An opinion, backed by quite a few supporters, claims that there is no reason to stay anonymous unless you're doing something wrong. Is it true? No! Staying anonymous is not a crime against community and your desire to remain unidentified is quite natural; it is usually based on legitimate grounds, and not on the excessive levels of paranoia in your brain. In fact, the lack of the ability to stay anonymous usually triggers mental instability -- just ask your favorite celebrity.
Anyway... Origins, pros and cons, social and ethical aspects of anonymity are not in scope of this article. Below we give you some of the methods to protect your privacy in today's world where everything seems to be identified and traceable. Once again, this is not an extract from the criminal's handbook. If you're looking for ways to conceal your identity and you belong to the statistically insignificant group of people who use google to plan something nasty and unsocial, beware that your IP address has been captured and is about to be sniffed by the K9 cyberdog. We also took your picture because you forgot to cover your network jack and your face is visible on our end of the fiber-optic cable right now. You have been warned!
First thing to do after you turn it on? Wipe it clean, reformat the hard drive, and reinstall the OS from scratch, preferably from the CD that did not come in the same box. It might seem excessive and it can be impossible unless you belong to the tech-savvy minority of the population, but it ensures that your manufacturer did not leave any proprietary software that uniquely identifies your computer. For the tech-savvy population, there are additional steps that can be taken: if possible, change serial numbers, MAC addresses, and other unique identifiers in BIOS.
Unfortunately, your computer will need software updates. Nowadays, software updates itself via the Internet and, during the process, it silently transmits serial numbers, and often other personally identifiable information. If it is not possible to anonymously download software updates or request an anonymous medium (like a CD/DVD) from the manufacturer, there is not much you can do: use your best judgment, take your changes, or do not update. The latter may be risky, because updates often fix software vulnerabilities that can be used by spyware to spread.
Make sure you have all the latest OS and software updates installed before you connect to the internet. Install only a necessary minimum of applications. If you don't intend to use an application - do not install it. Check which applications and system services open listening sockets (use netstat or similar tool to get the list of all applications listening on the network). Shutdown or uninstall listening services and applications that you don't need. Install a personal firewall capable of alerting you when an application tries to open an outgoing network connection. Configure the firewall in a white-list mode: no applications should be allowed to connect outside unless you explicitly let them do so. For applications that can automatically "check for the latest version" or "download system updates" - disable this functionality. This includes your OS, too. Initiate updates manually when they come out.
The best way to browse the Internet is to use a virtual machine. Use the functionality that restores your virtual machine to the original state on shutdown. I agree, virtual machines is not always a convenient way to surf the web, but do not worry, it is OK to use your desktop browser if you configure it properly. Of particular importance are the cookie-handling parameters: Instruct your browser to clean ALL cookies on exit and to only accept session cookies from the domain of the page you're visiting. Change the User-Agent string that your browser uses to identify itself -- set it to one of the most common values. Do not remove the User-Agent header and do not assign a unique value to it -- the best way to stay anonymous is to blend with the crowd. For the same reason, use one of the most popular browsers (currently MSIE and Firefox). Never install any 3-rd party "search toolbars" or "browser optimizers" -- they will use your browser's facilities to call back home and your firewall will not alert you because your browser will be allowed to initiate outgoing connections.
Do not use your real name on any of the publicly available websites. Use your real name only when it is absolutely necessary (banking, employer's portal, etc.). Use a different username, different password, different profile information, avatar, and signature style for every website where you register. Many browsers have "password wallet" capabilities that will help you track multiple logon credentials. 3-rd party applications with this functionality are also available.
The Internet retains everything you throw at it. Think twice before hitting that Send button! You lose control of the information when it leaves your computer. Before sending anything that is trackable back to you, think whether you want your employer, your colleagues, or your kids' kids see it later. The video of you dancing semi-naked on the table at a college party might be funny, but your future employer will not think so and you will not feel comfortable when you'll catch your grandkids 50 years from now watching it. When in doubt -- do not post! Keep in mind that your writing style, vocabulary, and punctuation can be used to profile you, restore missing links, and aid in identification. Change your style -- short sentences, long sentences, synonyms, etc. It gets easier with practice (and improves your communication skills, too).
Never use your full name in any of e-mail applications configurations, even if you only send emails to friends. Messaging applications will extract this information and store in people's address books. Spyware harvests those address books. Note that if you do not specify your name, your "friends" will type it for you. To reduce the possibility of it, use your first name in the From: field, for example "John" or "John's Home". It should be enough for your friends and it does not reveal your full name.
Configure your email client so it never replies automatically (read receipts, etc.) and never downloads anything from the Internet. Consider switching from the monstrosity of MS Outlook to the usability of Mozilla Thunderbird.
Keep 2-3 email accounts for different purposes. For example, use one for communicating to friends/relatives, one for work-related communications, and one for online banking. Thunderbird does a good job of managing multiple identities.
For all online communications that do not require long-term working e-mails (forums, e-shops) use temporary disposable email accounts (search the Internet for "disposable email", you will find numerous services like GuerillaMail or Mailinator).
Search engines retain everything you type in the search field. They also try to stick a unique id tag to each browser. It is possible to identify you by reading the list of your queries. Disable cookies for all search engines. It usually does not break the search functionality, but it makes very hard for the search engine to determine whether your consequent search requests come from the same source. Of course, to guarantee anonymity, you will have to use a different IP address and start a new browser session for every query.
Do not use applications that come from advertising companies. All search engines are advertisers -- serving ads is their core business and many "extra" applications are designed to help those companies to profile you so they can serve targeted ads better.
Search engines and advertisers host code that tracks your browsing habits. This code is usually hosted on dedicated servers, separately from the main content. There are also free and not-so-free services that enable website operators track visitors and produce meaningful statistical data. Good news is that host names of all those tracking websites are well known and available on the web. Get one of those lists and add all of them to your operating systems' /etc/hosts file (windows equivalent is \windows\system32\drivers\etc\hosts), one per line:
127.0.0.1 badhost1.example.com
127.0.0.1 badhost2.example.com
This way your OS will redirect all requests to offending hosts to your local machine (i.e. all requests will fail and you will not be tracked).
Consider installing a local proxy application that can be configured to reject junk requests. Privoxy (available in a bundle with TOR) does a good job of keeping your browsing experience private.
Read about TOR and install it. At the end of the installation, configure TOR so it does not start automatically. Start it manually as needed. Note that routing your data via TOR network, does not make it secure. One can observe your unencrypted traffic when the last TOR router in the chain (the exit router) sends it to the destination. Do not send personally identifiable information via TOR network unless it is encrypted.
Many online stores are insecure and most of the stores require you to register and provide personal information. To prevent your personal information from leaking in case one of those websites is hacked, here is the solution: Get yourself a P.O. Box and a credit card where this P.O. Box is listed as billing address. If possible (though many banks won't allow that), change your name on the credit card. Use your alternative name, your pet's name, or your business name. Create your account using one of those disposable email accounts and provide as little information as possible. Do not use real phone numbers. On your first sign up, change your password and your e-mail address (otherwise it might be possible for others to take over your account by requesting password reset via email).
Use TOR to forward P2P, IRC, and IM communications. Maintain several IM accounts, similar to the way it is described above for E-mail. Do not put every bit of personally identifiable information in your IM profile. A screen name is sufficient. Your IRC (and in many cases IM) communications are not private. Logs files do not vaporize from the servers when you log off. Think before you type. Think again before you send.
E-mail addresses:
Subscribe to a mail-forwarding service (either free or commercial) - it will give you an e-mail address that you can share with whomever you want. All emails sent to this address will be forwarded to your private e-mail address. Some forwarding services (ex: vistabug.com) can encrypt everything they forward. Switch to a different public e-mail address when you no longer need the old one or when you start receiving too much spam.
Phone numbers:
Subscribe to one of the services that let you forward phone calls. Xebba is a good one -- they will give you a free incoming number and for a few cents per minute, they will forward calls to your private number. This comes very handy when you need, for example, to sell something. Publish an ad in local paper (or online), give them your temporary phone number, and when your transaction falls through, disable that number. Done! No more phone calls about your old car three weeks after it was sold.
Again, blend with the crowd. Dress and behave the same way as do the people around you. Pay with cash when possible. Subscribe to services using real names only if it is required: for the utilities, you'll have to use your real name, but magazines do not mind sending subscriptions to "Will B Reading" at PO Box XXX. And you won't mind if they share this name and address with the whole world.
Whenever you need to fill a form, provide the necessary minimum of information. Your dentist does not need to know your driver's license number. A grocery store does not need to know your private phone number, email address, or even your name. Do not put your name, address, and phone number on your checks. A first name initial and your last name is more than enough. If you are filling a document and it says "this section is optional" -- skip it. Privacy laws and regulations (especially in the financial industry) require companies to handle your data securely and give you a way to decide whether you want your data shared with "business partners" (the boring fine print usually translates to "we'll share it left and right unless you ask not to"). Request to be excluded from whatever schemes their marketing masterminds created.
Subscribe for a P.O. Box service and use it everywhere where your private information will not be mailed back to you. The reason for it is that if you cancel your PO Box service, your mail will still reach that PO Box and then-current box owner will be able to read your messages.
Track people who sell your address and fight back! When you provide you street address, add a unique identifier to it for every company that you send it to. For example "123 Main St. #12 B432" or "123 Main St. #12 RM552". Keep track which identifier was used where. This way when you start receiving paper spam to one of the addresses, you'll know right away what company is responsible. You may be able to sue them, check with your legal advisor.
Do not make calls to toll-free numbers from your private phone or your phone number will end up on some marketing call list. Keep your private number private -- share it with only the individuals you trust. Subscribe to Xebba or similar service that will relay your calls and make them anonymous. Get a local number to give out to whoever asks for it. Xebba can play an audio back to callers or forward calls to your private number without revealing it. You can also record calls.
Whenever you receive an unsolicited call, identify the remote party, their company, and write down their number. Then tell them to cease and desist. If they call you again, remind them that you asked to be taken off the list. It they call again -- talk to your legal advisor.
Do not personalize your vehicle. Use standard license plates, stock colors, do not hang pink bunnies on your rear view window, etc. This makes your car look generic. If your license plate spells out something unique, it makes it a lot easier to remember. Do not leave your registration or insurance cards in the vehicle -- whoever steals it or breaks in might as well decide to pay you a visit later. For the same reason, do not input your home address into your car's navigation system.
Keeping your employee id visible is a bad habit, even if it is mandated by the employer's policy. If it is strictly required, be sure to put it in a pocket when you leave your work. Or flip it over so only back side of it is visible. Your name and company name is valuable information. The barcode on your id is very likely your social security number. The RFID tag in it can be read remotely. All this information combined can be used to get access to your workplace.
Buy a good confetti shredder and destroy everything that comes to your mailbox and has your name or address on it. Dumpster diving was invented long before the paper was.
If you seriously plan to follow every step described above, it might be a good idea to see a mental health professional. Many of the above described methods are mutually exclusive or not applicable everywhere. Use them wisely as needed and when needed.
This page is a work in progress and we will keep it updated. You can share your thoughts and suggestions with the authors by writing to vtalk@hexview.com