This article has five parts. The fourth part looks at the traces you leave and at how a search for you would proceed, and then approaches the plan of defense.
Contents of part 4:
17. The barriers
18. The traces that you leave
19. No-logging VPNs
20. Traces you didn't know you were leaving
21. Plan of defense
• • •
What hope do we have of hiding from governments and corporations? Where are the barriers? What could be even half an obstacle?
First, it's every wall which still stands.
The strongest is the absence of legal process. When there is no court order, subpoena or other legal demand on the table, no company should reveal its customer data to anyone, at least in theory. Conveniently, companies are often forbidden by law to do so.
Corporate boundaries must be taken into account. Don't have your anonymous e-mail account with a corporation which owns half the world. If you use an independent privacy-conscious provider like ProtonMail, there is a better chance that no one could read it without proper legal procedure.
Then there are different jurisdictions. It is still difficult to have a court order from one country take effect in another. Don't forget about joint forces, though: within an intelligence-sharing alliance such as the Five Eyes there may be effectively no legal gap between the member countries.
Physical borders also matter. If you stay off cameras, surveillance is useless. If you don't have your cell phone with you, you cannot be traced by it.
Second, and this is where VPNs come in, there still exist legal businesses which will take your money and shield you to the extent possible under law (or even push it somewhat further). They are indeed an invaluable part of the anonymity setup.
Third, it's the same reason why the Tower of Babel could not be built. No matter how badly the kings want it, people just can't build at that scale.
It's super easy to collect data at the source. It's rather difficult to build a coherent data set from multiple identical sources, even when it's in everyone's interest to build it (ask any aggregator). And it's impossibly difficult to maintain a consistent view into hundreds of thousands of unrelated data sources from different industries in different countries. It is about the same size of problem as uniting the world under a single government.
Take your laptop, go outside to a busy terminal, connect to a public Wi-Fi, establish a VPN connection, log on to a social network and post something. Armed with all the knowledge so far, can you tell how you could be found?
You logged in. If it was your personal account with your name, e-mail, cell phone or credit card attached to it, the search is over. If the content you posted relates to you, the same applies: you are busted.
If not, and they choose to follow the evidence, it effectively becomes a fan-out search across all the information they have access to.
As a starting point, the social network's own logs contain the time and IP address from which you posted. That IP address can easily be determined to belong to a VPN provider (WHOIS and commercial IP intelligence databases flag such ranges).
They go to the VPN provider and extract from its logs the list of clients which were active on that exit address at that time. There is probably more than one, so they may need to check them all, but you are among them.
The VPN provider keeps payment and other registration information about its clients, so if you registered the account in your name, the search is over. Had you paid with a credit card, they contact the issuing bank and get your name there.
Otherwise, the search resumes from the IP address of the public Wi-Fi, found in the VPN provider's logs as the source of your connection. As it is a legitimate network, they can locate it precisely. Next they get to the Wi-Fi access point at the terminal. In its log appear the MAC addresses of the wireless devices that were connected at the time. Again there are many, as more than one person was connected, but your laptop is among them.
Here the direct evidence ends.
In an attempt to stretch it, they could further follow the MAC address. This is unlikely to be done in practice, since a MAC address can be changed in software and most current operating systems randomize the Wi-Fi MAC address per network by default, but in theory it could be tracked to the point of sale which sold the device, where they could again find you via payment information.
Bringing up a list of cell phones registered to the cell towers in the area at the time would give them another thousand suspects.
Video surveillance feeds in the area would be examined. If decent quality footage exists, there goes your face.
As you can see, finding you takes a great deal of hassle, there are many false leads, a lot could go wrong, it could easily get nowhere and is unlikely even to start without involving law enforcement. It is also worth noting that the VPN did not help much, if at all: its logs were simply one more hop in the chain.
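Here is the fan-out search from the walkthrough above as code. It is an added example, not part of the original article, and it replays three constructed logs: the social network's post log, the VPN provider's session log and the association log of the public Wi-Fi access point. All timestamps, IP addresses (taken from the RFC 5737 documentation ranges), client identifiers and MAC addresses are made up for the example.

```python
"""Fan-out search: post -> VPN session -> public Wi-Fi -> MAC addresses.

Added example; every log entry below is constructed (RFC 5737 addresses,
made-up MACs and client ids), not a real dataset.
"""
from datetime import datetime, timezone


def ts(s):
    """Parse a constructed ISO timestamp as UTC."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# 1. The social network's own log: account, time and source IP of the post.
POST = {"account": "anon_fox", "time": ts("2024-03-05T14:03:11Z"), "ip": "203.0.113.7"}

# 2. The VPN provider's session log, which a "no logs" claim would have to hide.
#    source_ip is where the client came from, exit_ip is what the world saw.
VPN_SESSIONS = [
    {"client": "c-1041", "source_ip": "198.51.100.23", "exit_ip": "203.0.113.7",
     "start": ts("2024-03-05T13:40:02Z"), "end": ts("2024-03-05T14:25:40Z")},
    {"client": "c-2277", "source_ip": "192.0.2.88", "exit_ip": "203.0.113.7",
     "start": ts("2024-03-05T13:58:30Z"), "end": ts("2024-03-05T15:01:12Z")},
    {"client": "c-3390", "source_ip": "192.0.2.150", "exit_ip": "203.0.113.9",
     "start": ts("2024-03-05T14:00:00Z"), "end": ts("2024-03-05T14:10:00Z")},
    {"client": "c-4512", "source_ip": "198.51.100.23", "exit_ip": "203.0.113.7",
     "start": ts("2024-03-05T11:00:00Z"), "end": ts("2024-03-05T12:30:00Z")},
]

# 3. Association logs of public access points, keyed by their public IP.
#    Only the terminal's AP (198.51.100.23) is in hand; 192.0.2.88 is some other
#    connection whose records would need a separate request to that provider.
AP_LOGS = {
    "198.51.100.23": [
        ("2024-03-05T13:35:10Z", "assoc", "02:1a:2b:3c:4d:01"),
        ("2024-03-05T13:36:44Z", "assoc", "02:1a:2b:3c:4d:02"),
        ("2024-03-05T13:50:00Z", "assoc", "02:1a:2b:3c:4d:03"),
        ("2024-03-05T14:01:05Z", "disassoc", "02:1a:2b:3c:4d:02"),
        ("2024-03-05T14:30:00Z", "disassoc", "02:1a:2b:3c:4d:01"),
    ],
}


def vpn_sessions_active(sessions, exit_ip, at):
    """Sessions that were using exit_ip at time `at` (the VPN-side step)."""
    return [s for s in sessions
            if s["exit_ip"] == exit_ip and s["start"] <= at <= s["end"]]


def ap_clients_at(events, at):
    """MACs associated to an AP at time `at`, replaying assoc/disassoc events."""
    present = set()
    for when, kind, mac in sorted(events):
        if ts(when) > at:
            break
        if kind == "assoc":
            present.add(mac)
        else:
            present.discard(mac)
    return present


def fan_out(post, sessions=VPN_SESSIONS, ap_logs=AP_LOGS):
    """Follow the chain of evidence from one post; every step widens the set."""
    active = vpn_sessions_active(sessions, post["ip"], post["time"])
    source_ips = {s["source_ip"] for s in active}
    macs = set()
    unresolved = set()           # source IPs whose access log is not available
    for ip in source_ips:
        if ip in ap_logs:
            macs |= ap_clients_at(ap_logs[ip], post["time"])
        else:
            unresolved.add(ip)
    return {
        "vpn_clients": sorted(s["client"] for s in active),
        "source_ips": source_ips,
        "macs": macs,
        "unresolved_ips": unresolved,
    }


if __name__ == "__main__":
    for step, candidates in fan_out(POST).items():
        print(f"{step:15s} {sorted(candidates)}")
```

Note how each step keeps the true answer inside the candidate set but never shrinks it: two VPN clients shared the exit address, one of them came from a network whose records are not in hand, and the access point still had two devices associated at the moment of the post. The VPN's log is just one more hop.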
Hold on, but what about the VPN providers' claims of "no logs whatsoever"? That would put an unbridgeable gap in the search, right?
Well, in theory, yes. In practice, it calls for a brief discussion of trust and control.
We base our trust in Internet services on user reviews, comparisons and news articles; without firsthand knowledge it is nothing but wishful thinking.
That a VPN provider keeps no logs is primarily a marketing claim. Even if most VPN services do their best to live up to it, as corporate entities they have laws to obey. In many countries, communications providers are obliged by law to keep at least some kind of traffic logs. And even where there is no logging by default, a subpoena or court order can require that it be switched on for a particular user.
How do VPN providers operate? They rent a fleet of servers from data centers all over the world, install some kind of VPN server software on each, and that's it. What kind of control do they themselves have over the hardware? None. The control is with the hosting provider.
Nothing prevents the hosting provider from listening to the traffic at the servers just the same. And unlike the VPN provider, keeping the traffic secret to the point of a lawsuit is not in its direct business interest; it has much less incentive to push back against law enforcement.
Moreover, are the security measures at a data center strict enough that a bribed janitor couldn't plug in a traffic sniffer? Or that a rogue administrator couldn't log in from the console, install some kind of rootkit and leave? And the list goes on.
The moral here is - don't trust anything you can't control (and you most definitely can't control the VPN provider).
Imagine you are on a secret mission. You prepare meticulously, pack the car up with everything you need - food, supplies, clothes, tools - and set to drive. What you don't notice is that your dog sneaks in and hides in the trunk. Once there, in the middle of the night, when you are not looking, she jumps out and heads for the bushes. The next morning, long after you're gone, she comes out whimpering for food. And to be sure, she has a tag with your name on it.
Everything on your computer is quietly telling on you. Then you can be found via correlation with something you didn't even know was there.
Operating systems keep calling home for the innocuous reason of checking that you are actually connected to the Internet (captive portal detection).
Dozens of applications run in the background all the time, permanently logged in to your personal accounts.
Your everyday browser drags along so many cookies that it can be uniquely identified by any one of them. Even in incognito mode it can be fingerprinted by the languages it accepts, screen size, history, installed fonts, plugins and who knows what else. Your "anonymous" surfing is thus marked with the same browser fingerprint as the regular one.
The computer itself could be infected by some kind of tracking malware (which is far from exceptional).
Even when everything is clean, today's computers are nothing but update machines. Every time an application checks for an update, it leaves a trace.
And all this friendly traffic follows you everywhere you go on the Internet, just like that dog. With a VPN, these connections go through the same tunnel and appear in the same logs, side by side with your anonymous activity. Then all it takes for your adversary is to ask which Skype account was logged in from that IP at that time.
There are also kinds of system traffic that could lead to more sophisticated breaches; a DNS leak (name lookups sent to the local network's resolver outside the tunnel, which shows every host you visit to whoever runs that resolver) is a popular example. But you get the idea: you leave more traces on the Internet than you might think, unless you actively restrict it.
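Here is the kind of audit a practitioner would run on the machine's own connections while the tunnel is up, to see what the dog in the trunk is doing. It is an added example, not from the original article. The flow records are constructed, loosely modelled on what `ss -tunp` or a packet capture summary would show; the interface names, process names, the VPN server endpoint and the resolver address are assumptions for the example. It flags traffic that bypasses the tunnel, DNS queries that go anywhere but the VPN's resolver (the DNS leak), and every background process that sends anything through the tunnel alongside the anonymous browser.

```python
"""Audit of a machine's own flows while a VPN tunnel is up.

Added example with constructed data. Assumed layout: the VPN tunnel is the
`tun0` interface, the tunnel's outer UDP connection goes to the VPN server at
203.0.113.1:1194 over `wlan0`, the VPN pushes the resolver 10.8.0.1, and the
only process that is supposed to talk is `browser-anon`.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "time iface proc proto dst port")

TUNNEL_IFACE = "tun0"
VPN_SERVER = ("203.0.113.1", 1194)       # the tunnel's own outer endpoint (assumed)
VPN_RESOLVER = "10.8.0.1"                # resolver pushed by the VPN (assumed)
ANON_PROC = "browser-anon"               # the one process that should be talking

# Constructed flow records; process and interface names are made up.
FLOWS = [
    Flow("14:03:01", "wlan0", "openvpn", "udp", "203.0.113.1", 1194),
    Flow("14:03:02", "tun0", "browser-anon", "tcp", "203.0.113.50", 443),
    Flow("14:03:03", "tun0", "skype", "tcp", "203.0.113.60", 443),
    Flow("14:03:04", "wlan0", "os-connectivity-check", "tcp", "203.0.113.70", 80),
    Flow("14:03:05", "wlan0", "systemd-resolved", "udp", "198.51.100.1", 53),
    Flow("14:03:06", "tun0", "browser-anon", "udp", "10.8.0.1", 53),
    Flow("14:03:07", "tun0", "sw-updater", "tcp", "203.0.113.80", 443),
]


def is_tunnel_outer(flow):
    """The encrypted tunnel itself legitimately leaves on the physical interface."""
    return flow.iface != TUNNEL_IFACE and (flow.dst, flow.port) == VPN_SERVER


def bypasses_tunnel(flow):
    """Anything else on a non-tunnel interface reaches the hotspot in the clear."""
    return flow.iface != TUNNEL_IFACE and not is_tunnel_outer(flow)


def is_dns_leak(flow):
    """A DNS query is a leak unless it goes through the tunnel to the VPN resolver."""
    return flow.port == 53 and (flow.iface != TUNNEL_IFACE or flow.dst != VPN_RESOLVER)


def audit(flows):
    """Classify flows into the three lists a reviewer of the setup would want."""
    leaks = [f for f in flows if bypasses_tunnel(f)]
    dns_leaks = [f for f in flows if is_dns_leak(f)]
    side_traffic = sorted({f.proc for f in flows
                           if f.iface == TUNNEL_IFACE and f.proc != ANON_PROC})
    return {"leaks": leaks, "dns_leaks": dns_leaks, "side_traffic": side_traffic}


def verdict(flows):
    """True only when nothing bypasses the tunnel, DNS stays inside it and the
    anonymous browser is the only process that talked."""
    report = audit(flows)
    return not report["leaks"] and not report["dns_leaks"] and not report["side_traffic"]


if __name__ == "__main__":
    report = audit(FLOWS)
    for f in report["leaks"]:
        print(f"bypasses tunnel: {f.proc} -> {f.dst}:{f.port} via {f.iface}")
    for f in report["dns_leaks"]:
        print(f"DNS leak:        {f.proc} -> {f.dst}:{f.port} via {f.iface}")
    print("processes beside the browser inside the tunnel:", report["side_traffic"])
    print("clean:", verdict(FLOWS))
```

On the constructed records the connectivity check and the system resolver both go out on the physical interface, the resolver query is the DNS leak, and two processes besides the browser talked through the tunnel; the audit passes only when the tunnel's outer connection and the browser are all that is left.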
Just as with the direct evidence, it may sound easy on paper, but in practice using correlation requires access to various information sources. It's one thing to know that evidence exists somewhere, another to know where to look, and yet another to have it extracted.
There is always uncontrolled technical risk. Hardware contains inherent security problems that manufacturers sweep under the rug, its features can be exploited as backdoors, there exist wonderfully intricate side channels, cryptographic algorithms and protocols get broken, databases with personal information leak, and software always has vulnerabilities. Trust nothing, assume everything is compromised.
Then, it's your own behavioral patterns that give you away. There is a big difference between a one-time hacking event (after which you could trash everything related to the break-in attempt, successful or not, and start over) and long-term activity (where you need to keep the same virtual identity over time).
If they set out to find you, it's no longer a one-time search, bound to fail as demonstrated before: each time they can get closer. Every time you reuse anything, be it a VPN provider, IP address, e-mail address, phone number, public Wi-Fi spot or cell phone, you leave behind more traces to correlate.
And such correlation can be very effective, even for trivial statistical reasons. Where the first search failed miserably, yielding 10000 suspects, the next time you go online in the same place using the same hardware it will again end up with 10000, but nearly all of the other 9999 will be different people, and your MAC address or cell phone will stand out clearly in the intersection.
Worse yet, if you change something, like the VPN provider, IP address, e-mail address, phone number, public Wi-Fi spot or cell phone, you leave more traces just the same, only in different places. It's slow sinking either way.
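The statistical point can be shown directly. The simulation below is an added example, not the article's own. It models each search as the set of 10000 device identifiers seen near the spot, drawn at random from a population of 100000 bystanders, plus one constant element: you, if you reuse the same hardware. Intersecting the successive candidate sets reproduces the "9999 will be different" effect, and the `rotate` switch shows the other half of the argument: a target that shows up with a fresh identifier every time drops out of the intersection (while, as the text says, leaving traces elsewhere). The population size, hit count and random seed are assumptions for the example.

```python
"""Intersection attack across repeated searches (added example, constructed data).

Identifiers are integers standing in for MAC addresses or phone identities seen
near a public Wi-Fi spot. 0 is the target; 1..N are bystanders.
"""
import random

TARGET = 0


def expected_survivors(n_bystanders, hits, rounds):
    """1 + N * p**k: the target plus the bystanders that reappear in all k
    searches, where p = hits / N is a bystander's chance of being caught once."""
    p = hits / n_bystanders
    return 1 + n_bystanders * p ** rounds


def one_search(bystanders, present_id, hits, rng):
    """One search yields `hits` identifiers: random bystanders plus whatever
    identifier the target was using that day."""
    return set(rng.sample(bystanders, hits - 1)) | {present_id}


def run_searches(n_bystanders, hits, rounds, seed=7, rotate=False):
    """Intersect `rounds` successive searches and record the size after each.

    With rotate=True the target appears with a fresh identifier each time (new
    hardware, new phone), so nothing constant is left for the intersection to
    converge on; the traces are still there, only in different places."""
    rng = random.Random(seed)
    bystanders = list(range(1, n_bystanders + 1))
    survivors = None
    sizes = []
    for k in range(rounds):
        present = -(k + 1) if rotate else TARGET
        seen = one_search(bystanders, present, hits, rng)
        survivors = seen if survivors is None else survivors & seen
        sizes.append(len(survivors))
    return survivors, sizes


if __name__ == "__main__":
    survivors, sizes = run_searches(100_000, 10_000, 6)
    for k, size in enumerate(sizes, 1):
        print(f"after {k} searches: {size:6d} suspects "
              f"(expected about {expected_survivors(100_000, 10_000, k):.1f})")
    print("target still inside:", TARGET in survivors)
    rotated, _ = run_searches(100_000, 10_000, 6, rotate=True)
    print("rotating identifiers, target inside:", any(i < 0 for i in rotated))
```

With a 10% chance of any bystander reappearing, each further search divides the suspect set by roughly ten, so five or six searches are enough to reduce 10000 suspects to one. Reuse is what makes the intersection converge; that is the whole argument for the defense principles that follow.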
We could therefore base our defense on two principles.
First, make sure that every part of the setup is in the least possible way linked to you, either directly or through correlation.
Second, make sure that the chain of evidence that leads back to you is as long as possible and every gap in it is as hard to cross as possible.
The remaining part of this text presents step-by-step instructions on how to set up an anonymous Internet connection.
• • •
Thank you for reading !
In the next (and last) part of the article:
22. Identity isolation
23. Hardware preparation
24. Getting on the Internet
25. Bootstrapping the VPN
26. Connecting to the VPN
27. Chaining VPNs
28. Working anonymously
29. Paying anonymously
30. VPNs and Tor