privacy


‘Ware the VPN.

Speaking of the Woes of Latter-Day Social Media sites, Om Malik’s profile on “Facebook’s DNA” is an interesting read, particularly if you’re Old™ like me and remember the company’s “move fast and break things” (as opposed to “sell ads and sell ads”) phase.

Mostly, though, it contains this line:

The VPN data [from Facebook Protect] also allows Facebook to better target its ads — much like how Google Mail and Google Chrome allows Google to better target what ads you see. By the way, Facebook isn’t the only one who is taking data from VPN mobile streams. Other data brokers buy data from other VPN apps.

I’ve mentioned this before, but… If you use a VPN, just how much do you trust it?

Related: I really, really need to migrate to Firefox… oy.

2018-02-23T08:02:42+00:00 | 12th August, 2018 | Tags: facebook, privacy, social media, tech

In every home, by choice.

Big Brother is here, except it’s more like Little Cousins where every “cousin” is owned by a separate company. They’re all still spyin’ onya, though!

It’s worth remembering that very few “smart home” functions actually need to phone home to central servers (and even the traditional exceptions, like natural language processing, are getting to the stage where they don’t have to either). Meaning this stuff is literally just gratuitous spying for the purpose of companies onselling the data they collect about your most personal and private moments. While you’re paying for the privilege.

Yeah. No thanks.

2018-02-20T09:52:19+00:00 | 30th July, 2018 | Tags: privacy, tech

Common goods.

Data privacy is not like a consumer good, where you click “I accept” and all is well. Data privacy is more like air quality or safe drinking water, a public good that cannot be effectively regulated by trusting in the wisdom of millions of individual choices. A more collective response is needed.

Part of the problem with the ideal of individualized informed consent is that it assumes companies have the ability to inform us about the risks we are consenting to. They don’t. Strava surely did not intend to reveal the GPS coordinates of a possible Central Intelligence Agency annex in Mogadishu, Somalia — but it may have done just that. Even if all technology companies meant well and acted in good faith, they would not be in a position to let you know what exactly you were signing up for.

Zeynep Tufekci on risk.

2018-02-06T09:46:40+00:00 | 24th July, 2018 | Tags: infosec, privacy

Surveillance is the new black.

I saw this on Mastodon a week or so ago but… oh Stylish no. This is why we can’t have nice things, damnit.

I quite extensively use custom CSS on websites, mostly to change everyone’s ugly-ass default fonts,[1] as well as some general ad removal and layout clean-up for sites I visit a lot. So I’ve switched over to the Stylus extension, and thankfully porting all my old content over wasn’t too hard.

For extra paranoia, I also added an entry in my hosts file to redirect api.userstyles.org to 127.0.0.1, just in case. Because, yanno. Privacy. What even is that, nowadays, anyway?

  1. I’m looking at you, Roboto.

2018-07-27T14:37:05+00:00 | 20th July, 2018 | Tags: privacy, tech

SSL is terrible, pt. 495.

Tl;dr, like everything else with SSL, EV is fucking broken.

Because I will forever be, at heart, a huge brat, one of my favorite questions to ask people who pretend to know about INFOSEC is, “So what, exactly, is the point of SSL?” (Or TLS, or HTTPS, or however you want to word it.)[1]

Pretty much no one, in the field or out of it, gets the answer to this question correct. I’ve written about it before[2] but, tl;dr version, the original intent of SSL was to link an online presence with a real-world entity. The problem is that the validation requirements were, well. Expensive. Like, thousands of dollars worth of expensive, which is how much a “real” SSL certificate is supposed to cost. Because the CA that issues it is “supposed” to investigate you—to actually meet you, face-to-face, in fact—and make sure you’re really who you say you are, before issuing the cert in the first place.

“But Alis!” you say. “I can get an SSL cert free from, like, Let’s Encrypt! Hell, you get free certs from Let’s Encrypt!”

Yeah, I do. And the thing about Let’s Encrypt? It’s a perversion of the entire point of the system. And it provides exactly squat in the way of security, because in a world where anyone can get a cert issued to basically anything, for any purpose, under any name, how do you know that the entity you’re communicating with is, in fact, the entity you want to be communicating with?

Spoiler alert: you can’t, see original linked article.

“Wait,” you say, confused. “If SSL is so broken, why do tech companies like, say, Google push it so hard?”

Well, Dorothy, because, firstly, the one thing SSL does do is give carriers a level of plausible deniability when it comes to government requests to wiretap internet traffic. “Well. Here are the traffic logs from the server! Oh, well. No, you can’t read them because it’s all HTTPS. Sorry, not our fault! We did what you wanted!”[3]

But, mostly? Google in particular pushes SSL so damn hard because one of the things SSL does is change the way HTTP referrers are sent. Why does Google care about this? Well, because it means webmasters suddenly don’t or can’t know where some or most of their website traffic is coming from, including search requests. So isn’t it great that Google can sell them this information as part of its ad platform! Phew, thanks Google! What a win for “privacy”!

… yeah.

Tl;dr, SSL is still terrible. And the “good” news? There’s still really no better option.

  1. The difference? Very briefly, SSL and TLS are two implementations of a secure communications protocol, with SSL being the older-and-now-deprecated version. HTTPS is basically “the web but with SSL/TLS.” In most cases the three terms are used as synecdoches, though HTTP isn’t the only thing that can be used with SSL/TLS.
  2. At length. It’s a bugbear, what can I say?
  3. It’s worth noting that this is mostly security theater; nation-state level actors, specifically intel organisations, can and do actively tap backbone networks. The thing they mostly don’t do is share the information gathered from these sources with law enforcement agencies, who desperately want it. In other words, yes. Most Current Issues In Government Surveillance are a dick measuring contest between spies and the cops.

2018-05-22T09:01:53+00:00 | 8th June, 2018 | Tags: infosec, privacy, ssl, xp

Stop using Facebook.

Seriously. I’m not even kidding.

Stop.

Using.

Facebook.

2017-11-28T09:10:22+00:00 | 11th May, 2018 | Tags: facebook, infosec, privacy, social media

The problem with archive.org.

Joy Reid is one of those “lucky” political commentators that gets a kicking from both ends of the political spectrum, either for being too liberal (by conservatives), or a liberal centrist sell-out shill (by progressives). I’m sure the fact that she’s a prominent African American woman has no-oo-oo-othing to do with either the impossible standards or the vitriol that gets directed her way over any and every perceived misstep.

Anyway. Recently, enterprising individuals have been using the Wayback Machine to dig up anti-gay posts Reid allegedly posted at her blog a decade ago. I say “allegedly”, because Reid claims she didn’t write the posts and that they were added to her site and/or the Wayback Machine itself later by hackers. archive.org disagrees.

Notably, Reid (and her lawyers) have requested the material be removed from the Wayback Machine, which is supposedly a thing you can do.[1] The official response?

[D]ue to Reid’s being a journalist (a very high-profile one, at that) and the journalistic nature of the blog archives, we declined to take down the archives.

… yeah.

And, okay look. I know that in some corners of the internet, the existence of the Wayback Machine is considered almost sacrosanct. That the archive itself can Do No Wrong and that its mission is Good™ are unquestioned and absolute.

Except, here’s the thing about the Wayback Machine:

People change.

The internet is pretty old, now, as is this whole blogging thing, and there are those of us who’ve been at it for a long time.[2] And the people we were ten or fifteen or twenty years ago are not the people we are now. I know I’ve personally published things in old blog posts that would, nowadays, make me cringe, either because they reflect views I no longer hold or actions I would no longer take or just straight-up things I would no longer say out loud.[3] And that’s… fine. It’s normal. It’s called growing up and learning and changing and shifting one’s views with the availability of new information. People make mistakes, and part of life is learning and moving on from them.

But there’s a culture of gotcha-games that exist in a particularly virulent form online, and that seem to disproportionally impact women and people of color, and especially disproportionally women and people of color to the progressive left of the political spectrum. Said something ~problematic~ on LiveJournal once back in 2003? Better hope you don’t get too big for your britches, sweetheart, because if you do? If you do, someone has a screenshot of that shit and it is going to come back to haunt you.

There are, obviously, things in the pasts of public figures that are of legitimate public interest. Crimes come to mind, or other ongoing harmful behavior. But writing ill-advised blog posts is not a crime. Nor is the fact that you once held a ~problematic~ view you’ve since moved on from an “ongoing harmful behavior”. It’s like the opposite of that, in fact! It’s a good thing, a desired outcome. We all live in kyriarchal culture and no one was born woke on every intersection. We want people not just to change, but to feel that they’re able to change. Constantly accosting them with old mistakes? Not necessarily helpful on that front.[4]

And this is where I get to my problem with things like the Wayback Machine. Because more often than I’ve seen it used as a tool for “good”, I’ve seen it used as a tool of harassment. I’ve seen it used as a weapon, and primarily a weapon against successful marginalized people by bystanders who want to tar them with past sins. It’s used to extract grovelling public mea culpas because how dare a woman, or a person of color—or worse, both—be proud and successful on their own terms. Don’t they know only white men get to live the unapologetically edited versions of their own histories?

And here’s the thing. The idea that some unaccountable third-party gets to keep, in perpetuity, a record of everything you’ve ever said and done, and to make that record available to anyone who wants to trawl it, is Surveillance Culture 101. And while it might dress itself up in academic colors, make no mistake: the Wayback Machine is just as much a part of that as is Facebook or the NSA or Experian. And it’s beyond time to face up to that.

(Which is, like, not to even mention that whole big, “Er, actually, is this copyright infringement?” issue. Or the fact that the Wayback Machine is deceptive about its “opt-out”/exclusions policies. Sure, you can robots.txt it out… but only so long as the robots.txt file remains active. The Wayback Machine will still take a copy of your site, and will make it available as soon as that little file goes away. Which is… kinda dodgy. To say the least.)

  1. Although, when I just went to try and dig up the FAQ link on how to get stuff removed, I couldn’t find it. On the other hand, I could find a lot of people wanting to get their stuff removed from the Archive, and the Archive not complying. Hm…
  2. Nineteen years and counting for yours truly, in fact.
  3. Usually political beliefs, life choices, and social interactions, respectively.
  4. In fandom, incidentally, this behavior is part of what’s called “anti-culture”. The prevailing theory is this constant policing of purity and demanding of public grovelling for any perceived sin has been imported from that very American strain of fundamentalist Evangelical Christianity. In other words, the political beliefs of individuals breaking away from their far-right theocratic upbringings may have changed, but their social modes of dealing with things have not.

2018-04-27T09:14:26+00:00 | 27th April, 2018 | Tags: culture, privacy, tech, xp

Facebook: Still terrible.

So most of you probably know Facebook is currently facing down new privacy regulation in the EU, called the GDPR. In essence, its introduction means that, a) Facebook can no longer shadily sell off European users’ data to the highest bidder, and b) there are hefty fines for any company caught doing the dodgy.[1]

What most of you might not know, however, is that all Facebook users outside of the US and Canada are considered “European users”, since Facebook runs its non-North American operations out of Ireland.[2] What that means is that, technically, the GDPR should protect the data of all of those users too. That’s 1.5 billion user accounts, i.e. the majority of Facebook’s userbase, including all Australian users.

So, naturally, Facebook is working to immediately exempt them from the law. Because it literally has no other way of surviving other than selling your data off to spy agencies both government and private.

So, yanno. About that…

Edit: More here.

  1. And, let’s be honest, Facebook gets caught doing the dodgy a lot.
  2. A lot of companies do. It’s a tax dodge.

2018-04-20T08:11:21+00:00 | 20th April, 2018 | Tags: privacy, social media, tech

Big data brokers.

Tl;dr, your mobile carrier (at least if you live in the US) sells your account information meaning any website can buy it in order to correlate you to your mobile IP address (and, thus, what you do online). Some more technical demos and proof-of-concepts here.

So, on the one hand, this is from the website of a VPN provider,[1] so they have a financial interest in scaring you with this information. That being said, this sort of customer data selling and big data correlation is both commonplace and legal… in the US. Because the US has no privacy laws, basically. Individual actions, such as using a VPN service, won’t fix the issue,[2] although it’s in the tech industry’s interest to try and convince you they will, because the alternative—e.g. legislating to introduce EU-style privacy laws—will literally cause most big internet companies to go bankrupt.

  1. Disclaimer: It’s the VPN provider I use, when I feel the need to use a VPN, which is both rarely and a whole post in-and-of-itself…
  2. Quite literally: All it does is shift the focus of who does the data selling from your ISP to your VPN provider.

2017-10-23T10:03:54+00:00 | 6th April, 2018 | Tags: infosec, privacy, tech