Responding to criticism from privacy activists, YouTube in the past two weeks has rolled out a number of new privacy features. Chief among these is a "delayed cookie" option thatYouTube promises will not leave cookies in the browsers of users who have not yet clicked the "play" button to view a video.
While this statement is true for traditional Web browser-based cookies, YouTube's cookie-lite solution still leaves long-term, non-session Flash cookies behind in the Web browser of visitors who have yet to actually click play to watch the YouTube videos.
As revealed on this blog yesterday, YouTube has recently rolled out a number of new privacy features, chiefly in response to privacy activists complaining about the company's use of non-session cookies.
Writing on the Google corporate policy blog Tuesday, Steve Grove of YouTube stated:
To ensure that we openly communicate about privacy issues on all federal websites that use our technology, we created an embeddable video player that does not send a cookie until the visitor plays the video.
YouTube's online technical documentation also reveals a bit more about the feature:
Enabling delayed cookies means that the YouTube video player will not set any non-session cookies on the computer of a visitor (viewing the page on which the YouTube video is embedded). The YouTube video player may set non-session cookies on the visitor's computer once the visitor clicks on the YouTube video player.
While this statement is true for browser-based permanent cookies, it is still a false statement. Visitors to Web pages that have made use of this new cookie-lite feature continue to receive long-lasting Flash cookies, even when they do not click play to watch a video.
The Electronic Privacy Information Center has thoroughly described the Flash cookie privacy problem:
Flash cookies provide the only method by which a flash movie can store information on a user's computer....
Few consumers are aware of where Flash cookies are stored or how to control their use. Normal web cookies can be managed via the preferences dialog of most web browsers, but no similar utility is included for these Flash cookies. It is possible for Flash cookies to remain on user's computer indefinitely, as there is no mechanism to set an expiration date on Flash cookies.
The only way to delete these well-hidden objects is to visit a special Web page on Adobe's site. The existence of Flash cookies and the need to visit the special Adobe Web site to remove them is not widely known by most Web users.
Web browsers are unable to automate the process of Flash cookie removal. As a result, those in the security community have had to take rather extreme steps to try to automate the process of Flash cookie removal in a way that doesn't break most Web functionality. These obscure techniques remain far too advanced for non-technical users.
Proof of YouTube's use of Flash cookies
To verify that YouTube is still using non-session cookies, follow these steps:
- First, go to the Adobe Flash Settings Manager page, and delete all of your old Flash cookies.
A screenshot of an empty Flash cookie jar
- Close all of your browser tabs, and restart your browser. Now revisit the Adobe Flash Settings Manager page, and verify that you still have no Flash cookies.
Then, go to a Web page that is making use of the new YouTube "delayed cookies" feature. For this example, we used Barack Obama's inaugural address, as embedded into one of the older White House blog entries.
(As we noted on this blog yesterday, the White House used an in-house Flash based tool for its latest weekly video address. Earlier messages from the President are still delivered using YouTube, although the White House tech team has enabled the "delayed cookie" option for all of these).
- By looking through the source code for that blog page, we can verify that the YouTube flash file is indeed being served from youtube-nocookie.com, and thus should be making use of the "delayed cookie" feature.
<script type="text/javascript"> var params = { allowscriptaccess: "always", allowfullscreen: "true" }; swfobject.embedSWF("http://www.youtube-nocookie.com/v/3PuHGKnboNY&hl=en&fs=1&showinfo=0", "flashcontent", "480", "295", "8", null, {}, params); </script> - Wait for the YouTube flash file to load, but do not click play. Now, close all your browser tabs, and then restart the browser.
- Remember that session-cookies, by definition, are for a single browsing session, and thus when you restart the browser, all previous session cookies are deleted. Anything still hanging around is long-term.
- Now, go back to the Adobe Flash Settings Manager, and you should see that a cookie from s.ytimg.com (a domain controlled by Google) has now been quietly added to your Flash cookie jar, even though the White House Web site made use of the "delayed cookie" option, and you never clicked the play button.
A screenshot of the flash-cookie jar, containing a cookie from YouTube
Analysis
Those in the privacy community will likely pounce on this as evidence of Google's hypocrisy, while Google will likely respond by carefully parsing the definition of the phrase "non-session cookie" to not include Flash-cookie objects. Google might even even argue that its Flash-based cookies do not contain unique tracking information (something this blogger is unable to verify, since the Adobe Flash Manager only allows you to delete, but not view the contents of a Flash cookie).
One thing is clear. YouTube has advertised a new delayed cookie feature, and stated that it "does not send a cookie until the visitor plays the video." That message is further reinforced by the fact that the new cookie-lite embedded video players are served from a different domain name, youtube-nocookie.com.
Yet a user visiting a page that includes one of these "delayed cookie" videos still ends up with a long term, non-session Flash cookie hidden away in the depths of their browser.
Technical definitions of "cookie" versus "Flash cookie" aside, YouTube's "delayed cookie" feature simply fails to deliver on the company's promises.
When reached for comment, Marc Rotenberg, the director of the Electronic Privacy Information Center, said:
(Regarding the) spat over cookies, the Youtube and the Whitehouse web site is the tip of the iceberg. There is a much bigger debate about Google's role in federal information policy looming.
The Google blog post, if read carefully, is very revealing. It is all about justifying Google's growing dominance in government information dissemination.
This is a business plan. It is tied directly to YouTube's advertising model and revenue forecasts. There is nothing about actual federal information policy.
Complying with federal laws (e.g. the Privacy Act which regulates data collection) or federal policy on persistent cookies are real obstacles. The question is whether Google will decide for itself whether it will comply with these laws or the people's representatives.
The debate is just beginning.
Google's PR team have yet to respond to queries from this blogger regarding the cookie issue.
Disclosure: In 2008, I worked as a policy fellow for the Electronic Privacy Information Center. In 2006, I worked as a summer intern at Google, and have twice received graduate fellowships from the company.
Editors' note: Correction, March 3, 12:46 p.m. PST: This post, which originally carried the headline "White House ditches YouTube after privacy complaints," significantly misconstrued the White House's policy on and use of YouTube. In the interests of disclosure and transparency, we are leaving the contents as originally posted, with two subsequent update notes and with the exception of the headline change. See also our follow-up story, "No, the White House hasn't ditched YouTube."
* * * * * * * * * * * * * Original story follows * * * * * * * * * * * * *
Updated at 5:50 p.m. PST March 2: The New York Times is reporting that the White House has denied any change in online video policy. While the White House spokesperson admitted to using an in-house flash based solution for the latest of the president's weekly video messages, he said the White House is just "experimenting" with different solutions.
Updated at 2:59 a.m. PST March 3: Late Monday, Google posted on its Public Policy Blog a rebuttal to this report: "White House videos on YouTube."
Responding to complaints by privacy activists, the White House has quietly abandoned YouTube as the provider of the embedded videos on the president's official home page.
With the release of the latest weekly video address, the White House has shifted to a Flash-based video solution using Akamai's content delivery network.
The White House's decision to move away from the Google-owned video-sharing site will likely be met with praise by privacy activists and could mark the beginning of a real backlash in response to Google's insatiable thirst for detailed data on the browsing habits of Web surfers.
Ironically, the decision by the White House comes days after YouTube began to roll out new policies to better protect the privacy of visitors who view videos embedded into federal government Web sites. The move by YouTube may prove to be too little, too late.
This is the new embedded video tool used by the White House.
(Credit: Whitehouse.gov)The White House's decision to embed YouTube videos in the president's official home page drew instant criticism from privacy activists. In addition to several critical posts on my blog, by the Electronic Frontier Foundation (here and here), the Center for Democracy and Technology and the Center for Digital Democracy blasted the choice of video providers.
The focus of the criticism was on the use of long-term tracking cookies by the Google-owned video-sharing site. When the new White House site first went live in January, every visitor to the president's blog would be issued a tracking cookie, even those who did not click the "play" button to watch the video.
The White House acted quickly, and soon deployed a technical fix to the cookie issue, which protected Web surfers who did not click the play button. However, the tens of thousand of people who clicked play were still issued a cookie, and thus tracked by YouTube.
In an unannounced change over the weekend, the White House appears to have solved the remaining cookie privacy issue for those Web site visitors who wish to watch the president's weekly video message.
Out with YouTube, in with Akamai
As of Saturday, the White House seems to have ditched YouTube as its video provider. Visitors to the White House blog can now click play to view a Flash-based video that loads directly from the White House's own Web servers. This solution, which appears to use Akamai's content delivery network, does not make use of tracking cookies.
The president's tech team seems to have finally hit on an optimal solution--one which protects the privacy of the visitors to the White House site, while still permitting the president to spread his message.
The White House is still posting copies of the videos to its official YouTube channel. However, the president no longer provides free advertising to YouTube by embedding those videos on a taxpayer-funded site.
Furthermore, the White House has copied one of the coolest of YouTube's social features: the ability for users to easily share and embed videos on their own sites. Each of the White House-hosted videos includes an "embed" link under it that can be copied and pasted onto any other Web site or blog.
It is unclear whether this switch away from YouTube marks a permanent shift in policy for the White House, or whether the Oval Office geek squad is merely testing an alternate video provider. While the latest video is served using Akamai's servers, the older videos remain as embedded YouTube files.
YouTube's new cookie rules
The timing of the White House's decision to switch to Akamai is rather strange, given the recent moves by YouTube to offer a more privacy-preserving solution for videos used on federal government sites.
Within the last couple weeks, YouTube has silently rolled out its own updates in response to the cookie-related criticism. People wishing to embed a YouTube video can now select a delayed cookies option when copying the embed URL.
This is the new delayed cookies option for YouTube embeds.
(Credit: Screenshot of YouTube)That choice will cause the embedded videos to be served from an alternate domain, www.youtube-nocookie.com, which registrar records reveal was first registered on January 23 2009, just one day after this blog first mentioned the White House/YouTube cookie issue.
New documentation on the YouTube site reveals:
Enabling delayed cookies means that the YouTube video player will not set any non-session cookies on the computer of a visitor (viewing the page on which the YouTube video is embedded). The YouTube video player may set non-session cookies on the visitor's computer once the visitor clicks on the YouTube video player.
This option is rather similar (yet still inferior) to the technical fix that was previously used (and since disabled) by the White House, as well as the open source MyTube tool developed by the Electronic Frontier Foundation.
A prominent privacy policy
In another new move by YouTube, the site now appears to be directly embedding a link to its privacy policy in all videos that are played from government sites.
This is the new privacy policy link in .gov-hosted YouTube videos.
(Credit: Whitehouse.gov)When those same videos are viewed at YouTube.com, or when embedded in a blog or other non-.gov site, the clickable link to the privacy policy is gone.
Webmasters for various state agencies seemed to notice the new policy last week and initially complained to YouTube, thinking that the new youtube-nocookie.com was a phishing site.
A representative from YouTube told the Webmasters:
The privacy policy link you see on your embed player is in response to federal regulations regarding privacy on embed players. We're working to remove it from state and local .gov sites as soon as possible.
Still not perfect
While the decision by the White House to ditch YouTube is a good one, unresolved issues remain.
First, as previously noted by the Electronic Frontier Foundation, the White House Web site makes use of an "invisible pixel" style Web bug/tracker on every page on the site, hosted by WebTrends.com.
Ideally, the White House should take its Web analytics technology in-house and abandon the use of this third party tracking technology. Otherwise, at the very least, the White House privacy policy should be updated to note the tracking cookies used by WebTrends.
Second, the White House still has not published the waivers it issued to YouTube (and potentially other third parties), which permitted the sites to use long-term tracking cookies. The Electronic Frontier Foundation has repeatedly asked for these documents-- requests that the White House has ignored.
Given the president's much-publicized commitment to transparency, it is time that the White House publishes these documents.
Third, in its recent move to include privacy policy links in videos embedded at .gov Web sites, YouTube has clearly demonstrated that it has the ability to modify the services it provides depending on the referrer information associated with incoming requests. YouTube should build on this and adopt a policy of not logging any data associated with .gov-referred requests.
That is, the site would be free to keep logs on the videos viewed by visitors to its own site as well as those embedded on blogs, but it would opt to immediately forget all identifying information associated with requests from government sites.
While the White House seems to understand the cookie privacy issue, it is unlikely that members of the House and Senate are equally as tech savvy. After all, some of them can barely figure out Twitter.
YouTube videos are heavily used on the Web sites of those in the House and Senate. YouTube should adopt sane logging policies for visitors who view these videos, so that we don't have to wait for the House and Senate to fix the problem themselves.
YouTube did not return a request for comment, while a representative for the White House Web team declined to speak on the record.
When the mainstream media first announced Barack Obama's "victory" in keeping his BlackBerry, the focus was on the security of the device, and keeping the U.S. president's e-mail communications private from spies and hackers.
The news coverage and analysis by armchair security experts thus far has failed to focus on the real threat: attacks against President Obama's location privacy, and the potential physical security risks that come with someone knowing the president's real-time physical location.
President Obama and his BlackBerry at the White House in late January.
(Credit: UPI Photo/Ron Sachs/Pool)Serial numbers
Before we dive in, let's take a moment to note that each mobile phone has a unique serial number, known as an IMEI, or MEID. This unique number is transmitted in clear text, every time the phone communicates with a nearby cell tower. Thus, while the contents of a phone call or the data session (for e-mail) are usually encrypted, anyone with the right equipment can home in on a particular IMEI and identify the location of the source of that signal.
The most common device used to locate a phone by its IMEI is a "Triggerfish", a piece of equipment that is routinely used by law enforcement and intelligence agencies. This kind of device tricks nearby cell phones into transmitting their serial numbers and other information by impersonating a cell tower.
The devices, which are actually fairly low-tech, were used to hunt down famed hacker Kevin Mitnick back in the 1990s. Most interesting of all, according to Department of Justice documents, Triggerfish can be used to reveal a suspect's location "without the user knowing about it and without involving the cell phone provider."
The expensive brand-name Triggerfish devices, made by the Harris Corp., are sold only to government agencies. However, it is almost certain that foreign governments have similar technology. Furthermore, someone with a low budget could likely use the open-source GNU Radio platform, which can already decipher GSM signals, to roll their own phone sniffer.
Finding Obama
We know that the president has been given a White House-issued BlackBerry phone. As a result, Obama's smartphone is broadcasting its IMEI serial number for anyone with the right equipment to detect.
Of course, the president is never alone, and so it is likely that anyone sniffing the wireless spectrum near the president would pick up hundreds of different BlackBerrys in the area.
However, Obama's aides do have to go home at some point, whereas Obama sleeps at the White House. This means that over the course of several days or weeks, it should be possible for a patient adversary to determine which IMEI belongs to the president's phone, and which IMEIs are associated with the phones of aides, simply by following the president (at a distance) and monitoring the spectrum at all hours.
As staffers go home for the evening, and Secret Service agents rotate out of duty, an adversary can strike their IMEI numbers off of the list. Within days, that initial list of 100 BlackBerrys can be reduced down to a single IMEI identifying the president's phone
Were someone to learn the president's IMEI, they could use it to gain valuable (and dangerous) information. For example, by pointing an antenna at the White House, it'd be possible to instantly determine if the president was inside. With a sophisticated-enough antenna, it might even be possible to determine which vehicle the president is sitting in while traveling in a motorcade, or to determine if the Secret Service is driving an empty limousine along a high-profile route to draw attention, while the president travels to a venue in an unmarked vehicle. The digital trail left by the president's BlackBerry would soon announce his presence to those keeping an eye out for his IMEI.
I am sure that others could come up with even more nefarious uses for real-time access to the president's physical location. I will leave that task to the blogosphere.
Burners
The simple solution to this problem, of course, is for the President to regularly change his IMEI serial number by getting a new phone. However, this presents another problem: that of the odd man out.
Imagine that foreign spies point a directional antenna at the White House and are thus able to capture the IMEI numbers of Obama and his team, as they leave and return to the White House from various events.
If a new IMEI number were to suddenly appear, be used for one week, disappear, and then be replaced by a new IMEI, which was also used for a week, before also disappearing, it would soon be obvious that a single person was changing phones. This pattern would be even more obvious, if everyone else in the president's entourage kept using their own phone--and thus broadcast the same IMEI, week after week.
Simply put, the only way that President Obama can gain some level of anonymity with regard to his IMEI number is if everyone in his team also changes their IMEI numbers with the same regularity.
Fans of the HBO TV show The Wire (a group that includes Obama) will no doubt remember the use of cheap prepaid "burner" phones by the fictional drug dealers. In order to avoid being wiretapped by the police, the entire criminal gang would dispose of their phones at once and switch to brand-new devices.
Essentially, the White House needs to start using burners.
Cost-effective protection
It would be extremely expensive (and wasteful) for the president and his staff to get a new BlackBerry each week. Luckily, there are two options available to the White House tech staff that allow them to protect the president's location privacy in a cost-effective (and environmentally friendly) way:
First, the White House geek team can simply shuffle the BlackBerrys used by the President's staff. That is, take away everyone's phone, mix them up, restore the software to the factory default, then issue a "new" phone to each staffer.
Within minutes, the phones would synchronize with the White House e-mail servers, and thus the "new" devices would have instant access to the e-mails and information that had been on the previous device.
The inconvenience factor of such a solution could also be significantly reduced by having twice as many phones as employees--that way, staff would not have to go without their phone for more than a minute or two, as they were swapped each week.
As long as this shuffling of phones were done randomly, the IMEI numbers would be sufficiently anonymized. Sure, a potential attacker would know that the device belonged to a member of the White House staff, but they would not know whether if belonged to a lowly intern, the press secretary, or the president.
A slightly more laborious method would be to hack the software running on the BlackBerrys and flash the devices with a new serial number. While this is quite possibly a violation of the Digital Millennium Copyright Act (which prohibits most forms of phone hacking), it is unlikely that Research In Motion (which makes the BlackBerry) would sue the White House for engaging in such reverse engineering.
Of course, the downside of giving each phone a new serial number is that these phones would then need to be re-registered with the wireless communication company, which would otherwise refuse to provide the devices with service. However, this additional burden for the White House techies would yield significant security benefits, as each phone would be given a clean IMEI number not associated with the White House.
Insiders
In this article, I've focused solely on the scenario of a bad guy with an antenna. There is also the very real (and significant) risk of an insider working for the phone company.
Insiders are a notoriously difficult security problem to fix, something Obama has likely already learned, after his passport file was read by a contractor working for the State Department.
Even if every person working for the White House's telecommunications carrier were honest, it could also be possible to social-engineer the information out of a customer service representative (otherwise known as "pretexting").
Alternatively, an adversary could simply hack into the computer systems used by the phone company in order to get information on Obama's phone. Is was this latter approach that was followed by an unknown attacker who was able to spy on the phone calls of more than 100 Greek government officials during the 2004 Olympics.
Foreign trips
President Obama is likely to go on many foreign trips during his four (or more) years in office. In addition to burdening taxpayers with the obscene international roaming rates associated with his foreign BlackBerry usage, there are new and more serious security concerns to consider.
The federal government can most likely trust AT&T and the other wireless carriers. After all, they did join forces with the National Security Agency to spy on millions of American's phone calls without a warrant. The telecommunication companies in foreign countries are far less likely to be pro-United States, and in some cases, they are likely to be working closely with foreign intelligence agencies.
Thus, as long as President Obama keeps his BlackBerry turned on while he is in China, it is likely that the Chinese government will be closely monitoring his location, as reported by the president's phone to the Chinese government-owned phone company. The same sort of security issues will likely arise in many other countries.
Due to these security concerns, this blogger would be extremely surprised if the Secret Service permitted the President to use his BlackBerry when on foreign trips.
As you can see, the use of a BlackBerry by the president creates a number of very real security headaches that are no doubt keeping several people at the Secret Service awake at night. While the initial focus of the press was on the e-mail and smartphone technology in the president's phone, the real threats and risks are actually associated with more boring functions of the device.
Further reading: M. Jakobsson and S. Wetzel. "Security Weaknesses in Bluetooth" (PDF) describes some very similar location privacy attacks against mobile phones using Bluetooth-based sniffers.
Someone at the White House appears to be listening to those of us in the privacy community.
For the third time in just six days, the Obama administration has modified the White House Web site privacy policy in response to criticism from the blogosphere.
When the site launched on January 20, it exempted YouTube from federal anticookie tracking rules that would have otherwise cast a legal shadow over the use of embedded videos on the White House blog.
Reacting to criticism from the blogosphere, the White House first modified its Web site on Friday to limit the cookie exposure to only those users who clicked on videos. Then, on Sunday, the White House again tinkered with its privacy policy to scrub YouTube's name from the cookie exemption.
The original YouTube-specific exemption stated:
For videos that are visible on WhiteHouse.gov, a "persistent cookie" is set by third-party providers when you click to play the video.
This persistent cookie is used by YouTube to help maintain the integrity of video statistics. A waiver has been issued by the White House Counsel's office to allow for the use of this persistent cookie.
However, by Sunday evening, the exemption had been edited to remove all mention of YouTube:
For videos that are visible on WhiteHouse.gov, a "persistent cookie" is set by third-party providers when you click to play the video.
This persistent cookie is used by some third-party providers to help maintain the integrity of video statistics. A waiver has been issued by the White House Counsel's office to allow for the use of this persistent cookie.
The decision by the White House to revisit the cookie exemption does not come as a complete shock. The YouTube rule had in just a few short days generated both bad press and direct criticism from several public-interest groups.
It should be noted that this change is, for the most part, cosmetic. YouTube continues to be the only company whose video content is embedded within the White House Web site. Furthermore, the Google-owned video-sharing site is the only one that has received both official legal clearance from the White House Counsel and direct assistance by the White House tech staff (who embed the YouTube content) in planting tracking cookies within the Web browsers of millions of Americans.
Google CEO Eric Schmidt, who has advised President Obama and who personally donated $25,000 to the president's inauguration celebration (out of a total of $150,000 by six Google executives) must be rather pleased.
Still no transparency
In spite of Obama's much-publicized commitment to transparency, the White House has yet to actually provide a copy of the waiver (something this blogger has requested from White House officials informally, as well as via the Freedom of Information Act).
The text of the original privacy policy implied that a specific waiver had been issued for the cookies forced upon end users who intentionally viewed YouTube videos embedded within the White House Web site. The text now implies a far broader waiver for multiple video-sharing Web sites. However, it remains unclear if a new waiver has been issued, or if the old waiver was broad enough to cover multiple sites.
When I first wrote about the privacy policy text last week, I criticized the White House for providing YouTube with a specific exemption. At the time, I noted that no other company had received such special treatment.
The motivation of my criticism was to try to shame the White House staff into doing away with the exemption--as cookies are in no way required in order to serve online video. Instead of recognizing the need to protect consumer privacy, White House officials reacted by expanding the exemption to other companies.
In many ways, the current policy is actually worse than before: non-tech-savvy consumers now have no idea how many companies might be forcing their Web browser to accept tracking cookies. At least up until last week, visitors could take some comfort in the knowledge that only one company might be invading their privacy when they visited the White House Web site (and then only by a firm that had pledged to "do no evil"). Now, at least according to the White House's wide exemption, there could be many.
Last week, I said we should be reasonable and give the White House Web team a bit of time--after all, it is in a brand-new office, managing a new computer network, and scrambling to meet the demands of a very busy boss. However, if the team has had enough time to tinker with the privacy policy at least three times in the past six days, then it has more than enough time to post a copy of the waiver.
Update: 12 hours after posting this story, the White House (partially) reversed itself. The rather dubious YouTube-only waiver from federal Web privacy rules has been maintained, but the White House Web site has been updated to limit the exposure of visitors to YouTube's tracking efforts to only those people who actually click the "play" button on a YouTube video. For more details on the new changes, read this blog post.
The new Web site for Obama's White House is already drawing attention from privacy activists and tech bloggers. While the initial focus has been on the site's policies relating to search engine robots, a far more interesting tidbit has so far escaped the public eye: the White House has quietly exempted YouTube from strict rules relating to the use of cookies on federal agency Web sites.
The new White House Web site privacy policy promises that the site will not use long-term tracking cookies, complying with a decade-old rule prohibiting such user tracking by federal agencies. However, the privacy policy then reveals that Obama's legal team has exempted YouTube from this rule (YouTube videos are embedded at various places around the White House Web site).
While the White House might not be tracking visitors, the Google-owned video sharing site is free to use persistent cookies to track the browsing behavior of millions of visitors to Obama's home in cyberspace.
No other company has been singled out and rewarded with such a waiver.
In a blog post back in November, I criticized the Obama transition team's Change.gov Web site for its use of embedded YouTube videos. At the time, I stated that the practice might violate long-standing federal rules that forbid federal agencies from using persistent tracking cookies on their Web sites. It turns out that I was wrong: the transition team was technically not a federal agency and thus not bound by the anti-cookie rules.
Now that Obama is president, his official Web site is required to abide by the cookie regulations. Furthermore, as of Wednesday afternoon, several YouTube videos have been embedded on the White House blog. As soon as a visitor surfs to one of the blog pages that contain a YouTube video, a long-term tracking cookie is automatically set in the user's browser--even for those users who do not click the "play" button.
Someone on the Obama legal team seems to have read my previous blog post, as they've modified the White House privacy policy to specifically exclude YouTube's tracking cookies from federal rules that would otherwise prohibit their use:
"For videos that are visible on WhiteHouse.gov, a 'persistent cookie' is set by third party providers when you click to play the video.
This persistent cookie is used by YouTube to help maintain the integrity of video statistics. A waiver has been issued by the White House Counsel's office to allow for the use of this persistent cookie."
YouTube and cookies
Each time a new user visits YouTube, a unique permanent tracking cookie is issued by the Web site to the user's browser, which it stores. Whenever the user later revisits YouTube, that cookie is transmitted to the video-sharing site, allowing it to identify users and monitor their video viewing habits.
YouTube is also able to set and access a user's tracking cookie when she visits a third-party Web page that has embedded a video stored on the YouTube site (such as a blog or other Web site), even if the user never clicks the play button.
The moment that the flash file containing the video player is downloaded from YouTube's servers and displayed in the user's browser as part of another Web page, the cookie is transmitted to YouTube's servers. Considering how widespread the practice of embedding YouTube videos has become, this gives Google an amazing amount of data on the Web-browsing activities of hundreds of millions of Internet users--many of whom may not realize that such tracking data is being collected.
The White House policy is not being followed
The YouTube-related text in the new White House privacy policy implies that not all users will be tracked by YouTube. The policy notes that:
"If you would like to view a video without the use of persistent cookies, a link to download the video file is typically provided just below the video."
As of Thursday morning, this statement is false.
In multiple tests by this blogger with both Internet Explorer and Firefox, merely visiting pages on the White House blog causes YouTube to set a long-term tracking cookie in the browser--even if the user does not press the play button to start the video. After eight months, this cookie will be automatically deleted by the user's browser--unless, of course, the user visits another Web page somewhere else on the Internet containing a YouTube-embedded video, in which case, the eight-month cookie clock is reset. Given how widespread YouTube video embeds have become, this cookie essentially lasts forever.
While it is obvious that I am rather critical of this entire affair, I am willing to give the Obama Web team the benefit of the doubt in one area: the fact that their current Web infrastructure does not deliver on the promises made by their privacy policy.
The Obama White House Web site is only two days old, and so it is certainly possible that the team simply hasn't gotten around to deploying a more privacy-preserving system for YouTube video embeds. Protecting users who do not click "play" from automatically receiving a cookie is certainly possible; the Electronic Frontier Foundation in 2008 released a wrapper script for YouTube videos that provided this very feature. Let us hope that the Obama team deploys such a technology in due course.
Can YouTube be justified as a "compelling need"?
For the past 10 years, federal agencies have been prohibited from using tracking cookies on their Web sites, except in a few special cases. The Office of Management and Budget rule M-03-22 states that:
"Agencies are prohibited from using persistent cookies or any other means (e.g., web beacons) to track visitors' activity on the Internet except .... [when there is] a compelling need."
The question we must now focus on is this: Is the need for Obama to use embedded videos hosted by YouTube (and not, say, another company's video-streaming platform that does not force cookies upon its users) a use that can be reasonably described as compelling?
Presumably, this has been justified on the basis that YouTube forces cookies on the visitors of any Web site that embeds one of its videos. However, while Joe or Jane blogger has no bargaining power with YouTube/Google, the federal government certainly does.
In just the past couple weeks, YouTube has launched dedicated pages for both the House and Senate to show off their own videos, and the site also recently started allowing users to directly download copies of some videos. This latter feature has not yet been widely deployed across the site, and is seems to be limited to videos posted by Obama's team.
Given the famously close connections between Obama and Google, you'd think his tech team could negotiate for a cookie-less way to embed videos. At a technical level, this would be an easy enough change, even if it would deny Google the ability to collect even more information on millions of Americans.
Cookies and other federal agencies
Finally, the new White House YouTube rule may have a far broader impact on the way that federal agencies use Web 2.0 content. Simply put, if another federal agency embeds a YouTube video in its Web site without first having the agency's legal team issue a waiver, have federal rules been violated?
Up until this week, federal agencies have been free to embed Web 2.0 content in their own sites without any real need to consider the privacy risks posed to end users. The fact that the White House Counsel has felt it necessary to issue such a waiver for YouTube videos appearing on the White House Web page could be reasonably interpreted to mean that such a waiver is now required for all embedded Web 2.0 content that might force cookies upon end users. This is certainly new legal ground.
Consider, for example, the Transportation Security Administration, which has posted YouTube videos to its blog numerous times over the past year. Its privacy policy makes no mention of YouTube cookies. Could this lead to issues for the TSA Web team, or perhaps even congressional investigations? Given my own history with TSA, I certainly hope so.
Update at 9:30 a.m. PST: Video audience figures have been updated.
President-elect Barack Obama has now posted his second weekly address to YouTube, and it has already gotten more than 411,000 views. A week ago, I criticized the use of YouTube by Obama's transition team, calling it a no-bid giveaway to the Google-owned video-sharing site.
The solution I called for then--the adoption of BitTorrent as the official distribution platform for Change.gov--was, admittedly, a pipe dream.
In this post, I'll explain why the government needs to step up and host its own videos and why it is simply improper to rely on YouTube to foot the bandwidth bill for Obama's messages to the people. I will also make the case that the use of YouTube and Google Analytics by the Obama transition team violates the privacy of Web site visitors and possibly even violates federal rules banning the use of permanent tracking cookies on government sites.
YouTube as the platform of choice
The announcement a couple weeks ago of Obama's decision to use YouTube for his weekly addresses led to headlines across the world. The president-elect's use of streaming video technology was hailed as revolutionary or, as one transition team rep gushed, "just one of many ways that he will communicate directly with the American people and make the White House and the political process more transparent."
Obama's team uploaded his first video address to YouTube (928,000+ views), AOL (220+ views), Yahoo (8,400+ views), and MSN (545+ views)--all figures as of Monday morning.
In keeping with the spirit of this posting, the above video is not embedded.
(Credit: YouTube)For his second weekly video, the Obama team seems to have ditched AOL and only uploaded the video to YouTube, Microsoft's MSN, and Yahoo. Web 2.0 start-ups such as Veoh, Vuze, Revver, and Blip.tv have not gotten any love.
While the transition team should be commended for uploading the video to multiple sites (albeit all owned by multibillion-dollar tech titans), the difference in the number of views is rather startling. Without access to accurate stats (which are not public), it is tough to know how many YouTube views came from people viewing the video embedded into the Change.gov site, searching YouTube, or watching a copy embedded into a personal blog or other news site.
However, I do think it is fairly reasonable to assume that a decent percentage of those nearly 1 million views came from people visiting Change.gov, the taxpayer-funded, official site of the Obama transition team. It is those hundreds of thousands of viewers who clicked the play button to load and stream a video embedded from YouTube's servers that are the focus of this post.
Privacy risks
YouTube, like many other sites, uses persistent cookies to track repeat visitors. Thus, when a regular YouTube user views a video embedded in a blog or other third-party site, the user's cookie is automatically sent to YouTube's servers--even without the user clicking the play button. Given the widespread use of embedded videos, this gives Google, which owns YouTube, an even better idea of the surfing habits of millions of people around the world.
And even if you believe Google's "do no evil" motto, it seems at least a little bit creepy for the company to track each time someone visits Change.gov--especially when that person doesn't actually press the play button to watch Obama's latest message to the people.
The privacy risks associated with the widespread use of embedded videos is something that has caused significant concern for privacy activists--enough for the folks at the Electronic Frontier Foundation to develop the privacy-preserving MyTube tool for Webmasters. If the Obama team insists on sticking with YouTube embeds, perhaps it will at least consider deploying MyTube to protect the privacy of citizens who visit the official transition site.
The privacy risks aren't just limited to YouTube.
Just a week ago, Dan Goodin at The Register criticized the use of the Google Analytics Web-tracking code in the Change.gov site--which also sets a permanent tracking cookie. Although he mostly focused on security risks, and not privacy-related threats, he blasted Obama's Web design team, stating that:
The failure of Obama's Webmasters to follow anything remotely like best practices is more than a little troubling because it suggests they don't fully grasp the security realities of living in a Web 2.0 world.
Eight years ago, the issue of cookies tracking users on government sites was a fairly big issue in tech policy circles, drawing the attention of those in Congress. Eventually, the Office of Management and Budget issued a directive that forbid the use of persistent cookies on federal agency sites.
The Obama team's use of both YouTube and Google Analytics raises serious privacy concerns and likely clashes with the OMB directive.
If Obama's transition team can afford to lease a jet for the president-elect and to pay for staff salaries, BlackBerrys, and hotel rooms, why can't it also pay for a few Web servers capable of serving up Flash video?
(Credit: Change.gov)To be clear, Change.gov is not creating or requesting its own persistent cookies. However, due to the embedding of YouTube videos and Google Analytics Web-tracking code in the site, visitors will be transmitting cookies to Google's servers. Since the YouTube cookies are not set directly by the Change.gov servers, it is unclear whether the Google cookies violate the specific OMB directive. Even if they do not, they clearly violate the intention of the rule--which was created in the days before embedded videos or third-party-hosted Javascript.
The official privacy policy listed at Change.gov makes no mention of cookies, nor of the collection of visitor information by Google's servers. The privacy policy does, however, pledge "not to make personal information available to anyone other than our employees, staff, and agents." At best, the Obama team copied a boilerplate privacy policy from somewhere else and overlooked the use of YouTube and Google Analytics. At worst, it seems pretty deceptive.
When reached for his thoughts, Marc Rotenberg, executive director of the Electronic Privacy Information Center told me:
On the upside, the transition people have done a good job with the ethics in government rules for transition team members. Now they need to revise the Change.Gov Web site and respect the rights of citizens who are seeking information about the new administration.
Lots of traffic
The low-quality video YouTube video embedded into the Change.gov blog is 7MB. When multiplied by more than 900,000 views, we find out that Obama's first video led to the consumption of over 6 terabytes of bandwidth. If the Obama team had to pay for the data, instead of getting it for free from YouTube, it would have cost nearly $1,000, at least if it used Amazon.com's S3 cloud-hosting service.
While YouTube did not serve any advertisements within or around Obama's chat, each of those 900,000+ viewers did see YouTube's name prominently placed within the Change.gov site (as a watermark in the bottom corner of the video). Once the three-minute video is over, viewers are given the ability to watch other related videos (which might have advertisements) or, with one click, to navigate directly to the Google-owned video-sharing site, which certainly has advertisements.
Furthermore, I'm sure that Google's PR team was absolutely overjoyed with the thousands of newspaper articles that flatteringly tied the president-elect to the video-sharing platform. While all press is good press, it is likely such Obama-related press is even better.
Defaults matter
The Obama team's uploading of its weekly videos to YouTube is fine--providing, as it currently does, that it also uploads the videos to a few other places too. As the videos are not copyrighted, members of the public are free to redistribute them via other platforms (as the LegalTorrents P2P site has done), and even mash them up. This is great, and I support this embrace of Internet distribution by the president-elect's team of geeks.
I do, however, have a problem with the use of YouTube-hosted embedded videos on the official Change.gov site.
The transition team has a budget of over $12 million. If it can afford to lease a jet for Obama and to pay for staff salaries, BlackBerrys, and hotel rooms, why can't it also pay for a few Web servers capable of serving up Flash video? Isn't it a bit tacky for the federal government to be relying on Google to host its videos?
It's as if the entire Obama transition team has adopted Hotmail's free e-mail service for its daily communications--with each e-mail sent by an Obama adviser followed by a signature pitching one of Microsoft's products: "See how Windows Mobile brings your life together--at home, work, or on the go."
Obama raised half a billion dollars through online donations during his campaign. His was the first presidential campaign to employ a chief technology officer (a computer geek formerly at the travel site Orbitz). These guys know what they're doing when it comes to technology; they design beautiful, interactive sites and have relied upon complex data-mining algorithms to profile and target individual voters and donors. If they wanted to, they'd have no problem installing a few dozen Adobe Systems Flash streaming servers. However, since YouTube will gladly foot the bill, the Obama team hasn't felt the need.
During his campaign for the presidency, Obama didn't call for a Web 2.0 government, but for a Google government--something that CEO Eric Schmidt, who is now serving as one of Obama's economic advisers, was probably very happy to hear. While I love conspiracy theories as much as the next guy, I don't really see one here. However, given the close connection between Obama and several higher-ups at Google, it is better to avoid the appearance of a conflict of interest.
Thus, it is time to bring an end to embedded YouTube videos on Change.gov. By all means, use streaming video to reach the masses, but let the bits flow from government-owned servers (preferably without privacy-invading cookies). If bloggers wish to embed YouTube videos of the speech on their own sites, that is fine. But Obama shouldn't.
Disclosure: I was a technology fellow at the Electronic Privacy Information Center in spring 2008 where I worked on social-networking-related issues. I also worked for Google as a summer intern in 2006, received two Google fellowships, and currently use Google Analytics tracking tool for my personal site.
Google announced on Monday that the company will be reducing the amount of time that it will keep sensitive, identifying log data on its search engine customers. To the naive reader, the announcement seems like a clear win for privacy. However, with a bit of careful analysis, it's possible to see that this is little more than snake oil, designed to look good for the newspapers, without delivering real benefits to end users.
In a post to the company blog on Monday, the company announced that it will be significantly reducing the amount of time that it hangs onto identifying user data in its Web server logs:
Today, we're announcing a new logs retention policy: we'll anonymize IP addresses on our server logs after 9 months. We're significantly shortening our previous 18-month retention policy to address regulatory concerns and to take another step to improve privacy for our users.
Hidden further down in the blog post, were a few more details:
We haven't sorted out all of the implementation details, and we may not be able to use precisely the same methods for anonymizing as we do after 18 months, but we are committed to making it work.
Google's announcement was extremely light on details, specifically, how the company planned to anonymize the records after 9 months. I contacted Google to find out more, and received an extremely interesting reply:
After nine months, we will change some of the bits in the IP address in the logs; after 18 months we remove the last eight bits in the IP address and change the cookie information. We're still developing the precise technical methods and approach to this, but we believe these changes will be a significant addition to protecting user privacy.... It is difficult to guarantee complete anonymization, but we believe these changes will make it very unlikely users could be identified.... We hope to be able to add the 9-month anonymization process to our existing 18-month process by early 2009, or even earlier.
To understand what this means (and how useless the new privacy "enhancements" are), consider the following:
When a user conducts a search using Google's search engine, the company stores three main types of information in a log file: the user's IP address (which is a unique network address given to her computer by her Internet service provider), the words that she searched for, and her cookie identifier (a unique value given to every Web-browser that visits a Google Web-property).
As per Google's existing policy, after 18 months Google "anonymizes" the IP address and cookie information from its logfiles. While the company hasn't said how it de-identifies the cookies, it has revealed in public statements that its IP anonymization technique consists of chopping off the last 8 bits of a user's IP address.
As an example, an IP address of a home user could be 173.192.103.121. After 18 months, Google chops this down to 173.192.103.XXX.
Since each octet (the numbers between each period of an IP) can contain values from 1-255, Google's anonymization technique allows a user, at most, to hide among 254 other computers. In comparison, Microsoft deletes the cookies, the full IP address and any other identifiable user information from its search logs after 18 months.
Google has now revealed that it will change "some" of the bits of the IP address after 9 months, but less than the eight bits that it masks after the full 18 months. Thus, instead of Google's customers being able to hide among 254 other Internet users, perhaps they'll be able to hide among 64, or 127 other possible IP addresses.
By itself, this is a laughable level of anonymity. However, it gets worse.
First, remember that Google will not delete or anonymize user cookies from the logs when it slightly smudges IP addresses after nine months. Second, remember that as long as you use a Google Web property at least once every two years, the company will maintain a unique identifiable cookie value within your Web browser.
Thus, consider the following scenario:
In June 2008, a user from 173.192.103.121 with cookie value 12345 conducts a search for "breast cancer risks." Nine months later, in March 2009, the company scrubs some portion of the IP address, perhaps to 173.192.103.1XX. However, the cookie remains in the log.
In April 2009, that same user returns to Google, and conducts a search for "stephen colbert youtube videos," again from the same IP and the same cookie value 12345.
Even though the 9-month-old search logs have been "anonymized", because the cookie values remain, it is trivial to match the newer search results to the older searches, and thus completely reverse the anonymization process.
The simple truth is that any IP anonymization technique, no matter how strong or weak, is simply a waste of time, if cookie values are not also anonymized.
Unfortunately, Google is relying on the fact that the mainstream media (I'm looking at you New York Times and Washington Post) are clueless on these issues, as well as seemingly most of the technology press. Google's new anonymization policy is totally worthless, and the company deserves to be called out for its deception.
Disclaimer: I interned at Google during the summer of 2006 and received a $5,000 Google fellowship in both 2006 and 2007. I have also interned or worked for both the Electronic Privacy Information Center (EPIC) and the American Civil Liberties Union (ACLU) of Northern California, public interest groups that have been extremely critical of Google's privacy policies.
If you thought that the National Security Agency's warrantless wiretapping was limited to AT&T, Verizon and Sprint, think again.
While these household names of the telecom industry almost certainly helped the government to illegally snoop on their customers, statements by a number of legal experts suggest that collaboration with the NSA may run far deeper into the wireless phone industry. With over 3,000 wireless companies operating in the United States, the majority of industry-aided snooping likely occurs under the radar, with the dirty-work being handled by companies that most consumers have never heard of.
A recent article in the London Review of Books revealed that a number of private companies now sell off-the-shelf data-mining solutions to government spies interested in analyzing mobile-phone calling records and real-time location information. These companies include ThorpeGlen, VASTech, Kommlabs, and Aqsacom--all of which sell "passive probing" data-mining services to governments around the world.
ThorpeGlen, a U.K.-based firm, offers intelligence analysts a graphical interface to the company's mobile-phone location and call-record data-mining software. Want to determine a suspect's "community of interest"? Easy. Want to learn if a single person is swapping SIM cards or throwing away phones (yet still hanging out in the same physical location)? No problem.
In a Web demo (PDF) (mirrored here) to potential customers back in May, ThorpeGlen's vice president of global sales showed off the company's tools by mining a dataset of a single week's worth of call data from 50 million users in Indonesia, which it has crunched in order to try and discover small anti-social groups that only call each other.
Slide from "Identification of Nomadic Targets " ISS Webinar
(Credit: ThorpeGlen)Clearly, this is creepy, yet highly lucrative, stuff. The fact that human-rights abusing governments in the Middle East and Asia have deployed these technologies is not particularly surprising. However, what about our own human-rights-abusing government here in the U.S.? Could it be using the same data-mining tools?
To get a few answers, I turned to Albert Gidari, a lawyer and partner at Perkins Coie in Seattle who frequently represents the wireless industry in issues related to location information and data privacy.
When asked if there is a market for these kinds of surveillance data-mining tools in the U.S., Gidari told me: "Of course. It is a global market and these companies have partners in the U.S. or competitors."
The question is not if the government would like to use these tools--after all, what spy wouldn't want to have point-and-click real-time access to the location information on millions of Americans? The real mystery is how the heck the National Security Agency can legally get access to such large datasets of real-time location information and calling records. The answer to that, Gidari said, is the thousands of other, lesser-known companies in the wireless phone and communications industry.
The massive collection of customer data comes down to the interplay of two specific issues: First, thousands of companies play small, niche support roles in the wireless phone industry, and as such these firms learn quite a bit about the calling habits of millions of U.S. citizens. Second, the laws relating to information sharing and wiretapping specifically regulate companies that provide services to the general public (such as AT&T and Verizon), but they do not cover the firms that provide services to the major carriers or connect communications companies to one other.
Thus, while it may be impossible for the NSA to legally obtain large-scale, real-time customer location information from Verizon, the spooks at Fort Meade can simply go to the company that owns and operates the wireless towers that Verizon uses for its network and get accurate information on anyone using those towers--or go to other entities connecting the wireless network to the landline network. The wiretapping laws, at least in this situation, simply don't apply.
Giardi explained it as follows:
Networks are more and more disaggregated and outsourced, from customer service call centers overseas with full viewing access to data to key infrastructure components and processing. A single communication is handled by many more parties than the named provider today. Moreover, interoperability protocols include network identifiers--send a message from company A to company B and the acknowledgment of delivery may include location and other information. That's just the way the system is designed--location was about billing in the early years and no one bothered to undo the existing protocols when business models changed and interoperability became common practice or a myriad of new messaging companies came into being...So my point is that there are many access points--albeit less convenient than one-stop shopping at the big carriers--to get information including real-time data.
ThorpeGlen's product appears to be a mashup of Google Earth + phone location data (in this case, from 50 million people in Indonesia)
(Credit: ThorpeGlen)For example, if a Sprint Wireless customer in Virginia calls a relative in Montana--who is a customer of a small, regional landline carrier--information on the callers will spread far beyond just those two communications companies.
Sprint doesn't own any of its own cellular towers, and so TowerCo, the company that owns and operates the towers, of course, learns some information on every mobile phone that communicates with one of its towers. This is just the tip of the iceberg, though. There are companies that provide "backhaul" connections between towers and the carriers, providers of sophisticated billing services, outsourced customer-service centers, as well as Interexchange Carriers, which help to route calls from one phone company to another. All of these companies play a role in the wireless industry, have access to significant amounts of sensitive customer information, which of course, can be obtained (politely, or with a court order) by the government.
With the passage of laws like the FISA Amendments Act and the USA Patriot Act, in most cases, requests for customer information come with a gag order, forbidding the companies from notifying the public, or the end users whose calling information is being snooped upon. Gidari summed it up this way:
So any entity--from tower provider, to a third-party spam filter, to WAP gateway operator to billing to call center customer service--can get legal process and be compelled to assist in silence. They likely don't volunteer because of reputation and contractual obligations, but they won't resist either.
Seeking clarification, I turned to Paul Ohm, a former federal prosecutor turned cyberlaw professor at the University of Colorado Law School and a noted expert on surveillance laws.
Before getting into the details of the issue, Ohm first outlined the basic problem of the various wiretap and surveillance laws; they are extremely confusing and few people fully understand them. The 9th Circuit Court of Appeals seemed to share Ohm's view, stating a few years ago that the Electronic Communications Privacy Act is a "complex, often convoluted area of the law" (United States v. Smith, 155 F.3d 1051).
Ohm then said that the "one thing I can say with confidence is that you are correct to note that the [Stored Communication Act's] voluntary disclosure prohibitions (in 18 USC 2702(a)) apply only to providers to the public."
After describing all the ways that the government could legally collect real-time data on millions of U.S. citizens, Gidari said that essentially, the existence of such a program would likely remain a secret (barring a whistle-blower or leaks to the press by government officials). Summing it up, he stated that:
Whether [a] vendor to a carrier to the public cooperates with agencies (either for a fee or by acquiescence in an order), is something you will not find out as FISA makes it so, regardless of whether the person is in the U.S. or communicating with a person abroad. Such means and methods largely are hidden.
However, if the existence of such a program were ever confirmed, Ohm said that Congress would not be too happy:
If [the sharing of data by niche telecom providers] is seen as allowing an end-around an otherwise clear prohibition in the SCA, Congress is likely to throw a fit when it is revealed and try to amend the law. DOJ is sensitive to this kind of thing (despite what the NSA wiretapping program would lead you to believe) and would probably try to avoid blatantly bypassing otherwise clear language in this way.
The Transportation Security Administration is joining the 21st century. Just 5 years after security experts first outlined methods for faking boarding passes (and 2 years after the FBI raided my home for automating the process), TSA is finally testing out technology to neutralize this security threat. The only problem? The new authenticated boarding passes lay the groundwork for a surveillance state, enforceable all-points-bulletins, and most scary of all, data discrimination.
Can TSA be trusted to do the right thing?
A sample secure boarding pass
(Credit: Continental Airlines)For the last 4 months, Continental Airlines and TSA have been running a pilot project, which permits passengers to pass through security using mobile-phone based boarding passes. After the user checks in online 24 hours before travel, the airline will send a dense 2D bar code to the passenger's mobile phone. The program is open to anyone flying on a non-stop Continental Airlines flight out Houston.
The bar codes contain all of the information that would ordinarily appear on a boarding pass, plus one other important thing: a digital signature.
The system doesn't seem too bad, security wise. The airlines each create a PGP cryptographic key pair, a private key which they use to sign each boarding pass, and a public key which they give to TSA.
When a passenger shows up at a TSA checkpoint, the boarding pass is scanned by TSA agents with a handheld device. The device will verifies the cryptographic signature, and if the boarding pass hasn't been modified, it'll display the passenger's information, which the agent can then compare to the passenger's ID. (Click here to see a picture of the boarding pass being read by the handheld device.)
Privacy safeguards
The Department of Homeland Security released a detailed Privacy Impact Report on the boarding pass system in late 2007. The report reveals a number of interesting details, and surprisingly, that the system was designed with passenger privacy in mind. The report (pdf) notes that:The [Boarding Pass Scanning System (BPSS)] equipment is a handheld 2-D Bar Code scanning device and should be considered standalone as it will not be connected to any network - via wireless or ethernet connection.....
When [the passenger's] information is collected, it is immediately displayed on the device screen, in order for TSA screeners to screen the passengers against their photo identification. Once this is completed, the information is immediately and permanently deleted from the system....
The BPSS device application does not maintain a transaction log with bar code scan content; the application does not save or store the bar code scan data to a file, database, etc.
As many of my readers may know, I caused a bit of a panic at TSA in 2006, when I created a website that made fake boarding passes. Once the FBI dropped their investigation, and TSA decided not to come after me, the Feds became a lot nicer to me. I've flown out to Washington DC a couple times since to meet with TSA officials, and I know for a fact that a number of people inside DHS have read my research paper. Thus, it's not terribly surprising that the system in trial at Houston airport closely follows the design I outlined.
The authors of the privacy report were even nice enough to give me props, and mention my boarding pass security research as a motivation for the technology in the second paragraph of the document.
The makings of a surveillance state
TSA has clearly done a good job in designing this system, and making sure to include privacy analysis at the early design stages. The main problem though, is that it creates the foundations of a surveillance state. A world where TSA agents will be able to read through your digital dossier in detail as they decide how strictly to prod and probe you. This system, essentially, sets the stage for data discrimination at checkpoints.
When a passenger goes through a TSA checkpoint right now, the agent only has a few bits of information in front of him or her: The passenger's reported name, ID documents and the the physical features of the passenger (race, gender, dress, accent). Yes, it is possible for an airline to flag a passenger (the dreaded SSSS on a boarding pass), if the passenger's name appears on one of the watchlists. However, this is still very little information.
Imagine if, when going through a TSA checkpoint, the agents had a full dossier on each passenger - detailing everywhere you'd ever flown, any past criminal records, credit history, parking tickets and heck, even which books you've been seen reading in the airport. It's not such a wild fantasy, as US Customs Officers already have this information, and look at it when you enter the country.
What if ....
While the pilot program that TSA is using in Houston is privacy preserving, passengers will have no way of knowing if a future administration decides to update the software or hardware of the handheld devices. It would be very easy to add a wireless card to the devices, and no passenger would ever be the wiser. Suddenly, TSA agents would have a wealth of information at their fingertips, information that could help agents "fight the war on terror."
Such a change, if it did happen, would probably not require that TSA notify the public. Moreover, I doubt if it'd even have to tell the entire Congress. It would simply hold a closed briefing for the Intelligence Committees -- including the same gutless "gang of 8" who knew about the NSA's Warrantless Spying program for years, and didn't do anything about it.
To be clear, I'm not accusing TSA of doing anything wrong. All I'm saying is that once agents start scanning in bar codes with hand held devices, we the public will have no way of knowing what happens to the data. TSA is, afterall, rather trigger-happy when it comes to pseudo-classifying data as Sensitive Security Information .
Remember the National Security Letter powers that the FBI was given by the Patriot Act? Congress and the public were assured that there would be safeguards, and that they would be used correctly. Fast forward a few years, and we find out that National Security Letters have been widely abused, time and again.
I don't have an easy solution to recommend here. The current boarding pass system is easy evade, and digitally signed bar codes do solve this problem. However, given that passengers can still refuse to show ID when they fly (and thus totally avoid the watchlists), I'm not really sure what is the main goal of this pilot. Why spend millions to beef up boarding passes, when passengers can still slip through the system with no ID?
Perhaps the real solution, as crazy as it may sound, is for TSA to do their job - and screen passengers. As experts have noted over and over, a valid ID and boarding pass are not proof that someone is not a terrorist. Instead of wasting money and time trying to verify documents and ID cards, why not reallocate these resources to searching bags and patting down old ladies?
Thanks to Adam Shostack for tipping me off to the NYT article on the TSA pilot.
Public interest groups, academics and members of the press have hammered Google for its lax privacy policies. The criticism has mostly focused on the log deletion practices and browser cookie policies at the search giant. Google claims that search quality and user privacy are a zero-sum game: deleting log data makes it more difficult to improve search results. Perhaps the company is right. However, there are several other pro-privacy steps that Google could take to significantly protect its customers--which it has not done, and continues to reject.
Over the last few months, a number of Google's engineers have issued public statements on the company's public policy blog to defend its much criticized log data retention policies. The company claims that the data can be used to hunt down malware, to catch people defrauding its advertising system, and can be used to improve search results.
These high-profile Googlers make the case that user privacy and search quality are a zero sum game: deleting logs to protect customer privacy makes it far more difficult to provide a good search experience.
While I personally think this is a load of rubbish, I'm going to give them the benefit of the doubt today, because I want to focus on a different issue. Namely, that Google could take a few easy steps in other areas to protect customers from the prying eyes of AT&T, the NSA, or the pervert next door reading your e-mails sent over a wireless network.
Search terms
Imagine a normal search situation. A user will visit Google.com, type in a few words, "security blogs," perhaps, and click on the search button. From the search results page, a user will click on a link, taking them to www.some-website.com. Due to the way that Google has designed its search engine, Web site owners are given the search terms that brought each Web surfer to their site.
A more technical explanation of this is as follows: Google embeds the search terms that the user issued into the Web URL of the search response page. That is, an example search URL will look like http://www.google.com/search?q=security+blogs . This is known as a HTTP GET request. When a user clicks on one of the search results on that page, the Web site owner will be told the exact address of the referring Web site. Due to the fact that Google embeds the search terms in its results URL, the Web site owner learns which terms lead a user to their page.
Google could very easily stop including the search terms in the URL and thus stop passing on the search terms to the Web sites that users click on from a Google results page. It could do so by requesting that the user's browser send the terms to a Google server in a more discrete way. Many Web sites do this, especially those dealing with private information. Amazon.com and other e-commerce sites do not transmit the customer's credit card information by sending it in the URL--even on a SSL-encrypted Web session. To do so would needlessly endanger the user.
A switch to this more privacy-protecting method of Web data submission, known as a HTTP POST, would be a trivial change for Google's engineers. Furthermore, it wouldn't lead to any additional data processing resources for its vast number of servers. For Google, such a change would cost the company essentially nothing yet it would give its customers an immediate increase in privacy.
The only downside to such a change, would be the loss of information for Web masters. Companies would like to know which search terms drew a customer to their Web site, especially if that visit resulted in a sale. While no doubt useful for marketers, this is not something they deserve to know. Furthermore, Google's responsibility is to the users with the eyeballs. At the very least, if a firm wants to know what people are searching for--let it buy an advertisement from Google. Right now, Google gives this data away to every Web site owner, for free.
Encrypted mail
By default, all Google searches as well as e-mail sent and read via Gmail are transmitted in the open, over an unencrypted session. What that means, is that the data can be seen by anyone with access to the network--anyone else using the Wi-Fi connection at Starbucks, your Internet service provider, or any government agency that has tapped the Internet backbone.
All Web browsers support the SSL encryption standard. Google even offers encrypted access to Gmail users, if they know to ask for it. Users simply need to visit https://www.gmail.com, and their e-mail entire session will be safe from prying eyes.
Unfortunately, encryption is expensive, at least in terms of computing power. Turning SSL on by default for the millions of Gmail users would mean that Google would have to dedicate more computers to the service. Those computers cost money. A Google spokesperson confirmed this, telling me that "we have not made SSL the default due to capacity and latency issues."
Google has made a shrewd business decision: Those users who care enough about their privacy to read the company's FAQ can get a bit of protection for their e-mail, while those users who presumably don't care, are left exposed to hackers and snoops.
Google should change its policies with regard to SSL and e-mail. At the very least, it should mention the secure Web mail option and provide a link on the main Gmail log-in page. This information is currently hidden in one of the help pages. In an ideal world, Gmail would enable SSL by default.
Searches, exposed.
While the company offers encrypted Web mail, it does not do the same for searches. Currently, there is no way to keep your search terms secret from those who might be watching the network. Could the company offer this? Sure, but it has chosen not to. Primarily, because of cost.
Luckily, someone else has taken steps to fill the search privacy gap left by Google.com. A Texas man named Daniel Brandt has created a Google-powered privacy-preserving search engine: Scroogle.org.
Scroogle submits search queries to Google on a user's behalf, scrapes the results, and displays them to the user. Scroogle's search data policies are fantastic: no cookies, no search-term records and all access logs are deleted within 48 hours. The site uses HTTP POST requests by default, which helps to keep the search terms a secret between the user and the search engine. Furthermore, for those users willing to put up with the 1- or 2-second delay required to initiate an SSL connection, encrypted searches are available to users via https://ssl.scroogle.org/.
Over 130,000 searches per day are made through the Scroogle site, 10 percent of which use SSL. In an e-mail conversation, Daniel told me that his "ultimate goal is for Scroogle to survive long enough so that the public sector gets the idea that all major search engines should be treated like public utilities."
Daniel Brandt seems like a great guy. He's doing this for free--and accepts tax deductible donations on the Scroogle site. However, for users who don't trust Daniel's claims, they may wish to use the anonymizing TOR proxy in parallel with Scroogle.
What Daniel's site shows, is that privacy preserving search is possible. While Scroogle doesn't show any ads, if Google offered this service, they could still make a buck on it. Imagine that--making money, while not being evil.
Disclosure: I'm paid as a technology policy fellow by the Electronic Privacy Information Center, a public interest group that has repeatedly criticized Google for its privacy policies. Furthermore, I interned for Google in 2006, and have received a $5,000 fellowship from the company, both in 2006 and 2007.
