Using VPN and proxy services to remain anonymous
A VPN bypasses various geographical and ISP restrictions. Because it encrypts all the web traffic and provides users with a new IP address, it’s impossible for anyone to sniff the web traffic. This way law enforcement can’t track you if they don’t know who you are in the first place.
With a VPN, the encryption takes place before the data is transmitted to the ISP. But why aren’t VPNs more popular? Why aren’t VPN services being used by everyone around us? The actual reason could be a lack of awareness, so that privacy is not a chief concern for most people. It must be noted that a VPN service tunnels your entire traffic and cloaks it, not just the traffic of a single application. It can also let you watch location-restricted content on services like Netflix, Hulu, HBO Go, etc.
With proxy software, you won’t get the benefit of encryption. Also, a proxy simply anonymizes the traffic of a single application.
After setting up your VPN or proxy, you can visit sites like DNSLeak to test if DNS is leaking. By visiting sites like iPleak.net, you can further confirm your privacy.
Private mode in browsers
While some of us know its true colors, many users assume that using incognito mode makes them untraceable, as if they had never “touched” that particular computer. This isn’t entirely true, and web browsers downplay the real purpose of the term “private browsing.”
The incognito mode is just for private browsing. By using it, you can remain assured that your web browser won’t be keeping any history, cookies or passwords saved.
Google says: “Pages you view in incognito tabs won’t stick around in your browser’s history, cookie store, or search history after you’ve closed all of your incognito tabs. Any files you download or bookmarks you create will be kept.”
Firefox, the other most popular web browser, tells a similar story. This means that your friends, roommate, kids or partner can’t open your PC and see what you’ve been up to lately.
This isn’t the whole story. These web browsers also tell you that your Internet Service Provider (ISP) and your employer can still track the web pages you visit. So your browser won’t create a pile of temp files and history, but that’s not enough if you need a completely anonymous experience.
Google, too, can see what you do if you sign in to one of its apps while browsing in incognito mode. Apart from this, the websites you visit may still have your records.
On the other hand, Safari and Internet Explorer don’t even bother to tell you that you’re browsing incognito and being watched by ISPs, app makers and your workplace network admins.
Issues while using third party apps and services
When The New York Times reported the popular inbox-cleaning app Unroll.me was providing anonymized user data to Uber as part of the ride-hailing company’s bid to crush competition from Lyft, the backlash was swift.
Outraged users took to Twitter, bashing the company and pledging to delete the service. CEO Jojo Hedaya quickly apologized, but it did little to quell the outrage. Later, Unroll.me cofounder Perri Chase wrote an impassioned defense of Hedaya on Medium.
“Data is pretty much the only business model for email and Unroll.me is not the only company that looks at, collects and sells your data,” Chase — who is no longer part of the company — wrote. “There was no intentional malice done by Jojo or anyone at Unroll.me.”
Outside of Silicon Valley, distrust of tech companies runs deep.
In reality, the problem is not that Unroll.me was scraping data from users’ inboxes and selling it (in anonymized form) to third parties, but the lack of transparency about the fact that this was happening. The company’s entire business model is predicated on data collection, but nowhere on the company’s app, website, sign-up page, or anywhere else was that made clear.
That’s why promising to do better isn’t enough. Users have a right to know exactly how and when their data is being used. And it’s up to tech companies to make that clear — not bury it in privacy policies no one reads.
In Android, most functionality of your phone is provided by apps. And this includes making phone calls as well. Android lets you replace the dialer app on your phone with a custom one. This can be amazing and horrifying at the same time. It is amazing because it allows programmers to create interesting ways to call people. But it also allows the creators of malicious apps to secretly send your private data to their servers.
For tech-savvy people this isn’t such a big issue: trust only your phone manufacturer and open source apps and you’re golden. But things aren’t always so simple when people who aren’t familiar with the best privacy practices see these apps on their app store. On top of that, things can get out of your hands when a phone update replaces the default telephone app on your phone with TrueCaller.
I wanted to see just how bad the situation was, so I searched on the internet and found this post about Android dialer apps.
When you first install this app, it greets you with a permission request for your contact list and refuses to start without being granted the permission. But that’s not too suspicious: an app that you use for calling people, an app that advertises itself as “Contacts Phone Dialer”, can have tons of valid reasons for needing access to your contacts. But unfortunately, the first thing this app does after getting the permission is serialize all your contacts into a big string and send it over to their servers.
Asus Dialer is the app that comes preinstalled with Asus phones. In my tests, it didn’t send anything from my contact list to their server. Also, no communication was observed when calling other numbers. This is consistent with the opening paragraph: a telephone app by a phone manufacturer wouldn’t steal your data carelessly; it’s just an unnecessary risk for them.
Dialer+ / Contacts+
An API call to an endpoint called ‘/report’ was made with every call I made. This API call included my email address, a token and the number I was calling. I assume a copy of my contact list was also sent but I was unable to take a screenshot of that.
TrueCaller, the telephone app which another blogger was suspicious of, is also guilty in this regard. It sends all your call start-end times and some more data such as outgoing call and number dialed events to an analytics server. On top of that, it keeps track of calls and reports to their server when they start and end, along with the number called and a client ID.
This extensive collection of information is enough to work out when you talk with people, and who you talk with. Since these apps are installed by a lot of people and your name is in their contact lists, even if you don’t install the apps you can still be tracked to a degree.
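To check a dialer app on your own test phone for the kind of reporting described above, you can route its traffic through an intercepting proxy you control and search the captured requests for identifiers you planted on the device. The following is an added example, not code from the post or from any of the apps; the hosts, token, request bodies and the names CAPTURED, WATCHLIST and findLeaks are constructed for illustration.

```javascript
// Constructed sample of requests captured from your own test phone through an
// intercepting proxy; hosts, token and values are made up for this example.
const CAPTURED = [
  { host: 'api.dialer.example', path: '/report',
    body: '{"email":"me@example.com","token":"abc","number":"+1 (555) 010-0199"}' },
  { host: 'analytics.example', path: '/events',
    body: 'event=outgoing_call&number=%2B15550100199&start=1700000000' },
  { host: 'cdn.example', path: '/icons.png', body: '' },
];

// Identifiers planted on the test device: your e-mail and the numbers you dialed.
const WATCHLIST = { emails: ['me@example.com'], numbers: ['555 010 0199'] };

const digits = s => s.replace(/\D/g, '');

// Bodies may be URL-encoded; malformed escapes must not abort the scan.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Phone numbers appear with or without country code and punctuation, so compare
// digit strings and accept a match on the trailing (national) digits.
function sameNumber(a, b) {
  const [x, y] = [digits(a), digits(b)];
  return Math.min(x.length, y.length) >= 7 && (x.endsWith(y) || y.endsWith(x));
}

function findLeaks(requests, watch) {
  const findings = [];
  for (const req of requests) {
    const text = safeDecode(`${req.path} ${req.body}`);
    for (const email of watch.emails) {
      if (text.toLowerCase().includes(email.toLowerCase())) {
        findings.push({ host: req.host, path: req.path, kind: 'email', value: email });
      }
    }
    const candidates = text.match(/\+?\d[\d\s().-]{5,}\d/g) || [];
    for (const number of watch.numbers) {
      if (candidates.some(c => sameNumber(c, number))) {
        findings.push({ host: req.host, path: req.path, kind: 'number', value: number });
      }
    }
  }
  return findings;
}

console.log(findLeaks(CAPTURED, WATCHLIST));
```

On the constructed capture this reports the e-mail address and dialed number in the ‘/report’ call and the dialed number in the analytics event, while the timestamp in the same event is not mistaken for a phone number.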
Browsers’ built-in password manager and form filler
Nearly every web browser now comes with a password manager tool, a lightweight version of the same service offered by plugins like LastPass and 1Password. But according to new research from Princeton’s Center for Information Technology Policy, those same managers are being exploited as a way to track users from site to site.
The researchers examined two different scripts, AdThink and OnAudience, both of which are designed to get identifiable information out of browser-based password managers. The scripts work by injecting invisible login forms in the background of the webpage and scooping up whatever the browsers autofill into the available slots. That information can then be used as a persistent ID to track users from page to page, a potentially valuable tool in targeting advertising.
The plugins focus largely on the usernames, but according to the researchers, there’s no technical measure to stop scripts from collecting passwords the same way. The only robust fix would be to change how password managers work, requiring more explicit approval before submitting information. “It won’t be easy to fix, but it’s worth doing,” says Arvind Narayanan, a Princeton computer science professor who worked on the project.
The Princeton research showed that information was also being funneled back to Acxiom, a massive consumer data broker. AdThink disputed that data was shared specifically with Acxiom, although the company acknowledged that data is routinely shared with third parties.
“The particular piece of code discussed in this study was experimental and is responsible for only a very tiny fraction of the data collected globally,” the company said in a statement. “At the time of writing this statement, this code has already been deleted with absolutely no impact on our advertising business.”
For Narayanan, most of the blame goes to the websites that choose to run scripts like AdThink, often without realizing how invasive they truly are. “We’d like to see publishers exercise better control over third parties on their sites,” Narayanan says. “These problems arise partly because website operators have been lax in allowing third-party scripts on their sites without understanding the implications.”
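A site operator who wants to check pages for the invisible login forms described above can audit which credential-type inputs are present but not visible to the user. The following is an added example, not code from the Princeton study or from any browser; the helper names (hiddenReason, describe, auditFields), the name-matching heuristic and the sample fields are assumptions made for illustration.

```javascript
const HINT = /user|login|email|pass/i;

// Pure check on a plain field description, so it also runs outside a browser.
// Returns why a credential-like input is invisible, or null if it is fine.
function hiddenReason(f) {
  const credential = f.type === 'password' || f.type === 'email' ||
    (f.type === 'text' && HINT.test(`${f.name} ${f.autocomplete}`));
  if (!credential) return null;
  if (f.display === 'none') return 'display:none';
  if (f.visibility === 'hidden') return 'visibility:hidden';
  if (Number(f.opacity) === 0) return 'opacity:0';
  if (f.width <= 1 || f.height <= 1) return 'collapsed to 1px or less';
  if (f.right < 0 || f.bottom < 0) return 'positioned off-screen';
  return null;
}

// Browser-only adapter: turns a DOM <input> into the description used above.
// Opacity is not inherited, so take the minimum over the element's ancestors.
function describe(el) {
  const rect = el.getBoundingClientRect();
  const cs = getComputedStyle(el);
  let opacity = 1;
  for (let n = el; n; n = n.parentElement) {
    opacity = Math.min(opacity, Number(getComputedStyle(n).opacity));
  }
  return { type: el.type, name: el.name, autocomplete: el.autocomplete,
           display: cs.display, visibility: cs.visibility, opacity,
           width: rect.width, height: rect.height, right: rect.right, bottom: rect.bottom };
}

function auditFields(fields) {
  return fields.map(f => ({ name: f.name, reason: hiddenReason(f) })).filter(x => x.reason);
}

// Constructed sample: a real login box, two invisible fields, a search box.
const SAMPLE_FIELDS = [
  { type: 'email', name: 'email', autocomplete: 'username', display: 'block',
    visibility: 'visible', opacity: 1, width: 240, height: 32, right: 600, bottom: 300 },
  { type: 'email', name: 'email', autocomplete: '', display: 'block',
    visibility: 'visible', opacity: 0, width: 200, height: 20, right: 300, bottom: 100 },
  { type: 'password', name: 'pw', autocomplete: '', display: 'block',
    visibility: 'visible', opacity: 1, width: 150, height: 20, right: -4850, bottom: 20 },
  { type: 'text', name: 'q', autocomplete: 'off', display: 'none',
    visibility: 'visible', opacity: 1, width: 0, height: 0, right: 0, bottom: 0 },
];

console.log(auditFields(SAMPLE_FIELDS));
```

In a browser console the same audit runs against the live page with auditFields([...document.querySelectorAll('input')].map(describe)); any hit on a page that has no login form of its own is worth tracing back to the script that inserted it.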