From 5e2a21403883454c0221d402f46bde7170d5354f536009b4d1690d2a5faef5b1 Mon Sep 17 00:00:00 2001 From: Nicholas Johnson Date: Wed, 15 Feb 2023 00:00:00 +0000 Subject: Convert refs: private-online-shopping --- content/entry/private-online-shopping.md | 24 ++++++------------------ 1 file changed, 6 insertions(+), 18 deletions(-) (limited to 'content/entry/private-online-shopping.md') diff --git a/content/entry/private-online-shopping.md b/content/entry/private-online-shopping.md index 05a99d1..734bb68 100644 --- a/content/entry/private-online-shopping.md +++ b/content/entry/private-online-shopping.md @@ -2,10 +2,9 @@ title: "Private Online Shopping" date: 2021-05-12T00:00:00 draft: false -makerefs: false --- # Preface -6 months ago at the end of my post Avoiding Consumer Surveillance[1], I hinted at a post on anonymous online shopping. This is that post. As a heads up, I'll be focusing exclusively on web marketplaces since alternatives like Openbazaar are currently ghost towns. +6 months ago at the end of my post [Avoiding Consumer Surveillance](/2020/11/16/avoiding-consumer-surveillance/), I hinted at a post on anonymous online shopping. This is that post. As a heads up, I'll be focusing exclusively on web marketplaces since alternatives like Openbazaar are currently ghost towns. Sometimes it's wisest to focus on how to reduce the harm caused by doing something rather than trying to get people to stop doing it. So, in this post, I'm going to focus on harm reduction. Given that everyone isn't going to stop online shopping, how can it be done in a way that minimizes the harm to privacy? @@ -56,13 +55,13 @@ Since marketplaces don't verify the number, you can make one up. The marketplace If you made it this far, then you've managed to not explicitly give out any personal information. Unfortunately, because the web is a privacy disaster, this isn't enough. There are dozens of other ways to leak your identity without it being obvious. For example, many online shopping sites have proprietary JavaScript and cookies which facilitate tracking buyers across the web. Your IP address is also identifying information which can be used to deanonymize your purchases. But do not fear, for Tor Browser is here! ### Mitigation - Use Tor Browser -The best way to avoid browser fingerprinting and leaking your IP address is installing Tor Browser[2]. Tor Browser protects you from browser fingerprinting while making it very hard for the site to figure out your real IP address. Use Tor Browser on the highest security setting that doesn't break site functionality. If "safest" mode breaks the website, try "safer". If "safer" mode breaks the site, use "standard". I also recommend using the LibreJS[3] addon to prevent proprietary JavaScript analytics scripts from running in your browser. +The best way to avoid browser fingerprinting and leaking your IP address is installing [Tor Browser](https://www.torproject.org/download/). Tor Browser protects you from browser fingerprinting while making it very hard for the site to figure out your real IP address. Use Tor Browser on the highest security setting that doesn't break site functionality. If "safest" mode breaks the website, try "safer". If "safer" mode breaks the site, use "standard". I also recommend using the [LibreJS](https://www.gnu.org/software/librejs/) addon to prevent proprietary JavaScript analytics scripts from running in your browser. ## Tor is Blocked If you can't access the site on the "standard" security setting in Tor Browser, then it probably blocks Tor exit nodes. Some sites do allow you to browse while using Tor, but won't let you purchase anything. You just have to find out which ones are Tor friendly and which aren't by trial and error. If a site isn't Tor-friendly, all is not lost. There is still hope with Proxychains. ### Mitigation - Use Proxychains -If you still insist on using that website for your purchase, you can configure proxychains[4] to hide the fact that you're using Tor while still getting the privacy benefits of the Tor Browser. Just search for the IP address and port number of an open proxy. +If you still insist on using that website for your purchase, you can configure [proxychains](http://proxychains.sf.net/) to hide the fact that you're using Tor while still getting the privacy benefits of the Tor Browser. Just search for the IP address and port number of an open proxy. If you've properly configured Proxychains and Tor Browser is still not letting you visit the site, then most likely the site does some kind of anti-spam browser fingerprinting to determine if you're a real user and Tor browser is getting you flagged as a bot since it's resistant to fingerprinting. You could use a different browser proxied through Tor, but at this point I'd just look for the item on a different website. If the website requires browser fingerprinting, then you can't expect to buy anything anonymously. @@ -81,12 +80,12 @@ I wish I could say that's all because it feels like the overhead for making a pr * WePay * And more... -Any payment system that identifies you can't be used for privacy. Until something like GNU Taler[5] becomes popular, we're left with 1 option that offers real payment anonymity: cryptocurrency. +Any payment system that identifies you can't be used for privacy. Until something like [GNU Taler](https://taler.net) becomes popular, we're left with 1 option that offers real payment anonymity: cryptocurrency. ### Mitigation - Monero -Since most places require some form of ID verification to buy cryptocurrency and cryptocurrency ledgers allow transactions to be easily traced, no cryptocurrency is suited for an anonymous purchase, except for 1: Monero[6] or XMR. It's so private that the IRS is offering $625,000 to anyone who can crack it[7]. You can acquire Monero through centralized or peer-to-peer exchanges. The great thing about Monero is you don't need to acquire it anonymously to make an anonymous purchase with it. Coins are untraceable and transactions are unlinkable. Feel free to acquire the Monero however is most convenient for you. Localmonero.co is a solid option that doesn't require any identification or proprietary JavaScript and it has a Tor onion service. Just remember to store the coins on the Monero wallet on your own machine, not on an exchange. Also I recommend proxying the Monero client through Tor to prevent transactions being linked to your IP address. +Since most places require some form of ID verification to buy cryptocurrency and cryptocurrency ledgers allow transactions to be easily traced, no cryptocurrency is suited for an anonymous purchase, except for 1: [Monero](https://www.getmonero.org/) or XMR. It's so private that [the IRS is offering $625,000 to anyone who can crack it](https://www.forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/). You can acquire Monero through centralized or peer-to-peer exchanges. The great thing about Monero is you don't need to acquire it anonymously to make an anonymous purchase with it. Coins are untraceable and transactions are unlinkable. Feel free to acquire the Monero however is most convenient for you. Localmonero.co is a solid option that doesn't require any identification or proprietary JavaScript and it has a Tor onion service. Just remember to store the coins on the Monero wallet on your own machine, not on an exchange. Also I recommend proxying the Monero client through Tor to prevent transactions being linked to your IP address. -Unfortunately few online stores actually accept Monero. Bitcoin still reigns supreme. Luckily there are coin swap services online that accept Monero and pay out Bitcoin. Kilos' KSwap[8] (WARNING: NSFW) is one example. It requires no sign up, no JavaScript and it's a Tor onion service. +Unfortunately few online stores actually accept Monero. Bitcoin still reigns supreme. Luckily there are coin swap services online that accept Monero and pay out Bitcoin. [Kilos' KSwap](http://mlyusr6htlxsyc7t2f4z53wdxh3win7q3qpxcrbam6jf3dmua7tnzuyd.onion/coinswap) (WARNING: NSFW) is one example. It requires no sign up, no JavaScript and it's a Tor onion service. The hidden fees are of course embedded in the exchange rate. When you go to buy Monero, you're going to take a hit and when you pay to convert it to Bitcoin, you're going to take a hit. In the end, you may end up paying 20% more than you otherwise would have had you just bought the item with a debit card. That's not even including the costs involved in a mailbox service. But that's just the price of your privacy if you insist on buying online. There's no easy way around it. @@ -108,14 +107,3 @@ Compared to walking into a store, paying with cash and rejecting the rewards pro But, in writing all this out, I think I've made a really strong case for just buying things in person with cash when possible. If it's not possible to purchase in person, you now have some tips for staying anonymous while online shopping. Remember that privacy isn't binary. You can follow as many of my advices as you're willing to. Don't give up completely just because you can't follow every piece of advice. If you do nothing more than start reading the privacy policies and becoming more aware of how your data is used, that's a plus in my book. As always, thank you for reading if you made it this far and feel free to send a donation if you think my posts are valuable. - - -Link(s): -[1: Avoiding Consumer Surveillance](/2020/11/16/avoiding-consumer-surveillance/) -[2: Tor Browser](https://www.torproject.org/download/) -[3: LibreJS](https://www.gnu.org/software/librejs/) -[4: Proxychains](http://proxychains.sf.net/) -[5: GNU Taler](https://taler.net) -[6: Monero](https://www.getmonero.org/) -[7: IRS Offers $625k to Break Monero](https://www.forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/) -[8: KSwap](http://mlyusr6htlxsyc7t2f4z53wdxh3win7q3qpxcrbam6jf3dmua7tnzuyd.onion/coinswap) -- cgit v1.2.3