Daily Post, October 24, 2017

5 min read

It's been a busy few days, but here are some of the things I've been reading. Enjoy!

Open Source Code from ProPublica to Detect Political Ads

While the lawyers at major tech companies complain that it's too hard to find political ads, ProPublica released code showing how easy it is to identify political ads.

We're asking our readers to use this extension when they are browsing Facebook. While they are on Facebook a background script runs to collect ads they see. The extension shows those ads to users and asks them to decide whether or not a particular ad is political. Serverside, we use those ratings to train a Naive Bayes classifier that then automatically rates the other ads we've collected. The extension also asks the server for the most recent ads that the classifier thinks are political so that users can see political ads they haven't seen. We're careful to protect our users' privacy by not sending identifying information to our backend server.
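To make the pipeline ProPublica describes concrete, here is an added example (my own sketch, not ProPublica's extension or backend code) of the server-side step: a multinomial Naive Bayes classifier with add-one smoothing, trained on ads that users have rated and then used to rate the ads nobody has labelled yet. The ad texts, the labels and the two-class scheme are constructed for illustration; a real deployment would train on far more ratings and, as the quote says, make sure no user-identifying data travels with the ad text.

```python
"""Added example (not ProPublica's code): a minimal multinomial Naive Bayes
text classifier of the kind a backend would use to label collected ads as
political or not. All ad texts and labels below are constructed."""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9']+")


def tokenize(text):
    """Lowercase and split into word tokens. A real pipeline would strip URLs,
    names and any other identifying text before it leaves the browser."""
    return TOKEN_RE.findall(text.lower())


class NaiveBayesAdClassifier:
    """Multinomial Naive Bayes with Laplace (add-one) smoothing."""

    def __init__(self):
        self.class_counts = Counter()   # label -> number of rated ads
        self.word_counts = {}           # label -> Counter of tokens
        self.total_words = Counter()    # label -> total tokens seen
        self.vocab = set()

    def train(self, labelled_ads):
        for text, label in labelled_ads:
            tokens = tokenize(text)
            self.class_counts[label] += 1
            self.word_counts.setdefault(label, Counter()).update(tokens)
            self.total_words[label] += len(tokens)
            self.vocab.update(tokens)

    def log_posterior(self, text):
        """Return {label: unnormalised log P(label | text)}."""
        tokens = tokenize(text)
        n_docs = sum(self.class_counts.values())
        v = len(self.vocab)
        scores = {}
        for label, n in self.class_counts.items():
            score = math.log(n / n_docs)            # log prior
            for tok in tokens:                       # smoothed log likelihoods
                count = self.word_counts[label][tok]
                score += math.log((count + 1) / (self.total_words[label] + v))
            scores[label] = score
        return scores

    def probability_political(self, text):
        """Normalise the log scores (log-sum-exp) into P(political | text)."""
        scores = self.log_posterior(text)
        m = max(scores.values())
        z = sum(math.exp(s - m) for s in scores.values())
        return math.exp(scores["political"] - m) / z

    def rate(self, text, threshold=0.5):
        return "political" if self.probability_political(text) >= threshold else "not_political"


# Constructed sample of ads that extension users have already rated.
RATED_ADS = [
    ("Vote for Senator Smith on November 7. Paid for by Friends of Smith.", "political"),
    ("Tell Congress: protect healthcare. Sign the petition today.", "political"),
    ("Our candidate will fight for working families. Donate now.", "political"),
    ("Stand with the governor against the tax bill. Join the campaign.", "political"),
    ("50% off running shoes this weekend only. Free shipping.", "not_political"),
    ("New pizza delivery app. Order now and get a free drink.", "not_political"),
    ("Book your beach vacation and save on hotels.", "not_political"),
    ("Stream the new season today. First month free.", "not_political"),
]

# Constructed ads nobody has rated; the server labels these automatically.
UNRATED_ADS = [
    "Donate to the campaign and help our candidate win Congress.",
    "Free shipping on all shoes. Order now.",
]


def rate_unrated(rated=RATED_ADS, unrated=UNRATED_ADS):
    """Train on the human ratings, then return {ad_text: predicted_label}."""
    clf = NaiveBayesAdClassifier()
    clf.train(rated)
    return {ad: clf.rate(ad) for ad in unrated}


if __name__ == "__main__":
    for ad, label in rate_unrated().items():
        print(f"{label:14s} {ad}")
```

With a training set this small the classifier is driven by a handful of tokens ("donate", "campaign", "congress" versus "free", "shipping", "order"), which is exactly why the extension keeps asking users to rate ads: the model is only as good as the labelled sample behind it.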

Adtech won't fix this problem. They have a financial interest in not fixing this problem. Every day that passes without a fix for this problem is another day they make money from undermining our democracy. I also doubt the ability of our current crop of lawmakers to understand the problem, or understand a good solution.


Blockbear is an ad blocker for iOS, made by the same folks that make TunnelBear VPN.

A really simple, often adorable adblocker for your iPhone or iPad.

  • Blocks ads and invasive online tracking
  • Load many websites 3-5 times faster
  • Whitelist your favorite websites
  • Has bears

You could download another adblocker, but then you wouldn't have a bear!

While I haven't used this, it looks interesting.

Obfuscation Workshop Report

The report from the International Workshop on Obfuscation is now released and available for download.

We have asked our panelists to each provide a brief essay summarizing their project, concept, application—with an emphasis on the questions, challenges, and discussions raised during the weekend. As with the workshop itself, this report is a starting point rather than an end point.

I haven't read this yet, so have little to say on the contents, but obfuscation is one of many tools we have to protect our privacy, and make the data collected about us less useful.

China's "Social Credit" System

China is rolling out a system that publicly measures every citizen. Thought experiment: how much more data would a country need besides what Facebook or Google already collect to create a similar system?

Imagine a world where many of your daily activities were constantly monitored and evaluated: what you buy at the shops and online; where you are at any given time; who your friends are and how you interact with them; how many hours you spend watching content or playing video games; and what bills and taxes you pay (or not). It's not hard to picture, because most of that already happens, thanks to all those data-collecting behemoths like Google, Facebook and Instagram or health-tracking apps such as Fitbit. But now imagine a system where all these behaviours are rated as either positive or negative and distilled into a single number, according to rules set by the government. That would create your Citizen Score and it would tell everyone whether or not you were trustworthy. Plus, your rating would be publicly ranked against that of the entire population and used to determine your eligibility for a mortgage or a job, where your children can go to school - or even just your chances of getting a date.

This is what data does, very well. Data supports systems that rate, rank, sort, all day long. This is not a neutral activity. Anyone who claims otherwise is not adequately informed.

Can We All Just Encrypt Our Stuff Already?

Troy Hunt lays out a clear roadmap for getting HTTPS running on a web site.

Well, it can be more difficult but it can also be fundamentally simple. In this post I want to detail the 6-step "Happy Path", that is the fastest, easiest way you can get HTTPS up and running right.

This change is coming, so please, just do this. Now. Please.

For $1000 You Can Track Someone Via Adtech

The research in this paper shows how the core features of an ad network can be used to track an individual.

There is a fundamental tension at work in the online advertising ecosystem: the precision targeting features we used for these attacks have been developed for legitimate business purposes. Advertisers are incentivized to provide more highly targeted ads, but each increase in targeting precision inherently increases ADINT capabilities.

This is how data tracking works. Data allows us to ask questions. The researchers in this study didn't exploit a bug. They used the advertising systems exactly as they were designed. This technique would almost certainly work to target children.

Facebook Tests Gouging Publishers

Facebook can spin this effort to gouge publishers in a few ways, but their move to pull nearly all non-promoted posts from users' main feeds would force publishers to pay Facebook in order to reach people.

A new system being trialled in six countries including Slovakia, Serbia and Sri Lanka sees almost all non-promoted posts shifted over to a secondary feed, leaving the main feed focused entirely on original content from friends, and adverts.

Facebook might even try and spin this as an effort to combat misinformation, but this move really demonstrates what the "meritocracy" looks like in Silicon Valley: if you want access, pay the people who control it. For any publishers who had any illusions about how Facebook views them, this move should dispel all doubts. It's also worth noting where Facebook rolled this test out: smaller countries with, presumably, a userbase with fewer connections.

Daily Post - October 18, 2017

4 min read

Some of the articles and news that crossed my desk on October 18, 2017. Enjoy!

Facebook and Google Worked with Racist Campaigns, at Home and Abroad

Both Facebook and Google worked closely with an ad agency running blatantly racist ads during the 2016 campaign. Both companies worked on targeting more precisely, and provided a range of technical support.

Facebook advertising salespeople, creative advisers and technical experts competed with sales staff from Alphabet Inc.’s Google for millions in ad dollars from Secure America Now, the conservative, nonprofit advocacy group whose campaign included a mix of anti-Hillary Clinton and anti-Islam messages, the people said.

Facebook also worked with at least one campaign putting racist ads in Germany to target German voters. This is what the "neutrality" of tech looks like: racism with money behind it is always welcome. The data collection and subsequent profiling of people is a central element of how racism is spread, and how data brokers and advertising companies work together to profit.

Russia Recruited Activists to Stage Protests

The people who were recruited didn't know they were working with Russians. But this is an odd corner of Russian attempts to create noise and conflict around issues related to race.

Russia’s most infamous troll farm recruited US activists to help stage protests and organize self-defense classes in black communities as part of an effort to sow divisions in US society ahead of the 2016 election and well into 2017.

As always, research your funders and contacts.

US Government Wants the Right to Access Any Data Stored Anywhere

The US Supreme Court will hear a case that looks at whether a legal court order can compel a company to hand over information, even if that information is stored outside the US.

In its appeal to the high court, meanwhile, the US government said that the US tech sector should turn over any information requested with a valid court warrant. It doesn't matter where the data is hosted, the government argues. What matters, the authorities maintain, is whether the data can be accessed from within the United States.

This has the potential to open the floodgates for personal data to be accessed regardless of where it is stored. This would also gut privacy laws outside the US (or create a legal mess that will take years to untangle, and make lawyers very rich). It would also kill the tech economy and isolate the US, because who outside the US would want to connect to a mess like that?

For $1000 US, You Can Use AdTech to Track and Identify an Individual

A research team spent $1000 with an ad network, and used that to track an individual's location via targeted ads.

An advertising-savvy spy, they've shown, can spend just a grand to track a target's location with disturbing precision, learn details about them like their demographics and what apps they have installed on their phone, or correlate that information to make even more sensitive discoveries—say, that a certain twentysomething man has a gay dating app installed on his phone and lives at a certain address, that someone sitting next to the spy at a Starbucks took a certain route after leaving the coffee shop, or that a spy's spouse has visited a particular friend's home or business.

The researchers didn't exploit any bugs in mobile ad networks. They used them as designed. So, aspiring stalkers, abusers, blackmailers, home invaders, or nosy creeps: rest easy. If you have $1000 US, AdTech has your back.

Watches Designed for Helicopter Parents Have Multiple Security and Privacy Issues. Cue Surprise

In what should surprise absolutely no one, it looks like spyware designed for the hypervigilant and short-sighted parent has multiple security flaws that expose kids to focused risk.

Together with the security firm Mnemonic, the Norwegian Consumer Council tested several smartwatches for children. Our findings are alarming. We discovered significant security flaws, unreliable safety features and a lack of consumer protection.

Surveillance isn't caring. I completely understand that raising a kid can be petrifying, but when we substitute technology for communication, we create both unintended consequences and multiple other points of potential failure.

DailyPost - October 17, 2017

6 min read

I've been thinking and rethinking how I use Twitter. I've been on the service for a while, but I am increasingly uncomfortable with the service and the company. Between Twitter's blatant failures at curbing abuse, curbing the spread of misinformation, and the general privacy issues that plague corporate social media, I will be leaving Twitter at some point in the future.

However, I still have interesting conversations on Twitter. I still learn things. I still meet people I wouldn't meet otherwise. So, while I am staying on the site for now, I am also looking at things I can change to make leaving Twitter easier - which brings us to this post.

I use Twitter as a way of storing links I will read later. I'm going to change that, and store information in a space I control, in a format that works for me. I'm hoping that this will also make me a better reader and sharer - rather than skimming and being superficial, I will spend a little more time selecting what I want to retain. For now, I'm thinking I'll keep a running list of information I encounter during the day, and rather than spin it out on Twitter over the course of the day, I'll collect them into a list, with short commentary.

This isn't revolutionary - really, it's what a whole bunch of people did before Twitter, back in Ye Olde Days of the Blogge. I see myself putting out posts like this every few days. Over time, we'll see what develops.

Collection of data in the UK

In the UK, there appears to be widespread collection of data from social media accounts:

It remains unclear exactly what aspects of our communications they hold and what other types of information the government agencies are collecting, beyond the broad unspecific categories previously identified such as “biographical details”, “commercial and financial activities”, “communications”, “travel data”, and “legally privileged communications”.

It's unclear if this information is collected via publicly available information, or via some type of access granted by the company.

Old, but always timely: How to Write a Tom Friedman Article

From 2004, but, unfortunately, timeless. How to Write a Tom Friedman Article.

What’s important, however, is that we focus on what these events mean [on the ground/in the street/to the citizens themselves]. The [media/current administration] seems too caught up in [worrying about/dissecting/spinning] the macro-level situation to pay attention to the important effects on daily life. Just call it missing the [desert for the sand/fields for the wheat/battle for the bullets].

You too can write intellectually lazy hot takes. Because we need more of those.

InfoSec Pros Among Worst Offenders of Employer Snooping

Who knew? Information Security professionals often access information they .

And it turns out that IT security executives were the worst offenders of this snooping behavior, compared to the rest of their team, according to the Dimensional Research survey commissioned by One Identity.

Executives are more likely to engage in unethical behavior than lower level employees. Shocking.

More on Harvey Weinstein

We will be hearing about Harvey Weinstein for a good long time, I suspect. The latest is that he fired a director and recast the lead in a movie because the director's choice "wasn't 'fuckable'".

“I was furious after being kicked off my film and I told them all about what happened, I told them about the harassment claims and I said here is your quote: ‘I don’t cast films according to Harvey Weinstein’s erection,’ and they just laughed,” Caton-Jones said.

And, of course, the press knew, and other people knew, and no one did anything. We shouldn't kid ourselves that the attention on Harvey Weinstein is fixing the root of the problem. Weinstein deserves everything he gets, but if you think Weinstein is unique, or that Hollywood is unique, think again. Harassment is pervasive. When women speak, we need to believe them.

More on Insecure IoT Devices

Many IoT devices use Bluetooth Low Energy to connect. Sex toys are no exception, including the occasional butt plug.

This is the final result. I paired to the BLE butt plug device without authentication or PIN from my laptop and sent the vibrate command.

I hope that we can look past the butt plug (figuratively) to see how many standard IoT implementations are hopelessly insecure.

No One Reads Terms and Conditions

From 2016, but still relevant.

What we did is we went to the extreme, and we included this - a firstborn clause suggesting that if you agreed to these policies that as a form of payment, you'd be giving up a first-born child. And 98 percent of the participants that took the study didn't even notice this particular clause.

I know parenting is hard, people, but seriously -- pay attention.

OpEd by a Student on Navigating White Educators

The author is a black student who has been taught by predominantly white teachers.

(s)tudents of color make up 85 percent of the population... Our teaching staff is proportionally opposite: more than 85 percent white. That racial disparity between students and staff is a problem. There are subliminal and subconscious micro aggressions, uncomfortable questions about black hair, attempts to invalidate students' experiences of racism and constant assumptions about their backgrounds.

We need to listen to students, even if it makes us uncomfortable -- or especially when it makes us feel uncomfortable.

Privacy and Tracking on State Department of Education Web Sites

Doug Levin has started what looks to be a great series on State Departments of Education and how they respect (or don't) the privacy of people who visit their web sites.

(t)he web is not—nor will ever be—static. New technologies, tools, and services routinely offer up innovative new capabilities and personalized experiences. And, with every new digital experience that may amaze and delight website visitors, potential new threats can be introduced. While not frequently on the cutting edge of technology, school websites and information technology systems are not immune to these larger trends.

This work will be coming out over the next few days/weeks - I look forward to seeing where it leads.

Google Serves Fake News Ads on Fact Checking Sites

You can't make this stuff up. Google AdWords was used to spread misinformation on sites dedicated to debunking misinformation. As usual, Google provided no information about how their system was exploited, or how much money they made from ads placed by these fraudulent sites.

Google declined to explain the specifics of how the fake news ads appeared on the fact-checking sites.

As I and others have written about, Google is complicit in this, and Google and other adtech vendors profit from misinformation.