Privacy: The Future of Content Filtering
by Peter Lowe on Aug 19, 2021 12:00:00 AM
Peter Lowe shared his thoughts on the future of data protection and internet tracking on the eye/o blog last week.
Tracking on the internet is something that's very, very hard to avoid, if not completely impossible. It's so common and accepted that even companies claiming to be "privacy preserving" actively implement methods to circumvent attempts to block them. Massive data breaches have shown the type and scale of data that's being kept about us. It's everywhere.
Sometimes it might be tempting to give up and just accept tracking as a fact of life -- and, actually, that's what more than a few people I know have done -- but there's still a lot you can do to minimize the amount of your personal data being kept, shared and sold. And there are countless people working on standards, regulation, tools, services, and methods to help us - so it's not entirely hopeless.
But what does the future look like? I have a few guesses.
Regulation has arrived, and is here to stay. More and more places in the world are implementing regulation around data handling to a greater or lesser extent, and companies are having to adjust to take this into account.
You've probably heard of GDPR, and may have heard of the CCPA in California - but did you know that Nevada has its own regulations? And even China is talking about implementing their own laws?
However, each set of rules is slightly different. Some are focused on individual rights, some are more focused on company responsibilities. Some have teeth, some don't. So what I expect to become more common is something along the lines of tax laws: companies will start operating out of regions that are advantageous to what they're trying to do.
We've already seen this to some extent. Quad9, the open public recursive DNS resolver that provides malware protection for free, moved its operational and legal headquarters to Switzerland recently. This ensures that legally it's an EU organization, and subject to GDPR along with all the other regulations. Though on the flip side, it's not uncommon to see error pages saying that a site is no longer operational for visitors in the EU.
So, just like funneling money through tax havens and taking advantage of shell companies, data will be stored in places where the rules don't apply. Legal loopholes will be taken advantage of, allowing data to be abused in ways that the regulation has tried to prevent. And none of this will be visible to anyone except the most determined analysts.
Layered privacy protection
Most people I know use some form of browser addon for content filtering, in particular ad blocking. This is great for browsing, but with the proliferation of chatty IoT devices, services loading in the background, mobile phones, and whatever else, this isn't enough anymore.
This means that people interested in protecting their privacy online need to look at additional methods. DNS filtering, for example, is a great way to protect your whole network against threats and data sharing coming from IoT devices - especially those that can't be upgraded and have no way to configure. For more serious applications and specific uses, VPNs are another way to mask your behaviour online. And simply using privacy focused services is a great thing to do - DuckDuckGo, the Brave Browser (and their new search engine), Apple iOS - these are all using privacy as a selling point.
My prediction on this side of things is: privacy will move from being a unique feature, to becoming something that is actively looked for and more commonly offered. And if you care about your privacy online, then we'll have to use these products all over the place.
Regulation is coming into place, the ways to protect ourselves are becoming more plentiful, and everything's getting easier to use.
Which means one thing: the people who want to track you are going to try harder.
Browser fingerprinting used to be uncommon; now it's a standard part of how ad networks operate. Server-side data sharing was unusual for most companies; now it's becoming the default. CNAME cloaking was basically just a theory at one point; now academic papers are being published on how widespread it is.
But that's just the start.
Facebook has patented methods for identifying a camera's geolocation based on scratches on the lens, and the people it can identify in the photo. Amazon wants to monitor people's moods based on the sounds an Echo device can hear while you're sleeping. Oculus (well, Facebook) is monitoring what people are looking at and how they're moving, so that it can place ads directly into VR games. Fitness trackers are identifying users with PTSD and targeting ads for antidepressants at them.
One of those is false - but without checking, do you know which one?
So where are new threats going to come from? This is harder to predict, but my guess is that we'll really just see more advanced versions of what's already happening: taking data that doesn't seem useful, and turning it into a way to build up profiles of people and target them. As tracking becomes even more pervasive and precise, unconscious details like eye movements, heart rate, involuntary actions, microexpressions, if they aren't already being factored into targeted ads, will be.
And, of course, SPACE ADS. We're going to see ads from space and privacy threats alongside them. But that's a whole other article.
The impending Cisco Umbrella RC End-of-Life has many Umbrella users concerned about their next steps and questioning which protective DNS solution might be able to fill the gap for their organization.
Industry State of the Art
This month there was a high level of focus on compliance issues spanning several focus areas from governments and oversight agencies around the world. And while there were actions taken with regard to specific vulnerabilities, a larger spotlight was placed on bigger picture security considerations in a more general context.
TL;DR: SASE is broadening—it is about more than just access! It is about endpoint protection and user-based access…and it's called Security Service Edge (SSE). All of the aspects of the joint NSA and CISA guidance on Protective DNS (PDNS) and user-level policies are part of the secure category, originally launched by Gartner in January 2022. Regardless, it’s been interesting to see the NSA and CISA create guidance recognizing the breadth of cyber...