From Tesla Motors to the “Patriot Hack” - Martin Eberhard on Protecting Your Privacy Online

I found Martin Eberhard, co-founder and former CEO of Tesla Motors, in the pages of 2600.

I was deep in the throes of palate nirvana at Stumptown Coffee in Portland (good coffee is not bitter) when I came across a curious article in 2600: The Hacker Quarterly.

Nursing the best dark brew I’ve ever had, I moved from a great article on free global phone calls to another on the language of gang signs, ultimately landing on a column signed not with an anonymous pseudonym but by Martin Eberhard, co-founder of Tesla Motors.

The subject? Engineering a “patriot hack” to protect privacy online. This, I remember thinking, should be interesting…

It was so interesting, in fact, that I reached out to Martin after my bear-rich Pacific Northwest roadtrip and asked for permission to reprint his article here. He graciously agreed.

This article is broken up into four sections, which I titled:

The Patriot Hack - From China’s Firewall to Lockpicking (15%)
The Political and Technical Landscape (60%)
Strategies to Protect Your Privacy (10%)
The “Haystack” Call to Action (15%)

If you want a quick read and aren’t interested in the political or legal aspects, just jump over the second section.

I hope you find this as thought-provoking — and practical — as I did.

The Patriot Hack - From China’s Firewall to Lockpicking

How long can the regime control what people are allowed to know, without the people caring enough to object? On current evidence, for quite a while.

So concludes James Fallows’ article titled “Penetrating the Great Firewall” in the March ’08 issue of The Atlantic. The Chinese firewall is a crude but effective system that looks at every single Internet connection in the country, and decides whether or not the user may proceed, based on policies set by the government. If a Chinese citizen looks too hard for information about, say, Tibetan independence, the Tiananmen Square massacre, or Falun Gong, not only might her search be blocked, she is also inviting a visit from the police.

An outrageous invasion of privacy, isn’t it?

Reading Fallows’ article immediately made me think about how to get around the Chinese firewall, and made me wonder how many people there already have. I guess it’s the hacker instinct in me – I go straight from being outraged about the invasion of privacy to wondering how I might hack it if I had to.

I figured out how ordinary locks worked sometime in junior high school, and soon thereafter, I figured out how to pick these locks, how to make keys for them without fancy locksmith machines, and how to re-key locks my way. Soon thereafter, I discovered computers, which definitely were not personal in those days. I got kicked out of my 10th grade computer programming (Fortran) class for allegedly loading something into the school district’s mainframe that brought the whole thing down. (No comment.) In those days, such security systems were challenges – picking the lock was an end in itself.

As I grew up, I channeled this energy into getting a decent engineering degree, then into becoming an entrepreneur. I guess you could say that Tesla Motors was my first try at hacking the global energy system.

The Political and Technical Landscape

Meanwhile we are busily transforming the “Land of the Free” into a high-tech surveillance society of our own. In the name of preventing terrorism in this post-9/11 world, we have come to accept the Patriot Act, video cameras watching us along highways and intersections, more video cameras in other public places, invasive airport screening, scrutinized financial transactions, widespread wiretaps, surveillance of our online activities, efforts to create national identity cards, face recognition equipment at sporting events, and lots more.

Alarmingly, we give up our privacy not just to protect ourselves from terrorists, but also for mundane convenience: “preference” information gathered by online retailers, credit card usage data, ubiquitous RFID tags embedded in consumer goods, “club” discount cards at supermarkets, deep personal information posted at social networking sites and then sold to marketers, open wireless networks, etc.

In this article I focus on the ocean of data collected about us by search engine companies.

We know that search engine companies collect and save massive amounts of information about our searches, but then again, search engines are so useful and convenient. They ostensibly use this information to tune the advertising that we get to see. We also know that many sites sell the data they collect to others. Who knows to what other ends these data are put? Some, such as Google, say as a matter of policy that they will not be evil.

Unfortunately, your privacy is not a right that is clearly or specifically called out in the US Constitution. Some specific aspects of your privacy are protected, such as the privacy of your beliefs (in the 1st Amendment), privacy of your home against demands that it be used to house soldiers (in the 3rd Amendment), privacy of you and your possessions against unreasonable searches (in the 4th Amendment), and perhaps most importantly the 5th Amendment’s privilege against self-incrimination, which provides some protection for the privacy of your personal information.

Since about 1923, the US Supreme Court has interpreted the “liberty” guarantee of the 14th Amendment to guarantee an increasingly broad right to privacy, and this interpretation is the basis of most privacy protection outside those specifically listed. But the future of this constitutional privacy protection remains an open question. In our current Supreme Court, the so-called “originalists,” like Justices Scalia and Thomas, are not inclined to protect your privacy beyond those plainly and specifically guaranteed in the Bill of Rights. (Supreme Court nominee Robert Bork has derided the right of privacy as “a loose cannon in the law.” Good thing he never made it onto the Court!)

Beyond constitutional protection, your privacy and the protection of your sensitive or personal information are protected somewhat by a patchwork of statutes on a per-industry basis. The Privacy Act of 1974 prevents the unauthorized disclosure of your personal information that is held by the federal government. The Fair Credit Reporting Act protects information about you that has been gathered by credit reporting agencies. The Children’s Online Privacy Protection Act restricts what information about your children (age 13 and under) can be collected by web sites. The Sarbanes-Oxley Act, HIPAA and GLBA each contain some protection for some of your personal or confidential information. Some state laws also provide protection.

Since privacy is not specifically protected in the constitution, there will continue to be a battle between those of us who want our privacy protected and those who want to invade it – often our own government, certainly businesses who aggregate and sell our eyeballs, and worst of all, cooperation between the two.

Let’s not forget most of the phone companies’ gleeful cooperation with the US government’s widespread warrantless wiretap program. You can bet that every service provider company – search engine companies included – is paying close attention to the immunity that Congress is right now granting to these phone companies for their illegal participation in this wiretapping program. [Note from Tim: I did a post on the practical implications of this and FISA here.]

What will happen when the government asks your favorite search engine company to divulge what you and I have searched for? This has happened already. So far, Google has resisted, but AOL and others did not. The World Privacy Forum notes:

“In 2006, AOL released about 20 million search queries of over 500,000 of its users. Those queries were put on the web. Reporters for the New York Times were able to identify a user from the search queries; others have also been able to identify users. In 2005, the U.S. Department of Justice subpoenaed Google, Yahoo, MSN, and AOL for tens of millions of users’ search queries. Google successfully fought the request, and was able to limit its disclosure, but it is unknown how much data other companies may have turned over.”

Although Ask.com has subsequently announced that they will delete your searches after 18 months, Google has not.

To get an idea about how long Google is interested in your data, a Google cookie on your machine expires in the year 2038! [Note from Tim: this appears to have been reduced but someone with better detective skills should comment.] So the Google search you made 3 years ago for, say, “file sharing music” could come back to haunt you 3 years from now when some new, even more odious version of the Digital Millennium Copyright Act (DMCA) comes into law.

Can even Google forever be trusted not to be evil? To what new ends will they put all that data about us? Anyway, doesn’t it creep you out knowing that they are saving and analyzing every search you have ever made?

And now, with Google’s acquisition of Doubleclick, they will be able to correlate your searches with the rest of your web browsing – and maybe make it more painful to block cookies from Doubleclick and Google.

Strategies to Protect Your Privacy

An anonymizer tool or a proxy site will mask your IP address and some of the info about your computer when you surf the web.

To get an idea about what websites, including search engines, already know about you, check out this site: http://ipid.shat.net/. Spooky.

I use an Ironkey when I can, and there are both free sites and pay sites that can make your surfing anonymous. But some websites don’t work well with these tools. [From Tim: I cannot wait to test Pandora -- one of my favorite sites -- overseas using some of the proxy sites.]

The World Privacy Forum suggests several strategies to help protect your privacy while using search engines:

• Do not accept search engine cookies. If you already have some on your computer, delete them.
• Do not sign up for email at the same search engine where you regularly search.
• Mix it up. Use a variety of search engines.
• Watch what you search for.
• Read your news on one search engine, have your email on another, and use a handful of other separate search engines for Web research.
• Vary the physical location you search from.
• If you surf using a cable modem, or a static (unchanging) Internet connection, ask your service provider to give you a new IP address.
• Be aware that your online purchases can be correlated to your search activity at some search engines.

The “Haystack” Call to Action

Unfortunately, these search strategies are cumbersome and not especially effective.

We certainly cannot count on the government to respect or help to protect our privacy. And I would rather not have to trust Google and Ask.com to protect my privacy.

What we need is a simple tool that requires little of our attention, and provides pretty good privacy – something as simple to use as a browser plug-in.

This is an opportunity for a little constructive hacking, and browsers that allow plug-ins provide the perfect opportunity. What I am proposing is a simple plug-in for the Firefox browser (and any other browser that supports plug-ins) that will bury your searches in noise. Let’s call this plug-in “Haystack.” [There are step-by-step tutorials for how to create Firefox plug-ins]

Here is how it works: Haystack generates a relatively low level background of random searches across a variety of search engines whenever your computer and your network connection are not too busy. The goal is to generate hundreds to thousands of random (hay) searches for every real search you do, such that your searches are a small needle in the haystack of these automatically-generated searches.

Search engines generally run analytic software that constantly looks for attacks – denial of service attacks, bogus click-throughs to pump up somebody’s advertising costs, etc. Since the goal of Haystack is to protect our privacy, not to bring any search engine down, it must be written in such a way that, from the search engine’s point of view, it looks like you are just manually searching.

Search engine variety: through a setup option, you can select which search engines Haystack uses, matching the ones you normally use yourself.

Frequency: I think one search every 15 seconds on average is about right, though the interval should be random, varying from say 5 seconds to about 5 minutes. If your machine is on for 10 hours per day, this will generate 2,400 “hay” searches per day. Remember, the goal is to look as much like a lot of human-generated searches as possible, not to jam up the search engine.

Search terms: this needs to be very broad, random, and always changing. I suggest seeding the program with a search word list, and then pulling new search terms from the search results themselves, as well as occasionally from the text on the front pages of news sites like cnn.com. The searches must include a spectrum of provocative terms, so that any such search that you might do will not stand out.

Search complexity: like search terms, broad and random. Search for single words, as well as several words at a time, and even with excluded words.

Computer usage: Ideally, Haystack should not initiate searches when either your computer is very busy or your network connection is very busy. Since the actual search results are not valuable, Haystack should even abort an initiated search by closing the connection to the search engine if CPU usage suddenly increases.

User controls:

• On/off radio button
• Check boxes to enable one or more search engine sites
• Slider for search frequency (2 seconds to 10 minutes?)
• Button to clear search engine cookies and private data
• Button to get latest version

Output: Haystack should not bother the user with an open tab; the search results should be silently loaded and discarded (after gleaning a new search term or two from the data). A small icon on the toolbar indicating that Haystack is running should be good enough, perhaps also indicating the ratio of Haystack searches to your own searches.
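
The frequency, search-term, search-complexity and computer-usage rules above, worked through as an offline simulation. This is an added example, not code from the article or from any existing plug-in; the exponential delay distribution, the 0.5 load thresholds, the 20% exclusion rate, and the engine names, seed words and result snippets are assumptions or constructed samples.

```javascript
// Added example: offline simulation of the Haystack scheduler. It makes no
// network requests; engine names, seed words and result text are constructed.

// Seedable PRNG (mulberry32) so a simulated session can be reproduced.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Article's numbers: 5 s minimum, about 5 min maximum, 15 s on average.
const MIN_DELAY = 5, MAX_DELAY = 300, MEAN_DELAY = 15;

// Assumption: a 5 s floor plus an exponential tail with a 10 s mean gives the
// 15 s average; the article does not name a distribution.
function nextDelaySeconds(rng) {
  const u = 1 - rng(); // in (0, 1], so Math.log(u) is finite
  return Math.min(MIN_DELAY - Math.log(u) * (MEAN_DELAY - MIN_DELAY), MAX_DELAY);
}

function pick(list, rng) {
  return list[Math.floor(rng() * list.length)];
}

// Search complexity: one to three distinct words, sometimes with an excluded word.
function buildQuery(pool, rng) {
  const wanted = Math.min(1 + Math.floor(rng() * 3), pool.length);
  const words = [];
  while (words.length < wanted) {
    const w = pick(pool, rng);
    if (!words.includes(w)) words.push(w);
  }
  if (rng() < 0.2) { // assumed share of queries with a "-term" exclusion
    const excluded = pick(pool, rng);
    if (!words.includes(excluded)) words.push("-" + excluded);
  }
  return words.join(" ");
}

// Search terms: glean up to maxNew unseen words from result text into the pool.
function harvestTerms(text, pool, maxNew) {
  const seen = new Set(pool);
  const added = [];
  for (const w of text.toLowerCase().match(/[a-z]{4,}/g) || []) {
    if (added.length >= maxNew) break;
    if (!seen.has(w)) {
      seen.add(w);
      pool.push(w);
      added.push(w);
    }
  }
  return added;
}

// Computer usage: only search while CPU and network are idle (thresholds assumed).
function mayRun(cpuLoad, netLoad) {
  return cpuLoad < 0.5 && netLoad < 0.5;
}

// Plan one session. resultText(query) stands in for the discarded result page,
// loadAt(t) for the machine's load (0..1) at second t.
function planSession(hours, engines, seedWords, resultText, loadAt, rng) {
  const pool = [...new Set(seedWords)];
  const plan = [];
  for (let t = nextDelaySeconds(rng); t < hours * 3600; t += nextDelaySeconds(rng)) {
    const load = loadAt(t);
    if (!mayRun(load.cpu, load.net)) continue; // skip this slot, try the next one
    const query = buildQuery(pool, rng);
    plan.push({ t, engine: pick(engines, rng), query });
    harvestTerms(resultText(query), pool, 2);
  }
  return { plan, pool };
}

// Constructed inputs for a ten-hour day whose second hour is busy.
const ENGINES = ["engine-a.example", "engine-b.example", "engine-c.example"];
const SEED_WORDS = ["weather", "recipe", "battery", "museum", "guitar", "tango"];
const SNIPPETS = [
  "Portland coffee roasters open a second location downtown",
  "Electric roadster reaches production after battery redesign",
  "Court hears argument over warrantless wiretap immunity",
];
const resultText = (query) => SNIPPETS[query.length % SNIPPETS.length];
const loadAt = (t) => (t >= 3600 && t < 7200 ? { cpu: 0.9, net: 0.2 } : { cpu: 0.1, net: 0.1 });

const session = planSession(10, ENGINES, SEED_WORDS, resultText, loadAt, mulberry32(2008));
console.log(session.plan.length, "hay searches planned;", session.pool.length, "terms in pool");
console.log(session.plan.slice(0, 3));
```

With no busy periods, a ten-hour session lands near the article's figure of 2,400 searches; the busy hour in the sample input removes roughly a tenth of them.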

If you and I both run Haystack, then the “information” search engines collect from our searches is mostly noise. Perfect. But think what happens if millions of us run Haystack… It does throw a monkey wrench into their lovely data collection machinery, doesn’t it?

Such is the cost of asserting our right to privacy.

So why am I writing this? Simple: I am a hardware hacker. My software abilities are limited to some really tight assembly language code. I am also spending most of my time planning my next big hack into the world of oil consumption, perhaps the subject of a future article.

Although I care a lot about privacy and recognize its defense as a patriotic act, I am not the one to write Haystack.

Are you?

[Postscript: Readers have suggested several good tools that do most of what Haystack is designed to do. Read the comments for all the goodies, but here are two excellent picks: Scroogle (anonymizes Google searches) and TrackMeNot (noise-producing Firefox plug-in).]

###

Posted on October 8th, 2008

55 Responses to “From Tesla Motors to the “Patriot Hack” - Martin Eberhard on Protecting Your Privacy Online”

  • Matty B October 8th, 2008
    7:19 pm

    Hi Tim,

    Thanks for such a great article on Eberhard!

    I also wanted to share with you my good news of recently going from a $40,000, 60 Hour workweek to now working 12 Hours, and completely remotely!

    Bliss! You and your book continue to be an awesome inspiration! Next step: automation!

    Peace,

    Matt

    Current score: 3
  • Very interesting read. I appreciate the percentages you gave the different sections…maybe someone should write a wordpress plug-in that does this automatically for blog headings (as long as we’re on the subject of developing plug-ins)!

    It is a little scary how much data is collected on our internet usage. Unfortunately I feel like search engines will find a way around whatever “privacy plug-in” users decide to implement. Those google folks are very clever.

    I’m personally not too worried about my search terms being logged. Unless the government all of a sudden starts cracking down on fantasy football leagues, local jazz club patronage, and occasional celebrity gossip searches!

    By the way, Tim, I gave you a shout out in my most recent blog post…I cite your blog as the stepping stone that took me into the blog-o-sphere, which before that had been mysterious and scary. So thanks for that!

    Current score: 2
  • JTdesigns.com October 8th, 2008
    8:40 pm

    Sweet Ride. Thanks for the great article.

    Current score: 0
  • trent October 8th, 2008
    8:56 pm

    one site must be mentioned!

    Scroogle.org <— best anon google searching ever!!

    Current score: 5
  • Luxagraf October 8th, 2008
    9:39 pm

    It doesn’t do everything listed above, but the Firefox plugin TrackMeNot started down this road: http://mrl.nyu.edu/~dhowe/TrackMeNot/

    The problem is that it probably isn’t too hard for Google et al. to tell which searches generated click-thru (real) and which didn’t (fake). Obviously they could then sort that wheat from the chaff pretty easily.

    Current score: 0
  • Philip Arthur Moore October 8th, 2008
    9:47 pm

    Tim, I can confirm that using an anonymous proxy service abroad works wonders for U.S. based content (Pandora, Hulu, etc.), not to mention that it also keeps your laptop safe while you work from public wifi spots. I’m typing this message from my hotel/home in Viet Nam while listening to Pandora and loving every second of it.

    Current score: 2
  • John Bruscato October 8th, 2008
    10:37 pm

    Very well done!

    I would not be too frightened by our government watching what we do just yet. The government is too busy bailing out the financial industry right now to devote any resources to detecting people’s internet motives. Seriously, most large government agencies that hold power are tied up with the bailout package and the monitoring of the companies it is affecting. This includes FBI, CIA, Secret Service, and others that I’m too lazy to think of right now.

    You see, unless they start writing tickets to the people who do participate in, shall we say, activities of little ethicality, very few people will be prosecuted for such activities on the web. Mainly because, there are simply not enough prosecutors out there to handle it. Taking precautions is a good idea, but I wouldn’t stress out unless you are making profits from unethical activity that is web based (very large fines will be involved if you get caught).

    Again, take the precautions, but don’t think that you are being watched that closely.

    John

    Current score: 0
  • Patrick Hankinson October 8th, 2008
    11:09 pm

    This is a very interesting idea brought forth from Martin.

    I am actually really interested in designing privacy tools like this and have been involved in a couple already. I would be interested in starting an open source project, but in case someone beats me to it I want to expand on his idea.

    What if the Haystack simply becomes an internal spider. It scours your history of all your websites and follows internal links on those domains. It would mess up analytical software (not really my goal) but it would provide an extra layer of security and protect your privacy better. For example NetVibes would no longer know exactly what I am reading, or which websites I am actually visiting.

    Great job bringing this forward Tim - I enjoyed the video about FISA a while ago. Bummer it still passed.

    Current score: 0
  • C October 8th, 2008
    11:35 pm

    Interesting stuff. Did a quick search and came across this:

    http://mrl.nyu.edu/~dhowe/trackmenot/

    Sounds like what you’re talking about.

    Current score: 0
  • David Andersson October 8th, 2008
    11:57 pm

    If you like Pandora, give Spotify a try. /David

    Current score: 0
  • Daniel October 9th, 2008
    12:20 am

    There is such a tool already. It’s called Track Me Not, and it’s a firefox plugin.

    Current score: 0
  • Angell October 9th, 2008
    1:01 am

    Yeah, echoing the first commenter, I think the plugin would have to be quite clever to convince the search engine that genuine sessions were running. For example, any searches you manually perform could also be automatically added as individual words to the noise list, creating even more confusion - is the main idea that springs to mind.

    Current score: 0
  • Kate October 9th, 2008
    1:11 am

    Hang on - *are* you in Portland? If so, seriously, come and tango. Next week we have one of the biggest and best tango festivals in North America.

    And that’s the last I’ll say on that, as I’m *way* off-topic and sounding like a stalker.

    I like the idea of Haystack, but I’m inclined to think that the dedicated snoopers will always manage to be a few technical steps ahead of 99% of us. And with things like computer-analysed cctv spreading rapidly in city centres (in the UK, at least, I don’t know about here), and government agencies taking fingerprints at the least opportunity, I think we’re going to struggle to maintain any kind of meaningful right to privacy in the future.

    Dear god, I’m sounding like my friend’s libertarian father, who would seriously like to move to a bunker in Colorado. It’s not that - it’s just that I’m English. We’re not known for our political optimism. :) I would love to be convinced I’m wrong.

    Current score: 0
  • Jake October 9th, 2008
    1:22 am

    Interesting and scary read. I, like many others I know, am aware of the security risks and very open holes in our systems, but lack the drive at times to make the switch in habits (beyond basic, common sense changes). The IronKey looks interesting and Martin is not the first one to recommend it, however what about something for Mac users?
    Tim - I know you own a little silver box… is there a simple, secure method available that works with a Mac like IronKey works with PC’s?

    Current score: 0
  • zefram October 9th, 2008
    2:36 am

    Haystack exists. It’s called TrackMeNot:

    http://mrl.nyu.edu/~dhowe/trackmenot/

    Current score: 0
  • PK October 9th, 2008
    3:35 am

    Tim, I live in China. Most expats here, and savvy young Chinese, know how to use proxies. Many use the Gladder (“Great Ladder for Great Firewall”) Firefox extension, which works great. Once you have set it up for the websites you use often, you forget the Great Firewall is even there.

    As for the Haystack idea, it already exists - it’s called TrackMeNot. But of course an alternative option is always good.

    Current score: 0
  • Claude October 9th, 2008
    5:54 am

    Hi Tim, there is an interesting speech that Kaiser Kuo, from ogilvy China, gave at bTWEEN about China netizens and censorship, it’s worth watching :)
    http://just-b.com/btween/sessions/censorship-culture-chinese-netizens

    What is perceived by us as the Great Firewall is more a Net Nanny to the Chinese netizens and they already have a lot of strategies to avoid it.

    Thus, the answer to “How long can the regime control what people are allowed to know, without the people caring enough to object?” is not “On current evidence, for quite a while.” They already objected in their own Chinese way by quietly working around it :)

    My wife is Chinese, and I go to China from time to time, and I am always astonished about the perceived helplessness of Chinese people in Western countries.

    And by the way, to add to the list of anonymity tools: http://www.torproject.org/

    Current score: 0
  • Gil October 9th, 2008
    5:56 am

    Hey Tim,

    It’s true that privacy is a major concern. Things like FICA, DMCA, cameras everywhere I look, scare the crap out of me. It’s impossible to go totally off the grid now.

    However, looking at this from a content provider’s perspective, allowing Google to serve me advertising based on my interests isn’t such a bad thing. On occasion I *do* find ads helpful.

    As someone who strongly advocates using Adwords, what kind of effect do you think it would have on product marketing, and the economy in general, if Haystack were enabled on every PC and search patterns became untraceable?

    I’ll bet that you happily use Google Search, Gmail, and other G products as well. Keep in mind those tools are free only because Google is able to achieve some level of precision matching advertisers to buyers. Haystack would take that away.

    The fact that we don’t have new laws in place to protect the privacy of search data to some degree (legal cases, for example) is appalling. “The Constitution doesn’t protect it” is a ludicrous argument, because there’s no way the Founding Fathers could have predicted this great of an advance in technology. Ironically, the same Supreme Court judges who argue against privacy protection use this same argument (“there’s no way they could have known…”) as a sound argument for all sorts of other infringing legislation (gun control is a recent example).

    The renegade approach described in this article will certainly do a decent job of protecting your own privacy, but if everyone used it we’d be screwed. The author was right…this is indeed a hack, not a long term solution.

    Here’s an interesting thought: what if the hack worked so well that the ad brokers had no choice but to lobby as hard as they could for privacy legislation, so that at least some of their users would feel safe disabling the hack…making search data relevant again?

    Current score: 2
  • Maria D October 9th, 2008
    7:45 am

    I also live in China…I use Hotspot Shield from http://www.anchorfree.com to get into all the blocked sites. Works like a charm! I can watch TV shows on http://www.hulu.com and listen to music on Pandora. Without the shield I am forbidden to do a google search on the Falun Gong, Tibet, and other sensitive issues. I’ve even had my internet blocked while chatting about sensitive issues with friends in the US via IMing. I teach 800 high school students and I’d say almost all of them know how to use proxy sites and how to download illegal movies/music/images. But it’s kind of an unspoken truth that everything you do here is being monitored by someone. Kind of scary…

    Current score: 2
  • Dana Gundlach October 9th, 2008
    8:00 am

    Does anyone else feel like they are in “The Matrix”? Can I be Keanu???

    Anyway, great article. Laws will never stop paranoia or “evil doers” (thanks George W for coining this). Gun laws don’t stop crazies from getting guns. Drug laws don’t stop druggies from shooting up. If someone is hell bent to hurt someone or themselves they will succeed. It goes back to being Unrealistic in life. Most people are good and when they get Unrealistic they are successful and help many people. But when “evil doers” get Unrealistic mayhem ensues. Protecting ourselves from “evil doers” and the Govt should always be a top priority. So use all the gadgets available to protect yourself and your loved ones. Never and I say never, expect the Govt to get things right, they can’t even balance a budget for crying out loud.

    Good Luck,

    Dana

    Current score: 2
  • JLF October 9th, 2008
    8:59 am

    For a few years I was the owner and operator of the MagusNet Public Proxy which provided the kind of service you describe for free.

    It was a way to demonstrate my security knowledge and give something back to the Internet. I had the satisfaction of allowing many people to get access to content, about 20,000 unique IP addresses per day, that they would not ordinarily be able to access and provide some layer of protection for them via my service. The biggest challenge was having to deal with various law enforcement agencies both foreign and domestic. From time to time there would be users of my service that would do bad things and I would have to explain that:

    1. Anonymity is OK
    2. I didn’t do it.

    After a few years this was a hassle and when I moved to a new state I shut down the service.
    I have been thinking about doing this again via the TOR ( The Onion Router ) project ( http://www.torproject.org ) and I2P (en.wikipedia.org/wiki/I2P) which fit the description of what you are looking for in Haystack.
    I have found that by using these and other methods I can connect thru the most draconian filters and firewalls with complete confidence in my privacy.

    I am happy to see that the idea of supporting anonymity for good purposes is still alive and with any luck maybe a few of your readers will help keep projects like TOR and I2P alive.

    JLF SENDS…

    Current score: 0
  • Marco Polo October 9th, 2008
    9:29 am

    Pandora from outside the US looks like this. If you’re not scared yet about how much digital info about you is being sucked up, read this Telegraph (UK) article.

    Current score: 0
  • Tim Ferriss October 9th, 2008
    9:36 am

    Hi Guys,

    Thanks for the excellent suggestions! Congrats also to Matty — well done :)

    @Gil,

    Haystack wouldn’t negatively affect Google Adwords at all. Think of it this way:

    Random searches don’t click on ads, so they don’t cost advertisers anything or affect the ranking of ads. The people who are actually searching would still see the ads they’re intended to see.

    Imagine there is a billboard on highway and the advertiser is only charged when someone calls the number on the board. There can be drone cars on the road, but none of them call and it doesn’t affect the advertiser. The normal people will still see it and that’s all that matters.

    Google Adwords works because it matches ads to searches. It will work for real people no matter if the static is 1% of total searches or 50%. The advertisers won’t need to lobby, as they’ll still get the results they’re getting now, assuming Google can handle the computational load.

    Assuming that no more than 1-3% of the population would ever use these tools — looking at current usage stats, this would still be high — Google will be fine, and therefore their advertisers.

    Hope that helps!

    Tim

    Current score: 1
  • Jeremiah Smith October 9th, 2008
    9:37 am

    Cool article. I work right now as a Search Engine Optimization technologist for 360i. Our clients include NBC, MTV, E*TRADE and several more. I know a lot about search engines and have spoken one on one with many analytics professionals from the 10th street Google headquarters here in Atlanta. We use a few custom built tools here for pulling data from Google such as rankings and data, which anyone can get if they want. The trick is to make it look natural, like you have said. Because we pull thousands of searches per day through our automated ranking systems, we have had to practice following the retrieval method algorithm’s frequent changes. For anyone who decides to work on this Haystack extension, make sure you make the search frequency at a random interval. If Google sees a search come through from the same IP every 5 seconds on the second, it won’t matter if it’s 5 seconds or 20 minutes, it knows it isn’t natural. Consider making the tool choose a cryptic pattern of seconds like a Fibonacci sequence or something like that.

    Another thing I would like to offer. I have installed a circumventor on my own personal server that I use for searching and surfing. It’s a simple php script encased in one file and can be uploaded to any private server and used for surfing. I call it surf.php. The only thing is you have to do all your surfing through a search engine that you predefine in the script. I set it to youhide.com for me and it works as a double layer circumventor. Also if you have a MAC get TOR open source Onion proxy server and get a list of active IPs. You could be in Atlanta GA one minute and in 5 seconds be in Belgium Germany, next minute Australia. This was originally designed on the DARPA frame a while back by the US DOD. I use and love it.

    If you need secure file sharing with anonymity, use something like drop.io. I have provided a link to the php script surf.php below in a drop.io fashion for you to download, untraceable.

    There is also an extension for FF called SwitchProxy which allows you to switch IP address at any rate you wish. This is optimum for a search engine, the only hard part is getting a reliable list of IPs. Also, as mentioned above, getting out from behind a shared IP is tough, but if you think about it, you are actually already protected within a haystack if you have a good firewall up on your personal computer. In my APT complex there are approximately 20 wireless networks within reach of my mac’s airport. After a little commandeering I can tell you that we are all on a shared IP through Comcast, which means if I search for it, so has everyone else in my complex. And to think I used to hate my shared IP =).

    Another tip, don’t download or use Chrome. I love the tool, and I use it for professional work here in the office sometimes, but you talk about no anonymity, incognito is a joke. Basically, the largest information hub in the world will not let anyone who sits at your computer see what you have searched for, but they will gladly show up each hit on Google Analytics. (We use this tool all day.) Most likely, if they are sitting at your computer, they aren’t the enemy.

    Online purchases, really simple, go to any Simon Mall and pay cash for a Visa Gift Card that will not have any info tied to you and ship all products you order on Amazon to a receptionist since you “may not be there to sign when UPS drops it off”.

    Unfortunately, Brazil (see the De Niro film) is imminent.

    I know I’m about a decade late but, free Kevin Mitnick! =)

    Thanks

    Jeremiah

    Current score: 0
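The timing point in the comment above, seen from the receiving side, as an added example that is not part of the original thread: a server-side check that flags clients whose requests arrive at near-constant intervals, whether the period is 5 seconds or 20 minutes. The function names, the 0.1 threshold, the minimum sample size and the log entries (documentation-range IPs) are all constructed for illustration.

```python
import statistics

MIN_GAPS = 8          # assumed: too few requests says nothing about rhythm
CV_THRESHOLD = 0.1    # assumed cut-off; real traffic needs tuning


def inter_arrival_gaps(timestamps):
    """Seconds between consecutive requests from one source."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def regularity_score(timestamps):
    """Coefficient of variation (stdev / mean) of the gaps.

    Near 0 means clockwork timing. The score is scale-free, so a 5 s
    period and a 20 min period look equally mechanical.
    Returns None when there are too few requests to judge.
    """
    gaps = inter_arrival_gaps(timestamps)
    if len(gaps) < MIN_GAPS:
        return None
    mean = statistics.fmean(gaps)
    if mean == 0:
        return 0.0
    return statistics.pstdev(gaps) / mean


def flag_clockwork_sources(log, threshold=CV_THRESHOLD):
    """log: iterable of (source_ip, unix_timestamp). Returns {ip: score}."""
    by_ip = {}
    for ip, ts in log:
        by_ip.setdefault(ip, []).append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        score = regularity_score(stamps)
        if score is not None and score < threshold:
            flagged[ip] = round(score, 3)
    return flagged


def build_constructed_log():
    """Constructed sample data, not real traffic."""
    log = []
    # Source A: one query every 5 seconds, on the second.
    log += [("192.0.2.10", 1000 + 5 * i) for i in range(20)]
    # Source B: one query every 20 minutes, with sub-second network jitter.
    jitter = [0.4, -0.3, 0.1, -0.2]
    t = 1000.0
    for i in range(20):
        log.append(("192.0.2.20", t))
        t += 1200 + jitter[i % 4]
    # Source C: a person searching in bursts with long pauses between them.
    t = 1000
    for gap in [12, 340, 45, 8, 900, 61, 15, 230, 4, 75, 1800, 22]:
        log.append(("198.51.100.7", t))
        t += gap
    # Source D: only three requests, not enough to score.
    log += [("203.0.113.5", 1000), ("203.0.113.5", 1005), ("203.0.113.5", 1010)]
    return log


if __name__ == "__main__":
    for ip, score in flag_clockwork_sources(build_constructed_log()).items():
        print(f"{ip} flagged, gap CV = {score}")
```
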
  • Jeremiah Smith October 9th, 2008
    9:42 am

    Actually Tim, on AdWords, the impressions per click affect click-through rates which negatively do affect ads slightly. The only thing is this is an across the board effect which will hurt the guys on top as much as the guys on bottom, but really don’t worry about it because it would require thousands of impressions to increase the cost you are going to pay for a desired position by a few cents.

    My buddy here works close with SearchIgnite, our sister company, and ad networks is all they do.

    Doesn’t really change anything, so I still wouldn’t worry. Hope it helps!

    Jeremiah

    Current score: 0
  • ElamBend October 9th, 2008
    9:50 am

    If you are really interested in privacy beyond just the digital realm, may I suggest the book “How to be Invisible” by J.J. Luna. The author is someone who takes his privacy very seriously. The inspiration for the title came from some advice given to him by a member of Spain’s secret police back in the days of Franco. After spending the night in a jail for some questioning, Mr. Luna asked his captor how he could avoid a repeat. The response was, “Learn to be Invisible.”

    Some of his advice may be hard to square in our current culture of spilling our private lives onto our facebook pages, but he has some real important advice about protecting your identity and yourself.

    -EB

    Current score: 0
  • _Jon October 9th, 2008
    10:13 am

    With regard to privacy and the US Constitution, it was a concern of the authors that by creating the “Bill of Rights” that it would lead to a situation where the government tried to tell the citizens that the only rights they have are the ones enumerated within the Constitution. To counter this, they insisted that the 9th Amendment be included. Basically, the 9th A says that “Any rights not specifically limited in the US Constitution (via power to the government) are reserved for the People”. For us, that means that ‘privacy’, while not a right listed in the Constitution is still a right that is wholly ours to control, not something the current regime can usurp.

    Unfortunately, even with the protection of the 9th A, we are seeing our un-enumerated rights limited.

    Current score: 0
  • Jeremiah Smith October 9th, 2008
    10:52 am

    @Jon

    I really dig the clarity and precision of your comment. I feel the same way and I am constantly seeking a better way to protect us all. I feel like 98% of the topics that homogenize to the top are far less important than the few topics concerning our rights as individuals.

    Tim, do you have any suggestions on the matter of the constitution and what someone in their 20’s should do?

    Thanks!

    Jeremiah

    Current score: 0
  • Tim Ferriss October 9th, 2008
    12:08 pm

    @Jeremiah,

    Man, that’s a good question. To be honest, I don’t have a precise answer to such a big question. What would your answer be? The question to all readers:

    “Do you have any suggestions on the matter of the constitution and what someone in their 20’s should do?”

    I’d also like to repost Jeremiah’s original comment, which is great:

    Cool article. I work right now as a Search Engine Optimization technologist for 360i. Our clients include NBC, MTV, E*TRADE and several more. I know a lot about search engines and have spoken one on one with many analytics professionals from the 10th street Google headquarters here in Atlanta. We use a few custom built tools here for pulling data from Google such as rankings and data, which anyone can get if they want. The trick is to make it look natural, like you have said. Because we pull thousands of searches per day through our automated ranking systems, we have had to practice following the retrieval method algorithm’s frequent changes. For anyone who decides to work on this Haystack extension, make sure you make the search frequency at a random interval. If Google sees a search come through from the same IP every 5 seconds on the second, it won’t matter if it’s 5 seconds or 20 minutes, it knows it isn’t natural. Consider making the tool choose a cryptic pattern of seconds like a Fibonacci sequence or something like that.

    Another thing I would like to offer. I have installed a circumventor on my own personal server that I use for searching and surfing. It’s a simple php script encased in one file and can be uploaded to any private server and used for surfing. I call it surf.php. The only thing is you have to do all your surfing through a search engine that you predefine in the script. I set it to youhide.com for me and it works as a double layer circumventor. Also if you have a Mac get TOR open source Onion proxy server and get a list of active IPs. You could be in Atlanta GA one minute and in 5 seconds be in Belgium Germany, next minute Australia. This was originally designed on the DARPA frame a while back by the US DOD. I use and love it.

    If you need secure file sharing with anonymity, use something like drop.io. I have provided a link to the php script surf.php below in a drop.io fashion for you to download, untraceable.

    There is also an extension for FF called SwitchProxy which allows you to switch IP address at any rate you wish. This is optimum for a search engine, the only hard part is getting a reliable list of IPs. Also, as mentioned above, getting out from behind a shared IP is tough, but if you think about it, you are actually already protected within a haystack if you have a good firewall up on your personal computer. In my APT complex there are approximately 20 wireless networks within reach of my mac’s airport. After a little commandeering I can tell you that we are all on a shared IP through Comcast, which means if I search for it, so has everyone else in my complex. And to think I used to hate my shared IP =).

    Another tip, don’t download or use Chrome. I love the tool, and I use it for professional work here in the office sometimes, but you talk about no anonymity, incognito is a joke. Basically, the largest information hub in the world will not let anyone who sits at your computer see what you have searched for, but they will gladly show up each hit on Google Analytics. (We use this tool all day.) Most likely, if they are sitting at your computer, they aren’t the enemy.

    Online purchases, really simple, go to any Simon Mall and pay cash for a Visa Gift Card that will not have any info tied to you and ship all products you order on Amazon to a receptionist since you “may not be there to sign when UPS drops it off”.

    Unfortunately, Brazil (see the De Niro film) is imminent.

    I know I’m about a decade late but, free Kevin Mitnick! =)

    Thanks

    Jeremiah

    Current score: 4
  • Allen October 9th, 2008
    12:56 pm

    This approach may have the opposite effect you are looking for. Let’s say you are actually searching for something big brother would want to know about. They are filtering through each and every request. Sending more requests, which happen to be randomly generated, doesn’t somehow make those other requests go away.

    If big brother finds something, they just pick up your computer and look at what’s there before you’re prosecuted. If you have random searches those will be picked up too. You may be incriminated for things you haven’t done, and while they’re searching, and potentially planting evidence, they may find things they didn’t know about.

    The key to protecting your privacy is being smart about what you’re doing. Don’t post things you don’t want others to know. Do use complex and unique passwords for each site. Make sure the challenge questions to have your password reset have complex answers.

    Current score: 0
  • Brian Kurth October 9th, 2008
    6:20 pm

    Tim,

    Are you still in Portland? You were 2 blocks from the VocationVacations office. I’m in San Francisco thru Friday PM. If you’re still in Portland this weekend, let me know…..let’s finally meet up.

    Cheers!
    Brian Kurth
    Founder & President, VocationVacations
    brian@vocationvacations.com

    Current score: 0
  • Mike Froze October 9th, 2008
    6:27 pm

    Tim, you should see this. http://www.youtube.com/watch?v=0kHhc67GopM Watch the whole thing through.

    Current score: 0
  • Denison October 10th, 2008
    12:00 am

    Hey Tim,

    I’ve actually already made a video guide that shows users how to use proxies with firefox while abroad. I had to get creative during my last semester abroad at University of Glasgow; the video was the result.

    Hopefully you find it helpful.

    Current score: 0
  • Foreign Language Fanatic October 10th, 2008
    1:14 am

    Bravo on this one, Tim! I would like to reiterate using scroogle.org as mentioned in a comment above, adding that this can be added to Firefox search bar with an add-on from here:

    http://tinyurl.com/tim-ferris-scroogle-firefox

    Please keep this kind of info coming!

    Current score: 0
  • Michal October 10th, 2008
    4:01 am

    Tim on T-Nation

    You’re becoming famous - Charles Poliquin (one of the top athletic coaches in the world) mentioned you in his article here:
    http://www.t-nation.com/free_online_article/sports_body_training_performance/question_of_strength_october_1

    Good luck!

    Current score: 0
  • ElamBend October 10th, 2008
    7:31 am

    Jeremiah,
    Brazil is a great film and I reference it all the time when explaining privacy to people.
    The fact is most people in North America have given up their privacy for convenience. While in law school I did a study of something called “Total Information Awareness.” It was a program that had been proposed by Admiral John Poindexter, who was then head of DARPA’s Information Awareness Office. It was quite controversial at the time it was announced and Congress eventually killed it. I had wanted to find out more about it, thus my research. As it turned out, the main part of the proposal was for the government intelligence community to purchase commercially available data on consumers, stuff that is already out there. I was aware there were companies that collected data on consumers, but the extent to which they do boggled my mind. I became much less worried about this proposed government program and more alarmed at the level of information that private companies have on virtually everyone in the country. What was most disheartening to me was that most of this information was given up for the sake of convenience or ‘free stuff.’ Consumer data companies then use this data to segment consumers into several different cohorts with names like “Town & Country” (think wealthy suburbanites with a particular kind of tastes) and then sell that information to marketers.

    If you want to maintain your privacy, it takes active steps. At first it may seem difficult, but it’s just like Tim’s advice about taking control of your life and not going through it on cruise control. Once you’ve created beneficial habits, it’s easy. It’s a fascinating world, if you want to know more about it go to EPIC.org (Electronic Privacy Information Center) and by all means read “How to be Invisible.”

    -EB

    BTW - As an example of the watchers being watched, some pranksters turned the tables on Admiral Poindexter, getting satellite photos of his house and even publicizing his home phone number.
    http://www.wired.com/politics/law/news/2002/12/56860
    http://eyeball-series.org/tia-eyeball.htm

    Current score: 0
  • John October 10th, 2008
    9:22 am

    “They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.” - Ben Franklin

    Current score: 0
  • Jeremiah Smith October 10th, 2008
    12:27 pm

    Tim,

    I must say I am thoroughly enjoying this post! (as I do most : )
    The participation here has been so good that along with several other recent stimuli it has catalyzed me into starting my own personal blog.

    ElamBend,

    That is so interesting about Admiral Poindexter, it actually reminds me of the good old days before 2600, where the birth of hacking began. I myself am no hacker but I find it a fascinating underground world.

    EPIC.org is great and I also recommend EFF.org. The only problem with EFF is that even though they broadcast some pretty crucial and powerful information, nobody seems to be responding to the calls to action. I think Tim did a good job with the FISA post before, I know some of my friends and I responded to the calls to action from both he and Daniel Ellsberg on stopping the bill.

    I only hope that as we work to thaw and free ourselves and spread the good words and inspiration, others become more willing to respond to our calls to action. It hurts when you know for a fact what will truly help someone but they will not listen to you and continue walking forward like a child running out to the street. I guess that because knowledge is power and brings about an element of responsibility, those of us in the know are now accountable for reaching out and grabbing these children running into the street and bring them back to safety. I hope we can be as strong as some of our previous heroes and find it in our hearts to do what is best for the common good.

    Thanks again for an awesome post Tim!

    Jeremiah

    Current score: 0
  • Jay October 10th, 2008
    12:55 pm

    I worry about my privacy a lot, but it seems like I don’t worry about the same things as this author. My web searches and sites I visit tell a lot about who I am, but people who know me already know 99% of that. The other 1% might be embarrassing - but never illegal in the strictest sense.

    I think it’s more important to protect your private communications; especially phone and email.

    I don’t store my email on a web-service (even though I use Yahoo for my account, I download it clean everything every time I check my email). I encrypt every computer hard drive device using TrueCrypt (free encryption software that is highly rated). I use the “whole disk” encryption option on my computers and encrypted volumes on my key drives and detached drives.

    My key drives run keydrive-specific versions of Thunderbird (for email) and Trillian (for instant messaging) so I can communicate from any computer without installing special software on any computer. If I use any random computer to check email or use IM, all of the data and logging generated stays on my keydrive encrypted volume. Instructions for setting this up are available online.

    Encryption works whether you lose your device, or if law enforcement wants to read your data. In America, you can’t be compelled to give up the key to your encrypted devices thanks to the Fifth Amendment.

    Protecting email can be critically important to protecting privacy (ask Sarah Palin). Nobody can be sure they would never be the target of a criminal investigation (ask those Bear Stearns Hedge Fund guys).

    Current score: 0
  • Helder October 10th, 2008
    2:28 pm

    Excellent post Tim, in Europe the same thing is happening, it’s not just in the USA. We’re being controlled each time more, and the worse part is that many people are accepting because they’re afraid, not only of terrorists, but also afraid of the governments. Everything is being controlled, every cent you spend has to match a cent you earn, the phone companies and internet providers are now forced to keep everything recorded for a period of 2 years. Your bank accounts can be controlled and/or frozen anytime, all in the name of security. Governments are using fear as a weapon, the Uruguayan writer Eduardo Galeano was warning us about this in the 1950’s, he told us this would happen and he was right about it. I’m a believer in technology and a user, but I also believe we should cut back a bit, get back to some primitive habits, we’re getting too lazy and that makes it easy to control us. I’m talking about using less credit cards and more cash, this is just one example among many possibilities, and there’s a lot more we can do.

    I would like to know a few things if you can answer me Tim or somebody else here:

    Is it true that Yahoo has given information about dissidents to the Chinese government?

    You talked about Firefox plug-ins, I don’t know anything about that, so this question might seem stupid, but doesn’t Firefox belong to Google? If so, do you think it’s safe to use Firefox as a protection? Won’t Google be able to collect information from that browser?

    Thanks a lot

    Once again excellent post

    Current score: 0
  • Tyler Willis October 10th, 2008
    7:20 pm

    This is a smart way to obscure your searches, and as such meets the desired goal of making the monitoring ineffectual. But, I don’t believe this is a good idea. It will actually give government officials more firepower against you, not less.

    If someone wants to dig into you enough to pull up your individual searches, they’ll use the inflammatory hay searches against you the same way they’d use the needle searches.

    In a draconian system, where many people are negatively affected by search monitoring this might be an effective way to decrease the system’s efficiency. In our society where it seems likely that search monitoring is used to identify a relatively small list of targets to investigate further, running haystack would be a good way to get yourself on that list. Which seems, unpleasant.

    Awesome dialogue to start, and I’m a huge fan of Eberhard so I don’t mean this disrespectfully. He’s definitely a smart guy as well (certainly smarter than I, by any responsible measure), so I wouldn’t discount the possibility that he’s right and I’m wrong. But I don’t think I’m wrong. :)

    Tyler Willis

    Current score: 0