Communications of the ACM

ACM News

Shrouding Oneself in Secrecy


A logo of the TOR project.

Identity cloaking tools were first developed to protect the privacy of Internet users, but now are being used to skirt cybersecurity and international law.

Credit: The Tor Project, Inc.

The ability to mask one’s identity online has gained attention in recent weeks since it was revealed the terrorists in the recent attacks in Paris used cybertools to communicate and keep their activities anonymous. France is now reportedly looking into banning the Tor browser, which lets users "defend against traffic analysis."

The original intent of cloaking tools was to help protect the privacy and identity of whistleblowers, political artists, and protestors within oppressive regimes or governments, says Christopher Wilder, senior analyst and practice lead for Cloud Services and Enterprise Software at analyst firm Moor Insights & Strategy. Identity-cloaking helps users avoid Internet traffic analysis and network surveillance, as well as providing the ability to mask business activities, state security, and other relationships, he says. "Unfortunately, cloaking tools/services are also being used by criminals, hackers, and terrorist organizations to skirt cybersecurity and international laws. Criminals and terrorist organizations are taking substantial steps to avoid detection — especially [their] physical location."

Yet identity cloaking services are not only being used to hide nefarious behaviors. Even before the Paris attacks, Internet users have become increasingly concerned about hiding their identities online.

"Customers are changing their behavior because they care passionately about privacy," according to the November 2015 Forrester Research report Predictions 2016: The Trust Imperative for Security & Risk Pros. The report found some 33% of U.S. online adults have canceled a transaction due to privacy concerns; "In response, forward-thinking security and risk professionals no longer treat privacy as an irksome regulatory requirement to fulfill at the lowest possible cost; instead, they champion privacy to build trusted customer relationships and drive business growth."

Identity cloaking, which most commonly involves using a third party as a "cloaking intermediary" to prevent sites from tracking you, has been around for a while, observes Jack Gold, founder and principal analyst at technology firm J.Gold Associates. Websites track visitors through their IP addresses and typically use that information for marketing and research purposes, but if you visit a site through an Internet Service Provider (ISP), your IP address "could lead [someone] back to my house," Gold says. "When you use an identity cloaking service and log in via your browser or phone to my site, then your browser will be connected to my site and it brings up a virtual browser and becomes your IP address. It becomes like a Dropbox system."

Gold suggests while it is hard to know just how many people use identity-cloaking tools and services, it is a relatively small number because consumers, for the most part, are not aware such technology exists. Meanwhile, deterrents and the people going after criminals leveraging Internet cloaking are growing, he believes. "There’s no such thing as 100% security, and the bad guys will find ways around it, and then the smart guys will find ways to catch up and stay one step ahead, if they can."

Explains Wilder, "The technology behind identity cloaking is a combination of a group of globally dispersed (proxy) servers that obfuscates internet traffic to bypass direct connections onto the Internet." Other relevant services include Secure Session Hosting (SSH) tunneling and Virtual Private Network (VPN) technologies.

Tor is the most well-known service for providing online anonymity, according to Wilder. Originally called The Onion Router, Tor was funded by the U.S. Naval Research Laboratory in the 1990s, reportedly to allow government officials to securely communicate on the open Internet without revealing their location. The U.S. government still spends a considerable amount on the search for cyber-criminals, and on resources in cyber-cloaking tools to stop identity theft and sophisticated Internet extortion scams, says Wilder. "From my experience in the intelligence community, investment in cloaking technologies will continue to be focused on expanding intelligence capabilities to break down criminal networks and expand information-sharing partnerships with governments, businesses, and universities."

Gold agrees the U.S. government funds identity-cloaking activities both secretly and openly, and research on identity cloaking is being done "on every [college] campus in the world … so it behooves the government to be involved in it."

The use of cloaking tools/services will increase, Wilder says, especially in countries where governments monitor Internet user activity and where hackers have free rein, although he adds the list of countries that are excluded (countries like Russia, China, and others "that have developed cottage industries and [are] turning their backs on hackers attacking foreign businesses, governments, and university networks") is growing smaller by the day.

"We expect to see more usage/adoption of cloaking tools in public Wi-Fi environments, public Internet, and company/university network environments," Wilder says. "Sophisticated users want to maintain some semblance of privacy online, and I anticipate Privacy as a Service models to gain traction in the near future."

Esther Shein is a freelance technology and business writer based in the Boston area.