Undercover Web surfing

Anonymous Internet use – particularly for Web surfing – was a really hot topic a couple of years ago and the whole idea appears to be gaining a resurgence of interest, mainly because of consumer concerns over privacy and security.

The problem with previous Web access anonymizing systems was that they came in two flavors: simple and not a very “strong” shield, or complex to a degree that stymied most potential users.

I’ve just been testing a new release (Version 3.0) of an anonymizing system called Complete Anonymous Web Surfing (CAWS, see editorial links below) from PC Mesh.

Before I go any further I have to point out that PC Mesh offers absolutely no contact information other than generic company e-mail address – no telephone numbers, no street address. Even its WHOIS entry is devoid of useful contact information. While it may be that these chaps take their privacy seriously, this level of anonymity looks odd when it is from someone who wants your money. But I digress.

CAWS uses public proxies to route requests to target Web sites. This list is updated from multiple lists on the ‘Net and the results are ping’ed to determine which provide the best connectivity. The proxies are also ranked by the degree of privacy they provide, although there is no explanation I could find detailing how this is tested – I suspect it is determined by checking whether the proxy creates an HTTP_X_FORWARDED_FOR header field.

Once the proxy list is assembled, the individual proxies verified and tested, and proxying is enabled, CAWS provides a local proxy (127.0.0.1), reconfigures your Web browser and routes all HTTP requests through it. The local proxy then passes the requests on to one of the five fastest and most secure remote proxies (you can change the number of proxies and the level of security you will accept) and every five minutes (also a configurable value) selects a different proxy from the list of five (or whatever).

The anonymity provided by CAWS is not, as billed, “complete” because the HTTP request header can still contain an HTTP_Referrer field (the URL of the Web page that the target URL was accessed from) as well as an HTTP_USER_AGENT field (providing details of your browser and configuration). And if the browser hasn’t disabled cookies then tracking the user will still be possible.

I tested the software for a few hours and while it was fairly easy to use I suspect the average consumer will simply struggle to understand the what and why of the system. I also encountered a few problems – after loading the proxy list from all the public proxy directories, CAWS simply vanished and had to be restarted. Later on, CAWS crashed with an internal “array out of bounds” error that it caught but was apparently unable to handle.

The question is what will users running CAWS look like to your Web server? With respect to an individual user using CAWS or a similar system and browsing your content you will most likely see an increase in shorter than usual user sessions (depending on the CAWS proxy rotation frequency) and more of them. You’ll get less detailed information and if they switch off cookies then tracking their detailed behavior will be very difficult.

Adding user session specific tags to pages will help but you may have to review how your Web metrics analysis is done as the “broken” sessions could confuse the logic.

But the reality is that for some long time to come it is unlikely that there will be a huge public move to embrace Web access anonymization – even with a tool like CAWS it is still too complicated and too geeky with too little perceived payoff. Of course, should you be dealing with a very technical market your mileage may vary but I’d put this in the same category as tools such as PGP – a great idea but not “immediate” enough for a mass market.

That said, there are likely to be many users who would like to (and maybe should) stay anonymous when browsing – just consider the amusing recent story of Warner Music trying to manipulate various music criticism blogs and failing to cover their tracks (no pun intended).

Judging from PC Mesh’s remarks in its support forum the next release of CAWS promises to tighten up the level of anonymity even further. If PC Mesh manages to streamline and simplify the user interface and online anonymity becomes a bigger public issue, it may well be on to something important and all of you running Web servers are going to have to think seriously about how valuable your Web metrics will be.

CAWS pricing starts at $39 per seat.