Proxies and Their Limits

There are two general categories of bad actors that want to infringe on the privacy of the web: malicious governments with access to ISPs (Internet Service Providers) and mega corporations that run social and advertising networks. Proxies like TOR (The Onion Router) and I2P (the Invisible Internet Project) are useful in protecting privacy from malicious governments (which spy on traffic in transit) but not from mega corporations (which embed malicious code on web servers).

Malicious Governments

Malicious governments often spy on their citizens to punish dissent or human rights activity. They commonly either operate the local ISPs or they can force them to disclose information showing every IP address that is visited by each user. Layered proxies are designed to defeat this infringement of privacy by encrypting the traffic from a user’s device and routing it through multiple servers on the internet before sending it on to the final destination. This means that no individual ISP, server, or website, can know both the IP address of the user’s device and the IP address of the final web server. Malicious governments and the ISPs they control cannot tell which web servers a user is accessing, although they can tell that the user is using a layered proxy service. In some parts of the world, using proxies could be construed as an evidence of illegal behavior (“If you didn’t have anything to hide you wouldn’t be encrypting your traffic”) and users could be punished because governments assume they are doing something that is prohibited. Thus, proxies can be helpful, but they aren’t a panacea.

Mega Corporations

When a user connects to a web server, the web server can see the user’s IP address. Although it isn’t a perfect science, IP addresses can be turned into physical addresses with a fair amount of accuracy. Small web servers typically rely on IP addresses to identify the location of the users visiting their site. Proxies are a good solution to mask the user’s location from these servers. But large mega corporations that own social media and advertising networks use a whole profile of information that is designed to track users across devices and IP addresses. These profiles employ a variety of techniques to identify users, including JavaScript, cookies, tracking IDs, and browser fingerprinting. Because the vast majority of the websites on the internet either load an ad from one of the major networks or embed social media icons with their associated JavaScript, these corporations have built profiles for almost every online user and can track their internet activity across unrelated sites.

They track every site that is visited, everything that is purchased, every credit card that is used to make a purchase, every address that items are shipped to, and the GPS metadata of every picture that is uploaded to the internet. They build a profile of a user’s age, gender, marital status, address, political affiliations, religious affiliations, family circumstances, number of pets, and everything else they can get their hands on. They even buy up databases of credit card transactions at local stores, so they can track the off-line purchasing patterns of the users in their profiles. Because they already have much more accurate address information about a user than an IP address discloses, proxies provides no real privacy protection against mega corporations.

The single best privacy protection against mega corporations is to browse the web with JavaScript disabled, followed by blocking ad networks, disabling cookies and DOM storage, and using a browser that is difficult to fingerprint.

Using Proxies

Despite their limitations, proxies can be useful in some circumstances. Tor and I2P have Android apps that make it easy to use their proxy networks. When proxying is turned on in Privacy Browser, the app bar will have a light blue background instead of the default light grey. Because traffic is being routed through several proxy nodes, using a layered proxy is often much slower than connecting directly to the internet.