Researchers analyzing results from the ICSI Netalyzer project have found ISPs redirecting traffic bound for Yahoo! and Bing to third parties like Paxfire, Barefruit, and Golog. According to this EFF article:

Netalyzr’s measurements show that approximately a dozen US Internet Service Providers (ISPs), including DirecPC, Frontier, Hughes, and Wide Open West, deliberately and with no visible indication route thousands of users’ entire web search traffic via Paxfire’s web proxies.

This appears to be done by returning the IP address of the intercepting server rather than the true IP address when you do a DNS lookup of the server (www.yahoo.com for example). Your browser then connects to Paxfire or one of the other companies, rather than yahoo, allowing them to collect data on your activity and possibly modify the results.

There are some things you can do to protect yourself. If your connection to the website is using SSL, or if you have a VPN, your ISP can not intercept or modify your connection.

If you are running FireFox you can install the “HTTPS Everywhere” extension, which will ensure that your connection uses SSL for most of the most popular sites on the Internet.

Using Anonymizer Universal will ensure 100% of your traffic goes over an encrypted connection which will prevent this kind of interception for all websites.

I encourage all of you to visit the ICSI Netalyzer website to test your connection and your ISP for this kind of interception, and to contribute information for their research to detect this kind of strange and/or nefarious activity.

House panel approves broadened ISP snooping bill | Privacy Inc. – CNET News

Declan McCullagh of CNET is reporting on a bill to require ISPs to maintain massive records on their users. According to the article this bill requires commercial Internet providers to retain “customers’ names, addresses, phone numbers, credit card numbers, bank account numbers, and temporarily-assigned IP addresses”.

They are calling it the “Protecting Children From Internet Pornographers Act of 2011″ in a flagrent attempt to make it politically difficult to vote against it even though the bill has noting directly to do with Internet pornography or protecting children.

Were this bill to become law, it might cause real problems for the growth of public Wi-Fi where there is no user authentication. That would be a huge leap backwards for a very possitive trend of late.

Of course, criminals will continue to be trivially able to circumvent such tracking efforts making this primarily a mechanism for gathering information on innocent persons without any hint of suspicion or probably cause.

It is absolutely un-American to require every citizen to submit to continuous tracking and monitoring on the possibility that some tiny fraction of us will commit a crime. Law enforcement always lobbies hard for such provisions. Make sure your voice is heard that you value your privacy and your rights.

Contact your Representitive and Senators if this is something you feel strongly about.

The press release linked at the bottom of this post is for a new website called AddressSearch.com. While I normally ignore most of the PR blasts sent to this blog, this one seemed worth posting because of the interesting realities and conflicts it exposes.

The idea is that you can use their database to find and email people. Their database contains 68.8 million email addresses, a huge number but only a fraction of all US email addresses. Given that many such databases exist, it seems inevitable that someone would set up a service like this.

On the positive side, they are doing a few different things to try to minimize abuse. First, they are limiting users to 5 message per day (although it is not clear how that is enforced). Second, they provide some general address location information about all the name matches to make it more likely that you are going to email the correct person. Finally, they don’t actually give you the recipients email address.

This last step is the most interesting. They allow you to write your email in a web form, then send it for you without revealing the recipients address to you. Of course it will be possible to abuse this, but probably not in any way that is not already widely possible. I also assume that this company keeps copies of the emails and adds your name and return address to their database. This is about protecting recipient privacy, not sender privacy.

On the whole, I am not happy that such services exist at all. I use social networking sites to make contact with me by strangers possible but only in the manner of my choosing. I don’t want random people sending messages to my personal or work email addresses. Imagine a distributed attack by members of Anonymous or LulzSec all sending 5 emails each to some victim. Of course the odds are that any attacker would have little difficulty in discovering the victim’s address through other means and then would not have any effective limit to the number of emails sent.

This may also turn out to be an unfortunate service for people who share a name with a celebrity. Interestingly, for people the service finds where it does not have an email address in the database, a paid ad refers you to Intelius.com where you can pay a couple of dollars to get the real address without any privacy features.

At the end of the day, the good news is that this company is making a significant effort to pay attention to the privacy implications of their service.

First-Ever Free Email Directory With Added Privacy Protection — JACKSONVILLE, Fla., June 21, 2011 /PRNewswire/ –

This article in Scientific American does a nice job of describing why it is difficult to track attacks back to their true origins.

This essay by Bruce Schneier goes farther arguing that it is fundamentally impossible to create an Internet without anonymity.

The core point of both articles is that identifying the computer that a given packet came from is not the same as identifying the sender. The computer could be a server set up to enable anonymous communications (like Anonymizer.com), it could be a compromised computer (like part of a botnet), or even a server run by the attacker purchased using pre-paid or stolen credit cards.

Whatever the mechanism, it will always be possible for attackers to hide their identities and activities. The real question is the degree to which we are willing to design the Internet to make tracking and monitoring of citizens easy for repressive regimes.

Face book announced that it will soon start automatically suggesting your name for tagging photos any time it thinks it recognizes you in a picture. This automatic facial recognition is the default and will be done unless you explicitly opt out.

It looks like you need to customize your privacy settings to disable this. In Facebook, look under the “account” menu and select “Privacy Settings”.

From there click the “Customize settings” link at the bottom of the table. Within there, look for ”Suggest photos of me to friends”, and set it to “Disabled”.

I suspect that few people will simply stumble on that.

Other people tagging you in photos can lead to embarrassment you might want to avoid. Having your name suggested just makes that more likely.

While you are at it, you might want to change the setting that allows others to “check you in” to locations. That can tell thieves you are away from home or stalkers where to find you.

CNN has a good article on the announcement. Facebook lets users opt out of facial recognition – CNN.com