Tuesday, April 14, 2009

Privacy vs. Security - An Example

As you may recall during our social engineering exercise, one of the attack vectors we discussed used a URL shortening service and Twitter. The implicit trust between users on social networking sites like Twitter, increases the chances that a user will click on links from someone they "follow". The use of URL shortening services to save precious character space makes it more difficult for a user to vet the site they are clicking through to and therefore leaves many users in jeopardy of visiting a malicious site.

Some URL shortening services, like TinyURL, have responded to this problem by creating a preview function that allows users to view the full URL of the destination website prior to visit the site. For those interested in utilizing this service visit http://tinyurl.com/preview.php.

I bring this service to your attention for two reasons. First, I strongly encourage those users of Twitter or TinyURL to make use of this feature for security purposes. Second, this service demonstrates a tension between privacy and security.

TinyURL is interested in protecting the security of its users and therefore created this URL preview service so that users could defend themselves against social engineering attacks. However, this URL preview feature is enabled via the use of cookies. A cookie is a persistent file written to your hard drive that allows TinyURL to uniquely identify you (or more precisely your computer). As a result, TinyURL is able to log all the links you (or someone using your computer) visit. As we discussed in class, this type of data collection represents a threat to privacy as users may not fully understand that a portion of their surfing history is being tracked by TinyURL. As a result of this data collection a host of other privacy concerns are raised including the possiblity of secondary use.

I am in no way seeking to condemn TinyURL. I believe it is doing the right thing by creating this preview functionality to protect its users from social engineering attacks. Further, using a cookie is far less intrusive then requiring users to register for an account and provide personal information. That being said, I believe TinyURL can do a much better job explaining to its users what its data rention policy is and how it protects the surfing history of its users from abuse.


Brian S said...

I agree with you, and I think TinyURL offers a beneficial service to society by protecting Twitter and other users from security problems associated with visiting malicious sites. However, as mentioned it does obviously have privacy issues associated. This could cause serious privacy concerns, but it is definitely the lesser of two evils. It must make sure that the information it does collect and store is protected and not accessible to the wrong people that may take advantage of individual users. Clearly stating potential privacy issues before accessing TinyURL should be required so that users know exactly what they are getting into and aren't completely unaware.

jamie said...

The European Union Commission is currently looking into a possible privacy of information violation in the United Kingdom. The commission is claiming that the UK is failing to protect the right of its citizens to keep their information private. The problem in the UK started when the commission began to investigate Phorm Inc, which violated EU Internet privacy law. Phorm technology uses Internet service providers to track individual’s web behavior. Companies use Phorm to gather information on different Internet users to better personalize ads. For instance, this technology enables a Hotel in Las Vegas to post ads for potential costumers who have been searching things that have to do with a Vegas vacation. This could be very useful in helping business to better target their ads, not only saving money by not advertising with people who they know are not interested in their product, but also gaining potential revenue by being able to better personalize their advertising.
This would not be the issue that it currently is if the UK Internet providers had alerted and gained consent from people who Phorm would be used on. While the company claims that it does not store any personal data that does not change the fact that Phorm is able to gather personal information from non-consenting citizens, something that is clearly against EU law. The current Internet laws in the UK allow for Internet traffic to be intercepted if it is “unintentional” or if the interceptor has reason to believe that he has consent. The UK’s laws are not nearly as stringent on this subject as the EU’s. According to EU law, a company must have “clear consent” before it can intercept Internet traffic.
Many Internet users have complained that they did not consent to Phorm gathering information on them. While this is a clear breach of EU law, it is not as clear in the UK. Phorm could claim that it had “reason to believe” that the individuals had consented, thus making their actions legal. The EU commission could potentially take the UK to court and force it to change its laws to comply with EU law.
This example of a breach of Internet security brings many other issues to light. What makes the information private? Is it ok to look at people’s Internet behavior if you take away all of their personal identifying information? These are questions that are very difficult to answer, and disagreed upon by many experts. In general, most countries have laws that make it illegal to intercept any information that individuals send on the Internet, even if any personal identifiers are taken off. But, it is clear that some countries have laws that are much more stringent than others, which can cause problems with Internet information being intercepted in countries with lax laws, and that information being sold to companies in countries with more stringent laws. This is clearly an issue of utmost importance, and in need of more definite and universal laws.

Johanna B. said...

As my group took advantage of Twitter's use of TinyURL in planning our imaginary attack on Ned in class several weeks ago, I've recently become aware of the potential threat that the service can pose, despite its obvious advantages. I admit I had never thought twice about clicking on TinyURL links prior to that (especially since my boss is constantly sending my links to various things through Twitter) even though I am always careful not to follow links in phishy (I crack myself up) emails, or not to follow links in spammy facebook messages. Lately I have been much more wary of TinyURL links, so their new security service appeals to me a lot. Particularly because I don't have the option not to follow links sent by my boss. While I agree that clarity in precisely what TinyURL does in order to make their service more secure is key, I think I'm willing to sacrifice a little privacy and gain a few cookies to avoid potential viruses.

Jake said...

As usual, I immediately saw the philosophic implications at the heart of this debate (and will ignore everything else...). The privacy vs. security debate manages to manifest itself in different ways. What is fascinating is at the core of this trade-off is the implicit idea that web users somehow agree to accept any and all things that come with where they click. The idea being that in voluntarily choosing to visit a website, you are consenting to acquire all that comes with it (cookies), etc. Notice that this stems from the voluntary process- the idea being that if you don't want the "baggage" that comes with a website, then don't go to it.
This may have been true in the first days of the internet, where functioning online was not a societal requisite. However, as an American in today's world, we must ask how VOLUNTARY online participation actually is? Can one actually do what is required of them in their every day lives without accessing certain websites? Yes, it is possible to survive without the internet. But to thrive and succeed certain actions are required of us.
Let me draw a parallel example. Given technological advances in health, one can survive on water and vitamin supplements- that is- survive without food. However, is it reasonable to think that having food is some luxury such that every time you eat food you must consent to giving away some of your privacy? Certainly this is unreasonable.
Now this analogy lies at the absolute end of the spectrum, but the idea here still resonates: some things must be done in order to live the way we want to live. This is everything from the basic function of eating, to the more technological function of using the internet in certain ways. Yes, to even have the internet is a luxury, not a necessity in the physiological sense. But at this point, the internet is so ingrained in our culture and our way of life that to live without it interferes with living!
I'm not sure this notion of consent has been fully addressed in the privacy vs. security debate, which is ironic seeing as it is the central issue.

Ben2012 said...

A post in response to the readings, not this thread:

What I think struck me the most about James Bamford's The Shadow Factory was less the extent to which the NSA and the intel community currently listen to or sort through communications, but the extent to which they have in the past. Bamford details the history of the NSA, created in secret, and the extent to which the intel community has previously worked backroom deals to get access to information. Viewed in this context, it seems like the NSA's activities with Qwest and the other companies isn't entirely new, though certainly it takes things to a vast new level, enabled in part by the advance of technology.

The fact that similar principles--secrecy and extralegality, for two--have been acted on before doesn't make them excusable now. In fact, most telling about the history Bamford presents is the fact that when previous NSA activities leaked out, there was an outcry against them and investigations (the Church Commission). The IC has obviously learned from this, taking as many steps as possible to keep their activities secret once again, but ultimately failing.

In total, I think a society that is based on the consent of the governed can do better than continually hiding extralegal activities--or secretly changing the laws--again and again. Lessons must be learned; I'm not sure they have been.