{{Header}}
{{Title|title=
Tips on Remaining Anonymous
}}
{{#seo:
|description=Non-technical steps for staying anonymous
|image=No-admittance-98806-640.png
}}
[[File:No-admittance-98806-640.png|250px|thumb]]
{{intro|
The wiki page provides guidelines and good habits for online privacy and security, with a focus on distinguishing between anonymity and pseudonymity. It also offers tips for using Tor with the Whonix operating system, connecting to internet servers and resources securely, and avoiding risky scenarios.
}}
= Introduction =
This chapter provides an inexhaustive list of behaviors that users SHOULD DO when strong anonymity is necessary.
== Definitions ==
The following concepts are crucial for all chapters. Therefore a definition is warranted. We define
* '''Identity''': the unique set of characteristics that can be used to identify a person and their unique physical body as themself and no one else
* '''Pseudonymity''': the near-anonymous state in which a person has a consistent identifier For example, an identifier could be a persistent name (pseudonym) or just a unique ID, saved in a (Flash) cookie. that is not their real name
* '''Anonymity''': the state of a person's identity being unknown to all other people than themself
* '''De-Anonymization''': the process or final state of revealing the true identity of a anonymous or pseudonymous person. All data linked to the anonymous or pseudonymous entity can then be connected to the true identity.
{{Anchor|I wonder what my site looks like when I'm anonymous}
= Anonymity Modes =
{{Anchor|Do not confuse Anonymity with Pseudonymity}}
== Study: Anonymity and Pseudonymity are not the same ==
This chapter explains the difference between pseudonymous connections and anonymous connections. Please read the [[#Definitions]] before you proceed. Note that defining terms is always a difficult process because a majority consensus is required:
* '''Pseudonymous connection''': A connection to a destination server, where it is not possible to discover the origin (IP address / location) of the request, but the request can be associated with an identifier . The more often an pseudonymous identifier is detected the easier this pseudonym is traced back to a real identity.
* '''Anonymous connection''': A connection to a destination server, where it is neither possible to discover the origin (IP address / location) of the request, nor to associate any identifier with it.
'''In an ideal world''', perfection would be achieved by the Tor network, Tor Browser, computer hardware, physical security, the underlying operating system, and so on. For example, in this utopia the user could fetch a news website, and neither the news website or the website's ISP would have any idea if the user had ever made contact before. Unfortunately, fingerprinting defenses (defenses against the browser being identified via different techniques) are not yet perfect in any browser and there are still open bugs. See [https://gitlab.torproject.org/search?group_id=268&scope=issues&search=linkability&state=opened tbb-linkability] and [https://gitlab.torproject.org/search?group_id=268&repository_ref=&scope=issues&search=fingerprinting&snippets=&state=opened tbb-fingerprinting].
'''In contrast, the imperfect scenario''' results when software is used incorrectly, like when stock Firefox is used over the Tor network instead of the "Tor-safe" Tor Browser. The unfortunate Firefox user still protects their original connection (IP address / location) from discovery, but an identifier (like cookies) can be used to make that connection pseudonymous. For example, the destination website could log "user with id 111222333444 viewed Video Title A at Time B on Date C and Video Title D at Time E at Date F." This information can be used for profiling, which over time becomes more comprehensive. The anonymity set is gradually reduced, and in the worst case leads to de-anonymization.
As soon as a user logs into a website with a username for activities like forum posting or webmail, the connection is by definition no longer anonymous, but pseudonymous. The origin of the connection (IP address / location) is still hidden, but the connection can be associated with an identifier ; in this case, an account name. Identifiers can be used to keep a log of various things: when a user wrote something, the date and time of login and logout, what a user wrote and to whom, the IP address used (useless if it is a Tor exit relay), the recorded browser fingerprint and so on.
'''The authors strongly recommend always preferring anonymity, not pseudonymity'''. But there are other opinions. Maxim Kammerer, developer of Liberté Linux
https://dee.su/liberte
, for example has disparate ideas on anonymity and pseudonymity which should not be withheld from the reader so you can form your own opinion:
broken link:
I have not seen a compelling argument for anonymity, as opposed to pseudonymity. Enlarging anonymity sets is something that Tor developers do in order to publish incremental papers and justify funding. Most users only need to be pseudonymous, where their location is hidden. Having a unique browser does not magically uncover user's location, if that user does not use that browser for non-pseudonymous activities. Having good browser header results on anonymity checkers equally does not mean much, because there are many ways to uncover more client details (e.g., via Javascript oddities).{{Anchor|Do not mix Modes of Anonymity}} == Keep Anonymity Modes separate == {{mbox | image = [[File:Ambox_warning_pn.svg.png|40px]] | text = '''Warning:''' You should keep anonymity modes separate! }} The four primary anonymity modes are outlined below. These "modes" are different behavior patterns that a user will consciously or unconsciously apply to his online activities. We highly recommend that you consciously keep those "modes" separate to only be identifiable when you need to and otherwise stay anonymous safely. === Mode 1: Anonymous User; Any Recipient === * Scenario: Posting messages anonymously in a message board, mailing list, comment field, forum and so on. * Scenario: Whistleblowers, activists, bloggers and similar users. * The user is anonymous. * The real IP address / location stays hidden. * Location privacy: The user's location remains secret. === Mode 2: User Knows Recipient; Both Use Tor === * Scenario: The sender and recipient know each other and both use Tor. * Communication occurs without any third party being aware of this activity or having knowledge that the sender and recipient are communicating with each other. * The user is not anonymous. Since they are known by the recipient. * The user's real IP address / location stays hidden. * Location privacy: The user's location remains secret. === Mode 3: User Non-anonymous and Using Tor; Any Recipient === * Scenario: Logging in with a real name into any service like webmail, Twitter, Facebook and others. * The user is obviously not anonymous. As soon as the real name is used for the account login, the website knows the user's identity. Tor can not provide anonymity in these circumstances. * The user's real IP address / location stays hidden. * Location privacy. The user's location remains secret. But this information can be easily ascertained via ISP records which link Internet service accounts with a registered name and address. Alternatively, this information is leaked by the real (clearnet) IP address that was originally used to register for the service in the first place, since Tor registration is regularly blocked. === Mode 4: User Non-anonymous; Any Recipient === * Scenario: Normal browsing without Tor. * The user is not anonymous. * The user's real IP address / location is revealed. * The user's location is revealed. === Conclusion === Based on the preceding information, the table below outlines '''behavior that should be avoided'''. '''Table:''' ''Dangerous Anonymity Mode Combinations'' {| class="wikitable" ! align="left" | Combination ! align="left" | Example |- class="odd" | align="left" | Anonymity modes 1 + 2 | align="left" | If the user has an instant messenger or email account and uses that via mode 1, it is inadvisable to use the same account for mode 2. The reason is the user is mixing absolute anonymity (mode 1) with selective anonymity (mode 2; since the recipient knows the user). |- class="even" | align="left" | Two or more modes inside the same Tor session | align="left" | Using an encrypted chat application over Tor and then posting in the {{project_name_long}} forum without rotating Tor circuits. If the modes share the same Tor exit relay, this could lead to identity correlation. |- class="odd" | align="left" | Two or more modes inside the same {{project_name_workstation_long}} | align="left" | Using the same {{project_name_workstation_short}} for encrypted email as well as posting to a Tor Project mailing list. If the workstation is compromised, this leads to identity correlation. |- class="even" | align="left" | Other combinations | align="left" | Combining other modes may also be dangerous and could lead to the leakage of personal information or the user's physical location. |} === License === License of "Do not Mix Anonymity Modes": = Good Habits for Identities, Personal and System Information = This chapter helps you identify unsafe behaviors and establish good habits for keeping your personal data and your real identity safe. {{Anchor|Don't disclose identifying data about yourself}} == Always Withhold your Identifying Data == De-anonymization can happen due to exposure of connections or IP addresses. But this threat can also result from social interactions online. A number of common sense recommendations to avoid de-anonymization suggested by [Anonymous] are listed below. Users '''SHOULD REFRAIN FROM''':
mike, am i completely anonymized if i log onto my facebook account? im using firefox 3.6 with tor and no script on windows 7 machine. thank you.{{Anchor|Don't log into Twitter, Facebook, Google, etc. longer than necessary}} == Always Log Out from Twitter, Facebook, Google etc. == The danger of third-party resources to privacy should not be underestimated: For instance, advanced adversaries are known to piggyback on third-party tracking cookies to de-anonymize Tor users and to identity targets for exploitation.
Every time a user’s browser is instructed to fetch a third-party resource, that third-party server is given the ability to deliver tracking scripts and associate the first-party website with the bearer of third-party cookies and browser fingerprints. This tracking of online behavior allows for the construction of increasingly detailed user profiles, including sensitive information such as a user’s political views and medical history.'''Therefore restrict the logged in time''' for Twitter, Facebook, Google and any other account-based services (like web forums) to the absolute minimum required. '''Immediately log out after reading, posting, blogging''' and other tasks are complete. Following log out, it is safest to '''then shut down Tor Browser, change the Tor circuit using a [[Tor Controller]], wait for 10 seconds''' until the circuit has changed and then restart Tor Browser. For better security follow the [[{{project_name_workstation_short}}_Security#VM_Snapshots|recommendations to use multiple VM Snapshots]] and/or [[Multiple Whonix-Workstation|use multiple {{project_name_workstation_short}}]]. This behavior is necessary because many websites include one or more of the many integration buttons, such as Facebook's "Like" button and Twitter's "Tweet This". Notably, Facebook also [https://en.wikipedia.org/wiki/Facebook_like_button#Criticism keeps records on everyone] who views a page with a Facebook like button. In fact, in the top 200,000 Alexa websites, Facebook and Twitter social widgets are included in around 47% and 24% of those, respectively. Google third-party web services are included in around 97% of the same sample, mainly comprising Google analytics, advertisements and CDN services (googleapis.com). https://www.securitee.org/files/trackblock_eurosp2017.pdf The top 15 third party services are: doubleclick.net, google.com, googlesyndication.com, googleapis.com, gstatic.com, admob.com, googleanalytics.com, googleusercontent.com, flurry.com, adobe.com, chartboost.com, unity3d.com, facebook.com, amazonaws.com and tapjoyads.com If a user is still logged into a service, those buttons tell the originating service that the website was visited. For example, Twitter's Tweet, Follow and embedded tweets are [https://www.eff.org/deeplinks/2017/05/new-twitter-policy-abandons-longstanding-privacy-pledge used to record browsing history]. When a page is visited containing one or more of these, the browser makes a request to Twitter servers which contains a header informing of the site visited. A unique cookie allows Twitter to build a profile of browsing history, even if the user is not a Twitter user (for example, when Tor Browser is not used). Users should also read the chapter [[Tips_on_Remaining_Anonymous#Always_separate_Non-Tor_and_Tor_Accounts|above]]. = System Settings = == Change Settings ONLY if the Consequences are KNOWN == It is usually safe to change user interface settings for applications which do not connect to the internet. For example, checking a box like "Don't show any more daily tips" or "Hide this menu bar" will have no effect on anonymity. '''However changing settings for applications which connect to the internet (even user interface settings) should be thoroughly reviewed'''. For example, removing a menu bar or maximizing the screen in Tor Browser is recommended against. The latter is known to modify the detectable screen size, which worsens the user's web fingerprint. '''Before changing any settings you are interested in, first read the {{project_name_short}} documentation'''. If the change is documented and recommended against, then try to persevere with the defaults. If the change is undocumented, then carefully research the proposed action before proceeding. Modification of network settings should only be undertaken with great care, and if the consequences are known. '''For example, users should avoid all advice pertaining to "Firefox Tuning"'''. If the settings are believed to be sub-optimal, then changes should be proposed upstream so they change for all Tor Browser users with the next release. For a comprehensive list of unsafe Tor Browser habits, see [[Tor_Browser#Unsafe_Tor_Browser_Habits|here]]. = Tor = {{Anchor|Prevent Tor over Tor scenarios}} {{Anchor|Prevent_Tor_over_Tor_Scenarios}} == Refrain from "Tor over Tor" Scenarios == * Generic description: When a machine or VM (workstation) is used, that is transparently proxied over Tor, it is possible to start a Tor session from the workstation as well as from the gateway that runs Tor, creating a "Tor over Tor" scenario. * Whonix specific description: [[Whonix-Gateway]]'s [[Stream_Isolation#Transparent_Proxy|transparent proxying]] is enabled by default for all of [[Whonix-Workstation]]'s traffic. When installing an application inside {{project_name_workstation_short}} that comes with its own internal Tor client, this might create a "Tor over Tor" scenario. '''Doing so produces undefined and potentially unsafe behavior.''' In theory, the user could get six hops instead of three in the Tor network. However, it is not guaranteed that the three additional hops received are different; the user could end up with the same hops, possibly in reverse or mixed order. The Tor Project opinion is that this is unsafe: https://support.torproject.org/#misc_misc-11
We don't want to encourage people to use paths longer than this — it increases load on the network without (as far as we can tell) providing any more security. Remember that the best way to attack Tor is to attack the endpoints and ignore the middle of the path. Also, using paths longer than 3 could harm anonymity, first because it makes "denial of security" attacks easier, and second because it could act as an identifier if only a few people do it ("Oh, there's that person who changed her path length again").Users can manually choose an entry or exit point in the Tor network, https://support.torproject.org/tbb/tbb-16/ but the best security relies on leaving the route (path) selection to Tor. Overriding the choice of Tor entry and/or Tor exit relays can degrade anonymity in ways that are not well understood. Therefore, Tor over Tor configurations are strongly discouraged. License of "Prevent Tor over Tor scenarios.": This was originally posted by adrelanos (proper) to the [https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorifyHOWTO#ToroverTor TorifyHOWTO] ([https://gitlab.torproject.org/legacy/trac/-/wikis/doc/LegalStuff license]). Adrelanos did not surrender any copyrights and can therefore re-use it here. It is under the same license as this DoNot page. Tor log message: https://forums.whonix.org/t/sys-whonix-tor-over-tor-warning-in-nyx/12886
Not attempting connection to [scrubbed]:80 because the network would reject it. Are you trying to send Tor traffic over Tor? This traffic can be harmful to the Tor network. If you really need it, try using a bridge as a workaround.Thanks to [[Dev/anon-ws-disable-stacked-tor]], this issue does not happen in {{project_name_short}} when running the following applications inside {{project_name_workstation_short}}: * [[Tor]] * [[Tor Browser]] To prevent this issue for the following applications: * [[OnionShare]]; * [[Bisq]]; * [https://forums.whonix.org/t/installing-haveno-in-whonix/20014 Haveno]; * other applications with Tor integration, the user needs to follow the documentation for these applications on how to disable the internal Tor of these applications. A simple way to avoid this risk of Tor over Tor when using custom installed applications with Tor integration is to [[Stream_Isolation#Disable_Transparent_Proxying|Disable Transparent Proxying]]. {{Anchor|Do use bridges if you think Tor usage is dangerous/suspicious in your country}} == Do Use Bridges if Tor is Deemed Dangerous or Suspicious in your Location == Sometimes it is recommended to use [[Bridges]] if you have the technical knowledge. This recommendation comes with an important caveat, since [[Bridges]] are not a perfect solution: [[Bridges#Before_Configuring_a_Bridge|Before Configuring a Bridge]]
Bridges are important tools that work in many cases but they are not an absolute protection against the technical progress an adversary might make in identifying Tor users. Using bridges might be advisable to prevent identification as a Tor user, but the Tor Project's [https://support.torproject.org/#censorship_censorship-7 bridges documentation] is primarily focused on censorship circumvention, that is, overcoming attempts by ISPs or government to block Tor use.{{Anchor|Don't alternate Tor with open WiFi}} == Always use Open Wi-Fi WITH Tor == Some users mistakenly think open Wi-Fi is a faster, safe "Tor alternative" since the IP address / location cannot be tied to their real name. For reasons explained below, it is better to use open Wi-Fi and Tor, but ''not'' open Wi-Fi or Tor. The approximate location of any IP address can be estimated to the city, region or even street level. Even if a user is away from their home address, '''open Wi-Fi still gives away the city or approximate location''' since most people do not switch continents. The person running the open Wi-Fi router and their policies are also unknown variables. They could be keeping logs of the user's MAC address and linking it with the activity being sent in the clear through them. While logging does not necessary break user anonymity, '''it does reduce the circle of suspects''' from the entire global population, a continent, or the country, down to a specific region. This effect strongly degrades anonymity. Users should always keep as much information as possible to themselves. {{Anchor|Do not use clearnet and Tor at the same time}} == Either use Clearnet OR Tor, not both == Using a non-Tor browser and Tor Browser at the same time runs the risk of confusing them at one point, and de-anonymizing yourself in the process. It is also risky to use clearnet and Tor at the same time because simultaneous, anonymous and non-anonymous server connections might be established. '''Concurrent clearnet and Tor (Browser) connections are recommended AGAINST for several reasons'''. First, the user can never be certain when an identical page is visited anonymously and non-anonymously at the same time. The reason is only the URL is visible, not how many resources are fetched in the background. Second, many different websites are hosted in the same cloud and services like [https://marketingplatform.google.com/about/analytics/ Google Analytics] are present on most websites. This leads to at least one [[The_World_Wide_Web_And_Your_Privacy#Data_Collection_Techniques|known data harvester]] seeing numerous anonymous and non-anonymous connections. If this advice is '''disregarded, then it is safer to utilize at least two different desktops''' to prevent confusing one browser with another. == What is Clearnet? == {{What_is_Clearnet}} = Rationale = The reader may skip this section. This page risks stating opinions and recommendations that are "obvious". But the question must be asked: '''"Obvious to whom?"'''. The above points may only be common sense to developers, hackers, geeks and other people with technological skills. The above-mentioned groups tend to lose contact with non-technical users. It is useful to sometimes read usability papers or the feedback from people who do not post on mailing lists or in forums. Consider the examples below: * [https://blog.torproject.org/toggle-or-not-toggle-end-torbutton To Toggle, or not to Toggle: The End of Torbutton]:
mike, am i completely anonymized if i log onto my facebook account? im using firefox 3.6 with tor and no script on windows 7 machine. thank you.* [https://lists.torproject.org/pipermail/tor-dev/2012-April/003472.html tor-dev First-time tails/tor user feedback] * [https://petsymposium.org/2012/papers/hotpets12-1-usability.pdf Eliminating Stop-Points in the Installation and Use of Anonymity Systems: a Usability Evaluation of the Tor Browser Bundle] * [https://www.bbc.co.uk/news/technology-20445632 North Korea: On the net in world's most secretive nation]:
In order to make sure the mobile phone frequencies are not being tracked, I would fill up a washbasin with water and put the lid of a rice cooker over my head while I made a phone call," said one interviewee, a 28-year-old man who left the country in November 2010.= Footnotes = {{reflist|close=1}} = Attribution = Appreciation is expressed to ''intrigeri'' and ''anonym'', who provided feedback and suggestions for this page on the Tails-dev mailing list. {{Footer}} [[Category:Documentation]]