Pages

Thursday, 11 April 2013

Anonymity, Privacy, Whistle Blowing and the use of Internet

Please see disclaimer at the end of the write up - by accessing this page and reading this blog you agree to the disclaimer.


There are two major topics that are really exercising the healthcare fraternity in the UK these days. First is whistle blowing and the second is the GMC's new social media guidance for doctors. It is very frustrating that at a time when we should be encouraging whistle-blowing including anonymously if needed and the department of health seemed to have banned gagging orders, we are also presented with what might look to some, as one mass gagging order for all doctors. The message from the top is mixed and hence confusing.

Whistle blowing is to report wrong doing to someone who has authority to do something about it. UK government has advice for whistle blowers ( https://www.gov.uk/whistleblowing/overview )The NHS supports raising concerns ( http://www.nhsemployers.org/employmentpolicyandpractice/ukemploymentpractice/raisingconcerns/pages/whistleblowing.aspx ) The GMC obliges doctors to raise concerns ( http://www.gmc-uk.org/guidance/ethical_guidance/raising_concerns.asp )

Please do your very best not to post or whistle blow anonymously. Please develop the strength and courage to use your own name and then report the facts and evidence that concerns you. Anonymous whistle-blowers are generally not taken seriously ( http://www.sciencedaily.com/releases/2010/07/100712102810.htm ). The latest GMC guidance on social media says that ''If you identify yourself as a doctor in publicly accessible social media, you should also identify yourself by name'' - so if you are a doctor and talking medicine in social media you must use your own name.

Having said that it is also possible that some may be in such a vulnerable position or the impact of whistle blowing or otherwise writing non-anonymously will have a permanent and disproportionate effect on your life, then it is obviously important to protect your privacy and anonymity. You may also want to take steps to ensure that you are not ignored.

I personally feel that anonymity gives a voice to the voiceless and the weak; I wish those who are reading this are not weak and hence do not have to follow any of the methods in this blog. But for those who are forced into anonymity, what follows are methods to increase your privacy and anonymity while using the web.

For a lay person this is a basic explanation of how the internet thing works.

Your computer uses a particular piece of hardware to connect to the internet. That hardware identifies itself to your internet provider using a MAC number and connects to the internet. Then you open a browser (e.g. Mozilla Firefox, Google Chrome) and you start searching or browsing. Your internet provider (ISP) will know which websites you are visiting and emails you are sending though they may not choose to find out the actual contents of what you do in those websites or what you write in your emails. Your ISP then routes your requests to the website that you want to visit and the website you visit could fairly simply find out a lot about you.

So, for anyone using the internet it is quite easy with the right resources to identify more or less precisely who you are, what you did and where you did that from.

If you wanted to make it difficult for people to identify you a few steps could enable that (though with huge governmental resources normally reserved for high impact criminal activity, anyone can be tracked down).

Step 1
Use an Open public wi-fi network such as in shopping malls, coffee shops, etc where no log-in was needed to access the internet. You can use your own internet connection (at home, etc) but your ISP will know that you are accessing a particular service regularly (the service being the Tor network described in Step 3)

Step 2
Use software that can change the MAC number by which your computer talks to your ISP or to the open public wi-fi provider. You can change this every time you access the internet. By doing this the ISP will not be able to identify your computer specifically.
MAC spoofer (http://www.online-tech-tips.com/computer-tips/how-to-change-mac-address/ or http://www.technitium.com/tmac/index.html )

Step 3
This is the most important step. Use the Tor browser bundle.

Using the Tor browser would mean that the information that you send from your computer into the internet is encrypted and thus cannot be read on the way. Tor system then routes your communication (emails, browser requests, etc) through at least three computers with encryption. The communication then exits the Tor network to your destination but at that point it is not encrypted and hence can be captured and read but that will not identify you as the sender by revealing your computer and net details if you have not explicitly identified yourself in the communication. So you could send communication from India to USA and it will be very very difficult to identify your specific computer.

Tor browser ( https://www.torproject.org/projects/torbrowser.html.en )

When using the Tor browser use do not open attachments, do not send attachments (unless you are an expert in internet anonymity), do not open additional programs within Tor browser or when Tor browser is in use. Find out more about Tor ( http://en.wikipedia.org/wiki/Tor_%28anonymity_network%29 )

Step 4

Even within the Tor browser if you are searching, use a search engine such as Duck Duck Go  https://duckduckgo.com/
who unlike conventional search engines do not track you or otherwise want to know too much about you.

So far it is about anonymity on the net.

You will still need to make sure that you do not reveal yourself. Hence you should not be using your own regular email id, if you want anonymity or privacy. So.....

Step 5

Open a new account using any of the regular email providers (e.g. Yahoo!, Hotmail, Gmail, etc - taking care to provide only the minimum legally required information) using a Tor browser to send emails with no personal or identifiable details in the content/body of the email, subject line or in the email id. Cancel the email account once the purpose is served.

Use a disposable email ids when possible (e.g. https://www.guerrillamail.com/ ; http://10minutemail.com/10MinuteMail/index.html ) for 'forms' in websites and forums

If you are whistle blowing: Copy a news organisation for evidence record that you have reported/whistleblown. 


Step 6

Steps 1 to 5 above are things that you must do. This Step 6 is about things that you should not do:
a) do not attach any thing or send anything as attachments with your email or posts
if you attach anything you risk losing exposing who you are
b) do not open any files, programmes, or other software when you are using Steps 1 to 5 above as that will risk revealing your identity.

Please remember that all these steps and what is written in this blog post are for amateurs. Please learn about all these steps and related items, get yourself very familiar and confident before you use them. Do dummy runs, trial runs etc before you actually use it for any worthy purpose. Remember that there is no (and probably never will be) complete privacy or anonymity in the internet.

Do not use these methods for anything illegal, please do not use these methods to harass, intimidate, spread falsehood or anything else that is offensive. Please remember that internet is never anonymous and illegality should never be attempted even under anonymity.

Whistle blowing is a frustrating but noble act. Please check your facts before you blow the whistle; please see if you can raise your concerns confidentially within the organisation using normal/regular channels before you consider using whistle-blowing methods. Please consider every opportunity to whistle blow without taking recourse to anonymity.

Please note that these tools above are not just for whistle-blowers; they exist for people who just want to be anonymous. All of us could use Tor to maintain and enhance our internet privacy. We could use disposable email ids to avoid spam. 

If you have used Tor then keep the Tor on and allow your connection to be used as one of the nodes so that you will contribute to increasing the privacy of the net.


©M HEMADRI 
Follow me on twitter @HemadriTweets

Disclaimer: 
Please check if the above steps and everything else in this blog are legal for use in your location, country, area, etc

Please do not do anything illegal (anonymously or not) on the internet (or in any other area).

I am not an expert in internet security/anonymity/privacy; I am merely a normal user of some of the methods described above. The anonymity and/or privacy and/or security enabled by the methods described above have not been personally checked/validated/guaranteed by me; I only write due to an interest in these matters; I cannot therefore take or accept any responsibility for any loss of any sort including financial, lack of anonymity/privacy/security, embarrassment, or for any negative effects of following anything written in this blog post. It will be your/the reader's responsibility to ensure your own anonymity/privacy on the net and the consequences of any loss of anonymity/privacy or other negative effects.


No vested interests


PS: If there are any errors in the blog or if you have any ideas to enhance the topic please leave a comment below.





2 comments:

Anonymous said...

One very important thing that I do not see mentioned here (maybe i missed it) is that if one is doing this via some kind of forum or blog posting, be very careful NOT TO CHECK THAT PAGE FROM A NON-ANONYMIZED TERMINAL. It can be very tempting for any number of reasons to take a look at one's handiwork after going to all the trouble. THIS WILL REVEAL YOUR IDENTITY. Unless there is a great deal of pre-existing traffic to hide in, authorities and security people know that very often the person doing the posting is among the first few hits to a whistleblowing site. This is related to how, for instance, the "Fox News Mole" was detected -- he was among the first people checking the article from inside Fox News.

So the upshot of this is, do not look at your handiwork (or use, for instance, free email accounts you have created in association with this kind of activity) from a computer or device that you have not followed these anonymizing steps on EVERY TIME you check it.

M HEMADRI said...

Well said. That is correct.

Anonymous activity should be kept completely separate from non-anonymous/normal/regular/routine activity.

You are right - the steps for anonymity should be followed every time.

Thank you.