Ads, spying, and my personal opinion

In the past year or so, I have seen multiple articles, even by authors who I thought had more rational sense to them, about the impression people get of being spied upon by technology and technology companies. I never bothered to write about them, among other things because the company I work for (Google) is often at the receiving end of those articles, and it would be disingenuous for me to “defend” it, even though I work in Site Reliability, which gives me much less insight into how tracking is done than, say, my friends who work in media at other companies.

But something that happened a few weeks ago gave me an insight into one of the possible reasons why people think this, and I thought I would share my opinion on it. Before I start, let me make clear that what I’m going to write about is pieced together from public information only. As you’ll see soon, the commentary does not even involve my company’s products, and because of that I had access to no private information whatsoever.

As I said in previous posts, I have had one huge change in my personal life over the past few months: I’m in a committed relationship. This means that there’s one other person besides me who spends time in the apartment, using the same WiFi. This is going to be an important consideration as we move on.

Some weeks ago, my girlfriend commented on a recent tourism advertisement campaign by Lithuania (her country) on Facebook. A few hours later, I received that very advertisement on my stream. Was Facebook spying on us? Did they figure out that we have been talking a lot more together and thus thought that I should visit her country?

I didn’t overthink it too much because I know it can be an absolute coincidence.

Then a few weeks later, we were sitting on the sofa watching Hanayamata on Crunchyroll. I took a bathroom break between episodes (because Crunchyroll’s binge mode doesn’t work on Chromecast), and as I came back she showed me that Instagram had started showing her Crunchyroll ads — “Why?!” We were using my phone to watch the anime, as I have the account. She’s not particularly into anime; this was almost a first, as the material interested her. So why the ads?

I had to think for a moment to give her an answer. I had to make a hypothesis, because obviously I don’t have access to either Crunchyroll’s or Instagram’s ad tracking, but I think I’m likely to have hit close to the bullseye. When I realized what I was thinking of, I considered the implications for the previous Facebook ads, and for the whole lot of articles about spying.

One more important aspect that I have not revealed yet is that I asked my ISP to give me a static, public IPv4 address instead of the default CGNAT one. I fell for the wet dream, despite not really having used the feature since. It’s handy, don’t get me wrong, if I were to use it. But the truth is that I probably could have gone without it and I wouldn’t have noticed a difference.

Except for the ads of course. Because here’s how I can imagine these two cases to have happened.

My girlfriend reads Lithuanian news from her phone, which is connected to my WiFi when she’s here. And we both use Facebook on the same network. It’s not terribly far-fetched to expect that some of the trackers on the Lithuanian news sites she visits are causing the apartment’s stable, static, public IP address to be added to a list of people possibly interested in the country.

Similarly, when we were watching Crunchyroll, we were doing so from the same IP address from which she was checking Instagram. Connect the two dots and you have the reason why Instagram thought she’d be a good candidate for seeing an advert for Crunchyroll. Which honestly would make more sense if they intended to exclude those who already have an account, in which case I would not have them trying to convince me to… give them the money I already give them.

Why do I expect this to be IP tracking? Because it’s the only thing that makes sense. We haven’t used Facebook or Messenger to chat in months, so they can’t get signal from that. She does not have the Assistant turned on on her phone, and while I do, I’m reasonably sure that even if it was used for advertisement (and as far as I know, it isn’t), it would not be for Facebook and Instagram.

IP-based tracking is the oldest trick in the book. I would argue that it’s the first tracking that was done, and probably one of the least effective. But at the same time it’s mostly a passive tracking system, which means it’s much easier to accomplish under the current limits and regulations, including but not limited to GDPR.

This obviously has side effects that are even more annoying. If advertisers start to target IP addresses indiscriminately, it would be impossible for me or my girlfriend to search for surprises for each other. Just to be on the safe side, I ordered flowers for our half-year anniversary from the office, on the off-chance that the site would put me on a targeting list for flower ads and she could guess about it.

This is probably a lot less effective for people who have not set up static IP addresses, since there should be a daily or so rotation of IP addresses that confuses the tracking enough. But I can definitely see how this can also go very wrong when household dynamics are pathological, or if the previous holder of the address managed to get the IP on targeting lists for unexpected announcements.

I have to say that in these cases I do prefer when ads are at least correctly targeted. You can check your Ads preferences for Google and Facebook if you want to actually figure out if they know anything about you that you don’t want them to. I have yet to find out how to stop the dozens of “{Buzzword} {Category} Crowdfunding Videos” pages that keep spamming me on Facebook though.

Facebook, desktop apps, and photography

This is an interesting topic, particularly because I had not heard anything about it up to now, despite having many semi-pro and amateur photographer friends (I’m a wannabe). It appears that starting August 1st, Facebook will stop allowing desktop applications to upload photos to albums.

Since I have been uploading all of my Facebook albums through Lightroom, that’s quite a big deal for me. On Jeffrey Friedl’s website, there’s this note:

Warning: this plugin will likely cease to work as of August 1, 2018, because Facebook is revoking photo-upload privileges for all non-browser desktop apps like this.

As of June 2018, Adobe and I are in discussions with Facebook to see whether something might be worked out, but success is uncertain.

This is now less than a month before the deadline, and it appears there’s no update for this. Is it Facebook trying to convince people to just share all their photos as they were shot? Is it Adobe not paying attention trying to get people on their extremely-expensive Adobe CC Cloud products? (I have over 1TB of pictures shot, I can’t use their online service, it would cost me so much more in storage!) I don’t really know, but it clearly seems to be the case that my workflow is being deprecated.

Leaving aside the consideration of the impact of this on me alone, I would expect that most of the pro- and semi-pro-photographers would want to be able to upload their pictures without having to manually drag them with Facebook’s flaky interface. And it feels strange that Facebook wants to stop “owning” those photos altogether.

But there’s a bigger impact in my opinion, which should worry privacy-conscious users (as long as they don’t subscribe to the fantasy ideal of people giving up on sharing pictures): this move erodes the strict access controls on picture publishing that defined social media up to now, for any of the users who have been relying on offline photo editing.

In my case, the vast majority of the pictures I take are actually landscapes, flowers, animals, or in general not private events. There’s the odd conference or con I bring my camera to (or should I say used to bring it to), or a birthday party or other celebration. Right now, I have been uploading all the non-people pictures as public (and copied to Flickr), and everything that involves people as friends-only (and only rarely uploaded to Flickr with “only me” access). Once the changes go into effect, I lose the ability to make simple access control decisions.

Indeed, if I was to upload the content to Flickr and use friends-only limited access, very few people would be able to see any of the pictures: Flickr has lost all of its pretension to be a social media platform once Yahoo stopped being relevant. And I doubt that the acquisition of SmugMug will change that part, as it would be just a matter of duplicating a social graph that Facebook already has. So I’m fairly sure a very common solution to that is going to be to make the photos public, and maybe the account not discoverable. After all who might be mining the Web for unlisted accounts of vulnerable people? (That’s sarcasm if it wasn’t clear.)

In my case it’s just going to be a matter of not bringing my camera to private events anymore. Not the end of the world, since I’m already not particularly good at portrait photography, and it’s not my particular area of interest. But I do think that there are going to be quite a few problems in the future.

And if you think this is not going to be a big deal at all, because most parties have pictures uploaded by people directly on their mobile phones… I disagree. Weddings, christenings, cons, sport matches, all these events usually have their share of professional photographers, and all these events need to have a way to share the output with not only the people who hired them, but also the friends of those, like the invitees at a wedding.

And I expect that for many professionals, it’s going to be a matter of finding a new service to upload the data to. Mark my words, as I expect we’ll find that there will be, in the future, leaks of wedding pictures used to dox notable people. And those will be due to insecure, or badly-secured, photo sharing websites, meant to replace Facebook after this change in terms.

Emailing receipts

Before starting: I usually avoid taking political stances outside of Italy, since that is the only country I can vote in. But I think it’s clear to most people over here that, despite posting mostly about first-world problems, I do not thrive in the current political climate overall. So while you hear me complaining about things that are petty, don’t assume I don’t have just as many worries that are actually relevant to society as a whole. I just don’t have solutions, and tend to stick to talking about what I know.

I’m visiting the US, maybe for the last time for a while, given the current news. It reminds me of Japan and China, in the sense that it’s a country that mixes extremely high-tech and vintage solutions in the same space. The country had to be brought kicking and screaming into the 20th century some years ago to start issuing chip cards but on the other hand, thanks to Square, and LevelUp and all kind of other similar mobile payment platforms, email receipts are becoming more and more common.

I find this interesting. I wrote some time ago about my preference for electronic bills, but I did not go into the details of simpler receipts. I touched on the topic when talking about expenses, but I did not go into precise details either. And I thought that maybe it’s time to write something, if nothing else because this way I can share what my opinion on them is.

For those who may have not been to the States, or at least not in California or Manhattan, here is the deal I’m talking about: when you pay with a given credit card with Square for the first time (but the same applies to other platforms), it asks you if you want to receive a receipt confirmation via email. I usually say yes, because I prefer that to paper (more on that later). Afterwards, any payment made with the same card also gets emailed. You can unsubscribe if you want, but the very important part is that you can’t refuse the receipt at payment time. Which is fun, because after going to a bibimbap restaurant near the office last week, while on business travel, and taking a picture of the printed out receipt for the expense report, I got an email with the full receipt, including tip, straight into my work inbox (I paid with the company card, and I explicitly make the two go to different email addresses). The restaurant didn’t even have to ask.

As it happens, Square and mobile payments are not the only ones doing that. Macy’s, a fairly big department store in North America, also allows you to register a card, although as far as I remember, it still allows you to opt to only get the paper receipt. This difference in options is interesting, and it kind of makes sense in the context of what spending pattern you may have: if you’re going to Macy’s to buy a gift for your significant other, it makes sense that you may not want to send them a copy of the receipt for the gift. On the other hand, I would not share my email password with a SO — maybe that’s why I’m single. Apple Stores also connect a card with an email address, but I remember the email receipt is also opt-in, which is not terribly good.

Why do I think it is important that the service allows you to opt in to receipts but not opt out of a single transaction? It’s a very good safeguard against fraud. If a criminal were to skim your card and use it through one of those establishments that send you email receipts, they would definitely opt out of the email receipts, so as not to alert you. This is not theoretical, by the way, as it happened to me earlier this month. My primary card got skimmed – I have a feeling this happened in December, at the MIT Coop store in Cambridge, MA, but that’s not important now – and used, twice, at one or two Apple Stores in Manhattan, buying the same item for something above €800, during what, for me, was a Saturday evening. I honestly don’t remember if I used that card at an Apple Store before, but assuming I did and the receipts were not opt-in, I would have known to call my card company right away, rather than having to wait for them to call me on Monday morning.

While real-time alerts are something that a few banks do provide, no bank in Ireland does that, to my knowledge, and even in Italy the banks doing that make you pay extra for the service, which is kind of ludicrous, particularly for credit cards where the money at stake is usually the bank’s. And since accounting of foreign transactions can easily take days, while the receipts are nearly instantaneous by design, this is very helpful to protect customers. I wish more companies started doing that.

An aside here about Apple: by complete coincidence, a colleague of mine had a different kind of encounter with criminals who tried to buy Apple devices with his card the week before me. In this case, the criminals got access to the card information to use online, and set up a new Apple ID to buy something. He did have the card attached to his real Apple ID account, and had made online purchases with it not long before, so when they tried that, the risk engine on Apple’s side triggered, and they contacted him to verify whether the order was genuine. So in this case neither Apple nor the bank lost money, as the transaction was cancelled. He still had to cancel the card, though.

But there is more. Most people will treat receipts, and even more so credit card slips, as trash and just throw them away at the first chance they have. For most people and in most cases this is perfectly okay, but sometimes it is not. Check out this lecture by James Mickens — whom I had the pleasure to listen to in person at LISA 2015… unfortunately not to meet and greet, because I went into shock during his talk, as exactly at that time the Bataclan attacks in Paris happened, and I was distraught trying to reach all my Parisian friends.

If you have watched the full video, you now know that the last four digits of a credit card number are powerful. If you like fantasy novels, such as the Dresden Files, you have probably read that “true names have power” — well, as it happens, a credit card number has possibly more power, in the real world. And the last four digits of a credit card can be found on most credit card slips, together with a full or partial name, as written on the card. So while it’s probably okay to leave the credit card slip on the table at a random restaurant in the middle of the desert, if you’re the only patron inside… it might not be quite the same if you’re a famous person, or a person at risk of harassment. And let’s be honest, everybody is at risk nowadays.

While it is true that credit card slips and receipts are often separate, particularly when using chip cards, as the POS terminal and the register are usually completely separated, this is not always the case, and almost never the case for big stores, both in the United States and abroad. Square cash registers, as well as a number of other similar providers that graduated from mobile-only payments to full-blown one-stop shops for payment processing, tend to print out a single slip of paper (if you have not registered for the email receipts). This at least reduces the chance that you would throw away the receipt right away, as you probably want to bring it home with you for warranty purposes.

And then there is the remaining problem: when you throw paper receipts directly into the trash, dumpster diving makes it possible to find out a lot about your habits, and in particular it makes it significantly easier to target you, even just opportunistically, with the previously-mentioned power of the last four digits of your card and a name.

Now, it is true that we have two different security problems here. The payment processing companies can now connect a credit card number with an email address — I would hope that PCI-DSS stops them from actually storing the payment information in cleartext, and that they only store a one-way hash of the credit card number to connect it to the email address. It is still tricky, because even with hashed card numbers, a leak of that database would make the above attacks even easier: from a card number you could find out the email address, and from that easily the accounts, of the card owner, and take control way too easily.

There is also a risk that you’re opening up more details of your personal life to whoever has access to your email account — let’s say your employer, if you’re not properly siloing your email accounts. This is a real problem, but only made slightly worse by the usage of email receipts for in-store purchases. Indeed, for stores like CVS you can most likely get an order history straight from the website, which you can most likely already access if you have access to the email account — which, by the way, is why you should enable 2FA! As I said above, I only get email sent to my work account if it is undoubtedly work-only; anything I buy with the work credit card is clearly work-related, but for instance taxi receipts, flights or hotel bookings may be personal, and so the account is set to mail my personal account only — when needed I forward the email messages over, but usually I just need the receipts for expensing.

And hey, even the EFF, to which I renewed my support today, uses Square to take donations, so why not?

My opinion on internet ads

You may or may not remember that I did post about my (controversial) privacy policy and some of my thoughts on threat models. A related, though probably separate, topic is how to handle internet advertisers and tools like AdBlock, so I thought I would write down my personal preference and how I work.

First of all, I should point out the obvious elephants in the room: not only do I work for a company that sells internet ads, but I also use ads on both this blog and Autotools Mythbuster — mostly to try to reduce the cost of running these operations, which are mostly a personal whim. On the other hand, the opinions I express in this post are all personal, and are not being influenced by this. They have been forged over time and experience, though some of said experience may have been related to these.

Once this is clarified, I should describe my current setup, since that will spark the rest of the content of the post. I (still) use AdBlock Plus extension for Chrome — even with all the possibly shady behaviour that the current owners are behind, I have not found a good replacement; uBlock Origin is not a replacement, as I’ll get to later. I’ve set the extension to behave as an opt-in, rather than opt-out: ads are not blocked anywhere until I ask it to. Chrome for Android does not have AdBlock or similar, so I have nothing really there, on the other hand it’s less of an issue there because I usually just look at the same dozen websites most of the time.

To make ads generally less annoying, I signed up for Google Contributor which allows me to declare a target monthly contribution to use to replace Google Ads with whatever set of images (or nothing at all.) I set it to show me cats, including my own.

As I said above, I set my AdBlock to not block ads by default, so when do I decide to turn it on? Well, to start with I run it on my own websites (except when I’m testing them), since otherwise it’s a bit of a mess with the Terms of Service of AdSense, so this is easier. Other than that, I usually turn it on for various sites when I land on a page and I find it “scammy.” The definition of scammy is of course up to debate, so let me try to explain where I come from.

Also, I need to make this point here, so that if you completely disagree with my idea here, you can probably stop reading (and please don’t comment either): I don’t believe that advertising and marketing are inherently evil. I know plenty of privacy extremists take an issue with the statement, so if you do feel free to move on and read something else altogether.

Not all internet ads are created equal; I think this is obvious to essentially anybody who has been browsing the Internet for more than a few months. Ads may be more or less intrusive, they may be more or less relevant to your interests, and they may or may not be legal. While no supplier is immune, most of the big names try hard to avoid ads that outright lie, or that try to pass off as something else. The results are usually mixed, as everybody knows already.

On the other hand, there are suppliers that explicitly go for the scams, and some website operators accept them quite willingly. The reason is usually monetary: these networks pay off much better, as the “advertisers” are happy to pay premium to get their (frequently) malware advertised. To give you a bit of an idea, I suggest you read or watch this presentation from the USENIX Security conference.

This is not all, of course. There are also the self-defined “content discovery networks”, which purport to point people at other content they should be interested in, mixing content from the same site with “sponsored links.” Even I tried it once, before I noticed how useless it ended up being. Nowadays a lot of those kinds of links come from two networks: Taboola and Outbrain; in my experience, the latter actually provides kind-of relevant content, while the former has lots of almost definite scams that I do not appreciate.

To give you an idea, if I’m reading an article about Brexit, I find it perfectly reasonable to get links to articles suggesting cheap vacations to the UK, an ad for Transferwise and an ad for ig.com (which is, as far as I know, a totally legit trading website I have no affiliation with, but which just seems to spend lots of money on advertisement, as I see it on every other website.) If, on the other hand, a different article on the same topic proposes links such as “This one trick hated by doctors to lose weight” and similar, then I think there is more than a little bit of a problem.

But you can get worse than this! Some months ago I was traveling to London, and an acquaintance of mine shared on Facebook an article he wrote for an Italian newspaper (since he’s still living around where I’m from.) Since I was curious about the topic, I looked at it and … well, you can see it by yourself:

Scammy ads from Italian newspaper site

Two things are kind of obvious when looking at it: “Make ¤NNN a day” scams are freaking common, not only in comment spam, and people really seem to believe you can look 30 years younger by buying something. Out of eight “links”, only half actually point back to the newspaper, two point to possibly fake cosmetics (from two “different” sites — which are clearly the same), and two point to outright scams that suggest you can make money without doing anything (these at least reporting the same site name.) It’s also apparent that those two sets are auto-generated by taking a set of stock images and a set of stock headline templates, and throwing in different currency symbols, numbers and country names.

Now you may ask why a newspaper – one for which a friend of mine even writes! – would use such a blatantly scammy ad network. The answer is that they did not realize it was a scammy network until I showed him the screenshot. Indeed, from within Italy their ads are useless, but at least legit; it isn’t until you’re visiting from the outside that they start providing you with scam. This is, by the way, why sometimes you may find spam that simply links to a blog post of a newspaper or other site in a non-English language: they still want you to “see” these ads, if they are the only thing you understand in the page, that’s still okay. If you don’t know better, you may still fall for it.

There are more cases, but these are the major ones. So if I see any of these scammy ads, I just go and enable AdBlock for the whole domain. Usually, I also try to stay away from that website altogether, but sometimes it’s not as easy. For instance Wikia – yes, headed by the same Jimmy Wales that keeps insisting he doesn’t want ads on Wikipedia by putting a 50%-height banner of his face on it from time to time – uses the medium-grade scammy Taboola — it’s not quite outright illegal activity, but clearly it’s not something I care to see. So there goes AdBlock.

In addition to the actually scammy ones, I enable AdBlock Plus if I see other ads that, whether legit or not, are just an active pain in the arse. For instance, some sites, particularly (I noted) around hardware reviews, use ad networks that hook on-hover ads to words. So if you’re like Randall and me and go on selecting text to remember where you were reading if you’re distracted, you may end up playing one of their stupid (sometimes scammy, sometimes not) ads. Bam. Auto-playing video ads with audio get the AdBlock hammer too. Bam. And so do those sites that just get my CPU to spin though it’s not obvious there is any ad playing already. Bam.

So with all this explained, let me go back to uBlock Origin, which seems to be the only alternative to AdBlock Plus that is ever suggested. This extension is clearly written by privacy extremists. I already had a couple of times people replying to my complaints about it on twitter trying to be funny with “well, that’s intended” or “I don’t see a problem” — that does not make you smart, that makes you completely tone-deaf.

The extension does not only block ads, but it keeps insisting it wants to block all the client-side tracking. As I said before there is still plenty of space for server-side tracking, particularly for malicious purposes; client-side tracking is usually done for marketing purposes, and so I don’t really mind it.

It goes beyond that. The rulesets in uBlock Origin are designed to block based on regular expressions; some of these expressions are of significantly wide reach, for instance when I tried it I couldn’t even go and check my own AdSense console. Or even access SourceForge! — as much as I really disliked SourceForge’s turning to bundling malware last year, marking the whole site off-limits is crazy.

More bothersome for me was the way the extension decided that any of the tracking clicks from Skymiles Shopping were ads, and so just decided it was a good thing to block them. For those who don’t know Skymiles Shopping, or one of its many other incarnations for hotels, airlines and other loyalty programs, it’s essentially a way to bridge the referral system of various online shopping venues with your own interests, pretty much the same as Socialvest used to do. When you click on a given offer from the portal, they ask you for your loyalty identifier (in my case a Delta SkyMiles frequent flyer number), then send you to the shopping site with a personalized tracker. After you order from the site, they get a referral commission, and credit you with something — in the case of Socialvest back in the day, you could donate that to non-profits, or get it added to your Flattr wallet; in the case of Skymiles Shopping, they give you a number of Delta reward miles.

Am I trading part of my privacy away for some benefit? Yes. I’m okay with that, as I said. And so is, very likely, the majority of people out there. So without providing an option to disable this behaviour, and insisting that it’s the correct one, the only way they can read it is that the extension is not for them, and they will fall back to either the (possibly shady) AdBlock Plus, or to no extension whatsoever — and with badvertising being an actual problem, that’s not good either.

For you it might be that your privacy is just that valuable, but there are indeed enough people for which these cash-back, custom tailored offers, or generally legit, non-scammy ads are important. It’s not far from the toilet paper problem.

Indeed, this kind of tone-deaf response from many privacy and Free Software activists is what turned me significantly away from the movement over the past few months. I plan on writing more about it, but I thought this would be a good place to start.

EFF’s Panopticlick at Enigma 2016

One of the things I was most interested to hear about at Enigma 2016 was news about EFF’s Panopticlick. For context, here is the talk from Bill Budington:

I wrote before about the tool, but they have recently reworked and rebranded it to use it as a platform for promoting their Privacy Badger, which I don’t particularly care for. For my intents, they luckily still provide the detailed information, and this time around they make it more prominent that they rely on the fingerprintjs2 library for this information. Which means I could actually try and extend it.

I tried to bring up one of my concerns at the post-talk Q&A at the conference (the Q&A was not recorded), so I thought it would be nice to publish my few comments about the tool as it is right now.

The first comment is this: both Panopticlick and Privacy Badger do not consider the idea of server-side tracking. I have said that before, and I will repeat it now: there are plenty of ways to identify a particular user, even across sites, just by tracking behaviours that are seen passively on the server side. Bill Budington’s answer to this at the conference was that Privacy Badger’s answer is allowing cookies only if there is a policy in place from the site, and counting on this policy being binding for the site.

But this does not mean much — Privacy Badger may stop the server from setting a cookie, but there are plenty of behaviours that can be observed without the help of the browser, or even more interestingly, with the help of Privacy Badger, uBlock, and similar other “privacy conscious” extensions.

Indeed, not allowing cookies is, already, a piece of trackable information. And that’s where the problem with self-selection, which I already hinted at before, comes in: when I ran Panopticlick on my laptop earlier, it told me that one out of 1.42 browsers has cookies enabled. While I don’t have any access to facts and statistics about that, I do not think it’s realistic to say that about 30% of browsers have cookies disabled.

If you connect this to the commentary NSA’s Rob Joyce gave at the closing talk, which unfortunately I was not present for, you could say that the fact that Privacy Badger is installed, and fetches a given path from a server trying to set a cookie, is a good way to figure out information about a person, too.

The other problem is more interesting. In the talk, Budington briefly introduces the concept of Shannon entropy, although not by that name, and gives an example of the different amounts of entropy provided by knowing someone’s zodiac sign versus knowing their birthday. He also points out that these two pieces of information are not independent, so you cannot sum their entropy together, which is indeed correct. But there are two problems with that.

The first is that the Panopticlick interface does seem to treat all the information it gathers as at least partially independent, and indeed shows a number of entropy bits higher than its single highest entry. But it is definitely not the case that all entries are independent. Even leaving aside browser-specific things such as the type of images requested and so on, for many languages (though not English) there is a timezone correlation: the vast majority of Italian users would be reporting the same timezone, either +1 or +2 depending on the time of the year; sure, there are expats and geeks, but they are definitely not as common.

The second problem is that there is a more interesting approach to take when you are given, through independent channels, key/value pairs of information that should not be independent. Going back to the example of date of birth and zodiac sign, the calculation of entropy in this example starts from facts, particularly facts people cannot lie about — although I’m sure that in any one database of registered users, January 1st is skewed to have many more than 1/365th of the users.

But what happens if the information is gathered separately? If you ask a user both their zodiac sign and their date of birth separately, they may lie. And when (not if) they do, you may have a more interesting piece of information, because if you have a network of separate social sites/databases in which only one user ever selects being born on February 18th but being a Scorpio, you have a very strong signal that it might be the same user across them.
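To make the entropy argument concrete, here is a small Python example I added to this post (it is neither EFF’s code nor Panopticlick’s): it computes the Shannon entropy of a birthday, of a zodiac sign, and of both together over a constructed uniform population of one person per calendar day, converts a “one in N browsers” figure such as the 1.42 above into bits, and flags self-reported (birthday, sign) pairs that contradict each other across two constructed sites. The zodiac boundaries, the site names and the sample records are assumptions of the example.

```python
import math
from collections import Counter
from datetime import date, timedelta

# Zodiac boundaries are an assumption of this example (tables differ by a day
# or so between sources); each entry is the first day of that sign.
_SIGN_STARTS = [
    (1, 20, "Aquarius"), (2, 19, "Pisces"), (3, 21, "Aries"),
    (4, 20, "Taurus"), (5, 21, "Gemini"), (6, 21, "Cancer"),
    (7, 23, "Leo"), (8, 23, "Virgo"), (9, 23, "Libra"),
    (10, 23, "Scorpio"), (11, 22, "Sagittarius"), (12, 22, "Capricorn"),
]

def zodiac_sign(month, day):
    """Sign for a (month, day) pair; days before Jan 20 belong to Capricorn."""
    sign = "Capricorn"
    for m, d, s in _SIGN_STARTS:
        if (month, day) >= (m, d):
            sign = s
    return sign

def entropy_bits(counts):
    """Shannon entropy, in bits, of a distribution given as value -> count."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c)

def surprisal_bits(one_in):
    """Bits of identifying information in a 'one in N browsers' statement."""
    return math.log2(one_in)

def all_days():
    """Constructed population: one person per calendar day of a non-leap year."""
    start = date(2015, 1, 1)
    return [((start + timedelta(days=i)).month, (start + timedelta(days=i)).day)
            for i in range(365)]

def entropy_report():
    """Entropy of birthday, of zodiac sign, and of both together."""
    days = all_days()
    h_birthday = entropy_bits(Counter(days))
    h_sign = entropy_bits(Counter(zodiac_sign(m, d) for m, d in days))
    # The sign is a function of the birthday, so H(both) equals H(birthday):
    # summing the two separately overstates the information by H(sign).
    h_joint = entropy_bits(Counter((m, d, zodiac_sign(m, d)) for m, d in days))
    return {"birthday": h_birthday, "sign": h_sign, "joint": h_joint,
            "naive_sum": h_birthday + h_sign}

def inconsistent_records(records):
    """Group records whose self-reported sign contradicts the birth date.

    records: iterable of (site, user_id, (month, day), claimed_sign).
    Returns {((month, day), claimed_sign): [(site, user_id), ...]} for the
    contradictory pairs only; a rare contradiction that shows up on several
    sites is the cross-site linking signal the post describes.
    """
    linked = {}
    for site, user_id, (month, day), claimed in records:
        if zodiac_sign(month, day) != claimed:
            linked.setdefault(((month, day), claimed), []).append((site, user_id))
    return linked

# Constructed sample: two sites, four self-reported profiles.
SAMPLE_RECORDS = [
    ("site-a", "u1", (2, 18), "Scorpio"),   # contradictory: Feb 18 is Aquarius
    ("site-a", "u2", (2, 18), "Aquarius"),  # consistent, adds nothing
    ("site-b", "x3", (7, 4), "Cancer"),     # consistent
    ("site-b", "x9", (2, 18), "Scorpio"),   # same contradiction as u1 on site-a
]

if __name__ == "__main__":
    rep = entropy_report()
    print("H(birthday)=%.2f  H(sign)=%.2f  H(joint)=%.2f  naive sum=%.2f bits"
          % (rep["birthday"], rep["sign"], rep["joint"], rep["naive_sum"]))
    print("one in 1.42 browsers -> %.2f bits" % surprisal_bits(1.42))
    print("contradictory pairs:", inconsistent_records(SAMPLE_RECORDS))
```

The joint entropy comes out equal to the birthday’s alone (about 8.5 bits), while the naive sum is about 12 bits; that gap is exactly the over-counting a fingerprint report commits when it adds correlated fields. The contradictory pair, by contrast, belongs to a single profile on each site, which is what makes it a linking signal rather than a statistic.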

This is the same situation I described some time ago of people changing their User-Agent string to try to hide, only to create unique (or nearly unique) signatures of their passage.

Also, while Panopticlick will tell you if the browser is doing anything to avoid fingerprinting (how?), it still does not seem to tell you whether any of your extensions are making you more unique. And since it’s hard to tell whether some bit of JavaScript is trying to load a higher-definition picture, or hide pieces of the UI for your small screen, versus telling the server about your browser setup, it is not like they care if you disabled your cookies…

For a more proactive approach to improving users’ privacy, we should ask more browser vendors to do what Mozilla did six years ago and sanitize what their User-Agent content should be. Currently, Android mobile browsers report both the device type and the build number, which makes them much easier to track, even though the suggestion has been, up to now, to use mobile browsers because they look more like each other.

And we should start wondering how much a given browser extension adds to or subtracts from the uniqueness of a session, because I think most of them are currently adding to the entropy, even those that are designed to “improve privacy.”

Artificial regions, real risks

In my last encounter with what I call “artificial regions”, I was complaining about the problems with ping-ponging between the US and Italy, and then moving to Dublin. Those first-world problems are now mostly (but not fully) solved and not really common, so I wouldn’t call them “real” for most people.

What I ignored in that series of posts, though, was the region-locking applied by Big Content providers, particularly in regard to movies, TV series, and so on. This was because it’s a problem that is way too obvious already, and there isn’t much that one can add to it at this point: it has been written about, illustrated and argued over for years by now.

The reason I’m going back to this now, though, is that there has recently been news of yet another scam, to the detriment of the final consumers, connected to a common way of working around artificial region limitations. But first, let me point out the obvious first step: in this post I’m not talking about the out-and-out piracy option of downloading content straight from The Pirate Bay or anything along those lines. I’m instead going to focus on those people who either pay for a service, or want to pay for content, but are blocked by the artificial region set up for content.

I’ll use as my first example Comixology, of which I’m a customer, because I like comics but I travel too much to bring them with me physically, and more importantly they would just increase the amount of things I’d have to move with me if I decided to change place. Unlike many other content providers, Comixology uses multiple regional segregation approaches: your payment card billing address tells you which website you can use, which actually only changes how much you’re paying; the IP you’re coming from tells you which content you can buy. Luckily, they still let you access paid content even if your IP no longer matches the one you could buy it from.

This is not really well documented, by the way. Some time ago they posted on their G+ page that they had opened a deal with a manga distributor so that more content was available; I took the chance to buy a bunch of Bleach issues (but not all of them), as I have not finished watching the anime due to other issues in the past, and I wanted to catch up on my own terms. But a few weeks later, when I wanted to buy more because I had finished the stash… I couldn’t. I thought they had broken off the deal, since there was no reference to it on the website or app, so I gave up… until they posted a sale, and I saw that they did list Bleach, but the link brought me to a “Page not Found” entry.

Turns out they admitted on Twitter that, due to the way the rights for the content go, they are not allowed to sell manga outside of the States, and even though they do validate my billing address (I use my American debit card there) they seem to ignore it and only care about where they think you are physically located at the moment. Which is kinda strange, given that it means you can buy manga from them if you’ve got a European account and just so happen to travel to the United States.

Admittedly, this is by far not something that only happens with this website. In particular, Google Play Movies used to behave this way: you could buy content while abroad, but you would be stopped from downloading it (though if you had it downloaded already, you could still play it). This was unlike Apple, which always tied availability and behaviour to the country your iTunes account was tied to, verified by the billing address of the connected payment card — or alternatively faked and paid for with country-specific iTunes gift cards.

One “easy” way to work around IP-based geographical restrictions is to use VPN services. The original idea of a VPN is to connect multiple LANs, or a remote client to a LAN, in a secure way. While there is some truth to the security of this, lots of it is actually vapourware, due to the many technical hurdles of actually securing a LAN, so much so that the current trend is to not rely on VPNs at all. But then again, VPNs allow you to change where your Internet egress is, which is handy.

A trustworthy VPN is actually a very useful tool, especially if what you’re afraid of is sniffers of your traffic on public WiFi and the like, because now you’re actually only talking with a single (or a limited set of) point(s) of presence (POP) over an encrypted protocol. The keyword here is trustworthy: now, instead of worrying about what people in your proximity could do with your non-encrypted traffic, you have to worry about what the people who manage the VPN, or who are in proximity to the VPN provider, would do with that information.

Even more important, since VPNs are generally authenticated, an attacker that can control or infiltrate your VPN provider can easily tie together all your traffic, no matter where you’re connecting from. This is possibly the sole thing for which Tor is a better option, as there isn’t a single manager for the network — although recent discussions may show that even Tor is not as safe from following a single user as some people kept promising or boasting.

These VPN services end up being advertised either as privacy tools, for the reasons just noted, or as tools against censorship. In the latter case the usual scare is the Great Firewall of China, without considering that there are very few websites that suffer what I’d define as “censorship” on a country level — The Pirate Bay does not count: as much as I think it’s silly and counterproductive to ban access to it, censorship is a word I’d reserve for much more venomous behaviour. Region-locking, on the other hand, as I’ve shown, is pretty heavy, but just saying out loud that you work around region-locking is not really good for business, as it may well be against all the terms of service that people say they accepted.

Here comes the bombshell for most people: yes, VPN services are (for the most part) not managed by angels who want all information in the world to be free. Such “heroes” are mostly created by popular culture and are much rarer than you would think. Painting them as such would be like painting MegaUpload and Kim Dotcom as generous saviours of humanity — which, admittedly, I’ve seen too many people, especially in the Free Software and privacy-conscious movements, do.

VPN services are, for many people, quite profitable. Datacenter bandwidth is getting cheaper and cheaper, while end-user speeds are either capped, or easily capped by the VPN itself. If you make people pay for the service, it’s not going to take that many users to pay for the bandwidth, and then start making profits. And many people are happy to pay for the service, either because it’s still cheaper than accepting the geographical restrictions or because they go for the privacy candy.

On the other hand there are free VPN services out there, so what about them? I’ve been surprised before by self-defined privacy advocates suggesting to the masses to use free VPN services, while at the same time avoiding Dropbox, Microsoft and other offerings with the catchphrase «If you’re not paying for it, you’re the product.» Turns out for free VPN providers, you most definitely are a product.

To use the neologism I so much hate, it’s always interesting to figure out how these providers monetize you, and that’s not always easy, because it may as well be completely passive: they could be siphoning data the same way I described in my previous post, and then use that to target you for more or less legal or ethical interests. Or they could be injecting referral codes when you browse websites with affiliate programs such as Amazon (similarly to how some Chrome extensions used to work, with the difference of being done at the router level) — this is, by the way, one extremely good reason to use HTTPS everywhere, as you can’t do that kind of manipulation on protected pages without fiddling with the certificate.

Or, as it became apparent recently, they may be playing with your egress so that, sure, you are now going to the Internet through some random US person’s address, but at the same time your address is being used for… something else. Which may be streaming a different version of Netflix – e.g. The Big Bang Theory is available on French Netflix but not on the US one – or selling stolen credit card data, or browsing for child porn, or whatever else they care to do.

What’s the bottom line here? Well, it seems obvious that the current regime of rights that imposes region-locking of content is not only unlikely to be helping the content producers (rather than distributors) much – The Pirate Bay content never was region-locked – but it’s also causing harm to people who would otherwise be happy to pay to be able to access it!

I’m not advocating for removing copyright, or that content should be free to all – I may prefer such a situation, but I don’t think it’s realistic – but I would pretty much like for these people to wake up and realize that if I’m ready to give them money, it would be a good thing for them to accept it without putting me at risk more than if I were not to give them money and just pirate the content.

And now go, and uninstall Hola, for universe’s sake!

LOLprivacy, or Misunderstanding Panopticlick for the Worst

So Sebastian posted recently about Panopticlick, but I’m afraid he has not grasped just how many subtleties are present when dealing with tracking by User-Agent and with the limitations of the tool as it is.

First of all, let’s take a moment to realize what «Your browser fingerprint appears to be unique among the 5,207,918 tested so far.» (emphasis mine) means. If I try the exact same request as Incognito, the message is «Within our dataset of several million visitors, only one in 2,603,994 browsers have the same fingerprint as yours.» (emphasis mine). I’m not sure why EFF does not expose the numbers in the second situation, hiding the five million under the word “several”. I can’t tell how they identify further requests from the same browser so as not to count them as a new hit altogether. So I’m not sure what the number represents.

Understanding what the number represents is a major problem, too: consider that even just in his post Sebastian tried at least three browsers, and I tried twice just to write this post — so one thing the number does not count is unique users. I would venture a guess that the number of users is well below a million, and that comes into play for multiple factors: Panopticlick was born in 2010, and if fewer than a million real users hit it in five years, it might not be that statistically relevant.

Indeed, according to the current reading, just the Accept headers would be enough to boil me down to one in four sessions — that would be encoding and language. I doubt it is so clear-cut, as I’m most definitely not one of four people in the UKIE area speaking Italian. A lot of this has to do with the self-selection of “privacy conscious” people who use this tool from EFF.

But what worries me is the reaction from Sebastian and, even more so, the first comment on his post. Suggesting that you can hide in the crowd by looking for a “more popular” User-Agent, or by using a random bunch of extensions and disabling JavaScript or blocking certain domains, is naïve to say the least, and most likely misses and misunderstands the point that Panopticlick tries to make.

The whole idea of browser fingerprinting is the ability to identify a user across a set of sessions — it responds to a similar threat model as Tor. While I already pointed out that I disagree with the threat model, I would like to point out again that the kind of “surveillance” this counters is ideally the one executed by an external entity able to monitor your communications from different source connections — if you don’t use Tor and you only use a desktop PC from the same connection, then it doesn’t really matter: you can just check for the IP address! And if you use different devices, then it also does not really matter, because you’re now using different profiles anyway; the power is in the correlation.

In particular, when trying to tweak the User-Agent or other headers to make them “more common”, you’re dealing with something that is more likely to backfire than not; as my ModSecurity Ruleset shows very well, it’s not so difficult to tell a real Chrome request apart from Firefox masquerading as Chrome, or IE masquerading as Safari: they have different Accept-Encoding values, and other differences in the style of request headers, making it quite straightforward to check for them. And while you could mix up the Accept headers enough to “look the part”, it’s more than likely that you’ll be served bad data (e.g. sdch to IE, or webp to Firefox) and that would make your browsing useless.

More importantly, the then-unique combination of, say, a Chrome User-Agent on an obviously IE-generated request would make it very easy to follow a session aggregated across different websites with a similar fingerprint. The answer I got from Sebastian is not good either: even if you tried to use a “more common” version string, you could still, very easily, create unwanted unique fingerprints; take Firefox 37: it started supporting the alt-svc extension to use HTTP/2 when available, so if you were to report your browser as Firefox 28 and it then followed alt-svc, it would clearly be a fake version string, and again an easy one to follow. Similar version-dependent request fingerprinting, paired with a modified User-Agent string, would make you light up like a Christmas tree during Earth Day.
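As an added example of the server-side consistency check described above (my own illustration, not the author’s ModSecurity Ruleset), the following Python flags a request whose User-Agent claims one browser family while its Accept and Accept-Encoding headers carry the traits of another. The header profiles are constructed approximations of what mid-2015 Chrome, Firefox and IE sent, and the sample requests are constructed too.

```python
# Header profiles are constructed approximations of mid-2015 desktop browsers,
# not the author's ModSecurity ruleset: Chrome advertised "sdch" in
# Accept-Encoding and "image/webp" in Accept; Firefox and IE did neither.
PROFILES = {
    "chrome":  {"sdch": True,  "webp": True},
    "firefox": {"sdch": False, "webp": False},
    "msie":    {"sdch": False, "webp": False},
}

def claimed_family(user_agent):
    """Which browser family the User-Agent string claims to be."""
    if "Trident/" in user_agent or "MSIE " in user_agent:
        return "msie"
    if "Firefox/" in user_agent:
        return "firefox"
    if "Chrome/" in user_agent:
        return "chrome"
    return "unknown"

def _tokens(header_value):
    """Split a comma-separated header into lower-case tokens, dropping q= params."""
    return {t.strip().split(";")[0].lower() for t in header_value.split(",") if t.strip()}

def observed_traits(headers):
    """Traits actually present in the request, independent of what the UA claims."""
    encodings = _tokens(headers.get("Accept-Encoding", ""))
    accept = _tokens(headers.get("Accept", ""))
    return {"sdch": "sdch" in encodings, "webp": "image/webp" in accept}

def header_mismatches(headers):
    """Names of traits that contradict the claimed family (empty list = consistent)."""
    family = claimed_family(headers.get("User-Agent", ""))
    if family not in PROFILES:
        return []
    expected = PROFILES[family]
    observed = observed_traits(headers)
    return sorted(t for t in expected if expected[t] != observed[t])

# Constructed sample requests (header values are illustrative, not captured).
CHROME_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36")
FIREFOX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0"
CHROME_ACCEPT = "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
FIREFOX_ACCEPT = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
SAMPLE_REQUESTS = {
    "genuine chrome": {
        "User-Agent": CHROME_UA,
        "Accept": CHROME_ACCEPT,
        "Accept-Encoding": "gzip, deflate, sdch",
    },
    "genuine firefox": {
        "User-Agent": FIREFOX_UA,
        "Accept": FIREFOX_ACCEPT,
        "Accept-Encoding": "gzip, deflate",
    },
    # Firefox with only its User-Agent swapped for Chrome's; the other headers
    # still carry Firefox's traits, which is what gives the swap away.
    "firefox masquerading as chrome": {
        "User-Agent": CHROME_UA,
        "Accept": FIREFOX_ACCEPT,
        "Accept-Encoding": "gzip, deflate",
    },
}

def audit(requests):
    """Map each sample name to the list of traits that contradict its User-Agent."""
    return {name: header_mismatches(h) for name, h in requests.items()}

if __name__ == "__main__":
    for name, mismatches in audit(SAMPLE_REQUESTS).items():
        verdict = "consistent" if not mismatches else "mismatch on " + ", ".join(mismatches)
        print("%-32s %s" % (name, verdict))
```

The point the check makes is the one above: a spoofed User-Agent that leaves the rest of the request untouched does not blend in, it produces a combination that is rarer than either genuine browser, and a server that logs the mismatch has a better tracking key than the truthful string would have given it.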

There are more problems though: the suggestion of installing extensions such as AdBlock also adds to the fingerprint rather than removing from it; as long as JavaScript is allowed to run, it can detect AdBlock’s presence, and with a bit of work you can identify the presence of one out of the set of different blocking lists, too. You could use NoScript to avoid running JavaScript at all, but given this is by far not something most users do, it will also add to the entropy of your browser’s fingerprint, not remove from it, even if it prevents client-side fingerprinting from accessing things like the list of available plugins (which in my case is not that common, either!)

But even ignoring the fact that Panopticlick does not try to identify the set of installed extensions (finding Chrome’s Readability is trivial, as it injects content into the DOM, and so do a lot more), there is one more aspect it almost entirely ignores: server-side fingerprinting. Besides not trying to correlate the purported User-Agent against the request fingerprint, it does not seem to use a custom server at all, so it does not leverage TLS handshake fingerprints! As can be seen through Qualys’ analysis, there are some almost-unique handshake sequences on a given server depending on the client used; while this does not add much more data when matched against a vanilla User-Agent, a faked User-Agent and a somewhat rarer TLS handshake would be just as easy to track.

Finally, there is the problem with self-selection: Sebastian blogged about this while using Firefox 37.0.1, which had just been released, and tested with that; I assume he also had the latest Chrome. While Mozilla increased the rate of release of Firefox, Chrome definitely has a very hectic one, with many people updating all the time. Most people wouldn’t go to Panopticlick every time they update their browser, so two entries that are exactly the same apart from the User-Agent version would be reported as unique… even though it’s most likely that the person who tried two months ago has updated since, and now has the same fingerprint as the person who tried recently with the same browser and settings.

Now this is a double-edged sword: if you rely on the User-Agent to track someone across connections, an ephemeral User-Agent that changes every other day due to updates is going to disrupt your plans quickly; on the other hand, lagging behind or jumping ahead on the update train for a browser would make it more likely for you to have a quite unique version number, even more so if you’re tracking beta or developer channels.

Interestingly, though, Mozilla has thought about this before: their Gecko user agent string reference shows which restricted fields are used, and references the bugs that disallowed extensions and various software from injecting into the User-Agent string — funnily enough, I know of quite a few badware cases in which a unique identifier was injected into the User-Agent for fake ads and other similar websites to recognize a “referral”.

Indeed, especially on mobile, I think that User-Agents are a bit too liberal with the information they push: not only do they include the full build number of the mobile browser such as Chrome, but they usually include the model of the device and the build number of the operating system. Do you want to figure out if a new build of Android is available for some random device out there? Make sure you have access to HTTP logs for big enough websites and look for new build IDs. I think that in this particular sub-topic, Chrome and Safari could help a lot more by reducing the amount of detail about the engine version as well as the underlying operating system.
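As an added illustration (not from the original post), this Python picks apart a mobile User-Agent string to show which fields pin down a single device or install, and what a sanitized string in the spirit of Mozilla’s restricted fields would keep. The two sample strings are constructed in the formats Chrome and Firefox used on Android at the time; the device model and build ID in them are illustrative values.

```python
import re

def parse_mobile_ua(user_agent):
    """Pull the fields a mobile User-Agent exposes into a dict.

    Only the first parenthesised group (the platform token) is examined for
    OS, device and build; the product tokens after it are searched for the
    browser name and version.
    """
    fields = {}
    match = re.search(r"\(([^)]*)\)", user_agent)
    platform = [t.strip() for t in match.group(1).split(";")] if match else []
    for token in platform:
        if token.startswith("Android "):
            fields["os_version"] = token[len("Android "):]
        elif " Build/" in token:
            model, build = token.split(" Build/", 1)
            fields["device_model"] = model.strip()
            fields["build_id"] = build.strip()
    product = re.search(r"\b(Chrome|Firefox)/([\d.]+)", user_agent)
    if product:
        fields["browser"] = product.group(1)
        fields["browser_version"] = product.group(2)
    return fields

def identifying_fields(fields):
    """Fields that single out a device or install beyond 'this browser on Android'."""
    found = [name for name in ("device_model", "build_id") if name in fields]
    # A four-part version such as 42.0.2311.111 pins the exact build; "37.0" does not.
    if fields.get("browser_version", "").count(".") >= 2:
        found.append("full_browser_version")
    return found

def sanitize(fields):
    """What a vendor could send instead: OS version, browser and major version only."""
    kept = {k: v for k, v in fields.items() if k in ("os_version", "browser")}
    if "browser_version" in fields:
        kept["browser_version"] = fields["browser_version"].split(".")[0]
    return kept

# Constructed sample strings in the formats Chrome and Firefox used on Android in 2015.
CHROME_ANDROID_UA = ("Mozilla/5.0 (Linux; Android 5.1; Nexus 5 Build/LMY47I) "
                     "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Mobile Safari/537.36")
FIREFOX_ANDROID_UA = "Mozilla/5.0 (Android 5.1; Mobile; rv:37.0) Gecko/37.0 Firefox/37.0"

if __name__ == "__main__":
    for ua in (CHROME_ANDROID_UA, FIREFOX_ANDROID_UA):
        fields = parse_mobile_ua(ua)
        print(fields)
        print("  identifying:", identifying_fields(fields))
        print("  sanitized:  ", sanitize(fields))
```

Run on the two samples, the Chrome string yields three fields (device model, OS build ID and the full four-part browser version) that the Firefox string does not expose at all, which is the gap between the two vendors’ policies that the paragraph above complains about.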

So, for my parting words, I would like to point out that Panopticlick is a nice proof-of-concept that shows how powerful browser fingerprinting is, without having to rely on tracking cookies. I think lots of people both underestimate the power of fingerprinting and overestimate the threat. From one side, because Panopticlick does not have enough current data to make it feasible to evaluate the current uniqueness of a session across the world; from the other, because you get the wrong impression that if Panopticlick can’t put you down as unique, you’re safe — you’re not, there are many more techniques that Panopticlick does not think of trying!

My personal advice is to stop worrying about the NSA and instead start safekeeping yourself: using click-to-play for Flash and Java is good prophylaxis for security, not just privacy, and NoScript can be useful too, in some cases, but don’t just kill everything on sight. Even using the Data Saver extension for non-HTTPS websites can help (unfortunately I know of more than a few blocking it, and then there is the problem with captive portals bringing it to be clear-text HTTP too).

Siphoning data on public and private WiFi

So you may remember I have been reviewing some cyber-thrillers in the past, and some of them have been pretty bad. After that I actually thought I could write one myself; after all, it couldn’t be as bad as Counting from Zero. Unfortunately the harsh reality is that I don’t know enough diverse people out there to build up new, interesting but most importantly realistic characters. So I shelved the project completely.

But at the same time, I spent a lot of time thinking of interesting things that may happen in a cyber-thriller that fit more into my world view — while Doctorow will take on surveillance, and Russinovich battles terrorists armed with Windows viruses, I would have put my characters in to deal with the more mundane variety of cyber criminals.

One of the things I thought about is a variant on an old technique called wardriving. While this is not a new technique, I think there are a few interesting twists, and it would be a little too interesting a tool for low-lifes with a little (not a lot) of computer knowledge.

First of all, when wardriving started as what became a fad, the wireless networks out there were vastly unencrypted and for the most part underutilized. Things changed: now, thanks to WPA, a simple pass-by scan of a network does not give you as much data, and changes in the way wireless protocols are implemented have, for a while, made the effort hard enough.

But things changed over time, so what is the current situation? I had been thinking of how many things you could do with persistent wardriving, but it wasn’t until I got bored out of my mind in a lounge at an airport that I was able to prove my point. On my own laptop, in a totally passive mode, invisible to any client on the network, a simple tcpdump or Wireshark dump would show a good chunk of information.

For the most part not something highly confidential — namely, I was not able to see anything being sent by the other clients of the network, but I was able to see most of the replies coming from the servers; just monitor DNS and clear-text HTTP and you can find a lot of information about who’s around you.

For instance I could tell that there was another person in the lounge waiting for the same flight as me — as they were checking the RTE website, and I doubt any person not Irish or not connected with Ireland would spend time there. Oh and the guy sitting in front of me was definitely Japanese, because once he sat down I could see the replies back from yahoo.co.jp and a few more websites based in Japan.

Let me be clear, I was not doing that with the intention of doxxing somebody. I originally started tcpdump because one of my own servers was refusing me access — the lounge IP range is in multiple DNSBL, I was expecting the traffic on the network to be mostly viruses trying to replicate. What I found instead was that the access point is broadcasting to all connected clients the replies coming in for anyone else. This is not entirely common: usually you need to set your wireless card in promiscuous mode, and many cards nowadays don’t even let you do that.

But if this is the small fry of information I can figure out by looking at a tcpdump trace in a few minutes, you can imagine what you can find if you can sniff a network for a few hours. But spending a few hours tracing a network in the coffee shop at the corner could be suspicious. How can you make it less obvious? Well, here’s an interesting game, although I have not played it except in my own stories’ drafts.

There are plenty of mobile WiFi devices out there — they take a SIM card and then project a WiFi signal for you to connect your devices to. I have one by Vodafone (although I use it with a bunch of different operators depending on where I’m traveling), and it is very handy, but while it runs Linux I did not even look for the option of rooting it. These are pretty common to find on eBay, second hand, because sometimes they essentially come free with the contract, and people upgrade them fairly often as new features come up. Quite a few can run OpenWRT.

These devices come with a decent battery (mine easily lasts a whole day of use), and if you buy them second hand they are fairly untraceable (does anybody ever record the IMEI/serial number of the devices they sell?), and are ready to connect to mobile networks (although that’s trickier, as the SIM is easier to trace). Mine actually comes with a microSDHC slot, which means you can easily fit a very expensive 128GB microSD card if you want.

Of course it relies a lot on luck and the kind of very broad fishing net that makes it unfeasible for your average asshole to use, but there isn’t much needed — just a single service that shows you your plaintext password on a website, to match to a username, as most people will not use different passwords across services, with very few exceptions.

But let’s make it creepier – yes, I’ll insist on making my posts about what I perceive to be a more important threat model than the NSA – instead of playing this in a random coffee shop at the corner, suppose you are looking into a specific someone’s private life, and you’re close enough that you know or can guess their WiFi access point name and password: dropping one of these devices within WiFi reach is not difficult at all.

The obvious question becomes what you can find with such a trace. Well, in no particular order, you can tell the routine of a person quite easily by figuring out which time of the day they are at home (my devices don’t talk to each other that much when I’m not at home), what time they get up for work, and what time they are out of the door. You can tell how often they do their finances (I don’t go to my bank’s site every day, much less often the revenue’s). For some of the people out there you can tell when they have a private moment and what their interests are (yes, I admit I went and checked: even assuming you can only see the server response, you can still tell the title of the content that is being streamed/downloaded). You can tell if they are planning a vacation, and in many cases where. You can tell if they are going to see a movie soon.

Creepy enough? Do I need to paint you a picture of that creepy acquaintance that you called in last week to help you set up your home theater, and to which you gave the WiFi password so he could Google up your provider’s setup guide?

How do you defend from this? Well, funnily enough, a lot of the things people had been talking about before the “Snowden Revelations” help a lot with this: HTTPS Everywhere and even Tor help. While the latter gives you a different set of problems (it may be untraceable, but that does not mean it’s secure!), it does obfuscate the data flow out of your network. It does not hide the traffic patterns (so you can still tell when people are in or not, when they wake up, and so on), but it does hide where you’re going, so that your private moments stay private. Unfortunately it is out of the reach of most people.

HTTPS is a compromise: you can’t tell exactly what’s going on, but if your target is going to YouPorn, you can still tell by the DNS reply. It does reduce the attack surface considerably, though, and does not require much technical knowledge on the client side. It’s for reasons like this that service providers should use HTTPS — it does not matter if the NSA can break the encryption, your creepy guy is not the NSA, and small parts of the creepy guy’s plan are thwarted by it: the logs can show the target visited the website of a movie theatre chain, but can’t show the replies from the server with the name of the branch or the movie the target was interested in.

What is not helping us here, right now, with the creepy guys that are so easy to come by, is the absolute paranoia of the security and cryptography community. Dark email? Secure text messaging? They are definitely technologies that need to be explored and developed, but they should not be the focus of the threat model for the public. In this I totally agree with Mickens.

I was (and a bit am) scared about writing about this, it makes me feel creepy. It gives a very good impression of how easy it is to abuse a bit of technical knowledge to become a horrible person. And with the track record of the technical circle in the past few years, it does scare the hell out of me, pardon the language.

While the rest of the security and technical community keeps focusing on the ghost of the NSA, my fears are in the ease of everyday scams and information leaks. I was not surprised by what the various secret agencies out there wanted to do; after all, we’ve seen the movies and the TV series. I was surprised by a few of the tools and reaches, but not by the intentions. But the abuse of power? There’s just as much of it outside of the surveillance community; it’s just that the people who know don’t care – they focus on theoretical problems, on the Chief World Systems, because that’s where the fun and satisfaction is – and the people who are at risk either believe everything is alright, or that everything is not alright; they listen to what the media has to say, and the media never paints useful pictures.

Again on threat models

I’ve read many people over the past few months referencing James Mickens’s article on threat models. Given I wrote last year about a similar thing in regard to privacy policies, one would expect me to fall in line with said article fully. They would be disappointed.

While I agree with the general gist of the article, I think it gets a little too simplistic. In particular it downplays a lot the importance of protecting yourself against two separate classes of attackers: people close to you, and people who may be targeting you even if you don’t know them. These do seem at first sight to fit in with Mickens’s categories, but they go a little further than he describes. And by painting the categories as “funny” as he did, I think he’s undermining the importance of security.

Let’s start with the first threat model that the article points out in the “tl;dr” table:

Ex-girlfriend/boyfriend breaking into your email account and publicly releasing your correspondence with the My Little Pony fan club

Is this a credible threat? Not really, but if you think about it a little more you can easily see how this can morph into a disgruntled ex breaking into your computer/email/cloud account and publicly releasing nude selfies as revenge porn. Now it sounds a little more ominous than being outed as a fan of My Little Pony, doesn’t it? And maybe you’ll call me sexist for pointing this out, but I think it would be hypocritical not to point out that women are much more vulnerable to this particular problem.

But it does not strictly have to be an ex; it may be any creepy guy (or gal, if you really want to go there) who somehow gets access to your computer or guesses your “strong” password. It’s easy to blame the victim in these situations but that’s not the point; there are plenty of people out there ready to betray the trust of their acquaintances — and believe me, people trust other people way too easily, especially when they are looking for a tech-savvy friend-of-a-friend to help them fix their computer. I have been that tech-savvy friend-of-a-friend, and it didn’t take many of the usual recovery jobs to realize how much trust is involved.

The second “threat model”, which is easily discounted, is described as:

Organized criminals breaking into your email account and sending spam using your identity

The problem with a description like this is that it’s too easy for people to discard it with “so what?” People receive spam all the time, why would it matter whose identity it’s sent as? Once again, there are multiple ways to rephrase this to make it more ominous.

A very simple option is to focus on the monetary problem: organized criminals breaking into your email account looking for your credit card details. There are still plenty of services that will request your credit card number by email, and even my credit card company sends me the full 16-digit number of my card on the statements. When you point out to people that the criminals are not just going to bother a random stranger, but are actually going after their money, they may care quite a bit more.
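To make the “looking for your credit card details” scenario concrete, here is an added example (not code from the original post) of how little effort it takes, once someone has read access to a mailbox, to pull out every card number mentioned in statements and messages. The mailbox content is constructed for the example; the card numbers are the well-known industry test numbers, not real cards. The last function shows what the statement should have contained instead.

```python
import re

# Constructed sample mailbox: the kind of messages an attacker with access
# to a webmail account would see. None of this is real data.
SAMPLE_MAILBOX = [
    "Your statement for card 4111 1111 1111 1111 is attached. Balance: EUR 1,234.56",
    "Hi, please email me the full number so I can book the hotel: 5500-0000-0000-0004 exp 12/26",
    "Order confirmation #1234567890123456 shipped today",
    "Call me on +353 1 234 5678 when you land",
]

# Runs of 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: the same check every payment form runs before submitting."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def harvest_card_numbers(messages):
    """Return every Luhn-valid card number found in the given message bodies.

    The Luhn check is what separates real card numbers from order IDs,
    tracking numbers and phone numbers that merely look similar.
    """
    found = []
    for body in messages:
        for match in CANDIDATE_RE.finditer(body):
            digits = re.sub(r"[ -]", "", match.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """What a statement should print: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]


if __name__ == "__main__":
    for pan in harvest_card_numbers(SAMPLE_MAILBOX):
        print(pan, "->", mask_pan(pan))
```

The order-confirmation number in the third message is the kind of false positive a naive regex produces; the Luhn check drops it, which is exactly why an attacker bothers with it too.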

Again, this is not all there is, though. For a security or privacy specialist to ignore the issue of targeted attacks such as doxxing, which feed the harassment campaigns that are all the rage these days, is at the very least irresponsible. And that does not involve only the direct targets of harassment: the protection of even the most careful person is only as strong as that of the people they have around, because we trust them, with information, with access, and so on.

Take for instance Facebook’s “living will” for users — if one wanted to harass some person, but their security was too strong, they could go after their immediate family, hoping that one of them would have the right access to close the account down. Luckily, I think Facebook is smarter than this, and so it should not be that straightforward, but many people also use family members’ addresses as recovery addresses in case they lose access to their own account.

So with all this in mind, I would like to point out that at the same time I agree and disagree with Mickens’s article. There are way too many cryptographers out there that look into improbable threat models, but at the same time there are privacy experts that ignore what the actual threats are for many more users.

This is why I don’t buy into the cult of personality of Assange, Snowden or Appelbaum. I’m not going to argue that surveillance is a good thing, nor am I going to argue that there are no abuses ever – I’m sure there are – but the focus over the past two years has been so much more on state action than on malicious actors like those I described earlier.

I already pointed out how privacy advocates are in love with Tor and ignore the bad behaviours it enables, and once again I do wonder why they are more concerned about the possibility of obscure political abuses of power, rather than the real and daily abuse of people, most likely a majority of them women.

Anyway, I’m not a thought leader, and my opinions are strictly personal — but I do think that the current focus on protecting the public from possibly systemic abuse by impersonal organisations such as the NSA is overshadowing the importance of protecting people from those they are most vulnerable to: the people around them.

And let’s be clear: there are plenty of things that the crypto community can and should do to protect people in these situations. HTTPS, for instance, is extremely important, as it does not take a huge effort for a disgruntled ex on the same WiFi to figure out how to snoop cleartext traffic and pick up the odd password or piece of information that could lead to a break-in.
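As an added example (not code from the original post) of why that is not a huge effort, the snippet below does the attacker’s side of the job on the client half of a captured TCP stream: it splits cleartext HTTP requests, decodes Basic authentication, lifts session cookies, and pulls password-like fields out of form posts. The two streams are constructed for the example, with the hostname, user and password being placeholders. The same bytes over HTTPS start with a TLS record header and carry none of this in the clear, which is what the last function distinguishes.

```python
import base64
from urllib.parse import parse_qs

# Constructed capture: what a passive sniffer on the shared WiFi sees of a
# cleartext webmail login followed by an authenticated request. Not real traffic.
_LOGIN_BODY = b"user=alice&password=hunter2%21"
CLEARTEXT_STREAM = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: webmail.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: %d\r\n\r\n" % len(_LOGIN_BODY)
    + _LOGIN_BODY
    + b"GET /inbox HTTP/1.1\r\n"
    b"Host: webmail.example.com\r\n"
    b"Authorization: Basic " + base64.b64encode(b"alice:hunter2!") + b"\r\n"
    b"Cookie: session=abc123\r\n\r\n"
)

# Constructed TLS stream: a record header (type 0x16 handshake, version 3.x)
# followed by opaque handshake bytes. Nothing below can be read out of it.
TLS_STREAM = b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + bytes(range(32)) + b"\x00\x00\x02\x13\x01\x01\x00"

SECRET_FIELDS = {"password", "passwd", "pass", "pwd", "token", "otp"}
USER_FIELDS = {"user", "username", "email", "login"}


def split_requests(stream: bytes):
    """Yield (request_line, headers, body) for each HTTP request in the stream."""
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = end + 4
        body_len = int(headers.get("content-length", "0"))
        yield lines[0], headers, stream[body_start:body_start + body_len]
        pos = body_start + body_len


def extract_credentials(stream: bytes):
    """Everything a cleartext HTTP stream hands to anyone who can see it."""
    found = []
    for _request_line, headers, body in split_requests(stream):
        host = headers.get("host", "?")
        auth = headers.get("authorization", "")
        if auth.lower().startswith("basic "):
            try:
                user, _, secret = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
                found.append({"host": host, "kind": "basic-auth", "user": user, "secret": secret})
            except ValueError:          # malformed base64: skip, keep going
                pass
        if "cookie" in headers:         # a session cookie is as good as a password
            found.append({"host": host, "kind": "cookie", "user": None, "secret": headers["cookie"]})
        if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            fields = parse_qs(body.decode("latin-1"))
            user = next((v[0] for k, v in fields.items() if k.lower() in USER_FIELDS), None)
            for name, values in fields.items():
                if name.lower() in SECRET_FIELDS:
                    found.append({"host": host, "kind": "form:" + name, "user": user, "secret": values[0]})
    return found


def looks_like_tls(stream: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake) and major version 3."""
    return len(stream) >= 3 and stream[0] == 0x16 and stream[1] == 0x03


if __name__ == "__main__":
    for cred in extract_credentials(CLEARTEXT_STREAM):
        print(cred)
    print("TLS stream readable:", bool(extract_credentials(TLS_STREAM)))
```

Run on the cleartext capture it returns the form password, the Basic credentials and the session cookie; on the TLS stream it returns nothing, because there is no HTTP to parse until the session keys are known.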

Just think twice, next time you decide to rally people up against a generic surveillance-society phantom, or even to support the EFF — I used to, I don’t currently, and while I agree they have done good things for people, I do find they are focusing on the wrong threats.

Privacy Theatre

I really wish I could take credit for the term, but Jürgen points out he coined it way before me, in German: Datenschutztheater. I still like to think that the name fits many behaviours I see out there, and it’s not a coincidence that it sounds like the way we think of the TSA’s rules at airports: security theatre.

I have seen lots and lots of people advocating for 100% encryption of everything, hiding information, and all kinds of (in my opinion) overly paranoid suggestions for everybody, without understanding any threat model at all, and completely forgetting that your online privacy is only a small part of the picture.

I have been reminded of this as I proceeded to sort out my paperwork here in Dublin, which had started piling up a little too much. My trick is the same one I used in Italy too: scan whatever is important to keep a copy of, and unless the original is required for anything, destroy the hard copy. I don’t trash it, I destroy it. I include anything that has my address on it, and when I destroy it with my personal shredder, I always make sure to include enough “harmless” papers in the mix to make it more difficult to filter out the parts that looked important.

As I said in my previous post, I’m not worried about “big” corporations knowing things about me, like Tesco knowing what I like to buy. I find it useful, and I don’t have a problem with that. On the other hand, I would have a problem if anybody wanting to attack me directly decided to dumpster-dive me.

Another common problem I see that I categorize as Privacy Theatre is the astounding lack of what others would call OpSec. I have seen plenty of people at conferences, even in security training, using their laptop without consideration for the other people in the room, and without any sort of privacy screen. At one past conference I saw mail admins from a provider that will go unnamed working on production issues right in front of my eyes: if I had had mischievous intent I would have learnt quite a bit about their production environment.

Yes, I know that the screens are a pain, that you have to keep taking them in and out, and that they take away some of the visual space on your monitor. For my personal laptop I went for a gold privacy screen by 3M, which is bearable to use even if you don’t need it, as long as you don’t need to watch movies on your laptop (I don’t; the laptop’s display is good, but I have a TV and a good monitor for that).

But there are tons of other, smaller pieces that people who insist they are privacy advocates really don’t seem to care about. I’m not saying that you should be paranoid; actually, I’m saying the exact opposite: try not to be the paranoid person who wants everything encrypted without understanding why. In most cases, Internet communication does indeed need to be encrypted. And you want to encrypt your important files if you put them in the cloud. But at the same time there are things you don’t really care about that much, and you’re just making your life miserable because of the Crypto-Gods, while the same energy could be redirected to save you from more realistic petty criminals.