Is online anonymity just a myth?

August 4, 2017

Browsing anonymity may seem appealing for various reasons. Regardless of whether they have something worth hiding/protecting or not, those who know better appreciate the value of online privacy protection.

But is VPN-supported anonymity all it is rumored to be, or not? A study coming from a joint Princeton and Stanford researcher team seems to prove otherwise.

Anonymous browsing still allows user identification

When anonymously browsing the web, users generate de-identified browsing histories. Nevertheless, these supposedly safe – from the privacy point of view – datasets in fact contain “tell-tale marks of identity”.

All online activities generate user identities – officially or not. Yet, user tracking it is an online advertising industry common practice. Some companies admit attaching identities to these browser histories, others don’t. Most such organizations claim that they ensure individual anonymity while recording, keeping and processing such data. When willingly browsing anonymously, web users transmit an extra request for privacy.

On top of this, when employing VPNs, users mask the original IP address inside the VPN tunnel. From the outside, it is uncertain whether the address marks the real user location or not. Depending on the amplitude of the virtual private network, the location of one or other of its users may be hard to determine. In simple terms, “using a VPN to hide your IP address and location in this way is called anonymous net surfing”.

However, there are important differences between pseudo-anonymity, anonymity and untraceability – and the study bases its findings precisely on these nuances.

How de-anonymization works (the big picture)

As the study itself mentions, the de-anonymization literature is extremely vast. In short, whenever the type of web surfing does not comprise real untraceability in its formula, de-anonymization is always possible. The only thing that differs is the degree of skill and technique necessary for those who engage in the de-anonymization activity itself.

Therefore, all means by which users “instruct” trackers to not follow them are just a polite, yet ineffective gesture. In return, the search history, as seen by the user itself, will appear less crowded or simply blank. But to mistake this for privacy protection and/or anonymity would be a huge error. Via specialized algorithms, certain interested parties can still determine which user did what. They may also map the user behavior through multiple devices, determine the connection degrees between different accounts. Overall, certain parties can track the real life users through all their online activities, even in real-time.

We leave the details for the most passionate to read – the above-mentioned link takes you to the study itself.

Who benefits from the de-anonymization possibilities

The research team explains the who the network adversaries are. From an employer legitimately trying to supervise what goes on in the company network to “government surveillance agencies, Internet service providers, and coffee shop eavesdroppers”, to hackers searching for details.

You perhaps remember how social engineering works. Malicious groups first gather info on individuals and companies, then prepare plausible scenarios that would determine their targets to click on infected links or prompt valuable information to them. Tracking someone’s online movements is an extremely useful preliminary move in social engineering techniques.

We should add here those companies that employ tracking techniques that borderline hacking – although their intent might be solely motivated by marketing purposes. Yet, when going over the officially admitted limits in tracking users, companies themselves become soft network adversaries. The study does mention the policy of Facebook or Google, which track users under their real identities “exploiting the fact that they are prominent first parties as well as third parties”.

What is there to do for anonymity enthusiasts?

The study itself does not provide any solutions. It just proves via detailed simulations that de-anonymization is real. What users can make out of this conclusion – this is another matter.

Just think what difference would it make to know that your VPN is not actually protecting your identity? Would you refrain from certain online activities? Would you take these activities on a different device or schedule them in another way? Or is it just a matter of feeling like someone is breathing down your neck while browsing the net?

Perhaps the idea that VPNs circulate encrypted data is the most important thing for you – and the fact that, beneath the layers of encryption, somebody out there has pinned all your activity on your identity is not important. Nevertheless, the difference between anonymity and partial cloaking or data encryption is actually considerable.

One detail worth remembering consists of the key role played by social networks in pinpointing individual identity. Public information available via the users’ own will serves in online identification. When combining it with other online traces that we leave without even being aware, and adding some medium-power algorithms in the mix, the limits of tracking expand further.

Those who care about their online anonymity should use all available means for opting-out of all forms of online tracking. Employing VPNs guarantees for data encryption. It also makes it harder for network adversaries to track your moves. Nevertheless, it does not provide actual anonymity.