Loan rates based on your browser

This article on The Consumerist reports that Capital One provides different car loan rates based on the browser you use when visiting their site. I suspect that there are some strong demographic trends among the users of various browsers. It would be interesting to see if they give different rates to the same browser in different states or zip codes. Once again, evidence that "they" are using your personal information in a way that may not be good for you.

Excellent EFF post on failures of Cryptography regulation

The EFF has an excellent article on eight reasons why government regulation of cryptography is a bad idea. The short answer is: the bad guys can easily get it and use it anyway, and it will make security for the rest of us much worse (not including the big brother surveillance and constitutional issues).

RIM averts BlackBerry ban in UAE | Security - CNET News

The announcement provides very little information about what RIM did to avert the ban, whether they made significant changes (compromises) to their system, or whether the UAE blinked and backed down from the threatened ban.

India continues move towards surveillance state

India to Monitor Google and Skype - WSJ.com. As an extension of their policy of pushing for access to encrypted communications on RIM BlackBerry devices, they are now demanding access to data from both Google and Skype. India is demanding that Skype and Google install servers within India so the government can access the information on Indian users.

Obviously bad guys can trivially bypass this through the use of VPNs and by taking care to use servers located outside of India. The real impact will be to open all legitimate Internet users to universal surveillance.

Debate on recording on-duty police

Thanks to David Brin for linking to this article in reason.com about the debate over arresting people for recording active duty police officers. In general the specific law being broken is about making audio recordings without the consent of all parties.

As a privacy advocate, I find this situation puts me in an uncomfortable situation. On the one hand there is concern about the privacy interests of the police officers. On the other hand, this is one of the only ways of demonstrating police abuse or other bad actions. It also acts to balance the playing field where the police are already routinely recording most interactions through the use of dashboard cameras.

The origin of the term surveillance is from the Latin sur- "over" + veiller "to watch". It implies that surveillance is about being watched by those in power (above).

Sousveillance is a term that has been coined recently to describe participant recording, or recording from "below". That feels like a very different thing that should be fine as long as it is not hidden, especially in circumstances where there is not a clear expectation of privacy.

I guess my solution to the conundrum would be to state that there should be no expectation of privacy on the part of authorities from recording when they are exercising those authorities. The citizens being interacted with would have a possible privacy expectation with respect to recording third parties however.

I am very interested in feedback and other thoughts on this one.

Facebook Introduces "Places" location services

There has been a lot of excitement in the privacy community around the introduction of a social location service by Facebook. Having blown the dust off my test account, I don't really understand all the fuss.

It appears that this capability only applies to mobile devices right now (although I have blogged in the past about the ability to locate your computer). When using the mobile site, or the Facebook app, there is a button that allows you to "Check In" at your current location. It appears that this is exclusively an overt act, and that nothing is taking place passively in the background.

The privacy defaults (at least for me) were fairly restrictive. My check-in is only shared with "friends" by default. The only really interesting setting was that it defaults to show your location to others who are checked-in at the same location around the same time, but that was easily changed.

The FAQ talks about and links to the privacy settings in a prominent way. It feels strange to say this, but I don't think they have done a bad thing here. Obviously there are major privacy and security implications to telling people where you are all the time, and it may lead to stalking and/or home robberies, but you really have to ask them to do it to you. Caveat emptor.

Of course, none of this should suggest that I have any intention of ever using the service myself.

I note that most of the other social location players, like Gowalla, Yelp, Booyah and Foursquare were at the announcement. This could certainly impact them in a big way, either for good or ill. That seems like the real story, and my thoughts on that are well out of scope for this blog.

Breach in the trust of the global public key infrastructure

In a recent post on Privacy Digest, and an article in the NYTimes, there is a discussion of some major and well known vulnerabilities in the global public key infrastructure (PKI) and some examples of exploitation of those vulnerabilities.

The issue is with the proliferation of certificate authorities on the Internet, and the low level of oversight on their policies.

Using the web as an example, here is how it works. Embedded in every browser is a list of "certificate authorities". These are companies that are deemed trustworthy to issue and sign website certificates. Website certificates are what allow websites to be authenticated by your browser and enable SSL-based secure connections (e.g. to your bank).

These certificate authorities may also be able to delegate their certificate signing authorities to other secondary certificate authority organizations. The list of primary certificate authorities in your browser is long (I count 43 in my copy of Firefox), and who knows how many secondary certificate authorities may be out there. These certificate authorities exist all over the world, and any of them can issue a certificate that your browser will accept as valid.

A malevolent certificate authority could issue certificates to allow them to impersonate any secure website.

The articles talk specifically about a secondary certificate authority called Etisalat, located in the UAE. They created a certificate which allowed them to sign code which would be accepted as valid and authorized by BlackBerry cell phones. They then created and distributed software to about 100,000 users which enabled government surveillance of the devices. RIM, the maker of BlackBerry, was able to detect and patch this introduced back door.

Etisalat could create certificates to allow the UAE to intercept and read all secure web traffic traveling over networks within that country.

It is likely that there are many other certificate authorities that are similarly willing to compromise the security of the PKI for various ends. To date, no action has been taken against Etisalat. The EFF is calling for Verizon to revoke Etisalat's ability to issue certificates (Verizon is the primary authority that delegated to Etisalat as the secondary).
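A minimal model of the validation rule described in this post, added here as an illustration and not taken from the articles or from any browser's code. It shows that a chain ending at any listed root is accepted for any site name, and that remembering which CA issued a site's genuine certificate lets a client notice the substitution. The names `Cert`, `validate_chain`, `issuer_matches_pin` and all sample authorities are hypothetical, and signature verification is omitted.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str         # who the certificate names
    issuer: str          # who signed it
    is_ca: bool = False  # may this certificate sign others?

def validate_chain(chain, trusted_roots):
    """Return the trusted root a chain ends at, or None if it is rejected.

    chain[0] is the site certificate; each later entry must be a CA that
    issued the one before it. Signature checks are omitted in this model.
    """
    if not chain:
        return None
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject or not parent.is_ca:
            return None
    top = chain[-1]
    return top.issuer if top.issuer in trusted_roots else None

def issuer_matches_pin(chain, pins):
    """True when the site's issuing CA is the one recorded for that site."""
    site = chain[0]
    return pins.get(site.subject) == site.issuer

# Constructed data: two roots in the browser list, one of which has delegated
# signing authority to a secondary (subordinate) CA.
TRUSTED_ROOTS = {"Root A", "Root B"}
SUB_CA = Cert("Subordinate CA", "Root B", is_ca=True)
PINS = {"bank.example": "Root A"}  # issuer seen on the bank's real certificate

genuine = [Cert("bank.example", "Root A")]
misissued = [Cert("bank.example", "Subordinate CA"), SUB_CA]
not_a_ca = [Cert("bank.example", "shop.example"), Cert("shop.example", "Root A")]

def report(chain):
    """(root the chain validates to, whether the issuer matches the pin)."""
    return validate_chain(chain, TRUSTED_ROOTS), issuer_matches_pin(chain, PINS)

if __name__ == "__main__":
    for name, chain in [("genuine", genuine), ("misissued", misissued),
                        ("not_a_ca", not_a_ca)]:
        print(name, report(chain))
```

The misissued chain passes ordinary validation because it ends at a listed root; only the issuer comparison distinguishes it from the genuine certificate.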

Hack Exploits Google Street View to Find Victims - The New New Internet

This very short article describes a really simple attack that enables someone to discover your physical location with a very high degree of reliability and accuracy.

It involves using JavaScript to access the MAC address of your WiFi wireless access point (base station). The examples for this I have seen are IE specific. Any malware that has gotten itself installed on your computer could also do this.

Given that MAC address, it is easy to pass it to a Location Services API, which returns a location good to a few hundred feet, sometimes much closer. Here is a website that does this for you.

Eric Schmidt against Anonymity

In this interview, Eric Schmidt, CEO of Google, comes out very strongly against anonymity starting at about 5:10 in the video. His argument is that: "If you are trying to commit a terrible evil crime it is not obvious that you should be able to do so with complete anonymity." The problem is that absolute and complete anonymity is easy for criminals. There is a robust economy in stolen accounts, botnets, stolen credit cards, open networks and other capabilities that enable absolute anonymity for anyone willing to violate the law. It is only anonymity for the law abiding that is difficult, which is the reason Anonymizer exists. Arguing against anonymity is, for all practical purposes, only arguing against anonymity for legitimate purposes while it thrives for illegitimate purposes.

I will spare you the lecture on the history of anonymity and anonymous speech dating back to the founders of the United States.

BTW, this was delayed for a while while I struggled with getting embedding working within WordPress. It seems to be working now on Firefox, but not when I view in Safari. Please comment with how I am being stupid if you know what is going wrong.

Security of BlackBerry in question

There has been a lot of media coverage of the threats of Saudi Arabia and the UAE to shut down BlackBerry connectivity in their countries unless RIM (the maker of BlackBerry) introduces a back door so they can monitor communications. I have been following this story closely, but wanted to wait until I had all the facts before blogging about it. At this point I don't think I am going to get the whole story. The statements I am seeing are absolutely contradictory and the whole thing is getting really fishy.

UAE/SA say that they need to be able to access BlackBerry communications, but they can't.

RIM says that their technology makes interception impossible because the communications are encrypted end to end between the BES server (located at the user's place of business) and the handset. RIM claims not to have access to the decryption keys.

Third parties claim that RIM has arrangements with other countries (including the US and Russia) which allow such access.

RIM responds that this is false and that they don't have this ability.

It looks like RIM and UAE/SA will come to an agreement while both continue to claim that they have not compromised their positions.

The moral of this story is that you should not trust security you cannot fully analyze yourself. Anonymizer Universal uses strongly encrypted L2TP VPN technology to secure your information so even if your telecommunications provider is cooperating with surveillance they still can't read the contents of your messages.

Unfortunately Anonymizer Universal does not support BlackBerry yet, but iPhone, Windows, and Mac users are protected.