FLOSS after Prism: Anonymity by default

In my last blog post I discussed that we have to protect the user’s privacy better by giving the user the choice to decide which data gets submitted to services. In this blog post I want to share some thoughts about the case that the data is submitted and how to protect the user in such a case.

There are of course many legit online communications done by our systems. They should check for security updates, a weather applet might want to check the latest weather for the place you live in and so on and on. While this is obviously data the user wants to be submitted, the process of submitting the data is concerning from a privacy point of view. While it is in fact just meta data, it is telling a lot about the person.

Let’s just look at system updates and what they tell us:

  • Unique identification of the user through IPv6
  • Location of the user through the IP address
  • Identification of the used operating system (e.g. asking debian for updates implies you use Debian)
  • Interval in which the system is used (e.g. daily updates)

This is a rather threatening set of data especially if I think about that some proprietary software installed additional sources.list entries on my system (Google and Steam) without ever asking me.

But there is an easy way to protect the user’s privacy in such cases through anonymity. With the help of the Tor project it is possible to completely hide the information listed above. If the user cannot be uniquely identified any more, the information which can be derived from that gets lost. And that is a good thing.

Of course any user could just install Tor. But let’s face it: it’s difficult and complex and the user needs to know that Tor exists in the first place. It’s a nice solution for informed people like me, but certainly not for the vast majority of people for whom we develop free software.

So it is up to us to improve the situation. Why not integrate Tor (or similar services) directly in our products? For data like the weather applet it could just sent all requests through Tor and by that help to protect the users. Yes it requires more work from us developers, but in the end we are the only ones who really can decide whether it’s useful to use Tor for a given service or not. Let’s face it: for a Facebook status update applet using Tor is rather pointless. So let’s use anonymity where it is possible, where it makes sense and let’s integrate this information into the privacy center I proposed in my last blog post.

29 thoughts on “FLOSS after Prism: Anonymity by default

      1. I agree with you, but talking about PRISM, which is a nation-state attack on privacy: that’s exactly the case in which Tor is probably totally uneffective, as well explained by that article.

        Yet, you need to be a heck of a criminal to be worth the attention of a nation-state.

        1. Actually if we would use Tor (or similar services) for not really relevant data in FLOSS by default, the Tor network would become more secure by that. For two reasons: there is more traffic and there are more people who might start running an exit node.

  1. I am not so sure Tor is the right answer. It is slow and does not guarantee privacy.

    I don’t think much other messures than using https and ssl can be taken. In some cases encryption could be used.

    1. There are things where the slowness of Tor doesn’t matter. Consider downloading the latest weather in the background. It’s not like the user is waiting for that to finish.

      1. Yes, but I am thinking we might need something better. Something like BitMessage or similar. Or some protocol that ensures privacy. Tor could give a false sense of security.

    2. We are talking about a different problem here: https and ssl are about hiding the message, Tor is about hiding the identity of the sender of the message.

      1. Yes, I know.. but it doesn’t do that good enough. What I meant was that we should maybe find a new way which is better than Tor.

  2. I don’t know, if you know pidgin. But the network settings in the pidgin GUI provides an very simple way to connect with tor, so even a normal user could get this (You can choose Tor as proxy).

    I think, you have to let the users have the choice. This only works, if there are simple GUIs a normal user could manage, but such a GUI is kind of missing. An example: A few days ago I want to achieve, that Akregator uses Tor: I had to install Konquerer, set there a proxy (this changes a kioslavefile in my home directory), also add a dns-request policy manually in my kde settings files (so dns request go also through tor, does still not work) and uninstall Konquerer again. Maybe kioslave is already an interface for global proxy settings, but there is no access through a global GUI.

    1. no that’s not easy as it’s already hidden in the network settings. Do you expect users to go there? I don’t.

      1. It’s not bad at all. Choose “Tor” is much more simple than choose 127.0.0.1 with port xy etc..
        I understand your view, but such a predefined Tor configuration option is a step in the right direction.
        Especially for Pidgin there is also the problem, that not every chat server, not even every jabber server could be connected via Tor. (You say, developers could hardcode this, but for every jabber server it is really difficult.)

    2. you could simply use proxychains (or some GUI that uses it) to route all the traffic from one application to tor… that would solve one problem the author is pointing out (or that’s what I understood..)
      now, the whole privacy topic is a lot more deeper than that. and it makes me happy that a KDE developer is pushing it, since a LOT of KDE apps assume you are the only user of you computer… and store your personal data in the clear, and/or in a centralized way, which, for me, makes it easier to an attacker to collect data.

  3. I like the idea.
    But what is the advantage of tor over anonymous proxy servers if the goal is to secure the users anonymity against weather services?
    KDE could operate their own trusted proxy that could be demanded by their software.
    Wouldn’t that be easier and faster?

    1. and by that have a single point of failure? Or a single point where all the traffic can be intercepted. No, tor is a nice solution as it generates an overlay network.

  4. First I have to say that I agree with you on applications explaining how they use our data when they send it to a remote server (VLC album cover download explanation is the perfect example here). The user must be able to disable those features and they should not be enabled by default, or only enabled like VLC does it, with a first time warning describing the issue.

    I think the problem with the Ubuntu-Amazon thing is that it is opt-out/enabled by default and there no confirmation asked the first time you use it to warn the user (I never used it myself, correct me if I’m wrong).

    * IPv4/6 is not anonymous by design thus communication using the IP protocol will always disclose informations (and all communications whatever the protocol will always disclose informations). Using Tor to “fix” this isn’t really an acceptable solution. Just like HTTP/HTTPS, there is a choice to be made on which information to encrypt/anonymize and which to keep in the clear because there isn’t much point anonymizing it. If you want a private by default network, you have to change the basic protocols the Internet relies on.

    * The weather applet is a completely different issue. The user has to actually configure it to make it useful and it feels quite obvious it’s not giving weather prediction out of thin air; it must get them somewhere. The configuration “stage” is the most important here and the user should be made aware of privacy considerations at this step.
    Moreover, hiding your IP behind Tor is pointless as most people will check the weather for the location they currently live in thus revealing their location. You could then request several random locations to bypass this, but statistics may counter that and this is quickly getting to the point where getting the weather is way to much traffic for a simple thing.
    Don’t event think about getting it on a slow network. I don’t really want to request five times more information to get the one I really want just to make me “anonymous” as far as weather is concerned.

    * System updates also are a completely different issue. First they are mirrors, thus the service is not as centralized like a weather forecast service may be so information collection would not be as easy. Moreover, the information available to the mirror is an issue only if it is collected and stored by the mirror. At this point, it becomes a trust issue. Do you trust the mirror you selected to not store information on you ?
    There is no point in discussing proprietary software phoning home to get updates as they are closed anyway and you’ll “never know” which kind of informations they will send “home”. They could easily send your IP address without you knowing when requesting updates, thus making Tor useless.
    The interval at which you update your system is also easily guessable if you have access to all the mirrors and make correlations between them. The operating system used is not something you can really hide either without making pointless requests to different distributions mirrors at random.

    Fighting PRISM isn’t about becoming paranoid. It is about fighting the usability fights that matters just like VLC did.

    1. Moreover, hiding your IP behind Tor is pointless as most people will check the weather for the location they currently live in thus revealing their location.

      Yes, but all the weather service provider knows is someone is using it from said location. They won’t have the IP information, and presumably any other information sent to the server could be spoofed (similar to how the browser’s User-Agent string could) to mimic other users of that weather service

      1. And if tor is used the weather service will get a lot of “strange” data. Like people from Australia requesting weather for Europe.

  5. Good thoughts :-) but…

    Using tor is a another blackbox for the user and implies more difficulty if there is something wrong. E.g. an update does not work… ore the weather-data could not be retrieved.

    The discussion of privacy lacks on something different: No one knows, or could really say, what privacy is or in which cases the privacy is in danger. As long as most of the people do not know that, you could do what you want, it interests only some few people.

    Using tor for some applications seems to me like using homeopathy to heal rhinitis. Its not really clear, what benefit it would bring.

    I agree with Siosm.

    PRISM is the discussion starter, but the discussion misses the mark. Pickup the data from IXPs is something different to gather information of your hole life.

    BTW: Your Blog hostet by WordPress tries to gather information from the readers…. where do you begin,to protect the users privacy? ;)

  6. It’s a very good idea!
    It would be nice to start with little things like a tor-weather-app to get expirents.

    Stop feeding BIG DATA MONSTER

  7. What makes Tor preferred over I2P? Have you considered I2P? I personally see I2P as a better and more secure solution to the same problem.

    1. this was an example. If someone goes to implement something like that I’m sure (s)he will make a good evaluation of all available options.

Comments are closed.