Mozilla's Guide to Privacy-Aware Christmas Shopping

Mozilla reviews the privacy practices of Internet-connected toys, home accessories, exercise equipment, and more.

Posted on November 23, 2017 at 12:31 PM • 67 Comments

Comments

handle_x • November 23, 2017 1:54 PM

We have ONE recourse as a consumer :

That recourse IS REFUSING TO BUY CRAP.

Do not go gently into that Black Friday!

RAGE, RAGE against the dying of privacy under the guise of consumerism!

God bless all, and great thanks to Bruce's public service herein.


Clive Robinson • November 23, 2017 2:03 PM

I think it's prudent to say that as the data was derived from each company's product details a few things have been left out...

For instance if there is either an account or advertising mentioned it's safe to say that "third party business records" are being created, which can be obtained by any LEO including those "transport" and "campus" cops.

Further if the device has any kind of connectivity, it's probably fairly safe to assume it will not be secure, thus data will leak.

Likewise anything with voice control will phone it home to the mothership to be processed, so both the above apply.

If it's got either a microphone or camera built in or both, be wary especially if it needs Internet connectivity.

Yes I know it sounds paranoid but let's be honest, do you really want to trust people who see your private life and that of your children and pet dog as ways to raise an additional income stream if they can?

Can I suggest a more suitable present for people these days is something without any kind of electronics in them?

But remember if you do give socks check for RFIDs you never can be too sure...

Drone • November 24, 2017 1:23 AM

Look at the list below. Just going to the Mozilla article invites all those other lurkers to the conversation without your knowing. And that's just the FIRST LAYER of unwanted interlopers, each of which may (if not blocked) invite many other sites to listen and probe... ad-infinitum. Yeah, "privacy not included".

mozilla.org
advocacy.mozilla.org
bootstrapcdn.com
maxcdn.bootstrapcdn.com
fonts.googleapis.com
gstatic.com
fonts.gstatic.com
mozilla-foundation-talk.herokuapp.com
mozilla.net
cdn.mozilla.net
code.cdn.mozilla.net
shpg.org
c.shpg.org
google-analytics.com
www.google-analytics.com
optimizely.com
cdn.optimizely.com

fudge • November 24, 2017 2:02 AM

You call out lurkers and imply nefariousness but can you flesh it out?

Everyone operates multiple domains. That's not a particularly large list.

Unless you have specific reasons among that list to revoke trust what exactly are you denoting?

Wael • November 24, 2017 2:27 AM

I stopped using my iRobot Roomba after I found out it's mapping my place and possibly sending information without my consent[1]. I don't want anyone to know how I arrange my cat litter boxes.

Besides, it doesn't clean anything and scared my old cats. One of them thinks it's rude the machine follows her to her crap box. Poor thing lost 7 of its 9 lives. I should call her Seven of Nine. Thank goodness she's an American cat, otherwise she'd be dead now.

[1] I don't even think it's connected to the hotspot, but... paranoia, you know.

keiner • November 24, 2017 3:01 AM

@ Drone

FF56 or palemoon and AddOns NoScript and uMatrix and you're done.

No scripts. And after closing the browser, do a decent Bleachbit (recommended by the owner of this blog, btw... ;-D )

roxette • November 24, 2017 6:01 AM

Mozilla guide to privacy-aware online shopping.

1. Check out that lovely pre-installed google cookie in your brand new browser (they are our number one sponsors after all!)
https://www.cnet.com/news/a-dangerous-conflict-of-interest-between-firefox-and-google/

2. Check out how our developers flirt with the idea of opt-out metrics
(https://betanews.com/2017/08/24/mozilla-firefox-telemetry-privacy/)

3. Now just take our word for it: we care about your privacy (disclaimer: as long as it does not interfere with our sources of revenue and business model)

keiner • November 24, 2017 6:52 AM

@roxette

Nice little game: configure a Firefox 57 (with NoScript set to block each and everything) under "Privacy & Security" to clean everything when Firefox closes and to open ONE EMPTY Tab when you start it.

Close it, do a Bleachbit. Start FF and close it. Then do a Bleachbit again. For me there are 12 MB of dirt in the FF profile to clean up after opening an EMPTY Tab! Really amazing. 10.2 Mb in cache, some more in cookies (set to be cleaned completely on leaving FF!), site preferences etc.

And then have a look in .cache/mozilla (on linux, comparable in Win, I guess). There are another MBs of trash.

Clean all this up (my Bleachbit deletes everything in .cache/mozilla, set under "Custom"). Start FF again and all the trash will be back in place again.

If you don't have enough: Start a pcap (aka Wireshark) on the machine with the FF and open the browser. Un-be-lievable...

Google and Microtrash even much worse, but they should not be so noisy with their "Privacy" stuff.

JonKnowsNothing • November 24, 2017 9:14 AM

Intercept has a good overview of some trackers/cross platform trackers currently in use. Not overly surprising to folks here and also not overly surprising to those using the apps and phones.

ht tps://theintercept.com/2017/11/24/staggering-variety-of-clandestine-trackers-found-in-popular-android-apps/

(url fractured to prevent autorun)


The Always ON internet is not working for a lot of folks and Big Data Analysis can only track those who are ON so the pool of their generalizations (aka targeted advertising and tracking) becomes more stagnant over time and the error rate rises.

The Not On folks are going to be a growing faction after the Dead Net Neutrality hits the USA and the imminent price increases force the economically marginal connections to drop off line.

What's a hoot (unless you need it), is that so many agencies and sites mandate you use a web page/app to access services. That ain't gonna work too well ...

Check out the problems folks in Puerto Rico have trying to log-in to apply for assistance with no electricity, no internet and everything pretty much broken.

The data trackers are probably skewed badly anyway. GIGO still is the operative word for there. Nothing is deleted and Nothing gets corrected. Lots of Nothing about Nothing.

You could have some fun by mailing your phone to yourself and letting it wander all over the various transport hubs - maybe the new phreaking ?

Somnos • November 24, 2017 9:56 AM

The best first step towards privacy-aware Christmas shopping is to avoid doing it on a Firefox browser.

If you like the interface but aren't so hot on the malware that's shipped with it, try GNU's icecat.

Herman Jay • November 24, 2017 10:06 AM

Try this for a laugh:

Open the Mozilla link and scroll all the way down to where it says:

Mozilla cares about protecting your online privacy and security. Consumer Reports sets the standard for consumer reviews and protection. That’s why we are using the new Digital Standard developed by Consumer Reports and its partners to help us evaluate the products in this buyer’s guide. Learn more about the Digital Standard.

Click on the "Digital Standard" link and ... it doesn't load unless you activate JavaScript! You couldn't make it up.

Clive Robinson • November 24, 2017 10:30 AM

@ E.Y.O.,

Mozilla cares about privacy in the same way that McDonald's

Not quite true, at least at MuckyD's --in the UK-- they will tell you what's inside their food. Mozzy sure is not telling you what's in the "junk food" equivalent they are serving up ;-)

CallMeLateForSupper • November 24, 2017 10:30 AM

@all
I was interested in seeing what the review might say about connected televisions. The answer: nothing. Not a single TV in the pile!

@Drone
In addition to some of the "interlopers" you listed, I also see "fake-domain.noscript.net". (What up wi' dat, I wonder?)

Wael • November 24, 2017 11:05 AM

@Clive Robinson,

at least at MuckyD's --in the UK-- they will tell you what's inside their food.

I told you this in the past: did you hear about the McDonald's sandwich made out of cow's lips? It's called the McJagger. Sometimes the name is 'R-rated'; gives you a glimpse what's inside ;)

Heh, pardon me! Sir Mick, That is!

CallMeLateForSupper • November 24, 2017 11:12 AM

@fudge

"You call out lurkers and imply nefariousness but can you flesh it out?
[...]
Unless you have specific reasons among that list to revoke trust what exactly are you denoting?"

I think Drone is saying... readers here who are interested enough in the slings and arrows potentially loosed by IoT crap... er, products... to have a look at the linked article expose themselves to a subset of said weapons by simply visiting the linked page.

If you don't understand what I'm saying, have a thoughtful look at this (admittedly dated) study:

http://techscience.org/a/2015103001

CallMeLateForSupper • November 24, 2017 11:27 AM

@all

FYI: the CNET article linked by "roxette" is 10 years old, talks about Firefox 2.0.

Clive Robinson • November 24, 2017 11:47 AM

@ Wael,

The scary thing about Mick de Lips is that, apparently a two person sofa was designed after his smackers...[1]

As normal I can't find a link at the moment which probably means you can 0:)

[1] Not sure if it comes with a Mars Bar stuck in the crack or not though ;-)

Wael • November 24, 2017 12:15 PM

@CallMeLateForSupper,

SNORT! ...

:) Careful there! I'm not responsible for any drink spillage on your keylogged keyboard or your SnitchPhone.

@Clive Robinson,

which probably means you can...

Probably! But that has to wait a bit. Have some work stuff to finish. Gotta make a living and pay the bills, dawg! See, in situations like this a good pair of foot coverings help, but you have the irksome habit of insisting on keeping my feet cold.

apparently a two person sofa was designed after his smackers

Sofa, smackers, eh?

Not sure if it comes with a Mars Bar stuck in the crack or not though ;-)

goddamn! Crack, too? I see a yellow card in your near future. You'll sofa king deserve it ;)

hmm • November 24, 2017 4:09 PM

"For me there are 12 MB of dirt in the FF profile to clean up after opening an EMPTY Tab!"

It's probably just pocket or the other built-in extensions doing their thing.
You're concerned about cached extension data leaking then don't use them.

Cleaning up after the fact with bleachbit is likely overkill + missing the point.
You've seen browsers undeleting deleted files from your file system?

hmm • November 24, 2017 4:23 PM

"to have a look at the linked article expose themselves to a subset of said weapons by simply visiting the linked page."

But if you LOOK at the actual domains on that list, they're mostly NOT data collectors.

You're always being exposed to 3rd party snooping on major sites now, it's not something FF57 does or doesn't do at all. Let's break them down. The list in question was :

mozilla.org
advocacy.mozilla.org

Obviously those are part of the FF mission, I see no data snarfing there.

bootstrapcdn.com
maxcdn.bootstrapcdn.com

Both manage bootstrap and dynamic font CDN services. I see no data snarfing but the potential exists if misconfigured I guess.

fonts.googleapis.com
gstatic.com
fonts.gstatic.com

If you don't trust googleapis you're using the internet differently than most.

mozilla-foundation-talk.herokuapp.com
mozilla.net
cdn.mozilla.net
code.cdn.mozilla.net

More subdomains to facilitate their various missions, no major sellouts detected.

shpg.org
c.shpg.org

These are supposedly "analytics for good" probably to manage safe browsing /etc.
This is perhaps a data sink but you'd have to dig into it to see what it gets.

google-analytics.com
www.google-analytics.com

Same, more google analytics that large %'s of the internet use. Mild concern I guess.

optimizely.com
cdn.optimizely.com

Analytics for optimizing sites in a general sense. Mild concern again I guess.


None of these on this list is a data snarf that I can tell.

If the list had included akamai or AWS or a bunch of shady 3rd party analytics that nobody had ever seen or heard about, that would be more of a heads up to pay attention.

I'm not trying to defend FF57 from due criticism, I just think that particular list of domains is about as harmless as you're going to find. Am I wrong?

Did I miss some nefarious data mine in there? Please correct me!
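
Added example, not part of any commenter's post: the list from the thread collapsed to registrable domains and split the way a browser's first-party/third-party rule would split it. The page host (`advocacy.mozilla.org`) and the small suffix set are assumptions made for this illustration; a real analysis would load the full Public Suffix List.

```python
# Added illustration: group the hostnames quoted in the thread by registrable
# domain and label each group first-party or third-party to the visited page.

# Hostnames exactly as they appear in the thread's list.
HOSTS = [
    "mozilla.org", "advocacy.mozilla.org",
    "bootstrapcdn.com", "maxcdn.bootstrapcdn.com",
    "fonts.googleapis.com", "gstatic.com", "fonts.gstatic.com",
    "mozilla-foundation-talk.herokuapp.com",
    "mozilla.net", "cdn.mozilla.net", "code.cdn.mozilla.net",
    "shpg.org", "c.shpg.org",
    "google-analytics.com", "www.google-analytics.com",
    "optimizely.com", "cdn.optimizely.com",
]

# Assumption: a constructed, minimal stand-in for the Public Suffix List.
# herokuapp.com is a suffix under which unrelated customers get subdomains,
# so each name below it is its own party.
PUBLIC_SUFFIXES = {"com", "org", "net", "herokuapp.com"}

# Assumption: the article was served from this host (it is on the list,
# but the thread does not state the page URL).
PAGE_HOST = "advocacy.mozilla.org"


def registrable_domain(host, suffixes=PUBLIC_SUFFIXES):
    """Return the public suffix plus one label (the 'site' of a host)."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix to the shortest.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in suffixes:
            if i == 0:
                return candidate  # the host is itself a bare suffix
            return ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def group_parties(page_host, hosts):
    """Split hosts into first-party and third-party groups keyed by site."""
    site = registrable_domain(page_host)
    groups = {"first-party": {}, "third-party": {}}
    for host in hosts:
        reg = registrable_domain(host)
        side = "first-party" if reg == site else "third-party"
        groups[side].setdefault(reg, []).append(host)
    return groups


def summarize(page_host=PAGE_HOST, hosts=HOSTS):
    """Return (first_party_sites, third_party_sites) as sorted lists."""
    groups = group_parties(page_host, hosts)
    return sorted(groups["first-party"]), sorted(groups["third-party"])


if __name__ == "__main__":
    for side, sites in group_parties(PAGE_HOST, HOSTS).items():
        print(side)
        for site, members in sorted(sites.items()):
            print(f"  {site}: {', '.join(members)}")
```

The 17 hostnames reduce to 9 distinct sites, and `mozilla.net` lands in the third-party group because the rule compares registrable domains, not ownership.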

hmm • November 24, 2017 4:54 PM

"If you don't have enough: Start a pcap (aka Wireshark) on the machine with the FF and open the browser. Un-be-lievable..."

Well? What do you actually see?

hmm • November 24, 2017 6:18 PM

"None of these on this list is a data snarf that I can tell."

I should have qualified that, google analytics is what it is.

But where is this boogeyman?


65535 • November 24, 2017 10:47 PM

@ handle_x

"That recourse IS REFUSING TO BUY CRAP."

I agree.

This is especially true with larger households and their limited budgets. There is nothing worse than paying Amazon or Google to spy on you with useless IoT bling.

I have a "no cell phone" policy at my abode where I take the phones of kids who visit here and put them in a heavy pot with a plastic dish inside and put the very heavy lid on top. That proves to be a fairly good Faraday cage. No compromising pictures while at dinner, or aggravating ring tones going off all the time. When the kids leave they take their cell phones home - to pester their families.

@ Drone

Good list. But, I worry more about the certificates loaded into FF from the factory. I have yet to reduce them to a relatively safe level and that goes for the certs in IE or Edge.

@ keiner

Your comment on DOM storage or other storage to be emptied by bleach bit makes good sense.

@ hmm

You make a good counter-point. I am a little concerned with c.shpg.org and google-analytics.com because they just don't sound too privacy friendly.

Yes, I know Google supposedly masks some individuals with their code but I would also guess they can unmask them also. If you have data to the opposite then let us know. I will say the FF is the best of the major browsers for privacy.

@ keiner and roxette

Both of you make good points. I have always favored "follow the money" thinking. It would be nice to have rational conversation on the funding of Mozilla/Firefox and leverage Google/chrome may have over FF. Google is so big that some influence must be exerted on Mozilla - but how much should be rationally laid out.

Clive Robinson • November 24, 2017 11:34 PM

@ hmm, 65535,

But where is this boogeyman?

Consider the following,

1, Has Microphone.
2, Has Camera.
3, Has GPS.
4, Has accelerometers.
5, Has Internet/phone/bluetooth/WiFi.
6, Has Forced updates.

That is, what you buy today could be one forced update to boogeyman tomorrow...

For example Oracle has shown that Google has made additions to Android that turn on hidden location tracking that the user can not turn off.

Others have shown that Google contrary to promises made in court about not aggregating various user data sources, is doing exactly that...

Now if Google is happy to lie cheat and steal, what do you think less reputable companies are going to do?

When making a purchase of new kit, you should run down the above checklist and if any of the boxes get a check in them... think about spending your money elsewhere...

Clipper • November 25, 2017 12:43 AM

I think mozilla is a lost case since they announced how they will block "fake news" and this will be funded by Soros.

If anyone with a political agenda can finance mozilla so they block what he considers "fake news", then it's time for an alternative. So far Pale Moon fits the bill, but I keep my eyes open for other alternatives as well. Maybe the qupzilla project becomes better after some linux project adopted it.

Drone • November 25, 2017 2:17 AM

@Keiner said: "FF56 or palemoon and AddOns NoScript and uMatrix and you're done."

Where do you think the list came from? Yup, FF57 + uMatrix.

hmm • November 25, 2017 2:52 AM

@ Clive

1, Has Microphone.
2, Has Camera.
3, Has GPS.
4, Has accelerometers.
5, Has Internet/phone/bluetooth/WiFi.
6, Has Forced updates.

Yeah that's a smartphone AKA the always-on listening device you pay to have your every doing completely monitored by anyone who has the budget and interest, without much recourse.

(I'll always use dumb GSM/CDMA phones. My battery still comes out and I recharge weekly)
(*Caveat, I can't get hacked by an Uber app or Android being 2 versions out of date.)

We were talking about if FF57 "phones" "home" on a blank tab, or to 3rd party data sieves.
Someone made a vague claim along those lines and I was following up.

FWIW, the DEFAULT settings are to check for autocorrecting domains/typos and keep people safe from unsafe sites, that sort of thing. All of that in this model requires phoning home at some level. You can turn most of it off, IDK about all of it, maybe in config, maybe not.

But the implication was "fire up firefox 57 and you're naked to the world"
-and I want to clarify the butter on that naan.

hmm • November 25, 2017 2:57 AM

"I think mozilla is a lost case since they announced how they will block "fake news" and this will be funded by Soros."

You are not reading particularly well unfortunately and are now spreading disinformation.

Soros isn't the specific threat to your greatly threatened worldview in this instance, that would be reality itself.

Good luck.

Petre Peter • November 25, 2017 10:05 AM

If everything is private, my data belongs to me, unless i store it on someone else’s property; if everything is private, then required fields are optional after authorization, identification, and authentication; if everything is private, then i cannot masquerade the word public with private; if everything is private i cannot masquerade the word choice with threat; if everything is private i can assign responsibility; if everything is private i cannot know what happens with my tax money; if everything is private what do i do with my surplus; if everything is private, “we the people” are no longer responsible for justice.

Clive Robinson • November 25, 2017 10:15 AM

@ hmm,

Yeah that's a smartphone AKA the always-on listening device you pay to have your every doing completely monitored

Not just smart phones, think about those entertainment systems, those voice activated devices, and all the rest of the crap as well.

You can not even buy a TV or even some kitchen appliances without the Internet for functionality, which was never needed, but almost certainly phones home some way.

With Wifi or GSM chips being as small as a little fingernail and less than $1 in quantity it's not difficult for them to be tucked into even toys for your children...

How we expect even adults to understand what the game is, is a tall order. Which is why I guess at least the German Government is making noises. Also it won't be long before the new European privacy rules start digging in against some --but only some-- companies. Others will just set up cut out companies for a single product, milk it and throw it away because by the time the legal cases get to court the money will be gone and the company filed for closure etc.

You only have to look at what the UK's Sir Philip Green tried to get away with with BHS to know that there are some types out there for which no scruple will get in their way. Oh and there's similar further up the greasy pole like Rupert "the bear faced liar" Murdoch who used phone hacking and worse criminal activities to sell newspapers, then get others to take the fall for him and his lieutenants...

So what you might expect from "no name no brand" Far Eastern companies in terms of obeying the privacy laws is probably wildly over optimistic, to what will happen one way or another.

Wael • November 25, 2017 11:02 AM

Previously I had Ghostery and NoScript addons. Now I tried uMatrix, and I like it so far. Thanks for the references.

Wael • November 25, 2017 12:13 PM

@Clive Robinson,

As normal I can't find a link at the moment which probably means you can 0:)

I can't. Probably did not participate in the discussion, thus I remember no keywords. Used the strings above, no results.

hmm • November 25, 2017 2:10 PM

@ Clive

"You can not even buy a TV or even some kitchen appliances without the Internet for functionality, which was never needed, but almost certainly phones home some way."

It's a valid gripe! But your conclusion is not yet true. Not all coffee is Keurig yet.
Not all refrigerators phone home or ID you or instagram your lunch. Too many do.

The consumer has to be careful like never before. Kids can make that very difficult.

I believe there will be a return to sanity and some decent brands will realize that tracking and infiltrating their customers' every habit is a BAD BUSINESS PRACTICE, and they will push back with privacy conscious products and advertise them on that basis preemptively.

I'd certainly pay more for an impetus towards that, wouldn't you? We're not alone.
There's an untapped market there.

This is a mirror of Ajit Pai's argument for selling out the internet to hatchet men:
We squeeze the consumers & they're willing to pay more for what they expect to have already.

We do not demand better as a majority of society, and so we are eventually resigned to the abattoir.

hmm • November 25, 2017 8:07 PM

"Google is so big that some influence must be exerted on Mozilla - but how much should be rationally laid out."

Google is so big that massive influence has been exerted on the WEB ET AL. All of it.
How do you monetize without ads/clicks? If not google page ranking, what, BING?
(Chorus of snickering)

The devils we know and the devils we don't, most of them suck but still we have preferences.
If you're willing to avoid all sites that use analytics like that you're a True Scot.
Realize that walls off likely over 90% of the popular web2.0 that everyone is using.

Clipper • November 26, 2017 4:46 AM

@ hmm

You can substitute Soros with Trump or whoever you like, the point still remains the same, when a web browser gets to decide for you what is "fake news", then it isn't a simple browser but something else.

The more complex firefox gets the more we need a simpler tool with a smaller attack surface that focuses on its job instead of getting into politics.

hmm • November 26, 2017 6:02 AM

"You can substitute Soros with Trump or whoever you like, the point still remains the same"

That's crazy talk. We're accusing Trump of things we can prove he did personally.
There's no 1:1 liberal converse of every extant neo-liberal fascist.

"when a web browser gets to decide for you what is "fake news"

You aren't paying adequate attention. The browser doesn't decide that. Neither does Soros.
Neither does Mozilla directly although they do sign off on the result.

Here's where you go wrong :

You've DECIDED that siphoning out known-fake news items is a POLITICAL BENT.
You've SIDED with the plausibility of KNOWN-FALSE FAKE NEWS FROM KNOWN PROPAGANDA MILLS.

Even BREITBART is allowed to post "news" items to Google's general feed.
You think Soros would allow that given infinite magical internet censor powers?

The fact is you're being SEVERELY UNDERSERVED as a conservative desiring non-BS news.

That's not Mozilla, that's not Soros. That's the fault of your party.
It is deliberate. Trump plays to it with his "fake news" tropes.

The man is going to prison. Don't go with him.

Clipper • November 26, 2017 8:01 AM

The point of using a web browser is that I, as the user, am the one to decide what is "fake news and propaganda". If you like "known sources" you can stick to them, if you don't you can go wherever you like. Otherwise, we can have firefox lock us out of gossip sites because they are not reliable, or even amateur tech sites because they are not peer reviewed and so on.

paranoia destroys ya • November 26, 2017 12:19 PM

"I, as the user, am the one to decide what is fake news and propaganda."

There are 2 definitions of "fake news".
The political one is propaganda agreeing with our pre-conceived opinions.
Another is what agrees with multiple experts in that field, not necessarily mainstream views.
(A specialist in one area may be totally ignorant on other matters.)

Nolly Jax • November 26, 2017 2:47 PM

It makes you wonder how much Mozilla really cares about user privacy when they send us a guy to defend their case by suggesting that, when it comes to browser privacy, trackers like google-analytics are essentially "analytics for good" and only "a mild concern." If we care about privacy, we're "using the internet differently from everyone else," and we should be glad that Firefox is in bed with Google, cause it might have been Bing instead. Now there's a few gems for Mozilla's "We Care About Your Privacy" page.

hmm • November 26, 2017 10:31 PM

"The point of using a web browser is that I, as the user, am the one to decide what is "fake news"


The point isn't censoring "fake news" - it's censoring fake SOURCES - more specifically, a foreign disinformation campaign.

You've already proven you don't pay nearly close enough attention to do that effectively enough.
And you're not alone at that either.

You can decide what you believe. Nobody at Mozilla will change that.
You can decide where you browse to. Nobody at Mozilla will change that.
You can decide which news sources you prefer. Ditto. Absolutely.

But you can't decide Mozilla's adequately-vetted greater-than-1-BS-source "news feed" standard.

If you have a problem with sought "NEWS" information coming from single infrequent sources that aren't confirmed or vetted or established as veritable sources of information historically, and in fact ARE FURTHER LINKED TO A KREMLIN TROLL FARM or similar effort, as we can forensically do using big data...

Then you are the problem. Nothing personal but it's true.

The reason single-source BS news "works" as a lucrative employment scheme for thousands of otherwise unemployed young professional trolls in eastern Europe IS BECAUSE YOU HAVE NO ABILITY OR INTEREST IN SCREENING IT OUT WHEN IT REINFORCES YOUR PREVIOUS ASSUMPTIONS.

https://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect

I don't mean that as a slight, I mean that as a diagnosis of what ails you and in fact 1/3 of our nation.

Heal thyself. Breitbart is a pretty low bar, if you're below even that standard of vetting,
maybe it's not Soros that's keeping you from valid information.

Bottom line, if you didn't fall for it this wouldn't be a problem.

#pizzagate has consequences.

hmm • November 27, 2017 12:16 AM

"Otherwise, we can have firefox lock us out of gossip sites because they are not reliable"

Spreading false information about his false information being censored, typical wormhole.

Clipper • November 27, 2017 4:52 AM

This joke with Kremlin trolls has gone really too far, every country and every political party has trolls and it's not a web browser's work to distinguish which trolls are good and which are bad. If someone wants guaranteed sources he trusts, he can visit a single site he approves and get done with it.

Mozilla has no job messing with whether I like to read breitbart or cnn, if you can't understand this then maybe you are someone's troll as well.

No one But Yourself • November 27, 2017 5:22 AM

Google Analytics is the most widely used spying tool in existence. They have become digital bouncers, even blocking access to government sites. That is, a tax paying citizen cannot load a traffic map without disabling all defenses. That is, Google needs to verify your identity for you to use a Department of Transportation road map.
Google is the world's largest advertiser and holds fantastically detailed dossiers on every citizen, starting with our grade school children. Law enforcement/government can simply request data circumventing the due process of a warrant.

Phone Home
Type in about:config in the FF browser then search for Google. As Gomer Pyle said, “surprise, surprise surprise”! Google is there lurking at the Mozilla add on site which FF browser checks home every few hours.
Be extremely cautious with add-ons as many do collect your data.

If you must use FF then implement the settings in https://www.ghacks.net/2017/10/05/firefox-56-new-preferences-and-ghacks-user-js-changes/

I reject any application or OS with constant updates. This allows software developers to monetize its user base. So I use an older stable fork with all the data-mining stripped out. I then generate browser fingerprints using a user-agent spoofer. Then a rotating VPN with uBlock Origin and uMatrix. Only turn on JS temporarily.

Google greets me with “Robot – Is that you?” and denies access simply because I won’t be bullied.
Amazon is also tightening its verification but only when you login. That is fair. However their three step verification is only for those not addicted to Android smart-phones.

Hmmm read the new EU data principles taking effect then report back. Notice the 2.7 billion fine with another whopper on the way.
Unlike America, Europe no longer accepts playing dumb as a valid defense. So now we move on to fake news and disinformation.

hmm • November 27, 2017 5:29 AM

"Mozilla has no job messing with whether I like to read breitbart or cnn"

You are fundamentally misunderstanding things, seemingly intentionally but I can't be sure.

Breitbart and CNN are actually verified to act as legitimate news feed agencies.
So nobody is going to make you choose between those anyway. Bad example maybe?

And... neither are shady 1-shot-and-gone blogs posted by foreign trolls trying to masquerade as actual local journalists.

I'm really sorry to have to explain this to you, but those are not 1:1 equal concepts.

Unknown microblogs from invented non-identities being paid by a foreign power to report distorted and intentionally false items to western targets ARE NOT JOURNALISTS.

This really isn't being decided "by the browser" either. Nor is it censoring anyone.
Nor does it decide what you will personally think is newsworthy.

If you don't understand that, perhaps verified information being publicly disseminated with a modicum of established veracity simply isn't your interest?

Nobody will take away your alt right hate cartoons, I promise. It's just not journalism.

If this upsets you, you're upset with the way of the world again. No recourse suggested.

hmm • November 27, 2017 5:38 AM

And as a follow up, neither google nor any other private internet company is under ANY OBLIGATION to give you a personal alternate reality where your discredited and thoroughly debunked blog collections spewing unsubstantiated (and ridiculous in this case) conspiracy theories and false information are called "Actual News" or given any promotion as that.

Because that's not reality. You can still browse along to your silly disinformation sources, nobody will stop you. They just aren't going to help the default user be deliberately misinformed by default, though you're free to willfully pursue that.

So stop whining. You have an entire internet of bullsh* to browse through at your whim.
Simply pretend for yourself that it all rises to the level of vetted journalism, right?
Internally.

Enjoy.

Clive Robinson • November 27, 2017 8:45 AM

@ Clipper,

Mozilla has no job messing with whether I like to read breitbart or cnn, if you can't understand this then maybe you are someone's troll as well.

No they don't until the political rabble decide otherwise. Think of it like questionable content that gets the "think of the children" response from idiot politicos and those not bright enough to realise they are being more abused than they realise...

The aim is as it is in what you would consider politically questionable regimes. Which is "control the message the sheeple get fed".

What people so easily forget or choose to ignore is "Technology is Agnostic to Use". The "directing mind" cares not one jot how they get the technology put in place "Think of the children" is one of the best. Once the legislation and technology is in place the mission creep starts and the next thing you know it will be treason not to get your news from "The Disney Channel" or whoever else has greased a few political palms and those of senior civil servants etc.

If you stand back from the daily drudge and actually look up and around you, you will see this going on all around you. Thus the majority are sleep walking into a nightmare, thinking that it's all for the best...

No one But YourselfNovember 27, 2017 9:12 AM

Data-Mining at Public Sites under the Guise of Security

Try to load this official State of Texas roadmap:
Three different Google trackers and bing.com are lurking:
http://dfwtraffic.dot.state.tx.us/ITS_WEB/FrontEnd/default.html?r=AUS&p=Texas&t=map

This site's streetmap used to load. No more.
The new security policy now overrides the State of Texas privacy policy:

“This site is monitored to ensure proper operation, to verify the function of applicable security features and for similar purposes. Unauthorized attempts to upload information...”

This weasel-worded sentence allows Big-data to forcibly data mine the public. That is, Google is preventing traffic conditions from being DOWNLOADED without these advertisers first verifying citizens' identity. All under the false flag of security.
http://www.txdot.gov/inside-txdot/contact-us/privacy-security.html

There are many other examples of public institutions being data-mined. Bruce posted a library privacy study last year. The results were dismal with Google typically managing the inventory through the Polaris library GUI.
Are they tracking the media checked-out? No one knows or will answer.

While Europe will not allow these blatant abuses, we are stuck with ‘Data-Mining under the Guise of Security’ in America. We suck!

hmmNovember 27, 2017 9:52 AM

@ Clive

If however one thinks MOZILLA is a substantial actor towards state sponsored ACTUAL censorship simply because it STATED that it would help filter out from its news feed known-fake non-news from non-journalism sources that don't measure up to "Actual News" by any educated criteria regardless of political bent, I'd suggest you're not only barking up the complete wrong tree but also fully believing you are a real dog meanwhile.

Donald Trump's favorite trope is that the evil media is ALWAYS lying and the "real truth" is out there.
The guy who made up the Obama birther story and "never golfs" and is worth 10 billion?

He is now questioning the veracity of the video in which he described grabbing various parts of women, for which he has already subsequently apologized, on which we can all see is Donald J Trump, in the flesh, saying those words and enjoying himself thus.

Now he says it didn't happen, in front of Congress members no less.

Is there bias in mass media? Of course there is. We're not that naive, there's bias everywhere.

Is that the greater source of disinformation in the lives of average people, the unavoidable bias in this vetted journalism that still fires people caught prevaricating or plagiarizing, that requires lists of sources and having long-standing relationships where they've demonstrated competence and veracity at least on some basic level for years?

Or is there a raging elephant smashing load bearing walls of your home that you continue to deny exists?

"Oh it's impossible to know what's true anymore, ask any blogger in Lithuania."

Clive RobinsonNovember 27, 2017 1:46 PM

@ hmm,

    If however one thinks MOZILLA is a substantial actor towards state sponsored ACTUAL censorship

I don't think very much about Mozilla, or what it does or does not think past present or future.

My point is if they put the mechanism in then it will get used now and in the future, and they will not be able to take it out beyond a certain point (think about Apple's comments on the all writs assist pile they got served up by the psychos at the DoJ).

As I've noted the method is agnostic to the policy set by a directing mind. Thus once in place a legislator can find ways to use it that Mozilla do not have a snowball's chance in hell of resisting.

But further have a think on how it might be implemented and then you start to see the real evil that will be possible by "third party business records".

It's way way safer for all concerned if Mozilla goes nowhere near this direction, they and their users will regret it in the long run for little or no real gain beforehand.

Now if you think,

    I'd suggest you're not only barking up the complete wrong tree but also fully believing you are a real dog meanwhile.

That is your choice, but it does not matter who implements such a stupid method, it will in all probability end up inflicting it not just on the whole industry but everybody who makes the mistake of using software with such a method in it.

By the way this is not my first rodeo, I made predictions quite a while before Ed Snowden appeared on the scene. People more or less said what you have (trees and dogs) only for the Snowden documents to confirm what I had predicted. Let's just wait and see what happens in the long run. After all the last US president to do anything remotely sensible with regards crypto etc was Bill Clinton, it's all been downhill faster and faster since. Do you really think the FBI and the DoJ are going to let US politicos pull out of this tail spin that benefits them with every turn?

parabarbarianNovember 27, 2017 1:48 PM

@Clive Robinson

"What people so easily forget or chose to ignore is 'Technology is Agnostic to Use'."

I think it was Bruce his-own-self that once advised that "...it is poor civic hygiene to install technologies that could someday facilitate a police state." He may have backed off on that in recent months and some of his followers here seem to salivate over the prospect of a police state as long as they get to be in charge. However, despite such human weakness it remains good advice.

Clive RobinsonNovember 27, 2017 2:51 PM

@ parabarbarian,

    [Bruce] may have backed off on that in recent months and some of his followers here seem to salivate over the prospect of a police state as long as they get to be in charge.

The thing about Police States and Tyrannies is those that think they are in charge rarely are. Worse even if they are in charge today, like as not they will be charged with crimes of high state tomorrow.

As has been noted on the odd occasion "Those that play with fire oft tend to get burnt" likewise "Those who live by the sword die by the sword".

Thankfully there are very few out and out psychopaths with the apparent charisma or ability to hold an audience for long enough to maintain the position of leader in a Police State or Tyranny for very long. Stalin's solution was "to get them first" and purged out likely contenders for his throne. But few would actually have wanted his lifestyle, it's not what most would dream of as a super power leader.

The reality is that whilst many would like the idea of being POTUS for the apparent lifestyle and assumed power few would actually like the reality of the position. Real power lies in the ability to find tipping points whilst apparently encouraging consensus, a gentle finger as it were on the balance of power at just the right time to herd the cats, just long enough to get most to walk in a given direction and importantly feel good about having done so...

The art of true statesmanship is not the art of the deal or surrounding yourself with second rate cronies, and most definitely not threatening those who have displeased you with destruction or annihilation with a side order of hellfires and damnation... It's the art of little compromises or barely visible light touches here and there to gain big wins without apparently having put any effort in, by making people feel good about doing things without appearing loud, prideful or boastful. Most of all though it's about NOT using the power you have at your fingertips, something few tyrants or leaders of police states have ever managed.

hmmNovember 27, 2017 6:07 PM

" but it does not matter who implements such a stupid method "

Everyone worth their journalism credentials already has.

It's called vetting. It's called fact checking. It's called research.
It's called cutting out the crap sources of disinformation.

(The Fox News types aren't used to such requirements I guess.)

It's been done since yellow owner-shaped journalism was a plague on our nation,
and nobody in fantasy Fox News land complained when it was investigating Clinton.

"Bias" "Censorship" "Media manipulation" - sure, those are superlatives that describe this, slightly maybe.

So your alternative is "anyone from Lithuania with a blog is now a vetted journalist on the same level as Walter Kronkite" ?

That's not journalism, that's scrapbooking.

hmmNovember 27, 2017 6:09 PM

Did I just type Kronkite? Jesus. Cronkite.

George Soros made me screw that up via Mozilla's biased spellcheck, conspiracy!!!

ClipperNovember 27, 2017 8:39 PM

@hmm

    Unknown microblogs from invented non-identities being paid by a foreign power to report distorted and intentionally false items to western targets

And what about those paid by domestic power, AKA the taxpayer?

Clive RobinsonNovember 27, 2017 11:58 PM

@ hmm,

    Did I just type Kronkite? Jesus. Cronkite.

What's wrong with old Walter? After all he had a voice that worked wonders on the US Citizens. Half an hour of him a night was considered more efficacious than a bottle of mogadon[1] washed down with a bucket of Ovaltine[2]. Thus with the population zombified politicians thought they could get away with anything, "tricky Dickie" being but one.


[1] https://en.m.wikipedia.org/wiki/Nitrazepam

[2] Originally made in the village of Neuenegg, a few kilometres west of Bern Switzerland and called Ovomaltine after its two main ingredients dried egg powder and malt extract. It originally claimed all manner of health benefits and sleep promotion over the years, thus it became a good old US tradition to drink the brew every night come rain or shine[3]...

[3] Any one know a good emoticon for sarcasm?

hmmNovember 28, 2017 2:03 AM


"And what about those paid by domestic power, AKA the taxpayer?"

Well the money trail should be that much easier to lead you to your well-proven conclusions, then shouldn't it?

Go ahead.

Dan HNovember 28, 2017 7:16 AM

Inferno OS was the embedded operating system developed by Bell Labs from Plan 9. It can run either native on hardware or hosted on a number of operating systems.

The Charon Web browser is included and of course it doesn't support Javascript. There is also a command called "os" which allows one to run programs from the host inside of Inferno.

If using Inferno hosted on Windows, how would malware and viruses that target Windows be handled when using either Charon or Firefox via the "os" command?

Clive RobinsonNovember 28, 2017 7:52 AM

@ All,

This article from ElReg,

https://www.theregister.co.uk/2017/10/24/browsers_api_security_paper/

Is about cost-v-security of W3C APIs in browsers, and the results are to say the least going to be a little eye opening to many... (whilst the more grizzled security greybeards will mutter "Told yar so sohnny"). Put simply getting rid of the mainly unused APIs, will more than halve the code complexity oh and only affect around 5% of websites...

To be upfront about it some of the APIs should never have been considered. Because they were obvious security side channels and served no real purpose or benefit to the browser user just the web site owner/operator. Especially as things like low battery etc are built into the OS to warn the user, so it would be redundant for the website owner/operator to bring to the user's attention.

The original paper can be found at,

https://arxiv.org/abs/1708.08510

ElReg are a bit brutally honest with their appraisal comment,

    The results come as little surprise to Vulture South, since over the last couple of years, we've taken a growing interest in the privacy implications of APIs that serve little purpose but to profile users for advertisers.

Thus their conclusion is no real surprise,

    It's yet another reason the W3C needs to take a leaf out of the Internet Architecture Board's book, and make user protection part of its mission, instead of an afterthought.

Or in other words "W3C pull yer block out yer butt and smell reality" or "Get with Best Practice, as that crunch you hear is liability walking up your garden path".

ClipperNovember 30, 2017 8:18 AM

@Clive Robinson

I remember when Ovaltine was considered to be the best thing for health, don't know about that but at least it tasted nice, maybe a bit like Irish Cream without the alcohol. I can't remember if I had taken Nitrazepam though I think I did, but maybe that's proof how good it worked.

I think the best thing right now would be onioned networks where you can view whatever you want using a stripped down browser without all this modern "functionality". That would allow me to sip some Irish Cream with complete peace of mind.

An API no one seems to mention has to do with "Intel Identity Protection", which is Intel's backdoor that will allow the browser to broadcast the CPU serial number. I wonder why this "feature" is now on every Intel processor, but there's no mention about its implementation on browser level. I suspect they will roll it out silently.

CallMeLateForSupperDecember 1, 2017 9:31 AM

@Clive
"Any one know a good emoticon for sarcasm?"

Oh please don't go there! I suggest you eschew emoticon and stick with good ol' tried-and-true, for example:
/sarcasm ON
Trump is unbelievably presidential.
/sarcasm OFF

PeterDecember 1, 2017 11:04 AM

@Petre

If everything is private

If everything is public then the only thing I have to give is to take-to take you as an example.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.