I’ve spoken about trackers before and recommended four steps/solutions for protecting your browsing privacy:
Companies are increasingly more interested in selling your personal information than protecting you (see a few Canadian examples here).
Yesterday I was interviewed by CBC regarding a viral video of a speeding motorcycle here on Vancouver Island, and spoke about the potential to track the anonymous poster of the video using the internet. The irony is, I can’t watch the video that I’m in, as CBC has required tracking by Doubleclick (s0.2mdn.net) in order to view it. (Read my friend Chris’ detailed article on why Doubleclick is a concern.)
If you’re able to watch the video above, you haven’t taken sufficient measures to ensure your browsing security and you should be aware that you’re likely being heavily tracked. In essence, having the ability to watch the video equates to a violation of your privacy. Since most attacks these days are browser-based, you will be well served to take the steps listed above to both protect your browsing privacy and to make your computer(s) more secure overall.
I would argue the four steps listed above are even more important these days than having anti-virus software installed. The first three are browser plugins, so they should be easy to install. The fourth one is a little more complicated, so don’t hesitate to contact me if you need help going through this process as an individual or for your organization.
This is a time-sensitive post: CBC is a national Canadian treasure, and can resolve the tracking ability of their website at any time. Notify me if/when this happens and I will update the article as such, once verified. –Kris
Do you think such a thing could be implemented without any public consultation or corporate media attention? It exists. About 6 months ago at an Ideas Victoria meeting, Kevin S McArthur brought up the fact Victoria Police were using cameras on some of their police cars, called Automatic Licence Plate Recognition, or ALPR. As Chris Parsons and myself were in attendance, no strangers to privacy issues in Canada, we immediately had a list of questions about such a system. Who was running it (later to find out the RCMP)? How widespread was it? Where was the data sent and/or stored? Who had access to it? What type of information was stored? How was it claimed to be used, how could it be used?
Rob Wipond was also in attendance, one of Victoria’s last freelance journalists, and one of few I know who do investigative journalism… researching stories with more than a one day turn around for a quick hit. He was also very interested, and agreed to initiate the research by submitting some freedom of information (FOI) requests.
This story takes many bizarre twists and turns, including lies, misinformation and misunderstandings by everyone involved in this system. My thanks to the folks at FOCUS Online for supporting such research. This is the type of story that should be national, but nonetheless I’m proud a “little magazine from Victoria” can be responsible for disclosing such an important breach of our civil liberties.
You can read the entire article called Hidden Surveillance in the February 2012 issue of FOCUS, which is on newsstands now.
If the story interests you, Rob went a step further and published all of the documents he received from his FOI and Federal Access to Information requests!
Disclosure: I did not participate in most of the research, only in the initial planning stages, due to potential conflict of interest with my role on the Privacy and Access committee of the BC Civil Liberties Association and other commitments.
On Vancouver Island, you might pick up the Times Colonist newspaper to see what’s happening. There is little to no privacy risk if you buy it from a stand. However, on the internet, where the company has the opportunity to protect you even more than in the physical space, they’ve decided to try a different angle… sharing your reading habits with other companies. If you use Ghostery you can see that by viewing timescolonist.com, they are sharing your viewing habits on every page you visit with at least 10 different companies, with little to no disclosure on what those third parties do with your information.
| Canadian Newspaper | Trackers |
| --- | --- |
| timescolonist.com | 10 |
| nationalpost.com | 6 |
| vancouversun.com | 6 |
| mondaymag.com | 6 |
| torontosun.com | 4 |
| ottawacitizen.com | 3 |
| cbc.ca/bc/ | 3 |
| theglobeandmail.com | 3 |
| canada.com/business/ | 3 |
| canada.com | 2 |
| thechronicleherald.ca | 1 |
| thepeterboroughexaminer.com | 1 |
| halifaxnewsnet.ca | 0 |
If your local newspaper isn’t a concern, which it should be, what about your financial institution?
| Canadian Financial Institution | Trackers |
| --- | --- |
| Scotia iTrade | 4 |
| Coast Capital credit union | 3 |
| RBC Canada | 3 |
| Investors Group | 2 |
| CIBC | 1 |
| Toronto-Dominion | 1 |
| Island Savings credit union | 1 |
Why are these organizations providing your private news reading habits and online financial transactions to 3rd party companies? If you decide to ask them, perhaps also ask how much money they are making from providing your information.
How does your local news website score? What about your financial institution? Download Ghostery and find out for yourself.
It should be noted that 10 trackers doesn’t necessarily mean worse than 1 tracker; if your personal information is provided to a tracker, you have no control over what happens to it when it gets there… they could sell it to 50 more companies.
If you find any other interesting results from Ghostery, let us know on Twitter and we might add it!
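To see roughly what the tracker counts above measure, here is an added example (not the author's or Ghostery's code) that lists the third-party hosts a page's HTML asks the browser to contact. Ghostery matches against a list of known trackers, whereas this simply reports every host outside the site's own domain and only sees resources present in the static HTML; the function names and the sample page are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose attribute makes the browser fetch a resource on page load.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

def site_of(host):
    # Naive registrable domain: the last two labels. Assumption for this
    # example; a real tool would use the Public Suffix List (example.co.uk).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class ResourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)  # None for tags we do not track
        for name, value in attrs:
            if name == wanted and value:
                # urljoin resolves relative and protocol-relative (//host/x) URLs.
                host = urlparse(urljoin(self.page_url, value)).hostname
                if host:
                    self.hosts.add(host.lower())

def third_party_hosts(page_url, html):
    first_party = site_of(urlparse(page_url).hostname)
    collector = ResourceCollector(page_url)
    collector.feed(html)
    return sorted(h for h in collector.hosts if site_of(h) != first_party)

# Constructed sample page, not captured from any real site.
SAMPLE_URL = "https://www.news.example/story/1"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="https://static.news.example/app.js"></script>
<script src="//s0.2mdn.net/ads.js"></script>
<script src="https://cdn.metrics.example/collect.js"></script>
</head><body>
<img src="https://pixel.adnet.example/p.gif?u=123" width="1" height="1">
<iframe src="https://widgets.social.example/like"></iframe>
<a href="https://other.example/">outbound link, not fetched on load</a>
</body></html>
"""

if __name__ == "__main__":
    print("\n".join(third_party_hosts(SAMPLE_URL, SAMPLE_HTML)))
```

Scripts that inject further requests at runtime will not show up here, so a count from static HTML is a lower bound on what the browser actually contacts.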
Over the weekend, the University of Victoria’s new administrative building was broken into. A payroll server with the personally identifiable information (PII) of over 11,000 people was in it, including social insurance numbers (SIN), as well as bank account information. I’ve been told there were no cameras or alarms in the area, and the information was not encrypted. If your organization handles personal information, let this be your final reminder to ensure that all personal information is encrypted both while in transit (transport layer) as well as on the computer (storage layer).
I was interviewed for over 30 minutes by CBC BC today; a few seconds made it onto the news. Check out this clip from the top of the 6pm news.
One of the tips I gave but didn’t make it in, is to annually request a copy of your credit report. This is free once a year to do if you send your request in writing, and is the best way to determine if you’re a victim of identity fraud. When you do this, put it in your calendar as a reminder to make the request again in a year from now.
UPDATE: Jan 13, 2012:
Saanich news is reporting that UVic will pay for $1.7M worth of credit reporting monitoring as a result of this breach. So if you’re thinking your organization can’t afford an organization like PrivaSecTech to protect the personal information of your staff and clients, this is another example of how being proactive would have been less than 1% of the reactive cost. It costs you nothing more than an email or a phone call to see what we can do for your organization. We look forward to working with you to ensure this doesn’t happen to you.
I’m sure you’ve received an email spam from what appears to be a legitimate email address, saying you’re entitled to millions of dollars. You know that — that email address was spoofed, which is easy for any techy to do. It was someone pretending to be someone they’re not. The same applies to phone systems, and there’s a good reason for it. There are countless phone companies, and many more companies which own hundreds to thousands of telephone numbers. When you get a phone call from your bank or utility company for example, the number (DID) on the caller ID is the main number of the institution, not the local number of the person making the call. Companies get to choose which person in their company gets which phone number, and they don’t want you calling back the person who called you, they want you to dial back to their main switchboard (PBX) and get routed to the proper place, where they know someone will be available to answer the telephone when you call back, to help you. This is one of the reasons caller ID spoofing is possible, companies need to be able to change this in real time, as employees come and go.
With the prevalence of voice-over-IP (VoIP) technology, it is very easy to spoof a caller ID; you can pretend to be calling from any phone number you want. You can pay for services online that do this, or set up a VoIP DID yourself and spoof whatever number you want; it’s quite easy. The more people that know how easy it is, the more prone to abuse it is.
Just today, CBC News is reporting an incident in Langley B.C. where it is alleged a hacker used her son’s computer accounts to call police through the family’s computer, saying he had killed several people and was holding more hostages at their home. This resulted in the SWAT team being deployed to their home, with firearms drawn. Not a situation anyone wants to go through.
Unfortunately for law enforcement, this means exercising due diligence in handling such issues, as they will only increase. The telephone companies (telcos) are not really interested in resolving this. Doing so would mean implementing authentication (proof you are who you say you are) and encryption (making it so others can’t intercept/eavesdrop), but that would prevent things like telemarketing, and telcos make a lot of money from telemarketing.
I’m not aware offhand of any hardware phone solutions for the public that use authentication or encryption, but Whisper Systems offers encrypted voice (RedPhone) and encrypted text (TextSecure) solutions for the Android operating system. TextSecure is great: if the person you’re communicating with has it also, not only are all of your texts stored encrypted on your phone, they’re also encrypted going over the wireless telephone network! This means you can use TextSecure before a telephone call as a reasonable usage of authentication. There’s also Zfone for making encrypted telephone calls on the internet.
Until phone companies around the world implement authentication and encryption, remember to not ever trust the phone number you see calling you, as it could easily be fake. This means if you get a call from your bank, or utility company, or even from a friend or family member’s number, you will never know it really is them; it could easily be someone pretending to be them, to get information from you. Treat caller ID like you do emails, or even letters in the mail; after reading this you know that all three of these can easily be faked!
I was quoted in this Vancouver Sun article today which highlights several ways you can protect yourself from sidejacking attacks.
Today I was quoted in the Winnipeg Free Press about Firesheep: