The Difficulties of Anonymity Online

Quite some time ago, I wrote a piece questioning whether Anonymity will ever be impossible online. At the time I concluded that it would always be possible, what I didn't touch upon is something highlighted recently - the huge amount of trust you need to place in others to actually achieve anonymity.

This post looks at the mistakes that can be made, as well as where true anonymity is not always necessary.


What is True Anonymity?

When I write about true anonymity, I mean cases where it is difficult for anyone to find out the source of whatever you are up to. Posting an anonymous comment to a forum wouldn't generally qualify as needing true anonymity unless you were posting something really outrageous!

The thing about the Internet is it's very difficult to be 100% anonymous, someone, even if just an ISP will know that IP x.x.x.x connected to such and such site, even if that site is simply a proxy server. It's more about making it so difficult to trace back that the benefits of doings so simply aren't worth the effort required. Much like modern cryptography in fact, it doesn't need to be 100% unbreakable, just so strong that it's not usually worth the effort to break it.


Where is True Anonymity required?

Although we all like to be anonymous from time to time, there are things we do online that do not require true anonymity. The level required depends entirely upon what you are planning to do, whilst you probably don't want your name splashed in lights when you are watching - ahem - adult content, a pseudonym is usually sufficient. Quite aside from the issues with latency, not many people would feel it's necessary to route their connection through multiple relays to watch legal, if adult, content.

For some, a simple pseudonym is protection enough for trolling, even when posting derogatory comments on the FaceBook profiles of dead soldiers. Not necessarily the wisest move, but it does highlight how the mindset of the user directly impacts the level of anonymity deemed appropriate. Some however, may pass through a single proxy in an attempt to hide their identity.

If, however, you were planning on attacking the website of a multinational corporation, you would obviously want to take a few more precautions. A direct connection to a single proxy is better than a direct connection from your PC to the target, but you'd really want to make it a little harder. So you route your connection through multiple relays around the world, and tolerate the increasing levels of latency that go with it.

In an ideal world, the latter case could be so hard to trace that, despite best efforts, the investigation ends without having collared the culprit.


Where It All Falls Down

The weak point is the level of trust you have to place in a third party. There's absolutely no point in routing connections through servers you own, or that are even affiliated with you (we'll conveniently ignore cracked servers for now!).

It doesn't matter whether it's a company, or someone you know; if they are keeping records of IP's connecting in and the corresponding outbound connections, you've become a lot easier to find.

As happened in the case of HideMyAss, those logs could be all that's needed to finish connecting the dots and identify the attacker. It could be that the proxy company you are using keeps the same basic logs, or even that your 'friend' wasn't quite as techy as he claimed and didn't realise that his server was logging all connections. It only takes one mistake to get caught, and the mistake could easily be who you place your trust in.


Right or Wrong

Following the HideMyAss incident, parts of the internet are now divided into two camps: those condemning HideMyAss and those supporting them. Ultimately, lessons will be learned from the incident and it seems likely that those requiring higher levels of anonymity will perhaps be more careful about who they trust in future. As mentioned in the HideMyAss blog, the service is largely designed for circumventing censorship and the T&C's state that it shouldn't be used for illegal activity.

Whether it's then right for HideMyAss to keep even basic logs is down to the individual to decide, but it does show that if you truly want to be anonymous on the net, you need to think very carefully about who you trust. There are a number of methods that can be used which are more effective, if not nearly as convenient, as those provided by VPN suppliers purely because you don't need to trust a company that is bound to obey the laws of the country/countries it operates in.



True Anonymity is not actually necessary for the main body of things one may do on the Internet, but it is still achievable for those who desire it. Only those who actually understand the true nature of subterfuge are likely to achieve it though, as many of the considerations required to truly stay anonymous don't seem to be being observed.

Despite being quite an obvious mistake, trust was placed in a Western company to protect and individuals identity from a Western state. It was just never going to happen, as much as HideMyAss may or may not believe in the ideals of Anonymous & LulzSec they are bound by UK law and probably don't wish to risk their business simply to try and help someone who would have seen the danger if he'd read the T&C's.

It doesn't matter whether you're fighting a battle in real-life, or sending packets into battle, good solid intelligence is a must, and the downside of that is simple: If you are going to trust a site/person/company with anything that could trace back to you, you need to read their terms and conditions very carefully! We all know that a Tor endpoint can be compromised and configured to intercept sessions, and it's something considered when deciding if Tor is the appropriate solution for our task, it's not that big a stretch to actually apply that level of consideration to all other possible solutions!

I don't condone attacking other sites/servers (at least not without permission!), but those that do often focus on just one area - technical expertise. If you want to successfully attack sites and potentially get away with it, there is a lot more to it than simply knowing your way around software/hardware. Failure to observe proper controls will eventually lead to getting caught!