Regarding the recent Internet Privacy bill

Started by Vekseid, April 05, 2017, 08:08:31 AM


Vekseid

Note that, while this references an event in the United States, it represents something that is actually far worse in many countries. Privacy is a concern for you no matter where you live, and it is often only a secondary benefit from taking these measures.




So, this passed the House and Senate along firm party lines, and has caused a fair bit of alarm. Monday, it was signed by Trump.

And has led to what could at best be described as dangerously misinformed enthusiasm.

At worst, scams.

You cannot buy any individual American's browsing history from a telecom company. This is already illegal.

Quote from: Telecommunications Act
(1) Privacy requirements for telecommunications carriers
Except as required by law or with the approval of the customer, a telecommunications carrier that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to individually identifiable customer proprietary network information in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories.

This is to say nothing of the various state laws that also apply here.

About the only good to come of the blowback from this is that it will likely stay that way.

This is not to say that it is impossible to obtain someone's browsing habits by other means. Malware, Firesheep, clever CSS hacks, direct intrusion, snooping on DNS...

But it's not going to happen by getting it from ISPs. At least not in the United States.

To be clear, what this 'law' does is to ensure that the status quo continues. The FCC guidelines were just to prevent companies from selling their aggregate data, and this legislation blocked that regulation.




Nothing you send to a site over TLS (sites beginning with https://) can be observed by a typical third party.

This includes your web searches on any major search engine, your posts and private messages here, etc.

If a site's url begins with https:// rather than http://, then observing what you read and send requires one trick or another.

For how feasible this is on a given website, you can plug in domains you are visiting into SSL Labs here to get some verification for how secure a site is.

This isn't perfect, of course. It assumes the security of the site you are visiting, the security of the machine you are using, and information can still be gleaned from other sources.

I will go over a few additional security measures below.

Note that if your employer, school, or other entity manages your machine, then they can get around this in sophisticated setups. Don't use the following advice to expect to browse E privately on your company machine on your company network. <_<




1) Keeping your device clean.

This means a few things:

a) Removing continually-running processes that you don't actively use much. It also means keeping tabs on how much the applications you do use are phoning home. Facebook and its properties (WhatsApp, Instagram) are pretty notorious for this, for example.

b) Keeping malware, bloatware, spyware, etc. off of your machine. Many 'security' products have effectively been malware for the past decade (McAfee, Symantec), doing more harm than good while costing you money. My Windows machine has Microsoft Security Essentials, and that's it.

These measures don't just help with privacy. Privacy is a side benefit compared to the performance effects.

A full discussion about keeping your devices secure would be out of scope here. Stuff is getting scarier, however, so devoting a bit of mindspace to it is always wise.

I keep a list of some of the software I use here, though I do not have a similar list for mac users. The above extensions should go a long way, however, assuming you take care with what you run on your device in general.




2) Useful browser extensions

* Ghostery is the most widely-used privacy extension. I highly recommend it if this bothers you.

* uBlock Origin is now the most widely-recommended ad-blocking software, after Adblock sold out.

Keep in mind that disabling your ad-blocker should only be done on sites that you trust. Malvertising is a serious concern of late, and this issue appears to only be getting worse.

As above, both of these extensions can help make websites more responsive, especially on seriously ad-laden sites.

There are some more advanced plugins that do things like manage cookies and referer (sic) information. Not going to link them directly, because they take a bit more understanding to use. They can break things if you forget about them.

* Referer Control - allows you to block the HTTP_REFERER header (yes, a spelling error made it into a web standard), which tells a webpage where it was linked from. You should keep this to blocking 3rd-party referers only, as blocking 1st-party can only cause trouble for nearly no benefit.

* Cookie Monster - in general, Ghostery should do most of what this does, but you can use this to make blocking 3rd-party cookies explicit. This does break some things, however, particularly on streaming/media sites.




3) Learning how to use your hosts file

Your hosts file allows you to end-run around doing DNS queries for various domains. It's sometimes used to null-route known malicious sites, but it can also be used to hardcode sites whose IP you know won't change often, and that when it does, you know you'll be able to get the new one easily.

An entry for elliquiy.com would look like:


208.117.11.90 elliquiy.com www.elliquiy.com


DNS is extremely leaky, because it gets sent in essentially plain text to what is usually a completely third-party server. So while a snooper couldn't tell what you were doing on Elliquiy or Google, they could tell you visited these sites, along with an idea of how much you participated.


A Special Note
You are likely going to be hearing more about this in the future - this is how the Alfa Bank - Trump Org - Spectrum link was first exposed back in October.

If the Russian bank and Betsy DeVos' brother had just set their hosts files, they wouldn't have had this additional smoking gun to this Seychelles piece.

One irony is that, although Alfa Bank is trying to sue via the CFAA over this, neither Alfa Bank, nor Spectrum, nor the Trump Org is the aggrieved party under the CFAA here, even if they needed to compromise a server to get this information, which isn't guaranteed. If someone publishes your DNS history, you have no legal option based on computer access itself, that I am aware of.

Having your favorite sites in your hosts file also means that if DNS goes out (either for the site, or you), you can still access the sites in question. It does require some maintenance, however, and is only good for mid-ranged, single-server sites like E.




4) Your public data in general

This includes things like answering Facebook quizzes, etc. Some of these are just attempts to drive traffic, others are for future marketing, some may be both.

One risk with public data is exposing 'secret questions' for password recovery. Generally, where a site includes this sort of thing, I make up some bogus question with some random gibberish as an answer. Works best this way.

Another is e.g. thieves who would scour Twitter for people announcing their vacations. Best to make plans known after the fact.




About VPNs (Virtual Private Networks) and other proxies (Tor, etc.)

Don't use web proxies for anything you log into. They are often run to scrape passwords.

Keep in mind that Tor exit nodes - like all proxies - see all traffic that passes through them. It was rumored that Wikileaks got its start this way, though they denied it. Still, running tor exit nodes was a known method of harvesting sensitive information back in the day.

Proxies and VPNs are a bit of a paradox, as you are trading relative anonymity in numbers (from your ISP) for having a confirmed relationship with a known entity (your VPN provider), who, unlike your ISP, isn't barred from releasing your private information individually, especially if they aren't in the same country you are.

The best VPN is one that you or someone you know and trust is running. I would not accept anything less, personally - but they are not terribly difficult to set up.




For those who are concerned, or are wondering about this, I hope this helps. : )
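As an added illustration of the hosts-file advice in the post above (this is example code, not something from the thread or from Elliquiy), the helper below parses hosts-file text the way the resolver reads it, validates each address, and flags the two maintenance problems the post hints at: a name pinned to conflicting addresses, and entries that are null-routes rather than pins. The sample hosts text is constructed; only the 208.117.11.90 address comes from the post, and the other hostnames and the 10.0.0.5 address are made up.

```python
"""Parse and sanity-check hosts-file entries (added example, not from the thread)."""
import ipaddress
from collections import defaultdict

# Constructed sample, modelled on the entry quoted in the thread, plus a typo,
# a null-route line and a conflicting pin. Only 208.117.11.90 is from the post.
SAMPLE_HOSTS = """
# pinned sites
208.117.11.90 elliquiy.com www.elliquiy.com
208.117.11.90 ellliquiy.com          # typo: a lookup for elliquiy.com never hits this
0.0.0.0       ads.example.invalid    # null-route (constructed hostname)
10.0.0.5      elliquiy.com           # conflicts with the pin two lines up
::1           localhost
"""


def parse_hosts(text):
    """Return (mapping, problems): hostname -> set of address strings, plus findings."""
    mapping = defaultdict(set)
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])  # accepts IPv4 and IPv6
        except ValueError:
            problems.append((lineno, f"bad address {fields[0]!r}"))
            continue
        if len(fields) < 2:
            problems.append((lineno, "address without any hostname"))
            continue
        for name in fields[1:]:
            mapping[name.lower()].add(str(addr))  # hostnames are case-insensitive
    for name, addrs in mapping.items():
        if len(addrs) > 1:  # a pin that silently depends on file order
            problems.append((None, f"{name} maps to conflicting addresses {sorted(addrs)}"))
    return dict(mapping), problems


def null_routed(mapping):
    """Hostnames pointed only at an unspecified address (0.0.0.0 or ::), i.e. null-routed."""
    return sorted(name for name, addrs in mapping.items()
                  if all(ipaddress.ip_address(a).is_unspecified for a in addrs))


if __name__ == "__main__":
    hosts, findings = parse_hosts(SAMPLE_HOSTS)
    print(hosts, null_routed(hosts), findings, sep="\n")
```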

Hunter

My only real concern about the bill would be whether or not it restricts the government from getting and using such data. The government has been rather heavy handed in that regard and I don't really see them putting restrictions (on themselves) on that sort of information grab.


Beguile's Mistress

I'm not sure how accurate this is but I heard that using https can prevent some things like watching videos. Does anyone know if this is true?

aouser626

Quote from: Beguile's Mistress on April 05, 2017, 04:45:34 PM
I'm not sure how accurate this is but I heard that using https can prevent some things like watching videos. Does anyone know if this is true?

I think it was Tor, it disables various plugins. But YouTube does not have that specific problem due to the HTML5 format.


Vekseid

Quote from: Hunter on April 05, 2017, 12:45:19 PM
My only real concern about the bill would be whether or not it restricts the government from getting and using such data. The government has been rather heavy handed in that regard and I don't really see them putting restrictions (on themselves) on that sort of information grab.

That's done through Five Eyes. Still, the advice here helps.

Quote from: entropy970 on April 05, 2017, 04:41:03 PM
HTTPS Everywhere

This is no longer necessary as it is a feature of all major browsers. E was on that list fairly early though, yes.

Quote from: Beguile's Mistress on April 05, 2017, 04:45:34 PM
I'm not sure how accurate this is but I heard that using https can prevent some things like watching videos. Does anyone know if this is true?

Using web proxies or Tor requires some things to break. There have been a lot of ways to 'expose' Tor usage.

If you want to hide your activity from an ISP, as mentioned, you should use a VPN run by someone you can trust.


Missy

So just go ask all your friends if any of them happen to be running a VPN then.

Lithos

Booting Tails from USB can make most things rather safe for most people's needs. Generally I think the content in the Internet Privacy Bill is good, but as already mentioned most of it was in effect already. At least it makes changing things more tricky as well.

MTalos

I'd like to add:

1) The regulations that were repealed had not actually gone into effect. So nothing has changed, except companies are no longer needing to prepare to comply with them.
2) AT&T, Comcast, and Verizon have all come out with statements about their data collection and use.
https://arstechnica.com/tech-policy/2017/03/comcast-we-wont-sell-browser-history-and-you-can-opt-out-of-targeted-ads/

Vekseid

I already stated the first bit, MTalos:

Quote from: Vekseid on April 05, 2017, 08:08:31 AM
To be clear, what this 'law' does is to ensure that the status quo continues. The FCC guidelines were just to prevent companies from selling their aggregate data, and this legislation blocked that regulation.