CHAPTER SIX

Every Mouse Click You Make, I’ll Be Watching You

Be very careful what you search for on the Internet. It’s not just search engines that track your online habits; every website you visit does as well. And you’d think that some of them would know better than to expose private matters to others. For example, a 2015 report found that “70 percent of health sites’ URLs contain information exposing specific conditions, treatments, and diseases.”1

In other words, if I’m on WebMD and searching for “athlete’s foot,” the unencrypted words athlete’s foot will appear within the URL visible in my browser’s address bar. This means that anyone—my browser, my ISP, my cellular carrier—can see that I am looking for information about athlete’s foot. Having HTTPS Everywhere enabled on your browser would encrypt the contents of the site you are visiting, assuming the site supports https, but it doesn’t encrypt the URL. As even the Electronic Frontier Foundation notes, https was never designed to conceal the identity of the sites you visit.

Additionally, the study found that 91 percent of health-related sites make requests to third parties. These calls are embedded in the pages themselves, and they make requests for tiny images (which may or may not be visible on the browser page), which informs these other third-party sites that you are visiting a particular page. Do a search for “athlete’s foot,” and as many as twenty different entities—ranging from pharmaceuticals companies to Facebook, Pinterest, Twitter, and Google—are contacted as soon as the search results load in your browser. Now all those parties know you have been searching for information about athlete’s foot.2

These third parties use this information to target you with online advertising. Also, if you logged in to the health-care site, they might be able to obtain your e-mail address. Fortunately I can help you prevent these entities from learning more about you.

On the health-care sites analyzed in the 2015 study, the top ten third parties were Google, comScore, Facebook, AppNexus, AddThis, Twitter, Quantcast, Amazon, Adobe, and Yahoo. Some—comScore, AppNexus, and Quantcast—measure Web traffic, as does Google. Of the third parties listed above, Google, Facebook, Twitter, Amazon, Adobe, and Yahoo are spying on your activity for commercial reasons, so they can, for example, load ads for athlete’s foot remedies in future searches.

Also mentioned in the study were the third parties Experian and Axiom, which are simply data warehouses—they collect as much data about a person as they possibly can. And then they sell it. Remember the security questions and the creative answers I suggested that you use? Often companies like Experian and Axiom collect, provide, and use those security questions to build online profiles. These profiles are valuable to marketers that want to target their products to certain demographics.

How does that work?

Whether you type the URL in manually or use a search engine, every site on the Internet has both a hostname and a numerical IP address (some sites exist only as numerical addresses). But you almost never see the numerical address. Your browser hides it and uses the domain name service (DNS) to translate a site’s hostname—say, Google—into a specific address, in Google’s case https://74.125.224.72/.

DNS is like a global phone book, cross-referencing the hostname with the numerical address of the server of the site you just requested. Type “Google.com” into your browser, and DNS points it to Google’s server at https://74.125.224.72. Then you see the familiar white screen with the day’s Google Doodle above a blank search field. That, in theory, is how all Web browsers work. In practice there is more to it.

After the site has been identified through its numerical address, it will send information back to your Web browser so that it can start “building” the Web page you see. When the page is returned to your browser, you see the elements you would expect—the information you want retrieved, any related images, and ways to navigate to other parts of the site. But often there are elements that are returned to your browser that call out to other websites for additional images or scripts. Some, if not all, of these scripts are for tracking purposes, and in most cases you simply do not need them.

Almost every digital technology produces metadata, and, as you’ve no doubt already guessed, browsers are no different. Your browser can reveal information about your computer’s configuration if queried by the site you are visiting. For example, what version of what browser and operating system you’re using, what add-ons you have for that browser, and what other programs you’re running on your computer (such as Adobe products) while you search. It can even reveal details of your computer’s hardware, such as the resolution of the screen and the capacity of the onboard memory.

You might think after reading this far that you have taken great strides in becoming invisible online. And you have. But there’s more work to be done.

Take a moment and surf over to Panopticlick.com. This is a site built by the Electronic Frontier Foundation that will determine just how common or unique your browser configuration is compared to others, based on what’s running on your PC or mobile device’s operating system and the plug-ins you may have installed. In other words, do you have any plug-ins that can be used to limit or otherwise protect the information that Panopticlick can glean from your browser alone?

If the numbers on the left-hand side, the results from Panopticlick, are high—say, a six-digit number—then you are somewhat unique, because your browser settings are found in fewer than one in one hundred thousand computers. Congratulations. However, if your numbers are low—say, less than three digits—then your browser settings are fairly common. You’re just one in a few hundred. And that means if I’m going to target you—with ads or malware—I don’t have to work very hard, because you have a common browser configuration.3

You might think that having a common configuration can help you become invisible—you’re part of the crowd; you blend in. But from a technical perspective, this opens you up to malicious activities. A criminal hacker doesn’t want to expend a lot of effort. If a house has a door open and the house next to it has a door closed, which do you think a thief would rob? If a criminal hacker knows that you have common settings, then perhaps you also lack certain protections that could enhance your security.

I understand I just jumped from discussing marketers trying to track what you view online to criminal hackers who may or may not use your personal information to steal your identity. These are very different. Marketers collect information in order to create ads that keep websites profitable. Without advertising, some sites simply could not continue. However, marketers, criminal hackers, and, for that matter, governments are all trying to get information that you may not want to give, and so, for the sake of argument, they are often lumped together in discussions about the invasion of privacy.

One way to be common yet also safe from online eavesdropping is to use a virtual machine (VM), an operating system like Mac OSX running as a guest on top of your Windows operating system. You can install VMware on your desktop and use it to run another operating system. When you’re done, you simply shut it down. The operating system and everything you did within it will disappear. The files you save, however, will remain wherever you saved them.

Something else to watch out for is that marketers and criminal hackers alike learn something about visitors to a website through what’s known as a one-pixel image file or web bug. Like a blank browser pop-up window, this is a 1×1-pixel image placed somewhere on a Web page that, although invisible, nonetheless calls back to the third-party site that placed it there. The backend server records the IP address that tried to render that image. A one-pixel image placed on a health-care site could tell a pharmaceuticals company that I was interested in athlete’s foot remedies.

The 2015 study I mentioned at the beginning of this chapter found that almost half of third-party requests simply open pop-up windows containing no content whatsoever. These “blank” windows generate silent http requests to third-party hosts that are used only for tracking purposes. You can avoid these by instructing your browser not to allow pop-up windows (and this will also eliminate those annoying ads as well).

Nearly a third of the remaining third-party requests, according to the study, consisted of small lines of code, JavaScript files, which usually just execute animations on a Web page. A website can identify the computer accessing the site, mostly by reading the IP address that is requesting the JavaScript file.

Even without a one-pixel image or a blank pop-up window, your Web surfing can still be tracked by the sites you visit. For example, Amazon might know that the last site you visited was a health-care site, so it will make recommendations for health-care products for you on its own site. The way Amazon might do this is to actually see the last site you visited in your browser request.

Amazon accomplishes this by using third-party referrers—text in the request for a Web page that tells the new page where the request originated. For example, if I’m reading an article on Wired and it contains a link, when I click that link the new site will know that I was previously on a page within Wired.com. You can see how this third-party tracking can affect your privacy.

To avoid this, you can always go to Google.com first, so the site you want to visit doesn’t know where you were previously. I don’t believe third-party referrers are such a big deal, except when you’re trying to mask your identity. This is one more example of a trade-off between convenience (simply going to the next website) and invisibility (always starting from Google.com).
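How much of the previous address the next site learns is set by the browser’s Referrer-Policy (a site can also send that header for its own pages as a defence); the code below is an added example, not from this book, implementing the W3C Referrer Policy rules, simplified so that any https-to-http request counts as a downgrade, over a constructed health-site search page and its third-party requests, all host names hypothetical. Browsers defaulted to no-referrer-when-downgrade when this chapter was written; Chrome (2020) and Firefox (2021) now default to strict-origin-when-cross-origin.

```javascript
// Full-URL form of a referrer: credentials and fragment are always stripped.
function strippedUrl(u) {
  const x = new URL(u);
  x.username = '';
  x.password = '';
  x.hash = '';
  return x.href;
}

// Origin-only form: scheme://host[:port]/ and nothing else.
function originOf(u) {
  return new URL(u).origin + '/';
}

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Simplification for this example: a "downgrade" is any https -> http request.
function isDowngrade(from, to) {
  return new URL(from).protocol === 'https:' && new URL(to).protocol === 'http:';
}

// The Referer value a browser sends for a request from `from` to `to` under
// the given policy, or null when no Referer header is sent at all.
function refererFor(policy, from, to) {
  const same = sameOrigin(from, to);
  const down = isDowngrade(from, to);
  switch (policy) {
    case 'no-referrer': return null;
    case 'unsafe-url': return strippedUrl(from);
    case 'no-referrer-when-downgrade': return down ? null : strippedUrl(from);
    case 'same-origin': return same ? strippedUrl(from) : null;
    case 'origin': return originOf(from);
    case 'strict-origin': return down ? null : originOf(from);
    case 'origin-when-cross-origin': return same ? strippedUrl(from) : originOf(from);
    case 'strict-origin-when-cross-origin':
      if (same) return strippedUrl(from);
      return down ? null : originOf(from);
    default: throw new Error('unknown Referrer-Policy: ' + policy);
  }
}

// How much of the page address a given Referer value reveals.
function whatLeaks(referer, pageUrl) {
  if (referer === null) return 'nothing';
  return referer === strippedUrl(pageUrl) ? 'full URL, search terms included' : 'origin only';
}

// For each third-party request a page triggers, what that host learns about
// the page the visitor is on.
function auditLeaks(policy, pageUrl, requests) {
  const report = {};
  for (const r of requests) {
    report[new URL(r).host] = whatLeaks(refererFor(policy, pageUrl, r), pageUrl);
  }
  return report;
}

// Constructed sample: a search-results page on a hypothetical health site and
// the third-party fetches embedded in it: a tracking pixel, an analytics
// beacon, and a script still served over plain http.
const HEALTH_PAGE = 'https://health.example/search?q=athlete%27s+foot';
const THIRD_PARTY_REQUESTS = [
  'https://pixel.adnet.example/i.gif',
  'https://stats.example/collect',
  'http://legacy-cdn.example/widget.js',
];

for (const policy of ['no-referrer-when-downgrade', 'strict-origin-when-cross-origin', 'no-referrer']) {
  console.log(policy, auditLeaks(policy, HEALTH_PAGE, THIRD_PARTY_REQUESTS));
}
```

A site operator in the health site’s position can send `Referrer-Policy: strict-origin-when-cross-origin` (or `no-referrer`) so that the search terms never reach embedded third parties, whatever the visitor’s browser does.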

Mozilla’s Firefox offers one of the best defenses against third-party tracking through a plug-in called NoScript.4 This add-on effectively blocks just about everything considered harmful to your computer and browser, namely, Flash and JavaScript. Adding security plug-ins will change the look and feel of your browsing session, although you can cherry-pick and enable specific features or permanently trust some sites.

One result of enabling NoScript is that the page you visit will have no ads and certainly no third-party referrers. As a result of the blocking, the Web page looks slightly duller than the version without NoScript enabled. However, should you want to see that Flash-encoded video in the upper left-hand corner of the page, you can specifically allow that one element to render while continuing to block everything else. Or, if you feel you can trust the site, you can temporarily or permanently allow all elements on that page to load—something you might want to do on a banking site, for example.

For its part, Chrome has ScriptBlock,5 which allows you to defensively block the use of scripts on a Web page. This is useful for kids who may surf to a site that allows pop-up adult entertainment ads.

Blocking potentially harmful (and certainly privacy-compromising) elements on these pages will keep your computer from being overrun with ad-generating malware. For example, you may have noticed that ads appear on your Google home page. In fact, you should have no flashing ads on your Google home page. If you see them, your computer and browser may have been compromised (perhaps some time ago), and as a result you’re seeing third-party ads that may contain Trojan horses—keyloggers, which record every keystroke you make, and other malware—if you click on them. Even if the ads don’t contain malware, the advertisers’ revenue comes from the number of clicks they receive. The more people they dupe into clicking, the more money they make.

As good as they are, NoScript and ScriptBlock don’t block everything. For complete protection against browser threats, you might want to install Adblock Plus. The only problem is that Adblock records everything: this is another company that tracks your surfing history, despite your use of private browsing. However, in this case the good—blocking potentially dangerous ads—outweighs the bad: they know where you’ve been online.

Another useful plug-in is Ghostery, available for both Chrome and Firefox. Ghostery identifies all the Web traffic trackers (such as DoubleClick and Google AdSense) that sites use to follow your activity. Like NoScript, Ghostery gives you granular control over which trackers you want to allow on each page. The site says, “Blocking trackers will prevent them from running in your browser, which can help control how your behavioral data is tracked. Keep in mind that some trackers are potentially useful, such as social network feed widgets or browser-based games. Blocking may have an unintended effect on the sites you visit.” Meaning that some sites will no longer work with Ghostery installed. Fortunately, you can disable it on a site-by-site basis.6

In addition to using plug-ins to block sites from identifying you, you might want to confuse potential hackers further by using a variety of e-mail addresses tailored for individual purposes. For example, in chapter 2 I discussed ways of creating anonymous e-mail accounts in order to communicate without detection. Similarly, for simple day-to-day browsing, it’s also a good idea to create multiple e-mail accounts—not to hide but to make yourself less interesting to third parties on the Internet. Having multiple online personality profiles dilutes the privacy impact of having only one identifiable address. It makes it harder for anyone to build an online profile of you.

Let’s say you want to purchase something online. You might want to create an e-mail address that you use exclusively for shopping. You might also want to have anything you purchase with this e-mail address sent to your mail drop instead of your home address.7 In addition, you might want to use a gift card for your purchase, perhaps one you reload from time to time.

This way the company selling you products will only have your nonprimary e-mail address, your nonprimary real-world address, and your more-or-less throwaway gift card. If there’s ever a data breach at that company, at least the attackers won’t have your real e-mail address, real-world address, or credit card number. This kind of disconnection from an online purchasing event is good privacy practice.

You might also want to create another nonprimary e-mail address for social networks. This address might become your “public” e-mail address, which strangers and mere acquaintances can use to get in touch with you. The advantage to this is that, once again, people won’t learn much about you. At least not directly. You can further protect yourself by giving each nonprimary address a unique name, either a variation on your real name or another name entirely.

Be careful if you go with the former option. You might not want to list a middle name—or, if you always go by your middle name, you might not want to list your first name. Even something innocent like JohnQDoe@xyz.com just tipped us off that you have a middle name and that it begins with Q. This is an example of giving out personal information when it isn’t necessary. Remember that you are trying to blend into the background, not call attention to yourself.

If you use a word or phrase unrelated to your name, make it as unrevealing as possible. If your e-mail address is snowboarder@xyz.com, we may not know your name, but we do know one of your hobbies. Better to choose something generic, like silverfox@xyz.com.

You’ll of course also want to have a personal e-mail address. You should only share this one with close friends and family. And the safest practices often come with nice bonuses: you’ll find that not using your personal e-mail address for online purchasing will prevent you from receiving a ton of spam.

Cell phones are not immune from corporate tracking. In the summer of 2015, an eagle-eyed researcher caught AT&T and Verizon appending additional code to every Web page request made through a mobile browser. This is not the IMSI—international mobile subscriber identity—I talked about in chapter 3; rather, it’s a unique identification code sent with each Web page request. The code, known as a unique identifier header, or UIDH, is a temporary serial number that advertisers can use to identify you on the Web. The researcher discovered what was going on because he configured his mobile phone to log all web traffic (which not many people do). Then he noticed the additional data tacked on to Verizon customers and, later, AT&T customers.8

The problem with this additional code is that customers were not told about it. For instance, those who had downloaded the Firefox mobile app and used plug-ins to increase their privacy were, if they used AT&T or Verizon, nonetheless being tracked by the UIDH codes.

Thanks to these UIDH codes, Verizon and AT&T could take the traffic associated with your Web requests and either use it to build a profile of your mobile online presence for future advertising or simply sell the raw data to others.

AT&T has suspended the operation—for now.9 Verizon has made it yet another option for the end user to configure.10 Note: by not opting out, you give Verizon permission to continue.

Even if you turn off JavaScript, a website may still pass a text file with data called an http cookie back to your browser. This cookie could be stored for a long time. The term cookie is short for magic cookie, a piece of text that is sent from a website and stored in the user’s browser to keep track of things, such as items in a shopping cart, or even to authenticate a user. Cookies were first used on the Web by Netscape and were originally intended to help with creating virtual shopping carts and e-commerce functions. Cookies are typically stored in the browser on a traditional PC and have expiration dates, although these dates could be decades in the future.

Are cookies dangerous? No—at least not by themselves. However, cookies would provide third parties with information about your account and your specific preferences, such as your favorite cities on a weather site or your airline preferences on a travel site. The next time your browser connects to that site, if a cookie already exists, the site will remember you and perhaps say “Hello, Friend.” And if it is an e-commerce site, it may also remember your last few purchases.

Cookies do not actually store this information on your traditional PC or mobile device. Like cell phones that use IMSIs as proxies, the cookie contains a proxy for the data that lives on the back end at the site. When your browser loads a Web page with a cookie attached, additional data is pulled from the site that is specific to you.

Not only do cookies store your personal site preferences, they also provide valuable tracking data for the site they came from. For example, if you are a prospective customer of a company and you have previously entered your e-mail address or other information to access a white paper, chances are there is a cookie in your browser for that company’s site that matches, on the back end, information about you in a customer record management (CRM) system—say, Salesforce or HubSpot. Now every time you access that company’s site, you will be identified through the cookie in your browser, and that visit will be recorded within the CRM.

Cookies are segmented, meaning that website A can’t necessarily see the contents of a cookie for website B. There have been exceptions, but generally the information is separate and reasonably secure. From a privacy perspective, however, cookies do not make you very invisible.

You can only access cookies in the same domain, a set of resources assigned to a specific group of people. Ad agencies get around this by loading a cookie that can track your activity on several sites that are part of their larger networks. In general, though, cookies cannot access another site’s cookies. Modern browsers provide a way for the user to control cookies. For example, if you surf the Web using incognito or private browsing features, you will not retain a historical record within the browser of your visit to a given site, nor will you acquire a new cookie for that session. If you had a cookie from an earlier visit, however, it will still apply in private mode. If you are using the normal browsing feature, on the other hand, you may from time to time want to manually remove some or all of the cookies you acquired over the years.

I should note that removing all cookies may not be advisable. Selectively removing the cookies that are associated with one-off visits to sites you don’t care about will help remove traces of you from the Internet. Sites you revisit won’t be able to see you, for example. But for some sites, such as a weather site, it might be tedious to keep typing in your zip code every time you visit when a simple cookie might suffice.

Removing cookies can be accomplished by using an add-on or by going into the settings or preferences section of your browser, where there is usually an option to delete one or more (even all) of the cookies. You may want to determine the fate of your cookies on a case-by-case basis.

Some advertisers use cookies to track how long you spend on the sites where they’ve placed their ads. Some even record your visits to previous sites, what’s known as the referrer site. You should delete these cookies immediately. You will recognize some of them because their names won’t contain the names of the sites you visited. For example, instead of “CNN,” a referrer cookie will identify itself as “Ad321.” You may also want to consider using a cookie cleaner software tool, such as the one at piriform.com/ccleaner, to help manage your cookies easily.
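To make the domain, path and expiry rules above concrete, here is an added example, not from this book: it parses Set-Cookie headers the way a browser stores them, decides which cookies a request would carry under RFC 6265 domain and path matching, and flags long-lived third-party cookies of the “Ad321” kind. The responses and host names are constructed, and the “site” of a host is simplified to its last two labels where a browser would consult the Public Suffix List.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;

// Parse one Set-Cookie header the way a browser stores it. `setByUrl` is the
// URL of the response that carried the header; `now` is when it arrived.
function parseSetCookie(header, setByUrl, now) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq), value: pair.slice(eq + 1),
    domain: new URL(setByUrl).hostname, hostOnly: true, path: '/',
    expires: null, secure: false, httpOnly: false, sameSite: 'Lax',
  };
  let maxAge = null;
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1);
    switch (key) {
      case 'domain': cookie.domain = val.replace(/^\./, '').toLowerCase(); cookie.hostOnly = false; break;
      case 'path': cookie.path = val || '/'; break;
      case 'expires': cookie.expires = new Date(val); break;
      case 'max-age': maxAge = Number(val); break;
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': cookie.sameSite = val; break;
    }
  }
  // Max-Age takes precedence over Expires whichever order they appear in.
  if (maxAge !== null) cookie.expires = new Date(now.getTime() + maxAge * 1000);
  return cookie;
}

// RFC 6265 domain matching: a Domain= cookie is sent to that host and all its
// subdomains; a cookie set without Domain= goes only to the exact host.
function domainMatches(host, cookie) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith('.' + cookie.domain);
}

// RFC 6265 path matching.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Names of the stored cookies a browser would attach to a request for `url`.
// (SameSite is parsed but not enforced here; that needs the top-level site.)
function cookiesSentTo(jar, url, now) {
  const u = new URL(url);
  return jar
    .filter((c) => domainMatches(u.hostname, c) && pathMatches(u.pathname, c.path))
    .filter((c) => !c.secure || u.protocol === 'https:')
    .filter((c) => c.expires === null || c.expires > now)
    .map((c) => c.name);
}

// Simplified "site" of a host: its last two labels. Browsers use the Public
// Suffix List instead, which this example does not embed.
function siteOf(host) {
  return host.split('.').slice(-2).join('.');
}

// Flag cookies that belong to a site other than the page that was visited and
// that will outlive the visit by a year or more: the tracker kind.
function auditCookies(jar, pageUrl, now) {
  const pageSite = siteOf(new URL(pageUrl).hostname);
  return jar
    .map((c) => ({
      name: c.name, domain: c.domain, thirdParty: siteOf(c.domain) !== pageSite,
      yearsLeft: c.expires === null ? 0 : Math.round((c.expires - now) / (365 * DAY_MS)),
    }))
    .filter((r) => r.thirdParty && r.yearsLeft >= 1);
}

// Constructed sample: one page view on a hypothetical news site that embeds an
// ad-network pixel; each entry is a response URL and a Set-Cookie it carried.
const NOW = new Date('2016-02-01T00:00:00Z');
const SAMPLE_RESPONSES = [
  ['https://news.example/world', 'session=abc123; Path=/; Secure; HttpOnly'],
  ['https://news.example/world', 'zip=90210; Max-Age=2592000'],
  ['https://pixel.adnet.example/i.gif',
    'Ad321=7f3a9c; Domain=.adnet.example; Path=/; Expires=Tue, 19 Jan 2038 03:14:07 GMT; SameSite=None; Secure'],
];

function buildJar(responses, now) {
  return responses.map(([url, header]) => parseSetCookie(header, url, now));
}

const sampleJar = buildJar(SAMPLE_RESPONSES, NOW);
console.log(cookiesSentTo(sampleJar, 'https://news.example/sports', NOW));
console.log(cookiesSentTo(sampleJar, 'https://shop.adnet.example/checkout', NOW));
console.log(auditCookies(sampleJar, 'https://news.example/world', NOW));
```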

There are, however, some cookies that are impervious to whatever decisions you make on the browser side. These are called super cookies because they exist on your computer, outside of your browser. Super cookies access a site’s preferences and tracking data no matter what browser you use (Chrome today, Firefox tomorrow). And you should delete super cookies as well; otherwise the next time your browser accesses the site, the copy stored outside the browser will be used to re-create the site’s http cookies.

There are two specific super cookies that live outside your browser that you can delete—Flash, from Adobe, and Silverlight, from Microsoft. Neither of these super cookies expires. And it is generally safe to delete them.11

Then there’s the toughest cookie of them all. Samy Kamkar, once famous for creating the rapidly spreading Myspace worm called Samy, has created something he calls Evercookie, which is simply a very, very persistent cookie.12 Kamkar achieved this persistence by storing the cookie data in as many browser storage systems as possible throughout the Windows operating system. As long as one of the storage sites remains intact, Evercookie will attempt to restore the cookie everywhere else.13 Thus simply deleting an Evercookie from the browser’s cookie storage cache is not enough. Like the kids’ game whack-a-mole, Evercookies will keep popping up. You will need to delete them completely from your machine in order to win.

If you consider how many cookies you might already have on your browser, and if you multiply that by the number of potential storage areas on your machine, you can see that you’ll be in for a long afternoon and evening.

It’s not just websites and mobile carriers that want to track your activities online. Facebook has become ubiquitous—a platform beyond just social media. You can sign in to Facebook and then use that same Facebook log-in to sign in to various other apps.

How popular is this practice? At least one marketing report finds that 88 percent of US consumers have logged in to a website or mobile application using an existing digital identity from a social network such as Facebook, Twitter, and Google Plus.14

There are pros and cons to this convenience—known as OAuth, an authentication protocol that allows a site to trust you even if you don’t enter a password. On the one hand, it’s a shortcut: you can quickly access new sites using your existing social media password. On the other hand, this allows the social media site to glean information about you for its marketing profiles. Instead of just knowing about your visit to a single site, it knows about all the sites, all the brands you use its log-in information for. When we use OAuth, we’re giving up a lot of privacy for the sake of convenience.

Facebook is perhaps the most “sticky” of all social media platforms. Logging out of Facebook may deauthorize your browser from accessing Facebook and its Web applications. Furthermore, Facebook adds trackers for monitoring user activity that function even after you’re logged out, requesting information such as your geographic location, which sites you visit, what you click on within individual sites, and your Facebook username. Privacy groups have expressed concern about Facebook’s intent to start tracking information from some of the websites and apps its users are visiting in order to display more personalized ads.

The point is that Facebook, like Google, wants data about you. It may not come right out and ask, but it will find ways to get it. If you link your Facebook account to other services, the platform will have information about you and that other service or app. Maybe you use Facebook to access your bank account—if you do, it knows what financial institution you use. Using just one authentication means that if someone gets into your Facebook account, that person will have access to every other website linked to that account—even your bank account. In the security business, having what we call a single point of failure is never a good idea. Although it takes a few seconds more, it’s worth signing in to Facebook only when you need to and signing in to each app you use separately.

In addition, Facebook has deliberately chosen not to honor the “do not track” signal sent by Internet Explorer on the grounds that there’s “no industry consensus” behind it.15 The Facebook trackers come in the classic forms: cookies, JavaScript, one-pixel images, and iframes. This allows targeted advertisers to scan and access specific browser cookies and trackers to deliver products, services, and ads, both on and off Facebook.

Fortunately there are browser extensions that block Facebook services on third-party sites, e.g., Facebook Disconnect for Chrome16 and Facebook Privacy List for Adblock Plus (which works with both Firefox and Chrome).17 Ultimately the goal of all of these plug-in tools is to give you control over what you share with Facebook and any other social networks as opposed to forcing you to take a backseat and allowing the service you’re using to govern these things for you.

Given what Facebook knows about its 1.65 billion subscribers, the company has been fairly benevolent—so far.18 It has a ton of data, but it, like Google, has chosen not to act on all of it. But that doesn’t mean it won’t.

More overt than cookies—and equally parasitic—are toolbars. The additional toolbar you see at the top of your traditional PC browser might be labeled YAHOO or MCAFEE or ASK. Or it may carry the name of any number of other companies. Chances are you don’t remember how the toolbar got there. Nor do you ever use it. Nor do you know how to remove it.

Toolbars like this draw your attention away from the toolbar that came with your browser. The native toolbar allows you to choose which search engine to use as the default. The parasitic one will take you to its own search site, and the results may be filled with sponsored content. This happened to Gary More, a West Hollywood resident, who found himself with the Ask.com toolbar and no clear way to remove it. “It’s like a bad houseguest,” said More. “It will not leave.”19

If you have a second or third toolbar, it may be because you’ve downloaded new software or had to update existing software. For example, if you have Java installed on your computer, Oracle, the maker of Java, will automatically include a toolbar unless you specifically tell it not to. When you were clicking through the download or update screens, you probably didn’t notice the tiny check box that by default indicated your consent to the installation of a toolbar. There’s nothing illegal about this; you did give consent, even if it means that you didn’t opt out of having it install automatically. But that toolbar allows another company to track your Web habits and perhaps change your default search engine to its own service as well.

The best way to remove a toolbar is to uninstall it the way you would uninstall any program on your traditional PC. But some of the most persistent and parasitic toolbars may require you to download a removal tool, and often the process of uninstalling can leave behind enough information to allow advertising agents related to the toolbar to reinstall it.

When installing new software or updating existing software, pay attention to all the check boxes. You can avoid a lot of hassle if you don’t agree to the installation of these toolbars in the first place.

What if you do use private browsing, have NoScript and HTTPS Everywhere installed, and periodically delete your browser’s cookies and extraneous toolbars? You should be safe, right? Nope. You can still be tracked online.

Websites are coded using something called Hypertext Markup Language, or HTML. There are many new features available in the current version, HTML5. Some of the features have hastened the demise of the super cookies Silverlight and Flash—which is a good thing. HTML5 has, however, enabled new tracking technologies, perhaps by accident.

One of these is canvas fingerprinting, an online tracking tool that is cool in a very creepy way. Canvas fingerprinting uses the HTML5 canvas element to draw a simple image. That’s it. The drawing of the image takes place within the browser and is not visible to you. It takes only a fraction of a second. But the result is visible to the requesting website.

The idea is that your hardware and software, when combined as resources for the browser, will render the image uniquely. The image—it could be a series of variously colored shapes—is then converted into a unique number, roughly the way passwords are. This number is then matched to previous instances of that number seen on other websites around the Internet. And from that—the number of places where that unique number is seen—a profile of websites you visit can be built up. This number, or canvas fingerprint, can be used to identify your browser whenever it returns to any particular website that requested it, even if you have removed all cookies or blocked future cookies from installing, because it uses an element built into HTML5 itself.20

Canvas fingerprinting is a drive-by process; it does not require you to click or do anything but simply view a Web page. Fortunately there are plug-ins for your browser that can block it. For Firefox there’s CanvasBlocker.21 For Google Chrome there’s CanvasFingerprintBlock.22 Even the Tor project has added its own anticanvas technology to its browser.23
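How a canvas-blocking plug-in can interfere with this, as an added example that is not from this book or from either plug-in’s source: it hooks the canvas read-out methods so the drawing itself is unchanged but the pixel values a script can read back carry a small session-specific noise, which changes the resulting number from one session to the next. Browser prototypes are replaced by constructed stand-ins so the code runs under Node; the 16×16 pixel buffer stands in for the shapes a tracker draws.

```javascript
// FNV-1a 32-bit hash: reduces the read-back pixel bytes to the short number
// a tracker stores as the "canvas fingerprint".
function fnv1a(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) {
    h ^= b;
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// xorshift32 PRNG seeded with the per-session secret, so the noise pattern is
// reproducible within a session and different in the next one.
function makeRng(seed) {
  let s = seed >>> 0 || 1;
  return () => {
    s ^= s << 13; s >>>= 0;
    s ^= s >>> 17;
    s ^= s << 5;  s >>>= 0;
    return s / 0x100000000;
  };
}

// Flip the low bit of about 1 in 64 colour channels (alpha untouched): not
// perceptible to a viewer, but enough to change the hash.
function addNoise(imageData, rng) {
  const d = imageData.data;
  for (let i = 0; i < d.length; i++) {
    if (i % 4 === 3) continue;
    if (rng() < 1 / 64) d[i] ^= 1;
  }
  return imageData;
}

// Hook the two read-out paths. In a browser the arguments would be
// CanvasRenderingContext2D.prototype and HTMLCanvasElement.prototype; drawing
// is left alone, only what scripts can read back is altered. Returns a
// function that removes the hook again.
function installCanvasGuard(contextProto, canvasProto, sessionSeed) {
  const origGetImageData = contextProto.getImageData;
  const origToDataURL = canvasProto.toDataURL;
  contextProto.getImageData = function (...args) {
    // A fresh generator per call keeps the noise identical for repeated reads.
    return addNoise(origGetImageData.apply(this, args), makeRng(sessionSeed));
  };
  // Policy chosen for this example: refuse image export entirely.
  canvasProto.toDataURL = function () { return 'data:,'; };
  return function uninstall() {
    contextProto.getImageData = origGetImageData;
    canvasProto.toDataURL = origToDataURL;
  };
}

// Constructed stand-ins for a browser canvas so the code runs under Node.
class FakeContext {
  constructor(pixels) { this.pixels = pixels; }
  getImageData() { return { data: Uint8ClampedArray.from(this.pixels) }; }
}
class FakeCanvas {
  constructor(width, height) {
    this.width = width; this.height = height;
    this.pixels = new Uint8ClampedArray(width * height * 4);
    for (let i = 0; i < this.pixels.length; i++) this.pixels[i] = (i * 37) & 0xff;
  }
  getContext() { return new FakeContext(this.pixels); }
  toDataURL() { return 'data:image/png;base64,' + fnv1a(this.pixels); } // stand-in, not a real PNG
}

// What a tracking script does after drawing: read the pixels back and hash them.
function canvasFingerprint(canvas) {
  const ctx = canvas.getContext('2d');
  return fnv1a(ctx.getImageData(0, 0, canvas.width, canvas.height).data);
}

// Fingerprint the same drawing with no guard, then under each session seed.
function fingerprintsForSessions(seeds) {
  const fresh = () => new FakeCanvas(16, 16);
  const result = { unguarded: canvasFingerprint(fresh()), sessions: [] };
  for (const seed of seeds) {
    const uninstall = installCanvasGuard(FakeContext.prototype, FakeCanvas.prototype, seed);
    result.sessions.push({
      first: canvasFingerprint(fresh()),
      second: canvasFingerprint(fresh()),
      exported: fresh().toDataURL(),
    });
    uninstall();
  }
  return result;
}

console.log(fingerprintsForSessions([0x1234abcd, 0x9e3779b9]));
```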

If you use these plug-ins and follow all my other recommendations, you might think that you’re finally free of online tracking. And you’d be wrong.

Firms such as Drawbridge and Tapad, and Oracle’s Crosswise, take online tracking a step further. They claim to have technologies that can track your interests across multiple devices, including sites you visit only on your cell phones and tablets.

Some of this tracking relies on machine learning and probabilistic matching. For example, if a mobile device and a traditional PC both contact a site from the same IP address, which is exactly what a home router's shared connection produces, it's very possible that they are owned by a single person. Suppose you search for a particular item of clothing on your cell phone, then, when you get home and are on your traditional PC, you find that same item in the "recently viewed" section of the retailer's website. Better yet, suppose you buy the item using your traditional PC. The more such matches accumulate between distinct devices, the more likely it is that a single individual is using both of them. Drawbridge alone claims it linked 1.2 billion users across 3.6 billion devices in 2015.24
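The simplest form of that matching can be written down. What follows is an added example, not from this book and not how Drawbridge, Tapad, or Crosswise actually do it (their methods are proprietary). It scores every pair of devices a tracker has seen by the features they share, with the assumption, stated in the code, that sharing an IP address is much stronger evidence of a common owner than both visiting the same popular site. The log entries and addresses are constructed for the example.

```javascript
// Added example of probabilistic cross-device matching. Not from the book,
// and not the proprietary method of any named firm. Log entries constructed.

// A tracker's view: every page load it observes, keyed by the per-device
// identifier it already holds (a cookie, a canvas fingerprint, an ad ID).
const LOG = [
  { device: "phone-1", ip: "203.0.113.7", site: "shop.example" },  // phone on home Wi-Fi
  { device: "phone-1", ip: "198.51.100.9", site: "news.example" }, // phone on cellular
  { device: "laptop-1", ip: "203.0.113.7", site: "shop.example" }, // laptop at home
  { device: "laptop-1", ip: "203.0.113.7", site: "mail.example" },
  { device: "phone-1", ip: "203.0.113.7", site: "mail.example" },
  { device: "laptop-2", ip: "192.0.2.44", site: "shop.example" },  // unrelated person
];

// Assumed weights: a shared address is far stronger evidence than a shared site.
const WEIGHT = { ip: 1.0, site: 0.25 };

// Score every pair of devices by the features they share. A feature seen on
// k devices splits its weight over the k-1 other devices, so a home router
// shared by two devices counts fully while a carrier NAT shared by thousands
// counts for almost nothing.
function linkDevices(events) {
  const owners = new Map(); // "kind:value" -> Set of device ids
  for (const e of events) {
    for (const [kind, value] of [["ip", e.ip], ["site", e.site]]) {
      const key = `${kind}:${value}`;
      if (!owners.has(key)) owners.set(key, new Set());
      owners.get(key).add(e.device);
    }
  }
  const pairs = new Map();
  for (const [key, devs] of owners) {
    if (devs.size < 2) continue;
    const kind = key.slice(0, key.indexOf(":"));
    const w = WEIGHT[kind] / (devs.size - 1);
    const list = [...devs].sort();
    for (let i = 0; i < list.length; i++) {
      for (let j = i + 1; j < list.length; j++) {
        const id = `${list[i]}|${list[j]}`;
        const rec = pairs.get(id) ?? { devices: [list[i], list[j]], score: 0, evidence: [] };
        rec.score += w;
        rec.evidence.push(key);
        pairs.set(id, rec);
      }
    }
  }
  return [...pairs.values()].sort(
    (a, b) => b.score - a.score || a.devices.join("|").localeCompare(b.devices.join("|")),
  );
}

// Pairs the tracker would treat as one person. The threshold is an assumption.
function linkedPairs(events, threshold = 1.0) {
  return linkDevices(events).filter((p) => p.score >= threshold);
}
```

On the constructed log, `linkDevices(LOG)` ranks `phone-1` and `laptop-1` first with a score of 1.375 (the shared home address, plus the two sites both visited), while the unrelated `laptop-2` scores only 0.125 against either of them for visiting the same shop. A production system adds time proximity, the rarity of each site, and login events, but the shape is the same, and so is the lesson: to anyone who sees both of your devices on your home connection, they look like one person.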

Google, of course, does the same thing, as do Apple and Microsoft. Android phones are tied to a Google account (you need one to use the Play Store). Apple devices use an Apple ID. Whether a user is on a smartphone or a laptop, the Web traffic each generates is associated with that one account. And the latest Microsoft operating systems require a Microsoft account in order to download apps or to store photos and documents using the company's cloud service.

The big difference is that Google, Apple, and Microsoft allow you to disable some or all of this data collection activity and retroactively delete collected data. Drawbridge, Crosswise, and Tapad make the process of disabling and deletion less clear. Or it may simply not be available.

Although using a proxy service or Tor is a convenient way to obscure your true location when accessing the Internet, this masking can create interesting problems or even backfire on you, because sometimes online tracking serves a legitimate purpose, especially when a credit card company is trying to fight fraud. For example, just days before Edward Snowden went public, he wanted to create a website to support online rights. He had trouble, however, paying the hosting company for the registration with his credit card.

At the time he was still using his real name, real e-mail address, and personal credit cards; this was just before he became a whistle-blower. He was also using Tor, which sometimes triggers fraud warnings: the card company tries to verify your identity and cannot reconcile some of what it sees with what it has on file. If, say, your credit card account says you live in New York, why does your Tor exit node say you are in Germany? A geolocation discrepancy like this often flags a purchase attempt as possible abuse and invites additional scrutiny.

Credit card companies certainly track us online. They know all our purchases. They know where we have subscriptions. They know when we leave the country. And they know whenever we use a new machine to make a purchase online.

According to Micah Lee of the EFF, at one point Snowden was in his Hong Kong hotel room discussing government secrets with Laura Poitras and Glenn Greenwald, a reporter from the Guardian, and at the same time he was on hold with the customer support department at DreamHost, an Internet provider based in Los Angeles. Apparently Snowden explained to DreamHost that he was overseas and didn’t trust the local Internet service, hence his use of Tor. Ultimately DreamHost accepted his credit card over Tor.25

One way to avoid this hassle with Tor is to edit Tor's configuration file, torrc, so that Tor uses only exit nodes located in your home country; the ExitNodes option takes a country code, and StrictNodes 1 makes the restriction firm. That should keep the credit card companies happy. On the other hand, restricting yourself to a small set of exit nodes shrinks the crowd you hide in and, over time, might help reveal who you are. There is also serious speculation that government agencies control some exit nodes, so letting Tor vary them makes sense.

Another way to pay while leaving less of a trace is to use Bitcoin, a virtual currency. Like most currencies, it fluctuates in value based on the confidence people have in it.

Bitcoin is a protocol that lets people create, or, in Bitcoin terminology, mine, new units of the currency by solving computationally expensive puzzles. But if it were easy, everyone would do it. So it's not. New coins are issued only as each block of transactions is mined, the rate of issuance halves on a fixed schedule, and the total supply is capped at 21 million. Thus there is a finite amount of Bitcoin in existence on any given day, and that, in addition to consumer confidence, influences its value.

A bitcoin is not a signed file with a serial number; what exists is a public chain of transactions, each one signed with the private key of the address that is spending the coins. Any payment can therefore be traced back, transaction by transaction, to the point at which the coins were bought or mined. What can be obscured is the link between that chain and you, for example by setting up a rock-solid anonymous e-mail address and using it to create an anonymous Bitcoin wallet over the Tor network.

You can buy Bitcoin in person, or online using prepaid gift cards, or at a Bitcoin ATM that is not under camera surveillance. Every purchasing method carries its own surveillance risks that could reveal your true identity, and each needs to be weighed before you choose one. You can then put these bitcoins into what's known as a tumbler, or mixer. A tumbler takes some bitcoins from me, some from you, and some from other people, pools them, and pays each of us back out of the pool. You keep the value of the coins minus the tumbling fee; it's just that the coins you get back have a different transaction history from the ones you put in. That breaks the trail somewhat, but not completely: the tumbler's operator sees both ends of every deposit and withdrawal, and a tumbling transaction has a recognizable shape on the public ledger, so an analyst can at least tell that your coins passed through a mixer.
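What the public ledger reveals, and what a tumbler does and does not hide, can be seen by walking a ledger backwards. The following is an added example, not from this book: a constructed mini-ledger in JavaScript in which Alice pays a merchant once directly and once via a tumbler, a function that lists every address that ever held the coins behind a payment, and a chain-analysis heuristic that spots the tumbler. Transaction ids, addresses, and amounts are invented; the addresses "alice" and "bob" stand for ones an exchange could tie to real names. Real Bitcoin identifies an output as transaction id plus index, exactly as the inputs below do.

```javascript
// Added example: tracing coins through a constructed ledger, with and without
// a tumbler. Not from the book. Ids, addresses and amounts are made up.
const LEDGER = {
  // mined coins
  cb1: { inputs: [], outputs: [{ addr: "miner-A", amount: 50 }] },
  cb2: { inputs: [], outputs: [{ addr: "miner-B", amount: 50 }] },
  // miners sell coins to alice and bob at addresses an exchange knows
  tx1: { inputs: [{ txid: "cb1", index: 0 }],
         outputs: [{ addr: "alice", amount: 1 }, { addr: "alice", amount: 1 }, { addr: "miner-A", amount: 48 }] },
  tx2: { inputs: [{ txid: "cb2", index: 0 }],
         outputs: [{ addr: "bob", amount: 1 }, { addr: "miner-B", amount: 49 }] },
  // alice pays a merchant directly and keeps the change
  direct: { inputs: [{ txid: "tx1", index: 1 }],
            outputs: [{ addr: "merchant", amount: 0.13 }, { addr: "alice-change", amount: 0.87 }] },
  // alice and bob both deposit a coin into a tumbler, which pays equal
  // amounts (minus its fee) to fresh addresses
  mix: { inputs: [{ txid: "tx1", index: 0 }, { txid: "tx2", index: 0 }],
         outputs: [{ addr: "fresh-1", amount: 0.99 }, { addr: "fresh-2", amount: 0.99 }] },
  // one of the fresh addresses then pays the merchant
  mixed: { inputs: [{ txid: "mix", index: 1 }],
           outputs: [{ addr: "merchant", amount: 0.13 }, { addr: "fresh-3", amount: 0.86 }] },
};

// One hop back: the addresses whose coins were spent by this transaction.
function immediateFunders(ledger, txid) {
  return [...new Set(ledger[txid].inputs.map((i) => ledger[i.txid].outputs[i.index].addr))];
}

// Walk the history backwards: every address that ever held any of the value
// that flowed into this transaction. Without a mixer that is one person's
// trail; after a mixer it is every depositor's, which is the point.
function priorHolders(ledger, txid, seen = new Set()) {
  const holders = new Set();
  if (seen.has(txid)) return holders;
  seen.add(txid);
  for (const inp of ledger[txid].inputs) {
    holders.add(ledger[inp.txid].outputs[inp.index].addr);
    for (const a of priorHolders(ledger, inp.txid, seen)) holders.add(a);
  }
  return holders;
}

// A chain-analysis heuristic: inputs from several distinct holders paid out
// as equal-sized outputs is the signature of a tumbler. The mix hides WHICH
// depositor funded a later payment, not THAT the coins passed through one.
function looksLikeMix(ledger, txid) {
  const tx = ledger[txid];
  const funders = new Set(tx.inputs.map((i) => ledger[i.txid].outputs[i.index].addr));
  const amounts = new Set(tx.outputs.map((o) => o.amount));
  return funders.size >= 2 && tx.outputs.length >= 2 && amounts.size === 1;
}
```

For the direct payment, `priorHolders(LEDGER, "direct")` is just `alice` and `miner-A`: anyone who can tie the "alice" address to a person knows who paid the merchant. For the tumbled payment the set is `fresh-2`, `alice`, `bob`, `miner-A`, and `miner-B`, so the payer could be either depositor, and with a real tumbler serving hundreds of users the candidate list is correspondingly long. But `looksLikeMix(LEDGER, "mix")` is true, which is why exchanges and investigators treat coins that have passed through a mixer with suspicion, and why the tumbler operator, who logged both deposits and withdrawals, remains the weak point.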

Once you have them, how do you store bitcoins? Because there are no Bitcoin banks, and because Bitcoin is not a physical currency, you will need a Bitcoin wallet, which holds the private keys that control your coins; set it up anonymously, using the detailed instructions given later in this book.

Now that you've bought and stored it, how do you use Bitcoin? Exchanges let you change it into other currencies, such as US dollars, and a growing number of merchants accept it directly. Bitcoin is divisible to eight decimal places, so you need not spend a whole coin: if one bitcoin is worth $618 and your purchase comes to about $80, you spend roughly 0.13 BTC and the rest stays in your wallet, worth whatever the exchange rate says it is worth from one day to the next.

Transactions are recorded in a public ledger known as the blockchain, where they are identified by address and transaction hash rather than by name; the IP address of the node that first broadcasts a transaction can, however, be observed by anyone watching the network. But as we have seen, IP addresses can be changed or hidden, for instance by running your wallet over Tor. And although merchants have started accepting Bitcoin, the transaction fee, which on a card payment is borne by the merchant, is paid by the sender, that is, by you. Furthermore, unlike a credit card payment, a Bitcoin transaction cannot be reversed; if you want a refund, the merchant has to choose to send one.

You can accumulate as much Bitcoin as you would hard currency. But despite its overall success (the Winklevoss brothers, famous for challenging Mark Zuckerberg over the founding of Facebook, are major investors in Bitcoin), the system has had some monumental failures as well. In 2014, Mt. Gox, a Tokyo-based Bitcoin exchange, declared bankruptcy after announcing that bitcoins it held for customers had been stolen. There have been other thefts from Bitcoin exchanges, which, unlike most US bank accounts, are not insured.

Still, although there have been various attempts at virtual currency in the past, Bitcoin has become the Internet's standard pseudonymous currency. A work in progress, yes, but an option for anyone looking for privacy, provided you remember that the ledger itself is public.

You might feel invisible right now—obscuring your IP address with Tor; encrypting your e-mail and text messages with PGP and Signal. I haven’t, however, talked much about hardware—which can be used to both find you and hide you on the Internet.