Anyone who has had an online ad follow them around for weeks — Look, L.L. Bean, I’m not going to buy that parka after all, so please leave me alone — has a good idea that we’re not exactly anonymous IP addresses bopping from site to site anymore. But if you really wanted to, could you effectively disappear while browsing the web? In other words, is true anonymity possible online?
“The average internet user would be shocked at the amount of information that is gathered on their browsing habits on a daily basis,” says Alex Heid, chief research officer at Security Scorecard, writing over email. “Every bit of data that can be reasonably harvested, analyzed, and monetized is being used in one way or another by corporations, governments, and interested individuals from around the world.” This ranges from cookies installed in your browser (thus the same ad that follows you everywhere) to the analysis of which browser and OS you’re using, down to using historical data to determine your likely age. (To get an idea of everything a website is grabbing from you, Heid recommends installing Ghostery to quickly see how many trackers are being used on any website.)
Some of this is to be expected: Two of the web’s most valuable companies, Google and Facebook, make the majority of their money from advertising — and advertising becomes much more valuable when you can promise a certain type of audience through targeting. The same goes for plenty of other sites (including, of course, the one you’re reading right now).
Going into Incognito or Private Browsing only slightly protects you. “The private browsing modes of major web browsers only prevent the local device from collecting a history of visited URLs, and prevents the local device from caching visited images,” says Heid. Websites you visit while “shopping for presents” will still log your IP, see what browser and OS you’re using, and install cookies to keep track of your session on each site.
So using the web as 99.9 percent of us do without a trace is going to be nearly impossible. “Tracking technologies have become so commonplace and embedded within the modern web browsing experience that some mainstream news websites won’t even load correctly if the user is attempting to block advertisements or avoid cookies,” says Heid. “The fishbowl becomes even smaller when one considers that many users use Gmail or Facebook as a single sign-on for multiple platforms, everything from commenting on news websites to logging into a food-delivery service.” If you use your Google, Facebook, or Twitter account to log in to other services, the authentication provider will get a view of how often you visit that website (and can alter its advertising to you accordingly).
There are ways to reduce how many fingerprints you leave behind. Heid recommends installing AdBlock Plus to prevent certain trackers from getting placed (though, uh, as someone whose salary indirectly comes from advertisements, maybe whitelist good ol’ nymag.com?). He also endorses NoScript for Firefox, which disables Javascript on a page, and TrackMeNot, a browser plug-in that periodically spits out random search queries to all the major search engines, creating so much noise that it’s hard to pick out your actual search queries from the nonsense.
But let’s say you don’t just want to be harder to track around the web, you want to be full-on invisible. For that, you have to turn to tricks used by, well, criminals. “The success of any cybercrime operation depends on the ability for the malicious actor to avoid detection, and if detected, avoid attribution,” says Heid. To browse like a criminal, you’ll need to do some of the following tricks.
First off, whatever device you use to connect to the internet has something called a MAC address which can be linked to the actual physical device you’re using, whether that’s a laptop or cell phone. So you’ll need to change that — and ideally you’ll want to change it every time you hop online.
But it’s not enough to just change up your MAC address if you’re logging in from the same physical location each time. So you’ll need to find a public Wi-Fi (or a hacked Wi-Fi network) far away from your actual physical location.
Then, once you’re using a Wi-Fi network that isn’t your personal connection, you’re going to need to sign up for a VPN (virtual private network) service, which adds another layer of anonymity. You’ll need to pay for access for nearly all of these, though there are some free ones out there.
One you’ve signed up for a VPN, you’ll then need to find a RDP VPS (remote desktop protocol virtual private server), which will allow you to remotely operate a desktop as if it’s your own. There are plenty of services offering this, though you’ll almost assuredly need to pay for it. This is also a good time to mention you shouldn’t be paying for any of these things with your credit card, obviously, so you’ll need to use Bitcoin. Most online Bitcoin providers will want you to link to your actual bank account, which means the jig’s up on total privacy, so you’ll have to pay cash for it. Hope you like finding Bitcoin ATMs in weirdo strip malls in Secaucus!
Once you’ve managed to secure a way to pay anonymously and found a RDP VPS service, you’ll then need to install the Tor browser, which will then bounce your data exchanges with websites around the globe.
After these simple steps, you’re free to browse to your heart’s content, secure in the knowledge nobody will ever, ever know who is lighting them up in the comments section of Reddit. Of course, all the hoops you’ve jumped through mean you’re going to be dealing with significant latency, so maybe grab a sandwich while you wait for your favorite websites to load.
Except that even all this isn’t really enough to keep you totally invisible. “At the end of the day, someone with enough dedication and resources can eventually unmask and track an entity of interest despite the use of privacy-enhancing technologies,” says Heid. In 2015, the F.B.I. used a vulnerability in Tor to track down users involved in child porngraphy. In 2016, the U.S. military tracked down and killed a hacker known as “TRiCK,” who had been part of a hacking group known as Team Poison before joining ISIS. “Both of the above examples involve the full implementation of encryption and privacy solutions by individuals wishing to remain in hiding, and successful ‘client-side attacks’ conducted by opponents seeking to reveal the enemy position,” says Heid.
The reality is that while the idea of anonymity has given rise to much of internet culture, true anonymity is something we all sacrificed long ago, whether for the sake of convenience or access. Much of the web is simply shut off to you if you’re not willing to divulge at least some personal information.
As for Heid, he sticks with using AdBlock Plus (when asked if he’ll whitelist nymag.com, he replied, “I’ll disable it when I read this article and manually check the display ads for interesting JavaScript”); making sure his browser, OS, and plug-ins are up-to-date; disabling Java in his browser; and keeping a good VPN subscription running for anytime he’s on a public Wi-Fi network. As for the fact that he’s still able to be tracked? Says Heid: “In today’s era, being subject to the global opt-in surveillance grid is unfortunately part of doing business.”
