It has long been known in security circles that many printers embed nearly invisible watermarks in all printed documents which uniquely identify the printer used. SpringyLeaks reports that a recent FOIA request revealed the names of printer companies who embed such markings and have worked with law enforcement to identify the printers used in various cases.
The article also suggest that these watermarks can be used to aid reconstruction of shredded documents.
Courthouse News Service reports that a virginia judge has ruled Facebook "Likes" are not protected speech.
The case was related to employees of the Hampton VA sheriff's office who "Liked" the current sheriff's opponent in the last election. After he was re-elected, he fired many of the people who had supported his opponent.
The judge ruled that posts on Facebook would have been protected, but not simple Likes.
This article from Threatpost discusses a study out of CMU of Chinese censorship of their home grown social networking websites.
Now that they are blocking most of the western social media sites entirely, the focus of censorship is internal. Obviously blocking the internal sites as well would defeat the purpose, so they are selectively deleting posts instead. This study looks at the rate at which posts with sensitive key words are removed from the services.
It clearly shows how censorship can be taken to the next level when the censor controls the websites as well as the network.
CNET has a good description of exactly how to do it.
While I am encouraged to see the recently announced Consumer Privacy Bill of Rights, it is no reason to become complacent about your privacy.
First, the Consumer Privacy Bill of Rights is a set of fairly general statements. It is unclear if or when we would see real enforcement.
Second, it will be very difficult to enforce this against non-US services, and it is almost impossible for a user to know if some or all of a website she is visiting is being provided by a non-US company.
Third, it is very difficult to tell if the policies are being violated. Unless the website uses the information directly and immediately it is very hard to tie the use of information back to the source of the information. If it is being silently collected, you really can't tell.
While such policies and statements of principle are a good thing, and one hopes that most major websites will get on board with them, if you actually want to ensure your privacy, you need to take matters into your own hands.
Block cookies, clear out old cookies, and hide your IP address with tools like Anonymizer Universal.
Google and other online advertising companies like Vibrant Media, Media Innovation Group, and PointRoll, are using a flaw in Safari on iOS to track you despite your privacy settings.
iOS Safari is set by default to reject tracking cookies from 3rd party websites. That means that unless you are directly and intentionally interacting with a site it should not be able to cookie and track you. Specifically that is intended to prevent tracking by advertisers displaying banner ads on websites.
The hack is that these advertisers use a script within the website to cause submit an invisible web form to the advertising website, which looks to Safari like you directly interacted with that site and so allows the site to send a cookie. Another flaw in Safari causes those cookies to be returned to the 3rd party sites once they have been set.
Apple is saying that they will address the issue. Google is blaming Apple for breaking with web standards (even though almost all browsers support blocking 3rd party cookies iOS Safari is unusual in making this the default).
My suggestion:
The WSJ had the first article I saw on this, but it is paywalled.
9 to 5 Mac has a nice article on it.
John Battelle's searchblog tries to look at this issue from both sides.
The FBI in conjunction with the Bureau of Justice Assistance and Joint Regional Intelligence Center have produced a number of fliers to help the public identify possible terrorists. While some of the points have merit, it is very likely that this will generate an extremely high proportion of false alerts based on perfectly reasonable and legal behaviors.
A big red flag for me were the fliers for cyber cafes and electronics stores. These suggest that the use of privacy protecting services, like Anonymizer, should be deemed suspicious. They also call out Encryption, VoIP, and communicating through video games.
In almost all of the fliers they suggest that wanting to pay cash (legal tender for all debts public and private) is suspicious.
Thanks to Public Intelligence for pulling together PDFs of the documents.
The NYTimes.com reports that Kapil Sibal, the acting telecommunications minister for India is pushing Google, Microsoft, Yahoo and Facebook to more actively and effectively screen their content for disparaging, inflammatory and defamatory content.
Specifically Mr. Sibal is telling these companies that automated screening is insufficient and that they should have humans read and approve allmessages before they are posted.
This demand is both absurd and offensive.
Anonymizer just released the results of a new survey of people's use of privacy protecting technologies. The short answer is that the old standards, anti-virus and firewalls, are widely used. Unfortunately they don't actually do much to protect your privacy. They are more about security.
For full details, read the article.
Thanks to a PrivacyBlog reader for pointing me to this article: Blackhat SEO – Esrun » Youtube privacy failure
It looks like it is easy to find thumbnail images from YouTube videos that have been marked private.
If you have any such videos, go back and check that you are comfortable with the information in the thumbnails being public, or delete the video completely.
HideMyAss.com keeps logs and exposes their users. Why that is a bad policy, and how to judge a good privacy provider.
Read MoreSchneier on Security: Domain-in-the-Middle Attacks
Bruce Schneier on the real world effectiveness of a very simple domain name based man in the middle attack.
Here is a Wired article on the same issue showing how it was used to steal 20 GB of email from a Fortune 500 company.
It looks like Microsoft got caught using "evercookie" or "supercookie" technologies to recreate tracking cookies even after users have tried to delete them from their browsers.
Sneaky tracking code (finally) purged from Microsoft sites • The Register
Amazon Customer's Privacy Exposed In theory, your Amazon wish list should allow people to buy you gifts, but should not reveal anything but the list of items you want.
Evidently, if you buy something for someone off their list, you can then see the delivery address in the order reports in your account.
Solution is to remove the delivery address from your list. Your friends and family would have to enter the delivery address manually, but one hopes that they already know it. A good description of the process is in the above linked article.
Vendor of Stolen Bank Cards Hacked — Krebs on Security Brian Krebs has an interesting blog post on how all of the credit card information was stolen by a hacker from a website that sells stolen credit cards.
This is in the "don't know whether to laugh or cry" department.
Back in February, British Prime Minister David Cameron gave a speech where he strongly opposed the censorship and crack down on protesters in Egypt.
For decades, some have argued that stability required highly controlling regimes, and that reform and openness would put that stability at risk. So, the argument went, countries like Britain faced a choice between our interests and our values. And to be honest, we should acknowledge that sometimes we have made such calculations in the past. But I say that is a false choice.
As recent events have confirmed, denying people their basic rights does not preserve stability, rather the reverse. Our interests lie in upholding our values - in insisting on the right to peaceful protest, in freedom of speech and the internet, in freedom of assembly and the rule of law. But these are not just our values, but the entitlement of people everywhere; of people in Tahrir Square as much as Trafalgar Square.
Now, with the riots in England he feels that restricting access to social media, and censoring free speech is necessary to maintain order.
Everyone watching these horrific actions will be struck by how they were organised via social media. Free flow of information can be used for good. But it can also be used for ill. And when people are using social media for violence we need to stop them. So we are working with the police, the intelligence services and industry to look at whether it would be right to stop people communicating via these websites and services when we know they are plotting violence, disorder and criminality. I have also asked the police if they need any other new powers. Police were facing a new circumstance where rioters were using the BlackBerry Messenger service, a closed network, to organise riots. We've got to examine that and work out how to get ahead of them.
It is easy to condemn censorship in others, but it seems expedient when one is trying to control one's own population. When in power, the difference between justifiable actions and tyranny is largely a matter of "us" vs "them". "We" are good and would not abuse this power while "they" use censorship to keep the boot of oppression on their people.
The trouble is, it is very hard to know when one has moved past the tipping point, and powerful self justification comes easily to intelligent leaders and their advisors. As has been said many times "no man is the villein of his own story".
This is a Rubicon I hope the UK can hold back from crossing.
Researchers analyzing results from the ICSI Netalyzer project have found ISPs redirecting traffic bound for Yahoo! and Bing to third parties like Paxfire, Barefruit, and Golog. According to this EFF article:
Netalyzr's measurements show that approximately a dozen US Internet Service Providers (ISPs), including DirecPC, Frontier, Hughes, and Wide Open West, deliberately and with no visible indication route thousands of users' entire web search traffic via Paxfire's web proxies.
This appears to be done by returning the IP address of the intercepting server rather than the true IP address when you do a DNS lookup of the server (www.yahoo.com for example). Your browser then connects to Paxfire or one of the other companies, rather than yahoo, allowing them to collect data on your activity and possibly modify the results.
There are some things you can do to protect yourself. If your connection to the website is using SSL, or if you have a VPN, your ISP can not intercept or modify your connection.
If you are running FireFox you can install the "HTTPS Everywhere" extension, which will ensure that your connection uses SSL for most of the most popular sites on the Internet.
Using Anonymizer Universal will ensure 100% of your traffic goes over an encrypted connection which will prevent this kind of interception for all websites.
I encourage all of you to visit the ICSI Netalyzer website to test your connection and your ISP for this kind of interception, and to contribute information for their research to detect this kind of strange and/or nefarious activity.
Randi Zuckerberg, marketing director and co-founder of Facebook said:
I think anonymity on the Internet has to go away… People behave a lot better when they have their real names down. … I think people hide behind anonymity and they feel like they can say whatever they want behind closed doors.
<irony> This of course explains why no one is a jerk or a bully on Facebook. </irony>
I have been doing this Anonymity thing for much longer than Facebook has existed. I have seen the debates and watched the reality. I am convinced that the problem is that most Internet spaces are impersonal, rather than that they are anonymous. People will be outrageously rude and offensive online while being unfailingly courteous in person, even if both situations are in real name.
In reality, most "real world" interactions are functionally anonymous, yet most of us behave most of the time.
I won't even get in to how terrible her idea would be for people under repressive regimes.
Facebook: “Anonymity on the Internet has to go away” | ZDNet
Publicly accessible Wi-Fi geolocation databases enable tracking of individual laptops and cell phones.
Read MoreHouse panel approves broadened ISP snooping bill | Privacy Inc. - CNET News
Declan McCullagh of CNET is reporting on a bill to require ISPs to maintain massive records on their users. According to the article this bill requires commercial Internet providers to retain "customers' names, addresses, phone numbers, credit card numbers, bank account numbers, and temporarily-assigned IP addresses".
They are calling it the "Protecting Children From Internet Pornographers Act of 2011" in a flagrent attempt to make it politically difficult to vote against it even though the bill has noting directly to do with Internet pornography or protecting children.
Were this bill to become law, it might cause real problems for the growth of public Wi-Fi where there is no user authentication. That would be a huge leap backwards for a very possitive trend of late.
Of course, criminals will continue to be trivially able to circumvent such tracking efforts making this primarily a mechanism for gathering information on innocent persons without any hint of suspicion or probably cause.
It is absolutely un-American to require every citizen to submit to continuous tracking and monitoring on the possibility that some tiny fraction of us will commit a crime. Law enforcement always lobbies hard for such provisions. Make sure your voice is heard that you value your privacy and your rights.
Contact your Representitive and Senators if this is something you feel strongly about.