Public Wifi, Naked Links and Privacy

I have the good fortune to work with a lot of smart people and conversations about data, privacy, etc. go around quite a bit. I also have a creative mind so I tend to run with a lot of the conversations and thoughts and sometimes where that gets to can border on science fiction. The technoramble™ in this stretches that limit a bit and you might have to watch it on Netflix before it hits home.  By this, I mean it dips into the science fiction a bit using my own understanding as a point of reference to speculate where technology could be going.

Naked Links

I am not sure if I am using this term entirely correct and so let me redefine it so that I am. In internet terms, a naked link is typically any link that is embedded in an HTML page where you do not change the address.  So for a link tag, you will see the full web address http://www.claytonharbour.com instead of a friendly version such as my site.

I will take it slightly farther and say that any URL that you transfer either from a web browser, app (i.e. Facebook, Instagram, Google Photos), iMessage, etc. These URLs all go across the wire at some point and resolve to locations where your data is stored.  Data, in the case of most users, can and often does commonly refer to an image or picture. Yes, I intentionally wanted to link naked and picture in your mind because the next bit might get a bit dry.

When you share photos in today’s world you will typically share them with friends and family however that relies a lot on friends and family being part of your favourite social media site (i.e. Facebook).  However, if you want to increase your target audience a bit more for those family members (i.e. me) that aren’t a part of Facebook then you have to create a link that is generally viewable across the internet and less secure.  I’m very grateful that my family is so versed on internet security that they have never chosen to do this.  I am also grateful for my sense of humour.

Moving on, I will pick on Google Photos for the next bit since, as I mentioned, as I don’t have a Facebook account.  The principle should be similar for users who do have a Facebook account.  When you share an album on Google you have an option of creating a public link that you can share with friends and family.  For example, this link https://photos.app.goo.gl/ZsLCUVQutMG5qRKB7 points to a busy little bee.  I created the link  by doing the following:

  • Uploaded my busy bee photo to Google Photos
  • Clicked the sharing icon on the top right
  • Chose the option “create link” on the modal that pops up
  • [Optional] Select someone to share the link with

This link can be used to share with friends, family and everyone on the internet honestly.  Super great!

Now let’s start looking at the not so great things there.  In this example, if you clicked on the link you’ll notice that we get some additional information about who the image is being shared with.  That’s not so great because you are potentially exposing users that don’t want to be exposed.  This could provide additional context to hackers about things that are important in your life, such as bees and flowers in my case, and give them another data point to use in social engineering.

It’s not super horrible though and the average user wouldn’t have to worry about that.  I was a little concerned though so I posted something about this on the Google Photos help.  Someone on the post suggested that I make a feature request, so I did, asking that users that are not logged in to Google will not see the additional information.  I am not a UI designer but I like pictures and privacy so if anyone wants to send me an email about UI suggestions or thoughts I will gladly provide an opinion.

Anyway, if you are an anxious person, like me, you can relax a bit.  It’s not horrible to have this information linked to a picture, it’s probably publicly available anyway.

More Technical – Your ISP, Public Wifi and Privacy

Where I am going to go next with this story requires a bit more technical information for context. Most sites now use HTTPS the actual content of the site or the request is sent encrypted.  What this means is you can relax a bit about the content being sent back and forth between you and a website, so mostly this means your banking information, passwords, etc are secure and you don’t have to worry.  Also, Facebook will also encrypt the data in their payload so your posts are also hidden.  Phew, no one knows about granny’s bout of explosive diarrhea the other day.

The URL that is being used for the request, however, is not encrypted and this is where things get interesting.  As we have noted above some of these URLs can be used to link directly to pieces of your data that are publicly available on the internet such as the bee in the example above.  Depending on the implementation you may get pictures, comments, emails, etc.

In Canada, we pay a lot for cellphone data.  The upshot is that a lot of people in Canada use public Wifi, and I am going to assume this is the case for a lot of people that travel.  When you use public wifi they can also log URLs and there aren’t a lot of laws that I am aware of that provide guidelines for this.  Even if there were rules here you can’t get around the coffee shop hacker that knows how to observe these requests going through the public Wifi.  If you are tech savvy you have probably already solved this problem with a VPN.

In any case, the picture I am trying to paint here is that these are little data points that we are already sharing.  We’ve mentally gone down the phishing angle so I think we are primed that the data could be repurposed intentionally in a harmful way.  This is entirely intentional and I will admit it’s to help put your mind in a bit of an anxious state so the rest of this is more believable.  If you do go down this road remember it’s more science fiction at this point in time.

An additional point I will mention is that larger companies typically log these URLs for analytic purposes as well as to help troubleshoot issues that happen either in software, networking or hardware.  So if you know that there was an issue trying to reach the URL https://photos.app.goo.gl/ZsLCUVQutMG5qRKB7 from Bob’s coffee shop, for example, you can use that sample data to try to get to the root cause.

There is absolutely nothing nefarious about that or scary, this is just good practice.  I am going to add a few more points to this though to try to warm up your suspicious mind so that my last few points are less of a leap.

Facial Recognition, Casinos and Governments

There have been a lot of advances lately in AI and facial recognition.  If you have noticed a lot of your pictures in <insert favourite photo sharing application> can classify and bucket similar faces.  This is very useful and helps you identify who is in that picture you are posting, who to share with and sometimes who not to share with.  It still needs some help and faces that change too much over the years requires some manual intervention.  That said it really is quite good!

This sort of facial recognition technology is apparently also widely used by casinos.  Apparently, they invest heavily in facial recognition software for security purposes so they can identify people that are known to “cheat”.  I put cheating in quotes because I believe gambling is a huge scam so I am not sure who is being cheated more.  I also used “apparently” because I have never worked on those systems so if there is really software doing this as I have been told, I don’t know about it personally.  This data, collected in the name of security for the business seems to have fewer limitations.  Consider how many times you notice a web camera when you are out in public places such as a store, restaurant or mall.

Looking back at casinos we know that most of them also provide free Wifi.  With not too much of a stretch, you can imagine that they are also monitoring that information as well.  If you start combining some of these data and include some analyzing or post-processing of that data you can start to see a bigger picture forming about the person or people that are frequenting your establishment.  I am entirely speculating that this is going on however I am looking at a smaller/ private case of what may be and also pointing out that this is currently being done on a larger scale by governments in some countries.

I know what you are thinking, I am paranoid and they would never use my information that way.  Maybe, however, I do wonder why the Mexican government needs a copy of my fingerprints on file when my own country does not.  I have another point that will make your head spin.

AI, New Faces, Deep Fake and DigiDoug

When we start to look at facial recognition we can already see people running with that technology in a completely new direction: creating people.  The technology already exists to take existing photo data, mash it together using AI and come out with completely new faces.

Pretty cool idea, but if you look at deepfake and apply that to identity theft it gets a bit more interesting.  The technology makes it possible to create a backstory and show realistic progressions of that person through the years.  If you have ever had a border guard ask for access to your phone or social media the need for this is already becoming apparent.  Those that don’t have social media or refuse these requests are typically detained longer so providing a back story in some cases makes sense to throw off suspicion.

If you look at the technology such as EA’s Gameface we see that mapping faces over a generic 3D model it is pretty cool.  This was new technology many years ago and there have been huge leaps forward with this, such as the creation of DigiDoug.  In the DigiDoug link, TED Talk you see a real-life model of a human being rendered in near real-time.  The delay between facial expression and rendering is apparently 1/6 of a second which is amazing.  

The simulation apparently took a huge dataset to create enough data points for the technology to render.  This included many sessions from the speaker that simulated real facial movement, different lighting situations, etc.  The result though is a realistic 3D model acting in real time that looks real.

Simulated Humans, Data and Looking Forward

The implications of the technology though are quite profound and use in places such as movies or video games seem obvious.  Maybe even using it in your next video conference so you could “show video” even if you are attending in pyjamas.  Something like that will eventually become commonplace and we might even have easy filters available for our FaceTime talks with friends and families.  Or an ogre model for our next D&D game conference.

This is where the post dips into science fiction, meaning that, as far as I know, it isn’t possible with our current datasets.  It does open the door for what might be possible in the future and how hacking attempts may change going forward.

Imagine as we upload more and more data online with more and more advanced camera technology we are creating more and more advanced datasets of our life.  Couple this with advancing AI technology and expanding template libraries we can imagine that fewer data points would be required to create a simulated human.  As our child posts the 30th selfie today we can ask ourselves if we should maybe have a talk to them about data that goes beyond the cost of the cell phone bill.

Conclusion

I thought it was necessary to add a conclusion to this.  I don’t think that we should stop posting photos or sharing with friends and family.  I think that is very important and would encourage you to keep being mindful about doing this.  Heck, I’d even take that further and say post a public link to that family member that is not on your Facebook feed.  Even if you have to make it public and take that tiny extra risk in security, they are worth it.

What I do think is that we should be mindful and forward-looking in how we are using technology and what sites are storing our data and for what.  I also think we need to be mindful for how that data may be used as technology changes and what limitations or guarantees we have for this.

One Comment on “Public Wifi, Naked Links and Privacy

  1. Pingback: Don’t Go Breaking My Heart | Clayton Harbour

%d bloggers like this: