Is your data secure?
 privacy and trust in the social web


Phil Cryer
616 Collab
Saint Louis, Missouri, US

Warsaw, Poland - February 24, 2012




v1.00 any updates will be posted here: http://bit.ly/pc-slides
Warsaw, Hotel Marriott Courtyard, 23-24 February 2012




• privacy advocate
• security researcher
• infrastructure engineer
• open source technologist




                             Photo courtesy of Dmitry Mozzherin
“With social media,
users’ vanity has
trumped previously held
mores concerning
privacy”
                  me, 2011
People’s data on social
networks becomes
permanently shared.
So what will companies
do to monetize all of this
data they collect?
Use it to better target
you with ads, of course.
To you, your social
profile...
=
Data
Your data
But to the social media
companies...
Your data
=
http://cheezburger.com/View/2362193664
So, how much should
people worry about the
loss of online privacy?


http://online.wsj.com/article/SB10001424052970204190704577024262567105738.html
Danah Boyd “People want to share. But that's
different than saying that people want to be
exposed by others.”

               Protecting privacy is about making certain that people
               have the ability to make informed decisions about how
               they engage in public. I do not think we’ve done enough.

               That said, I am opposed to approaches that protect people by
               disempowering them. I want to see approaches that force
               powerful entities to be transparent about their data
               practices. And I want to see approaches that put restrictions on
               how data can be used to harm people.




http://online.wsj.com/article/SB10001424052970204190704577024262567105738.html
Chris Soghoian “...we now regularly trade our
most private information for access to
social-networking sites and free content”

               The dirty secret of the Web is that the 'free' content and
               services that consumers enjoy come with a hidden price:
               their own private data.
               Many of the major online advertising companies are not
               interested in the data that we knowingly and willingly share.
               Instead, these parasitic firms covertly track our web-
               browsing activities, search behavior and geolocation
               information. Once collected, this mountain of data is analyzed
               to build digital dossiers on millions of consumers, in some cases
               identifying us by name, gender, age as well as the medical
               conditions and political issues we have researched online.




http://online.wsj.com/article/SB10001424052970204190704577024262567105738.html
Whose Life Is It Anyway? Consumers are learning
their data is currency




http://www.adweek.com/news/advertising-branding/whose-life-it-anyway-137537



Each year, companies in the U.S. spend
more than $2 billion on third-party
consumer data, according to Forrester
Research. [...] growing at such a fast clip that
the World Economic Forum and other futurists
have called personal data the “new oil.”



http://www.adweek.com/news/advertising-branding/whose-life-it-anyway-137537
Could your privacy be bought from you?




http://www.forbes.com/sites/kashmirhill/2012/02/09/your-online-privacy-is-worth-less-than-a-six-pack-of-marshmallow-fluff


Google [...] wants “panelists” for a program called
Screenwise who will add a browser extension in
Chrome “that will share with Google the sites
you visit and how you use them” — information that
Google will study in order to improve its products and
services.




http://www.forbes.com/sites/kashmirhill/2012/02/09/your-online-privacy-is-worth-less-than-a-six-pack-of-marshmallow-fluff


What’s in it for you? Up to $25 in gift cards. [...] a
$5 Amazon.com Gift Card code instantly when you sign
up and download the Google Screenwise browser
extension. [...] $5 Amazon.com Gift Card codes every
three months for staying with it. It’s our way of saying
“Thank you.”




http://www.forbes.com/sites/kashmirhill/2012/02/09/your-online-privacy-is-worth-less-than-a-six-pack-of-marshmallow-fluff
$25 USD per year



http://www.forbes.com/sites/kashmirhill/2012/02/09/your-online-privacy-is-worth-less-than-a-six-pack-of-marshmallow-fluff
“New research finds people fork over $5,000
worth of personal information a year to
Google in exchange for access to its “free
services” such as Gmail and search.”



http://blogs.smartmoney.com/advice/2012/01/25/who-would-pay-5000-to-use-google-you
“If you’re not paying for
the product, you are the
product.”
•   More than 800 million active users

•   More than 50% of active users login daily

•   Average user has 130 friends




https://www.facebook.com/press/info.php?statistics
•   More than 70 languages available on the site

•   Over 300,000 users helped translate the site
    through the translations application

•   75%+ of users are outside of the US




https://www.facebook.com/press/info.php?statistics
$ curl -s http://graph.facebook.com/4 | python -mjson.tool
{
    "first_name": "Mark",
    "gender": "male",
    "id": "4",
    "last_name": "Zuckerberg",
    "link": "http://www.facebook.com/zuck",
    "locale": "en_US",
    "name": "Mark Zuckerberg",
    "username": "zuck"
}
Mark Zuckerberg starts Facebook at 19 while still at
Harvard, but early messages don’t show a strong
interest in privacy...
An early instant message session with a friend...
Zuck: Yeah so if you ever need info about anyone at Harvard
Zuck: Just ask.
Zuck: I have over 4,000 emails, pictures, addresses, SNS
[Redacted Friend's Name]: What? How’d you manage that one?
Zuck: People just submitted it.
Zuck: I don’t know why.
Zuck: They “trust me”
Zuck: Dumb f***s

https://en.wikiquote.org/wiki/Mark_Zuckerberg
http://articles.businessinsider.com/2010-09-13/tech/30033368_1_ims-mark-zuckerberg-facebook-ceo
Other comments to give us a feel for his thoughts on
privacy...

“Having two identities for yourself is an example of a lack
of integrity.”




http://tech.li/2012/02/zuckerberg-doesnt-understand-identity-or-integrity
More recently, Nick Bilton’s off the record chat with a
Facebook employee...

@nickbilton: How does Zuck feel about privacy?

Response: [laughter] He doesn’t believe in it.




https://twitter.com/#!/nickbilton/status/13012581261
http://www.wired.com/epicenter/2010/04/report-facebook-ceo-mark-zuckerberg-doesnt-believe-in-privacy
Privacy no longer a social norm, says Facebook
founder


“People have really gotten
comfortable not only
sharing more
information and
different kinds, but
more openly and with
more people,” he said.
“That social norm is just
something that has
evolved over time.”



http://www.guardian.co.uk/technology/2010/jan/11/facebook-privacy
Facebook Privacy: A bewildering Tangle of
Options
“To manage your privacy on Facebook, you will need to
navigate through 50 settings with more than 170
options. Facebook says it wants to offer precise controls for
sharing on the Internet.”




https://www.nytimes.com/interactive/2010/05/12/business/facebook-privacy.html
http://facebook.com
Chris Soghoian “Facebook’s covert surveillance
of your browsing activities on non-
Facebook websites...”

               Although consumers knowingly share information via Facebook,
               the privacy issues associated with that company are not related
               to the way consumers use it, but rather the other things the
               company does.

               These include the tricks the company has pulled to expose
               users’ private data to third-party app developers, the
               changing privacy defaults for profile data, as well as
               Facebook’s covert surveillance of your browsing activities on
               non-Facebook websites, as long as a “Like” button is
               present (even if you don’t click on it).




http://online.wsj.com/article/SB10001424052970204190704577024262567105738.html
Facebook has cut a deal with political website Politico that allows the
independent site machine-access to Facebook users' messages, both
public and private, when a Republican Presidential candidate is mentioned by
name. The data is being collected and analyzed for sentiment by Facebook’s data
team, then delivered to Politico to serve as the basis of data-driven
political analysis and journalism.
The move is being widely condemned in the press as a violation of privacy but
if Facebook would do this right, it could be a huge win for everyone. Facebook
could be the biggest, most dynamic census of human opinion and interaction in
history. Unfortunately, failure to talk prominently about privacy protections,
failure to make this opt-in (or even opt out!) and the inclusion of
private messages are all things that put at risk any remaining shreds of trust in
Facebook that could have served as the foundation of a new era of social self-
awareness.




https://www.readwriteweb.com/archives/why_facebooks_data_sharing_matters.php
https://www.facebook.com/about/ads
Exclusive: Leaked Details of How Facebook Plans
        To Sell Your Timeline to Advertisers

What most users don’t know is that the new features being introduced are all centered
around increasing the value of Facebook to advertisers, to the point where Facebook
representatives have been selling the idea that Timeline is actually about re-conceptualizing users
around their consumer preferences, or as they put it, “brands are now an essential part of
people’s identities.”
The name itself is cleverly designed to conceal the fact that your profile no longer arranges
information chronologically. Yes, things are laid out by year and by month. But, when it comes to
what’s displayed to your social circle at any given time, other metrics, including direct payments to
Facebook itself, will now influence the ranking and placement of stories. This payola will be a
crucial part of the graph rank, the new metric for placement that the social network uses to
determine what appears on your profile.




http://www.betabeat.com/2011/12/23/exclusive-leaked-details-of-how-facebook-plans-to-sell-your-timeline-to-advertisers
Exclusive: Leaked Details of How Facebook Plans
        To Sell Your Timeline to Advertisers

Disguising ads as your friends’ updates is being offered up as an antidote to the dismal
click-through rates for traditional web advertising. Sponsored stories in your feed and sidebar ads
based on your friends’ likes will become ubiquitous. Indeed in marketing materials, Facebook
says these new premium ads are 90 percent accurate, compared to the industry
average of 35 percent. “When people hear about you [the brand] from friends, they
listen.”
As the post from Facebook yesterday morning explained, sponsored stories are different from ads
in that a user’s name or profile might appear alongside the ad, “If you’ve liked that business’s page,
the story about you liking the page (including your name or profile photo) may be paired with the
ad your friends see.” While sponsored stories don’t include additional messaging from the sponsor,
businesses pay Facebook to feature posts and activity that mention their brands. In both cases,
these are only visible “to friends you’ve already shared this information with.”




http://www.betabeat.com/2011/12/23/exclusive-leaked-details-of-how-facebook-plans-to-sell-your-timeline-to-advertisers
Timeline is “mandatory”
for every Facebook user
 with no opt-out option
Facebook settles privacy
case with the Federal
Trade Commission


         http://business.financialpost.com/2011/11/29/facebook-settles-privacy-case-wtih-ftc
Facebook settles privacy case with the FTC

Facebook has agreed to settle an investigation by the Federal Trade
Commission into deceptive privacy practices, committing to cease
making false claims and to submit to independent audits for 20
years.

The FTC said the world’s largest Internet social network had been
repeatedly deceptive. For example, Facebook promised users
that it would not share personal information with
advertisers, but it did, the agency said.

Also, the company failed to warn users that it was changing its website
in December 2009 so that certain information that users
designated as private, such as their “Friends List,” would be
made public, the FTC said.

“Facebook’s innovation does not have to come at the expense
of consumer privacy,” FTC Chairman Jon Leibowitz said in a
statement.




                           http://business.financialpost.com/2011/11/29/facebook-settles-privacy-case-wtih-ftc
Facebook’s entire
business model is under
fire in the EU


http://venturebeat.com/2011/11/28/facebook-advertising-eu
Facebook’s entire business model is under fire in the EU

The EU is considering a ban on Facebook’s practice of selling
demographic data to marketers and advertisers without
specific permission from users.

Now, however, the EC is planning to ban such activity unless
users themselves specifically agree to it. The EU’s data
protection working group is currently investigating how Facebook
tracks users, stores data and uses that information to serve targeted
ads. The ban may take effect as soon as next year. (11/2011)

[...] The European Commission is planning to stop the way the website
"eavesdrops" on its users to gather information about their
political opinions, sexuality, religious beliefs – and even
their whereabouts.

Viviane Reding, the vice president of European Commission, said the
Directive would amend current European data protection
laws in the light of technological advances and ensure
consistency in how offending firms are dealt with across the EU.




http://venturebeat.com/2011/11/28/facebook-advertising-eu
http://www.telegraph.co.uk/technology/facebook/8917836/Facebook-faces-EU-curbs-on-selling-users-interests-to-advertisers.html
“Your profile is the way you present yourself on Google
products and across the web. With your profile, you
can manage the information that people see -
such as your bio, contact details, and links to other sites
about you or created by you.”




                                                 https://profiles.google.com
Google gives you a privacy dashboard to show
just how much it knows about you




http://techcrunch.com/2009/11/05/google-gives-you-a-privacy-dashboard-to-show-just-how-much-it-knows-about-you
Google announces privacy changes across all products

Google said Tuesday it will require users to allow the company to
follow their activities across e-mail, search ... and other
services, a radical shift in strategy that is expected to invite greater
scrutiny of its privacy and competitive practices.



http://www.washingtonpost.com/business/technology/google-tracks-consumers-across-products-users-cant-opt-out/2012/01/24/gIQArgJHOQ_story.html
Google’s new policy replaces more than 60 existing product-specific
privacy documents for services including Gmail, YouTube and Google Docs
(plus Picasa, Blogger, Google Talk, Google Earth, etc.)

Google says the unified terms will provide better search
results and serve up ads that are more likely to be
of interest.



http://www.scientificamerican.com/article.cfm?id=how-googles-new-privacy-p
The new privacy policy – which Google contends will allow it to better target ads —
goes into effect on March 1. In a press release, the company said it may combine the information
users submit under their email accounts with information from other Google services or third
parties. What people do and share on the social networking site Google+, Gmail and
YouTube will be combined to create a more three-dimensional picture of consumers’
likes and dislikes, according to reports. Google did not return calls seeking comment.




http://blogs.smartmoney.com/advice/2012/01/25/who-would-pay-5000-to-use-google-you
“If Google received a warrant to disclose
 documents, and your business and
 personal docs are intermingled — that’s a
 problem,” he said. “Some would like to say, “No,
 thank you” and keep their accounts separate.”

 “Google should make it easy for people to
 set up and manage separate accounts if
 they wish to do so,” Kurt Opsahl, senior staff
 attorney for the Electronic Frontier Foundation.




http://www.scientificamerican.com/article.cfm?id=how-googles-new-privacy-p
The End of Privacy


If Google can change
its privacy policy
today, it can change it
tomorrow. And it will.
[...] This is what's
motivating their policy
change this week, and
someday it's likely to
motivate them to sell my
personal information after
all.



                                    http://www.flickr.com/photos/47691521@N07/4638981545
http://motherjones.com/kevin-drum/2012/01/end-privacy-google
Google announces
privacy changes across
products
 with no opt-out option
http://www.ftc.gov/opa/2011/03/google.shtm
On the day Buzz was launched, Gmail users got a message announcing the new service and
were given two options: “Sweet! Check out Buzz,” and “Nah, go to my inbox.” However, the FTC
complaint alleged that some Gmail users who clicked on “Nah...” were nonetheless
enrolled in certain features of the Google Buzz social network.
For those Gmail users who clicked on “Sweet!,” the FTC alleges that they were not adequately
informed that the identity of individuals they emailed most frequently would be
made public by default. Google also offered a “Turn Off Buzz” option that did not fully
remove the user from the social network.




http://www.ftc.gov/opa/2011/03/google.shtm
In response to the Buzz launch, Google received thousands of complaints from consumers who
were concerned about public disclosure of their email contacts which included, in
some cases, ex-spouses, patients, students, employers, or competitors. According to
the FTC complaint, Google made certain changes to the Buzz product in response to those
complaints.

When Google launched Buzz, its privacy policy stated that “When you sign up for a particular
service that requires registration, we ask you to provide personal information. If we use this
information in a manner different than the purpose for which it was collected, then we will ask
for your consent prior to such use.” The FTC complaint charges that Google violated its
privacy policies by using information provided for Gmail for another purpose -
social networking - without obtaining consumers’ permission in advance.


http://www.ftc.gov/opa/2011/03/google.shtm
http://www.zdnet.com/blog/identity/ftc-asked-to-probe-google-search-integration/143
EPIC says a review should take place given an ongoing FTC investigation of possible
antitrust violations related to the way Google compiles search results, as well as, an
April 2011 settlement Google made with the FTC regarding deceptive privacy practices.
EPIC claims the integration of Google+ and Google search, called Search plus Your World, raises
concerns over fair competition and the search giant’s adherence to the FTC settlement.
EPIC said in its letter to the FTC, “Google’s [search] changes make the personal data of users more
accessible.” The letter was signed by Marc Rotenberg, executive director of EPIC.
EPIC’s concerns were over personal data - photos, posts, and contact details - being
gathered from Google+ users and included in search results. “Google allows users to opt
out of receiving search results that include personal data, but users cannot opt out of having their
information found by their Google+ contacts through Google search,” the letter said.




http://www.zdnet.com/blog/identity/ftc-asked-to-probe-google-search-integration/143
https://plus.google.com
Search Plus is combining personal signals — your search
and web history — along with social signals to create a new
form of personalized results. It’s not just who you are that now
influences what you see. It’s who you know. What your
friends like, share or create can influence what shows
up first when you search for something.




                                  http://marketingland.com/faq-google-search-plus-your-world-3533
Google may use your Google account information, such
as items you +1 on Google properties and across the web, to
personalize content and ads on non-Google websites.




                                             http://www.google.com/privacy/ads
Google Under Fire for Circumvention of
Cookie Settings in Safari for iOS to Track
Users




  http://www.macrumors.com/2012/02/17/google-under-fire-for-circumvention-of-cookie-settings-in-safari-for-ios-to-track-users
Safari’s cookie blocking feature is unique in two ways: its
default and its substantive policy.
Unlike every other browser vendor, Apple enables 3rd party
cookie blocking by default. Every iPhone, iPad, iPod Touch,
and Mac ships with the privacy feature turned on.
Apple’s Safari web browser is configured to block third-party
cookies by default. We identified four advertising companies
that unexpectedly place trackable cookies in Safari.
Google and Vibrant Media intentionally circumvent
Safari’s privacy feature. Media Innovation Group and
PointRoll serve scripts that appear to be derived from
circumvention example code.



                                         http://webpolicy.org/2012/02/17/safari-trackers

   •     but Google used a loophole to make Safari
         allow cookies (which it will only do IF a user
         interacts with an ad)

   •     an ad from DoubleClick (owned by Google)
         sent an invisible form, so Safari would
         think the user was interacting with the ad

   •     thus, cookie accepted, tracking occurred

   •     Google discouraged Safari users from opting out


http://www.macrumors.com/2012/02/17/google-under-fire-for-circumvention-of-cookie-settings-in-safari-for-ios-to-track-users
Lastly, Google produces a laudable transparency report, but...




 That Google complies with 93 percent of the 6,000 requests it receives for user data
 from law enforcement agencies is very different from the approach news
 organizations would take to handing over sources.



           https://www.google.com/transparencyreport/governmentrequests/US/?p=2011-06&t=USER_DATA_REQUEST
“...all these concerns about
 privacy tend to be old people
 issues.” Reid Hoffman, the founder
 of LinkedIn, in a segment during last
 year’s World Economic Forum at
 Davos, Switzerland




http://www.businessinsider.com/privacy-is-for-old-people-says-linkedin-founder-2011-10
http://fak3r.com/2011/10/12/linkedin-is-spamming-all-of-my-gmail-contacts
•   people I didn’t know well personally

•   people that I work with from other countries
    that aren’t on LinkedIn

•   technical mailing lists that I subscribe to

•   myself, four times

•   and in one case, a deceased relative


                         http://fak3r.com/2011/10/12/linkedin-is-spamming-all-of-my-gmail-contacts
•   so I did opt-in

•   but they didn’t use the data in the manner I
    approved

•   support didn’t help




                      http://fak3r.com/2011/10/12/linkedin-is-spamming-all-of-my-gmail-contacts
Don’t forget about file
sharing
http://www.dropbox.com
•   Dropbox is a simple-to-use file syncing
    application

•   syncs across multiple devices automatically

•   offers 2 Gigs of free storage




                    http://paranoia.dubfire.net/2011/04/how-dropbox-sacrifices-user-privacy-for.html
How Dropbox sacrifices user privacy for
cost savings


   •   claimed no Dropbox personnel could access
       your files

   •   but the way they do de-duplication of files proved
       this wasn’t true

   •   Dropbox has the encryption keys, not the user

   •   other services do encrypt their users' data with
       a key only known to the user


                          http://paranoia.dubfire.net/2011/04/how-dropbox-sacrifices-user-privacy-for.html
How Dropbox sacrifices user privacy for
cost savings

On April 1, 2011, Marcia Hofmann at the
Electronic Frontier Foundation contacted
Dropbox to let them know about the flaw,
and that a researcher would be publishing
the information on April 12th.

At 6:15PM west coast time on April 11th, an
attorney from Fenwick & West retained by
Dropbox left Marcia a voicemail message, in
which he revealed that: "the company is
updating their privacy policy and security
overview that is on the website to add
further detail."




                http://paranoia.dubfire.net/2011/04/how-dropbox-sacrifices-user-privacy-for.html
Privacy Policy change (April 13, 2011)



“All files stored on Dropbox servers are
encrypted (AES 256) and are inaccessible
without your account password.”




                                      http://www.dropbox.com
http://getcloudapp.com
“CloudApp allows you to share images, links, music, videos and
files. Here is how it works: choose a file, drag it to the
menubar and let us take care of the rest. We provide you
with a short link automatically copied to your clipboard that you
can use to share your upload with co-workers and friends.”




                                                        http://getcloudapp.com
Unfortunately, the weak entropy of
characters used for their shortened URLs
leads to (very) low privacy




                                  http://getcloudapp.com
http://cl.ly/2a3e




                    http://getcloudapp.com
http://cl.ly/3l1k




                    http://getcloudapp.com
http://cl.ly/4ety




                    http://getcloudapp.com
This is fun...until you find personal documents




                                        http://getcloudapp.com
I wrote a script that can randomly download
gigabytes of users’ data, by guessing, or “brute
forcing” different URL combinations




                                         http://getcloudapp.com
•   plenty of pictures, mp3s, graphics

•   credit card receipts, court documents, W9
    (US tax forms), personal emails, Facebook
    posts, instant messages, passport scans

•   ...and everything was unencrypted




                                         http://getcloudapp.com
People don’t know they’re sharing this data.

Responsible Disclosure: I reported my findings to
CloudApp (12/2011), they said they have a notice
on their site that it may not be secure...but they
still allow this kind of convenient ‘sharing’




                                          http://getcloudapp.com
They have not fixed the issue, I have released
the script to demonstrate this vulnerability.
I’m still waiting to hear back from CloudApp.

https://github.com/philcryer/ca-harvester




                                       http://getcloudapp.com
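
How small the short-link keyspace is, and how long a slug a sharing service would need instead, as an added example (not code from the talk or from CloudApp). The 36-symbol alphabet is inferred from the look of the slugs on the slides; the live-link count and the 2^64 work-factor target are constructed assumptions, and the simulation runs entirely in memory.

```python
import math
import random
import secrets
import string

# Assumed alphabet: lowercase letters and digits, as the 4-character slugs suggest.
ALPHABET = string.ascii_lowercase + string.digits


def keyspace(length, alphabet=ALPHABET):
    """Number of distinct slugs of the given length."""
    return len(alphabet) ** length


def entropy_bits(length, alphabet=ALPHABET):
    """Upper bound on slug entropy; only reached if slugs are drawn uniformly."""
    return length * math.log2(len(alphabet))


def guesses_per_hit(length, live_links, alphabet=ALPHABET):
    """Average number of random guesses before one matches a live link."""
    return keyspace(length, alphabet) / live_links


def min_length(target_guesses, live_links, alphabet=ALPHABET):
    """Shortest slug length for which a hit costs at least target_guesses."""
    length = 1
    # Integer comparison avoids float rounding on very large keyspaces.
    while keyspace(length, alphabet) < target_guesses * live_links:
        length += 1
    return length


def new_slug(length, alphabet=ALPHABET):
    """Draw a slug from the OS CSPRNG, never from a counter or timestamp."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def simulated_hit_rate(length, live_links, guesses, seed=1):
    """Fraction of random guesses that match a live link, in memory only.

    Slugs are modelled as integers in range(keyspace); nothing is fetched.
    The seeded PRNG is used only to make the simulation repeatable.
    """
    rng = random.Random(seed)
    space = keyspace(length)
    live = set()
    while len(live) < live_links:
        live.add(rng.randrange(space))
    hits = sum(1 for _ in range(guesses) if rng.randrange(space) in live)
    return hits / guesses


def report(length, live_links, target_guesses=2 ** 64):
    """Summarise how exposed a slug scheme is and what length would fix it."""
    return {
        "keyspace": keyspace(length),
        "entropy_bits": round(entropy_bits(length), 1),
        "guesses_per_hit": round(guesses_per_hit(length, live_links), 1),
        "recommended_length": min_length(target_guesses, live_links),
    }


if __name__ == "__main__":
    LIVE = 100_000  # constructed figure, not a CloudApp statistic
    summary = report(4, LIVE)
    print(summary)
    print("simulated hit rate, 4 chars:", simulated_hit_rate(4, LIVE, 20_000))
    print("replacement slug:", new_slug(summary["recommended_length"]))
```

With these assumed numbers roughly one guess in seventeen resolves to someone's upload, which is why a notice on the site is not a fix: the slug has to be long and random, or the file has to sit behind authentication.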
How could all of this
social media data be
used?
To fight crime
Facebook Unmasks Koobface (P2P botnets)
   Gang, Aided By Their Foursquare Check-ins And
   Social Networking Photos
       Independent security researchers and members of
       the Facebook security team tracked digital breadcrumbs
       to expose the five men responsible for Koobface [...] they
       tracked them down based on IP fingerprints, Foursquare
       check-ins, Twitter activity, friend lists on a Russian
       social networking site, and Flickr photos showing the
       gang vacationing across Europe.




http://www.forbes.com/sites/kashmirhill/2012/01/17/facebook-unmasks-koobface-gang-aided-by-their-foursquare-check-ins-and-social-networking-photos
For good, humanitarian
purposes
Twitter Tracks Cholera Outbreaks
Faster Than Health Authorities


                            Now researchers have shown that, for
                            the 2010 cholera epidemic in Haiti,
                            social media like Twitter can
                            track outbreaks as much as two
                            weeks sooner than official health
                            reports, especially when used by
                            people with mobile phones.




   http://chronicle.com/blogs/percolator/twitter-tracks-cholera-outbreaks-faster-than-health-authorities/28205
For nefarious purposes
https://xkcd.com
http://sylviamoessinger.wordpress.com/2011/05/04/h807-online-privacy-an-illusion-a10-1
Spokeo is a people search engine




“...organizes vast quantities of white-pages listings, social information, and other people-
related data from a large variety of public sources. Our mission is to help people find and
connect with others, more easily than ever”


                                                                               http://www.spokeo.com
Spokeo is a people search engine




Not just Name, Age, Sex, but they also include Race, Politics, Religion, Cost of your home,
Occupation, Education level, Salary, Hobbies... even your Zodiac sign (?)



                                                                             http://www.spokeo.com
http://cheezburger.com
Understand why
privacy matters
The Right to Anonymity is a Matter of Privacy

         Privacy from employers
         Privacy from the political scene


         Privacy from the public eye


         Achieving anonymity online




                          https://www.eff.org/deeplinks/2012/01/right-anonymity-matter-privacy
Communication Security; Riseup's primer on
surveillance and security. Why security matters

• Because network surveillance is so pervasive, it is a social
  problem that affects everyone all the time. In contrast,
  device and message security are important for people who are
  being individually targeted by repressive authorities

• Improving your network security is fairly easy, in
  comparison to device or message security.

                                               https://help.riseup.net/en/security
The Filter Bubble


             "Internet firms increasingly
             show us less of the wide
             world, locating us in the
             neighborhood of the
             familiar. The risk, as Eli
             Pariser shows, is that each of us
             may unwittingly come to inhabit
             a ghetto of one."



Watch -> http://bit.ly/filter-bubble

                                   http://www.thefilterbubble.com
Understand that private
browsing isn’t private
http://donottrackplus.com/learn/pbrowsing.php
Know what you are
sharing
Block trackers before they get your
information – social sites, ad networks,
companies




  Do Not Track Plus

                                 https://www.ghostery.com
                                 http://donottrackplus.com
Blocks ads, flash and javascript trackers




                                                               http://noscript.net
                                                           http://adblockplus.org
                        https://addons.mozilla.org/en-US/firefox/addon/flashblock
Opt-out of sharing
Via browser plugins




               http://google.com/settings/ads/onweb
Or opt-out manually


http://bit.ly/optout



           http://www.google.com/ads/preferences/plugin/browsers.html
Remove Your Google
Search History Before
Google's New Privacy
Policy Takes Effect
1. Sign into your Google account
2. Go to https://google.com/history
3. Click "remove all Web History"
4. Click "OK"

https://www.eff.org/deeplinks/2012/02/how-remove-your-google-search-history-googles-new-privacy-policy-takes-effect
This pauses Web History; it will remain off until
you enable it again, but this won’t stop
Google’s other tracking methods




   https://www.eff.org/deeplinks/2012/02/how-remove-your-google-search-history-googles-new-privacy-policy-takes-effect
Oops, my history was saved back to 2006




 https://www.eff.org/deeplinks/2012/02/how-remove-your-google-search-history-googles-new-privacy-policy-takes-effect
Browse securely
HTTPS is your friend
          http://alexmillers.wordpress.com/2011/05/11/https-is-your-friend
why?
Session hijacking
aka sidejacking


             https://en.wikipedia.org/wiki/Session_hijacking
Logins: https
Then drops to: http


              https://en.wikipedia.org/wiki/Session_hijacking
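
What "logs in over https, then drops to http" looks like in the login response headers, and the check a site owner can run for it, as an added example (not from the talk). The host name, cookie values and both sample responses are constructed.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed responses to an HTTPS login POST; host and tokens are made up.
WEAK_LOGIN = [
    ("Set-Cookie", "session=constructed-token-1; Path=/; HttpOnly"),
    ("Location", "http://shop.example/account"),
]
HARDENED_LOGIN = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=constructed-token-2; Path=/; Secure; HttpOnly"),
    ("Location", "https://shop.example/account"),
]


def audit_response(url, headers):
    """Return (code, detail) findings for one response's (name, value) headers."""
    if urlsplit(url).scheme != "https":
        return [("plain-http", "login page itself is served without TLS")]
    findings = []
    # Without HSTS the browser will follow any later http:// link or redirect.
    if not any(name.lower() == "strict-transport-security" for name, _ in headers):
        findings.append(("no-hsts", "browser is not told to stay on https"))
    for name, value in headers:
        header = name.lower()
        if header == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for cookie_name, morsel in jar.items():
                # A cookie without Secure is also sent on plain http requests,
                # where anyone on the same network can read it.
                if not morsel["secure"]:
                    findings.append(
                        ("cookie-not-secure",
                         f"{cookie_name} will be sent over plain http"))
        elif header == "location" and urlsplit(value).scheme == "http":
            findings.append(("downgrade-redirect", value))
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_LOGIN), ("hardened", HARDENED_LOGIN)):
        print(label, audit_response("https://shop.example/login", sample))
```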
HTTPS Everywhere


      HTTPS Everywhere is a Firefox extension
      produced as a collaboration between The Tor Project
      and the Electronic Frontier Foundation. It encrypts
      your communications with a number of major
      websites. Many sites on the web offer some limited
      support for encryption over HTTPS, but make it
      difficult to use. For instance they may default to
      unencrypted HTTP, or fill encrypted pages with links
      that go back to the unencrypted site. The HTTPS
      Everywhere extension fixes these problems by
      rewriting all requests to these sites to HTTPS.


        https://www.eff.org/deeplinks/2011/11/long-term-privacy-forward-secrecy
HTTPS Enforcer



HTTPS Enforcer for Google
Chrome encrypts your
communications with a
number of major websites.




                            https://github.com/kcherenkov/HTTPS-Enforcer
Encrypt your DNS
queries
OpenDNS tool secures DNS traffic

DNSCrypt is significant because it encrypts all DNS
traffic between Internet users and OpenDNS. This
technological advancement thwarts efforts by attackers,
or even Internet Service Providers (ISPs), from spying
on DNS activity, or worse, maliciously redirecting DNS
traffic.

                                    http://www.opendns.com/technology/dnscrypt
                                    https://net-security.org/secworld.php?id=12075
Use better passwords
Use MORE passwords
why?
Zappos hacked, 24
million accounts
Zappos users here are the subject matter simply because it’s
the most recent attack, but it’s true for whatever set of
services you use on the daily. If you’ve got an eBay account,
an account for your online bank account, and an account for
Zappos, you need, need, NEED to have a different
password for each of them. What you do when you keep
the same password for each of these sites is to open yourself
up to a MUCH wider array of hackers than if you change your
password for each.


                              http://money.cnn.com/2012/01/16/technology/zappos_hack/index.htm
SlashGear 101: Basic
Password Security
“The simplest way to keep yourself secure on the internet
is to use different passwords on each ‘secure’ site you
interact with.”




                         http://www.slashgear.com/slashgear-101-basic-password-security-16209438
Here’s how I do it
https://lastpass.com
9Z!de*NM2y7%yZwt
wZx7CC@utHyVD@5K
cP$arcQTkt2Fhntu
#8cET!pDqDXq9HcV

Not a perfect method, trusting a 3rd party
Works, but looking for a more secure way
Ideally an Open Source option
Search more securely
“The world’s most private search engine”

         https://ixquick.de
https://duckduckgo.com
"[...] we cannot rely on a few large companies, and compromise our privacy in
the process," says Michael Christen, YaCy's project leader. "YaCy's free search is the vital
link between free users and free information. YaCy hands control over search back
to us, the users."


     “A peer to peer (P2P), distributed, anonymous search
           engine anyone can run and contribute to”

                                http://yacy.net
                                         http://www.theregister.co.uk/2011/11/29/yacy_google_open_source_engine
Use free, open source,
tools to protect yourself
•   Tor is short for The Onion Router

•   originally designed as an onion routing project of
    the U.S. Naval Research Laboratory

•   a network of virtual tunnels that allows people
    and groups to improve their privacy and
    security on the Internet

•   mechanism for maintaining civil liberties
    online (safeguarding online privacy and security)
    and promoting free speech
                                                 https://torproject.org
The Tor Browser
Bundle lets you use
Tor on Windows, Mac
OS X or Linux
without installing
any software.



                      https://www.torproject.org/projects/torbrowser.html.en
Install Tor on a
server to contribute
to the network’s
robustness, and
connect yourself




             https://torproject.org
•   a user-friendly way of deploying Tor bridges
    to help users access an uncensored Internet

•   runs on an Amazon EC2 micro cloud computing
    platform

•   Amazon has introduced a free usage tier for a
    year


                                          https://cloud.torproject.org
“A lightweight command line service that
     securely synchronizes your data”

           http://lipsync.it
JavaScript-based authentication, uses remoteStorage, a
cross-origin data storage protocol separating application
servers from data storage: your stuff is on remote servers,
but you still 'hold the keys'
DIY, run your own
services, instead of using
others
http://drupal.org
http://www.joomla.org
  http://wordpress.org
open source, Jabber/XMPP instant messaging server
   Off-the-Record (OTR) Messaging, more secure
      use SSL for encrypted communications
        Google uses this service for Google Talk



                                            http://www.ejabberd.im
open source microblogging software (like Twitter)

run your own host, keep your own information

           it powers http://identi.ca


                                                           http://identi.ca
                                           http://status.net/open-source
an open, distributed, federated, social network

mirrors functionality of Facebook, Google+

signup on an official server, or host your own

   have full control over what you share

                                             https://joindiaspora.com
Get involved, demand
change
Focusing public attention on emerging privacy and civil liberties issues




                                                                           PROTECTING CIVIL LIBERTIES IN THE DIGITAL AGE
Conclusion

question how companies save, store and use your
data, what kind of retention policy they have

learn about online privacy, know your rights

share what you discover, educate others via blogs,
social networks, or just talk about it

explore by running your own server, use open source
tools to protect yourself and help others (it’s fun)

repeat!
slides + details: philcryer.com
follow + twitter: @fak3r

The presentation will be available
on the conference website
semafor2012.computerworld.pl
cuic standard and advanced reporting.pdf
A Presentation on Artificial Intelligence
Dropbox Q2 2025 Financial Results & Investor Presentation

Is your data secure? privacy and trust in the social web

  • 1. Is your data secure? privacy and trust in the social web Phil Cryer 616 Collab Saint Louis, Missouri, US Warsaw, Poland - February 24, 2012 v1.00 any updates will be posted here: http://bit.ly/pc-slides
  • 2. Warsaw, Hotel Marriott Courtyard, February 23-24, 2012 • privacy advocate • security researcher • infrastructure engineer • open source technologist Photo courtesy of Dmitry Mozzherin
  • 3. “With social media, users’ vanity has trumped previously held mores concerning privacy” me, 2011
  • 4. People’s data on social networks becomes permanently shared.
  • 5. So what will companies do to monetize all of this data they collect?
  • 6. Use it to better target you with ads, of course.
  • 7. To you, your social profile...
  • 8. =
  • 11. But to the social media companies...
  • 13. =
  • 16. So, how much should people worry about the loss of online privacy? http://online.wsj.com/article/SB10001424052970204190704577024262567105738.html
  • 17. Danah Boyd “People want to share. But that's different than saying that people want to be exposed by others.” Protecting privacy is about making certain that people have the ability to make informed decisions about how they engage in public. I do not think we’ve done enough. That said, I am opposed to approaches that protect people by disempowering them. I want to see approaches that force powerful entities to be transparent about their data practices. And I want to see approaches that put restrictions on how data can be used to harm people. http://online.wsj.com/article/SB10001424052970204190704577024262567105738.html
  • 18. Chris Soghoian “...we now regularly trade our most private information for access to social-networking sites and free content” The dirty secret of the Web is that the 'free' content and services that consumers enjoy come with a hidden price: their own private data. Many of the major online advertising companies are not interested in the data that we knowingly and willingly share. Instead, these parasitic firms covertly track our web- browsing activities, search behavior and geolocation information. Once collected, this mountain of data is analyzed to build digital dossiers on millions of consumers, in some cases identifying us by name, gender, age as well as the medical conditions and political issues we have researched online. http://online.wsj.com/article/SB10001424052970204190704577024262567105738.html
  • 19. Whose Life Is It Anyway? Consumers are learning their data is currency http://www.adweek.com/news/advertising-branding/whose-life-it-anyway-137537
  • 20. Whose Life Is It Anyway? Consumers are learning their data is currency Each year, companies in the U.S. spend more than $2 billion on third-party consumer data, according to Forrester Research. [...] growing at such a fast clip that the World Economic Forum and other futurists have called personal data the “new oil.” http://www.adweek.com/news/advertising-branding/whose-life-it-anyway-137537
  • 21. Could your privacy be bought from you? http://www.forbes.com/sites/kashmirhill/2012/02/09/your-online-privacy-is-worth-less-than-a-six-pack-of-marshmallow-fluff
  • 22. Could your privacy be bought from you? Google [...] wants “panelists” for a program called Screenwise who will add a browser extension in Chrome “that will share with Google the sites you visit and how you use them” — information that Google will study in order to improve its products and services. http://www.forbes.com/sites/kashmirhill/2012/02/09/your-online-privacy-is-worth-less-than-a-six-pack-of-marshmallow-fluff
  • 23. Could your privacy be bought from you? What’s in it for you? Up to $25 in gift cards. [..] a $5 Amazon.com Gift Card code instantly when you sign up and download the Google Screenwise browser extension. [...] $5 Amazon.com Gift Card codes every three months for staying with it. It’s our way of saying “Thank you.” http://www.forbes.com/sites/kashmirhill/2012/02/09/your-online-privacy-is-worth-less-than-a-six-pack-of-marshmallow-fluff
  • 24. $25 USD per year http://www.forbes.com/sites/kashmirhill/2012/02/09/your-online-privacy-is-worth-less-than-a-six-pack-of-marshmallow-fluff
  • 25. “New research finds people fork over $5,000 worth of personal information a year to Google in exchange for access to its “free services” such as Gmail and search. http://blogs.smartmoney.com/advice/2012/01/25/who-would-pay-5000-to-use-google-you
  • 26. “If you’re not paying for the product, you are the product.”
  • 28. More than 800 million active users • More than 50% of active users login daily • Average user has 130 friends https://www.facebook.com/press/info.php?statistics
  • 29. More than 70 languages available on the site • Over 300,000 users helped translate the site through the translations application • 75%+ of users are outside of the US https://www.facebook.com/press/info.php?statistics
  • 31. $ curl -s http://graph.facebook.com/4 | python -mjson.tool
    {
        "first_name": "Mark",
        "gender": "male",
        "id": "4",
        "last_name": "Zuckerberg",
        "link": "http://www.facebook.com/zuck",
        "locale": "en_US",
        "name": "Mark Zuckerberg",
        "username": "zuck"
    }
  • 32. Mark Zuckerberg starts Facebook at 19 while still at Harvard, but early messages don’t show a strong interest in privacy...
  • 33. An early instant message session with a friend...
    Zuck: Yeah so if you ever need info about anyone at Harvard
    Zuck: Just ask.
    Zuck: I have over 4,000 emails, pictures, addresses, SNS
    [Redacted Friend's Name]: What? How’d you manage that one?
    Zuck: People just submitted it.
    Zuck: I don’t know why.
    Zuck: They “trust me”
    Zuck: Dumb f***s
    https://en.wikiquote.org/wiki/Mark_Zuckerberg
    http://articles.businessinsider.com/2010-09-13/tech/30033368_1_ims-mark-zuckerberg-facebook-ceo
  • 34. Other comments to give us a feel for his thoughts on privacy... “Having two identities for yourself is an example of a lack of integrity.” http://tech.li/2012/02/zuckerberg-doesnt-understand-identity-or-integrity
  • 35. More recently, Nick Bilton’s off the record chat with a Facebook employee... @nickbilton: How does Zuck feel about privacy? Response: [laughter] He doesn’t believe in it. https://twitter.com/#!/nickbilton/status/13012581261 http://www.wired.com/epicenter/2010/04/report-facebook-ceo-mark-zuckerberg-doesnt-believe-in-privacy
  • 36. Privacy no longer a social norm, says Facebook founder “People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people,” he said. “That social norm is just something that has evolved over time.” http://www.guardian.co.uk/technology/2010/jan/11/facebook-privacy
  • 37. Facebook Privacy: A bewildering Tangle of Options “To manage your privacy on Facebook, you will need to navigate through 50 settings with more than 170 options. Facebook says it wants to offer precise controls for sharing on the Internet.” https://www.nytimes.com/interactive/2010/05/12/business/facebook-privacy.html
  • 41. Chris Soghoian “Facebook’s covert surveillance of your browsing activities on non- Facebook websites...” Although consumers knowingly share information via Facebook, the privacy issues associated with that company are not related to the way consumers use it, but rather the other things the company does. These include the tricks the company has pulled to expose users’ private data to third-party app developers, the changing privacy defaults for profile data, as well as Facebook’s covert surveillance of your browsing activities on non-Facebook websites, as long as a “Like” button is present (even if you don’t click on it). http://online.wsj.com/article/SB10001424052970204190704577024262567105738.html
  • 42. Facebook has cut a deal with political website Politico that allows the independent site machine-access to Facebook users' messages, both public and private, when a Republican Presidential candidate is mentioned by name. The data is being collected and analyzed for sentiment by Facebook’s data team, then delivered to Politico to serve as the basis of data-driven political analysis and journalism. The move is being widely condemned in the press as a violation of privacy but if Facebook would do this right, it could be a huge win for everyone. Facebook could be the biggest, most dynamic census of human opinion and interaction in history. Unfortunately, failure to talk prominently about privacy protections, failure to make this opt-in (or even opt out!) and the inclusion of private messages are all things that put at risk any remaining shreds of trust in Facebook that could have served as the foundation of a new era of social self- awareness. https://www.readwriteweb.com/archives/why_facebooks_data_sharing_matters.php
  • 46. Exclusive: Leaked Details of How Facebook Plans To Sell Your Timeline to Advertisers What most users don’t know is that the new features being introduced are all centered around increasing the value of Facebook to advertisers, to the point where Facebook representatives have been selling the idea that Timeline is actually about re-conceptualizing users around their consumer preferences, or as they put it, “brands are now an essential part of people’s identities.” The name itself is cleverly designed to conceal the fact that your profile no longer arranges information chronologically. Yes, things are laid out by year and by month. But, when it comes to what’s displayed to your social circle at any given time, other metrics, including direct payments to Facebook itself, will now influence the ranking and placement of stories. This payola will be a crucial part of the graph rank, the new metric for placement that the social network uses to determine what appears on your profile. http://www.betabeat.com/2011/12/23/exclusive-leaked-details-of-how-facebook-plans-to-sell-your-timeline-to-advertisers
  • 48. Exclusive: Leaked Details of How Facebook Plans To Sell Your Timeline to Advertisers Disguising ads as your friends’ updates is being offered up as an antidote to the dismal click-through rates for traditional web advertising. Sponsored stories in your feed and sidebar ads based on your friends’ likes will become ubiquitous. Indeed in marketing materials, Facebook says these new premium ads are 90 percent accurate, compared to the industry average of 35 percent. “When people hear about you [the brand] from friends, they listen.” As the post from Facebook yesterday morning explained, sponsored stories are different from ads in that a user’s name or profile might appear alongside the ad, “If you’ve liked that business’s page, the story about you liking the page (including your name or profile photo) may be paired with the ad your friends see.” While sponsored stories don’t include additional messaging from the sponsor, businesses pay Facebook to feature posts and activity that mention their brands. In both cases, these are only visible “to friends you’ve already shared this information with.” http://www.betabeat.com/2011/12/23/exclusive-leaked-details-of-how-facebook-plans-to-sell-your-timeline-to-advertisers
  • 50. Timeline is “mandatory” for every Facebook user
  • 51. Timeline is “mandatory” for every Facebook user with no opt-out option
  • 52. Facebook settles privacy case with the Federal Trade Commission http://business.financialpost.com/2011/11/29/facebook-settles-privacy-case-wtih-ftc
  • 53. Facebook settles privacy case with the FTC Facebook has agreed to settle an investigation by the Federal Trade Commission into deceptive privacy practices, committing to cease making false claims and to submit to independent audits for 20 years. The FTC said the world’s largest Internet social network had been repeatedly deceptive. For example, Facebook promised users that it would not share personal information with advertisers, but it did, the agency said. Also, the company failed to warn users that it was changing its website in December 2009 so that certain information that users designated as private, such as their “Friends List,” would be made public, the FTC said. “Facebook’s innovation does not have to come at the expense of consumer privacy,” FTC Chairman Jon Leibowitz said in a statement. http://business.financialpost.com/2011/11/29/facebook-settles-privacy-case-wtih-ftc
  • 55. Facebook’s entire business model is under fire in the EU http://venturebeat.com/2011/11/28/facebook-advertising-eu
  • 56. Facebook’s entire business model is under fire in the EU The EU is considering a ban on Facebook’s practice of selling demographic data to marketers and advertisers without specific permission from users. Now, however, the EC is planning to ban such activity unless users themselves specifically agree to it. The EU’s data protection working group is currently investigating how Facebook tracks users, stores data and uses that information to serve targeted ads. The ban may take effect as soon as next year. (11/2011) [...] The European Commission is planning to stop the way the website "eavesdrops" on its users to gather information about their political opinions, sexuality, religious beliefs – and even their whereabouts. Viviane Reding, the vice president of European Commission, said the Directive would amend current European data protection laws in the light of technological advances and ensure consistency in how offending firms are dealt with across the EU. http://venturebeat.com/2011/11/28/facebook-advertising-eu http://www.telegraph.co.uk/technology/facebook/8917836/Facebook-faces-EU-curbs-on-selling-users-interests-to-advertisers.html
  • 59. “Your profile is the way you present yourself on Google products and across the web. With your profile, you can manage the information that people see - such as your bio, contact details, and links to other sites about you or created by you.” https://profiles.google.com
  • 60. Google gives you a privacy dashboard to show just how much it knows about you http://techcrunch.com/2009/11/05/google-gives-you-a-privacy-dashboard-to-show-just-how-much-it-knows-about-you
  • 62. Google announces privacy changes across all products Google said Tuesday it will require users to allow the company to follow their activities across e-mail, search ... and other services, a radical shift in strategy that is expected to invite greater scrutiny of its privacy and competitive practices. http://www.washingtonpost.com/business/technology/google-tracks-consumers-across-products-users-cant-opt-out/2012/01/24/gIQArgJHOQ_story.html
  • 63. Google’s new policy replaces more than 60 existing product-specific privacy documents for services including Gmail, YouTube and Google Docs (plus Picasa, Blogger, Google Talk, Google Earth, etc.) Google says the unified terms will provide better search results and serve up ads that are more likely to be of interest. http://www.scientificamerican.com/article.cfm?id=how-googles-new-privacy-p
  • 64. The new privacy policy – which Google contends will allow it to better target ads — goes into effect on March 1. In a press release, the company said it may combine the information users submit under their email accounts with information from other Google services or third parties. What people do and share on the social networking site Google+, Gmail and YouTube will be combined to create a more three-dimensional picture of consumers’ likes and dislikes, according to reports. Google did not return calls seeking comment. http://blogs.smartmoney.com/advice/2012/01/25/who-would-pay-5000-to-use-google-you
  • 65. “If Google received a warrant to disclose documents, and your business and personal docs are intermingled — that’s a problem,” he said. “Some would like to say, “No, thank you” and keep their accounts separate.” “Google should make it easy for people to set up and manage separate accounts if they wish to do so,” Kurt Opsahl, senior staff attorney for the Electronic Frontier Foundation. http://www.scientificamerican.com/article.cfm?id=how-googles-new-privacy-p
  • 66. The End of Privacy If Google can change its privacy policy today, it can change it tomorrow. And it will. [...] This is what's motivating their policy change this week, and someday it's likely to motivate them to sell my personal information after all. http://www.flickr.com/photos/47691521@N07/4638981545 http://motherjones.com/kevin-drum/2012/01/end-privacy-google
  • 68. Google announces privacy changes across products with no opt-out option
  • 70. On the day Buzz was launched, Gmail users got a message announcing the new service and were given two options: “Sweet! Check out Buzz,” and “Nah, go to my inbox.” However, the FTC complaint alleged that some Gmail users who clicked on “Nah...” were nonetheless enrolled in certain features of the Google Buzz social network. For those Gmail users who clicked on “Sweet!,” the FTC alleges that they were not adequately informed that the identity of individuals they emailed most frequently would be made public by default. Google also offered a “Turn Off Buzz” option that did not fully remove the user from the social network. http://www.ftc.gov/opa/2011/03/google.shtm
  • 72. In response to the Buzz launch, Google received thousands of complaints from consumers who were concerned about public disclosure of their email contacts which included, in some cases, ex-spouses, patients, students, employers, or competitors. According to the FTC complaint, Google made certain changes to the Buzz product in response to those complaints. When Google launched Buzz, its privacy policy stated that “When you sign up for a particular service that requires registration, we ask you to provide personal information. If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use.” The FTC complaint charges that Google violated its privacy policies by using information provided for Gmail for another purpose - social networking - without obtaining consumers’ permission in advance. http://www.ftc.gov/opa/2011/03/google.shtm
  • 75. EPIC says a review should take place given an ongoing FTC investigation of possible antitrust violations related to the way Google compiles search results, as well as, an April 2011 settlement Google made with the FTC regarding deceptive privacy practices. EPIC claims the integration of Google+ and Google search, called Search plus Your World, raises concerns over fair competition and the search giant’s adherence to the FTC settlement. EPIC said in its letter to the FTC, “Google’s [search] changes make the personal data of users more accessible.” The letter was signed by Marc Rotenberg, executive director of EPIC. EPIC’s concerns were over personal data - photos, posts, and contact details - being gathered from Google+ users and included in search results. “Google allows users to opt out of receiving search results that include personal data, but users cannot opt out of having their information found by their Google+ contacts through Google search,” the letter said. http://www.zdnet.com/blog/identity/ftc-asked-to-probe-google-search-integration/143
  • 78. Search Plus is combining personal signals — your search and web history — along with social signals to create a new form of personalized results. It’s not just who you are that now influences what you see. It’s who you know. What your friends like, share or create can influence what shows up first when you search for something. http://marketingland.com/faq-google-search-plus-your-world-3533
  • 79. Google may use your Google account information, such as items you +1 on Google properties and across the web, to personalize content and ads on non-Google websites. http://www.google.com/privacy/ads
  • 80. Google Under Fire for Circumvention of Cookie Settings in Safari for iOS to Track Users http://www.macrumors.com/2012/02/17/google-under-fire-for-circumvention-of-cookie-settings-in-safari-for-ios-to-track-users
  • 83. Safari’s cookie blocking feature is unique in two ways: its default and its substantive policy. Unlike every other browser vendor, Apple enables 3rd party cookie blocking by default. Every iPhone, iPad, iPod Touch, and Mac ships with the privacy feature turned on. Apple’s Safari web browser is configured to block third-party cookies by default. We identified four advertising companies that unexpectedly place trackable cookies in Safari. Google and Vibrant Media intentionally circumvent Safari’s privacy feature. Media Innovation Group and PointRoll serve scripts that appear to be derived from circumvention example code. http://webpolicy.org/2012/02/17/safari-trackers http://www.macrumors.com/2012/02/17/google-under-fire-for-circumvention-of-cookie-settings-in-safari-for-ios-to-track-users
  • 84. • but Google used a loophole to make Safari allow cookies (which it will only do IF a user interacts with an ad) • an ad from DoubleClick (owned by Google) sent an invisible form, so Safari would think the user was interacting with the ad • thus, cookie accepted, tracking occurred • Google discouraged Safari users from opting out http://www.macrumors.com/2012/02/17/google-under-fire-for-circumvention-of-cookie-settings-in-safari-for-ios-to-track-users
  • 85. Lastly, Google produces a laudable transparency report, but... Google's compliance with 93 percent of the 6,000 requests it receives for user data from law enforcement agencies is very different from the approach news organizations would take to handing over sources. https://www.google.com/transparencyreport/governmentrequests/US/?p=2011-06&t=USER_DATA_REQUEST
  • 86. “...all these concerns about privacy tend to be old people issues.” Reid Hoffman, the founder of LinkedIn, in a segment during last year’s World Economic Forum at Davos, Switzerland http://www.businessinsider.com/privacy-is-for-old-people-says-linkedin-founder-2011-10
  • 89. people I didn’t know well personally • people that I work with from other countries that aren’t on LinkedIn • technical mailing lists that I subscribe to • myself, four times • and in one case, a deceased relative http://fak3r.com/2011/10/12/linkedin-is-spamming-all-of-my-gmail-contacts
  • 91. so I did opt-in • but they didn’t use the data in the manner I approved • support, didn’t help http://fak3r.com/2011/10/12/linkedin-is-spamming-all-of-my-gmail-contacts
  • 92. Don’t forget about file sharing
  • 94. Dropbox is a simple to use, file syncing application • syncs across multiple devices automatically • offers 2 Gigs of free storage http://paranoia.dubfire.net/2011/04/how-dropbox-sacrifices-user-privacy-for.html
  • 95. How Dropbox sacrifices user privacy for cost savings • claimed no Dropbox personnel could access your files • but the way they do de-duplication of files proved this wasn’t true • Dropbox has the encryption keys, not the user • other services do encrypt their users' data with a key only known to the user http://paranoia.dubfire.net/2011/04/how-dropbox-sacrifices-user-privacy-for.html
  • 96. How Dropbox sacrifices user privacy for cost savings On April 1, 2011, Marcia Hofmann at the Electronic Frontier Foundation contacted Dropbox to let them know about the flaw, and that a researcher would be publishing the information on April 12th. At 6:15PM west coast time on April 11th, an attorney from Fenwick & West retained by Dropbox left Marcia a voicemail message, in which he revealed that: "the company is updating their privacy policy and security overview that is on the website to add further detail." http://paranoia.dubfire.net/2011/04/how-dropbox-sacrifices-user-privacy-for.html
  • 97. Privacy Policy change (April 13, 2011) “All files stored on Dropbox servers are encrypted (AES 256) and are inaccessible without your account password.” http://www.dropbox.com
  • 100. “CloudApp allows you to share images, links, music, videos and files. Here is how it works: choose a file, drag it to the menubar and let us take care of the rest. We provide you with a short link automatically copied to your clipboard that you can use to share your upload with co-workers and friends.” http://getcloudapp.com
  • 101. Unfortunately, the weak entropy of characters used for their shortened URLs leads to (very) low privacy http://getcloudapp.com
  • 102. http://cl.ly/2a3e http://getcloudapp.com
  • 104. http://cl.ly/3l1k http://getcloudapp.com
  • 106. http://cl.ly/4ety http://getcloudapp.com
  • 108. This is fun...until you find personal documents http://getcloudapp.com
  • 109. I wrote a script that can randomly download gigabytes of users’ data, by guessing, or “brute forcing” different URL combinations http://getcloudapp.com
  • 110. plenty of pictures, mp3s, graphics • credit card receipts, court documents, W9 (US tax forms), personal emails, Facebook posts, instant messages, passport scans • ...and everything was unencrypted http://getcloudapp.com
  • 111. People don’t know they’re sharing this data. Responsible Disclosure: I reported my findings to CloudApp (12/2011), they said they have a notice on their site that it may not be secure...but they still allow this kind of convenient ‘sharing’ http://getcloudapp.com
  • 112. They have not fixed the issue, I have released the script to demonstrate this vulnerability. I’m still waiting to hear back from CloudApp. https://github.com/philcryer/ca-harvester http://getcloudapp.com
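To put a number on the "weak entropy" point in the CloudApp slides, the following is an added example (not code from the talk or from CloudApp) that measures the short-code scheme and generates an unguessable replacement token. It assumes the codes are 4 characters of lowercase letters and digits, as the three sample links on the slides suggest, and the count of live links is a constructed figure.

```python
import math
import secrets
import string

# Assumption: short codes like those on the slides ("2a3e", "3l1k", "4ety")
# are 4 characters drawn from lowercase letters and digits.
SLIDE_ALPHABET = string.ascii_lowercase + string.digits
SLIDE_LENGTH = 4


def keyspace(alphabet_size, length):
    """Number of distinct codes the scheme can ever issue."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Bits of entropy in a uniformly random code."""
    return length * math.log2(alphabet_size)


def expected_guesses_per_hit(alphabet_size, length, live_links):
    """Mean number of random guesses before one matches a live link.

    Guessing uniformly at random is a geometric trial with success
    probability live/keyspace, so the mean is keyspace/live.
    """
    if live_links <= 0:
        raise ValueError("live_links must be positive")
    space = keyspace(alphabet_size, length)
    return space / min(live_links, space)


def min_length_for_bits(alphabet_size, target_bits=128):
    """Shortest code length over this alphabet reaching target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def new_share_token(target_bits=128):
    """Unguessable URL-safe token from the OS CSPRNG."""
    return secrets.token_urlsafe(math.ceil(target_bits / 8))


def summarize(live_links):
    """Collect the figures for the slide-style scheme in one dict."""
    size = len(SLIDE_ALPHABET)
    return {
        "keyspace": keyspace(size, SLIDE_LENGTH),
        "bits": round(entropy_bits(size, SLIDE_LENGTH), 2),
        "guesses_per_hit": round(
            expected_guesses_per_hit(size, SLIDE_LENGTH, live_links), 1),
        "length_needed_for_128_bits": min_length_for_bits(size),
        "example_token": new_share_token(),
    }


if __name__ == "__main__":
    # 100,000 live links is a constructed figure, not a number from the talk.
    for key, value in summarize(100_000).items():
        print(f"{key}: {value}")
```

An unguessable token only makes a link hard to find; anyone the link is forwarded to can still open it, so sensitive files still need authentication or expiry.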
  • 113. How could all of this social media data be used?
  • 115. Facebook Unmasks Koobface (P2P botnets) Gang, Aided By Their Foursquare Check-ins And Social Networking Photos http://www.forbes.com/sites/kashmirhill/2012/01/17/facebook-unmasks-koobface-gang-aided-by-their-foursquare-check-ins-and-social-networking-photos
  • 116. Facebook Unmasks Koobface (P2P botnets) Gang, Aided By Their Foursquare Check-ins And Social Networking Photos Independent security researchers and members of the Facebook security team tracked digital breadcrumbs to expose the five men responsible for Koobface [...] they tracked them down based on IP fingerprints, Foursquare check-ins, Twitter activity, friend lists on a Russian social networking site, and Flickr photos showing the gang vacationing across Europe. http://www.forbes.com/sites/kashmirhill/2012/01/17/facebook-unmasks-koobface-gang-aided-by-their-foursquare-check-ins-and-social-networking-photos
  • 118. Twitter Tracks Cholera Outbreaks Faster Than Health Authorities Now researchers have shown that, for the 2010 cholera epidemic in Haiti, social media like Twitter can track outbreaks as much as two weeks sooner than official health reports, especially when used by people with mobile phones. http://chronicle.com/blogs/percolator/twitter-tracks-cholera-outbreaks-faster-than-health-authorities/28205
  • 121. Spokeo is a people search engine “...organizes vast quantities of white-pages listings, social information, and other people- related data from a large variety of public sources. Our mission is to help people find and connect with others, more easily than ever” http://www.spokeo.com
  • 122. Spokeo is a people search engine Not just Name, Age, Sex, but they also include Race, Politics, Religion, Cost of your home, Occupation, Education level, Salary, Hobbies... even your Zodiac sign (?) http://www.spokeo.com
  • 125. The Right to Anonymity is a Matter of Privacy Privacy from employers Privacy from the political scene Privacy from the public eye Achieving anonymity online https://www.eff.org/deeplinks/2012/01/right-anonymity-matter-privacy
  • 126. Communication Security; Riseup's primer on surveillance and security. Why security matters • Because network surveillance is so pervasive, it is a social problem that affects everyone all the time. In contrast, device and message security are important for people who are being individually targeted by repressive authorities • Improving your network security is fairly easy, in comparison to device or message security. https://help.riseup.net/en/security
  • 127. The Filter Bubble "Internet firms increasingly show us less of the wide world, locating us in the neighborhood of the familiar. The risk, as Eli Pariser shows, is that each of us may unwittingly come to inhabit a ghetto of one." Watch -> http://bit.ly/filter-bubble http://www.thefilterbubble.com
  • 130. Know what you are sharing
  • 131. Block trackers before they get your information – social sites, ad networks, companies Do Not Track Plus https://www.ghostery.com http://donottrackplus.com
  • 132. Blocks ads, flash and javascript trackers http://noscript.net http://adblockplus.org https://addons.mozilla.org/en-US/firefox/addon/flashblock
  • 135. Via browser plugins http://google.com/settings/ads/onweb
  • 136. Or opt-out manually http://bit.ly/optout http://www.google.com/ads/preferences/plugin/browsers.html
  • 137. Remove Your Google Search History Before Google's New Privacy Policy Takes Effect
  • 138. 1. Sign into your Google account https://www.eff.org/deeplinks/2012/02/how-remove-your-google-search-history-googles-new-privacy-policy-takes-effect
  • 139. 2. Go to https://google.com/history https://www.eff.org/deeplinks/2012/02/how-remove-your-google-search-history-googles-new-privacy-policy-takes-effect
  • 140. 3. Click "remove all Web History" https://www.eff.org/deeplinks/2012/02/how-remove-your-google-search-history-googles-new-privacy-policy-takes-effect
  • 142. Pauses Web History, it will remain off until you enable it again, but this won’t stop Google’s other tracking methods https://www.eff.org/deeplinks/2012/02/how-remove-your-google-search-history-googles-new-privacy-policy-takes-effect
  • 143. Oops, my history was saved back to 2006 https://www.eff.org/deeplinks/2012/02/how-remove-your-google-search-history-googles-new-privacy-policy-takes-effect
  • 145. HTTPS is your friend http://alexmillers.wordpress.com/2011/05/11/https-is-your-friend
  • 146. why?
  • 147. Session hijacking aka sidejacking https://en.wikipedia.org/wiki/Session_hijacking
  • 148. Logins: https Then drops to: http https://en.wikipedia.org/wiki/Session_hijacking
  • 149. HTTPS Everywhere HTTPS Everywhere is a Firefox extension produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. It encrypts your communications with a number of major websites. Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS. https://www.eff.org/deeplinks/2011/11/long-term-privacy-forward-secrecy
  • 150. HTTPS Enforcer HTTPS Enforcer for Google Chrome encrypts your communications with a number of major websites. https://github.com/kcherenkov/HTTPS-Enforcer
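The "logs in over https, then drops to http" pattern from the sidejacking slides can be checked from the site operator's side. This added example (not from the talk) audits a recorded login flow for session cookies without the Secure attribute, HTTPS-to-HTTP redirects and missing HSTS; the host social.example, the cookie name sid and both recorded flows are constructed sample data.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample flows: each entry is one HTTP response seen during login.
WEAK_FLOW = [
    {"url": "https://social.example/login",
     "headers": [("Set-Cookie", "sid=abc123; Path=/; HttpOnly"),
                 ("Location", "http://social.example/home")]},
    {"url": "http://social.example/home", "headers": []},
]
HARDENED_FLOW = [
    {"url": "https://social.example/login",
     "headers": [("Strict-Transport-Security", "max-age=31536000"),
                 ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly"),
                 ("Location", "/home")]},
    {"url": "https://social.example/home",
     "headers": [("Strict-Transport-Security", "max-age=31536000")]},
]


def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_flow(flow):
    """List (finding, detail) pairs that leave a session open to sidejacking."""
    findings = []
    for resp in flow:
        url = resp["url"]
        is_https = urlsplit(url).scheme == "https"
        headers = [(k.lower(), v) for k, v in resp["headers"]]
        if not is_https:
            # Anything sent here, cookies included, crosses the network in clear.
            findings.append(("cleartext-response", url))
        elif not any(k == "strict-transport-security" for k, _ in headers):
            # Without HSTS the browser will follow a later http:// link.
            findings.append(("no-hsts", url))
        for key, value in headers:
            if key == "set-cookie":
                name, attrs = parse_set_cookie(value)
                if "secure" not in attrs:
                    # The browser will attach this cookie to plain-HTTP requests.
                    findings.append(("cookie-without-secure", name))
            elif key == "location":
                target = urljoin(url, value)
                if is_https and urlsplit(target).scheme == "http":
                    findings.append(("https-to-http-redirect", target))
    return findings


if __name__ == "__main__":
    for label, flow in (("weak", WEAK_FLOW), ("hardened", HARDENED_FLOW)):
        print(label, audit_flow(flow))
```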
  • 152. OpenDNS tool secures DNS traffic DNSCrypt is significant because it encrypts all DNS traffic between Internet users and OpenDNS. This technological advancement thwarts efforts by attackers, or even Internet Service Providers (ISPs), from spying on DNS activity, or worse, maliciously redirecting DNS traffic. http://www.opendns.com/technology/dnscrypt https://net-security.org/secworld.php?id=12075
  • 155. why?
  • 156. Zappos hacked, 24 million accounts http://money.cnn.com/2012/01/16/technology/zappos_hack/index.htm
  • 157. Zappos hacked, 24 million accounts Zappos users here are the subject matter simply because it’s the most recent attack, but it’s true for whatever set of services you use on the daily. If you’ve got an eBay account, an account for your online bank account, and an account for Zappos, you need, need, NEED to have a different password for each of them. What you do when you keep the same password for each of these sites is to open yourself up to a MUCH wider array of hackers than if you change your password for each. http://money.cnn.com/2012/01/16/technology/zappos_hack/index.htm
  • 158. SlashGear 101: Basic Password Security “The simplest way to keep yourself secure on the internet is to use different passwords on each ‘secure’ site you interact with.” http://www.slashgear.com/slashgear-101-basic-password-security-16209438
  • 159. Here’s how I do it
  • 166. 9Z!de*NM2y7%yZwt wZx7CC@utHyVD@5K cP$arcQTkt2Fhntu #8cET!pDqDXq9HcV • Not a perfect method, trusting a 3rd party • Works, but looking for a more secure way • Ideally an Open Source option
  • 168. “The world’s most private search engine” https://ixquick.de
  • 170. "[...] we cannot rely on a few large companies, and compromise our privacy in the process," says Michael Christen, YaCy's project leader. "YaCy's free search is the vital link between free users and free information. YaCy hands control over search back to us, the users." “A peer to peer (P2P), distributed, anonymous search engine anyone can run and contribute to” http://yacy.net http://www.theregister.co.uk/2011/11/29/yacy_google_open_source_engine
  • 171. Use free, open source, tools to protect yourself
  • 172. Tor is short for The Onion Router • originally designed as an onion routing project of the U.S. Naval Research Laboratory • a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet • mechanism for maintaining civil liberties online (safeguarding online privacy and security) and promoting free speech https://torproject.org
  • 174. The Tor Browser Bundle lets you use Tor on Windows, Mac OS X or Linux without installing any software. https://www.torproject.org/projects/torbrowser.html.en
  • 175. Install Tor on a server to contribute to the network’s robustness, and connect yourself https://torproject.org
  • 176. a user-friendly way of deploying Tor bridges to help users access an uncensored Internet • runs on an Amazon EC2 micro cloud computing platform • Amazon has introduced a free usage tier for a year https://cloud.torproject.org
  • 177. “A lightweight command line service that securely synchronizes your data” http://lipsync.it
  • 178. javascript based authentication, uses remoteStorage, a cross-origin data storage protocol separating application servers from data storage, your stuff on remote servers, but you still 'hold the keys'
  • 179. DIY, run your own services, instead of using others
  • 181. open source, Jabber/XMPP instant messaging server Off-the-Record (OTR) Messaging, more secure use SSL for encrypted communications Google uses this service for Google Talk http://www.ejabberd.im
  • 182. open source microblogging software (like Twitter) run your own host, keep your own information it powers http://identi.ca http://identi.ca http://status.net/open-source
  • 183. an open, distributed, federated, social network mirrors functionality of Facebook, Google+ signup on an official server, or host your own have full control over what you share https://joindiaspora.com
  • 185. Focusing public attention on emerging privacy and civil liberties issues PROTECTING CIVIL LIBERTIES IN THE DIGITAL AGE
  • 191. Conclusion • question how companies save, store and use your data, what kind of retention policy they have • learn about online privacy, know your rights • share what you discover, educate others via blogs, social networks, or just talk about it • explore by running your own server, use open source tools to protect yourself and help others (it’s fun) • repeat!
  • 193. slides + details: philcryer.com follow + twitter: @fak3r
  • 194. philcryer.com @fak3r The presentation will be available on the conference website semafor2012.computerworld.pl