An analysis of 100 Occupy websites by Tim Libert shows 99 are insecure. Most are hosting tracking bugs by Google, Twitter, and Facebook which are designed to collect information on visitors. Since these are US corporations, activist data is vulnerable to government data-mining. At OTC, to be in full compliance with Libert’s suggestions we would need to install SSL encryption (which costs money that we are short on). We don’t have Facebook, Twitter, or Google bugs, but we did activate a program on our server to collect and analyze visitor information. This week we will be switching to Libert’s suggestion (Piwik) which can be customized to only collect incomplete IP addresses. We have excerpted some of this article below; find the complete article here.—Ed
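The editor's note mentions configuring the analytics tool to keep only incomplete IP addresses. The following is an added illustration, not code from the page or from Piwik, of what that looks like as a log-processing step: the low-order part of each visitor address is zeroed before anything is stored, so the retained data can still be counted by network but no longer identifies a single host. The sample log lines are constructed, and the number of octets/bits kept is a policy choice chosen here for illustration, not a value taken from any product's defaults.

```python
import ipaddress

# Constructed sample access-log lines (Apache/nginx "combined" style); not real visitor data.
SAMPLE_LOG = """\
198.51.100.23 - - [12/Jan/2012:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5123
2001:db8:85a3::8a2e:370:7334 - - [12/Jan/2012:10:01:05 +0000] "GET /events HTTP/1.1" 200 2210
198.51.100.77 - - [12/Jan/2012:10:02:40 +0000] "GET /index.html HTTP/1.1" 200 5123
"""


def anonymize_ip(ip_text, v4_keep_octets=2, v6_keep_bits=48):
    """Return the address with its low-order bits zeroed.

    v4_keep_octets / v6_keep_bits are illustrative assumptions: how much of the
    address to retain is a policy decision for the site operator.
    """
    addr = ipaddress.ip_address(ip_text)
    keep_bits = v4_keep_octets * 8 if addr.version == 4 else v6_keep_bits
    # Build a mask with the top `keep_bits` bits set, the rest cleared.
    total = addr.max_prefixlen
    mask = ((1 << total) - 1) ^ ((1 << (total - keep_bits)) - 1)
    return str(ipaddress.ip_address(int(addr) & mask))


def anonymize_log(log_text):
    """Rewrite each log line so only the truncated address is ever written out."""
    cleaned = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, rest = line.split(" ", 1)
        cleaned.append(anonymize_ip(ip) + " " + rest)
    return cleaned


def hits_per_network(cleaned_lines):
    """Aggregate counts still work on truncated addresses; individuals do not reappear."""
    counts = {}
    for line in cleaned_lines:
        prefix = line.split(" ", 1)[0]
        counts[prefix] = counts.get(prefix, 0) + 1
    return counts


if __name__ == "__main__":
    lines = anonymize_log(SAMPLE_LOG)
    for line in lines:
        print(line)
    print(hits_per_network(lines))
```

The masking is applied at ingestion time, before the line reaches disk or a database; truncating addresses in a stored log after the fact does nothing for copies that already exist in backups or were already handed to a third party.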
Major advertisers and corporations have been quietly tracking the online movements of those visiting “Occupy Wall Street” related sites for months. They have used this data to create detailed portraits of the lives and interests of potential protestors. This data is then sold in unregulated markets and retained indefinitely in databases that may be subject to secret government subpoena. The most shocking thing about this is who is ultimately responsible: the self-proclaimed revolutionaries who run the sites.
However, this is not an act of malice: most likely website operators have no idea they are allowing their visitors to be tagged and tracked. Instead, they think a “like” button is a nice addition to their blog, or that “free” web analytics tools will help them build an audience, or perhaps they believe embedding a calendar of events will help coordinate real-world action. What they have failed to ask themselves is exactly why all these wonderful tools are free in the first place. Servers cost money, programmers need to eat, and tech executives need to pay for their private jets – where does that money come from?
Well, it turns out all those companies providing “free” services are making huge amounts of money by building detailed dossiers of individual Internet users that they sell to advertisers. Many of these companies have privacy policies claiming the data is “anonymous” – but in reality it is anything but. Every single time an Occupy website uses these “free” tools they are allowing the corporations who track their visitors to make handsome profits on the back of their “revolution”. Considering that the Occupy movement is opposed to unchecked corporate power it should be quite alarming to activists that they are unwittingly giving the very corporations they are fighting detailed information about those in their movement.
I became aware of this problem because I use the browser add-on Ghostery to keep track of what sites are spying on me and to prevent them from doing so. I have long been confounded by the presence of large numbers of tracking bugs on Occupy related websites. At no point did I believe that the operators of the websites were anything but sincere in their efforts to change the world for the better. However, I believe they are woefully ignorant of the implications of the technology they use and are behaving irresponsibly. This essay is an attempt to educate activists on the depth of the tracking problem and offer some surprisingly easy fixes. These revelations may sting, but I will also provide activists with the knowledge they need to become responsible stewards of their visitors’ data.
Aside from semi-intentional “traffic” monitoring, the biggest source of bugs were the result of attempts to make it easier for visitors to share links on social media. For this reason, Facebook and Twitter were on 47% of sites. They both use their seemingly innocuous “Like” and “Tweet” buttons to track visitors. Those helpful little buttons actually send back a wealth of information about website visitors to their respective corporations each time a page is viewed. Add to this the random “Digg” or “Add This” widget and it is obvious that the inclusion of social media buttons provides a major beachhead in efforts to track online audiences on Occupy related websites. Sadly, it is entirely possible to include share buttons for most social media platforms without using the ‘official’ buttons which enable tracking. I will provide information on how to do this as well.
One last point of bad news is that of 100 sites examined only one – Occupy Sheffield – was using SSL. SSL stands for “Secure Sockets Layer” and provides a method for securing the transmission of website data using encryption. When you connect to a site using SSL the address is “https” rather than “http” and there is usually a lock icon or a special color on your address bar to signify the connection is secure. Online banking, shopping and other security-sensitive sites routinely use SSL to protect transactions. It is an excellent idea to use SSL on pretty much any site, but especially on sites promoting political dissent. The lack of SSL was disappointing, but not at all surprising. Adoption of SSL is sorely lacking across the web. (Those keeping track at home will notice that the site you are currently visiting, timlibert.me, does in fact use SSL – I practice what I preach!)
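The two preceding paragraphs make two checkable claims about a page: whether its “share” buttons pull in third-party script or frames that fire a request to the social network on every page view (as opposed to plain links that only make a request when clicked), and whether the page and everything it loads is served over SSL. The following is an added example, not the author's survey tool or any project's code, of an audit that performs both checks on the HTML of a page. The two sample pages and the list of tracker hostnames are constructed for the example; the list is illustrative and any real audit would maintain its own.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Illustrative mapping of hosts to the widgets the article names; constructed
# for this example, not an authoritative tracker list.
KNOWN_TRACKER_HOSTS = {
    "www.google-analytics.com": "Google Analytics",
    "connect.facebook.net": "Facebook Like button script",
    "www.facebook.com": "Facebook plugin iframe",
    "platform.twitter.com": "Twitter Tweet button script",
    "s7.addthis.com": "AddThis widget",
    "widgets.digg.com": "Digg widget",
}

# Constructed page using the "official" buttons: every view loads third-party code.
TRACKED_PAGE = """<html><head>
<script src="//www.google-analytics.com/ga.js"></script>
<link rel="stylesheet" href="/style.css">
</head><body>
<iframe src="https://www.facebook.com/plugins/like.php?href=https://example.org/"></iframe>
<script src="//platform.twitter.com/widgets.js"></script>
<img src="http://example.org/banner.png">
</body></html>"""

# Constructed page using plain share links: nothing is fetched until a visitor clicks.
PLAIN_PAGE = """<html><body>
<a href="https://twitter.com/share?url=https://example.org/">Tweet</a>
<a href="https://www.facebook.com/sharer/sharer.php?u=https://example.org/">Share</a>
<script src="/js/site.js"></script>
</body></html>"""


class ResourceCollector(HTMLParser):
    """Separate resources the browser fetches automatically from plain hyperlinks."""

    AUTO_LOADED = {"script": "src", "iframe": "src", "img": "src", "embed": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.loaded = []  # (tag, url) fetched on every page view
        self.links = []   # anchor hrefs, fetched only when clicked

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in self.AUTO_LOADED and a.get(self.AUTO_LOADED[tag]):
            self.loaded.append((tag, a[self.AUTO_LOADED[tag]]))
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def audit_page(page_url, html):
    """Report third-party loads, known trackers, SSL use and mixed content for one page."""
    page = urlsplit(page_url)
    parser = ResourceCollector()
    parser.feed(html)
    report = {
        "uses_ssl": page.scheme == "https",
        "third_party": [],    # (tag, host) loaded from another origin on every view
        "trackers": [],       # subset of third_party matching the known list
        "mixed_content": [],  # http resources on an https page
        "plain_share_links": [],
    }
    for tag, raw in parser.loaded:
        url = urlsplit(urljoin(page_url, raw))  # resolves "//host/x" and "/x"
        if url.netloc and url.netloc != page.netloc:
            report["third_party"].append((tag, url.netloc))
            label = KNOWN_TRACKER_HOSTS.get(url.netloc)
            if label:
                report["trackers"].append((url.netloc, label))
        if report["uses_ssl"] and url.scheme == "http":
            report["mixed_content"].append(url.geturl())
    for href in parser.links:
        host = urlsplit(urljoin(page_url, href)).netloc
        if host and host != page.netloc:
            report["plain_share_links"].append(host)
    return report


if __name__ == "__main__":
    for name, html in (("tracked", TRACKED_PAGE), ("plain", PLAIN_PAGE)):
        print(name, audit_page("https://example.org/", html))
```

The distinction the audit draws is between what the browser fetches on its own (script, iframe, img, link, embed) and what it fetches only on a click (an anchor). A plain anchor to the network's share URL gives visitors the same button without informing the network of every page view; the mixed-content list catches the case where a site has SSL but still pulls one resource over plain http, which is enough for a browser to drop the lock icon.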
My goal here is not to shame anybody and name names, but to raise awareness. However, it is important that people be able to inspect my data, so you may download my database here as a CSV file. That file includes full details of all the sites I inspected – so if you think you may be one of those sites I highly recommend you download it and take a look.
Why is this a problem?
Because so much of what Internet companies do is hidden behind complex privacy policies and claims of “trade secrets” there is no real way to know exactly what happens to the data they collect. This is a very useful shield against public scrutiny as it makes it impossible to discuss the true impact of privacy violations when so much is kept secret. However, there is a powerful tool which I will now employ – the thought experiment. Our imagination and reason will allow us to overcome the limitations imposed on us by legal jargon. If technology companies object to anything I postulate below I welcome them to provide me with details of their internal policies. In fact, I hope they consider this a challenge.
Occupy may have seized physical space around the world, but their websites are occupied by corporations. […]