Did We Lose the Privacy War?

eihab writes "I've been a fanatic about my online privacy for the last few years. I've been using NoScript and blocking Google Analytics, disabling third-party cookies, encrypting IM and doing everything in my power to keep data-miners at bay. Recently, I've been feeling like I'm just doing too much and still losing! No matter what I do, I know that there's a weak link somewhere, be it my ISP, Flash cookies, etc. I've recently gotten AT&T U-Verse, who, according to their privacy statement, will be monitoring my TV watching habits for advertisement purposes. I'm extremely annoyed by that, yet I love the service so much and I don't think I can cancel it. I just can't take this anymore. I have nothing to hide, but I do not want to be profiled and become member #5534289 in a database somewhere that records everything I do. I know I'm not that interesting to anyone, but the idea of someone being able to pull up everything about me with a simple SQL SELECT statement and a couple of JOINS makes me cringe. One of the reasons I hate data mining is that data security is not understood and almost non-existent at a lot of places. Case in point: I changed my life insurance two years ago, and the medical firm that conducted my health screening was broken into and computers with non-encrypted hard drives and patients' data were stolen. That medical firm didn't really need my SSN, but then again neither did AT&T when I signed up for U-Verse. Am I just too paranoid? Is privacy dead? Should I just give up and accept the fact that privacy is not the norm anymore (like Facebook's founder recently said) or should I keep fighting the good fight for my privacy?"

Tracking your TV watching is good

[Yossarian45793]

I can understand concerns about privacy when it comes to web browsing, but I don't get the fear about TV watching being tracked. I can't count the number of good TV shows that have been canceled because of bad ratings. Before Tivo existed, every time one of the shows I liked was canceled I wished that the TV network was tracking MY viewing habits instead of the unwashed masses who appear to like reality TV. Ever since I've had Tivo I always record all the shows I like and I'm happy that Tivo is collecting that information. Sometimes I even record and play back reruns (with the TV off) to positively affect the data for the shows I like.

Privacy is more nuanced than that...

[yar]

Privacy is a nebulous concept, and it's possible that in some cases, we give up privacy, and in others, we don't. It's not necessarily a binary on/off thing that you either have or you don't. I don't believe that people who say that privacy is dead are correct; or if they are, it's a very narrow view of privacy. You still don't have people watching you in the shower, for example. (Hopefully...)

Check out Daniel Solove's work- here's a good start.
"I've got nothing to hide" and other misunderstandings of privacy
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565&rec=1&srcabs=667622

He's got some other interesting articles on the subject there, and some interesting books as well.

There are still things you can fight for to protect privacy, even if you are giving up some facets. You can fight against ubiquitous surveillance, and continue to do the things that you're doing to protect your privacy. You can help make threats to privacy transparent, for example, by supporting groups like EFF.

Re:Inherent privacy is dead.

[CodeBuster]

and you have to do it in the open.

So use a false or constructed identity. This can be done to varying levels of quality and sophistication depending upon how much time and money you are willing to put into it. Will this prevent a determined adversary from penetrating your disguise? No, but it will make it too expensive for most commercial entities to consider and unless they have reason to doubt your credentials then it is likely that they will never see past the deception. This is the sort of basic tradecraft that intelligence agencies have been using for decades (i.e. unofficial cover). Learn the skills and techniques of the intelligence agency if you really want to protect your privacy; the search for good educational resources is left as an exercise for the reader.

Re:Good privacy is really difficult

[icebraining]

Firefox uses Google Location Services. From their privacy policy:

If you allow a website to get your location via this service, we will collect, depending on the capabilities of your device, information about the wifi routers closest to you, cell ids of the cell towers closest to you, and the strength of your wifi or cell signal. We use this information to return an estimated location to the Firefox browser and the Firefox browser sends the estimated location to the requesting website. For each request sent to our service, we also collect IP address, user agent information, and unique identifier of your client. We use this information to distinguish requests, not to identify you.

Re:Good privacy is really difficult

[IndustrialComplex]

It offered me the option to use Firefox's location services. Curious, I let it, and despite being logged in via VPN, it accurately pulled up my location to within a few hundred feet. Still not exactly sure what it's doing to figure that out, but boy, that's scary...

I'm not sure why you are surprised. Now, I haven't worked in IP networking for a while, but I don't see how a VPN would have any effect on what you did.

Lets say the termination point for your VPN is a server at your house. IP A.B.C.D
You connect to the Hotel's wifi and get assigned IP W.X.Y.Z

You establish your VPN by whatever means you use. You are now using your home server as a proxy with the data between you and your server encrypted.

Now for standard advertisements which try to 'local' advertise to you (Find deals in YourCity/ZIPCODE), they would likely return results which are based on the location of IP A.B.C.D, your home server.

But when you connected to google maps, and it ASKED you for your location information, this is what I expect happened:

Google: Hey, what is your location information? (Sent to your home server ABCD, encrypted and relayed to you at IP WXYZ)
You: Sure here it is. (Your computer then filled in it's LOCAL, ie hotel, IP address and other information , encrypted at WXYZ, decrypted at ABCD, and sent to google)
Google: Based on the information you sent us, here is the public information regarding the location of that IP address, and we will stick it on a picture of a map for you.

Again, it's been a while since I dealt with VPNs, but there doesn't seem to be anything surprising going on here.

Re:You surrendered.

[CorporateSuit]

They can use it to check your credit history and decide whether you have to put down a deposit or not. They can also use it to tamper with your credit history, if you stop making payments that you owe them, or if they are simply evil.

Re:You surrendered.

[b4dc0d3r]

This is misunderstood a lot. Companies are not allowed to require your SSN for service. They often ask for it, just to be able to track you down if you fail to pay. (alert: USA-centric info follows). The loophole is, most companies are not required to offer service to everyone. So they can refuse to provide service to you without explanation (usually "incomplete application" or something similar), while technically following the law. That's why there's usually no state (or fed) regulation which allows this behaviour specifically.

Semi-related: I recently applied for a membership at Hollywood Video, when I lived 100 feet away from the store. They wouldn't give me a membership without a phone number, because they couldn't call me and tell me my movies were late. I told them it would be more convenient for me to rent there than somewhere else, but if they felt that driving 100 feet to get their movies back was a hardship, I'd take my business somewhere else. It's not required to have a phone number, but since my application was not complete I was denied.

The only workaround is as you said, contact someone and complain. More people need to do this. There are several companies which ask for my SSN and I level-set, look them directly in the eye, and say "You are not an agent of the Social Security administration, therefore you are not allowed to ask for that." They pause for a bit, say "uhhh, ok, I'll just leave that blank," and continue. By stating it that way, there is no question that I know my rights under the law, and they usually aren't prepared to fight it because they don't know the relevant law, being the front-line grunts just following orders. It amuses me.

Of course, recent IRS and anti-terrorism laws have changed this slightly, but it's still a small portion of companies.

http://www.privacyrights.org/fs/fs10a-SSNFAQ.htm [privacyrights.org]
http://www.privacyrights.org/fs/fs31-CIP.htm [privacyrights.org]

Partial list of who might legitimately be required to retain SSN:
        * Commercial banks.
        * Agencies and branches of foreign banks in the United States.
        * Thrifts (savings and loan institutions).
        * Credit unions.
        * Private banks.
        * Trust companies.
        * Investment companies.
        * Brokers and dealers in securities.
        * Futures commission merchants.
        * Insurance companies.
        * Travel agents.
        * Pawnbrokers.
        * Dealers in precious metals.
        * Check cashers.
        * Casinos.
        * Telegraph companies.

As always, know your rights. In my opinion, casinos require SSNs for tax enforcement under the guise of covering money laundering. Telegraph companies? Maybe "money by wire" makes sense for tracking financial terrorist support, but if I'm sending a telegraph, they are allowed to ask for my SSN for no apparent reason.

Re:Don't borrow money

[dwye]

> So I think that much of the targeted information is coming via credit-reporting agencies.

Obviously, you also do not respond to charities received in the mail. My family used to do this, occasionally, and my parents are still inundated, even though they stopped responding after my father retired, over a decade ago.

Re:Don't borrow money

[SleazyRidr]

Oh, charities...

When I was a kid I donated $2 to a charity for guide dogs. My parents still receive a letter every year asking if I want to give more money this year. So much for those two bucks, they must've spent several times that by now just writing to me...