Rahul Gaitonde… The system provided by Hey for managing and organizing incoming email is what sets it apart from the competition, and it’s so good I don’t mind being locked into a proprietary service.
– Federico Viticci, Macstories
Famous last words, uttered by countless computer users over the last fifty years, to their inevitable regret.
From the encrypted email service Protonmail’s response to the Council of the EU calling for an update to laws governing encryption in internet applications:
While it’s not explicitly stated in the resolution, it’s widely understood that the proposal seeks to allow law enforcement access to encrypted platforms via backdoors. However, the resolution makes a fundamental misunderstanding: encryption is an absolute. Data is either encrypted or it isn’t; users have privacy, or they don’t. The desire to give law enforcement more tools to fight crime is obviously understandable. But the proposals are the digital equivalent of giving law enforcement a key to every citizen’s home and might begin a slippery slope towards greater violations of personal privacy.
“Either data is encrypted or it isn’t” is right. As we have discussed before on the site, we’d need a fundamentally different type of algorithm in order to encrypt data such that it’d both be secure from decryption attacks but also be able to be unlocked by specific keys owned by a set of people. Today’s algorithms just don’t have this selective encryption. If the private key is with the user (or on their device, as in the case of the Secure Enclave on iOS devices), then it’s with no one else. You can’t have a bunch of private keys, one with the user and another with law enforcement. And even if you could, it raises the Q of keeping that key secure, and so on and on.
The debate between personal privacy and societal security is one we will be forced to have and settle at a public level quite soon. But lawmakers need to appreciate technology, even if they don’t understand it. As a memorable quote from a former Australian prime minister goes,
“The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.”
The twenty first century cannot afford this.
The websites you visit – This is the Big Tech that people are usually concerned about. Whether Facebook.com or Google.com or Amazon.com, incognito mode protects you somewhat here as long as you don’t log in, but even then trakcers now use digital ‘fingerprinting’ that combines several signals to uniquely identify you between visits. Those trackers often send data to other trackers that consolidate this sort of data.
The apps you use – Also includes Big Tech, but goes well beyond them. As we have seen in the article about whether or not to use Whatsap, apps use ‘SDK’s or software packages from a number of tracking companies that record your activity in the app in great detail. This activtiy data is a lot creepier and a lot more valuable than we usually suspect. Consider Netflix’s analytics for modeling your preferences. It tracks
And also
Similarly, for an ecommerce app, your activity in its app – when you browse, how long you browse, what categories you spend time in, what items you tap preview images for – all this stuff collectively is as valuable as the stuff you actually buy. Same for chat apps. Even if your chat data cannot be decrypted by the company, your behaviour in the app including who you chat with, when, how long, what profiles you tap – all of this builds a picture of you. This The amount of data you can collect on an app – phone make, precise location, contacts – is deeper than websites.
Your DNS provider – DNS is the Internet’s way of translating the internet requests your browser makes and translating them to IP addresses to locate websites, images, CSS stylesheets, fonts and so on. In most cases, your DNS is provided by your ISP. That gives your ISP direct visibility to the sites you visit. If you use another, secure, DNS provider, perhaps one set by your router, or your smart device, or if you change it on your computer/phone/tablet to, say Google or Cloudflare or OpenDNS or some of the others, they now have access to that list. And using a third party DNS provider doesn’t totally hide your web traffic from your ISP either. They may not see the precise DNS request, but they’ll see the reply. You can hide this from your ISP by using a VPN service, but now your VPN provider has access to your traffic [1]
The point of all this is to show that we usually think of privacy in the context of the Big Tech USA companies: Google, Amazon, Facebook and similar. That concern is justified. If anything, it’s under-discussed and poorly understood. But the scope of online surveillance is a lot wider and a lot deeper. And significantly more creepy.
Now that you have some idea of what is watching you online, we can get into how you can protect yourself. We’ll discuss that in the coming days.
(Part 3 – a comment on data custody and open source)
Footnotes
[1] Unless you host your own VPN, but that requires technical capability, and if you’re hosting it in the cloud so you can use it both at home and outside, then you’re paying the cloud provider for all the traffic routed through the VPN.
(Featured Image Photo Credit: Anastasiia Krutota/Unsplash)
When we read about loss of privacy, it’s usually in one of two contexts:
And this is true. But they aren’t the only ones who track your activity online:
Other people on a shared computer – this is what incognito mode is for. Now that each of us has a personal phone, tablet, laptop, this isn’t as much an issue as it used to be. Incognito mode is also useful to have websites ‘forget’ you; more later.
Your computer – the operating system that runs on your computer has access to files, note, contacts, calendar, pictures, music, videos – anything that you store on that computer. Even if you encrypt your hard drive, the operating system – Windows or Mac OS – is what does the encrypting.
Your phone – same as above. You’re most likely running iOS/Apple or Android/Google. In the case of Android phones, most phone manufacturers modify Android – for cosmetic reasons and to add phone-specific functionality. Often their apps are the defaults, not Google’s. In any case, that manufacturer also has access to a lot of the data
Your browser – Chrome, Safari, Edge, made by Google, Apple and Microsoft respectively, need to be able to “see” what websites you visit in order to be able to work. Browsers now have you sign in to not just a website but into the browser itself (think Chrome and your Google account) to sync history, bookmarks and extensions across devices – which means the browser not just tracks this information but stores it centrally. Also – the browser sees your activity even in incognito mode or private mode. That mode just means the browser doesn’t save any information.
Your Internet Service Provider (ISP) – all your traffic needs to go through this entity before it connects to the public internet. Your ISP isn’t able to see HTTPS-encrypted traffic, like the contents of your email on gmail.com, but it knows what sites you’re visiting. This isn’t limited just to your computer – any device at home like an Amazon Echo, Google Chromecast, or a Samsung Smart TV (and similar devices from other brands) – that connects to the internet sends data through your ISP. Technically your home router can also see all your data – this is the one that connects your home wifi to your internet service provider – but I don’t know of routers that are known to systematically ‘phone home’ your data. It’s too big a reputational risk.
Your operator/carrier – same as above, when you’re using your mobile data plan. This is true not just of browser traffic, but also when you use apps, like games. Your operator is very likely able to figure out what games you play based on the internet traffic the game generates. Just because you use the Twitter app instead of visiting twitter.com doesn’t mean you’re sending any less data.
(Part 2 – more entities that track you, including the ones you’re concerned about)
(Featured Image Photo Credit: Tolga Ahmetler/Unsplash)
A friend sent me this message from one of the groups she was on:
I’ve just found out that chats in Telegram (unlike in Signal) are not encrypted by default (unless started as secret chat) and group chats are not encrypted at all!”
and asked if this was true.
I think terms like “not encrypted”, “end to end encryption” need to be understood better so we can make better decisions about what to use and not. Here’s what I wrote back:
“Yes, Telegram encryption works differently from Signal but it’s just plain inaccurate that Telegram chats are not encrypted. They are. Both “in transit” ie from your phone to Telegram and “at rest” ie on Telegram servers.
So what’s the difference between the apps?
Telegram chats are encrypted by Telegram’s keys, which are stored separately from the data. From their privacy policy:
Telegram is a cloud service. We store messages, photos, videos and documents from your cloud chats on our servers so that you can access your data from any of your devices anytime without having to rely on third-party backups. All data is stored heavily encrypted and the encryption keys in each case are stored in several other data centers in different jurisdictions. This way local engineers or physical intruders cannot get access to user data.
All group chats are also encrypted in the same way:
In addition to private messages, Telegram also supports public channels and public groups. All public chats are cloud chats (see section 3.3.1 above). Like everything on Telegram, the data you post in public communities is encrypted, both in storage and in transit — but everything you post in public will be accessible to everyone.
For 1:1 conversations, Telegram has what it calls ‘secret chats’, where the encryption keys are known only to the two devices – one for each person. Again from Telegram’s privacy policy:
[In secret chats] all data is encrypted with a key that only you and the recipient know. There is no way for us or anybody else without direct access to your device to learn what content is being sent in those messages. We do not store your secret chats on our servers. We also do not keep any logs for messages in secret chats, so after a short period of time we no longer know who or when you messaged via secret chats.
So if you only use Telegram on one iPhone and I use it on iPhone, iPad, and two Macs and I use each of them to chat with you, you will have four distinct ‘secret’ conversations with me on the same phone, and I will have one conversation with you on each of my devices, but all disjointed. In return, no messages are stored on Telegram’s servers.
Signal works this way by default – separate message queue for devices. You can see that the conversion on my iPhone is not synced to my iPad automatically:
But there is a tradeoff. Once again, Telegram’s privacy policy:
For the same reasons secret chats are not available in the cloud — you can only access those messages from the device they were sent to or from.
Without getting into the details, it’s really tough to do all three of the following:
With this model,
Hope this helps.”
I’m quite happy with the ongoing conversation around the loss of personal privacy online. There seems to be mainstream coverage of its pervasiveness for the first time, even if it’ll be churned away by the next news cycle.
But this conversation is as vulnerable to being hijacked and derailed by disinformation as any other. I think it’s important for those who can to explain technology and terminology in such a way that people can make educated decisions about reclaiming their privacy.
(Featured Image Photo Credit: Mitchell Ng Liang an/Unsplash)
In my post last week, I wrote that simply deleting Whatsapp and moving to Telegram or Signal wasn’t going to make much of a difference to your privacy. There are so many other ways that Facebook collects data from you, your phone and your computer:
The subtext of the article was also that you need to think about your privacy as a whole, not just limited to one app or company.
I won’t pretend that thinking about privacy is straightforward (leave alone appealing), but it’s not impossible either. And since the biggest companies today make money directly or indirectly off your data, it’s worth investing time to understand just how much of your data these companies have, how they get them and how it affects you.
We rest in the fact that we’re just one uninteresting person among hundreds of millions of users of Facebook or Google or Amazon and our particular stream of data isn’t worth much:
But the algorithms that sift through all this data have little to do with the number of people that they draw conclusions for. You could be a nameless, claimless casualty of an incorrect inference that this algorithm makes: Sir Tim Berners-Lee, one of the fathers of the internet, gives one example:
Just think your insurance gets cancelled because you’ve been searching for cancer online too much. But, in fact, you were looking because a friend of a friend had some form of cancer. However, now the system suddenly decides that it’s worth sending you ads about cancer then also it can decide whether it’s worth increasing your insurance premiums, maybe blocking you from taking on a new insurance policy because they’re worried that you might have an existing condition.
– Sir Tim Berners-Lee: The marketing impact of artificial intelligence
Lately with contract tracing apps mandated by governments, you may not have a choice in data being collected about you. Even if there’s location data about millions of people being collected daily, once the central algorithm identifies that someone near you tested positive, you will almost certainly be required to subject yourself to tests, typically at your expense, and be barred from travel until you receive your results.
But today’s geo-location tech can’t identify that the person who tested positive was enclosed in a changing room in a store while you were browsing a clothes rack outside, both masked at the time.
The result? You being inconvenienced unnecessarily in the name of safety because of incorrect conclusions made from data you shared without choice.
Sticking with real life, as an ordinary person among millions of fellow citizens, you may be arrested because surveillance cameras and the associated facial recognition technology misidentified you. This has happened – repeatedly:
The identifications justified Talley’s detention, even though he claimed he had been at work as a financial adviser for Transamerica Capital when the May robbery took place. Talley said he was held for nearly two months in a maximum security pod and was released only after his public defender obtained his employer’s surveillance records. In a time-stamped audio recording from 11:12 a.m. on the day of the May robbery, Talley could be heard at his desk trying to sell mutual funds to a potential client.
How a Facial Recognition Mismatch Can Ruin Your Life
The article from which I’ve taken the quote is an detailed dismal tale of how the person, wrongly identified, had his life turned upside down trying to prove his innocence while struggling to live his life alongside.
The burden of proof, previously solely on prosecutors, has now shifted to an algorithm that doesn’t have to explain itself – another example of how involuntary loss of privacy, this time through surveillance cameras – severely affected an otherwise unremarkable person.
Whether on the Internet or in the real world, it’s easy for your data to be turned against you, even if inadvertently or accidentally. This has nothing to do with how well-known you are, or if someone wants do get back at you.
In this new world, it’s important for you, me, our families – everyone – to understand our loss of privacy and then form our own plan to reclaim it.
Once, a long time ago when Whatsapp was independent, their founders wrote:
We knew that we could charge people directly if we could do all those things. We knew we could do what most people aim to do every day: avoid ads. No one wakes up excited to see more advertising, no one goes to sleep thinking about the ads they’ll see tomorrow.
The company they did NOT want to become? One where
…their engineering team spends their day tuning data mining, writing better code to collect all your personal data, upgrading the servers that hold all the data and making sure it’s all being logged and collated and sliced and packaged and shipped out… And at the end of the day the result of it all is a slightly different advertising banner in your browser or on your mobile screen.
But this week in 2021, Whatsapp backed away, temporarily, from a change in their privacy policy. Newspaper ads clarifying the change didn’t work well enough, so we’re now at another blog post:
… we don’t keep logs of who everyone’s messaging or calling. We also can’t see your shared location and we don’t share your contacts with Facebook. his update does not expand our ability to share data with Facebook… we’re also going to do a lot more to clear up the misinformation around how privacy and security works on WhatsApp…
This is a company, sold by its founders to Facebook, now having to fight against the widespread perception that its a siphon for data to its parent.
That 2012 blog post, which quoted Fight Club, was a glimpse of an alternate way the decade could have unfolded: one where Whatsapp made money and the mere act of people writing and talking with each other wouldn’t be a stream of activity and metadata.
Part of why we don’t think online privacy is a big deal is because for so many years we have signed away our privacy by agreeing to terms and conditions we don’t understand. We no longer think there’s anything wrong with this and cannot imagine any other model.
But the way in which terms of use are presented to us makes it impossible to truly understand what we are getting into.
The writer of this well-written piece says that informed consent is the basis of any contract that two parties sign. With much of the online services we interact with, we do not give such informed consent:
One, it is simply not practical to read, process and understand the average service’s terms of use. They are several hundred or several thousand words long, often ambiguous, displayed when you’ve already begun the installation or signup process, and require you and me, the users, to keep track of future changes made to the terms.
Two, it’s all or nothing. Even if you don’t understand the terms, you aren’t allowed to use the application or service. There is no middle ground, no customization, no negotiation. If you’re an existing customer and don’t agree to a new change to the terms, which were made unilaterally, you’re supposed to exit the service. Whether you’re allowed to take your data with you, and whether and how long your data is kept around is once again entirely up to the service provider.
This not only makes everyday conveniences difficult, when it comes to what the writer calls mandatory applications, like a contact tracing app during a pandemic, it is outright disenfranchising.
I recently read, in the context of sexual consent, that a yes has no meaning if no is not a safe option. Our relationships with tech companies are unbelievably unequal – we have no real ability to say no. And our collective individual loss of privacy is directly – though not exclusively – due to our woeful lack of understanding of this lack of consent.
Why is it hard to find beautiful products that are respectful of their users’ privacy and are designed to last?
There’s such an opportunity for something that looks as good as the Nest, but doesn’t require two-factor authentication to replace. I didn’t want to call it dumb but beautiful, so let’s say “autonomous and beautiful” appliances and home devices. I still want it to be smart, but if you’re going to have the risk profile of a device that connects to the internet, it needs to be worth it, like Brilliant, Sonos, smart TVs, or connected cameras.
– Matt Mullenweg
One argument is that design talent is expensive, and that they work at those very companies whose idea of advanced equals internet connectivity.
Free/Open Source Software has disproved this for engineers. For over three decades it’s shown that the world’s best engineers can work on products that respect security, privacy and work independently of the Internet. It could be equally true of designers, and there are in fact well designed open source software products – take the Firefox browser or the KDE desktop environment or the NextCloud suite. One problem is that it isn’t mainstream yet.
The main problem, I think, is that great companies stay independent for shorter and shorter times. Nest was an independent company was less than four years from its founding to its acquisition by Google. That’s less time than you expect your thermostat to last. I have more to say on this but I’m organising my thoughts at the moment.
This New York Times article talks to people who own bitcoin but cannot access them because they’ve forgotten the keys to their bitcoin wallets. Some of these people have all but lost thousands of bitcoin, which are worth hundreds of millions of dollars today. I personally know someone who was gifted a hundred or so bitcoin when they were worth a dollar each, and has since been unable to recall how to access them.
The genius of bitcoin – and therefore the problem – is that has no issuer, like a central bank. Inherently, there is no equivalent of a bank account that holds bitcoin, and no bank that you can visit or call to have your password restored. It is as decentralised as the Internet is, and people have over and over extolled bitcoin as being able to be your own bank.
But one man’s freedom is another man’s overhead. As more people hold bitcoin and other cryptocurrency, they will turn to entities to manage it for them. Specialised cryptocurrency custodial services have existed for years now, and mainstream financial institutions like Fidelity already offers it. J P Morgan is seriously evaluating it; a solution from the 130 year old Northern Trust is pending approval. It’s likely that between new and old world financial entities, most cryptocurrency will be held in custody like more traditional securitised assets.
Digitally-native things are alike in this regard. You can own them if you like, but it’s a lot easier to have a third party hold them in custody for you.
Twenty years ago it was highly uncommon for the entity that gave you your email address to give you any sort of storage service for your email. You’d download your email to your computer through POP3 and it’d be wiped off the email provider’s servers . You truly owned your email – and were responsible for it. Today most people don’t even have a email client on their laptops or desktops, preferring to use web-based email with data stored entirely online. Even the email app on your phone doesn’t store all email offline, only the most recent. Your email provider is also your email custodian.
IRC messaging was similar. Many private/hobbyist IRC servers simply didn’t have the capacity to store chats. It was your IRC client stored chat logs offline, limited only by your computer’s hard drive size. But today, chat apps like Facebook Messenger and Whatsapp store chat logs entirely online, even if they claim they are end to end encrypted.
In the early days of digital cameras – the 1990s and 2000s, your photo library would exist solely on your hard drive. You had total control over the import and organisation of your photos – and consequently had total responsibility. My desktop machine crashed in 2008, leaving me with no photos from before that time – a terrible loss. Now, chances are you use either iCloud Photos or Google Photos for the massive amounts of photos your phone takes, and leave organisation to their AI while paying for online storage. They are your photo and memory custodians.
Finally, your documents, contacts, calendars all have online custodians, usually but not always Apple or Google. This is even though you could store them on your hard drive or self-host your sync server, it’s just too much work for most people.
Whether we realise it or not, whether we like it or not, we live in the Custodial Internet. We pay our custodians in cash or in data, often both.
Like people will doubtless do with bitcoin, we should evaluate custodians for our other data carefully. That data holds our relationships, our memories, our creative output, our wealth, our plans – in sum, our life.