Wednesday, February 07, 2007

Dangerous Anonymity

A Professor at Bowling Green State U writes about his experience with IT after using an anonymity program called Tor. Someone came to his door to tell him that he was not allowed to use the program that is designed to shield his identity on line.

As an anonymous blogger, and I suppose a bit of a paranoid, I have thought about how easy it would truly be to track me down if someone really wanted to. Apparently, the network people at BGSU assumed that only a criminal would want to protect his identity through this software.

As the author is, I am troubled by the lack of real privacy there is for the internet. He insisted that it was within the purvey of academic freedom to surf the web anonymously and the IT person finally left him alone.

I wonder what the situation is like on our campus.

How closely does IT monitor our comings and goings on the internet?

How much history do they keep on web activities?

Can the chancellor just call someone up and have me outed?


Anonymous said...

Good questions.

Tor is a great tool, but if you are trying to shield yourself from prying eyes on your own network it is more likely to draw attention than keep you under the radar (as the BGSU Professor discovered).

For your purposes a simple anonymizing proxy might be a better option. Tor might be overkill.

I am curious, too, how these things are handled on campus.

Anonymous said...

Federal Court's have already decided that employees using a system owned by an employer have no expectation of privacy. Many companies routinely screen their employee email and the web history. In a network setting, computers are generally assigned a specific IP address so their traffic could be easily traced and the location of the computer and who is assigned to it is quickly identified. Plus.... then there are all the log-in and log-off time stamps...

I suspect your University computer policy has some language in it that may imply privacy or not...

My advice is if you want something to be confidential don't use email... as State employees, email sent/received on your work computer may (and some recent decisions have already favored this view) even be considered public records.

Anonymous said...

Or use a GMail account, and have Firefox configured to dump your history and other personal info every time it is closed. (takes 10 seconds). Then there is no record of the e-mail left on the computer. There is also the option of some thumb-drive based solutions. Some have the Thunderbird e-mail client configured to run only on the stick, others are complete operating systems pre-configured for anonymity on a thumb drive.

Lake Winneblogo said...

These are nice suggestions, but does anyone know the actual rules?

Clearly, the network people pay attention to the traffic in and out of campus. But how closely?

Tor looks pretty cool. Maybe we should all install it and then the IT people couldn't figure out exactly who is doing what.

Anonymous said...

There is a (somewhat) legitimate reason for net admins being nervous about Tor. Once you're logged into the Tor network, you are acting as a router for other people's Internet traffic just as others are doing the same for you. I've only read about what Tor does, I don't actually use it, so I don't know if this can be turned off, but even if it could it wouldn't be very nice to do so. Share and share alike, right?

So you end up acting as a gateway for people off-campus, all over the world, making possibly illicit requests through your computer.

So yes, other solutions are probably more appropriate for academic anonymity, but I really have no idea what the rules are or how they are enforced on campus. Maybe someone should write whoever handles these things and find out.

Anonymous said...

I don't have the policy in front me (I can check on Monday), but I believe the policy states that any computer that accesses the UWO network, *any* computer, can be searched and/or confiscated ("in good faith", whatever than means). It doesn't matter if the computer is university property or not. Your UWO email account does not belong to you and is not private; files stored anywhere on the campus network belong to UWO.

The policy complies with the Federal Patriot Act.

And it would be Ken Splittberger, not Richard Wells, who would come knocking on your door.

That being said, I believe that our AC people don't like the policy any more than some of us do, and I think, in general, they respect our privacy. I do not think that anyone in AC spends time pouring over network logs. There is only one case that I know about where an employee was required to surrender computer files (for a lawsuit -- not even sure what the lawsuit was about).

Frank said...

There is no privacy on the interweb. If someone wanted to especially on a local network they can find out anything about a users on line habits. if one looks at the universities acceptable user policy, the UW reserves the right to monitor all traffic on its local net.
Tor, will only hide your local ip. With email one needs to use a program such as (pgp). Pgp is an encryption program. Gmail is also not private. If someone really wanted they can set up a packet sniffer and find your into. Most people loose their privacy via social engineering. A report just came out that estimates fully 25% of all pc's in the world are compromised and are being used as bots. One of the most well known hackers in the world “Kevin Mitnick was able to compromise systems by leaving a floppy in an office building marked “payroll .xcl”. A person would be curious, pop the disk in, and bingo Mitnick had access. I recommend that one should not get caught by social engineering which includes, emails with attachments. The way to make sure ones privacy is safe is to make sure that your local machine is running clean.

Lake Winneblogo said...

Thanks for all the comments. I went and installed TOR just for fun, so maybe and IT person will be coming by soon.

I hope they don't seize my computer. If they do, I might get something done!