Monthly Archives: December 2011

GoDaddy, The Stop Online Piracy Act (SOPA) and Privacy Tips for 2012

As 2011 comes to a close our thoughts move to 2012 and what it has in store for us. Leaving aside the customary resolutions to diet and do better, we should each take a moment to consider the digital footprint we left in 2011 and how we can better protect our privacy (and the privacy of our families) during 2012. The coming year will see greater battles for online privacy than any previous year. Social networking will continue to dominate and I predict that there will be at least two major online privacy scandals during the next twelve months.

The legislative outlook is bleak for 2012. The U.S. House Committee on the Judiciary is currently considering the Stop Online Piracy Act (SOPA), or H.R. 3261 as it is officially known. Although the act is well intentioned (in that it wants to stop piracy), the act is badly put together. Its broad language allows almost any attempt by a private individual to protect his or her online privacy to be treated as an attempt to cover illegal activities. Today, GoDaddy announced it was withdrawing its support for SOPA in response to a boycott urging users to migrate away from the domain name registrar. GoDaddy now joins a long list of those objecting to SOPA. Earlier this year Google, Facebook, Twitter, eBay, Mozilla, Yahoo, AOL, and LinkedIn wrote a letter to important members of the U.S. Senate and House of Representatives, saying SOPA poses “a serious risk to our industry’s continued track record of innovation and job creation, as well as to our nation’s cybersecurity.” The European Parliament has also adopted a resolution stressing “the need to protect the integrity of the global Internet and freedom of communication by refraining from unilateral measures to revoke IP addresses or domain names.”

While the politicians blunder about, there are many things that each individual can do, so here are our top privacy tips for 2012:

  • Time to change your passwords. Been using the same password for the last few years? It is time to change. Your password is the single barrier between you and online criminals. Should they manage to break into your email, eBay or PayPal accounts (not to mention any online financial services you use) they will be able to duplicate your identity as well as steal money from your accounts. Make sure your passwords are strong and contain more than just letters (e.g. good passwords contain letters, numbers, and symbols).
  • Shut down any unused accounts. Did you sign up for a website or service in 2011 that you don’t actually use? Close the account. Unused online accounts are a liability and could be used by hackers as a stepping stone to your more important accounts.
  • Become more unfriendly! The “problem” with social networks is that everyone wants to be your friend. Do you really want an ex-colleague from a place where you worked 10 years ago to see your family photos? The pressure is to accept all and any friend invitations. Don’t. Go through your list and remove anyone that isn’t close or can’t be trusted 100% with your holiday snaps.
  • Start 2012 with the aim to minimize personal information sharing. Only fill in the mandatory fields on any web form. Many forms ask for lots of unnecessary information, but only certain fields are mandatory (normally marked with an asterisk). Don’t trust websites with your personal information (just look at the mess Facebook has made of its users’ privacy). Don’t give more information than needed.
  • Make sure your online shopping is encrypted. Make sure you are using the latest version of your web browser and check that you are using a secure site if you need to enter your credit card details. Look for a padlock symbol in the bottom right of the browser window and check that the website address begins with ‘https://’. Modern browsers (like Chrome and Mozilla) support Extended Validation SSL Certificates, and the address bar will turn green when you are on a secure site.
  • Beware of identity theft attempts during 2012’s big events. There are lots of big global events scheduled for 2012 including Super Bowl XLVI, the London Olympics, and the 57th US presidential election. It is “traditional” for cyber criminals to launch phishing scams during these events. Beware of bogus retailers set up for identity theft attempts or email scams that contain links or attachments which take users to malicious websites or spread malware.
  • Enhance your PC’s security. Use privacy tools like Hide My IP, Cookie Crumble and Firewall Fortify to protect your online privacy. You should also strongly consider using a virtual private network (VPN) like FoxyVPN.

Download Files Via BitTorrent Anonymously

Downloading files via BitTorrent has its legitimate as well as illegal uses. Many companies like Ubuntu offer their files via BitTorrent, but at the same time it must be recognized that BitTorrent is also used to share files which infringe copyright laws.

For the uninitiated, BitTorrent is a peer-to-peer download network that uses the computers of hundreds (if not thousands) of individuals to share a file. To download the complete file, different chunks are grabbed from all the different computers that are sharing the data. This way it spreads the load away from traditional download servers to individual PCs and increases the potential bandwidth available. To use it, a BitTorrent client needs to be installed on your PC (there are multitudes of variations available for Windows, Mac and Linux).

However, all this sharing isn’t anonymous. As chunks of files are downloaded, records are kept about who has which chunk so that other computers can connect and have it passed on. It doesn’t take too much imagination to realize that a fake BitTorrent client can connect to the network and see who is sharing what. In fact the entertainment industry has been doing just that for years now. However, this information has never really been readily available as an easy-to-search index. Until now, that is.

Youhavedownloaded.com is a new website which lists all your recent BitTorrent downloads for everyone to see. The site can’t track every single file being downloaded on the Internet, however it has managed to collect data on nearly 2,000,000 files downloaded by over 53,000,000 users.

“We just want to remind people that the Internet is not a place to expect privacy,” said Suren Ter-Saakov, one of the brains behind the site. “Nowadays many people use it without understanding what information they leave behind. Also, even those who understand choose to ignore it quite often.”

The site’s biggest failing, however, is with regards to dynamic IP addresses. Many Internet providers give users a modem which gets a different dynamic address each time it connects to the Internet. If the modem is switched off (for example at night) then the next time it connects it will have a different address.

When asked about this Suren Ter-Saakov responded: “We don’t bother ourselves to separate dynamic IPs. The site is just for show. However we have time-stamps. 3.3.3.3 might be a dynamic IP – however it belonged to a certain person at 12:12am 12/12/2011.” The implication is that together with the records from an Internet provider the exact user of any given address at any given time can be discovered.

So the key question of course is: how can you download using BitTorrent without having your IP address recorded, tracked and displayed for everyone to see?

The answer is simple. Use a virtual private network (VPN) like FoxyVPN. A VPN is a special way to connect to the Internet by creating an encrypted link from your computer to a server on the Internet. All network traffic from your PC will go out onto the Internet via the remote VPN server. This means that all your web surfing, emailing and downloads using services like BitTorrent will appear as if they come from the VPN server and not your PC. This means that any data stored on the BitTorrent network will show your VPN provider’s address while you remain anonymous. In fact your Internet service provider won’t even be able to tell what you are doing on the net.
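To make the post’s point concrete, here is an added example (not code from the original post or from any site it mentions) that models the join described above: a timestamped sighting of a dynamic IP is matched against an ISP’s lease records, while a sighting from a VPN exit address resolves only to the VPN provider. The lease records, account names and the 203.0.113.0/24 VPN block are all constructed for the example.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample data for this example; not records from the post or any real ISP.
# ISP DHCP lease log: which subscriber account held which dynamic address, and when.
ISP_LEASES = [
    {"ip": "3.3.3.3", "subscriber": "acct-1001",
     "start": "2011-12-11T22:00", "end": "2011-12-12T06:30"},
    {"ip": "3.3.3.3", "subscriber": "acct-2042",
     "start": "2011-12-12T07:15", "end": "2011-12-12T19:00"},
]

# Address block used by a hypothetical VPN provider's exit servers (documentation range).
VPN_EGRESS = ip_network("203.0.113.0/24")


def _ts(stamp):
    """Parse the compact ISO-style timestamps used in the sample records."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M")


def lease_holder(ip, seen_at, leases=ISP_LEASES):
    """Return the subscriber that held `ip` at `seen_at`, or None if no lease covers it.

    This is the join the post describes: a timestamped sighting of a dynamic
    address becomes a named account once the ISP's lease records are consulted,
    so a changing address on its own gives no anonymity.
    """
    t = _ts(seen_at)
    for lease in leases:
        if lease["ip"] == ip and _ts(lease["start"]) <= t <= _ts(lease["end"]):
            return lease["subscriber"]
    return None


def attribute_sighting(ip, seen_at, leases=ISP_LEASES):
    """Classify one (ip, timestamp) record as an index like youhavedownloaded.com would hold it."""
    if ip_address(ip) in VPN_EGRESS:
        # The record points at the VPN exit; the user's own ISP never sees the torrent traffic.
        return "vpn-provider"
    return lease_holder(ip, seen_at, leases) or "no-lease-match"
```

The VPN case resolves to the provider rather than a subscriber; whether that provider keeps its own connection logs is what then decides how anonymous the user really is.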

Facebook and the Myth of Passive Online Privacy

It is unusual for me to write two posts back to back about Facebook, but the events of this week mean I am obliged to write a second Facebook post. Last week’s post ended with comments from Facebook’s founder Mark Zuckerberg where he pointed out that it is normal to be skeptical about Facebook’s role in how hundreds of millions of people share their personal information online. “Even if our record on privacy were perfect, I think many people would still rightfully question how their information was protected,” he said.

It looks as if those comments have come back to haunt Zuckerberg, as this week photos from his private photo collection were posted online. The problem was entirely Facebook’s. It wasn’t an issue of a stolen, lost or hacked password. The very complex software which runs the site was updated and in doing so it allowed normal users to see other people’s private photos.

Although Facebook quickly fixed the mistake, don’t think for one second that this is the last time private information will be exposed online – on Facebook, or anywhere else, because it will.

Online privacy isn’t passive
Security and privacy aren’t passive in the real world and equally they aren’t in the online world. Nobody leaves their house unlocked and doors open and then hopes that a thief doesn’t break in. No one goes to the park and puts their money, cell phone and car keys on a bench and then goes for a walk around the park hoping nobody will take their money (and phone and probably car too). At home and out in the world we are all active in protecting ourselves, our families and our property. Internet users need to be active about privacy.

Myth
Users seem to have an undiscriminating trust for web sites. Like the old adage, “don’t believe everything you read”, don’t trust the Internet with your personal and private data. Just because a site is big or popular doesn’t mean it won’t leak (intentionally or unintentionally) your private data onto the Internet. The good news for Mark Zuckerberg was that there were no embarrassing photos of him found. However family photos are private. Mark trusted his photos to his own service and his own service failed to protect his data.

Passive online privacy is at best a myth. To stay safe online you need to be active:

  • Think before sharing any private information – from personal details like your address, phone number and SSN details to photos, video clips, financial information and documents.
  • Be discriminating about how and with whom (meaning websites as well as people) you share personal information.
  • Be vigilant in using the different privacy controls available.
  • Use privacy tools like Hide My IP, Cookie Crumble and Firewall Fortify to protect your online privacy.

2011 has seen several major high-profile security breaches at trusted companies like Sony, Citigroup and PBS. In Sony’s case, hackers stole the personal information of over 100 million registered users of its online gaming services including the PlayStation Network (PSN).

Be active not passive. Don’t leave yourself exposed.

Facebook Settles With FTC Over Deceptive Privacy Claims

The United States Federal Trade Commission (FTC) and Facebook have announced their proposed privacy settlement over complaints brought against Facebook that it deceived its users. In the complaint the FTC says that Facebook told its users that they could keep their information on Facebook private, and then repeatedly allowed it to be made public.

The FTC launched an investigation into Facebook as part of its ongoing effort to make sure that online giants like Facebook, Twitter and Google honor the privacy promises they make to American consumers. The original complaint outlined eight counts against Facebook saying that the social networking site’s privacy claims were unfair, deceptive, and violated federal law.

The FTC complaint listed a number of examples where Facebook made promises that it did not keep:

  • In December 2009, Facebook changed its website so certain information that users may have designated as private – such as their Friends List – was made public. They didn’t warn users that this change was coming, or get their approval in advance.
  • Facebook represented that third-party apps that users installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users’ personal data – data the apps didn’t need.
  • Facebook told users they could restrict sharing of data to limited audiences – for example with “Friends Only.” In fact, selecting “Friends Only” did not prevent their information from being shared with third-party applications their friends used.
  • Facebook had a “Verified Apps” program and claimed it certified the security of participating apps. It didn’t.
  • Facebook promised users that it would not share their personal information with advertisers. It did.
  • Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
  • Facebook claimed that it complied with the U.S.-EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn’t.

As a result of these complaints the FTC put together a strongly worded proposal which Facebook has accepted: “IT IS ORDERED that Facebook and its representatives, in connection with any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which it maintains the privacy or security of covered information.”

Under the proposed settlement Facebook must get approval from its users before it changes the way it shares their data, and must obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years.

The settlement also states that Facebook must establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers’ information.

In response to the settlement Facebook’s founder Mark Zuckerberg wrote “I’m the first to admit that we’ve made a bunch of mistakes. In particular, I think that a small number of high profile mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we’ve done.”

He also points out that it is normal to be skeptical about Facebook’s role in how hundreds of millions of people share their personal information online. “Even if our record on privacy were perfect, I think many people would still rightfully question how their information was protected,” he said.