
Is Flawless Anonymity Possible?

Anonymity is the condition of being anonymous. Let’s suppose you want to post the most anonymous comment on a social network imaginable. What kind of tools do you need for that? VPN? Tor? SSH tunnel? In fact, none of the above. It suffices to purchase a burner SIM card and a used smartphone on a flea market nearby. Then, drive as far from your place of residence as you can, insert the card into the phone, leave the comment, and drown the device in the river. That’s it!

But what if you need more than just to write a comment once while concealing your IP address from some website? Imagine you want to reach a degree of anonymity that’s extremely hard or impossible to compromise at any level and even conceals the fact of your using anonymization tools to a certain extent. This is precisely what this article is about.

Just like any perfect thing, flawless anonymity is more of a theoretical concept, but it’s within the realms of possibility to approach it closely via multiple different layers of protection. You cannot be uniquely identified as long as you leverage a combo of technologies complementing each other, even if fingerprintable system values are used to distinguish you from the others.

This entry isn’t a call to action, and I absolutely don’t endorse any type of law violation regardless of the country you are in.

Entry-level security

This degree of security and anonymity can be roughly achieved by means of the following scheme: Client > VPN/Tor/SSH tunnel > Target.

Essentially, this is a fine-tuned alternative to using a proxy that simply allows you to obfuscate your IP address. It doesn’t provide any genuine anonymity you could rely on. This scenario is susceptible to node compromise, browser fingerprinting, and commonplace log analysis at the ISP or data center level.

Incidentally, some people consider a private VPN to be more effective than public VPN services because in the former case they are certain that their system is configured the right way. Let’s imagine somebody knows your external IP, hence they know the data center that, in turn, knows which server this IP refers to. Do you really think it’s difficult to figure out the actual IP address that was used to connect to this particular server? Not to mention that few people will ever bother to encrypt their drive and adopt protection against hardware seizure.

No one is likely to notice their server being rebooted at init level 1 and the VPN logs being switched on under the guise of fixing “minor technical issues at the data center”. As a matter of fact, this might not even be necessary, given that all of the server’s inbound and outbound addresses are known.
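The log analysis described above can be illustrated with a short added example (not part of the original article). It works on constructed flow records for a hypothetical VPN server and shows why a private server leaves exactly one candidate client, while a shared service leaves several; as a step beyond the text, it also intersects the candidates across repeated visits to the same target. All addresses, times and names are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    start: float  # seconds, arbitrary epoch
    end: float
    src: str
    dst: str

SERVER = "203.0.113.10"  # constructed VPN server address
TARGET = "192.0.2.80"    # constructed destination site

# Constructed flow records, as a data center could export them for SERVER.
PRIVATE_VPS = [
    Flow(100, 900, "198.51.100.7", SERVER),  # the only client tunnel
    Flow(300, 310, SERVER, TARGET),
    Flow(700, 705, SERVER, TARGET),
]
SHARED_VPN = [
    Flow(0, 1000, "198.51.100.7", SERVER),
    Flow(200, 400, "198.51.100.8", SERVER),
    Flow(250, 800, "198.51.100.9", SERVER),
    Flow(300, 310, SERVER, TARGET),
    Flow(700, 705, SERVER, TARGET),
]

def clients_online(flows, server, when):
    """Sources with a session into `server` that was open at time `when`."""
    return {f.src for f in flows
            if f.dst == server and f.start <= when <= f.end}

def candidates(flows, server, target):
    """Clients online during every server->target flow (None if there is none)."""
    result = None
    for out in flows:
        if out.src == server and out.dst == target:
            online = clients_online(flows, server, out.start)
            result = online if result is None else result & online
    return result

if __name__ == "__main__":
    print("private VPS:", candidates(PRIVATE_VPS, SERVER, TARGET))
    print("shared VPN :", candidates(SHARED_VPN, SERVER, TARGET))
```
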

Speaking of Tor, first of all, using it may appear suspicious in itself. Furthermore, all the outbound nodes are known, many of them are simply banned, and traffic from them is a major red flag for many sites. For instance, Cloudflare allows customers to define whether their firewall should accept Tor connections.
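Because the outbound nodes are public, a site operator can label Tor traffic with a simple set lookup. The following added example (not from the original article) does this over constructed access-log lines; the exit list layout (one address per line, optional `#` comments), the sample addresses and the function names are assumptions.

```python
import ipaddress

# Constructed exit list (documentation address ranges only), assumed to be
# one address per line with optional '#' comment lines.
SAMPLE_EXIT_LIST = """\
# constructed sample
192.0.2.15
198.51.100.23
2001:db8::5
"""

# Constructed access-log lines; the client address is the first field.
SAMPLE_LOG = [
    '192.0.2.15 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 1024',
    '::ffff:198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "POST /c HTTP/1.1" 403 0',
    '2001:DB8:0:0:0:0:0:5 - - [10/Oct/2023:13:56:07 +0000] "GET /feed HTTP/1.1" 200 9',
    '- malformed line',
]

def load_exit_list(text):
    """Parse the list into a set of address objects, skipping junk lines."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue
    return exits

def normalize(raw):
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(raw)
    mapped = getattr(addr, "ipv4_mapped", None)
    return addr if mapped is None else mapped

def classify(log_lines, exits):
    """Map each client address as logged to 'tor-exit' or 'other'."""
    verdicts = {}
    for line in log_lines:
        raw = line.split(" ", 1)[0]
        try:
            addr = normalize(raw)
        except ValueError:
            continue  # first field is not an address
        verdicts[raw] = "tor-exit" if addr in exits else "other"
    return verdicts
```

Comparing parsed address objects rather than strings is what catches the IPv4-mapped and uncompressed IPv6 spellings in the sample log.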

In summary, if you need to hide your most important personal data from the rest of the world and get around the basic website access restrictions while keeping your connection speed high enough and being able to funnel all the traffic through a different node, then you should opt for VPN. The best pick is a paid service. It costs just about as much as a VPS (virtual private server) that works within your own country and needs to be configured and maintained. As opposed to that, a commercial VPN supports dozens of countries and hundreds or even thousands of outbound IPs.

Medium level of security

This level of online security is an enhanced variant of the basic one covered above. It can be implemented as follows: Client > VPN > Tor > Target. In this case, combining different technologies increases the efficiency of each one. Don’t expect too much from this set-up, though. It does prevent remote observers from determining your real IP address, but it still keeps you exposed to the attack vectors described above. It’s your physical workspace, your machine, that’s the weak link in this protection chain.

High level of security

Here’s what it looks like: Client > VPN > Remote workspace (over RDP or VNC) > VPN.

The work computer should be a remote one rather than your own. Ideally, it’s a Windows 10 machine with Firefox, a few plugins and codecs installed, and no offbeat fonts and suchlike plugins on board. It should be typical and hardly different from millions of others on the Internet. Also, even if you experience a data leak or fall victim to some other compromise, you will stay hidden behind an additional VPN.

Flawless security

The scheme is as follows: Client > Double VPN (hosted in different data centers that are close to one another) > Remote workspace with a virtual machine > VPN.

This technique involves a primary and secondary VPN connection, the latter covering your back in case the former gets compromised. This way, you conceal your traffic from the ISP and don’t reveal your real IP address to the data center hosting the remote workspace. There is additionally a virtual machine on the same server.

I have put this scheme through quite a bit of testing. The slowdowns are tangible, even if the set-up is properly implemented geographically, and yet the performance is tolerable for the most part. It’s important to refrain from dispersing the servers across different continents. Here’s another element of the logic: make sure your servers aren’t all located within, for example, the European Union, because different law enforcement entities collaborate closely in that region. Meanwhile, don’t disseminate them too broadly either. Neighboring states that don’t get along well with each other are the perfect spots for your servers.

One more thing you might want to add to the mix is automatic hits to websites taking place in the background from your real computer to emulate garden-variety web surfing. This will keep you off the suspicion radar by making it look like you aren’t using any anonymization tools. Also, consider using Whonix or Tails and go online via public Wi-Fi every now and then, having modified the network adapter’s details that might entail de-anonymization.

The ordinary VPN is a dependable instrument to circumvent the commonplace Internet restrictions while keeping your connection speed at a decent level. If you want more anonymity, add Tor to the chain, but be advised you will have to sacrifice some speed in this case. If you want even more, follow the recommendations above.

It’s not that easy to get around browser fingerprinting and attempts to de-anonymize VPN usage based on the time it takes a packet to go from a user to a website, and then from the website to the user’s IP address. You may be able to successfully foul the trail a couple of times, but you never know what new de-anonymizers will splash onto the scene tomorrow. That’s exactly why you need a remote workspace and virtual machine to stay on the safe side. Such a solution can cost as little as $50 a month. Keep in mind, though, that you must pay with Bitcoin only.

Last but not least, the most important prerequisite for safeguarding anonymity is to separate your work with regular personal data and with sensitive information that has significant value. All of those encrypted tunnels and complex schemes become worthless once you sign into your personal Google account while using one of them.
