Archive for "privacy"
Privacy Expert Delivers Speech on “Dark Patterns” in Internet Software and Services
The software and services that we use online are specifically designed to leave us at risk of security threats unless we change the default options. That was the message of privacy and security researcher Christopher Soghoian’s speech, “Evil Defaults: Why the software and services we use are intentionally designed to violate our privacy,” on March 1 in the Student Lounge.
Defaults are not exclusive to software. High school cafeterias across the nation are experimenting with changing defaults. Soghoian said that one cafeteria simply moved the pizza up so that students had to reach for it, and placed salads at eye level. The results: higher consumption of salads. A quick Google search shows dozens of similar experiments nationwide.
Software companies are doing the same thing, just without the good motives. “There’s a saying that if you’re using something for free, you are the product,” Soghoian said. He means that your privacy and data are the price you pay for something like Facebook or Gmail. “Facebook earns less than $5 per user per year from the data they sell. They could offer a premium alternative for $10, but they don’t.” The privacy invasion is a default for which there is no alternative.
But there are also more subtle default choices – ones which users can avoid. Soghoian said that many users even in the United States do not know that packet data over Wi-Fi in not encrypted. Hackers using packet sniffers can intercept user names and passwords in order to hijack accounts. There’s a very simple alternative: HTTPS (encrypted or secure HTTP). When you are accessing a service protected by HTTPS encryption, a lock icon appears in your browser. But “few users notice the lock icon when it’s there, and even fewer notice the lack of the lock icon,” Soghoian said.
For many years, Google’s Gmail service relegated HTTPS to the thirteenth option in a settings screen that most users ignored. In late 2009, a group of security experts led by Soghoian petitioned Google to change the default (see Encrypt the Cloud, Security Luminaries Tell Google, June 16, 2009). Google changed the default to HTTPS on Jan. 12, 2010. When Google did the same for its search engine in October of 2011, the marketers complained that they were being deprived of your search data (see Google SSL Default, Goodbye Query Referrer Data).
It is also possible to use HTTPS on Microsoft’s Hotmail e-mail service, but enabling HTTPS takes six steps.
Why would these companies do this? After all, it’s not in their interest for users to be afraid of identity theft as a result of using their service.
One reason may be because the government is asking them to. Valerie Caproni, General Counsel for the FBI, said in Congressional testimony that weak security helps the government catch criminals. “Criminals tend to be somewhat lazy, and a lot of times, they will resort to what is easy … [as] long as we have a solution that will get us the bulk of our targets, the bulk of criminals, the bulk of terrorists, the bulk of spies, we will be ahead of the game. We can’t have … to design individualized solutions as though they were a very sophisticated target who was self-encrypting and putting a very difficult encryption algorithm on for every target we confront because not every target is using such sophisticated communications.”
Third parties are watching you
Another reason companies do this is because it helps their own affiliates. First parties, Soghoian said, are the websites we all visit, such as the BBC, New York Times, and Reddit. Third parties are companies like Google’s Doubleclick, Microsoft’s Atlas, and independent companies such as Bluekai, all of which collect user data from first party websites and sell it.
Microsoft’s conflict of interest became clear shortly before the release of Internet Explorer 8. The original design for IE8 had sophisticated anti-tracking technologies turned on by default. The browser would accept cookies from first parties and block those from third parties. This default setting made sense to the programmers. It upset Microsoft’s advertising department, who complained directly to CEO Steve Ballmer. As a result, users can turn on IE8′s privacy options, but the browser turns off the option every time it’s shut down, so the user has to reselect it each time they start the application.
Soghoian had a more complex story to tell about Google. In 1999, computer usability student Alma Whitten co-wrote a paper called Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0. The paper called for higher standards of usability in security software. Today, Alma Whitten is Google’s Director of Privacy for Product and Engineering. When Google recently announced that it would back a “Do Not Track” initiative, Whitten might have made the announcement for Google. But she didn’t. Instead, it was Google’s senior vice president of advertising, Susan Wojcicki, who made the announcement — and it’s likely that it was Wojcicki, not Whitten, who made the decision.
In companies like Microsoft and Google, defaults are set by divisions that need to make money, such as advertising — not by programmers or privacy experts.
In the software industry, Soghoian said, “dark patterns” are interfaces that are optimized to trick people—the same way that casinos in Las Vegas are designed so that you get lost, lose track of time, and keep on gambling. They’re optimized for the benefit of the business, not the customers.
Risks grow as hacking gets easier
The risks of using unsecured networks are growing, Soghoian warned. A tool released a few years ago makes it easy to hijack Facebook and Twitter accounts over unsecured Wi-Fi connections (see Firesheep addon allows the clueless to hack Facebook, Twitter over Wi-Fi). Owning and using the tool is likely illegal, but that won’t stop hackers. The Firesheep tool makes it easier to do the hacking, and when the hacking gets easier, it’s likely to also become more prevalent.
In the question and answer after his speech, Soghoian added that although a similar tool does not yet exist for hacking smartphone services, it’s likely only a matter of time.
Further reading:
Why Private Browsing Modes Do Not Deliver Real Privacy by Christopher Soghoian.
Freedom In the Cloud: Software Freedom, Privacy, and Security for Web 2.0 and Cloud Computing, the speech by Eben Moglen at NYU that inspired Diaspora, the open source alternative to Facebook.
Negligent Infliction of Emotional Distress: Facebook Etiquette
DISCLAIMER:
INTENTIONAL INFLICTION OF EMOTIONAL DISTRESS
Restatement of Torts, Second, section 46: “One who by extreme and outrageous conduct intentionally or recklessly causes severe emotional distress to another is subject to liability for such emotional distress.”
Comment d:
“Liability has been found only where the conduct has been so outrageous in character, and so extreme in degree, as to go beyond all possible bounds of decency, and to be regarded as atrocious, and utterly intolerable in a civilized community.”
NEGLIGENT INFLICTION OF EMOTIONAL DISTRESS
“Almost all states have adopted the tort of intentional infliction of emotional distress, but only a minority of courts have been willing to recognize an independent cause of action for emotional distress alone against defendants who are no more than negligent. (Shapo, Principles of Tort Law, 3d ed., 381)
BY READING THIS COLUMN, YOU HEREBY AGREE TO FORFEIT ALL POSSIBLE CLAIMS AGAINST THE AUTHOR
Introductory Note to First Column
First of all, let me say, it’s good to be back. This is my first piece of journalism written in a student news medium in more than eight years. I have missed the opportunity to make my voice heard, and while there may be plentiful amounts of my own writing at flyinghouses.blogspot.com, that website hardly registers in the national consciousness. This is not to say that The BLS Advocate registers in the national consciousness, but it is at least a resource that other students can use to recognize that they are not alone.
This column is entitled Negligent Infliction of Emotional Distress because it may cause that in the reader. To be sure, I have never shied away from writing about controversial topics, and I have often paid the price. I expect to get a fair amount of hate mail after every column I write – but my goal is to inspire thoughtful comments that can start a conversation about reasonable values that we can all share as law students. Given its ubiquity, I felt that Facebook would be the best topic for my inaugural column.
History
Before there was Facebook, there was Friendster, and before there was Friendster, there was MySpace, and before there was MySpace there was…..nothing? Hardly. Before MySpace there were chat rooms and dating sites – social networking in its infancy…..
I joined Friendster and MySpace sometime in 2003, and I joined Facebook in early 2004. I like to think of myself as something of an “original” member who has held fast through the years and changes.
Law School and Facebook
In law school, you may go to events held by the career services center. They will tell you take anything that is even the least bit questionable off of your Facebook wall, and out of your photos or videos. They will tell you that it is not worth it to risk losing what is probably the most important job search of your life by leaving up some stupid picture of [redacted] funny – yes – but it will automatically disqualify you for consideration for any job – especially one where [redacted]… – you’ve been warned). It is monumentally stupid to allow anything that could potentially result in a reputational compromise to be seen by anyone, especially those in charge of hiring at a firm.
But what if no one actually searches Facebook to spy on your profile? What if they can’t see your profile unless you accept them as a friend? I think most people are aware they can change certain privacy settings to avoid these kinds of situations from happening at all.
Moreover, what if no one wants to search Facebook for your profile? What if you’re not the sharpest tool in the NYC Legal Market and you’re not going to be considered for any jobs, period? Then, what’s the big deal? Is the NYPD or District Attorney’s office going to search your profile, see some picture that [redacted]…? No! Is your goofy younger brother going to think a joke about [redacted] Mario Party is funny? Yes!
[This is an excerpt from the writer's full column, which can be found here: http://flyinghouses.blogspot.
Christopher J. Knorps is a 2L at Brooklyn Law School. He has written two novels, a book of short stories, and a memoir of his 10-month-stint in L.A. None of his creative writings have ever been published in print form. He enjoys studying bankruptcy law. He ranks in the upper 55% of his class. You may find his blog by visiting flyinghouses.blogspot.com. It consists primarily of book reviews, a dozen or so film and music reviews, a few pieces of sports journalism, and a light smattering of “special comments” about the study of law in 2010-2012.