Introduction
The idea of “truth” being found in light is a recurring one. Generally, we seek to avoid darkness. Should everything be brought to light? Are there things, such as data and information, that should remain hidden, or that we wish to keep hidden from all others?
Darkness is associated with danger and insecurity. But darkness also provides protection; what cannot be seen or found cannot be attacked. Darkness can be used in one’s favor to hide what is considered private, and to hide oneself when preferring not to be seen.
Herein lies an important question: What information should be hidden? To analyze this question from a computer science perspective, we need to estimate the enormous amount of data that would need to be protected. Every day, 3.8 billion Internet users generate 2.5 quintillion bytes and in this vast quantity of data resides private information, including locations, tastes, financial data, medical records, and others, that should not be shared publicly.[1]
To better understand the problem, the concept of privacy must be defined and appropriated (How important is privacy to people, society, and organizations?) We also need to decide which data should be protected and become familiar with the methods used by cybercriminals and organizations to obtain this information, with and without our permission, and learn what they do with it and the risks that this entails.
Finally, users need to know what tools and protection measures are available to guarantee the security of their data when using the Internet and maintain their right to remain hidden and secure.
Privacy and anonymity
Privacy is a broad concept, difficult to define because it is not limited to the subject of information, but transcends to social debate. For this reason, we’ll begin by etymologically defining the word “privacy”, which comes from the Latin privatus, meaning “that which is not public”[2]. Based on this definition, privacy can be divided into two areas: the private sphere, such as private activities, friendships, confidential matters, and sensitive information including medical records and financial data; and its opposite, the public sphere, which includes everything that society knows about us, such as names, email addresses, social networks, and, in the state sector, all the information generated by public entities.
Social psychologist Irwin Altman defined privacy as a selective border of access to oneself and one’s group (family, friends, communities, etc.).[3] Privacy, therefore, allows us to selectively control who has access to our personal information, in other words, to our private and public spheres.
It is important to formalize the concept of privacy to ensure clear, transparent, and coherent policies, which in turn guarantee people’s cyber rights. Theorist Herman T. Tavani (2007)[4] classified the theories behind this concept into four categories, which gives us an understanding of perspectives linked to privacy. According to Tavani, the four privacy theories are non-intrusion, isolation, control, and limitation.
Non-intrusion
Privacy can only be obtained when one is free from intromissions or interference from others, whether individuals or organizations. Privacy, therefore, is defined as absolute freedom from others. Under this definition, privacy is also seen as an indispensable right for all individuals (right to privacy).
Isolation
This theory defines privacy as the individual’s need to withdraw from the world into solitude, in order to think freely and without interference from others who can spy, manipulate, and even judge them.
Control
Privacy depends on the control that each individual is allowed to exercise over his or her personal information. This type of privacy provides each individual with the ability to determine how much, in what manner, and to what extent their information is published. This category of privacy allows users to share their private information with others, and as long as individuals continue to have control over it, they retain a high level of privacy.
Limitation
Privacy here is seen as the limitations or restrictions placed on the access to information; each individual can and should impose conditions and limitations on their information, so that not just anyone, and only those who follows the rules defined by its owner, can access it.
Based on these categories or definitions, we can conclude that privacy is a fundamental right.
To delve into the field of information technologies, we’ll use theoretician Johannes Buchmann’s definition: “Information privacy is the freedom to determine what information (digital data) is released or removed from the public domain of the cyber world”.[5]
Anonymity
Anonymity occurs when an individual restricts all information related to his or her identity in the world, so that no one can uniquely identify or directly relate it. This property stems from privacy and is desirable in many environments; for example, during democratic elections, anonymity must be guaranteed to ensure free and non-compliant voting.
Secret
Additionally, a secret is a part of our private sphere that we share with no one; it is that part of one’s private sphere that is restricted to all but one person. This property also stems from privacy and allows us to safely keep secrets.
In the previous section we analyzed concepts related to privacy, but it is essential that everyone understand the importance of this topic for not only individuals, but for society and the economy in general. Next, we’ll analyze the personal, social, and economic value of privacy.
Personal value
As Daniel Solove points out in his book Understanding Privacy, “there is widespread belief that personal privacy is essential to our well-being physically, psychologically, socially, and morally.”[6] Privacy allows people to act in a freer and uninhibited way, without the prejudices imposed by society, making it possible for them to express themselves freely and share opinions without fear of social repression. It also promotes personal growth and self-awareness by allowing the individual to question his or her thoughts, and even contradict them before they enter the public sphere.
Solove quotes Paul Freund to argue that “privacy offers a shelter for the loosening of inhibitions, for self-discovery and self-awareness, self-direction, innovation, groping, nourishment for a feeling of uniqueness and a release from the oppression of commonness.”[7] In this way, individuals are allowed to develop freely, honesty increases and suspicion is reduced, individuals are dignified, autonomy is respected, and the door is opened to ensuring the prevalence of other fundamental rights, such as free expression and security.
This is important, since without the freedom to an opinion and to think differently, innovation would not be possible. Works of art, engineering, science, and culture have been created thanks to the freedom to think differently and challenge the status quo, which would not have been possible without the right to isolate oneself, to remain hidden in order to cultivate innovation and creative processes, without constant criticism and social judgment, which can destroy before anything is created.
Each person or group of people has private information that belongs to them and which no one need know about. The following cases (based on the book by Daniel Echeverri[8]) illustrate the importance of privacy:
• You are in a supermarket and a stranger passes by, greets you and asks you for your home address, or the address of your workplace, your children’s school, your parents’ home, and more. Would you share this information?
• An unknown person visits your home and asks to see and copy your photos and videos of family, friends, and your spouse. Would you accept?
• While on vacation with your family, a stranger asks you about your financial situation, your credit card details, your personal tastes and those of your family, your plans for the following week or month, and whether you’ve ever had problems with the law. Would you answer these questions?
• You meet with an acquaintance you haven’t seen for a long time and at one point in the conversation he asks about your sexual tastes, your history of sexual partners, your medical history, and your passwords for social media accounts so he can read your messages. Would you give him this information? And if so, would you allow him to share it with anyone he pleased?
This parallel points out the value of private information and the restrictions that we are willing to establish to manage our data, regardless of whether we are dealing with acquaintances, strangers, or corporations.
Social Value
As mentioned previously, there are two separate areas of privacy, the private and the public sphere. The private sphere may sometimes prove antagonistic to the public, since individual interests at times run contrary to the common good. Individuals are social beings and never live in isolation; they need each other for survival and development. In order to live in harmony in society certain social norms have been created to limit individual behavior based on what is considered correct for the majority.
Often, privacy can go against norms (in the private sphere, certain individual behaviors breakB with norms, but if privacy is maintained, society will never find out and, therefore, the individual will not be held accountable for it). However, society is made up of individuals and benefits from the protection of individual privacy by allowing people to act freely. Daniel Solove points out that “When we protect privacy, we protect against disruptions to certain activities.”[9] If the privacy of individuals is affected, social relations and society will also be affected, preventing them from doing work that contributes to their development, and it is therefore essential to find a balance between individual privacy and the common good.
On the other hand, if privacy did not exist and the actions of an entire society were public, an authoritarian society could be created in which people did not have the freedom or security to give their opinion or act according to their own morals, but instead would be repressed by their rulers; that is, the state would have excessive power. Judith Andre states that “When an action can be performed privately, however, and the principles of the agent are different from the principles of possible observers, privacy does increase the likelihood that the action will accord with the principles of the agent.”[10] Without this privacy there would be no guarantees for democracy, since the freedom to choose without prejudice or fear of reprisals is supported by anonymity.
To conclude this section, privacy is protected not for the sake of or according to the wishes of a single individual, but because the well-being generated is greatly beneficial to all members of society. Likewise, the absence of privacy can cause social collapse to the extent that individuals feel insecure and without freedom.
Economic Value
Numerous applications on the Internet offer a variety of “free” services that can be accessed from a web browser or installed on a mobile device. Generally, the user creates an account and, after filling in some personal information, such as name, email, date of birth, gender, city, etc., must accept certain conditions in order to use the service. These conditions always include privacy policies, which most people never read because they do not have the right to refuse or change the policies they consider abusive, and if they do not accept all of them, the services cannot be used. Through this type of practices, companies promote ignorance of privacy issues and limit the rights of users.
All these applications make use of targeted advertising –advertising that uses the collected data and behavior of individuals to predict the interests of a group of users– in order to establish a profile for each of them and pigeonhole them in a market niche. Specific advertising is then created that will appear only to the target audience on certain websites visited by them.[11]
This is how the majority of the companies claiming to offer “free” services are financed. How much do you think your personal data is worth to these companies? Do you think that exchanging them for a service is fair? Anagnostou and Lambrou attempt to answer these questions, pointing out that a subscription to a service such as Spotify or Netflix rarely costs more than ten dollars per month, whereas, social networks (Facebook, Twitter, Instagram, etc.) charge no subscription fee for their services (estimating that, if they were to charge, it would probably be close to ten dollars) because they prefer instead to forgo fees in exchange for user data, which causes “the impression that privacy itself is of little value[12]”.
An example of this unconscious loss of privacy value is an experiment conducted in 2017, in which the value of a pizza was accepted as fair payment to Massachusetts Institute of Technology (MIT) students were unquestionably willing to share the email addresses of three classmates.[13]
As Anagnostou and Lambrou mention, there is a rather large gap between the value placed upon personal data by the user and the income generated by companies using this data. Although the value of this data can be estimated, it is impossible to calculate its exact value since a market with a supply and demand for personal data that generates monetary transactions does not exist.
In general, payment for using personal data is made in kind, in the form of services, which would be a good way to calculate its cost. Another option is to calculate customers’ willingness to pay to maintain their privacy: How much would you be willing to pay to keep your data from being collected? A third option is to estimate the value of the revenue received by companies through advertising; if users do not wish to receive publicity, they must pay a value equivalent to the income that the company will cease to receive. Each of these options uses a different valuation method based on a different point of view and all are certain to generate a variety of reactions in Internet users.
Privacy Violation Techniques
In this section we’ll learn the most common techniques used by companies, organizations and criminals to collect private information from users, often without their permission or knowledge.
Data Collection via Web Browser
One of the most common tactics used to invade privacy is through web browsers, such as Chrome, Firefox, or Internet Explorer. How do these types of attacks work? You should know that the browser installed on your device (computer or smartphone) to visit websites on the Internet has access to a lot of information about both you and your device. Your web browser delivers this information to websites that request it without asking permission or, often, even notifying users. To see how this works, visit the Webkay website. Another slightly more frightening example can be found on the Click website. A visit to these sites will show you all the private information that a website can collect through your browser without your permission.
In summary, your web browser can collect and deliver the following data:
• Geographical location within a radius of approximately 50 km.
• Operating system (Mac OS, Windows, Android, IOS).
• Physical characteristics of your computer (CPU, GPU, RAM, disk, battery).
• Installed plug-ins.
• Browser version
• Recently visited sites
• Recently used applications (Facebook, Google, Twitter, etc.)
• Bandwidth
• Detailed record of browser activities
To close out this section, it is worth noting that cybercriminals also use these types of privacy violation techniques during an initial or reconnaissance phase, to farm information later used in more sophisticated attacks, such as taking full control of your device or launching a smear campaign against you, your family, or your company.
Data Collection via Internet Services
We’ll begin by talking about search engines, an indispensable service for anyone who uses the Internet on a daily basis, since it allows us to find useful and organized information in this vast network. The best known and most used is Google, which offers its services “free”, although this is not entirely true, as we saw earlier.
In compensation for their services, companies like Google allow advertisers (who pay to show their advertising on search engines) to choose keywords, which in turn trigger advertising every time a user performs a search containing these words. The information collected from users by these companies is used to improve their services, or it is sold to or shared with other services on the Internet who then use it to target their ads.
These types of services usually collect the following kinds of information:[14]
• All searches performed, whether images, websites, or blogs
• Browsing history
• Results of Internet searches
• Type of content on websites you visit
• Time spent on each of the websites you visit
• Hours when using the search engine
• Relevant information to identify and profile users, including[15]:
• Full name
• Email address
• IP address
• Gender
• Geographic location
• Languages spoken
• Marital status
• Type of electronic devices you own
• Your children’s ages
• Academic performance
• Degrees and professional level
• Products you buy
• The products you almost buy
• Where you live
• Where you work
• Type of Internet connection
Generally speaking, these companies collect any information that may be of value, no matter how private it is.
Imagine for a moment that these companies may also have acquired your personal information from other sources, such as mobile devices, smartwatches, or your smarthome devices (televisions, video game consoles, smartcars, etc.). All these devices have the ability to record the user’s voice and send it to the Internet so that the artificial intelligence behind the services can interpret user requests as instructions, which they will then send to the device or devices involved in the user’s request. What these services do not openly tell their users is that these recordings are stored for an indefinite time and that their technicians can analyze them, manually or using other automated analysis services, in order to offer the user other types of services, or offer them to other companies.
Services such as Alexa claim that they collect information only from the commands that users execute on the device, such as “Alexa, turn on the lights in the main bedroom”; however, cases have been reported in which these devices have recorded conversations or sounds generated near their microphones, even without receiving an activation order[16].
Another worrisome case has to do with mobile device applications that make use of geographic location. Today, mobile phones have several ways of identifying your geographical location in real time, but the most used and most accurate is the global positioning system (GPS), which can report your geographical position with a margin of error of only five meters. These applications collect your geographic information in real time, making it possible to review all the places you visited during the day, the routes you took, and the amount of time spent at each of these places.
Information regarding a person’s location can be very revealing and contain very intimate details of that person’s life. Imagine, for example, that information regarding a public figure who frequents a clinic for patients with HIV, a psychiatric center, or an AA (Alcoholics Anonymous) meeting is leaked to the media. These topics are still taboo and rarely discussed in our society and could have serious repercussions, resulting in discrimination or isolation from the person’s social groups.
To make matters worse, the companies that engage in this type of practice often lack clear policies for handling such information. These policies are not required because no regulatory bodies exist to control or supervise companies, which encourages dishonest practices such as selling information on the black market or for the purposes of espionage.
It is important to know that the potential uses of this information go far beyond advertising for such companies; it can be resold or shared for other less ethical purposes, as in the Cambridge Analytica case in which the personal data of 50 million Facebook users in the United States were used to create campaigns and influence voters in the 2016 U.S. presidential elections (for more information on this case, visit Digitalwatch).
If, once informed of the risks and attack methods, you’d like to protect your data and preserve your privacy, we recommend you consult Appendix 1: “Tools for Preserving Privacy”, which outlines technical measures to reduce the danger of being attacked.
Conclusions
Darkness extends beyond the social imaginary where criminals and delinquents hide; it is a place that offers us protection, freedom, and autonomy. It is a space for innovation, essential to the development of individuals and societies. On the Internet, the concept of darkness is embodied in privacy and anonymity, yet despite the fact that everyone needs privacy, there is no widespread awareness of its importance. For the most part, people care little about protecting their personal data or finding out what large Internet companies know about them, or how their personal information is exchanged for services advertised as “free”. If we analyze the importance of privacy from different perspectives, most of us would agree that privacy is necessary and should be protected, since it is of great value to society, organizations, and individuals. It is therefore important to change the way you perceive personal information and understand that it is worth much more than the cost of an Internet service.
Despite the significant number of cases in which people, organizations, or governments violate our privacy, we have not yet created a culture that is aware of its value. And with the advent of new technologies and services, the value assigned to what transcends from the private to the public sphere continues to decrease. We are approaching the world described by George Orwell in 1984, complete with Big Brother’s systems, except that we are even willing to pay for these services, accepting them in good will without knowing what they entail.
Privacy is more than a right; it is everyone’s responsibility to protect their own personal information and that of their family. To do so, each of us must understand how this information is being collected and used, in order to determine when and how our privacy is threatened by the information technology and the Internet practices of governments, corporations, and individuals.
We must begin to demand clear-cut, transparent, and conscientious policies from the companies that exchange user data for services and these policies must establish which practices violate privacy and ensure that applications and services do not violate the rights of people, and not vice versa.
A number of tools that guarantee the right to privacy already exist and we must learn to use and configure them correctly in order to exercise our right to privacy. Be aware, however, that even if you follow all the recommendations, total anonymity on the Internet is impossible; you can greatly reduce your digital trail, but you’ll never eliminate it completely.
Appendix 1. Tools for Preserving Privacy
This section describes several technical measures that can be taken to avoid being a victim of the privacy violation techniques described above.
Protection Against Data Collection via Web Browser
To check whether your web browser has adequate protection against these types of techniques, visit the Panopticlick website, where you can verify whether your browser has the appropriate protections against privacy breaches.
If you get a por result like the one in Image 2 you have privacy problems. To correct this, configure your browser to block the websites that try to track you. We recommend the use of independent browsers that don’t depend on companies that adhere to the aforementioned practices. We recommend Firefox, which can be configured to protect your privacy against all these techniques. To enable this configuration, follow the instructions on the official Content Blocking Firefox site.
Protection Against Data Collection via Internet Services
Your best protection is to read the privacy policies of the services that you use most frequently, which may include information of a private nature. It is important to review the privacy policy so that you have clarity regarding the type of information that these services collect and what they will use it for. The policy also explains your rights and the settings to use to improve your privacy.
Always verify and change the default configurations of your applications, which usually enable tracking and information collection services. Some cases will require in-depth investigation as many services make this process difficult in order to prevent users from disabling tracking options, thus reducing their income.
The manufacturers of operating systems for mobile devices have incorporated privacy settings so that users can know and modify the settings of each of their applications. To modify the location settings and identify or modify the applications that have access to your location, use the settings listed below:
Disable applications that have access to your location on your iPhone
1. Open Settings.
2. Choose Privacy> Location.
3. If you’d like to disable all applications that track your location, you can disable the top Location option.
4. If you’d like to configure each application independently, you must select them one by one and in each of them choose between the options Never or When using the app, depending on whether you want this application to never know your location or to know it only when you the app is open. No application should be set to Always, since this means that the application will monitor your location and record your movements throughout the day, even with the application closed.
Disable applications that have access to your location on your Android phone
These settings may differ according to your phone’s manufacturer. Should these instructions not work for you, consult the user manual of your mobile device to learn how to perform the procedure.
1. Open Settings.
2. Go to Advanced> Application permissions> Location> Location history.
3. In the list of applications, disable those you think should not know your location.
Verify the privacy settings of your Google account
If you have a Google account, you should verify the privacy settings and disable those that you believe violate your privacy. As an example, we explain here how to disable the tracking feature offered by the Google Maps service from your mobile device.
1. Open the Settings for your application.
2. Go to Google> Google Account> Data and customization.
3. Select Location History and deactivate it. Google will ask you to confirm if you want to pause it.
4. Return to Data and customization.
5. Go to Web and Application Activity and deactivate it. Google will ask you to confirm if you want to pause it.
You’ll find more information on other Google services at Google Privacy Controls.
Privacy-Focused Services
A good practice to ensure your privacy is to use internationally recognized services that safeguard the privacy of their users. We recommend the search engine DuckDuckGo, which keeps your searches private. This service does not collect any kind of data from its users and therefore allows you to navigate anonymously and securely (read the service’s privacy policy here).
A list of other recommended applications and services of this kind can be found at restoreprivacy.com.
VPN
VPN is the acronym for Virtual Private Network, a service that allows you to surf the Internet privately and securely and even bypass certain regional content restrictions and censorship.
The Internet was designed to be a public network, open and easily accessible, and at the time it was created the idea was to share information freely and without privacy restrictions. Although this works quite well, in order to request and deliver these services information must be constantly sent and received over the network. Generally, this information is sent transparently (without any encryption), so that a user on the same network or an intermediate device can capture and read it.
As you’ll see, this is not at all private, which is not a problem if the service you want to access doesn’t handle important personal information. But if the service handles sensitive information related to personal banking, email, social networks, etc., a higher level of privacy is required. One solution to this problem is the VPN.
With a VPN, the user connects securely, first to a VPN server and through it to the Internet. An analogy for this type of secure connection between the user and the VPN would be that of a pipeline or tunnel that keeps information hidden, and the safest way to hide this data is using encryption.
The benefits of using this type of structure include[17]:
• The destination server, or the one that owns the service that the user requests, detects the VPN server, and not the user, as the source.
• This makes it very difficult to identify the user and track his or her actions or the services he or she uses.
• The data sent is encrypted, so if it is intercepted it cannot be understood.
You can take advantage of these features by using a VPN for different purposes, including the two most relevant to us here: first, by using the VPNs and not the user’s location, it is possible to access geographically-restricted content, and; second, the use of a VPN helps maintain a secure, spy-free connection in hostile environments such as a public Wi-Fi network.
It is a well-known fact that public Wi-Fi networks are very insecure, as any user can spy on the connections of those using the network and obtain passwords, credit card numbers, and other personal data. It is therefore a good idea to use a VPN to encrypt this information.
You should keep the following three recommendations in mind when using a VPN. First of all, the location of the VPN is very important, because if you want to access blocked content, the VPN must be located in a country where access to the content is not restricted. Also, certain countries have laws that require VPN services to provide the police with access when required, which would put your privacy at risk.
The second recommendation has to do with the price of the VPN. Several companies offer “free” VPN services in exchange for advertising, but they may not be as secure as they seem. It is therefore advisable to use a recognized, paid service.
Thirdly, we recommend that you add an extra layer of security to your data. Certain VPNs add antivirus softwares, which is worth considering.
1. Data Never Sleeps 6 | Domo (2019). Retrieved from https://www.domo.com/learn/data-never-sleeps-6.
2 Private | Origin and meaning of private by Online Etymology Dictionary (2019). Retrieved from https://www.etymonline.com/word/private.
3 I. Altman (1976). Privacy: a conceptual analysis. Environment and Behavior, 8(1), 141-141. doi: 10.1177/001391657600800108.
4 H. Tavani (2007). Philosophical theories of privacy: implications for an adequate online privacy policy. Metaphilosophy, 38(1), 1-22. doi: 10.1111/j.1467-9973.2006.00474.x.
5 J. Buchmann (2013). Internet privacy. Heidelberg: Springer.
6 D. Solove (2010). Understanding privacy. Cambridge, Mass.: Harvard University Press.
7 Daniel Solove. Op cit.
8 D. Echeverri Montoya (2016). Deep web. Móstoles: ZeroXword Computing.
9 Daniel Solove. Op cit.
10 J. Andre (1986). Privacy as a value and as a right. The Journal of Value Inquiry, 20(4), 309-317. doi: 10.1007/bf00146121.
11 What is targeted advertising? Definition|SendPulse (2017). Retrieved from https://sendpulse.com/latam/support/glossary/targeting.
12 M. E. Anagnostou & M. A. Lambrou (2018). A review of approaches to the value of privacy. https://arxiv.org/pdf/1709.04767.pdf.
13 S. Athey, C. Catalini & C. Tucker (2017). The digital privacy paradox: small money, small costs, small talk. doi: 10.3386/w23488.
14 C. Craig (2016). These search engines collect your data. | NordVPN. Retrieved from https://nordvpn.com/es/blog/these-search-engines-collect-your-data/.
15 P. Berlinquette (2018). How Google tracks your personal information - Featured stories. Retrieved from https://medium.com/s/story/the-complete-unauthorized-checklist-of-how-google-tracks-you-3c3abc10781d.
16 A. Estes (2019). The terrible truth about Amazon Alexa and privacy. Retrieved from https://gizmodo.com/the-terrible-truth-about-alexa-1834075404/amp.
17 R. Mardisalu (2019). VPN Beginner’s Guide: What is a VPN and how does it work? Retrieved from https://thebestvpn.com/what-is-vpn-beginners-guide/#secure.
Navegador TOR
Este navegador es parte de TOR Project, la comunidad más grande de internet enfocada en la privacidad y el anonimato. Usted lo puede descargar en el sitio oficial del proyecto (www.tor.project.org). Este navegador hace uso de la red TOR (The Onion Router, El Router Cebolla), también conocida como The DarkNet o La Red Oscura, que utiliza fuertes protocolos criptográficos para brindar un alto nivel de seguridad y privacidad a los usuarios y servicios. Por medio de este navegador usted podrá navegar libremente en internet, sin censura y sin restricciones.
Debido a la privacidad que provee, usted podrá encontrar sitios web a los que sólo se puede acceder a través de esta red; a los sitios que funcionan con este router se les conoce como la Dark Web o Web Oscura y funcionan con el dominio .onion. Según Internet Live Stats[17], actualmente la red oscura tiene un tamaño equivalente a una cuarta parte de los servicios tradicionales a los que usted puede acceder a través de los navegadores y motores de búsqueda normales. En la Dark Web hallará toda clase de información, al igual que productos y servicios tanto legales como ilegales. También podrá encontrar foros y chats, donde podrá debatir cuestiones técnicas, artísticas, políticas, sociales y religiosas sin ninguna clase de censura.
La red TOR es similar a una VPN en cuanto a que utiliza dispositivos intermedios para proteger la comunicación y brindar anonimato; sin embargo, una VPN sólo hace uso de un dispositivo intermedio (el servidor VPN), mientras que la red TOR crea una red de dispositivos que se conoce como circuito virtual, el cual se compone de tres clases de nodos o dispositivos de red: los nodos guardián, los nodos intermedios y los nodos de salida.
Los nodos guardián y los nodos de salida pertenecen al proyecto TOR y son vigilados por éste, mientras que los nodos intermedios están distribuidos por todo el mundo. Esto se debe a que tales nodos son los mismos usuarios que utilizan esta red, y al hacerlo, también aportan a la seguridad de la red; por lo tanto, al emplear este navegador usted estará ayudando a otros usuarios a navegar en forma anónima y segura (imagen 4).
Cuando un usuario abre el navegador TOR, éste automáticamente le solicita a la red que envíe un listado de nodos, para escoger de manera aleatoria los que conforman su circuito virtual. Cuando un usuario quiere conectarse a un sitio web que a modo de ejemplo llamaremos www, el navegador primero enviará la solicitud al nodo guardián, que tendrá que mandarla al primer nodo intermedio y éste a su vez al segundo nodo, que la enviará al nodo de salida; este último será el encargado de mandar la solicitud final al sitio www. Como puede ver, esta arquitectura garantiza que ni el sitio www, ni el nodo de salida, ni los nodos intermedios puedan conocer la dirección del usuario, ya que el único que la conoce es el nodo guardián, el cual es controlado por el proyecto TOR. Por otro lado, en este esquema el único que sabe qué sitios se están visitando es el nodo de salida; sin embargo, al desconocer la dirección del usuario, no podrá identificarlo y se conserva el anonimato (imagen 4).
Otra función que desempeñan cada uno de los nodos de la red TOR consiste en agregar una capa de cifrado al mensaje. En el esquema que se propone (imagen 4), el mensaje se debe cifrar cuatro veces, ya que es una vez por cada uno de los nodos. El tipo de cifrado que usa esta red se conoce como cifrado asimétrico y es uno de los más seguros en la actualidad. A continuación podrá ver en qué orden son agregadas estas capas de cifrado y cómo se vería un mensaje o solicitud que se envía a través de esta red (imagen 5).
Cuando un usuario quiere enviar una solicitud o mensaje al servidor www, el proceso automático que ejecuta la red TOR es el siguiente:
18 Total number of websites | Internet Live Stats (2019). Retrieved from https://www.internetlivestats.com/total-number-of-websites/.
Navegador
1. Cifrar el mensaje
1.1. El navegador toma el mensaje o la solicitud del usuario y la cifra con la clave pública del nodo de salida (agregar la capa de cifrado del nodo de salida).
1.2. El navegador toma lo que obtuvo en el paso 1.1 y lo cifra con la clave pública del nodo intermedio 2 (agregar capa de cifrado del nodo intermedio 2).
1.3. El navegador toma lo que obtuvo en el paso 1.2 y lo cifra con la clave pública del nodo intermedio 1 (agregar capa de cifrado del nodo intermedio 1).
1.4. El navegador toma lo que obtuvo en el paso 1.3 y lo cifra con la clave pública del nodo guardián (agregar capa de cifrado del nodo guardián).
2. El navegador envía lo que obtuvo en el paso 1.4 y lo envía al nodo guardián.
Nodo guardián
3. El nodo guardián toma la solicitud recibida y la descifra con su clave privada, es decir, remueve su capa de cifrado.
4. El nodo guardián toma lo que obtuvo en el paso 3 y lo envía al nodo intermedio 1.
Nodo intermedio 1
5. El nodo intermedio 1 toma la solicitud recibida y la descifra con su clave privada, es decir, remueve su capa de cifrado.
6. El nodo intermedio 1 toma lo que obtuvo en el paso 5 y lo envía al nodo intermedio 2.
Nodo intermedio 2
7. El nodo intermedio 2 toma la solicitud recibida y la descifra con su clave privada, es decir remueve su capa de cifrado.
8. El nodo intermedio 2 toma lo que obtuvo en el paso 7 y lo envía al nodo salida.
Nodo salida
9. El nodo salida toma la solicitud recibida y la descifra con su clave privada, es decir, remueve su capa de cifrado.
10. El nodo salida toma lo que obtuvo en el paso 9 y envía la solicitud al servidor www, después de remover todas las capas de cifrado.
Servidor www
11. El servidor www toma la solicitud y la responde al nodo salida.
Proceso inverso
A partir de aquí se debe ejecutar el proceso inverso para llevar la respuesta del servidor www hasta el navegador del usuario.
Ventajas de TOR
• Al igual que con una VPN, este navegador le permitirá saltarse las restricciones de zona de los servicios de internet.
• Usted podrá ejercer su derecho de libertad de expresión en una red sin censura.
• Usted no necesita ninguna herramienta adicional al navegador ni conocimientos técnicos para usar/conectarse a la red y navegar de forma privada, ya que el navegador TOR hace todo esto automáticamente por usted.
• Usted tendrá un alto nivel de privacidad y anonimato en internet.
Recomendaciones al navegar en la Dark Web
Si usted quiere navegar de forma segura en la Dark Web, debe tomar en cuenta una serie de recomendaciones y buenas prácticas para que no tenga malas experiencias.
• Para tener un mayor nivel de anonimato, usted puede conectarse primero a una VPN segura y luego sí a la red TOR.
• Sea prudente y evite visitar sitios o consumir servicios de carácter ilegal. Recuerde que en esta red usted no podrá saber quién está al otro lado, y podría encontrarse con criminales muy peligrosos o con agencias de inteligencia internacional.
• Antes de visitar cualquier sitio, usted debe saber que muchos de éstos poseen software malicioso, así que tome algunas medidas adicionales, como instalar y configurar un software de antivirus, actualizar su sistema operativo a la última versión y verificar que se encuentra al día en parches de seguridad.
• Otra opción es usar un sistema operativo enfocado en resguardar su seguridad al visitar la Dark Web, preservando su anonimato; el sistema operativo más conocido en este aspecto es Tails. Usted lo podrá usar desde una USB y en cualquier equipo, sin necesidad de una instalación.
Anexo 2. Glosario
• Criptografía (simétrica). Algoritmos basados en fuertes propiedades matemáticas que permiten transformar un mensaje (texto claro) en una representación incomprensible (texto cifrado) y viceversa, mediante el uso de claves.
• Cifrado. Proceso criptográfico para convertir texto claro en texto cifrado.
• Descifrado. Proceso criptográfico que convierte texto cifrado en texto claro.
• Criptografía de clave pública o asimétrica. Cifrado que se basa en el uso de una pareja de claves, pública y privada, de las cuales una se utiliza para cifrar y la otra para descifrar. Ambas claves están relacionadas por una función matemática, y cada una de estas claves permite descifrar lo cifrado por la otra clave.
• Servidor. Aplicación en ejecución que es capaz de atender las peticiones o solicitudes de clientes a través de una red de cómputo, como una red local o internet.