GEOG 479
Cyber-Geography in Geospatial Intelligence

Privacy Implications

Print

On any given morning when you open your browser and check your favorite news site, an interesting thing happens in the blink of an eye between your click and when the news about various world crises appear on your monitor. Data from this one visit was likely sent to multiple companies, some of which you may have heard of and many you haven’t. Almost instantly, these companies log your visit, bombard you with ads tailored to your interests, and contribute to an ever-growing online file about you.

There's nothing sinister about this. Advertisers support free online content. All the personal data lets them tweak their ads to your interests and measure the effectiveness of how well their approach is working. The site might be The New York Times, CBS News, The Atlantic, or BBC, and the same process happens more or less to the same degree with any site. Each move of your mouse generates data for someone, and all the companies want to make sure that your steps around the Internet are captured.

It would be naive to believe that we are not all the subjects of targeted advertising, but the sheer number of data collectors will probably surprise you. If I may share from my own experiences in a typical 48 hour period, the companies tracking me were Acerno. Adara Media. Adblade. Adbrite. ADC Onion. Adchemy. ADiFY. AdMeld. Adnetik, Adtech, AppNexus, Atlas, Audience Science. This was just the “A's”. It's possible to view which ones do so using an add-in for Firefox called "Lightbeam".

The complete list was over 100, and while you might use the Firefox add-in "Lightbeam" to compile your own list, it’s going to surprise you just how many there are that are watching you. The major companies such as Google, Microsoft, Facebook, etc., are all on my list, but most of the ones I saw are smaller data and advertising businesses that make up a separate network of companies that want me to see their ads and buy their sponsored products. There’s huge money in it, and while someone's name might not be attached to the data collected (yet), the data is used to select a set of ads an individual is statistically more likely to respond to.

We navigate over the web pretty much clueless of the machines that power the web with cookies that generate huge databases of our movements. When we shop for a children’s birthday caterer and magically see clown ads appear on random web pages, it’s not difficult to feel a little creeped out by the feeling we are being watched.

These issues were nonexistent when Bush 1 was in the White House. They were only beginning to be thought of when 911 happened. We live in a time when unique capabilities advertisers use did not exist even a decade ago. Never before has so much data been gathered about so many people for the sole purpose of selling them “stuff.”

The privacy debates are typically couched in geek speak that is technical in nature. A story breaks about Google bypassing various browser privacy settings, or we read the details about how Facebook tracks you with various techniques and changes privacy policies on what seems a whim. The question that is at stake is, can we remain anonymous? How do we guard our online identity? Do the companies exist to serve the users or the clients?

All the collection companies do pretty much the same thing by offering targeted ads based on how you act (behavioral), who you are (demographic), and, of course, where you live (geographic). They provide advertisers the ability to choose the types of sites which their ads will run, based on multiple parameters in branding and marketing.

It's noteworthy to point out how this practice is different from traditional advertising. The practice used to be between advertisers and publications targeted towards a specific audience – hobbyists for example. You wanted to read about the latest news in your field of interest and bought a publication targeted towards people with shared interests - an audience - and advertisers would purchase ad space in the publication to reach that audience. Some practiced it as an art and it eventually became a science that was studied at the graduate school level. Online advertising is different - you buy the audience without the publication. You want a ScubaWorld.com reader? An ad network can sell you someone who has been to scubaworld.com, but is now reading about shaving products at shavingproducts.com. The data is collected and is cheaper and more targeted. Bids for the data are a fraction of what the equivalent print version would be.

Legitimate privacy concerns arise when geodata is collected and the data is used for purposes other than what an individual should reasonably expect. The temptation to use geodata for other purposes is tempting, especially when it is combined with other consumer information (i.e., name, address, etc.). This conflated data provides businesses the ability to send targeted advertisements to consumers and even monitor an individual's movements – acts that might be considered an invasion of privacy.

The growth of and the collection of geodata is in collision with both consumer privacy concerns. There are also legitimate privacy concerns in nations that host a repressive government with respect to free speech and free thought. The more difficult question of both is “what constitutes a valid use of such data? Currently in the US and Europe, there is little legislation or guidance on this question. As anyone surfs the Web, information is constantly being collected about you. Web tracking is not 100% evil - personal data can make your browsing more efficient; cookies can help your favorite websites stay in business.

Review the Digital Element website to gain an insight to the way personal geodata is marketed to third parties by at least one company.

Listen to the Experts

One cybercrime expert puts it thusly,"Do we blindly trust any future government? Because any right we give away, we give away for good." In less than ten minutes, Mikko Hypponen, the chief research officer at F-Secure Corporation in Finland, has led his team through some of the largest computer virus outbreaks in history. His team took down the world-wide network used by the Sobig.F worm. He was the first to warn the world about the Sasser outbreak, and he has done classified briefings on the operation of the Stuxnet worm -- a hugely complex worm designed to sabotage Iranian nuclear enrichment facilities (9:23).

Mikko Hypponen: Three types of online attack
Click here for transcript of the three types of online attack video.

[MUSIC PLAYING] 

[APPLAUSE] 

MIKKO HYPPONEN: In the 1980s, in the Communist Eastern Germany, if you owned a typewriter you had to register it with the government. You had to register a sample sheet of text out of the typewriter. And this was done so the government could track where text was coming from. If they found a paper which had wrong kinds of thought, they could track down who created that thought. 

And we in the West couldn't understand how anybody would do this, how much this would restrict freedom of speech. We would never do that in our own countries. But today in 2011, if you go and buy a color laser printer from any major laser printer manufacturer and print a page, that page will end up having slight yellow dots printed on every single page in a pattern which makes the page unique to you and to your printer. 

This is happening to us today. And nobody seems to be making a fuss about it. And this is an example of the ways that our own governments are using technology against us, the citizens. And this is one of the main three sources of online problems today. If we look at what's really happening in the online world, we can group the attacks based on the attackers. 

We have three main groups. We have online criminals. Like here, we have Mr. Dmitry Golubov from the city of Kiev in Ukraine. And the motives of online criminals are very easy to understand. These guys make money. They use online attacks to make lots of money and lots and lots of it. We actually have several cases of millionaires online, multimillionaires who made money with their attacks. 

Here's Vladimir Tsastsin from Tartu in Estonia. This is Alfred Gonzalez. This is Stephen Watt. This is Bjorn Sundin. This is Matthew Anderson, Tariq Al-Daour, and so on, and so on. 

These guys make their fortunes online, but they make it through the illegal means of using things like banking Trojans to steal money from our bank accounts while we do online banking or with key loggers to collect our credit card information while we are doing online shopping from an infected computer. The US Secret Service, two months ago, froze the Swiss bank account of Mr. Sam Jain right here. And that bank account had $14.9 million US dollars on it when it was frozen. Mr. Jain himself is on the loose. Nobody knows where he is. 

And I claim it's already today that it's more likely for any of us to become a victim of a crime online than here in the real world. And it's very obvious that this is only going to get worse. In the future, majority of crime will be happening online. 

The second major group of attackers that we are watching today are not motivated by money. They're motivated by something else, motivated by protest, motivated by an opinion, motivated by the laughs. Groups like Anonymous have risen up over the last 12 months and have become a major player in the field of online attacks. So those are the three main attackers-- criminals who do it for the money, hacktivists like Anonymous doing it for the protest, but then the last group are nation states, governments doing the attacks. 

And then we look at cases like what happened at DigiNotar. This is a prime example of what happens when governments attack against their own citizens. DigiNotar is a certificate authority from the Netherlands, or actually, it was. It was run into bankruptcy last fall because they were hacked into. Somebody broke into and they hacked it thoroughly. 

And I asked last week in a meeting with Dutch government representatives, I asked one of the leaders of the team whether he found plausible that people died because of the DigiNotar hack. And his answer was yes. So how do people die as a result of a hack like this? 

Well, DigiNotar is a CA. They sell certificates. What do you do with certificates? Well, you need a certificate if you have a website that has HTTPS, SSL encrypted services, services like Gmail. 

Now we all, or a big part of us, uses Gmail or one of their competitors. But these services are especially popular in totalitarian states like Iran, where dissidents use foreign services like Gmail because they know they are more trustworthy than the local services and they are encrypted over SSL connections. So the local government can't snoop on their discussions, except they can if they hack into a foreign CA and issue rogue certificates. And this is exactly what happened with the case of DigiNotar. 

What about Arab Spring and things that have been happening, for example, in Egypt? Well, in Egypt the rioters looted the headquarters of the Egypt secret police in April 2011. And when they were looting the building, they found lots of papers, among those papers this binder titled Finfisher. And within that binder were notes from a company based in Germany, which had sold the Egypt government a set of tools for intercepting and in very large scale all the communication of the citizens of the country. They had sold this tool for 280,000 euros to the Egypt government. The company headquarters are right here. 

So Western governments are providing totalitarian governments with tools to do this against their own citizens. But Western governments are doing it to themselves as well. For example, in Germany just a couple of weeks ago the so-called Staats Trojan was found, which was a Trojan used by German government officials to investigate their own citizens. If you are a suspect in a criminal case, well, it's pretty obvious your phone will be tapped. 

But today, it goes beyond that. They will tap your internet connection. They will even use tools like Staats Trojan to infect your computer with a Trojan, which enables them to watch all your communication, to listen to your online discussions, to collect your passwords. 

And when we think deeper about things like this, the obvious response from people should be that, OK, well, that sounds bad, but that doesn't really affect me because I'm a legal citizen. Why should I worry? Because I have nothing to hide. And this is an argument which doesn't make sense. 

Privacy is implied. Privacy is not up for discussion. This is not a question between privacy against security. It's a question of freedom against the control. 

And while we might trust our governments right now, right here in 2011, any rights we give away will be given away for good. And do we trust-- do we blindly trust any future government, a government we might have 50 years from now? And these are the questions that we have to worry about for the next 50 years. 

[MUSIC PLAYING] 

Credit: TED