Is Apple Pay Really Private?

Apply Pay, the new payment system unveiled by Apple yesterday was an intriguing alternative to using Debit and Credit Cards. But how private, and how secure, is this new payment system going to really be?

Tim Cook, Apple CEO, made it very clear that Apple intends to never collect data on you or what you purchase via Apple Pay. The service, in fact, adds a few new layers of security to transactions. But you have to wonder.

A typical model for data collection business models is to promise robust privacy assurances in their service agreements and marketing even though the long-term strategy is to leverage that data for profit. Anyone who was with Facebook early on knows how quickly these terms can change.

So, when we’re assured that our purchases will remain wholly private and marketing firms will never have access to them, how can we really be confident that this will always remain the case? We can’t. So, as users, we should approach such services with skepticism.

As with anything related to personal data, we should assume that enterprising hackers or government agents can and will figure out a way to access and exploit our information. Just last week, celebrities using Apple’s iCloud had their accounts compromised and embarrassing photos were made public. And while Apple has done a pretty good job at securing Apple Pay, it’s still possible someone could figure out a way in…and then you’re not just dealing with incriminating photos, you’ve got your financial history exposed.

So ask yourself:

  1. Can you think of things you buy that could prove embarrassing or might give people with malign intent a way to blackmail or do financial damage to me?
  2. If my most embarrassing purchases were to become permanently public, can I live with that?
  3. How would such public exposure impact my reputation, professionally and personally?
  4. Does the convenience of purchasing something with my phone outweigh the risks to my financial security?

Depending on how you answer this, you may want to stick with your credit card.

Or just go the analog route and use the most anonymous medium of exchange: cash.

Private Google Search Alternatives

Google NSA skin using Stylish Browser PluginA few weeks back, I dropped Google search in favor of DuckDuckGo, an alternative search engine that does not log your searches. Today, I’m here to report on that experience and suggest two even better secure search tools: StartPage and Ixquick.

The probelm with DuckDuckGo

As I outlined in my initial blog post, DuckDuckGo falls down probably as a consequence of its emphasis on privacy. Whereas Google results are based on an array of personal variables that tie specific result sets to your social graph…a complex web of data points collected on you through your Chrome Browser, Android apps, browser cookies, location data, possibly even the contents of your documents and emails stored on Google’s servers (that’s a guess, but totally within the scope of reason). This is a considerable handicap for DuckDuckGo.

But moreover, Google’s algorithm remains superior to everything else out there.

The benefits of using DuckDuckGo, of course, are that you are far more anonymous, especially if you are searching in private browser mode, accessing the Internet through a VPN or Tor, etc.

Again, given the explosive revelations about aggressive NSA data collection and even of government programs that hack such social graphs, and the potential leaking of that data to even worse parties, many people may decide that, on balance, they are better off dealing with poor search precision rather than setting themselves up for a cataclysmic breach of their data.

I’m one such person, but to be quite honest, I was constantly turning back to Google because DuckDuckGo just wouldn’t get me what I knew was out there.

Fortunately, I found something better: StartPage and Ixquick.

Google but without all the evil

StartPage is a US version of the Dutch-based search engine Ixquick.

There are two important things to understand about StartPage and Ixquick:

  1. Like DuckDuckGo, StartPage and Ixquick are totally private. They don’t collect any data on you, don’t share any data with third parties and don’t use cookies. They also use HTTPS (and no Heartbleed vulnerabilities) for all transactions.
  2. Both StartPage and Ixquick use proxy services to query other search engines. In the case of Ixquick, they query multiple search engines and then return the results with the highest average rank. StartPage only queries Google, but via the proxy service, making your search private and free of the data mining intrigue that plagues the major search engines.

Still some shortcomings remain

But, like DuckDuckGo, neither Ixquick or StartPage are able to source your social graph, so they will never get results as closely tailored to you as Google. By design, they are not looking at your cookies or building their own database of you, so they won’t be able to guess your location or political views, and therefore, will never skew results around those variables. Then again, your results will be more broadly relevant and serendipitous, saving you from the personal echo-chamber that you may have found in Google.

Happily private

It’s been over a month since I switched from DuckDuckGo to StartPage and so far it’s been quite good. StartPage even has a passable image and video search. I almost never go to Google anymore. In fact, I’ve used a browser plugin called Stylish to re-skin Google’s search interface with the NSA logo just as a humorous reminder that every search is being collected by multiple parties.

For that matter, I’ve used the same plugin to re-skin StartPage since where they get high marks for privacy and search results, they’re interface design needs major work…but I’m just picky that way.

So, with my current setup, I’ve got StartPage as my default browser, set in my omnibar in Firefox. Works like a charm!

Ed Sez – Tips from Edward Snowden on Foiling the Snoopers

At the recent SXSW conference, Edward Snowden supplied people with tips to complicate the lives, if not totally block, those that stick their noses in your online business.

Not to be confused with trying to ruin the chances of the NSA averting a nuclear strike by terrorists on my own country, I do feel there are some well-reasoned limits to what the US government should be doing, especially when it comes to figuring out ways to undermine secure Internet protocols. After all, when, as purported by Snowden, the NSA begins devising backdoor hacks into our web browsers, you can be certain that this only makes it easier for others (perhaps dangerous) individuals from doing the same.

In other words, in the name of the War on Terror, the NSA might actually be planting the seeds for the death of the Internet…or at least a 9/11 style assault on the world’s computer infrastructure. Students of the origins of Bin Laden and his connections with the US War on Communism might be right to feel a little déjà vu.

A related threat, of course, is that criminals might stand on the shoulders of the NSA’s good work and do some very bad work against you and your bank account and your identity.

Anyway, that’ my soap box speech on this.

But back to my recent spat of blogs on privacy and how to cover your virtual butts. Snowden did hand out a few treats for the kids at SXSW: two browser plugins that he regards as good ways to enhance your privacy against NSA or NSA-inspired hackers.

The first is Ghostery, which allows you to view what web services are collecting data on you when you visit a given web page. It goes further by letting you (Ad Block style) block, pause or allow such collection.

I’ve been using it for a few days and have found it fascinating just how many scripts are gathering info on me when I land on a given page. Right now, I have everything turned off, so that should take care of that.

I did experience one problem watching an embedded video on a website. In these cases, you can pause all of Ghostery or try to figure out which one of the dozen or so scripts it’s blocking is the required one for the video and then decide if it’s worth it.

The other plugin is called NoScript, which simply shuts down all scripts, including JavaScript, Flash, etc. I haven’t tried this out, but I’m expecting it be something I will only use sparingly given the amount of jQuery and other useful bits embedded in many web interfaces.

 

This Too Shall Pass – Deleting My Facebook Account

Screen Shot 2014-03-15 at 10.18.57 AMI’m killing my Facebook account.

And with it, I’m severing that company’s ability to collect data on my web habits, whereabouts, social connections (including off-Facebook connections) and financial transactions.

Apparently, I’ll also be reducing my exposure to NSA malware, as Mark Zuckerberg revealed in a public thrashing of Obama and the intelligence services that have been spreading malware through imposter Facebook sites.

This really won’t be that hard. Last year, I began experimenting with not using the social network, just to see how that was. This impulse was born from a general annoyance about FB’s murky privacy policies and the general tone of content on FB which had became increasingly irrelevant to my real social connections with people. (Remember when people started to appreciate that group emails were rude and began with the lines, “sorry for the group email!”…That’s how Facebook seems to me now, without the apologetic preface.)

BTW, if you’ve got your own suspicions about Facebook, the Electronic Frontier Foundation has put together a great timeline of Facebook’s shifting privacy policies. Reading their timeline is a great way to get your head around how free Internet services (FB, Gmail, etc.) are really about hooking you in with very clear and considered privacy policies that are planned to be revoked once they’ve got you dependent on them…or at least that’s how the timeline suggests this business model works.

Of course, deleting my Facebook account won’t be without costs.

If you’ve been a rolling stone like me, you have friends in many far-flung places. Facebook did make those connections feel stronger, so that aspect will be missed. But I’m online and quite findable, so if my pals from Japan or Europe want to find me, they only need know my name.

It turns out that completely deleting your account is a two-week process, described quite well on Digital Trends. The trick is that once you delete your account, you cannot log in for two weeks, or your account will be reactivated. That means you should first delete all apps from phones, tablets, etc. before deleting your account. You should probably delete your cookies too, just to be sure you don’t inadvertently reactivate it by triggering all those FB web beacons that mine the Interwebs.

Anyway, I’ll give my FB contacts a few days to run across my post and then I’ll zap it for good.

Better living through anonymity!

Back to Firefox – Update on Sync

This goes out to all you paraoid netizens out there, and if you’re not one, you should be…

As a follow-up to my last post on moving off Chrome and back to Firefox for privacy and security reasons, I wanted to document that I gave Firefox Sync a closer look.

Mozilla, the folks that develop Firefox, has a very detailed information page on Firefox Sync, but to sum up, this feature allows one to share add-ons, bookmarks, passwords, preferences, history and tabs across all your computers and other devices.

Firefox Sync PreferencesDouble-plus-good: you can decide what to sync and what not to. Because I’m trying to be extra careful with my data, I opted for syncing only my add-ons, bookmarks and preferences. One important note on syncing add-ons, this will install your add-ons across your devices, but not necessarily configure them, so you might have to do that part manually.

If you opt to sync your history, it will do so up to 60 days.

Reading over the security details of Firefox Sync, it seems like you’re in pretty good hands since sync uses an encryption key. I consider passwords and history going beyond my tolerance threshold, but these are likely pretty secure for most folks. My rule is to assume that hackers access my sync data: What can I live with leaking out to the public?

Add-ons? okay
Bookmarks? I guess so.
History? Not really
Passwords? Are you kidding?

When I set up sync, I also added Firefox as my default phone browser which I find no problems with yet and it’s nice to know that I’m surfing as privately on Android as on OSX.

A Technophiles Journey Off the Grid

Cookie Monster freaks out over cookies on his computer

Image by Surian Soosay

Okay, so it is likely impossible to actually “use” the Internet without it “using” you back. I get that. Terms of service get changed without clear explanation, cookies get saved, NSA snoops do what NSA snoops do. The whole business model of the Interwebs is set up to trade your info for access.

I’m under no illusions.

But, after the Great Target Hack and Edward Snowden’s revelations regarding the NSA (I think we were all waiting for these things to happen), I’m finding myself rethinking the trade offs I made concerning privacy and online anonymity for online convenience (and laziness).

There was a time, when I used to block cookies and obsess over terms of service agreements. Hell, I even used Tor from time to time.

But, after awhile, it just became easier to stop worrying and learn to accept a level of personally sanctioned data breach. But now with all the stories of identity theft, commercialization of your personal info and multi-governmental and corporate sweeps of such data…it’s time for a little reflection…and retreat.

So, I’ve decided to experiment with reducing my digital footprint and I’ll post updates from time to time on how’s it going, in addition to my occasional posts on library projects.

Among my experiments, I’m planning on moving out of Googlelandia as much as possible, starting with changing the default search in my browser and moving back to Firefox. I’ll cover the Firefox post next time, but for now, let’s look at life without Google Search.

Most people online probably don’t remember a world before Google and those that do, don’t want to remember. Needless to say, Google’s initial search algorithm was so good, that it rapidly conquered the search market to the point that Yahoo! handed over its search to Microsoft and the dozens of smaller search engines were quickly forgotten. Anyone remember Web Crawler? Exactly!

Screen Shot 2014-02-13 at 12.52.53 PMAside from Bing (hack!) and the Bing-lite Yahoo! search, there really aren’t many alternatives worth turning to when one needs anonymity. That is, except for DuckDuckGo, a search engine that uses secure HTTPS, does not use cookies by default and generally does not collect any data linked to you (see their privacy statement for more info).

And the search results are not that bad.

But they aren’t great.

Life on DuckDuckGo will be very reminiscent of the best old-school search tools from the pre-Google 90s. Gone will be the kinds of results that require an analysis of your personal search history, online social habits and analysis of your cookies. Often you’ll get exactly what you’re after, but just as often, you’ll get it a few results lower on the page, just below some commercial sites that are using keyword tricks to rise to the top.

For example, I’m thinking about what color scheme I want to go with for my new flat and used DuckDuckGo to find sites that could help me with that. So I did a search for something like: “paint interior design color tools.” The first result led to a 404 page. The second result was not too bad, a Benjamin Moore paint selecting tool for professional painters. Other results were somewhere between these two extremes, with many of them going to pages that were slightly relevant but failed in the “authoritative” category.

Google expends a lot of effort at weeding out, or drowning out, pages with low street cred, and you’ll probably hardly ever get to a 404 page thanks to their very busy and persistent robots. Something else that will be hard to find in Google is nothing. In Google, the dreaded “Sorry. No results were found” message would be an amazing and rare feat of your talents for obscurity. Not so in DuckDuckGo…these come up from time to time.

DuckDuckGo also lacks an image and video search functionality. For this, they provide a dropdown that lets you search via Google or Bing.

I’d also add, that I’m using DuckDuckGo in a Firefox omnibar plugin, so as I type, I get suggested hits. These are also not as accurate or relevant as the Google version, but I’ve also limited it by not preserving any search history in Firefox.

After a few days of trying this out, I do like DuckDuckGo enough to keep using it, but I have had several lapses of risky searches on Google. This is especially true for professional work, where Google knows my work interests quite well and serves up exactly what I need. But for general searches, DuckDuckGo is a good tradeoff for privacy wonks.

Stay tuned for more journeys off the grid including my return to Firefox and experiments with thumb drive applications…