The Critique Circle Blog

The CC Blog is written by members of our community.
Apr 18, 2016

On the Internet, who knows if you're a dog? -- by Megan Carney

Anonymity and the Internet is a tricky topic for writers because it can get highly technical. In most cases, if you're asking yourself if your character can be anonymous, the answer is 'it depends.' Whether or not your character (we'll call her Alice) can remain anonymous really depends on how badly her opponent wants her not to be. With that in mind, here are some real-world tools that people use to protect their privacy online, and what exactly those tools do.

Script blockers or ad blockers

Advertisers really, really, really want to know everything about you. And Alice. If Alice searches for whitening toothpaste on Amazon, they want to be able to show Alice ads for electric toothbrushes on an entirely different page. Or maybe show Alice ads for a drug for bipolar disorder if she's researched that condition. The methods advertisers use vary, but most use some combination of scripts that leave breadcrumbs in Alice's web browser. These breadcrumbs can be cookies, Flash objects, or other durable objects that survive reboots and browser shutdowns (unless Alice runs a program to clear these artifacts out).

Script blockers and ad blockers protect a user's privacy by interfering with the creation of these breadcrumbs. It's not a perfect system. It's a very weak form of anonymity, but it will prevent an advertiser (or a government looking at an advertiser's data) from connecting Alice's behavior on Facebook with her browsing activity on WebMD.

Virtual Private Network (VPN)

VPN is a term that gets thrown around a lot in fiction, kind of like 'firewall' does. All a VPN does is mask Alice's location from whatever site she's using. For instance, if Alice lives in Boston, uses a VPN server in Canada, and tries to log into Facebook, Facebook will think Alice is in Canada. To be precise, Alice's traffic is being routed from Boston, to the VPN server (in Canada), and then to Facebook. All Facebook knows is that Alice's login came from an IP address that belongs to a particular VPN service. Anyone eavesdropping would only see that Alice is talking to the VPN server or that a VPN server is talking to Facebook, not that Alice's connection went to Facebook.

Anonymity is a tricky concept in this case. To Facebook, Alice is not anonymous because she used her login. The person eavesdropping, on the other hand, doesn't know who Alice is immediately. But they can find out with a little bit of work. Legitimate VPNs will respond to court orders, just like any other business. (Shady VPNs won't respond to legal requests, but these network blocks tend to be blacklisted in multiple places and Alice would have difficulty accessing common services.)

VPNs are weak protection from nation-states who are willing to pursue Alice with legal means. Routing a connection through multiple VPNs will require multiple legal requests, which slows identification down, but still isn't great protection. In short, if Alice does something that attracts the attention of the government, the VPN doesn't help much.

VPNs are decent protection against lazy criminals who are passively monitoring traffic. Like on public Wi-Fi networks, where Alice can't trust all her neighbors. Highly motivated criminals are a different story. There are various side-channel attacks that take advantage of improper programming. For instance, an attacker might craft a malicious Flash object and disguise it as a game for Alice to play. In the background, the game could send Alice's real location to the attacker.

MAC (Media Access Control) address spoofing

Fiction talks a lot about IP addresses as a way of tracking users, but most laptops have a unique identifier that's much more reliable, if an attacker has access to local network data. Each network connection has a MAC address that was assigned by the manufacturer. The purpose of this address is benign. When a computer first appears on the network, the computer has no IP address. The computer must request one, and in order to avoid confusion the computer will use its MAC address as a unique identifier.

Why might Alice want to spoof her MAC address? Let's say Alice is a reporter who rotates between coffee shops. A motivated attacker (or nation-state) who knew where Alice's favorite coffee shops were could watch for her MAC address on the local network, tie those MAC addresses to IP addresses, and then connect what Alice researched on Tuesday night with what she researched on Wednesday morning, even if her IP address and location had changed.
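To make the coffee-shop scenario concrete, here is an added example (not part of the original post) that Alice could run over her own device's addresses: it checks whether a MAC is the manufacturer-assigned kind or a locally chosen one, and which addresses show up on more than one network. The network names and addresses are constructed; 00:00:5E:00:53 is a prefix reserved for documentation.

```python
import re

def parse_mac(text):
    """Normalize aa:bb:.., AA-BB-.. or aabb.ccdd.eeff notation to 6 raw bytes."""
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)

def classify(mac):
    """Read the two flag bits in the first byte of a MAC address."""
    if mac[0] & 0x01:
        return "multicast"              # group address, not a single device
    if mac[0] & 0x02:
        return "locally administered"   # chosen in software (spoofed or randomized)
    return "manufacturer-assigned"      # the durable identifier the post describes

def linkable_devices(sightings):
    """Return {mac: [networks]} for addresses seen on more than one network."""
    seen = {}
    for network, raw in sightings:
        seen.setdefault(parse_mac(raw), set()).add(network)
    return {mac.hex(":"): sorted(nets)
            for mac, nets in seen.items() if len(nets) > 1}

# Constructed sample: one laptop that keeps its built-in address on both days,
# and one that presents a different software-chosen address on each network.
SIGHTINGS = [
    ("cafe-tuesday",   "00:00:5E:00:53:2A"),
    ("cafe-wednesday", "00-00-5e-00-53-2a"),
    ("cafe-tuesday",   "da:a1:19:3c:55:01"),
    ("cafe-wednesday", "7e4b.209f.c310"),
]

if __name__ == "__main__":
    for network, raw in SIGHTINGS:
        print(network, raw, classify(parse_mac(raw)))
    print("seen on more than one network:", linkable_devices(SIGHTINGS))
```

Only the laptop that kept its built-in address appears in the result; the one that changed addresses between shops leaves nothing at this layer to connect Tuesday to Wednesday.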

Tor (The Onion Router)

Yes, it's an acronym. Yes, it's not capitalized. No, I don't know why. Anyway. We discussed earlier how VPNs were a weak form of protection against motivated attackers; Tor is one step beyond a VPN. The idea is to mix up Alice's traffic with Bob's traffic, and Eve's traffic, and a bunch of other users, and anyone listening in would find it difficult to single out Alice's traffic. Tor is better than a VPN (though some services will block Tor traffic, sadly), but has a couple of drawbacks.

For one, any eavesdropper will know that Alice is using Tor. Unfortunately, some law enforcement types consider the use of Tor to be a red flag in itself. But putting that aside, side-channel attacks are still a possibility with Tor, just as they are with a VPN.

The real problem

The real difficulty with Alice staying anonymous has nothing to do with technology. It’s very hard to be anonymous and useful at the same time. One person plotting by themselves can only do so much. A network of people plotting can do a lot more, but they need to communicate with each other. Develop trust by sharing information. Make plans. Buy materials. Conspirators need to be social, at least with the people who have things they need.

Being social leaves a trail that can be followed. Whether or not that trail is followed depends on how closely the conspirators are being watched, electronically or otherwise.

------------

My debut thriller, Sarina, Sweetheart, was a quarterfinalist in the Amazon Breakthrough Novel Award contest. Publishers Weekly describes it as "[a] narrative with a dark humor that complements its fast pace and high stakes."

You can find out more about me, my writing, photography, and geekery at megancarney.com. I also tweet as @SometimesAthena, though not as often as the social media gods say I should.

Posted by Megan Carney 18 Apr 2016 at 02:43

Responses to this blog

Demonqueen 18 Apr 2016 at 04:29  
I got a little confused at the beginning - thought you meant writers staying anonymous on the internet! (You know, cuz we is all shy), but this is a really helpful post! Bookmarked for future ref.


Spartucus 18 Apr 2016 at 17:23
A very thought provoking piece. If I ever try to write anything that involves any kind of tech this will be a useful reference to get the jargon right and to keep things as authentic as possible.

Pmartissm 18 Apr 2016 at 20:47
Anyone watched the CSI: Cyber TV series? This can get really scary with what is possible with smartphones, etc.

Imjustdru 18 Apr 2016 at 20:55
I have. It does make people think about all that stuff.


Member submitted content is © individual members.
Other material is ©2003-2017 critiquecircle.com