So here I am, innocently writing a novel. Well, two novels plus a minor rewrite of a third. An issue arises: in addition to various supernatural shenanigans, this trilogy (at least?) also deals with government-agency shenanigans and issues relating to online privacy. This means…research. Figured I’d share some stuff with you guys.
Note: I could have included lots of links in this here post. However…I chose not to. First, I’m busy, and dictating it, and I’d have to add the links afterward due to software limitations. Second, you can Google (though I prefer StartPage) this stuff for yourself if you actually care, and that ought to be more convincing than stuff I cherry-pick. Third, I’m kinda lazy. It is what it is.
To Begin
There are a lot of snake-oil salesmen operating out there just lately. For example, you can Google “Onion Pi” (I’m not going to help their page rankings with a direct link here) and find quotes like “Browse anonymously anywhere you go with the Onion Pi Tor proxy” floating around. This is horse-puckey. Using this software (without understanding it fully and modifying your online behavior accordingly) is actually considerably worse than useless as far as protecting your privacy/anonymity goes. More on that in a bit.
Next, you can Google something like “BitTorrent Sync: The NSA-Resistant File Sharing Service You Might Have Missed” and find pages that sort of go with that headline. The catch? If anything, this sort of thing makes the NSA’s job easier in many use cases.
Want more? You can find VPN services like TorGuard (frankly I don’t understand the name) that purport to offer you a different sort of anonymity–the kind you get by paying someone else to fail to log your online traffic, and to protect their non-records from other interested parties. As far as I know they’re totally legit–but using them strongly implies that you trust them to keep your secrets (if any). So…do you trust them? Are you sure you know whom they’re working for?
Here’s Where I Get to Debunk Some Stuff
Okay, let’s start with the Onion Pi. What it will do (if it is configured correctly and if it works) is hide your IP address from the websites you browse to. (Oh, and it’ll also hide lots of stuff from your ISP, but not the fact that you’re using Tor, or how much data you’re up/downloading, or when you were doing any of it. And even this assumes there are no DNS leak issues, and no inconveniently revealing code on any of the sites you use, knowingly or otherwise.)
Unfortunately, this does very little to aid anonymity. I’ve spoken before about browser fingerprinting, and people tend not to believe me. Truth, though? You can go to this site and see just how much information your browser is currently giving to websites. Chances are good that you’re (at least potentially) uniquely identified. If you are logging into any sites whatsoever with information that can be tracked back to you? That’s likely to be logged, and combined with your browser fingerprint in a database. Therefore, there is almost certainly somebody out there selling information about your browsing habits. Chances are good, not that it matters for most advertisers, that they can identify you by name. Oh, and they likely have a mailing address. So what good did hiding that IP address do? There are ways around this–but routing traffic over Tor will do very little to help. It’s a useful piece of an overall strategy, but all claims of “anonymity” from this simple measure are bogus.
Actually it’s worse than that. The NSA (among, I strongly suspect, many other groups/agencies) specifically targets users of Tor software. Since Tor cannot automatically provide end-to-end encryption, and anyone at all can set up a Tor “exit node” (which you must use in order to use Tor at all), spying on the Internet traffic of Tor users is actually much easier to do than spying on traffic of people who didn’t buy claims of “anonymity” and are simply browsing the Internet normally.
Next? BitTorrent Sync. Again, this is a nice idea. But…the way this works, see, is that users’ computers share information between themselves. In order to do this, they must publicize their IP addresses and other information. There are some neat ideas built on top of this, like “SyncNet,” but as soon as you start using a network like this for anything other than sharing truly private and/or restricted information, you begin to publicize exactly which information you have chosen to download or view.
Okay. Now we come to a VPN, such as (as mentioned earlier) TorGuard. A VPN will hide your IP address. It will also encrypt all traffic between your computer or network and your VPN provider’s servers. If you believe your VPN provider about its no-logs policies, you can believe it will obscure your identity more effectively than a device such as the Onion Pi can manage (although with the same caveats about actual anonymity and fingerprinting).
Now I’ll Point out the Obvious
Decentralization is good, for reliable dissemination of online information. Having a single point of failure for anything, given the capabilities of our current technology, is pretty silly of us. Any attempts at gaining online anonymity and privacy that are based on trusting a company or government agency are…well, again they’re just silly.
Ideally? We would all start using something like BitTorrent for most internet traffic, only running it over a network something like Tor. Unfortunately, these technologies have a history of not playing well together. It’s not a technical issue, except for Torrent-freaks’ insatiable desire for bandwidth and the limited bandwidth currently available for users of Tor, given that all Tor nodes are currently free for all users–so there aren’t that many of them. As far as I can tell, it’s either a sense of competition or an example of the Not-Invented-Here phenomenon in the open-source software world.
Along with this we need web browsers that give out less of our private information. I believe they’re on the way. I believe current browsers are widely recognized to need improvement here. Should be fun to see what happens.
Here’s Where I Dive into Other Issues
Okay, you know that thing where you log into your bank’s website and something turns all green or otherwise reassures you that your connection is “secure”? More horse-puckey. Truth: your connection is encrypted. But who has the key to decrypt it? Enter a browser plug-in like “Perspectives,” which will actually give you some information about your encrypted session. Turns out ISPs, and some other companies, and hackers, will sometimes sit in between your computer and the Web server you think it’s talking to. Oh, and the NSA does this too. This is called a “Man in the Middle” attack, and they’re fairly common. Some are even carried out with what purport to be good intentions. So…we need systems to deal with this sort of problem as well.
I’m going to throw some stuff about Bitcoin in here too. Bitcoin, by design, is absolutely not “anonymous.” In fact, no Bitcoin transactions can occur in secret at all. That’s how it works. Worse yet? There aren’t that many Bitcoins, and–again by design–there never will be all that many. So if you’re buying or selling things with a value of a fractional Bitcoin, you’re not even using the Bitcoin protocol. Instead, you’re trusting an exchange provider of some sort with your money. And probably believing that something magical about Bitcoins protects you. This has already started work out badly for some people.
Are online virtual currencies a good idea? Yes, for privacy and anonymity. Bitcoin doesn’t really have what it takes to work for us in the long run, but people are jumping on the bandwagon because they don’t understand its limitations. I guess, even if they do understand, it’s still fine as long as enough other people are going along with it–sort of like the stock markets, right?
All that being said?
Tor is pretty nifty, if and only if used correctly. So is stuff like obfsproxy. And .Bit. And Bitcloud. Even BitTorrent Sync has its uses. VPNs are cool too, and could become more so if we had a truly anonymous online currency in general use. Hey, I love the cool tricks I can get my personal email server to do, too. There’s a Wild West of ideas out there right now, and many people are hard at work solving bits and pieces of our online privacy/reliability/redundancy/free-from-interference-and-monitoring issues. Sooner or later? They’ll start talking to each other a bit more, and more complete open-source systems will become available.
Nobody gets to decide whether this will happen–it has to. All we can decide is how we will react to it.
Now I’m Done
There is room for hope here, and some ideas along these lines are finding their way into the books I’m writing. I hope this has been at least vaguely interesting, because–after all–that’s what I’m here for: your entertainment.
My recommendation? Have fun out there!
Hey–for the interested, Paul Rosenberg made some good points about free services and who their customers are.
A word of warning, though: the Cryptohippie service with which he is associated, although it’s a very cool-sounding VPN service, suffers from the same reliability problem as any other VPN. You don’t know whether they’ve been compromised, or by whom, or to what extent. There are several potential areas of vulnerability, and there are no provisions for anonymous payment.
Rosenberg himself strikes me as an honest guy (FWIW), but he may not know those answers himself. In fact, he probably can’t.
I’m not sure I totally buy his argument against free services, or his arguments against using Tor either (from a different post); his bias seems clear.
Still. The guy’s worth reading, and on several topics. What else do you want from him anyway? {8’>
I sure enjoy your simple, but substantive, writing, David! I am pretty sick at the moment, so I skipped most of the text, but I saw the formatting (very good); possibly, just possibly, the main point of your rant (includes some annoyance perhaps?); and once again, the simplicity and humility with which you deliver it.
The stuff you are writing about makes me nauseous. I ain’t a techie, don’t wanna be a techie, and don’t really want to hear about it. In your case, I might have listened though if not for the personal circumstances today. (And yesterday and the day before.)
So thanks so much, and good work and good “luck” on your writing efforts, books and such.
p.s. Remember Edward Murrow the reporter of yesteryear — he is famous for ending every single broadcast with his deadpan and professional “good night; and good luck.” I love that.
I’d love to be compared to Edward Murrow more often. Or any of lots of other folks. Thanks! {8’>