March 6, 2012

HTTPS and Tor: Working Together to Protect Your Privacy and Security Online

March 1, 2012 | By Eva Galperin

This week EFF released a new version its HTTPS Everywhere extension for the Firefox browser and debuted a beta version of the extension for Chrome. EFF frequently recommends that Internet users who are concerned about protecting their anonymity and security online use HTTPS Everywhere, which encrypts your communications with many websites, in conjunction with Tor , which helps to protect your anonymity online. But the best security comes from being an informed user who understands how these tools work together to protect your privacy against potential eavesdroppers.

Whenever you read your email, or update your Facebook page, or check your bank statement, there are dozens of points at which potential adversaries can intercept your Internet traffic. By using Tor to anonymize your traffic and HTTPS to encrypt it, you gain considerable protection, most notably against eavesdroppers on your wifi network and eavesdroppers on the network between you and the site you are accessing. But these tools have important limitations: your ISP and the website you are visiting still see some identifying information about you, which could be made available to a lawyer with a subpoena or a policeman with a warrant.

Protecting your security and anonymity against real-time government wiretapping is considerably more difficult. In a country where ISPs are controlled by the government or vulnerable to government bullying, Internet users should be especially aware of what kinds of information is still visible to ISPs and may be subject to government surveillance. To a lesser degree, websites may be subject to the same kinds of government bullying and may be compelled to give up information about their customers.

Finally, government agencies with particularly vast resources, such as the NSA, may be able to circumvent the protection provided by Tor through what is known as the “Global Network Adversary” attack. If the Global Network Adversary (GNA) controls the relay through which you enter the Tor network and the relay through which you exit, the GNA can correlate the size and timing of your traffic to identify you on the Tor network. In this scenario, the GNA will have the origin and destination of your traffic, but if you are using HTTPS, they will not be able to read the content. You can help combat the GNA by running a Tor relay, adding to the strength and diversity of the Tor network.

EFF has put together an interactive graphic to explain the ways in which HTTPS and Tor work together to provide you with certain kinds of protection against a variety of potential adversaries. Click on the image to try it out.

Permalink • Print • Comment

Legal Censorship: PayPal Makes a Habit of Deciding What Users Can Read

February 29, 2012 | By Rainey Reitman

Legal Censorship: PayPal Makes a Habit of Deciding What Users Can Read

PayPal has instituted a new policy aimed at censoring what digital denizens can and can’t read, and they’re doing it in a way that leaves us with little recourse to challenge their policies in court. Indie publisher Smashwords has notified contributing authors, publishers, and literary agents that they would no longer be providing a platform for certain forms of sexually explicit fiction. This comes in response to an initiative by online payment processor PayPal to deny service to online merchants selling what they deem to be obscene written content. PayPal is demonstrating, again and to our great disappointment, the dire consequences to online speech when service providers start acting like content police.

Mark Coker, founder of Smashwords, described the new policy in a recent blog post. The policy would ban the selling of ebooks that contain “bestiality, rape-for-titillation, incest and underage erotica.” Trying to apply these definitions to all forms of literary expression raise questions that can only have subjective answers. Would Nabokov’s Lolita be removed from online stores, as it explores issues of pedophilia and consent in soaring, oft-romantic language? Will the Bible be banned for its description of incestuous relationships?

This isn’t the first time PayPal has tried its hand at censorship. In 2010, they cut off services to the whistleblower WikiLeaks, helping to create the financial blockade that has hamstrung the whistleblower organization. And as we explained when WikiLeaks was facing censorship from service providers: the First Amendment to the Constitution guarantees freedom of expression against government encroachment—but that doesn't help if the censorship doesn't come from the government. Free speech online is only as strong as private intermediaries are willing to let it be.

Frankly, we don’t think that PayPal should be using its influence to make moral judgments about what ebooks are appropriate for Smashwords readers. As Wendy Kaminer wrote in a forward to Nadine Strossen’s Defending Pornography: “Speech shouldn’t have to justify itself as nice, socially constructive, or inoffensive in order to be protected. Civil liberty is shaped, in part, by the belief that free expression has normative or inherent value, which means that you have a right to speak regardless of the merits of what you say.”

But having a right to speak is not the same as having a right to be serviced by a popular online payment provider. Just as a bookseller can choose to carry or not a carry particular books, PayPal can choose to cut off services to ebook publishers that don’t meet its “moral” (if arbitrary and misguided) standards.

Online payment providers like PayPal help many websites fund their very existence. As we explained in our interactive graphic Free Speech is Online as Strong as the Weakest Link , a payment provider can shut down controversial online speech by cutting off their means of financial support. And PayPal, the behemoth of online payment providers, has little incentive to compromise with small businesses that are punished through these arbitrary policies.

Unfortunately, Congress knows just how vulnerable online speech can be to the vagaries of payment providers. The Stop Online Piracy Act , defeated earlier this year after Internet-wide protests, contained language that would have allowed individuals and companies to cut off financial support for a website simply by sending an infringement notice to its payment providers or ad networks. No judge or jury would have been required.

The censorship of Smashwords is a blow to free speech and adds to the ever-growing list of examples of payment providers turned into content police.

Permalink • Print • Comment

February 28, 2012

Government Pressures Twitter to Hand Over Keys to Occupy Wall Street Protester’s Location Data Without a Warrant

February 21, 2012 | By Hanni Fakhoury

On October 1, 2011, over 700 Occupy Wall Street protesters were arrested on the Brooklyn Bridge. Most of the protesters, including Malcolm Harris, were charged with the mundane crime of disorderly conduct, a "violation" under New York law that has a maximum punishment of 15 days in jail or a $250 fine

And yet on the basis of a charge no more consequential than speeding ticket, the New York City District Attorney's office sent a poorly worded subpoena to Twitter requesting "any and all user information, including email address, as well as any and all tweets posted for the period of 9/15/2011-12/31/2011" regarding Mr. Harris' Twitter account, @destructuremal. Unsurprisingly, the government wanted to keep it quiet, but thankfully Twitter didn't listen. Instead, as it has consistently warned law enforcement, Twitter notified Mr. Harris, who through his lawyer, Martin Stolar of the National Lawyers Guild, has moved to challenge the subpoena in court.

The subpoena is astonishing not only for its poor grammar, but also for the breadth of information the government wants for a trivial crime that hardly requires it. The government's request that Twitter hand over Tweets is unlikely to succeed because consistent with the Stored Communications Act, Twitter releases "contents of communication" (effectively Tweets and private messages between Twitter users) only with a search warrant. In any event, Mr. Harris' account is "public", meaning the government could obtain Tweets simply by checking out Mr. Harris' Twitter feed. Plus, requesting Tweets only highlights the absurdity of the entire situation: why would the government need Tweets from both before and after the October 1 protest to prove he was obstructing traffic on the bridge? Government fishing expeditions like this raise serious First Amendment concerns. Mr. Harris was very outspoken about his support of and involvement in the Occupy Wall Street movement. With this overbroad subpoena, the government would be able to learn about who Mr. Harris was communicating with for an extensive period of time not only through Tweets, but through direct messages. And with the government's request for all email addresses associated with @destructuremal, they could subpoena Mr. Harris' email provider to get even more information about who he communicated with. The First Amendment shouldn't be trampled with only an expansive subpoena in a case that barely registers as "criminal."

Given that much of Mr. Harris' Twitter information (like Tweets and followers) is already public, it's very likely that the government was really after something else: location data. By attempting to subpoena these records, the government can get around the Fourth Amendment's prohibition against warrantless searches by requesting information that includes IP addresses. Twitter keeps track of IP address information regarding every time a person logged into Twitter, as well as the IP address information related to a Twitter user's direct messages to other users, and the date and time information related to these log ins and direct messages. Armed with IP addresses, the government — without a warrant — can go to an ISP to determine who was assigned that particular IP address. And if that person connected on a mobile device — which is where the majority of Twitter users access their accounts — the ISP will hand over to the government the specific cell tower (and its corresponding geographic location) which that person used to access Twitter. This allows the government to piece together a map of where a person physically is when he opens Twitter on his smartphone, sends a direct message to a friend, or Tweets. And with that information, the government could get a record of Mr. Harris' movement over the three months it requested from Twitter. It's no surprise then that the government singled out Mr. Harris for this request: he currently has over 1,500 followers and 7,200 Tweets. 

Allowing the government to gets its hands on this data with nothing more than an administrative subpoena renders the Fourth Amendment meaningless. Only with the protection of a search warrant, and the heightened judicial supervision that comes along with it, can the voracious appetite of law enforcement be curbed. As we've consistently argued, the Fourth Amendment protects this information. But another way to impose privacy protection from the prying hands of law enforcement is through Congressional reform of the badly outdated Electronic Communications Privacy Act ("ECPA"). As part of the Digital Due Process coalition, EFF has been calling for Congress to update ECPA to conform with the realities of the 21st century. 

It looks like judicial momentum may finally be on our side. In January of this year, the United States Supreme Court issued a landmark decision in United States v. Jones (PDF), ruling that law enforcement could not physically install a GPS device on private property without a search warrant. The majority opinion resolved the Fourth Amendment issue by looking exclusively at the physical installation of the GPS device. Importantly, however, in a concurring opinion, Justice Sotomayor warned that "physical intrusion is now unnecessary to many forms of surveillance." Collecting IP addresses of a prolific Tweeter, and matching it with other easily obtainable information from other service providers, demonstrates this problem. In writing that society is unlikely to accept extensive warrantless surveillance as "reasonable", Justice Sotomayor called into question "the appropriateness of entrusting to the Executive, in the absence of any oversight from a coordinate branch, a tool so amenable to misuse, especially in light of the Fourth Amendment’s goal to curb arbitrary exercises of police power to and prevent 'a too permeating police surveillance.'” Similarly, Justice Alito's concurring opinion noted that with "dramatic technological change, the best solution to privacy concerns may be legislative." 

Hopefully with the public breathing down its neck, Congress can finally act to fix a antequated set of laws. Malcolm Harris, like Birgitta Jonsdottir before him, took a stand to protect our privacy rights. You can too by telling Congress that its time to update ECPA and tell law enforcement once and for all that in order to get a person's location data, it needs to come back with a warrant. 

Permalink • Print • Comment

White House, Google, and Other Advertising Companies Commit to Supporting Do Not Track

February 23, 2012 | By Rainey Reitman

When Stanford researcher Jonathan Mayer uncovered a Google workaround to circumvent the default privacy settings on Safari, EFF called on Google to change their tune on privacy by respecting the Do Not Track flag and building it into the Chrome browser. We specifically praised the World Wide Web Consortium (W3C) multi-stakeholder process, which for a year has been convening consumer advocates, Internet companies, and technologists to craft how companies that receive the Do Not Track signal should respond. Today, in conjunction with the White House’s new publication Consumer Data Privacy in a Networked World (PDF), the Digital Advertising Alliance (DAA) announced (PDF) that it will embrace Do Not Track. (The DAA is the latest self-regulatory organization for online advertising companies.) This is a big step in the right direction for securing user privacy rights in the digital environment, but we’ve still got a long way to go. And, unfortunately, it looks like online advertisers are already working to water down the Do Not Track protections.

There are two parts to Do Not Track: technology and policy. The technology, a simple HTTP header (“DNT: 1”), allows a consumer to signal her privacy preference. The policy specifies what companies can and can’t do when they receive the signal. Read more.

Today’s announcements are great news for the Do Not Track technology. Google, a member of the DAA, has committed to add the feature to Chrome. While we haven’t seen the user interface, presumably it’ll be a one-click check box easily accessible through your browser settings, similar to what other browsers offer. Even better, Google and other members of the DAA — including Yahoo!, Microsoft, and AOL — are committing to adding support for the Do Not Track technical signal.

Today also brought good news for enforcing Do Not Track. The White House recognized that user privacy protections are nearly useless without a method of enforcement, so it has reaffirmed that companies that commit to respecting Do Not Track will be subject to Federal Trade Commission (FTC) enforcement.

Time to celebrate? Should we declare February 23rd V-DNT Day? Not quite. While today was a great advancement on the Do Not Track technology, it did not meaningfully move the ball forward on the Do Not Track policy. Even as Google and the other giant advertisers make strong gestures toward giving users meaningful choice when it comes to online tracking, portions of today’s two announcements are also undermining some of the most powerful consumer protections. Specifically:

Favoring industry-crafted standards

The W3C is a long-respected Internet governance body that brings together a wide range of stakeholders — including civil liberties advocates, engineers, and industry representatives — to reach accord about standards affecting the future of the Internet. EFF and lots of other consumer groups are involved in the process, and anybody can read up on what’s happening through the publicly available meeting notes. For a year, W3C has been working to pin down how various websites should respect the Do Not Track header. Internet companies, including Google, have been actively participating.

The DAA, on the other hand, is an industry group for online advertisers. It includes no consumer advocates or regulators and it doesn’t offer an opportunity for public participation in their decision-making process. Historically, the DAA has eschewed providing users with powerful mechanisms for choices when it comes to online tracking. The self-regulatory standards for behavioral advertising have offered consumers a way to opt out of viewing behaviorally targeted ads without actually stopping the online tracking which is the root of the privacy concern.

While we appreciate that DAA is interested in respecting the Do Not Track flag, it’s important that they engage with the larger Internet community in doing so. DAA should use the W3C for the purposes of defining Do Not Track and determining how websites that receive this signal should react. And the White House, similarly, should turn to the well-established W3C multi-stakeholder process for addressing these issues.

Chipping away at Do Not Track’s simplicity

If you’re using the most recent version of Firefox, you can turn on Do Not Track by going into your preferences and checking the box that says “Tell websites I do not want to be tracked.”  Pretty straightforward, from a user’s standpoint. But DAA is trying to tamper with this simplicity. In its statement, the coalition of online advertisers say that they'll respect Do Not Track where a consumer "has been provided language that describes to consumers the effect of exercising such choice including that some data may still be collected." Then they noted their intention to “begin work immediately with browser providers to develop consistent language across browsers.”

The most skeptical interpretation of this statement is that the straightforward language for turning on Do Not Track might turn into some slippery legalese that doesn’t promise to do much of anything about tracking. We hope that’s not the case; much of Do Not Track’s power came from its straightforward, human-readable format.

No privacy-protective default settings

The DAA added another exception into their promise to respect Do Not Track: they won’t respect the setting unless a user affirmatively chooses Do Not Track and won’t respect it if “any entity or software or technology provider other than the user exercises such a choice.” This seems geared toward preventing a privacy-protective browser from turning Do Not Track on by default.

It’s important that advertising companies remember that users can express a preference simply by choosing a privacy-protective browser. In the same way many users may have chosen the Safari browser because of its privacy-protective policies regarding third-party tracking, many users in the future might affirmatively choose a browser that has Do Not Track enabled by default. 

While there remain serious concerns about attempts to water down enforceable tracking protection for consumers, one thing is clear: Today represents a powerful step forward in helping users protect their online privacy. We applaud Google’s decision to implement Do Not Track in the Chrome browser, and we’re looking forward to collaborating with the DAA and other stakeholders in the W3C to communicate the concerns of users and advocates in online tracking issues.

Permalink • Print • Comment

Google Circumvents Safari Privacy Protections – This is Why We Need Do Not Track

February 16, 2012 | By Peter Eckersley and Rainey Reitman and Lee Tien

Earlier today, the Wall Street Journal published evidence that Google has been circumventing the privacy settings of Safari and iPhone users, tracking them on non-Google sites despite Apple's default settings, which were intended to prevent such tracking.

This tracking, discovered by Stanford researcher Jonathan Mayer, was a technical side-effect—probably an unintended side-effect—of a system that Google built to pass social personalization information (like, “your friend Suzy +1'ed this ad about candy”) from the google.com domain to the doubleclick.net domain. Further technical explanation can be found below.

Coming on the heels of Google’s controversial decision to tear down the privacy-protective walls between some of its other services, this is bad news for the company. It’s time for Google to acknowledge that it can do a better job of respecting the privacy of Web users. One way that Google can prove itself as a good actor in the online privacy debate is by providing meaningful ways for users to limit what data Google collects about them. Specifically, it’s time that Google's third-party web servers start respecting Do Not Track requests, and time for Google to offer a built-in Do Not Track option.

Meanwhile, users who want to be safe against web tracking can't rely on Safari's well-intentioned but circumventable protections. Until Do Not Track is more widely respected, users who wish to defend themselves against online tracking should use AdBlock Plus for Firefox or Chrome, or Tracking Protection Lists for Internet Explorer.1 AdBlock needs to be used with EasyPrivacy and EasyList in order to offer maximal protection.

Technical details: Google tries to poke a small hole in Safari's privacy protections, but the hole becomes very large

The Safari and iOS browsers have a useful privacy feature: they automatically reject third-party tracking cookies unless a user actively interacts with a widget or clicks on the third party's ads. This is a big step up from the default settings on most browsers. Advertisers typically use tracking cookies to create an invisible record of your online browsing habits, and large advertisers can track you across huge swaths of the web. Safari offers some protection against this type of passive tracking: it specifically prevents a site from setting cookies unless those cookies are from a domain name that you have visited or interacted with directly.

As Google engineers were building the system for passing facts like "your friend Suzy +1'ed this ad" from google.com to doubleclick.net, they would have likely realized that Safari was stopping them from linking this data using third-party DoubleClick cookies. So it appears they added special JavaScript code that tricked Safari into thinking the user was interacting with DoubleClick,2 causing Safari to allow the cookies that would facilitate social personalization (and perhaps, at some point, other forms of pseudonymous behavioral targeting). This was a small hole in Safari's privacy protections.

Unfortunately, that had the side effect of completely undoing all of Safari's protections against doubleclick.net. It caused Safari to allow other DoubleClick cookies, and especially the main "id" tracking cookie that Safari normally blocked. Like a balloon popped with a pinprick, all of Safari's protections against DoubleClick were gone.

The Wall Street Journal has an excellent infographic explaining this process.

The right hand is not talking to the left

Public statements by Google have indicated that parts of the company had a fairly good understanding of Safari's privacy protections:

In the screenshot above, Google states: “While we don’t yet have a Safari version of the Google advertising cookie opt-out plugin, Safari is set by default to block all third party cookies. If you have not changed those settings, this option effectively accomplished the same thing as setting the opt-out cookie.” If only that had stayed true.

Safari gives users an opportunity to block passive tracking by online advertisers. Google's decision to route around those settings took it down a dangerous road. Any code that was specifically designed to circumvent privacy protection features should have triggered a much higher level of review and caution, and that clearly did not happen.

Can Advertisers Learn That "No Means No" (PDF), a research study on flash cookies published in 2011, characterized online advertisers who used flash cookies to override user privacy settings as paternalistic:

Advertisers see individuals as objects. When conceived of as objects, consumers’ preferences no longer matter. Privacy can be coded into oblivion or be circumvented with technology. Our 2009 and 2011 work empirically demonstrates that advertisers implement paternalistic judgments that subjects of targeted marketing cannot make proper judgments for themselves.

Today, Google looks just as paternalistic as ad networks setting flash cookies to outfox people who try to delete their cookies.

People around the world rely on Safari to browse the web, including iPhone users, whose choices are severely limited by Apple's walled garden. That’s a lot of people who are denied a voice when it comes to online tracking.

It’s Time for Google to Make Amends: an Open Letter to Google

Google, the time has finally come. You need to make a pro-privacy offering to restore your users’ trust.

Internet users worldwide have loved your products for years, and we’ve often praised your stance on free expression and transparency and your efforts to limit government access to users’ information. But when it comes to consumer choice around privacy, your commitment to users has been weaker. That’s bad for users, for the future of the Internet, and ultimately, for you. We need to create an Internet that gives users meaningful choice about sharing their personal data, and we need your help to do it.

It’s time for a new chapter in Google’s policy regarding privacy. It’s time to commit to giving users a voice about tracking and then respecting those wishes.

For a long time, we’ve hoped to see Google respect Do Not Track requests when it acts as a third party on the Web, and implement Do Not Track in the Chrome browser. This privacy setting, available in every other major browser, lets users express their choice about whether they want to be tracked by mysterious third parties with whom they have no relationship. And even if a user deleted her cookies, the setting would still be there.

Right now, EFF, Google, and many other groups are involved in a multi-stakeholder process to define the scope and execution of Do Not Track through the Tracking Protection Working Group. Through this participatory forum, civil liberties organizations, advertisers, and leading technologists are working together to define how Do Not Track will give users a meaningful way to control online tracking without unduly burdening companies. This is the perfect forum for Google to engage on the technical specifications of the Do Not Track signal, and an opportunity to bring all parties together to fight for user rights. While the Do Not Track specification is not yet final, there's no reason to wait. Google has repeatedly led the way on web security by implementing features long before they were standardized. Google should do the same with web privacy. Get started today by linking Do Not Track to your existing opt-out mechanisms for advertising, +1, and analytics.

Google, make this a new era in your commitment to defending user privacy. Commit to offering and respecting Do Not Track.

  • 1. As this blog goes to press, we are unsure whether ad blockers for Safari can prevent the browser from sending requests, which is essential for this kind of privacy protection to be effective.
  • 2. The code was web developers call a "hidden form submission", contained in a DoubleClick iframe. This code was only sent to Apple's browsers: Mayer tested 400 user-agent strings, and found that only Safari received the JavaScript that performed hidden form submissions.

Permalink • Print • Comment
« Previous PageNext Page »
Made with WordPress and the Semiologic theme and CMS • Sky Gold skin by Denis de Bernardy