Tuesday, September 27, 2011

It depends on how you look at it

Our modern life in the always-on Internet has become quite complicated and entangled; sometimes things look very different depending on which perspective you take. Below are three unrelated, but yet quite related, reflections on the implications of that choice of point of view:

  1. People are rhapsodizing over the new If This Then That web service platform, and there's no denying that it's a fascinating service. But before you declare it to be the future of everything for all time, you might want to spend a bit of time thinking about Jon Udell's critique:
    What if I only want to give IFTTT the power to tweet on my behalf, though, and not give up access to my private direct messages? More generally, how can I think about the tradeoffs involved in delegating all versus some versus no powers to IFTTT, across a range of services I might authorize it to use on my behalf?
  2. Some years back, the various browser vendors blurred the distinction between the "address bar" in your browser, and the "search box" in your browser. It used to be the case that these were separate, and you had to use each for the correct purpose: if you wanted to go to Apple's web site, you could go to your address bar and type in http://www.apple.com, and the browser would take the string you entered, interpret it according to RFC 1738, and retrieve the specified resource. Meanwhile, if you entered 'apple' into the search box, the browser would contact your preferred search engine, and send it the search request "apple", and display the results, probably something like these.

    Well, at some point this changed, and the browsers became more "user friendly", and it became possible to forget all that complexity, and just enter whatever you wanted into the address bar of your browser; if it was a URL, the browser went there directly; if it wasn't, the browser treated it as a search. In fact, Chrome has no "search box" at all, only an address bar.

    However, this blurring of the lines between "asking the browser to search for things for me" versus "telling the browser exactly what to do", while generally easing the user experience, has opened up a grey area in your use of the Internet, one you may not have been aware of, in which intermediate servers on the Internet are examining your search traffic and potentially altering your searches in ways that the Internet, and not necessarily you, find "better":

    • The New Scientist provides great coverage of this story, noting that
      Users entering the term "apple" into their browser's search bar, for example, would normally get a page of results from their search engine of choice. The ISPs involved in the scheme intercept such requests before they reach a search engine, however. They pass the search to an online marketing company, which directs the user straight to Apple's online retail website.
    • The EFF blog provides some more detail, with links to the original research, and explains that:
      Paxfire provides a product for ISPs that rewrites DNS errors (effectively conveying "the name you asked for doesn't exist") to responses sending users to search pages that host advertisements, for which Paxfire then shares the corresponding ad-related revenue with the ISPs. This practice has already been controversial.
    • There has been some discussion about whether this is, technically speaking, illegal. Julian Sanchez spends some time thinking about the problem, and issues his assessment:
      The mechanics are opaque to the average user, but Paxfire is in effect combing through all these messages to find the ones that maybe, possibly, perchance the user really meant to be an address rather than a search request, because they don’t really understand how their browsers work. And thaaats kinda wiretappy.
  3. Over at The eXileD, Yasha Levine spends some time thinking about an Internet service called CloudFlare, which is supposed to protect your users from accidentally visiting those dangerous parts of the Internet. Says CloudFlare:
    We automatically optimize the delivery of your web pages so your visitors get the fastest page load times and best performance. We also block threats and limit abusive bots and crawlers from wasting your bandwidth and server resources. The result: CloudFlare-powered websites see a significant improvement in performance and a decrease in spam and other attacks.

    Well, OK, notes Levine, but that also means that:

    People who sign up for the service are allowing CloudFlare to monitor, observe and scrutinize all of their site’s traffic, which makes it much easier for intel or law enforcement agencies to collect info on websites and without having to hack or request the logs from each hosting company separately. But there’s more. Because CloudFlare doesn’t just passively monitor internet traffic but works like a dynamic firewall to selectively block traffic from sources it deems to be “hostile,” website operators are giving it a whole lotta power over who gets to see their content. The whole point of CloudFlare is to restrict access to websites from specific locations/IP addresses on the fly, without notifying or bothering the website owner with the details. It’s all boils down to a question of trust.

When you're connected to everything, all the time, and all of your services are keeping track of you, and sharing and discussing and analyzing your activities in real time, you're interacting with an overall entity that is considerably more aware of who you are and what you do than you might realize, no matter how security-conscious or privacy-aware you might think you are.

It's not obvious what the answers are to any of these concerns, but it's great to see various people taking the time to raise the questions and study them and point out the various pros and cons.

No comments:

Post a Comment