The problem with being private is that it increasingly means that you have to choose to drop out of society. You would never let the government put a tracking device on you, but you may be carrying a cell phone that tracks your location. You don’t want the government monitoring your internet usage, but Google collects data on you.
Since most people find they can’t live without a cell phone or Google, they grudgingly accept that they will lose their privacy and become trackable. That doesn’t sit well with Moxie Marlinspike, a security hacker with the Institute for Disruptive Studies. He is a common speaker at security events, and he spoke at the Black Hat security conference in Las Vegas today about how to give users more choices by allowing them to hide from both Google and cell phone carriers without losing access to their services. (See our roundup of all Black Hat and Defcon stories).
Marlinspike (pictured) has set up two experimental services that allow you to stay anonymous and still use the internet. One service circumvent’s Google’s data collection methods. Google itself “anonymizes” search engine data after nine months by deleting the last eight digits of Internet Protocol address data. But Google gathers a lot of data on you through Gmail, Google Analytics, Google Checkout, and Google Health. You have to be logged in to use Gmail, and so that gives Google the ability to track you for advertising purposes.
“Make no mistake,” Marlinspike said. “They are a surveillance business. Their intent is not the same as the government eavesdroppers. The effect is the same. Who knows more about citizens in their own country, North Korean leader Kim Jong-il, or Google? Why is Google not scary? Because we choose to use it.”
To create anonymous access to Google, Marlinspike created an add-on for the Firefox web browser with a custom proxy server, which redirects you when you are using a Google application. If Marlinspike’s software detects a request for a Google service that does not require a login, it sends the request to the Google Sharing proxy server. That server anonymizes your identity and assigns a cookie to you that will work with the Google service. The link from you to the proxy server is encrypted using SSL technology.
You can then use the Google service without being tracked. It has been available for about six months and about 80,000 people are using it. Meanwhile, Marlinspike has also set up a way to do voice-over-internet-protocol VOIP calls on cell phones without being identified. The system, dubbed Whisper Systems, lets you make calls (via RedPhone) or send text messages (TextSecure) without being tracked. RedPhone creates encrypted phone calls so no one can listen into your conversation. TextSecure also encrypts your text messages.
The Whisper Systems service has been available for two months and has about 2,000 users. It is interesting and noble that Marlinspike wants to create a third path, which lets you participate in society without being tracked. But the sad truth is that many people probably won’t care enough to use these services.
VB's research team is studying web-personalization... Chime in here, and we’ll share the results.