Google: An Escape Plan – Part I – Bones Beneath the Chromatic Garden


It preaches “don’t be evil” and updates its search engine page with a cute holiday-relevant animation on occasion. Google practically oozes its quirkiness with a range of promises including tons of different “free” services, but let’s be honest, we all know nothing is really free (not digitally, at least). I sometimes catch flak for my distaste for Google and its services, but it’s only because I’m honestly tired of feeling trapped in their almost omnipotent snare. Everywhere you turn, with every digital service you use, they seem to be so closely affiliated.. that is, if they don’t already own whatever you might be using. It’s almost as if you don’t even have a choice as to whether you want to use Google’s services or not anymore; outside of unplugging from the internet completely. When you begin to do some research on the company, this all starts to sink in.

For example, if you look through the Wikipedia entry for ‘List of Mergers and acquisitions by Google‘, you will see a listed table that runs 181 rows long. If you’re reading this post even a few weeks or so after the date it was published, it is sure to be longer. Among these acquisitions is the popular aggregate-focused antivirus tool VirusTotal, multiple facial recognition programs, home monitoring and home automation companies, and even the popular robotics company Boston Dynamics. Now, of course I’m not worried about Google sending out sentient robots to my house, but I am worried that one company (that collects a whole lot of my information, which I consider pretty personal) has so many outlets at their disposal. Having a Google account, so many of the different internet services I use every day are all connected into one company. Gmail, YouTube, Google Music, and the list goes on. Vacuuming up as much user data as they can. Remember, Google is the self-proclaimed world’s largest advertising and search monetization program.

~

Beyond the fact of how much Google owns, there are several factors of what exactly they are doing with their products which stand as irksome to me.

There is, for example, the matter of Google striving to give off a posture of openness – in terms of software and APIs. This is often less true than false. Take for instance Google’s Android OS. As Ron Amadeo of Ars Technica put it, things on Android have become “look but don’t touch”:

When Android had no market share, Google was comfortable keeping just these apps and building the rest of Android as an open source project. Since Android has become a mobile powerhouse though, Google has decided it needs more control over the public source code. For some of these apps, there might still be an AOSP [Android Open Source Project] equivalent, but as soon as the proprietary version was launched, all work on the AOSP version was stopped. Less open source code means more work for Google’s competitors. While you can’t kill an open source app, you can turn it into abandonware by moving all continuing development to a closed source model. Just about any time Google rebrands an app or releases a new piece of Android onto the Play Store, it’s a sign that the source has been closed and the AOSP version is dead.

It’s true, as Android has soaked in a relevant share of the mobile OS market, the demise of once-open-source applications on Android – the Music, Calendar, Photo gallery, and several other applications has occurred as well.

There are also the broken promises or lapses in expectations from the company in terms of privacy/security-conscious OS implementations. Take for instance, the recent backpedaling on encryption-by-default settings being prepared for the next Android version update:

..despite all those promises, Google hadn’t updated its Android Compatibility Definition document for Lollipop, which lists rules for its hardware partners, to include a stipulation for encryption. It stated the following: “If the device implementation has a lock screen, the device MUST support full-disk encryption of the application private data… as well as the SD card partition if it is a permanent, non-removable part of the device… For devices supporting full-disk encryption, the full-disk encryption SHOULD be enabled all the time after the user has completed the out-of-box experience. While this requirement is stated as SHOULD for this version of the Android platform, it is very strongly RECOMMENDED as we expect this to change to MUST in the future versions of Android.”

And there you have it. Though it looks to be laying down the law at first, Google simply recommends partners add encryption by default, though they must support it (this is no different from previous Android iterations, though). It seems Google pushed the button too early, at least for some manufacturers worried about the performance impact on phones that can’t handle the extra data load.

Here is the update on the change in plans from Google‘s official Android Blog:

Update: In September, we announced that all new Android Lollipop devices would be encrypted by default. Due to performance issues on some Android partner devices, we are not yet at encryption by default on every new Lollipop device. That said, our new Nexus devices are encrypted by default and Android users (Jelly Bean and above) have the option to encrypt the data on their device in Settings —> Security —> Encryption. We remain firmly committed to encryption because it helps keep users safe and secure on the web.

Encryption is a crucial piece of security for what’s basically a handheld computer you carry around with you each and every day, and while in the height of legal strain on the idea of “crypto for everyone” this may have been a “too idealistic” pitch for Google HQ, this doesn’t seem to resonate in the official statement from the company. The fact that the ability for encryption remains an option for users makes this a sort of small quibble, but is it really too much to ask for a company that stores and transfers so much user data to have such security implemented out-of-the-box? Even Apple uses fairly robust system encryption in iOS8 all by default, which even includes a type of public-key cryptography scheme with their popular iMessage service.

~

In a more human aspect, Google pulls some serious bureaucratic strings. According to the Center for Responsive Politics, Google was the ninth highest spender in political lobbying through 2014. It’s remained in the Top 20 of this list for the last three years.

Top Spenders in Political Lobbying - 2014 (Center for Responsive Politics)


But just in case you’re not as firm a believer as I am in the “money talks” principle that suits our political system, we can take a look at the particulars of the company’s stake in the situation:

A Revolving Door, Indeed.


Yes, that chart clearly spells it out: ~82% of the time a Google lobbyist has previously held a government job. You can further investigate each of the individual Google lobbyists yourself, if you’re still not convinced of its presence.

This leads me to the largest issue I personally have with Google – the realm of user privacy. Regardless of several higher-ups claiming that Google will stand against mass surveillance, there are several very blatant actions Google has taken to do just the opposite. Yes, Google had filed a First Amendment lawsuit against the NSA shortly after the Snowden leaks began to reveal the extent of the agency’s capabilities under their PRISM program, and sure, they fight against the secrecy behind National Security Letters as well, but it would be wise not to start cheering here. Again, Google’s priority is expanding their assets and mining as much user data/metrics as possible for businesses and agencies they have relationships with (basically every business and marketing agency with an internet connection). If they build it, who will come?

When most people think of mass digital surveillance, several three-letter agencies come to mind. But the fact is major corporations – especially ones that process well over 20 petabytes of user data per day – are generally overlooked in this aspect. These are the companies that we are supposed to trust day in and day out to keep us safe as we use their services through our various personal devices. Scraping the bounds of user information they do, they are leaving critical pieces of our devices open as ripe targets for people striving to scrape the same information for their own benefit and other malicious means.

Google both uses its browser cookie technology itself and lets its advertising/marketing clients use it to monitor the way users interact with their websites. It does this by injecting a cookie into the user’s browser as they travel along the way, which communicates back to Google’s servers, and to an advertising account/dashboard the client has control of as well. This is what the information from a DoubleClick (Google-owned) cookie looks like:

time: 01/Aug/2015 9:01:45
ad_placement_id: 105
ad_id: 1003
userid: 0000000000000001
client_ip: 209.85.128.1
referral_url: http://www.facebook.com/Google

This includes the site you visited, when you visited this site, the IP address you visited this site from, and the unique cookie generated and “fed” to your browser during this visit. Most of the time, these DoubleClick cookies are deployed over HTTP – an unencrypted protocol, thus making them susceptible to hijacking. The way DoubleClick’s advertising scheme functions has also left a door open for several attacks attempting to spread malware through webpages running the advertising service as a redirect. Even besides these instances, the idea of harnessing that amount of data on users should at least make you think about the repercussions involved. We are talking about a cookie that usually lasts a minimum of 30 days and keeps track of any other sites you’ve visited besides the original one, as long as they are running DoubleClick from their page as well (and as long as they are not deleted locally from the browser *cough*). According to a digital advertising buying guide printed in 2011, the use of tracking by means of DoubleClick is extremely widespread. Here are some details from the “Who We Are” section, presumably written up by an employee working at Google:

Buyers have access to a vast, global pool of inventory to reach their audiences with the frequency they want across more than 2 million sites. Google reaches 80 percent of Internet users worldwide, serving hundreds of billions of impressions to more than 500 million users each month, in 100 different countries and 20 languages. This massive inventory pool is uniform across DoubleClick Ad Exchange and the Google Display Network, and is readily accessible to Invite Media clients.

Our clients can reach hundreds of millions of users classified into demographics and interests..
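An added example, not part of the original post and not Google's code: a small audit of Set-Cookie headers for the cookie properties described above (delivery over plain HTTP, no Secure attribute, a lifetime of 30 days or more, and a cookie scoped to a different site than the page visited). The hosts, cookie names and values are constructed, and comparing sites by their last two DNS labels is a simplifying assumption.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

THIRTY_DAYS = 30 * 24 * 3600  # lifetime threshold mentioned in the post, in seconds

# Constructed sample: (host that answered, scheme used, Set-Cookie value).
# Hosts, cookie names and values are invented for illustration.
SAMPLE_RESPONSES = [
    ("www.news.example", "https", "session=abc123; Path=/; Secure; HttpOnly"),
    ("ad.tracker.example", "http",
     "uid=0000000000000001; Domain=.tracker.example; Path=/; Max-Age=5184000"),
    ("cdn.tracker.example", "https",
     "pref=1; Domain=tracker.example; Expires=Mon, 31 Aug 2015 09:01:45 GMT; Secure"),
    ("www.news.example", "https", "theme=dark; Max-Age=3600"),
]
# Fixed "current time" so the Expires arithmetic is reproducible.
NOW = datetime(2015, 8, 1, 9, 1, 45, tzinfo=timezone.utc)


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, attrs); attribute names are lower-cased."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def lifetime_seconds(attrs, now):
    """Return the cookie lifetime in seconds, or None for a session cookie."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        try:
            return int(attrs["max-age"])
        except ValueError:
            return None
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None  # unparseable date: treat as a session cookie
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return int((expires - now).total_seconds())
    return None


def registrable_site(host):
    """Naive 'site' = last two DNS labels (assumption; real code needs the Public Suffix List)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def audit_responses(responses, page_host, now):
    """Return a list of (cookie name, cookie domain, [issue codes]) per response."""
    findings = []
    for host, scheme, header in responses:
        name, attrs = parse_set_cookie(header)
        cookie_domain = attrs.get("domain", "").lstrip(".") or host
        issues = []
        if scheme == "http":
            issues.append("set-over-http")   # readable by anyone on the network path
        if "secure" not in attrs:
            issues.append("no-secure")       # browser will also send it over plain HTTP
        life = lifetime_seconds(attrs, now)
        if life is not None and life >= THIRTY_DAYS:
            issues.append("long-lived")
        if registrable_site(cookie_domain) != registrable_site(page_host):
            issues.append("third-party")     # scoped to a site other than the one visited
        findings.append((name, cookie_domain, issues))
    return findings


if __name__ == "__main__":
    for name, domain, issues in audit_responses(SAMPLE_RESPONSES, "www.news.example", NOW):
        print(f"{name:8} {domain:20} {', '.join(issues) or 'ok'}")
```

The same checks can be run against headers exported from a browser's network panel by replacing the constructed sample list.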

While this does benefit businesses to understand user behavior involved with their products, it seems more and more like the user is becoming the product. Having been in a digital marketing environment before, it has become clear to me that Google and its clients want, more than anything else, a particular wealth of information – a full layout of each individual user and their browsing behavior. The company has been recently striving to find ways to tie an individual’s devices together, so that actions such as web searches and page views can be all rounded up under a unique user profile – regardless of which device you’ve used, which network you were connected to, and regardless of if you were even logged into your Google account while you made them.

While Google does probably have some keen internal checks and balances involved to try and protect user information, their Privacy Policy is vague at best. This strikes up yet another concern involved, one regarding the Privacy Policies and End User License Agreements (see details on the complexity/criticism surrounding Google’s EULAs in this post) you’ll be (probably blindly) agreeing to before using Google’s services. Well, that is most of the time you’ll be agreeing to them before you use the product, unless you are using something like their commuting route optimization tool Waze, which won’t let you view its Privacy Policy until after you’ve agreed to let it utilize your location on your phone.

~

While I think that at this point it’s pretty plain to see that my thoughts towards Google as a company and all-around entity on the internet are not fond ones, that’s not to say that I don’t appreciate certain things they’ve been involved with. For one, I think their coveted team known as Project Zero has done a fantastic job at digging into vulnerabilities, bugs, and things that are way over my head. I also think that Google has brought an idea of convenience in their product that has changed the way developers of tech tools approach making things “user-friendly”. But with this convenience, Google has managed to convince users opening an account with them to tie seemingly every asset they use to the company. Your email, your internet searches, your wallet, your locations, your frequent routes, the music you listen to, your spreadsheets, your photographs, your home thermometer, your.. well, you get the point. And what happens when your Google account gets hacked? What about when Google decides to change their mind and start selling your data to the highest bidder? Believe me, data gets retained, and it’s not like the entrails of your Google account will just vanish into thin air upon closing it.

Compartmentalization is a big deal in terms of privacy and personal data security in this day and age. It’s a very scary idea to me that all of these are tied together per a single user account in the name of “convenience”, all created by one of the world’s largest corporations. Take it from Moxie Marlinspike, an expert in the field of privacy and digital security: Google is something regime intelligence agencies could only dream of having within their grasps:

A transcription of the embedded video, starting from 12:10:

Slide reads: “Develop the technology to easily mine the massive amount of data you collect – that’s Google’s jam!”

..

“Now, clearly, their [Google’s] intent is different; they’re not John Poindexter, they’re trying to sell advertising. But make no mistake about it, they are in the surveillance business. That’s how they make money: they surveil people and use that to profit, and so the effect is the same.

So there’s this quote, ‘who knows more about the citizens in their own country: Kim Jong Il, or Google?’

Now I think it’s Google.. it’s pretty clearly Google.

So once again, there’s this question, why are people so concerned about the surveillance practices of the John Poindexters of the world, and not as concerned about things like Google?

Again, I think it comes back to this question of choice; you choose to use Google, and you don’t choose to be surveilled by John Poindexter or Kim Jong-Il, but once again I think the scope of this choice is expanding, and it’s going to become harder and harder to make that choice, until it’s a choice of participating in society or not.

I mean, already, if you were to say “I don’t want to participate in Google’s data collection, so I’m not going to email anybody who has a Gmail address.” …that’s probably pretty hard to do. I mean, you would in some sense be removed from the social narrative – you would be cut out from part of the conversation that’s happening that’s essential to the way society works today.”

Looking back on this talk, it seems things have only become more polarized towards a Google-glazed internet. So what’s a user to do about it? In this series of posts, I intend to find out if Moxie Marlinspike’s predictions from that Defcon18 talk ring as true as they seem they might. I’m going to attempt to ditch Google. I mean this in the purest way possible – an attempt to completely sever myself from anything Google related. In this trilogy of posts, I will explore the scenario as follows:

Part One: What are the reasons I want to get rid of Google? What makes them worth straying away from? (This is the post you’ve just read/skimmed through)

Part Two: Just how much of Google’s services do I use? What is “ditching Google” going to look like? (an escape plan, if you will)

Part Three: This is where I will make my “escape” and share what happens along the way. I will be documenting alternative services used, practices, and any instances of failure.

How hard is it to use the internet without Google? Will doing so disqualify me from fully “participating with society?” These are questions that have my mind stirring, questions I intend to answer, and ones that will surely require some stiff drinks along the way.


EULA Obscurity

This is why you read the Terms of Agreement

End User License Agreements, Terms of Agreement, and Privacy Policies. Just click “agree” and carry on, right? While it seems that practically nobody reads these (and understandably), they remain an integral piece of the user experience. EULAs are legal contracts between the “licensor” and purchaser of the product (in this case, the piece of software). While usually easily available to the user, these documents commonly contain very vague terms and conditions as well as often confounding terminology. It’s safe to say that the everyday user will almost never take the time to become familiar enough with this type of documentation.

Recently, a couple of popular mobile apps featured in the Google Play store came under fire when they were found to be using users’ phones to mine a cryptocurrency known as Dogecoin (yeah, not even Bitcoin, but Dogecoin).

Here is a screenshot of the EULA for the previously mentioned coin-mining app, known as Prized:

Note here, that you are giving your phone’s CPU the permission to “run calculations and process data without limitations” – perhaps a giveaway that there could be a hidden catch to streaming your music with the service. In this case, there was. But really, even to someone who has a generally keen knowledge on how software operates, this part can be unclear. It’s obvious that data is going to be processed through a music streaming service, but with vague language like this who knows what else might be at hand.

This is far from the only instance of irksome material included within a policy. Name any type of software and there is bound to be a program out there with an ambiguous EULA bound to it.

Even the terms of agreement behind antivirus clients have been seen as suspect. Take Avast!, for example, one of the most popular clients of its kind. Even with such notoriety, its intentions with personal data use have come under questioning from many privacy-conscious individuals. Read the following excerpt from the ‘Privacy; Processing of Personal Information’ section of the free client’s EULA:

8. Privacy; Processing of Personal Information
The Software automatically and from time to time may collect certain information, which may include personally identifiable information, from the computer on which it is installed, including:

8.1 URLs of visited websites that the Software identifies as potentially infected, together with the information on the nature of identified threats (e.g. viruses, Trojans, tracking cookies and any other forms of malware) and URLs of several sites visited before the infection was identified to ascertain the source of the infection;
8.2 Information and files (including executable files) on your computer identified by the Software as potentially infected, together with the information about the nature of identified threats;
8.3 Information about the sender and subject of emails identified by the Software as potentially infected, together with the information on the nature of identified threats;
8.4 Information contained in emails reported by you as spam or as incorrectly identified as spam by the Software;
8.5 Copies of the files identified by the Software as potentially infected or parts thereof may be automatically sent to AVAST for further examination and analysis;
8.6 Certain information about your computer hardware, software and/or network connection;
8.7 Certain information about the installation and operation of the Software and encountered errors or problems;
8.8 Statistical information about threats detected by the Software; and
8.9 If your version of the Software includes the Website reputation function, which provides information on reputation of web sites as potential sources of malware, and you set the Website reputation function to active, the Software may send AVAST the URLs of all websites you want to visit and the results of your web searches through search engines.

Most of these seem relatively reasonable, spelling out that specifically items and activity that set off Avast’s triggers will be collected and sent to the folks at “headquarters”, but again we are met with some seriously vague language, specifically here:

8.6 Certain information about your computer hardware, software and/or network connection;

“Certain information” could mean any number of things, really, especially in the context of your network connection. Point number 8.9 makes it clear that the websites and searches you make will be logged if you choose to enable the in-browser reputation function; however, 8.6 fails to elaborate. For all we know, Avast could be vacuuming up IP addresses and retaining them for large periods of time. Of course, this isn’t likely, but if there were a clearer and more definite explanation of what is at hand, users would need not worry about being so paranoid.

In the earlier linked forum post (here it is again, as it’s worth reading through for those interested), discussion continued, including arguments against the casual use of words such as “generally” and “some” in the Avast! EULA. Some posters responded to these skepticisms with an “if you don’t trust it, just don’t use it” frame of mind. While this is truly an option, it goes against the grain of an opposite school of thought – keeping software (and the terms behind it) “for the people”. In other words, it is one thing to read through the license and find things that you might disagree with, but a further step would be to voice your opinion – that is, if you find yourself invested in the product as a user. This argument states “software is intended to fit a user’s needs and desires after all, isn’t it?”

Some might find this ideology silly, idealistic, or overzealous. But as we arrive back to the initial problem of slogging through incredibly dense EULAs that could mean serious consequences for users if they are not comprehended (or even read through in the first place) one might find that there is reason for investigation and eventual action after all.

The popular technology-focused YouTube channel ‘Computerphile‘ had a video segment titled ‘Blindly Accepting Terms & Conditions?’ that was created earlier this year. In it – after Professor Tom Rodden shares similar sentiments on the state of confusing software Terms of Agreement – a useful application was offered to explore EULAs more thoroughly. This particular tool is a Chrome browser extension called Literatin, which basically allows users to “explore the complexity” of a piece of text – in this case, a program’s EULA – providing them with a word count and comparison in length as well as complexity level to a famous piece of classic literature.

The Literatin extension utilizes an algorithm that the developers refer to as Smog (Simple Metric of Gobbledigook), which is used to measure how “complex and dense” the text at hand is. This is then mapped to pre-existing statistics from UK education levels – “how much education would you have had to complete in order to read a document that complex”, as professor Rodden puts it in the video. This takes into account things such as the length of sentences included, amount of secondary clauses, and other metrics that are not clearly mentioned in the video or on the official website for the extension. All in all it seems like a relatively nice meter in how intense an EULA might be, but it would be nice to see the actual algorithms and source behind the ‘Readability Statistics’.
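As an added example (not Literatin's code, whose exact metrics the post notes are undisclosed), the sketch below applies the published SMOG grade formula (McLaughlin, 1969) to a piece of license text and counts the vague qualifiers the post objects to ("certain", "generally", "some"). The syllable counter is a rough heuristic, and the sample clause and function names are constructed for illustration.

```python
import math
import re
from collections import Counter

# Qualifiers the post singles out as vague in license text.
VAGUE_TERMS = ("certain", "generally", "some")

# Constructed sample in the style of a data-collection clause (not a real EULA).
SAMPLE_CLAUSE = (
    "The software may collect certain information. "
    "It may include personally identifiable information. "
    "We generally keep some of it."
)


def count_syllables(word):
    """Heuristic syllable count: vowel groups, minus a silent trailing 'e'."""
    word = re.sub(r"[^a-z]", "", word.lower())
    if not word:
        return 0
    groups = len(re.findall(r"[aeiouy]+", word))
    if groups > 1 and word.endswith("e") and not word.endswith(("le", "ee")):
        groups -= 1
    return max(groups, 1)


def smog_grade(polysyllables, sentences):
    """SMOG grade from the number of words with 3+ syllables and the sentence count.

    The formula is normed on 30-sentence samples; shorter texts are scaled up,
    so the grade for a short clause is only indicative.
    """
    if sentences <= 0:
        raise ValueError("text contains no sentences")
    return 1.0430 * math.sqrt(polysyllables * 30 / sentences) + 3.1291


def analyze(text):
    """Return sentence/word counts, polysyllable count, SMOG grade and vague-term hits."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[A-Za-z']+", text)
    polysyllables = [w for w in words if count_syllables(w) >= 3]
    vague = Counter(w.lower() for w in words if w.lower() in VAGUE_TERMS)
    return {
        "sentences": len(sentences),
        "words": len(words),
        "polysyllables": len(polysyllables),
        "smog": smog_grade(len(polysyllables), len(sentences)),
        "vague": dict(vague),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_CLAUSE)
    print(f"sentences={report['sentences']} words={report['words']} "
          f"polysyllables={report['polysyllables']} smog={report['smog']:.2f}")
    print("vague terms:", report["vague"])
```

Because the syllable count is heuristic, grades from this sketch will not match Literatin's figures exactly.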

In order to get a better idea on just how much of a mess it is to get through EULAs for commonly used software, I went out to explore some of them myself using Literatin. I began with two programs just about everyone is familiar with: iTunes and the Chrome Browser. The respective results were as follows:


Full iTunes EULA ran through the Literatin extension.

While the overall length of the iTunes legal document was only around eight pages (along the level of ‘Green Eggs and Ham’, Literatin told me), the complexity of the text was allegedly staggering. The adult literacy level was “suitable only for a graduate-level audience” and Literatin compared its complexity to Nietzsche’s ‘Beyond Good and Evil’. This seems like it could be an exaggerated comparison, but after reading through random sections from each one, the thought doesn’t seem too far-fetched.


Full Chrome EULA ran through the Literatin extension.

As for Chrome’s terms of service document, the length was 6,552 total words (around 374 sentences) – almost as long as ‘Sleepy Hollow’ – and had an adult literacy level that weighed equivalent to a couple of Washington Irving’s classics. It just so happens that Google has come under quite a controversy in 2007 concerning its Chrome EULA… and in 2008.

Collectively, it’s safe to say that these license agreements are very complex to the common user. This again assumes that the average user is even reading these before clicking “Agree and Continue” anyways. We’re at a point now where we’re met with an entire series of possible struggles to be dealt with:

  1. Intentional or non-intentional use of vague language that could lead to privacy/data concerns
  2. Long and/or very complex language (as in double-digit-paged documents that look as if they were written by James Joyce)
  3. Terms and conditions constantly changing (with new version releases, change in ownership, etc)

In 1989, Richard Stallman wrote the first draft of the GNU General Public License (GPL), a free software license intended to retrofit to any piece of software and give the user as close to complete freedom as possible in terms of use and sharing. This licensing is used very often by open source programs and projects and has been reviewed and revised many times over. Having said that, it is still very long and heavy with terminology (24 pages long, 5,921 total words, 1,105 of them considered “complex” by Literatin, which gave the EULA a 20.62 Smog Rating). While this user-friendly license is deemed as more trustworthy, it is still hard to follow and can still be confusing to the curious reader.

So is there any alternative that can put absolute ease to the inquiring mind? There’s got to be something out there that cuts through the legal speak and gives a clear cut, concise set of terms to adhere by.

There is. It’s another public license, known as the WTFPL – the Do What The Fuck You Want License. The title may seem a bit over the top, but upon reading the entirety of the WTFPL, it’s fitting:

DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE 
                    Version 2, December 2004 

 Copyright (C) 2004 Sam Hocevar <sam@hocevar.net> 

 Everyone is permitted to copy and distribute verbatim or modified 
 copies of this license document, and changing it is allowed as long 
 as the name is changed. 

            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE 
   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 

  0. You just DO WHAT THE FUCK YOU WANT TO.

That’s it. A license where you practically need no more after looking at the title. Now, of course I realize the comedy behind this, and understand that you might as well not use a license at all if you’re going to implement this. But there is the explicit paragraph there that can be used as reference.

While dangers will always lurk behind certain software license agreements and privacy policies, there seems to be a generally wider understanding of these threats as well as a push from those open source developers and proponents to enforce fair terms for users. Having said this, at the end of the day, it is up to the user to stay vigilant. Scroll through carefully, and absorb as much as possible. Stay curious and do your research. You have the entire internet at your disposal – if you see something, search something.


Newsweek’s Nakamoto Article – My ~0.0001617 BTC on the Matter.

Dorian Satoshi Nakamoto (Photo from Reuters)

When someone calls the police in response to a reporter knocking at their front door, it is obvious he/she is hesitant to be a part of the story. This is the action Dorian Prentice Satoshi Nakamoto took from his California home as Newsweek reporter Leah McGrath Goodman asked to talk with him about a few things. Namely, Bitcoin.

This was the beginning of a series of events – all rooted in an online news article – that would be heightened and talked about amongst crypto nerds and anyone even somewhat interested in Bitcoin. But it has also (gratefully) become a pivotal event in the debate on how journalism does – and how it should – function. A provoking and timely discussion regarding privacy rights for those involved in a news story has risen. Instead of delving into my opinion on the currency or the politics behind it, I find it more important to examine the commotion this story has caused.

THE ARTICLE

The story, uploaded on March 6th to the Newsweek Magazine website, stood as an unmasking and detailed expose on the supposed creator behind Bitcoin. The emphasis must be placed on supposed, however, as we will learn later. Allegedly, when Goodman first asked Dorian about his work on Bitcoin, he responded with the following:

“I am no longer involved in that and I cannot discuss it.. It’s been turned over to other people. They are in charge of it now. I no longer have any connection.”

The article trailed on at great length, dissecting Nakamoto as a humble yet strikingly stubborn and intelligent man, and went on to report similar descriptions from family members and former co-workers. There was much talk of his lifetime accomplishments, from his train collecting hobby to his former secret government work and of course some talk on his possible creation of Bitcoin. Most of his family was interviewed along the way.

While all of this may seem somewhat casual or benign in the sense of invading privacy, the details of Nakamoto’s living situation were very candidly spilled by the Newsweek scoop. Not only did the article’s page contain the name of the California town where Nakamoto currently resides, but it also included a picture of the front of his house taken from a Google Street View Camera, complete with his car showing a legible license plate.

THE OUTRAGE

As would be expected, many fans and investors in the Bitcoin phenomenon reacted swiftly with frustration and contempt towards the publication and its reporter. Leah McGrath Goodman and Newsweek were both lambasted by comments on Twitter. There was an attempted olive branch extended by the reporter, however, as she offered to tie up any loose ends or answer any concerns that people might have regarding the article and its contents.

The author of the Nakamoto article responds to criticism on Twitter.

Rightfully, most questions were a variation of “Why on earth did you include a picture of the man’s face along with his front yard, car, and license plate?” to which there really wasn’t much justification from individuals further than ‘that information was public and Newsweek did nothing illegal’.

Even Newsweek’s editor Jim Impoco responded to the criticisms with the publication, exclaiming that he “..feels very comfortably that we approached the story as responsible as possible” and that he found the criticisms of the story to be “..phenomenally offensive.”

THE OUTCOME

Cut to an overwhelmed Dorian Nakamoto plagued by reporters as he makes a daring escape with a handpicked journo to a sushi restaurant, attempting to explain himself.

Cut back to Newsweek, now releasing a statement on the story and its response, claiming the story was released because it was an important one in which the publication “..recognized a public interest in establishing some core facts about Bitcoin and better informing those who might invest money in it” and that the publication “..encourages all to be respectful of the privacy and rights of the individuals involved.”

And finally, pan to a confident looking Goodman, explaining her thoughts through the story and lasting impressions:

And after all of this, the credits seem so far from rolling. In a swipe back at the posting of images connected to the personal life of Dorian Nakamoto, a Cryptome post was published revealing many of Goodman’s own personal images. These included a redacted visa, tax documents, alleged Google photos of her house, and a list of previous addresses with a bullying sub-header:

“This material may not apply to the Leah McGrath Goodman who claimed to have located Satoshi Nakamoto.”

All this occurred around the time Dorian quickly took to recanting his first utterances in the original article, saying he “..never had anything to do with it [Bitcoin].” Shortly after this statement was included in an Associated Press report, a comment was made on the 2009 P2Pfoundation post titled ‘Bitcoin open source implementation of P2P currency’ by the original poster – the official Satoshi Nakamoto account – which read as follows:

Reply by Satoshi Nakamoto on March 7, 2014 at 1:17: “I am not Dorian Nakamoto.”

LESSONS

Sure, Dorian could be the Satoshi Nakamoto, creator of Bitcoin. He could have logged in to his P2PFoundation account and made that comment himself in an attempt at obfuscation. Or maybe he just isn’t and maybe that comment was left by the real Nakamoto. Regardless, Goodman and Newsweek seem to have already made that decision for us a long time ago. And therein lies one of the problems. In a day and age where practically the entire internet will eat you alive for misreporting, we have an act of a journalist so assuredly unmasking the identity of someone who is not only the creator of a financial underdog, but is also worth an estimated $400 million. While Goodman could have presented this unveiling as more of a thesis than a proclamation, it seems she desired to take the more heavy handed route of reporting. Many would even call this a “doxing”.

Felix Salmon summed up an attitude that I find very damaging in his recent Reuters editorial:

Goodman, on the other hand, is a proud journalist, who gets personally offended whenever anybody raises questions about her journalism, her techniques, or her reporting. In a reporter’s career, she says, “you check facts, you are building trust and building a reputation”. Goodman feels that her own personal reputation, combined with the institutional reputation of Newsweek, should count for something — that if Newsweek and Goodman stand behind a story, then the rest of us should assume that they have good reason to do so.

While there is no need to condemn a journalist for being proud of their work, there is room for condemnation of one who doesn’t think carefully of both the source and the public as they construct their story.

I have no intention of defending Newsweek. I also have no intention of defending Bitcoin or its users. I do, however, intend to question and defend methods of journalism, which should always be geared towards necessary public knowledge and trust. Here we see a man who has done nothing illegal or shown any reason that he intends to be a public figure deserving of scrutiny. I don’t consider this necessary for a moment. Spearheading an expose like this is bound to clash with certain ethics reporters should hold close. Take, for example, some points in the Society of Professional Journalists’ Code of Ethics pertaining to ‘Minimizing Harm’:

  • Recognize that gathering and reporting information may cause harm or discomfort. Pursuit of the news is not a license for arrogance.
  • Recognize that private people have a greater right to control information about themselves than do public officials and others who seek power, influence or attention. Only an overriding public need can justify intrusion into anyone’s privacy.
  • Show good taste. Avoid pandering to lurid curiosity.

I think it’s quite clear that all of these should have been taken into consideration during (and before and after) the reporting of the Nakamoto story. These should be top of mind, especially in times when so many are aware of just how much privacy is being stripped away from their everyday lives. Maybe that’s why so many rush to defend Dorian Nakamoto; because they can identify with him as a man who would rather keep to himself being thrown into a tabloid-esque limelight. Having said this, there should be no exception for turning the tables. The Cryptome doxing of Goodman should be viewed as just as intrusive (or more, even) of an act against someone’s private life. Any such act should be condemned, no matter how deserving people may think it is.

As many might suspect, this act and all the others haven’t nearly dampened the noise surrounding the article. In fact, the bickering continues. It seems that with social media at their disposal, Bitcoin users and Newsweek staff could be going at it for a while, all while Dorian can only hope for the obscurity he once had.


Surveillance in Sochi – A Summary of Events

Welcome to the 2014 Sochi Olympics.

Sochi – all eyes on me.

The road to the 2014 Winter Olympics in Sochi has been one paved in bathroom jokes and quips about drinking water. Those traveling abroad in the Russian city have posted pictures on their Twitter accounts and other social media platforms, joking about how they are missing a door knob and willing to trade some light bulbs for one, or how stray dogs have become their companions, following them through their commute.

Accompanying the laughing, however, has been a serious feeling of paranoia – and not without merit. Before the opening ceremony had even kicked off, and as soon as some journalists and spectators had landed and connected to a nearby wireless router, they had possibly become victims of snoopers and malicious attacks.

But let’s be careful here not to take the half-baked reporting route that a certain NBC special broadcast had, where a reporter and his hired techie side-hand demonstrated how their brand new laptop and cell phone were both “instantly hacked” as they entered a bar near Sochi’s airport. While I’m sure Russian hackers are taking advantage of the tourism in Sochi around now, this type of event could happen at just about any coffee shop across the globe (including your favorite Starbucks here in the States) where people with little or no understanding of security practices are connecting to public WiFi that probably isn’t properly secured itself. This stuff needs to be properly analyzed, after all.

Outside of this hyperbolic report, there has been an actual flurry of activity in Sochi in terms of eavesdropping, and not all of it should be downplayed. The fact is, while a pub in New York might have some local bad actors snooping on internet traffic, steps have been taken in Russia to ensure that literally all of the local traffic can be vacuumed up regardless of the connection. This quickly assembled FSB surveillance campaign has been exposed in a recent Salon article:

On Wednesday, I spoke to Andrei Soldatov, a Russian investigative journalist who broke the biggest security story of the Sochi Olympics: SORM, the Russians’ virtual surveillance system. The Russian FSB (successor to the KGB) will monitor all communications between spectators, journalists, athletes and anyone else who visits (or lives in) Sochi. The U.S. State Department has warned business travelers to be careful with sensitive information, which “may be taken and shared with competitors, counterparts, and/or Russian regulatory and legal entities.” One security expert said SORM was like “PRISM on steroids.”

“There’s not public outcry about these measures,” Soldatov said. “After every big terrorist attack, like Volgograd,” — where suicide bombings killed 34 people last month — “Russian society approves half-measures. And metadata seems quite innocent in comparison to what was proposed.” In October, for example, the lower house of the Russian Parliament approved a law to hold the relatives of terrorists financially responsible for crimes. Muslim women in nearby Dagestan say they have been asked to provide saliva samples to the FSB so that their body parts may be identified in the event of a suicide bombing.

Very bleak measures, taken without so much as a thought for civil liberties, are in place for the event. Earlier on in the same article, we see the HUMINT capabilities of the Russian Government – 60,000 security personnel, one for every six residents of the Russian city.

And even more robust is SORM (System for Operative Investigative Activities), allowing deep packet inspection of just about anyone in the region. There’s no way out through a smaller or safer ISP either, with reports of providers refusing to install FSB software used with SORM.

Another hint of surveillance practices came early on, before the opening ceremony. It was almost whispered in a Wall Street Journal article covering the paper’s tour of the revamped Russian city that would hold the season’s largest international athletic event:

Dmitry Kozak, the deputy prime minister responsible for the Olympic preparations, seemed to reflect the view held among many Russian officials that some Western visitors are deliberately trying to sabotage Sochi’s big debut out of bias against Russia. “We have surveillance video from the hotels that shows people turn on the shower, direct the nozzle at the wall and then leave the room for the whole day,” he said. An aide then pulled a reporter away before Mr. Kozak could be questioned further on surveillance in hotel rooms. “We’re doing a tour of the media center,” the aide said.

Careful there, Mr. Kozak! It’s okay, he quickly sent one of his cohorts to dispel the worry later that day:

A spokesman for Mr. Kozak later on Thursday said there is absolutely no surveillance in hotel rooms or bathrooms occupied by guests. He said there was surveillance on premises during construction and cleaning of Sochi’s venues and hotels and that is likely what Mr. Kozak was referencing. A senior official at a company that built a number of the hotels also said there is no such surveillance in rooms occupied by guests.

The fact is, there is definitely a lot of surveillance going on in Russia, which one would expect with the elevated threats to their security from terrorists and others. But for a high ranking figure like Kozak to confidently blurt out “the westerners are wasting our water, and we know this because we watch them shower” brings the question of journalists, athletes, and other foreigners being targeted by that same surveillance apparatus to an even more physical level.

The State Department (DoS) even publicly announced that visitors in Sochi should have ‘no expectations of privacy’:

“Russian Federal law permits the monitoring, retention and analysis of all data that traverses Russian communication networks, including Internet browsing, email messages, telephone calls, and fax transmissions.”

So, really, this is spelled out in Russia’s law. I guess they don’t need it stamped by a judge in a secret court, even. The question comes to mind: how much of this is actively being intercepted and monitored by Russian intel agencies? Are journalists being targeted by the FSB, not just script kiddies and packet sniffers that want as many Facebook credentials as possible? This could be a bigger problem on the threat level for those spending time reporting on the Winter Games. Imagine an LGBT activist in Russia has a new scoop on violent actions taken against the homosexual community in Russia – something that, if brought to the public, would surely cause an outcry against those responsible. With active targeting of plaintext communications, it could spell more than trouble for any reporter willing to talk to an activist over Sochi WiFi. Last year, Reporters Without Borders ranked Russia 148 out of 179 countries on the Press Freedom Index, very close to the worst.

There is a possibility snooping through digital means has even had an impact on a key member of our very own DoS, through a conference call that included Assistant Secretary of State for European Affairs Victoria Nuland. A video recently surfaced on YouTube containing audio from Secretary Nuland in which she is heard saying “..fuck the EU.” while talking about developments and strategies concerning Ukraine. Soon after the audio was spread across the web, U.S. officials furiously claimed the conversations were intercepted by Russian hackers, which was quickly denied by an aide to the Deputy Prime Minister of the country, Dmitry Rogozin. While we don’t have verification of who the actual culprit is (yet), Russian involvement does seem to be within the realm of possibility. Or should we be more surprised that the conference was intercepted in the first place and not properly secured?

There are those who have come somewhat prepared, however, understanding the widening landscape of eavesdropping threats. Two of the Philadelphia Flyers’ physicians are one example. Peter DeLuca and Gary Dorsheimer are working as medical representatives for the Olympic Men’s U.S. Hockey team, and have been taking appropriate precautions. Their phones – probably full of both personal and patient/athlete data – have been left at home, and they were issued “clean” new phones to be used in Sochi. The physicians are worried that someone could intercept their communications regarding the health (or lack thereof) of certain U.S. players, and that these could be provided to another team to use as an advantage in the games.

Hopefully others in delicate positions are taking steps similar to these. But hey, we can’t all afford brand new “clean” phones to use for a couple of months. But did you notice how I mentioned encryption earlier? We could all do ourselves a favor if we would “Trust the math”, as Bruce Schneier would say. Encrypting every bit of data and communications possible on mobile phones and laptops with the appropriate tools is the second best bet. Second to leaving them off with their batteries out, or at home.

But what’s there to be done when you’re being watched in your hotel shower? And who knows where else? So while Twitter giggles itself through the day over jamming hotel doors and other #SochiProblems, there are darker deeds being done that deserve more than a hashtag’s notice. Though many of these instances of unjustifiable surveillance have gone unverified, questions must be asked regarding possible serious privacy violations.


We Need to Talk About Commercial Drones.

On Sunday, December 1st, 60 Minutes featured a story on Jeff Bezos, Amazon founder and CEO, and his plan to introduce drone-based delivery of packages by 2015. Through the interview, Charlie Rose and Bezos talked gleefully about how the new technology will ‘change the game’ of the delivery enterprise. While Bezos explained that the drones planned as delivery makers were created to be ‘autonomous’ – not controlled by human hands – and will find their delivery points by logging GPS coordinates, he admitted that perhaps the most worrisome aspect of the system is the idea of drones suffering failures and landing on unsuspecting people, causing serious damage. He briefly touched on this in the interview:

“This thing can’t land on somebody’s head as they’re walking around the neighborhood, that’s not good.”

He reassured Rose and the viewers that ‘years of additional work’ is needed in order to ensure that the delivery drones are safe and reliable.

The fact is, general domestic drone (UAV) use is nothing very new. It’s a very quickly growing hobby, and looks to become quite the delivery gimmick, with corporations already making plans to follow suit with Amazon’s utilization. There is the ‘Burrito Bomber‘ for one, a UAV created to target the location of your phone as you make an order from it, and drop your freshly-made burrito off without having to wait through traffic. Or InventWorks and Boulder Labs, who plan on producing drones for farmers to use in order to control invasive plants and watch over their livestock. There will surely be more to come, but the issues that might affect people beyond these businesses don’t seem to be stated often enough.

——-

CRASHING:

These ideas and implementations may sound fun and quirky to most; however (as even Bezos acknowledges), these small drones do crash. And they crash quite often. Perhaps this is due to the fact that the person (or program) piloting the machine isn’t as cautious in terms of flying, since they are not at any risk of hurting themselves in the process. There is also the factor of sight. UAVs are operated from screens; your computer, your tablet, or even your cell phone. Visuals from flight are limited, and can even go black at times, increasing the chances for error and an eventual crash.

It will be interesting to see just what kind of programming lies beneath the ‘autonomous’ guidance system Amazon plans to implement within its delivery drones… that is if they ever release any of it to the public. We should all hope that there are rigorous measures taken by the engineers and developers behind the delivery drones, both for our parcels and – more importantly – our houses.

HACKING:

Crashing isn’t the sole worry that will have you listening for humming from the skies. Just like every newly emerging technology used in its early years, drones are going to have their bugs and/or exploits.

Meet SkyJack, a DIY Raspberry Pi-based drone with a program hellbent on taking control of your popular Parrot drone. Creator Samy Kamkar elaborates on his website:

SkyJack is a drone engineered to autonomously seek out, hack, and wirelessly take full control over any other drones within wireless or flying distance, creating an army of zombie drones under your control.

SkyJack can be easily downloaded from both Kamkar’s webpage for the project and his Github page. The type of drone that this hack is unleashed upon is one of the more popular ones, making this zombie attack a serious problem. There will also surely be more of these exploits unleashed into the wild, especially for drones that rely upon WiFi and Bluetooth connectivity.

SPY GAMES:

Most drones come complete with functional cameras that can be monitored from remote locations, and the ones that don’t can easily be altered to carry such devices. This obviously creates a privacy issue.

There are already several corporate surveillance institutions determined to use drones to their advantage. There is also the issue of leaps in the development of smaller drones, some disguised as birds to avoid raising suspicion.

As the Electronic Frontier Foundation points out in a recent article on drone policy, transparency should be paramount:

While we appreciate the steps the FAA has taken so far, the agency could and should go further to require similar transparency from all drone operators. The FAA has already authorized almost 1,500 permits for domestic drones since 2007, but, despite our two Freedom of Information Act lawsuits for drone data, we still don’t know much about where these drones are flying and what data they are collecting.

There have already been a few companies offering drone-based surveillance services across the globe, and if these companies show success, it is presumed that U.S. corporations that monetize snooping will surely look to the skies in optimizing their abilities.

——-

Congress has required that the FAA create, by September of 2015, a set of rules to regulate drones in order for them to safely fly through U.S. skies. Here is the FAA’s ‘Modernization and Reform Act of 2012‘.

Sure, drones aren’t whizzing by us too often at this point in time, but instead of holding our breath for a couple of years – before the guidelines for commercial drones are clearly laid out – we should be asking ourselves these questions and drilling companies who plan on using drone technology, whether it’s for surveillance, advertising, or even delivering a burrito. The regulations on these machines and the entities controlling them must keep public safety and the right to privacy as the priority, and public education along with an airing of any grievances regarding the subject is the best way we can attempt to achieve this.
