Last week I’ve given a talk about privacy by design as it relates to websites at Observe, Hack, Make (OHM) 2013, a quadrennial geekfest and hacker/maker event held in the Netherlands. It’s one of the biggest hacker festivals out there, with 3,000 people that have descended on the festival grounds, and it’s great fun and a great place to meet people, hackers, makers, thinkers, and media people. It’s been somewhat of a Dutch tradition to hold these events every 4 years.
The video will be uploaded as soon as it becomes available.
I’ve designed and developed Annie Machon’s website in May 2012. This site used to run on a closed-source Typepad solution, and Annie wanted to move her website to a more open solution, for which we’ve settled on WordPress. Also, she wanted to move away from the .com domain for reasons of domain jurisdiction. You see, when you operate a .com, .net, .org etc. these domains can be easily seized by the American government if you’re doing something that may upset them. This has happened to MegaUpload, to Richard O’Dwyer’s TVShacks, the examples are legion. This can be really damaging for your reputation, so it’s important to make sure that you’ve set up your infrastructure to resist attacks like these as much as feasibly possible.
I’ve also modified Annie’s WordPress site as to prevent browser tracking as much as possible, allowing people to visit her site without fear of their movements being tracked. Normally, your website visits get tracked if the websites you visit implement things like Facebook Like buttons, etc., which reference external scripts and images that will tell these third-party services what your surfing behavior is. This is obviously not something that we would want, we want an open, free web, that’s easy to use, by which it’s easy and natural in fact to share information, without having to fear that we get tracked and profiled. With browser tracking a lot of information about your browser gets sent to companies like Facebook. Things like IP address, browser brand and version, the country you’re coming from, etc. These parameters are all used to connect this data together and build up a profile in this way.
Synopsis of My Talk
This talk is about the possible conflict between getting your message out there, and trying to maintain your site visitor’s privacy. This talk will highlight some of the issues that need to be taken into consideration when building websites for whistleblowers with high security & privacy needs.
This talk is about the conflict that can arise between getting your message out there, and trying to maintain your audience’s right to privacy. In the last couple of years, with the dramatic increase in the use of social media, often one of the most effective ways of spreading your message to a large group of people has become to foster a community using existing social networks, like Facebook or Twitter.
The problem with using these services is that, while convenient, they also snoop on your audience’s private data. These companies make their money by creating and selling detailed profiles to marketers, to that they can effectively target their ads. Often these services run their own ad service as well, as is the case with Facebook and Google. Later on, this data can come back to hunt you. Let’s say you’ve been searching on Google for some serious illness or disease. You can imagine what your health insurance company would do, had it access to this information. Up the premiums or deny you insurance altogether.
Sander Venema was asked by Annie Machon to redesign her website in early 2012. We took special care in avoiding common traps that can compromise the security and privacy of the site’s visitors when designing the new site.
In his talk, Sander will talk about the special considerations that come with building websites for whistleblowers with high security & privacy needs, both for the owner/operator, and the visitors of the site; discuss what the problem points are, and how we worked around them to create a website that is both pretty, usable and as safe as possible. He will also talk about domain security and governments claiming jurisdiction over a domain name, even if the actual server is not located in their country and the site isn’t aimed specifically at their citizens. There have been several cases in the past where websites have been brought offline because of this.