An update on using Tor on Android

Back in 2012 I wrote a blog post on using Tor on Android which has proved quite popular over the years.

These days there is the OrFox browser, developed by the Guardian Project together with The Tor Project, which is likely the current best way to browse the web through Tor on your Android device.

If you’re still using the custom Firefox setup from that post, I’d recommend giving OrFox a try – it’s been working quite well for me.

How many pages of ToS and Privacy Policies?

So, I started this thought experiment: let’s assume for the moment that government is completely trustworthy, only has your interests at heart and doesn’t secretly sell you out to whoever they feel like. Now, on top of that, what about the agreements you enter into with corporations? How long are they and could you properly understand all the implications to your privacy and give informed consent?

So… I started with when I left home. I got on a Virgin flight; they have a privacy policy which is eight pages. I then arrived in New Zealand and filled out a customs form. I could not find anything about what the New Zealand customs service could do with that information, but let’s just assume they’re publishing it all on the internet and selling it to the highest bidder. The other alternative is that they follow the New Zealand Privacy Act, which is a mere 182 pages.

Once through customs I turned on my phone. The basics are probably covered by the New Zealand Telecommunications Privacy Code (35 pages) and, since I was on Vodafone NZ, their three page privacy policy likely applies. Of course, I’m roaming, so the Vodafone Australia three page privacy policy also likely applies (under a completely different legal framework). There are likely things in the other agreements I have with Vodafone too: the standard agreement summary is a mere 4 pages and the complete agreement is 84 pages.

I arrived at my hotel and the Langham privacy policy is two pages. I then log into Facebook, 30 pages of important things there, into Twitter, another 11 pages. My phone is all hooked up to Google Play, so that’s another 10 pages. I walk into the conference, the code of conduct is a single page which was a pleasant relief. I then log into work mail, and the GMail terms of service is three pages with a four page privacy policy.

If I were someone who used iTunes, it would be reasonable that I would watch something in the hotel room – another 24 pages of agreement – before deciding to call home, carefully reading the full 20 pages of Skype terms of service and privacy policy.

In total, that’s 428 pages.

This excludes any license agreements to the operating system you’re using on your laptop, phone and all the application software. It also excludes whatever agreement you enter into about the CCTV footage of you in the taxi to and from the airport.

So, my question to the panel at OSDC was: how on earth is the average consumer meant to be able to make an informed decision and give their informed consent to any of this?

Not a good week for Telstra and privacy

The Office of the Australian Information Commissioner just posted this: http://www.oaic.gov.au/news/media_releases/media_release_120629_telstra_breaches_privacy_act.html

This isn’t to do with what I’ve posted about here the past few days, but with an incident back in December 2011. The details of 734,000 customers were available publicly on the Internet.

Details exposed include:

  • name
  • phone numbers
  • services held
  • free text field (where information such as username, password, email or other information could be recorded)

The ACMA report says that up to 41,000 customers had their user names and passwords exposed.

So… who had access? I quote from the ACMA report:

Between 3 June 2011 and 8 December 2011, the Visibility Tool received 108 access requests per day from unrecognised IP addresses (IP addresses that cannot be conclusively identified as Telstra IP addresses). On the day of the media publication, this number increased to 20,498 access requests.

The information was available from 29th March 2011 through 9th December 2011, and from a date in October it became easier to access (via a Google search).
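The metric the ACMA report relies on – requests per day from addresses that cannot be tied to the operator’s own ranges, and the jump on the day of publication – is something any web-facing internal tool can be checked against. The script below is an added example, not code from the original post or from Telstra or ACMA: it counts daily requests from outside a hypothetical set of trusted networks and flags days that are far above the baseline. The trusted ranges, the log lines and the spike factor are all constructed for the example.

```python
import ipaddress
import re
import statistics
from collections import Counter
from datetime import datetime

# Hypothetical address ranges treated as the operator's own. Anything outside
# them is "unrecognised" in the sense the ACMA report uses. Constructed.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# Apache/nginx combined log format: client address first, timestamp in [ ].
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def is_recognised(ip_str):
    """True if the client address falls inside one of the trusted ranges."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # garbage in the address field is never a recognised source
    return any(ip in net for net in TRUSTED_NETWORKS)


def daily_unrecognised_counts(lines):
    """Count requests per calendar day that came from outside the trusted ranges."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole run
        day = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").date()
        if not is_recognised(m.group("ip")):
            counts[day] += 1
    return dict(counts)


def spike_days(counts, factor=10):
    """Days whose outside-source count exceeds `factor` times the median day.
    With fewer than two days there is no baseline, so nothing is flagged."""
    if len(counts) < 2:
        return []
    baseline = statistics.median(counts.values())
    return sorted(day for day, n in counts.items() if n > factor * baseline)


def make_sample_log():
    """Constructed sample: two quiet days with a trickle from outside, then a
    day on which the tool is hit from many outside addresses at once."""
    def entry(ip, ts, path="/visibility/customer?id=1"):
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    lines = [
        entry("10.1.2.3", "06/Dec/2011:09:00:00 +1000"),      # internal
        entry("203.0.113.7", "06/Dec/2011:09:05:00 +1000"),   # internal
        entry("198.51.100.4", "06/Dec/2011:10:00:00 +1000"),  # outside
        entry("198.51.100.5", "07/Dec/2011:11:00:00 +1000"),  # outside
        entry("198.51.100.6", "07/Dec/2011:12:00:00 +1000"),  # outside
    ]
    for i in range(40):  # the burst on 8 December
        lines.append(entry(f"192.0.2.{i + 1}", f"08/Dec/2011:13:{i:02d}:00 +1000"))
    lines.append("this line is not a log entry")
    return lines


if __name__ == "__main__":
    counts = daily_unrecognised_counts(make_sample_log())
    for day in sorted(counts):
        print(day, counts[day])
    print("spike days:", [str(d) for d in spike_days(counts)])
```

On the constructed log this reports 1, 2 and 40 outside-source requests for the three days and flags 8 December. The point is not the threshold (a factor of ten is arbitrary) but that a tool meant for staff should have its outside-source request count reviewed at all; a non-zero baseline of over a hundred a day for months is the finding, the spike merely made it visible.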

Unfortunately this is yet another case of internal procedures failing and being inadequate; only when the issue was raised publicly (on Whirlpool and in the media) was it swiftly fixed.

It can be hard for a person inside a company to speak up, continue to speak up and be an asshole on these issues. It’s just human nature and after all, annoying your boss isn’t what everybody wants to do all day at work. I hope that the improvements that Telstra has committed to as a result of this investigation make it easier for people to raise such problems and ensure they are resolved.

Achieving things inside large companies can be incredibly hard. I have sometimes felt I’ve had more success trying to convince a dead seal to go for a walk than to get a large company to fix something that’s obviously broken (and everybody knows it). Undoubtedly there were people inside Telstra who knew about the problem yet felt powerless to force a fix to happen. This kind of culture is poisonous and tricky to avoid in a large organisation.

Both ACMA (the Australian Communications and Media Authority) and OAIC have full reports:

If we extrapolate from this for the latest incident (NextG and Netsweeper) we could expect:

  • a Telstra incident report in ~2 months
  • if ACMA or OAIC take action, a report in ~6 months