The iOS UDID leak

Forbs is reporting that Anonymous and Antisec have dropped a file with a million Unique Device ID (UDID) numbers for Apple iOS devices. They claim to have acquired an additional 11 million records which they may release later.

In addition to the identifiers, the file is said to also contain usernames, device names, cell numbers, and addresses. It is this additional personal information that seems to be the real threat here.

The Next Web has set up a tool for checking to see if your information is in the leaked data. You don't need to enter your full UDID into the field, just the first 5 characters. That way you don't need to trust them with your information either.

None of my iOS devices showed up on the list, so I downloaded the entire file to look it over. You can see the release and download instructions here.

Looking through the document, I don't see any examples of particularly sensitive information. In the first field are the claimed UDID. The second field is a 64 digit hex string. After that is the name of the device, frequently something like "Lance's iPad". Finally is a description of the device itself: iPad, iPhone, iPod touch.

SHA hashes are 64 hex digits long, and are widely used in forensics to verify that captured evidence has not been changed. My intuition is something like that is what we are seeing in that second column.

I have no idea where the claims about addresses, and account names came from. I am not seeing anything like that.

It is interesting that Anonymous / Antisec claim that this data came from the hacked laptop of an FBI agent. This certainly raises big questions about why he would have this information on his laptop, and why the FBI has it at all.

While 12 million is a big number, it is a tiny fraction of the over 400 million iOS devices sold to date. Still, that would represent a shockingly wide dragnet if these are all being monitored in some way by law enforcement.

Of course, for all we know this list was captured evidence from some other group of hackers.

So, short answer (too late!), you probably don't have anything to worry about here, but you might want to check to see if your device is in the database anyway.

UPDATE: It appears that the UDID may tie to more information that was immediately apparent. While Apple's guidelines forbid tying UDIDs to specific account, of course that happens all the time. My friend Steve shared a link with me to an open API from OpenFeint which can tie a UDID to personal information. Certainly there are others which would reveal other information. The existence of these, and the leaked list of UDIDs would allow an app developer to tie a user's real identity to their activity and use of the app on their iOS device.

UDATE 2: I find it impossible to actually read documents from Anonymous and Antisec, they are just so poorly written. It seems I missed their statement in lines 353,354 of the pastbin where they say that they stripped out the personal information. The 64 digit block is actually the "Apple Push Notification Service DevToken". SCMagazine is reporting that the FBI is denying the laptop was hacked or that they have the UDIDs.

My philosophy on privacy and anonymity

I have recently seen chatter suggesting people are confused about my thinking and allegiances on various privacy issues. First, a few core beliefs that form the axioms underlying my actions and positions.

I believe that:

  • The basic design of the Internet and the protocols that run on top of it make it the most privacy hostile major communications media ever used.
  • Censorship and widespread surveillance are inimical to free speech and free expression.
  • Personal privacy is critical to our social, societal, and mental health.
  • There are criminals, terrorists, and governments whose activities will undermine the quality of life for myself, friends, and family.
  • Law enforcement and intelligence organizations are a necessary part of a functioning society.
  • Governments and other organizations are made up of real people with real and diverse opinions and are not monolithic entities and edifices of conformity.
  • If data is valuable to someone, and is sitting around in a database or other storage, it is very likely to be compromised at some point, in some way.

So, these basic tenants lead me to take the following opinions:

Individuals need the ability to robustly protect their privacy when engaging on-line. While not all areas of the Internet are appropriate for anonymity (I really want my bank to make sure it is me accessing my accounts), anonymity / pseudonymity should be an option in most social spaces on the Internet.

Not only are most websites not inclined or incentivized to help you be anonymous, but the very structure of the Internet encourages detailed logging such that creating anonymity friendly systems is quite hard.

All providers of privacy services are fundamentally saying “trust me and I will protect you.” Any claims about how a service works rely on the operator to have actually implemented the system as claimed. At the end of the day this is only backed up by the reputation of the operators of those systems. Choose wisely.

Criminals and other “hostiles” are indiscriminate in their use of technologies. They will use the best tool for any job. The Internet is no exception to this rule. While there is a long history and extensive precedent for plain clothes and under cover police and intelligence activities in the meatspace, the same is not true for cyberspace. Yet, the same need applies. If one is trying to engage with a criminal on the Internet, doing so as a law enforcement officer, from known law enforcement IP addresses is going to imperil the investigation at the very least.

What does this mean for me and how I comport myself?

I have chosen to very publicly back the Anonymizer.com privacy services with my personal reputation. I have been active in the personal privacy space since I started running anonymous remailers as a grad student in 1992. I have been creating new privacy services since I wrote Mixmaster in 1993. I created the “Kosovo privacy project” during the Kosovo conflict to enable people in the country to report on atrocities going on. I have provided multiple anonymity and anti-censorship tools for the Chinese and Iranian people, protecting hundreds of thousands of their citizens against their own country. Human rights and free speech are passions of mine. Anonymizer.com itself has protected countless numbers of users of its services. In all that time there has never been a case where we have violated the privacy assurances we have made to our customers. This is not because we have not been tested. Anonymizer is regularly subpoenaed for information on our customers’ activities. Compare this to a relative newcomer “HideMyAss.com.” They, as it turns out, did keep logs and were compelled to compromise the privacy of a member of LulzSec. There are numerous examples of TOR exit nodes monitoring and even altering traffic. With a much longer and weightier track record, you will find no such incidents with Anonymizer. It is logically impossible to prove a negative, but our history speaks volumes. Anonymizer will never provide a back door or violate any of our privacy assurances while my name is attached to it. Reputation is hard to earn and easy to squander. It is my personally most valuable asset.

Law enforcement and other government entities need anonymity and pseudonymity tools too. In their cases the people trying to pierce the veil are often much more motivated, skilled, funded, and resourced, than those tying to identify ordinary individuals. It is not practical, reasonable, or desirable to have these groups simply ignore the Internet in the scope of their responsibilities I have been involved in the creation and operation of numerous tools to enable such organizations to do their jobs on-line as they do off-line. In working with these people I have discovered that they are “people.” They hold diverse opinions about privacy and anonymity. Many are personally closely aligned with my beliefs. They are also tightly constrained by legal limitations on what they can do. Watching my U.S. government customers struggle with their legal departments to do even the simplest and most innocuous activities, while very frustrating, makes me sleep much better at night.

While there have certainly been times when the U.S. Government has overstepped its authorities, they are rare, and we know about these because they came out. The diversity of people in these organizations makes any of the grand conspiracies I see discussed on the Internet absurd on their face. Secrets are either known by very few people and thus limited in scope, are reasonable to just about everyone who all agree they should be kept secret, or will get leaked or blown in some way.

Some users of my personal / consumer privacy services see themselves as in opposition to some or all of my corporate or government users, and vice versa. I think both are important and I protect the anonymity of all of my customers equally. There is no “crossing of the streams.” None of my customers get any special insight into the identities or activities of any of my other customers. As above, there are no secrets like that which would last very long, and it would destroy my reputation.

Honor, reputation, and a man’s word being his bond may be very old fashioned ideas these days, but they carry great weight with me. I hope this clarifies where I stand.

Printers watermark your documents

It has long been known in security circles that many printers embed nearly invisible watermarks in all printed documents which uniquely identify the printer used. SpringyLeaks reports that a recent FOIA request revealed the names of printer companies who embed such markings and have worked with law enforcement to identify the printers used in various cases.

The article also suggest that these watermarks can be used to aid reconstruction of shredded documents.

Consumer Privacy Bill of Rights will be hard to enforce

While I am encouraged to see the recently announced Consumer Privacy Bill of Rights, it is no reason to become complacent about your privacy.

First, the Consumer Privacy Bill of Rights is a set of fairly general statements. It is unclear if or when we would see real enforcement.

Second, it will be very difficult to enforce this against non-US services, and it is almost impossible for a user to know if some or all of a website she is visiting is being provided by a non-US company.

Third, it is very difficult to tell if the policies are being violated. Unless the website uses the information directly and immediately it is very hard to tie the use of information back to the source of the information. If it is being silently collected, you really can't tell.

While such policies and statements of principle are a good thing, and one hopes that most major websites will get on board with them, if you actually want to ensure your privacy, you need to take matters into your own hands.

Block cookies, clear out old cookies, and hide your IP address with tools like Anonymizer Universal.

Google tricks iOS Safari into tracking you

Google and other online advertising companies like Vibrant Media, Media Innovation Group, and PointRoll, are using a flaw in Safari on iOS to track you despite your privacy settings.

iOS Safari is set by default to reject tracking cookies from 3rd party websites. That means that unless you are directly and intentionally interacting with a site it should not be able to cookie and track you. Specifically that is intended to prevent tracking by advertisers displaying banner ads on websites.

The hack is that these advertisers use a script within the website to cause submit an invisible web form to the advertising website, which looks to Safari like you directly interacted with that site and so allows the site to send a cookie. Another flaw in Safari causes those cookies to be returned to the 3rd party sites once they have been set.

Apple is saying that they will address the issue. Google is blaming Apple for breaking with web standards (even though almost all browsers support blocking 3rd party cookies iOS Safari is unusual in making this the default).

My suggestion:

  1. On your iOS device (iPhone, iPad, iPod Touch) go to "Settings", select "Safari", scroll down and "Clear Cookies and Data". Do this frequently.
  2. Don't log into Google or other social media sites through the browser, only use the dedicated apps.
  3. Use those social media apps to "like" or "+1" content, rather than doing so in the browser.
  4. Protect your IP address with a tool like Anonymizer Universal so these sites can't just use your IP address in place of cookies to track you when you are at home or work on a WiFi connection with a long term IP address.

The WSJ had the first article I saw on this, but it is paywalled.

9 to 5 Mac has a nice article on it.

John Battelle's searchblog tries to look at this issue from both sides.

Anonymizer Survey: Anti-virus and Firewall popular but ineffective privacy protectors

Anonymizer just released the results of a new survey of people's use of privacy protecting technologies. The short answer is that the old standards, anti-virus and firewalls, are widely used. Unfortunately they don't actually do much to protect your privacy. They are more about security.

For full details, read the article.

"Private" YouTube videos expose thumbnail images

Thanks to a PrivacyBlog reader for pointing me to this article: Blackhat SEO – Esrun » Youtube privacy failure

It looks like it is easy to find thumbnail images from YouTube videos that have been marked private.

If you have any such videos, go back and check that you are comfortable with the information in the thumbnails being public, or delete the video completely.

Amazon address exposure to strangers through your Wishlist

Amazon Customer's Privacy Exposed In theory, your Amazon wish list should allow people to buy you gifts, but should not reveal anything but the list of items you want.

Evidently, if you buy something for someone off their list, you can then see the delivery address in the order reports in your account.

Solution is to remove the delivery address from your list. Your friends and family would have to enter the delivery address manually, but one hopes that they already know it. A good description of the process is in the above linked article.

Facebook says “Anonymity on the Internet has to go away”

Randi Zuckerberg, marketing director and co-founder of Facebook said:

I think anonymity on the Internet has to go away… People behave a lot better when they have their real names down. … I think people hide behind anonymity and they feel like they can say whatever they want behind closed doors.

<irony> This of course explains why no one is a jerk or a bully on Facebook. </irony>

I have been doing this Anonymity thing for much longer than Facebook has existed. I have seen the debates and watched the reality. I am convinced that the problem is that most Internet spaces are impersonal, rather than that they are anonymous. People will be outrageously rude and offensive online while being unfailingly courteous in person, even if both situations are in real name.

In reality, most "real world" interactions are functionally anonymous, yet most of us behave most of the time.

I won't even get in to how terrible her idea would be for people under repressive regimes.

Facebook: “Anonymity on the Internet has to go away” | ZDNet

 

Big public email database with some interesting efforts at privacy launched this month

The press release linked at the bottom of this post is for a new website called AddressSearch.com. While I normally ignore most of the PR blasts sent to this blog, this one seemed worth posting because of the interesting realities and conflicts it exposes. The idea is that you can use their database to find and email people. Their database contains 68.8 million email addresses, a huge number but only a fraction of all US email addresses. Given that many such databases exist, it seems inevitable that someone would set up a service like this.

On the positive side, they are doing a few different things to try to minimize abuse. First, they are limiting users to 5 message per day (although it is not clear how that is enforced). Second, they provide some general address location information about all the name matches to make it more likely that you are going to email the correct person. Finally, they don't actually give you the recipients email address.

This last step is the most interesting. They allow you to write your email in a web form, then send it for you without revealing the recipients address to you. Of course it will be possible to abuse this, but probably not in any way that is not already widely possible. I also assume that this company keeps copies of the emails and adds your name and return address to their database. This is about protecting recipient privacy, not sender privacy.

On the whole, I am not happy that such services exist at all. I use social networking sites to make contact with me by strangers possible but only in the manner of my choosing. I don't want random people sending messages to my personal or work email addresses. Imagine a distributed attack by members of Anonymous or LulzSec all sending 5 emails each to some victim. Of course the odds are that any attacker would have little difficulty in discovering the victim's address through other means and then would not have any effective limit to the number of emails sent.

This may also turn out to be an unfortunate service for people who share a name with a celebrity. Interestingly, for people the service finds where it does not have an email address in the database, a paid ad refers you to Intelius.com where you can pay a couple of dollars to get the real address without any privacy features.

At the end of the day, the good news is that this company is making a significant effort to pay attention to the privacy implications of their service.

First-Ever Free Email Directory With Added Privacy Protection -- JACKSONVILLE, Fla., June 21, 2011 /PRNewswire/ --

 

Facebook automatically tagging your face in pictures

Face book announced that it will soon start automatically suggesting your name for tagging photos any time it thinks it recognizes you in a picture. This automatic facial recognition is the default and will be done unless you explicitly opt out.

It looks like you need to customize your privacy settings to disable this. In Facebook, look under the "account" menu and select "Privacy Settings".

From there click the "Customize settings" link at the bottom of the table. Within there, look for "Suggest photos of me to friends", and set it to "Disabled".

I suspect that few people will simply stumble on that.

Other people tagging you in photos can lead to embarrassment you might want to avoid. Having your name suggested just makes that more likely.

While you are at it, you might want to change the setting that allows others to "check you in" to locations. That can tell thieves you are away from home or stalkers where to find you.

CNN has a good article on the announcement. Facebook lets users opt out of facial recognition - CNN.com

 

Amazing power and danger of data retention

This Blog has an interesting article and link to the website of a german newspaper article (translated here).

The story is about a german politician Malte Spitz who sued to obtain the retained cell tower records for his own phone, then provided them to the newspaper. The newspaper has created a nice map and timeline tool to allow you to play Spitz's movements over 6 months. The resolution is impressive and should be a real wake up call about the level of detailed information being gathered on us all.

Of course, if the phone company was capturing GPS or WiFi based location information the data would be much more accurate. While GPS would quickly drain the battery, many modern phones have WiFi enabled all the time, so that information would be readily available without any additional impact on the phone's performance.

Debate about activist need for anonymity on Facebook

Amid unrest, a hard new look at online anonymity | The Social - CNET News:

This article takes an interesting look at the issues with Facebook's true name policy and the impact it has on activists and dissidents in repressive countries. It quite rightly talks about the fact that for most of the history of the Internet use of "screen names" was the default.

The odd thing about this debate is that there is basically no authentication of the names used. Many people assume that since most users are under true name that all of them are. It is trivial to set up a new account with a plausible name which can not be traced back to the real user.

I would hope that dissidents, activists and others at risk would take advantage of this simple capability to protect themselves. Yes, this is in violation of the terms of service, but I think it is for a much greater good.

If you choose to do this, take care with who you friend under this alias. If the social network you create matches your real one, or that of another account, it may be very easy to unmask your identity.

Reader question on privacy software

A reader of this blog recently emailed me to ask:

What s/w do you recommend to keep anonymous while using Gmail, IE, Outlook, and Facebook on a laptop?

This is actually a very tricky question because the nature of all of these tools, except Internet Explorer (IE), is to be associated with a visible and discoverable account and identity in the "cloud". I will discuss IE last and separately.

Gmail ties to your gmail and other Google accounts. Outlook ties to some existing email account at some email provider. Facebook is tied to your Facebook account and is explicitly designed for making your information public.

The profound question here is, what do we even mean by being anonymous using these services? I would argue that the best one can manage is to be pseudonymous; that is to maintain a persistent and visible pseudonym / alias which, while discoverable, is not associated with your true identity.

Fortunately Gmail and Facebook are free and typically do not require any real credentials to set up an account, and many of the free email providers work similarly. Using Anonymizer Universal (AU), and a browser with no history or cache to set up the accounts would ensure they were not connected to your real identity. It is important that the accounts never be accessed in any way except through AU, or they will be forever after associated with your real IP address. Furthermore, it is critical that the browser used is never used for any activity connected to your real identity, or the cookies and other digital detritus in your browser may allow these sites (or other folks) to tie the pseudonym to your other real name accounts.

IE is in many ways the easiest because there is no underlying account, but all the same rules apply. You need to ensure that you isolate your anonymous or pseudonymous activity from your real name activity.

For all of this activity a virtual machine can be a very effective tool. For example, if you use a Mac you can use a virtual machine running Windows or Linux for all of your alias activities and use the normal operating system for your real name activities. Similar tools exist for other operating systems.

Loan rates based on your browser

This article on The Consumerist reports that Capital One provides different car loan rates based on the browser you use when visiting their site. I suspect that there are some strong demographic trends among the users of various browsers. It would be interesting to see if they give different rates to the same browser in different states or zip codes. Once again, evidence that "they" are using your personal information in way that may not be good for you.