Anonymous browsing with Tor reduces exposure but still has risks

In an age of tracking by governments, ad networks, and criminals, trying to break free of observation is a worthy goal.

mit anonymity Riffle privacy
Credit: MIT News

You can be tracked and have your data intercepted from many angles, by legitimate and illegitimate actors alike: governments, criminals, personal enemies, corporate spies, children without moral compasses, you name it. Many techniques let you encrypt and shield your data at rest, on your devices and on remote servers, and in transit.

But there’s one problem with all the shields you can put up: when you need to use to use a website, you’re giving yourself away, whether it’s from your current location or via a virtual private network (VPN) service that encrypts your request out to a data server location from whence it issues. Tracking which sites you visit or observing VPN end points can reveal a lot, even if the contents of sessions can’t be determined. And websites and VPNs can be blocked, as activists and average citizens in many countries have discovered.

There’s a way around this. Anonymous browsing promises some of the benefits of evading tracking from marketers, criminals, and spies, while also giving you access to information you need. It doesn’t work for every website and comes with a long list of provisos. However, it’s extremely easy to set up and use, and even the workarounds in countries that attempt to block anonymous browsing aren’t yet onerous.

(This column is part of an ongoing series on ways to protect yourself as if you suddenly found you were a dissident in the country in which you lived. Previous columns deal with passwords, where data is stored, protecting data in transit, and other topics.)

Use the Tor browser

privatei tor network circuit IDG

Each Tor session creates a “circuit” through intermediate routers, none of which knows the full path.

The Tor Project develops the Tor browser, a multi-platform Web viewer that relies on passing through a series of encrypted tunnels to and between Tor routers that are run by volunteers and organizations around the world. Each session, which lasts about 10 minutes, creates a “circuit” through a randomly selected set of routers. No router knows about anything except the immediately previous and successive connections. Encryption established by the originating browser prevents any snooper learning more about the full pathway. It’s effectively a series of anonymized VPN tunnels.

The Tor browser, which is built as a modified version of the Mozilla Foundation’s Firefox, enables a number of features by default, including always-on private browsing mode. But it has its own privacy and security settings, reachable via a green onion icon in the toolbar. (Tor’s name once stood for The Onion Router, referring to a technical definition of onion.)

privatei tor security settings IDG

The privacy settings let you clamp down on browser characteristics that can be used to track or identify your browser uniquely.

In these enhanced settings, the Tor browser’s sets several options by default to make you less easy to track using well-known techniques that can uniquely identify a browser by installed fonts, browser version, platform information, and other data a statistically significant percentage of the time. You can bump up a protection slider higher than the default, reducing the odds of being characterized uniquely, and making it harder for a remote party to have potential pathways for malware.

Tor doesn’t solve all problems. The project notes that someone observing both a website’s traffic and your computer could infer that a given session is related to your usage; that’s a government-scale form of activity, which could be pinpointed against an individual or could be a country-wide strategy to track as much Tor use as possible. However, that only works reliably for websites that an observer can monitor to match the timing of requests.

And if you log in or enter identifying details at the site you’re browsing, well, you’re maybe defeating the purpose of anonymization, although you still get the general benefits of privacy and a lack of tracking.

privatei tor network setup IDG

When launching the Tor browser for the first time, you pick a network configuration path, which can be changed later.

The browser is free and requires no manual configuration to install and set up. You’re asked the first time you launch the Tor browser whether your Internet service provider (ISP) blocks connections to the Tor network or not. If so, you may need to go through additional hoops, which Tor documents thoroughly. End points identified by their Internet protocol (IP) number exist worldwide and change constantly, and obfuscating protocols allow using these “bridges” to bypass local blocking.

Because of how iOS lets apps access networks and settings, there’s no official Tor browser for the iPhone and iPad yet. The Tor Project recommends the third-party Onion Browser, although it’s not as full featured as desktop versions. In a recent blog post, the project described work underway that might improve Tor browsing in iOS.

Anonymity is just one tentpole

Note the Tor Project—and I—hedge the notion of anonymity, because whenever you’re using a public resource, like an Internet-reachable website, using an Internet-connected device, you can’t have anything resembling true or absolute anonymity.

However, as with most well-designed tools designed to enhance and protect privacy and security, you’re setting the bar much higher, and possibly beyond the reach of, anyone trying to break through to observe your actions.

To comment on this article and other Macworld content, visit our Facebook page or our Twitter feed.
Shop Tech Products at Amazon