 March 31, 2015  Healthcare, Non-U.S.

I continue to grind my teeth while listening to talking heads spout their theories about Andreas Lubitz, the Germanwings co-pilot who seemingly intentionally crashed his plane into the Alps, killing all onboard. Not satisfied with rank speculation about his mental health, talking heads also share their ignorance about whether German law permits German doctors to disclose any concerns to a patient’s employer.

Today, however, there’s a breath of fresh – and reassuring – air. John Edwards, the Privacy Commissioner of New Zealand, wrote a plain language post to explain to New Zealanders what the law is in their country concerning disclosure of otherwise-confidential medical information. As Commissioner Edwards writes:

In the aftermath of any tragedy it will quickly become obvious that some people had information which, if they had acted on, or shared, or joined up with other information, might have allowed the tragedy to have been averted. There will be many reasons why those dots were not connected, but in lieu of cool headed analysis and investigation, the default is to blame laws that might have got in the way. Cue Fox News, Bloomberg, and no doubt countless others’ immediate calls for a revision of Germany’s privacy laws, reported as “the strictest in the world”.

All this despite the fact that the Time article itself links to a 1999 decision of a Frankfurt court which ruled that a doctor was legally obliged to reveal “confidential” patient information in circumstances which presented a real risk to the safety of others.

Commissioner Edwards then goes on to explain the relevant laws in New Zealand in very simple terms.

It’s a wonderful example of plain writing for the masses and we need more of that.

 March 31, 2015  Non-U.S., Surveillance

From the Office of the Privacy Commissioner for Personal Data, Hong Kong:

The Office of the Privacy Commissioner for Personal Data (“PCPD”) published today a Guidance on CCTV Surveillance and Use of Drones (the “Guidance”).

This Guidance replaces the Guidance on CCTV Surveillance Practices as it introduces amendments to take account of the new provisions of the Personal Data (Privacy) (Amendment) Ordinance 2012. More significantly, it incorporates new guidance for the responsible use of drones.

Drones (or unmanned aircraft systems) are either controlled autonomously by computers or by remote pilots.

Drones can be used in many ways that bring about great social and economic benefits, such as land surveying, predicting weather patterns, fighting fires as well as search and rescue operations. With reduced costs and increased capabilities, they are increasingly used in commercial operations (such as shooting advertisement; TV and movie production); and for hobby or recreational purposes.

The Privacy Commissioner for Personal Data, Mr Allan Chiang said, “While the privacy implications of surveillance tools such as CCTV are fairly well understood, drones when fitted with cameras could add a new dimension to these privacy concerns by virtue of their unique attributes. These include their mobility as well as ability to stay in the air for a considerable period of time, gather information from vantage points and over a broad territory. They have been aptly referred to as ‘unblinking eyes in the sky’.”

“To eliminate or reduce the privacy intrusiveness of the use of drones as a persistent, surreptitious, agile and efficient surveillance tool, users of drones should be particularly mindful of the need to respect people’s privacy. Public perception and the reasonable privacy expectations of affected individuals should be ascertained. The alternative use of less privacy intrusive means of collection and use of personal data should be seriously considered. The intrusion on privacy can only be justified if it is proportional to the benefit to be derived,” Mr Chiang stressed.

The privacy guidelines for the use of CCTV apply equally to the use of drones. However, to address the drones’ special attributes such as mobility, small size and difficulty to identify the operator, innovative measures to safeguard privacy are called for. Specific illustrations of this approach are provided in the Guidance.

Please read the Guidance at www.pcpd.org.hk/english/resources_centre/publications/files/GN_CCTV_Drones_e.pdf or obtain a copy at the PCPD office (12/F, Sunlight Tower, 248 Queen’s Road East, Wan Chai, Hong Kong).

 March 31, 2015  Surveillance, U.S.

Cyrus Farivar reports:

Last fall, a judge in Charlotte, North Carolina unsealed a multi-case set of 529 court documents that detail the use of a stingray, or cell-site simulator, by local police. After that, the Mecklenburg County District Attorney’s office set out to review the applications and determine which records needed to be shared with defense attorneys.

The DA’s office released a statement Friday saying its review is complete, and the county’s top prosecutorial authority found that “only two cases” involved the use of stingrays “for investigative purposes,” meaning defense attorneys should be notified.

However, the report is not that simple.

Read more on Ars Technica.

 March 31, 2015  Business, Online

This post also appears over at the Citizen Lab.

Andrew Hilts writes:

The conversation about web advertising security was recently invigorated by a blog post on the Internet Advertising Bureau’s website that called for the industry to broadly implement the HTTPS secure data transmission standard. The IAB post referred to a survey of its members in which “nearly 80%” of responding companies claimed to support HTTPS delivery of their services.

In our blog post, we describe the results of tests we conducted to measure HTTPS support on the advertisers found on a sample of news websites as well as two sample lists of advertisers. We find a large disparity between our results and the figure referred to on the IAB post.

Background: HTTPS, surveillance, and the Internet ad industry

Users of the web benefit from the security provided to them by encrypted HTTPS data transmissions. As we’ve written about elsewhere, HTTPS masks the content of communications sent over the wire, making web browsing surveillance more difficult. It also provides a degree of identity verification, so people can be confident that the data they receive comes from who they think it does.

Unfortunately, many of the sites from where we get our news and information do not support HTTPS. It’s difficult for those sites to secure their readers when the advertisers they rely on do not secure the delivery of ads themselves. Everything on a webpage, including the advertisements and behavioural tracking scripts, needs to be served through HTTPS for the protocol to provide much security.

A 2013 report published in the Washington Post and based on disclosures by former NSA contractor Edward Snowden describes how surveillance programs “piggyback” on ad tracking networks in order to relate the web traffic they collect to real-world identities.

For instance, Google stores an identifier string called a prefid in a cookie that is sent back and forth on every page you visit that serves ads through Google’s ad exchange. By doing this, Google can build a profile of your interests and know what ads to show you.

When this prefid is transmitted insecurely along with the rest of your browsing activity, it is not just Google that can build a profile. Actors with control on the network transmitting your browsing activity can correlate that prefid with the pages you visited, with identifiers from other ad networks, usernames or other information in order to assign an identity to the browsing activity. HTTPS obfuscates data in transit, making this sort of snooping much more difficult.

HTTPS also protects people from “man-in-the-middle” attacks, where an actor with control over part of the network can insert or replace content sent from a website before it arrives at the reader’s computer. This technique makes it easier for attackers to infect computers with malware, or otherwise impersonate trusted websites. HTTPS verifies the origin of received data through a complex certification system and will reject data that appears to be tampered with.

The Internet Advertising Bureau’s announcement

For these reasons, it is welcome news for the web that the Internet Advertising Bureau (IAB) seems to be starting to throw its weight behind encrypting the Internet advertising ecosystem. Last week, the IAB’s Director of Technical Standards, Brendan Riordan-Butterworth published a blog post titled Adopting Encryption: The Need for HTTPS. In his post, Riordan-Butterworth states the ad industry needs to “finish catching up” to technology companies and the US government, the latter of which has just recently published a policy proposal for all public Federal websites to be served through HTTPS. He goes on to call the adoption of HTTPS an “important step” in protecting the public’s privacy and security.

While the position taken by the blog post advocates for a more secure ad industry, the post claims that a majority of ad delivery systems are already supporting HTTPS. Specifically, Riordan-Butterworth refers to an IAB membership survey, in which 80% of respondents stated their systems support HTTPS. However, the post notes the figure “doesn’t reflect the interconnectedness of the industry”, and the complexity of actually implementing HTTPS in the real world. Additionally, a post on Techdirt, a news website that was an early adopter of HTTPS by default, raised doubts about the accuracy of the 80% figure.

To investigate the current state of HTTPS support in the advertising industry we asked two questions. First, in a context where online advertising is highly prominent — online news websites — on a given site, how many of the third party connections support HTTPS? Second, given a list of popular advertising trackers, how many of them support HTTPS?

HTTPS support levels for ad trackers on news websites

Our first test looked at what third party connections occur when loading the global top 100 news websites as measured by Alexa. We used TrackerSSL, a Chrome extension developed here at Open Effect, to measure which of those third parties (many of which are advertisers) support HTTPS encryption, which are transmitting identifiers in cookies, and the overall percentage of third parties that support HTTPS on each website.

Of the 98 sites that loaded in our test, an average of 47 different third parties transmitted data to/from the web browser. 19 of those third parties (41%) transmitted data that included a cookie file that contained a unique identifier, suggesting the occurrence of detailed user tracking. The St. Louis Post-Dispatch’s website had the most trackers of the sample, with 168 unique third party hostnames engaging in data transmissions on a single page load. The distribution across all top 100 websites is shown below in Figure 1.

Turning to security, an average of 53% of the third party hosts transmitting data on top news websites support HTTPS. News websites, on average, initiated communications with 10 different third parties that led to transmissions of uniquely identifying cookies that could not be secured with HTTPS. An average of 9 unique ID transmissions were to servers that support HTTPS. In other words, network snoops can take advantage of many insecurely-transmitted unique identifiers to help them identify just who is reading what news.

Overall the results show that news websites are slightly beyond the midway point of getting their third party dependencies secured before they themselves can reliably implement HTTPS.

Figure 1: Ad tracker HTTPS support rates on the Alexa top 100 news sites

HTTPS support among popular ad trackers

To more broadly assess the rate of HTTPS support for advertisers in the IAB and beyond, we looked at two lists of advertising trackers. First, we visited the Digital Advertising Alliance’s opt-out page for receiving targeted advertising (which does not opt you out of the behavioural tracking), which loaded resources from 123 different advertisers at test time. The Digital Advertising Alliance is an association focused on digital advertising industry self-regulation, of which the IAB is a member. Once we loaded the DAA’s tool, we then used TrackerSSL to examine how many of those Digital Advertising Alliance member advertisers support HTTPS.

Figure 2: The IAB’s “opt-out” page that loads 123 IAB-member ad trackers, and the percentage of those that support HTTPS (38%)

As shown in the above screenshot (Figure 2), only 38% of the 123 advertisers in the Digital Advertising Alliance’s own database support HTTPS, less than half of the 80% figure referred to by Mr. Riordan-Butterworth in his post.

We ran a similar test on the 2,156 advertiser hostnames contained in the Disconnect privacy company’s public list of known ad trackers, which is not limited to Digital Advertising Alliance members. We found that just under 11% of ad trackers in this list supported HTTPS in practice, as shown in Figure 3 below. Another 3.8% did support HTTPS but used server configurations to actively redirect users away from a secure to an insecure connection. The remaining 85.7% of advertising trackers did not support HTTPS at all.

Figure 3: HTTPS support rates for the advertisers in the Disconnect data set

Limitations

To assess HTTPS support, TrackerSSL and the other analysis scripts we ran each issued an HTTPS HEAD request to the hostname of an advertiser or third party connection on a web page. We additionally checked for a record in the Electronic Frontier Foundation’s (EFF) HTTPS Everywhere list of redirects in case the host communicates through HTTPS at a different hostname. The EFF’s list of redirects is finite, however, and so there is a chance that a small number of advertisers that support HTTPS on a different hostname than they serve regular HTTP will be missed by our analysis. Therefore, it is likely that the actual support for HTTPS is slightly, though not significantly, greater than we report.
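
One way to express the probe-and-classify step described above, together with the three outcomes reported for the Disconnect list, as an added example (not TrackerSSL's code or the authors' analysis scripts). It assumes Node 18+; the function names, the `altHosts` map standing in for the HTTPS Everywhere lookup, and the `.example` hostnames with their probe results are constructed.

```javascript
// Live probe: one HTTPS HEAD request per hostname, redirects not followed.
// Uses the global fetch of Node 18+; not called by the sample run below.
async function probeHead(hostname, timeoutMs = 5000) {
  try {
    const res = await fetch(`https://${hostname}/`, {
      method: 'HEAD', redirect: 'manual', signal: AbortSignal.timeout(timeoutMs),
    });
    return { ok: true, status: res.status, location: res.headers.get('location') };
  } catch (err) {
    return { ok: false, status: null, location: null }; // TLS, DNS or timeout failure
  }
}

// Classify one host into the three outcomes the post reports.
// altHosts is a simplified stand-in for a redirect list: hostname -> HTTPS hostname.
function classify(hostname, probe, altHosts = {}) {
  if (!probe.ok) {
    return Object.hasOwn(altHosts, hostname) ? 'https' : 'no-https';
  }
  if (probe.status >= 300 && probe.status < 400 && probe.location) {
    // Resolve relative Location values against the HTTPS origin first.
    const target = new URL(probe.location, `https://${hostname}/`);
    if (target.protocol === 'http:') return 'https-downgrade';
  }
  return 'https'; // assumption: any completed TLS response counts as support
}

// Count each outcome and express it as a percentage (one decimal place).
function summarize(outcomes) {
  const counts = { 'https': 0, 'https-downgrade': 0, 'no-https': 0 };
  for (const o of outcomes) counts[o] += 1;
  const pct = {};
  for (const k of Object.keys(counts)) {
    pct[k] = Math.round((1000 * counts[k]) / outcomes.length) / 10;
  }
  return { counts, pct };
}

// Constructed probe results, so the example runs offline.
const SAMPLE_PROBES = {
  'ads.tracker-a.example': { ok: true, status: 200, location: null },
  'px.tracker-b.example': { ok: true, status: 302, location: 'http://px.tracker-b.example/' },
  'cdn.tracker-c.example': { ok: false, status: null, location: null },
  'sync.tracker-d.example': { ok: false, status: null, location: null },
  'static.tracker-e.example': { ok: true, status: 301, location: '/v2/' },
};
const SAMPLE_ALT_HOSTS = { 'sync.tracker-d.example': 'secure.tracker-d.example' };

function runSample() {
  const hosts = Object.keys(SAMPLE_PROBES);
  return summarize(hosts.map((h) => classify(h, SAMPLE_PROBES[h], SAMPLE_ALT_HOSTS)));
}
```

A host that answers the TLS handshake but redirects to `http://` is counted separately because its identifiers still end up crossing the network unencrypted.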

Conclusions

We found a significant disparity between the level of HTTPS support in the ad industry referred to on the IAB’s blog and what we measured with our tests. We furthermore found that more than half of the ad trackers found on popular news websites that use cookie-based tracking mechanisms have no security measures in place to stop bad actors from collecting and correlating these unique identifiers with other browsing data. An important area of future work will be to repeat these tests in six months, and again in a year’s time to determine the relative success of the IAB’s call to security.

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.