Is Truly Anonymous Web Browsing Even Possible?

Thursday, January 13, 2011

Rafal Los


"The problem with losing your anonymity is that you can never go back."   --Marla Maples

There's anonymity, and then there's being anonymous.

Oddly enough the line is a lot more difficult to understand then one may wish.  Anonymity is a tricky thing because on one end of the argument you must concede that in order to have an acceptable user experience in the modern web world you must be tracked to some acceptable extent, while the other end of the argument would say that we don't want web sites, vendors and nation-states/organizations tracking us and our browsing habits.  

Throwing into this the complexity of free content (what's really "free" today, really?) like Facebook and other types of free-for-a-fee sites and you have yourself an ugly little mess.

So what are the issues?

The issues with truly anonymous web browsing look something like this -

  • Can making anonymous surfing still sustain the "free web" concept? - Much of the content you surf today is free, meaning, you don't pay to go to the site and access it. Many of these sites offer feature-rich experiences, and lots of content, information and require lots of work and upkeep. It's no secret that these sites rely on advertising revenue at least partly (which relies on tracking you) to survive ...if this model goes away what happens to these types of sites? Does the idea of free Internet content go away?  What would that model evolve to?
  • Is a user willing to pay for content on sites in exchange for their "privacy" (not being tracked)? - In line with the above point, would you be willing to pay $50/month for Facebook? How about $10/month for to look up your local weather, or $25/month to look up the sports scores or $75/month to read the online news or get the idea. Many of these sites are free right now because they rely on alternative means (which rely on knowing who you are and your browsing habits) to make their revenue.
  • Can we effectively de-couple "session management" from "user tracking"? - While this may seem like a simple question, it's a lot more complex politically then technically. Managing a user's session means knowing what places on your site they visit, and while this isn't that big of a deal if you operate a single-site organization it becomes a lot more complex if you're managing an authentication mechanism for an organization that owns dozens or hundreds of sites worth of content. At that point you have to be careful to not give into the temptation of tracking the user not just across your own site(s) but then across your partner sites, etc. Managing a session can be as simple as answering the question of whether the user is authenticated or not - but then why not take advantage of all the other available information?
  • How does the industry draw the line between "enriching the user experience" and "tracking the user" - Where does the online industry draw the line between enhancing the user experience and just outright tracking the user? Does anyone remember how everyone was up in arms over Facebook's tracking capabilities across multiple sites, such as news sites, retail shopping, etc? As an industry there needs to be clearly defined regulations and rules around what can be considered managing the user's session and enhancing their experience - and "tracking" the user; creating a legitimate opt-in system where a user must consent to being tracked first - then having that respected by the technology and code that they utilize. I fear we're very far from this type of environment today.

In the end, though, we're left with the trust we place in our web applications... so we're left with the intersection of privacy and software security assurance.  Answering the basic question again - can the user trust the software?

Take the Internet Explorer 9 no-tracking option... and a great way to understand the technical calamity of it all -

"The site must request permission, the user must consent, the browser must respect user's decision ...and an XSS flaw invalidates the whole thing. Lovely."

This is pretty serious stuff - so over a few posts in the future I'll go over each of the bullets above in more detail, with a guest-post and discussion on each ...stay tuned!  If you'd like to contribute, or have something to say as always - please chime in by leaving a comment, or hit me on Twitter/Skype/email and I'll get back to you quickly.

Thanks for reading ...I look forward to continuing this thought.

Cross-posted from Following the White Rabbit

Possibly Related Articles:
Facebook Privacy Browser Security Vulnerabilities Monitoring Cookies
Post Rating I Like this!
Robb Reck They key, for me, is not that I require that the sites I visit can't know about my behavior, it's that I want that behavior to not be tracked back to me. It's okay with me if knows that I go from reading stories about baseball, to checking the NBA standings. And it's okay with me if the company who pays for ad space on ESPN knows that's where I came from. My own personal line is that I don't want any of them to capture that the behavior comes from my IP address (or username, or whatever). I understand that there are probably some privacy issues even in this type of model, but it's something I'm much more comfortable with.

In regards to pay-for-use on websites, I think it's incredibly unlikely to happen within the next 20 years. The first website to charge a fee will see a huge majority of their traffic leave immediately. The best bet for Myspace (or any new social network) to succeed would be if Facebook started charging the users.

All that said, even if they did decide to start charging users, the numbers you threw out are way way too high. $1/month would be a much more likely fee for a pay-site, and even that would be a significant increase over the ad revenue generated on a per-user basis.

Anyway, it's a great subject, and a topic well worth discussing. Thanks for your post.
Rafal Los Robb- Thanks for taking the time to read and comment. There is an often subtle yet blurry distinction between tracking a user, and enriching their experience... and there shouldn't be.

I invite you to read the rest of the content on my blog, as you may find it of value as well.

Dina Saarelainen Online privacy test to analyze what does your browser reveal to websites, in addition to your IP address. Allows to check your default Internet connection and connections protected with "hide my IP" services like proxy or VPN - often with shocking results. Modern web browsers provide a user with a lot of features but they have also been designed to reveal your IP address and tons of other "innocent looking" information to websites. A collection of such information can be used to compile browser fingerprints that according to the EFF study are unique, identifiable and can be easily used for online tracking.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.