The Computer Corner

May 2017
Alertness Alert

At the recent Baisakhi Khalsa Council Meetings I shared the following information with Council members and I wanted to share it with the whole Sangat this month as well.

Privacy on the Internet Does Not Exist

Republicans in the US House of Representatives approved a resolution on March 28th that prevents the privacy rules passed by the Federal Communications Commission last year from taking effect. The vote was 215 in favor and 205 opposing the measure.

Thanks to the vote, broadband providers will not have to get your permission before sharing your web browsing history and other personal data with marketers. Prior to this you could opt in or opt out of having your private information shared. Now you can no longer do that.

Broadband providers will be able to sell your personal information to the highest bidder without your permission. This includes your web browsing habits, what you're looking at, reading and buying, the apps you're using, your personal identification information including your social security number, the hardware and software you're using and where you're located.

They additionally absolved ISPs of the need to strengthen their existing customer data holdings against hackers and thieves. Given what typically happens with massive stores of aggregated, location-specific customer data, the prognosis is not good.

So, what’s the worst that can happen? Let’s run through a few probable outcomes:

Ad retargeting

We all might be familiar with this; when we buy a product online and then see ads for it relentlessly for a couple weeks thereafter. But with increased granularity of metadata, ad retargeting can be significantly more ‘effective.’ As an example, certain tech support scam companies prefer to draw their staff directly from complicit drug detoxes and rehabs. They do this largely to ensure a compliant, desperate employee base. So, the next time someone searches for help with an intractable heroin addiction, they might get targeted ads for unlicensed rehabs that come with a new job opportunity of scamming the elderly by posing as a computer tech support person.

If your browser history correlates to those of low income or unemployed people, your ads would fill with work from home scams. Or low-literacy search phrasing, in conjunction with low income, could get you directed to multi-level marketing scams. There is a cornucopia full of ways to target the weak and vulnerable via metadata and it’s both legal and profitable.

Stalking

As we can see with many domestic violence cases, abusers have no compunction against using technology to stalk and harass their victims. A 2014 article by NPR surveyed a series of domestic violence shelters and found 75% of their clients had dealt with abusers monitoring them remotely using hidden mobile apps. Some ill-conceived apps have linked multiple sets of user data together, to create inadvertent ‘stalking apps’. Once search metadata is openly sold, a person suffering domestic abuse would have a hard time searching for a local shelter without their partner knowing about it. Even with a new home and a new identity, a victim would have to live permanently with the fear that their search patterns, combined with their IP address, could identify them. Stalking via metadata has been an issue before and it will most likely happen again.

Browser History Ransom

I’ve seen doxware in the wild before. But when the barrier to entry is lowered to simply having enough money to purchase the incriminating data in question, why wouldn’t more criminals get in on the game? As seen with ransomware and tech support scams, when technical limitations to a crime are removed, people willing to try it multiply exponentially. Ransoming a victim’s browser history would seem to be easy money.

Time to Breach

Essentially, once this data begins to be collected, stored, and prepared for sale, there is a stopwatch set for time to breach and dissemination of your data to the highest bidder. Think that’s hyperbolic? In 2015, Comcast published the personal data of almost 75,000 California customers due to an operator error. In a separate incident in the same year, 200,000 Comcast customers had their data sold on the dark web. In 2014, Comcast hadn’t patched their mail servers adequately and hackers made off with extensive credentials. Not to be outdone, Time Warner had their customers breached in incidents here and here. Cox Communications paid the FCC a $595,000 fine for breach of its customer data. Given the track record of handling customer data thus far, how long until the next breach? Who's buying your personal data? Usually thieves, marketers and other third parties, like insurance companies.

But this is bad and I don’t want this

Although options are limited and sometimes frustrating, there are some things you can do. To combat ad retargeting, an ad blocker works quite well. It’s awfully tough to be taken in by deceptive, fraudulent, or just too intrusive advertising if you can’t see it. However, many of the most reputable news sites rely on advertising for revenue, so they ask you to disable ad blockers if you want to access their content. An ad blocker also doesn’t really address the issue of shadowy third parties doing untoward things with your data, which brings us to…

Virtual Private Networks (VPNs)

Here be dragons, though, because many VPN providers are no more trustworthy than the ISPs that we all love so dearly. If you go to a VPN review site you can see the latest VPNs and how they stack up on quality criteria, which generally include, but are not limited to:

  • Do they keep logs of your activity?
  • How much identifiable data do they keep on you?
  • Do they have physical control over their own VPN servers?
  • What countries are their servers located in?

Check out some reviews of popular VPNs based on answers to these questions here. Another question that you should be asking is how much a VPN costs. Free ones generally find some unsavory ways to monetize your traffic, which is what you’re trying to avoid to begin with. Personally, I use ExpressVPN. It costs about $8 a month.

HTTPS Everywhere

This is a browser extension published by the Electronic Frontier Foundation. It forces websites to use a more secure HTTPS connection when the website supports it. Encrypting traffic in this way does not hide which websites you visit from your ISP, but it does obscure the specific content that you’re accessing on those sites. And as a browser extension, it’s easy to install, and probably falls under the category of things you should be doing anyway. If you want to find out more about HTTPS Everywhere, check out their FAQ here.

How about my Emails?

Any emails you send can also be inspected, at any time, by the hosting company. Allegedly this is to filter out malware, but the reality is that third parties can and do access our emails for other, more sinister and self-serving, reasons. The only way around this is to use end-to-end encrypted email.

What about Net Neutrality?

Net neutrality, or the open Internet, is the principle that Internet service providers (ISPs) should give consumers access to all legal content and applications on an equal basis, without favoring some sources or blocking others. It prohibits ISPs from charging content providers for speedier delivery of their content on "fast lanes" and deliberately slowing the content from content providers that may compete with the ISP’s content.

Now Republicans in Congress are working to gut the 2015 FCC regulations that protect Net Neutrality and, in fact, essentially eliminate the government oversight agency, the FCC itself. Basically, ISPs will now be allowed to charge content providers to set up fast lanes, a practice known as paid prioritization.

Calling your congressman

Internet privacy is a developing issue. As technology advances, its ability to infringe on our privacy in irritating and sometimes dangerous ways can increase. Letting your representatives know that this is a concern can help prevent worse legislation in the future. If you’d like to make your opinion on online privacy known, you can find our representatives Ben Ray Luján here, Martin Heinrich here, and Tom Udall here.

In conclusion, it’s important to understand that, without some serious effort on your part, there is no longer any such thing as privacy online. Whether you have ‘something to hide’ or not, your data and your identity belong to you. Why shouldn’t you control how it’s used?

Please share your tips or experiences with your own tech with the Sangat. Email me and tell me your story, and keep sending me your suggestions for column topics, along with your own favorite smartphone app recommendations and reviews so I can share them here. Just email them to me at guruka@sikhnet.com