SAN FRANCISCO: Can something as mundane as modern Web hosting be used to increase consumer privacy? Daniel Kahn Gillmor, a senior staff technologist at the ACLU's Project on Speech, Privacy, and Technology, thinks so. He also believes that the future of consumer privacy depends on technology providers taking bolder steps to protect their users.
At a recent conference held here by the content delivery network company Fastly, Gillmor spent 20 minutes explaining a set of technology proposals that a modern Web host like Fastly can undertake to defend privacy without burying itself in costly changes.
"The adversaries who are doing network monitoring tend to focus on metadata, not on content," he told the crowd of engineers, referring to the essential tracking data created when we write emails, watch cat videos online, or text emojis. The importance of metadata to surveillance was underscored by former National Security Agency Director Michael Hayden in 2014, when he declared, "We kill people based on metadata."
Gillmor explained how a content delivery network, or CDN, could combine new Internet traffic analysis countermeasures and Domain Name System obfuscation to help prevent spies from snooping on consumers' Internet activities. Gillmor's talk was more of a pitch about what a CDN can do than what Fastly is actually doing.
Daniel Kahn Gillmor. Photo courtesy ACLU.
After Gillmor's presentation, he and I spoke at length about three of today's biggest challenges to consumer privacy: rising costs, the responsibilities of private companies to their users, and the struggle to make email safer and more private.
What follows is an edited transcript of our conversation.
Q: There seems to be a growing digital divide over privacy technology. What's your perspective?
My biggest fear is that we're going to accept, as a society, that privacy is a luxury. You see that already, in many situations. Someone who can afford a home has more privacy than someone who can't afford a home. This is not just a digital-divide thing; it's a general situation where people buy privacy for themselves. It's unjust.
Some services people buy are intended to help keep you off others' radar. (And some of them actually are invasive.) And a lot of people don't even actively consider privacy when making purchasing decisions. So there's not enough of a market, in some sense, for privacy-preserving technologies.
Q: Which ostensibly privacy-preserving technologies are people buying that might actually be compromising them? Virtual private networks?
If you can't afford a VPN, most of your connections are going out in the clear, which means that your network provider has an opportunity to surveil you and build profiles about you.
But if everyone gets a VPN, all network traffic would get concentrated at a few VPN companies instead of at the various Internet service providers. And you could monitor everybody's traffic just by monitoring the VPNs, instead of all the different on-ramps.
And if you had a big budget and wanted to do a lot of monitoring, you could even set up your own VPN and sell access. Brand and market it, and then maybe I'm paying you to harvest my data.
Another consideration: What privacy controls do we have on existing VPN services we might buy? They should be subject to the same constraints that we would like to put on the ISPs, because they are in the position to see all of the different stuff that we do online. That's a different perspective than a network service that you may or may not decide to use.
Q: Tor is the exception to this rule because it's free and designed to reduce tracking, right?
There's a bunch of mythology around Tor. But if you want to play around with it, it's really not that hard. You go to TorProject.org, download the browser, and use it to browse the Web.
It's a little bit slower than what people usually expect from a Web browser. But Tor developers have really thought carefully, not just about how to route network traffic, but also about what browsers do and how they pass traffic. Tor really does provide a significant amount of user privacy.
In dealing with cookies, for example, it uses double-keyed cookies. The typical browser makes a request, the origin sends back the page, and the page refers to several subresources such as images or video. It sends them with cookies [a small piece of computer data that can track behavior on the Web], which might come from a third party such as an ad server.
So if I visit a site, make a request from a third-party server, then visit another site that uses the same third-party server, that third party can identify me as the same person because of the identical cookies I send.
The Tor browser ensures that the cookies you send different sites don't match. I think it would be better to just not send cookies at all, but the Web has evolved such that there are things like authentication schemes that don't work, if you don't send any cookies to a third party. This is something Tor does through its browser. It's independent from its network traffic obfuscation.
If you're interested in getting the most developed set of privacy preservation tools that have been thought about, researched, and well implemented, Tor is the place to get it. As part of the Tor uplift to integrate features from the Tor browser back into Firefox, Mozilla has added double-keyed cookies into Firefox as an opt-in. This is a good example of how collaboration between noncompany technology providers can add functionality for a wide swath of users.
For instant messaging, people should be using Signal. And if theyre not using Signal, they should use WhatsApp.
Q: What about for email?
I'm involved with an effort to try to do a similar thing for email called Autocrypt. We have had email encryption technology available to us for 20 years. But encrypting email is painful.
Q: So painful that the creator of email encryption tells people to stop using email to send sensitive data.
Phil Zimmermann doesn't use it anymore. He says people should stop using it, but the fact is, that won't happen. And he knows that.
We have a responsibility as engineers to try to fix the systems people actually use. It's one thing for us to say, "Quit it." And it's another thing to say, "OK, we get it. You need email because email works in all these different ways."
I think we have a responsibility to try to clean up some of our messes, instead of saying, "Well, that was a mistake. All of you idiots who are still doing what we told you was so cool two years ago need to stop doing it."
We need to actually support it. This is a problem that I call the curse of the deployed base. I take it seriously.
The Autocrypt project is run by a group of email developers who are building a consensus around automated methods to give people some level of encrypted email without getting in their way.
Some of us deeply, intimately know the thousand paper cuts that come with trying to get encrypted email set up. We asked, "What's the right way to get around that for the majority of people?" And the answer we've come up with isn't quite as good as traditional encrypted email, from a security perspective. But it isn't bad.
When someone asks me how to use email encryption, I'd like to one day be able to tell him to use an Autocrypt-capable mail client, then turn on the Autocrypt feature.
From a solutions perspective, we don't necessarily handle everything correctly. But no one does traditional encrypted email properly. And encrypted email is a two-way street. If you want people to be able to do it, the people with whom you correspond need to also be doing it.
I expect to get a lot of shit, frankly, from some other members of the encrypted-email community. Five years ago, I would have said Autocrypt sounds dangerous because it's not as strong as we expect. That is, I might have been inclined to give people shit about a project like Autocrypt. However, I think that imperfect email encryption with a focus on usability will be better protection than what we currently have, which is actually clear text for everyone, because no one can be bothered to use difficult email encryption.
Q: How important is it for consumers to understand who's targeting them?
This is the other thing that I feel like we don't have enough of a developed conversation around. I'm a well-off white guy, working for a powerful nonprofit in the United States. We're not as powerful as we'd like to be, and we obviously don't win as many of the fights that we would like to win. But I don't feel that I'm personally, necessarily, a target.
Other people I talk to might be more targeted. I am responsible for pieces of infrastructure as a Debian [Linux] developer that other people rely on. They might be targeted. I could be targeted because they're being targeted.
When we talk about threats, we take an individualistic approach when, in fact, we have a set of interdependencies. You and I exchange emails, and all of a sudden, someone who wants access to your emails can go attack my email.
It used to be that I would set up a server, and you would connect to it to view my site. There were network intermediaries, but no CDN. Now there are both, and the CDN's privacy is my privacy is your privacy. All of these things are intermixed.
You have to think about the interdependencies that you have, as well as the threat model of the people who depend on you. There's responsible data stewardship; I don't think that people think about that actively.
My hope is that every organization that holds someone else's data will see that data as a liability to be cared for, as well as an asset. Most people today see other people's data as an asset because it will be useful at some point. Companies build venture capital on the basis of their user base, and on the assumption that you can monetize the user base somehow. Most of the time, that means sharing data.
We haven't yet seen a sufficient shift to companies treating user data as a responsibility, instead of just as a future pot of money. How do we ensure that organizations in this middleman position take that responsibility seriously? We can try to hold them publicly accountable. We can say, "Look, we understand you have access to this data, and we want you to be transparent about whom you leak it to. Or give it to."
I've been happy to see large companies make a standard operating procedure of documenting all the times they've had data requested by government agencies, but I don't think it's adequate. It doesn't cover who they've actually sent data to in commercial relationships.
Q: A big challenge to the effort to protect consumers from hacking and spying is the effort to encrypt metadata. Where does it stand today?
It's complicated by a lot of factors.
First, what looks like content to some layers of the communications stack might look like metadata to other layers. For example, in an email, there is a header that says "To", and a header that says "From". From one perspective, the entire email is content. From another, the "To" and the "From" are metadata. Some things are obviously content, and some things are obviously metadata, but there's a vast gray area in the middle.
When you're talking about metadata versus content, it helps to be able to understand that the network operates on all these different levels. And the idea of encrypting metadata doesn't necessarily fit the full bill.
In terms of the size and timing of packets, for example, say you sent K bytes to me. You cannot encrypt the number. But you can obfuscate it.
Take profile pictures. If you're serving up a cache of relatively static data like avatars, you can serve every avatar at the same size.
Q: Can you essentially hide other forms of metadata that can't be encrypted?
You can obfuscate an Internet Protocol address.
When I send you traffic over IP, the metadata at the IP layer is the source and destination address. If you encrypted the destination address, the traffic wouldn't reach the destination. So somebody has to see some of the metadata somewhere. And practically, realistically, I have no hope of encrypting, or protecting, the sending address. But maybe I don't need to present the source address.
Q: Whether you're padding existing traffic to hide the size of the information transferred, or making changes to how domain name servers operate, what are the associated costs? Additional traffic isn't free, right?
It's hard to measure some of the costs. But you'd measure padding to defend against traffic analysis in terms of throughput.
Imagine that your DNS was already encrypted. We know how to do it; we have the specification for it. Are we talking about an extra 5 percent of traffic? Or are we talking about an extra 200 percent or 2,000 percent of traffic? And if we're talking about DNS, what's the proportion of that traffic relative to the proportion of all of the other traffic?
DNS traffic is peanuts compared to one streamed episode of House of Cards.
Some traffic analysis savant will come along and say, "We found a way to attack your padding scheme," which is great. That's how the science advances. But it might cost your adversary two to three times more to decipher, because of the padding.
Q: If we step back from that, let's ask about other costs. Have you looked at the statistics for network traffic with an ad blocker versus no ad blocker?
Your browser pulls significantly less traffic, if it doesn't pull ads. And yet, as a society, we seem to have decided that the default should be to pull a bunch of ads. We've decided that the traffic cost of advertising, which is more likely to be privacy-invasive, is worth paying.
So yes, metadata padding will cost something. I'm not going to pretend that it doesn't, but we pay for what we value.
And if we don't value privacy, and thus don't pay for it, there will be a series of consequences. As a society, we'll be less likely to dissent. We'll be more likely to stagnate. And, if we feel boxed in by surveillance, we'll be less likely to have a functioning democracy.