PrivacyGroup

This page is an effort to maintain an updated collection of important work on privacy. Recommend stuff from this page? Link to us!

Hooray! 100K views

Calendar

Events in this calendar are to privacy-related events. Click an event for more details, and links.

News

The new TIA Office

• Breach of Amadeus affecting millions of airline travelers. NEW
• Londoners on the perpetual line-up -- Being "in public" seems to have an evolving meaning. See also the US.
• Report on the mistakes leading to the Equifax breach of 148 M records -- From the House Committee on Oversight and Government Reform. Makes you wonder if banks (and others) might compete on being less profligate "furnishers" to CRA's---maybe discriminating among CRAs by their security and privacy practices (Equifax got 0 out of 10 for these from the financial index provider MSCI here). I'd prefer a bank that did that.
• AI Now Institute issues an "urgent warning" about privacy threats from AI. -- The article and warning are problematic, but there is this bright spot from the news article on it: "'artificial intelligence' — an umbrella term that includes a myriad of both scientific attempts to simulate human judgment and marketing nonsense"
• McSweeney's End of Trust issue is available free from the EFF (but do support them for creating this great work)!
• Tim Berners-Lee's Solid project is maturing; there is now a start-up (Inrupt) developing it
• Google's deceptive location tracking under investigation by the AG in Arizona.
• California joins Illinois as among the most privacy-protective states in the US.
• IEEE is also against exceptional access
• Big privacy win in Carpenter v. U.S.
• James Clapper and James Comey make appearances to promote their books. Jim Comey is on Conan, James Clapper is on 1A on NPR (44:10 is funny), and All Things Considered on NPR.
• Spate of leaks: Grindr (which, with OPM breach, could lead to blackmail of government employees, not unlike Ashley Madison); Panera Bread; Facebook; Myfitnesspal. Consider giving an alias rather than a real name to services online (which is perfectly legal, as long as you don't use it for fraud), spamgourmet.com for addresses, privacy.com for credit cards
• Privacy fundraiser underway where DuckDuckGo will match donations!
• Mixpanel analytics, present on a zillion sites, takes in passwords on some of them
• Carpenter v. US, a SCOTUS case in which the government is arguing that owning a cell phone means your physical movements can be tracked, is now underway.
• Extent of AT&T is greater than expected (billions of emails, all communications at the UN headquarters, 1.1 billion domestic call records per day, etc.). This is all from further study of the Snowden revelations, it looks like.
• European court of human rights to rule on UK surveillance. -- Includes claim that only "sentient examination" of data violates privacy. See the NSA on 'collection' for a similar argument.
• Arbitrary code execution on the Intel Management Engine, probably! (talk is upcoming)
• DoJ says it wants to take tougher measures with technology companies whose encryption is not backdoored -- The measures they plan to take are not specified. Negotiation hasn't worked, they say.
• DHS plans to collect social media info on all immigrants, including naturalized citizens and green-card holders
• ISO rejects NSA crypto.
• Equifax loses trove of highly sensitive data
• CIA head Mike Pompeo wants bulk metadata collection back
• Germany considering fingerprinting children and spying on personal messages.
• GnuPG is running a fundraising drive. Give them a little money; their product helps people all over the world!
• US ISPs can now sell data that their subscribers send across their lines. Oh well; we should buy the records of our members of congress to thank them
• Lavabit returns. How does it compare to protonmail, or mailpile? Let me know; I haven't looked into it.
• All US visitors from Muslim majority countries soon may have to give up social media passwords to enter Given rapidly eroding rights at the border, everyone should see what you can do at the link in this section below
• WhatsApp has an in-effect-backdoor by default. The justification for failing to provide security by default is that "otherwise people might not use it," ignoring that run-of-the-mill users of WhatsApp might falsely believe that promises of end-to-end encryption for their messages means that those messages cannot be intercepted.
• Google and government, via the Google Transparency Project. Google lobbies to influence policy to reduce consumer privacy. This article also discusses the NSA-Google relationship.
• Riseup warrant canary expires, Riseup is alerted, but the canary is not updated.
• FBI now can compromise computers outside the jurisdiction of the court issuing the warrant, including overseas.
• Trump pick for CIA head, Mike Pompeo, says in the Wall Street Journal that "the use of strong encryption in personal communications may itself be a red flag" that a person is a terrorist.
• Extreme surevillance via "Snooper's Charter" is now law in the UK. Among other things, requires internet providers to log websites that their customers connect to.
• FCC requires customer opt-in for ISPs to share "sensitive data", opt-out for "other" data. Previously there was no regulation)
• be wary of dictionary sites (dictionary.com, merriam-webster.com). They have high concentrations of trackers -- Part of the "What they Know" coverage in the Wall Street Journal.
• Tucson Police Department has a "Freedom on the Move" Camera, uses it to monitor anti-islamophobia protest on U. Arizona campus (By Tucson-based Strongwatch)
• James Comey tapes his laptop camera, thus creating a "warrant-proof camera."
• Head of FTC won't use fitbit b/c of privacy worries
• Cybersecurity Sharing Act added at the last minute to a 2K page omnibus spending bill
• police and drone use in Baltimore
• U.N. Report on Encryption as a right. "... [T]he present report examines two linked questions. First, do the rights to privacy and freedom of opinion and expression protect secure online communication, specifically by encryption or anonymity? And, second, assuming an affirmative answer, to what extent may Governments, in accordance with human rights law, impose restrictions on encryption and anonymity?"
• CMU study supports that Google cannot police abuse of its ad system, resulting in violation of privacy
• CEO of Hacking Team interviewed on BusinessInsider

Tools help

People often tell me they are unsure about which privacy-enhancing technologies to use, and how to set them up. Here are some suggestions.

secure hardware elements

• Set up FIDO U2F NEW
• Set up an OpenPGP smartcardNEW

operating systems

• Qubes ...OK, not an OS... (also here is a brief description of getting wireless networking working)
• Tails

censorship resistance

• Psiphon - I don't know how good this is yet. Here's a contributor talking about it at the latest CCC. NEW

• Lantern - I don't know how good this is yet
• Tor (see below)
• Mullvad VPN -- A good vpn (vpn review sites coming soon)
• OpenVPN's latest version was audited, which helps with trustworthiness -- If you run your own VPN (which is easy), this is a good reason to make sure you're using 2.4.2 or better (I had to compile from source, as the packages aren't up to date).

anonymous browsing

• Set up an alias, with associated accounts. This is perfectly legal as long as you don't use it for fraud, as Julia Angwin notes in her article for Consumer Reports.
• Tor -- I suggest subscribing to the RSS feed of the blog of the Tor project to be sure you stay up to date. The hardened version of Tor has been discontinued; the Tor project recommends moving to the sandboxed version for increased security. As of Tor 8.0, the sandboxed Tor is no longer a separate thing; download the experimental version (>8.0) to get the benefits.
• Also who uses Tor?

browsers

• Tor Browser for everyday Use a second installation of the Tor Browser for everyday browsing without connecting to tor. Very actively maintained (better than regular FF); works great.

• Why not Chrome/Chromium? -- It does have a sandbox, but it is also the most privacy invasive browser (of the major ones). Also Google controls the extensions for it, and they are sometimes unjust.

browser tools

these all work with Tor Browser, Icecat, or (vanilla) Firefox.

• Random Agent Spoofer (blocks a variety of fingerprinting attacks)
• RequestPolicy (By Justin Samuel and Beichuan Zhang, of University of Arizona!)
• NoScript
• PrivacyBadger (EFF)
• Self-Destructing Cookies
• HTTPS Everywhere (EFF)
• BetterPrivacy (removes LSO's -- supercookies -- which survive normal cleaning of cookie cache)
• decentraleyes - runs CDN scripts locally, rather than using remote CDNs (which is trackable)
• Privacy Settings (the plugin) -- Gives quick access to useful privacy settings in the browser, with toggle switches.
• Update Scanner -- Useful for watching privacy policies for changes (since that is your obligation, as a continuing user of the site. Often such changes are not highlighted; only a new version is posted).

testing for problems

• Check whether you have "safe browsing" features turned on. -- Firefox sends 32-bit prefix hashes of your URL to Google as a "safety" measure. I don't recommend using this (and related) features, since the problem with Google is bigger than the security one this mechanism is trying to solve. So if you get a warning visiting this page, investigate how to turn off "safe browsing" features here.
• new fingerprint checker, targeting Tor users in particular
• new fingerprinting technique Uses AudioContext and getClientRects. Recommended defense is NoScript.
• panopticlick
• browserleaks
• dns leak test -- Test whether you're leaking DNS information while on your VPN, and fix it

facial recognition

• Facial Weaponization Suite - More privacy protest than technical countermeasure. "Collective masks" from aggregated face data of participants in workshops. NEW
• Hyperface Much like Glamouflage, designed to drive up false alarms in facial recognition. Update: available in August. Delayed, with no deadline given
• Reflectacles try to ignore the goofy promo. video :-)
• Privacy Visor - Can be purchased by emailing this address at Nissey Co., Ltd.
• CV Dazzle
• Glamouflage
• Flashback

other tools

• Keep your PGP keys up to date, privately -- Parcimonie updates your keyring over tor (catching revocations and expirations), at random intervals. It leaves open a connection to tor for a long time, so you may want to run it as a cron job and kill it after some interval. NEW
• anonymize scanned printouts from printers using tracking dots. From TUD, where lots of useful privacy tools have been created (kudos)
• Protecting against baseband firmware backdoors, and provider backdoors-- A little outdated, but still full of good stuff. This is a comprehensive approach; for specific tools see below. EDIT: RIP Copperhead OS.
• Silence SMS/MMS. Recommended
• Noise is just like Signal, but without the hard dependency on Google Play Store. It is therefore better! But Silence is better still...
• Get an RSS feed reader to keep up to date on privacy-related sites. For example *cough* subscribe to the PrivacyGroup's feed (It's good to use a secure RSS reader. For mobile there is Courier from The Guardian Project).
• Youtube-dl -- Downloads a variety of streaming formats -- not just for youtube! Can be used with torify (see below) to anonymously view streaming video/audio that otherwise compromises privacy (e.g., flash). Note the version in packages is often not up to date--install the latest with pip to get a version that actually works.
• Torify -- A SOCKS proxy to the Tor network, and a wrapper to use it, so you can e.g. look up GPG keys, or perform WHOIS queries, anonymously.
• Get a GPG key
• installing the latest GPG
• Get a Gnuk token! -- Good way to do encryption in a protected dedicated device. You can buy them, or build them yourself
• secure SSH
  • Using gpg-agent instead of ssh-agent

Other Sites with Tools for Protecting Your Digital Rights

• Blog post on maintaining your privacy at the border.
• you broke the internet, we'll build a gnu one
• EPIC privacy-related tools
• Surveillance Self Defense (EFF)
• Opt out of datasharing by Whatsapp before the deadline! NOTE: Whatsapp allows your messages to be intercepted without your knowledge. See #News above.
• Center for Digital Society and Data Studies -- UA's center emphasizing digital rights.
• Tactical Technology Collective -- Toolkits and guides for digital security and privacy. Includes guides for Human Rights defenders. Security-in-a-box toolkit has a few inclusions that could be improved, including unhardened Tor, and Firefox rather than Icecat.
• Access Now Defending and extending digital rights of at risk users around the world.

Tools for Making Consent to Privacy Policies More Informed

• PrivacyPal, Automated Privacy Policy Parsing
• RAPPOR for privacy-preserving stats

Why care about privacy?

• Little talk on privacy that David gave to a class here at the University of Arizona
• 5 min recorded presentation David gave to local businesses on why they should care about privacy
• DoNotTrack documentary
• Why privacy matters
• Maciej Ceglowski's excellent talk
• it could happen to you, congress
• MLK Jr. and the history of bulk surveillance of people of color
• a few other reasons to care about privacy

Anonymity

• Guest lecture David gave on anonymity at The University of Arizona

Giving up privacy

• We must have been wrong about Google and Facebook all along -- On all the privacy-related organizations that accept support from companies whose business model relies on surveillance. NEW
• Americans say they want privacy, but act as if they don't
• The End of Privacy on NPR
• Atlantic article on an Arizona man whose anti-privacy views lead him to share everything, including passwords to email, banks, etc.
• Londoners give up their first born in agreeing to privacy policy
• Ai Weiwei, Privacy, and the future of surveillance
• Article in Science, 'Privacy and Human Behavior in the Information Age' -- By Laura Brandimarte, of U. Arizona (et al)! Reviews of multiple topics in privacy including (esp. relevant to this section) why people who profess to care about privacy nevertheless act as though they don't (the "privacy paradox").

How universities can help

• Don't break Tor and tell the FBI before telling the Tor project
• boingboing on online privacy and libraries
• NSF "Dear Collegue" letter on privacy-related research
• Tor exit nodes list. Note the universities hosting! (MIT, UMich, BU, ...)

Videos

• Older video of Mike Rogers, then-Chairman of the House Permanent Select Committee on Intelligence, explaining that if you don't know your privacy was violated, it wasn't.
• Soghoian (erstwhile technologist at the ACLU) on the privacy implications of endpoint hacking
• Social media information given at the border accessible via very insecure PSN -- Video from latest CCC shows the terrible security of airline travel information. In the QA (but the whole video is very interesting) it is said that social media information gathered at the border for travellers to the US on visitor visas is linked to PSNs, which are horribly insecure. UPDATE (16 Jan.) -- A big breach at Amadeus. NEW (related)
• A series of privacy talks recently ended at The University of Arizona. UPDATE: you may need to download the files and play them locally, if your browser complains about playing them. Cached copies of
  • Privacy and Health (comments here),
  • Privacy and the Media ( comments here), and
  • Privacy and Commercial Data Collection (comments here).
• Snowden talked in a startpage.com-hosted interview in the Netherlands about privacy after the election of Trump in the U.S.; his pardon Mirrored here locally, so you can jump around the video (originally live-broadcast)
• Edward Snowden came to the UA to talk privacy with Glen Greenwald and Noam Chomsky. I mirrored the video, originally available only via flash. This is audio only.
• Edward Snowden discusses removing mounted microphones and cameras from cellphones, excesses of U.S. intelligence

Miscellaneous

• Two Arizonan lawyers' role in the history of spam
• A thorough, well-executed study of web tracking (updated monthly?). Worth a look.
• Electronic Frontier Foundation's list of printers that produce tracking dots
• ProtectionOfHumanSubjects
• Privacy Bibliography
• A review of the off-Broadway play 'Privacy', with Daniel Radcliffe
• Several years on, Edward Snowden takes stock in an interview with Der Spiegel

Privacy theme music!

• Mejores Dias (Better Days) Stego used to encourage hostages of FARC. "Escucha este mensaje, hermano." Followed by "19 people rescued. You are next. Cheer up" in Morse code (1:29 - 1:52) NEW
• A recent edition of Under Surveillance! Great radio show NEW (18 Jan 2019) (click the link for older ones, too)
• Octopus's Garden (Raffi version)
• Somebody's Watching me (Rockwell)
• 3:7:8 (Emergency Broadcast Network, or EBN)