It all depends on who's doing the surveilling -- and why, July 28, 2014

It all depends on who's doing the surveilling -- and why

There's not much you can do to prevent being tracked online -- without a Herculean effort. The Electronic Frontier Foundation's Privacy Badger add-on for Chrome and Firefox helps keep the commercial trackers at bay.

The adage goes: "If you're not paying, you're the product."

In the Internet age, having our activities catalogued, packaged, and sold is the price of admission. And there's absolutely nothing you can do about it, at least practically speaking.

Even if you take pains to preserve your anonymity, you may simply be bringing even more attention to yourself. An article on the German site Das Erste claims that the U.S. National Security Agency's XKeystone surveillance system tracks privacy software users worldwide, as well as "virtually anyone who has taken an interest in several well-known privacy software systems." (Wired's Kim Zetter also reported on the discovery earlier this month.)

A disclaimer to the Das Erste article states that the authors "have personal and professional ties to the Tor Project," which provides anonymizing services. However, the authors state that their investigation into the NSA's surveillance is independent of their paid and volunteer work with the project.

Many people ask, "What's wrong with what the NSA is doing?" If the surveillance is saving lives, it's difficult to find a reason to object to it. The only thing many people object to is the program's lack of transparency. Then again, transparency and spying would seem to be self-cancelling. I'm in the camp that's willing to give the government the benefit of the doubt on this issue -- at least for the time-being.

Surveillance's chilling effect on the press and legal pros

According to a report issued today by Human Rights Watch and the American Civil Liberties Union, government snooping on telephone calls and other electronic communications has made public officials and others less willing to talk to reporters and lawyers. The Wall Street Journal's Felicia Schwartz writes that government workers fear they cannot remain anonymous.

Not surprisingly, the government claims there has been no such chilling effect as a result of the recent crackdown on leaks from public officials. The continued appearance of classified information in the news is proof that unauthorized disclosures of sensitive data persist, according to the officials. The Obama administration insists the surveillance is both legal and necessary for our nation's security.

The report also surveyed lawyers about the impact of the Snowden revelations. Legal professionals cite the government's surveillance as the reason their clients are hesitant to communicate with them electronically.

I have a modest proposal for news reporters and lawyers: Use another medium to communicate with your sources and clients. The surveillance may make your jobs more difficult, but it doesn't make them impossible. I'm unaware of any instance of information collected by the government through its surveillance program being used to prosecute anyone other than potential terrorists. Maybe I'm naive, but to my mind, the potential for abuse of the surveillance by the government is outweighed by the potential prevention of another attack on Americans -- or innocent victims in any other country, for that matter.

'Spying' for profit is another matter altogether

I'm less inclined to abide the "spying" being done by commercial entities. There's no reason why for-profit data collectors shouldn't be crystal clear about what they collect, when they collect it, and what they do with the data -- including who they sell it to and what their customers do with it.

Last May, the U.S. Federal Trade Commission issued a 110-page report entitled Data Brokers: A Call for Transparency and Accountability (PDF). The FTC concluded that consumers don't know that their personal data is being collected, aggregated, and sold indiscriminately. The dossiers the companies create may include "bankruptcy information, voting registration, consumer purchase data, web browsing activities, warranty registrations, and other details of consumers’ everyday interactions."

The scope of the commercial databases is vast. One of the nine data brokers studied by the FTC has "3000 data segments for nearly every U.S. consumer." The categories include ethnicity, net worth, age, and health, such as "Diabetes Interest" and "Cholesterol Focus."

As with any technology, the massive consumer databases can benefit people as well as harm them. By helping to verify your identity, they can help combat fraud. However, a consumer may be unable to complete a transaction due to an error in a "risk mitigation" product, according to the report. The consumer has no way of knowing why the transaction was denied, nor a method for correcting the mistake.

More subtle dangers cited by the FTC are use of the personal databases by insurance companies to categorize a consumer labeled "Biker Enthusiast" or "Diabetes Interest" as high risk. Likewise, a people-search product could expose the address of a domestic-violence victim or public official to someone seeking retaliation.

Finally, data brokers often store the personal information indefinitely. The more personal history an identity thief or other criminal can learn about a person, the easier it is for them to "predict passwords, challenge questions, or other authentication credentials," according to the report.

A small step toward thwarting the online trackers

Much attention has been paid to the "do not track" option in browsers. I explained the shortcomings of the feature in last May's "How to improve security in Firefox, Chrome, and IE" (scroll to the bottom of the page for instructions on how to enable the feature). As that story pointed out, Susan Fulton of the American Civil Liberties Union describes the slow progress toward a single do-not-track standard.

Two of the tips in my article from last May were to set your browser to disable third-party cookies and to delete all cookies each time you close the browser. The trackers have developed a new technique that keeps tabs on your browsing habits without relying on cookies.

Canvas fingerprinting uses an unseen image rendered in your browser to take a snapshot of your computer's hardware, configuration, and software versions. According to Quinten Plummer on Tech Times, trackers combine this unique profile with other visible and invisible tracking technologies to create a profile based on your web activities.

Plummer cites a study by researchers at KU Leuvin and Princeton that found canvas fingerprinting in use at 5.5 percent of to "top 100,000 websites," including WhiteHouse.gov and Starbucks.com. Slate's Lily Hay Newman writes that the AddThis online tracking service is primarily responsible for the use of canvas fingerprinting.

In the same article, Newman points out that the tracking technique may not be effective. She quotes a researcher for AdBlock Plus who reported that canvas fingerprinting may work to identify visitors to small websites, but it doesn't scale well, so will likely be unable to identify unique users on large sites.

The AdBlock Plus add-on can be set to thwart canvas fingerprinting by blocking the script it runs to collect the information about your system, as Chris Smith explains on BGR. The Electronic Frontier Foundation's Privacy Badger add-on for Chrome and Firefox also blocks the tracking technique, as described by Peter Eckersley and Kurt Opsahl on EFF's Deep Links blog.

Almost as quickly as we learn about a new way to keep tabs on our online habits, we find out the technique may not be effective, and it is relatively easy to prevent. Is it even worth worrying about? Think about that the next time you're quoted an insurance rate or apply for a job. The organization you're dealing with likely knows a lot more about you than you know about them.

Another adage: knowledge is power.