How much privacy do you have left on the web?

Posted by Wladimir Palant

Every now and then, politicians will demand mandatory use of real names on the web. Supposedly, this will restrict hate speech and make the discourse more civilized overall. South Korea tried this approach already and realized that there was only a marginal effect if any. It has been argued again and again that this approach doesn’t help against hate speech but damages freedom of individuals [German], but why would anybody care about facts?

I have nothing to add to the debate as such, everything has been said already. But I, like probably many others, had the impression that the debate is going on because being anonymous on the web is so easy. You have to keep in mind that the last time I did something on the web without signing with my real name was more than a decade ago. So when I now tried to establish an identity on the web not tied to my real-life identity, I was in for a huge surprise: things changed massively! As things stand right now, being truly anonymous on the web is hardly possible at all.

Why be anonymous?

A while ago I made the decision to sign all my online communication with my real name. Many (most?) people do the same. So why would anybody want to stay anonymous if not for some shady or even criminal business? Turns out, there are many very valid reasons [German]. For example:

  • Writing anything under your real name would result in personal attacks and discrimination. The article mentions the name “Fatima” which people will immediately associate with a Muslim woman and act accordingly.
  • You want to write about topics that are “controversial” in the society (as in: there is a large group that will try to silence anybody talking about it). That affects feminists, gay and transsexual people, sex workers and many others. These people might not want the “debate” to spill over into real life and result in harassment, mobbing, even job loss.
  • Some people have the need to exchange information about their invisible handicap. Yet they don’t want the whole world to know about such private matters, e.g. their neighbors should not be able to find out.

The basics: hiding your IP address

The first step in establishing an anonymous identity is always hiding your IP address. That’s not so much because somebody might get your ISP to disclose the name behind the IP address, but simply because you probably have another identity on the web already, even if only for work. If the same IP address is associated with both identities, some entities will make the connection. That’s especially true for the big players like Google or Facebook but probably some smaller advertising and tracking services as well. Once the connection is established, you can never know who it will be shared with and whether it will leak in the next big data breach.

You might be inclined to go with a VPN provider to achieve this goal. However, as some people already learned, even if a VPN provider claims to not keep any logs, that’s not necessarily true. In general, not all VPN services are trustworthy and it is hard to know whether one is. Also, VPN browser extensions generally don’t provide real privacy.

So your best choice to achieve this goal is installing the Tor Browser. Not only will it route all your traffic through the Tor network so that the origin of a request cannot be traced back, it will also provide a number of additional protection measures. Essentially, Tor Browser is a modified Firefox always running in Private Browsing mode by default, so no data will be stored locally.

The downside of using Tor (and similarly a VPN) is that you make yourself suspicious. Websites will immediately suspect that you are a spammer, so they will be extra careful before accepting anything from you. This means in particular that you will see reCAPTCHA far more often than you used to, and making it accept you as a human will take far more time. Used to clicking “I’m not a robot” and that single click being accepted? Forget about it, with Tor Browser you will have to solve ten tasks before it believes you.

Creating new accounts

This results in immediate difficulties when you try to get an email address for your new identity. For example, a privacy-minded person might want to create a ProtonMail account. Yet ProtonMail will distrust Tor users and require an additional validation step. You have the choice between SMS validation and making a donation. The former requires providing your mobile phone number which is immediately tied to your real-life identity — more on that soon. The latter requires you to make an online payment which will normally be tied to your credit card or some other identifying token.

Sidenote: It seems that US citizens are better off here and at least in the past there was the option to purchase an anonymous prepaid debit card. This article is quite a bit older however, and while the website is still online, it would be nice for somebody to confirm that you can indeed still buy and activate these cards anonymously.

Having failed to create a ProtonMail account, I tried various smaller providers but all of them required SMS validation. Eventually, I succeeded in creating an outlook.com account that merely required me to solve a CAPTCHA correctly. I could then use this email address to create further accounts. However, the next day I found my account locked due to “suspicious activity” and once again requiring SMS validation to unlock.

But why bother creating a proper email account if there is Mailinator? You might be inclined to choose a long random inbox name that nobody would be able to guess and use that as your email “account.” Ok, Mailinator locks out Tor users but similar services such as the German-language Wegwerf-eMail-Adresse work. And sometimes this will do. Unless you are registering at GitHub of course, which makes a massive effort to recognize these temporary email addresses and won’t let you verify them.

Either way, using my outlook.com address I successfully created a Twitter account. And guess what: after only a few minutes that account was locked down due to “suspicious activity.” Only way to unlock: SMS validation. There appears to be a system here. Theoretically, Twitter doesn’t require accounts to be linked to mobile phone numbers. In practice however, when I created my regular Twitter account I was also locked out after a day and forced to use SMS validation.

The trouble with SMS validation

Wherever you go, it seems that the state of the art today is sending an SMS to a phone number in order to verify an account. If you didn’t have to do it, it’s likely because the website already knows your real-life identity. This is highly problematic privacy-wise of course, as that phone number becomes the single most reliable trait that various actors can use to combine records about a person. Not only will Google, Facebook and a bunch of smaller internet companies collect (and sell or leak) data about you this way, state-level actors such as the NSA will do so as well. So having your different online identities tied to different phone numbers is essential now.

Now there are plenty of websites that will give you access to a public SMS inbox. These sites own several phone numbers and will let anybody see the messages received by those. Problem solved? Not quite. First of all, many websites will actively block such phone numbers. But even if they don’t, chances are that you will receive a response like “an account is already registered for this number.” That’s because there are far too few public inboxes available for the number of people who would like to use them.

There is also another issue. The supposedly privacy-minded Signal messenger won’t let you register without proving control of a phone number. I managed to register a test account using a public inbox. However, after a day somebody kicked me out of that account. If your account is linked to a public inbox, anybody can start the account recovery process and will usually succeed in taking control of it merely by proving that they can receive an SMS meant for you. So public inboxes are only good for test accounts, not for anything you don’t want to fall into the wrong hands.

The same websites advertise private SMS inboxes which you can rent for a certain monthly amount. Here again the issue is paying for the service anonymously which is usually impossible. Also, I was told that Telegram messenger somehow managed to recognize and block these numbers even though they wouldn’t be publicized or shared.

So it might seem that going into a shop and buying a prepaid SIM card with cash would be your best option. Ideally, you would also buy cheap hardware for it, so that this card cannot be linked to your regular mobile phone number via your IMEI number. Many countries closed this loophole under the premise of fighting terrorism however. For example, in Germany you used to be able to activate prepaid SIM cards online and the data you entered was barely verified. As of summer 2017, this is no longer possible and even online activation requires you to show your ID via video chat. My understanding is that similar legislation exists in all of the EU, and I was told that India and China also won’t allow anonymous SIM cards.

So it seems that having your accounts linked to your real-life identity via your mobile phone number is usually unavoidable even if it’s not the same number you normally use. Does being worried about it make you paranoid? In theory, only law enforcement authorities should be able to request the identity behind a certain number, and this should be rather unlikely if you aren’t doing anything illegal. Then again, can mobile providers really be trusted? If they sell your location data, can you trust them to keep your name private? And even if they have the moral integrity (or rather: legal obligation) to keep that data to themselves, the direction in which the web is heading makes the data guarded by mobile providers a huge target. Will they be able to repel attacks launched by all kinds of malicious actors? Looking at how they deal with SIM swapping scams I consider that rather unlikely.

Conclusion

Initially, I was researching how one would stay anonymous on the web. I realized however that true anonymity on the web is already almost non-existent. Sure, you can probably be anonymous in some obscure corner of the web. But being part of the mainstream discussion without leaving hints towards your identity? No longer possible. So when German law enforcement claims to be unable to prosecute online crimes such as hate speech that’s due to lack of motivation and/or competence rather than “too much” freedom of speech online.

I find it highly concerning how all of your online activity is increasingly tied to your mobile phone number. Not only is the assumption that everybody owns a mobile phone excluding people. Not only does this make it very hard to properly separate different facets of your online activity from each other. It also makes mobile providers the keepers of everyone’s privacy, a role that they seem to be ill-equipped to fulfill.

Either way, the point should no longer be that we want the right to use the web anonymously to remain. We should rather fight to get this right back, because at some point somewhere along the way we lost it and nobody noticed.

Comments

  1. will privacy

    Thanks for sharing link at Krebs and nice writeup! So true… “It also makes mobile providers the keepers of everyone’s privacy, a role that they seem to be ill-equipped to fulfill.

    Either way, the point should no longer be that we want the right to use the web anonymously to remain. We should rather fight to get this right back, because at some point somewhere along the way we lost it and nobody noticed.”

  2. NTN

    It is not that hard to pay a homeless person to get a prepaid SIM card registered to him. Would that work as an anonymous phone?

    Reply from Wladimir Palant:

    Sure, but that would be shady or even illegal. There is no question that criminals can circumvent these restrictions, there are plenty of ways. I wanted to approach this as a regular person who doesn't want to do anything wrong.

  3. Anon

    You can register a Google (includes Gmail, YouTube, etc.) account by requesting a callback instead of SMS. At least 2 years ago I could do it from a public phone booth. Just don't forget your phone at home. Preferable to use LineageOS with Tor Browser for Android.
