Category

Data Privacy

Not-so-Private Browsing Mode

By | Data Privacy, Data Protection | No Comments

Have you ever used a “private” browsing window before?  You might know it as “Incognito Mode” in Chrome, “InPrivate” in Edge, or “Private Browsing Mode” in Safari & Firefox.  These private modes may do little more than tell the browser to forget what you did once you close the window.  Search history, pages visited, and what you typed in will be deleted when the browser closes.  However, there are many misconceptions about what private means.  A scientific study conducted on the Misconceptions About Private Browsing Mode found that most users grossly overestimate the protections provided by private browsing modes.   A very important aspect to recognize is that these private browsing modes are concerned about privacy within the scope of the device you are using.  For example, users sharing a laptop may want to use a private browsing mode to conceal login credentials and browsing history from other users of the device.  Information sent over the internet, however, is subject to the same scrutiny as any other traffic sent in regular browsing mode and can be tracked.   So that means, your search history that’s not stored by the browser can still be stored and saved by your search provider, e.g. Google, and traced back to you using more advanced fingerprinting techniques which a private browser does not prevent.

The study found that the wording of the various private browsing disclosures by the major browsers led to many misconceptions and overestimation of the level of privacy actually provided.  The paper’s introduction highlights such misconceptions: “This overestimation reaches far; Eric Schmidt, former CEO of Google, once stated, ‘If you’re concerned, for whatever reason, you do not wish to be tracked by federal and state authorities, my strong recommendation is to use incognito mode, and that’s what people do.'”  This statement by Schmidt, falsely implies that incognito mode provides more protections than it actually does.  Assuming the intent was not to mislead then that means even the CEO of Google at that time had grossly overestimated the protections provided by private browsing.

Since even the CEO of one of the biggest companies in the world has misconceptions about the protections provided by one of his company’s most popular pieces of software, we thought we’d put together a list to help you.  Below, we’ve provided a few of the key items that the average private browsing window does and does not protect you from:

Private Browsing does NOT:

  1. Prevent websites from tracking you
  2. Prevent malware and viruses
  3. Hide the websites you visit
  4. Hide your location
  5. Hide your downloads
  6. Block Ads

Private Browsing does:

  1. Prevent your web activity being saved locally by the browser
  2. Prevent most data that is usually saved in non-private browsing sessions from being exposed
  3. Share data between other private browsing tabs during a session
  4. Make you feel safer without providing the level of protection you need to be anonymous

Uses for Private Browsing:

  1. On a shared computer with other users such as a family computer or in a library.
  2. To avoid leaving a trace of past activity on any computer.
  3. To log into the same site with a second account.
  4. To test how a site looks to a new user.

 


 

Grey Market Labs is a Public Benefit Corporation founded with the social mission to protect life online for people and organizations. Our software and hardware products are creating a future with privacy-as-a-service, delivering proactive internet protection from the moment of access to countering exploitation of digital behavior and activity. Simply: we prevent data from being compromised, establish trust between users and protect our customers work, online.

Contact us to see how we can work together.

DNS: Tracking mitigation upended

By | Data Privacy | No Comments

DNS ad-based tracking gets a boost

On 11/22/2019, the co-founder of NextDNS posted an article (https://medium.com/nextdns/cname-cloaking-the-dangerous-disguise-of-third-party-trackers-195205dc522a) addressing 3rd-party tracking capabilities with DNS. If you haven’t read it yet, it’s worth a read to see how far-ranging the technical challenges are. At Grey Market Labs we’re acutely aware of tracking techniques that range from simple to complex to downright scary, so this technique wasn’t a surprise. Instead it just was another step towards a future where tracking mitigation is impractical for all but the most sophisticated users.

Some DNS history and how we got here…

DNS began in the 80s when everyone on the internet more or less trusted everyone else, at least when it came to allowing computers to talk to each other. That trust was fine when the set of computers was small and trust was a reasonable expectation. There was even a single group responsible for allowing new computers and domains to connect and they manually maintained a master list. By the late 80s there were many more computers connecting to this new internet and the management overhead was untenable. Simplifying a bit, an automated system was built that allowed computers to be dynamically added to networks using the existing DNS strategy.

For a while this also worked quite well and solved the scale problem. Unfortunately, it didn’t solve the trust problem — after all, who is allowed to update this list? If anyone can update the list of computer “addresses” then anyone can change their addresses. Imagine if the phone book caused reality instead of representing reality… If the phone company misprinted your phone number in the phone book, just like that, it’s your new number. If they misprinted your street address you had to move, sorry. If they left off your phone number, you no longer have one. That’s the strength of DNS when it comes to finding computers. One can only imagine a business bribing the phone book printer to leave off a particular company or to misprint their address. I’m sure that never happened though. DNS has that ability, and there were lots of compromises that follow that analogy.

On the subject of the phone company…

Ever wonder why with caller ID on your phone, a caller is able to misrepresent who they were? Fake FBI scams have caller ID reporting “Federal Bureau of Investigations”, social security number scammers show up as “Social Security Administration”, etc. It turns out that phone companies, when they built the networks MANY years ago, they also relied on trust that was reasonable to expect then, but is not reasonable to expect now. They have made progress here but it’s yet another example of existing systems that fail (or refuse?) to evolve and are ultimately exploited.

So what exactly was Grey Market Labs expecting here?

That “single step towards a future that we believe will prevent many tracking mitigations” was the use of CNAMEs to disguise the ultimate target of a DNS request. Most DNS ad blockers (and some that are designed purposefully to prevent tracking independent of advertisements) use a blacklisting or whitelisting technique. This means that bad sites (advertisers) are blocked and good sites (the people using the advertisers but aren’t running their own ads, such as such as a news site) are allowed. Once a CNAME is set correctly, the ads appear to come directly from the news site so blocking it will prevent access to the news site itself. And it turns out big sites are actually using this already (snippet from Medium article):

foxnews.com, walmart.com, bbc.co.uk, go.com, webmd.com, washingtonpost.com, weather.com, coach.com, gap.com,  cnn.com,  arstechnica.com, saksfifthavenue.com, t-mobile.com, statefarm.com

Ultimately, if traditional DNS blockers come up with a way around the problem that NextDNS mentioned, that’s great! It really is a solution that’s mostly dealt with at the DNS layer. But tracking and advertising companies have more steps lined up to enable these news sites (any site really) to win the tracking game. One such step is by using a proxy. By adding a proxy the traffic can be made to appear to originate from our example news site directly, which will prevent DNS-related blocking (and CNAME cloaking mitigation) from working. Try not to forget that the primary reason companies continue to push the boundaries of ad-tech is to make money.

Fortunately, our Opaque line of products is already capable of dealing with this, and many other innumerable challenges, in a future-resilient way. The best part is, administrators/gurus/users don’t have to bother with changing DNS providers, updating configurations, or applying security patches–that’s all our job.

So, which advertiser/tracking database is your activity stored in? When is the last time you saw a meaningful (or any) report about your DNS usage?

 


 

Grey Market Labs is a Public Benefit Corporation founded with the social mission to protect life online for people and organizations. Our software and hardware products are creating a future with privacy-as-a-service, delivering proactive internet protection from the moment of access to countering exploitation of digital behavior and activity. Simply: we prevent data from being compromised, establish trust between users and protect our customers work, online.

Contact us to see how we can work together.

Cyber Liability Insurance: Part of a comprehensive security plan

By | Data Privacy, Information Security, Risk and Liability | No Comments

It seems like every day there is a new story about a data breach and how millions of sensitive user records have been exposed.  The financial and healthcare industries are two of the biggest targets with some of the most sensitive data about people’s daily lives.  Theft and exposure of this data can open up these institutions to huge financial losses in the form of lawsuits and lost business.  Companies need ways to prevent and mitigate these potential losses.  Well-designed security protocols and software can prevent many of the data breaches that happen daily.  There will always be some risk of a breach but the use of best practices and strong security software reduces the number of attack vectors and thus significantly diminishes the risk.

Knowing that there always remains the risk of a breach, the question every company should be asking is: Should Your Business Get Cyber Liability Insurance?  As the CEO of LowCards.com (a free consumer resource website covering the credit card industry) points out, “many businesses are now turning to cyber liability insurance to minimize their risk of loss.”  Bill Hardekopf provides a great 101 on Cyber Liability Insurance and why you should consider it.  An important takeaway from the article is that “The insurance provider will evaluate policies, software and hardware to check for potential areas of weakness.”  The provider may even set a minimum standard for obtaining insurance or charge higher premiums for companies with weaker practices and software. Even if the standards aren’t there today, they will be emerging, and they will begin to affect rates and overall liability of a data compromise or a breach.

A good analogy to cyber liability insurance is property insurance, something every business should have.  Basic safety measures like fire extinguishers and smoke detectors are often minimum standards for even obtaining property insurance.  More advanced features like a security alarm system result in discounts on the premium paid for insurance.  In the same way with cyber liability insurance, installing anti-virus software or an advanced counter-exploitation platform could be considered a minimum standard or result in reduced premiums.

Given the importance of preventing a data breach most companies already implement counter measures.  However, given the likelihood a business will be the target of a successful data breach, companies should also consider adding cyber liability insurance.   Having a comprehensive plan for prevention and mitigation will help a company weather any storm that confronts them.

 


 

Grey Market Labs is a Public Benefit Corporation founded with the social mission to protect life online for people and organizations. Our software and hardware products are creating a future with privacy-as-a-service, delivering proactive internet protection from the moment of access to countering exploitation of digital behavior and activity. Simply: we prevent data from being compromised, establish trust between users and protect our customers work, online

Contact us to see how we can work together.

Is your VPN doing everything it promises to protect your privacy?

By | Data Privacy | No Comments

Commercial VPN services have recently gained widespread popularity and many present themselves as a solution for online privacy.  Some of them even claim to enable anonymous internet browsing. However, as pointed out in a recent Forbes article, Too Many VPNs Put Our Privacy And Security At Risk, the current VPN market is more of a minefield than an utopia.   Numerous VPN services been found to have significant security flaws, and some have been found to be downright malicious – they could potentially be exploiting your data rather than protecting it. While this is concerning on its own, it also highlights a need to better understand how a VPN fits in with a holistic approach to internet privacy.

Commercial VPNs create an encrypted “tunnel” for your web traffic between two points, your computer and your VPN provider.  If properly configured, anyone eavesdropping on that connection would only see that you were connected to a VPN; they wouldn’t be able to see your requests to individual websites.  This is valuable protection, especially if you are concerned about the trustworthiness of a Wi-Fi hotspot or ISP.   But because that tunnel sends all your traffic through the VPN provider, it’s of utmost importance that you use a trustworthy provider with a business model that aligns with your best interests.

However, even the best VPN is only a tool that can protect part of your digital footprint across the internet.  Potential privacy compromises are still possible at points before or after the VPN.

While it is often claimed that VPNs enable ‘anonymous’ surfing by obscuring your IP address, this is only successful in defeating the most rudimentary of tracking attempts.  Routine browsing activity generates a huge amount of metadata that can be used to uniquely identify and track users without relying on an IP address.  Techniques like browser fingerprinting, network traffic analysis, and even browser cookies can leverage this metadata to track users’ activity through a VPN.

A holistic approach to privacy also goes beyond protecting users’ browsing activity; it also includes the privacy and security of data already on your systems.  Any computer browsing the open internet, whether behind a VPN or not, is a potential vector for data compromise through malware, phishing, targeted attacks, or unintentional disclosure. A VPN can be a valuable tool for protecting your privacy, but it is far from a comprehensive solution.

 


 

Grey Market Labs is a Public Benefit Corporation founded with the social mission to protect life online for people and organizations. Our software and hardware products are creating a future with privacy-as-a-service, delivering proactive internet protection from the moment of access to countering exploitation of digital behavior and activity. Simply: we prevent data from being compromised, establish trust between users and protect our customers work, online

Contact us to see how we can work together.

The Socially Conscious Network

By | Data Privacy | No Comments

Ginny!” said Mr. Weasley, flabbergasted. “Haven’t I taught you anything? What have I always told you? Never trust anything that can think for itself if you can’t see where it keeps its brain?

-Arthur Weasley, Harry Potter

Any sufficiently advanced technology is indistinguishable from magic

-Isaac Asimov

Arthur Weasley from Harry Potter, being a wizard and having magic to rely on, didn’t need modern technologies like phones or cars. However, given his job in the department of Misuse of Muggle Artefacts Office at the Ministry of Magic he learned about how muggles (non-magic folks) created technologies to solve the issues which previously had only been solved by magic.

Today’s technologies, like cell phones, work almost like magic. They can provide us with the world’s knowledge in seconds or allow us to talk face to face with anyone in the world. They can get us almost anywhere in the world in less than a day. In a sense, without further investigation, they work like magic. If we think of magic as a basic law or force of nature then there is no intermediary step. It just works like gravity just works. But the reality is far more complicated when we think of something like a car where the basic forces of thermodynamics, friction, and combustion are harnessed to create a vehicle which can travel great distances through simple controls.

We know a car doesn’t think, at least not yet, but they are getting smarter and simply pressing on the gas pedal is no longer “driving by wire” where the input clearly leads to an expected output. Modern cars have antilock brakes which modify the pressure applied to slow down a car despite how hard the brake is pressed. This is handled by algorithms and calculations being computed by a processor within the car. In effect, a simple brain within the car. Still, such behavior is relatively easy enough to understand. There is still a defined cause and effect. Pressing the brake still slows you down but now it is done more effectively to reduce the risk of the brakes locking and the tires skidding.

Now, let’s move on from our car metaphor and look at something much more amorphous like a website such as Facebook. I think to many of the billions of users Facebook seems like a much simpler concept than a car. I’m sure some people have more confidence that they could build Facebook before they could ever build a car. Facebook was a simple website to connect people and share information that was originally invented by a college student. Since then, Facebook has grown and evolved into something much, much bigger than one college student could ever have imagined. In a sense, it has taken on a life of its own.

For the average user, you click a few buttons, download an app or go to a website and enter your personal information. From there, you can “privately” share your thoughts and communicate with your “friends”. Almost like magic, you can connect to any of the billions of users who would also like to connect with you.  But Facebook is not magic; It is technology. A far more advanced technology than the basic car that Henry Ford first mass produced. Unlike a physical car where the user had full and exclusive access to see all the internal workings should he or she choose, a user of an information technology like Facebook does not.

Why is this? Because we cannot see where Facebook keeps its brain. With vast processing power sitting on secured, proprietary servers, Facebook is more like a free taxi from a “friend” whom we don’t know very well. Imagine, this friend keeps a video camera in his car and records your every move. He assures you that it is just to serve you better and for your safety but you have to trust him that this is true. Since this is your “friend”, someone you’ve established a trusted relationship with, you agree to these recordings which you are assured are only to better help you. Or maybe he doesn’t even tell you if he is recording. You notice a camera but you trust that if he is recording then he is recording for his own benefit or protection and would never use it for any nefarious purpose.  Extend this scenario to Facebook or Uber and you might see where this is going. They are no longer just recording your every move, they are making decisions to “better serve you”. Your lips look chapped as you dryly swallow?  How about a bottle of water for $1. Thanks! I was parched. This is great that you are keeping such a close eye on me to better meet my needs.

Unlike an attentive, close friend, corporations like Facebook are not your friends.  Your friends are hopefully focused on your well-being. Also, unlike your friends, they will remember every time you ever “poked” someone. A good friend will forgive and forget.   You know your friend. You know her brain is in her head. You trust her. You don’t know Facebook. You don’t know where it keeps its brain or what it thinks or who it shares its brain with. In minutes an analytics company can pay a hefty sum to find out your most intimate details you shared with Facebook. A true friend would never do this and say it was for your best interests.

Sites like Facebook and LinkedIn offer at their core a simple service but benefit greatly from something called the network effect. But why did we ever invite them in to listen to our every conversation? Was it trust, ignorance, or just convenience? There was a user agreement when we signed up and probably never read but we had to accept it to use the service. Just standard legal stuff right?  Most services clearly state that they have the right to use your data in any way they want? If you’re not worried then you haven’t imagined the possibilities. Remember, if a service is free and the company doesn’t sell anything to you then you are the product and the company is selling you. There is no free lunch in this world unless your bubby takes you to Denny’s for the senior special.

So, it’s hopeless and this is just the cost of doing business, right?  Wrong, there is a solution. A new social contract must be created. A socially conscious terms of service that’s puts the user’s interests first. One that balances the user’s privacy with the needs for advanced technological services. One that respects our humanity and remembers what is most important. A contract that gives you the same level of trust as that of a friend.  And with that contract the technological know-how to actually back it up.  A contract is step one.  This is a fair and balanced terms of service that protects the user’s interests.  Competence is step two.  We all have friends we trust to keep our secrets but not necessarily to deliver an important letter on time.  You need a company that can protect your data, maintain good records and securely use that information to assist you.  Transparency is step three. You need to see where the brains are kept and how decision are made. The process should be clear and auditable.

Grey Market Labs is focused on these goals. We realize this social contract is a paradigm shift the world needs now. The technological age does not mean the end of privacy. As lofty as it may sound democracy depends on privacy, privacy with accountability. We cannot rely on government regulation alone to drive these changes forward.   We also cannot rely on other corporations whose business it is to sell your data.

 


 

Grey Market Labs is a Public Benefit Corporation founded with the social mission of protecting life online for people and organizations. Our software and hardware products are creating a future with privacy-as-a-service, delivering proactive internet protection from the moment of access to countering exploitation of behavior and activity online.

Contact us to see how we can work together.