This morning I was having a conversation with a friend of mine who works at a major social media organization in Silicon Valley. During the course of our conversation, which spanned topics such as bringing champagne to brunch to volunteering in the community next weekend, the topic of privacy on the internet came up. Specifically, my friend made the following declaration “That’s the price you pay for using the internet and being connected”, in response to our discussion about internet companies auto-collecting data (such as GPS and IP based location information) through their Mobile and Web Applications.
This immediately reminded me of a great talk(1) famed security researcher Moxie Marlinspike likes to give on the topic of using mobile phones and the “No Network Effect”. It boils down to the fact that it’s not a choice of whether or not you want to use a mobile phone but whether or not you want to be a part of today’s society. It is this impromptu conversation on a Sunday morning that has led me to clearing my calendar and sharing my thoughts on “The Price of Staying Connected”. I hope this information is beneficial and useful to whoever comes across it. I’m only going to suggest items of how to become more anonymous in the eyes of end point services (Facebook, Google, Twitter, Ad Networks) and not how to be ‘anonymous’ on the internet.
The distinction is very important.
This information will NOT let you get away with doing illegal things.
It WILL keep commercial services from easily tracking your physical location and internet browsing history.
It is no secret that sophisticated internet businesses utilize a wide array of technologies to make their products better (resulting in personalized recommendations, etc). However, these same technologies allow them to know you better than you may want. What is done with this information is another story for another day. While you may be familiar with the privacy options that are unique to each application (Facebook, Google, Twitter, your ISP), there is a set of common practices behind the scenes that “opting-out” isn’t an option among these services:
- Network Based Location and Identity Information (Your IP Address)
- Device Based Identification Information (Cookies, Local Browser Storage, Media Access Control “MAC” Address)
- Browser Based Identification Information (User Agent, Font lists, Plugins)
- Third-party software Identification Information (Java, Flash)
I’m going to break these down into two categories (Physical Location and Sites Visited) and then suggest ways to mitigate against each.
To use the internet, you must have an Internet Protocol “IP” Address which is how other nodes in the network can find you. This address, when in use, is for the most part unique to an individual device. IP Addresses can, and are often, used by more than one device over time. An IP Address on its own is not a reliable source of location or personally identifiable information. However, when combined with other factors (such as MAC Address, User Agent, Cookies, etc) the fidelity becomes much greater. You see, each IP Address is owned or leased by some entity. The ownership information of an IP Addresses can be looked up easily in databases as ARIN (http://www.arin.net) and APNIC (http://www.apnic.net) which stores this data. Often times Internet Service Providers “ISPs” own large groups of IPs and register them in such a way that IP Addresses assigned to customers in a city reflect this as part of the listing in ARIN / APNIC. There are companies out there such as MaxMind (http://www.maxmind.com) that aggregate this information for private use by organizations as well as append it with other meta data for a fee.
When this information is combined with a MAC Address (a unique ID for every single internet connected device in the world), it can pinpoint your location with alarming accuracy. Companies such as SkyHook (http://www.skyhookwireless.com/) and Google (http://support.google.com/maps/bin/answer.py?hl=en&answer=1725632) have been driving around the world collecting information about devices that broadcast WiFi signals and correlating it to the physical address when it was detected. They then sell access to this information on demand, similar to MaxMind for IP Addresses, for a fee. In case you were wondering, if you have “WiFi Enabled” on your mobile phone, they can see this. At least one company (http://www.itworld.com/it-management/336828/attention-shoppers-retailers-can-follow-you-around-mall-way-web-trackers-do-onl) is tracking your position in malls with this method.
When it comes to mobile applications, if they have the ability to access GPS (most are authorized to do this during install), then they are correlating your exact GPS locations along with your IP Address and MAC Address.
Mitigating Physical Location Tracking:
(Note: I’m not affiliated with any of these companies in any manner; nor am I being compensated in any manner by any of these companies. Use at your own risk.)
So what can you do about this? For your desktop environment, here are a few solutions:
- Changing your Internet Protocol Address:
First you will need a VPN/Proxy client. For Windows or Mac based operating systems you want to use a “System Wide” proxy solution. What this will do is route all your internet traffic, from any application, through a remote location before it goes anywhere else.
Example: You’re in Atlanta, GA and all your traffic goes through Boston, MA before it ever gets to Facebook.com. No matter where in the world you go, it would always appear as if you’re coming from Boston, MA.
There are a lot of application and system wide proxy solutions on the market. Some free ware, which normally means a lot of Ads, and some that are fee based. Over the years I’ve personally come to favor ProxyCap (www.proxycap.com) by a wide margin. It one the simplest clients to use; it works for both Windows and Mac OS’s; and it is truly system wide. ProxyCap can be configured through a GUI interface to exclude certain applications from the Proxy process. It can also be configured to only Proxy an individual application. ProxyCap is also configurable to run at startup on your machine.
For mobile devices with Android or iOS, you will not need any additional software as each has a VPN client built in. To setup a VPN on either OS, use these simple guides from ProxyPN (replace proxy server settings with your own).
Once you have the software required to connect to a VPN/Proxy server, you will need a proxy server to connect to. There are two types: Private and Share.
Private servers reserve a dedicated IP Address for you which will eliminate the physical location issue but will still remain consistent and help services track where on the internet you go. Shared servers allow multiple individuals to use the same IP Address so the usage patterns become a melting pot which makes it hard to identify an individual user.
The Pros of a private server is that it is dedicated for your use and often provides significantly faster connection speeds. Below is a list of several high quality proxy server providers:
http://squidproxies.com/private-proxies/ (private and shared)
For the more technically inclined, I recommend getting a Linux VPS of your own and setting up Dante or Squid Proxy server. A quick Google query of: “Linux VPS $5 unlimited bandwidth SSH” will turn up satisfactory results. To find VPS’s that are more likely to come with an IP from a particular location use the Google locale site (example: www.google.co.uk for a UK based VPS provider)
Squid Proxy: https://help.ubuntu.com/12.04/serverguide/squid.html
I recommend getting multiple proxy servers in multiple locations and setting up your ProxyCap client to automatically rotate them.
- Changing your Media Access Control Address
Changing your MAC Address may present some issues depending on the types of applications you utilize. However, undoing a MAC Address change is simple so I recommend utilizing a random MAC Address where appropriate.
Use Technitium MAC Address Changer (http://www.technitium.com/tmac/index.html)
For Mac OS:
There may be an application that is as easy to use as TMAC6 for OS X but I’m not aware of one that doesn’t require moderate technical knowledge to install and setup. For that reason, I recommend reading this article by William Pearson over at OSXDaily.com (http://osxdaily.com/2008/01/17/how-to-spoof-your-mac-address-in-mac-os-x/)
Changing your MAC Address on an Android or iOS device requires the device be ‘rooted’ / ‘jailbroken’ and in light of the most recent change in the DMCA (as of yesterday it is illegal in the United States to do this for most phones I’m not going to go into the details here).
- Disabling GPS (Application specific)
iOS: Go to “Settings” -> “Privacy” -> “Location Services” and you can toggle individual application access to GPS:
Android: Go to “Settings” -> “Location/Security” and modify the settings as appropriate.
Even if you do not use sites such as Facebook, Google, and Twitter, it doesn’t protect you from being tracked by them. Wait, what?
Do any of these buttons look familiar? Anytime these icons are displayed on a website you visit, your device is sending a message to Facebook, Twitter, LinkedIn, and Google’s servers.
That message contains no less than the following information:
- Your IP Address
- Your Browser User Agent (which looks something like this)
- Mozilla/6.0 (Windows NT 6.2; WOW64; rv:16.0.1) Gecko/20121011 Firefox/16.0.1
- Your screen resolution (example: 1280x800)
- Any cookies they have previously set (which oftentimes includes a unique ID they’ve assigned you)
- Any LocalStorage they have in your browser (Facebook describes their usage of LocalStorage as follows: http://www.facebook.com/help/330525367015217/)
- Third-party Software (Adobe Flash and Java)
- In some cases, your mobile browser will even send your full mobile phone number to every website you visit (http://www.wired.co.uk/news/archive/2012-01/25/o2-sends-phone-in-http-headers)
This practice is not exclusive to these service providers. It is wide spread and is very prolific in the display advertisement industry. Often times, services providers will share and combined their data and then provide access to the combined information for a fee such as RapLeaf for email addresses (https://www.rapleaf.com/) and LeadLander for the exact opposite (http://www.leadlander.com/)
The Electronic Frontier Foundation “EFF” has published an interesting free tool called Panopticlick to help visualize some of this and it can be found at https://panopticlick.eff.org/
Additionally, your Internet Service Provider “ISP” maintains a list of every single URL that has been requested for any device that use their network to access the internet. This accomplished by at least two methods:
- The URL of the request made (example: http://icanhas.cheezburger.com/)
- The Domain Name System “DNS” lookup (example: cheezburger.com resolves to the IP Address of “18.104.22.168”)
So what can you do about all of this? We’ve already discussed how to modify your IP and Mac Address. By using a Secure Socket Layer “SSL” IP Address proxy, your ISP is only able to see the initial connection to that server and is unable to see the sites you visit. This is also a great tool when connecting to WiFi at a coffee shop as it prevents local attackers from seeing your internet traffic.
Below, we will discuss your User Agent, Cookies, LocalStorage, Third-party Software, Ad Networks, and DNS.
Mitigating Sites Visited Tracking:
- User Agent:
There are several ways to change your User Agent and most of them are rather simple. There are browser plugins you can quickly install and configure for Firefox and Chrome. In Safari you can change it through a particular setting. By rotating your User Agent frequently you are able to remove this as a reliable variable for tracking your movements across the web.
Firefox: “User Agent Switcher” is a free plugin written by Chris Pederick and can be found at https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/
Chrome: “User-Agent Switcher for Chrome” is a free plugin written by Glenn Wilson and can be found at https://chrome.google.com/webstore/detail/user-agent-switcher-for-c/djflhoibgkdhkhhcedjiklpkjnoahfmg?hl=en-US
Safari: A easy to follow article for Safari can be found at http://www.dummies.com/how-to/content/how-to-activate-user-agent-switcher-in-safari.html
- Cookies, LocalStorage, and Browser History:
Most modern web browsers come with a form of “Private Browsing”. When in this mode most things such as Cookies, LocalStorage, Locally stored browsing history, and related items are no stored after you close the browser.
Safari: Click the “Safari” -> “Empty cache”
Then click “Private Browsing”
- Third-party Software and Ad Networks:
A lot of sophisticated internet companies utilize software such as Java and Adobe Flash to access more information about your device. These technologies are also utilized to store more information on your local device in ways that are very difficult to remove.
To help mitigate against this you should disable the Java and Flash plugins in your browser. Guides are listed below:
Java has even more alarming issues as of late such as significant security flaws (http://thenextweb.com/insider/2013/01/11/latest-java-vulnerability-possible-since-oracle-didnt-properly-fix-old-one-now-pushing-ransomware/) and should be disabled for this reason alone.
Other technology exists to take mitigating against third-party tracking from Ad Networks and should be utilized. One of the more effective solutions is a free available plugin for Firefox called “BetterPrivacy” which was written by NetCat (https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/)
- Domain Name System Tracking:
In most cases your device uses the DNS resolution service offered by your ISP. A DNS resolution services converts the domain name you’re requesting (cheezburger.com into an IP Address so that other devices on the network can find it). Your ISP collects this data and combines it with other information is has about your activity. For this reason alone you should utilize an independent DNS resolution service. One of the better ones out there is OpenDNS. Their VIP service
is available for only $20/yr and not only provides you with independent DNS resolution it also filters out unwanted content and a good number of viruses.
To take private browsing one step further, you should look into acquiring an IronKey by imation. IronKey’s provide one of the most secure forms of portable storage but also come with a harden version of Firefox built in. Just double click on the Firefox icon and you're browsing with a randomized version of Firefox, through a multi-hop proxy, environment that bounces between multiple countries and leaves no traces on the device you run it on after you unplug the IronKey. They start around $100 (onetime fee) and are well worth the investment. For more information see:
In closing, there are many ways by which internet companies track your movements, your interests, and your life online. However, many of these methods are invisible to end users and not easily circumvented. Additionally, choosing “not to participate” is not as simple as not using Facebook, Google, or Twitter. Although I only touched on a small number of the tracking and analytics methods employed today, mitigating against even just a few makes “The Price of Staying Connected” a lot cheaper.
Contrbuted by Adam Ghetti, CTO of Social Fotress.