your privacy. (Source:
csoonline)

Happy learning!
