Too Much Information by Firefox and HitRecord

A little more about online privacy

I’ve been reading a UKeiG white paper – ‘The Internet of Things’ by Martin De Saulles – and, in light of the privacy workshop I recently attended, the following paragraphs jumped out at me somewhat…

Google’s success is built on the aggregation of billions of data points about our search habits which it sells on to advertisers. Google’s parent company, Alphabet, on the 8 April 2016 had a stock market valuation of $522 billion. Approximately 90% of the company’s revenues are derived from advertising showing how the “data exhaust” of something as innocuous as web searching can be monetized when it is collected at scale.

The importance of scale as a value-adding factor for data sets can also be seen with another Google product, Google Maps. At a basic level, Google Maps operates like any other satellite navigation system by linking map data with the GPS coordinates of the user. However, by combining internet connectivity with the movements of the more than 1.5 billion users of its mobile operating system, Android has added a new layer of value. By tracking the movements of Android phones users, Google is able to provide real-time traffic updates to its Map’s users showing where delays are on the roads ahead and offering re-routing advice to optimize journey times

The move into building data services alongside more traditional product ranges is exemplified by the US sportswear company, Under Armour. In 2015, Under Armour bought two fitness tracking app companies, MyFitnessPal and Endomondo for more than $500 million . These acquisitions gave the company access to the health and fitness data of approximately 120 million users across Europe and the US. While the user bases of these apps provide obvious marketing opportunities for a sportswear company it is the aggregation of the data which monitors the health status of millions of amateur athletes along with their dietary habits which may offer the real value.

Et tu, MyFitnessPal?

The full paper can be viewed here

Libraries for Privacy – Digital Security Workshop review

Venue: Glasgow Women’s Library
Date: 8 July 2016

This excellent (and somewhat terrifying) half-day workshop was organised by Scottish PEN to help libraries support users in strengthening their online privacy. The workshop was presented by Alison Macrina of the Library Freedom Project, and supported by CILIPS.

Information for the workshop has been made available via Dropbox

The man from Scottish PEN spoke very rapidly at the start so I didn’t catch either his name or that of the man who followed him. However, I did get that the 2nd man represented both CILIP and IFLA. He covered a number of points:

  • He recommended we take a look at the IFLA privacy policy
  • Privacy is a matter of library ethics and should be part of our operations
  • Privacy of users and citizens is increasingly being challenged, both by government bodies and commercial entities. For example, ebook publishers demand personal info before allowing use of their services
  • The upcoming CILIP conference will feature a debate on libraries’ roll in advocacy and teaching of privacy skills
  • CILIP is reviewing their code of ethics
  • Privacy is an issue for all librarians

A survey of authors showed the impact of surveillance – 2 thirds stated they would consider changing what they write if they perceived they were being surveilled.

The man from Scottish PEN then spoke about the current Investigatory Powers Bill:

  • It’s currently going through Westminster parliament
  • Government will have the power to gather information about the domains you visit although not the actual pages. In reality this is a minor distinction.
  • Although this data is meant to help with the detection and prevention of crime it will be fairly easily accessible by various public bodies e.g. the food standards agency!
  • bulk powers – equipment interference – basically hacking, e.g. the power to turn on the camera on your laptop
  • targeted powers – thematic warrants
  • interception – tapping your data. GCHQ have already tapped the undersea fibre optic cables from Bude to USA.
  • national security notices. technical security notices. They have the power to compel any ‘telecommunications officer’ to access personal data or devices. There is no definition of what this means – it could include library staff.
  • there’s been little talk about the cost of making data secure
  • Govt is using the Danish model – although it was thrown out by Denmark for being too expensive!
  • PEN are concerned with freedom of expression, access to information

The remainder of the workshop was run by the wonderful and knowledgable Alison from the Library Freedom Project.

“Facebook is the devil”

Beware aggregation of data – sites may only gather small pieces of data but together they can build up a detailed picture of you and your online activity.

Data is an asset. Terms of service can be changed without notification. Library data management systems are being handed over to 3rd party private companies – “you can trust us”.

TOR (The Onion Router) – network and browser. not recommended as default browser on public PCs. bounces traffic over worldwide network. zero knowledge network. libraries could be involved in hosting these relays. NSA tried to shut them down. They failed.

PGP/GPG encryptors are complex to use.

DEFINITIONS

metadata – data about data
content – body
most data collection is metadata. you don’t need content when you have metadata. metadata doesn’t lie. it’s hard to hide. the internet was designed to use metadata for routing.

FOSS – free and open source software
user is free to use, modify, view and distribute source code as they wish. If you can see the code scary govt backdoors can’t be hidden in it. version control. reproducible builds – if binaries match, nothing has been tampered with. don’t automatically trust any piece of software. Library ethics – we have shared values with the FOSS ideal: transparency, community, not being surveilled  🙂

Encryption
Only covers content. Encrypting metadata is pretty much impossible. Most people don’t encrypt.

“The Cloud”
Outsource the storage of data. Not fluffy and lovely (like a cloud). Your data is outside your control. some encrypt others don’t – iCloud mail is not encrypted. iCloud is on by default – insidious.

Decentralisation
Google – data collection and use is their business model. Use alternative services to spread your info around. If a service becomes malicious they already have all your info.

**********

Threat modelling
When considering your online privacy, first conduct a ‘threat model’. There are 4 elements to this:

  1. assets – who are you, what do you have to protect and to what lengths will you go to protect it?
  2. adversaries – who is after your data?
  3. capabilities – what powers do your adversaries have?
  4. consequences – what are the consequences of any privacy encroachment?

Threat models can change if circumstances change e.g. government, laws, etc

example – Journalist:

  • assets – computer, phone, hard drives, sources, other journalists
  • adversaries – intelligence agencies, law enforcement
  • capabilities – imagine your adversaries can do anything. Don’t underestimate them.
  • consequences – prison for source.

Recent iPhone case in USA – FBI already had lots of data. It was a cynical ploy to get them even more surveillance powers.

Privacy is like health, it’s a lifestyle choice. Perfect privacy doesn’t exist but don’t be discouraged. Beware of ‘snake oil’ technologies promising what they can’t deliver – e.g. there is currently no TOR browser for iOSdon’t be fooled by what’s available in the AppStore. Red flags: words like ‘unbreakable’ and ‘military grade’ encryption – there’s no such thing.

Laws – take a long time to change and update.

Libraries should reposition themselves as data protectors.

library-freedom-project11Contact:

@flexlibris
@libraryfreedom
alison@torproject.org

libraryfreedomproject.org/resources/privacytoolkit
https://lists.riseup.net/www/info/libraryfreedom

Talking points when trying to convince people of the benifits of protecting privacy in a library environment:

  • privacy technologies as a tool; value neutral; analogous to cash – handy to have.
  • criminals shouldn’t be the only ones with privacy. bad people will always have other means of securing their privacy
  • intellectual freedom arguments – LFP resources
  • high demand from library patrons
  • consumer rights issues – privacy encroachment affects everyone. targeted advertising

TOR browser
Obscures where you are and stops data leaking – www.torproject.org

  • obscures your real IP – via international relays
  • prevents cross-site correlation
  • blocks cookies, scripts
  • writes nothing to disc
  • bundled with extensions ‘NoScript’ and ‘HTTPS Everywhere’
  • DuckDuckGo search
  • Some usability barriers
  • Best practices

Creates fake user agent profile.

NoScript – blocks all scripts then you can ‘whitelist’ sites you want.

Extensions – not recommended to add more

Usability barriers – the web really wants to know where you are. e.g. Gmail

Not recommended as default browser on public PCs due to usability issues.

If you create accounts in TOR – and always use them there – websites will never know where you are.

Be cautious what you use TOR with – e.g PayPal really doesn’t like it and could lock you out.

Sites using location services may react oddly to TOR.

Running TOR, even when not using it, helps mask the location of other TOR users nearby.

Tor usage goes up when States enact surveillance laws.

What to do when Tor project is blocked:

  • Gettor robots – will email you a copy of Tor
  • bridges – if censor blocks public relays. Tor bridges are private relays. MEEK mimics adversaries
  • LFP letter to convince IT/city to unblock TOR
  • Tor will subvert library computer filters!
  • Tor browser all run from a flash drive

If you can’t get Tor your network is worse than Iran!

Behavioural analytics

  • cookies, high entropy cookies. Tor will block cookies
  • analytics – e.g. Google

Web browser safety

Using alternative browsers is more disruptive than you might think. However, even using alternatives occasionally will decentralise your data to some extent.

  • DuckDuckGo search – Slightly ad supported – recommended
  • Other search engines:
    • ‘Disconnect’ search – allows you to use your favourite search engine – except Google!
    • ‘Startpage’ search – based in the Netherlands
  • Privacy Badger (Chrome or Firefox)
  • uBlock Origin (Chrome or Firefox)
  • remove Flash!!! (not installed on Tor)
  • use Chrome if not Tor browser – Google is really good at security. (use Chrome for security and Tor for privacy)

Privacy Badger
Shows which 3rd parties sites are sharing your info with. Monitors 3rd parties and will block them as necessary. It’s not recommended to adjust the sliders yourself.

HTTPS
Sites encrypt data so only they can see what you input. Data integrity – error messages will tell you if your connection is not secure.

URL contains ‘https’ as well a little green lock inside the address bar – if it’s elsewhere on the page it’s likely fake.

Encryption should be on the whole site not just at checkout.

example attacks:

  • Packet analysers – folk on the same wifi network can see everything you’ve searched for
  • Man in the middle attack – hijacks your session and sends you to a mirror site

Let’s encrypt initiative
HTTPS is easy with Certbot: https://certbot.eff.org/

Keep software up to date!  Updates will contain the latest security upgrades and bug fixes.

Password:

  • Probably the biggest vulnerability on the internet
  • master password: dice ware wordlist – use this to log into a password manager
  • password managers:
    • LastPass
    • 1Password
  • 2factor authentication – use whenever available.
  • security questions – recommended to make fake answers
  • mobil device passwords – not necessary to make such a complex code but PIN passcodes are no longer reliable. biometrics on iOS is only stored locally so that’s ok but use caution otherwise.

Mobile phones
You should have no expectation of privacy on your mobile. Because of the way they need to function, it’s really not possible to have any real privacy.

Phones have 2 operating systems:

  • applications processor
  • baseband processor – proprietary code. controls the phone. IMSI catchers!

Encrypted phones – metadata can be seen but not content. iOS has better privacy than Android since Android doesn’t get system updates. iOS has prioritised security.

https://libraryfreedomproject.org/mobileprivacytoolkit/

‘Signal’ app – encrypted text and calls. Ideal for lawyer/client communication.

email
Hard to encrypt. need GPG, desktop email client, Thunderbird.

Treat all email as if it’s not secure.

Gmail has prioritised security. Also, Proton mail has secure storage.

In USA law enforcement can subpoena emails stored on servers older than 108 days

Conclusions
It is possible to protect your online privacy but that may result in some loss of functionality. Perform Threat modelling to way up your options. Aim to decentralise your data as much as possible. This will make it harder for online adversaries to form an aggregate picture. Use technologies to protect your privacy but try to choose FOSS products and avoid the ‘snake oil’. Keep all software up-to-date.

Chilling MYSTERY in Outer Space!

Pulp-O-Mizer_Cover_Image

Just because… I can   😉

The truth, according to Google

Apparently Google is working on a new algorithm to measure the veracity of websites and order its search results accordingly. More truthful and reliable sites would be listed at the top of the ranking – via CNN Money:

The truth, according to Google

It must be true, I found it on the Internet!

Naive? Maybe. After all, cyberspace has its fair share of myths. Now Google may have found a way to clean house, or at least throw the trash in the basement.

The company is figuring out how to rank websites by the veracity of their content. The more truthful the page, the higher up it would appear in search results.

Google (GOOG) currently sorts search results based on criteria such as the number of links pointing at the website, the amount of time users spend on it, as well as the prominence of its social media profile.

The algorithm, named PageRank after Google co-founder Larry Page, is supposed to rank websites based on their reputation.

google truth

But a team of Google engineers and research scientists say the current system mainly reflects the popularity of a website, which may tell users little about its truthfulness.

Gossip websites are good example, according to the Google team. While immensely popular, they are not generally considered very reliable.

To fix the problem, Google has come up with a new truth-seeking algorithm, describing it in a research paper first reported by New Scientist.

So how would it work? The new algorithm draws on Google’s “Knowledge Vault” — a collection of 2.8 billion facts extracted from the Internet.

By checking pages against that database, and cross-referencing related facts, the research team believes the algorithm could assign each page a truth score. Pages with a high proportion of false claims would be bumped down in the search results.

Google said the new algorithm is in the research stage. The scientists still need to figure out plenty of issues before it can be used, including ensuring the system appropriately deals with new facts on a topic.

New ELISA website

I launched the new, updated and re-vamped ELISA website the other day. The new logo was agreed, slightly edited, and uploaded. The structure has been altered, the content checked and up-dated and a big old invitation email has been sent out encouraging folk to sign up. Now comes the hard part – getting folk to post – and other folk to read those posts. Building a blog is easy. Keeping it alive is tough.

I’ve already posted a before picture of ELISA’s site. Here’s what it looks like now:

elisa new site

I’m pretty pleased with this one. I love the colours! Fingers crossed the intended audience will like it too!

At least my ‘clients’ are happy with the work. I’ve had some nice feedback already. And this seems like a fairly active group. I’m hopeful (as always) that they will engage with the site.

Something new – although I’m the chief admin, I actually have some volunteer help this time. Nice as this is, it’s been a challenge to my blog-territoriality – and my techno-control freakery – to share one of my babies with someone else. Luckily, I can ease into it since my helpers are new to the ways of the blog. They are happy for me to be the boss of them… so far. We’ll see how it goes once I’ve got them trained up and brimming with confidence and ideas…   🙂

New project!

As I mentioned before, I recently got involved with the Edinburgh Library And Information Services Agency (ELISA). They happen to have lost their ‘online person’ so I offered my services. I may not be the most tech-savvy but I have some skills and I’m super keen to learn – what better way to do that than via a practical project?

So, over the next few months I’ll be re-vamping the website:

ELISA's site today

ELISA’s site today

It was created using WordPress.org – the sister site to this one – so, although I’ll know my way around, I understand that site requires use of html.  That is the main attraction of this project for me.  I wanted to learn to code and this can be my starting point.

However before I get to that, they want to use this opportunity to rebrand so my first job is to design a new logo.  Here are my first attempts (they’re all variations on the barcode theme the group was using before):

ELISA logo1    ELISA logo5    ELISA logo6

I haven’t quite been able to reproduce the image I had in my head – I don’t have the software – but I like these. So, I’ve circulated them and now I’m waiting for feedback…