Open Web

Today we are releasing the implementation guide for EFF’s Do Not Track (DNT) policy. For years users have been able to set a Do Not Track signal in their browser, but there has been little guidance for websites as to how to honor that request. EFF’s DNT policy sets out a meaningful response for servers to follow, and this guide provides details about how to apply it in practice. At its core, DNT protects user privacy by excluding the use of unique identifiers for cross-site tracking, and by limiting the retention period of log data to ten days. This short retention period gives sites the time they need for debugging and security purposes, and to generate aggregate statistical data. From this baseline, the policy then allows exceptions when the user's interactions with the site—e.g., to post comments, make a purchase, or click on an ad—necessitates collecting more information. The site is then free to retain any data necessary to complete the transaction. We believe this approach balances users’ privacy expectations with the ability of websites to deliver the functionality users want. Websites often integrate third-party content and rely on third-party services (like content delivery networks or analytics), and this creates the potential for user data to be leaked despite the best intentions of the site operator. The guide identifies potential pitfalls and catalogs providers of compliant services. It is common, for example, to embed media from platforms like You Tube, Sound Cloud, and Twitter, all of which track users whenever their widgets are loaded. Fortunately, Embedly, which offers control over the appearance of embeds, also supports DNT via its API, displaying a poster instead and loading the widget only if the user clicks on it knowingly.

Knowledge makes the difference between willing tracking and non-consensual tracking. Users should be able to choose whether they want to give up their privacy in exchange for using a site or a  particular feature. This means sites need to be transparent about their practices. A great example of this is our biggest adopter, Medium, which does not track DNT users who browse the site and gives clear information about tracking to users when they choose to log in. This is their previous log-in panel, the DNT language is currently being added to their new interface.

Comcast met with Federal Communications Commission Chairman Ajit Pai's staff this week in an attempt to prevent states from issuing net neutrality rules. As the FCC prepares to gut its net neutrality rules, broadband providers are worried that states might enact their own laws to prevent ISPs from blocking, throttling, or discriminating against online content.

Comcast Senior VP Frank Buono and a Comcast attorney met with Pai Chief of Staff Matthew Berry and Senior Counsel Nicholas Degani on Monday, the company said in an ex parte filing that describes the meeting. Comcast urged Pai's staff to reverse the FCC's classification of broadband as a Title II common carrier service, a move that would eliminate the legal authority the FCC uses to enforce net neutrality rules. Pai has said he intends to do just that, so Comcast will likely get its wish on that point. But Comcast also wants the FCC to go further by making a declaration that states cannot impose their own regulations on broadband. The filing said: We also emphasized that the Commission's order in this proceeding should include a clear, affirmative ruling that expressly confirms the primacy of federal law with respect to BIAS [Broadband Internet Access Service] as an interstate information service, and that preempts state and local efforts to regulate BIAS either directly or indirectly.

India is the world’s largest democracy and is home to 13.5 percent of the world’s internet users. So the Indian Supreme Court’s August ruling that privacy is a fundamental, constitutional right for all of the country’s 1.32 billion citizens was momentous. But now, close to three months later, it’s still unclear exactly how the decision will be implemented. Will it change everything for internet users? Or will the status quo remain? The most immediate consequence of the ruling is that tech companies such as Facebook, Twitter, Google, and Alibaba will be required to rein in their collection, utilization, and sharing of Indian user data. But the changes could go well beyond technology. If implemented properly, the decision could affect national politics, business, free speech, and society. It could encourage the country to continue to make large strides toward increased corporate and governmental transparency, stronger consumer confidence, and the establishment and growth of the Indian “individual” as opposed to the Indian collective identity. But that’s a pretty big if. Advertisement The privacy debate in India was in many ways sparked by a controversy that has shaken up the landscape of national politics for several months. It began in 2016 as a debate around a social security program that requires participating citizens to obtain biometric, or Aadhaar, cards. Each card has a unique 12-digit number and records an individual’s fingerprints and irises in order to confirm his or her identity. The program was devised to increase the ease with which citizens could receive social benefits and avoid instances of fraud. Over time, Aadhaar cards have become mandatory for integral tasks such as opening bank accounts, buying and selling property, and filing tax returns, much to the chagrin of citizens who are uncomfortable about handing over their personal data. Before the ruling, India had weak privacy protections in place, enabling unchecked data collection on citizens by private companies and the government. Over the past year, a number of large-scale data leaks and breaches that have impacted major Indian corporations, as well as the Aadhaar program itself, have prompted users to start asking questions about the security and uses of their personal data.

n order to bolster the ruling the government will also be introducing a set of data protection laws that are to be developed by a committee led by retired Supreme Court judge B.N. Srikrishna. The committee will study the data protection landscape, develop a draft Data Protection Bill, and identify how, and whether, the Aadhaar Act should be amended based on the privacy ruling.

Should the data protection laws be implemented in an enforceable manner, the ruling will significantly impact the business landscape in India. Since the election of Prime Minister Narendra Modi in May 2014, the government has made fostering and expanding the technology and startup sector a top priority. The startup scene has grown, giving rise to several promising e-commerce companies, but in 2014, only 12 percent of India’s internet users were online consumers. If the new data protection laws are truly impactful, companies will have to accept responsibility for collecting, utilizing, and protecting user data safely and fairly. Users would also have a stronger form of redress when their newly recognized rights are violated, which could transform how they engage with technology. This has the potential to not only increase consumer confidence but revitalize the Indian business sector, as it makes it more amenable and friendly to outside investors, users, and collaborators.

The White House on Wednesday made public for the first time the rules by which the government decides to disclose or keep secret software flaws that can be turned into cyberweapons — whether by U.S. agencies hacking for foreign intelligence, money-hungry criminals or foreign spies seeking to penetrate American computers. The move to publish an un­classified charter responds to years of criticism that the process was unnecessarily opaque, fueling suspicion that it cloaked a stockpile of software flaws that the National Security Agency was hoarding to go after foreign targets but that put Americans’ cyber­security at risk.

The rules are part of the “Vulnerabilities Equities Process,” which the Obama administration revamped in 2014 as a multi­agency forum to debate whether and when to inform companies such as Microsoft and Juniper that the government has discovered or bought a software flaw that, if weaponized, could affect the security of their product. The Trump administration has mostly not altered the rules under which the government reaches a decision but is disclosing its process. Under the VEP, an “equities review board” of at least a dozen national security and civilian agencies will meet monthly — or more often, if a need arises — to discuss newly discovered vulnerabilities. Besides the NSA, the CIA and the FBI, the list includes the Treasury, Commerce and State departments, and the Office of Management and Budget. The priority is on disclosure, the policy states, to protect core Internet systems, the U.S. economy and critical infrastructure, unless there is “a demonstrable, overriding interest” in using the flaw for intelligence or law enforcement purposes. The government has long said that it discloses the vast majority — more than 90 percent — of the vulnerabilities it discovers or buys in products from defense contractors or other sellers. In recent years, that has amounted to more than 100 a year, according to people familiar with the process. But because the process was classified, the National Security Council, which runs the discussion, was never able to reveal any numbers. Now, Joyce said, the number of flaws disclosed and the number retained will be made public in an annual report. A classified version will be sent to Congress, he said.

Eric Schmidt, the Executive Chairman of Google’s parent company Alphabet, says the company will “engineer” specific algorithms for RT and Sputnik to make their articles less prominent on the search engine’s news delivery services. “We are working on detecting and de-ranking those kinds of sites – it’s basically RT and Sputnik,” Schmidt said during a Q & A session at the Halifax International Security Forum in Canada on Saturday, when asked about whether Google facilitates “Russian propaganda.”

“We are well of aware of it, and we are trying to engineer the systems to prevent that [the content being delivered to wide audiences]. But we don’t want to ban the sites – that’s not how we operate.”The discussion focused on the company’s popular Google News service, which clusters the news by stories, then ranks the various media outlets depending on their reach, article length and veracity, and Google Alerts, which proactively informs subscribers of new publications.

The Alphabet chief, who has been referred to by Hillary Clinton as a “longtime friend,” added that the experience of “the last year” showed that audiences could not be trusted to distinguish fake and real news for themselves.“We started with the default American view that ‘bad’ speech would be replaced with ‘good’ speech, but the problem found in the last year is that this may not be true in certain situations, especially when you have a well-funded opponent who is trying to actively spread this information,” he told the audience.

Researchers at Yale Privacy Lab and French nonprofit Exodus Privacy have documented the proliferation of tracking software on smartphones, finding that weather, flashlight, rideshare, and dating apps, among others, are infested with dozens of different types of trackers collecting vast amounts of information to better target advertising. Exodus security researchers identified 44 trackers in more than 300 apps for Google’s Android smartphone operating system. The apps, collectively, have been downloaded billions of times. Yale Privacy Lab, within the university’s law school, is working to replicate the Exodus findings and has already released reports on 25 of the trackers. Yale Privacy Lab researchers have only been able to analyze Android apps, but believe many of the trackers also exist on iOS, since companies often distribute for both platforms. To find trackers, the Exodus researchers built a custom auditing platform for Android apps, which searched through the apps for digital “signatures” distilled from known trackers. A signature might be a tell-tale set of keywords or string of bytes found in an app file, or a mathematically-derived “hash” summary of the file itself. The findings underscore the pervasiveness of tracking despite a permissions system on Android that supposedly puts users in control of their own data. They also highlight how a large and varied set of firms are working to enable tracking.

What is F-Droid? F-Droid is an installable catalogue of FOSS (Free and Open Source Software) applications for the Android platform. The client makes it easy to browse, install, and keep track of updates on your device.

The Congressional Research Service produced a newly updated report on the subject, suggesting that congressional intervention might be appropriate. “The FCC’s move to reexamine its existing open Internet rules has reopened the debate over whether Congress should consider a more comprehensive measure to amend existing law to provide greater regulatory stability and guidance to the FCC,” the CRS report said, adding that whether Congress would do so “remains to be seen.”  See The Net Neutrality Debate: Access to Broadband Networks, updated November 22, 2017.

For years, Comcast has been promising that it won't violate the principles of net neutrality, regardless of whether the government imposes any net neutrality rules. That meant that Comcast wouldn't block or throttle lawful Internet traffic and that it wouldn't create fast lanes in order to collect tolls from Web companies that want priority access over the Comcast network. This was one of the ways in which Comcast argued that the Federal Communications Commission should not reclassify broadband providers as common carriers, a designation that forces ISPs to treat customers fairly in other ways. The Title II common carrier classification that makes net neutrality rules enforceable isn't necessary because ISPs won't violate net neutrality principles anyway, Comcast and other ISPs have claimed. But with Republican Ajit Pai now in charge at the Federal Communications Commission, Comcast's stance has changed. While the company still says it won't block or throttle Internet content, it has dropped its promise about not instituting paid prioritization.

Instead, Comcast now vaguely says that it won't "discriminate against lawful content" or impose "anti-competitive paid prioritization." The change in wording suggests that Comcast may offer paid fast lanes to websites or other online services, such as video streaming providers, after Pai's FCC eliminates the net neutrality rules next month.

The Russian government is reportedly considering building an “independent internet infrastructure” that it can use as an alternative to the global Domain Name System, or DNS system. Last month, Russia’s Security Council asked the government to start building a backup DNS system citing “the increased capabilities of Western nations to conduct offensive operations.”

However, some defense experts say the move could “have more to do with Moscow’s own plans for offensive cyber operations,” according to the Defense One website. The alternative DNS would also serve the so-called BRIC nations — Brazil, Russia, India, China, and South Africa — and would operate independently of international organizations.

Russian president Vladimir Putin set a deadline of August 2018 to complete the infrastructure.

The information security world is focused on two new security vulnerabilities, “Spectre” and “Meltdown”, that represent vulnerabilities embedded in computer hardware. Lawfare readers should respond in two ways: keep their operating systems up to date and, critically, install an ad-blocker for your web browser. (Here are guides on how to do so in Chrome and Firefox.) In fact, a proper response to Spectre should involve ad-blocking on all government computers. Other than that, don’t worry. Readers who just wanted to know what to do can stop reading. But for those curious about some of the technical background on these vulnerabilities and why ad-blocking is an essential security measure for a modern computer, read on.

Such profiteering tactics have disproportionately affected low-income and rural communities. ISPs have long redlined these demographic groups, creating what’s commonly known as the “digital divide.” Thirty-nine percent of Americans lack access to service fast enough to meet the federal definition of broadband. More than 50 percent of adults with household incomes below $30,000 have home broadband—a problem plaguing users of color most acutely. In contrast, internet access is near-universal for households with an annual income of $100,000 or more. The reason for such chasms is simple: Private network providers prioritize only those they expect to provide a return on investment, thus excluding poor and sparsely populated areas.

Chattanooga, Tennessee, has seen more success in addressing redlining. Since 2010, the city has offered public broadband via its municipal power organization, Electric Power Board (EPB). The project has become a rousing success: At half the price, its service is approximately 85 percent faster than that of Comcast, the region’s primary ISP prior to EPB’s inception. Coupled with a discounted program for low-income residents, Chattanooga’s publicly run broadband reaches about 82,000 residents—more than half of the area’s Internet users—and is only expected to grow. Chattanooga’s achievements have radiated to other locales. More than 450 communities have introduced publicly-owned broadband. And more than 110 communities in 24 states have access to publicly owned networks with one gigabit-per-second (Gbps) service. (AT&T, for example, has yet to introduce speeds this high.) Seattle City Councilmember Kshama Sawant proposed a pilot project in 2015 and has recently urged her city to invest in municipal broadband. Hawaii congressperson Kaniela Ing is drafting a bill for publicly-owned Internet for the state legislature to consider next year. In November, residents of Fort Collins, Colo. voted to authorize the city to build municipal broadband infrastructure.

It's an uncertain waiting game as to when the next-generation high-speed wireless service known as 5G will reach mass market, but the business implications are already a major talking point at CES 2018.

The term "5G" refers to the fifth-generation wireless broadband technology based on the 802.11ac standard. The packet of technology will bring speed and coverage improvements from 4G, with low-latency wireless up to 1GB/s, and it'll spur a host of new opportunities for enterprises and workplace productivity.In a panel discussion at CES, a trio of executives from Qualcomm, Ericsson, and Nokia discussed how 5G could transform industries ranging from transportation to manufacturing.

Some 5G rollouts are already planned for 2018. Samsung announced last Wednesday that it will provide Verizon with routers and radio frequency planning services for the carrier's initial 5G commercial rollout that will begin in Sacramento, Calif., in the second half of 2018.Meanwhile, AT&T announced that it will provide 5G services in roughly 12 markets by late 2018, with plans to offer the service to consumers while it trials 5G technology with businesses across all industries.Still, the panel of executives at CES remain skeptical that 5G would roll out for most Americans before late 2019 or 2020.

The request is one of the first responses from the U.S. Congress to the disclosure earlier this month by security researchers of the two major flaws, which may allow hackers to steal passwords or encryption keys on most types of computers, phones and cloud-based servers. McNerney, a member of the House Energy and Commerce Committee, asked the companies to explain the scope of Spectre and Meltdown, their timeframe for understanding the vulnerabilities, how consumers are affected and whether the flaws have been exploited, among other questions.

With over 1.5 billion people using Facebook has become the superpower of the social media landscape. With with power comes responsibility and Facebook has unfortunately been responsibly for some pretty shady revelations!

Where power is not overtly totalitarian, wealthy elites have bought up all media, first in print, then radio, then television, and used it to advance narratives that are favorable to their interests. Not until humanity gained widespread access to the internet has our species had the ability to freely and easily share ideas and information on a large scale without regulation by the iron-fisted grip of power. This newfound ability arguably had a direct impact on the election for the most powerful elected office in the most powerful government in the world in 2016, as a leak publishing outlet combined with alternative and social media enabled ordinary Americans to tell one another their own stories about what they thought was going on in their country.This newly democratized narrative-generating power of the masses gave those in power an immense fright, and they’ve been working to restore the old order of power controlling information ever since. And the editor-in-chief of the aforementioned leak publishing outlet, WikiLeaks, has been repeatedly trying to warn us about this coming development.

In a statement that was recently read during the “Organising Resistance to Internet Censorship” webinar, sponsored by the World Socialist Web Site, Assange warned of how “digital super states” like Facebook and Google have been working to “re-establish discourse control”, giving authority over how ideas and information are shared back to those in power.Assange went on to say that the manipulative attempts of world power structures to regain control of discourse in the information age has been “operating at a scale, speed, and increasingly at a subtlety, that appears likely to eclipse human counter-measures.”What this means is that using increasingly more advanced forms of artificial intelligence, power structures are becoming more and more capable of controlling the ideas and information that people are able to access and share with one another, hide information which goes against the interests of those power structures and elevate narratives which support those interests, all of course while maintaining the illusion of freedom and lively debate.

To be clear, this is already happening. Due to a recent shift in Google’s “evaluation methods”, traffic to left-leaning and anti-establishment websites has plummeted, with sites like WikiLeaks, Alternet, Counterpunch, Global Research, Consortium News, Truthout, and WSWS losing up to 70 percent of the views they were getting prior to the changes. Powerful billionaire oligarchs Pierre Omidyar and George Soros are openly financing the development of “an automated fact-checking system” (AI) to hide “fake news” from the public.

For Facebook, journalism has been a pain in the neck from day one. Now, bogged down with the insoluble problems of fake news and bad PR, it’s clear that Facebook will gradually pull the plug on news. Publishers should stop whining and move on.Let’s admit that publishers have been screwed by Facebook. Not because Mark Zuckerberg is evil, but because he’s a pragmatist. His latest move should not come as a surprise. On Thursday, for the second time in six months, Facebook stated publicly that news (i.e., journalism) will appear further down in everyone’s newsfeed, in order to favor posts from friends, family and “groups.” Here is how Zuck defended the move:“The research shows that when we use social media to connect with people we care about, it can be good for our well-being. We can feel more connected and less lonely, and that correlates with long term measures of happiness and health. On the other hand, passively reading articles or watching videos — even if they’re entertaining or informative — may not be as good. Based on this, we’re making a major change to how we build Facebook. I’m changing the goal I give our product teams from focusing on helping you find relevant content to helping you have more meaningful social interactions”.Consider us notified. Facebook is done with journalism. It will happen, slowly, gradually, but the trend is here. In this context, the email sent yesterday by Campbell Brown, Facebook’s head of news partnerships, who states “news remains a top priority for us,” rings hollow.

These and other classified documents provided by former NSA contractor Edward Snowden reveal that the NSA has developed technology not just to record and transcribe private conversations but to automatically identify the speakers. Americans most regularly encounter this technology, known as speaker recognition, or speaker identification, when they wake up Amazon’s Alexa or call their bank. But a decade before voice commands like “Hello Siri” and “OK Google” became common household phrases, the NSA was using speaker recognition to monitor terrorists, politicians, drug lords, spies, and even agency employees. The technology works by analyzing the physical and behavioral features that make each person’s voice distinctive, such as the pitch, shape of the mouth, and length of the larynx. An algorithm then creates a dynamic computer model of the individual’s vocal characteristics. This is what’s popularly referred to as a “voiceprint.” The entire process — capturing a few spoken words, turning those words into a voiceprint, and comparing that representation to other “voiceprints” already stored in the database — can happen almost instantaneously. Although the NSA is known to rely on finger and face prints to identify targets, voiceprints, according to a 2008 agency document, are “where NSA reigns supreme.” It’s not difficult to see why. By intercepting and recording millions of overseas telephone conversations, video teleconferences, and internet calls — in addition to capturing, with or without warrants, the domestic conversations of Americans — the NSA has built an unrivaled collection of distinct voices. Documents from the Snowden archive reveal that analysts fed some of these recordings to speaker recognition algorithms that could connect individuals to their past utterances, even when they had used unknown phone numbers, secret code words, or multiple languages.

The classified documents, dating from 2004 to 2012, show the NSA refining increasingly sophisticated iterations of its speaker recognition technology. They confirm the uses of speaker recognition in counterterrorism operations and overseas drug busts. And they suggest that the agency planned to deploy the technology not just to retroactively identify spies like Pelton but to prevent whistleblowers like Snowden.

The European Commission, on January 24, published its guidance aimed to facilitate a direct and smooth application of the European Union’s new data protection rules across the EU as of 25 May. The Commission also launches a new online tool dedicated to SMEs.

With just over 100 days left before the application of the new law, the guidance outlines what the European Commission, national data protection authorities and national administrations, according to the Commission, should still do to bring the preparation to a successful completion. The Commission notes that while the new regulation provides for a single set of rules directly applicable in all Member States, it will still require significant adjustments in certain aspects, like amending existing laws by EU governments or setting up the European Data Protection Board by data protection authorities. The Commission states that the guidance recalls the main innovations, opportunities opened up by the new rules, takes stock of the preparatory work already undertaken and outlines the work still ahead of the European Commission, national data protection authorities and national administrations. Andrus Ansip, European Commission Vice-President for the Digital Single Market, said: “Our digital future can only be built on trust. Everyone’s privacy has to be protected. Strengthened EU data protection rules will become a reality on 25 May. It is a major step forward and we are committed to making it a success for everyone.” Vĕra Jourová, Commissioner for Justice, Consumers and Gender Equality, added:” In today’s world, the way we handle data will determine to a large extent our economic future and personal safety. We need modern rules to respond to new risks, so we call on EU governments, authorities and businesses to use the remaining time efficiently and fulfil their roles in the preparations for the big day.”

The guidance recalls the main elements of the new data protection rules: One set of rules across the continent, guaranteeing legal certainty for businesses and the same data protection level across the EU for citizens. Same rules apply to all companies offering services in the EU, even if these companies are based outside the EU. Stronger and new rights for citizens: the right to information, access and the right to be forgotten are strengthened. A new right to data portability allows citizens to move their data from one company to the other. This will give companies new business opportunities. Stronger protection against data breaches: a company experiencing a data breach, which put individuals at risk, has to notify the data protection authority within 72 hours. Rules with teeth and deterrent fines: all data protection authorities will have the power to impose fines for up to EUR 20 million or, in the case of a company, 4% of the worldwide annual turnover.

An analysis of public comments on the FCC's plan to repeal net neutrality rules found that 2 million of them were filed using stolen identities. That's according to New York Attorney General Eric Schneiderman. "Millions of fake comments have corrupted the FCC public process—including two million that stole the identities of real people, a crime under New York law," Schneiderman said in an announcement today. "Yet the FCC is moving full steam ahead with a vote based on this corrupted process, while refusing to cooperate with an investigation."

Some comments were submitted under the names of dead people. "My LATE husband's name was fraudulently used after a valiant battle with cancer," one person told the AG's office. "This unlawful act adds to my pain that someone would violate his good name." Schneiderman set up a website where people can search the FCC comments for their names to determine if they've been impersonated. So far, "over 5,000 people have filed reports with the Attorney General's office regarding identities used to submit fake comments," the AG's announcement said.

While the 5,000 reports provide anecdotal evidence, the AG's office performed an analysis of the 23 million public comments in order to figure out how many were submitted under falsely assumed identities. Many comments for and against net neutrality rules are identical because advocacy groups urged people to sign form letters, so the text of a comment alone isn't enough to determine if it was submitted by a real person. The AG's office thus examined comment text along with other factors, such as whether names matched lists of stolen identities from known data breaches. Schneiderman's office also told Ars that it looked into whether or not the submission of comments was in alphabetical order, one after another, in short time periods. In general, analysis of formatting and metadata played a role in the analysis. The number of comments believed to be fake has grown as the A.G.'s investigation continues, and it isn't done yet. Schneiderman's office is still analyzing the public comments. We asked Schneiderman's office how many of the fake comments supported net neutrality rules, and how many opposed them, but were told that the information was not available. While fake comments used names and addresses of people from across the nation, more than "100,000 comments per state" came "from New York, Florida, Texas, and California," Schneiderman's announcement said.