On Episode 8 of The Edge of Innovation, we talk about how digital footprints make finding a killer almost too easy.
Tag: anonymous
Anonymity is an Illusion
On Episode 7 of The Edge of Innovation, we continue our conversation on what it means to be anonymous, and look at why it is not possible.
Transcript
Sections
Phones as Proof of Identity
Browsers to Use for Anonymity
What is a Right?
Introduction
Paul: This is the Edge of Innovation, Hacking the Future of Business. I’m your host, Paul Parisi.
Jacob: And I’m Jacob Young.
Paul: On the Edge of Innovation, we talk about the intersection of between technology and business, what’s going on in technology and what’s possible for business.
Phones as Proof of Identity
Paul: So, again, we’re trying to talk about anonymity. So, I have pondered, “Okay, how do you become anonymous?”
Jacob: Sure.
Paul: Alright. One of the things that has been a prerequisite is to have a phone nowadays. You have to have a phone in order to receive a text message or a phone call, which is proof of who you are, a validation of who you are. Well, there’s unfortunately, a huge loophole out here, where you can go to Wal-Mart and buy a phone. And if you buy it with cash, there is no record of you buying that phone.
Jacob: Right. That phone’s not connected by Visa’s data to Paul Parisi.
Paul: Right. I have to usually buy a card to charge it, or something like that. You know, a SIM card with 100 minutes on it or something. But now I have that. Now, there could have been a surveillance camera that caught me purchasing something at Wal-Mart at that time. The thing that’s unknown to me, which I don’t believe is the case is I do not believe Wal-Mart or your local neighborhood convenience store says that at, you know, at 9:45PM somebody bought a prepaid cell phone. But if they did, of this serial number. Okay? I don’t think they’re registering that. They would be wise to, because then, when I go and make that, you know, that bomb threat with that call, there’s things called an IMEI number, and different codes that are recognized by the cell system, that can tell what phone made that. And it’s physically in the phone.
So, I could say, “Oh, my gosh. You know we have this phone out there that people, this person is calling and threatening a bomb threat.”
Jacob: Sure.
Paul: Hmm. We want to do something about it. We want to catch this guy. So, if the IMEI number is registered to that serial number, and we could find out that it was bought at 9:45 at Wal-Mart on the 15th, we could look at the camera footage and see that, “Gee, it was a guy that was six feet tall with black hair and glasses.” And oh, my gosh, when we find this guy in the lineup, it looks just like him. It looks just like me.
The other thing that happens when you use a cellphone is they know where you are. They know from both GPS and also from cell tower use, so which cell tower you’re near. So, if you go and buy one of these prepay phones, and you use it from your house, they are going to know that somebody is using this phone from that house.
So, okay. So, we go out and we buy the phone. And we go somewhere, I guess, near our house. You know, within 10 miles or something.
Jacob: You just stand in your neighbor’s front yard.
Paul: Yeah. You go and stand in your neighbor’s front yard, and we go to Google, and we want to register for an account.
Okay. So, let’s… We go to the local McDonald’s. We have this phone. We are using their Wi-Fi, which is free. We don’t have a proxy server. We don’t have anything yet. We just have a computer.
So, now, we need to do some things to secure our computer. We need to go and change, which is, what is called the MAC address. The Media, Access Control Address. And that is the serial number of the network card in your machine. It’s relatively easy to change.
You can override it in the software, so if you figure that out, you go with your laptop and you change the MAC address. You also download a browser that allows no tracking whatsoever. You might even run an OS that allows no tracking whatsoever.
You go to Google.com, and you want to sign up for a new address.
Browsers to Use for Anonymity
Jacob: Right. Now, would TOR or something like that be one of those browsers that does not allow for…
Paul: It would. Google doesn’t like tor. And if you use Chrome, Chrome is engineered to give Google as much information as possible. So, don’t use Chrome.
Jacob: Right.
Paul: You could use private mode in Internet Explorer, private mode in Opera, or private mode in Firefox. And they’re relatively good. If you want to be extremely careful, use something called Tails, which is an operating system and browser environment that allows you to boot on an ISO.
There have been rumors that the FBI tracks everybody who downloads Tails. I find that difficult to believe, but okay. Let’s say they do.
So, I go to my McDonald’s. I change my MAC address so that my machine can’t be tracked. And I go to a browser that doesn’t share the fonts I have and all the different things that could be used to fingerprint me.
And I have my trusty little phone there. I go to Google, and I… I… You could try and use a proxy server if you happen to have one, but again, we’ve just been born. We don’t exist.
If you use a proxy server, Google will say, “I’m sorry. You can’t access us that through this proxy server.”
So, anyway. So, I have my phone sitting there. I go to Google and I sign up, and I say, “I want a new email address.” Anonymous@google.com, let’s say.
It says, “Well, in order to validate you, you have to give us a phone number.” Well, where do I get a phone number? Well, I have a phone number.
Jacob: You just bought one, right?
Paul: I just bought one. And so now, I have gotten around the chief way in which they validate that you’re real.
Jacob: Right.
Paul Now, we need to assume that Google has a fingerprint of me from that browser, from whatever it could get. And a browser that’s clean is as much as a fingerprint as a browser that has all the different fonts and all those things in it.
So, we go to the next step. We say, “Gee, I want an account at wherever it might be- Amazon or whatever. And I can do this by buying gift cards. So, I can go out and buy gift cards with cash, and now I am relatively anonymous on the web.
Now, I need to be very careful because I don’t want to log in with that Google acct at my home or with a different browser.
Jacob: Which means you probably need to turn the computer off in a sufficiently dead way, where it’s not going to like occasionally ping.
Paul: Yeah. That’s not as much as the concern. The concern is doing something humanly stupid, where you just forget you’re not connected, but you’re connected, and you use that browser and it opens, and it goes back to your Google page and automatically logs you in, like it does. Because if you drive around with your phone, I mean, with your computer, and you use it, use it in New York City, fly to London, and open your browser up, you’re still logged in to Google.
Jacob: Right.
Paul: But they know you’re in London and in New York. You were in New York, and now you’re in London. So, the fact of the matter is you have a legitimate, you’re a legitimate brand new user on the internet. You’ve validated yourself through this phone. Now what could the authorities get on you?
Well, there was a phone that was used at this McDonald’s, because they know that both from the cell phone tracking, from the GPS location, potentially in the cell phone. They know that from the McDonald’s Wi-Fi logs. They can look at your MAC address and see, “Okay. Is was a MAC address.” They could go back, and if they knew it was a Dell MAC address, they could say who owns, who did you sell that MAC address to, that computer with that network card that had that MAC address to?
But since we’ve changed it now, they can’t go to Dell and… You know, they could go to Dell and they say, “We never issued that MAC address.” Again, this would be a lot of work. But, you know, detectives would have to do it.
Jacob: Well, just the idea of having to go through all of the work of getting this stuff set up and then like, for example, buying stuff on Amazon anonymously, having to go get the gift cards. I mean, it just sounds like you’re committing.
Paul: Yeah. It’s definitely work. Now, the problem with buying something on Amazon is you need to have it delivered.
Jacob: Right.
Paul: So, unless it’s a digital good, you need I have it delivered somewhere.
Jacob: Now if it were a digital good, would they be able to track like, oh, there’s a code. You downloaded this Beatles album, and now you’ve got it playing on this computer.
Paul: Early in the iTunes days, there was rumors, I don’t know if it was true but when they switched from proprietary to mp3, when you could download mp3 that you could effectively give to somebody else, that your name was in the meta data. I don’t know if that was ever the case. And I don’t know that about Amazon, actually. That’s a great question to really look at that and see if it is.
Now, the name isn’t going to be sitting there, Paul Parisi. It’s going to be some big hash on the name. But you could go in and potentially strip those out. But if I were doing it, I would make it so you couldn’t strip it out and it would be part of the data in the file.
So, I don’t know. That’s a great question. It’s plausible.
Jacob: Yeah.
Paul: To your point. So, you could buy something, and you put it on a server. And so you buy it as new person, and then you go and put it up on a server as yourself. You know, as your real self. If Amazon could track that and say, “Well, you just stole that. You just bought it, and now you’re giving it away. Where did you, your real Jacob, get that from?
Well, I downloaded it illegally somewhere else? Or a bought it as my anonymous self? So, that could be a problem in that sort of payload, using a payload to track who you are.
It is difficult with these prepaid phones. That is the biggest loophole for becoming anonymous. Or it’s the biggest opportunity for becoming anonymous.
There are also, you know, there are phone apps that will, that will, as a service, allow you to make a phone call through this app, that they promise is anonymous.
Jacob: Sure.
Paul: Well, that’s okay. But you’re trusting them. And they must have some logs or something. Maybe they don’t, you know, but there’s all these different services out there that do that. And they make it very easy to do it. So, it could be that it is anonymous, or it might not be. So, some of the proxy servers, for example, this is a great example.
You buy a proxy server service. If it’s an American company, they have to keep logs of who used the proxy service. So, I know that Jacob bought it, and I know that he used it at 9:45PM, and he went to this weapons website, and he bought, you know, five nuclear missiles. And that’s illegal. Well, all the US does, government does, is go to that and say, “Let me see the logs,” and we can now correlate that and see that it was Jacob.
So, if I used overseas proxy services, companies that are overseas, they have different log keeping. And there are several companies that don’t keep any logs.
So, the issue is, is even… American companies can do that. They can say, “We don’t keep logs.” So, if you don’t have them, there’s nothing to produce.
What is a Right?
Jacob: Right. This seems to kind of touch on the issue of, you know, is the internet inherent… Does it have to be inherently anonymous? Or is an inherent right that then has to be protected by free speech or something like that? Because if we’re a country will legislate that sort of thing, I strikes me as getting to that sort of dynamic.
Paul: You know, I don’t know, personally, what is a right? You know, what…? We have personal agency in our actions. And there are certain things that our society has deemed to be inappropriate. Going into a building and yelling, “Fire” whether you’re anonymous or not is wrong. Most people will say that it’s wrong. I mean, you should be aware that there, there is this whole postmodern philosophy that permeates our culture, and the example I give will be absurd. But we are moving quickly towards this level of absurdity, that if you want to say, “There is a fire,” you should be able to say, “There is a fire.” You don’t even need to believe it. You just, you should be have that right to express yourself.
And the postmodern philosophy says that whatever you think is whatever you think, and it’s good. And we can do this, or we can do this. And whatever circumstance, we define what is right in that circumstance. That is the fundamental sort of tenet of postmodern philosophy. And most of what you see in society is based on that. And America right now is at a crossroads where you can’t tell anybody that something is wrong, down to the point of some, you know, early childhood education things, where it’s okay for a kid to believe two plus two is five.
Jacob: Right.
Paul: I know that sounds absurd, but there are people that want to, you know, it’s better to encourage and empower the child, rather than say, “No, there are rules and facts.” So… Having said that, you know, your question is, is should it be anonymous, or should it be, should we have control over what we say and do.
And really, what you’re asking isn’t should we have control over what we say and what we do and what the government observes, because we already have control over that. We don’t need to do the wrong thing or the right thing. And we need to be responsible. See… And that’s really the gist here is who is responsible. And the ration, rationale of thinking that well, the government shouldn’t be able to watch me doing things that are irresponsible and hold me accountable to them.
Well, okay. But if you are being a responsible individual in a society, you should take that on yourself. And I think that’s really the crux of the issue. So, you know, we’re talking about, you know, I’ve given you a way to do things that you shouldn’t do.
Jacob: Yeah.
Paul: But you should be a conscious active participant in society, and it shouldn’t be a problem. You shouldn’t do those things, because it’s not best for you. It’s not best for you to go into a school and say there’s a fire.
Jacob: Right.
Paul: But you know, “I want free speech.” Well, that doesn’t extend to that, because it’s not reasonable.
Jacob: So, is anonymity on the internet, is that an act of free speech then?
Paul: I don’t think so. You know, you could be a dissident in, in a country that is being, that is suppressing your, your views on society. So, you want to say that this country, this government is wrong. Think of North Korea. Somebody wants to say something. Well, anonymity would help that person.
Now, they’re in a highly controlled state, so for us to come over from the outside, to say, “Oh, you need to allow anonymity,” well, the government in Korea, North Korea is going to say, “That’s crazy. Why would we do that? We don’t want the results of that.”
So, you know, you have some semblances in America of anonymity. You know, you can go to a chat board and sign in and say something. If you say something that’s illegal and inflammatory, you, you probably will find that you don’t have the anonymity that you thought you did. If you use this technique I’ve told you about, yeah, you could do that, you know.
So, you know, I think the thing really focuses on personal responsibility. I mean, free speech is a privilege, I think, not a right, because you have to use some judgement when you exercise free speech. Now, you know, in America, we have people on all sides of different political persuasions, and sociological persuasions, and they can say things that are deeply offensive to another persuasion. And that is protected. But it isn’t protected to go into a room and say there is a fire.
Jacob: Right.
Paul: So, there is a reasonableness there. And there is almost a pride in America in that ability of somebody to say something offensive. And I think we need to protect that, because at some point, somebody is going to say something that’s offensive to you. And if you had the ability to punitively punish them, that would not be a free and open society.
Jacob: Sure.
Paul: So, you’re saying, how does that translate to the internet and how does the internet do that. And I don’t think… I mean, again, there’s a semblance of anonymity because of the technology. You know, if you, 200 years ago, if you wrote a note and posted it to a wall or a door and nobody could identify your handwriting, maybe you pieced it together out of magazines, they couldn’t figure out who you were. It was just not possible.
Now, they might go and dig through the trash and find out that you cut all the letters out of the magazine in your trash, they might be able to say, you know… But it wasn’t simple. It’s not simple now, but it wasn’t, I couldn’t comprehend that it was simple then.
So, I don’t know if that answers your question.
Jacob: No. I mean, I guess in some ways as we’re talking about this, I am beginning to think about how, you know, it’s funny. I, you know, I love my wife dearly, but if she sits next to me, I get, while I might be, you know, looking at Facebook or something like that, I, I feel like, “Why are you watching over my shoulder?” Like there’s kind of like a you’re watching over my shoulder. This is slightly annoying. There is a sense in which some of those aspects of being able to fingerprint and the anonymity rubs us the wrong way. But I’m not… I guess I’m just curious, is there something to be concerned about with, you know, the way in which we are fingerprinted and should we be more cautious about those things. Or is it just kind of a part of, you know, this is just the way the world is, and get used to it.
Paul: Well, I think it is the world, the way the world is. So, tough. If you want the use the services, you ultimately control what you do. That’s really the personal responsibility. You can reduce your fingerprint to nothing.
Jacob: Right.
Paul: Don’t use Facebook. Don’t do this. But you make a value judgement every time you use it. The value outweighs the, the personal information I’m giving away. And you know, so, I don’t know what people are worried about. You know, because, you know, let’s, you know, if I were interested in basketball, and the government outlawed basketball and was going to send jack-booted thugs to go around and kill everybody that was interested in basketball. And the people were behind it, that’s a pretty absurd statement. I mean, you know, you could talk about, you know, polarizing ideas, such as pro-life or pro-choice. So, one of those becomes, you know, completely unacceptable and they send out thugs to kill the people that believe it. That’s a little absurd, you know, for a… But it isn’t absurd given our history of the 20th century of what’s happened, you know, in Nazi Germany, you know. Just by being a certain race, you could be killed, you know.
So, the technology allows the government to identify those people, you know, and is it ever going to happen again? Gosh, I hope not. But it has happened. It’s, it’s weird because we could be theorizing about this. But what happened is, is it actually… You know, if you were sympathizer to a, a Jew in, in Nazi Germany, you could be killed.
Jacob: Right.
Paul: Wow. So, you know, let’s extrapolate that our silly thing, if I liked basketball, and they put basketball on my Verizon cable, and everybody who watches it gets a visit by the jack-booted thugs, that’s absurd. But it happened.
Jacob: Yeah, yeah.
Paul: You know, the more polarizing thing, really, actually a more absurd thing, you know. I mean, you know, you could say, “I like, you know, b-science fiction movies,” you know. And, you know, they’re really bad. Well, this obviously you have no judgement and don’t deserve to live. You know, that would be more reasonable than what’s actually happened.
So I don’t know. Again, we all have the option to opt out. You know, so you can just choose to not participate. That is the ultimate in privacy, the ultimate in anonymity. You know, use cash for all your transactions. But, you know, I don’t think you’re going to go home tonight and say I’m giving up all my technology.
Also published on Medium.
Anonymity – Part 1
On Episode 6 of The Edge of Innovation, we are going to be talking about what it means to be anonymous without an identity in the digital age. Paul is going to be helping us think through what that means and what it is.
Transcript
Sections
Introduction: What does it mean to be anonymous?
Identification by payment method
Anonymity in the past vs. now
Cell phones and normal behavior
Browsing and IP proxies: Peeling back the onion
Fingerprinting your profile
Introduction
Paul: This is the Edge of Innovation, Hacking the Future of Business. I’m your host, Paul Parisi.
Jacob: And I’m Jacob Young.
Paul: On the Edge of Innovation, we talk about the intersection of between technology and business, what’s going on in technology and what’s possible for business.
Introduction: What does it mean to be anonymous?
Jacob: Paul, can you talk us through what does it mean to be anonymous today?
Paul: Sure. If we look at the definition – I didn’t look it up before this – but it has different meanings to different people. It’s similar in the way that somebody says, “Well, I want a secure server.” Or “I want a secure system.” Or “I want my stuff to be secure.” It’s like, well what do you mean by that?
Because security has a different meaning to everybody as well. There’s towns in America that feel that they’re secure, and they leave their doors open. They don’t even have locks on them. So, they’re secure. The… So, it’s really a perception.
Identification by payment method
So, anonymous… Again, what does that mean? And if we take it to the extreme, that somebody doesn’t know who I am, and can’t figure that out, that may be true anonymity. So, for example, if you take a dollar bill, and you go to a store, and you buy something, forget about any technology around that, you’re anonymous. There is really no way to know that you had that dollar bill with that serial number on it. It does have a serial number, which is interesting. Why does it have a serial number and they’re unique? It implies some scarcity from the government.
So, if you walk into a convenience store and take a dollar out and pay for a candy bar, there is no way, through that dollar, to track who you are. Very differently than if you take a credit card out and you buy a candy bar. Now all of a sudden, I have… I know exactly who you are. Certainly the credit card company does – Visa, American Express. They know that you were there at that day. They may even know the time. They don’t really know what you bought, but you were there.
If there was a robbery around on that day, one of the things that we could do is if we had an electronic payments and that’s all we accepted… Somebody came in… Well, the robber probably wouldn’t have used a credit card.
So, let’s just think about this. How do you get anonymity? So, let’s take it this way. You go to the bank. And you ask for a dollar out of the ATM and the bank carefully scans the number of that dollar and says, “I am giving that to Jacob.” And it has a photograph of you, so it does a face identification of you, and it knows that Jacob has that dollar.
You then go to the grocery store or the convenience store, and you spend that dollar. And while they don’t take your name, they scan that dollar as it does into the cash register, and they get the serial number of that. And they know that you bought a Milky Way bar. So, somebody with the wherewithal could hack the bank, or the bank could freely give it up, or the government could demand it. “We want all the money that you gave out and all the serial numbers and who you gave them to.”
And then they could go to all the stores and say, “We want all of the money that you got in and what they bought with it.”
So, now this is a little bit of a silly example, but the fact of the matter is that I could track the fact that Jacob got a dollar at one o’clock from an ATM and then went to a store within a 10 minute time period, so it’s feasible – he didn’t go to Los Angeles from Boston and spend the money – and spent that dollar with that serial number. And I could subpoena from the store the fact that what did he buy. And he bought a Milky Way bar. Now there is a problem there in that you could claim that you gave the dollar away.
Jacob: Sure. You could do that. Yeah.
Paul: Okay. So, now thankfully, as of right now… Honestly, I don’t know. It is a very good question. Do ATMs record the serial numbers of bills that they give out to people? Why wouldn’t they? Because it’s an inventory problem, they would certainly want to know it. And it’s trivial to do that. And then, now the stores certainly don’t. You don’t see them scanning a dollar bill in that way. They just put it in the drawer.
But the fact of the matter is, if I give you that, I could have some stickiness to that information and identify who got that dollar bill. So, let’s say you got the dollar bill at 1PM and you gave it to Mr. Bad Guy at 2PM, and he went into the store and bought bullets with it and committed a crime with that. Or bought a gun, let’s say. Well, something that isn’t tracked, but… So, he brought, let’s say, lighter fluid, because he wanted to light a fire, do something bad. And he bought that.
If we track those serial numbers, it would come back to you. So, that’s the problem with tracking currency.
Anonymity in the past vs. now
Now, Bitcoin makes it easy to track. And, 25 years ago, before the internet, before Mr. Gore did the wonderful work he did for us in creating the internet, you would… Kids, when I grew up, we’d go out to play after school. We’d get home from school, and then we’d go out to play, and our parents really had no clue where we were, and they had no way to reach us. We were smart enough, we’d learned, that we needed to be home for dinner. We would be home for dinner. And usually we were within earshot of highly developed lungs of our mothers.
But nowadays… And we were completely anonymous at that point. We didn’t have an ID.
Jacob: You mean, apart from a social security.
Paul: Yeah, well sure. But you didn’t carry that around with you. So, if somebody were to see me, they might be able to identify me as a child and say, “Oh that was Paul, who was over there painting that graffiti.” But if they didn’t get a good glimpse of me, there’s really no way to know where I am.
Cell phones and normal behavior
Now let’s introduce a cell phone. Cell phone companies know exactly where we are, every single minute of every day. So… Or more so, they know where your cell phone is every single moment of every day. I’m sitting here with an iPad next to me that is on T-Mobile. T-Mobile knows where that iPad is. So, just that ripple of interjection there changes the concept of anonymity hugely. I mean, there is nothing called anonymity unless people close their eyes to the data.
So, the data gets produced and recorded in perpetuity and we can go back and correlate all that data, if we have access to it. Law enforcement can usually get a…
Jacob: They can subpoena that information.
Paul: Right. They can get legal access to it. Now there are people like me and others who have the technical ability to do it but don’t have the legal ability to do it. Because I don’t think a judge would give me a warrant to search your data.
Now, but if I were a criminal or willing to do something illegal, what’s preventing me from correlating all of that information? Well, first of all, it’s a lot of work. And it’s got to be worth it. But if it’s worth it, I could go and find out where you used your credit cards. I could go and find out.
Jacob: Create a profile of somebody from that information that’s available.
Paul: Yeah. Or just…and do all sorts of things, and really track what you’re doing. Now, you could sit there and claim, “Well, somebody else had my credit card that day and used it.” Okay. But, hopefully if we look at a wide enough view of things, that’s going to be saying… So, you haven’t had control of your credit card for the last six months.
And you look at people’s behaviors and they are very normal. There are very few outliers. You don’t usually do something that’s…
Jacob: Irrational.
Paul: Yeah, well, or just outside…an outlier, outside of your norm. I’d look at it, when I’m traveling and I’m in an airport, I go to this restaurant or this or… It would be interesting to draw that profile, that person. And somebody could look at that and say, “Hmm. Paul isn’t behaving as he normally does when he travels.”
Jacob: Right. Doesn’t this relate to… We’ve talked previously about the whole concept of Big Data.
Paul: Absolutely. Yeah, this is Big Data. I mean, Big Data is all of these little observances that can be correlated together. So, we started out asking what is anonymity. And I’ve spent a lot of time trying to figure out how could somebody become anonymous.
Browsing and IP proxies: Peeling back the onion
So, let’s imagine you want to browse the internet anonymously. Well, you have a problem in that more than likely you have internet service. And that internet service comes with an IP address. So, when you sign up for Comcast or Verizon Fios or any of the different internet providers, you get an IP address that is assigned to your modem or router. Now, that may change. But they log all of that. So, they know that on Tuesday June 19th, you had IP address 167.50.12.14.
And you can actually…I’ve been part of a subpoena where we subpoenaed those kind of things. We wanted to know… And there was legal precedent to do it. So, we said, give us all the IP addresses this house had over this period of time. And we got that list. And that was a couple of years ago. In other words… So it wasn’t like I was asking for last week’s information. I was asking for a couple of years ago information.
So, now all of a sudden, I can go to websites that you might have gone to. Let’s say it was a bad political website that seems reasonable to be concerned about. We’re sort of dismissing free speech here at the moment. So, I go there, and I look at their logs. I ask them for their logs or I hack them and get them. And I look for that IP address. And I look at the date you had it. You had it on June 19th, and I see that that IP address accessed it on this date.
So, that’s, like, the hardest way to do it. Now, what’s interesting is that Verizon, Comcast can easily keep a list of every website you connect to. So, they could see… There is nothing preventing them from keeping that information and say, “Oh, every day, at six o’clock, Jacob comes home and opens up ESPN,” because they know. So, really what they could say is somebody in Jacob’s household, using his internet, is browsing ESPN at this time.
Now, if it was how to buy illegal weapons or child pornography, that might be a thing where I can say, “Well that’s not good. We need to go and do something about that as a society and intervene.” So, then you say, “Well, how do I prevent that? How do I actually go out and not allow the organizations to see what I’m doing?”
And there’s these things called proxy servers. So, a proxy server is a server that browses on your behalf. So, you would open up a web browser and configure your computer so that all of your traffic, although it goes out this pipeline to Verizon – let’s use Verizon as the example – that information will go to Verizon and go out to the internet.
So you set up a virtual connection now that all the traffic that you have is going to go to this IP address that may be in Canada, may be in Europe, who knows where. And then it is going to go and browse on your behalf.
Jacob: So this virtual connection, this IP address, um, is that like an actual computer effectively?
Paul: Yeah. There is. There are computers that are called proxy servers.
Jacob: Oh, okay. So, it has its own operating system, and you’re basically like a hand in a puppet.
Paul:Yes. Very good example, yeah, or analogy. So you now, when you browse into ESPN.com, they see you coming from that IP address.
Jacob: I see.
Paul: Not from your Verizon IP address.
Jacob: I see.
Paul: Now, Verizon, all Verizon knows is that you are connecting to this proxy server.
Jacob: Okay.
Paul: Or to this IP address is Europe somewhere. So, you have traffic flowing there. It’s encrypted, so they can’t detect what’s in there. So it’s a literally sort of like a stream of water that is in a armored pipe that is going between your computer and this computer in Europe. So, then, so ESPN then sees you coming now as this European IP address.
Jacob: Interesting.
Paul: And that can be a problem, because they may say, “Well, we don’t serve this information to Europeans.”
Jacob: Right.
Paul: Or the other way around.
Jacob: I see that on YouTube. There will be occasionally videos that I want to watch that are recommended by a friend, go to see them, and you’re licensing doesn’t allow you to see it in the United States.
Paul: Right. A lot of people have for being able to view US Netflix, have been using proxy servers to get a, in Europe, to get a US IP address.
Jacob:Oh, yes. I’ve heard of that. Right. Yeah, I’ve heard of that, where they’ve got, I guess more selection with the US Netflix as opposed to their country.
Paul: Yeah. Downton Abbey was a good example. People in the US had to wait six months to watch Downton Abbey. If you bought Netflix in America and basically logged in via a proxy server in Europe, you would be able to see the Downton Abbey on Netflix in Europe.
Jacob: Oh, interesting.
Paul: Or whatever, you know, PBS or whatever. Or on the BBC itself. But if you browse through the BBC website and try to watch something from America, it will say, “Sorry. You’re outside of our coverage.”
Jacob: Interesting.
Paul: So you could do that now. They’ve all started to get more savvy at this, and they actually are seeing, well wait a minute. We got a lot of traffic coming from this one IP address. That probably is a proxy, because a lot of people are trying to go through it. So, in the proxy, people are fighting that. But we’re talking about how to be anonymous.
Jacob: Right.
Paul: So, a proxy server can help you be anonymous, and it is one way to do it. And there’s also this thing called the onion router, or the TOR network.
Jacob: Yeah. I’ve seen you list some articles along those lines.
Paul: And basically, what it is, is it’s a web of servers that pass your information around to multiple nodes so that it is difficult to unscramble all of that. So, rather than sending it to a proxy server, I send it to a TOR node that’s near me. It sends it to another TOR node to another one to another one to another one to another one to another one to another one, and then it finally goes out to the destination.
Jacob:Oh, interesting. So it’s not like… It’s not breaking up one point of information into six points and then to your destination. It’s just rerouting it six or seven times before it gets there.
Fingerprinting your profile
Paul: Yes. Exactly. Yeah, like onions, it’s different layers, peeling back an onion. And so, that can be helpful. The problem is that there’s things that go on… So, for example, here’s the problem. If you want ESPN to… You don’t want ESPN to know who you are, so you go and get a proxy server. And you use the proxy server and you go to ESPN, and you do that religiously.
One day, you forget to turn on your proxy server, and you go to ESPN. Well, if ESPN is smart, and they could be. I don’t know if they care. But let’s say if we were really smart and clever here, they’re not just tracking you by your IP address. They’re fingerprinting you. And fingerprinting goes down to the level of what browser you’re using, what fonts you have installed, what version of your operating system, on and on and on. And all of those attributes give you a fingerprint.
So now, I can take that fingerprint, and I can see wherever it comes in. I see it coming in off of this, this IP address in Europe. Okay. That’s our friend’s, whatever, we’ll call him George, just as an anonymous name. We don’t know who it is.
Now all of a sudden, I get a hit from you coming in with that same fingerprint, same browser, everything, uh, from a Verizon acct in Massachusetts.
Jacob: Interesting. Yeah. Yeah.
Paul: Okay. So, now. Alright, that’s no big deal. So, they’ve got one hit from Massachusetts and 100 hits from Europe.
Jacob: Right.
Paul: But now if some of those sites start to share information and Amazon, let’s say, they have that same fingerprint. And Google has that same fingerprint. And ABC.com has that same fingerprint. They can now start to say, “Hey, do you have anything for this fingerprint?” And they can correlate that.
Jacob: Interesting.
Paul: And know that gee, Google says, “Yeah, I know it’s Jacob, because he’s logged in.”
Jacob: Right.
Paul: Or it’s somebody using Jacob’s computer.
Jacob: Right.
Paul: And he’s logged in, so I know who Jacob is, or Amazon is even better, because you’ve given a credit card and you’ve had years of activity with them, and they know you from this IP address and this fingerprint. So, uh, you have all that information, and we can correlate it and say, “Well, he’s trying to be anonymous here, but because of his fingerprint, we know ESPN knows that who it is.
Jacob: Right.
Paul: Now you might not think… I mean, it’s hard to get anybody to work together, so it’s probably unlikely that Amazon and ESPN are sharing that type of information.
Jacob:Â That was my question as to whether there’s actually proof that they’re doing that. I mean, I understand it’s theoretically true.
Paul: Yeah, but it’s not a good business practice for them to do it, okay? So that’s the case. But now we have this thing called ads. And we have web bugs. And there is many of those. There’s one thing called Google Analytics, which gives Google all of your browsing habits for every website you browse that has Google Analytics on it.
Jacob: Right.
Paul: So, they sell that as a benefit to the, to the webmaster, to the person hosting the website, to say, “Hey, you can get who viewed your page, how long it was, how long they were there, etc.”
So, you can get all of this information, but you’re effectively giving Google the demographics of the people and when they use your site and why they use it.
Jacob: Right.
Paul: Now, that’s Google. There’s a company called AddThis, which is, uh, a social sharing and bookmarking applet that you can put in your webpage. So, you can add that so somebody can like it on Twitter or Facebook and tweet it and do all those if things with very little work. Well putting that bug on there gives them a flow of information. And, I knew the CTO of AddThis and I was talking to him. This was probably five or six years ago, and I said, “Are you actually profiling the pages that people are liking?” And at the point, they weren’t. But I know that they’re starting to do that. So, they do it using natural language processing to see that you browsed – you didn’t have to tweet it. You didn’t have to do anything. You just browse, because their bug was being loaded on the page, and you browsed a page on boats.
Jacob: Right.
Paul: So, now all of a sudden, they can take that and say, “Gee, Paul is browsing boat sites.” By the way, I don’t like boats. I have no use for them, being out in the ocean without…
Jacob: We’re clarifying this because you’ve used this before.
Paul: I do. Yeah. There’s no shade on the ocean. It is not a good thing.
Paul: So, they can then sell that back to boat manufacturers and say, “Hey, Paul’s interested in boats. Do you want to sell him boat ads? Do you want to show him boat ads?”
Now they don’t do it and say, “Paul,” but they say, “Let’s sell it to Amazon.” And, I’ve used the stereo example. You were browsing stereos on one site, you’ve used these plugins. You might have gone to a personal blog of somebody that talks about the best stereo for home theater for 2015 and ’16, and you read that. Add This is on the site. They know that you read an article about home theater stereos.
Magically, ads will start showing up from Amazon or Crutchfield saying, “Hey, you’re interested in home theater stereo. Is that anonymous? Well, it’s anonymous in the way they’re using it, and they would claim that, that they are using anonymized data. We don’t know who it is, that it’s Jacob or Paul browsing, we just know that this person’s fingerprint wants to see boat information.
Jacob Sure.
Paul: But you can see that it’s one click of the dial to say that that’s Jacob.
Jacob Right.
Paul: And so, if it were illegal to think about boats, uh, you could see how a totalitarian regime could use that and say, “You’re…we’re going to find you and hunt you down and change your behavior.”
Jacob: Sure. Now, forgive my ignorance on this. Let’s say, for example in a company – this was a company of 50 people or something like that – there was somebody who was using the company computer to do, you know, nefarious things or whatever. Would they be able to be subpoenaed in such a way as to find out that it was that specific person, or would the whole company be implicated by that person’s activity?
Paul: Sure. Well, the company would be implicated to the extent that they are providing the service, and they are responsible for the use of that service. Now, whether they have or do not have tracking internally, would be difficult to know. In other words, do I know what web pages you browsed before this. Well, technology could have been implemented to track that. I don’t have it in this company. So, it could be, the government could come back and say, well, I’m culpable as the company, because I should have been controlling the access to the internet if you did something illegal.
The technology, though, certainly exists to track that. Now, having said that, let’s say I didn’t and, you know, Google has great fingerprinting technology, great, comprehensive, you know, whatever you want to say, insidious, you know. The technology is amazing. Whether it’s good or not is another question. But they could come in and say, “Well, let’s have all of your 50 machines try and, uh, browse to this test page.” They could identify which machine did it.
Now, I don’t know who’s sitting at that machine when they did it, unless… You could be at your machine, you’re logged into Google, so you’re on Google. You go out to lunch. I sit down at your machine. You know, so that’s plausible.
Jacob: Right.
Secure wi-fi as an identifier
Paul: The same thing with wi-fi is if you keep your, a wi-fi secure, that presents a threshold to somebody from using it. But let’s say they break in and use it. So, they go off and they browse some illegal sites. And the government finds out that you, your internet has your internet service provider reports that you have browsed illegal sites. And you come back and you say, “Well, I didn’t do it.” So, alright. Well, who else uses the computer in the household?
So, we talk to your family, and somebody in this household did it. Well, it’s hard to then say, “Well, we have an encrypted wi-fi. And we have a password. But I’ve given it to my neighbor. So, he uses it. Or she uses it. Hmmm. It could have been them.”
If you have open wi-fi, well, it could be anybody that used it. So, it’s a very interesting thing, you know, where you would think, “Oh, I want to secure my network.”
Well, the minute you secure your network, it becomes exclusive. And it’s only going to point back to you as the one who did something. But, you could easily say, no it was my three-year-old boy. You know, throw him right under the bus. He didn’t know better.
Jacob: Yeah, sorry buddy.
Paul: And that might not be believable, or he’s not really up at three o’clock in the morning.
Jacob: He does like looking at grenade launchers.
Paul: That’s right. Exactly. He does. And most little boys do, you know, so…
So, I have pondered, “Okay, how do you become anonymous?”
Jacob: Sure.
Paul: Alright. One of the things that has been a prerequisite is to have a phone nowadays. You have to have a phone in order to receive a text message or a phone call, which is proof of who you are, a validation of who you are.
Also published on Medium.