How many pages of ToS and Privacy Policies?

So, I started this thought experiment: let’s assume for the moment that government is completely trustworthy, only has your interests at heart and doesn’t secretly sell you out to whoever they feel like. Now, on top of that, what about the agreements you enter into with corporations? How long are they and could you properly understand all the implications to your privacy and give informed consent?

So… I started with when I left home. I got on a Virgin Flight, they have a privacy policy which is eight pages. I then arrived in New Zealand and filled out a customs form. I could not find anything about what the New Zealand customs service could do with that information, but let’s just assume they’re publishing it all on the internet and selling it to the highest bidder. The other alternative is that they follow the New Zealand Privacy act, which is a mere 182 pages.

Once getting through customs I turned on my phone. The basics are probably covered by the New Zealand Telecommunications Privacy Code (35 pages) and since I was on Vodafone NZ, their three page privacy policy likely applies. Of course, I’m roaming, so the Vodafone Australia three page privacy policy also likely applies (of course, under a completely different legal framework). There’s likely things in the other agreements I have with Vodafone, the standard agreement summary is a mere 4 pages and the complete agreement is 84 pages.

I arrived at my hotel and the Langham privacy policy is two pages. I then log into Facebook, 30 pages of important things there, into Twitter, another 11 pages. My phone is all hooked up to Google Play, so that’s another 10 pages. I walk into the conference, the code of conduct is a single page which was a pleasant relief. I then log into work mail, and the GMail terms of service is three pages with a four page privacy policy.

If I was someone who used the iTunes, it would be reasonable that I would watch something in the hotel room – another 24 pages of agreement before then deciding to call home, carefully reading the full 20 pages of Skype terms of service and privacy policy.

In total, that’s 428 pages.

This excludes any license agreements to the operating system you’re using on your laptop, phone and all the application software. It also excludes whatever agreement you enter into about the CCTV footage of you in the taxi to and from the airport.

So, my question to the panel at OSDC was: how on earth is the average consumer meant to be able to make an informed decision and give their informed consent to any of this?

The Age (Fairfax) picks up on Telstra NextG ‘stalking’

http://www.theage.com.au/technology/technology-news/telstra-accused-of-next-g-web-stalking-20120705-21ivs.html

It took a while, but it’s there. There is a mention of Netsweeper and that they provide products and services to Yemen, Qatar and the United Arab Emirates but it misses what these products are really for.

Tor + Firefox + Twitter + (not rooted) Android = awesome

Update: As of October 2015, you should likely install the OrFox browser which is from The Tor Project and is a port of the Tor Browser to Android. Installing OrBot and OrFox makes browsing through Tor on an Android device easy. The rest of this blog entry is left in-tact for historical record, but as of now, look at OrFox rather than this process.

This is actually pretty simple to get going once you know how. This is a short “HOWTO use Tor on Android”

Basic problem: I want to use Tor on my phone. If you’re wondering why, perhaps my previous posts on Telstra and what they do to your traffic may be a good hint.

First of all, you’re going to want to install OrBot. It’s available from the Google Play store. There is absolutely no harm in leaving this running all the time in the background. I have found it to have zero impact on battery life of my phone (the Battery thing in settings doesn’t show OrBot at all).

With OrBot running, you now have a HTTP and SOCKS proxy available on your phone. This means you can set any app that can use a HTTP or SOCKS proxy to do their Internet access through Tor instead of directly through your Wifi or cellular network.

The Twitter client wonderfully has built in support for using a HTTP proxy. You just need to go into the Twitter app’s Settings, click “Enable HTTP Proxy”, and set “Proxy Host” to localhost and “Proxy Port” to 8118. You are now done. You can test this by disabling OrBot and then trying to refresh your Twitter stream. If it doesn’t work, then Twitter is trying to use the (not running) Tor proxy. Re-enable OrBot to be able to use your Twitter client. This “just works”.

There is pretty much no excuse not to have your phone Twitter client go through Tor. We all know that Twitter gets all sorts of legal queries for information about users. We also know that they’ve been fairly good about it, and indeed hats off to Twitter for being awesome. But… guess what? We can just ensure they don’t have any information worth handing over :)

Next step… Web Browsing. The Firefox Beta is pretty awesome. It’s fast and usable (which is exactly what you want in a web browser). This may also work with the standard Firefox browser (I’m not sure when they’ve updated it to be on par with the Firefox Beta version I’ve been using).

There is no place to specify proxy settings in the normal UI (I do hope Mozilla add this). But not to worry, Firefox on Android is built on the same base as Firefox on the desktop, so it does support it (there just isn’t a good UI).

What you need to do is go to the URL bar and go to “about:config”. This shows every little thing you can tweak in Firefox (a lot). Luckily, there’s a search bar. Search for “proxy” and modify the following settings to the following values (the = sign means “click modify and enter the value after the =”):

  • network.proxy.http = 127.0.0.1
  • network.proxy.http_port = 8118
  • network.proxy.socks = 127.0.0.1
  • network.proxy.socks_port = 9050
  • network.proxy.ssl = 127.0.0.1
  • network.proxy.ssl_port = 8118
  • network.proxy.type = 1
  • UPDATED: network.proxy.socks_remote_dns to “true” (click “toggle”)

Then head to http://check.torproject.org to check that it’s working!

This doesn’t provide you with all the features and benefits of using the TorButton in the desktop firefox, but it will stop your mobile phone provider spying on all the web sites you visit (unless they break into your phone itself).

Luckily, Android is fairly awesome and whenever you try to open a URL it can ask you what program you want to use to do that with. Guess what? Just select the Firefox you configured with Tor to open it and you’re browsing through Tor. Brilliant and easy with no need to go and “root your phone” or anything else that may turn people off from doing so.

Update: Thanks should also go to François Marier for his site that helped me get this right: http://feeding.cloud.geek.nz/2012/06/browsing-privacy-and-ad-blocking-on.html

Update: Added setting of socks_remote_dns

Telstra stops tracking, still supporting Netsweeper

http://www.zdnet.com.au/telstra-halts-customer-tracking-339340404.htm

The big news:

“We are stopping all collection of website addresses for the development of this new product,” Telstra said in a statement.

This does not change their association (and presumed financial support) of Netsweeper, helping make its technology affordable to its government customers who use it to suppress free speech and access to information.

See also:

Telstra funding censorship in Middle East

This post inspired by https://twitter.com/BernardKeane/status/217535549731389440

So, we know that Netsweeper is used by Telstra - http://www.zdnet.com.au/telstra-logs-customer-history-for-new-filter-339340337.htm

We know that Netsweeper is used in Qatar, the UAE and Yemen ( http://en.wikipedia.org/wiki/Internet_censorship – see also http://www.guelphmercury.com/news/local/article/577673–aiding-repression-or-just-doing-business ) and these states use it to suppress free speech and access to information.

The majority of countries that implement suppression of free speech on the internet could not afford the high cost of developing such software. The only thing that makes it possible is the subsidies from companies in the free world. With Telstra using Netsweeper, they directly contribute to the development costs of this software.

In years gone past free speech was suppressed by members of secret police and guns. Now you can do a lot of that with software. Software that is made affordable because the development costs are shared with companies such as Telstra.

See also my last two posts on the topic:

An update on Telstra’s surveillance of what you do online

http://www.scmagazine.com.au/News/306441,telstra-tracks-users-to-build-web-filter.aspx

I’d suggest going and reading: http://arstechnica.com/tech-policy/2009/09/your-secrets-live-online-in-databases-of-ruin/ to learn a bit about anonymization failures.

What we know:

  1. Telstra has the ability to monitor every URL you visit on a NextG connection
  2. Telstra is, in fact, monitoring every URL you visit through your NextG connection and piping that to some computer system that then takes action on it.
  3. None of this was disclosed to customers.
  4. Telstra is building a system for censorship.

What we don’t know:

  1. If this is a violation of any Australian privacy law (I’m not a lawyer)
  2. Who else has access to this “anonymised” data (hellooo US legal system)
  3. What universal surveillance infrastructure they have running

Update: this is a followup from yesterday’s post: http://www.flamingspork.com/blog/2012/06/25/on-telstra-tracking-nextg-http-requests/

On Telstra tracking NextG HTTP requests

http://lists.ausnog.net/pipermail/ausnog/2012-June/013833.html and http://www.scmagazine.com.au/News/305928,telstra-says-its-not-spying-on-users.aspx were recently published saying that Telstra NextG users were seeing some interesting things. (Yes, there’s a Whirlpool post too, but since they block requests from Tor I’m not going to link to them)

Basically, on their servers they were seeing HTTP requests to the same URL as they had just visited with their phone, but from an IP address that certainly wasn’t their phone.

I started to investigate.

I put up a simple HTML page on a standard HTTP server and then got a NextG device to query it. I saw a log that came from a TELSTRA owned block of IPs. I didn’t see any suspicious second request though. Sadness.

Turns out you have to request the URL twice to get this other request. It is after this second request that you get a query from a Rackspace/Slicehost IP (cloud provider, so it is unlikely Rackspace itself is involved any more than as a Cloud provider) with the same URL (although via HTTP/1.0 instead of 1.1). On a subsequent request, I didn’t see a corresponding one from this IP. Also, when accessing this URL from a different NextG device, I did not see a request from the Rackspace/Slicehost IP block.

If I change the content of the file and try to fetch again, it doesn’t download it anew. This suggests that there is not inspection of the content of what’s coming back from the HTTP server.

The User Agent pretends to be Firefox running on Windows. I have not yet found out anything specific about it.

What can we learn from this?

  1. If you think that putting a URL up and only telling 1 person about it is private you are very, very, very much mistaken
  2. Telstra is quite possibly spying on you, from servers in the USA, which is under a different set of laws than if it was done in Australia.
  3. Telstra is sending what websites you visit on your NextG connection to the USA. If you are at all involved in anything that may make the US government unhappy (e.g. disagreeing with it) this may have interesting implications. Further research is needed as to what exactly
  4. Telstra keeps a record of all URLs as otherwise it could not implement “on the second request”
  5. The iPhone needs Tor more than ever and it needs it on a system level.

Update: I have been pointed to http://v3.mike.tig.as/onionbrowser/ which is an Open Source Web Browser that uses Tor on iOS.

Update: http://www.flamingspork.com/blog/2012/06/26/an-update-on-telstras-surveillance-of-what-you-do-online/

TextSecure – secure SMS for Android

So… having secure SMS really isn’t hard. Onec upon a time you may have been forgiven to think that your SMS messages weren’t recorded forever by telecommunications companies or various government agencies, but those times have long passed. At the very least you should be concerned about somebody getting hold of your phone and going through all your SMSs (phones no longer just store 20 messages).

TextSecure (Free and Open Source Software up on github) does both local encryption (messages are encrypted on your phone) and over the wire encryption. That’s right kids – you can send encrypted text messages to each other.

It’s a drop-in replacement for the built in Android text messages application, so it all “just works”.

Go install it now.

This is the app that Jacob Appelbaum mentioned in is Keynote at lca2012.

H.264 Anti-features

No, You Can’t Do That With H.264 is an excellent write up of how H.264 (“MPEG-4”) is fraught with problems that you just would not have if using Free (as in Freedom) formats such as Ogg Vorbis and Theora.

It is amazing that Final Cut “Pro” cannot actually be used to create H.264 content for commercial (i.e. “Pro”) use!

It’s the same for MPEG-2.

Oh, and if you use it to decode video that was encoded by somebody without the proper license… well, then you’re also screwed. How the heck you’re meant to work that one out I have no idea.