Tag: privacy

Security Theater – Alexa Edition

Amazon announced a new privacy feature where you can ask an Alexa device to delete the day’s recordings. Not like “at 23:59:59, delete everything from today” and not “delete everything for the past 24 hours” but delete everything from 00:00:00 to right now when I’m asking you to delete it. Curious how this works in a discovery scenario. How deleted is deleted? And what happens when the next hot-tub murder scenario Alexa records is immediately followed by “hey, delete my recordings for the day”?

I expect this is in response to the poor reception news of human audio reviewers engendered. Can’t say I was shocked to hear they have humans reviewing recordings … I’ve got the same basic thought about Amazon employees/contractors listening to my recordings as I relayed to employees who were concerned that we were reading their e-mail back when I actively maintained the e-mail system. (1) They’re not that bored and (2) I’m not that interesting. I expect there’s an algorithm that flags specific scenarios for review — hopefully every time the thing wakes up and hears “cancel” because that wasn’t the wake word it just heard, probably some percentage of instances where the response is “i don’t understand that”, some other flags, and some small percentage by a pseudo-random selection.

Amazon is probably paying these reviewers a pittance, but they’re still paying them something. And Amazon isn’t paying for someone to be entertained by my daughter singing to the speaker. Are there people posting links to funny and embarrassing recordings? Sure. I also knew people who worked in a call center that contracted out to credit card companies for customer support — people who got busted for extortion because they’d read through six months of account statements after every call. Find something that might be embarrassing/suspicious & call the dude (i.e. poor sap who had rung up for assistance with his account) and demand money not to tell his wife about the affair. Or his gambling. Or what he spends at S&M clubs. Of all of my data that’s out there, smacking into the wall and yelling “bugger” as I check the temp while running out the door just doesn’t rate.
That being said, I’d just as soon not have a company retain audio recordings every time I check the time or weather. But let’s be honest — who is really going to incorporate “oh, delete today’s recordings” into their night-time routine? Once or twice, whatever. Every single day? Not gonna happen. Which is, I expect, the point. Amazon can tout this option to give you control. But they know there’s no way people would opt in to have their recordings retained. And there’s probably a significant number of people who would go through the effort of setting up retention that would automatically purge recordings after 24 hours. But this sounds like a privacy feature but is too much of a pain to use. We’ll check to see if we can purge the daily recordings via an API call, and if not we’ll have a speaker in the house play a MP3 file each night. But that’s not normal user kind of stuff … so Amazon will lose a few days worth of recordings for people who check it out, all recordings for a few uber-techs or super-security-conscious folks. A statistically significant number? Probably not. Security theater.
Worst part, though … you cannot just delete the recordings by voice. Oh, no! You’ve got to enable the function. Because it would be awful if some friend was screwing around with my device and deleted today’s recordings!? I mean, I get not wanting pranksters/kids/pets to order merchandise — which is why you can add an ordering pin for your account . But if there were some API bug which allowed any random Internet user to delete my recordings (not retrieve, not listen to … just delete), I wouldn’t care. The small subset of “every random Internet user” that actually gets within voice range of my house!?! Not exactly somewhere worthy of high security.
Amazon’s self-serving “keeping your recordings extra safe” policy means logging into the Alexa website, going to settings, scrolling down to “Alexa Privacy” (granted a fairly obvious selection), being popped over to another page which you could have hit directly if only you’d known this is where it would send you, going to “Review Voice History” (not a fairly obvious selection) and enabling voice-sourced deletion. This is, conveniently, the same place no one ever went to blow away recordings before voice deletion was an option.

Data Privacy

Facebook is getting a lot of attention for the information it gathers and how well it secures personal data you provide. We should look just as intently at other companies. Some provide services to individuals in exchange for advertising data, and some provide advertising targeting services without offering anything to the individuals being tracked.

LinkedIn — Maybe because “professional” information about oneself does not feel as private as that which is shared on Facebook, LinkedIn gets overlooked a bit. The companies I’ve worked for and titles I’ve held almost seem like public records. You can download a copy of “your data” (like Facebook, this is not apt to contain meta-data they’ve gathered regarding you – just data you have submitted to the site). In your settings, use the privacy tab and scroll down to “How LinkedIn uses your data” – the first selection is to download your data.

Nothing stunning – a list of contacts, my various employers and titles. But LinkedIn is trying to slurp in my entire contact list, maintain a web of people who know people, and allow advertisers to target users. There’s a whole tab apart from your privacy settings to control how your data is used for advertising purposes. “Advertisers” seem to be corporate hiring agents and recruiters, so this marketing is not always mentally classified as “advertising”.

LinkedIn also has a setting which allows you to opt-out (mine was on, and I’ve never opted in so I assume it is an opt-out deal) of having some of your data made available to third parties for policy and academic research.

And remember that Facebook Pixel? LinkedIn wants to track information about “websites you’ve visited” and “information you’ve shared with businesses” to show you more relevant jobs and ads.

Beyond the data feeling less private, having high-paying jobs that need my exact skill set and tend to hire people with my browsing history … well, that feels like a score compared to Facebook’s ad trying to coerce me once again to buy a pair of roller skates I already decided wouldn’t work for my daughter. Even if you’re not actively interested in changing jobs, it is nice to feel wanted. But that’s a nice veneer to data hording, analysis, and target marketing. They’ve even got a peculiar setting under the “Communications” tab that wants to use algorithms to analyze your messages to formulate suggested replies. This too seems to be an opt-out setting.

Google — no one uses Google+ (pity, that) but Google amasses information from searches, e-mails, Hangouts, Android phones. You can request an archive of your data through https://takeout.google.com — it takes a long time for the archive to be built, and it was an incredible amount of data. A few +1s from mis-clicks that there is no immediately obvious way to delete. “Bookmarks” that all appear to be map locations. A calendar that apparently was syncing with my home server back in 2009 since that’s the create date on all of the items. A whole folder for Chrome with 75 meg of browsing history and another meg of bookmarks (a meg of text is a *lot* of data, but I *love* that my bookmarks sync between devices). A handful of contacts that I assume my husband created in our shared account. The totality of every conversation I’ve ever had in Hangouts. Some Google Keep notes that I also assume are my husband’s from our shared account. My entire GMail mailbox, which is an obvious data source. The very tiny set of profile data I actually shared with Google.

Hell, Google has years worth of location data that I guess comes from my phone (it’s got fairly accurate lat/long coordinates, so GPS is the likely source). Following Google’s directions to delete the data didn’t work either (on the map, hit the hamburger menu then scroll ALL THE WAY DOWN to the ‘history’ selection”. Google both claims to have no history data for me and has 423 places on my timeline. Sooo, yeah, that would be history data. I finally managed to delete the stuff through my phone. There is a “Google Settings” app. Select “Location” from it, then “Google Location History”. There is a “Manage Activities” selection (use Google Maps to open it). Confirm you don’t want to use location history because, of course, it asks you to turn it on. Then use the hamburger menu button and select “Settings”. Waaay down at the bottom, there’s an option to delete all history or a date range of history. A couple of warnings later, the timeline map shows no data.

Then there are the photos. Gig after gig of photos. I had an Android phone that went into a reboot loop. I spent a few days wiping and reloading my phone, then failed back to an old phone. One of those iterations, evidently, slurped up all of the photos on my SD card because companies *want* your data. So the initial phone setup pushes you to backup your data, sync up your media, and generally upload ‘stuff’. One erroneous click and they’ve got metadata they’ll be able to keep forever. And there’s no readily apparent way to delete everything at once either. I’ve spent days on the web site deleting a couple hundred photos at a time. Not fun. Click the first picture, scroll down a bit, hold shift and click another picture. If you’re lucky, you didn’t select more than whatever the limit is (guessing 500) and you’ll get “389 Selected” in the upper left hand corner. At which point, you can click the delete and remove that chunk of photos. If you are not lucky, you get “2 Selected” and have to try again.

Ceasing data collection is much easier than removing data they’ve already grabbed. From your account settings, elect to “Manage your Google activity”. Then go into “Go To Activity Controls” and turn off (well, pause) whatever you want to turn off.

And I assume any bucket into which they’ve placed you based on previously gathered information will be retained even if you’ve deleted the underlying data.

 

Corporate Privacy

We had the Senate & House Facebook thing playing Tue/Wed – kind of background noise because anyone who didn’t realize a billion dollar corporation offering a “free” service was making money somehow on the back-end … well, didn’t bother thinking about it. But there were a few interesting tidbits (not the least of which being how many things one can claim, before a Congressional panel, to be ignorant of in spite of the topic being germane to the core operation of one’s company). The thing that stood out most to me through two days of testimony is that no one questioned the validity of the underlying service – consumerism is good, hence serving ads more likely to convince a person to buy the product is good too. I’ve got friends exclaiming that they’ve found products they’d never have known existed without targeted ads — which to me sounds like you’ve spent money on “stuff” that you didn’t need enough to go out and research something to fill that gap. Not a bad thing per se, but certainly not the laudable endeavor they make personalized advertising out to be. The flip side to presenting me ads that are more likely to convince me to buy something (assuming this is true, which dunno … sounds good on the face of it, but I tend to be put off by it and less likely to buy something) is, well, me buying more ‘stuff’ which is not always to my economic benefit.

But when they got onto the topic of Facebook Pixels (which work around people who block third party cookies), it got me thinking about the lack of control we all have over metadata. A lot of companies serve a menagerie the third party cookies from their site, and then execute a couple of third party JS trackers too. Because, as a company, it provides those third parties with data that potentially help drive sales. In theory. But do those marketing companies have some kind of non-compete clauses included in the contract they write with WIN? Can FB, Adobe, Google, etc have code embedded in a telco’s site, take the info they gather from my telco’s embedded JS code, and use it to promote non-telecom services? Cable TV even though it competes with a component of our business? An alternate telecom even though it’s a major line of our business? Is there a meta-category of “people who looked at my site but also looked at two competitors sites” v/s “people who have only looked at my site”?  At least that’s governed by contract and might be tightly controlled — although I doubt an org like Facebook tracks the provenance of each bit of metadata it collects to isolate its usage, that’s based on a feeling rather than any knowledge of their internal algorithms.

Employees visiting various sites — what data to we leak and how can that be used? It’s not like my company has any sort of agreement in place to control how CompanyX uses data gathered as our employees use CompanyY’s web site. My super paranoid brain goes to the potential for abuse — a competitor using our information against us. Not the marketing company directly – like FB doesn’t sell my name and data (that’s what they make their money on after all, using my data to throw me into advertising buckets) … but the company gathering the data can get acquired. Quite a few companies use Triblio – some niche B2B tracking thing as well as Google Analytics. Now Google isn’t a big acquisition target, but some small B2B marketing company? VZ bought Yahoo, so it’s not like the only thing they’re buying is towers and fiber. VZ buys Triblio and we’re in the beginning stages of forming some new product line through some company that uses Triblio. VZ doesn’t exactly know what we’re planning to sell in six months … but they’ve got a good idea. Or even industrial espionage — it’s getting to the point it makes a lot more sense to target one of these data brokers than to target a specific company.

I get that’s a little far-fetched and more than a little paranoid. Is targeted marketing effective for companies too – are company-targeted ads convincing the company’s employees to buy more stuff on the company’s behalf?

As a company are we benefiting, harmed, or indifferent to information being gathered from our employees as they navigate the web. Employees are going to show up from an assigned netblock most of the time (i.e. from the office or VPN), so it isn’t like it’s a super-hard-to-ascertain where the individual works. Is there benefit to blocking the tracking ‘stuff’ on a corporate level (and maintaining a default browser config that blocks third party cookies)? Is there harm in blocking the trackers? The parade of horrors approach would say with Facebook/Google specifically, widespread blocking would necessitate some other revenue stream for the company (i.e. we’d end up buying 1$ hundred search passes or something). Dedicated targeted advertising companies – beyond putting a company out of business (e.g. Triblio which seems to be a dedicated marketing data company) or reducing revenue (e.g. Adobe since they’ve got other profitable lines of business), not much direct impact. A vividly imagined parade would be worldwide recession as psychologically engineered spending prompts disappear and consequently consumer spending retracts. Worst thing I can come up with is being perceived as a bunch of hypocrites who track everything customers do on their site but specifically took efforts to prevent employees from being tracked around the web.

House Facebook Hearings

Day two didn’t change my opinion from day one, but it does introduce a few new nuances. If you consider “my” information to be content (text, video, images, likes) that I’ve personally submitted to Facebook … sure I have some control over ‘my’ data. Not the granular level of control I would prefer, not always readily usable control, and like all things on the Internet (including user data downloaded by a third party), I don’t have control over what people who have access to my data can subsequently do with it. But Facebook has a whole other realm of my data — metadata from images or videos, geo-location information (maybe IP-based with low accuracy, maybe GPS with high accuracy), how long I spent looking at what content, what time of day I log on … and that’s just information gathered directly from my usage of the web site.

Block third party cookies in your web browser (seriously, do it) and see how often adobetm.com, disqus.com, doubleclick.net, facebook.com, google.com, twitter.com, and youtube.com show up in the blocked cookie list.

Particular interesting tidbit from the House proceedings was the “Facebook Pixel” – so named because of the single transparent pixel served from a Facebook site if the actual script-based tracking is blocked by the browser. It’s a little code snippet with a function that allows the site owner to track specific actions within the site (i.e. there’s a difference between “someone who visited my site two months ago and has not been back”, “someone who visits my site every other day”, and “someone who spent 100 bucks at my site”) using the standard events (currently nine) and a custom catch-all event. Advertisers then have target audiences created for their custom site data — this means the advertiser cannot see that I visited their site twice a week or spent over ten bucks in the past quarter but they can elect to spend money on ads delivered to people who have visited their site twice in the past week or not deliver ads to people who purchased merchandise in the last month.

Looking through the developer documentation, that is a LOT of really personal information about me that I am not consenting to provide Facebook (in fact, they’re getting that information for people who aren’t even account holders – just their “match pixel to user” algorithm falls out and creates some phantom profile to track the individual instead of landing on a known user’s account). And it’s a lot of really personal information over which I have no control. There’s a difference between opting out of interest based advertising and opting out of tracking. And how exactly can I go about

In the particular case of the Facebook pixel, the script function is housed on a Facebook server. You can pretty easily prevent this bit of tracking. Add a line in your hosts file (/etc/hosts, c:\windows\system32\drivers\etc\hosts) to map the hosting server to your loopback address:

127.0.0.1 connect.facebook.net

Voila, fbq is no longer a valid function. I haven’t noticed any adverse impact to actual Facebook use (although I assume were a significant number of people to block their script host … they’d move it over to a URI that impacted site usage).

Facebook’s debugging tool, meant for advertisers and their developers, confirms the code failed to execute. Browser specific if the <noscript> content is loaded or not – it’s not in my case.

The same approach can be used to block a number of tracking services – script content served from dedicated servers don’t impact general web usability.

127.0.0.1 connect.facebook.net
127.0.0.1 www.google-analytics.com
127.0.0.1 disqus.com
127.0.0.1 cse.google.com
127.0.0.1 bat.bing.com
127.0.0.1 www.googleadservices.com
127.0.0.1 sjs.bizographics.com
127.0.0.1 www.googletagmanager.com
127.0.0.1 chimpstatic.com
127.0.0.1 cdnjs.cloudflare.com
127.0.0.1 api.cartstack.com
127.0.0.1 js-agent.newrelic.com
127.0.0.1 se.monetate.net
127.0.0.1 assets.adobetm.com
127.0.0.1 tribl.io

 

On Cambridge Analytica

A friend of a friend said she doesn’t mind her personality profile being tracked so FB can suggest things she likes. Why does everyone think it is so bad when she’s stumbled upon many gems from web series, shopping sites, particular products that she highly enjoys. Well, I have two reasons.

Firstly, some people are making a tactical decision to trade personal information for access to technology platforms they enjoy. There are a handful of people I knew in Uni who I thought were wonderful people, but just lost track of over the years. And it’s nice to meet them. There are special-interest groups for vegans, 3d printers, sewists, soap makers, and chicken owners that provide a lot of useful information to me. As an informed decision to share some basic demographic information & whatever FB can glean from my random musings in exchange for communicating with old friends and interest-based communities … I *don’t* think it is a bad deal (or I would not have an account). Heap-o people making something other than an informed tactical decision, though, isn’t exactly in my “good” column. And some third party having information about me because, although I have the platform ‘stuff’ disabled on my FB account, a friend downloaded an app … that contravenes my specifically selected privacy settings. And feels like a violation of my trust.

More generally, I don’t care for psyops tactics trying to separate me from my money (or, in this case, my vote serving my real interests). That’s what all these data analytics seem like to me. I opt out of interest based ads on my computer and cell phone. New companies come online and things I’ve thought about buying and decided against once again start stalking me across the Internet. And, yeah, I’ve discovered products that actually INTERESTED me (not always, advertising steaks to a vegetarian is a major profiling fail). But I don’t need, nor I particularly WANT, to spend more money on ‘stuff’. If I have an obvious need for something in my life, I either make something myself or research product options.

I’m not a huge fan of Pinterest for a similar reason – I have a large backlog of projects I want to make. I *really* don’t need an algorithm to look at my projects and suggest additional ones I may like. Yeah, I *do* like them. Until my time machine comes online, I’ve only got so many hours to spread out between family, work, friends, caped crusading, hobbies, research. And I’m quite adept at finding *new* projects when I’ve got some spare time or have a particular need.

I see interest based advertising – online, mailing, any source – the same way I think about toys in the cereal aisle at the supermarket. I don’t object to toys on principal. I object to placing them in a location my kid is going to see because young kids (the target demo, based on toys available) are prone to public screaming fits when they don’t get their way. And 2$ to avoid an unpleasant and stressful situation doesn’t seem too awful when you’re already tired and just want to GET HOME. When the yarn I already decided wasn’t worth it (or decided against the whole project) … being asked to continually reassess this decision is an attempt to reach me at a time when I’m less prone to make rational decisions.

So while “bad” isn’t the word I’d elect to use … it’s the same kind of underhanded as piping O2 into intentionally windowless casino to keep gamblers playing longer. Or maybe it is bad, because the other example I think of is chemically engineering cigarettes and processed food to be more addictive.

Apple FaceID

The irony of facial recognition — the idea is that you trade some degree of privacy for enhanced security. There are 10k four digit codes – a 1:10000 chance of any specific code unlocking your device. Apple touted a one in a million chance of facial recognition unlocking your phone.

So you trade your privacy for this one in a million super secure lock. Aaaaand a Vietnamese security firm can hack the phone with a mask. Not even a *good* mask (like I take a couple of your pictures, available online, synthesize them into a 3d image and print a realistic mask).

This feat wasn’t accomplished with millions of dollars of hardware. It took them a week and 150$ (plus equipment, but a 3d printer isn’t as expensive as you’d think).

Boyd v. United States or Riley v. California provide fourth amendment protection for phone content … but that only means the police need a warrant. Fourth amendment, check. Fifth amendment … Commonwealth of Virginia v. Baust  or  United States v. Kirschner says that you while cannot be compelled to reveal a passcode to allow police to access your phone (testimonial) … a fingerprint is not testimonial, it is documentary. And can be compelled. As with a lot of security, one can ask why I care. If I’m not doing anything wrong then who cares if the police peruse my phone. But if I’m not protesting, why do I care if peaceful assembly is being restricted. I’m not publishing the Paradise Papers, so why do I care if freedom of the press is being restricted? Like Martin Niemöller and the Nazis – by the time they get around to harming you, there’s no one left to care.

Internet Privacy (Or Lack Thereof)

Well, the House passed Senate Joint Resolution 34 — which essentially tells the FCC that it cannot have the policy it enacted last year that prohibits ISPs from selling an account’s browsing history. What exactly does that mean? Well, they won’t literally sell your browsing history — anyone bored enough to peruse mine … I’d happily sell my browser history for the right price. But that’s not what is going to happen. For one thing, they’re asking for lawsuits — you visit a specific drug’s web site, or a few cancer treatment centres and your usage is indicative of specific medical conditions. An insurance company or employer buys your history and uses it to fire you or increase rates, and your ISP has created actual damages.

What will likely happen is the ISPs become more effective sellers of online advertising. They offer a slightly different service than current advertising brokers. The current brokers use cookies embedded on customer’s sites to track your browsing activity. If you clear your cookies, some of their tracking history is lost as well. If you use multiple computers (or even multiple browsers on one computer), they do not have a complete picture of your browsing because cookies are not shared between browsers or computers. If you browse in private mode (or block cookies, or use a third-party product to reduce personalized advertising), these advertisers may not be able to glean much about you at all. The ISP does not have any of these problems — no matter what computer or browser I use at home, the ISP will see the traffic. Since their traffic history is maintained on their side … nothing I can do to clear the history. Browse in private mode or block cookies and you’re still making a request that transits the ISP’s network.

The ISPs have disadvantages, though, as well. When you are using encrypted protocols (HTTPS, SSH, etc) … the ISP can see the destination IP and a bunch of encrypted gibberish. Now *something* about you can be determined by the destination IP (hit 151.101.129.164 a lot and I know you read the NYTimes online). Analysis of the encrypted content can be used to guess the content — that’s a bit of research that I don’t believe is currently being used for advertising, but there are researchers who catalog patterns of bitrate negotiation on YouTube videos and use it as a fingerprint to guess what video is being watched using only the encrypted traffic. Apart from some guessing, though, the ISP does not know exactly what is being done over encrypted communication channels (even the URL being requested – so while they may know I read the NYTimes, they don’t know if I read the political headlines, recipes, or concert listings out on LI). Cookie-based advertisers can, however, track traffic to encrypted (HTTPS) web sites. This is because site operators embed the cookie in their site … so where an ISP cannot read the data you transmit with an HTTPS site, the server in question *can* (otherwise it wouldn’t know what site you requested).

So while an ISP won’t sell someone a database of the URLs you’ve accessed last week, they will use that information to form advertising buckets and sell a specific number of ads being served to “people who browse yarn stores” or “people who read Hollywood gossip” or “right-leaning political activists”. Because they have limitations as well, ISP ad brokerages are unlikely to replace the cookie based individualized advertising. I suspect current advertising customers will spread their advertising dollars out between the two — get someone who can target you based on browsing over HTTPS and someone who can target you even if you block cookies.

What about using VPN or TOR to anonymize your traffic? Well, that helps — in either case, your ISP no longer can determine the specific web sites you view. *But* they can still categorize you as a technically saavy and security conscious individual and throw you into the “tech stuff” and “computer security stuff” advertising buckets.

You can opt out of the cookie-based individualized advertising — Network Advertising Initiative or Digital Advertising Alliance — an industry move that I assume was meant to quell customer anger and avoid government regulations (i.e. enough people get angry enough and are not provided some type of redress, they’ll lobby their state/federal government to DO SOMETHING about it). The ISPs will likely create a similar set of policies and a process to opt-out. Which means the being passed to the president for signature essentially changed the ISP’s ability to use my individual browsing history from an opt-in (maybe as a condition of a lower price rate) to an opt-out (where I have to know to do it, go through the trouble of finding how to do it, and possibly even keep renewing my opt-out). Not as bad as a lot of reporting sounds, but also not a terribly constituant-friendly move.

A couple of links to the current targeted marketing opt-outs for companies which whom I do business so bothered to waste a few hours trying to determine how to opt-out:

https://pc2.mypreferences.com/Charter/TargetedDigitalMarketingAds

https://www.t-mobile.com/company/privacy-resources/your-privacy-choices/ad-options.html