Anonymity on the Internet, Part 1: Anonymous Surfing

The first article of the series covers basic anonymous surfing tools and providers.


Tools of the Trade

Do not use your standard browser (profile) for anonymous surfing. If you use Firefox, you can easily [url=http://www.howtogeek.com/howto/internet/firefox/use-multiple-firefox-profiles-at-the-same-time/]create and use new profiles[/url] in parallel to your default profile. Even if you’re not a Firefox disciple, I recommend using Firefox in combination with [url=http://noscript.net/]NoScript[/url] (blocks JavaScript, Java, Flash and more) and [url=https://addons.mozilla.org/de/firefox/addon/4703]CookieMonster[/url] to only allow cookies for selected websites.
Disable all privacy related settings within your new profile. Set it to delete all sensitive data (history, cookies, cache) on closing.

IP Adress to Location

Use IP address to location lookup services to check your own IP once you’re anonymized, and to find out where providers/servers are actually located.
Quick Links: [url=http://www.ip-adress.com/ipaddresstolocation/]IP-Adress.com[/url], [url=http://www.maxmind.com/app/locate_ip]MaxMind[/url], [url=http://www.geobytes.com/IpLocator.htm]GeoBytes[/url], [url=http://www.hostip.info/index.html]HostIP.info[/url]

Anonymity Providers

Onion Routing

Depending on what you’re after, [url=http://www.torproject.org/]the Tor project[/url] might be a good start. Tor uses onion routing, which practically means that your traffic is routed through a set of other Tor nodes (“entry node”, “middle node”) before the last node (“exit node”) contacts your destination. In theory there are discovery attacks possible, but you’re fairly anonymous using Tor. Unfortunately, Tor is quite slow and only suitable for browsing [url=https://www.torproject.org/volunteer.html]unless more people start to donate (bandwidth)[/url]!
[url=https://www.jondos.de/]JonDos[/url] is the commercial successor of JAP (Java Anon Proxy). Similar to Tor, but they made a few different design decisions – check out Tor’s FAQ for more information. The most important difference is that they charge by traffic usage, and since a raid in 2005 have implemented some (rarely used) interface to facilitate criminal prosecution. I have not tried the new commercial version, but before that, speed was comparable to Tor.
Similar anonymous networks include [url=http://www.i2p2.de/]I2P[/url] and [url=http://freenetproject.org/]Freenet[/url], but they are somewhat outside of the scope of this article as their main goal is to create separate anonymous networks on top of the existing IP protocol.

Virtual Private Networks (VPN)

[url=http://en.wikipedia.org/wiki/VPN]VPN/Virtual Private Networks[/url] might be a better choice for those looking for higher speeds, or those who want their IP to originate from a particular country. Prices range from $5 to $50 a month, depending on the kind of service you want: Some allow to choose from a selection of countries, others guarantee broadband speeds. Among the most popular VPN-based anonymity services are [url=http://www.relakks.com/]Relakks[/url], [url=http://www.findnot.com/]FindNot[/url], [url=http://www.perfect-privacy.com/]Perfect Privacy[/url], [url=http://www.securenetics.com/]SecureNetics[/url], [url=http://www.bananavpn.net]BananaVPN[/url] and [url=http://www.swissvpn.com/]SwissVPN[/url]. Even comparable providers have differences in what they log, and for how long. SwissVPN for example has legal assistance agreements with the European Union (and possibly the USA), and is forced by law to log IPs for 6 months – the same goes for Relakks, although they promise not to give out this information without a law suit.
VPNs are easier to use than any other method, and all your traffic is routed through a server (one!).
Again outside of the scope of this article are anonymous SOCKS/HTTP proxies.

You have been warned…

Keep in mind: In any case, your traffic is rerouted through unknown machines. Depending on how much trust you lay into the ISPs hands, don’t send sensitive information without using HTTPS! This is especially important for routing networks like Tor, where (exit) nodes [url=http://nowonder.foldr.org:8080/roller/page/vs?entry=playing_with_tor]cannot[/url] [url=http://www.teamfurry.com/wordpress/2007/11/19/on-tor/]be[/url] [url=http://www.teamfurry.com/wordpress/2007/11/20/tor-exit-node-doing-mitm-attacks/]trusted[/url].
Most important (and most likely to be overlooked): Think twice about what you’re trying to achieve. If you buy a VPN account using your real name, and maybe even your credit card, you have to fully trust the VPN provider. Are you sure they will not give your account information away more carelessly than your current network provider?
Find out what country the VPN provider is located in. I’m not so sure I want to trust a service like SecureNetics, located “in a privacy friendly jurisdiction”, without any further information? Using IP to location lookup, you can at least find out that they’re hosted in Malaysia. [url=http://www.privacyinternational.org/article.shtml?cmd%5B347%5D=x-347-559597]Malaysia has serious problems regarding privacy[/url], but, depending on what you’re after, it might be a good choice compared to US or EU based companies.
In the next article I will talk about anonymous payments (yes, it is possible). That way, you can sign up and pay using fake information.

“Real” Anonymous Surfing

With the methods summarized above, all you can do is add one (or more) layers of security above your currently assigned IP. The first step would be to find out how much information your ISP is actually storing. For example, until 2009, when (and if…) the new German data rentention law kicks in and every telecommunications provider has to store IP data for 6 months, one of the largest ISPs in Germany, Arcor, does not store IP information – as soon as they assign a new one (on every disconnect), they have no way to match IPs to accounts. Similarly, the Deutsche Telekom (T-Online) is only allowed to store IP information for 7 days.
If you want real anonymity: Use internet cafés! At least in Germany, there are a lot of small seedy cybercafés. No video surveillance, you can use your own equipment, and you pay by cash – what do you need more? In case you don’t want to go outside, use open wireless networks. [url=http://docs.lucidinteractive.ca/index.php/Cracking_WEP_and_WPA_Wireless_Networks]WEP encryption is cracked within minutes[/url], but illegal!