On the Ethics of Ad-Blocking

As the saying goes, if you’re not paying for the product, then you are the product. The business model for most of the Internet revolves around advertising – which in and of itself is not a bad thing. It may be an annoying thing, but passive advertising isn’t actually harmful. Passive advertising is placing ads where people can see them. And savvy marketers will place their ads in places where their target audiences tend to spend their time. If you’re targeting middle-aged men, you might buy ad space on fantasy football or NASCAR web sites, for example. If you’re targeting tween girls, you might buy ad space on any site that might feature something about Taylor Swift or Justin Bieber. And if it stopped there, I don’t think many of us would object – or at least have solid grounds for objection. After all, this advertising is paying for the content we’re consuming. Producing the content costs money – so someone has to pay for it or the content goes away.

Unfortunately, online marketing didn’t stop there. On the web, competition for your limited attention has gotten fierce – with multiple ads on a single page, marketers need you to somehow focus on their ad over the others. And being on the Internet (and not a printed page), advertisers are able to do a lot more to grab your attention. Instead of simple pictures, ads can pop up, pop under, flash, move around, or float over the articles you’re trying to read. Worse yet, ad companies want to be able to prove to their customers that they were reaching the right people and that those people were buying their product – because this makes their ad services far more valuable, meaning they can charge more for the ads.

Enter the era of “active advertising”. It has now become very hard to avoid or ignore web page and mobile ads. Worse yet, the code that displays those ads is tracking where you go and what you buy, building up profiles on you and selling those profiles to marketers without your consent (and without most people even realizing it). Furthermore, those ads use precious data on cell phones and take a lot of extra time to download regardless of what type of device you use. And if that weren’t bad enough, ad software has become so powerful, and ad networks so ubiquitous and so commoditized, that bad guys are now using ad networks to distribute “malware” (bad software, like viruses). It’s even spawned a new term: malvertising.

Over the years, browsers have given users the tools they need to tame some of these abuses, either directly in the browser or via add-ons. It’s been a cat-and-mouse game: when users find a way to avoid one tactic, advertisers switch to a new one. The most recent tool in this toolbox is the ad-blocker. These plugins allow the user to completely block most web ads. Unfortunately, there’s really no way for ad blockers to sort out “good” advertising from “bad” advertising. AdBlock Plus (one of the most popular ad-blockers) has attempted to address this with their acceptable ads policy, but it’s still not perfect.

But many web content providers need that ad revenue to stay afloat. Last week, Wired Magazine announced that they will begin to block people that use ad-blockers on their web site. You will either need to add Wired.com to your “whitelist” (allowing them to show you ads) or pay them $1 per week. They state clearly that they need that ad revenue to provide their content, and so they need to make sure that if you’re going to consume that content that you are paying for it – either directly ($1/week) or indirectly (via ad revenue).

So… what’s the answer here? As always, it’s not black and white. Below is my personal opinion, as things stand right now.

I fully understand that web sites need revenue to pay their bills. However, the business model they have chosen is ad-supported-content, and unfortunately the ad industry has gotten over-zealous in the competition for eyeballs. In the process of seeking to make more money and differentiate their services, they’re killing the golden goose. Given the abusive and annoying advertising practices, the relentless and surreptitious tracking of our web habits, the buying and selling of our profiles without our consent, and the lax policing that allows malware into ads, I believe that the ad industry only has itself to blame here. We have every reason to mistrust them and every right to protect ourselves. Therefore, I think that people are fully justified in the use of ad-blockers.

That said, Wired (and other web sites) also have the right to refuse to let us see their content if we refuse to either view their ads or pay them money. However, I think in the end they will find that people will just stop coming to their web sites if they do this. (It’s worth noting that some sites do well with voluntary donations, like Wikipedia.) Therefore, something has to change here. Ideally, the ad industry will realize that they’ve gone too far, that they must stop tracking our online pursuits and stop trafficking in highly personal information without our consent.

The bottom line is that the ad industry has itself to blame here. They’ve alienated users and they’re going to kill the business model for most of the Internet. They must earn back our trust, and that won’t be easy. Until they do, I think it’s perfectly ethical (and frankly safer) to use ad-blocking and anti-tracking tools.

Below are some of my favorite plugins. Each browser has a different method for finding and installing add-ons. You can find help here: Firefox, Safari, Internet Explorer, Chrome.

  • uBlock Origin – ad-blocker
  • Privacy Badger – anti-tracking plugin
  • HTTPS Everywhere – forces secure connections whenever possible
  • Better Privacy – another privacy plugin, slightly different from Privacy Badger

If you would like to get more involved, you might consider contributing to the Electronic Frontier Foundation.

 

 

Book review: Data and Goliath (Bruce Schneier)

I finally got around to finishing Bruce Schneier’s latest bestseller: Data and Goliath. I’ve read a few of Bruce’s books over the years (and own most of the rest, waiting patiently to be read). I’ve watched Bruce on many TV news segments, lectures, interviews, and web videos. I follow his blog and Twitter posts. I’ve even had the pleasure of emailing him from time to time. Some day I’d love to meet the guy. So… what I’m trying to say here is: fair warning, I’m a bit of a Bruce Schneier fan boy.

However, I feel this is completely justified. I tend to have the most respect for the even-keeled, professorial types – the ones who are passionate about what they do and highly knowledgeable about their field, but at the end of the day are most concerned with getting it right and avoiding hyperbole. That’s a small camp of people, but Bruce is definitely in it.

Bruce’s latest book is at once timely and timeless. The topics of computer security and online privacy are obviously hot right now in the wake of the Snowden revelations, but Bruce makes it clear that this stuff has been going on for a very long time now and will only get more important in the coming decades. I think Bruce was moved to write this book much as I was to write mine – people need to understand what’s going on here, but the fact of the matter is that they just don’t. At the end of the day, it’s up to us to demand change. Left to their own devices, corporations and governments will not cede the power that comes from massive data collection and mass surveillance.

Data and Goliath is remarkably comprehensive and well researched. Bruce draws on many sources – not just the Snowden documents (to which I believe he has had full access, at least for a time) but also from many insiders and security researchers, in addition to decades of experience.

In the first section, Bruce explains how we got where we are and what’s really going on. It was staggering to see it exhaustively cataloged. The enormity of the problem we face and the depth to which surveillance has already permeated our society is truly alarming. Even though I was aware of most of these things at one time or another, even I found myself shaking my head while reading this litany. One of the key take-aways from this section is how all of this data is used in concert to create a shockingly complete picture of each person’s life – not just digital life, but real life. Correlating all of these data streams results in something quite a bit larger than just the sum of its parts – which is something that I feel is lost on most people, but crucial to understand.

Bruce explores the harm that is already being done by this mass surveillance and data collection, and explores the very real future dangers in the second section of the book. Again, this is something that I believe everyday people just aren’t grasping. Too many people blow it all off thinking they have nothing to hide, so who cares? Everyone should care. I can’t do it justice in a paragraph – you’d think I was just being paranoid and blowing it out of proportion. Bruce walks you through why this all matters, with real-life examples, and clearly explains the deep impacts it is already having on our democracies.

Finally, Bruce wraps up the book with a wide range of things that we can and should be doing. What I love about Bruce’s approach is that it’s not all-or-nothing. Surveillance and espionage and even mass data collection all have their place in a civil society. Where many people get it wrong, I think, is to go to one extreme or the other. There is absolutely a sane, practical, and healthy middle ground to be found here. Targeted surveillance, when governed by transparent laws and reviewed by impartial third parties, makes perfect sense and has a place in democratic society. Collecting mass quantities of anonymous data can provide huge benefits for everyone – from medical research to traffic avoidance. It’s not always what we’re doing, it’s how we’re doing it. Still, Bruce comes down solidly on the side of an individual’s right to privacy and that computer security is essential for everyone. He just points out, very clearly, that that stance does not interfere with protecting ourselves from criminals and terrorists. That’s a false choice.

This book does not go into any detail, really, on how to protect yourself at a personal level – he even says that that would take an entire book (like, oh, say, I don’t know…. MY book). It does, however, explore many legal frameworks and “bill of rights” type proposals that are already on the table from around the world. Bruce also makes many solid and well-crafted proposals for approaching these problems – while many are politically difficult, they’re eminently rational and workable.

At the end of the day, though, it’s really up to us, as a people, to decide that we value our privacy and demand action – not just for ourselves, but truly for our society as a whole. The first step is to get educated… and if you had to pick just one book to read, Data and Goliath would be an excellent choice.

miniLock: how to send and receive encrypted files easily

For over two decades, the prevailing utility for sending and receiving encrypted files was PGP (Pretty Good Privacy) – including the popular free and open-source implementation GNU Privacy Guard (GPG). In order to use PGP, you needed to use a software tool to create at least one pair of encryption keys: one public (which you give away freely) and one private (which you guard very carefully). People use your public key to encrypt something and then send it to you via email or whatever. You then use your closely-guarded private key to decrypt it.

The problem, though, is that PGP is complicated and normal people just don’t have the patience for it. It’s also tricky to integrate PGP into things like email clients, especially web-based clients. And having to manage these keys is a real pain – they’re quite large and ugly. Here, for example, is one of my PGP public keys:

 


 

If the computer that stores my private key dies, then I can no longer decrypt anything that was sent to me. Worse yet, if that computer is lost or stolen, then anything ever encrypted with it is vulnerable.

There’s a new kid on the block called miniLock which has three very important improvements over PGP:

  1. The private key is generated using an email address and a long passphrase. You no longer have to worry about storing and potentially losing your private key; you recreate it as needed from something you can easily remember.
  2. The public key is much, much shorter – only 44 characters long. This may seem bad since we know that shorter keys make for weaker encryption, but miniLock uses a different form of cryptography that can use smaller keys with the same level of security.
  3. Under the covers, miniLock uses a new(er) type of encryption called elliptic curve cryptography which allows for much smaller keys.

For comparison, here is my public miniLock key (or “miniLock ID”):

dtsyrmf4mQamR3G4xfMaCRe5zdRi78M6rvdJr5owgtg8z

 

That’s it! These keys are so short that you can easily send them to others, even tweet them.

This tool is brand new and hasn’t even officially been released yet, let alone fully vetted by the crypto experts. But it’s got a lot of potential and may finally allow regular people to use truly-secure, end-to-end encryption for all sorts of communication.

Until encryption is easy and built in to everything, it won’t be used. We have to find ways to make it much more accessible – and miniLock is a valiant attempt.

Book review: No Place To Hide by Glenn Greenwald

I finally finished reading “No Place To Hide: Edward Snowden, the NSA, and the U.S. Surveillance State” by Glenn Greenwald. Glenn, a respected and fiercely independent journalist, along with CITIZENFOUR documentarian Laura Poitras (winner of an Oscar this year), were the two people Ed Snowden sought out to handle the release of the documents he took from the NSA, detailing the massive surveillance regime of both the United States (NSA) and Britain (GCHQ).

This book has four distinct stories to tell. The first two chapters detail how Ed was able to contact Glenn and Laura and manage to convince them that he was for real, and then the harrowing tale of how they met him in China and walked away with tons of classified documents that detailed the vast array of surveillance tools and programs used by the NSA and GCHQ. These two chapters read like a spy novel – a real page-turner. And yet, they’re just the setup for the real meat of the book. (I can’t wait to see CITIZENFOUR.)

The next three chapters cover three very distinct aspects of the situation. The third chapter, aptly named “Collect It All”, goes into detail on the surveillance techniques and processes, outlining the astounding depth and breadth of what these agencies are capturing. You’ve read a little of this in the mainstream press, but until you see these details laid out, you just can’t appreciate what’s really been going on. I actually found this chapter to be a little too heavy on the details – at times it was a little dry – but frankly there’s just no other way to convey the enormity of these surveillance programs.

The fourth chapter called “The Harm of Surveillance” does a fantastic job of explaining why constant, clandestine scrutiny and observation have such a profoundly adverse effect on the human psyche and democracy in general. This chapter methodically debunks the classic rebuttals to the worry over Big Brother such as “I’m not doing anything wrong so I have nothing to hide” or “if they want to listen to my boring life, then they’re welcome”, including some poignant references from U.S. history. It explains how the constant threat of being watched and overheard has a chilling effect not only on dissidents and adversarial journalists, but also on everyday citizens (the concept of the Panopticon that I covered in my book, as well). I think this may well be the most important chapter of the book for the average reader – to understand clearly why it’s actually counterproductive to trade privacy for “security” – in fact, it’s a false choice. These programs are a two-way mirror, allowing those in power to see everything that the governed are doing while blocking the governed from seeing what their elected representatives are up to. (You can also see a great TED talk from Glenn on this topic, but it doesn’t diminish the value of reading this chapter.)

The final chapter, “The Fourth Estate”, comes off as a bit of a rant against many modern journalists and their organizations, often by name. This is understandable given the harsh treatment Glenn and his partner have received from many of his “colleagues” and the governments of the United States and Britain. However, he’s absolutely right in calling out the failing of U.S. political journalism and how cozy mainstream journalists, editors, pundits and producers have become with the people and institutions they are claiming to be holding accountable. If I were in his position, I would have a very hard time not taking it all personally… well, because a lot of it has been very personal. But the important takeaway is not how Glenn in particular was treated, but how the media have abdicated their solemn duty to be a check on these powers, to be adversarial when necessary, to stand up for truth and justice, to challenge authority and power, to see the bigger picture and put things in proper historical context.

Bottom line: I heartily recommend this book for everyone. I wish some of the personal aspects would have been saved for a second book because it can be too easy to view his analysis as sour grapes. I happen to agree that he, his partner, Laura and Ed are being wrongly persecuted and maligned – but addressing these grievances in the book taints the more general arguments he makes. But look past that – just because he’s pissed off doesn’t make him wrong – he’s not wrong. This is an important book and essential reading for anyone who believes in true democracy (and the 1st and 4th amendments to the U.S. Constitution).

truly secure mobile communication (for free)

It’s been almost two years now and the bombshells from the Snowden leaks are still falling. If we didn’t believe it before, we must all now acknowledge that we simply cannot trust that our regular mobile communications are secure – that includes phone calls as well as text messaging. While I believe in my heart that companies like Apple are trying to minimize illicit access to these communications, their system and their software are closed and proprietary – and therefore, we can never be truly sure.

The only solution to this is 100% transparency: the software must be open for inspection and auditing. It’s the only way we can know what’s going on behind the scenes.

And thankfully, Open Whisper Systems has come to the rescue! Over the past few years, they have developed some fantastic apps for truly secure phone calls and text messaging – all completely open source. Co-founded by security researcher Moxie Marlinspike, these tools are the real deal – praised by both Edward Snowden and the EFF.

Originally developed as two separate tools for Android called RedPhone and TextSecure, they have since been combined into a new app called Signal for iPhone/iPad. (The Android apps will eventually be consolidated under the same name.) These apps will allow you to make truly secure phone calls and send text messages that simply cannot be cracked – anywhere around the world, for free. It doesn’t get much better than that. You use your existing phone number to register, making it easy to add your friends and family as contacts.

You can read all about how to install and set up these apps here:

Here’s the important part: we should ALL immediately download, install, and use these apps. And we need to encourage everyone we know to do the same. The only way this works is if everyone does it. And I mean everyone. Your mom. Your neighbor. Your kids. Your friends. Everyone. It’s not about having something to hide. You’re a human and privacy is a human right. When we’re being watched, we act differently (see this TED talk if you’re skeptical). The only way we can fight back against dragnet surveillance and avoid the Panopticon is to “go dark” – all of us. If you need more convincing, check out this wonderful essay by Bruce Schneier.

I’ll give you one more reason to download and use these apps: you will be registering your concern for privacy and showing support for groups that are taking steps to preserve this most basic of human rights.