Sep 12, 2018
I Don’t Think Internet Anonymity Means What You Think It Means
Internet users often misunderstand anonymizing services, like Tor and VPN, leading to bad practices and compromised privacy.
In the past few years, usage statistics for anonymity systems and tools have skyrocketed. This phenomenon can be seen most clearly immediately following the Snowden revelations in 2013, where Edward Snowden released documents detailing ongoing and widespread government surveillance activities. In response, many Internet users rushed to adopt privacy-enhancing technologies, like encryption, Virtual Private Networks (VPNs), Tor, and the privacy-focused search engine DuckDuckGo. And while government surveillance is a highly publicized reason for using these technologies, many people turn to them for a myriad of other reasons, resulting in a large user base of both technical and nontechnical users. As the number of users continues to grow, it is important to understand how these systems work and what their limitations are in order to reap the privacy benefits they provide. This essay will shed light on popular misconceptions about both the notion of anonymity itself and a few of the most commonly used anonymizing services; these misconceptions often cause Internet users to either forgo using them entirely or to use them in ways that compromise their anonymity.
Ask five different people around you what their definition of anonymity is and you’ll probably get five different answers. And with different notions of anonymity, there are varied expectations regarding the benefits of anonymity tools. As a result, very few people get what they think they are getting from using these tools. The Merriam-Webster dictionary defines “anonymous” as “of unknown authorship or origin; not named or identified”, the Cambridge Dictionary states anonymity is “a situation in which a person is not known by or spoken of by name”, and the Oxford Dictionary describes it as a “lack of outstanding, individual, or unusual features.”
All of these definitions are slightly different, but generally follow the same thought. When anonymity is considered, privacy is often assumed. And while privacy and anonymity (and even security) are interwoven concepts, privacy is not synonymous with anonymity.
Privacy and anonymity can be teased apart in a simple analogy: take the case of a secret admirer. Alice really admires Bob so she writes him a letter filled with her deepest feelings, but Alice is not sure if Bob feels the same way, so she wants to hide the fact that the letter was written by her. She sends the letter to Bob without indicating she wrote it or including her return address on the envelope; Bob receives the letter, reads it, and knows that he has a secret admirer, but does not know the identify of that person. This is anonymity, but not complete privacy; Bob can read the letter, and anyone that can open the letter can read the letter, but neither Bob nor another reader knows who sent the letter. This is a (very) simplified analogy of how Tor provides anonymity, but not complete privacy. (One can interpret anonymity as a single aspect of privacy because when someone is anonymous, he is protecting the privacy of his identity.)
Tools to Help You Remain Anonymous Online
Tor (The Onion Router) has become one of the most mainstream anonymizing services available and it is a volunteer-based network. When a Tor user accesses a web page, her traffic is routed through a Tor circuit, which is a series of at least three different Tor relays. A relay is a Tor volunteer’s computer (anyone can volunteer to run a Tor relay on their machine), which passes traffic on to the next Tor relay. Worth noting is that some relays are called exit relays, because they are the last relay in the Tor circuit, and they pass the traffic on to the machine that hosts the web page. This is how a Tor user’s IP address appears to be the IP address of the exit relay instead of the user’s true IP address. The way traffic is routed through these relays uses layered encryption (hence the name “onion routing”), but does not encrypt traffic between the exit relay and web server. Therefore, the person operating the machine used as the exit relay can see all the traffic flowing through his machine, which actually happened many years ago. Just like in the case of Alice and Bob, anyone that can see the traffic from the exit relay to the web server can see what web pages people are accessing. This is high-level generalization of how Tor works and is missing many technical details, but the main point is that Tor is an anonymity system, and does not inherently provide privacy. (To be clear, Tor does provide some privacy —- between the Tor user and the exit relay —-, but more privacy can be achieved if end-to-end encryption is also used.)
Less well-known than the Tor network itself is an option available within the Tor network known as onion services (previously called hidden services). Typically, when people refer to the “dark web,” they are referring to these onion services, which are essentially websites that allow the website owner to be anonymous. For example, someone may want to publish a blog that discusses controversial material on politics in an oppressive regime. In this case, the blogger may wish to remain anonymous to avoid legal or political repercussions. In a similar fashion to how a Tor user accesses a web page via the Tor network, onion services also establish a Tor circuit within the Tor network (note that onion services are not accessible outside the Tor network).
VPNs are likely used more often than either Tor or onion services for a variety of reasons. A few of these reasons include accessing your company’s internal network, circumventing certain censorship practices, and also privacy. Many VPN providers make broad claims about how their customers can browse the web completely anonymously, but, while they can enhance a user’s privacy in some ways, they do not provide perfect anonymity. When someone uses a VPN, they are connecting to a remote network, where their traffic is encrypted from their machines to the remote network, but not necessarily from the remote network to the web server. VPNs make it appear to the web server that the IP address of the user is an IP address associated with that private network, and not the user’s actual IP address. Unfortunately, there is no way to tell how trustworthy different VPN providers are —- they may claim to not track or collect data on the people that use their service, but users have no guarantees.
Even worse than VPNs, in terms of privacy or anonymity, are the built-in browser options of Incognito Mode (Chrome), Private Browsing (Safari), and InPrivate Browsing (Internet Explorer). The privacy that these options offer are limited to just within the browser and only applicable to past web browsing —- they do not record which web pages a user visits, so someone cannot look at the user’s browsing history and learn what web pages she visited. Consequently, they do not hide the user’s identity when they are visiting web page and they provide no additional encryption.
Understanding the Benefits Provided by Anonymity Tools
With varying definitions of anonymity, privacy, and security, and the fact that these tools are being adopted by more and more people —- both technical and non-technical —- they are often confused by what these tools actually provide in terms of anonymity. Recall the differences between anonymity and privacy, and that the majority of the tools discussed in this essay are evaluated from the perspective of anonymity.
Tor provides anonymity when accessing the Internet and onion services provide anonymity when publishing content on the Internet. This boils down to the web server not knowing the Tor user’s IP address (or other identifying information, such as location), and in the case of onion services, the Tor user does not know the IP address (or other information) of the web server. People can (and do) use Tor for many reasons, including preventing trackers, evading surveillance by an ISP or government, and censorship circumvention. Less people tend to use onion services, but when they do, it is generally for additional anonymity or security, it is the only way to access the content, or they are curious about the “dark web.” A common thought among Tor users is that using Tor or onion services for websites that require a login —- like Facebook —- renders the value of Tor or onion services as useless, but this is not completely true. Yes, while logged into Facebook via Tor, both Facebook and other people on the social networking platform know who you are —- meaning your name and other information you supply to your profile —- but they do not know your IP address or your location at that moment.
If anonymity is a major concern, stick to using a tool like Tor. If web page loading speeds are a high priority (i.e., streaming videos), and compromising some anonymity is an option, then a VPN may be a better tool. As mentioned, Tor is commonly used for censorship circumvention, but sometimes VPNs are sufficient for circumventing censorship as well. Keep in mind that the VPN provider can still view and potentially store user traffic, but if the goal is to simply avoid your Internet Service Provider (ISP) from viewing your traffic, then again, a VPN might be a suitable choice. Lastly, using Incognito Mode/Private Browsing/InPrivate Browsing is only beneficial when you want to avoid cookies or want to hide your browsing history from someone who has access to your computer, not to remain anonymous.
Tor is Not Just For “Bad Guys”
Any system that provides anonymity is going to attract people that want to remain anonymous to protect their identity because it makes them safer as well as people that want to remain anonymous because they are doing some wrong or illegal. Media coverage of anonymity systems usually mentions the “dark web” and recounts its potential for hiding illicit activities. This has given anonymity systems a bad reputation among the general public, but this is a distorted view of why many users use these systems.
Tor and onion services are tools used by journalists and sources to communicate and share sensitive files. Human rights activists working in oppressive regimes rely on Tor in life-or-death scenarios to protect themselves from their own government. In some countries, people are punished for attempting to circumvent censorship —- using Tor allows them to circumvent censorship anonymously, whereas VPNs can reveal information about who is trying to evade the censor. Others are simply using these tools to prevent their ISP, government, employer, school, etc. from learning their identity.
The amount of anonymity provided by a system like Tor is a function of the number of users of the system; some people use Tor just to increase the anonymity of others using the system.
Misusing Technology Compromises Anonymity
Internet users don’t always understand how anonymity systems and tools work, leading to poor mental models and misuse, which can subsequently compromise a user’s anonymity. For Tor, these uninformed or poor mental models often stem from usability issues associated with the Tor Browser because: 1) descriptions include technical terms the user doesn’t understand, 2) there are too many options when configuring the Tor browser, and 3) the Tor browser provides poor feedback when notifying the user of any issues. One example of this last point is when the Tor browser takes a longer than usual time to load a web page, many users think there is something wrong and that the browser isn’t working, when in reality it takes longer than usual to route traffic through three different servers located around the world. [Note that the Tor Project values and considers feedback and research, and has made many changes over the years to greatly increase the usability and security of the Tor network.]
Incorrect mental models and understandings of how Tor and onion services operate has led to usage in a way that compromised the anonymity benefits provided by them. Numerous research studies have evaluated the usability of the Tor browser and/or onion services. One such study found that sometimes people do not recognize the difference between a Tor browser window and a normal browser window and accidentally browse via the normal browser, losing any anonymity benefits provided by Tor. Others do not realize that onion services are only accessible via the Tor browser, and enter onion domain names into a normal browser, which leaks information about the onion service the user is trying to visit. When asked how they manage onion services, many people responded by saying that they use the bookmark tool in the Tor browser, but unfortunately, this leaves a trace of the websites that a user visited on their computer. Possibly the most widely-known criticism of the Tor browser is the amount of time it takes to load a web page. In some cases, this is enough of a deterrent to cause the user to stop using the Tor browser altogether, lessening the anonymity provided to Tor’s other users. Researchers have also analyzed Internet users’ perceived models of private browsing modes offered by browsers (i.e., Incognito Mode) and reported that a significant percentage of participants in their study assumed that these browsing modes made them completely anonymous.
How can we resolve these misconceptions going forward? The first step lies in understanding what anonymity systems provide and how they operate. Users don’t necessarily need to understand all the details, but learning how systems like Tor work will help prevent some misconceptions. This responsibility does not rely solely on the user, but also on the people that make these systems. Technologists, researchers, and developers need to make their systems usable and provide helpful documentation to educate their users. Both of these actions are essential in both effectively using and developing new anonymity systems. These systems and tools are critical to our society by providing a free and open Internet for people across different parts of the world.