Wouldn't using Starbucks Wifi make me somewhat anonymous since my IP address would be the same as other users connected to the same network? Therefore, no need to use a VPN assuming I don't want the website I'm connected to to know my identity. Of course, the website can figure out who I am assuming my browser fingerprint is unique. However, assuming I change my browser fingerprint every session, then I should be fine. Correct?
- The last time I connected to Starbucks Wifi in the US, they asked for my email address and ZIP code. This doesn't seem very anonymous (though of course one could just fake the info). – Michael Hampton Jun 18 '20 at 20:47
- @MichaelHampton not anonymous to the network, but anonymous (or somewhat given the IP is the same as many other users) to the websites one visits. – Tim Jun 18 '20 at 20:54
- VPN does not make you anonymous! Do not fall into a false sense of security. – Davor Jun 19 '20 at 09:27
- Using the same VPN from different hot-spots would actually be a way to be fingerprinted. – Kaz Jun 19 '20 at 14:19
4 Answers
Your scenario falls under one of the major use cases of a VPN, which is to protect yourself from untrustworthy public Wi-Fi hotspots. Other use cases include overcoming geographic restrictions when it comes to streaming and accessing certain websites.
The most fundamental selling point of a VPN is to allow access to the public internet using a private connection.
"somewhat anonymous since my IP address would be the same as other users connected to the same network?"
'Somewhat' is right, but having a different IP address does not mean that your identity & connection are secured. As you've mentioned that there are other users on the same network, that alone nullifies the anonymity that you are trying to achieve.
Anonymity should be the least of your worries; I'm more concerned about this from a security standpoint.
- As a bonus, while the IP of the coffee shop may not lead back to you directly, it can instead lead to the physical location, which can be just as bad depending on your threat model. – ave Jun 19 '20 at 01:18
- @vsz And anonymity would be hard to achieve without security. They are interwoven concepts. – mallocation Jun 19 '20 at 04:35
- @mallocation: why so? What if someone wants to post a political opinion in a location where it is illegal or dangerous to do so? With a computer which isn't used for any banking and no personal information is stored on it (basically a laptop which is used solely for this purpose), or by using a virtual machine, security problems can be eliminated or at least greatly reduced. But if done from home, your IP might lead to some nice men with guns showing up at your doorstep. – vsz Jun 19 '20 at 04:42
- Ensure security does not come from our individual homes. You can be out & about and yet still obtain both security & anonymity. – mallocation Jun 19 '20 at 04:48
- Anonymity can be compromised at the Starbucks wifi, depending on the resources of the adversary. If "anonymous poster 777777564" criticizes a totalitarian government from Starbucks IP with strong correlation to the times Joe Blow is seen on his laptop there, he is eventually going to be positively ID'd. The VPN is resistant to this as long as the VPN is not cooperative with the adversary. – WDS Jun 19 '20 at 05:01
- VPNs are for securing a segment of a network (the P in VPN), not for anonymity. That's an unverified marketing claim from VPN vendors. There is no built-in mechanism for anonymity in VPNs, unlike TOR. You are basically using them as a proxy or a jump host. But contrary to, say, a hacked jump host, VPN providers surely do keep logs of your activity. Plus they have your e-mail and so on. Do you really think that a small business will keep the secret when the feds knock at their door for terrorism or child porn? Commercial VPNs are useful only to connect from a given country. – Margaret Bloom Jun 19 '20 at 08:07
- Sneaking into someone else's connection is probably more anonymous than registering a VPN account. – Margaret Bloom Jun 19 '20 at 08:08
- I know public networks are "insecure" in the sense that everyone can see the data you are sending/receiving, but if everything is over HTTPS, what types of attacks should you actually be concerned about? – twiz Jun 19 '20 at 21:44
- @vsz a series of timestamps plus the IP of the coffee shop leads to a breach of anonymity by requesting security cam footage and finding the person who was in the coffee shop at these particular times. – Peteris Jun 21 '20 at 00:28
"mallocation" gave a good answer.
I would add a few words about anonymity.
A VPN will hide your real IP. But from the point of view of anonymity that's all. Unfortunately, browsers reveal way too much information to the web sites, and in most cases you cannot prevent the JavaScript in your browser from communicating with their backends and sending your identifying info to them (blocking some requests often makes web sites stop functioning).
There are some browser extensions that can fake some parameters used for fingerprinting like user agent string or canvas fingerprint. But other things remain visible to web sites without any changes, like:
- language: ~1 bit
- HTTP accept headers: ~2 bits
- timezone: ~6 bits
- system fonts: ~10 bits
- screen size and color depth: ~5 bits
- WebGL vendor & renderer: ~12 bits
These parameters give 36 bits of info. This is sufficient to uniquely identify ~70 000 000 000 devices, which is ~10 times more than the world population. If you add the WebGL fingerprint (~14 bits), which is much harder to fake than the canvas fingerprint, and the audio context fingerprint (~8 bits), which is also hard to fake, there will be even more identifying information, ~58 bits. And there are further parameters.
Client identification in the more reliable solutions can be more complicated than a straightforward calculation of a single fingerprint number. So faking one or two parameters will not really help to disguise you from the tracking web site.
TLDR
If some site can afford state-of-the-art fingerprinting, with very high probability they will identify you uniquely even when you are using a VPN.
Update
The commenters below are right. The number of 70 000 000 000 devices is not quite correct. We should take into account that some combinations of parameters occur much more often than others. For instance, the vast majority of users with Italian language are located in the timezone CET. That's why knowing that the language is Italian and the timezone is CET gives not much more information than knowing only that the language is Italian. Timezone data gives almost no additional information in such a case.
If we look at Panopticlick, we will see that clearly. The formal sum of identifying information can give 70 - 80 bits, whereas, taking into account the frequency of their combinations, they all together can give only 16 - 18 bits.
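The gap between the "formal sum" of bits and the real identifying information described in the update can be reproduced on a small data set. The following is an added example, not part of the original answer; the population counts and attribute values are constructed for illustration. It compares the sum of per-attribute entropies with the joint entropy, and shows how many bits a rare combination reveals.

```python
import math
from collections import Counter

# Constructed sample: (language, timezone, screen) -> number of browsers.
# Counts are invented for illustration, not measured data.
POPULATION = {
    ("it", "CET", "1920x1080"): 400,
    ("it", "CET", "1366x768"): 200,
    ("de", "CET", "1920x1080"): 300,
    ("de", "CET", "1366x768"): 100,
    ("en", "EST", "1920x1080"): 500,
    ("en", "EST", "1366x768"): 300,
    ("en", "PST", "1920x1080"): 150,
    ("en", "CET", "1920x1080"): 49,
    ("ca", "VLAT", "1920x1080"): 1,  # odd pairing, as a spoofed value might produce
}
ATTRS = ("language", "timezone", "screen")


def entropy(counts):
    """Shannon entropy in bits of a mapping value -> count."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def marginal_entropies(population):
    """Entropy of each attribute taken on its own (the 'formal sum' terms)."""
    result = {}
    for i, name in enumerate(ATTRS):
        counts = Counter()
        for combo, n in population.items():
            counts[combo[i]] += n
        result[name] = entropy(counts)
    return result


def joint_entropy(population):
    """Entropy of the combined fingerprint; correlations make it smaller."""
    return entropy(population)


def surprisal(population, combo):
    """Bits revealed by one specific fingerprint: -log2 of its share."""
    return -math.log2(population[combo] / sum(population.values()))


if __name__ == "__main__":
    m = marginal_entropies(POPULATION)
    print(m, sum(m.values()), joint_entropy(POPULATION))
```

On this sample the per-attribute entropies add up to about 3.7 bits while the joint entropy is about 2.75 bits, and the single Catalan/Vladivostok record carries about 11 bits on its own against 2 bits for the most common combination.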
- How is timezone 6 bits? There are no 64 different TZs on Earth. – Violet Giraffe Jun 18 '20 at 19:14
- There are 37 timezones, according to https://www.timeanddate.com/time/current-number-time-zones.html. This is 5.2 bits. – Roger Lipscombe Jun 18 '20 at 19:18
- 70 billion is an exaggeration, as you're not considering the clustering of this data. The vast majority of non-power users use [nation] language+timezone+fonts (~8 bits of nations+timezones), 1920x1080x8 (0 bits), and Chrome or Edge (1 bit). That's why browser fingerprinting is so important. – Therac Jun 18 '20 at 19:37
- https://panopticlick.eff.org/ is probably the best known tool for testing how unique your browser appears to web servers. Once it completes, press the "Show full results for fingerprinting" link – CSM Jun 18 '20 at 20:24
- @CSM: If you noticed, I used the fingerprinting wording from panopticlick. I don't understand if you want to add or to change anything. What is the purpose of your comment? – mentallurg Jun 18 '20 at 20:28
- how can language be conveyed by one bit, which is equivalent to a flag (yes/no)? – Klaycon Jun 18 '20 at 22:25
- @ZOMVID-20 And that's why sending do-not-track header actually helps them track you lol – Captain Man Jun 18 '20 at 22:46
- There are a lot of boundary conditions and grouping that can be done which is not mentioned in your working here; it's far from 7E10 devices – LTPCGO Jun 19 '20 at 16:47
- Good update, and nice example; upvoted. Interestingly, in your original miscomment what you have illustrated is the exact reason why faking your fingerprint can be a bad idea - a user reporting Catalonian language in an East Russian timezone is going to be pretty unique! It's not even necessarily correct to simply take the most common answer seen in Panopticlick as that combination may not be most unique. – LTPCGO Jun 19 '20 at 22:26
- @LTPCGO: Thank you for pointing out about 70 000 ... :) With faking I meant following. A naive fingerprinting algorithm will just take every parameter available in particular browser. Thus, if someone fakes the canvas fingerprint, it will give much information and can make browser unique. For the user this is good. Because in the next session (or next day, or next hour) the canvas fingerprint can be again different. Thus the web site will not be able to match user requests across many days or weeks... Looks good... But... – mentallurg Jun 19 '20 at 22:35
- @LTPCGO: ... But knowing this, a good fingerprinting algorithm may exclude some parameters completely. The same with agent string. If it is real, it is a valuable information. If it is faked, this may lead to incorrect results. That's why reliable fingerprinting is not as easy as it may appear to be. Nevertheless, all modern browsers that I know reveal way too much information about the user. – mentallurg Jun 19 '20 at 22:42
- Relevant to the point about browser fingerprinting: consider https://www.amiunique.org/ – bytepusher Jun 20 '20 at 13:00
Depending on what you are talking about when you say VPN, you may very well have less anonymity if you use it.
The only thing that changes is the IP address (fingerprinting is unaffected, cookies and local storage, all the same).
Actually, VPN only means you make a connection to another network via some sort of presumably secure protocol (there's different ones, which differ in how secure they are, too). Which means that the IP address is now the IP address of your VPN server, which is either in your home (as is the case with me, for example), or some server that you have rented. In either case, you are a lot less anonymous than "someone at Starbucks".
Now, recently (2-3 years), VPN also refers to "pay some mildly trustworthy company", usually under the promise of being better in every way, super secure, and protecting you from hackers and viruses, and if you drink it, it will probably cure COVID, too. The way they do what they call "VPN", they're actually much more like a transparent proxy. With encryption, yay.
Sometimes you need an app on your device, sometimes not, implementations differ. Sometimes it's "free", too. Although do note that "free" is usually what's most expensive.
While this kind of VPN indeed has the advantage that the webserver now no longer identifies you as an individual (although thanks to sites sharing tracking data and fingerprints, it very well might, anyway), the disadvantage is that all your traffic goes through an at least not-very-trustworthy, and sometimes not-trustworthy-at-all party. If nothing else, that party now knows which sites you connect to (they might, too, be able to do a man-in-the-middle, if they insert a proper certificate).
There are also some other disadvantages such as latency, encapsulation overhead and such, but they're irrelevant to most people.
Now the question is, how much anonymity does a non-criminal, non-terrorist person reasonably need?
For me, the anonymity that I get from using NextDNS on the mobile phone (and Pihole at home) which blocks >99% of all trackers, beacons, pixel junk, and what you call them, and at the same time eliminates 90% of all ads, including the annoying ones on this site and on youtube... is, well... just good enough!
As long as youtube doesn't recommend to me things related to what I had been watching on Amazon Fire TV the day before and as long as Amazon on a freshly installed never-run Ubuntu system doesn't offer me things related to something that I searched on Google on a different device the day before (believe it or not, I've actually had this happen some years ago, that was the reason to start using Pihole), all is good. Enough anonymity.
There's things you can do, and things you can't defend against anyway. With 1% of the effort you can get 99% of the result.
- I would like to argue there are good 'vpn' (I like your definitions much better) providers out there - I can't recommend one... but I'm sure at least some are doing this well and actually providing real world benefits to security and anonymity. That being said +1 for the NextDNS and Pihole suggestions. – TCooper Jun 19 '20 at 00:24
- "Now the question is, how much anonymity does a non-criminal, non-terrorist person reasonably need?" That's entirely subjective. That which is entirely legal in one country might get you shot by the secret service in another. Besides, "privacy"="hiding from government" is just pro-surveillance propaganda. It's off topic, the question is a technical one. – Rodney Jun 21 '20 at 10:43
First, all the currently existing answers are generally correct as far as I'm concerned.
Using the Starbucks (or some other free wifi), you will be "anonymous", as in, the IP address alone cannot be traced back to you.
Then, your browser will send cookies. Those cookies might link to a Facebook profile or other things. On top, as another answer pointed out, you are subject to browser fingerprinting.
And as has been outlined, you might be found out by correlation. It will be easy to find the location (Starbucks), and the time. Is there CCTV? Did you pay by credit card or another traceable means (iow, use cash)? And Starbucks might keep logs, so you also would want to change the MAC address of your adapter. There might be some MAC <=> owner link possible (if you're say an Apple customer, do they associate the serial number of your machine with you? And for each machine, do they have the MAC address?). Did you have a mobile phone? Was it on? Does it have wifi on? Did someone log the fact that Friday at 14:00 in Starbucks, some phone pinged for a wifi network "JOHN_SMITH_HOME"?
So yes, you will be anonymous, from an IP point of view. Achieving practical anonymity is different. Using a VPN should provide you an extra layer, and they usually state they don't keep logs, but I'm pretty sure history has proven the contrary in at least one case. It then comes down to how much you trust the VPN provider.
Last, there is TOR. If using TOR browser, you get also the advantage that it drastically reduces the size of your fingerprint. There are attacks against TOR (correlation attacks), but they don't strike me as applying to your case.
Now that is covered, there's the extra thing about the content. A few ways to identify people by content:
- EXIF tags in pictures.
- More advanced: if this is text, identifying you by the way you use the language. This is not a reverse search, as in, "oh, here's a text, tell us who wrote it", but rather a "hey, here's a text, here are texts from these 10 individuals, tell us who's the most likely to have written the first piece".
- There may be ways to link a picture to a specific camera (Facebook has a patent about it, that doesn't mean they are able to do it... that doesn't mean either someone else is not able to do it).
- In very specific scenarios, assuming you're typing some post online AND what you type is sent letter by letter, your typing patterns could be matched to you. Like the one about language, I'm not aware of any global database that for a pattern gives you a list of people that would match it, but given a list of "suspects", that helps narrowing down. (Note: you can work around that one by typing the text in some trusted place, like an offline app, and then just copy/paste... That said, I'm not aware of any website actively doing this type of analysis.)
And I might have missed some methods ;)