Privacy Gimmicks | Don't Buy Into ThemCategory: thoughts
A 6 Minute Read
20 Oct 2014
Disclaimer: Dear companies included in this post, please don’t sue me. This is opinion, and yes, with patches your products could be the cat’s pajamas down the road. Seriously though, I have no money to sue for anyways. Thanks.
If there is one thing you can expect to happen after any public scare, it’s that someone, somewhere, will try to make money off of it. This has certainly been the case with the Snowden Revelations. Since the Summer of Snowden in 2013, a huge list of products and services have popped up with founders looking to make a buck or two off of the whole privacy business. Of course there’s nothing wrong with people profiting, but the lure of money seems to have led to a lot of half baked products. We’ve seen everything pop up onto the net from private cloud storage startups, to secure email services, to privacy focused USB operating systems, many of which are marketed as being “NSA Proof”. That’s not to say that every privacy-startup since Snowden has been terrible, but the majority seem to be, well, gimmicks.
There have been three products which stand out to me: the Safeplug, the Anonabox, and ICLOAK. All of these products have received significant funding and/or media coverage, and yet all of them seem to be replications of existing free software with a fancier label. That’s not to say that existing privacy technologies shouldn’t be marketed more to the mainstream, but all three of these products have had major problems, yet still won our hard earned money.
Let’s begin with the Safeplug, which is is a piece of hardware developed by Pogoplug. Retailing at $49, it transparently routes your traffic through the Tor network. Ideally, this should be an excellent setup for online anonymity, and because of this it appeared all over the media. However a security audit found that it wasn’t quite as secure as people thought:
“Despite the use of Privoxy as an ad-blocker, the Safeplug does nothing to prevent users’ browsers from collecting both first- and third-party tracking cookies, allowing users to be de-anonymized across websites despite the presence of Tor
Safeplug users are vulnerable to a Cross-Site Request Forgery (CSRF) attack that allows an attacker external to their home network to modify the Safeplug settings (including silently turning off the use of Tor).
A malicious user within the network can modify the Safeplug settings without notifying any other devices on the network.
The Safeplug has a higher web request latency than that of the Tor Browser Bundle.”
Ultimately, the audit suggested users to simply use the Tor Browser Bundle. I don’t know about you, but to me it seems fairly damning when researchers suggest that a piece of free software is more secure than dedicated hardware.
The Anonabox is somewhat similar. It was a Kickstarter project to build a hardware router that also transparently routes traffic through Tor, and was about to receive almost $600,000 in funding before it was pulled for making false claims. The founders of the Anonabox said that it had four generations of prototype hardware, however a clever Reddit user on /r/privacy found that this simply wasn’t true, as the hardware could be found cheaply off the shelf from Chinese distributors. Moreover, @stevelord on Twitter had done some digging on the Anonabox to find quite a few configuration peculiarities that put it’s claims into question, which can essentially be summed up in this tweet: “Oh wow, I haven’t seen software design as bad as this since I fucked huawei boxes over”.
Of course, a much more secure and well planned implementation already exists in The Grugq’s PORTAL, which is free on Github, provided you have the hardware. If you don’t have the hardware, he recently announced that you’ll be able to order a preconfigured box, and as @stevelord also said, “it looks like the difference between @thegrugq and @anonabox is years of OPSEC experience, a working hardware platform and $500,000”.
Lastly we have ICLOAK, a preconfigured and bootable USB stick which launches a operating system similar to that of Tails. It definitely appears to be a cleaner, more mainstream friendly design than Tails, but I have a few bones to pick with it. First, it is unable to strongly differentiate itself from Tails. This is important, as Tails operates as an open project with years of experience and a lot of eyes on it, meaning that there should be quite a bit of reason before anyone decides not to use it. In fact, on the Kickstarter page (where they happened to raise over $100,000), they even have two FAQ entries specifically attempting to address this. The first is simply talking about how Tails isn’t user friendly (something I’d refute). But the second FAQ entry asks about technical details on what differentiates it, to which the answer is, “We are in the process of preparing a formal multi page white paper with a fully indepth response about the difference between ICLOAK and Tails. We will publish it as soon as it is available”. This answer was made in July of 2014, and yet in late October I am still unable to find any technical explanation of what makes ICLOAK superior. Again, this is a problem considering the fact that Tails has years of experience behind its belt and zero profit motive. If you’re trying to convince me not to use Tails, you need a damn good reason.
The second bone to pick with ICLOAK is that the markup is absolutely insane. In the pictures on the Kickstarter page, the ICLOAK stick appears to use a USB2 Kingston Data Traveler GE9. For this they charge $50 (unless you preorder, in which case you will get it for a few dollars cheaper). However, this same USB stick can be purchased for less than $8 online from NCIX, and loaded with Tails for free, for which there is an abundance of documentation. Yes, software development is expensive, but if your competitor has years of experience and review, as well as extensive documentation on installation, you’re going to need to change that business model.
Lastly, if installing Tails is too complex for you (one of the problems ICLOAK claims to want to solve), then you need to step back and reconsider if you even have the technical ability to use Tor properly. Staying anonymous online is a lot more than simply plugging in a USB stick. Nevertheless, if you still want to use an anonymous OS, then go find a nerdy friend to install it for you.
##What’s Your Point?
I’m not trying to flame all privacy startups in this article, in fact I think we need more of them (more good ones at least). I also don’t mean to blame regular consumers for being uninformed about existing projects like PORTAL or Tails. We can’t expect everyone to know about arcane privacy software that only 1% of the population even bothers thinking about.
The issue that I have is that these types of products are appearing on the market, getting huge media attention and funding, while being utlimately inferior to existing alternatives. It’s almost like playing Wack-a-Mole, where a Kickstarter will pop up, get massive funding and coverage, leaving security folk to have to hammer them back down into place. It would of course be nice if companies took the quality of their products, rather than the packaging, more seriously. It would also be nice if consumers took a more skeptical stance, especially before funelling money to a Kickstarter campaign. It would be amazing if the media more heavily vetted these ‘privacy solutions’ before hyping them up, though I doubt this will ever happen.
While there’s obviously no clear-cut solution for this problem, my only suggestion is to stop handing your money over to all these privacy startups. Wait a few weeks first, check out /r/privacy to see if it’s being discussed, if not then ask about it. Ultimately, be skeptical and don’t buy into gimmicks.