
There is no such thing as anonymous online tracking A 1993 New Yorker cartoon famously proclaimed, "On the Internet, nobody knows you're a dog." The Web is a very different place today; you now leave countless footprints online. You log into websites. You share stuff on social networks. You search for information about yourself and your friends, family, and colleagues. In the language of computer science, clickstreams — browsing histories that companies collect — are not anonymous at all; rather, they are pseudonymous. Will tracking companies actually take steps to identify or deanonymize users? Regardless, what I will show you is that if they’re not doing it, it’s not because there are any technical barriers. Here are five concrete ways in which your identity can be attached to data that was initially collected without identifying information. 1. Most of the companies with the biggest reach in terms of third-party tracking, such as Google and Facebook, are also companies that users have a first-party relationship with.
Web 2.0 Suicide Machine - Meet your Real Neighbours again! - Sign out forever! Who is Neustar? Brad Stone at the New York Times reports on an industry group working on a new platform for portable digital movie downloads: The [Digital Entertainment Content Ecosystem or DECE] is setting out to create a common digital standard that would let consumers buy or rent a digital video once and then play it on any device... Under the proposed system, proof of digital purchases would be stored online in a so-called rights locker, and consumers would be permitted to play the movies they bought or rented on any DECE-compatible device. Most consumers have likely never heard of Neustar, yet the firm plays an important role in the telecommunications industry, and has built a highly profitable business facilitating the disclosure of information regarding consumers' communications to law enforcement and intelligence agencies. How many times a year does Neustar hand over information on individuals to law enforcement and intelligence agencies? On the firm's website, Neustar describes its LEAP service:
The Intimate Social Graph October 14, 2010, 11:02 AM — For a number of years I have had a privacy concern that is just now beginning to peep into view on the Internet at large. Around 2001 I spent some time in a casual multiuser game hosted by PopCap. It featured a way that two players could chat in a private space while playing the game. The game was centrally hosted: each user's local Java applet talked with a PopCap server, so every keystroke typed in those private conversations was sent up to the server and back out to the other party's client. I wondered at the time: were those conversations being stored? The privacy of one-to-one communications in Facebook messages, LinkedIn InMail and Twitter direct messages is protected mainly under the Electronic Communications Privacy Act (ECPA). Fast-forward to 2010. Of course the privacy of social networking data is dependent on security. Users of Facebook and LinkedIn can choose which information appears on their public pages for all the world to see.
UltraViolet shines light on locker in the cloud UltraViolet is the consumer brand for an ambitious initiative from the Digital Entertainment Content Ecosystem, a cross-industry consortium including major media companies, consumer electronics manufacturers and digital rights management providers. It aims to provide a system to allow consumers to share digital media they purchase in a controlled manner. UltraViolet will provide a centralized licence locker that grants access to material on compatible devices registered to a household account. It sounds fine in principle but there could be problems in practice. The UltraViolet licensing programme for media, technology and service providers has now opened. The technical specifications include a common file format for downloads, designed to work with multiple digital rights management systems. The centralized UltraViolet license broker will be developed and operated by Neustar, a directory and registry operator for telephony and internet services. www.uvvu.com
Thoughts on the DOJ wikileaks/twitter court order The world's media has jumped on the news that the US Department of Justice has sought and obtained a court order seeking to compel Twitter to reveal account information associated with several of its users who are associated with Wikileaks. Communications privacy law is exceedingly complex, and unfortunately, none of the legal experts who actually specialize in this area (people like Orin Kerr, Paul Ohm, Jennifer Granick and Kevin Bankston) have yet chimed in with their thoughts. As such, many commentators and journalists are completely botching their analysis of this interesting event. While I'm not a lawyer, the topic of government requests to Internet companies is the focus of my dissertation, so I'm going to try to provide a bit of useful analysis. However, as always, I'm not a lawyer, so take this with a grain of salt. A quick introduction to the law The order to twitter It is the second part of the order that is more interesting. Reading between the lines
Google+ and Privacy: A Roundup July 3, 2011 at 7:04 pm By all accounts, Google has done a great job with Plus, both on privacy and on the closely related goal of better capturing real-life social nuances. [1] This article will summarize the privacy discussions I’ve had in the first few days of using the service and the news I’ve come across. The origin of Circles “Circles,” as you’re probably aware, is the big privacy-enhancing feature. But Adams defected to Facebook a few months later, which led to speculation that it was the end of whatever plans Google may have had for the concept. Meanwhile, Facebook introduced a friend-lists feature but it was DOA. Why are circles effective? I did an informal poll to see if people are taking advantage of Circles to organize their friend groups. One obvious explanation is that Circles captures real-life boundaries, and this is what users have been waiting for all along. There are several other UI features that contribute to the success of Circles. The resharing bug
Free Dropbox Forensics Tool Dropbox Reader is a set of Python scripts for forensic investigators. The scripts provide investigators with information about a particular Dropbox user’s account and activities, such as the registration e-mail, Dropbox identifier and most recently changed files. Dropbox Reader was created by Cybermarshal, the computer forensics wing of ATC-NY. Here’s a list and description of the tools from the product website: read_config script outputs the contents of the Dropbox config.db file in human-readable form. DOJ Wants to Know Who’s Rejecting Your Friend Requests In the latest turn in our Freedom of Information Act (FOIA) lawsuit for records related to the government’s use of social networking websites, the Department of Justice finally agreed to release almost 100 pages of new records. These include draft search warrants and affidavits for Facebook and MySpace and several PowerPoint presentations and articles on how to use social networking sites for investigations. (For more on what we've learned from the documents so far, see our earlier blog posts here, here, here, here, here, and here.) The draft search warrants are particularly interesting because they show the full extent of data the government regularly requests on a person it’s investigating. As of December 2009, Facebook is technically limited in its ability to provide complete IP logs (IP logs that contain content and transactional information, in addition to login IPs). See the documents linked below for more. - Facebook Warrant, Affidavit, and Usage Notes
Android phones keep location cache, too, but it's harder to access After this week's disturbing revelation that iPhones and 3G iPads keep a log of location data based on cell tower and WiFi base station triangulation, developer Magnus Eriksson set out to demonstrate that Android smartphones store the exact same type of data for their location services. While the data is harder to access for the average user, it's as trivial to access for a knowledgeable hacker or forensics expert. On Wednesday, security researchers Alasdair Allan and Pete Warden revealed their findings that 3G-capable iOS devices keep a database of location data based on cell tower triangulation and WiFi base station proximity in a file called "consolidated.db." The iPhone, as well as 3G-equipped iPads, generate this cache even if you don't explicitly use location-based services. This data is also backed up to your computer every time it is synced with iTunes. Eriksson suspected that his Android device collected similar information.
DHS Monitoring Of Social Media Under Scrutiny By Lawmakers WASHINGTON -- Lawmakers looking into homeland security officials' practice of monitoring social media sites seized on a report Thursday by a civil liberties group that said taxpayers have shelled out more than $11 million to a private contractor to analyze online comments that "reflect adversely" on the federal government. In a rare show of bipartisan agreement, members of the House Homeland Security Subcommittee on Counterterrorism and Intelligence held up a report by the Electronic Privacy Information Center (EPIC) as they questioned the chief privacy officer of the Department of Homeland Security. The hearing, titled "DHS Monitoring of Social Networking and Media: Enhancing Intelligence Gathering and Ensuring Privacy," relied heavily on talking points from a recent EPIC report on nearly 3,000 pages of documents it obtained under a Freedom of Information Act lawsuit. Rep. They repeated their concerns in a letter they sent to DHS Thursday.
Mobile Surveillance - A Primer Mobiles can be useful tools for collecting, planning, coordinating and recording activities of NGO staff and activists. But did you know that whenever your phone is on, your location is known to the network operator? Or that each phone and SIM card transmits a unique identifying code, which, unless you are very careful about how you acquire the phone and SIM, can be traced uniquely to you? With cameras, GPS, mobile Internet come ever more dangerous surveillance possibilities, allowing an observer, once they have succeeded in gaining control of the phone, to turn it into a sophisticated recording device. This is understandably disquieting to activists involved in sensitive work. Obviously, the most secure way to use a phone is not to use one at all. For every phone currently on the network (receiving a signal, regardless of whether the phone has been used to call or send messages) the network operator has the following information: SMS you have sent or received
2010 Report on Distributed Denial of Service (DDoS) Attacks Published December 20, 2010 Authored by Ethan Zuckerman, Hal Roberts, Ryan McGrady, Jillian York, John Palfrey Introduction Distributed Denial of Service (DDoS) is an increasingly common Internet phenomenon capable of silencing Internet speech, usually for a brief interval but occasionally for longer. This paper makes recommendations for how independent sites can best mitigate the impact of DDoS.