Privacy & Surveillance

Posts under this category name relate to privacy generally, rather than distinguishing between the various ‘kinds’ of discussing or recognizing privacy.

Packet Headers and Privacy

/ Christopher Parsons / 1 Comment

One of the largest network vendors in the world is planning to offer their ISP partners an opportunity to modify HTTP headers to get ISPs into the advertising racket. Juniper Networks, which sells routers to ISPs, is partnering with Feeva, an advertising solutions company, to modify data packets’ header information so that the packets will include geographic information. These modified packets will be transmitted to any and all websites that the customer visits, and will see individuals receive targeted advertisements according to their geographical location. Effectively, Juniper’s proposal may see ISPs leverage their existing customer service information to modify customers’ data traffic for the purposes of enhancing the geographic relevance of online advertising. This poses an extreme danger to citizens’ locational and communicative privacy.

Should ISPs adopt Juniper’s add-on, we will be witnessing yet another instance of repugnant ‘innovation’ that ISPs are regularly demonstrating in their efforts to enhance their revenue streams. We have already seen them forcibly redirect customers’ DNS requests to ad-laden pages, provide (ineffective) ‘anti-infringement’ software to shield citizens from threats posed by three-strikes laws, and alter the payload content of data packets for advertising. After touching the payload – and oftentimes being burned by regulators – it seems as though the header is the next point of the packet that is to be modified in the sole interest of the ISPs and to the detriment of customers’ privacy.

Continue reading

Apple and Locational Data Sharing

/ Christopher Parsons

Apple’s entrance into the mobile advertising marketplace was born with their announcement of iAd. Alongside iAd comes persistent locational surveillance of Apple’s customers for the advantage of advertisers and Apple. The company’s advertising platform is controversial because Apple gives it a privileged position in their operating system, iOS4, and because the platform can draw on an iPhone’s locational awareness (using the phone’s GPS functionality) to deliver up targeted ads.

In this post I’m going to first give a brief background on iAd and some of the broader issues surrounding Apple’s deployment of their advertising platform. From there, I want to recap what Steve Jobs stated in a recent interview at the All Things Digital 8 concerning how Apple approaches locational surveillance through their mobile devices and then launch into an analysis of Apple’s recently changed terms of service for iOS4 devices as it relates to collecting, sharing, and retaining records on an iPhone’s geographic location. I’ll finish by noting that Apple may have inadvertently gotten itself into serious trouble as a result of its heavy-handed control of the iAd environment combined with modifying the privacy-related elements of their terms of service: Apple seems to have awoken the German data protection authorities. Hopefully the Germans can bring some transparency to a company regularly cloaked in secrecy.

Apple launched the iAd beta earlier this year and integrates the advertising platform into their mobile environment such that ads are seen within applications, and clicking on ads avoids taking individuals out of the particular applications that the customers are using. iAds can access core iOS4 functionality, including locational information, and can be coded using HTML 5 to provide rich advertising experiences. iAd was only made possible following Apple’s January acquisition of Quattro, a mobile advertising agency. Quattro was purchased after Apple was previously foiled in acquiring AdMob by Google last year (with the FTC recently citing iAd as a contributing reason why the Google transaction was permitted to go through). Ostensibly, the rich advertising from iAds is intended to help developers produce cheap and free applications for Apple’s mobile devices while retaining a long-term, ad-based, revenue stream. Arguably, with Apple taking a 40% cut of all advertising revenue and limiting access to the largest rich-media mobile platform in the world, advertising makes sense for their own bottom line and its just nice that they can ‘help’ developers along the way… Continue reading

DoubleClick, Cookies, and Personal Information

/ Christopher Parsons

The web operates the way it does, largely, because there is a lot of money to be made in the digitally-connected ecosystem. Without the revenues brought in by DoubleClick, as an example, Google would likely be reluctant to provide its free services that are intended to bring you into Google’s ad-serving environment. A question that needs to be asked, however, is whether DoubleClick and related ad delivery systems: (a) collect personal information; (b) if the answer to (a) is “yes”, then whether such collections might constitute privacy infringements.

In the course of this post, I begin by outlining what constitutes personal information and then proceed to outline DoubleClick’s method of collecting personal information. After providing these outlines, I argue that online advertising systems do collect personal information and that the definitions that Google offers for what constitutes ‘personal information’ are arguably out of line with Canadian sensibilities of what is ‘personal information’. As a result, I’ll conclude by asserting that violations may in fact be occurring, with the argument largely emerging from Nissembaum’s work on contextual integrity. Before proceeding, however, I’ll note that I’m not a lawyer, nor am I a law student: what follows is born from a critical reading of information about digital services and writings from philosophers, political scientists, technologists and privacy commissioners. Continue reading

Privacy Issues Strike Street View (Again)

/ Christopher Parsons / 5 Comments

Google Street View has come under fire again, this time for collecting wireless router information and some packets of data whilst wandering the globe and collecting pictures of our streets. It looks like the German authorities, in particular, may come down hard of Google though I’m at odds about the ‘calibre’ of the privacy violation – router information is fair game as far as I’m concerned, though data packets are a little dicier. But before I dig into that, let me outline what’s actually gone on.

Last Friday, Google announced that they had been inadvertently collecting some data packets sent via unencrypted wireless access points for the past three years. This admission came after the Street View program (again) came under criticism from German data protection authorities following Google’s (original, and earlier) admission that they had only been collecting information about wireless routers as they drove their cars around towns. Specifically, the original admission saw Google reveal they had collected the SSID and MAC addresses of routers. In layman’s terms, the SSID is the name of the wireless network that is usually given to the device during configuration processes following the installation of the device (e.g. Apartment 312, Pablo14, or any of the other names that are shown when you scan for wireless networks from your computer). The MAC address a unique number that is associated with each piece of Internet networking equipment; your wireless card in your computer, your LAN card, your router, and your iPhone all have unique numbers. After collecting both the SSID and MAC address of a wireless router the company identified the physical location of the device using a GPS system.

Google collects information about wireless networks and (almost more importantly) their physical location to provide a wifi-based geolocation system. Once they know where wireless routers are, and plot them on a map, you don’t need GPS to plan and trace a route through a city because a wireless card and low-powered computer will suffice. There are claims that this constitutes a privacy infringement, insofar as the correlation of SSID, MAC address, and physical location of the router constitute personal information. I’m not sure that I agree with this, as the Google service stands now.

Continue reading

Twitter, Mobile Browsers, and Metadata Privacy

/ Christopher Parsons

If you spend much time working with computers then you’re likely familiar with metadata, or data about data. In the digital era metadata is relied upon for many of the tagging and categorization systems that are seen in popular web environments, such as Twitter, Digg, Delicious, Facebook, and so forth, and is more generally used to define, structure, and administrate data across all digital environments. I should state, upfront, that metadata is incredibly valuable: nothing that I’m going to write about should leave you with the suggestion that metadata should be removed from the digital landscape or could be removed. Instead I’m advocating for a responsible use of metadata.

In this post I will be drawing on a pair of examples to underscore just how much data is contained in popular metadata structures: the information divulged every time a person tweets on Twitter, and what your mobile phone operator may be giving up to third-parties when you browse the web on your phone. In the latter case, especially, we see that metadata is not just important for routing data traffic but also responsible for disclosing a considerable amount of personal information. I’ll conclude by noting, once again, that our privacy regulators, commissioners, advocates, and researchers need to additional funding if citizens are to have those parties regularly identify ‘bad’ metadata practices and seek rapid remedies before the data ends up being datamined for illicit or unjustifiable reasons.

Continue reading

Deep Packet Inspection Canada

/ Christopher Parsons

Last week my advisor, Dr. Colin Bennett, and I launched a new website that is meant to provide Canadians with information about how their Internet Service Provider (ISP) monitors data traffic and manages their network. This website, Deep Packet Inspection Canada, aggregates information that has been disclosed on the public record about how the technology is used, why, and what uses of it are seen as ‘off limits’ by ISPs. The research has been funded through the Office of the Privacy Commissioner of Canada’s contributions program.

Deep packet inspection is a technology that facilitates a heightened awareness of what is flowing across ISP networks. It has the ability to determine the protocols responsible for shuttling information to and from the Internet, the applications that are used in transmitting the data, and (in test conditions) can even extract elements of data from the application layer of the data traffic in real time and compare it against other packet signatures to block particular data flows based on the content being accessed. Additionally, the technology can be used to modify packet flows using the technology – something done by Rogers – but it should be noted that DPI is not presently used to prevent Canadians from accessing particular content on the web, nor is it stopping them from using P2P services to download copywritten works.

Continue reading