Don't Play in Google's Privacy Sandbox
Last week, Google announced a plan to “build a more private web.” The announcement post was, frankly, a mess. The company that tracks user behavior on over ⅔ of the web said that “Privacy is paramount to us, in everything we do.”
Google not only doubled down on its commitment to targeted advertising, but also made the laughable claim that blocking third-party cookies -- by far the most common tracking technology on the Web, and Google’s tracking method of choice -- will hurt user privacy. By taking away the tools that make tracking easy, it contended, developers like Apple and Mozilla will force trackers to resort to “opaque techniques” like fingerprinting. Of course, lost in that argument is the fact that the makers of Safari and Firefox have shown serious commitments to shutting down fingerprinting, and both browsers have made real progress in that direction. Furthermore, a key part of the Privacy Sandbox proposals is Chrome’s own (belated) plan to stop fingerprinting.
But hidden behind the false equivalencies and privacy gaslighting are a set of real technical proposals. Some are genuinely good ideas. Others could be unmitigated privacy disasters. This post will look at the specific proposals under Google’s new “Privacy Sandbox” umbrella and talk about what they would mean for the future of the web.
The good: fewer CAPTCHAs, fighting fingerprints
Let’s start with the proposals that might actually help users.
First up is the “Trust API.” This proposal is based on Privacy Pass, a privacy-preserving and frustration-reducing alternative to CAPTCHAs. Instead of having to fill out CAPTCHAs all over the web, with the Trust API, users will be able to fill out a CAPTCHA once and then use “trust tokens” to prove that they are human in the future. The tokens are anonymous and not linkable to one another, so they won’t help Google (or anyone else) track users. Since Google is the single largest CAPTCHA provider in the world, its adoption of the Trust API could be a big win for users with disabilities, users of Tor, and anyone else who hates clicking on grainy pictures of storefronts.
Google’s proposed “privacy budget” for fingerprinting is also exciting. Browser fingerprinting is the practice of gathering enough information about a specific browser instance to try to uniquely identify a user. Usually, this is accomplished by combining easily accessible information like the user agent string with data from powerful APIs like the HTML canvas. Since fingerprinting extracts identifying data from otherwise-useful APIs, it can be hard to stop without hamstringing legitimate web apps. As a workaround, Google proposes limiting the amount of data that websites can access through potentially sensitive APIs. Each website will have a “budget,” and if it goes over budget, the browser will cut off its access. Most websites won’t have any use for things like the HTML canvas, so they should be unaffected. Sites that need access to powerful APIs, like video chat services and online games, will be able to ask the user for permission to go “over budget.” The devil will be in the details, but the privacy budget is a promising framework for combating browser fingerprinting.
Unfortunately, that’s where the good stuff ends. The rest of Google’s proposals range from mediocre to downright dangerous.
The bad: Conversion measurement
Perhaps the most fleshed-out proposal in the Sandbox is the conversion measurement API. This is trying to tackle a problem as old as online ads: how can you know whether the people clicking on an ad ultimately buy the product it advertised? Currently, third-party cookies do most of the heavy lifting. A third-party advertiser serves an ad on behalf of a marketer and sets a cookie. On its own site, the marketer includes a snippet of code which causes the user’s browser to send the cookie set earlier back to the advertiser. The advertiser knows when the user sees an ad, and it knows when the same user later visits the marketer’s site and makes a purchase. In this way, advertisers can attribute ad impressions to page views and purchases that occur days or weeks later.
Without third-party cookies, that attribution gets a little more complicated. Even if an advertiser can observe traffic around the web, without a way to link ad impressions to page views, it won’t know how effective its campaigns are. After Apple started cracking down on advertisers’ use of cookies with Intelligent Tracking Prevention (ITP), it also proposed a privacy-preserving ad attribution solution. Now, Google is proposing something similar. Basically, advertisers will be able to mark up their ads with metadata, including a destination URL, a reporting URL, and a field for extra “impression data” -- likely a unique ID. Whenever a user sees an ad, the browser will store its metadata in a global ad table. Then, if the user visits the destination URL in the future, the browser will fire off a request to the reporting URL to report that the ad was “converted.”
In theory, this might not be so bad. The API should allow an advertiser to learn that someone saw its ad and then eventually landed on the page it was advertising; this can give raw numbers about the campaign’s effectiveness without individually-identifying information.
The problem is the impression data. Apple’s proposal allows marketers to store just 6 bits of information in a “campaign ID,” that is, a number between 1 and 64. This is enough to differentiate between ads for different products, or between campaigns using different media.
On the other hand, Google’s ID field can contain 64 bits of information -- a number between 1 and 18 quintillion. This will allow advertisers to attach a unique ID to each and every ad impression they serve, and, potentially, to connect ad conversions with individual users. If a user interacts with multiple ads from the same advertiser around the web, these IDs can help the advertiser build a profile of the user’s browsing habits.
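The difference between the two field widths can be seen in a small model of the ad table and conversion report described above. This is an added example, not code from Google's or Apple's proposals: the class names, the `example` URLs and the traffic pattern are all constructed for illustration, and the advertiser is assumed to number its impressions sequentially in both cases.

```python
from collections import defaultdict

REPORT_URL = "https://adtech.example/report"   # hypothetical reporting URL
SHOP_URL = "https://shop.example/checkout"     # hypothetical destination URL


class Browser:
    """Browser-side ad table: stores ad metadata, reports on conversion."""

    def __init__(self):
        self.ad_table = []  # rows of (destination, reporting_url, impression_data)

    def see_ad(self, destination, reporting_url, impression_data):
        self.ad_table.append((destination, reporting_url, impression_data))

    def visit(self, url):
        """Return the conversion reports fired by visiting `url`."""
        fired = [(rep, data) for dest, rep, data in self.ad_table if dest == url]
        self.ad_table = [row for row in self.ad_table if row[0] != url]
        return fired


class Advertiser:
    """Serves ads and logs what it wrote into each impression_data field."""

    def __init__(self, id_bits):
        self.id_space = 1 << id_bits       # 64 values for 6 bits, 2**64 for 64
        self.served = 0
        self.log = defaultdict(list)       # impression_data -> publisher pages

    def serve(self, browser, publisher_page):
        # Same strategy for any width: number every impression, wrapping
        # around when the field is too narrow to hold the counter.
        data = self.served % self.id_space
        self.served += 1
        self.log[data].append(publisher_page)
        browser.see_ad(SHOP_URL, REPORT_URL, data)

    def anonymity_set(self, impression_data):
        """How many logged impressions could have produced this report."""
        return len(self.log[impression_data])


def simulate(id_bits, n_browsers=6400):
    """Return the anonymity-set size behind each conversion report."""
    adv = Advertiser(id_bits)
    browsers = [Browser() for _ in range(n_browsers)]
    for i, b in enumerate(browsers):
        # Constructed traffic: each browser sees one ad on some publisher page.
        adv.serve(b, f"https://news.example/article/{i % 40}")
    sizes = []
    for i, b in enumerate(browsers):
        if i % 10 == 0:                    # every tenth browser converts
            for _rep, data in b.visit(SHOP_URL):
                sizes.append(adv.anonymity_set(data))
    return sizes


if __name__ == "__main__":
    for bits in (6, 64):
        sizes = simulate(bits)
        print(f"{bits}-bit field: {len(sizes)} reports, "
              f"smallest anonymity set = {min(sizes)}")
```

With the 6-bit field every report is consistent with 100 different impressions in this model; with the 64-bit field every report points back to exactly one logged impression and the page it was shown on.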
The ugly: FLoC
Even worse is Google’s proposal for Federated Learning of Cohorts (or “FLoC”). Behind the scenes, FLoC is based on Google’s pretty neat federated learning technology. Basically, federated learning allows users to build their own, local machine learning models by sharing little bits of information at a time. This allows users to reap the benefits of machine learning without sharing all of their data at once. Federated learning systems can be configured to use secure multi-party computation and differential privacy in order to keep raw data verifiably private.
The problem with FLoC isn’t the process, it’s the product. FLoC would use Chrome users’ browsing history to do clustering. At a high level, it will study browsing patterns and generate groups of similar users, then assign each user to a group (called a “flock”). At the end of the process, each browser will receive a “flock name” which identifies it as a certain kind of web user. In Google’s proposal, users would then share their flock name, as an HTTP header, with everyone they interact with on the web.
This is, in a word, bad for privacy. A flock name would essentially be a behavioral credit score: a tattoo on your digital forehead that gives a succinct summary of who you are, what you like, where you go, what you buy, and with whom you associate. The flock names will likely be inscrutable to users, but could reveal incredibly sensitive information to third parties. Trackers will be able to use that information however they want, including to augment their own behind-the-scenes profiles of users.
Google says that the browser can choose to leave “sensitive” data from browsing history out of the learning process. But, as the company itself acknowledges, different data is sensitive to different people; a one-size-fits-all approach to privacy will leave many users at risk. Additionally, many sites currently choose to respect their users’ privacy by refraining from working with third-party trackers. FLoC would rob these websites of such a choice.
Furthermore, flock names will be more meaningful to those who are already capable of observing activity around the web. Companies with access to large tracking networks will be able to draw their own conclusions about the ways that users from a certain flock tend to behave. Discriminatory advertisers will be able to identify and filter out flocks which represent vulnerable populations. Predatory lenders will learn which flocks are most prone to financial hardship.
FLoC is the opposite of privacy-preserving technology. Today, trackers follow you around the web, skulking in the digital shadows in order to guess at what kind of person you might be. In Google’s future, they will sit back, relax, and let your browser do the work for them.
The “ugh”: PIGIN
That brings us to PIGIN. While FLoC promises to match each user with a single, opaque group identifier, PIGIN would have each browser track a set of “interest groups” that it believes its user belongs to. Then, whenever the browser makes a request to an advertiser, it can send along a list of the user’s “interests” to enable better targeting.
Google’s proposal devotes a lot of space to discussing the privacy risks of PIGIN. However, the protections it discusses fall woefully short. The authors propose using cryptography to ensure that there are at least 1,000 people in an interest group before disclosing a user’s membership in it, as well as limiting the maximum number of interests disclosed at a time to 5. This limitation doesn’t hold up to much scrutiny: membership in 5 distinct groups, each of which contains just a few thousand people, will be more than enough to uniquely identify a huge portion of users on the web. Furthermore, malicious actors will be able to game the system in a number of ways, including to learn about users’ membership in sensitive categories. While the proposal gives a passing mention to using differential privacy, it doesn’t begin to describe how, specifically, that might alleviate the myriad privacy risks PIGIN raises.
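The intersection argument above can be checked with a short simulation. This is an added example, not part of the PIGIN proposal: the population size, the number of groups and the uniform, independent assignment of interests are assumptions chosen so that every group holds a few thousand members, comfortably above the 1,000-member threshold.

```python
import random
from collections import Counter

MIN_GROUP_SIZE = 1000   # disclosure threshold mentioned in the proposal
MAX_DISCLOSED = 5       # maximum number of interests disclosed at a time


def simulate(n_users=100_000, n_groups=100, disclosed=MAX_DISCLOSED, seed=1):
    """Give each user `disclosed` interest groups and measure uniqueness.

    Assumption: groups are drawn uniformly and independently. Real interests
    are correlated, so the exact figures differ; the point is how large the
    space of 5-group combinations is compared with the population.
    """
    rng = random.Random(seed)
    group_size = Counter()   # members per interest group
    combos = Counter()       # users per disclosed combination of groups
    for _ in range(n_users):
        groups = frozenset(rng.sample(range(n_groups), disclosed))
        combos[groups] += 1
        group_size.update(groups)
    unique_users = sum(1 for count in combos.values() if count == 1)
    return {
        "min_group_size": min(group_size.values()),
        "all_groups_pass_threshold": min(group_size.values()) >= MIN_GROUP_SIZE,
        "unique_fraction": unique_users / n_users,
        "largest_anonymity_set": max(combos.values()),
    }


if __name__ == "__main__":
    result = simulate()
    print(f"smallest group: {result['min_group_size']} members")
    print(f"users with a unique 5-group combination: "
          f"{result['unique_fraction']:.1%}")
    print(f"largest set of users sharing one combination: "
          f"{result['largest_anonymity_set']}")
```

Every individual group passes the size threshold, yet nearly every user's combination of five groups is shared with no one else, because 100 groups already allow about 75 million distinct five-group combinations.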
Google touts PIGIN as a win for transparency and user control. This may be true to a limited extent. It would be nice to know what information advertisers use to target particular ads, and it would be useful to be able to opt-out of specific “interest groups” one by one. But like FLoC, PIGIN does nothing to address the bad ways that online tracking currently works. Instead, it would provide trackers with a massive new stream of information they could use to build or augment their own user profiles. The ability to remove specific interests from your browser might be nice, but it won’t do anything to prevent every company that’s already collected it from storing, sharing, or selling that data. Furthermore, these features of PIGIN would likely become another “option” that most users don’t touch. Defaults matter. While Apple and Mozilla work to make their browsers private out of the box, Google continues to invent new privacy-invasive practices for users to opt-out of.
It’s never about privacy
If the Privacy Sandbox won’t actually help users, why is Google proposing all these changes?
Google can probably see which way the wind is blowing. Safari’s Intelligent Tracking Prevention and Firefox’s Enhanced Tracking Protection have severely curtailed third-party trackers’ access to data. Meanwhile, users and lawmakers continue to demand stronger privacy protections from Big Tech. While Chrome still dominates the browser market, Google might suspect that the days of unlimited access to third-party cookies are numbered.
As a result, Google has apparently decided to defend its business model on two fronts. First, it’s continuing to argue that third-party cookies are actually fine, and companies like Apple and Mozilla who would restrict trackers’ access to user data will end up harming user privacy. This argument is absurd. But unfortunately, as long as Chrome remains the most popular browser in the world, Google will be able to single-handedly dictate whether cookies remain a viable option for tracking most users.
At the same time, Google seems to be hedging its bets. The “Privacy Sandbox” proposals for conversion measurement, FLoC, and PIGIN are each aimed at replacing one of the existing ways that third-party cookies are used for targeted ads. Google is brainstorming ways to continue serving targeted ads in a post-third-party-cookie world. If cookies go the way of the pop-up ad, Google’s targeting business will continue as usual.
The Sandbox isn’t about your privacy. It’s about Google’s bottom line. At the end of the day, Google is an advertising company that happens to make a browser.
Five Concerns about Amazon Ring’s Deals with Police
More than 400 police departments across the country have partnered with Ring, tech giant Amazon’s “smart” doorbell program, to create a troubling new video surveillance system. Ring films and records any interaction or movement happening at the user’s front door, and alerts users’ phones. These partnerships expand the web of government surveillance of public places, degrade the public’s trust in civic institutions, purposely breed paranoia, and deny citizens the transparency necessary to ensure accountability and create regulations.
You can read more about EFF’s thoughts on how this technology threatens privacy, encourages racial profiling, and stifles freedom here.
Amazon is aggressively pursuing these worrisome partnerships with police throughout the country. Yet it should be communities themselves, and not spy tech vendors, who ultimately decide whether their police may use new systems of surveillance of public places.
Reporting in CNET reveals that Amazon persistently reached out to the Chula Vista, California, police department and engaged in a multi-month campaign to convince the city of more than 270,000 to implement the partnership.
In an email to the Chula Vista Police Department, a Ring outreach coordinator played on fears of rising property crime in the town as a way to pitch the potential partnership. They wrote, “I recently came across this news clip of an uptick in home break-ins in Chula Vista… As an extension of Ring’s Neighborhoods initiative, I’m reaching out to share an offer to all public safety agencies that actively participate in either crime prevention or community policing.” When the police department did not respond, the Ring representative followed up to offer discounts and even a donation of a free video doorbell.
What emerges is a partnership that allows police access to a widespread surveillance network, and coaching from Amazon on how to gain access to that footage and how to talk to the public. In return, Amazon gets a big boost in its efforts to sell millions of cameras.
Here are five specific concerns about Ring’s spreading partnership with law enforcement:
1. City money is subsidizing the cost of Amazon products
Reporters have shown that municipalities are paying Amazon up to $100,000 to reduce costs of Ring cameras by $50 or $100 for city residents. In addition, cities are promoting Ring at city events, which helps Amazon sell more cameras and ultimately make more profit.
The Monitoring Association, an international trade organization for surveillance equipment, is concerned about Ring’s police partnerships. The organization's President, Ivan Spector, told CNET, “We are troubled by recent reports of agreements that are said to drive product-specific promotion, without alerting consumers about these marketing relationships... This lack of transparency goes against our standards as an industry, diminishes public trust, and takes advantage of these public servants.”
2. There is insufficient transparency about the partnerships
There’s a reason why Amazon was able to build up hundreds of police partnerships before journalists and civil liberties advocates were able to identify the widespread implications of such relationships. Reporting reveals that statements put out by local governments were written by, or approved by, Ring. This means that a large multi-national corporation whose objective is to maximize profits dictates what your local police department can and cannot say about the efficacy or necessity of Ring.
For example, Ring dictated almost the entirety of a press release from the Bloomfield, New Jersey, police department—and then, the company still required the town to make several corrections to unsanctioned additions.
It took reporting from multiple news outlets for the public to learn about the extent of these partnerships, which have rapidly spread without sufficient community input and local government control. The decision whether to plug the police department into thousands of new surveillance cameras should be made through an open, democratic process, and not just by corporate sales staff and police executives.
3. Police sell Ring products
The Ring-police partnerships turn what should be our most trusted civil servants into salespeople. As part of the partnerships, both via town-wide discounts and as part of Ring’s approved police talking points, local law enforcement are expected to promote the adoption of Ring and its accompanying app, Neighbors.
This raises the very serious question: do police think you need a camera on your front door because your property is in danger, or are they encouraged by Amazon to try to make a sale?
This arrangement will deepen the public’s distrust of police officers, and threatens to make citizens wary of any public safety advice coming from police. How would people know if safety tips are motivated by an attempt to sow fear, and by extension, sell cameras and build an accessible surveillance network?
4. Amazon’s communication experts coach police on how to get your footage
Ring seems to have anticipated public concerns about a large network of cameras, promoted by police, whose footage is stored by a large corporation.
Ring provides police departments with incredibly detailed talking points and response guides for questions the public may have about Ring, their privacy, and the nature of the police-Ring partnerships. Some of the questions Ring anticipated are, “What is the partnership benefit?”, “Is law enforcement able to access user data or camera through Neighbors?”, and “Why is law enforcements participation on the app useful?”
Perhaps most troubling, Amazon coaches police on how to best talk residents into handing over their footage so police don’t have to get a warrant. One method cited is increasing a department’s participation on social media and its community outreach. These are things that have supposedly helped police in other cities raise their “opt in rate.”
5. Police have your Ring camera on their map
Police and Amazon know where Ring cameras are in a town through the “Neighbors portal” map interface. This facilitates police requests for footage from a particular camera. Amazon has also reportedly created maps based on addresses given during purchase at events where Amazon sold Ring at a discount. As part of the agreement for discount events in one community, Amazon promised to “provide the City with an address report for the products purchased in order to help the Arcadia Police Department track the location of Ring Video Doorbells and other Ring security camera equipment, and assess the level of community interest.”
Next Steps
As more reporting continues to come out about the privacy hazards of Ring and its police partnerships, more communities will likely step up to demand community control over whether police so dramatically expand their access to video transparency. In the meantime, it's important for residents to think twice about any technologies that facilitate the proliferation of police surveillance on the streets where we protest, canvass for political candidates, and move freely every day.
In Secretive Court Hearing, NYPD Cops Who Raped Brooklyn Teen in Custody Get No Jail Time
Two NYPD cops coerced Anna Chambers into sex in exchange for her freedom. A judge just gave them no jail time.
The post In Secretive Court Hearing, NYPD Cops Who Raped Brooklyn Teen in Custody Get No Jail Time appeared first on The Intercept.
The giant investment firm BlackRock has contributed to the climate crisis by investing in a Brazilian meatpacker, JBS, linked to Amazon deforestation.
The post Larry Fink, Joe Biden’s Wall Street Ally, is Deeply Invested in Amazon Cattle Ranching, a Force Behind Deforestation appeared first on The Intercept.
#Compasses to point true #north for first time in 360 years | #Science | The Guardian
Courtesy, Professionalism, Respect
The officer that killed Eric Garner was fired, and the cops are acting as reasonable as you’d think.
Ever wanted to ditch #bigtech but had no idea how? Get your #free Librem One account for social, chat and voice or a premium account with mail and #VPN and get end-to-end #encryption, no tracking, no ads and no data sharing https://librem.one #purism #libremone #noads
Great Barrier Reef outlook now 'very poor', Australian government review says
https://www.theguardian.com/environment/2019/aug/30/great-barrier-reef-outlook-now-very-poor-australian-government-review-says?CMP=Share_AndroidApp_Librem_Social #climatechange #climatecrisis #extinction
#Amazon #fires show world heading for point of no return, says #UN | World news | The Guardian
https://www.theguardian.com/world/2019/aug/30/amazon-fires-biodiversity-united-nations
#Nature #Deforestation #ClimateChange #GlobalWarming #Biodiversity #Brazil #SouthAmerica
There’s No Gay Gene. In Fact, There’s No Anything Gene.
The nation’s press is trying to atone today for the sins of its past: A few years ago a research team conducted a small study that located a few epigenetic markers that seemed to be associated with being gay. Not a single working geneticist—and I say this advisedly—not a single one suggested this was the […]
From Victories to Union Militancy, 5 Reasons for Workers to Celebrate This Labor Day
Labor Day often gets short shrift as a worker’s holiday. Marked primarily by sales on patio furniture and mattresses, the day also has a more muddled history than May Day, which stands for internationalism and solidarity among the working class. Labor Day, by contrast, was declared a federal holiday in 1894 by President Grover Cleveland, fresh off his administration’s violent suppression of the Pullman railroad strike.
Andrew Romanoff said the Democratic Senatorial Campaign Committee pressured a number of firms not to work with his Senate campaign.
The post Senate Democrats’ Campaign Arm Is Pressuring Consultants Not to Work With Leading Progressive Candidate in Colorado appeared first on The Intercept.
Trump Administration’s Court-Packing Scheme Fills Immigration Appeals Board With Hardliners
In his first six years as an immigration judge in New York and Atlanta, from 1993 to 1999, William Cassidy rejected more asylum-seekers than any judge in the nation. A few years ago, Earle Wilson overtook Cassidy as the harshest asylum judge on the Atlanta court, which has long been considered one of the toughest immigration […]
Tropical Storm Dorian skirted Puerto Rico’s western corner yesterday, before heading north towards Florida, where it is expected to develop into a Category 3 hurricane. While the storm spared Puerto Rico of much damage, it raised attention to how the island is still in recovery mode—and ill-equipped for another natural disaster. Hurricane Irma struck Puerto […]
For years, Reddit had hesitated to take action against one of its most prominent toxic communities: r/The_Donald, which in addition to being the site’s fan club for supporters of President Trump, has become a noxious hotbed of hate speech and bigotry. That finally changed on June 26 when Reddit “quarantined” r/The_Donald message board, making it […]
Food-waste study reveals trends behind discarded items
Americans throw out a lot more food than they expect they will, food waste that is likely driven in part by ambiguous date labels on packages, a new study has found.
How Ohio’s Chamber of Commerce Killed an Anti-Pollution Bill of Rights
Emails reveal that the Ohio Chamber of Commerce enlisted a key Republican lawmaker in a successful effort to nullify the Lake Erie Bill of Rights.
The post How Ohio’s Chamber of Commerce Killed an Anti-Pollution Bill of Rights appeared first on The Intercept.
From Philadelphia to Oregon, the Insurgency Is Making Waves in Municipal Elections
So far this year, Working Families Party-backed candidates were elected into more than 50 offices at the local and municipal levels in nine states.
The post From Philadelphia to Oregon, the Insurgency Is Making Waves in Municipal Elections appeared first on The Intercept.
#ShlaerMellor, #FunctionPointAnalysis, #punk, #environmentalist, #unionAdvocate, #anarchosocialist
"with a big old lie and a flag and a pie and a mom and a bible most folks are just liable to buy any line, any place, any time" - Frank Zappa