When anonymous web access becomes business-critical, the web's favorite home remedies won't help. Worse, they can harm you and our organization.
A few weeks ago, I was speaking with a regional bank in the Southwestern United States, where the lack of anonymity online had jeopardized a recent investigation. The bank was doing online research necessary for them to comply with Bank Secrecy Act and Anti Money Laundering (BSA/AML) regulations.
A financial fraud analyst found incriminating evidence on the web page of a business she was investigating. Imagine her frustration when she went back the next day to collect that evidence, only to find it had been removed in the meantime. What happened?
The bank suspects that the subject of its investigation was tipped off to the analyst's research because web traffic from the bank was hitting the website of the investigated business.
This happens more often than one would think, as I've learned in conversations with other financial services firms before.
Having secure, fully anonymous web access would have kept the bank from tipping its hand in this instance. And lacking a solution to accommodate special web access for its analysts wasn't just jeopardizing the bank's investigations.
It also put the bank's internal IT security at risk, because BSA/AML analysts frequently need to access URLs that are considered "high risk" from a cybersecurity perspective.
Why Online Anonymity Is Crucial for Business
Banking is not the only sector with this problem. Law firms face similar challenges. Take practice groups that need anonymous browsing for conducting litigation support research, for example.
Ideally, law firms would have access to a setup where they can browse anonymously while gathering information for litigation support. The legal professionals commonly pushing for these setups do so because they need to conduct online research without getting blocked by their firm's URL filter. They also need to prevent their web activity getting traced back to the firm.
Compliance managers, financial intelligence units, and law firms conducting litigation research are not the only groups facing this challenge. Professionals in other fields depend on unrestricted, secure, anonymous web access on the job as well. Cyberfusion centers, corporate security departments, private investigators, and OSINT professionals also need this level of protection when accessing the web.
And just like leading financial services and law firms, they increasingly turn to a solution that has solved similar problems for federal agencies and the Department of Defense: accessing the web through a secure cloud browser.
Where Traditional Web Browsers Fail Your Business
What's wrong with using a regular browser for this purpose, you ask? Simply put, the "free" and supposedly "secure" mainstream browser betrays you. It's neither free nor secure.
You don't have to take my word for it. Check out https://sploit.io, a tool built to see what information is being broadcast about you when going online with a browser installed on your local computer or mobile device.
Did you know what kind of information local browsers such as Chrome, Firefox, Edge, and Safari share with the world? That data includes the browser's make and version number, your device's operating system, plugins you use, languages/fonts, your location…
All of these details, together with basic tracking code such as "cookies", can be used to create a unique fingerprint.
That information is frequently used to identify and target individual end users and whole organizations.
Think about it from a security perspective. This "oversharing" by the browser also exacerbates its built-in vulnerabilities. It enables attackers to exploit your browser extensions and plugin - including such that purport to protect you.
1,000 Tips for Anonymous Web Browsing
Anonymous browsing tools galore - will they really protect your team's anonymity when conducting business-critical research?
Yes, you can find thousands of blog posts and articles on "how to browse the web anonymously" on the web. And no, most don't provide a clear answer.
They suggest a wide variety of approaches, only to then end on a note along the lines of "this is about the best you can do, and you can never be 100% sure."
Did you end up more confused than when you started? Most of these how-to guides suggest a multi-step solution where several methods are combined to prevent your web activity from being traced back to you.
It seems as if the six most commonly suggested methods are imperfect at best:
- Switching to "private browsing" or "incognito mode"
...only prevents the browser from storing your web session's browsing history, cached web pages, or "cookies" locally.
Because the browser is still sharing your browsing history and other traceable details with your Internet Service Provider (ISP), your web activities remain vulnerable to snooping and are neither anonymous nor private. Let's move on.
- Accessing the web through a Virtual Private Network (VPN)
...protects you when using public WiFi, because it encrypts the connection and makes it harder for attackers to intercept internet traffic. Still, VPN services don't fully anonymize your web activity.
VPN also does not protect against web-borne exploits, such as spyware infections, and can make larger organizations more vulnerable. And it often is slooow - but you likely knew that already.
Misconceptions about VPN are widespread even among IT professionals. If you're considering it to ensure anonymity and non-attribution for web investigations, I recommend reading this Authentic8 whitepaper about VPN [PDF] first.
- Using a proxy service
...hides your originating IP address from websites when going online. It doesn't protect users against tracking code or malware fingerprinting. Depending on the vendor that runs the proxy server, your IP address and web requests may be stored and sold to third parties who aggregate such data. Feeling anonymous yet?
- Installing browser-based anonymity or privacy tools
…can shield your online activities to a limited degree from tracking or malvertising on the local browser. Paradoxically, such browser extensions also can make it easier for third parties to find out who you are, what you're up to, or to launch an attack.
Another downside is that plugins also compound the inherent vulnerabilities of the local browser, especially in business IT environments.
Browser plugin user data can be sold to third parties and used for deanonymization. Attackers frequently hijack plugin developer accounts to push malicious "updates" for add-ons. Are you willing to take that risk?
- Using "privacy browsers"
…won't fully anonymize your web sessions either. Most of these "secure" browsers are derivatives of popular traditional browsers that are tweaked to enhance online privacy protections.
That means they still process - potentially dangerous - web code on your local machine and don't provide professional-grade anonymity.
They have been outlawed in some countries and too often get blocked by certain web services. This makes them even less viable for professionals with the need for conducting anonymous web research while abroad.
- Avoiding public WiFi
….is also a - surprisingly common - suggestion. So we're supposed to cease work when out and about, at the airport, at a coffee shop, or when connecting from the home office? Seriously?
To be fair - some of these methods can be useful for browsing mostly anonymously, as long as we keep in mind that none of them were built for this specific purpose. For business-critical and compliance-relevant use cases, however, cobbling together a mingle-mangle of tools that keep you mostly anonymous isn't enough.
In the age of remote work, enabling secure, anonymous web access becomes ever more important, because IT doesn't always control the network or machine employees and contractors are connecting from.
Needed: Commercial-Strength Online Anonymity
The different methods and tools listed above may explain why almost every commercial organization I encounter has developed its own approach to achieving secure and anonymous web access.
When they first recognize the need to better protect their analysts, researchers and investigators online, and don't realize there's a service available to accommodate them, companies often set out to build their own.
The most common approach is to create a separate "non-attribution" network with dedicated endpoints for web research that are isolated from the main corporate network. I've heard these solutions being called "dark rooms", "kiosks" and "dirty boxes", among others.
The "dirty" method has some serious drawbacks. Those who have gone down this path tell me about complicated setup, configuration, and post-mission cleanup requirements that impede their investigations.
This "build-your-own" approach to creating a platform for anonymous online research, it turns out, is time-consuming, expensive, and requires constant maintenance.
Anonymous Web Access Made Easy and Cost-Efficient
We've covered why anonymous web access is often critical for professional web investigations. We looked at what stands in the way (the local browser). We examined the methods and tools used to make it happen anyway (often unsuccessfully). We found severe problems with these approaches.
So by now, you might ask: Is there a better way?
How about one click-access to secure, fully anonymous web browsing as-a-service?
If you want a simple solution that works, without any of the deficiencies, risks, and extra costs associated with the DYI approach, use a cloud browser.
Web isolation with Authentic8's Silo Cloud Browser precludes attribution and exposure to trackers and malware by handling all web content in an isolated cloud container on Authentic8's global server network.
With Silo and Silo Research Toolbox, our platform for professional OSINT analysts, fraud researchers, investigators, and threat hunters, all content is processed and downloaded remotely. No code from the web can touch your computer or network. Web servers are presented only with the disposable cloud browser's IP address, not yours.
Using Silo, you interact with visual display information transmitted back from the cloud instead. You won't notice a difference, because Silo provides the same rich browsing experience you are accustomed to from your local browser. (Silo may be faster.)
Silo provides secure, non-attributed web sessions on demand. No more asking IT for web filter exceptions. No more complicated and costly "dirty box" or "dirty network" setups and cleanups. And no more crossing your fingers, hoping that the patchwork of solutions you've cobbled together is really keeping your team anonymous.
Because, to quote Green Bay Packers coach Vince Lombardi: "Hope is not a strategy."