The NY Times has an interesting article about targeted advertisements that follow people around the web:

Julie Matlin was tempted by a pair of shoes on Zappos.com. Then the shoes started showing up in ads on other sites she visited.

Then the shoes started to follow her everywhere she went online. An ad for those very shoes showed up on the blog TechCrunch. It popped up again on several other blogs and on Twitpic. It was as if Zappos had unleashed a persistent salesman who wouldn’t take no for an answer.

That sounds creepy. Nobody wants to feel watched while surfing the web — it’s just too much like having your mind read. Perhaps that’s not too worrying when you’re shopping for shoes, but what about when you’re looking for information about that skin rash that won’t go away?

It used to be easy to prevent the problem described by the woman in the Times story, but now there are sneakier ways to track users across websites. Now you need something like this Firefox add-on to thoroughly purge your browser of tracking technologies.

But does anyone really care?

There’s nothing easier than drumming up a bit of indignation for a news story. But does anyone really care about being tracked this way? Sure, all else equal, most of us would pick more privacy rather than less. But the real question is whether anyone is willing to pay for that privacy.

The metaphor of a persistent salesman who won’t take “no” for an answer is an illuminating one. Just as some stores try to attract customers by telling them about their easy-going, non commission-based salespeople, some websites could differentiate themselves from the competition by telling internet users that they won’t install invasive tracking technologies.

We may yet see something like that, but I have my doubts. People like privacy, but they like getting great content and services cheaply, too. Websites that earn extra money by intruding on their customers’ privacy are likely going to outcompete websites that don’t if web user preferences lean more toward getting stuff cheaply than maintaining privacy. There is no easier place for experimentation with business practices than the web, so the dearth of websites that compete on the margin of privacy suggests that there probably isn’t much demand for it.

Government regulation of privacy

Right now, there is a debate at the Economist about whether governments should more heavily regulate online privacy issues. This blog has always been in favour of things that help people protect their privacy, but I have also stressed the importance of considering the costs of doing so. To my ear, government intervention to enhance privacy protections online sounds like forcing internet users to accept a different bundle of cheap content, quality services, and privacy than they currently want.

A quote from the primary proponent of regulation in the Economist debate highlights this:

…it is hard to imagine that the typical internet user can really do much to safeguard their privacy when companies purposefully make it so difficult.

Let’s imagine an (admittedly weird) alternate world where the current Economist debate is about the problem that all brick and mortar stores must be entered via doors that measure a mere 3 feet in height. One of the proponents of government regulation for bigger doors says:

…it is hard to imagine that the typical shopper can really do much to improve their shopping experience when companies purposefully make it so difficult to fit in the entrance.

It’s laughable because we know how easy it would be for stores to install larger doors and capture the customers who are dissatisfied with the doggy door experience. When you realize that privacy is something that can and is bought and sold today just like any other commodity, you have to admit that a lack of concern on the part of businesses when it comes to privacy issues may just mean there is limited demand for it from most consumers’ point of view. And, in fact, it is possible that the current equilibrium is pareto optimal.

Whenever you read about a dispute between a web-based service and a country, you need to ask yourself only one question: where is the server located?

BlackBerry servers are located in Canada, and data is encrypted when it is sent from one phone to another. That’s a problem for countries that want to intercept and monitor information sent across BlackBerry networks. From The Economist article:

Countries have two basic technical methods of controlling the flow of information over the internet. First, they claim legal jurisdiction over information stored on servers within their own borders. Second, they can read or block traffic moving through the choke-points where internet cables cross the border.

Neither of those options is available to countries wanting to spy on BlackBerry users, which is why Research In Motion, the makers of the BlackBerry, have been getting flack from the governments of India, Lebanon, Saudi Arabia and now the UAE:

The UAE’s Telecommunications Regulatory Authority said it would suspend BlackBerry Messenger, email and Web browsing services beginning on October 11th if RIM does not provide a solution for local messaging control.

Fortunately, Research In Motion told its customers not to worry:

The BlackBerry security architecture for enterprise customers is purposefully designed to exclude the capability for RIM or any third party to read encrypted information under any circumstances. RIM would simply be unable to accommodate any request for a copy of a customer’s encryption key since at no time does RIM, or any wireless network operator, ever possess a copy of the key.

Unfortunately, Research In Motion quickly made a deal with the government of Saudi Arabia that undoes those fine intentions:

The agreement, which would involves placing a BlackBerry server inside Saudi Arabia, would allow the government to monitor users’ messages and allay official fears the service could be used for criminal purposes.

A similar deal with the UAE is likely to follow.

Staying secure when eavesdropping is a risk: VPNs

This brings up a general point about safe internet use in any setting where third parties — including governments, your ISP, or the guy next to you in the coffee shop sharing that WiFi hotspot — may be able to peek at your communications. A commentator at The Economist’s article wisely noted that:

…one can go to any hotel in Dubai, hop on its wifi with your laptop and use your own VPN (or company VPN in my case), effectively blocking them from seeing your communications.

Although it may be illegal to do so depending on your location, and I’m in favour of following the laws in the country you’re in, using a VPN may be a good idea in some scenarios.

The best explanation of VPNs I’ve read is from HowStuffWorks.com, which suggests the analogy of the internet as an ocean and most internet traffic as being like a ferry from one island to another. When you’re on a ferry, everyone can see who you are and what you are doing. It’s public.

A VPN, on the other hand, is like a submarine that allows you to travel underwater from island to island. Some savvy observers of the ocean (your ISP, for example) may know that you are in a submarine, but they won’t know your ultimate destination or what’s inside of the submarine (i.e., the information you are transferring from your computer to the destination computer).

To use a VPN, you simply need to install VPN software on your computer (some suggestions are provided below), connect to the internet, start the VPN software, then proceed to browse the net.

Drawbacks of VPNs

As with any security solution, VPNs have some drawbacks:

1. You have to trust the VPN provider more than you trust your current connection. There’s no way around this if you’re using a commercial VPN (highly technical users can set up their own VPN servers to get around this problem, but the process is too difficult for most of us). The best assurance any VPN company can give you is something like this:
   

   What needs to be understood, is that our livelihood depends on keeping you safe and honoring your privacy. If we ever compromised that, unwillingly or with bad intent, I would imagine word would get out pretty fast. I can say that here at WiTopia, we take it very very seriously.

2. They slow your browsing/VOIPing/messaging. Because of the encryption/decryption process and because your internet communications are first routed to your VPN’s servers before being routed to the ultimate destination, you’ll probably notice some lag.

A few VPN companies

I can’t promise that these companies will keep your information secure. There is no such thing as perfect security. If it’s important to you, you need to do the background research and decide for yourself if using a VPN is safer than the alternative. That said, here are two companies that were discussed by CNET and one that a friend recommended to me:

1. WiTopia
2. HotSpotVPN
3. proXPN, which is free and has a Facebook page where the company often answers user questions

Added 10 Aug 2010: U.S. authorities are already able to tap BlackBerry messages. And Bruce Schneier noted a few days ago that:

The UAE can’t eavesdrop on BlackBerry traffic because it is encrypted between RIM’s servers and the phones. That makes sense, but conventional e-mail services are no different. Gmail, for example, is encrypted between Google’s servers and the users’ computers. So are most other webmail services. Is the mobile nature of BlackBerrys really that different? Is it really not a problem that any smart phone can access webmail through an encrypted SSL tunnel?

Once you enter your credentials, like your [email] user name or password, the company sweeps through your contact list and sends everyone an invitation to join the site.

Nothing new here, but the tactic can be tough to spot. Facebook has nearly tricked me into giving up all of my email contacts a couple of times.

A Chinese-language version of Skype scans users’ chat messages for keywords such as “democracy,” and sends a copy of the offending message to the company’s servers, according to a report released Thursday by a Canadian online human rights group.

That’s despite adamant claims by the Ebay-owned company that its software offers encrypted, safe communication.

Emails, too, often prove less than private. The hacking of Governor Sarah Palin’s Yahoo account is only the most recent example.

Bottom line

if you would be unable to bear the consequences of your communication getting intercepted, you probably shouldn’t send it by Skype, email, or any other electronic medium. Of course, even snail mail can be intercepted, face-to-face conversations recorded. No communication method is perfectly secure, and, as always, you must make make tradeoffs between security and convenience. Few of us would be satisfied to go the tin foil hat route.

Last month a US court ruled that border agents can search your laptop, or any other electronic device, when you’re entering the country. They can take your computer and download its entire contents, or keep it for several days.

[...]

Encrypting your entire hard drive, something you should certainly do for security in case your computer is lost or stolen, won’t work here. The border agent is likely to start this whole process with a “please type in your password”. Of course you can refuse, but the agent can search you further, detain you longer, refuse you entry into the country and otherwise ruin your day.

You’re going to have to hide your data. Set a portion of your hard drive to be encrypted with a different key – even if you also encrypt your entire hard drive – and keep your sensitive data there. Lots of programs allow you to do this. I use PGP Disk (from pgp.com). TrueCrypt (truecrypt.org) is also good, and free.

The article goes on to talk about the importance of using strong passwords, as well as the limits of depending on strong passwords to protect encrypted data.

Edited to add (19 May 2008): The quoted sections of the Guardian article have been trimmed due to a complaint from one of the editors.

The British government struggled Wednesday to explain its loss of computer disks containing detailed personal information on 25 million Britons [about 40% of the population], including an unknown number of bank account identifiers, in what analysts described as potentially the most significant privacy breach of the digital era.

You can’t do much when something like this happens. One thing you can do, however, is make sure your passwords are strong.

Experts said the information could allow crimes beyond identity theft. Some people use the name of a child or part of an address as a password on a bank account, so the combination of these details could allow someone to break their code.

Two new questions arise, courtesy of the latest advancement in cellphone technology: Do you want your friends, family, or colleagues to know where you are at any given time? And do you want to know where they are?

Privacy is fast becoming the trendy concept in online marketing. An increasing number of companies are flaunting the steps they’ve taken to protect the privacy of their customers. But studies suggest consumers won’t pay even 25 cents to protect their data.

Later, one of the people interviewed explains why he thinks this is the case:

The thing about consumer privacy is it’s really a death from a thousand cuts. With any given click or any given web page the loss of information is usually very subtle. The fact that you may get more spam or pay more for flowers because you live in a wealthy ZIP code are just single drops in a tsunami of privacy violations.

Too bad. I certainly sympathize sometimes with the sense of hopelessness about keeping my privacy that many people experience. And, for some, perhaps the costs of combating privacy concerns are higher than the costs from losing one’s privacy.

The Office of the Privacy Commissioner of Canada oversees Rogers’ personal information handling practices. If your privacy concerns are not addressed to your satisfaction by Rogers you may contact the Office of the Privacy Commissioner of Canada for further guidance

So, Rogers doesn’t want to consider the subject further. The reasoning is this: if the Privacy Commissioner thinks Rogers handles privacy adequately, so should Rogers’ customers.

I encourage those of you who are customers of Rogers (there may not be many of you, as the majority of this blog’s readers are American) to call them or email them for a real answer. When pressed by actual customers, Rogers is probably more likely to be responsive.

Update (23 April 2007): Rogers replied a week and a half ago with this (I apologize for the delay in posting and for the strange quote marks and other typographical oddities that have appeared in this post as a result of my use of a foreign keyboard):

Please note that Rogers does not sell nor release any confidential subscriber information, to anyone outside Rogers line of companies (who basically share the information for the purpose of providing excellent customer service to our subscribers). The private account information of our subscribers is never fraudulently used to jeopardize customer privacy concerns.

With regard to internet usage, the information is kept on the database to ensure that bandwidth is not abused. This allows us to provide high level of performance for all subscribers. The IP addresses are dynamic and can change at anytime. Also, any personal subscriber account details are only released with a court order.

As with the email I received from Shaw, this message from Rogers avoids some of the most pertinent questions I and this site’s readers would like answered (“how long does Rogers store data on its subscribers’ internet usage?” for example, or “how long are logs of what IP addresses were assigned to which customer kept?”).

I admire Rogers’ refusal to sell or release confidential subscriber information, but I worry that the company’s definition of “subscriber information” and “personal subscriber account details” don’t include internet histories. Also, if the company keeps records of bandwidth usage, it must have a way of identifying users’ internet histories even though IP addresses are dynamic. So that bit about dynamic IP addresses was, I think, a lot of smoke.

What I’d like to see from each of these ISPs, although I may not get it, is a specific confirmation or denial of the practice of selling users’ internet histories. It seems to me that none of what Rogers (or any of the others) has said thus far prohibits this.

Update (6 April 2007): Rogers has not yet responded; Telus emailed me to say they are thinking the matter over (which I think is fair); Shaw dodged the questions with this answer

The questions you asked do not directly relate to customers [sic] personal information (i.e. data relating to an IP address is not personal information as long as it is not associated with a particular customer account) and would require that we disclose confidential business information proprietary to Shaw. Therefore, we confirm that we are not in a position to provide responses to your questions, except for question 6.

In response to question 6 [Does Shaw sell internet usage data? What kind of data? If so, how is it anonymized and to whom do you sell it? What language in your privacy policy discloses this?], we advise that Shaw does not sell Internet usage data to third parties.

Shaw’s privacy policy is fairly thorough and is, I think, a good effort. However, the way that Shaw answered the questions I sent them reveals the limitations of the company’s privacy policy. Shaw’s policy describes how “Personal Information” (a category that includes customers’ names, addresses, telephone numbers, gender, credit information, payment records, and correspondence sent by the Customer to Shaw) is protected, but it appears that the company doesn’t consider “data relating to an IP address” to be personal information. Perhaps Shaw feels that as long as a customer’s name is stripped from the data, it has been thoroughly anonymized and is fit for treatment not mentioned in the privacy policy. But we know this type of anonymization isn’t good enough. New York Times made this pretty clear in its 2006 article called Face Is Exposed for AOL Searcher No. 4417749, published after AOL released what it thought were anonymized search terms.

I’ll press for more detailed answers from Shaw, and hopefully get something from Telus and Rogers soon.

————————

Original article:

Last year, when AOL was caught out for publishing its users’ search terms and phrases, many people, including me, were surprised at how much harm can be had when internet usage data, even seemingly anonymized data, is not kept confidential by those who necessarily have access to it. Internet Service Providers, or ISPs, can collect a lot of personal information about you just by keeping track of the websites you visit. It’s important, then, to know what information ISPs collect, how long they keep it, and to whom they show/sell it.

12 days ago, Ryan Singel, writing for a Wired blog, wrote that

ISPs are selling data history of their users, according to co-founder of web analytics firm, Compete, David Cancel, who told a panel of conference attendees on Tuesday that his company buys such data. Cancel says the data does not include IP addresses, but that’s not enough to truly anonymize it, as click stream data can include searches that identify a user.

Recently, Ryan has been asking questions of some of the big American ISPs (like Comcast and Verizon) to find out if any of them are selling their users’ internet usage logs. So far, AOL and Cox have answered up (with results posted in a handy web-spreadsheet visible at the page linked to above), but others haven’t. To get complete information from all of the ISPs, Ryan says

We’re asking those of you who are customers of the non-responsive ISPs to call, write, FTP or IM or Twitter your ISP and ask them to clarify how they use, store or even sell data about you. Report the results back and we’ll add it to the spreadsheet.

What to ask your ISP

Ryan has made it easy to ask your ISP what it’s up to. Along with the phone numbers and email addresses of major American ISPs, he’s written a list of questions to ask them, and I’ve reposted them here (feel free to copy and paste, then email to your ISP; change “ISP NAME” to your ISP’s actual name if you’re feeling ambitious):

Canadian ISPs

Shaw, Rogers, and Telus are the big internet service providers in Canada, and, since I live in Canada, I sent an email to all three. I’ll report whatever results I get here as well as on Ryan’s blog. If you want to email any of the Canadian ISPs, you can find their submittable help forms here: Shaw, Rogers, and Telus. If you send an email and get any sort of answer, post it in the comments below or in the comments on Ryan’s blog, called 27B Stroke 6. Just to make it ridiculously easy to send an email, I’ve altered the forms (only slightly) to be Canada specific:

Trustworthy search engines

Last fall, when the United States Justice Department asked for private search records to aid its case in a court battle, some of the biggest search engines, including AOL, Yahoo, and Microsoft, gave in to the request immediately. Google refused to hand over the data and a subsequent court ruling on the matter took Google’s side. So, when it comes to search, Google is probably the safest.

Who’s paranoid?

At the risk of joining the tinfoil hat crowd, there is something you can do to avoid suffering even if one of the major search engines decides to give up on your privacy. Blackboxsearch.com lets you search Google, Yahoo, and MSN anonymously (and for free).

Here’s how it works: every time someone performs a search on Blackboxsearch, the website sends the request to the appropriate search engine while hiding your IP address. All searches arriving at Google or Yahoo or MSN appear to come from Blackboxsearch’s IP address, which means that if ever an entity like the Justice Department gets its hands on the search terms, all it would get is a mass of words and phrases, all seemingly coming from the same place. There would be nothing there that would help them match up searches to IP addresses and individuals.

Then again, using Google for your searches is probably more convenient, since it doesn’t involve navigating and getting accustomed to a new website. Privacy and security always involve tradeoffs in terms of time and effort, so decide for yourself how severely a data compromise would affect you, and either go directly to Google for your searches or use a proxy like Blackboxsearch.