Is using a web anonymizer like Tor or one of its alternatives, enough to keep you truly anonymous online? Does a VPN make you anonymous? Is there any one program or service that will keep you completely anonymous on the internet?
Regrettably, the answer to all of the above questions is the same two letter word: No.
To truly stay anonymous, you do need access to tools like Tor and its alternatives as well as a good VPN. But those aren’t enough by themselves. You also need to be aware of the common mistakes that people make online that lead to anonymity being broken.
A case study in not staying hidden
The first Silk Road provides an excellent example of how to not stay hidden. When Ross Ulbricht, a.k.a. “Dread Pirate Roberts” (DPR), first set out to create an anonymous online marketplace, he wasn’t focused on becoming a criminal mastermind. He just wanted to provide a way for people to exchange money for goods that they did not want traced back to them. I’m not sure what goods he had in mind, if any, but his idea was not, in and of itself, illegal. Because of this oversight, he did not think that he needed to mask his identity from the start.
However, once the site was up, he started taking his identity masking a bit more seriously–too late, I might add. His initial attempts at anonymity were unpracticed and a bit clumsy. Initially, he did set up the server as a hidden service in the Tor network. His customers and clients were promised anonymity in their online dealings. The initial configuration of the server used a VPN combined with the Tor Browser.
Then he started leaving a trail of breadcrumbs that law enforcement followed directly to his home, as well as his favorite wifi hotspots that he regularly used to connect to the internet.
Here is a chronological list of his actions/mistakes that led law enforcement right to him:
- January, 2011: a user named altoid posted on forums for Shroomery.org and Bitcoin Talk advertising a hidden Tor service that operated as an anonymous Amazon.com pointing to silkroad420.wordpress.com for instructions on how to access the site on the Tor network.
- October, 11, 2011: Another post on the Bitcoin Talk forum by user altoid advertising for an IT pro in the Bitcoin community. Applicants were told to submit resumes to “rossulbricht at gmail dot com”.
- The Google+ profile of firstname.lastname@example.org contained a list of favorite videos on mises.org, the “world center of the Austrian School of economics”, which also had a profile for Ross Ulbricht. Several of DPR’s blog posts on Silk Road cited Austrian Economic theory and the works of Mises Institute economists Ludwig von Mises and Murray Rothbard.
- March 2012: a new account was created at Stack Overflow with the username Ross Ulbricht and using the email address email@example.com. This user posted two questions on the Stack Overflow forum, the second of which caught the eye of an FBI investigator actively looking for information about hidden services: “How can I connect to a Tor hidden service using curl in php?” Less than a minute after posting the question, Ulbricht changed his username to “frosty”. Weeks later, the email address was changed to firstname.lastname@example.org. The encryption key on the Silk Road server ended with “frosty@frosty”.
- The curl script posted in the above Stack Overflow question is identical to code obtained from one of the Silk Road servers.
- July 20, 2013: Customs intercepts nine fake IDs coming into America from Canada, all under different names, but all having the same picture of Ross Ulbricht. When interviewed about this, Ulbricht told authorities that anyone can order drugs, fake IDs or anything else off of the Silk Road.
- The server running Silk Road was imaged and forensically examined in late July. This was done surreptitiously by the hosting provider at the request of the FBI via local authorities and the Mutual Legal Assistance Treaty. They used the server’s ssh config to find the VPN server Ulbricht was logging in from and the VPN server’s last login record of IP addresses to locate a cafe near his home. The FBI was able to correlate the location based on Google’s records of the email account that was previously used to solicit users and help on the Bitcoin Talk forums, which he accessed from home the same day he logged into the VPN server. Other information on the Silk Road hidden server was used to correlate with openly sourced information to get the probable cause needed to arrest him.
- It is not currently known how the FBI found the physical server that was hosting the first Silk Road. It is likely that the FBI exploited a vulnerability in the software on the server to get it to reveal it’s actual IP address, possibly by getting it to send information to the internet, while at the same time the FBI was performing a traffic analysis attack on both ends of the Tor network. Traffic analysis is the main weakness of the Tor network. This is the most likely explanation, given the operator’s lack of caution and apparent lack of serious technical skill and/or experience.
- Another indictment that had surfaced revealed that DPR arranged for a delivery of 1kg of cocaine from an undercover agent to a Silk Road employee. The Silk Road employee was arrested and it is possible that information from his computer led them to the Silk Road server.
- A third possibility is the Silk Road server, or some other related server, may have handled some bitcoin transactions without using TOR, allowing investigators to locate that server and trace its communications to the main Silk Road server.
- Nicholas Weaver, a security analyst who specializes in cyber security, speculated, “the FBI (with a warrant) hacked the site sufficiently to discover the site’s IP by generating a non-Tor phone-home and then contacted the country of the hosting provider which then got the server imaged. But since the server imaging didn’t involve taking the server down or disrupting service sufficiently to spook DPR into taking his bitcoins and running, I suspect that this was some virtual-machine hosting provider.”
What about DPR2, Blake Benthall and Silk Road 2.0?
Silk Road 2.0 went up within a couple months of the Silk Road bust. This time, the person in charge, Dread Pirate Roberts 2, successfully masked his identity so thoroughly that he is still at large and, apparently, not being actively sought by law enforcement. The main coder for the site, however, made enough mistakes to lead law enforcement right to him. Blake Benthall, a.k.a. Defcon, was brought on as DPR2’s second in command right at the beginning. At one point, he even took control of Silk Road 2.0 when DPR2 was unreachable for more than a couple weeks. In essence, he became the new DPR for a short time, which led to the takedown of Silk Road 2.0’s network of servers when he was arrested.
Here are the mistakes that Benthall made:
- Benthall (a.k.a. Defcon) actually registered one of the Silk Road 2.0 servers using his real name in a Google+ email address, email@example.com. He was not the new Dread Pirate Roberts, but merely the main coder of Silk Road 2.0, DPR2’s second in command. Of course, he eventually took over from DPR2 and even had arranged a sort of pension plan for DPR2’s retirement.
- Homeland Security had an undercover agent in place at Silk Road 2.0 fairly early on. This agent worked his way up until he was a paid employee with administrative rights on one of the servers. He was then able to use his access to that server to not only find it’s location in the world, but also other servers that it communicated with on a regular basis. There were cryptographic security keys and even chat logs between Defcon and DPR2.
- Currently, DPR2 is still at large and the FBI does not know who he is or where to look for him. There is no doubt that DPR2 and Defcon are two different people. It would seem they are content with the arrest of Benthall and have stopped actively hunting for DPR2.
How to avoid Ulbricht’s and Benthall’s mistakes
If you want to remain anonymous online, whether you’re the kingpin of a massive online drug ring or a whistleblower at a corrupt corporation, you don’t want to make the same mistakes as Ulbricht and Benthall. The following list of suggestions are just the tip of the iceberg. These are some of the most commonly overlooked, ignored or just plain unknown anonymity failures today:
- Don’t access any site that requires a login but does not use encryption, especially if the user account on that site contains any personally identifiable information. An encrypted site will use “https:\\” at the beginning of the URL. Most browsers today will display a small padlock icon to the left of the address bar when the site is secure. There may also be a blue or green URL bar button in the Tor Browser.
- Don’t log into Google, YouTube, Gmail, Hotmail, Yahoo! or any other secure site that has your personal information while using an anonymizer. All of those sites maintain logs of IP addresses that their users log in from. While this can’t be used to find you, it can be used after you’ve been found to further damage your, and everyone else’s, anonymity. The providers of all of these types of services keep their own logs relating to any user’s access. No matter what anonymous tool is used, after the user has been caught, these logs demonstrate what anonymous tool they used, how that tool works on both ends, as they will invariably be in possession of the user’s computer. Also, those sites use auto-refresh to repopulate your browser with new content. Unfortunately, this also sends your information back to the webhost with every refresh, adding to the information kept in the logs.
- Stay away from forums, blogs and microblogs that you normally visit as yourself when online. Don’t even quote any of them. Even creating an anonymous user account at those places can end up working against you. It’s far safer to just stay away from them until you are finished with your anonymous internet session.
- Turn off or shut down any applications or programs that automatically sync with a server, or configure them to send all of their traffic through your anonymizer of choice. Things like email clients, Facebook, Twitter, instant messenger programs, streaming media, etc. Anything that cannot be configured to communicate anonymously should not be running while you are trying to be unrecognized. Ideally, the best option is to use a liveOS like Tails or any of the live linux distributions that can be kept on a CD, DVD or even a thumb drive. When a computer is booted into one of these operating systems, especially one that is designed for anonymity, like Tails.
- Develop a checklist of anonymous practices before you do anything online. Only you know what sorts of things you do online and it should stay that way. A checklist will help ensure that you don’t get careless.
- If you must download something while using an anonymizer, don’t open it while your computer is still connected to the internet. Many innocuous seeming documents can contain links or even live streams of data that can and will give away your IP address when they connect to their remote data source. This is especially true of files ending in .doc and .pdf. Instead, either disconnect from the internet completely or open them in a virtual machine that does not have a network connection.
- Do not torrent over Tor or any anonymous access tool that is not specifically designed to be used for torrenting. This is one of the most often ignored pieces of advice. All of the standard torrent clients use the IP address of the host computer to receive the torrent streams from other clients, or seeders, and to source streams to others that are downloading that data, known as leeches. These programs embed the client computer’s actual IP address into the header of each packet of data transmitted. That way both the computer requesting the data and the computer sourcing the data can send and receive data without having to rely on any servers or “middle men.” This is how the vast majority of torrent clients work. Using a standard torrent client is in no way anonymous. However, there are torrent clients that are designed to be anonymous. Look into GNUnet and Aqua for sharing large files anonymously over an anonymous file sharing network.
- Do not modify the security settings or install any plugins in your browser or the browser provided as the anonymizer, unless specifically told to do so by the anonymous service provider of your choice. If you are not using the Tor Browser specifically, make sure you do not install any plugins in your web browser. This includes things like Adobe Flash Player, Apple QuickTime, Java and others. Preferably, you will be using the Tor Browser, possibly even the hardened version, or one of its alternatives. That way, you will get the latest updates as soon as they are released.
- If you don’t want your ISP to know that you are connecting to an anonymous network, like Tor, use a bridge instead of a regular entry node.
- If you are engaged in any activity that is illegal in your home country, know that you will be actively hunted by your local law enforcement at the very least. In the United States, illegal activity is investigated by the FBI for any crimes that cross state lines, the DEA for any crimes involving narcotics, Homeland Security for anything they feel like investigating, the ATF when firearms are involved and the IRS when significant amounts of money is changing hands, regardless of what currency is used. These entities will all work together using a lot of different tools to find you. Any mistakes, no matter how small, will lead them right to you.
- Ultimately, you will want to become familiar with and use several different anonymity tools. If you use a VPN, change servers often. Also, never use your anonymous access program without using a VPN, even if the VPN server you are connecting to is in your home city. You already should know that any logs kept by the VPN provider can point right to you, so make sure you choose a provider that does not keep any logs relating to you and your connection.
- On the subject of VPNs specifically, not all are created equal. When shopping for one, you want to look for a provider that has, and keeps to, a strict “no logs” policy. You also want to make sure they use shared IP addresses. Just like with some websites, several VPN servers can exist on the same physical server as virtual machines. The physical server has only one IP address, so all of the virtual servers that it hosts all have to share that address. There can also be other servers being hosted like websites, email servers, databases and file sharers. The main benefit is that your VPN server can show up in the destination server logs as any of these, not necessarily a VPN.
You’re safest bet is to simply not do anything illegal online. After all, you are human. Humans are perfectly imperfect creatures. Mistakes are almost a way of life for most of us. You will make mistakes that will lead any one of these law enforcement agencies right to you, and they will bring all the others with them. Also, if they have to break the anonymity of every user of the anonymity tool or network that you are using just to find you, they will do exactly that. If need be, they will bring in a team of specialists as “consultants” or even “researchers” to perform the actual breaking of anonymity.
A special note for law enforcement
A final word for those of you in the law enforcement arena. Keep in mind that your target, no matter how smart, technologically savvy, educated or clever, will make mistakes. They are the weak link and will provide you all the rope you need to hang them. Performing traffic analysis attacks on anonymous networks can get expensive and is a waste of funds.
All of these people can be found using security holes in their servers, anonymous tips from dissatisfied clients or former employees, backtracking online activity of people of interest and generally just good old-fashioned detective work. However, infringing on everyone else’s freedoms is, in itself, illegal and you are supposed to be above that. There are other means available to you and your colleagues that don’t require you to break the law to find your targets. Like the criminals you are seeking, there is only so much you can get away with.
The big takeaway
If you intend to take your privacy seriously, then you need to make a decision every time you fire up your browser: to be, or not to be. Anonymous, that is. Being anonymous takes planning and foresight. After all, the only person that really cares about the safety and security of your privacy is you.
The examples provided in the case study above are the extremes when it comes to trying to hide your activities online, and for good reason. The extremes help to underline the simple mistakes that one can make and the repercussions to which those mistakes can lead.