Can You Trust Anonymization Services?

Recently by James Black: Worried About Email Security?

Every Internet connection has a unique number – known as an Internet Protocol (IP) address – issued by an Internet service provider (ISP) and is almost always registered to a legal name, address, and Tax Identification Number.1

Every Internet domain also has a unique IP address.

The search engine, Google, for example, has the IP address of, and is located in Mountain View, California, with the latitude of 37.419 and longitude of -122.057.

An IP address is similar to a phone number – a series of unique numbers designed to establish a unique line of communication between persons. Similar to a phone number’s area code, an IP address discloses the geographical coordinates of ISP subscribers.

An Internet connection is established when one IP address connects to another IP address.

Not unlike a phone company, Internet service providers maintain a record of subscribers’ IP addresses – the date and time of connection, the IP addresses visited, the duration of the connection, and, if not encrypted, all the plain text communications transmitted between IP addresses.

An IP address, therefore, is a unique identifying number used to monitor, track, and log Internet connections. Every connection made and every website visited is logged by an Internet service provider and is uniquely registered to a subscriber of a service. By law, U.S. Internet service providers are required to retain data for twelve months, with some officials demanding even longer data retention.

Data retention is usually codified in law and may be defined as a system of data collection and management in private or government databases that is used to maintain electronic or paper records for a specified or unspecified period of time and may be local, national, or global in nature.

Data retention, however, is problematic for multitudinous reasons.

According to the Electronic Frontier Foundation:

Government mandated data retention impacts millions of ordinary users compromising online anonymity which is crucial for whistle-blowers, investigators, journalists, and those engaging in political speech. National data retention laws are invasive, costly, and damage the right to privacy and free expression. They compel ISPs and telcos to create large databases of information about who communicates with whom via Internet or phone, the duration of the exchange, and the users' location. These regimes require that your IP address be collected and retained for every step you make online. Privacy risks increase as these databases become vulnerable to theft and accidental disclosure.

Nevertheless, ISPs are not the only ones keeping records of IP addresses. Virtually all web servers – search engines, websites, and email services, for example – also retain records of visitors’ IP addresses, including information pertaining to users’ operating systems, web browsers, time zones, and communications transmitted in plain and encrypted texts, in addition to miscellaneous other data.

Over time, IP records accrue into digital dossiers.

Consequently, there is absolutely no privacy with Internet service providers.

Instead, users must utilize so called "anonymization services" to protect their privacy from Internet service providers.

Anonymization services are not replacements for Internet service providers, however. Rather, they are designed to work with existing Internet service providers.

This cannot be stressed enough.

Essentially, anonymization services redirect network traffic through remote servers. Not all anonymization services are equal in this regard, however. The best anonymization services establish an encrypted channel from a client’s computer to a remote server. Data is encrypted before it passes through the local Internet service provider, which renders the traffic unreadable to that ISP. Although an ISP can see that network traffic is flowing, it cannot read it, since it is scrambled with high-grade encryption.

With an encrypted anonymization service, for example, an ISP subscriber makes an encrypted connection to a remote server. This encrypted connection must pass through the Internet service provider. Data traffic passes through the ISP as scrambled data; the ISP can only see that a subscriber has made a secure connection to a remote server; it cannot monitor the data or the subsequent connections beyond this point.

After connecting to a remote server, users’ IP addresses are stripped and replaced with the IP address of the remote server. Upon exiting the remote server, the encrypted data is decrypted and transmitted in plain text to the web servers that users requested. Consequently, all users exit the remote server with the same IP address, which web servers cannot trace back to the real IP addresses of users, though some distinguishing information remains.

The more users that connect to the same remote server at the same time, the more anonymous each individual user remains. Nevertheless, because network traffic must be decrypted before exiting the remote server, the ISP of the remote server can monitor and record all of the network traffic leaving the server. However, since the ISP of the remote server cannot directly ascertain which user requested which IP address, the pooled traffic is difficult to attribute to individuals.

Although this system of anonymity may seem to provide strong privacy, users must exercise caution and judgment. A strong opponent (especially a government agency) can very easily monitor the size and timing of streamed data to ascertain which requests belong to which users. Moreover, in some instances a strong opponent may mount a man-in-the-middle attack, against which there is little recourse.

Although there are powerful countermeasures available to defeat a strong opponent, few anonymization services make this known to their subscribers.
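The following is an added illustration, not part of the original article, of the size-and-timing correlation just described and of the kind of countermeasure (fixed-size padding plus batched release) that blunts it. The users, destinations, byte counts, timings and the 4096-byte padding size are all constructed for the example.

```python
# Observer A sits at the local ISP and sees only encrypted, per-user flows:
# (user, start_time_seconds, bytes). Constructed sample data.
ENTRY_FLOWS = [
    ("alice", 0.00, 1450),
    ("bob",   0.05, 9800),
    ("carol", 0.10, 1450),  # same size as alice's flow, later in time
]

# Observer B sits at the exit server's ISP and sees decrypted flows that all
# carry the exit server's IP address: (destination, start_time_seconds, bytes).
EXIT_FLOWS = [
    ("news.example",  0.02, 1450),
    ("video.example", 0.07, 9800),
    ("forum.example", 0.12, 1450),
]

CELL = 4096  # constructed countermeasure: every flow is padded up to this size


def candidates(entry, exits, max_delay=0.05, size_tol=0):
    """Exit flows whose size and timing are consistent with one entry flow."""
    _user, t_in, size_in = entry
    return [dest for dest, t_out, size_out in exits
            if 0 <= t_out - t_in <= max_delay
            and abs(size_out - size_in) <= size_tol]


def correlate(entries, exits, max_delay=0.05):
    """Map each user to the set of destinations an observer who sees both
    sides could attribute to them. A singleton set means the user is exposed;
    the size of the set is the user's effective anonymity set."""
    return {user: set(candidates((user, t, s), exits, max_delay))
            for user, t, s in entries}


def pad_and_batch(flows, release_time):
    """Model of the countermeasure: pad each flow to CELL bytes and release
    the whole batch at one time, so size and timing no longer distinguish."""
    return [(label, release_time, CELL) for label, _t, _size in flows]


def anonymity_set_sizes(entries, exits):
    """Number of plausible destinations per user under the given observation."""
    return {user: len(dests) for user, dests in correlate(entries, exits).items()}


if __name__ == "__main__":
    print("unpadded:", anonymity_set_sizes(ENTRY_FLOWS, EXIT_FLOWS))
    padded_in = pad_and_batch(ENTRY_FLOWS, 0.00)
    padded_out = pad_and_batch(EXIT_FLOWS, 0.02)
    print("padded+batched:", anonymity_set_sizes(padded_in, padded_out))
```

With the raw flows every user maps to exactly one destination; after padding and batching each user maps to all three, which is the anonymity-set effect the article attributes to many users sharing one exit.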

Few people understand, however, that from a strict privacy perspective, most anonymization services, including Virtual Private Networks, differ little from traditional Internet service providers.

With a traditional Internet service provider, for example, all IP addresses and plain text communications, including unencrypted email, are visible. Most anonymization services add a thin layer of privacy by obfuscating IP addresses: a local ISP can see that a subscriber has connected to a remote server but cannot monitor or record anything beyond that point. Encryption services add more privacy by scrambling plain text data into ciphertext before it passes through a local ISP, but the general principle applies to both Internet service providers and anonymization services: in each instance, data communications and IP addresses are visible to the operator(s) of the service.

Because most anonymization services can monitor and record the network traffic of their subscribers, it is vitally important to choose reputable services with strong privacy policies – in particular, services with no data retention. However, since there is no manner to verify if a service logs network traffic – and for how long it may be retained or for what purpose – never trust an anonymization service prima facie. Instead, users should learn to adopt precautionary practices, including implementing a partition of trust, to better protect their anonymity on the Internet.

Special attention should be given to offshore privacy services organized and operated by privacy activists. Although privacy services operated by privacy activists may all appear relatively trustworthy, in most instances it is preferable to choose low-profile services. Avoid radical, outspoken organizations that attract the wrong type of attention, namely that of governments. Perhaps more importantly, never assume that all privacy services operated by privacy activists are legitimate; it is a well-established fact that government agencies and criminal hackers surreptitiously operate many anonymization services.

While commercial anonymization services are very often superior to free services, avoid commercial services whose principal interest is pecuniary. Profit-driven anonymization services tend to be pusillanimous and oftentimes act as unofficial agents of the State. In addition, avoid commercial services that do not offer anonymous payment methods, including cash, money orders, and digital currencies.

Never trust an anonymization service. Demand evidence. Some anonymization services claim that their servers are more secure or more anonymous than those of other services because they are hidden and hard to locate. These so-called "Location Agnostic Servers" may appear to be more secure but are essentially marketing hype, oftentimes masking a weak service with a small network of servers. The argument that "Location Agnostic Servers" enhance privacy and anonymity may be true, but there is no concrete evidence to support it. There is absolutely no reason to trust any organization, without evidence, no matter how reputable it may seem.

1 For exceptions, read The Privacy Book.