privacy


Zuckerbins.

It’s interesting to ponder the ways in which privacy can be a privilege only for the wealthy. Not everyone can afford an army of hired goons and corporate secret police, an absurd wall in their backyard, and a buffer zone of razed lots around their house. Might similar class privileges someday extend into our digital lives? In the future, who will have the luxury of owning their data?

Joe Veix on stealing Zuckerberg trash.

Also, from this I learnt that there are apparently multiple legal precedents (in the US) that establish curbside trash as public, and because of that there’s a huge industry in the secure disposal of the garbage of rich people. Go figure.

2018-04-16T14:35:28+00:00 | 3rd October, 2018 | Tags: culture, facebook, privacy | 0 Comments

The endless experiment.

But companies usually care about their products, protect them, try to improve their state.

If I were a product, Google would do its best not to destroy me. They have invested a lot of resources into this product, so why risk it by making baffling changes to both privacy and user experience? If I stay happy with Google’s offerings, I keep being the perfect product: I can be mined for data and “sold” perpetually.

Clearly, Google doesn’t care about me personally. And how could it? There are billions of people just like me who use their services every day.

Maybe we should stop thinking we’re “Google’s product” and start thinking we are data points in endless experiments.

Rakhim Davletkaliyev on Google.

I switched to using Firefox about a day before this latest round of being-evil from Google and… yeah. I do not regret it.[1]

  1. Even if the scrollbars in Masto are now hideously ugly…

2018-09-28T08:40:09+00:00 | 28th September, 2018 | Tags: google, privacy, tech

Everytracker.

It’s not just Facebook; every single online publication, including all the ones reporting negative stories, is sharing your browsing data with third parties. Hell, the website at that link is sharing your data with third parties (9% of its page requests were blocked by uBlock). Hell, even this website is sharing your data with (pick one, depending on where you’re seeing it):

  • alisfranklin.com: CloudFlare, WordPress.com, Google, Gravatar.
  • ask.alisfranklin.com: CloudFlare, Tumblr, Yahoo!, Scorecard Research, MarkMonitor, Cedexis, Fastly, FontAwesome, Google, jQuery.
  • alisfranklin.dreamwidth.org: CloudFlare, Dreamwidth, Google.

In theory, most of those sites perform “valid” services. CloudFlare and MarkMonitor do DNS.[1] Cedexis and Fastly do CDN-style services. Google and FontAwesome serve fonts. Gravatar provides global user avatars. jQuery provides a popular JavaScript library. Tumblr/Yahoo! and Dreamwidth are their respective platforms. But just because they’re useful doesn’t mean they’re, a) 100% necessary, or b) not potentially tracking, commodifying, and on-selling huge quantities of surveillance data.

Oh, and then there are things like Scorecard Research, which is absolutely a surveillance company. So… yanno. There’s that.

  1. Among other things…

2018-04-12T15:58:56+00:00 | 27th September, 2018 | Tags: privacy, tech

‘Ware the VPN.

Speaking of the Woes of Latter-Day Social Media sites, Om Malik’s profile on “Facebook’s DNA” is an interesting read, particularly if you’re Old™ like me and remember the company’s “move fast and break things” (as opposed to “sell ads and sell ads”) phase.

Mostly, though, it contains this line:

The VPN data [from Facebook Protect] also allows Facebook to better target its ads — much like how Google Mail and Google Chrome allow Google to better target what ads you see. By the way, Facebook isn’t the only one who is taking data from VPN mobile streams. Other data brokers buy data from other VPN apps.

I’ve mentioned this before, but… If you use a VPN, just how much do you trust it?

Related: I really, really need to migrate to Firefox… oy.

2018-02-23T08:02:42+00:00 | 12th August, 2018 | Tags: facebook, privacy, social media, tech | 1 Comment

In every home, by choice.

Big Brother is here, except it’s more like Little Cousins where every “cousin” is owned by a separate company. They’re all still spyin’ onya, though!

It’s worth remembering that very few “smart home” functions actually need to phone home to central servers (and even the traditional exceptions, like natural language processing, are getting to the stage where they don’t have to either). Meaning this stuff is literally just gratuitous spying for the purpose of companies onselling the data they collect about your most personal and private moments. While you’re paying for the privilege.

Yeah. No thanks.

2018-02-20T09:52:19+00:00 | 30th July, 2018 | Tags: privacy, tech | 9 Comments

Common goods.

Data privacy is not like a consumer good, where you click “I accept” and all is well. Data privacy is more like air quality or safe drinking water, a public good that cannot be effectively regulated by trusting in the wisdom of millions of individual choices. A more collective response is needed.

Part of the problem with the ideal of individualized informed consent is that it assumes companies have the ability to inform us about the risks we are consenting to. They don’t. Strava surely did not intend to reveal the GPS coordinates of a possible Central Intelligence Agency annex in Mogadishu, Somalia — but it may have done just that. Even if all technology companies meant well and acted in good faith, they would not be in a position to let you know what exactly you were signing up for.

Zeynep Tufekci on risk.

2018-02-06T09:46:40+00:00 | 24th July, 2018 | Tags: infosec, privacy | 12 Comments

Surveillance is the new black.

I saw this on Mastodon a week or so ago but… oh Stylish no. This is why we can’t have nice things, damnit.

I quite extensively use custom CSS on websites, mostly to change everyone’s ugly-ass default fonts,[1] as well as some general ad removal and layout clean-up for sites I visit a lot. So I’ve switched over to the Stylus extension, and thankfully porting all my old content over wasn’t too hard.

For extra paranoia, I also added an entry in my hosts file to redirect api.userstyles.org to 127.0.0.1, just in case. Because, yanno. Privacy. What even is that, nowadays, anyway?

  1. I’m looking at you, Roboto.

2018-07-27T14:37:05+00:00 | 20th July, 2018 | Tags: privacy, tech

SSL is terrible, pt. 495.

Tl;dr, like everything else with SSL, EV is fucking broken.

Because I will forever be, at heart, a huge brat, one of my favorite questions to ask people who pretend to know about INFOSEC is, “So what, exactly, is the point of SSL?” (Or TLS, or HTTPS, or however you want to word it.)[1]

Pretty much no one, in the field or out of it, gets the answer to this question correct. I’ve written about it before[2] but, tl;dr version, the original intent of SSL was to link an online presence with a real-world entity. The problem is that the validation requirements were, well. Expensive. Like, thousands of dollars’ worth of expensive, which is how much a “real” SSL certificate is supposed to cost. Because the CA that issues it is “supposed” to investigate you—to actually meet you, face-to-face, in fact—and make sure you’re really who you say you are, before issuing the cert in the first place.

“But Alis!” you say. “I can get an SSL cert free from, like, Let’s Encrypt! Hell, you get free certs from Let’s Encrypt!”

Yeah, I do. And the thing about Let’s Encrypt? It’s a perversion of the entire point of the system. And it provides exactly squat in the way of security, because in a world where anyone can get a cert issued to basically anything, for any purpose, under any name, how do you know that the entity you’re communicating with is, in fact, the entity you want to be communicating with?

Spoiler alert: you can’t, see original linked article.

“Wait,” you say, confused. “If SSL is so broken, why do tech companies like, say, Google push it so hard?”

Well, Dorothy, because, firstly, the one thing SSL does do is give carriers a level of plausible deniability when it comes to government requests to wiretap internet traffic. “Well. Here are the traffic logs from the server! Oh, well. No, you can’t read them because it’s all HTTPS. Sorry, not our fault! We did what you wanted!”[3]

But, mostly? Google in particular pushes SSL so damn hard because one of the things SSL does is change the way HTTP referrers are sent. Why does Google care about this? Well, because it means webmasters suddenly don’t or can’t know where some or most of their website traffic is coming from, including search requests. So isn’t it great that Google can sell them this information as part of its ad platform! Phew, thanks Google! What a win for “privacy”!

… yeah.

Tl;dr, SSL is still terrible. And the “good” news? There’s still really no better option.
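
The referrer behaviour mentioned above is governed by the browser's referrer policy. The following is an added example, not code from the original post: a simplified JavaScript model of the W3C Referrer Policy rules showing what a destination site's logs receive for a click from an HTTPS page. The URLs and the `referrerFor`, `strip` and `report` names are assumptions made for illustration, and `no-referrer-when-downgrade` is used as the historical browser default.

```javascript
// Added example: the Referer value a browser sends for one navigation under
// a given Referrer-Policy. Simplified from the W3C Referrer Policy algorithm:
// "downgrade" here means https: source to a non-https: destination.
// All URLs are constructed sample values.
const SAMPLE_FROM = "https://search.example/results?q=private+query";

function strip(url, originOnly) {
  const u = new URL(url);
  if (originOnly) return u.origin + "/";
  u.username = "";
  u.password = "";
  u.hash = ""; // credentials and fragment are never sent
  return u.href;
}

function referrerFor(from, to, policy = "no-referrer-when-downgrade") {
  const src = new URL(from), dst = new URL(to);
  const sameOrigin = src.origin === dst.origin;
  const downgrade = src.protocol === "https:" && dst.protocol !== "https:";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return strip(from, false);
    case "origin": return strip(from, true);
    case "same-origin": return sameOrigin ? strip(from, false) : null;
    case "origin-when-cross-origin": return strip(from, !sameOrigin);
    case "strict-origin": return downgrade ? null : strip(from, true);
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return strip(from, false);
      return downgrade ? null : strip(from, true);
    case "no-referrer-when-downgrade":
      return downgrade ? null : strip(from, false);
    default: throw new Error("unknown policy: " + policy);
  }
}

// What the destination site's logs would see for a click from SAMPLE_FROM.
function report(targets, policies) {
  const rows = [];
  for (const to of targets)
    for (const p of policies)
      rows.push({ to, policy: p, referer: referrerFor(SAMPLE_FROM, to, p) });
  return rows;
}

console.table(report(
  ["http://blog.example/post", "https://blog.example/post"],
  ["no-referrer-when-downgrade", "origin", "strict-origin-when-cross-origin"]
));
```

A site owner who wants to limit what outbound links disclose can set the `Referrer-Policy` response header to one of the policy names modelled here.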

  1. The difference? Very briefly, SSL and TLS are two implementations of a secure communications protocol, with SSL being the older-and-now-deprecated version. HTTPS is basically “the web but with SSL/TLS.” In most cases the three terms are used as synecdoches, though HTTP isn’t the only thing that can be used with SSL/TLS.
  2. At length. It’s a bugbear, what can I say?
  3. It’s worth noting that this is mostly security theater; nation-state level actors, specifically intel organisations, can and do actively tap backbone networks. The thing they mostly don’t do is share the information gathered from these sources with law enforcement agencies, who desperately want it. In other words, yes. Most Current Issues In Government Surveillance are a dick measuring contest between spies and the cops.

2018-05-22T09:01:53+00:00 | 8th June, 2018 | Tags: infosec, privacy, ssl, xp | 1 Comment