ITIC:Privacy on the web - Exercises

From Juneday education

What service has the following as part of their terms and conditions?

Use a search engine to figure out (examples of) which services have the following quotes as part of their terms of service (some quotes are used by more than one service):

If you use our services to make and receive calls or send and receive messages, we may collect telephony log information such as your phone number, calling-party number, receiving-party number, forwarding numbers, time and date of calls and messages, duration of calls, routing information and types of calls.

Suggested solution: for instance, Google

You grant XXX a non-exclusive, transferable, sub-licensable, royalty-free, perpetual, irrevocable, fully paid, worldwide license to use, reproduce, make available to the public (e.g. perform or display), publish, translate, modify, create derivative works from, and distribute any of your User Content in connection with the Service through any medium, whether alone or in combination with other Content or materials, in any manner and by any means, method or technology, whether now known or hereafter created. Aside from the rights specifically granted herein, you retain ownership of all rights, including intellectual property rights, in the User Content. Where applicable and permitted under applicable law, you also agree to waive and not enforce any “moral rights” or equivalent rights, such as your right to be identified as the author of any User Content, including Feedback, and your right to object to derogatory treatment of such User Content.

Suggested solution: for instance, Spotify

You give us permission to use your name and profile picture and information about actions you have taken on XXX next to or in connection with ads, offers, and other sponsored content that we display across our Products, without any compensation to you.

Suggested solution: for instance, Facebook

You also agree that you will not use these products for any purposes prohibited by United States law, including, without limitation, the development, design, manufacture, or production of nuclear, missile, or chemical or biological weapons.

Suggested solution: for instance, iTunes

Acceptable Use; Safety-Critical Systems. Your use of the Lumberyard Materials must comply with the XXX Acceptable Use Policy. The Lumberyard Materials are not intended for use with life-critical or safety-critical systems, such as use in operation of medical equipment, automated transportation systems, autonomous vehicles, aircraft or air traffic control, nuclear facilities, manned spacecraft, or military use in connection with live combat. However, this restriction will not apply in the event of the occurrence (certified by the United States Centers for Disease Control or successor body) of a widespread viral infection transmitted via bites or contact with bodily fluids that causes human corpses to reanimate and seek to consume living human flesh, blood, brain or nerve tissue and is likely to result in the fall of organized civilization. (emphasis added by Juneday authors)

Suggested solution: for instance, AWS (Amazon Web Services)

Does Facebook know your network, even if you don't have a Facebook account?

Read the following two articles:

Do you think the information in the articles is true? Why/why not?

Do you use any apps owned by Facebook? Here's a list of apps/services owned by Facebook (May 2019). Do you know if those apps upload your phone's contact list to Facebook (directly or indirectly)? How could you find out?

Here's an excellent article on the subject, if you want to learn more: Investigating sources of PII used in Facebook’s targeted advertising (Giridhari Venkatadri, Elena Lucherini, Piotr Sapiezynski, and Alan Mislove, Proceedings on Privacy Enhancing Technologies 2019).

How unique is your browser?

Even if you don't have accounts on social media (or make sure you are not logged in), companies and others can still track your online activities, such as what pages you visit. This is possible because you may not be as anonymous as you think: your browser might actually have a unique "fingerprint". Companies may, using e.g. advertisement systems, build a profile of your online activities by noticing that your browser has distinct features. That profile might in turn get linked to your person when you state your personal information (making an order, creating an account etc).

One simple (and common) technology for tracking (following) people online is to use a cookie. Use a search engine to find out what a cookie is and how it works.

You can turn cookies off (completely or by blocking at least third-party cookies). But since your browser might be unique, there are other ways to track your online activities. Investigate the terms "super cookie", "zombie cookie" and "HTML5 Cookie".

Did you know about these things? What did you think? Discuss with a classmate or friend. How can you protect yourself against various kinds of cookies (if you are worried that they are used to track or even profile you)?

As mentioned above, your browser might also be uniquely identifiable. That allows a site to recognize, if not who you are, at least that you are returning to a site you've visited before, and also to see cross-site visiting patterns (if your fingerprint is shared among the services tracking you). Next, we'll investigate just how unique various browsers are.

Install some additional browsers

It's always good to have a few different browsers available. If not for security or privacy reasons, then to try out different browsers, because you might find one that better suits your needs. We would therefore like you to install a few new browsers on your system (and phone if you feel like it). You can always remove the browsers you don't like afterwards.

Here's a list of (more or less) popular browsers. Install a few or all of them for the next part of this exercise. Use a search engine to find out how to install them.

  • Mozilla Firefox
  • Google Chrome
  • Chromium
  • Opera
  • Iridium
  • Tor Browser
  • Brave Browser
  • Midori
  • Dillo
  • w3m
  • Lynx

What is the most popular/most used browser?

If you want, you can check out this Wikipedia article on browser usage share. Make sure you also read the sections on accuracy to be aware of possible errors in the statistics. It's good to know that the User-Agent header (a text part of your requests to a web server) can be spoofed.

Check uniqueness of your browsers

Use a search engine to find some online tools for fingerprinting your browser. Suggested keywords for the search:

  • browser fingerprinting
  • browser sniffing
  • browser fingerprinting test

Run the test and make a note of what browser you were using and what the test result reported. Compare your standard browser with the newly installed ones. Which one was better? Run the test on your mobile phone browser(s). What was the result there?

If you are aware of the vulnerabilities and careful about your privacy, you might consider changing browser (or alternate between a few to create noise in the tracking systems). There are also plugins that help protect you against fingerprinting and other tracking schemes. Here's a list of useful sites for the careful (paranoid?):

Please also note that there are more ways to fingerprint users than just looking at the browser (even if browsers are a great help in this kind of fingerprinting). Some ISPs even insert headers identifying a device (or range of devices) so that every request you make online contains this inserted information. And, of course, your IP address is another way of tracking you (but you can use a VPN or Tor or both to help mitigate this kind of tracking). The point of this exercise, however, is not to make you paranoid or worried. We think that knowing about the risks online and how to protect against most of them is something every modern person should know.

Miscellaneous questions on privacy and security

Sites that give access to private information

p.st

Visit p.st and read the information there.

  • Is this site for real?
    • Why do you think it is or isn't for real?
    • If it is not for real, what do you think the purpose of this site is/was?
    • If it is for real, what do you think the purpose of this site is/was?
  • Who is behind it (use some network tools to figure it out)?
    • Try to figure out what the organization behind the site has done or said about privacy online.

ratsit.se

Visit www.ratsit.se and search for yourself or someone else.

  • Were you successful in finding the person?
    • If you found more than one person with the same name, what extra information did you have to give to find the person you were looking for?
    • If you had to provide extra information, like postal code etc, did you know that or could you find that information out somehow?
  • Think about ethical problems with this service (if any)
  • Think about advantages or upsides of this service (if any)
  • Look up at least ten newspaper articles about ratsit and try to see if most are positive or negative about the service
  • What person or organization is behind ratsit.se?

Whistleblowers, activists and advocates

Use a search engine to find out some basic facts about the following persons, and write down who they are/were, and what they are famous (or infamous, depending on who you ask) for having done in relation to privacy/surveillance, human rights, the internet, intellectual property laws (e.g. copyright and software patents) and information:

  • Rebecca MacKinnon
  • Caspar Bowden
  • Edward Snowden
  • Mona Seif
  • Chelsea Manning
  • Aaron Swartz
  • Lawrence Lessig
  • Heather Marsh
  • Jonas Bosson
  • Eva Galperin
  • Richard Stallman
  • Lina Ben Mhenni
  • Julian Assange
  • Suw Charman-Anderson
  • Cory Doctorow
  • Yasodara Córdova
  • Erik Josefsson
  • Malkia Cyril
  • Jacob Appelbaum
  • John Gilmore
  • John Perry Barlow

Note that, of course, you don't have to agree with anything the above mentioned persons have done or said, the purpose is only to give you a sample of people with (often strong) opinions on privacy, surveillance, freedom of information, intellectual property laws (in relation to software and the Internet) etc.

Digital rights, freedom of information, digital freedom, free software, free culture etc - advocacy

Visit and get a basic idea of what the following organizations do and what issues they are addressing:

Swedish personal identity numbers (Swe: Personnummer)

Find out whether the personal identity numbers (PIN) in Sweden are secret, or obtainable for anyone. That is, can you figure out the PIN (Swe: personnummer) of e.g. your teacher?

Tasks:

  • Find out your teacher's PIN (but don't publish it or spread it - see below for restrictions by law)

PINs are used to uniquely identify persons in Sweden. A typical use is as the primary key in various databases. When combining tables in a database, or even tables in different database systems, it is vital to have a unique identifier in order to be certain that the correct rows of data are being combined. If an authority needs to combine various tables to get more information about a person, it is of course vital that the data refers to the exact same person in each table, so that the combined information is correct. Even so, it is very common that banks and other services use different formats for what they call a PIN ("personnummer"). Even the number of digits differs at times, as do other parts of the format, such as the delimiter between the various parts.

Find out the correct format of the PINs in Sweden. How many digits and other signs should a correct PIN have? What does each part of a PIN in Sweden stand for?

Tasks:

  • Find out the correct format for Swedish PINs
  • How many digits and other characters should a correct Swedish PIN have?
  • What does each part or number or other character in the PIN stand for?

The last digit is a control digit. How do you calculate the control digit from the rest of the digits in the PIN? Use your own PIN to verify that you can calculate the last digit. The algorithm for calculating the control digit is called Luhn (luhn10) or the modulo 10 algorithm (Swe: modulus-10-algoritmen).

Tasks:

  • Make up a fake PIN and verify that the control digit is (most likely, with 90% probability) wrong.
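The control-digit calculation and the fake-PIN task above, as an added Python example (not part of the original Juneday page). It implements the Luhn/modulo 10 check over the nine digits YYMMDDNNN, accepts the 10- and 12-digit formats mentioned above, and shows why a made-up last digit is wrong nine times out of ten. The personnummer values in it are constructed for illustration and do not belong to a real person; the check says nothing about whether the date part is a real date.

```python
import re

# Constructed sample numbers for illustration only (not real people's numbers).
SAMPLE_VALID = "811218-9876"
SAMPLE_PREFIX = "811218-987"   # nine digits: YYMMDD plus a three-digit serial


def luhn_control_digit(nine_digits: str) -> int:
    """Modulo 10 (Luhn) control digit for the nine digits YYMMDDNNN.

    Digits are multiplied alternately by 2 and 1, starting with 2; the digits
    of every product are summed; the control digit is whatever brings the sum
    up to the next multiple of ten.
    """
    if not re.fullmatch(r"\d{9}", nine_digits):
        raise ValueError("expected exactly nine digits (YYMMDDNNN)")
    total = 0
    for i, ch in enumerate(nine_digits):
        product = int(ch) * (2 if i % 2 == 0 else 1)
        total += product // 10 + product % 10   # digit sum of a product (0..18)
    return (10 - total % 10) % 10


def normalize(pin: str) -> str:
    """Reduce the common written forms to the ten digits YYMMDDNNNC.

    Accepts YYMMDDNNNC, YYMMDD-NNNC, YYMMDD+NNNC ('+' marks a person over 100),
    YYYYMMDDNNNC and YYYYMMDD-NNNC. Century digits are not part of the Luhn
    computation, so they are dropped.
    """
    m = re.fullmatch(r"(\d{2})?(\d{6})[-+]?(\d{4})", pin.strip())
    if not m:
        raise ValueError(f"unrecognised personnummer format: {pin!r}")
    return m.group(2) + m.group(3)


def is_valid_pin(pin: str) -> bool:
    """True if the last digit equals the Luhn control digit of the first nine."""
    try:
        digits = normalize(pin)
    except ValueError:
        return False
    return luhn_control_digit(digits[:9]) == int(digits[9])


def count_valid_control_digits(nine_digit_prefix: str) -> int:
    """How many of the ten possible last digits validate for a made-up prefix.

    Exactly one does, which is why a guessed control digit is wrong 9 times in 10.
    """
    prefix = normalize(nine_digit_prefix + "0")[:9]
    return sum(is_valid_pin(prefix + str(d)) for d in range(10))


if __name__ == "__main__":
    print(SAMPLE_VALID, "valid:", is_valid_pin(SAMPLE_VALID))                 # True
    print("control digit for", SAMPLE_PREFIX, "is", luhn_control_digit(normalize(SAMPLE_PREFIX + "0")[:9]))  # 6
    print("candidates that validate:", count_valid_control_digits(SAMPLE_PREFIX))  # 1
```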

Having a very common name makes it harder to get more information about a person by only knowing the person's name and city. Find out how many Maria Nilsson live in Göteborg, Sweden. How many people with your teachers' names live in the same city? How many with your name live in the city you live in?

Tasks:

  • How many Maria Nilsson live in Gothenburg?
  • How many people with the same name as your teacher live in Gothenburg?
  • How many people with the same name as you live in your city?
    • What if you include all middle names?

Find out what the Swedish data protection authority (Datainspektionen) has to say about PIN (personnummer). Hint: Start here.

Tasks:

  • What are the Swedish data protection authority's recommendations regarding PINs?

If you want to find out your teacher's tax return (Swe: självdeklaration), you need your teacher's PIN when you request it from the tax authorities.

Tasks:

  • Write down the steps you would take to get the tax return documents of your teacher from the Swedish tax authorities
  • How would you get the PIN of your teacher?
    • Who would you contact in order to get this?
    • What information about your teacher would you need to get the full PIN?
  • Who would you contact in order to request a copy of the tax returns?
  • What information do you need to provide in order to request someone's tax returns?
  • Would it be possible to also obtain the teacher's current standing with the CSN (Swedish student loan authority)?

Some people have protected identities, which limit the possibilities to request otherwise public data about them.

Tasks:

  • What regulations or exceptions about Swedish PINs can you find?
    • Hint: Read all the links below to see what the law says about stopping you from obtaining personal information in certain cases

Read the below carefully before you do anything illegal or stupid

Note that requesting public information is one thing. Making personal information public (publishing it, e.g. on the web) is strictly regulated by law. This is why there is a big difference between public information containing personal data, which you need to request from the authorities to obtain, and making such information public (or, even worse, publicly searchable)!

In other words, to obtain personal data about someone for personal use is one thing. To spread, publish or make it publicly available is in most cases an offence punishable by law, unless you obtain a license (and in many cases consent from the persons whose data is to be published). So think about what you do with personal data that you obtain.

Note: Even if it were possible for anyone to obtain your PIN, you shouldn't publish it or make it available online anyway. The inertia of having to request such information, as opposed to just searching for it online, makes you less vulnerable to identity theft, fraud etc. Be restrictive with what you share about yourself online. Also, for the above mentioned reasons, be restrictive with what you share about other people online.

Useful links:

Links

Further reading

Terms of service

Privacy while surfing the web

Social media related

Mobile phone related privacy stuff

General privacy stuff

Facial recognition, camera surveillance

Privacy and security

Swedish personal identity numbers (Swe: Personnummer)

Data leaks - personal data stolen or leaked

Where to go next

This is the last module and page for the Introduction to IT and computing book.

We have material on Bash and Bash programming here, if you really want more:

And we have an introduction to Java programming (if you want to try that) here:

And we have an introduction to databases here:
