In April of 2013, Khairullozhon Matanov, a twenty-two-year-old former cab driver from Quincy, Massachusetts, went to dinner with a couple of friends—a pair of brothers, in fact. Among other topics, the three men talked about events earlier in the day that occurred near the finish line of the Boston Marathon, where someone had planted rice cookers packed with nails and gunpowder and a timer. The resulting blasts claimed three lives and left more than two hundred people injured. The brothers at Matanov’s table, Tamerlan and Dzhokhar Tsarnaev, would later be identified as the prime suspects.
Although Matanov said later that he had no prior knowledge of the bombing, he allegedly left an early post-bombing meeting with law enforcement officers and promptly deleted the browser history from his personal computer. That simple act—erasing his laptop’s browser history—resulted in charges against him.1
Deleting browser history was also one of the charges against David Kernell, the college student who hacked Sarah Palin’s e-mail account. What’s chilling is that when Kernell cleared his browser, ran a disk defragmenter, and deleted the Palin photos he had downloaded, he wasn’t yet under investigation. The message here is that in the United States you are not allowed to erase anything you do on your computer. Prosecutors want to see your entire browser history.
The charges leveled against Matanov and Kernell stem from a nearly fifteen-year-old law—the Public Company Accounting Reform and Investor Protection Act (as it’s known in the Senate), or the Corporate and Auditing Accountability and Responsibility Act (as it’s known in the House), more commonly called the Sarbanes-Oxley Act of 2002. The law was a direct result of corporate mismanagement at Enron, a natural gas company later found to be lying and cheating investors and the US government. Investigators in the Enron case discovered that a lot of data had been deleted at the outset of the investigation, preventing prosecutors from seeing exactly what had gone on within the company. As a result, Senator Paul Sarbanes (D-MD) and Representative Michael G. Oxley (R-OH) sponsored legislation that imposed a series of requirements aimed at preserving data. One was that browser histories must be retained.
According to a grand jury indictment, Matanov deleted his Google Chrome browser history selectively, leaving behind activity from certain days during the week of April 15, 2013.2 Officially he was indicted on two counts: “(1) destroying, altering, and falsifying records, documents, and tangible objects in a federal investigation, and (2) making a materially false, fictitious, and fraudulent statement in a federal investigation involving international and domestic terrorism.”3 He was sentenced to thirty months in prison.
To date, the browser-history provision of Sarbanes-Oxley has rarely been invoked—either against businesses or individuals. And yes, Matanov’s case is an anomaly, a high-profile national security case. In its wake, though, prosecutors, aware of its potential, have started invoking it more frequently.
If you can’t stop someone from monitoring your e-mail, phone calls, and instant messages, and if you can’t lawfully delete your browser history, what can you do? Perhaps you can avoid collecting such history in the first place.
Browsers such as Mozilla’s Firefox, Google’s Chrome, Apple’s Safari, and Microsoft’s Internet Explorer and Edge all offer a built-in alternative way to search anonymously on whatever device you prefer—whether you use a traditional PC or a mobile device. In each case the browser itself will open a new window and not record what you searched or where you went on the Internet during that open session. Shut down the private browser window, and all traces of the sites you visited will disappear from your PC or device. What you exchange for privacy is that unless you bookmark a site while using private browsing, you can’t go back to it; there’s no history—at least not on your machine.
As much as you may feel invincible using a private window on Firefox or the incognito mode on Chrome, your request for private website access, like your e-mails, still has to travel through your ISP—your Internet service provider, the company you pay for Internet or cellular service—and your provider can intercept any information that’s sent without being encrypted. If you access a website that uses encryption, then the ISP can obtain the metadata—that you visited such and such site at such and such date and time.
When an Internet browser—either on a traditional PC or a mobile device—connects to a website, it first determines whether there’s encryption, and if there is, what kind. The protocol for Web communications is known as http. The protocol is specified before the address, which means that a typical URL might look like this: http://www.mitnicksecurity.com. Even the “www” is superfluous in some cases.
When you connect to a site using encryption, the protocol changes slightly. Instead of “http,” you see “https.” So now it’s https://www.mitnicksecurity.com. This https connection is more secure. For one thing, it’s point-to-point, though only if you’re connecting directly to the site itself. There are also a lot of Content Delivery Networks (CDNs) that cache pages for their clients to deliver them faster, no matter where you are in the world, and therefore come between you and the desired website.
Keep in mind, too, that if you are logged in to your Google, Yahoo, or Microsoft accounts, these accounts may record the Web traffic on your PC or mobile device—perhaps building your online behavioral profile so the companies can better target the ads you see. One way to avoid this is to always log out of Google, Yahoo, and Microsoft accounts when you are finished using them. You can log back in to them the next time you need to.
Moreover, there are default browsers built in to your mobile devices. These are not good browsers. They’re crap, because they’re mini versions of the desktop and laptop browsers and lack some of the security and privacy protections the more robust versions have. For example, iPhones ship with Safari, but you might also want to consider going to the online Apple store and downloading the mobile version of Chrome or Firefox, browsers that were designed for the mobile environment. Newer versions of Android do ship with Chrome as the default. All mobile browsers at least support private browsing.
And if you use a Kindle Fire, neither Firefox nor Chrome are download options through Amazon. Instead you have to use a few manual tricks to install Mozilla’s Firefox or Chrome through Amazon’s Silk browser. To install Firefox on the Kindle Fire, open the Silk browser and go to the Mozilla FTP site. Select “Go,” then select the file that ends with the extension .apk.
Private browsing doesn’t create temporary files, and therefore it keeps your browsing history off your laptop or mobile device. Could a third party still see your interaction with a given website? Yes, unless that interaction is first encrypted. To accomplish this, the Electronic Frontier Foundation has created a browser plug-in called HTTPS Everywhere.4 This is a plug-in for the Firefox and Chrome browsers on your traditional PC and for the Firefox browser on your Android device. There’s no iOS version at the time of this writing. But HTTPS Everywhere can confer a distinct advantage: consider that in the first few seconds of connection, the browser and the site negotiate what kind of security to use. You want perfect forward secrecy, which I talked about in the previous chapter. Not all sites use PFS. And not all negotiations end with PFS—even if it is offered. HTTPS Everywhere can force https usage whenever possible, even if PFS is not in use.
Here’s one more criterion for a safe connection: every website should have a certificate, a third-party guarantee that when you connect, say, to the Bank of America website it truly is the Bank of America site and not something fraudulent. Modern browsers work with these third parties, known as certificate authorities, to keep updated lists. Whenever you connect to a site that is not properly credentialed, your browser should issue a warning asking if you trust the site enough to continue. It’s up to you to make an exception. In general, unless you know the site, don’t make exceptions.
Additionally, there isn’t just one type of certificate on the Internet; there are levels of certificates. The most common certificate, one you see all the time, identifies only that the domain name belongs to someone who requested the certificate, using e-mail verification. It could be anyone, but that doesn’t matter—the site has a certificate that is recognized by your browser. The same is true of the second kind of certificate, an organizational certificate. This means that the site shares its certificate with other sites related to the same domain—in other words, all the subdomains on mitnicksecurity.com would share the same certificate.
The most stringent level of certificate verification, however, is what’s called an extended verification certificate. On all browsers, some part of the URL turns green (ordinarily it’s gray, like the rest of the URL) when an extended verification certificate has been issued. Clicking over the address—https://www.mitnicksecurity.com—should reveal additional details about the certificate and its owner, usually the city and state of the server providing the website. This physical-world confirmation indicates that the company holding the URL is legitimate and has been confirmed by a trusted third-party certificate authority.
You might expect the browser on your mobile device to track your location, but you might be surprised that the browser on your traditional PC does the same thing. It does. How?
Remember when I explained that e-mail metadata contains the IP address of all the servers that handle the e-mails on their way to you? Well, once again, the IP address coming from your browser can identify which ISP you are using and narrow down the possible geographical areas where you might be located.
The very first time you access a site that specifically requests your location data (such as a weather site), your browser should ask whether you want to share your location with the site. The advantage of sharing is that the site can customize its listing for you. For example, you might see ads on washingtonpost.com for businesses in the town where you live rather than in the DC area.
Unsure whether you answered that browser question in the past? Then try the test page at http://benwerd.com/lab/geo.php. This is one of many test sites that will tell you whether your browser is reporting your location. If it is and you want to be invisible, then disable the feature. Fortunately, you can turn off browser location tracking. In Firefox, type “about: config” in the URL address bar. Scroll down to “geo” and change the setting to “disable.” Save your changes. In Chrome, go to Options>Under the Hood>Content Settings>Location. There’s a “Do not allow any site to track my physical location” option that will disable geolocation in Chrome. Other browsers have similar configuration options.
You might also want to fake your location—if only just for fun. If you want to send out false coordinates—say, the White House—in Firefox, you can install a browser plug-in called Geolocator. In Google Chrome, check the plug-in’s built-in setting called “emulate geolocation coordinates.” While in Chrome, press Ctrl+Shift+I on Windows or Cmd+Option+I on Mac to open the Chrome Developer Tools. The Console window will open, and you can click the three vertical dots at the top right of the Console, then select more tools>sensors. A sensor tab will open. This allows you to define the exact latitude and longitude you want to share. You can use the location of a famous landmark or you can choose a site in the middle of one of the oceans. Either way, the website won’t know where you really are.
You can obscure not only your physical location but also your IP address while online. Earlier I mentioned Tor, which randomizes the IP address seen by the website you are visiting. But not all sites accept Tor traffic. Until recently, Facebook did not. For those sites that don’t accept Tor connections, you can use a proxy.
An open proxy is a server that sits between you and the Internet. In chapter 2 I explained that a proxy is like a foreign-language translator—you speak to the translator, and the translator speaks to the foreign-language speaker, but the message remains exactly the same. I used the term to describe the way someone in a hostile country might try to send you an e-mail pretending to be from a friendly company.
You can also use a proxy to allow you to access georestricted websites—for example, if you live in a country that limits Google search access. Or perhaps you need to hide your identity for downloading illegal or copyrighted content through BitTorrent.
Proxies are not bulletproof, however. When you use a proxy, remember that each browser must be manually configured to point to the proxy service. And even the best proxy sites admit that clever Flash or JavaScript tricks can still detect your underlying IP address—the IP address you use to connect to the proxy in the first place. You can limit the effectiveness of these tricks by blocking or restricting the use of Flash and JavaScript in your browser. But the best way to prevent JavaScript injection from monitoring you via your browser is to use the HTTPS Everywhere plug-in (see here).
There are many commercial proxy services. But be sure to read the privacy policy of any service you sign up for. Pay attention to the way it handles encryption of data in motion and whether it complies with law enforcement and government requests for information.
There are also some free proxies, but you must contend with a stream of useless advertising in exchange for the use of the service. My advice is to beware of free proxies. In his presentation at DEF CON 20, my friend and security expert Chema Alonso set up a proxy as an experiment: he wanted to attract bad guys to the proxy, so he advertised the IP address on xroxy.com. After a few days more than five thousand people were using his free “anonymous” proxy. Unfortunately most of them were using it to conduct scams.
The flip side, though, is that Alonso could easily use the free proxy to push malware into the bad guy’s browser and monitor his or her activities. He did so using what’s called a BeEF hook, a browser exploitation framework. He also used an end user license agreement (EULA) that people had to accept to allow him to do it. That’s how he was able to read the e-mails being sent through the proxy and determine that it was handling traffic related to criminal activity. The moral here is that when something’s free, you get what you pay for.
If you use a proxy with https protocol, a law enforcement or government agency would only see the proxy’s IP address, not the activities on the websites you visit—that information would be encrypted. As I mentioned, normal http Internet traffic is not encrypted; therefore you must also use HTTPS Everywhere (yes, this is my answer to most browser invisibility woes).
For the sake of convenience, people often synchronize their browser settings among different devices. For example, when you sign in to the Chrome browser or a Chromebook, your bookmarks, tabs, history, and other browser preferences are all synced via your Google account. These settings load automatically every time you use Chrome, whether on traditional PCs or mobile devices. To choose what information should be synced to your account, go to the settings page on your Chrome browser. The Google Dashboard gives you full control should you ever want to remove synced information from your account. Ensure that sensitive information is not auto-synced. Mozilla’s Firefox also has a sync option.
The downside is that all an attacker needs to do is lure you into signing in to your Google account on a Chrome or Firefox browser, then all your search history will load on their device. Imagine your friend using your computer and choosing to log in to the browser. Your friend’s history, bookmarks, etc., will now be synced. That means that your friend’s surfing history, among other information, is now viewable on your computer. Plus, if you sign in to a synchronized browser account using a public terminal and forget to sign out, all your browser’s bookmarks and history will be available to the next user. If you’re signed in to Google Chrome, then even your Google calendar, YouTube, and other aspects of your Google account become exposed. If you must use a public terminal, be vigilant about signing out before you leave.
Another downside of syncing is that all interconnected devices will show the same content. If you live alone, that may be fine. But if you share an iCloud account, bad things can happen. Parents who allow their children to use the family iPad, for example, might unintentionally expose them to adult content.5
In an Apple store in Denver, Colorado, Elliot Rodriguez, a local account executive, registered his new tablet with his existing iCloud account. Instantly all his photos, texts, and music and video downloads were available to him on the new tablet. This convenience saved him time; he didn’t have to manually copy and save all that material to multiple devices. And it allowed him access to the items no matter what device he chose to use.
At some point later on Elliot thought it was a good idea to give his older-technology tablet to his eight-year-old daughter. The fact that she was connected to his devices was a short-term plus. Occasionally on his tablet Elliot would notice a new app his daughter had downloaded to her tablet. Sometimes they would even share family photos. Then Elliot took a trip to New York City, where he traveled often for business.
Without thinking, Elliot took out his iPhone and captured several moments with his New York–based mistress, some of them quite… intimate. The images from his iPhone synced automatically to his daughter’s iPad back in Colorado. And of course his daughter asked her mother about the woman who was with Daddy. Needless to say, Elliot had some serious explaining to do when he got home.
And then there’s the birthday-present problem. If you share devices or synced accounts, your visits to sites might tip gift recipients off to what they’ll be getting for their birthdays. Or, worse, what they might have gotten. Yet another reason why sharing a family PC or tablet can present a privacy problem.
One way to avoid this is to set up different users, a relatively easy step in Windows. Keep the administrator privileges for yourself so that you can add software to the system and set up additional family or household members with their own accounts. All users will log in with their own passwords and have access to only their own content and their own browser bookmarks and histories.
Apple allows for similar divisions within its OSX operating systems. However, not many people remember to segment their iCloud space. And sometimes, seemingly through no fault of our own, technology simply betrays us.
After years of dating several women, Dylan Monroe, an LA-based TV producer, finally found “the one” and decided to settle down. His fiancée moved in, and, as part of their new life together, he innocently connected his future wife to his iCloud account.
When you want to start a family, it makes sense to connect everyone to one account. Doing so allows you to share all your videos, texts, and music with the ones you love. Except that’s in the present tense. What about your digitally stored past?
Sometimes having an automatic cloud backup service like iCloud means that we accumulate many years’ worth of photos, texts, and music, some of which we tend to forget, just as we forget the contents of old boxes in the attic.
Photos are the closest thing we have to memories. And yes, spouses have been coming across shoe boxes of old letters and photographs for generations now. But a digital medium that allows you to take literally thousands of high-definition photos without too much effort creates new problems. Suddenly Dylan’s old memories—some of them very private indeed—came back to haunt him in the form of photos that were now on his fiancée’s iPhone and iPad.
There were items of furniture that had to be removed from the house because other women had performed intimate acts on that sofa, table, or bed. There were restaurants where his fiancée refused to go to because she had seen photos of other women there with him, at that table by the window or in that corner booth.
Dylan obliged his fiancée lovingly, even when she asked him to make the ultimate sacrifice—selling his house once the two of them were married. All because he’d connected his iPhone to hers.
The cloud creates another interesting problem. Even if you delete your browser history on your desktop, laptop, or mobile device, a copy of your search history remains in the cloud. Stored on the search engine company’s servers, your history is a bit harder to delete and harder to not have stored in the first place. This is just one example of how surreptitious data collection without the proper context can be easily misinterpreted at a later date and time. It’s easy to see how an innocent set of searches can go awry.
One morning in the late summer of 2013, just weeks after the Boston Marathon bombing, Michele Catalano’s husband saw two black SUVs pull up in front of their house on Long Island. When he went outside to greet the officers, they asked him to confirm his identity and requested his permission to search the house. Having nothing to hide, although uncertain why they were there, he allowed them to enter. After a cursory check of the rooms, the federal agents got down to business.
“Has anyone in this household searched for information on pressure cookers?”
“Has anyone in this household searched for information on backpacks?”
Apparently the family’s online searches through Google had triggered a preemptive investigation by the Department of Homeland Security. Without knowing the exact nature of the Catalano family investigation, one might imagine that in the weeks following the Boston Marathon bombing certain online searches, when combined, suggested the potential for terrorism and so were flagged. Within two hours the Catalano household was cleared of any potential wrongdoing. Michele later wrote about the experience for Medium—if only as a warning that what you search for today might come back to haunt you tomorrow.6
In her article, Catalano pointed out that the investigators must have discounted her searches for “What the hell do I do with quinoa?” and “Is A-Rod suspended yet?” She said her pressure-cooker query was about nothing more than making quinoa. And the backpack query? Her husband wanted a backpack.
At least one search engine company, Google, has created several privacy tools that allow you to specify what information you feel comfortable keeping.7 For example, you can turn off personalized ad tracking so that if you look up Patagonia (the region in South America) you don’t start seeing ads for South American travel. You can also turn off your search history altogether. Or you could not log in to Gmail, YouTube, or any of your Google accounts while you search online.
Even if you are not logged in to your Microsoft, Yahoo, or Google accounts, your IP address is still tied to each search engine request. One way to avoid this one-to-one match is to use the Google-proxy startpage.com or the search engine DuckDuckGo instead.
DuckDuckGo is already a default option within Firefox and Safari. Unlike Google, Yahoo, and Microsoft, DuckDuckGo has no provision for user accounts, and the company says your IP address is not logged by default. The company also maintains its own Tor exit relay, meaning that you can search DuckDuckGo while using Tor without much of a performance lag.8
Because DuckDuckGo doesn’t track your use, your search results won’t be filtered by your past searches. Most people don’t realize it, but the results you see within Google, Yahoo, and Bing are filtered by everything you searched for on those sites in the past. For example, if the search engine sees that you’re searching for sites related to health issues, it will start to filter the search results and push the results related to health issues to the very top. Why? Because very few of us bother to advance to the second page of a search result. There’s an Internet joke that says that if you want to know the best place to bury a dead body, try here of the search results.
Some people might like the convenience of not having to scroll through seemingly unrelated results, but at the same time it is patronizing for a search engine to decide what you may or may not be interested in. By most measures, that is censorship. DuckDuckGo does return relevant search results, but filtered by topic, not by your past history.
In the next chapter I’ll talk about specific ways websites make it hard for you to be invisible to them and what you can do to surf the Web anonymously.