“We’ve updated our Terms of Service and our Privacy Policy”

I’m sure we’ve all seen at least a dozen or so of these types of messages over the last month.  The majority of the changes were brought on by the General Data Protection Regulation (GDPR) which is essentially a framework for the collection and usage of personal information gathered within the European Union.

Couple that with the recent revelations of Facebook’s massive data collection, and subsequent breach, and more people are starting to think about their privacy.

Let’s start off with the obvious – if it’s free, you’re probably giving up your privacy.  That includes search engines, email accounts, web browsers, social media sites, etc.  They are all tracking you, they are monetizing your data, and that’s how they offer services for free.  And even if it isn’t free, you’re probably still giving up your privacy. 

So what do you do?  Assume you’re going to leave a footprint but let’s just make it smaller.  We want to block ads and trackers so we can install browser extensions like uBlock Origin and Privacy Badger.  We can use VPNs to masquerade our source but if you’re using Internet Explorer, Edge, Firefox, Chrome, or any number of other “free” browsers, you’re still able to be tracked.  That leads us to Tor.  We have two routes, Tails or the Tor Browser Bundle.  I’m sort of blowing through these quickly because I want to focus on the Browser Bundle because I think it’s an easy compromise between giving up everything and totally paranoid.

The Tor Browser Bundle is basically another free browser except this free browser does not track you.  It’s entire purpose is privacy.  That does not mean you can’t be tracked but it’s making it a little harder.  Depending on how you set it up, you can configure the browser for Standard, Safer, or Safest.  In its safest mode, it will disable certain website functionality that may render the site unusable.  Setting it in Standard mode will make such a site work but it might also make you trackable.  At the very least, it will masquerade some, if not all, of your browsing and it will help reduce your footprint. 

First we want to download the Tor Brower Bundle.  You only want to download the Browser Bundle from torproject.org – don’t click the link from this site, search for it independently.  You also want to download the signature.  If you click the link for the signature, it will render in a page.  You want to right click and download it.  I’m going to assume you have not verified a signature in which case you’ll also want to download gpg4win, if you’re using a PC.  Prior to installing gpg4win, you’ll want to verify its integrity.  Right click the gpg4win download, select “properties”, select “digital signatures”, click the “name of the signer”, select “details”, select “advanced”, select “serial number”, and compare the value to that which is listed on the gpg4win website.  If it’s a match, you are ready to install gpg4win.

Once you have gpg4win installed, you can ignore the Windows version -- we are going to work in the command line.

Move the Tor Browser Bundle install and the signature into a folder off of the root of the C: drive.  I used c:\tor as my location.  This will make it easier for the next few commands.  Depending on which install you’re using of gpg4win, your application might either be installed in c:\program files or c:\program files (x86).  Move into the appropriate folder, then into \GnuPG\bin – for example:  c:\program files (x86)\GnuPG\bin

The next three commands will import the key, verify the fingerprint, and verify the signature. 

gpg.exe --keyserver pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290

You'll see something similar to this below but since I’ve already imported the key, my response shows “not changed”, yours should show “imported”.  If you re-run the command, you’ll see what I’ve provided here:

gpg: key 4E2C6E8793298290: 42 duplicate signatures removed
gpg: key 4E2C6E8793298290: 172 signatures not checked due to missing keys
gpg: key 4E2C6E8793298290: "Tor Browser Developers (signing key) <torbrowser@torproject.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

gpg.exe --fingerprint 0x4E2C6E8793298290

pub   rsa4096 2014-12-15 [C] [expires: 2020-08-24]
      EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
uid           [ unknown] Tor Browser Developers (signing key) torbrowser@torproject.org
sub   rsa4096 2016-08-24 [S] [expires: 2018-08-24]

gpg.exe --verify C:\tor\torbrowser-install-7.5.4_en-US.exe.asc C:\tor\torbrowser-install-7.5.4_en-US.exe

gpg: Signature made 05/08/18 02:50:04 Pacific Daylight Time
gpg:                using RSA key D1483FA6C3C07136
gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
     Subkey fingerprint: A430 0A6B C93C 0877 A445  1486 D148 3FA6 C3C0 7136

With these three commands, we’re validating the authenticity of the application.  Do we need to go to this extent for the sole purpose of privacy, no, we do not.  We could just install the Browser Bundle and I think we’re probably safe.  There is the off chance that someone could intercept our traffic and lead us to a fake download but I think the odds of you being hunted are fairly slim.  I wanted to spell it in one place because if you haven’t gone through this process, the instructions are in separate places and can be a little confusing. 

Before moving on, we want to verify the fingerprint and signature.  When you verify the signature, you’re going to receive a warning which basically states that there’s a match but only if you truly believe the signature is legitimately owned by your signer.  Per the web site, the best method of verification is to verify the signature in person by meeting the developer.  So basically, you’re taking a small chance.  Again, for the purposes on anonymity, we’re going pretty far into crazyland here.

Now that we’ve verified the signature, we can install the Browser Bundle.  Once it’s installed, you should see the icon on your desktop.  Launch the browser bundle and you’ll notice it starts up at a very specific size.  For the purpose of remaining anonymous, do not resize the window.  You can move it but don’t resize it because it allows you to be traced by your resolution.  If you leave it at the default size, you look just like everyone else.  Again, we’re being a little paranoid but I point this out to make you aware of the possibility.

With the browser open, in the upper left-hand corner, you’ll notice the little green onion.  Click the green onion, Security Settings, and here you’ll find the setting for adjusting how paranoid you want to be.  I’ve read a few books on being anonymous using Tor and each book suggested disabling JavaScript.  The Safer setting disables JavaScript for HTTP and not HTTPS -- if your goal is anonymity, push the slider up to Safest setting.  In testing, I wanted to see how many sites under my control would render at the highest level and every site but one rendered correctly.  I think starting out at the highest setting makes sense until you come across a site that won’t render. 

The only thing left to do is a sanity check by verifying our IP address.  You can open your standard browser and Tor browser to:  https://whatismyipaddress.com/

The standard browser will show your current IP address while the Tor browser should show something completely different. 

A few final thoughts --

1.  Tor is slower than your normal internet surfing.  That’s the nature of Tor.  Don’t expect to watch videos or stream any content.  But if you want to look up information on a medical condition, Google won’t be able to add that to your “permanent record” and Facebook won’t be able to push pharma ads to you.

2.  If you login to an account, you’ve blown your anonymity.  This is stating the obvious, I think, but if you login to an account, the act of authenticating will let someone know this connection is you.

3.  The Browser Bundle is not a guarantee for 100% privacy.  It is, however, better than straight up browsing using a standard browser on your traditional operating system.

Happy Anonymous Surfing!