March 6, 2012

HTTPS and Tor: Working Together to Protect Your Privacy and Security Online

March 1, 2012 | By Eva Galperin

This week EFF released a new version of its HTTPS Everywhere extension for the Firefox browser and debuted a beta version of the extension for Chrome. EFF frequently recommends that Internet users who are concerned about protecting their anonymity and security online use HTTPS Everywhere, which encrypts your communications with many websites, in conjunction with Tor, which helps to protect your anonymity online. But the best security comes from being an informed user who understands how these tools work together to protect your privacy against potential eavesdroppers.

Whenever you read your email, or update your Facebook page, or check your bank statement, there are dozens of points at which potential adversaries can intercept your Internet traffic. By using Tor to anonymize your traffic and HTTPS to encrypt it, you gain considerable protection, most notably against eavesdroppers on your wifi network and eavesdroppers on the network between you and the site you are accessing. But these tools have important limitations: your ISP and the website you are visiting still see some identifying information about you, which could be made available to a lawyer with a subpoena or a policeman with a warrant.

Protecting your security and anonymity against real-time government wiretapping is considerably more difficult. In a country where ISPs are controlled by the government or vulnerable to government bullying, Internet users should be especially aware of what kinds of information are still visible to ISPs and may be subject to government surveillance. To a lesser degree, websites may be subject to the same kinds of government bullying and may be compelled to give up information about their customers.

Finally, government agencies with particularly vast resources, such as the NSA, may be able to circumvent the protection provided by Tor through what is known as the “Global Network Adversary” attack. If the Global Network Adversary (GNA) controls the relay through which you enter the Tor network and the relay through which you exit, the GNA can correlate the size and timing of your traffic to identify you on the Tor network. In this scenario, the GNA will have the origin and destination of your traffic, but if you are using HTTPS, they will not be able to read the content. You can help combat the GNA by running a Tor relay, adding to the strength and diversity of the Tor network.

EFF has put together an interactive graphic to explain the ways in which HTTPS and Tor work together to provide you with certain kinds of protection against a variety of potential adversaries. Click on the image to try it out.
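The visibility rules described above can be written down as a small model. This is an added example, not EFF's graphic or code; the observer names, field names and the simplification of the Tor circuit to one entry and one exit relay are assumptions made here.

```python
# Added illustration: which facts each observer on the path can learn,
# depending on whether HTTPS and/or Tor are in use.
CLIENT_SIDE = ("wifi", "isp", "tor_entry")     # see traffic before it enters Tor
SERVER_SIDE = ("tor_exit", "site_isp", "site")  # see traffic after it leaves Tor
OBSERVERS = CLIENT_SIDE + SERVER_SIDE

def visible(observer, https, tor):
    """Return the set of facts an observer at this position can learn."""
    if observer not in OBSERVERS:
        raise ValueError(f"unknown observer: {observer}")
    if observer in ("tor_entry", "tor_exit") and not tor:
        return set()                  # relays are not on the path without Tor
    client_side = observer in CLIENT_SIDE
    seen = set()
    # Without Tor, packet headers expose both ends to everyone on the path.
    # With Tor, each side of the circuit sees only its own end.
    if not tor or client_side:
        seen.add("client_ip")
    if not tor or not client_side:
        seen.add("destination")
    if tor:
        seen.add("tor_in_use")        # Tor traffic is recognizable on both sides
    # The site always reads the content. Anyone else reads it only where
    # neither HTTPS nor the Tor circuit encrypts it at their position.
    if observer == "site" or (not https and (not tor or not client_side)):
        seen.add("content")
    return seen

def correlating_adversary(https):
    """Adversary controlling entry and exit relays who matches size and timing."""
    return visible("tor_entry", https, True) | visible("tor_exit", https, True)

def matrix(https, tor):
    """Visibility for every observer that is actually on the path."""
    return {o: sorted(visible(o, https, tor)) for o in OBSERVERS
            if tor or not o.startswith("tor_")}

if __name__ == "__main__":
    for https in (False, True):
        for tor in (False, True):
            print(f"HTTPS={https} Tor={tor}")
            for who, facts in matrix(https, tor).items():
                print(f"  {who:10} {', '.join(facts) or '-'}")
    print("GNA with HTTPS:", sorted(correlating_adversary(True)))
```

Running it prints one table per combination; the last line shows that the correlating adversary recovers origin and destination but not content when HTTPS is on.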


Legal Censorship: PayPal Makes a Habit of Deciding What Users Can Read

February 29, 2012 | By Rainey Reitman

PayPal has instituted a new policy aimed at censoring what digital denizens can and can’t read, and they’re doing it in a way that leaves us with little recourse to challenge their policies in court. Indie publisher Smashwords has notified contributing authors, publishers, and literary agents that they would no longer be providing a platform for certain forms of sexually explicit fiction. This comes in response to an initiative by online payment processor PayPal to deny service to online merchants selling what they deem to be obscene written content. PayPal is demonstrating, again and to our great disappointment, the dire consequences to online speech when service providers start acting like content police.

Mark Coker, founder of Smashwords, described the new policy in a recent blog post. The policy would ban the selling of ebooks that contain “bestiality, rape-for-titillation, incest and underage erotica.” Trying to apply these definitions to all forms of literary expression raises questions that can only have subjective answers. Would Nabokov’s Lolita be removed from online stores, as it explores issues of pedophilia and consent in soaring, oft-romantic language? Will the Bible be banned for its description of incestuous relationships?

This isn’t the first time PayPal has tried its hand at censorship. In 2010, they cut off services to the whistleblower WikiLeaks, helping to create the financial blockade that has hamstrung the whistleblower organization. And as we explained when WikiLeaks was facing censorship from service providers: the First Amendment to the Constitution guarantees freedom of expression against government encroachment—but that doesn't help if the censorship doesn't come from the government. Free speech online is only as strong as private intermediaries are willing to let it be.

Frankly, we don’t think that PayPal should be using its influence to make moral judgments about what ebooks are appropriate for Smashwords readers. As Wendy Kaminer wrote in a foreword to Nadine Strossen’s Defending Pornography: “Speech shouldn’t have to justify itself as nice, socially constructive, or inoffensive in order to be protected. Civil liberty is shaped, in part, by the belief that free expression has normative or inherent value, which means that you have a right to speak regardless of the merits of what you say.”

But having a right to speak is not the same as having a right to be serviced by a popular online payment provider. Just as a bookseller can choose to carry or not carry particular books, PayPal can choose to cut off services to ebook publishers that don’t meet its “moral” (if arbitrary and misguided) standards.

Online payment providers like PayPal help many websites fund their very existence. As we explained in our interactive graphic Free Speech is Only as Strong as the Weakest Link, a payment provider can shut down controversial online speech by cutting off their means of financial support. And PayPal, the behemoth of online payment providers, has little incentive to compromise with small businesses that are punished through these arbitrary policies.

Unfortunately, Congress knows just how vulnerable online speech can be to the vagaries of payment providers. The Stop Online Piracy Act, defeated earlier this year after Internet-wide protests, contained language that would have allowed individuals and companies to cut off financial support for a website simply by sending an infringement notice to its payment providers or ad networks. No judge or jury would have been required.

The censorship of Smashwords is a blow to free speech and adds to the ever-growing list of examples of payment providers turned into content police.
