
Surfing pornography anonymously
  • A new data breach suggests South African cellphone users could have been tracked as they surfed pornography, though Vodacom and Telkom say their customers were not affected.
  • Google and Facebook do track porn surfing, though, even in browsers set to "private" or "incognito".
  • If you don't want to leave a record of your online habits (porn or otherwise), you can pay a couple of dollars for anonymity.

A South African company has reportedly leaked a massive database of web browsing history along with mobile-phone identifiers, and in some cases social media usernames, allowing some individuals to be identified – and linked to the pornography they viewed.

The breach was discovered by researchers at specialised review site vpnMentor, and first reported on by MyBroadband this week.

The unencrypted and publicly-available database it discovered ran to more than 890GB and contained more than a million records "from customers of numerous ISPs based in African and South American countries", vpnMentor said.

It provided a redacted example of the kind of detailed information it found relating to the kind of pornography one user downloaded, with some file names so explicit that they, too, were redacted.

[Image: redacted surfing example (vpnMentor)]

The data appeared to be gathered by a web filter created by Conor Solutions, a unit of JSE-listed Adapt IT. Conor Solutions counts Vodacom and Telkom among its customers, and the database features MSISDN numbers – mobile phone numbers – which suggests the data was scraped as cellphone users surfed the web.

Adapt IT confirmed it was aware of a breach of what it described as a "web usage logging portal".

Vodacom and Telkom said they do not use web filters from Conor, and do not believe their users' data had been compromised.

But the incident suggests that cellphone companies – or their suppliers – can not only track web surfing by their customers, but can inadvertently publish that information online.

Even if mobile providers do not engage in such tracking, Facebook and Google do, while websites – including pornographic websites – can use techniques such as "fingerprinting" to gather a lot of information about you, albeit falling short of linking that to a telephone number.

While setting a browser to "private" or "incognito" mode means the sites you visit won't be captured in the browsing history of your computer or phone, that does nothing to mask your activity from your internet service provider (ISP) – or any third parties it gives access to that data.

You can, relatively easily, prevent the gathering of that information, as long as you are willing to spend a couple of dollars a month, and have at least a slightly slower internet connection.

Picking the right VPN

Virtual private network (VPN) services use a complex set of technologies to offer a simple product: anonymity. Connecting to a VPN creates an encrypted connection between your device and a specialised server, which acts as a forwarding address for all your traffic.

Once that encrypted connection is created, anyone monitoring your connection (including your ISP) can see only that you are communicating with the VPN server, and has no inkling of the content you are sending and receiving. Likewise, websites you access will see only that they are connecting to the VPN server, with no idea who is on the other end of that connection.

The price for that service varies, but expect to pay in the region of R100 per month. One of the largest VPN providers, ExpressVPN, charges nearly $13 (around R190) per month, though that number can halve if you sign up for a longer-duration contract. Close competitor NordVPN has very similar pricing. Smaller player Mullvad offers connections at €5 per month (around R80) without any long-term commitment. (See below for free options, and the caveats that come with those.)

The big catch is that your VPN provider knows exactly what you are doing and, depending on your method of payment, who you are. That makes selection of a VPN service critical.

Here's what you should look out for in selecting a VPN.

A clear 'zero logs' policy

It is virtually impossible to check, but do not use any VPN that does not at least claim to keep no record of online activity, known as a "zero logs" policy.

Such a claim could be false, either through malice or technical mistakes, but that creates personal risk for the people behind the provider, and adds a little more safety for you.

If a VPN provider keeps logs because it is required to do so by the law of the jurisdiction in which it operates, then those logs could be subject to seizure. They could also leak, or otherwise be exposed, negating your protection.


Payment by anonymous currency such as bitcoin

You may choose to pay by credit card, which is typically easier, and that will make you easily identifiable. But a VPN provider that will only accept payment by credit card or similar formal channels should set off alarm bells.

VPNs are for those with above-average privacy requirements, and some of those will want to pay anonymously. A VPN service provider that does not accept anonymised payment either can not be bothered to serve the needs of the more savvy customers – or may want to keep its entire customer base identifiable.


A 'kill switch' system in the client software

A VPN runs as a service on top of your normal internet connection. For any number of reasons the VPN service can become disconnected while you are still online – exposing your traffic again – without your machine or operating system giving you any warning.

Making sure that does not happen is up to your VPN provider, and the software they provide. Unless you know what you are doing, use that software rather than setting up the VPN on your machine manually – and make sure the system includes a "kill switch" that will cut you off from the internet entirely if it detects the VPN is down while it should be active.
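
What a kill switch guards against can be seen in the routing table. The following is an added example, not from the original article or any VPN provider's software: it parses constructed Linux `ip -4 route show` output and reports destinations that would bypass the tunnel. The interface names (`tun0`, `wlan0`), the addresses, and modelling the kill switch as a removed default route are assumptions; real clients commonly enforce it with firewall rules instead.

```python
import ipaddress

# Constructed samples of `ip -4 route show` output (Linux); all addresses are illustrative.
VPN_UP = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
203.0.113.5 via 192.168.1.1 dev wlan0
"""
# Tunnel dropped with no kill switch: tun0 routes vanish, the default route remains.
VPN_DROPPED = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
203.0.113.5 via 192.168.1.1 dev wlan0
"""
# Tunnel dropped, kill switch modelled (assumption) as removal of the default route.
KILL_SWITCH = """\
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
203.0.113.5 via 192.168.1.1 dev wlan0
"""
PROBES = ["198.51.100.7", "100.64.0.9"]  # constructed public-side destinations


def parse_routes(text):
    """Turn route lines into (network, device) pairs, skipping lines without a device."""
    routes = []
    for fields in (line.split() for line in text.splitlines()):
        if "dev" not in fields[:-1]:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # route types such as "unreachable" or "blackhole"
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes


def egress_device(routes, destination):
    """Longest-prefix match, as the kernel does; None means no route at all."""
    addr = ipaddress.ip_address(destination)
    matches = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(matches, key=lambda m: m[0])[1] if matches else None


def leaking_destinations(text, tunnel_dev, probes=PROBES):
    """Probes that would leave through a real interface instead of the tunnel."""
    routes = parse_routes(text)
    devices = {p: egress_device(routes, p) for p in probes}
    return [p for p, dev in devices.items() if dev not in (None, tunnel_dev)]
```

The host route to the VPN server itself (203.0.113.5 here) legitimately uses the physical interface, which is why the check probes other destinations rather than flagging every non-tunnel route.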


Client software for your phone

VPNs use standard networking protocols, and can be set up by fiddling with the system settings of a device to which you have full administrative access, such as a personal phone. But that can get tricky, and means you don't get extras such as a kill switch or the ability to change server locations on the fly.

If you are going to be using a VPN on your phone, make sure the provider has client software for your system available before you pay.


Servers in the right geographies – if you care

VPN providers often offer the ability to connect to servers in specific countries all over the world, which makes you appear resident in that geography.

If you wish to appear to be browsing from, say, the UK, in order to access BBC services restricted to residents, you'll want a VPN provider with servers there.

But be warned: companies that restrict content geographically are good at identifying VPN servers and blocking them entirely, so you may not succeed. And the number of countries a VPN provider can offer you is no indication of quality.


Beware of "free"

Running a VPN comes with inescapable costs; your provider has to pay for the bandwidth that makes your connection possible. So anyone offering a "free" service is either gloriously philanthropic, or has something else going on.

There are generally trusted companies that offer free VPN services, typically as loss-leaders to market their paid-for services, but those come with various restrictions. ProtonVPN limits the speed of free connections, Hotspot Shield limits data used to 500MB per day, and so on.


If it is too hard to use, look elsewhere

VPN service providers make promises in terms of speed and reliability of connections, but unless you are paying a great deal of money those promises are couched as "best effort" – with no guarantees.

Many things can go wrong with a VPN service, aside from the small speed hit you must inevitably take because encrypted data is more bulky than unencrypted data. Inefficient client software could make your device slow, or network or server capacity constraints at your provider could make your connection slow.

If you find you can't be bothered to use your VPN service any time you connect to a public wifi hotspot – as you should, even if you have nothing to hide – it is a good sign you need a better service provider.
