Threat models: the sushi place’s static website

At the USENIX Security Symposium 2017, Adrienne Porter Felt and April King gave a terrific presentation about HTTPS adoption and in particular showed the problems related with the long tail of websites that are not set up, or at least not set up correctly. After the talk, one of the people asking questions explicitly said that there is no point for static websites such as the one of the sushi place down the road to use HTTPS. As you can imagine, many of the people in the room (me included) disagree with this opinion drastically, and both April and Adrienne took issue with that part of the question.

At the time on Twitter, and later that day while chatting with people, I brought up the example of Comcast injecting ads on cleartext websites – a link that itself is insecure, ironically – and April also pointed out that this is extremely common in East Asia too. A friend once complained about unexpected ads when browsing on a Vodafone 4G connection, which didn’t appear on a normal WiFi connection, which is probably a very similar situation. While this is annoying, you can at least guess what these ISPs are doing is benign, or at least not explicitly malicious.

But you don’t have to be an ISP in the common sense to be able to inject into non-HTTPS websites. You can for instance have control over a free WiFi connection. It does not even have to be a completely open, unencrypted WiFi, as whoever has control of the system routing a WPA connection is also able to make changes to the data passed through that connection. That usually means either the local coffee shop, or the coffee shop’s sysadmin, MSP, or if you think you’re smart, your VPN provider.

Even more importantly, all these websites are the targets for DNS hijackers, such as the one I talked about last year. Unsecured routers where it’s not possible to get a root shell – which are then not vulnerable to worms such as Mirai – can still have their DNS settings hijacked, at which point the attacker has space to redirect the resolution of some of the hostnames.

This is even more trivial in independent coffee shops. Chains (big and small) usually sign up with a managed provider that set up various captive portals, session profiling and “growth hacks”, but smaller shops often just set up a standard router with their DSL and in many cases not even change the default passwords. And since you’re connecting from the local network, you don’t even need to figure out how to exploit it from the WAN.

It does not take a particularly sophisticated setup to check whether the intended host supports HTTPS, and if it does not, it’s trivial to change the IP and redirect to a transparent proxy that does content injection, without the need for a “proper” man in the middle of the network. DNSSEC/DANE could protect against it, but that does not seem to be something that happens right now.

These are all problems to the end users of course, rather than the problems of the Sushi restaurant, and I would not be surprised if the answer you would get from some of the small shops operator is that these problems should be solved by someone else and they should not spend time to figure it out themselves, as they don’t directly cause a problem to them. So let me paint a different picture.

Let’s say that the Sushi restaurant has unfriendly competition, that is ready to pay some of those shady DNS hijackers to particularly target the restaurant’s website to play some tricks. Of course everything you can do at this point through content injection/modification you can do by defacing a website, and that would not be stopped by encrypting the connection, but that kind of defacement is usually significantly simpler to notice, as every connection would see the defaced content, including the owner’s.

Instead, targeting a subset of connections via DNS hijacking makes it less likely that it’ll be noticed. And at that point you can make simple, subtle changes such as providing the wrong phone number (to preclude people from making reservation), changing the opening hours to something that makes it unwelcoming or even change the menu so that the prices look just high enough not to make it worth visiting. While these are only theoretical, I think any specialist who tried to do sysadmin-for-hire jobs for smaller local business has at least once heard them asking for similarly shady (or worse) tasks. And I would be surprised if nobody took these opportunities.

But there are a number of other situations in which a non-asserted content integrity can be interesting to attackers in subtle ways, even for sites that are static, not confidential, and even not controversial — I guess everybody can agree that adult entertainment websites need to be encrypted. For instance, you could undercut referral revenue by replacing the links to Amazon and other referral programs with alternative ones (or just dropping the referral code). You could technically do the same for things like AdSense, but most of those services would check where the code is embedded in and make it very easy to figure out these types of scams, the referral programs are easier to play around with.

What this means is that there are plenty of good reasons to actually spend time making sure small, long-tail websites are actually available over HTTPS. And yes, there are some sites where the loss of compatibility is a problem (say, VideoLAN, that still gets users of Windows XP). But in this case you can use conditional redirects, and only provide the non-HTTPS connection to users of very old browsers or operating systems, rather than still keeping it available to anyone else.

Laptop ban, and threat models

At some point this past month, the USA has been talking about banning laptops in cabin luggage, from flight coming from Europe as well as the Middle East, where such a ban is already in effect. This appears to have been reversed just a week later, so it may not be quite a problem right now.

Many words have been spent already to point out how pointless, unsafe, and ultimately futile this ban is from the stated reasons, and the security risks connected with the Government (capital G because this is mostly an abstract at this point) having access to your laptop without your presence, so I won’t be spending any time for that. I may come back to talking about practical security aspects, including mitigation, later, but for this post, I’m mostly interested in talking about the threat modeling, which should always be at the base of security practice, but often it isn’t.

Let’s handwave the first bullet point, and assume that anyone with the means who want to mess with you, either actively (attacking you) or passively (monitoring you), can take over your laptop against you if they have physical access. Any laptop, and an amount of time that is consistent with the time the laptop is out of your control in a situation such as checking it in a flight. As I said this has been discussed and is being discussed, and it’s not the kind of thing that I’m interested in talking about.

The question I want to ask is: who should be worried about their laptops? Everybody or a limited public? And to answer this question, I will use three straw travellers, and give examples of why all three of these should care about this particular problem, even though it may not appear so at first. These actors are drawn upon the information I have about myself, my sister, and my brother in law, because the three of us have an interesting different set of problems and fit widely different categories.

So there is me, working for a multinational company that, in its entirety, has access to a significant user base and personally-identifiable information (PII) (although I don’t have access to much of that, luckily for me). My sister, who works for a small, local company in Italy, that used to have PII from the local government, but at most nowadays has access to clothing and accessory manufacturers model and price information. And my brother in law, that works in the sales department for a different kind of multinational company, in a specific industrial manufacturing sector, holding a number of patents on their technologies.

Is every government interested in the three of us equally? I think it’s clear it’s not the case. The United States, with their current government being worse than the twenty years of Berlusconi we had in Italy, is moving further and further away from a democracy, and then having the ability to target people based on profiling that can only be done with PII no company in their sane mind would ever surrender them short of a hostile takeover, would probably be interested in me. Either because my laptop could contain, or be used to gather, credentials to access said PII, or because through me they can work their way through to more interesting targets.

Would they care about either my sister or my brother in law? Probably only if they knew the connection and were planning on getting me indirectly, which I would expect they wouldn’t do, as I’m too little a number in the organization for me to be worth that amount of time. Getting me first hand, sure, through third parties? Probably not. It would then be easy to discount the problem: who cares, if you’re a possible target of the US government, use burner laptops, if you’re not, check in your laptop and stop complaining! Except.

Except you can imagine a different government, say one that people have been very sceptical about because they tend to have a heavy hand on both their local and export market, and that has been suggested plays a role in industrial espionage on foreign companies. Such a government may actually be interested in my brother in law’s computer. While he doesn’t work on the technology himself any more, he probably gets to know about launches, new sale and, most importantly, prices they apply to their customers. If the government is out to make money, rather than profile people, he’s a target.

But governments, usually, play by some rules. Well, maybe not the US government this year, but even the TSA would have some regard about which luggage gets inspected, and how the content of said luggage is treated. My checked in luggage got inspected multiple times (because I flew a whole lot too much across the states these past few years), and they never broke or misplaced anything. In one case they actually repacked my bag better than I did myself, and I felt bad to have to empty it out to take my charger out.

What I would be more worried about is the baggage handling on the European airport side. It was in the 90s that Venice Marco Polo had a huge problem with theft from the checked in luggage, but my mother is still afraid of that and upset, because she lost a number of souvenirs from her trip to Madrid (back when such a trip was worth a lot more money, and she would get it as a prize for selling Avon products). But if valuable laptops are in the checked luggage, would you not expect this to happen again? This is something that everybody risks being a target of. But of course it is very obvious and easy to notice and possibly make right.

What if there are criminals among the baggage handlers that are more sophisticated than that, and can actually use techniques similar to the government’s to subvert your laptop? We have seen this happening already with the WannaCry attack just now, this is more than just possible. But of course just a ransomware in this case would be a lot of wasted effort and just as visible as the pure theft.

But what about criminals who may be looking for making much more money from CEO fraud? This kind of fraud is not new, and it’s spread enough, and can make quite a bit of money. In this case, the laptop of someone working in sales for a medium-sized multinational company, or someone working for a small company that contracts out for a much bigger fashion accessory company would be very interesting. Among other things, they are likely to let them in on the conversation happening with customers, and from there to understand their workflow of purchase orders and invoices… and if you just wait enough time between the travel and the scam, it’s going to be very hard to detect.

With these criminals, both my sister and my brother in law are targets, myself a significant amount less, because I work in the engineering department, and thus I have no access whatsoever to purchase orders and similar. Having an invoice arrive from me would raise all the possible red flags and give the criminals away immediately.

Now, there are of course more stereotypes or templates of people, and I’m sure that I can find one where storing a laptop in the checked luggage does not, actually, cause a significant risk. But my first impressions of having thought about this is that we should all be careful, and paranoid, about this particular attack vector, even more so than about end-to-end encrypted messaging, which has instead taken over the conversation for the past year.

Let’s have a talk about TOTP

You probably noticed that I’m a firm believer in 2FA, and in particular on the usefulness of U2F against phishing. Unfortunately not all the services out there have upgraded to U2F to protect their users, though at least some of them managed to bring a modicum of extra safety against other threats by implementing TOTP 2FA/2SV (2-steps verification). Which is good, at least.

Unfortunately this can become a pain. In a previous post I have complained about the problems of SMS-based 2FA/2SV. In this post I’m complaining about the other kind: TOTP. Unlike the SMS, I find this is an implementation issue rather than a systemic one, but let’s see what’s going on.

I have changed my mobile phone this week, as I upgrade my work phone to one whose battery lasts more than half a day, which is important since my job requires me to be oncall and available during shifts. And as usual when this happens, I need to transfer my authenticator apps to the new phone.

Some of the apps are actually very friendly to this: Facebook and Twitter use a shared secret that, once login is confirmed, is passed onto their main app, which means you just need any logged in app to log in again and get a new copy. Neat.

Blizzard was even better. I have effectively copied my whole device config and data across with the Android transfer tool. The Battle.net authenticator copied over the shared key and didn’t require me to do anything at all to keep working. I like things that are magic!

The rest of the apps was not as nice though.

Amazon and Online.net allow you to add at any time a new app using the same shared key. The latter has an explicit option to re-key the 2FA to disable all older apps. Amazon does not tell you anything about it, and does not let you re-key explicitly — my guess is that it re-keys if you disable authentication apps altogether and re-enable it.

WordPress, EA/Origin, Patreon and TunnelBroker don’t allow you to change the app, or get the previously shared key. Instead you have to disable 2FA, then re-enable it. Leaving you “vulnerable” for a (hopefully) limited time. Of these, EA allows you to receive the 2SV code by email, so I decided I’ll take that over having to remember to port this authenticator over every time.

If you remember in the previous post I complained about the separate Authenticator apps that kept piling up for me. I realized that I don’t need as many: the login approval feature, which effectively Microsoft and LastPass provide, is neat and handy, but it’s not worth having two more separate apps for it, so I downgraded them to just use normal TOTP on the Google Authenticator app, which gets me the Android Wear support to see the code straight on my watch. I have particularly failed to remember when I last logged into a Microsoft product except for setting up the security parameters.

Steam on the other hand, was probably the most complete disaster of trying to migrate. Their app, similarly to the Battle.net one, is just a specially formatted TOTP with a shared key you’re not meant to see. Unfortunately to be able to move the Authenticator to a new phone, you need to disable it first — and you disable it from the logged-in app that has it enabled. Then you can re-enable it on a new phone. I assume there is some specific way to get recovery if that does not work, too. But I don’t count on it.

What does this all mean? TOTP is difficult, it’s hard for users, and it’s risky. Not having an obvious way to de-authenticate the app is bad. If you were at ENIGMA, you could have listened to a talk that was not recorded, on ground of the risky situations there described. The talk title was «Privacy and Security Practices of Individuals Coping with Intimate Partner Abuse». Among various topic that the talk touched upon, there was an important note on the power of 2FA/2SV for people being spied upon to gain certainty that somebody else is not logging in on their account. Not being able to de-authenticate TOTP apps goes against this certainty. Having to disable your 2FA to be able to change it to a new device makes it risky.

Then there are the features that become a compromise between usability and paranoia. As I said I love the Android Wear integration for the Authenticator app. But since the watch is not lockable, it means that anybody who could have access to my watch while I’m not attentive could have access to my TOTP. It’s okay for my use case, but it may not be for all. The Google Authenticator app also does not allow you to set a passcode and encrypt the shared keys, which means if you have enabled developer mode, run your phone unencrypted, or have a phone that is known vulnerable, your TOTP shared keys can be exposed.

What does this all mean? That there is no such thing as the perfect 100% solution that covers you against all possible threat models out there, but some solutions are better than others (U2F) and then compromises depend on what you’re defending against: a relative, or nation-states? If you remember I already went over this four years ago, and again the following year, and the one after talking about threat models. It’s a topic that I’m interested in, if it was not clear.

And a very similar concept was expressed by Zeynep Tufekci when talking about “low-profile activists”, wanting to protect their personal life, rather than the activism. This talk was recorded and is worth watching.

Siphoning data on public and private WiFi

So you may remember I have been reviewing some cyber-thrillers in the past, and some of them have been pretty bad. After that I actually thought I could write one myself; after all, it couldn’t be as bad as Counting from Zero. Unfortunately the harsh reality is that I don’t know enough diverse people out there to build up new, interesting but most importantly realistic characters. So I shelved the project completely.

But at the same time, I spent a lot of time thinking of interesting things that may happen in a cyber-thriller that fit more into my world view — while Doctorow will take on surveillance, and Russinovich battles terrorists armed with Windows viruses, I would have put my characters in to deal with the more mundane variety of cyber criminals.

One of the things that I thought about is a variant on an old technique, called Wardriving. While this is not a new technique, I think there are a few interesting twists and it would be a little too interesting tool for low-lifers with a little (not a lot) of computer knowledge.

First of all, when wardriving started as what became a fad, the wireless networks out there were vastly unencryped and for the most part underutilized. Things changed, now thanks to WPA a simple pass-by scan of a network does not give you as much data, and changes in the way wireless protocols are implemented have, for a while, made the efforts hard enough.

But things changed over time, so what is the current situation? I have been thinking of how many things you could do with a persistent wardriving, but it wasn’t until I got bored out of my mind on a lounge at an airport that I was able to prove my point. On my own laptop, in a totally passive mode, invisible to any client on the network, a simple tcpdump or Wireshark dump would show a good chunk of information.

For the most part not something that would be highly confidential — namely I was not able to see anything being sent by the other clients of the network, but I was able to see most of the replies coming from the servers; just monitor DNS and clear-text HTTP and you can find a lot of information about who’s around you.

For instance I could tell that there was another person in the lounge waiting for the same flight as me — as they were checking the RTE website, and I doubt any person not Irish or not connected with Ireland would spend time there. Oh and the guy sitting in front of me was definitely Japanese, because once he sat down I could see the replies back from yahoo.co.jp and a few more websites based in Japan.

Let me be clear, I was not doing that with the intention of doxxing somebody. I originally started tcpdump because one of my own servers was refusing me access — the lounge IP range is in multiple DNSBL, I was expecting the traffic on the network to be mostly viruses trying to replicate. What I found instead was that the access point is broadcasting to all connected clients the replies coming in for anyone else. This is not entirely common: usually you need to set your wireless card in promiscuous mode, and many cards nowadays don’t even let you do that.

But if this is the small fries of information I can figure out by looking at a tcpdump trace in a few minutes, you can imagine what you can find if you can sniff a network for a few hours. But spending a few hours tracing a network in the coffee shop at the corner could be suspicious. How can you make it less obvious? Well, here’s an interesting game, although I have not played it if not in my own stories’ drafts.

There are plenty of mobile WiFi devices out there — they take a SIM card and then project a WiFi signal for you to connect your devices to. I have one by Vodafone (although I use it with a bunch of different operators depending on where I’m traveling), and it is very handy, but while it runs Linux I did not even look for the option of rooting it. These are pretty common to find on eBay, second hand, because sometimes they essentially come free with the contract, and people update them fairly often as new features come up. Quite a few can run OpenWRT.

These devices come with a decent battery (mine lasts easily a whole day of use), and if you buy them second hand they are fairly untraceable (does anybody ever record the IMEI/serial number of the devices they sell?), and are ready to connect to mobile networks (although that’s trickier, the SIM is easier to trace.) Mine actually comes with a microSDHC slot, which means you can easily fit a very expensive 128GB microSD card if you want.

Of course it relies a lot on luck and the kind of very broad fishing net that makes it unfeasible for your average asshole to use, but there isn’t much needed — just a single service that shows you your plaintext password on a website, to match to an username, as most people will not use different passwords across services, with very few exceptions.

But let’s make it creepier – yes I’ll insist on making my posts about what I perceive to be a more important threat model than the NSA – instead of playing this on a random coffee shop at the corner, you are looking into a specific someone’s private life, and you’re close enough that you know or can guess their WiFi access point name and password, dropping one of these devices within the WiFi reach is not difficult at all.

The obvious question becomes what can you find with such a trace. Well, in no particular order you can tell the routine of a person quite easily by figuring out which time of the day they are at home (my devices don’t talk to each other that much when I’m not at home), what time they get up for work, and what time they are out of the door. You can tell how often they do their finances (I don’t go to my bank’s site every day, much less often the revenue’s). For some of the people out there you can tell when they have a private moment and what their interests are (yes I admit I went and checked, assuming you can only see the server response, you can still tell the title of the content that is being streamed/downloaded.) You can tell if they are planning a vacation, and in many cases where. You can tell if they are going to see a movie soon.

Creepy enough? Do I need to paint you a picture of that creepy acquaintance that you called in last week to help you set up your home theater, and to which you gave the WiFi password so he could Google up your provider’s setup guide?

How do you defend from this? Well, funnily enough a lot of the things people have been talking before the “Snowden Revelations” help a lo with this: HTTPS Everywhere and even Tor helps with this. While the latter gives you a different set of problems (it may be untraceable but it does not mean it’s secure!), it does obfuscate the data flow out of your network. It does not hide the traffic patterns (so you can still tell when people are in or not, when they wake up, and so on) but it does hide where you’re going, so that your private moments stay private. Unfortunately it is out of the reach of most people.

HTTPS is a compromise: you can’t tell exactly what’s going on, but if your target is going to YouPorn, you can still tell by the DNS reply. It does reduce the surface of attack considerably, though, and does not require that much technical knowledge on the client side. It’s for reasons like this that service providers should use HTTPS — it does not matter if the NSA can break the encryption, your creepy guy is not the NSA, but small parts of the creepy guy’s plan are thwarted by it: the logs can show the target visited the website of a movie theatre chain, but can’t show the replies from the server with the name of the branch or the movie that the target was interested in.

What is not helping us here, right now, with the creepy guys that are so easy to come by, is the absolute paranoia of the security and cryptography community right now. Dark email? Secure text messaging? They are definitely technologies that need to be explored and developed, but they should not be the focus of the threat model for the public. In this, I’m totally agreeing with Mickens.

I was (and a bit am) scared about writing about this, it makes me feel creepy. It gives a very good impression of how easy it is to abuse a bit of technical knowledge to become a horrible person. And with the track record of the technical circle in the past few years, it does scare the hell out of me, pardon the language.

While the rest of the security and technical community keep focusing on the ghost of the NSA, my fears are in the ease of everyday scams and information leaks. I was not surprised of what the various secret agencies out there wanted to do, after all we’ve seen the movies and the TV series. I was surprised of a few of the tools and reaches, but not the intentions. But the abuse power? There’s just as much of it outside of the surveillance community, it’s just that the people who know don’t care – they focus on theoretical problems, on the Chief World Systems, because that’s where the fun and satisfaction is – and the people who are at risk either believe everything is alright, or everything is not alright; they listen to what the media has to say, and the media never paints useful pictures.

Again on threat models

I’ve read many people over the past few months referencing James Mickens’s article on threat models. Given I wrote last year about a similar thing in regard to privacy policies, one would expect me to fall in line with said article fully. They would be disappointed.

While I agree with the general gist of the article, I think it gets a little too simplistic. In particular it downplays a lot the importance to protect yourself against two separate class of attackers: people close to you and people who may be targeting you even if you don’t know them. These do seem at first sight to fit in with Mickens’s categories, but they go a little further than he’s describing. And by painting the categories as “funny” as he did I think he’s undermining the importance of security.

Let’s start with the first threat model that the article points out to in the “tl;dr” table;

Ex-girlfriend/boyfriend breaking into your email account and publicly releasing your correspondence with the My Little Pony fan club

Is this a credible threat? Not really, but if you think about it a little more you can easily see how this can morph into disgruntled ex breaking into your computer/email/cloud account and publicly releasing nude selfies as revenge porn. Now it sounds a little more ominous than being outed out as a fan of My Little Pony, doesn’t it? And maybe you’ll call me sexist to point this out, but I think it would be hypocrite not to point out that this particular problem sees women as much more vulnerable to this particular problem.

But it does not have to strictly be an ex; it may be any creepy guy (or gal, if you really want to go there) who somehow gets to access your computer or to guess your “strong” password. It’s easy to blame the victim in these situations but that’s not the point; there are plenty of people ready to betray the trust of their acquaintances out there — and believe me, people trust other people way too easily, especially when they are looking for a tech-savvy friend-of-a-friend to help them fix their computer, I’ve been said tech-savvy friend-of-a-friend, and it didn’t take many times doing the kind of usual recovery to realize how important that trust is.

The second “threat model”, that is easily discounted, is described as

Organized criminals breaking into your email account and sending spam using your identity

The problem with a similar description of the threat is that it’s too easy for people to discard it with “so what?” People receive spam all the time, why would it matter whose identity it’s sent as? Once again, there are multiple ways to rephrase this to make it more ominous.

A very simple option is to focus on the monetary problem: organized criminals breaking into your email account looking for your credit card details. There are still plenty of services that will request your credit card numbers by email, and even my credit card company sends me the full 16-digits number of my card on the statements. When you point out to people that the criminals are not just going to bother a random stranger, but actually are going after their money, they may care a significant bit more.

Again this is not all there is, though. For a security or privacy specialist to ignore the issues of targeted attacks such as doxxing, coming up with the harassment campaigns that are all the rage to date is at the very least irresponsible. And that does not involve only the direct targets of harassment: the protection of even the most careful person is always weak to the people they have around, because we trust them, with information, or access, and so on.

Take for instance Facebook’s “living will” for users — if one wanted to harass some person, but their security was too strong, they could go after their immediate family, hoping that one of the would have the right access to close the account down. Luckily, I think Facebook is smarter than this, and so it should not be that straightforward, but many people also use member of the family’s addresses as recovery addresses if they were to lose access to their own account.

So with all this in mind, I would like to point out that at the same time I agree and disagree with Mickens’s article. There are way too many cryptographers out there that look into improbable threat models, but at the same time there are privacy experts that ignore what the actual threats are for many more users.

This is why I don’t buy into the cult of personalities of Assange, Snowden or Appelbaum. I’m not going to argue that surveillance is a good thing, nor I’m going to argue that there are no abuses ever – I’m sure there are – but the focus over the past two years have been so much more on state actions that malicious actors like those I described earlier.

I already pointed out how privacy advocates are in love with Tor and they ignore the bad behaviours it enables, and I once again I do wonder why they are more concerned about the possibility of obscure political abuses of power, rather than the real and daily abuse of people, most likely a majority of which women.

Anyway, I’m not a thought leader, and my opinions are strictly personal — but I do think that the current focus on protecting the public from possibly systemic abuse from impersonal organisations such as the NSA is overshadowing the importance of protecting people from those they are most vulnerable from: the people around them.

And let’s be clear: there are plenty of things that the crypto community can and should do to protect people in these situations: HTTPS is for instance extremely important, as it does not take a huge effort for a disgruntled ex to figure out how to snoop cleartext traffic to find the odd password or information that could lead to a break.

Just think twice, next time you decide to rally people up against a generic surveillance society phantom, or even to support EFF — I used to, I don’t currently and while I agree they have done good things for people, I do find they are focusing on the wrong threats.

My Personal Privacy Policy

Be warned, this post might as well offend you — it’s actually the same topic, and mostly the same post, as I was trying to write months ago and the last of a series of drafts that Typo made me lose and for which I was actually quite pissed off at it.

A premise, considering my current employer, you could expect that I’m biased. People who have known me for a while should know that this has always been my point of view and a payslip is not enough for buying my ideals. A second premise is that what I’m writing here is my personal opinion and has nothing to do with my employer.

Before getting into the details of my personal view on privacy, I’ll have to at least categorize who I am. I’m most definitely not a public figure, but I’m also not a complete nobody. I’m not sure if I’m notable, I’m not an activist as Jürgen is, but with being a Gentoo developer, I end up in a more visible spot than your average person. Even so, I’m not an A-list or even a B-list blogger.. maybe a D-list, for Diego, would be okay. It is obvious too when you consider that my blog has unmoderated, unlimited, non-captcha comments and yet I receive only a handful of them per post.

It is not something I care to think about too much, but I have noticed when I started working here in Dublin, that there were people that already knew me, even when I did not know them before, if not by a name passing on my blog’s comments. It does not mean much, of course, as my contribution to the world is still negligible. But it does mean that what I write on my blog, on my (public) Twitter, Facebook, Google+ profiles, is seriously public. My blog, my mailing list posts, even my IRC history is something that not only employers can look into, but also something that an enemy, if there are still some out there that didn’t grow bored of making my life miserable, would be able to leverage.

So with this premise, what is my idea of privacy? Well, as you probably remember, I have no problem with relatively-big corporation knowing what I buy and given how I use both FourSquare and Ingress, I have no problem with them knowing where I am in most cases. I also have no problem with most of my friends to know where I am, sure, it takes away from me the option of lying to people if I don’t want to go out with them — I count that as a positive note though, as my friends can count on the fact that I’m not doing that. Myself, if I was to do that, I would probably just not count them as friends, and thus would not have a problem with telling them that I don’t want to see them.

Is there anything I don’t want to broadcast? Sure, plenty. And I don’t do that by default. My opinion of people, for instance, is not something I tend to talk about, well, depends on the people of course. And there are habits of my own that I’d rather not talk about. And embarrassing personal problems too, but these do not include, for instance, my diabetes or my pancreatic problems, even though, as medical records, they are among the most protected data about me that is to be found out there.

Let me try to make a practical example of what my concerns of privacy actually are. It’s not a mystery that I’m no good with relationships – surprise, surprise, for a geek – and I’m pretty sure I admitted before to being a virgin as of 28 years of age (and counting). If I was to meet a gal with whom there could be a reciprocal attraction (unlikelier by the day), that would be one thing that I wouldn’t want to be known right away by everyone on earth. If nothing else, because I would probably not believe in the situation myself.

But more importantly, both details and general gists would have different circles of people who would get to know them at different times. My mother would, most definitely, be the last one to know — I originally wrote “my family” (which is basically me, my mother and my sister and her husband), then I realized that something that I similarly wanted to keep from them happened recently, when I got almost mugged. My sister got to know about that episode the week after it happened, when I had to go to the dentist and get the tooth extracted — the punch caused me an abscess that was quite painful and dangerous. I was broadcasting the event to the public and keeping it from my family because I did not want to worry them until the whole thing was completed. My mother still does not know that happened. Helps that neither speak or read English.

So going back to the example above, it’s a certainty that my colleagues would probably find out almost first, as I’m a person of routine and anything that breaks said routine is going to be pretty visible. I could make an excuse, but why? So it’s just going to be noticed. But unless I broadcast it, my sister and mother will not get to know it until I tell them. Sure, FourSquare could possibly deduce a change in behaviour, or notice that I’m checking in with a different set of friends; a government agency tracking my phone and hers could possibly find that I’m taking long walks with a new person (and that could be easily mixed in with my phone often taking long walks with other people as I play Ingress), but what would they care about it? It’s not illegal here.

And here’s the first tenet of my personal privacy policy: the fact that I can afford not to hide from governments is a privilege, and so is my ability to broadcast my position and my habits. I live and lived in countries that are relatively civil, I’m not, say, a gay person in Russia, and, sorry to say this so bluntly, I’m not female, which makes showing people that I’m somewhere alone not that much of a concern. This is the same concept of threat model that applies to computer security and other security areas; in my threat model, what I’m concerned about are not state actors or corporations, but rather criminals and personal enemies.

Back again at the example, if actually going out with somebody would break my routine enough to be noticeable, becoming sexually active I’d expect not to – just a guess, given that I’m not able to tell at this point – and that does change a few more things. Given it would be something private between me and this hypothetical significant other, I wouldn’t be talking about it in the open, which means even my colleagues would not know about it. Somebody would probably know that basically right away: my doctor for sure, and possibly my pharmacist (yes, I do have a local pharmacy, the one where I go buy my insulin and the other prescription drugs I have to take). The former would know when I ask him a new set of blood tests to be safe, the latter would know when I’d be asking for condoms for the first time. Alternatively, Tesco would know when I’d order them from the website, and the delivery guy would know as well, when he comes delivering. I’m pretty sure between the two options I’d go with the pharmacy, as I’ve already given up with being embarrassed when talking with them.

To close this, I would like to note that even though I live in what is mostly a glass house, I don’t expect everybody else to do so too. I’m just writing this to signify that I don’t think that there are many threat models that apply to me, for which I would start wearing a tinfoil hat in light of the “NSA revelations” that last year brought us. Maybe for some of you there are, but I doubt that all the people that have been fretting about tor attacks and the like have good reason to do so.

I’m sure that there are people out there that, under oppressive governments, that entrust their life to Tor and similar tools, so identifying and resolving its vulnerabilities is something that I can’t disagree with. On the other hand, as I said before most of the self-defined privacy advocates out there tend to not consider that this also helps also people like the SilkRoad users. While I’m definitely okay with legalization of marijuana, I’m of that opinion because it would avoid the existence of things like SilkRoad.

On the other hand, the NSA revelations do concern me, not because I’m scared of the NSA, but because if they can do it now, others will be able to do so in the future, and if those others are criminals, then I’d be scared of them. So please let’s all try to make things better, encrypt everything, research and find way around browser fingerprinting and help the EFF (I’m a donor too). Just keep in mind what your threat models are, rather than just blindly follow the blogosphere’s hysteria.

You call it privacy invasion, I don’t.

So it looks like the paranoid came to my last post about loyalty cards complaining about the invasion of privacy that these cards come with. Maybe they expected that the myth of the Free Software developer who’s against all big corporation, who wants to be off the grid, and all that kind of stuff that comes out when you think of Stallman. Well, too bad as I’m not like that, while still considering myself a left-winger, but a realist one that cannot see how you can get workers happy by strangling the companies (the alternative to which is not, contrarily to what most people seem to think, just accepting whatever the heck they want).

But first an important disclaimer. What I’m writing here is my personal opinion and in no way that of my employer. Even if my current employer could be considered involved in what I’m going to write, this is an opinion I maintained for years — lu_zero can confirm it.

So, we’ve been told about the evil big brother of loyalty card since I can remember, when I was still a little boy. They can track what you buy, they can profile you, thus they will do bad things to you. But honestly I don’t see that like it has happened at all. Yes, they can track what you buy, they might even profile you, but about the evil things they do to you, I still have not heard of anything — and before you start with the Government (capital and evil G), if you don’t trust your government, a loyalty card programme is the last thing you should be worried in.

Let’s have a look first at the situation presented by the Irish Times article which I referred to in my first post on the topic. At least, they have been close to reality enough, so instead of going the paranoia of the Big Brother, they simply noted that marketeers will know about your life, although they do portray it as only negative.

Before long, he had come up with a list of 25 products which, if bought in certain amounts and in a certain sequence, allowed him to tell if a shopper was pregnant and when her due date was.

In his book, Duhigg tells the story of a man who goes into a branch of Target near Minneapolis. He is not happy as he wants to know why the retailer has suddenly started to send his high school-going daughter coupons for baby clothes and cribs. He asks the manager if the shop is trying to encourage very young girls, such as his daughter, to get pregnant.

The manager is bemused but promises to look into it, which he does. He finds that this girl had indeed been targeted with all manner of promos for baby products so he calls the father several days later to convey his apologies and his confusion.
That’s when the man tells him that when he raised the issue with his daughter, she told him she was pregnant. The retailer took a lot of flak when the details of its data mining emerged but the controversy blew over.

So first I would say I find it utterly ludicrous that sending coupons for “baby clothes and cribs” would “encourage very young girls […] to get pregnant”. I would also suggest that if the girl is so young that it’s scandalous that she could get pregnant, then it might indeed be too soon for her to have a loyalty card. In Italy for instance you have to be 18 before you can get a loyalty card for any program — why? Because you expect that a minor still does not have an absolutely clear idea of what his or her choices are going to mold their future as.

Then let’s see what the problem is about privacy here… if the coupons are sent by mail, one would expect that they are seen only by the addressee — if you have no expectation of privacy on personal mail, it’s hard to blame it strongly on the loyalty programmes. In this case, if you would count the profiling as a violation of privacy of the girl, then you would expect that her father looking at the coupons would be a bigger invasion still. That would be like reading a diary. If you argue that the father has a right to know as she’s a minor, I would answer that then she shouldn’t have the card to begin with.

Then there is the (anonymous, goes without saying) comment on my post, where they try to paint loyalty schemes in an even grimmer light, first by stating that data is sold to third party companies at every turn… well, turns out that’s illegal in most of Europe if you don’t provide a way for the customer not to have his data sold. And turns out that’s one of the few things I do take care of, but simply because I don’t want junk mail from a bunch of companies I don’t really care about. So using the “they’ll sell your detail” scare, to me, sounds like the usual bull.

Then it goes on to say that “Regularly purchasing alcohol and buying in the wrong neighbourhoods will certainly decrease your score to get loans.” — well, so what? The scores are statistical analysis of the chance of recovering or defaulting on a loan, I don’t blame banks for trying to make them more accurate. And maybe it’s because I don’t drink but I don’t see a problem with profiling as an alcoholic a person that would be buying four kegs of beer a day — either that or they have a bar.

Another brought point? A scare on datamining. Okay the term sounds bad, but data mining at the end is just a way for businesses to get better at what they do. If you want to blame them for doing so, it’s your call, but I think you’re out of your mind. There are obvious bad cases for data mining, but that is not the default case. As Jo pointed out on Twitter, we “sell” our shopping habits to the store chains, and what we get back are discounts, coupons and the like. It’s a tit-for-tat scenario, which to me is perfectly fine And applies to more than just loyalty card schemes.

Among others, this is why I have been blocking a number of webrobots on my ModSecurity Ruleset — those that try to get data without giving anything back, for me, are just bad companies. If you want to get something, give something bad back.

And finally, the comment twice uses the phrase, taken from the conspirationists’ rulebook, “This is only the beginning”. Sorry guys, you’ve been saying that this is the beginning for the past thirty years. I start to think you’re not smarter than me, just much more paranoid, too much.

To sum it up, I’m honestly of the opinion that all the people in countries that are in all effect free and democratic that complain about “invasion of privacy”, are only complaining because they want to keep hiding their bad sides, be it bad habits, false statements, or previous errors. Myself, as you can see from this blog, i tend to be fairly open. There is very little I would be embarrassed by, probably only the fact that I do have a profile on a dating site, but even in that, well, I’ve been as honest as a person can be. Did I do something stupid in my past? I think quite a few things. On the other hand, I don’t really care.

So, there you go, this is my personal opinion about all the paranoids who think that they have to live off the grid to be free. Unless you’re in a country that is far from democratic, I’d just say you’re a bunch of crybabies. As I said, places where your Government can’t be trusted, have much bigger problems than loyalty schemes or profiling.