The privacy discussion – How ISPs, search engines, and social media services collect your information

The repeal of the FCC Internet privacy rules has spurred on much discussion on privacy online and how companies collect and use that information.  I have fielded many questions on what this means for consumers and their privacy when going online, using search engines, and social media.  Some have wondered how Internet Service Providers (ISPs) differ from search engines and social media in how they collect consumer data.

The difference between how ISPs and social networks or search providers collect and use data comes down to the how easy it is for consumers to switch from one provider to another, the ability to opt out, and the ability to circumvent data collection.

Switching services

The primary difference is in how easy it is for consumers to switch providers.  Search engines are the easiest.  Simply navigate to another search engine, such as DuckDuckGo which does not track its users, and issue the same search.  Yes, the results may vary, and you may be less satisfied with the results, but the process is simple.  It takes very little time, and the impact is not great.  However, search providers offer more than just searching.  Email, cloud services, stock tracking, shopping and other services may also be tied into your search account, so for consumers to fully move away from the platform, they must also adopt new providers for each of these services.

It is a little more difficult with social networks because not all users are on all social networks and social networks cater to certain types of social sharing.  If a user decides they do not like how one social network uses their data, so they decide to leave, they may be unable to communicate with some people who are not on the next social platform of choice, or they may miss out on updates from some of their contacts.

Now let’s look at ISPs.  To change ISPs, a user must contact the ISP, which might involve breaking a contract and paying fees.  They must then pay for new service from a different ISP and wait until that provider can connect their service.  This might result in a period where the user cannot connect online.  There are some cases where there is only one ISP in the user’s region, so they have no choice but to work with that ISP no matter what their privacy policy is.

It is clear that it is more difficult for consumers to change their ISP or their social network than it is for them to change their search engine.  However, it is not clear whether it is more impactful for consumers to change their ISP than their social network.  It may also be more difficult for consumers to switch their search provider if they intend on fully disconnecting from that provider because this involves changing email, shopping, and other services as well.

Opting out

There is also a difference between ISPs and social or search providers in the ability for users to opt out.  Prior to the privacy rules that were recently repealed, ISPs opted in each user but allowed them the ability to opt out.  This is something that Facebook and Google do not do.  If you want to use Facebook and Google, you will be tracked and your data used.

Circumventing data collection

I believe the largest difference between the ISP and the social network or search providers and their collection of data is that ISP data collection can be circumvented with the use of a VPN.  ISP data collection takes place because they are an intermediary to the communication channel.   This gives them a broad view of the myriad tasks a household performs online which can be valuable in building a profile of a household.  However, the entire process can be circumvented by utilizing a VPN.  When users are on a VPN, the ISP only sees connections originating from the household (IP address) and going to the VPN service.  They do not see the traffic that goes over the connection since it is encrypted.  However, the services at the other end still do see the traffic since the traffic is designated for them.  In order to use a social network, a user must log in, and requests must be sent to the social network.  Requests cannot be sent to an intermediary to perform on their behalf.   The only alternative would be for users to set up fake or random accounts that are used for perusing social networks and then discarded but the use case of such a system would be limited due to the requirement of sending friend requests, and it would violate many social network’s terms of use.

This article is sponsored by JURINNOV, a TCDI company specializing in cybersecurity and computer forensic consulting services.

Regaining your anonymity online

Anonymity has been a longstanding hallmark of the Internet but you should no longer assume that your online activities are anonymous.

A vast amount of information is collected as you use the Internet. Search engines store the key words you search for and the pages you visit, browsers store web history, which may be integrated with the cloud, and websites store information your activities on their sites. Your IP address provides information on your general location and many applications can track your location data, obtained from your address or from GPS.

It takes a concerted effort to regain your anonymity. Anonymity must be protected from end-to-end starting with the operating system and then progressing to your network address, browser and search engine.

Operating System

Last month I wrote about the privacy features and flaws of Windows 10. What many don’t realize is that their operating system is collecting information on their activities which could be retrieved by malware or published to the cloud for data mining. This can be avoided by using an operating system that runs off a CD or DVD. Such systems, called “live” operating systems, run in memory, a storage component of your computer that retains data only while the computer is powered on. This data is not retained when you shut down the computer or restart it. CDs or DVDs are typically read-only, meaning that data cannot be written to them. Files that you are working on can be saved to a flash drive but operating system logs of activity are not stored with live operating systems. Similarly, spyware, malware and other junk cannot install on a live operating system. This further protects you against threats to your anonymity.

Network Address

Each device that connects to the Internet identifies itself with a unique IP address. This address can indicate your location and it can be used to correlate activity collected from multiple sources in order to build a profile on you. One method of obscuring this address is to use a proxy. A proxy requests Internet resources on your behalf and then presents them to you so that the requests appear to originate from the proxy rather than you.

However, one must be careful in using proxies because not all are intended for anonymity. Some send a forwarder that indicates where the data originated and others send data in the clear so that it can be potentially intercepted. Choose a proxy that uses SSL encryption and does not use http “forwarded for” headers. Another limitation of proxies is that attackers see them as a potential target because of the high volume of traffic traversing them. Compromised proxy servers could put your information in the hands of cyber criminals.

The Onion Router (TOR) extends the proxy model by bouncing connections between many computers within its network and then delivering the final request from one of many endpoints. Data within TOR is encrypted using SSL. It is still possible for a TOR server to be compromised but that server would only see a small portion of your traffic or possibly none at all depending on how your traffic was routed through the TOR network. The downside of using TOR is that connections are often slow due to the latency incurred by traversing so many computers.

Browser

The most common browsers are Internet Explorer, Mozilla Firefox and Google Chrome. Internet Explorer or its replacement, Edge, is the default browser on Windows machines. Linux variants often come equipped with either Firefox or Chrome, depending on the distribution. Each of these browsers has their share of privacy flaws but your choice of browser is much less important than the privacy settings you select within the browser. Restrict cookies and set your browser security settings to the highest level that still allows you to browse with ease. Many browsers also include a private browsing mode. This is very useful for restricting information from being collected by your browser on your activities while in this mode.

Search Engine

Most of the search engines collect data on your browsing habits so they can target ads to you and improve their search rankings. Some search engines share or sell this information with other parties. However, Duck Duck Go is a search engine that does none of these things and it is a valuable tool for searching the web anonymously.

These technologies and techniques can all be used to protect your anonymity. However, they provide the best protection when used together. It may not be feasible for you to use all of them. For example, you may need to use an application at the same time while you browse, making a live operating system impractical or you might want to test searches in a specific search engine. I encourage you to use as many as possible.  You may additionally use a virtual private network (VPN) to connect to your workplace or other common resources so that traffic between your computer and the VPN is encrypted and you can use wiping tools to more effectively erase data from your machine after deleting it. However, a discussion on these tools will have to wait for another article.

Continue reading

What you need to know about Windows 10 Security and Privacy

Microsoft officially launched its successor to Windows 8.1, Windows 10, on July 29, 2015, and millions have already downloaded this free upgrade or utilized Microsoft’s queued digital delivery system. Windows 10 offers users many new features including a new browser and integrated Cortana search which essentially means that your operating system is integrated with the cloud. However, don’t let all these features and launch celebrations distract you from its security, which is somewhat in the fine print.

By default, Windows 10 collects information from your microphone, location, camera, handwriting, and searches. According to Microsoft’s privacy statement, this information is used to provide services. For example, Cortana uses location, speech, handwriting and searches to provide intelligent information to you. The information is also used to send product and service information, distribute security notices and display advertisements. Information is shared with Microsoft affiliates, subsidiaries and vendors. This is a common practice for many companies and Microsoft explicitly states that they do not collect information from email, chat, video calls, voice mails, and personal files for advertisement targeting. However, unlike the web, your operating system is resident on your machine, potentially collecting information even when you are not actively using the computer.

The good news is that the default tracking can be disabled by editing Windows 10 and the Edge browser privacy settings. Microphone, location, and camera settings can be managed by clicking start and then going to settings and finally privacy. This will open the privacy menu. Search privacy is managed by opening the Edge browser then going to advanced settings under settings. After viewing advanced settings, you will see a privacy section where you can turn off the Cortana search assistance called “Have Cortana Assist Me in Microsoft Edge.” You can also manage some settings online by opting out of ads based on browsing history and interests here.

As a side note, Windows 8 integrated Microsoft online accounts with local accounts which allow Microsoft to combine data gathered from multiple computers linked to a Microsoft account and online activities together. This is also present in Windows 10, but you still have the option to use a local account rather than a Microsoft account. Using a local account will disable some application downloads and synchronization features, but it will limit the data collected to that machine so that it is not integrated with usage on other platforms or the Microsoft online community. This also prevents someone who compromises your online account from remotely accessing your computer using that account or vice versa.

Windows 10 includes a feature called Wi-Fi Sense. This feature allows your contacts to connect to your wireless network, and it has received a lot of negative press after its release. However, initial concerns raised were premature or exaggerated. Wi-Fi sense is not turned on for all your contacts automatically. Contacts are not granted access to your network unless access has been assigned and this is only available after you make a wireless network available for sharing. This feature makes it easier to allow friends to connect to your network without providing the wireless password to them, and the feature can be disabled if and when it is not needed.

What about the good features?

Windows 10 also comes packed with new security features. It has Device Guard to protect against unsigned applications, support for biometric authentication through Windows Hello, new security features in Microsoft’s Edge browser and a suite of parental controls.

Device Guard blocks unsigned applications from running on the machine. This helps prevent malicious programs and infected program files from executing malicious code on your computer. For a program to run, the software company must sign the installer file with a key that only they have. Windows checks this key to verify that the file originated from the software company and not some other third party such as a hacker and allows the installation if the key is verified.

Second, Windows 10 now supports multiple ways to log into your computer including face, eye, and fingerprint authentication through a feature called Windows Hello. The software is built into the operating system, and users just need to attach biometric devices that are Windows Biometric Framework supported to use the feature. Third party support has existed for biometric authentication for quite some time, but Microsoft’s adoption allows for enterprises to integrate biometrics into their identity management systems through native Microsoft technologies.

Microsoft’s built in browser, Edge, helps prevent websites from tampering with your machine or stealing credentials through new security controls. Edge is equipped with an even better version of SmartScreen phishing detection that checks the reputation of sites you visit while Passport encrypts saved passwords. The browser also supports W3C content security policy and strict transport security standards. Furthermore, the browser is remarkably fast with all these controls under the hood.

Lastly, Windows levels the parental controls playing field with Mac OS and even adds a few new features through Family Features. These features allow parents to better control the programs their children run and the content they view online. Parental controls include time limits on logins, block or allow rules for applications and games, web filtering and activity logging.

In the end, I think Windows 10 is a good step forward in both features and security, but it can be enhanced by turning off a few features, especially if you are not using those features. Remember that Windows 10 is still new so there will most likely be many updates as these features are put under the strain of attacks and normal workloads.

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. For more on these topics, visit Dell’s thought leadership site PowerMore. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.

Interesting questions on virtual reality and gaming

We are getting closer and closer to virtual reality.  Some companies such as Google and Oculus have already produced virtual reality headsets and others are on the way such as the Sony PlayStation VR.  These systems offer only the headset component of virtual reality.  We have yet to develop two-way communication to and from the brain so that VR so that stimuli can be sent directly to the brain and so that players can interface with the VR system by sending the appropriate physical signals that are translated into virtual ones. However, the introduction of these initial systems will likely generate the support and refine existing technologies to bring us closer to that point.

I recently started watching an anime called Sword Art Online and I have to say that I am fascinated with it.  The series chronicles various players in a virtual reality massively multiplayer online game (VRMMO) while discussing a variety of important topics such the psychology, ethics, social costs and benefits, relationships and gender.  While VR has been discussed in science fiction for quite some time now, I found that the questions raised by the series were more relevant to today’s technological and social landscape.

Here are some of the questions that were raised in the series or ones that I asked myself as I watched the series:

1. How “real” are in-game relationships and in-game experiences as compared to real life?

2. When games present an immature culture, lacking in societal norms, how ethical is it to exploit the differences between real-world and in-game expectations?

3. Are the actions taken by persons in a video game indicative of their character or heart condition?

4. What are the consequences of exploring repressed or recessive character traits by allowing them to become dominant in an in-game persona?

5. At what point does protecting your privacy online cross the line and become dishonesty or misrepresentation?

6. Can gaming be used as a healthy tool for emotional recovery from a traumatic incident?

7. Will virtual reality blur the lines between fantasy and reality?  What about augmented reality? (Google Glass, Microsoft HoloLense)

8. Are advertisements that influence your thoughts and desires directly through a video game simply a more advanced way to appealing to human psychology and physiology or are they ethically wrong?

9. What are the social consequences of virtual research and simulation involving human subjects?  What are the consequences for researchers conducting virtual research or simulation on non-human subjects?

10. Is a game just “a game”?

11. What are the economic consequences of integrating game economies with real economies through real money exchange rates?  Should in game markets that utilize real money exchanges be subject to oversight and by whom?

12. Should there be a standard for in-game rights and legal recourse for those who violate those rights?  Legal issues might include in-game property rights, defamation of character/game persona/avatar, sale of virtual assets, transference of virtual assets or online personas upon death.

13.  Does the immediate gratification of a video game reduce a person’s motivation for self-development in the real world?

An elegy for privacy

In childhood I dreamed of a world quite grand
Where my name and face were far from mystery
A life far removed from one boring and bland
Popular, famous, in fact, pure fantasy

How could I know that my dream would become real
My name and identity are known far and wide
Governments, stores, and thieves don’t need to steal
I’ve given it freely, when asked, I provide

Now everything is different, complex, distorted
Reportedly the data on me is vast
All that I do is electronically recorded
Much of it collected to chronicle my past

I’m lacking in answers but mired in questions
How do you know data collectors will be honest?
If they’re not tracking me, explain ad suggestions
Is this the future that technology promised?

Oh give me the life that was simple and understood
When I was myself as no other could be
Alas it is gone and lamenting is no good
All that I want is a little privacy

No Place for Privacy

While many people think that a person’s social media posts, photos, and conversations are protected as private information, especially if the user has “private” settings, courts have thus far denied this privilege. In one case in Virginia, an attorney advised his client to delete incriminating photos from his Facebook and later deactivate the account. This was considered spoliation, or destruction of evidence, and it led to fines for both the client and the attorney.  It may actually end the attorney’s career.

Lawyers need to be careful when they advise clients on their privacy rights on sites such as Facebook, Twitter, Linkedin, MySpace, and other social media sites.  Privacy on these social media platforms cannot be assumed.   The Gibson Dunn 2011 Mid-Year E-Discovery Update says that individuals do not have a reasonable expectation of privacy in social media whether they have configured the privacy settings or not.

Even with privacy settings on, the social media site has access to your data and will use it for advertising or in aggregate for data mining.  The privacy policies of many social media sites allow them great latitude in what they can do with your data including selling it to other companies, using it for targeted advertising, and in some cases, owning the content you produce on the site.

Social media evidence is also increasingly important in cases and lawyers need to know how to properly preserve such data for court.  Work with a competent forensic team to obtain the data in an evidentiarily sound manner.

Search Activity Correlation

I looked at my Google search history today.  Google tracks each search that you make when logged in with your Google account and it can be a handy way to go back to previous searches, but it is much more powerful than that.
The Google search history can be found when you are logged into your Google account.  Simply click the history tab at the top and view the previous searches you have issued.  It really gets interesting when you look at the metrics that Google is collecting on your search habits.
I wondered if my search history is directly correlated with my productivity.  If so, my most productive times are at 11:00 AM and 4:00 PM with the surrounding times slightly less productive.  I have frequently said that I gear up from Monday and peak at Thursday but then start to die down on Friday.  The search activity shows that, for the most part, this is true except that I do a little bit more searching on Mondays than I do on Tuesdays.
If this little bit of information can give me insight on my productivity habits, how much more can it offer others and how much more valuable could it be when combined with other metrics and data on how I operate on a day to day basis.  I am eager to learn more about my habits and how to be more productive.  Some of my students are reviewing their search history and we are going to do an in-class exercise to examine our own online habits.  I also plan to look at our technology use and compare it to the time we spend away from technology because sometimes you are most effective when you are not using or distracted by technology.
Search Activity