Marketing and Internet Surveillance

The blog post “The Internet of Things that Talk About You Behind Your Back” by Bruce Schneier is really creepy. But it isn’t new, it is just getting worse.

In IT security, the problem of undetected covert communication channels is old and well known. It is also well known that internet marketing adopts approaches and technologies that are sometimes close to it.

What is worrisome is how far this is going. There are various aspects to it.

One is the legal aspect, that is, what legislation allows and how much it protects citizens from excesses: it would be interesting to compare current legislation in different countries, from the USA to the EU, Canada, Brazil, Russia, India, China, Japan etc.

On the technical side, devices like PCs and some tablets allow the user some choices, such as using different browsers (even Tor), managing cookies (in particular third-party cookies) etc., even if it is usually difficult to be really anonymous on the internet unless extra precautions are taken (and many users will not be able to adopt such precautions).

On smaller devices, like smartphones and “smart” objects like watches etc., choices are much more limited but with a little bit of effort the user can do something to protect him/herself from this kind of surveillance.

On IoT devices at the moment there seems to be nothing that the user can do: it is either use it and be traced, or do not use or buy it at all. For these devices, legislation could be the only way of giving the user some choices.

Finally, how many users are even aware of this kind of Internet Surveillance? How many would object if they knew?

A new dress for my website … and thoughts on net “sociality”

Today I released a new version of the UCCI.IT website: a new, responsive, graphic format which has a nice display on all devices, from the standard desktop PC to the smartphones, and a complete revision and re-organization of the material.

This led me to think again about what it means to be on-line, to divulge information about ourselves to the internet world, which by now is a big part of the real world.

I do not really know the answer to this question; I just see that we keep changing the way in which we use the internet as a tool to communicate. This is related to the introduction of new or improved technologies, but also to the current trends: a few years ago we were all for websites, then for blogs, after that for social networks (which are still really going strong), but recently I found myself going back to the very old, almost pre-internet, email-list technology. I hear friends say that they have almost closed down their website and/or their blog, others who have left the social networks, others who do not use email anymore but only a chat app on their smartphones. It seems to me that we are confused, or, at least, I am confused.

I close with the following personal notes that I wrote a couple of years ago:

Dilemma: air my ideas on the cyberspace, get friends and followers or keep it all to myself and the occasional (voice) chat?

Where does privacy end and community begin?

Internet, Privacy and Televisions

It seems that television (hardware) makers do not have very clear ideas (or have understood it too well) of which kind of information one can extract from private people when their televisions are connected to the internet. Here is a possibly disturbing but not surprising story.

Obviously the televisions will ‘call home’ for a variety of reasons and purposes, and this is part of having the television connected to the internet. What should also be spelled out clearly is what the television reports back about its owner.

LinkedIn Intro-duces Intro

LinkedIn has introduced a service called Intro, for the moment for iPhone users. Here are some details about it.

I am very puzzled by the “How it works” details, and in particular by all the possible kinds of issues with the possible use of private, personal or company information. Here are some relevant arguments against this new service which are worth reading and considering.

Device fingerprinting and user tracking

A recent study by KU Leuven-iMinds researchers points out that device and web-browser fingerprinting is on the rise, in spite of all efforts to limit it, like the introduction of the “Do Not Track” HTTP header.

This does not surprise me, since advertising and marketing are usually at odds with privacy, and most people do not well understand the real meaning and breadth of the information that it is possible to collect by tracking users on the internet.

On the other hand, device fingerprinting is a very useful tool for ICT security of web transactions: knowing which device is making the transaction and which user it is (usually) associated with, added to the geolocation of IP addresses and other information, can make the difference between a valid transaction and an attempted fraud.

In the end the most important issue is by whom and how a tool is used, and this holds true in particular for security tools: a gun in the hand of a policeman should be used to a good end, but the same gun in the hand of a thief should be illegal.

On Trust and Security

For a few months we have been reading and discussing the Snowden documents. Most of the information present in these NSA documents is not new, since we have been discussing the possibility of similar facts at length on many occasions. For example, years ago the modifications introduced in the cryptographic algorithm DES by the NSA led initially to suspicions: were they backdoors or algorithm improvements? (In this case it later turned out to be improvements.)

The real difference is that now we know that our worst suspicions in many recent cases were correct.

So what can or should we do? This is a very interesting and hard question, since the main issue in my opinion is that we are mostly dealing with the possible introduction of backdoors in hardware and software, for example to weaken cryptographic algorithms. As normal, even if technically savvy, users, we personally have neither the competence nor the resources to verify that all the hardware and software we use, from mobile phones to supercomputers, is clean of backdoors. So we have to trust third parties, in particular hardware and software makers, that hardware, operating systems, applications, libraries (in particular cryptographic libraries) etc. do not have hidden functionalities or backdoors.

This is not new: we trust car, train and airplane makers with our lives, so we should also trust hardware and software makers with our information, or not?

Is our trust in today's ICT companies well-founded?