…as we all said it would. Majority Leader McConnell wants to amend the USA PATRIOT Act (possibly the most ridiculous legislative acronym ever) to make it worse. There is a portion of the Act, Section 215, which authorizes the FBI to seize “any tangible thing” relating to the subject of an investigation, without a warrant. …
Privacy
Andrew Yang’s Dangerous Idea
by Major Major Major Major| 99 Comments
This post is in: Privacy, Tech News and Issues, I Can't Believe We're Still Talking About Fucking Nazis, Into the weeds
If there’s a tech company that’s so big and ubiquitous you feel it’s a danger to democracy, what you have isn’t a justification for an algorithm-policing bureaucracy—what you have is a company that’s too big.
There are essentially two ideas united by the same fallacy:
Social media platforms have catalyzed mass disinformation campaigns over the past decade, threatening not just our wellbeing but our democracy… Algorithms driving recommendations towards conspiracy theory content or other types of disinformation need to be reined in…
We must address once and for all the publisher vs. platform grey area that tech companies have lived in for years. Facebook, Twitter, and other social media sites are using algorithms to make recommendations. These recommendations drive the majority of traffic, up to 70% for Google owned YouTube.
Section 230 of the Communications Decency Act absolves platforms from all responsibility for any content published on them. However, given the role of recommendation algorithms—which push negative, polarizing, and false content to maximize engagement—there needs to be some accountability.
I will leave aside the fact that Section 230 does no such thing and write instead about this inane focus on recommendation algorithms. (If you’re curious about my opinions on Section 230, there are upcoming EU regulations that touch on this, which I have written about here.)
Yang notes that large social networking sites are used to push massive amounts of misinformation. Further, such sites use recommendation algorithms that often reward bad-faith actors. Since these sites are so large and ubiquitous, this represents a threat to consumers and democracy. So far this is not controversial; even Facebook and Twitter acknowledge this.
However, Yang’s proposed remedy is to require said recommendation algorithms to be either posted in full online or pre-approved by the government. The former would needlessly stifle expression and innovation, and as for the latter, well, imagine Trump with that power.
So where is this faulty reasoning I’m talking about? It’s very simple. If there’s a tech company that’s so big and ubiquitous you feel it’s a danger to democracy, what you have isn’t a justification for an algorithm-policing bureaucracy—what you have is a company that’s too big. And the government already has the authority to address that.
Yang says some dumb shit about how antitrust won’t work in his proposal, which demonstrates a follow-up point: The concept of antitrust enforcement is so foreign to modern Americans that they often reach for bizarre & harmful over-regulation to mitigate the damages caused by huge companies instead of just banning huge companies.
While Yang is a sideshow, and I suspect he does not understand what a recommendation algorithm is, this mode of thinking is very common, so I wanted to start a conversation. I’m happy to get into more detail in the comments.
Panopticon Creep: UK Edition
by Major Major Major Major| 94 Comments
This post is in: Privacy, Science & Technology, Tech News and Issues, United Kingdom
Once upon a time, London was the world’s most-surveilled city. This position has since been usurped by Chongqing, a city in the Sichuan province which boasts one hundred sixty-eight cameras per one thousand people. Perhaps upset over the loss of their title, Boris Johnson has decided it’s high time that the UK began compiling records of …
[…]
At present, usage of GOV.UK is tracked by individual departments, not collected centrally. According to the documents seen by BuzzFeed News, the Cabinet Office’s digital unit, the government digital service (GDS), will add an additional layer of tracking that “will enable GDS to have data for the entire journey of a user as they land on GOV.UK from a Google advert or an email link, read content on GOV.UK, click on a link taking them from GOV.UK to a service and then onwards through the service journey to completion”.
In the personal minute, Johnson told members of the XO committee that GDS had been asked to turn the GOV.UK portal into a “platform to allow targeted and personalised information to be gathered, analysed and fed back actively to support key decision making” in the run-up to Brexit.
This is exactly what Facebook, Google, et al. tell us about the value of targeted advertising; oh how we’ll appreciate their knowing everywhere we go and every website we look at. Just think of all the highly personalized ads we can experience! But the UK government is not, of course, a corporation. We’ve seen what the Cambridge Analyticas of the world can do with access to fairly basic demographic information. Imagine what could be done with the sort of information the government is likely to have–especially a government that’s already up to their eyeballs in collusion with, er, Cambridge Analytica.
No bother, though; I’m sure this has nothing to do with the election BoJo hopes to hold in the near future.
Full disclosure: I have worked in advertising technology on and off for several years, and currently hold a position at a data-management platform in the industry.
Online Privacy and You
by Major Major Major Major| 54 Comments
This post is in: Privacy
tl;dr: scroll down to the part in bold if you just want a pro-privacy action item. Digital privacy has been in the news a lot, though you’ll be forgiven for missing it. About a year ago, the European General Data Protection Regulation (GDPR) became active. You may have noticed that you received an email about updated …
*GDPR and CCPA only apply to companies with users located in their respective jurisdictions, but given how the Internet works, that is pretty much all sufficiently-large companies.
**Many ‘free’ services, such as Gmail, are funded by a Faustian bargain: in exchange for the service, the user’s information is mined as part of a broader tracking ecosystem. This data is then used in targeted advertising. If enough people opt out of data collection, the story goes, then this funding model will go out the window. What will replace it is anybody’s guess.
Full disclosure: I currently work at an ad-tech company. The opinions expressed are my own etc. This contains no privileged information etc.
Open Thread: Social Media Privacy Update, Maybe?
This post is in: C.R.E.A.M., Open Threads, Privacy, Science & Technology
PSA…you might wanna go switch this stuff off so Twitter doesn't sell your data through "select partnerships" pic.twitter.com/WBSMy0XxMZ — Auburn (@Auburn55) May 18, 2017
I don’t actually have a twitter account, because I’m fortunate enough not to need one, and I’m barely tech-competent enough to lurk there. But I’m seeing messages about the company’s latest …
Privacy, ISPs, and What You Can Do
by Alain Chamot (1971-2020)| 8 Comments
This post is in: Privacy, Tech News and Issues
I’m sure you’ve heard that the Senate, then House, voted to allow Internet Service Providers (ISPs) to sell your browsing and Internet usage data. This is astounding, and has huge implications for each and every one of us that has any Internet usage that might be looked at askance by whoever decides to license your …
When you access the Internet, your computer sends out a request such as “give me a webpage from XXX.XXX.XXX.XXX” or “check email from my email server at XXX.XXX.XXX.XXX”. Really, your computer is saying “open a Y protocol connection with XXX.XXX.XXX.XXX” and then the remote computer and your computer work out a series of handshakes to successfully transmit the data and correct any errors that occur. That basic information is needed to do whatever it is you want to do, like dialing a phone number or putting an address on an envelope. That’s not secret or private, it’s important metadata that begins the handshake process that results in doing whatever it is you are trying to do.
But, since the signals from your computer going back and forth to the remote computer are on the ISP’s wires, they can see what it is you are saying. So no biggie, you’ve got nothing to hide, right? I’m a firm believer that everyone’s got stuff to hide for a good reason – your private business is YOUR private business. You can choose to declassify anything you want to anyone, but no one has a default policy of allowing anyone to probe your private business whenever they want, without having to get your permission.
So once Trump signs the law and it goes into effect, ISPs will then be able to analyze, organize, and sell/license this data. And there’s no way to ensure that “only big, responsible corporations” will get access to this data – it will be a huge target for foreign and domestic intelligence agencies, criminal enterprises, hackers, anarchists, psychos, manipulators, blackmailers, teens, insurance and other medical companies, law enforcement, credit agencies, etc. So those who want it will buy, license, or steal it. Or perhaps gain covert access to it, or access to it via an allowed third party that has poor security. Really, there are countless ways that, once this data is captured, it will leak out to bad folks and folks that you’d prefer not know that, late on Friday nights, once your buzz is on, you like to read, look at, or watch deviant porn.
“But,” you say, “don’t worry – I use Privacy mode when I browse, so no worries, right?”
Not so fast sparky – Privacy mode in a browser isn’t going to stop your ISP from seeing what you’re reading, writing, buying or selling. It limits cookies and other online tracking tech from your current session, but it doesn’t prevent the ISP from “listening on the line”, which is really what we’re talking about.
So what’s the magic bullet to slay this new beast on the horizon? Encryption!
When you encrypt things, your ISP just knows that you’re having an encrypted session with a remote computer at XXX.XXX.XXX.XXX in Y protocol. That’s it, as long as the encryption is strong and implemented well. The initial part of the handshake is unencrypted, but as soon as your computer and the remote computer work it out, the rest of the transaction is encrypted and thus private. This isn’t an on-off kind of thing; when you click on something, a new handshake takes place, and then that data is encrypted and transmitted and then decrypted.
So hurrah – such a simple answer, right? Well, yes, but…. no.
Encryption is very complex, but the end-user consumer side of it is pretty simple. Encryption uses advanced math to scramble your data and without the proper key to unscramble the data, it’s gibberish. But, as computers and techniques advance, what would have taken years now takes days. It’s a constantly moving, evolving world.
Some of you may recall last year when Balloon Juice enabled Secure Sockets Layer (SSL) and so the address went to https:// instead of just http://. That was 100% a privacy issue – because the site uses the secure HTTPS protocol, anything you read or write is protected by your browser’s encryption, ensuring your privacy. Of course, anyone that’s curious could just go to the website and read for themselves what’s here since we don’t require login or allow private messages, but there’s no way for a general person on the Internet to link your commenter nym to your IP address. And so your privacy is protected.
So you’re already using some encryption to protect some of your privacy, and that’s great! But there’s lots of sites that don’t yet use HTTPS, and there’s lots of things that you do that may not be encrypted. And perhaps you’d prefer it if your ISP has a black hole when it comes to your online behavior so that they know nothing about your behavior.
One last thing I should mention about privacy and what’s not protected: email. Email is not protected by encryption. What happens when you send an email is that you write it and hit send, and that message is then sent across the Internet from your outgoing mail server to the incoming mail server for the destination. And that email message – all of it, addressing info as well as the content and any attachments – is sent unencrypted. And it doesn’t go directly; it may go over as many as 20 different routers and computers, allowing anyone observing one or more of those machines the option to read your email and attachments. So emailing logins & passwords, credit card numbers, or any other important codes or numbers is a VERY bad idea.
A final detail about email – using an email client (Outlook, Thunderbird, Eudora, etc.) downloads your email to your local machine, but unless you’ve got encryption set up between you and the mail server, that mail is all sent “in the clear”, allowing an ISP to read them. But, should you use a web browser to work with your email, then your sending and receiving is protected by the web browser’s SSL capabilities. Relatedly, don’t forget that, when using a web browser to check email, sending from/to the same system is usually VERY secure. So, for example, using a browser to send email from and to a Gmail account keeps the email “in the Gmail system” and it is encrypted the whole way through, so no ISP surveillance will work.
Next Steps
There are a few answers, different paths you can take, to protect your privacy from the prying eyes of your ISP. They all involve encryption of one form or another. And really, they all involve a Virtual Private Network (VPN) or Proxy Server, where your Internet requests are routed to another computer over an encrypted connection so that all your ISP knows is that you’re using an encrypted tunnel with a remote computer.
So, what does that mean?
It means that you pay some third party out there to allow you to set up an encrypted connection to route some or all of your Internet usage through. Of course, if that company keeps copious records of all the routing, requests, etc., and they then sell that data, you’re in exactly the same boat as with your ISP. So a company’s retention and privacy policies are very important, crucial, really.
Of course, there’s a great free solution called Tor, which you may have heard of. It is a protocol and framework designed by the US government to allow folks in repressive countries to communicate with journalists, human rights organizations, etc. without giving up their privacy or identity. Of course lots of bad guys use Tor to shroud their online activities – the Silk Road drug, gun, porn, and assassination marketplace was famously compromised because one element on a page on the site was not set up correctly, and so the FBI traced it to the server that was running the site’s forum software. And Silk Road truthers – let’s not quibble about parallel track or other ways they may have found the site’s server!
If you have something to hide, something illicit, then you likely already know about and use Tor. I’ve never played with it, so I am not in any way an expert on it, but to me, it does have a fundamental flaw – exit nodes. If a party sets up enough Tor exit nodes, then they will be able to monitor and/or capture enough traffic to track folks. Not that Tor isn’t a great thing for many privacy purposes, but it’s not magic and does have vulnerabilities, not the least of which is that human beings make the sites that are in Tor, and they often make coding mistakes or leave cookie crumbs in tech forums asking for help or advice. Oh, and did I mention that it’s complicated and that you can’t route most of what you do on the Internet through it?
“Wait,” you say, “I’ve heard that this web browser called Opera has a built-in VPN for privacy, so I can just use that, right?”
Opera, a great browser, does in fact have a VPN function built-in for privacy protection. But…it was just purchased by a Chinese Internet security firm and, well, who knows if you can trust them. I’m not sure I’d trust a browser maker anyway, as that just seems like a honeypot to attract folks (criminals) trying to hide their online behavior.
Recommendations
Depending on your needs, I recommend two different paths. I will not give any brand name recommendations.
For someone who wants to obscure everything, you’ll want to get a VPN router and route everything to a paid VPN service provider that has a privacy and data retention policy you like. This means that every signal coming in or out of your house will be encrypted, but this will slow everything down, and will likely muck up online streaming, game playing, and other high-bandwidth/low-latency uses. And this only affects the house and Internet users of the wired or WiFi connection. Your phone won’t be protected when you’re not home, for example.
For me, and for most folks, this is not a good plan. I have heard tell that Netflix is very good at blocking VPN users so it would likely not work for long, even if it does at first. And not being able to play a game or stream anything I want without issue is non-negotiable!
So my preferred solution is to set up a VPN or proxy server for just one computer or just one browser. That way, I have normal usage in the household, but have a privacy option I can use whenever I want.
So right now, on this machine I’m using, if I open Firefox, it wants to use my own private encrypted proxy server rather than the normal Internet connection that the rest of the computer (other browsers and software) use. And when I use that connection, everything I do in Firefox is safe from the prying eyes of Comcast. In my case, I am using a cloud computer that I rent as opposed to a service as this way, I control it and I like that approach as I’m a techie. I can also change my phone’s setting to always use that connection, should I so desire, but I don’t do much browsing on it. I can of course make my iPad use the proxy, but since I stream so much video and audio on it, that would be a problem!
One bonus to my approach – I can “appear” like I am somewhere else, wherever the server I use is located. This is great to reduce advertising and screws up geotargeting, etc. that advertisers use. Before I set this all up, I did ensure that I wasn’t signed into my Gmail account in Firefox, deleted all cookies and history, etc., and closed all open tabs so that Firefox opened to a blank page. To reduce browser fingerprinting, uninstalling add-ons, extensions, and toolbars is a good idea, too. That way, as far as Firefox is concerned, I am not physically where the rest of my computer knows I am, and I’ve left few crumbs to help find me.
The Risks of Strangers Knowing Your Behavior
Many of you are likely rubbing your eyes and wondering why this is so important an issue, why it’s a fundamental change in the relationship between you and the world outside of your home. Until now, neither the phone company nor the USPS could examine the content of your communications and sell that information. They could not listen and record everything you said on the phone and then sell the recording to as many different folks as want to buy it. They could not open your letters and packages, photograph or photocopy it all, and sell it to whoever wants it, without you having a thing to say about it.
But with your ISP and this new law, things have changed. There are so very many examples of how private data can be used for bad, but let’s look at a basic, relevant example.
A family member has Top Secret clearance and works with the Intelligence community. He is well trained, and mindful, and does not, to my eyes and ears, make a mistake when it comes to his phone, laptop, and other work-related things. He is trained to look for surveillance, etc., and varies his routes, times, etc. He doesn’t do much online.
But he lives in a house with his wife and children. And so everything they do won’t remain private, meaning that a foreign adversary could acquire meaningful data that might be useful for manipulation, blackmail, etc. So although he’s doing 100% what he’s supposed to do, suddenly his family become targets because their data may unveil a method to get to him.
And that’s just a personal example. With the theft of so much OMB data that was revealed in 2015, I can envision any number of ways that that purloined data could be used when coupled with ISP-recorded data. And that’s just in the Intelligence, Government, and Military world; there are so many people whose data was acquired that, for the next 20 years, people will be at risk of further targeting and violations of their privacy.
So, it’s time to give some serious thought to protecting yourself and to setting up at least one browser or computer to be your privacy vanguard. The sooner that everyone’s online behavior is a black hole to ISPs, the sooner they’ll realize that their goal should be to protect our privacy, not exploit it for profit!
Candidly, I’m thinking of launching a paid service, sort of a combo of proxy server and related privacy consultation and support because I know many folks would benefit from this setup, but for now if you have questions or want help, use the contact form and drop me a line. I will not be in the comments much as I have a few other important duties vying for my attention today.