OCSP Cookies

Tuesday, July 16. 2013

A little bit of fun with cookies

Not only big data companies are using cookies for tracking. Some certification authorities (CAs) are using cookies to collect data about visitors of HTTPS encrypted websites or email services.

Some certification authorities use OCSP for this purpose. A browser or email client may use OCSP for online validation of SSL certificates when connecting. An ocsp-request is sent to the OCSP server of the certification authority that signed the certificate to check whether it is still valid. The URL for OCSP validation is encoded in the SSL certificate.

The HTTP header of an example ocsp-request on the first connection to a website with a GlobalSign-signed certificate looks like:

POST http://ocsp2.globalsign.com/gsorganizationvalg2 HTTP/1.1
Host: ocsp2.globalsign.com
User-Agent: Mozilla/5.0 (...) Gecko/20130626 Firefox/17.0 Iceweasel/17.0.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Length: 117
Content-Type: application/ocsp-request

The ocsp-response from the server states whether the SSL certificate is valid or not. Some certification authorities try to set a long-term cookie with the ocsp-response. The cookie set by GlobalSign is valid for 6 years.

HTTP/1.0 200 OK
Server: cloudflare-nginx
Date: Mon, 15 Jul 2013 19:59:18 GMT
Content-Type: application/ocsp-response
Content-Length: 1499
CF-Cache-Status: HIT
Vary: Accept-Encoding
Expires: Thu, 18 Jul 2013 19:59:18 GMT
Set-Cookie: __cfduid=57a288498324f76b1d1373918358; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.globalsign.com
CF-RAY: 8e9084e0d3206fa

If the surfer visits another HTTPS encrypted website signed by GlobalSign, the cookie is sent in the ocsp-request. The HTTP header of the request looks like:

POST http://ocsp2.globalsign.com/gsorganizationvalg2 HTTP/1.1
Host: ocsp2.globalsign.com
User-Agent: Mozilla/5.0 (...) Gecko/20130626 Firefox/17.0 Iceweasel/17.0.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Length: 117
Content-Type: application/ocsp-request
Cookie: __cfduid=57a288498324f76b1d1373918358

The certification authority gets a fragmentary list of visited websites or used email accounts. The list contains only websites that use SSL certificates signed by the CA.
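The exchange above can be looked for in captured proxy traffic. The following Python sketch is an added example, not code from the original post: it flags OCSP responses that set cookies, computes the cookie lifetime from the Date header, and reports identifiers that come back in later OCSP requests. The function names and the cookie-free sample response are assumptions made for the example.

```python
import re
from datetime import datetime, timezone

MONTHS = {m: i + 1 for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split())}
# Matches "15 Jul 2013 19:59:18" (Date header) as well as
# "23-Dec-2019 23:50:00" (cookie expires attribute).
DATE_RE = re.compile(
    r"(\d{1,2})[ -]([A-Za-z]{3})[ -](\d{4}) (\d{2}):(\d{2}):(\d{2})")

# Headers taken from the post above, trimmed to the fields the audit reads.
FIRST_RESPONSE = """\
HTTP/1.0 200 OK
Server: cloudflare-nginx
Date: Mon, 15 Jul 2013 19:59:18 GMT
Content-Type: application/ocsp-response
Set-Cookie: __cfduid=57a288498324f76b1d1373918358; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.globalsign.com
"""
LATER_REQUEST = """\
POST http://ocsp2.globalsign.com/gsorganizationvalg2 HTTP/1.1
Host: ocsp2.globalsign.com
Content-Type: application/ocsp-request
Cookie: __cfduid=57a288498324f76b1d1373918358
"""
# Constructed sample: a responder that sets no cookie.
CLEAN_RESPONSE = """\
HTTP/1.1 200 OK
Date: Mon, 15 Jul 2013 20:05:00 GMT
Content-Type: application/ocsp-response
"""


def parse_http_date(text):
    """Parse an HTTP or cookie date into an aware UTC datetime, or None."""
    m = DATE_RE.search(text or "")
    if not m or m.group(2).title() not in MONTHS:
        return None
    day, mon, year, hh, mm, ss = m.groups()
    return datetime(int(year), MONTHS[mon.title()], int(day),
                    int(hh), int(mm), int(ss), tzinfo=timezone.utc)


def parse_headers(block):
    """Return (start_line, [(lowercased name, value), ...]) for one message."""
    lines = block.strip().splitlines()
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header section
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_message(block):
    """List cookies set by an OCSP response or sent with an OCSP request."""
    _, headers = parse_headers(block)
    values = lambda name: [v for k, v in headers if k == name]
    ctype = "".join(values("content-type")[:1]).split(";")[0].strip().lower()
    findings = []
    if ctype == "application/ocsp-response":
        sent = parse_http_date("".join(values("date")[:1]))
        for raw in values("set-cookie"):
            pair, *attrs = [p.strip() for p in raw.split(";")]
            name, _, value = pair.partition("=")
            attr = {k.strip().lower(): v.strip()
                    for k, _, v in (a.partition("=") for a in attrs)}
            expires = parse_http_date(attr.get("expires"))
            if attr.get("max-age", "").isdigit():  # Max-Age overrides Expires
                days = int(attr["max-age"]) // 86400
            elif expires and sent:
                days = (expires - sent).days
            else:
                days = None  # session cookie, gone when the client exits
            findings.append({"kind": "set", "name": name, "value": value,
                             "domain": attr.get("domain"),
                             "lifetime_days": days})
    elif ctype == "application/ocsp-request":
        host = "".join(values("host")[:1])
        for raw in values("cookie"):
            for pair in raw.split(";"):
                name, _, value = pair.strip().partition("=")
                findings.append({"kind": "sent", "name": name,
                                 "value": value, "responder": host})
    return findings


def linked_identifiers(blocks):
    """Cookies set by an OCSP response and sent back in a later OCSP request."""
    issued, linked = set(), []
    for block in blocks:
        for finding in audit_message(block):
            key = (finding["name"], finding["value"])
            if finding["kind"] == "set":
                issued.add(key)
            elif key in issued:
                linked.append(finding)
    return linked


if __name__ == "__main__":
    for finding in audit_message(FIRST_RESPONSE):
        print("cookie set by OCSP response:", finding)
    for finding in linked_identifiers([FIRST_RESPONSE, LATER_REQUEST]):
        print("identifier sent back to responder:", finding)
```

Any "set" finding with a multi-year lifetime, or any "sent" finding at all, means the client accepts cookies on its OCSP channel.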

Mozilla Firefox up to version 17.0 handles OCSP cookies like third-party cookies. Firefox 18.0 and newer does not accept OCSP cookies any more. Because of their restrictive settings, JonDoFox and JonDoBrowser do not accept OCSP cookies even when used together with Firefox 17.0. In combination with the add-on TorBirdy, Mozilla Thunderbird is secure too. If you are using Thunderbird without TorBirdy, you may set the following value:

network.cookie.cookieBehavior = 2

It is possible to disable OCSP in the encryption settings dialog. The security benefit of OCSP is low; it was never really secure by design. In 2009 Moxie Marlinspike demonstrated how to fool OCSP: Defeating OCSP With The Character '3' (PDF). Tools for man-in-the-middle attacks like sslsniff circumvent OCSP automatically.

Weaponized information technology

Tuesday, July 2. 2013

The documents leaked by E. J. Snowden offer a small view of the world-wide spying activities of NSA and GCHQ. But GB and USA are not the only ones. The ongoing international development of espionage is very dynamic. The latest newcomers in the club of PRISM brothers are India, Finland and Germany. In Germany the spying capacities of the BND will be extended with a 100 million euro program over the next 5 years to improve the warrantless spying on central internet nodes like DE-CIX.

Where are we going?

New technologies ....

The technological base for vast espionage is the development of information technology and the growing usage of the Internet.

  • The internet is used for more and more kinds of communication. More and more information is crossing central internet nodes. This is an invitation for intelligence agencies to monitor it.

  • Highly sophisticated search technologies offer the possibility to discover relevant information in large data stores. We use these search technologies day by day, and we take to them like a duck to water. We send keywords to our preferred search engines and expect useful results out of billions of public websites.

    Intelligence agencies are using these technologies for searching collected data too. Recorded Future is a joint venture of Google and In-Q-Tel for the utilization of the sophisticated Google search technology for intelligence tasks.

  • The mathematical analysis of abstract networks and graphs was adapted for our contact networks. It offers the possibility for sophisticated analysis of communication meta data. Public research results are Project Gaydar, which uses Facebook contacts to discover which students are gay, or Identification of opinion leaders in social networks by universities of Berlin and Vienna. The research results may be adapted for other purposes; these are only examples.

    It is used by Dutch intelligence services to identify opinion leaders in government-critical groups and handicap them individually in manifold ways (by yearly deep tax checking... and other bullying) to disturb the work of the groups.

  • Spam filtering is a well known technology to hide unwanted or irrelevant information. We use it day by day.

    For example, the usage of this technology has been reported for the German BND since 2011 to prevent keyword spamming in observed email traffic. 95% of emails with "terrorist" keywords are automatically excluded from more detailed analysis by spam filter techniques. Of the remaining 5% (approx. 2 million emails per year) only 0.01% contain information of real interest to the BND. The filter needs some improvements. But each improvement in automated pre-processing will increase the amount of scanned traffic.

Technical advances may be used for improving our lives or may be used for other goals too.

.... are weaponized

Unfortunately almost all technologies are weaponized in our world. "Because it is possible it will be done." From time to time some weaponized technologies are very dangerous and inhumane, like nuclear weapons or chemical weapons. The usage of such weapons has to be outlawed by international agreements to protect human rights.

The usage of information technologies for vast espionage is such a weaponized technology, with deep impact on all levels of our society. It influences international collaboration if NSA and GCHQ are spying on diplomatic missions like UN, G8 and G20 meetings or the boards of the EU. It influences economic development because of its usage for economic espionage. Political activities and interest groups are manipulated and each individual may be handicapped in manifold ways. It violates human rights in a global manner. Everybody is affected, directly or indirectly.

Espionage is not used in the interest of our society by default; it is used by a small elite who have access to the results. The interests may differ from time to time.

The documents leaked by E. J. Snowden (supported by G. Greenwald) opened the eyes of many people about the vast espionage and the deep impact for our society. It is time to use the popular outrage to drive our governments into a political process to outlaw espionage and protect human rights by international agreements. A first campaign for data protection agreements to prevent espionage was launched by several Pirate Parties.

Please support: AntiPRISM.

Farewell

Sunday, June 30. 2013

I am leaving JonDos and I thought I'd take the opportunity to thank all our users who made that adventure happen for me in the last 4 and a half years. Stay engaged. It is more needed than ever. A special thanks goes to Rolf Wendolsky, a.k.a. jondos. Not many would have considered employing me. I won't forget that.

Alptraum Sicherheit - Book Recommendation

Friday, June 28. 2013

Excerpts from reviews:

Using concrete case studies, the author and documentary filmmaker Marita Neher shows what these laws mean for each of us and for our society, which security concept lies behind them and who profits from it. An impressive piece of research and a warning call for the protection of our democracy.
A disturbing insight into a reality in which the rule of law and democracy are knowingly hollowed out in the name of security.

"Alptraum Sicherheit" by Marita Neher is available as a book or as an e-book from Fischerverlag. If it is not on the shelf at the bookseller you trust, the bookseller can (as a "proxy") order it for you within 24 hours.

Some short quotes from the introduction of the book, titled "Die Doppelgefahr des Terrors":

Only in the course of my work on the topic did it become clear to me how comfortable I had made myself in our democracy and how important it is instead that I myself contribute something to preserving this democracy.
....
For a long time I did not want to acknowledge the extent of preventive police and intelligence work. I feared being labelled a conspiracy theorist, an enemy of the constitution. When my computer did not work, I had already wondered whether the Federal Criminal Police Office might be interested in my files. And although, in my opinion, the data contained nothing that would have made me suspicious, I was suddenly no longer sure of that.
....
At the beginning of my research I had the level of knowledge of any German who regularly watches the news and reads the newspaper. At the end of my research I knew that this is not enough to form an independent opinion. It is therefore important to me to make my experiences and information public. It is important to me because I am worried about how our country is changing, and because I want to make this creeping process visible.

Terrorist Attacks

Monday, June 24. 2013

Last week General Keith Alexander (chief of NSA and chief of US Cyber Command) testified before the House Permanent Select Committee on Intelligence about the value of the NSA surveillance program. He claimed they have helped prevent potential terrorist events 50 times in 20 countries over the last ten years. The USA was directly affected 10 times. Precise information about prevented attacks is not public. It is not possible to evaluate the benefit of spying for counter terrorism. How many attacks were not prevented?

In the USA, during the 40-some years from 1970 to 2012, up to 2,400 terrorist attacks were registered by the National Consortium for the Study of Terrorism and Responses to Terrorism, an average of 60 attacks per year or 600 attacks over ten years. Very different groups were responsible for these attacks.

  • Most terrorist attacks in recent years were carried out by eco-terrorists like Earth Liberation Front or Animal Liberation Front. According to the FBI's rating these are the most dangerous groups since 2001.

  • Religious extremist groups: 7% of attacks were carried out by anti-abortion activists (Christians). Militant Zionist groups were responsible for 4.9% of terrorist attacks (Jewish Defense League, Jewish Armed Resistance, Thunder of Zion or Jewish Action Movement), and 2.5% of attacks were carried out by militant Muslims.

  • Right-wing extremist groups are responsible for 20-25% of attacks and left-wing extremist groups are responsible for 5%.

In EU member states 170-500 terrorist attacks were registered year by year, see: EU Terrorism Situation and Trend Reports 2006 (498 attacks), 2007 (583 attacks), 2011 (174 attacks).

  • Most terrorist attacks in the EU were carried out by the separatist groups ETA, IRA and Corsican groups. These groups were responsible for 85% of all attacks in 2006 and 2007. Because a political process was started, the number of terrorist attacks was reduced significantly in 2011. Increasing surveillance was not a main reason for the reduced number of attacks.

  • Right- and left-wing extremist groups are responsible for 60-70 terrorist attacks per year.

  • Religious extremist groups are not active in Europe; only very few isolated cases were registered. Eco-terrorist attacks were registered in very few isolated cases too, like the destruction of a genetically modified cornfield by Movimento Verde Eufemia.

Conclusion: The benefits of the vast NSA and GCHQ surveillance programs for counter terrorism are very limited!

In Germany we have had only a few terrorist groups. Let's have a look:

  • The Sauerland terrorist group was founded by Melvüt K. He was an informant of the Federal Office for the Protection of the Constitution (BfV) and he supplied the group with (not working) detonators for bombing attacks. It was the third attempt of Melvüt K. to found a terrorist group and betray it to law enforcement.

  • The Globale Islamische Medienfront (GIMF) was founded by Irfan P. He was an informant of the Federal Office for the Protection of the Constitution (BfV) too and got up to 3,000 Euro per month from the BfV for his work. Like Melvüt K. he was never charged.

  • Sebastian S. was the founder of the militant right-wing "Blood and Honour" network. He was warned by agents of the Federal Office for the Protection of the Constitution (BfV) multiple times before law enforcement actions against him were executed.

  • The systematic faults during investigations of law enforcement agencies against the NSU terrorist group are not plausible without support of intelligence services for the terrorist group. Many documents about the group were wiped by intelligence services before it was possible to use them for law enforcement.

We don't need more warrant-less surveillance like the 100.000.000 Euro "Technikaufwuchsprogramm" program of BND to build an espionage service like NSA in Germany. We need more control of intelligence services.

PRISM Brothers

Wednesday, June 12. 2013

The Guardian and The Washington Post recently published slides about the PRISM project of the US government’s National Security Agency (NSA). The agency is engaged in mass surveillance of users around the world. I assume the topic is well known to readers of our blog. International protests against PRISM mostly focus only on US spying by NSA and FBI. But other countries have projects like PRISM too.

The NSA counterpart in Canada is the CSEC (Communications Security Establishment Canada). Like the NSA, the CSEC has far-reaching national security powers to monitor and map electronic communication signals around the globe. Defense Minister Peter MacKay said about the spying activities only: "We don’t target Canadians, okay."

The British counterpart of the NSA is called GCHQ (Government Communications Headquarters). It operates in partnership with NSA, CSEC and other spying agencies, uses its own worldwide network of monitoring stations and is part of ECHELON.

The DSD (Defence Signals Directorate, Australia) and GCSB (Government Communications Security Bureau, New Zealand) are cooperating with NSA, CSEC and GCHQ too (UKUSA Agreement). Both are ECHELON partners with their own monitoring stations. The cooperation includes information sharing. According to Fairfax Media's sources, intelligence agencies in Australia have been receiving a high volume of valuable data from NSA, with some even coming from the PRISM program itself.

The NSA counterpart in Sweden is called FRA (Försvarets radioanstalt). In June 2008 it got the power to warrantlessly wiretap all telephone and Internet traffic that crosses Sweden's borders. Swedish people are targets of FRA espionage too.

France has its own spying network called Frenchelon. Like the US counterpart Echelon it is used not only for counter terrorism but for economic espionage and spying on political activists too.

The secret Onyx interception system is the Swiss intelligence gathering system for espionage and is maintained by the NDB (Federal Intelligence Service). It is used to monitor telephone, fax and Internet communications worldwide. In 2006 a secret document sent by the Egyptian department of Foreign Affairs to the Egyptian Embassy in London and intercepted by Onyx became public.

The NSA counterpart in Russia is the SSSI (formerly FAPSI). It was set up in 2003 by a reorganization of intelligence agencies in Russia and has unlimited power to warrantlessly wiretap all internet communications. The FBI counterpart in Russia is the FSB. The interception system SORM offers the FSB unlimited, direct access to the servers of almost all Russian ISPs (Wired). Intercepted e-mails and phone calls were published by Russian media in 2011 to discredit opposition members. The largest social network in Russia is Vkontakte.ru with 200 million members. It cooperates with the FSB and sent data of opposition members.

In Germany warrantless wiretapping and espionage is done by the BND (Federal Intelligence Service). It is scanning 20% of all emails routed over German AS for 16,400 keywords. In 2010 the keyword scanners sent copies of 37,000,000 emails to the BND for more detailed analysis. In 2008 W. Schäuble (formerly minister of the interior) recommended the setup of a spying agency like NSA or like the British GCHQ for Germany. The project was cancelled in 2010 but the recommendation was renewed by R. Wendt in recent days.

Minister of the interior Friedrich confirmed that German intelligence services get valuable data from the NSA, but he didn't know anything about a program called PRISM.

Stand up! It's time NOW!

Position as JonDoBrowser Developer

Monday, June 3. 2013

Dear readers of the blog,

we are currently looking for someone to support us in the development of JonDoBrowser. This work could be done as telework (from home) as a part-time position, as a side job, or on a freelance basis per project or per hour. We look forward to your applications!

Please send applications by e-mail to: rolf.wendolsky_(at)_jondos.de

Requirements:

  • Experience with JavaScript programming
  • Knowledge of online tracking techniques and online anonymity
  • desirable: knowledge of C++
  • optional: experience in developing Firefox add-ons

Ideally the application also includes a programming sample and brief information on what you have already done in the software field. Extensive certificates and references are less important to us.

Liberty Reserve closed

Tuesday, May 28. 2013

Liberty Reserve was closed a few days ago. It was one of the most frequently used Internet payment processors. The DNS record of the domain points to Shadowserver.org, an organization that fights global computer crime in cooperation with US authorities. The Tico Times reported that the money laundering investigation against the founder was a joint operation between authorities in the US and Costa Rica.

We are not happy about the closing and we are not able to accept payments with Liberty Reserve any more. The service offered anonymous payments between customers and merchants, did not apply the US embargo restrictions against 60 countries and was usable worldwide. Liberty Reserve was listed as a member of the Global Digital Currency association (GDCA), a trade association of online currency operators, exchangers, merchants and users with a declared goal to help with fighting fraud and other illegal activities. From our point of view Liberty Reserve was a trusted payment processor.

The e-gold payment sites milenia-finance.com, asiangold.com, exchangezone.com, moneycentralmarket.com and swiftexchanger.com are offline too (closed by US authorities) and the DNS records point to Shadowserver.org. The payment processor Pecunix was down only for a short time; it was the target of DDoS attacks. The servers of Pecunix were moved to another, secure location and the service is online again. After the closing of Liberty Reserve the digital payment processor PerfectMoney.com announced it was no longer accepting U.S. citizens as customers to avoid trouble with US agencies.

First-Party Cookies

Thursday, May 9. 2013

The browser Mozilla Firefox version 22.0 will block third-party cookies by default. Content from a third-party origin will get only permission to set cookies if its origin already has at least one cookie set. (see: The New Firefox Cookie Policy). This policy will potentially block cookies from advertising networks that are used to track the browsing habits of users. Google, the main sponsor of Mozilla, is not affected by this policy because Firefox gets a Google cookie at first start.

Is blocking of third-party cookies useful to avoid the tracking of browsing habits of users by third parties? Let's make a small test. We installed a fresh Firefox and disabled third-party cookies in the configuration. This configuration setting is a little bit more restrictive than the new Firefox cookie policy, but suitable for our demonstration. Afterwards we opened 3 websites and took a look at stored cookies.

  1. Zeit.de (online portal of a German newspaper)
    cookies set by Zeit.de

    All cookies were classified as first-party content but some of them are used by third-party servers.

    • The cookie "rsi_segs" is used by www.audiencescience.com for behavioral based advertising.
    • "wt3_eid" and "wt3_sid" are used by WebTrekk.
    • The cookies "__utma" ... "__utmz" are used by Google Analytics.
    • The cookie "_chartbeat2" is used by www.chartbeat.com for real-time analysis of website visitors.

    The cookies are generated and sent to the tracking service by Javascript. Because these cookies are used to transfer information to third parties, this is a violation of user preferences.

  2. Zalando.de (commercial webshop)
    cookies set by Zalando.de

    Zalando.de uses Javascript generated cookies too. But additionally we found two cookies for the sub-domain "track.zalando.de". This domain is a DNS alias for "zalando-de01.webtrekk.net", an external server not related to Zalando.de. By using the DNS alias for loading a 1x1 pixel transparent image (webbug), the external server gained first-party status and was able to set the cookies "wteid_xxxxx" and "wtsid_xxxxx".

  3. Heise.de (German IT news portal)
    cookies set by Heise.de

    Heise.de is using WebTrekk too. Both methods of Zeit.de (1.) and Zalando.de (2.) are combined:

    • If Javascript is active, the cookies "wt3_eid" and "wt3_sid" are created with Javascript.

    • If Javascript was disabled, a 1x1 pixel webbug will be loaded from the sub-domain "prophet.heise.de". This sub-domain is a DNS alias for "heise02.webtrekk.net" and is used to get first-party status for the webbug. The webbug sets the cookies "wteid_xxxxx" and "wtsid_xxxxx" for tracking.
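The DNS-alias trick used by Zalando.de and Heise.de can be detected by following the CNAME chain of every same-site host a page loads from. The Python sketch below is an added example, not code from the original post: the two alias records are the ones named above, while the "shop.example" records, the function names and the short suffix list (a stand-in for the full Public Suffix List) are assumptions made for the example.

```python
# DNS answers embedded so the example runs offline. The first two aliases are
# the ones named in the post; the "shop.example" records are constructed.
CNAME_RECORDS = {
    "track.zalando.de": "zalando-de01.webtrekk.net",
    "prophet.heise.de": "heise02.webtrekk.net",
    "static.shop.example": "cdn.shop.example",    # same-site alias, harmless
    "m.shop.example": "edge.shop.example",        # two-step chain ...
    "edge.shop.example": "shop01.tracker.example",  # ... ending off-site
}

# Assumption: a tiny stand-in for the Public Suffix List. A real check needs
# the full list to find the registrable domain correctly.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def site_of(host):
    """Approximate the registrable domain (eTLD+1) of a host name."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def resolve_chain(host, records, max_hops=8):
    """Follow CNAME records from host; stop on loops or after max_hops."""
    chain = [host.lower().rstrip(".")]
    while chain[-1] in records and len(chain) <= max_hops:
        target = records[chain[-1]].lower().rstrip(".")
        if target in chain:  # CNAME loop, give up
            break
        chain.append(target)
    return chain


def cloaked_hosts(page_host, request_hosts, records):
    """Hosts that look first-party to the browser but resolve to another site.

    Returns (alias, final off-site target, site of that target) tuples.
    """
    page_site = site_of(page_host)
    findings = []
    for host in request_hosts:
        if site_of(host) != page_site:
            continue  # plain third party: the cookie policy already sees it
        chain = resolve_chain(host, records)
        foreign = [h for h in chain[1:] if site_of(h) != page_site]
        if foreign:
            findings.append((host, foreign[-1], site_of(foreign[-1])))
    return findings


if __name__ == "__main__":
    pages = {
        "www.zalando.de": ["www.zalando.de", "track.zalando.de"],
        "www.heise.de": ["www.heise.de", "prophet.heise.de"],
        "www.shop.example": ["static.shop.example", "m.shop.example"],
    }
    for page, hosts in pages.items():
        for alias, target, owner in cloaked_hosts(page, hosts, CNAME_RECORDS):
            print(f"{page}: {alias} -> {target} (operated under {owner})")
```

Cookies set by a flagged host are stored as first-party cookies of the visited site, so a third-party cookie block does not apply to them.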

Conclusion

Tracking services are using sophisticated methods to get first-party status for their tracking elements to avoid blocking. The tracking services above are only small examples. Yahoo! Web Analytics sets a one-year, first-party, persistent cookie that includes a unique visitor ID number and is able to track 99.9% of website visitors.

It is not possible to use first-party cookies for cross-domain tracking. These cookies are only valid and accessible within the context of one domain. But by using additional tracking features, it is possible to link tracking data of multiple domains together. WebTrekk collects geo-location by IP address, screen size and color depth of your monitor, inner size of the browser window, your preferred language, browser name and version, operating system and version, settings of Java (ON/OFF), Javascript (ON/OFF) and cookies (ON/OFF). It is possible to calculate a high quality browser fingerprint with this data. The browser fingerprint will be unique for most users and it may be possible to use it for linking tracking data over multiple domains.

To avoid tracking of your browsing habits by third parties we recommend the blocking of all cookies and Javascript. Enable session cookies or Javascript only for trusted websites if required to get them working as expected. Delete all cookies after leaving the website or at least when closing your browser. JonDoFox and JonDoBrowser are configured for this behavior. During your surf session you can delete cookies by clicking on the menu item "Tools - Clear Recent History" or you may hit CTRL-ALT-DEL.

JonDoBrowser 0.6 - Status Report

Tuesday, April 16. 2013

In the future the JonDoBrowser shall replace the JonDoFox profile in order to allow an even better protection against tracking on the Web. As development has already been under way for a while, we would like to deliver a short status report every six weeks from now on. That will hopefully give users an idea about where we are now and what still remains to be done:

The top 5 things we did during the last six weeks:

1) Worked on the update mechanism (full updates are working on Linux now)
2) We disabled SSL 3.0 by default. If there are problems, please report them!
3) Disabled the annoying add-on bar and moved the UnPlug icon to the toolbar.
4) Reported possible problems for the protection against tracking with HTTP authentication to Mozilla.
5) Released JonDoBrowser 0.6

Top 5 things for the coming weeks:

1) Releasing JonDoBrowser 0.7 (scheduled for May 20, 2013)
2) Integration of partial updates into the update patch for Linux systems
3) Integrating a better compression algorithm for JonDoBrowser packages on Linux systems into the build script
4) Mozilla's reftests test suite shall work flawlessly with JonDoBrowser.
5) Removing a duplicated UnPlug in the extensions directory of the profile as this is probably causing issues during the first start of JonDoBrowser on Linux

ToDo for the 1.0-Release:

1) Update mechanism for Windows, Mac OS X and Linux
2) Integration of JonDo into the JonDoBrowser (Windows only)
3) Making JonDoBrowser compatible with Mozilla's test suites

Webtracking Trends

Wednesday, March 20. 2013

More than 80% of Internet users dislike the tracking of their online behavior. But tracking is expanding more and more. Popular websites are far more aggressive in their tracking practices.

More Elements on Popular Websites

The Web Privacy Census project of the University of California is watching the state of internet tracking and privacy over the years. An increasing usage of tracking features was documented. As an example we show only the usage of cookies by the 100 most popular websites:

Year    Number of cookies
2009    3,602
2011    5,675
2012    6,485

The project observed statistically significant increases in the usage of sophisticated HTML5 features like DOMstorage and other EverCookies for tracking. 38% of popular websites were using EverCookie techniques in Oct. 2012. Unlike third-party cookies, EverCookies are not easy for users to manage and remove.

Because it is easy to block third-party content with modern browsers, more third-party aggregators are working to hide their presence in a first-party site by serving content from what are or appear to be first-party servers. This approach makes it very difficult for advertising blockers to block tracking scripts. As an example you may have a look at the easy-to-use tracking plug-ins offered by Webtrekk for blogs, content management systems and shops.

Some tracking services don't use markers like cookies or EverCookies but only browser fingerprinting for surfer recognition. The demonstration project Panopticlick found that more than 80% of browsers have a unique fingerprint. The recognition rate increases to 94% if Flash or Java plug-ins are enabled. (How Unique Is Your Web Browser PDF). Tracking services are using more sophisticated methods and achieve 30% higher recognition rates than cookie-based approaches. Other tracking services are using browser information, screen size and other values additionally for user recognition.

An increasing number of websites are using more than one tracking service. An example is the webshop Zalando. It uses the following tracking and advertisement services: 36YIELD, ADSCALE, APPNEXUS, ATDMT, ATEMDA, CRITED, DEMDEX, DOUBLECLICK, FACEBOOK, METRIGO, OPENX, PUBMATIC, ADSERVER, SOCIOMANTIC, YIELDLAB and YIELDMANAGER.

Decreasing number of independent tracking companies

A number of families of domains and tracking services have been created through the acquisition of many companies by a few global players. The families are sharing collected data and achieve a large coverage of popular websites.

The largest family is Google and its associated companies. The earnings of this family are 44% of the world-wide online advertising market. During the last years Google bought the following companies:

Year    Company
2003    Applied Semantics
2003    Springs
2006    dMarc
2007    Adscape
2007    Feedburner
2007    DoubleClick + falkad.net
2009    Admob
2009    Teracent
2010    Invite Media
2011    Admeld
2012    Wildfire
2012    Adelphic

Because of these acquisitions, tracking features of the Google family are present on more and more popular websites:

Tracking features of the Google family
2005 present on 7% of popular websites
2006 present on 16% of popular websites
2008 present on 55% of popular websites
2009 present on 80% of popular websites
2012 present on 97% of popular websites

Other tracking families are the Overture network, Microsoft and the Yahoo! family, each with a portion of 3-8% of the world-wide online advertising market. The new cooperation of Facebook with BlueKai and Epsilon is the start of a new large tracking family.

Using of Real World Data

The tracking of our online behavior offers only an incomplete view of our interests. First steps are being taken by Facebook to include real world data in profiling for proper online advertisements. A cooperation with Acxiom and Datalogix was announced in February. Both data brokers operate big databases with real world data like credit card payments, loyalty cards at supermarkets, product warranty cards and so on.

If the information flow increases in both directions, our online activities may get more influence on our real lives. A year ago Sarah Downey warned:

The harms of online tracking are real and growing. This isn't about targeted advertising, like the ad industry wants everyone to believe. This is about the collection and use of your personal information in ways you can't even imagine.

Today our online activities may decide about getting a new job or may have an influence on insurance premiums. Personally I know 3 cases in which personnel managers included private online activities when checking job applicants. In one case the result was positive. In two cases the applicants were rejected mainly (but not only) because of this data.

16th European Police Congress

Wednesday, February 20. 2013

At a police congress, the participants find a welcoming forum for demanding new surveillance powers. The central topic of the 16th European Police Congress was the reintroduction of data retention (newly termed: minimum storage period). BKA Vice President J. Maurer voiced remarkable thoughts: every citizen must internalize a new view of the Internet, and storing IP addresses is not a problem, because:

Whoever is on the Internet has left privacy behind.

This sweeping view would mean abolishing the secrecy of post and telecommunications for e-mails and other private communication on the Internet. After the experience of the fascist dictatorship in the middle of the last century, the secrecy of post and telecommunications was anchored as a fundamental right in all higher-level catalogues of norms (UN human rights convention, EU Charter of Fundamental Rights, German Basic Law), as a protective right for citizens against an overpowering (police) state. For me the question arises whether Mr. Maurer has the right attitude to responsibly take on the leadership of a police authority with far-reaching intelligence-service powers.

Another example of the spirit of the congress was the strong applause for the North Rhine-Westphalian Minister of the Interior R. Jäger when he described the position of Federal Minister of Justice Leutheusser-Schnarrenberger as "close to obstruction of justice". The Federal Minister of Justice considers a minimum storage period of seven days for IP addresses and quick freeze for connection data to be sufficient (see the key-points paper of the Federal Ministry of Justice on data retention, PDF). In addition, for Ms. Leutheusser-Schnarrenberger anonymity is a basic principle of the free Internet.

In the media, the police congress was accompanied by horror stories about looming terror attacks by e-mail or the dire consequences of missing data retention for solving murder cases (FAZ). The Federal Commissioner for Data Protection called the FAZ article dishonest.

No speaker at the police congress was able to present new facts or studies that scientifically prove the necessity of data retention. As a reminder:

  • The scientific report of the Max Planck Institute (MPI) for Foreign and International Criminal Law came to the conclusion that listing spectacular individual cases does not suffice as proof of the necessity of a 6-month minimum storage period. In the authors' view, the law enforcement agencies have so far been unable to provide robust justification for a protection gap on the Internet.
  • The figures of the BKA's annual crime statistics show that data retention in 2009 had no influence on the clearance rate or on the general development of crimes on the Internet. From year to year there are more crimes on the Internet with a decreasing clearance rate.

    |                                | 2007 (without data retention) | 2008 (without data retention) | 2009 (with data retention) | 2010 (without data retention) |
    |--------------------------------|-------------------------------|-------------------------------|----------------------------|-------------------------------|
    | Crimes on the Internet         | 179,026                       | 167,451                       | 206,909                    | 223,642                       |
    | Clearance rate on the Internet | 82.9%                         | 79.8%                         | 75.7%                      | 72.3%                         |

Security politicians at all levels should show more respect for the basic principles of our society instead of presenting maximum demands that are not open to discussion.

JonDos does not recommend Hushmail.com

Monday, January 28. 2013

Hushmail.com has enjoyed a good reputation for privacy-friendly e-mail services for years. In its tutorial about anonymous e-mail accounts, the EFF.org recommended only Hushmail.org (Don't be a Petraeus), and the German journalist P. Beuth wants to publish a tutorial for anonymous e-mail accounts using Hushmail.com in the next few days in the online newspaper ZEIT.de.

JonDos does NOT recommend Hushmail.com

Have a look at the privacy policy of Hushmail.com. The content of all emails is scanned and, like an extended form of data retention, the following data records are stored for 18 months:

  • all sender and recipient email addresses (data retention log)
  • all file names of attachments
  • subjects of all emails
  • URLs in the bodies of unencrypted email
  • ... "and any other information that we deem necessary"

The stored records are not deleted when you cancel your account.

When you purchase a premium account, your IP address, country, city and postal code will be transferred to third-party PCI-compliant services. Hushmail.com is not responsible for the privacy policy of these services. The usage of PCI-compliant services may be useful for payment processors like PayPal.com, but it is not required for telecommunication services. JonDos GmbH has operated successfully for years without using PCI-compliant services.

The website of Hushmail.com uses third-party services for some parts, such as the help system. After login, your Hushmail ID and your name are transferred to these services on purpose (not unintentionally!). Hushmail.com is not responsible for the privacy policy of third-party services.

Recommended e-mail providers

You can find a small list of recommended e-mail providers in our online help about anonymous e-mail accounts with Mozilla Thunderbird. You may send us your recommendations using our contact form, and we will add them after checking the service.

Lawful access to user-related telecommunication data in Germany

Wednesday, December 19. 2012

In April 2012 the security scientist Pete Swire published a paper about trends in lawful surveillance. Intelligence services and law enforcement agencies are seeking access to stored data in the cloud and on private computers because wired interception of telecommunication is less effective.

With a newly drafted law (BR-Drs. 664/12) the German government is taking a leading position in this development. In the future, intelligence services and law enforcement agencies may have warrantless access to passwords of e-mail accounts and cloud-stored data, PIN codes of smartphones and the TR-069 interface of routers that Internet access providers supply to customers. Providers with more than 100,000 customers have to offer automated interfaces for lawful access. Smaller providers have to answer a request within 6 hours. Providers are not responsible in case of unauthorized access to user-related telecommunication data.

The German Pirate Party commented:

"This draft is not supported by the constitution." (Patrick Breyer, MDL)

JonDonym storage grid

We are developing new services to keep your data private. For premium users we offer a storage grid, which does not have all the convenient features of Dropbox and is only accessible via a web interface (at the moment). But it implements some great security concepts:

  • The storage nodes of the grid are operated by verified JonDonym operators. Because the data is split and encrypted, the operators can't inspect your uploads.
  • An account is not required and no personal data is collected.
  • The cryptographic keys for read/write or read-only access are included in the URI and are not linkable to a single person.
  • Access to the storage grid is protected by one of the strongest anonymisation services in the world.

Don't be a Petraeus

Thursday, November 29. 2012

The EFF.org evaluated the FBI's investigation into the personal lives of CIA Director David Petraeus, Paula Broadwell, Jill Kelley and General John Allen and published A Tutorial on Anonymous Email Accounts.

  1. You should use an anonymisation service when setting up and accessing your webmail account. You must always use the anonymisation service. (The EFF.org recommends Tor, but JonDonym is suitable too.)
  2. Use a privacy-friendly mail provider with secure SSL encryption. GMail or Yahoo! are not acceptable, but Hushmail is not the only suitable mail provider in the world. You may find some more recommendations in our online help.
  3. If an email address is required for account creation, you may use disposable addresses. Never use an email address that is traceable to your real identity.
  4. Use encryption to keep your mails private. The content of emails may be used for deanonymisation. OpenPGP is recommended.
  5. Additionally, we want to add a fifth point: do not store read or sent mails or drafts on the server of your mail provider. Stored mails are not protected by privacy law in the same way as telecommunication if the owner was able to delete them.