Privacy Tool, GoogleSharing, Gets an Upgrade

Slashdot links to a Forbes article highlighting the work of Moxie Marlinspike with the anonymizing Firefox plugin, GoogleSharing. In addition to a reminder of how the plugin works by scrambling requests across all of the users using it, Forbes explains the recent update that addresses a question I certainly had when the plugin was first released. What if you don’t trust the administrators running the service that makes GoogleSharing work?

So when Google introduced encrypted search last May, Marlinspike saw an opportunity to solve that trust problem. Now that Google can accept encrypted search terms, he’s set GoogleSharing to scramble its queries and pass on the data in encrypted form. That means whoever is running the GoogleSharing server can see only identifying details like a user’s IP address, not the content of his or her online activities. And as has always been the case with GoogleSharing, Google can see only a user’s activities, not his or her identifying details. “Neither one of us gets to see the complete picture,” Marlinspike says.

This is excellent news if you just cannot give up Google for searches. If you are concerned about your search privacy, I would suggest you also consider checking out DuckDuckGo which has increasingly been offering more privacy options. There isn’t a technical assurance that DDG won’t track you, but there is a pretty strong policy statement. And for anyone else who might eavesdrop on your searches, DDG runs a Tor exit node and just recently added a Tor hidden service. (And to be clear, I have no affiliation with DDG, I am just a happy user.)

GoogleSharing, Now With No Trust Required, Slashdot

Nigh-Indestructible Cookie

Slashdot links to the efforts of a security researcher proving out a contention Ed Felten offered early on in discussions of tracking technologies. If you use legislation or technology to obliterate one form of tracking without addressing the core behavior and economics that drive it, advertisers will just route around the obstacle.

evercookie is a javascript API available that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they’ve removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others.

There are ways to defend against the various technologies used. At the proof of concept site, you can test your deletion techniques interactively. There are also more techniques for making the evercookie more insidious that have not yet been implemented.

This shows that a determined advertiser could make the cost of avoiding tracking increasingly high, to the point where more folks are likely to get snared. This doesn’t even take into account the work by the EFF on browser finger printing for which there is no effective defense though some browser makers are seriously considering how to change that.

Introducing the Invulnerable Evercookie, Slashdot

Biometric IDs for Every Indian Citizen

Slashdot links to an Alternet story about a plan to record biometrics and tie an individual’s data to a unique identification number. The IDs are being rolled out in phases but eventually are meant to be issued to all of the country’s 1 billion plus citizens. Part of the rational being offered is that it will improve access by the lower classes to civil resources. It seems to me that tying to two together is not essential to improving access, that it is coincidental and undoubtedly serves more fraught purposes than being admitted. Fortunately, local public interest groups are raising the right kinds of questions about unforeseen consequences and known dangers for similar programs elsewhere.

All I can think of when reading through this are the abuses that have arisen from the use of Social Security Numbers in the US, data that were never meant to be identifying outside of a single federal program. This idea seems to willfully be committing the same mistakes and worse tying it to identifying data that cannot be revoked or otherwise easily handled in the case of a breach or other problem.

Biometric IDs For Every Indian Citizen, Slashdot

Study Reveals Counter Intuitive Privacy Behavior

John Timmer at Ars discusses the findings in study to be published in the Journal of Consumer Research. It didn’t get to the bottom of why users give up personal data when they clearly should know better. Rather it just revealed how ineffective environmental cues about privacy risks are and that they might even have the opposite of the desired effect.

I can’t help but think of my friend and privacy lawyer, Carey Lening, who routinely rolls her eyes when I share bits like these revealing how easily ordinary folks violate their own privacy. She always uses the example of how quickly people will give up their info for even the most modest reward, like a tchotchke or t-shirt. To be fair, this study is a little more confounding than that.

I am increasingly convinced by her arguments that we need user education before we wade too deeply into crafting new regulations. These findings however suggest that education may not be enough. Or that there may be greater challenges inherent in crafting an effective curriculum than it seems at first blush.

Users are still idiots, cough up personal data despite warnings, Ars Technica

TCLP 2010-08-15 News

This is news cast 222, an episode of The Command Line Podcast.

In the intro, letting everyone know Dragon*Con is coming up. I’ll be taking a little more time this year off from the show to prepare for my travel there. There will be no news cast on either September 29th or the 5th. There will be no feature cast on the 1st and possibly the 8th, depending on what recordings I come back with and how much work they need.

This week’s security alerts are first Android SMS trojan and a vulnerability in OpenSSL 1.0.

In this week’s news artificial life evolves a basic memory, John Doe who challenged the FBI freed to speak, touch screens open to smudge attack, and the state of 3D printing. The book I mention in the a-life segment is “Complexity” by Mitch Waldrop.

Following up this week just the announcement of what Google and Verizon were up to. There was an op-ed from the two CEOs though I don’t think it added anything. There was also a ton of analysis and commentary though I am going to recommend that from EFF’s Cindy Cohn. Not surprisingly, Google has already posted a defense.

[display_podcast]

View the detailed show notes online. You can also grab the flac encoded audio from the Internet Archive.

Creative Commons License

This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.

feeds | grep links > Schmidt Steps in It Again, Acting Against Broadening of the CFAA, Automate News Site Digg is Gamed, and More

“Yes Men” Using BitTorrent to Avoid Censorship

Ernesto at TorrentFreak has news of the latest with the duo who most recently drew unfortunate attention from the US Chamber of Commerce in response to them hijacking a press conference. I am surprised they didn’t try this sooner as the popular p2p technology has proven resistant to take downs, especially with the actions of the high profile Pirate Bay.

More specifically, the activists are using VODO, a BitTorrent powered platform that hooks into a variety of high profile channels including Lime Wire and The Pirate Bay. Being able to reach a larger audience than those already savvy with BitTorrent itself will help in their fund raising efforts for current and future projects.

“There are a few reasons why we chose BitTorrent. First off, it’s a way to avoid censorship,” Mike Bonanno told TorrentFreak. “This version includes video of an action against the US Chamber of Commerce that we are being sued for. No commercial outlets will touch it. We had a TV show scheduled on Planet Green and their lawyers nearly wet themselves when they heard we wanted to use footage of us making political mince-meant out of the largest lobbying organization in the world.”

Ernesto goes much deeper into the Yes Men’s views on distribution, piracy and the “copyright mafia”. Well worth a read and food for thought when consider the free speech burden that copyright and the current media distribution models impose.

“Yes Men” Use BitTorrent to Avoid Censorship, TorrentFreak

Digital Economy Act Could Spur More “Pirate” ISPs

The launch of Pirate ISP by the original Pirate Party clearly has the members of the UK Pirate Party thinking. Specifically, they expect that the Digital Economy Act may encourage smaller ISPs to crop up that also resist turning over customer data and do not retain logs.

You would think that refusing to play along with the new law’s deputization of service providers would already be out of bounds but there is apparently a loop hole related to the size of the provider.

However, the Ofcom proposals only apply to large ISPs, which the [UK] Pirate Party says will drive mid-size ISPs to break into smaller companies which fall outside the rules – creating a wave of so-called “Pirate ISPs” in the UK.

The prediction is not that unlikely. In other countries, like South Korea and France, where three strikes rules have come into play, file sharers have managed to route around those responsible for enforcing disconnection. The party specifically anticipates existing ISPs will hive off into smaller operations which also seems more likely than spinning up entirely new services, like the Swedish party did.

Digital Act to Create Pirate ISPs in UK via Slashdot.

The Pirate Party Launches an ISP

I lamented the disbanding of the Piratbyrån, fearing that without that group there would be a lack of hands on, constructive projects to test concerns with copyright. Judging by its recent actions, the original Pirate Party in Sweden is clearly stepping into this gap. Over the past few months, the party has repeatedly stepped into to support the beleaguered Pirate Bay site, a searchable directory of BitTorrent files. Most notoriously the party started hosting the site out of the Swedish Parliament, taking advantage of the immunity doing so conveys.

Their latest effort continues in this vein. As enigmax at TorrentFreak explains, the idea behind launching the Pirate ISP is to not only provide an ISP with an iron clad commitment to privacy and protecting users’ rights but to compete with existing ISPs on these very ideals. ViaEuropa, the company behind the anonymizing VPN service, iPredator, will operate the ISP. It will start small and grow slowly but with a plan to build presence throughout Sweden. It is the idea of having points of presence in multiple Swedish markets that lends credibility to the ISP as a competitive concern, not just a novelty.

Beyond refusing to give up customer information and keeping no logs whatsoever, the new ISP is set up as a lightning rod for escalating issues to constitutional debate. That provocative stance even extends to international challenges.

Nipe was also clear on how Pirate ISP would respond to outside interference, in particular that from the United States.

“They can bring on whatever they have, we will refuse to follow there. We don’t agree with what they are saying and we don’t agree with the laws they are making so if they have an issue with us, then we will have an issue – but that’s it.”

Read the rest of enigmax’s article, it is full of quotes explaining how the ISP is already prepared for the usual threats. I wish them luck and look forward to their success an all fronts, both as a valuable service I wish I could use here in the US and as a prod to upset the status quo when it comes to the interaction of copyright and digital technologies.

Anticensorship Tool Relies on Unwillingness to Block Social, User Generated Content

Nothing about Collage, developed at Georgia Tech is particularly novel, as this Networkworld article, via Slashdot, explains. At its core it uses steganography, hiding messages in other information, a technique that the researchers themselves admit isn’t secure in and of itself. This is a well known limitation of steganography, it relies on obscurity rather than provably strong measures like the non-trivial math used in modern cryptography. It does sound like the hiding extends even to trying to make the network traffic used to pass messages blend into ordinary traffic one would expect to see at social networking sites and user content sharing sites. The use of a web site testing tool, Selenium, is pretty clever actually to achieve this end.

What Collage does rely on to get past censorship is an expectation that those trying to block communications would be unwilling to enact a massive blockade on the kinds of sites through which Collage operates. Ethan Zuckerman, at the Berkman Center, refers to this as the cute cat theory. I was skeptical of Twitter’s usage during the Iranian elections until my friend, Quinn Norton, referred me to this idea.

If Collage is able to adapt in the face of partial blocking, it would probably be all that much more effective to boot. Would censors back off if they thought they’d block enough to stifle speech? The more tools there are like this, the more options those needing to get around censorship have. I could also see this as part of a layered technique, swarming through open channels, obscured ones like Collage, and encrypted ones like Tor.