ISPs will attach your ZIP to all web requests

This article on Wired.com is about an initiative by Juniper Networks in collaboration with Feeva to sell a new tracking technology to ISPs.

The enhanced router would be sold to ISPs and will automatically insert your ZIP+4 into HTML headers. This will allow marketers to have much more accurate information about the user’s physical location.

They claim that the “consumer is not in any way stripped of their privacy” but fail to actually explain how that is the case. The point is for ISPs to get a piece of the advertising pie. The ZIP will be encoded, not sent in the clear, but will be available to some undefined set of “trusted third parties”. That does not give me much comfort.

I have seen many examples of websites which charge different prices based on where you live, or otherwise restrict access to web pages. This kind of targeting does not help me at all. If I want to be located, I have many ways of explicitly telling the site where I am.

This is another example of why you can’t trust your ISP. Their interests are not the same as yours. They have a strong incentive to track and monetize your activity.

Fortunately it is easy to take back control. If your traffic is encrypted within a VPN, then the ISP will be unable to insert this information. It gives you the absolute ability to enforce your own “opt out” even if the ISP does not want to give you the option. Anonymizer Universal(TM) provides an easy tool to accomplish this.
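One way to check whether anything on the path is adding headers, as an added example that is not part of the original post: send a plain-HTTP probe to an echo server you control, record the raw request as it arrived, and diff it against what the client composed. The host name, the `X-Example-Geo` header and its token are constructed placeholders, not the header any real product uses.

```python
# Added example. Host, header name and token are constructed placeholders.

def parse_headers(raw: bytes) -> dict:
    """Return {lowercased-name: [values]} from a raw HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:                                  # ignore malformed lines
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def diff_request(sent: bytes, received: bytes) -> dict:
    """Compare the request the client wrote with the one the server saw."""
    s, r = parse_headers(sent), parse_headers(received)
    return {
        "added": {n: v for n, v in r.items() if n not in s},
        "changed": {n: (s[n], r[n]) for n in s if n in r and s[n] != r[n]},
        "removed": sorted(n for n in s if n not in r),
    }

def tampered(sent: bytes, received: bytes) -> bool:
    """True if any header was added, changed or removed in transit."""
    return any(diff_request(sent, received).values())

# Constructed capture: what the client sent ...
SENT = (b"GET /echo HTTP/1.1\r\n"
        b"Host: echo.example.test\r\n"
        b"User-Agent: probe/1.0\r\n"
        b"Accept: */*\r\n\r\n")
# ... what the echo server logged over the bare ISP link (one header added) ...
SEEN_DIRECT = SENT[:-2] + b"X-Example-Geo: b3BhcXVlLXRva2Vu\r\n\r\n"
# ... and what it logged when the same probe went through an encrypted tunnel.
SEEN_VIA_VPN = SENT

if __name__ == "__main__":
    print("direct :", diff_request(SENT, SEEN_DIRECT))
    print("via VPN:", diff_request(SENT, SEEN_VIA_VPN))
```

The probe has to be unencrypted HTTP on the direct path, since that is the only traffic an intermediary can rewrite.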

 

- Lance Cottrell

Collection of location info on iPhones and others

Many sites, including the Los Angeles Times, are reporting on a change to Apple’s privacy policy that allows collection and sharing of “anonymous” location information. The only way to prevent this seems to be completely disabling location services on the iPhone.

It appears that Google’s privacy policy allows a similar level of information collection.

Much of the chatter I have seen about this issue talks about targeted advertising and user tracking. While I have no doubt that both companies are very interested in doing that, I don’t think this particular disclosure is about that. Message targeting is more likely to happen within applications where the user has granted explicit permission to push location-based advertising and alerts.

I think this is all about improving Enhanced GPS services. My guess (and it is just a guess at this point) is that the phones are reporting back GPS location, Cell tower IDs and signal strength, and all visible WiFi base stations and signal strengths. Given enough of these sets of measurements, they can provide extremely accurate location information given only WiFi information (which takes much less power than GPS and also works indoors). It has been well established that multiple companies, including Google, are building such databases from trucks driving around the world (see my last post).

One purely anecdotal data point I have is from my WiFi-only iPad. For background, I live on a fairly large lot and the only WiFi I can detect is my own. One of the first things I did with the new iPad was to open up the map application. It almost instantly centered the location reticule on my house. The only available location information was from the WiFi. I know that the Street View truck has never been through my neighborhood, and doubt that any others have been. My suspicion is that phones used within my house have been providing the correlating data between my physical location and my personal WiFi base station hardware ID.

- Lance Cottrell

Google “Street View” vans intercepted sensitive data

Cnet (among others) reports on Google’s interception of personal information from open WiFi nodes, including passwords and e-mail.

Clearly it was poor practice for Google to be capturing and recording such information as they drove around, but the real news should be that the information was there to be captured. The intent of the monitoring of WiFi seems to be collecting the locations of WiFi base stations to improve enhanced GPS location services. This works by having your device upload a list of all the WiFi base stations it can see (along with signal strength) which the service then looks up in a database to determine your location. This requires the service to have a database of the physical location of an enormous number of WiFi base stations.

To do this, all Google would have needed to capture was the hardware address of each device. Instead they captured some of the actual data being sent back and forth as well.
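The lookup described above, and the crowd-sourced database building guessed at in the earlier iPhone post, as an added example that is not part of the original posts. The weighting scheme (signal power as the weight of a centroid), the MAC addresses and the coordinates are all assumptions constructed for illustration; real services do not publish their methods.

```python
# Added example: BSSID-based positioning with constructed data.

def _weight(rssi_dbm: float) -> float:
    """Convert dBm to linear milliwatts so stronger signals count for more."""
    return 10 ** (rssi_dbm / 10)

def learn(db: dict, gps_fix: tuple, scan: list) -> None:
    """A GPS-equipped device reports its fix plus every AP it can see.
    Each BSSID accumulates a power-weighted sum of the fixes it was seen at."""
    lat, lon = gps_fix
    for bssid, rssi_dbm in scan:
        w = _weight(rssi_dbm)
        s_lat, s_lon, s_w = db.get(bssid.lower(), (0.0, 0.0, 0.0))
        db[bssid.lower()] = (s_lat + w * lat, s_lon + w * lon, s_w + w)

def locate(db: dict, scan: list):
    """Estimate the position of a device with no GPS from its scan alone.
    Returns (lat, lon), or None when no visible BSSID is in the database."""
    lat_sum = lon_sum = total = 0.0
    for bssid, rssi_dbm in scan:
        entry = db.get(bssid.lower())
        if entry is None:
            continue                      # never surveyed, contributes nothing
        s_lat, s_lon, s_w = entry
        w = _weight(rssi_dbm)
        lat_sum += w * (s_lat / s_w)      # AP's learned position
        lon_sum += w * (s_lon / s_w)
        total += w
    return None if total == 0 else (lat_sum / total, lon_sum / total)

# Constructed identifiers (locally administered MACs) and coordinates.
HOME_AP = "02:00:00:AA:BB:01"
CAFE_AP = "02:00:00:AA:BB:02"

def build_db() -> dict:
    db = {}
    learn(db, (34.1000, -118.3000), [(HOME_AP, -45)])   # phone used at home
    learn(db, (34.1020, -118.3040), [(CAFE_AP, -50)])   # phone used elsewhere
    return db

if __name__ == "__main__":
    db = build_db()
    print(locate(db, [(HOME_AP, -52)]))                  # WiFi-only device at home
    print(locate(db, [("02:00:00:aa:bb:99", -60)]))      # unknown AP only
```

Only the hardware address and a signal reading enter the calculation; no payload traffic is needed at any step.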

It turns out that this is incredibly easy. With many of the WiFi chipsets built into personal computers, laptops and USB adapters, one can easily download free software that will start intercepting open WiFi traffic with a single click.

The shocking news should not be that Google accidentally got this information but that anyone with bad intent could do it to you. Anonymizer will soon be releasing a video we did a few weeks back showing how someone could take control of your Facebook account using an open WiFi and almost no technical expertise at all.

If the connection between you and a website, email server, or other service is unencrypted, then anyone near you can intercept it if you are using an open WiFi.

To be clear, open WiFi means that the underlying connection is unencrypted. Many public WiFi sites have a login page. This is to manage usage, and provides no security to you at all.

If you get a connection before you type in a password, especially if you see a web page before you type a password, then you should assume you are on an insecure connection and therefore vulnerable.

- Lance Cottrell

TOR may actually reduce your privacy

WikiLeaks seeded its database of documents by intercepting traffic through a TOR node they were operating.

This article at Wired highlights an almost buried section of this New Yorker interview with one of the founders of WikiLeaks.

Before the WikiLeaks site went live, the founders noticed that hackers were transferring stolen government documents over the TOR network. They captured over a million of these documents to form the initial core of the WikiLeaks archive.

This shows once again what I have been saying for a long time. Any privacy system that allows any untrusted and unknown person to become part of the infrastructure and have access to cleartext information is fundamentally flawed.

Any person with malicious intent can easily set up a TOR node and begin exactly the same kind of data collection that the WikiLeaks folks practiced.

Reputation is everything in this business. It is not practical for typical individuals to properly vet their providers. Track record, reputation, and respected third party endorsements are your best bet when choosing a privacy or security provider. Look for those for everyone who has access to your information.

- Lance Cottrell

Copy & Paste intercept / snoop

John Gruber at Daring Fireball posted this interesting article on the growing practice of websites intercepting your attempts to copy text from their pages. They are actually modifying the contents of your clipboard and tracking the fact that you have clipped the information.

The referenced cases seem to be doing it for marketing and informational purposes, but there are many ways this could be used in more aggressive ways.

Imagine a site with sample code which (when copied) inserted some damaging code into the middle of a large block.

I am worried that this capability exists at all within browsers. It seems like a major security vulnerability to me.

- Lance Cottrell

Louisiana: use a map go to jail law

Apparently the legislators in Louisiana feel that crimes committed with an electronic map are much more serious than those committed with the aid of paper maps. Not just some of them: the vote in the Louisiana House approved it unanimously (89-0).

If a “virtual street-level map” is used in the commission of ordinary crimes, a mandatory additional year must be added to the sentence. In cases of terrorism, the penalty is 10 years.

This should prove a boon to the sellers of Thomas Bros. high resolution map books.

The unanimous nature of this decision makes it clear the degree to which our leaders lack any political spine. They are obviously concerned that voting against this will appear “soft on crime” despite the fact that this will have no real impact at all, and is trivial to circumvent. It is a waste of time and attention on what Bruce Schneier calls “Security Theater”.

- Lance Cottrell

New Privacy Settings for Facebook

On May 26th Facebook announced new privacy controls. The EFF has a nice tutorial on how to properly configure these new settings to best protect your privacy.

Unfortunately these new settings options are being rolled out slowly. At this point I still don’t have the ability to use the new settings at all. If you are lucky enough to have been moved to the new system, update those settings ASAP.

- Lance Cottrell

US Apologizes to Billionaire Added to Terror No-fly List - ABC News

It looks like there is a process for dealing with inaccurate No-Fly List information after all. You just need to become a billionaire and develop some very high level political connections.

- Lance Cottrell

Privacy and Corporations at CFP Conference

I am very excited to be organizing a couple of panels at this year’s “Computers Freedom and Privacy” (CFP) Conference in San Jose June 15-18.

Historically the conference has focused on personal privacy / freedom issues, technologies, and policies. That was certainly my focus as well when I started Anonymizer. Over time I have become aware of some other aspects to the privacy issue that I have not seen discussed. In addition to corporations impacting privacy of their customers, users, employees, etc. they also have issues and needs for privacy themselves.

Companies’ activities are monitored, analyzed, blocked, misinformed, and censored. While these have analogs in the personal privacy world, the details, impacts and scale, and solutions to the problems are often very different.

I am organizing a panel to discuss these issues at the conference and would love to hear from others who may have experienced these kinds of issues and would be willing and able to share them at this conference.

- Lance Cottrell

Cypherpunk retrospective at 20th anniversary CFP conference

This year the “Computers Freedom and Privacy” (CFP) conference is taking place in San Jose from June 15-18. This year is the 20th anniversary of the conference which helped shape my thinking about Internet Privacy and introduced me to many of the key players in this space.

Around the same time in 1992 an email mailing list started called “Cypherpunks”. Members were devoted to discussions of Internet freedom and to creating and distributing privacy and security tools. Best known of these are the various flavors of Anonymous Remailers following the original anon.penet.fi.

This seems like a good time to stop and take stock of what has been achieved, lost, and abandoned in the evolution of privacy and anonymity on the Internet. I have organized a panel at CFP of some of the key Cypherpunks from the early days to talk about those early days, and share their vision and insight about where we are and where we should / are likely to end up.

I hope I will see many of you there.

- Lance Cottrell