PM David Cameron on censorship: bad when you do it, OK when I do it.

Back in February, British Prime Minister David Cameron gave a speech where he strongly opposed the censorship and crack down on protesters in Egypt.

For decades, some have argued that stability required highly controlling regimes, and that reform and openness would put that stability at risk. So, the argument went, countries like Britain faced a choice between our interests and our values. And to be honest, we should acknowledge that sometimes we have made such calculations in the past. But I say that is a false choice.
As recent events have confirmed, denying people their basic rights does not preserve stability, rather the reverse. Our interests lie in upholding our values - in insisting on the right to peaceful protest, in freedom of speech and the internet, in freedom of assembly and the rule of law. But these are not just our values, but the entitlement of people everywhere; of people in Tahrir Square as much as Trafalgar Square.

Now, with the riots in England he feels that restricting access to social media, and censoring free speech is necessary to maintain order.

Everyone watching these horrific actions will be struck by how they were organised via social media. Free flow of information can be used for good. But it can also be used for ill. And when people are using social media for violence we need to stop them. So we are working with the police, the intelligence services and industry to look at whether it would be right to stop people communicating via these websites and services when we know they are plotting violence, disorder and criminality. I have also asked the police if they need any other new powers. Police were facing a new circumstance where rioters were using the BlackBerry Messenger service, a closed network, to organise riots. We've got to examine that and work out how to get ahead of them.

It is easy to condemn censorship in others, but it seems expedient when one is trying to control one's own population. When in power, the difference between justifiable actions and tyranny is largely a matter of "us" vs "them". "We" are good and would not abuse this power while "they" use censorship to keep the boot of oppression on their people.

The trouble is, it is very hard to know when one has moved past the tipping point, and powerful self justification comes easily to intelligent leaders and their advisors. As has been said many times "no man is the villein of his own story".

This is a Rubicon I hope the UK can hold back from crossing.

Researchers show about a dozen US ISPs redirecting search requests

Researchers analyzing results from the ICSI Netalyzer project have found ISPs redirecting traffic bound for Yahoo! and Bing to third parties like Paxfire, Barefruit, and Golog. According to this EFF article:

Netalyzr's measurements show that approximately a dozen US Internet Service Providers (ISPs), including DirecPC, Frontier, Hughes, and Wide Open West, deliberately and with no visible indication route thousands of users' entire web search traffic via Paxfire's web proxies.

This appears to be done by returning the IP address of the intercepting server rather than the true IP address when you do a DNS lookup of the server (www.yahoo.com for example). Your browser then connects to Paxfire or one of the other companies, rather than yahoo, allowing them to collect data on your activity and possibly modify the results.

There are some things you can do to protect yourself. If your connection to the website is using SSL, or if you have a VPN, your ISP can not intercept or modify your connection.

If you are running FireFox you can install the "HTTPS Everywhere" extension, which will ensure that your connection uses SSL for most of the most popular sites on the Internet.

Using Anonymizer Universal will ensure 100% of your traffic goes over an encrypted connection which will prevent this kind of interception for all websites.

I encourage all of you to visit the ICSI Netalyzer website to test your connection and your ISP for this kind of interception, and to contribute information for their research to detect this kind of strange and/or nefarious activity.

House panel votes to mandate massive user tracking

House panel approves broadened ISP snooping bill | Privacy Inc. - CNET News

Declan McCullagh of CNET is reporting on a bill to require ISPs to maintain massive records on their users. According to the article this bill requires commercial Internet providers to retain "customers' names, addresses, phone numbers, credit card numbers, bank account numbers, and temporarily-assigned IP addresses".

They are calling it the "Protecting Children From Internet Pornographers Act of 2011" in a flagrent attempt to make it politically difficult to vote against it even though the bill has noting directly to do with Internet pornography or protecting children.

Were this bill to become law, it might cause real problems for the growth of public Wi-Fi where there is no user authentication. That would be a huge leap backwards for a very possitive trend of late.

Of course, criminals will continue to be trivially able to circumvent such tracking efforts making this primarily a mechanism for gathering information on innocent persons without any hint of suspicion or probably cause.

It is absolutely un-American to require every citizen to submit to continuous tracking and monitoring on the possibility that some tiny fraction of us will commit a crime. Law enforcement always lobbies hard for such provisions. Make sure your voice is heard that you value your privacy and your rights.

Contact your Representitive and Senators if this is something you feel strongly about.

Matt Blaze: Wiretapping and Cryptography Today

Matt Blaze analyzes why the widespread use of cryptography has had almsost no impact on our practical ability to do wiretaps and gather information under legitimate court orders. Not too technical and absolutely worth a read.

Matt Blaze: Wiretapping and Cryptography Today:

Recent interview I gave on the need for anonymity in business

Revealing Secrets with a Click - Technology Review

This is a very nice interview that was just published by Technology Review on the importance of anonymity for businesses. This is a topic rarely covered. Generally either people are talking about anonymity for consumers, or businesses protecting or violating consumer privacy. Very little attention is paid to the legitimate needs of business to hide their identities on-line from time to time.

The difficulty of identifying attackers on the Internet and why it is impossible to fix.

This article in Scientific American does a nice job of describing why it is difficult to track attacks back to their true origins. This essay by Bruce Schneier goes farther arguing that it is fundamentally impossible to create an Internet without anonymity.

The core point of both articles is that identifying the computer that a given packet came from is not the same as identifying the sender. The computer could be a server set up to enable anonymous communications (like Anonymizer.com), it could be a compromised computer (like part of a botnet), or even a server run by the attacker purchased using pre-paid or stolen credit cards.

Whatever the mechanism, it will always be possible for attackers to hide their identities and activities. The real question is the degree to which we are willing to design the Internet to make tracking and monitoring of citizens easy for repressive regimes.

Facebook automatically tagging your face in pictures

Face book announced that it will soon start automatically suggesting your name for tagging photos any time it thinks it recognizes you in a picture. This automatic facial recognition is the default and will be done unless you explicitly opt out.

It looks like you need to customize your privacy settings to disable this. In Facebook, look under the "account" menu and select "Privacy Settings".

From there click the "Customize settings" link at the bottom of the table. Within there, look for "Suggest photos of me to friends", and set it to "Disabled".

I suspect that few people will simply stumble on that.

Other people tagging you in photos can lead to embarrassment you might want to avoid. Having your name suggested just makes that more likely.

While you are at it, you might want to change the setting that allows others to "check you in" to locations. That can tell thieves you are away from home or stalkers where to find you.

CNN has a good article on the announcement. Facebook lets users opt out of facial recognition - CNN.com

 

Using Language Patterns to Pierce Anonymity

Thanks to Bruce Schneier for linking to this interesting article on using patterns in language to identify the author of emails. While the technique would not allow them to identify your anonymous emails in an ocean of others, that is rarely the real world threat scenario.

In many cases there is a relative hand full of likely authors of a given email or group of emails. It is often possible to gather large samples of emails known and acknowledged to be from the likely authors. In that case this technique has a small group of targets and excellent training materials which allow for very high levels of accuracy (the authors of the paper claim 80% - 90%). That is probably enough to get a warrant to search your home and computers.

Unless you have been unusually careful, the gig is probably up by then. Remember, this might not be for criminal matters. It many cases this would come up in whistle blowing or other non-criminal situations.

Debate about activist need for anonymity on Facebook

Amid unrest, a hard new look at online anonymity | The Social - CNET News:

This article takes an interesting look at the issues with Facebook's true name policy and the impact it has on activists and dissidents in repressive countries. It quite rightly talks about the fact that for most of the history of the Internet use of "screen names" was the default.

The odd thing about this debate is that there is basically no authentication of the names used. Many people assume that since most users are under true name that all of them are. It is trivial to set up a new account with a plausible name which can not be traced back to the real user.

I would hope that dissidents, activists and others at risk would take advantage of this simple capability to protect themselves. Yes, this is in violation of the terms of service, but I think it is for a much greater good.

If you choose to do this, take care with who you friend under this alias. If the social network you create matches your real one, or that of another account, it may be very easy to unmask your identity.

Reader question on privacy software

A reader of this blog recently emailed me to ask:

What s/w do you recommend to keep anonymous while using Gmail, IE, Outlook, and Facebook on a laptop?

This is actually a very tricky question because the nature of all of these tools, except Internet Explorer (IE), is to be associated with a visible and discoverable account and identity in the "cloud". I will discuss IE last and separately.

Gmail ties to your gmail and other Google accounts. Outlook ties to some existing email account at some email provider. Facebook is tied to your Facebook account and is explicitly designed for making your information public.

The profound question here is, what do we even mean by being anonymous using these services? I would argue that the best one can manage is to be pseudonymous; that is to maintain a persistent and visible pseudonym / alias which, while discoverable, is not associated with your true identity.

Fortunately Gmail and Facebook are free and typically do not require any real credentials to set up an account, and many of the free email providers work similarly. Using Anonymizer Universal (AU), and a browser with no history or cache to set up the accounts would ensure they were not connected to your real identity. It is important that the accounts never be accessed in any way except through AU, or they will be forever after associated with your real IP address. Furthermore, it is critical that the browser used is never used for any activity connected to your real identity, or the cookies and other digital detritus in your browser may allow these sites (or other folks) to tie the pseudonym to your other real name accounts.

IE is in many ways the easiest because there is no underlying account, but all the same rules apply. You need to ensure that you isolate your anonymous or pseudonymous activity from your real name activity.

For all of this activity a virtual machine can be a very effective tool. For example, if you use a Mac you can use a virtual machine running Windows or Linux for all of your alias activities and use the normal operating system for your real name activities. Similar tools exist for other operating systems.

Anonymizer Nevercookie tool is now available

I am very excited that we have finally released our new free "Anonymizer Nevercookie" product. You can download it here from our facebook account. It enhances the private browsing mode in Firefox to protect against a whole range of new kinds of tracking cookies that currently are nearly impossible to delete.

Loan rates based on your browser

This article on The Consumerist reports that Capital One provides different car loan rates based on the browser you use when visiting their site. I suspect that there are some strong demographic trends among the users of various browsers. It would be interesting to see if they give different rates to the same browser in different states or zip codes. Once again, evidence that "they" are using your personal information in way that may not be good for you.

Excellent EFF post on failures of Cryptography regulation

The EFF has an excellent article on eight reasons why government regulation of cryptography is a bad idea. The short answer is: the bad guys can easily get it and use it anyway, and it will make security for the rest of us much worse (not including the big brother surveillance  and constitutional issues).