Anonymity is only as strong as the group you are hiding in


Your Anonymous Posts to Secret Aren’t Anonymous After All | Threat Level | WIRED

This article describes a clever attack against Secret, the “anonymous” secret sharing app.

Their technique allows the attacker to isolate just a single target, so any posts seen are known to be from them. The company is working on detecting and preventing this attack, but it is a hard problem.

In general, any anonymity system needs to blend the activity of a number of users so that any observed activity could have originated from any of them. For effective anonymity the number needs to be large. Just pulling from the friends in my address book who also use Secret is way too small a group.
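To put numbers on the point above, here is a small sketch, added as an illustration and not taken from the WIRED article or from Secret's code. It models the crowd as the viewer's contacts who also use the service, and also reports an entropy-based "effective" crowd size, a standard anonymity metric that this post does not itself describe. The account names, post counts and the MIN_CROWD threshold are assumptions.

```python
import math

# Constructed sample data: recent post counts per account (hypothetical names).
POST_COUNTS = {"alice": 12, "bob": 1, "carol": 1, "dave": 0, "erin": 6}
MIN_CROWD = 5  # assumed policy threshold, not a figure from the article


def candidate_authors(viewer_contacts, post_counts):
    """Contacts of the viewer who also use the service: the nominal crowd."""
    return sorted(c for c in set(viewer_contacts) if c in post_counts)


def effective_set_size(candidates, post_counts):
    """Effective anonymity set size 2**H, where H is the Shannon entropy of
    'who wrote this post' when authors are weighted by posting activity."""
    weights = [post_counts[c] for c in candidates if post_counts[c] > 0]
    total = sum(weights)
    if total == 0:
        return 0.0
    entropy = -sum((w / total) * math.log2(w / total) for w in weights)
    return 2 ** entropy


def feed_label(viewer_contacts, post_counts, min_crowd=MIN_CROWD):
    """Label a post as coming from a 'friend' only when the crowd of
    plausible authors is large enough; otherwise reveal nothing."""
    crowd = candidate_authors(viewer_contacts, post_counts)
    if effective_set_size(crowd, post_counts) >= min_crowd:
        return "friend"
    return "someone on the service"


if __name__ == "__main__":
    contacts = ["alice", "bob", "carol", "dave", "erin", "not-a-user"]
    crowd = candidate_authors(contacts, POST_COUNTS)
    print(len(crowd), round(effective_set_size(crowd, POST_COUNTS), 2))
    print(feed_label(contacts, POST_COUNTS))
```

Five contacts on the service look like a crowd of five, but because one of them writes most of the posts the effective crowd is under three, and a viewer with a single contact on the service has a crowd of exactly one.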

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

Iraq blocking social media as a defense against ISIS


Iraq Crisis: Twitter, Google, YouTube and Facebook Blocked by Government to Stop Isis Plotting

Many sources are reporting that most major social networks are being blocked in Iraq.

It is generally assumed that this is being done to prevent use of these tools for organization and propaganda by Islamic State of Iraq and the Levant (ISIS). I am not seeing reports of blocking VPNs and other censorship circumvention tools. We are actively monitoring Anonymizer for any evidence of such activity.


Postmortem Social Media (a.k.a. virtual zombies)

For millennia people have asked the question “what happens to us when we die?”

While the larger spiritual question will continue to be debated, the question about what happens to our on-line data and presence is more recent, and also more tractable.

Until very recently little thought has been given to this issue. Accounts would continue until subscriptions lapsed, the website shut down, or the account was closed for inactivity.

This has led to some rather creepy results. I have lost some friends over the last few years, but I continue to be haunted by their unquiet spirits, which remind me of their birthdays, ask me to suggest other friends for them, and generally keep bobbing in my virtual peripheral vision.

Many social media sites do have a process for dealing with accounts after the death of their owners, but they are cumbersome and I have never actually seen them used. Generally, they are only engaged postmortem, by the family of the deceased. Assuming that they don’t have the passwords to the account, they need to contact the provider in writing and provide proof that they are a relative and of the death of the account’s owner.

Google has an interesting idea that I would like to see other sites adopt. They have set up the “Google Inactive Account Manager”, which allows the user to specify what will happen in advance. The user specifies what length of inactivity should be taken as a sign of death. Once that is triggered, Google contacts the user using secondary email accounts and phone numbers, if available, to make sure this was not just a long vacation or a loss of interest. If there is no response to that, then the Inactive Account Manager kicks in.

It notifies a list of people that you specify that this has happened. You have the option of having your data packaged up and sent to some or all of those people. Finally, you may have it delete your account, or leave it available but closed as a memorial.

This may not be the perfect implementation of this concept, but it is an important step.

So please, set up your digital will, and let’s put a stop to the digital zombie apocalypse.

The Privacy Blog Podcast – Ep.7: Blacklisted SSL Certificates, Social Media Hacking, and the “Right to be Forgotten” Online

Welcome to episode 7 of The Privacy Blog Podcast. In April’s episode, we’ll be looking at the blacklisting of SSL certificate authorities by Mozilla Firefox: specifically, what this complex issue means and why Mozilla chose to start doing this.

In more breaking online privacy news, I will be discussing the security implications of relying on social media following the hacking of the Associated Press Twitter account earlier this week.

Next, I’ll chat about the “right to be forgotten” on the Internet, which hinges on the struggle between online privacy and free speech rights. In a closely related topic and following Google’s release of the new “Inactive Account Manager,” I will discuss what happens to our social media presence and cloud data when we die. It’s a topic none of us likes to dwell on, but it’s worth taking the time to think about our digital afterlife.

The power we give to Social Media

Last week the Twitter account of the Associated Press was hacked, and a message was posted saying that bombs had gone off in the White House and the president was injured.

Obviously this was false. The Syrian Electronic Army, a pro-regime hacker group, has claimed responsibility, which does not prove that they did it.

There is talk about Twitter moving to two-factor authentication to reduce similar hacking in the future. While this is all well and good, it will not eliminate the problem.

The bigger issue is that these poorly secured social media sites are used by people around the world as reliable sources of news.

Apparently much of the crash came from automated trading systems parsing the tweet, and generating immediate trades without any human intervention at all.

The DOW dropped 140 points in 5 minutes.

The creators of these trading algorithms feel that news from Twitter is reliable enough to be the basis of equity trades without any confirmation or time for reflection.

Certainly very large amounts of money were made and lost in that short period.

Why make the effort to hack into what we hope is a well defended nuclear power plant or other critical infrastructure, when you can get similar amounts of financial damage from subverting a nearly undefended Twitter account?

Because individual Twitter accounts are not considered critical infrastructure, they are hardly protected at all, and are not designed to be easy to protect.

Nevertheless we give it, and other social media, substantial power to influence us and our decisions, financial and otherwise.

Take for example the crowdsourced search for the Boston bombers on reddit. Despite the best of intentions, many false accusations were made that had a major impact on the accused, and one can imagine scenarios which could have turned out much worse. What if the accused had committed suicide, been injured in a confrontation with authorities, or been the victim of vigilante action? Now, what if there had been malicious players in that crowd intentionally subverting the process, planting false information, introducing chaos and causing more damage?

This is an interesting problem. There are no technical or legislative solutions. It is a social problem with only social solutions. Those are often the hardest to address.

The Privacy Blog Podcast - Ep.6: Breaking Privacy News – Facebook “Likes” Predict Personality, Google's Wi-Fi Sniffing, and the Six Strikes Anti-Piracy Policy

In the March episode of The Privacy Blog Podcast, I’ll run down some of the major privacy news events of the last month. Learn how Facebook “Likes” can paint an extremely detailed and eerie picture of your real-life character traits. I’ll provide my take on Google’s Street View Wi-Fi sniffing controversy along with how “Do Not Track” flags are affecting the everyday Internet user. We’ll then touch on the implementation of the “Six Strikes” copyright alert system that was recently adopted by all five major ISP providers. Stay tuned until the end of the episode to hear about Anonymizer’s exciting new beta program for Android and iOS devices. Thanks for listening!

The Privacy Blog Podcast - Ep.4: Data Privacy Day – Privacy Legislation, Social Media, and Corporate Data Security

Welcome to the first podcast of 2013. In honor of Data Privacy Day, which falls on January 28th, I’ll be discussing current data privacy and security issues facing both consumers and businesses by taking you through the pros and cons of privacy legislation, privacy in the context of social media, and corporate data security at the human level. Hope you enjoy January’s episode of The Privacy Blog Podcast. Please leave any feedback or questions you have in the comments section below.

Interesting study of message deletion censorship

This article from Threatpost discusses a study out of CMU of Chinese censorship of their homegrown social networking websites.

Now that they are blocking most of the western social media sites entirely, the focus of censorship is internal. Obviously blocking the internal sites as well would defeat the purpose, so they are selectively deleting posts instead. This study looks at the rate at which posts with sensitive keywords are removed from the services.

It clearly shows how censorship can be taken to the next level when the censor controls the websites as well as the network.

India asks social network sites to manually screen all posts.

The NYTimes.com reports that Kapil Sibal, the acting telecommunications minister for India, is pushing Google, Microsoft, Yahoo and Facebook to more actively and effectively screen their content for disparaging, inflammatory and defamatory content.

Specifically, Mr. Sibal is telling these companies that automated screening is insufficient and that they should have humans read and approve all messages before they are posted.

This demand is both absurd and offensive.

  • It is obviously impossible for these companies to have a human review the volume of messages they receive; the numbers are staggering.
  • The demand for human review is either evidence that Mr. Sibal is completely ignorant of the technical realities involved, or an attempt to kill social media and their associated freewheeling exchanges of information and opinion.
  • There is no clear objective standard for "disparaging, inflammatory, and defamatory" content, so the companies are assured of getting it wrong in many cases, putting them at risk.
  • The example of unacceptable content cited by Mr. Sibal is a Facebook page that maligned Congress Party president Sonia Gandhi, suggesting that this is more about preventing criticism than actually protecting maligned citizens.

PM David Cameron on censorship: bad when you do it, OK when I do it.

Back in February, British Prime Minister David Cameron gave a speech where he strongly opposed the censorship and crack down on protesters in Egypt.

For decades, some have argued that stability required highly controlling regimes, and that reform and openness would put that stability at risk. So, the argument went, countries like Britain faced a choice between our interests and our values. And to be honest, we should acknowledge that sometimes we have made such calculations in the past. But I say that is a false choice.
As recent events have confirmed, denying people their basic rights does not preserve stability, rather the reverse. Our interests lie in upholding our values - in insisting on the right to peaceful protest, in freedom of speech and the internet, in freedom of assembly and the rule of law. But these are not just our values, but the entitlement of people everywhere; of people in Tahrir Square as much as Trafalgar Square.

Now, with the riots in England he feels that restricting access to social media, and censoring free speech is necessary to maintain order.

Everyone watching these horrific actions will be struck by how they were organised via social media. Free flow of information can be used for good. But it can also be used for ill. And when people are using social media for violence we need to stop them. So we are working with the police, the intelligence services and industry to look at whether it would be right to stop people communicating via these websites and services when we know they are plotting violence, disorder and criminality. I have also asked the police if they need any other new powers. Police were facing a new circumstance where rioters were using the BlackBerry Messenger service, a closed network, to organise riots. We've got to examine that and work out how to get ahead of them.

It is easy to condemn censorship in others, but it seems expedient when one is trying to control one's own population. When in power, the difference between justifiable actions and tyranny is largely a matter of "us" vs "them". "We" are good and would not abuse this power while "they" use censorship to keep the boot of oppression on their people.

The trouble is, it is very hard to know when one has moved past the tipping point, and powerful self-justification comes easily to intelligent leaders and their advisors. As has been said many times, "no man is the villain of his own story".

This is a Rubicon I hope the UK can hold back from crossing.

Facebook automatically tagging your face in pictures

Facebook announced that it will soon start automatically suggesting your name for tagging photos any time it thinks it recognizes you in a picture. This automatic facial recognition is the default and will be done unless you explicitly opt out.

It looks like you need to customize your privacy settings to disable this. In Facebook, look under the "account" menu and select "Privacy Settings".

From there click the "Customize settings" link at the bottom of the table. Within there, look for "Suggest photos of me to friends", and set it to "Disabled".

I suspect that few people will simply stumble on that.

Other people tagging you in photos can lead to embarrassment you might want to avoid. Having your name suggested just makes that more likely.

While you are at it, you might want to change the setting that allows others to "check you in" to locations. That can tell thieves you are away from home or stalkers where to find you.

CNN has a good article on the announcement. Facebook lets users opt out of facial recognition - CNN.com