“Internet users worried about their personal information being intercepted by U.S. intelligence agencies should stop using websites that send data to the United States, Germany’s top security official said Wednesday.” Cute, but pointless. France does it too, as does the UK. Documents from the Dutch intelligence agencies indicate that they, too, are involved in mass surveillance, the extent of which will supposedly be investigated by parliament.
It seems we are unable to avoid this, just the same as we are unable to avoid being recorded by surveilance cameras and the like, yet nobody seems to try and stop those being put up!
You are right, we can’t. Some things are inevitable, and this is one of them. For this reason, when I send something across the wire, I pretty much assume it’s public information at that point. I do hope that companies will try and keep things like passwords and credit card numbers reasonably secure, but many of them can’t even manage that.
Quite a few sites now use ajax.googleapis.com for hosting standard .js files.
That means ever visitor to such a site hands Google a referrer of the page they’re on, their IP address and browser fingerprint.
Doesn’t matter that it’s a site in german, mainly hosted on servers in the EU… Google can still track you if they’ve gone this route.
See also -> Google Fonts.
Why on earth is this modded up?
Your right to privacy ends at the point where you stop protecting it. If your house is made of glass don’t complain about the neighbors snooping on your activities… If you don’t want someone to overhear a conversation go somewhere they can’t hear it. If you want to go somewhere, and you don’t want anyone to know about it, you try to hide your identity…
This is all common sense stuff that no one questions.
On the internet, your ip address is public knowledge, and on the web your browser sends referrer headers and identifies itself – all for sound technical reasons. If you don’t like that figure out how to protect your communications – there are ways to do it, many of them trivial… But it is a public communications medium. Its like complaining that someone is listening in on your conversations using a CB radio – if you don’t want 3rd parties to hear what you are saying you don’t understand what CB is…
Can we all please stop bitching about a 20 year old status quo? Google is not the NSA collecting phone metadata, the difference is everyone knows about it and has all along.
Its the internet! Unless you know your communication channel is encrypted, and you know the encryption is effective, and you know the identity of the party on the other side of the connection, and you trust them completely with handling your data and communications, you may as well be broadcasting what your doing over a loud speaker.
This obsession with privacy is getting down right silly. Yes, you have a right to privacy – but only if you make some effort to protect it. Use Tor, use an anonymizing VPN, whatever – if it concerns you do something about it. But can we please stop blaming companies for mining the information we casually give to them everyday? If you don’t trust Google don’t use the internet to communicate with them, and don’t use the internet to communicate with anyone who does trust them.
Yes, that severely limits your ability to protect your privacy. So does going outside…
galvanash,
“But it is a public communications medium. Its like complaining that someone is listening in on your conversations using a CB radio – if you don’t want 3rd parties to hear what you are saying you don’t understand what CB is… ”
Strongly disagree with you here. CB radio was designed to be a public medium. Part of the fun in using it is that you don’t know who’s going to respond on the other end. Unicast network traffic between internet hosts/peers is not intended to be public any more than a 2 party telephone call is. In both cases the service providers are entrusted with our privacy. Keep in mind ISPs who systematically violated our privacy (aka phorm) were sued because *they* weren’t allowed to spy on customer traffic.
You suggest we should be using cryptography to secure private communications instead of trusting our service providers, and I would agree that’s wise to the extent possible.
It seems that you don’t care about your own privacy, but it doesn’t mean you shouldn’t respect other’s IMHO.
Edited 2013-07-05 04:37 UTC
I was using CB as a loose analogy of another public communications medium – maybe that was a poor choice because the issue I am talking about doesn’t involve a 3rd party at all. The specific example I was responding to (ip address, referrer, and UA string) is not an issue with 3rd party communications – it is unicast – its between you and google.
If you don’t want to communicate with google directly thats easy – don’t do that. If you don’t want to communicate with them indirectly (as in when they are used as a CDN for scripts or images) you can block them. The point is if you don’t like how Google uses such information you don’t have to let them – but it is information that everyone has considered non-privelaged for 20 years now.
Google isn’t eaves-dropping on your communications – if you visit sites that “trust” google to server up their version of jQuery or whatever you are indirectly “trusting” Google. Its not like it is being hidden from you – its right there in the source code. It is absolutely trivial to block such traffic.
I do care about my own privacy. What I don’t care about is having google use basic information such as my ip address and what sites I might visit to target me – because whether they are doing that or not I still see ads, mostly because I am too lazy to bother blocking them (which isn’t that hard to do either). I can’t say I like seeing them, but then again I don’t like seeing commercials on TV either. I ignore them.
The point is if it did bother me enough I would do something about it – I don’t see the point in complaining how Google uses such data when I am giving that same data to every single website I visit every day I use the internet. If I felt that data was private I wouldn’t be giving it to them.
galvanash,
“Google isn’t eaves-dropping on your communications – if you visit sites that ‘trust’ google to server up their version of jQuery or whatever you are indirectly ‘trusting’ Google.”
Well, then arguably the NSA isn’t eaves-dropping on your communications – if you use providers that ‘trust’ the NSA to install their hardware or whatever you are indirectly ‘trusting’ the NSA. Of course it’s not exactly the same thing, but I hope you can appreciate the privacy concerns.
The privacy concerns really aren’t limited to google, but they get so much attention due to their sheer size. I’m not sure you (and certainly not most people) realize how widespread google’s network is. Of course they’ve got their bigger services like gmail, youtube, blogger. But they also have lesser known ad/tracking networks it bought including doubleclick, adscape, invite media, admob, etc to supplement it’s own.
Edit: Back in 2012 google updated it’s policy to implement more tracking across services:
http://articles.latimes.com/2012/jan/25/business/la-fi-google-20120…
Edited 2013-07-05 08:19 UTC
First of all, I made a comment about the general public looking to avoid being tracked by US companies who sell personal information or hand it over to the NSA, under circumstances which we could do with further detail on.
I am well aware of the technical methods one might use to circumvent being tracked but this isn’t about you or me.
This is about the masses who won’t understand such methods or even know how much is being recorded about them.
They’re being told by a government minister that to avoid being tracked they should avoid US websites except many of the alternatives will still have ties to US companies and that is what I highlighted.
FTR, I don’t have a problem with security services targeting specific individuals based on evidence and snooping on their traffic. Hell, if they suspect me then I don’t have a problem with them looking at my traffic but this isn’t the problem.
People with technical knowledge can avoid being tracked, presumably terrorists apply similar methods to avoid detection but the people who’ve done nothing wrong are having the details of their lives recorded and the captured information is available to individuals who don’t have to justify their access or sold to marketers. That’s the problem.
BushLin,
Most people don’t seem to realize that. Everyone needs to be informed that google does have JS monitoring code on millions of 3rd party web pages where it’s not otherwise obvious that google’s tracking them. Plugins like ghostery help detect many trackers including google’s.
For example according to ghostery osnews uses these 3rd party trackers:
Cross Pixel (Manhattan, NY, USA)
Google Adsense
Google Analytics
Mint (claims to be “self-hosted” so it doesn’t share info).
Osnews itself is hosted in dallas texas. I’m curious as to why a european provider wasn’t chosen?
FYI Ghotery does nothing to stop Google getting referrers though ajax.googleapis.com and in fact their support staff are either rude or brush off this as a threat (it has been brought up many times on their forums).
e.g.
https://getsatisfaction.com/ghostery/topics/sites_using_js_files_hos…
https://getsatisfaction.com/ghostery/topics/http_ajax_googleapis_com…
If you do care about this then use something like RefControl for Firefox and tell it to block 3rd party referrers by default.
BushLin,
That’s a good point about the 3rd party referred by HTTP header, I kind of wish it were a standard browser option. But all of the browsers have strong corporate advertising ties, so it’s unlikely these things will ever get cleaned up without 3rd party plugins.
I’m rather disappointed with the way the industry has converged around 3rd party javascripts. Here we’re talking about privacy, but an even larger concern to me as a web developer is security. Many clients are running 3rd party javascripts in their websites, but unfortunately there’s no way to isolate the 3rd party code from the rest of the website. This gives 3rd parties the technical capability to hijack sessions, hook in keyloggers, covertly inject links, etc. It’s an all/nothing trust relationship which is very bad for security.
One client hired an SEO company (orange-soda), who had me install their 3rd party script. Low and behold hackers managed to exploit this 3rd party script on our site. We immediately removed their code, but I still consider 3rd party javascript code inherently insecure.
Edited 2013-07-05 16:35 UTC
Google-Ad Services and Google-Analytics have been on my browser untrusted list for a very long time now.
How long will it be before Google stop using domain names and hard code the IP address in order to get around that little blocker?
IMHO, Everyone should do what they can to reduce the amount of data being collected about them on a daily basis.
So I just know the details of the Dutch situation.
They record metadata about:
– SMS
– phone calls
– phone triangulation for every 5 minutes
– email sender/receiver
– phone/Internet account name/address
And keep it for 2 years (data retention) in a central database at separate government agency (CIOT), that can be queried by the police and secret service.
The information they keep about the queries is just statistics by a very general indicator like the police region.
They don’t need to record why they query the database.
So individuals, like a police officer, are not and can’t be held accountable.
So all we know is the database is queried millions of times a year. To give you an idea: in 2009 it was 3 million times, in a country with 16 million people.
The secret service wants to receive information from the US, so they share information with the US.
There is also a extradition treaties with the US.
So good luck with that.
Banks, shops and government are making it harder and harder to pay with cash. All digital transactions are recorded and banks accounts can only be created with a valid ID.
You can only get a valid ID if you get your face photographed in a way that face recognition works well (don’t smile, stair straight into the camera, etc.) and with finger prints.
So how do you keep away from that ?
What privacy ? What freedom ? are we talking about here ?
And I didn’t touch on CCTV face recognition from the policy in certain towns and CCTV license plate recognition on certain highways which are deployed.
There is only one advantage we have is they are some what open about it.
Edited 2013-07-04 13:51 UTC
There is a difference between collecting metadata and collecting content. Everybody collects metadata, that is no secret. The big problem is the US collects data as well, for non-US citizens without even a broad secret warrent.
OK, let’s have a different example.
The UK/GCHQ listens in on 400 fibre-optic cables. Supposedly they can analyze the content of 41 of them at a time.
If I’m in the Netherlands and visit a Dutch website, that traffic can still be routed through the London Internet Exchange.
The UK also shares it’s information with the US, so how can I prevent information being shared with the US ?
Lots of people have a Facebook account, did you know Google, Yahoo, Facebook and Microsoft run all the images people upload to their services through a face recognition software and compare it with faces provided by them by US agencies ?
Someone I know can snap a picture and upload “to the cloud” and now I’m checked as well.
I would really like the US not to know anything about me or not be able to find out stuff about me if they target me (even if by accident), but it seems to be pretty much impossible if I lead a normal life.
Sometimes, living in a 3rd world country where most of this stuff couldn’t possibly be effectively implemented is a bit awesome
They have other problems I prefer not the deal with.
Waaa! Too bad I can’t get a decent paid job in Phillipines, otherwise I’d be flying there right now. There’s a nice country with nice girls.
is a big data mining operation.
BTW I still wonder how much this madness costs tax payers.
Everyone is doing it. It’s just that the US is the most effective (with the Chinese and Russians maybe close seconds). Heck, most of US material is coming from America’s NATO allies.
ah yes, here comes the massive cognitive dissonance of the average gringo. Glorious!
And worst of all: the dreaded gringo is right!
Yeah, in some corners of the universe being right for the wrong reasons is quite bad indeed…
Wait, I’m right but I’m spreading cognitive dissonance? Talk about cognitive dissonance!
And what are the wrong reasons for being right? That I’m an “average gringo”? Are you serious?
Edited 2013-07-05 21:10 UTC
The same allies that the US is spying on, of course…
So if everyone decided to go jump off a cliff then you would too? Just because “everyone” is now spying on innocent civilians doesn’t make it right. Apparently, most people seem alarmingly hunky dory with Big Brother and Big Corporations eavesdropping on their communications. “I don’t care, I don’t have anything to hide” seems to be the common sentiment. By that same sentiment, then I guess you shouldn’t mind the police showing up at your door at random to conduct a search of your home, office, or vehicle either. You don’t have anything to hide, right? All of this surreptitious spying has gone too far and serves little purpose other than to build a fat dossier on millions of innocent people.
You are inferring a whole lot. When did I say it was okay?
Hint: I didn’t, I don’t think it’s okay.
All I’m doing is pointing out the absurdity of claiming that international users will be safer/better off by avoiding American web sites, sites which in many cases cannot be replaced with a non-American site.
About the only way to get out of this is living in a cave somewhere with no electricity and no internet or going the opposite direction and disappearing as a nameless homeless person in a major city.
EDIT: This is starting to sound eerily like Shadowrun….
Edited 2013-07-04 15:54 UTC
Amusingly, our government would have us believe that only terrorists do this too.
Or Brunner’s ‘Shockwave Rider’….
The most popular services are owned by American corporations, especially Google and Facebook. Even Estonian Skype was sold to them. As I felt, that Google had betrayed me, I switched from GMail to Neomailbox recently, but that doesn’t help much, as most of my contacts have either GMail or Hotmail address and governments eavesdrop network traffic anyway.
Checkmate in other words…
Edited 2013-07-04 16:12 UTC
See http://en.wikipedia.org/wiki/Hans-Peter_Friedrich
In the wake of NSA’s internet surveillance scandal around PRISM, Friedrich defended the NSA’s methods and promptly demanded legislation changes, in order to be able to expand the German surveillance of communication traffic as well.
“…And only use websites that go through German servers.”
LOL.
Maybe there are enough clueless german politicians and higher-level executives who believe that the Internet stops at the national border…
Encrypt your internets! But , seriously, why isn’t every website using SSL encryption by default? Yes, it takes extra cpu power, but this is not the 90s anymore and servers nowadays can easily handle the extra weight.
Is it the cost and hassle of the necessary certificate?
I doubt any small to big companies would not be able to spend $40 on a certificate for a year.
Because the data will be decrypted by the other end? (Google, Skype etc) The solution would be a user to user encryption protocol, not user to service (like SSL). So all Google sees is a bunch of garbled characters There should be an open source project for that.
True, but not all companies bent over and just gave access to our personal information. If both sides are encrypted then government should only see encrypted packets if the company is in another country or refusing to work with PRISM.
Edited 2013-07-04 19:35 UTC
Actually yes, they did. Out of 1800 FISA requests for warrants, only one was not granted. Because it was withdrawn. That’s 1799/1800 passed in secret where you will never know they are snooping on you.
if the company you talk to is involved then using SSL doesn’t matter. If we then also presumes that at least some of the certificate authorities are also involved SSL becomes almost meaningless (for keeping your stuff from Big Brother).
You might think it’s easy, CPU time isn’t the issue here. There are other issues.
Because:
1.IP-addresses:
HTTP can run multiple websites on the same IP-address “Virtual hosting” it’s called. HTTPS has SNI to do the same, but it isn’t supported by any version of IE (and Safari) on Windows XP and default browser on Android 2.x. So SNI hasn’t seen wide spread deployment because it doesn’t work with those older browsers/operating systems.
Thus each new HTTPS-site need a sperate IP-address this also is an administrative and deployment burden which cost money.
This might get worse because IPv6 did not get deployed. And the price of IPv4 will rise.
2. certificate expiration, certificates need to be renewed each year or every few years this takes effort, effort costs money/time. Can’t always be automated, because it usually happends by sending email to the domain holder (owner).
That could be solved by using self signed certificates, but no browser can trust them. If you don’t know who you are talking to, you can encrypt whatever you like, but security it is not.
3. no secure mechanism to deploy self signed certificates. DNSSEC* with DANE could solve this, but no browser currently supports this.
Because deploying DNSSEC to client machines (the device that runs a browser) is currently problematic.
There are lots of issues, a simple example is that DSL-routers are broken and don’t allow large DNS packets and there are lots of other similar issues.
4. lots of website include content from other sites, when you include content from the other site on your HTTPS-website. The other site needs to use HTTPS as well.
5. CDN-support for HTTPS is complicated and expensive
___
HTTP 2.0 might also be a possible solution to the self-signed certificate problem.
HTTP 2.0 will always use encryption certificates, but only display a lock-icon in the bar if it encounters a certificate it can validate.
* DNSSEC uses signed DNS answers, DNS is what is used for looking up domainnames.
Edited 2013-07-04 18:44 UTC
I think there may well be a way to screw those who spy on us. If there were enough people who felt comfortable with it…
We ALL include a paragraph in ALL of our emails that says something like “Please do not send me any mails that include words like ———- (all of the words we suspect will be identified in mail scans at the NSA and other spy agencies), because I do not want any spying agencies to think I am a terrorist. Thank you.”
I imagine the spy agencies’ computers would suddenly discover perhaps hundreds of thousands of potential terrorists! That may well cause pandemonium in the corridors of power. Even if they work out a solution, it would at least bend them over for a while.
To do this may reduce the value of their methods to almost zero since they wouldn’t be able to tell which messages were likely terrorists and which not, without a LOT Of resources being put into investigation. If this led to them revising the value of their methods then maybe that’s a win for liberty.
However, I’m not sure whether preventing them finding even one terrorist by the current means is a good or laudable idea.
Mm.
“Ordinary people”, i. e. the majority of Internet and phone users, simply don’t care.
“I’ve got nothing to hide.”
“This happens to the others, not to me.”
“I am too un-interesting to them.”
“They’re just doing their normal work, why complain?”
“I should not avoid surveillance. They protect my freedom.”
“Why should I say something against the democratically elected government? All they do is for my best!”
This would simply cause many “false-positives” upon first scans (simple keyword matching), but the evaluation algorithms on the “next stages” are smarter than that. Keep in mind that governments spend a lot of precious tax payers’ money to companies who develop “solutions” for evaluating the mass of data obtained.
Resources don’t matter. If a computer farm, a datacenter or a storage complex is considered “loaded”, a new one will be built. The people are financing this with their taxes. The more “hits” the “early stage” scanning algorithms can identify (even if it’s just false-positives), the more storage is required. Remember: Nobody deletes anything. Data may be “shifted” from disks to tapes (for archival purposes) and index data will be kept, so even 5 years after a certain phone call has been made, recoded, and considered “irrelevant”, it can still be brought up for proving a suspicion or constructing evidence material.
They can perfectly scale. Just hire more contractors. Money doesn’t really matter. There’s plenty of it.
Sadly no. I assume the opposite will take place: Better filtering, more storage (just in case something has been missing, and a positive slipped).
Still I believe there is a way to deal with this system: Make it turn against itself. “Itself” can mean two things here:
a) Make the system act against those who run, advocate, justify or enforce it. Those are individuals. They can be tracked and monitored in the same way as everyone else (i. e., innocent people). Gather their information. Make it public. Start with politicians, higher-level executives of the participating parasite companies, lobbyists and the like.
Why will that work? Because the mechanism that will be triggered could already be seen in action. Members of national parliaments basically have no problems when national and foreign agencies spy on people. On the people – not on their “elected representants”! In case that would be true, they threaten involved companies with recovation of their operating license (works for telecommunication operators) or causing other kind of trouble. Another example is how wealthy Germans and politicians acted when google streetview started: They insisted on blurring (“pixelating”) their houses. (From their logic, that would imply they have something to hide, which again imples they are… the nasty word with T… you know…)
b) Make the system attack itself. Feed it nonsense data. Do it anonymously. Do it creatively (so it won’t be identified as false-positive too early). Let it work for nothing. Make it an expensive game for those who are running it. This combines with a) – let the system identify those who run it as potential targets. Use sloppy security, incompetence and stupidity of those who are in charge. Exploit the weaknesses of the parts of the system.
And finally:
Make the system’s work hard. Encrypt what you can encrypt. Educate yourself about your possibilities. Closely watch what you’re doing. Value your privacy and even your anonymity where it makes sense. Think about social networks and e-mail services. Are you sure you want (you “need”) to use them? Where can you improve how you interact with people on the Internet or with the medium itself?
You can’t change a system that defines its own rules. If the system declares itself to be “democratic” or uses words like “freedom”, you cannot legally oppose to it. Politics is not a solution. It simply won’t work. People need to understand (again) what power they have. “The state” is not a mythical cloud unicorn somewhere in heaven. The state is the people. And as long as people accept what’s being done to them, things won’t change. Which means: Things will only get worse. History has proven this several times. But people don’t learn. Therefore, they repeat history. And most important: They don’t want to hear the truth.
I’d be more than happy if someone can prove me wrong on this topic…
The tinfoil radiation is very strong. My brain hurts.
That’s a very extensive response. You’ve certainly educated me on those things. I stand corrected.
1. use strong encryption
2. don’t use algorithms recommended by NSA such as AES
3. use cascading encryption, if one algorithm is broken, you are still safe
4. use TOR
5. use encrypted mail services such as tormail.org and the upcoming startmail.com
6. don’t use IE, Chrome, Safari. Use FF, Opera, Srware Iron
7. don’t use services provided by Google, FB, MS and other big players, there are open source alternatives like identi.ca for social networking
8. use search engines such as startpage.com and ixquick.com which is google with privacy added
9. keep in mind that Windows and Os X most likely have backdoors and Linux and BSDs can have have subtle backdoors
10. don’t rely on SSL or TLS, they can obtain certificates and MTM you
11. ???
12. Profit!
What we need now it’s and opensource chat app providing both video and text chat with strong encryption. The bits are there, we just need to put them together and create an app for both mobile and desktop.