Privacy, logging policies, and track record
There has been a lot of attention recently to the arrest of an alleged LulzSec hacker after his anonymity was compromised by the anonymity service he was using, HideMyAss.com. Some articles on the event are here, here and the provider’s explanation here.
The reason this company was able to compromise the privacy of its user was that it kept logs of user activity: it knew which IP address was assigned to each user, and when, and could use that record to attribute any activity back to the real identity of the person behind the account.
The fundamental problem with logs is binary: either they exist or they don’t. You can’t keep logs only for “bad users” and not for responsible “good users”, because even if it were possible to identify them as such in advance, you would not find anything like agreement about who should fall in which category.
Many operators of privacy services, myself included, feel very strongly that such tools should be usable in countries like China to circumvent the censorship and surveillance there. Such use is certainly illegal for the user, and probably for the provider. HideMyAss.com, a UK company that says it responds only to UK court orders, was nonetheless “forced” to expose the identity of a person in the US, who was then arrested by the FBI.
I don’t know enough about this case to debate whether or not this person is guilty or deserved to be arrested. My concern is that this case has demonstrated that anyone who can cause a UK court order to be served against this company can expose its users. It also makes the company a target for hacking, social engineering, infiltration and other attacks which could gain access to those logs without any UK court order at all.
As a general rule, if information exists and people want it, there is a very good chance it will escape, if only by accident.
Perhaps we should not be too surprised that this company failed to protect its users, when it has no visible privacy policy on the website, and there are no identifiable people standing behind the product and brand with their personal reputations.
I founded this company, Anonymizer.com, and I personally stand behind our services. We have clear privacy policies, we keep no logs of the surfing activities of our users, we have no way of identifying what user may have visited what website. We have an unblemished record of providing robust privacy since 1995.
As I have said in many previous posts, it all comes down to trust. If you don’t know who is providing the service, and don’t have the ability to research their history and gauge their integrity, you should not use that service.
- Lance Cottrell

September 28th, 2011 at 12:21 pm
16 years is certainly an impressive record.
But the way you are posing “anonymity by policy”, or credentials, record, assurances, etc., is plainly wrong.
This Tor blog post approaches the issue most effectively:
https://blog.torproject.org/blog/anonymity-design-versus-policy
Assurances and reputation are certainly important, but what does that do for anonymous users if there’s a court order. A USA PATRIOT Act investigation?
The only solution is for an anonymity service not to have any information on their users.
Open source services that *can’t* determine the identities of their users are the best method.
September 28th, 2011 at 7:36 pm
Or you could just use Tor.
September 29th, 2011 at 3:57 pm
I know and respect the folks who built the TOR network, but I disagree with them at a fundamental level. Because anyone can set up a TOR node, there is no trust in the operators, yet there are many attacks TOR node operators can launch against you.
Anonymizer keeps no logs of the activity of users of the Anonymizer Universal or Total Net Shield services. When subpoenaed, we have no information to provide. This has been tested hundreds of times over the years.
Given the many cases of hackers, researchers and others gathering information and doing more hostile things with TOR nodes, I do not trust the node operators (the developers are great folks), and will not use them.
It is a difference of security philosophy. Do what you are comfortable with.
October 2nd, 2011 at 4:15 pm
Ok. Anonymizer doesn’t keep logs. But why does Anonymizer require name and address information for subscriptions if your users are to remain truly anonymous?
October 3rd, 2011 at 6:33 am
Why do we ask for name and address information? Great question. It is all about billing. The vast majority of our customers have always chosen to pay us by credit card. To process those payments we need to collect name and address information.
Your anonymity is protected with respect to other websites and with respect to your online activities. We know who you are, but not what you are doing. We can see your incoming IP address directly as well. It is basically impossible for us to avoid knowing who our customers are.
We design our systems so that our having that information can not put our customers at risk of exposure.
October 3rd, 2011 at 3:40 pm
Lance,
I need help to better understand your service. I presently use TOR via a thumb drive at the library in an attempt to keep a project as secret as I am able. I am not a computer person and do not understand how a TOR node operator could advantage or expose me. With regards to your service, I would like you to clarify if you keep any records that match my IP to the new IP you assign? If you keep these records, how long before you destroy them? It seems to me that Hidemyass was keeping records of which users were assigned to which IP. This information could then be used to identify which person visited which website or sent which email. I am willing to use your service if you can keep me 100% anonymous. I am sorry to ask for clarification, but it would be great if your website had a “plain English” version of what you offer. Also, the TOR project says that they use a special Firefox browser that does not contain Java because that can leave a trace as to my real identity. When using your service do I need to use a different browser? Please address and pardon my lack of technical knowledge.
October 4th, 2011 at 6:33 am
I have talked a bit before about vulnerabilities in TOR, so rather than repeat, I will link to those posts here.
http://www.theprivacyblog.com/online-privacy/tor-hack-proposed-to-catch-criminals/
http://www.theprivacyblog.com/online-privacy/rogue-nodes-turn-tor-anonymizer-into-eavesdroppers-paradise/
http://www.theprivacyblog.com/online-privacy/tor-may-actually-reduce-your-privacy/
We keep no logs of what IP addresses are assigned to our users. All of the users are randomly assigned to one of a small number of addresses that are active on any given day. There are a great many users attached to each IP address at any given moment. We have no idea what traffic comes from which users, and do not do any monitoring of that traffic.
Our standard consumer services are targeted at typical users. People with very high threat models need to take additional precautions, including running from a completely clean operating system every time.
Turning off all active content can be effective, but it will prevent access to a lot of content, and absolutely flags you as someone very unusual (and potentially interesting).
When thinking about the best tools to use, you need to think carefully about exactly who you are trying to protect against, and what capabilities they can realistically use against you.
Any more detailed advice is likely to be too sensitive to conduct in the comment thread. Please email me at blog@anonymizerinc.com if you want more help.
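The attribution mechanism the post describes (a retained log of which account held which exit address, and when) and the shared-address, no-log design Lance describes in his October 4th reply above, as an added Python example. This is not code from the original page, nor from Anonymizer’s or HideMyAss’s systems. The session records, account names and addresses are constructed for illustration, and the five-minute clock-skew tolerance and the function names are assumptions made here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Session:
    """One record of the kind a logging provider retains (constructed)."""
    account: str      # billing identity on file (name, card, address)
    exit_ip: str      # address the destination website saw
    start: datetime   # session start on the provider's clock, UTC
    end: datetime     # session end


def ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Design A (constructed): each session gets its own exit address and the
# assignment is written to a log that is retained. This is the situation
# the post describes.
PER_USER_LOG = [
    Session("alice", "203.0.113.10", ts("2011-09-20 13:00"), ts("2011-09-20 15:00")),
    Session("bob",   "203.0.113.11", ts("2011-09-20 13:30"), ts("2011-09-20 14:30")),
    Session("carol", "203.0.113.10", ts("2011-09-20 15:04"), ts("2011-09-20 16:00")),
]

# Design B (constructed): every session sits behind one of a handful of shared
# exit addresses and the assignment is never recorded. The table below is the
# most an adversary could obtain even if it reconstructed the assignment from
# its own observation of the exit; the provider itself holds no such table.
SHARED_EXIT = "203.0.113.50"
CROWD = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]
SHARED_LOG = [
    Session(name, SHARED_EXIT, ts("2011-09-20 13:00"), ts("2011-09-20 16:00"))
    for name in CROWD
]


def attribute(log, exit_ip, when, skew=timedelta(minutes=5)):
    """Answer the demand "who was behind EXIT_IP at time WHEN?" from a log.

    Returns the sorted list of candidate accounts. A skew tolerance (assumed
    value) is applied because the complainant's timestamp and the provider's
    clock rarely agree exactly; it widens the candidate set rather than
    silently missing a match, so a query near a reassignment boundary can
    return more than one account.
    """
    return sorted({
        s.account for s in log
        if s.exit_ip == exit_ip and s.start - skew <= when <= s.end + skew
    })


def anonymity_set_size(log, exit_ip, when):
    """0: the question cannot be answered from this log; 1: unique attribution."""
    return len(attribute(log, exit_ip, when))


if __name__ == "__main__":
    q = ts("2011-09-20 14:05")
    print("per-user log :", attribute(PER_USER_LOG, "203.0.113.10", q))
    print("skew overlap :", attribute(PER_USER_LOG, "203.0.113.10", ts("2011-09-20 15:03")))
    print("shared exit  :", attribute(SHARED_LOG, SHARED_EXIT, q))
    print("no log kept  :", attribute([], SHARED_EXIT, q))
```

With the per-user log, a single (address, time) pair from a complaining website resolves to one billing identity, which is exactly what a court order or a stolen copy of the log needs. Behind a shared exit the same query returns the whole crowd connected at that moment, and when the assignment was never written down there is nothing to query at all; the skew case shows that even a retained log is not always as precise as the party demanding it assumes.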
October 8th, 2011 at 6:38 am
There are and will continue to be vulnerabilities in Tor software. The Tor developers are very clear about that. Note that all the releases continue to be ./dot releases.
But since it’s open source software, meaning that the software code and the Tor network’s architecture is available for review and critique, it is in a separate category than services like Anonymizer.
External parties are not in a position to do a full audit of Anonymizer. The software and network architecture are not open to all eyes.
Again, I’m not interested in attacking Anonymizer or Lance. For certain users with certain adversaries, it’s an appropriate solution. If you are dealing with an adversary such as the North Korean government, Anonymizer might be an adequate solution.
But if Anonymizer is subject to any particular jurisdiction, such as the US, then all bets are off.
As mentioned, with the USA PATRIOT ACT, the US government can grab logs, billing information, etc., while Anonymizer would face a gag-order to not make a peep about it. Not even to their users. There is no such option with Tor. The array of Tor node operators can be good or bad, but they can’t be put in the same pot or subject to the same governments, regulations, and so on.
Open systems have their weaknesses. Tor itself is continually under attack day-to-day, not to mention at technical conferences. But that is also the beauty of open source systems. There can be that critique, thus driving more review and enhancements. Everyone gets to hear about the warts and blemishes without makeup. External parties are not able to do that with Anonymizer and other private proxy-type services.
Quick note to Jeff: determine *who* your adversary is to assess your solution. It’s hard to say X or Y is the best fit for you without knowing if you’re a political dissident in China or a Wikileaks submitter at the Bank of America, or a teenager browsing pr0n to avoid your parents.
Nevertheless, stick to the solution you are most comfortable with so that you can continually critique it and improve with experience. There are no snake oils in anonymity, unfortunately.
October 10th, 2011 at 6:17 am
Yes, you can confirm that your copy of the TOR software is clean. You can not confirm that the copy being run by the operators of a node is clean, nor that there have not been other changes or actions taken which could impact your privacy.
I could open source the Anonymizer system, then actually run something completely different internally. It does not buy you anything.
The failure of HideMyAss.com clearly shows the problem with keeping logs (in their case in the UK). You are correct that Anonymizer can be compelled to produce any logs that it possesses. We are not obliged to keep any logs which would show which of our subscribers visited what sites, when, or what they did there.
If Anonymizer had been forced to hand over logs which penetrated a user’s privacy, it would not stay secret. Again, look at the example of HideMyAss.com. We have received a great many subpoenas and other kinds of court orders over the years. This is not a theoretical or academic point. Our policy has withstood this for many years. If we could be forced to expose our users, there would be lots of people shouting about it. We do know who our users are, but being an Anonymizer subscriber is not a crime, nor is it evidence of any kind of illegal or malicious activity. In particular, it cannot be tied to any specific incident or event.
Try as they might, the code is not going to provide the privacy; people are. You need to trust those people. Yes, there is risk in that. Think very long and hard about who and where you choose to trust.
October 12th, 2011 at 7:13 am
Lance,
Your reputation and that of Anonymizer is solid. I think I can trust you, but I’m paranoid. Tell me how you ensure someone else at Anonymizer, working undercover for the NSA or Chinese government for example, hasn’t installed a logger without your knowledge. And let’s say Anonymizer is bought out or you leave. The most trustworthy asset of Anonymizer is Lance Cottrell, not the technology. If you’re not in the picture or your control is compromised, will you broadcast that to your users immediately?
Thanks. Stay honest.
–Jeff
October 16th, 2011 at 4:43 pm
I commit to ensuring that it is widely known if I part ways with Anonymizer or feel that I can’t personally stand behind the company and product at any time in the future.
November 5th, 2011 at 1:22 pm
“We keep no logs of what IP addresses are assigned to our users.”
Do you keep logs of or regularly track from what IP address a user connects to your service?