Thursday, 26 February 2015

When I want my back doors kicking in, I’ll ask

A Yahoo executive has publicly challenged the National Security Agency (NSA) over encryption "backdoors".

Alex Stamos pressed NSA director Adm Mike Rogers on whether the access to encrypted data requested by the US authorities should also be granted to the Russian and Chinese governments.

This rather misses the point. If backdoors are enforced then someone will find a way to exploit them. It might be hackers for profit or mischief. It might be ours or another government. But there is no such thing as a backdoor that can only be used by a friendly government doing things in the interest of its citizens.

After initially dodging the question, Adm Rogers - who took over as director of the NSA last year - responded: "I think that we're lying that this isn't technically feasible.

It’s technically feasible to share data and/or access to backdoors with other nations. I don’t imagine for a second that anyone has ever said otherwise. It’s simply not the issue

The enforcement of backdoors in encryption will be a disaster. And it obviously won’t prevent the acts it’s imagined to prevent. And if access between nations to backdoors and/or data revealed becomes a mainstream political tool, conducted without oversight and fudged about by senior intelligence personnel, we lose again.

It’s hard to trust

It’s hard to trust a company whose entire business model depends on people not understanding how to manage their privacy.

Now that I’m no longer an academic, life seems too short to read Facebook’s new privacy policy.  I daresay I’ll have a look at their latest privacy settings one day soon but it’s hard to raise the enthusiastic energy even that would require.  In any case, the focus on privacy settings is at best deliberately misleading. A responsible site that cared about privacy would guide users on safe decision-making throughout the lifetime of their accounts. They’d pop up information such as “do you know that this person can see that content?” and tell us what to do if that isn’t what we wanted.

Our privacy requirements change over time. Since companies like Facebook know so much about their users, they ought to be helping those users modify their privacy settings as their lives change.  It’s not in Facebook’s immediate interest, though. We should change that.

More drone hysteria

A while back everyone lost their minds when a drunken pilot crashed a drone on the White House grounds.  Now there’s fear and loathing over drones being flown over Paris. OVER TWO NIGHTS! As a fully tin-foiled privacy advocate, people usually expect me to be against drones on principle.  They could peep in our windows! They could throw bombs at us!

They could, but I have a hard time getting excited by drones.  That’s mostly due to my usual concern that the privacy bargains we make tend to be bad ones.  Threats are often misunderstood and counter-measures not always effective.  Much of the time, we don’t know what other security or privacy threats the counter-measures will inevitably introduce.

In the case of drones I’m more concerned that banning them in various spaces is a temptation for those spaces to be abused by authorities.  For example, it would be enormously tempting, wouldn’t it, for an authority to ban drones flying over protests or otherwise observing the actions of police.  It seems quite unlikely that governments are suddenly worried about drones peeping in our windows when they’re otherwise obsessed with collecting every snippet of information about us that they can.

There are threats associated with things like drones. We’ll certainly have to rethink the nature of physical security boundaries because of it. But I can’t buy into the kneejerk reaction of banning drones in certain places because I can’t see what it would achieve and I don’t much like the probable consequences.

Get safe online

I’m supposed to be giving a talk on online safety soon and I’ve been looking for inspiration.  I keep seeing courses and tutorials to ‘stay safe online’, which annoys me because it implies online safety as the starting point, which is a really bad way of looking at safety. This site wants to teach people how to get safe, which is a better goal all round.  There’s a lot of information there and what I’ve looked at so far seems pretty good.

While I’m on the subject, there’s also this.

Lenovo cyber-attack

In the last few days we learned that some Lenovo laptops contained factory-fitted malware called Superfish.  Lenovo’s motivation seems to have been the injection of adverts into browsers.  This is naughty enough, but Superfish also had the potential to enable man-in-the-middle attacks.  I heard about Superfish the day after my wife bought a Lenovo laptop and sure enough, Superfish was there.  It was easy enough to get rid of, even though Lenovo was pretty rubbish about telling customers how to do it (it advised users to re-install Windows).  I understand it has published a set of removal tools now.

In a move that is presumably some sort of misguided attempt at revenge, Lenovo’s site has been targeted for cyber-attacks, with Lizard Squad claiming responsibility.  I’m not a fan of this kind of revenge attack but what Lenovo did was shitty.  I get more annoyed the more I think of it.  I still think the attacks were misguided, though.  Lenovo probably gets attacked all the time and it was probably customers looking for support that were affected most.  And it’s not clear that Lenovo has learned it’s lesson: it seems to be trying to fix the security issues in Superfish rather than committing to not manipulating the ads they see.

Tuesday, 10 February 2015

How young adults deal with online abuse?

On Monday I wrote about an item on the BBC’s Breakfast show in which an interviewed child had some very good insights about privacy and protecting herself online.  This seems to be part of a poll conducted by the BBC on online abuse which is summarised here and discussed with a panel of 16 year olds here.  From the latter:

One of the key findings was that more than half of the people surveyed have felt peer pressure to pass on abusive messages or images.  What’s considered a peer group is interesting:

"There's been loads of times when there's been a picture trending of a person I may or may not know, and it's like 'pass it on!'" Memunatu says.

I’m speculating, but this sounds like someone who wants to fit in with a peer group that might be global.  The urge to join and be celebrated in that group apparently outweighs any empathy felt on behalf of victims, including victims not even known to the person passing on the abuse.  I’m not sure which (if either) is worse: abusing someone you know means witnessing and discounting at least some of their misery. Abusing a stranger means discounting them as people entirely and – from the victim’s point of view - a whole new and sadistically inventive group of people piling on the hate.Perhaps the appeal of fitting into a global peer group is even more attractive than appealing to a local one so people will go to even further lengths to be noticed.  And of course, peer-group membership is often a defence mechanism so this kind of behaviour can be self-reinforcing. Urgh.

A lot of this abuse concerns the circulating of embarrassing pictures circulated without the victim’s consent. I’ve written about this before: this kind of thing can change people’s online behaviour to the extent that they will publish embarrassing pictures of themselves first, so that they can control the conversation.  This can always backfire, of course.

"Those kind of pictures are referred to as "slips"... when you take a picture of someone, without their consent," [Memunatu] explains.

I haven’t come across that term before.  Makes it sound innocent, doesn’t it?

"They're usually posted on Facebook or Snapchat, and then people share them with their friends, and make fun of it."

Not so innocent, then.  These images are meant to humiliate and dehumanise.

Yaseen admits to sharing things he later thinks he shouldn't have.

"When I see other people joining in, if everyone in the class is picking on the same guy, I start feeling guilty because it could be me that posted the picture."

I think guilt is pretty natural, but it’s interesting that Yaseen seems to feel guilty only when he’s the instigator and apparently not when ‘only’ a participant.  Brayani thinks its a guy thing:

"I'm not saying all boys are like this but the majority do like involving themselves in negative behaviour like ganging up, or just huddling and beating up one guy."

Maybe, although I tend to think of this as the sort of self-reinforcing behaviour I mentioned above.  I don’t think it has to be inevitable behaviour, it’s a cycle I’m fairly sure we can break.  Yaseen thinks that girls behave in a similar way but with words on social media rather than fists outside school.

83% of those polled said that telling a trusted adult about online abuse helped to solve the problem.  This is disappointingly vague, I’m sure lots of people are working on understanding the details, so I hope the BBC will be as keen to report on that.  Adults need to get a lot better at this.

Evil Wednesday Roundup

The man behind Ed Snowden’s favourite email encryption system is going broke. Donate here to keep the project alive.

Cory Doctorow writes in the Guardian: Go digital by all means, but don't bring the venture capitalists in to do it. “The argument that license payers should have to pay to access the material their license fees already paid for because that will allow the BBC to buy more material that license payers can pay more to access is so stupid it’s a wonder that the people who espouse it don’t turn to ash on the spot.”

Anyone who makes you choose between privacy and security wants you to have neither. An excellent piece from the ORG on the real impact of surveillance. “Mass surveillance isn’t the security blanket that politicians are holding it up to be.  For many people, surveillance makes them less safe.”

Cop who switched off his dashboard cam in order to make illegal threats will keep his job.

Macedonia’s government accused of mass, politically oriented surveillance.

Police interrogation techniques generate false memories of committing crimes.  The study had to be terminated because some subjects couldn’t be convince they hadn’t committed the false crimes.

Another news article asking whether privacy loss is inevitable. This time, it’s about smart devices. The media seem to want us all to roll over and accept the death of privacy as a done deal.

Twitter reports a 40% rise in the number of requests from governments for user data since July 2014. There were requests from around the world for the details of 7144 accounts and 52% of those were fulfilled. There were also lots of demands from government for content to be removed from Twitter.

Is privacy dead?

I’ve been told it is by all sorts of people.  The argument is usually that once the cat is out of the bag there’s no way to get it back in again, so we might as well just get used to it.  For the record, it’s not particularly difficult to get cats into bags but boxes are easier.  Anyway, the argument rests on the assertions that privacy is dead and that we can’t do anything about it.  As Peter Watts says, if privacy is already dead, why are so many people trying to kill it?

He’s got a point.  More data will always fall out if you rattle us hard enough.  Think Amazon knows everything about you because of your browsing and buying history?  It wants to learn about your social networks and the people in them, too.  That’s why it offers a gift-wrapping service.  That way it can find out who your friends are, their addresses, their approximate birthdays, ages, sex and the sort of stuff they like. Or at least the sort of stuff you think they like.  If it can match this information up with actual other customers, it can learn a lot about your relationships.  What if you use Amazon’s gift service to buy a friend’s birthday present each year, but they don’t do the same?  There are various inferences that could be made about the nature of that relationships and it’s easy to imagine various subtle but invasive ways to narrow it down further.  What if the gifts you buy for your friend are nothing like the things that friend buys for herself?  Might Amazon find ways to manipulate you into buying them the gifts Amazon wants you to buy?

It needn’t even be subtle.  What if, when you tagged something as a gift, Amazon gave you a list of suggestions, telling you it’s based on what your friend has bought or put on her wishlist? You might think of that as a useful additional service.  Perhaps it would be, but it would also tune Amazon’s picture of your (and your friends’) social networks, all the better to further exploit you all in the future. 

We might understand this and consider it a worthwhile price to pay for convenience, but our friends might not understand it or might not consider it a good deal.  We didn’t consult them before giving away valuable information about them.

There’s always more data that’ll fall out if you rattle us hard enough so it’s not the case that we’ve nothing left to protect. Privacy is not dead. It’s also not true that there’s nothing we can do about lost privacy.  First, there are things we can do to stop leaking private data.  Second, there are things we can do in some cases to take back data that’s already out of the bag.  So it’s not the case that we have no recourse but to accept it.

It’s worthwhile to consider the motives of the people who are so eager to tell us we can do nothing but accept the loss of privacy.  How often does the argument go something like this:

All you can do is accept the loss of privacy, but that’s actually super cool!  Think of all the great services you can get for the marginal loss of a little privacy?


Sure you’re losing some privacy and freedom, but you’ll be so much safer!

They are the people who are trying to overcharge you for services with greatly exaggerated worth.  They are the people who are trying to sell you bad privacy bargains.

Watts takes heart from much of this.

I take heart from the fact that the the Free World is trying to curtail freedom at every turn. I take heart from the endless attempts of the UK, the US, and Canada to pry into our private lives and put webcams in our toilets (because you never know when someone might try to avoid prosecution by flushing a bag of coke down the john, you know). I take heart from PRISM and the Snooper’s Charter and Bill-C-whatever-number-they’re-up-to-this-week— because they put the lie to those stories in Wired and the Daily Mail and the New York Times, they put the lie to all those journos and pundits who would tell us that privacy is dead. It gives me hope.

Because if privacy is really dead, why are so many still trying so hard to kill it?

Read the whole thing, it’s good.

Their details

Wiltshire Police have apologised for collecting the names and addresses of locals who bought Charlie Hebdo from their newsagent. The force seems to be placing the blame on one over-enthusiastic officer and says it has “permanently and securely disposed” of the information they collected.  Why did they have to say “permanently”?

The force said that the officer’s motivations were "purely around enhancing public safety".  That’s not very reassuring, given the activities governments and law enforcement agencies like to excuse in the name of safety.  Personally, I’m leaning toward putting it down to the police’s love of making lists of suspects for crimes that haven’t been committed, 

Or as I’m sure they’d put it, crimes that haven’t been committed…… yet.  It’s a worrying attitude.

Monday, 9 February 2015

More spying on kids

There’s a blatant and scaremongering advert for a spying app on the BBC’s Breakfast TV show this morning.  They briefly interviewed students and one had a very good point that I forgot to mention in my earlier post.

She said that if she were talking to a friend about a sensitive subject, that friend’s parents would be able to see that conversation.  That could be disastrous for the child, even if her friend’s parents were well-intentioned.  It’s none of their business and the child has given no permission for other people’s parents to read about and potentially interfere with her situation. 

It’s the sort of risky behaviour I was talking about in the previous post.  People should have a reasonable expectation that their communications won’t be intercepted without their permission.  Children might be at risk if adults find out their secrets and might not talk about it at all – which could be even more risky – if they think their friends’ parents might find out about it.

Little good is likely to come from spying on your kids and the potential for harm is significant.

Monday, 2 February 2015

Backdoor shenanigans: a national ID system for Scotland.


Gaslighting in advertising

Gaslighting is the process of manipulating a person’s sense of reality, often by denying or re-framing shared experiences.  A crude example is that of a person denying the existence of a (real) noise that another person can hear.  If several people – or a sufficiently trusted individual – were to deny the existence of the noise, the victim might doubt her sanity and would be considered gaslighted. Gaslit? 

Anyway, it’s a way of manipulating people, usually for some gain.  It is frequently used by abusers of all kinds to cause victims doubt their memories.  And it seems to me that it’s increasingly used in advertising.

It’s a less harmful form of gaslighting than many, but it bothers me nonetheless.  Here are some examples that are representative of the kind of thing I’m talking about:

  1. Remember how difficult vacuuming your home was before Brand X vacuum cleaners?  Well with the new Brand X model it’s even easier! No, we don’t remember how difficult it was because, for most able bodied people, it wasn’t difficult at all and neither the old nor the new model of Brand X made it significantly easier.  The advert is trying to fool us into accepting a premise that a new product is better by manipulating our perception that the product we have isn’t as good.  Is it really that difficult to vacuum round corners without special wheels? Did our old vacuums really leave such objectionable mess on our carpets?
  2. Take two bottles into the shower? You idiot. You could cut that effort in half by using Shampoo P. It’s not significantly more difficult taking two bottles into the shower.  And besides, I’m yet to be convinced that hair conditioner does anything worthwhile or that Product P is anything but ordinary shampoo.  Here we’re (perhaps) first being manipulated into thinking that conditioner is essential and secondly (by the same company) being manipulated into thinking that due to some remarkable innovation, we no longer need to waste the effort of moving one light bottle from one place to another. But… don’t we keep both bottles in the shower anyway? Who stores their shampoo somewhere else and carries them to the shower, which is the only place they use those products?

We’re being… I’m going to go with gaslit.  The perceived need for a product is predicated on something we’re encouraged to think is true but actually isn’t. And the practice is all over the place.  Note that this isn’t quite the same as creating a perceived but non-existent need for a product (as in the conditioner case). It’s instead telling us how bad the old (possibly unnecessary) way to solve that (possibly made-up) problem was when it wasn’t really bad at all.

This vexes me and it sets my privacy-sense tingling. Bear with me.

Gaslighting (even in this relatively benign form) is a kind of assault.  It’s a literal confidence trick.  It’s a confidence trick we seem wired to walk into without question. It takes conscious effort to avoid the trap and actually assess the supposed benefits of the new product over the old. I’m a sufficiently enormous geek to pay close attention to what adverts say as opposed to what they say they say but I have my blind spots too. I’m by no means immune. The practice is exploiting things we think we’re in control of but actually aren’t. 

I don’t think adverts should be doing this. It’s a subtle sort of lying but it’s lying nevertheless. It’s on one of those dicey lines between salesmanship and dishonesty and any attempt to legislate against it would probably be futile. It would probably also be unwelcome; there are times we want to be lied to, after all. Who hasn’t yearned for an excuse to justify buying something sniny?  But neither do we want to be manipulated into buying products we don’t really want or need.

So we need to be teaching children how to spot the signs of manipulation. If advertisers want a war, let’s equip ourselves to make it an arms race because in the long run, the consumer’s going to win. If we’re collectively smart enough, we’re more difficult to fool.  Much of how we can protect ourselves from gaslighting comes from the bottom up, while advertisers would assure us it comes from the top down.  Perhaps that’s the most pernicious form of gaslighting there is.  One of my main points about privacy is exactly this.