Protection and Anonymity
By default, every Web site you visit collects information about you: where you are located, what kind of computer you are using, and which Web site referred you to a given page.
For instance, your own IP address is 18.191.81.46, your hostname is ec2-18-191-81-46.us-east-2.compute.amazonaws.com, and your browser signature looks like Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; [email protected]).
So is it possible to surf anonymously, or to provide a mechanism to protect users who wish to participate in an international campaign?
There are steps you can take to make yourself and your users more difficult to track, but nothing can guarantee security and anonymity online.
For instance, users may browse the Web through a “proxy server,” a second computer or software service that masks a user's identifiable information. Web services like Anonymizer or Tor are available freely on the Web and may allow users to circumvent local content censorship.
In a May 2001 survey by the Chinese Academy of Social Sciences, 10% of surveyed users admitted to regularly using proxy servers to defeat censorship.
The Six/Four System creates an encrypted, anonymous tunnel between two computers. It is designed to allow a user behind a firewall that restricts Web access to browse Web sites on the other side of that firewall. It is currently in beta.
Activists should also use an email provider they trust. Normal email is something like a postcard. Anyone can read it: your letter carrier, your nosy neighbor, your housemates. All email, unless encrypted, is completely insecure.
riseup.net and a coalition of other activist-run email hosts use StartTLS to encrypt connections between their servers, though connections to other servers without StartTLS are not encrypted.
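One way to see which server-to-server hops of a received message were encrypted is to read its Received headers, where servers that follow RFC 3848 record a protocol keyword such as ESMTPS when the connection used StartTLS. The Python below is an added example, not code from this page or from riseup.net; the sample message, hostnames and function names are constructed for illustration.

```python
import email
import re

# "with" keywords that RFC 3848 defines for transfers protected by TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+([A-Za-z0-9]+)", re.I)

# Constructed sample message: every hostname, address and id is made up.
SAMPLE = """\
Received: from mx.activist-host.example (mx.activist-host.example [192.0.2.10])
\tby mail.recipient.example with ESMTP id AAA111
\tfor <friend@recipient.example>; Thu, 19 Jan 2006 18:30:05 +0000
Received: from relay.activist-host.example (relay.activist-host.example [192.0.2.11])
\tby mx.activist-host.example with ESMTPS id BBB222;
\tThu, 19 Jan 2006 18:30:03 +0000
Received: from laptop.local ([198.51.100.7])
\tby relay.activist-host.example with ESMTPSA id CCC333;
\tThu, 19 Jan 2006 18:30:01 +0000
From: someone@activist-host.example
To: friend@recipient.example
Subject: test

body
"""

def audit_hops(raw_message):
    """Return (sender, receiver, protocol, encrypted) per hop, oldest hop first."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Each server prepends its own Received line, so the last one is the oldest.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # undo header folding
        m = HOP_RE.search(flat)
        if not m:
            hops.append((None, None, None, False))  # unparseable: assume plaintext
            continue
        proto = m.group(3).upper()
        hops.append((m.group(1), m.group(2), proto, proto in TLS_PROTOCOLS))
    return hops

def plaintext_hops(raw_message):
    """Hops that did not record a TLS-protected transfer."""
    return [hop for hop in audit_hops(raw_message) if not hop[3]]

if __name__ == "__main__":
    for sender, receiver, proto, encrypted in audit_hops(SAMPLE):
        print(f"{sender} -> {receiver}: {proto} ({'TLS' if encrypted else 'PLAINTEXT'})")
```

Received lines are written by each relay and earlier ones can be forged or omit the keyword, so the result is a hint about the path rather than proof that a hop was encrypted.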
Users can also use an email client with encryption to make their messages more difficult to snoop, though this would not address a case of entrapment in which the government lured citizens to an arrest via email communication.
Still, some security is better than none. There are some basic things an online campaign could do, such as serving the site through an encrypted Web connection (aka Secure Sockets Layer). The technique is commonly used by e-commerce sites to protect users who make credit card transactions online. Some NGOs and activist groups use this method to protect email access via a Web-based interface.
However, while this may protect against general snooping, a more targeted effort which gains access to a network could use other techniques like ARP Poisoning to monitor or “sniff” traffic.
Any of these techniques would also be defeated by keystroke logging, which records all keystrokes to a computer independent of the security of the Internet connection. In most cases installing a key-logger requires physical access to a specific computer (as the F.B.I. has done to prosecute the mafia in the United States), though the F.B.I. has admitted the development of a software-based key-logger called Magic Lantern which may be installed remotely. Cheap hardware key-loggers are available commercially.
Security may also be enhanced by notifying users of security risks. Sensitive information sent via “free,” commercial email providers or from a public cybercafe may be easier to monitor, particularly in countries where cybercafes are registered by the state. Commercial email providers may turn over records to state agencies freely — even without a formal subpoena.
A Web site for homosexuals in Saudi Arabia provides their visitors with some basic advice on how to protect themselves:
- Do not use your real name.
- Use a secret or confidential e-mail address.
- If someone offers to meet you, be careful.
- Do not give your home address to anyone.
- Do not give your phone number to anyone. [source]
Last modified on January 19, 2006 6:32 PM