Secrecy, privacy, security, intrusion

Hahaha or you can get a similar item from Temu for ~$3-5. They look more effective, using alpha-numeric instead of those stripes.

Why don’t they ever zoom in on the result?

Of course, if someone is keen on stealing your identity they will be able to de-obfuscate your data quite easily using a scan and some software. This is why CAPTCHAs are becoming more and more difficult to decipher - machines can figure out the easy ones.

Mozilla did a study that might alarm those who don’t think about it, and really alarm most with the scope of collection.

What I find really alarming is that they ranked Nissan as worse even than Tesla! (Just waiting for the day when your Tesla will automatically update Twitter with details of your commute.)

I’m not sure what people were expecting here… sort of obvious that they would start collecting your data if your car’s setup online… just like your phone. Problem is, we still have the privacy holes that allow this to keep coming through… we’re always on the back foot until actual laws, with the ability and funding to enforce them, can be put in place to stop this constant data scraping of our personal and meta data… the EU is waking up but we’re slowly lagging way behind.

A feature coming to you soon, if not already with you, in Chrome is Privacy Sandbox. No more or at least less third party cookies but it could be more invasive if not controlled by you adjusting settings.

There is no doubt that your first option should be … Don’t use Google Chrome.

Regardless of whatever settings exist, you will never know what spying Chrome is doing - and we do know that spying is integral to Google’s business model. Personally I don’t even have Chrome installed on my computer but if I find a web site that absolutely will not work unless Chrome is used (and I occasionally bump into such a web site) then I will go and use a different computer where Chrome is installed as the last resort.

There are clouds on the horizon though because Google is pushing a controversial technology known as WEI (Web Environment Integrity). If web sites start to mandate WEI then more web sites won’t work unless you use Chrome - thereby either forcing other web browsers to follow suit or increasing Chrome’s already substantial market share.

As companies swallow up other companies and broaden their interests the privacy notices and what is possible for their data collections is infinitely expansible, barring a Very Big Stick to stop it, if that is what ‘the system’ wants to do. Otherwise it is evolving into a big data warehouse owned and operated by marketeers selling everything to everyone.

The Irish Council for Civil Liberties (ICCL) has released two reports into security risk of data mining by marketing and advertisers. While the reports focus on the US and EU, the information contained in them is just as concerning for us here in Australia and indeed any other place in the World were privacy is of concern. From the ICCL news release is the following concerning level of data about individuals that can be obtained using the RTB (Real-Time Bidding) system that Google and others use:

"Cambridge Analytica style psychological profiling of target individuals, as well as their movements, financial problems, mental health problems and vulnerabilities, including whether the target is a likely survivor of sexual abuse.

Foreign states and non-state actors can use RTB to spy on target individuals’ financial problems, mental state and compromising intimate secrets. Even if target individuals use secure devices, data about them can still flow via RTB from personal devices, their friends, family and compromising personal contacts"

The media release can be found at New ICCL reports reveal serious security threat to the EU and US

The links to the two reports pages (one for the US and one for the EU) are linked in the article but they are provided here if anyone wants to go to them directly

EU: https://iccl.ie/digital-data/europes-hidden-security-crisis/

US: America's hidden security crisis

This is certainly one for CHOICE to look at @BrendanMays and may be a SHONKY contender nomination for GOOGLE at least.

My understanding is that this tech that profiles people and uses that data to personalise their advertisements has been around for a long time and that the RTB system has been part of that for ten years or more.

Once this data is being shared around and sprayed around it comes as no surprise that it will be used for more than targeting ads. You can bet many governments, militaries and large corporations have used such data to have a peek at what their competitors’ players are up to. If you are a player, or conceive that you are, you should not be leaving a trail of transactions or activities behind you that can be identified.

I think that large organisations in pursuit of a dollar are irresponsible and unaccountable in the way they extract, manage and sell data about us. However the fact that they do so is hardly news and the idea that other parties would not be sucking on the same straw is absurd.

As part of the investigation and noted in the report is a previously unknown program that is of very serious concern called Patternz: “ We reveal “Patternz”, a previously unreported surveillance tool that uses RTB to profile 5 billion people, including the children of their targets”. ICCL’s report was a call out about the failure of self regulation to control the sharing of very sensitive personal data that could be and is used for surveillance purposes.

What has been reported on is a more complex gathering and sharing of data than was previously suspected of being garnered and shared. As noted above, data from children has also been deliberately siphoned. In our “Western” communities this collection of children’s information has been considered as a no go area but again because of self regulation has obviously failed.

My big security concern for the month is the European Union’s eIDAS 2.0.

Of course, I’m probably worrying unnecessarily. Surely I can trust every EU government - and every other government that sees this as a great model - to access encrypted online traffic as and when they choose. Do I have something to hide? No, I just like privacy. As do the stated 400 signatories of an open letter to the EU.

Surely we can trust every other user of the internet to be open, honest, trustworthy, ….
And that they have no intentions of perpetrating a fraud, scam, violence against another or over throw of our established societies?

A second reality?

We the public may have been sold on aspects of anonymity, privacy, and security of the web. At the same time the facilitators and promoters of the same have assumed in return their own rights to our data, and how they may use it.

Society is built on trust, including our democratic processes, as imperfect as they may be. There are far worse alternatives if there is none.

That’s not creepy at all. /s

It is unclear what the extent of this is.

If the extent of it is “all browsers as shipped must trust all EU government root certificates” then that’s OK-ish - because you as the user are free to remove that root certificate (as I sometimes do for any Chinese government root certificates).

If the extent of it is “(as above) and must not provide the functionality to remove a root certificate” then that is more problematic.

Even with the more extreme version, there are some defences available e.g. use the browser extension that detects unexpected changes to the CA hierarchy. So let’s say you are a frequent visitor to https://choice.community and your browser keeps a record of the CA hierarchy on one visit, and nothing in the hierarchy is due to expire, and you visit a little later on, and suddenly one of the certificates has changed - the browser can report that to you and give an indication that something might be amiss.

Unfortunately with so many sites using freebie Let’s Encrypt certificates which expire every 3 months anyway, the above only works if you really are a frequent visitor.

It is unclear to me whether this proposal would mean that a browser must not trust a root CA unless the root CA is government approved.

I think this EU proposal means that certificates signed by designated CAs have to be considered good, because the CAs have to be considered trusted.

Could well be some interesting sites using these certs, doing whatever state actor sponsered software decides to do. Browsers have to accept that.

I assume that means cert revocation lists to be ignored for these EU designated CAs and certs signed by them.

Can you remove the CAs from the browser? Maybe. Can you stop them from being downloaded on demand using the URL in the certificate and being cached? Maybe not.

What is that? I have been looking for something that will help me audit the certificates in Windows - tell me which ones are being used and by whom, so I can decide which ones I do not trust.

Hmm. Good point. Likewise OCSP. And OCSP Stapling.

E.g.

• Certificate Watch
• Certificate Pinner

Disclaimers:

1. Not used by very many users. Nor “actively monitored for security by Mozilla”, which is a pity really because IMO this should be core browser functionality in order to defend against the type of attacks that the EU is encouraging.
2. Probably won’t work well with a CDN unless the CDN provider and the CDN customer work to ensure that all content hosts use the exact same certificate (which is sometimes deemed to be bad practice, so may not happen).

I’m not sure that either of those extensions will specifically address

tell me which ones are being used and by whom

however.

A search for the first returned nada.

The second gave me a Firefox extension, but it is not exactly what I am after. What I really care about is the 60 “trusted” root CAs my system is absolutely comfortable with. WoSign is no longer on the list (although the company still apparently issues certificates), but I can’t remember whether I removed the Hong Kong Post Office manually or whether Microsoft decided to.

Google uses Windows certificates, but Firefox manages its own. Why does Firefox tell me that I trust Beijing Certificate Authority? China Financial Certification Authority? Chunghwa Telecom Co., Ltd? Mozilla, what were you thinking? Oops, there’s Hong Kong Post again. Oh, and a Turkish CA.

The point is that I should not need to trust CAs for that 90% of the Internet I cannot conceivably use. I am never likely to browse Chinese language or Russian language websites, or for that matter Swedish. But I cannot know which of these certificates have been used by my browser or system - there is no log to keep track of the ones I should care about as opposed to the ones I do not need to trust.

A further point may be 99+% of consumers will have little understanding of what is being said here, or how to respond. The web needs to be safe for all users, considering most do not have the knowledge or skills beyond ensuring a broad AV product is available to meet needs.

Sure, but…

Most people accept the defaults and will not know to remove the EU CAs. This is why Google pays Apple such a ridiculous amount for the privilege of being the default search engine!