The Secret Service and Yellow Tracking Dots in Printers

I was happy to receive an email today from freelance journalist Theo Karantsalis. Since 2010, he's been trying to get the US Government to fess up about which printer manufacturers they are in cahoots with.

Readers of my blog may recall an effort I made a few years ago to get Lexmark, the printer company, to fess up to using the tracking dot technology. It eventually worked - they admitted it.

Theo's Freedom of Information Act (FOIA) request has revealed the other side of the story: the US Secret Service sent him an official list of ten manufacturers that have "fulfilled or agreed to fulfill document identification requests submitted by the Secret Service... using machine identification code technology".

The manufacturers are:

• Canon
• Brother
• Casio
• Hewlett-Packard
• Konica
• Minolta
• Mita
• Ricoh
• Sharp
• Xerox

In other words, these manufacturers have helped (or have agreed to help, in the future) the US Government identify individuals through the near-invisible secret dot pattern that their colour printers print on every page. Lexmark didn't make the list, even though they have the dot technology enabled. 

For those of you keeping track: the government AND the manufacturers have finally fessed up: "yes, this tracking dot technology is a real thing and we use it". So it's not a secret anymore, right? Well... maybe with all the digital privacy issues these days, paper privacy issues don't get precedence. If we can't communicate privately on paper, how can we expect to communicate privately online? 

Theo's news post

FOIA request on Scribd

Brahm's Yellow Dots cross-post

Accessible Encryption, Privacy & Security

Sometimes I talk to people about things like privacy, security, or data redundancy and they look at me like I'm a crazy person - why would anyone care about that? Do you have to be some sort of sick weirdo to care that much about those issues?

The reality is that my digital life is pretty boring, but it's important to me. I've had relatives have their emails "hacked" and I can only imagine how much it sucks to lose all of your correspondence and contacts. I've seen stories of people who bring their computers to a shop to have them repaired, and the creeps at Best Buy copy all sorts of personal files to snoop through later. I'm also extremely uncomfortable with the idea of people (internet service providers, governments) monitoring my web browsing habits, just like I'd be uncomfortable reading my physical mail and packages, or looking at my library history, or reading through my medical files.

Here's a few pieces of software that I use to keep myself safe and secure.

KeePass - free - www.keepass.info

One of the worst things you can do online is use the same password EVERYWHERE. If someone breaks into your email account, they can search your history to find all the services you subscribe to (Facebook, your bank, Skype, etc) then try your password on those sites. Odds are in their favour that it will work.

KeePass is a vault where you can store all of your passwords. You set a "master" password on the vault, then save all of your other passwords inside. KeePass also has a password suggester/generator which helps change all of your dumb passwords into awesome passwords. The file is highly encrypted (you generate entropy for the encryption by waving your mouse around the screen) and can't be accessed if you use a complex password. KeePass looks like this:

Generally I have a few unique passwords I remember, like my Gmail account. But everything else goes in the vault, and I randomly generate a 20+ character password for each account. If you asked me what my online banking password was, my honest answer would be "I don't know". I've been using KeePass for over four years and find it indispensable.


TrueCrypt - free - http://www.truecrypt.org/

TrueCrypt is free and open source hard drive encryption software. You can choose to encrypt your whole hard drive, create an encrypted "container" (like a folder) that you can encrypt and decrypt on the fly, or create a secret, undetectable hidden partition. Like KeePass, it uses extremely robust encryption to secure whatever you need away from prying eyes.

What would you store there? Ask yourself this question: If someone stole your computer, do you have any files that you'd never want to be shared with the world? Those are the files you'd encrypt with TrueCrypt. Maybe it's your tax return, maybe it's some bad Grade 8 creative writing that you can't bring yourself to delete, maybe it's your digital diary, who knows.

Or maybe someday you're going to have to cross a border into another country. Border security agents are getting more and more power to do things like copy your entire hard drive onto their systems for analysis. Imagine landing in London only to be immediately deported for having some pirated movies on your laptop. Forget asking whether they might find anything incriminating - do you think your personal data is safe with them?

Just how good is this encryption? Right now, there's a mortgage fraud case in the States where a judge is ordering a defendant to decrypt the contents of her laptop because the Feds can't break it.


Prey - free (for basic version) - http://preyproject.com/

Prey is free (for the basic version) and open source software that helps you recover your computer, phone, or tablet if its stolen. You install the software once, then write down your website username and password somewhere safe (how about your KeePass vault, backed up on your Dropbox account?).

If someone steals your computer and connects to the internet, Prey acts like a "good guy" Trojan horse - you can turn on the webcam, take a picture of the bad guy, and get information about where it's connecting to the internet from (without the thief knowing). You can take that info to your local police and they'll usually step in and get it back. Prey has a whole blog of success stories of people who recovered lost or stolen devices with Prey:
http://preyproject.com/blog/cat/recoveries


A VPN (I use WiTopia, which is $50-70 per year)

I just blog posted about this the other day - go read this post: http://blog.brahm.ca/2012/02/virtual-private-networks-and-why-you.html


Tor Browser - free - http://www.torproject.org

In my blog post about VPNs I give an over-simplified explanation of how VPNs work. Tor is a network of VPNs that obfuscates your location by encrypting your web traffic and routing it through multiple "Tor nodes" all over the globe. A super-detailed explanation can be found here.

I first heard about the Tor project a few years ago, when it was significantly less user friendly - it required a lot of end-user configuration. I just checked it out today, and wow, I'm impressed. It can be downloaded as a pre-configured instance of Firefox's portable edition that "just works". You start it up, wait a second as it builds an encrypted connection, and this is what you see:

If you're trying to access the internet from a country with a crazy dictator or want to take the simplest step possible to protect your privacy when you're travelling, install Tor Browser. Here's a list of who uses it, and why.

--

Make yourself and your data safe, and protect yourself from digital snoops!

Virtual Private Networks and Why You Might Want One

On Tuesday I signed up for a paid Virtual Private Network (VPN) service. Why? In three words: privacy, security, and flexibility.

The internet is not a series of tubes as you may have been led to believe. It is a network of computers that all have to talk to each other. Sometimes it is not clear who owns what computer, if they are using it for good or for evil, or if it can access your private data.

Here's a simplification of how the internet works. Let's say you want to visit Wikipedia, so you type http://en.wikipedia.org into your browser. Your network traffic (requests you send to the internet, and the data that comes back) first passes through your local network. This is literally the network you're connected to - a router at home, a wifi hotspot at Starbucks, or maybe a computer lab on campus.

Next, the traffic passes through your Internet Service Provider's servers: SaskTel, Shaw, Rogers, etc. Finally, your traffic passes through more servers until it gets to Wikipedia's servers. Wikipedia's servers then sends information back to you the same way you received it. Anyone who is determined enough can snoop at what you're looking at - maybe someone sitting at the other side of Starbucks, or maybe someone who works at Shaw, or maybe some tricky hacker.

A VPN creates a highly encrypted and secure connection (a "tunnel") between your computer and a VPN server. If you type http://en.wikipedia.org into your browser when you're using a VPN, the VPN server "asks" Wikipedia for the info you wanted, then sends it on to you. Wikipedia won't know anything about you (unless you're logged into a user account) and it cannot tell you're using a VPN, and no-one between the VPN server and your computer can see what's going on, either.

Here's a diagram I made (all by myself!) that explains how VPN works. Click to enlarge:

It is virtually impossible for anyone between your computer and the VPN server to figure out what you're doing on the internet - whether it's paying your bills, submitting your tax return, typing a note to your sweetie, learning about dogs and cats, or watching a saucytime grownup film.

Privacy and security are good enough reasons to get a VPN - I'm confident that data I'm transmitting on my computer can't be intercepted by local hackers, my Internet Service Provider, the government, or whoever might be "listening" to internet traffic. But the coolest feature - at least for Canadians - is flexibility.

Lots of websites know roughly where you're browsing from, based on your IP addresses. It's why when you type "www.google.com" you're taken to www.google.ca. It's why Canadians can't watch lots of streaming videos, due to dumb licensing rules.

But with my VPN provider, I can pick a VPN server anywhere in the world, so my traffic looks like it's coming from anywhere in the world. I can pick a server in New York City and immediately start watching videos on ComedyCentral or Hulu (or others). Or I can pick a server in the UK and start watching BBC content.

I selected WiTopia.net as my VPN provider. They are very well-reviewed, and in my limited experience - great. They responded to a bunch of pre-purchase questions quickly and with lots of details. There are some free VPN providers out there, but it's easy enough for a 16-year-old hacker to set up a VPN server and make it look legit - so I'm paying for peace of mind. With WiTopia, you can pay by the day, month, or year, and there are lots of money-back guarantees. So check them out if you want to protect your online info and free yourself from the shackles of location-based internet!

Blog post: done. Now I'm off to watch full episodes of the Colbert Report!

Yellow Dots Blog visits the frontpage of Reddit

Wow - someone submitted a link to my Yellow Dots blog to reddit (a massively popular link-sharing site) yeterday. I was quoted in PC World magazine about the tracking dots issue back in June and I thought that would be big exposure, but I was wrong.

Here's a snapshot of my all-time Yellow Dots blog traffic:

That tiny little blip near July is PC World magazine traffic. That massive spike in November? Reddit. You can see that I have had 181,000 pageviews in the last month, but (do the math) I only had 6,000 pageviews before this reddit exposure.

Here's the weekly traffic:

It was pretty cool suddenly getting that level of exposure. All that traffic generated about 15 or 20 new blog comments of all varieties, which I spent some time responding to. But it only lasted about six hours - suddenly, it was all over, and the internet's attention was focused elsewhere! (As depicted by the sharp drop-off in traffic).

When I started the Yellow Dots blog, I wasn't aiming for immediate exposure - I wanted to document my experiences online for other people to find. It looks like that's exactly what happened! In fact, I sent a message to the person who submitted a link to reddit and asked where they found the link. Their answer - Google! It made my very happy :-)

"Brahm's Yellow Dots" Blog Linked & Quoted in PC World!

A few years ago I learned about the secret matrix of yellow dots that colour laser printers embed on every single page you print on colour laser printers - even B&W-only pages. The key word here is laser - traditional colour inkjet printers don't do this (at least that we know of).

Don't believe me? Print anything from a colour laser printer. Scan it at the highest resolution you can. Now look closely. Here's what I found on my printer and here's some further analysis.

Anyway. I blogged, and I blogged, I wrote letters and made phone calls to Lexmark Canada until they finally admitted to making their printers include the secret yellow dot pattern. This pattern is unique to every printer and can be used to identify from what printer a document is printed - which is, in my opinion, a privacy issue. My motivation was exploring the issue from the consumer side and seeing how a company would respond to a consumer challenge of the technology.

Eventually I got a letter from the president of Lexmark Canada, offering me a refund for my printer. I didn't want the refund (I still liked the printer, despite the privacy issue), but in my mind the story was done. Mission accomplished - consumers who were willing to be vocal enough could at least achieve a refund. The blog didn't get any attention during my adventures, so I left it online for others to find... eventually.

Fast-forward to earlier this week. I get an email from a senior editor at PC World asking if they can link to the blog for an article they're writing on the yellow dots issue! I sent a reply back saying "absolutely" and some reasons why I left the blog online.

PC World published their article yesterday and even quoted my email! Here's an excerpt:

Consumers who discover the dots are understandably surprised. Brahm's Yellow Dots, a blog dating from 2008, chronicles the efforts of Brahm Neufeld, a student at the University of Saskatchewan in Canada, to communicate with his printer's vendor, Lexmark, after a friend told him about the yellow dots. To Lexmark's credit, the company eventually acknowledged what was going on and even offered to refund Neufeld for his printer. Neufeld, now an electrical engineer, remains concerned about the technology and the extreme discretion that printer vendors are exercising around it. "My motivation was always to document my experience--as a consumer--trying to get printer companies to fess up to this somewhat-shady practice."

How cool is that! I am curious to see if this makes it to the print version of the magazine.

I took a peek at my blog's analytics and I've netted about 1,000 new hits from the article. Not bad!

(for the Yellow Dots blog, not this one)

Cheers to PC World who is keeping some momentum on this issue going!

Mandatory Disclosures of Privacy Breaches in Saskatchewan

This headline popped up in my Star Phoenix news feed the other day:

"Province Ponders Revealing Privacy Breaches"

I quote, from the article:

"The issue here is this is people's private information," said NDP house leader Kevin Yates. "When your private information has been given to a third party, people have a right to know that, not only the individual but the public also has a right to know that if their information guarded by SGI . . . or held by any agency is allowed to be made public. That is of concern to everybody."

Kudos, Kevin Yates and everyone who agrees with this idea! Citizens should absolutely have a right to know about when their private data has been accidentally distributed to third parties.

To those of you who are on the fence: other organizations know a lot about you. Saskatchewan Health Region knows your health, the U of S knows your academic record, the Government knows your name, address, and SIN number. The fact that organizations are not legally obliged to disclose privacy breaches is crazy!

Here's an even better idea. What if the law required organizations to notify citizens of ANY time their personal information is disclosed (en masse) by any organization. This would mean that any time your information is lost, leaked, sold, accessed or otherwise distributed, you know about it. Let's assume there's a fair use exception, like if a contractor needs to let a subcontractor know your address for work you've hired the contractor to do.

There would be two immediate benefits to this system: For one, citizens have the benefit of knowing who is holding their private information. Secondly, if violators faced significant fines, organizations would have to tighten their control of private data - especially in Regina, where medical records have been found blowing around on the street.

On the scale of confidential, need-to-know, and right-to-know, I'd argue that when your personal information is involved, notification of privacy breaches should be a right.

Canadian Privacy Commissioner's Google Street View Probe: Let's Drop It

On Friday, May 14, 2010, Google announced that their camera-laden Street View cars had been inadvertently been collecting unencrypted wifi data:

"...we have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) WiFi networks, even though we never used that data in any Google products." (source: Google)

I recommend reading Google's entire explanation for an example of a perfect admission of wrongdoing and accompanying apology. Straight out of the good communication textbook, Google:

1. Acknowledged their wrongdoing (collection of unsecured wifi data);
2. Recognized feelings of anger, frustration, disappointment and betrayal;
3. Took full responsibility for their actions;
4. Explained their error without assigning blame;
5. Offered a sincere apology;
6. Offered an immediate fix for the problem (grounding of all Street View cars, contacting government regulators about how to dispose of the data).

In response, Canada's Office of the Privacy Commissioner is launching a full investigation into what happened (see link for news release).

Says Privacy Commissioner Jennifer Stoddart:

“We have a number of questions about how this collection could have happened and about the impact on people’s privacy. We’ve determined that an investigation is the best way to find the answers.”

But... don't we already have the answers? Google collects data, Google realizes mistake, Google releases details of exactly what happened and how, Google gets in touch with governments so they can delete this data properly. And because Google collected the data and not evil hackers, guess what the impact was: nothing.

I like the Office of the Privacy Commissioner. They're a taxpayer-funded office who promote and protect the individual privacy rights of Canadians - and I'm down with that. They've slapped Facebook into shape on more than one occasion. But do we need to be spending taxpayer dollars on an investigation where there isn't anything to investigate?

Canada isn't the only country getting up in arms. The Consumerist is reporting that 30 American states are banding together for an investigation of their own. 

Here's the real issue. The data in question that was collected by Google was pulled off unsecured wireless networks. In layman's terms, that's a network without a password and encryption. People were (in all fairness, unknowingly) broadcasting their internet interactions for the world to see. Yes, that includes emails and passwords!

Forget about Google, what about Wardriving? There are far less-responsible people and organizations than Google who are pulling information from unsecured networks all of the time. Suddenly, the fact that Google's sitting on information from our private networks is awesome - now that they have it, they can protect it, they know they have to get rid of it, and they can't use it maliciously. And they're good at security. When Chinese hackers hacked Google, Google hacked them back.

The Office of the Privacy Commissioner should be helping Canadians by lowering the number of people who are accessing the internet over unsecured networks. They should be developing ways to make sure products like routers and laptops are safe (privacy-wise) to use out of the box, and to promote the use of secure protocols to websites that handle sensitive information (banks, social networks, email, etc). They should be finding ways to better educate the public on taking privacy matters into their own hands. They should be working with Google to dispose of that private data as quickly as possible, rather than work against them through an investigation. They should be developing programs so that everyone can understand privacy and data in the digital age.

Forget about this investigation. It should be the end-user's responsibility to take steps to protect their own privacy. No user is perfect - I've helped lots of people with different computer issues, and I've made plenty of mistakes myself. No hardware is perfect - many wireless routers are "broken" out of the box, in that their out-of-box settings are terribly insecure. Lastly, no software is perfect - Google's Street View cars were obviously flawed.

Still, individuals must accept a higher degree of responsibility for their digital privacy and security. Nobody would paint their SIN number on the side of their house, yet there are plenty of unsecured wireless networks doing just that.

The Internet Beyond Facebook

I deleted my Facebook account just before it was "cool" - at the end of April 2010. See? This is the Google Search Trends for the query "delete Facebook":

It was just after I read the Eroding Privacy Timeline, published by the Electronic Frontier Foundation, and right before these events happened:

1. May 5 - Facebook Security Hole Exposes Private FB Chats and Friend Lists to All
2. May 6 - Instant Personalization Adds Malware to FB Profiles
3. May 7 - Facebook Leaks IP Addresses of Users
4. May 11 - Shameful New York Times Interview With Facebook Exec
5. May 17 - OpenBook is released (not by Facebook), which lets you search Facebook's newly-public updates for people who are publicly announcing that they hate their boss, are using drugs, and are having sex (etc).
6. May 21 - "Anonymous" User/Ad Data Found Not Anonymous

Yes, May 2010 was a bad month for Facebook and I am glad I got out when I did (not that my account was actually deleted).

Here's a fair question of me: If I care so much about online privacy issues, why do I have a blog, a homepage, a Google/Gmail account, a Twitter account, etc?

For one, most of the online services I subscribe to have fairly easy-to-read and easy-to-digest privacy policies (example: Gmail. Counterexample: Facebook's privacy policies over time). Second, my favourite services often give me an easy way out - it's easy to delete accounts, unlike Facebook. Third, most of these services have spent a lot of time building and earning my trust as a user - Facebook has always been sketchy. Fourth, and perhaps most importantly, the services don't radically change over time, at least not to the insane degree that Facebook has changed from privacy-centric to advertiser-centric.

(I'll admit that the services I like aren't without flaws. I am a fan of Google products but they dropped the ball with Google Buzz when it was released).

There's a difference between leading a private life and the expectation of the right to privacy. For example, from Fall 2008 to Spring 2009 I spent months trying to get more information on the secret yellow tracking dots that colour laser printers use to identify document owners (it's not a conspiracy theory!). I got in touch with Lexmark and they eventually offered to give me a full refund on my years-old colour laser printer, but I was more concerned with the overall privacy issue at hand, not my personal privacy. I declined the offer.

Back on topic. Privacy issues aside, Facebook had evolved into a service that just wasted my time. I'd log in (several times per day, usually) and just creep updates. Then, I realized that the reasons most people used Facebook suddenly no longer applied to me!

• Photo sharing - Facebook does this well, but there are free alternatives with more flexible privacy controls like Flickr and Google's Picasa.
  
  
• Staying in touch with friends and family - That's why I have a phone (voice/text/BlackBerry Messenger) and email.
  
  
• Reconnecting with old friends - There are lots of other ways to do this.
  
  
• Connecting with organizations through Fan Pages - Often congested and ugly for big organizations and under-used and neglected for small ones. Also, this feature is now less about connecting and more about marketing.

I'm not arguing that everyone should delete their Facebook account; I am arguing no-one should feel trapped by something they optionally use. If you feel trapped, it's a sign you need to escape.

I felt cut off for the first few days after deleting my Facebook account, but now that it's gone, I don't feel like I am missing anything - I can waste my time doing other things! My subconscious urge to constantly check it is gone - I've escaped from the trap!