Postcards from the edge – and your (lack of) online privacy

Everyone likes getting postcards — but we don’t think of the contents as especially valuable or private. That’s why important news goes into an envelope – we just don’t like people being able to read about our lives and interests.

There are entities on the watch

Even if we don’t think about it as we look for cat videos or social news, the internet is one of the most closely watched locations on the planet. Some countries have closely regulated limits on who can search for what and where, blocking access to some sites and services at the border, filtering out some topics from search engines, and even making it illegal to have some privacy apps such as VPNs on their devices. While much of these those controls are made for political reasons, the same technical mechanisms are used track and record people in the United States. These ever-more detailed and targeted profiles of you aren’t after your direct control, they are just transforming you into a commercial commodity that can be bought and sold and hit with advertisements.

But I don’t have anything to hide!

Some people poo-pah the need for online security and privacy with the observation “I have nothing to hide.” However, I doubt that these very same individuals send all of their letters in the form of postcards – they use envelopes. They would describe it as, “it’s not that we have super-secret information, it’s just that we want to have some privacy in our lives.”

The problem of packets and postcards

The postcard reference is not accidental. The basic unit for transmitting information across the internet is a data packet. And, like a postcard, these packets are not always encrypted – that means the address where you are sending the packet from, the destination, device and location information, and the message in the packet can be intercepted and read.

They can also be read by about anyone throughout the transmission chain – the guy sitting across from you in the café, the ISP, and the place you are communicating with. They can sometimes even step into the conversation unannounced and unnoticed by you. This is the situation with the internet standby of HTTP.

Incognito as Groucho Marx

Switching on the browser’s incognito function hides you from trackers just like running postcards out to the mailbox in a Groucho Marx mask. All activity is visible and readable – it just is not clear who person dropped the letters in the device mailbox — but the postcard messages are still openly readable by everyone. Incognito only hides you from the other person using the device – nothing more. So if you think of the Groucho glasses and mustache as a silly, useless costume – you understand the value of the incognito function.

Envelope strategy with HTTPS

The improvement to HTTP came with HTTPS. The additional S standing for secure, signifying that the connection and the data packet payloads are encrypted using the Transport Layer Security. It is usually shown as a little lock icon in the corner.

HTTPS used to be used primarily for eshop and banking due to the cost of having a certification for each transaction. The lack of a HTTPS mark has been a reliable symbol that the website was poorly assembled and was a warning flag of a phishing site. But as certification costs have dropped to near zero, HTTPS use has grown to make up about over two thirds of all web traffic. Even some phishing sites are now using HTTPS.

But, HTTPS is not perfect. Think of it as an envelope for your letters, keeping prying eyes from reading the contents. However, it is limited as it does not conceal who you are writing to and your own location. Even worse, it’s an envelope that can be messed with at the major connection points – as the TLS “handshake.”

Adding up the HTTPS issues

It is probably best to think of HTTPS as providing partial or incomplete encryption. Although the content of your activities may be safely encrypted in those data packets, there is a lot of additional information about you exposed on the metadata.

Three areas that HTTPS leaves uncovered are location, destination, and device details.

  1. Location privacy – Every packet has an IP address for your device, one of the essential identifying elements for the internet. This is used to route these packets straight to your device and tells the internet traffic routers where you are.
  2. Destination privacy – Every site you visit is transformed from text into a numerical sequence called a DNS. the DNS – the Domain Name System – the process for converting a text URLs into numerical IP addresses. While the content viewed may not be visible, the place where it is going certainly is.
  3. Device details – As part of making the connection, each packet describes your device, the operating system, some of the major programs/apps used, even some details about the monitor size and settings. Because most of us have customized our devices to some degree, this also helps identify them out.

Thanks to these three issues, the internet postman/trackers know that you use your smartphone during the day and laptop in the evening, are usually home from 7:30 in the evening, most of your searches for vacation information are done on the laptop, and something about your searches, and currently you are on vacation outside of the USA and should be blocked from watching your favorite series.

Aren’t you glad they don’t know even more about you? Thwarting this surveillance economy and keeping our own individual autonomy is what this quest for privacy is all about.

 

As a PR Consultant and journalist, Frink has covered IT security issues for a number of security software firms, as well as provided reviews and insight on the beer and automotive industries (but usually not at the same time). Otherwise, he’s known for making a great bowl of popcorn and extraordinary messes in a kitchen.