
Privacy Behaviors After Snowden - ivotron
http://cacm.acm.org/magazines/2015/5/186025-privacy-behaviors-after-snowden/fulltext
======
junto
I have also sadly noted that there is little interest from my peers in such
matters.

It is also hard to change. I work with technology every day. I planned to:

- move away from Gmail to Fastmail
- move away from Dropbox to Spideroak or Owncloud
- move away from G+ Photos to ?
- move away from SMS and WhatsApp to TextSecure

The results? I'm still on Gmail. I still have a Dropbox account and I'm slowly
moving stuff to Spideroak. I'm the only one who uses TextSecure and I end up
sending SMS in the clear to my friends. I've tried a multitude of photo apps
and none of them do what I want.

All a very sad state of affairs.

~~~
rsync
I don't think most of those that you list are really substantive moves.

Certainly moving from dropbox to spideroak or ... someone like spideroak ...
would give you the ability to encrypt independent of the provider, perhaps
with duplicity[1] or this other method I like[2].

But moving from gmail to fastmail doesn't seem like it buys you much.

I think the two biggest, _substantial_ moves you can make are providing your
own email and providing your own dialtone. I do the former, and have for
almost 20 years ... but I haven't gotten my act together yet to do the latter.

What you gain, provided you own the equipment and rent the rackspace, is _you_
are the recipient of lawful orders and legal actions. _you_ are contacted and
_you_ are required to respond. Not your ISP, not your provider, not some third
party ...

That's a big, substantial difference. Sure, you still need to worry about your
traffic out in the wild, but as far as the host itself, you have complete
control.

Cost is a difficulty, but consider a 3-4 year old 1U server from ebay ... more
than ample to handle this very light workload ... and then maybe $50/mo for 1U
of rack and power, given that you won't use much bandwidth at all. Then
there's some kind of VOIP peering/connection/whateveridontevengetit that you
can get for $x per month. Basically, instead of getting a POTS line in your
rack, you get some kind of voip peer from a bigger voip provider. Or
something.

But consider what you're buying here: You are a _peer_ on the network. You're
not a consumer - you are actually taking part in the Internet. Legally you are
a peer as well, as you are a property owner, not a rentier, and you are secure
in certain physical rights to your rented space.

That's a substantial step.

[1] [http://duplicity.nongnu.org/](http://duplicity.nongnu.org/)

[2]
[https://news.ycombinator.com/item?id=6554313](https://news.ycombinator.com/item?id=6554313)

~~~
lisper
> providing your own dialtone

Is that possible? How do you do it?

~~~
lfam
Yes, I'm very interested in this. Can someone point us to some good info on
setting this up?

------
throwawayaway
> When the Web search engine DuckDuckGo, which advertises its superior privacy
> practices, attributed a rise in its daily queries to the PRISM revelation,
> it did not include user counts.

contrary to this article, duckduckgo showing a huge increase in the number of
queries implies an increase in the number of users. it doesn't store user IDs as
a matter of policy; surprised the author doesn't mention that is why the user
count is not reported. the fact that it can't do so is the whole point.

would be interested in growth numbers for textsecure, redphone, firefox hello
vs. skype, visits to Glenn Greenwald's site and so on.

some background on the author:

Author

Sören Preibusch ([http://preibusch.de/](http://preibusch.de/)) is a user
experience researcher at Google, Mountain View, CA, and was at Microsoft
Research, Cambridge, U.K., when this article was written.

------
higherpurpose
I think the methodology to show "how much people care about privacy post-
Snowden" is _flawed_ in that regard.

I'll just give the most powerful example for this. So this study shows that
there's basically little difference between people searching for privacy tools
now and before Snowden, right?

Okay, except pre-Snowden there's no way something like the Patriot Act
wouldn't have been renewed again. Why has it failed to be renewed now then?
Because many people _do care_ about privacy and have called their Congressmen
to act accordingly.

I'm also seeing much more interest in end-to-end encrypted apps. Pre-Snowden
few knew about "end-to-end encryption" and what that means. I'm seeing many
more comments online with people asking about it.

I think the biggest issue is that people feel "overpowered", so the solution
usually becomes inaction. In other words it's not "I don't care about privacy"
- it's "I don't care about privacy enough to learn to use complicated new
tools or radically change my behavior online...but if you give me easy to use
strong encryption, especially in the apps I'm already using, I'm happy to use
it."

Let's assume sending (snail) mail wasn't secure, but pigeon messaging was.
People wouldn't refuse to use pigeon messaging because "they don't care about
privacy". They wouldn't do it because it's too complicated and too much of a
hassle.

This is why convincing platforms and service providers to use strong
encryption by default is so important.

------
chrisacree
I'm not surprised by this. Getting the public at large's attention
concentrated in the first place is hard enough; keeping it there is
impossible. However, that's not to say that all this has been in vain.

The snooping revelations sent huge ripples through the tech community, and
that is the community both most affected and most poised to make a change. A
small group of dedicated people is all it takes to enact change, and it's
clear to me there has been a significant increase in the scrutiny of both
government surveillance and existing businesses' privacy policies and software.
Maybe the public at large has moved on, but some people have adopted the
cause, and a small focused group can be far more potent than a vague, if
large, mass of people. Just ask Occupy Wall Street.

The main take-away here is that yes, the public will move on. As it always
does. Nothing is going to hold the country's attention more than a couple
weeks, and even that is pushing it. So use that momentum if it appears, but don't
depend on it staying. More important is whether a subgroup is galvanized to
action and will commit to the long fight.

Parallels to consider:

- the political influence of relatively small interest groups via lobbyists
- the oft-repeated wisdom that for a startup it's better to have a core group
  that loves you than a million that think you're just pretty good

~~~
themartorana
I'm also interested in the effect companies pushing for and enacting better
privacy and encryption had. For instance, Google made sweeping and immediate
changes, and Apple tightened encryption in iMessage and iOS, to the vocal
chagrin of government agencies. Did visible actions like these help speed the
public decline in interest because the public at large felt that major
influencers had become their champions (naive though it may be)?

------
fnordfnordfnord
"Privacy" probably isn't a keyword that I would search for if I had new
concerns about my online privacy. I think "secure" or "encrypted" as in secure
browser, text, communication, etc. After reading a few Snowden related
articles, I think a lot of people would also bypass simple keywords for more
targeted searches such as "TOR", "OTR", etc. Also, as the author makes note
of, I'd want to look at search data that wasn't from Bing, mainly because that
is the default installed search engine for MS Windows. While anyone may choose
to use Bing, its users will also include a large pool of unsophisticated
users.

------
quchen
PDF version:
[http://delivery.acm.org/10.1145/2670000/2663341/p48-preibusc...](http://delivery.acm.org/10.1145/2670000/2663341/p48-preibusch.pdf?ip=178.27.248.251&id=2663341&acc=OA&key=4D4702B0C3E38B35.4D4702B0C3E38B35.4D4702B0C3E38B35.643A5797A8FAE0F7&CFID=514364689&CFTOKEN=34970414&__acm__=1432545192_01a335e6c187d69b80964980924e0ed1)

~~~
tobik
The link doesn't work. Use
[http://m.cacm.acm.org/magazines/2015/5/186025-privacy-behaviors-after-snowden/pdf](http://m.cacm.acm.org/magazines/2015/5/186025-privacy-behaviors-after-snowden/pdf)

------
belorn
The research methodology seems to have looked at the number of people looking
for privacy tools, privacy statements, and usage of privacy tools. This seems
to correlate with news articles, and then die down a while afterward.

I am not very surprised by this. If one would look at global health news and
news about diseases, and correlate that with purchases of health products, you
would likely find a similar pattern where you get initial peaks that are followed
by a decreased interest which slowly returns to original levels. Once you
have tried a product out, it's hard to notice any difference and it's thus easy
to return to previous behavior after an initial scare.

What is hard to predict is if people's risk analyses change from reading such
news. After Snowden, have help lines, priests, lawyers, and therapists seen an
impact? If so, how much and for how long? The decision to try out tor for a
week and then switching back feels inherently different from deciding to not
call a help line in case someone might be listening in.

------
Zigurd
It's not the user's fault. Unless mainstream services make privacy strong,
simple, and pervasive all they are doing is marking the people who seek
privacy for greater surveillance.

Google, Yahoo, and Microsoft need to step up and make it so my mom can have
secure email. They have all the tools, especially the ability to use social
graphs as the basis for web-of-trust.

~~~
schoen
Yahoo and Google are both working on end-to-end e-mail options.

[https://github.com/google/end-to-end](https://github.com/google/end-to-end)

[https://github.com/yahoo/end-to-end](https://github.com/yahoo/end-to-end)

An even harder problem, maybe: how could we make it so communications
intermediaries _don't_ know your social graph? The most exciting idea in this
direction I know of is AGL's Pond:

[https://pond.imperialviolet.org/](https://pond.imperialviolet.org/)

But it comes with some more severe tradeoffs than just end-to-end encrypting
your e-mail, like deliberately introducing delays in sending and receiving
messages in order to create ambiguity about when communication took place.

~~~
throwawayaway
well imagine a decentralized facebook with absolute privacy. you don't need
delays. traffic to and from "the server" is maintained at a flat rate of
encrypted white noise type signal. whoever talks to whoever else through this
black box is a mystery.

~~~
schoen
There's a tension between referring to it as decentralized and saying that it
has a server.

This approach is great in general, but there are some known challenges about
padding and latency.

One is that you have to use padding up to the maximum rate at which you want
to send data, so if you want to have some service that can use 500 kB/s, you
have to send and receive that much data all the time.

Another is that you may have to make server transmissions nearly synchronous;
you can't send extra data in a window even if you have a backlog. If you break
this rule, then an attacker who can delay one user's traffic can use that
power to confirm a hypothesis that two users are talking to one another. This
probably means that you can use it for e-mail and IM, but probably not voice.
There may also be a problem if a user is momentarily or permanently
disproportionately popular and hence wants to receive more data than the
standard padding rate allows.

You may also have to overcome users' inclination to only use the service when
they're talking to each other. If not, the time windows when particular pairs
of people were active may eventually show a strong correlation, especially the
times when both of them disconnected.

~~~
throwawayaway
one: that limitation is obvious, technologies such as the following can assist

[https://en.wikipedia.org/wiki/Multicast](https://en.wikipedia.org/wiki/Multicast)

two: i don't understand how encrypted traffic that maintains a noise level and
hides encrypted data in the noise can be subject to traffic analysis.

third: popularity, that is a solved problem for the majority of limited
bandwidth systems, you get lag.

fourth, users' inclination: both endpoints being compromised to that extent is
beyond the scope of most counter surveillance technology that i have ever
heard of.

of the criticisms only the one i labelled two seems really interesting to me,
could you please elaborate?

i was able to run voice comms and play computer games simultaneously on isdn
and modem lines and therefore the voice bandwidth concerns i don't think are
realistic

~~~
schoen
It's possible that it might turn out to be voice-capable, I'd like to see how
the Guardian Project's work with voice over Tor has gone. But there is a
notion that more latency is better for anonymity, and clearly worse for voice,
and we don't even necessarily know where the sweet spot is for anonymity. And
the anonymity that you get from something like Tor is already of questionable
value against either a global adversary or one who's already monitoring you.
To make the anonymity stronger there, we have to make the latency _worse_.

The traffic analysis comes in where you notice correlations between increased
or decreased activity on one link and a corresponding change in activity on
another link. Just having noise isn't necessarily enough to spoil those
correlations; after all, so much of modern statistics is about detecting very
weak signals given many noisy observations.

There is also research about active attackers shaping traffic flows (like
delaying or blocking packets, or injecting additional packets). Then the notion is
that the changed shape of a flow will be visible elsewhere on the network, and
that's the destination. Unfortunately, this seems to work really well!

~~~
throwawayaway
I don't think you have followed me at all. The intention is to send a noisy
level of encrypted 'constant' bandwidth. The activity has the same random
level of increased and decreased activity the whole time, active or inactive.

How are you not getting this?

endpoint0-n ---> 'server' ---> endpoint0-n

where ---> is a random level of encrypted noisy signal. the endpoint does not
open a connection to the other endpoint, it opens it to the 'server'.

no amount of traffic analysis or packet injection is going to mess with that.

the absolute best traffic analysis can do is provide a 1/n probability based
on active connections to the 'server' that endpointA was talking to endpointB.

> we have to make the latency worse.

> there's a notion that latency is good for anonymity

we have to do something because of a notion?

i give up.

~~~
schoen
So if you can guarantee that the probability distributions of the number of
bytes sent between the endpoints and server in a time window are unaffected by
whether or not communication was happening in that time window, your approach
is totally valid.

Pond _does_ have that property, if you use the defaults. I don't think a lot
of other systems do. The tradeoffs are pretty steep in terms of delaying
interactions until the next time window, sending and receiving cover traffic
in every time window, and accepting hard limits on your data rate that are
bounded by the cover traffic.

What I think you can't do safely, for example, is say "I have a cover traffic
pattern that is a Gaussian distribution of amount of data transmitted and
received, and now I have to send a bunch of data, so I'll just pick the high
of the distribution and send a whole bunch of data at once". One reason this
is unsafe is that you'll simultaneously skew the _recipient's_ distribution,
creating a statistical signal that you and the recipient were communicating.
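
A constructed simulation of the tradeoff described in the comment above, added here as an example and not code from this thread or from Pond: every endpoint exchanges jittered cover traffic with a 'server', and one endpoint either keeps its real data inside the fixed cover budget or bursts above it when it has a backlog. The per-window correlation between a sender's outbound and a recipient's inbound volume is what an observer of the server's links could compute. All endpoint names, rates and window counts are assumptions.

```python
import random

WINDOWS = 2000        # fixed time windows in the constructed simulation
N_ENDPOINTS = 4       # endpoints talking to one 'server' (assumed)
COVER_RATE = 10       # cover-traffic budget per window, arbitrary units
TALKERS = (0, 1)      # endpoint 0 really sends to endpoint 1 in some windows

def simulate(burst_on_demand, seed=1):
    """Per-endpoint volumes sent to / received from the server, per window.

    Every endpoint always moves roughly COVER_RATE units each way; the jitter
    makes it look like 'noise'. In fixed-budget mode real data rides inside
    that budget, so nothing observable changes. In burst mode the sender
    'picks the high of the distribution' when it has a backlog and the server
    forwards the surplus, skewing both the sender's and recipient's volumes.
    """
    rng = random.Random(seed)
    sent = [[0] * WINDOWS for _ in range(N_ENDPOINTS)]
    recv = [[0] * WINDOWS for _ in range(N_ENDPOINTS)]
    for w in range(WINDOWS):
        for e in range(N_ENDPOINTS):
            sent[e][w] = COVER_RATE + rng.randint(-2, 2)
            recv[e][w] = COVER_RATE + rng.randint(-2, 2)
        if rng.random() < 0.3 and burst_on_demand:   # backlog this window
            extra = rng.randint(5, 15)
            sent[TALKERS[0]][w] += extra
            recv[TALKERS[1]][w] += extra
    return sent, recv

def pearson(x, y):
    """Plain Pearson correlation coefficient (no numpy needed)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    var_x = sum((a - mx) ** 2 for a in x)
    var_y = sum((b - my) ** 2 for b in y)
    return cov / (var_x * var_y) ** 0.5

def link_correlation(sent, recv, a, b):
    """Correlation between a's outbound volume and b's inbound volume."""
    return pearson(sent[a], recv[b])

def most_correlated_pair(sent, recv):
    """The (sender, recipient) pair ranked highest by link correlation;
    only meaningful when some real correlation exists (burst mode)."""
    pairs = [(a, b) for a in range(N_ENDPOINTS)
             for b in range(N_ENDPOINTS) if a != b]
    return max(pairs, key=lambda p: link_correlation(sent, recv, *p))

if __name__ == "__main__":
    for mode in (False, True):
        s, r = simulate(burst_on_demand=mode)
        print("burst" if mode else "fixed-budget",
              round(link_correlation(s, r, *TALKERS), 3),
              most_correlated_pair(s, r))
```

In fixed-budget mode every pair's correlation sits near zero, while in burst mode the talking pair stands out with a correlation around 0.9 even though the individual link volumes still look like jittered noise.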

~~~
throwawayaway
the amount of traffic to the 'server' is completely random.

the traffic from the 'server' is completely random and unrelated to the
traffic into it.

within this level of encrypted traffic noise, data is carried, smaller than
the carrying capacity of that traffic.

------
yakamok
i refused to read it on the basis the font sucks and its light color!!

~~~
btbuildem
[http://www.readability.com](http://www.readability.com)

------
Canada
The general public can't do anything to improve privacy. They have no viable
options. It's up to us, the hackers and entrepreneurs, to create new viable
options.

------
resonation
God, that was the least informative research project I've ever encountered.
The premise of the research is something akin to:

    
    
      Based on recent news reports, where a whistleblower
      revealed that tobacco farmers routinely fertilize 
      their crops with human brains, which then inadvertently
      leads to contamination of tobacco products, leaving all
      smokers at risk of developing human prion related diseases, 
      we've conducted a study to see if this increased the 
      frequency of hits on the Phillip Morris website's 
      ingredients page. Our findings show that numbers only
      increased by 0.00001%.
    

Gee, thanks.

Never mind questioning why anyone would look at the list of public ingredients,
when the problem is contamination, which, by definition, means that unintended
ingredients ruined the desired product.

Why would a company list an accidental poison as part of its normal product?

Why would Microsoft's privacy policy reveal any useful information about
secret government programs?

At no point in time have I ever met anyone who would have imagined that
Microsoft's privacy policy would protect them from the NSA.

It's almost like someone decided to study the things people DON'T do, after
learning of some significant revelation.

Like, hey let's conduct a study of how many people prefer to watch _Family
Feud_ over _Price Is Right_ after being in a car accident! Oh, interesting!
The difference is barely measurable!

