Sigh... give them an inch and they take the universe. It seems like nearly every piece of local data an application can gather is being abused for privacy invasion, this time under the guise of fraud prevention. It's bullshit; we all know how this information will be used. Swiping, mouse movements, keyboard input habits, etc. will all be used to build a profile about you and target ads. What a sad, sad use of humanity's infinite ingenuity.
I think there's a fairly likely future that the banks and financial companies will try (and IMO succeed) to ban the providers of this data from using it for anything else. Aka: we will not use a biometrics service that uses our user's biometric data for anything other than fraud prevention and authentication.
The banks are ultra-sensitive about personal data at the moment at least, but they really want these kinds of solutions to stop fraud without interrupting your user experience. They have the scale to demand vendors stay in a particular use case and I think they'll succeed.
I would expect the future you're predicting to exist, but I expect it to come from e-commerce companies and others adopting tech from similar vendors but without demanding any restrictions on data use.
Do newspapers have to start a privacy panic about every damn thing? there are other ways to frame these reports, it's like they won't be satisfied until everything done on an electronic device is outlawed.
> Where do you think banks got the idea? They just copied an existing shady business model.
Tracking user input methods is not a shady business model. I was doing this for web forms back in 2003/4 to fight fraud, improve the user experience, and find problems.
> If my boss got a contract with a bank that said I had to track users against their will
But they aren't being tracked against their will, so you would have done this.
This article is in the business section of the newspaper. That's not exactly the optimal section if your intention was to "start a privacy panic about every damn thing."
Many people including myself were not familiar with the companies mentioned in this article or the use of their software for fraud prevention, these are the thrust of the article not hysteria.
Your conspiratorial assessment of this article seems to be misplaced.
Does anyone else feel a sense of overwhelming futility with respect to internet privacy? I'm at the point where I feel like I might as well just use all the fancy features and devices, privacy be damned.
It feels like it's a giant waste of time, even if you go out of your way to use "privacy protecting" expensive devices and software. Use an iPhone or LineageOS! Use Firefox! Don't use Google services! Don't use iCloud, back up everything to a local NAS! Pay for your email services!
It all feels mostly pointless. There's always another thing right around the corner. You're always defeated and tracked -- this time with "behavioral biometrics." For the average person, why not just give up? Throw an Amazon Echo in the corner and at least you can control your lights and play Jeopardy.
I've had that in my Privacy & Security slide deck for years. I say unless you're willing to go to EXTRAORDINARY lengths, there really is very little privacy. IT's been gone for years. Maybe new laws like the GDPR will help push things in the right direction?
Not at all. I only use the services that are the most simple, down-to earth and privacy friendly. Then every time I hear about a data leak, big hack or privacy violation, I'm happy about the fact that it didn't hit me.
I kinda feel like a best-effort attempt to minimize data-leakage + some kind of noise injection might be the best approach right now.
Ultimately though, I think we'll need legislative and platform solutions if we want to keep a good amount of online privacy. This just isn't something an individual can solve on their own.
I deal with it mostly by asking myself what "privacy" I'm really concerned about. Let's see... I don't want anyone actually stealing my money. I don't want sensitive security information that can be used to steal my money (ie passwords) falling into unauthorized hands.
But my personal history? My photos? Words I've written? Oh well. If someone wants that stuff, they can probably get it. And the gaping maw of robotic commerce doesn't actually care about me personally, it only cares what it can sell me.
I'm not worried about the police or some authoritarian tyranny on a personal level, on the level where what I say on the internet matters. I worry about it in an impersonal way. When the robot overlords are rounding up the granola-munching people of south Minneapolis for extermination, they won't be checking our internet history first.
Like you, I don’t worry about it on a personal level.
Unlike you, I do worry about how such a breach of human rights affects my neighbors today.
This is a matter of prejudice and discrimination on a level we have never contended with.
The people most vulnerable are those who do have something to hide. Even if it’s not something I want them to hide (sex offenses are a popular example), I still support due process by a public justice system. I think anything else is asking for tyranny, so I think it’s important we consider those who are more likely to be marginalized.
Some things people might want to hide to prevent unjust prejudice and discrimination against them:
-Unpopular political views: It is in the interest of a healthy democracy to protect freedom of opinion . In the event that we fear their opinion, it is in our own interest that they feel free to educate themselves and grow. Freedom of access to education resources free of prejudice should not be confused with supporting online communities of hate.
-Lower/working class: discriminated against by potential employers, hampering the social mobility possible in our society
-Sick people: discriminated against by insurance companies, employers, advertisers
-People with STDs: The discrimination here is especially in humane. And separately, we should all understand the role that freedom of information and research resources has played in the progress we’ve made here.
-People of color: classically discriminated against by law enforcement and others
-Parents: well known to be targets of extreme advertising
-Aspiring parents: discriminated against by potential employers
I sort of agree with you here, but I worry about pointing fingers in the wrong direction. Particularly, most of these forms of discrimination you've rightly pointed out function independently of online privacy.
Consider the authoritarian police reaction to people of color. That's not because they were googled. The problem is right there in the presence, in physical being. Cops don't bust people for appearing black on Facebook, but rather for appearing black while driving or walking in the park or something.
Unpopular political/social opinions aren't a matter of online privacy, generally. This is stuff that people post on Twitter, in public comments on Facebook, etc. If being an online racist blows up in someone's face, it's not because of Amazon or Wells Fargo; it's because they're shouting it in a public theater where anyone can see. (Hence the modern bigot's concern with "free speech" really meaning not that they can say what they want, but rather that no one judges them for what they say.)
Employment discrimination is widespread. And again, it's not about someone's online being, it's about their physical being. This is why so many startups are big young white dude sausage-fests. Like hires like. Are they discriminating? Sure. But not due to online privacy, but rather more pedestrian face-to-face matters.
I can go farther here, but hopefully my point is clear. When it comes to personal discrimination, that's usually a problem of person, not privacy, and tightening privacy settings offers little protection.
Your overall point is not clear to me, but I can affirm that I do not agree with your supporting arguments.
My list was of examples, not reasons. And, of course, each has varying levels of impact.
And how many reasons should one need to respect basic human privacy?
Would you assert these human rights aren’t worth defending until they’ve been invaded?
I just can’t see where the stipulation is, where the justification for your skepticism lies.
Your point of you comparisons with face-to-face interactions are lost on me entirely. Race, demeanor, height, sex, weight, and more are all determinable with enough collected data, and discrimated on accordingly. It’s the data that makes the discrimination more similar to physical interaction in terms of affect, but more scalable. Physical interactions take far more time and necessitate an emotion of conscience, both of which are often undermined in electronic communication, and always undermined in the process of data collection.
Similarly, I’m super confused about your point about political privacy. Are you seriously asserting everybody posts all of their political opinions on social media? Of course, I am referring to what they don’t post publicly. This should be a given, no? Anyhow, US law aggressively protects the ballots citizens cast in elections, and all the while any of these spying corporations readily determine this with a minuscule margin of error from citizen’s visited news outlets, search queries, social networks, etc. Anyone who has viewed their own personal Facebook data can confirm so.
Of course, physical violence is not an immediate concern over the internet. If that’s your point, then OK. It’s lessened in both directions and this is a different topic entirely.
> But my personal history? My photos? Words I've written? Oh well. If someone wants that stuff, they can probably get it. And the gaping maw of robotic commerce doesn't actually care about me personally, it only cares what it can sell me.
>
> I'm not worried about the police or some authoritarian tyranny on a personal level, on the level where what I say on the internet matters.
Yeah, but then 2016 happened.
This sort of "tactical positioning" on internet privacy is where I was prior to that year. The fact of the mater is that "personal threat exposure", while not completely irrelevant, misses the forest for the trees.
It's not YOU they're trying to manipulate, it's the herd. And it works. And that eventually comes around to impacting you just as personally as if you'd posted your bank account number and ssn on facebook.
Even if you truly have "nothing" to hide, how much do you trust these companies in securing the information from you they harvest? It's not necessarily the companies i'm worried about. It's the people that hack those companies i'm worried about. Once the hackers obtain that information, they can clone you and do all kinds of nasty fraud in your name. They can literally ruin your life.
EDIT: By clone I mean virtual clone of course, not Arnold Schwarzenegger "The 6th Day" clones
You quickly moved into hyperbole. You may not be rounded up, “just” unable to get a job, health insurance or car insurance (at viable prices).
If you are an activist, you may get arrested for an unrelated crime, like getting stopped after you had a few drinks (because geolocation) or discredited if you are not out as a gay person or for anything else which might garnish your image in any way.
Your ability to fly, or your airport experience could be influenced by invisible forces like driving around certain places or writing favorably toward certain policies or religions.
If you are a good looking woman you may be creepily stalked and tracked.
And let’s not kid ourself about the fact that more and more of this data will be sold and resold until it becomes a commodity available to anyone who is willing to pay a nominal price.
Believing in the story that your activity and data don’t matter because you don’t matter is in a way resigning to never become someone who might matter. And this is by design.
Privacy matters a huge deal. Especially in an assymetric situation.
The type of passwords you're referencing can't actually be used to steal your money, as they only control access to reversible accounts. Timely monitoring of your banks' ledgers is far more important than securing passwords. (Though passwords leaking will certainly cause a headache!)
Meanwhile, behavioral surveillance most certainly can be used to steal your money eg the pricing games that airlines and insurance companies commonly play, tailored to the individual level. Slowly accumulating a savings account named for some elective goal, someone dies across the country, and you need to get there in a day? Time to jack your airline prices. You'd hope age-old market competition would preclude this, but communications tech has been undermining that as well.
> Let's see... I don't want anyone actually stealing my money.
If online shopping sites start charging you 10% more based on your profile indicating you can afford it would you consider that stealing? How about if they just "customize" what products you're shown and you only see the high end ones?
This is on top of all the soft manipulation advertising already does, it's entire reason for existence is to make you buy something you otherwise wouldn't have. It's not stealing but it still involves less money in your wallet.
I stay sane by believing that as long as I stay active in the tech industry and do my best to constantly push to make things a little better, then I’m doing net good. The worst thing we can do is throw up our hands and admit defeat.
I try not to think about all those engineers out there on the other side, acting in opposition to user privacy, happily writing all this monitoring, tracking, fingerprinting, and profiling software. Many are probably readers here. I hope the paycheck is worth it.
It has all been predicted, and when you throw hordes of PhD's at the problem, solutions will come. I think we should heed the more serious warnings about AI too and not be so cavalier.
I completely agree its exhausting and I think that's by design.
And even given the measures you outlined, if your friend uses FB,Google services you will be exposed to those services via their address book being hoovered up, their photo tagging, their WIFI etc.
I think legislation and regulation is the only thing that's going to provide any meaningful recourse.
Almost all of my friends are this way now. They just gave up on any sense of privacy and accepted it. I can't say I blame them. They have different needs / wants than I do, but I will admit it's pretty disheartening too.
I haven't given up yet, but it's such a pain in the ass if you don't keep up on it. I ended up just ditching any service that doesn't respect my privacy or at the very least, stick with ones that say they respect it.
If there's anything real important I have a few friends who usually let me know. I still do miss some events but I figure if no one remembered to ask me, it's not important, or I'm not that important. Either way, it's not my issue.
Emotionally I didn't want companies to know about my life but practically it's going okay. Having companies know random information about me doesn't really affect my day to day life much (except for I have more targeted ads, which honestly isn't a negative).
I see it as an unfortunate consequence corollary to freedom of math and speech. If you give people the right to record and calculate everything they know it allows for invasive analytics in an attempt to soothsay by automating superstitions. If you don't have them then it opens abuses such as reporting that a scumbag serial Ponzi schemer convicted of doing so is "violating his right to be forgotten" and reporting that the local police just spend four hours loitering in diners and coffee shops is "illicitly tracking law enforcement". Restricting others to try to prevent it would prove lossy to freedom overall. Even a "no financialization" limit would allow shutting down a voting record of congress mapped to donor contributions because they are making money off of someone else's data if they try to cover their costs in any way.
I believe that the achievable thing to aim for is a transparent society instead of a half-mirror one.
I am probably very unaware of a Chrome or Firefox extension that allows this:
I wish I could Browse to... and set scripts to run before a page is navigated to. I know you can do this from the Dev Tools console just by hooking into events, but i wish there were something more user-friendly so it'd be easy to pass around scripts to average users. Simply to unreference or wrap JS APIs that allow things like this. You'd still need to be impossibly aware of what new API Google is introducing in Chrome every week. I wish they defined subsets of JS, like how there's a C++ embedded standard and such. I know in JS land you go by feature detection not profile selection (like OpenGL?).
We're just learning more ways to sandbox I suppose.
PS: I want the ability to easily re-order the scripts that run before/after an event fires.
It isn't that hard to
-- strip down and make your social media private
-- enable dual factor for everything that has it available
-- use ublock origin properly
-- use good passwords and a password manager
-- opt out of "upload all my contacts to you" whenever possible
-- default deny location sharing
-- use a VPN
-- Use the Lite app instead of FB app, and generally use less social media
I'd say that's minimal effort and private enough for most purposes.
I never cared much about that stuff. I trust big corporations, I always opt-in for telemetry and similar stuff, because I genuinely believe that it helps to make better software. And yes, I enjoy all fancy features and never had any problems with that. It's hard for me to understand people who don't want to use Windows 10 because of telemetry. It's awesome OS, who cares. It's not like Windows 98 was open source, you never really know what was collected back then, at least they are honest this time.
> Throw an Amazon Echo in the corner and at least you can control your lights and play Jeopardy.
This is where I have landed, sadly. Especially now that I have a family, I simply don't have time or energy to think about privacy all the time. And that's the only way you can fight it, is to think about it constantly.
I am totally with you on this. I only care about protecting what really matters to me. You cannot win. Companies are getting smarter on how to track you and they WILL track you no matter what you do. Hey I may be getting tracked right now typing all this. Who cares. Go ahead, show me some stupid ads. I won't click on them anyway. Or yea, get some sales guy to call my cell because I was labeled as a potential lead for some stuff based on a page I visited. I never pick up unknown calls. Next.
1) We are in tech. So what we do signals to others. How much we care signals to the public how much they care. If we don't, then why should they? And if they don't, how does legislation pass to prevent extreme invasion? It is in our (and companies') nature to push boundaries. If we don't get upset and do something then they push back.
2) There is more that I care about than Company X has Y data on me. Do I trust that company to be secure? Maybe now, but later? And that's where the government issue comes in. It isn't always about what the government is now, but can become. It should always be set up to be that IF there somehow became a dictator or oligarch, that they couldn't gain trivial access to tools that would exert extreme control.
Or can a foreign adversary exert control by using these tools (cough Russia cough)?
Yes, that kind of thing is unlikely in America, but it is much more likely to happen in other countries and what we do in the First World affects them. I personally am not worried about Trump trying to become dictator, but do we really want to set the ground for someone 50-100 years down the line that might try? Or do we want to make such an action as difficult as possible? And if they do gain that power we want to limit it as much as possible. (What happens when your system fails? Design FOR failure)
3) The argument of "we'll always be fighting" is a sadly true, but one that you can't let yourself be disheartened by. Because that would be like someone saying "well hackers are always going to try to get into my bank account, so I might as well let them." Currently we are the underdogs, and that is why it is so much harder now. But the only way to change that is to gain a critical mass.
So I ask, even if you don't think there is anything you can do and you can not take the steps to add more than minimal protection, then TALK about it. To me, the worst thing that can happen is that the public becomes (stays) complacent. While they are complacent and do not understand the consequences, then there can be no change and it will be a fruitless fight. But I think right now we have the best opportunity we've had in a long time to convince average people to care. (Facebook, Equifax, GDPR, Russian Hacks (which show how VERY real the adversarial abuse of data from non-malicious actors can be), etc).
After reading this one I'm not sure this is as bad as I thought it would be based on the headline:
"On new account applications, for example, behavioral biometric systems pay close attention to where and when applicants pause. A legitimate applicant typically types personal information — their name, their address, their Social Security number — fluidly, with few breaks. A scammer will often either cut and paste or take breaks to consult their notes."
It's currently used to do security checks. And it's being done while your interacting with the site/app. Seems like a useful security check, though I suppose there's some potential for abuse, somehow?
I think Google's CAPCHTCA thing does this too? It watches how your mouse moves and knows your a real person (or something close to that).
It's a signal. False positives need to be handled in some way. For captcha, they give you a captcha. For payments type stuff it's likely just one of hundreds of signals you can use to build a score that can raise a manual review above a certain threshold.
There is a company or two in this space that do an OK job of it.
The easy way around this as a scammer is to have the reference material visible beside the screen. I suspect it's another layer to augment existing verification checks. I do wonder about the false negative rate.
My bank's in-app password reset tool clears all fields and requires you to restart if the app is suspended mid-form. It also disables copy + paste into the app fields. And, their identity verification involves texting you a 10-digit security code, which falls just outside of most people's working memory.
And I use it often, because their password requirements are incredibly specific - so specific they cripple the search space - and they won't allow password manager pasting. Of course, if I made my password "dragondragondragon1!", they'd happily accept it and I'd never have to use their torturous interface.
It's amazing how far security features can go in being both anti-user and anti-security.
> though I suppose there's some potential for abuse, somehow?
One day you want to post online a video obtained through illegal means (for example you film animal abuse in a US abatory), you buy a burner phone and go to an open Wifi, but the behavioral fingerprint you left behind while using YouTube is used to track you down.
I guess this is still fair game, you were breaking the law after all, but you get the idea.
I guess it's a good thing that nobody with kids, a disability, or any other distractions ever fills out online forms when other things are happening in their homes, then!
I have often had my typing of personal information interrupted by my dog coming up and pushing my hand while I'm typing. Guess I wouldn't be able to apply for a loan from these people. Sheesh. What useless poppycock.
FUD. Provide some proof when you make a claim like that. If you've ever worked outside of dev you know how a paper trail or physical recording is critical for everything that happens in a businesses. You think a bank would let a customer and rep make account changes over the phone and not have a recording of that? What happens when there is a disagreement about what was said?
Journalists need to realize that likely every app is doing this. Look at the companies providing this data (FullStory, MouseFlow, AppSee etc etc), they are industry agnostic. It's as easy as installing a library or adding a few lines of code and voila, you have this same data.
This would be a huge improvement in the quality of these stories.
There's a meaningful difference between something like Red Shell, where a few games gathered data that most others don't collect, and the stream of "apps log events!" stories which find some examples and present them as company-specific outrages instead of a nasty practice across the industry. Without understanding that, it's hard to have a useful discussion about tracking.
I understand these metrics are easy to capture, but only if the browser / device makes it accessible via APIs. How difficult would it be to notify users (like GPS use, or Notifications on a phone) that X information is also being captured and allow for an opt-in?
It's not trivial as obviously applications need to know at some level where users are clicking / tapping to function, but does the device need to share that with the code being executed and/or can it hide that layer?
I'd pay good money (or pay money to support) a browser that did this well on mobile / desktop. (Tails browser has similar prompts for this kind of thing)
Admittedly, I am not well versed in the lower-level workings of the browser, so this may be a stupid thing to ask for.
`onClick(){fetchAllForumTopics();}` vs `onClick(){sendTrackingData();}`. Both are simple ajax calls.
Even if you somehow managed to know which calls to block, you could simply hack it by calling a jpg with extra parameters and then have the server save those:
Even ignoring that knowing where you click is as simple as knowing what feature you use. If you login then I know you clicked login, if you perform a search then I know you clicked on the search input. Usage of an element tells you where a user clicks. It misses things like clicking on whitespace or where your cursor traverses.
Right - that wouldn't be a perfect privacy solution but it would likely prevent significant biometric data gathering and not be too huge a burden on users / adoption.
I wasn't thinking of blocking specific function calls so much as that data not being available to the browser at all to send in the first place, providing the ability to selectively block mouse x,y coordinates tracking, etc before the code on the page was executed.
Again, this may not be possible without breaking the web given the structure of the browser and what pages need to render at a low level. Perhaps client-side middleware that only passes user data when an action is performed rather than constantly streaming coordinate and interaction data all the time?
This is a great idea! It's always a good idea to control carefully what information is available to a system you might not always be able to trust completely. It's especially important to be sure you're not leaking info through a channel you didn't consider, which at times means that an allowlisting approach is preferable to a blocklisting approach.
I’m thinking broadcast models of publication is inherently less privacy invasive.
So a browser only functioning over a federated content addressable web fetching content from trusted cache nodes could help isolate the problem to only vet information intentionally meant to be communicated leaving pure consumption reasonably private.
I for one, prefer not to be harassed by popups all day. What you propose is EU check for cookies, EU check for privacy statement, GPS check accelerometer check, keyboard check?
Ok, now we are getting a little ridiculous. If keyboard usage can be checked, that would be a warning for nearly every website. This reminds me of the app usage warnings on Android, which request access for every phone function. Or in California, the "Known to the state of California to cause cancer" notices that are in literally every restaurant.
When everything has a warning sign on it, nothing does. Opt-in just trains the user to ignore all of the prompts. A better solution in my opinion, would be to improve browser security and don't allow these APIs to be exploited beyond narrow use cases. In the interim, extensions could be used to reduce the effectiveness of all manner of data collecting.
There also is something to be said about user habits. For example, some websites are very intrusive with ads. My solution? I don't visit that site and find the information elsewhere. This is where extensions or browser features would be great. What if we created a privacy index on each site? Then the user could choose whether a visit to that site is necessary.
What I am asking for above was precisely what you suggest, a way to prevent the browser from making those APIs available for significant tracking purposes. Initially this might be "hey do you want to share your finger motions / accelerometer with this app" and I'd be OK with a number of pop-ups on first app open, but I'm a customer, not an app developer so I don't really care about the impact on adoption - I care about the privacy.
This has been going on for more than a decade. I implemented something like this back in 2004 for a payments page. The goal was completely focused on 1) fighting fraud 2) finding problems with filling out forms and 3) improving the experience for users.
People can argue that these things can be used for nefarious purposes, such as serving up targeted ads, but that's literally every browser you've ever used. That's literally the internet, and how it works.
This is abuse and wrong. Just as it is abuse and wrong for every website or app that does something similar. And this couldn't exist if we as software creators didn't make it. We as the creators of software need to look at everything we create for its potential to be used against people and if it could potentially be used to abuse someone, like say exposing interfaces that can be used for biometrics, we need to refuse to make it. People have survived for ages without your software and they might be better off if it stays that way. Don't be a part of this.
But how would that work? If I work on a word processing application, that application can be used to write horrible lies and propaganda that many people would believe. Are you saying I shouldn't work on such a product because of that?
If you look at the story of how browser cookies came about[0], it wasn't for advertising and tracking people. It was just intended to be a simple way to allow users to keep state between web pages to provide services the people wanted. It was later hijacked by ad companies to do surveillance and then the government hopped on board.
I think you make a great point. We _should_ question whether it's a good idea to make the word processor. I'm not saying it shouldn't necessarily be made but we should think about how it can be used and if the potential for harm is too high or if it can be mitigated. My point is these things should always be kept in mind and we need to not be afraid of not making the technology.
> Because your reaction is so individual, it’s hard for a fraudulent user to fake.
Malware can record behavioral user data from a compromised device then replay/modify to simulate the human on that device or another. Yet another arms race for black marketable behavioral "signatures".
74 comments
[ 3.1 ms ] story [ 137 ms ] threadThe banks are ultra-sensitive about personal data at the moment at least, but they really want these kinds of solutions to stop fraud without interrupting your user experience. They have the scale to demand vendors stay in a particular use case and I think they'll succeed.
I would expect the future you're predicting to exist, but I expect it to come from e-commerce companies and others adopting tech from similar vendors but without demanding any restrictions on data use.
They are reporting on a problem that we keep creating. I don't see any problems with this.
You make it sound like software engineers lobbied Bank CTOs to install this under duress
B) The developers could have said no. If my boss got a contract with a bank that said I had to track users against their will, I would turn it down.
The point is that the newspapers are bringing up a legitimate problem. It's not a "panic", it's a valid concern.
Tracking user input methods is not a shady business model. I was doing this for web forms back in 2003/4 to fight fraud, improve the user experience, and find problems.
> If my boss got a contract with a bank that said I had to track users against their will
But they aren't being tracked against their will, so you would have done this.
Just because you don't have a problem with this practice doesn't mean it is without problems.
It's not a business model. It's a security mechanism. Willing to bet that you track people.
> Just because you don't have a problem with this practice doesn't mean it is without problems.
Didn't say it was without problems. I just don't see any issue with using data people provide freely.
1. Outrage sells, so they like to cause outrage.
2. Their business model was invalidated by technology 20 years ago and they're still fighting to stay relevant.
If you want to see how they really feel about privacy, just visit their site with an ad blocker and see how many trackers get blocked.
Many people including myself were not familiar with the companies mentioned in this article or the use of their software for fraud prevention, these are the thrust of the article not hysteria.
Your conspiratorial assessment of this article seems to be misplaced.
It feels like it's a giant waste of time, even if you go out of your way to use "privacy protecting" expensive devices and software. Use an iPhone or LineageOS! Use Firefox! Don't use Google services! Don't use iCloud, back up everything to a local NAS! Pay for your email services!
It all feels mostly pointless. There's always another thing right around the corner. You're always defeated and tracked -- this time with "behavioral biometrics." For the average person, why not just give up? Throw an Amazon Echo in the corner and at least you can control your lights and play Jeopardy.
It's totally exhausting.
http://flowingdata.com/2010/10/22/privacy-and-the-internet/
I've had that in my Privacy & Security slide deck for years. I say unless you're willing to go to EXTRAORDINARY lengths, there really is very little privacy. IT's been gone for years. Maybe new laws like the GDPR will help push things in the right direction?
Ultimately though, I think we'll need legislative and platform solutions if we want to keep a good amount of online privacy. This just isn't something an individual can solve on their own.
But my personal history? My photos? Words I've written? Oh well. If someone wants that stuff, they can probably get it. And the gaping maw of robotic commerce doesn't actually care about me personally, it only cares what it can sell me.
I'm not worried about the police or some authoritarian tyranny on a personal level, on the level where what I say on the internet matters. I worry about it in an impersonal way. When the robot overlords are rounding up the granola-munching people of south Minneapolis for extermination, they won't be checking our internet history first.
Unlike you, I do worry about how such a breach of human rights affects my neighbors today.
This is a matter of prejudice and discrimination on a level we have never contended with.
The people most vulnerable are those who do have something to hide. Even if it’s not something I want them to hide (sex offenses are a popular example), I still support due process by a public justice system. I think anything else is asking for tyranny, so I think it’s important we consider those who are more likely to be marginalized.
Some things people might want to hide to prevent unjust prejudice and discrimination against them:
-Unpopular political views: It is in the interest of a healthy democracy to protect freedom of opinion . In the event that we fear their opinion, it is in our own interest that they feel free to educate themselves and grow. Freedom of access to education resources free of prejudice should not be confused with supporting online communities of hate.
-Lower/working class: discriminated against by potential employers, hampering the social mobility possible in our society
-Sick people: discriminated against by insurance companies, employers, advertisers
-People with STDs: The discrimination here is especially in humane. And separately, we should all understand the role that freedom of information and research resources has played in the progress we’ve made here.
-People of color: classically discriminated against by law enforcement and others
-Parents: well known to be targets of extreme advertising
-Aspiring parents: discriminated against by potential employers
Consider the authoritarian police reaction to people of color. That's not because they were googled. The problem is right there in the presence, in physical being. Cops don't bust people for appearing black on Facebook, but rather for appearing black while driving or walking in the park or something.
Unpopular political/social opinions aren't a matter of online privacy, generally. This is stuff that people post on Twitter, in public comments on Facebook, etc. If being an online racist blows up in someone's face, it's not because of Amazon or Wells Fargo; it's because they're shouting it in a public theater where anyone can see. (Hence the modern bigot's concern with "free speech" really meaning not that they can say what they want, but rather that no one judges them for what they say.)
Employment discrimination is widespread. And again, it's not about someone's online being, it's about their physical being. This is why so many startups are big young white dude sausage-fests. Like hires like. Are they discriminating? Sure. But not due to online privacy, but rather more pedestrian face-to-face matters.
I can go farther here, but hopefully my point is clear. When it comes to personal discrimination, that's usually a problem of person, not privacy, and tightening privacy settings offers little protection.
My list was of examples, not reasons. And, of course, each has varying levels of impact.
And how many reasons should one need to respect basic human privacy?
Would you assert these human rights aren’t worth defending until they’ve been invaded?
I just can’t see where the stipulation is, where the justification for your skepticism lies.
Your point of you comparisons with face-to-face interactions are lost on me entirely. Race, demeanor, height, sex, weight, and more are all determinable with enough collected data, and discrimated on accordingly. It’s the data that makes the discrimination more similar to physical interaction in terms of affect, but more scalable. Physical interactions take far more time and necessitate an emotion of conscience, both of which are often undermined in electronic communication, and always undermined in the process of data collection.
Similarly, I’m super confused about your point about political privacy. Are you seriously asserting everybody posts all of their political opinions on social media? Of course, I am referring to what they don’t post publicly. This should be a given, no? Anyhow, US law aggressively protects the ballots citizens cast in elections, and all the while any of these spying corporations readily determine this with a minuscule margin of error from citizen’s visited news outlets, search queries, social networks, etc. Anyone who has viewed their own personal Facebook data can confirm so.
Of course, physical violence is not an immediate concern over the internet. If that’s your point, then OK. It’s lessened in both directions and this is a different topic entirely.
Yeah, but then 2016 happened. This sort of "tactical positioning" on internet privacy is where I was prior to that year. The fact of the mater is that "personal threat exposure", while not completely irrelevant, misses the forest for the trees.
It's not YOU they're trying to manipulate, it's the herd. And it works. And that eventually comes around to impacting you just as personally as if you'd posted your bank account number and ssn on facebook.
EDIT: By clone I mean virtual clone of course, not Arnold Schwarzenegger "The 6th Day" clones
If you are an activist, you may get arrested for an unrelated crime, like getting stopped after you had a few drinks (because geolocation) or discredited if you are not out as a gay person or for anything else which might garnish your image in any way.
Your ability to fly, or your airport experience could be influenced by invisible forces like driving around certain places or writing favorably toward certain policies or religions.
If you are a good looking woman you may be creepily stalked and tracked.
And let’s not kid ourself about the fact that more and more of this data will be sold and resold until it becomes a commodity available to anyone who is willing to pay a nominal price.
Believing in the story that your activity and data don’t matter because you don’t matter is in a way resigning to never become someone who might matter. And this is by design.
Privacy matters a huge deal. Especially in an assymetric situation.
https://www.ted.com/talks/glenn_greenwald_why_privacy_matter...
Meanwhile, behavioral surveillance most certainly can be used to steal your money eg the pricing games that airlines and insurance companies commonly play, tailored to the individual level. Slowly accumulating a savings account named for some elective goal, someone dies across the country, and you need to get there in a day? Time to jack your airline prices. You'd hope age-old market competition would preclude this, but communications tech has been undermining that as well.
If online shopping sites start charging you 10% more based on your profile indicating you can afford it would you consider that stealing? How about if they just "customize" what products you're shown and you only see the high end ones?
This is on top of all the soft manipulation advertising already does, it's entire reason for existence is to make you buy something you otherwise wouldn't have. It's not stealing but it still involves less money in your wallet.
I try not to think about all those engineers out there on the other side, acting in opposition to user privacy, happily writing all this monitoring, tracking, fingerprinting, and profiling software. Many are probably readers here. I hope the paycheck is worth it.
And even given the measures you outlined, if your friend uses FB,Google services you will be exposed to those services via their address book being hoovered up, their photo tagging, their WIFI etc.
I think legislation and regulation is the only thing that's going to provide any meaningful recourse.
You had me at overwhelming futility
I haven't given up yet, but it's such a pain in the ass if you don't keep up on it. I ended up just ditching any service that doesn't respect my privacy or at the very least, stick with ones that say they respect it.
If there's anything real important I have a few friends who usually let me know. I still do miss some events but I figure if no one remembered to ask me, it's not important, or I'm not that important. Either way, it's not my issue.
I believe that the achievable thing to aim for is a transparent society instead of a half-mirror one.
I wish I could Browse to... and set scripts to run before a page is navigated to. I know you can do this from the Dev Tools console just by hooking into events, but i wish there were something more user-friendly so it'd be easy to pass around scripts to average users. Simply to unreference or wrap JS APIs that allow things like this. You'd still need to be impossibly aware of what new API Google is introducing in Chrome every week. I wish they defined subsets of JS, like how there's a C++ embedded standard and such. I know in JS land you go by feature detection not profile selection (like OpenGL?).
We're just learning more ways to sandbox I suppose.
PS: I want the ability to easily re-order the scripts that run before/after an event fires.
I'd say that's minimal effort and private enough for most purposes.
This is where I have landed, sadly. Especially now that I have a family, I simply don't have time or energy to think about privacy all the time. And that's the only way you can fight it, is to think about it constantly.
1) We are in tech. So what we do signals to others. How much we care signals to the public how much they care. If we don't, then why should they? And if they don't, how does legislation pass to prevent extreme invasion? It is in our (and companies') nature to push boundaries. If we don't get upset and do something then they push back.
2) There is more that I care about than Company X has Y data on me. Do I trust that company to be secure? Maybe now, but later? And that's where the government issue comes in. It isn't always about what the government is now, but can become. It should always be set up to be that IF there somehow became a dictator or oligarch, that they couldn't gain trivial access to tools that would exert extreme control.
Or can a foreign adversary exert control by using these tools (cough Russia cough)?
Yes, that kind of thing is unlikely in America, but it is much more likely to happen in other countries and what we do in the First World affects them. I personally am not worried about Trump trying to become dictator, but do we really want to set the ground for someone 50-100 years down the line that might try? Or do we want to make such an action as difficult as possible? And if they do gain that power we want to limit it as much as possible. (What happens when your system fails? Design FOR failure)
3) The argument of "we'll always be fighting" is a sadly true, but one that you can't let yourself be disheartened by. Because that would be like someone saying "well hackers are always going to try to get into my bank account, so I might as well let them." Currently we are the underdogs, and that is why it is so much harder now. But the only way to change that is to gain a critical mass.
So I ask, even if you don't think there is anything you can do and you can not take the steps to add more than minimal protection, then TALK about it. To me, the worst thing that can happen is that the public becomes (stays) complacent. While they are complacent and do not understand the consequences, then there can be no change and it will be a fruitless fight. But I think right now we have the best opportunity we've had in a long time to convince average people to care. (Facebook, Equifax, GDPR, Russian Hacks (which show how VERY real the adversarial abuse of data from non-malicious actors can be), etc).
"On new account applications, for example, behavioral biometric systems pay close attention to where and when applicants pause. A legitimate applicant typically types personal information — their name, their address, their Social Security number — fluidly, with few breaks. A scammer will often either cut and paste or take breaks to consult their notes."
It's currently used to do security checks. And it's being done while your interacting with the site/app. Seems like a useful security check, though I suppose there's some potential for abuse, somehow?
I think Google's CAPCHTCA thing does this too? It watches how your mouse moves and knows your a real person (or something close to that).
There is a company or two in this space that do an OK job of it.
And I use it often, because their password requirements are incredibly specific - so specific they cripple the search space - and they won't allow password manager pasting. Of course, if I made my password "dragondragondragon1!", they'd happily accept it and I'd never have to use their torturous interface.
It's amazing how far security features can go in being both anti-user and anti-security.
One day you want to post online a video obtained through illegal means (for example you film animal abuse in a US abatory), you buy a burner phone and go to an open Wifi, but the behavioral fingerprint you left behind while using YouTube is used to track you down.
I guess this is still fair game, you were breaking the law after all, but you get the idea.
I have often had my typing of personal information interrupted by my dog coming up and pushing my hand while I'm typing. Guess I wouldn't be able to apply for a loan from these people. Sheesh. What useless poppycock.
There's a meaningful difference between something like Red Shell, where a few games gathered data that most others don't collect, and the stream of "apps log events!" stories which find some examples and present them as company-specific outrages instead of a nasty practice across the industry. Without understanding that, it's hard to have a useful discussion about tracking.
It's not trivial as obviously applications need to know at some level where users are clicking / tapping to function, but does the device need to share that with the code being executed and/or can it hide that layer?
I'd pay good money (or pay money to support) a browser that did this well on mobile / desktop. (Tails browser has similar prompts for this kind of thing)
Admittedly, I am not well versed in the lower-level workings of the browser, so this may be a stupid thing to ask for.
`onClick(){fetchAllForumTopics();}` vs `onClick(){sendTrackingData();}`. Both are simple ajax calls.
Even if you somehow managed to know which calls to block, you could simply hack it by calling a jpg with extra parameters and then have the server save those:
`onClick(){body.css({backgroundImage: 'http :// mysite.com/ images/ logo.png?x=123&y=512&elementName=BankAccountNumber'});}`
Again, this may not be possible without breaking the web given the structure of the browser and what pages need to render at a low level. Perhaps client-side middleware that only passes user data when an action is performed rather than constantly streaming coordinate and interaction data all the time?
Your heart is in the right place. Keep iterating!
So a browser only functioning over a federated content addressable web fetching content from trusted cache nodes could help isolate the problem to only vet information intentionally meant to be communicated leaving pure consumption reasonably private.
Ok, now we are getting a little ridiculous. If keyboard usage can be checked, that would be a warning for nearly every website. This reminds me of the app usage warnings on Android, which request access for every phone function. Or in California, the "Known to the state of California to cause cancer" notices that are in literally every restaurant.
When everything has a warning sign on it, nothing does. Opt-in just trains the user to ignore all of the prompts. A better solution in my opinion, would be to improve browser security and don't allow these APIs to be exploited beyond narrow use cases. In the interim, extensions could be used to reduce the effectiveness of all manner of data collecting.
There also is something to be said about user habits. For example, some websites are very intrusive with ads. My solution? I don't visit that site and find the information elsewhere. This is where extensions or browser features would be great. What if we created a privacy index on each site? Then the user could choose whether a visit to that site is necessary.
People can argue that these things can be used for nefarious purposes, such as serving up targeted ads, but that's literally every browser you've ever used. That's literally the internet, and how it works.
If you look at the story of how browser cookies came about[0], it wasn't for advertising and tracking people. It was just intended to be a simple way to allow users to keep state between web pages to provide services the people wanted. It was later hijacked by ad companies to do surveillance and then the government hopped on board.
[0] https://en.wikipedia.org/wiki/HTTP_cookie#History
Malware can record behavioral user data from a compromised device then replay/modify to simulate the human on that device or another. Yet another arms race for black marketable behavioral "signatures".
How can a browser-based app detect whether I'm using the number pad or not?