privacy

87 Articles

Amazon Sidewalk: Should You Be Co-Opted Into A Private Neighbourhood LoRa Network?

November 30, 2020 by 61 Comments

WiFi just isn’t very good at going through buildings. It’s fine for the main living areas of an average home, but once we venture towards the periphery of our domains it starts to become less reliable.  For connected devices outside the core of a home, this presents a problem, and it’s one Amazon hope to solve with their Sidewalk product.

It’s a low-bandwidth networking system that uses capability already built into some Echo and Ring devices, plus a portion of the owner’s broadband connection to the Internet.  The idea is to provide basic connectivity over longer distances to compatible devices even when the WiFi network is not available, but of most interest and concern is that it will also expose itself to devices owned by other people. If your Internet connection goes down, then your Ring devices will still provide a basic version of their functionality via a local low-bandwidth wide-area wireless network provided by the Amazon devices owned by your neighbours. Continue reading “Amazon Sidewalk: Should You Be Co-Opted Into A Private Neighbourhood LoRa Network?”

Keep Your YouTube Habits To Yourself With FreeTube

October 7, 2020 by 43 Comments

If your usual YouTube viewing selection covers a wild and random variety of music, tech subjects, cooking, history, and anything in-between, you will sooner or later be baffled by some of the “Recommended for you” videos showing up. When it features a ten-hour mix of Soviet propaganda choir music, you might start wondering what a world taken over by an artificial intelligence might actually look like, and realize that your browser’s incognito / private mode really isn’t just for shopping birthday presents in secret. Things get a bit tricky if you actually enjoy or even rely on the whole subscribing-to-channels concept though, which is naturally difficult to bring in line with privacy in today’s world of user-data-driven business models.

Entering the conversation: the FreeTube project, a cross-platform application whose mission is to regain privacy and put the control of one’s data back into the user’s hands. Bypassing YouTube and its player, the watch history and subscriptions — which are still possible — are kept only locally on your own computer, and you can import either of them from YouTube and export them to use within FreeTube on another device (or back to YouTube). Even better, it won’t load a video’s comments without explicitly telling it to, and of course it keeps out the ads as well.

Originally, the Invidious API was used to get the content, and is still supported as fallback option, but FreeTube comes with its own extractor API nowadays. All source code is available from the project’s GitHub repository, along with pre-built packages for Linux (including ARM), Windows, and Mac. The application itself is created using Electron, which might raise a few eyebrows as it packs an entire browser rendering engine and essentially just disguises a website as standalone application. But as the FAQ addresses, this allows easy cross-platform support and helps the project, which would have otherwise been Linux-only, to reach as many people as possible. That’s a valid point in our book.

Keep in mind though, FreeTube is only a player, and more of a wrapper around YouTube itself, so YouTube will still see your IP and interaction with the service. If you want to be fully anonymous, this isn’t a silver bullet and will require additional steps like using a VPN. Unlike other services that you could replace with a local alternative to avoid tracking and profiling, content services are just a bit trickier if you want to actually have a useful selection. So this is a great compromise that also just works out of the box for everyone regardless of their technical background. Let’s just hope it won’t break too much next time some API changes.

ESP8266 Turned Secretive WiFi Probe Request Sniffer

September 20, 2020 by 21 Comments

When a Wi-Fi device is switched on, it starts spewing out probe requests to try and find a familiar access point. These probe requests contain the device’s MAC address and the SSID of the hotspot it’s looking for, which can potentially be used to identify a specific device and where it’s been. After experimenting with these probe requests, [Amine Mehdi Mansouri] has created OpenMAC, a tiny ESP8266 based sniffer that could be hidden anywhere.

The device consists of an ESP-07S module, a regulator circuit for getting power from a USB-C connector, and a button for power cycling. An external antenna is required for the module, which can be selected based on the size or gain requirements for a specific deployment. [Amine] tested the OpenMAC at a local library (with permission), in combination with a number of his own little Wi-Fi repeaters to expand the reach of the network. All the recorded MAC addresses were logged to a server, where the data can be used for traffic analysis in and around the library, or even for tracking and locating specific devices.

This is nothing new, and is relatively common technique used for gathering information in retail locations, and could be also be used for more nefarious purposes. Newer versions of iOS, Android, and Windows 10 feature MAC address randomization which can limit the ability to track devices in this manner, but it isn’t always activated.

We’ve seen a number of projects that exploit probe requests. FIND-LF can be used for locating devices in your home, and Linger fools probe requests sniffers by replaying previously recorded requests.

iPhone pictured with a lock

Is Anything Really Private Anymore?

June 26, 2020 by 53 Comments

In the connected age, every day it appears privacy is becoming more and more of an idealistic fantasy as opposed to a basic human right. In our latest privacy debate per [TechCrunch], apparently the FBI is taking some shots at Apple.

You may recall the unfortunate events, leading the FBI to ask Apple to unlock an iPhone belonging to a person of interest. Apple did not capitulate to the FBI’s request on the basis of their fundamental commitment to privacy. The FBI wasn’t really thrilled with Apple’s stance given the circumstances leading to the request. Nevertheless, eventually, the FBI was able to unlock the phone without Apple’s help.

You may find it somewhat interesting that the author of the news piece appears to be more upset with the FBI for cracking the phone than at Apple (and by extension other tech companies) for making phones that are crackable to begin with.

Maybe we should take solace in knowing that Apple stood their ground for the sake of honoring their privacy commitment. But as we saw, it didn’t really matter in the end as the FBI was able to hire a third party to help them unlock the phones and were later able to repeat the process in-house. The article also noted that there are other private companies capable of doing exactly what the FBI did. We understand that no encryption is 100% safe. So it begs the question, “Is anything really private anymore?” Share your thoughts in the comments below.

Google And Apple Reveal Their Coronavirus Contact Tracing Plans: We Kick The Tires

April 16, 2020 by 85 Comments

Google and Apple have joined forces to issue a common API that will run on their mobile phone operating systems, enabling applications to track people who you come “into contact” with in order to slow the spread of the COVID-19 pandemic. It’s an extremely tall order to do so in a way that is voluntary, respects personal privacy as much as possible, doesn’t rely on potentially vulnerable centralized services, and doesn’t produce so many false positives that the results are either ignored or create a mass panic. And perhaps much more importantly, it’s got to work.

Slowing the Spread

As I write this, the COVID-19 pandemic seems to be just turning the corner from uncontrolled exponential growth to something that’s potentially more manageable, but it’s not clear that we yet see an end in sight. So far, this has required hundreds of millions of people to go into essentially voluntary quarantine. But that’s a blunt tool. In an ideal world, you could stop the disease globally in a couple weeks if you could somehow test everyone and isolate those who have been exposed to the virus. In the real world, truly comprehensive testing is impossible, and figuring out whom to isolate is extraordinarily difficult due to two factors: COVID-19 has a long incubation period during which it is nonetheless transmissible, and some or even most people don’t know they have it. How can you stop what you can’t see, and even when you can detect it, it’s a week too late?

One promising approach is to isolate those people who’ve been in contact with known cases during the stealth contagion period. To do this is essentially to keep a diary of everyone you’ve been in contact with for the last week or two, and then if you eventually test positive for COVID-19, alert them all so that they can keep from infecting others even before they test positive: track and trace. Doctors can do this by interviewing patients who test positive (this is the “contact tracing” we’ve been hearing so much about), but memory is imperfect. Enter a technological solution. Continue reading “Google And Apple Reveal Their Coronavirus Contact Tracing Plans: We Kick The Tires”

Iceland Is Doing Its COVID-19 Proximity Tracing The Open Source Way

April 10, 2020 by 6 Comments

As governments around the world grapple with the problem of tracing those who have had contact with a person known to have been infected with the COVID-19 virus, attention has turned to the idea of mobile apps that can divulge who a person has been near so that they can be alerted of potential infections. This has a huge potential for abuse by regimes with little care for personal privacy, and has been a significant concern for those working in that field. An interesting compromise has been struck by Iceland, who have produced an app for their populace that stores the information on the device and only uploads it with the user’s consent once they have received a diagnosis. We can all take a look, because to ensure transparency they have released it as open source.

On signing up for the scheme a central server stores the details of each user as well as their phone number. When the epidemiologists have a need to trace a person’s contacts they send a notification, and the person can consent to their upload. This is a fine effort to retain user privacy, with depending on your viewpoint the flaw or the advantage being that the user can not have their data slurped without their knowledge. Iceland is a country with a relatively small population, so we can imagine that with enough consent there could be effective tracing.

We installed the Android version on the Hackaday phone to have a look, but unfortunately it seems to need to be in Iceland to be of use enough to explore. We would be interested to hear from our Icelandic readers, to hear their views. Meanwhile readers can juxtapose the Icelandic app with another proposal for a more anonymised version.

Decentralized Privacy-Preserving Proximity Tracing

April 9, 2020 by 6 Comments

As we continue through the pandemic, whether we are on lockdown or still at work, there is a chance for all of us that we could still pick up the virus from a stray contact. Mapping these infections and tracing those in proximity to patients can present a major problem to infection control authorities, and there have been a variety of proposals for smartphone apps designed to track users’ contacts via the Bluetooth identities their phones encounter. This is a particular concern to privacy advocates, because there is a chance that some governments could use this as an excuse to bring in intrusive personal surveillance by this means. A group of academics from institutions across Europe have come together with a proposal for a decentralised proximity tracing system that allows identification of infection risk without compromising the privacy of those using it.

Where a privacy-intrusive system might use a back-end database tracking all users and recording their locations and interactions, this one uses anonymised tokens stored at the local level rather than at the central server. When a user is infected this is entered at app level rather than at server level, and the centralised part of the system merely distributes the anonymised tokens to the clients. The computation of whether contact has been made with an infected person is thus made on the client, meaning that the operator has no opportunity to collect surveillance data. After the pandemic has passed the system will evaporate as people stop using it, rather than remaining in place harvesting details from installed apps. They are certainly not the first academics to wrestle with this thorny issue, but they seem to have ventured further into the mechanics of it all.

As with all new systems, it’s probably good to subject it to significant scrutiny before deploying it live. Have a read. What do you think?

We are all watching our authorities as they race to respond to the pandemic in an effective manner, and we hope that should they opt for an app that it does an effective job and they resist the temptation to make it too intrusive. Our best course of action meanwhile as the general public is to fully observe all advised public health measures such as self-isolation or the wearing of appropriate personal protective equipment.