When it comes to cybersecurity, there are no guarantees, and the same holds true for browsing the internet. Though there are steps you can take to increase privacy and make yourself more anonymous, achieving total and complete privacy and anonymity is unlikely.
There are many reasons organizations and individuals seek to browse the internet anonymously or privately. For businesses, keeping employee internet traffic private is a matter of security: shielding employee internet traffic makes it more difficult for cybercriminals to gather the information they need for social engineering attacks or blackmail. As such, taking organizational-wide steps to improve employee privacy as well as educating employees about the importance of privacy and what steps they can take is critical for any security posture.
To help you best safeguard your organization, we have created this handy guide outlining some tools and policies you may want to consider adopting.
Private is Not the Same as Anonymous
It takes a surprising amount of work to remain anonymous on the internet. Though many articles and organizations within the cybersecurity space use the terms “anonymity” and “privacy” interchangeably, they are not actually interchangeable.
An encrypted message is private because only you and the recipient can read its contents, but because of metadata, you aren’t actually anonymous. Metadata is snippets of information that provide context about the message, such as who you are talking to, how long you have been exchanging messages, how many messages you have sent, the presence and size of attachments, and what medium you are using (text, email, etc.), and unlike the contents of your message, isn’t encrypted.
Because you can’t encrypt this metadata (which can be accessed by cybercriminals and other unauthorized individuals with the right tools, technical knowledge, and motivation), you can’t actually browse the internet or send messages anonymously.
Tips & Tools to Increase Your Privacy Online
Using Tor & Signal
Tor is the largest, most comprehensive, and highly effective meta-data resistant piece of software designed to promote privacy and anonymity. Though Tor doesn’t guarantee it will keep your browsing habits private, it is the best option currently available. Tor has developed a bit of a bad reputation because it is favored by criminals looking to keep their illegal activities secret, but it has also been a critical tool for journalists looking to research stories anonymously and has even partnered with Reporters Without Borders. However, using Tor comes with some complications: browsing the internet over Tor is slower than using other search engines, and some large web services block Tor users.
Signal is a popular and highly effective messaging app that allows users to send and receive encrypted text messages, voice memos, audio calls, and video calls. Its user interface is similar to other popular messaging apps, making it easy to use even for less tech-savvy individuals.
However, just because your messages are private doesn’t mean you are anonymous. Any network-level adversary can tell you are using Signal, and government agencies such as the CIA can still digitally peek over your shoulder using malware. Also, the metadata associated with Signal users is still available, so organizations such as the US government and Five Eyes are able to access Signal traffic to learn who is communicating with whom when they are communicating and how long they have been in communication. Though the developers of Signal are aware of these shortcomings, metadata-resistant communication remains an unsolved technical problem.
In short, Signal is the best encrypted messaging app available, offering a more private communication experience, but it isn’t perfect and cannot be relied on for total or even strong anonymity.
VPNs Are Useful, But Don’t Actually Offer Anonymity (Only Privacy)
VPNs (virtual private networks) do not actually anonymize your browsing. All they do is move trust from your ISP address (at home, at the office, at your local coffee shop) to someone else’s server. VPNs can be incredibly effective security tools (and vital for remote workers who might be logging on from less than secure networks), but they don’t offer anonymity.
Since the VPN just shifts your traffic to their server, they can still see all of your traffic; as such, if someone you wish to hide your browsing from accesses the VPN’s servers (either through a cyber attack or via legitimate means such as a court order) they will also be able to see all your traffic.
Using Zero-Knowledge Services
Many of the tools you likely use every day, including Gmail, Office365, and DropBox, know everything you do on their respective platforms; Google reads your emails, Office365 can access everything you write, and DropBox has the ability to open and examine all files you upload. These three organizations, along with many more, are also Prism providers, which means they cooperate with mass surveillance programs and, as such, are willing to share anything you do on their platforms with the US government.
While you can protect your privacy on these platforms by encrypting everything you do, you can also choose more privacy-conscious alternatives such as SpiderOak (an alternative to DropBox) or Protonmail (as opposed to Gmail). You should carefully vet these companies for yourself before using their products, but these zero-knowledge options are certainly worth exploring further.
Check Your App Permissions
Though Apple recently released an update designed to improve user privacy and security (including limiting photo and location access, discouraging Wi-Fi tracking, and at a future date, limiting app tracking), both Apple and Android users should still take the time to check their app permissions. Many apps request greater permissions than they need (including camera and microphone access, location data, and other information), raising security and privacy concerns.
Be sure to periodically check your app permission settings and revoke unnecessary permissions.
Consider Installing an Ad Blocker on Your Browser
Ads used to be targeted at wide demographics, using a one-to-many broadcasting model. However, targeted advertising now means that what ads you see while browsing the internet are specifically tailored to you to maximize your chances of clicking a link or buying a product or service. This personalization is possible because of online tracking.
Installing an ad blocker won’t completely hide your browsing activities from curious advertisers, but products such as Brave Browser, AdBlock, and the Electronic Frontier Foundation’s Privacy Badger offer better protection than nothing at all.
Consider an Ad Blocking DNS Service
To block ads at the network level, you may want to consider a DNS adblocker such as Pi-hole. DNS ad blockers are basically DNS (domain name system) servers that act as DNS sinkholes, blocking ad traffic by checking requests from your browser (in this case, coming from advertisers who want to serve you ads) against your client hosted DNS server, which contains a list of domains that usually serve ads. If a requester is on that list, their request is denied, blocking the ads before they even reach your computer. This approach is usually done via hardware (for example, Pi-hole requires a Raspberry Pi).
Technically savvy readers who use Windows may want to consider checking out this handy guide on DNS-level ad Blocking from Privacy International.
Fire Your Digital Assistant
Google Home, Amazon Echo, and Apple’s Siri offer convenience, but they are a privacy nightmare. In order to know when to update your grocery list, play a requested song, or call your parents, these devices need to be constantly listening for instructions. Private conversations aren’t private if you have a digital spy in the room, but even if you refuse to get an Amazon Ring for your front door, it doesn’t really matter if they are ubiquitous in your neighborhood.
However, if you are concerned about privacy, you should still consider banning these devices from the office (and the home office) and turn off Siri voice activation.
Use Common Sense
At its core, privacy is about autonomy: choosing which information you share and with whom. A good general rule is that you are doing something you don’t want the world to know about, it’s probably best to keep it off the internet. If your team needs to discuss a top-secret project, have them meet in person (when it’s safe to do so) or limit communication to secure devices and products only.
Depending on the nature of your business, you may want to create clear social media and internet use guidelines for employees, contractors, volunteers, and any other individuals involved in your organization.
It’s almost impossible to be truly anonymous on the internet, but that doesn’t mean there aren’t steps you can take to improve privacy (and, by extension, security) at the individual and organizational level. For more information about steps, your organization can take, please contact the Virtual Armour team today.