Computer Security Session 4: Surveillance and Privacy

Standard

Who wants to track you?

  • The government and law enforcement
  • Private companies (to sell you things and learn your shopping habits)
  • Criminals (to learn your patterns)
  • Friends, family and potential friends (“Facebook helps you connect and share with the people in your life.”)
  • Stalkers

How can you be tracked?

  • Data traces left on your computer (e.g. browsing history, browser cache)
  • Interactions with your Internet Service Provider (ISP)
  • “Like” buttons and advertisements
  • Browser toolbars
  • Keyloggers
  • Logs on the websites you visit
  • Wifi (and wired) snooping
  • Mysterious shadowy government projects that may or may not exist

Local Computer Privacy

There are many “digital traces” you leave behind when using a computer. This can make it difficult if you would prefer to keep your computer usage private.

Here are a few of the digital traces left behind. There are many others.

Browser caches

By default, web browsers use cache files to speed up repeated access to web pages. They also record your browsing history and can leave other file traces on your computer.

Most browsers give you options to clear your browser history. Some have a “private browsing mode” that attempts to reduce the traces left on your computer.

Deleted files

Deleted files on your computer are often retrievable, even if you empty the Recycle Bin. For example, see PhotoRec (http://www.cgsecurity.org/wiki/PhotoRec). Some programs promise to reduce retrievability by overwriting the file location on disc several times. Some utilities are documented on the Electronic Frontier Foundation site: https://ssd.eff.org/tech/deletion

Digital forensics can be used to retrieve information about your files and computer usage. These techniques can get subtle, but they also get expensive.

When donating a hard drive to somebody else, it is wise to run a disk wiping program such as DBAN http://dban.sourceforge.net.

Cookies

In computer terms, a cookie is a piece of data stored on your computer that helps a website track your status. Cookies are usually necessary in order to log into websites, but they can also be used to track your behaviour.

The Firefox web browser has a “Do Not Track” feature, but it is not clear whether Internet sites respect this. See: http://dnt.mozilla.org

Some cookies are persistent. There are even (proof of concept?) super-cookies that are very resistant to removal. See: http://samy.pl/evercookie/

Local Encryption

Usually, your files can be accessed by anyone with physical access to your computer. If you wish to protect files even under physical access, programs like Truecrypt (http://truecrypt.org) can create encrypted shares for your files. There are similar programs built into modern operating systems.

Online Privacy and Tracking

When you connect to a website (or other Internet service) that service collects and records information about your interaction, including the time you accessed the resource, the resource you accessed, and your IP Address. Government authorities (or lawyers seeking evidence for lawsuits) can then demand this information from the remote website.

Similarly, ISPs record information about your interactions online.

If your communications are not encrypted, then more data can be tracked by more parties. Techniques such as deep packet inspection can be used to determine what programs you are using, and what content you are accessing.

Marketing

When you are logged into a social networking or e-mail site (Facebook, GMail, LinkedIn, etc) companies correlate your surfing habits with your identity. (It is no accident that these websites want you to remain logged into their services at all times.)

Much of the information you share on social networks can be shared with others. Some social media sites give you controls over this, but read the fine print.

Even if you are not logged into these sites, badges and buttons displayed on webpages (“Like” buttons, web advertisements) report information about your surfing behaviour correlated to your IP address. There are some plugins that attempt to reduce this tracking: https://disconnect.me , http://www.ghostery.com/ , http://sharemenot.cs.washington.edu/

Web toolbars (Yahoo! Toolbar, Google Toolbar) also track your activities when you are surfing the Internet.

Even when this information does not identify you personally, in the aggregate it can be used to target you fairly precisely: http://www.nytimes.com/2012/02/19/magazine/shopping-habits.html

Anonymous Proxies

Some sites and services offer anonymous proxies to get around censorship and promote privacy. You should be sure to trust these proxies before using them — they often can track your whereabouts, and thus can have their logs seized.

The TOR project https://tor.eff.org promises a mechanism to surf the Internet anonymously in such a way that even other members of the communication path will not be able to identify you. However, one common response by websites is to block known TOR nodes.

For more information about proxies and circumventing digital surveillance, see this guide by the Citizen Lab at the University of Toronto: http://citizenlab.org/guides/everyones-guide-english.pdf

Legislation

As governments become more concerned about internet activities, laws are being changed to both increase surveillance and (in a few cases, such as with medical records) increase privacy obligations. Many surveillance-related pieces of legislation are motivated by national security, terrorism, and efforts to combat child pornography, but the effects of this legislation can be far-reaching.

Lawful Access Legislation

Bill C-30 ( Protecting Children from Internet Predators Act) is currently under consideration by the Canadian parliament. It includes a number of measures to mandate ISP surveillance for law enforcement agencies.

http://www.parl.gc.ca/HousePublications/Publication.aspx?Docid=5380965&file=4

Some of these measures include:

  • Section 16: The ability for police to gather information about subscribers (cellphones and computers) on a network, specificially name, address, IP address, e-mail address, telephone number, and identifying information about the ISP. This is available without a warrant.

  • Section 6.2: ISPs will be obligated to track user activity, and hand over these logs to law enforcement with a warrant, and comply with any “confidentiality or security measures” associated with this action.

  • Section 6.3-4: ISPs that encrypt traffic between you and the ISP (for example, Blackberry Enterprise Server) will be forced to decrypt and hand over such information to law enforcement upon request. If ISPs have the ability to decrypt data they must share this ability with law enforcement.

US Patriot Act

The US Patriot Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act) has provisions that allow the FBI to access records held on US servers without notifying the owners of those records. (Section 215)

Many Canadians feel wary about storing data on US servers for this reason. On the other hand, the Privacy Commissioner of Canada has made rulings that state Canadian companies outsourcing to US providers does not violate Canadian privacy laws: for example http://www.priv.gc.ca/cf-dc/2005/313_20051019_e.cfm A similar ruling was made with respect to canada.com moving to a US email provider: http://www.cippic.ca/uploads/OPC_Findings-canada.com.pdf .

US FISA

The United States also has the Foreign Intelligence Surveillance Act. This Act allows the President of the United States to authorize warrantless wiretapping of communications between non-US Citizens. For a broader overview, see https://en.wikipedia.org/wiki/NSA_warrantless_surveillance_controversy

Who cares?

It has become trendy to believe that privacy does not matter. Does it?

  • Some people value privacy because they are working to end unfair or oppressive practices. If those are they only people who take steps to protect their privacy then they stick out.

  • Maybe you should not want marketers to be too effective. Their interest is in selling you goods and services, not in your financial well being.

  • Some aspects of innovation (academic publication, patents) are based on the premise of being the first to invent a new idea. Surveillance undermines this premise. Similarly, we have certain data (passwords, for example) which are supposed to be secret in order to work.

Creative Commons Licence
This work by KW Freeskool is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

Advertisements

Comments are closed.