The Internet is Insecure

So what is the internet, really? It is not magic, although it tries hard to look like it. We don’t talk about the physical aspect of the internet often until something breaks, but understanding how the network works is key to understanding all the very many ways it is possible to lose your privacy on the internet.

Magic is perfect, humans and the internet are not.

When you loaded this page on your home computer, quite a few things happened very quickly. Your computer first asks a domain name server to translate this website’s URL (www.open-shelf.ca) into an IP address so it knows what server to try to talk to on the internet. Once it knows the server’s address it then sends a message in the HTTP language requesting the contents of the website. The internet by design tries to use the quickest route between your computer and the server in terms of bandwidth, physical location, and errors in the system. Routers, the hubs internet traffic flows through, keep an eye on each other and know which hubs are being slow and should be avoided. Your request bounces around between a number of routers before it gets to its destination server and those routers could be located anywhere on earth. When your computer’s HTTP message requesting the website arrives at the Open Shelf server an automated program is triggered. The server then sends back to your computer the files that make up this webpage. The files required to load this page include a number of CSS stylesheets, a bunch of jQuery files, some more javascript, some images, and the HTML file it is all contained in. Every time you click a link on a page your computer repeats this process, contacting the server again for new files. In order to speed up operation, your browser does its best to cache what you’ve already downloaded and reuse it. The final step in the process of loading this website is when the browser translates all those files into a standard visual format on your screen for you to appreciate.

When you look at the structure of the internet from this perspective, it’s easy to see how, with so many moving parts, a near-infinite number of things can go wrong. The internet is robust, it is designed to route around errors and slowdowns, but it assumes all packets are equal. Because of its de-centralized nature, there is no God-Emperor of the internet who can keep an eye out for problems or track patterns – there are just a lot of sysadmins (system administrators) who act as tiny gods of their own domains, putting out fires as they occur.

With no map or guide to the haphazard cobbled-together internet it is therefore easy to find a crack to pry open.

For example, a popular method of gathering information on a user is simply to add a piece of javascript into the webpage. From this you can pick up on a user’s browser type, language, what plug-ins they have installed, and their IP address, which give you their location (sometimes very accurately). Everybody uses these little pieces of javascript – they’re the entire basis of analytics. If you want to know how many visitors your site got last month, this is how you do it. However, the person who views the website is never told by their browser that this is happening. This piece of javascript is no different from any other piece of data being downloaded.

A number of tools exist to keep an eye on who is tracking you on websites, including [disconnect] and [ghostery]. But once you’ve plugged that hole, here’s another: imagine a malicious person takes control of a router, one of those hubs in the internet, and monitors all the traffic that goes through it. Thanks to various tricks, this router may convince your computer to send all your traffic through it instead of the most efficient route. All you will notice would be a possible lag in your internet speed, but they will be able to watch your every click.

The solution to *that* is encryption, which keeps information private between your computer and the server its talking to. This is why the Heartbleed bug was such a big deal: if encryption wasn’t working, this hole we thought we had covered was totally open the whole time. Whether the server you’re talking to uses encryption or not is something you can’t control as a user except to demand it from the businesses you patronize.

Even if you have your encryption in place, what happens if someone malicious takes control of the server itself? Or if someone gets between your computer and the internet? What if the NSA tapped into the very cables that make up the internet? [They have].

Now that you know all this, what’s the takeaway message?

The internet is a human invention and thus has plenty of flaws. Pretending it’s magic does a disservice to the amount of work that goes into making it function every day, but it also gives a false sense of security. No matter what fancy new website you’re using, it’s ultimately just made up of packets of information travelling down a wire. Magic doesn’t exist after all.

Ruth Collings  is a librarian in Toronto interested in privacy, accessibility, and technology in patron-focused libraries.  You can contact her via contact [at] ruthcollings.ca or at her website ruthcollings.ca.