CAT | Personal Privacy
Welcome to episode 7 of The Privacy Blog Podcast.
In April’s episode, we’ll be looking at the blacklisting of SSL certificate authorities by Mozilla Firefox – specifically, what this complex issue means and why Mozilla chose to start doing this.
In more breaking online privacy news, I will be discussing the security implications of relying on social media following the hacking of the Associated Press Twitter account earlier this week.
Next, I’ll chat about the “right to be forgotten” on the Internet, which hinges on the struggle between online privacy and free speech rights. In a closely related topic and following Google’s release of the new “Inactive Account Manager,” I will discuss what happens to our social media presence and cloud data when we die. It’s a topic none of us likes to dwell on, but it’s worth taking the time to think about our digital afterlife.
Adam Rifkin on TechCrunch has an interesting article about Tumblr and how it is actually used.
The thesis of the article is that Tumblr is used more openly and for more sensitive things than Facebook because the privacy model is so much easier to understand and implement.
If you have five interests and corresponding social circles, just set up five pseudonymous Tumblrs. Each then becomes its own independent social space with minimal risk of cross contamination.
While all of those Tumblrs are public and discoverable, in practice they are not easy to find and unlikely to be stumbled upon by undesired individuals. This is classic security by obscurity.
By contrast, Facebook wants you to put everything in one place, then use various settings to try to ensure that only the desired subset of friends, friends of friends, or the general public have access to it.
This ties to the case I have been making for a while that people want to be able to separate their various personality shards among their various social circles. Even with access controls, using the same account for all of them may create too much connection, and the odds of accidentally releasing information to the wrong people are too high.
I would like to see something like Tumblr provide stronger abilities to restrict discoverability, but it represents an interesting and growing alternative model to Facebook.
A Guest Post by Robin Wilton of the Internet Society
We are the raw material of the new economy. Data about all of us is being prospected for, mined, refined, and traded…
. . . and most of us don’t even know about it.
Every time we go online, we add to a personal digital footprint that’s interconnected across multiple service providers, and enrich massive caches of personal data that identify us, whether we have explicitly authenticated or not.
That may make you feel somewhat uneasy. It’s pretty hard to manage your digital footprint if you can’t even see it.
Although none of us can control everything that’s known about us online, there are steps we can take to understand and regain some level of control over our online identities, and the Internet Society has developed three interactive tutorials to help educate and inform users who would like to find out more.
We set out to answer some basic questions about personal data and privacy:
- Who’s interested in our online identity? From advertisers to corporations, our online footprint is what many sales-driven companies say helps them make more informed decisions about not only the products and services they provide – but also who to target, when and why.
- What’s the real bargain we enter into when we sign up? The websites we visit may seem free – but there are always costs. More often than not, we pay by giving up information about ourselves – information that we have been encouraged to think has no value.
- What risk does this bargain involve? Often, the information in our digital footprint directly changes our online experience. This can range from the advertising we see right down to paying higher prices or being denied services altogether based on some piece of data about us that we may never even have seen. We need to improve our awareness of the risks associated with our digital footprint.
- The best thing we can do to protect our identity online is to learn more about it.
The aim of the three tutorials is to help everyone learn more about how data about us is collected and used. They also suggest things you need to look out for in order to make informed choices about what you share and when.
Each lasts about 5 minutes and will help empower all of us to decide not only what we want to keep private, but also what we want to share.
After all, if we are the raw material others are mining to make money in the information economy, don’t we deserve a say in how it happens?
Find out more about the Internet Society’s work on Privacy and Identity by visiting its website.
* Robin Wilton oversees technical outreach for Identity and Privacy at the Internet Society.
Nokia’s Asha and Lumia phones come with something they call the “Xpress Browser”. To improve the browser experience, the web traffic is proxied and cached. That is a fairly common and accepted practice.
Where Nokia has stepped into questionable territory is when it does this for secure web traffic (URLs starting with HTTPS://). Ordinarily it is impossible to cache secure web pages because the encryption key is unique, used only for a single session, and negotiated directly between the browser and the target website. If such pages were cached, nobody else would be able to read the cached data.
Nokia is doing a “man in the middle attack” on the user’s secure browser traffic. Nokia does this by having all web traffic sent to their proxy servers. The proxy then impersonates the intended website to the phone, and sets up a new secure connection between the proxy and the real website.
Ordinarily this would generate security alerts because the proxy would not have the real website’s cryptographic Certificate. Nokia gets around this by creating new certificates which are signed by a certificate authority they control and which is pre-installed and automatically trusted by the phone.
So, you try to go to Gmail. The proxy intercepts that connection, and gives you a fake Gmail certificate signed by the Nokia certificate authority. Your phone trusts that so everything goes smoothly. The proxy then securely connects to Gmail using the real certificate. Nokia can cache the data, and the user gets a faster experience.
All good right?
The fly in the ointment is that Nokia now has access to all of your secure browser traffic in the clear, including email, banking, etc.
They claim that they don’t look at this information, and I think that is probably true. The problem is that you can’t really rely on that. What if Nokia gets a subpoena? What about hackers? What about accidental storage or logging?
This is a significant breaking of the HTTPS security model without any warning to end users.
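The reason this interception goes unnoticed is that the phone’s normal certificate validation succeeds: the proxy’s certificate is signed by a CA the device already trusts. The added example below (not code from the original post or from Nokia) shows the extra check a defender can add: pin the issuer you expect for a site and flag a certificate that validates but was signed by some other CA. The host name `mail.example.com`, the issuer names and the sample certificates are constructed placeholders in the dictionary format returned by Python’s `ssl.SSLSocket.getpeercert()`.

```python
import socket
import ssl

# Pinned issuer names per host. Constructed placeholders for this example,
# not real CA names: in practice you would record the issuer seen from a
# trusted network and alert when it changes.
EXPECTED_ISSUERS = {
    "mail.example.com": {"Example Trust Services CA"},
}


def issuer_common_name(cert):
    """Return the issuer commonName from a dict shaped like getpeercert().

    getpeercert() represents the issuer as a tuple of RDNs, each RDN being
    a tuple of (attribute, value) pairs.
    """
    for rdn in cert.get("issuer", ()):
        for attribute, value in rdn:
            if attribute == "commonName":
                return value
    return None


def classify_certificate(host, cert):
    """Classify the leaf certificate presented for host.

    Returns one of:
      "ok"                 issuer matches the pin recorded for this host
      "unexpected-issuer"  certificate validated, but a different CA signed
                           it (what a pre-installed proxy CA produces)
      "no-pin"             no expectation recorded for this host
    """
    pinned = EXPECTED_ISSUERS.get(host)
    if pinned is None:
        return "no-pin"
    return "ok" if issuer_common_name(cert) in pinned else "unexpected-issuer"


def check_host(host, port=443, timeout=5.0):
    """Connect to host over TLS and classify the certificate it presents.

    ssl.create_default_context() accepts any certificate that chains to a
    CA in the system trust store, which is exactly why a device-wide proxy
    CA passes silently; the issuer pin is the additional check.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return classify_certificate(host, tls.getpeercert())


# Constructed sample certificates in getpeercert() format (not real data).
GENUINE_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("organizationName", "Example Trust"),),
               (("commonName", "Example Trust Services CA"),)),
}
PROXIED_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("organizationName", "Handset Vendor"),),
               (("commonName", "Handset Vendor Proxy CA"),)),
}

if __name__ == "__main__":
    print(classify_certificate("mail.example.com", GENUINE_CERT))  # ok
    print(classify_certificate("mail.example.com", PROXIED_CERT))  # unexpected-issuer
```

Run `check_host("mail.example.com")` from a network you trust to learn a site’s normal issuer, then repeat it from the device or network under test; an "unexpected-issuer" result on a connection that the platform itself reported as valid is the signature of a trusted-CA interception proxy. Pinning the issuer name is the simplest form of this check; pinning the CA’s public key hash is stronger, since a proxy CA could copy a name but not a key.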
Welcome to Anonymizer’s inaugural episode of The Privacy Podcast. Each month, we’ll be posting a new episode focusing on security, privacy, and tips to protect you online.
Today, I talk about non-technical ways your online accounts can be compromised, focusing on email address and password reuse, security questions, and using credit card numbers as security tokens. In part two, I give power user tips for getting the most out of your Anonymizer Nyms account.
Hope you enjoy the first episode in our monthly series of podcasts. Please leave feedback and questions in the comments section of this post.
Download the transcript here