The recent Kickstarter campaign for Anonabox proved to be insanely popular but ultimately unsuccessful after the campaign was suspended by Kickstarter. If you’re unfamiliar with it, it was a small network device that you could plug into an existing network connection and then either use the provided Wi Fi hotspot, or plug in another network cable all traffic routed through the device would go over Tor. The idea behind the device is to make it dead easy for people to use Tor holistically, preventing software from making direct requests to the internet. The other advantage is that it would work without particular applications having to be aware of Tor or configured to use Tor. Just plug it in an go.
I think the intent behind this device is great but there’s a bunch of things people forget and confuse when it comes to online privacy, anonymity and security. I think the danger with a device like this would have been lulling users into a false sense of security, or illusion that they couldn’t be traced / tracked / monitored / discovered / whatever it is they thought they were achieving by using this. This prompted me to think about a bunch of things and following is my brain dump on what some of the differences are between privacy, anonymity and security – why you might want to pursue any or all of these online. This is stuff I’ve been mulling over for months after reading books like Black Code, No Place To Hide and following the details of the Snowden revelations as well as the metadata collection debate currently happening in Australia.
Let’s start with online security. This covers your basic approach to doing things securely on the internet – ensuring you use a password manager to enable strong, unique passwords on each and every site you use; using anti-virus software and personal firewalls; enabling two-factor authentication and using extensions such as HTTPS Everywhere to enforce the usage of https on websites. You make a conscious effort to avoid using insecure websites and applications that do dumb things like email you your password, don’t use https, having stupid password restrictions and so on.
More advanced approaches to security include encrypting communications (instant messaging, text messaging, emails), encrypting files and whole drives (computer, smartphone).
Why do we do these things? We do these things to avoid having our accounts compromised, money stolen, identity revealed (more on this later), personal information leaked – including nude selfies. The consequences of these things ranges from pain in the arse to major impact on our lives.
Privacy is about controlling information about yourself – consenting to provide that information understanding how it will be used, your rights regarding deleting that information and how long it is stored for. Clearly a major trend in the last decade is the erosion of our privacy in the online world through constant mishandling of our personal information leading to leaks.
This is not to be confused with scenarios where we opt in to applications to receive a benefit – providing personal information when there is a net benefit in applications like Facebook. These systems work because without opting in and providing your information you won’t be able to establish the connections with your friends. Essentially you get to use this application for free because you’re providing personal information. That the application aggregates all of this personal information and uses it for marketing purposes is something (most of us) are consciously aware of and acknowledge. The benefit we receive is worth it to us.
What complicates privacy are the many different facets of information about ourselves and who we want to reveal them to is very granular.
Anonymity is about the right to pursue your life anonymously without having to provide identifying information. In an online world this means the ability to use pseudonyms and non-identifying information when interacting with applications and other users on the internet.
A disturbing angle relating to anonymity is the practice of having your online habits tracked across multiple sites over a period of time through advertising networks. While we can read and agree to privacy statements of individual sites and receive a pretty obvious benefit in return for providing some information to the Facebooks of the world, it’s less obvious the benefit we get from being tracked. ‘More targeted advertising’ is usually the result, but for most people that’s a pretty dubious benefit. It’s great for business, but not the individual.
Trying to be anonymous on the internet can include trying to opt out or actively block this kind of tracking (if you’re interested, check out Disconnect.Me). Modern browsers have privacy modes that attempt to limit some of this but it’s really only a quick and convenient way of browsing a few sites you don’t want to appear in your local history. They’re not known as porn mode for nothing. These browser modes do nothing to prevent your requests from being monitored by your ISP, tracked by the servers your requesting information from and more.
So what about Anonabox?
Anonabox seemed to be popular because it makes using Tor easier. Tor enables you to cloak details about your web requests. Requests are routed through the Tor network rather than straight out from your ISP. The Tor network is a series of nodes around the internet that bounce requests between them. The idea is that you’re making it harder for people at the remote end to trace back to you, and you’re also disrupting people who may be monitoring your traffic (ISP, government, local Wi Fi snoop).
I think the main demand for this box (in the campaign) has come from people who are aghast at the Snowden revelations and want to stymie mass surveillance of the internet by governments. But I think that’s flawed – in that I don’t think the Anonabox is the panacea it seems.
The accusations against the five eyes governments involve mass surveillance of the internet with the (begrudging?) cooperation of telcos and internet companies who provide these services. Using Anonabox or Tor only scrambles your network traversal. They still have access to your information either straight from the pipe or from the company itself. Furthermore, using a normal browser with Anonabox still means you’re subject to the same advertising based tracking and so you’ve defeated nothing. (To be fair they recommended using the Tor Browser Bundle in conjunction with Anonabox).
Whistleblowers and people who face persecution in their country (for sexual orientation, political or other reasons) are pretty serious about security, privacy and anonymity. In order to keep themselves safe they have probably already researched effective ways to keep their identities hidden. While Anonabox is trying to make this easier, without the proper education of users there is still a risk that they make mistakes that reveal their identity or personal information.
I don’t think there’s a single easy solution to trying achieve anonymity, maintain full privacy and security online. Anonabox looks like a step in the right direction but seems to be at risk of giving people a false sense of security that they are totally anonymous and private on the internet.