Age and Perversity in Computer Security

I’ve observed a phenomenon in computer security: when you want something to be easy, it’s hard, and when you want the same thing to be hard, it’s easy. For example, hard drives fail seemingly at random, and then it’s hard to recover the data. Yet when you want to destroy the data, that turns out to be surprisingly hard too.

I call this my law of perversity in computer security.

Today, Kashmir Hill brings a great example in “So which is it?”

Privacy online

Contradiction much? When it comes to the state of online privacy, the media tend to send mixed messages, but this is one of the more extreme examples I’ve seen.

It’s just perverse: it’s hard to be sure when someone wants to rely on the data to protect kids, but it’s easy (for marketing firms) when we prefer to remain private.

Future of Privacy Seeks Input

The Future of Privacy Forum (FPF) is an interesting mix of folks trying to help shape, well, the future of privacy. They have an interesting mix of academic and industry support, and a fair amount of influence. They’re inviting authors with an interest in privacy issues to submit papers to be considered for FPF’s third edition of Privacy Papers for Policy Makers.

The selected papers will be distributed to policy makers in Congress, federal agencies and data protection authorities internationally.

PRIVACY PAPERS FOR POLICY MAKERS 2012
The Future of Privacy Forum (FPF) invites privacy scholars and authors with an interest in privacy issues to submit papers to be considered for FPF’s third edition of “Privacy Papers for Policy Makers.”

PURPOSE
• To highlight important research and analytical work on a variety of privacy topics for policy makers
• Specifically, to showcase papers that analyze current and emerging privacy issues and either propose achievable short-term solutions, or propose new means of analysis that could lead to solutions.

For more info, http://www.futureofprivacy.org/issues/fpf-advisory-board/.

Mozilla’s Vegan BBQ

The fine folks at Mozilla have announced that they’ll be hosting a BBQ in Dallas to thank all their supporters. And the cool thing about that BBQ is it’s gonna be vegan by default. You know, vegan. No animal products. It’s good for you. It’s the right default. They’ll have dead cow burgers, but you’ll have to find the special line.

Obviously, I’m just kidding. Mozilla isn’t hosting a vegan BBQ in Dallas, but they are hosting one for your browsing privacy, by their choice for the “Do Not Track” (DNT) setting.

Poll after poll shows that people around the world prefer privacy, in the same sort of way they prefer cow burgers. This preference is stable, extending back decades, and being shown in nearly every poll. So why is Mozilla defaulting to not setting DNT?

Meanwhile, [some participants in] the W3C [working group are] suggesting that the best we can possibly do is that whenever you install a new browser, it goes through an Eliza-like process of interviewing you about weird technical settings, rather than having a great first-run experience.

Now it’s true, some people are ok with a tradeoff between what advertisers want (to trade content for ads) and what they want (privacy). Some advertisers go so far as to claim that there would be no content without ads, and they are, simply, flatly wrong. There is, and will continue to be, content like this, which I hope you’re enjoying. I’ll draw to your attention that this blog is ad-free. We write because we have ideas we want to share. I’m sure that with fewer ads, we’d see less Paris Hilton ‘content’. But more importantly, the advertising industry is good at spreading messages. If they need DNT “off”, perhaps they could spread the message of why that’s a good thing for people, and, as is their wont and charter, convince people to make that change.

But the simple truth, known to the ad industry, the W3C and to Mozilla, is that most people prefer not to be tracked, in the same way most people prefer beef burgers. The “please let us track you” people have a hard message to spread, which is why they prefer to fight in relative obscurity over defaults.

Some additional background links: “Ad industry whines while privacy wonks waffle,” “Could the W3C stop IE 10’s Do Not Track plans?”

I should be clear that my distaste at the idea of a vegan BBQ is mine. Even if my employer and I both prefer beef burgers, my opinions are mine, theirs are theirs, and I didn’t cook this blog up with them.

[Update: Clarified that I didn't mean to imply the decision was that of the W3C as a whole.]

Study: More than 90% of Americans Take Action on Privacy

That’s my takeaway from a new study of 2,000 households by Consumer Reports:

There are more than 150 million Americans using Facebook at this point, and that number is growing. … a new exhaustive study from Consumer Reports on social networking privacy found that 13 million American Facebook users have never touched their privacy settings. (“Study: 13 Million People Haven’t Touched Facebook Privacy Settings“, Consumerist)

Consumerist’s headline focused on the small portion who haven’t touched their privacy settings. I think much more interesting is that, based on the Consumer Reports numbers, 91% of Americans have taken the time to dig into Facebook’s privacy controls. Also, 72% lock down their wall posts. Those are privacy-protective actions, and we regularly hear how those privacy controls are hard to use, and how frequently Facebook changes them.

We often hear privacy-invaders making claims that Americans don’t care about privacy, or won’t do anything about it. Those claims are demonstrated to be false, and false amongst even those least likely to be privacy-concerned (young, willing to be on Facebook).

So next time you hear someone make one of those claims, ask them why 91% of Americans change their privacy settings.

As an aside, the article has a really clear summary of the many privacy problems around Facebook.

Calyx and the Market for Privacy

So there’s a new startup in town, The Calyx Institute, which is raising money to create a privacy-protecting ISP and phone company. I think that’s cool, and have kicked in a little cash, and I wanted to offer up some perspective on the market for privacy, having tried to do this before.

From 1999 until 2002, I was Director of Technology and Most Evil Genius at Zero-Knowledge Systems, a Montreal-based startup devoted to delivering privacy-enhanced internet services. Zero-Knowledge raised approximately $71 million to deliver internet privacy, and then had to pivot its business model (before pivoting was trendy). Because management pivoted and found value in what we had built, the company didn’t deliver on the privacy dream, but it did make good money for shareholders.

It’s my hope that Calyx can deliver more privacy to more people over a longer time, and make money for shareholders as it does so. To do that, they’ll need to move from the excitement accompanying their announcements to delivering products in the market. So let me turn to:

The market for privacy
There’s a lot of excitement. Nearly a thousand people have donated cash. They’ve put together a nice advisory board. That’s because people care about privacy. A lot of folks claim that there’s no market for privacy (pointing to things like Zero-Knowledge), but I believe that they’re wrong. There is a market, and it’s hard to tap into.

One of the key reasons it’s hard to tap into the market is because privacy means different things to different people. It means so many things that there’s a good book on “Understanding Privacy.” (My review.) So, does privacy mean the same thing to consumers as it will to Calyx? Resisting demands from 193 national intelligence services is great, but what about protecting me from advertisers? The disjointed things people mean by privacy make it challenging to ensure that you line up with people’s concerns.

Another issue is that privacy is rarely a thing sold in and of itself. Privacy is an aspect of some service, either by providing a privacy-protecting version of the service, or privacy protection against the service. A privacy-protecting ISP has to offer me ISP service equivalent to what I get today, or some bundle that makes sense for me. For example, I pay extra because Speakeasy didn’t demand my SSN, and had technically competent people answering the support phones. They’re less awesome since Megapath bought them, but they’re not Comcast, and they’re not running for most infuriating company in the country. Tor is an example of privacy protection against your ISP. You have to get the whole bundle right, which is likely going to be harder than getting the bundle right without privacy. Of course, sometimes it’s easier. By billing my credit card, Speakeasy doesn’t need to collect my SSN, doesn’t need to protect it, and doesn’t need to pay for a credit check. (They do have to pay a monthly cut to the credit card company, but Comcast probably also pays that for most of their customers.)

That said, consumers do care about privacy, and do spend money on it when they can understand the threat and the defense. It requires entrepreneurs and hackers willing to experiment, and eventually someone’s going to make a boatload of money doing so.

For more in-depth comments on this, see my home page, especially the end of 2002 and the start of 2003.

With that, let me turn to some questions about…

What Calyx is doing
Let me start with two quotes, which are the sum of my knowledge:

This project’s goal is to raise funds for my nonprofit organization, Calyx Institute, which will launch a privacy-focused Internet Service Provider and mobile phone service using end-to-end encryption technology.

and

Through other partnerships, we are poised to offer Internet service in 70 markets in the US using wireless spectrum which we will bundle with end-to-end encrypted Virtual Private Network (VPN) technology in order to keep the customer’s data as private as possible. The next products on the roadmap include hosted email and cloud storage/sync systems that utilize public key cryptography so that only the user possesses the key required to decrypt their email or files. This means that the provider (Calyx) will not be able to read your email or files even if it wanted to. And if Calyx can’t read it, it can’t be targeted by unconstitutional surveillance tactics. (Both quotes from “The Calyx Institute fundraising page“)

So running a privacy-preserving ISP is great. And again, I want what I have to say to be heard in the context that I’ve given them money to help them get going.

My first questions are around the ISP part of the business. Is this an ISP in the form of “I can buy a DSL line from them” (or otherwise get internet service directly)? If it’s a partnership, how are we protected from the partner? Encryption is all well and good, but if I don’t have cover traffic, then my use or non-use of the service gives out information. Someone at the entry node (say the partner) who chooses to collaborate with someone who can watch the exit node (say the NSA, or the FSB/KGB) can figure things out over time. This issue is fundamental to all low-latency internet-based privacy systems, including the Freedom Network that Zero-Knowledge operated, Tor, etc. The fix, approximately, is sufficient and continuous cover traffic that exceeds the bandwidth actually in use, so that the link looks the same whether or not you are using it.
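A toy model of the entry/exit timing correlation described above, and of why constant-rate cover traffic defeats it, as an added example; this is not code from Calyx, Zero-Knowledge or Tor, and the traffic pattern, latency and padding rate are constructed values.

```python
"""Toy model: an observer at the entry node and one at the exit node try to
match the same user's traffic; constant-rate padding removes the signal."""
from statistics import mean, pstdev

# Constructed per-second byte counts of one user's real traffic: idle
# stretches and bursts, the kind of shape a few page loads produce.
REAL_TRAFFIC = [0, 0, 0, 1200, 1500, 1500, 300, 0, 0, 0, 0, 0,
                900, 1500, 1100, 0, 0, 0, 0, 700, 0, 0, 0, 0]
LATENCY = 2          # assumed seconds between the entry node and exit node
COVER_RATE = 1600    # bytes/s of padding; must exceed the peak real rate


def entry_view(real, cover_rate=None):
    """What an observer at the entry node (e.g. the partner ISP) sees."""
    if cover_rate is None:
        return list(real)                # raw usage leaks the whole pattern
    if max(real) > cover_rate:
        raise ValueError("cover traffic must exceed the bandwidth in use")
    # Padded link: every second carries exactly cover_rate bytes whether the
    # user is active or idle, so the entry side looks the same either way.
    return [cover_rate] * len(real)


def exit_view(real, latency=LATENCY):
    """What an observer at the exit node sees: the same shape, delayed."""
    return [0] * latency + list(real)


def pearson(xs, ys):
    """Correlation coefficient; a constant series carries no signal."""
    n = min(len(xs), len(ys))
    xs, ys = xs[:n], ys[:n]
    sx, sy = pstdev(xs), pstdev(ys)
    if sx == 0 or sy == 0:
        return 0.0
    mx, my = mean(xs), mean(ys)
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / (n * sx * sy)


def best_match(entry, exit_, max_lag=5):
    """Slide the entry series against the exit series and report the lag
    with the strongest correlation: the colluding observers' confidence
    that the two recordings belong to the same user."""
    best_lag, best_corr = 0, -1.0
    for lag in range(max_lag + 1):
        corr = pearson(entry, exit_[lag:])
        if corr > best_corr:
            best_lag, best_corr = lag, corr
    return best_lag, round(best_corr, 3)


def demo():
    """Return (lag, correlation) without and with cover traffic."""
    exit_ = exit_view(REAL_TRAFFIC)
    no_cover = best_match(entry_view(REAL_TRAFFIC), exit_)
    with_cover = best_match(entry_view(REAL_TRAFFIC, COVER_RATE), exit_)
    return no_cover, with_cover


if __name__ == "__main__":
    print(demo())   # unpadded: the latency and a perfect match fall out
```

Encryption plays no part in the model: both observers see only byte counts per second, which is exactly why the padding, not the cipher, is what hides usage.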

The second comment, which derives from that, is about “if Calyx can’t read it, it can’t be targeted by … surveillance tactics.” That is simply untrue. An observer who can see more can apply more clever analysis, and traffic patterns remain visible even when the content is encrypted. I’m willing to forgive this as an aspirational statement today, but it’s important for privacy providers to ensure that they don’t over-promise.

My next question is why New York? Because the founder is there? The NYPD has done some bad things in the civil liberties camp, including for example surveillance of mosques without cause, kettling and rounding up protesters and bystanders without cause during the 2004 Republican Convention. Does New York have the most favorable laws in the US for this sort of thing?

When we get to the phone company idea, I’m in favor of the idea, but operating a nation-wide mobile phone service is expensive. If you don’t run a network yourself, you can operate as a “Mobile Virtual Network Operator” (MVNO). But if Calyx does so, then the network operator from whom it leases bandwidth can see IMEI numbers and otherwise fingerprint phones. There are some interesting challenges here, and we need to know more to understand what Calyx can deliver.

In conclusion
There is a market for privacy, and there is a market for private internet services. Calyx has an opportunity to tap into such a market, but it’s tricky and complicated to do so successfully. There are a lot of hard questions to be addressed along the way. However, it’s important to remember that privacy is an important and cherished value for excellent reasons. Calyx is unlikely to be either perfect, or as bad as the main players in today’s market. So they deserve your support, your attention, and perhaps even your money. Why not go donate?

Chaos Emerges from Demanding Facebook Passwords

On the off chance that you’ve been hiding under a rock, there’s been a stack of news stories about organizations (both private and governmental) demanding people’s Facebook passwords as part of the process of applying for jobs, with much associated hand-wringing.

In “I hereby Resign“, Raganwald discusses the downside to employers of demanding to look through people’s Facebook profiles:

I got her out of the room as quickly as possible. The next few interviews were a blur, I was shaken. And then it happened again. This time, I found myself talking to a young man fresh out of University about a development position. After allowing me to surf his Facebook, he asked me how I felt about parenting. As a parent, it was easy to say I liked the idea. Then he dropped the bombshell.

His partner was expecting, and shortly after being hired he would be taking six months of parental leave as required by Ontario law. I told him that he should not have discussed this matter with me. “Oh normally I wouldn’t, but since you’re looking through my Facebook, you know that already. Now of course, you would never refuse to hire someone because they plan to exercise their legal right to parental leave, would you?”

I think it’s a fascinating bit of chaotic blowback, and one that employers and applicants will be exposed to more and more as “social network background check” services help focus what search engines or marketers can already tell us.

In other words, be careful what you ask for, you might just get it.

For the first time in a long time, I’m tempted to set up a Facebook account.

Browser Privacy & Fingerprinting

Ivan Szekely writes in email:

A team of young researchers – my colleagues – at the Budapest University of Technology and Economics developed a cross-browser fingerprinting system in order to demonstrate the weaknesses of the most popular browsers. Taking Panopticlick’s idea as a starting point, they developed a new, browser-independent fingerprinting algorithm and started to build a system-fingerprint database for further analysis. The description of the method and the analysis of the fingerprints can be read at http://pet-portal.eu/articles/view/37/2012-02-20-User-Tracking-on-the-Web-via-Cross-Browser-Fingerprinting.php (the site is tri-lingual; if other-language articles appear on your screen, click on the English flag).

By now the team has developed a new version of the fingerprinting system and is working on an effective method to prevent fingerprinting. In order to fine-tune the defense against fingerprinting, my colleagues need your feedback. Please click on http://fingerprint.pet-portal.eu, make a few tests and share your comments and suggestions with the developers.

Please take a second to visit http://fingerprint.pet-portal.eu and help them and us understand browser fingerprinting.

More on Real Name Policies

There were a couple of excellent posts about Google+ which I wanted to link in, but the post took a different path:

  • Google+ and The Trouble With Tribbles

    The trouble with social is that it is social – with all the norms, behaviors and expectations that come with that. You cannot re-engineer that overnight (Facebook is being far more successful in doing so using far more insidious means). Facebook also has a policy of Real Names, but it realizes that to make the social work you have to cater to the psychology of the users. So there are no identity verification processes, no automatic suspension of accounts and schemes that entice us to provide real data instead of telling us to do so. The fidelity of the data is proven by its socially verified reputation, not because there is a policy document that can be pointed to (at the end of the day, a much more robust and legitimate mechanism).

  • For Ceorl Onlyone, thanks…

    “As I’ve said previously, I left Facebook and Google+ because I could see the direction and I discerned the narrowing that indicates both subtle and direct attacks upon choice and privacy. I left because my presence was a reason for my family, friends, and peers to remain.”

  • The Social Graph is Neither.
    There’s no clear pull quote, but boy is this a great de-construction of the phrase (and product name) “the social graph”. Read it carefully, and you’ll never hear those words the same way.

  • In a number of places, including “Take back the comments: stop online harassment” and comment on “Why it Matters: Google+ and Diversity, part 2,” Kathy Sierra says:

    Keep the pseudonyms and lose the assholes.

Previously: “Google+ Failed Because of Real Names” and “Yes, Google+ Is a Failure”

Yes, Google+ Is a Failure

One of the most common bits of feedback about my post “Google+ Failed Because of Real Names” is that Google+ is now a huge service, and that the word failed is an exaggeration, or a trick of the rhetorician.

Some folks might advise me to stop digging a hole, put down the shovel and walk away. But I’m going to pick up that shovel, and try to convince you that I’m not exaggerating. Google+ may not be a New Coke level failure, it may be a successful failure, but it’s a failure nonetheless.

The goal of Google+ is to dominate the social network space, replacing Facebook, LinkedIn and Twitter, and building a moat around Google’s core business of advertising. That moat ought to consist of Google having more information about you than the CIA does (ok, that’s hyperbole. The CIA can’t store that much info). The moat ought to be that Google can show your wallet-name ads that tug at your wallet-strings.

Do you really think that Google wanted to enter this market to play second-fiddle to Facebook? Do you think that Google is happy that Facebook is going to pop out in the biggest IPO in history real soon now, giving them a massive war chest?

I think that the answer is fairly obviously a no. Now, you could argue that Google+ is en route to topple Facebook. That Google will take three tries to get it right or something, like they did with Search and Mail and Maps. (Oh, wait, they didn’t take three tries on any of those.)

What’s more, I don’t think that no was pre-ordained because of Facebook’s massive user-base. People were willing to show up at Google+ and explore. And that exploration rapidly foundered on the nymwars.

I think the system could and should have done better, if Google wasn’t so hell-bent on controlling what name people could display for themselves.