.net programming, computers and assorted technology rants

Posts tagged “Privacy”

NSA scandal delivers record numbers of internet users to DuckDuckGo

Courtesy Charles Arthur, theGuardian.co.uk


Gabriel Weinberg, the founder of DuckDuckGo, who says search data ‘is arguably the most personal data people are entering into anything’.

Gabriel Weinberg noticed web traffic building on the night of Thursday 6 June – immediately after the revelations about the "Prism" programme. Through the programme, the US’s National Security Agency claimed to have "direct access" to the servers of companies including, crucially, the web’s biggest search engines – Google, Microsoft and Yahoo.

Within days of the story, while the big companies were still spitting tacks and tight-lipped disclaimers, the search engine Weinberg founded – which pledges not to track or store data about its users – was getting 50% more traffic than ever before. That has gone up and up as more revelations about NSA and GCHQ internet tapping have come in.

"It happened with the release by the Guardian about Prism," says Weinberg, right, a 33-year-old living in Paoli, a suburb of Philadelphia on the US east coast. "We started seeing an increase right when the story broke, before we were covered in the press." From serving 1.7m searches a day at the start of June, it hit 3m within a fortnight.

Yet you’ve probably never heard of DuckDuckGo. "If you asked 100 people, 96 would probably think it was a Chinese restaurant," as the SFGate site observed. (The name comes from the children’s game DuckDuckGoose, a sort of tag involving seated players.) You won’t find it offered as an alternative default search engine on any browser, on desktop or mobile. Using it is very definitely an active choice, whereas using Google is the default option on most browsers. And 95% of people never change the default settings on anything.

But this 20-person business offers what none of the big search engines do: zero tracking. It doesn’t use cookies or store data about its users’ IP addresses, doesn’t offer user logins, and uses an encrypted connection by default. (Google provides an encrypted connection for logged-in users, but not automatically for non-logged in users.) If the NSA demanded data from DuckDuckGo, there would be none to hand over.

Weinberg, who lives with his wife and two sons, did not build his search engine with that intention. The initial idea came after selling his previous startup, Opobox ("a sort of Friends Reunited"), for $10m (£6.7m) to Classmates.com in 2006. "My wife was doing her PhD, so I had some spare time," he says. Taking a class in stained-glass making, he discovered that the teacher’s handout with "useful web links" didn’t tally with Google’s results at all. "I realised that there were millions of people who knew the right list of search terms and would make a better engine than Google."

Then he noticed growing amounts of junk sites in Google results – pushed there by experts who had gamed the giant’s algorithms. He decided that by hooking into web services such as Wikipedia, Yelp and Qype, he could get focused answers cheaply. By using a combination of those services and crowdsourced links, he built the site’s first search index.

Of the privacy angle, he says: "I kind of backed into that." It wasn’t a political decision, but a personal one. "It’s hard to define my politics. I take every issue seriously and come to my own conclusion. I don’t really feel like I belong to any political party in the US … I guess I’m more on the liberal side."

The reason he decided not to store search data was because it reveals so much about us. In 2005, AOL accidentally released details of searches made by 650,000 of its users via Google; reporters from the New York Times were able to use the information to identify one of the users: a 62-year-old woman in Georgia. Nowadays Google would also have your IP address (indicating your ISP and perhaps precise location) and, if you were logged in, all your previous search history. If you logged in to use Google on your mobile, it would have your location history too.

Having decided that searching is intimately personal, he deduced that governments would want to get hold of search data. "I looked at the search fiascos such as the AOL data release, and decided that government requests were real and would be inevitable, and that search engines and content companies would be handing over that data [to government] in increasing amounts."

Search data, he says, "is arguably the most personal data people are entering into anything. You’re typing in your problems, your desires. It’s not the same as things you post publicly on a social network."

So why does Google store it? "It’s a myth that Google needs to store all this data about you. Almost all the money they make on search is based on what you type into the search box. Nothing more. They need to track you for their other services – Gmail, YouTube – because those are hard to monetise, and that’s why you get ads following around the internet all the time." (Google owns DoubleClick, the largest display ad supplier online.)

DuckDuckGo web searches

Having your data passed around can also lead you to be charged more for an item: if your browsing history shows you visit high-end sites, some sites will increase prices. (That’s why plane fares can drop if you delete the "cookie" files in your browser.)

Google’s mis-steps are turning out to be DuckDuckGo’s biggest source of new users. In January 2012 – when Google announced that it would be aggregating user data across all its services – DuckDuckGo’s traffic (which it publishes online) trebled in three months. Once Google implemented the change, "people came and stayed; it wasn’t just a rise and fall," Weinberg says.

More recently, the Prism fallout has seen traffic keep rising, building on that success. "I think these people are going to stay too."

He wasn’t that surprised at the Prism revelations. "A few months ago 60 Minutes did a programme about this humungous data centre the NSA is building in Utah. After hearing that, this didn’t surprise me that much. But it did surprise me how much we have increased our traffic."

Even so, not everyone believes Weinberg’s success matters much. Danny Sullivan, who runs the Search Engine Land site, and has been analysing the search business since Google was just a gleam in the eyes of Larry Page and Sergey Brin, argues that DuckDuckGo’s size really indicates people don’t care about privacy.

"Don’t get me wrong. If you ask people about search privacy, they’ll respond that it’s a major issue," he wrote on his site. "Big majorities say they don’t want to be tracked nor receive personalised results. But if you look at what people actually do, virtually none of them make efforts to have more private search." Compared with the 13bn searches Google does every day, he suggests, DuckDuckGo’s 3m daily (90m monthly) barely registers.

Is that because people don’t know it exists? Is it like Google in 1998, when the dominant search engine was Altavista (closed this week by Yahoo)? "I don’t think that’s it," Sullivan said. "Ask.com was pretty well-known. It did a big privacy push; didn’t help. Yahoo played up [privacy] against Google; nope. I think most people trust Google – enough, at least."


Finally! An ISP with Balls

Courtesy Rory Carroll,  theGuardian.co.uk

NSA Data Center in Bluffdale, Utah

The new NSA data centre is not far from Pete Ashdown’s privacy-centric internet service provider. The irony is not lost on him. Photograph: Rick Bowmer/AP

Silicon Valley’s role in US government surveillance has triggered public anxiety about the internet, but it turns out there is at least one tech company you can trust with your data. The only problem: it’s a relative minnow in the field, operating from offices in Utah.

XMission, Utah’s first independent and oldest internet service provider, has spent the past 15 years resolutely shielding customers’ privacy from government snoops in a way that larger rivals appear to have not.

The company, a comparative midget with just 30,000 subscribers, cited the Fourth Amendment in rebuffing warrantless requests from local, state and federal authorities, showing it was possible to resist official pressure.

"I would tell them I didn’t need to respond if they didn’t have a warrant, that (to do so) wouldn’t be constitutional," the founder and chief executive, Pete Ashdown, said in an interview at his Salt Lake City headquarters.

Since 1998 he rejected dozens of law enforcement requests, including Department of Justice subpoenas, on the grounds they violated the US constitution and state law. "I would tell them, please send us a warrant, and then they’d just drop it."

Ashdown, 46, assented just once, on his lawyer’s advice, to a 2010 FBI request backed by a warrant from the Foreign Intelligence Surveillance Court.

"I believe under the fourth amendment digital data is protected. I’m not an unpaid branch of government or law enforcement."

Ashdown was wary about Silicon Valley’s carefully worded insistence that the government had no direct access to servers. Access to networks, not servers, was the key, he said.

Pete Ashdown has rejected dozens of law enforcement requests, citing user privacy laws.

The state attorney general alleged XMission was soft on crime but the company, with a staff of 45 and turnover of $7m, suffered no official retaliation, said Ashdown. "I didn’t feel that I was in danger, or that my business suffered."

In the wake of revelations over National Security Agency surveillance and ties to Silicon Valley he has published a report detailing official information requests, and the company’s response, over the past three years.

The Electronic Freedom Foundation called it a model for the industry. "XMission’s transparency report is one of the most transparent we’ve seen," said Nate Cardozo, a lawyer for the San Francisco-based advocacy group.

EFF has lobbied big service providers – in vain – to publish individual government requests and their responses to the requests. Google and other giants would need a different format for scale but could emulate the Utah minnow’s spirit, said Cardozo. "The major service providers should demonstrate their commitment to their users and take XMission’s transparency report as a model."

EFF’s most recent Who Has Your Back report – an annual ranking of privacy protection by big tech companies – gave Twitter the maximum of six stars and just one each to Apple and Yahoo.

Utah is an unlikely home for an internet privacy champion. The state’s conservative politicians cheered the Bush-era Patriot Act and welcomed the NSA’s new 1m sq ft data centre at Bluffdale, outside Salt Lake City.

Ashdown, who toured the facility with a group of local data centre operators, said he had not received NSA information requests but saw irony in it siting its data behemoth in his backyard.

The agency’s online snooping betrayed public trust, he said. "Post 9/11 paranoia has turned this into a surveillance state. It’s not healthy."

The only solution to internet snooping was encryption, he said, a point he repeated on a blog.

Ashdown, 46, attributes part of his wariness of authority to his mother, who saw the Nazis overrun Denmark. He ran as the Democratic candidate for the US senate in 2006, promising to bring technology savvy to Washington, but lost to the Republican incumbent, Orrin Hatch. He ran again in 2012, but lost in the primary.

An additional disappointment was the discovery that many if not most ordinary people – at least until the NSA scandal – cared little about privacy when selecting internet providers. "Unfortunately it’s not what people think about. They put name recognition and cost ahead of privacy."

Japanese Railway Selling E-Ticket Data

Courtesy Megan Geuss, ArsTechnica

A Suica card.

Last week, East Japan Railway (JR East), the largest rail company in the country, announced that it would be partnering with Hitachi to gather and anonymize data that it collected from its e-ticketing system, called Suica. In the program, travel histories of its passengers would be stripped of identifiers like names, addresses, and other information, and then sold in bulk to third party companies.

A June 28 Nikkei post reports that Hitachi “will profile commuter activity at each train station by parameters like gender, age, and times of use, analyzing such things as the customer-drawing power of each station and the potential for business in the area.”

But according to Jay Alabaster of Computerworld, many prominent bloggers have taken issue with the plan, and the news has caused concern. On Twitter, professor and prominent commentator on data privacy Hiromitsu Takagi wrote "Even if there is a proper way to use this (data), it must be done with the approval of society." Others expressed their disbelief that JR East and Hitachi would properly anonymize the data.

Part of the concern, Alabaster says, might come from the memory of a recent e-ticketing privacy scandal in Japan in which a Tokyo Metro employee made the personal details of a female passenger public. The employee was subsequently fired, but rumors persisted that the “Pasmo” ticketing system that the Tokyo subway uses was easy enough to crack that people could check their partners’ travel history to see if they were cheating.

JR East counts about 42 million Suica users. It plans to “sell the information in the form of monthly reports to retailers, eating and drinking establishments, and real estate agencies that operate near the train stations,” according to Nikkei. Takashi Yamaguchi, a JR East spokesman, told Computerworld, "There is no way to determine the identity of specific individuals from the data, so we feel there is no privacy issue."

Siri remembers for up to 2 Years

Courtesy Jacqui Cheng, Ars Technica

Apple probably still has this query of mine from 2011 saved somewhere in the cloud.

Remember that time when you asked Siri about the nearest place to find hookers? Or perhaps the time you wanted to know where to find the best burritos at 3am? Whatever you’ve been asking Siri since its launch in late 2011 is likely still on record with Apple, as revealed by a report by our friends at Wired on Friday. Apple spokesperson Trudy Muller told Wired that Apple stores Siri queries on its servers for "up to two years," though the company says it makes efforts to anonymize the data.

"Apple may keep anonymized Siri data for up to two years," Muller said. "Our customers’ privacy is very important to us."

Why does Apple have your Siri queries on record in the first place? Remember, Siri doesn’t just operate locally on your iPhone or iPad—when you ask it a question, your voice query is sent to Apple’s servers for processing before the answer—a Google search, an answer from Wolfram alpha, a Yelp result, etc.—is sent back. That’s why an Internet connection is required in order to use Siri; if you have no Wi-Fi or cellular signal, you can’t use Siri to perform any actions.

According to Wired, Apple generates "random numbers to represent the user and it associates the voice files with that number" when your Siri data is sent to the server. This string of numbers isn’t associated with your Apple ID or e-mail, but it does represent your device when Apple is processing the query. "Once the voice recording is six months old, Apple ‘disassociates’ your user number from the clip, deleting the number from the voice file. But it keeps these disassociated files for up to 18 more months for testing and product improvement purposes," Wired wrote.

The question came up thanks to pressure from American Civil Liberties Union lawyer Nicole Ozer, who thinks Apple needs to post its Siri privacy policy online so users are fully informed about what’s happening to their information. Indeed, although most iOS users are likely only using Siri to set up reminders or send tweets, people should be cautious about using Siri to send or dictate any sensitive information.

Many have been aware of this since Siri first came out thanks to the Internet connection requirement, but Apple’s acknowledgment that it keeps the data is a new reminder about the potential privacy risks. After all, our last poll on whether Ars readers would use Siri on OS X showed that 52 percent would at least give it a shot—people tend to conduct even more sensitive business on their computers than their mobile devices, so the data retention aspect is an important one to keep in mind.

Muller pointed out, however, that the identifiers are deleted immediately—"along with any associated data"—when a user turns Siri off on his or her device. (You can do this by going to Settings > General > Siri on a supported iOS device.)

DoJ now in favor of using search warrants to access user email.. Gee, How Nice!

Courtesy Engadget

The United States Justice Department seems to be listening to cries from Google (among others) that the 1986 ECPA (Electronic Communications Privacy Act) should be revised to reflect the vastly different universe that we now live in. DoJ attorney Elana Tyrangiel testified before the US House Judiciary Subcommittee on Crime, Terrorism, Homeland Security, and Investigations today, and in a nutshell, she now seems willing to think about the use of search warrants to access all types of email. Previously, the entity wanted to use a far less strict method for gaining access — giving less privacy to opened emails or emails that were over half a year old.

In part, she stated: "We agree, for example, that there is no principled basis to treat email less than 180 days old differently than email more than 180 days old. Similarly, it makes sense that the statute not accord lesser protection to opened emails than it gives to emails that are unopened." Certainly, this is a step in the right direction, but we’re a long way from having a genuine solution. We’ll be covering the saga as it unfolds, but for now, have a look at the full brief in the source below.

Somebody’s Watching Me… Hello, F.B.I?

Excerpts from Google’s Transparency Report

The table below provides a range of how many National Security Letters (NSLs) we’ve received and a range of how many users/accounts were specified each year since 2009. For more information about NSLs, please refer to our FAQ. These ranges are not included in the total sum of user data requests that we report biannually.

| Year | National Security Letters | Users/Accounts |
|------|---------------------------|----------------|
| 2009 | 0–999 | 1000–1999 |
| 2010 | 0–999 | 2000–2999 |
| 2011 | 0–999 | 1000–1999 |
| 2012 | 0–999 | 1000–1999 |

Government requests for user data from the United States include those issued by U.S. authorities for U.S. investigations as well as requests made on behalf of other governments pursuant to mutual legal assistance treaties and other diplomatic mechanisms. For more information, please refer to our FAQ about legal process.

Reporting Period
User Data Requests  Users/Accounts  Percentage of requests where some data produced
July to December 2012
Search Warrant 
January to June 2012
July to December 2011
January to June 2011
July to December 2010
January to June 2010
July to December 2009