The Looming End of Network Neutrality and How to Protect Yourself

Let’s get this out right up front. I am a strong advocate for network neutrality. ISPs like Comcast say that these regulations strangle innovation, and that all the concerns about how they might abuse their position are just paranoia.

First a quick review. Network Neutrality is the principle that ISPs should not discriminate between the different sources of traffic on their network. My YouTube, your Facebook, his BitTorrent, her porn site, all should have the same access to, and performance on, the internet. In effect, the internet is like water or electricity, a utility delivered to your doorstep. Those utilities don’t get to control how I use those resources, or limit my ability to plug in certain brands of appliance. Similarly, the utilities should not be able to inject things into the water or send unwanted messages over your electric wires. They are just providing a simple service.

The big ISPs have a long history of abusing their near monopoly status. Way back in 2007, I wrote a blog on how Comcast was blocking BitTorrent traffic. Despite their repeated denials, the Associated Press was finally able to prove that they were.

In 2013, Comcast was called out for injecting code into the websites users were visiting. At that time the code was mostly notifying users that they were close to their data cap. To do this, Comcast is intercepting your connection to the website, reading the content, then modifying it to add their code before sending it on to you. They, and other ISPs, were still at it in 2015 despite all the backlash.

Now in late 2017, partly because of the Network Neutrality debate, we are seeing reports of this again. There is no way to opt out of this, and for most Americans, there is only one choice for a fast network connection where they live. Changing providers is simply not an option.

American ISPs have generally avoided obvious throttling of commercial content because of the threat of enforcement of Network Neutrality regulations, and the possibility of stronger ones to come if they did. They are claiming that if the regulations are removed, they will continue to act in good faith.

While the companies won’t let you opt out, you do have a technical way directly preventing them from messing with your traffic, a VPN. Services like Anonymizer create an encrypted path past your ISP out to the internet. There is no way for the ISP to see the contents of your communication either to modify it, or to throttle it.

If this is an issue that you feel is important too, you can make the issue more visible with some of the techniques and suggestions here.

Russia accelerates requirement for local Internet control

Russia whitehouse gate On September 24, the Russian Duma passed a bill moving the date on which all Internet services must host local data locally from Sept 1, 2016 to Jan 1, 2015. That is an effectively impossible timeline for international Internet companies, which is probably the whole point.

While the bill has not been finally passed, the remaining steps are mostly formality.

Russia is suggesting that foreign firms could rent infrastructure, if they will have no time to build, giving Russia even stronger leverage.

My original post on the law was back in July, and I talked about other Russian Internet control and censorship activity here.

https://www.youtube.com/watch?v=FmH4hK05_78

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

Brazil enforcing ban on Anonymity

Sauron-BrazilA Brazilian court is enforcing a constitutional ban on anonymity by requiring Apple and Google to remove Secret, an anonymous social network chatting app from their app stores. Microsoft is being required to remove Cryptic, a similar windows phone app. In addition to that, they have been ordered to remove the app from the phones of all users who have installed it. These kinds of retroactive orders to have companies intrusively modify the contents of all of their customer’s devices are concerning. At least these apps are free, if users had paid for them, that would introduce another complication.

One wonders how this will apply to tourists or business travelers visiting Brazil. Will their phones be impacted as well?

The law exists to allow victims of libel or slander to identify and confront their those speakers.

While this ruling only applies to Apple, Google, and Microsoft, and only with respect to the Secret and Cryptic apps, the underlying principle extends much further. There are still final rulings to come, so this is not the last word on this situation.

Anonymizer has had a great many Brazilian customers for many years. Anonymizer provides those users important protections which are well established in international human rights law. We certainly hope that they will continue to be allowed to use our services.

Brazil Court Issues Injunction Against Secret And Calls For App To Be Remotely Wiped | TechCrunch

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

More proof that the web security model is totaly broken

Broken cyber lock Fake Google Digital Certificates Found & Confiscated

On July 2, Google engineers discovered unauthorized certificates for Google domains in circulation. They had been issued by the National Informatics Center in India. They are a trusted sub-authority under the Indian Controller of Certifying Authorities (CCA). They in turn are part of the Microsoft Root Store of certificates, so just about any program running on Windows, including Explorer and Chrome, will trust the unauthorized certificates.

The power of this attack is that the holder of the private key to the certificate can impersonate secure Google servers. Your browser would not report any security alerts because the certificate is “properly” signed and trusted within the built in trust hierarchy.

Firefox does not have the CCA in its root certificate list and so is not affected. Likewise Mac OS, iOS, Android, and Chrome OS are safe from this particular incident as well.

It is not known exactly why these certificates were issued, but the obvious use would be national surveillance.

While this attack seems to be targeted to India and only impacts the Microsoft ecosystem, the larger problem is much more general. There is a long list of trusted certificate authorities, which in turn delegate trust to a vast number of sub-authorities, any of whom can trivially create certificates for any domain which would be trusted by your computer.

In this case the attack was detected quickly, but if it had been very narrowly targeted detection would have been very unlikely and monitoring could have continued over very long periods.

As an end user, you can install Certificate Patrol in Firefox to automatically detect when a website’s certificate is changed. This would detect this kind of attack.

On Chrome you should enable “Check for server certificate revocation” in advanced settings. That will at least allow quick protection once a certificate is compromised.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

Update: Microsoft has issued an emergency patch removing trust from the compromised authority.

New Russian law requires data to be stored inside Russia

Russia Flag Keyboard

Continuing the pattern of Internet restrictions I talked about before, Russia has passed a new law requiring Internet companies to keep the personal data of Russians in data centers within the country. The ostensible reason for this is to protect Russians against US Government snooping (in the wake of the Snowden leaks), and against other outside threats.

The law requires that companies doing business in Russia must open data centers within the borders by 2016 or be blocked.

There are many ways for people motivated to bypass these restriction to access whatever they want, but most people will just use what is available, giving the Russian government more ability to monitor the activities of their citizens themselves. 

Russia passes law requiring online personal data to be stored inside its borders | The Verge

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

Shanghai getting more relaxed great firewall

The South China Morning Post reports that the ban on Facebook, Twitter, the New York Times, and many other sites, will be lifted, but only in the Shanghai free-trade zone.

The information came from anonymous government sources within China. The purpose is to make the zone more attractive to foreign companies and workers who expect open Internet access. The sources say that the more open access may be expanded into the surrounding territory if the experiment is successful.

It will be interesting to see if this actually comes to pass.

Two questions occur to me. First, will the free-trade zone be considered to be outside the firewall, and hard to access from within the rest of China? Second, is this as much about surveillance of activity on those websites as it is about providing free access?

Japanese ask sites to block "abusive" TOR users.

Wired reports on a move by the Japanese government to ask websites to block users who "abuse" TOR. 

I assume that TOR is being used as an example, and it would apply to any secure privacy tool.

The interesting question is whether this is simply a foot in the door on the way to banning anonymity, or at least making its use evidence of evil intent.

Currently, public privacy services make little effort to hide themselves. Traffic from them is easily detected as being from an anonymity system. If blocking becomes common, many systems may start implementing more effective stealth systems, which would make filtering anonymity for security reasons even harder.

The Privacy Blog Podcast – Ep.7: Blacklisted SSL Certificates, Social Media Hacking, and the “Right to be Forgotten” Online

Welcome to episode 7 of The Privacy Blog Podcast. In April’s episode, we’ll be looking at the blacklisting of SSL certificate authorities by Mozilla Firefox - Specifically, what this complex issue means and why Mozilla chose to start doing this.

In more breaking online privacy news, I will be discussing the security implications of relying on social media following the hacking of the Associated Press Twitter account earlier this week.

Next, I’ll chat about the “right to be forgotten” on the Internet, which hinges on the struggle between online privacy and free speech rights. In a closely related topic and following Google’s release of the new “Inactive Account Manager,” I will discuss what happens to our social media presence and cloud data when we die. It’s a topic none of us likes to dwell on, but it’s worth taking the time to think about our digital afterlife.

Dark alleys of the Internet not actually the dangerous parts.

For years I have been telling people to be especially careful when they venture into the dark back alleys of the Internet. My thinking was that these more "wild west" areas would be home to most of the malware and other attacks.

Dark Reading analyzes a Cisco report which says that online shopping sites and search engines are over 20 times more likely to deliver malware than counterfeit software sites. Advertisers are 182 times more dangerous than pornography sites.

So, I guess I need to change my tune. Be careful when you are going about your daily business, and have fun in those dark alleys!

Nokia does a man in the middle attack on your secure mobile browsing

Gigaom reports on a major security issue at Nokia, first announced in the "Treasure Hunt" blog.

Their Asha and Lumia phones come with something they call the "Xpress Browser". To improve the browser experience, the web traffic is proxies and cached. That is a fairly common and accepted practice.

Where Nokia has stepped into questionable territory is when it does this for secure web traffic (URLs starting with HTTPS://). Ordinarily it is impossible to cache secure web pages because the encryption key is unique and used only for a single session, and is negotiated directly between the browser and the target website. If it was cached no one would be able to read the cached data.

Nokia is doing a "man in the middle attack" on the user's secure browser traffic. Nokia does this by having all web traffic sent to their proxy servers. The proxy then impersonate the intended website to the phone, and set up a new secure connection between the proxy and the real website.

Ordinarily this would generate security alerts because the proxy would not have the real website's cryptographic Certificate. Nokia gets around this by creating new certificates which are signed by a certificate authority they control and which is pre-installed and automatically trusted by the phone.

So, you try to go to Gmail. The proxy intercepts that connection, and gives you a fake Gmail certificate signed by the Nokia certificate authority. Your phone trusts that so everything goes smoothly. The proxy then securely connects to Gmail using the real certificate. Nokia can cache the data, and the user gets a faster experience.

All good right?

The fly in the ointment is that Nokia now has access to all of your secure browser traffic in the clear, including email, banking, etc.

They claim that they don't look at this information, and I think that is probably true. The problem is that you can't really rely on that. What if Nokia gets a subpoena? What about hackers? What about accidental storage or logging?

This is a significant breaking of the HTTPS security model without any warning to end users.

Syria switches tactics and kills their Internet

Fast Company has a good article laying out the state of events regarding the Internet in Syria.

Here is the short version. Syria has changed tactics from keeping the Internet available but highly monitored and surveilled, to turning off apparently absolutely all Internet connectivity within the country. 

Syria was unique in its cyber response to their Arab Spring uprisings. Rather than lock down the Internet, they actually un-blocked some popular social media sites. They did this because of the incredible surveillance capabilities this makes possible. Business Week has a nice story on this aspect.

The change of face would seem to have a few possible reasons.

1) Dissident tactics like encryption are making the surveillance less effective.

2) The damage from dissident publishing is greater than the value of the intelligence.

3) The Syrian government is about to do something really nasty and they want to make it very hard to report about it.

We shall see. The fact that the Syrian government appears to have turned off even its own Internet access suggests that they are worried about any leaks through the wall, which makes reason 3 seem more probable.

App accuses you of piracy using your own Twitter account.

Dictionary apps post false piracy confessions on Twitter - Crave

The Oxford Deluxe dictionary app requests access to your twitter account when it is installed. In some cases it then uses that account to post hundreds of identical tweets saying that you will pledge to stop pirating software.

It is not exactly clear what criteria the software uses, but obviously there is a lot of backlash going on.

Another argument for taking great care about what applications and services you allow to take control of your social media accounts.

Google gets 55% more government information requests in 2012 than 2010

Google Transparency Report shows government surveillance, takedown requests are up.

The number of information requests coming to Google from governments around the world is growing fast. It is up 55% for the first half of 2012 vs. the first half of 2010. The linked article has some nice graphs showing the trend.

It is interesting to note that the US leads the world with over a third of the total requests, followed by India then Brazil.

The other even faster trend is in takedown requests. Since they are s search engine, not a host, this is really pure censorship. It is up 88% between the first half of 2011 and the first half of 2012. That is a true hockey stick. A lot of it appears to be trying to suppress criticism of government or government activities.

The more such information is gathered, the more important it is to take control of your own personal privacy.

Facebook "Like" not protected speech in Virginia

Courthouse News Service reports that a virginia judge has ruled Facebook "Likes" are not protected speech.

The case was related to employees of the Hampton VA sheriff's office who "Liked" the current sheriff's opponent in the last election. After he was re-elected, he fired many of the people who had supported his opponent.

The judge ruled that posts on Facebook would have been protected, but not simple Likes.

Interesting study of message deletion censorship

This article from Threatpost discusses a study out of CMU of Chinese censorship of their home grown social networking websites.

Now that they are blocking most of the western social media sites entirely, the focus of censorship is internal. Obviously blocking the internal sites as well would defeat the purpose, so they are selectively deleting posts instead. This study looks at the rate at which posts with sensitive key words are removed from the services.

It clearly shows how censorship can be taken to the next level when the censor controls the websites as well as the network.

"Private" YouTube videos expose thumbnail images

Thanks to a PrivacyBlog reader for pointing me to this article: Blackhat SEO – Esrun » Youtube privacy failure

It looks like it is easy to find thumbnail images from YouTube videos that have been marked private.

If you have any such videos, go back and check that you are comfortable with the information in the thumbnails being public, or delete the video completely.

PM David Cameron on censorship: bad when you do it, OK when I do it.

Back in February, British Prime Minister David Cameron gave a speech where he strongly opposed the censorship and crack down on protesters in Egypt.

For decades, some have argued that stability required highly controlling regimes, and that reform and openness would put that stability at risk. So, the argument went, countries like Britain faced a choice between our interests and our values. And to be honest, we should acknowledge that sometimes we have made such calculations in the past. But I say that is a false choice.
As recent events have confirmed, denying people their basic rights does not preserve stability, rather the reverse. Our interests lie in upholding our values - in insisting on the right to peaceful protest, in freedom of speech and the internet, in freedom of assembly and the rule of law. But these are not just our values, but the entitlement of people everywhere; of people in Tahrir Square as much as Trafalgar Square.

Now, with the riots in England he feels that restricting access to social media, and censoring free speech is necessary to maintain order.

Everyone watching these horrific actions will be struck by how they were organised via social media. Free flow of information can be used for good. But it can also be used for ill. And when people are using social media for violence we need to stop them. So we are working with the police, the intelligence services and industry to look at whether it would be right to stop people communicating via these websites and services when we know they are plotting violence, disorder and criminality. I have also asked the police if they need any other new powers. Police were facing a new circumstance where rioters were using the BlackBerry Messenger service, a closed network, to organise riots. We've got to examine that and work out how to get ahead of them.

It is easy to condemn censorship in others, but it seems expedient when one is trying to control one's own population. When in power, the difference between justifiable actions and tyranny is largely a matter of "us" vs "them". "We" are good and would not abuse this power while "they" use censorship to keep the boot of oppression on their people.

The trouble is, it is very hard to know when one has moved past the tipping point, and powerful self justification comes easily to intelligent leaders and their advisors. As has been said many times "no man is the villein of his own story".

This is a Rubicon I hope the UK can hold back from crossing.