THREE Comments Of The Day (Really Useful Ones): “Tech Dirt’s Mike Masnick On The Internet Privacy Bill”

There were not one but three excellent, informative, detailed comments, one after the other, in response to the post about the GOP’s elimination of the recent Obama FCC regulations of Big Data gathering by broadband providers. Technology competence is, I believe, the greatest looming ethics issue for the professions, and it is important for the general public as well. All three of these Comments of the Day are educational. If only the news media and elected officials were as well-informed as Alex, John Billingsley, and Slick Willy.

I am very proud of the level of the discourse on Ethics Alarms, and these three Comments of the Day on the post Ethics Quote Of The Month: Tech Dirt’s Mike Masnick On The Internet Privacy Bill are prime examples.

First, here’s slickwilly:

How to be safe with electronic data

First rule: anything online is vulnerable, no matter who secures it. It follows that any computer/device connected online is also vulnerable.

Second rule: Public WiFi is hack-able, and doing so is not that difficult. Someone just has to want to. Using it for playing games could make you vulnerable, and using it to access your financial information (banks, brokers, etc.) is stoopid.

Third rule: Anything you do electronically is forever. Any tweet, snap chat, Facebook post, cell phone text or conversation, email, web post, browsing activity, and anything else may be saved by someone. Some of those are harder to get than others: browsing activity takes a snooper on the data line, or a court order to set a snooper up at your ISP. For instance, all cell phone activity is now saved by the NSA, including where the phone was when. No, no one looks at it, not until they have a reason to research a person, perhaps years later. ‘Smart’ TVs can record you in your own home, without your knowledge, unless you take steps to stop it (electrical tape over cameras/microphones is a start, but still not enough).

Fourth rule: Any public activity can be recorded today. Besides CCD cameras everywhere and license plate readers on many roads, facial metrics can track you in most urban and many rural areas. Even going into the desert or mountains could be spotted via satellite, should the motivation be enough to look your way.

So don’t leave your computer connected to the Internet 24/7 (a power strip that stops electricity from reaching the computer helps cut connectivity when ‘off’), do nullify the ability of other devices to spy on you in your home, and never say anything electronically you do not want going public. Use complex passwords, and never the same for multiple sites. Password safes are better than written notes (and Apple Notes are silly to use for this.) How much you protect yourself depends on your level of paranoia.

Do you have something to hide? A secret you would rather not be made public? Do not document it electronically! Or use the method below.

Now, how to be safe with electronic information: Place it exclusively on an air-gapped (no network connection at all) computer. Place that computer in a heavy steel safe. Encase that safe in concrete, take it out to a deep ocean trench, and drop it overboard. Forget the coordinates where you dropped it.

The point is, nothing is fool-proof.

You can take steps to lower the probability that your information gets out, but even using paper and quill pen was only so good as the physical security the document was placed under. Learn some simple steps and you will remove yourself from the radar of most predators. People are careless, apathetic, and just plain dumb, so anything you do helps keep you safer.

I keep such information in a secure, encrypted flash drive that is not stored in a computer USB slot. Could someone break the encryption, should they find the drive and wish to spend the effort? Sure. But if they want me that badly they will get me, one way or another. Why would they? I do not have any deep dark secrets or hidden crimes in my past. Even so, why should my business be available to anyone just to browse through?

Your mileage may vary, but doing nothing is unethical in my responsibilities to my family.

Now John Billingsley’s contribution:

Excellent information slickwilly. But even if one takes all of these precautions, going to the point of not having an internet connection or even using a computer, there remains a vulnerability. The vulnerability is private information being put on the internet pretty much every time one accesses any form of healthcare.

All of the health insurance companies and healthcare providers by nature of their business have huge databases. In 2015, 4.5 million records of the UCLA hospital system were hacked. Estimates are that more than 150 million records have been exposed since 2009. Healthcare providers were rushed into adopting Electronic Health Records even though they didn’t have adequate cyber security in place. Having your sensitive medical or mental health history exposed is the least of your worries. Medical records sell for hundreds of dollars because they provide a complete dossier of personal information–SSAN, address, date of birth, driver’s license number, credit card numbers and much more. Having your credit card number stolen is nothing compared to this.

If you manage to avoid having your records stolen, you are not out of the woods. Hospitals are regularly being attacked by ransomware, sometimes completely shutting down operations until the ransom is paid. The system is usually infected by someone opening a phishing email or other social engineering attack such as scattering infected USB sticks and waiting for someone to put one in a computer on the network thereby installing the malware.

OK, all of the above attack vectors have been secured and now you’re safe. Wrong. A plethora of medical devices from respirators, pacemakers, and infusion pumps up to MRI scanners and lab analyzers are running embedded programs and connected to the hospital network. If you are lucky, they will only hack the device to get on the network and steal records or plant ransomware. If you are unlucky, they can kill you. But looking on the bright side, a medical record is more valuable to them than your death.

What can you personally do about it? Very little as far as I can see. You can try going to doctors who don’t use EHRs but they are getting harder and harder to find and anyway sooner or later you will need to go to the hospital and they all use them. Besides, you probably have health insurance and there is plenty in those records. This is a huge problem and I think Congress needs to stop worrying about just protecting browser histories and start worrying about protecting all the health information that is out there and continuing to increase exponentially.

Finally, Alex:

What is being reported is wrong, but I think even if you take the most optimistic view you’re taking a stance that is not considering all the consequences of ISPs collecting all the data.

(For background, I think the Obama rule was wrong and oppose net neutrality as proposed. I might get behind regulating ISPs as utilities, but only because currently they enjoy monopoly status because local jurisdictions prevent competitors from entering the market.)

First, the way the data is collected it is not necessarily anonymized. Actually for some types of data (say, you visit a site that distributes “cracked” software or even certain security related ones) the ISP will flag your account and send you a letter. So they are keeping your non-anonymized history. Even if they didn’t, matching a set of grouped anonymized searches to a real person is a relatively easy exercise. I know what are the four sites I visit every day and on some of them I leave comments that can be easily traced to my real identity. Anybody watching my traffic – or an anonymized collection of my website visits – can find out everything about me in minutes.

Second, the ISPs are actually storing the raw data (not the content of the pages you visit, but the full URLs). Not aggregates, not statistics. Storage is cheap these days, and whatever they can gain from that extra tenth of a cent will be saved for future use. They already have the infrastructure, so doing it is almost free.

Third, the data is stored forever, or a very long time at least, and it’s barely secured at all. There are no internal controls and they can’t even confirm if there have been external breaches. A legitimate court order can ask them for all the data they have logged on you, based on your physical location or your IP address. I don’t want law enforcement knowing that I bought “The Machinery of Freedom” and have downloaded “The Anarchist’s Cookbook”, and yet they can trivially know that by asking Comcast for it politely.

Fourth, you only know you’ve been targeted when you’re told, but there is no way to know that I have not been the subject of one of these fishing expeditions that turned up nothing. I do not know if anyone has looked at my internet history.

Fifth, your ISP has no incentive to protect you. In many places you can’t go to a competitor, and where you can they have the same policies. The best you can do is take your $50/month away; the government can make their lives comfortable or miserable for years. Guess who they’re going to side with.

What can you do to protect yourself?

– Encrypt everything. That’s not on us but on website operators. Now your ISP only has the domain instead of the full URL. An improvement, but they can still figure out if you visit unsavory places like “how to start a revolution dot com” or “ethics alarms dot com”.

The VPN solution being suggested by some pundits is stupid. You give more money to someone else who is under the exact same position as your current ISP.

Use TOR. I use it sparingly, and in the past have run a relay node at my IP address. Unfortunately it is so uncommon that it just brings more attention to yourself. Besides if everything went through TOR traffic the network load would slow things down noticeably.

In the end I can only think of using privacy-friendly services (e.g. DuckDuckGo for your search engine), having the ability to protect your traffic when needed (TOR, but routinely use it to make it “the new normal”) and support those developing the technology to protect privacy (e.g. the EFF). The current incentives are not in your favor, and Congress has demonstrated an absolute inability to do anything about it. This will be a long and upward battle; I don’t expect to see any gains on the individual’s side for decades.

PS: Read this essay by Bruce Schneier: I generally oppose government regulation to solve these problems, but the “toxic waste” analogy makes a very strong point.


2 thoughts on “THREE Comments Of The Day (Really Useful Ones): “Tech Dirt’s Mike Masnick On The Internet Privacy Bill”

  1. Excellent, all three of you. John touched on this, but I would say that I am not worried about what’s on MY computer, I’m worried about what of mine is on somebody else’s computer…like the VA, just as an example.

  2. The story Little Brother explores many of these issues very well. Just encrypting all traffic draws a bulls-eye on your IP address, should anyone be paying attention.

    The information in other people’s servers is a valid concern. And a private citizen can do almost exactly zero about it. Robert Heinlein’s method of throwing sand in the gears (“pay a nickel too much, spell your name a bit differently on each form, make minor mistakes to bolix the system”) no longer works, as systems routinely catch such errors (and routinely miss them, depending on the policies of those who run them, but that is a different topic) and compare across each other. No answer there, just as there is no way to avoid the NSA keeping your data forever.

    “…the ISP will flag your account and send you a letter. So they are keeping your non-anonymized history…”

    Yes and No. You are at least partly referring to the Digital Millennium Copyright Act (DMCA), a horrible law designed to make work for lawyers suing ISPs. ISPs are required to be able to pinpoint any IP address to the minute at any time in the past (to the limits established in the law) and show what URL it was accessing, on the theory that content in a totally transparent and insecure medium (the Internet) should not be shared and copied, should the owner decide so.

    The new money scam is to set up a site that allows video to be copied, then send the ISP a letter to make them stop their users from copying the content once any user visits the site and does so. Should the ISP fail to stop the objectionable activity, the owner sues the ISP for ‘damages,’ with a forthcoming offer to ‘settle’ for a still outrageous sum, but less than going to court. Since many ISPs do not have the ability to stop or block their users from visiting such sites, they pay up. Note that it takes an hour or less to set up such a site, and software can do this many times a day without human support, and the same software sends form letter emails to ‘violators’ ISPs automatically, usually in such a way that the ISP has to have a human review each email individually. This results in even very small ISPs (less than 10,000 users) getting thousands of the automatic emails a month, many of which are in error themselves and have to be weeded out by hand!

    This in turn motivates the ISP to upgrade to the ability to log all traffic such that it can be produced in time to avoid a lawsuit. If the site cared about its content, they could secure it in the first place (and many do so) but this predatory type of site WANTS the material copied.

    …And your privacy is compromised.
