Outsmarting the Online Privacy Snoops

With the controversy over Internet privacy growing, more businesses are seeking to ease user concerns by offering new tools that enable anonymous searches and Web surfing.

In recent hearings, members of Congress chided U.S. companies for helping China monitor and restrict its citizens' use of the Internet. But in the U.S., surfers are not necessarily exempt from such monitoring: The White House has recently subpoenaed U.S. search engine records for use in its defense against an American Civil Liberties Union lawsuit challenging the constitutionality of the anti-child porn Child Online Protection Act.

"If you care about privacy online, you need to actively protect it," says Roger Dingledine, director of the Tor Project.

The Tor Project, a grassroots network of online volunteers, is backed in part by the Electronic Frontier Foundation. Tor's free software lets you request and view Web pages without revealing the location of your computer to the site--information most sites collect from traditional browsing.

Meanwhile, Lance Cottrell, president and founder of Anonymizer, is developing a Chinese version of his commercial Anonymizer software. He says that by the end of March he will make this version available to Chinese citizens who wish to conceal their Web whereabouts from government snoops and censors.

"We see protecting privacy as a moral imperative," Cottrell says.

Government Ties

Both the Tor Project and Anonymizer have ties to the U.S. government. The Tor Project was originally funded by the U.S. Navy. According to Dingledine, the government still uses Tor for intelligence gathering. Tor, he says, is an ideal tool for government investigators who wish to visit or monitor Web sites without creating Web log records of IP addresses that could be traced to government computers.

Anonymizer's ties to the U.S. government stretch back to 2003, when the company worked with the Voice of America to provide anonymous surfing tools to the Chinese public. That contract has lapsed, but Anonymizer now works with VOA to give Iranians the ability to use the Internet without fear that government snoops will try to block or intercept Web page requests. Cottrell says his company is footing the bill for the upcoming Chinese-language version of his software.

"I started this company because I'm passionate about privacy," Cottrell says. "And I won't sit idly by while the freedom of the Internet is crushed and access to information is restricted under the thumb of repressive regimes."

Anonymizer and Tor hide the numerical Internet address that is assigned by your ISP when you log on and can be used to identify your PC. This is important because censors in China, for example, can block Web page requests made by PCs whose IP addresses are controlled by a Chinese ISP. If censors cannot determine whether a PC has a Chinese-controlled IP number (and is therefore presumably located in China), they can't prevent that PC from accessing censored content.

Hiding the Path

Tor hides a PC's numeric address by routing page requests through at least three Tor servers, making it impossible to trace a page request back to the PC that actually made it.

The Tor Project makes several versions of its software. One version turns a PC into a Tor server, while a second version allows you to access the network of Tor servers to anonymously surf the Internet.

Another version of Tor, called TorPark, fits on a USB flash memory drive. Simply plug the USB drive into an Internet-connected PC, run the TorPark software from the drive, and it will launch the Tor program, which creates an encrypted connection between your computer and the Tor network.

But Tor can slow down your Internet access. During my informal test of Tor, a normally lightning-fast broadband connection to the Internet was reduced to something comparable to dial-up service. This experience with the current version of Tor, Dingledine says, is typical given the network demands of 500,000 users, with more than 250,000 coming on weekly from China alone.

Page Within a Page

The free version of Anonymizer currently being promoted in Iran works slightly differently than Tor. It defeats snoops by routing Web requests through a Web-based proxy server. No software download is required: All an Iranian citizen has to do is visit the Anonymizer Web page and submit the Web address of the site they wish to visit. Anonymizer displays the desired site in the browser window.

The concept is simple: Instead of requesting a Web page directly, you send your request to another computer--called a proxy--that fetches the page from the site and passes it on to you. Your target site sees only a request from Anonymizer; it can't tell where the page goes after that. And anyone watching your Net connections sees only communication between you and the Anonymizer server. For good measure, Anonymizer also scrambles your communications using Secure Sockets Layer encryption.
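The following is an added illustration, not code from Tor, Anonymizer, or the original article. It models the two designs described above (a single Web proxy, and Tor's chain of three servers) and records which address each party sees. The host names, the relay names, and the toy cipher are assumptions made for the example.

```python
import hashlib
import json
import os

def toy_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 keystream). Illustration only, not real cryptography."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def make_keys(relays):
    """One secret per relay, shared only between that relay and the client."""
    return {name: os.urandom(32) for name in relays}

def wrap(relays, keys, dest, request):
    """Client side: build the layers innermost first; each names only the next hop."""
    hops = relays[1:] + [dest]
    payload = request.encode()
    for relay, nxt in zip(reversed(relays), reversed(hops)):
        layer = json.dumps({"next": nxt, "data": payload.hex()}).encode()
        payload = toy_xor(keys[relay], layer)
    return payload

def route(client, relays, keys, dest, request):
    """Carry the request hop by hop and record what each party can observe."""
    seen = {"local-watcher": {"from": client, "to": relays[0]}}
    payload, prev = wrap(relays, keys, dest, request), client
    for relay in relays:
        layer = json.loads(toy_xor(keys[relay], payload))
        seen[relay] = {"from": prev, "to": layer["next"]}
        payload, prev = bytes.fromhex(layer["data"]), relay
    seen[dest] = {"from": prev, "request": payload.decode()}
    return seen

def can_link(seen, client, dest):
    """Parties that see both the client address and the destination."""
    return [n for n, v in seen.items()
            if v.get("from") == client and v.get("to") == dest]

if __name__ == "__main__":
    # Constructed names: "client-pc" is the user, "example.org" the target site.
    for relays in (["proxy"], ["relay-A", "relay-B", "relay-C"]):
        seen = route("client-pc", relays, make_keys(relays), "example.org", "GET /")
        for party, view in seen.items():
            print(f"{party:14} {view}")
        print("can link client to site:", can_link(seen, "client-pc", "example.org"), "\n")
```

In the one-proxy run the proxy itself sees both the client and the site, which is why a single proxy has to be trusted by its users; in the three-relay run no single relay sees both.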

Anonymizer makes a free limited-use version of its browser-based service available at its Web site, but its bread-and-butter business is selling subscriptions for beefed-up versions of its software that include anti-malware and anti-phishing protection.

Cottrell says the Chinese version of Anonymizer that he is working on will be more like the one his paying customers use. It will be a software download that runs on a PC, establishing an encrypted connection to Anonymizer's servers. This version of Anonymizer will reroute page requests to desired Web sites and send the traffic back to the end user.

More Proxy-Based Options

Services similar to the proxy-based version of Anonymizer can be found at BeHidden.com and at WhiteFyre, a United Arab Emirates-based Web site that offers a tool called PHProxy.

"I originally come from Saudi Arabia, where the Internet is censored from head to toe. So naturally, a need has arisen to bypass these restrictions," says Abdullah Arif, creator of the anonymous PHProxy software.

For those concerned about Google or Yahoo keeping tabs on their search requests, Google critic Daniel Brandt has created a site called Scroogle. Scroogle acts as a proxy, but only for Google and Yahoo, allowing users to search either site without sharing their IP address.

Censoring the Anonymizers

The big failing of these programs is that the government can eventually figure out which Web sites offer them, and can then censor those sites.

To deal with this problem, Anonymizer sends out a daily e-mail to subscribers that lists the latest sites that link to Web-based open proxies, so they will know what sites are available. The possibility that government censors also get these messages doesn't bother Cottrell: He says it takes at least 24 hours to block a site, and by that time a new e-mail has already gone out with the next day's list of open proxies.

The Tor Project works in a similar fashion. But Dingledine says the next version of his Tor client software will automatically discover open network proxies.

"The more countries like Saudi Arabia, Iran, and China impose restrictions and censor the Internet, the more creative and advanced we get in circumventing their restrictions," Arif says. "As Plato said, 'Necessity is the mother of invention.'"
