Note that, while this references an event in the United States, it represents something that is actually far worse in many countries. Privacy is a concern for you no matter where you live, and it is often only a secondary benefit from taking these measures.
So, this passed the House and Senate along firm party lines, and has caused a fair bit of alarm. Monday, it was signed by Trump.
And has led to what could at best be described as dangerously misinformed enthusiasm.
At worst, scams.
You cannot buy any individual American's browsing history from a telecom company. This is already illegal.
Telecommunications Act said:
(1) Privacy requirements for telecommunications carriers
Except as required by law or with the approval of the customer, a telecommunications carrier that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to individually identifiable customer proprietary network information in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories.
This is to say nothing of the various state laws that also apply here.
About the only good to come of the blowback from this is that it will likely stay that way.
This is not to say that it is impossible to obtain someone's browsing habits by other means: malware, Firesheep, clever CSS hacks, direct intrusion, snooping on DNS...
But it's not going to happen by getting it from ISPs. At least not in the United States.
To be clear, what this 'law' does is to ensure that the status quo continues. The FCC guidelines were just to prevent companies from selling their aggregate data, and this legislation blocked that regulation.
Nothing you send to a site over TLS (sites beginning with https://) can be observed by a typical third party.
This includes your web searches on any major search engine, your posts and private messages here, etc.
If a site's URL begins with https:// rather than http://, then observing what you read and send requires one trick or another.
To see how feasible that is on a given website, you can plug the domains you visit into SSL Labs here to get some verification of how secure a site's TLS setup is.
This isn't perfect, of course. It assumes the security of the site you are visiting, the security of the machine you are using, and information can still be gleaned from other sources.
I will go over some additional security measures below.
Note that if your employer, school, or other entity manages your machine, then they can get around this in sophisticated setups. Don't use the following advice to expect to browse BMR privately on your company machine on your company network. <_<
1) Keeping your device clean.
This means a few things:
a) Removing continually-running processes that you don't actively use much. It also means keeping tabs on how much the applications you do use are phoning home. Facebook and its properties (WhatsApp, Instagram) are pretty notorious for this, for example.
b) Keeping malware, bloatware, spyware, etc. off of your machine. Many 'security' products have effectively been malware for the past decade (McAfee, Symantec), doing more harm than good while costing you money. My windows machine has Microsoft Security Essentials, and that's it.
These measures don't just help with privacy. Privacy is a side benefit compared to the performance effects.
A full discussion about keeping your devices secure would be out of scope here. Stuff is getting scarier, however, so devoting a bit of mindspace to it is always wise.
I keep a list of some of the software I use here, though I do not have a similar list for Mac users. The extensions below should go a long way, however, assuming you take care with what you run on your device in general.
2) Useful browser extensions
* Ghostery is the most widely-used privacy extension. I highly recommend it if this bothers you.
* uBlock Origin is now the most widely-recommended ad-blocking software, after Adblock sold out.
Keep in mind that disabling your ad-blocker should only be done on sites that you trust. Malvertising is a serious concern of late, and this issue appears to only be getting worse.
As above, both of these extensions can help make websites more responsive, especially on seriously ad-laden sites.
There are some more advanced plugins that do things like manage cookies and referer (sic) information. Not going to link them directly, because they take a bit more understanding to use. They can break things if you forget about them.
* Referer Control - allows you to block the HTTP_REFERER header (yes, a spelling error made it into a web standard), which tells a webpage where it was linked from. You should keep this to blocking 3rd-party referers only, as blocking 1st-party can only cause trouble for nearly no benefit.
* Cookie Monster - in general, Ghostery should do most of what this does, but you can use this to make blocking 3rd-party cookies explicit. This does break some things, however, particularly on streaming/media sites.
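The "block 3rd-party referers only" rule above hinges on what counts as the same site. As an added example (my own illustration, not code from the post or from the Referer Control extension), this classifies a Referer as first- or third-party by comparing registrable domains rather than whole hostnames, so that www.example.com linking to example.com is not wrongly stripped. It assumes a crude "last two labels" rule for the registrable domain; a real implementation needs the Public Suffix List for suffixes like co.uk.

```python
"""Classify a Referer as first- or third-party for a 'block 3rd-party only' rule.
Added example, not code from the post or from any browser extension."""
from typing import Optional
from urllib.parse import urlsplit


def site_of(hostname: str) -> str:
    """Crude registrable-domain guess: the last two DNS labels.
    Fine for www.example.com vs example.com; multi-part suffixes such as
    co.uk need the Public Suffix List, which this example does not include."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_third_party(referer: str, destination: str) -> bool:
    """True when the linking page and the requested resource are different sites.
    Comparing whole hostnames instead would call www.site -> site third-party
    and strip referers the site legitimately relies on (the 'breaks things'
    failure mentioned in the post)."""
    src = urlsplit(referer).hostname or ""
    dst = urlsplit(destination).hostname or ""
    return site_of(src) != site_of(dst)


def outgoing_referer(referer: str, destination: str) -> Optional[str]:
    """Referer value to send: unchanged for first-party requests, nothing for
    third-party ones. The full URL carries path and query, which is what a
    third party would otherwise learn (e.g. which thread you were reading)."""
    return None if is_third_party(referer, destination) else referer


if __name__ == "__main__":
    # Constructed sample navigation: a forum thread page loading an image
    # from the same site and a tracking pixel from an unrelated domain.
    page = "https://www.bluemoonroleplaying.com/threads/example?page=2"
    print(outgoing_referer(page, "https://bluemoonroleplaying.com/img/a.png"))
    print(outgoing_referer(page, "https://tracker.example/pixel.gif"))
```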
3) Learning how to use your hosts file
Your hosts file lets you bypass DNS queries for specific domains. It's sometimes used to null-route known malicious sites, but it can also be used to hardcode sites whose IP you know won't change often, and which, when it does change, you know you'll be able to look up easily.
An entry for bluemoonroleplaying.com would look like:
Code:
208.117.11.92 bluemoonroleplaying.com www.bluemoonroleplaying.com
DNS is extremely leaky, because queries are sent in essentially plain text to what is usually a completely third-party server. So while a snooper couldn't tell what you were doing on BMR or Google, they could tell you visited these sites, along with an idea of how much you participated.
You are likely going to be hearing more about this in the future - this is how the Alfa Bank - Trump Org - Spectrum link was first exposed back in October.
If the Russian bank and Betsy DeVos' brother had just set their hosts files, they wouldn't have had this additional smoking gun to this Seychelles piece.
One irony is that, although Alfa Bank is trying to sue via the CFAA over this, neither Alfa Bank, nor Spectrum, nor the Trump Org are the aggrieved party under the CFAA here. Even if they needed to compromise a server to get this information - which isn't guaranteed. If someone publishes your DNS history, you have no legal option based on computer access itself, that I am aware of.
Having your favorite sites in your hosts file also means that if DNS goes out (either for the site, or you), you can still access the sites in question. It does require some maintenance, however, and is only good for mid-ranged, single-server sites like BMR.
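To make the two points above concrete (which lookups stop leaving the machine, and the maintenance burden of pinned entries), here is an added example of my own, not code from the post: it parses a hosts file, reports which visited hostnames would still go out as DNS queries, and flags pinned entries whose IP no longer matches what the resolver returns. The sample hosts file and the "moved" address are constructed; the resolver is injected so the script runs offline (in real use pass socket.gethostbyname).

```python
"""Check a hosts file for DNS exposure and stale pins. Added example, not from the post."""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample hosts file: the BMR entry from the post, a null-routed
# hypothetical tracker domain, and a comment line.
SAMPLE_HOSTS = """\
# static entries, maintained by hand
208.117.11.92 bluemoonroleplaying.com www.bluemoonroleplaying.com
0.0.0.0 tracker.example   # null-route, hypothetical domain
"""

NULL_ROUTES = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname to its pinned IP; later lines override earlier ones."""
    pinned: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed address: skip rather than trust the line
        for name in fields[1:]:
            pinned[name.lower()] = ip
    return pinned


def dns_exposure(pinned: Dict[str, str], visited: List[str]) -> Tuple[List[str], List[str]]:
    """Split visited hostnames into those answered locally (no query leaves
    the machine) and those a snooper on the DNS path would still see."""
    local = [h for h in visited if h.lower() in pinned]
    leaked = [h for h in visited if h.lower() not in pinned]
    return local, leaked


def stale_entries(pinned: Dict[str, str],
                  resolve: Callable[[str], Optional[str]]) -> List[Tuple[str, str, str]]:
    """Return (name, pinned_ip, current_ip) for pins that no longer match DNS.
    Null-routes are deliberate and skipped."""
    stale = []
    for name, ip in pinned.items():
        if ip in NULL_ROUTES:
            continue
        current = resolve(name)
        if current and current != ip:
            stale.append((name, ip, current))
    return stale
```

A constructed resolver for a dry run might be `lambda n: {"bluemoonroleplaying.com": "198.51.100.7"}.get(n, pinned.get(n))`, which reports the bare domain as stale and leaves the www entry alone.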
4) Your public data in general
This includes things like answering Facebook quizzes, etc. Some of these are just attempts to drive traffic, others are for future marketing, and some may be both.
One risk with public data is exposing 'secret questions' for password recovery. Generally, where a site includes this sort of thing, I make up some bogus question with some random gibberish as an answer. Works best this way.
Another is e.g. thieves who would scour Twitter for people announcing their vacations. Best to make plans known after the fact.
About VPNs (Virtual Private Networks) and other proxies (Tor, etc.)
Don't use web proxies for anything you log into. They are often run to scrape passwords.
Keep in mind that Tor exit nodes - like all proxies - see all traffic that passes through them. It was rumored that Wikileaks got its start this way, though they denied it. Still, running Tor exit nodes was a known method of harvesting sensitive information back in the day.
Proxies and VPNs are a bit of a paradox, as you are trading relative anonymity in numbers (from your ISP) for a confirmed relationship with a known entity (your VPN provider), who, unlike your ISP, isn't barred from releasing your private information individually - especially if they aren't in the same country you are.
The best VPN is one that you or someone you know and trust is running. I would not accept anything less, personally - but they are not terribly difficult to set up.
For those who are concerned, or are wondering about this, I hope this helps. : )