13 December 2011

Filed under:   censorship   copyright   political news   privacy

How the US censors the world's internet, and the imminent law change which would make it far worse

Iprc_seized_2010_11
In case you didn't know, for over a year US Immigration and Customs Enforcement (ICE, a unit of Homeland Security) has been censoring the internet of hundreds of websites they claim to be violating copyrights, by seizing their domain names and replacing them with the above scary seizure notice. The notice is very similar to the one used in the earlier "Protect Our Children" domain seizure operation for child porn websites. They've even started targeting foreign language websites with the recent seizure of 11 Korean movie websites - using a Korean version of the seizure notice.

Last week they backed down over a single site, dajaz1.com, a popular hip hop blog. They had mistakenly shut it down for over a year, denied all due process, and hid all the details. Despite their obvious lie that none of their seizures were being challenged, they had refused to respond to requests for basic information from dajaz1's lawyer for the entire time. Now that the domain is released, the RIAA continues to threaten dajaz1 with legal action, despite no evidence of wrongdoing, for daring to compete with their business.

This isn't just problematic for reasons of fair competition, due process, and free speech, but also for privacy, as ICE's method is also a means of internet surveillance.

Today the popular sharing website Megaupload announced it is suing Universal for taking down its content from YouTube - content that Universal has no rights to whatsoever. It is this kind of thing which causes thousands of videos to be wrongfully removed every day - YouTube's takedown policy is "shoot first, ask questions never". Usually the rightful uploader can't afford the legal fees, so it's nice to see rare instances like this where the issue gets a chance in court.

These examples from the last week are excellent demonstrations of situations which will be made far worse if US laws like SOPA and PROTECTIP are passed. I previously blogged about PROTECTIP, under which US citizens could get 6 years jail for uploading a video of themselves singing a copyrighted song. SOPA, an even more draconian law, is being debated in the House of Representatives on Thursday. Here's an infographic summary of SOPA, and another summarizing the legal battle. SOPA could destroy the internet - and my language is not too strong.

The imminent passing of SOPA is highlighting the ridiculous hypocrisy of the White House on internet issues that I blogged about in August, and mainstream media is beginning to catch on to the duplicity.

While Chinese users appreciate the irony of SOPA, MPAA boss Chris Dodd actually asked, "If the Chinese censor the internet without a problem, why can't the US?".

 

Update 14 December: Amendments have been introduced that water down SOPA a bit - the jist of it remains, but it's not quite as insane. It now targets only non-US sites (since US sites can already be dealt with legally) - although for the end-user it's not at all obvious whether a site is foreign or not, and US sites will still be required to self-censor references to those foreign sites. Breaking the internet's DNS system is no longer required, but optional. Also,

Under the amended plan, which was released late Monday, a judge would have to order ad networks to stop doing business with a site “dedicated” to infringing activities. Under the original proposal, a rights holder could make those demands on an ad network or payment processor and effectively kill off the site.

The amendment, however, still gives legal immunity to financial institutions and ad networks that choose to boycott "rogue" sites."

And there are other reasons it's still a very bad law.

 

Update 10 January 2012:

 

 

12 September 2011

Filed under:   privacy

How you have no real privacy on the internet, thanks to ad networks

When I discovered this, I was shocked. Essentially, you have no privacy when you browse the internet (let alone actively communicate with it) - and you can mitigate this only by means which severly impact usability. Here's how it happens, and what you can do to protect yourself.

 

The problem

Privacy_statement
Ad companies claim that online tracking is anonymous. It's not.

The above article by a researcher at Stanford is a great explanation of what is probably the biggest problem with browsing the internet: Your visit to almost every popular website is tracked by ad networks. This interactive infographic from the Wall Street Journal demonstrates how each visit to a selection of popular kids websites is being tracked by hundreds of advertising companies. Here's a list of the top 100 webpage elements used to track you.

Companies often claim the data they collect is "anonymous" because they don't directly record your name or data directly identifying you. This is false - the data is more than enough to uniquely identify you (I'll explain how below). If desired, they can link that data to your "real-world" information - name, address etc - thereby generating a detailed profile of you and your history of browsing, purchasing, and other online interactions. There's a growing market for such services, called "de-anonymizing", a kind of data-mining that turns supposedly anonymous information into real identities.

This is just part of the larger issue of increasingly widespread privacy violations by private companies that have very little accountability.

Customer data is valued immensely by corporations, and you're giving it away constantly just by loading webpages. Imagine if someone read through your browser history every day. Major ad networks have the capability to do that, for the sites their scripts run on - that is, almost all the sites you're likely to visit. Do marketing companies and random websites really deserve your trust - that they won't use your data in an undesirable way, or hand it on to third parties? And if they're trustworthy for that (which is doubtful, since they have little or no accountability for how they use your data), do you also trust that they won't be hacked, or subverted by a rogue employee?

Privacy_pah
As a quick aside: Why should you care? The most common objection at this point is "only people with something to hide (ie. criminals) need privacy". A lot of people seem to really think that it's okay to criminalize privacy, and to look at someone with suspicion because they don't share all their photos with the world on Facebook. This view is very misguided, naive, hypocritical, and ultimately terrifying. This article in The Chronicle addresses it well. In future I'd like to publish a post on why privacy is essential to the future of the internet, but for now I'll just say, there is a basic human need for privacy, whether online or not, and it's not primarily about hiding bad things, but about reducing misunderstanding and abuse. The Urewera terror raids in New Zealand were an excellent, albeit extreme, example of how a lack of privacy can result in abuse which was very damaging to the lives of many innocent activists.

 

How the networks track you, and what you can do about it

You might think that your privacy is protected by virtue of sharing a connection (IP address) with others, or being with an ISP that gives you a dynamic IP address (an address which sometimes changes). Firstly, there are statistical methods to separate users with a known probability of correctness; more importantly, all such protection will disappear under IPv6, where there are enough addresses for every machine to have a permanent address.

But in any case, tracking companies don't even need your IP address to uniquely identify you. They can use your browser.

Even if you block cookies and hide your IP address through a proxy, you can still be uniquely identified through Javscript in your browser, in two ways: One, websites can re-create any of their cookies that you remove and block. Two, your browser provides a huge amount of information to websites. EFF's Panopticlick project demonstrates how that information is enough to uniquely identify you. The only proper protection is to completely disable Javascript - which stops most websites from displaying properly and some being readable or functional at all. Torbutton does all of the above and is widely considered the best way to protect your privacy online - but expect a frustrating experience as your browsing is much slower and websites depending on Javascript fail to work properly. So I don't use it much, instead I use a raft of browser add-ons and custom settings to make me more difficult to track (some of which make browsing more complicated and frustrating, but they also increase security). I also use PeerBlock to block loading content from known ad-network IPs (PeerBlock is very ineffective at stopping anti-piracy detection, which is what most people use it for, but it can be a minor help in increasing privacy), and Scroogle (scraped Google) to search without being logged.

Measures like this are really the only thing you can do - apart from educate your friends about why privacy on the web is important, so eventually the issue might become important enough that governments better protect the privacy of their citizens. That being said, laws aren't likely to have a huge impact, and there isn't much incentive to favour consumer privacy over corporate interests. The market will never fix itself because private information is a lemon market. In New Zealand, the Privacy Commission has done some great work but it's like trying to stop the tide.

Of course privacy from the government is another issue (an important one, which I will deal with more in another article). Preventing the government from spying on your online activity is harder still - it's possible but you need a good awareness of your exposure. Torbutton is a minimum requirement, stronger protections like Off-the-Record Messaging, friend-to-friend networking and steganography tools like OpenPuff are needed in many cases. And of course don't login to websites like Google and Facebook which provide your private data to governments via an automatic interface without needing a search warrant - so you'll also need an alternative email provider.

As you can see, this stuff is complex. One thing interested people in Wellington like myself are working on is making real privacy easier for ordinary users. We need your help - especially programmers, web designers, logo designers, marketing and communications people.

 

31 July 2011

Filed under:   privacy

Reasons why full-body scanners shouldn't be used at security checkpoints

Customs recently trialled full-body scanners at Auckland International Airport. Here's why we need to stop them being introduced in New Zealand:

  1. The most important point: It's security theatre. It doesn't actually improve security, it only makes people feel more secure. There have been multiple instances of box-cutters, razors and even pistols getting through undetected; and in any case there are various simple and undetectable methods for carrying explosives.
  2. Safety concerns
    1. The European Commission and several others have recommended they are not used on pregnant women and children.
    2. The machines are not open to scrutiny from independent researchers, the software is closed-source.
    3. If the X-ray beam is stopped for even a second, the concentrated radiation would cause serious injury. Any use of powerful X-rays is inherently dangerous. Even medical scanners have malfunctioned and caused delivered significant overdoses (causing hair loss, full-body rashes and seizures1) despite all safety precautions; even more disturbingly, in some cases overdoses were not detected for over a year. Normally the very small risk of malfunction, and the radiation dose (with its corresponding increased risk of cancer), is acceptable because of the very likely benefits; but in this case there is no direct benefit to the person being scanned.
  3. Privacy concerns
    1. Many people believe it is against their religion to expose themselves to a stranger.
    2. Machine specifications require the ability to store the images (despite TSA claiming the opposite).
    3. Airport employees have been caught using the nude pictures of women as pornography.

Scanner

References at the Wikipedia article. Which BTW is messy and biased so as always feel free to improve it!

 

22 May 2011

Filed under:   censorship   political news   privacy

German police seize political party servers

Yesterday police seized the servers of Germany's Pirate Party.

Apparently this is because the Pirate Party hosted a document collaboration tool (EtherPad, forerunner of the collaboration tools in Google Docs) - on one of their servers. Someone posted an SSL key in the (public) document, which was then used by the hacker group Anonymous to attack the website of the world's largest utility, French company EDF. EtherPad was only running on one of the servers but nevertheless police took all servers including their mail and other important infrastructure. This was in response to a request of the French police, and the German police were not legally required to comply. In fact Germany has some of the best privacy protections in the world, which makes it more shocking.

Rick Falkvinge, head of the Swedish Pirate Party, wrote:

Doing this to a democratic party — Germany’s sixth largest, actually — two days before an election is nothing short of a democratic sabotage. This shows why we must introduce understanding of information policy into the justice system all across Europe. A computer is not just something you can carry away; doing so has consequences. It is not a wrench, and yet the law (and police) treat it like any tool, just like a wrench.

Not terribly surprising that the website of the German police has been down since not long after the news was announced... The Pirate Party has distanced itself from the attacks.

 

Other references

1 page of 1