Is it Possible to Surf the Web Anonymously?
In a world of cybersecurity concerns and online privacy issues, anonymous web surfing seems like an attractive option. Virtual Private Networks (VPNs) are often touted as the one-stop solution for all your digital privacy and anonymity needs. But with many things in technology, it’s not that simple. VPNs are good for some things, but they’re not the only privacy solution – or even the best one for all situations.
See Rethinking Online Anonymity with Lance Cottrell for a complete transcript of the Easy Prey podcast episode.
Lance Cottrell started his career as an astrophysicist, but dropped out of his PhD program in 1995 to start Anonymizer, the world’s first internet privacy company. He spent six years building an online anonymity platform for consumers before realizing that the people who really needed what he did worked in government. So he pivoted to building platforms for online undercover operations. After Anonymizer was acquired by Intrepid, Lance moved on to advising startups and early-stage companies through his platform Feel the Boot.
Encountering a Scammer with Anonymizer
About five years into Anonymizer’s existence, a guy approached Lance out of the blue offering to help with business development and strategic development. He had showed up at Lance’s parents’ house, introduced himself, and got a tour of the neighborhood as a way to connect with Lance. It was a really sophisticated way of infiltrating a network, and it didn’t cause Lance to put his shields up.
He did actually connect Lance to a bunch of companies. He wanted to be a principal and wanted equity. Eventually, though the board spotted the warning signs. He would claim to represent Anonymizer without checking with them first, and whenever they asked him to undo an unauthorized decision there were a ton of excuses why he could. Finally, they cancelled his shares and kicked him out. If he had been legitimate, he would have sued, but he didn’t.
Six months after kicking him out, Lance got a call from someone he’d introduced him to at another company. The woman was calling to warn him – the scammer had tanked her company. He did similar things to several other companies who hadn’t seen the signals. Lance eventually learned that he went to jail for scamming a rabbi.
[Scammers] act personable. They do a good job of generally not feeling like they’re being pushy while always driving the agenda in the direction they want to go.
Lance Cottrell
Scammers are quick to learn what you’re hungry for and what’s important to you and drop hints that they’re going to help with that. This one had a network of people he sort-of knew, and used their names to get into new companies. If the board hadn’t spotted his tricks and kicked him out, the company probably would have been destroyed.
The Origins of Anonymizer
When Lance was doing his PhD in astrophysics, his university affiliation gave him fantastic access to the early internet. He was involved in the open source community out of personal interest, and his university Unix workstation gave him great connectivity. People were just barely starting to think about anonymous web surfing.
Around this time, the government was trying to come up with a “clipper chip.” This was a concept where every computer would have this standardized chip that would provide strong encryption. But the FBI would have a copy of the keys so they could read the encrypted data on any computer in the world. That last bit sounded especially bad to Lance, especially considering how often the FBI gets hacked and how good of a target that would be.
He joined an informal group of people online called the Cyperpunks – an organization building strong open-source cryptography. At one point, Lance sat down in his spare time and created an anonymous email system called Mix Master, which was very anonymous and hard to backtrack. He realized he enjoyed it more than he enjoyed astronomy. In his PhD program, he was getting frustrated because the Hubble Telescope wasn’t big enough to get the data he needed. But on the tech side, he was getting written up in the New York Times and had tens of thousands of people running his anonymous email program.
He realized the current program was by geeks, for geeks. If you wanted to run Mix Master, the first step was to execute a make file on the command line of a Unix workstation. That ruled out a lot of people who really needed anonymous email services. So he founded Anonymizer to make online privacy tools like anonymous email and anonymous web browsing more accessible.
Committed to Privacy
In the early days of Anonymizer, there was no cloud – their anonymous web browsing programs were running in physical data centers with racks of servers. They prioritized the anonymous aspect, which made it harder. Not even their top developers could see the details of the connections, which made debugging and troubleshooting a nightmare.
Tech kept evolving, and Anonymizer had to evolve to keep up. One of their major offerings was a VPN. As VPNs started to become more commoditized, more and more VPN companies popped up. Part of the reason the ended up pivoting to government is because it wasn’t a high-margin business. AT the time, they were selling subscriptions for $70-$80 per year. By the time they finished, government contracts averaged $200,000 per user per year. Obviously they had fewer users, but that way they could provide exceptional troubleshooting.
One of the things Lance always found baffling about consumer use of VPNs is that people would turn on their VPN for anonymous web browsing, then immediately go log into a site like Facebook that’s tracking you everywhere. That undoes all the privacy-protecting aspects of a VPN. For the government, in contrast, online privacy and anonymity is often a life-or-death thing. Lance has had a number of conversations where it turned out the reason they were using Anonymizer is because last time they didn’t take online privacy seriously enough and people died. You can guarantee Lance talked to his engineers about how serious this was.
People would use our [VPN] tool to go somewhere like Facebook and log in, at which point, why? You’ve just undone everything you’re working on.
Lance Cottrell
Criminals Want Privacy Too
If you want to build things used by dissidents in oppressive countries in a way their intelligence can’t break, Americans are going to be doing bad things with it, too. Anonymizer had a lot of interactions with law enforcement, including subpoenas. By the end, they were getting contacted more than once a week. Lance’s favorite was a cease-and-desist order from the Beijing police department. They had it hung on the wall for a while, but they couldn’t do anything.
Stolen credit cards were the biggest issue. Anonymizer had a chargeback rate of over 10%. They were dropped by their credit card processor a couple times. At one point they were put on a blacklist and managed to talk their way off. The people at the bank said no one had ever talked their way off the list. But when Lance talked to them, they said he needed to take precautions against fraud and gave some suggestions. Lance showed that Anonymizer had been doing those things for years, plus a dozen other things that they didn’t think about. The bank un-blacklisted them.
Tor Isn’t the Answer for Anonymous Web Surfing
If you’re concerned about anonymous web surfing, you may have heard of Tor. It’s a privacy-focused browser that routes your browsing through a bunch of “nodes” to obscure where it came from. Between the model of not trusting anyone, picking random hosts, and multi-hopping chains, it seems like a good idea to privacy-focused people.
But the problem with Tor is that it’s very easy for someone to map the network and to block nodes. The entrance node and the exit node both get a lot of visibility on who you are and what you’re doing. And any node could be an entrance or exit node. That includes governments. Lance understands why foreign intelligence agencies would run Tor nodes. What he doesn’t understand is why anyone else does – he assumes most of them are run by one government or another. So Tor is not a good solution for anonymous web surfing, especially if you’re trying to avoid government eyes.
Lance’s argument is that you do need to trust someone. You need to research who they are, understand if you can trust them, and then trust them and not anyone who you haven’t researched. If you look at many VPN companies, they’re very opaque about who actually owns and operates them. Lance assumes a lot of them are fronts for intelligence organizations. After all, there’s no better way to access what criminals are doing than by controlling the network they’re using.
You need to trust someone. Research who that is, understand if you can trust them, and then trust them and really restrict the circle of people you can trust.
Lance Cottrell
VPNs Aren’t a Cure-All for Anonymous Web Surfing
If you listen to podcasts, you could probably tell when VPNs started becoming a big commodity. Lots of different companies were popping up, and they were sponsoring everything, whether it was relevant or not. Lance almost couldn’t avoid screaming at his car dashboard sometimes because these companies were making claims about VPNs that just aren’t true.
The biggest mistake people make about VPNs is assuming that your IP address matters much anymore. Most devices are on dynamic IPs anyway, so the address is changing constantly. People are paying much less attention to it, and that’s all a VPN effectively hides. Other information about you and your computer is still out there.
The biggest mistake is thinking that your IP address is the important thing anymore.
Lance Cottrell
If you use incognito mode on your browser, that turns off cookies. But there are a huge number of browser footprints that can identify your computer even without that. It’s pretty easy to get unique identification from a device’s physical characteristics.
Behavior is the real identifier, though. Where you go, what you type, names you use, password reusing – all of these patterns makes it hard to surf the web anonymously or have real privacy. Maintaining a pseudonym over time is challenging. Back in the 1990s, Lance wrote for a Cypherpunk mailing list as both his real name and a pseudonym. One company was trying to build tools for author identification, so he gave them the mailing list archive and asked them to find his pseudonym based on writing style. They did – first try.
VPNs Don’t Hide Everything
Just because you’re using a VPN and your IP address is now coming out of a foreign country doesn’t mean the people watching you believe that, either. Anonymizer ran into this with government customers in the US but pretending to be in Turkey. After a while, they started getting complaints that Google knew where they were. The agents were getting ads for places in their own town, not in Turkey where they were supposed to be.
Anonymizer spent a huge amount of time researching what happened. It turned out that these agents were searching for restaurants, haircuts, and other services in their local area through the platform that was supposed to be coming out of turkey. Google quickly determined that regardless of what the IP registration or traceroute says, their behavior said these people were in this particular town, so that’s the ads and results they were going to get. Anonymizer had to build a bunch of tools to overwhelm Google and keep them from recognizing these people’s real location.
When VPNs are Useful
If VPNs aren’t the solution for anonymous web surfing, what are they good for? Turns out they’re actually really beneficial in specific areas. They only secure you to the exit point, but they are designed for remote access to a secure environment. If you VPN into the office, you can access your office environment like you’re there without major security risks. With public things, though, anything from the exit point to the target is going to be vulnerable.
A lot of people need ot remember that the VPN only secures you to the exit point.
Lance Cottrell
People don’t think enough about the threat model for their VPN. Who are you really worried about seeing this? Where are they in the chain of your web surfing? What do they have access to? Is this something you even need to worry about? If you’re doing political stuff, you need to worry about jurisdictions and pick somewhere where the people watching you don’t have good access. But most of us aren’t dissident journalists, high-level criminals, terrorists, or spies. Most of us don’t need to worry about this stuff.
If you’re on a high-risk network like public wifi or third-party networks, it can be valuable for that. But most websites these days are secured with SSL and encrypted. Emails are secure automatically. A lot of things are secure by default, so VPNs’ uses are decaying quickly. Even getting around geolocation restrictions is great until the service you’re trying to circumvent gets a list of VPN-associated IPs and blocks it.
All these things are now secured by default, so that security aspect is less important than it was. Security is still important, though.
Lance Cottrell
The Bottom Line for Anonymous Web Surfing and Online Privacy
The most important take-away Lance has for privacy is to be very specific about what you want to protect. Someone who says that they just want to be private online is either a non-technical hermit or lying to themselves. It’s not possible.
The key is to decide which parts of your university you want to keep private. Pay close attention and lock those down. Then Lance encourages you to give up on the rest. There’s going to be leakage and there are going to be things that get through. It doesn’t make sense to run your life around them.
Anonymous web surfing, VPNs, or other privacy measures aren’t going to stop a really dedicated criminal. You can spend a lot of time working to stop a hypothetical criminal and put deadbolts and kick guards on your metaphorical door, but if you have a big picture window right next to your door, that’s not the best use of your efforts. Not that you shouldn’t put a lock on your front door, but eventually a criminal will give up on the door and just break your window.
Just take basic security steps. Be aware of what you’re putting out there and what you’re letting people know. Use two-factor authentication and a password manager. Update your software. The basics are most of what’s out there. The fancy stuff is icing on top, but if you’re not paying attention to the basics, the icing is irrelevant.
The basics are 99% of what’s out there. The fancy stuff is icing on top. But if you’re not paying attention to the basics, none of the rest of that really matters.
Lance Cottrell
Connect with Lance Cottrell on LinkedIn, or find his organization Feel the Boot at feeltheboot.com or on YouTube or LinkedIn.
Related Articles
- All
- Easy Prey Podcast
- General Topics
- Home Computing
- IP Addresses
- Networking Basics: Learn How Networks Work
- Online Privacy
- Online Safety
Your Online Order Never Arrived? Here’s What to Do Next
We’re getting into the holiday shopping season, and that means that you’re probably buying at least some…
[Read More]The Ultimate Privacy Gift Guide for 2024
The holidays are rapidly approaching – which means it’s time to think about holiday shopping. If you…
[Read More]How to Identify a Scammer Online: Spotting Digital Deception
Everyone is vulnerable to scams and fraud online, especially if you’re distracted or in a hurry. That…
[Read More]VPN Update: Is it still important to use a VPN?
Using a VPN (Virtual Private Network) when you’re online is still very wise and important and that’s...
[Read More]The “Red Flags” of a Scam Can Alert You to Pending Danger
We’re used to hearing “red flag” conditions. Hopefully, we know they indicate a dangerous situation or risky…
[Read More]Windscribe VPN
Windscribe VPN provides the ultimate privacy, security, and simplicity with an easy-to-use website interface.
[Read More]