Anonymous iPad anyone?

Having just finished initial testing with the actual iPad device, I am pleased to announce that Anonymizer Universal (AU) provides the same level of support on the iPad that we have been providing for the iPhone and iPod Touch! Considering how these devices are going to be used, the combination of privacy along with the security when using insecure WiFi is really critical.

Tor partially blocked in China

Tor partially blocked in China | The Tor Blog That last article lead me to this post on the TOR blog from September 15, 2009 (I am a bit late to this party). China is now blocking about 80% of the public TOR nodes.

This mostly ends a rather baffling situation where for some reason the Chinese were failing to block TOR even though it was being used effectively for censorship circumvention, the list of nodes is publicly available, and they are no more difficult to block than any other server.

Once Again, Google is in a tricky spot with censorship, this time in India.

Google and India Test the Limits of Liberty - WSJ.com In this case, it is not the search engine, but their social networking site "Orkut" which is the issue. Google's troubles stem less from their actions than the fact that they are the dominant social networking site in India, and so most of those issues happen on that site.

Google has been forced to take down a lot of content, and hand over the identities of many posters. If the examples in the article are to be believed, the threshold for censorship is not high.

At the risk of repeating myself, if you live in India and you want to say something that might push or cross the line, do it with robust anonymity technology. You might still have your post taken down, but they can't come after you.

Google thinks you don't need privacy

You Have Zero Privacy Anyway -- Get Over It This is a good article by David Adams on OSnews talking about a recent quote by Google CEO Eric Schmidt saying "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place." David compares this to a similar and infamous quote by Sun's Scott McNealy.

I think the reality is not that privacy is dead, or unimportant, but that it is hard. Maintaining privacy requires thought and vigilance, now more than ever. Much as I love it, the Internet is the most surveillance enabled and friendly technology ever created.

Question from a long time customer

A long time customer recently sent in the following question. Since it should be of broad interest, I asked his permission to anonymous post and answer it here.

How do you know that subscribing to an anonymizer does not simply mark you for observation? We all know the NSA is capable of intercepting any electronic communication, and with gajillions of electronic communications happening every second, how would the NSA (or the FBI or the CIA or whoever it is who watches us) know which of those communications to watch? Seems like the people wanting anonymity would be the first on the list. Surely they COULD, couldn't they? That is, get the subscriber lists, which would enable them to intercept communications this side of the proxy - i.e., intercept on the way out, on the way TO the proxy, BEFORE it gets securely tunneled? And no, that would not be possible with the web, but it would with email. Supposedly. This is what has been proposed to me. What do you think? Does it have any validity?

It is certainly the case that the government could, in principle, monitor your access to privacy services. As long as that access is over a strongly encrypted connection, the contents of your communication, what sites you are visiting or who you are communicating with would be protected. The strength of your anonymity is then largely determined by the number of other users of the same service with which your traffic is being mixed.

In the United States, the use of privacy tools is not restricted. Strict separation of intelligence from law enforcement functions should prevent drift net monitoring of your use of Anonymizer from leading to any kind of legal investigation. The huge number of Anonymizer subscribers would also make this difficult and highly visible.

Outside of the US it is another story. Many countries exercise much greater control over the Internet. Even if it were not blocked by the Iranian government, accessing the Anonymizer website from within Iran would be a risky activity. Once again, the key here is safety in numbers. We have run anti-censorship tools in Iran that supported over 100,000 users. With those numbers, it is awkward for the government to go after people simply for using the service. This is not to say that if you are already under observation for some other reason that it would not give them added ammunition. Privacy tools are generally very effective at keeping you below the radar, but can be much less effective once you are on the radar for whatever reason.

The reality is that there is no evidence of widespread Internet surveillance being used in the US to track users of privacy services. As long as the connection to the service is well encrypted, you should be fine.

Google stands up to Korean push against anonymity

YouTube Korea squelches uploads, comments | Digital Media - CNET News I am very pleased that Google is taking a stand against Korean anti-privacy laws. The law in question requires large Internet services (like YouTube) to collect real name information about any user posting content or comments. In response, Google has completely cut off any posting or commenting through the Korean version of the site. The solution Google proposes is that users should simply log in to a non-Korean version of the site and post away. This way Google never  needs to capture identifying information.

It will be interesting to see if Korea responds by trying to block access to all non-Korean versions of YouTube. Obviously anonymity tools provide an excellent end run around this kind of restriction.

I find myself of two minds on how to feel about this action. On the one hand, it respects Korea's right to set its own laws within its borders, without allowing any one country to dictate how the rest of the world will use such tools. On the other hand, I find such anti-privacy policies so repugnant, I would like to see companies simply refuse to comply and pull hardware out of that country while continuing to provide the service.

A Demonstration of a vulnerability of Cloud Computing.

Careless in the Cloud: Google Accidentally Shares Some Docs -- Seeking Alpha The article above documents a recent security breach in the on-line Google Docs system. Google Docs allows people to create and edit documents, presentations, and spreadsheets in a manor similar to the Microsoft Office software suite. Unlike Office, the Google Docs system is free and provided through a web interface. The documents are actually stored and edited within Google's servers. That is the core of the issue.

Google provides the ability to share your documents with collaborators. In this breach, Google accidently made a number of documents available to people who were not authorized. While the fraction of documents affected was very small, it is a real wake up call. To get my documents off my computer, you need to specifically breach my computer. A breach of the Google systems could yield the sensitive documents of an enormous number of people. They are a big target. Even accidental releases like this could put huge numbers of people at risk.

This vulnerability is not specific to Google, it applies generally to any provider of cloud computing capabilities. I personally avoid cloud computing when I can because I have high security needs, and because I find that I often need to work on my documents when I am off-line. Google is starting to do a good job of addressing the second issue, but the first is going to be harder.

Competition in privacy policies finally starting

For many years privacy advocates have claimed that if users were fully informed and aware of privacy policies then they would vote with their feet. Privacy policies would become part of the free market decision making process, in addition to price, brand, reputation, convenience, etc. It appears this process is actually starting to take place in one industry: search engines. It is likely that they have been the first because of the significant public focus on privacy issues around search over the last few years.

First Google said they would "anonymize" their logs after 18 months, which they later shortened to 9. Yahoo countered with 13 months and has now gone to 90 days. I talked about Google's 18 month policy back in March 2007. In August 2007 I mentioned a CNET Report on privacy ratings for Search engines.

This tit for tat shortening of the identifiable log retention policies suggests that pressure around this issue is meaningful to the search engine giants. What is somewhat less clear is whether the pressure is from the market, or from the media / politicians / government.

It is still the case that the logs are not actually deleted, but rather the source IP address and user ID cookies are stripped out. There is a good Wikipedia article on the scandal around a release of "anonymized" AOL search information, and how it was still possible to identify individual users in the data.

The real proof of this trend towards privacy policy competition will be when we see elements of privacy policies being promoted front and center on diverse websites as part of their competitive positioning / marketing.

Privacy in Chrome and IE8

Both Microsoft's new beta of IE 8 and Google's beta of their new browser Chrome tout new enhanced privacy features. I have seen a few articles like this one, that talk about this issue. The Safari browser has had these features in the production version for a long time. Privacy is a complex multi-headed beast. All of these browsers address one privacy concern while ignoring others. These browsers protect you from risks associated with the stored local data about your web browsing activities. Normally, browsers keep a history of recently visited URLs, a cache of recently visited pages (for faster retrieval) and cookies from the websites you have visited (possibly not at all recently). These browsers enable you to take control of what is recorded by your browser, and how long it is kept. This is a good and important development.

These new security capabilities do nothing to protect you from information gathering by the sites you visit, or from your ISP (see my previous post on that). Your IP address is still completely visible to any site you visit, ISPs can still intercept all your traffic.

These new privacy features are an important part of a user's toolbox, but they should not give one a false sense of security. They are part of the solution, but not a complete solution.

Judge Orders YouTube to Produce Complete Log Files

In a lawsuit by Viacom against YouTube, a judge has ordered that YouTube produce its log files of every video ever watched on YouTube. These logs will contain the user ID and IP address of every viewer. The privacy implications are obviously huge. This information is clearly personally identifying. The judge does not agree with me on this point. Here is the relevant part of the decision:

Defendants argue that the data should not be disclosed because of the users’ privacy concerns, saying that 

“Plaintiffs would likely be able to determine the viewin and video uploading habits of YouTube’s users based on the user’s login ID and the user’s IP address” (Do Decl. ¶ 16).   

But defendants cite no authority barring them from 

disclosing such information in civil discovery proceedings,5 and their privacy concerns are speculative.  Defendants do not refute that the “login ID is an anonymous pseudonym that users create for themselves when they sign up with YouTube” which without more “cannot identify specific individuals” (Pls.’ Reply 44), and Google has elsewhere stated:   

We . . . are strong supporters of the idea that 

data protection laws should apply to any data 

that could identify you.  The reality is though 

that in most cases, an IP address without additional information cannot. 

 

Google Software Engineer Alma Whitten, Are IP addresses personal?, GOOGLE PUBLIC POLICY BLOG (Feb. 22, 2008), http://googlepublicpolicy.blogspot.com/2008/02/are-ip-addresses-personal.html (Wilkens Decl. Ex. M). 

Therefore, the motion to compel production of all data 

from the Logging database concerning each time a YouTube video has been viewed on the YouTube website or through embedding on a third-party website is granted. 

The strength and weakness of Internet activism

Fledgling Rebellion on Facebook Is Struck Down by Force in Egypt - washingtonpost.com  For a short time Facebook became the center of a fledgling activist movement in Egypt. Over 74,000 people registered on a Facebook page devoted to this issue. It became the primary communications path for this group, and enabled its explosive growth. It also contained the seeds of its rapid unwinding and the arrest and beating of the creator of that page.To me this is yet another example of the "On the Internet nobody knows you're a dog" syndrome. People feel so comfortable in front of their computers, they will say and do things they would fear to do in public or face to face. Facebook is in no way anonymous, nor does it claim to be. While there are many tools that could have enabled these people to operate and organize anonymously, there is no evidence that they used any of them.The Internet is very powerful, but it is also very public. People wishing to use it in repressive countries need to take special care to protect themselves and their visitors. 

ISP admits to collecting web surfing data.

I encourage everyone to read this article by Declan McCullagh: Q&A with Charter VP: Your Web activity, logged and loadedThe gist is that Charter Communications, the third largest cable operator in the US, is testing a system to capture the URLs you visit when you browse the web, then provide that information to advertising networks through a third party company, NebuAd. They claim this information is "anonymized", but I can't really see how that is possible. If a company wants to target car ads at people who visit many car websites, then the advertiser must know that you have done so when you are shown the ad. Since they have your IP address, they know who you are (or at least have personally identifiable information).While the advertiser may not get the actual web logs, this is a huge amount of information, and I am sure more could be gathered by a clever and systematic set of advertising targets. For each narrow target, capture information on which users match the target criteria when there is an opportunity to show them an ad.The obvious solution is to prevent the ISP from gathering this information in the first place. Any kind of encrypted tunnel, like those provided by the various Anonymizer solutions, will prevent this kind of commercial espionage on their users.

It is not easy to stay private

New Sites Make It Easier To Spy on Your Friends - WSJ.com This article does not break any new ground, but does a nice job of listing and discussing a number of tools one can use to gather information on people. They pull from on-line information sources as well as public records for things like criminal history. For employers, it would be a good place to start before hiring someone to do a full background check.The big take away at the end is that you need to make sure you reduce your Internet footprint, specifically by taking care to check the privacy box on many sites, and to simply provide no or false information to others. For example, although I would never provide a wrong age to gain access to a restricted website, I almost never provide my correct birthday because to many other sites (like banks) use that as part of your identity verification. 

Every Click You Make - washingtonpost.com

This article discusses the risk from "deep packet inspection" by ISPs. The article states that at least 100,000 people in the US are being tracked with this technology right now. If true, the impact of this could be huge. Whereas a website can only track you when you are actually visiting that site, your ISP can see all of your activity on any website or other service you use. The idea is that the information collected could be sold to advertisers to better target marketing messages to you. If you had been looking at car sites, you might see more car ads next time you visit an advertising supported website like CNN.com.This is certainly not the realm of science fiction. The Chinese government is already using this technology on a massive scale as part of their national censorship infrastructure. They use it to detect forbidden words and phrases, "Tibet" being at the top of that list right now.Most of us assume that the bad guys are "out there" on the net, and assume that our ISPs are basically just passing our traffic along without looking at it. If they start this kind of inspection, it opens all kinds of additional risks. Once the equipment is there, a rogue sysadmin could tune it to watch for passwords, personal information, bank information, etc. It opens a whole new set of vulnerabilities.Anonymizer's Total Net Shield, and Private Surfing (with full time SSL enabled) provide significant protection against this threat. Both allow you to tunnel your traffic to Anonymizer without the ISP being able to inspect it, other than to see that it is going to Anonymizer.It is shocking to me that this kind of thing should be possible without explicit user consent. Maybe we need a "truth in labeling" law for Internet service providers.  A bottle of Napa Merlot can not be so labeled unless it is from Napa and made from merlot grapes. Similarly, it should not be called an "Internet Connection" if you can't go everywhere (some ISPs are restricting certain perfectly legal protocols). If the ISP is going to spy on you, it should be in big red letters. Maybe I am OK with that, but I certainly have a right to know in advance.

Security and Privacy Aren't Opposites

What Our Top Spy Doesn't Get: Security and Privacy Aren't OppositesWow, I don't know how I missed this one back last month! I wish I had written this essay. The key point is that privacy is not the antithesis of security. Most of the privacy invading "security" solutions we see are what I call "placebo security" and Bruce calls "security theatre" . Things like the "don't fly list" which appears to catch orders of magnitude more innocents than terrorists, and the national ID card when all the terrorists had legally issued valid ID already.In fact, many measures seriously damage security, like putting personal information in the clear on drivers licenses, including Social Security Numbers in many cases! It is an axiom of security that valuable information will leak and people with access will abuse that access. The more control a government demands, the more  oversight is required. That was my real problem with warrantless wiretapping. Not the wiretapping, but the warrantless. Surveillance of anyone at any time for any reason is the hallmark of a police state. The key is independent oversight. The debate on how that should be done must be open an honest.The security vs. privacy debate seems to me to be built on dishonest assumptions. It tends to be rhetoric and political point scoring on both sides with little discussion of whether the proposed solutions or changes actually improve security, what the real trade off is, and whether that trade is worth while.We are currently being asked to sacrifice enormous amounts of privacy and freedom to confront a threat that is miniscule compared to smoking or drunk driving, threats about which few would make such arguments. 

The Anonymity Experiment | Popular Science

The Anonymity Experiment | Popular ScienceThis is an interesting article on trying to live in the modern world without leaving any digital footprints. It is nice to see they suggested Anonymizer, unfortunately they got the facts completely wrong. They suggest that anyone could run an Anonymizer proxy, and that those people could be monitoring traffic. That is true of the TOR network, but not of Anonymizer. We own and operate all of our own servers and networks, for exactly that reason. 

Script attack for capturing your browser history

This page < Bookmark button test page > contains a nice demonstration of the ability to retrieve your surfing history from your browser. In this case, it looks for any social bookmarking sites you many have visited in the past. Obviously this could be extended to look for any other sites you might have visited. For example, this would enable an attacker to target phishing attacks at you based on the bank websites you actually visit. This shows once more the doubled edged sword of browser functionality. The scripting capabilities make possible such things as Google Docs but also enables this kind of attack. They go hand in hand. The more power you give to the scripting language the more opportunity there is to abuse that power.

Ireland to start broad data retention

It looks like the trend towards wide spread retention of traffic analysis data is spreading to Ireland, one of the last holdouts in Europe. If you want to be protected from this kind of data gathering, you need to take proactive precautions. From the SANS institute:To satisfy the requirements of a European Union (EU) directive,Ireland will begin retaining records of its citizens' emails and Internet chats. While the content of the communications will not be retained, records of the IP addresses of the participants, the time and date of the communication, and the physical size of the message would be stored. The plan would take effect within one month through a statutory instrument in lieu of introducing legislation in Parliament because the country has received notice from the EU that it is three months overdue in implementing a data retention plan. A civil liberties organization has voiced its opposition to the plan as well as the way in which it is being implemented.The group maintains that law enforcement officials will be permitted to access the retained data without court orders or warrants.