This is a transcript of a podcast discussing anonymous browsers.
Speaker Key: PB Phil Brown, DW David Whelan
PB: Hi, it’s Phil Brown. I’m here with David Whelan, and today we’re going to talk about anonymous web browsing.
DW: We are all much more aware than we might have been about a year ago about how governments are starting to look at everything that we are doing online, and it might be making you a little bit paranoid. Why should we be paranoid about our web browsing, Phil?
PB: Well primarily the reason why we are going to be paranoid is because we have an obligation to protect client confidentiality and, for instance, if we’re doing some research on behalf of a client, it would be nice to know that we are out there looking without necessarily leaving a trail.
DW: It’s funny how just a couple of years ago we were concerned about doing research in coffee houses because maybe people were watching our traffic, but now we realize that even if we secured it the government would have been sniffing at it as it went past anyway.
PB: I know a lot of the news that’s been out there about the things that the US government might be spying upon are related to emails and interception of emails, but I think it would be naïve to think that they’re not also looking at the browsing traffic that’s going on as well.
DW: That’s right. And it can be confusing. If you have a modern or current version of one of the major web browsers, meaning Microsoft’s Internet Explorer, Firefox from Mozilla, or Google’s Chrome, they actually have some modes that can make you think that you are browsing anonymously but you really aren’t. And the one I’m talking about is called “Incognito”. If you switch into “Incognito” mode in your web browser you are no longer leaving traces on your local computer, but you are still leaving traces out on the web for other people to find.
PB: So in spite of the little clever artistic impression of one of the spy-versus-spy guys that’s up in the corner of your web browser that makes it look like you have completely gone stealth, it is really just not tracking information on your computer in front of you.
DW: That’s right. You really need to be thinking about where you’re going and what you’re trying to do. So when you open up a web page in your web browser you are actually sending a request to a computer that has that web page sitting on it and then it sends it over the Internet to you. When it sends that file over and any pictures that are related to it and so on, it will often track where you are coming from, the specific IP address of the computer you are on, and certainly the country and city that you are in. It will also probably know information about the type of web browser you are on, the type of computer or operating system that you are using and so on.
PB: Before we get into the idea of anonymous browsing, maybe it’s a good place to point out that everything that you put into your computer, for example, a password to sign on to Facebook, a password to sign on to Twitter, or even just logging into your computer, all of those passwords are resident in a file on that computer.
DW: That’s right, and depending on where they are stored, in Windows for example they are stored in a secured area, but in web browsers you can go into most modern web browsers, click on a button next to the password where it is saved, type something like “show me the password” and you can see it in plain text. So it is not always as secure as you might think, although it is very convenient to have them saved inside your web browser.
PB: So now let’s talk about the anonymous portion of web browsing as opposed to the incognito mode. One of the reasons you might want to be anonymous for example is that there is a statistic out there that suggests that if you visit the 50 most popular websites there is going to be over 3,000 tracking files installed on your computer.
DW: That’s right, and those are commonly known as cookies. There are lots of joke you can make obviously about having cookies on your computer, but they are little files that are put there in some cases when you click the button that says, “remember me”, and that’s the cookie that they use to remember who you are and when you logged in so that they can give you the same kind of experience or the same setup on the website that you had when you came the first time.
PB: And cookies are also used for security. For instance, if you are logging into your American Express account or your banking account they are used to confirm that you are who you say you are. Even though you are putting in a password it is checking to see if you are using the same computer you have used before, things like that.
DW: Right and those are the cookies that you really want to use because obviously they help you to be more efficient, more productive going to websites, and getting in and out of sites. But there are also cookies being downloaded that relate to the advertisements that appear on websites or that may track what you are doing during the session when you are at a particular website. That information is then aggregated and made available to people who might be advertisers or the owners of the site that you are visiting. It is probably a lot more information than you would want to share if you were working on a client matter.
PB: And a lot of this information is sold to people for marketing purposes and for sales.
DW: Right and there has been a big pushback against having all of these cookies saved. I think many of us are now seeing the ability to opt out from being tracked on the web and to block the cookies from being downloaded. Certainly the recommendations tend to be, block whatever cookies you can so that you are not leaving this tracking profile out there.
PB: As we know there is going to be a future without cookies and of course the threat detection companies and the marketing companies are already thinking, “how are we going to track people without cookies?”
DW: That’s right. Your phone has a particular ID, your web browser, and the combination of all the factors of how you interact with a website may be enough of a fingerprint that they don’t need to leave a cookie. They can tell based on other factors or other features that identify you.
PB: So there are ways to browse anonymously. There are a couple of specific browsers that we are going to mention without endorsing any, but these ones are just starting to come to the forefront or at least to our notice, that enable users to anonymously browse the web. One of them would be Tor. Can you tell us a little bit about Tor?
DW: Sure. Tor is an acronym for The Onion Router because it has layers of anonymity, and so it is almost like a separate network where you have to connect with it using a Tor client, which is a piece of software is sort of like a VPN, where you log into Tor and then you can surf through what is called the dark web. Your activity is anonymous when you want it to be, and it can also go across the public Internet or the wider Internet. An example of a client that will connect you to Tor is called Orweb.
PB: Is there a record anywhere of the searching that is being done?
DW: Well again, up until about a year ago people were pretty confident that when they were on the Onion Router, on Tor, it was pretty much secured and there wasn’t a trace of who you were or where you travelled from. You would essentially connect to Tor and pop out the other end, and that traffic was completely anonymous. But there is some concern now that some of the Tor computers may have been compromised, and so some of that tracking may still be traced.
PB: Another browser that is gaining some traction is called Epic, which is very similar to Tor. Again, you download it, add it to your computer, and are able to anonymously surf the web without picking up cookies and so on as you go. It also does a number of other things. It doesn’t, however, do the autofill for you that Chrome or Internet Explorer will often offer where it fills in links for you or come up with best guesses as to the website you might have been looking for. All of those things are based on cookies in your computer or the information that is held on the website because you have been there before and it is all profiling you as you go.
DW: Any time that your computer offers you information that is meant to help you usually means that you are balancing your convenience with your security. So if you are finding something to be very convenient, you should also be aware that it may be compromising your security.
PB: I don’t know if anyone has ever done a search to find out what their Google history is, but there is a history of every site that you have been to and how many times you have been to a particular site.
DW: Yes, it can be challenging to get rid of it too, particularly with Google Chrome. It seems to stay there a lot longer. And you can clean your Internet history from your browser and still find some disconcerting suggestions.
PB: And these browsers wipe out things like that, but you also give up some features: you don’t have web extensions, spell checking, autofills, and things like that.
DW: Yes, and so you may want to have one of these browsers available for those times when you do research that requires that you have that depth of security and anonymity. You can use your normal web browser while taking some care like using secured or anonymous search. Then you can have the best of both worlds.
PB: I just wanted to mention that there are a couple of different search engines you can use to anonymize your search for particular things.
DW: Yes, when you use Google these days, certainly if you have logged in with a Google account, but even if you haven’t, they are now trying to make your search information inaccessible to the site where you are visiting. So in the past if you went to your web browser, went to Google and typed in, “doughnuts Tim Hortons”, and ended up going to a Tim Hortons website, the website person at Tim Hortons would know that you had typed in “doughnuts Tim Hortons”, and they would value that information. Now when you type that in and go to their site they get something that says nothing about who you are or where you came from, from the perspective of the search terms you used. They would still know where you came from, the city or town, or the computer, but they wouldn’t know how you got there or the search terms you used to get there.
PB: But Google would still know.
DW: Google would still know, so yes that is definitely an issue, and you want to be aware that that’s being stored somewhere.
PB: And they’d be happy to sell that information to Tim Hortons as well, to tell them how their customers found them.
DW: Right. The only benefit there is that they probably wouldn’t sell the information about who you are or those sorts of details. So Tim Hortons wouldn’t be in the position of being able to know that you stopped by at eight o’clock looking for doughnuts.
PB: That’s right, and this is almost trite to say, but it is a good idea to look through those click-through privacy agreements to find out what information is being tracked, how long it is being kept, whether it gets sold off to anyone else, or held confidential.
PB: All right. And that’s our brief look at anonymous browsers. I have a suspicion we will do another podcast about this as well.
DW: Surf carefully, Phil.
PB: All right. Take care, David.