Saturday, January 24, 2015

Time to enter the Dark Web?

Here are three (mildly) transgressive Internet links you might or might not care to follow:

  1. Recently-deceased Leon Brittan's link to that paedophile ring
  2. The Sun's Page 3 website
  3. Adolf Hitler's "Mein Kampf"

Suppose you clicked on any of the above: who knows you've done it?

Ignoring the person standing behind you, there's anyone who clicks "back" on your browser, who looks at your browser history, or perhaps who inspects your machine's cookies. You can address this problem, partially, by using private browsing - although any downloads will still be on your machine, and who knows about temp files buried away?

If you had logged into Google, or Amazon, or another such website, then its owners certainly know where you went, keep extensive records ... and could be subpoenaed.

They also know your location. You may be unaware that your browser can run a script asking the operating system for the WiFi SSID you're currently attached to. The big players like Google keep vast databases which link SSIDs with their geographical location: this is how Google Maps magically knows where you are. Hard to stop this happening without disabling scripts, which will stop most websites working.

Even if you were maximally careful on your own machine, your ISP - the provider of your Internet service - keeps a record of your site-visits. It can correlate your personal details (name, address, bank details) with your allocated IP address and link that with the websites you visit.

Normally this is like, who cares? These logs get to Terabyte size and no human scans them. They're expensive to keep and are wiped after some months. But the Government is pushing to legally mandate ISPs to keep these records, on everyone, for at least a year - and make them available to the security services. Is it time to get worried?

If the proposal gets through (and there's a good case for it on anti-terrorist grounds) then everyone can potentially be hoovered-up by a log-searching algorithm. Perhaps one day soon they'll start to care about 'mildly-transgressive' Internet behaviour, and your name will go down on a file somewhere. Between Google's profiling us for targeted advertising, and GCHQ tagging us for subversion, most of us might want to draw a line somewhere.

A common response is to suggest using Internet proxies (eg anonymouse, vtunnel) for any web searches beyond the most anodyne. But these are cumbersome and ad-infested - and who knows what the proxy guys are doing with the correlation between your identity and your surfing information (which they have even if your target sites don't).

The best answer is an Internet VPN service, which unfortunately involves paying some modest fee. Your traffic goes through an encrypted tunnel (eg IPsec) and is proxied at the VPN service provider's Internet breakout point. The rest of the Internet doesn't see your IP address so your web searches appear to come from the VPN service provider; meanwhile your ISP only sees your traffic going to the VPN service provider and has no idea where it's destined for afterwards. It only remains to trust the VPN service provider to not keep your transaction logs for any length of time. When 'The Man' comes asking for the last six months of your usage, there's nothing to show. This is quite a big business for a variety of reasons (watching BBC iPlayer when out of the UK is one) and the market leaders appear trustworthy enough - their business depends upon it.

They tell a good story but I somehow doubt that these VPN service providers can really evade an after-the-fact subpoena. The utility is to prevent speculative trawling.

Do we care enough? Today, probably not ... but it's nice to know we have the option going forwards.

Note: Private Internet Access was named PC Magazine's Editor's Choice in 2013. Read their review.