Some privacy practices when using Facebook

Tor

I have recently started using the Tor Browser when browsing Facebook and Twitter (although I need to get into the habit of doing so consistently). Amongst other things, Tor can help to protect against IP address tracking (although it is not bulletproof!). I find it unnerving that Facebook and Twitter are able to discern who my housemates and officemates are, even if I have had almost no interaction with them. (I don’t mind being associated with my particular housemates and officemates at the moment, but some people may mind that.)

Mobile website and JavaScript

I also use the mobile Facebook website on my laptop, and avoid it completely on my phone. The mobile Facebook website can run without JavaScript, which you can disable using NoScript, a Firefox extension which is automatically shipped with the Tor Browser. Disabling JavaScript protects against some of their data collection habits, such as cursor tracking and reading from unsubmitted forms.

Facebook is not the only website that practises such habits with JavaScript: another example is described here. The Independent’s website is particularly bad as far as JavaScript is concerned: many articles on their site do not display properly unless you allow a load of JavaScript from third parties, including many advertisers.

Clickjacking

When you click on outgoing weblinks on Facebook, they do not directly take you to the desired website. Instead, they take you first via a tracking page: note the URL at the bottom:

This intermediate tracking page allows Facebook to know what links you have clicked on, at what time and in what context. (A browser doesn’t send this information to the webserver of the page containing the link.) To partially overcome this, I give the full URL when posting a link. A reader can then copy this URL and go to it directly, skipping the intermediary.

Since many users are not aware of Facebook’s outlink tracking, it should be considered a form of clickjacking.
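
The copy-the-URL workaround described above can also be done mechanically. The following is an added example, not code from the original post: it recovers the destination from a wrapped outbound link and drops the click identifier. The redirector format (`l.facebook.com/l.php?u=…`), the `fbclid` parameter and the sample links are assumptions; none of them appear on this page.

```javascript
// Added example: unwrap an outbound link that goes via a tracking redirector.
// Assumption: the redirector looks like
//   https://l.facebook.com/l.php?u=<percent-encoded destination>&h=<token>
// All sample links below are constructed for illustration.

const REDIRECTOR_HOSTS = new Set(["l.facebook.com", "lm.facebook.com"]);
const TRACKING_PARAMS = ["fbclid"]; // click identifier added to destinations

function parseUrl(text) {
  try {
    return new URL(text);
  } catch {
    return null; // not an absolute URL
  }
}

// Returns the direct destination as a string, or null if the link is
// malformed or does not lead to an ordinary web page.
function unwrapOutboundLink(href) {
  const link = parseUrl(href);
  if (link === null) return null;

  let dest = link;
  // Exact host match: "l.facebook.com.example.net" is NOT the redirector.
  if (REDIRECTOR_HOSTS.has(link.hostname) && link.pathname === "/l.php") {
    const target = link.searchParams.get("u"); // already percent-decoded once
    if (!target) return null;
    dest = parseUrl(target);
    if (dest === null) return null;
  }

  // Only hand back web links; refuse javascript:, data:, file: and similar.
  if (dest.protocol !== "http:" && dest.protocol !== "https:") return null;

  for (const name of TRACKING_PARAMS) {
    if (dest.searchParams.has(name)) dest.searchParams.delete(name);
  }
  return dest.toString();
}

// Constructed sample input.
const wrapped =
  "https://l.facebook.com/l.php?u=" +
  encodeURIComponent("https://example.org/article?id=42&fbclid=CONSTRUCTED") +
  "&h=CONSTRUCTED";

console.log(unwrapOutboundLink(wrapped));
```

The scheme check matters because the `u` parameter is attacker-controllable text like any other query string, so an unwrapping tool should not blindly open whatever it decodes.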

Conclusion

These practices are a start, in lieu of managing to persuade one’s friends to migrate to a more private (and oftentimes more open, somewhat ironically) platform. Of course, Facebook may still harvest information about me, including anything I post, the things that I click on (or not click on), and anything said about me by other people.

By the way, you should care about privacy even if you are not a criminal and have ‘nothing to hide’. That claim is patently false: we all have secrets which we would like to keep, even if they are not illegal. Society has stigmas, and an unscrupulous government or employer could use its illicitly-obtained knowledge about your relationship, which you might like to keep quiet about, to blackmail you. And while it’s unlikely that any Facebook employee would personally be interested in your life, the psychological profiling that they may obtain from tracking your cursor could be very lucrative for an insurance company. And, of course, we often talk about other people behind their backs, in unflattering ways.

What techies are missing in the debate over surveillance

I recently started volunteering for Julian Huppert’s campaign to become the Liberal Democrat MP for Cambridge. (For more on that, go to their website.) Some of the other volunteers were members of the tech sector; as such, they used a lot of encryption in their work and had a lucid understanding of how encryption works. Of course, we are all very strongly worried by the attitudes towards Internet surveillance and encryption that Theresa May and the Conservative Party seem to hold. These include last year’s Snoopers’ Charter, which gives the option of requiring ISPs to hand over users’ browsing history to the state (and not just to police and security agencies, but also other, unrelated, branches of government). More recently, the section on digital issues in the Conservative Party manifesto* contains rather troublesome proposals, including

  • Verify, a single digital ID system to be used for both government services and private services such as banking, and
  • the words ‘we do not believe that there should be a safe space for terrorists to be able to communicate online and will work to prevent them from having this capability’.

Unsurprisingly, the Manchester bombing last week will be used to justify activating the Snoopers’ Charter (but only after the election, of course!).

* I actually rather like some other parts of that section in the manifesto, especially ‘central and local government will be required to release information regularly and in an open format’; such a process would be long and costly, but would be very useful for future policymakers.

Like me, Julian and many others, they were quick to point out how heavily encryption is used in day-to-day, perfectly innocuous transactions over the Internet. (See also this piece by the web company Mythic Beasts.) We also knew how surveillance or web censorship could be defeated, using freely available tools such as Tor. Despite all these things, the Tory attitude towards Internet surveillance stands popular; Labour and the SNP abstained in the vote over the Snoopers’ Charter.

Why are we doing so poorly in this argument? One reason is that

The widespread public understanding of encryption is not accurate.

Or, more facetiously:

The debate over encryption is not a debate over encryption.

Okay, my use of the phrase ‘widespread public understanding of encryption’ may be a little hyperbolic, since I can’t speak for the country as a whole. But I think it’s clear that plenty of people don’t understand that normal people use encryption, not just criminals, perverts and terrorists. In some ways, this is laudable: it illustrates how computer and software manufacturers have been able to preconfigure their systems so that people can use them safely without having to think about all the processes (like encryption) that go on under the bonnet. The fact that computing is so accessible is a good thing. One should not need an understanding of mechanical engineering and combustion chemistry in order to drive a car.

However, the same sort of accessibility means that there is a large disjunction between how most people use their computers, and how techies use them. (I know ‘techies’ is a very loose term.) It’s true that policies such as censorship, surveillance and ‘bans’ on encryption can be defeated easily by those with the technical know-how. This doesn’t mean that the policy is moot, because

The effectiveness or otherwise of any policy depends on social factors as well as its technical merits.

Many people will go along with these authoritarian digital policies, reasoning along the lines of ‘I have nothing to hide, so I have nothing to fear’, or ‘we should do anything to keep our children and our country safe’. How else is it that the Great Firewall of China manages to keep a billion people in check, despite its many weaknesses?

The upcoming election may be a fait accompli as far as this issue is concerned. Labour is not devoted to protecting digital liberties, while the Conservatives are keen to abolish them. (Perhaps a third party, either in a coalition or in opposition, may be strong enough to moderate the government on this issue, but neither the LibDems nor the Greens are likely to be strong enough to do that effectively.) As we continue campaigning on this issue until and after the election, we must not focus too much on the technical weaknesses. In doing so, we’d risk blinding people with endless facts about Tor, VPNs, RSA and other obscure three-letter words and acronyms. Instead, we must focus on the social harms of a surveillance state and the benefits of personal privacy (including as a matter of LGBT+ rights).

Why I reject the term ‘virtue signalling’

The Manchester incident last night (reported on in detail here) was tragic, the attacker(s) deserve condemnation, and all those who sought to help (emergency services, but also hotels, taxi drivers and such) deserve praise for their humanity and love. That much should be clear. The Queen’s response was dignified and speaks for many of us.

In the wake of such a horrible incident, it would only be human to express solidarity for the victims. Indeed, many public figures with prominent voices have done so. Not all of them were equally well-received: Jeremy Corbyn’s tweet has received replies that accuse him of ‘[making] political capital out of people’s death under the guise of praising emergency services’. (See also Another Angry Voice’s post on this.) The fact that his tweet is actually apolitical, and not fundamentally different in content from (albeit much shorter than) Theresa May’s statement is not important. (His later and longer statement is likewise uncontroversial in content, yet was received similarly poorly.)

There is a popular attitude that ‘liberals and the left like to virtue-signal’. This is applied to people who stand up for groups that they themselves do not belong to, such as male feminists, or people who don’t support black people being disproportionately wrongfully arrested and shot by police. Such people are only there to get attention, and don’t really care about the cause.

The snarl term ‘virtue signalling’ hasn’t been prominently applied to Jeremy Corbyn yet today, but that’s the implication. Why should one get so much flak for saying basically the same thing as Theresa May and the Queen? Few think that the Queen’s statement was a cynical move to exploit this incident in order to increase public support for the monarchy.

Why does ‘virtue signalling’ only apply to some causes, and not others? When Theresa May took the time out of her very busy schedule to join the Church of England in condemning the National Trust’s Easter egg hunt for not referencing Christianity, why was that not dismissed as merely ‘virtue signalling’, but given so much coverage?

Jumping to conclusions

As of the time of writing, very little is known about the attacker(s). This does not stop people from going ahead and assuming that they were Islamic terrorists, for example, in the Republican House Speaker Paul Ryan’s statement. ISIS has claimed responsibility, although their involvement has not been confirmed by any authorities. To get to the conclusion that ISIS is responsible, given the information currently available, you would have to say that ISIS is your most reliable source of information, more so than the police.

Damned if he does, and damned if he doesn’t

Tim Farron, current leader of the Liberal Democrats, once said that he thought that homosexuality was a sin. This led to a lot of anger in some circles, and the fear that the Liberal Democrats would not fight sufficiently strongly for (or could even oppose) LGBT+ rights.

Farron has more recently clarified his position by saying that his ‘views on personal morality [didn’t] matter’ and that this was not party policy. The right-wing blogger Guido Fawkes has spun this as: ‘Tim Farron has his beliefs and he seems willing to compromise them for political gain.’

Nobody seems to think that the vegetarian Jeremy Corbyn would ban meat-eating if he got into power, or that he’d be compromising his moral stance by not banning meat-eating. Why should LGBT+ issues be any different?

Two quotes of Confucius

The classical Chinese philosopher Confucius and his disciples set out a vision of a society in which people aspired to become junzi. The term translates literally as ‘noble’s son’, more figuratively as ‘superior man’ (cf. Nietzsche’s Übermensch), and embodies ‘gentlemanly’ virtues: honesty, sincerity, good manners, a love of learning, selflessness, and, most importantly, humanity, putting the lives of human beings before pursuits for wealth or pleasure. In such a society, the people would value principled leaders, whose policies would benefit all and whose words would be just.

Society has changed massively since Confucius’ time, much for the better: it is difficult to justify returning to such a patriarchic, feudal and superstitious time. However, the ethical principles of his school are still hugely relevant, and leaders, as well as we the people who elect them, would do well to read the Analects, even if we do not agree with everything in there. In light of the upcoming general election, I would like to draw attention to two quotes in particular.

The Master [Confucius] said, “Fine words and an insinuating appearance are seldom associated with true virtue.”

Someone said, “Yong [a disciple] is truly virtuous, but he is not ready with his tongue.” The Master said, “What is the good of being ready with the tongue? They who encounter men with smartness of speech for the most part procure themselves hatred. I know not whether he be truly virtuous, but why should he show readiness of the tongue?”

As a bonus, here is an account from the Book of Mencius of Confucius’ disciple Mencius with a king of a city-state:

‘Your dogs and swine eat the food of men, and you do not make any restrictive arrangements. There are people dying from famine on the roads, and you do not issue the stores of your granaries for them. When people die, you say, “It is not owing to me; it is owing to the year.” In what does this differ from stabbing a man and killing him, and then saying – “It was not I; it was the weapon?” Let your Majesty cease to lay the blame on the year, and instantly from all the nation the people will come to you.’

King Hui of Liang said, ‘I wish quietly to receive your instructions.’

Mencius replied, ‘Is there any difference between killing a man with a stick and with a sword?’

The king said, ‘There is no difference!’

‘Is there any difference between doing it with a sword and with the style of government?’

‘There is no difference,’ was the reply.

Mencius then said, ‘In your kitchen there is fat meat; in your stables there are fat horses. But your people have the look of hunger, and on the wilds there are those who have died of famine. This is leading on beasts to devour men. Beasts devour one another, and men hate them for doing so. When a prince, being the parent of his people, administers his government so as to be chargeable with leading on beasts to devour men, where is his parental relation to the people? Zhong Ni said, ‘Was he not without posterity who first made wooden images to bury with the dead? So he said, because that man made the semblances of men, and used them for that purpose – what shall be thought of him who causes his people to die of hunger?’

Trident as the Ultimate Blasphemy

Trident has once again surfaced as a political issue. Enough has been said to criticise it on strategic, military, financial, ethical and diplomatic grounds that I find it unbelievable that the majority of people still think that it’s a useful system. Nonetheless, I’d like to propose the following argument:

Whether as a first strike or a retaliatory strike, any use of weapons of such destructive power as Trident would set humanity back hundreds of years by destroying so much (social as well as physical) infrastructure. If (like me) you believe that humanity collectively has an eventual purpose to work towards, then such destruction should be extremely unpalatable. If moreover (unlike me) you believe that this purpose is set by Heaven, then by committing this damage, you would be intentionally and directly going against Heaven’s purpose.

Or alternatively: Presumably your use of Trident would have some aim in mind, however unsavoury or misguided; Clausewitz defines: ‘War is merely the continuation of policy by other means.’ This would be far worse, because you would essentially be saying ‘Humanity doesn’t need to exist if I can’t get what I want.’ Or, more blasphemously: ‘Heaven’s motives are my motives.’

Theresa May, David Cameron, Tony Blair and George W. Bush all profess to be Christians, and are very public about it; they often allude to it in their speeches. But, to properly reconcile a belief in a God-given cause for humanity with a willingness to destroy it–even as a deterrent–requires a Deus Vult attitude, and it would be called religious extremism if it were practised by leaders of any other country.


A cynic’s Easter message

We have heard a lot about the notion of ‘fake news’ and ‘alternative facts’ in the past year. We have seen how a hoax or a rumour, originating from an individual or a small number of people, can spread like wildfire, especially on social media. We have seen how damaging these claims can be, and how they may continue to be believed even after they have been refuted.

These hoaxes tend to be outrageous or emotive. We have seen that extraordinary claims are more likely to spread and to be shared, contrary to the principle that extraordinary claims require extraordinary evidence if they are to be believed. Then, the fact that it has spread widely is used as evidence of the claim itself.

We have seen that neither the number of followers of a movement, nor the fervour of said followers, says anything about the legitimacy of the movement. We have seen that people will commit daring and sometimes evil acts based on a lie.

Anyway, a belated happy some-books-said-that-a-man-has-been-raised-from-the-dead-and-his-dad-commands-you-to-do-various-things day.

The size of the UK transgender population

Accurate estimates of the sizes of transgender populations are hard to come by, but according to an article in The Times on Thursday, there are about 650,000 people in the UK (around 1%) who identify as transgender. The article does not cite a source and, unfortunately, the online version is behind a paywall (to which I have no access).

In an article from nine months ago, The Guardian cites a ‘conservative’ estimate of 0.2%, or around 130,000.

I was quite surprised to learn that this number was so high. For comparison, the 2011 census found that around 430,000 people identified as having Chinese ethnicity, and that around 270,000 identified their religion as Judaism. These groups, as well as many other minorities, are not represented well in Parliament or other high-ranking positions.

Petition to the UK government: ‘Recognise the importance of citizens’ access to encryption’

I’ve just submitted a petition (indeed, my first) to the UK government. The petition is still in the sponsorship stage, but you can click this link to sign it. Once it becomes live I shall put the updated link here. The petition became live on 7 April, and can be found here. The text is below:

The government must recognise the personal and economic benefits to encryption, and that any backdoor into WhatsApp cannot remain exclusive to GCHQ, but would soon become known to foreign intelligence services or criminal groups.

Home Secretary and Europol are demanding companies such as WhatsApp to install backdoors so that security services may read suspected terrorists’ messages. (Times, 27.03.17) The UK government may have ‘noble’ aims, but any backdoor would soon be found by the Russian or Chinese intelligence services. This would make the UK vulnerable to economic espionage, and have a chilling impact on dissidents in those countries. It could also be exploited by groups such as Anonymous, which may use intercepted messages to harass vulnerable groups such as LGBT+ people. T

Unfortunately, the petition had a character limit, so here are a few more words about the issue.

The petition is in response to the Home Secretary Amber Rudd’s demand towards (and plans to force) messaging services such as WhatsApp, Telegram and Apple iMessage, which offer end-to-end encryption for their users, to open up backdoors for the UK security services, ostensibly as a response to the reports that the Westminster attacker Khalid Masood used WhatsApp to communicate, possibly in order to plan the attack (although this is not known). The government argues that this is just the modern equivalent of the traditional practice of steaming open the envelopes carrying letters of suspected criminals, but the analogy is a poor one. Never did the police have the power to systematically steam open all envelopes, without supervision. They were subject to limited jurisdiction; the American or Russian police had no right to enter a British post office and open the letters there.

The adage that ‘if you have nothing to hide then you have nothing to fear’ would be a valid argument iff (a) the British security services were the only people with the means to read your communications, and (b) their only motives were to prevent crime and terrorism, for some suitable definition of ‘crime’ and ‘terrorism’. The first assumption is a terrible one. There have been countless examples of individuals or small groups finding weaknesses in widely-used software, such as the Heartbleed bug and Shellshock. What is there to stop a third party from finding and opening a backdoor intended only for GCHQ? It is a longstanding principle of cryptography that ‘security by obscurity’ offers very little security. Once the weakness becomes available to others, the second assumption also goes out of the window. Unfortunately, the Russian and Chinese police and intelligence agencies have rather different ideas about what counts as ‘terrorism’. By forcing messaging companies to open up loopholes in their encryption, the UK government would be indirectly supporting the surveillance mechanisms of those states.

In fact, even the UK’s police and intelligence services should not be idolised (although it was tempting to do this after a police officer died in the Westminster attack). A day before the attack, it was reported that the Met Police spied on Greenpeace activists, in coordination with Indian police and mercenary crackers. Greenpeace may have more destructive elements, but these activists were mostly peaceful protestors and the surveillance could not be justified as being in order to pre-empt a criminal act.

Moreover, groups such as Anonymous have habitually practised the ‘doxing’ of individuals, as in the Gamergate controversy, releasing personally sensitive information about other people. For example, some gay and transgender people have been threatened with being outed, as a means of blackmailing or otherwise harassing them. Being gay or transgender isn’t illegal in most of the West, but it can still have a social stigma that is strong enough to make this an effective tactic. This sort of abuse would only become much more common if its practitioners were able to intercept the messages of vulnerable people. Hence, privacy should be regarded as an LGBT+ issue as well.

A purely military solution cannot win a war. This truth has been expounded by military thinkers such as Sun Tzu and Clausewitz, and we continue to learn it the hard way. In the warfare of the computer era, a purely technical solution can be no better. A backdoor may help the police find the motives and co-conspirators of Khalid Masood in this instance, but it cannot be seen as a panacea for terrorism. People will still become terrorists or dissidents if they are drawn by political or social causes, and it is at these that we must strike.

Infringing Beethoven’s copyright

A few years ago, I put a recording of myself playing a movement from Beethoven’s Tempest Sonata on YouTube:

There were quite a few mistakes, and I’m not overly proud of it. But it was one of the latest snapshots of my piano-playing before I stopped doing so regularly, and it was of one of my favourite pieces (to which I couldn’t do justice).

I went through my YouTube account today to look at some of the other videos that I have since put up, and found this message:


Somebody (‘one or more music publishing rights collecting societies’) has filed a copyright claim on my amateur performance of a two-hundred-year-old piano sonata composed in pre-Germany Germany. YouTube has unquestioningly taken their side, and is monetising my video by putting ads on it. The revenue goes towards whoever made this anonymous copyright claim.

Somebody is making money from my recording, simply by saying that they deserve it. The video has been up for 3 years and there have been fewer than 100 views, so I doubt they are making very much money from it. I have now filed a dispute, although I suspect that the claimant will, at most, have to take down the ads, and not even issue an apology. It’s part of a worrying trend on the Internet in which rights are being transferred away, from content creators towards publishers or aggregators.