EFF on the Mechanics of Corporate Surveillance

EFF has published a comprehensible and very readable "deep dive" into the technologies of corporate surveillance, both on the Internet and off. Well worth reading and sharing.

Boing Boing post.

Posted on December 13, 2019 at 6:01 AM • 22 Comments

Comments

Corporate Overlord • December 13, 2019 9:01 AM

I would consider calling this commercial surveillance instead of corporate. In my experience performing corporate surveillance, that is information operations targeting employees of a company.

Just a nit.

me • December 13, 2019 11:19 AM

@Corporate Overlord: would you happen to have a similar article about your kind of corporate surveillance? This topic sounds as interesting as the one this post is about.

Hank • December 13, 2019 11:19 AM

I would love a law that prohibits correlating data for the purpose of identification. Let's go back to advertising that is not targeted. Given that, I would only allow opt-in identification that is understandable and limited to one website. No legal mumbo jumbo about how it is used either.

Impossibly Stupid • December 13, 2019 11:38 AM

I'm a bit disappointed with their "fight back" section. They buried network-wide technologies like the Pi-hole under web solutions, and they mentioned "burner" solutions only in the context of mobile phones. These days, though, most computers support the easy creation and use of multiple user accounts, and/or you can even buy relatively cheap "burner" computers like the Raspberry Pi (or some low-end tablets) for dedicated online uses (e.g., a banking-only device). More mention should have been made of Tor and VPNs and other techniques of limiting your network signature (e.g., visiting specific sites only when on the shared WiFi network of a specific business or library).

Likewise, disposable email addresses are still a very important thing to use. Even if they can be combined in a unified profile, they often are not. More importantly, I think, is that you can embed your own tracking information in them about which service provider you gave them to, thereby allowing you to track the trackers.
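
A worked example of the "track the trackers" idea in the comment above, added here and not taken from the original post or from EFF's report: per-service email aliases that carry a short HMAC tag, plus a function that attributes incoming mail back to the service the alias was handed to. The mailbox, secret, service names and sample messages are all constructed for the example.

```python
import hashlib
import hmac
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed values for this example; use a long random secret of your own.
ALIAS_SECRET = b"example-secret-not-for-real-use"
MAILBOX = "alice@example.org"
# Alias shape: alice+<service>-<8 hex tag>@example.org (service: lowercase alphanumerics)
ALIAS_RE = re.compile(
    r"^(?P<local>[^+@]+)\+(?P<service>[a-z0-9]+)-(?P<tag>[0-9a-f]{8})@(?P<domain>.+)$")

def _tag(service, secret):
    # Short HMAC over the service name: only the holder of the secret can mint it.
    return hmac.new(secret, service.encode(), hashlib.sha256).hexdigest()[:8]

def make_alias(service, mailbox=MAILBOX, secret=ALIAS_SECRET):
    """Mint the alias handed to one service, e.g. alice+shopco-1a2b3c4d@example.org."""
    local, domain = mailbox.split("@")
    return f"{local}+{service}-{_tag(service, secret)}@{domain}"

def attribute(address, mailbox=MAILBOX, secret=ALIAS_SECRET):
    """Map a recipient address back to the service it was given to: (service, 'issued')
    for a genuine alias, (service, 'forged') if the tag fails, None if not ours."""
    m = ALIAS_RE.match(address.strip().lower())
    local, domain = mailbox.lower().split("@")
    if not m or m["local"] != local or m["domain"] != domain:
        return None
    ok = hmac.compare_digest(m["tag"], _tag(m["service"], secret))
    return (m["service"], "issued" if ok else "forged")

def leak_report(raw_messages, mailbox=MAILBOX, secret=ALIAS_SECRET):
    """Count messages per (service, verdict); a burst at one alias shows which
    service shared or lost the address."""
    counts = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        for _, addr in getaddresses(msg.get_all("to", []) + msg.get_all("cc", [])):
            hit = attribute(addr, mailbox, secret)
            if hit:
                counts[hit] = counts.get(hit, 0) + 1
    return counts

# Constructed sample inbox: two messages to the shopco alias and one to an alias
# carrying a bogus tag that was never issued.
SAMPLE_MAIL = [
    f"To: {make_alias('shopco')}\nSubject: Limited time offer\n\nhello\n",
    f"To: Alice <{make_alias('shopco')}>\nCc: alice+newsly-deadbeef@example.org\n\nhi\n",
]
```

The tag matters because plain plus-addressing lets a spammer fabricate aliases for services you never used; with the HMAC, only mail to tags you actually issued is attributed to a service.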

Anders • December 13, 2019 1:00 PM

EFF doesn't make trusting the content easy either. Let's take the pdf link at the end of the article. While the real pdf file ends with underscore and zero (_0), the browser shows the filename without them.

This raises strong suspicions that maybe I landed on a phishing site instead of the real one.

Really, EFF? Hard to rename file?

Rob • December 13, 2019 1:02 PM

The security function of the tech industry still suffers from a lack of credible information regarding which specific tools are trustworthy. Some would say it's impossible to trust any, but in practice, that will never work for most users. Most people need to be able to put some level of trust in the companies and tools they use. It doesn't have to be perfect trust, but ultimately consumers need some concrete guidance on specifics.

What is needed is an international body of best practices and standards that are to be expected of any company which purports to handle user data or protect user privacy. Basically, an ISO-form certification, verified by an independent, non-profit auditing body, that certifies the company/device/platform/service follows the standards. Depending on the specifics of what exactly is being certified, some elements of the standards may vary (e.g., a computer manufacturer or social network may have different standards than a VPN), but they should all tie back to the core standards.

EFF is maybe the only organization in the position to create something like this. Existing options (like FSF certification) are not sufficient because they are ideologically-motivated, niche, and don't cover the necessary material. Those who achieve certification according to the standards should have to pass an audit, and then be re-certified on a scheduled basis. Performing auditing and certification services could also serve as an additional revenue stream for EFF, as well as bringing a lot more clarity to tens of millions of consumers.

Dancing On Thin Ice • December 13, 2019 6:33 PM

@Hank

I heard about targeted marketing 25 years ago.
Seemingly insignificant things can clue a skilled salesman into what techniques work best for different personalities.
Then there is Target knowing a teen was expecting before her dad.
Computers and people willingly answering quizzes about how they hang toilet paper just made it easier.

Jesse Thompson • December 13, 2019 7:43 PM

I'm just saddened that so little resource goes into creating open source security solutions that anybody can use on their own terms, in comparison to how much resource goes into "security as a service".

Security is not an app. It's a procedure, and practicing it requires the use of some very good (and ideally very small) tools which one can exercise complete control over.

But I guess that's a difficult business model to finance. :/

Electron 007 • December 13, 2019 7:49 PM

Please excuse the copypasta ...

a smattering of state and federal laws offer specific protections to some. Vermont’s data privacy law brings transparency to data brokers. The Illinois Biometric Information Protection Act (BIPA) requires companies to get consent from users before collecting or sharing biometric identifiers. In 2020, the California Consumer Privacy Act (CCPA) will take effect, giving users there the right to access their personal information, delete it, and opt out of its sale. Some communities have passed legislation to limit government use of face recognition, and more plan to pass it soon.

Town hall is out of its jurisdiction to regulate interstate commerce. As always, "opt-out" is a cruel joke played on consumers.

At the federal level, some information in some circumstances is protected by laws like HIPAA, FERPA, COPPA, the Video Privacy Protection Act, and a handful of financial data privacy laws. However, these sector-specific federal statutes apply only to specific types of information about specific types of people when held by specific businesses.

These laws are not really that specific, and you have to think about how highly technical-sounding legislation is going to be interpreted and enforced by non-technical or tech-illiterate lawyers and judges, or any twelve average citizens. Average-joe town hall cops don't understand or care about the finer points of law or specific technical distinctions. You are made out to look like a "black-hat hacker" and the skinhead cops throw you in prison for a number of years on a vague and poorly understood charge which is then railroaded through a no-grand-jury guilty-plea-only collective-bargaining judicial administrative system without so much as a trial.

They have many gaps, which are exploited by trackers, advertisers, and data brokers.

These are always considered legitimate established businesses by the same town hall cops who are always looking for or fabricating a dating profile or the like on Facebook // Twitter because they demand the ability to press arbitrary sex charges against defendants, or else defendants are considered anti-social, psychopathic or terrorist if they refuse to maintain an appropriate social media profile.

Petre Peter • December 14, 2019 6:58 AM

Also, what corporations can do with data about you is not the same as what you can do with data about corporations.

Anders • December 14, 2019 7:20 AM

@SpaceLifeForm

Tried with several browsers, FF, IE, TOR etc. Same result.

Position your mouse pointer on the download link. A hint window appears showing the filename. The filename inside the hint window is different from the file you are actually getting: the filename inside the hint window is without "_0", while the file you actually get ends with "_0".

tds • December 14, 2019 1:50 PM

@Anders, SpaceLifeForm

From the USA ("'United States of Amnesia'"):

Win 7, FF 71 w/Noscript and two from eff: with "_0" for both hover and download

late model iOS & Safari: with "_0" for hover; download not tested

late model macOS & Safari: with "_0" for hover; download not tested

jdgalt • December 14, 2019 3:16 PM

They call this a deep dive? Nothing there is new to me, and I was expecting much more detail.

I'm also annoyed that they didn't cover things like China's social credit score, and the intentions by Google and other players in the "deplatforming" movement to create their own in the west. Nor the fact that six multinationals own most of the world's communication industries.

I would like to see EFF take the lead in resisting these control movements by starting open-source products to defeat them, such as a peer-to-peer replacement for ICANN's DNS.

Bong-Smoking Primitive Monkey-Brained Spook • December 14, 2019 3:40 PM

@jdgalt:

They call this a deep dive?

Agreed it's a misnomer. Typical buzzword usage. Truth is it's a good read. Should have been called "wide snorkel" because they covered more breadth than depth. Deep dives happen right Tango Foxtrot here: the Mariana Trench of Security Deep Dives ;-)

@Ratio:

WTF are you? 'W' = Where.

DrZoidberg • December 15, 2019 12:00 PM

The article missed one important (IMHO) point. Google is present not only through its Analytics, but also through its CDN services for fonts and javascript. These are quite pervasive, and many sites do not work properly, or at least don't display properly, if a user blocks these requests. This, I think, is a great problem for those of us who care about our privacy, and we need to raise awareness about it.
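
An added example, not part of the original post or of EFF's report: a small scanner that lists which third-party hosts a page's stylesheets, inline-CSS font URLs and scripts are loaded from, so the dependence on Google's CDNs described above can be measured for a site before deciding what to block. The sample HTML and the page host are constructed; GOOGLE_CDN_HOSTS names Google's well-known font and script-library hosts.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts Google uses to serve web fonts and hosted script libraries.
GOOGLE_CDN_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com", "ajax.googleapis.com"}
CSS_URL_RE = re.compile(r"""url\(\s*['"]?([^'")\s]+)|@import\s+['"]([^'"]+)""")
class DepCollector(HTMLParser):
    """Record every external script, stylesheet link and inline-CSS url()/@import."""
    def __init__(self):
        super().__init__()
        self.deps, self._in_style = [], False   # deps: list of (kind, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.deps.append(("script", a["src"]))
        elif tag == "link" and a.get("href") and "stylesheet" in (a.get("rel") or "").lower():
            self.deps.append(("stylesheet", a["href"]))
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"

    def handle_data(self, data):
        if self._in_style:   # @font-face src: url(...) and @import inside inline CSS
            for url_ref, import_ref in CSS_URL_RE.findall(data):
                self.deps.append(("css-url", url_ref or import_ref))

def third_party_report(html, page_host):
    """Return {host: {kinds}} for every host other than the page's own; relative URLs
    have no host and count as first-party."""
    p = DepCollector()
    p.feed(html)
    report = {}
    for kind, url in p.deps:
        host = urlparse(url.strip()).netloc.lower()
        if host and host != page_host.lower():
            report.setdefault(host, set()).add(kind)
    return report

def google_dependencies(report):
    # The subset of third-party hosts that stops loading when Google's CDNs are blocked.
    return {h: k for h, k in report.items() if h in GOOGLE_CDN_HOSTS}

# Constructed sample page mixing first-party assets with Google-hosted fonts and JS.
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="/static/site.css"><script src="/static/app.js"></script>
<style>@font-face{font-family:R;src:url("https://fonts.gstatic.com/s/r/a.woff2")}</style>
<script src="https://ajax.googleapis.com/ajax/libs/example/lib.min.js"></script></head><body></body></html>"""
```

Run `third_party_report(SAMPLE_HTML, "www.example.com")` to see that the fonts, the font stylesheet and the script library each resolve to a Google host while the /static assets stay first-party.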

SpaceLifeForm • December 15, 2019 4:56 PM

@ Anders

It smells of malware to me.

I would run malwarebytes, jouni regcleaner.

Run regcleaner as admin, pick the 'do them all' option.

Reboot, run them again.

You may be surprised.

Make sure you are up to date on the os side. Run security essentials (defender) scan. It will likely report clean.

Then, reboot, rinse, repeat.

Again, you may be surprised.

At this point, I do not recommend any third-party antivir for win7+ users that are not tech savvy.

1&1~=Umm • December 16, 2019 1:50 AM

@Bong-Smoking Primitive Monkey-Brained Spook:

"WTF are you? 'W' = Where."

MIA? No, retired maybe, possibly off in 'pastures new'... But it would appear that others have popped up as 'the smallest spark of missions past'.

Bong-Smoking Primitive Monkey-Brained Spook • December 16, 2019 8:27 AM

@1&1~=Umm:

But it would appear that others have popped up

I noticed :)

Electron 007 • December 27, 2019 4:37 PM

@ Corporate Overlord • December 13, 2019 9:01 AM

I would consider calling this commercial surveillance instead of corporate. In my experience performing corporate surveillance, that is information operations targeting employees of a company.

Just a nit.

@ me • December 13, 2019 11:19 AM

@Corporate Overlord: would you happen to have a similar article about your kind of corporate surveillance? This topic sounds as interesting as the one this post is about.

Friday the 13th.

Targeting employees. There's either a competing firm or a labor union organizing a strike.

Whether it's "commercial" or "corporate", the EFF definitely promotes the "collective bargaining" side of the equation.

"We're all in this together."

True, to a certain extent, "we" all have to work as a team, get our job done, whatever it is that we do, and get paid for it. Well, there are getting to be some union bosses, and some really nasty blackball jobs out of that labor union with all the Marxist-Leninist rhetoric from the union bosses.

Some of us are getting fired. Some of us aren't being paid. Some of us are being ripped off, or having our money, homes, vehicles or other assets confiscated by cops in solidarity with the labor union, without the due process of law.

EFF is not on our side for this. At all.

A Detroit Mob boss was arrested.
https://www.cnbc.com/2019/09/12/uaw-leader-charged-with-embezzling-union-funds-amid-contract-talks-in-detroit.html
Several associates are implicated.
https://www.detroitnews.com/picture-gallery/news/local/detroit-city/2019/02/18/six-uaw-and-fiat-chrysler-officials-convicted-so-far-auto-scandal/2904726002/
Alexei Navalny's offices were raided by police in Moscow.
https://www.bbc.com/news/world-europe-50916198
Navalny himself has lawyered up and shut up.
https://www.rt.com/newsline/476859-russia-navalny-refutes-raid/
The Intercept, Glenn Greenwald, PSOL, Comando Vermelho ...

EFF is on *their* side, not ours. And they get the U.S. Navy involved in radical left-wing activism, gun control politics and military hostility against the United States. That's the problem I have with that organization.
