Anonymity on line and privacy

June 21, 2014 |

Under the Privacy Act individuals should have the ability to either be anonymous or use a pseudonym when dealing with organisations or agencies except in some circumstances.  Australian Privacy Principle 2 encompasses this entitlement.  It provides:

2.1 Individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with an APP entity in relation to a particular matter.

2.2 Subclause 2.1 does not apply if, in relation to that matter:

a.   the APP entity is required or authorised by or under an Australian law, or a court/tribunal order,   to deal with individuals who have identified themselves; or
b.   it is impracticable for the APP entity to deal with individuals who have not identified themselves or who have used a pseudonym.

The exceptions under 2.2 at first glance seem to dilute the effectiveness of APP 2 however the Privacy Commissioner’s Guidelines restricts the claim of impracticability to 2.2(b) to fairly limited types of situations and ones where anonymity or pseudonymity is reasonable.  It is a very poorly understood and appreciated APP and considerable work will be done to have organisations comply.

The other issue which is complementary to the legal right/ability to anonymous communication is the technical ability to anonymise ones self on line.  Through the Tor, in its many variants, and other programs and apps such as Guerilla Mail,  Onion Browser and Enigma Mail it is possible to reasonably safely browse the web, send email and use messaging reasonably anonymously on desktop.  It is considerably less easy to do so through mobile devices.  Wired in How to Anonymize Everything You Do Online sets out in great detail how it is possible to anonymise one’s activity on line.  It is one of the best articles on the subject for some time.

It provides:

One year after the first revelations of Edward Snowden, cryptography has shifted from an obscure branch of computer science to an almost mainstream notion: It’s possible, user privacy groups and a growing industry of crypto-focused companies tell us, to encrypt everything from emails to IMs to a gif of a motorcycle jumping over a plane.

But it’s also possible to go a step closer toward true privacy online. Mere encryption hides the content of messages, but not who’s communicating. Use cryptographic anonymity tools to hide your identity, on the other hand, and network eavesdroppers may not even know where to find your communications, let alone snoop on them. “Hide in the network,” security guru Bruce Schneier made his first tip for evading the NSA. “The less obvious you are, the safer you are.”

Though it’s hardly the sole means of achieving online anonymity, the software known as Tor has become the most vouchsafed and developer-friendly method for using the Internet incognito. The free and open source program triple-encrypts your traffic and bounces it through computers around the globe, making tracing it vastly more difficult. Most Tor users know the program as a way to anonymously browse the Web. But it’s much more. In fact, Tor’s software runs in the background of your operating system and creates a proxy connection that links with the Tor network. A growing number of apps and even operating systems provide the option to route data over that connection, allowing you to obscure your identity for practically any kind of online service.

Some users are even experimenting with using Tor in almost all their communications. “It’s like being a vegetarian or a vegan,” says Runa Sandvik, a privacy activist and former developer for Tor. “You don’t eat certain types of food, and for me I choose to use Tor only. I like the idea that when I log onto a website, it doesn’t know where I’m located, and it can’t track me.”

Here’s how you can use the growing array of anonymity tools to protect more of your life online.

Web Browsing

The core application distributed for free by the non-profit Tor Project is the Tor Browser, a hardened, security-focused version of Firefox that pushes all of your Web traffic through Tor’s anonymizing network. Given the three encrypted jumps that traffic takes between computers around the world, it may be the closest thing to true anonymity on the Web. It’s also rather slow. But the Tor browser is getting faster, says Micah Lee, a privacy-focused technologist who has worked with the Electronic Frontier Foundation—one of the organizations that funds the Tor Project—and First Look Media. For the past month or so, he’s tried to use it as his main browser and only switch back to traditional browsers occasionally, mostly for flash sites and others that require plugins.

After about a week, he says, the switch was hardly noticeable. “It may not be entirely necessary, but I haven’t found it that inconvenient either,” Lee says. “And it does have real privacy benefits. Everyone gets tracked everywhere they go on the Web. You can opt of out of that.”

Email

The simplest way to anonymously send email is to use a webmail service in the Tor Browser. Of course, that requires signing up for a new webmail account without revealing any personal information, a difficult task given that Gmail, Outlook, and Yahoo! Mail all require a phone number.

Runa Sandvik suggests Guerrilla Mail, a temporary, disposable email service. Guerrilla Mail lets you set up a new, random email address with only a click. Using it in the Tor Browser ensures that no one, not even Guerrilla Mail, can connect your IP address with that ephemeral email address.

Encrypting messages with webmail can be tough, however. It often requires the user to copy and paste messages into text windows and then use PGP to scramble and unscramble them. To avoid that problem, Lee instead suggests a different email setup, using a privacy-focused email host like Riseup.net, the Mozilla email app Thunderbird, the encryption plugin Enigmail, and another plugin called TorBirdy that routes its messages through Tor.

Instant Messaging

Adium and Pidgin, the most popular Mac and Windows instant messaging clients that support the encryption protocol OTR, also support Tor. (See how to enable Tor in Adium here and in Pidgin here.) But the Tor Project  is working to create an IM program specifically designed to be more secure and anonymous. That Tor IM client, based on a program called Instant Bird, was slated for release in March but is behind schedule. Expect an early version in mid-July.

Large File Transfers

Google Drive and Dropbox don’t promise much in the way of privacy. So Lee created Onionshare, open-source software that lets anyone directly send big files via Tor. When you use it to share a file, the program creates what’s known as a Tor Hidden Service—a temporary, anonymous website—hosted on your computer. Give the recipient of the file the .onion address for that site, and they can securely and anonymously download it through their Tor Browser.

Mobile Devices

Anonymity tools for phones and tablets are far behind the desktop but catching up fast. The Guardian Project created an app called Orbot that runs Tor on Android. Web browsing, email and IM on the phone can all be set to use Orbot’s implementation of Tor as a proxy.

Apple users don’t yet have anything that compares. But a 99-cent app called Onion Browser in the iOS app store offers anonymous web access from iPhones and iPads. An audit by Tor developers in April revealed and helped fix some of the program’s vulnerabilities. But Sandvik suggests that prudent users should still wait for more testing. In fact, she argues that the most sensitive users should stick with better-tested desktop Tor implementations. “If I were in a situation where I needed anonymity, mobile is not a platform I’d rely on,” she says.

Everything Else

Even if you run Tor to anonymize every individual Internet application you use, your computer might still be leaking identifying info online. The NSA has even used unencrypted Windows error messages sent to Microsoft to finger users and track their identities. And an attacker can compromise a web page you visit and use it to deliver an exploit that breaks out of your browser and sends an unprotected message revealing your location.

So for the truly paranoid, Lee and Sandvik recommend using entire operating systems designed to send every scrap of information they communicate over Tor. The most popular Tor OS is Tails, or The Amnesiac Incognito Live System. Tails can boot from a USB stick or DVD so no trace of the session remains on the machine, and anonymizes all information. Snowden associates have said the NSA whistleblower is himself a fan of the software.

For the even more paranoid, there is a lesser-known Tor-enabled OS called Whonix. Whonix creates multiple “virtual machines” on the user’s computer—software versions of full computer operating systems that are designed to be indistinguishable from a full computer. Any attacker trying to compromise the user’s computer will be confined to that virtual machine.

That virtualization trick underlines an important point for would-be anonymous Internet users, Lee says: If your computer gets hacked, the game is over. Creating a virtual sandbox around your online communications is one way to keep the rest of your system protected.

“Tor is awesome and can make you anonymous. But if your endpoint gets compromised, your anonymity is compromised too,” he says. “If you really need to be anonymous, you also need to be really secure.”

One of the revelations of the Snowden leaks has been NSA’s ability and willingness to access encryption keys so as to monitor communications.  Of all the revelations this has had the biggest impact on ISPs and other service providers in cyberspace.  Claims to consumers that their communications are secure and private were immediately compromised.  Having access to back doors in encryption programs or requiring designers to insert weaknesses that can be used by the NSA has had a massive effect on the cyberspace business community.  It spooked the big players and they lobbied the President and Congress. It was and is bad for business not to mention the civil liberties issues.  In that context Pro Publica reports in House Adopts Amendment to Bar NSA From Meddling With Encryption Standards h that Congress has taken tentative steps to interfere with encryption standards.

It relevantly provides:

An amendment designed to bar the National Security Agency from undermining encryption standards was approved by the House last night.

The move follows reporting last year by ProPublica, the Guardian, and the New York Times on the NSA’s efforts to weaken encryption, including by influencing the development of standards by the National Institute of Standards and Technology. The stories were based on documents provided by Edward Snowden.

 The amendment, sponsored by Rep. Alan Grayson (D-Fla.) and similar to one he advanced last month, bars the NSA from using appropriation funds to consult with NIST in a way that undermines security standards.

It still has a way to go before becoming law: While the House is expected today to approve the full appropriations bill that the amendment is a part of, the Senate would have to pass the same text, and ultimately President Obama would have to approve.

The amendment is separate from another one the House adopted last night that is designed to block the NSA from conducting “backdoor” spying on Americans by querying databases of foreign intelligence.

The voice vote on Grayson’s amendment, co-sponsored by Reps. Rush Holt (D-N.J.) and Zoe Lofgren (D-Calif.), was preceded by a few minutes of interesting debate among Grayson, Holt, and Rodney Frelinghuysen (R-N.J.), chairman of the defense appropriations subcommittee.

Noting that he did not oppose the amendment, Frelinghuysen nevertheless rejected what he called the “allegations” that NSA had meddled with encryption standards.

“The idea that NSA has deliberately sabotaged security is ridiculous,” Frelinghuysen said. “These folks know the threat we face and are helping to secure the Internet we all rely on so heavily.”

Grayson and Holt cited our reporting on the NSA’s efforts to undermine encryption standards.

A Grayson spokesperson cautioned it’s always possible that the NSA has a classified funding stream that could allow it to continue to meddle with encryption standards.

 

One Response to “Anonymity on line and privacy”

  1. Anonymity on line and privacy | Australian Law Blogs

    […] Anonymity on line and privacy […]

Leave a Reply





Verified by MonsterInsights