What is this guide?
In this day and age, the relationship between threats to privacy and solutions developed for its protection can only be compared to a high-speed car chase.
As soon as a new attack method becomes publicly known, new products and services promising protection specifically against this attack start popping up like mushrooms after a rain. And this is just the visible part. Behind the scenes, many (and the most sophisticated ones) of these attacks come from the government agencies, and many of the oh-so-secure solutions are deliberately flawed, due to, again, Big Brother’s involvement in the development process.
There is, however, a bright side to this. While it’s easy to get overwhelmed by the large number of specific technologies, product names, and attacks with their own logos, the main principles behind the threats and the ways to protect against them remain the same. In this guide, we will bring some clarity into the matter, by explaining:
- What privacy is and how it is different from security and anonymity
- Why protecting privacy became a matter of such magnitude
- What are some of the basic steps that could be taken to make your online presence less visible
- What specific solutions are out there to provide you with the adequate level of protection
We will also point you towards some resources that can help you in making educated privacy-, security-, and anonymity-related choices.
It’s important to distinguish between Privacy and Security as pertains to personal data. While both go hand in hand and are related to protecting information, there is an important difference that needs to be understood before we go any further. Security is about protecting data from unauthorized access.
Privacy is about data collection and use. Why is it important to understand the difference? Because when we say that an Internet product or service is “secure”, it does not necessarily mean that it also the best in terms of protecting privacy. A good example: Google Chrome is arguably the most secure popular web browser. On the other hand, privacy is not something that Google is rigorously trying to protect. Quite the opposite: privacy is the price you pay for using Google’s free services. In other words, as Apple’s Tim Cook colorfully put it, “You’re the product”.
There is a constant trade-off between convenience (or, in a business setting, productivity) and security: a more secure way of performing a certain task (such as creating different complex passwords for each of your accounts instead of using “password123” for all of them) almost always means that accomplishing it will be associated with extra effort and/or resources (juggling multiple passwords by memorizing them or investing in a password management software).
Similar trade-off exists between convenience and privacy: you normally don’t have to pay anything to browse the Internet, but you are also leaving your personal information up for grabs for pretty much anyone who is interested (and, as we will discuss later, many are interested, many more that you think).
While the relationship between security and privacy is different in that more security does not necessarily mean less privacy, we often face a dilemma when entrusting our information to third parties: they promise to keep my data secure, but who are they sharing it with, either willingly or when forced to do so?
This is another pair of terms that we can often see used interchangeably. They are, however, very different, and the difference is quite simple really. Imagine a private balcony: it is private, because no one but you can use it, but when you come out to this balcony, everyone can see that it’s you. Apply this to Internet privacy: private browsing means that no one can look into your online activities, but it does not mean that no one knows that this is you who is browsing the web. This is what anonymity is for. Think of it as blinds for your private balcony.
In the context of online privacy and anonymity, it’s all up to you and your specific needs. A recent poll shows that 87% of Internet users would prefer to stay anonymous. You can have either or both, and later in this article we will discuss some of the best ways of achieving the desired outcome.
Who needs privacy, anyway? How about everyone? You wouldn’t want anyone to be going through your drawers, why would you allow someone to go through your personal data? The question of protecting Internet privacy became a topic of intense discussions due to a combination of two issues: that personal information became a commodity, a highly valued and intensely traded item, and that the government employs very sophisticated but not very honorable practices to snoop on the citizens, some foreign, but mainly their own.
Commercial use of personal data goes way beyond your preferred grocery store sending you coupons based on your shopping habits. Facebook and Google make more than 90% of their money from advertising, and the way their ads are selected is based on the data collected from their users. Facebook’s interest-based advertising model utilizes information about the users’ age, gender, location and interests. Google collects data related to users’ browsing history for purposes of targeted advertising.
But at least online platforms like Facebook and Google offer something in exchange for the data collected by enhancing the user experiences. Data brokers don’t offer squat. They just take your personal data and sell it to whoever wants to buy it (including the government). They are part of a multibillion dollar industry with players like Acxiom, which claims to have, on average, 1,500 pieces of information on more than 200 million people in the US. One may think, what’s the big deal? Advertising companies will know that I’m looking for a new TV, so what? Maybe I’ll get a better deal. Maybe you will. You may also get your credit limit reduced based on the establishments where you’ve recently shopped. Or, you may see fewer ads for high-paying career services, if you are a woman.
Or you may have
agents of an anti-terrorism task force knock on your door one morning to casually look through your belongings and discuss why you were searching for “backpack” and “pressure cookers”.
When government gets involved, it gets really scary. As documents revealed by former intelligence contractor Edward Snowden demonstrate, the US National Security Agency (NSA) and its UK counterpart Government Communications Headquarters (GCHQ) have been actively using their nearly limitless resources to “maintain unrestricted access to and use of cyberspace”.
Their web is cast wide: from blanket phone surveillance to hacking SIM card manufacturers to compromising the very foundation of the Internet security and privacy: encryption (we will talk about it later). People all over the world demand privacy, but the governments are not willing to cooperate.
Last but not least, don’t forget about cyber criminals. Needless to say that your most sensitive information, such as credit card numbers and bank account credentials would present a valuable target, but this isn’t exactly something you would post on Facebook anyway, right? Yes, but virtually any type of personal information is worth something to criminals.
They can start with an email address that can be sold to spammers for a fraction of a cent (which adds up to a considerable sum if a large database containing millions of emails gets compromised) or used to send phishing emails in order to piece together enough information for a successful identity theft. It doesn’t take all that much (your date of birth, names of your children or pets, your favorite vacation spots, etc.) to answer the security questions you’ve selected to protect your account or to trick an overly helpful help desk employee into changing your password. Identity theft affected 17.6 million Americans in 2014, resulting in $15.4 billion financial loss. Or, a much more simple scenario: your house gets broken into while you are on vacation, and on top of that your insurance company denies your claim because of all the selfies you posted on Facebook, letting the burglars know that you are away.
Scared yet? You should be. And most people are, if not scared, then at least concerned with the current state of the Internet privacy and security. A 2015 research shows that 93% of adults recognize the importance of being in control of who can get information about them, while only 6% show confidence in government agencies keeping their records private and secure. Another study shows that 86% of Internet users have already implemented some measures to reduce their digital footprints, such as clearing browser data or using VPN services. This is an encouraging statistic, however, the more relevant the matters of Internet privacy, security, and anonymity are becoming, the more related services and products start popping up everywhere, presenting users with another important question: how to chose the right solution for my privacy, security, and anonymity needs?
Current Internet Privacy Rules
As it has become clear from the latest news, the internet privacy rules we followed before have just run their course. A set of newly-accepted regulations exclude the term net neutrality.
All the US internet providers have been classified as common carriers, which has afforded ground for the FCC restrictions imposture on providers that claimed to make the internet private and free for their clients. Today the providers are forbidden to throttle traffic from specific websites, as it used to be before. Some of the well-known providers, such as CCV can’t make its own video content loading faster than a Netflix’s one.
However, there are some boosting privacy rules, which though haven’t been accepted yet, that are to make providers ask for permission before collecting any metadata on its customers or sharing the information. Up to the moment the rule-making process is completed, all the netizens should set sights on their online privacy.
What does internet privacy stand for?
Everyone surf the internet, however very few know what internet privacy is. A special focus should be based on maximization of ‘computer’ privacy online.
Being a very extensive term, internet privacy includes a variety of factors that refer to security of any personal data published via the internet and all the possible measures and technologies for the data protection.
If speaking about the importance of online privacy, it should be said that as long as the number of devices per head of population has reached unbelievable results, such as up to 20 devices in developed countries, the issue is as critical as your life protection.
Primarily, internet privacy issues alarm business owners, IT services providers like e-commerce, because there is highly confidential data on the line. All internet customers today should be concerned about privacy violation and all the threats coming from information falling into cybercriminals hands. Regardless your network needs, such as visiting social networking sites, online purchase making, online games participation or business transferring, you need to take steps for protecting your internet privacy against multiple risks.
What are the reoccurring risks of internet privacy?
Being interested in staying ahead of the curve you need to limit your data exposure on the internet, which can compromise your credit card data or scuttle a deal you’ve been on a course for several years. When trying to protect your data and information you need to study a question from all sides.
Reading such articles as ‘which windows re-tool is considered to be the least intrusive’ is not enough in case you want to achieve sure-enough internet privacy for all your devices and IoT apps. Among all the diversity of internet threats the most alarming are focused on infringing internet privacy. Such dangers as phishing, pharming, spyware, malware are run to steal user’s data for manipulation or profit making. While staying on the internet to read a new internet privacy bill or privacy laws you can come up to enclosed internet privacy threats that are to make your ‘privacy’ publicly available.
Before we get into the nitty-gritty of privacy protection, it’s important to get a better understanding of the terminology and concepts related to information security. One of the main principles that information security professionals follow is to “think like an attacker”. We, as consumers, have reached the point where we, in turn, have to think like information security professionals, because we need to protect our personal cyberspace from a wide range of adversaries described above. Experience shows that the best cyber security strategy is risk-based. To choose right solutions based on risk, you need to have a good understanding of your threats and vulnerabilities. You may see these terms in various resources, so it would probably make sense to address them in simple terms.
A threat is something that can cause a harm to you or to something that you value. You have no control over threats, they are the outside forces that may affect you in some way. NSA, data brokers, and cyber criminals are all examples of threats to your online privacy.
Vulnerabilities are weaknesses that can allow threats to do their evil deeds. If you don’t have an anti-virus software installed on your computer, you are vulnerable to viruses and other nasty things that can infect your system. There are many ways to research and identify vulnerabilities. One of the recent promising developments is Vulners, a growing database with a convenient search engine-style interface that contains various information about published vulnerabilities and exploits as well as latest security patches for popular operating systems.
Finally, a risk is where a threat and a vulnerability come together and cause some damage, or an impact. Having to pay $500 for a ransomware demand is a risk. We won’t go too deep into discussing risks, the most important thing to take out of this is that, as opposed to threats, risks are something you can, and should control. The best approach to protecting your online privacy is to identify your threats and vulnerabilities, and, based on that information, create your risk profile and deal with the risks appropriately. You cannot tell your ISP to stop monitoring your Internet traffic. You can use VPN to make it impossible for them to do so.
Feeling a little “cyber-educated” already? Good. We’re just getting warmed up. Next, let’s go over some of the things we are actually trying to protect when we are talking about protecting privacy.
Or, more importantly, what can your browser tell about you to someone who asks? Quite a bit, actually. Here are some of the things included in what we usually refer to as “browser data”:
- Browsing and Download history. Pretty self-explanatory: a log of URLs you have visited, along with dates and times for each visit.
- Cache. A temporary storage where your browser keeps some files that allow websites to load faster (images and other multimedia content, CSS style sheets, HTML files, etc.)
- Cookies. Small text files stored by browsers containing various user-specific information. They are generated when a website is visited and may contain all kinds of data, such as shopping cart contents, user preferences, and even authentication information, such as session tokens. This makes cookies a valuable target for cyber criminals, with various attack methods developed specifically for stealing or manipulating cookies.
- Tracking cookies are different in that they don’t just store data, they actually use it for cross-site communication. For example, an advertising vendor can place a cookie on your computer when you are visiting website A. When you go to website B, another vendor, affiliated with the one that placed the cookie on your computer, can see that you have visited that website and serve you ads based on that knowledge. If this isn’t a violation of privacy, then I don’t know what is.
- Flash cookies (or LSOs – local shared objects) are yet another species, which typically store the Adobe Flash-related content, but can also contain user-specific data, just as the normal cookies. LSOs are stealthier than the previous two types, because they are a) created and stored without the user’s knowledge, and b) are not affected by the browser data deleting options provided by the browsers. One of the ways to delete Flash cookies is to go to the Macromedia website and select the “Delete all sites” option to delete all cookies.
Note: The Settings Manager that you see above is not an image; it is the actual Settings Manager.
Click the tabs to see different panels, and click the options in the panels to change your Adobe Flash Player settings.
To disallow creating Flash cookies in the future, switch to “Global Storage Settings panel” tab, drag the slider all the way to the left, and un-check the boxes for “Never ask again” and “Allow third-party Flash content to store data on your computer”.
Note: The Settings Manager that you see above is not an image; it is the actual Settings Manager.
Click the tabs to see different panels, and click the jptions in the pfnels to change your Adobe Flash Player settings.
Note that this will prevent Flash-based content on some websites from loading, however, most websites are moving away from using Flash anyway, and Chrome plans on phasing out Flash support almost entirely by the end of 2016.
Another way of getting rid of Flash cookies is by using the BetterPrivacy add-on for Firefox.
Cookies are such a major security and privacy concern that websites operating in EU or serving content to EU citizens are now required by law to ask users if they agree to cookies before the site begins using them.
There may be other types of information collected and stored by the browser, such as form and login data. All in all, tons of information about your browsing habits and activities, so it is a good idea to clear your browsing data often. For better privacy protection, clear your data every time you close your browser. Most browsers have a setting for deleting at least some of the browser data automatically on exit. Firefox allows its users to delete all history and data when quitting a browsing session.
To automatically clean all private data in other browsers, you may need to use third-party plug-ins or extensions. We will cover some privacy plug-ins later.
- Web beacons. Cookies are just one of the several “third party tracking technologies” used to keep and eye and share your browsing activities. Web beacons (also known as pixel tags, tracking bugs, or pixel gifs) are tiny clear pixel-size images that notify the server when a web page with the image is loaded. When embedded in an ad, it will provide the advertising vendor with the information about users who viewed this ad. Tracking pixels are often used in emails as a way to notify sender that their message was opened by the recipient (this is one of the reasons that most email clients do not load images automatically if the email is not from a trusted sender).
Mozilla Firefox now features tracking protection, which blocks third party tracking content based on the domain the content originates from. If tracking protection is enabled, content embedded by third-party trackers will not be visible when you load the website, thus preventing the site from using third-party advertising or analytics services that engage in cross-site tracking. At the time of writing, tracking protection is enabled by default in Private Browsing mode. To enable it for normal browsing, you need to go to Preferences → Privacy settings, click “manage your Do Not Track settings”, and check the Use Do Not Track box.
Let’s get something out of the way, since we mentioned Private Browsing, or, as it is called in Google Chrome, “incognito mode”. Despite the name (and the fancy icons), it actually does very little to protect your privacy. If you actually care to read the disclaimer displayed on a newly opened incognito tab in Chrome, it says it all right there:
What? What does it do then? Not a whole lot.
Browsing history and cookies are not saved during your private browsing session, and it is a way to avoid tracking. It basically hides your activity from the device you are using, but not from any external entities that might be monitoring it. So, while incognito mode would be useful for shopping for an anniversary present for your better half if you don’t him or her to find out, but it is pretty useless in terms of protecting your online privacy from being monitored by, say your Internet Service Provider (ISP), which is the topic of our next section.
Metadata and ISPs
Most of the private data we discussed above is not that easy to collect, and generating some of it may be easily avoided with such simple measures as opening Private Browsing window or tab. However, for monitoring your online activities, this data is not actually all that important. Some ISPs will go to extreme measures and insert their own SSL certificates, thus effectively performing a man-in-the-middle attack to capture your encrypted communications. But this is not a common practice and no, “monitoring” does not mean a person sitting in front of a screen with all your activity scrolling down right before his eyes. What ISPs mainly do is collecting metadata.
The most simple and correct definition of metadata is “data about data”. So, while your ISP cannot normally see what values you filled in into a certain form on a certain website, or read your emails (it is not impossible for them to do, but will require significant effort and involve some legal complications), they can easily see the IP addresses and port numbers in your web traffic. Metadata can provide ISPs with a lot of insight into the type of activities you are engaged in (sending emails, streaming media, downloading, etc.) Specific technologies exists that are aimed at identifying types of Internet traffic, allowing ISPs to differentiate between P2P file sharing, gaming, instant messaging, and other online activities. Once a certain type of activity is identified, some ISPs may throttle, or slow down your Internet speeds. This practice is known as traffic shaping, and is most commonly applied if the use BitTorrent is identified (even though using BitTorrent is not illegal). In the US, providers like Comcast, Cox, and Verizon have been caught interfering with their customers traffic.
Aside from throttling, what else does ISP do with your personal browsing data? Sell it, of course! The US Federal Communications Commission (FCC) has proposed new data privacy rules for ISPs, which are meant to apply some restriction on using customer data, however, at the time of writing these rules are still in the comment seeking stage.
ISPs have been notoriously opaque in disclosing their monitoring and data sharing practices. One thing is for certain though: they will happily turn over your private Internet data to the government agencies, if requested. How long is your data is stored for by the ISP? It is not clear, for ISPs are privately own entities and are not required to disclose such information, however, some experts estimate the retention period of six to twenty four months.
So, with such scope and depth of monitoring and collecting of our browsing data that ISPs are able to accomplish, what can you do to protect you privacy? Going back to our risk conversation, it all depends on what exactly are you trying to protect. If your main concern is preventing anyone from seeing the actual content of websites you are visiting or reading your emails, then reliable encryption is all you need. If you don’t want your ISP to see anything you do online (in other words, if you don’t want the metadada to be collected), go with VPN. For a complete anonymity, you would need something like Tor. We will discuss all three approaches in much more detail in the following sections.
A small disclaimer first: the subject of encryption, while fascinating and necessary to be covered in this article, is also vast and quite complex. We will leave topics like full-disk encryption and file encryption for later discussion and focus on aspects that are closely related to online privacy and security: encrypted browsing and encrypted email.
At its core, the goal of encryption hasn’t changed since it’s first known use 4,000 years ago. Encryption provides a method of delivering a message to intended recipients in a way that only they can understand it. So, if the message is intercepted by someone other than an authorized party, all they get is a bunch of indecipherable gibberish. What changed are the methods of encryption.
The constantly increasing computational power truly is a double-edged sword: it makes implementing stronger cryptographic algorithms more applicable for real-life usage, but at the same time enables more sophisticated attacks on encryption. Two general approaches to attacking encryption are brute-forcing and looking for weaknesses in the underlying cryptographic algorithm, or cipher.
Brute-forcing and Key Length
Picture a burglar with a large key chain, methodically trying each key to see if one of them would fit the look on the door he is trying to open. This is the idea behind brute-forcing attack (also referred to as exhaustive key search): trying every possible combination of characters or data to determine which one would produce the key for decrypting an encrypted message.
With our burglar, the more keys are on his key chain, the longer it will take him to find the right one. With encryption, the amount of time needed to break the encryption is mainly determined by the key length (or key size): the number of bits in a key that a cipher is using for encryption. Bits are 1s and 0s, and you can do a quick math to see how many combinations are possible for a very short keys. For a 1-bit key there are only 2 possibilities: either 1 or 0. For an 8-bit key, there are already 256 possible combinations (this number is referred to as key space). An old cryptographic algorithm, DES, used 56-bit keys, with the key space of 7.2 x 1016 (this is 72,000,000,000,000,000 possible combinations).
Once we get into triple-digits though, the numbers become truly astronomical. A 128-bit key has 3.4 x 1038 possible combinations, and for a 256-bit key the key space increases to 1.1 x 1077. If you are having a hard time grasping the true magnitude of these values, we’ll give you a quick comparison: the key space of a 128-bit key is roughly equal to the number of grains of sand on Earth… times 68,000,000,000,000,000! It may seem like even a 56-bit key is more then enough.
However, it took less than 24 hours to break DES encryption by brute forcing back in 1999. Needless to say, DES is no longer considered secure, and the AES algorithm, which uses 128-, 192-, and 256-bit keys is the current cryptographic standard. And 256 bits may be an overkill, even with the modern computational powers. Here is an excerpt from a Seagate white paper on the 128-bit vs. 256-bit key debate:
So, I’m pretty safe with the AES 128-bit encryption then, right? Sure. Except…
Ciphers, NIST, and NSA
As we mentioned earlier, another (more effective) approach to attacking encryption is to find a weakness in the cryptographic algorithm itself. Successful academic (theoretical) attacks on AES have been researched, but, despite being better than brute-forcing, those attacks are still far beyond currently available computational capabilities, and, by the researchers’ own admission, “pose no immediate threat for the real world applications that use AES”. Seemingly, there is nothing to worry about. However, yet again, we’re circling back to NSA. Documents leaked by Edward Snowden revealed some disturbing information about companies like Microsoft collaborating with NSA to circumvent their own encryption. But NSA’s involvement in cryptography matters goes much deeper than that. The US National Institute of Standards and Technology (NIST), the very institution behind development and validation of DES, AES, as well as other encryption (RSA) and hashing (SHA-1 and SHA-2) algorithms, while denying any accusations of deliberately weakening cryptographic algorithms, at the same time readily admits NSA’s participation in the NIST cryptography process. After a deliberately flawed Dual Elliptic Curve Deterministic Random Bit Generator was distributed by RSA Security following a secret $10 million deal with NSA, such denials are hard to take as sincere.
HTTPS and PFS
When we talk about encryption in the context of Internet privacy, we generally refer to SSL/TLS, or, more specifically, its implementation in HTTPS (as in HTTP over SSL or HTTP Secure). HTTPS establishes an encrypted connection between your web browser and the website (and the web server hosting it), thus preventing the content of communications from eavesdropping or unauthorized modification. HTTPS also authenticates the website to your browser: proves that it is really the website you were going to visit, not a fake website someone created to steal your information. Authentication is performed via use of Digital Certificates, which act as sort of passports issued to the website by a trusted Certificate Authority. When you are securely connected to a website via HTTPS, you expect to see connection information similar to the image below:
With certificates being either very affordable or free, there is virtually no reason for any website not to use it and provide security and privacy for its visitors. However, for various reasons many websites are still use insecure HTTP protocol, or, even with HTTPS enabled, either default to HTTP or place HTTP links on encrypted pages. There is not much we can do in the first scenario (other than contacting the website owners directly or simply avoiding using such sites). To resolve the second issue, there is a browser extension developed by The Tor Project and Electronic Frontier Foundation. It is called HTTPS Everywhere and is available for Firefox, Chrome, and Opera.
With all the security and privacy benefits of HTTPS, it is not flawless. In 2014, the discovery of “Heartbleed”, a vulnerability in a widely used OpenSSL software, put 2 out 3 servers on the Internet at risk of disclosure of sensitive information, such as session cookies and unencrypted login credentials. Another serious threat to SSL certificate implementation comes from (you guessed it) NSA and GCHQ, which, with their unlimited resources, were actively looking into cracking certificate private keys.
Perfect Forward Secrecy (PFS) offer protection from both Heartbleed and private key compromise. If a web server supports PFS, a compromised certificate could not be used to decrypt past communications, because a key generated for each session cannot be derived from the server’s private key. This blog post provides a detailed explanation of PFS.
So, all things considered, does encryption provide sufficient security and privacy protection? Again, it depends. Despite all the NSA involvement, the math behind popular cryptographic algorithms is solid, so by all means you should use strong encryption for your Internet activities to protect your data against eavesdropping. As far as privacy goes, as we mentioned earlier, encryption will only protect the content itself, not affecting the metadata. If you want your ISP to remain clueless about your online habits, you should use VPN.
First thing first: in this article we will be discussing the commercial (or consumer) VPN services, rather than corporate VPNs, which are used to ensure a secure connection to the company’s internal network from the outside. While both are based on the same principle, the goals and the implementation are vastly different, so we need to make the distinction clear before we go any further.
What is VPN?
VPN (Virtual Private Network) is an abbreviation that implies a technology that permits one or several network connections over another one, for instance, the Internet. The main goal of the up-to-day technology is to supply customers with privacy, security and anonymity. It was developed about fifteen years ago, but achieved great success just in several years.
If you ever heard the term “VPN tunnel”, it actually paints a pretty accurate picture of what VPN is. You computer is on one end of the tunnel, the VPN server (owned by your VPN provider) is on the other. All your Internet activity happens inside that tunnel, invisible to anyone other than you and the VPN server.
Why Use VPN?
For some of the reasons we’ve discussed earlier, as well as many others.
If you want to hide your activity from ISP, VPN is here to help. Your ISP will only see that you are connected to the IP of the VPN server. That’s it. No metadata for you! Of course, they can still measure your bandwidth, but they have no insight into the ports you are connecting to or the protocols you are using, so they cannot throttle your internet speeds based on that data. Plus, they cannot sell your data or hand it over to the authorities, because… well, they just don’t have it!
If you want to circumvent geographic restrictions for using certain online services (e.g., watch Italian Grand Prix from Estonia), VPN can help here as well. Most VPN providers offer servers in different parts of the world. To the rest of the Internet you appear to be from wherever your VPN server IP places you.
The privacy that VPN offers is enabled by encryption, and encryption, as we already learned, provides security. Breaking into the VPN tunnel to steal your information is just as hard as it is to spy on you. So, if you are connecting to a public Wi-Fi hotspot via VPN, you don’t have to worry about this guy in a hoodie stealing your credit card information.
- Using VPN will slow down your Internet speed. There is just no way around it. The signal has to travel that extra distance between your device and the VPN server (which may be located on the opposite side of the globe). The difference may be barely noticeable, but it will be there. So, if you are not that concerned about privacy or ensuring encrypted communications, and the only thing you are trying to do is to watch BBC from outside the UK or circumvent content restrictions existing in many other countries of the world, maybe you should consider a smart DNS proxy, whose only purpose is to selectively route the traffic through a proxy server located in the area where the regionally-restricted content is accessible.
- Your ISP cannot see anything you do, but your VPN provider can. Remember, the VPN provider is on the other end of that tunnel, looking in. Consider this carefully before choosing to go with the VPN service, and make sure to evaluate the ratings and reputation of your potential service provider.
- VPN costs money. Yes, there are free VPN services out there, and some of them may actually be safe to use. Or you may end up with your computer being used by crooks. Even if a free VPN is legit, the range of features will most likely be very limited. VPN providers build their businesses around protecting privacy of their customers, and their services are usually very affordable.
- VPN does not provide anonymity. Unless you go some extra distance (such as paying for VPN service anonymously and connecting to VPN via Tor, which we will discuss later), your VPN provider knows who you are, and where you are from. VPN is all about privacy, always keep that in mind when identifying your risk profile.
How to Select a VPN Provider
Yet again, first you need to decide whether you need a VPN service at all. You probably do, so the next step would be to figure out which features matter to you most. BestVPNRating includes ratings of VPN services based on their intended usage, e.g., Best VPNs for Netflix or Best VPNs for Torrents, P2P and File Sharing. So, the next step would be to go online (in what may be your last non-private connection) and read reviews of VPN service providers on websites such as BestVPNRating. There you will find helpful guides that will point you in the right direction when loking at different providers, as well as a detailed description of the features and services offered by each VPN service, including:
- Pricing. While an important factor for many, VPN services tend to be very affordable, averaging at a cost of 1-2 cups of coffee per month (usually with options to pay annually for a discounted rate). So, with the prices not differing greatly, what you should be looking at is what you are getting for your money, which are all the things listed below.
Many VPN services offer free trials or even “freemium” plans, meaning that you can get basic access for free, but would have to pay if you want to upgrade. Those plans are usually very limited in functionality, but can give you a good idea of the overall usability of the provider’s service and software.
Another important thing is payment options, the more variety the better. If anonymity is important, you should look for a provider that accepts Bitcoin payments (we will discuss crypto currency later).
- Location and number of servers. Obviously, the more, the better. If you are into torrenting, try finding a provider with servers in Netherlands, which is basically the torrenting capital of the world. Even having multiple servers in the same country matters: going back to our earlier example, if you want to watch Italian Grand Prix from Estonia, you should select a server in Italy, but the closest one to you, so maybe in Milan rather than Rome.
- Privacy and Security Features.
- VPN protocols. Something we haven’t talked about yet, but probably should. Her is a brief overview of the three commonly used VPN tunneling protocols (also refer to these articles for additional information):
- PPTP. Point-to-point tunneling protocol is the oldest and the least secure protocol. The only advantages of it is that it is easy to set up and that it may offer slightly higher speeds due to weaker encryption. Multiple security vulnerabilities had been found in PPTP over the years and it has almost certainly been cracked by the NSA. If this is the only protocol offered by the VPN provider, you should probably keep looking.
- L2TP. Layer 2 Tunnel Protocol does not offer any encryption natively, so for a secure implementation it is used with IPsec encryption. While certainly more secure than PPTP, L2TP has some downsides. NSA is allegedly working on cracking IPsec (even though there is nothing concrete on this yet). Another disadvantage is that L2TP always uses the same UDP port 500, which makes it much easier to identify and block.
- OpenVPN. This newer protocol is based on open-source technologies: OpenSSL encryption library and SSLv3/TLS v1 protocols. It is highly configurable and, if used with AES encryption instead of Blowfish, it is the most secure out of the three. The main downside is that, unlike PPTP and L2TP, OpenVPN requires a third-party application as it is not integrated into most popular operating systems. Still, a small price to pay for privacy and security. You should definitely look for a VPN provider that offers OpenVPN.
- Encryption. You really shouldn’t settle for anything lower than 256-bit. Period.
- Logs. Now here is what it gets a bit complicated. Obviously, you should look for a service that does not keep any logs. If there are no log, there is nothing for the VPN provider to share with other parties. However, there are a few things to keep in mind here:
- Even a comprehensive VPN review site, such as BestVPNRating, has no way of verifying this particular piece of information. If the VPN provider says that no logs are kept, then this is what everyone has to believe. If you are concerned that you activity may be subject of investigation from local authorities, it may be worth contacting the VPN provider directly and obtain more information about their log keeping practices.
- “No logs” generally means “no connection logs” or “no traffic logs”. VPNs are fairly complex IT infrastructures, so some kinds of logs must exist somewhere. They may not contain any user-related data, but that should be made clear by the VPN provider.
- Pay extra attention to the VPN provider’s main location. In the US and the UK, communication services can be compelled into cooperating with authorities, and most of them choose to keep logs to avoid legal complications (however, there are exceptions to this rule).
⚑ BestVPNRating put together a review of Best Logless VPN Services.
- Shared and Dedicated IP Addresses. There are advantages and disadvantages to both, so you should choose a provider that offers the one that fits your needs, or both.
- Shared IPs. This means that one IP address is shared among multiple users. It is a feature offered by most VPN services and provides an important privacy benefit: if a certain activity will attract interest of the authorities or other parties, it would be impossible to tie it to a specific user. The downside of shared IP addresses is the so-called “bad neighbor effect”: other users’ activities may get the IP address blacklisted, or it may simply be a matter of too many people using Google search at the same time from the same IP (which makes it look like spam). In this case you may be hit with CAPTCHAs:
- Dedicated IPs. Also referred to as “static” or “private” IP addresses, those are not offered by all VPN providers and will most likely cost you a bit extra. As the name suggests, you are assigned a dedicated IP address that no one else uses. This takes care of the “bad neighbor” issue, and may offer higher speeds (since you are not sharing bandwidth with anyone), but also decreases the privacy: all activity can be tied to this one specific IP address.
- Kill switch. This feature “kills” the Internet connection if the VPN service is for some reason interrupted or not enabled. This is a must-have feature, for both privacy and security reasons. You don’t want an activity that was started when connected via VPN to continue if VPN fails, so it can be monitored. On the security side, your connection may not be encrypted and thus vulnerable to attacks.
- DNS leak protection. This is a highly desirable feature, which prevents your operating system from sending DNS requests containing your real IP address to the ISP’s DNS server instead of your VPN provider. DNS (Dynamic Name System) links URLs (such as https://www.bestvpnrating.com/) to numerical IP addresses (18.104.22.168). So, when using VPN, all DNS requests should go straight to the VPN provider’s DNS server. If they go to the ISP’s DNS server, your IP is revealed, thus defeating the privacy purpose of VPN. The importance of keeping your IP hidden is explained here in great detail. The easiest way of checking for DNS leaks is to visit www.dnsleaktest.com.
Another IP leak issue that was recently discovered is not related to DNS, but comes from a new standard called Web Real-Time Communication (WebRTC). WebRTC allows browser-to-browser voice or video communication without the need for any additional applications or configurations, which sounds pretty great except WebRTC allows websites to see the users’ real IP addresses, even if a VPN service is used. As this is not a flaw in VPN tunnel protocol, but rather in the WebRTC protocol itself, it cannot be fixed by the VPN providers.
You can check whether you are vulnerable by visiting one of the IP leak detection websites. If you are vulnerable you can disable WebRTC in Firefox by going to about:config and toggling media.peerconnection.enabled to false. In Chrome (and Chrome-based browsers, such as Opera and Vivaldi), you will need to install an extension such as uBlock Origin (which we will discuss in more detail later), or WebRTC Network Limiter, which takes care of the IP leak issue while preserving the WebRTC functionality.
- Sign-up Process and Customer Service. How much information do I have to provide when signing up? Is the website easy to navigate? Does it have a tutorial/FAQ section? If they do, how comprehensive/easy-to-follow is it? Do the y provide live support? Those are just some of the questions you have to ask when assessing the non-technical aspects of a potential VPN service. Even if all the criteria listed above are met, you don’t want to get stranded if one little thing goes wrong.
- Compatibility and Installation. If you are planning on using VPN on more than one device, this is something you should definitely pay close attention to. Mobile platforms (Android, iOS) would be something to look for if you are looking for a way to securely connect to public Wi-Fi hotspots. Linux installation may be a bit tricky with some services and require additional third-party components. Some VPN providers extend their support to devices like Roku or gaming consoles, and can even provide an easy way to route the traffic for your entire home network through VPN.
After, with the help of BestVPNRating. you’ve done your homework, select the service that best fits your needs, sign-up, and start browsing privately and securely.
But not anonymously. Unless you use Tor.
Having chosen an appropriate service, you need to pursue a simple scheme to activate it:
- In case if you agree with all the points enumerated in the rules, you need to choose an appropriate plan. In this case you should pay attention to money-back guarantee for not to incur extra financial spending. Moreover, many services offer free trial version for a short period of time, so you can test the app before paying for it.
- The next step after subscribing for a service is to choose a compatible app for your platform and to download it. As a rule it takes little time, moreover, in case if you have some difficulties with the task you have a possibility to ask a support team for help.
- When all the manipulations are done, you are ready to choose any server from the list you like and to connect to the internet through it. Here you have a chance to run a foreign network as well as different geo-blocked websites and sources, as soon as your true location is shifted.
- Provided that there are some operational questions, you are welcome to read useful data from the FAQ section of the official website or contact with the technical assistance group.
Tor (or “The Onion Router”) is arguably the ultimate option for anonymous Internet browsing. The underlying concept of Tor is routing encrypted user data through a number of different relays (minimum of three) within the Tor network, with each relay “peeling off” a layer of encryption, just enough to know which relay (or node) the data came from and to which relay to send it next. Then the packet is re-wrapped in a new wrapper and forwarded to the next relay.
When the data packet finally reaches its destination, the server sees the final node (exit relay) as the packet’s original source. Despite new attack methods aimed at de-anonymizing Tor keep being developed, they are not very reliable and require a lot of effort. The main vulnerability targeted by attackers are the Tor’s exit nodes, because this is where unencrypted communication occurs. You also have to keep in mind that some of the threats to privacy and anonymity (such as Flash cookies) remain even when browsing with Tor, so you have to apply additional measures to avoid those.
Image source: http://fossbytes.com/everything-tor-tor-tor-works/
The only truly antonymous way to use the Internet (i.e. without your VPN provider knowing who you are) is to connect to VPN through Tor. This way the VPN server sees the Tor exit relay’s IP address as yours. Combined with an anonymous payment (e.g., with Bitcoin), this can ensure that the VPN provider never knows your true identity. An important thing to remember here is that your online activity is still visible to the VPN server, it just isn’t able to link this activity back to you.
One of the main disadvantages of Tor is that using it greatly reduces your Internet speed. Combined with delay caused by the VPN, it may result in a very slow connectivity. Additionally, a “VPN through Tor” setup requires the VPN client to be configured in a certain way, which not many VPN providers support. As another development, some websites are starting to block Tor users, even though using Tor is not only legal in most countries, but for some users living under oppressive regimes may be the only way to access the government-restricted content. If you need more help in deciding whether you should go with VPN or Tor, this guide may be helpful.
Just like your normal currencies (such as USD), cryptocurrency is a medium of exchange, but unlike other currencies, it is completely decentralized, meaning that no middleman is needed for the exchange and that government has zero control over it. Production of cryptocurrency is a very interesting, yet a quite complicated process, explaining which is beyond the scope of this article. The important thing to know here is that cryptocurrency is one of the best ways to pay for various products and services (such as VPN) anonymously, even though it is not inherently anonymous.
Bitcoin, the fist and most widely accepted cryptocurrency, was created in 2009 by a developer calling himself “Satoshi Nakamoto”. To accept and send Bitcoin payments, you need to get a Bitcoin wallet, an application that can be installed on your desktop or mobile device. You don’t have to provide your actual personal information in order to get a Bitcoin wallet (as opposed to, say, opening a bank account).
The addresses you create with your wallet become your identity within the network. However, even though your personal identity may not be known, all transactions within Bitcoin network must be confirmed, and transaction history is a public record that can be accessed by anyone. Combine that with the use of services that do require some identity information (such as exchange services or shopping websites) and a careful observer can piece together enough information to link your true identity to your Bitcoin wallets. To use Bitcoin anonymously, two basic measures should be implemented:
- Disposable addresses. Using the same address over and over is a sure way to provide someone who pays attention with enough information to start building a profile of your network activity and thus figuring out who you are. With your Bitcoin wallet you should be able to create any number of addresses (if fact, many wallets will automatically create a new address for every new payment you want to receive).
- Bitcoin mixing. This is way to further enhance privacy by mixing up your Bitcoins with coins from other sources before sending them to the other side, which is done through a specialized mixing service. Mixing services also randomize transaction amounts and add time delays to transactions, making it very difficult, if not impossible, for an outsider to track the payments and link them to a specific identity. Make sure to select a reputable mixing service: scams where fake mixing services simply steal Bitcoin are not uncommon.
Bitcoin is by far the most popular cryptocurrency, but it’s not the only one. Some VPN service providers may accept “altcoins” - alternative cryptocurrencies. Nor is Bitcoin the ultimate anonymous payment option. There are VPN providers out there that even accept cash payments via mail. Finally, you may be able to buy a prepaid Visa or Master Card gift card in a store and use it to pay for your services.
Other Privacy and Security Measures
This article, as long as it is, is really only scratching a surface of possible ways to protect your privacy, security, and anonymity online. To recap, by now we’ve learned that:
- You have to know your threats and vulnerabilities and evaluate your risks.
- Encryption (even if somewhat compromised and continuously attacked by NSA) is your friend, so encrypt everything: you files, your emails, and, most importantly, your online communications.
- Smart DNS proxy, VPN, and Tor are three alternatives, available to you for an enhanced (Smart DNS), more private and secure (VPN), and anonymous (Tor) browsing experience.
- There are numerous ways to pay for your Internet services (including VPN) while not revealing your true identity: Bitcoin and other cryptocurrencies, cash, and pre-paid cash gift cards. However, in most cases you still need to take additional steps to maintain anonymity.
In the following sections we’ll talk about browser privacy and security, secure (encrypted) email, protecting against viruses and other malicious software (malware), and touch up on mobile device (we won’t go too deep into that, because it’s a topic for another comprehensive conversation).
Even if you put in great effort into protecting your privacy and anonymity following the steps discussed in the previous sections, techniques like browser fingerprinting can still allow to link your online activities with your device. Next, we will look at how browser fingerprinting is, and how to protect against it, as well as other online threats using browser extensions and plugins.
Browser fingerprinting. This is a relatively new and powerful method of tracking Internet users. Each time you make a connecting to a web server, your browser sends some information about its configuration and settings (as well as other data, such as operating system it is running on, your time zone, etc.) While most of these elements might be very common, it’s the combination of them that may turn out unique enough to identify you. There are all sorts of things that fingerprinting analyzes, some of them you wouldn’t even consider, for example, the types of fonts you have installed. There are sites like amiunique.org that allow you to determine whether your browser data can be fingerprinted and examine your fingerprint in detail. The image below shows only part of the output, there is much more information in the fingerprint, including plugin details, list of fonts installed, browser configuration (it checks whether cookies, Do No Track, and other things are enabled), even screen resolution.
Browser fingerprinting is very hard to detect as well as defend against. The best approach is to make your fingerprint as common as possible: use a popular browser with default configuration on a Windows machine, use only generic fonts, etc. This may be very difficult to do on the device you use every day, so one of the effective approaches would be to use a virtual machine (VM).
VirtualBox is a free software that allows you running multiple operating systems on the same physical machine (host). So you can run Windows on your Linux machine and do you browsing from there, with a freshly installed browser. The best part is that you can reset the VM to the initial configuration by using snapshots, so any data accumulated during your browsing sessions will be erased.
However, running multiple operating systems takes a toll on your resources, so you would need a machine with sufficient processing power.
There are other ways to thwart browser fingerprinting, such as:
- using the Tor Browser, which “standardizes” various browser characteristics and includes patches to prevent font and Canvas fingerprinting
- installing script-blocking plugins.
The last recommendation is quite ironic, since plugin data is part of the browser fingerprint in the first place, so make sure to keep plugins to a minimum and stick to the popular ones. Keep reading for some of the browser plugins and extensions we recommend for strengthening your browser’s privacy and security defenses.
Browser Extensions. BestVPNRating already did a roundup of some of the best browser extensions available. Here we will return to some of those and highlight some of the others that you can implement to elevate your level of privacy and security protection.
- uBlock Origin. Hands down the best extension to keep the annoying ads out, uBlock Origin does much more than that, such as blocking trackers and malware sites. AdBlock Plus held this spot for a while, but it’s been reported to accept payments from advertising vendors in exchange for letting their ads through its filter. uBlock Origin is pretty aggressive in its “deny all” approach, so you will need to whitelist websites on which you want ads to be displayed, which is easy to do by clicking the big blue “power button”. You can “reverse” the default behavior and blacklist specific sites as you go, but it is highly recommended to go with the default settings. uBlock Origin is available for Firefox, Chrome, Opera, and Microsoft Edge as an early development option.
- Disconnect Private Browsing. As the name suggests, Disconnect is aimed primarily at protecting privacy, and it does so by blocking third-party tracking cookies. What makes Disconnect stand out is its ability to protect against such attacks as malware embedded in ads and sidejacking (or widgetjacking) and to block tracking by social networks like Facebook and Twitter. The free option is offered for a single browser and is available for Firefox, Chrome, Safari, and Opera.
- HTTPS Everywhere. Developed by the Electronic Frontier Foundation (EFF) in collaboration with The Tor Project, HTTPS Everywhere picks up the slack for the careless website owners and web developers that failed to correctly implement encrypted browser connection to their resources. HTTPS Everywhere rewrites requests to improperly protected parts of the website so they use HTTPS. You can get HTTPS Everywhere for Firefox, Chrome, and Opera.
- Privacy Badger. Another EFF project, this add-on also offers protection from advertising and third-party trackers. With Privacy Badger being relatively new, there isn’t a whole lot of information on its effectiveness, but we decided to include it in this list because one thing is for certain: EFF does not have financial interests that could weaken the original intent. Privacy Badger is based on the AdBlock Plus code, so at the very least we should be expecting the same level of protection. At the moment of writing, Privacy Badger is available for Firefox and Chrome, with the support for Opera and Microsoft Edge planned for the near future.
With the advancement of new communication technologies, email is not going anywhere. 205 billion emails are being sent daily. Such enormous adoption was not anticipated when email was born, and the Internet was a small and friendly place. This is why email is not inherently secure: it was not designed with security or privacy in mind. Efforts to make email more secure, while constant, are met with significant difficulties: just look at the shutdowns of Lavabit and SilentCicle’s Silent Mail.
HTTPS takes care of part of the problem: protecting emails while there are being transmitted from your device to the email provider’s server. If this connection is encrypted (and VPN certainly takes care of keeping all your Internet communications within an encrypted tunnel), then intercepting email messages would not produce any meaningful results. However, once the message has reached the provider’s servers, it is out of your control and is pretty much up for grabs for NSA of whoever else is within the technical or legal reach. There are exceptions, like Canadian Hushmail, which is not free even for individual use.
The proper way to truly ensure the end-to-end protection for your email is to encrypt the message itself while it is still on your computer, so it stays encrypted until the intended recipient opens it up and decrypts for reading. To achieve such level of control and protection you need to use tools and applications that use email encryption standards OpenGPG and S/MIME. Luckily, such tools, as well as detailed manuals for their installation and use are fairly easy to find online.
The main downside of using encrypted email is that it is a two-way process, meaning that your recipient needs a way to decrypt your messages (which usually involves generating key-pairs and sharing their public key with you). And keep in mind that so far we’ve been talking about emails that you send, email encryption tools are of no use for emails that you receive, if the senders aren’t using encrypted email. Finally, encrypting messages does not encrypt their metadata (email addresses, time and date of sending, the subject line, etc.), and we’ve already discussed how valuable metadata can be for a dedicated observer. So you need to make sure that both messages, and the communication channel itself are encrypted to ensure the desired level of privacy and security.
We went with the term “anti-malware” instead of the likely more familiar “antivirus”, because
- Computer viruses are only one type of harmful (or malicious) software that can be planted on your device by the attackers: worms, Trojans, bots, rootkits, etc. You should be protecting your devices from all those threats.
- Most modern “antivirus” products and solutions are called that more out of a habit, and should be really referred to as “anti-malware”, because they are (or should be, otherwise you shouldn’t bother with them) targeting various types of malicious software, not only viruses.
- Let’s get something straight: if an adversary such as NSA would want to plant a piece of malware on your system, they will, and your anti-malware solution won’t stop them. Defeating mechanisms used by anti-malware to detect threats is a pretty trivial task for a dedicated adversary with sufficient knowledge and resources. So should you even bother? You definitely should. Anti-malware applications will protect your devices from common viruses and their variations. You should not be a low-hanging fruit for any spammer of ransomware distributor out there. Some steps that you can take to better protect your system from malicious programs and scripts include the following:
- Use a safer operating system. Note that we say “safer” rather than “more secure”. Windows is not necessarily less secure than OS X or Linux, but it is definitely more targeted by malware, making in less safe. So, use Mac, or, better yet, Linux, to stay off the radar of common attackers. Linux may take some time to get used to, but the latest Ubuntu and Linux Mint distributions come pretty close to Windows in terms of usability. Again, don’t forget about virtual machines – they are a great way to try out and experiment with alternative operating systems. Most Linux distributions are free (except for a handful of enterprise-grade variants), so why not give them a shot?
- Install a good anti-malware solution and keep it updated. Latest Windows versions come with anti-malware pre-installed, and it is not terrible, but pales in comparison with other products. So, for a more effective malware protection, turn to products like Avast!, which provide your device with sufficient protection while not taking up a lot of system resources. Make sure that your anti-malware is always up-to-date, so it’s able to protect your system from the newer threats. Most products have auto-updating enabled by default, so it’s wise to leave this setting unchanged.
- Follow basic security hygiene. This means not clicking links in emails, not opening email attachments, not downloading files from untrusted sources, etc. VMs come in handy here again: even if you end up picking up something nasty, with a very few exceptions it won’t break out and infect your physical machine. And you can always revert the VM to a snapshot and pretend that it never happened.
This is another topic for a separate, and much longer conversation, so here we will just briefly touch up on some relevant aspects. First thing to keep in mind is that, in terms of privacy and anonymity, mobile devices are inherently less secure than desktop computers. They share most (if not all) vulnerabilities, plus have their own, unique weaknesses, such as geolocation and triangulation data, plus all the records collected and kept by your mobile service provider, who is just as cooperative with authorities as the ISPs. Using disposable (or “burner”) phones, aside from being a total pain in the neck, may actually have an opposite effect from keeping you anonymous. The general ways to protect your privacy and security on mobile devices are very similar to the measures we discussed above, and include the following:
- Use a safer browser. Firefox is available for both Android and iOS.
- Enhance your browser with reputable privacy, security, and anonymity add-ons. uBlock Origin is available for Firefox for Android.. If you are sticking with Safari on iOS, Purify is one of the best options to block adds and tracking, without affecting your browsing speed.
- Use VPN. We’ve already explained the security benefits of using VPN on your mobile device: it ensure that your communications are protected at all times, especially when connecting to a public Wi-Fi hotspot. While most VPN providers offer support for mobile devices, some of them are doing a better job doing that. BestVPNRating is here to help, with reviews of Best VPNs for Android and Best VPNs for iPhone.
- Use your phone’s security features. Most newer smartphones have robust security capabilities (fingerpring recognition, encryption, etc.) baked in by design, so make sure to use them to their full potential.
- Install anti-malware solution. Avast! is available for both Android and iPhone/iPad, and is very effective in protecting your devices against viruses and other malicious software.
- Use a secure messaging app. Signal by Open Whisper Systems, provides end-to-end encryption for your conversations, and comes highly recommended by such figures in the information security community, as Edward Snowden, Bruce Schneier, and Matt Green, so you don’t have to take our word for it. Signal is available for Android and iOS, and now can be added to Chrome as a browser extension, if you want to also use it on your desktop. Other suggestions for secure messenger apps can be found in this article.
The more immersed we are in the digital technology, the more valuable our privacy becomes not just to us, but to numerous organizations and individuals out there, from the government and multibillion advertising conglomerates to garden variety spammers and script kiddies. While protecting your privacy and security may seem like a daunting task, it really comes down to analyzing your risks, getting your priorities straight, and doing your home work when choosing the most effective solutions for enhancing your data privacy and security defenses. Hopefully, this guide helped you get started looking in some of the right places. Keep checking back, because BestVPNRating is always here to assist you with choosing the VPN service that best fits your needs, and to offer you some advice on staying safe and secure.