Too Much Information by Firefox and HitRecord

Advertisements

Libraries for Privacy – Digital Security Workshop review

Venue: Glasgow Women’s Library
Date: 8 July 2016

This excellent (and somewhat terrifying) half-day workshop was organised by Scottish PEN to help libraries support users in strengthening their online privacy. The workshop was presented by Alison Macrina of the Library Freedom Project, and supported by CILIPS.

Information for the workshop has been made available via Dropbox

The man from Scottish PEN spoke very rapidly at the start so I didn’t catch either his name or that of the man who followed him. However, I did get that the 2nd man represented both CILIP and IFLA. He covered a number of points:

  • He recommended we take a look at the IFLA privacy policy
  • Privacy is a matter of library ethics and should be part of our operations
  • Privacy of users and citizens is increasingly being challenged, both by government bodies and commercial entities. For example, ebook publishers demand personal info before allowing use of their services
  • The upcoming CILIP conference will feature a debate on libraries’ roll in advocacy and teaching of privacy skills
  • CILIP is reviewing their code of ethics
  • Privacy is an issue for all librarians

A survey of authors showed the impact of surveillance – 2 thirds stated they would consider changing what they write if they perceived they were being surveilled.

The man from Scottish PEN then spoke about the current Investigatory Powers Bill:

  • It’s currently going through Westminster parliament
  • Government will have the power to gather information about the domains you visit although not the actual pages. In reality this is a minor distinction.
  • Although this data is meant to help with the detection and prevention of crime it will be fairly easily accessible by various public bodies e.g. the food standards agency!
  • bulk powers – equipment interference – basically hacking, e.g. the power to turn on the camera on your laptop
  • targeted powers – thematic warrants
  • interception – tapping your data. GCHQ have already tapped the undersea fibre optic cables from Bude to USA.
  • national security notices. technical security notices. They have the power to compel any ‘telecommunications officer’ to access personal data or devices. There is no definition of what this means – it could include library staff.
  • there’s been little talk about the cost of making data secure
  • Govt is using the Danish model – although it was thrown out by Denmark for being too expensive!
  • PEN are concerned with freedom of expression, access to information

The remainder of the workshop was run by the wonderful and knowledgable Alison from the Library Freedom Project.

“Facebook is the devil”

Beware aggregation of data – sites may only gather small pieces of data but together they can build up a detailed picture of you and your online activity.

Data is an asset. Terms of service can be changed without notification. Library data management systems are being handed over to 3rd party private companies – “you can trust us”.

TOR (The Onion Router) – network and browser. not recommended as default browser on public PCs. bounces traffic over worldwide network. zero knowledge network. libraries could be involved in hosting these relays. NSA tried to shut them down. They failed.

PGP/GPG encryptors are complex to use.

DEFINITIONS

metadata – data about data
content – body
most data collection is metadata. you don’t need content when you have metadata. metadata doesn’t lie. it’s hard to hide. the internet was designed to use metadata for routing.

FOSS – free and open source software
user is free to use, modify, view and distribute source code as they wish. If you can see the code scary govt backdoors can’t be hidden in it. version control. reproducible builds – if binaries match, nothing has been tampered with. don’t automatically trust any piece of software. Library ethics – we have shared values with the FOSS ideal: transparency, community, not being surveilled  🙂

Encryption
Only covers content. Encrypting metadata is pretty much impossible. Most people don’t encrypt.

“The Cloud”
Outsource the storage of data. Not fluffy and lovely (like a cloud). Your data is outside your control. some encrypt others don’t – iCloud mail is not encrypted. iCloud is on by default – insidious.

Decentralisation
Google – data collection and use is their business model. Use alternative services to spread your info around. If a service becomes malicious they already have all your info.

**********

Threat modelling
When considering your online privacy, first conduct a ‘threat model’. There are 4 elements to this:

  1. assets – who are you, what do you have to protect and to what lengths will you go to protect it?
  2. adversaries – who is after your data?
  3. capabilities – what powers do your adversaries have?
  4. consequences – what are the consequences of any privacy encroachment?

Threat models can change if circumstances change e.g. government, laws, etc

example – Journalist:

  • assets – computer, phone, hard drives, sources, other journalists
  • adversaries – intelligence agencies, law enforcement
  • capabilities – imagine your adversaries can do anything. Don’t underestimate them.
  • consequences – prison for source.

Recent iPhone case in USA – FBI already had lots of data. It was a cynical ploy to get them even more surveillance powers.

Privacy is like health, it’s a lifestyle choice. Perfect privacy doesn’t exist but don’t be discouraged. Beware of ‘snake oil’ technologies promising what they can’t deliver – e.g. there is currently no TOR browser for iOSdon’t be fooled by what’s available in the AppStore. Red flags: words like ‘unbreakable’ and ‘military grade’ encryption – there’s no such thing.

Laws – take a long time to change and update.

Libraries should reposition themselves as data protectors.

library-freedom-project11Contact:

@flexlibris
@libraryfreedom
alison@torproject.org

libraryfreedomproject.org/resources/privacytoolkit
https://lists.riseup.net/www/info/libraryfreedom

Talking points when trying to convince people of the benifits of protecting privacy in a library environment:

  • privacy technologies as a tool; value neutral; analogous to cash – handy to have.
  • criminals shouldn’t be the only ones with privacy. bad people will always have other means of securing their privacy
  • intellectual freedom arguments – LFP resources
  • high demand from library patrons
  • consumer rights issues – privacy encroachment affects everyone. targeted advertising

TOR browser
Obscures where you are and stops data leaking – www.torproject.org

  • obscures your real IP – via international relays
  • prevents cross-site correlation
  • blocks cookies, scripts
  • writes nothing to disc
  • bundled with extensions ‘NoScript’ and ‘HTTPS Everywhere’
  • DuckDuckGo search
  • Some usability barriers
  • Best practices

Creates fake user agent profile.

NoScript – blocks all scripts then you can ‘whitelist’ sites you want.

Extensions – not recommended to add more

Usability barriers – the web really wants to know where you are. e.g. Gmail

Not recommended as default browser on public PCs due to usability issues.

If you create accounts in TOR – and always use them there – websites will never know where you are.

Be cautious what you use TOR with – e.g PayPal really doesn’t like it and could lock you out.

Sites using location services may react oddly to TOR.

Running TOR, even when not using it, helps mask the location of other TOR users nearby.

Tor usage goes up when States enact surveillance laws.

What to do when Tor project is blocked:

  • Gettor robots – will email you a copy of Tor
  • bridges – if censor blocks public relays. Tor bridges are private relays. MEEK mimics adversaries
  • LFP letter to convince IT/city to unblock TOR
  • Tor will subvert library computer filters!
  • Tor browser all run from a flash drive

If you can’t get Tor your network is worse than Iran!

Behavioural analytics

  • cookies, high entropy cookies. Tor will block cookies
  • analytics – e.g. Google

Web browser safety

Using alternative browsers is more disruptive than you might think. However, even using alternatives occasionally will decentralise your data to some extent.

  • DuckDuckGo search – Slightly ad supported – recommended
  • Other search engines:
    • ‘Disconnect’ search – allows you to use your favourite search engine – except Google!
    • ‘Startpage’ search – based in the Netherlands
  • Privacy Badger (Chrome or Firefox)
  • uBlock Origin (Chrome or Firefox)
  • remove Flash!!! (not installed on Tor)
  • use Chrome if not Tor browser – Google is really good at security. (use Chrome for security and Tor for privacy)

Privacy Badger
Shows which 3rd parties sites are sharing your info with. Monitors 3rd parties and will block them as necessary. It’s not recommended to adjust the sliders yourself.

HTTPS
Sites encrypt data so only they can see what you input. Data integrity – error messages will tell you if your connection is not secure.

URL contains ‘https’ as well a little green lock inside the address bar – if it’s elsewhere on the page it’s likely fake.

Encryption should be on the whole site not just at checkout.

example attacks:

  • Packet analysers – folk on the same wifi network can see everything you’ve searched for
  • Man in the middle attack – hijacks your session and sends you to a mirror site

Let’s encrypt initiative
HTTPS is easy with Certbot: https://certbot.eff.org/

Keep software up to date!  Updates will contain the latest security upgrades and bug fixes.

Password:

  • Probably the biggest vulnerability on the internet
  • master password: dice ware wordlist – use this to log into a password manager
  • password managers:
    • LastPass
    • 1Password
  • 2factor authentication – use whenever available.
  • security questions – recommended to make fake answers
  • mobil device passwords – not necessary to make such a complex code but PIN passcodes are no longer reliable. biometrics on iOS is only stored locally so that’s ok but use caution otherwise.

Mobile phones
You should have no expectation of privacy on your mobile. Because of the way they need to function, it’s really not possible to have any real privacy.

Phones have 2 operating systems:

  • applications processor
  • baseband processor – proprietary code. controls the phone. IMSI catchers!

Encrypted phones – metadata can be seen but not content. iOS has better privacy than Android since Android doesn’t get system updates. iOS has prioritised security.

https://libraryfreedomproject.org/mobileprivacytoolkit/

‘Signal’ app – encrypted text and calls. Ideal for lawyer/client communication.

email
Hard to encrypt. need GPG, desktop email client, Thunderbird.

Treat all email as if it’s not secure.

Gmail has prioritised security. Also, Proton mail has secure storage.

In USA law enforcement can subpoena emails stored on servers older than 108 days

Conclusions
It is possible to protect your online privacy but that may result in some loss of functionality. Perform Threat modelling to way up your options. Aim to decentralise your data as much as possible. This will make it harder for online adversaries to form an aggregate picture. Use technologies to protect your privacy but try to choose FOSS products and avoid the ‘snake oil’. Keep all software up-to-date.

The truth, according to Google

Apparently Google is working on a new algorithm to measure the veracity of websites and order its search results accordingly. More truthful and reliable sites would be listed at the top of the ranking – via CNN Money:

The truth, according to Google

It must be true, I found it on the Internet!

Naive? Maybe. After all, cyberspace has its fair share of myths. Now Google may have found a way to clean house, or at least throw the trash in the basement.

The company is figuring out how to rank websites by the veracity of their content. The more truthful the page, the higher up it would appear in search results.

Google (GOOG) currently sorts search results based on criteria such as the number of links pointing at the website, the amount of time users spend on it, as well as the prominence of its social media profile.

The algorithm, named PageRank after Google co-founder Larry Page, is supposed to rank websites based on their reputation.

google truth

But a team of Google engineers and research scientists say the current system mainly reflects the popularity of a website, which may tell users little about its truthfulness.

Gossip websites are good example, according to the Google team. While immensely popular, they are not generally considered very reliable.

To fix the problem, Google has come up with a new truth-seeking algorithm, describing it in a research paper first reported by New Scientist.

So how would it work? The new algorithm draws on Google’s “Knowledge Vault” — a collection of 2.8 billion facts extracted from the Internet.

By checking pages against that database, and cross-referencing related facts, the research team believes the algorithm could assign each page a truth score. Pages with a high proportion of false claims would be bumped down in the search results.

Google said the new algorithm is in the research stage. The scientists still need to figure out plenty of issues before it can be used, including ensuring the system appropriately deals with new facts on a topic.

A Very Fine Library vs the Grammar Nazis!

I posted the above pic on Facebook earlier today because I felt a bit disheartened. I’ve spent a chunk of this week posting, editing and generally primping a three-part series of pieces by Edinburgh’s Makar for the ELISA website. I admit I feel pretty proud of those posts. I contacted the current Makar and asked her to write something for ELISA and she obliged, pics and all! It feels like a bit of a coup.

The first part went live on Wednesday but, so far, the only feedback I’ve received was a notification that there’s a “Wee Typing Error in the Post”. I don’t know what or where. I made a joking response but the nitpicking stung me somewhat. It’s a longish post, full of interesting information, images and poetry – but all someone thought to say was “Typo!”

Disheartening.

Incidentally, I joke about this sort of thing but I increasingly experience it as a kind of online bullying. Though my grammar is good, I’ve never been a great speller – thank the gods for spellchecker! Even so, I always feel compelled to check and double-check everything I post because I know the tiniest error will be picked up and pointed out by some ‘helpful’ soul. It’s nerve-wracking.

I honestly don’t understand why they do it. As Angry Puffin up there says, as long as your point gets across, what does it matter? People can be as precise (and anal) with their own writing as they wish – but what makes them think they have the right to correct others?

Angry Puffin says “pretentious and idiotic”. I say “bullying and oppressive”.

It’s different if someone asks to be corrected of course. A learner or someone trying to improve their language skills. I have an Italian friend who sometimes seeks advise on english-grammarly things. Also, I’m learning gaelic so welcome input on word order and suchlike in that language.

As far as english goes though, I’m not asking. While I’m writing I relish the flow and play of words. The odd typo, here and there, won’t cause the sky to fall. I endlessly footle with my posts in any case so I’m likely to pick up errors in time. And if not, so what?

Grammar Nazis and Spelling Fascists – D’you think these terms came about by accident? You may actually think you’re being helpful but folk wouldn’t call you nazis if they enjoyed what you’re doing. A lot of folk probably just find you irritating but I’m sure there are others, like me, who find your criticisms upsetting or oppressive.

Please think before you correct. Thank you.