ZeroPaid.com » browsing

Guide: How to Enhance Your Web Privacy with NoScript

Drew Wilson — Sat, 27 Aug 2011 21:06:46 +0000

Privacy while surfing can be serious business for a number of web surfers. Some use a number of tools like NoScript to block unwanted scripts on websites they visit. This can help stop websites from tracking who that user is that visit that webpage, thus enhancing their privacy. This guide will show you how to download, install and use NoScript.

Before we start with the guide, we should offer a reason why someone would use something like NoScript. Many websites these days employ different tracking techniques. These website tracking techniques can tell the web owner a number of things about its users. The bits of information that can be obtained include type of web browser, country of origin, ISP, operating system, screen resolution, age, gender, marital status, type and level of education, which site you came from, which webpage you left on on the website and sometimes even the webpage you went to to name a number of these examples. I'm not entirely sure how some of these statistics are gathered, but such statistics can be made available by sites like Alexa which can give you a sense of what the traffic is like for a number of websites. On the other hand, usually, website owners track data on a more cumulative level. This means that, sure, it can detect you are from country 'X', but all the web owner typically sees is, 'X' number of users from from country 'X' Unless you are doing something that warrants individual attention, a website owner probably won't care about web hits on an individual basis. Even when you warrant their attention on a moderation level, chances are, it's a case of seeing a particular users IP address more than anything else. Having said all of that, tracking of your internet activity isn't (or, should I say, shouldn't be) compulsory when you've done nothing wrong. In a way, using NoScript can be your way of saying, "Hey, count me out of your statistics gathering". If you want to be one of those individuals that would rather opt out of being tracked using NoScript, then read on. For this guide to work, you need to be using the internet web browser FireFox. Step 1: Download NoScript As with many FireFox plug-ins, downloading and installing this plug-in is very straight forward. First, you need to the NoScript website. Under the NoScript logo, there's a green button that says "Download". Click on that button. When you do click on that link, you'll see a little pop-up message asking you if you really want to install NoScript. Since we want this plug-in, click on "Allow" Step 2: Install NoScript After you've allowed this plug-in to download, you'll get a pop-up window that asks you if you want to install this. Since we know this is not a malicious plug-in, we can go ahead and click on "Install Now" Step 3: Restart FireFox As with most other plug-ins we've encountered, you must restart FireFox for the installation to be completed. If you are ready, just click on "Restart Now" in the little notification window. Step 4: Test NoScript When your browser restarts, you should see one or two things. The first is that NoScript appears right next to your address bar as shown below: If you are on a website that uses scripts, you should see a bar along the bottom notifying you of any scripts the website you are viewing uses. As a test, we decided to browse to YouTube and see how NoScript behaves out of the box. This was our result: As we can see, there is a total of 24 scripts and no objects are present. By default, some scripts are automatically allowed on YouTube through NoScript. This can easily be changed through the NoScript menu that can be found either by clicking on the NoScript button or, as we demonstrate below, on the "Options..." button on the bar along the bottom of our browser: From this menu, we can easily pick and choose whatever set of scripts we want to allow. We can allow all scripts, block all scripts or allow and block different scripts. The thing to remember is that some scripts are needed to run many parts of a website. So, blocking all scripts may result in you not being able to view a website properly. Blocking and allowing scripts is more of something you have to feel your way through. You can block scripts that exists in the website itself and see how the website functions without it and then unblock it afterwards if you suddenly are unable to use a website in whatever fashion you choose. Experiment around with it is my best advice. Final Thoughts I think NoScript is a nice plug-in because it can tell you more about a website then you would just by loading it without any extra plug-ins. Sure, some websites seem simple, but then you can find out that a simple website can have two dozen scripts running in the background. It is also an added layer of security. While a light layer of security, it's better than nothing at all I think. Some malicious websites might use scripts to do a lot of nasty things to its users. I'm sure someone immersed in the field of back-end web coding would say it's entirely possible to create a whole variety of nasty stuff with scripts. NoScript can block websites that use malicious scripts which is a nice bonus. Overall, I think it's a nice thing to add to your plug-in collection.

Britain – FIPR Phones Home to Say that Phorm is Actually Illegal

Jorge Gonzalez — Thu, 24 Apr 2008 08:53:24 +0000

The Phorm storm in Britain has made the headlines a couple of times. The question on whether the system is even legal has gotten FIPR demanding the Home Office to retract certain comments they made where they suggest Phorm is actually legal. FIPR has made a detailed legal analysis that suggests quite the contrary.

Last month, we here at ZeroPaid reported on the developments over Phorm. We followed up the report with another report earlier this month which points to Richard Clayton saying that Phorm is illegal, yet despite the comments, Phorm continued to be tested in the market. The, what seemed to be, cold shoulder from regulators didn’t deter an additional commentary and call from the Foundation for Information Policy Research (FIPR) which suggests that the Home Office is misleadingly suggesting that Phorm is legal and didn’t violate the Regulation of Investigatory Powers Act of 2000 (or RIPA).

The Open Rights Group points us to a copy of the in-depth legal analysis sent to the Home Office recently. Among other things, the analysis states that such technology could develope quite a rap sheet in Britain:

“This paper concludes that deployment by an ISP of the Phorm architecture will
involve the following illegalities (for which ISPs will be primarily liable and for
which Phorm Inc will be liable as an inciter):

interception of communications, an offence contrary to section 1 of the
Regulation of Investigatory Powers Act 2000
fraud, an offence contrary to section 1 of the Fraud Act 2006
unlawful processing of sensitive personal data, contrary to the Data
Protection Act 1998
risks of committing civil wrongs actionable at the suit of website owners
such as the Bank of England.”

It might be quite obvious, but probably one of the last things any company wants to do is open oneself up to litigation by a major bank – especially when the whole issue revolves around privacy. Here’s some more highlights:

Phorm’s public announcements go to great length to emphasise the anonymity it claims for its processes. These processes are embodied in software which is not open to inspection, either by the public or by the ISPs who will run the software, and
Phorm can in any case change the software whenever it wishes without anyone’s knowledge. Phorm’s claims cannot therefore be verified, and rest entirely on placing trust in Phorm.

Common sense apart, RIPA s16 happens to put the matter beyond doubt. It
deals with bulk interception authorised by the Secretary of State by warrant. In such cases, for the protection of those whose communications are caught up in bulk interception, it is laid down that only part of the material, as specified by a separate certificate, may actually be inspected. (It is assumed to be filtered from the bulk by technical means.) RIPA s16 deals with this by requiring that “the intercepted material is read, looked at or listened to by the persons to whom it becomes available by virtue of the warrant to the extent only that” certain conditions are satisfied. Material is thus treated as having been intercepted, and as having been made available to its interceptors, before any processing is applied to
determine whether it is in fact to be inspected by any individual. From this it is perfectly clear that in the Phorm system, the pages that it scans have been made available, and have been intercepted, before they are subsequently discarded.

The process in all cases is as described in Clayton at 46 onwards. In the case of searches, the search terms sent by the user to a search engine are intercepted and analysed by the ISP using the Phorm system. This requires the consent of the provider of the search engine. Search engine providers derive revenue from advertisements based on their users’ searches and on their users’ selection from among search results, and they are in competition with Phorm for advertising revenues based on their customers’ activities. There is not the slightest basis for supposing that they consent to the interception of their customers’ communications with them, expressly or by implication, nor has any such basis
been suggested. (The HO Note entirely overlooks this significant point.)

There are a number of other significant points being made in this piece including a case where there was actually a complaint against Phorm. When the matter was referred to the Home Office, the Home Office actually responded saying that the matter wasn’t their responsibility (paragraph 9). Basically, the entire paper shoots down Home Office’s insinuation that Phorm is legal on just about every front. One might find the Home Office to be funny by the time they are done reading the analysis.

The original note by the Home Office was posted in full last month. Among other things, the Home Office said:

18. It is arguable that a targeted online advertising service can be “connected with the provision or operation of [the ISP] service”. The RIPA explanatory notes for section 3(3) state: “Subsection (3) authorises interception where it takes place for the purposes of providing or operating a postal or telecommunications service, or where any enactment relating to the use of a service is to be enforced. This might occur, for example, where the postal provider needs to open a postal item to determine the address of the sender because the recipient’s address is unknown.”

19. Examples of section 3(3) interception, very relevant to the provision of internet services, would include the examination of e-mail messages for the purposes of filtering or blocking spam, or filtering web pages which provide a service tailored to a specific cultural or religious market, and which takes place with user’s consent whereby the user consents not to receive the filtered or blocked spam or consents (actively seeks) a service blocking
culturally inappropriate material. The provision of targeted online advertising with the user’s consent where the user is seeking an enhanced experience and the targeted advertising service provides that.

Of course, anyone would consider an extra layer of ads sent from their ISP that they pay in the first place to be an “enhanced experience” much like e-mail filters. This is just like anti-spam filters which, if our memory serves us correctly, blocks unsolicited advertisements in the first place. Sarcasm aside, here’s a few more highlights from the Home Office e-mail:

21. Where targeted online advertising is determined and delivered to a user’s browser as a consequence of a proxy server monitoring a communication to download a web page, there may be monitoring of a communication in the course of its transmission. Consent of the ISPs’ user and web page host would make that interception clearly lawful. The ISPs’ users’ consent can be obtained expressly by acceptance of suitable terms and conditions for the ISP service. The implied consent of a web page host (as indicated in paragraph 15 above) may stand in the absence of any specific express
consent.

22. Targeted online advertising undertaken with the highest regard to the respect for the privacy of ISPs’ users and the protection of their personal data, and with the ISPs’ users consent, expressed appropriately, is a legitimate business activity. The purpose of Chapter 1 of Part 1 of RIPA is not to inhibit legitimate business practice particularly in the telecommunications sector. Where advertising services meet those high
standards, it would not be in the public interest to criminalise such services or for their provision to be interpreted as criminal conduct. The section 1 offence is not something that should inhibit the development and provision of legitimate business activity to provide targeted online advertising to the users of ISP services.

One may wonder how scary this can be when an organization like this says right on their home page, “Working together to protect the public”

The original Richard Clayton analysis can be found here. The Open Rights Group notes:

FIPR want the Home Office to withdraw informal advice they issued in February, which FIPR say wrongly concluded the system is lawful, creating “an obstacle to the just enforcement of the law”. At the public meeting attended by Phorm and their critics last week, Simon Davies of 80/20 Thinking Ltd identified the legality of Phorm under RIPA as a legitimate issue, but urged participants not to get bogged down in a question which, in the end, can only be decided in a court of law. Hopefully, FIPR’s legal analysis will bring UK citizens one step closer to an answer to the question “Is Phorm legal?”. As Richard Clayton observes:

The Home Office’s superficial analysis said that the system would be lawful. Given their batting average at the High Court, relying upon their opinion was always unwise

digg_url = ‘http://digg.com/tech_news/FIPR_Phones_Home_to_Say_that_Phorm_is_Actually_Illegal’;