Economic Privacy

Your IP Address

Tyrone Tuesday June 24, 2014

One of the key aspects of browsing the Internet is the Internet Protocol number, or IP address. In your use of the Internet, you are assigned by your Internet service provider an IP address, which is a number that represents the computer or workstation or mobile device that you are using. That number shows up in the e-mails you send, the web page requests you send, and in other ways. So, it can be very important.

Understanding your IP address is a first step in safeguarding your privacy, just as understanding encryption. You should also make yourself aware of methods for masking, obscuring, or changing your IP address through the use of proxy servers, the onion router (TOR), and virtual privacy networks (VPNs).

The current standard for an IP address is sometimes called a "dotted quad." It is four numbers, each between zero and 255, separated by dots or periods. For example, an IP address might look like this one: or like this one However, quite a few addresses in the 32-bit space defined by this system are reserved, so there are quite a lot fewer than the roughly 4.3 billion addresses implied in the figure two raised to the power 32. About 18 million addresses are reserved for private networks and about 270 million addresses are reserved for multicast network services (such as Ethernet multicast). There are therefore about four billion addresses available to general users. You may have difficulty imagining the world in 1981, when the current standard was established in its present form.

Even so, there are increasing difficulties with the current standard, called IP version 4 or just IPv4. It has been seen since at least 1995 that a new system would be needed. The new system uses a larger character set, called hexa-decimal. It also uses eight groups of four numbers, separated by colons. The hexadecimal character set is sixteen characters, the numbers from zero to nine plus the letters from A to F. Programmers will be familiar with the hexadecimal character set, including its use in defining colours in the RGB (red-green-blue) scheme. Non-programmers may be less familiar with it, but will be glad to know that in replacing IPv4, the new system, IP version 6 or just IPv6 has a much bigger address space.

Here is a typical IPv6 address: 2001:0db8:85f3:0042:1000:8a2e:0370:7334 Notice that it includes letters, it includes numbers, there are eight groups in the system, and the groups (each of four characters) are separated by colons. Because there are more characters in hexadecimal compared to the numerals from zero to 255, because there are four characters in each group, and because there are eight groups, the total address space is the figure two raised to the power 128.

In scientific notation that number is 3.4 times ten to the power 38. In the United States, the number ten to the power 9 is a billion, ten to the power 12 is a trillion, ten to the power 15 is quadrillion, ten to the power 18 is a quintillion, and so forth. That system of naming gives ten to the power 33 the name "one decillion" and the number ten to the power 36 "one undecillion" or "eleven -illion" if you would. Therefore ten to the power 38 is one hundred undecillion.

You can simply think of it as a really big number, written out with 38 zeroes. Another way of looking at this really big number is to compare it to other big values, such as the number of atoms on the surface of the Earth. In the IPv6 system, there would be about 40,000 addresses for every atom on Earth. So, it should be good for a few years of continued exponential growth of Internet traffic.

The use of your IP address in e-mail is embedded in message "headers" which are not normally viewed. Most web-mail programs and nearly all e-mail client programs will typically trim the headers to the ones you really care about, such as To:, From:, Subject:, and Date:, and CC:. In order to function, the e-mail client you use has to include a number of other headers. These may be viewed in some e-mail programs using "view..full headers" or a similar command.

Here is the content of an e-mail header called "Received," one of three such headers of that same name in a message I received. It says, "from blu002.domainA.com ( by smtp.domainB.com with ESMTPS (AES128-SHA encrypted); 21 May 2014 04:01:18 -0000" which tells us that a server at domainA with an IP address sent a message to the "send mail transfer protocol" or smtp server at domainB using a standard electronic-send-mail transfer protocol system, including a certain amount of encryption, at a given date. In other words, where the message came from can be traced back. A check of the logs at domainA will give further information about which client computer sent the message, and a look at the data kept by the Internet service provider can tell the physical location of the computer that sent the original message. Which means, whether you are using web-mail or an e-mail client, a determined person can figure out where your computer is located.

That's not really good news for your privacy. Similarly, when your computer sends out a request for a web page to a web server it has to tell that web server where to send the images and text of the relevant web page that is being requested. Your computer does that using the IP address assigned to your computer by your Internet service provider. So, whoever is sending your computer information, whether by e-mail or by web, can know quite a bit about your computer and, thus, you.

Your IP address was assigned to a regional authority by the Internet Assigned Numbers Authority or IANA. The five regional internet registries allocate blocks of IP addresses to local Internet service providers (ISPs) and other entities. That means that the number your computer has been assigned probably has a regional, as well as a local, association. Your geography can be tracked, along with what ISP you are using, to give web site owners a good sense of where you are and what kind of income you have.

But, it gets worse. You are probably aware that web sites store information on your computer called "cookies." These can be useful for identifying your computer as one that is "authorized" or at least familiar when you log into a site. If the computer logging into your account has never done so before, there is a greater chance that it is not being used by you, but by some person posing as you. So, many sites will pose security questions when that happens. How do they know? The web site looks for a cookie or other data stored on your computer by the site when you access it. And a whole lot of information may be stored in that cookie.

And, it continues to get worse. You may have been attracted to web sites called "social media" outlets. As far back as the early 21st Century there were sites like MySpace. More recently, Facebook has been a dominant site in this area, along with Twitter, LinkedIn, and others. These are a sort of "attractive nuisance" or "honey pot" which encourages you to post information about yourself, about your current activities, about your likes and dislikes. A huge amount of information about who you are and what you would like to buy on your next shopping trip are now available to advertisers, and the best part for Facebook is, you probably told them all these facts about you for free. In the old days, marketing professionals spent millions of dollars a year on studies to survey users, find out their preferences, and comb through the data they had accumulated to perform statistical analyses and figure out what to sell, in what range of colours, and at what prices. Today, much of that information is bought out of social media sites, often without your knowledge.

Not, of course, without your consent, because you are given a copy of Facebook's privacy policy, user agreement, and so forth, when you start an account there. There was definitely a link to that information available to you on signing up, and it is still there every time you log into your account. And you read all that stuff, right? And your lawyers reviewed these agreements, so you entered into them knowingly, right? Of course not. Nobody reads that stuff, and it is silly to imagine that you have given meaningful consent to what is in those agreements. But it is "good enough" consent for Facebook to sell a whole bunch of information, and to sell the right to put advertisements in front of you, to various folks who market things. Worse, and, yes, it does continue to get worse, the information you give to Facebook is almost certainly being sold to various government agencies in various countries, including defence, intelligence, and tax agencies. Doesn't that make you nervous?

In other words, when you visit web sites, when you send e-mail, and when you use social media, you are providing a huge amount of information on you. You are sending your private information out into the world, and you have utterly no control over who uses that information.

Yes, it continues to get worse. If you are in certain countries, such as the People's Republic of China, the information you receive may be monitored and censored before it reaches you. You may not have direct access to certain web sites. You may not have any access to some sites. And, some web sites will discriminate on what information they send you based on your IP address and what they think that means. That can be simple, from changing the language the site is shown in, to complex, changing actual content and keeping you from seeing some news and information.

Feeling uncomfortable? There is good news. The good news is that you can hide some of your information, if you are careful.

In our first overview piece on encryption, we encouraged you to get and use encryption. It turns out that only about a third of users who encounter encryption tools are able to figure them out in 90 minutes or less. (A link on that topic here: http://www.cs.berkeley.edu/~tygar/papers/Why_Johnny_Cant_Encrypt/OReilly.pdf ) So, we aren't saying that guarding your privacy is easy, nor user-friendly. But we are saying that it can be done.

Similarly, you can hide your location information by using a different IP address. That can be helpful to you, and it can cause a number of odd things to happen. You can change your IP address using a proxy server, the onion router (TOR), or using a virtual privacy network. For a great many reasons, the best approach is to use a virtual privacy network or VPN.

A proxy server is a server, typically a web server, that you access which then does the work of asking for web pages. If you want to experience the world as if you were living in Israel, there are proxy servers in Israel that you can access. They will request web pages for you, so that the web server thinks it is sending a page to a client in Israel.

That means that, for example, Google, if it has a separate approach to serving Israeli customers, will show up with a "Google Israel" logo on your screen. Kinda cool. Google definitely does that for Germany, France, and other places, and it will default to using the languages for those countries. So if you only speak and read English, you might find the results confusing. That's ok, though, because Google offers translation services, so that wherever you are accessing their sites from, the results show up in your preferred language. Google is one of those sites that keeps cookies on your computer, and will guess which language you are most comfortable using. Sites like translate.google.com (among a great many others) also allow you to translate foreign language web sites, but that can be more confusing than helpful unless you are very familiar with the way translation sites generate their output - and not all translations are "idiomatic" in the languages involved. So you might come away with some very wrong ideas, fair warning.

Proxy servers are inherently limited, though, to the server you choose. If you choose to use a server as a proxy that happens to be run by some party that wants to gather information on their users, such as an espionage agency, you are compromised by using that particular proxy. Proxy servers come and go, and some offer more anonymity than others. But, whatever proxy server you use, you are trusting that particular server's operator to be doing "the right thing." That might not be a safe bet.

The onion router or TOR is a different beast. TOR client software routes Internet traffic through a worldwide volunteer network of servers in order to conceal a user's location or usage from someone conducting network surveillance or traffic analysis. "Onion routing" refers to the layered nature of the encryption service: The original data are encrypted and re-encrypted multiple times, then sent through successive TOR relays, each one of which decrypts a "layer" of encryption before passing the data on to the next relay and ultimately the destination. This approach should reduce the danger of the original data being unscrambled or understood in transit.

Unfortunately, there are a bunch of problems with TOR. Probably the most difficult problem is that the exit node, where the onion routing ends and the node communicates with a particular server that is generating actual content, has a lot of information. Any exit node has access to all the information sent to it by unsecured applications. So, if the web site you are accessing is not using Secure Sockets Layer or Transport Layer Security, the information being passed to that site, such as log-in information, would be compromised to whoever is operating the exit node. It turns out that there are good reasons to think that some big players, including possibly intelligence agencies of various governments, are operating exit nodes and gathering data. Beyond exit node eavesdropping, there are quite a few other identifiable weaknesses to TOR, such as Autonomous System eavesdropping, traffic-analysis attack, TOR exit node block, bad apple attack, IP address leak through the use of certain TOR protocols, a sniper attack, and a weakness associated with the Heartbleed bug.

Among other concerns that come to mind, TOR is endorsed as the best possible methodology for Internet privacy by the USA's National Security Agency. And as Edward Snowden has proved, those people cannot be trusted.

So we come to the Virtual Privacy Network. You'll find that a VPN works very differently in that you use its software to connect to the Internet for your entire system. In other words, it is not separate for your web browser, as a proxy server would be. Everything you do with the Internet goes from your Internet service provider to the VPN provider. Everything on that channel or path is encrypted. So you are much less likely to have things compromised. You don't have a network of TOR nodes to trust, and you don't have to wonder about the exit node provider. You do, of course, have to choose a VPN provider with some care, but once that choice is made, everything you do on the Internet is much harder to track.

A VPN is created by establishing a virtual point-to-point connection through the use of a dedicated network of connections, virtual tunneling protocols, or traffic encryptions. To safeguard your private information, VPNs typically allow only authenticated remote access and make use of encryption techniques. Even if the VPN's traffic is examined at the packet level an attacker would only see encrypted data. VPNs use sender authentication to prevent unauthorised access, including by intermediaries. Message integrity is used to detect any tampering with transmitted messages.

For a great many reasons, an encrypted point-to-point connection or VPN is the most secure way to communicate privately. There are VPNs that make it very difficult to establish where the servers they host are located, so-called "location agnostic" servers. So, even if the information hosted on those servers is "banned" in some way that would be recognised by local authorities, it may be impossible to establish which jurisdiction is relevant to effect an actual seizure of those servers.

We have touched on a number of issues that are not necessarily obvious in your search for economic privacy. If you have been using a computer to browse the web, log into sites, and search on major search engines, it may only do you limited good to connect that computer to a VPN. The cookies and logged information about your computer may still expose your privacy. You might do better to start with a completely new computer, or completely re-install everything to your computer starting from a formatted hard drive. We'll get into more information about how web sites you visit collect data about your computer and how those sites store information on your computer in another posting on this blog.

Also for another day is the issue of connecting to the Internet using a mobile device. Wireless networking is very useful. It provides you with network access in all kinds of situations that used to be zones of information darkness. However, your mobile device may not be connecting to the Internet using a wireless connection to a router. It may also connect using your cell phone provider's network of towers. So, rather than having an IP address to uniquely identify your device, other information, such as the media access control (MAC) address for your device. In other words, your use of a VPN for "secure browsing" may be ineffective if you use a mobile device that isn't using a router that actually connects to your VPN. And, your mobile device (or, indeed, any computer workstation) may be identifiable by other information. We'll do our best to explain the how and why of computer privacy.

Is it easy to be free, private, autonomous, anonymous-when-you-wish, and independent? No, it is not easy. Is it possible? Yes, definitely. Is it worth the effort? Only you can establish the value of your privacy against the value of your time. We think it is very worthwhile.

"There's a difference between us. You think the people of this country exist to provide you with position. I think your position exists to provide those people with freedom. And I go to make sure that they have it. ... One day, you'll be a queen. And you must open your eyes. You tell your king that William Wallace will not be ruled... and nor will any Scot while I live." ~ "Braveheart," film, 1995