Social Networkers Risk More Than Privacy | Privacy Digest

Here is another story about how bad people can use your social network presence against you. In this case, it is about home burglars using information about travel and vacation plans. This really demonstrates why I have this ambivalent relationship with social networking. On the one hand, I love being able to find and reconnect with old friends. On the other, I feel unable to use more than a tiny fraction of the capability because of the identity theft, privacy, and physical security issues associated with really opening myself to the world.

I even agonize over whether I should only "friend" real friends, so only they can see some of the content on my page. The other option is to accept everyone so analysts can't tell who my real friends are from looking at my network.

In general I have opted out. Even anonymity is a tricky thing in this context. If I go in totally anonymously, then I really get very little benefit from the site. If I try to be anonymous but still connect with friends, the anonymity will be tissue thin and instantly penetrated by anyone interested.

The Proxy Fight for Iranian Democracy - Renesys Blog

This is an article worth reading and understanding. The gist is that the use of proxies to evade censorship in Iran is failing. They are now getting blocked faster than they can be created. This is a basic flaw in the idea of simply deploying a proxy and promoting it. One must assume that the Iranian censors are monitoring the same channels you are trying to use to promote the proxy. After all, a proxy no one knows about is of little use. Public open proxies are similarly doomed because the Iranian censors can use the same discovery tools you do to find such proxies. Also, once you try to let people know about them, the same problem applies as with new proxies.

Distribution of a given proxy address to only a small number of people solves that problem, but it is very limiting. It takes tremendous numbers of proxies to serve a large population, and only those with contacts who have set up proxies are protected.

There are solutions to these problems, but they require substantial technical skills and resources to implement.

If you have contacts within Iran, do what you can to set up closed proxies that they can use to bypass censorship. In the short run, it is an effective action you can take right now. A good place to start would be here.

Google stands up to Korean push against anonymity

YouTube Korea squelches uploads, comments | Digital Media - CNET News

I am very pleased that Google is taking a stand against Korean anti-privacy laws. The law in question requires large Internet services (like YouTube) to collect real name information about any user posting content or comments. In response, Google has completely cut off any posting or commenting through the Korean version of the site. The solution Google proposes is that users should simply log in to a non-Korean version of the site and post away. This way Google never needs to capture identifying information.

It will be interesting to see if Korea responds by trying to block access to all non-Korean versions of YouTube. Obviously anonymity tools provide an excellent end run around this kind of restriction.

I find myself of two minds on how to feel about this action. On the one hand, it respects Korea's right to set its own laws within its borders, without allowing any one country to dictate how the rest of the world will use such tools. On the other hand, I find such anti-privacy policies so repugnant, I would like to see companies simply refuse to comply and pull hardware out of that country while continuing to provide the service.

In defense of extreme unmoderated anonymity

Doug Feaver - Listening to the Dot-Comments - washingtonpost.com

I am quite impressed with this article by a former executive editor of the Washington Post. He makes a strong case for the importance of anonymous comments. Attribution immediately leads to self-censorship. Anonymous comments give a much better picture of what people really think rather than what they would like to be seen to be thinking. It is not pretty, but it is reality.

A Demonstration of a vulnerability of Cloud Computing.

Careless in the Cloud: Google Accidentally Shares Some Docs -- Seeking Alpha

The article above documents a recent security breach in the on-line Google Docs system. Google Docs allows people to create and edit documents, presentations, and spreadsheets in a manner similar to the Microsoft Office software suite. Unlike Office, the Google Docs system is free and provided through a web interface. The documents are actually stored and edited within Google's servers. That is the core of the issue.

Google provides the ability to share your documents with collaborators. In this breach, Google accidentally made a number of documents available to people who were not authorized. While the fraction of documents affected was very small, it is a real wake-up call. To get my documents off my computer, you need to specifically breach my computer. A breach of the Google systems could yield the sensitive documents of an enormous number of people. They are a big target. Even accidental releases like this could put huge numbers of people at risk.

This vulnerability is not specific to Google; it applies generally to any provider of cloud computing capabilities. I personally avoid cloud computing when I can because I have high security needs, and because I find that I often need to work on my documents when I am off-line. Google is starting to do a good job of addressing the second issue, but the first is going to be harder.

Video: Hacker war drives San Francisco cloning RFID passports - Engadget

The law of unintended consequences strikes again. In an attempt to improve national security, the U.S. Government has been pushing hard for the widespread adoption of RFID tags in passports around the world. They are already in U.S. passports. The problem is that they are easily scanned from a distance (as shown in the video), and can be cloned. If the RFID chip in the passport is trusted by the authorities, then the security situation is actually worse, not better. Getting real passport information from someone used to be hard. It generally involved actually stealing the passport. With the scanner, one could produce large numbers of clones while simply standing around the airport with the antenna in one's roller luggage (staying outside of security).

The long range readable RFID tags also make possible all kinds of other tracking and identification. The video talks about correlating personal information from RFID enabled credit cards with the passport number to produce even better fakes.

Distribution of such devices around a city would provide much better and more accurate and automated tracking of a population than cameras with their resolution and facial recognition issues.

Competition in privacy policies finally starting

For many years privacy advocates have claimed that if users were fully informed and aware of privacy policies then they would vote with their feet. Privacy policies would become part of the free market decision making process, in addition to price, brand, reputation, convenience, etc. It appears this process is actually starting to take place in one industry: search engines. It is likely that they have been the first because of the significant public focus on privacy issues around search over the last few years.

First Google said they would "anonymize" their logs after 18 months, which they later shortened to 9. Yahoo countered with 13 months and has now gone to 90 days. I talked about Google's 18 month policy back in March 2007. In August 2007 I mentioned a CNET Report on privacy ratings for Search engines.

This tit for tat shortening of the identifiable log retention policies suggests that pressure around this issue is meaningful to the search engine giants. What is somewhat less clear is whether the pressure is from the market, or from the media / politicians / government.

It is still the case that the logs are not actually deleted, but rather the source IP address and user ID cookies are stripped out. There is a good Wikipedia article on the scandal around a release of "anonymized" AOL search information, and how it was still possible to identify individual users in the data.

The real proof of this trend towards privacy policy competition will be when we see elements of privacy policies being promoted front and center on diverse websites as part of their competitive positioning / marketing.

Argentine judge: Google, Yahoo must censor searches | Latest News in Politics and Law - CNET News

There is a disturbing trend towards increasing regulation of the Internet. In this case, Argentine judges have ordered Google and Yahoo to remove certain search results related to various individuals. This appears to be a back door way of removing the content without actually having to go after all the sites hosting the objectionable content. The concept is that information that can't be found is almost the same as information that does not exist at all.

Because a few search engines dominate the market, they become an easy leverage point for achieving broad objectives. Countries like China and Iran have long understood the power of censoring the search engines to block access to information they don't have easy reach to censor directly.

Surveillance of Skype Messages Found in China - NYTimes.com

Activists at Citizen Lab, a research group at the University of Toronto, have discovered a massive program of surveillance against Skype in China. Specifically the Chinese are monitoring instant message traffic on Tom-Skype, a joint venture between eBay (the owner of Skype) and a Chinese wireless operator.

It looks like all of the text messages passing through the service are scanned for key words of interest to the Chinese government. This program captures both messages within the Tom-Skype network and between that network and the rest of the Skype network.

This is yet another compelling argument for using strong encryption to prevent interception of message content. People in China can avoid this surveillance by using the non-Chinese version of Skype, and using a VPN to get the communications safely out past the Chinese scanners.

Sarah Palin email hacker

There have been a lot of articles lately talking about the fact that the person who hacked into Sarah Palin's Yahoo! account used "an anonymizer". The articles also say that the privacy provided was compromised. The unfortunate misuse of Anonymizer's registered trademark has created some confusion. The person who hacked the account used a privacy service, but not one connected in any way to Anonymizer Inc.

Changes at Anonymizer

It has been a while since the last major change to the product suite at Anonymizer. We have been thinking long and hard about how best to continue to improve the services we offer. Anyone who has been an Anonymizer customer or has ever read my blog knows of my staunch commitment to listening to our users and providing the highest quality offerings available.

Some of our products provide important capabilities, but are not unique or distinctive to Anonymizer. Lately our development team has been spread thin updating and improving a wide range of software services. I want to make sure we are focusing on our core Anonymizer tools and making them the best they can be. As part of this continuing effort, I wanted to let you know that we’ve decided to discontinue offering our Dial-Up, Digital Shredder Lite and Anti-Spyware features, effective September 15, 2008. Doing so will ensure that we can remain focused on our Anonymous Surfing, Total Net Shield, and Nyms services.

You can find the official word on this at our Anonymizer Support Center: https://www.anonymizer.com/support_center/. Subscribers can also call our dedicated customer support team at 888-270-0141 between the hours of 7:30 a.m. and 5 p.m. PST Monday-Friday.

Please leave your suggestions for how we can improve our core products either here, or better yet as feedback to our customer support center. The Internet makes for a rapidly changing landscape. Only with your suggestions can we continue to shape Anonymizer to meet your needs.

Privacy in Chrome and IE8

Both Microsoft's new beta of IE 8 and Google's beta of their new browser Chrome tout new enhanced privacy features. I have seen a few articles like this one, that talk about this issue. The Safari browser has had these features in the production version for a long time. Privacy is a complex multi-headed beast. All of these browsers address one privacy concern while ignoring others. These browsers protect you from risks associated with the stored local data about your web browsing activities. Normally, browsers keep a history of recently visited URLs, a cache of recently visited pages (for faster retrieval) and cookies from the websites you have visited (possibly not at all recently). These browsers enable you to take control of what is recorded by your browser, and how long it is kept. This is a good and important development.

These new security capabilities do nothing to protect you from information gathering by the sites you visit, or from your ISP (see my previous post on that). Your IP address is still completely visible to any site you visit, and ISPs can still intercept all your traffic.

These new privacy features are an important part of a user's toolbox, but they should not give one a false sense of security. They are part of the solution, but not a complete solution.

Before the Gunfire, Cyberattacks - NYTimes.com

I held off a while before blogging about this to see a bit of the analysis come in after the initial flush of opinion. It seems clear that a cyber attack of some kind did take place against Georgia. It also seems clear that it was Russian in origin. It further seems clear that it was timed to coincide with the Russian land assault. It is an interesting characteristic of cyber warfare that it is almost impossible to determine if this was actually government controlled, directed, sponsored, or simply an independent sympathetic effort. It is hard to rule out a scenario like support from patriotic cyber criminal organizations. There is at least some evidence that such a scenario played at least some part in the attack. Because Georgia is such a minimally wired country, the actual impact of the attacks was negligible. I would assume there are few significant connections between Georgia and the rest of the Internet. If so, they should have been able to unplug from the rest of the net while deciding how to react. A country like the US or a nation in Europe or much of Asia would be much harder pressed to disconnect because of the tremendous diversity of international interconnections. Such countries are also much more vulnerable because they rely on the Internet for many critical functions. Additionally, enormous economic damage would result from such an attack.

Judge Orders YouTube to Produce Complete Log Files

In a lawsuit by Viacom against YouTube, a judge has ordered that YouTube produce its log files of every video ever watched on YouTube. These logs will contain the user ID and IP address of every viewer. The privacy implications are obviously huge. This information is clearly personally identifying. The judge does not agree with me on this point. Here is the relevant part of the decision:

Defendants argue that the data should not be disclosed because of the users’ privacy concerns, saying that “Plaintiffs would likely be able to determine the viewing and video uploading habits of YouTube’s users based on the user’s login ID and the user’s IP address” (Do Decl. ¶ 16). But defendants cite no authority barring them from disclosing such information in civil discovery proceedings, and their privacy concerns are speculative. Defendants do not refute that the “login ID is an anonymous pseudonym that users create for themselves when they sign up with YouTube” which without more “cannot identify specific individuals” (Pls.’ Reply 44), and Google has elsewhere stated:

We . . . are strong supporters of the idea that data protection laws should apply to any data that could identify you. The reality is though that in most cases, an IP address without additional information cannot.

Google Software Engineer Alma Whitten, Are IP addresses personal?, GOOGLE PUBLIC POLICY BLOG (Feb. 22, 2008), http://googlepublicpolicy.blogspot.com/2008/02/are-ip-addresses-personal.html (Wilkens Decl. Ex. M).

Therefore, the motion to compel production of all data from the Logging database concerning each time a YouTube video has been viewed on the YouTube website or through embedding on a third-party website is granted.

Chinese Bloggers Scale The Great Firewall In Riots Aftermath - WSJ.com

In a triumph of low tech, Chinese bloggers are evading the Chinese national censorship system by simply converting their posts to read right to left rather than left to right.

Clearly this is only a short term solution, and the government will adapt quickly, but it shows again how brittle these censorship systems are.

High resolution tracking through cell phones

It appears that a company is now selling a tool that will allow high resolution tracking of the motion of customers through stores and malls by triangulating on their cell phones. The technique involves tracking the phone through its globally unique IMEI number. The company claims that this is anonymous because only the phone company knows the correspondence between the IMEI and the customer's real name.

I have very little faith in that protection. There are simply too many ways one might extract that kind of information, which could then become widely available. One could even connect the location information and IMEI data to checkout records. After a couple of trips, it would be fairly unambiguous. This is certainly clever, but disturbing. There is no opt-in or opt-out, and the tracking takes place passively with no ability for the user to detect that it is going on.

Shops track customers via mobile phone - Times Online

The strength and weakness of Internet activism

Fledgling Rebellion on Facebook Is Struck Down by Force in Egypt - washingtonpost.com

For a short time Facebook became the center of a fledgling activist movement in Egypt. Over 74,000 people registered on a Facebook page devoted to this issue. It became the primary communications path for this group, and enabled its explosive growth. It also contained the seeds of its rapid unwinding and the arrest and beating of the creator of that page.

To me this is yet another example of the "On the Internet nobody knows you're a dog" syndrome. People feel so comfortable in front of their computers, they will say and do things they would fear to do in public or face to face. Facebook is in no way anonymous, nor does it claim to be. While there are many tools that could have enabled these people to operate and organize anonymously, there is no evidence that they used any of them.

The Internet is very powerful, but it is also very public. People wishing to use it in repressive countries need to take special care to protect themselves and their visitors.

ISP admits to collecting web surfing data.

I encourage everyone to read this article by Declan McCullagh: Q&A with Charter VP: Your Web activity, logged and loaded

The gist is that Charter Communications, the third largest cable operator in the US, is testing a system to capture the URLs you visit when you browse the web, then provide that information to advertising networks through a third party company, NebuAd. They claim this information is "anonymized", but I can't really see how that is possible. If a company wants to target car ads at people who visit many car websites, then the advertiser must know that you have done so when you are shown the ad. Since they have your IP address, they know who you are (or at least have personally identifiable information).

While the advertiser may not get the actual web logs, this is a huge amount of information, and I am sure more could be gathered by a clever and systematic set of advertising targets. For each narrow target, capture information on which users match the target criteria when there is an opportunity to show them an ad.

The obvious solution is to prevent the ISP from gathering this information in the first place. Any kind of encrypted tunnel, like those provided by the various Anonymizer solutions, will prevent this kind of commercial espionage on their users.