Tricking online tracking: disinformation as a means of protection
Light is regularly shed on news about espionage involving particularly prominent or high-profile individuals. One of the latest developments to rear its head was a piece from the newspaper "Libération", one of the French media outlets that has revealed alleged spying on the last three French presidents between 2006 and 2012 by the United States, although there are many other similar news stories.
- Equation: The Death Star of the Malware Galaxy
- Regin: Top-tier espionage tool enables stealthy surveillance
- The Duqu 2.0
- Operation Toohash
In this regard, we must also be aware of the fact that not only information concerning famous people, large companies, government institutions, research bodies, etc., is important, but information regarding anonymous individuals is also extremely useful and of great interest. We must also keep in mind that said information poses a significant economic benefit if taken advantage of, thus the reason why it is collected and exploited by companies with access to it.
In general, this information can be classified into one of two large groups depending on its origin:
- Information obtained from open sources, meaning that anyone who wants to access it can do so.
- Information collected and managed by companies that offer services or products in order to offer people a better user experience in many cases.
With regard to information or intelligence gathered from open sources, or «Open Source Intelligence» (OSINT), detailed information can be found in the article OSINT - Information is power. This article discusses different points such as the usefulness of the process, its phases, related problems, and the main tools that can be helpful in terms of carrying it out. As a general rule, this information can be obtained from publications from a multitude of online services such as: the media (magazines, newspapers, the radio, etc.), forums, social networks, blogs, conferences, symposiums, papers, online libraries, etc.
It is very important to take into account that any information that we post on the Internet - or make available to third parties - ends up escaping from our control, meaning that we are thus unaware of what can be done with said information and whether it can be used against us. We must be mindful of the fact that privacy protection responsibility - even though in some cases it is fairly covered - must begin with ourselves.
Information collected and managed by companies that offer services or products refers to information gathered mainly by large companies that compile huge amounts of user data in order to offer better service. In light of this, the Electronic Frontier Foundation(EFF), an entity from the United States dedicated to the protection of citizens' rights in the digital world, has recently published their annual report about data collection practices and its security in large companies. The report known as «Who has your back? Protecting your data from government requests» analyses companies such as Amazon, Apple, Facebook, Google, Microsoft, Twitter, etc. The following table provides an overview which evaluates the different privacy and security features concerning the previously mentioned companies:
Likewise, there are web pages such as Terms of Service Didn't Read that catalogue online services based on different parameters and classify them into various categories. Building on the motif «"I have read and agree to the Terms" is the biggest lie on the web. We aim to fix that.», the web page evaluates aspects such as staying in control of a copyright, not sharing user information with third parties, the ability to modify terms of service without needing to notify users, etc. This analysis is used to classify services by category, ranging from very good «Class A» to very bad «Class E».
Many of the techniques utilised by these companies to obtain information are viewed as too intrusive by an increasing number of users. The solution proposed by said companies, on occasion as required by current legislation, is to notify users that certain information is going to be collected. Users can then decide whether or not to accept the terms of service. If a user decides to not accept the terms of service, however, the features available to said users are either greatly restricted, or the use of the service/product is restricted all together.
In the face of such an inconvenience or detriment to users, maybe now is an appropriate time to evaluate the possibility of complicating companies' exploitation of information gathered about us by applying the method of disinformation. In order to do this we will introduce the concept of «Tricking online tracking», or, in other words, carrying out different activities such as: regularly performing random Internet searches, introducing false GPS coordinates into mobile phone apps or images that we post on social networks, simulating connections to open WiFi networks in other parts of the world, etc.
The concept of disinformation is not new; historically, this concept has been used particularly in the military domain and involves deliberately spreading misleading or false information concerning either the armed forces themselves and/or military action plans in order to confuse the enemy.
Sun Tzu already said this around 500 BC: "All warfare is based on deception". Applying this concept to the field of privacy protection for users and companies can be quite useful and interesting.
interesting.
To sum up, the simulation of random behaviour that hides real data so third parties cannot statistically distinguish between true and false information is carried out in order to prevent companies from creating, among other things, accurate and adapted profiles about us. The creation of said profiles is known as user profiling. These actions will also considerably hinder the possibility of a delinquent being able to utilise us as an attack vector for carrying out a cyber-attack such as: spear phishing or any attack based on social engineering in general, in addition to those attacks which are based on information gathered from open sources. Consequently, employing disinformation as a means of protection would make us more resilient.