Issue 01

December 4, 2017

Introduction

The Crossover is a newsletter about things that we think everyone today should know for their day-to-day interactions with technology.

As our reliance on technology grows, we anticipate a knowledge gap. There are those who are comfortable with technologies and possess the necessary technological skills and know-how to protect themselves online, and there are those who like to use technologies but do not have the necessary knowledge or skills to protect themselves even if they would like to. Learn. Become aware. Consider. Act.

We aim to give advice on digital rights, digital privacy and generally on using the internet. We curate a list of articles and we send out a newsletter with links to those articles. We provide our opinion on why people should be interested in these subjects. We also provide recommendations for simple tools (programs, software, add-ons) that people can use to help them to be safe, secure, and private when online. We also aim to take a moment to explain technology concepts in everyday language, or link to sources that do the same. All our recommendations are ours and we do not promote products or tools.

This is the first edition of our newsletter. There is no regular schedule for this newsletter and we will never send a new issue more than once a week.

To subscribe, you can visit https://tinyletter.com/thecrossover

This edition is also available at https://0io.eu/thecrossover.

If you would like to suggest topics or articles for future issues, please send them to thecrossover@0io.eu.

Learn

For this newsletter, we will explain third party scripts.

What are third party scripts

Every time you visit a webpage, you load a number of different assets or content, like images or text, as well as code. Usually, the more complex a webpage is, the more code is used to program the webpage and this code is split across multiple files. Because there is so much code that is common across all webpages, there are projects that provide code that can be reused as a library and embedded in any web page. What this means is that often a large part of the code being executed when you visit a webpage was not actually developed only by the people that developed that website, but also by third party developers that distribute their code. This code can have access to all the information you see on the webpage and to your user data, just like the code written by the developer of the actual webpage you are visiting.

Sequences of code, known as scripts, can access which keyboard keys you pressed, how you moved your mouse around the webpage, how frequently or how much you scrolled up or down, and they have access to the text you wrote before you submit forms (e.g., if you start to search for the term "abortion" but then delete it and search for "adoption", both behaviours could be known). These scripts can use this information to watch your every move and to see how you behave online.

Because some of these script libraries are so commonly used by webpage developers, developers often resort to Content Distribution Networks (CDN) to distribute these files. For example, Google provides a CDN for the open source library jQuery. This means that a developer who wants to use jQuery in their webpage can link to the jQuery instance stored on the Google servers. When you load that webpage, your computer will fetch the version stored on the Google servers, rather than a version stored on the same servers as the webpage you are visiting. Importantly, what this means is that by using their CDNs, these companies can now track you through the different websites you visit.

Suppose that you visit two websites, and they both use a version of jQuery hosted at Google. On the first website, you search for information about a particular disease (e.g., high blood pressure). As the webpage accesses the jQuery hosted at Google, Google logs this request. Now you visit a website about medications to control or treat this disease (e.g., ACE inhibitor) and Google again logs this request and can now tell that you visited both websites. As the host of this CDN, Google could know both pieces of information about your search. This data could then be used to try and infer something about you, or could be sold to private companies (e.g., insurance companies) for advertising or other purposes.
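The two-site scenario above can be checked from the reader's side. The following is an added example, not part of the original newsletter: it lists the third-party hosts each page loads scripts from and reports the hosts common to more than one site, which are the ones in a position to link the visits. The page URLs and HTML are constructed, and "first party" is approximated as the page's own host or its subdomains.

```javascript
// Added example (not from the newsletter). Sample pages below are constructed.
// Simplification: "first party" means the page's own host or a subdomain of it;
// a production tool would compare registrable domains via the Public Suffix List.

// Return the set of third-party hosts that serve <script src=...> on a page.
function thirdPartyScriptHosts(html, pageUrl) {
  const pageHost = new URL(pageUrl).hostname.replace(/^www\./, "");
  const hosts = new Set();
  // Match the src attribute of each opening <script> tag (quoted or unquoted).
  const tagRe = /<script\b[^>]*?\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  for (const m of html.matchAll(tagRe)) {
    const src = m[1] ?? m[2] ?? m[3];
    let url;
    // The base URL resolves relative and protocol-relative src values.
    try { url = new URL(src, pageUrl); } catch { continue; }
    if (!/^https?:$/.test(url.protocol)) continue; // ignore data:, blob:, etc.
    const host = url.hostname;
    if (host !== pageHost && !host.endsWith("." + pageHost)) hosts.add(host);
  }
  return hosts;
}

// Given several pages, report third-party hosts loaded by more than one site.
function sharedThirdParties(pages) {
  const seenOn = new Map(); // third-party host -> Set of sites that load from it
  for (const { url, html } of pages) {
    const site = new URL(url).hostname;
    for (const host of thirdPartyScriptHosts(html, url)) {
      if (!seenOn.has(host)) seenOn.set(host, new Set());
      seenOn.get(host).add(site);
    }
  }
  return [...seenOn].filter(([, sites]) => sites.size > 1)
    .map(([host, sites]) => ({ host, sites: [...sites].sort() }));
}

// Constructed sample pages mirroring the scenario in the text.
const pages = [
  { url: "https://health-info.example/high-blood-pressure",
    html: `<script src="/js/site.js"></script>
           <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>` },
  { url: "https://www.pharmacy.example/ace-inhibitors",
    html: `<script src='//ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js'></script>
           <script src="https://static.pharmacy.example/app.js"></script>
           <script src="https://stats.tracker.example/t.js" async></script>` },
];
console.log(sharedThirdParties(pages));
```

A host that appears in this output receives a request from your browser on each listed site, which is what makes the cross-site logging described above possible.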

Not all third party scripts are malicious. For example, jQuery is a frequently used open source library that can make website development easier. However, there are also malicious third party scripts that can actually track your behaviour online. You can avoid some of these third party scripts by using uBlock Origin and Decentraleyes, although it is important to understand that these are not the perfect solution and do not protect against all types of tracking. See below for a description of these add-ons and what they can and cannot do.

Become aware

No, you’re not being paranoid. Sites really are watching your every move

https://arstechnica.com/tech-policy/2017/11/an-alarming-number-of-sites-employ-privacy-invading-session-replay-scripts/

In this article the author describes how big companies are using third party scripts to spy on a user's online behaviour.

"Collection of page content by third-party replay scripts may cause sensitive information, such as medical conditions, credit card details, and other personal information displayed on a page, to leak to the third-party as part of the recording," Steven Englehardt, a PhD candidate at Princeton University, wrote. "This may expose users to identity theft, online scams, and other unwanted behavior. The same is true for the collection of user inputs during checkout and registration processes."

"A study published last week reported that 482 of the 50,000 most trafficked websites employ such scripts, usually with no clear disclosure. It's not always easy to detect sites that employ such scripts. The actual number is almost certainly much higher, particularly among sites outside the top 50,000 that were studied."

We're building a dystopia just to make people click on ads

https://www.ted.com/talks/zeynep_tufekci_we_re_building_a_dystopia_just_to_make_people_click_on_ads

We think this is a must watch talk. Sociologist Zeynep Tufekci shows how major tech companies are building their products around ads and describes the dangers of this approach. Tufekci provides some disturbing examples of how the technology used by big companies can be used to influence our society. For example, Tufekci explains how Facebook could use data they already have, or outcomes from the social experiments they are currently running, to control the results of democratic elections.

These structures are organizing how we function and they're controlling what we can and we cannot do. And many of these ad-financed platforms, they boast that they're free. In this context, it means that we are the product that's being sold.

"We have to face and try to deal with the lack of transparency created by the proprietary algorithms, the structural challenge of machine learning's opacity, all this indiscriminate data that's being collected about us. We have a big task in front of us. We have to mobilize our technology, our creativity and yes, our politics so that we can build artificial intelligence that supports us in our human goals but that is also constrained by our human values."

Consider

Has Web Advertising Jumped The Shark?

http://blog.dshr.org/2017/11/has-web-advertising-jumped-shark.html

The author of this blog describes the current problems with web advertising:

The first point is of particular interest. The author shows how bad guys use third party scripts to exploit users, in many cases introducing security vulnerabilities or introducing code that mines a cryptocurrency into a user's browser.

Firefox 57 is out

https://www.mozilla.org/en-US/firefox/57.0/releasenotes/

https://techcrunch.com/2017/09/29/its-time-to-give-firefox-another-chance/

Mozilla recently released a new version of their browser. Firefox 57 is a complete rewrite of their browser core and it's a major improvement to their browser. If you previously tried Firefox but abandoned it for Chrome/Safari/etc. because it was too slow, you should give Firefox another try.

A note on browsers. A common misconception is that the Google Chrome browser is open source; however, this is not true. Chrome is based on the open source browser called Chromium, but Google adds closed source code to Chromium and releases the browser as Chrome. This means that there is a significant amount of code in Chrome whose behaviour we cannot verify. This is especially worrying since Google is an ad company and would certainly benefit from knowing more about you and your browsing habits. Google is also a for-profit company with ad publishers and other big companies as their main clients. As such, maximizing the profit of those companies will always be put before maximizing your experience.

Even though Chromium, and not Chrome, really is an open source browser, the development is mostly driven by Google software developers whose job it is to write code that ends up supporting Chrome.

For this reason, we recommend using Firefox, a completely open source browser developed by the Mozilla non-profit organization.

Act

Recommended browser extensions

uBlock Origin

https://github.com/gorhill/uBlock/

uBlock Origin is a browser extension that is available for Firefox, Chrome and even Safari. It is a very fast performing ad and third party script blocker. It also includes some anti ad blocker functionality. It is completely open source.

We recommend you go to uBlock's settings and enable a few block lists that are not enabled by default. This makes uBlock block some extra 3rd party scripts. You can go to Settings -> 3rd party filters and enable the following checkboxes if they are not already enabled:

This blocks most ad servers and known trackers. If you are worried that this does not block all trackers you can also set up Privacy Badger.

If you are a power user, we recommend you run this extension in advanced mode and block all 3rd Party Scripts and Frames. This will break most websites and you'll have to manually allow the 3rd party scripts you trust. See this page to configure uBlock Origin to use Advanced mode.

Privacy Badger

https://www.eff.org/privacybadger

Many people use the Ghostery extension to block ad trackers. However, Ghostery is developed under a proprietary license and may sell some data about your browsing habits to 3rd parties. If you are worried that uBlock Origin does not block all trackers, you can either run it in advanced mode, or install Privacy Badger. This extension is developed by the Electronic Frontier Foundation and it's open source.

Decentraleyes

https://decentraleyes.org/

Decentraleyes includes third party scripts that are usually used by developers to build webpages. It detects when your browser is trying to access remote versions of scripts, for example those stored in a large CDN like Google, and intercepts the request. Instead, it returns the version that is stored on your computer. This way the CDN will not receive your request and cannot be used to track you.