From Googling to emailing to social networking, every day millions of Americans unknowingly leave behind digital breadcrumbs while surfing the web, sometimes at the risk of compromising their anonymity. But while there is technology available to stay anonymous in a time of surveillance, experts say policies and legislation won’t protect web users from privacy invasion or from being attacked in cyberspace.
As a medium, the Internet has allowed its users an unprecedented level of anonymity. Usernames and avatars hide names and true identities in online forums and communities, and anyone can choose how much to disclose to others in cyberspace. However, while most understand how posting personal information could have severe consequences, very few realize their online activity can be monitored and cross-referenced to reveal clues about their identity.
“It’s important to think about every time that you interact with a third party online, they have information about you,” said Rebecca Jeschke, media relations director at Electronic Frontier Foundation.”You may buy your books online–lots of people buy things online. It’s not just social-networking sites where we volunteer this information; we volunteer it in a lot of ways.”
Take the simple task of doing a web search, for example. In 2006, The New York Times reported how leaked records from AOL revealed how users’ search-engine queries could be linked to their identities. By collecting and analyzing a user’s web searches, AOL’s researchers peeled away the many layers of cyber anonymity, unveiling the identity of user No. 4417749: Thelma Arnold, a 62-year-old widow who lived in Lilburn, Ga.
During a three-month period, Arnold typed into AOL’s search engine sentences such as “60 single men,” “landscapers in Lilburn, Ga” and “tea for good health,” clues that led AOL researchers to her. Commenting on AOL’s practice of storing users’ information, Arnold said to The Times, “We all have a right to privacy … Nobody should have found this all out.”
Search engines are just one of many places that–unknowingly to most–track users’ activity. Traveling through cyberspace, you provide information to others almost every click of the way, including to the ISP that knows your IP address, the browser that tracks which sites you have visited, and the cookies that store login or registration identification and user preferences.
And the tracking doesn’t stop there. Read digital books? Then your e-book provider probably knows which titles you have read, browsed and bought, and how long you looked at each page. Use email or IM? Do not assume your communications are private, unless OTR encryption is used on both ends. Make online purchases? Then your personal contact information, bank details and purchase and browsing history are mostly likely being tracked.
Although some argue their web activity would cause nothing worse than embarrassment if made public, privacy advocates say there is a lot more at stake than just the awkwardness of having those records exposed.
Commenting on the AOL case, Jeschke said it was a great example of how words put into a search engine “hold clues to very intimate details about your life.”
“How you read and gather information can be very sensitive,” she said. “People often go on an intellectual journey where they really discover and explore fringes of political thought or other thoughts. It’s not hard to imagine a young person reading up about homosexuality, for example, if they have questions of their sexual orientation. That’s something that’s far from illegal, but something they don’t want the world to know.”
As obvious as it may sound, many don’t realize how divulging even one personal identifier– Social Security numbers, location, date of birth, or even political, religious or philosophical opinions, among others–can unmask their identity. Whistle-blowers, for example, risk their shield of anonymity if they reveal too many clues about themselves. In repressive regimes, anonymity is crucial for citizens who speak out against the government: When Zimbabwean online journalists and bloggers documented atrocities committed by Robert Mugabe’s regime, they used various encryption techniques to protect their identities.
Even in democratic nations like the United States, anonymity holds a prominent place as a notion deeply rooted in First Amendment rights, Jeschke said.
“Without the right to speak anonymously, free speech is often killed,” she said. “[People] may want to speak about their workplace and their insight of their workplace without their boss knowing. … These aren’t things that are illegal, or that would people at legal risks, but these are things people may want to discuss in an anonymous fashion and anonymous speech is very well protected under the First Amendment.”
However, while anonymity allows people to express themselves freely without the fear of retaliation or persecution, there is always a darker side to it: It breeds criminal behavior.
From phishing and spam to botnets and DDoS attacks, global crime rings have been able to form in an environment that fosters concealment. While anonymity in cyberspace is “generally a good thing,” one imminent problem is how criminals are using it in combination with the borderless nature of the Internet to develop international crime rings, said Sean Sullivan, security adviser at F-Secure’s North American Labs.
“Cyber crime is an international problem and the lack of true authentication leads many to fall victim to scams–419 advance-fee frauds, for example,” he said. “Criminals can freely and openly do business via web forums because they are able to cloak themselves.”
As the majority of today’s cyber threats are profit based, criminals do not want to be caught or have their businesses hampered, either by law enforcement or by competitors, so almost all cyber threats work to be untraceable, Sullivan said. Compromised computers act as proxies and/or illicit bulletproof hosting is used to mask true sources. Unless serious investigations are made, at best, most cyber threats can only be traced to a proxy, he said.
“Other threats, such as worms, make tracing difficult by their very nature,” Sullivan said. “Computer worms are a form of artificial intelligence. They are their own source; they reproduce themselves, and can be designed to enter the cyber world with no trace of their authorship.”
Mischel Kwon, vice president of Public Sector Security Solutions for the Worldwide Professional Services unit at RSA, The Security Division of EMC, said many hackers will use bounce-off points for other people’s servers to traverse through their IP range so it looks like someone else is performing the malicious activity.
“That is illegal; that’s considering breaking and entering, and of course it has malicious intent behind it, and that is a problem,” said Kwon, a former director for US-CERT who has nearly three decades of experience in the design, implementation and management of critical IT infrastructure and security operations programs. “But that comes with the technology that we use, as part of how the Internet works … so it’s hard to prevent.”
Looking at the different kinds of cyber attacks currently occurring worldwide, botnet attacks are one of the largest ways and most common tactics of launching an anonymous attack, Kwon said. But implementing policies or legislations wouldn’t help preventing cyber attacks because the Internet sees no boundaries.
“You also have to remember this is a global Internet; just because we create one policy to one site that happens to be housed in the United States, that site still services the world,” she said. “And just because you’re accessing the site from the United States doesn’t mean that the policy you’d want to have established works because the site might reside in another country that has different laws and policies.”
Commenting on the topic of whether it will be more of less difficult for individuals in the future to remain anonymous online, Sullivan said it depends on the question of “where” in cyberspace.
“The future may bring a realignment of the Internet and its network of networks–untrustworthy networks that provide cloaking for criminals may be disconnected,” he said. “Businesses that are attacked from anonymous sources may well decide to pull out of those countries that allow for such attacks to [be] carried out. Google is now a prominent example of this.”